Series comparison

-[PULL 00/34] target-arm queue
+[PULL 00/33] target-arm queue
-The following changes since commit c88f1ffc19e38008a1c33ae039482a860aa7418c:
+Hi; here's the first target-arm pullreq for the 7.0 cycle.
-  Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-05-08 14:29:18 +0100)
+thanks
 -- PMM
 The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:
   Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200511
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215
-for you to fetch changes up to 7e17d50ebd359ee5fa3d65d7fdc0fe0336d60694:
+for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:
-  target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed) (2020-05-11 14:22:54 +0100)
+  tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)
 ----------------------------------------------------------------
 target-arm queue:
- aspeed: Add boot stub for smp booting
+ * ITS: error reporting cleanup
- target/arm: Drop access_el3_aa32ns_aa64any()
+ * aspeed: improve documentation
- aspeed: Support AST2600A1 silicon revision
+ * Fix STM32F2XX USART data register readout
- aspeed: sdmc: Implement AST2600 locking behaviour
+ * allow emulated GICv3 to be disabled in non-TCG builds
- nrf51: Tracing cleanups
+ * fix exception priority for singlestep, misaligned PC, bp, etc
- target/arm: Improve handling of SVE loads and stores
+ * Correct calculation of tlb range invalidate length
- target/arm: Don't show TCG-only CPUs in KVM-only QEMU builds
+ * npcm7xx_emc: fix missing queue_flush
- hw/arm/musicpal: Map the UART devices unconditionally
+ * virt: Add VIOT ACPI table for virtio-iommu
- target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed)
+ * target/i386: Use assert() to sanity-check b1 in SSE decode
- target/arm: Use tcg_gen_gvec_5_ptr for sve FMLA/FCMLA
+ * Don't include qemu-common unnecessarily
 ----------------------------------------------------------------
-Edgar E. Iglesias (1):
+Alex Bennée (1):
-      target/arm: Drop access_el3_aa32ns_aa64any()
+      hw/intc: clean-up error reporting for failed ITS cmd
-Joel Stanley (3):
+Jean-Philippe Brucker (8):
-      aspeed: Add boot stub for smp booting
+      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
-      aspeed: Support AST2600A1 silicon revision
+      hw/arm/virt: Remove device tree restriction for virtio-iommu
-      aspeed: sdmc: Implement AST2600 locking behaviour
+      hw/arm/virt: Reject instantiation of multiple IOMMUs
       hw/arm/virt: Use object_property_set instead of qdev_prop_set
       tests/acpi: allow updates of VIOT expected data files
       tests/acpi: add test case for VIOT
       tests/acpi: add expected blobs for VIOT test on q35 machine
       tests/acpi: add expected blob for VIOT test on virt machine
-Philippe Mathieu-Daudé (8):
+Joel Stanley (4):
-      hw/arm/nrf51: Add NRF51_PERIPHERAL_SIZE definition
+      docs: aspeed: Add new boards
-      hw/timer/nrf51_timer: Display timer ID in trace events
+      docs: aspeed: Update OpenBMC image URL
-      hw/timer/nrf51_timer: Add trace event of counter value update
+      docs: aspeed: Give an example of booting a kernel
-      target/arm/kvm: Inline set_feature() calls
+      docs: aspeed: ADC is now modelled
       target/arm/cpu: Use ARRAY_SIZE() to iterate over ARMCPUInfo[]
       target/arm/cpu: Restrict v8M IDAU interface to Aarch32 CPUs
       target/arm: Restrict TCG cpus to TCG accel
       hw/arm/musicpal: Map the UART devices unconditionally
-Richard Henderson (21):
+Olivier Hériveaux (1):
-      exec: Add block comments for watchpoint routines
+      Fix STM32F2XX USART data register readout
       exec: Fix cpu_watchpoint_address_matches address length
       accel/tcg: Add block comment for probe_access
       accel/tcg: Adjust probe_access call to page_check_range
       accel/tcg: Add probe_access_flags
       accel/tcg: Add endian-specific cpu_{ld, st}* operations
       target/arm: Use cpu_*_data_ra for sve_ldst_tlb_fn
       target/arm: Drop manual handling of set/clear_helper_retaddr
       target/arm: Add sve infrastructure for page lookup
       target/arm: Adjust interface of sve_ld1_host_fn
       target/arm: Use SVEContLdSt in sve_ld1_r
       target/arm: Handle watchpoints in sve_ld1_r
       target/arm: Use SVEContLdSt for multi-register contiguous loads
       target/arm: Update contiguous first-fault and no-fault loads
       target/arm: Use SVEContLdSt for contiguous stores
       target/arm: Reuse sve_probe_page for gather first-fault loads
       target/arm: Reuse sve_probe_page for scatter stores
       target/arm: Reuse sve_probe_page for gather loads
       target/arm: Remove sve_memopidx
       target/arm: Use tcg_gen_gvec_5_ptr for sve FMLA/FCMLA
       target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed)
-Thomas Huth (1):
+Patrick Venture (1):
-      target/arm: Make set_feature() available for other files
+      hw/net: npcm7xx_emc fix missing queue_flush
- docs/devel/loads-stores.rst    |   39 +-
+Peter Maydell (6):
- include/exec/cpu-all.h         |   13 +-
+      target/i386: Use assert() to sanity-check b1 in SSE decode
- include/exec/cpu_ldst.h        |  283 +++--
+      include/hw/i386: Don't include qemu-common.h in .h files
- include/exec/exec-all.h        |   39 +
+      target/hexagon/cpu.h: don't include qemu-common.h
- include/hw/arm/nrf51.h         |    3 +-
+      target/rx/cpu.h: Don't include qemu-common.h
- include/hw/core/cpu.h          |   23 +
+      hw/arm: Don't include qemu-common.h unnecessarily
- include/hw/i2c/microbit_i2c.h  |    2 +-
+      target/arm: Correct calculation of tlb range invalidate length
  include/hw/misc/aspeed_scu.h   |    1 +
  include/hw/timer/nrf51_timer.h |    1 +
  target/arm/cpu.h               |   10 +
  target/arm/helper-sve.h        |   45 +-
  target/arm/internals.h         |    5 -
  accel/tcg/cputlb.c             |  413 ++++---
  accel/tcg/user-exec.c          |  256 ++++-
  exec.c                         |    2 +-
  hw/arm/aspeed.c                |   73 +-
  hw/arm/aspeed_ast2600.c        |    6 +-
  hw/arm/musicpal.c              |   12 +-
  hw/arm/nrf51_soc.c             |    9 +-
  hw/i2c/microbit_i2c.c          |    2 +-
  hw/misc/aspeed_scu.c           |   11 +-
  hw/misc/aspeed_sdmc.c          |   55 +-
  hw/timer/nrf51_timer.c         |   14 +-
  target/arm/cpu.c               |  662 +----------
  target/arm/cpu64.c             |   18 +-
  target/arm/cpu_tcg.c           |  664 +++++++++++
  target/arm/helper.c            |   30 +-
  target/arm/kvm32.c             |   13 +-
  target/arm/kvm64.c             |   22 +-
  target/arm/sve_helper.c        | 2398 +++++++++++++++++++++-------------------
  target/arm/translate-sve.c     |   93 +-
  hw/timer/trace-events          |    5 +-
  target/arm/Makefile.objs       |    1 +
 files changed, 2975 insertions(+), 2248 deletions(-)
  create mode 100644 target/arm/cpu_tcg.c
+Philippe Mathieu-Daudé (2):
+      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
+      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
+Richard Henderson (10):
+      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
+      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
+      target/arm: Split arm_pre_translate_insn
+      target/arm: Advance pc for arch single-step exception
+      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
+      target/arm: Take an exception if PC is misaligned
+      target/arm: Assert thumb pc is aligned
+      target/arm: Suppress bp for exceptions with more priority
+      tests/tcg: Add arm and aarch64 pc alignment tests
+ docs/system/arm/aspeed.rst        |  26 ++++++++++++----
+ include/hw/i386/microvm.h         |   1 -
+ include/hw/i386/x86.h             |   1 -
+ target/arm/helper.h               |   1 +
+ target/arm/syndrome.h             |   5 +++
+ target/hexagon/cpu.h              |   1 -
+ target/rx/cpu.h                   |   1 -
+ hw/arm/boot.c                     |   1 -
+ hw/arm/digic_boards.c             |   1 -
+ hw/arm/highbank.c                 |   1 -
+ hw/arm/npcm7xx_boards.c           |   1 -
+ hw/arm/sbsa-ref.c                 |   1 -
+ hw/arm/stm32f405_soc.c            |   1 -
+ hw/arm/vexpress.c                 |   1 -
+ hw/arm/virt-acpi-build.c          |   7 +++++
+ hw/arm/virt.c                     |  21 ++++++-------
+ hw/char/stm32f2xx_usart.c         |   3 +-
+ hw/intc/arm_gicv3.c               |   2 +-
+ hw/intc/arm_gicv3_cpuif.c         |  10 +-----
+ hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
+ hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
+ hw/net/npcm7xx_emc.c              |  18 +++++------
+ hw/virtio/virtio-iommu-pci.c      |  12 ++------
+ linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
+ linux-user/hexagon/cpu_loop.c     |   1 +
+ target/arm/debug_helper.c         |  23 ++++++++++++++
+ target/arm/gdbstub.c              |   9 ++++--
+ target/arm/helper.c               |   6 ++--
+ target/arm/machine.c              |  10 ++++++
+ target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
+ target/arm/translate-a64.c        |  23 ++++++++++++--
+ target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
+ target/i386/tcg/translate.c       |  12 ++------
+ tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
+ tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
+ tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
+ hw/arm/Kconfig                    |   1 +
+ hw/intc/Kconfig                   |   5 +++
+ hw/intc/meson.build               |  11 ++++---
+ tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
+ tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
+ tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
+ tests/tcg/aarch64/Makefile.target |   4 +--
+ tests/tcg/arm/Makefile.target     |   4 +++
+files changed, 429 insertions(+), 145 deletions(-)
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
+ create mode 100644 tests/tcg/aarch64/pcalign-a64.c
+ create mode 100644 tests/tcg/arm/pcalign-a32.c
+ create mode 100644 tests/data/acpi/q35/DSDT.viot
+ create mode 100644 tests/data/acpi/q35/VIOT.viot
+ create mode 100644 tests/data/acpi/virt/VIOT

-[PULL 34/34] target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed)
+[PULL 01/33] hw/intc: clean-up error reporting for failed ITS cmd
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-DUP (indexed) can duplicate 128-bit elements, so using esz
+While trying to debug a GIC ITS failure I saw some guest errors that
-unconditionally can assert in tcg_gen_gvec_dup_imm.
+had poor formatting as well as leaving me confused as to what failed.
 As most of the checks aren't possible without a valid dte split that
 check apart and then check the other conditions in steps. This avoids
 us relying on undefined data.
-Fixes: 8711e71f9cbb
+I still get a failure with the current kvm-unit-tests but at least I
-Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+know (partially) why now:
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+  Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
-Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
+  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
-Message-id: 20200507172352.15418-5-richard.henderson@linaro.org
+  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
   INT dev_id=2 event_id=20
   process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
   PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
   SUMMARY: 6 tests, 1 unexpected failures
 Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
 Cc: Shashi Mallela <shashi.mallela@linaro.org>
 Cc: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-sve.c | 6 +++++-
+ hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
-file changed, 5 insertions(+), 1 deletion(-)
+file changed, 27 insertions(+), 12 deletions(-)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
+--- a/hw/intc/arm_gicv3_its.c
-+++ b/target/arm/translate-sve.c
++++ b/hw/intc/arm_gicv3_its.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_x(DisasContext *s, arg_DUP_x *a)
+@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
-             unsigned nofs = vec_reg_offset(s, a->rn, index, esz);
+         if (res != MEMTX_OK) {
-             tcg_gen_gvec_dup_mem(esz, dofs, nofs, vsz, vsz);
+             return result;
          } else {
 -            tcg_gen_gvec_dup_imm(esz, dofs, vsz, vsz, 0);
 +            /*
 +             * While dup_mem handles 128-bit elements, dup_imm does not.
 +             * Thankfully element size doesn't matter for splatting zero.
 +             */
 +            tcg_gen_gvec_dup_imm(MO_64, dofs, vsz, vsz, 0);
          }
++    } else {
++        qemu_log_mask(LOG_GUEST_ERROR,
++                      "%s: invalid command attributes: "
++                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
++                      __func__, dte, devid, res);
++        return result;
      }
-     return true;
 -    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
 -            !cte_valid || (eventid > max_eventid)) {
 +
 +    /*
 +     * In this implementation, in case of guest errors we ignore the
 +     * command and move onto the next command in the queue.
 +     */
 +    if (devid > s->dt.maxids.max_devids) {
          qemu_log_mask(LOG_GUEST_ERROR,
 -                      "%s: invalid command attributes "
 -                      "devid %d or eventid %d or invalid dte %d or"
 -                      "invalid cte %d or invalid ite %d\n",
 -                      __func__, devid, eventid, dte_valid, cte_valid,
 -                      ite_valid);
 -        /*
 -         * in this implementation, in case of error
 -         * we ignore this command and move onto the next
 -         * command in the queue
 -         */
 +                      "%s: invalid command attributes: devid %d>%d",
 +                      __func__, devid, s->dt.maxids.max_devids);
 +
 +    } else if (!dte_valid || !ite_valid || !cte_valid) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: invalid command attributes: "
 +                      "dte: %s, ite: %s, cte: %s\n",
 +                      __func__,
 +                      dte_valid ? "valid" : "invalid",
 +                      ite_valid ? "valid" : "invalid",
 +                      cte_valid ? "valid" : "invalid");
 +    } else if (eventid > max_eventid) {
 +        qemu_log_mask(LOG_GUEST_ERROR,
 +                      "%s: invalid command attributes: eventid %d > %d\n",
 +                      __func__, eventid, max_eventid);
      } else {
          /*
           * Current implementation only supports rdbase == procnum
 --
-.20.1
+.25.1

-[PULL 04/34] aspeed: sdmc: Implement AST2600 locking behaviour
+[PULL 02/33] docs: aspeed: Add new boards
 From: Joel Stanley <joel@jms.id.au>
-The AST2600 handles this differently with the extra 'hardlock' state, so
+Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
-move the testing to the soc specific class' write callback.
+removed in v7.0.
 Signed-off-by: Joel Stanley <joel@jms.id.au>
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Message-id: 20200505090136.341426-1-joel@jms.id.au
+Message-id: 20211117065752.330632-2-joel@jms.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/misc/aspeed_sdmc.c | 55 +++++++++++++++++++++++++++++++++++--------
+ docs/system/arm/aspeed.rst | 7 ++++++-
-file changed, 45 insertions(+), 10 deletions(-)
+file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/hw/misc/aspeed_sdmc.c b/hw/misc/aspeed_sdmc.c
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/misc/aspeed_sdmc.c
+--- a/docs/system/arm/aspeed.rst
-+++ b/hw/misc/aspeed_sdmc.c
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
- /* Protection Key Register */
+ - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
- #define R_PROT            (0x00 / 4)
+ - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
-+#define   PROT_UNLOCKED      0x01
++- ``supermicrox11-bmc``    Supermicro X11 BMC
-+#define   PROT_HARDLOCKED    0x10  /* AST2600 */
-+#define   PROT_SOFTLOCKED    0x00
+ AST2500 SoC based machines :
-+
- #define   PROT_KEY_UNLOCK     0xFC600309
+@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
-+#define   PROT_KEY_HARDLOCK   0xDEADDEAD /* AST2600 */
+ - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
+ - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
- /* Configuration Register */
+ - ``sonorapass-bmc``       OCP SonoraPass BMC
- #define R_CONF            (0x04 / 4)
+-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
-@@ -XXX,XX +XXX,XX @@ static void aspeed_sdmc_write(void *opaque, hwaddr addr, uint64_t data,
++- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
-         return;
++- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
-     }
++- ``g220a-bmc``            Bytedance G220A BMC
--    if (addr == R_PROT) {
+ AST2600 SoC based machines :
--        s->regs[addr] = (data == PROT_KEY_UNLOCK) ? 1 : 0;
--        return;
+ - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
--    }
+ - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
--
++- ``rainier-bmc``          IBM Rainier POWER10 BMC
--    if (!s->regs[R_PROT]) {
++- ``fuji-bmc``             Facebook Fuji BMC
--        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
--        return;
+ Supported devices
--    }
+ -----------------
 -
      asc->write(s, addr, data);
  }
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2400_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
  static void aspeed_2400_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                     uint32_t data)
  {
 +    if (reg == R_PROT) {
 +        s->regs[reg] = (data == PROT_KEY_UNLOCK) ? PROT_UNLOCKED : PROT_SOFTLOCKED;
 +        return;
 +    }
 +
 +    if (!s->regs[R_PROT]) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
 +        return;
 +    }
 +
      switch (reg) {
      case R_CONF:
          data = aspeed_2400_sdmc_compute_conf(s, data);
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2500_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
  static void aspeed_2500_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                     uint32_t data)
  {
 +    if (reg == R_PROT) {
 +        s->regs[reg] = (data == PROT_KEY_UNLOCK) ? PROT_UNLOCKED : PROT_SOFTLOCKED;
 +        return;
 +    }
 +
 +    if (!s->regs[R_PROT]) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
 +        return;
 +    }
 +
      switch (reg) {
      case R_CONF:
          data = aspeed_2500_sdmc_compute_conf(s, data);
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2600_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
  static void aspeed_2600_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                     uint32_t data)
  {
 +    if (s->regs[R_PROT] == PROT_HARDLOCKED) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked until system reset!\n",
 +                __func__);
 +        return;
 +    }
 +
 +    if (reg != R_PROT && s->regs[R_PROT] == PROT_SOFTLOCKED) {
 +        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
 +        return;
 +    }
 +
      switch (reg) {
 +    case R_PROT:
 +        if (data == PROT_KEY_UNLOCK)  {
 +            data = PROT_UNLOCKED;
 +        } else if (data == PROT_KEY_HARDLOCK) {
 +            data = PROT_HARDLOCKED;
 +        } else {
 +            data = PROT_SOFTLOCKED;
 +        }
 +        break;
      case R_CONF:
          data = aspeed_2600_sdmc_compute_conf(s, data);
          break;
 --
-.20.1
+.25.1

-[PULL 29/34] target/arm/cpu: Use ARRAY_SIZE() to iterate over ARMCPUInfo[]
+[PULL 03/33] docs: aspeed: Update OpenBMC image URL
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Joel Stanley <joel@jms.id.au>
-Use ARRAY_SIZE() to iterate over ARMCPUInfo[].
+This is the latest URL for the OpenBMC CI. The old URL still works, but
 redirects.
-Since on the aarch64-linux-user build, arm_cpus[] is empty, add
+Reviewed-by: Cédric Le Goater <clg@kaod.org>
-the cpu_count variable and only iterate when it is non-zero.
+Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-3-joel@jms.id.au
 Suggested-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Message-id: 20200504172448.9402-4-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c   | 16 +++++++++-------
+ docs/system/arm/aspeed.rst | 2 +-
- target/arm/cpu64.c |  8 +++-----
+file changed, 1 insertion(+), 1 deletion(-)
 files changed, 12 insertions(+), 12 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/docs/system/arm/aspeed.rst
-+++ b/target/arm/cpu.c
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
+@@ -XXX,XX +XXX,XX @@ The Aspeed machines can be started using the ``-kernel`` option to
-     { .name = "any",         .initfn = arm_max_initfn },
+ load a Linux kernel or from a firmware. Images can be downloaded from
- #endif
+ the OpenBMC jenkins :
- #endif
--    { .name = NULL }
+-   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/distro=ubuntu,label=docker-builder
- };
++   https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
- static Property arm_cpu_properties[] = {
+ or directly from the OpenBMC GitHub release repository :
@@ -XXX,XX +XXX,XX @@ static const TypeInfo idau_interface_type_info = {
  static void arm_cpu_register_types(void)
  {
 -    const ARMCPUInfo *info = arm_cpus;
 +    const size_t cpu_count = ARRAY_SIZE(arm_cpus);
      type_register_static(&arm_cpu_type_info);
      type_register_static(&idau_interface_type_info);
 -    while (info->name) {
 -        arm_cpu_register(info);
 -        info++;
 -    }
 -
  #ifdef CONFIG_KVM
      type_register_static(&host_arm_cpu_type_info);
  #endif
 +
 +    if (cpu_count) {
 +        size_t i;
 +
 +        for (i = 0; i < cpu_count; ++i) {
 +            arm_cpu_register(&arm_cpus[i]);
 +        }
 +    }
  }
  type_init(arm_cpu_register_types)
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
      { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
      { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
      { .name = "max",                .initfn = aarch64_max_initfn },
 -    { .name = NULL }
  };
  static bool aarch64_cpu_get_aarch64(Object *obj, Error **errp)
@@ -XXX,XX +XXX,XX @@ static const TypeInfo aarch64_cpu_type_info = {
  static void aarch64_cpu_register_types(void)
  {
 -    const ARMCPUInfo *info = aarch64_cpus;
 +    size_t i;
      type_register_static(&aarch64_cpu_type_info);
 -    while (info->name) {
 -        aarch64_cpu_register(info);
 -        info++;
 +    for (i = 0; i < ARRAY_SIZE(aarch64_cpus); ++i) {
 +        aarch64_cpu_register(&aarch64_cpus[i]);
      }
  }
 --
-.20.1
+.25.1

-[PULL 01/34] aspeed: Add boot stub for smp booting
+[PULL 04/33] docs: aspeed: Give an example of booting a kernel
 From: Joel Stanley <joel@jms.id.au>
-This is a boot stub that is similar to the code u-boot runs, allowing
+A common use case for the ASPEED machine is to boot a Linux kernel.
-the kernel to boot the secondary CPU.
+Provide a full example command line.
 u-boot works as follows:
 . Initialises the SMP mailbox area in the SCU at 0x1e6e2180 with default values
 . Copies a stub named 'mailbox_insn' from flash to the SCU, just above the
     mailbox area
 . Sets AST_SMP_MBOX_FIELD_READY to a magic value to indicate the
     secondary can begin execution from the stub
 . The stub waits until the AST_SMP_MBOX_FIELD_GOSIGN register is set to
     a magic value
 . Jumps to the address in AST_SMP_MBOX_FIELD_ENTRY, starting Linux
 Linux indicates it is ready by writing the address of its entrypoint
 function to AST_SMP_MBOX_FIELD_ENTRY and the 'go' magic number to
 AST_SMP_MBOX_FIELD_GOSIGN. The secondary CPU sees this at step 4 and
 breaks out of it's loop.
 To be compatible, a fixed qemu stub is loaded into the mailbox area. As
 qemu can ensure the stub is loaded before execution starts, we do not
 need to emulate the AST_SMP_MBOX_FIELD_READY behaviour of u-boot. The
 secondary CPU's program counter points to the beginning of the stub,
 allowing qemu to start secondaries at step four.
 Reboot behaviour is preserved by resetting AST_SMP_MBOX_FIELD_GOSIGN
 when the secondaries are reset.
 This is only configured when the system is booted with -kernel and qemu
 does not execute u-boot first.
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
-Tested-by: Cédric Le Goater <clg@kaod.org>
 Signed-off-by: Joel Stanley <joel@jms.id.au>
+Message-id: 20211117065752.330632-4-joel@jms.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/aspeed.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
+ docs/system/arm/aspeed.rst | 15 ++++++++++++---
-file changed, 65 insertions(+)
+file changed, 12 insertions(+), 3 deletions(-)
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
+--- a/docs/system/arm/aspeed.rst
-+++ b/hw/arm/aspeed.c
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps max_ram_ops = {
+@@ -XXX,XX +XXX,XX @@ Missing devices
-     .endianness = DEVICE_NATIVE_ENDIAN,
+ Boot options
- };
+ ------------
-+#define AST_SMP_MAILBOX_BASE            0x1e6e2180
+-The Aspeed machines can be started using the ``-kernel`` option to
-+#define AST_SMP_MBOX_FIELD_ENTRY        (AST_SMP_MAILBOX_BASE + 0x0)
+-load a Linux kernel or from a firmware. Images can be downloaded from
-+#define AST_SMP_MBOX_FIELD_GOSIGN       (AST_SMP_MAILBOX_BASE + 0x4)
+-the OpenBMC jenkins :
-+#define AST_SMP_MBOX_FIELD_READY        (AST_SMP_MAILBOX_BASE + 0x8)
++The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
-+#define AST_SMP_MBOX_FIELD_POLLINSN     (AST_SMP_MAILBOX_BASE + 0xc)
++to load a Linux kernel or from a firmware. Images can be downloaded from the
-+#define AST_SMP_MBOX_CODE               (AST_SMP_MAILBOX_BASE + 0x10)
++OpenBMC jenkins :
-+#define AST_SMP_MBOX_GOSIGN             0xabbaab00
     https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
     https://github.com/openbmc/openbmc/releases
 +To boot a kernel directly from a Linux build tree:
 +
-+static void aspeed_write_smpboot(ARMCPU *cpu,
++.. code-block:: bash
 +                                 const struct arm_boot_info *info)
 +{
 +    static const uint32_t poll_mailbox_ready[] = {
 +        /*
 +         * r2 = per-cpu go sign value
 +         * r1 = AST_SMP_MBOX_FIELD_ENTRY
 +         * r0 = AST_SMP_MBOX_FIELD_GOSIGN
 +         */
 +        0xee100fb0,  /* mrc     p15, 0, r0, c0, c0, 5 */
 +        0xe21000ff,  /* ands    r0, r0, #255          */
 +        0xe59f201c,  /* ldr     r2, [pc, #28]         */
 +        0xe1822000,  /* orr     r2, r2, r0            */
 +
-+        0xe59f1018,  /* ldr     r1, [pc, #24]         */
++  $ qemu-system-arm -M ast2600-evb -nographic \
-+        0xe59f0018,  /* ldr     r0, [pc, #24]         */
++        -kernel arch/arm/boot/zImage \
 +        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
 +        -initrd rootfs.cpio
 +
-+        0xe320f002,  /* wfe                           */
+ The image should be attached as an MTD drive. Run :
-+        0xe5904000,  /* ldr     r4, [r0]              */
-+        0xe1520004,  /* cmp     r2, r4                */
+ .. code-block:: bash
 +        0x1afffffb,  /* bne     <wfe>                 */
 +        0xe591f000,  /* ldr     pc, [r1]              */
 +        AST_SMP_MBOX_GOSIGN,
 +        AST_SMP_MBOX_FIELD_ENTRY,
 +        AST_SMP_MBOX_FIELD_GOSIGN,
 +    };
 +
 +    rom_add_blob_fixed("aspeed.smpboot", poll_mailbox_ready,
 +                       sizeof(poll_mailbox_ready),
 +                       info->smp_loader_start);
 +}
 +
 +static void aspeed_reset_secondary(ARMCPU *cpu,
 +                                   const struct arm_boot_info *info)
 +{
 +    AddressSpace *as = arm_boot_address_space(cpu, info);
 +    CPUState *cs = CPU(cpu);
 +
 +    /* info->smp_bootreg_addr */
 +    address_space_stl_notdirty(as, AST_SMP_MBOX_FIELD_GOSIGN, 0,
 +                               MEMTXATTRS_UNSPECIFIED, NULL);
 +    cpu_set_pc(cs, info->smp_loader_start);
 +}
 +
  #define FIRMWARE_ADDR 0x0
  static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_init(MachineState *machine)
          }
      }
 +    if (machine->kernel_filename && bmc->soc.num_cpus > 1) {
 +        /* With no u-boot we must set up a boot stub for the secondary CPU */
 +        MemoryRegion *smpboot = g_new(MemoryRegion, 1);
 +        memory_region_init_ram(smpboot, OBJECT(bmc), "aspeed.smpboot",
 +                               0x80, &error_abort);
 +        memory_region_add_subregion(get_system_memory(),
 +                                    AST_SMP_MAILBOX_BASE, smpboot);
 +
 +        aspeed_board_binfo.write_secondary_boot = aspeed_write_smpboot;
 +        aspeed_board_binfo.secondary_cpu_reset_hook = aspeed_reset_secondary;
 +        aspeed_board_binfo.smp_loader_start = AST_SMP_MBOX_CODE;
 +    }
 +
      aspeed_board_binfo.ram_size = ram_size;
      aspeed_board_binfo.loader_start = sc->memmap[ASPEED_SDRAM];
      aspeed_board_binfo.nb_cpus = bmc->soc.num_cpus;
 --
-.20.1
+.25.1

-[PULL 03/34] aspeed: Support AST2600A1 silicon revision
+[PULL 05/33] docs: aspeed: ADC is now modelled
 From: Joel Stanley <joel@jms.id.au>
-There are minimal differences from Qemu's point of view between the A0
+Move it to the supported list.
 and A1 silicon revisions.
 As the A1 exercises different code paths in u-boot it is desirable to
 emulate that instead.
 Signed-off-by: Joel Stanley <joel@jms.id.au>
-Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
+Message-id: 20211117065752.330632-5-joel@jms.id.au
 Reviewed-by: Cédric Le Goater <clg@kaod.org>
 Message-id: 20200504093703.261135-1-joel@jms.id.au
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/misc/aspeed_scu.h |  1 +
+ docs/system/arm/aspeed.rst | 2 +-
- hw/arm/aspeed.c              |  8 ++++----
+file changed, 1 insertion(+), 1 deletion(-)
  hw/arm/aspeed_ast2600.c      |  6 +++---
  hw/misc/aspeed_scu.c         | 11 +++++------
 files changed, 13 insertions(+), 13 deletions(-)
-diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h
+diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/misc/aspeed_scu.h
+--- a/docs/system/arm/aspeed.rst
-+++ b/include/hw/misc/aspeed_scu.h
++++ b/docs/system/arm/aspeed.rst
-@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSCUState {
+@@ -XXX,XX +XXX,XX @@ Supported devices
- #define AST2500_A0_SILICON_REV   0x04000303U
+  * Front LEDs (PCA9552 on I2C bus)
- #define AST2500_A1_SILICON_REV   0x04010303U
+  * LPC Peripheral Controller (a subset of subdevices are supported)
- #define AST2600_A0_SILICON_REV   0x05000303U
+  * Hash/Crypto Engine (HACE) - Hash support only. TODO: HMAC and RSA
-+#define AST2600_A1_SILICON_REV   0x05010303U
++ * ADC
- #define ASPEED_IS_AST2500(si_rev)     ((((si_rev) >> 24) & 0xff) == 0x04)
+ Missing devices
-diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
+ ---------------
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/aspeed.c
+  * Coprocessor support
-+++ b/hw/arm/aspeed.c
+- * ADC (out of tree implementation)
-@@ -XXX,XX +XXX,XX @@ struct AspeedBoardState {
+  * PWM and Fan Controller
+  * Slave GPIO Controller
- /* Tacoma hardware value */
+  * Super I/O Controller
  #define TACOMA_BMC_HW_STRAP1  0x00000000
 -#define TACOMA_BMC_HW_STRAP2  0x00000000
 +#define TACOMA_BMC_HW_STRAP2  0x00000040
  /*
   * The max ram region is for firmwares that scan the address space
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_ast2600_evb_class_init(ObjectClass *oc, void *data)
      AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
      mc->desc       = "Aspeed AST2600 EVB (Cortex A7)";
 -    amc->soc_name  = "ast2600-a0";
 +    amc->soc_name  = "ast2600-a1";
      amc->hw_strap1 = AST2600_EVB_HW_STRAP1;
      amc->hw_strap2 = AST2600_EVB_HW_STRAP2;
      amc->fmc_model = "w25q512jv";
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_tacoma_class_init(ObjectClass *oc, void *data)
      MachineClass *mc = MACHINE_CLASS(oc);
      AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
 -    mc->desc       = "Aspeed AST2600 EVB (Cortex A7)";
 -    amc->soc_name  = "ast2600-a0";
 +    mc->desc       = "OpenPOWER Tacoma BMC (Cortex A7)";
 +    amc->soc_name  = "ast2600-a1";
      amc->hw_strap1 = TACOMA_BMC_HW_STRAP1;
      amc->hw_strap2 = TACOMA_BMC_HW_STRAP2;
      amc->fmc_model = "mx66l1g45g";
 diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/aspeed_ast2600.c
 +++ b/hw/arm/aspeed_ast2600.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_class_init(ObjectClass *oc, void *data)
      dc->realize      = aspeed_soc_ast2600_realize;
 -    sc->name         = "ast2600-a0";
 +    sc->name         = "ast2600-a1";
      sc->cpu_type     = ARM_CPU_TYPE_NAME("cortex-a7");
 -    sc->silicon_rev  = AST2600_A0_SILICON_REV;
 +    sc->silicon_rev  = AST2600_A1_SILICON_REV;
      sc->sram_size    = 0x10000;
      sc->spis_num     = 2;
      sc->ehcis_num    = 2;
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_class_init(ObjectClass *oc, void *data)
  }
  static const TypeInfo aspeed_soc_ast2600_type_info = {
 -    .name           = "ast2600-a0",
 +    .name           = "ast2600-a1",
      .parent         = TYPE_ASPEED_SOC,
      .instance_size  = sizeof(AspeedSoCState),
      .instance_init  = aspeed_soc_ast2600_init,
 diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/aspeed_scu.c
 +++ b/hw/misc/aspeed_scu.c
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_silicon_revs[] = {
      AST2500_A0_SILICON_REV,
      AST2500_A1_SILICON_REV,
      AST2600_A0_SILICON_REV,
 +    AST2600_A1_SILICON_REV,
  };
  bool is_supported_silicon_rev(uint32_t silicon_rev)
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps aspeed_ast2600_scu_ops = {
      .valid.unaligned = false,
  };
 -static const uint32_t ast2600_a0_resets[ASPEED_AST2600_SCU_NR_REGS] = {
 -    [AST2600_SILICON_REV]       = AST2600_SILICON_REV,
 -    [AST2600_SILICON_REV2]      = AST2600_SILICON_REV,
 -    [AST2600_SYS_RST_CTRL]      = 0xF7CFFEDC | 0x100,
 +static const uint32_t ast2600_a1_resets[ASPEED_AST2600_SCU_NR_REGS] = {
 +    [AST2600_SYS_RST_CTRL]      = 0xF7C3FED8,
      [AST2600_SYS_RST_CTRL2]     = 0xFFFFFFFC,
 -    [AST2600_CLK_STOP_CTRL]     = 0xEFF43E8B,
 +    [AST2600_CLK_STOP_CTRL]     = 0xFFFF7F8A,
      [AST2600_CLK_STOP_CTRL2]    = 0xFFF0FFF0,
      [AST2600_SDRAM_HANDSHAKE]   = 0x00000040,  /* SoC completed DRAM init */
      [AST2600_HPLL_PARAM]        = 0x1000405F,
@@ -XXX,XX +XXX,XX @@ static void aspeed_2600_scu_class_init(ObjectClass *klass, void *data)
      dc->desc = "ASPEED 2600 System Control Unit";
      dc->reset = aspeed_ast2600_scu_reset;
 -    asc->resets = ast2600_a0_resets;
 +    asc->resets = ast2600_a1_resets;
      asc->calc_hpll = aspeed_2500_scu_calc_hpll; /* No change since AST2500 */
      asc->apb_divider = 4;
      asc->nr_regs = ASPEED_AST2600_SCU_NR_REGS;
 --
-.20.1
+.25.1

-[PULL 32/34] hw/arm/musicpal: Map the UART devices unconditionally
+[PULL 06/33] Fix STM32F2XX USART data register readout
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
-I can't find proper documentation or datasheet, but it is likely
+Fix issue where the data register may be overwritten by next character
-a MMIO mapped serial device mapped in the 0x80000000..0x8000ffff
+reception before being read and returned.
 range belongs to the SoC address space, thus is always mapped in
 the memory bus.
 Map the devices on the bus regardless a chardev is attached to it.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
-Reviewed-by: Jan Kiszka <jan.kiszka@web.de>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200505095945.23146-1-f4bug@amsat.org
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/musicpal.c | 12 ++++--------
+ hw/char/stm32f2xx_usart.c | 3 ++-
-file changed, 4 insertions(+), 8 deletions(-)
+file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
+diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/musicpal.c
+--- a/hw/char/stm32f2xx_usart.c
-+++ b/hw/arm/musicpal.c
++++ b/hw/char/stm32f2xx_usart.c
-@@ -XXX,XX +XXX,XX @@ static void musicpal_init(MachineState *machine)
+@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
-                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
+         return retvalue;
-                           pic[MP_TIMER4_IRQ], NULL);
+     case USART_DR:
+         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
--    if (serial_hd(0)) {
++        retvalue = s->usart_dr & 0x3FF;
--        serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
+         s->usart_sr &= ~USART_SR_RXNE;
--                       1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
+         qemu_chr_fe_accept_input(&s->chr);
--    }
+         qemu_set_irq(s->irq, 0);
--    if (serial_hd(1)) {
+-        return s->usart_dr & 0x3FF;
--        serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
++        return retvalue;
--                       1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
+     case USART_BRR:
--    }
+         return s->usart_brr;
-+    serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
+     case USART_CR1:
 +                   1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
 +    serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
 +                   1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
      /* Register flash */
      dinfo = drive_get(IF_PFLASH, 0, 0);
 --
-.20.1
+.25.1

-[PULL 31/34] target/arm: Restrict TCG cpus to TCG accel
+[PULL 07/33] hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-A KVM-only build won't be able to run TCG cpus.
+gicv3_set_gicv3state() is used by arm_gicv3_common.c in
 arm_gicv3_common_realize(). Since we want to restrict
 arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
 to a new file. Add this file to the meson 'specific'
 source set, since it needs access to "cpu.h".
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200504172448.9402-6-philmd@redhat.com
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Message-id: 20211115223619.2599282-2-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c         | 634 -------------------------------------
+ hw/intc/arm_gicv3_cpuif.c        | 10 +---------
- target/arm/cpu_tcg.c     | 664 +++++++++++++++++++++++++++++++++++++++
+ hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
- target/arm/Makefile.objs |   1 +
+ hw/intc/meson.build              |  1 +
-files changed, 665 insertions(+), 634 deletions(-)
+files changed, 24 insertions(+), 9 deletions(-)
- create mode 100644 target/arm/cpu_tcg.c
+ create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/hw/intc/arm_gicv3_cpuif.c
-+++ b/target/arm/cpu.c
++++ b/hw/intc/arm_gicv3_cpuif.c
-@@ -XXX,XX +XXX,XX @@ bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+@@ -XXX,XX +XXX,XX @@
-     return true;
+ /*
- }
+- * ARM Generic Interrupt Controller v3
++ * ARM Generic Interrupt Controller v3 (emulation)
--#if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
+  *
--static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+  * Copyright (c) 2016 Linaro Limited
   * Written by Peter Maydell
@@ -XXX,XX +XXX,XX @@
  #include "hw/irq.h"
  #include "cpu.h"
 -void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
 -{
--    CPUClass *cc = CPU_GET_CLASS(cs);
+-    ARMCPU *arm_cpu = ARM_CPU(cpu);
--    ARMCPU *cpu = ARM_CPU(cs);
+-    CPUARMState *env = &arm_cpu->env;
 -    CPUARMState *env = &cpu->env;
 -    bool ret = false;
 -
--    /*
+-    env->gicv3state = (void *)s;
 -     * ARMv7-M interrupt masking works differently than -A or -R.
 -     * There is no FIQ/IRQ distinction. Instead of I and F bits
 -     * masking FIQ and IRQ interrupts, an exception is taken only
 -     * if it is higher priority than the current execution priority
 -     * (which depends on state like BASEPRI, FAULTMASK and the
 -     * currently active exception).
 -     */
 -    if (interrupt_request & CPU_INTERRUPT_HARD
 -        && (armv7m_nvic_can_take_pending_exception(env->nvic))) {
 -        cs->exception_index = EXCP_IRQ;
 -        cc->do_interrupt(cs);
 -        ret = true;
 -    }
 -    return ret;
 -}
 -#endif
 -
  void arm_cpu_update_virq(ARMCPU *cpu)
  {
      /*
@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
  /* CPU models. These are not needed for the AArch64 linux-user build. */
  #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 -static void arm926_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm926";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
 -    cpu->midr = 0x41069265;
 -    cpu->reset_fpsid = 0x41011090;
 -    cpu->ctr = 0x1dd20d2;
 -    cpu->reset_sctlr = 0x00090078;
 -
 -    /*
 -     * ARMv5 does not have the ID_ISAR registers, but we can still
 -     * set the field to indicate Jazelle support within QEMU.
 -     */
 -    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
 -    /*
 -     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
 -     * support even though ARMv5 doesn't have this register.
 -     */
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 -}
 -
 -static void arm946_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm946";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_PMSA);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    cpu->midr = 0x41059461;
 -    cpu->ctr = 0x0f004006;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void arm1026_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm1026";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
 -    cpu->midr = 0x4106a262;
 -    cpu->reset_fpsid = 0x410110a0;
 -    cpu->ctr = 0x1dd20d2;
 -    cpu->reset_sctlr = 0x00090078;
 -    cpu->reset_auxcr = 1;
 -
 -    /*
 -     * ARMv5 does not have the ID_ISAR registers, but we can still
 -     * set the field to indicate Jazelle support within QEMU.
 -     */
 -    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
 -    /*
 -     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
 -     * support even though ARMv5 doesn't have this register.
 -     */
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
 -    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 -
 -    {
 -        /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
 -        ARMCPRegInfo ifar = {
 -            .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
 -            .access = PL1_RW,
 -            .fieldoffset = offsetof(CPUARMState, cp15.ifar_ns),
 -            .resetvalue = 0
 -        };
 -        define_one_arm_cp_reg(cpu, &ifar);
 -    }
 -}
 -
 -static void arm1136_r2_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -    /*
 -     * What qemu calls "arm1136_r2" is actually the 1136 r0p2, ie an
 -     * older core than plain "arm1136". In particular this does not
 -     * have the v6K features.
 -     * These ID register values are correct for 1136 but may be wrong
 -     * for 1136_r2 (in particular r0p2 does not actually implement most
 -     * of the ID registers).
 -     */
 -
 -    cpu->dtb_compatible = "arm,arm1136";
 -    set_feature(&cpu->env, ARM_FEATURE_V6);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 -    cpu->midr = 0x4107b362;
 -    cpu->reset_fpsid = 0x410120b4;
 -    cpu->isar.mvfr0 = 0x11111111;
 -    cpu->isar.mvfr1 = 0x00000000;
 -    cpu->ctr = 0x1dd20d2;
 -    cpu->reset_sctlr = 0x00050078;
 -    cpu->id_pfr0 = 0x111;
 -    cpu->id_pfr1 = 0x1;
 -    cpu->isar.id_dfr0 = 0x2;
 -    cpu->id_afr0 = 0x3;
 -    cpu->isar.id_mmfr0 = 0x01130003;
 -    cpu->isar.id_mmfr1 = 0x10030302;
 -    cpu->isar.id_mmfr2 = 0x01222110;
 -    cpu->isar.id_isar0 = 0x00140011;
 -    cpu->isar.id_isar1 = 0x12002111;
 -    cpu->isar.id_isar2 = 0x11231111;
 -    cpu->isar.id_isar3 = 0x01102131;
 -    cpu->isar.id_isar4 = 0x141;
 -    cpu->reset_auxcr = 7;
 -}
 -
 -static void arm1136_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm1136";
 -    set_feature(&cpu->env, ARM_FEATURE_V6K);
 -    set_feature(&cpu->env, ARM_FEATURE_V6);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 -    cpu->midr = 0x4117b363;
 -    cpu->reset_fpsid = 0x410120b4;
 -    cpu->isar.mvfr0 = 0x11111111;
 -    cpu->isar.mvfr1 = 0x00000000;
 -    cpu->ctr = 0x1dd20d2;
 -    cpu->reset_sctlr = 0x00050078;
 -    cpu->id_pfr0 = 0x111;
 -    cpu->id_pfr1 = 0x1;
 -    cpu->isar.id_dfr0 = 0x2;
 -    cpu->id_afr0 = 0x3;
 -    cpu->isar.id_mmfr0 = 0x01130003;
 -    cpu->isar.id_mmfr1 = 0x10030302;
 -    cpu->isar.id_mmfr2 = 0x01222110;
 -    cpu->isar.id_isar0 = 0x00140011;
 -    cpu->isar.id_isar1 = 0x12002111;
 -    cpu->isar.id_isar2 = 0x11231111;
 -    cpu->isar.id_isar3 = 0x01102131;
 -    cpu->isar.id_isar4 = 0x141;
 -    cpu->reset_auxcr = 7;
 -}
 -
 -static void arm1176_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm1176";
 -    set_feature(&cpu->env, ARM_FEATURE_V6K);
 -    set_feature(&cpu->env, ARM_FEATURE_VAPA);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 -    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 -    set_feature(&cpu->env, ARM_FEATURE_EL3);
 -    cpu->midr = 0x410fb767;
 -    cpu->reset_fpsid = 0x410120b5;
 -    cpu->isar.mvfr0 = 0x11111111;
 -    cpu->isar.mvfr1 = 0x00000000;
 -    cpu->ctr = 0x1dd20d2;
 -    cpu->reset_sctlr = 0x00050078;
 -    cpu->id_pfr0 = 0x111;
 -    cpu->id_pfr1 = 0x11;
 -    cpu->isar.id_dfr0 = 0x33;
 -    cpu->id_afr0 = 0;
 -    cpu->isar.id_mmfr0 = 0x01130003;
 -    cpu->isar.id_mmfr1 = 0x10030302;
 -    cpu->isar.id_mmfr2 = 0x01222100;
 -    cpu->isar.id_isar0 = 0x0140011;
 -    cpu->isar.id_isar1 = 0x12002111;
 -    cpu->isar.id_isar2 = 0x11231121;
 -    cpu->isar.id_isar3 = 0x01102131;
 -    cpu->isar.id_isar4 = 0x01141;
 -    cpu->reset_auxcr = 7;
 -}
 -
 -static void arm11mpcore_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "arm,arm11mpcore";
 -    set_feature(&cpu->env, ARM_FEATURE_V6K);
 -    set_feature(&cpu->env, ARM_FEATURE_VAPA);
 -    set_feature(&cpu->env, ARM_FEATURE_MPIDR);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    cpu->midr = 0x410fb022;
 -    cpu->reset_fpsid = 0x410120b4;
 -    cpu->isar.mvfr0 = 0x11111111;
 -    cpu->isar.mvfr1 = 0x00000000;
 -    cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
 -    cpu->id_pfr0 = 0x111;
 -    cpu->id_pfr1 = 0x1;
 -    cpu->isar.id_dfr0 = 0;
 -    cpu->id_afr0 = 0x2;
 -    cpu->isar.id_mmfr0 = 0x01100103;
 -    cpu->isar.id_mmfr1 = 0x10020302;
 -    cpu->isar.id_mmfr2 = 0x01222000;
 -    cpu->isar.id_isar0 = 0x00100011;
 -    cpu->isar.id_isar1 = 0x12002111;
 -    cpu->isar.id_isar2 = 0x11221011;
 -    cpu->isar.id_isar3 = 0x01102131;
 -    cpu->isar.id_isar4 = 0x141;
 -    cpu->reset_auxcr = 1;
 -}
 -
 -static void cortex_m0_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -    set_feature(&cpu->env, ARM_FEATURE_V6);
 -    set_feature(&cpu->env, ARM_FEATURE_M);
 -
 -    cpu->midr = 0x410cc200;
 -}
 -
 -static void cortex_m3_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -    set_feature(&cpu->env, ARM_FEATURE_V7);
 -    set_feature(&cpu->env, ARM_FEATURE_M);
 -    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 -    cpu->midr = 0x410fc231;
 -    cpu->pmsav7_dregion = 8;
 -    cpu->id_pfr0 = 0x00000030;
 -    cpu->id_pfr1 = 0x00000200;
 -    cpu->isar.id_dfr0 = 0x00100000;
 -    cpu->id_afr0 = 0x00000000;
 -    cpu->isar.id_mmfr0 = 0x00000030;
 -    cpu->isar.id_mmfr1 = 0x00000000;
 -    cpu->isar.id_mmfr2 = 0x00000000;
 -    cpu->isar.id_mmfr3 = 0x00000000;
 -    cpu->isar.id_isar0 = 0x01141110;
 -    cpu->isar.id_isar1 = 0x02111000;
 -    cpu->isar.id_isar2 = 0x21112231;
 -    cpu->isar.id_isar3 = 0x01111110;
 -    cpu->isar.id_isar4 = 0x01310102;
 -    cpu->isar.id_isar5 = 0x00000000;
 -    cpu->isar.id_isar6 = 0x00000000;
 -}
 -
 -static void cortex_m4_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    set_feature(&cpu->env, ARM_FEATURE_V7);
 -    set_feature(&cpu->env, ARM_FEATURE_M);
 -    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 -    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 -    cpu->midr = 0x410fc240; /* r0p0 */
 -    cpu->pmsav7_dregion = 8;
 -    cpu->isar.mvfr0 = 0x10110021;
 -    cpu->isar.mvfr1 = 0x11000011;
 -    cpu->isar.mvfr2 = 0x00000000;
 -    cpu->id_pfr0 = 0x00000030;
 -    cpu->id_pfr1 = 0x00000200;
 -    cpu->isar.id_dfr0 = 0x00100000;
 -    cpu->id_afr0 = 0x00000000;
 -    cpu->isar.id_mmfr0 = 0x00000030;
 -    cpu->isar.id_mmfr1 = 0x00000000;
 -    cpu->isar.id_mmfr2 = 0x00000000;
 -    cpu->isar.id_mmfr3 = 0x00000000;
 -    cpu->isar.id_isar0 = 0x01141110;
 -    cpu->isar.id_isar1 = 0x02111000;
 -    cpu->isar.id_isar2 = 0x21112231;
 -    cpu->isar.id_isar3 = 0x01111110;
 -    cpu->isar.id_isar4 = 0x01310102;
 -    cpu->isar.id_isar5 = 0x00000000;
 -    cpu->isar.id_isar6 = 0x00000000;
 -}
 -
 -static void cortex_m7_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    set_feature(&cpu->env, ARM_FEATURE_V7);
 -    set_feature(&cpu->env, ARM_FEATURE_M);
 -    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 -    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 -    cpu->midr = 0x411fc272; /* r1p2 */
 -    cpu->pmsav7_dregion = 8;
 -    cpu->isar.mvfr0 = 0x10110221;
 -    cpu->isar.mvfr1 = 0x12000011;
 -    cpu->isar.mvfr2 = 0x00000040;
 -    cpu->id_pfr0 = 0x00000030;
 -    cpu->id_pfr1 = 0x00000200;
 -    cpu->isar.id_dfr0 = 0x00100000;
 -    cpu->id_afr0 = 0x00000000;
 -    cpu->isar.id_mmfr0 = 0x00100030;
 -    cpu->isar.id_mmfr1 = 0x00000000;
 -    cpu->isar.id_mmfr2 = 0x01000000;
 -    cpu->isar.id_mmfr3 = 0x00000000;
 -    cpu->isar.id_isar0 = 0x01101110;
 -    cpu->isar.id_isar1 = 0x02112000;
 -    cpu->isar.id_isar2 = 0x20232231;
 -    cpu->isar.id_isar3 = 0x01111131;
 -    cpu->isar.id_isar4 = 0x01310132;
 -    cpu->isar.id_isar5 = 0x00000000;
 -    cpu->isar.id_isar6 = 0x00000000;
 -}
 -
 -static void cortex_m33_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    set_feature(&cpu->env, ARM_FEATURE_V8);
 -    set_feature(&cpu->env, ARM_FEATURE_M);
 -    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 -    set_feature(&cpu->env, ARM_FEATURE_M_SECURITY);
 -    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 -    cpu->midr = 0x410fd213; /* r0p3 */
 -    cpu->pmsav7_dregion = 16;
 -    cpu->sau_sregion = 8;
 -    cpu->isar.mvfr0 = 0x10110021;
 -    cpu->isar.mvfr1 = 0x11000011;
 -    cpu->isar.mvfr2 = 0x00000040;
 -    cpu->id_pfr0 = 0x00000030;
 -    cpu->id_pfr1 = 0x00000210;
 -    cpu->isar.id_dfr0 = 0x00200000;
 -    cpu->id_afr0 = 0x00000000;
 -    cpu->isar.id_mmfr0 = 0x00101F40;
 -    cpu->isar.id_mmfr1 = 0x00000000;
 -    cpu->isar.id_mmfr2 = 0x01000000;
 -    cpu->isar.id_mmfr3 = 0x00000000;
 -    cpu->isar.id_isar0 = 0x01101110;
 -    cpu->isar.id_isar1 = 0x02212000;
 -    cpu->isar.id_isar2 = 0x20232232;
 -    cpu->isar.id_isar3 = 0x01111131;
 -    cpu->isar.id_isar4 = 0x01310132;
 -    cpu->isar.id_isar5 = 0x00000000;
 -    cpu->isar.id_isar6 = 0x00000000;
 -    cpu->clidr = 0x00000000;
 -    cpu->ctr = 0x8000c000;
 -}
 -
 -static void arm_v7m_class_init(ObjectClass *oc, void *data)
 -{
 -    ARMCPUClass *acc = ARM_CPU_CLASS(oc);
 -    CPUClass *cc = CPU_CLASS(oc);
 -
 -    acc->info = data;
 -#ifndef CONFIG_USER_ONLY
 -    cc->do_interrupt = arm_v7m_cpu_do_interrupt;
 -#endif
 -
 -    cc->cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt;
 -}
 -
 -static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
 -    /* Dummy the TCM region regs for the moment */
 -    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
 -      .access = PL1_RW, .type = ARM_CP_CONST },
 -    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
 -      .access = PL1_RW, .type = ARM_CP_CONST },
 -    { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
 -      .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
 -    REGINFO_SENTINEL
 -};
 -
--static void cortex_r5_initfn(Object *obj)
+ static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
--{
+ {
--    ARMCPU *cpu = ARM_CPU(obj);
+     return env->gicv3state;
--
+diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
 -    set_feature(&cpu->env, ARM_FEATURE_V7);
 -    set_feature(&cpu->env, ARM_FEATURE_V7MP);
 -    set_feature(&cpu->env, ARM_FEATURE_PMSA);
 -    set_feature(&cpu->env, ARM_FEATURE_PMU);
 -    cpu->midr = 0x411fc153; /* r1p3 */
 -    cpu->id_pfr0 = 0x0131;
 -    cpu->id_pfr1 = 0x001;
 -    cpu->isar.id_dfr0 = 0x010400;
 -    cpu->id_afr0 = 0x0;
 -    cpu->isar.id_mmfr0 = 0x0210030;
 -    cpu->isar.id_mmfr1 = 0x00000000;
 -    cpu->isar.id_mmfr2 = 0x01200000;
 -    cpu->isar.id_mmfr3 = 0x0211;
 -    cpu->isar.id_isar0 = 0x02101111;
 -    cpu->isar.id_isar1 = 0x13112111;
 -    cpu->isar.id_isar2 = 0x21232141;
 -    cpu->isar.id_isar3 = 0x01112131;
 -    cpu->isar.id_isar4 = 0x0010142;
 -    cpu->isar.id_isar5 = 0x0;
 -    cpu->isar.id_isar6 = 0x0;
 -    cpu->mp_is_up = true;
 -    cpu->pmsav7_dregion = 16;
 -    define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
 -}
 -
 -static void cortex_r5f_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cortex_r5_initfn(obj);
 -    cpu->isar.mvfr0 = 0x10110221;
 -    cpu->isar.mvfr1 = 0x00000011;
 -}
 -
  static const ARMCPRegInfo cortexa8_cp_reginfo[] = {
      { .name = "L2LOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 0,
        .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
      define_arm_cp_regs(cpu, cortexa15_cp_reginfo);
  }
 -static void ti925t_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -    set_feature(&cpu->env, ARM_FEATURE_V4T);
 -    set_feature(&cpu->env, ARM_FEATURE_OMAPCP);
 -    cpu->midr = ARM_CPUID_TI925T;
 -    cpu->ctr = 0x5109149;
 -    cpu->reset_sctlr = 0x00000070;
 -}
 -
 -static void sa1100_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "intel,sa1100";
 -    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    cpu->midr = 0x4401A11B;
 -    cpu->reset_sctlr = 0x00000070;
 -}
 -
 -static void sa1110_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
 -    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 -    cpu->midr = 0x6901B119;
 -    cpu->reset_sctlr = 0x00000070;
 -}
 -
 -static void pxa250_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    cpu->midr = 0x69052100;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa255_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    cpu->midr = 0x69052d00;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa260_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    cpu->midr = 0x69052903;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa261_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    cpu->midr = 0x69052d05;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa262_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    cpu->midr = 0x69052d06;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270a0_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054110;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270a1_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054111;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270b0_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054112;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270b1_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054113;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270c0_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054114;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
 -static void pxa270c5_initfn(Object *obj)
 -{
 -    ARMCPU *cpu = ARM_CPU(obj);
 -
 -    cpu->dtb_compatible = "marvell,xscale";
 -    set_feature(&cpu->env, ARM_FEATURE_V5);
 -    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 -    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 -    cpu->midr = 0x69054117;
 -    cpu->ctr = 0xd172172;
 -    cpu->reset_sctlr = 0x00000078;
 -}
 -
  #ifndef TARGET_AARCH64
  /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
   * otherwise, a CPU with as many features enabled as our emulation supports.
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
  static const ARMCPUInfo arm_cpus[] = {
  #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 -    { .name = "arm926",      .initfn = arm926_initfn },
 -    { .name = "arm946",      .initfn = arm946_initfn },
 -    { .name = "arm1026",     .initfn = arm1026_initfn },
 -    /*
 -     * What QEMU calls "arm1136-r2" is actually the 1136 r0p2, i.e. an
 -     * older core than plain "arm1136". In particular this does not
 -     * have the v6K features.
 -     */
 -    { .name = "arm1136-r2",  .initfn = arm1136_r2_initfn },
 -    { .name = "arm1136",     .initfn = arm1136_initfn },
 -    { .name = "arm1176",     .initfn = arm1176_initfn },
 -    { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
 -    { .name = "cortex-m0",   .initfn = cortex_m0_initfn,
 -                             .class_init = arm_v7m_class_init },
 -    { .name = "cortex-m3",   .initfn = cortex_m3_initfn,
 -                             .class_init = arm_v7m_class_init },
 -    { .name = "cortex-m4",   .initfn = cortex_m4_initfn,
 -                             .class_init = arm_v7m_class_init },
 -    { .name = "cortex-m7",   .initfn = cortex_m7_initfn,
 -                             .class_init = arm_v7m_class_init },
 -    { .name = "cortex-m33",  .initfn = cortex_m33_initfn,
 -                             .class_init = arm_v7m_class_init },
 -    { .name = "cortex-r5",   .initfn = cortex_r5_initfn },
 -    { .name = "cortex-r5f",  .initfn = cortex_r5f_initfn },
      { .name = "cortex-a7",   .initfn = cortex_a7_initfn },
      { .name = "cortex-a8",   .initfn = cortex_a8_initfn },
      { .name = "cortex-a9",   .initfn = cortex_a9_initfn },
      { .name = "cortex-a15",  .initfn = cortex_a15_initfn },
 -    { .name = "ti925t",      .initfn = ti925t_initfn },
 -    { .name = "sa1100",      .initfn = sa1100_initfn },
 -    { .name = "sa1110",      .initfn = sa1110_initfn },
 -    { .name = "pxa250",      .initfn = pxa250_initfn },
 -    { .name = "pxa255",      .initfn = pxa255_initfn },
 -    { .name = "pxa260",      .initfn = pxa260_initfn },
 -    { .name = "pxa261",      .initfn = pxa261_initfn },
 -    { .name = "pxa262",      .initfn = pxa262_initfn },
 -    /* "pxa270" is an alias for "pxa270-a0" */
 -    { .name = "pxa270",      .initfn = pxa270a0_initfn },
 -    { .name = "pxa270-a0",   .initfn = pxa270a0_initfn },
 -    { .name = "pxa270-a1",   .initfn = pxa270a1_initfn },
 -    { .name = "pxa270-b0",   .initfn = pxa270b0_initfn },
 -    { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
 -    { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
 -    { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
  #ifndef TARGET_AARCH64
      { .name = "max",         .initfn = arm_max_initfn },
  #endif
 diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/target/arm/cpu_tcg.c
++++ b/hw/intc/arm_gicv3_cpuif_common.c
 @@ -XXX,XX +XXX,XX @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
 +/*
-+ * QEMU ARM TCG CPUs.
++ * ARM Generic Interrupt Controller v3
 + *
-+ * Copyright (c) 2012 SUSE LINUX Products GmbH
++ * Copyright (c) 2016 Linaro Limited
 + * Written by Peter Maydell
 + *
-+ * This code is licensed under the GNU GPL v2 or later.
++ * This code is licensed under the GPL, version 2 or (at your option)
-+ *
++ * any later version.
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
 +#include "qemu/osdep.h"
++#include "gicv3_internal.h"
 +#include "cpu.h"
-+#include "internals.h"
 +
-+/* CPU models. These are not needed for the AArch64 linux-user build. */
++void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
-+#if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
++{
 +    ARMCPU *arm_cpu = ARM_CPU(cpu);
 +    CPUARMState *env = &arm_cpu->env;
 +
-+static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
++    env->gicv3state = (void *)s;
 +{
 +    CPUClass *cc = CPU_GET_CLASS(cs);
 +    ARMCPU *cpu = ARM_CPU(cs);
 +    CPUARMState *env = &cpu->env;
 +    bool ret = false;
 +
 +    /*
 +     * ARMv7-M interrupt masking works differently than -A or -R.
 +     * There is no FIQ/IRQ distinction. Instead of I and F bits
 +     * masking FIQ and IRQ interrupts, an exception is taken only
 +     * if it is higher priority than the current execution priority
 +     * (which depends on state like BASEPRI, FAULTMASK and the
 +     * currently active exception).
 +     */
 +    if (interrupt_request & CPU_INTERRUPT_HARD
 +        && (armv7m_nvic_can_take_pending_exception(env->nvic))) {
 +        cs->exception_index = EXCP_IRQ;
 +        cc->do_interrupt(cs);
 +        ret = true;
 +    }
 +    return ret;
 +}
 +
 +static void arm926_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm926";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
 +    cpu->midr = 0x41069265;
 +    cpu->reset_fpsid = 0x41011090;
 +    cpu->ctr = 0x1dd20d2;
 +    cpu->reset_sctlr = 0x00090078;
 +
 +    /*
 +     * ARMv5 does not have the ID_ISAR registers, but we can still
 +     * set the field to indicate Jazelle support within QEMU.
 +     */
 +    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
 +    /*
 +     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
 +     * support even though ARMv5 doesn't have this register.
 +     */
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 +}
 +
 +static void arm946_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm946";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_PMSA);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    cpu->midr = 0x41059461;
 +    cpu->ctr = 0x0f004006;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void arm1026_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm1026";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
 +    cpu->midr = 0x4106a262;
 +    cpu->reset_fpsid = 0x410110a0;
 +    cpu->ctr = 0x1dd20d2;
 +    cpu->reset_sctlr = 0x00090078;
 +    cpu->reset_auxcr = 1;
 +
 +    /*
 +     * ARMv5 does not have the ID_ISAR registers, but we can still
 +     * set the field to indicate Jazelle support within QEMU.
 +     */
 +    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
 +    /*
 +     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
 +     * support even though ARMv5 doesn't have this register.
 +     */
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
 +    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
 +
 +    {
 +        /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
 +        ARMCPRegInfo ifar = {
 +            .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
 +            .access = PL1_RW,
 +            .fieldoffset = offsetof(CPUARMState, cp15.ifar_ns),
 +            .resetvalue = 0
 +        };
 +        define_one_arm_cp_reg(cpu, &ifar);
 +    }
 +}
 +
 +static void arm1136_r2_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    /*
 +     * What qemu calls "arm1136_r2" is actually the 1136 r0p2, ie an
 +     * older core than plain "arm1136". In particular this does not
 +     * have the v6K features.
 +     * These ID register values are correct for 1136 but may be wrong
 +     * for 1136_r2 (in particular r0p2 does not actually implement most
 +     * of the ID registers).
 +     */
 +
 +    cpu->dtb_compatible = "arm,arm1136";
 +    set_feature(&cpu->env, ARM_FEATURE_V6);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 +    cpu->midr = 0x4107b362;
 +    cpu->reset_fpsid = 0x410120b4;
 +    cpu->isar.mvfr0 = 0x11111111;
 +    cpu->isar.mvfr1 = 0x00000000;
 +    cpu->ctr = 0x1dd20d2;
 +    cpu->reset_sctlr = 0x00050078;
 +    cpu->id_pfr0 = 0x111;
 +    cpu->id_pfr1 = 0x1;
 +    cpu->isar.id_dfr0 = 0x2;
 +    cpu->id_afr0 = 0x3;
 +    cpu->isar.id_mmfr0 = 0x01130003;
 +    cpu->isar.id_mmfr1 = 0x10030302;
 +    cpu->isar.id_mmfr2 = 0x01222110;
 +    cpu->isar.id_isar0 = 0x00140011;
 +    cpu->isar.id_isar1 = 0x12002111;
 +    cpu->isar.id_isar2 = 0x11231111;
 +    cpu->isar.id_isar3 = 0x01102131;
 +    cpu->isar.id_isar4 = 0x141;
 +    cpu->reset_auxcr = 7;
 +}
 +
 +static void arm1136_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm1136";
 +    set_feature(&cpu->env, ARM_FEATURE_V6K);
 +    set_feature(&cpu->env, ARM_FEATURE_V6);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 +    cpu->midr = 0x4117b363;
 +    cpu->reset_fpsid = 0x410120b4;
 +    cpu->isar.mvfr0 = 0x11111111;
 +    cpu->isar.mvfr1 = 0x00000000;
 +    cpu->ctr = 0x1dd20d2;
 +    cpu->reset_sctlr = 0x00050078;
 +    cpu->id_pfr0 = 0x111;
 +    cpu->id_pfr1 = 0x1;
 +    cpu->isar.id_dfr0 = 0x2;
 +    cpu->id_afr0 = 0x3;
 +    cpu->isar.id_mmfr0 = 0x01130003;
 +    cpu->isar.id_mmfr1 = 0x10030302;
 +    cpu->isar.id_mmfr2 = 0x01222110;
 +    cpu->isar.id_isar0 = 0x00140011;
 +    cpu->isar.id_isar1 = 0x12002111;
 +    cpu->isar.id_isar2 = 0x11231111;
 +    cpu->isar.id_isar3 = 0x01102131;
 +    cpu->isar.id_isar4 = 0x141;
 +    cpu->reset_auxcr = 7;
 +}
 +
 +static void arm1176_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm1176";
 +    set_feature(&cpu->env, ARM_FEATURE_V6K);
 +    set_feature(&cpu->env, ARM_FEATURE_VAPA);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
 +    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
 +    set_feature(&cpu->env, ARM_FEATURE_EL3);
 +    cpu->midr = 0x410fb767;
 +    cpu->reset_fpsid = 0x410120b5;
 +    cpu->isar.mvfr0 = 0x11111111;
 +    cpu->isar.mvfr1 = 0x00000000;
 +    cpu->ctr = 0x1dd20d2;
 +    cpu->reset_sctlr = 0x00050078;
 +    cpu->id_pfr0 = 0x111;
 +    cpu->id_pfr1 = 0x11;
 +    cpu->isar.id_dfr0 = 0x33;
 +    cpu->id_afr0 = 0;
 +    cpu->isar.id_mmfr0 = 0x01130003;
 +    cpu->isar.id_mmfr1 = 0x10030302;
 +    cpu->isar.id_mmfr2 = 0x01222100;
 +    cpu->isar.id_isar0 = 0x0140011;
 +    cpu->isar.id_isar1 = 0x12002111;
 +    cpu->isar.id_isar2 = 0x11231121;
 +    cpu->isar.id_isar3 = 0x01102131;
 +    cpu->isar.id_isar4 = 0x01141;
 +    cpu->reset_auxcr = 7;
 +}
 +
 +static void arm11mpcore_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "arm,arm11mpcore";
 +    set_feature(&cpu->env, ARM_FEATURE_V6K);
 +    set_feature(&cpu->env, ARM_FEATURE_VAPA);
 +    set_feature(&cpu->env, ARM_FEATURE_MPIDR);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    cpu->midr = 0x410fb022;
 +    cpu->reset_fpsid = 0x410120b4;
 +    cpu->isar.mvfr0 = 0x11111111;
 +    cpu->isar.mvfr1 = 0x00000000;
 +    cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
 +    cpu->id_pfr0 = 0x111;
 +    cpu->id_pfr1 = 0x1;
 +    cpu->isar.id_dfr0 = 0;
 +    cpu->id_afr0 = 0x2;
 +    cpu->isar.id_mmfr0 = 0x01100103;
 +    cpu->isar.id_mmfr1 = 0x10020302;
 +    cpu->isar.id_mmfr2 = 0x01222000;
 +    cpu->isar.id_isar0 = 0x00100011;
 +    cpu->isar.id_isar1 = 0x12002111;
 +    cpu->isar.id_isar2 = 0x11221011;
 +    cpu->isar.id_isar3 = 0x01102131;
 +    cpu->isar.id_isar4 = 0x141;
 +    cpu->reset_auxcr = 1;
 +}
 +
 +static void cortex_m0_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    set_feature(&cpu->env, ARM_FEATURE_V6);
 +    set_feature(&cpu->env, ARM_FEATURE_M);
 +
 +    cpu->midr = 0x410cc200;
 +}
 +
 +static void cortex_m3_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    set_feature(&cpu->env, ARM_FEATURE_V7);
 +    set_feature(&cpu->env, ARM_FEATURE_M);
 +    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 +    cpu->midr = 0x410fc231;
 +    cpu->pmsav7_dregion = 8;
 +    cpu->id_pfr0 = 0x00000030;
 +    cpu->id_pfr1 = 0x00000200;
 +    cpu->isar.id_dfr0 = 0x00100000;
 +    cpu->id_afr0 = 0x00000000;
 +    cpu->isar.id_mmfr0 = 0x00000030;
 +    cpu->isar.id_mmfr1 = 0x00000000;
 +    cpu->isar.id_mmfr2 = 0x00000000;
 +    cpu->isar.id_mmfr3 = 0x00000000;
 +    cpu->isar.id_isar0 = 0x01141110;
 +    cpu->isar.id_isar1 = 0x02111000;
 +    cpu->isar.id_isar2 = 0x21112231;
 +    cpu->isar.id_isar3 = 0x01111110;
 +    cpu->isar.id_isar4 = 0x01310102;
 +    cpu->isar.id_isar5 = 0x00000000;
 +    cpu->isar.id_isar6 = 0x00000000;
 +}
 +
 +static void cortex_m4_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    set_feature(&cpu->env, ARM_FEATURE_V7);
 +    set_feature(&cpu->env, ARM_FEATURE_M);
 +    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 +    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 +    cpu->midr = 0x410fc240; /* r0p0 */
 +    cpu->pmsav7_dregion = 8;
 +    cpu->isar.mvfr0 = 0x10110021;
 +    cpu->isar.mvfr1 = 0x11000011;
 +    cpu->isar.mvfr2 = 0x00000000;
 +    cpu->id_pfr0 = 0x00000030;
 +    cpu->id_pfr1 = 0x00000200;
 +    cpu->isar.id_dfr0 = 0x00100000;
 +    cpu->id_afr0 = 0x00000000;
 +    cpu->isar.id_mmfr0 = 0x00000030;
 +    cpu->isar.id_mmfr1 = 0x00000000;
 +    cpu->isar.id_mmfr2 = 0x00000000;
 +    cpu->isar.id_mmfr3 = 0x00000000;
 +    cpu->isar.id_isar0 = 0x01141110;
 +    cpu->isar.id_isar1 = 0x02111000;
 +    cpu->isar.id_isar2 = 0x21112231;
 +    cpu->isar.id_isar3 = 0x01111110;
 +    cpu->isar.id_isar4 = 0x01310102;
 +    cpu->isar.id_isar5 = 0x00000000;
 +    cpu->isar.id_isar6 = 0x00000000;
 +}
 +
 +static void cortex_m7_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    set_feature(&cpu->env, ARM_FEATURE_V7);
 +    set_feature(&cpu->env, ARM_FEATURE_M);
 +    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 +    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 +    cpu->midr = 0x411fc272; /* r1p2 */
 +    cpu->pmsav7_dregion = 8;
 +    cpu->isar.mvfr0 = 0x10110221;
 +    cpu->isar.mvfr1 = 0x12000011;
 +    cpu->isar.mvfr2 = 0x00000040;
 +    cpu->id_pfr0 = 0x00000030;
 +    cpu->id_pfr1 = 0x00000200;
 +    cpu->isar.id_dfr0 = 0x00100000;
 +    cpu->id_afr0 = 0x00000000;
 +    cpu->isar.id_mmfr0 = 0x00100030;
 +    cpu->isar.id_mmfr1 = 0x00000000;
 +    cpu->isar.id_mmfr2 = 0x01000000;
 +    cpu->isar.id_mmfr3 = 0x00000000;
 +    cpu->isar.id_isar0 = 0x01101110;
 +    cpu->isar.id_isar1 = 0x02112000;
 +    cpu->isar.id_isar2 = 0x20232231;
 +    cpu->isar.id_isar3 = 0x01111131;
 +    cpu->isar.id_isar4 = 0x01310132;
 +    cpu->isar.id_isar5 = 0x00000000;
 +    cpu->isar.id_isar6 = 0x00000000;
 +}
 +
 +static void cortex_m33_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    set_feature(&cpu->env, ARM_FEATURE_V8);
 +    set_feature(&cpu->env, ARM_FEATURE_M);
 +    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
 +    set_feature(&cpu->env, ARM_FEATURE_M_SECURITY);
 +    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
 +    cpu->midr = 0x410fd213; /* r0p3 */
 +    cpu->pmsav7_dregion = 16;
 +    cpu->sau_sregion = 8;
 +    cpu->isar.mvfr0 = 0x10110021;
 +    cpu->isar.mvfr1 = 0x11000011;
 +    cpu->isar.mvfr2 = 0x00000040;
 +    cpu->id_pfr0 = 0x00000030;
 +    cpu->id_pfr1 = 0x00000210;
 +    cpu->isar.id_dfr0 = 0x00200000;
 +    cpu->id_afr0 = 0x00000000;
 +    cpu->isar.id_mmfr0 = 0x00101F40;
 +    cpu->isar.id_mmfr1 = 0x00000000;
 +    cpu->isar.id_mmfr2 = 0x01000000;
 +    cpu->isar.id_mmfr3 = 0x00000000;
 +    cpu->isar.id_isar0 = 0x01101110;
 +    cpu->isar.id_isar1 = 0x02212000;
 +    cpu->isar.id_isar2 = 0x20232232;
 +    cpu->isar.id_isar3 = 0x01111131;
 +    cpu->isar.id_isar4 = 0x01310132;
 +    cpu->isar.id_isar5 = 0x00000000;
 +    cpu->isar.id_isar6 = 0x00000000;
 +    cpu->clidr = 0x00000000;
 +    cpu->ctr = 0x8000c000;
 +}
 +
 +static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
 +    /* Dummy the TCM region regs for the moment */
 +    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_CONST },
 +    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
 +      .access = PL1_RW, .type = ARM_CP_CONST },
 +    { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
 +      .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
 +    REGINFO_SENTINEL
 +};
-+
+diff --git a/hw/intc/meson.build b/hw/intc/meson.build
 +static void cortex_r5_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    set_feature(&cpu->env, ARM_FEATURE_V7);
 +    set_feature(&cpu->env, ARM_FEATURE_V7MP);
 +    set_feature(&cpu->env, ARM_FEATURE_PMSA);
 +    set_feature(&cpu->env, ARM_FEATURE_PMU);
 +    cpu->midr = 0x411fc153; /* r1p3 */
 +    cpu->id_pfr0 = 0x0131;
 +    cpu->id_pfr1 = 0x001;
 +    cpu->isar.id_dfr0 = 0x010400;
 +    cpu->id_afr0 = 0x0;
 +    cpu->isar.id_mmfr0 = 0x0210030;
 +    cpu->isar.id_mmfr1 = 0x00000000;
 +    cpu->isar.id_mmfr2 = 0x01200000;
 +    cpu->isar.id_mmfr3 = 0x0211;
 +    cpu->isar.id_isar0 = 0x02101111;
 +    cpu->isar.id_isar1 = 0x13112111;
 +    cpu->isar.id_isar2 = 0x21232141;
 +    cpu->isar.id_isar3 = 0x01112131;
 +    cpu->isar.id_isar4 = 0x0010142;
 +    cpu->isar.id_isar5 = 0x0;
 +    cpu->isar.id_isar6 = 0x0;
 +    cpu->mp_is_up = true;
 +    cpu->pmsav7_dregion = 16;
 +    define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
 +}
 +
 +static void cortex_r5f_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cortex_r5_initfn(obj);
 +    cpu->isar.mvfr0 = 0x10110221;
 +    cpu->isar.mvfr1 = 0x00000011;
 +}
 +
 +static void ti925t_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    set_feature(&cpu->env, ARM_FEATURE_V4T);
 +    set_feature(&cpu->env, ARM_FEATURE_OMAPCP);
 +    cpu->midr = ARM_CPUID_TI925T;
 +    cpu->ctr = 0x5109149;
 +    cpu->reset_sctlr = 0x00000070;
 +}
 +
 +static void sa1100_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "intel,sa1100";
 +    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    cpu->midr = 0x4401A11B;
 +    cpu->reset_sctlr = 0x00000070;
 +}
 +
 +static void sa1110_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
 +    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
 +    cpu->midr = 0x6901B119;
 +    cpu->reset_sctlr = 0x00000070;
 +}
 +
 +static void pxa250_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    cpu->midr = 0x69052100;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa255_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    cpu->midr = 0x69052d00;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa260_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    cpu->midr = 0x69052903;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa261_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    cpu->midr = 0x69052d05;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa262_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    cpu->midr = 0x69052d06;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270a0_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054110;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270a1_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054111;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270b0_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054112;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270b1_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054113;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270c0_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054114;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void pxa270c5_initfn(Object *obj)
 +{
 +    ARMCPU *cpu = ARM_CPU(obj);
 +
 +    cpu->dtb_compatible = "marvell,xscale";
 +    set_feature(&cpu->env, ARM_FEATURE_V5);
 +    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
 +    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
 +    cpu->midr = 0x69054117;
 +    cpu->ctr = 0xd172172;
 +    cpu->reset_sctlr = 0x00000078;
 +}
 +
 +static void arm_v7m_class_init(ObjectClass *oc, void *data)
 +{
 +    ARMCPUClass *acc = ARM_CPU_CLASS(oc);
 +    CPUClass *cc = CPU_CLASS(oc);
 +
 +    acc->info = data;
 +#ifndef CONFIG_USER_ONLY
 +    cc->do_interrupt = arm_v7m_cpu_do_interrupt;
 +#endif
 +
 +    cc->cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt;
 +}
 +
 +static const ARMCPUInfo arm_tcg_cpus[] = {
 +    { .name = "arm926",      .initfn = arm926_initfn },
 +    { .name = "arm946",      .initfn = arm946_initfn },
 +    { .name = "arm1026",     .initfn = arm1026_initfn },
 +    /*
 +     * What QEMU calls "arm1136-r2" is actually the 1136 r0p2, i.e. an
 +     * older core than plain "arm1136". In particular this does not
 +     * have the v6K features.
 +     */
 +    { .name = "arm1136-r2",  .initfn = arm1136_r2_initfn },
 +    { .name = "arm1136",     .initfn = arm1136_initfn },
 +    { .name = "arm1176",     .initfn = arm1176_initfn },
 +    { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
 +    { .name = "cortex-m0",   .initfn = cortex_m0_initfn,
 +                             .class_init = arm_v7m_class_init },
 +    { .name = "cortex-m3",   .initfn = cortex_m3_initfn,
 +                             .class_init = arm_v7m_class_init },
 +    { .name = "cortex-m4",   .initfn = cortex_m4_initfn,
 +                             .class_init = arm_v7m_class_init },
 +    { .name = "cortex-m7",   .initfn = cortex_m7_initfn,
 +                             .class_init = arm_v7m_class_init },
 +    { .name = "cortex-m33",  .initfn = cortex_m33_initfn,
 +                             .class_init = arm_v7m_class_init },
 +    { .name = "cortex-r5",   .initfn = cortex_r5_initfn },
 +    { .name = "cortex-r5f",  .initfn = cortex_r5f_initfn },
 +    { .name = "ti925t",      .initfn = ti925t_initfn },
 +    { .name = "sa1100",      .initfn = sa1100_initfn },
 +    { .name = "sa1110",      .initfn = sa1110_initfn },
 +    { .name = "pxa250",      .initfn = pxa250_initfn },
 +    { .name = "pxa255",      .initfn = pxa255_initfn },
 +    { .name = "pxa260",      .initfn = pxa260_initfn },
 +    { .name = "pxa261",      .initfn = pxa261_initfn },
 +    { .name = "pxa262",      .initfn = pxa262_initfn },
 +    /* "pxa270" is an alias for "pxa270-a0" */
 +    { .name = "pxa270",      .initfn = pxa270a0_initfn },
 +    { .name = "pxa270-a0",   .initfn = pxa270a0_initfn },
 +    { .name = "pxa270-a1",   .initfn = pxa270a1_initfn },
 +    { .name = "pxa270-b0",   .initfn = pxa270b0_initfn },
 +    { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
 +    { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
 +    { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
 +};
 +
 +static void arm_tcg_cpu_register_types(void)
 +{
 +    size_t i;
 +
 +    for (i = 0; i < ARRAY_SIZE(arm_tcg_cpus); ++i) {
 +        arm_cpu_register(&arm_tcg_cpus[i]);
 +    }
 +}
 +
 +type_init(arm_tcg_cpu_register_types)
 +
 +#endif /* !CONFIG_USER_ONLY || !TARGET_AARCH64 */
 diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/Makefile.objs
+--- a/hw/intc/meson.build
-+++ b/target/arm/Makefile.objs
++++ b/hw/intc/meson.build
-@@ -XXX,XX +XXX,XX @@ obj-y += translate.o op_helper.o
+@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
- obj-y += crypto_helper.o
- obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
+ specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
- obj-y += m_helper.o
+ specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
-+obj-y += cpu_tcg.o
++specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
+ specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
- obj-$(CONFIG_SOFTMMU) += psci.o
+ specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
+ specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
 --
-.20.1
+.25.1

-[PULL 30/34] target/arm/cpu: Restrict v8M IDAU interface to Aarch32 CPUs
+[PULL 08/33] hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector
 From: Philippe Mathieu-Daudé <philmd@redhat.com>
-As IDAU is a v8M feature, restrict it to the Aarch32 CPUs.
+The TYPE_ARM_GICV3 device is an emulated one.  When using
 KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
 (which uses in-kernel support).
 When using --with-devices-FOO, it is possible to build a
 binary with a specific set of devices. When this binary is
 restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
 irrelevant, and it is desirable to remove it from the binary.
 Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
 which select the files required to have the TYPE_ARM_GICV3
 device, but also allowing to de-select this device.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20200504172448.9402-5-philmd@redhat.com
+Message-id: 20211115223619.2599282-3-philmd@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 2 +-
+ hw/intc/arm_gicv3.c |  2 +-
-file changed, 1 insertion(+), 1 deletion(-)
+ hw/intc/Kconfig     |  5 +++++
  hw/intc/meson.build | 10 ++++++----
 files changed, 12 insertions(+), 5 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/hw/intc/arm_gicv3.c
-+++ b/target/arm/cpu.c
++++ b/hw/intc/arm_gicv3.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
+@@ -XXX,XX +XXX,XX @@
-     const size_t cpu_count = ARRAY_SIZE(arm_cpus);
+ /*
+- * ARM Generic Interrupt Controller v3
-     type_register_static(&arm_cpu_type_info);
++ * ARM Generic Interrupt Controller v3 (emulation)
--    type_register_static(&idau_interface_type_info);
+  *
+  * Copyright (c) 2015 Huawei.
- #ifdef CONFIG_KVM
+  * Copyright (c) 2016 Linaro Limited
-     type_register_static(&host_arm_cpu_type_info);
+diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
+index XXXXXXX..XXXXXXX 100644
-     if (cpu_count) {
+--- a/hw/intc/Kconfig
-         size_t i;
++++ b/hw/intc/Kconfig
+@@ -XXX,XX +XXX,XX @@ config APIC
-+        type_register_static(&idau_interface_type_info);
+     select MSI_NONBROKEN
-         for (i = 0; i < cpu_count; ++i) {
+     select I8259
-             arm_cpu_register(&arm_cpus[i]);
-         }
++config ARM_GIC_TCG
 +    bool
 +    default y
 +    depends on ARM_GIC && TCG
 +
  config ARM_GIC_KVM
      bool
      default y
 diff --git a/hw/intc/meson.build b/hw/intc/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/intc/meson.build
 +++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
    'arm_gic.c',
    'arm_gic_common.c',
    'arm_gicv2m.c',
 -  'arm_gicv3.c',
    'arm_gicv3_common.c',
 -  'arm_gicv3_dist.c',
    'arm_gicv3_its_common.c',
 -  'arm_gicv3_redist.c',
 +))
 +softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
 +  'arm_gicv3.c',
 +  'arm_gicv3_dist.c',
    'arm_gicv3_its.c',
 +  'arm_gicv3_redist.c',
  ))
  softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
  softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
  specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
  specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
  specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
 -specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
 +specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
  specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
  specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
  specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
 --
-.20.1
+.25.1

-[PULL 26/34] target/arm: Remove sve_memopidx
+[PULL 09/33] target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
 From: Richard Henderson <richard.henderson@linaro.org>
-None of the sve helpers use TCGMemOpIdx any longer, so we can
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 stop passing it.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-20-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h     |  5 -----
+ target/arm/translate-a64.c | 7 ++++---
- target/arm/sve_helper.c    | 14 +++++++-------
+file changed, 4 insertions(+), 3 deletions(-)
  target/arm/translate-sve.c | 17 +++--------------
 files changed, 10 insertions(+), 26 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/internals.h
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static inline int arm_num_ctx_cmps(ARMCPU *cpu)
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *s = container_of(dcbase, DisasContext, base);
      CPUARMState *env = cpu->env_ptr;
 +    uint64_t pc = s->base.pc_next;
      uint32_t insn;
      if (s->ss_active && !s->pstate_ss) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
- }
+-    s->pc_curr = s->base.pc_next;
--/* Note make_memop_idx reserves 4 bits for mmu_idx, and MO_BSWAP is bit 3.
+-    insn = arm_ldl_code(env, &s->base, s->base.pc_next, s->sctlr_b);
-- * Thus a TCGMemOpIdx, without any MO_ALIGN bits, fits in 8 bits.
++    s->pc_curr = pc;
-- */
++    insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
--#define MEMOPIDX_SHIFT  8
+     s->insn = insn;
--
+-    s->base.pc_next += 4;
- /**
++    s->base.pc_next = pc + 4;
-  * v7m_using_psp: Return true if using process stack pointer
-  * Return true if the CPU is currently using the process stack
+     s->fp_access_checked = false;
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+     s->sve_access_checked = false;
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void sve_ldN_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
                 sve_ldst1_host_fn *host_fn,
                 sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 +    const unsigned rd = simd_data(desc);
      const intptr_t reg_max = simd_oprsz(desc);
      intptr_t reg_off, reg_last, mem_off;
      SVEContLdSt info;
@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                     sve_ldst1_host_fn *host_fn,
                     sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 +    const unsigned rd = simd_data(desc);
      void *vd = &env->vfp.zregs[rd];
      const intptr_t reg_max = simd_oprsz(desc);
      intptr_t reg_off, mem_off, reg_last;
@@ -XXX,XX +XXX,XX @@ void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr, uint32_t desc,
                 sve_ldst1_host_fn *host_fn,
                 sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 +    const unsigned rd = simd_data(desc);
      const intptr_t reg_max = simd_oprsz(desc);
      intptr_t reg_off, reg_last, mem_off;
      SVEContLdSt info;
@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                 sve_ldst1_host_fn *host_fn,
                 sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      const int mmu_idx = cpu_mmu_index(env, false);
      const intptr_t reg_max = simd_oprsz(desc);
 +    const int scale = simd_data(desc);
      ARMVectorReg scratch;
      intptr_t reg_off;
      SVEHostPage info, info2;
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                   sve_ldst1_tlb_fn *tlb_fn)
  {
      const int mmu_idx = cpu_mmu_index(env, false);
 -    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    const int scale = simd_data(desc);
      const int esize = 1 << esz;
      const int msize = 1 << msz;
 -    const intptr_t reg_max = simd_oprsz(desc);
      intptr_t reg_off;
      SVEHostPage info;
      target_ulong addr, in_page;
@@ -XXX,XX +XXX,XX @@ void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                 sve_ldst1_host_fn *host_fn,
                 sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      const int mmu_idx = cpu_mmu_index(env, false);
      const intptr_t reg_max = simd_oprsz(desc);
 +    const int scale = simd_data(desc);
      void *host[ARM_MAX_VQ * 4];
      intptr_t reg_off, i;
      SVEHostPage info, info2;
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t dtype_esz[16] = {
 , 2, 1, 3
  };
 -static TCGMemOpIdx sve_memopidx(DisasContext *s, int dtype)
 -{
 -    return make_memop_idx(s->be_data | dtype_mop[dtype], get_mem_index(s));
 -}
 -
  static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
                         int dtype, gen_helper_gvec_mem *fn)
  {
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
       * registers as pointers, so encode the regno into the data field.
       * For consistency, do this even for LD1.
       */
 -    desc = sve_memopidx(s, dtype);
 -    desc |= zt << MEMOPIDX_SHIFT;
 -    desc = simd_desc(vsz, vsz, desc);
 +    desc = simd_desc(vsz, vsz, zt);
      t_desc = tcg_const_i32(desc);
      t_pg = tcg_temp_new_ptr();
@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int msz)
      int desc, poff;
      /* Load the first quadword using the normal predicated load helpers.  */
 -    desc = sve_memopidx(s, msz_dtype(s, msz));
 -    desc |= zt << MEMOPIDX_SHIFT;
 -    desc = simd_desc(16, 16, desc);
 +    desc = simd_desc(16, 16, zt);
      t_desc = tcg_const_i32(desc);
      poff = pred_full_reg_offset(s, pg);
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, int zm,
      TCGv_i32 t_desc;
      int desc;
 -    desc = sve_memopidx(s, msz_dtype(s, msz));
 -    desc |= scale << MEMOPIDX_SHIFT;
 -    desc = simd_desc(vsz, vsz, desc);
 +    desc = simd_desc(vsz, vsz, scale);
      t_desc = tcg_const_i32(desc);
      tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, pg));
 --
-.20.1
+.25.1

-[PULL 23/34] target/arm: Reuse sve_probe_page for gather first-fault loads
+[PULL 10/33] target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
 From: Richard Henderson <richard.henderson@linaro.org>
-This avoids the need for a separate set of helpers to implement
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 no-fault semantics, and will enable MTE in the future.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-17-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 323 ++++++++++++++++------------------------
+ target/arm/translate.c | 9 +++++----
-file changed, 127 insertions(+), 196 deletions(-)
+file changed, 5 insertions(+), 4 deletions(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/target/arm/translate.c
-+++ b/target/arm/sve_helper.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ DO_LD1_ZPZ_D(dd_be, zd)
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  /* First fault loads with a vector index.  */
 -/* Load one element into VD+REG_OFF from (ENV,VADDR) without faulting.
 - * The controlling predicate is known to be true.  Return true if the
 - * load was successful.
 - */
 -typedef bool sve_ld1_nf_fn(CPUARMState *env, void *vd, intptr_t reg_off,
 -                           target_ulong vaddr, int mmu_idx);
 -
 -#ifdef CONFIG_SOFTMMU
 -#define DO_LD_NF(NAME, H, TYPEE, TYPEM, HOST) \
 -static bool sve_ld##NAME##_nf(CPUARMState *env, void *vd, intptr_t reg_off, \
 -                              target_ulong addr, int mmu_idx)               \
 -{                                                                           \
 -    target_ulong next_page = -(addr | TARGET_PAGE_MASK);                    \
 -    if (likely(next_page - addr >= sizeof(TYPEM))) {                        \
 -        void *host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);  \
 -        if (likely(host)) {                                                 \
 -            TYPEM val = HOST(host);                                         \
 -            *(TYPEE *)(vd + H(reg_off)) = val;                              \
 -            return true;                                                    \
 -        }                                                                   \
 -    }                                                                       \
 -    return false;                                                           \
 -}
 -#else
 -#define DO_LD_NF(NAME, H, TYPEE, TYPEM, HOST) \
 -static bool sve_ld##NAME##_nf(CPUARMState *env, void *vd, intptr_t reg_off, \
 -                            target_ulong addr, int mmu_idx)                 \
 -{                                                                           \
 -    if (likely(page_check_range(addr, sizeof(TYPEM), PAGE_READ))) {         \
 -        TYPEM val = HOST(g2h(addr));                                        \
 -        *(TYPEE *)(vd + H(reg_off)) = val;                                  \
 -        return true;                                                        \
 -    }                                                                       \
 -    return false;                                                           \
 -}
 -#endif
 -
 -DO_LD_NF(bsu, H1_4, uint32_t, uint8_t, ldub_p)
 -DO_LD_NF(bss, H1_4, uint32_t,  int8_t, ldsb_p)
 -DO_LD_NF(bdu,     , uint64_t, uint8_t, ldub_p)
 -DO_LD_NF(bds,     , uint64_t,  int8_t, ldsb_p)
 -
 -DO_LD_NF(hsu_le, H1_4, uint32_t, uint16_t, lduw_le_p)
 -DO_LD_NF(hss_le, H1_4, uint32_t,  int16_t, ldsw_le_p)
 -DO_LD_NF(hsu_be, H1_4, uint32_t, uint16_t, lduw_be_p)
 -DO_LD_NF(hss_be, H1_4, uint32_t,  int16_t, ldsw_be_p)
 -DO_LD_NF(hdu_le,     , uint64_t, uint16_t, lduw_le_p)
 -DO_LD_NF(hds_le,     , uint64_t,  int16_t, ldsw_le_p)
 -DO_LD_NF(hdu_be,     , uint64_t, uint16_t, lduw_be_p)
 -DO_LD_NF(hds_be,     , uint64_t,  int16_t, ldsw_be_p)
 -
 -DO_LD_NF(ss_le,  H1_4, uint32_t, uint32_t, ldl_le_p)
 -DO_LD_NF(ss_be,  H1_4, uint32_t, uint32_t, ldl_be_p)
 -DO_LD_NF(sdu_le,     , uint64_t, uint32_t, ldl_le_p)
 -DO_LD_NF(sds_le,     , uint64_t,  int32_t, ldl_le_p)
 -DO_LD_NF(sdu_be,     , uint64_t, uint32_t, ldl_be_p)
 -DO_LD_NF(sds_be,     , uint64_t,  int32_t, ldl_be_p)
 -
 -DO_LD_NF(dd_le,      , uint64_t, uint64_t, ldq_le_p)
 -DO_LD_NF(dd_be,      , uint64_t, uint64_t, ldq_be_p)
 -
  /*
 - * Common helper for all gather first-faulting loads.
 + * Common helpers for all gather first-faulting loads.
   */
 -static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
 -                                target_ulong base, uint32_t desc, uintptr_t ra,
 -                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
 -                                sve_ld1_nf_fn *nonfault_fn)
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
 +                 target_ulong base, uint32_t desc, uintptr_t retaddr,
 +                 const int esz, const int msz, zreg_off_fn *off_fn,
 +                 sve_ldst1_host_fn *host_fn,
 +                 sve_ldst1_tlb_fn *tlb_fn)
  {
--    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
--    const int mmu_idx = get_mmuidx(oi);
+     CPUARMState *env = cpu->env_ptr;
-+    const int mmu_idx = cpu_mmu_index(env, false);
++    uint32_t pc = dc->base.pc_next;
-     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
+     unsigned int insn;
--    intptr_t reg_off, reg_max = simd_oprsz(desc);
--    target_ulong addr;
+     if (arm_pre_translate_insn(dc)) {
-+    const int esize = 1 << esz;
+-        dc->base.pc_next += 4;
-+    const int msize = 1 << msz;
++        dc->base.pc_next = pc + 4;
-+    const intptr_t reg_max = simd_oprsz(desc);
+         return;
 +    intptr_t reg_off;
 +    SVEHostPage info;
 +    target_ulong addr, in_page;
      /* Skip to the first true predicate.  */
 -    reg_off = find_next_active(vg, 0, reg_max, MO_32);
 -    if (likely(reg_off < reg_max)) {
 -        /* Perform one normal read, which will fault or not.  */
 -        addr = off_fn(vm, reg_off);
 -        addr = base + (addr << scale);
 -        tlb_fn(env, vd, reg_off, addr, ra);
 -
 -        /* The rest of the reads will be non-faulting.  */
 +    reg_off = find_next_active(vg, 0, reg_max, esz);
 +    if (unlikely(reg_off >= reg_max)) {
 +        /* The entire predicate was false; no load occurs.  */
 +        memset(vd, 0, reg_max);
 +        return;
      }
--    /* After any fault, zero the leading predicated false elements.  */
+-    dc->pc_curr = dc->base.pc_next;
-+    /*
+-    insn = arm_ldl_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
-+     * Probe the first element, allowing faults.
++    dc->pc_curr = pc;
-+     */
++    insn = arm_ldl_code(env, &dc->base, pc, dc->sctlr_b);
-+    addr = base + (off_fn(vm, reg_off) << scale);
+     dc->insn = insn;
-+    tlb_fn(env, vd, reg_off, addr, retaddr);
+-    dc->base.pc_next += 4;
-+
++    dc->base.pc_next = pc + 4;
-+    /* After any fault, zero the other elements. */
+     disas_arm_insn(dc, insn);
-     swap_memzero(vd, reg_off);
-+    reg_off += esize;
+     arm_post_translate_insn(dc);
 +    swap_memzero(vd + reg_off, reg_max - reg_off);
 -    while (likely((reg_off += 4) < reg_max)) {
 -        uint64_t pg = *(uint64_t *)(vg + (reg_off >> 6) * 8);
 -        if (likely((pg >> (reg_off & 63)) & 1)) {
 -            addr = off_fn(vm, reg_off);
 -            addr = base + (addr << scale);
 -            if (!nonfault_fn(env, vd, reg_off, addr, mmu_idx)) {
 -                record_fault(env, reg_off, reg_max);
 -                break;
 +    /*
 +     * Probe the remaining elements, not allowing faults.
 +     */
 +    while (reg_off < reg_max) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if (likely((pg >> (reg_off & 63)) & 1)) {
 +                addr = base + (off_fn(vm, reg_off) << scale);
 +                in_page = -(addr | TARGET_PAGE_MASK);
 +
 +                if (unlikely(in_page < msize)) {
 +                    /* Stop if the element crosses a page boundary. */
 +                    goto fault;
 +                }
 +
 +                sve_probe_page(&info, true, env, addr, 0, MMU_DATA_LOAD,
 +                               mmu_idx, retaddr);
 +                if (unlikely(info.flags & (TLB_INVALID_MASK | TLB_MMIO))) {
 +                    goto fault;
 +                }
 +                if (unlikely(info.flags & TLB_WATCHPOINT) &&
 +                    (cpu_watchpoint_address_matches
 +                     (env_cpu(env), addr, msize) & BP_MEM_READ)) {
 +                    goto fault;
 +                }
 +                /* TODO: MTE check. */
 +
 +                host_fn(vd, reg_off, info.host);
              }
 -        } else {
 -            *(uint32_t *)(vd + H1_4(reg_off)) = 0;
 -        }
 +            reg_off += esize;
 +        } while (reg_off & 63);
      }
 +    return;
 +
 + fault:
 +    record_fault(env, reg_off, reg_max);
  }
 -static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
 -                                target_ulong base, uint32_t desc, uintptr_t ra,
 -                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
 -                                sve_ld1_nf_fn *nonfault_fn)
 -{
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
 -    const int mmu_idx = get_mmuidx(oi);
 -    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
 -    intptr_t reg_off, reg_max = simd_oprsz(desc);
 -    target_ulong addr;
 -
 -    /* Skip to the first true predicate.  */
 -    reg_off = find_next_active(vg, 0, reg_max, MO_64);
 -    if (likely(reg_off < reg_max)) {
 -        /* Perform one normal read, which will fault or not.  */
 -        addr = off_fn(vm, reg_off);
 -        addr = base + (addr << scale);
 -        tlb_fn(env, vd, reg_off, addr, ra);
 -
 -        /* The rest of the reads will be non-faulting.  */
 -    }
 -
 -    /* After any fault, zero the leading predicated false elements.  */
 -    swap_memzero(vd, reg_off);
 -
 -    while (likely((reg_off += 8) < reg_max)) {
 -        uint8_t pg = *(uint8_t *)(vg + H1(reg_off >> 3));
 -        if (likely(pg & 1)) {
 -            addr = off_fn(vm, reg_off);
 -            addr = base + (addr << scale);
 -            if (!nonfault_fn(env, vd, reg_off, addr, mmu_idx)) {
 -                record_fault(env, reg_off, reg_max);
 -                break;
 -            }
 -        } else {
 -            *(uint64_t *)(vd + reg_off) = 0;
 -        }
 -    }
 +#define DO_LDFF1_ZPZ_S(MEM, OFS, MSZ) \
 +void HELPER(sve_ldff##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                   void *vm, target_ulong base, uint32_t desc) \
 +{                                                                              \
 +    sve_ldff1_z(env, vd, vg, vm, base, desc, GETPC(), MO_32, MSZ,              \
 +                off_##OFS##_s, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
  }
 -#define DO_LDFF1_ZPZ_S(MEM, OFS) \
 -void HELPER(sve_ldff##MEM##_##OFS)                                      \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,                    \
 -     target_ulong base, uint32_t desc)                                  \
 -{                                                                       \
 -    sve_ldff1_zs(env, vd, vg, vm, base, desc, GETPC(),                  \
 -                 off_##OFS##_s, sve_ld1##MEM##_tlb, sve_ld##MEM##_nf);  \
 +#define DO_LDFF1_ZPZ_D(MEM, OFS, MSZ) \
 +void HELPER(sve_ldff##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                   void *vm, target_ulong base, uint32_t desc) \
 +{                                                                              \
 +    sve_ldff1_z(env, vd, vg, vm, base, desc, GETPC(), MO_64, MSZ,              \
 +                off_##OFS##_d, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
  }
 -#define DO_LDFF1_ZPZ_D(MEM, OFS) \
 -void HELPER(sve_ldff##MEM##_##OFS)                                      \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,                    \
 -     target_ulong base, uint32_t desc)                                  \
 -{                                                                       \
 -    sve_ldff1_zd(env, vd, vg, vm, base, desc, GETPC(),                  \
 -                 off_##OFS##_d, sve_ld1##MEM##_tlb, sve_ld##MEM##_nf);  \
 -}
 +DO_LDFF1_ZPZ_S(bsu, zsu, MO_8)
 +DO_LDFF1_ZPZ_S(bsu, zss, MO_8)
 +DO_LDFF1_ZPZ_D(bdu, zsu, MO_8)
 +DO_LDFF1_ZPZ_D(bdu, zss, MO_8)
 +DO_LDFF1_ZPZ_D(bdu, zd, MO_8)
 -DO_LDFF1_ZPZ_S(bsu, zsu)
 -DO_LDFF1_ZPZ_S(bsu, zss)
 -DO_LDFF1_ZPZ_D(bdu, zsu)
 -DO_LDFF1_ZPZ_D(bdu, zss)
 -DO_LDFF1_ZPZ_D(bdu, zd)
 +DO_LDFF1_ZPZ_S(bss, zsu, MO_8)
 +DO_LDFF1_ZPZ_S(bss, zss, MO_8)
 +DO_LDFF1_ZPZ_D(bds, zsu, MO_8)
 +DO_LDFF1_ZPZ_D(bds, zss, MO_8)
 +DO_LDFF1_ZPZ_D(bds, zd, MO_8)
 -DO_LDFF1_ZPZ_S(bss, zsu)
 -DO_LDFF1_ZPZ_S(bss, zss)
 -DO_LDFF1_ZPZ_D(bds, zsu)
 -DO_LDFF1_ZPZ_D(bds, zss)
 -DO_LDFF1_ZPZ_D(bds, zd)
 +DO_LDFF1_ZPZ_S(hsu_le, zsu, MO_16)
 +DO_LDFF1_ZPZ_S(hsu_le, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_le, zsu, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_le, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_le, zd, MO_16)
 -DO_LDFF1_ZPZ_S(hsu_le, zsu)
 -DO_LDFF1_ZPZ_S(hsu_le, zss)
 -DO_LDFF1_ZPZ_D(hdu_le, zsu)
 -DO_LDFF1_ZPZ_D(hdu_le, zss)
 -DO_LDFF1_ZPZ_D(hdu_le, zd)
 +DO_LDFF1_ZPZ_S(hsu_be, zsu, MO_16)
 +DO_LDFF1_ZPZ_S(hsu_be, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_be, zsu, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_be, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hdu_be, zd, MO_16)
 -DO_LDFF1_ZPZ_S(hsu_be, zsu)
 -DO_LDFF1_ZPZ_S(hsu_be, zss)
 -DO_LDFF1_ZPZ_D(hdu_be, zsu)
 -DO_LDFF1_ZPZ_D(hdu_be, zss)
 -DO_LDFF1_ZPZ_D(hdu_be, zd)
 +DO_LDFF1_ZPZ_S(hss_le, zsu, MO_16)
 +DO_LDFF1_ZPZ_S(hss_le, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hds_le, zsu, MO_16)
 +DO_LDFF1_ZPZ_D(hds_le, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hds_le, zd, MO_16)
 -DO_LDFF1_ZPZ_S(hss_le, zsu)
 -DO_LDFF1_ZPZ_S(hss_le, zss)
 -DO_LDFF1_ZPZ_D(hds_le, zsu)
 -DO_LDFF1_ZPZ_D(hds_le, zss)
 -DO_LDFF1_ZPZ_D(hds_le, zd)
 +DO_LDFF1_ZPZ_S(hss_be, zsu, MO_16)
 +DO_LDFF1_ZPZ_S(hss_be, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hds_be, zsu, MO_16)
 +DO_LDFF1_ZPZ_D(hds_be, zss, MO_16)
 +DO_LDFF1_ZPZ_D(hds_be, zd, MO_16)
 -DO_LDFF1_ZPZ_S(hss_be, zsu)
 -DO_LDFF1_ZPZ_S(hss_be, zss)
 -DO_LDFF1_ZPZ_D(hds_be, zsu)
 -DO_LDFF1_ZPZ_D(hds_be, zss)
 -DO_LDFF1_ZPZ_D(hds_be, zd)
 +DO_LDFF1_ZPZ_S(ss_le,  zsu, MO_32)
 +DO_LDFF1_ZPZ_S(ss_le,  zss, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_le, zsu, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_le, zss, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_le, zd, MO_32)
 -DO_LDFF1_ZPZ_S(ss_le,  zsu)
 -DO_LDFF1_ZPZ_S(ss_le,  zss)
 -DO_LDFF1_ZPZ_D(sdu_le, zsu)
 -DO_LDFF1_ZPZ_D(sdu_le, zss)
 -DO_LDFF1_ZPZ_D(sdu_le, zd)
 +DO_LDFF1_ZPZ_S(ss_be,  zsu, MO_32)
 +DO_LDFF1_ZPZ_S(ss_be,  zss, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_be, zsu, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_be, zss, MO_32)
 +DO_LDFF1_ZPZ_D(sdu_be, zd, MO_32)
 -DO_LDFF1_ZPZ_S(ss_be,  zsu)
 -DO_LDFF1_ZPZ_S(ss_be,  zss)
 -DO_LDFF1_ZPZ_D(sdu_be, zsu)
 -DO_LDFF1_ZPZ_D(sdu_be, zss)
 -DO_LDFF1_ZPZ_D(sdu_be, zd)
 +DO_LDFF1_ZPZ_D(sds_le, zsu, MO_32)
 +DO_LDFF1_ZPZ_D(sds_le, zss, MO_32)
 +DO_LDFF1_ZPZ_D(sds_le, zd, MO_32)
 -DO_LDFF1_ZPZ_D(sds_le, zsu)
 -DO_LDFF1_ZPZ_D(sds_le, zss)
 -DO_LDFF1_ZPZ_D(sds_le, zd)
 +DO_LDFF1_ZPZ_D(sds_be, zsu, MO_32)
 +DO_LDFF1_ZPZ_D(sds_be, zss, MO_32)
 +DO_LDFF1_ZPZ_D(sds_be, zd, MO_32)
 -DO_LDFF1_ZPZ_D(sds_be, zsu)
 -DO_LDFF1_ZPZ_D(sds_be, zss)
 -DO_LDFF1_ZPZ_D(sds_be, zd)
 +DO_LDFF1_ZPZ_D(dd_le, zsu, MO_64)
 +DO_LDFF1_ZPZ_D(dd_le, zss, MO_64)
 +DO_LDFF1_ZPZ_D(dd_le, zd, MO_64)
 -DO_LDFF1_ZPZ_D(dd_le, zsu)
 -DO_LDFF1_ZPZ_D(dd_le, zss)
 -DO_LDFF1_ZPZ_D(dd_le, zd)
 -
 -DO_LDFF1_ZPZ_D(dd_be, zsu)
 -DO_LDFF1_ZPZ_D(dd_be, zss)
 -DO_LDFF1_ZPZ_D(dd_be, zd)
 +DO_LDFF1_ZPZ_D(dd_be, zsu, MO_64)
 +DO_LDFF1_ZPZ_D(dd_be, zss, MO_64)
 +DO_LDFF1_ZPZ_D(dd_be, zd, MO_64)
  /* Stores with a vector index.  */
 --
-.20.1
+.25.1

-[PULL 20/34] target/arm: Use SVEContLdSt for multi-register contiguous loads
+[PULL 11/33] target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
 From: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-14-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 223 ++++++++++++++--------------------------
+ target/arm/translate.c | 16 ++++++++--------
-file changed, 79 insertions(+), 144 deletions(-)
+file changed, 8 insertions(+), 8 deletions(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/target/arm/translate.c
-+++ b/target/arm/sve_helper.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  }
  /*
 - * Common helper for all contiguous one-register predicated loads.
 + * Common helper for all contiguous 1,2,3,4-register predicated stores.
   */
  static inline QEMU_ALWAYS_INLINE
 -void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
 +void sve_ldN_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
                 uint32_t desc, const uintptr_t retaddr,
 -               const int esz, const int msz,
 +               const int esz, const int msz, const int N,
                 sve_ldst1_host_fn *host_fn,
                 sve_ldst1_tlb_fn *tlb_fn)
  {
-     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
--    void *vd = &env->vfp.zregs[rd];
+     CPUARMState *env = cpu->env_ptr;
-     const intptr_t reg_max = simd_oprsz(desc);
++    uint32_t pc = dc->base.pc_next;
-     intptr_t reg_off, reg_last, mem_off;
+     uint32_t insn;
-     SVEContLdSt info;
+     bool is_16bit;
-     void *host;
--    int flags;
+     if (arm_pre_translate_insn(dc)) {
-+    int flags, i;
+-        dc->base.pc_next += 2;
++        dc->base.pc_next = pc + 2;
      /* Find the active elements.  */
 -    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, N << msz)) {
          /* The entire predicate was false; no load occurs.  */
 -        memset(vd, 0, reg_max);
 +        for (i = 0; i < N; ++i) {
 +            memset(&env->vfp.zregs[(rd + i) & 31], 0, reg_max);
 +        }
          return;
      }
-@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
+-    dc->pc_curr = dc->base.pc_next;
-     sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
+-    insn = arm_lduw_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
++    dc->pc_curr = pc;
-     /* Handle watchpoints for all active elements. */
++    insn = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
--    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, 1 << msz,
+     is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
-+    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, N << msz,
+-    dc->base.pc_next += 2;
-                               BP_MEM_READ, retaddr);
++    pc += 2;
+     if (!is_16bit) {
-     /* TODO: MTE check. */
+-        uint32_t insn2 = arm_lduw_code(env, &dc->base, dc->base.pc_next,
-@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
+-                                       dc->sctlr_b);
-          * which for ARM will raise SyncExternal.  Perform the load
+-
-          * into scratch memory to preserve register state until the end.
++        uint32_t insn2 = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
-          */
+         insn = insn << 16 | insn2;
--        ARMVectorReg scratch;
+-        dc->base.pc_next += 2;
-+        ARMVectorReg scratch[4] = { };
++        pc += 2;
 -        memset(&scratch, 0, reg_max);
          mem_off = info.mem_off_first[0];
          reg_off = info.reg_off_first[0];
          reg_last = info.reg_off_last[1];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
              uint64_t pg = vg[reg_off >> 6];
              do {
                  if ((pg >> (reg_off & 63)) & 1) {
 -                    tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
 +                    for (i = 0; i < N; ++i) {
 +                        tlb_fn(env, &scratch[i], reg_off,
 +                               addr + mem_off + (i << msz), retaddr);
 +                    }
                  }
                  reg_off += 1 << esz;
 -                mem_off += 1 << msz;
 +                mem_off += N << msz;
              } while (reg_off & 63);
          } while (reg_off <= reg_last);
 -        memcpy(vd, &scratch, reg_max);
 +        for (i = 0; i < N; ++i) {
 +            memcpy(&env->vfp.zregs[(rd + i) & 31], &scratch[i], reg_max);
 +        }
          return;
  #endif
      }
++    dc->base.pc_next = pc;
-     /* The entire operation is in RAM, on valid pages. */
+     dc->insn = insn;
--    memset(vd, 0, reg_max);
+     if (dc->pstate_il) {
 +    for (i = 0; i < N; ++i) {
 +        memset(&env->vfp.zregs[(rd + i) & 31], 0, reg_max);
 +    }
 +
      mem_off = info.mem_off_first[0];
      reg_off = info.reg_off_first[0];
      reg_last = info.reg_off_last[0];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
          uint64_t pg = vg[reg_off >> 6];
          do {
              if ((pg >> (reg_off & 63)) & 1) {
 -                host_fn(vd, reg_off, host + mem_off);
 +                for (i = 0; i < N; ++i) {
 +                    host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
 +                            host + mem_off + (i << msz));
 +                }
              }
              reg_off += 1 << esz;
 -            mem_off += 1 << msz;
 +            mem_off += N << msz;
          } while (reg_off <= reg_last && (reg_off & 63));
      }
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
       */
      mem_off = info.mem_off_split;
      if (unlikely(mem_off >= 0)) {
 -        tlb_fn(env, vd, info.reg_off_split, addr + mem_off, retaddr);
 +        reg_off = info.reg_off_split;
 +        for (i = 0; i < N; ++i) {
 +            tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
 +                   addr + mem_off + (i << msz), retaddr);
 +        }
      }
      mem_off = info.mem_off_first[1];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
              uint64_t pg = vg[reg_off >> 6];
              do {
                  if ((pg >> (reg_off & 63)) & 1) {
 -                    host_fn(vd, reg_off, host + mem_off);
 +                    for (i = 0; i < N; ++i) {
 +                        host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
 +                                host + mem_off + (i << msz));
 +                    }
                  }
                  reg_off += 1 << esz;
 -                mem_off += 1 << msz;
 +                mem_off += N << msz;
              } while (reg_off & 63);
          } while (reg_off <= reg_last);
      }
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
  void HELPER(sve_##NAME##_r)(CPUARMState *env, void *vg,        \
                              target_ulong addr, uint32_t desc)  \
  {                                                              \
 -    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, 0,            \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, 1,      \
                sve_##NAME##_host, sve_##NAME##_tlb);            \
  }
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_##NAME##_r)(CPUARMState *env, void *vg,        \
  void HELPER(sve_##NAME##_le_r)(CPUARMState *env, void *vg,        \
                                 target_ulong addr, uint32_t desc)  \
  {                                                                 \
 -    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,             \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, 1,          \
                sve_##NAME##_le_host, sve_##NAME##_le_tlb);         \
  }                                                                 \
  void HELPER(sve_##NAME##_be_r)(CPUARMState *env, void *vg,        \
                                 target_ulong addr, uint32_t desc)  \
  {                                                                 \
 -    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,             \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, 1,          \
                sve_##NAME##_be_host, sve_##NAME##_be_tlb);         \
  }
 -DO_LD1_1(ld1bb,  0)
 -DO_LD1_1(ld1bhu, 1)
 -DO_LD1_1(ld1bhs, 1)
 -DO_LD1_1(ld1bsu, 2)
 -DO_LD1_1(ld1bss, 2)
 -DO_LD1_1(ld1bdu, 3)
 -DO_LD1_1(ld1bds, 3)
 +DO_LD1_1(ld1bb,  MO_8)
 +DO_LD1_1(ld1bhu, MO_16)
 +DO_LD1_1(ld1bhs, MO_16)
 +DO_LD1_1(ld1bsu, MO_32)
 +DO_LD1_1(ld1bss, MO_32)
 +DO_LD1_1(ld1bdu, MO_64)
 +DO_LD1_1(ld1bds, MO_64)
 -DO_LD1_2(ld1hh,  1, 1)
 -DO_LD1_2(ld1hsu, 2, 1)
 -DO_LD1_2(ld1hss, 2, 1)
 -DO_LD1_2(ld1hdu, 3, 1)
 -DO_LD1_2(ld1hds, 3, 1)
 +DO_LD1_2(ld1hh,  MO_16, MO_16)
 +DO_LD1_2(ld1hsu, MO_32, MO_16)
 +DO_LD1_2(ld1hss, MO_32, MO_16)
 +DO_LD1_2(ld1hdu, MO_64, MO_16)
 +DO_LD1_2(ld1hds, MO_64, MO_16)
 -DO_LD1_2(ld1ss,  2, 2)
 -DO_LD1_2(ld1sdu, 3, 2)
 -DO_LD1_2(ld1sds, 3, 2)
 +DO_LD1_2(ld1ss,  MO_32, MO_32)
 +DO_LD1_2(ld1sdu, MO_64, MO_32)
 +DO_LD1_2(ld1sds, MO_64, MO_32)
 -DO_LD1_2(ld1dd,  3, 3)
 +DO_LD1_2(ld1dd,  MO_64, MO_64)
  #undef DO_LD1_1
  #undef DO_LD1_2
 -/*
 - * Common helpers for all contiguous 2,3,4-register predicated loads.
 - */
 -static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
 -                      uint32_t desc, int size, uintptr_t ra,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 -{
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    ARMVectorReg scratch[2] = { };
 -
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, &scratch[0], i, addr, ra);
 -                tlb_fn(env, &scratch[1], i, addr + size, ra);
 -            }
 -            i += size, pg >>= size;
 -            addr += 2 * size;
 -        } while (i & 15);
 -    }
 -
 -    /* Wait until all exceptions have been raised to write back.  */
 -    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
 -}
 -
 -static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
 -                      uint32_t desc, int size, uintptr_t ra,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 -{
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    ARMVectorReg scratch[3] = { };
 -
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, &scratch[0], i, addr, ra);
 -                tlb_fn(env, &scratch[1], i, addr + size, ra);
 -                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
 -            }
 -            i += size, pg >>= size;
 -            addr += 3 * size;
 -        } while (i & 15);
 -    }
 -
 -    /* Wait until all exceptions have been raised to write back.  */
 -    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 2) & 31], &scratch[2], oprsz);
 -}
 -
 -static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
 -                      uint32_t desc, int size, uintptr_t ra,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 -{
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    ARMVectorReg scratch[4] = { };
 -
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, &scratch[0], i, addr, ra);
 -                tlb_fn(env, &scratch[1], i, addr + size, ra);
 -                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
 -                tlb_fn(env, &scratch[3], i, addr + 3 * size, ra);
 -            }
 -            i += size, pg >>= size;
 -            addr += 4 * size;
 -        } while (i & 15);
 -    }
 -
 -    /* Wait until all exceptions have been raised to write back.  */
 -    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 2) & 31], &scratch[2], oprsz);
 -    memcpy(&env->vfp.zregs[(rd + 3) & 31], &scratch[3], oprsz);
 -}
 -
  #define DO_LDN_1(N) \
 -void QEMU_FLATTEN HELPER(sve_ld##N##bb_r) \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)  \
 -{                                                                   \
 -    sve_ld##N##_r(env, vg, addr, desc, 1, GETPC(), sve_ld1bb_tlb);  \
 +void HELPER(sve_ld##N##bb_r)(CPUARMState *env, void *vg,        \
 +                             target_ulong addr, uint32_t desc)  \
 +{                                                               \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), MO_8, MO_8, N,      \
 +              sve_ld1bb_host, sve_ld1bb_tlb);                   \
  }
 -#define DO_LDN_2(N, SUFF, SIZE)                                       \
 -void QEMU_FLATTEN HELPER(sve_ld##N##SUFF##_le_r)                      \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
 +#define DO_LDN_2(N, SUFF, ESZ) \
 +void HELPER(sve_ld##N##SUFF##_le_r)(CPUARMState *env, void *vg,       \
 +                                    target_ulong addr, uint32_t desc) \
  {                                                                     \
 -    sve_ld##N##_r(env, vg, addr, desc, SIZE, GETPC(),                 \
 -                  sve_ld1##SUFF##_le_tlb);                            \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, ESZ, N,              \
 +              sve_ld1##SUFF##_le_host, sve_ld1##SUFF##_le_tlb);       \
  }                                                                     \
 -void QEMU_FLATTEN HELPER(sve_ld##N##SUFF##_be_r)                      \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
 +void HELPER(sve_ld##N##SUFF##_be_r)(CPUARMState *env, void *vg,       \
 +                                    target_ulong addr, uint32_t desc) \
  {                                                                     \
 -    sve_ld##N##_r(env, vg, addr, desc, SIZE, GETPC(),                 \
 -                  sve_ld1##SUFF##_be_tlb);                            \
 +    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, ESZ, N,              \
 +              sve_ld1##SUFF##_be_host, sve_ld1##SUFF##_be_tlb);       \
  }
  DO_LDN_1(2)
  DO_LDN_1(3)
  DO_LDN_1(4)
 -DO_LDN_2(2, hh, 2)
 -DO_LDN_2(3, hh, 2)
 -DO_LDN_2(4, hh, 2)
 +DO_LDN_2(2, hh, MO_16)
 +DO_LDN_2(3, hh, MO_16)
 +DO_LDN_2(4, hh, MO_16)
 -DO_LDN_2(2, ss, 4)
 -DO_LDN_2(3, ss, 4)
 -DO_LDN_2(4, ss, 4)
 +DO_LDN_2(2, ss, MO_32)
 +DO_LDN_2(3, ss, MO_32)
 +DO_LDN_2(4, ss, MO_32)
 -DO_LDN_2(2, dd, 8)
 -DO_LDN_2(3, dd, 8)
 -DO_LDN_2(4, dd, 8)
 +DO_LDN_2(2, dd, MO_64)
 +DO_LDN_2(3, dd, MO_64)
 +DO_LDN_2(4, dd, MO_64)
  #undef DO_LDN_1
  #undef DO_LDN_2
 --
-.20.1
+.25.1

-[PULL 14/34] target/arm: Use cpu_*_data_ra for sve_ldst_tlb_fn
+[PULL 12/33] target/arm: Split arm_pre_translate_insn
 From: Richard Henderson <richard.henderson@linaro.org>
-Use the "normal" memory access functions, rather than the
+Create arm_check_ss_active and arm_check_kernelpage.
 softmmu internal helper functions directly.
-Since fb901c905dc3, cpu_mem_index is now a simple extract
+Reverse the order of the tests.  While it doesn't matter in practice,
-from env->hflags and not a large computation.  Which means
+because only user-only has a kernel page and user-only never sets
-that it's now more work to pass around this value than it
+ss_active, ss_active has priority over execution exceptions and it
-is to recompute it.
+is best to keep them in the proper order.
-This only adjusts the primitives, and does not clean up
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 all of the uses within sve_helper.c.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 221 ++++++++++++++++------------------------
+ target/arm/translate.c | 10 +++++++---
-file changed, 86 insertions(+), 135 deletions(-)
+file changed, 7 insertions(+), 3 deletions(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/target/arm/translate.c
-+++ b/target/arm/sve_helper.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ typedef intptr_t sve_ld1_host_fn(void *vd, void *vg, void *host,
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
-  * Load one element into @vd + @reg_off from (@env, @vaddr, @ra).
+     dc->insn_start = tcg_last_op();
   * The controlling predicate is known to be true.
   */
 -typedef void sve_ld1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
 -                            target_ulong vaddr, TCGMemOpIdx oi, uintptr_t ra);
 -typedef sve_ld1_tlb_fn sve_st1_tlb_fn;
 +typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
 +                              target_ulong vaddr, uintptr_t retaddr);
  /*
   * Generate the above primitives.
@@ -XXX,XX +XXX,XX @@ static intptr_t sve_##NAME##_host(void *vd, void *vg, void *host,           \
      return mem_off;                                                         \
  }
--#ifdef CONFIG_SOFTMMU
+-static bool arm_pre_translate_insn(DisasContext *dc)
--#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, HOST, MOEND, TLB) \
++static bool arm_check_kernelpage(DisasContext *dc)
 +#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
  static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
 -                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra)  \
 +                             target_ulong addr, uintptr_t ra)               \
  {                                                                           \
 -    TYPEM val = TLB(env, addr, oi, ra);                                     \
 -    *(TYPEE *)(vd + H(reg_off)) = val;                                      \
 +    *(TYPEE *)(vd + H(reg_off)) = (TYPEM)TLB(env, addr, ra);                \
  }
 -#else
 -#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, HOST, MOEND, TLB)                  \
 +
 +#define DO_ST_TLB(NAME, H, TYPEE, TYPEM, TLB) \
  static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
 -                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra)  \
 +                             target_ulong addr, uintptr_t ra)               \
  {                                                                           \
 -    TYPEM val = HOST(g2h(addr));                                            \
 -    *(TYPEE *)(vd + H(reg_off)) = val;                                      \
 +    TLB(env, addr, (TYPEM)*(TYPEE *)(vd + H(reg_off)), ra);                 \
  }
 -#endif
  #define DO_LD_PRIM_1(NAME, H, TE, TM)                   \
      DO_LD_HOST(NAME, H, TE, TM, ldub_p)                 \
 -    DO_LD_TLB(NAME, H, TE, TM, ldub_p, 0, helper_ret_ldub_mmu)
 +    DO_LD_TLB(NAME, H, TE, TM, cpu_ldub_data_ra)
  DO_LD_PRIM_1(ld1bb,  H1,   uint8_t,  uint8_t)
  DO_LD_PRIM_1(ld1bhu, H1_2, uint16_t, uint8_t)
@@ -XXX,XX +XXX,XX @@ DO_LD_PRIM_1(ld1bss, H1_4, uint32_t,  int8_t)
  DO_LD_PRIM_1(ld1bdu,     , uint64_t, uint8_t)
  DO_LD_PRIM_1(ld1bds,     , uint64_t,  int8_t)
 -#define DO_LD_PRIM_2(NAME, end, MOEND, H, TE, TM, PH, PT)  \
 -    DO_LD_HOST(NAME##_##end, H, TE, TM, PH##_##end##_p)    \
 -    DO_LD_TLB(NAME##_##end, H, TE, TM, PH##_##end##_p,     \
 -              MOEND, helper_##end##_##PT##_mmu)
 +#define DO_ST_PRIM_1(NAME, H, TE, TM)                   \
 +    DO_ST_TLB(st1##NAME, H, TE, TM, cpu_stb_data_ra)
 -DO_LD_PRIM_2(ld1hh,  le, MO_LE, H1_2, uint16_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hsu, le, MO_LE, H1_4, uint32_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hss, le, MO_LE, H1_4, uint32_t,  int16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hdu, le, MO_LE,     , uint64_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hds, le, MO_LE,     , uint64_t,  int16_t, lduw, lduw)
 +DO_ST_PRIM_1(bb,   H1,  uint8_t, uint8_t)
 +DO_ST_PRIM_1(bh, H1_2, uint16_t, uint8_t)
 +DO_ST_PRIM_1(bs, H1_4, uint32_t, uint8_t)
 +DO_ST_PRIM_1(bd,     , uint64_t, uint8_t)
 -DO_LD_PRIM_2(ld1ss,  le, MO_LE, H1_4, uint32_t, uint32_t, ldl, ldul)
 -DO_LD_PRIM_2(ld1sdu, le, MO_LE,     , uint64_t, uint32_t, ldl, ldul)
 -DO_LD_PRIM_2(ld1sds, le, MO_LE,     , uint64_t,  int32_t, ldl, ldul)
 +#define DO_LD_PRIM_2(NAME, H, TE, TM, LD) \
 +    DO_LD_HOST(ld1##NAME##_be, H, TE, TM, LD##_be_p)    \
 +    DO_LD_HOST(ld1##NAME##_le, H, TE, TM, LD##_le_p)    \
 +    DO_LD_TLB(ld1##NAME##_be, H, TE, TM, cpu_##LD##_be_data_ra) \
 +    DO_LD_TLB(ld1##NAME##_le, H, TE, TM, cpu_##LD##_le_data_ra)
 -DO_LD_PRIM_2(ld1dd,  le, MO_LE,     , uint64_t, uint64_t, ldq, ldq)
 +#define DO_ST_PRIM_2(NAME, H, TE, TM, ST) \
 +    DO_ST_TLB(st1##NAME##_be, H, TE, TM, cpu_##ST##_be_data_ra) \
 +    DO_ST_TLB(st1##NAME##_le, H, TE, TM, cpu_##ST##_le_data_ra)
 -DO_LD_PRIM_2(ld1hh,  be, MO_BE, H1_2, uint16_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hsu, be, MO_BE, H1_4, uint32_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hss, be, MO_BE, H1_4, uint32_t,  int16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hdu, be, MO_BE,     , uint64_t, uint16_t, lduw, lduw)
 -DO_LD_PRIM_2(ld1hds, be, MO_BE,     , uint64_t,  int16_t, lduw, lduw)
 +DO_LD_PRIM_2(hh,  H1_2, uint16_t, uint16_t, lduw)
 +DO_LD_PRIM_2(hsu, H1_4, uint32_t, uint16_t, lduw)
 +DO_LD_PRIM_2(hss, H1_4, uint32_t,  int16_t, lduw)
 +DO_LD_PRIM_2(hdu,     , uint64_t, uint16_t, lduw)
 +DO_LD_PRIM_2(hds,     , uint64_t,  int16_t, lduw)
 -DO_LD_PRIM_2(ld1ss,  be, MO_BE, H1_4, uint32_t, uint32_t, ldl, ldul)
 -DO_LD_PRIM_2(ld1sdu, be, MO_BE,     , uint64_t, uint32_t, ldl, ldul)
 -DO_LD_PRIM_2(ld1sds, be, MO_BE,     , uint64_t,  int32_t, ldl, ldul)
 +DO_ST_PRIM_2(hh, H1_2, uint16_t, uint16_t, stw)
 +DO_ST_PRIM_2(hs, H1_4, uint32_t, uint16_t, stw)
 +DO_ST_PRIM_2(hd,     , uint64_t, uint16_t, stw)
 -DO_LD_PRIM_2(ld1dd,  be, MO_BE,     , uint64_t, uint64_t, ldq, ldq)
 +DO_LD_PRIM_2(ss,  H1_4, uint32_t, uint32_t, ldl)
 +DO_LD_PRIM_2(sdu,     , uint64_t, uint32_t, ldl)
 +DO_LD_PRIM_2(sds,     , uint64_t,  int32_t, ldl)
 +
 +DO_ST_PRIM_2(ss, H1_4, uint32_t, uint32_t, stl)
 +DO_ST_PRIM_2(sd,     , uint64_t, uint32_t, stl)
 +
 +DO_LD_PRIM_2(dd,     , uint64_t, uint64_t, ldq)
 +DO_ST_PRIM_2(dd,     , uint64_t, uint64_t, stq)
  #undef DO_LD_TLB
 +#undef DO_ST_TLB
  #undef DO_LD_HOST
  #undef DO_LD_PRIM_1
 +#undef DO_ST_PRIM_1
  #undef DO_LD_PRIM_2
 +#undef DO_ST_PRIM_2
  /*
   * Skip through a sequence of inactive elements in the guarding predicate @vg,
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
                        uint32_t desc, const uintptr_t retaddr,
                        const int esz, const int msz,
                        sve_ld1_host_fn *host_fn,
 -                      sve_ld1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
-     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
+ #ifdef CONFIG_USER_ONLY
-     const int mmu_idx = get_mmuidx(oi);
+     /* Intercept jump to the magic kernel page.  */
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
+@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
-          * on I/O memory, it may succeed but not bring in the TLB entry.
+         return true;
           * But even then we have still made forward progress.
           */
 -        tlb_fn(env, &scratch, reg_off, addr + mem_off, oi, retaddr);
 +        tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
          reg_off += 1 << esz;
      }
  #endif
-@@ -XXX,XX +XXX,XX @@ DO_LD1_2(ld1dd,  3, 3)
++    return false;
-  */
++}
- static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
-                       uint32_t desc, int size, uintptr_t ra,
++static bool arm_check_ss_active(DisasContext *dc)
--                      sve_ld1_tlb_fn *tlb_fn)
++{
-+                      sve_ldst1_tlb_fn *tlb_fn)
+     if (dc->ss_active && !dc->pstate_ss) {
- {
+         /* Singlestep state is Active-pending.
--    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
+          * If we're in this state at the start of a TB then either
-     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     intptr_t i, oprsz = simd_oprsz(desc);
+     uint32_t pc = dc->base.pc_next;
-     ARMVectorReg scratch[2] = { };
+     unsigned int insn;
-@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
-         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+-    if (arm_pre_translate_insn(dc)) {
-         do {
++    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
-             if (pg & 1) {
+         dc->base.pc_next = pc + 4;
--                tlb_fn(env, &scratch[0], i, addr, oi, ra);
+         return;
 -                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
 +                tlb_fn(env, &scratch[0], i, addr, ra);
 +                tlb_fn(env, &scratch[1], i, addr + size, ra);
              }
              i += size, pg >>= size;
              addr += 2 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
  static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, int size, uintptr_t ra,
 -                      sve_ld1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch[3] = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, &scratch[0], i, addr, oi, ra);
 -                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
 -                tlb_fn(env, &scratch[2], i, addr + 2 * size, oi, ra);
 +                tlb_fn(env, &scratch[0], i, addr, ra);
 +                tlb_fn(env, &scratch[1], i, addr + size, ra);
 +                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
              }
              i += size, pg >>= size;
              addr += 3 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
  static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, int size, uintptr_t ra,
 -                      sve_ld1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch[4] = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, &scratch[0], i, addr, oi, ra);
 -                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
 -                tlb_fn(env, &scratch[2], i, addr + 2 * size, oi, ra);
 -                tlb_fn(env, &scratch[3], i, addr + 3 * size, oi, ra);
 +                tlb_fn(env, &scratch[0], i, addr, ra);
 +                tlb_fn(env, &scratch[1], i, addr + size, ra);
 +                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
 +                tlb_fn(env, &scratch[3], i, addr + 3 * size, ra);
              }
              i += size, pg >>= size;
              addr += 4 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                          uint32_t desc, const uintptr_t retaddr,
                          const int esz, const int msz,
                          sve_ld1_host_fn *host_fn,
 -                        sve_ld1_tlb_fn *tlb_fn)
 +                        sve_ldst1_tlb_fn *tlb_fn)
  {
      const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const int mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
       * Perform one normal read, which will fault or not.
       * But it is likely to bring the page into the tlb.
       */
 -    tlb_fn(env, vd, reg_off, addr + mem_off, oi, retaddr);
 +    tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
      /* After any fault, zero any leading predicated false elts.  */
      swap_memzero(vd, reg_off);
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_LDNF1_2(dd,  3, 3)
  #undef DO_LDFF1_LDNF1_1
  #undef DO_LDFF1_LDNF1_2
 -/*
 - * Store contiguous data, protected by a governing predicate.
 - */
 -
 -#ifdef CONFIG_SOFTMMU
 -#define DO_ST_TLB(NAME, H, TYPEM, HOST, MOEND, TLB) \
 -static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
 -                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra) \
 -{                                                                           \
 -    TLB(env, addr, *(TYPEM *)(vd + H(reg_off)), oi, ra);                    \
 -}
 -#else
 -#define DO_ST_TLB(NAME, H, TYPEM, HOST, MOEND, TLB) \
 -static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
 -                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra) \
 -{                                                                           \
 -    HOST(g2h(addr), *(TYPEM *)(vd + H(reg_off)));                           \
 -}
 -#endif
 -
 -DO_ST_TLB(st1bb,   H1,  uint8_t, stb_p, 0, helper_ret_stb_mmu)
 -DO_ST_TLB(st1bh, H1_2, uint16_t, stb_p, 0, helper_ret_stb_mmu)
 -DO_ST_TLB(st1bs, H1_4, uint32_t, stb_p, 0, helper_ret_stb_mmu)
 -DO_ST_TLB(st1bd,     , uint64_t, stb_p, 0, helper_ret_stb_mmu)
 -
 -DO_ST_TLB(st1hh_le, H1_2, uint16_t, stw_le_p, MO_LE, helper_le_stw_mmu)
 -DO_ST_TLB(st1hs_le, H1_4, uint32_t, stw_le_p, MO_LE, helper_le_stw_mmu)
 -DO_ST_TLB(st1hd_le,     , uint64_t, stw_le_p, MO_LE, helper_le_stw_mmu)
 -
 -DO_ST_TLB(st1ss_le, H1_4, uint32_t, stl_le_p, MO_LE, helper_le_stl_mmu)
 -DO_ST_TLB(st1sd_le,     , uint64_t, stl_le_p, MO_LE, helper_le_stl_mmu)
 -
 -DO_ST_TLB(st1dd_le,     , uint64_t, stq_le_p, MO_LE, helper_le_stq_mmu)
 -
 -DO_ST_TLB(st1hh_be, H1_2, uint16_t, stw_be_p, MO_BE, helper_be_stw_mmu)
 -DO_ST_TLB(st1hs_be, H1_4, uint32_t, stw_be_p, MO_BE, helper_be_stw_mmu)
 -DO_ST_TLB(st1hd_be,     , uint64_t, stw_be_p, MO_BE, helper_be_stw_mmu)
 -
 -DO_ST_TLB(st1ss_be, H1_4, uint32_t, stl_be_p, MO_BE, helper_be_stl_mmu)
 -DO_ST_TLB(st1sd_be,     , uint64_t, stl_be_p, MO_BE, helper_be_stl_mmu)
 -
 -DO_ST_TLB(st1dd_be,     , uint64_t, stq_be_p, MO_BE, helper_be_stq_mmu)
 -
 -#undef DO_ST_TLB
 -
  /*
   * Common helpers for all contiguous 1,2,3,4-register predicated stores.
   */
  static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, const uintptr_t ra,
                        const int esize, const int msize,
 -                      sve_st1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      void *vd = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, vd, i, addr, oi, ra);
 +                tlb_fn(env, vd, i, addr, ra);
              }
              i += esize, pg >>= esize;
              addr += msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
  static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, const uintptr_t ra,
                        const int esize, const int msize,
 -                      sve_st1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, d1, i, addr, oi, ra);
 -                tlb_fn(env, d2, i, addr + msize, oi, ra);
 +                tlb_fn(env, d1, i, addr, ra);
 +                tlb_fn(env, d2, i, addr + msize, ra);
              }
              i += esize, pg >>= esize;
              addr += 2 * msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
  static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, const uintptr_t ra,
                        const int esize, const int msize,
 -                      sve_st1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, d1, i, addr, oi, ra);
 -                tlb_fn(env, d2, i, addr + msize, oi, ra);
 -                tlb_fn(env, d3, i, addr + 2 * msize, oi, ra);
 +                tlb_fn(env, d1, i, addr, ra);
 +                tlb_fn(env, d2, i, addr + msize, ra);
 +                tlb_fn(env, d3, i, addr + 2 * msize, ra);
              }
              i += esize, pg >>= esize;
              addr += 3 * msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
  static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
                        uint32_t desc, const uintptr_t ra,
                        const int esize, const int msize,
 -                      sve_st1_tlb_fn *tlb_fn)
 +                      sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      intptr_t i, oprsz = simd_oprsz(desc);
      void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
              if (pg & 1) {
 -                tlb_fn(env, d1, i, addr, oi, ra);
 -                tlb_fn(env, d2, i, addr + msize, oi, ra);
 -                tlb_fn(env, d3, i, addr + 2 * msize, oi, ra);
 -                tlb_fn(env, d4, i, addr + 3 * msize, oi, ra);
 +                tlb_fn(env, d1, i, addr, ra);
 +                tlb_fn(env, d2, i, addr + msize, ra);
 +                tlb_fn(env, d3, i, addr + 2 * msize, ra);
 +                tlb_fn(env, d4, i, addr + 3 * msize, ra);
              }
              i += esize, pg >>= esize;
              addr += 4 * msize;
@@ -XXX,XX +XXX,XX @@ static target_ulong off_zd_d(void *reg, intptr_t reg_ofs)
  static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
                         target_ulong base, uint32_t desc, uintptr_t ra,
 -                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
 +                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
          do {
              if (likely(pg & 1)) {
                  target_ulong off = off_fn(vm, i);
 -                tlb_fn(env, &scratch, i, base + (off << scale), oi, ra);
 +                tlb_fn(env, &scratch, i, base + (off << scale), ra);
              }
              i += 4, pg >>= 4;
          } while (i & 15);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
  static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                         target_ulong base, uint32_t desc, uintptr_t ra,
 -                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
 +                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc) / 8;
      ARMVectorReg scratch = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
          uint8_t pg = *(uint8_t *)(vg + H1(i));
          if (likely(pg & 1)) {
              target_ulong off = off_fn(vm, i * 8);
 -            tlb_fn(env, &scratch, i * 8, base + (off << scale), oi, ra);
 +            tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
          }
      }
-     clear_helper_retaddr();
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-@@ -XXX,XX +XXX,XX @@ DO_LD_NF(dd_be,      , uint64_t, uint64_t, ldq_be_p)
+     uint32_t insn;
-  */
+     bool is_16bit;
- static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-                                 target_ulong base, uint32_t desc, uintptr_t ra,
+-    if (arm_pre_translate_insn(dc)) {
--                                zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn,
++    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
-+                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
+         dc->base.pc_next = pc + 2;
-                                 sve_ld1_nf_fn *nonfault_fn)
+         return;
  {
      const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
          set_helper_retaddr(ra);
          addr = off_fn(vm, reg_off);
          addr = base + (addr << scale);
 -        tlb_fn(env, vd, reg_off, addr, oi, ra);
 +        tlb_fn(env, vd, reg_off, addr, ra);
          /* The rest of the reads will be non-faulting.  */
          clear_helper_retaddr();
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
  static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                                  target_ulong base, uint32_t desc, uintptr_t ra,
 -                                zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn,
 +                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
                                  sve_ld1_nf_fn *nonfault_fn)
  {
      const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
          set_helper_retaddr(ra);
          addr = off_fn(vm, reg_off);
          addr = base + (addr << scale);
 -        tlb_fn(env, vd, reg_off, addr, oi, ra);
 +        tlb_fn(env, vd, reg_off, addr, ra);
          /* The rest of the reads will be non-faulting.  */
          clear_helper_retaddr();
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_ZPZ_D(dd_be, zd)
  static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
                         target_ulong base, uint32_t desc, uintptr_t ra,
 -                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
 +                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc);
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
          do {
              if (likely(pg & 1)) {
                  target_ulong off = off_fn(vm, i);
 -                tlb_fn(env, vd, i, base + (off << scale), oi, ra);
 +                tlb_fn(env, vd, i, base + (off << scale), ra);
              }
              i += 4, pg >>= 4;
          } while (i & 15);
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
  static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                         target_ulong base, uint32_t desc, uintptr_t ra,
 -                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
 +                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc) / 8;
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
          uint8_t pg = *(uint8_t *)(vg + H1(i));
          if (likely(pg & 1)) {
              target_ulong off = off_fn(vm, i * 8);
 -            tlb_fn(env, vd, i * 8, base + (off << scale), oi, ra);
 +            tlb_fn(env, vd, i * 8, base + (off << scale), ra);
          }
      }
-     clear_helper_retaddr();
 --
-.20.1
+.25.1

-[PULL 11/34] accel/tcg: Adjust probe_access call to page_check_range
+[PULL 13/33] target/arm: Advance pc for arch single-step exception
 From: Richard Henderson <richard.henderson@linaro.org>
-We have validated that addr+size does not cross a page boundary.
+The size of the code covered by a TranslationBlock cannot be 0;
-Therefore we need to validate exactly one page.  We can achieve
+this is checked via assert in tb_gen_code.
 that passing any value 1 <= x <= size to page_check_range.
 Passing 1 will simplify the next patch.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-5-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- accel/tcg/user-exec.c | 2 +-
+ target/arm/translate-a64.c | 1 +
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 1 insertion(+)
-diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/user-exec.c
+--- a/target/arm/translate-a64.c
-+++ b/accel/tcg/user-exec.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-         g_assert_not_reached();
+         assert(s->base.num_insns == 1);
          gen_swstep_exception(s, 0, 0);
          s->base.is_jmp = DISAS_NORETURN;
 +        s->base.pc_next = pc + 4;
          return;
      }
--    if (!guest_addr_valid(addr) || page_check_range(addr, size, flags) < 0) {
-+    if (!guest_addr_valid(addr) || page_check_range(addr, 1, flags) < 0) {
-         CPUState *cpu = env_cpu(env);
-         CPUClass *cc = CPU_GET_CLASS(cpu);
-         cc->tlb_fill(cpu, addr, size, access_type, MMU_USER_IDX, false,
 --
-.20.1
+.25.1

-[PULL 12/34] accel/tcg: Add probe_access_flags
+[PULL 14/33] target/arm: Split compute_fsr_fsc out of arm_deliver_fault
 From: Richard Henderson <richard.henderson@linaro.org>
-This new interface will allow targets to probe for a page
+We will reuse this section of arm_deliver_fault for
-and then handle watchpoints themselves.  This will be most
+raising pc alignment faults.
 useful for vector predicated memory operations, where one
 page lookup can be used for many operations, and one test
 can avoid many watchpoint checks.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-6-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/exec/cpu-all.h  |  13 ++-
+ target/arm/tlb_helper.c | 45 +++++++++++++++++++++++++----------------
- include/exec/exec-all.h |  22 +++++
+file changed, 28 insertions(+), 17 deletions(-)
  accel/tcg/cputlb.c      | 177 ++++++++++++++++++++--------------------
  accel/tcg/user-exec.c   |  43 ++++++++--
 files changed, 158 insertions(+), 97 deletions(-)
-diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu-all.h
+--- a/target/arm/tlb_helper.c
-+++ b/include/exec/cpu-all.h
++++ b/target/arm/tlb_helper.c
-@@ -XXX,XX +XXX,XX @@ CPUArchState *cpu_copy(CPUArchState *env);
+@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
-      | CPU_INTERRUPT_TGT_EXT_3   \
+     return syn;
       | CPU_INTERRUPT_TGT_EXT_4)
 -#if !defined(CONFIG_USER_ONLY)
 +#ifdef CONFIG_USER_ONLY
 +
 +/*
 + * Allow some level of source compatibility with softmmu.  We do not
 + * support any of the more exotic features, so only invalid pages may
 + * be signaled by probe_access_flags().
 + */
 +#define TLB_INVALID_MASK    (1 << (TARGET_PAGE_BITS_MIN - 1))
 +#define TLB_MMIO            0
 +#define TLB_WATCHPOINT      0
 +
 +#else
  /*
   * Flags stored in the low bits of the TLB virtual address.
 diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/exec-all.h
 +++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ static inline void *probe_read(CPUArchState *env, target_ulong addr, int size,
      return probe_access(env, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
  }
-+/**
+-static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-+ * probe_access_flags:
+-                                            MMUAccessType access_type,
-+ * @env: CPUArchState
+-                                            int mmu_idx, ARMMMUFaultInfo *fi)
-+ * @addr: guest virtual address to look up
++static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
-+ * @access_type: read, write or execute permission
++                                int target_el, int mmu_idx, uint32_t *ret_fsc)
 + * @mmu_idx: MMU index to use for lookup
 + * @nonfault: suppress the fault
 + * @phost: return value for host address
 + * @retaddr: return address for unwinding
 + *
 + * Similar to probe_access, loosely returning the TLB_FLAGS_MASK for
 + * the page, and storing the host address for RAM in @phost.
 + *
 + * If @nonfault is set, do not raise an exception but return TLB_INVALID_MASK.
 + * Do not handle watchpoints, but include TLB_WATCHPOINT in the returned flags.
 + * Do handle clean pages, so exclude TLB_NOTDIRY from the returned flags.
 + * For simplicity, all "mmio-like" flags are folded to TLB_MMIO.
 + */
 +int probe_access_flags(CPUArchState *env, target_ulong addr,
 +                       MMUAccessType access_type, int mmu_idx,
 +                       bool nonfault, void **phost, uintptr_t retaddr);
 +
  #define CODE_GEN_ALIGN           16 /* must be >= of the size of a icache line */
  /* Estimated block size for TB allocation.  */
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
      }
  }
 -/*
 - * Probe for whether the specified guest access is permitted. If it is not
 - * permitted then an exception will be taken in the same way as if this
 - * were a real access (and we will not return).
 - * If the size is 0 or the page requires I/O access, returns NULL; otherwise,
 - * returns the address of the host page similar to tlb_vaddr_to_host().
 - */
 -void *probe_access(CPUArchState *env, target_ulong addr, int size,
 -                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
 +static int probe_access_internal(CPUArchState *env, target_ulong addr,
 +                                 int fault_size, MMUAccessType access_type,
 +                                 int mmu_idx, bool nonfault,
 +                                 void **phost, uintptr_t retaddr)
  {
-     uintptr_t index = tlb_index(env, mmu_idx, addr);
+-    CPUARMState *env = &cpu->env;
-     CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+-    int target_el;
--    target_ulong tlb_addr;
+-    bool same_el;
--    size_t elt_ofs;
+-    uint32_t syn, exc, fsr, fsc;
--    int wp_access;
+     ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
 -
--    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
+-    target_el = exception_target_el(env);
--
+-    if (fi->stage2) {
--    switch (access_type) {
+-        target_el = 2;
--    case MMU_DATA_LOAD:
+-        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
--        elt_ofs = offsetof(CPUTLBEntry, addr_read);
+-        if (arm_is_secure_below_el3(env) && fi->s1ns) {
--        wp_access = BP_MEM_READ;
+-            env->cp15.hpfar_el2 |= HPFAR_NS;
 -        break;
 -    case MMU_DATA_STORE:
 -        elt_ofs = offsetof(CPUTLBEntry, addr_write);
 -        wp_access = BP_MEM_WRITE;
 -        break;
 -    case MMU_INST_FETCH:
 -        elt_ofs = offsetof(CPUTLBEntry, addr_code);
 -        wp_access = BP_MEM_READ;
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 -    tlb_addr = tlb_read_ofs(entry, elt_ofs);
 -
 -    if (unlikely(!tlb_hit(tlb_addr, addr))) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs,
 -                            addr & TARGET_PAGE_MASK)) {
 -            tlb_fill(env_cpu(env), addr, size, access_type, mmu_idx, retaddr);
 -            /* TLB resize via tlb_fill may have moved the entry. */
 -            index = tlb_index(env, mmu_idx, addr);
 -            entry = tlb_entry(env, mmu_idx, addr);
 -        }
 -        tlb_addr = tlb_read_ofs(entry, elt_ofs);
 -    }
 -
 -    if (!size) {
 -        return NULL;
 -    }
 -
 -    if (unlikely(tlb_addr & TLB_FLAGS_MASK)) {
 -        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
 -
 -        /* Reject I/O access, or other required slow-path.  */
 -        if (tlb_addr & (TLB_MMIO | TLB_BSWAP | TLB_DISCARD_WRITE)) {
 -            return NULL;
 -        }
 -
 -        /* Handle watchpoints.  */
 -        if (tlb_addr & TLB_WATCHPOINT) {
 -            cpu_check_watchpoint(env_cpu(env), addr, size,
 -                                 iotlbentry->attrs, wp_access, retaddr);
 -        }
 -
 -        /* Handle clean RAM pages.  */
 -        if (tlb_addr & TLB_NOTDIRTY) {
 -            notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr);
 -        }
 -    }
--
+-    same_el = (arm_current_el(env) == target_el);
--    return (void *)((uintptr_t)addr + entry->addend);
++    uint32_t fsr, fsc;
--}
--
+     if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
--void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
+         arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
--                        MMUAccessType access_type, int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
--{
+         fsc = 0x3f;
 -    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 -    target_ulong tlb_addr, page;
 +    target_ulong tlb_addr, page_addr;
      size_t elt_ofs;
 +    int flags;
      switch (access_type) {
      case MMU_DATA_LOAD:
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
      default:
          g_assert_not_reached();
      }
--
--    page = addr & TARGET_PAGE_MASK;
++    *ret_fsc = fsc;
-     tlb_addr = tlb_read_ofs(entry, elt_ofs);
++    return fsr;
 -    if (!tlb_hit_page(tlb_addr, page)) {
 -        uintptr_t index = tlb_index(env, mmu_idx, addr);
 -
 -        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page)) {
 +    page_addr = addr & TARGET_PAGE_MASK;
 +    if (!tlb_hit_page(tlb_addr, page_addr)) {
 +        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) {
              CPUState *cs = env_cpu(env);
              CPUClass *cc = CPU_GET_CLASS(cs);
 -            if (!cc->tlb_fill(cs, addr, 0, access_type, mmu_idx, true, 0)) {
 +            if (!cc->tlb_fill(cs, addr, fault_size, access_type,
 +                              mmu_idx, nonfault, retaddr)) {
                  /* Non-faulting page table read failed.  */
 -                return NULL;
 +                *phost = NULL;
 +                return TLB_INVALID_MASK;
              }
              /* TLB resize via tlb_fill may have moved the entry.  */
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
          }
          tlb_addr = tlb_read_ofs(entry, elt_ofs);
      }
 +    flags = tlb_addr & TLB_FLAGS_MASK;
 -    if (tlb_addr & ~TARGET_PAGE_MASK) {
 -        /* IO access */
 +    /* Fold all "mmio-like" bits into TLB_MMIO.  This is not RAM.  */
 +    if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY))) {
 +        *phost = NULL;
 +        return TLB_MMIO;
 +    }
 +
 +    /* Everything else is RAM. */
 +    *phost = (void *)((uintptr_t)addr + entry->addend);
 +    return flags;
 +}
 +
-+int probe_access_flags(CPUArchState *env, target_ulong addr,
++static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-+                       MMUAccessType access_type, int mmu_idx,
++                                            MMUAccessType access_type,
-+                       bool nonfault, void **phost, uintptr_t retaddr)
++                                            int mmu_idx, ARMMMUFaultInfo *fi)
 +{
-+    int flags;
++    CPUARMState *env = &cpu->env;
 +    int target_el;
 +    bool same_el;
 +    uint32_t syn, exc, fsr, fsc;
 +
-+    flags = probe_access_internal(env, addr, 0, access_type, mmu_idx,
++    target_el = exception_target_el(env);
-+                                  nonfault, phost, retaddr);
++    if (fi->stage2) {
-+
++        target_el = 2;
-+    /* Handle clean RAM pages.  */
++        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
-+    if (unlikely(flags & TLB_NOTDIRTY)) {
++        if (arm_is_secure_below_el3(env) && fi->s1ns) {
-+        uintptr_t index = tlb_index(env, mmu_idx, addr);
++            env->cp15.hpfar_el2 |= HPFAR_NS;
 +        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
 +
 +        notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
 +        flags &= ~TLB_NOTDIRTY;
 +    }
 +
 +    return flags;
 +}
 +
 +void *probe_access(CPUArchState *env, target_ulong addr, int size,
 +                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
 +{
 +    void *host;
 +    int flags;
 +
 +    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
 +
 +    flags = probe_access_internal(env, addr, size, access_type, mmu_idx,
 +                                  false, &host, retaddr);
 +
 +    /* Per the interface, size == 0 merely faults the access. */
 +    if (size == 0) {
          return NULL;
      }
 -    return (void *)((uintptr_t)addr + entry->addend);
 +    if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) {
 +        uintptr_t index = tlb_index(env, mmu_idx, addr);
 +        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
 +
 +        /* Handle watchpoints.  */
 +        if (flags & TLB_WATCHPOINT) {
 +            int wp_access = (access_type == MMU_DATA_STORE
 +                             ? BP_MEM_WRITE : BP_MEM_READ);
 +            cpu_check_watchpoint(env_cpu(env), addr, size,
 +                                 iotlbentry->attrs, wp_access, retaddr);
 +        }
 +
 +        /* Handle clean RAM pages.  */
 +        if (flags & TLB_NOTDIRTY) {
 +            notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
 +        }
 +    }
++    same_el = (arm_current_el(env) == target_el);
 +
-+    return host;
++    fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
  }
 +void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
 +                        MMUAccessType access_type, int mmu_idx)
 +{
 +    void *host;
 +    int flags;
 +
-+    flags = probe_access_internal(env, addr, 0, access_type,
+     if (access_type == MMU_INST_FETCH) {
-+                                  mmu_idx, true, &host, 0);
+         syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
-+
+         exc = EXCP_PREFETCH_ABORT;
 +    /* No combination of flags are expected by the caller. */
 +    return flags ? NULL : host;
 +}
  #ifdef CONFIG_PLUGIN
  /*
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
      g_assert_not_reached();
  }
 -void *probe_access(CPUArchState *env, target_ulong addr, int size,
 -                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
 +static int probe_access_internal(CPUArchState *env, target_ulong addr,
 +                                 int fault_size, MMUAccessType access_type,
 +                                 bool nonfault, uintptr_t ra)
  {
      int flags;
 -    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
 -
      switch (access_type) {
      case MMU_DATA_STORE:
          flags = PAGE_WRITE;
@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
      }
      if (!guest_addr_valid(addr) || page_check_range(addr, 1, flags) < 0) {
 -        CPUState *cpu = env_cpu(env);
 -        CPUClass *cc = CPU_GET_CLASS(cpu);
 -        cc->tlb_fill(cpu, addr, size, access_type, MMU_USER_IDX, false,
 -                     retaddr);
 -        g_assert_not_reached();
 +        if (nonfault) {
 +            return TLB_INVALID_MASK;
 +        } else {
 +            CPUState *cpu = env_cpu(env);
 +            CPUClass *cc = CPU_GET_CLASS(cpu);
 +            cc->tlb_fill(cpu, addr, fault_size, access_type,
 +                         MMU_USER_IDX, false, ra);
 +            g_assert_not_reached();
 +        }
      }
 +    return 0;
 +}
 +
 +int probe_access_flags(CPUArchState *env, target_ulong addr,
 +                       MMUAccessType access_type, int mmu_idx,
 +                       bool nonfault, void **phost, uintptr_t ra)
 +{
 +    int flags;
 +
 +    flags = probe_access_internal(env, addr, 0, access_type, nonfault, ra);
 +    *phost = flags ? NULL : g2h(addr);
 +    return flags;
 +}
 +
 +void *probe_access(CPUArchState *env, target_ulong addr, int size,
 +                   MMUAccessType access_type, int mmu_idx, uintptr_t ra)
 +{
 +    int flags;
 +
 +    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
 +    flags = probe_access_internal(env, addr, size, access_type, false, ra);
 +    g_assert(flags == 0);
      return size ? g2h(addr) : NULL;
  }
 --
-.20.1
+.25.1

-[PULL 19/34] target/arm: Handle watchpoints in sve_ld1_r
+[PULL 15/33] target/arm: Take an exception if PC is misaligned
 From: Richard Henderson <richard.henderson@linaro.org>
-Handle all of the watchpoints for active elements all at once,
+For A64, any input to an indirect branch can cause this.
-before we've modified the vector register.  This removes the
-TLB_WATCHPOINT bit from page[].flags, which means that we can
+For A32, many indirect branch paths force the branch to be aligned,
-use the normal fast path via RAM.
+but BXWritePC does not.  This includes the BX instruction but also
+other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
 With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
 exception or force align the PC.
 We choose to raise an exception because we have the infrastructure,
 it makes the generated code for gen_bx simpler, and it has the
 possibility of catching more guest bugs.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-13-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 72 ++++++++++++++++++++++++++++++++++++++++-
+ target/arm/helper.h           |  1 +
-file changed, 71 insertions(+), 1 deletion(-)
+ target/arm/syndrome.h         |  5 ++++
+ linux-user/aarch64/cpu_loop.c | 46 ++++++++++++++++++++---------------
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+ target/arm/tlb_helper.c       | 18 ++++++++++++++
-index XXXXXXX..XXXXXXX 100644
+ target/arm/translate-a64.c    | 15 ++++++++++++
---- a/target/arm/sve_helper.c
+ target/arm/translate.c        | 22 ++++++++++++++++-
-+++ b/target/arm/sve_helper.c
+files changed, 87 insertions(+), 20 deletions(-)
-@@ -XXX,XX +XXX,XX @@ static bool sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault,
-     return have_work;
+diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.h
 +++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
  DEF_HELPER_2(exception_internal, void, env, i32)
  DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
  DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
 +DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
  DEF_HELPER_1(setend, void, env)
  DEF_HELPER_2(wfi, void, env, i32)
  DEF_HELPER_1(wfe, void, env)
 diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/syndrome.h
 +++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_illegalstate(void)
      return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
  }
-+static void sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env,
++static inline uint32_t syn_pcalignment(void)
 +                                      uint64_t *vg, target_ulong addr,
 +                                      int esize, int msize, int wp_access,
 +                                      uintptr_t retaddr)
 +{
-+#ifndef CONFIG_USER_ONLY
++    return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
-+    intptr_t mem_off, reg_off, reg_last;
++}
-+    int flags0 = info->page[0].flags;
++
-+    int flags1 = info->page[1].flags;
+ #endif /* TARGET_ARM_SYNDROME_H */
-+
+diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
-+    if (likely(!((flags0 | flags1) & TLB_WATCHPOINT))) {
+index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/aarch64/cpu_loop.c
 +++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
              break;
          case EXCP_PREFETCH_ABORT:
          case EXCP_DATA_ABORT:
 -            /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
              ec = syn_get_ec(env->exception.syndrome);
 -            assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
 -
 -            /* Both EC have the same format for FSC, or close enough. */
 -            fsc = extract32(env->exception.syndrome, 0, 6);
 -            switch (fsc) {
 -            case 0x04 ... 0x07: /* Translation fault, level {0-3} */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_MAPERR;
 +            switch (ec) {
 +            case EC_DATAABORT:
 +            case EC_INSNABORT:
 +                /* Both EC have the same format for FSC, or close enough. */
 +                fsc = extract32(env->exception.syndrome, 0, 6);
 +                switch (fsc) {
 +                case 0x04 ... 0x07: /* Translation fault, level {0-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MAPERR;
 +                    break;
 +                case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 +                case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_ACCERR;
 +                    break;
 +                case 0x11: /* Synchronous Tag Check Fault */
 +                    si_signo = TARGET_SIGSEGV;
 +                    si_code = TARGET_SEGV_MTESERR;
 +                    break;
 +                case 0x21: /* Alignment fault */
 +                    si_signo = TARGET_SIGBUS;
 +                    si_code = TARGET_BUS_ADRALN;
 +                    break;
 +                default:
 +                    g_assert_not_reached();
 +                }
                  break;
 -            case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
 -            case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_ACCERR;
 -                break;
 -            case 0x11: /* Synchronous Tag Check Fault */
 -                si_signo = TARGET_SIGSEGV;
 -                si_code = TARGET_SEGV_MTESERR;
 -                break;
 -            case 0x21: /* Alignment fault */
 +            case EC_PCALIGNMENT:
                  si_signo = TARGET_SIGBUS;
                  si_code = TARGET_BUS_ADRALN;
                  break;
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tlb_helper.c
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "cpu.h"
  #include "internals.h"
  #include "exec/exec-all.h"
 +#include "exec/helper-proto.h"
  static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
                                              unsigned int target_el,
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
      arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
  }
 +void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
 +{
 +    ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
 +    int target_el = exception_target_el(env);
 +    int mmu_idx = cpu_mmu_index(env, true);
 +    uint32_t fsc;
 +
 +    env->exception.vaddress = pc;
 +
 +    /*
 +     * Note that the fsc is not applicable to this exception,
 +     * since any syndrome is pcalignment not insn_abort.
 +     */
 +    env->exception.fsr = compute_fsr_fsc(env, &fi, target_el, mmu_idx, &fsc);
 +    raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), target_el);
 +}
 +
  #if !defined(CONFIG_USER_ONLY)
  /*
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint64_t pc = s->base.pc_next;
      uint32_t insn;
 +    /* Singlestep exceptions have the highest priority. */
      if (s->ss_active && !s->pstate_ss) {
          /* Singlestep state is Active-pending.
           * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          return;
      }
 +    if (pc & 3) {
 +        /*
 +         * PC alignment fault.  This has priority over the instruction abort
 +         * that we would receive from a translation fault via arm_ldl_code.
 +         * This should only be possible after an indirect branch, at the
 +         * start of the TB.
 +         */
 +        assert(s->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        s->base.is_jmp = DISAS_NORETURN;
 +        s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
-+    /* Indicate that watchpoints are handled. */
+     s->pc_curr = pc;
-+    info->page[0].flags = flags0 & ~TLB_WATCHPOINT;
+     insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
-+    info->page[1].flags = flags1 & ~TLB_WATCHPOINT;
+     s->insn = insn;
-+
+diff --git a/target/arm/translate.c b/target/arm/translate.c
-+    if (flags0 & TLB_WATCHPOINT) {
+index XXXXXXX..XXXXXXX 100644
-+        mem_off = info->mem_off_first[0];
+--- a/target/arm/translate.c
-+        reg_off = info->reg_off_first[0];
++++ b/target/arm/translate.c
-+        reg_last = info->reg_off_last[0];
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-+
+     uint32_t pc = dc->base.pc_next;
-+        while (reg_off <= reg_last) {
+     unsigned int insn;
-+            uint64_t pg = vg[reg_off >> 6];
-+            do {
+-    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
-+                if ((pg >> (reg_off & 63)) & 1) {
++    /* Singlestep exceptions have the highest priority. */
-+                    cpu_check_watchpoint(env_cpu(env), addr + mem_off,
++    if (arm_check_ss_active(dc)) {
-+                                         msize, info->page[0].attrs,
++        dc->base.pc_next = pc + 4;
-+                                         wp_access, retaddr);
++        return;
 +                }
 +                reg_off += esize;
 +                mem_off += msize;
 +            } while (reg_off <= reg_last && (reg_off & 63));
 +        }
 +    }
 +
-+    mem_off = info->mem_off_split;
++    if (pc & 3) {
-+    if (mem_off >= 0) {
++        /*
-+        cpu_check_watchpoint(env_cpu(env), addr + mem_off, msize,
++         * PC alignment fault.  This has priority over the instruction abort
-+                             info->page[0].attrs, wp_access, retaddr);
++         * that we would receive from a translation fault via arm_ldl_code
 +         * (or the execution of the kernelpage entrypoint). This should only
 +         * be possible after an indirect branch, at the start of the TB.
 +         */
 +        assert(dc->base.num_insns == 1);
 +        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
 +        dc->base.is_jmp = DISAS_NORETURN;
 +        dc->base.pc_next = QEMU_ALIGN_UP(pc, 4);
 +        return;
 +    }
 +
-+    mem_off = info->mem_off_first[1];
++    if (arm_check_kernelpage(dc)) {
-+    if ((flags1 & TLB_WATCHPOINT) && mem_off >= 0) {
+         dc->base.pc_next = pc + 4;
-+        reg_off = info->reg_off_first[1];
+         return;
-+        reg_last = info->reg_off_last[1];
+     }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    cpu_check_watchpoint(env_cpu(env), addr + mem_off,
 +                                         msize, info->page[1].attrs,
 +                                         wp_access, retaddr);
 +                }
 +                reg_off += esize;
 +                mem_off += msize;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
 +#endif
 +}
 +
  /*
   * The result of tlb_vaddr_to_host for user-only is just g2h(x),
   * which is always non-null.  Elide the useless test.
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
      /* Probe the page(s).  Exit with exception for any invalid page. */
      sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, 1 << msz,
 +                              BP_MEM_READ, retaddr);
 +
 +    /* TODO: MTE check. */
 +
      flags = info.page[0].flags | info.page[1].flags;
      if (unlikely(flags != 0)) {
  #ifdef CONFIG_USER_ONLY
          g_assert_not_reached();
  #else
          /*
 -         * At least one page includes MMIO (or watchpoints).
 +         * At least one page includes MMIO.
           * Any bus operation can fail with cpu_transaction_failed,
           * which for ARM will raise SyncExternal.  Perform the load
           * into scratch memory to preserve register state until the end.
 --
-.20.1
+.25.1

-[PULL 09/34] exec: Fix cpu_watchpoint_address_matches address length
+[PULL 16/33] target/arm: Assert thumb pc is aligned
 From: Richard Henderson <richard.henderson@linaro.org>
-The only caller of cpu_watchpoint_address_matches passes
+Misaligned thumb PC is architecturally impossible.
-TARGET_PAGE_SIZE, so the bug is not currently visible.
+Assert is better than proceeding, in case we've missed
 something somewhere.
 Expand a comment about aligning the pc in gdbstub.
 Fail an incoming migrate if a thumb pc is misaligned.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20200508154359.7494-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- exec.c | 2 +-
+ target/arm/gdbstub.c   |  9 +++++++--
-file changed, 1 insertion(+), 1 deletion(-)
+ target/arm/machine.c   | 10 ++++++++++
  target/arm/translate.c |  3 +++
 files changed, 20 insertions(+), 2 deletions(-)
-diff --git a/exec.c b/exec.c
+diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
 index XXXXXXX..XXXXXXX 100644
---- a/exec.c
+--- a/target/arm/gdbstub.c
-+++ b/exec.c
++++ b/target/arm/gdbstub.c
-@@ -XXX,XX +XXX,XX @@ int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len)
+@@ -XXX,XX +XXX,XX @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
-     int ret = 0;
+     tmp = ldl_p(mem_buf);
-     QTAILQ_FOREACH(wp, &cpu->watchpoints, entry) {
--        if (watchpoint_address_matches(wp, addr, TARGET_PAGE_SIZE)) {
+-    /* Mask out low bit of PC to workaround gdb bugs.  This will probably
-+        if (watchpoint_address_matches(wp, addr, len)) {
+-       cause problems if we ever implement the Jazelle DBX extensions.  */
-             ret |= wp->flags;
++    /*
 +     * Mask out low bits of PC to workaround gdb bugs.
 +     * This avoids an assert in thumb_tr_translate_insn, because it is
 +     * architecturally impossible to misalign the pc.
 +     * This will probably cause problems if we ever implement the
 +     * Jazelle DBX extensions.
 +     */
      if (n == 15) {
          tmp &= ~1;
      }
 diff --git a/target/arm/machine.c b/target/arm/machine.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/machine.c
 +++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
              return -1;
          }
      }
++
++    /*
++     * Misaligned thumb pc is architecturally impossible.
++     * We have an assert in thumb_tr_translate_insn to verify this.
++     * Fail an incoming migrate to avoid this assert.
++     */
++    if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
++        return -1;
++    }
++
+     if (!kvm_enabled()) {
+         pmu_op_finish(&cpu->env);
+     }
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+     uint32_t insn;
+     bool is_16bit;
++    /* Misaligned thumb PC is architecturally impossible. */
++    assert((dc->base.pc_next & 1) == 0);
++
+     if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
+         dc->base.pc_next = pc + 2;
+         return;
 --
-.20.1
+.25.1

-[PULL 18/34] target/arm: Use SVEContLdSt in sve_ld1_r
+[PULL 17/33] target/arm: Suppress bp for exceptions with more priority
 From: Richard Henderson <richard.henderson@linaro.org>
-First use of the new helper functions, so we can remove the
+Both single-step and pc alignment faults have priority over
-unused markup.  No longer need a scratch for user-only, as
+breakpoint exceptions.
 we completely probe the page set before reading; system mode
 still requires a scratch for MMIO.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 188 +++++++++++++++++++++-------------------
+ target/arm/debug_helper.c | 23 +++++++++++++++++++++++
-file changed, 97 insertions(+), 91 deletions(-)
+file changed, 23 insertions(+)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/target/arm/debug_helper.c
-+++ b/target/arm/sve_helper.c
++++ b/target/arm/debug_helper.c
-@@ -XXX,XX +XXX,XX @@ typedef struct {
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
   * final element on each page.  Identify any single element that spans
   * the page boundary.  Return true if there are any active elements.
   */
 -static bool __attribute__((unused))
 -sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
 -                       intptr_t reg_max, int esz, int msize)
 +static bool sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr,
 +                                   uint64_t *vg, intptr_t reg_max,
 +                                   int esz, int msize)
  {
-     const int esize = 1 << esz;
+     ARMCPU *cpu = ARM_CPU(cs);
-     const uint64_t pg_mask = pred_esz_masks[esz];
+     CPUARMState *env = &cpu->env;
-@@ -XXX,XX +XXX,XX @@ sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
++    target_ulong pc;
-  * Control the generation of page faults with @fault.  Return false if
+     int n;
-  * there is no work to do, which can only happen with @fault == FAULT_NO.
-  */
+     /*
--static bool __attribute__((unused))
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
--sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault, CPUARMState *env,
+         return false;
 -                    target_ulong addr, MMUAccessType access_type,
 -                    uintptr_t retaddr)
 +static bool sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault,
 +                                CPUARMState *env, target_ulong addr,
 +                                MMUAccessType access_type, uintptr_t retaddr)
  {
      int mmu_idx = cpu_mmu_index(env, false);
      int mem_off = info->mem_off_first[0];
@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
  /*
   * Common helper for all contiguous one-register predicated loads.
   */
 -static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
 -                      uint32_t desc, const uintptr_t retaddr,
 -                      const int esz, const int msz,
 -                      sve_ldst1_host_fn *host_fn,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 +static inline QEMU_ALWAYS_INLINE
 +void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
 +               uint32_t desc, const uintptr_t retaddr,
 +               const int esz, const int msz,
 +               sve_ldst1_host_fn *host_fn,
 +               sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
 -    const int mmu_idx = get_mmuidx(oi);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      void *vd = &env->vfp.zregs[rd];
 -    const int diffsz = esz - msz;
      const intptr_t reg_max = simd_oprsz(desc);
 -    const intptr_t mem_max = reg_max >> diffsz;
 -    ARMVectorReg scratch;
 +    intptr_t reg_off, reg_last, mem_off;
 +    SVEContLdSt info;
      void *host;
 -    intptr_t split, reg_off, mem_off;
 +    int flags;
 -    /* Find the first active element.  */
 -    reg_off = find_next_active(vg, 0, reg_max, esz);
 -    if (unlikely(reg_off == reg_max)) {
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
          /* The entire predicate was false; no load occurs.  */
          memset(vd, 0, reg_max);
          return;
      }
--    mem_off = reg_off >> diffsz;
++    /*
--    /*
++     * Single-step exceptions have priority over breakpoint exceptions.
--     * If the (remaining) load is entirely within a single page, then:
++     * If single-step state is active-pending, suppress the bp.
--     * For softmmu, and the tlb hits, then no faults will occur;
++     */
--     * For user-only, either the first load will fault or none will.
++    if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
--     * We can thus perform the load directly to the destination and
++        return false;
 -     * Vd will be unmodified on any exception path.
 -     */
 -    split = max_for_page(addr, mem_off, mem_max);
 -    if (likely(split == mem_max)) {
 -        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
 -        if (test_host_page(host)) {
 -            intptr_t i = reg_off;
 -            host -= mem_off;
 -            do {
 -                host_fn(vd, i, host + (i >> diffsz));
 -                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
 -            } while (i < reg_max);
 -            /* After having taken any fault, zero leading inactive elements. */
 -            swap_memzero(vd, reg_off);
 -            return;
 -        }
 -    }
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
 -    /*
 -     * Perform the predicated read into a temporary, thus ensuring
 -     * if the load of the last element faults, Vd is not modified.
 -     */
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
  #ifdef CONFIG_USER_ONLY
 -    swap_memzero(&scratch, reg_off);
 -    host = g2h(addr);
 -    do {
 -        host_fn(&scratch, reg_off, host + (reg_off >> diffsz));
 -        reg_off += 1 << esz;
 -        reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -    } while (reg_off < reg_max);
 +        g_assert_not_reached();
  #else
 -    memset(&scratch, 0, reg_max);
 -    goto start;
 -    while (1) {
 -        reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -        if (reg_off >= reg_max) {
 -            break;
 -        }
 -        mem_off = reg_off >> diffsz;
 -        split = max_for_page(addr, mem_off, mem_max);
 +        /*
 +         * At least one page includes MMIO (or watchpoints).
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  Perform the load
 +         * into scratch memory to preserve register state until the end.
 +         */
 +        ARMVectorReg scratch;
 -    start:
 -        if (split - mem_off >= (1 << msz)) {
 -            /* At least one whole element on this page.  */
 -            host = tlb_vaddr_to_host(env, addr + mem_off,
 -                                     MMU_DATA_LOAD, mmu_idx);
 -            if (host) {
 -                host -= mem_off;
 -                do {
 -                    host_fn(&scratch, reg_off, host + mem_off);
 -                    reg_off += 1 << esz;
 -                    reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -                    mem_off = reg_off >> diffsz;
 -                } while (split - mem_off >= (1 << msz));
 -                continue;
 +        memset(&scratch, 0, reg_max);
 +        mem_off = info.mem_off_first[0];
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
              }
          }
 -        /*
 -         * Perform one normal read.  This may fault, longjmping out to the
 -         * main loop in order to raise an exception.  It may succeed, and
 -         * as a side-effect load the TLB entry for the next round.  Finally,
 -         * in the extremely unlikely case we're performing this operation
 -         * on I/O memory, it may succeed but not bring in the TLB entry.
 -         * But even then we have still made forward progress.
 -         */
 -        tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
 -        reg_off += 1 << esz;
 -    }
 -#endif
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
 +                }
 +                reg_off += 1 << esz;
 +                mem_off += 1 << msz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 -    memcpy(vd, &scratch, reg_max);
 +        memcpy(vd, &scratch, reg_max);
 +        return;
 +#endif
 +    }
 +
 +    /* The entire operation is in RAM, on valid pages. */
 +
 +    memset(vd, 0, reg_max);
 +    mem_off = info.mem_off_first[0];
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                host_fn(vd, reg_off, host + mem_off);
 +            }
 +            reg_off += 1 << esz;
 +            mem_off += 1 << msz;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
-+     * Use the slow path to manage the cross-page misalignment.
++     * PC alignment faults have priority over breakpoint exceptions.
 +     * But we know this is RAM and cannot trap.
 +     */
-+    mem_off = info.mem_off_split;
++    pc = is_a64(env) ? env->pc : env->regs[15];
-+    if (unlikely(mem_off >= 0)) {
++    if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
-+        tlb_fn(env, vd, info.reg_off_split, addr + mem_off, retaddr);
++        return false;
 +    }
 +
-+    mem_off = info.mem_off_first[1];
++    /*
-+    if (unlikely(mem_off >= 0)) {
++     * Instruction aborts have priority over breakpoint exceptions.
-+        reg_off = info.reg_off_first[1];
++     * TODO: We would need to look up the page for PC and verify that
-+        reg_last = info.reg_off_last[1];
++     * it is present and executable.
-+        host = info.page[1].host;
++     */
 +
-+        do {
+     for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
-+            uint64_t pg = vg[reg_off >> 6];
+         if (bp_wp_matches(cpu, n, false)) {
-+            do {
+             return true;
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    host_fn(vd, reg_off, host + mem_off);
 +                }
 +                reg_off += 1 << esz;
 +                mem_off += 1 << msz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +    }
  }
  #define DO_LD1_1(NAME, ESZ) \
 --
-.20.1
+.25.1

-[PULL 16/34] target/arm: Add sve infrastructure for page lookup
+[PULL 18/33] tests/tcg: Add arm and aarch64 pc alignment tests
 From: Richard Henderson <richard.henderson@linaro.org>
-For contiguous predicated memory operations, we want to
-minimize the number of tlb lookups performed.  We have
-open-coded this for sve_ld1_r, but for correctness with
-MTE we will need this for all of the memory operations.
-Create a structure that holds the bounds of active elements,
-and metadata for two pages.  Add routines to find those
-active elements, lookup the pages, and run watchpoints
-for those pages.
-Temporarily mark the functions unused to avoid Werror.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-10-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 263 +++++++++++++++++++++++++++++++++++++++-
+ tests/tcg/aarch64/pcalign-a64.c   | 37 +++++++++++++++++++++++++
-file changed, 261 insertions(+), 2 deletions(-)
+ tests/tcg/arm/pcalign-a32.c       | 46 +++++++++++++++++++++++++++++++
  tests/tcg/aarch64/Makefile.target |  4 +--
  tests/tcg/arm/Makefile.target     |  4 +++
 files changed, 89 insertions(+), 2 deletions(-)
  create mode 100644 tests/tcg/aarch64/pcalign-a64.c
  create mode 100644 tests/tcg/arm/pcalign-a32.c
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
-index XXXXXXX..XXXXXXX 100644
+new file mode 100644
---- a/target/arm/sve_helper.c
+index XXXXXXX..XXXXXXX
-+++ b/target/arm/sve_helper.c
+--- /dev/null
-@@ -XXX,XX +XXX,XX @@ void HELPER(sve_cpy_z_d)(void *vd, void *vg, uint64_t val, uint32_t desc)
++++ b/tests/tcg/aarch64/pcalign-a64.c
-     }
+@@ -XXX,XX +XXX,XX @@
- }
++/* Test PC misalignment exception */
 -/* Big-endian hosts need to frob the byte indicies.  If the copy
 +/* Big-endian hosts need to frob the byte indices.  If the copy
   * happens to be 8-byte aligned, then no frobbing necessary.
   */
  static void swap_memmove(void *vd, void *vs, size_t n)
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
  /*
   * Load elements into @vd, controlled by @vg, from @host + @mem_ofs.
   * Memory is valid through @host + @mem_max.  The register element
 - * indicies are inferred from @mem_ofs, as modified by the types for
 + * indices are inferred from @mem_ofs, as modified by the types for
   * which the helper is built.  Return the @mem_ofs of the first element
   * not loaded (which is @mem_max if they are all loaded).
   *
@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
      return MIN(split, mem_max - mem_off) + mem_off;
  }
 +/*
 + * Resolve the guest virtual address to info->host and info->flags.
 + * If @nofault, return false if the page is invalid, otherwise
 + * exit via page fault exception.
 + */
 +
-+typedef struct {
++#include <assert.h>
-+    void *host;
++#include <signal.h>
-+    int flags;
++#include <stdlib.h>
-+    MemTxAttrs attrs;
++#include <stdio.h>
 +} SVEHostPage;
 +
-+static bool sve_probe_page(SVEHostPage *info, bool nofault,
++static void *expected;
-+                           CPUARMState *env, target_ulong addr,
++
-+                           int mem_off, MMUAccessType access_type,
++static void sigbus(int sig, siginfo_t *info, void *vuc)
 +                           int mmu_idx, uintptr_t retaddr)
 +{
-+    int flags;
++    assert(info->si_code == BUS_ADRALN);
 +    assert(info->si_addr == expected);
 +    exit(EXIT_SUCCESS);
 +}
 +
-+    addr += mem_off;
++int main()
-+    flags = probe_access_flags(env, addr, access_type, mmu_idx, nofault,
++{
-+                               &info->host, retaddr);
++    void *tmp;
 +    info->flags = flags;
 +
-+    if (flags & TLB_INVALID_MASK) {
++    struct sigaction sa = {
-+        g_assert(nofault);
++        .sa_sigaction = sigbus,
-+        return false;
++        .sa_flags = SA_SIGINFO
 +    };
 +
 +    if (sigaction(SIGBUS, &sa, NULL) < 0) {
 +        perror("sigaction");
 +        return EXIT_FAILURE;
 +    }
 +
-+    /* Ensure that info->host[] is relative to addr, not addr + mem_off. */
++    asm volatile("adr %0, 1f + 1\n\t"
-+    info->host -= mem_off;
++                 "str %0, %1\n\t"
 +                 "br  %0\n"
 +                 "1:"
 +                 : "=&r"(tmp), "=m"(expected));
 +    abort();
 +}
 diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/arm/pcalign-a32.c
@@ -XXX,XX +XXX,XX @@
 +/* Test PC misalignment exception */
 +
-+#ifdef CONFIG_USER_ONLY
++#ifdef __thumb__
-+    memset(&info->attrs, 0, sizeof(info->attrs));
++#error "This test must be compiled for ARM"
 +#else
 +    /*
 +     * Find the iotlbentry for addr and return the transaction attributes.
 +     * This *must* be present in the TLB because we just found the mapping.
 +     */
 +    {
 +        uintptr_t index = tlb_index(env, mmu_idx, addr);
 +
 +# ifdef CONFIG_DEBUG_TCG
 +        CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 +        target_ulong comparator = (access_type == MMU_DATA_LOAD
 +                                   ? entry->addr_read
 +                                   : tlb_addr_write(entry));
 +        g_assert(tlb_hit(comparator, addr));
 +# endif
 +
 +        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
 +        info->attrs = iotlbentry->attrs;
 +    }
 +#endif
 +
-+    return true;
++#include <assert.h>
 +#include <signal.h>
 +#include <stdlib.h>
 +#include <stdio.h>
 +
 +static void *expected;
 +
 +static void sigbus(int sig, siginfo_t *info, void *vuc)
 +{
 +    assert(info->si_code == BUS_ADRALN);
 +    assert(info->si_addr == expected);
 +    exit(EXIT_SUCCESS);
 +}
 +
++int main()
++{
++    void *tmp;
 +
-+/*
++    struct sigaction sa = {
-+ * Analyse contiguous data, protected by a governing predicate.
++        .sa_sigaction = sigbus,
-+ */
++        .sa_flags = SA_SIGINFO
 +    };
 +
-+typedef enum {
++    if (sigaction(SIGBUS, &sa, NULL) < 0) {
-+    FAULT_NO,
++        perror("sigaction");
-+    FAULT_FIRST,
++        return EXIT_FAILURE;
-+    FAULT_ALL,
++    }
 +} SVEContFault;
 +
-+typedef struct {
++    asm volatile("adr %0, 1f + 2\n\t"
-+    /*
++                 "str %0, %1\n\t"
-+     * First and last element wholly contained within the two pages.
++                 "bx  %0\n"
-+     * mem_off_first[0] and reg_off_first[0] are always set >= 0.
++                 "1:"
-+     * reg_off_last[0] may be < 0 if the first element crosses pages.
++                 : "=&r"(tmp), "=m"(expected));
 +     * All of mem_off_first[1], reg_off_first[1] and reg_off_last[1]
 +     * are set >= 0 only if there are complete elements on a second page.
 +     *
 +     * The reg_off_* offsets are relative to the internal vector register.
 +     * The mem_off_first offset is relative to the memory address; the
 +     * two offsets are different when a load operation extends, a store
 +     * operation truncates, or for multi-register operations.
 +     */
 +    int16_t mem_off_first[2];
 +    int16_t reg_off_first[2];
 +    int16_t reg_off_last[2];
 +
 +    /*
-+     * One element that is misaligned and spans both pages,
++     * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
-+     * or -1 if there is no such active element.
++     * the address or not.  If so, we can legitimately fall through.
 +     */
-+    int16_t mem_off_split;
++    return EXIT_SUCCESS;
-+    int16_t reg_off_split;
++}
 diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/aarch64/Makefile.target
 +++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ VPATH         += $(ARM_SRC)
  AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
  VPATH         += $(AARCH64_SRC)
 -# Float-convert Tests
 -AARCH64_TESTS=fcvt
 +# Base architecture tests
 +AARCH64_TESTS=fcvt pcalign-a64
  fcvt: LDFLAGS+=-lm
 diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/arm/Makefile.target
 +++ b/tests/tcg/arm/Makefile.target
@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
      $(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
      $(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
 +# PC alignment test
 +ARM_TESTS += pcalign-a32
 +pcalign-a32: CFLAGS+=-marm
 +
-+    /*
+ ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
-+     * The byte offset at which the entire operation crosses a page boundary.
-+     * Set >= 0 if and only if the entire operation spans two pages.
+ # Semihosting smoke test for linux-user
 +     */
 +    int16_t page_split;
 +
 +    /* TLB data for the two pages. */
 +    SVEHostPage page[2];
 +} SVEContLdSt;
 +
 +/*
 + * Find first active element on each page, and a loose bound for the
 + * final element on each page.  Identify any single element that spans
 + * the page boundary.  Return true if there are any active elements.
 + */
 +static bool __attribute__((unused))
 +sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
 +                       intptr_t reg_max, int esz, int msize)
 +{
 +    const int esize = 1 << esz;
 +    const uint64_t pg_mask = pred_esz_masks[esz];
 +    intptr_t reg_off_first = -1, reg_off_last = -1, reg_off_split;
 +    intptr_t mem_off_last, mem_off_split;
 +    intptr_t page_split, elt_split;
 +    intptr_t i;
 +
 +    /* Set all of the element indices to -1, and the TLB data to 0. */
 +    memset(info, -1, offsetof(SVEContLdSt, page));
 +    memset(info->page, 0, sizeof(info->page));
 +
 +    /* Gross scan over the entire predicate to find bounds. */
 +    i = 0;
 +    do {
 +        uint64_t pg = vg[i] & pg_mask;
 +        if (pg) {
 +            reg_off_last = i * 64 + 63 - clz64(pg);
 +            if (reg_off_first < 0) {
 +                reg_off_first = i * 64 + ctz64(pg);
 +            }
 +        }
 +    } while (++i * 64 < reg_max);
 +
 +    if (unlikely(reg_off_first < 0)) {
 +        /* No active elements, no pages touched. */
 +        return false;
 +    }
 +    tcg_debug_assert(reg_off_last >= 0 && reg_off_last < reg_max);
 +
 +    info->reg_off_first[0] = reg_off_first;
 +    info->mem_off_first[0] = (reg_off_first >> esz) * msize;
 +    mem_off_last = (reg_off_last >> esz) * msize;
 +
 +    page_split = -(addr | TARGET_PAGE_MASK);
 +    if (likely(mem_off_last + msize <= page_split)) {
 +        /* The entire operation fits within a single page. */
 +        info->reg_off_last[0] = reg_off_last;
 +        return true;
 +    }
 +
 +    info->page_split = page_split;
 +    elt_split = page_split / msize;
 +    reg_off_split = elt_split << esz;
 +    mem_off_split = elt_split * msize;
 +
 +    /*
 +     * This is the last full element on the first page, but it is not
 +     * necessarily active.  If there is no full element, i.e. the first
 +     * active element is the one that's split, this value remains -1.
 +     * It is useful as iteration bounds.
 +     */
 +    if (elt_split != 0) {
 +        info->reg_off_last[0] = reg_off_split - esize;
 +    }
 +
 +    /* Determine if an unaligned element spans the pages.  */
 +    if (page_split % msize != 0) {
 +        /* It is helpful to know if the split element is active. */
 +        if ((vg[reg_off_split >> 6] >> (reg_off_split & 63)) & 1) {
 +            info->reg_off_split = reg_off_split;
 +            info->mem_off_split = mem_off_split;
 +
 +            if (reg_off_split == reg_off_last) {
 +                /* The page crossing element is last. */
 +                return true;
 +            }
 +        }
 +        reg_off_split += esize;
 +        mem_off_split += msize;
 +    }
 +
 +    /*
 +     * We do want the first active element on the second page, because
 +     * this may affect the address reported in an exception.
 +     */
 +    reg_off_split = find_next_active(vg, reg_off_split, reg_max, esz);
 +    tcg_debug_assert(reg_off_split <= reg_off_last);
 +    info->reg_off_first[1] = reg_off_split;
 +    info->mem_off_first[1] = (reg_off_split >> esz) * msize;
 +    info->reg_off_last[1] = reg_off_last;
 +    return true;
 +}
 +
 +/*
 + * Resolve the guest virtual addresses to info->page[].
 + * Control the generation of page faults with @fault.  Return false if
 + * there is no work to do, which can only happen with @fault == FAULT_NO.
 + */
 +static bool __attribute__((unused))
 +sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault, CPUARMState *env,
 +                    target_ulong addr, MMUAccessType access_type,
 +                    uintptr_t retaddr)
 +{
 +    int mmu_idx = cpu_mmu_index(env, false);
 +    int mem_off = info->mem_off_first[0];
 +    bool nofault = fault == FAULT_NO;
 +    bool have_work = true;
 +
 +    if (!sve_probe_page(&info->page[0], nofault, env, addr, mem_off,
 +                        access_type, mmu_idx, retaddr)) {
 +        /* No work to be done. */
 +        return false;
 +    }
 +
 +    if (likely(info->page_split < 0)) {
 +        /* The entire operation was on the one page. */
 +        return true;
 +    }
 +
 +    /*
 +     * If the second page is invalid, then we want the fault address to be
 +     * the first byte on that page which is accessed.
 +     */
 +    if (info->mem_off_split >= 0) {
 +        /*
 +         * There is an element split across the pages.  The fault address
 +         * should be the first byte of the second page.
 +         */
 +        mem_off = info->page_split;
 +        /*
 +         * If the split element is also the first active element
 +         * of the vector, then:  For first-fault we should continue
 +         * to generate faults for the second page.  For no-fault,
 +         * we have work only if the second page is valid.
 +         */
 +        if (info->mem_off_first[0] < info->mem_off_split) {
 +            nofault = FAULT_FIRST;
 +            have_work = false;
 +        }
 +    } else {
 +        /*
 +         * There is no element split across the pages.  The fault address
 +         * should be the first active element on the second page.
 +         */
 +        mem_off = info->mem_off_first[1];
 +        /*
 +         * There must have been one active element on the first page,
 +         * so we're out of first-fault territory.
 +         */
 +        nofault = fault != FAULT_ALL;
 +    }
 +
 +    have_work |= sve_probe_page(&info->page[1], nofault, env, addr, mem_off,
 +                                access_type, mmu_idx, retaddr);
 +    return have_work;
 +}
 +
  /*
   * The result of tlb_vaddr_to_host for user-only is just g2h(x),
   * which is always non-null.  Elide the useless test.
 --
-.20.1
+.25.1

-[PULL 28/34] target/arm: Make set_feature() available for other files
+[PULL 19/33] target/i386: Use assert() to sanity-check b1 in SSE decode
-From: Thomas Huth <thuth@redhat.com>
+In the SSE decode function gen_sse(), we combine a byte
 'b' and a value 'b1' which can be [0..3], and switch on them:
    b |= (b1 << 8);
    switch (b) {
    ...
    default:
    unknown_op:
        gen_unknown_opcode(env, s);
        return;
    }
-Move the common set_feature() and unset_feature() functions
+In three cases inside this switch, we were then also checking for
-from cpu.c and cpu64.c to cpu.h.
+ "if (b1 >= 2) { goto unknown_op; }".
 However, this can never happen, because the 'case' values in each place
 are 0x0nn or 0x1nn and the switch will have directed the b1 == (2, 3)
 cases to the default already.
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+This check was added in commit c045af25a52e9 in 2010; the added code
-Signed-off-by: Thomas Huth <thuth@redhat.com>
+was unnecessary then as well, and was apparently intended only to
 ensure that we never accidentally ended up indexing off the end
 of an sse_op_table with only 2 entries as a result of future bugs
 in the decode logic.
 Change the checks to assert() instead, and make sure they're always
 immediately before the array access they are protecting.
 Fixes: Coverity CID 1460207
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Message-id: 20200504172448.9402-3-philmd@redhat.com
-Message-ID: <20190921150420.30743-2-thuth@redhat.com>
-[PMD: Split Thomas's patch in two: set_feature, cpu_register]
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h   | 10 ++++++++++
+ target/i386/tcg/translate.c | 12 +++---------
- target/arm/cpu.c   | 10 ----------
+file changed, 3 insertions(+), 9 deletions(-)
  target/arm/cpu64.c | 10 ----------
 files changed, 10 insertions(+), 20 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/i386/tcg/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/i386/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
-     void *gicv3state;
+         case 0x171: /* shift xmm, im */
- } CPUARMState;
+         case 0x172:
+         case 0x173:
-+static inline void set_feature(CPUARMState *env, int feature)
+-            if (b1 >= 2) {
-+{
+-                goto unknown_op;
-+    env->features |= 1ULL << feature;
+-            }
-+}
+             val = x86_ldub_code(env, s);
-+
+             if (is_xmm) {
-+static inline void unset_feature(CPUARMState *env, int feature)
+                 tcg_gen_movi_tl(s->T0, val);
-+{
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
-+    env->features &= ~(1ULL << feature);
+                                 offsetof(CPUX86State, mmx_t0.MMX_L(1)));
-+}
+                 op1_offset = offsetof(CPUX86State,mmx_t0);
-+
+             }
- /**
++            assert(b1 < 2);
-  * ARMELChangeHookFn:
+             sse_fn_epp = sse_op_table2[((b - 1) & 3) * 8 +
-  * type of a function which can be registered via arm_register_el_change_hook()
+                                        (((modrm >> 3)) & 7)][b1];
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+             if (!sse_fn_epp) {
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
---- a/target/arm/cpu.c
+             rm = modrm & 7;
-+++ b/target/arm/cpu.c
+             reg = ((modrm >> 3) & 7) | REX_R(s);
-@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_virtio_is_big_endian(CPUState *cs)
+             mod = (modrm >> 6) & 3;
+-            if (b1 >= 2) {
- #endif
+-                goto unknown_op;
+-            }
--static inline void set_feature(CPUARMState *env, int feature)
--{
++            assert(b1 < 2);
--    env->features |= 1ULL << feature;
+             sse_fn_epp = sse_op_table6[b].op[b1];
--}
+             if (!sse_fn_epp) {
--
+                 goto unknown_op;
--static inline void unset_feature(CPUARMState *env, int feature)
+@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
--{
+             rm = modrm & 7;
--    env->features &= ~(1ULL << feature);
+             reg = ((modrm >> 3) & 7) | REX_R(s);
--}
+             mod = (modrm >> 6) & 3;
--
+-            if (b1 >= 2) {
- static int
+-                goto unknown_op;
- print_insn_thumb1(bfd_vma pc, disassemble_info *info)
+-            }
- {
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++            assert(b1 < 2);
-index XXXXXXX..XXXXXXX 100644
+             sse_fn_eppi = sse_op_table7[b].op[b1];
---- a/target/arm/cpu64.c
+             if (!sse_fn_eppi) {
-+++ b/target/arm/cpu64.c
+                 goto unknown_op;
@@ -XXX,XX +XXX,XX @@
  #include "kvm_arm.h"
  #include "qapi/visitor.h"
 -static inline void set_feature(CPUARMState *env, int feature)
 -{
 -    env->features |= 1ULL << feature;
 -}
 -
 -static inline void unset_feature(CPUARMState *env, int feature)
 -{
 -    env->features &= ~(1ULL << feature);
 -}
 -
  #ifndef CONFIG_USER_ONLY
  static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
 --
-.20.1
+.25.1

-[PULL 10/34] accel/tcg: Add block comment for probe_access
+[PULL 20/33] include/hw/i386: Don't include qemu-common.h in .h files
-From: Richard Henderson <richard.henderson@linaro.org>
+The qemu-common.h header is not supposed to be included from any
 other header files, only from .c files (as documented in a comment at
 the start of it).
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+include/hw/i386/x86.h and include/hw/i386/microvm.h break this rule.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+In fact, the include is not required at all, so we can just drop it
-Message-id: 20200508154359.7494-4-richard.henderson@linaro.org
+from both files.
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211129200510.1233037-2-peter.maydell@linaro.org
 ---
- include/exec/exec-all.h | 17 +++++++++++++++++
+ include/hw/i386/microvm.h | 1 -
-file changed, 17 insertions(+)
+ include/hw/i386/x86.h     | 1 -
 files changed, 2 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/include/hw/i386/microvm.h b/include/hw/i386/microvm.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/include/hw/i386/microvm.h
-+++ b/include/exec/exec-all.h
++++ b/include/hw/i386/microvm.h
-@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
+@@ -XXX,XX +XXX,XX @@
- {
+ #ifndef HW_I386_MICROVM_H
- }
+ #define HW_I386_MICROVM_H
- #endif
-+/**
+-#include "qemu-common.h"
-+ * probe_access:
+ #include "exec/hwaddr.h"
-+ * @env: CPUArchState
+ #include "qemu/notify.h"
-+ * @addr: guest virtual address to look up
-+ * @size: size of the access
+diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
-+ * @access_type: read, write or execute permission
+index XXXXXXX..XXXXXXX 100644
-+ * @mmu_idx: MMU index to use for lookup
+--- a/include/hw/i386/x86.h
-+ * @retaddr: return address for unwinding
++++ b/include/hw/i386/x86.h
-+ *
+@@ -XXX,XX +XXX,XX @@
-+ * Look up the guest virtual address @addr.  Raise an exception if the
+ #ifndef HW_I386_X86_H
-+ * page does not satisfy @access_type.  Raise an exception if the
+ #define HW_I386_X86_H
-+ * access (@addr, @size) hits a watchpoint.  For writes, mark a clean
-+ * page as dirty.
+-#include "qemu-common.h"
-+ *
+ #include "exec/hwaddr.h"
-+ * Finally, return the host address for a page that is backed by RAM,
+ #include "qemu/notify.h"
 + * or NULL if the page requires I/O.
 + */
  void *probe_access(CPUArchState *env, target_ulong addr, int size,
                     MMUAccessType access_type, int mmu_idx, uintptr_t retaddr);
 --
-.20.1
+.25.1

-[PULL 33/34] target/arm: Use tcg_gen_gvec_5_ptr for sve FMLA/FCMLA
+[PULL 21/33] target/hexagon/cpu.h: don't include qemu-common.h
-From: Richard Henderson <richard.henderson@linaro.org>
+The qemu-common.h header is not supposed to be included from any
 other header files, only from .c files (as documented in a comment at
 the start of it).
-Now that we can pass 7 parameters, do not encode register
+Move the include to linux-user/hexagon/cpu_loop.c, which needs it for
-operands within simd_data.
+the declaration of cpu_exec_step_atomic().
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20211129200510.1233037-3-peter.maydell@linaro.org
 Message-id: 20200507172352.15418-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper-sve.h    |  45 +++++++----
+ target/hexagon/cpu.h          | 1 -
- target/arm/sve_helper.c    | 157 ++++++++++++++-----------------------
+ linux-user/hexagon/cpu_loop.c | 1 +
- target/arm/translate-sve.c |  70 ++++++-----------
+files changed, 1 insertion(+), 1 deletion(-)
 files changed, 114 insertions(+), 158 deletions(-)
-diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
+diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sve.h
+--- a/target/hexagon/cpu.h
-+++ b/target/arm/helper-sve.h
++++ b/target/hexagon/cpu.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(sve_fcadd_s, TCG_CALL_NO_RWG,
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUHexagonState CPUHexagonState;
- DEF_HELPER_FLAGS_6(sve_fcadd_d, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
+ #include "fpu/softfloat-types.h"
--DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
+-#include "qemu-common.h"
--DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
+ #include "exec/cpu-defs.h"
--DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+ #include "hex_regs.h"
-+DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_h, TCG_CALL_NO_RWG,
+ #include "mmvec/mmvec.h"
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
 +DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
 -DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_s, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_d, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve_ftmad_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve_ftmad_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/linux-user/hexagon/cpu_loop.c
-+++ b/target/arm/sve_helper.c
++++ b/linux-user/hexagon/cpu_loop.c
-@@ -XXX,XX +XXX,XX @@ DO_ZPZ_FP(sve_ucvt_dd, uint64_t,     , uint64_to_float64)
+@@ -XXX,XX +XXX,XX @@
  #undef DO_ZPZ_FP
 -/* 4-operand predicated multiply-add.  This requires 7 operands to pass
 - * "properly", so we need to encode some of the registers into DESC.
 - */
 -QEMU_BUILD_BUG_ON(SIMD_DATA_SHIFT + 20 > 32);
 -
 -static void do_fmla_zpzzz_h(CPUARMState *env, void *vg, uint32_t desc,
 +static void do_fmla_zpzzz_h(void *vd, void *vn, void *vm, void *va, void *vg,
 +                            float_status *status, uint32_t desc,
                              uint16_t neg1, uint16_t neg3)
  {
      intptr_t i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_h(CPUARMState *env, void *vg, uint32_t desc,
                  e1 = *(uint16_t *)(vn + H1_2(i)) ^ neg1;
                  e2 = *(uint16_t *)(vm + H1_2(i));
                  e3 = *(uint16_t *)(va + H1_2(i)) ^ neg3;
 -                r = float16_muladd(e1, e2, e3, 0, &env->vfp.fp_status_f16);
 +                r = float16_muladd(e1, e2, e3, 0, status);
                  *(uint16_t *)(vd + H1_2(i)) = r;
              }
          } while (i & 63);
      } while (i != 0);
  }
 -void HELPER(sve_fmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_h(env, vg, desc, 0, 0);
 +    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0, 0);
  }
 -void HELPER(sve_fmls_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmls_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_h(env, vg, desc, 0x8000, 0);
 +    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0x8000, 0);
  }
 -void HELPER(sve_fnmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_h(env, vg, desc, 0x8000, 0x8000);
 +    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0x8000, 0x8000);
  }
 -void HELPER(sve_fnmls_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmls_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_h(env, vg, desc, 0, 0x8000);
 +    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0, 0x8000);
  }
 -static void do_fmla_zpzzz_s(CPUARMState *env, void *vg, uint32_t desc,
 +static void do_fmla_zpzzz_s(void *vd, void *vn, void *vm, void *va, void *vg,
 +                            float_status *status, uint32_t desc,
                              uint32_t neg1, uint32_t neg3)
  {
      intptr_t i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_s(CPUARMState *env, void *vg, uint32_t desc,
                  e1 = *(uint32_t *)(vn + H1_4(i)) ^ neg1;
                  e2 = *(uint32_t *)(vm + H1_4(i));
                  e3 = *(uint32_t *)(va + H1_4(i)) ^ neg3;
 -                r = float32_muladd(e1, e2, e3, 0, &env->vfp.fp_status);
 +                r = float32_muladd(e1, e2, e3, 0, status);
                  *(uint32_t *)(vd + H1_4(i)) = r;
              }
          } while (i & 63);
      } while (i != 0);
  }
 -void HELPER(sve_fmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_s(env, vg, desc, 0, 0);
 +    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0, 0);
  }
 -void HELPER(sve_fmls_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmls_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_s(env, vg, desc, 0x80000000, 0);
 +    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0x80000000, 0);
  }
 -void HELPER(sve_fnmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_s(env, vg, desc, 0x80000000, 0x80000000);
 +    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0x80000000, 0x80000000);
  }
 -void HELPER(sve_fnmls_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmls_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_s(env, vg, desc, 0, 0x80000000);
 +    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0, 0x80000000);
  }
 -static void do_fmla_zpzzz_d(CPUARMState *env, void *vg, uint32_t desc,
 +static void do_fmla_zpzzz_d(void *vd, void *vn, void *vm, void *va, void *vg,
 +                            float_status *status, uint32_t desc,
                              uint64_t neg1, uint64_t neg3)
  {
      intptr_t i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_d(CPUARMState *env, void *vg, uint32_t desc,
                  e1 = *(uint64_t *)(vn + i) ^ neg1;
                  e2 = *(uint64_t *)(vm + i);
                  e3 = *(uint64_t *)(va + i) ^ neg3;
 -                r = float64_muladd(e1, e2, e3, 0, &env->vfp.fp_status);
 +                r = float64_muladd(e1, e2, e3, 0, status);
                  *(uint64_t *)(vd + i) = r;
              }
          } while (i & 63);
      } while (i != 0);
  }
 -void HELPER(sve_fmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_d(env, vg, desc, 0, 0);
 +    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, 0, 0);
  }
 -void HELPER(sve_fmls_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fmls_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
 +                              void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_d(env, vg, desc, INT64_MIN, 0);
 +    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, INT64_MIN, 0);
  }
 -void HELPER(sve_fnmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_d(env, vg, desc, INT64_MIN, INT64_MIN);
 +    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, INT64_MIN, INT64_MIN);
  }
 -void HELPER(sve_fnmls_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fnmls_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
 -    do_fmla_zpzzz_d(env, vg, desc, 0, INT64_MIN);
 +    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, 0, INT64_MIN);
  }
  /* Two operand floating-point comparison controlled by a predicate.
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcadd_d)(void *vd, void *vn, void *vm, void *vg,
   * FP Complex Multiply
   */
--QEMU_BUILD_BUG_ON(SIMD_DATA_SHIFT + 22 > 32);
+ #include "qemu/osdep.h"
--
++#include "qemu-common.h"
--void HELPER(sve_fcmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+ #include "qemu.h"
-+void HELPER(sve_fcmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+ #include "user-internals.h"
-+                               void *vg, void *status, uint32_t desc)
+ #include "cpu_loop-common.h"
  {
      intptr_t j, i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
 +    unsigned rot = simd_data(desc);
      bool flip = rot & 1;
      float16 neg_imag, neg_real;
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      neg_imag = float16_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
              if (likely((pg >> (i & 63)) & 1)) {
                  d = *(float16 *)(va + H1_2(i));
 -                d = float16_muladd(e2, e1, d, 0, &env->vfp.fp_status_f16);
 +                d = float16_muladd(e2, e1, d, 0, status);
                  *(float16 *)(vd + H1_2(i)) = d;
              }
              if (likely((pg >> (j & 63)) & 1)) {
                  d = *(float16 *)(va + H1_2(j));
 -                d = float16_muladd(e4, e3, d, 0, &env->vfp.fp_status_f16);
 +                d = float16_muladd(e4, e3, d, 0, status);
                  *(float16 *)(vd + H1_2(j)) = d;
              }
          } while (i & 63);
      } while (i != 0);
  }
 -void HELPER(sve_fcmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fcmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
      intptr_t j, i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
 +    unsigned rot = simd_data(desc);
      bool flip = rot & 1;
      float32 neg_imag, neg_real;
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      neg_imag = float32_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
              if (likely((pg >> (i & 63)) & 1)) {
                  d = *(float32 *)(va + H1_2(i));
 -                d = float32_muladd(e2, e1, d, 0, &env->vfp.fp_status);
 +                d = float32_muladd(e2, e1, d, 0, status);
                  *(float32 *)(vd + H1_2(i)) = d;
              }
              if (likely((pg >> (j & 63)) & 1)) {
                  d = *(float32 *)(va + H1_2(j));
 -                d = float32_muladd(e4, e3, d, 0, &env->vfp.fp_status);
 +                d = float32_muladd(e4, e3, d, 0, status);
                  *(float32 *)(vd + H1_2(j)) = d;
              }
          } while (i & 63);
      } while (i != 0);
  }
 -void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 +void HELPER(sve_fcmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
 +                               void *vg, void *status, uint32_t desc)
  {
      intptr_t j, i = simd_oprsz(desc);
 -    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
 -    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
 -    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
 -    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
 -    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
 +    unsigned rot = simd_data(desc);
      bool flip = rot & 1;
      float64 neg_imag, neg_real;
 -    void *vd = &env->vfp.zregs[rd];
 -    void *vn = &env->vfp.zregs[rn];
 -    void *vm = &env->vfp.zregs[rm];
 -    void *va = &env->vfp.zregs[ra];
      uint64_t *g = vg;
      neg_imag = float64_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
              if (likely((pg >> (i & 63)) & 1)) {
                  d = *(float64 *)(va + H1_2(i));
 -                d = float64_muladd(e2, e1, d, 0, &env->vfp.fp_status);
 +                d = float64_muladd(e2, e1, d, 0, status);
                  *(float64 *)(vd + H1_2(i)) = d;
              }
              if (likely((pg >> (j & 63)) & 1)) {
                  d = *(float64 *)(va + H1_2(j));
 -                d = float64_muladd(e4, e3, d, 0, &env->vfp.fp_status);
 +                d = float64_muladd(e4, e3, d, 0, status);
                  *(float64 *)(vd + H1_2(j)) = d;
              }
          } while (i & 63);
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_FCADD(DisasContext *s, arg_FCADD *a)
      return true;
  }
 -typedef void gen_helper_sve_fmla(TCGv_env, TCGv_ptr, TCGv_i32);
 -
 -static bool do_fmla(DisasContext *s, arg_rprrr_esz *a, gen_helper_sve_fmla *fn)
 +static bool do_fmla(DisasContext *s, arg_rprrr_esz *a,
 +                    gen_helper_gvec_5_ptr *fn)
  {
 -    if (fn == NULL) {
 +    if (a->esz == 0) {
          return false;
      }
 -    if (!sve_access_check(s)) {
 -        return true;
 +    if (sve_access_check(s)) {
 +        unsigned vsz = vec_full_reg_size(s);
 +        TCGv_ptr status = get_fpstatus_ptr(a->esz == MO_16);
 +        tcg_gen_gvec_5_ptr(vec_full_reg_offset(s, a->rd),
 +                           vec_full_reg_offset(s, a->rn),
 +                           vec_full_reg_offset(s, a->rm),
 +                           vec_full_reg_offset(s, a->ra),
 +                           pred_full_reg_offset(s, a->pg),
 +                           status, vsz, vsz, 0, fn);
 +        tcg_temp_free_ptr(status);
      }
 -
 -    unsigned vsz = vec_full_reg_size(s);
 -    unsigned desc;
 -    TCGv_i32 t_desc;
 -    TCGv_ptr pg = tcg_temp_new_ptr();
 -
 -    /* We would need 7 operands to pass these arguments "properly".
 -     * So we encode all the register numbers into the descriptor.
 -     */
 -    desc = deposit32(a->rd, 5, 5, a->rn);
 -    desc = deposit32(desc, 10, 5, a->rm);
 -    desc = deposit32(desc, 15, 5, a->ra);
 -    desc = simd_desc(vsz, vsz, desc);
 -
 -    t_desc = tcg_const_i32(desc);
 -    tcg_gen_addi_ptr(pg, cpu_env, pred_full_reg_offset(s, a->pg));
 -    fn(cpu_env, pg, t_desc);
 -    tcg_temp_free_i32(t_desc);
 -    tcg_temp_free_ptr(pg);
      return true;
  }
  #define DO_FMLA(NAME, name) \
  static bool trans_##NAME(DisasContext *s, arg_rprrr_esz *a)          \
  {                                                                    \
 -    static gen_helper_sve_fmla * const fns[4] = {                    \
 +    static gen_helper_gvec_5_ptr * const fns[4] = {                  \
          NULL, gen_helper_sve_##name##_h,                             \
          gen_helper_sve_##name##_s, gen_helper_sve_##name##_d         \
      };                                                               \
@@ -XXX,XX +XXX,XX @@ DO_FMLA(FNMLS_zpzzz, fnmls_zpzzz)
  static bool trans_FCMLA_zpzzz(DisasContext *s, arg_FCMLA_zpzzz *a)
  {
 -    static gen_helper_sve_fmla * const fns[3] = {
 +    static gen_helper_gvec_5_ptr * const fns[4] = {
 +        NULL,
          gen_helper_sve_fcmla_zpzzz_h,
          gen_helper_sve_fcmla_zpzzz_s,
          gen_helper_sve_fcmla_zpzzz_d,
@@ -XXX,XX +XXX,XX @@ static bool trans_FCMLA_zpzzz(DisasContext *s, arg_FCMLA_zpzzz *a)
      }
      if (sve_access_check(s)) {
          unsigned vsz = vec_full_reg_size(s);
 -        unsigned desc;
 -        TCGv_i32 t_desc;
 -        TCGv_ptr pg = tcg_temp_new_ptr();
 -
 -        /* We would need 7 operands to pass these arguments "properly".
 -         * So we encode all the register numbers into the descriptor.
 -         */
 -        desc = deposit32(a->rd, 5, 5, a->rn);
 -        desc = deposit32(desc, 10, 5, a->rm);
 -        desc = deposit32(desc, 15, 5, a->ra);
 -        desc = deposit32(desc, 20, 2, a->rot);
 -        desc = sextract32(desc, 0, 22);
 -        desc = simd_desc(vsz, vsz, desc);
 -
 -        t_desc = tcg_const_i32(desc);
 -        tcg_gen_addi_ptr(pg, cpu_env, pred_full_reg_offset(s, a->pg));
 -        fns[a->esz - 1](cpu_env, pg, t_desc);
 -        tcg_temp_free_i32(t_desc);
 -        tcg_temp_free_ptr(pg);
 +        TCGv_ptr status = get_fpstatus_ptr(a->esz == MO_16);
 +        tcg_gen_gvec_5_ptr(vec_full_reg_offset(s, a->rd),
 +                           vec_full_reg_offset(s, a->rn),
 +                           vec_full_reg_offset(s, a->rm),
 +                           vec_full_reg_offset(s, a->ra),
 +                           pred_full_reg_offset(s, a->pg),
 +                           status, vsz, vsz, a->rot, fns[a->esz]);
 +        tcg_temp_free_ptr(status);
      }
      return true;
  }
 --
-.20.1
+.25.1

-[PULL 08/34] exec: Add block comments for watchpoint routines
+[PULL 22/33] target/rx/cpu.h: Don't include qemu-common.h
-From: Richard Henderson <richard.henderson@linaro.org>
+The qemu-common.h header is not supposed to be included from any
 other header files, only from .c files (as documented in a comment at
 the start of it).
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Nothing actually relies on target/rx/cpu.h including it, so we can
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+just drop the include.
-Message-id: 20200508154359.7494-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
+Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
+Message-id: 20211129200510.1233037-4-peter.maydell@linaro.org
 ---
- include/hw/core/cpu.h | 23 +++++++++++++++++++++++
+ target/rx/cpu.h | 1 -
-file changed, 23 insertions(+)
+file changed, 1 deletion(-)
-diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
+diff --git a/target/rx/cpu.h b/target/rx/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/core/cpu.h
+--- a/target/rx/cpu.h
-+++ b/include/hw/core/cpu.h
++++ b/target/rx/cpu.h
-@@ -XXX,XX +XXX,XX @@ int cpu_watchpoint_remove(CPUState *cpu, vaddr addr,
+@@ -XXX,XX +XXX,XX @@
-                           vaddr len, int flags);
+ #define RX_CPU_H
- void cpu_watchpoint_remove_by_ref(CPUState *cpu, CPUWatchpoint *watchpoint);
- void cpu_watchpoint_remove_all(CPUState *cpu, int mask);
+ #include "qemu/bitops.h"
-+
+-#include "qemu-common.h"
-+/**
+ #include "hw/registerfields.h"
-+ * cpu_check_watchpoint:
+ #include "cpu-qom.h"
 + * @cpu: cpu context
 + * @addr: guest virtual address
 + * @len: access length
 + * @attrs: memory access attributes
 + * @flags: watchpoint access type
 + * @ra: unwind return address
 + *
 + * Check for a watchpoint hit in [addr, addr+len) of the type
 + * specified by @flags.  Exit via exception with a hit.
 + */
  void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
                            MemTxAttrs attrs, int flags, uintptr_t ra);
 +
 +/**
 + * cpu_watchpoint_address_matches:
 + * @cpu: cpu context
 + * @addr: guest virtual address
 + * @len: access length
 + *
 + * Return the watchpoint flags that apply to [addr, addr+len).
 + * If no watchpoint is registered for the range, the result is 0.
 + */
  int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len);
  #endif
 --
-.20.1
+.25.1

-[PULL 17/34] target/arm: Adjust interface of sve_ld1_host_fn
+[PULL 23/33] hw/arm: Don't include qemu-common.h unnecessarily
-From: Richard Henderson <richard.henderson@linaro.org>
+A lot of C files in hw/arm include qemu-common.h when they don't
 need anything from it. Drop the include lines.
-The current interface includes a loop; change it to load a
+omap1.c, pxa2xx.c and strongarm.c retain the include because they
-single element.  We will then be able to use the function
+use it for the prototype of qemu_get_timedate().
 for ld{2,3,4} where individual vector elements are not adjacent.
-Replace each call with the simplest possible loop over active
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-elements.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
 Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
 Message-id: 20211129200510.1233037-5-peter.maydell@linaro.org
 ---
  hw/arm/boot.c           | 1 -
  hw/arm/digic_boards.c   | 1 -
  hw/arm/highbank.c       | 1 -
  hw/arm/npcm7xx_boards.c | 1 -
  hw/arm/sbsa-ref.c       | 1 -
  hw/arm/stm32f405_soc.c  | 1 -
  hw/arm/vexpress.c       | 1 -
  hw/arm/virt.c           | 1 -
 files changed, 8 deletions(-)
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/hw/arm/boot.c b/hw/arm/boot.c
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20200508154359.7494-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/sve_helper.c | 124 ++++++++++++++++++++--------------------
 file changed, 63 insertions(+), 61 deletions(-)
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/hw/arm/boot.c
-+++ b/target/arm/sve_helper.c
++++ b/hw/arm/boot.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+@@ -XXX,XX +XXX,XX @@
   */
- /*
+ #include "qemu/osdep.h"
-- * Load elements into @vd, controlled by @vg, from @host + @mem_ofs.
+-#include "qemu-common.h"
-- * Memory is valid through @host + @mem_max.  The register element
+ #include "qemu/datadir.h"
-- * indices are inferred from @mem_ofs, as modified by the types for
+ #include "qemu/error-report.h"
-- * which the helper is built.  Return the @mem_ofs of the first element
+ #include "qapi/error.h"
-- * not loaded (which is @mem_max if they are all loaded).
+diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
-- *
+index XXXXXXX..XXXXXXX 100644
-- * For softmmu, we have fully validated the guest page.  For user-only,
+--- a/hw/arm/digic_boards.c
-- * we cannot fully validate without taking the mmap lock, but since we
++++ b/hw/arm/digic_boards.c
-- * know the access is within one host page, if any access is valid they
+@@ -XXX,XX +XXX,XX @@
-- * all must be valid.  However, when @vg is all false, it may be that
-- * no access is valid.
+ #include "qemu/osdep.h"
-+ * Load one element into @vd + @reg_off from @host.
+ #include "qapi/error.h"
-+ * The controlling predicate is known to be true.
+-#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "hw/boards.h"
  #include "qemu/error-report.h"
 diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/highbank.c
 +++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
   */
--typedef intptr_t sve_ld1_host_fn(void *vd, void *vg, void *host,
--                                 intptr_t mem_ofs, intptr_t mem_max);
+ #include "qemu/osdep.h"
-+typedef void sve_ldst1_host_fn(void *vd, intptr_t reg_off, void *host);
+-#include "qemu-common.h"
+ #include "qemu/datadir.h"
- /*
+ #include "qapi/error.h"
-  * Load one element into @vd + @reg_off from (@env, @vaddr, @ra).
+ #include "hw/sysbus.h"
-@@ -XXX,XX +XXX,XX @@ typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
+diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/npcm7xx_boards.c
 +++ b/hw/arm/npcm7xx_boards.c
@@ -XXX,XX +XXX,XX @@
  #include "hw/qdev-core.h"
  #include "hw/qdev-properties.h"
  #include "qapi/error.h"
 -#include "qemu-common.h"
  #include "qemu/datadir.h"
  #include "qemu/units.h"
  #include "sysemu/blockdev.h"
 diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/sbsa-ref.c
 +++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
   */
- #define DO_LD_HOST(NAME, H, TYPEE, TYPEM, HOST) \
+ #include "qemu/osdep.h"
--static intptr_t sve_##NAME##_host(void *vd, void *vg, void *host,           \
+-#include "qemu-common.h"
--                                  intptr_t mem_off, const intptr_t mem_max) \
+ #include "qemu/datadir.h"
--{                                                                           \
+ #include "qapi/error.h"
--    intptr_t reg_off = mem_off * (sizeof(TYPEE) / sizeof(TYPEM));           \
+ #include "qemu/error-report.h"
--    uint64_t *pg = vg;                                                      \
+diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
--    while (mem_off + sizeof(TYPEM) <= mem_max) {                            \
+index XXXXXXX..XXXXXXX 100644
--        TYPEM val = 0;                                                      \
+--- a/hw/arm/stm32f405_soc.c
--        if (likely((pg[reg_off >> 6] >> (reg_off & 63)) & 1)) {             \
++++ b/hw/arm/stm32f405_soc.c
--            val = HOST(host + mem_off);                                     \
+@@ -XXX,XX +XXX,XX @@
--        }                                                                   \
--        *(TYPEE *)(vd + H(reg_off)) = val;                                  \
+ #include "qemu/osdep.h"
--        mem_off += sizeof(TYPEM), reg_off += sizeof(TYPEE);                 \
+ #include "qapi/error.h"
--    }                                                                       \
+-#include "qemu-common.h"
--    return mem_off;                                                         \
+ #include "exec/address-spaces.h"
-+static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
+ #include "sysemu/sysemu.h"
-+{                                                                      \
+ #include "hw/arm/stm32f405_soc.h"
-+    TYPEM val = HOST(host);                                            \
+diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
-+    *(TYPEE *)(vd + H(reg_off)) = val;                                 \
+index XXXXXXX..XXXXXXX 100644
- }
+--- a/hw/arm/vexpress.c
++++ b/hw/arm/vexpress.c
- #define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
+@@ -XXX,XX +XXX,XX @@
-@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
- static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
+ #include "qemu/osdep.h"
-                       uint32_t desc, const uintptr_t retaddr,
+ #include "qapi/error.h"
-                       const int esz, const int msz,
+-#include "qemu-common.h"
--                      sve_ld1_host_fn *host_fn,
+ #include "qemu/datadir.h"
-+                      sve_ldst1_host_fn *host_fn,
+ #include "cpu.h"
-                       sve_ldst1_tlb_fn *tlb_fn)
+ #include "hw/sysbus.h"
- {
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
+--- a/hw/arm/virt.c
-     if (likely(split == mem_max)) {
++++ b/hw/arm/virt.c
-         host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
+@@ -XXX,XX +XXX,XX @@
          if (test_host_page(host)) {
 -            mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
 -            tcg_debug_assert(mem_off == mem_max);
 +            intptr_t i = reg_off;
 +            host -= mem_off;
 +            do {
 +                host_fn(vd, i, host + (i >> diffsz));
 +                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
 +            } while (i < reg_max);
              /* After having taken any fault, zero leading inactive elements. */
              swap_memzero(vd, reg_off);
              return;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
       */
  #ifdef CONFIG_USER_ONLY
      swap_memzero(&scratch, reg_off);
 -    host_fn(&scratch, vg, g2h(addr), mem_off, mem_max);
 +    host = g2h(addr);
 +    do {
 +        host_fn(&scratch, reg_off, host + (reg_off >> diffsz));
 +        reg_off += 1 << esz;
 +        reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +    } while (reg_off < reg_max);
  #else
      memset(&scratch, 0, reg_max);
      goto start;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
              host = tlb_vaddr_to_host(env, addr + mem_off,
                                       MMU_DATA_LOAD, mmu_idx);
              if (host) {
 -                mem_off = host_fn(&scratch, vg, host - mem_off,
 -                                  mem_off, split);
 -                reg_off = mem_off << diffsz;
 +                host -= mem_off;
 +                do {
 +                    host_fn(&scratch, reg_off, host + mem_off);
 +                    reg_off += 1 << esz;
 +                    reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +                    mem_off = reg_off >> diffsz;
 +                } while (split - mem_off >= (1 << msz));
                  continue;
              }
          }
@@ -XXX,XX +XXX,XX @@ static void record_fault(CPUARMState *env, uintptr_t i, uintptr_t oprsz)
  static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                          uint32_t desc, const uintptr_t retaddr,
                          const int esz, const int msz,
 -                        sve_ld1_host_fn *host_fn,
 +                        sve_ldst1_host_fn *host_fn,
                          sve_ldst1_tlb_fn *tlb_fn)
  {
      const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      const int diffsz = esz - msz;
      const intptr_t reg_max = simd_oprsz(desc);
      const intptr_t mem_max = reg_max >> diffsz;
 -    intptr_t split, reg_off, mem_off;
 +    intptr_t split, reg_off, mem_off, i;
      void *host;
      /* Skip to the first active element.  */
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      if (likely(split == mem_max)) {
          host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
          if (test_host_page(host)) {
 -            mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
 -            tcg_debug_assert(mem_off == mem_max);
 +            i = reg_off;
 +            host -= mem_off;
 +            do {
 +                host_fn(vd, i, host + (i >> diffsz));
 +                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
 +            } while (i < reg_max);
              /* After any fault, zero any leading inactive elements.  */
              swap_memzero(vd, reg_off);
              return;
          }
      }
 -#ifdef CONFIG_USER_ONLY
 -    /*
 -     * The page(s) containing this first element at ADDR+MEM_OFF must
 -     * be valid.  Considering that this first element may be misaligned
 -     * and cross a page boundary itself, take the rest of the page from
 -     * the last byte of the element.
 -     */
 -    split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
 -    mem_off = host_fn(vd, vg, g2h(addr), mem_off, split);
 -
 -    /* After any fault, zero any leading inactive elements.  */
 -    swap_memzero(vd, reg_off);
 -    reg_off = mem_off << diffsz;
 -#else
      /*
       * Perform one normal read, which will fault or not.
       * But it is likely to bring the page into the tlb.
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      if (split >= (1 << msz)) {
          host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
          if (host) {
 -            mem_off = host_fn(vd, vg, host - mem_off, mem_off, split);
 -            reg_off = mem_off << diffsz;
 +            host -= mem_off;
 +            do {
 +                host_fn(vd, reg_off, host + mem_off);
 +                reg_off += 1 << esz;
 +                reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +                mem_off = reg_off >> diffsz;
 +            } while (split - mem_off >= (1 << msz));
          }
      }
 -#endif
      record_fault(env, reg_off, reg_max);
  }
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
   */
- static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
-                         uint32_t desc, const int esz, const int msz,
+ #include "qemu/osdep.h"
--                        sve_ld1_host_fn *host_fn)
+-#include "qemu-common.h"
-+                        sve_ldst1_host_fn *host_fn)
+ #include "qemu/datadir.h"
- {
+ #include "qemu/units.h"
-     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+ #include "qemu/option.h"
      void *vd = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
      host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);
      if (likely(page_check_range(addr, mem_max, PAGE_READ) == 0)) {
          /* The entire operation is valid and will not fault.  */
 -        host_fn(vd, vg, host, 0, mem_max);
 +        reg_off = 0;
 +        do {
 +            mem_off = reg_off >> diffsz;
 +            host_fn(vd, reg_off, host + mem_off);
 +            reg_off += 1 << esz;
 +            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +        } while (reg_off < reg_max);
          return;
      }
  #endif
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
      if (page_check_range(addr + mem_off, 1 << msz, PAGE_READ) == 0) {
          /* At least one load is valid; take the rest of the page.  */
          split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
 -        mem_off = host_fn(vd, vg, host, mem_off, split);
 -        reg_off = mem_off << diffsz;
 +        do {
 +            host_fn(vd, reg_off, host + mem_off);
 +            reg_off += 1 << esz;
 +            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +            mem_off = reg_off >> diffsz;
 +        } while (split - mem_off >= (1 << msz));
      }
  #else
      /*
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
      host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
      split = max_for_page(addr, mem_off, mem_max);
      if (host && split >= (1 << msz)) {
 -        mem_off = host_fn(vd, vg, host - mem_off, mem_off, split);
 -        reg_off = mem_off << diffsz;
 +        host -= mem_off;
 +        do {
 +            host_fn(vd, reg_off, host + mem_off);
 +            reg_off += 1 << esz;
 +            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 +            mem_off = reg_off >> diffsz;
 +        } while (split - mem_off >= (1 << msz));
      }
  #endif
 --
-.20.1
+.25.1

-[PULL 02/34] target/arm: Drop access_el3_aa32ns_aa64any()
+[PULL 24/33] target/arm: Correct calculation of tlb range invalidate length
-From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>
+The calculation of the length of TLB range invalidate operations
 in tlbi_aa64_range_get_length() is incorrect in two ways:
  * the NUM field is 5 bits, but we read only 4 bits
  * we miscalculate the page_shift value, because of an
    off-by-one error:
     TG 0b00 is invalid
     TG 0b01 is 4K granule size == 4096 == 2^12
     TG 0b10 is 16K granule size == 16384 == 2^14
     TG 0b11 is 64K granule size == 65536 == 2^16
    so page_shift should be (TG - 1) * 2 + 12
-Calling access_el3_aa32ns() works for AArch32 only cores
+Thanks to the bug report submitter Cha HyunSoo for identifying
-but it does not handle 32-bit EL2 on top of 64-bit EL3
+both these errors.
 for mixed 32/64-bit cores.
-Merge access_el3_aa32ns_aa64any() into access_el3_aa32ns()
+Fixes: 84940ed82552d3c ("target/arm: Add support for FEAT_TLBIRANGE")
-and only use the latter.
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/734
 Fixes: 68e9c2fe65 ("target-arm: Add VTCR_EL2")
 Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
 Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
 Message-id: 20200505141729.31930-2-edgar.iglesias@gmail.com
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-id: 20211130173257.1274194-1-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 30 +++++++-----------------------
+ target/arm/helper.c | 6 +++---
-file changed, 7 insertions(+), 23 deletions(-)
+file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void init_cpreg_list(ARMCPU *cpu)
+@@ -XXX,XX +XXX,XX @@ static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
- }
+     uint64_t exponent;
+     uint64_t length;
- /*
-- * Some registers are not accessible if EL3.NS=0 and EL3 is using AArch32 but
+-    num = extract64(value, 39, 4);
-- * they are accessible when EL3 is using AArch64 regardless of EL3.NS.
++    num = extract64(value, 39, 5);
-- *
+     scale = extract64(value, 44, 2);
-- * access_el3_aa32ns: Used to check AArch32 register views.
+     page_size_granule = extract64(value, 46, 2);
-- * access_el3_aa32ns_aa64any: Used to check both AArch32/64 register views.
-+ * Some registers are not accessible from AArch32 EL3 if SCR.NS == 0.
+-    page_shift = page_size_granule * 2 + 12;
   */
  static CPAccessResult access_el3_aa32ns(CPUARMState *env,
                                          const ARMCPRegInfo *ri,
                                          bool isread)
  {
 -    bool secure = arm_is_secure_below_el3(env);
 -
--    assert(!arm_el_is_aa64(env, 3));
+     if (page_size_granule == 0) {
--    if (secure) {
+         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
-+    if (!is_a64(env) && arm_current_el(env) == 3 &&
+                       page_size_granule);
-+        arm_is_secure_below_el3(env)) {
+         return 0;
          return CP_ACCESS_TRAP_UNCATEGORIZED;
      }
-     return CP_ACCESS_OK;
- }
++    page_shift = (page_size_granule - 1) * 2 + 12;
++
--static CPAccessResult access_el3_aa32ns_aa64any(CPUARMState *env,
+     exponent = (5 * scale) + 1;
--                                                const ARMCPRegInfo *ri,
+     length = (num + 1) << (exponent + page_shift);
--                                                bool isread)
 -{
 -    if (!arm_el_is_aa64(env, 3)) {
 -        return access_el3_aa32ns(env, ri, isread);
 -    }
 -    return CP_ACCESS_OK;
 -}
 -
  /* Some secure-only AArch32 registers trap to EL3 if used from
   * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts).
   * Note that an access from Secure EL1 can only happen if EL3 is AArch64.
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
        .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
      { .name = "VTCR_EL2", .state = ARM_CP_STATE_BOTH,
        .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
 -      .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
 +      .access = PL2_RW, .accessfn = access_el3_aa32ns,
        .type = ARM_CP_CONST, .resetvalue = 0 },
      { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
        .cp = 15, .opc1 = 6, .crm = 2,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
        .type = ARM_CP_CONST, .resetvalue = 0 },
      { .name = "HPFAR_EL2", .state = ARM_CP_STATE_BOTH,
        .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
 -      .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
 +      .access = PL2_RW, .accessfn = access_el3_aa32ns,
        .type = ARM_CP_CONST, .resetvalue = 0 },
      { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH,
        .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              ARMCPRegInfo vpidr_regs[] = {
                  { .name = "VPIDR_EL2", .state = ARM_CP_STATE_BOTH,
                    .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
 -                  .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
 +                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
                    .type = ARM_CP_CONST, .resetvalue = cpu->midr,
                    .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
                  { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_BOTH,
                    .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
 -                  .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
 +                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
                    .type = ARM_CP_NO_RAW,
                    .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
                  REGINFO_SENTINEL
 --
-.20.1
+.25.1

-[PULL 22/34] target/arm: Use SVEContLdSt for contiguous stores
+[PULL 25/33] hw/net: npcm7xx_emc fix missing queue_flush
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Patrick Venture <venture@google.com>
-Follow the model set up for contiguous loads.  This handles
+The rx_active boolean change to true should always trigger a try_read
-watchpoints correctly for contiguous stores, recognizing the
+call that flushes the queue.
 exception before any changes to memory.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Patrick Venture <venture@google.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Message-id: 20200508154359.7494-16-richard.henderson@linaro.org
+Message-id: 20211203221002.1719306-1-venture@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 285 ++++++++++++++++++++++------------------
+ hw/net/npcm7xx_emc.c | 18 ++++++++----------
-file changed, 159 insertions(+), 126 deletions(-)
+file changed, 8 insertions(+), 10 deletions(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/hw/net/npcm7xx_emc.c
-+++ b/target/arm/sve_helper.c
++++ b/hw/net/npcm7xx_emc.c
-@@ -XXX,XX +XXX,XX @@ static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
+@@ -XXX,XX +XXX,XX @@ static void emc_halt_rx(NPCM7xxEMCState *emc, uint32_t mista_flag)
-     *(TYPEE *)(vd + H(reg_off)) = val;                                 \
+     emc_set_mista(emc, mista_flag);
  }
-+#define DO_ST_HOST(NAME, H, TYPEE, TYPEM, HOST) \
++static void emc_enable_rx_and_flush(NPCM7xxEMCState *emc)
-+static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
++{
-+{ HOST(host, (TYPEM)*(TYPEE *)(vd + H(reg_off))); }
++    emc->rx_active = true;
 +    qemu_flush_queued_packets(qemu_get_queue(emc->nic));
 +}
 +
- #define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
+ static void emc_set_next_tx_descriptor(NPCM7xxEMCState *emc,
- static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
+                                        const NPCM7xxEMCTxDesc *tx_desc,
-                              target_ulong addr, uintptr_t ra)               \
+                                        uint32_t desc_addr)
-@@ -XXX,XX +XXX,XX @@ DO_LD_PRIM_1(ld1bdu,     , uint64_t, uint8_t)
+@@ -XXX,XX +XXX,XX @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
- DO_LD_PRIM_1(ld1bds,     , uint64_t,  int8_t)
+     return len;
  #define DO_ST_PRIM_1(NAME, H, TE, TM)                   \
 +    DO_ST_HOST(st1##NAME, H, TE, TM, stb_p)             \
      DO_ST_TLB(st1##NAME, H, TE, TM, cpu_stb_data_ra)
  DO_ST_PRIM_1(bb,   H1,  uint8_t, uint8_t)
@@ -XXX,XX +XXX,XX @@ DO_ST_PRIM_1(bd,     , uint64_t, uint8_t)
      DO_LD_TLB(ld1##NAME##_le, H, TE, TM, cpu_##LD##_le_data_ra)
  #define DO_ST_PRIM_2(NAME, H, TE, TM, ST) \
 +    DO_ST_HOST(st1##NAME##_be, H, TE, TM, ST##_be_p)    \
 +    DO_ST_HOST(st1##NAME##_le, H, TE, TM, ST##_le_p)    \
      DO_ST_TLB(st1##NAME##_be, H, TE, TM, cpu_##ST##_be_data_ra) \
      DO_ST_TLB(st1##NAME##_le, H, TE, TM, cpu_##ST##_le_data_ra)
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_LDNF1_2(dd,  MO_64, MO_64)
  #undef DO_LDFF1_LDNF1_2
  /*
 - * Common helpers for all contiguous 1,2,3,4-register predicated stores.
 + * Common helper for all contiguous 1,2,3,4-register predicated stores.
   */
 -static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
 -                      uint32_t desc, const uintptr_t ra,
 -                      const int esize, const int msize,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 +
 +static inline QEMU_ALWAYS_INLINE
 +void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr, uint32_t desc,
 +               const uintptr_t retaddr, const int esz,
 +               const int msz, const int N,
 +               sve_ldst1_host_fn *host_fn,
 +               sve_ldst1_tlb_fn *tlb_fn)
  {
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    void *vd = &env->vfp.zregs[rd];
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    intptr_t reg_off, reg_last, mem_off;
 +    SVEContLdSt info;
 +    void *host;
 +    int i, flags;
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, vd, i, addr, ra);
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, N << msz)) {
 +        /* The entire predicate was false; no store occurs.  */
 +        return;
 +    }
 +
 +    /* Probe the page(s).  Exit with exception for any invalid page. */
 +    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, retaddr);
 +
 +    /* Handle watchpoints for all active elements. */
 +    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, N << msz,
 +                              BP_MEM_WRITE, retaddr);
 +
 +    /* TODO: MTE check. */
 +
 +    flags = info.page[0].flags | info.page[1].flags;
 +    if (unlikely(flags != 0)) {
 +#ifdef CONFIG_USER_ONLY
 +        g_assert_not_reached();
 +#else
 +        /*
 +         * At least one page includes MMIO.
 +         * Any bus operation can fail with cpu_transaction_failed,
 +         * which for ARM will raise SyncExternal.  We cannot avoid
 +         * this fault and will leave with the store incomplete.
 +         */
 +        mem_off = info.mem_off_first[0];
 +        reg_off = info.reg_off_first[0];
 +        reg_last = info.reg_off_last[1];
 +        if (reg_last < 0) {
 +            reg_last = info.reg_off_split;
 +            if (reg_last < 0) {
 +                reg_last = info.reg_off_last[0];
              }
 -            i += esize, pg >>= esize;
 -            addr += msize;
 -        } while (i & 15);
 +        }
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    for (i = 0; i < N; ++i) {
 +                        tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
 +                               addr + mem_off + (i << msz), retaddr);
 +                    }
 +                }
 +                reg_off += 1 << esz;
 +                mem_off += N << msz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
 +        return;
 +#endif
 +    }
 +
 +    mem_off = info.mem_off_first[0];
 +    reg_off = info.reg_off_first[0];
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 +
 +    while (reg_off <= reg_last) {
 +        uint64_t pg = vg[reg_off >> 6];
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                for (i = 0; i < N; ++i) {
 +                    host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
 +                            host + mem_off + (i << msz));
 +                }
 +            }
 +            reg_off += 1 << esz;
 +            mem_off += N << msz;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    }
 +
 +    /*
 +     * Use the slow path to manage the cross-page misalignment.
 +     * But we know this is RAM and cannot trap.
 +     */
 +    mem_off = info.mem_off_split;
 +    if (unlikely(mem_off >= 0)) {
 +        reg_off = info.reg_off_split;
 +        for (i = 0; i < N; ++i) {
 +            tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
 +                   addr + mem_off + (i << msz), retaddr);
 +        }
 +    }
 +
 +    mem_off = info.mem_off_first[1];
 +    if (unlikely(mem_off >= 0)) {
 +        reg_off = info.reg_off_first[1];
 +        reg_last = info.reg_off_last[1];
 +        host = info.page[1].host;
 +
 +        do {
 +            uint64_t pg = vg[reg_off >> 6];
 +            do {
 +                if ((pg >> (reg_off & 63)) & 1) {
 +                    for (i = 0; i < N; ++i) {
 +                        host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
 +                                host + mem_off + (i << msz));
 +                    }
 +                }
 +                reg_off += 1 << esz;
 +                mem_off += N << msz;
 +            } while (reg_off & 63);
 +        } while (reg_off <= reg_last);
      }
  }
--static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
+-static void emc_try_receive_next_packet(NPCM7xxEMCState *emc)
 -                      uint32_t desc, const uintptr_t ra,
 -                      const int esize, const int msize,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 -{
--    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+-    if (emc_can_receive(qemu_get_queue(emc->nic))) {
--    intptr_t i, oprsz = simd_oprsz(desc);
+-        qemu_flush_queued_packets(qemu_get_queue(emc->nic));
 -    void *d1 = &env->vfp.zregs[rd];
 -    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
 -
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, d1, i, addr, ra);
 -                tlb_fn(env, d2, i, addr + msize, ra);
 -            }
 -            i += esize, pg >>= esize;
 -            addr += 2 * msize;
 -        } while (i & 15);
 -    }
 -}
 -
--static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
+ static uint64_t npcm7xx_emc_read(void *opaque, hwaddr offset, unsigned size)
--                      uint32_t desc, const uintptr_t ra,
+ {
--                      const int esize, const int msize,
+     NPCM7xxEMCState *emc = opaque;
--                      sve_ldst1_tlb_fn *tlb_fn)
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
--{
+             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
--    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+         }
--    intptr_t i, oprsz = simd_oprsz(desc);
+         if (value & REG_MCMDR_RXON) {
--    void *d1 = &env->vfp.zregs[rd];
+-            emc->rx_active = true;
--    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
++            emc_enable_rx_and_flush(emc);
--    void *d3 = &env->vfp.zregs[(rd + 2) & 31];
+         } else {
--
+             emc_halt_rx(emc, 0);
--    for (i = 0; i < oprsz; ) {
+         }
--        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
--        do {
+         break;
--            if (pg & 1) {
+     case REG_RSDR:
--                tlb_fn(env, d1, i, addr, ra);
+         if (emc->regs[REG_MCMDR] & REG_MCMDR_RXON) {
--                tlb_fn(env, d2, i, addr + msize, ra);
+-            emc->rx_active = true;
--                tlb_fn(env, d3, i, addr + 2 * msize, ra);
+-            emc_try_receive_next_packet(emc);
--            }
++            emc_enable_rx_and_flush(emc);
--            i += esize, pg >>= esize;
+         }
--            addr += 3 * msize;
+         break;
--        } while (i & 15);
+     case REG_MIIDA:
 -    }
 -}
 -
 -static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
 -                      uint32_t desc, const uintptr_t ra,
 -                      const int esize, const int msize,
 -                      sve_ldst1_tlb_fn *tlb_fn)
 -{
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    void *d1 = &env->vfp.zregs[rd];
 -    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
 -    void *d3 = &env->vfp.zregs[(rd + 2) & 31];
 -    void *d4 = &env->vfp.zregs[(rd + 3) & 31];
 -
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 -        do {
 -            if (pg & 1) {
 -                tlb_fn(env, d1, i, addr, ra);
 -                tlb_fn(env, d2, i, addr + msize, ra);
 -                tlb_fn(env, d3, i, addr + 2 * msize, ra);
 -                tlb_fn(env, d4, i, addr + 3 * msize, ra);
 -            }
 -            i += esize, pg >>= esize;
 -            addr += 4 * msize;
 -        } while (i & 15);
 -    }
 -}
 -
 -#define DO_STN_1(N, NAME, ESIZE) \
 -void QEMU_FLATTEN HELPER(sve_st##N##NAME##_r) \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)  \
 +#define DO_STN_1(N, NAME, ESZ) \
 +void HELPER(sve_st##N##NAME##_r)(CPUARMState *env, void *vg,        \
 +                                 target_ulong addr, uint32_t desc)  \
  {                                                                   \
 -    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, 1,           \
 -                  sve_st1##NAME##_tlb);                             \
 +    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, N,           \
 +              sve_st1##NAME##_host, sve_st1##NAME##_tlb);           \
  }
 -#define DO_STN_2(N, NAME, ESIZE, MSIZE) \
 -void QEMU_FLATTEN HELPER(sve_st##N##NAME##_le_r) \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
 +#define DO_STN_2(N, NAME, ESZ, MSZ) \
 +void HELPER(sve_st##N##NAME##_le_r)(CPUARMState *env, void *vg,       \
 +                                    target_ulong addr, uint32_t desc) \
  {                                                                     \
 -    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, MSIZE,         \
 -                  sve_st1##NAME##_le_tlb);                            \
 +    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, N,              \
 +              sve_st1##NAME##_le_host, sve_st1##NAME##_le_tlb);       \
  }                                                                     \
 -void QEMU_FLATTEN HELPER(sve_st##N##NAME##_be_r)                      \
 -    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
 +void HELPER(sve_st##N##NAME##_be_r)(CPUARMState *env, void *vg,       \
 +                                    target_ulong addr, uint32_t desc) \
  {                                                                     \
 -    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, MSIZE,         \
 -                  sve_st1##NAME##_be_tlb);                            \
 +    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, N,              \
 +              sve_st1##NAME##_be_host, sve_st1##NAME##_be_tlb);       \
  }
 -DO_STN_1(1, bb, 1)
 -DO_STN_1(1, bh, 2)
 -DO_STN_1(1, bs, 4)
 -DO_STN_1(1, bd, 8)
 -DO_STN_1(2, bb, 1)
 -DO_STN_1(3, bb, 1)
 -DO_STN_1(4, bb, 1)
 +DO_STN_1(1, bb, MO_8)
 +DO_STN_1(1, bh, MO_16)
 +DO_STN_1(1, bs, MO_32)
 +DO_STN_1(1, bd, MO_64)
 +DO_STN_1(2, bb, MO_8)
 +DO_STN_1(3, bb, MO_8)
 +DO_STN_1(4, bb, MO_8)
 -DO_STN_2(1, hh, 2, 2)
 -DO_STN_2(1, hs, 4, 2)
 -DO_STN_2(1, hd, 8, 2)
 -DO_STN_2(2, hh, 2, 2)
 -DO_STN_2(3, hh, 2, 2)
 -DO_STN_2(4, hh, 2, 2)
 +DO_STN_2(1, hh, MO_16, MO_16)
 +DO_STN_2(1, hs, MO_32, MO_16)
 +DO_STN_2(1, hd, MO_64, MO_16)
 +DO_STN_2(2, hh, MO_16, MO_16)
 +DO_STN_2(3, hh, MO_16, MO_16)
 +DO_STN_2(4, hh, MO_16, MO_16)
 -DO_STN_2(1, ss, 4, 4)
 -DO_STN_2(1, sd, 8, 4)
 -DO_STN_2(2, ss, 4, 4)
 -DO_STN_2(3, ss, 4, 4)
 -DO_STN_2(4, ss, 4, 4)
 +DO_STN_2(1, ss, MO_32, MO_32)
 +DO_STN_2(1, sd, MO_64, MO_32)
 +DO_STN_2(2, ss, MO_32, MO_32)
 +DO_STN_2(3, ss, MO_32, MO_32)
 +DO_STN_2(4, ss, MO_32, MO_32)
 -DO_STN_2(1, dd, 8, 8)
 -DO_STN_2(2, dd, 8, 8)
 -DO_STN_2(3, dd, 8, 8)
 -DO_STN_2(4, dd, 8, 8)
 +DO_STN_2(1, dd, MO_64, MO_64)
 +DO_STN_2(2, dd, MO_64, MO_64)
 +DO_STN_2(3, dd, MO_64, MO_64)
 +DO_STN_2(4, dd, MO_64, MO_64)
  #undef DO_STN_1
  #undef DO_STN_2
 --
-.20.1
+.25.1

-[PULL 15/34] target/arm: Drop manual handling of set/clear_helper_retaddr
+[PULL 26/33] hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Since we converted back to cpu_*_data_ra, we do not need to
+When a virtio-iommu is instantiated, describe it using the ACPI VIOT
-do this ourselves.
+table.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20200508154359.7494-9-richard.henderson@linaro.org
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-2-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 38 --------------------------------------
+ hw/arm/virt-acpi-build.c | 7 +++++++
-file changed, 38 deletions(-)
+ hw/arm/Kconfig           | 1 +
 files changed, 8 insertions(+)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/hw/arm/virt-acpi-build.c
-+++ b/target/arm/sve_helper.c
++++ b/hw/arm/virt-acpi-build.c
-@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
+@@ -XXX,XX +XXX,XX @@
-     return MIN(split, mem_max - mem_off) + mem_off;
+ #include "kvm_arm.h"
- }
+ #include "migration/vmstate.h"
+ #include "hw/acpi/ghes.h"
--#ifndef CONFIG_USER_ONLY
++#include "hw/acpi/viot.h"
--/* These are normally defined only for CONFIG_USER_ONLY in <exec/cpu_ldst.h> */
--static inline void set_helper_retaddr(uintptr_t ra) { }
+ #define ARM_SPI_BASE 32
--static inline void clear_helper_retaddr(void) { }
--#endif
+@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
 -
  /*
   * The result of tlb_vaddr_to_host for user-only is just g2h(x),
   * which is always non-null.  Elide the useless test.
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
          return;
      }
      mem_off = reg_off >> diffsz;
 -    set_helper_retaddr(retaddr);
      /*
       * If the (remaining) load is entirely within a single page, then:
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
          if (test_host_page(host)) {
              mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
              tcg_debug_assert(mem_off == mem_max);
 -            clear_helper_retaddr();
              /* After having taken any fault, zero leading inactive elements. */
              swap_memzero(vd, reg_off);
              return;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
      }
  #endif
--    clear_helper_retaddr();
++    if (vms->iommu == VIRT_IOMMU_VIRTIO) {
-     memcpy(vd, &scratch, reg_max);
++        acpi_add_table(table_offsets, tables_blob);
- }
++        build_viot(ms, tables_blob, tables->linker, vms->virtio_iommu_bdf,
++                   vms->oem_id, vms->oem_table_id);
-@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
++    }
-     intptr_t i, oprsz = simd_oprsz(desc);
++
-     ARMVectorReg scratch[2] = { };
+     /* XSDT is pointed to by RSDP */
+     xsdt = tables_blob->len;
--    set_helper_retaddr(ra);
+     build_xsdt(tables_blob, tables->linker, table_offsets, vms->oem_id,
-     for (i = 0; i < oprsz; ) {
+diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
-         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+index XXXXXXX..XXXXXXX 100644
-         do {
+--- a/hw/arm/Kconfig
-@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
++++ b/hw/arm/Kconfig
-             addr += 2 * size;
+@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
-         } while (i & 15);
+     select DIMM
-     }
+     select ACPI_HW_REDUCED
--    clear_helper_retaddr();
+     select ACPI_APEI
++    select ACPI_VIOT
-     /* Wait until all exceptions have been raised to write back.  */
-     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
+ config CHEETAH
-@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
+     bool
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch[3] = { };
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += 3 * size;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
      /* Wait until all exceptions have been raised to write back.  */
      memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch[4] = { };
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += 4 * size;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
      /* Wait until all exceptions have been raised to write back.  */
      memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
          return;
      }
      mem_off = reg_off >> diffsz;
 -    set_helper_retaddr(retaddr);
      /*
       * If the (remaining) load is entirely within a single page, then:
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
          if (test_host_page(host)) {
              mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
              tcg_debug_assert(mem_off == mem_max);
 -            clear_helper_retaddr();
              /* After any fault, zero any leading inactive elements.  */
              swap_memzero(vd, reg_off);
              return;
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      }
  #endif
 -    clear_helper_retaddr();
      record_fault(env, reg_off, reg_max);
  }
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
      intptr_t i, oprsz = simd_oprsz(desc);
      void *vd = &env->vfp.zregs[rd];
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += msize;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
  }
  static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
      void *d1 = &env->vfp.zregs[rd];
      void *d2 = &env->vfp.zregs[(rd + 1) & 31];
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += 2 * msize;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
  }
  static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
      void *d2 = &env->vfp.zregs[(rd + 1) & 31];
      void *d3 = &env->vfp.zregs[(rd + 2) & 31];
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += 3 * msize;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
  }
  static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
      void *d3 = &env->vfp.zregs[(rd + 2) & 31];
      void *d4 = &env->vfp.zregs[(rd + 3) & 31];
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
              addr += 4 * msize;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
  }
  #define DO_STN_1(N, NAME, ESIZE) \
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
      intptr_t i, oprsz = simd_oprsz(desc);
      ARMVectorReg scratch = { };
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
              i += 4, pg >>= 4;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
      /* Wait until all exceptions have been raised to write back.  */
      memcpy(vd, &scratch, oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
      intptr_t i, oprsz = simd_oprsz(desc) / 8;
      ARMVectorReg scratch = { };
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; i++) {
          uint8_t pg = *(uint8_t *)(vg + H1(i));
          if (likely(pg & 1)) {
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
              tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
          }
      }
 -    clear_helper_retaddr();
      /* Wait until all exceptions have been raised to write back.  */
      memcpy(vd, &scratch, oprsz * 8);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
      reg_off = find_next_active(vg, 0, reg_max, MO_32);
      if (likely(reg_off < reg_max)) {
          /* Perform one normal read, which will fault or not.  */
 -        set_helper_retaddr(ra);
          addr = off_fn(vm, reg_off);
          addr = base + (addr << scale);
          tlb_fn(env, vd, reg_off, addr, ra);
          /* The rest of the reads will be non-faulting.  */
 -        clear_helper_retaddr();
      }
      /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
      reg_off = find_next_active(vg, 0, reg_max, MO_64);
      if (likely(reg_off < reg_max)) {
          /* Perform one normal read, which will fault or not.  */
 -        set_helper_retaddr(ra);
          addr = off_fn(vm, reg_off);
          addr = base + (addr << scale);
          tlb_fn(env, vd, reg_off, addr, ra);
          /* The rest of the reads will be non-faulting.  */
 -        clear_helper_retaddr();
      }
      /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc);
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; ) {
          uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
          do {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
              i += 4, pg >>= 4;
          } while (i & 15);
      }
 -    clear_helper_retaddr();
  }
  static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
      intptr_t i, oprsz = simd_oprsz(desc) / 8;
 -    set_helper_retaddr(ra);
      for (i = 0; i < oprsz; i++) {
          uint8_t pg = *(uint8_t *)(vg + H1(i));
          if (likely(pg & 1)) {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
              tlb_fn(env, vd, i * 8, base + (off << scale), ra);
          }
      }
 -    clear_helper_retaddr();
  }
  #define DO_ST1_ZPZ_S(MEM, OFS) \
 --
-.20.1
+.25.1

-[PULL 21/34] target/arm: Update contiguous first-fault and no-fault loads
+[PULL 27/33] hw/arm/virt: Remove device tree restriction for virtio-iommu
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-With sve_cont_ldst_pages, the differences between first-fault and no-fault
+virtio-iommu is now supported with ACPI VIOT as well as device tree.
-are minimal, so unify the routines.  With cpu_probe_watchpoint, we are able
+Remove the restriction that prevents from instantiating a virtio-iommu
-to make progress through pages with TLB_WATCHPOINT set when the watchpoint
+device under ACPI.
 does not actually fire.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Acked-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20200508154359.7494-15-richard.henderson@linaro.org
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-3-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 346 +++++++++++++++++++---------------------
+ hw/arm/virt.c                | 10 ++--------
-file changed, 162 insertions(+), 184 deletions(-)
+ hw/virtio/virtio-iommu-pci.c | 12 ++----------
 files changed, 4 insertions(+), 18 deletions(-)
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/hw/arm/virt.c
-+++ b/target/arm/sve_helper.c
++++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static intptr_t find_next_active(uint64_t *vg, intptr_t reg_off,
+@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
-     return reg_off;
+     MachineClass *mc = MACHINE_GET_CLASS(machine);
      if (device_is_dynamic_sysbus(mc, dev) ||
 -       (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
 +        object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM) ||
 +        object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
          return HOTPLUG_HANDLER(machine);
      }
 -    if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
 -        VirtMachineState *vms = VIRT_MACHINE(machine);
 -
 -        if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
 -            return HOTPLUG_HANDLER(machine);
 -        }
 -    }
      return NULL;
  }
--/*
+diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
-- * Return the maximum offset <= @mem_max which is still within the page
+index XXXXXXX..XXXXXXX 100644
-- * referenced by @base + @mem_off.
+--- a/hw/virtio/virtio-iommu-pci.c
-- */
++++ b/hw/virtio/virtio-iommu-pci.c
--static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
+@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
--                             intptr_t mem_max)
+     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
--{
--    target_ulong addr = base + mem_off;
+     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
--    intptr_t split = -(intptr_t)(addr | TARGET_PAGE_MASK);
+-        MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
 -    return MIN(split, mem_max - mem_off) + mem_off;
 -}
 -
- /*
+-        error_setg(errp,
-  * Resolve the guest virtual address to info->host and info->flags.
+-                   "%s machine fails to create iommu-map device tree bindings",
-  * If @nofault, return false if the page is invalid, otherwise
+-                   mc->name);
-@@ -XXX,XX +XXX,XX @@ static void sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env,
+-        error_append_hint(errp,
- #endif
+-                          "Check your machine implements a hotplug handler "
- }
+-                          "for the virtio-iommu-pci device\n");
+-        error_append_hint(errp, "Check the guest is booted without FW or with "
--/*
+-                          "-no-acpi\n");
-- * The result of tlb_vaddr_to_host for user-only is just g2h(x),
++        error_setg(errp, "Check your machine implements a hotplug handler "
-- * which is always non-null.  Elide the useless test.
++                         "for the virtio-iommu-pci device");
 - */
 -static inline bool test_host_page(void *host)
 -{
 -#ifdef CONFIG_USER_ONLY
 -    return true;
 -#else
 -    return likely(host != NULL);
 -#endif
 -}
 -
  /*
   * Common helper for all contiguous 1,2,3,4-register predicated stores.
   */
@@ -XXX,XX +XXX,XX @@ static void record_fault(CPUARMState *env, uintptr_t i, uintptr_t oprsz)
  }
  /*
 - * Common helper for all contiguous first-fault loads.
 + * Common helper for all contiguous no-fault and first-fault loads.
   */
 -static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
 -                        uint32_t desc, const uintptr_t retaddr,
 -                        const int esz, const int msz,
 -                        sve_ldst1_host_fn *host_fn,
 -                        sve_ldst1_tlb_fn *tlb_fn)
 +static inline QEMU_ALWAYS_INLINE
 +void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
 +                   uint32_t desc, const uintptr_t retaddr,
 +                   const int esz, const int msz, const SVEContFault fault,
 +                   sve_ldst1_host_fn *host_fn,
 +                   sve_ldst1_tlb_fn *tlb_fn)
  {
 -    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
 -    const int mmu_idx = get_mmuidx(oi);
      const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
      void *vd = &env->vfp.zregs[rd];
 -    const int diffsz = esz - msz;
      const intptr_t reg_max = simd_oprsz(desc);
 -    const intptr_t mem_max = reg_max >> diffsz;
 -    intptr_t split, reg_off, mem_off, i;
 +    intptr_t reg_off, mem_off, reg_last;
 +    SVEContLdSt info;
 +    int flags;
      void *host;
 -    /* Skip to the first active element.  */
 -    reg_off = find_next_active(vg, 0, reg_max, esz);
 -    if (unlikely(reg_off == reg_max)) {
 +    /* Find the active elements.  */
 +    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
          /* The entire predicate was false; no load occurs.  */
          memset(vd, 0, reg_max);
          return;
      }
--    mem_off = reg_off >> diffsz;
+     for (int i = 0; i < s->nb_reserved_regions; i++) {
 +    reg_off = info.reg_off_first[0];
 -    /*
 -     * If the (remaining) load is entirely within a single page, then:
 -     * For softmmu, and the tlb hits, then no faults will occur;
 -     * For user-only, either the first load will fault or none will.
 -     * We can thus perform the load directly to the destination and
 -     * Vd will be unmodified on any exception path.
 -     */
 -    split = max_for_page(addr, mem_off, mem_max);
 -    if (likely(split == mem_max)) {
 -        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
 -        if (test_host_page(host)) {
 -            i = reg_off;
 -            host -= mem_off;
 -            do {
 -                host_fn(vd, i, host + (i >> diffsz));
 -                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
 -            } while (i < reg_max);
 -            /* After any fault, zero any leading inactive elements.  */
 +    /* Probe the page(s). */
 +    if (!sve_cont_ldst_pages(&info, fault, env, addr, MMU_DATA_LOAD, retaddr)) {
 +        /* Fault on first element. */
 +        tcg_debug_assert(fault == FAULT_NO);
 +        memset(vd, 0, reg_max);
 +        goto do_fault;
 +    }
 +
 +    mem_off = info.mem_off_first[0];
 +    flags = info.page[0].flags;
 +
 +    if (fault == FAULT_FIRST) {
 +        /*
 +         * Special handling of the first active element,
 +         * if it crosses a page boundary or is MMIO.
 +         */
 +        bool is_split = mem_off == info.mem_off_split;
 +        /* TODO: MTE check. */
 +        if (unlikely(flags != 0) || unlikely(is_split)) {
 +            /*
 +             * Use the slow path for cross-page handling.
 +             * Might trap for MMIO or watchpoints.
 +             */
 +            tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
 +
 +            /* After any fault, zero the other elements. */
              swap_memzero(vd, reg_off);
 -            return;
 +            reg_off += 1 << esz;
 +            mem_off += 1 << msz;
 +            swap_memzero(vd + reg_off, reg_max - reg_off);
 +
 +            if (is_split) {
 +                goto second_page;
 +            }
 +        } else {
 +            memset(vd, 0, reg_max);
 +        }
 +    } else {
 +        memset(vd, 0, reg_max);
 +        if (unlikely(mem_off == info.mem_off_split)) {
 +            /* The first active element crosses a page boundary. */
 +            flags |= info.page[1].flags;
 +            if (unlikely(flags & TLB_MMIO)) {
 +                /* Some page is MMIO, see below. */
 +                goto do_fault;
 +            }
 +            if (unlikely(flags & TLB_WATCHPOINT) &&
 +                (cpu_watchpoint_address_matches
 +                 (env_cpu(env), addr + mem_off, 1 << msz)
 +                 & BP_MEM_READ)) {
 +                /* Watchpoint hit, see below. */
 +                goto do_fault;
 +            }
 +            /* TODO: MTE check. */
 +            /*
 +             * Use the slow path for cross-page handling.
 +             * This is RAM, without a watchpoint, and will not trap.
 +             */
 +            tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
 +            goto second_page;
          }
      }
      /*
 -     * Perform one normal read, which will fault or not.
 -     * But it is likely to bring the page into the tlb.
 +     * From this point on, all memory operations are MemSingleNF.
 +     *
 +     * Per the MemSingleNF pseudocode, a no-fault load from Device memory
 +     * must not actually hit the bus -- it returns (UNKNOWN, FAULT) instead.
 +     *
 +     * Unfortuately we do not have access to the memory attributes from the
 +     * PTE to tell Device memory from Normal memory.  So we make a mostly
 +     * correct check, and indicate (UNKNOWN, FAULT) for any MMIO.
 +     * This gives the right answer for the common cases of "Normal memory,
 +     * backed by host RAM" and "Device memory, backed by MMIO".
 +     * The architecture allows us to suppress an NF load and return
 +     * (UNKNOWN, FAULT) for any reason, so our behaviour for the corner
 +     * case of "Normal memory, backed by MMIO" is permitted.  The case we
 +     * get wrong is "Device memory, backed by host RAM", for which we
 +     * should return (UNKNOWN, FAULT) for but do not.
 +     *
 +     * Similarly, CPU_BP breakpoints would raise exceptions, and so
 +     * return (UNKNOWN, FAULT).  For simplicity, we consider gdb and
 +     * architectural breakpoints the same.
       */
 -    tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
 +    if (unlikely(flags & TLB_MMIO)) {
 +        goto do_fault;
 +    }
 -    /* After any fault, zero any leading predicated false elts.  */
 -    swap_memzero(vd, reg_off);
 -    mem_off += 1 << msz;
 -    reg_off += 1 << esz;
 +    reg_last = info.reg_off_last[0];
 +    host = info.page[0].host;
 -    /* Try again to read the balance of the page.  */
 -    split = max_for_page(addr, mem_off - 1, mem_max);
 -    if (split >= (1 << msz)) {
 -        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
 -        if (host) {
 -            host -= mem_off;
 -            do {
 +    do {
 +        uint64_t pg = *(uint64_t *)(vg + (reg_off >> 3));
 +        do {
 +            if ((pg >> (reg_off & 63)) & 1) {
 +                if (unlikely(flags & TLB_WATCHPOINT) &&
 +                    (cpu_watchpoint_address_matches
 +                     (env_cpu(env), addr + mem_off, 1 << msz)
 +                     & BP_MEM_READ)) {
 +                    goto do_fault;
 +                }
 +                /* TODO: MTE check. */
                  host_fn(vd, reg_off, host + mem_off);
 -                reg_off += 1 << esz;
 -                reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -                mem_off = reg_off >> diffsz;
 -            } while (split - mem_off >= (1 << msz));
 -        }
 -    }
 -
 -    record_fault(env, reg_off, reg_max);
 -}
 -
 -/*
 - * Common helper for all contiguous no-fault loads.
 - */
 -static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
 -                        uint32_t desc, const int esz, const int msz,
 -                        sve_ldst1_host_fn *host_fn)
 -{
 -    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
 -    void *vd = &env->vfp.zregs[rd];
 -    const int diffsz = esz - msz;
 -    const intptr_t reg_max = simd_oprsz(desc);
 -    const intptr_t mem_max = reg_max >> diffsz;
 -    const int mmu_idx = cpu_mmu_index(env, false);
 -    intptr_t split, reg_off, mem_off;
 -    void *host;
 -
 -#ifdef CONFIG_USER_ONLY
 -    host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);
 -    if (likely(page_check_range(addr, mem_max, PAGE_READ) == 0)) {
 -        /* The entire operation is valid and will not fault.  */
 -        reg_off = 0;
 -        do {
 -            mem_off = reg_off >> diffsz;
 -            host_fn(vd, reg_off, host + mem_off);
 +            }
              reg_off += 1 << esz;
 -            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -        } while (reg_off < reg_max);
 -        return;
 -    }
 -#endif
 +            mem_off += 1 << msz;
 +        } while (reg_off <= reg_last && (reg_off & 63));
 +    } while (reg_off <= reg_last);
 -    /* There will be no fault, so we may modify in advance.  */
 -    memset(vd, 0, reg_max);
 -
 -    /* Skip to the first active element.  */
 -    reg_off = find_next_active(vg, 0, reg_max, esz);
 -    if (unlikely(reg_off == reg_max)) {
 -        /* The entire predicate was false; no load occurs.  */
 -        return;
 -    }
 -    mem_off = reg_off >> diffsz;
 -
 -#ifdef CONFIG_USER_ONLY
 -    if (page_check_range(addr + mem_off, 1 << msz, PAGE_READ) == 0) {
 -        /* At least one load is valid; take the rest of the page.  */
 -        split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
 -        do {
 -            host_fn(vd, reg_off, host + mem_off);
 -            reg_off += 1 << esz;
 -            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -            mem_off = reg_off >> diffsz;
 -        } while (split - mem_off >= (1 << msz));
 -    }
 -#else
      /*
 -     * If the address is not in the TLB, we have no way to bring the
 -     * entry into the TLB without also risking a fault.  Note that
 -     * the corollary is that we never load from an address not in RAM.
 -     *
 -     * This last is out of spec, in a weird corner case.
 -     * Per the MemNF/MemSingleNF pseudocode, a NF load from Device memory
 -     * must not actually hit the bus -- it returns UNKNOWN data instead.
 -     * But if you map non-RAM with Normal memory attributes and do a NF
 -     * load then it should access the bus.  (Nobody ought actually do this
 -     * in the real world, obviously.)
 -     *
 -     * Then there are the annoying special cases with watchpoints...
 -     * TODO: Add a form of non-faulting loads using cc->tlb_fill(probe=true).
 +     * MemSingleNF is allowed to fail for any reason.  We have special
 +     * code above to handle the first element crossing a page boundary.
 +     * As an implementation choice, decline to handle a cross-page element
 +     * in any other position.
       */
 -    host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
 -    split = max_for_page(addr, mem_off, mem_max);
 -    if (host && split >= (1 << msz)) {
 -        host -= mem_off;
 -        do {
 -            host_fn(vd, reg_off, host + mem_off);
 -            reg_off += 1 << esz;
 -            reg_off = find_next_active(vg, reg_off, reg_max, esz);
 -            mem_off = reg_off >> diffsz;
 -        } while (split - mem_off >= (1 << msz));
 +    reg_off = info.reg_off_split;
 +    if (reg_off >= 0) {
 +        goto do_fault;
      }
 -#endif
 + second_page:
 +    reg_off = info.reg_off_first[1];
 +    if (likely(reg_off < 0)) {
 +        /* No active elements on the second page.  All done. */
 +        return;
 +    }
 +
 +    /*
 +     * MemSingleNF is allowed to fail for any reason.  As an implementation
 +     * choice, decline to handle elements on the second page.  This should
 +     * be low frequency as the guest walks through memory -- the next
 +     * iteration of the guest's loop should be aligned on the page boundary,
 +     * and then all following iterations will stay aligned.
 +     */
 +
 + do_fault:
      record_fault(env, reg_off, reg_max);
  }
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
  void HELPER(sve_ldff1##PART##_r)(CPUARMState *env, void *vg,            \
                                   target_ulong addr, uint32_t desc)      \
  {                                                                       \
 -    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, 0,                   \
 -                sve_ld1##PART##_host, sve_ld1##PART##_tlb);             \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, FAULT_FIRST, \
 +                  sve_ld1##PART##_host, sve_ld1##PART##_tlb);           \
  }                                                                       \
  void HELPER(sve_ldnf1##PART##_r)(CPUARMState *env, void *vg,            \
                                   target_ulong addr, uint32_t desc)      \
  {                                                                       \
 -    sve_ldnf1_r(env, vg, addr, desc, ESZ, 0, sve_ld1##PART##_host);     \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, FAULT_NO,    \
 +                  sve_ld1##PART##_host, sve_ld1##PART##_tlb);           \
  }
  #define DO_LDFF1_LDNF1_2(PART, ESZ, MSZ) \
  void HELPER(sve_ldff1##PART##_le_r)(CPUARMState *env, void *vg,         \
                                      target_ulong addr, uint32_t desc)   \
  {                                                                       \
 -    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,                 \
 -                sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);       \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_FIRST,  \
 +                  sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);     \
  }                                                                       \
  void HELPER(sve_ldnf1##PART##_le_r)(CPUARMState *env, void *vg,         \
                                      target_ulong addr, uint32_t desc)   \
  {                                                                       \
 -    sve_ldnf1_r(env, vg, addr, desc, ESZ, MSZ, sve_ld1##PART##_le_host); \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_NO,     \
 +                  sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);     \
  }                                                                       \
  void HELPER(sve_ldff1##PART##_be_r)(CPUARMState *env, void *vg,         \
                                      target_ulong addr, uint32_t desc)   \
  {                                                                       \
 -    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,                 \
 -                sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);       \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_FIRST,  \
 +                  sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);     \
  }                                                                       \
  void HELPER(sve_ldnf1##PART##_be_r)(CPUARMState *env, void *vg,         \
                                      target_ulong addr, uint32_t desc)   \
  {                                                                       \
 -    sve_ldnf1_r(env, vg, addr, desc, ESZ, MSZ, sve_ld1##PART##_be_host); \
 +    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_NO,     \
 +                  sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);     \
  }
 -DO_LDFF1_LDNF1_1(bb,  0)
 -DO_LDFF1_LDNF1_1(bhu, 1)
 -DO_LDFF1_LDNF1_1(bhs, 1)
 -DO_LDFF1_LDNF1_1(bsu, 2)
 -DO_LDFF1_LDNF1_1(bss, 2)
 -DO_LDFF1_LDNF1_1(bdu, 3)
 -DO_LDFF1_LDNF1_1(bds, 3)
 +DO_LDFF1_LDNF1_1(bb,  MO_8)
 +DO_LDFF1_LDNF1_1(bhu, MO_16)
 +DO_LDFF1_LDNF1_1(bhs, MO_16)
 +DO_LDFF1_LDNF1_1(bsu, MO_32)
 +DO_LDFF1_LDNF1_1(bss, MO_32)
 +DO_LDFF1_LDNF1_1(bdu, MO_64)
 +DO_LDFF1_LDNF1_1(bds, MO_64)
 -DO_LDFF1_LDNF1_2(hh,  1, 1)
 -DO_LDFF1_LDNF1_2(hsu, 2, 1)
 -DO_LDFF1_LDNF1_2(hss, 2, 1)
 -DO_LDFF1_LDNF1_2(hdu, 3, 1)
 -DO_LDFF1_LDNF1_2(hds, 3, 1)
 +DO_LDFF1_LDNF1_2(hh,  MO_16, MO_16)
 +DO_LDFF1_LDNF1_2(hsu, MO_32, MO_16)
 +DO_LDFF1_LDNF1_2(hss, MO_32, MO_16)
 +DO_LDFF1_LDNF1_2(hdu, MO_64, MO_16)
 +DO_LDFF1_LDNF1_2(hds, MO_64, MO_16)
 -DO_LDFF1_LDNF1_2(ss,  2, 2)
 -DO_LDFF1_LDNF1_2(sdu, 3, 2)
 -DO_LDFF1_LDNF1_2(sds, 3, 2)
 +DO_LDFF1_LDNF1_2(ss,  MO_32, MO_32)
 +DO_LDFF1_LDNF1_2(sdu, MO_64, MO_32)
 +DO_LDFF1_LDNF1_2(sds, MO_64, MO_32)
 -DO_LDFF1_LDNF1_2(dd,  3, 3)
 +DO_LDFF1_LDNF1_2(dd,  MO_64, MO_64)
  #undef DO_LDFF1_LDNF1_1
  #undef DO_LDFF1_LDNF1_2
 --
-.20.1
+.25.1

-[PULL 06/34] hw/timer/nrf51_timer: Display timer ID in trace events
+[PULL 28/33] hw/arm/virt: Reject instantiation of multiple IOMMUs
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-The NRF51 series SoC have 3 timer peripherals, each having
+We do not support instantiating multiple IOMMUs. Before adding a
-counters. To help differentiate which peripheral is accessed,
+virtio-iommu, check that no other IOMMU is present. This will detect
-display the timer ID in the trace events.
+both "iommu=smmuv3" machine parameter and another virtio-iommu instance.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Fixes: 70e89132c9 ("hw/arm/virt: Add the virtio-iommu device tree mappings")
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20200504072822.18799-4-f4bug@amsat.org
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-4-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/timer/nrf51_timer.h |  1 +
+ hw/arm/virt.c | 5 +++++
- hw/arm/nrf51_soc.c             |  5 +++++
+file changed, 5 insertions(+)
  hw/timer/nrf51_timer.c         | 11 +++++++++--
  hw/timer/trace-events          |  4 ++--
 files changed, 17 insertions(+), 4 deletions(-)
-diff --git a/include/hw/timer/nrf51_timer.h b/include/hw/timer/nrf51_timer.h
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/timer/nrf51_timer.h
+--- a/hw/arm/virt.c
-+++ b/include/hw/timer/nrf51_timer.h
++++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ typedef struct NRF51TimerState {
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
-     MemoryRegion iomem;
+         hwaddr db_start = 0, db_end = 0;
-     qemu_irq irq;
+         char *resv_prop_str;
-+    uint8_t id;
++        if (vms->iommu != VIRT_IOMMU_NONE) {
-     QEMUTimer timer;
++            error_setg(errp, "virt machine does not support multiple IOMMUs");
      int64_t timer_start_ns;
      int64_t update_counter_ns;
 diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/nrf51_soc.c
 +++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
      /* TIMER */
      for (i = 0; i < NRF51_NUM_TIMERS; i++) {
 +        object_property_set_uint(OBJECT(&s->timer[i]), i, "id", &err);
 +        if (err) {
 +            error_propagate(errp, err);
 +            return;
 +        }
-         object_property_set_bool(OBJECT(&s->timer[i]), true, "realized", &err);
-         if (err) {
-             error_propagate(errp, err);
-diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/nrf51_timer.c
-+++ b/hw/timer/nrf51_timer.c
-@@ -XXX,XX +XXX,XX @@
- #include "hw/arm/nrf51.h"
- #include "hw/irq.h"
- #include "hw/timer/nrf51_timer.h"
-+#include "hw/qdev-properties.h"
- #include "migration/vmstate.h"
- #include "trace.h"
-@@ -XXX,XX +XXX,XX @@ static uint64_t nrf51_timer_read(void *opaque, hwaddr offset, unsigned int size)
-                       __func__, offset);
-     }
--    trace_nrf51_timer_read(offset, r, size);
-+    trace_nrf51_timer_read(s->id, offset, r, size);
-     return r;
- }
-@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_write(void *opaque, hwaddr offset,
-     uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
-     size_t idx;
--    trace_nrf51_timer_write(offset, value, size);
-+    trace_nrf51_timer_write(s->id, offset, value, size);
-     switch (offset) {
-     case NRF51_TIMER_TASK_START:
-@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nrf51_timer = {
-     }
- };
-+static Property nrf51_timer_properties[] = {
-+    DEFINE_PROP_UINT8("id", NRF51TimerState, id, 0),
-+    DEFINE_PROP_END_OF_LIST(),
-+};
 +
- static void nrf51_timer_class_init(ObjectClass *klass, void *data)
+         switch (vms->msi_controller) {
- {
+         case VIRT_MSI_CTRL_NONE:
-     DeviceClass *dc = DEVICE_CLASS(klass);
+             return;
      dc->reset = nrf51_timer_reset;
      dc->vmsd = &vmstate_nrf51_timer;
 +    device_class_set_props(dc, nrf51_timer_properties);
  }
  static const TypeInfo nrf51_timer_info = {
 diff --git a/hw/timer/trace-events b/hw/timer/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/timer/trace-events
 +++ b/hw/timer/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_write(uint64_t offset, uint64_t data, unsigned size) "CMSDK
  cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
  # nrf51_timer.c
 -nrf51_timer_read(uint64_t addr, uint32_t value, unsigned size) "read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 -nrf51_timer_write(uint64_t addr, uint32_t value, unsigned size) "write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 +nrf51_timer_read(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 +nrf51_timer_write(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
  # bcm2835_systmr.c
  bcm2835_systmr_irq(bool enable) "timer irq state %u"
 --
-.20.1
+.25.1

-[PULL 27/34] target/arm/kvm: Inline set_feature() calls
+[PULL 29/33] hw/arm/virt: Use object_property_set instead of qdev_prop_set
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-We want to move the inlined declarations of set_feature()
+To propagate errors to the caller of the pre_plug callback, use the
-from cpu*.c to cpu.h. To avoid clashing with the KVM
+object_poperty_set*() functions directly instead of the qdev_prop_set*()
-declarations, inline the few KVM calls.
+helpers.
-Suggested-by: Richard Henderson <richard.henderson@linaro.org>
+Suggested-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20200504172448.9402-2-philmd@redhat.com
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-5-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/kvm32.c | 13 ++++---------
+ hw/arm/virt.c | 5 +++--
- target/arm/kvm64.c | 22 ++++++----------------
+file changed, 3 insertions(+), 2 deletions(-)
 files changed, 10 insertions(+), 25 deletions(-)
-diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/kvm32.c
+--- a/hw/arm/virt.c
-+++ b/target/arm/kvm32.c
++++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
- #include "internals.h"
+                                         db_start, db_end,
- #include "qemu/log.h"
+                                         VIRTIO_IOMMU_RESV_MEM_T_MSI);
--static inline void set_feature(uint64_t *features, int feature)
+-        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
--{
+-        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
--    *features |= 1ULL << feature;
++        object_property_set_uint(OBJECT(dev), "len-reserved-regions", 1, errp);
--}
++        object_property_set_str(OBJECT(dev), "reserved-regions[0]",
--
++                                resv_prop_str, errp);
- static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
+         g_free(resv_prop_str);
  {
      struct kvm_one_reg idreg = { .id = id, .addr = (uintptr_t)pret };
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
       * timers; this in turn implies most of the other feature
       * bits, but a few must be tested.
       */
 -    set_feature(&features, ARM_FEATURE_V7VE);
 -    set_feature(&features, ARM_FEATURE_GENERIC_TIMER);
 +    features |= 1ULL << ARM_FEATURE_V7VE;
 +    features |= 1ULL << ARM_FEATURE_GENERIC_TIMER;
      if (extract32(id_pfr0, 12, 4) == 1) {
 -        set_feature(&features, ARM_FEATURE_THUMB2EE);
 +        features |= 1ULL << ARM_FEATURE_THUMB2EE;
      }
      if (extract32(ahcf->isar.mvfr1, 12, 4) == 1) {
 -        set_feature(&features, ARM_FEATURE_NEON);
 +        features |= 1ULL << ARM_FEATURE_NEON;
      }
      ahcf->features = features;
 diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/kvm64.c
 +++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
      }
  }
--static inline void set_feature(uint64_t *features, int feature)
--{
--    *features |= 1ULL << feature;
--}
--
--static inline void unset_feature(uint64_t *features, int feature)
--{
--    *features &= ~(1ULL << feature);
--}
--
- static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
- {
-     uint64_t ret;
-@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
-      * with VFPv4+Neon; this in turn implies most of the other
-      * feature bits.
-      */
--    set_feature(&features, ARM_FEATURE_V8);
--    set_feature(&features, ARM_FEATURE_NEON);
--    set_feature(&features, ARM_FEATURE_AARCH64);
--    set_feature(&features, ARM_FEATURE_PMU);
--    set_feature(&features, ARM_FEATURE_GENERIC_TIMER);
-+    features |= 1ULL << ARM_FEATURE_V8;
-+    features |= 1ULL << ARM_FEATURE_NEON;
-+    features |= 1ULL << ARM_FEATURE_AARCH64;
-+    features |= 1ULL << ARM_FEATURE_PMU;
-+    features |= 1ULL << ARM_FEATURE_GENERIC_TIMER;
-     ahcf->features = features;
-@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
-     if (cpu->has_pmu) {
-         cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PMU_V3;
-     } else {
--        unset_feature(&env->features, ARM_FEATURE_PMU);
-+        env->features &= ~(1ULL << ARM_FEATURE_PMU);
-     }
-     if (cpu_isar_feature(aa64_sve, cpu)) {
-         assert(kvm_arm_sve_supported(cs));
 --
-.20.1
+.25.1

-[PULL 25/34] target/arm: Reuse sve_probe_page for gather loads
+[PULL 30/33] tests/acpi: allow updates of VIOT expected data files
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Create empty data files and allow updates for the upcoming VIOT tests.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200508154359.7494-19-richard.henderson@linaro.org
+Acked-by: Igor Mammedov <imammedo@redhat.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-6-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 208 +++++++++++++++++++++-------------------
+ tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
-file changed, 109 insertions(+), 99 deletions(-)
+ tests/data/acpi/q35/DSDT.viot               | 0
  tests/data/acpi/q35/VIOT.viot               | 0
  tests/data/acpi/virt/VIOT                   | 0
 files changed, 3 insertions(+)
  create mode 100644 tests/data/acpi/q35/DSDT.viot
  create mode 100644 tests/data/acpi/q35/VIOT.viot
  create mode 100644 tests/data/acpi/virt/VIOT
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/target/arm/sve_helper.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ static target_ulong off_zd_d(void *reg, intptr_t reg_ofs)
+@@ -1 +1,4 @@
-     return *(uint64_t *)(reg + reg_ofs);
+ /* List of comma-separated changed AML files to ignore */
- }
++"tests/data/acpi/virt/VIOT",
++"tests/data/acpi/q35/DSDT.viot",
--static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
++"tests/data/acpi/q35/VIOT.viot",
--                       target_ulong base, uint32_t desc, uintptr_t ra,
+diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
--                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
+new file mode 100644
-+static inline QEMU_ALWAYS_INLINE
+index XXXXXXX..XXXXXXX
-+void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
-+               target_ulong base, uint32_t desc, uintptr_t retaddr,
+new file mode 100644
-+               int esize, int msize, zreg_off_fn *off_fn,
+index XXXXXXX..XXXXXXX
-+               sve_ldst1_host_fn *host_fn,
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
-+               sve_ldst1_tlb_fn *tlb_fn)
+new file mode 100644
- {
+index XXXXXXX..XXXXXXX
      const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
 -    intptr_t i, oprsz = simd_oprsz(desc);
 -    ARMVectorReg scratch = { };
 +    const int mmu_idx = cpu_mmu_index(env, false);
 +    const intptr_t reg_max = simd_oprsz(desc);
 +    ARMVectorReg scratch;
 +    intptr_t reg_off;
 +    SVEHostPage info, info2;
 -    for (i = 0; i < oprsz; ) {
 -        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
 +    memset(&scratch, 0, reg_max);
 +    reg_off = 0;
 +    do {
 +        uint64_t pg = vg[reg_off >> 6];
          do {
              if (likely(pg & 1)) {
 -                target_ulong off = off_fn(vm, i);
 -                tlb_fn(env, &scratch, i, base + (off << scale), ra);
 +                target_ulong addr = base + (off_fn(vm, reg_off) << scale);
 +                target_ulong in_page = -(addr | TARGET_PAGE_MASK);
 +
 +                sve_probe_page(&info, false, env, addr, 0, MMU_DATA_LOAD,
 +                               mmu_idx, retaddr);
 +
 +                if (likely(in_page >= msize)) {
 +                    if (unlikely(info.flags & TLB_WATCHPOINT)) {
 +                        cpu_check_watchpoint(env_cpu(env), addr, msize,
 +                                             info.attrs, BP_MEM_READ, retaddr);
 +                    }
 +                    /* TODO: MTE check */
 +                    host_fn(&scratch, reg_off, info.host);
 +                } else {
 +                    /* Element crosses the page boundary. */
 +                    sve_probe_page(&info2, false, env, addr + in_page, 0,
 +                                   MMU_DATA_LOAD, mmu_idx, retaddr);
 +                    if (unlikely((info.flags | info2.flags) & TLB_WATCHPOINT)) {
 +                        cpu_check_watchpoint(env_cpu(env), addr,
 +                                             msize, info.attrs,
 +                                             BP_MEM_READ, retaddr);
 +                    }
 +                    /* TODO: MTE check */
 +                    tlb_fn(env, &scratch, reg_off, addr, retaddr);
 +                }
              }
 -            i += 4, pg >>= 4;
 -        } while (i & 15);
 -    }
 +            reg_off += esize;
 +            pg >>= esize;
 +        } while (reg_off & 63);
 +    } while (reg_off < reg_max);
      /* Wait until all exceptions have been raised to write back.  */
 -    memcpy(vd, &scratch, oprsz);
 +    memcpy(vd, &scratch, reg_max);
  }
 -static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
 -                       target_ulong base, uint32_t desc, uintptr_t ra,
 -                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
 -{
 -    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
 -    intptr_t i, oprsz = simd_oprsz(desc) / 8;
 -    ARMVectorReg scratch = { };
 -
 -    for (i = 0; i < oprsz; i++) {
 -        uint8_t pg = *(uint8_t *)(vg + H1(i));
 -        if (likely(pg & 1)) {
 -            target_ulong off = off_fn(vm, i * 8);
 -            tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
 -        }
 -    }
 -
 -    /* Wait until all exceptions have been raised to write back.  */
 -    memcpy(vd, &scratch, oprsz * 8);
 +#define DO_LD1_ZPZ_S(MEM, OFS, MSZ) \
 +void HELPER(sve_ld##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                 void *vm, target_ulong base, uint32_t desc) \
 +{                                                                            \
 +    sve_ld1_z(env, vd, vg, vm, base, desc, GETPC(), 4, 1 << MSZ,             \
 +              off_##OFS##_s, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
  }
 -#define DO_LD1_ZPZ_S(MEM, OFS) \
 -void QEMU_FLATTEN HELPER(sve_ld##MEM##_##OFS) \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,         \
 -     target_ulong base, uint32_t desc)                       \
 -{                                                            \
 -    sve_ld1_zs(env, vd, vg, vm, base, desc, GETPC(),         \
 -              off_##OFS##_s, sve_ld1##MEM##_tlb);            \
 +#define DO_LD1_ZPZ_D(MEM, OFS, MSZ) \
 +void HELPER(sve_ld##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                 void *vm, target_ulong base, uint32_t desc) \
 +{                                                                            \
 +    sve_ld1_z(env, vd, vg, vm, base, desc, GETPC(), 8, 1 << MSZ,             \
 +              off_##OFS##_d, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
  }
 -#define DO_LD1_ZPZ_D(MEM, OFS) \
 -void QEMU_FLATTEN HELPER(sve_ld##MEM##_##OFS) \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,         \
 -     target_ulong base, uint32_t desc)                       \
 -{                                                            \
 -    sve_ld1_zd(env, vd, vg, vm, base, desc, GETPC(),         \
 -               off_##OFS##_d, sve_ld1##MEM##_tlb);           \
 -}
 +DO_LD1_ZPZ_S(bsu, zsu, MO_8)
 +DO_LD1_ZPZ_S(bsu, zss, MO_8)
 +DO_LD1_ZPZ_D(bdu, zsu, MO_8)
 +DO_LD1_ZPZ_D(bdu, zss, MO_8)
 +DO_LD1_ZPZ_D(bdu, zd, MO_8)
 -DO_LD1_ZPZ_S(bsu, zsu)
 -DO_LD1_ZPZ_S(bsu, zss)
 -DO_LD1_ZPZ_D(bdu, zsu)
 -DO_LD1_ZPZ_D(bdu, zss)
 -DO_LD1_ZPZ_D(bdu, zd)
 +DO_LD1_ZPZ_S(bss, zsu, MO_8)
 +DO_LD1_ZPZ_S(bss, zss, MO_8)
 +DO_LD1_ZPZ_D(bds, zsu, MO_8)
 +DO_LD1_ZPZ_D(bds, zss, MO_8)
 +DO_LD1_ZPZ_D(bds, zd, MO_8)
 -DO_LD1_ZPZ_S(bss, zsu)
 -DO_LD1_ZPZ_S(bss, zss)
 -DO_LD1_ZPZ_D(bds, zsu)
 -DO_LD1_ZPZ_D(bds, zss)
 -DO_LD1_ZPZ_D(bds, zd)
 +DO_LD1_ZPZ_S(hsu_le, zsu, MO_16)
 +DO_LD1_ZPZ_S(hsu_le, zss, MO_16)
 +DO_LD1_ZPZ_D(hdu_le, zsu, MO_16)
 +DO_LD1_ZPZ_D(hdu_le, zss, MO_16)
 +DO_LD1_ZPZ_D(hdu_le, zd, MO_16)
 -DO_LD1_ZPZ_S(hsu_le, zsu)
 -DO_LD1_ZPZ_S(hsu_le, zss)
 -DO_LD1_ZPZ_D(hdu_le, zsu)
 -DO_LD1_ZPZ_D(hdu_le, zss)
 -DO_LD1_ZPZ_D(hdu_le, zd)
 +DO_LD1_ZPZ_S(hsu_be, zsu, MO_16)
 +DO_LD1_ZPZ_S(hsu_be, zss, MO_16)
 +DO_LD1_ZPZ_D(hdu_be, zsu, MO_16)
 +DO_LD1_ZPZ_D(hdu_be, zss, MO_16)
 +DO_LD1_ZPZ_D(hdu_be, zd, MO_16)
 -DO_LD1_ZPZ_S(hsu_be, zsu)
 -DO_LD1_ZPZ_S(hsu_be, zss)
 -DO_LD1_ZPZ_D(hdu_be, zsu)
 -DO_LD1_ZPZ_D(hdu_be, zss)
 -DO_LD1_ZPZ_D(hdu_be, zd)
 +DO_LD1_ZPZ_S(hss_le, zsu, MO_16)
 +DO_LD1_ZPZ_S(hss_le, zss, MO_16)
 +DO_LD1_ZPZ_D(hds_le, zsu, MO_16)
 +DO_LD1_ZPZ_D(hds_le, zss, MO_16)
 +DO_LD1_ZPZ_D(hds_le, zd, MO_16)
 -DO_LD1_ZPZ_S(hss_le, zsu)
 -DO_LD1_ZPZ_S(hss_le, zss)
 -DO_LD1_ZPZ_D(hds_le, zsu)
 -DO_LD1_ZPZ_D(hds_le, zss)
 -DO_LD1_ZPZ_D(hds_le, zd)
 +DO_LD1_ZPZ_S(hss_be, zsu, MO_16)
 +DO_LD1_ZPZ_S(hss_be, zss, MO_16)
 +DO_LD1_ZPZ_D(hds_be, zsu, MO_16)
 +DO_LD1_ZPZ_D(hds_be, zss, MO_16)
 +DO_LD1_ZPZ_D(hds_be, zd, MO_16)
 -DO_LD1_ZPZ_S(hss_be, zsu)
 -DO_LD1_ZPZ_S(hss_be, zss)
 -DO_LD1_ZPZ_D(hds_be, zsu)
 -DO_LD1_ZPZ_D(hds_be, zss)
 -DO_LD1_ZPZ_D(hds_be, zd)
 +DO_LD1_ZPZ_S(ss_le, zsu, MO_32)
 +DO_LD1_ZPZ_S(ss_le, zss, MO_32)
 +DO_LD1_ZPZ_D(sdu_le, zsu, MO_32)
 +DO_LD1_ZPZ_D(sdu_le, zss, MO_32)
 +DO_LD1_ZPZ_D(sdu_le, zd, MO_32)
 -DO_LD1_ZPZ_S(ss_le, zsu)
 -DO_LD1_ZPZ_S(ss_le, zss)
 -DO_LD1_ZPZ_D(sdu_le, zsu)
 -DO_LD1_ZPZ_D(sdu_le, zss)
 -DO_LD1_ZPZ_D(sdu_le, zd)
 +DO_LD1_ZPZ_S(ss_be, zsu, MO_32)
 +DO_LD1_ZPZ_S(ss_be, zss, MO_32)
 +DO_LD1_ZPZ_D(sdu_be, zsu, MO_32)
 +DO_LD1_ZPZ_D(sdu_be, zss, MO_32)
 +DO_LD1_ZPZ_D(sdu_be, zd, MO_32)
 -DO_LD1_ZPZ_S(ss_be, zsu)
 -DO_LD1_ZPZ_S(ss_be, zss)
 -DO_LD1_ZPZ_D(sdu_be, zsu)
 -DO_LD1_ZPZ_D(sdu_be, zss)
 -DO_LD1_ZPZ_D(sdu_be, zd)
 +DO_LD1_ZPZ_D(sds_le, zsu, MO_32)
 +DO_LD1_ZPZ_D(sds_le, zss, MO_32)
 +DO_LD1_ZPZ_D(sds_le, zd, MO_32)
 -DO_LD1_ZPZ_D(sds_le, zsu)
 -DO_LD1_ZPZ_D(sds_le, zss)
 -DO_LD1_ZPZ_D(sds_le, zd)
 +DO_LD1_ZPZ_D(sds_be, zsu, MO_32)
 +DO_LD1_ZPZ_D(sds_be, zss, MO_32)
 +DO_LD1_ZPZ_D(sds_be, zd, MO_32)
 -DO_LD1_ZPZ_D(sds_be, zsu)
 -DO_LD1_ZPZ_D(sds_be, zss)
 -DO_LD1_ZPZ_D(sds_be, zd)
 +DO_LD1_ZPZ_D(dd_le, zsu, MO_64)
 +DO_LD1_ZPZ_D(dd_le, zss, MO_64)
 +DO_LD1_ZPZ_D(dd_le, zd, MO_64)
 -DO_LD1_ZPZ_D(dd_le, zsu)
 -DO_LD1_ZPZ_D(dd_le, zss)
 -DO_LD1_ZPZ_D(dd_le, zd)
 -
 -DO_LD1_ZPZ_D(dd_be, zsu)
 -DO_LD1_ZPZ_D(dd_be, zss)
 -DO_LD1_ZPZ_D(dd_be, zd)
 +DO_LD1_ZPZ_D(dd_be, zsu, MO_64)
 +DO_LD1_ZPZ_D(dd_be, zss, MO_64)
 +DO_LD1_ZPZ_D(dd_be, zd, MO_64)
  #undef DO_LD1_ZPZ_S
  #undef DO_LD1_ZPZ_D
 --
-.20.1
+.25.1

-[PULL 13/34] accel/tcg: Add endian-specific cpu_{ld, st}* operations
+[PULL 31/33] tests/acpi: add test case for VIOT
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-We currently have target-endian versions of these operations,
+Add two test cases for VIOT, one on the q35 machine and the other on
-but no easy way to force a specific endianness.  This can be
+virt. To test complex topologies the q35 test has two PCIe buses that
-helpful if the target has endian-specific operations, or a mode
+bypass the IOMMU (and are therefore not described by VIOT), and two
-that swaps endianness.
+buses that are translated by virtio-iommu.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20200508154359.7494-7-richard.henderson@linaro.org
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-7-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/devel/loads-stores.rst |  39 +++--
+ tests/qtest/bios-tables-test.c | 38 ++++++++++++++++++++++++++++++++++
- include/exec/cpu_ldst.h     | 283 +++++++++++++++++++++++++++---------
+file changed, 38 insertions(+)
  accel/tcg/cputlb.c          | 236 ++++++++++++++++++++++--------
  accel/tcg/user-exec.c       | 211 ++++++++++++++++++++++-----
 files changed, 587 insertions(+), 182 deletions(-)
-diff --git a/docs/devel/loads-stores.rst b/docs/devel/loads-stores.rst
+diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/devel/loads-stores.rst
+--- a/tests/qtest/bios-tables-test.c
-+++ b/docs/devel/loads-stores.rst
++++ b/tests/qtest/bios-tables-test.c
-@@ -XXX,XX +XXX,XX @@ function, which is a return address into the generated code.
+@@ -XXX,XX +XXX,XX @@ static void test_acpi_virt_tcg(void)
+     free_test_data(&data);
- Function names follow the pattern:
+ }
--load: ``cpu_ld{sign}{size}_mmuidx_ra(env, ptr, mmuidx, retaddr)``
++static void test_acpi_q35_viot(void)
-+load: ``cpu_ld{sign}{size}{end}_mmuidx_ra(env, ptr, mmuidx, retaddr)``
++{
++    test_data data = {
--store: ``cpu_st{size}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
++        .machine = MACHINE_Q35,
-+store: ``cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
++        .variant = ".viot",
++    };
  ``sign``
   - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
   - ``l`` : 32 bits
   - ``q`` : 64 bits
 +``end``
 + - (empty) : for target endian, or 8 bit sizes
 + - ``_be`` : big endian
 + - ``_le`` : little endian
 +
- Regexes for git grep:
++    /*
-- - ``\<cpu_ld[us]\?[bwlq]_mmuidx_ra\>``
++     * To keep things interesting, two buses bypass the IOMMU.
-- - ``\<cpu_st[bwlq]_mmuidx_ra\>``
++     * VIOT should only describes the other two buses.
-+ - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_mmuidx_ra\>``
++     */
-+ - ``\<cpu_st[bwlq](_[bl]e)\?_mmuidx_ra\>``
++    test_acpi_one("-machine default_bus_bypass_iommu=on "
++                  "-device virtio-iommu-pci "
- ``cpu_{ld,st}*_data_ra``
++                  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
- ~~~~~~~~~~~~~~~~~~~~~~~~
++                  "-device pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
-@@ -XXX,XX +XXX,XX @@ be performed with a context other than the default.
++                  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
++                  &data);
- Function names follow the pattern:
++    free_test_data(&data);
 -load: ``cpu_ld{sign}{size}_data_ra(env, ptr, ra)``
 +load: ``cpu_ld{sign}{size}{end}_data_ra(env, ptr, ra)``
 -store: ``cpu_st{size}_data_ra(env, ptr, val, ra)``
 +store: ``cpu_st{size}{end}_data_ra(env, ptr, val, ra)``
  ``sign``
   - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_data_ra(env, ptr, val, ra)``
   - ``l`` : 32 bits
   - ``q`` : 64 bits
 +``end``
 + - (empty) : for target endian, or 8 bit sizes
 + - ``_be`` : big endian
 + - ``_le`` : little endian
 +
  Regexes for git grep:
 - - ``\<cpu_ld[us]\?[bwlq]_data_ra\>``
 - - ``\<cpu_st[bwlq]_data_ra\>``
 + - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data_ra\>``
 + - ``\<cpu_st[bwlq](_[bl]e)\?_data_ra\>``
  ``cpu_{ld,st}*_data``
  ~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ the CPU state anyway.
  Function names follow the pattern:
 -load: ``cpu_ld{sign}{size}_data(env, ptr)``
 +load: ``cpu_ld{sign}{size}{end}_data(env, ptr)``
 -store: ``cpu_st{size}_data(env, ptr, val)``
 +store: ``cpu_st{size}{end}_data(env, ptr, val)``
  ``sign``
   - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_data(env, ptr, val)``
   - ``l`` : 32 bits
   - ``q`` : 64 bits
 +``end``
 + - (empty) : for target endian, or 8 bit sizes
 + - ``_be`` : big endian
 + - ``_le`` : little endian
 +
  Regexes for git grep
 - - ``\<cpu_ld[us]\?[bwlq]_data\>``
 - - ``\<cpu_st[bwlq]_data\+\>``
 + - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data\>``
 + - ``\<cpu_st[bwlq](_[bl]e)\?_data\+\>``
  ``cpu_ld*_code``
  ~~~~~~~~~~~~~~~~
 diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu_ldst.h
 +++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@
   *
   * The syntax for the accessors is:
   *
 - * load:  cpu_ld{sign}{size}_{mmusuffix}(env, ptr)
 - *        cpu_ld{sign}{size}_{mmusuffix}_ra(env, ptr, retaddr)
 - *        cpu_ld{sign}{size}_mmuidx_ra(env, ptr, mmu_idx, retaddr)
 + * load:  cpu_ld{sign}{size}{end}_{mmusuffix}(env, ptr)
 + *        cpu_ld{sign}{size}{end}_{mmusuffix}_ra(env, ptr, retaddr)
 + *        cpu_ld{sign}{size}{end}_mmuidx_ra(env, ptr, mmu_idx, retaddr)
   *
 - * store: cpu_st{size}_{mmusuffix}(env, ptr, val)
 - *        cpu_st{size}_{mmusuffix}_ra(env, ptr, val, retaddr)
 - *        cpu_st{size}_mmuidx_ra(env, ptr, val, mmu_idx, retaddr)
 + * store: cpu_st{size}{end}_{mmusuffix}(env, ptr, val)
 + *        cpu_st{size}{end}_{mmusuffix}_ra(env, ptr, val, retaddr)
 + *        cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmu_idx, retaddr)
   *
   * sign is:
   * (empty): for 32 and 64 bit sizes
@@ -XXX,XX +XXX,XX @@
   *   l: 32 bits
   *   q: 64 bits
   *
 + * end is:
 + * (empty): for target native endian, or for 8 bit access
 + *     _be: for forced big endian
 + *     _le: for forced little endian
 + *
   * mmusuffix is one of the generic suffixes "data" or "code", or "mmuidx".
   * The "mmuidx" suffix carries an extra mmu_idx argument that specifies
   * the index to use; the "data" and "code" suffixes take the index from
@@ -XXX,XX +XXX,XX @@ typedef target_ulong abi_ptr;
  #endif
  uint32_t cpu_ldub_data(CPUArchState *env, abi_ptr ptr);
 -uint32_t cpu_lduw_data(CPUArchState *env, abi_ptr ptr);
 -uint32_t cpu_ldl_data(CPUArchState *env, abi_ptr ptr);
 -uint64_t cpu_ldq_data(CPUArchState *env, abi_ptr ptr);
  int cpu_ldsb_data(CPUArchState *env, abi_ptr ptr);
 -int cpu_ldsw_data(CPUArchState *env, abi_ptr ptr);
 -uint32_t cpu_ldub_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 -uint32_t cpu_lduw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 -uint32_t cpu_ldl_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 -uint64_t cpu_ldq_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 -int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 -int cpu_ldsw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
 +uint32_t cpu_lduw_be_data(CPUArchState *env, abi_ptr ptr);
 +int cpu_ldsw_be_data(CPUArchState *env, abi_ptr ptr);
 +uint32_t cpu_ldl_be_data(CPUArchState *env, abi_ptr ptr);
 +uint64_t cpu_ldq_be_data(CPUArchState *env, abi_ptr ptr);
 +
 +uint32_t cpu_lduw_le_data(CPUArchState *env, abi_ptr ptr);
 +int cpu_ldsw_le_data(CPUArchState *env, abi_ptr ptr);
 +uint32_t cpu_ldl_le_data(CPUArchState *env, abi_ptr ptr);
 +uint64_t cpu_ldq_le_data(CPUArchState *env, abi_ptr ptr);
 +
 +uint32_t cpu_ldub_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +
 +uint32_t cpu_lduw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +int cpu_ldsw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +uint32_t cpu_ldl_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +uint64_t cpu_ldq_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +
 +uint32_t cpu_lduw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +int cpu_ldsw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +uint32_t cpu_ldl_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 +uint64_t cpu_ldq_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
  void cpu_stb_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 -void cpu_stw_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 -void cpu_stl_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 -void cpu_stq_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
 +
 +void cpu_stw_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 +void cpu_stl_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 +void cpu_stq_be_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
 +
 +void cpu_stw_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 +void cpu_stl_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
 +void cpu_stq_le_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
  void cpu_stb_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint32_t val, uintptr_t retaddr);
 -void cpu_stw_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint32_t val, uintptr_t retaddr);
 -void cpu_stl_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint32_t val, uintptr_t retaddr);
 -void cpu_stq_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint64_t val, uintptr_t retaddr);
 +                     uint32_t val, uintptr_t ra);
 +
 +void cpu_stw_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t ra);
 +void cpu_stl_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t ra);
 +void cpu_stq_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint64_t val, uintptr_t ra);
 +
 +void cpu_stw_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t ra);
 +void cpu_stl_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t ra);
 +void cpu_stq_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint64_t val, uintptr_t ra);
  #if defined(CONFIG_USER_ONLY)
@@ -XXX,XX +XXX,XX @@ static inline uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
      return cpu_ldub_data_ra(env, addr, ra);
  }
 -static inline uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                                          int mmu_idx, uintptr_t ra)
 -{
 -    return cpu_lduw_data_ra(env, addr, ra);
 -}
 -
 -static inline uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                                         int mmu_idx, uintptr_t ra)
 -{
 -    return cpu_ldl_data_ra(env, addr, ra);
 -}
 -
 -static inline uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                                         int mmu_idx, uintptr_t ra)
 -{
 -    return cpu_ldq_data_ra(env, addr, ra);
 -}
 -
  static inline int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                                       int mmu_idx, uintptr_t ra)
  {
      return cpu_ldsb_data_ra(env, addr, ra);
  }
 -static inline int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                                     int mmu_idx, uintptr_t ra)
 +static inline uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                             int mmu_idx, uintptr_t ra)
  {
 -    return cpu_ldsw_data_ra(env, addr, ra);
 +    return cpu_lduw_be_data_ra(env, addr, ra);
 +}
 +
-+static inline int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
++static void test_acpi_virt_viot(void)
 +                                        int mmu_idx, uintptr_t ra)
 +{
-+    return cpu_ldsw_be_data_ra(env, addr, ra);
++    test_data data = {
 +        .machine = "virt",
 +        .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
 +        .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
 +        .cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
 +        .ram_start = 0x40000000ULL,
 +        .scan_len = 128ULL * 1024 * 1024,
 +    };
 +
 +    test_acpi_one("-cpu cortex-a57 "
 +                  "-device virtio-iommu-pci", &data);
 +    free_test_data(&data);
 +}
 +
-+static inline uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+ static void test_oem_fields(test_data *data)
 +                                            int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_ldl_be_data_ra(env, addr, ra);
 +}
 +
 +static inline uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                            int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_ldq_be_data_ra(env, addr, ra);
 +}
 +
 +static inline uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                             int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_lduw_le_data_ra(env, addr, ra);
 +}
 +
 +static inline int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                        int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_ldsw_le_data_ra(env, addr, ra);
 +}
 +
 +static inline uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                            int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_ldl_le_data_ra(env, addr, ra);
 +}
 +
 +static inline uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                            int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_ldq_le_data_ra(env, addr, ra);
  }
  static inline void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
@@ -XXX,XX +XXX,XX @@ static inline void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
      cpu_stb_data_ra(env, addr, val, ra);
  }
 -static inline void cpu_stw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                                     uint32_t val, int mmu_idx, uintptr_t ra)
 +static inline void cpu_stw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                        uint32_t val, int mmu_idx,
 +                                        uintptr_t ra)
  {
--    cpu_stw_data_ra(env, addr, val, ra);
+     int i;
-+    cpu_stw_be_data_ra(env, addr, val, ra);
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
- }
+             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
+             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
--static inline void cpu_stl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+         }
--                                     uint32_t val, int mmu_idx, uintptr_t ra)
++        qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
-+static inline void cpu_stl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+     } else if (strcmp(arch, "aarch64") == 0) {
-+                                        uint32_t val, int mmu_idx,
+         if (has_tcg) {
-+                                        uintptr_t ra)
+             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
- {
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
--    cpu_stl_data_ra(env, addr, val, ra);
+             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
-+    cpu_stl_be_data_ra(env, addr, val, ra);
+             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
- }
+             qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
++            qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
--static inline void cpu_stq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+         }
--                                     uint64_t val, int mmu_idx, uintptr_t ra)
+     }
-+static inline void cpu_stq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+     ret = g_test_run();
 +                                        uint64_t val, int mmu_idx,
 +                                        uintptr_t ra)
  {
 -    cpu_stq_data_ra(env, addr, val, ra);
 +    cpu_stq_be_data_ra(env, addr, val, ra);
 +}
 +
 +static inline void cpu_stw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                        uint32_t val, int mmu_idx,
 +                                        uintptr_t ra)
 +{
 +    cpu_stw_le_data_ra(env, addr, val, ra);
 +}
 +
 +static inline void cpu_stl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                        uint32_t val, int mmu_idx,
 +                                        uintptr_t ra)
 +{
 +    cpu_stl_le_data_ra(env, addr, val, ra);
 +}
 +
 +static inline void cpu_stq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                                        uint64_t val, int mmu_idx,
 +                                        uintptr_t ra)
 +{
 +    cpu_stq_le_data_ra(env, addr, val, ra);
  }
  #else
@@ -XXX,XX +XXX,XX @@ static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
  uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                              int mmu_idx, uintptr_t ra);
 -uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                            int mmu_idx, uintptr_t ra);
 -uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                           int mmu_idx, uintptr_t ra);
 -uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                           int mmu_idx, uintptr_t ra);
 -
  int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                         int mmu_idx, uintptr_t ra);
 -int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                       int mmu_idx, uintptr_t ra);
 +
 +uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                               int mmu_idx, uintptr_t ra);
 +int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                          int mmu_idx, uintptr_t ra);
 +uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra);
 +uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra);
 +
 +uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                               int mmu_idx, uintptr_t ra);
 +int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                          int mmu_idx, uintptr_t ra);
 +uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra);
 +uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra);
  void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                         int mmu_idx, uintptr_t retaddr);
 -void cpu_stw_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 -                       int mmu_idx, uintptr_t retaddr);
 -void cpu_stl_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 -                       int mmu_idx, uintptr_t retaddr);
 -void cpu_stq_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
 -                       int mmu_idx, uintptr_t retaddr);
 +
 +void cpu_stw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr);
 +void cpu_stl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr);
 +void cpu_stq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
 +                          int mmu_idx, uintptr_t retaddr);
 +
 +void cpu_stw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr);
 +void cpu_stl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr);
 +void cpu_stq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
 +                          int mmu_idx, uintptr_t retaddr);
  #endif /* defined(CONFIG_USER_ONLY) */
 +#ifdef TARGET_WORDS_BIGENDIAN
 +# define cpu_lduw_data        cpu_lduw_be_data
 +# define cpu_ldsw_data        cpu_ldsw_be_data
 +# define cpu_ldl_data         cpu_ldl_be_data
 +# define cpu_ldq_data         cpu_ldq_be_data
 +# define cpu_lduw_data_ra     cpu_lduw_be_data_ra
 +# define cpu_ldsw_data_ra     cpu_ldsw_be_data_ra
 +# define cpu_ldl_data_ra      cpu_ldl_be_data_ra
 +# define cpu_ldq_data_ra      cpu_ldq_be_data_ra
 +# define cpu_lduw_mmuidx_ra   cpu_lduw_be_mmuidx_ra
 +# define cpu_ldsw_mmuidx_ra   cpu_ldsw_be_mmuidx_ra
 +# define cpu_ldl_mmuidx_ra    cpu_ldl_be_mmuidx_ra
 +# define cpu_ldq_mmuidx_ra    cpu_ldq_be_mmuidx_ra
 +# define cpu_stw_data         cpu_stw_be_data
 +# define cpu_stl_data         cpu_stl_be_data
 +# define cpu_stq_data         cpu_stq_be_data
 +# define cpu_stw_data_ra      cpu_stw_be_data_ra
 +# define cpu_stl_data_ra      cpu_stl_be_data_ra
 +# define cpu_stq_data_ra      cpu_stq_be_data_ra
 +# define cpu_stw_mmuidx_ra    cpu_stw_be_mmuidx_ra
 +# define cpu_stl_mmuidx_ra    cpu_stl_be_mmuidx_ra
 +# define cpu_stq_mmuidx_ra    cpu_stq_be_mmuidx_ra
 +#else
 +# define cpu_lduw_data        cpu_lduw_le_data
 +# define cpu_ldsw_data        cpu_ldsw_le_data
 +# define cpu_ldl_data         cpu_ldl_le_data
 +# define cpu_ldq_data         cpu_ldq_le_data
 +# define cpu_lduw_data_ra     cpu_lduw_le_data_ra
 +# define cpu_ldsw_data_ra     cpu_ldsw_le_data_ra
 +# define cpu_ldl_data_ra      cpu_ldl_le_data_ra
 +# define cpu_ldq_data_ra      cpu_ldq_le_data_ra
 +# define cpu_lduw_mmuidx_ra   cpu_lduw_le_mmuidx_ra
 +# define cpu_ldsw_mmuidx_ra   cpu_ldsw_le_mmuidx_ra
 +# define cpu_ldl_mmuidx_ra    cpu_ldl_le_mmuidx_ra
 +# define cpu_ldq_mmuidx_ra    cpu_ldq_le_mmuidx_ra
 +# define cpu_stw_data         cpu_stw_le_data
 +# define cpu_stl_data         cpu_stl_le_data
 +# define cpu_stq_data         cpu_stq_le_data
 +# define cpu_stw_data_ra      cpu_stw_le_data_ra
 +# define cpu_stl_data_ra      cpu_stl_le_data_ra
 +# define cpu_stq_data_ra      cpu_stq_le_data_ra
 +# define cpu_stw_mmuidx_ra    cpu_stw_le_mmuidx_ra
 +# define cpu_stl_mmuidx_ra    cpu_stl_le_mmuidx_ra
 +# define cpu_stq_mmuidx_ra    cpu_stq_le_mmuidx_ra
 +#endif
 +
  uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr);
  uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr);
  uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr);
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                                     full_ldub_mmu);
  }
 -uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                            int mmu_idx, uintptr_t ra)
 +uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                               int mmu_idx, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEUW,
 -                           MO_TE == MO_LE
 -                           ? full_le_lduw_mmu : full_be_lduw_mmu);
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUW, full_be_lduw_mmu);
  }
 -int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                       int mmu_idx, uintptr_t ra)
 +int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                          int mmu_idx, uintptr_t ra)
  {
 -    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_TESW,
 -                                    MO_TE == MO_LE
 -                                    ? full_le_lduw_mmu : full_be_lduw_mmu);
 +    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_BESW,
 +                                    full_be_lduw_mmu);
  }
 -uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                           int mmu_idx, uintptr_t ra)
 +uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEUL,
 -                           MO_TE == MO_LE
 -                           ? full_le_ldul_mmu : full_be_ldul_mmu);
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUL, full_be_ldul_mmu);
  }
 -uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 -                           int mmu_idx, uintptr_t ra)
 +uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEQ,
 -                           MO_TE == MO_LE
 -                           ? helper_le_ldq_mmu : helper_be_ldq_mmu);
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEQ, helper_be_ldq_mmu);
 +}
 +
 +uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                               int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUW, full_le_lduw_mmu);
 +}
 +
 +int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                          int mmu_idx, uintptr_t ra)
 +{
 +    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_LESW,
 +                                    full_le_lduw_mmu);
 +}
 +
 +uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUL, full_le_ldul_mmu);
 +}
 +
 +uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
 +                              int mmu_idx, uintptr_t ra)
 +{
 +    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEQ, helper_le_ldq_mmu);
  }
  uint32_t cpu_ldub_data_ra(CPUArchState *env, target_ulong ptr,
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
      return cpu_ldsb_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
  }
 -uint32_t cpu_lduw_data_ra(CPUArchState *env, target_ulong ptr,
 -                          uintptr_t retaddr)
 +uint32_t cpu_lduw_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                             uintptr_t retaddr)
  {
 -    return cpu_lduw_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +    return cpu_lduw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
  }
 -int cpu_ldsw_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
 +int cpu_ldsw_be_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
  {
 -    return cpu_ldsw_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +    return cpu_ldsw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
  }
 -uint32_t cpu_ldl_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
 +uint32_t cpu_ldl_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                            uintptr_t retaddr)
  {
 -    return cpu_ldl_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +    return cpu_ldl_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
  }
 -uint64_t cpu_ldq_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
 +uint64_t cpu_ldq_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                            uintptr_t retaddr)
  {
 -    return cpu_ldq_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +    return cpu_ldq_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +uint32_t cpu_lduw_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                             uintptr_t retaddr)
 +{
 +    return cpu_lduw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +int cpu_ldsw_le_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
 +{
 +    return cpu_ldsw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +uint32_t cpu_ldl_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                            uintptr_t retaddr)
 +{
 +    return cpu_ldl_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +uint64_t cpu_ldq_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                            uintptr_t retaddr)
 +{
 +    return cpu_ldq_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
  }
  uint32_t cpu_ldub_data(CPUArchState *env, target_ulong ptr)
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data(CPUArchState *env, target_ulong ptr)
      return cpu_ldsb_data_ra(env, ptr, 0);
  }
 -uint32_t cpu_lduw_data(CPUArchState *env, target_ulong ptr)
 +uint32_t cpu_lduw_be_data(CPUArchState *env, target_ulong ptr)
  {
 -    return cpu_lduw_data_ra(env, ptr, 0);
 +    return cpu_lduw_be_data_ra(env, ptr, 0);
  }
 -int cpu_ldsw_data(CPUArchState *env, target_ulong ptr)
 +int cpu_ldsw_be_data(CPUArchState *env, target_ulong ptr)
  {
 -    return cpu_ldsw_data_ra(env, ptr, 0);
 +    return cpu_ldsw_be_data_ra(env, ptr, 0);
  }
 -uint32_t cpu_ldl_data(CPUArchState *env, target_ulong ptr)
 +uint32_t cpu_ldl_be_data(CPUArchState *env, target_ulong ptr)
  {
 -    return cpu_ldl_data_ra(env, ptr, 0);
 +    return cpu_ldl_be_data_ra(env, ptr, 0);
  }
 -uint64_t cpu_ldq_data(CPUArchState *env, target_ulong ptr)
 +uint64_t cpu_ldq_be_data(CPUArchState *env, target_ulong ptr)
  {
 -    return cpu_ldq_data_ra(env, ptr, 0);
 +    return cpu_ldq_be_data_ra(env, ptr, 0);
 +}
 +
 +uint32_t cpu_lduw_le_data(CPUArchState *env, target_ulong ptr)
 +{
 +    return cpu_lduw_le_data_ra(env, ptr, 0);
 +}
 +
 +int cpu_ldsw_le_data(CPUArchState *env, target_ulong ptr)
 +{
 +    return cpu_ldsw_le_data_ra(env, ptr, 0);
 +}
 +
 +uint32_t cpu_ldl_le_data(CPUArchState *env, target_ulong ptr)
 +{
 +    return cpu_ldl_le_data_ra(env, ptr, 0);
 +}
 +
 +uint64_t cpu_ldq_le_data(CPUArchState *env, target_ulong ptr)
 +{
 +    return cpu_ldq_le_data_ra(env, ptr, 0);
  }
  /*
@@ -XXX,XX +XXX,XX @@ void cpu_stb_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
      cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_UB);
  }
 -void cpu_stw_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 -                       int mmu_idx, uintptr_t retaddr)
 +void cpu_stw_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEUW);
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUW);
  }
 -void cpu_stl_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 -                       int mmu_idx, uintptr_t retaddr)
 +void cpu_stl_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEUL);
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUL);
  }
 -void cpu_stq_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
 -                       int mmu_idx, uintptr_t retaddr)
 +void cpu_stq_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
 +                          int mmu_idx, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEQ);
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEQ);
 +}
 +
 +void cpu_stw_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr)
 +{
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUW);
 +}
 +
 +void cpu_stl_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
 +                          int mmu_idx, uintptr_t retaddr)
 +{
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUL);
 +}
 +
 +void cpu_stq_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
 +                          int mmu_idx, uintptr_t retaddr)
 +{
 +    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEQ);
  }
  void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr,
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr,
      cpu_stb_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
  }
 -void cpu_stw_data_ra(CPUArchState *env, target_ulong ptr,
 -                     uint32_t val, uintptr_t retaddr)
 +void cpu_stw_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint32_t val, uintptr_t retaddr)
  {
 -    cpu_stw_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +    cpu_stw_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
  }
 -void cpu_stl_data_ra(CPUArchState *env, target_ulong ptr,
 -                     uint32_t val, uintptr_t retaddr)
 +void cpu_stl_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint32_t val, uintptr_t retaddr)
  {
 -    cpu_stl_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +    cpu_stl_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
  }
 -void cpu_stq_data_ra(CPUArchState *env, target_ulong ptr,
 -                     uint64_t val, uintptr_t retaddr)
 +void cpu_stq_be_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint64_t val, uintptr_t retaddr)
  {
 -    cpu_stq_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +    cpu_stq_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +void cpu_stw_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint32_t val, uintptr_t retaddr)
 +{
 +    cpu_stw_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +void cpu_stl_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint32_t val, uintptr_t retaddr)
 +{
 +    cpu_stl_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 +}
 +
 +void cpu_stq_le_data_ra(CPUArchState *env, target_ulong ptr,
 +                        uint64_t val, uintptr_t retaddr)
 +{
 +    cpu_stq_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
  }
  void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val)
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val)
      cpu_stb_data_ra(env, ptr, val, 0);
  }
 -void cpu_stw_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 +void cpu_stw_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
  {
 -    cpu_stw_data_ra(env, ptr, val, 0);
 +    cpu_stw_be_data_ra(env, ptr, val, 0);
  }
 -void cpu_stl_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 +void cpu_stl_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
  {
 -    cpu_stl_data_ra(env, ptr, val, 0);
 +    cpu_stl_be_data_ra(env, ptr, val, 0);
  }
 -void cpu_stq_data(CPUArchState *env, target_ulong ptr, uint64_t val)
 +void cpu_stq_be_data(CPUArchState *env, target_ulong ptr, uint64_t val)
  {
 -    cpu_stq_data_ra(env, ptr, val, 0);
 +    cpu_stq_be_data_ra(env, ptr, val, 0);
 +}
 +
 +void cpu_stw_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 +{
 +    cpu_stw_le_data_ra(env, ptr, val, 0);
 +}
 +
 +void cpu_stl_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 +{
 +    cpu_stl_le_data_ra(env, ptr, val, 0);
 +}
 +
 +void cpu_stq_le_data(CPUArchState *env, target_ulong ptr, uint64_t val)
 +{
 +    cpu_stq_le_data_ra(env, ptr, val, 0);
  }
  /* First set of helpers allows passing in of OI and RETADDR.  This makes
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data(CPUArchState *env, abi_ptr ptr)
      return ret;
  }
 -uint32_t cpu_lduw_data(CPUArchState *env, abi_ptr ptr)
 +uint32_t cpu_lduw_be_data(CPUArchState *env, abi_ptr ptr)
  {
      uint32_t ret;
 -    uint16_t meminfo = trace_mem_get_info(MO_TEUW, MMU_USER_IDX, false);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEUW, MMU_USER_IDX, false);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    ret = lduw_p(g2h(ptr));
 +    ret = lduw_be_p(g2h(ptr));
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
      return ret;
  }
 -int cpu_ldsw_data(CPUArchState *env, abi_ptr ptr)
 +int cpu_ldsw_be_data(CPUArchState *env, abi_ptr ptr)
  {
      int ret;
 -    uint16_t meminfo = trace_mem_get_info(MO_TESW, MMU_USER_IDX, false);
 +    uint16_t meminfo = trace_mem_get_info(MO_BESW, MMU_USER_IDX, false);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    ret = ldsw_p(g2h(ptr));
 +    ret = ldsw_be_p(g2h(ptr));
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
      return ret;
  }
 -uint32_t cpu_ldl_data(CPUArchState *env, abi_ptr ptr)
 +uint32_t cpu_ldl_be_data(CPUArchState *env, abi_ptr ptr)
  {
      uint32_t ret;
 -    uint16_t meminfo = trace_mem_get_info(MO_TEUL, MMU_USER_IDX, false);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEUL, MMU_USER_IDX, false);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    ret = ldl_p(g2h(ptr));
 +    ret = ldl_be_p(g2h(ptr));
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
      return ret;
  }
 -uint64_t cpu_ldq_data(CPUArchState *env, abi_ptr ptr)
 +uint64_t cpu_ldq_be_data(CPUArchState *env, abi_ptr ptr)
  {
      uint64_t ret;
 -    uint16_t meminfo = trace_mem_get_info(MO_TEQ, MMU_USER_IDX, false);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEQ, MMU_USER_IDX, false);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    ret = ldq_p(g2h(ptr));
 +    ret = ldq_be_p(g2h(ptr));
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +    return ret;
 +}
 +
 +uint32_t cpu_lduw_le_data(CPUArchState *env, abi_ptr ptr)
 +{
 +    uint32_t ret;
 +    uint16_t meminfo = trace_mem_get_info(MO_LEUW, MMU_USER_IDX, false);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    ret = lduw_le_p(g2h(ptr));
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +    return ret;
 +}
 +
 +int cpu_ldsw_le_data(CPUArchState *env, abi_ptr ptr)
 +{
 +    int ret;
 +    uint16_t meminfo = trace_mem_get_info(MO_LESW, MMU_USER_IDX, false);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    ret = ldsw_le_p(g2h(ptr));
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +    return ret;
 +}
 +
 +uint32_t cpu_ldl_le_data(CPUArchState *env, abi_ptr ptr)
 +{
 +    uint32_t ret;
 +    uint16_t meminfo = trace_mem_get_info(MO_LEUL, MMU_USER_IDX, false);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    ret = ldl_le_p(g2h(ptr));
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +    return ret;
 +}
 +
 +uint64_t cpu_ldq_le_data(CPUArchState *env, abi_ptr ptr)
 +{
 +    uint64_t ret;
 +    uint16_t meminfo = trace_mem_get_info(MO_LEQ, MMU_USER_IDX, false);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    ret = ldq_le_p(g2h(ptr));
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
      return ret;
  }
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
      return ret;
  }
 -uint32_t cpu_lduw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +uint32_t cpu_lduw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
  {
      uint32_t ret;
      set_helper_retaddr(retaddr);
 -    ret = cpu_lduw_data(env, ptr);
 +    ret = cpu_lduw_be_data(env, ptr);
      clear_helper_retaddr();
      return ret;
  }
 -int cpu_ldsw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +int cpu_ldsw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
  {
      int ret;
      set_helper_retaddr(retaddr);
 -    ret = cpu_ldsw_data(env, ptr);
 +    ret = cpu_ldsw_be_data(env, ptr);
      clear_helper_retaddr();
      return ret;
  }
 -uint32_t cpu_ldl_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +uint32_t cpu_ldl_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
  {
      uint32_t ret;
      set_helper_retaddr(retaddr);
 -    ret = cpu_ldl_data(env, ptr);
 +    ret = cpu_ldl_be_data(env, ptr);
      clear_helper_retaddr();
      return ret;
  }
 -uint64_t cpu_ldq_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +uint64_t cpu_ldq_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
  {
      uint64_t ret;
      set_helper_retaddr(retaddr);
 -    ret = cpu_ldq_data(env, ptr);
 +    ret = cpu_ldq_be_data(env, ptr);
 +    clear_helper_retaddr();
 +    return ret;
 +}
 +
 +uint32_t cpu_lduw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +{
 +    uint32_t ret;
 +
 +    set_helper_retaddr(retaddr);
 +    ret = cpu_lduw_le_data(env, ptr);
 +    clear_helper_retaddr();
 +    return ret;
 +}
 +
 +int cpu_ldsw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +{
 +    int ret;
 +
 +    set_helper_retaddr(retaddr);
 +    ret = cpu_ldsw_le_data(env, ptr);
 +    clear_helper_retaddr();
 +    return ret;
 +}
 +
 +uint32_t cpu_ldl_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +{
 +    uint32_t ret;
 +
 +    set_helper_retaddr(retaddr);
 +    ret = cpu_ldl_le_data(env, ptr);
 +    clear_helper_retaddr();
 +    return ret;
 +}
 +
 +uint64_t cpu_ldq_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 +{
 +    uint64_t ret;
 +
 +    set_helper_retaddr(retaddr);
 +    ret = cpu_ldq_le_data(env, ptr);
      clear_helper_retaddr();
      return ret;
  }
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
  }
 -void cpu_stw_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 +void cpu_stw_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
  {
 -    uint16_t meminfo = trace_mem_get_info(MO_TEUW, MMU_USER_IDX, true);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEUW, MMU_USER_IDX, true);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    stw_p(g2h(ptr), val);
 +    stw_be_p(g2h(ptr), val);
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
  }
 -void cpu_stl_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 +void cpu_stl_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
  {
 -    uint16_t meminfo = trace_mem_get_info(MO_TEUL, MMU_USER_IDX, true);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEUL, MMU_USER_IDX, true);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    stl_p(g2h(ptr), val);
 +    stl_be_p(g2h(ptr), val);
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
  }
 -void cpu_stq_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
 +void cpu_stq_be_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
  {
 -    uint16_t meminfo = trace_mem_get_info(MO_TEQ, MMU_USER_IDX, true);
 +    uint16_t meminfo = trace_mem_get_info(MO_BEQ, MMU_USER_IDX, true);
      trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 -    stq_p(g2h(ptr), val);
 +    stq_be_p(g2h(ptr), val);
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +}
 +
 +void cpu_stw_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 +{
 +    uint16_t meminfo = trace_mem_get_info(MO_LEUW, MMU_USER_IDX, true);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    stw_le_p(g2h(ptr), val);
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +}
 +
 +void cpu_stl_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 +{
 +    uint16_t meminfo = trace_mem_get_info(MO_LEUL, MMU_USER_IDX, true);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    stl_le_p(g2h(ptr), val);
 +    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 +}
 +
 +void cpu_stq_le_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
 +{
 +    uint16_t meminfo = trace_mem_get_info(MO_LEQ, MMU_USER_IDX, true);
 +
 +    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
 +    stq_le_p(g2h(ptr), val);
      qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
  }
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data_ra(CPUArchState *env, abi_ptr ptr,
      clear_helper_retaddr();
  }
 -void cpu_stw_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint32_t val, uintptr_t retaddr)
 +void cpu_stw_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t retaddr)
  {
      set_helper_retaddr(retaddr);
 -    cpu_stw_data(env, ptr, val);
 +    cpu_stw_be_data(env, ptr, val);
      clear_helper_retaddr();
  }
 -void cpu_stl_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint32_t val, uintptr_t retaddr)
 +void cpu_stl_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t retaddr)
  {
      set_helper_retaddr(retaddr);
 -    cpu_stl_data(env, ptr, val);
 +    cpu_stl_be_data(env, ptr, val);
      clear_helper_retaddr();
  }
 -void cpu_stq_data_ra(CPUArchState *env, abi_ptr ptr,
 -                     uint64_t val, uintptr_t retaddr)
 +void cpu_stq_be_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint64_t val, uintptr_t retaddr)
  {
      set_helper_retaddr(retaddr);
 -    cpu_stq_data(env, ptr, val);
 +    cpu_stq_be_data(env, ptr, val);
 +    clear_helper_retaddr();
 +}
 +
 +void cpu_stw_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t retaddr)
 +{
 +    set_helper_retaddr(retaddr);
 +    cpu_stw_le_data(env, ptr, val);
 +    clear_helper_retaddr();
 +}
 +
 +void cpu_stl_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint32_t val, uintptr_t retaddr)
 +{
 +    set_helper_retaddr(retaddr);
 +    cpu_stl_le_data(env, ptr, val);
 +    clear_helper_retaddr();
 +}
 +
 +void cpu_stq_le_data_ra(CPUArchState *env, abi_ptr ptr,
 +                        uint64_t val, uintptr_t retaddr)
 +{
 +    set_helper_retaddr(retaddr);
 +    cpu_stq_le_data(env, ptr, val);
      clear_helper_retaddr();
  }
 --
-.20.1
+.25.1

-[PULL 24/34] target/arm: Reuse sve_probe_page for scatter stores
+[PULL 32/33] tests/acpi: add expected blobs for VIOT test on q35 machine
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Add expected blobs of the VIOT and DSDT table for the VIOT test on the
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+q35 machine.
-Message-id: 20200508154359.7494-18-richard.henderson@linaro.org
 Since the test instantiates a virtio device and two PCIe expander
 bridges, DSDT.viot has more blocks than the base DSDT.
 The VIOT table generated for the q35 test is:
 [000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
 [004h 0004   4]                 Table Length : 00000070
 [008h 0008   1]                     Revision : 00
 [009h 0009   1]                     Checksum : 3D
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
 [024h 0036   2]                   Node count : 0003
 [026h 0038   2]                  Node offset : 0030
 [028h 0040   8]                     Reserved : 0000000000000000
 [030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
 [031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
 [034h 0052   2]                  PCI Segment : 0000
 [036h 0054   2]               PCI BDF number : 0010
 [038h 0056   8]                     Reserved : 0000000000000000
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00003000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 3000
 [04Eh 0078   2]                  PCI BDF end : 30FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 [058h 0088   1]                         Type : 01 [PCI Range]
 [059h 0089   1]                     Reserved : 00
 [05Ah 0090   2]                       Length : 0018
 [05Ch 0092   4]               Endpoint start : 00001000
 [060h 0096   2]            PCI Segment start : 0000
 [062h 0098   2]              PCI Segment end : 0000
 [064h 0100   2]                PCI BDF start : 1000
 [066h 0102   2]                  PCI BDF end : 10FF
 [068h 0104   2]                  Output node : 0030
 [06Ah 0106   6]                     Reserved : 000000000000
 And the DSDT diff is:
@@ -XXX,XX +XXX,XX @@
   *
   * Disassembling to symbolic ASL+ operators
   *
 - * Disassembly of tests/data/acpi/q35/DSDT, Fri Dec 10 15:03:08 2021
 + * Disassembly of /tmp/aml-H9Y5D1, Fri Dec 10 15:02:27 2021
   *
   * Original Table Header:
   *     Signature        "DSDT"
 - *     Length           0x00002061 (8289)
 + *     Length           0x000024B6 (9398)
   *     Revision         0x01 **** 32-bit table (V1), no 64-bit math support
 - *     Checksum         0xFA
 + *     Checksum         0xA7
   *     OEM ID           "BOCHS "
   *     OEM Table ID     "BXPC    "
   *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
          }
      }
 +    Scope (\_SB)
 +    {
 +        Device (PC30)
 +        {
 +            Name (_UID, 0x30)  // _UID: Unique ID
 +            Name (_BBN, 0x30)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC30._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0030,             // Range Minimum
 +                    0x0030,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC20)
 +        {
 +            Name (_UID, 0x20)  // _UID: Unique ID
 +            Name (_BBN, 0x20)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC20._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0020,             // Range Minimum
 +                    0x0020,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
 +    Scope (\_SB)
 +    {
 +        Device (PC10)
 +        {
 +            Name (_UID, 0x10)  // _UID: Unique ID
 +            Name (_BBN, 0x10)  // _BBN: BIOS Bus Number
 +            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
 +            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
 +            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
 +            {
 +                CreateDWordField (Arg3, Zero, CDW1)
 +                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
 +                {
 +                    CreateDWordField (Arg3, 0x04, CDW2)
 +                    CreateDWordField (Arg3, 0x08, CDW3)
 +                    Local0 = CDW3 /* \_SB_.PC10._OSC.CDW3 */
 +                    Local0 &= 0x1F
 +                    If ((Arg1 != One))
 +                    {
 +                        CDW1 |= 0x08
 +                    }
 +
 +                    If ((CDW3 != Local0))
 +                    {
 +                        CDW1 |= 0x10
 +                    }
 +
 +                    CDW3 = Local0
 +                }
 +                Else
 +                {
 +                    CDW1 |= 0x04
 +                }
 +
 +                Return (Arg3)
 +            }
 +
 +            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
 +            {
 +                Local0 = Package (0x80){}
 +                Local1 = Zero
 +                While ((Local1 < 0x80))
 +                {
 +                    Local2 = (Local1 >> 0x02)
 +                    Local3 = ((Local1 + Local2) & 0x03)
 +                    If ((Local3 == Zero))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKD,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == One))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKA,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x02))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKB,
 +                                Zero
 +                            }
 +                    }
 +
 +                    If ((Local3 == 0x03))
 +                    {
 +                        Local4 = Package (0x04)
 +                            {
 +                                Zero,
 +                                Zero,
 +                                LNKC,
 +                                Zero
 +                            }
 +                    }
 +
 +                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
 +                    Local4 [One] = (Local1 & 0x03)
 +                    Local0 [Local1] = Local4
 +                    Local1++
 +                }
 +
 +                Return (Local0)
 +            }
 +
 +            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
 +            {
 +                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 +                    0x0000,             // Granularity
 +                    0x0010,             // Range Minimum
 +                    0x0010,             // Range Maximum
 +                    0x0000,             // Translation Offset
 +                    0x0001,             // Length
 +                    ,, )
 +            })
 +        }
 +    }
 +
      Scope (\_SB.PCI0)
      {
          Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
@@ -XXX,XX +XXX,XX @@
              WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
 x0000,             // Granularity
 x0000,             // Range Minimum
 -                0x00FF,             // Range Maximum
 +                0x000F,             // Range Maximum
 x0000,             // Translation Offset
 -                0x0100,             // Length
 +                0x0010,             // Length
                  ,, )
              IO (Decode16,
 x0CF8,             // Range Minimum
@@ -XXX,XX +XXX,XX @@
                  }
              }
 +            Device (S10)
 +            {
 +                Name (_ADR, 0x00020000)  // _ADR: Address
 +            }
 +
 +            Device (S18)
 +            {
 +                Name (_ADR, 0x00030000)  // _ADR: Address
 +            }
 +
 +            Device (S20)
 +            {
 +                Name (_ADR, 0x00040000)  // _ADR: Address
 +            }
 +
 +            Device (S28)
 +            {
 +                Name (_ADR, 0x00050000)  // _ADR: Address
 +            }
 +
              Method (PCNT, 0, NotSerialized)
              {
              }
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-8-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sve_helper.c | 182 ++++++++++++++++++++++++----------------
+ tests/qtest/bios-tables-test-allowed-diff.h |   2 --
-file changed, 111 insertions(+), 71 deletions(-)
+ tests/data/acpi/q35/DSDT.viot               | Bin 0 -> 9398 bytes
+ tests/data/acpi/q35/VIOT.viot               | Bin 0 -> 112 bytes
-diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
+files changed, 2 deletions(-)
 diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve_helper.c
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/target/arm/sve_helper.c
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@ DO_LDFF1_ZPZ_D(dd_be, zd, MO_64)
+@@ -XXX,XX +XXX,XX @@
+ /* List of comma-separated changed AML files to ignore */
- /* Stores with a vector index.  */
+ "tests/data/acpi/virt/VIOT",
+-"tests/data/acpi/q35/DSDT.viot",
--static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
+-"tests/data/acpi/q35/VIOT.viot",
--                       target_ulong base, uint32_t desc, uintptr_t ra,
+diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
--                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
+index XXXXXXX..XXXXXXX 100644
-+static inline QEMU_ALWAYS_INLINE
+GIT binary patch
-+void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+literal 9398
-+               target_ulong base, uint32_t desc, uintptr_t retaddr,
+zcmeHNO>7&-8J*>iv|O&FB}G~Oi$yp||57BBoWHhc5OS9yDTx$CQgH$r;8Idr*-4Q_
-+               int esize, int msize, zreg_off_fn *off_fn,
+z5(9Az1F`}niVsB-)<KW7p`g9Br(A2Gm-gmc1N78GFS!;)e2V(MnH_0{q<{#yMgn&C
-+               sve_ldst1_host_fn *host_fn,
+zn|*J-d9yqFhO_H6z19~`FlPL*u<DkZ*}|)JH;X@mF-FI<cPg<fti9tEN*yB^i5czN
-+               sve_ldst1_tlb_fn *tlb_fn)
+zNq&q?!OZ;BE3B7{KWzJ-`Tn~f`9?Qj8~2^N8{Oc8J%57{==w%rS#;nOCp*nTr@iZ1
- {
+zb+?i;JLQUJ=O0?8*>S~D)a>NF1~WVB6^~_B#yhJ`H+JU@=6aXs`?Yv)J2h=N?drcS
-     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
+zeLZ*n<<Bm^n}6`jfBx#u8&(W}1?)}iF9o#mZ~E2+zwdn7yK3AbIzKnxpZ>JRPm3~#
--    intptr_t i, oprsz = simd_oprsz(desc);
+z&ICS{+_OayRW-l=Mtk=~uaS3o8z<_udd|(wqg`&JnVPfCe>BUOO`Su3e>pff_^UW%
-+    const int mmu_idx = cpu_mmu_index(env, false);
+z&JE^NO`)=Amg~iqRB1pPscP?(>#ZuY8GHCmlEvD$9g3%4Db~Dfz2SATnddvrR-Oe^
-+    const intptr_t reg_max = simd_oprsz(desc);
+z;s;dJec!hnzi)ri^I6YN9vtkm{^TdUF8h7gX8-<Qe4p)GQ=)AtYx2VcwdLVAEXEjG
-+    void *host[ARM_MAX_VQ * 4];
+z^Mj|UHPqkj-LsWuzQem1>F3atdZn=zv3$#RmZzSHN+6-yyU#8cJb=YDilX&sl}vNm
-+    intptr_t reg_off, i;
+znkgAR^O<3kj4if>{ly5fwRfMWuC5=lrlvKPX~i#654Cp}R_d*JS$9laZ$ra6)<ns8
-+    SVEHostPage info, info2;
+zFZy28G%xP(nit&F>LDi%G<tIc=TY=gl$jSD&Uv!Yat~XR46h%rI$!}a%!|xG7u8Zn
+zeY8_|n=K>xz_v_W8VX$W-Fg-qFWcT}7MCyz{%%{ia7hZ>Law-k6NOr}VI&_48U=2l
--    for (i = 0; i < oprsz; ) {
+zwqDKFE8eTwwozDdms#e?x?5a|v>&JF;2_v0L~z5n%BYU^52<*cWuD4|GYUm@1+?))
--        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+zte^45>Rz)t*<T5V#={r>@t@{%?^i#W{i=HAZ*Dc9y59Va-+#P!jrGs;u38a{fLr`N
-+    /*
+zvT@rUu>DljxJ?^&Z?-?vyJn3C>3D=qux{Y*bs5|5n)Qmi$TD^Zdn4GU$ocJS2Hh-<
-+     * Probe all of the elements for host addresses and flags.
+z`xPI^^+v0nUVdjMos8k`WGl7hA`{03ju%<lrgAHSpd^DRf-*}_#Ly0mB!LSfVgWcQ
-+     */
+z&T$@~G9)JI=hz5m0vkrel+Xy{Oh7pkAu-V!j*W7rY(bO}Q$nMH2`FbGB&N)QaV4<4
-+    i = reg_off = 0;
+zo)~9JXiP9=;}NPl<C@MmXG&;XFlFNrsyfFsonxFSp<}vEgsRSQP3O3#b6nSnP}ON_
-+    do {
+zI!#Tdsp~|j>ckUB>FI=~GokB5sOq#dotCE4(sd$KbtW~PNlj-`*NIToiD#j5J#9^=
-+        uint64_t pg = vg[reg_off >> 6];
+zt?NXn>YUJYPG~wObe#xQos*i*NloXZt`niEb4t@WrRki~bs|)CI+{*L)9L6s5vn><
-         do {
+zn$DD_Go|Z9sOn5>I@6lYw5}7Os&iV?Ij!lO)^#FOb!If38BJ$K*NIToIiu;E(R9w}
--            if (likely(pg & 1)) {
+zIuWWmPiZ<&X*y5oIuWWmF_XaEC!a&Jn$B5WCqh-{X-(&8P3LJ{Cqh-{8P3dyPr@^t
--                target_ulong off = off_fn(vm, i);
+zSqL9?X9Uwd3W@23*s~h*tj0X6GZCuHa~kuU#yqDp5vt7d8uPryJg+kms?5hU=3^T3
--                tlb_fn(env, vd, i, base + (off << scale), ra);
+zF`bD}WnSP+=`t5MQ$FJ_2&Q~+BP6E0f^%BVIW6a$o)e+SX~IDBih-7z6{O~7YTy`&
-+            target_ulong addr = base + (off_fn(vm, reg_off) << scale);
+zLjy&Cv?7QikV#>n0>>@MV8oK`Gmun34-FKdlm-J8SZSaNlnhir4-FI{S|bfqV8e)V
-+            target_ulong in_page = -(addr | TARGET_PAGE_MASK);
+zss<{chX#reE#g=hsKAC%sF6d-Km}BWs!kZFsFpKfpbC@>6rprQGEjt4Ck#|zITHq|
-+
+zK*>M_l;<P^MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=xY&!axO<
-+            host[i] = NULL;
+zGhv_#lnhirIg<<&q0|Wj6<E%MfhtfkPyyvkGEjt4Ck#|zITHq|K*>M_lrzad5lWpf
-+            if (likely((pg >> (reg_off & 63)) & 1)) {
+zP=V!47^ngz0~JutBm+e#b;3XemNQ|X3X}{~Ksl2P6rt1!0~J`#gn=qhGEf2KOfpb}
-+                if (likely(in_page >= msize)) {
+zQYQ>lU^x>8szAv=1(Y+%KoLrvFi?TzOc<yFB?A>u&LjgxD0RX>1(q{mpbC@>R6seC
-+                    sve_probe_page(&info, false, env, addr, 0, MMU_DATA_STORE,
+z3>2Z%2?G^a&V+#~P%=;f<xDbAgi<FARA4z12C6{GKn0XD$v_cGoiI>=<xCi;0wn_#
-+                                   mmu_idx, retaddr);
+zP|hR+MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=rz^3{+q_69%e4
-+                    host[i] = info.host;
+z$v_2^Gs!>^N}VuJf#pmXr~)Me6;RG314Srx!axxz28u{EP=u<1B2)}iVZuNaCK;&0
-+                } else {
+zBm-5LFi?dF167!0pbC==RAItE6($T+VUmF=Ofpb~2?JG_Fi?d_2C6X0Kouqo6p_5T
-+                    /*
+zFi=FeV!SiSKoR0H$dH(_Z(*Q_WZ%L-5y`$K14StNmJAdjmWs}HV4<vU_xO+1efmLq
-+                     * Element crosses the page boundary.
+zZ;W>N_U)fP6Qy6Nw5mbt9Y(#emWSi66=>tq#xoh#Ue=0qyhxi8ZOUe5y0V7VfPUhp
-+                     * Probe both pages, but do not record the host address,
+zwX=;ymc+i5%sg9Ja~lZ&8oAV@mHc>&CHP9v4R(jhtT?un;O4e9#pno)Xkh7OWgK&a
-+                     * so that we use the slow path.
+zyj=3Iv0OuoK_;5rOr5f(Kb~ZXDBO+V`OWYo#_C08imwChQxnjdd?wZLDou8aj;$SD
-+                     */
+zGDYiA3<$Tu<JnHL(KPOChi#zrR32t83}naR$+ym4P_h?z_5#|cW-nw$XD_sOtE62l
-+                    sve_probe_page(&info, false, env, addr, 0,
+zrD3@*)NVyiklt0&yF9%+klsBey&I<Y2E<!f(E8TuJte)z(|ZHyy<^gQVfx}=`q&B5
-+                                   MMU_DATA_STORE, mmu_idx, retaddr);
+z7nSryp1wGczIaUfVwiq$Fn#<4=@*ssi#+|}K>EdF(l3VTOM~ghPLRH&q%ZOGrGfON
-+                    sve_probe_page(&info2, false, env, addr + in_page, 0,
+zW73zx^yR_y<0nX8R??Sw`tm^f@-gYlNFSp|*<gA{q?Zp5Oe-+l#rmyYmKozi9y=P>
-+                                   MMU_DATA_STORE, mmu_idx, retaddr);
+zVReJU*h=ZuVXiS$ohTbw-O#v9>(yZbGE|)?8(H1ZIKvV!jWa0>vy!3eMA^vdhQ>`s
-+                    info.flags |= info2.flags;
+zuMSg{q3T50$m)j1!HixV<}X9liL#N^4c*tL^y)CF8LCc{jjV3yKAqL8!%SzWI#H%q
-+                }
+z=bSrQ&)%JCRttF5g4Zf`6l?y@>PzD7MA^D>wBlcH6r1ucwJ<p0O%rZ?JzIY3-QdmZ
-+
+zzs|n>`a5r3e|z)wcUaqS>nqFQ-8x}eCF4u`OWUxqst-@1rSmUs%WmKP5e0dcb?e2N
-+                if (unlikely(info.flags & TLB_WATCHPOINT)) {
+z;Z|x*!);VwF|Yuhqs^khqOM!@u*jY!WYldISF(V6`BoNd&6Qfk3>X#SuD^7J>p_D=
-+                    cpu_check_watchpoint(env_cpu(env), addr, msize,
+zBPa51y^_n#=cpOt#Zf$ya$Ae9Mfz56n|<i!a=ELS@)%a{^NIH3SDuN<R~sah1km#P
-+                                         info.attrs, BP_MEM_WRITE, retaddr);
+zU@?*f%<rG=4W1wgfi;C?_n|W@%lm$&8YfvNOJodIg&IcIpIJQRHr<+ej11GQ6)&eF
-+                }
+z2Lam*jIH}#y0>KnY%4JQfOYS$*uU%f#@$U6`N8I3N-lV?5ErFCdv~xDmu2(wexld4
-+                /* TODO: MTE check. */
+z4v^;aVAT2k6GJ^m*FD(Wqc(Qg^)6a<?}h$zLoj}4;PP!+(O{@!a1y-hoAhF_7!z+6
-             }
+zslpAmNtYbjHrw-~#SPVk_FUf>-Obg6yV`8o$8_`PyJe_;bY5_EMBfBfWU!Q=*9HsG
--            i += 4, pg >>= 4;
+z%_Cda{@_Krr!oHVhv9+y+T5qR8zZ2aZ>5r!$*|f$^U%yBUYfR&B!+EYy_PwL!BeUi
--        } while (i & 15);
+zJH^}r3r9Q+B)X@Z)fk=P13w&7x#wBtXTZ)g>WITPg5r&pQc!nmyrmk#S(>>b9xnNr
--    }
+zx_b#v9Xv-Y><Wb%?S^0Xe&<)bbKl_=Z|3C$tf|F<bYzE*mfHB;uC)`q-?buaBe?l?
--}
+zcLTpK*k<49Z32`K?|nSBMFqxTK^_IE-li2fEGdK~(ZdoKBl6ab4a;Hler#`xvEXJG
-+            i += 1;
+zb?<E%EZExfX>jcOVhS*0rS~RS1dA#xhkv@Nct@#q?LyeKS<$uFec!bw>{@uu$gZ6a
-+            reg_off += esize;
+zyVen1i{1BKd%~`D7|m$;U0a<I*3I7%^N%N%lGYdU_GS!gaR8T$NA@GzFi~z`l7hdl
-+        } while (reg_off & 63);
+zarZy6590|88pi(1zq;V(>38zM0sT&<zX;R5$1w3;`_JMG`;&I&0Y23DMx1%@(w(R9
-+    } while (reg_off < reg_max);
+z4M$j;D5J+Gy%fijRQsctzFKf&cv|BAz#YLq3CZJWDdtL4u1u1|mkdcUp7|sxJC+?Y
+z_@@s`v3j}Q7*z>6X~cwUxUL8G1KT)_XTp!KAbs;vCp{K3&~_X@+ew=-D}v`2MbFV0
--static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
+zQsVsL=rXi-pI*G|iiz;VTCutgUs)hDzV1+4?8KcoP3xROf<M%qC6lgVdpFt4<-|uM
--                       target_ulong base, uint32_t desc, uintptr_t ra,
+z=#rl_b1#YjSIl6Toj2z_hOZcKupkdE(LozC(fN=FY(x|sk)ym|;Rq2E1xJWD%Z!ol
--                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
+Gu>S+TT-130
--{
--    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
+literal 0
--    intptr_t i, oprsz = simd_oprsz(desc) / 8;
+HcmV?d00001
--
--    for (i = 0; i < oprsz; i++) {
+diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
--        uint8_t pg = *(uint8_t *)(vg + H1(i));
+index XXXXXXX..XXXXXXX 100644
--        if (likely(pg & 1)) {
+GIT binary patch
--            target_ulong off = off_fn(vm, i * 8);
+literal 112
--            tlb_fn(env, vd, i * 8, base + (off << scale), ra);
+zcmWIZ^baXu00LVle`k+i1*eDrX9XZ&1PX!JAex!M0Hgv8m>C3sGzdcgBZCA3T-xBj
-+    /*
+Q0Zb)W9Hva*zW_`e0M!8s0RR91
-+     * Now that we have recognized all exceptions except SyncExternal
-+     * (from TLB_MMIO), which we cannot avoid, perform all of the stores.
+literal 0
-+     *
+HcmV?d00001
-+     * Note for the common case of an element in RAM, not crossing a page
 +     * boundary, we have stored the host address in host[].  This doubles
 +     * as a first-level check against the predicate, since only enabled
 +     * elements have non-null host addresses.
 +     */
 +    i = reg_off = 0;
 +    do {
 +        void *h = host[i];
 +        if (likely(h != NULL)) {
 +            host_fn(vd, reg_off, h);
 +        } else if ((vg[reg_off >> 6] >> (reg_off & 63)) & 1) {
 +            target_ulong addr = base + (off_fn(vm, reg_off) << scale);
 +            tlb_fn(env, vd, reg_off, addr, retaddr);
          }
 -    }
 +        i += 1;
 +        reg_off += esize;
 +    } while (reg_off < reg_max);
  }
 -#define DO_ST1_ZPZ_S(MEM, OFS) \
 -void QEMU_FLATTEN HELPER(sve_st##MEM##_##OFS) \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,         \
 -     target_ulong base, uint32_t desc)                       \
 -{                                                            \
 -    sve_st1_zs(env, vd, vg, vm, base, desc, GETPC(),         \
 -              off_##OFS##_s, sve_st1##MEM##_tlb);            \
 +#define DO_ST1_ZPZ_S(MEM, OFS, MSZ) \
 +void HELPER(sve_st##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                 void *vm, target_ulong base, uint32_t desc) \
 +{                                                                            \
 +    sve_st1_z(env, vd, vg, vm, base, desc, GETPC(), 4, 1 << MSZ,             \
 +              off_##OFS##_s, sve_st1##MEM##_host, sve_st1##MEM##_tlb);       \
  }
 -#define DO_ST1_ZPZ_D(MEM, OFS) \
 -void QEMU_FLATTEN HELPER(sve_st##MEM##_##OFS) \
 -    (CPUARMState *env, void *vd, void *vg, void *vm,         \
 -     target_ulong base, uint32_t desc)                       \
 -{                                                            \
 -    sve_st1_zd(env, vd, vg, vm, base, desc, GETPC(),         \
 -               off_##OFS##_d, sve_st1##MEM##_tlb);           \
 +#define DO_ST1_ZPZ_D(MEM, OFS, MSZ) \
 +void HELPER(sve_st##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
 +                                 void *vm, target_ulong base, uint32_t desc) \
 +{                                                                            \
 +    sve_st1_z(env, vd, vg, vm, base, desc, GETPC(), 8, 1 << MSZ,             \
 +              off_##OFS##_d, sve_st1##MEM##_host, sve_st1##MEM##_tlb);       \
  }
 -DO_ST1_ZPZ_S(bs, zsu)
 -DO_ST1_ZPZ_S(hs_le, zsu)
 -DO_ST1_ZPZ_S(hs_be, zsu)
 -DO_ST1_ZPZ_S(ss_le, zsu)
 -DO_ST1_ZPZ_S(ss_be, zsu)
 +DO_ST1_ZPZ_S(bs, zsu, MO_8)
 +DO_ST1_ZPZ_S(hs_le, zsu, MO_16)
 +DO_ST1_ZPZ_S(hs_be, zsu, MO_16)
 +DO_ST1_ZPZ_S(ss_le, zsu, MO_32)
 +DO_ST1_ZPZ_S(ss_be, zsu, MO_32)
 -DO_ST1_ZPZ_S(bs, zss)
 -DO_ST1_ZPZ_S(hs_le, zss)
 -DO_ST1_ZPZ_S(hs_be, zss)
 -DO_ST1_ZPZ_S(ss_le, zss)
 -DO_ST1_ZPZ_S(ss_be, zss)
 +DO_ST1_ZPZ_S(bs, zss, MO_8)
 +DO_ST1_ZPZ_S(hs_le, zss, MO_16)
 +DO_ST1_ZPZ_S(hs_be, zss, MO_16)
 +DO_ST1_ZPZ_S(ss_le, zss, MO_32)
 +DO_ST1_ZPZ_S(ss_be, zss, MO_32)
 -DO_ST1_ZPZ_D(bd, zsu)
 -DO_ST1_ZPZ_D(hd_le, zsu)
 -DO_ST1_ZPZ_D(hd_be, zsu)
 -DO_ST1_ZPZ_D(sd_le, zsu)
 -DO_ST1_ZPZ_D(sd_be, zsu)
 -DO_ST1_ZPZ_D(dd_le, zsu)
 -DO_ST1_ZPZ_D(dd_be, zsu)
 +DO_ST1_ZPZ_D(bd, zsu, MO_8)
 +DO_ST1_ZPZ_D(hd_le, zsu, MO_16)
 +DO_ST1_ZPZ_D(hd_be, zsu, MO_16)
 +DO_ST1_ZPZ_D(sd_le, zsu, MO_32)
 +DO_ST1_ZPZ_D(sd_be, zsu, MO_32)
 +DO_ST1_ZPZ_D(dd_le, zsu, MO_64)
 +DO_ST1_ZPZ_D(dd_be, zsu, MO_64)
 -DO_ST1_ZPZ_D(bd, zss)
 -DO_ST1_ZPZ_D(hd_le, zss)
 -DO_ST1_ZPZ_D(hd_be, zss)
 -DO_ST1_ZPZ_D(sd_le, zss)
 -DO_ST1_ZPZ_D(sd_be, zss)
 -DO_ST1_ZPZ_D(dd_le, zss)
 -DO_ST1_ZPZ_D(dd_be, zss)
 +DO_ST1_ZPZ_D(bd, zss, MO_8)
 +DO_ST1_ZPZ_D(hd_le, zss, MO_16)
 +DO_ST1_ZPZ_D(hd_be, zss, MO_16)
 +DO_ST1_ZPZ_D(sd_le, zss, MO_32)
 +DO_ST1_ZPZ_D(sd_be, zss, MO_32)
 +DO_ST1_ZPZ_D(dd_le, zss, MO_64)
 +DO_ST1_ZPZ_D(dd_be, zss, MO_64)
 -DO_ST1_ZPZ_D(bd, zd)
 -DO_ST1_ZPZ_D(hd_le, zd)
 -DO_ST1_ZPZ_D(hd_be, zd)
 -DO_ST1_ZPZ_D(sd_le, zd)
 -DO_ST1_ZPZ_D(sd_be, zd)
 -DO_ST1_ZPZ_D(dd_le, zd)
 -DO_ST1_ZPZ_D(dd_be, zd)
 +DO_ST1_ZPZ_D(bd, zd, MO_8)
 +DO_ST1_ZPZ_D(hd_le, zd, MO_16)
 +DO_ST1_ZPZ_D(hd_be, zd, MO_16)
 +DO_ST1_ZPZ_D(sd_le, zd, MO_32)
 +DO_ST1_ZPZ_D(sd_be, zd, MO_32)
 +DO_ST1_ZPZ_D(dd_le, zd, MO_64)
 +DO_ST1_ZPZ_D(dd_be, zd, MO_64)
  #undef DO_ST1_ZPZ_S
  #undef DO_ST1_ZPZ_D
 --
-.20.1
+.25.1

-[PULL 05/34] hw/arm/nrf51: Add NRF51_PERIPHERAL_SIZE definition
+[PULL 33/33] tests/acpi: add expected blob for VIOT test on virt machine
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
-On the NRF51 series, all peripherals have a fixed I/O size
+The VIOT blob contains the following:
 of 4KiB. Define NRF51_PERIPHERAL_SIZE and use it.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+[004h 0004   4]                 Table Length : 00000058
-Message-id: 20200504072822.18799-2-f4bug@amsat.org
+[008h 0008   1]                     Revision : 00
 [009h 0009   1]                     Checksum : 66
 [00Ah 0010   6]                       Oem ID : "BOCHS "
 [010h 0016   8]                 Oem Table ID : "BXPC    "
 [018h 0024   4]                 Oem Revision : 00000001
 [01Ch 0028   4]              Asl Compiler ID : "BXPC"
 [020h 0032   4]        Asl Compiler Revision : 00000001
 [024h 0036   2]                   Node count : 0002
 [026h 0038   2]                  Node offset : 0030
 [028h 0040   8]                     Reserved : 0000000000000000
 [030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
 [031h 0049   1]                     Reserved : 00
 [032h 0050   2]                       Length : 0010
 [034h 0052   2]                  PCI Segment : 0000
 [036h 0054   2]               PCI BDF number : 0008
 [038h 0056   8]                     Reserved : 0000000000000000
 [040h 0064   1]                         Type : 01 [PCI Range]
 [041h 0065   1]                     Reserved : 00
 [042h 0066   2]                       Length : 0018
 [044h 0068   4]               Endpoint start : 00000000
 [048h 0072   2]            PCI Segment start : 0000
 [04Ah 0074   2]              PCI Segment end : 0000
 [04Ch 0076   2]                PCI BDF start : 0000
 [04Eh 0078   2]                  PCI BDF end : 00FF
 [050h 0080   2]                  Output node : 0030
 [052h 0082   6]                     Reserved : 000000000000
 Acked-by: Ani Sinha <ani@anisinha.ca>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
 Message-id: 20211210170415.583179-9-jean-philippe@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- include/hw/arm/nrf51.h        | 3 +--
+ tests/qtest/bios-tables-test-allowed-diff.h |   1 -
- include/hw/i2c/microbit_i2c.h | 2 +-
+ tests/data/acpi/virt/VIOT                   | Bin 0 -> 88 bytes
- hw/arm/nrf51_soc.c            | 4 ++--
+files changed, 1 deletion(-)
  hw/i2c/microbit_i2c.c         | 2 +-
  hw/timer/nrf51_timer.c        | 2 +-
 files changed, 6 insertions(+), 7 deletions(-)
-diff --git a/include/hw/arm/nrf51.h b/include/hw/arm/nrf51.h
+diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/arm/nrf51.h
+--- a/tests/qtest/bios-tables-test-allowed-diff.h
-+++ b/include/hw/arm/nrf51.h
++++ b/tests/qtest/bios-tables-test-allowed-diff.h
-@@ -XXX,XX +XXX,XX @@
+@@ -1,2 +1 @@
- #define NRF51_IOMEM_BASE      0x40000000
+ /* List of comma-separated changed AML files to ignore */
- #define NRF51_IOMEM_SIZE      0x20000000
+-"tests/data/acpi/virt/VIOT",
+diff --git a/tests/data/acpi/virt/VIOT b/tests/data/acpi/virt/VIOT
 +#define NRF51_PERIPHERAL_SIZE 0x00001000
  #define NRF51_UART_BASE       0x40002000
  #define NRF51_TWI_BASE        0x40003000
 -#define NRF51_TWI_SIZE        0x00001000
  #define NRF51_TIMER_BASE      0x40008000
 -#define NRF51_TIMER_SIZE      0x00001000
  #define NRF51_RNG_BASE        0x4000D000
  #define NRF51_NVMC_BASE       0x4001E000
  #define NRF51_GPIO_BASE       0x50000000
 diff --git a/include/hw/i2c/microbit_i2c.h b/include/hw/i2c/microbit_i2c.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/hw/i2c/microbit_i2c.h
+GIT binary patch
-+++ b/include/hw/i2c/microbit_i2c.h
+literal 88
-@@ -XXX,XX +XXX,XX @@
+zcmWIZ^bd((0D?3pe`k+i1*eDrX9XZ&1PX!JAexE60Hgv8m>C3sGzXN&z`)2L0cSHX
- #define MICROBIT_I2C(obj) \
+I{D-Rq0Q5fy0RR91
-     OBJECT_CHECK(MicrobitI2CState, (obj), TYPE_MICROBIT_I2C)
+literal 0
--#define MICROBIT_I2C_NREGS (NRF51_TWI_SIZE / sizeof(uint32_t))
+HcmV?d00001
-+#define MICROBIT_I2C_NREGS (NRF51_PERIPHERAL_SIZE / sizeof(uint32_t))
  typedef struct {
      SysBusDevice parent_obj;
 diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/nrf51_soc.c
 +++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
              return;
          }
 -        base_addr = NRF51_TIMER_BASE + i * NRF51_TIMER_SIZE;
 +        base_addr = NRF51_TIMER_BASE + i * NRF51_PERIPHERAL_SIZE;
          sysbus_mmio_map(SYS_BUS_DEVICE(&s->timer[i]), 0, base_addr);
          sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer[i]), 0,
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
      /* STUB Peripherals */
      memory_region_init_io(&s->clock, OBJECT(dev_soc), &clock_ops, NULL,
 -                          "nrf51_soc.clock", 0x1000);
 +                          "nrf51_soc.clock", NRF51_PERIPHERAL_SIZE);
      memory_region_add_subregion_overlap(&s->container,
                                          NRF51_IOMEM_BASE, &s->clock, -1);
 diff --git a/hw/i2c/microbit_i2c.c b/hw/i2c/microbit_i2c.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/i2c/microbit_i2c.c
 +++ b/hw/i2c/microbit_i2c.c
@@ -XXX,XX +XXX,XX @@ static void microbit_i2c_realize(DeviceState *dev, Error **errp)
      MicrobitI2CState *s = MICROBIT_I2C(dev);
      memory_region_init_io(&s->iomem, OBJECT(s), &microbit_i2c_ops, s,
 -                          "microbit.twi", NRF51_TWI_SIZE);
 +                          "microbit.twi", NRF51_PERIPHERAL_SIZE);
      sysbus_init_mmio(sbd, &s->iomem);
  }
 diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/timer/nrf51_timer.c
 +++ b/hw/timer/nrf51_timer.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_init(Object *obj)
      SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
      memory_region_init_io(&s->iomem, obj, &rng_ops, s,
 -            TYPE_NRF51_TIMER, NRF51_TIMER_SIZE);
 +                          TYPE_NRF51_TIMER, NRF51_PERIPHERAL_SIZE);
      sysbus_init_mmio(sbd, &s->iomem);
      sysbus_init_irq(sbd, &s->irq);
 --
-.20.1
+.25.1

-[PULL 07/34] hw/timer/nrf51_timer: Add trace event of counter value update
+Deleted patch
-From: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Add trace event to display timer's counter value updates.
-Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20200504072822.18799-5-f4bug@amsat.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/timer/nrf51_timer.c | 1 +
- hw/timer/trace-events  | 1 +
-files changed, 2 insertions(+)
-diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/nrf51_timer.c
-+++ b/hw/timer/nrf51_timer.c
-@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_write(void *opaque, hwaddr offset,
-             idx = (offset - NRF51_TIMER_TASK_CAPTURE_0) / 4;
-             s->cc[idx] = s->counter;
-+            trace_nrf51_timer_set_count(s->id, idx, s->counter);
-         }
-         break;
-     case NRF51_TIMER_EVENT_COMPARE_0 ... NRF51_TIMER_EVENT_COMPARE_3:
-diff --git a/hw/timer/trace-events b/hw/timer/trace-events
-index XXXXXXX..XXXXXXX 100644
---- a/hw/timer/trace-events
-+++ b/hw/timer/trace-events
-@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
- # nrf51_timer.c
- nrf51_timer_read(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
- nrf51_timer_write(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
-+nrf51_timer_set_count(uint8_t timer_id, uint8_t counter_id, uint32_t value) "timer %u counter %u count 0x%" PRIx32
- # bcm2835_systmr.c
- bcm2835_systmr_irq(bool enable) "timer irq state %u"
---
-.20.1

The following changes since commit c88f1ffc19e38008a1c33ae039482a860aa7418c:

Merge remote-tracking branch 'remotes/kevin/tags/for-upstream' into staging (2020-05-08 14:29:18 +0100)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20200511

for you to fetch changes up to 7e17d50ebd359ee5fa3d65d7fdc0fe0336d60694:

target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed) (2020-05-11 14:22:54 +0100)

----------------------------------------------------------------
target-arm queue:
 aspeed: Add boot stub for smp booting
 target/arm: Drop access_el3_aa32ns_aa64any()
 aspeed: Support AST2600A1 silicon revision
 aspeed: sdmc: Implement AST2600 locking behaviour
 nrf51: Tracing cleanups
 target/arm: Improve handling of SVE loads and stores
 target/arm: Don't show TCG-only CPUs in KVM-only QEMU builds
 hw/arm/musicpal: Map the UART devices unconditionally
 target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed)
 target/arm: Use tcg_gen_gvec_5_ptr for sve FMLA/FCMLA

----------------------------------------------------------------
Edgar E. Iglesias (1):
      target/arm: Drop access_el3_aa32ns_aa64any()

Joel Stanley (3):
      aspeed: Add boot stub for smp booting
      aspeed: Support AST2600A1 silicon revision
      aspeed: sdmc: Implement AST2600 locking behaviour

Philippe Mathieu-Daudé (8):
      hw/arm/nrf51: Add NRF51_PERIPHERAL_SIZE definition
      hw/timer/nrf51_timer: Display timer ID in trace events
      hw/timer/nrf51_timer: Add trace event of counter value update
      target/arm/kvm: Inline set_feature() calls
      target/arm/cpu: Use ARRAY_SIZE() to iterate over ARMCPUInfo[]
      target/arm/cpu: Restrict v8M IDAU interface to Aarch32 CPUs
      target/arm: Restrict TCG cpus to TCG accel
      hw/arm/musicpal: Map the UART devices unconditionally

Richard Henderson (21):
      exec: Add block comments for watchpoint routines
      exec: Fix cpu_watchpoint_address_matches address length
      accel/tcg: Add block comment for probe_access
      accel/tcg: Adjust probe_access call to page_check_range
      accel/tcg: Add probe_access_flags
      accel/tcg: Add endian-specific cpu_{ld, st}* operations
      target/arm: Use cpu_*_data_ra for sve_ldst_tlb_fn
      target/arm: Drop manual handling of set/clear_helper_retaddr
      target/arm: Add sve infrastructure for page lookup
      target/arm: Adjust interface of sve_ld1_host_fn
      target/arm: Use SVEContLdSt in sve_ld1_r
      target/arm: Handle watchpoints in sve_ld1_r
      target/arm: Use SVEContLdSt for multi-register contiguous loads
      target/arm: Update contiguous first-fault and no-fault loads
      target/arm: Use SVEContLdSt for contiguous stores
      target/arm: Reuse sve_probe_page for gather first-fault loads
      target/arm: Reuse sve_probe_page for scatter stores
      target/arm: Reuse sve_probe_page for gather loads
      target/arm: Remove sve_memopidx
      target/arm: Use tcg_gen_gvec_5_ptr for sve FMLA/FCMLA
      target/arm: Fix tcg_gen_gvec_dup_imm vs DUP (indexed)

Thomas Huth (1):
      target/arm: Make set_feature() available for other files

From: Joel Stanley <joel@jms.id.au>

This is a boot stub that is similar to the code u-boot runs, allowing
the kernel to boot the secondary CPU.

u-boot works as follows:

1. Initialises the SMP mailbox area in the SCU at 0x1e6e2180 with default values

2. Copies a stub named 'mailbox_insn' from flash to the SCU, just above the
    mailbox area

3. Sets AST_SMP_MBOX_FIELD_READY to a magic value to indicate the
    secondary can begin execution from the stub

4. The stub waits until the AST_SMP_MBOX_FIELD_GOSIGN register is set to
    a magic value

5. Jumps to the address in AST_SMP_MBOX_FIELD_ENTRY, starting Linux

Linux indicates it is ready by writing the address of its entrypoint
function to AST_SMP_MBOX_FIELD_ENTRY and the 'go' magic number to
AST_SMP_MBOX_FIELD_GOSIGN. The secondary CPU sees this at step 4 and
breaks out of it's loop.

To be compatible, a fixed qemu stub is loaded into the mailbox area. As
qemu can ensure the stub is loaded before execution starts, we do not
need to emulate the AST_SMP_MBOX_FIELD_READY behaviour of u-boot. The
secondary CPU's program counter points to the beginning of the stub,
allowing qemu to start secondaries at step four.

Reboot behaviour is preserved by resetting AST_SMP_MBOX_FIELD_GOSIGN
when the secondaries are reset.

This is only configured when the system is booted with -kernel and qemu
does not execute u-boot first.

Reviewed-by: Cédric Le Goater <clg@kaod.org>
Tested-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/aspeed.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps max_ram_ops = {
     .endianness = DEVICE_NATIVE_ENDIAN,
 };
 
+#define AST_SMP_MAILBOX_BASE            0x1e6e2180
+#define AST_SMP_MBOX_FIELD_ENTRY        (AST_SMP_MAILBOX_BASE + 0x0)
+#define AST_SMP_MBOX_FIELD_GOSIGN       (AST_SMP_MAILBOX_BASE + 0x4)
+#define AST_SMP_MBOX_FIELD_READY        (AST_SMP_MAILBOX_BASE + 0x8)
+#define AST_SMP_MBOX_FIELD_POLLINSN     (AST_SMP_MAILBOX_BASE + 0xc)
+#define AST_SMP_MBOX_CODE               (AST_SMP_MAILBOX_BASE + 0x10)
+#define AST_SMP_MBOX_GOSIGN             0xabbaab00
+
+static void aspeed_write_smpboot(ARMCPU *cpu,
+                                 const struct arm_boot_info *info)
+{
+    static const uint32_t poll_mailbox_ready[] = {
+        /*
+         * r2 = per-cpu go sign value
+         * r1 = AST_SMP_MBOX_FIELD_ENTRY
+         * r0 = AST_SMP_MBOX_FIELD_GOSIGN
+         */
+        0xee100fb0,  /* mrc     p15, 0, r0, c0, c0, 5 */
+        0xe21000ff,  /* ands    r0, r0, #255          */
+        0xe59f201c,  /* ldr     r2, [pc, #28]         */
+        0xe1822000,  /* orr     r2, r2, r0            */
+
+        0xe59f1018,  /* ldr     r1, [pc, #24]         */
+        0xe59f0018,  /* ldr     r0, [pc, #24]         */
+
+        0xe320f002,  /* wfe                           */
+        0xe5904000,  /* ldr     r4, [r0]              */
+        0xe1520004,  /* cmp     r2, r4                */
+        0x1afffffb,  /* bne     <wfe>                 */
+        0xe591f000,  /* ldr     pc, [r1]              */
+        AST_SMP_MBOX_GOSIGN,
+        AST_SMP_MBOX_FIELD_ENTRY,
+        AST_SMP_MBOX_FIELD_GOSIGN,
+    };
+
+    rom_add_blob_fixed("aspeed.smpboot", poll_mailbox_ready,
+                       sizeof(poll_mailbox_ready),
+                       info->smp_loader_start);
+}
+
+static void aspeed_reset_secondary(ARMCPU *cpu,
+                                   const struct arm_boot_info *info)
+{
+    AddressSpace *as = arm_boot_address_space(cpu, info);
+    CPUState *cs = CPU(cpu);
+
+    /* info->smp_bootreg_addr */
+    address_space_stl_notdirty(as, AST_SMP_MBOX_FIELD_GOSIGN, 0,
+                               MEMTXATTRS_UNSPECIFIED, NULL);
+    cpu_set_pc(cs, info->smp_loader_start);
+}
+
 #define FIRMWARE_ADDR 0x0
 
 static void write_boot_rom(DriveInfo *dinfo, hwaddr addr, size_t rom_size,
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_init(MachineState *machine)
         }
     }
 
+    if (machine->kernel_filename && bmc->soc.num_cpus > 1) {
+        /* With no u-boot we must set up a boot stub for the secondary CPU */
+        MemoryRegion *smpboot = g_new(MemoryRegion, 1);
+        memory_region_init_ram(smpboot, OBJECT(bmc), "aspeed.smpboot",
+                               0x80, &error_abort);
+        memory_region_add_subregion(get_system_memory(),
+                                    AST_SMP_MAILBOX_BASE, smpboot);
+
+        aspeed_board_binfo.write_secondary_boot = aspeed_write_smpboot;
+        aspeed_board_binfo.secondary_cpu_reset_hook = aspeed_reset_secondary;
+        aspeed_board_binfo.smp_loader_start = AST_SMP_MBOX_CODE;
+    }
+
     aspeed_board_binfo.ram_size = ram_size;
     aspeed_board_binfo.loader_start = sc->memmap[ASPEED_SDRAM];
     aspeed_board_binfo.nb_cpus = bmc->soc.num_cpus;
-- 
2.20.1

From: "Edgar E. Iglesias" <edgar.iglesias@xilinx.com>

Calling access_el3_aa32ns() works for AArch32 only cores
but it does not handle 32-bit EL2 on top of 64-bit EL3
for mixed 32/64-bit cores.

Merge access_el3_aa32ns_aa64any() into access_el3_aa32ns()
and only use the latter.

Fixes: 68e9c2fe65 ("target-arm: Add VTCR_EL2")
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Edgar E. Iglesias <edgar.iglesias@xilinx.com>
Message-id: 20200505141729.31930-2-edgar.iglesias@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 30 +++++++-----------------------
 1 file changed, 7 insertions(+), 23 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void init_cpreg_list(ARMCPU *cpu)
 }
 
 /*
- * Some registers are not accessible if EL3.NS=0 and EL3 is using AArch32 but
- * they are accessible when EL3 is using AArch64 regardless of EL3.NS.
- *
- * access_el3_aa32ns: Used to check AArch32 register views.
- * access_el3_aa32ns_aa64any: Used to check both AArch32/64 register views.
+ * Some registers are not accessible from AArch32 EL3 if SCR.NS == 0.
  */
 static CPAccessResult access_el3_aa32ns(CPUARMState *env,
                                         const ARMCPRegInfo *ri,
                                         bool isread)
 {
-    bool secure = arm_is_secure_below_el3(env);
-
-    assert(!arm_el_is_aa64(env, 3));
-    if (secure) {
+    if (!is_a64(env) && arm_current_el(env) == 3 &&
+        arm_is_secure_below_el3(env)) {
         return CP_ACCESS_TRAP_UNCATEGORIZED;
     }
     return CP_ACCESS_OK;
 }
 
-static CPAccessResult access_el3_aa32ns_aa64any(CPUARMState *env,
-                                                const ARMCPRegInfo *ri,
-                                                bool isread)
-{
-    if (!arm_el_is_aa64(env, 3)) {
-        return access_el3_aa32ns(env, ri, isread);
-    }
-    return CP_ACCESS_OK;
-}
-
 /* Some secure-only AArch32 registers trap to EL3 if used from
  * Secure EL1 (but are just ordinary UNDEF in other non-EL3 contexts).
  * Note that an access from Secure EL1 can only happen if EL3 is AArch64.
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "VTCR_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
-      .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
+      .access = PL2_RW, .accessfn = access_el3_aa32ns,
       .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
       .cp = 15, .opc1 = 6, .crm = 2,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
       .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "HPFAR_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
-      .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
+      .access = PL2_RW, .accessfn = access_el3_aa32ns,
       .type = ARM_CP_CONST, .resetvalue = 0 },
     { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH,
       .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             ARMCPRegInfo vpidr_regs[] = {
                 { .name = "VPIDR_EL2", .state = ARM_CP_STATE_BOTH,
                   .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
-                  .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
+                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
                   .type = ARM_CP_CONST, .resetvalue = cpu->midr,
                   .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
                 { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_BOTH,
                   .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
-                  .access = PL2_RW, .accessfn = access_el3_aa32ns_aa64any,
+                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
                   .type = ARM_CP_NO_RAW,
                   .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
                 REGINFO_SENTINEL
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

There are minimal differences from Qemu's point of view between the A0
and A1 silicon revisions.

As the A1 exercises different code paths in u-boot it is desirable to
emulate that instead.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andrew Jeffery <andrew@aj.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20200504093703.261135-1-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/misc/aspeed_scu.h |  1 +
 hw/arm/aspeed.c              |  8 ++++----
 hw/arm/aspeed_ast2600.c      |  6 +++---
 hw/misc/aspeed_scu.c         | 11 +++++------
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/include/hw/misc/aspeed_scu.h b/include/hw/misc/aspeed_scu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/misc/aspeed_scu.h
+++ b/include/hw/misc/aspeed_scu.h
@@ -XXX,XX +XXX,XX @@ typedef struct AspeedSCUState {
 #define AST2500_A0_SILICON_REV   0x04000303U
 #define AST2500_A1_SILICON_REV   0x04010303U
 #define AST2600_A0_SILICON_REV   0x05000303U
+#define AST2600_A1_SILICON_REV   0x05010303U
 
 #define ASPEED_IS_AST2500(si_rev)     ((((si_rev) >> 24) & 0xff) == 0x04)
 
diff --git a/hw/arm/aspeed.c b/hw/arm/aspeed.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed.c
+++ b/hw/arm/aspeed.c
@@ -XXX,XX +XXX,XX @@ struct AspeedBoardState {
 
 /* Tacoma hardware value */
 #define TACOMA_BMC_HW_STRAP1  0x00000000
-#define TACOMA_BMC_HW_STRAP2  0x00000000
+#define TACOMA_BMC_HW_STRAP2  0x00000040
 
 /*
  * The max ram region is for firmwares that scan the address space
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_ast2600_evb_class_init(ObjectClass *oc, void *data)
     AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
 
     mc->desc       = "Aspeed AST2600 EVB (Cortex A7)";
-    amc->soc_name  = "ast2600-a0";
+    amc->soc_name  = "ast2600-a1";
     amc->hw_strap1 = AST2600_EVB_HW_STRAP1;
     amc->hw_strap2 = AST2600_EVB_HW_STRAP2;
     amc->fmc_model = "w25q512jv";
@@ -XXX,XX +XXX,XX @@ static void aspeed_machine_tacoma_class_init(ObjectClass *oc, void *data)
     MachineClass *mc = MACHINE_CLASS(oc);
     AspeedMachineClass *amc = ASPEED_MACHINE_CLASS(oc);
 
-    mc->desc       = "Aspeed AST2600 EVB (Cortex A7)";
-    amc->soc_name  = "ast2600-a0";
+    mc->desc       = "OpenPOWER Tacoma BMC (Cortex A7)";
+    amc->soc_name  = "ast2600-a1";
     amc->hw_strap1 = TACOMA_BMC_HW_STRAP1;
     amc->hw_strap2 = TACOMA_BMC_HW_STRAP2;
     amc->fmc_model = "mx66l1g45g";
diff --git a/hw/arm/aspeed_ast2600.c b/hw/arm/aspeed_ast2600.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/aspeed_ast2600.c
+++ b/hw/arm/aspeed_ast2600.c
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_class_init(ObjectClass *oc, void *data)
 
     dc->realize      = aspeed_soc_ast2600_realize;
 
-    sc->name         = "ast2600-a0";
+    sc->name         = "ast2600-a1";
     sc->cpu_type     = ARM_CPU_TYPE_NAME("cortex-a7");
-    sc->silicon_rev  = AST2600_A0_SILICON_REV;
+    sc->silicon_rev  = AST2600_A1_SILICON_REV;
     sc->sram_size    = 0x10000;
     sc->spis_num     = 2;
     sc->ehcis_num    = 2;
@@ -XXX,XX +XXX,XX @@ static void aspeed_soc_ast2600_class_init(ObjectClass *oc, void *data)
 }
 
 static const TypeInfo aspeed_soc_ast2600_type_info = {
-    .name           = "ast2600-a0",
+    .name           = "ast2600-a1",
     .parent         = TYPE_ASPEED_SOC,
     .instance_size  = sizeof(AspeedSoCState),
     .instance_init  = aspeed_soc_ast2600_init,
diff --git a/hw/misc/aspeed_scu.c b/hw/misc/aspeed_scu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_scu.c
+++ b/hw/misc/aspeed_scu.c
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_silicon_revs[] = {
     AST2500_A0_SILICON_REV,
     AST2500_A1_SILICON_REV,
     AST2600_A0_SILICON_REV,
+    AST2600_A1_SILICON_REV,
 };
 
 bool is_supported_silicon_rev(uint32_t silicon_rev)
@@ -XXX,XX +XXX,XX @@ static const MemoryRegionOps aspeed_ast2600_scu_ops = {
     .valid.unaligned = false,
 };
 
-static const uint32_t ast2600_a0_resets[ASPEED_AST2600_SCU_NR_REGS] = {
-    [AST2600_SILICON_REV]       = AST2600_SILICON_REV,
-    [AST2600_SILICON_REV2]      = AST2600_SILICON_REV,
-    [AST2600_SYS_RST_CTRL]      = 0xF7CFFEDC | 0x100,
+static const uint32_t ast2600_a1_resets[ASPEED_AST2600_SCU_NR_REGS] = {
+    [AST2600_SYS_RST_CTRL]      = 0xF7C3FED8,
     [AST2600_SYS_RST_CTRL2]     = 0xFFFFFFFC,
-    [AST2600_CLK_STOP_CTRL]     = 0xEFF43E8B,
+    [AST2600_CLK_STOP_CTRL]     = 0xFFFF7F8A,
     [AST2600_CLK_STOP_CTRL2]    = 0xFFF0FFF0,
     [AST2600_SDRAM_HANDSHAKE]   = 0x00000040,  /* SoC completed DRAM init */
     [AST2600_HPLL_PARAM]        = 0x1000405F,
@@ -XXX,XX +XXX,XX @@ static void aspeed_2600_scu_class_init(ObjectClass *klass, void *data)
 
     dc->desc = "ASPEED 2600 System Control Unit";
     dc->reset = aspeed_ast2600_scu_reset;
-    asc->resets = ast2600_a0_resets;
+    asc->resets = ast2600_a1_resets;
     asc->calc_hpll = aspeed_2500_scu_calc_hpll; /* No change since AST2500 */
     asc->apb_divider = 4;
     asc->nr_regs = ASPEED_AST2600_SCU_NR_REGS;
-- 
2.20.1

From: Joel Stanley <joel@jms.id.au>

The AST2600 handles this differently with the extra 'hardlock' state, so
move the testing to the soc specific class' write callback.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20200505090136.341426-1-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/misc/aspeed_sdmc.c | 55 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 45 insertions(+), 10 deletions(-)

diff --git a/hw/misc/aspeed_sdmc.c b/hw/misc/aspeed_sdmc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/aspeed_sdmc.c
+++ b/hw/misc/aspeed_sdmc.c
@@ -XXX,XX +XXX,XX @@
 
 /* Protection Key Register */
 #define R_PROT            (0x00 / 4)
+#define   PROT_UNLOCKED      0x01
+#define   PROT_HARDLOCKED    0x10  /* AST2600 */
+#define   PROT_SOFTLOCKED    0x00
+
 #define   PROT_KEY_UNLOCK     0xFC600309
+#define   PROT_KEY_HARDLOCK   0xDEADDEAD /* AST2600 */
 
 /* Configuration Register */
 #define R_CONF            (0x04 / 4)
@@ -XXX,XX +XXX,XX @@ static void aspeed_sdmc_write(void *opaque, hwaddr addr, uint64_t data,
         return;
     }
 
-    if (addr == R_PROT) {
-        s->regs[addr] = (data == PROT_KEY_UNLOCK) ? 1 : 0;
-        return;
-    }
-
-    if (!s->regs[R_PROT]) {
-        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
-        return;
-    }
-
     asc->write(s, addr, data);
 }
 
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2400_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
 static void aspeed_2400_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                    uint32_t data)
 {
+    if (reg == R_PROT) {
+        s->regs[reg] = (data == PROT_KEY_UNLOCK) ? PROT_UNLOCKED : PROT_SOFTLOCKED;
+        return;
+    }
+
+    if (!s->regs[R_PROT]) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
+        return;
+    }
+
     switch (reg) {
     case R_CONF:
         data = aspeed_2400_sdmc_compute_conf(s, data);
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2500_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
 static void aspeed_2500_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                    uint32_t data)
 {
+    if (reg == R_PROT) {
+        s->regs[reg] = (data == PROT_KEY_UNLOCK) ? PROT_UNLOCKED : PROT_SOFTLOCKED;
+        return;
+    }
+
+    if (!s->regs[R_PROT]) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
+        return;
+    }
+
     switch (reg) {
     case R_CONF:
         data = aspeed_2500_sdmc_compute_conf(s, data);
@@ -XXX,XX +XXX,XX @@ static uint32_t aspeed_2600_sdmc_compute_conf(AspeedSDMCState *s, uint32_t data)
 static void aspeed_2600_sdmc_write(AspeedSDMCState *s, uint32_t reg,
                                    uint32_t data)
 {
+    if (s->regs[R_PROT] == PROT_HARDLOCKED) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked until system reset!\n",
+                __func__);
+        return;
+    }
+
+    if (reg != R_PROT && s->regs[R_PROT] == PROT_SOFTLOCKED) {
+        qemu_log_mask(LOG_GUEST_ERROR, "%s: SDMC is locked!\n", __func__);
+        return;
+    }
+
     switch (reg) {
+    case R_PROT:
+        if (data == PROT_KEY_UNLOCK)  {
+            data = PROT_UNLOCKED;
+        } else if (data == PROT_KEY_HARDLOCK) {
+            data = PROT_HARDLOCKED;
+        } else {
+            data = PROT_SOFTLOCKED;
+        }
+        break;
     case R_CONF:
         data = aspeed_2600_sdmc_compute_conf(s, data);
         break;
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

On the NRF51 series, all peripherals have a fixed I/O size
of 4KiB. Define NRF51_PERIPHERAL_SIZE and use it.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200504072822.18799-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/nrf51.h        | 3 +--
 include/hw/i2c/microbit_i2c.h | 2 +-
 hw/arm/nrf51_soc.c            | 4 ++--
 hw/i2c/microbit_i2c.c         | 2 +-
 hw/timer/nrf51_timer.c        | 2 +-
 5 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/include/hw/arm/nrf51.h b/include/hw/arm/nrf51.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/nrf51.h
+++ b/include/hw/arm/nrf51.h
@@ -XXX,XX +XXX,XX @@
 #define NRF51_IOMEM_BASE      0x40000000
 #define NRF51_IOMEM_SIZE      0x20000000
 
+#define NRF51_PERIPHERAL_SIZE 0x00001000
 #define NRF51_UART_BASE       0x40002000
 #define NRF51_TWI_BASE        0x40003000
-#define NRF51_TWI_SIZE        0x00001000
 #define NRF51_TIMER_BASE      0x40008000
-#define NRF51_TIMER_SIZE      0x00001000
 #define NRF51_RNG_BASE        0x4000D000
 #define NRF51_NVMC_BASE       0x4001E000
 #define NRF51_GPIO_BASE       0x50000000
diff --git a/include/hw/i2c/microbit_i2c.h b/include/hw/i2c/microbit_i2c.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/i2c/microbit_i2c.h
+++ b/include/hw/i2c/microbit_i2c.h
@@ -XXX,XX +XXX,XX @@
 #define MICROBIT_I2C(obj) \
     OBJECT_CHECK(MicrobitI2CState, (obj), TYPE_MICROBIT_I2C)
 
-#define MICROBIT_I2C_NREGS (NRF51_TWI_SIZE / sizeof(uint32_t))
+#define MICROBIT_I2C_NREGS (NRF51_PERIPHERAL_SIZE / sizeof(uint32_t))
 
 typedef struct {
     SysBusDevice parent_obj;
diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
             return;
         }
 
-        base_addr = NRF51_TIMER_BASE + i * NRF51_TIMER_SIZE;
+        base_addr = NRF51_TIMER_BASE + i * NRF51_PERIPHERAL_SIZE;
 
         sysbus_mmio_map(SYS_BUS_DEVICE(&s->timer[i]), 0, base_addr);
         sysbus_connect_irq(SYS_BUS_DEVICE(&s->timer[i]), 0,
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
 
     /* STUB Peripherals */
     memory_region_init_io(&s->clock, OBJECT(dev_soc), &clock_ops, NULL,
-                          "nrf51_soc.clock", 0x1000);
+                          "nrf51_soc.clock", NRF51_PERIPHERAL_SIZE);
     memory_region_add_subregion_overlap(&s->container,
                                         NRF51_IOMEM_BASE, &s->clock, -1);
 
diff --git a/hw/i2c/microbit_i2c.c b/hw/i2c/microbit_i2c.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/i2c/microbit_i2c.c
+++ b/hw/i2c/microbit_i2c.c
@@ -XXX,XX +XXX,XX @@ static void microbit_i2c_realize(DeviceState *dev, Error **errp)
     MicrobitI2CState *s = MICROBIT_I2C(dev);
 
     memory_region_init_io(&s->iomem, OBJECT(s), &microbit_i2c_ops, s,
-                          "microbit.twi", NRF51_TWI_SIZE);
+                          "microbit.twi", NRF51_PERIPHERAL_SIZE);
     sysbus_init_mmio(sbd, &s->iomem);
 }
 
diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/nrf51_timer.c
+++ b/hw/timer/nrf51_timer.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_init(Object *obj)
     SysBusDevice *sbd = SYS_BUS_DEVICE(obj);
 
     memory_region_init_io(&s->iomem, obj, &rng_ops, s,
-            TYPE_NRF51_TIMER, NRF51_TIMER_SIZE);
+                          TYPE_NRF51_TIMER, NRF51_PERIPHERAL_SIZE);
     sysbus_init_mmio(sbd, &s->iomem);
     sysbus_init_irq(sbd, &s->irq);
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

The NRF51 series SoC have 3 timer peripherals, each having
4 counters. To help differentiate which peripheral is accessed,
display the timer ID in the trace events.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200504072822.18799-4-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/timer/nrf51_timer.h |  1 +
 hw/arm/nrf51_soc.c             |  5 +++++
 hw/timer/nrf51_timer.c         | 11 +++++++++--
 hw/timer/trace-events          |  4 ++--
 4 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/include/hw/timer/nrf51_timer.h b/include/hw/timer/nrf51_timer.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/timer/nrf51_timer.h
+++ b/include/hw/timer/nrf51_timer.h
@@ -XXX,XX +XXX,XX @@ typedef struct NRF51TimerState {
     MemoryRegion iomem;
     qemu_irq irq;
 
+    uint8_t id;
     QEMUTimer timer;
     int64_t timer_start_ns;
     int64_t update_counter_ns;
diff --git a/hw/arm/nrf51_soc.c b/hw/arm/nrf51_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/nrf51_soc.c
+++ b/hw/arm/nrf51_soc.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_soc_realize(DeviceState *dev_soc, Error **errp)
 
     /* TIMER */
     for (i = 0; i < NRF51_NUM_TIMERS; i++) {
+        object_property_set_uint(OBJECT(&s->timer[i]), i, "id", &err);
+        if (err) {
+            error_propagate(errp, err);
+            return;
+        }
         object_property_set_bool(OBJECT(&s->timer[i]), true, "realized", &err);
         if (err) {
             error_propagate(errp, err);
diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/nrf51_timer.c
+++ b/hw/timer/nrf51_timer.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/arm/nrf51.h"
 #include "hw/irq.h"
 #include "hw/timer/nrf51_timer.h"
+#include "hw/qdev-properties.h"
 #include "migration/vmstate.h"
 #include "trace.h"
 
@@ -XXX,XX +XXX,XX @@ static uint64_t nrf51_timer_read(void *opaque, hwaddr offset, unsigned int size)
                       __func__, offset);
     }
 
-    trace_nrf51_timer_read(offset, r, size);
+    trace_nrf51_timer_read(s->id, offset, r, size);
 
     return r;
 }
@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_write(void *opaque, hwaddr offset,
     uint64_t now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL);
     size_t idx;
 
-    trace_nrf51_timer_write(offset, value, size);
+    trace_nrf51_timer_write(s->id, offset, value, size);
 
     switch (offset) {
     case NRF51_TIMER_TASK_START:
@@ -XXX,XX +XXX,XX @@ static const VMStateDescription vmstate_nrf51_timer = {
     }
 };
 
+static Property nrf51_timer_properties[] = {
+    DEFINE_PROP_UINT8("id", NRF51TimerState, id, 0),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
 static void nrf51_timer_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
 
     dc->reset = nrf51_timer_reset;
     dc->vmsd = &vmstate_nrf51_timer;
+    device_class_set_props(dc, nrf51_timer_properties);
 }
 
 static const TypeInfo nrf51_timer_info = {
diff --git a/hw/timer/trace-events b/hw/timer/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/trace-events
+++ b/hw/timer/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_write(uint64_t offset, uint64_t data, unsigned size) "CMSDK
 cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
 
 # nrf51_timer.c
-nrf51_timer_read(uint64_t addr, uint32_t value, unsigned size) "read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
-nrf51_timer_write(uint64_t addr, uint32_t value, unsigned size) "write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
+nrf51_timer_read(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
+nrf51_timer_write(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 
 # bcm2835_systmr.c
 bcm2835_systmr_irq(bool enable) "timer irq state %u"
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

Add trace event to display timer's counter value updates.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200504072822.18799-5-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/timer/nrf51_timer.c | 1 +
 hw/timer/trace-events  | 1 +
 2 files changed, 2 insertions(+)

diff --git a/hw/timer/nrf51_timer.c b/hw/timer/nrf51_timer.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/nrf51_timer.c
+++ b/hw/timer/nrf51_timer.c
@@ -XXX,XX +XXX,XX @@ static void nrf51_timer_write(void *opaque, hwaddr offset,
 
             idx = (offset - NRF51_TIMER_TASK_CAPTURE_0) / 4;
             s->cc[idx] = s->counter;
+            trace_nrf51_timer_set_count(s->id, idx, s->counter);
         }
         break;
     case NRF51_TIMER_EVENT_COMPARE_0 ... NRF51_TIMER_EVENT_COMPARE_3:
diff --git a/hw/timer/trace-events b/hw/timer/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/timer/trace-events
+++ b/hw/timer/trace-events
@@ -XXX,XX +XXX,XX @@ cmsdk_apb_dualtimer_reset(void) "CMSDK APB dualtimer: reset"
 # nrf51_timer.c
 nrf51_timer_read(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u read addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
 nrf51_timer_write(uint8_t timer_id, uint64_t addr, uint32_t value, unsigned size) "timer %u write addr 0x%" PRIx64 " data 0x%" PRIx32 " size %u"
+nrf51_timer_set_count(uint8_t timer_id, uint8_t counter_id, uint32_t value) "timer %u counter %u count 0x%" PRIx32
 
 # bcm2835_systmr.c
 bcm2835_systmr_irq(bool enable) "timer irq state %u"
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/core/cpu.h | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -XXX,XX +XXX,XX @@ int cpu_watchpoint_remove(CPUState *cpu, vaddr addr,
                           vaddr len, int flags);
 void cpu_watchpoint_remove_by_ref(CPUState *cpu, CPUWatchpoint *watchpoint);
 void cpu_watchpoint_remove_all(CPUState *cpu, int mask);
+
+/**
+ * cpu_check_watchpoint:
+ * @cpu: cpu context
+ * @addr: guest virtual address
+ * @len: access length
+ * @attrs: memory access attributes
+ * @flags: watchpoint access type
+ * @ra: unwind return address
+ *
+ * Check for a watchpoint hit in [addr, addr+len) of the type
+ * specified by @flags.  Exit via exception with a hit.
+ */
 void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
                           MemTxAttrs attrs, int flags, uintptr_t ra);
+
+/**
+ * cpu_watchpoint_address_matches:
+ * @cpu: cpu context
+ * @addr: guest virtual address
+ * @len: access length
+ *
+ * Return the watchpoint flags that apply to [addr, addr+len).
+ * If no watchpoint is registered for the range, the result is 0.
+ */
 int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len);
 #endif
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/exec-all.h | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ static inline void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *cpu,
 {
 }
 #endif
+/**
+ * probe_access:
+ * @env: CPUArchState
+ * @addr: guest virtual address to look up
+ * @size: size of the access
+ * @access_type: read, write or execute permission
+ * @mmu_idx: MMU index to use for lookup
+ * @retaddr: return address for unwinding
+ *
+ * Look up the guest virtual address @addr.  Raise an exception if the
+ * page does not satisfy @access_type.  Raise an exception if the
+ * access (@addr, @size) hits a watchpoint.  For writes, mark a clean
+ * page as dirty.
+ *
+ * Finally, return the host address for a page that is backed by RAM,
+ * or NULL if the page requires I/O.
+ */
 void *probe_access(CPUArchState *env, target_ulong addr, int size,
                    MMUAccessType access_type, int mmu_idx, uintptr_t retaddr);
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We have validated that addr+size does not cross a page boundary.
Therefore we need to validate exactly one page.  We can achieve
that passing any value 1 <= x <= size to page_check_range.

Passing 1 will simplify the next patch.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-5-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 accel/tcg/user-exec.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
         g_assert_not_reached();
     }
 
-    if (!guest_addr_valid(addr) || page_check_range(addr, size, flags) < 0) {
+    if (!guest_addr_valid(addr) || page_check_range(addr, 1, flags) < 0) {
         CPUState *cpu = env_cpu(env);
         CPUClass *cc = CPU_GET_CLASS(cpu);
         cc->tlb_fill(cpu, addr, size, access_type, MMU_USER_IDX, false,
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

This new interface will allow targets to probe for a page
and then handle watchpoints themselves.  This will be most
useful for vector predicated memory operations, where one
page lookup can be used for many operations, and one test
can avoid many watchpoint checks.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-6-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/exec/cpu-all.h  |  13 ++-
 include/exec/exec-all.h |  22 +++++
 accel/tcg/cputlb.c      | 177 ++++++++++++++++++++--------------------
 accel/tcg/user-exec.c   |  43 ++++++++--
 4 files changed, 158 insertions(+), 97 deletions(-)

diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-all.h
+++ b/include/exec/cpu-all.h
@@ -XXX,XX +XXX,XX @@ CPUArchState *cpu_copy(CPUArchState *env);
      | CPU_INTERRUPT_TGT_EXT_3   \
      | CPU_INTERRUPT_TGT_EXT_4)
 
-#if !defined(CONFIG_USER_ONLY)
+#ifdef CONFIG_USER_ONLY
+
+/*
+ * Allow some level of source compatibility with softmmu.  We do not
+ * support any of the more exotic features, so only invalid pages may
+ * be signaled by probe_access_flags().
+ */
+#define TLB_INVALID_MASK    (1 << (TARGET_PAGE_BITS_MIN - 1))
+#define TLB_MMIO            0
+#define TLB_WATCHPOINT      0
+
+#else
 
 /*
  * Flags stored in the low bits of the TLB virtual address.
diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ static inline void *probe_read(CPUArchState *env, target_ulong addr, int size,
     return probe_access(env, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
 }
 
+/**
+ * probe_access_flags:
+ * @env: CPUArchState
+ * @addr: guest virtual address to look up
+ * @access_type: read, write or execute permission
+ * @mmu_idx: MMU index to use for lookup
+ * @nonfault: suppress the fault
+ * @phost: return value for host address
+ * @retaddr: return address for unwinding
+ *
+ * Similar to probe_access, loosely returning the TLB_FLAGS_MASK for
+ * the page, and storing the host address for RAM in @phost.
+ *
+ * If @nonfault is set, do not raise an exception but return TLB_INVALID_MASK.
+ * Do not handle watchpoints, but include TLB_WATCHPOINT in the returned flags.
+ * Do handle clean pages, so exclude TLB_NOTDIRY from the returned flags.
+ * For simplicity, all "mmio-like" flags are folded to TLB_MMIO.
+ */
+int probe_access_flags(CPUArchState *env, target_ulong addr,
+                       MMUAccessType access_type, int mmu_idx,
+                       bool nonfault, void **phost, uintptr_t retaddr);
+
 #define CODE_GEN_ALIGN           16 /* must be >= of the size of a icache line */
 
 /* Estimated block size for TB allocation.  */
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
     }
 }
 
-/*
- * Probe for whether the specified guest access is permitted. If it is not
- * permitted then an exception will be taken in the same way as if this
- * were a real access (and we will not return).
- * If the size is 0 or the page requires I/O access, returns NULL; otherwise,
- * returns the address of the host page similar to tlb_vaddr_to_host().
- */
-void *probe_access(CPUArchState *env, target_ulong addr, int size,
-                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
+static int probe_access_internal(CPUArchState *env, target_ulong addr,
+                                 int fault_size, MMUAccessType access_type,
+                                 int mmu_idx, bool nonfault,
+                                 void **phost, uintptr_t retaddr)
 {
     uintptr_t index = tlb_index(env, mmu_idx, addr);
     CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    target_ulong tlb_addr;
-    size_t elt_ofs;
-    int wp_access;
-
-    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
-
-    switch (access_type) {
-    case MMU_DATA_LOAD:
-        elt_ofs = offsetof(CPUTLBEntry, addr_read);
-        wp_access = BP_MEM_READ;
-        break;
-    case MMU_DATA_STORE:
-        elt_ofs = offsetof(CPUTLBEntry, addr_write);
-        wp_access = BP_MEM_WRITE;
-        break;
-    case MMU_INST_FETCH:
-        elt_ofs = offsetof(CPUTLBEntry, addr_code);
-        wp_access = BP_MEM_READ;
-        break;
-    default:
-        g_assert_not_reached();
-    }
-    tlb_addr = tlb_read_ofs(entry, elt_ofs);
-
-    if (unlikely(!tlb_hit(tlb_addr, addr))) {
-        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs,
-                            addr & TARGET_PAGE_MASK)) {
-            tlb_fill(env_cpu(env), addr, size, access_type, mmu_idx, retaddr);
-            /* TLB resize via tlb_fill may have moved the entry. */
-            index = tlb_index(env, mmu_idx, addr);
-            entry = tlb_entry(env, mmu_idx, addr);
-        }
-        tlb_addr = tlb_read_ofs(entry, elt_ofs);
-    }
-
-    if (!size) {
-        return NULL;
-    }
-
-    if (unlikely(tlb_addr & TLB_FLAGS_MASK)) {
-        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
-
-        /* Reject I/O access, or other required slow-path.  */
-        if (tlb_addr & (TLB_MMIO | TLB_BSWAP | TLB_DISCARD_WRITE)) {
-            return NULL;
-        }
-
-        /* Handle watchpoints.  */
-        if (tlb_addr & TLB_WATCHPOINT) {
-            cpu_check_watchpoint(env_cpu(env), addr, size,
-                                 iotlbentry->attrs, wp_access, retaddr);
-        }
-
-        /* Handle clean RAM pages.  */
-        if (tlb_addr & TLB_NOTDIRTY) {
-            notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr);
-        }
-    }
-
-    return (void *)((uintptr_t)addr + entry->addend);
-}
-
-void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
-                        MMUAccessType access_type, int mmu_idx)
-{
-    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    target_ulong tlb_addr, page;
+    target_ulong tlb_addr, page_addr;
     size_t elt_ofs;
+    int flags;
 
     switch (access_type) {
     case MMU_DATA_LOAD:
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
     default:
         g_assert_not_reached();
     }
-
-    page = addr & TARGET_PAGE_MASK;
     tlb_addr = tlb_read_ofs(entry, elt_ofs);
 
-    if (!tlb_hit_page(tlb_addr, page)) {
-        uintptr_t index = tlb_index(env, mmu_idx, addr);
-
-        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page)) {
+    page_addr = addr & TARGET_PAGE_MASK;
+    if (!tlb_hit_page(tlb_addr, page_addr)) {
+        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) {
             CPUState *cs = env_cpu(env);
             CPUClass *cc = CPU_GET_CLASS(cs);
 
-            if (!cc->tlb_fill(cs, addr, 0, access_type, mmu_idx, true, 0)) {
+            if (!cc->tlb_fill(cs, addr, fault_size, access_type,
+                              mmu_idx, nonfault, retaddr)) {
                 /* Non-faulting page table read failed.  */
-                return NULL;
+                *phost = NULL;
+                return TLB_INVALID_MASK;
             }
 
             /* TLB resize via tlb_fill may have moved the entry.  */
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
         }
         tlb_addr = tlb_read_ofs(entry, elt_ofs);
     }
+    flags = tlb_addr & TLB_FLAGS_MASK;
 
-    if (tlb_addr & ~TARGET_PAGE_MASK) {
-        /* IO access */
+    /* Fold all "mmio-like" bits into TLB_MMIO.  This is not RAM.  */
+    if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY))) {
+        *phost = NULL;
+        return TLB_MMIO;
+    }
+
+    /* Everything else is RAM. */
+    *phost = (void *)((uintptr_t)addr + entry->addend);
+    return flags;
+}
+
+int probe_access_flags(CPUArchState *env, target_ulong addr,
+                       MMUAccessType access_type, int mmu_idx,
+                       bool nonfault, void **phost, uintptr_t retaddr)
+{
+    int flags;
+
+    flags = probe_access_internal(env, addr, 0, access_type, mmu_idx,
+                                  nonfault, phost, retaddr);
+
+    /* Handle clean RAM pages.  */
+    if (unlikely(flags & TLB_NOTDIRTY)) {
+        uintptr_t index = tlb_index(env, mmu_idx, addr);
+        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
+
+        notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
+        flags &= ~TLB_NOTDIRTY;
+    }
+
+    return flags;
+}
+
+void *probe_access(CPUArchState *env, target_ulong addr, int size,
+                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
+{
+    void *host;
+    int flags;
+
+    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
+
+    flags = probe_access_internal(env, addr, size, access_type, mmu_idx,
+                                  false, &host, retaddr);
+
+    /* Per the interface, size == 0 merely faults the access. */
+    if (size == 0) {
         return NULL;
     }
 
-    return (void *)((uintptr_t)addr + entry->addend);
+    if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) {
+        uintptr_t index = tlb_index(env, mmu_idx, addr);
+        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
+
+        /* Handle watchpoints.  */
+        if (flags & TLB_WATCHPOINT) {
+            int wp_access = (access_type == MMU_DATA_STORE
+                             ? BP_MEM_WRITE : BP_MEM_READ);
+            cpu_check_watchpoint(env_cpu(env), addr, size,
+                                 iotlbentry->attrs, wp_access, retaddr);
+        }
+
+        /* Handle clean RAM pages.  */
+        if (flags & TLB_NOTDIRTY) {
+            notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
+        }
+    }
+
+    return host;
 }
 
+void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
+                        MMUAccessType access_type, int mmu_idx)
+{
+    void *host;
+    int flags;
+
+    flags = probe_access_internal(env, addr, 0, access_type,
+                                  mmu_idx, true, &host, 0);
+
+    /* No combination of flags are expected by the caller. */
+    return flags ? NULL : host;
+}
 
 #ifdef CONFIG_PLUGIN
 /*
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
     g_assert_not_reached();
 }
 
-void *probe_access(CPUArchState *env, target_ulong addr, int size,
-                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
+static int probe_access_internal(CPUArchState *env, target_ulong addr,
+                                 int fault_size, MMUAccessType access_type,
+                                 bool nonfault, uintptr_t ra)
 {
     int flags;
 
-    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
-
     switch (access_type) {
     case MMU_DATA_STORE:
         flags = PAGE_WRITE;
@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
     }
 
     if (!guest_addr_valid(addr) || page_check_range(addr, 1, flags) < 0) {
-        CPUState *cpu = env_cpu(env);
-        CPUClass *cc = CPU_GET_CLASS(cpu);
-        cc->tlb_fill(cpu, addr, size, access_type, MMU_USER_IDX, false,
-                     retaddr);
-        g_assert_not_reached();
+        if (nonfault) {
+            return TLB_INVALID_MASK;
+        } else {
+            CPUState *cpu = env_cpu(env);
+            CPUClass *cc = CPU_GET_CLASS(cpu);
+            cc->tlb_fill(cpu, addr, fault_size, access_type,
+                         MMU_USER_IDX, false, ra);
+            g_assert_not_reached();
+        }
     }
+    return 0;
+}
+
+int probe_access_flags(CPUArchState *env, target_ulong addr,
+                       MMUAccessType access_type, int mmu_idx,
+                       bool nonfault, void **phost, uintptr_t ra)
+{
+    int flags;
+
+    flags = probe_access_internal(env, addr, 0, access_type, nonfault, ra);
+    *phost = flags ? NULL : g2h(addr);
+    return flags;
+}
+
+void *probe_access(CPUArchState *env, target_ulong addr, int size,
+                   MMUAccessType access_type, int mmu_idx, uintptr_t ra)
+{
+    int flags;
+
+    g_assert(-(addr | TARGET_PAGE_MASK) >= size);
+    flags = probe_access_internal(env, addr, size, access_type, false, ra);
+    g_assert(flags == 0);
 
     return size ? g2h(addr) : NULL;
 }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

We currently have target-endian versions of these operations,
but no easy way to force a specific endianness.  This can be
helpful if the target has endian-specific operations, or a mode
that swaps endianness.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/devel/loads-stores.rst |  39 +++--
 include/exec/cpu_ldst.h     | 283 +++++++++++++++++++++++++++---------
 accel/tcg/cputlb.c          | 236 ++++++++++++++++++++++--------
 accel/tcg/user-exec.c       | 211 ++++++++++++++++++++++-----
 4 files changed, 587 insertions(+), 182 deletions(-)

diff --git a/docs/devel/loads-stores.rst b/docs/devel/loads-stores.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/devel/loads-stores.rst
+++ b/docs/devel/loads-stores.rst
@@ -XXX,XX +XXX,XX @@ function, which is a return address into the generated code.
 
 Function names follow the pattern:
 
-load: ``cpu_ld{sign}{size}_mmuidx_ra(env, ptr, mmuidx, retaddr)``
+load: ``cpu_ld{sign}{size}{end}_mmuidx_ra(env, ptr, mmuidx, retaddr)``
 
-store: ``cpu_st{size}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
+store: ``cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
 
 ``sign``
  - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_mmuidx_ra(env, ptr, val, mmuidx, retaddr)``
  - ``l`` : 32 bits
  - ``q`` : 64 bits
 
+``end``
+ - (empty) : for target endian, or 8 bit sizes
+ - ``_be`` : big endian
+ - ``_le`` : little endian
+
 Regexes for git grep:
- - ``\<cpu_ld[us]\?[bwlq]_mmuidx_ra\>``
- - ``\<cpu_st[bwlq]_mmuidx_ra\>``
+ - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_mmuidx_ra\>``
+ - ``\<cpu_st[bwlq](_[bl]e)\?_mmuidx_ra\>``
 
 ``cpu_{ld,st}*_data_ra``
 ~~~~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ be performed with a context other than the default.
 
 Function names follow the pattern:
 
-load: ``cpu_ld{sign}{size}_data_ra(env, ptr, ra)``
+load: ``cpu_ld{sign}{size}{end}_data_ra(env, ptr, ra)``
 
-store: ``cpu_st{size}_data_ra(env, ptr, val, ra)``
+store: ``cpu_st{size}{end}_data_ra(env, ptr, val, ra)``
 
 ``sign``
  - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_data_ra(env, ptr, val, ra)``
  - ``l`` : 32 bits
  - ``q`` : 64 bits
 
+``end``
+ - (empty) : for target endian, or 8 bit sizes
+ - ``_be`` : big endian
+ - ``_le`` : little endian
+
 Regexes for git grep:
- - ``\<cpu_ld[us]\?[bwlq]_data_ra\>``
- - ``\<cpu_st[bwlq]_data_ra\>``
+ - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data_ra\>``
+ - ``\<cpu_st[bwlq](_[bl]e)\?_data_ra\>``
 
 ``cpu_{ld,st}*_data``
 ~~~~~~~~~~~~~~~~~~~~~
@@ -XXX,XX +XXX,XX @@ the CPU state anyway.
 
 Function names follow the pattern:
 
-load: ``cpu_ld{sign}{size}_data(env, ptr)``
+load: ``cpu_ld{sign}{size}{end}_data(env, ptr)``
 
-store: ``cpu_st{size}_data(env, ptr, val)``
+store: ``cpu_st{size}{end}_data(env, ptr, val)``
 
 ``sign``
  - (empty) : for 32 or 64 bit sizes
@@ -XXX,XX +XXX,XX @@ store: ``cpu_st{size}_data(env, ptr, val)``
  - ``l`` : 32 bits
  - ``q`` : 64 bits
 
+``end``
+ - (empty) : for target endian, or 8 bit sizes
+ - ``_be`` : big endian
+ - ``_le`` : little endian
+
 Regexes for git grep
- - ``\<cpu_ld[us]\?[bwlq]_data\>``
- - ``\<cpu_st[bwlq]_data\+\>``
+ - ``\<cpu_ld[us]\?[bwlq](_[bl]e)\?_data\>``
+ - ``\<cpu_st[bwlq](_[bl]e)\?_data\+\>``
 
 ``cpu_ld*_code``
 ~~~~~~~~~~~~~~~~
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@
  *
  * The syntax for the accessors is:
  *
- * load:  cpu_ld{sign}{size}_{mmusuffix}(env, ptr)
- *        cpu_ld{sign}{size}_{mmusuffix}_ra(env, ptr, retaddr)
- *        cpu_ld{sign}{size}_mmuidx_ra(env, ptr, mmu_idx, retaddr)
+ * load:  cpu_ld{sign}{size}{end}_{mmusuffix}(env, ptr)
+ *        cpu_ld{sign}{size}{end}_{mmusuffix}_ra(env, ptr, retaddr)
+ *        cpu_ld{sign}{size}{end}_mmuidx_ra(env, ptr, mmu_idx, retaddr)
  *
- * store: cpu_st{size}_{mmusuffix}(env, ptr, val)
- *        cpu_st{size}_{mmusuffix}_ra(env, ptr, val, retaddr)
- *        cpu_st{size}_mmuidx_ra(env, ptr, val, mmu_idx, retaddr)
+ * store: cpu_st{size}{end}_{mmusuffix}(env, ptr, val)
+ *        cpu_st{size}{end}_{mmusuffix}_ra(env, ptr, val, retaddr)
+ *        cpu_st{size}{end}_mmuidx_ra(env, ptr, val, mmu_idx, retaddr)
  *
  * sign is:
  * (empty): for 32 and 64 bit sizes
@@ -XXX,XX +XXX,XX @@
  *   l: 32 bits
  *   q: 64 bits
  *
+ * end is:
+ * (empty): for target native endian, or for 8 bit access
+ *     _be: for forced big endian
+ *     _le: for forced little endian
+ *
  * mmusuffix is one of the generic suffixes "data" or "code", or "mmuidx".
  * The "mmuidx" suffix carries an extra mmu_idx argument that specifies
  * the index to use; the "data" and "code" suffixes take the index from
@@ -XXX,XX +XXX,XX @@ typedef target_ulong abi_ptr;
 #endif
 
 uint32_t cpu_ldub_data(CPUArchState *env, abi_ptr ptr);
-uint32_t cpu_lduw_data(CPUArchState *env, abi_ptr ptr);
-uint32_t cpu_ldl_data(CPUArchState *env, abi_ptr ptr);
-uint64_t cpu_ldq_data(CPUArchState *env, abi_ptr ptr);
 int cpu_ldsb_data(CPUArchState *env, abi_ptr ptr);
-int cpu_ldsw_data(CPUArchState *env, abi_ptr ptr);
 
-uint32_t cpu_ldub_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
-uint32_t cpu_lduw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
-uint32_t cpu_ldl_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
-uint64_t cpu_ldq_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
-int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
-int cpu_ldsw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr);
+uint32_t cpu_lduw_be_data(CPUArchState *env, abi_ptr ptr);
+int cpu_ldsw_be_data(CPUArchState *env, abi_ptr ptr);
+uint32_t cpu_ldl_be_data(CPUArchState *env, abi_ptr ptr);
+uint64_t cpu_ldq_be_data(CPUArchState *env, abi_ptr ptr);
+
+uint32_t cpu_lduw_le_data(CPUArchState *env, abi_ptr ptr);
+int cpu_ldsw_le_data(CPUArchState *env, abi_ptr ptr);
+uint32_t cpu_ldl_le_data(CPUArchState *env, abi_ptr ptr);
+uint64_t cpu_ldq_le_data(CPUArchState *env, abi_ptr ptr);
+
+uint32_t cpu_ldub_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+
+uint32_t cpu_lduw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+int cpu_ldsw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+uint32_t cpu_ldl_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+uint64_t cpu_ldq_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+
+uint32_t cpu_lduw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+int cpu_ldsw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+uint32_t cpu_ldl_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
+uint64_t cpu_ldq_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t ra);
 
 void cpu_stb_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
-void cpu_stw_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
-void cpu_stl_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
-void cpu_stq_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
+
+void cpu_stw_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
+void cpu_stl_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
+void cpu_stq_be_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
+
+void cpu_stw_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
+void cpu_stl_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val);
+void cpu_stq_le_data(CPUArchState *env, abi_ptr ptr, uint64_t val);
 
 void cpu_stb_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint32_t val, uintptr_t retaddr);
-void cpu_stw_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint32_t val, uintptr_t retaddr);
-void cpu_stl_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint32_t val, uintptr_t retaddr);
-void cpu_stq_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint64_t val, uintptr_t retaddr);
+                     uint32_t val, uintptr_t ra);
+
+void cpu_stw_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t ra);
+void cpu_stl_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t ra);
+void cpu_stq_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint64_t val, uintptr_t ra);
+
+void cpu_stw_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t ra);
+void cpu_stl_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t ra);
+void cpu_stq_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint64_t val, uintptr_t ra);
 
 #if defined(CONFIG_USER_ONLY)
 
@@ -XXX,XX +XXX,XX @@ static inline uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
     return cpu_ldub_data_ra(env, addr, ra);
 }
 
-static inline uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                          int mmu_idx, uintptr_t ra)
-{
-    return cpu_lduw_data_ra(env, addr, ra);
-}
-
-static inline uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                         int mmu_idx, uintptr_t ra)
-{
-    return cpu_ldl_data_ra(env, addr, ra);
-}
-
-static inline uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                         int mmu_idx, uintptr_t ra)
-{
-    return cpu_ldq_data_ra(env, addr, ra);
-}
-
 static inline int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                                      int mmu_idx, uintptr_t ra)
 {
     return cpu_ldsb_data_ra(env, addr, ra);
 }
 
-static inline int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                     int mmu_idx, uintptr_t ra)
+static inline uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                             int mmu_idx, uintptr_t ra)
 {
-    return cpu_ldsw_data_ra(env, addr, ra);
+    return cpu_lduw_be_data_ra(env, addr, ra);
+}
+
+static inline int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldsw_be_data_ra(env, addr, ra);
+}
+
+static inline uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                            int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldl_be_data_ra(env, addr, ra);
+}
+
+static inline uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                            int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldq_be_data_ra(env, addr, ra);
+}
+
+static inline uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                             int mmu_idx, uintptr_t ra)
+{
+    return cpu_lduw_le_data_ra(env, addr, ra);
+}
+
+static inline int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldsw_le_data_ra(env, addr, ra);
+}
+
+static inline uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                            int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldl_le_data_ra(env, addr, ra);
+}
+
+static inline uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                            int mmu_idx, uintptr_t ra)
+{
+    return cpu_ldq_le_data_ra(env, addr, ra);
 }
 
 static inline void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
@@ -XXX,XX +XXX,XX @@ static inline void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
     cpu_stb_data_ra(env, addr, val, ra);
 }
 
-static inline void cpu_stw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                     uint32_t val, int mmu_idx, uintptr_t ra)
+static inline void cpu_stw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint32_t val, int mmu_idx,
+                                        uintptr_t ra)
 {
-    cpu_stw_data_ra(env, addr, val, ra);
+    cpu_stw_be_data_ra(env, addr, val, ra);
 }
 
-static inline void cpu_stl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                     uint32_t val, int mmu_idx, uintptr_t ra)
+static inline void cpu_stl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint32_t val, int mmu_idx,
+                                        uintptr_t ra)
 {
-    cpu_stl_data_ra(env, addr, val, ra);
+    cpu_stl_be_data_ra(env, addr, val, ra);
 }
 
-static inline void cpu_stq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                                     uint64_t val, int mmu_idx, uintptr_t ra)
+static inline void cpu_stq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint64_t val, int mmu_idx,
+                                        uintptr_t ra)
 {
-    cpu_stq_data_ra(env, addr, val, ra);
+    cpu_stq_be_data_ra(env, addr, val, ra);
+}
+
+static inline void cpu_stw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint32_t val, int mmu_idx,
+                                        uintptr_t ra)
+{
+    cpu_stw_le_data_ra(env, addr, val, ra);
+}
+
+static inline void cpu_stl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint32_t val, int mmu_idx,
+                                        uintptr_t ra)
+{
+    cpu_stl_le_data_ra(env, addr, val, ra);
+}
+
+static inline void cpu_stq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                                        uint64_t val, int mmu_idx,
+                                        uintptr_t ra)
+{
+    cpu_stq_le_data_ra(env, addr, val, ra);
 }
 
 #else
@@ -XXX,XX +XXX,XX @@ static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
 
 uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                             int mmu_idx, uintptr_t ra);
-uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                            int mmu_idx, uintptr_t ra);
-uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                           int mmu_idx, uintptr_t ra);
-uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                           int mmu_idx, uintptr_t ra);
-
 int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                        int mmu_idx, uintptr_t ra);
-int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                       int mmu_idx, uintptr_t ra);
+
+uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                               int mmu_idx, uintptr_t ra);
+int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                          int mmu_idx, uintptr_t ra);
+uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra);
+uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra);
+
+uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                               int mmu_idx, uintptr_t ra);
+int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                          int mmu_idx, uintptr_t ra);
+uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra);
+uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra);
 
 void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                        int mmu_idx, uintptr_t retaddr);
-void cpu_stw_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
-                       int mmu_idx, uintptr_t retaddr);
-void cpu_stl_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
-                       int mmu_idx, uintptr_t retaddr);
-void cpu_stq_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
-                       int mmu_idx, uintptr_t retaddr);
+
+void cpu_stw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr);
+void cpu_stl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr);
+void cpu_stq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
+                          int mmu_idx, uintptr_t retaddr);
+
+void cpu_stw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr);
+void cpu_stl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr);
+void cpu_stq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
+                          int mmu_idx, uintptr_t retaddr);
 
 #endif /* defined(CONFIG_USER_ONLY) */
 
+#ifdef TARGET_WORDS_BIGENDIAN
+# define cpu_lduw_data        cpu_lduw_be_data
+# define cpu_ldsw_data        cpu_ldsw_be_data
+# define cpu_ldl_data         cpu_ldl_be_data
+# define cpu_ldq_data         cpu_ldq_be_data
+# define cpu_lduw_data_ra     cpu_lduw_be_data_ra
+# define cpu_ldsw_data_ra     cpu_ldsw_be_data_ra
+# define cpu_ldl_data_ra      cpu_ldl_be_data_ra
+# define cpu_ldq_data_ra      cpu_ldq_be_data_ra
+# define cpu_lduw_mmuidx_ra   cpu_lduw_be_mmuidx_ra
+# define cpu_ldsw_mmuidx_ra   cpu_ldsw_be_mmuidx_ra
+# define cpu_ldl_mmuidx_ra    cpu_ldl_be_mmuidx_ra
+# define cpu_ldq_mmuidx_ra    cpu_ldq_be_mmuidx_ra
+# define cpu_stw_data         cpu_stw_be_data
+# define cpu_stl_data         cpu_stl_be_data
+# define cpu_stq_data         cpu_stq_be_data
+# define cpu_stw_data_ra      cpu_stw_be_data_ra
+# define cpu_stl_data_ra      cpu_stl_be_data_ra
+# define cpu_stq_data_ra      cpu_stq_be_data_ra
+# define cpu_stw_mmuidx_ra    cpu_stw_be_mmuidx_ra
+# define cpu_stl_mmuidx_ra    cpu_stl_be_mmuidx_ra
+# define cpu_stq_mmuidx_ra    cpu_stq_be_mmuidx_ra
+#else
+# define cpu_lduw_data        cpu_lduw_le_data
+# define cpu_ldsw_data        cpu_ldsw_le_data
+# define cpu_ldl_data         cpu_ldl_le_data
+# define cpu_ldq_data         cpu_ldq_le_data
+# define cpu_lduw_data_ra     cpu_lduw_le_data_ra
+# define cpu_ldsw_data_ra     cpu_ldsw_le_data_ra
+# define cpu_ldl_data_ra      cpu_ldl_le_data_ra
+# define cpu_ldq_data_ra      cpu_ldq_le_data_ra
+# define cpu_lduw_mmuidx_ra   cpu_lduw_le_mmuidx_ra
+# define cpu_ldsw_mmuidx_ra   cpu_ldsw_le_mmuidx_ra
+# define cpu_ldl_mmuidx_ra    cpu_ldl_le_mmuidx_ra
+# define cpu_ldq_mmuidx_ra    cpu_ldq_le_mmuidx_ra
+# define cpu_stw_data         cpu_stw_le_data
+# define cpu_stl_data         cpu_stl_le_data
+# define cpu_stq_data         cpu_stq_le_data
+# define cpu_stw_data_ra      cpu_stw_le_data_ra
+# define cpu_stl_data_ra      cpu_stl_le_data_ra
+# define cpu_stq_data_ra      cpu_stq_le_data_ra
+# define cpu_stw_mmuidx_ra    cpu_stw_le_mmuidx_ra
+# define cpu_stl_mmuidx_ra    cpu_stl_le_mmuidx_ra
+# define cpu_stq_mmuidx_ra    cpu_stq_le_mmuidx_ra
+#endif
+
 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr);
 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr);
 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                                    full_ldub_mmu);
 }
 
-uint32_t cpu_lduw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                            int mmu_idx, uintptr_t ra)
+uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                               int mmu_idx, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEUW,
-                           MO_TE == MO_LE
-                           ? full_le_lduw_mmu : full_be_lduw_mmu);
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUW, full_be_lduw_mmu);
 }
 
-int cpu_ldsw_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                       int mmu_idx, uintptr_t ra)
+int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                          int mmu_idx, uintptr_t ra)
 {
-    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_TESW,
-                                    MO_TE == MO_LE
-                                    ? full_le_lduw_mmu : full_be_lduw_mmu);
+    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_BESW,
+                                    full_be_lduw_mmu);
 }
 
-uint32_t cpu_ldl_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                           int mmu_idx, uintptr_t ra)
+uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEUL,
-                           MO_TE == MO_LE
-                           ? full_le_ldul_mmu : full_be_ldul_mmu);
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUL, full_be_ldul_mmu);
 }
 
-uint64_t cpu_ldq_mmuidx_ra(CPUArchState *env, abi_ptr addr,
-                           int mmu_idx, uintptr_t ra)
+uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, mmu_idx, ra, MO_TEQ,
-                           MO_TE == MO_LE
-                           ? helper_le_ldq_mmu : helper_be_ldq_mmu);
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEQ, helper_be_ldq_mmu);
+}
+
+uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                               int mmu_idx, uintptr_t ra)
+{
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUW, full_le_lduw_mmu);
+}
+
+int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                          int mmu_idx, uintptr_t ra)
+{
+    return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_LESW,
+                                    full_le_lduw_mmu);
+}
+
+uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra)
+{
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUL, full_le_ldul_mmu);
+}
+
+uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
+                              int mmu_idx, uintptr_t ra)
+{
+    return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEQ, helper_le_ldq_mmu);
 }
 
 uint32_t cpu_ldub_data_ra(CPUArchState *env, target_ulong ptr,
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
     return cpu_ldsb_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 }
 
-uint32_t cpu_lduw_data_ra(CPUArchState *env, target_ulong ptr,
-                          uintptr_t retaddr)
+uint32_t cpu_lduw_be_data_ra(CPUArchState *env, target_ulong ptr,
+                             uintptr_t retaddr)
 {
-    return cpu_lduw_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+    return cpu_lduw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 }
 
-int cpu_ldsw_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
+int cpu_ldsw_be_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
 {
-    return cpu_ldsw_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+    return cpu_ldsw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 }
 
-uint32_t cpu_ldl_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
+uint32_t cpu_ldl_be_data_ra(CPUArchState *env, target_ulong ptr,
+                            uintptr_t retaddr)
 {
-    return cpu_ldl_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+    return cpu_ldl_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 }
 
-uint64_t cpu_ldq_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
+uint64_t cpu_ldq_be_data_ra(CPUArchState *env, target_ulong ptr,
+                            uintptr_t retaddr)
 {
-    return cpu_ldq_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+    return cpu_ldq_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+}
+
+uint32_t cpu_lduw_le_data_ra(CPUArchState *env, target_ulong ptr,
+                             uintptr_t retaddr)
+{
+    return cpu_lduw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+}
+
+int cpu_ldsw_le_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
+{
+    return cpu_ldsw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+}
+
+uint32_t cpu_ldl_le_data_ra(CPUArchState *env, target_ulong ptr,
+                            uintptr_t retaddr)
+{
+    return cpu_ldl_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
+}
+
+uint64_t cpu_ldq_le_data_ra(CPUArchState *env, target_ulong ptr,
+                            uintptr_t retaddr)
+{
+    return cpu_ldq_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
 }
 
 uint32_t cpu_ldub_data(CPUArchState *env, target_ulong ptr)
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data(CPUArchState *env, target_ulong ptr)
     return cpu_ldsb_data_ra(env, ptr, 0);
 }
 
-uint32_t cpu_lduw_data(CPUArchState *env, target_ulong ptr)
+uint32_t cpu_lduw_be_data(CPUArchState *env, target_ulong ptr)
 {
-    return cpu_lduw_data_ra(env, ptr, 0);
+    return cpu_lduw_be_data_ra(env, ptr, 0);
 }
 
-int cpu_ldsw_data(CPUArchState *env, target_ulong ptr)
+int cpu_ldsw_be_data(CPUArchState *env, target_ulong ptr)
 {
-    return cpu_ldsw_data_ra(env, ptr, 0);
+    return cpu_ldsw_be_data_ra(env, ptr, 0);
 }
 
-uint32_t cpu_ldl_data(CPUArchState *env, target_ulong ptr)
+uint32_t cpu_ldl_be_data(CPUArchState *env, target_ulong ptr)
 {
-    return cpu_ldl_data_ra(env, ptr, 0);
+    return cpu_ldl_be_data_ra(env, ptr, 0);
 }
 
-uint64_t cpu_ldq_data(CPUArchState *env, target_ulong ptr)
+uint64_t cpu_ldq_be_data(CPUArchState *env, target_ulong ptr)
 {
-    return cpu_ldq_data_ra(env, ptr, 0);
+    return cpu_ldq_be_data_ra(env, ptr, 0);
+}
+
+uint32_t cpu_lduw_le_data(CPUArchState *env, target_ulong ptr)
+{
+    return cpu_lduw_le_data_ra(env, ptr, 0);
+}
+
+int cpu_ldsw_le_data(CPUArchState *env, target_ulong ptr)
+{
+    return cpu_ldsw_le_data_ra(env, ptr, 0);
+}
+
+uint32_t cpu_ldl_le_data(CPUArchState *env, target_ulong ptr)
+{
+    return cpu_ldl_le_data_ra(env, ptr, 0);
+}
+
+uint64_t cpu_ldq_le_data(CPUArchState *env, target_ulong ptr)
+{
+    return cpu_ldq_le_data_ra(env, ptr, 0);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ void cpu_stb_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
     cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_UB);
 }
 
-void cpu_stw_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
-                       int mmu_idx, uintptr_t retaddr)
+void cpu_stw_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEUW);
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUW);
 }
 
-void cpu_stl_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
-                       int mmu_idx, uintptr_t retaddr)
+void cpu_stl_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEUL);
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUL);
 }
 
-void cpu_stq_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
-                       int mmu_idx, uintptr_t retaddr)
+void cpu_stq_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
+                          int mmu_idx, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_TEQ);
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEQ);
+}
+
+void cpu_stw_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr)
+{
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUW);
+}
+
+void cpu_stl_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
+                          int mmu_idx, uintptr_t retaddr)
+{
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUL);
+}
+
+void cpu_stq_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
+                          int mmu_idx, uintptr_t retaddr)
+{
+    cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEQ);
 }
 
 void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr,
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr,
     cpu_stb_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 }
 
-void cpu_stw_data_ra(CPUArchState *env, target_ulong ptr,
-                     uint32_t val, uintptr_t retaddr)
+void cpu_stw_be_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint32_t val, uintptr_t retaddr)
 {
-    cpu_stw_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+    cpu_stw_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 }
 
-void cpu_stl_data_ra(CPUArchState *env, target_ulong ptr,
-                     uint32_t val, uintptr_t retaddr)
+void cpu_stl_be_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint32_t val, uintptr_t retaddr)
 {
-    cpu_stl_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+    cpu_stl_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 }
 
-void cpu_stq_data_ra(CPUArchState *env, target_ulong ptr,
-                     uint64_t val, uintptr_t retaddr)
+void cpu_stq_be_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint64_t val, uintptr_t retaddr)
 {
-    cpu_stq_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+    cpu_stq_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+}
+
+void cpu_stw_le_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint32_t val, uintptr_t retaddr)
+{
+    cpu_stw_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+}
+
+void cpu_stl_le_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint32_t val, uintptr_t retaddr)
+{
+    cpu_stl_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
+}
+
+void cpu_stq_le_data_ra(CPUArchState *env, target_ulong ptr,
+                        uint64_t val, uintptr_t retaddr)
+{
+    cpu_stq_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
 }
 
 void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val)
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val)
     cpu_stb_data_ra(env, ptr, val, 0);
 }
 
-void cpu_stw_data(CPUArchState *env, target_ulong ptr, uint32_t val)
+void cpu_stw_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 {
-    cpu_stw_data_ra(env, ptr, val, 0);
+    cpu_stw_be_data_ra(env, ptr, val, 0);
 }
 
-void cpu_stl_data(CPUArchState *env, target_ulong ptr, uint32_t val)
+void cpu_stl_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
 {
-    cpu_stl_data_ra(env, ptr, val, 0);
+    cpu_stl_be_data_ra(env, ptr, val, 0);
 }
 
-void cpu_stq_data(CPUArchState *env, target_ulong ptr, uint64_t val)
+void cpu_stq_be_data(CPUArchState *env, target_ulong ptr, uint64_t val)
 {
-    cpu_stq_data_ra(env, ptr, val, 0);
+    cpu_stq_be_data_ra(env, ptr, val, 0);
+}
+
+void cpu_stw_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
+{
+    cpu_stw_le_data_ra(env, ptr, val, 0);
+}
+
+void cpu_stl_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
+{
+    cpu_stl_le_data_ra(env, ptr, val, 0);
+}
+
+void cpu_stq_le_data(CPUArchState *env, target_ulong ptr, uint64_t val)
+{
+    cpu_stq_le_data_ra(env, ptr, val, 0);
 }
 
 /* First set of helpers allows passing in of OI and RETADDR.  This makes
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data(CPUArchState *env, abi_ptr ptr)
     return ret;
 }
 
-uint32_t cpu_lduw_data(CPUArchState *env, abi_ptr ptr)
+uint32_t cpu_lduw_be_data(CPUArchState *env, abi_ptr ptr)
 {
     uint32_t ret;
-    uint16_t meminfo = trace_mem_get_info(MO_TEUW, MMU_USER_IDX, false);
+    uint16_t meminfo = trace_mem_get_info(MO_BEUW, MMU_USER_IDX, false);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    ret = lduw_p(g2h(ptr));
+    ret = lduw_be_p(g2h(ptr));
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
     return ret;
 }
 
-int cpu_ldsw_data(CPUArchState *env, abi_ptr ptr)
+int cpu_ldsw_be_data(CPUArchState *env, abi_ptr ptr)
 {
     int ret;
-    uint16_t meminfo = trace_mem_get_info(MO_TESW, MMU_USER_IDX, false);
+    uint16_t meminfo = trace_mem_get_info(MO_BESW, MMU_USER_IDX, false);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    ret = ldsw_p(g2h(ptr));
+    ret = ldsw_be_p(g2h(ptr));
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
     return ret;
 }
 
-uint32_t cpu_ldl_data(CPUArchState *env, abi_ptr ptr)
+uint32_t cpu_ldl_be_data(CPUArchState *env, abi_ptr ptr)
 {
     uint32_t ret;
-    uint16_t meminfo = trace_mem_get_info(MO_TEUL, MMU_USER_IDX, false);
+    uint16_t meminfo = trace_mem_get_info(MO_BEUL, MMU_USER_IDX, false);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    ret = ldl_p(g2h(ptr));
+    ret = ldl_be_p(g2h(ptr));
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
     return ret;
 }
 
-uint64_t cpu_ldq_data(CPUArchState *env, abi_ptr ptr)
+uint64_t cpu_ldq_be_data(CPUArchState *env, abi_ptr ptr)
 {
     uint64_t ret;
-    uint16_t meminfo = trace_mem_get_info(MO_TEQ, MMU_USER_IDX, false);
+    uint16_t meminfo = trace_mem_get_info(MO_BEQ, MMU_USER_IDX, false);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    ret = ldq_p(g2h(ptr));
+    ret = ldq_be_p(g2h(ptr));
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+    return ret;
+}
+
+uint32_t cpu_lduw_le_data(CPUArchState *env, abi_ptr ptr)
+{
+    uint32_t ret;
+    uint16_t meminfo = trace_mem_get_info(MO_LEUW, MMU_USER_IDX, false);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    ret = lduw_le_p(g2h(ptr));
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+    return ret;
+}
+
+int cpu_ldsw_le_data(CPUArchState *env, abi_ptr ptr)
+{
+    int ret;
+    uint16_t meminfo = trace_mem_get_info(MO_LESW, MMU_USER_IDX, false);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    ret = ldsw_le_p(g2h(ptr));
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+    return ret;
+}
+
+uint32_t cpu_ldl_le_data(CPUArchState *env, abi_ptr ptr)
+{
+    uint32_t ret;
+    uint16_t meminfo = trace_mem_get_info(MO_LEUL, MMU_USER_IDX, false);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    ret = ldl_le_p(g2h(ptr));
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+    return ret;
+}
+
+uint64_t cpu_ldq_le_data(CPUArchState *env, abi_ptr ptr)
+{
+    uint64_t ret;
+    uint16_t meminfo = trace_mem_get_info(MO_LEQ, MMU_USER_IDX, false);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    ret = ldq_le_p(g2h(ptr));
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
     return ret;
 }
@@ -XXX,XX +XXX,XX @@ int cpu_ldsb_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
     return ret;
 }
 
-uint32_t cpu_lduw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+uint32_t cpu_lduw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 {
     uint32_t ret;
 
     set_helper_retaddr(retaddr);
-    ret = cpu_lduw_data(env, ptr);
+    ret = cpu_lduw_be_data(env, ptr);
     clear_helper_retaddr();
     return ret;
 }
 
-int cpu_ldsw_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+int cpu_ldsw_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 {
     int ret;
 
     set_helper_retaddr(retaddr);
-    ret = cpu_ldsw_data(env, ptr);
+    ret = cpu_ldsw_be_data(env, ptr);
     clear_helper_retaddr();
     return ret;
 }
 
-uint32_t cpu_ldl_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+uint32_t cpu_ldl_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 {
     uint32_t ret;
 
     set_helper_retaddr(retaddr);
-    ret = cpu_ldl_data(env, ptr);
+    ret = cpu_ldl_be_data(env, ptr);
     clear_helper_retaddr();
     return ret;
 }
 
-uint64_t cpu_ldq_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+uint64_t cpu_ldq_be_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
 {
     uint64_t ret;
 
     set_helper_retaddr(retaddr);
-    ret = cpu_ldq_data(env, ptr);
+    ret = cpu_ldq_be_data(env, ptr);
+    clear_helper_retaddr();
+    return ret;
+}
+
+uint32_t cpu_lduw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+{
+    uint32_t ret;
+
+    set_helper_retaddr(retaddr);
+    ret = cpu_lduw_le_data(env, ptr);
+    clear_helper_retaddr();
+    return ret;
+}
+
+int cpu_ldsw_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+{
+    int ret;
+
+    set_helper_retaddr(retaddr);
+    ret = cpu_ldsw_le_data(env, ptr);
+    clear_helper_retaddr();
+    return ret;
+}
+
+uint32_t cpu_ldl_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+{
+    uint32_t ret;
+
+    set_helper_retaddr(retaddr);
+    ret = cpu_ldl_le_data(env, ptr);
+    clear_helper_retaddr();
+    return ret;
+}
+
+uint64_t cpu_ldq_le_data_ra(CPUArchState *env, abi_ptr ptr, uintptr_t retaddr)
+{
+    uint64_t ret;
+
+    set_helper_retaddr(retaddr);
+    ret = cpu_ldq_le_data(env, ptr);
     clear_helper_retaddr();
     return ret;
 }
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 }
 
-void cpu_stw_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
+void cpu_stw_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 {
-    uint16_t meminfo = trace_mem_get_info(MO_TEUW, MMU_USER_IDX, true);
+    uint16_t meminfo = trace_mem_get_info(MO_BEUW, MMU_USER_IDX, true);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    stw_p(g2h(ptr), val);
+    stw_be_p(g2h(ptr), val);
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 }
 
-void cpu_stl_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
+void cpu_stl_be_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
 {
-    uint16_t meminfo = trace_mem_get_info(MO_TEUL, MMU_USER_IDX, true);
+    uint16_t meminfo = trace_mem_get_info(MO_BEUL, MMU_USER_IDX, true);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    stl_p(g2h(ptr), val);
+    stl_be_p(g2h(ptr), val);
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 }
 
-void cpu_stq_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
+void cpu_stq_be_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
 {
-    uint16_t meminfo = trace_mem_get_info(MO_TEQ, MMU_USER_IDX, true);
+    uint16_t meminfo = trace_mem_get_info(MO_BEQ, MMU_USER_IDX, true);
 
     trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
-    stq_p(g2h(ptr), val);
+    stq_be_p(g2h(ptr), val);
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+}
+
+void cpu_stw_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
+{
+    uint16_t meminfo = trace_mem_get_info(MO_LEUW, MMU_USER_IDX, true);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    stw_le_p(g2h(ptr), val);
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+}
+
+void cpu_stl_le_data(CPUArchState *env, abi_ptr ptr, uint32_t val)
+{
+    uint16_t meminfo = trace_mem_get_info(MO_LEUL, MMU_USER_IDX, true);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    stl_le_p(g2h(ptr), val);
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
+}
+
+void cpu_stq_le_data(CPUArchState *env, abi_ptr ptr, uint64_t val)
+{
+    uint16_t meminfo = trace_mem_get_info(MO_LEQ, MMU_USER_IDX, true);
+
+    trace_guest_mem_before_exec(env_cpu(env), ptr, meminfo);
+    stq_le_p(g2h(ptr), val);
     qemu_plugin_vcpu_mem_cb(env_cpu(env), ptr, meminfo);
 }
 
@@ -XXX,XX +XXX,XX @@ void cpu_stb_data_ra(CPUArchState *env, abi_ptr ptr,
     clear_helper_retaddr();
 }
 
-void cpu_stw_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint32_t val, uintptr_t retaddr)
+void cpu_stw_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t retaddr)
 {
     set_helper_retaddr(retaddr);
-    cpu_stw_data(env, ptr, val);
+    cpu_stw_be_data(env, ptr, val);
     clear_helper_retaddr();
 }
 
-void cpu_stl_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint32_t val, uintptr_t retaddr)
+void cpu_stl_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t retaddr)
 {
     set_helper_retaddr(retaddr);
-    cpu_stl_data(env, ptr, val);
+    cpu_stl_be_data(env, ptr, val);
     clear_helper_retaddr();
 }
 
-void cpu_stq_data_ra(CPUArchState *env, abi_ptr ptr,
-                     uint64_t val, uintptr_t retaddr)
+void cpu_stq_be_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint64_t val, uintptr_t retaddr)
 {
     set_helper_retaddr(retaddr);
-    cpu_stq_data(env, ptr, val);
+    cpu_stq_be_data(env, ptr, val);
+    clear_helper_retaddr();
+}
+
+void cpu_stw_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t retaddr)
+{
+    set_helper_retaddr(retaddr);
+    cpu_stw_le_data(env, ptr, val);
+    clear_helper_retaddr();
+}
+
+void cpu_stl_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint32_t val, uintptr_t retaddr)
+{
+    set_helper_retaddr(retaddr);
+    cpu_stl_le_data(env, ptr, val);
+    clear_helper_retaddr();
+}
+
+void cpu_stq_le_data_ra(CPUArchState *env, abi_ptr ptr,
+                        uint64_t val, uintptr_t retaddr)
+{
+    set_helper_retaddr(retaddr);
+    cpu_stq_le_data(env, ptr, val);
     clear_helper_retaddr();
 }
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Use the "normal" memory access functions, rather than the
softmmu internal helper functions directly.

Since fb901c905dc3, cpu_mem_index is now a simple extract
from env->hflags and not a large computation.  Which means
that it's now more work to pass around this value than it
is to recompute it.

This only adjusts the primitives, and does not clean up
all of the uses within sve_helper.c.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 221 ++++++++++++++++------------------------
 1 file changed, 86 insertions(+), 135 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ typedef intptr_t sve_ld1_host_fn(void *vd, void *vg, void *host,
  * Load one element into @vd + @reg_off from (@env, @vaddr, @ra).
  * The controlling predicate is known to be true.
  */
-typedef void sve_ld1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
-                            target_ulong vaddr, TCGMemOpIdx oi, uintptr_t ra);
-typedef sve_ld1_tlb_fn sve_st1_tlb_fn;
+typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
+                              target_ulong vaddr, uintptr_t retaddr);
 
 /*
  * Generate the above primitives.
@@ -XXX,XX +XXX,XX @@ static intptr_t sve_##NAME##_host(void *vd, void *vg, void *host,           \
     return mem_off;                                                         \
 }
 
-#ifdef CONFIG_SOFTMMU
-#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, HOST, MOEND, TLB) \
+#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
 static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
-                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra)  \
+                             target_ulong addr, uintptr_t ra)               \
 {                                                                           \
-    TYPEM val = TLB(env, addr, oi, ra);                                     \
-    *(TYPEE *)(vd + H(reg_off)) = val;                                      \
+    *(TYPEE *)(vd + H(reg_off)) = (TYPEM)TLB(env, addr, ra);                \
 }
-#else
-#define DO_LD_TLB(NAME, H, TYPEE, TYPEM, HOST, MOEND, TLB)                  \
+
+#define DO_ST_TLB(NAME, H, TYPEE, TYPEM, TLB) \
 static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
-                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra)  \
+                             target_ulong addr, uintptr_t ra)               \
 {                                                                           \
-    TYPEM val = HOST(g2h(addr));                                            \
-    *(TYPEE *)(vd + H(reg_off)) = val;                                      \
+    TLB(env, addr, (TYPEM)*(TYPEE *)(vd + H(reg_off)), ra);                 \
 }
-#endif
 
 #define DO_LD_PRIM_1(NAME, H, TE, TM)                   \
     DO_LD_HOST(NAME, H, TE, TM, ldub_p)                 \
-    DO_LD_TLB(NAME, H, TE, TM, ldub_p, 0, helper_ret_ldub_mmu)
+    DO_LD_TLB(NAME, H, TE, TM, cpu_ldub_data_ra)
 
 DO_LD_PRIM_1(ld1bb,  H1,   uint8_t,  uint8_t)
 DO_LD_PRIM_1(ld1bhu, H1_2, uint16_t, uint8_t)
@@ -XXX,XX +XXX,XX @@ DO_LD_PRIM_1(ld1bss, H1_4, uint32_t,  int8_t)
 DO_LD_PRIM_1(ld1bdu,     , uint64_t, uint8_t)
 DO_LD_PRIM_1(ld1bds,     , uint64_t,  int8_t)
 
-#define DO_LD_PRIM_2(NAME, end, MOEND, H, TE, TM, PH, PT)  \
-    DO_LD_HOST(NAME##_##end, H, TE, TM, PH##_##end##_p)    \
-    DO_LD_TLB(NAME##_##end, H, TE, TM, PH##_##end##_p,     \
-              MOEND, helper_##end##_##PT##_mmu)
+#define DO_ST_PRIM_1(NAME, H, TE, TM)                   \
+    DO_ST_TLB(st1##NAME, H, TE, TM, cpu_stb_data_ra)
 
-DO_LD_PRIM_2(ld1hh,  le, MO_LE, H1_2, uint16_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hsu, le, MO_LE, H1_4, uint32_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hss, le, MO_LE, H1_4, uint32_t,  int16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hdu, le, MO_LE,     , uint64_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hds, le, MO_LE,     , uint64_t,  int16_t, lduw, lduw)
+DO_ST_PRIM_1(bb,   H1,  uint8_t, uint8_t)
+DO_ST_PRIM_1(bh, H1_2, uint16_t, uint8_t)
+DO_ST_PRIM_1(bs, H1_4, uint32_t, uint8_t)
+DO_ST_PRIM_1(bd,     , uint64_t, uint8_t)
 
-DO_LD_PRIM_2(ld1ss,  le, MO_LE, H1_4, uint32_t, uint32_t, ldl, ldul)
-DO_LD_PRIM_2(ld1sdu, le, MO_LE,     , uint64_t, uint32_t, ldl, ldul)
-DO_LD_PRIM_2(ld1sds, le, MO_LE,     , uint64_t,  int32_t, ldl, ldul)
+#define DO_LD_PRIM_2(NAME, H, TE, TM, LD) \
+    DO_LD_HOST(ld1##NAME##_be, H, TE, TM, LD##_be_p)    \
+    DO_LD_HOST(ld1##NAME##_le, H, TE, TM, LD##_le_p)    \
+    DO_LD_TLB(ld1##NAME##_be, H, TE, TM, cpu_##LD##_be_data_ra) \
+    DO_LD_TLB(ld1##NAME##_le, H, TE, TM, cpu_##LD##_le_data_ra)
 
-DO_LD_PRIM_2(ld1dd,  le, MO_LE,     , uint64_t, uint64_t, ldq, ldq)
+#define DO_ST_PRIM_2(NAME, H, TE, TM, ST) \
+    DO_ST_TLB(st1##NAME##_be, H, TE, TM, cpu_##ST##_be_data_ra) \
+    DO_ST_TLB(st1##NAME##_le, H, TE, TM, cpu_##ST##_le_data_ra)
 
-DO_LD_PRIM_2(ld1hh,  be, MO_BE, H1_2, uint16_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hsu, be, MO_BE, H1_4, uint32_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hss, be, MO_BE, H1_4, uint32_t,  int16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hdu, be, MO_BE,     , uint64_t, uint16_t, lduw, lduw)
-DO_LD_PRIM_2(ld1hds, be, MO_BE,     , uint64_t,  int16_t, lduw, lduw)
+DO_LD_PRIM_2(hh,  H1_2, uint16_t, uint16_t, lduw)
+DO_LD_PRIM_2(hsu, H1_4, uint32_t, uint16_t, lduw)
+DO_LD_PRIM_2(hss, H1_4, uint32_t,  int16_t, lduw)
+DO_LD_PRIM_2(hdu,     , uint64_t, uint16_t, lduw)
+DO_LD_PRIM_2(hds,     , uint64_t,  int16_t, lduw)
 
-DO_LD_PRIM_2(ld1ss,  be, MO_BE, H1_4, uint32_t, uint32_t, ldl, ldul)
-DO_LD_PRIM_2(ld1sdu, be, MO_BE,     , uint64_t, uint32_t, ldl, ldul)
-DO_LD_PRIM_2(ld1sds, be, MO_BE,     , uint64_t,  int32_t, ldl, ldul)
+DO_ST_PRIM_2(hh, H1_2, uint16_t, uint16_t, stw)
+DO_ST_PRIM_2(hs, H1_4, uint32_t, uint16_t, stw)
+DO_ST_PRIM_2(hd,     , uint64_t, uint16_t, stw)
 
-DO_LD_PRIM_2(ld1dd,  be, MO_BE,     , uint64_t, uint64_t, ldq, ldq)
+DO_LD_PRIM_2(ss,  H1_4, uint32_t, uint32_t, ldl)
+DO_LD_PRIM_2(sdu,     , uint64_t, uint32_t, ldl)
+DO_LD_PRIM_2(sds,     , uint64_t,  int32_t, ldl)
+
+DO_ST_PRIM_2(ss, H1_4, uint32_t, uint32_t, stl)
+DO_ST_PRIM_2(sd,     , uint64_t, uint32_t, stl)
+
+DO_LD_PRIM_2(dd,     , uint64_t, uint64_t, ldq)
+DO_ST_PRIM_2(dd,     , uint64_t, uint64_t, stq)
 
 #undef DO_LD_TLB
+#undef DO_ST_TLB
 #undef DO_LD_HOST
 #undef DO_LD_PRIM_1
+#undef DO_ST_PRIM_1
 #undef DO_LD_PRIM_2
+#undef DO_ST_PRIM_2
 
 /*
  * Skip through a sequence of inactive elements in the guarding predicate @vg,
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
                       uint32_t desc, const uintptr_t retaddr,
                       const int esz, const int msz,
                       sve_ld1_host_fn *host_fn,
-                      sve_ld1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
          * on I/O memory, it may succeed but not bring in the TLB entry.
          * But even then we have still made forward progress.
          */
-        tlb_fn(env, &scratch, reg_off, addr + mem_off, oi, retaddr);
+        tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
         reg_off += 1 << esz;
     }
 #endif
@@ -XXX,XX +XXX,XX @@ DO_LD1_2(ld1dd,  3, 3)
  */
 static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, int size, uintptr_t ra,
-                      sve_ld1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[2] = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, oi, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
+                tlb_fn(env, &scratch[0], i, addr, ra);
+                tlb_fn(env, &scratch[1], i, addr + size, ra);
             }
             i += size, pg >>= size;
             addr += 2 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
 
 static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, int size, uintptr_t ra,
-                      sve_ld1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[3] = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, oi, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
-                tlb_fn(env, &scratch[2], i, addr + 2 * size, oi, ra);
+                tlb_fn(env, &scratch[0], i, addr, ra);
+                tlb_fn(env, &scratch[1], i, addr + size, ra);
+                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
             }
             i += size, pg >>= size;
             addr += 3 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
 
 static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, int size, uintptr_t ra,
-                      sve_ld1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[4] = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, oi, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, oi, ra);
-                tlb_fn(env, &scratch[2], i, addr + 2 * size, oi, ra);
-                tlb_fn(env, &scratch[3], i, addr + 3 * size, oi, ra);
+                tlb_fn(env, &scratch[0], i, addr, ra);
+                tlb_fn(env, &scratch[1], i, addr + size, ra);
+                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
+                tlb_fn(env, &scratch[3], i, addr + 3 * size, ra);
             }
             i += size, pg >>= size;
             addr += 4 * size;
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                         uint32_t desc, const uintptr_t retaddr,
                         const int esz, const int msz,
                         sve_ld1_host_fn *host_fn,
-                        sve_ld1_tlb_fn *tlb_fn)
+                        sve_ldst1_tlb_fn *tlb_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      * Perform one normal read, which will fault or not.
      * But it is likely to bring the page into the tlb.
      */
-    tlb_fn(env, vd, reg_off, addr + mem_off, oi, retaddr);
+    tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
 
     /* After any fault, zero any leading predicated false elts.  */
     swap_memzero(vd, reg_off);
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_LDNF1_2(dd,  3, 3)
 #undef DO_LDFF1_LDNF1_1
 #undef DO_LDFF1_LDNF1_2
 
-/*
- * Store contiguous data, protected by a governing predicate.
- */
-
-#ifdef CONFIG_SOFTMMU
-#define DO_ST_TLB(NAME, H, TYPEM, HOST, MOEND, TLB) \
-static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
-                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra) \
-{                                                                           \
-    TLB(env, addr, *(TYPEM *)(vd + H(reg_off)), oi, ra);                    \
-}
-#else
-#define DO_ST_TLB(NAME, H, TYPEM, HOST, MOEND, TLB) \
-static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
-                             target_ulong addr, TCGMemOpIdx oi, uintptr_t ra) \
-{                                                                           \
-    HOST(g2h(addr), *(TYPEM *)(vd + H(reg_off)));                           \
-}
-#endif
-
-DO_ST_TLB(st1bb,   H1,  uint8_t, stb_p, 0, helper_ret_stb_mmu)
-DO_ST_TLB(st1bh, H1_2, uint16_t, stb_p, 0, helper_ret_stb_mmu)
-DO_ST_TLB(st1bs, H1_4, uint32_t, stb_p, 0, helper_ret_stb_mmu)
-DO_ST_TLB(st1bd,     , uint64_t, stb_p, 0, helper_ret_stb_mmu)
-
-DO_ST_TLB(st1hh_le, H1_2, uint16_t, stw_le_p, MO_LE, helper_le_stw_mmu)
-DO_ST_TLB(st1hs_le, H1_4, uint32_t, stw_le_p, MO_LE, helper_le_stw_mmu)
-DO_ST_TLB(st1hd_le,     , uint64_t, stw_le_p, MO_LE, helper_le_stw_mmu)
-
-DO_ST_TLB(st1ss_le, H1_4, uint32_t, stl_le_p, MO_LE, helper_le_stl_mmu)
-DO_ST_TLB(st1sd_le,     , uint64_t, stl_le_p, MO_LE, helper_le_stl_mmu)
-
-DO_ST_TLB(st1dd_le,     , uint64_t, stq_le_p, MO_LE, helper_le_stq_mmu)
-
-DO_ST_TLB(st1hh_be, H1_2, uint16_t, stw_be_p, MO_BE, helper_be_stw_mmu)
-DO_ST_TLB(st1hs_be, H1_4, uint32_t, stw_be_p, MO_BE, helper_be_stw_mmu)
-DO_ST_TLB(st1hd_be,     , uint64_t, stw_be_p, MO_BE, helper_be_stw_mmu)
-
-DO_ST_TLB(st1ss_be, H1_4, uint32_t, stl_be_p, MO_BE, helper_be_stl_mmu)
-DO_ST_TLB(st1sd_be,     , uint64_t, stl_be_p, MO_BE, helper_be_stl_mmu)
-
-DO_ST_TLB(st1dd_be,     , uint64_t, stq_be_p, MO_BE, helper_be_stq_mmu)
-
-#undef DO_ST_TLB
-
 /*
  * Common helpers for all contiguous 1,2,3,4-register predicated stores.
  */
 static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, const uintptr_t ra,
                       const int esize, const int msize,
-                      sve_st1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     void *vd = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, vd, i, addr, oi, ra);
+                tlb_fn(env, vd, i, addr, ra);
             }
             i += esize, pg >>= esize;
             addr += msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
 static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, const uintptr_t ra,
                       const int esize, const int msize,
-                      sve_st1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, d1, i, addr, oi, ra);
-                tlb_fn(env, d2, i, addr + msize, oi, ra);
+                tlb_fn(env, d1, i, addr, ra);
+                tlb_fn(env, d2, i, addr + msize, ra);
             }
             i += esize, pg >>= esize;
             addr += 2 * msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
 static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, const uintptr_t ra,
                       const int esize, const int msize,
-                      sve_st1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, d1, i, addr, oi, ra);
-                tlb_fn(env, d2, i, addr + msize, oi, ra);
-                tlb_fn(env, d3, i, addr + 2 * msize, oi, ra);
+                tlb_fn(env, d1, i, addr, ra);
+                tlb_fn(env, d2, i, addr + msize, ra);
+                tlb_fn(env, d3, i, addr + 2 * msize, ra);
             }
             i += esize, pg >>= esize;
             addr += 3 * msize;
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
 static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
                       uint32_t desc, const uintptr_t ra,
                       const int esize, const int msize,
-                      sve_st1_tlb_fn *tlb_fn)
+                      sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     intptr_t i, oprsz = simd_oprsz(desc);
     void *d1 = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
             if (pg & 1) {
-                tlb_fn(env, d1, i, addr, oi, ra);
-                tlb_fn(env, d2, i, addr + msize, oi, ra);
-                tlb_fn(env, d3, i, addr + 2 * msize, oi, ra);
-                tlb_fn(env, d4, i, addr + 3 * msize, oi, ra);
+                tlb_fn(env, d1, i, addr, ra);
+                tlb_fn(env, d2, i, addr + msize, ra);
+                tlb_fn(env, d3, i, addr + 2 * msize, ra);
+                tlb_fn(env, d4, i, addr + 3 * msize, ra);
             }
             i += esize, pg >>= esize;
             addr += 4 * msize;
@@ -XXX,XX +XXX,XX @@ static target_ulong off_zd_d(void *reg, intptr_t reg_ofs)
 
 static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
                        target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
+                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
         do {
             if (likely(pg & 1)) {
                 target_ulong off = off_fn(vm, i);
-                tlb_fn(env, &scratch, i, base + (off << scale), oi, ra);
+                tlb_fn(env, &scratch, i, base + (off << scale), ra);
             }
             i += 4, pg >>= 4;
         } while (i & 15);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
 
 static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                        target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
+                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc) / 8;
     ARMVectorReg scratch = { };
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
         uint8_t pg = *(uint8_t *)(vg + H1(i));
         if (likely(pg & 1)) {
             target_ulong off = off_fn(vm, i * 8);
-            tlb_fn(env, &scratch, i * 8, base + (off << scale), oi, ra);
+            tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
         }
     }
     clear_helper_retaddr();
@@ -XXX,XX +XXX,XX @@ DO_LD_NF(dd_be,      , uint64_t, uint64_t, ldq_be_p)
  */
 static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
                                 target_ulong base, uint32_t desc, uintptr_t ra,
-                                zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn,
+                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
                                 sve_ld1_nf_fn *nonfault_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
         set_helper_retaddr(ra);
         addr = off_fn(vm, reg_off);
         addr = base + (addr << scale);
-        tlb_fn(env, vd, reg_off, addr, oi, ra);
+        tlb_fn(env, vd, reg_off, addr, ra);
 
         /* The rest of the reads will be non-faulting.  */
         clear_helper_retaddr();
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
 
 static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                                 target_ulong base, uint32_t desc, uintptr_t ra,
-                                zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn,
+                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
                                 sve_ld1_nf_fn *nonfault_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
         set_helper_retaddr(ra);
         addr = off_fn(vm, reg_off);
         addr = base + (addr << scale);
-        tlb_fn(env, vd, reg_off, addr, oi, ra);
+        tlb_fn(env, vd, reg_off, addr, ra);
 
         /* The rest of the reads will be non-faulting.  */
         clear_helper_retaddr();
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_ZPZ_D(dd_be, zd)
 
 static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
                        target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
+                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc);
 
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
         do {
             if (likely(pg & 1)) {
                 target_ulong off = off_fn(vm, i);
-                tlb_fn(env, vd, i, base + (off << scale), oi, ra);
+                tlb_fn(env, vd, i, base + (off << scale), ra);
             }
             i += 4, pg >>= 4;
         } while (i & 15);
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
 
 static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
                        target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ld1_tlb_fn *tlb_fn)
+                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc) / 8;
 
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
         uint8_t pg = *(uint8_t *)(vg + H1(i));
         if (likely(pg & 1)) {
             target_ulong off = off_fn(vm, i * 8);
-            tlb_fn(env, vd, i * 8, base + (off << scale), oi, ra);
+            tlb_fn(env, vd, i * 8, base + (off << scale), ra);
         }
     }
     clear_helper_retaddr();
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Since we converted back to cpu_*_data_ra, we do not need to
do this ourselves.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 38 --------------------------------------
 1 file changed, 38 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
     return MIN(split, mem_max - mem_off) + mem_off;
 }
 
-#ifndef CONFIG_USER_ONLY
-/* These are normally defined only for CONFIG_USER_ONLY in <exec/cpu_ldst.h> */
-static inline void set_helper_retaddr(uintptr_t ra) { }
-static inline void clear_helper_retaddr(void) { }
-#endif
-
 /*
  * The result of tlb_vaddr_to_host for user-only is just g2h(x),
  * which is always non-null.  Elide the useless test.
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
         return;
     }
     mem_off = reg_off >> diffsz;
-    set_helper_retaddr(retaddr);
 
     /*
      * If the (remaining) load is entirely within a single page, then:
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
         if (test_host_page(host)) {
             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
             tcg_debug_assert(mem_off == mem_max);
-            clear_helper_retaddr();
             /* After having taken any fault, zero leading inactive elements. */
             swap_memzero(vd, reg_off);
             return;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
     }
 #endif
 
-    clear_helper_retaddr();
     memcpy(vd, &scratch, reg_max);
 }
 
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[2] = { };
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 2 * size;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[3] = { };
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 3 * size;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch[4] = { };
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 4 * size;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
         return;
     }
     mem_off = reg_off >> diffsz;
-    set_helper_retaddr(retaddr);
 
     /*
      * If the (remaining) load is entirely within a single page, then:
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
         if (test_host_page(host)) {
             mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
             tcg_debug_assert(mem_off == mem_max);
-            clear_helper_retaddr();
             /* After any fault, zero any leading inactive elements.  */
             swap_memzero(vd, reg_off);
             return;
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
     }
 #endif
 
-    clear_helper_retaddr();
     record_fault(env, reg_off, reg_max);
 }
 
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
     intptr_t i, oprsz = simd_oprsz(desc);
     void *vd = &env->vfp.zregs[rd];
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += msize;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 }
 
 static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
     void *d1 = &env->vfp.zregs[rd];
     void *d2 = &env->vfp.zregs[(rd + 1) & 31];
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 2 * msize;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 }
 
 static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
     void *d2 = &env->vfp.zregs[(rd + 1) & 31];
     void *d3 = &env->vfp.zregs[(rd + 2) & 31];
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 3 * msize;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 }
 
 static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
     void *d3 = &env->vfp.zregs[(rd + 2) & 31];
     void *d4 = &env->vfp.zregs[(rd + 3) & 31];
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
             addr += 4 * msize;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 }
 
 #define DO_STN_1(N, NAME, ESIZE) \
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
     intptr_t i, oprsz = simd_oprsz(desc);
     ARMVectorReg scratch = { };
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
             i += 4, pg >>= 4;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(vd, &scratch, oprsz);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
     intptr_t i, oprsz = simd_oprsz(desc) / 8;
     ARMVectorReg scratch = { };
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; i++) {
         uint8_t pg = *(uint8_t *)(vg + H1(i));
         if (likely(pg & 1)) {
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
             tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
         }
     }
-    clear_helper_retaddr();
 
     /* Wait until all exceptions have been raised to write back.  */
     memcpy(vd, &scratch, oprsz * 8);
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
     reg_off = find_next_active(vg, 0, reg_max, MO_32);
     if (likely(reg_off < reg_max)) {
         /* Perform one normal read, which will fault or not.  */
-        set_helper_retaddr(ra);
         addr = off_fn(vm, reg_off);
         addr = base + (addr << scale);
         tlb_fn(env, vd, reg_off, addr, ra);
 
         /* The rest of the reads will be non-faulting.  */
-        clear_helper_retaddr();
     }
 
     /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
     reg_off = find_next_active(vg, 0, reg_max, MO_64);
     if (likely(reg_off < reg_max)) {
         /* Perform one normal read, which will fault or not.  */
-        set_helper_retaddr(ra);
         addr = off_fn(vm, reg_off);
         addr = base + (addr << scale);
         tlb_fn(env, vd, reg_off, addr, ra);
 
         /* The rest of the reads will be non-faulting.  */
-        clear_helper_retaddr();
     }
 
     /* After any fault, zero the leading predicated false elements.  */
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc);
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; ) {
         uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
         do {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
             i += 4, pg >>= 4;
         } while (i & 15);
     }
-    clear_helper_retaddr();
 }
 
 static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     intptr_t i, oprsz = simd_oprsz(desc) / 8;
 
-    set_helper_retaddr(ra);
     for (i = 0; i < oprsz; i++) {
         uint8_t pg = *(uint8_t *)(vg + H1(i));
         if (likely(pg & 1)) {
@@ -XXX,XX +XXX,XX @@ static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
             tlb_fn(env, vd, i * 8, base + (off << scale), ra);
         }
     }
-    clear_helper_retaddr();
 }
 
 #define DO_ST1_ZPZ_S(MEM, OFS) \
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

For contiguous predicated memory operations, we want to
minimize the number of tlb lookups performed.  We have
open-coded this for sve_ld1_r, but for correctness with
MTE we will need this for all of the memory operations.

Create a structure that holds the bounds of active elements,
and metadata for two pages.  Add routines to find those
active elements, lookup the pages, and run watchpoints
for those pages.

Temporarily mark the functions unused to avoid Werror.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 263 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 261 insertions(+), 2 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_cpy_z_d)(void *vd, void *vg, uint64_t val, uint32_t desc)
     }
 }
 
-/* Big-endian hosts need to frob the byte indicies.  If the copy
+/* Big-endian hosts need to frob the byte indices.  If the copy
  * happens to be 8-byte aligned, then no frobbing necessary.
  */
 static void swap_memmove(void *vd, void *vs, size_t n)
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 /*
  * Load elements into @vd, controlled by @vg, from @host + @mem_ofs.
  * Memory is valid through @host + @mem_max.  The register element
- * indicies are inferred from @mem_ofs, as modified by the types for
+ * indices are inferred from @mem_ofs, as modified by the types for
  * which the helper is built.  Return the @mem_ofs of the first element
  * not loaded (which is @mem_max if they are all loaded).
  *
@@ -XXX,XX +XXX,XX @@ static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
     return MIN(split, mem_max - mem_off) + mem_off;
 }
 
+/*
+ * Resolve the guest virtual address to info->host and info->flags.
+ * If @nofault, return false if the page is invalid, otherwise
+ * exit via page fault exception.
+ */
+
+typedef struct {
+    void *host;
+    int flags;
+    MemTxAttrs attrs;
+} SVEHostPage;
+
+static bool sve_probe_page(SVEHostPage *info, bool nofault,
+                           CPUARMState *env, target_ulong addr,
+                           int mem_off, MMUAccessType access_type,
+                           int mmu_idx, uintptr_t retaddr)
+{
+    int flags;
+
+    addr += mem_off;
+    flags = probe_access_flags(env, addr, access_type, mmu_idx, nofault,
+                               &info->host, retaddr);
+    info->flags = flags;
+
+    if (flags & TLB_INVALID_MASK) {
+        g_assert(nofault);
+        return false;
+    }
+
+    /* Ensure that info->host[] is relative to addr, not addr + mem_off. */
+    info->host -= mem_off;
+
+#ifdef CONFIG_USER_ONLY
+    memset(&info->attrs, 0, sizeof(info->attrs));
+#else
+    /*
+     * Find the iotlbentry for addr and return the transaction attributes.
+     * This *must* be present in the TLB because we just found the mapping.
+     */
+    {
+        uintptr_t index = tlb_index(env, mmu_idx, addr);
+
+# ifdef CONFIG_DEBUG_TCG
+        CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+        target_ulong comparator = (access_type == MMU_DATA_LOAD
+                                   ? entry->addr_read
+                                   : tlb_addr_write(entry));
+        g_assert(tlb_hit(comparator, addr));
+# endif
+
+        CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
+        info->attrs = iotlbentry->attrs;
+    }
+#endif
+
+    return true;
+}
+
+
+/*
+ * Analyse contiguous data, protected by a governing predicate.
+ */
+
+typedef enum {
+    FAULT_NO,
+    FAULT_FIRST,
+    FAULT_ALL,
+} SVEContFault;
+
+typedef struct {
+    /*
+     * First and last element wholly contained within the two pages.
+     * mem_off_first[0] and reg_off_first[0] are always set >= 0.
+     * reg_off_last[0] may be < 0 if the first element crosses pages.
+     * All of mem_off_first[1], reg_off_first[1] and reg_off_last[1]
+     * are set >= 0 only if there are complete elements on a second page.
+     *
+     * The reg_off_* offsets are relative to the internal vector register.
+     * The mem_off_first offset is relative to the memory address; the
+     * two offsets are different when a load operation extends, a store
+     * operation truncates, or for multi-register operations.
+     */
+    int16_t mem_off_first[2];
+    int16_t reg_off_first[2];
+    int16_t reg_off_last[2];
+
+    /*
+     * One element that is misaligned and spans both pages,
+     * or -1 if there is no such active element.
+     */
+    int16_t mem_off_split;
+    int16_t reg_off_split;
+
+    /*
+     * The byte offset at which the entire operation crosses a page boundary.
+     * Set >= 0 if and only if the entire operation spans two pages.
+     */
+    int16_t page_split;
+
+    /* TLB data for the two pages. */
+    SVEHostPage page[2];
+} SVEContLdSt;
+
+/*
+ * Find first active element on each page, and a loose bound for the
+ * final element on each page.  Identify any single element that spans
+ * the page boundary.  Return true if there are any active elements.
+ */
+static bool __attribute__((unused))
+sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
+                       intptr_t reg_max, int esz, int msize)
+{
+    const int esize = 1 << esz;
+    const uint64_t pg_mask = pred_esz_masks[esz];
+    intptr_t reg_off_first = -1, reg_off_last = -1, reg_off_split;
+    intptr_t mem_off_last, mem_off_split;
+    intptr_t page_split, elt_split;
+    intptr_t i;
+
+    /* Set all of the element indices to -1, and the TLB data to 0. */
+    memset(info, -1, offsetof(SVEContLdSt, page));
+    memset(info->page, 0, sizeof(info->page));
+
+    /* Gross scan over the entire predicate to find bounds. */
+    i = 0;
+    do {
+        uint64_t pg = vg[i] & pg_mask;
+        if (pg) {
+            reg_off_last = i * 64 + 63 - clz64(pg);
+            if (reg_off_first < 0) {
+                reg_off_first = i * 64 + ctz64(pg);
+            }
+        }
+    } while (++i * 64 < reg_max);
+
+    if (unlikely(reg_off_first < 0)) {
+        /* No active elements, no pages touched. */
+        return false;
+    }
+    tcg_debug_assert(reg_off_last >= 0 && reg_off_last < reg_max);
+
+    info->reg_off_first[0] = reg_off_first;
+    info->mem_off_first[0] = (reg_off_first >> esz) * msize;
+    mem_off_last = (reg_off_last >> esz) * msize;
+
+    page_split = -(addr | TARGET_PAGE_MASK);
+    if (likely(mem_off_last + msize <= page_split)) {
+        /* The entire operation fits within a single page. */
+        info->reg_off_last[0] = reg_off_last;
+        return true;
+    }
+
+    info->page_split = page_split;
+    elt_split = page_split / msize;
+    reg_off_split = elt_split << esz;
+    mem_off_split = elt_split * msize;
+
+    /*
+     * This is the last full element on the first page, but it is not
+     * necessarily active.  If there is no full element, i.e. the first
+     * active element is the one that's split, this value remains -1.
+     * It is useful as iteration bounds.
+     */
+    if (elt_split != 0) {
+        info->reg_off_last[0] = reg_off_split - esize;
+    }
+
+    /* Determine if an unaligned element spans the pages.  */
+    if (page_split % msize != 0) {
+        /* It is helpful to know if the split element is active. */
+        if ((vg[reg_off_split >> 6] >> (reg_off_split & 63)) & 1) {
+            info->reg_off_split = reg_off_split;
+            info->mem_off_split = mem_off_split;
+
+            if (reg_off_split == reg_off_last) {
+                /* The page crossing element is last. */
+                return true;
+            }
+        }
+        reg_off_split += esize;
+        mem_off_split += msize;
+    }
+
+    /*
+     * We do want the first active element on the second page, because
+     * this may affect the address reported in an exception.
+     */
+    reg_off_split = find_next_active(vg, reg_off_split, reg_max, esz);
+    tcg_debug_assert(reg_off_split <= reg_off_last);
+    info->reg_off_first[1] = reg_off_split;
+    info->mem_off_first[1] = (reg_off_split >> esz) * msize;
+    info->reg_off_last[1] = reg_off_last;
+    return true;
+}
+
+/*
+ * Resolve the guest virtual addresses to info->page[].
+ * Control the generation of page faults with @fault.  Return false if
+ * there is no work to do, which can only happen with @fault == FAULT_NO.
+ */
+static bool __attribute__((unused))
+sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault, CPUARMState *env,
+                    target_ulong addr, MMUAccessType access_type,
+                    uintptr_t retaddr)
+{
+    int mmu_idx = cpu_mmu_index(env, false);
+    int mem_off = info->mem_off_first[0];
+    bool nofault = fault == FAULT_NO;
+    bool have_work = true;
+
+    if (!sve_probe_page(&info->page[0], nofault, env, addr, mem_off,
+                        access_type, mmu_idx, retaddr)) {
+        /* No work to be done. */
+        return false;
+    }
+
+    if (likely(info->page_split < 0)) {
+        /* The entire operation was on the one page. */
+        return true;
+    }
+
+    /*
+     * If the second page is invalid, then we want the fault address to be
+     * the first byte on that page which is accessed.
+     */
+    if (info->mem_off_split >= 0) {
+        /*
+         * There is an element split across the pages.  The fault address
+         * should be the first byte of the second page.
+         */
+        mem_off = info->page_split;
+        /*
+         * If the split element is also the first active element
+         * of the vector, then:  For first-fault we should continue
+         * to generate faults for the second page.  For no-fault,
+         * we have work only if the second page is valid.
+         */
+        if (info->mem_off_first[0] < info->mem_off_split) {
+            nofault = FAULT_FIRST;
+            have_work = false;
+        }
+    } else {
+        /*
+         * There is no element split across the pages.  The fault address
+         * should be the first active element on the second page.
+         */
+        mem_off = info->mem_off_first[1];
+        /*
+         * There must have been one active element on the first page,
+         * so we're out of first-fault territory.
+         */
+        nofault = fault != FAULT_ALL;
+    }
+
+    have_work |= sve_probe_page(&info->page[1], nofault, env, addr, mem_off,
+                                access_type, mmu_idx, retaddr);
+    return have_work;
+}
+
 /*
  * The result of tlb_vaddr_to_host for user-only is just g2h(x),
  * which is always non-null.  Elide the useless test.
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

The current interface includes a loop; change it to load a
single element.  We will then be able to use the function
for ld{2,3,4} where individual vector elements are not adjacent.

Replace each call with the simplest possible loop over active
elements.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 124 ++++++++++++++++++++--------------------
 1 file changed, 63 insertions(+), 61 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
  */
 
 /*
- * Load elements into @vd, controlled by @vg, from @host + @mem_ofs.
- * Memory is valid through @host + @mem_max.  The register element
- * indices are inferred from @mem_ofs, as modified by the types for
- * which the helper is built.  Return the @mem_ofs of the first element
- * not loaded (which is @mem_max if they are all loaded).
- *
- * For softmmu, we have fully validated the guest page.  For user-only,
- * we cannot fully validate without taking the mmap lock, but since we
- * know the access is within one host page, if any access is valid they
- * all must be valid.  However, when @vg is all false, it may be that
- * no access is valid.
+ * Load one element into @vd + @reg_off from @host.
+ * The controlling predicate is known to be true.
  */
-typedef intptr_t sve_ld1_host_fn(void *vd, void *vg, void *host,
-                                 intptr_t mem_ofs, intptr_t mem_max);
+typedef void sve_ldst1_host_fn(void *vd, intptr_t reg_off, void *host);
 
 /*
  * Load one element into @vd + @reg_off from (@env, @vaddr, @ra).
@@ -XXX,XX +XXX,XX @@ typedef void sve_ldst1_tlb_fn(CPUARMState *env, void *vd, intptr_t reg_off,
  */
 
 #define DO_LD_HOST(NAME, H, TYPEE, TYPEM, HOST) \
-static intptr_t sve_##NAME##_host(void *vd, void *vg, void *host,           \
-                                  intptr_t mem_off, const intptr_t mem_max) \
-{                                                                           \
-    intptr_t reg_off = mem_off * (sizeof(TYPEE) / sizeof(TYPEM));           \
-    uint64_t *pg = vg;                                                      \
-    while (mem_off + sizeof(TYPEM) <= mem_max) {                            \
-        TYPEM val = 0;                                                      \
-        if (likely((pg[reg_off >> 6] >> (reg_off & 63)) & 1)) {             \
-            val = HOST(host + mem_off);                                     \
-        }                                                                   \
-        *(TYPEE *)(vd + H(reg_off)) = val;                                  \
-        mem_off += sizeof(TYPEM), reg_off += sizeof(TYPEE);                 \
-    }                                                                       \
-    return mem_off;                                                         \
+static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
+{                                                                      \
+    TYPEM val = HOST(host);                                            \
+    *(TYPEE *)(vd + H(reg_off)) = val;                                 \
 }
 
 #define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
 static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
                       uint32_t desc, const uintptr_t retaddr,
                       const int esz, const int msz,
-                      sve_ld1_host_fn *host_fn,
+                      sve_ldst1_host_fn *host_fn,
                       sve_ldst1_tlb_fn *tlb_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
     if (likely(split == mem_max)) {
         host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
         if (test_host_page(host)) {
-            mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
-            tcg_debug_assert(mem_off == mem_max);
+            intptr_t i = reg_off;
+            host -= mem_off;
+            do {
+                host_fn(vd, i, host + (i >> diffsz));
+                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
+            } while (i < reg_max);
             /* After having taken any fault, zero leading inactive elements. */
             swap_memzero(vd, reg_off);
             return;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
      */
 #ifdef CONFIG_USER_ONLY
     swap_memzero(&scratch, reg_off);
-    host_fn(&scratch, vg, g2h(addr), mem_off, mem_max);
+    host = g2h(addr);
+    do {
+        host_fn(&scratch, reg_off, host + (reg_off >> diffsz));
+        reg_off += 1 << esz;
+        reg_off = find_next_active(vg, reg_off, reg_max, esz);
+    } while (reg_off < reg_max);
 #else
     memset(&scratch, 0, reg_max);
     goto start;
@@ -XXX,XX +XXX,XX @@ static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
             host = tlb_vaddr_to_host(env, addr + mem_off,
                                      MMU_DATA_LOAD, mmu_idx);
             if (host) {
-                mem_off = host_fn(&scratch, vg, host - mem_off,
-                                  mem_off, split);
-                reg_off = mem_off << diffsz;
+                host -= mem_off;
+                do {
+                    host_fn(&scratch, reg_off, host + mem_off);
+                    reg_off += 1 << esz;
+                    reg_off = find_next_active(vg, reg_off, reg_max, esz);
+                    mem_off = reg_off >> diffsz;
+                } while (split - mem_off >= (1 << msz));
                 continue;
             }
         }
@@ -XXX,XX +XXX,XX @@ static void record_fault(CPUARMState *env, uintptr_t i, uintptr_t oprsz)
 static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                         uint32_t desc, const uintptr_t retaddr,
                         const int esz, const int msz,
-                        sve_ld1_host_fn *host_fn,
+                        sve_ldst1_host_fn *host_fn,
                         sve_ldst1_tlb_fn *tlb_fn)
 {
     const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
     const int diffsz = esz - msz;
     const intptr_t reg_max = simd_oprsz(desc);
     const intptr_t mem_max = reg_max >> diffsz;
-    intptr_t split, reg_off, mem_off;
+    intptr_t split, reg_off, mem_off, i;
     void *host;
 
     /* Skip to the first active element.  */
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
     if (likely(split == mem_max)) {
         host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
         if (test_host_page(host)) {
-            mem_off = host_fn(vd, vg, host - mem_off, mem_off, mem_max);
-            tcg_debug_assert(mem_off == mem_max);
+            i = reg_off;
+            host -= mem_off;
+            do {
+                host_fn(vd, i, host + (i >> diffsz));
+                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
+            } while (i < reg_max);
             /* After any fault, zero any leading inactive elements.  */
             swap_memzero(vd, reg_off);
             return;
         }
     }
 
-#ifdef CONFIG_USER_ONLY
-    /*
-     * The page(s) containing this first element at ADDR+MEM_OFF must
-     * be valid.  Considering that this first element may be misaligned
-     * and cross a page boundary itself, take the rest of the page from
-     * the last byte of the element.
-     */
-    split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
-    mem_off = host_fn(vd, vg, g2h(addr), mem_off, split);
-
-    /* After any fault, zero any leading inactive elements.  */
-    swap_memzero(vd, reg_off);
-    reg_off = mem_off << diffsz;
-#else
     /*
      * Perform one normal read, which will fault or not.
      * But it is likely to bring the page into the tlb.
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
     if (split >= (1 << msz)) {
         host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
         if (host) {
-            mem_off = host_fn(vd, vg, host - mem_off, mem_off, split);
-            reg_off = mem_off << diffsz;
+            host -= mem_off;
+            do {
+                host_fn(vd, reg_off, host + mem_off);
+                reg_off += 1 << esz;
+                reg_off = find_next_active(vg, reg_off, reg_max, esz);
+                mem_off = reg_off >> diffsz;
+            } while (split - mem_off >= (1 << msz));
         }
     }
-#endif
 
     record_fault(env, reg_off, reg_max);
 }
@@ -XXX,XX +XXX,XX @@ static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
  */
 static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
                         uint32_t desc, const int esz, const int msz,
-                        sve_ld1_host_fn *host_fn)
+                        sve_ldst1_host_fn *host_fn)
 {
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     void *vd = &env->vfp.zregs[rd];
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
     host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);
     if (likely(page_check_range(addr, mem_max, PAGE_READ) == 0)) {
         /* The entire operation is valid and will not fault.  */
-        host_fn(vd, vg, host, 0, mem_max);
+        reg_off = 0;
+        do {
+            mem_off = reg_off >> diffsz;
+            host_fn(vd, reg_off, host + mem_off);
+            reg_off += 1 << esz;
+            reg_off = find_next_active(vg, reg_off, reg_max, esz);
+        } while (reg_off < reg_max);
         return;
     }
 #endif
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
     if (page_check_range(addr + mem_off, 1 << msz, PAGE_READ) == 0) {
         /* At least one load is valid; take the rest of the page.  */
         split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
-        mem_off = host_fn(vd, vg, host, mem_off, split);
-        reg_off = mem_off << diffsz;
+        do {
+            host_fn(vd, reg_off, host + mem_off);
+            reg_off += 1 << esz;
+            reg_off = find_next_active(vg, reg_off, reg_max, esz);
+            mem_off = reg_off >> diffsz;
+        } while (split - mem_off >= (1 << msz));
     }
 #else
     /*
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
     host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
     split = max_for_page(addr, mem_off, mem_max);
     if (host && split >= (1 << msz)) {
-        mem_off = host_fn(vd, vg, host - mem_off, mem_off, split);
-        reg_off = mem_off << diffsz;
+        host -= mem_off;
+        do {
+            host_fn(vd, reg_off, host + mem_off);
+            reg_off += 1 << esz;
+            reg_off = find_next_active(vg, reg_off, reg_max, esz);
+            mem_off = reg_off >> diffsz;
+        } while (split - mem_off >= (1 << msz));
     }
 #endif
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

First use of the new helper functions, so we can remove the
unused markup.  No longer need a scratch for user-only, as
we completely probe the page set before reading; system mode
still requires a scratch for MMIO.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 188 +++++++++++++++++++++-------------------
 1 file changed, 97 insertions(+), 91 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ typedef struct {
  * final element on each page.  Identify any single element that spans
  * the page boundary.  Return true if there are any active elements.
  */
-static bool __attribute__((unused))
-sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
-                       intptr_t reg_max, int esz, int msize)
+static bool sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr,
+                                   uint64_t *vg, intptr_t reg_max,
+                                   int esz, int msize)
 {
     const int esize = 1 << esz;
     const uint64_t pg_mask = pred_esz_masks[esz];
@@ -XXX,XX +XXX,XX @@ sve_cont_ldst_elements(SVEContLdSt *info, target_ulong addr, uint64_t *vg,
  * Control the generation of page faults with @fault.  Return false if
  * there is no work to do, which can only happen with @fault == FAULT_NO.
  */
-static bool __attribute__((unused))
-sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault, CPUARMState *env,
-                    target_ulong addr, MMUAccessType access_type,
-                    uintptr_t retaddr)
+static bool sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault,
+                                CPUARMState *env, target_ulong addr,
+                                MMUAccessType access_type, uintptr_t retaddr)
 {
     int mmu_idx = cpu_mmu_index(env, false);
     int mem_off = info->mem_off_first[0];
@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
 /*
  * Common helper for all contiguous one-register predicated loads.
  */
-static void sve_ld1_r(CPUARMState *env, void *vg, const target_ulong addr,
-                      uint32_t desc, const uintptr_t retaddr,
-                      const int esz, const int msz,
-                      sve_ldst1_host_fn *host_fn,
-                      sve_ldst1_tlb_fn *tlb_fn)
+static inline QEMU_ALWAYS_INLINE
+void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
+               uint32_t desc, const uintptr_t retaddr,
+               const int esz, const int msz,
+               sve_ldst1_host_fn *host_fn,
+               sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
-    const int mmu_idx = get_mmuidx(oi);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     void *vd = &env->vfp.zregs[rd];
-    const int diffsz = esz - msz;
     const intptr_t reg_max = simd_oprsz(desc);
-    const intptr_t mem_max = reg_max >> diffsz;
-    ARMVectorReg scratch;
+    intptr_t reg_off, reg_last, mem_off;
+    SVEContLdSt info;
     void *host;
-    intptr_t split, reg_off, mem_off;
+    int flags;
 
-    /* Find the first active element.  */
-    reg_off = find_next_active(vg, 0, reg_max, esz);
-    if (unlikely(reg_off == reg_max)) {
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
         /* The entire predicate was false; no load occurs.  */
         memset(vd, 0, reg_max);
         return;
     }
-    mem_off = reg_off >> diffsz;
 
-    /*
-     * If the (remaining) load is entirely within a single page, then:
-     * For softmmu, and the tlb hits, then no faults will occur;
-     * For user-only, either the first load will fault or none will.
-     * We can thus perform the load directly to the destination and
-     * Vd will be unmodified on any exception path.
-     */
-    split = max_for_page(addr, mem_off, mem_max);
-    if (likely(split == mem_max)) {
-        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
-        if (test_host_page(host)) {
-            intptr_t i = reg_off;
-            host -= mem_off;
-            do {
-                host_fn(vd, i, host + (i >> diffsz));
-                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
-            } while (i < reg_max);
-            /* After having taken any fault, zero leading inactive elements. */
-            swap_memzero(vd, reg_off);
-            return;
-        }
-    }
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
 
-    /*
-     * Perform the predicated read into a temporary, thus ensuring
-     * if the load of the last element faults, Vd is not modified.
-     */
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
 #ifdef CONFIG_USER_ONLY
-    swap_memzero(&scratch, reg_off);
-    host = g2h(addr);
-    do {
-        host_fn(&scratch, reg_off, host + (reg_off >> diffsz));
-        reg_off += 1 << esz;
-        reg_off = find_next_active(vg, reg_off, reg_max, esz);
-    } while (reg_off < reg_max);
+        g_assert_not_reached();
 #else
-    memset(&scratch, 0, reg_max);
-    goto start;
-    while (1) {
-        reg_off = find_next_active(vg, reg_off, reg_max, esz);
-        if (reg_off >= reg_max) {
-            break;
-        }
-        mem_off = reg_off >> diffsz;
-        split = max_for_page(addr, mem_off, mem_max);
+        /*
+         * At least one page includes MMIO (or watchpoints).
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  Perform the load
+         * into scratch memory to preserve register state until the end.
+         */
+        ARMVectorReg scratch;
 
-    start:
-        if (split - mem_off >= (1 << msz)) {
-            /* At least one whole element on this page.  */
-            host = tlb_vaddr_to_host(env, addr + mem_off,
-                                     MMU_DATA_LOAD, mmu_idx);
-            if (host) {
-                host -= mem_off;
-                do {
-                    host_fn(&scratch, reg_off, host + mem_off);
-                    reg_off += 1 << esz;
-                    reg_off = find_next_active(vg, reg_off, reg_max, esz);
-                    mem_off = reg_off >> diffsz;
-                } while (split - mem_off >= (1 << msz));
-                continue;
+        memset(&scratch, 0, reg_max);
+        mem_off = info.mem_off_first[0];
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
             }
         }
 
-        /*
-         * Perform one normal read.  This may fault, longjmping out to the
-         * main loop in order to raise an exception.  It may succeed, and
-         * as a side-effect load the TLB entry for the next round.  Finally,
-         * in the extremely unlikely case we're performing this operation
-         * on I/O memory, it may succeed but not bring in the TLB entry.
-         * But even then we have still made forward progress.
-         */
-        tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
-        reg_off += 1 << esz;
-    }
-#endif
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
+                }
+                reg_off += 1 << esz;
+                mem_off += 1 << msz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
 
-    memcpy(vd, &scratch, reg_max);
+        memcpy(vd, &scratch, reg_max);
+        return;
+#endif
+    }
+
+    /* The entire operation is in RAM, on valid pages. */
+
+    memset(vd, 0, reg_max);
+    mem_off = info.mem_off_first[0];
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(vd, reg_off, host + mem_off);
+            }
+            reg_off += 1 << esz;
+            mem_off += 1 << msz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    mem_off = info.mem_off_split;
+    if (unlikely(mem_off >= 0)) {
+        tlb_fn(env, vd, info.reg_off_split, addr + mem_off, retaddr);
+    }
+
+    mem_off = info.mem_off_first[1];
+    if (unlikely(mem_off >= 0)) {
+        reg_off = info.reg_off_first[1];
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(vd, reg_off, host + mem_off);
+                }
+                reg_off += 1 << esz;
+                mem_off += 1 << msz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
 }
 
 #define DO_LD1_1(NAME, ESZ) \
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Handle all of the watchpoints for active elements all at once,
before we've modified the vector register.  This removes the
TLB_WATCHPOINT bit from page[].flags, which means that we can
use the normal fast path via RAM.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 72 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static bool sve_cont_ldst_pages(SVEContLdSt *info, SVEContFault fault,
     return have_work;
 }
 
+static void sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env,
+                                      uint64_t *vg, target_ulong addr,
+                                      int esize, int msize, int wp_access,
+                                      uintptr_t retaddr)
+{
+#ifndef CONFIG_USER_ONLY
+    intptr_t mem_off, reg_off, reg_last;
+    int flags0 = info->page[0].flags;
+    int flags1 = info->page[1].flags;
+
+    if (likely(!((flags0 | flags1) & TLB_WATCHPOINT))) {
+        return;
+    }
+
+    /* Indicate that watchpoints are handled. */
+    info->page[0].flags = flags0 & ~TLB_WATCHPOINT;
+    info->page[1].flags = flags1 & ~TLB_WATCHPOINT;
+
+    if (flags0 & TLB_WATCHPOINT) {
+        mem_off = info->mem_off_first[0];
+        reg_off = info->reg_off_first[0];
+        reg_last = info->reg_off_last[0];
+
+        while (reg_off <= reg_last) {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    cpu_check_watchpoint(env_cpu(env), addr + mem_off,
+                                         msize, info->page[0].attrs,
+                                         wp_access, retaddr);
+                }
+                reg_off += esize;
+                mem_off += msize;
+            } while (reg_off <= reg_last && (reg_off & 63));
+        }
+    }
+
+    mem_off = info->mem_off_split;
+    if (mem_off >= 0) {
+        cpu_check_watchpoint(env_cpu(env), addr + mem_off, msize,
+                             info->page[0].attrs, wp_access, retaddr);
+    }
+
+    mem_off = info->mem_off_first[1];
+    if ((flags1 & TLB_WATCHPOINT) && mem_off >= 0) {
+        reg_off = info->reg_off_first[1];
+        reg_last = info->reg_off_last[1];
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    cpu_check_watchpoint(env_cpu(env), addr + mem_off,
+                                         msize, info->page[1].attrs,
+                                         wp_access, retaddr);
+                }
+                reg_off += esize;
+                mem_off += msize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+#endif
+}
+
 /*
  * The result of tlb_vaddr_to_host for user-only is just g2h(x),
  * which is always non-null.  Elide the useless test.
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
     /* Probe the page(s).  Exit with exception for any invalid page. */
     sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
 
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, 1 << msz,
+                              BP_MEM_READ, retaddr);
+
+    /* TODO: MTE check. */
+
     flags = info.page[0].flags | info.page[1].flags;
     if (unlikely(flags != 0)) {
 #ifdef CONFIG_USER_ONLY
         g_assert_not_reached();
 #else
         /*
-         * At least one page includes MMIO (or watchpoints).
+         * At least one page includes MMIO.
          * Any bus operation can fail with cpu_transaction_failed,
          * which for ARM will raise SyncExternal.  Perform the load
          * into scratch memory to preserve register state until the end.
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 223 ++++++++++++++--------------------------
 1 file changed, 79 insertions(+), 144 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static inline bool test_host_page(void *host)
 }
 
 /*
- * Common helper for all contiguous one-register predicated loads.
+ * Common helper for all contiguous 1,2,3,4-register predicated stores.
  */
 static inline QEMU_ALWAYS_INLINE
-void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
+void sve_ldN_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
                uint32_t desc, const uintptr_t retaddr,
-               const int esz, const int msz,
+               const int esz, const int msz, const int N,
                sve_ldst1_host_fn *host_fn,
                sve_ldst1_tlb_fn *tlb_fn)
 {
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    void *vd = &env->vfp.zregs[rd];
     const intptr_t reg_max = simd_oprsz(desc);
     intptr_t reg_off, reg_last, mem_off;
     SVEContLdSt info;
     void *host;
-    int flags;
+    int flags, i;
 
     /* Find the active elements.  */
-    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, N << msz)) {
         /* The entire predicate was false; no load occurs.  */
-        memset(vd, 0, reg_max);
+        for (i = 0; i < N; ++i) {
+            memset(&env->vfp.zregs[(rd + i) & 31], 0, reg_max);
+        }
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
     sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, retaddr);
 
     /* Handle watchpoints for all active elements. */
-    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, 1 << msz,
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, N << msz,
                               BP_MEM_READ, retaddr);
 
     /* TODO: MTE check. */
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
          * which for ARM will raise SyncExternal.  Perform the load
          * into scratch memory to preserve register state until the end.
          */
-        ARMVectorReg scratch;
+        ARMVectorReg scratch[4] = { };
 
-        memset(&scratch, 0, reg_max);
         mem_off = info.mem_off_first[0];
         reg_off = info.reg_off_first[0];
         reg_last = info.reg_off_last[1];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
             uint64_t pg = vg[reg_off >> 6];
             do {
                 if ((pg >> (reg_off & 63)) & 1) {
-                    tlb_fn(env, &scratch, reg_off, addr + mem_off, retaddr);
+                    for (i = 0; i < N; ++i) {
+                        tlb_fn(env, &scratch[i], reg_off,
+                               addr + mem_off + (i << msz), retaddr);
+                    }
                 }
                 reg_off += 1 << esz;
-                mem_off += 1 << msz;
+                mem_off += N << msz;
             } while (reg_off & 63);
         } while (reg_off <= reg_last);
 
-        memcpy(vd, &scratch, reg_max);
+        for (i = 0; i < N; ++i) {
+            memcpy(&env->vfp.zregs[(rd + i) & 31], &scratch[i], reg_max);
+        }
         return;
 #endif
     }
 
     /* The entire operation is in RAM, on valid pages. */
 
-    memset(vd, 0, reg_max);
+    for (i = 0; i < N; ++i) {
+        memset(&env->vfp.zregs[(rd + i) & 31], 0, reg_max);
+    }
+
     mem_off = info.mem_off_first[0];
     reg_off = info.reg_off_first[0];
     reg_last = info.reg_off_last[0];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
         uint64_t pg = vg[reg_off >> 6];
         do {
             if ((pg >> (reg_off & 63)) & 1) {
-                host_fn(vd, reg_off, host + mem_off);
+                for (i = 0; i < N; ++i) {
+                    host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
+                            host + mem_off + (i << msz));
+                }
             }
             reg_off += 1 << esz;
-            mem_off += 1 << msz;
+            mem_off += N << msz;
         } while (reg_off <= reg_last && (reg_off & 63));
     }
 
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
      */
     mem_off = info.mem_off_split;
     if (unlikely(mem_off >= 0)) {
-        tlb_fn(env, vd, info.reg_off_split, addr + mem_off, retaddr);
+        reg_off = info.reg_off_split;
+        for (i = 0; i < N; ++i) {
+            tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
+                   addr + mem_off + (i << msz), retaddr);
+        }
     }
 
     mem_off = info.mem_off_first[1];
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
             uint64_t pg = vg[reg_off >> 6];
             do {
                 if ((pg >> (reg_off & 63)) & 1) {
-                    host_fn(vd, reg_off, host + mem_off);
+                    for (i = 0; i < N; ++i) {
+                        host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
+                                host + mem_off + (i << msz));
+                    }
                 }
                 reg_off += 1 << esz;
-                mem_off += 1 << msz;
+                mem_off += N << msz;
             } while (reg_off & 63);
         } while (reg_off <= reg_last);
     }
@@ -XXX,XX +XXX,XX @@ void sve_ld1_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
 void HELPER(sve_##NAME##_r)(CPUARMState *env, void *vg,        \
                             target_ulong addr, uint32_t desc)  \
 {                                                              \
-    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, 0,            \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, 1,      \
               sve_##NAME##_host, sve_##NAME##_tlb);            \
 }
 
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_##NAME##_r)(CPUARMState *env, void *vg,        \
 void HELPER(sve_##NAME##_le_r)(CPUARMState *env, void *vg,        \
                                target_ulong addr, uint32_t desc)  \
 {                                                                 \
-    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,             \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, 1,          \
               sve_##NAME##_le_host, sve_##NAME##_le_tlb);         \
 }                                                                 \
 void HELPER(sve_##NAME##_be_r)(CPUARMState *env, void *vg,        \
                                target_ulong addr, uint32_t desc)  \
 {                                                                 \
-    sve_ld1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,             \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, 1,          \
               sve_##NAME##_be_host, sve_##NAME##_be_tlb);         \
 }
 
-DO_LD1_1(ld1bb,  0)
-DO_LD1_1(ld1bhu, 1)
-DO_LD1_1(ld1bhs, 1)
-DO_LD1_1(ld1bsu, 2)
-DO_LD1_1(ld1bss, 2)
-DO_LD1_1(ld1bdu, 3)
-DO_LD1_1(ld1bds, 3)
+DO_LD1_1(ld1bb,  MO_8)
+DO_LD1_1(ld1bhu, MO_16)
+DO_LD1_1(ld1bhs, MO_16)
+DO_LD1_1(ld1bsu, MO_32)
+DO_LD1_1(ld1bss, MO_32)
+DO_LD1_1(ld1bdu, MO_64)
+DO_LD1_1(ld1bds, MO_64)
 
-DO_LD1_2(ld1hh,  1, 1)
-DO_LD1_2(ld1hsu, 2, 1)
-DO_LD1_2(ld1hss, 2, 1)
-DO_LD1_2(ld1hdu, 3, 1)
-DO_LD1_2(ld1hds, 3, 1)
+DO_LD1_2(ld1hh,  MO_16, MO_16)
+DO_LD1_2(ld1hsu, MO_32, MO_16)
+DO_LD1_2(ld1hss, MO_32, MO_16)
+DO_LD1_2(ld1hdu, MO_64, MO_16)
+DO_LD1_2(ld1hds, MO_64, MO_16)
 
-DO_LD1_2(ld1ss,  2, 2)
-DO_LD1_2(ld1sdu, 3, 2)
-DO_LD1_2(ld1sds, 3, 2)
+DO_LD1_2(ld1ss,  MO_32, MO_32)
+DO_LD1_2(ld1sdu, MO_64, MO_32)
+DO_LD1_2(ld1sds, MO_64, MO_32)
 
-DO_LD1_2(ld1dd,  3, 3)
+DO_LD1_2(ld1dd,  MO_64, MO_64)
 
 #undef DO_LD1_1
 #undef DO_LD1_2
 
-/*
- * Common helpers for all contiguous 2,3,4-register predicated loads.
- */
-static void sve_ld2_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, int size, uintptr_t ra,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    ARMVectorReg scratch[2] = { };
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, ra);
-            }
-            i += size, pg >>= size;
-            addr += 2 * size;
-        } while (i & 15);
-    }
-
-    /* Wait until all exceptions have been raised to write back.  */
-    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
-}
-
-static void sve_ld3_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, int size, uintptr_t ra,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    ARMVectorReg scratch[3] = { };
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, ra);
-                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
-            }
-            i += size, pg >>= size;
-            addr += 3 * size;
-        } while (i & 15);
-    }
-
-    /* Wait until all exceptions have been raised to write back.  */
-    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 2) & 31], &scratch[2], oprsz);
-}
-
-static void sve_ld4_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, int size, uintptr_t ra,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    ARMVectorReg scratch[4] = { };
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, &scratch[0], i, addr, ra);
-                tlb_fn(env, &scratch[1], i, addr + size, ra);
-                tlb_fn(env, &scratch[2], i, addr + 2 * size, ra);
-                tlb_fn(env, &scratch[3], i, addr + 3 * size, ra);
-            }
-            i += size, pg >>= size;
-            addr += 4 * size;
-        } while (i & 15);
-    }
-
-    /* Wait until all exceptions have been raised to write back.  */
-    memcpy(&env->vfp.zregs[rd], &scratch[0], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 1) & 31], &scratch[1], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 2) & 31], &scratch[2], oprsz);
-    memcpy(&env->vfp.zregs[(rd + 3) & 31], &scratch[3], oprsz);
-}
-
 #define DO_LDN_1(N) \
-void QEMU_FLATTEN HELPER(sve_ld##N##bb_r) \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)  \
-{                                                                   \
-    sve_ld##N##_r(env, vg, addr, desc, 1, GETPC(), sve_ld1bb_tlb);  \
+void HELPER(sve_ld##N##bb_r)(CPUARMState *env, void *vg,        \
+                             target_ulong addr, uint32_t desc)  \
+{                                                               \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), MO_8, MO_8, N,      \
+              sve_ld1bb_host, sve_ld1bb_tlb);                   \
 }
 
-#define DO_LDN_2(N, SUFF, SIZE)                                       \
-void QEMU_FLATTEN HELPER(sve_ld##N##SUFF##_le_r)                      \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
+#define DO_LDN_2(N, SUFF, ESZ) \
+void HELPER(sve_ld##N##SUFF##_le_r)(CPUARMState *env, void *vg,       \
+                                    target_ulong addr, uint32_t desc) \
 {                                                                     \
-    sve_ld##N##_r(env, vg, addr, desc, SIZE, GETPC(),                 \
-                  sve_ld1##SUFF##_le_tlb);                            \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, ESZ, N,              \
+              sve_ld1##SUFF##_le_host, sve_ld1##SUFF##_le_tlb);       \
 }                                                                     \
-void QEMU_FLATTEN HELPER(sve_ld##N##SUFF##_be_r)                      \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
+void HELPER(sve_ld##N##SUFF##_be_r)(CPUARMState *env, void *vg,       \
+                                    target_ulong addr, uint32_t desc) \
 {                                                                     \
-    sve_ld##N##_r(env, vg, addr, desc, SIZE, GETPC(),                 \
-                  sve_ld1##SUFF##_be_tlb);                            \
+    sve_ldN_r(env, vg, addr, desc, GETPC(), ESZ, ESZ, N,              \
+              sve_ld1##SUFF##_be_host, sve_ld1##SUFF##_be_tlb);       \
 }
 
 DO_LDN_1(2)
 DO_LDN_1(3)
 DO_LDN_1(4)
 
-DO_LDN_2(2, hh, 2)
-DO_LDN_2(3, hh, 2)
-DO_LDN_2(4, hh, 2)
+DO_LDN_2(2, hh, MO_16)
+DO_LDN_2(3, hh, MO_16)
+DO_LDN_2(4, hh, MO_16)
 
-DO_LDN_2(2, ss, 4)
-DO_LDN_2(3, ss, 4)
-DO_LDN_2(4, ss, 4)
+DO_LDN_2(2, ss, MO_32)
+DO_LDN_2(3, ss, MO_32)
+DO_LDN_2(4, ss, MO_32)
 
-DO_LDN_2(2, dd, 8)
-DO_LDN_2(3, dd, 8)
-DO_LDN_2(4, dd, 8)
+DO_LDN_2(2, dd, MO_64)
+DO_LDN_2(3, dd, MO_64)
+DO_LDN_2(4, dd, MO_64)
 
 #undef DO_LDN_1
 #undef DO_LDN_2
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

With sve_cont_ldst_pages, the differences between first-fault and no-fault
are minimal, so unify the routines.  With cpu_probe_watchpoint, we are able
to make progress through pages with TLB_WATCHPOINT set when the watchpoint
does not actually fire.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 346 +++++++++++++++++++---------------------
 1 file changed, 162 insertions(+), 184 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static intptr_t find_next_active(uint64_t *vg, intptr_t reg_off,
     return reg_off;
 }
 
-/*
- * Return the maximum offset <= @mem_max which is still within the page
- * referenced by @base + @mem_off.
- */
-static intptr_t max_for_page(target_ulong base, intptr_t mem_off,
-                             intptr_t mem_max)
-{
-    target_ulong addr = base + mem_off;
-    intptr_t split = -(intptr_t)(addr | TARGET_PAGE_MASK);
-    return MIN(split, mem_max - mem_off) + mem_off;
-}
-
 /*
  * Resolve the guest virtual address to info->host and info->flags.
  * If @nofault, return false if the page is invalid, otherwise
@@ -XXX,XX +XXX,XX @@ static void sve_cont_ldst_watchpoints(SVEContLdSt *info, CPUARMState *env,
 #endif
 }
 
-/*
- * The result of tlb_vaddr_to_host for user-only is just g2h(x),
- * which is always non-null.  Elide the useless test.
- */
-static inline bool test_host_page(void *host)
-{
-#ifdef CONFIG_USER_ONLY
-    return true;
-#else
-    return likely(host != NULL);
-#endif
-}
-
 /*
  * Common helper for all contiguous 1,2,3,4-register predicated stores.
  */
@@ -XXX,XX +XXX,XX @@ static void record_fault(CPUARMState *env, uintptr_t i, uintptr_t oprsz)
 }
 
 /*
- * Common helper for all contiguous first-fault loads.
+ * Common helper for all contiguous no-fault and first-fault loads.
  */
-static void sve_ldff1_r(CPUARMState *env, void *vg, const target_ulong addr,
-                        uint32_t desc, const uintptr_t retaddr,
-                        const int esz, const int msz,
-                        sve_ldst1_host_fn *host_fn,
-                        sve_ldst1_tlb_fn *tlb_fn)
+static inline QEMU_ALWAYS_INLINE
+void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
+                   uint32_t desc, const uintptr_t retaddr,
+                   const int esz, const int msz, const SVEContFault fault,
+                   sve_ldst1_host_fn *host_fn,
+                   sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
-    const int mmu_idx = get_mmuidx(oi);
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
     void *vd = &env->vfp.zregs[rd];
-    const int diffsz = esz - msz;
     const intptr_t reg_max = simd_oprsz(desc);
-    const intptr_t mem_max = reg_max >> diffsz;
-    intptr_t split, reg_off, mem_off, i;
+    intptr_t reg_off, mem_off, reg_last;
+    SVEContLdSt info;
+    int flags;
     void *host;
 
-    /* Skip to the first active element.  */
-    reg_off = find_next_active(vg, 0, reg_max, esz);
-    if (unlikely(reg_off == reg_max)) {
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, 1 << msz)) {
         /* The entire predicate was false; no load occurs.  */
         memset(vd, 0, reg_max);
         return;
     }
-    mem_off = reg_off >> diffsz;
+    reg_off = info.reg_off_first[0];
 
-    /*
-     * If the (remaining) load is entirely within a single page, then:
-     * For softmmu, and the tlb hits, then no faults will occur;
-     * For user-only, either the first load will fault or none will.
-     * We can thus perform the load directly to the destination and
-     * Vd will be unmodified on any exception path.
-     */
-    split = max_for_page(addr, mem_off, mem_max);
-    if (likely(split == mem_max)) {
-        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
-        if (test_host_page(host)) {
-            i = reg_off;
-            host -= mem_off;
-            do {
-                host_fn(vd, i, host + (i >> diffsz));
-                i = find_next_active(vg, i + (1 << esz), reg_max, esz);
-            } while (i < reg_max);
-            /* After any fault, zero any leading inactive elements.  */
+    /* Probe the page(s). */
+    if (!sve_cont_ldst_pages(&info, fault, env, addr, MMU_DATA_LOAD, retaddr)) {
+        /* Fault on first element. */
+        tcg_debug_assert(fault == FAULT_NO);
+        memset(vd, 0, reg_max);
+        goto do_fault;
+    }
+
+    mem_off = info.mem_off_first[0];
+    flags = info.page[0].flags;
+
+    if (fault == FAULT_FIRST) {
+        /*
+         * Special handling of the first active element,
+         * if it crosses a page boundary or is MMIO.
+         */
+        bool is_split = mem_off == info.mem_off_split;
+        /* TODO: MTE check. */
+        if (unlikely(flags != 0) || unlikely(is_split)) {
+            /*
+             * Use the slow path for cross-page handling.
+             * Might trap for MMIO or watchpoints.
+             */
+            tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
+
+            /* After any fault, zero the other elements. */
             swap_memzero(vd, reg_off);
-            return;
+            reg_off += 1 << esz;
+            mem_off += 1 << msz;
+            swap_memzero(vd + reg_off, reg_max - reg_off);
+
+            if (is_split) {
+                goto second_page;
+            }
+        } else {
+            memset(vd, 0, reg_max);
+        }
+    } else {
+        memset(vd, 0, reg_max);
+        if (unlikely(mem_off == info.mem_off_split)) {
+            /* The first active element crosses a page boundary. */
+            flags |= info.page[1].flags;
+            if (unlikely(flags & TLB_MMIO)) {
+                /* Some page is MMIO, see below. */
+                goto do_fault;
+            }
+            if (unlikely(flags & TLB_WATCHPOINT) &&
+                (cpu_watchpoint_address_matches
+                 (env_cpu(env), addr + mem_off, 1 << msz)
+                 & BP_MEM_READ)) {
+                /* Watchpoint hit, see below. */
+                goto do_fault;
+            }
+            /* TODO: MTE check. */
+            /*
+             * Use the slow path for cross-page handling.
+             * This is RAM, without a watchpoint, and will not trap.
+             */
+            tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
+            goto second_page;
         }
     }
 
     /*
-     * Perform one normal read, which will fault or not.
-     * But it is likely to bring the page into the tlb.
+     * From this point on, all memory operations are MemSingleNF.
+     *
+     * Per the MemSingleNF pseudocode, a no-fault load from Device memory
+     * must not actually hit the bus -- it returns (UNKNOWN, FAULT) instead.
+     *
+     * Unfortuately we do not have access to the memory attributes from the
+     * PTE to tell Device memory from Normal memory.  So we make a mostly
+     * correct check, and indicate (UNKNOWN, FAULT) for any MMIO.
+     * This gives the right answer for the common cases of "Normal memory,
+     * backed by host RAM" and "Device memory, backed by MMIO".
+     * The architecture allows us to suppress an NF load and return
+     * (UNKNOWN, FAULT) for any reason, so our behaviour for the corner
+     * case of "Normal memory, backed by MMIO" is permitted.  The case we
+     * get wrong is "Device memory, backed by host RAM", for which we
+     * should return (UNKNOWN, FAULT) for but do not.
+     *
+     * Similarly, CPU_BP breakpoints would raise exceptions, and so
+     * return (UNKNOWN, FAULT).  For simplicity, we consider gdb and
+     * architectural breakpoints the same.
      */
-    tlb_fn(env, vd, reg_off, addr + mem_off, retaddr);
+    if (unlikely(flags & TLB_MMIO)) {
+        goto do_fault;
+    }
 
-    /* After any fault, zero any leading predicated false elts.  */
-    swap_memzero(vd, reg_off);
-    mem_off += 1 << msz;
-    reg_off += 1 << esz;
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
 
-    /* Try again to read the balance of the page.  */
-    split = max_for_page(addr, mem_off - 1, mem_max);
-    if (split >= (1 << msz)) {
-        host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
-        if (host) {
-            host -= mem_off;
-            do {
+    do {
+        uint64_t pg = *(uint64_t *)(vg + (reg_off >> 3));
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                if (unlikely(flags & TLB_WATCHPOINT) &&
+                    (cpu_watchpoint_address_matches
+                     (env_cpu(env), addr + mem_off, 1 << msz)
+                     & BP_MEM_READ)) {
+                    goto do_fault;
+                }
+                /* TODO: MTE check. */
                 host_fn(vd, reg_off, host + mem_off);
-                reg_off += 1 << esz;
-                reg_off = find_next_active(vg, reg_off, reg_max, esz);
-                mem_off = reg_off >> diffsz;
-            } while (split - mem_off >= (1 << msz));
-        }
-    }
-
-    record_fault(env, reg_off, reg_max);
-}
-
-/*
- * Common helper for all contiguous no-fault loads.
- */
-static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
-                        uint32_t desc, const int esz, const int msz,
-                        sve_ldst1_host_fn *host_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    void *vd = &env->vfp.zregs[rd];
-    const int diffsz = esz - msz;
-    const intptr_t reg_max = simd_oprsz(desc);
-    const intptr_t mem_max = reg_max >> diffsz;
-    const int mmu_idx = cpu_mmu_index(env, false);
-    intptr_t split, reg_off, mem_off;
-    void *host;
-
-#ifdef CONFIG_USER_ONLY
-    host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);
-    if (likely(page_check_range(addr, mem_max, PAGE_READ) == 0)) {
-        /* The entire operation is valid and will not fault.  */
-        reg_off = 0;
-        do {
-            mem_off = reg_off >> diffsz;
-            host_fn(vd, reg_off, host + mem_off);
+            }
             reg_off += 1 << esz;
-            reg_off = find_next_active(vg, reg_off, reg_max, esz);
-        } while (reg_off < reg_max);
-        return;
-    }
-#endif
+            mem_off += 1 << msz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    } while (reg_off <= reg_last);
 
-    /* There will be no fault, so we may modify in advance.  */
-    memset(vd, 0, reg_max);
-
-    /* Skip to the first active element.  */
-    reg_off = find_next_active(vg, 0, reg_max, esz);
-    if (unlikely(reg_off == reg_max)) {
-        /* The entire predicate was false; no load occurs.  */
-        return;
-    }
-    mem_off = reg_off >> diffsz;
-
-#ifdef CONFIG_USER_ONLY
-    if (page_check_range(addr + mem_off, 1 << msz, PAGE_READ) == 0) {
-        /* At least one load is valid; take the rest of the page.  */
-        split = max_for_page(addr, mem_off + (1 << msz) - 1, mem_max);
-        do {
-            host_fn(vd, reg_off, host + mem_off);
-            reg_off += 1 << esz;
-            reg_off = find_next_active(vg, reg_off, reg_max, esz);
-            mem_off = reg_off >> diffsz;
-        } while (split - mem_off >= (1 << msz));
-    }
-#else
     /*
-     * If the address is not in the TLB, we have no way to bring the
-     * entry into the TLB without also risking a fault.  Note that
-     * the corollary is that we never load from an address not in RAM.
-     *
-     * This last is out of spec, in a weird corner case.
-     * Per the MemNF/MemSingleNF pseudocode, a NF load from Device memory
-     * must not actually hit the bus -- it returns UNKNOWN data instead.
-     * But if you map non-RAM with Normal memory attributes and do a NF
-     * load then it should access the bus.  (Nobody ought actually do this
-     * in the real world, obviously.)
-     *
-     * Then there are the annoying special cases with watchpoints...
-     * TODO: Add a form of non-faulting loads using cc->tlb_fill(probe=true).
+     * MemSingleNF is allowed to fail for any reason.  We have special
+     * code above to handle the first element crossing a page boundary.
+     * As an implementation choice, decline to handle a cross-page element
+     * in any other position.
      */
-    host = tlb_vaddr_to_host(env, addr + mem_off, MMU_DATA_LOAD, mmu_idx);
-    split = max_for_page(addr, mem_off, mem_max);
-    if (host && split >= (1 << msz)) {
-        host -= mem_off;
-        do {
-            host_fn(vd, reg_off, host + mem_off);
-            reg_off += 1 << esz;
-            reg_off = find_next_active(vg, reg_off, reg_max, esz);
-            mem_off = reg_off >> diffsz;
-        } while (split - mem_off >= (1 << msz));
+    reg_off = info.reg_off_split;
+    if (reg_off >= 0) {
+        goto do_fault;
     }
-#endif
 
+ second_page:
+    reg_off = info.reg_off_first[1];
+    if (likely(reg_off < 0)) {
+        /* No active elements on the second page.  All done. */
+        return;
+    }
+
+    /*
+     * MemSingleNF is allowed to fail for any reason.  As an implementation
+     * choice, decline to handle elements on the second page.  This should
+     * be low frequency as the guest walks through memory -- the next
+     * iteration of the guest's loop should be aligned on the page boundary,
+     * and then all following iterations will stay aligned.
+     */
+
+ do_fault:
     record_fault(env, reg_off, reg_max);
 }
 
@@ -XXX,XX +XXX,XX @@ static void sve_ldnf1_r(CPUARMState *env, void *vg, const target_ulong addr,
 void HELPER(sve_ldff1##PART##_r)(CPUARMState *env, void *vg,            \
                                  target_ulong addr, uint32_t desc)      \
 {                                                                       \
-    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, 0,                   \
-                sve_ld1##PART##_host, sve_ld1##PART##_tlb);             \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, FAULT_FIRST, \
+                  sve_ld1##PART##_host, sve_ld1##PART##_tlb);           \
 }                                                                       \
 void HELPER(sve_ldnf1##PART##_r)(CPUARMState *env, void *vg,            \
                                  target_ulong addr, uint32_t desc)      \
 {                                                                       \
-    sve_ldnf1_r(env, vg, addr, desc, ESZ, 0, sve_ld1##PART##_host);     \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, FAULT_NO,    \
+                  sve_ld1##PART##_host, sve_ld1##PART##_tlb);           \
 }
 
 #define DO_LDFF1_LDNF1_2(PART, ESZ, MSZ) \
 void HELPER(sve_ldff1##PART##_le_r)(CPUARMState *env, void *vg,         \
                                     target_ulong addr, uint32_t desc)   \
 {                                                                       \
-    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,                 \
-                sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);       \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_FIRST,  \
+                  sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);     \
 }                                                                       \
 void HELPER(sve_ldnf1##PART##_le_r)(CPUARMState *env, void *vg,         \
                                     target_ulong addr, uint32_t desc)   \
 {                                                                       \
-    sve_ldnf1_r(env, vg, addr, desc, ESZ, MSZ, sve_ld1##PART##_le_host); \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_NO,     \
+                  sve_ld1##PART##_le_host, sve_ld1##PART##_le_tlb);     \
 }                                                                       \
 void HELPER(sve_ldff1##PART##_be_r)(CPUARMState *env, void *vg,         \
                                     target_ulong addr, uint32_t desc)   \
 {                                                                       \
-    sve_ldff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ,                 \
-                sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);       \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_FIRST,  \
+                  sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);     \
 }                                                                       \
 void HELPER(sve_ldnf1##PART##_be_r)(CPUARMState *env, void *vg,         \
                                     target_ulong addr, uint32_t desc)   \
 {                                                                       \
-    sve_ldnf1_r(env, vg, addr, desc, ESZ, MSZ, sve_ld1##PART##_be_host); \
+    sve_ldnfff1_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, FAULT_NO,     \
+                  sve_ld1##PART##_be_host, sve_ld1##PART##_be_tlb);     \
 }
 
-DO_LDFF1_LDNF1_1(bb,  0)
-DO_LDFF1_LDNF1_1(bhu, 1)
-DO_LDFF1_LDNF1_1(bhs, 1)
-DO_LDFF1_LDNF1_1(bsu, 2)
-DO_LDFF1_LDNF1_1(bss, 2)
-DO_LDFF1_LDNF1_1(bdu, 3)
-DO_LDFF1_LDNF1_1(bds, 3)
+DO_LDFF1_LDNF1_1(bb,  MO_8)
+DO_LDFF1_LDNF1_1(bhu, MO_16)
+DO_LDFF1_LDNF1_1(bhs, MO_16)
+DO_LDFF1_LDNF1_1(bsu, MO_32)
+DO_LDFF1_LDNF1_1(bss, MO_32)
+DO_LDFF1_LDNF1_1(bdu, MO_64)
+DO_LDFF1_LDNF1_1(bds, MO_64)
 
-DO_LDFF1_LDNF1_2(hh,  1, 1)
-DO_LDFF1_LDNF1_2(hsu, 2, 1)
-DO_LDFF1_LDNF1_2(hss, 2, 1)
-DO_LDFF1_LDNF1_2(hdu, 3, 1)
-DO_LDFF1_LDNF1_2(hds, 3, 1)
+DO_LDFF1_LDNF1_2(hh,  MO_16, MO_16)
+DO_LDFF1_LDNF1_2(hsu, MO_32, MO_16)
+DO_LDFF1_LDNF1_2(hss, MO_32, MO_16)
+DO_LDFF1_LDNF1_2(hdu, MO_64, MO_16)
+DO_LDFF1_LDNF1_2(hds, MO_64, MO_16)
 
-DO_LDFF1_LDNF1_2(ss,  2, 2)
-DO_LDFF1_LDNF1_2(sdu, 3, 2)
-DO_LDFF1_LDNF1_2(sds, 3, 2)
+DO_LDFF1_LDNF1_2(ss,  MO_32, MO_32)
+DO_LDFF1_LDNF1_2(sdu, MO_64, MO_32)
+DO_LDFF1_LDNF1_2(sds, MO_64, MO_32)
 
-DO_LDFF1_LDNF1_2(dd,  3, 3)
+DO_LDFF1_LDNF1_2(dd,  MO_64, MO_64)
 
 #undef DO_LDFF1_LDNF1_1
 #undef DO_LDFF1_LDNF1_2
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Follow the model set up for contiguous loads.  This handles
watchpoints correctly for contiguous stores, recognizing the
exception before any changes to memory.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 285 ++++++++++++++++++++++------------------
 1 file changed, 159 insertions(+), 126 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
     *(TYPEE *)(vd + H(reg_off)) = val;                                 \
 }
 
+#define DO_ST_HOST(NAME, H, TYPEE, TYPEM, HOST) \
+static void sve_##NAME##_host(void *vd, intptr_t reg_off, void *host)  \
+{ HOST(host, (TYPEM)*(TYPEE *)(vd + H(reg_off))); }
+
 #define DO_LD_TLB(NAME, H, TYPEE, TYPEM, TLB) \
 static void sve_##NAME##_tlb(CPUARMState *env, void *vd, intptr_t reg_off,  \
                              target_ulong addr, uintptr_t ra)               \
@@ -XXX,XX +XXX,XX @@ DO_LD_PRIM_1(ld1bdu,     , uint64_t, uint8_t)
 DO_LD_PRIM_1(ld1bds,     , uint64_t,  int8_t)
 
 #define DO_ST_PRIM_1(NAME, H, TE, TM)                   \
+    DO_ST_HOST(st1##NAME, H, TE, TM, stb_p)             \
     DO_ST_TLB(st1##NAME, H, TE, TM, cpu_stb_data_ra)
 
 DO_ST_PRIM_1(bb,   H1,  uint8_t, uint8_t)
@@ -XXX,XX +XXX,XX @@ DO_ST_PRIM_1(bd,     , uint64_t, uint8_t)
     DO_LD_TLB(ld1##NAME##_le, H, TE, TM, cpu_##LD##_le_data_ra)
 
 #define DO_ST_PRIM_2(NAME, H, TE, TM, ST) \
+    DO_ST_HOST(st1##NAME##_be, H, TE, TM, ST##_be_p)    \
+    DO_ST_HOST(st1##NAME##_le, H, TE, TM, ST##_le_p)    \
     DO_ST_TLB(st1##NAME##_be, H, TE, TM, cpu_##ST##_be_data_ra) \
     DO_ST_TLB(st1##NAME##_le, H, TE, TM, cpu_##ST##_le_data_ra)
 
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_LDNF1_2(dd,  MO_64, MO_64)
 #undef DO_LDFF1_LDNF1_2
 
 /*
- * Common helpers for all contiguous 1,2,3,4-register predicated stores.
+ * Common helper for all contiguous 1,2,3,4-register predicated stores.
  */
-static void sve_st1_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, const uintptr_t ra,
-                      const int esize, const int msize,
-                      sve_ldst1_tlb_fn *tlb_fn)
+
+static inline QEMU_ALWAYS_INLINE
+void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr, uint32_t desc,
+               const uintptr_t retaddr, const int esz,
+               const int msz, const int N,
+               sve_ldst1_host_fn *host_fn,
+               sve_ldst1_tlb_fn *tlb_fn)
 {
     const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    void *vd = &env->vfp.zregs[rd];
+    const intptr_t reg_max = simd_oprsz(desc);
+    intptr_t reg_off, reg_last, mem_off;
+    SVEContLdSt info;
+    void *host;
+    int i, flags;
 
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, vd, i, addr, ra);
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, N << msz)) {
+        /* The entire predicate was false; no store occurs.  */
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, retaddr);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, 1 << esz, N << msz,
+                              BP_MEM_WRITE, retaddr);
+
+    /* TODO: MTE check. */
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  We cannot avoid
+         * this fault and will leave with the store incomplete.
+         */
+        mem_off = info.mem_off_first[0];
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
             }
-            i += esize, pg >>= esize;
-            addr += msize;
-        } while (i & 15);
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    for (i = 0; i < N; ++i) {
+                        tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
+                               addr + mem_off + (i << msz), retaddr);
+                    }
+                }
+                reg_off += 1 << esz;
+                mem_off += N << msz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+        return;
+#endif
+    }
+
+    mem_off = info.mem_off_first[0];
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                for (i = 0; i < N; ++i) {
+                    host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
+                            host + mem_off + (i << msz));
+                }
+            }
+            reg_off += 1 << esz;
+            mem_off += N << msz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    mem_off = info.mem_off_split;
+    if (unlikely(mem_off >= 0)) {
+        reg_off = info.reg_off_split;
+        for (i = 0; i < N; ++i) {
+            tlb_fn(env, &env->vfp.zregs[(rd + i) & 31], reg_off,
+                   addr + mem_off + (i << msz), retaddr);
+        }
+    }
+
+    mem_off = info.mem_off_first[1];
+    if (unlikely(mem_off >= 0)) {
+        reg_off = info.reg_off_first[1];
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    for (i = 0; i < N; ++i) {
+                        host_fn(&env->vfp.zregs[(rd + i) & 31], reg_off,
+                                host + mem_off + (i << msz));
+                    }
+                }
+                reg_off += 1 << esz;
+                mem_off += N << msz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
     }
 }
 
-static void sve_st2_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, const uintptr_t ra,
-                      const int esize, const int msize,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    void *d1 = &env->vfp.zregs[rd];
-    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, d1, i, addr, ra);
-                tlb_fn(env, d2, i, addr + msize, ra);
-            }
-            i += esize, pg >>= esize;
-            addr += 2 * msize;
-        } while (i & 15);
-    }
-}
-
-static void sve_st3_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, const uintptr_t ra,
-                      const int esize, const int msize,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    void *d1 = &env->vfp.zregs[rd];
-    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
-    void *d3 = &env->vfp.zregs[(rd + 2) & 31];
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, d1, i, addr, ra);
-                tlb_fn(env, d2, i, addr + msize, ra);
-                tlb_fn(env, d3, i, addr + 2 * msize, ra);
-            }
-            i += esize, pg >>= esize;
-            addr += 3 * msize;
-        } while (i & 15);
-    }
-}
-
-static void sve_st4_r(CPUARMState *env, void *vg, target_ulong addr,
-                      uint32_t desc, const uintptr_t ra,
-                      const int esize, const int msize,
-                      sve_ldst1_tlb_fn *tlb_fn)
-{
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    void *d1 = &env->vfp.zregs[rd];
-    void *d2 = &env->vfp.zregs[(rd + 1) & 31];
-    void *d3 = &env->vfp.zregs[(rd + 2) & 31];
-    void *d4 = &env->vfp.zregs[(rd + 3) & 31];
-
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
-        do {
-            if (pg & 1) {
-                tlb_fn(env, d1, i, addr, ra);
-                tlb_fn(env, d2, i, addr + msize, ra);
-                tlb_fn(env, d3, i, addr + 2 * msize, ra);
-                tlb_fn(env, d4, i, addr + 3 * msize, ra);
-            }
-            i += esize, pg >>= esize;
-            addr += 4 * msize;
-        } while (i & 15);
-    }
-}
-
-#define DO_STN_1(N, NAME, ESIZE) \
-void QEMU_FLATTEN HELPER(sve_st##N##NAME##_r) \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)  \
+#define DO_STN_1(N, NAME, ESZ) \
+void HELPER(sve_st##N##NAME##_r)(CPUARMState *env, void *vg,        \
+                                 target_ulong addr, uint32_t desc)  \
 {                                                                   \
-    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, 1,           \
-                  sve_st1##NAME##_tlb);                             \
+    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MO_8, N,           \
+              sve_st1##NAME##_host, sve_st1##NAME##_tlb);           \
 }
 
-#define DO_STN_2(N, NAME, ESIZE, MSIZE) \
-void QEMU_FLATTEN HELPER(sve_st##N##NAME##_le_r) \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
+#define DO_STN_2(N, NAME, ESZ, MSZ) \
+void HELPER(sve_st##N##NAME##_le_r)(CPUARMState *env, void *vg,       \
+                                    target_ulong addr, uint32_t desc) \
 {                                                                     \
-    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, MSIZE,         \
-                  sve_st1##NAME##_le_tlb);                            \
+    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, N,              \
+              sve_st1##NAME##_le_host, sve_st1##NAME##_le_tlb);       \
 }                                                                     \
-void QEMU_FLATTEN HELPER(sve_st##N##NAME##_be_r)                      \
-    (CPUARMState *env, void *vg, target_ulong addr, uint32_t desc)    \
+void HELPER(sve_st##N##NAME##_be_r)(CPUARMState *env, void *vg,       \
+                                    target_ulong addr, uint32_t desc) \
 {                                                                     \
-    sve_st##N##_r(env, vg, addr, desc, GETPC(), ESIZE, MSIZE,         \
-                  sve_st1##NAME##_be_tlb);                            \
+    sve_stN_r(env, vg, addr, desc, GETPC(), ESZ, MSZ, N,              \
+              sve_st1##NAME##_be_host, sve_st1##NAME##_be_tlb);       \
 }
 
-DO_STN_1(1, bb, 1)
-DO_STN_1(1, bh, 2)
-DO_STN_1(1, bs, 4)
-DO_STN_1(1, bd, 8)
-DO_STN_1(2, bb, 1)
-DO_STN_1(3, bb, 1)
-DO_STN_1(4, bb, 1)
+DO_STN_1(1, bb, MO_8)
+DO_STN_1(1, bh, MO_16)
+DO_STN_1(1, bs, MO_32)
+DO_STN_1(1, bd, MO_64)
+DO_STN_1(2, bb, MO_8)
+DO_STN_1(3, bb, MO_8)
+DO_STN_1(4, bb, MO_8)
 
-DO_STN_2(1, hh, 2, 2)
-DO_STN_2(1, hs, 4, 2)
-DO_STN_2(1, hd, 8, 2)
-DO_STN_2(2, hh, 2, 2)
-DO_STN_2(3, hh, 2, 2)
-DO_STN_2(4, hh, 2, 2)
+DO_STN_2(1, hh, MO_16, MO_16)
+DO_STN_2(1, hs, MO_32, MO_16)
+DO_STN_2(1, hd, MO_64, MO_16)
+DO_STN_2(2, hh, MO_16, MO_16)
+DO_STN_2(3, hh, MO_16, MO_16)
+DO_STN_2(4, hh, MO_16, MO_16)
 
-DO_STN_2(1, ss, 4, 4)
-DO_STN_2(1, sd, 8, 4)
-DO_STN_2(2, ss, 4, 4)
-DO_STN_2(3, ss, 4, 4)
-DO_STN_2(4, ss, 4, 4)
+DO_STN_2(1, ss, MO_32, MO_32)
+DO_STN_2(1, sd, MO_64, MO_32)
+DO_STN_2(2, ss, MO_32, MO_32)
+DO_STN_2(3, ss, MO_32, MO_32)
+DO_STN_2(4, ss, MO_32, MO_32)
 
-DO_STN_2(1, dd, 8, 8)
-DO_STN_2(2, dd, 8, 8)
-DO_STN_2(3, dd, 8, 8)
-DO_STN_2(4, dd, 8, 8)
+DO_STN_2(1, dd, MO_64, MO_64)
+DO_STN_2(2, dd, MO_64, MO_64)
+DO_STN_2(3, dd, MO_64, MO_64)
+DO_STN_2(4, dd, MO_64, MO_64)
 
 #undef DO_STN_1
 #undef DO_STN_2
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

This avoids the need for a separate set of helpers to implement
no-fault semantics, and will enable MTE in the future.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 323 ++++++++++++++++------------------------
 1 file changed, 127 insertions(+), 196 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_LD1_ZPZ_D(dd_be, zd)
 
 /* First fault loads with a vector index.  */
 
-/* Load one element into VD+REG_OFF from (ENV,VADDR) without faulting.
- * The controlling predicate is known to be true.  Return true if the
- * load was successful.
- */
-typedef bool sve_ld1_nf_fn(CPUARMState *env, void *vd, intptr_t reg_off,
-                           target_ulong vaddr, int mmu_idx);
-
-#ifdef CONFIG_SOFTMMU
-#define DO_LD_NF(NAME, H, TYPEE, TYPEM, HOST) \
-static bool sve_ld##NAME##_nf(CPUARMState *env, void *vd, intptr_t reg_off, \
-                              target_ulong addr, int mmu_idx)               \
-{                                                                           \
-    target_ulong next_page = -(addr | TARGET_PAGE_MASK);                    \
-    if (likely(next_page - addr >= sizeof(TYPEM))) {                        \
-        void *host = tlb_vaddr_to_host(env, addr, MMU_DATA_LOAD, mmu_idx);  \
-        if (likely(host)) {                                                 \
-            TYPEM val = HOST(host);                                         \
-            *(TYPEE *)(vd + H(reg_off)) = val;                              \
-            return true;                                                    \
-        }                                                                   \
-    }                                                                       \
-    return false;                                                           \
-}
-#else
-#define DO_LD_NF(NAME, H, TYPEE, TYPEM, HOST) \
-static bool sve_ld##NAME##_nf(CPUARMState *env, void *vd, intptr_t reg_off, \
-                            target_ulong addr, int mmu_idx)                 \
-{                                                                           \
-    if (likely(page_check_range(addr, sizeof(TYPEM), PAGE_READ))) {         \
-        TYPEM val = HOST(g2h(addr));                                        \
-        *(TYPEE *)(vd + H(reg_off)) = val;                                  \
-        return true;                                                        \
-    }                                                                       \
-    return false;                                                           \
-}
-#endif
-
-DO_LD_NF(bsu, H1_4, uint32_t, uint8_t, ldub_p)
-DO_LD_NF(bss, H1_4, uint32_t,  int8_t, ldsb_p)
-DO_LD_NF(bdu,     , uint64_t, uint8_t, ldub_p)
-DO_LD_NF(bds,     , uint64_t,  int8_t, ldsb_p)
-
-DO_LD_NF(hsu_le, H1_4, uint32_t, uint16_t, lduw_le_p)
-DO_LD_NF(hss_le, H1_4, uint32_t,  int16_t, ldsw_le_p)
-DO_LD_NF(hsu_be, H1_4, uint32_t, uint16_t, lduw_be_p)
-DO_LD_NF(hss_be, H1_4, uint32_t,  int16_t, ldsw_be_p)
-DO_LD_NF(hdu_le,     , uint64_t, uint16_t, lduw_le_p)
-DO_LD_NF(hds_le,     , uint64_t,  int16_t, ldsw_le_p)
-DO_LD_NF(hdu_be,     , uint64_t, uint16_t, lduw_be_p)
-DO_LD_NF(hds_be,     , uint64_t,  int16_t, ldsw_be_p)
-
-DO_LD_NF(ss_le,  H1_4, uint32_t, uint32_t, ldl_le_p)
-DO_LD_NF(ss_be,  H1_4, uint32_t, uint32_t, ldl_be_p)
-DO_LD_NF(sdu_le,     , uint64_t, uint32_t, ldl_le_p)
-DO_LD_NF(sds_le,     , uint64_t,  int32_t, ldl_le_p)
-DO_LD_NF(sdu_be,     , uint64_t, uint32_t, ldl_be_p)
-DO_LD_NF(sds_be,     , uint64_t,  int32_t, ldl_be_p)
-
-DO_LD_NF(dd_le,      , uint64_t, uint64_t, ldq_le_p)
-DO_LD_NF(dd_be,      , uint64_t, uint64_t, ldq_be_p)
-
 /*
- * Common helper for all gather first-faulting loads.
+ * Common helpers for all gather first-faulting loads.
  */
-static inline void sve_ldff1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-                                target_ulong base, uint32_t desc, uintptr_t ra,
-                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
-                                sve_ld1_nf_fn *nonfault_fn)
+
+static inline QEMU_ALWAYS_INLINE
+void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+                 target_ulong base, uint32_t desc, uintptr_t retaddr,
+                 const int esz, const int msz, zreg_off_fn *off_fn,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn)
 {
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
-    const int mmu_idx = get_mmuidx(oi);
+    const int mmu_idx = cpu_mmu_index(env, false);
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t reg_off, reg_max = simd_oprsz(desc);
-    target_ulong addr;
+    const int esize = 1 << esz;
+    const int msize = 1 << msz;
+    const intptr_t reg_max = simd_oprsz(desc);
+    intptr_t reg_off;
+    SVEHostPage info;
+    target_ulong addr, in_page;
 
     /* Skip to the first true predicate.  */
-    reg_off = find_next_active(vg, 0, reg_max, MO_32);
-    if (likely(reg_off < reg_max)) {
-        /* Perform one normal read, which will fault or not.  */
-        addr = off_fn(vm, reg_off);
-        addr = base + (addr << scale);
-        tlb_fn(env, vd, reg_off, addr, ra);
-
-        /* The rest of the reads will be non-faulting.  */
+    reg_off = find_next_active(vg, 0, reg_max, esz);
+    if (unlikely(reg_off >= reg_max)) {
+        /* The entire predicate was false; no load occurs.  */
+        memset(vd, 0, reg_max);
+        return;
     }
 
-    /* After any fault, zero the leading predicated false elements.  */
+    /*
+     * Probe the first element, allowing faults.
+     */
+    addr = base + (off_fn(vm, reg_off) << scale);
+    tlb_fn(env, vd, reg_off, addr, retaddr);
+
+    /* After any fault, zero the other elements. */
     swap_memzero(vd, reg_off);
+    reg_off += esize;
+    swap_memzero(vd + reg_off, reg_max - reg_off);
 
-    while (likely((reg_off += 4) < reg_max)) {
-        uint64_t pg = *(uint64_t *)(vg + (reg_off >> 6) * 8);
-        if (likely((pg >> (reg_off & 63)) & 1)) {
-            addr = off_fn(vm, reg_off);
-            addr = base + (addr << scale);
-            if (!nonfault_fn(env, vd, reg_off, addr, mmu_idx)) {
-                record_fault(env, reg_off, reg_max);
-                break;
+    /*
+     * Probe the remaining elements, not allowing faults.
+     */
+    while (reg_off < reg_max) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if (likely((pg >> (reg_off & 63)) & 1)) {
+                addr = base + (off_fn(vm, reg_off) << scale);
+                in_page = -(addr | TARGET_PAGE_MASK);
+
+                if (unlikely(in_page < msize)) {
+                    /* Stop if the element crosses a page boundary. */
+                    goto fault;
+                }
+
+                sve_probe_page(&info, true, env, addr, 0, MMU_DATA_LOAD,
+                               mmu_idx, retaddr);
+                if (unlikely(info.flags & (TLB_INVALID_MASK | TLB_MMIO))) {
+                    goto fault;
+                }
+                if (unlikely(info.flags & TLB_WATCHPOINT) &&
+                    (cpu_watchpoint_address_matches
+                     (env_cpu(env), addr, msize) & BP_MEM_READ)) {
+                    goto fault;
+                }
+                /* TODO: MTE check. */
+
+                host_fn(vd, reg_off, info.host);
             }
-        } else {
-            *(uint32_t *)(vd + H1_4(reg_off)) = 0;
-        }
+            reg_off += esize;
+        } while (reg_off & 63);
     }
+    return;
+
+ fault:
+    record_fault(env, reg_off, reg_max);
 }
 
-static inline void sve_ldff1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-                                target_ulong base, uint32_t desc, uintptr_t ra,
-                                zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn,
-                                sve_ld1_nf_fn *nonfault_fn)
-{
-    const TCGMemOpIdx oi = extract32(desc, SIMD_DATA_SHIFT, MEMOPIDX_SHIFT);
-    const int mmu_idx = get_mmuidx(oi);
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t reg_off, reg_max = simd_oprsz(desc);
-    target_ulong addr;
-
-    /* Skip to the first true predicate.  */
-    reg_off = find_next_active(vg, 0, reg_max, MO_64);
-    if (likely(reg_off < reg_max)) {
-        /* Perform one normal read, which will fault or not.  */
-        addr = off_fn(vm, reg_off);
-        addr = base + (addr << scale);
-        tlb_fn(env, vd, reg_off, addr, ra);
-
-        /* The rest of the reads will be non-faulting.  */
-    }
-
-    /* After any fault, zero the leading predicated false elements.  */
-    swap_memzero(vd, reg_off);
-
-    while (likely((reg_off += 8) < reg_max)) {
-        uint8_t pg = *(uint8_t *)(vg + H1(reg_off >> 3));
-        if (likely(pg & 1)) {
-            addr = off_fn(vm, reg_off);
-            addr = base + (addr << scale);
-            if (!nonfault_fn(env, vd, reg_off, addr, mmu_idx)) {
-                record_fault(env, reg_off, reg_max);
-                break;
-            }
-        } else {
-            *(uint64_t *)(vd + reg_off) = 0;
-        }
-    }
+#define DO_LDFF1_ZPZ_S(MEM, OFS, MSZ) \
+void HELPER(sve_ldff##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                   void *vm, target_ulong base, uint32_t desc) \
+{                                                                              \
+    sve_ldff1_z(env, vd, vg, vm, base, desc, GETPC(), MO_32, MSZ,              \
+                off_##OFS##_s, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
 }
 
-#define DO_LDFF1_ZPZ_S(MEM, OFS) \
-void HELPER(sve_ldff##MEM##_##OFS)                                      \
-    (CPUARMState *env, void *vd, void *vg, void *vm,                    \
-     target_ulong base, uint32_t desc)                                  \
-{                                                                       \
-    sve_ldff1_zs(env, vd, vg, vm, base, desc, GETPC(),                  \
-                 off_##OFS##_s, sve_ld1##MEM##_tlb, sve_ld##MEM##_nf);  \
+#define DO_LDFF1_ZPZ_D(MEM, OFS, MSZ) \
+void HELPER(sve_ldff##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                   void *vm, target_ulong base, uint32_t desc) \
+{                                                                              \
+    sve_ldff1_z(env, vd, vg, vm, base, desc, GETPC(), MO_64, MSZ,              \
+                off_##OFS##_d, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
 }
 
-#define DO_LDFF1_ZPZ_D(MEM, OFS) \
-void HELPER(sve_ldff##MEM##_##OFS)                                      \
-    (CPUARMState *env, void *vd, void *vg, void *vm,                    \
-     target_ulong base, uint32_t desc)                                  \
-{                                                                       \
-    sve_ldff1_zd(env, vd, vg, vm, base, desc, GETPC(),                  \
-                 off_##OFS##_d, sve_ld1##MEM##_tlb, sve_ld##MEM##_nf);  \
-}
+DO_LDFF1_ZPZ_S(bsu, zsu, MO_8)
+DO_LDFF1_ZPZ_S(bsu, zss, MO_8)
+DO_LDFF1_ZPZ_D(bdu, zsu, MO_8)
+DO_LDFF1_ZPZ_D(bdu, zss, MO_8)
+DO_LDFF1_ZPZ_D(bdu, zd, MO_8)
 
-DO_LDFF1_ZPZ_S(bsu, zsu)
-DO_LDFF1_ZPZ_S(bsu, zss)
-DO_LDFF1_ZPZ_D(bdu, zsu)
-DO_LDFF1_ZPZ_D(bdu, zss)
-DO_LDFF1_ZPZ_D(bdu, zd)
+DO_LDFF1_ZPZ_S(bss, zsu, MO_8)
+DO_LDFF1_ZPZ_S(bss, zss, MO_8)
+DO_LDFF1_ZPZ_D(bds, zsu, MO_8)
+DO_LDFF1_ZPZ_D(bds, zss, MO_8)
+DO_LDFF1_ZPZ_D(bds, zd, MO_8)
 
-DO_LDFF1_ZPZ_S(bss, zsu)
-DO_LDFF1_ZPZ_S(bss, zss)
-DO_LDFF1_ZPZ_D(bds, zsu)
-DO_LDFF1_ZPZ_D(bds, zss)
-DO_LDFF1_ZPZ_D(bds, zd)
+DO_LDFF1_ZPZ_S(hsu_le, zsu, MO_16)
+DO_LDFF1_ZPZ_S(hsu_le, zss, MO_16)
+DO_LDFF1_ZPZ_D(hdu_le, zsu, MO_16)
+DO_LDFF1_ZPZ_D(hdu_le, zss, MO_16)
+DO_LDFF1_ZPZ_D(hdu_le, zd, MO_16)
 
-DO_LDFF1_ZPZ_S(hsu_le, zsu)
-DO_LDFF1_ZPZ_S(hsu_le, zss)
-DO_LDFF1_ZPZ_D(hdu_le, zsu)
-DO_LDFF1_ZPZ_D(hdu_le, zss)
-DO_LDFF1_ZPZ_D(hdu_le, zd)
+DO_LDFF1_ZPZ_S(hsu_be, zsu, MO_16)
+DO_LDFF1_ZPZ_S(hsu_be, zss, MO_16)
+DO_LDFF1_ZPZ_D(hdu_be, zsu, MO_16)
+DO_LDFF1_ZPZ_D(hdu_be, zss, MO_16)
+DO_LDFF1_ZPZ_D(hdu_be, zd, MO_16)
 
-DO_LDFF1_ZPZ_S(hsu_be, zsu)
-DO_LDFF1_ZPZ_S(hsu_be, zss)
-DO_LDFF1_ZPZ_D(hdu_be, zsu)
-DO_LDFF1_ZPZ_D(hdu_be, zss)
-DO_LDFF1_ZPZ_D(hdu_be, zd)
+DO_LDFF1_ZPZ_S(hss_le, zsu, MO_16)
+DO_LDFF1_ZPZ_S(hss_le, zss, MO_16)
+DO_LDFF1_ZPZ_D(hds_le, zsu, MO_16)
+DO_LDFF1_ZPZ_D(hds_le, zss, MO_16)
+DO_LDFF1_ZPZ_D(hds_le, zd, MO_16)
 
-DO_LDFF1_ZPZ_S(hss_le, zsu)
-DO_LDFF1_ZPZ_S(hss_le, zss)
-DO_LDFF1_ZPZ_D(hds_le, zsu)
-DO_LDFF1_ZPZ_D(hds_le, zss)
-DO_LDFF1_ZPZ_D(hds_le, zd)
+DO_LDFF1_ZPZ_S(hss_be, zsu, MO_16)
+DO_LDFF1_ZPZ_S(hss_be, zss, MO_16)
+DO_LDFF1_ZPZ_D(hds_be, zsu, MO_16)
+DO_LDFF1_ZPZ_D(hds_be, zss, MO_16)
+DO_LDFF1_ZPZ_D(hds_be, zd, MO_16)
 
-DO_LDFF1_ZPZ_S(hss_be, zsu)
-DO_LDFF1_ZPZ_S(hss_be, zss)
-DO_LDFF1_ZPZ_D(hds_be, zsu)
-DO_LDFF1_ZPZ_D(hds_be, zss)
-DO_LDFF1_ZPZ_D(hds_be, zd)
+DO_LDFF1_ZPZ_S(ss_le,  zsu, MO_32)
+DO_LDFF1_ZPZ_S(ss_le,  zss, MO_32)
+DO_LDFF1_ZPZ_D(sdu_le, zsu, MO_32)
+DO_LDFF1_ZPZ_D(sdu_le, zss, MO_32)
+DO_LDFF1_ZPZ_D(sdu_le, zd, MO_32)
 
-DO_LDFF1_ZPZ_S(ss_le,  zsu)
-DO_LDFF1_ZPZ_S(ss_le,  zss)
-DO_LDFF1_ZPZ_D(sdu_le, zsu)
-DO_LDFF1_ZPZ_D(sdu_le, zss)
-DO_LDFF1_ZPZ_D(sdu_le, zd)
+DO_LDFF1_ZPZ_S(ss_be,  zsu, MO_32)
+DO_LDFF1_ZPZ_S(ss_be,  zss, MO_32)
+DO_LDFF1_ZPZ_D(sdu_be, zsu, MO_32)
+DO_LDFF1_ZPZ_D(sdu_be, zss, MO_32)
+DO_LDFF1_ZPZ_D(sdu_be, zd, MO_32)
 
-DO_LDFF1_ZPZ_S(ss_be,  zsu)
-DO_LDFF1_ZPZ_S(ss_be,  zss)
-DO_LDFF1_ZPZ_D(sdu_be, zsu)
-DO_LDFF1_ZPZ_D(sdu_be, zss)
-DO_LDFF1_ZPZ_D(sdu_be, zd)
+DO_LDFF1_ZPZ_D(sds_le, zsu, MO_32)
+DO_LDFF1_ZPZ_D(sds_le, zss, MO_32)
+DO_LDFF1_ZPZ_D(sds_le, zd, MO_32)
 
-DO_LDFF1_ZPZ_D(sds_le, zsu)
-DO_LDFF1_ZPZ_D(sds_le, zss)
-DO_LDFF1_ZPZ_D(sds_le, zd)
+DO_LDFF1_ZPZ_D(sds_be, zsu, MO_32)
+DO_LDFF1_ZPZ_D(sds_be, zss, MO_32)
+DO_LDFF1_ZPZ_D(sds_be, zd, MO_32)
 
-DO_LDFF1_ZPZ_D(sds_be, zsu)
-DO_LDFF1_ZPZ_D(sds_be, zss)
-DO_LDFF1_ZPZ_D(sds_be, zd)
+DO_LDFF1_ZPZ_D(dd_le, zsu, MO_64)
+DO_LDFF1_ZPZ_D(dd_le, zss, MO_64)
+DO_LDFF1_ZPZ_D(dd_le, zd, MO_64)
 
-DO_LDFF1_ZPZ_D(dd_le, zsu)
-DO_LDFF1_ZPZ_D(dd_le, zss)
-DO_LDFF1_ZPZ_D(dd_le, zd)
-
-DO_LDFF1_ZPZ_D(dd_be, zsu)
-DO_LDFF1_ZPZ_D(dd_be, zss)
-DO_LDFF1_ZPZ_D(dd_be, zd)
+DO_LDFF1_ZPZ_D(dd_be, zsu, MO_64)
+DO_LDFF1_ZPZ_D(dd_be, zss, MO_64)
+DO_LDFF1_ZPZ_D(dd_be, zd, MO_64)
 
 /* Stores with a vector index.  */
 
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 182 ++++++++++++++++++++++++----------------
 1 file changed, 111 insertions(+), 71 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_LDFF1_ZPZ_D(dd_be, zd, MO_64)
 
 /* Stores with a vector index.  */
 
-static void sve_st1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-                       target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
+static inline QEMU_ALWAYS_INLINE
+void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+               target_ulong base, uint32_t desc, uintptr_t retaddr,
+               int esize, int msize, zreg_off_fn *off_fn,
+               sve_ldst1_host_fn *host_fn,
+               sve_ldst1_tlb_fn *tlb_fn)
 {
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t i, oprsz = simd_oprsz(desc);
+    const int mmu_idx = cpu_mmu_index(env, false);
+    const intptr_t reg_max = simd_oprsz(desc);
+    void *host[ARM_MAX_VQ * 4];
+    intptr_t reg_off, i;
+    SVEHostPage info, info2;
 
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+    /*
+     * Probe all of the elements for host addresses and flags.
+     */
+    i = reg_off = 0;
+    do {
+        uint64_t pg = vg[reg_off >> 6];
         do {
-            if (likely(pg & 1)) {
-                target_ulong off = off_fn(vm, i);
-                tlb_fn(env, vd, i, base + (off << scale), ra);
+            target_ulong addr = base + (off_fn(vm, reg_off) << scale);
+            target_ulong in_page = -(addr | TARGET_PAGE_MASK);
+
+            host[i] = NULL;
+            if (likely((pg >> (reg_off & 63)) & 1)) {
+                if (likely(in_page >= msize)) {
+                    sve_probe_page(&info, false, env, addr, 0, MMU_DATA_STORE,
+                                   mmu_idx, retaddr);
+                    host[i] = info.host;
+                } else {
+                    /*
+                     * Element crosses the page boundary.
+                     * Probe both pages, but do not record the host address,
+                     * so that we use the slow path.
+                     */
+                    sve_probe_page(&info, false, env, addr, 0,
+                                   MMU_DATA_STORE, mmu_idx, retaddr);
+                    sve_probe_page(&info2, false, env, addr + in_page, 0,
+                                   MMU_DATA_STORE, mmu_idx, retaddr);
+                    info.flags |= info2.flags;
+                }
+
+                if (unlikely(info.flags & TLB_WATCHPOINT)) {
+                    cpu_check_watchpoint(env_cpu(env), addr, msize,
+                                         info.attrs, BP_MEM_WRITE, retaddr);
+                }
+                /* TODO: MTE check. */
             }
-            i += 4, pg >>= 4;
-        } while (i & 15);
-    }
-}
+            i += 1;
+            reg_off += esize;
+        } while (reg_off & 63);
+    } while (reg_off < reg_max);
 
-static void sve_st1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-                       target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
-{
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t i, oprsz = simd_oprsz(desc) / 8;
-
-    for (i = 0; i < oprsz; i++) {
-        uint8_t pg = *(uint8_t *)(vg + H1(i));
-        if (likely(pg & 1)) {
-            target_ulong off = off_fn(vm, i * 8);
-            tlb_fn(env, vd, i * 8, base + (off << scale), ra);
+    /*
+     * Now that we have recognized all exceptions except SyncExternal
+     * (from TLB_MMIO), which we cannot avoid, perform all of the stores.
+     *
+     * Note for the common case of an element in RAM, not crossing a page
+     * boundary, we have stored the host address in host[].  This doubles
+     * as a first-level check against the predicate, since only enabled
+     * elements have non-null host addresses.
+     */
+    i = reg_off = 0;
+    do {
+        void *h = host[i];
+        if (likely(h != NULL)) {
+            host_fn(vd, reg_off, h);
+        } else if ((vg[reg_off >> 6] >> (reg_off & 63)) & 1) {
+            target_ulong addr = base + (off_fn(vm, reg_off) << scale);
+            tlb_fn(env, vd, reg_off, addr, retaddr);
         }
-    }
+        i += 1;
+        reg_off += esize;
+    } while (reg_off < reg_max);
 }
 
-#define DO_ST1_ZPZ_S(MEM, OFS) \
-void QEMU_FLATTEN HELPER(sve_st##MEM##_##OFS) \
-    (CPUARMState *env, void *vd, void *vg, void *vm,         \
-     target_ulong base, uint32_t desc)                       \
-{                                                            \
-    sve_st1_zs(env, vd, vg, vm, base, desc, GETPC(),         \
-              off_##OFS##_s, sve_st1##MEM##_tlb);            \
+#define DO_ST1_ZPZ_S(MEM, OFS, MSZ) \
+void HELPER(sve_st##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                 void *vm, target_ulong base, uint32_t desc) \
+{                                                                            \
+    sve_st1_z(env, vd, vg, vm, base, desc, GETPC(), 4, 1 << MSZ,             \
+              off_##OFS##_s, sve_st1##MEM##_host, sve_st1##MEM##_tlb);       \
 }
 
-#define DO_ST1_ZPZ_D(MEM, OFS) \
-void QEMU_FLATTEN HELPER(sve_st##MEM##_##OFS) \
-    (CPUARMState *env, void *vd, void *vg, void *vm,         \
-     target_ulong base, uint32_t desc)                       \
-{                                                            \
-    sve_st1_zd(env, vd, vg, vm, base, desc, GETPC(),         \
-               off_##OFS##_d, sve_st1##MEM##_tlb);           \
+#define DO_ST1_ZPZ_D(MEM, OFS, MSZ) \
+void HELPER(sve_st##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                 void *vm, target_ulong base, uint32_t desc) \
+{                                                                            \
+    sve_st1_z(env, vd, vg, vm, base, desc, GETPC(), 8, 1 << MSZ,             \
+              off_##OFS##_d, sve_st1##MEM##_host, sve_st1##MEM##_tlb);       \
 }
 
-DO_ST1_ZPZ_S(bs, zsu)
-DO_ST1_ZPZ_S(hs_le, zsu)
-DO_ST1_ZPZ_S(hs_be, zsu)
-DO_ST1_ZPZ_S(ss_le, zsu)
-DO_ST1_ZPZ_S(ss_be, zsu)
+DO_ST1_ZPZ_S(bs, zsu, MO_8)
+DO_ST1_ZPZ_S(hs_le, zsu, MO_16)
+DO_ST1_ZPZ_S(hs_be, zsu, MO_16)
+DO_ST1_ZPZ_S(ss_le, zsu, MO_32)
+DO_ST1_ZPZ_S(ss_be, zsu, MO_32)
 
-DO_ST1_ZPZ_S(bs, zss)
-DO_ST1_ZPZ_S(hs_le, zss)
-DO_ST1_ZPZ_S(hs_be, zss)
-DO_ST1_ZPZ_S(ss_le, zss)
-DO_ST1_ZPZ_S(ss_be, zss)
+DO_ST1_ZPZ_S(bs, zss, MO_8)
+DO_ST1_ZPZ_S(hs_le, zss, MO_16)
+DO_ST1_ZPZ_S(hs_be, zss, MO_16)
+DO_ST1_ZPZ_S(ss_le, zss, MO_32)
+DO_ST1_ZPZ_S(ss_be, zss, MO_32)
 
-DO_ST1_ZPZ_D(bd, zsu)
-DO_ST1_ZPZ_D(hd_le, zsu)
-DO_ST1_ZPZ_D(hd_be, zsu)
-DO_ST1_ZPZ_D(sd_le, zsu)
-DO_ST1_ZPZ_D(sd_be, zsu)
-DO_ST1_ZPZ_D(dd_le, zsu)
-DO_ST1_ZPZ_D(dd_be, zsu)
+DO_ST1_ZPZ_D(bd, zsu, MO_8)
+DO_ST1_ZPZ_D(hd_le, zsu, MO_16)
+DO_ST1_ZPZ_D(hd_be, zsu, MO_16)
+DO_ST1_ZPZ_D(sd_le, zsu, MO_32)
+DO_ST1_ZPZ_D(sd_be, zsu, MO_32)
+DO_ST1_ZPZ_D(dd_le, zsu, MO_64)
+DO_ST1_ZPZ_D(dd_be, zsu, MO_64)
 
-DO_ST1_ZPZ_D(bd, zss)
-DO_ST1_ZPZ_D(hd_le, zss)
-DO_ST1_ZPZ_D(hd_be, zss)
-DO_ST1_ZPZ_D(sd_le, zss)
-DO_ST1_ZPZ_D(sd_be, zss)
-DO_ST1_ZPZ_D(dd_le, zss)
-DO_ST1_ZPZ_D(dd_be, zss)
+DO_ST1_ZPZ_D(bd, zss, MO_8)
+DO_ST1_ZPZ_D(hd_le, zss, MO_16)
+DO_ST1_ZPZ_D(hd_be, zss, MO_16)
+DO_ST1_ZPZ_D(sd_le, zss, MO_32)
+DO_ST1_ZPZ_D(sd_be, zss, MO_32)
+DO_ST1_ZPZ_D(dd_le, zss, MO_64)
+DO_ST1_ZPZ_D(dd_be, zss, MO_64)
 
-DO_ST1_ZPZ_D(bd, zd)
-DO_ST1_ZPZ_D(hd_le, zd)
-DO_ST1_ZPZ_D(hd_be, zd)
-DO_ST1_ZPZ_D(sd_le, zd)
-DO_ST1_ZPZ_D(sd_be, zd)
-DO_ST1_ZPZ_D(dd_le, zd)
-DO_ST1_ZPZ_D(dd_be, zd)
+DO_ST1_ZPZ_D(bd, zd, MO_8)
+DO_ST1_ZPZ_D(hd_le, zd, MO_16)
+DO_ST1_ZPZ_D(hd_be, zd, MO_16)
+DO_ST1_ZPZ_D(sd_le, zd, MO_32)
+DO_ST1_ZPZ_D(sd_be, zd, MO_32)
+DO_ST1_ZPZ_D(dd_le, zd, MO_64)
+DO_ST1_ZPZ_D(dd_be, zd, MO_64)
 
 #undef DO_ST1_ZPZ_S
 #undef DO_ST1_ZPZ_D
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve_helper.c | 208 +++++++++++++++++++++-------------------
 1 file changed, 109 insertions(+), 99 deletions(-)

diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ static target_ulong off_zd_d(void *reg, intptr_t reg_ofs)
     return *(uint64_t *)(reg + reg_ofs);
 }
 
-static void sve_ld1_zs(CPUARMState *env, void *vd, void *vg, void *vm,
-                       target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
+static inline QEMU_ALWAYS_INLINE
+void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
+               target_ulong base, uint32_t desc, uintptr_t retaddr,
+               int esize, int msize, zreg_off_fn *off_fn,
+               sve_ldst1_host_fn *host_fn,
+               sve_ldst1_tlb_fn *tlb_fn)
 {
     const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t i, oprsz = simd_oprsz(desc);
-    ARMVectorReg scratch = { };
+    const int mmu_idx = cpu_mmu_index(env, false);
+    const intptr_t reg_max = simd_oprsz(desc);
+    ARMVectorReg scratch;
+    intptr_t reg_off;
+    SVEHostPage info, info2;
 
-    for (i = 0; i < oprsz; ) {
-        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));
+    memset(&scratch, 0, reg_max);
+    reg_off = 0;
+    do {
+        uint64_t pg = vg[reg_off >> 6];
         do {
             if (likely(pg & 1)) {
-                target_ulong off = off_fn(vm, i);
-                tlb_fn(env, &scratch, i, base + (off << scale), ra);
+                target_ulong addr = base + (off_fn(vm, reg_off) << scale);
+                target_ulong in_page = -(addr | TARGET_PAGE_MASK);
+
+                sve_probe_page(&info, false, env, addr, 0, MMU_DATA_LOAD,
+                               mmu_idx, retaddr);
+
+                if (likely(in_page >= msize)) {
+                    if (unlikely(info.flags & TLB_WATCHPOINT)) {
+                        cpu_check_watchpoint(env_cpu(env), addr, msize,
+                                             info.attrs, BP_MEM_READ, retaddr);
+                    }
+                    /* TODO: MTE check */
+                    host_fn(&scratch, reg_off, info.host);
+                } else {
+                    /* Element crosses the page boundary. */
+                    sve_probe_page(&info2, false, env, addr + in_page, 0,
+                                   MMU_DATA_LOAD, mmu_idx, retaddr);
+                    if (unlikely((info.flags | info2.flags) & TLB_WATCHPOINT)) {
+                        cpu_check_watchpoint(env_cpu(env), addr,
+                                             msize, info.attrs,
+                                             BP_MEM_READ, retaddr);
+                    }
+                    /* TODO: MTE check */
+                    tlb_fn(env, &scratch, reg_off, addr, retaddr);
+                }
             }
-            i += 4, pg >>= 4;
-        } while (i & 15);
-    }
+            reg_off += esize;
+            pg >>= esize;
+        } while (reg_off & 63);
+    } while (reg_off < reg_max);
 
     /* Wait until all exceptions have been raised to write back.  */
-    memcpy(vd, &scratch, oprsz);
+    memcpy(vd, &scratch, reg_max);
 }
 
-static void sve_ld1_zd(CPUARMState *env, void *vd, void *vg, void *vm,
-                       target_ulong base, uint32_t desc, uintptr_t ra,
-                       zreg_off_fn *off_fn, sve_ldst1_tlb_fn *tlb_fn)
-{
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
-    intptr_t i, oprsz = simd_oprsz(desc) / 8;
-    ARMVectorReg scratch = { };
-
-    for (i = 0; i < oprsz; i++) {
-        uint8_t pg = *(uint8_t *)(vg + H1(i));
-        if (likely(pg & 1)) {
-            target_ulong off = off_fn(vm, i * 8);
-            tlb_fn(env, &scratch, i * 8, base + (off << scale), ra);
-        }
-    }
-
-    /* Wait until all exceptions have been raised to write back.  */
-    memcpy(vd, &scratch, oprsz * 8);
+#define DO_LD1_ZPZ_S(MEM, OFS, MSZ) \
+void HELPER(sve_ld##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                 void *vm, target_ulong base, uint32_t desc) \
+{                                                                            \
+    sve_ld1_z(env, vd, vg, vm, base, desc, GETPC(), 4, 1 << MSZ,             \
+              off_##OFS##_s, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
 }
 
-#define DO_LD1_ZPZ_S(MEM, OFS) \
-void QEMU_FLATTEN HELPER(sve_ld##MEM##_##OFS) \
-    (CPUARMState *env, void *vd, void *vg, void *vm,         \
-     target_ulong base, uint32_t desc)                       \
-{                                                            \
-    sve_ld1_zs(env, vd, vg, vm, base, desc, GETPC(),         \
-              off_##OFS##_s, sve_ld1##MEM##_tlb);            \
+#define DO_LD1_ZPZ_D(MEM, OFS, MSZ) \
+void HELPER(sve_ld##MEM##_##OFS)(CPUARMState *env, void *vd, void *vg,       \
+                                 void *vm, target_ulong base, uint32_t desc) \
+{                                                                            \
+    sve_ld1_z(env, vd, vg, vm, base, desc, GETPC(), 8, 1 << MSZ,             \
+              off_##OFS##_d, sve_ld1##MEM##_host, sve_ld1##MEM##_tlb);       \
 }
 
-#define DO_LD1_ZPZ_D(MEM, OFS) \
-void QEMU_FLATTEN HELPER(sve_ld##MEM##_##OFS) \
-    (CPUARMState *env, void *vd, void *vg, void *vm,         \
-     target_ulong base, uint32_t desc)                       \
-{                                                            \
-    sve_ld1_zd(env, vd, vg, vm, base, desc, GETPC(),         \
-               off_##OFS##_d, sve_ld1##MEM##_tlb);           \
-}
+DO_LD1_ZPZ_S(bsu, zsu, MO_8)
+DO_LD1_ZPZ_S(bsu, zss, MO_8)
+DO_LD1_ZPZ_D(bdu, zsu, MO_8)
+DO_LD1_ZPZ_D(bdu, zss, MO_8)
+DO_LD1_ZPZ_D(bdu, zd, MO_8)
 
-DO_LD1_ZPZ_S(bsu, zsu)
-DO_LD1_ZPZ_S(bsu, zss)
-DO_LD1_ZPZ_D(bdu, zsu)
-DO_LD1_ZPZ_D(bdu, zss)
-DO_LD1_ZPZ_D(bdu, zd)
+DO_LD1_ZPZ_S(bss, zsu, MO_8)
+DO_LD1_ZPZ_S(bss, zss, MO_8)
+DO_LD1_ZPZ_D(bds, zsu, MO_8)
+DO_LD1_ZPZ_D(bds, zss, MO_8)
+DO_LD1_ZPZ_D(bds, zd, MO_8)
 
-DO_LD1_ZPZ_S(bss, zsu)
-DO_LD1_ZPZ_S(bss, zss)
-DO_LD1_ZPZ_D(bds, zsu)
-DO_LD1_ZPZ_D(bds, zss)
-DO_LD1_ZPZ_D(bds, zd)
+DO_LD1_ZPZ_S(hsu_le, zsu, MO_16)
+DO_LD1_ZPZ_S(hsu_le, zss, MO_16)
+DO_LD1_ZPZ_D(hdu_le, zsu, MO_16)
+DO_LD1_ZPZ_D(hdu_le, zss, MO_16)
+DO_LD1_ZPZ_D(hdu_le, zd, MO_16)
 
-DO_LD1_ZPZ_S(hsu_le, zsu)
-DO_LD1_ZPZ_S(hsu_le, zss)
-DO_LD1_ZPZ_D(hdu_le, zsu)
-DO_LD1_ZPZ_D(hdu_le, zss)
-DO_LD1_ZPZ_D(hdu_le, zd)
+DO_LD1_ZPZ_S(hsu_be, zsu, MO_16)
+DO_LD1_ZPZ_S(hsu_be, zss, MO_16)
+DO_LD1_ZPZ_D(hdu_be, zsu, MO_16)
+DO_LD1_ZPZ_D(hdu_be, zss, MO_16)
+DO_LD1_ZPZ_D(hdu_be, zd, MO_16)
 
-DO_LD1_ZPZ_S(hsu_be, zsu)
-DO_LD1_ZPZ_S(hsu_be, zss)
-DO_LD1_ZPZ_D(hdu_be, zsu)
-DO_LD1_ZPZ_D(hdu_be, zss)
-DO_LD1_ZPZ_D(hdu_be, zd)
+DO_LD1_ZPZ_S(hss_le, zsu, MO_16)
+DO_LD1_ZPZ_S(hss_le, zss, MO_16)
+DO_LD1_ZPZ_D(hds_le, zsu, MO_16)
+DO_LD1_ZPZ_D(hds_le, zss, MO_16)
+DO_LD1_ZPZ_D(hds_le, zd, MO_16)
 
-DO_LD1_ZPZ_S(hss_le, zsu)
-DO_LD1_ZPZ_S(hss_le, zss)
-DO_LD1_ZPZ_D(hds_le, zsu)
-DO_LD1_ZPZ_D(hds_le, zss)
-DO_LD1_ZPZ_D(hds_le, zd)
+DO_LD1_ZPZ_S(hss_be, zsu, MO_16)
+DO_LD1_ZPZ_S(hss_be, zss, MO_16)
+DO_LD1_ZPZ_D(hds_be, zsu, MO_16)
+DO_LD1_ZPZ_D(hds_be, zss, MO_16)
+DO_LD1_ZPZ_D(hds_be, zd, MO_16)
 
-DO_LD1_ZPZ_S(hss_be, zsu)
-DO_LD1_ZPZ_S(hss_be, zss)
-DO_LD1_ZPZ_D(hds_be, zsu)
-DO_LD1_ZPZ_D(hds_be, zss)
-DO_LD1_ZPZ_D(hds_be, zd)
+DO_LD1_ZPZ_S(ss_le, zsu, MO_32)
+DO_LD1_ZPZ_S(ss_le, zss, MO_32)
+DO_LD1_ZPZ_D(sdu_le, zsu, MO_32)
+DO_LD1_ZPZ_D(sdu_le, zss, MO_32)
+DO_LD1_ZPZ_D(sdu_le, zd, MO_32)
 
-DO_LD1_ZPZ_S(ss_le, zsu)
-DO_LD1_ZPZ_S(ss_le, zss)
-DO_LD1_ZPZ_D(sdu_le, zsu)
-DO_LD1_ZPZ_D(sdu_le, zss)
-DO_LD1_ZPZ_D(sdu_le, zd)
+DO_LD1_ZPZ_S(ss_be, zsu, MO_32)
+DO_LD1_ZPZ_S(ss_be, zss, MO_32)
+DO_LD1_ZPZ_D(sdu_be, zsu, MO_32)
+DO_LD1_ZPZ_D(sdu_be, zss, MO_32)
+DO_LD1_ZPZ_D(sdu_be, zd, MO_32)
 
-DO_LD1_ZPZ_S(ss_be, zsu)
-DO_LD1_ZPZ_S(ss_be, zss)
-DO_LD1_ZPZ_D(sdu_be, zsu)
-DO_LD1_ZPZ_D(sdu_be, zss)
-DO_LD1_ZPZ_D(sdu_be, zd)
+DO_LD1_ZPZ_D(sds_le, zsu, MO_32)
+DO_LD1_ZPZ_D(sds_le, zss, MO_32)
+DO_LD1_ZPZ_D(sds_le, zd, MO_32)
 
-DO_LD1_ZPZ_D(sds_le, zsu)
-DO_LD1_ZPZ_D(sds_le, zss)
-DO_LD1_ZPZ_D(sds_le, zd)
+DO_LD1_ZPZ_D(sds_be, zsu, MO_32)
+DO_LD1_ZPZ_D(sds_be, zss, MO_32)
+DO_LD1_ZPZ_D(sds_be, zd, MO_32)
 
-DO_LD1_ZPZ_D(sds_be, zsu)
-DO_LD1_ZPZ_D(sds_be, zss)
-DO_LD1_ZPZ_D(sds_be, zd)
+DO_LD1_ZPZ_D(dd_le, zsu, MO_64)
+DO_LD1_ZPZ_D(dd_le, zss, MO_64)
+DO_LD1_ZPZ_D(dd_le, zd, MO_64)
 
-DO_LD1_ZPZ_D(dd_le, zsu)
-DO_LD1_ZPZ_D(dd_le, zss)
-DO_LD1_ZPZ_D(dd_le, zd)
-
-DO_LD1_ZPZ_D(dd_be, zsu)
-DO_LD1_ZPZ_D(dd_be, zss)
-DO_LD1_ZPZ_D(dd_be, zd)
+DO_LD1_ZPZ_D(dd_be, zsu, MO_64)
+DO_LD1_ZPZ_D(dd_be, zss, MO_64)
+DO_LD1_ZPZ_D(dd_be, zd, MO_64)
 
 #undef DO_LD1_ZPZ_S
 #undef DO_LD1_ZPZ_D
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

None of the sve helpers use TCGMemOpIdx any longer, so we can
stop passing it.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200508154359.7494-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h     |  5 -----
 target/arm/sve_helper.c    | 14 +++++++-------
 target/arm/translate-sve.c | 17 +++--------------
 3 files changed, 10 insertions(+), 26 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline int arm_num_ctx_cmps(ARMCPU *cpu)
     }
 }
 
-/* Note make_memop_idx reserves 4 bits for mmu_idx, and MO_BSWAP is bit 3.
- * Thus a TCGMemOpIdx, without any MO_ALIGN bits, fits in 8 bits.
- */
-#define MEMOPIDX_SHIFT  8
-
 /**
  * v7m_using_psp: Return true if using process stack pointer
  * Return true if the CPU is currently using the process stack
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void sve_ldN_r(CPUARMState *env, uint64_t *vg, const target_ulong addr,
                sve_ldst1_host_fn *host_fn,
                sve_ldst1_tlb_fn *tlb_fn)
 {
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+    const unsigned rd = simd_data(desc);
     const intptr_t reg_max = simd_oprsz(desc);
     intptr_t reg_off, reg_last, mem_off;
     SVEContLdSt info;
@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
                    sve_ldst1_host_fn *host_fn,
                    sve_ldst1_tlb_fn *tlb_fn)
 {
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+    const unsigned rd = simd_data(desc);
     void *vd = &env->vfp.zregs[rd];
     const intptr_t reg_max = simd_oprsz(desc);
     intptr_t reg_off, mem_off, reg_last;
@@ -XXX,XX +XXX,XX @@ void sve_stN_r(CPUARMState *env, uint64_t *vg, target_ulong addr, uint32_t desc,
                sve_ldst1_host_fn *host_fn,
                sve_ldst1_tlb_fn *tlb_fn)
 {
-    const unsigned rd = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 5);
+    const unsigned rd = simd_data(desc);
     const intptr_t reg_max = simd_oprsz(desc);
     intptr_t reg_off, reg_last, mem_off;
     SVEContLdSt info;
@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                sve_ldst1_host_fn *host_fn,
                sve_ldst1_tlb_fn *tlb_fn)
 {
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     const int mmu_idx = cpu_mmu_index(env, false);
     const intptr_t reg_max = simd_oprsz(desc);
+    const int scale = simd_data(desc);
     ARMVectorReg scratch;
     intptr_t reg_off;
     SVEHostPage info, info2;
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                  sve_ldst1_tlb_fn *tlb_fn)
 {
     const int mmu_idx = cpu_mmu_index(env, false);
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
+    const intptr_t reg_max = simd_oprsz(desc);
+    const int scale = simd_data(desc);
     const int esize = 1 << esz;
     const int msize = 1 << msz;
-    const intptr_t reg_max = simd_oprsz(desc);
     intptr_t reg_off;
     SVEHostPage info;
     target_ulong addr, in_page;
@@ -XXX,XX +XXX,XX @@ void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                sve_ldst1_host_fn *host_fn,
                sve_ldst1_tlb_fn *tlb_fn)
 {
-    const int scale = extract32(desc, SIMD_DATA_SHIFT + MEMOPIDX_SHIFT, 2);
     const int mmu_idx = cpu_mmu_index(env, false);
     const intptr_t reg_max = simd_oprsz(desc);
+    const int scale = simd_data(desc);
     void *host[ARM_MAX_VQ * 4];
     intptr_t reg_off, i;
     SVEHostPage info, info2;
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static const uint8_t dtype_esz[16] = {
     3, 2, 1, 3
 };
 
-static TCGMemOpIdx sve_memopidx(DisasContext *s, int dtype)
-{
-    return make_memop_idx(s->be_data | dtype_mop[dtype], get_mem_index(s));
-}
-
 static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
                        int dtype, gen_helper_gvec_mem *fn)
 {
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpa(DisasContext *s, int zt, int pg, TCGv_i64 addr,
      * registers as pointers, so encode the regno into the data field.
      * For consistency, do this even for LD1.
      */
-    desc = sve_memopidx(s, dtype);
-    desc |= zt << MEMOPIDX_SHIFT;
-    desc = simd_desc(vsz, vsz, desc);
+    desc = simd_desc(vsz, vsz, zt);
     t_desc = tcg_const_i32(desc);
     t_pg = tcg_temp_new_ptr();
 
@@ -XXX,XX +XXX,XX @@ static void do_ldrq(DisasContext *s, int zt, int pg, TCGv_i64 addr, int msz)
     int desc, poff;
 
     /* Load the first quadword using the normal predicated load helpers.  */
-    desc = sve_memopidx(s, msz_dtype(s, msz));
-    desc |= zt << MEMOPIDX_SHIFT;
-    desc = simd_desc(16, 16, desc);
+    desc = simd_desc(16, 16, zt);
     t_desc = tcg_const_i32(desc);
 
     poff = pred_full_reg_offset(s, pg);
@@ -XXX,XX +XXX,XX @@ static void do_mem_zpz(DisasContext *s, int zt, int pg, int zm,
     TCGv_i32 t_desc;
     int desc;
 
-    desc = sve_memopidx(s, msz_dtype(s, msz));
-    desc |= scale << MEMOPIDX_SHIFT;
-    desc = simd_desc(vsz, vsz, desc);
+    desc = simd_desc(vsz, vsz, scale);
     t_desc = tcg_const_i32(desc);
 
     tcg_gen_addi_ptr(t_pg, cpu_env, pred_full_reg_offset(s, pg));
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

We want to move the inlined declarations of set_feature()
from cpu*.c to cpu.h. To avoid clashing with the KVM
declarations, inline the few KVM calls.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200504172448.9402-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/kvm32.c | 13 ++++---------
 target/arm/kvm64.c | 22 ++++++----------------
 2 files changed, 10 insertions(+), 25 deletions(-)

diff --git a/target/arm/kvm32.c b/target/arm/kvm32.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm32.c
+++ b/target/arm/kvm32.c
@@ -XXX,XX +XXX,XX @@
 #include "internals.h"
 #include "qemu/log.h"
 
-static inline void set_feature(uint64_t *features, int feature)
-{
-    *features |= 1ULL << feature;
-}
-
 static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
 {
     struct kvm_one_reg idreg = { .id = id, .addr = (uintptr_t)pret };
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      * timers; this in turn implies most of the other feature
      * bits, but a few must be tested.
      */
-    set_feature(&features, ARM_FEATURE_V7VE);
-    set_feature(&features, ARM_FEATURE_GENERIC_TIMER);
+    features |= 1ULL << ARM_FEATURE_V7VE;
+    features |= 1ULL << ARM_FEATURE_GENERIC_TIMER;
 
     if (extract32(id_pfr0, 12, 4) == 1) {
-        set_feature(&features, ARM_FEATURE_THUMB2EE);
+        features |= 1ULL << ARM_FEATURE_THUMB2EE;
     }
     if (extract32(ahcf->isar.mvfr1, 12, 4) == 1) {
-        set_feature(&features, ARM_FEATURE_NEON);
+        features |= 1ULL << ARM_FEATURE_NEON;
     }
 
     ahcf->features = features;
diff --git a/target/arm/kvm64.c b/target/arm/kvm64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/kvm64.c
+++ b/target/arm/kvm64.c
@@ -XXX,XX +XXX,XX @@ void kvm_arm_pmu_set_irq(CPUState *cs, int irq)
     }
 }
 
-static inline void set_feature(uint64_t *features, int feature)
-{
-    *features |= 1ULL << feature;
-}
-
-static inline void unset_feature(uint64_t *features, int feature)
-{
-    *features &= ~(1ULL << feature);
-}
-
 static int read_sys_reg32(int fd, uint32_t *pret, uint64_t id)
 {
     uint64_t ret;
@@ -XXX,XX +XXX,XX @@ bool kvm_arm_get_host_cpu_features(ARMHostCPUFeatures *ahcf)
      * with VFPv4+Neon; this in turn implies most of the other
      * feature bits.
      */
-    set_feature(&features, ARM_FEATURE_V8);
-    set_feature(&features, ARM_FEATURE_NEON);
-    set_feature(&features, ARM_FEATURE_AARCH64);
-    set_feature(&features, ARM_FEATURE_PMU);
-    set_feature(&features, ARM_FEATURE_GENERIC_TIMER);
+    features |= 1ULL << ARM_FEATURE_V8;
+    features |= 1ULL << ARM_FEATURE_NEON;
+    features |= 1ULL << ARM_FEATURE_AARCH64;
+    features |= 1ULL << ARM_FEATURE_PMU;
+    features |= 1ULL << ARM_FEATURE_GENERIC_TIMER;
 
     ahcf->features = features;
 
@@ -XXX,XX +XXX,XX @@ int kvm_arch_init_vcpu(CPUState *cs)
     if (cpu->has_pmu) {
         cpu->kvm_init_features[0] |= 1 << KVM_ARM_VCPU_PMU_V3;
     } else {
-        unset_feature(&env->features, ARM_FEATURE_PMU);
+        env->features &= ~(1ULL << ARM_FEATURE_PMU);
     }
     if (cpu_isar_feature(aa64_sve, cpu)) {
         assert(kvm_arm_sve_supported(cs));
-- 
2.20.1

From: Thomas Huth <thuth@redhat.com>

Move the common set_feature() and unset_feature() functions
from cpu.c and cpu64.c to cpu.h.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200504172448.9402-3-philmd@redhat.com
Message-ID: <20190921150420.30743-2-thuth@redhat.com>
[PMD: Split Thomas's patch in two: set_feature, cpu_register]
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h   | 10 ++++++++++
 target/arm/cpu.c   | 10 ----------
 target/arm/cpu64.c | 10 ----------
 3 files changed, 10 insertions(+), 20 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMState {
     void *gicv3state;
 } CPUARMState;
 
+static inline void set_feature(CPUARMState *env, int feature)
+{
+    env->features |= 1ULL << feature;
+}
+
+static inline void unset_feature(CPUARMState *env, int feature)
+{
+    env->features &= ~(1ULL << feature);
+}
+
 /**
  * ARMELChangeHookFn:
  * type of a function which can be registered via arm_register_el_change_hook()
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_virtio_is_big_endian(CPUState *cs)
 
 #endif
 
-static inline void set_feature(CPUARMState *env, int feature)
-{
-    env->features |= 1ULL << feature;
-}
-
-static inline void unset_feature(CPUARMState *env, int feature)
-{
-    env->features &= ~(1ULL << feature);
-}
-
 static int
 print_insn_thumb1(bfd_vma pc, disassemble_info *info)
 {
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #include "kvm_arm.h"
 #include "qapi/visitor.h"
 
-static inline void set_feature(CPUARMState *env, int feature)
-{
-    env->features |= 1ULL << feature;
-}
-
-static inline void unset_feature(CPUARMState *env, int feature)
-{
-    env->features &= ~(1ULL << feature);
-}
-
 #ifndef CONFIG_USER_ONLY
 static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

Use ARRAY_SIZE() to iterate over ARMCPUInfo[].

Since on the aarch64-linux-user build, arm_cpus[] is empty, add
the cpu_count variable and only iterate when it is non-zero.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200504172448.9402-4-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c   | 16 +++++++++-------
 target/arm/cpu64.c |  8 +++-----
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo arm_cpus[] = {
     { .name = "any",         .initfn = arm_max_initfn },
 #endif
 #endif
-    { .name = NULL }
 };
 
 static Property arm_cpu_properties[] = {
@@ -XXX,XX +XXX,XX @@ static const TypeInfo idau_interface_type_info = {
 
 static void arm_cpu_register_types(void)
 {
-    const ARMCPUInfo *info = arm_cpus;
+    const size_t cpu_count = ARRAY_SIZE(arm_cpus);
 
     type_register_static(&arm_cpu_type_info);
     type_register_static(&idau_interface_type_info);
 
-    while (info->name) {
-        arm_cpu_register(info);
-        info++;
-    }
-
 #ifdef CONFIG_KVM
     type_register_static(&host_arm_cpu_type_info);
 #endif
+
+    if (cpu_count) {
+        size_t i;
+
+        for (i = 0; i < cpu_count; ++i) {
+            arm_cpu_register(&arm_cpus[i]);
+        }
+    }
 }
 
 type_init(arm_cpu_register_types)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
     { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
     { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
     { .name = "max",                .initfn = aarch64_max_initfn },
-    { .name = NULL }
 };
 
 static bool aarch64_cpu_get_aarch64(Object *obj, Error **errp)
@@ -XXX,XX +XXX,XX @@ static const TypeInfo aarch64_cpu_type_info = {
 
 static void aarch64_cpu_register_types(void)
 {
-    const ARMCPUInfo *info = aarch64_cpus;
+    size_t i;
 
     type_register_static(&aarch64_cpu_type_info);
 
-    while (info->name) {
-        aarch64_cpu_register(info);
-        info++;
+    for (i = 0; i < ARRAY_SIZE(aarch64_cpus); ++i) {
+        aarch64_cpu_register(&aarch64_cpus[i]);
     }
 }
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

As IDAU is a v8M feature, restrict it to the Aarch32 CPUs.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200504172448.9402-5-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
     const size_t cpu_count = ARRAY_SIZE(arm_cpus);
 
     type_register_static(&arm_cpu_type_info);
-    type_register_static(&idau_interface_type_info);
 
 #ifdef CONFIG_KVM
     type_register_static(&host_arm_cpu_type_info);
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_register_types(void)
     if (cpu_count) {
         size_t i;
 
+        type_register_static(&idau_interface_type_info);
         for (i = 0; i < cpu_count; ++i) {
             arm_cpu_register(&arm_cpus[i]);
         }
-- 
2.20.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

A KVM-only build won't be able to run TCG cpus.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20200504172448.9402-6-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c         | 634 -------------------------------------
 target/arm/cpu_tcg.c     | 664 +++++++++++++++++++++++++++++++++++++++
 target/arm/Makefile.objs |   1 +
 3 files changed, 665 insertions(+), 634 deletions(-)
 create mode 100644 target/arm/cpu_tcg.c

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
     return true;
 }
 
-#if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
-static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-{
-    CPUClass *cc = CPU_GET_CLASS(cs);
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-    bool ret = false;
-
-    /*
-     * ARMv7-M interrupt masking works differently than -A or -R.
-     * There is no FIQ/IRQ distinction. Instead of I and F bits
-     * masking FIQ and IRQ interrupts, an exception is taken only
-     * if it is higher priority than the current execution priority
-     * (which depends on state like BASEPRI, FAULTMASK and the
-     * currently active exception).
-     */
-    if (interrupt_request & CPU_INTERRUPT_HARD
-        && (armv7m_nvic_can_take_pending_exception(env->nvic))) {
-        cs->exception_index = EXCP_IRQ;
-        cc->do_interrupt(cs);
-        ret = true;
-    }
-    return ret;
-}
-#endif
-
 void arm_cpu_update_virq(ARMCPU *cpu)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static ObjectClass *arm_cpu_class_by_name(const char *cpu_model)
 /* CPU models. These are not needed for the AArch64 linux-user build. */
 #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 
-static void arm926_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm926";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
-    cpu->midr = 0x41069265;
-    cpu->reset_fpsid = 0x41011090;
-    cpu->ctr = 0x1dd20d2;
-    cpu->reset_sctlr = 0x00090078;
-
-    /*
-     * ARMv5 does not have the ID_ISAR registers, but we can still
-     * set the field to indicate Jazelle support within QEMU.
-     */
-    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-    /*
-     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
-     * support even though ARMv5 doesn't have this register.
-     */
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
-}
-
-static void arm946_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm946";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_PMSA);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    cpu->midr = 0x41059461;
-    cpu->ctr = 0x0f004006;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void arm1026_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm1026";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
-    cpu->midr = 0x4106a262;
-    cpu->reset_fpsid = 0x410110a0;
-    cpu->ctr = 0x1dd20d2;
-    cpu->reset_sctlr = 0x00090078;
-    cpu->reset_auxcr = 1;
-
-    /*
-     * ARMv5 does not have the ID_ISAR registers, but we can still
-     * set the field to indicate Jazelle support within QEMU.
-     */
-    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
-    /*
-     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
-     * support even though ARMv5 doesn't have this register.
-     */
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
-
-    {
-        /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
-        ARMCPRegInfo ifar = {
-            .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
-            .access = PL1_RW,
-            .fieldoffset = offsetof(CPUARMState, cp15.ifar_ns),
-            .resetvalue = 0
-        };
-        define_one_arm_cp_reg(cpu, &ifar);
-    }
-}
-
-static void arm1136_r2_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    /*
-     * What qemu calls "arm1136_r2" is actually the 1136 r0p2, ie an
-     * older core than plain "arm1136". In particular this does not
-     * have the v6K features.
-     * These ID register values are correct for 1136 but may be wrong
-     * for 1136_r2 (in particular r0p2 does not actually implement most
-     * of the ID registers).
-     */
-
-    cpu->dtb_compatible = "arm,arm1136";
-    set_feature(&cpu->env, ARM_FEATURE_V6);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
-    cpu->midr = 0x4107b362;
-    cpu->reset_fpsid = 0x410120b4;
-    cpu->isar.mvfr0 = 0x11111111;
-    cpu->isar.mvfr1 = 0x00000000;
-    cpu->ctr = 0x1dd20d2;
-    cpu->reset_sctlr = 0x00050078;
-    cpu->id_pfr0 = 0x111;
-    cpu->id_pfr1 = 0x1;
-    cpu->isar.id_dfr0 = 0x2;
-    cpu->id_afr0 = 0x3;
-    cpu->isar.id_mmfr0 = 0x01130003;
-    cpu->isar.id_mmfr1 = 0x10030302;
-    cpu->isar.id_mmfr2 = 0x01222110;
-    cpu->isar.id_isar0 = 0x00140011;
-    cpu->isar.id_isar1 = 0x12002111;
-    cpu->isar.id_isar2 = 0x11231111;
-    cpu->isar.id_isar3 = 0x01102131;
-    cpu->isar.id_isar4 = 0x141;
-    cpu->reset_auxcr = 7;
-}
-
-static void arm1136_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm1136";
-    set_feature(&cpu->env, ARM_FEATURE_V6K);
-    set_feature(&cpu->env, ARM_FEATURE_V6);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
-    cpu->midr = 0x4117b363;
-    cpu->reset_fpsid = 0x410120b4;
-    cpu->isar.mvfr0 = 0x11111111;
-    cpu->isar.mvfr1 = 0x00000000;
-    cpu->ctr = 0x1dd20d2;
-    cpu->reset_sctlr = 0x00050078;
-    cpu->id_pfr0 = 0x111;
-    cpu->id_pfr1 = 0x1;
-    cpu->isar.id_dfr0 = 0x2;
-    cpu->id_afr0 = 0x3;
-    cpu->isar.id_mmfr0 = 0x01130003;
-    cpu->isar.id_mmfr1 = 0x10030302;
-    cpu->isar.id_mmfr2 = 0x01222110;
-    cpu->isar.id_isar0 = 0x00140011;
-    cpu->isar.id_isar1 = 0x12002111;
-    cpu->isar.id_isar2 = 0x11231111;
-    cpu->isar.id_isar3 = 0x01102131;
-    cpu->isar.id_isar4 = 0x141;
-    cpu->reset_auxcr = 7;
-}
-
-static void arm1176_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm1176";
-    set_feature(&cpu->env, ARM_FEATURE_V6K);
-    set_feature(&cpu->env, ARM_FEATURE_VAPA);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
-    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
-    set_feature(&cpu->env, ARM_FEATURE_EL3);
-    cpu->midr = 0x410fb767;
-    cpu->reset_fpsid = 0x410120b5;
-    cpu->isar.mvfr0 = 0x11111111;
-    cpu->isar.mvfr1 = 0x00000000;
-    cpu->ctr = 0x1dd20d2;
-    cpu->reset_sctlr = 0x00050078;
-    cpu->id_pfr0 = 0x111;
-    cpu->id_pfr1 = 0x11;
-    cpu->isar.id_dfr0 = 0x33;
-    cpu->id_afr0 = 0;
-    cpu->isar.id_mmfr0 = 0x01130003;
-    cpu->isar.id_mmfr1 = 0x10030302;
-    cpu->isar.id_mmfr2 = 0x01222100;
-    cpu->isar.id_isar0 = 0x0140011;
-    cpu->isar.id_isar1 = 0x12002111;
-    cpu->isar.id_isar2 = 0x11231121;
-    cpu->isar.id_isar3 = 0x01102131;
-    cpu->isar.id_isar4 = 0x01141;
-    cpu->reset_auxcr = 7;
-}
-
-static void arm11mpcore_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "arm,arm11mpcore";
-    set_feature(&cpu->env, ARM_FEATURE_V6K);
-    set_feature(&cpu->env, ARM_FEATURE_VAPA);
-    set_feature(&cpu->env, ARM_FEATURE_MPIDR);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    cpu->midr = 0x410fb022;
-    cpu->reset_fpsid = 0x410120b4;
-    cpu->isar.mvfr0 = 0x11111111;
-    cpu->isar.mvfr1 = 0x00000000;
-    cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
-    cpu->id_pfr0 = 0x111;
-    cpu->id_pfr1 = 0x1;
-    cpu->isar.id_dfr0 = 0;
-    cpu->id_afr0 = 0x2;
-    cpu->isar.id_mmfr0 = 0x01100103;
-    cpu->isar.id_mmfr1 = 0x10020302;
-    cpu->isar.id_mmfr2 = 0x01222000;
-    cpu->isar.id_isar0 = 0x00100011;
-    cpu->isar.id_isar1 = 0x12002111;
-    cpu->isar.id_isar2 = 0x11221011;
-    cpu->isar.id_isar3 = 0x01102131;
-    cpu->isar.id_isar4 = 0x141;
-    cpu->reset_auxcr = 1;
-}
-
-static void cortex_m0_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    set_feature(&cpu->env, ARM_FEATURE_V6);
-    set_feature(&cpu->env, ARM_FEATURE_M);
-
-    cpu->midr = 0x410cc200;
-}
-
-static void cortex_m3_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    set_feature(&cpu->env, ARM_FEATURE_V7);
-    set_feature(&cpu->env, ARM_FEATURE_M);
-    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
-    cpu->midr = 0x410fc231;
-    cpu->pmsav7_dregion = 8;
-    cpu->id_pfr0 = 0x00000030;
-    cpu->id_pfr1 = 0x00000200;
-    cpu->isar.id_dfr0 = 0x00100000;
-    cpu->id_afr0 = 0x00000000;
-    cpu->isar.id_mmfr0 = 0x00000030;
-    cpu->isar.id_mmfr1 = 0x00000000;
-    cpu->isar.id_mmfr2 = 0x00000000;
-    cpu->isar.id_mmfr3 = 0x00000000;
-    cpu->isar.id_isar0 = 0x01141110;
-    cpu->isar.id_isar1 = 0x02111000;
-    cpu->isar.id_isar2 = 0x21112231;
-    cpu->isar.id_isar3 = 0x01111110;
-    cpu->isar.id_isar4 = 0x01310102;
-    cpu->isar.id_isar5 = 0x00000000;
-    cpu->isar.id_isar6 = 0x00000000;
-}
-
-static void cortex_m4_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    set_feature(&cpu->env, ARM_FEATURE_V7);
-    set_feature(&cpu->env, ARM_FEATURE_M);
-    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
-    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
-    cpu->midr = 0x410fc240; /* r0p0 */
-    cpu->pmsav7_dregion = 8;
-    cpu->isar.mvfr0 = 0x10110021;
-    cpu->isar.mvfr1 = 0x11000011;
-    cpu->isar.mvfr2 = 0x00000000;
-    cpu->id_pfr0 = 0x00000030;
-    cpu->id_pfr1 = 0x00000200;
-    cpu->isar.id_dfr0 = 0x00100000;
-    cpu->id_afr0 = 0x00000000;
-    cpu->isar.id_mmfr0 = 0x00000030;
-    cpu->isar.id_mmfr1 = 0x00000000;
-    cpu->isar.id_mmfr2 = 0x00000000;
-    cpu->isar.id_mmfr3 = 0x00000000;
-    cpu->isar.id_isar0 = 0x01141110;
-    cpu->isar.id_isar1 = 0x02111000;
-    cpu->isar.id_isar2 = 0x21112231;
-    cpu->isar.id_isar3 = 0x01111110;
-    cpu->isar.id_isar4 = 0x01310102;
-    cpu->isar.id_isar5 = 0x00000000;
-    cpu->isar.id_isar6 = 0x00000000;
-}
-
-static void cortex_m7_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    set_feature(&cpu->env, ARM_FEATURE_V7);
-    set_feature(&cpu->env, ARM_FEATURE_M);
-    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
-    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
-    cpu->midr = 0x411fc272; /* r1p2 */
-    cpu->pmsav7_dregion = 8;
-    cpu->isar.mvfr0 = 0x10110221;
-    cpu->isar.mvfr1 = 0x12000011;
-    cpu->isar.mvfr2 = 0x00000040;
-    cpu->id_pfr0 = 0x00000030;
-    cpu->id_pfr1 = 0x00000200;
-    cpu->isar.id_dfr0 = 0x00100000;
-    cpu->id_afr0 = 0x00000000;
-    cpu->isar.id_mmfr0 = 0x00100030;
-    cpu->isar.id_mmfr1 = 0x00000000;
-    cpu->isar.id_mmfr2 = 0x01000000;
-    cpu->isar.id_mmfr3 = 0x00000000;
-    cpu->isar.id_isar0 = 0x01101110;
-    cpu->isar.id_isar1 = 0x02112000;
-    cpu->isar.id_isar2 = 0x20232231;
-    cpu->isar.id_isar3 = 0x01111131;
-    cpu->isar.id_isar4 = 0x01310132;
-    cpu->isar.id_isar5 = 0x00000000;
-    cpu->isar.id_isar6 = 0x00000000;
-}
-
-static void cortex_m33_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    set_feature(&cpu->env, ARM_FEATURE_V8);
-    set_feature(&cpu->env, ARM_FEATURE_M);
-    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
-    set_feature(&cpu->env, ARM_FEATURE_M_SECURITY);
-    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
-    cpu->midr = 0x410fd213; /* r0p3 */
-    cpu->pmsav7_dregion = 16;
-    cpu->sau_sregion = 8;
-    cpu->isar.mvfr0 = 0x10110021;
-    cpu->isar.mvfr1 = 0x11000011;
-    cpu->isar.mvfr2 = 0x00000040;
-    cpu->id_pfr0 = 0x00000030;
-    cpu->id_pfr1 = 0x00000210;
-    cpu->isar.id_dfr0 = 0x00200000;
-    cpu->id_afr0 = 0x00000000;
-    cpu->isar.id_mmfr0 = 0x00101F40;
-    cpu->isar.id_mmfr1 = 0x00000000;
-    cpu->isar.id_mmfr2 = 0x01000000;
-    cpu->isar.id_mmfr3 = 0x00000000;
-    cpu->isar.id_isar0 = 0x01101110;
-    cpu->isar.id_isar1 = 0x02212000;
-    cpu->isar.id_isar2 = 0x20232232;
-    cpu->isar.id_isar3 = 0x01111131;
-    cpu->isar.id_isar4 = 0x01310132;
-    cpu->isar.id_isar5 = 0x00000000;
-    cpu->isar.id_isar6 = 0x00000000;
-    cpu->clidr = 0x00000000;
-    cpu->ctr = 0x8000c000;
-}
-
-static void arm_v7m_class_init(ObjectClass *oc, void *data)
-{
-    ARMCPUClass *acc = ARM_CPU_CLASS(oc);
-    CPUClass *cc = CPU_CLASS(oc);
-
-    acc->info = data;
-#ifndef CONFIG_USER_ONLY
-    cc->do_interrupt = arm_v7m_cpu_do_interrupt;
-#endif
-
-    cc->cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt;
-}
-
-static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
-    /* Dummy the TCM region regs for the moment */
-    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
-      .access = PL1_RW, .type = ARM_CP_CONST },
-    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
-      .access = PL1_RW, .type = ARM_CP_CONST },
-    { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
-      .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
-    REGINFO_SENTINEL
-};
-
-static void cortex_r5_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    set_feature(&cpu->env, ARM_FEATURE_V7);
-    set_feature(&cpu->env, ARM_FEATURE_V7MP);
-    set_feature(&cpu->env, ARM_FEATURE_PMSA);
-    set_feature(&cpu->env, ARM_FEATURE_PMU);
-    cpu->midr = 0x411fc153; /* r1p3 */
-    cpu->id_pfr0 = 0x0131;
-    cpu->id_pfr1 = 0x001;
-    cpu->isar.id_dfr0 = 0x010400;
-    cpu->id_afr0 = 0x0;
-    cpu->isar.id_mmfr0 = 0x0210030;
-    cpu->isar.id_mmfr1 = 0x00000000;
-    cpu->isar.id_mmfr2 = 0x01200000;
-    cpu->isar.id_mmfr3 = 0x0211;
-    cpu->isar.id_isar0 = 0x02101111;
-    cpu->isar.id_isar1 = 0x13112111;
-    cpu->isar.id_isar2 = 0x21232141;
-    cpu->isar.id_isar3 = 0x01112131;
-    cpu->isar.id_isar4 = 0x0010142;
-    cpu->isar.id_isar5 = 0x0;
-    cpu->isar.id_isar6 = 0x0;
-    cpu->mp_is_up = true;
-    cpu->pmsav7_dregion = 16;
-    define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
-}
-
-static void cortex_r5f_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cortex_r5_initfn(obj);
-    cpu->isar.mvfr0 = 0x10110221;
-    cpu->isar.mvfr1 = 0x00000011;
-}
-
 static const ARMCPRegInfo cortexa8_cp_reginfo[] = {
     { .name = "L2LOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 1, .opc2 = 0,
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
@@ -XXX,XX +XXX,XX @@ static void cortex_a15_initfn(Object *obj)
     define_arm_cp_regs(cpu, cortexa15_cp_reginfo);
 }
 
-static void ti925t_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    set_feature(&cpu->env, ARM_FEATURE_V4T);
-    set_feature(&cpu->env, ARM_FEATURE_OMAPCP);
-    cpu->midr = ARM_CPUID_TI925T;
-    cpu->ctr = 0x5109149;
-    cpu->reset_sctlr = 0x00000070;
-}
-
-static void sa1100_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "intel,sa1100";
-    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    cpu->midr = 0x4401A11B;
-    cpu->reset_sctlr = 0x00000070;
-}
-
-static void sa1110_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
-    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
-    cpu->midr = 0x6901B119;
-    cpu->reset_sctlr = 0x00000070;
-}
-
-static void pxa250_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    cpu->midr = 0x69052100;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa255_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    cpu->midr = 0x69052d00;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa260_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    cpu->midr = 0x69052903;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa261_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    cpu->midr = 0x69052d05;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa262_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    cpu->midr = 0x69052d06;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270a0_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054110;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270a1_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054111;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270b0_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054112;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270b1_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054113;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270c0_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054114;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
-static void pxa270c5_initfn(Object *obj)
-{
-    ARMCPU *cpu = ARM_CPU(obj);
-
-    cpu->dtb_compatible = "marvell,xscale";
-    set_feature(&cpu->env, ARM_FEATURE_V5);
-    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
-    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
-    cpu->midr = 0x69054117;
-    cpu->ctr = 0xd172172;
-    cpu->reset_sctlr = 0x00000078;
-}
-
 #ifndef TARGET_AARCH64
 /* -cpu max: if KVM is enabled, like -cpu host (best possible with this host);
  * otherwise, a CPU with as many features enabled as our emulation supports.
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
 
 static const ARMCPUInfo arm_cpus[] = {
 #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
-    { .name = "arm926",      .initfn = arm926_initfn },
-    { .name = "arm946",      .initfn = arm946_initfn },
-    { .name = "arm1026",     .initfn = arm1026_initfn },
-    /*
-     * What QEMU calls "arm1136-r2" is actually the 1136 r0p2, i.e. an
-     * older core than plain "arm1136". In particular this does not
-     * have the v6K features.
-     */
-    { .name = "arm1136-r2",  .initfn = arm1136_r2_initfn },
-    { .name = "arm1136",     .initfn = arm1136_initfn },
-    { .name = "arm1176",     .initfn = arm1176_initfn },
-    { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
-    { .name = "cortex-m0",   .initfn = cortex_m0_initfn,
-                             .class_init = arm_v7m_class_init },
-    { .name = "cortex-m3",   .initfn = cortex_m3_initfn,
-                             .class_init = arm_v7m_class_init },
-    { .name = "cortex-m4",   .initfn = cortex_m4_initfn,
-                             .class_init = arm_v7m_class_init },
-    { .name = "cortex-m7",   .initfn = cortex_m7_initfn,
-                             .class_init = arm_v7m_class_init },
-    { .name = "cortex-m33",  .initfn = cortex_m33_initfn,
-                             .class_init = arm_v7m_class_init },
-    { .name = "cortex-r5",   .initfn = cortex_r5_initfn },
-    { .name = "cortex-r5f",  .initfn = cortex_r5f_initfn },
     { .name = "cortex-a7",   .initfn = cortex_a7_initfn },
     { .name = "cortex-a8",   .initfn = cortex_a8_initfn },
     { .name = "cortex-a9",   .initfn = cortex_a9_initfn },
     { .name = "cortex-a15",  .initfn = cortex_a15_initfn },
-    { .name = "ti925t",      .initfn = ti925t_initfn },
-    { .name = "sa1100",      .initfn = sa1100_initfn },
-    { .name = "sa1110",      .initfn = sa1110_initfn },
-    { .name = "pxa250",      .initfn = pxa250_initfn },
-    { .name = "pxa255",      .initfn = pxa255_initfn },
-    { .name = "pxa260",      .initfn = pxa260_initfn },
-    { .name = "pxa261",      .initfn = pxa261_initfn },
-    { .name = "pxa262",      .initfn = pxa262_initfn },
-    /* "pxa270" is an alias for "pxa270-a0" */
-    { .name = "pxa270",      .initfn = pxa270a0_initfn },
-    { .name = "pxa270-a0",   .initfn = pxa270a0_initfn },
-    { .name = "pxa270-a1",   .initfn = pxa270a1_initfn },
-    { .name = "pxa270-b0",   .initfn = pxa270b0_initfn },
-    { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
-    { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
-    { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
 #ifndef TARGET_AARCH64
     { .name = "max",         .initfn = arm_max_initfn },
 #endif
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * QEMU ARM TCG CPUs.
+ *
+ * Copyright (c) 2012 SUSE LINUX Products GmbH
+ *
+ * This code is licensed under the GNU GPL v2 or later.
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "internals.h"
+
+/* CPU models. These are not needed for the AArch64 linux-user build. */
+#if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
+
+static bool arm_v7m_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+{
+    CPUClass *cc = CPU_GET_CLASS(cs);
+    ARMCPU *cpu = ARM_CPU(cs);
+    CPUARMState *env = &cpu->env;
+    bool ret = false;
+
+    /*
+     * ARMv7-M interrupt masking works differently than -A or -R.
+     * There is no FIQ/IRQ distinction. Instead of I and F bits
+     * masking FIQ and IRQ interrupts, an exception is taken only
+     * if it is higher priority than the current execution priority
+     * (which depends on state like BASEPRI, FAULTMASK and the
+     * currently active exception).
+     */
+    if (interrupt_request & CPU_INTERRUPT_HARD
+        && (armv7m_nvic_can_take_pending_exception(env->nvic))) {
+        cs->exception_index = EXCP_IRQ;
+        cc->do_interrupt(cs);
+        ret = true;
+    }
+    return ret;
+}
+
+static void arm926_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm926";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
+    cpu->midr = 0x41069265;
+    cpu->reset_fpsid = 0x41011090;
+    cpu->ctr = 0x1dd20d2;
+    cpu->reset_sctlr = 0x00090078;
+
+    /*
+     * ARMv5 does not have the ID_ISAR registers, but we can still
+     * set the field to indicate Jazelle support within QEMU.
+     */
+    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
+     * support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+}
+
+static void arm946_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm946";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_PMSA);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    cpu->midr = 0x41059461;
+    cpu->ctr = 0x0f004006;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void arm1026_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm1026";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_AUXCR);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_TEST_CLEAN);
+    cpu->midr = 0x4106a262;
+    cpu->reset_fpsid = 0x410110a0;
+    cpu->ctr = 0x1dd20d2;
+    cpu->reset_sctlr = 0x00090078;
+    cpu->reset_auxcr = 1;
+
+    /*
+     * ARMv5 does not have the ID_ISAR registers, but we can still
+     * set the field to indicate Jazelle support within QEMU.
+     */
+    cpu->isar.id_isar1 = FIELD_DP32(cpu->isar.id_isar1, ID_ISAR1, JAZELLE, 1);
+    /*
+     * Similarly, we need to set MVFR0 fields to enable vfp and short vector
+     * support even though ARMv5 doesn't have this register.
+     */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSP, 1);
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPDP, 1);
+
+    {
+        /* The 1026 had an IFAR at c6,c0,0,1 rather than the ARMv6 c6,c0,0,2 */
+        ARMCPRegInfo ifar = {
+            .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
+            .access = PL1_RW,
+            .fieldoffset = offsetof(CPUARMState, cp15.ifar_ns),
+            .resetvalue = 0
+        };
+        define_one_arm_cp_reg(cpu, &ifar);
+    }
+}
+
+static void arm1136_r2_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    /*
+     * What qemu calls "arm1136_r2" is actually the 1136 r0p2, ie an
+     * older core than plain "arm1136". In particular this does not
+     * have the v6K features.
+     * These ID register values are correct for 1136 but may be wrong
+     * for 1136_r2 (in particular r0p2 does not actually implement most
+     * of the ID registers).
+     */
+
+    cpu->dtb_compatible = "arm,arm1136";
+    set_feature(&cpu->env, ARM_FEATURE_V6);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
+    cpu->midr = 0x4107b362;
+    cpu->reset_fpsid = 0x410120b4;
+    cpu->isar.mvfr0 = 0x11111111;
+    cpu->isar.mvfr1 = 0x00000000;
+    cpu->ctr = 0x1dd20d2;
+    cpu->reset_sctlr = 0x00050078;
+    cpu->id_pfr0 = 0x111;
+    cpu->id_pfr1 = 0x1;
+    cpu->isar.id_dfr0 = 0x2;
+    cpu->id_afr0 = 0x3;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222110;
+    cpu->isar.id_isar0 = 0x00140011;
+    cpu->isar.id_isar1 = 0x12002111;
+    cpu->isar.id_isar2 = 0x11231111;
+    cpu->isar.id_isar3 = 0x01102131;
+    cpu->isar.id_isar4 = 0x141;
+    cpu->reset_auxcr = 7;
+}
+
+static void arm1136_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm1136";
+    set_feature(&cpu->env, ARM_FEATURE_V6K);
+    set_feature(&cpu->env, ARM_FEATURE_V6);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
+    cpu->midr = 0x4117b363;
+    cpu->reset_fpsid = 0x410120b4;
+    cpu->isar.mvfr0 = 0x11111111;
+    cpu->isar.mvfr1 = 0x00000000;
+    cpu->ctr = 0x1dd20d2;
+    cpu->reset_sctlr = 0x00050078;
+    cpu->id_pfr0 = 0x111;
+    cpu->id_pfr1 = 0x1;
+    cpu->isar.id_dfr0 = 0x2;
+    cpu->id_afr0 = 0x3;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222110;
+    cpu->isar.id_isar0 = 0x00140011;
+    cpu->isar.id_isar1 = 0x12002111;
+    cpu->isar.id_isar2 = 0x11231111;
+    cpu->isar.id_isar3 = 0x01102131;
+    cpu->isar.id_isar4 = 0x141;
+    cpu->reset_auxcr = 7;
+}
+
+static void arm1176_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm1176";
+    set_feature(&cpu->env, ARM_FEATURE_V6K);
+    set_feature(&cpu->env, ARM_FEATURE_VAPA);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_DIRTY_REG);
+    set_feature(&cpu->env, ARM_FEATURE_CACHE_BLOCK_OPS);
+    set_feature(&cpu->env, ARM_FEATURE_EL3);
+    cpu->midr = 0x410fb767;
+    cpu->reset_fpsid = 0x410120b5;
+    cpu->isar.mvfr0 = 0x11111111;
+    cpu->isar.mvfr1 = 0x00000000;
+    cpu->ctr = 0x1dd20d2;
+    cpu->reset_sctlr = 0x00050078;
+    cpu->id_pfr0 = 0x111;
+    cpu->id_pfr1 = 0x11;
+    cpu->isar.id_dfr0 = 0x33;
+    cpu->id_afr0 = 0;
+    cpu->isar.id_mmfr0 = 0x01130003;
+    cpu->isar.id_mmfr1 = 0x10030302;
+    cpu->isar.id_mmfr2 = 0x01222100;
+    cpu->isar.id_isar0 = 0x0140011;
+    cpu->isar.id_isar1 = 0x12002111;
+    cpu->isar.id_isar2 = 0x11231121;
+    cpu->isar.id_isar3 = 0x01102131;
+    cpu->isar.id_isar4 = 0x01141;
+    cpu->reset_auxcr = 7;
+}
+
+static void arm11mpcore_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,arm11mpcore";
+    set_feature(&cpu->env, ARM_FEATURE_V6K);
+    set_feature(&cpu->env, ARM_FEATURE_VAPA);
+    set_feature(&cpu->env, ARM_FEATURE_MPIDR);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    cpu->midr = 0x410fb022;
+    cpu->reset_fpsid = 0x410120b4;
+    cpu->isar.mvfr0 = 0x11111111;
+    cpu->isar.mvfr1 = 0x00000000;
+    cpu->ctr = 0x1d192992; /* 32K icache 32K dcache */
+    cpu->id_pfr0 = 0x111;
+    cpu->id_pfr1 = 0x1;
+    cpu->isar.id_dfr0 = 0;
+    cpu->id_afr0 = 0x2;
+    cpu->isar.id_mmfr0 = 0x01100103;
+    cpu->isar.id_mmfr1 = 0x10020302;
+    cpu->isar.id_mmfr2 = 0x01222000;
+    cpu->isar.id_isar0 = 0x00100011;
+    cpu->isar.id_isar1 = 0x12002111;
+    cpu->isar.id_isar2 = 0x11221011;
+    cpu->isar.id_isar3 = 0x01102131;
+    cpu->isar.id_isar4 = 0x141;
+    cpu->reset_auxcr = 1;
+}
+
+static void cortex_m0_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    set_feature(&cpu->env, ARM_FEATURE_V6);
+    set_feature(&cpu->env, ARM_FEATURE_M);
+
+    cpu->midr = 0x410cc200;
+}
+
+static void cortex_m3_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    set_feature(&cpu->env, ARM_FEATURE_V7);
+    set_feature(&cpu->env, ARM_FEATURE_M);
+    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
+    cpu->midr = 0x410fc231;
+    cpu->pmsav7_dregion = 8;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000200;
+    cpu->isar.id_dfr0 = 0x00100000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00000030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x00000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
+    cpu->isar.id_isar0 = 0x01141110;
+    cpu->isar.id_isar1 = 0x02111000;
+    cpu->isar.id_isar2 = 0x21112231;
+    cpu->isar.id_isar3 = 0x01111110;
+    cpu->isar.id_isar4 = 0x01310102;
+    cpu->isar.id_isar5 = 0x00000000;
+    cpu->isar.id_isar6 = 0x00000000;
+}
+
+static void cortex_m4_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    set_feature(&cpu->env, ARM_FEATURE_V7);
+    set_feature(&cpu->env, ARM_FEATURE_M);
+    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
+    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
+    cpu->midr = 0x410fc240; /* r0p0 */
+    cpu->pmsav7_dregion = 8;
+    cpu->isar.mvfr0 = 0x10110021;
+    cpu->isar.mvfr1 = 0x11000011;
+    cpu->isar.mvfr2 = 0x00000000;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000200;
+    cpu->isar.id_dfr0 = 0x00100000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00000030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x00000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
+    cpu->isar.id_isar0 = 0x01141110;
+    cpu->isar.id_isar1 = 0x02111000;
+    cpu->isar.id_isar2 = 0x21112231;
+    cpu->isar.id_isar3 = 0x01111110;
+    cpu->isar.id_isar4 = 0x01310102;
+    cpu->isar.id_isar5 = 0x00000000;
+    cpu->isar.id_isar6 = 0x00000000;
+}
+
+static void cortex_m7_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    set_feature(&cpu->env, ARM_FEATURE_V7);
+    set_feature(&cpu->env, ARM_FEATURE_M);
+    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
+    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
+    cpu->midr = 0x411fc272; /* r1p2 */
+    cpu->pmsav7_dregion = 8;
+    cpu->isar.mvfr0 = 0x10110221;
+    cpu->isar.mvfr1 = 0x12000011;
+    cpu->isar.mvfr2 = 0x00000040;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000200;
+    cpu->isar.id_dfr0 = 0x00100000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00100030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
+    cpu->isar.id_isar0 = 0x01101110;
+    cpu->isar.id_isar1 = 0x02112000;
+    cpu->isar.id_isar2 = 0x20232231;
+    cpu->isar.id_isar3 = 0x01111131;
+    cpu->isar.id_isar4 = 0x01310132;
+    cpu->isar.id_isar5 = 0x00000000;
+    cpu->isar.id_isar6 = 0x00000000;
+}
+
+static void cortex_m33_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    set_feature(&cpu->env, ARM_FEATURE_V8);
+    set_feature(&cpu->env, ARM_FEATURE_M);
+    set_feature(&cpu->env, ARM_FEATURE_M_MAIN);
+    set_feature(&cpu->env, ARM_FEATURE_M_SECURITY);
+    set_feature(&cpu->env, ARM_FEATURE_THUMB_DSP);
+    cpu->midr = 0x410fd213; /* r0p3 */
+    cpu->pmsav7_dregion = 16;
+    cpu->sau_sregion = 8;
+    cpu->isar.mvfr0 = 0x10110021;
+    cpu->isar.mvfr1 = 0x11000011;
+    cpu->isar.mvfr2 = 0x00000040;
+    cpu->id_pfr0 = 0x00000030;
+    cpu->id_pfr1 = 0x00000210;
+    cpu->isar.id_dfr0 = 0x00200000;
+    cpu->id_afr0 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x00101F40;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01000000;
+    cpu->isar.id_mmfr3 = 0x00000000;
+    cpu->isar.id_isar0 = 0x01101110;
+    cpu->isar.id_isar1 = 0x02212000;
+    cpu->isar.id_isar2 = 0x20232232;
+    cpu->isar.id_isar3 = 0x01111131;
+    cpu->isar.id_isar4 = 0x01310132;
+    cpu->isar.id_isar5 = 0x00000000;
+    cpu->isar.id_isar6 = 0x00000000;
+    cpu->clidr = 0x00000000;
+    cpu->ctr = 0x8000c000;
+}
+
+static const ARMCPRegInfo cortexr5_cp_reginfo[] = {
+    /* Dummy the TCM region regs for the moment */
+    { .name = "ATCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST },
+    { .name = "BTCM", .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST },
+    { .name = "DCACHE_INVAL", .cp = 15, .opc1 = 0, .crn = 15, .crm = 5,
+      .opc2 = 0, .access = PL1_W, .type = ARM_CP_NOP },
+    REGINFO_SENTINEL
+};
+
+static void cortex_r5_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    set_feature(&cpu->env, ARM_FEATURE_V7);
+    set_feature(&cpu->env, ARM_FEATURE_V7MP);
+    set_feature(&cpu->env, ARM_FEATURE_PMSA);
+    set_feature(&cpu->env, ARM_FEATURE_PMU);
+    cpu->midr = 0x411fc153; /* r1p3 */
+    cpu->id_pfr0 = 0x0131;
+    cpu->id_pfr1 = 0x001;
+    cpu->isar.id_dfr0 = 0x010400;
+    cpu->id_afr0 = 0x0;
+    cpu->isar.id_mmfr0 = 0x0210030;
+    cpu->isar.id_mmfr1 = 0x00000000;
+    cpu->isar.id_mmfr2 = 0x01200000;
+    cpu->isar.id_mmfr3 = 0x0211;
+    cpu->isar.id_isar0 = 0x02101111;
+    cpu->isar.id_isar1 = 0x13112111;
+    cpu->isar.id_isar2 = 0x21232141;
+    cpu->isar.id_isar3 = 0x01112131;
+    cpu->isar.id_isar4 = 0x0010142;
+    cpu->isar.id_isar5 = 0x0;
+    cpu->isar.id_isar6 = 0x0;
+    cpu->mp_is_up = true;
+    cpu->pmsav7_dregion = 16;
+    define_arm_cp_regs(cpu, cortexr5_cp_reginfo);
+}
+
+static void cortex_r5f_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cortex_r5_initfn(obj);
+    cpu->isar.mvfr0 = 0x10110221;
+    cpu->isar.mvfr1 = 0x00000011;
+}
+
+static void ti925t_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    set_feature(&cpu->env, ARM_FEATURE_V4T);
+    set_feature(&cpu->env, ARM_FEATURE_OMAPCP);
+    cpu->midr = ARM_CPUID_TI925T;
+    cpu->ctr = 0x5109149;
+    cpu->reset_sctlr = 0x00000070;
+}
+
+static void sa1100_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "intel,sa1100";
+    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    cpu->midr = 0x4401A11B;
+    cpu->reset_sctlr = 0x00000070;
+}
+
+static void sa1110_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+    set_feature(&cpu->env, ARM_FEATURE_STRONGARM);
+    set_feature(&cpu->env, ARM_FEATURE_DUMMY_C15_REGS);
+    cpu->midr = 0x6901B119;
+    cpu->reset_sctlr = 0x00000070;
+}
+
+static void pxa250_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    cpu->midr = 0x69052100;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa255_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    cpu->midr = 0x69052d00;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa260_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    cpu->midr = 0x69052903;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa261_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    cpu->midr = 0x69052d05;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa262_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    cpu->midr = 0x69052d06;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270a0_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054110;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270a1_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054111;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270b0_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054112;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270b1_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054113;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270c0_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054114;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void pxa270c5_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "marvell,xscale";
+    set_feature(&cpu->env, ARM_FEATURE_V5);
+    set_feature(&cpu->env, ARM_FEATURE_XSCALE);
+    set_feature(&cpu->env, ARM_FEATURE_IWMMXT);
+    cpu->midr = 0x69054117;
+    cpu->ctr = 0xd172172;
+    cpu->reset_sctlr = 0x00000078;
+}
+
+static void arm_v7m_class_init(ObjectClass *oc, void *data)
+{
+    ARMCPUClass *acc = ARM_CPU_CLASS(oc);
+    CPUClass *cc = CPU_CLASS(oc);
+
+    acc->info = data;
+#ifndef CONFIG_USER_ONLY
+    cc->do_interrupt = arm_v7m_cpu_do_interrupt;
+#endif
+
+    cc->cpu_exec_interrupt = arm_v7m_cpu_exec_interrupt;
+}
+
+static const ARMCPUInfo arm_tcg_cpus[] = {
+    { .name = "arm926",      .initfn = arm926_initfn },
+    { .name = "arm946",      .initfn = arm946_initfn },
+    { .name = "arm1026",     .initfn = arm1026_initfn },
+    /*
+     * What QEMU calls "arm1136-r2" is actually the 1136 r0p2, i.e. an
+     * older core than plain "arm1136". In particular this does not
+     * have the v6K features.
+     */
+    { .name = "arm1136-r2",  .initfn = arm1136_r2_initfn },
+    { .name = "arm1136",     .initfn = arm1136_initfn },
+    { .name = "arm1176",     .initfn = arm1176_initfn },
+    { .name = "arm11mpcore", .initfn = arm11mpcore_initfn },
+    { .name = "cortex-m0",   .initfn = cortex_m0_initfn,
+                             .class_init = arm_v7m_class_init },
+    { .name = "cortex-m3",   .initfn = cortex_m3_initfn,
+                             .class_init = arm_v7m_class_init },
+    { .name = "cortex-m4",   .initfn = cortex_m4_initfn,
+                             .class_init = arm_v7m_class_init },
+    { .name = "cortex-m7",   .initfn = cortex_m7_initfn,
+                             .class_init = arm_v7m_class_init },
+    { .name = "cortex-m33",  .initfn = cortex_m33_initfn,
+                             .class_init = arm_v7m_class_init },
+    { .name = "cortex-r5",   .initfn = cortex_r5_initfn },
+    { .name = "cortex-r5f",  .initfn = cortex_r5f_initfn },
+    { .name = "ti925t",      .initfn = ti925t_initfn },
+    { .name = "sa1100",      .initfn = sa1100_initfn },
+    { .name = "sa1110",      .initfn = sa1110_initfn },
+    { .name = "pxa250",      .initfn = pxa250_initfn },
+    { .name = "pxa255",      .initfn = pxa255_initfn },
+    { .name = "pxa260",      .initfn = pxa260_initfn },
+    { .name = "pxa261",      .initfn = pxa261_initfn },
+    { .name = "pxa262",      .initfn = pxa262_initfn },
+    /* "pxa270" is an alias for "pxa270-a0" */
+    { .name = "pxa270",      .initfn = pxa270a0_initfn },
+    { .name = "pxa270-a0",   .initfn = pxa270a0_initfn },
+    { .name = "pxa270-a1",   .initfn = pxa270a1_initfn },
+    { .name = "pxa270-b0",   .initfn = pxa270b0_initfn },
+    { .name = "pxa270-b1",   .initfn = pxa270b1_initfn },
+    { .name = "pxa270-c0",   .initfn = pxa270c0_initfn },
+    { .name = "pxa270-c5",   .initfn = pxa270c5_initfn },
+};
+
+static void arm_tcg_cpu_register_types(void)
+{
+    size_t i;
+
+    for (i = 0; i < ARRAY_SIZE(arm_tcg_cpus); ++i) {
+        arm_cpu_register(&arm_tcg_cpus[i]);
+    }
+}
+
+type_init(arm_tcg_cpu_register_types)
+
+#endif /* !CONFIG_USER_ONLY || !TARGET_AARCH64 */
diff --git a/target/arm/Makefile.objs b/target/arm/Makefile.objs
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/Makefile.objs
+++ b/target/arm/Makefile.objs
@@ -XXX,XX +XXX,XX @@ obj-y += translate.o op_helper.o
 obj-y += crypto_helper.o
 obj-y += iwmmxt_helper.o vec_helper.o neon_helper.o
 obj-y += m_helper.o
+obj-y += cpu_tcg.o
 
 obj-$(CONFIG_SOFTMMU) += psci.o
 
-- 
2.20.1

From: Philippe Mathieu-Daudé <f4bug@amsat.org>

I can't find proper documentation or datasheet, but it is likely
a MMIO mapped serial device mapped in the 0x80000000..0x8000ffff
range belongs to the SoC address space, thus is always mapped in
the memory bus.
Map the devices on the bus regardless a chardev is attached to it.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Jan Kiszka <jan.kiszka@web.de>
Message-id: 20200505095945.23146-1-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/musicpal.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/hw/arm/musicpal.c b/hw/arm/musicpal.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/musicpal.c
+++ b/hw/arm/musicpal.c
@@ -XXX,XX +XXX,XX @@ static void musicpal_init(MachineState *machine)
                           pic[MP_TIMER2_IRQ], pic[MP_TIMER3_IRQ],
                           pic[MP_TIMER4_IRQ], NULL);
 
-    if (serial_hd(0)) {
-        serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
-                       1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
-    }
-    if (serial_hd(1)) {
-        serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
-                       1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
-    }
+    serial_mm_init(address_space_mem, MP_UART1_BASE, 2, pic[MP_UART1_IRQ],
+                   1825000, serial_hd(0), DEVICE_NATIVE_ENDIAN);
+    serial_mm_init(address_space_mem, MP_UART2_BASE, 2, pic[MP_UART2_IRQ],
+                   1825000, serial_hd(1), DEVICE_NATIVE_ENDIAN);
 
     /* Register flash */
     dinfo = drive_get(IF_PFLASH, 0, 0);
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

Now that we can pass 7 parameters, do not encode register
operands within simd_data.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20200507172352.15418-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sve.h    |  45 +++++++----
 target/arm/sve_helper.c    | 157 ++++++++++++++-----------------------
 target/arm/translate-sve.c |  70 ++++++-----------
 3 files changed, 114 insertions(+), 158 deletions(-)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(sve_fcadd_s, TCG_CALL_NO_RWG,
 DEF_HELPER_FLAGS_6(sve_fcadd_d, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, ptr, i32)
 
-DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmla_zpzzz_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 
-DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fmls_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fmls_zpzzz_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 
-DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fnmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmla_zpzzz_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 
-DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fnmls_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fnmls_zpzzz_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 
-DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_h, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_s, TCG_CALL_NO_RWG, void, env, ptr, i32)
-DEF_HELPER_FLAGS_3(sve_fcmla_zpzzz_d, TCG_CALL_NO_RWG, void, env, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_7(sve_fcmla_zpzzz_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_5(sve_ftmad_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_5(sve_ftmad_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_FP(sve_ucvt_dd, uint64_t,     , uint64_to_float64)
 
 #undef DO_ZPZ_FP
 
-/* 4-operand predicated multiply-add.  This requires 7 operands to pass
- * "properly", so we need to encode some of the registers into DESC.
- */
-QEMU_BUILD_BUG_ON(SIMD_DATA_SHIFT + 20 > 32);
-
-static void do_fmla_zpzzz_h(CPUARMState *env, void *vg, uint32_t desc,
+static void do_fmla_zpzzz_h(void *vd, void *vn, void *vm, void *va, void *vg,
+                            float_status *status, uint32_t desc,
                             uint16_t neg1, uint16_t neg3)
 {
     intptr_t i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_h(CPUARMState *env, void *vg, uint32_t desc,
                 e1 = *(uint16_t *)(vn + H1_2(i)) ^ neg1;
                 e2 = *(uint16_t *)(vm + H1_2(i));
                 e3 = *(uint16_t *)(va + H1_2(i)) ^ neg3;
-                r = float16_muladd(e1, e2, e3, 0, &env->vfp.fp_status_f16);
+                r = float16_muladd(e1, e2, e3, 0, status);
                 *(uint16_t *)(vd + H1_2(i)) = r;
             }
         } while (i & 63);
     } while (i != 0);
 }
 
-void HELPER(sve_fmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_h(env, vg, desc, 0, 0);
+    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0, 0);
 }
 
-void HELPER(sve_fmls_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmls_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_h(env, vg, desc, 0x8000, 0);
+    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0x8000, 0);
 }
 
-void HELPER(sve_fnmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_h(env, vg, desc, 0x8000, 0x8000);
+    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0x8000, 0x8000);
 }
 
-void HELPER(sve_fnmls_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmls_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_h(env, vg, desc, 0, 0x8000);
+    do_fmla_zpzzz_h(vd, vn, vm, va, vg, status, desc, 0, 0x8000);
 }
 
-static void do_fmla_zpzzz_s(CPUARMState *env, void *vg, uint32_t desc,
+static void do_fmla_zpzzz_s(void *vd, void *vn, void *vm, void *va, void *vg,
+                            float_status *status, uint32_t desc,
                             uint32_t neg1, uint32_t neg3)
 {
     intptr_t i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_s(CPUARMState *env, void *vg, uint32_t desc,
                 e1 = *(uint32_t *)(vn + H1_4(i)) ^ neg1;
                 e2 = *(uint32_t *)(vm + H1_4(i));
                 e3 = *(uint32_t *)(va + H1_4(i)) ^ neg3;
-                r = float32_muladd(e1, e2, e3, 0, &env->vfp.fp_status);
+                r = float32_muladd(e1, e2, e3, 0, status);
                 *(uint32_t *)(vd + H1_4(i)) = r;
             }
         } while (i & 63);
     } while (i != 0);
 }
 
-void HELPER(sve_fmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_s(env, vg, desc, 0, 0);
+    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0, 0);
 }
 
-void HELPER(sve_fmls_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmls_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_s(env, vg, desc, 0x80000000, 0);
+    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0x80000000, 0);
 }
 
-void HELPER(sve_fnmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_s(env, vg, desc, 0x80000000, 0x80000000);
+    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0x80000000, 0x80000000);
 }
 
-void HELPER(sve_fnmls_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmls_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_s(env, vg, desc, 0, 0x80000000);
+    do_fmla_zpzzz_s(vd, vn, vm, va, vg, status, desc, 0, 0x80000000);
 }
 
-static void do_fmla_zpzzz_d(CPUARMState *env, void *vg, uint32_t desc,
+static void do_fmla_zpzzz_d(void *vd, void *vn, void *vm, void *va, void *vg,
+                            float_status *status, uint32_t desc,
                             uint64_t neg1, uint64_t neg3)
 {
     intptr_t i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     do {
@@ -XXX,XX +XXX,XX @@ static void do_fmla_zpzzz_d(CPUARMState *env, void *vg, uint32_t desc,
                 e1 = *(uint64_t *)(vn + i) ^ neg1;
                 e2 = *(uint64_t *)(vm + i);
                 e3 = *(uint64_t *)(va + i) ^ neg3;
-                r = float64_muladd(e1, e2, e3, 0, &env->vfp.fp_status);
+                r = float64_muladd(e1, e2, e3, 0, status);
                 *(uint64_t *)(vd + i) = r;
             }
         } while (i & 63);
     } while (i != 0);
 }
 
-void HELPER(sve_fmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_d(env, vg, desc, 0, 0);
+    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, 0, 0);
 }
 
-void HELPER(sve_fmls_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fmls_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
+                              void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_d(env, vg, desc, INT64_MIN, 0);
+    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, INT64_MIN, 0);
 }
 
-void HELPER(sve_fnmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_d(env, vg, desc, INT64_MIN, INT64_MIN);
+    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, INT64_MIN, INT64_MIN);
 }
 
-void HELPER(sve_fnmls_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fnmls_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
-    do_fmla_zpzzz_d(env, vg, desc, 0, INT64_MIN);
+    do_fmla_zpzzz_d(vd, vn, vm, va, vg, status, desc, 0, INT64_MIN);
 }
 
 /* Two operand floating-point comparison controlled by a predicate.
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcadd_d)(void *vd, void *vn, void *vm, void *vg,
  * FP Complex Multiply
  */
 
-QEMU_BUILD_BUG_ON(SIMD_DATA_SHIFT + 22 > 32);
-
-void HELPER(sve_fcmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fcmla_zpzzz_h)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
     intptr_t j, i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
+    unsigned rot = simd_data(desc);
     bool flip = rot & 1;
     float16 neg_imag, neg_real;
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     neg_imag = float16_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_h)(CPUARMState *env, void *vg, uint32_t desc)
 
             if (likely((pg >> (i & 63)) & 1)) {
                 d = *(float16 *)(va + H1_2(i));
-                d = float16_muladd(e2, e1, d, 0, &env->vfp.fp_status_f16);
+                d = float16_muladd(e2, e1, d, 0, status);
                 *(float16 *)(vd + H1_2(i)) = d;
             }
             if (likely((pg >> (j & 63)) & 1)) {
                 d = *(float16 *)(va + H1_2(j));
-                d = float16_muladd(e4, e3, d, 0, &env->vfp.fp_status_f16);
+                d = float16_muladd(e4, e3, d, 0, status);
                 *(float16 *)(vd + H1_2(j)) = d;
             }
         } while (i & 63);
     } while (i != 0);
 }
 
-void HELPER(sve_fcmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fcmla_zpzzz_s)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
     intptr_t j, i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
+    unsigned rot = simd_data(desc);
     bool flip = rot & 1;
     float32 neg_imag, neg_real;
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     neg_imag = float32_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_s)(CPUARMState *env, void *vg, uint32_t desc)
 
             if (likely((pg >> (i & 63)) & 1)) {
                 d = *(float32 *)(va + H1_2(i));
-                d = float32_muladd(e2, e1, d, 0, &env->vfp.fp_status);
+                d = float32_muladd(e2, e1, d, 0, status);
                 *(float32 *)(vd + H1_2(i)) = d;
             }
             if (likely((pg >> (j & 63)) & 1)) {
                 d = *(float32 *)(va + H1_2(j));
-                d = float32_muladd(e4, e3, d, 0, &env->vfp.fp_status);
+                d = float32_muladd(e4, e3, d, 0, status);
                 *(float32 *)(vd + H1_2(j)) = d;
             }
         } while (i & 63);
     } while (i != 0);
 }
 
-void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
+void HELPER(sve_fcmla_zpzzz_d)(void *vd, void *vn, void *vm, void *va,
+                               void *vg, void *status, uint32_t desc)
 {
     intptr_t j, i = simd_oprsz(desc);
-    unsigned rd = extract32(desc, SIMD_DATA_SHIFT, 5);
-    unsigned rn = extract32(desc, SIMD_DATA_SHIFT + 5, 5);
-    unsigned rm = extract32(desc, SIMD_DATA_SHIFT + 10, 5);
-    unsigned ra = extract32(desc, SIMD_DATA_SHIFT + 15, 5);
-    unsigned rot = extract32(desc, SIMD_DATA_SHIFT + 20, 2);
+    unsigned rot = simd_data(desc);
     bool flip = rot & 1;
     float64 neg_imag, neg_real;
-    void *vd = &env->vfp.zregs[rd];
-    void *vn = &env->vfp.zregs[rn];
-    void *vm = &env->vfp.zregs[rm];
-    void *va = &env->vfp.zregs[ra];
     uint64_t *g = vg;
 
     neg_imag = float64_set_sign(0, (rot & 2) != 0);
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_fcmla_zpzzz_d)(CPUARMState *env, void *vg, uint32_t desc)
 
             if (likely((pg >> (i & 63)) & 1)) {
                 d = *(float64 *)(va + H1_2(i));
-                d = float64_muladd(e2, e1, d, 0, &env->vfp.fp_status);
+                d = float64_muladd(e2, e1, d, 0, status);
                 *(float64 *)(vd + H1_2(i)) = d;
             }
             if (likely((pg >> (j & 63)) & 1)) {
                 d = *(float64 *)(va + H1_2(j));
-                d = float64_muladd(e4, e3, d, 0, &env->vfp.fp_status);
+                d = float64_muladd(e4, e3, d, 0, status);
                 *(float64 *)(vd + H1_2(j)) = d;
             }
         } while (i & 63);
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_FCADD(DisasContext *s, arg_FCADD *a)
     return true;
 }
 
-typedef void gen_helper_sve_fmla(TCGv_env, TCGv_ptr, TCGv_i32);
-
-static bool do_fmla(DisasContext *s, arg_rprrr_esz *a, gen_helper_sve_fmla *fn)
+static bool do_fmla(DisasContext *s, arg_rprrr_esz *a,
+                    gen_helper_gvec_5_ptr *fn)
 {
-    if (fn == NULL) {
+    if (a->esz == 0) {
         return false;
     }
-    if (!sve_access_check(s)) {
-        return true;
+    if (sve_access_check(s)) {
+        unsigned vsz = vec_full_reg_size(s);
+        TCGv_ptr status = get_fpstatus_ptr(a->esz == MO_16);
+        tcg_gen_gvec_5_ptr(vec_full_reg_offset(s, a->rd),
+                           vec_full_reg_offset(s, a->rn),
+                           vec_full_reg_offset(s, a->rm),
+                           vec_full_reg_offset(s, a->ra),
+                           pred_full_reg_offset(s, a->pg),
+                           status, vsz, vsz, 0, fn);
+        tcg_temp_free_ptr(status);
     }
-
-    unsigned vsz = vec_full_reg_size(s);
-    unsigned desc;
-    TCGv_i32 t_desc;
-    TCGv_ptr pg = tcg_temp_new_ptr();
-
-    /* We would need 7 operands to pass these arguments "properly".
-     * So we encode all the register numbers into the descriptor.
-     */
-    desc = deposit32(a->rd, 5, 5, a->rn);
-    desc = deposit32(desc, 10, 5, a->rm);
-    desc = deposit32(desc, 15, 5, a->ra);
-    desc = simd_desc(vsz, vsz, desc);
-
-    t_desc = tcg_const_i32(desc);
-    tcg_gen_addi_ptr(pg, cpu_env, pred_full_reg_offset(s, a->pg));
-    fn(cpu_env, pg, t_desc);
-    tcg_temp_free_i32(t_desc);
-    tcg_temp_free_ptr(pg);
     return true;
 }
 
 #define DO_FMLA(NAME, name) \
 static bool trans_##NAME(DisasContext *s, arg_rprrr_esz *a)          \
 {                                                                    \
-    static gen_helper_sve_fmla * const fns[4] = {                    \
+    static gen_helper_gvec_5_ptr * const fns[4] = {                  \
         NULL, gen_helper_sve_##name##_h,                             \
         gen_helper_sve_##name##_s, gen_helper_sve_##name##_d         \
     };                                                               \
@@ -XXX,XX +XXX,XX @@ DO_FMLA(FNMLS_zpzzz, fnmls_zpzzz)
 
 static bool trans_FCMLA_zpzzz(DisasContext *s, arg_FCMLA_zpzzz *a)
 {
-    static gen_helper_sve_fmla * const fns[3] = {
+    static gen_helper_gvec_5_ptr * const fns[4] = {
+        NULL,
         gen_helper_sve_fcmla_zpzzz_h,
         gen_helper_sve_fcmla_zpzzz_s,
         gen_helper_sve_fcmla_zpzzz_d,
@@ -XXX,XX +XXX,XX @@ static bool trans_FCMLA_zpzzz(DisasContext *s, arg_FCMLA_zpzzz *a)
     }
     if (sve_access_check(s)) {
         unsigned vsz = vec_full_reg_size(s);
-        unsigned desc;
-        TCGv_i32 t_desc;
-        TCGv_ptr pg = tcg_temp_new_ptr();
-
-        /* We would need 7 operands to pass these arguments "properly".
-         * So we encode all the register numbers into the descriptor.
-         */
-        desc = deposit32(a->rd, 5, 5, a->rn);
-        desc = deposit32(desc, 10, 5, a->rm);
-        desc = deposit32(desc, 15, 5, a->ra);
-        desc = deposit32(desc, 20, 2, a->rot);
-        desc = sextract32(desc, 0, 22);
-        desc = simd_desc(vsz, vsz, desc);
-
-        t_desc = tcg_const_i32(desc);
-        tcg_gen_addi_ptr(pg, cpu_env, pred_full_reg_offset(s, a->pg));
-        fns[a->esz - 1](cpu_env, pg, t_desc);
-        tcg_temp_free_i32(t_desc);
-        tcg_temp_free_ptr(pg);
+        TCGv_ptr status = get_fpstatus_ptr(a->esz == MO_16);
+        tcg_gen_gvec_5_ptr(vec_full_reg_offset(s, a->rd),
+                           vec_full_reg_offset(s, a->rn),
+                           vec_full_reg_offset(s, a->rm),
+                           vec_full_reg_offset(s, a->ra),
+                           pred_full_reg_offset(s, a->pg),
+                           status, vsz, vsz, a->rot, fns[a->esz]);
+        tcg_temp_free_ptr(status);
     }
     return true;
 }
-- 
2.20.1

From: Richard Henderson <richard.henderson@linaro.org>

DUP (indexed) can duplicate 128-bit elements, so using esz
unconditionally can assert in tcg_gen_gvec_dup_imm.

Fixes: 8711e71f9cbb
Reported-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Tested-by: Laurent Desnogues <laurent.desnogues@gmail.com>
Message-id: 20200507172352.15418-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-sve.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_x(DisasContext *s, arg_DUP_x *a)
             unsigned nofs = vec_reg_offset(s, a->rn, index, esz);
             tcg_gen_gvec_dup_mem(esz, dofs, nofs, vsz, vsz);
         } else {
-            tcg_gen_gvec_dup_imm(esz, dofs, vsz, vsz, 0);
+            /*
+             * While dup_mem handles 128-bit elements, dup_imm does not.
+             * Thankfully element size doesn't matter for splatting zero.
+             */
+            tcg_gen_gvec_dup_imm(MO_64, dofs, vsz, vsz, 0);
         }
     }
     return true;
-- 
2.20.1

Hi; here's the first target-arm pullreq for the 7.0 cycle.

thanks
-- PMM

The following changes since commit 76b56fdfc9fa43ec6e5986aee33f108c6c6a511e:

Merge tag 'block-pull-request' of https://gitlab.com/stefanha/qemu into staging (2021-12-14 12:46:18 -0800)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20211215

for you to fetch changes up to aed176558806674d030a8305d989d4e6a5073359:

tests/acpi: add expected blob for VIOT test on virt machine (2021-12-15 10:35:26 +0000)

----------------------------------------------------------------
target-arm queue:
 * ITS: error reporting cleanup
 * aspeed: improve documentation
 * Fix STM32F2XX USART data register readout
 * allow emulated GICv3 to be disabled in non-TCG builds
 * fix exception priority for singlestep, misaligned PC, bp, etc
 * Correct calculation of tlb range invalidate length
 * npcm7xx_emc: fix missing queue_flush
 * virt: Add VIOT ACPI table for virtio-iommu
 * target/i386: Use assert() to sanity-check b1 in SSE decode
 * Don't include qemu-common unnecessarily

----------------------------------------------------------------
Alex Bennée (1):
      hw/intc: clean-up error reporting for failed ITS cmd

Jean-Philippe Brucker (8):
      hw/arm/virt-acpi-build: Add VIOT table for virtio-iommu
      hw/arm/virt: Remove device tree restriction for virtio-iommu
      hw/arm/virt: Reject instantiation of multiple IOMMUs
      hw/arm/virt: Use object_property_set instead of qdev_prop_set
      tests/acpi: allow updates of VIOT expected data files
      tests/acpi: add test case for VIOT
      tests/acpi: add expected blobs for VIOT test on q35 machine
      tests/acpi: add expected blob for VIOT test on virt machine

Joel Stanley (4):
      docs: aspeed: Add new boards
      docs: aspeed: Update OpenBMC image URL
      docs: aspeed: Give an example of booting a kernel
      docs: aspeed: ADC is now modelled

Olivier Hériveaux (1):
      Fix STM32F2XX USART data register readout

Patrick Venture (1):
      hw/net: npcm7xx_emc fix missing queue_flush

Peter Maydell (6):
      target/i386: Use assert() to sanity-check b1 in SSE decode
      include/hw/i386: Don't include qemu-common.h in .h files
      target/hexagon/cpu.h: don't include qemu-common.h
      target/rx/cpu.h: Don't include qemu-common.h
      hw/arm: Don't include qemu-common.h unnecessarily
      target/arm: Correct calculation of tlb range invalidate length

Philippe Mathieu-Daudé (2):
      hw/intc/arm_gicv3: Extract gicv3_set_gicv3state from arm_gicv3_cpuif.c
      hw/intc/arm_gicv3: Introduce CONFIG_ARM_GIC_TCG Kconfig selector

Richard Henderson (10):
      target/arm: Hoist pc_next to a local variable in aarch64_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in arm_tr_translate_insn
      target/arm: Hoist pc_next to a local variable in thumb_tr_translate_insn
      target/arm: Split arm_pre_translate_insn
      target/arm: Advance pc for arch single-step exception
      target/arm: Split compute_fsr_fsc out of arm_deliver_fault
      target/arm: Take an exception if PC is misaligned
      target/arm: Assert thumb pc is aligned
      target/arm: Suppress bp for exceptions with more priority
      tests/tcg: Add arm and aarch64 pc alignment tests

docs/system/arm/aspeed.rst        |  26 ++++++++++++----
 include/hw/i386/microvm.h         |   1 -
 include/hw/i386/x86.h             |   1 -
 target/arm/helper.h               |   1 +
 target/arm/syndrome.h             |   5 +++
 target/hexagon/cpu.h              |   1 -
 target/rx/cpu.h                   |   1 -
 hw/arm/boot.c                     |   1 -
 hw/arm/digic_boards.c             |   1 -
 hw/arm/highbank.c                 |   1 -
 hw/arm/npcm7xx_boards.c           |   1 -
 hw/arm/sbsa-ref.c                 |   1 -
 hw/arm/stm32f405_soc.c            |   1 -
 hw/arm/vexpress.c                 |   1 -
 hw/arm/virt-acpi-build.c          |   7 +++++
 hw/arm/virt.c                     |  21 ++++++-------
 hw/char/stm32f2xx_usart.c         |   3 +-
 hw/intc/arm_gicv3.c               |   2 +-
 hw/intc/arm_gicv3_cpuif.c         |  10 +-----
 hw/intc/arm_gicv3_cpuif_common.c  |  22 +++++++++++++
 hw/intc/arm_gicv3_its.c           |  39 +++++++++++++++--------
 hw/net/npcm7xx_emc.c              |  18 +++++------
 hw/virtio/virtio-iommu-pci.c      |  12 ++------
 linux-user/aarch64/cpu_loop.c     |  46 ++++++++++++++++------------
 linux-user/hexagon/cpu_loop.c     |   1 +
 target/arm/debug_helper.c         |  23 ++++++++++++++
 target/arm/gdbstub.c              |   9 ++++--
 target/arm/helper.c               |   6 ++--
 target/arm/machine.c              |  10 ++++++
 target/arm/tlb_helper.c           |  63 ++++++++++++++++++++++++++++----------
 target/arm/translate-a64.c        |  23 ++++++++++++--
 target/arm/translate.c            |  58 ++++++++++++++++++++++++++---------
 target/i386/tcg/translate.c       |  12 ++------
 tests/qtest/bios-tables-test.c    |  38 +++++++++++++++++++++++
 tests/tcg/aarch64/pcalign-a64.c   |  37 ++++++++++++++++++++++
 tests/tcg/arm/pcalign-a32.c       |  46 ++++++++++++++++++++++++++++
 hw/arm/Kconfig                    |   1 +
 hw/intc/Kconfig                   |   5 +++
 hw/intc/meson.build               |  11 ++++---
 tests/data/acpi/q35/DSDT.viot     | Bin 0 -> 9398 bytes
 tests/data/acpi/q35/VIOT.viot     | Bin 0 -> 112 bytes
 tests/data/acpi/virt/VIOT         | Bin 0 -> 88 bytes
 tests/tcg/aarch64/Makefile.target |   4 +--
 tests/tcg/arm/Makefile.target     |   4 +++
 44 files changed, 429 insertions(+), 145 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c
 create mode 100644 tests/data/acpi/q35/DSDT.viot
 create mode 100644 tests/data/acpi/q35/VIOT.viot
 create mode 100644 tests/data/acpi/virt/VIOT

From: Alex Bennée <alex.bennee@linaro.org>

While trying to debug a GIC ITS failure I saw some guest errors that
had poor formatting as well as leaving me confused as to what failed.
As most of the checks aren't possible without a valid dte split that
check apart and then check the other conditions in steps. This avoids
us relying on undefined data.

I still get a failure with the current kvm-unit-tests but at least I
know (partially) why now:

Exception return from AArch64 EL1 to AArch64 EL1 PC 0x40080588
  PASS: gicv3: its-trigger: inv/invall: dev2/eventid=20 now triggers an LPI
  ITS: MAPD devid=2 size = 0x8 itt=0x40430000 valid=0
  INT dev_id=2 event_id=20
  process_its_cmd: invalid command attributes: invalid dte: 0 for 2 (MEM_TX: 0)
  PASS: gicv3: its-trigger: mapd valid=false: no LPI after device unmap
  SUMMARY: 6 tests, 1 unexpected failures

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211112170454.3158925-1-alex.bennee@linaro.org
Cc: Shashi Mallela <shashi.mallela@linaro.org>
Cc: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_its.c | 39 +++++++++++++++++++++++++++------------
 1 file changed, 27 insertions(+), 12 deletions(-)

diff --git a/hw/intc/arm_gicv3_its.c b/hw/intc/arm_gicv3_its.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_its.c
+++ b/hw/intc/arm_gicv3_its.c
@@ -XXX,XX +XXX,XX @@ static bool process_its_cmd(GICv3ITSState *s, uint64_t value, uint32_t offset,
         if (res != MEMTX_OK) {
             return result;
         }
+    } else {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "invalid dte: %"PRIx64" for %d (MEM_TX: %d)\n",
+                      __func__, dte, devid, res);
+        return result;
     }
 
-    if ((devid > s->dt.maxids.max_devids) || !dte_valid || !ite_valid ||
-            !cte_valid || (eventid > max_eventid)) {
+
+    /*
+     * In this implementation, in case of guest errors we ignore the
+     * command and move onto the next command in the queue.
+     */
+    if (devid > s->dt.maxids.max_devids) {
         qemu_log_mask(LOG_GUEST_ERROR,
-                      "%s: invalid command attributes "
-                      "devid %d or eventid %d or invalid dte %d or"
-                      "invalid cte %d or invalid ite %d\n",
-                      __func__, devid, eventid, dte_valid, cte_valid,
-                      ite_valid);
-        /*
-         * in this implementation, in case of error
-         * we ignore this command and move onto the next
-         * command in the queue
-         */
+                      "%s: invalid command attributes: devid %d>%d",
+                      __func__, devid, s->dt.maxids.max_devids);
+
+    } else if (!dte_valid || !ite_valid || !cte_valid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: "
+                      "dte: %s, ite: %s, cte: %s\n",
+                      __func__,
+                      dte_valid ? "valid" : "invalid",
+                      ite_valid ? "valid" : "invalid",
+                      cte_valid ? "valid" : "invalid");
+    } else if (eventid > max_eventid) {
+        qemu_log_mask(LOG_GUEST_ERROR,
+                      "%s: invalid command attributes: eventid %d > %d\n",
+                      __func__, eventid, max_eventid);
     } else {
         /*
          * Current implementation only supports rdbase == procnum
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

Add X11, FP5280G2, G220A, Rainier and Fuji. Mention that Swift will be
removed in v7.0.

Signed-off-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Cédric Le Goater <clg@kaod.org>
Message-id: 20211117065752.330632-2-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ AST2400 SoC based machines :
 
 - ``palmetto-bmc``         OpenPOWER Palmetto POWER8 BMC
 - ``quanta-q71l-bmc``      OpenBMC Quanta BMC
+- ``supermicrox11-bmc``    Supermicro X11 BMC
 
 AST2500 SoC based machines :
 
@@ -XXX,XX +XXX,XX @@ AST2500 SoC based machines :
 - ``romulus-bmc``          OpenPOWER Romulus POWER9 BMC
 - ``witherspoon-bmc``      OpenPOWER Witherspoon POWER9 BMC
 - ``sonorapass-bmc``       OCP SonoraPass BMC
-- ``swift-bmc``            OpenPOWER Swift BMC POWER9
+- ``swift-bmc``            OpenPOWER Swift BMC POWER9 (to be removed in v7.0)
+- ``fp5280g2-bmc``         Inspur FP5280G2 BMC
+- ``g220a-bmc``            Bytedance G220A BMC
 
 AST2600 SoC based machines :
 
 - ``ast2600-evb``          Aspeed AST2600 Evaluation board (Cortex-A7)
 - ``tacoma-bmc``           OpenPOWER Witherspoon POWER9 AST2600 BMC
+- ``rainier-bmc``          IBM Rainier POWER10 BMC
+- ``fuji-bmc``             Facebook Fuji BMC
 
 Supported devices
 -----------------
-- 
2.25.1

From: Joel Stanley <joel@jms.id.au>

A common use case for the ASPEED machine is to boot a Linux kernel.
Provide a full example command line.

Reviewed-by: Cédric Le Goater <clg@kaod.org>
Signed-off-by: Joel Stanley <joel@jms.id.au>
Message-id: 20211117065752.330632-4-joel@jms.id.au
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/aspeed.rst | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/docs/system/arm/aspeed.rst b/docs/system/arm/aspeed.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/aspeed.rst
+++ b/docs/system/arm/aspeed.rst
@@ -XXX,XX +XXX,XX @@ Missing devices
 Boot options
 ------------
 
-The Aspeed machines can be started using the ``-kernel`` option to
-load a Linux kernel or from a firmware. Images can be downloaded from
-the OpenBMC jenkins :
+The Aspeed machines can be started using the ``-kernel`` and ``-dtb`` options
+to load a Linux kernel or from a firmware. Images can be downloaded from the
+OpenBMC jenkins :
 
    https://jenkins.openbmc.org/job/ci-openbmc/lastSuccessfulBuild/
 
@@ -XXX,XX +XXX,XX @@ or directly from the OpenBMC GitHub release repository :
 
    https://github.com/openbmc/openbmc/releases
 
+To boot a kernel directly from a Linux build tree:
+
+.. code-block:: bash
+
+  $ qemu-system-arm -M ast2600-evb -nographic \
+        -kernel arch/arm/boot/zImage \
+        -dtb arch/arm/boot/dts/aspeed-ast2600-evb.dtb \
+        -initrd rootfs.cpio
+
 The image should be attached as an MTD drive. Run :
 
 .. code-block:: bash
-- 
2.25.1

From: Olivier Hériveaux <olivier.heriveaux@ledger.fr>

Fix issue where the data register may be overwritten by next character
reception before being read and returned.

Signed-off-by: Olivier Hériveaux <olivier.heriveaux@ledger.fr>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Message-id: 20211128120723.4053-1-olivier.heriveaux@ledger.fr
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/char/stm32f2xx_usart.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/hw/char/stm32f2xx_usart.c b/hw/char/stm32f2xx_usart.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/char/stm32f2xx_usart.c
+++ b/hw/char/stm32f2xx_usart.c
@@ -XXX,XX +XXX,XX @@ static uint64_t stm32f2xx_usart_read(void *opaque, hwaddr addr,
         return retvalue;
     case USART_DR:
         DB_PRINT("Value: 0x%" PRIx32 ", %c\n", s->usart_dr, (char) s->usart_dr);
+        retvalue = s->usart_dr & 0x3FF;
         s->usart_sr &= ~USART_SR_RXNE;
         qemu_chr_fe_accept_input(&s->chr);
         qemu_set_irq(s->irq, 0);
-        return s->usart_dr & 0x3FF;
+        return retvalue;
     case USART_BRR:
         return s->usart_brr;
     case USART_CR1:
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

gicv3_set_gicv3state() is used by arm_gicv3_common.c in
arm_gicv3_common_realize(). Since we want to restrict
arm_gicv3_cpuif.c to TCG, extract gicv3_set_gicv3state()
to a new file. Add this file to the meson 'specific'
source set, since it needs access to "cpu.h".

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-2-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3_cpuif.c        | 10 +---------
 hw/intc/arm_gicv3_cpuif_common.c | 22 ++++++++++++++++++++++
 hw/intc/meson.build              |  1 +
 3 files changed, 24 insertions(+), 9 deletions(-)
 create mode 100644 hw/intc/arm_gicv3_cpuif_common.c

diff --git a/hw/intc/arm_gicv3_cpuif.c b/hw/intc/arm_gicv3_cpuif.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3_cpuif.c
+++ b/hw/intc/arm_gicv3_cpuif.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2016 Linaro Limited
  * Written by Peter Maydell
@@ -XXX,XX +XXX,XX @@
 #include "hw/irq.h"
 #include "cpu.h"
 
-void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
-{
-    ARMCPU *arm_cpu = ARM_CPU(cpu);
-    CPUARMState *env = &arm_cpu->env;
-
-    env->gicv3state = (void *)s;
-};
-
 static GICv3CPUState *icc_cs_from_env(CPUARMState *env)
 {
     return env->gicv3state;
diff --git a/hw/intc/arm_gicv3_cpuif_common.c b/hw/intc/arm_gicv3_cpuif_common.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/hw/intc/arm_gicv3_cpuif_common.c
@@ -XXX,XX +XXX,XX @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * ARM Generic Interrupt Controller v3
+ *
+ * Copyright (c) 2016 Linaro Limited
+ * Written by Peter Maydell
+ *
+ * This code is licensed under the GPL, version 2 or (at your option)
+ * any later version.
+ */
+
+#include "qemu/osdep.h"
+#include "gicv3_internal.h"
+#include "cpu.h"
+
+void gicv3_set_gicv3state(CPUState *cpu, GICv3CPUState *s)
+{
+    ARMCPU *arm_cpu = ARM_CPU(cpu);
+    CPUARMState *env = &arm_cpu->env;
+
+    env->gicv3state = (void *)s;
+};
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
-- 
2.25.1

From: Philippe Mathieu-Daudé <philmd@redhat.com>

The TYPE_ARM_GICV3 device is an emulated one.  When using
KVM, it is recommended to use the TYPE_KVM_ARM_GICV3 device
(which uses in-kernel support).

When using --with-devices-FOO, it is possible to build a
binary with a specific set of devices. When this binary is
restricted to KVM accelerator, the TYPE_ARM_GICV3 device is
irrelevant, and it is desirable to remove it from the binary.

Therefore introduce the CONFIG_ARM_GIC_TCG Kconfig selector
which select the files required to have the TYPE_ARM_GICV3
device, but also allowing to de-select this device.

Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20211115223619.2599282-3-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/intc/arm_gicv3.c |  2 +-
 hw/intc/Kconfig     |  5 +++++
 hw/intc/meson.build | 10 ++++++----
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/hw/intc/arm_gicv3.c b/hw/intc/arm_gicv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/arm_gicv3.c
+++ b/hw/intc/arm_gicv3.c
@@ -XXX,XX +XXX,XX @@
 /*
- * ARM Generic Interrupt Controller v3
+ * ARM Generic Interrupt Controller v3 (emulation)
  *
  * Copyright (c) 2015 Huawei.
  * Copyright (c) 2016 Linaro Limited
diff --git a/hw/intc/Kconfig b/hw/intc/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/Kconfig
+++ b/hw/intc/Kconfig
@@ -XXX,XX +XXX,XX @@ config APIC
     select MSI_NONBROKEN
     select I8259
 
+config ARM_GIC_TCG
+    bool
+    default y
+    depends on ARM_GIC && TCG
+
 config ARM_GIC_KVM
     bool
     default y
diff --git a/hw/intc/meson.build b/hw/intc/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/hw/intc/meson.build
+++ b/hw/intc/meson.build
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_ARM_GIC', if_true: files(
   'arm_gic.c',
   'arm_gic_common.c',
   'arm_gicv2m.c',
-  'arm_gicv3.c',
   'arm_gicv3_common.c',
-  'arm_gicv3_dist.c',
   'arm_gicv3_its_common.c',
-  'arm_gicv3_redist.c',
+))
+softmmu_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files(
+  'arm_gicv3.c',
+  'arm_gicv3_dist.c',
   'arm_gicv3_its.c',
+  'arm_gicv3_redist.c',
 ))
 softmmu_ss.add(when: 'CONFIG_ETRAXFS', if_true: files('etraxfs_pic.c'))
 softmmu_ss.add(when: 'CONFIG_HEATHROW_PIC', if_true: files('heathrow_pic.c'))
@@ -XXX,XX +XXX,XX @@ softmmu_ss.add(when: 'CONFIG_XLNX_ZYNQMP_PMU', if_true: files('xlnx-pmu-iomod-in
 specific_ss.add(when: 'CONFIG_ALLWINNER_A10_PIC', if_true: files('allwinner-a10-pic.c'))
 specific_ss.add(when: 'CONFIG_APIC', if_true: files('apic.c', 'apic_common.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif_common.c'))
-specific_ss.add(when: 'CONFIG_ARM_GIC', if_true: files('arm_gicv3_cpuif.c'))
+specific_ss.add(when: 'CONFIG_ARM_GIC_TCG', if_true: files('arm_gicv3_cpuif.c'))
 specific_ss.add(when: 'CONFIG_ARM_GIC_KVM', if_true: files('arm_gic_kvm.c'))
 specific_ss.add(when: ['CONFIG_ARM_GIC_KVM', 'TARGET_AARCH64'], if_true: files('arm_gicv3_kvm.c', 'arm_gicv3_its_kvm.c'))
 specific_ss.add(when: 'CONFIG_ARM_V7M', if_true: files('armv7m_nvic.c'))
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *s = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint64_t pc = s->base.pc_next;
     uint32_t insn;
 
     if (s->ss_active && !s->pstate_ss) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
-    s->pc_curr = s->base.pc_next;
-    insn = arm_ldl_code(env, &s->base, s->base.pc_next, s->sctlr_b);
+    s->pc_curr = pc;
+    insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
     s->insn = insn;
-    s->base.pc_next += 4;
+    s->base.pc_next = pc + 4;
 
     s->fp_access_checked = false;
     s->sve_access_checked = false;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
     if (arm_pre_translate_insn(dc)) {
-        dc->base.pc_next += 4;
+        dc->base.pc_next = pc + 4;
         return;
     }
 
-    dc->pc_curr = dc->base.pc_next;
-    insn = arm_ldl_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
+    dc->pc_curr = pc;
+    insn = arm_ldl_code(env, &dc->base, pc, dc->sctlr_b);
     dc->insn = insn;
-    dc->base.pc_next += 4;
+    dc->base.pc_next = pc + 4;
     disas_arm_insn(dc, insn);
 
     arm_post_translate_insn(dc);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUARMState *env = cpu->env_ptr;
+    uint32_t pc = dc->base.pc_next;
     uint32_t insn;
     bool is_16bit;
 
     if (arm_pre_translate_insn(dc)) {
-        dc->base.pc_next += 2;
+        dc->base.pc_next = pc + 2;
         return;
     }
 
-    dc->pc_curr = dc->base.pc_next;
-    insn = arm_lduw_code(env, &dc->base, dc->base.pc_next, dc->sctlr_b);
+    dc->pc_curr = pc;
+    insn = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
     is_16bit = thumb_insn_is_16bit(dc, dc->base.pc_next, insn);
-    dc->base.pc_next += 2;
+    pc += 2;
     if (!is_16bit) {
-        uint32_t insn2 = arm_lduw_code(env, &dc->base, dc->base.pc_next,
-                                       dc->sctlr_b);
-
+        uint32_t insn2 = arm_lduw_code(env, &dc->base, pc, dc->sctlr_b);
         insn = insn << 16 | insn2;
-        dc->base.pc_next += 2;
+        pc += 2;
     }
+    dc->base.pc_next = pc;
     dc->insn = insn;
 
     if (dc->pstate_il) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Create arm_check_ss_active and arm_check_kernelpage.

Reverse the order of the tests.  While it doesn't matter in practice,
because only user-only has a kernel page and user-only never sets
ss_active, ss_active has priority over execution exceptions and it
is best to keep them in the proper order.

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool arm_pre_translate_insn(DisasContext *dc)
+static bool arm_check_kernelpage(DisasContext *dc)
 {
 #ifdef CONFIG_USER_ONLY
     /* Intercept jump to the magic kernel page.  */
@@ -XXX,XX +XXX,XX @@ static bool arm_pre_translate_insn(DisasContext *dc)
         return true;
     }
 #endif
+    return false;
+}
 
+static bool arm_check_ss_active(DisasContext *dc)
+{
     if (dc->ss_active && !dc->pstate_ss) {
         /* Singlestep state is Active-pending.
          * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
-    if (arm_pre_translate_insn(dc)) {
+    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 4;
         return;
     }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t insn;
     bool is_16bit;
 
-    if (arm_pre_translate_insn(dc)) {
+    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 2;
         return;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We will reuse this section of arm_deliver_fault for
raising pc alignment faults.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/tlb_helper.c | 45 +++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
     return syn;
 }
 
-static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
-                                            MMUAccessType access_type,
-                                            int mmu_idx, ARMMMUFaultInfo *fi)
+static uint32_t compute_fsr_fsc(CPUARMState *env, ARMMMUFaultInfo *fi,
+                                int target_el, int mmu_idx, uint32_t *ret_fsc)
 {
-    CPUARMState *env = &cpu->env;
-    int target_el;
-    bool same_el;
-    uint32_t syn, exc, fsr, fsc;
     ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
-
-    target_el = exception_target_el(env);
-    if (fi->stage2) {
-        target_el = 2;
-        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
-        if (arm_is_secure_below_el3(env) && fi->s1ns) {
-            env->cp15.hpfar_el2 |= HPFAR_NS;
-        }
-    }
-    same_el = (arm_current_el(env) == target_el);
+    uint32_t fsr, fsc;
 
     if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
         arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
@@ -XXX,XX +XXX,XX @@ static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
         fsc = 0x3f;
     }
 
+    *ret_fsc = fsc;
+    return fsr;
+}
+
+static void QEMU_NORETURN arm_deliver_fault(ARMCPU *cpu, vaddr addr,
+                                            MMUAccessType access_type,
+                                            int mmu_idx, ARMMMUFaultInfo *fi)
+{
+    CPUARMState *env = &cpu->env;
+    int target_el;
+    bool same_el;
+    uint32_t syn, exc, fsr, fsc;
+
+    target_el = exception_target_el(env);
+    if (fi->stage2) {
+        target_el = 2;
+        env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
+        if (arm_is_secure_below_el3(env) && fi->s1ns) {
+            env->cp15.hpfar_el2 |= HPFAR_NS;
+        }
+    }
+    same_el = (arm_current_el(env) == target_el);
+
+    fsr = compute_fsr_fsc(env, fi, target_el, mmu_idx, &fsc);
+
     if (access_type == MMU_INST_FETCH) {
         syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
         exc = EXCP_PREFETCH_ABORT;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

For A64, any input to an indirect branch can cause this.

For A32, many indirect branch paths force the branch to be aligned,
but BXWritePC does not.  This includes the BX instruction but also
other interworking changes to PC.  Prior to v8, this case is UNDEFINED.
With v8, this is CONSTRAINED UNPREDICTABLE and may either raise an
exception or force align the PC.

We choose to raise an exception because we have the infrastructure,
it makes the generated code for gen_bx simpler, and it has the
possibility of catching more guest bugs.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h           |  1 +
 target/arm/syndrome.h         |  5 ++++
 linux-user/aarch64/cpu_loop.c | 46 ++++++++++++++++++++---------------
 target/arm/tlb_helper.c       | 18 ++++++++++++++
 target/arm/translate-a64.c    | 15 ++++++++++++
 target/arm/translate.c        | 22 ++++++++++++++++-
 6 files changed, 87 insertions(+), 20 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_3(sel_flags, TCG_CALL_NO_RWG_SE,
 DEF_HELPER_2(exception_internal, void, env, i32)
 DEF_HELPER_4(exception_with_syndrome, void, env, i32, i32, i32)
 DEF_HELPER_2(exception_bkpt_insn, void, env, i32)
+DEF_HELPER_2(exception_pc_alignment, noreturn, env, tl)
 DEF_HELPER_1(setend, void, env)
 DEF_HELPER_2(wfi, void, env, i32)
 DEF_HELPER_1(wfe, void, env)
diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_illegalstate(void)
     return (EC_ILLEGALSTATE << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 }
 
+static inline uint32_t syn_pcalignment(void)
+{
+    return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
+}
+
 #endif /* TARGET_ARM_SYNDROME_H */
diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
             break;
         case EXCP_PREFETCH_ABORT:
         case EXCP_DATA_ABORT:
-            /* We should only arrive here with EC in {DATAABORT, INSNABORT}. */
             ec = syn_get_ec(env->exception.syndrome);
-            assert(ec == EC_DATAABORT || ec == EC_INSNABORT);
-
-            /* Both EC have the same format for FSC, or close enough. */
-            fsc = extract32(env->exception.syndrome, 0, 6);
-            switch (fsc) {
-            case 0x04 ... 0x07: /* Translation fault, level {0-3} */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_MAPERR;
+            switch (ec) {
+            case EC_DATAABORT:
+            case EC_INSNABORT:
+                /* Both EC have the same format for FSC, or close enough. */
+                fsc = extract32(env->exception.syndrome, 0, 6);
+                switch (fsc) {
+                case 0x04 ... 0x07: /* Translation fault, level {0-3} */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_MAPERR;
+                    break;
+                case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
+                case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_ACCERR;
+                    break;
+                case 0x11: /* Synchronous Tag Check Fault */
+                    si_signo = TARGET_SIGSEGV;
+                    si_code = TARGET_SEGV_MTESERR;
+                    break;
+                case 0x21: /* Alignment fault */
+                    si_signo = TARGET_SIGBUS;
+                    si_code = TARGET_BUS_ADRALN;
+                    break;
+                default:
+                    g_assert_not_reached();
+                }
                 break;
-            case 0x09 ... 0x0b: /* Access flag fault, level {1-3} */
-            case 0x0d ... 0x0f: /* Permission fault, level {1-3} */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_ACCERR;
-                break;
-            case 0x11: /* Synchronous Tag Check Fault */
-                si_signo = TARGET_SIGSEGV;
-                si_code = TARGET_SEGV_MTESERR;
-                break;
-            case 0x21: /* Alignment fault */
+            case EC_PCALIGNMENT:
                 si_signo = TARGET_SIGBUS;
                 si_code = TARGET_BUS_ADRALN;
                 break;
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 #include "internals.h"
 #include "exec/exec-all.h"
+#include "exec/helper-proto.h"
 
 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
                                             unsigned int target_el,
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
     arm_deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
 }
 
+void helper_exception_pc_alignment(CPUARMState *env, target_ulong pc)
+{
+    ARMMMUFaultInfo fi = { .type = ARMFault_Alignment };
+    int target_el = exception_target_el(env);
+    int mmu_idx = cpu_mmu_index(env, true);
+    uint32_t fsc;
+
+    env->exception.vaddress = pc;
+
+    /*
+     * Note that the fsc is not applicable to this exception,
+     * since any syndrome is pcalignment not insn_abort.
+     */
+    env->exception.fsr = compute_fsr_fsc(env, &fi, target_el, mmu_idx, &fsc);
+    raise_exception(env, EXCP_PREFETCH_ABORT, syn_pcalignment(), target_el);
+}
+
 #if !defined(CONFIG_USER_ONLY)
 
 /*
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint64_t pc = s->base.pc_next;
     uint32_t insn;
 
+    /* Singlestep exceptions have the highest priority. */
     if (s->ss_active && !s->pstate_ss) {
         /* Singlestep state is Active-pending.
          * If we're in this state at the start of a TB then either
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         return;
     }
 
+    if (pc & 3) {
+        /*
+         * PC alignment fault.  This has priority over the instruction abort
+         * that we would receive from a translation fault via arm_ldl_code.
+         * This should only be possible after an indirect branch, at the
+         * start of the TB.
+         */
+        assert(s->base.num_insns == 1);
+        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
+        s->base.is_jmp = DISAS_NORETURN;
+        s->base.pc_next = QEMU_ALIGN_UP(pc, 4);
+        return;
+    }
+
     s->pc_curr = pc;
     insn = arm_ldl_code(env, &s->base, pc, s->sctlr_b);
     s->insn = insn;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t pc = dc->base.pc_next;
     unsigned int insn;
 
-    if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
+    /* Singlestep exceptions have the highest priority. */
+    if (arm_check_ss_active(dc)) {
+        dc->base.pc_next = pc + 4;
+        return;
+    }
+
+    if (pc & 3) {
+        /*
+         * PC alignment fault.  This has priority over the instruction abort
+         * that we would receive from a translation fault via arm_ldl_code
+         * (or the execution of the kernelpage entrypoint). This should only
+         * be possible after an indirect branch, at the start of the TB.
+         */
+        assert(dc->base.num_insns == 1);
+        gen_helper_exception_pc_alignment(cpu_env, tcg_constant_tl(pc));
+        dc->base.is_jmp = DISAS_NORETURN;
+        dc->base.pc_next = QEMU_ALIGN_UP(pc, 4);
+        return;
+    }
+
+    if (arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 4;
         return;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Misaligned thumb PC is architecturally impossible.
Assert is better than proceeding, in case we've missed
something somewhere.

Expand a comment about aligning the pc in gdbstub.
Fail an incoming migrate if a thumb pc is misaligned.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gdbstub.c   |  9 +++++++--
 target/arm/machine.c   | 10 ++++++++++
 target/arm/translate.c |  3 +++
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/target/arm/gdbstub.c b/target/arm/gdbstub.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gdbstub.c
+++ b/target/arm/gdbstub.c
@@ -XXX,XX +XXX,XX @@ int arm_cpu_gdb_write_register(CPUState *cs, uint8_t *mem_buf, int n)
 
     tmp = ldl_p(mem_buf);
 
-    /* Mask out low bit of PC to workaround gdb bugs.  This will probably
-       cause problems if we ever implement the Jazelle DBX extensions.  */
+    /*
+     * Mask out low bits of PC to workaround gdb bugs.
+     * This avoids an assert in thumb_tr_translate_insn, because it is
+     * architecturally impossible to misalign the pc.
+     * This will probably cause problems if we ever implement the
+     * Jazelle DBX extensions.
+     */
     if (n == 15) {
         tmp &= ~1;
     }
diff --git a/target/arm/machine.c b/target/arm/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/machine.c
+++ b/target/arm/machine.c
@@ -XXX,XX +XXX,XX @@ static int cpu_post_load(void *opaque, int version_id)
             return -1;
         }
     }
+
+    /*
+     * Misaligned thumb pc is architecturally impossible.
+     * We have an assert in thumb_tr_translate_insn to verify this.
+     * Fail an incoming migrate to avoid this assert.
+     */
+    if (!is_a64(env) && env->thumb && (env->regs[15] & 1)) {
+        return -1;
+    }
+
     if (!kvm_enabled()) {
         pmu_op_finish(&cpu->env);
     }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t insn;
     bool is_16bit;
 
+    /* Misaligned thumb PC is architecturally impossible. */
+    assert((dc->base.pc_next & 1) == 0);
+
     if (arm_check_ss_active(dc) || arm_check_kernelpage(dc)) {
         dc->base.pc_next = pc + 2;
         return;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Both single-step and pc alignment faults have priority over
breakpoint exceptions.

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
 {
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
+    target_ulong pc;
     int n;
 
     /*
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
         return false;
     }
 
+    /*
+     * Single-step exceptions have priority over breakpoint exceptions.
+     * If single-step state is active-pending, suppress the bp.
+     */
+    if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
+        return false;
+    }
+
+    /*
+     * PC alignment faults have priority over breakpoint exceptions.
+     */
+    pc = is_a64(env) ? env->pc : env->regs[15];
+    if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
+        return false;
+    }
+
+    /*
+     * Instruction aborts have priority over breakpoint exceptions.
+     * TODO: We would need to look up the page for PC and verify that
+     * it is present and executable.
+     */
+
     for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
         if (bp_wp_matches(cpu, n, false)) {
             return true;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/tcg/aarch64/pcalign-a64.c   | 37 +++++++++++++++++++++++++
 tests/tcg/arm/pcalign-a32.c       | 46 +++++++++++++++++++++++++++++++
 tests/tcg/aarch64/Makefile.target |  4 +--
 tests/tcg/arm/Makefile.target     |  4 +++
 4 files changed, 89 insertions(+), 2 deletions(-)
 create mode 100644 tests/tcg/aarch64/pcalign-a64.c
 create mode 100644 tests/tcg/arm/pcalign-a32.c

diff --git a/tests/tcg/aarch64/pcalign-a64.c b/tests/tcg/aarch64/pcalign-a64.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/aarch64/pcalign-a64.c
@@ -XXX,XX +XXX,XX @@
+/* Test PC misalignment exception */
+
+#include <assert.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+    assert(info->si_code == BUS_ADRALN);
+    assert(info->si_addr == expected);
+    exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+    void *tmp;
+
+    struct sigaction sa = {
+        .sa_sigaction = sigbus,
+        .sa_flags = SA_SIGINFO
+    };
+
+    if (sigaction(SIGBUS, &sa, NULL) < 0) {
+        perror("sigaction");
+        return EXIT_FAILURE;
+    }
+
+    asm volatile("adr %0, 1f + 1\n\t"
+                 "str %0, %1\n\t"
+                 "br  %0\n"
+                 "1:"
+                 : "=&r"(tmp), "=m"(expected));
+    abort();
+}
diff --git a/tests/tcg/arm/pcalign-a32.c b/tests/tcg/arm/pcalign-a32.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/arm/pcalign-a32.c
@@ -XXX,XX +XXX,XX @@
+/* Test PC misalignment exception */
+
+#ifdef __thumb__
+#error "This test must be compiled for ARM"
+#endif
+
+#include <assert.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+static void *expected;
+
+static void sigbus(int sig, siginfo_t *info, void *vuc)
+{
+    assert(info->si_code == BUS_ADRALN);
+    assert(info->si_addr == expected);
+    exit(EXIT_SUCCESS);
+}
+
+int main()
+{
+    void *tmp;
+
+    struct sigaction sa = {
+        .sa_sigaction = sigbus,
+        .sa_flags = SA_SIGINFO
+    };
+
+    if (sigaction(SIGBUS, &sa, NULL) < 0) {
+        perror("sigaction");
+        return EXIT_FAILURE;
+    }
+
+    asm volatile("adr %0, 1f + 2\n\t"
+                 "str %0, %1\n\t"
+                 "bx  %0\n"
+                 "1:"
+                 : "=&r"(tmp), "=m"(expected));
+
+    /*
+     * From v8, it is CONSTRAINED UNPREDICTABLE whether BXWritePC aligns
+     * the address or not.  If so, we can legitimately fall through.
+     */
+    return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/aarch64/Makefile.target
+++ b/tests/tcg/aarch64/Makefile.target
@@ -XXX,XX +XXX,XX @@ VPATH 		+= $(ARM_SRC)
 AARCH64_SRC=$(SRC_PATH)/tests/tcg/aarch64
 VPATH 		+= $(AARCH64_SRC)
 
-# Float-convert Tests
-AARCH64_TESTS=fcvt
+# Base architecture tests
+AARCH64_TESTS=fcvt pcalign-a64
 
 fcvt: LDFLAGS+=-lm
 
diff --git a/tests/tcg/arm/Makefile.target b/tests/tcg/arm/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/arm/Makefile.target
+++ b/tests/tcg/arm/Makefile.target
@@ -XXX,XX +XXX,XX @@ run-fcvt: fcvt
 	$(call run-test,fcvt,$(QEMU) $<,"$< on $(TARGET_NAME)")
 	$(call diff-out,fcvt,$(ARM_SRC)/fcvt.ref)
 
+# PC alignment test
+ARM_TESTS += pcalign-a32
+pcalign-a32: CFLAGS+=-marm
+
 ifeq ($(CONFIG_ARM_COMPATIBLE_SEMIHOSTING),y)
 
 # Semihosting smoke test for linux-user
-- 
2.25.1

In the SSE decode function gen_sse(), we combine a byte
'b' and a value 'b1' which can be [0..3], and switch on them:
   b |= (b1 << 8);
   switch (b) {
   ...
   default:
   unknown_op:
       gen_unknown_opcode(env, s);
       return;
   }

In three cases inside this switch, we were then also checking for
 "if (b1 >= 2) { goto unknown_op; }".
However, this can never happen, because the 'case' values in each place
are 0x0nn or 0x1nn and the switch will have directed the b1 == (2, 3)
cases to the default already.

This check was added in commit c045af25a52e9 in 2010; the added code
was unnecessary then as well, and was apparently intended only to
ensure that we never accidentally ended up indexing off the end
of an sse_op_table with only 2 entries as a result of future bugs
in the decode logic.

Change the checks to assert() instead, and make sure they're always
immediately before the array access they are protecting.

Fixes: Coverity CID 1460207
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
         case 0x171: /* shift xmm, im */
         case 0x172:
         case 0x173:
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
             val = x86_ldub_code(env, s);
             if (is_xmm) {
                 tcg_gen_movi_tl(s->T0, val);
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
                                 offsetof(CPUX86State, mmx_t0.MMX_L(1)));
                 op1_offset = offsetof(CPUX86State,mmx_t0);
             }
+            assert(b1 < 2);
             sse_fn_epp = sse_op_table2[((b - 1) & 3) * 8 +
                                        (((modrm >> 3)) & 7)][b1];
             if (!sse_fn_epp) {
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
             rm = modrm & 7;
             reg = ((modrm >> 3) & 7) | REX_R(s);
             mod = (modrm >> 6) & 3;
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
 
+            assert(b1 < 2);
             sse_fn_epp = sse_op_table6[b].op[b1];
             if (!sse_fn_epp) {
                 goto unknown_op;
@@ -XXX,XX +XXX,XX @@ static void gen_sse(CPUX86State *env, DisasContext *s, int b,
             rm = modrm & 7;
             reg = ((modrm >> 3) & 7) | REX_R(s);
             mod = (modrm >> 6) & 3;
-            if (b1 >= 2) {
-                goto unknown_op;
-            }
 
+            assert(b1 < 2);
             sse_fn_eppi = sse_op_table7[b].op[b1];
             if (!sse_fn_eppi) {
                 goto unknown_op;
-- 
2.25.1

The qemu-common.h header is not supposed to be included from any
other header files, only from .c files (as documented in a comment at
the start of it).

include/hw/i386/x86.h and include/hw/i386/microvm.h break this rule.
In fact, the include is not required at all, so we can just drop it
from both files.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211129200510.1233037-2-peter.maydell@linaro.org
---
 include/hw/i386/microvm.h | 1 -
 include/hw/i386/x86.h     | 1 -
 2 files changed, 2 deletions(-)

diff --git a/include/hw/i386/microvm.h b/include/hw/i386/microvm.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/i386/microvm.h
+++ b/include/hw/i386/microvm.h
@@ -XXX,XX +XXX,XX @@
 #ifndef HW_I386_MICROVM_H
 #define HW_I386_MICROVM_H
 
-#include "qemu-common.h"
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 
diff --git a/include/hw/i386/x86.h b/include/hw/i386/x86.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/i386/x86.h
+++ b/include/hw/i386/x86.h
@@ -XXX,XX +XXX,XX @@
 #ifndef HW_I386_X86_H
 #define HW_I386_X86_H
 
-#include "qemu-common.h"
 #include "exec/hwaddr.h"
 #include "qemu/notify.h"
 
-- 
2.25.1

The qemu-common.h header is not supposed to be included from any
other header files, only from .c files (as documented in a comment at
the start of it).

Move the include to linux-user/hexagon/cpu_loop.c, which needs it for
the declaration of cpu_exec_step_atomic().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Message-id: 20211129200510.1233037-3-peter.maydell@linaro.org
---
 target/hexagon/cpu.h          | 1 -
 linux-user/hexagon/cpu_loop.c | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/hexagon/cpu.h b/target/hexagon/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/cpu.h
+++ b/target/hexagon/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUHexagonState CPUHexagonState;
 
 #include "fpu/softfloat-types.h"
 
-#include "qemu-common.h"
 #include "exec/cpu-defs.h"
 #include "hex_regs.h"
 #include "mmvec/mmvec.h"
diff --git a/linux-user/hexagon/cpu_loop.c b/linux-user/hexagon/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/hexagon/cpu_loop.c
+++ b/linux-user/hexagon/cpu_loop.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "qemu.h"
 #include "user-internals.h"
 #include "cpu_loop-common.h"
-- 
2.25.1

A lot of C files in hw/arm include qemu-common.h when they don't
need anything from it. Drop the include lines.

omap1.c, pxa2xx.c and strongarm.c retain the include because they
use it for the prototype of qemu_get_timedate().

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Taylor Simpson <tsimpson@quicinc.com>
Reviewed-by: Yoshinori Sato <ysato@users.sourceforge.jp>
Message-id: 20211129200510.1233037-5-peter.maydell@linaro.org
---
 hw/arm/boot.c           | 1 -
 hw/arm/digic_boards.c   | 1 -
 hw/arm/highbank.c       | 1 -
 hw/arm/npcm7xx_boards.c | 1 -
 hw/arm/sbsa-ref.c       | 1 -
 hw/arm/stm32f405_soc.c  | 1 -
 hw/arm/vexpress.c       | 1 -
 hw/arm/virt.c           | 1 -
 8 files changed, 8 deletions(-)

diff --git a/hw/arm/boot.c b/hw/arm/boot.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/boot.c
+++ b/hw/arm/boot.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/error-report.h"
 #include "qapi/error.h"
diff --git a/hw/arm/digic_boards.c b/hw/arm/digic_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/digic_boards.c
+++ b/hw/arm/digic_boards.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "hw/boards.h"
 #include "qemu/error-report.h"
diff --git a/hw/arm/highbank.c b/hw/arm/highbank.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/highbank.c
+++ b/hw/arm/highbank.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qapi/error.h"
 #include "hw/sysbus.h"
diff --git a/hw/arm/npcm7xx_boards.c b/hw/arm/npcm7xx_boards.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/npcm7xx_boards.c
+++ b/hw/arm/npcm7xx_boards.c
@@ -XXX,XX +XXX,XX @@
 #include "hw/qdev-core.h"
 #include "hw/qdev-properties.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/units.h"
 #include "sysemu/blockdev.h"
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
diff --git a/hw/arm/stm32f405_soc.c b/hw/arm/stm32f405_soc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/stm32f405_soc.c
+++ b/hw/arm/stm32f405_soc.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "exec/address-spaces.h"
 #include "sysemu/sysemu.h"
 #include "hw/arm/stm32f405_soc.h"
diff --git a/hw/arm/vexpress.c b/hw/arm/vexpress.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/vexpress.c
+++ b/hw/arm/vexpress.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qapi/error.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "cpu.h"
 #include "hw/sysbus.h"
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu-common.h"
 #include "qemu/datadir.h"
 #include "qemu/units.h"
 #include "qemu/option.h"
-- 
2.25.1

The calculation of the length of TLB range invalidate operations
in tlbi_aa64_range_get_length() is incorrect in two ways:
 * the NUM field is 5 bits, but we read only 4 bits
 * we miscalculate the page_shift value, because of an
   off-by-one error:
    TG 0b00 is invalid
    TG 0b01 is 4K granule size == 4096 == 2^12
    TG 0b10 is 16K granule size == 16384 == 2^14
    TG 0b11 is 64K granule size == 65536 == 2^16
   so page_shift should be (TG - 1) * 2 + 12

Thanks to the bug report submitter Cha HyunSoo for identifying
both these errors.

Fixes: 84940ed82552d3c ("target/arm: Add support for FEAT_TLBIRANGE")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/734
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211130173257.1274194-1-peter.maydell@linaro.org
---
 target/arm/helper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t tlbi_aa64_range_get_length(CPUARMState *env,
     uint64_t exponent;
     uint64_t length;
 
-    num = extract64(value, 39, 4);
+    num = extract64(value, 39, 5);
     scale = extract64(value, 44, 2);
     page_size_granule = extract64(value, 46, 2);
 
-    page_shift = page_size_granule * 2 + 12;
-
     if (page_size_granule == 0) {
         qemu_log_mask(LOG_GUEST_ERROR, "Invalid page size granule %d\n",
                       page_size_granule);
         return 0;
     }
 
+    page_shift = (page_size_granule - 1) * 2 + 12;
+
     exponent = (5 * scale) + 1;
     length = (num + 1) << (exponent + page_shift);
 
-- 
2.25.1

From: Patrick Venture <venture@google.com>

The rx_active boolean change to true should always trigger a try_read
call that flushes the queue.

Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20211203221002.1719306-1-venture@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/net/npcm7xx_emc.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/hw/net/npcm7xx_emc.c b/hw/net/npcm7xx_emc.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/net/npcm7xx_emc.c
+++ b/hw/net/npcm7xx_emc.c
@@ -XXX,XX +XXX,XX @@ static void emc_halt_rx(NPCM7xxEMCState *emc, uint32_t mista_flag)
     emc_set_mista(emc, mista_flag);
 }
 
+static void emc_enable_rx_and_flush(NPCM7xxEMCState *emc)
+{
+    emc->rx_active = true;
+    qemu_flush_queued_packets(qemu_get_queue(emc->nic));
+}
+
 static void emc_set_next_tx_descriptor(NPCM7xxEMCState *emc,
                                        const NPCM7xxEMCTxDesc *tx_desc,
                                        uint32_t desc_addr)
@@ -XXX,XX +XXX,XX @@ static ssize_t emc_receive(NetClientState *nc, const uint8_t *buf, size_t len1)
     return len;
 }
 
-static void emc_try_receive_next_packet(NPCM7xxEMCState *emc)
-{
-    if (emc_can_receive(qemu_get_queue(emc->nic))) {
-        qemu_flush_queued_packets(qemu_get_queue(emc->nic));
-    }
-}
-
 static uint64_t npcm7xx_emc_read(void *opaque, hwaddr offset, unsigned size)
 {
     NPCM7xxEMCState *emc = opaque;
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
             emc->regs[REG_MGSTA] |= REG_MGSTA_RXHA;
         }
         if (value & REG_MCMDR_RXON) {
-            emc->rx_active = true;
+            emc_enable_rx_and_flush(emc);
         } else {
             emc_halt_rx(emc, 0);
         }
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_emc_write(void *opaque, hwaddr offset,
         break;
     case REG_RSDR:
         if (emc->regs[REG_MCMDR] & REG_MCMDR_RXON) {
-            emc->rx_active = true;
-            emc_try_receive_next_packet(emc);
+            emc_enable_rx_and_flush(emc);
         }
         break;
     case REG_MIIDA:
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

When a virtio-iommu is instantiated, describe it using the ACPI VIOT
table.

diff --git a/hw/arm/virt-acpi-build.c b/hw/arm/virt-acpi-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt-acpi-build.c
+++ b/hw/arm/virt-acpi-build.c
@@ -XXX,XX +XXX,XX @@
 #include "kvm_arm.h"
 #include "migration/vmstate.h"
 #include "hw/acpi/ghes.h"
+#include "hw/acpi/viot.h"
 
 #define ARM_SPI_BASE 32
 
@@ -XXX,XX +XXX,XX @@ void virt_acpi_build(VirtMachineState *vms, AcpiBuildTables *tables)
     }
 #endif
 
+    if (vms->iommu == VIRT_IOMMU_VIRTIO) {
+        acpi_add_table(table_offsets, tables_blob);
+        build_viot(ms, tables_blob, tables->linker, vms->virtio_iommu_bdf,
+                   vms->oem_id, vms->oem_table_id);
+    }
+
     /* XSDT is pointed to by RSDP */
     xsdt = tables_blob->len;
     build_xsdt(tables_blob, tables->linker, table_offsets, vms->oem_id,
diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/Kconfig
+++ b/hw/arm/Kconfig
@@ -XXX,XX +XXX,XX @@ config ARM_VIRT
     select DIMM
     select ACPI_HW_REDUCED
     select ACPI_APEI
+    select ACPI_VIOT
 
 config CHEETAH
     bool
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

virtio-iommu is now supported with ACPI VIOT as well as device tree.
Remove the restriction that prevents from instantiating a virtio-iommu
device under ACPI.

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static HotplugHandler *virt_machine_get_hotplug_handler(MachineState *machine,
     MachineClass *mc = MACHINE_GET_CLASS(machine);
 
     if (device_is_dynamic_sysbus(mc, dev) ||
-       (object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM))) {
+        object_dynamic_cast(OBJECT(dev), TYPE_PC_DIMM) ||
+        object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
         return HOTPLUG_HANDLER(machine);
     }
-    if (object_dynamic_cast(OBJECT(dev), TYPE_VIRTIO_IOMMU_PCI)) {
-        VirtMachineState *vms = VIRT_MACHINE(machine);
-
-        if (!vms->bootinfo.firmware_loaded || !virt_is_acpi_enabled(vms)) {
-            return HOTPLUG_HANDLER(machine);
-        }
-    }
     return NULL;
 }
 
diff --git a/hw/virtio/virtio-iommu-pci.c b/hw/virtio/virtio-iommu-pci.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/virtio/virtio-iommu-pci.c
+++ b/hw/virtio/virtio-iommu-pci.c
@@ -XXX,XX +XXX,XX @@ static void virtio_iommu_pci_realize(VirtIOPCIProxy *vpci_dev, Error **errp)
     VirtIOIOMMU *s = VIRTIO_IOMMU(vdev);
 
     if (!qdev_get_machine_hotplug_handler(DEVICE(vpci_dev))) {
-        MachineClass *mc = MACHINE_GET_CLASS(qdev_get_machine());
-
-        error_setg(errp,
-                   "%s machine fails to create iommu-map device tree bindings",
-                   mc->name);
-        error_append_hint(errp,
-                          "Check your machine implements a hotplug handler "
-                          "for the virtio-iommu-pci device\n");
-        error_append_hint(errp, "Check the guest is booted without FW or with "
-                          "-no-acpi\n");
+        error_setg(errp, "Check your machine implements a hotplug handler "
+                         "for the virtio-iommu-pci device");
         return;
     }
     for (int i = 0; i < s->nb_reserved_regions; i++) {
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

We do not support instantiating multiple IOMMUs. Before adding a
virtio-iommu, check that no other IOMMU is present. This will detect
both "iommu=smmuv3" machine parameter and another virtio-iommu instance.

Fixes: 70e89132c9 ("hw/arm/virt: Add the virtio-iommu device tree mappings")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-4-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
         hwaddr db_start = 0, db_end = 0;
         char *resv_prop_str;
 
+        if (vms->iommu != VIRT_IOMMU_NONE) {
+            error_setg(errp, "virt machine does not support multiple IOMMUs");
+            return;
+        }
+
         switch (vms->msi_controller) {
         case VIRT_MSI_CTRL_NONE:
             return;
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

To propagate errors to the caller of the pre_plug callback, use the
object_poperty_set*() functions directly instead of the qdev_prop_set*()
helpers.

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-5-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void virt_machine_device_pre_plug_cb(HotplugHandler *hotplug_dev,
                                         db_start, db_end,
                                         VIRTIO_IOMMU_RESV_MEM_T_MSI);
 
-        qdev_prop_set_uint32(dev, "len-reserved-regions", 1);
-        qdev_prop_set_string(dev, "reserved-regions[0]", resv_prop_str);
+        object_property_set_uint(OBJECT(dev), "len-reserved-regions", 1, errp);
+        object_property_set_str(OBJECT(dev), "reserved-regions[0]",
+                                resv_prop_str, errp);
         g_free(resv_prop_str);
     }
 }
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Create empty data files and allow updates for the upcoming VIOT tests.

Acked-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-6-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h | 3 +++
 tests/data/acpi/q35/DSDT.viot               | 0
 tests/data/acpi/q35/VIOT.viot               | 0
 tests/data/acpi/virt/VIOT                   | 0
 4 files changed, 3 insertions(+)
 create mode 100644 tests/data/acpi/q35/DSDT.viot
 create mode 100644 tests/data/acpi/q35/VIOT.viot
 create mode 100644 tests/data/acpi/virt/VIOT

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Add two test cases for VIOT, one on the q35 machine and the other on
virt. To test complex topologies the q35 test has two PCIe buses that
bypass the IOMMU (and are therefore not described by VIOT), and two
buses that are translated by virtio-iommu.

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-7-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test.c | 38 ++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)

diff --git a/tests/qtest/bios-tables-test.c b/tests/qtest/bios-tables-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test.c
+++ b/tests/qtest/bios-tables-test.c
@@ -XXX,XX +XXX,XX @@ static void test_acpi_virt_tcg(void)
     free_test_data(&data);
 }
 
+static void test_acpi_q35_viot(void)
+{
+    test_data data = {
+        .machine = MACHINE_Q35,
+        .variant = ".viot",
+    };
+
+    /*
+     * To keep things interesting, two buses bypass the IOMMU.
+     * VIOT should only describes the other two buses.
+     */
+    test_acpi_one("-machine default_bus_bypass_iommu=on "
+                  "-device virtio-iommu-pci "
+                  "-device pxb-pcie,bus_nr=0x10,id=pcie.100,bus=pcie.0 "
+                  "-device pxb-pcie,bus_nr=0x20,id=pcie.200,bus=pcie.0,bypass_iommu=on "
+                  "-device pxb-pcie,bus_nr=0x30,id=pcie.300,bus=pcie.0",
+                  &data);
+    free_test_data(&data);
+}
+
+static void test_acpi_virt_viot(void)
+{
+    test_data data = {
+        .machine = "virt",
+        .uefi_fl1 = "pc-bios/edk2-aarch64-code.fd",
+        .uefi_fl2 = "pc-bios/edk2-arm-vars.fd",
+        .cd = "tests/data/uefi-boot-images/bios-tables-test.aarch64.iso.qcow2",
+        .ram_start = 0x40000000ULL,
+        .scan_len = 128ULL * 1024 * 1024,
+    };
+
+    test_acpi_one("-cpu cortex-a57 "
+                  "-device virtio-iommu-pci", &data);
+    free_test_data(&data);
+}
+
 static void test_oem_fields(test_data *data)
 {
     int i;
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
             qtest_add_func("acpi/q35/kvm/xapic", test_acpi_q35_kvm_xapic);
             qtest_add_func("acpi/q35/kvm/dmar", test_acpi_q35_kvm_dmar);
         }
+        qtest_add_func("acpi/q35/viot", test_acpi_q35_viot);
     } else if (strcmp(arch, "aarch64") == 0) {
         if (has_tcg) {
             qtest_add_func("acpi/virt", test_acpi_virt_tcg);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char *argv[])
             qtest_add_func("acpi/virt/memhp", test_acpi_virt_tcg_memhp);
             qtest_add_func("acpi/virt/pxb", test_acpi_virt_tcg_pxb);
             qtest_add_func("acpi/virt/oem-fields", test_acpi_oem_fields_virt);
+            qtest_add_func("acpi/virt/viot", test_acpi_virt_viot);
         }
     }
     ret = g_test_run();
-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

Add expected blobs of the VIOT and DSDT table for the VIOT test on the
q35 machine.

Since the test instantiates a virtio device and two PCIe expander
bridges, DSDT.viot has more blocks than the base DSDT.

The VIOT table generated for the q35 test is:

[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
[004h 0004   4]                 Table Length : 00000070
[008h 0008   1]                     Revision : 00
[009h 0009   1]                     Checksum : 3D
[00Ah 0010   6]                       Oem ID : "BOCHS "
[010h 0016   8]                 Oem Table ID : "BXPC    "
[018h 0024   4]                 Oem Revision : 00000001
[01Ch 0028   4]              Asl Compiler ID : "BXPC"
[020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   2]                   Node count : 0003
[026h 0038   2]                  Node offset : 0030
[028h 0040   8]                     Reserved : 0000000000000000

[030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
[031h 0049   1]                     Reserved : 00
[032h 0050   2]                       Length : 0010

[034h 0052   2]                  PCI Segment : 0000
[036h 0054   2]               PCI BDF number : 0010
[038h 0056   8]                     Reserved : 0000000000000000

[040h 0064   1]                         Type : 01 [PCI Range]
[041h 0065   1]                     Reserved : 00
[042h 0066   2]                       Length : 0018

[044h 0068   4]               Endpoint start : 00003000
[048h 0072   2]            PCI Segment start : 0000
[04Ah 0074   2]              PCI Segment end : 0000
[04Ch 0076   2]                PCI BDF start : 3000
[04Eh 0078   2]                  PCI BDF end : 30FF
[050h 0080   2]                  Output node : 0030
[052h 0082   6]                     Reserved : 000000000000

[058h 0088   1]                         Type : 01 [PCI Range]
[059h 0089   1]                     Reserved : 00
[05Ah 0090   2]                       Length : 0018

[05Ch 0092   4]               Endpoint start : 00001000
[060h 0096   2]            PCI Segment start : 0000
[062h 0098   2]              PCI Segment end : 0000
[064h 0100   2]                PCI BDF start : 1000
[066h 0102   2]                  PCI BDF end : 10FF
[068h 0104   2]                  Output node : 0030
[06Ah 0106   6]                     Reserved : 000000000000

And the DSDT diff is:

@@ -XXX,XX +XXX,XX @@
  *
  * Disassembling to symbolic ASL+ operators
  *
- * Disassembly of tests/data/acpi/q35/DSDT, Fri Dec 10 15:03:08 2021
+ * Disassembly of /tmp/aml-H9Y5D1, Fri Dec 10 15:02:27 2021
  *
  * Original Table Header:
  *     Signature        "DSDT"
- *     Length           0x00002061 (8289)
+ *     Length           0x000024B6 (9398)
  *     Revision         0x01 **** 32-bit table (V1), no 64-bit math support
- *     Checksum         0xFA
+ *     Checksum         0xA7
  *     OEM ID           "BOCHS "
  *     OEM Table ID     "BXPC    "
  *     OEM Revision     0x00000001 (1)
@@ -XXX,XX +XXX,XX @@
         }
     }

+    Scope (\_SB)
+    {
+        Device (PC30)
+        {
+            Name (_UID, 0x30)  // _UID: Unique ID
+            Name (_BBN, 0x30)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC30._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0030,             // Range Minimum
+                    0x0030,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
+    Scope (\_SB)
+    {
+        Device (PC20)
+        {
+            Name (_UID, 0x20)  // _UID: Unique ID
+            Name (_BBN, 0x20)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC20._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0020,             // Range Minimum
+                    0x0020,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
+    Scope (\_SB)
+    {
+        Device (PC10)
+        {
+            Name (_UID, 0x10)  // _UID: Unique ID
+            Name (_BBN, 0x10)  // _BBN: BIOS Bus Number
+            Name (_HID, EisaId ("PNP0A08") /* PCI Express Bus */)  // _HID: Hardware ID
+            Name (_CID, EisaId ("PNP0A03") /* PCI Bus */)  // _CID: Compatible ID
+            Method (_OSC, 4, NotSerialized)  // _OSC: Operating System Capabilities
+            {
+                CreateDWordField (Arg3, Zero, CDW1)
+                If ((Arg0 == ToUUID ("33db4d5b-1ff7-401c-9657-7441c03dd766") /* PCI Host Bridge Device */))
+                {
+                    CreateDWordField (Arg3, 0x04, CDW2)
+                    CreateDWordField (Arg3, 0x08, CDW3)
+                    Local0 = CDW3 /* \_SB_.PC10._OSC.CDW3 */
+                    Local0 &= 0x1F
+                    If ((Arg1 != One))
+                    {
+                        CDW1 |= 0x08
+                    }
+
+                    If ((CDW3 != Local0))
+                    {
+                        CDW1 |= 0x10
+                    }
+
+                    CDW3 = Local0
+                }
+                Else
+                {
+                    CDW1 |= 0x04
+                }
+
+                Return (Arg3)
+            }
+
+            Method (_PRT, 0, NotSerialized)  // _PRT: PCI Routing Table
+            {
+                Local0 = Package (0x80){}
+                Local1 = Zero
+                While ((Local1 < 0x80))
+                {
+                    Local2 = (Local1 >> 0x02)
+                    Local3 = ((Local1 + Local2) & 0x03)
+                    If ((Local3 == Zero))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKD,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == One))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKA,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x02))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKB,
+                                Zero
+                            }
+                    }
+
+                    If ((Local3 == 0x03))
+                    {
+                        Local4 = Package (0x04)
+                            {
+                                Zero,
+                                Zero,
+                                LNKC,
+                                Zero
+                            }
+                    }
+
+                    Local4 [Zero] = ((Local2 << 0x10) | 0xFFFF)
+                    Local4 [One] = (Local1 & 0x03)
+                    Local0 [Local1] = Local4
+                    Local1++
+                }
+
+                Return (Local0)
+            }
+
+            Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
+            {
+                WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
+                    0x0000,             // Granularity
+                    0x0010,             // Range Minimum
+                    0x0010,             // Range Maximum
+                    0x0000,             // Translation Offset
+                    0x0001,             // Length
+                    ,, )
+            })
+        }
+    }
+
     Scope (\_SB.PCI0)
     {
         Name (_CRS, ResourceTemplate ()  // _CRS: Current Resource Settings
@@ -XXX,XX +XXX,XX @@
             WordBusNumber (ResourceProducer, MinFixed, MaxFixed, PosDecode,
                 0x0000,             // Granularity
                 0x0000,             // Range Minimum
-                0x00FF,             // Range Maximum
+                0x000F,             // Range Maximum
                 0x0000,             // Translation Offset
-                0x0100,             // Length
+                0x0010,             // Length
                 ,, )
             IO (Decode16,
                 0x0CF8,             // Range Minimum
@@ -XXX,XX +XXX,XX @@
                 }
             }

+            Device (S10)
+            {
+                Name (_ADR, 0x00020000)  // _ADR: Address
+            }
+
+            Device (S18)
+            {
+                Name (_ADR, 0x00030000)  // _ADR: Address
+            }
+
+            Device (S20)
+            {
+                Name (_ADR, 0x00040000)  // _ADR: Address
+            }
+
+            Device (S28)
+            {
+                Name (_ADR, 0x00050000)  // _ADR: Address
+            }
+
             Method (PCNT, 0, NotSerialized)
             {
             }

Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-8-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   2 --
 tests/data/acpi/q35/DSDT.viot               | Bin 0 -> 9398 bytes
 tests/data/acpi/q35/VIOT.viot               | Bin 0 -> 112 bytes
 3 files changed, 2 deletions(-)

diff --git a/tests/qtest/bios-tables-test-allowed-diff.h b/tests/qtest/bios-tables-test-allowed-diff.h
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/bios-tables-test-allowed-diff.h
+++ b/tests/qtest/bios-tables-test-allowed-diff.h
@@ -XXX,XX +XXX,XX @@
 /* List of comma-separated changed AML files to ignore */
 "tests/data/acpi/virt/VIOT",
-"tests/data/acpi/q35/DSDT.viot",
-"tests/data/acpi/q35/VIOT.viot",
diff --git a/tests/data/acpi/q35/DSDT.viot b/tests/data/acpi/q35/DSDT.viot
index XXXXXXX..XXXXXXX 100644
GIT binary patch
literal 9398
zcmeHNO>7&-8J*>iv|O&FB}G~Oi$yp||57BBoWHhc5OS9yDTx$CQgH$r;8Idr*-4Q_
z5(9Az1F`}niVsB-)<KW7p`g9Br(A2Gm-gmc1N78GFS!;)e2V(MnH_0{q<{#yMgn&C
zn|*J-d9yqFhO_H6z19~`FlPL*u<DkZ*}|)JH;X@mF-FI<cPg<fti9tEN*yB^i5czN
zNq&q?!OZ;BE3B7{KWzJ-`Tn~f`9?Qj8~2^N8{Oc8J%57{==w%rS#;nOCp*nTr@iZ1
zb+?i;JLQUJ=O0?8*>S~D)a>NF1~WVB6^~_B#yhJ`H+JU@=6aXs`?Yv)J2h=N?drcS
zeLZ*n<<Bm^n}6`jfBx#u8&(W}1?)}iF9o#mZ~E2+zwdn7yK3AbIzKnxpZ>JRPm3~#
z&ICS{+_OayRW-l=Mtk=~uaS3o8z<_udd|(wqg`&JnVPfCe>BUOO`Su3e>pff_^UW%
z&JE^NO`)=Amg~iqRB1pPscP?(>#ZuY8GHCmlEvD$9g3%4Db~Dfz2SATnddvrR-Oe^
z;s;dJec!hnzi)ri^I6YN9vtkm{^TdUF8h7gX8-<Qe4p)GQ=)AtYx2VcwdLVAEXEjG
z^Mj|UHPqkj-LsWuzQem1>F3atdZn=zv3$#RmZzSHN+6-yyU#8cJb=YDilX&sl}vNm
znkgAR^O<3kj4if>{ly5fwRfMWuC5=lrlvKPX~i#654Cp}R_d*JS$9laZ$ra6)<ns8
zFZy28G%xP(nit&F>LDi%G<tIc=TY=gl$jSD&Uv!Yat~XR46h%rI$!}a%!|xG7u8Zn
zeY8_|n=K>xz_v_W8VX$W-Fg-qFWcT}7MCyz{%%{ia7hZ>Law-k6NOr}VI&_48U=2l
zwqDKFE8eTwwozDdms#e?x?5a|v>&JF;2_v0L~z5n%BYU^52<*cWuD4|GYUm@1+?))
zte^45>Rz)t*<T5V#={r>@t@{%?^i#W{i=HAZ*Dc9y59Va-+#P!jrGs;u38a{fLr`N
zvT@rUu>DljxJ?^&Z?-?vyJn3C>3D=qux{Y*bs5|5n)Qmi$TD^Zdn4GU$ocJS2Hh-<
z`xPI^^+v0nUVdjMos8k`WGl7hA`{03ju%<lrgAHSpd^DRf-*}_#Ly0mB!LSfVgWcQ
z&T$@~G9)JI=hz5m0vkrel+Xy{Oh7pkAu-V!j*W7rY(bO}Q$nMH2`FbGB&N)QaV4<4
zo)~9JXiP9=;}NPl<C@MmXG&;XFlFNrsyfFsonxFSp<}vEgsRSQP3O3#b6nSnP}ON_
zI!#Tdsp~|j>ckUB>FI=~GokB5sOq#dotCE4(sd$KbtW~PNlj-`*NIToiD#j5J#9^=
zt?NXn>YUJYPG~wObe#xQos*i*NloXZt`niEb4t@WrRki~bs|)CI+{*L)9L6s5vn><
zn$DD_Go|Z9sOn5>I@6lYw5}7Os&iV?Ij!lO)^#FOb!If38BJ$K*NIToIiu;E(R9w}
zIuWWmPiZ<&X*y5oIuWWmF_XaEC!a&Jn$B5WCqh-{X-(&8P3LJ{Cqh-{8P3dyPr@^t
zSqL9?X9Uwd3W@23*s~h*tj0X6GZCuHa~kuU#yqDp5vt7d8uPryJg+kms?5hU=3^T3
zF`bD}WnSP+=`t5MQ$FJ_2&Q~+BP6E0f^%BVIW6a$o)e+SX~IDBih-7z6{O~7YTy`&
zLjy&Cv?7QikV#>n0>>@MV8oK`Gmun34-FKdlm-J8SZSaNlnhir4-FI{S|bfqV8e)V
zss<{chX#reE#g=hsKAC%sF6d-Km}BWs!kZFsFpKfpbC@>6rprQGEjt4Ck#|zITHq|
zK*>M_l;<P^MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=xY&!axO<
zGhv_#lnhirIg<<&q0|Wj6<E%MfhtfkPyyvkGEjt4Ck#|zITHq|K*>M_lrzad5lWpf
zP=V!47^ngz0~JutBm+e#b;3XemNQ|X3X}{~Ksl2P6rt1!0~J`#gn=qhGEf2KOfpb}
zQYQ>lU^x>8szAv=1(Y+%KoLrvFi?TzOc<yFB?A>u&LjgxD0RX>1(q{mpbC@>R6seC
z3>2Z%2?G^a&V+#~P%=;f<xDbAgi<FARA4z12C6{GKn0XD$v_cGoiI>=<xCi;0wn_#
zP|hR+MJRQ`Kn0dFVW0|>3{*fllMEE0)CmI>Sk8ojDo`>|0p(0GP=rz^3{+q_69%e4
z$v_2^Gs!>^N}VuJf#pmXr~)Me6;RG314Srx!axxz28u{EP=u<1B2)}iVZuNaCK;&0
zBm-5LFi?dF167!0pbC==RAItE6($T+VUmF=Ofpb~2?JG_Fi?d_2C6X0Kouqo6p_5T
zFi=FeV!SiSKoR0H$dH(_Z(*Q_WZ%L-5y`$K14StNmJAdjmWs}HV4<vU_xO+1efmLq
zZ;W>N_U)fP6Qy6Nw5mbt9Y(#emWSi66=>tq#xoh#Ue=0qyhxi8ZOUe5y0V7VfPUhp
zwX=;ymc+i5%sg9Ja~lZ&8oAV@mHc>&CHP9v4R(jhtT?un;O4e9#pno)Xkh7OWgK&a
zyj=3Iv0OuoK_;5rOr5f(Kb~ZXDBO+V`OWYo#_C08imwChQxnjdd?wZLDou8aj;$SD
zGDYiA3<$Tu<JnHL(KPOChi#zrR32t83}naR$+ym4P_h?z_5#|cW-nw$XD_sOtE62l
zrD3@*)NVyiklt0&yF9%+klsBey&I<Y2E<!f(E8TuJte)z(|ZHyy<^gQVfx}=`q&B5
z7nSryp1wGczIaUfVwiq$Fn#<4=@*ssi#+|}K>EdF(l3VTOM~ghPLRH&q%ZOGrGfON
zW73zx^yR_y<0nX8R??Sw`tm^f@-gYlNFSp|*<gA{q?Zp5Oe-+l#rmyYmKozi9y=P>
zVReJU*h=ZuVXiS$ohTbw-O#v9>(yZbGE|)?8(H1ZIKvV!jWa0>vy!3eMA^vdhQ>`s
zuMSg{q3T50$m)j1!HixV<}X9liL#N^4c*tL^y)CF8LCc{jjV3yKAqL8!%SzWI#H%q
z=bSrQ&)%JCRttF5g4Zf`6l?y@>PzD7MA^D>wBlcH6r1ucwJ<p0O%rZ?JzIY3-QdmZ
zzs|n>`a5r3e|z)wcUaqS>nqFQ-8x}eCF4u`OWUxqst-@1rSmUs%WmKP5e0dcb?e2N
z;Z|x*!);VwF|Yuhqs^khqOM!@u*jY!WYldISF(V6`BoNd&6Qfk3>X#SuD^7J>p_D=
zBPa51y^_n#=cpOt#Zf$ya$Ae9Mfz56n|<i!a=ELS@)%a{^NIH3SDuN<R~sah1km#P
zU@?*f%<rG=4W1wgfi;C?_n|W@%lm$&8YfvNOJodIg&IcIpIJQRHr<+ej11GQ6)&eF
z2Lam*jIH}#y0>KnY%4JQfOYS$*uU%f#@$U6`N8I3N-lV?5ErFCdv~xDmu2(wexld4
z4v^;aVAT2k6GJ^m*FD(Wqc(Qg^)6a<?}h$zLoj}4;PP!+(O{@!a1y-hoAhF_7!z+6
zslpAmNtYbjHrw-~#SPVk_FUf>-Obg6yV`8o$8_`PyJe_;bY5_EMBfBfWU!Q=*9HsG
z%_Cda{@_Krr!oHVhv9+y+T5qR8zZ2aZ>5r!$*|f$^U%yBUYfR&B!+EYy_PwL!BeUi
zJH^}r3r9Q+B)X@Z)fk=P13w&7x#wBtXTZ)g>WITPg5r&pQc!nmyrmk#S(>>b9xnNr
zx_b#v9Xv-Y><Wb%?S^0Xe&<)bbKl_=Z|3C$tf|F<bYzE*mfHB;uC)`q-?buaBe?l?
zcLTpK*k<49Z32`K?|nSBMFqxTK^_IE-li2fEGdK~(ZdoKBl6ab4a;Hler#`xvEXJG
zb?<E%EZExfX>jcOVhS*0rS~RS1dA#xhkv@Nct@#q?LyeKS<$uFec!bw>{@uu$gZ6a
zyVen1i{1BKd%~`D7|m$;U0a<I*3I7%^N%N%lGYdU_GS!gaR8T$NA@GzFi~z`l7hdl
zarZy6590|88pi(1zq;V(>38zM0sT&<zX;R5$1w3;`_JMG`;&I&0Y23DMx1%@(w(R9
z4M$j;D5J+Gy%fijRQsctzFKf&cv|BAz#YLq3CZJWDdtL4u1u1|mkdcUp7|sxJC+?Y
z_@@s`v3j}Q7*z>6X~cwUxUL8G1KT)_XTp!KAbs;vCp{K3&~_X@+ew=-D}v`2MbFV0
zQsVsL=rXi-pI*G|iiz;VTCutgUs)hDzV1+4?8KcoP3xROf<M%qC6lgVdpFt4<-|uM
z=#rl_b1#YjSIl6Toj2z_hOZcKupkdE(LozC(fN=FY(x|sk)ym|;Rq2E1xJWD%Z!ol
Gu>S+TT-130

literal 0
HcmV?d00001

diff --git a/tests/data/acpi/q35/VIOT.viot b/tests/data/acpi/q35/VIOT.viot
index XXXXXXX..XXXXXXX 100644
GIT binary patch
literal 112
zcmWIZ^baXu00LVle`k+i1*eDrX9XZ&1PX!JAex!M0Hgv8m>C3sGzdcgBZCA3T-xBj
Q0Zb)W9Hva*zW_`e0M!8s0RR91

literal 0
HcmV?d00001

-- 
2.25.1

From: Jean-Philippe Brucker <jean-philippe@linaro.org>

The VIOT blob contains the following:

[000h 0000   4]                    Signature : "VIOT"    [Virtual I/O Translation Table]
[004h 0004   4]                 Table Length : 00000058
[008h 0008   1]                     Revision : 00
[009h 0009   1]                     Checksum : 66
[00Ah 0010   6]                       Oem ID : "BOCHS "
[010h 0016   8]                 Oem Table ID : "BXPC    "
[018h 0024   4]                 Oem Revision : 00000001
[01Ch 0028   4]              Asl Compiler ID : "BXPC"
[020h 0032   4]        Asl Compiler Revision : 00000001

[024h 0036   2]                   Node count : 0002
[026h 0038   2]                  Node offset : 0030
[028h 0040   8]                     Reserved : 0000000000000000

[030h 0048   1]                         Type : 03 [VirtIO-PCI IOMMU]
[031h 0049   1]                     Reserved : 00
[032h 0050   2]                       Length : 0010

[034h 0052   2]                  PCI Segment : 0000
[036h 0054   2]               PCI BDF number : 0008
[038h 0056   8]                     Reserved : 0000000000000000

[040h 0064   1]                         Type : 01 [PCI Range]
[041h 0065   1]                     Reserved : 00
[042h 0066   2]                       Length : 0018

[044h 0068   4]               Endpoint start : 00000000
[048h 0072   2]            PCI Segment start : 0000
[04Ah 0074   2]              PCI Segment end : 0000
[04Ch 0076   2]                PCI BDF start : 0000
[04Eh 0078   2]                  PCI BDF end : 00FF
[050h 0080   2]                  Output node : 0030
[052h 0082   6]                     Reserved : 000000000000

Acked-by: Ani Sinha <ani@anisinha.ca>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Message-id: 20211210170415.583179-9-jean-philippe@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/bios-tables-test-allowed-diff.h |   1 -
 tests/data/acpi/virt/VIOT                   | Bin 0 -> 88 bytes
 2 files changed, 1 deletion(-)

literal 0
HcmV?d00001

-- 
2.25.1