Series comparison

-[PULL 00/32] target-arm queue
+[PULL 00/24] target-arm queue
-target-arm queue: the big stuff here is the final part of
+Hi; here's the latest arm pullreq. This is mostly patches from
-rth's patches for Cortex-A76 and Neoverse-N1 support;
+RTH, plus a couple of other more minor things. Switching to
-also present are Gavin's NUMA series and a few other things.
+PCREL is the big one, hopefully should improve performance.
 thanks
 -- PMM
-The following changes since commit 554623226f800acf48a2ed568900c1c968ec9a8b:
+The following changes since commit 214a8da23651f2472b296b3293e619fd58d9e212:
-  Merge tag 'qemu-sparc-20220508' of https://github.com/mcayland/qemu into staging (2022-05-08 17:03:26 -0500)
+  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2022-10-18 11:14:31 -0400)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220509
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221020
-for you to fetch changes up to ae9141d4a3265553503bf07d3574b40f84615a34:
+for you to fetch changes up to 5db899303799e49209016a93289b8694afa1449e:
-  hw/acpi/aml-build: Use existing CPU topology to build PPTT table (2022-05-09 11:47:55 +0100)
+  hw/ide/microdrive: Use device_cold_reset() for self-resets (2022-10-20 12:11:53 +0100)
 ----------------------------------------------------------------
 target-arm queue:
- * MAINTAINERS/.mailmap: update email for Leif Lindholm
+ * Switch to TARGET_TB_PCREL
- * hw/arm: add version information to sbsa-ref machine DT
+ * More pagetable-walk refactoring preparatory to HAFDBS
- * Enable new features for -cpu max:
+ * update the cortex-a15 MIDR to latest rev
-   FEAT_Debugv8p2, FEAT_Debugv8p4, FEAT_RAS (minimal version only),
+ * hw/char/pl011: fix baud rate calculation
-   FEAT_IESB, FEAT_CSV2, FEAT_CSV2_2, FEAT_CSV3, FEAT_DGH
+ * hw/ide/microdrive: Use device_cold_reset() for self-resets
  * Emulate Cortex-A76
  * Emulate Neoverse-N1
  * Fix the virt board default NUMA topology
 ----------------------------------------------------------------
-Gavin Shan (6):
+Alex Bennée (1):
-      qapi/machine.json: Add cluster-id
+      target/arm: update the cortex-a15 MIDR to latest rev
       qtest/numa-test: Specify CPU topology in aarch64_numa_cpu()
       hw/arm/virt: Consider SMP configuration in CPU topology
       qtest/numa-test: Correct CPU and NUMA association in aarch64_numa_cpu()
       hw/arm/virt: Fix CPU's default NUMA node ID
       hw/acpi/aml-build: Use existing CPU topology to build PPTT table
-Leif Lindholm (2):
+Baruch Siach (1):
-      MAINTAINERS/.mailmap: update email for Leif Lindholm
+      hw/char/pl011: fix baud rate calculation
       hw/arm: add versioning to sbsa-ref machine DT
-Richard Henderson (24):
+Peter Maydell (1):
-      target/arm: Handle cpreg registration for missing EL
+      hw/ide/microdrive: Use device_cold_reset() for self-resets
       target/arm: Drop EL3 no EL2 fallbacks
       target/arm: Merge zcr reginfo
       target/arm: Adjust definition of CONTEXTIDR_EL2
       target/arm: Move cortex impdef sysregs to cpu_tcg.c
       target/arm: Update qemu-system-arm -cpu max to cortex-a57
       target/arm: Set ID_DFR0.PerfMon for qemu-system-arm -cpu max
       target/arm: Split out aa32_max_features
       target/arm: Annotate arm_max_initfn with FEAT identifiers
       target/arm: Use field names for manipulating EL2 and EL3 modes
       target/arm: Enable FEAT_Debugv8p2 for -cpu max
       target/arm: Enable FEAT_Debugv8p4 for -cpu max
       target/arm: Add minimal RAS registers
       target/arm: Enable SCR and HCR bits for RAS
       target/arm: Implement virtual SError exceptions
       target/arm: Implement ESB instruction
       target/arm: Enable FEAT_RAS for -cpu max
       target/arm: Enable FEAT_IESB for -cpu max
       target/arm: Enable FEAT_CSV2 for -cpu max
       target/arm: Enable FEAT_CSV2_2 for -cpu max
       target/arm: Enable FEAT_CSV3 for -cpu max
       target/arm: Enable FEAT_DGH for -cpu max
       target/arm: Define cortex-a76
       target/arm: Define neoverse-n1
- docs/system/arm/emulation.rst |  10 +
+Richard Henderson (21):
- docs/system/arm/virt.rst      |   2 +
+      target/arm: Enable TARGET_PAGE_ENTRY_EXTRA
- qapi/machine.json             |   6 +-
+      target/arm: Use probe_access_full for MTE
- target/arm/cpregs.h           |  11 +
+      target/arm: Use probe_access_full for BTI
- target/arm/cpu.h              |  23 ++
+      target/arm: Add ARMMMUIdx_Phys_{S,NS}
- target/arm/helper.h           |   1 +
+      target/arm: Move ARMMMUIdx_Stage2 to a real tlb mmu_idx
- target/arm/internals.h        |  16 ++
+      target/arm: Restrict tlb flush from vttbr_write to vmid change
- target/arm/syndrome.h         |   5 +
+      target/arm: Split out S1Translate type
- target/arm/a32.decode         |  16 +-
+      target/arm: Plumb debug into S1Translate
- target/arm/t32.decode         |  18 +-
+      target/arm: Move be test for regime into S1TranslateResult
- hw/acpi/aml-build.c           | 111 ++++----
+      target/arm: Use softmmu tlbs for page table walking
- hw/arm/sbsa-ref.c             |  16 ++
+      target/arm: Split out get_phys_addr_twostage
- hw/arm/virt.c                 |  21 +-
+      target/arm: Use bool consistently for get_phys_addr subroutines
- hw/core/machine-hmp-cmds.c    |   4 +
+      target/arm: Introduce curr_insn_len
- hw/core/machine.c             |  16 ++
+      target/arm: Change gen_goto_tb to work on displacements
- target/arm/cpu.c              |  66 ++++-
+      target/arm: Change gen_*set_pc_im to gen_*update_pc
- target/arm/cpu64.c            | 353 ++++++++++++++-----------
+      target/arm: Change gen_exception_insn* to work on displacements
- target/arm/cpu_tcg.c          | 227 +++++++++++-----
+      target/arm: Remove gen_exception_internal_insn pc argument
- target/arm/helper.c           | 600 +++++++++++++++++++++++++-----------------
+      target/arm: Change gen_jmp* to work on displacements
- target/arm/op_helper.c        |  43 +++
+      target/arm: Introduce gen_pc_plus_diff for aarch64
- target/arm/translate-a64.c    |  18 ++
+      target/arm: Introduce gen_pc_plus_diff for aarch32
- target/arm/translate.c        |  23 ++
+      target/arm: Enable TARGET_TB_PCREL
- tests/qtest/numa-test.c       |  19 +-
- .mailmap                      |   3 +-
+ target/arm/cpu-param.h         |  17 +-
- MAINTAINERS                   |   2 +-
+ target/arm/cpu.h               |  47 ++--
-files changed, 1068 insertions(+), 562 deletions(-)
+ target/arm/internals.h         |   1 +
  target/arm/sve_ldst_internal.h |   1 +
  target/arm/translate-a32.h     |   2 +-
  target/arm/translate.h         |  66 ++++-
  hw/char/pl011.c                |   2 +-
  hw/ide/microdrive.c            |   8 +-
  target/arm/cpu.c               |  23 +-
  target/arm/cpu_tcg.c           |   4 +-
  target/arm/helper.c            | 155 +++++++++---
  target/arm/mte_helper.c        |  62 ++---
  target/arm/ptw.c               | 535 +++++++++++++++++++++++++----------------
  target/arm/sve_helper.c        |  54 ++---
  target/arm/tlb_helper.c        |  24 +-
  target/arm/translate-a64.c     | 220 ++++++++++-------
  target/arm/translate-m-nocp.c  |   8 +-
  target/arm/translate-mve.c     |   2 +-
  target/arm/translate-vfp.c     |  10 +-
  target/arm/translate.c         | 284 +++++++++++++---------
 files changed, 918 insertions(+), 607 deletions(-)

-[PULL 32/32] hw/acpi/aml-build: Use existing CPU topology to build PPTT table
+[PULL 01/24] hw/char/pl011: fix baud rate calculation
-From: Gavin Shan <gshan@redhat.com>
+From: Baruch Siach <baruch@tkos.co.il>
-When the PPTT table is built, the CPU topology is re-calculated, but
+The PL011 TRM says that "UARTIBRD = 0 is invalid and UARTFBRD is ignored
-it's unecessary because the CPU topology has been populated in
+when this is the case". But the code looks at FBRD for the invalid case.
-virt_possible_cpu_arch_ids() on arm/virt machine.
+Fix this.
-This reworks build_pptt() to avoid by reusing the existing IDs in
+Signed-off-by: Baruch Siach <baruch@tkos.co.il>
-ms->possible_cpus. Currently, the only user of build_pptt() is
+Message-id: 1408f62a2e45665816527d4845ffde650957d5ab.1665051588.git.baruchs-c@neureality.ai
-arm/virt machine.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Gavin Shan <gshan@redhat.com>
 Tested-by: Yanan Wang <wangyanan55@huawei.com>
 Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
 Acked-by: Igor Mammedov <imammedo@redhat.com>
 Acked-by: Michael S. Tsirkin <mst@redhat.com>
 Message-id: 20220503140304.855514-7-gshan@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/acpi/aml-build.c | 111 +++++++++++++++++++-------------------------
+ hw/char/pl011.c | 2 +-
-file changed, 48 insertions(+), 63 deletions(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
+diff --git a/hw/char/pl011.c b/hw/char/pl011.c
 index XXXXXXX..XXXXXXX 100644
---- a/hw/acpi/aml-build.c
+--- a/hw/char/pl011.c
-+++ b/hw/acpi/aml-build.c
++++ b/hw/char/pl011.c
-@@ -XXX,XX +XXX,XX @@ void build_pptt(GArray *table_data, BIOSLinker *linker, MachineState *ms,
+@@ -XXX,XX +XXX,XX @@ static unsigned int pl011_get_baudrate(const PL011State *s)
                  const char *oem_id, const char *oem_table_id)
  {
-     MachineClass *mc = MACHINE_GET_CLASS(ms);
+     uint64_t clk;
--    GQueue *list = g_queue_new();
--    guint pptt_start = table_data->len;
+-    if (s->fbrd == 0) {
--    guint parent_offset;
++    if (s->ibrd == 0) {
--    guint length, i;
+         return 0;
 -    int uid = 0;
 -    int socket;
 +    CPUArchIdList *cpus = ms->possible_cpus;
 +    int64_t socket_id = -1, cluster_id = -1, core_id = -1;
 +    uint32_t socket_offset = 0, cluster_offset = 0, core_offset = 0;
 +    uint32_t pptt_start = table_data->len;
 +    int n;
      AcpiTable table = { .sig = "PPTT", .rev = 2,
                          .oem_id = oem_id, .oem_table_id = oem_table_id };
      acpi_table_begin(&table, table_data);
 -    for (socket = 0; socket < ms->smp.sockets; socket++) {
 -        g_queue_push_tail(list,
 -            GUINT_TO_POINTER(table_data->len - pptt_start));
 -        build_processor_hierarchy_node(
 -            table_data,
 -            /*
 -             * Physical package - represents the boundary
 -             * of a physical package
 -             */
 -            (1 << 0),
 -            0, socket, NULL, 0);
 -    }
 -
 -    if (mc->smp_props.clusters_supported) {
 -        length = g_queue_get_length(list);
 -        for (i = 0; i < length; i++) {
 -            int cluster;
 -
 -            parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
 -            for (cluster = 0; cluster < ms->smp.clusters; cluster++) {
 -                g_queue_push_tail(list,
 -                    GUINT_TO_POINTER(table_data->len - pptt_start));
 -                build_processor_hierarchy_node(
 -                    table_data,
 -                    (0 << 0), /* not a physical package */
 -                    parent_offset, cluster, NULL, 0);
 -            }
 +    /*
 +     * This works with the assumption that cpus[n].props.*_id has been
 +     * sorted from top to down levels in mc->possible_cpu_arch_ids().
 +     * Otherwise, the unexpected and duplicated containers will be
 +     * created.
 +     */
 +    for (n = 0; n < cpus->len; n++) {
 +        if (cpus->cpus[n].props.socket_id != socket_id) {
 +            assert(cpus->cpus[n].props.socket_id > socket_id);
 +            socket_id = cpus->cpus[n].props.socket_id;
 +            cluster_id = -1;
 +            core_id = -1;
 +            socket_offset = table_data->len - pptt_start;
 +            build_processor_hierarchy_node(table_data,
 +                (1 << 0), /* Physical package */
 +                0, socket_id, NULL, 0);
          }
 -    }
 -    length = g_queue_get_length(list);
 -    for (i = 0; i < length; i++) {
 -        int core;
 -
 -        parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
 -        for (core = 0; core < ms->smp.cores; core++) {
 -            if (ms->smp.threads > 1) {
 -                g_queue_push_tail(list,
 -                    GUINT_TO_POINTER(table_data->len - pptt_start));
 -                build_processor_hierarchy_node(
 -                    table_data,
 -                    (0 << 0), /* not a physical package */
 -                    parent_offset, core, NULL, 0);
 -            } else {
 -                build_processor_hierarchy_node(
 -                    table_data,
 -                    (1 << 1) | /* ACPI Processor ID valid */
 -                    (1 << 3),  /* Node is a Leaf */
 -                    parent_offset, uid++, NULL, 0);
 +        if (mc->smp_props.clusters_supported) {
 +            if (cpus->cpus[n].props.cluster_id != cluster_id) {
 +                assert(cpus->cpus[n].props.cluster_id > cluster_id);
 +                cluster_id = cpus->cpus[n].props.cluster_id;
 +                core_id = -1;
 +                cluster_offset = table_data->len - pptt_start;
 +                build_processor_hierarchy_node(table_data,
 +                    (0 << 0), /* Not a physical package */
 +                    socket_offset, cluster_id, NULL, 0);
              }
 +        } else {
 +            cluster_offset = socket_offset;
          }
 -    }
 -    length = g_queue_get_length(list);
 -    for (i = 0; i < length; i++) {
 -        int thread;
 +        if (ms->smp.threads == 1) {
 +            build_processor_hierarchy_node(table_data,
 +                (1 << 1) | /* ACPI Processor ID valid */
 +                (1 << 3),  /* Node is a Leaf */
 +                cluster_offset, n, NULL, 0);
 +        } else {
 +            if (cpus->cpus[n].props.core_id != core_id) {
 +                assert(cpus->cpus[n].props.core_id > core_id);
 +                core_id = cpus->cpus[n].props.core_id;
 +                core_offset = table_data->len - pptt_start;
 +                build_processor_hierarchy_node(table_data,
 +                    (0 << 0), /* Not a physical package */
 +                    cluster_offset, core_id, NULL, 0);
 +            }
 -        parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
 -        for (thread = 0; thread < ms->smp.threads; thread++) {
 -            build_processor_hierarchy_node(
 -                table_data,
 +            build_processor_hierarchy_node(table_data,
                  (1 << 1) | /* ACPI Processor ID valid */
                  (1 << 2) | /* Processor is a Thread */
                  (1 << 3),  /* Node is a Leaf */
 -                parent_offset, uid++, NULL, 0);
 +                core_offset, n, NULL, 0);
          }
      }
--    g_queue_free(list);
-     acpi_table_end(linker, &table);
- }
 --
 .25.1

-[PULL 06/32] target/arm: Move cortex impdef sysregs to cpu_tcg.c
+[PULL 04/24] target/arm: Use probe_access_full for MTE
 From: Richard Henderson <richard.henderson@linaro.org>
-Previously we were defining some of these in user-only mode,
+The CPUTLBEntryFull structure now stores the original pte attributes, as
-but none of them are accessible from user-only, therefore
+well as the physical address.  Therefore, we no longer need a separate
-define them only in system mode.
+bit in MemTxAttrs, nor do we need to walk the tree of memory regions.
 This will shortly be used from cpu_tcg.c also.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-6-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h |  6 ++++
+ target/arm/cpu.h               |  1 -
- target/arm/cpu64.c     | 64 +++---------------------------------------
+ target/arm/sve_ldst_internal.h |  1 +
- target/arm/cpu_tcg.c   | 59 ++++++++++++++++++++++++++++++++++++++
+ target/arm/mte_helper.c        | 62 ++++++++++------------------------
-files changed, 69 insertions(+), 60 deletions(-)
+ target/arm/sve_helper.c        | 54 ++++++++++-------------------
  target/arm/tlb_helper.c        |  4 ---
 files changed, 36 insertions(+), 86 deletions(-)
-diff --git a/target/arm/internals.h b/target/arm/internals.h
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/internals.h
+--- a/target/arm/cpu.h
-+++ b/target/arm/internals.h
++++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ int aarch64_fpu_gdb_get_reg(CPUARMState *env, GByteArray *buf, int reg);
+@@ -XXX,XX +XXX,XX @@ static inline MemTxAttrs *typecheck_memtxattrs(MemTxAttrs *x)
- int aarch64_fpu_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg);
+  * generic target bits directly.
- #endif
+  */
  #define arm_tlb_bti_gp(x) (typecheck_memtxattrs(x)->target_tlb_bit0)
 -#define arm_tlb_mte_tagged(x) (typecheck_memtxattrs(x)->target_tlb_bit1)
  /*
   * AArch64 usage of the PAGE_TARGET_* bits for linux-user.
 diff --git a/target/arm/sve_ldst_internal.h b/target/arm/sve_ldst_internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_ldst_internal.h
 +++ b/target/arm/sve_ldst_internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
      void *host;
      int flags;
      MemTxAttrs attrs;
 +    bool tagged;
  } SVEHostPage;
  bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
 diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/mte_helper.c
 +++ b/target/arm/mte_helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                        TARGET_PAGE_BITS - LOG2_TAG_GRANULE - 1);
      return tags + index;
  #else
 -    uintptr_t index;
      CPUTLBEntryFull *full;
 +    MemTxAttrs attrs;
      int in_page, flags;
 -    ram_addr_t ptr_ra;
      hwaddr ptr_paddr, tag_paddr, xlat;
      MemoryRegion *mr;
      ARMASIdx tag_asi;
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
       * valid.  Indicate to probe_access_flags no-fault, then assert that
       * we received a valid page.
       */
 -    flags = probe_access_flags(env, ptr, ptr_access, ptr_mmu_idx,
 -                               ra == 0, &host, ra);
 +    flags = probe_access_full(env, ptr, ptr_access, ptr_mmu_idx,
 +                              ra == 0, &host, &full, ra);
      assert(!(flags & TLB_INVALID_MASK));
 -    /*
 -     * Find the CPUTLBEntryFull for ptr.  This *must* be present in the TLB
 -     * because we just found the mapping.
 -     * TODO: Perhaps there should be a cputlb helper that returns a
 -     * matching tlb entry + iotlb entry.
 -     */
 -    index = tlb_index(env, ptr_mmu_idx, ptr);
 -# ifdef CONFIG_DEBUG_TCG
 -    {
 -        CPUTLBEntry *entry = tlb_entry(env, ptr_mmu_idx, ptr);
 -        target_ulong comparator = (ptr_access == MMU_DATA_LOAD
 -                                   ? entry->addr_read
 -                                   : tlb_addr_write(entry));
 -        g_assert(tlb_hit(comparator, ptr));
 -    }
 -# endif
 -    full = &env_tlb(env)->d[ptr_mmu_idx].fulltlb[index];
 -
      /* If the virtual page MemAttr != Tagged, access unchecked. */
 -    if (!arm_tlb_mte_tagged(&full->attrs)) {
 +    if (full->pte_attrs != 0xf0) {
          return NULL;
      }
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
          return NULL;
      }
 +    /*
 +     * Remember these values across the second lookup below,
 +     * which may invalidate this pointer via tlb resize.
 +     */
 +    ptr_paddr = full->phys_addr;
 +    attrs = full->attrs;
 +    full = NULL;
 +
      /*
       * The Normal memory access can extend to the next page.  E.g. a single
       * 8-byte access to the last byte of a page will check only the last
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
       */
      in_page = -(ptr | TARGET_PAGE_MASK);
      if (unlikely(ptr_size > in_page)) {
 -        void *ignore;
 -        flags |= probe_access_flags(env, ptr + in_page, ptr_access,
 -                                    ptr_mmu_idx, ra == 0, &ignore, ra);
 +        flags |= probe_access_full(env, ptr + in_page, ptr_access,
 +                                   ptr_mmu_idx, ra == 0, &host, &full, ra);
          assert(!(flags & TLB_INVALID_MASK));
      }
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
      if (unlikely(flags & TLB_WATCHPOINT)) {
          int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
          assert(ra != 0);
 -        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size,
 -                             full->attrs, wp, ra);
 +        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size, attrs, wp, ra);
      }
 -    /*
 -     * Find the physical address within the normal mem space.
 -     * The memory region lookup must succeed because TLB_MMIO was
 -     * not set in the cputlb lookup above.
 -     */
 -    mr = memory_region_from_host(host, &ptr_ra);
 -    tcg_debug_assert(mr != NULL);
 -    tcg_debug_assert(memory_region_is_ram(mr));
 -    ptr_paddr = ptr_ra;
 -    do {
 -        ptr_paddr += mr->addr;
 -        mr = mr->container;
 -    } while (mr);
 -
      /* Convert to the physical address in tag space.  */
      tag_paddr = ptr_paddr >> (LOG2_TAG_GRANULE + 1);
      /* Look up the address in tag space. */
 -    tag_asi = full->attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
 +    tag_asi = attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
      tag_as = cpu_get_address_space(env_cpu(env), tag_asi);
      mr = address_space_translate(tag_as, tag_paddr, &xlat, NULL,
 -                                 tag_access == MMU_DATA_STORE,
 -                                 full->attrs);
 +                                 tag_access == MMU_DATA_STORE, attrs);
      /*
       * Note that @mr will never be NULL.  If there is nothing in the address
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
       */
      addr = useronly_clean_ptr(addr);
 +#ifdef CONFIG_USER_ONLY
-+static inline void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { }
+     flags = probe_access_flags(env, addr, access_type, mmu_idx, nofault,
                                 &info->host, retaddr);
 +    memset(&info->attrs, 0, sizeof(info->attrs));
 +    /* Require both ANON and MTE; see allocation_tag_mem(). */
 +    info->tagged = (flags & PAGE_ANON) && (flags & PAGE_MTE);
 +#else
-+void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu);
++    CPUTLBEntryFull *full;
 +    flags = probe_access_full(env, addr, access_type, mmu_idx, nofault,
 +                              &info->host, &full, retaddr);
 +    info->attrs = full->attrs;
 +    info->tagged = full->pte_attrs == 0xf0;
 +#endif
-+
+     info->flags = flags;
- #endif
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+     if (flags & TLB_INVALID_MASK) {
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
+     /* Ensure that info->host[] is relative to addr, not addr + mem_off. */
-@@ -XXX,XX +XXX,XX @@
+     info->host -= mem_off;
- #include "hvf_arm.h"
+-
- #include "qapi/visitor.h"
+-#ifdef CONFIG_USER_ONLY
- #include "hw/qdev-properties.h"
+-    memset(&info->attrs, 0, sizeof(info->attrs));
--#include "cpregs.h"
+-    /* Require both MAP_ANON and PROT_MTE -- see allocation_tag_mem. */
-+#include "internals.h"
+-    arm_tlb_mte_tagged(&info->attrs) =
+-        (flags & PAGE_ANON) && (flags & PAGE_MTE);
+-#else
--#ifndef CONFIG_USER_ONLY
+-    /*
--static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+-     * Find the iotlbentry for addr and return the transaction attributes.
--{
+-     * This *must* be present in the TLB because we just found the mapping.
--    ARMCPU *cpu = env_archcpu(env);
+-     */
--
+-    {
--    /* Number of cores is in [25:24]; otherwise we RAZ */
+-        uintptr_t index = tlb_index(env, mmu_idx, addr);
--    return (cpu->core_count - 1) << 24;
+-
--}
+-# ifdef CONFIG_DEBUG_TCG
 -        CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 -        target_ulong comparator = (access_type == MMU_DATA_LOAD
 -                                   ? entry->addr_read
 -                                   : tlb_addr_write(entry));
 -        g_assert(tlb_hit(comparator, addr));
 -# endif
 -
 -        CPUTLBEntryFull *full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
 -        info->attrs = full->attrs;
 -    }
 -#endif
 -
--static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
+     return true;
 -#ifndef CONFIG_USER_ONLY
 -    { .name = "L2CTLR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 2,
 -      .access = PL1_RW, .readfn = a57_a53_l2ctlr_read,
 -      .writefn = arm_cp_write_ignore },
 -    { .name = "L2CTLR",
 -      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 2,
 -      .access = PL1_RW, .readfn = a57_a53_l2ctlr_read,
 -      .writefn = arm_cp_write_ignore },
 -#endif
 -    { .name = "L2ECTLR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 3,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "L2ECTLR",
 -      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 3,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "L2ACTLR", .state = ARM_CP_STATE_BOTH,
 -      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 0, .opc2 = 0,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 0,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "CPUACTLR",
 -      .cp = 15, .opc1 = 0, .crm = 15,
 -      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
 -    { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 1,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "CPUECTLR",
 -      .cp = 15, .opc1 = 1, .crm = 15,
 -      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
 -    { .name = "CPUMERRSR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 2,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "CPUMERRSR",
 -      .cp = 15, .opc1 = 2, .crm = 15,
 -      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
 -    { .name = "L2MERRSR_EL1", .state = ARM_CP_STATE_AA64,
 -      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 3,
 -      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 -    { .name = "L2MERRSR",
 -      .cp = 15, .opc1 = 3, .crm = 15,
 -      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
 -};
 -
  static void aarch64_a57_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
      cpu->gic_num_lrs = 4;
      cpu->gic_vpribits = 5;
      cpu->gic_vprebits = 5;
 -    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 +    define_cortex_a72_a57_a53_cp_reginfo(cpu);
  }
- static void aarch64_a53_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ void sve_cont_ldst_mte_check(SVEContLdSt *info, CPUARMState *env,
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
+     intptr_t mem_off, reg_off, reg_last;
-     cpu->gic_num_lrs = 4;
-     cpu->gic_vpribits = 5;
+     /* Process the page only if MemAttr == Tagged. */
-     cpu->gic_vprebits = 5;
+-    if (arm_tlb_mte_tagged(&info->page[0].attrs)) {
--    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
++    if (info->page[0].tagged) {
-+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
+         mem_off = info->mem_off_first[0];
- }
+         reg_off = info->reg_off_first[0];
+         reg_last = info->reg_off_split;
- static void aarch64_a72_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ void sve_cont_ldst_mte_check(SVEContLdSt *info, CPUARMState *env,
-@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
+     }
-     cpu->gic_num_lrs = 4;
-     cpu->gic_vpribits = 5;
+     mem_off = info->mem_off_first[1];
-     cpu->gic_vprebits = 5;
+-    if (mem_off >= 0 && arm_tlb_mte_tagged(&info->page[1].attrs)) {
--    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
++    if (mem_off >= 0 && info->page[1].tagged) {
-+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
+         reg_off = info->reg_off_first[1];
- }
+         reg_last = info->reg_off_last[1];
- void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
+@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
+      * Disable MTE checking if the Tagged bit is not set.  Since TBI must
-index XXXXXXX..XXXXXXX 100644
+      * be set within MTEDESC for MTE, !mtedesc => !mte_active.
---- a/target/arm/cpu_tcg.c
+      */
-+++ b/target/arm/cpu_tcg.c
+-    if (!arm_tlb_mte_tagged(&info.page[0].attrs)) {
-@@ -XXX,XX +XXX,XX @@
++    if (!info.page[0].tagged) {
- #endif
+         mtedesc = 0;
- #include "cpregs.h"
+     }
-+#ifndef CONFIG_USER_ONLY
+@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
-+static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+                         cpu_check_watchpoint(env_cpu(env), addr, msize,
-+{
+                                              info.attrs, BP_MEM_READ, retaddr);
-+    ARMCPU *cpu = env_archcpu(env);
+                     }
-+
+-                    if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
-+    /* Number of cores is in [25:24]; otherwise we RAZ */
++                    if (mtedesc && info.tagged) {
-+    return (cpu->core_count - 1) << 24;
+                         mte_check(env, mtedesc, addr, retaddr);
-+}
+                     }
-+
+                     if (unlikely(info.flags & TLB_MMIO)) {
-+static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
-+    { .name = "L2CTLR_EL1", .state = ARM_CP_STATE_AA64,
+                                              msize, info.attrs,
-+      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 2,
+                                              BP_MEM_READ, retaddr);
-+      .access = PL1_RW, .readfn = l2ctlr_read,
+                     }
-+      .writefn = arm_cp_write_ignore },
+-                    if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
-+    { .name = "L2CTLR",
++                    if (mtedesc && info.tagged) {
-+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 2,
+                         mte_check(env, mtedesc, addr, retaddr);
-+      .access = PL1_RW, .readfn = l2ctlr_read,
+                     }
-+      .writefn = arm_cp_write_ignore },
+                     tlb_fn(env, &scratch, reg_off, addr, retaddr);
-+    { .name = "L2ECTLR_EL1", .state = ARM_CP_STATE_AA64,
+@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
-+      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 3,
+                      (env_cpu(env), addr, msize) & BP_MEM_READ)) {
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+                     goto fault;
-+    { .name = "L2ECTLR",
+                 }
-+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 3,
+-                if (mtedesc &&
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+-                    arm_tlb_mte_tagged(&info.attrs) &&
-+    { .name = "L2ACTLR", .state = ARM_CP_STATE_BOTH,
+-                    !mte_probe(env, mtedesc, addr)) {
-+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 0, .opc2 = 0,
++                if (mtedesc && info.tagged && !mte_probe(env, mtedesc, addr)) {
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+                     goto fault;
-+    { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,
+                 }
-+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 0,
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+@@ -XXX,XX +XXX,XX @@ void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
-+    { .name = "CPUACTLR",
+                                          info.attrs, BP_MEM_WRITE, retaddr);
-+      .cp = 15, .opc1 = 0, .crm = 15,
+                 }
-+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-+    { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,
+-                if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
-+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 1,
++                if (mtedesc && info.tagged) {
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+                     mte_check(env, mtedesc, addr, retaddr);
-+    { .name = "CPUECTLR",
+                 }
-+      .cp = 15, .opc1 = 1, .crm = 15,
+             }
-+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
-+    { .name = "CPUMERRSR_EL1", .state = ARM_CP_STATE_AA64,
+index XXXXXXX..XXXXXXX 100644
-+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 2,
+--- a/target/arm/tlb_helper.c
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
++++ b/target/arm/tlb_helper.c
-+    { .name = "CPUMERRSR",
+@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-+      .cp = 15, .opc1 = 2, .crm = 15,
+             res.f.phys_addr &= TARGET_PAGE_MASK;
-+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+             address &= TARGET_PAGE_MASK;
-+    { .name = "L2MERRSR_EL1", .state = ARM_CP_STATE_AA64,
+         }
-+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 3,
+-        /* Notice and record tagged memory. */
-+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+-        if (cpu_isar_feature(aa64_mte, cpu) && res.cacheattrs.attrs == 0xf0) {
-+    { .name = "L2MERRSR",
+-            arm_tlb_mte_tagged(&res.f.attrs) = true;
-+      .cp = 15, .opc1 = 3, .crm = 15,
+-        }
-+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-+};
+         res.f.pte_attrs = res.cacheattrs.attrs;
-+
+         res.f.shareability = res.cacheattrs.shareability;
 +void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu)
 +{
 +    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
 +}
 +#endif /* !CONFIG_USER_ONLY */
 +
  /* CPU models. These are not needed for the AArch64 linux-user build. */
  #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 --
 .25.1

-[PULL 09/32] target/arm: Split out aa32_max_features
+[PULL 05/24] target/arm: Use probe_access_full for BTI
 From: Richard Henderson <richard.henderson@linaro.org>
-Share the code to set AArch32 max features so that we no
+Add a field to TARGET_PAGE_ENTRY_EXTRA to hold the guarded bit.
-longer have code drift between qemu{-system,}-{arm,aarch64}.
+In is_guarded_page, use probe_access_full instead of just guessing
 that the tlb entry is still present.  Also handles the FIXME about
 executing from device memory.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-9-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-4-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/internals.h |   2 +
+ target/arm/cpu-param.h     |  9 +++++----
- target/arm/cpu64.c     |  50 +-----------------
+ target/arm/cpu.h           | 13 -------------
- target/arm/cpu_tcg.c   | 114 ++++++++++++++++++++++-------------------
+ target/arm/internals.h     |  1 +
-files changed, 65 insertions(+), 101 deletions(-)
+ target/arm/ptw.c           |  7 ++++---
  target/arm/translate-a64.c | 21 ++++++++++-----------
 files changed, 20 insertions(+), 31 deletions(-)
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu-param.h
++++ b/target/arm/cpu-param.h
+@@ -XXX,XX +XXX,XX @@
+  *
+  * For ARMMMUIdx_Stage2*, pte_attrs is the S2 descriptor bits [5:2].
+  * Otherwise, pte_attrs is the same as the MAIR_EL1 8-bit format.
+- * For shareability, as in the SH field of the VMSAv8-64 PTEs.
++ * For shareability and guarded, as in the SH and GP fields respectively
++ * of the VMSAv8-64 PTEs.
+  */
+ # define TARGET_PAGE_ENTRY_EXTRA  \
+-     uint8_t pte_attrs;           \
+-     uint8_t shareability;
+-
++    uint8_t pte_attrs;            \
++    uint8_t shareability;         \
++    bool guarded;
+ #endif
+ #define NB_MMU_MODES 8
+diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.h
++++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ static inline uint64_t *aa64_vfp_qreg(CPUARMState *env, unsigned regno)
+ /* Shared between translate-sve.c and sve_helper.c.  */
+ extern const uint64_t pred_esz_masks[5];
+-/* Helper for the macros below, validating the argument type. */
+-static inline MemTxAttrs *typecheck_memtxattrs(MemTxAttrs *x)
+-{
+-    return x;
+-}
+-
+-/*
+- * Lvalue macros for ARM TLB bits that we must cache in the TCG TLB.
+- * Using these should be a bit more self-documenting than using the
+- * generic target bits directly.
+- */
+-#define arm_tlb_bti_gp(x) (typecheck_memtxattrs(x)->target_tlb_bit0)
+-
+ /*
+  * AArch64 usage of the PAGE_TARGET_* bits for linux-user.
+  * Note that with the Linux kernel, PROT_MTE may not be cleared by mprotect
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ static inline void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { }
+@@ -XXX,XX +XXX,XX @@ typedef struct ARMCacheAttrs {
- void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu);
+     unsigned int attrs:8;
      unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
      bool is_s2_format:1;
 +    bool guarded:1;              /* guarded bit of the v8-64 PTE */
  } ARMCacheAttrs;
  /* Fields that are valid upon success. */
 diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/ptw.c
 +++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
           */
          result->f.attrs.secure = false;
      }
 -    /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB.  */
 -    if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) {
 -        arm_tlb_bti_gp(&result->f.attrs) = true;
 +
 +    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
 +    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
 +        result->f.guarded = guarded;
      }
      if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool is_guarded_page(CPUARMState *env, DisasContext *s)
  #ifdef CONFIG_USER_ONLY
      return page_get_flags(addr) & PAGE_BTI;
  #else
 +    CPUTLBEntryFull *full;
 +    void *host;
      int mmu_idx = arm_to_core_mmu_idx(s->mmu_idx);
 -    unsigned int index = tlb_index(env, mmu_idx, addr);
 -    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 +    int flags;
      /*
       * We test this immediately after reading an insn, which means
 -     * that any normal page must be in the TLB.  The only exception
 -     * would be for executing from flash or device memory, which
 -     * does not retain the TLB entry.
 -     *
 -     * FIXME: Assume false for those, for now.  We could use
 -     * arm_cpu_get_phys_page_attrs_debug to re-read the page
 -     * table entry even for that case.
 +     * that the TLB entry must be present and valid, and thus this
 +     * access will never raise an exception.
       */
 -    return (tlb_hit(entry->addr_code, addr) &&
 -            arm_tlb_bti_gp(&env_tlb(env)->d[mmu_idx].fulltlb[index].attrs));
 +    flags = probe_access_full(env, addr, MMU_INST_FETCH, mmu_idx,
 +                              false, &host, &full, 0);
 +    assert(!(flags & TLB_INVALID_MASK));
 +
 +    return full->guarded;
  #endif
+ }
-+void aa32_max_features(ARMCPU *cpu);
 +
  #endif
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
      uint64_t t;
 -    uint32_t u;
      if (kvm_enabled() || hvf_enabled()) {
          /* With KVM or HVF, '-cpu max' is identical to '-cpu host' */
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);
      cpu->isar.id_aa64zfr0 = t;
 -    /* Replicate the same data to the 32-bit id registers.  */
 -    u = cpu->isar.id_isar5;
 -    u = FIELD_DP32(u, ID_ISAR5, AES, 2); /* AES + PMULL */
 -    u = FIELD_DP32(u, ID_ISAR5, SHA1, 1);
 -    u = FIELD_DP32(u, ID_ISAR5, SHA2, 1);
 -    u = FIELD_DP32(u, ID_ISAR5, CRC32, 1);
 -    u = FIELD_DP32(u, ID_ISAR5, RDM, 1);
 -    u = FIELD_DP32(u, ID_ISAR5, VCMA, 1);
 -    cpu->isar.id_isar5 = u;
 -
 -    u = cpu->isar.id_isar6;
 -    u = FIELD_DP32(u, ID_ISAR6, JSCVT, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, DP, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, FHM, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, SB, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, SPECRES, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, BF16, 1);
 -    u = FIELD_DP32(u, ID_ISAR6, I8MM, 1);
 -    cpu->isar.id_isar6 = u;
 -
 -    u = cpu->isar.id_pfr0;
 -    u = FIELD_DP32(u, ID_PFR0, DIT, 1);
 -    cpu->isar.id_pfr0 = u;
 -
 -    u = cpu->isar.id_pfr2;
 -    u = FIELD_DP32(u, ID_PFR2, SSBS, 1);
 -    cpu->isar.id_pfr2 = u;
 -
 -    u = cpu->isar.id_mmfr3;
 -    u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
 -    cpu->isar.id_mmfr3 = u;
 -
 -    u = cpu->isar.id_mmfr4;
 -    u = FIELD_DP32(u, ID_MMFR4, HPDS, 1); /* AA32HPD */
 -    u = FIELD_DP32(u, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
 -    u = FIELD_DP32(u, ID_MMFR4, CNP, 1); /* TTCNP */
 -    u = FIELD_DP32(u, ID_MMFR4, XNX, 1); /* TTS2UXN */
 -    cpu->isar.id_mmfr4 = u;
 -
      t = cpu->isar.id_aa64dfr0;
      t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
      cpu->isar.id_aa64dfr0 = t;
 -    u = cpu->isar.id_dfr0;
 -    u = FIELD_DP32(u, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
 -    cpu->isar.id_dfr0 = u;
 -
 -    u = cpu->isar.mvfr1;
 -    u = FIELD_DP32(u, MVFR1, FPHP, 3);      /* v8.2-FP16 */
 -    u = FIELD_DP32(u, MVFR1, SIMDHP, 2);    /* v8.2-FP16 */
 -    cpu->isar.mvfr1 = u;
 +    /* Replicate the same data to the 32-bit id registers.  */
 +    aa32_max_features(cpu);
  #ifdef CONFIG_USER_ONLY
      /*
 diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu_tcg.c
 +++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
  #endif
  #include "cpregs.h"
 +
 +/* Share AArch32 -cpu max features with AArch64. */
 +void aa32_max_features(ARMCPU *cpu)
 +{
 +    uint32_t t;
 +
 +    /* Add additional features supported by QEMU */
 +    t = cpu->isar.id_isar5;
 +    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
 +    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
 +    cpu->isar.id_isar5 = t;
 +
 +    t = cpu->isar.id_isar6;
 +    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
 +    cpu->isar.id_isar6 = t;
 +
 +    t = cpu->isar.mvfr1;
 +    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
 +    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
 +    cpu->isar.mvfr1 = t;
 +
 +    t = cpu->isar.mvfr2;
 +    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
 +    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 +    cpu->isar.mvfr2 = t;
 +
 +    t = cpu->isar.id_mmfr3;
 +    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
 +    cpu->isar.id_mmfr3 = t;
 +
 +    t = cpu->isar.id_mmfr4;
 +    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
 +    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
 +    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
 +    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
 +    cpu->isar.id_mmfr4 = t;
 +
 +    t = cpu->isar.id_pfr0;
 +    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
 +    cpu->isar.id_pfr0 = t;
 +
 +    t = cpu->isar.id_pfr2;
 +    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
 +    cpu->isar.id_pfr2 = t;
 +
 +    t = cpu->isar.id_dfr0;
 +    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
 +    cpu->isar.id_dfr0 = t;
 +}
 +
  #ifndef CONFIG_USER_ONLY
  static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
@@ -XXX,XX +XXX,XX @@ static void arm_v7m_class_init(ObjectClass *oc, void *data)
  static void arm_max_initfn(Object *obj)
  {
      ARMCPU *cpu = ARM_CPU(obj);
 -    uint32_t t;
      /* aarch64_a57_initfn, advertising none of the aarch64 features */
      cpu->dtb_compatible = "arm,cortex-a57";
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
      cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
      define_cortex_a72_a57_a53_cp_reginfo(cpu);
 -    /* Add additional features supported by QEMU */
 -    t = cpu->isar.id_isar5;
 -    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
 -    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
 -    cpu->isar.id_isar5 = t;
 -
 -    t = cpu->isar.id_isar6;
 -    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
 -    cpu->isar.id_isar6 = t;
 -
 -    t = cpu->isar.mvfr1;
 -    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
 -    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
 -    cpu->isar.mvfr1 = t;
 -
 -    t = cpu->isar.mvfr2;
 -    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
 -    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 -    cpu->isar.mvfr2 = t;
 -
 -    t = cpu->isar.id_mmfr3;
 -    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
 -    cpu->isar.id_mmfr3 = t;
 -
 -    t = cpu->isar.id_mmfr4;
 -    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
 -    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
 -    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
 -    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
 -    cpu->isar.id_mmfr4 = t;
 -
 -    t = cpu->isar.id_pfr0;
 -    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
 -    cpu->isar.id_pfr0 = t;
 -
 -    t = cpu->isar.id_pfr2;
 -    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
 -    cpu->isar.id_pfr2 = t;
 -
 -    t = cpu->isar.id_dfr0;
 -    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
 -    cpu->isar.id_dfr0 = t;
 +    aa32_max_features(cpu);
  #ifdef CONFIG_USER_ONLY
      /*
 --
 .25.1

-[PULL 21/32] target/arm: Enable FEAT_CSV2_2 for -cpu max
+[PULL 06/24] target/arm: Add ARMMMUIdx_Phys_{S,NS}
 From: Richard Henderson <richard.henderson@linaro.org>
-There is no branch prediction in TCG, therefore there is no
+Not yet used, but add mmu indexes for 1-1 mapping
-need to actually include the context number into the predictor.
+to physical addresses.
 Therefore all we need to do is add the state for SCXTNUM_ELx.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-21-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst |  3 ++
+ target/arm/cpu-param.h |  2 +-
- target/arm/cpu.h              | 16 +++++++++
+ target/arm/cpu.h       |  7 ++++++-
- target/arm/cpu.c              |  5 +++
+ target/arm/ptw.c       | 19 +++++++++++++++++--
- target/arm/cpu64.c            |  3 +-
+files changed, 24 insertions(+), 4 deletions(-)
  target/arm/helper.c           | 61 ++++++++++++++++++++++++++++++++++-
 files changed, 86 insertions(+), 2 deletions(-)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
+--- a/target/arm/cpu-param.h
-+++ b/docs/system/arm/emulation.rst
++++ b/target/arm/cpu-param.h
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+@@ -XXX,XX +XXX,XX @@
- - FEAT_BF16 (AArch64 BFloat16 instructions)
+     bool guarded;
- - FEAT_BTI (Branch Target Identification)
+ #endif
- - FEAT_CSV2 (Cache speculation variant 2)
-+- FEAT_CSV2_1p1 (Cache speculation variant 2, version 1.1)
+-#define NB_MMU_MODES 8
-+- FEAT_CSV2_1p2 (Cache speculation variant 2, version 1.2)
++#define NB_MMU_MODES 10
-+- FEAT_CSV2_2 (Cache speculation variant 2, version 2)
- - FEAT_DIT (Data Independent Timing instructions)
+ #endif
  - FEAT_DPB (DC CVAP instruction)
  - FEAT_Debugv8p2 (Debug changes for v8.2)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
+@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
-         ARMPACKey apdb;
+  * EL2 EL2&0 +PAN
-         ARMPACKey apga;
+  * EL2 (aka NS PL2)
-     } keys;
+  * EL3 (aka S PL1)
 + * Physical (NS & S)
   *
 - * for a total of 8 different mmu_idx.
 + * for a total of 10 different mmu_idx.
   *
   * R profile CPUs have an MPU, but can use the same set of MMU indexes
   * as A profile. They only need to distinguish EL0 and EL1 (and
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
      ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
      ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
 +    /* TLBs with 1-1 mapping to the physical address spaces. */
 +    ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
 +    ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
 +
-+    uint64_t scxtnum_el[4];
+     /*
- #endif
+      * These are not allocated TLBs and are used only for AT system
+      * instructions or for the first stage of an S12 page table walk.
- #if defined(CONFIG_USER_ONLY)
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ void pmu_init(ARMCPU *cpu);
+index XXXXXXX..XXXXXXX 100644
- #define SCTLR_WXN     (1U << 19)
+--- a/target/arm/ptw.c
- #define SCTLR_ST      (1U << 20) /* up to ??, RAZ in v6 */
++++ b/target/arm/ptw.c
- #define SCTLR_UWXN    (1U << 20) /* v7 onward, AArch32 only */
+@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
-+#define SCTLR_TSCXT   (1U << 20) /* FEAT_CSV2_1p2, AArch64 only */
+     case ARMMMUIdx_E3:
- #define SCTLR_FI      (1U << 21) /* up to v7, v8 RES0 */
+         break;
- #define SCTLR_IESB    (1U << 21) /* v8.2-IESB, AArch64 only */
- #define SCTLR_U       (1U << 22) /* up to v6, RAO in v7 */
++    case ARMMMUIdx_Phys_NS:
-@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_dit(const ARMISARegisters *id)
++    case ARMMMUIdx_Phys_S:
-     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, DIT) != 0;
++        /* No translation for physical address spaces. */
- }
++        return true;
 +static inline bool isar_feature_aa64_scxtnum(const ARMISARegisters *id)
 +{
 +    int key = FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, CSV2);
 +    if (key >= 2) {
 +        return true;      /* FEAT_CSV2_2 */
 +    }
 +    if (key == 1) {
 +        key = FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, CSV2_FRAC);
 +        return key >= 2;  /* FEAT_CSV2_1p2 */
 +    }
 +    return false;
 +}
 +
- static inline bool isar_feature_aa64_ssbs(const ARMISARegisters *id)
+     default:
          g_assert_not_reached();
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
  {
-     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, SSBS) != 0;
+     uint8_t memattr = 0x00;    /* Device nGnRnE */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+     uint8_t shareability = 0;  /* non-sharable */
-index XXXXXXX..XXXXXXX 100644
++    int r_el;
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
+-    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
+-        int r_el = regime_el(env, mmu_idx);
-              */
++    switch (mmu_idx) {
-             env->cp15.gcr_el1 = 0x1ffff;
++    case ARMMMUIdx_Stage2:
 +    case ARMMMUIdx_Stage2_S:
 +    case ARMMMUIdx_Phys_NS:
 +    case ARMMMUIdx_Phys_S:
 +        break;
 +    default:
 +        r_el = regime_el(env, mmu_idx);
          if (arm_el_is_aa64(env, r_el)) {
              int pamax = arm_pamax(env_archcpu(env));
              uint64_t tcr = env->cp15.tcr_el[r_el];
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
              shareability = 2; /* outer sharable */
          }
-+        /*
+         result->cacheattrs.is_s2_format = false;
-+         * Disable access to SCXTNUM_EL0 from CSV2_1p2.
++        break;
 +         * This is not yet exposed from the Linux kernel in any way.
 +         */
 +        env->cp15.sctlr_el[1] |= SCTLR_TSCXT;
  #else
          /* Reset into the highest available EL */
          if (arm_feature(env, ARM_FEATURE_EL3)) {
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
      t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
      t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
 -    t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 1);      /* FEAT_CSV2 */
 +    t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 2);      /* FEAT_CSV2_2 */
      cpu->isar.id_aa64pfr0 = t;
      t = cpu->isar.id_aa64pfr1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
       * we do for EL2 with the virtualization=on property.
       */
      t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
 +    t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
      cpu->isar.id_aa64pfr1 = t;
      t = cpu->isar.id_aa64mmfr0;
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          if (cpu_isar_feature(aa64_mte, cpu)) {
              valid_mask |= SCR_ATA;
          }
 +        if (cpu_isar_feature(aa64_scxtnum, cpu)) {
 +            valid_mask |= SCR_ENSCXT;
 +        }
      } else {
          valid_mask &= ~(SCR_RW | SCR_ST);
          if (cpu_isar_feature(aa32_ras, cpu)) {
@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
          if (cpu_isar_feature(aa64_mte, cpu)) {
              valid_mask |= HCR_ATA | HCR_DCT | HCR_TID5;
          }
 +        if (cpu_isar_feature(aa64_scxtnum, cpu)) {
 +            valid_mask |= HCR_ENSCXT;
 +        }
      }
-     /* Clear RES0 bits.  */
+     result->f.phys_addr = address;
-@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-         { K(3, 0,  5, 6, 0), K(3, 4,  5, 6, 0), K(3, 5, 5, 6, 0),
+         is_secure = arm_is_secure_below_el3(env);
-           "TFSR_EL1", "TFSR_EL2", "TFSR_EL12", isar_feature_aa64_mte },
+         break;
+     case ARMMMUIdx_Stage2:
-+        { K(3, 0, 13, 0, 7), K(3, 4, 13, 0, 7), K(3, 5, 13, 0, 7),
++    case ARMMMUIdx_Phys_NS:
-+          "SCXTNUM_EL1", "SCXTNUM_EL2", "SCXTNUM_EL12",
+     case ARMMMUIdx_MPrivNegPri:
-+          isar_feature_aa64_scxtnum },
+     case ARMMMUIdx_MUserNegPri:
-+
+     case ARMMMUIdx_MPriv:
-         /* TODO: ARMv8.2-SPE -- PMSCR_EL2 */
+@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
-         /* TODO: ARMv8.4-Trace -- TRFCR_EL2 */
+         break;
-     };
+     case ARMMMUIdx_E3:
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
+     case ARMMMUIdx_Stage2_S:
-     },
++    case ARMMMUIdx_Phys_S:
- };
+     case ARMMMUIdx_MSPrivNegPri:
+     case ARMMMUIdx_MSUserNegPri:
--#endif
+     case ARMMMUIdx_MSPriv:
 +static CPAccessResult access_scxtnum(CPUARMState *env, const ARMCPRegInfo *ri,
 +                                     bool isread)
 +{
 +    uint64_t hcr = arm_hcr_el2_eff(env);
 +    int el = arm_current_el(env);
 +
 +    if (el == 0 && !((hcr & HCR_E2H) && (hcr & HCR_TGE))) {
 +        if (env->cp15.sctlr_el[1] & SCTLR_TSCXT) {
 +            if (hcr & HCR_TGE) {
 +                return CP_ACCESS_TRAP_EL2;
 +            }
 +            return CP_ACCESS_TRAP;
 +        }
 +    } else if (el < 2 && (env->cp15.sctlr_el[2] & SCTLR_TSCXT)) {
 +        return CP_ACCESS_TRAP_EL2;
 +    }
 +    if (el < 2 && arm_is_el2_enabled(env) && !(hcr & HCR_ENSCXT)) {
 +        return CP_ACCESS_TRAP_EL2;
 +    }
 +    if (el < 3
 +        && arm_feature(env, ARM_FEATURE_EL3)
 +        && !(env->cp15.scr_el3 & SCR_ENSCXT)) {
 +        return CP_ACCESS_TRAP_EL3;
 +    }
 +    return CP_ACCESS_OK;
 +}
 +
 +static const ARMCPRegInfo scxtnum_reginfo[] = {
 +    { .name = "SCXTNUM_EL0", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 7,
 +      .access = PL0_RW, .accessfn = access_scxtnum,
 +      .fieldoffset = offsetof(CPUARMState, scxtnum_el[0]) },
 +    { .name = "SCXTNUM_EL1", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 7,
 +      .access = PL1_RW, .accessfn = access_scxtnum,
 +      .fieldoffset = offsetof(CPUARMState, scxtnum_el[1]) },
 +    { .name = "SCXTNUM_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 7,
 +      .access = PL2_RW, .accessfn = access_scxtnum,
 +      .fieldoffset = offsetof(CPUARMState, scxtnum_el[2]) },
 +    { .name = "SCXTNUM_EL3", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 7,
 +      .access = PL3_RW,
 +      .fieldoffset = offsetof(CPUARMState, scxtnum_el[3]) },
 +};
 +#endif /* TARGET_AARCH64 */
  static CPAccessResult access_predinv(CPUARMState *env, const ARMCPRegInfo *ri,
                                       bool isread)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
          define_arm_cp_regs(cpu, mte_tco_ro_reginfo);
          define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo);
      }
 +
 +    if (cpu_isar_feature(aa64_scxtnum, cpu)) {
 +        define_arm_cp_regs(cpu, scxtnum_reginfo);
 +    }
  #endif
      if (cpu_isar_feature(any_predinv, cpu)) {
 --
 .25.1

-[PULL 02/32] target/arm: Handle cpreg registration for missing EL
+[PULL 07/24] target/arm: Move ARMMMUIdx_Stage2 to a real tlb mmu_idx
 From: Richard Henderson <richard.henderson@linaro.org>
-More gracefully handle cpregs when EL2 and/or EL3 are missing.
+We had been marking this ARM_MMU_IDX_NOTLB, move it to a real tlb.
-If the reg is entirely inaccessible, do not register it at all.
+Flush the tlb when invalidating stage 1+2 translations.  Re-use
-If the reg is for EL2, and EL3 is present but EL2 is not,
+alle1_tlbmask() for other instances of EL1&0 + Stage2.
 either discard, squash to res0, const, or keep unchanged.
-Per rule RJFFP, mark the 4 aarch32 hypervisor access registers
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 with ARM_CP_EL3_NO_EL2_KEEP, and mark all of the EL2 address
 translation and tlb invalidation "regs" ARM_CP_EL3_NO_EL2_UNDEF.
 Mark the 2 virtualization processor id regs ARM_CP_EL3_NO_EL2_C_NZ.
 This will simplify cpreg registration for conditional arm features.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221011031911.2408754-6-richard.henderson@linaro.org
 Message-id: 20220506180242.216785-2-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpregs.h |  11 +++
+ target/arm/cpu-param.h |   2 +-
- target/arm/helper.c | 178 ++++++++++++++++++++++++++++++--------------
+ target/arm/cpu.h       |  23 ++++---
-files changed, 133 insertions(+), 56 deletions(-)
+ target/arm/helper.c    | 151 ++++++++++++++++++++++++++++++-----------
 files changed, 127 insertions(+), 49 deletions(-)
-diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpregs.h
+--- a/target/arm/cpu-param.h
-+++ b/target/arm/cpregs.h
++++ b/target/arm/cpu-param.h
-@@ -XXX,XX +XXX,XX @@ enum {
+@@ -XXX,XX +XXX,XX @@
-     ARM_CP_SVE                   = 1 << 14,
+     bool guarded;
-     /* Flag: Do not expose in gdb sysreg xml. */
+ #endif
-     ARM_CP_NO_GDB                = 1 << 15,
 -#define NB_MMU_MODES 10
 +#define NB_MMU_MODES 12
  #endif
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
   * EL2 (aka NS PL2)
   * EL3 (aka S PL1)
   * Physical (NS & S)
 + * Stage2 (NS & S)
   *
 - * for a total of 10 different mmu_idx.
 + * for a total of 12 different mmu_idx.
   *
   * R profile CPUs have an MPU, but can use the same set of MMU indexes
   * as A profile. They only need to distinguish EL0 and EL1 (and
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
      ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
      ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
 +    /*
-+     * Flags: If EL3 but not EL2...
++     * Used for second stage of an S12 page table walk, or for descriptor
-+     *   - UNDEF: discard the cpreg,
++     * loads during first stage of an S1 page table walk.  Note that both
-+     *   -  KEEP: retain the cpreg as is,
++     * are in use simultaneously for SecureEL2: the security state for
-+     *   -  C_NZ: set const on the cpreg, but retain resetvalue,
++     * the S2 ptw is selected by the NS bit from the S1 ptw.
 +     *   -  else: set const on the cpreg, zero resetvalue, aka RES0.
 +     * See rule RJFFP in section D1.1.3 of DDI0487H.a.
 +     */
-+    ARM_CP_EL3_NO_EL2_UNDEF      = 1 << 16,
++    ARMMMUIdx_Stage2    = 10 | ARM_MMU_IDX_A,
-+    ARM_CP_EL3_NO_EL2_KEEP       = 1 << 17,
++    ARMMMUIdx_Stage2_S  = 11 | ARM_MMU_IDX_A,
-+    ARM_CP_EL3_NO_EL2_C_NZ       = 1 << 18,
++
- };
+     /*
+      * These are not allocated TLBs and are used only for AT system
- /*
+      * instructions or for the first stage of an S12 page table walk.
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
      ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
      ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
      ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
 -    /*
 -     * Not allocated a TLB: used only for second stage of an S12 page
 -     * table walk, or for descriptor loads during first stage of an S1
 -     * page table walk. Note that if we ever want to have a TLB for this
 -     * then various TLB flush insns which currently are no-ops or flush
 -     * only stage 1 MMU indexes will need to change to flush stage 2.
 -     */
 -    ARMMMUIdx_Stage2     = 3 | ARM_MMU_IDX_NOTLB,
 -    ARMMMUIdx_Stage2_S   = 4 | ARM_MMU_IDX_NOTLB,
      /*
       * M-profile.
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit {
      TO_CORE_BIT(E20_2),
      TO_CORE_BIT(E20_2_PAN),
      TO_CORE_BIT(E3),
 +    TO_CORE_BIT(Stage2),
 +    TO_CORE_BIT(Stage2_S),
      TO_CORE_BIT(MUser),
      TO_CORE_BIT(MPriv),
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
+@@ -XXX,XX +XXX,XX @@ static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     raw_write(env, ri, value);
+ }
++static int alle1_tlbmask(CPUARMState *env)
++{
++    /*
++     * Note that the 'ALL' scope must invalidate both stage 1 and
++     * stage 2 translations, whereas most other scopes only invalidate
++     * stage 1 translations.
++     */
++    return (ARMMMUIdxBit_E10_1 |
++            ARMMMUIdxBit_E10_1_PAN |
++            ARMMMUIdxBit_E10_0 |
++            ARMMMUIdxBit_Stage2 |
++            ARMMMUIdxBit_Stage2_S);
++}
++
++
+ /* IS variants of TLB operations must affect all cores */
+ static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+@@ -XXX,XX +XXX,XX @@ static void tlbiall_nsnh_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     CPUState *cs = env_cpu(env);
+-    tlb_flush_by_mmuidx(cs,
+-                        ARMMMUIdxBit_E10_1 |
+-                        ARMMMUIdxBit_E10_1_PAN |
+-                        ARMMMUIdxBit_E10_0);
++    tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
+ }
+ static void tlbiall_nsnh_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void tlbiall_nsnh_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+ {
+     CPUState *cs = env_cpu(env);
+-    tlb_flush_by_mmuidx_all_cpus_synced(cs,
+-                                        ARMMMUIdxBit_E10_1 |
+-                                        ARMMMUIdxBit_E10_1_PAN |
+-                                        ARMMMUIdxBit_E10_0);
++    tlb_flush_by_mmuidx_all_cpus_synced(cs, alle1_tlbmask(env));
+ }
+@@ -XXX,XX +XXX,XX @@ static void tlbimva_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                              ARMMMUIdxBit_E2);
+ }
++static void tlbiipas2_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                                uint64_t value)
++{
++    CPUState *cs = env_cpu(env);
++    uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12;
++
++    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_Stage2);
++}
++
++static void tlbiipas2is_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                                uint64_t value)
++{
++    CPUState *cs = env_cpu(env);
++    uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12;
++
++    tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, ARMMMUIdxBit_Stage2);
++}
++
+ static const ARMCPRegInfo cp_reginfo[] = {
+     /* Define the secure and non-secure FCSE identifier CP registers
+      * separately because there is no secure bank in V8 (no _EL3).  This allows
+@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     /*
+      * A change in VMID to the stage2 page table (Stage2) invalidates
+-     * the combined stage 1&2 tlbs (EL10_1 and EL10_0).
++     * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0).
+      */
+     if (raw_read(env, ri) != value) {
+-        uint16_t mask = ARMMMUIdxBit_E10_1 |
+-                        ARMMMUIdxBit_E10_1_PAN |
+-                        ARMMMUIdxBit_E10_0;
+-        tlb_flush_by_mmuidx(cs, mask);
++        tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
+         raw_write(env, ri, value);
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+     }
+ }
+-static int alle1_tlbmask(CPUARMState *env)
+-{
+-    /*
+-     * Note that the 'ALL' scope must invalidate both stage 1 and
+-     * stage 2 translations, whereas most other scopes only invalidate
+-     * stage 1 translations.
+-     */
+-    return (ARMMMUIdxBit_E10_1 |
+-            ARMMMUIdxBit_E10_1_PAN |
+-            ARMMMUIdxBit_E10_0);
+-}
+-
+ static int e2_tlbmask(CPUARMState *env)
+ {
+     return (ARMMMUIdxBit_E20_0 |
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                                   ARMMMUIdxBit_E3, bits);
+ }
++static int ipas2e1_tlbmask(CPUARMState *env, int64_t value)
++{
++    /*
++     * The MSB of value is the NS field, which only applies if SEL2
++     * is implemented and SCR_EL3.NS is not set (i.e. in secure mode).
++     */
++    return (value >= 0
++            && cpu_isar_feature(aa64_sel2, env_archcpu(env))
++            && arm_is_secure_below_el3(env)
++            ? ARMMMUIdxBit_Stage2_S
++            : ARMMMUIdxBit_Stage2);
++}
++
++static void tlbi_aa64_ipas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                                    uint64_t value)
++{
++    CPUState *cs = env_cpu(env);
++    int mask = ipas2e1_tlbmask(env, value);
++    uint64_t pageaddr = sextract64(value << 12, 0, 56);
++
++    if (tlb_force_broadcast(env)) {
++        tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask);
++    } else {
++        tlb_flush_page_by_mmuidx(cs, pageaddr, mask);
++    }
++}
++
++static void tlbi_aa64_ipas2e1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                                      uint64_t value)
++{
++    CPUState *cs = env_cpu(env);
++    int mask = ipas2e1_tlbmask(env, value);
++    uint64_t pageaddr = sextract64(value << 12, 0, 56);
++
++    tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask);
++}
++
+ #ifdef TARGET_AARCH64
+ typedef struct {
+     uint64_t base;
+@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3is_write(CPUARMState *env,
+     do_rvae_write(env, value, ARMMMUIdxBit_E3, true);
+ }
++
++static void tlbi_aa64_ripas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
++                                     uint64_t value)
++{
++    do_rvae_write(env, value, ipas2e1_tlbmask(env, value),
++                  tlb_force_broadcast(env));
++}
++
++static void tlbi_aa64_ripas2e1is_write(CPUARMState *env,
++                                       const ARMCPRegInfo *ri,
++                                       uint64_t value)
++{
++    do_rvae_write(env, value, ipas2e1_tlbmask(env, value), true);
++}
+ #endif
+ static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri,
 @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
-       .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write },
+       .writefn = tlbi_aa64_vae1_write },
-     { .name = "FPEXC32_EL2", .state = ARM_CP_STATE_AA64,
+     { .name = "TLBI_IPAS2E1IS", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 3, .opc2 = 0,
+       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1,
--      .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_FPU,
+-      .access = PL2_W, .type = ARM_CP_NOP },
-+      .access = PL2_RW,
++      .access = PL2_W, .type = ARM_CP_NO_RAW,
-+      .type = ARM_CP_ALIAS | ARM_CP_FPU | ARM_CP_EL3_NO_EL2_KEEP,
++      .writefn = tlbi_aa64_ipas2e1is_write },
-       .fieldoffset = offsetof(CPUARMState, vfp.xregs[ARM_VFP_FPEXC]) },
+     { .name = "TLBI_IPAS2LE1IS", .state = ARM_CP_STATE_AA64,
-     { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64,
+       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5,
-       .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0,
+-      .access = PL2_W, .type = ARM_CP_NOP },
--      .access = PL2_RW, .resetvalue = 0,
++      .access = PL2_W, .type = ARM_CP_NO_RAW,
-+      .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
++      .writefn = tlbi_aa64_ipas2e1is_write },
-       .writefn = dacr_write, .raw_writefn = raw_write,
+     { .name = "TLBI_ALLE1IS", .state = ARM_CP_STATE_AA64,
-       .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) },
+       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 4,
-     { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64,
+       .access = PL2_W, .type = ARM_CP_NO_RAW,
-       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1,
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
--      .access = PL2_RW, .resetvalue = 0,
+       .writefn = tlbi_aa64_alle1is_write },
-+      .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
+     { .name = "TLBI_IPAS2E1", .state = ARM_CP_STATE_AA64,
-       .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) },
+       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1,
-     { .name = "SPSR_IRQ", .state = ARM_CP_STATE_AA64,
+-      .access = PL2_W, .type = ARM_CP_NOP },
-       .type = ARM_CP_ALIAS,
++      .access = PL2_W, .type = ARM_CP_NO_RAW,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
++      .writefn = tlbi_aa64_ipas2e1_write },
      { .name = "TLBI_IPAS2LE1", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NOP },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_ipas2e1_write },
      { .name = "TLBI_ALLE1", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 4,
        .access = PL2_W, .type = ARM_CP_NO_RAW,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
        .writefn = tlbimva_hyp_is_write },
-     { .name = "TLBI_ALLE2", .state = ARM_CP_STATE_AA64,
+     { .name = "TLBIIPAS2",
-       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 0,
+       .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1,
--      .type = ARM_CP_NO_RAW, .access = PL2_W,
+-      .type = ARM_CP_NOP, .access = PL2_W },
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
++      .type = ARM_CP_NO_RAW, .access = PL2_W,
-       .writefn = tlbi_aa64_alle2_write },
++      .writefn = tlbiipas2_hyp_write },
-     { .name = "TLBI_VAE2", .state = ARM_CP_STATE_AA64,
+     { .name = "TLBIIPAS2IS",
-       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 1,
+       .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1,
--      .type = ARM_CP_NO_RAW, .access = PL2_W,
+-      .type = ARM_CP_NOP, .access = PL2_W },
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
++      .type = ARM_CP_NO_RAW, .access = PL2_W,
-       .writefn = tlbi_aa64_vae2_write },
++      .writefn = tlbiipas2is_hyp_write },
-     { .name = "TLBI_VALE2", .state = ARM_CP_STATE_AA64,
+     { .name = "TLBIIPAS2L",
-       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5,
+       .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5,
--      .access = PL2_W, .type = ARM_CP_NO_RAW,
+-      .type = ARM_CP_NOP, .access = PL2_W },
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
++      .type = ARM_CP_NO_RAW, .access = PL2_W,
-       .writefn = tlbi_aa64_vae2_write },
++      .writefn = tlbiipas2_hyp_write },
-     { .name = "TLBI_ALLE2IS", .state = ARM_CP_STATE_AA64,
+     { .name = "TLBIIPAS2LIS",
-       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 0,
+       .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5,
--      .access = PL2_W, .type = ARM_CP_NO_RAW,
+-      .type = ARM_CP_NOP, .access = PL2_W },
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
++      .type = ARM_CP_NO_RAW, .access = PL2_W,
-       .writefn = tlbi_aa64_alle2is_write },
++      .writefn = tlbiipas2is_hyp_write },
-     { .name = "TLBI_VAE2IS", .state = ARM_CP_STATE_AA64,
+     /* 32 bit cache operations */
-       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1,
+     { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
--      .type = ARM_CP_NO_RAW, .access = PL2_W,
+       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_vae2is_write },
      { .name = "TLBI_VALE2IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_vae2is_write },
  #ifndef CONFIG_USER_ONLY
      /* Unlike the other EL2-related AT operations, these must
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
      { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
 +      .writefn = ats_write64 },
      { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
        .access = PL2_W, .accessfn = at_s1e2_access,
 -      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
 +      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
 +      .writefn = ats_write64 },
      /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
       * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
       * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
      { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,
        .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,
        .access = PL2_RW, .accessfn = access_tda,
 -      .type = ARM_CP_NOP },
 +      .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },
      /* Dummy MDCCINT_EL1, since we don't implement the Debug Communications
       * Channel but Linux may try to access this register. The 32-bit
       * alias is DBGDCCINT.
 @@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
-       .access = PL2_W, .type = ARM_CP_NOP },
+       .writefn = tlbi_aa64_rvae1_write },
      { .name = "TLBI_RIPAS2E1IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 2,
 -      .access = PL2_W, .type = ARM_CP_NOP },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_ripas2e1is_write },
      { .name = "TLBI_RIPAS2LE1IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 6,
 -      .access = PL2_W, .type = ARM_CP_NOP },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_ripas2e1is_write },
      { .name = "TLBI_RVAE2IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 1,
--      .access = PL2_W, .type = ARM_CP_NO_RAW,
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
-+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
        .writefn = tlbi_aa64_rvae2is_write },
     { .name = "TLBI_RVALE2IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_rvae2is_write },
      { .name = "TLBI_RIPAS2E1", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 2,
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
+-      .access = PL2_W, .type = ARM_CP_NOP },
-       .access = PL2_W, .type = ARM_CP_NOP },
+-   { .name = "TLBI_RIPAS2LE1", .state = ARM_CP_STATE_AA64,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_ripas2e1_write },
 +    { .name = "TLBI_RIPAS2LE1", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 6,
 -      .access = PL2_W, .type = ARM_CP_NOP },
 +      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .writefn = tlbi_aa64_ripas2e1_write },
     { .name = "TLBI_RVAE2OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 1,
--      .access = PL2_W, .type = ARM_CP_NO_RAW,
+       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_rvae2is_write },
     { .name = "TLBI_RVALE2OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_rvae2is_write },
      { .name = "TLBI_RVAE2", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 1,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_rvae2_write },
     { .name = "TLBI_RVALE2", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_rvae2_write },
     { .name = "TLBI_RVAE3IS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 2, .opc2 = 1,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
        .writefn = tlbi_aa64_vae1is_write },
      { .name = "TLBI_ALLE2OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 0,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_alle2is_write },
      { .name = "TLBI_VAE2OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 1,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_vae2is_write },
     { .name = "TLBI_ALLE1OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 4,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
        .writefn = tlbi_aa64_alle1is_write },
      { .name = "TLBI_VALE2OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 5,
 -      .access = PL2_W, .type = ARM_CP_NO_RAW,
 +      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
        .writefn = tlbi_aa64_vae2is_write },
      { .name = "TLBI_VMALLS12E1OS", .state = ARM_CP_STATE_AA64,
        .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 6,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
              { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
                .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
                .access = PL2_RW, .accessfn = access_el3_aa32ns,
 -              .resetvalue = cpu->midr, .type = ARM_CP_ALIAS,
 +              .resetvalue = cpu->midr,
 +              .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
                .fieldoffset = offsetoflow32(CPUARMState, cp15.vpidr_el2) },
              { .name = "VPIDR_EL2", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
                .access = PL2_RW, .resetvalue = cpu->midr,
 +              .type = ARM_CP_EL3_NO_EL2_C_NZ,
                .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
              { .name = "VMPIDR", .state = ARM_CP_STATE_AA32,
                .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
                .access = PL2_RW, .accessfn = access_el3_aa32ns,
 -              .resetvalue = vmpidr_def, .type = ARM_CP_ALIAS,
 +              .resetvalue = vmpidr_def,
 +              .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
                .fieldoffset = offsetoflow32(CPUARMState, cp15.vmpidr_el2) },
              { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_AA64,
                .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
 -              .access = PL2_RW,
 -              .resetvalue = vmpidr_def,
 +              .access = PL2_RW, .resetvalue = vmpidr_def,
 +              .type = ARM_CP_EL3_NO_EL2_C_NZ,
                .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
          };
          define_arm_cp_regs(cpu, vpidr_regs);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
                                     int crm, int opc1, int opc2,
                                     const char *name)
  {
 +    CPUARMState *env = &cpu->env;
      uint32_t key;
      ARMCPRegInfo *r2;
      bool is64 = r->type & ARM_CP_64BIT;
      bool ns = secstate & ARM_CP_SECSTATE_NS;
      int cp = r->cp;
 -    bool isbanked;
      size_t name_len;
 +    bool make_const;
      switch (state) {
      case ARM_CP_STATE_AA32:
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
          }
      }
 +    /*
 +     * Eliminate registers that are not present because the EL is missing.
 +     * Doing this here makes it easier to put all registers for a given
 +     * feature into the same ARMCPRegInfo array and define them all at once.
 +     */
 +    make_const = false;
 +    if (arm_feature(env, ARM_FEATURE_EL3)) {
 +        /*
 +         * An EL2 register without EL2 but with EL3 is (usually) RES0.
 +         * See rule RJFFP in section D1.1.3 of DDI0487H.a.
 +         */
 +        int min_el = ctz32(r->access) / 2;
 +        if (min_el == 2 && !arm_feature(env, ARM_FEATURE_EL2)) {
 +            if (r->type & ARM_CP_EL3_NO_EL2_UNDEF) {
 +                return;
 +            }
 +            make_const = !(r->type & ARM_CP_EL3_NO_EL2_KEEP);
 +        }
 +    } else {
 +        CPAccessRights max_el = (arm_feature(env, ARM_FEATURE_EL2)
 +                                 ? PL2_RW : PL1_RW);
 +        if ((r->access & max_el) == 0) {
 +            return;
 +        }
 +    }
 +
      /* Combine cpreg and name into one allocation. */
      name_len = strlen(name) + 1;
      r2 = g_malloc(sizeof(*r2) + name_len);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
          r2->opaque = opaque;
      }
 -    isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
 -    if (isbanked) {
 +    if (make_const) {
 +        /* This should not have been a very special register to begin. */
 +        int old_special = r2->type & ARM_CP_SPECIAL_MASK;
 +        assert(old_special == 0 || old_special == ARM_CP_NOP);
          /*
 -         * Register is banked (using both entries in array).
 -         * Overwriting fieldoffset as the array is only used to define
 -         * banked registers but later only fieldoffset is used.
 +         * Set the special function to CONST, retaining the other flags.
 +         * This is important for e.g. ARM_CP_SVE so that we still
 +         * take the SVE trap if CPTR_EL3.EZ == 0.
           */
 -        r2->fieldoffset = r->bank_fieldoffsets[ns];
 -    }
 +        r2->type = (r2->type & ~ARM_CP_SPECIAL_MASK) | ARM_CP_CONST;
 +        /*
 +         * Usually, these registers become RES0, but there are a few
 +         * special cases like VPIDR_EL2 which have a constant non-zero
 +         * value with writes ignored.
 +         */
 +        if (!(r->type & ARM_CP_EL3_NO_EL2_C_NZ)) {
 +            r2->resetvalue = 0;
 +        }
 +        /*
 +         * ARM_CP_CONST has precedence, so removing the callbacks and
 +         * offsets are not strictly necessary, but it is potentially
 +         * less confusing to debug later.
 +         */
 +        r2->readfn = NULL;
 +        r2->writefn = NULL;
 +        r2->raw_readfn = NULL;
 +        r2->raw_writefn = NULL;
 +        r2->resetfn = NULL;
 +        r2->fieldoffset = 0;
 +        r2->bank_fieldoffsets[0] = 0;
 +        r2->bank_fieldoffsets[1] = 0;
 +    } else {
 +        bool isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
 -    if (state == ARM_CP_STATE_AA32) {
          if (isbanked) {
              /*
 -             * If the register is banked then we don't need to migrate or
 -             * reset the 32-bit instance in certain cases:
 -             *
 -             * 1) If the register has both 32-bit and 64-bit instances then we
 -             *    can count on the 64-bit instance taking care of the
 -             *    non-secure bank.
 -             * 2) If ARMv8 is enabled then we can count on a 64-bit version
 -             *    taking care of the secure bank.  This requires that separate
 -             *    32 and 64-bit definitions are provided.
 +             * Register is banked (using both entries in array).
 +             * Overwriting fieldoffset as the array is only used to define
 +             * banked registers but later only fieldoffset is used.
               */
 -            if ((r->state == ARM_CP_STATE_BOTH && ns) ||
 -                (arm_feature(&cpu->env, ARM_FEATURE_V8) && !ns)) {
 +            r2->fieldoffset = r->bank_fieldoffsets[ns];
 +        }
 +        if (state == ARM_CP_STATE_AA32) {
 +            if (isbanked) {
 +                /*
 +                 * If the register is banked then we don't need to migrate or
 +                 * reset the 32-bit instance in certain cases:
 +                 *
 +                 * 1) If the register has both 32-bit and 64-bit instances
 +                 *    then we can count on the 64-bit instance taking care
 +                 *    of the non-secure bank.
 +                 * 2) If ARMv8 is enabled then we can count on a 64-bit
 +                 *    version taking care of the secure bank.  This requires
 +                 *    that separate 32 and 64-bit definitions are provided.
 +                 */
 +                if ((r->state == ARM_CP_STATE_BOTH && ns) ||
 +                    (arm_feature(env, ARM_FEATURE_V8) && !ns)) {
 +                    r2->type |= ARM_CP_ALIAS;
 +                }
 +            } else if ((secstate != r->secure) && !ns) {
 +                /*
 +                 * The register is not banked so we only want to allow
 +                 * migration of the non-secure instance.
 +                 */
                  r2->type |= ARM_CP_ALIAS;
              }
 -        } else if ((secstate != r->secure) && !ns) {
 -            /*
 -             * The register is not banked so we only want to allow migration
 -             * of the non-secure instance.
 -             */
 -            r2->type |= ARM_CP_ALIAS;
 -        }
 -        if (HOST_BIG_ENDIAN &&
 -            r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
 -            r2->fieldoffset += sizeof(uint32_t);
 +            if (HOST_BIG_ENDIAN &&
 +                r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
 +                r2->fieldoffset += sizeof(uint32_t);
 +            }
          }
      }
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
       * multiple times. Special registers (ie NOP/WFI) are
       * never migratable and not even raw-accessible.
       */
 -    if (r->type & ARM_CP_SPECIAL_MASK) {
 +    if (r2->type & ARM_CP_SPECIAL_MASK) {
          r2->type |= ARM_CP_NO_RAW;
      }
      if (((r->crm == CP_ANY) && crm != 0) ||
 --
 .25.1

-[PULL 15/32] target/arm: Enable SCR and HCR bits for RAS
+[PULL 08/24] target/arm: Restrict tlb flush from vttbr_write to vmid change
 From: Richard Henderson <richard.henderson@linaro.org>
-Enable writes to the TERR and TEA bits when RAS is enabled.
+Compare only the VMID field when considering whether we need to flush.
 These bits are otherwise RES0.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221011031911.2408754-7-richard.henderson@linaro.org
 Message-id: 20220506180242.216785-15-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 9 +++++++++
+ target/arm/helper.c | 4 ++--
-file changed, 9 insertions(+)
+file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
-         }
+      * A change in VMID to the stage2 page table (Stage2) invalidates
-         valid_mask &= ~SCR_NET;
+      * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0).
+      */
-+        if (cpu_isar_feature(aa64_ras, cpu)) {
+-    if (raw_read(env, ri) != value) {
-+            valid_mask |= SCR_TERR;
++    if (extract64(raw_read(env, ri) ^ value, 48, 16) != 0) {
-+        }
+         tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
-         if (cpu_isar_feature(aa64_lor, cpu)) {
+-        raw_write(env, ri, value);
              valid_mask |= SCR_TLOR;
          }
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
          }
      } else {
          valid_mask &= ~(SCR_RW | SCR_ST);
 +        if (cpu_isar_feature(aa32_ras, cpu)) {
 +            valid_mask |= SCR_TERR;
 +        }
      }
++    raw_write(env, ri, value);
-     if (!arm_feature(env, ARM_FEATURE_EL2)) {
+ }
-@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
-         if (cpu_isar_feature(aa64_vh, cpu)) {
+ static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
              valid_mask |= HCR_E2H;
          }
 +        if (cpu_isar_feature(aa64_ras, cpu)) {
 +            valid_mask |= HCR_TERR | HCR_TEA;
 +        }
          if (cpu_isar_feature(aa64_lor, cpu)) {
              valid_mask |= HCR_TLOR;
          }
 --
 .25.1

-[PULL 22/32] target/arm: Enable FEAT_CSV3 for -cpu max
+[PULL 09/24] target/arm: Split out S1Translate type
 From: Richard Henderson <richard.henderson@linaro.org>
-This extension concerns cache speculation, which TCG does
+Consolidate most of the inputs and outputs of S1_ptw_translate
-not implement.  Thus we can trivially enable this feature.
+into a single structure.  Plumb this through arm_ld*_ptw from
 the controlling get_phys_addr_* routine.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20221011031911.2408754-8-richard.henderson@linaro.org
 Message-id: 20220506180242.216785-22-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst | 1 +
+ target/arm/ptw.c | 140 ++++++++++++++++++++++++++---------------------
- target/arm/cpu64.c            | 1 +
+file changed, 79 insertions(+), 61 deletions(-)
  target/arm/cpu_tcg.c          | 1 +
 files changed, 3 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
+--- a/target/arm/ptw.c
-+++ b/docs/system/arm/emulation.rst
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+@@ -XXX,XX +XXX,XX @@
- - FEAT_CSV2_1p1 (Cache speculation variant 2, version 1.1)
+ #include "idau.h"
- - FEAT_CSV2_1p2 (Cache speculation variant 2, version 1.2)
- - FEAT_CSV2_2 (Cache speculation variant 2, version 2)
-+- FEAT_CSV3 (Cache speculation variant 3)
+-static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
- - FEAT_DIT (Data Independent Timing instructions)
+-                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
- - FEAT_DPB (DC CVAP instruction)
+-                               bool is_secure, bool s1_is_el0,
- - FEAT_Debugv8p2 (Debug changes for v8.2)
++typedef struct S1Translate {
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++    ARMMMUIdx in_mmu_idx;
-index XXXXXXX..XXXXXXX 100644
++    bool in_secure;
---- a/target/arm/cpu64.c
++    bool out_secure;
-+++ b/target/arm/cpu64.c
++    hwaddr out_phys;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
++} S1Translate;
-     t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
++
-     t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
++static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
-     t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 2);      /* FEAT_CSV2_2 */
++                               uint64_t address,
-+    t = FIELD_DP64(t, ID_AA64PFR0, CSV3, 1);      /* FEAT_CSV3 */
++                               MMUAccessType access_type, bool s1_is_el0,
-     cpu->isar.id_aa64pfr0 = t;
+                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
+     __attribute__((nonnull));
-     t = cpu->isar.id_aa64pfr1;
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
+@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
-index XXXXXXX..XXXXXXX 100644
+ }
---- a/target/arm/cpu_tcg.c
-+++ b/target/arm/cpu_tcg.c
+ /* Translate a S1 pagetable walk through S2 if needed.  */
-@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
+-static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-     cpu->isar.id_pfr0 = t;
+-                               hwaddr addr, bool *is_secure_ptr,
+-                               ARMMMUFaultInfo *fi)
-     t = cpu->isar.id_pfr2;
++static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-+    t = FIELD_DP32(t, ID_PFR2, CSV3, 1);          /* FEAT_CSV3 */
++                             hwaddr addr, ARMMMUFaultInfo *fi)
-     t = FIELD_DP32(t, ID_PFR2, SSBS, 1);          /* FEAT_SSBS */
+ {
-     cpu->isar.id_pfr2 = t;
+-    bool is_secure = *is_secure_ptr;
 +    bool is_secure = ptw->in_secure;
      ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 -    if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
 +    if (arm_mmu_idx_is_stage1_of_2(ptw->in_mmu_idx) &&
          !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
          GetPhysAddrResult s2 = {};
 +        S1Translate s2ptw = {
 +            .in_mmu_idx = s2_mmu_idx,
 +            .in_secure = is_secure,
 +        };
          uint64_t hcr;
          int ret;
 -        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
 -                                 is_secure, false, &s2, fi);
 +        ret = get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
 +                                 false, &s2, fi);
          if (ret) {
              assert(fi->type != ARMFault_None);
              fi->s2addr = addr;
              fi->stage2 = true;
              fi->s1ptw = true;
              fi->s1ns = !is_secure;
 -            return ~0;
 +            return false;
          }
          hcr = arm_hcr_el2_eff_secstate(env, is_secure);
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
              fi->stage2 = true;
              fi->s1ptw = true;
              fi->s1ns = !is_secure;
 -            return ~0;
 +            return false;
          }
          if (arm_is_secure_below_el3(env)) {
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
              } else {
                  is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
              }
 -            *is_secure_ptr = is_secure;
          } else {
              assert(!is_secure);
          }
          addr = s2.f.phys_addr;
      }
 -    return addr;
 +
 +    ptw->out_secure = is_secure;
 +    ptw->out_phys = addr;
 +    return true;
  }
  /* All loads done in the course of a page table walk go through here. */
 -static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
 -                            ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 +static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
 +                            ARMMMUFaultInfo *fi)
  {
      CPUState *cs = env_cpu(env);
      MemTxAttrs attrs = {};
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
      AddressSpace *as;
      uint32_t data;
 -    addr = S1_ptw_translate(env, mmu_idx, addr, &is_secure, fi);
 -    attrs.secure = is_secure;
 -    as = arm_addressspace(cs, attrs);
 -    if (fi->s1ptw) {
 +    if (!S1_ptw_translate(env, ptw, addr, fi)) {
          return 0;
      }
 -    if (regime_translation_big_endian(env, mmu_idx)) {
 +    addr = ptw->out_phys;
 +    attrs.secure = ptw->out_secure;
 +    as = arm_addressspace(cs, attrs);
 +    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
          data = address_space_ldl_be(as, addr, attrs, &result);
      } else {
          data = address_space_ldl_le(as, addr, attrs, &result);
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
      return 0;
  }
 -static uint64_t arm_ldq_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
 -                            ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
 +static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
 +                            ARMMMUFaultInfo *fi)
  {
      CPUState *cs = env_cpu(env);
      MemTxAttrs attrs = {};
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
      AddressSpace *as;
      uint64_t data;
 -    addr = S1_ptw_translate(env, mmu_idx, addr, &is_secure, fi);
 -    attrs.secure = is_secure;
 -    as = arm_addressspace(cs, attrs);
 -    if (fi->s1ptw) {
 +    if (!S1_ptw_translate(env, ptw, addr, fi)) {
          return 0;
      }
 -    if (regime_translation_big_endian(env, mmu_idx)) {
 +    addr = ptw->out_phys;
 +    attrs.secure = ptw->out_secure;
 +    as = arm_addressspace(cs, attrs);
 +    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
          data = address_space_ldq_be(as, addr, attrs, &result);
      } else {
          data = address_space_ldq_le(as, addr, attrs, &result);
@@ -XXX,XX +XXX,XX @@ static int simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
      return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
  }
 -static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
 -                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                             bool is_secure, GetPhysAddrResult *result,
 -                             ARMMMUFaultInfo *fi)
 +static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
 +                             uint32_t address, MMUAccessType access_type,
 +                             GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
      int level = 1;
      uint32_t table;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
      /* Pagetable walk.  */
      /* Lookup l1 descriptor.  */
 -    if (!get_level1_table_address(env, mmu_idx, &table, address)) {
 +    if (!get_level1_table_address(env, ptw->in_mmu_idx, &table, address)) {
          /* Section translation fault if page walk is disabled by PD0 or PD1 */
          fi->type = ARMFault_Translation;
          goto do_fault;
      }
 -    desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
 +    desc = arm_ldl_ptw(env, ptw, table, fi);
      if (fi->type != ARMFault_None) {
          goto do_fault;
      }
      type = (desc & 3);
      domain = (desc >> 5) & 0x0f;
 -    if (regime_el(env, mmu_idx) == 1) {
 +    if (regime_el(env, ptw->in_mmu_idx) == 1) {
          dacr = env->cp15.dacr_ns;
      } else {
          dacr = env->cp15.dacr_s;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
              /* Fine pagetable.  */
              table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
          }
 -        desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
 +        desc = arm_ldl_ptw(env, ptw, table, fi);
          if (fi->type != ARMFault_None) {
              goto do_fault;
          }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
              g_assert_not_reached();
          }
      }
 -    result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
 +    result->f.prot = ap_to_rw_prot(env, ptw->in_mmu_idx, ap, domain_prot);
      result->f.prot |= result->f.prot ? PAGE_EXEC : 0;
      if (!(result->f.prot & (1 << access_type))) {
          /* Access permission fault.  */
@@ -XXX,XX +XXX,XX @@ do_fault:
      return true;
  }
 -static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
 -                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                             bool is_secure, GetPhysAddrResult *result,
 -                             ARMMMUFaultInfo *fi)
 +static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
 +                             uint32_t address, MMUAccessType access_type,
 +                             GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
      ARMCPU *cpu = env_archcpu(env);
 +    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
      int level = 1;
      uint32_t table;
      uint32_t desc;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
          fi->type = ARMFault_Translation;
          goto do_fault;
      }
 -    desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
 +    desc = arm_ldl_ptw(env, ptw, table, fi);
      if (fi->type != ARMFault_None) {
          goto do_fault;
      }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
          ns = extract32(desc, 3, 1);
          /* Lookup l2 entry.  */
          table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
 -        desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
 +        desc = arm_ldl_ptw(env, ptw, table, fi);
          if (fi->type != ARMFault_None) {
              goto do_fault;
          }
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
   * the WnR bit is never set (the caller must do this).
   *
   * @env: CPUARMState
 + * @ptw: Current and next stage parameters for the walk.
   * @address: virtual address to get physical address for
   * @access_type: MMU_DATA_LOAD, MMU_DATA_STORE or MMU_INST_FETCH
 - * @mmu_idx: MMU index indicating required translation regime
 - * @s1_is_el0: if @mmu_idx is ARMMMUIdx_Stage2 (so this is a stage 2 page
 - *             table walk), must be true if this is stage 2 of a stage 1+2
 + * @s1_is_el0: if @ptw->in_mmu_idx is ARMMMUIdx_Stage2
 + *             (so this is a stage 2 page table walk),
 + *             must be true if this is stage 2 of a stage 1+2
   *             walk for an EL0 access. If @mmu_idx is anything else,
   *             @s1_is_el0 is ignored.
   * @result: set on translation success,
   * @fi: set to fault info if the translation fails
   */
 -static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
 -                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                               bool is_secure, bool s1_is_el0,
 +static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
 +                               uint64_t address,
 +                               MMUAccessType access_type, bool s1_is_el0,
                                 GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
  {
      ARMCPU *cpu = env_archcpu(env);
 +    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
 +    bool is_secure = ptw->in_secure;
      /* Read an LPAE long-descriptor translation table. */
      ARMFaultType fault_type = ARMFault_Translation;
      uint32_t level;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          descaddr |= (address >> (stride * (4 - level))) & indexmask;
          descaddr &= ~7ULL;
          nstable = extract32(tableattrs, 4, 1);
 -        descriptor = arm_ldq_ptw(env, descaddr, !nstable, mmu_idx, fi);
 +        ptw->in_secure = !nstable;
 +        descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
          if (fi->type != ARMFault_None) {
              goto do_fault;
          }
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                 ARMMMUFaultInfo *fi)
  {
      ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
 +    S1Translate ptw;
      if (mmu_idx != s1_mmu_idx) {
          /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              int ret;
              bool ipa_secure, s2walk_secure;
              ARMCacheAttrs cacheattrs1;
 -            ARMMMUIdx s2_mmu_idx;
              bool is_el0;
              uint64_t hcr;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                  s2walk_secure = false;
              }
 -            s2_mmu_idx = (s2walk_secure
 -                          ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
 +            ptw.in_mmu_idx =
 +                s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +            ptw.in_secure = s2walk_secure;
              is_el0 = mmu_idx == ARMMMUIdx_E10_0;
              /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              cacheattrs1 = result->cacheattrs;
              memset(result, 0, sizeof(*result));
 -            ret = get_phys_addr_lpae(env, ipa, access_type, s2_mmu_idx,
 -                                     s2walk_secure, is_el0, result, fi);
 +            ret = get_phys_addr_lpae(env, &ptw, ipa, access_type,
 +                                     is_el0, result, fi);
              fi->s2addr = ipa;
              /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
          return get_phys_addr_disabled(env, address, access_type, mmu_idx,
                                        is_secure, result, fi);
      }
 +
 +    ptw.in_mmu_idx = mmu_idx;
 +    ptw.in_secure = is_secure;
 +
      if (regime_using_lpae_format(env, mmu_idx)) {
 -        return get_phys_addr_lpae(env, address, access_type, mmu_idx,
 -                                  is_secure, false, result, fi);
 +        return get_phys_addr_lpae(env, &ptw, address, access_type, false,
 +                                  result, fi);
      } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
 -        return get_phys_addr_v6(env, address, access_type, mmu_idx,
 -                                is_secure, result, fi);
 +        return get_phys_addr_v6(env, &ptw, address, access_type, result, fi);
      } else {
 -        return get_phys_addr_v5(env, address, access_type, mmu_idx,
 -                                is_secure, result, fi);
 +        return get_phys_addr_v5(env, &ptw, address, access_type, result, fi);
      }
  }
 --
 .25.1

-[PULL 25/32] target/arm: Define neoverse-n1
+[PULL 10/24] target/arm: Plumb debug into S1Translate
 From: Richard Henderson <richard.henderson@linaro.org>
-Enable the n1 for virt and sbsa board use.
+Before using softmmu page tables for the ptw, plumb down
 a debug parameter so that we can query page table entries
 from gdbstub without modifying cpu state.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-25-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/virt.rst |  1 +
+ target/arm/ptw.c | 55 ++++++++++++++++++++++++++++++++----------------
- hw/arm/sbsa-ref.c        |  1 +
+file changed, 37 insertions(+), 18 deletions(-)
  hw/arm/virt.c            |  1 +
  target/arm/cpu64.c       | 66 ++++++++++++++++++++++++++++++++++++++++
 files changed, 69 insertions(+)
-diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/virt.rst
+--- a/target/arm/ptw.c
-+++ b/docs/system/arm/virt.rst
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ Supported guest CPU types:
+@@ -XXX,XX +XXX,XX @@
- - ``cortex-a76`` (64-bit)
+ typedef struct S1Translate {
- - ``a64fx`` (64-bit)
+     ARMMMUIdx in_mmu_idx;
- - ``host`` (with KVM only)
+     bool in_secure;
-+- ``neoverse-n1`` (64-bit)
++    bool in_debug;
- - ``max`` (same as ``host`` for KVM; best possible emulation with TCG)
+     bool out_secure;
+     hwaddr out_phys;
- Note that the default is ``cortex-a15``, so for an AArch64 guest you must
+ } S1Translate;
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-index XXXXXXX..XXXXXXX 100644
+         S1Translate s2ptw = {
---- a/hw/arm/sbsa-ref.c
+             .in_mmu_idx = s2_mmu_idx,
-+++ b/hw/arm/sbsa-ref.c
+             .in_secure = is_secure,
-@@ -XXX,XX +XXX,XX @@ static const char * const valid_cpus[] = {
++            .in_debug = ptw->in_debug,
-     ARM_CPU_TYPE_NAME("cortex-a57"),
+         };
-     ARM_CPU_TYPE_NAME("cortex-a72"),
+         uint64_t hcr;
-     ARM_CPU_TYPE_NAME("cortex-a76"),
+         int ret;
-+    ARM_CPU_TYPE_NAME("neoverse-n1"),
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
-     ARM_CPU_TYPE_NAME("max"),
+     return 0;
  };
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const char *valid_cpus[] = {
      ARM_CPU_TYPE_NAME("cortex-a72"),
      ARM_CPU_TYPE_NAME("cortex-a76"),
      ARM_CPU_TYPE_NAME("a64fx"),
 +    ARM_CPU_TYPE_NAME("neoverse-n1"),
      ARM_CPU_TYPE_NAME("host"),
      ARM_CPU_TYPE_NAME("max"),
  };
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a76_initfn(Object *obj)
      cpu->isar.mvfr2 = 0x00000043;
  }
-+static void aarch64_neoverse_n1_initfn(Object *obj)
+-bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 -                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
 -                               bool is_secure, GetPhysAddrResult *result,
 -                               ARMMMUFaultInfo *fi)
 +static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
 +                                      target_ulong address,
 +                                      MMUAccessType access_type,
 +                                      GetPhysAddrResult *result,
 +                                      ARMMMUFaultInfo *fi)
  {
 +    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
      ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
 -    S1Translate ptw;
 +    bool is_secure = ptw->in_secure;
      if (mmu_idx != s1_mmu_idx) {
          /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              bool is_el0;
              uint64_t hcr;
 -            ret = get_phys_addr_with_secure(env, address, access_type,
 -                                            s1_mmu_idx, is_secure, result, fi);
 +            ptw->in_mmu_idx = s1_mmu_idx;
 +            ret = get_phys_addr_with_struct(env, ptw, address, access_type,
 +                                            result, fi);
              /* If S1 fails or S2 is disabled, return early.  */
              if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                  s2walk_secure = false;
              }
 -            ptw.in_mmu_idx =
 +            ptw->in_mmu_idx =
                  s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 -            ptw.in_secure = s2walk_secure;
 +            ptw->in_secure = s2walk_secure;
              is_el0 = mmu_idx == ARMMMUIdx_E10_0;
              /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
              cacheattrs1 = result->cacheattrs;
              memset(result, 0, sizeof(*result));
 -            ret = get_phys_addr_lpae(env, &ptw, ipa, access_type,
 +            ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
                                       is_el0, result, fi);
              fi->s2addr = ipa;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                        is_secure, result, fi);
      }
 -    ptw.in_mmu_idx = mmu_idx;
 -    ptw.in_secure = is_secure;
 -
      if (regime_using_lpae_format(env, mmu_idx)) {
 -        return get_phys_addr_lpae(env, &ptw, address, access_type, false,
 +        return get_phys_addr_lpae(env, ptw, address, access_type, false,
                                    result, fi);
      } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
 -        return get_phys_addr_v6(env, &ptw, address, access_type, result, fi);
 +        return get_phys_addr_v6(env, ptw, address, access_type, result, fi);
      } else {
 -        return get_phys_addr_v5(env, &ptw, address, access_type, result, fi);
 +        return get_phys_addr_v5(env, ptw, address, access_type, result, fi);
      }
  }
 +bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
 +                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
 +                               bool is_secure, GetPhysAddrResult *result,
 +                               ARMMMUFaultInfo *fi)
 +{
-+    ARMCPU *cpu = ARM_CPU(obj);
++    S1Translate ptw = {
-+
++        .in_mmu_idx = mmu_idx,
-+    cpu->dtb_compatible = "arm,neoverse-n1";
++        .in_secure = is_secure,
-+    set_feature(&cpu->env, ARM_FEATURE_V8);
++    };
-+    set_feature(&cpu->env, ARM_FEATURE_NEON);
++    return get_phys_addr_with_struct(env, &ptw, address, access_type,
-+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
++                                     result, fi);
 +    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
 +    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
 +    set_feature(&cpu->env, ARM_FEATURE_EL2);
 +    set_feature(&cpu->env, ARM_FEATURE_EL3);
 +    set_feature(&cpu->env, ARM_FEATURE_PMU);
 +
 +    /* Ordered by B2.4 AArch64 registers by functional group */
 +    cpu->clidr = 0x82000023;
 +    cpu->ctr = 0x8444c004;
 +    cpu->dcz_blocksize = 4;
 +    cpu->isar.id_aa64dfr0  = 0x0000000110305408ull;
 +    cpu->isar.id_aa64isar0 = 0x0000100010211120ull;
 +    cpu->isar.id_aa64isar1 = 0x0000000000100001ull;
 +    cpu->isar.id_aa64mmfr0 = 0x0000000000101125ull;
 +    cpu->isar.id_aa64mmfr1 = 0x0000000010212122ull;
 +    cpu->isar.id_aa64mmfr2 = 0x0000000000001011ull;
 +    cpu->isar.id_aa64pfr0  = 0x1100000010111112ull; /* GIC filled in later */
 +    cpu->isar.id_aa64pfr1  = 0x0000000000000020ull;
 +    cpu->id_afr0       = 0x00000000;
 +    cpu->isar.id_dfr0  = 0x04010088;
 +    cpu->isar.id_isar0 = 0x02101110;
 +    cpu->isar.id_isar1 = 0x13112111;
 +    cpu->isar.id_isar2 = 0x21232042;
 +    cpu->isar.id_isar3 = 0x01112131;
 +    cpu->isar.id_isar4 = 0x00010142;
 +    cpu->isar.id_isar5 = 0x01011121;
 +    cpu->isar.id_isar6 = 0x00000010;
 +    cpu->isar.id_mmfr0 = 0x10201105;
 +    cpu->isar.id_mmfr1 = 0x40000000;
 +    cpu->isar.id_mmfr2 = 0x01260000;
 +    cpu->isar.id_mmfr3 = 0x02122211;
 +    cpu->isar.id_mmfr4 = 0x00021110;
 +    cpu->isar.id_pfr0  = 0x10010131;
 +    cpu->isar.id_pfr1  = 0x00010000; /* GIC filled in later */
 +    cpu->isar.id_pfr2  = 0x00000011;
 +    cpu->midr = 0x414fd0c1;          /* r4p1 */
 +    cpu->revidr = 0;
 +
 +    /* From B2.23 CCSIDR_EL1 */
 +    cpu->ccsidr[0] = 0x701fe01a; /* 64KB L1 dcache */
 +    cpu->ccsidr[1] = 0x201fe01a; /* 64KB L1 icache */
 +    cpu->ccsidr[2] = 0x70ffe03a; /* 1MB L2 cache */
 +
 +    /* From B2.98 SCTLR_EL3 */
 +    cpu->reset_sctlr = 0x30c50838;
 +
 +    /* From B4.23 ICH_VTR_EL2 */
 +    cpu->gic_num_lrs = 4;
 +    cpu->gic_vpribits = 5;
 +    cpu->gic_vprebits = 5;
 +
 +    /* From B5.1 AdvSIMD AArch64 register summary */
 +    cpu->isar.mvfr0 = 0x10110222;
 +    cpu->isar.mvfr1 = 0x13211111;
 +    cpu->isar.mvfr2 = 0x00000043;
 +}
 +
- void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
+ bool get_phys_addr(CPUARMState *env, target_ulong address,
                     MMUAccessType access_type, ARMMMUIdx mmu_idx,
                     GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
  {
-     /*
+     ARMCPU *cpu = ARM_CPU(cs);
-@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
+     CPUARMState *env = &cpu->env;
-     { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
++    S1Translate ptw = {
-     { .name = "cortex-a76",         .initfn = aarch64_a76_initfn },
++        .in_mmu_idx = arm_mmu_idx(env),
-     { .name = "a64fx",              .initfn = aarch64_a64fx_initfn },
++        .in_secure = arm_is_secure(env),
-+    { .name = "neoverse-n1",        .initfn = aarch64_neoverse_n1_initfn },
++        .in_debug = true,
-     { .name = "max",                .initfn = aarch64_max_initfn },
++    };
- #if defined(CONFIG_KVM) || defined(CONFIG_HVF)
+     GetPhysAddrResult res = {};
-     { .name = "host",               .initfn = aarch64_host_initfn },
+     ARMMMUFaultInfo fi = {};
 -    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
      bool ret;
 -    ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi);
 +    ret = get_phys_addr_with_struct(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
      *attrs = res.f.attrs;
      if (ret) {
 --
 .25.1

-[PULL 24/32] target/arm: Define cortex-a76
+[PULL 11/24] target/arm: Move be test for regime into S1TranslateResult
 From: Richard Henderson <richard.henderson@linaro.org>
-Enable the a76 for virt and sbsa board use.
+Hoist this test out of arm_ld[lq]_ptw into S1_ptw_translate.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-24-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-10-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/virt.rst |  1 +
+ target/arm/ptw.c | 6 ++++--
- hw/arm/sbsa-ref.c        |  1 +
+file changed, 4 insertions(+), 2 deletions(-)
  hw/arm/virt.c            |  1 +
  target/arm/cpu64.c       | 66 ++++++++++++++++++++++++++++++++++++++++
 files changed, 69 insertions(+)
-diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/virt.rst
+--- a/target/arm/ptw.c
-+++ b/docs/system/arm/virt.rst
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ Supported guest CPU types:
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
- - ``cortex-a53`` (64-bit)
+     bool in_secure;
- - ``cortex-a57`` (64-bit)
+     bool in_debug;
- - ``cortex-a72`` (64-bit)
+     bool out_secure;
-+- ``cortex-a76`` (64-bit)
++    bool out_be;
- - ``a64fx`` (64-bit)
+     hwaddr out_phys;
- - ``host`` (with KVM only)
+ } S1Translate;
- - ``max`` (same as ``host`` for KVM; best possible emulation with TCG)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
+     ptw->out_secure = is_secure;
-+++ b/hw/arm/sbsa-ref.c
+     ptw->out_phys = addr;
-@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {
++    ptw->out_be = regime_translation_big_endian(env, ptw->in_mmu_idx);
- static const char * const valid_cpus[] = {
+     return true;
      ARM_CPU_TYPE_NAME("cortex-a57"),
      ARM_CPU_TYPE_NAME("cortex-a72"),
 +    ARM_CPU_TYPE_NAME("cortex-a76"),
      ARM_CPU_TYPE_NAME("max"),
  };
 diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/virt.c
 +++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const char *valid_cpus[] = {
      ARM_CPU_TYPE_NAME("cortex-a53"),
      ARM_CPU_TYPE_NAME("cortex-a57"),
      ARM_CPU_TYPE_NAME("cortex-a72"),
 +    ARM_CPU_TYPE_NAME("cortex-a76"),
      ARM_CPU_TYPE_NAME("a64fx"),
      ARM_CPU_TYPE_NAME("host"),
      ARM_CPU_TYPE_NAME("max"),
 diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu64.c
 +++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
      define_cortex_a72_a57_a53_cp_reginfo(cpu);
  }
-+static void aarch64_a76_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
-+{
+     addr = ptw->out_phys;
-+    ARMCPU *cpu = ARM_CPU(obj);
+     attrs.secure = ptw->out_secure;
-+
+     as = arm_addressspace(cs, attrs);
-+    cpu->dtb_compatible = "arm,cortex-a76";
+-    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
-+    set_feature(&cpu->env, ARM_FEATURE_V8);
++    if (ptw->out_be) {
-+    set_feature(&cpu->env, ARM_FEATURE_NEON);
+         data = address_space_ldl_be(as, addr, attrs, &result);
-+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
+     } else {
-+    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
+         data = address_space_ldl_le(as, addr, attrs, &result);
-+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
+@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
-+    set_feature(&cpu->env, ARM_FEATURE_EL2);
+     addr = ptw->out_phys;
-+    set_feature(&cpu->env, ARM_FEATURE_EL3);
+     attrs.secure = ptw->out_secure;
-+    set_feature(&cpu->env, ARM_FEATURE_PMU);
+     as = arm_addressspace(cs, attrs);
-+
+-    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
-+    /* Ordered by B2.4 AArch64 registers by functional group */
++    if (ptw->out_be) {
-+    cpu->clidr = 0x82000023;
+         data = address_space_ldq_be(as, addr, attrs, &result);
-+    cpu->ctr = 0x8444C004;
+     } else {
-+    cpu->dcz_blocksize = 4;
+         data = address_space_ldq_le(as, addr, attrs, &result);
 +    cpu->isar.id_aa64dfr0  = 0x0000000010305408ull;
 +    cpu->isar.id_aa64isar0 = 0x0000100010211120ull;
 +    cpu->isar.id_aa64isar1 = 0x0000000000100001ull;
 +    cpu->isar.id_aa64mmfr0 = 0x0000000000101122ull;
 +    cpu->isar.id_aa64mmfr1 = 0x0000000010212122ull;
 +    cpu->isar.id_aa64mmfr2 = 0x0000000000001011ull;
 +    cpu->isar.id_aa64pfr0  = 0x1100000010111112ull; /* GIC filled in later */
 +    cpu->isar.id_aa64pfr1  = 0x0000000000000010ull;
 +    cpu->id_afr0       = 0x00000000;
 +    cpu->isar.id_dfr0  = 0x04010088;
 +    cpu->isar.id_isar0 = 0x02101110;
 +    cpu->isar.id_isar1 = 0x13112111;
 +    cpu->isar.id_isar2 = 0x21232042;
 +    cpu->isar.id_isar3 = 0x01112131;
 +    cpu->isar.id_isar4 = 0x00010142;
 +    cpu->isar.id_isar5 = 0x01011121;
 +    cpu->isar.id_isar6 = 0x00000010;
 +    cpu->isar.id_mmfr0 = 0x10201105;
 +    cpu->isar.id_mmfr1 = 0x40000000;
 +    cpu->isar.id_mmfr2 = 0x01260000;
 +    cpu->isar.id_mmfr3 = 0x02122211;
 +    cpu->isar.id_mmfr4 = 0x00021110;
 +    cpu->isar.id_pfr0  = 0x10010131;
 +    cpu->isar.id_pfr1  = 0x00010000; /* GIC filled in later */
 +    cpu->isar.id_pfr2  = 0x00000011;
 +    cpu->midr = 0x414fd0b1;          /* r4p1 */
 +    cpu->revidr = 0;
 +
 +    /* From B2.18 CCSIDR_EL1 */
 +    cpu->ccsidr[0] = 0x701fe01a; /* 64KB L1 dcache */
 +    cpu->ccsidr[1] = 0x201fe01a; /* 64KB L1 icache */
 +    cpu->ccsidr[2] = 0x707fe03a; /* 512KB L2 cache */
 +
 +    /* From B2.93 SCTLR_EL3 */
 +    cpu->reset_sctlr = 0x30c50838;
 +
 +    /* From B4.23 ICH_VTR_EL2 */
 +    cpu->gic_num_lrs = 4;
 +    cpu->gic_vpribits = 5;
 +    cpu->gic_vprebits = 5;
 +
 +    /* From B5.1 AdvSIMD AArch64 register summary */
 +    cpu->isar.mvfr0 = 0x10110222;
 +    cpu->isar.mvfr1 = 0x13211111;
 +    cpu->isar.mvfr2 = 0x00000043;
 +}
 +
  void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
  {
      /*
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
      { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
      { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
      { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
 +    { .name = "cortex-a76",         .initfn = aarch64_a76_initfn },
      { .name = "a64fx",              .initfn = aarch64_a64fx_initfn },
      { .name = "max",                .initfn = aarch64_max_initfn },
  #if defined(CONFIG_KVM) || defined(CONFIG_HVF)
 --
 .25.1

-[PULL 14/32] target/arm: Add minimal RAS registers
+[PULL 12/24] target/arm: Use softmmu tlbs for page table walking
 From: Richard Henderson <richard.henderson@linaro.org>
-Add only the system registers required to implement zero error
+So far, limit the change to S1_ptw_translate, arm_ldl_ptw, and
-records.  This means that all values for ERRSELR are out of range,
+arm_ldq_ptw.  Use probe_access_full to find the host address,
-which means that it and all of the indexed error record registers
+and if so use a host load.  If the probe fails, we've got our
-need not be implemented.
+fault info already.  On the off chance that page tables are not
+in RAM, continue to use the address_space_ld* functions.
 Add the EL2 registers required for injecting virtual SError.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-14-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h    |  5 +++
+ target/arm/cpu.h        |   5 +
- target/arm/helper.c | 84 +++++++++++++++++++++++++++++++++++++++++++++
+ target/arm/ptw.c        | 196 +++++++++++++++++++++++++---------------
-files changed, 89 insertions(+)
+ target/arm/tlb_helper.c |  17 +++-
 files changed, 144 insertions(+), 74 deletions(-)
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMTBFlags {
+     target_ulong flags2;
+ } CPUARMTBFlags;
++typedef struct ARMMMUFaultInfo ARMMMUFaultInfo;
++
+ typedef struct CPUArchState {
+     /* Regs for current mode.  */
+     uint32_t regs[16];
 @@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
-         uint64_t tfsr_el[4]; /* tfsre0_el1 is index 0.  */
+     struct CPUBreakpoint *cpu_breakpoint[16];
-         uint64_t gcr_el1;
+     struct CPUWatchpoint *cpu_watchpoint[16];
-         uint64_t rgsr_el1;
-+
++    /* Optional fault info across tlb lookup. */
-+        /* Minimal RAS registers */
++    ARMMMUFaultInfo *tlb_fi;
-+        uint64_t disr_el1;
++
-+        uint64_t vdisr_el2;
+     /* Fields up to this point are cleared by a CPU reset */
-+        uint64_t vsesr_el2;
+     struct {} end_reset_fields;
-     } cp15;
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
      struct {
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/helper.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
+@@ -XXX,XX +XXX,XX @@
-       .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
+ #include "qemu/osdep.h"
- };
+ #include "qemu/log.h"
+ #include "qemu/range.h"
-+/*
++#include "exec/exec-all.h"
-+ * Check for traps to RAS registers, which are controlled
+ #include "cpu.h"
-+ * by HCR_EL2.TERR and SCR_EL3.TERR.
+ #include "internals.h"
-+ */
+ #include "idau.h"
-+static CPAccessResult access_terr(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
-+                                  bool isread)
+     bool out_secure;
-+{
+     bool out_be;
-+    int el = arm_current_el(env);
+     hwaddr out_phys;
-+
++    void *out_host;
-+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TERR)) {
+ } S1Translate;
-+        return CP_ACCESS_TRAP_EL2;
  static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
      return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
  }
 -static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
 +static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
  {
      /*
       * For an S1 page table walk, the stage 1 attributes are always
@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
       * With HCR_EL2.FWB == 1 this is when descriptor bit [4] is 0, ie
       * when cacheattrs.attrs bit [2] is 0.
       */
 -    assert(cacheattrs.is_s2_format);
      if (hcr & HCR_FWB) {
 -        return (cacheattrs.attrs & 0x4) == 0;
 +        return (attrs & 0x4) == 0;
      } else {
 -        return (cacheattrs.attrs & 0xc) == 0;
 +        return (attrs & 0xc) == 0;
      }
  }
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                               hwaddr addr, ARMMMUFaultInfo *fi)
  {
      bool is_secure = ptw->in_secure;
 +    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
      ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +    bool s2_phys = false;
 +    uint8_t pte_attrs;
 +    bool pte_secure;
 -    if (arm_mmu_idx_is_stage1_of_2(ptw->in_mmu_idx) &&
 -        !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
 -        GetPhysAddrResult s2 = {};
 -        S1Translate s2ptw = {
 -            .in_mmu_idx = s2_mmu_idx,
 -            .in_secure = is_secure,
 -            .in_debug = ptw->in_debug,
 -        };
 -        uint64_t hcr;
 -        int ret;
 +    if (!arm_mmu_idx_is_stage1_of_2(mmu_idx)
 +        || regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
 +        s2_mmu_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
 +        s2_phys = true;
 +    }
-+    if (el < 3 && (env->cp15.scr_el3 & SCR_TERR)) {
-+        return CP_ACCESS_TRAP_EL3;
+-        ret = get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
 -                                 false, &s2, fi);
 -        if (ret) {
 -            assert(fi->type != ARMFault_None);
 -            fi->s2addr = addr;
 -            fi->stage2 = true;
 -            fi->s1ptw = true;
 -            fi->s1ns = !is_secure;
 -            return false;
 +    if (unlikely(ptw->in_debug)) {
 +        /*
 +         * From gdbstub, do not use softmmu so that we don't modify the
 +         * state of the cpu at all, including softmmu tlb contents.
 +         */
 +        if (s2_phys) {
 +            ptw->out_phys = addr;
 +            pte_attrs = 0;
 +            pte_secure = is_secure;
 +        } else {
 +            S1Translate s2ptw = {
 +                .in_mmu_idx = s2_mmu_idx,
 +                .in_secure = is_secure,
 +                .in_debug = true,
 +            };
 +            GetPhysAddrResult s2 = { };
 +            if (!get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
 +                                    false, &s2, fi)) {
 +                goto fail;
 +            }
 +            ptw->out_phys = s2.f.phys_addr;
 +            pte_attrs = s2.cacheattrs.attrs;
 +            pte_secure = s2.f.attrs.secure;
          }
 +        ptw->out_host = NULL;
 +    } else {
 +        CPUTLBEntryFull *full;
 +        int flags;
 -        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 -        if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
 +        env->tlb_fi = fi;
 +        flags = probe_access_full(env, addr, MMU_DATA_LOAD,
 +                                  arm_to_core_mmu_idx(s2_mmu_idx),
 +                                  true, &ptw->out_host, &full, 0);
 +        env->tlb_fi = NULL;
 +
 +        if (unlikely(flags & TLB_INVALID_MASK)) {
 +            goto fail;
 +        }
 +        ptw->out_phys = full->phys_addr;
 +        pte_attrs = full->pte_attrs;
 +        pte_secure = full->attrs.secure;
 +    }
-+    return CP_ACCESS_OK;
++
-+}
++    if (!s2_phys) {
-+
++        uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-+static uint64_t disr_read(CPUARMState *env, const ARMCPRegInfo *ri)
++
-+{
++        if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) {
-+    int el = arm_current_el(env);
+             /*
-+
+              * PTW set and S1 walk touched S2 Device memory:
-+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
+              * generate Permission fault.
-+        return env->cp15.vdisr_el2;
+@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
              fi->s1ns = !is_secure;
              return false;
          }
 -
 -        if (arm_is_secure_below_el3(env)) {
 -            /* Check if page table walk is to secure or non-secure PA space. */
 -            if (is_secure) {
 -                is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
 -            } else {
 -                is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
 -            }
 -        } else {
 -            assert(!is_secure);
 -        }
 -
 -        addr = s2.f.phys_addr;
      }
 -    ptw->out_secure = is_secure;
 -    ptw->out_phys = addr;
 -    ptw->out_be = regime_translation_big_endian(env, ptw->in_mmu_idx);
 +    /* Check if page table walk is to secure or non-secure PA space. */
 +    ptw->out_secure = (is_secure
 +                       && !(pte_secure
 +                            ? env->cp15.vstcr_el2 & VSTCR_SW
 +                            : env->cp15.vtcr_el2 & VTCR_NSW));
 +    ptw->out_be = regime_translation_big_endian(env, mmu_idx);
      return true;
 +
 + fail:
 +    assert(fi->type != ARMFault_None);
 +    fi->s2addr = addr;
 +    fi->stage2 = true;
 +    fi->s1ptw = true;
 +    fi->s1ns = !is_secure;
 +    return false;
  }
  /* All loads done in the course of a page table walk go through here. */
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
                              ARMMMUFaultInfo *fi)
  {
      CPUState *cs = env_cpu(env);
 -    MemTxAttrs attrs = {};
 -    MemTxResult result = MEMTX_OK;
 -    AddressSpace *as;
      uint32_t data;
      if (!S1_ptw_translate(env, ptw, addr, fi)) {
 +        /* Failure. */
 +        assert(fi->s1ptw);
          return 0;
      }
 -    addr = ptw->out_phys;
 -    attrs.secure = ptw->out_secure;
 -    as = arm_addressspace(cs, attrs);
 -    if (ptw->out_be) {
 -        data = address_space_ldl_be(as, addr, attrs, &result);
 +
 +    if (likely(ptw->out_host)) {
 +        /* Page tables are in RAM, and we have the host address. */
 +        if (ptw->out_be) {
 +            data = ldl_be_p(ptw->out_host);
 +        } else {
 +            data = ldl_le_p(ptw->out_host);
 +        }
      } else {
 -        data = address_space_ldl_le(as, addr, attrs, &result);
 +        /* Page tables are in MMIO. */
 +        MemTxAttrs attrs = { .secure = ptw->out_secure };
 +        AddressSpace *as = arm_addressspace(cs, attrs);
 +        MemTxResult result = MEMTX_OK;
 +
 +        if (ptw->out_be) {
 +            data = address_space_ldl_be(as, ptw->out_phys, attrs, &result);
 +        } else {
 +            data = address_space_ldl_le(as, ptw->out_phys, attrs, &result);
 +        }
 +        if (unlikely(result != MEMTX_OK)) {
 +            fi->type = ARMFault_SyncExternalOnWalk;
 +            fi->ea = arm_extabort_type(result);
 +            return 0;
 +        }
      }
 -    if (result == MEMTX_OK) {
 -        return data;
 -    }
 -    fi->type = ARMFault_SyncExternalOnWalk;
 -    fi->ea = arm_extabort_type(result);
 -    return 0;
 +    return data;
  }
  static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
                              ARMMMUFaultInfo *fi)
  {
      CPUState *cs = env_cpu(env);
 -    MemTxAttrs attrs = {};
 -    MemTxResult result = MEMTX_OK;
 -    AddressSpace *as;
      uint64_t data;
      if (!S1_ptw_translate(env, ptw, addr, fi)) {
 +        /* Failure. */
 +        assert(fi->s1ptw);
          return 0;
      }
 -    addr = ptw->out_phys;
 -    attrs.secure = ptw->out_secure;
 -    as = arm_addressspace(cs, attrs);
 -    if (ptw->out_be) {
 -        data = address_space_ldq_be(as, addr, attrs, &result);
 +
 +    if (likely(ptw->out_host)) {
 +        /* Page tables are in RAM, and we have the host address. */
 +        if (ptw->out_be) {
 +            data = ldq_be_p(ptw->out_host);
 +        } else {
 +            data = ldq_le_p(ptw->out_host);
 +        }
      } else {
 -        data = address_space_ldq_le(as, addr, attrs, &result);
 +        /* Page tables are in MMIO. */
 +        MemTxAttrs attrs = { .secure = ptw->out_secure };
 +        AddressSpace *as = arm_addressspace(cs, attrs);
 +        MemTxResult result = MEMTX_OK;
 +
 +        if (ptw->out_be) {
 +            data = address_space_ldq_be(as, ptw->out_phys, attrs, &result);
 +        } else {
 +            data = address_space_ldq_le(as, ptw->out_phys, attrs, &result);
 +        }
 +        if (unlikely(result != MEMTX_OK)) {
 +            fi->type = ARMFault_SyncExternalOnWalk;
 +            fi->ea = arm_extabort_type(result);
 +            return 0;
 +        }
      }
 -    if (result == MEMTX_OK) {
 -        return data;
 -    }
 -    fi->type = ARMFault_SyncExternalOnWalk;
 -    fi->ea = arm_extabort_type(result);
 -    return 0;
 +    return data;
  }
  static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
 diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tlb_helper.c
 +++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                        bool probe, uintptr_t retaddr)
  {
      ARMCPU *cpu = ARM_CPU(cs);
 -    ARMMMUFaultInfo fi = {};
      GetPhysAddrResult res = {};
 +    ARMMMUFaultInfo local_fi, *fi;
      int ret;
 +    /*
 +     * Allow S1_ptw_translate to see any fault generated here.
 +     * Since this may recurse, read and clear.
 +     */
 +    fi = cpu->env.tlb_fi;
 +    if (fi) {
 +        cpu->env.tlb_fi = NULL;
 +    } else {
 +        fi = memset(&local_fi, 0, sizeof(local_fi));
 +    }
-+    if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
++
-+        return 0; /* RAZ/WI */
+     /*
-+    }
+      * Walk the page table and (if the mapping exists) add the page
-+    return env->cp15.disr_el1;
+      * to the TLB.  On success, return true.  Otherwise, if probing,
-+}
+@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-+
+      */
-+static void disr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
+     ret = get_phys_addr(&cpu->env, address, access_type,
-+{
+                         core_to_arm_mmu_idx(&cpu->env, mmu_idx),
-+    int el = arm_current_el(env);
+-                        &res, &fi);
-+
++                        &res, fi);
-+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
+     if (likely(!ret)) {
-+        env->cp15.vdisr_el2 = val;
+         /*
-+        return;
+          * Map a single [sub]page. Regions smaller than our declared
-+    }
+@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-+    if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
+     } else {
-+        return; /* RAZ/WI */
+         /* now we have a real cpu fault */
-+    }
+         cpu_restore_state(cs, retaddr, true);
-+    env->cp15.disr_el1 = val;
+-        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
-+}
++        arm_deliver_fault(cpu, address, access_type, mmu_idx, fi);
-+
+     }
-+/*
+ }
-+ * Minimal RAS implementation with no Error Records.
+ #else
 + * Which means that all of the Error Record registers:
 + *   ERXADDR_EL1
 + *   ERXCTLR_EL1
 + *   ERXFR_EL1
 + *   ERXMISC0_EL1
 + *   ERXMISC1_EL1
 + *   ERXMISC2_EL1
 + *   ERXMISC3_EL1
 + *   ERXPFGCDN_EL1  (RASv1p1)
 + *   ERXPFGCTL_EL1  (RASv1p1)
 + *   ERXPFGF_EL1    (RASv1p1)
 + *   ERXSTATUS_EL1
 + * and
 + *   ERRSELR_EL1
 + * may generate UNDEFINED, which is the effect we get by not
 + * listing them at all.
 + */
 +static const ARMCPRegInfo minimal_ras_reginfo[] = {
 +    { .name = "DISR_EL1", .state = ARM_CP_STATE_BOTH,
 +      .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 1,
 +      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.disr_el1),
 +      .readfn = disr_read, .writefn = disr_write, .raw_writefn = raw_write },
 +    { .name = "ERRIDR_EL1", .state = ARM_CP_STATE_BOTH,
 +      .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 3, .opc2 = 0,
 +      .access = PL1_R, .accessfn = access_terr,
 +      .type = ARM_CP_CONST, .resetvalue = 0 },
 +    { .name = "VDISR_EL2", .state = ARM_CP_STATE_BOTH,
 +      .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 1, .opc2 = 1,
 +      .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vdisr_el2) },
 +    { .name = "VSESR_EL2", .state = ARM_CP_STATE_BOTH,
 +      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 3,
 +      .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vsesr_el2) },
 +};
 +
  /* Return the exception level to which exceptions should be taken
   * via SVEAccessTrap.  If an exception should be routed through
   * AArch64.AdvSIMDFPAccessTrap, return 0; fp_exception_el should
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
      if (cpu_isar_feature(aa64_ssbs, cpu)) {
          define_one_arm_cp_reg(cpu, &ssbs_reginfo);
      }
 +    if (cpu_isar_feature(any_ras, cpu)) {
 +        define_arm_cp_regs(cpu, minimal_ras_reginfo);
 +    }
      if (cpu_isar_feature(aa64_vh, cpu) ||
          cpu_isar_feature(aa64_debugv8p2, cpu)) {
 --
 .25.1

-[PULL 18/32] target/arm: Enable FEAT_RAS for -cpu max
+[PULL 13/24] target/arm: Split out get_phys_addr_twostage
 From: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-18-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-12-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst | 1 +
+ target/arm/ptw.c | 191 +++++++++++++++++++++++++----------------------
- target/arm/cpu64.c            | 1 +
+file changed, 100 insertions(+), 91 deletions(-)
  target/arm/cpu_tcg.c          | 1 +
 files changed, 3 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
+--- a/target/arm/ptw.c
-+++ b/docs/system/arm/emulation.rst
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
- - FEAT_PMULL (PMULL, PMULL2 instructions)
+                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
- - FEAT_PMUv3p1 (PMU Extensions v3.1)
+     __attribute__((nonnull));
- - FEAT_PMUv3p4 (PMU Extensions v3.4)
-+- FEAT_RAS (Reliability, availability, and serviceability)
++static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
- - FEAT_RDM (Advanced SIMD rounding double multiply accumulate instructions)
++                                      target_ulong address,
- - FEAT_RNG (Random number generator)
++                                      MMUAccessType access_type,
- - FEAT_SB (Speculation Barrier)
++                                      GetPhysAddrResult *result,
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++                                      ARMMMUFaultInfo *fi)
-index XXXXXXX..XXXXXXX 100644
++    __attribute__((nonnull));
---- a/target/arm/cpu64.c
++
-+++ b/target/arm/cpu64.c
+ /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+ static const uint8_t pamax_map[] = {
-     t = cpu->isar.id_aa64pfr0;
+     [0] = 32,
-     t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);        /* FEAT_FP16 */
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
-     t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
+     return 0;
-+    t = FIELD_DP64(t, ID_AA64PFR0, RAS, 1);       /* FEAT_RAS */
+ }
-     t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-     t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
++static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
-     t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
++                                   target_ulong address,
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
++                                   MMUAccessType access_type,
-index XXXXXXX..XXXXXXX 100644
++                                   GetPhysAddrResult *result,
---- a/target/arm/cpu_tcg.c
++                                   ARMMMUFaultInfo *fi)
-+++ b/target/arm/cpu_tcg.c
++{
-@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
++    hwaddr ipa;
++    int s1_prot;
-     t = cpu->isar.id_pfr0;
++    int ret;
-     t = FIELD_DP32(t, ID_PFR0, DIT, 1);           /* FEAT_DIT */
++    bool is_secure = ptw->in_secure;
-+    t = FIELD_DP32(t, ID_PFR0, RAS, 1);           /* FEAT_RAS */
++    bool ipa_secure, s2walk_secure;
-     cpu->isar.id_pfr0 = t;
++    ARMCacheAttrs cacheattrs1;
++    bool is_el0;
-     t = cpu->isar.id_pfr2;
++    uint64_t hcr;
 +
 +    ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
 +
 +    /* If S1 fails or S2 is disabled, return early.  */
 +    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
 +        return ret;
 +    }
 +
 +    ipa = result->f.phys_addr;
 +    ipa_secure = result->f.attrs.secure;
 +    if (is_secure) {
 +        /* Select TCR based on the NS bit from the S1 walk. */
 +        s2walk_secure = !(ipa_secure
 +                          ? env->cp15.vstcr_el2 & VSTCR_SW
 +                          : env->cp15.vtcr_el2 & VTCR_NSW);
 +    } else {
 +        assert(!ipa_secure);
 +        s2walk_secure = false;
 +    }
 +
 +    is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
 +    ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 +    ptw->in_secure = s2walk_secure;
 +
 +    /*
 +     * S1 is done, now do S2 translation.
 +     * Save the stage1 results so that we may merge prot and cacheattrs later.
 +     */
 +    s1_prot = result->f.prot;
 +    cacheattrs1 = result->cacheattrs;
 +    memset(result, 0, sizeof(*result));
 +
 +    ret = get_phys_addr_lpae(env, ptw, ipa, access_type, is_el0, result, fi);
 +    fi->s2addr = ipa;
 +
 +    /* Combine the S1 and S2 perms.  */
 +    result->f.prot &= s1_prot;
 +
 +    /* If S2 fails, return early.  */
 +    if (ret) {
 +        return ret;
 +    }
 +
 +    /* Combine the S1 and S2 cache attributes. */
 +    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 +    if (hcr & HCR_DC) {
 +        /*
 +         * HCR.DC forces the first stage attributes to
 +         *  Normal Non-Shareable,
 +         *  Inner Write-Back Read-Allocate Write-Allocate,
 +         *  Outer Write-Back Read-Allocate Write-Allocate.
 +         * Do not overwrite Tagged within attrs.
 +         */
 +        if (cacheattrs1.attrs != 0xf0) {
 +            cacheattrs1.attrs = 0xff;
 +        }
 +        cacheattrs1.shareability = 0;
 +    }
 +    result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
 +                                            result->cacheattrs);
 +
 +    /*
 +     * Check if IPA translates to secure or non-secure PA space.
 +     * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
 +     */
 +    result->f.attrs.secure =
 +        (is_secure
 +         && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
 +         && (ipa_secure
 +             || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
 +
 +    return 0;
 +}
 +
  static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
                                        target_ulong address,
                                        MMUAccessType access_type,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
      if (mmu_idx != s1_mmu_idx) {
          /*
           * Call ourselves recursively to do the stage 1 and then stage 2
 -         * translations if mmu_idx is a two-stage regime.
 +         * translations if mmu_idx is a two-stage regime, and EL2 present.
 +         * Otherwise, a stage1+stage2 translation is just stage 1.
           */
 +        ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
          if (arm_feature(env, ARM_FEATURE_EL2)) {
 -            hwaddr ipa;
 -            int s1_prot;
 -            int ret;
 -            bool ipa_secure, s2walk_secure;
 -            ARMCacheAttrs cacheattrs1;
 -            bool is_el0;
 -            uint64_t hcr;
 -
 -            ptw->in_mmu_idx = s1_mmu_idx;
 -            ret = get_phys_addr_with_struct(env, ptw, address, access_type,
 -                                            result, fi);
 -
 -            /* If S1 fails or S2 is disabled, return early.  */
 -            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
 -                                                   is_secure)) {
 -                return ret;
 -            }
 -
 -            ipa = result->f.phys_addr;
 -            ipa_secure = result->f.attrs.secure;
 -            if (is_secure) {
 -                /* Select TCR based on the NS bit from the S1 walk. */
 -                s2walk_secure = !(ipa_secure
 -                                  ? env->cp15.vstcr_el2 & VSTCR_SW
 -                                  : env->cp15.vtcr_el2 & VTCR_NSW);
 -            } else {
 -                assert(!ipa_secure);
 -                s2walk_secure = false;
 -            }
 -
 -            ptw->in_mmu_idx =
 -                s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 -            ptw->in_secure = s2walk_secure;
 -            is_el0 = mmu_idx == ARMMMUIdx_E10_0;
 -
 -            /*
 -             * S1 is done, now do S2 translation.
 -             * Save the stage1 results so that we may merge
 -             * prot and cacheattrs later.
 -             */
 -            s1_prot = result->f.prot;
 -            cacheattrs1 = result->cacheattrs;
 -            memset(result, 0, sizeof(*result));
 -
 -            ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
 -                                     is_el0, result, fi);
 -            fi->s2addr = ipa;
 -
 -            /* Combine the S1 and S2 perms.  */
 -            result->f.prot &= s1_prot;
 -
 -            /* If S2 fails, return early.  */
 -            if (ret) {
 -                return ret;
 -            }
 -
 -            /* Combine the S1 and S2 cache attributes. */
 -            hcr = arm_hcr_el2_eff_secstate(env, is_secure);
 -            if (hcr & HCR_DC) {
 -                /*
 -                 * HCR.DC forces the first stage attributes to
 -                 *  Normal Non-Shareable,
 -                 *  Inner Write-Back Read-Allocate Write-Allocate,
 -                 *  Outer Write-Back Read-Allocate Write-Allocate.
 -                 * Do not overwrite Tagged within attrs.
 -                 */
 -                if (cacheattrs1.attrs != 0xf0) {
 -                    cacheattrs1.attrs = 0xff;
 -                }
 -                cacheattrs1.shareability = 0;
 -            }
 -            result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
 -                                                    result->cacheattrs);
 -
 -            /*
 -             * Check if IPA translates to secure or non-secure PA space.
 -             * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
 -             */
 -            result->f.attrs.secure =
 -                (is_secure
 -                 && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
 -                 && (ipa_secure
 -                     || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
 -
 -            return 0;
 -        } else {
 -            /*
 -             * For non-EL2 CPUs a stage1+stage2 translation is just stage 1.
 -             */
 -            mmu_idx = stage_1_mmu_idx(mmu_idx);
 +            return get_phys_addr_twostage(env, ptw, address, access_type,
 +                                          result, fi);
          }
      }
 --
 .25.1

-[PULL 10/32] target/arm: Annotate arm_max_initfn with FEAT identifiers
+[PULL 14/24] target/arm: Use bool consistently for get_phys_addr subroutines
 From: Richard Henderson <richard.henderson@linaro.org>
-Update the legacy feature names to the current names.
+The return type of the functions is already bool, but in a few
-Provide feature names for id changes that were not marked.
+instances we used an integer type with the return statement.
 Sort the field updates into increasing bitfield order.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-10-richard.henderson@linaro.org
+Message-id: 20221011031911.2408754-13-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu64.c   | 100 +++++++++++++++++++++----------------------
+ target/arm/ptw.c | 7 +++----
- target/arm/cpu_tcg.c |  48 ++++++++++-----------
+file changed, 3 insertions(+), 4 deletions(-)
 files changed, 74 insertions(+), 74 deletions(-)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+diff --git a/target/arm/ptw.c b/target/arm/ptw.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
+--- a/target/arm/ptw.c
-+++ b/target/arm/cpu64.c
++++ b/target/arm/ptw.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
-     cpu->midr = t;
+     result->f.lg_page_size = TARGET_PAGE_BITS;
+     result->cacheattrs.shareability = shareability;
-     t = cpu->isar.id_aa64isar0;
+     result->cacheattrs.attrs = memattr;
--    t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
+-    return 0;
--    t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
++    return false;
 -    t = FIELD_DP64(t, ID_AA64ISAR0, SHA2, 2); /* SHA512 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2);      /* FEAT_PMULL */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);     /* FEAT_SHA1 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, SHA2, 2);     /* FEAT_SHA512 */
      t = FIELD_DP64(t, ID_AA64ISAR0, CRC32, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, ATOMIC, 2);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, RDM, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, SHA3, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, SM3, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, SM4, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2); /* v8.5-CondM */
 -    t = FIELD_DP64(t, ID_AA64ISAR0, TLB, 2); /* FEAT_TLBIRANGE */
 -    t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1);
 +    t = FIELD_DP64(t, ID_AA64ISAR0, ATOMIC, 2);   /* FEAT_LSE */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, RDM, 1);      /* FEAT_RDM */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, SHA3, 1);     /* FEAT_SHA3 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, SM3, 1);      /* FEAT_SM3 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, SM4, 1);      /* FEAT_SM4 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1);       /* FEAT_DotProd */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1);      /* FEAT_FHM */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2);       /* FEAT_FlagM2 */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, TLB, 2);      /* FEAT_TLBIRANGE */
 +    t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1);     /* FEAT_RNG */
      cpu->isar.id_aa64isar0 = t;
      t = cpu->isar.id_aa64isar1;
 -    t = FIELD_DP64(t, ID_AA64ISAR1, DPB, 2);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, JSCVT, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, FCMA, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, SB, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, SPECRES, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, BF16, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, FRINTTS, 1);
 -    t = FIELD_DP64(t, ID_AA64ISAR1, LRCPC, 2); /* ARMv8.4-RCPC */
 -    t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);
 +    t = FIELD_DP64(t, ID_AA64ISAR1, DPB, 2);      /* FEAT_DPB2 */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, JSCVT, 1);    /* FEAT_JSCVT */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, FCMA, 1);     /* FEAT_FCMA */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, LRCPC, 2);    /* FEAT_LRCPC2 */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, FRINTTS, 1);  /* FEAT_FRINTTS */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, SB, 1);       /* FEAT_SB */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, SPECRES, 1);  /* FEAT_SPECRES */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, BF16, 1);     /* FEAT_BF16 */
 +    t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);     /* FEAT_I8MM */
      cpu->isar.id_aa64isar1 = t;
      t = cpu->isar.id_aa64pfr0;
 +    t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);        /* FEAT_FP16 */
 +    t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
      t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
 -    t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);
 -    t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);
 -    t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);
 -    t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);
 +    t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
 +    t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
      cpu->isar.id_aa64pfr0 = t;
      t = cpu->isar.id_aa64pfr1;
 -    t = FIELD_DP64(t, ID_AA64PFR1, BT, 1);
 -    t = FIELD_DP64(t, ID_AA64PFR1, SSBS, 2);
 +    t = FIELD_DP64(t, ID_AA64PFR1, BT, 1);        /* FEAT_BTI */
 +    t = FIELD_DP64(t, ID_AA64PFR1, SSBS, 2);      /* FEAT_SSBS2 */
      /*
       * Begin with full support for MTE. This will be downgraded to MTE=0
       * during realize if the board provides no tag memory, much like
       * we do for EL2 with the virtualization=on property.
       */
 -    t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);
 +    t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
      cpu->isar.id_aa64pfr1 = t;
      t = cpu->isar.id_aa64mmfr0;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      cpu->isar.id_aa64mmfr0 = t;
      t = cpu->isar.id_aa64mmfr1;
 -    t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
 -    t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
 -    t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);
 -    t = FIELD_DP64(t, ID_AA64MMFR1, PAN, 2); /* ATS1E1 */
 -    t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* VMID16 */
 -    t = FIELD_DP64(t, ID_AA64MMFR1, XNX, 1); /* TTS2UXN */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);       /* FEAT_LOR */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, PAN, 2);      /* FEAT_PAN2 */
 +    t = FIELD_DP64(t, ID_AA64MMFR1, XNX, 1);      /* FEAT_XNX */
      cpu->isar.id_aa64mmfr1 = t;
      t = cpu->isar.id_aa64mmfr2;
 -    t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);
 -    t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1); /* TTCNP */
 -    t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1); /* TTST */
 -    t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1); /* FEAT_LVA */
 -    t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1); /* FEAT_TTL */
 -    t = FIELD_DP64(t, ID_AA64MMFR2, BBM, 2); /* FEAT_BBM at level 2 */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1);      /* FEAT_TTCNP */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);      /* FEAT_UAO */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1);  /* FEAT_LVA */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1);       /* FEAT_TTST */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1);      /* FEAT_TTL */
 +    t = FIELD_DP64(t, ID_AA64MMFR2, BBM, 2);      /* FEAT_BBM at level 2 */
      cpu->isar.id_aa64mmfr2 = t;
      t = cpu->isar.id_aa64zfr0;
      t = FIELD_DP64(t, ID_AA64ZFR0, SVEVER, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, AES, 2);  /* PMULL */
 -    t = FIELD_DP64(t, ID_AA64ZFR0, BITPERM, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, BFLOAT16, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, SHA3, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, SM4, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, I8MM, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, F32MM, 1);
 -    t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);
 +    t = FIELD_DP64(t, ID_AA64ZFR0, AES, 2);       /* FEAT_SVE_PMULL128 */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, BITPERM, 1);   /* FEAT_SVE_BitPerm */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, BFLOAT16, 1);  /* FEAT_BF16 */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, SHA3, 1);      /* FEAT_SVE_SHA3 */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, SM4, 1);       /* FEAT_SVE_SM4 */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, I8MM, 1);      /* FEAT_I8MM */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, F32MM, 1);     /* FEAT_F32MM */
 +    t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);     /* FEAT_F64MM */
      cpu->isar.id_aa64zfr0 = t;
      t = cpu->isar.id_aa64dfr0;
 -    t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
 +    t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
      cpu->isar.id_aa64dfr0 = t;
      /* Replicate the same data to the 32-bit id registers.  */
 diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu_tcg.c
 +++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
      /* Add additional features supported by QEMU */
      t = cpu->isar.id_isar5;
 -    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
 -    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, AES, 2);          /* FEAT_PMULL */
 +    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);         /* FEAT_SHA1 */
 +    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);         /* FEAT_SHA256 */
      t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
 -    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
 +    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);          /* FEAT_RDM */
 +    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);         /* FEAT_FCMA */
      cpu->isar.id_isar5 = t;
      t = cpu->isar.id_isar6;
 -    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
 -    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
 +    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);        /* FEAT_JSCVT */
 +    t = FIELD_DP32(t, ID_ISAR6, DP, 1);           /* Feat_DotProd */
 +    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);          /* FEAT_FHM */
 +    t = FIELD_DP32(t, ID_ISAR6, SB, 1);           /* FEAT_SB */
 +    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);      /* FEAT_SPECRES */
 +    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);         /* FEAT_AA32BF16 */
 +    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);         /* FEAT_AA32I8MM */
      cpu->isar.id_isar6 = t;
      t = cpu->isar.mvfr1;
 -    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
 -    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
 +    t = FIELD_DP32(t, MVFR1, FPHP, 3);            /* FEAT_FP16 */
 +    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);          /* FEAT_FP16 */
      cpu->isar.mvfr1 = t;
      t = cpu->isar.mvfr2;
 -    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
 -    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
 +    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3);        /* SIMD MaxNum */
 +    t = FIELD_DP32(t, MVFR2, FPMISC, 4);          /* FP MaxNum */
      cpu->isar.mvfr2 = t;
      t = cpu->isar.id_mmfr3;
 -    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
 +    t = FIELD_DP32(t, ID_MMFR3, PAN, 2);          /* FEAT_PAN2 */
      cpu->isar.id_mmfr3 = t;
      t = cpu->isar.id_mmfr4;
 -    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
 -    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
 -    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
 -    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
 +    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1);         /* FEAT_AA32HPD */
 +    t = FIELD_DP32(t, ID_MMFR4, AC2, 1);          /* ACTLR2, HACTLR2 */
 +    t = FIELD_DP32(t, ID_MMFR4, CNP, 1);          /* FEAT_TTCNP */
 +    t = FIELD_DP32(t, ID_MMFR4, XNX, 1);          /* FEAT_XNX*/
      cpu->isar.id_mmfr4 = t;
      t = cpu->isar.id_pfr0;
 -    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
 +    t = FIELD_DP32(t, ID_PFR0, DIT, 1);           /* FEAT_DIT */
      cpu->isar.id_pfr0 = t;
      t = cpu->isar.id_pfr2;
 -    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
 +    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);          /* FEAT_SSBS */
      cpu->isar.id_pfr2 = t;
      t = cpu->isar.id_dfr0;
 -    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
 +    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5);       /* FEAT_PMUv3p4 */
      cpu->isar.id_dfr0 = t;
  }
+ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+ {
+     hwaddr ipa;
+     int s1_prot;
+-    int ret;
+     bool is_secure = ptw->in_secure;
+-    bool ipa_secure, s2walk_secure;
++    bool ret, ipa_secure, s2walk_secure;
+     ARMCacheAttrs cacheattrs1;
+     bool is_el0;
+     uint64_t hcr;
+@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+          && (ipa_secure
+              || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
+-    return 0;
++    return false;
+ }
+ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
 --
 .25.1

-[PULL 28/32] qtest/numa-test: Specify CPU topology in aarch64_numa_cpu()
+[PULL 15/24] target/arm: Introduce curr_insn_len
-From: Gavin Shan <gshan@redhat.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The CPU topology isn't enabled on arm/virt machine yet, but we're
+A simple helper to retrieve the length of the current insn.
 going to do it in next patch. After the CPU topology is enabled by
 next patch, "thread-id=1" becomes invalid because the CPU core is
 preferred on arm/virt machine. It means these two CPUs have 0/1
 as their core IDs, but their thread IDs are all 0. It will trigger
 test failure as the following message indicates:
-  [14/21 qemu:qtest+qtest-aarch64 / qtest-aarch64/numa-test  ERROR
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-.48s   killed by signal 6 SIGABRT
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-  >>> G_TEST_DBUS_DAEMON=/home/gavin/sandbox/qemu.main/tests/dbus-vmstate-daemon.sh \
+Message-id: 20221020030641.2066807-2-richard.henderson@linaro.org
       QTEST_QEMU_STORAGE_DAEMON_BINARY=./storage-daemon/qemu-storage-daemon         \
       QTEST_QEMU_BINARY=./qemu-system-aarch64                                       \
       QTEST_QEMU_IMG=./qemu-img MALLOC_PERTURB_=83                                  \
       /home/gavin/sandbox/qemu.main/build/tests/qtest/numa-test --tap -k
   ――――――――――――――――――――――――――――――――――――――――――――――
   stderr:
   qemu-system-aarch64: -numa cpu,node-id=0,thread-id=1: no match found
 This fixes the issue by providing comprehensive SMP configurations
 in aarch64_numa_cpu(). The SMP configurations aren't used before
 the CPU topology is enabled in next patch.
 Signed-off-by: Gavin Shan <gshan@redhat.com>
 Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
 Message-id: 20220503140304.855514-3-gshan@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- tests/qtest/numa-test.c | 3 ++-
+ target/arm/translate.h     | 5 +++++
-file changed, 2 insertions(+), 1 deletion(-)
+ target/arm/translate-vfp.c | 2 +-
  target/arm/translate.c     | 5 ++---
 files changed, 8 insertions(+), 4 deletions(-)
-diff --git a/tests/qtest/numa-test.c b/tests/qtest/numa-test.c
+diff --git a/target/arm/translate.h b/target/arm/translate.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/numa-test.c
+--- a/target/arm/translate.h
-+++ b/tests/qtest/numa-test.c
++++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static void aarch64_numa_cpu(const void *data)
+@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
-     QTestState *qts;
+     s->insn_start = NULL;
-     g_autofree char *cli = NULL;
+ }
--    cli = make_cli(data, "-machine smp.cpus=2 "
++static inline int curr_insn_len(DisasContext *s)
-+    cli = make_cli(data, "-machine "
++{
-+        "smp.cpus=2,smp.sockets=1,smp.clusters=1,smp.cores=1,smp.threads=2 "
++    return s->base.pc_next - s->pc_curr;
-         "-numa node,nodeid=0,memdev=ram -numa node,nodeid=1 "
++}
-         "-numa cpu,node-id=1,thread-id=0 "
++
-         "-numa cpu,node-id=0,thread-id=1");
+ /* is_jmp field values */
  #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
  /* CPU state was modified dynamically; exit to main loop for interrupts. */
 diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c
 +++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
      if (s->sme_trap_nonstreaming) {
          gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                             syn_smetrap(SME_ET_Streaming,
 -                                       s->base.pc_next - s->pc_curr == 2));
 +                                       curr_insn_len(s) == 2));
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
      /* ISS not valid if writeback */
      if (p && !w) {
          ret = rd;
 -        if (s->base.pc_next - s->pc_curr == 2) {
 +        if (curr_insn_len(s) == 2) {
              ret |= ISSIs16Bit;
          }
      } else {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              /* nothing more to generate */
              break;
          case DISAS_WFI:
 -            gen_helper_wfi(cpu_env,
 -                           tcg_constant_i32(dc->base.pc_next - dc->pc_curr));
 +            gen_helper_wfi(cpu_env, tcg_constant_i32(curr_insn_len(dc)));
              /*
               * The helper doesn't necessarily throw an exception, but we
               * must go back to the main loop to check for interrupts anyway.
 --
 .25.1

-[PULL 13/32] target/arm: Enable FEAT_Debugv8p4 for -cpu max
+[PULL 16/24] target/arm: Change gen_goto_tb to work on displacements
 From: Richard Henderson <richard.henderson@linaro.org>
-This extension concerns changes to the External Debug interface,
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
 with Secure and Non-secure access to the debug registers, and all
 of it is outside the scope of QEMU.  Indicating support for this
 is mandatory with FEAT_SEL2, which we do implement.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-13-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-3-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst | 1 +
+ target/arm/translate-a64.c | 40 ++++++++++++++++++++------------------
- target/arm/cpu64.c            | 2 +-
+ target/arm/translate.c     | 10 ++++++----
- target/arm/cpu_tcg.c          | 4 ++--
+files changed, 27 insertions(+), 23 deletions(-)
 files changed, 4 insertions(+), 3 deletions(-)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
+--- a/target/arm/translate-a64.c
-+++ b/docs/system/arm/emulation.rst
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, uint64_t dest)
- - FEAT_DIT (Data Independent Timing instructions)
+     return translator_use_goto_tb(&s->base, dest);
- - FEAT_DPB (DC CVAP instruction)
+ }
- - FEAT_Debugv8p2 (Debug changes for v8.2)
-+- FEAT_Debugv8p4 (Debug changes for v8.4)
+-static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
- - FEAT_DotProd (Advanced SIMD dot product instructions)
++static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
- - FEAT_FCMA (Floating-point complex number instructions)
+ {
- - FEAT_FHM (Floating-point half-precision multiplication instructions)
++    uint64_t dest = s->pc_curr + diff;
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++
      if (use_goto_tb(s, dest)) {
          tcg_gen_goto_tb(n);
          gen_a64_set_pc_im(dest);
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
   */
  static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
  {
 -    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
 +    int64_t diff = sextract32(insn, 0, 26) * 4;
      if (insn & (1U << 31)) {
          /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
      /* B Branch / BL Branch with link */
      reset_btype(s);
 -    gen_goto_tb(s, 0, addr);
 +    gen_goto_tb(s, 0, diff);
  }
  /* Compare and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
  static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
  {
      unsigned int sf, op, rt;
 -    uint64_t addr;
 +    int64_t diff;
      TCGLabel *label_match;
      TCGv_i64 tcg_cmp;
      sf = extract32(insn, 31, 1);
      op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
      rt = extract32(insn, 0, 5);
 -    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
 +    diff = sextract32(insn, 5, 19) * 4;
      tcg_cmp = read_cpu_reg(s, rt, sf);
      label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
 -    gen_goto_tb(s, 0, s->base.pc_next);
 +    gen_goto_tb(s, 0, 4);
      gen_set_label(label_match);
 -    gen_goto_tb(s, 1, addr);
 +    gen_goto_tb(s, 1, diff);
  }
  /* Test and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
  static void disas_test_b_imm(DisasContext *s, uint32_t insn)
  {
      unsigned int bit_pos, op, rt;
 -    uint64_t addr;
 +    int64_t diff;
      TCGLabel *label_match;
      TCGv_i64 tcg_cmp;
      bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
      op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
 -    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
 +    diff = sextract32(insn, 5, 14) * 4;
      rt = extract32(insn, 0, 5);
      tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                          tcg_cmp, 0, label_match);
      tcg_temp_free_i64(tcg_cmp);
 -    gen_goto_tb(s, 0, s->base.pc_next);
 +    gen_goto_tb(s, 0, 4);
      gen_set_label(label_match);
 -    gen_goto_tb(s, 1, addr);
 +    gen_goto_tb(s, 1, diff);
  }
  /* Conditional branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
  static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
  {
      unsigned int cond;
 -    uint64_t addr;
 +    int64_t diff;
      if ((insn & (1 << 4)) || (insn & (1 << 24))) {
          unallocated_encoding(s);
          return;
      }
 -    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
 +    diff = sextract32(insn, 5, 19) * 4;
      cond = extract32(insn, 0, 4);
      reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
          /* genuinely conditional branches */
          TCGLabel *label_match = gen_new_label();
          arm_gen_test_cc(cond, label_match);
 -        gen_goto_tb(s, 0, s->base.pc_next);
 +        gen_goto_tb(s, 0, 4);
          gen_set_label(label_match);
 -        gen_goto_tb(s, 1, addr);
 +        gen_goto_tb(s, 1, diff);
      } else {
          /* 0xe and 0xf are both "always" conditions */
 -        gen_goto_tb(s, 0, addr);
 +        gen_goto_tb(s, 0, diff);
      }
  }
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * any pending interrupts immediately.
           */
          reset_btype(s);
 -        gen_goto_tb(s, 0, s->base.pc_next);
 +        gen_goto_tb(s, 0, 4);
          return;
      case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
           * MB and end the TB instead.
           */
          tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
 -        gen_goto_tb(s, 0, s->base.pc_next);
 +        gen_goto_tb(s, 0, 4);
          return;
      default:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          switch (dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->base.pc_next);
 +            gen_goto_tb(dc, 1, 4);
              break;
          default:
          case DISAS_UPDATE_EXIT:
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu64.c
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
-     cpu->isar.id_aa64zfr0 = t;
+  * cpu_loop_exec. Any live exit_requests will be processed as we
+  * enter the next TB.
-     t = cpu->isar.id_aa64dfr0;
+  */
--    t = FIELD_DP64(t, ID_AA64DFR0, DEBUGVER, 8);  /* FEAT_Debugv8p2 */
+-static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
-+    t = FIELD_DP64(t, ID_AA64DFR0, DEBUGVER, 9);  /* FEAT_Debugv8p4 */
++static void gen_goto_tb(DisasContext *s, int n, int diff)
-     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
+ {
-     cpu->isar.id_aa64dfr0 = t;
++    target_ulong dest = s->pc_curr + diff;
++
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
+     if (translator_use_goto_tb(&s->base, dest)) {
-index XXXXXXX..XXXXXXX 100644
+         tcg_gen_goto_tb(n);
---- a/target/arm/cpu_tcg.c
+         gen_set_pc_im(s, dest);
-+++ b/target/arm/cpu_tcg.c
+@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
-@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
+          *    gen_jmp();
-     cpu->isar.id_pfr2 = t;
+          * on the second call to gen_jmp().
+          */
-     t = cpu->isar.id_dfr0;
+-        gen_goto_tb(s, tbno, dest);
--    t = FIELD_DP32(t, ID_DFR0, COPDBG, 8);        /* FEAT_Debugv8p2 */
++        gen_goto_tb(s, tbno, dest - s->pc_curr);
--    t = FIELD_DP32(t, ID_DFR0, COPSDBG, 8);       /* FEAT_Debugv8p2 */
+         break;
-+    t = FIELD_DP32(t, ID_DFR0, COPDBG, 9);        /* FEAT_Debugv8p4 */
+     case DISAS_UPDATE_NOCHAIN:
-+    t = FIELD_DP32(t, ID_DFR0, COPSDBG, 9);       /* FEAT_Debugv8p4 */
+     case DISAS_UPDATE_EXIT:
-     t = FIELD_DP32(t, ID_DFR0, PERFMON, 5);       /* FEAT_PMUv3p4 */
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
-     cpu->isar.id_dfr0 = t;
+         switch (dc->base.is_jmp) {
          case DISAS_NEXT:
          case DISAS_TOO_MANY:
 -            gen_goto_tb(dc, 1, dc->base.pc_next);
 +            gen_goto_tb(dc, 1, curr_insn_len(dc));
              break;
          case DISAS_UPDATE_NOCHAIN:
              gen_set_pc_im(dc, dc->base.pc_next);
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              gen_set_pc_im(dc, dc->base.pc_next);
              gen_singlestep_exception(dc);
          } else {
 -            gen_goto_tb(dc, 1, dc->base.pc_next);
 +            gen_goto_tb(dc, 1, curr_insn_len(dc));
          }
      }
  }
 --
 .25.1

-[PULL 26/32] hw/arm: add versioning to sbsa-ref machine DT
+[PULL 17/24] target/arm: Change gen_*set_pc_im to gen_*update_pc
-From: Leif Lindholm <quic_llindhol@quicinc.com>
+From: Richard Henderson <richard.henderson@linaro.org>
-The sbsa-ref machine is continuously evolving. Some of the changes we
+In preparation for TARGET_TB_PCREL, reduce reliance on
-want to make in the near future, to align with real components (e.g.
+absolute values by passing in pc difference.
 the GIC-700), will break compatibility for existing firmware.
-Introduce two new properties to the DT generated on machine generation:
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-- machine-version-major
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-  To be incremented when a platform change makes the machine
+Message-id: 20221020030641.2066807-4-richard.henderson@linaro.org
   incompatible with existing firmware.
 - machine-version-minor
   To be incremented when functionality is added to the machine
   without causing incompatibility with existing firmware.
   to be reset to 0 when machine-version-major is incremented.
 This versioning scheme is *neither*:
 - A QEMU versioned machine type; a given version of QEMU will emulate
   a given version of the platform.
 - A reflection of level of SBSA (now SystemReady SR) support provided.
 The version will increment on guest-visible functional changes only,
 akin to a revision ID register found on a physical platform.
 These properties are both introduced with the value 0.
 (Hence, a machine where the DT is lacking these nodes is equivalent
 to version 0.0.)
 Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
 Message-id: 20220505113947.75714-1-quic_llindhol@quicinc.com
 Cc: Peter Maydell <peter.maydell@linaro.org>
 Cc: Radoslaw Biernacki <rad@semihalf.com>
 Cc: Cédric Le Goater <clg@kaod.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- hw/arm/sbsa-ref.c | 14 ++++++++++++++
+ target/arm/translate-a32.h |  2 +-
-file changed, 14 insertions(+)
+ target/arm/translate.h     |  6 ++--
  target/arm/translate-a64.c | 32 +++++++++---------
  target/arm/translate-vfp.c |  2 +-
  target/arm/translate.c     | 68 ++++++++++++++++++++------------------
 files changed, 56 insertions(+), 54 deletions(-)
-diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
+diff --git a/target/arm/translate-a32.h b/target/arm/translate-a32.h
 index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/sbsa-ref.c
+--- a/target/arm/translate-a32.h
-+++ b/hw/arm/sbsa-ref.c
++++ b/target/arm/translate-a32.h
-@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)
+@@ -XXX,XX +XXX,XX @@ void write_neon_element64(TCGv_i64 src, int reg, int ele, MemOp memop);
-     qemu_fdt_setprop_cell(fdt, "/", "#address-cells", 0x2);
+ TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs);
-     qemu_fdt_setprop_cell(fdt, "/", "#size-cells", 0x2);
+ void gen_set_cpsr(TCGv_i32 var, uint32_t mask);
+ void gen_set_condexec(DisasContext *s);
-+    /*
+-void gen_set_pc_im(DisasContext *s, target_ulong val);
-+     * This versioning scheme is for informing platform fw only. It is neither:
++void gen_update_pc(DisasContext *s, target_long diff);
-+     * - A QEMU versioned machine type; a given version of QEMU will emulate
+ void gen_lookup_tb(DisasContext *s);
-+     *   a given version of the platform.
+ long vfp_reg_offset(bool dp, unsigned reg);
-+     * - A reflection of level of SBSA (now SystemReady SR) support provided.
+ long neon_full_reg_offset(unsigned reg);
-+     *
+diff --git a/target/arm/translate.h b/target/arm/translate.h
-+     * machine-version-major: updated when changes breaking fw compatibility
+index XXXXXXX..XXXXXXX 100644
-+     *                        are introduced.
+--- a/target/arm/translate.h
-+     * machine-version-minor: updated when features are added that don't break
++++ b/target/arm/translate.h
-+     *                        fw compatibility.
+@@ -XXX,XX +XXX,XX @@ static inline int curr_insn_len(DisasContext *s)
-+     */
+  * For instructions which want an immediate exit to the main loop, as opposed
-+    qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);
+  * to attempting to use lookup_and_goto_ptr.  Unlike DISAS_UPDATE_EXIT, this
-+    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 0);
+  * doesn't write the PC on exiting the translation loop so you need to ensure
 - * something (gen_a64_set_pc_im or runtime helper) has done so before we reach
 + * something (gen_a64_update_pc or runtime helper) has done so before we reach
   * return from cpu_tb_exec.
   */
  #define DISAS_EXIT      DISAS_TARGET_9
@@ -XXX,XX +XXX,XX @@ static inline int curr_insn_len(DisasContext *s)
  #ifdef TARGET_AARCH64
  void a64_translate_init(void);
 -void gen_a64_set_pc_im(uint64_t val);
 +void gen_a64_update_pc(DisasContext *s, target_long diff);
  extern const TranslatorOps aarch64_translator_ops;
  #else
  static inline void a64_translate_init(void)
  {
  }
 -static inline void gen_a64_set_pc_im(uint64_t val)
 +static inline void gen_a64_update_pc(DisasContext *s, target_long diff)
  {
  }
  #endif
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
      }
  }
 -void gen_a64_set_pc_im(uint64_t val)
 +void gen_a64_update_pc(DisasContext *s, target_long diff)
  {
 -    tcg_gen_movi_i64(cpu_pc, val);
 +    tcg_gen_movi_i64(cpu_pc, s->pc_curr + diff);
  }
  /*
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
  static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
  {
 -    gen_a64_set_pc_im(pc);
 +    gen_a64_update_pc(s, pc - s->pc_curr);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
  static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syndrome)
  {
 -    gen_a64_set_pc_im(s->pc_curr);
 +    gen_a64_update_pc(s, 0);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_constant_i32(syndrome));
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
      if (use_goto_tb(s, dest)) {
          tcg_gen_goto_tb(n);
 -        gen_a64_set_pc_im(dest);
 +        gen_a64_update_pc(s, diff);
          tcg_gen_exit_tb(s->base.tb, n);
          s->base.is_jmp = DISAS_NORETURN;
      } else {
 -        gen_a64_set_pc_im(dest);
 +        gen_a64_update_pc(s, diff);
          if (s->ss_active) {
              gen_step_complete_exception(s);
          } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          uint32_t syndrome;
          syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
 -        gen_a64_set_pc_im(s->pc_curr);
 +        gen_a64_update_pc(s, 0);
          gen_helper_access_check_cp_reg(cpu_env,
                                         tcg_constant_ptr(ri),
                                         tcg_constant_i32(syndrome),
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
           * The readfn or writefn might raise an exception;
           * synchronize the CPU state in case it does.
           */
 -        gen_a64_set_pc_im(s->pc_curr);
 +        gen_a64_update_pc(s, 0);
      }
      /* Handle special cases first */
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              /* The pre HVC helper handles cases when HVC gets trapped
               * as an undefined insn by runtime configuration.
               */
 -            gen_a64_set_pc_im(s->pc_curr);
 +            gen_a64_update_pc(s, 0);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
              gen_exception_insn_el(s, s->base.pc_next, EXCP_HVC,
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                  unallocated_encoding(s);
                  break;
              }
 -            gen_a64_set_pc_im(s->pc_curr);
 +            gen_a64_update_pc(s, 0);
              gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa64_smc(imm16)));
              gen_ss_advance(s);
              gen_exception_insn_el(s, s->base.pc_next, EXCP_SMC,
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
           */
          switch (dc->base.is_jmp) {
          default:
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              /* fall through */
          case DISAS_EXIT:
          case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              break;
          default:
          case DISAS_UPDATE_EXIT:
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              /* fall through */
          case DISAS_EXIT:
              tcg_gen_exit_tb(NULL, 0);
              break;
          case DISAS_UPDATE_NOCHAIN:
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              /* fall through */
          case DISAS_JUMP:
              tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_SWI:
              break;
          case DISAS_WFE:
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              gen_helper_wfe(cpu_env);
              break;
          case DISAS_YIELD:
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              gen_helper_yield(cpu_env);
              break;
          case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
               * This is a special case because we don't want to just halt
               * the CPU if trying to debug across a WFI.
               */
 -            gen_a64_set_pc_im(dc->base.pc_next);
 +            gen_a64_update_pc(dc, 4);
              gen_helper_wfi(cpu_env, tcg_constant_i32(4));
              /*
               * The helper doesn't necessarily throw an exception, but we
 diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c
 +++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
          case ARM_VFP_FPSID:
              if (s->current_el == 1) {
                  gen_set_condexec(s);
 -                gen_set_pc_im(s, s->pc_curr);
 +                gen_update_pc(s, 0);
                  gen_helper_check_hcr_el2_trap(cpu_env,
                                                tcg_constant_i32(a->rt),
                                                tcg_constant_i32(a->reg));
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ void gen_set_condexec(DisasContext *s)
      }
  }
 -void gen_set_pc_im(DisasContext *s, target_ulong val)
 +void gen_update_pc(DisasContext *s, target_long diff)
  {
 -    tcg_gen_movi_i32(cpu_R[15], val);
 +    tcg_gen_movi_i32(cpu_R[15], s->pc_curr + diff);
  }
  /* Set PC and Thumb state from var.  var is marked as dead.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_bxns(DisasContext *s, int rm)
      /* The bxns helper may raise an EXCEPTION_EXIT exception, so in theory
       * we need to sync state before calling it, but:
 -     *  - we don't need to do gen_set_pc_im() because the bxns helper will
 +     *  - we don't need to do gen_update_pc() because the bxns helper will
       *    always set the PC itself
       *  - we don't need to do gen_set_condexec() because BXNS is UNPREDICTABLE
       *    unless it's outside an IT block or the last insn in an IT block,
@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
       * We do however need to set the PC, because the blxns helper reads it.
       * The blxns helper may throw an exception.
       */
 -    gen_set_pc_im(s, s->base.pc_next);
 +    gen_update_pc(s, curr_insn_len(s));
      gen_helper_v7m_blxns(cpu_env, var);
      tcg_temp_free_i32(var);
      s->base.is_jmp = DISAS_EXIT;
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * as an undefined insn by runtime configuration (ie before
       * the insn really executes).
       */
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      gen_helper_pre_hvc(cpu_env);
      /* Otherwise we will treat this as a real exception which
       * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
       * for single stepping.)
       */
      s->svc_imm = imm16;
 -    gen_set_pc_im(s, s->base.pc_next);
 +    gen_update_pc(s, curr_insn_len(s));
      s->base.is_jmp = DISAS_HVC;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
      /* As with HVC, we may take an exception either before or after
       * the insn executes.
       */
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa32_smc()));
 -    gen_set_pc_im(s, s->base.pc_next);
 +    gen_update_pc(s, curr_insn_len(s));
      s->base.is_jmp = DISAS_SMC;
  }
  static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, pc);
 +    gen_update_pc(s, pc - s->pc_curr);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn_el_v(DisasContext *s, uint64_t pc, int excp,
                                      uint32_t syn, TCGv_i32 tcg_el)
  {
      if (s->aarch64) {
 -        gen_a64_set_pc_im(pc);
 +        gen_a64_update_pc(s, pc - s->pc_curr);
      } else {
          gen_set_condexec(s);
 -        gen_set_pc_im(s, pc);
 +        gen_update_pc(s, pc - s->pc_curr);
      }
      gen_exception_el_v(excp, syn, tcg_el);
      s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
  void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
  {
      if (s->aarch64) {
 -        gen_a64_set_pc_im(pc);
 +        gen_a64_update_pc(s, pc - s->pc_curr);
      } else {
          gen_set_condexec(s);
 -        gen_set_pc_im(s, pc);
 +        gen_update_pc(s, pc - s->pc_curr);
      }
      gen_exception(excp, syn);
      s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
  static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
  {
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      gen_helper_exception_bkpt_insn(cpu_env, tcg_constant_i32(syn));
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
      if (translator_use_goto_tb(&s->base, dest)) {
          tcg_gen_goto_tb(n);
 -        gen_set_pc_im(s, dest);
 +        gen_update_pc(s, diff);
          tcg_gen_exit_tb(s->base.tb, n);
      } else {
 -        gen_set_pc_im(s, dest);
 +        gen_update_pc(s, diff);
          gen_goto_ptr();
      }
      s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
  /* Jump, specifying which TB number to use if we gen_goto_tb() */
  static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
  {
 +    int diff = dest - s->pc_curr;
 +
-     if (ms->numa_state->have_numa_distance) {
+     if (unlikely(s->ss_active)) {
-         int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
+         /* An indirect jump so that we still trigger the debug exception.  */
-         uint32_t *matrix = g_malloc0(size);
+-        gen_set_pc_im(s, dest);
 +        gen_update_pc(s, diff);
          s->base.is_jmp = DISAS_JUMP;
          return;
      }
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
           *    gen_jmp();
           * on the second call to gen_jmp().
           */
 -        gen_goto_tb(s, tbno, dest - s->pc_curr);
 +        gen_goto_tb(s, tbno, diff);
          break;
      case DISAS_UPDATE_NOCHAIN:
      case DISAS_UPDATE_EXIT:
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
           * Avoid using goto_tb so we really do exit back to the main loop
           * and don't chain to another TB.
           */
 -        gen_set_pc_im(s, dest);
 +        gen_update_pc(s, diff);
          gen_goto_ptr();
          s->base.is_jmp = DISAS_NORETURN;
          break;
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because msr_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      tcg_reg = load_reg(s, rn);
      gen_helper_msr_banked(cpu_env, tcg_reg,
                            tcg_constant_i32(tgtmode),
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
      /* Sync state because mrs_banked() can raise exceptions */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      tcg_reg = tcg_temp_new_i32();
      gen_helper_mrs_banked(tcg_reg, cpu_env,
                            tcg_constant_i32(tgtmode),
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
              }
              gen_set_condexec(s);
 -            gen_set_pc_im(s, s->pc_curr);
 +            gen_update_pc(s, 0);
              gen_helper_access_check_cp_reg(cpu_env,
                                             tcg_constant_ptr(ri),
                                             tcg_constant_i32(syndrome),
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
               * synchronize the CPU state in case it does.
               */
              gen_set_condexec(s);
 -            gen_set_pc_im(s, s->pc_curr);
 +            gen_update_pc(s, 0);
          }
          /* Handle special cases first */
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
                  unallocated_encoding(s);
                  return;
              }
 -            gen_set_pc_im(s, s->base.pc_next);
 +            gen_update_pc(s, curr_insn_len(s));
              s->base.is_jmp = DISAS_WFI;
              return;
          default:
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      addr = tcg_temp_new_i32();
      /* get_r13_banked() will raise an exception if called from System mode */
      gen_set_condexec(s);
 -    gen_set_pc_im(s, s->pc_curr);
 +    gen_update_pc(s, 0);
      gen_helper_get_r13_banked(addr, cpu_env, tcg_constant_i32(mode));
      switch (amode) {
      case 0: /* DA */
@@ -XXX,XX +XXX,XX @@ static bool trans_YIELD(DisasContext *s, arg_YIELD *a)
       * scheduling of other vCPUs.
       */
      if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -        gen_set_pc_im(s, s->base.pc_next);
 +        gen_update_pc(s, curr_insn_len(s));
          s->base.is_jmp = DISAS_YIELD;
      }
      return true;
@@ -XXX,XX +XXX,XX @@ static bool trans_WFE(DisasContext *s, arg_WFE *a)
       * implemented so we can't sleep like WFI does.
       */
      if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
 -        gen_set_pc_im(s, s->base.pc_next);
 +        gen_update_pc(s, curr_insn_len(s));
          s->base.is_jmp = DISAS_WFE;
      }
      return true;
@@ -XXX,XX +XXX,XX @@ static bool trans_WFE(DisasContext *s, arg_WFE *a)
  static bool trans_WFI(DisasContext *s, arg_WFI *a)
  {
      /* For WFI, halt the vCPU until an IRQ. */
 -    gen_set_pc_im(s, s->base.pc_next);
 +    gen_update_pc(s, curr_insn_len(s));
      s->base.is_jmp = DISAS_WFI;
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_SVC(DisasContext *s, arg_SVC *a)
          (a->imm == semihost_imm)) {
          gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
      } else {
 -        gen_set_pc_im(s, s->base.pc_next);
 +        gen_update_pc(s, curr_insn_len(s));
          s->svc_imm = a->imm;
          s->base.is_jmp = DISAS_SWI;
      }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          case DISAS_TOO_MANY:
          case DISAS_UPDATE_EXIT:
          case DISAS_UPDATE_NOCHAIN:
 -            gen_set_pc_im(dc, dc->base.pc_next);
 +            gen_update_pc(dc, curr_insn_len(dc));
              /* fall through */
          default:
              /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              gen_goto_tb(dc, 1, curr_insn_len(dc));
              break;
          case DISAS_UPDATE_NOCHAIN:
 -            gen_set_pc_im(dc, dc->base.pc_next);
 +            gen_update_pc(dc, curr_insn_len(dc));
              /* fall through */
          case DISAS_JUMP:
              gen_goto_ptr();
              break;
          case DISAS_UPDATE_EXIT:
 -            gen_set_pc_im(dc, dc->base.pc_next);
 +            gen_update_pc(dc, curr_insn_len(dc));
              /* fall through */
          default:
              /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          gen_set_label(dc->condlabel);
          gen_set_condexec(dc);
          if (unlikely(dc->ss_active)) {
 -            gen_set_pc_im(dc, dc->base.pc_next);
 +            gen_update_pc(dc, curr_insn_len(dc));
              gen_singlestep_exception(dc);
          } else {
              gen_goto_tb(dc, 1, curr_insn_len(dc));
 --
 .25.1

-[PULL 23/32] target/arm: Enable FEAT_DGH for -cpu max
+[PULL 18/24] target/arm: Change gen_exception_insn* to work on displacements
 From: Richard Henderson <richard.henderson@linaro.org>
-This extension concerns not merging memory access, which TCG does
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
-not implement.  Thus we can trivially enable this feature.
-Add a comment to handle_hint for the DGH instruction, but no code.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-23-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-5-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst | 1 +
+ target/arm/translate.h        |  5 +++--
- target/arm/cpu64.c            | 1 +
+ target/arm/translate-a64.c    | 28 ++++++++++-------------
- target/arm/translate-a64.c    | 1 +
+ target/arm/translate-m-nocp.c |  6 ++---
-files changed, 3 insertions(+)
+ target/arm/translate-mve.c    |  2 +-
+ target/arm/translate-vfp.c    |  6 ++---
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+ target/arm/translate.c        | 42 +++++++++++++++++------------------
-index XXXXXXX..XXXXXXX 100644
+files changed, 43 insertions(+), 46 deletions(-)
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
+diff --git a/target/arm/translate.h b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+index XXXXXXX..XXXXXXX 100644
- - FEAT_CSV2_1p2 (Cache speculation variant 2, version 1.2)
+--- a/target/arm/translate.h
- - FEAT_CSV2_2 (Cache speculation variant 2, version 2)
++++ b/target/arm/translate.h
- - FEAT_CSV3 (Cache speculation variant 3)
+@@ -XXX,XX +XXX,XX @@ void arm_jump_cc(DisasCompare *cmp, TCGLabel *label);
-+- FEAT_DGH (Data gathering hint)
+ void arm_gen_test_cc(int cc, TCGLabel *label);
- - FEAT_DIT (Data Independent Timing instructions)
+ MemOp pow2_align(unsigned i);
- - FEAT_DPB (DC CVAP instruction)
+ void unallocated_encoding(DisasContext *s);
- - FEAT_Debugv8p2 (Debug changes for v8.2)
+-void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
++void gen_exception_insn_el(DisasContext *s, target_long pc_diff, int excp,
-index XXXXXXX..XXXXXXX 100644
+                            uint32_t syn, uint32_t target_el);
---- a/target/arm/cpu64.c
+-void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn);
-+++ b/target/arm/cpu64.c
++void gen_exception_insn(DisasContext *s, target_long pc_diff,
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
++                        int excp, uint32_t syn);
-     t = FIELD_DP64(t, ID_AA64ISAR1, SB, 1);       /* FEAT_SB */
-     t = FIELD_DP64(t, ID_AA64ISAR1, SPECRES, 1);  /* FEAT_SPECRES */
+ /* Return state of Alternate Half-precision flag, caller frees result */
-     t = FIELD_DP64(t, ID_AA64ISAR1, BF16, 1);     /* FEAT_BF16 */
+ static inline TCGv_i32 get_ahp_flag(void)
 +    t = FIELD_DP64(t, ID_AA64ISAR1, DGH, 1);      /* FEAT_DGH */
      t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);     /* FEAT_I8MM */
      cpu->isar.id_aa64isar1 = t;
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void handle_hint(DisasContext *s, uint32_t insn,
+@@ -XXX,XX +XXX,XX @@ static bool fp_access_check_only(DisasContext *s)
-         break;
+         assert(!s->fp_access_checked);
-     case 0b00100: /* SEV */
+         s->fp_access_checked = true;
-     case 0b00101: /* SEVL */
-+    case 0b00110: /* DGH */
+-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
-         /* we treat all as NOP at least for now */
++        gen_exception_insn_el(s, 0, EXCP_UDEF,
-         break;
+                               syn_fp_access_trap(1, 0xe, false, 0),
-     case 0b00111: /* XPACLRI */
+                               s->fp_excp_el);
          return false;
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
          return false;
      }
      if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn(s, 0, EXCP_UDEF,
                             syn_smetrap(SME_ET_Streaming, false));
          return false;
      }
@@ -XXX,XX +XXX,XX @@ bool sve_access_check(DisasContext *s)
              goto fail_exit;
          }
      } else if (s->sve_excp_el) {
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn_el(s, 0, EXCP_UDEF,
                                syn_sve_access_trap(), s->sve_excp_el);
          goto fail_exit;
      }
@@ -XXX,XX +XXX,XX @@ bool sve_access_check(DisasContext *s)
  static bool sme_access_check(DisasContext *s)
  {
      if (s->sme_excp_el) {
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn_el(s, 0, EXCP_UDEF,
                                syn_smetrap(SME_ET_AccessTrap, false),
                                s->sme_excp_el);
          return false;
@@ -XXX,XX +XXX,XX @@ bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
          return false;
      }
      if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn(s, 0, EXCP_UDEF,
                             syn_smetrap(SME_ET_NotStreaming, false));
          return false;
      }
      if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn(s, 0, EXCP_UDEF,
                             syn_smetrap(SME_ET_InactiveZA, false));
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static void gen_sysreg_undef(DisasContext *s, bool isread,
      } else {
          syndrome = syn_uncategorized();
      }
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syndrome);
 +    gen_exception_insn(s, 0, EXCP_UDEF, syndrome);
  }
  /* MRS - move from system register
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
          switch (op2_ll) {
          case 1:                                                     /* SVC */
              gen_ss_advance(s);
 -            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
 -                               syn_aa64_svc(imm16));
 +            gen_exception_insn(s, 4, EXCP_SWI, syn_aa64_svc(imm16));
              break;
          case 2:                                                     /* HVC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_a64_update_pc(s, 0);
              gen_helper_pre_hvc(cpu_env);
              gen_ss_advance(s);
 -            gen_exception_insn_el(s, s->base.pc_next, EXCP_HVC,
 -                                  syn_aa64_hvc(imm16), 2);
 +            gen_exception_insn_el(s, 4, EXCP_HVC, syn_aa64_hvc(imm16), 2);
              break;
          case 3:                                                     /* SMC */
              if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
              gen_a64_update_pc(s, 0);
              gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa64_smc(imm16)));
              gen_ss_advance(s);
 -            gen_exception_insn_el(s, s->base.pc_next, EXCP_SMC,
 -                                  syn_aa64_smc(imm16), 3);
 +            gen_exception_insn_el(s, 4, EXCP_SMC, syn_aa64_smc(imm16), 3);
              break;
          default:
              unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
           * Illegal execution state. This has priority over BTI
           * exceptions, but comes after instruction abort exceptions.
           */
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_illegalstate());
 +        gen_exception_insn(s, 0, EXCP_UDEF, syn_illegalstate());
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
              if (s->btype != 0
                  && s->guarded_page
                  && !btype_destination_ok(insn, s->bt, s->btype)) {
 -                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 -                                   syn_btitrap(s->btype));
 +                gen_exception_insn(s, 0, EXCP_UDEF, syn_btitrap(s->btype));
                  return;
              }
          } else {
 diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-m-nocp.c
 +++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSCCLRM(DisasContext *s, arg_VSCCLRM *a)
      tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel);
      if (s->fp_excp_el != 0) {
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
 +        gen_exception_insn_el(s, 0, EXCP_NOCP,
                                syn_uncategorized(), s->fp_excp_el);
          return true;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_NOCP(DisasContext *s, arg_nocp *a)
      }
      if (a->cp != 10) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized());
 +        gen_exception_insn(s, 0, EXCP_NOCP, syn_uncategorized());
          return true;
      }
      if (s->fp_excp_el != 0) {
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
 +        gen_exception_insn_el(s, 0, EXCP_NOCP,
                                syn_uncategorized(), s->fp_excp_el);
          return true;
      }
 diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-mve.c
 +++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ bool mve_eci_check(DisasContext *s)
          return true;
      default:
          /* Reserved value: INVSTATE UsageFault */
 -        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
 +        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
          return false;
      }
  }
 diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-vfp.c
 +++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
          int coproc = arm_dc_feature(s, ARM_FEATURE_V8) ? 0 : 0xa;
          uint32_t syn = syn_fp_access_trap(1, 0xe, false, coproc);
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF, syn, s->fp_excp_el);
 +        gen_exception_insn_el(s, 0, EXCP_UDEF, syn, s->fp_excp_el);
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
       * appear to be any insns which touch VFP which are allowed.
       */
      if (s->sme_trap_nonstreaming) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +        gen_exception_insn(s, 0, EXCP_UDEF,
                             syn_smetrap(SME_ET_Streaming,
                                         curr_insn_len(s) == 2));
          return false;
@@ -XXX,XX +XXX,XX @@ bool vfp_access_check_m(DisasContext *s, bool skip_context_update)
           * the encoding space handled by the patterns in m-nocp.decode,
           * and for them we may need to raise NOCP here.
           */
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
 +        gen_exception_insn_el(s, 0, EXCP_NOCP,
                                syn_uncategorized(), s->fp_excp_el);
          return false;
      }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception(int excp, uint32_t syndrome)
                                         tcg_constant_i32(syndrome));
  }
 -static void gen_exception_insn_el_v(DisasContext *s, uint64_t pc, int excp,
 -                                    uint32_t syn, TCGv_i32 tcg_el)
 +static void gen_exception_insn_el_v(DisasContext *s, target_long pc_diff,
 +                                    int excp, uint32_t syn, TCGv_i32 tcg_el)
  {
      if (s->aarch64) {
 -        gen_a64_update_pc(s, pc - s->pc_curr);
 +        gen_a64_update_pc(s, pc_diff);
      } else {
          gen_set_condexec(s);
 -        gen_update_pc(s, pc - s->pc_curr);
 +        gen_update_pc(s, pc_diff);
      }
      gen_exception_el_v(excp, syn, tcg_el);
      s->base.is_jmp = DISAS_NORETURN;
  }
 -void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
 +void gen_exception_insn_el(DisasContext *s, target_long pc_diff, int excp,
                             uint32_t syn, uint32_t target_el)
  {
 -    gen_exception_insn_el_v(s, pc, excp, syn, tcg_constant_i32(target_el));
 +    gen_exception_insn_el_v(s, pc_diff, excp, syn,
 +                            tcg_constant_i32(target_el));
  }
 -void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
 +void gen_exception_insn(DisasContext *s, target_long pc_diff,
 +                        int excp, uint32_t syn)
  {
      if (s->aarch64) {
 -        gen_a64_update_pc(s, pc - s->pc_curr);
 +        gen_a64_update_pc(s, pc_diff);
      } else {
          gen_set_condexec(s);
 -        gen_update_pc(s, pc - s->pc_curr);
 +        gen_update_pc(s, pc_diff);
      }
      gen_exception(excp, syn);
      s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
  void unallocated_encoding(DisasContext *s)
  {
      /* Unallocated and reserved encodings are uncategorized */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized());
 +    gen_exception_insn(s, 0, EXCP_UDEF, syn_uncategorized());
  }
  /* Force a TB lookup after an instruction that changes the CPU state.  */
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
                  tcg_el = tcg_constant_i32(3);
              }
 -            gen_exception_insn_el_v(s, s->pc_curr, EXCP_UDEF,
 +            gen_exception_insn_el_v(s, 0, EXCP_UDEF,
                                      syn_uncategorized(), tcg_el);
              tcg_temp_free_i32(tcg_el);
              return false;
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
  undef:
      /* If we get here then some access check did not pass */
 -    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized());
 +    gen_exception_insn(s, 0, EXCP_UDEF, syn_uncategorized());
      return false;
  }
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
       * For the UNPREDICTABLE cases we choose to UNDEF.
       */
      if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
 -        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
 -                              syn_uncategorized(), 3);
 +        gen_exception_insn_el(s, 0, EXCP_UDEF, syn_uncategorized(), 3);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
           * Do the check-and-raise-exception by hand.
           */
          if (s->fp_excp_el) {
 -            gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
 +            gen_exception_insn_el(s, 0, EXCP_NOCP,
                                    syn_uncategorized(), s->fp_excp_el);
              return true;
          }
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
          tmp = load_cpu_field(v7m.ltpsize);
          tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc);
          tcg_temp_free_i32(tmp);
 -        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
 +        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
          gen_set_label(skipexc);
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
       * UsageFault exception.
       */
      if (arm_dc_feature(s, ARM_FEATURE_M)) {
 -        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
 +        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
           * Illegal execution state. This has priority over BTI
           * exceptions, but comes after instruction abort exceptions.
           */
 -        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_illegalstate());
 +        gen_exception_insn(s, 0, EXCP_UDEF, syn_illegalstate());
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
           * Illegal execution state. This has priority over BTI
           * exceptions, but comes after instruction abort exceptions.
           */
 -        gen_exception_insn(dc, dc->pc_curr, EXCP_UDEF, syn_illegalstate());
 +        gen_exception_insn(dc, 0, EXCP_UDEF, syn_illegalstate());
          return;
      }
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
           */
          tcg_remove_ops_after(dc->insn_eci_rewind);
          dc->condjmp = 0;
 -        gen_exception_insn(dc, dc->pc_curr, EXCP_INVSTATE,
 -                           syn_uncategorized());
 +        gen_exception_insn(dc, 0, EXCP_INVSTATE, syn_uncategorized());
      }
      arm_post_translate_insn(dc);
 --
 .25.1

-[PULL 17/32] target/arm: Implement ESB instruction
+[PULL 19/24] target/arm: Remove gen_exception_internal_insn pc argument
 From: Richard Henderson <richard.henderson@linaro.org>
-Check for and defer any pending virtual SError.
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
 Since we always pass dc->pc_curr, fold the arithmetic to zero displacement.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-17-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-6-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.h        |  1 +
+ target/arm/translate-a64.c |  6 +++---
- target/arm/a32.decode      | 16 ++++++++------
+ target/arm/translate.c     | 10 +++++-----
- target/arm/t32.decode      | 18 ++++++++--------
+files changed, 8 insertions(+), 8 deletions(-)
  target/arm/op_helper.c     | 43 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-a64.c | 17 +++++++++++++++
  target/arm/translate.c     | 23 ++++++++++++++++++++
 files changed, 103 insertions(+), 15 deletions(-)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(wfe, void, env)
- DEF_HELPER_1(yield, void, env)
- DEF_HELPER_1(pre_hvc, void, env)
- DEF_HELPER_2(pre_smc, void, env, i32)
-+DEF_HELPER_1(vesb, void, env)
- DEF_HELPER_3(cpsr_write, void, env, i32, i32)
- DEF_HELPER_2(cpsr_write_eret, void, env, i32)
-diff --git a/target/arm/a32.decode b/target/arm/a32.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/a32.decode
-+++ b/target/arm/a32.decode
-@@ -XXX,XX +XXX,XX @@ SMULTT           .... 0001 0110 .... 0000 .... 1110 ....      @rd0mn
- {
-   {
--    YIELD        ---- 0011 0010 0000 1111 ---- 0000 0001
--    WFE          ---- 0011 0010 0000 1111 ---- 0000 0010
--    WFI          ---- 0011 0010 0000 1111 ---- 0000 0011
-+    [
-+      YIELD      ---- 0011 0010 0000 1111 ---- 0000 0001
-+      WFE        ---- 0011 0010 0000 1111 ---- 0000 0010
-+      WFI        ---- 0011 0010 0000 1111 ---- 0000 0011
--    # TODO: Implement SEV, SEVL; may help SMP performance.
--    # SEV        ---- 0011 0010 0000 1111 ---- 0000 0100
--    # SEVL       ---- 0011 0010 0000 1111 ---- 0000 0101
-+      # TODO: Implement SEV, SEVL; may help SMP performance.
-+      # SEV      ---- 0011 0010 0000 1111 ---- 0000 0100
-+      # SEVL     ---- 0011 0010 0000 1111 ---- 0000 0101
-+
-+      ESB        ---- 0011 0010 0000 1111 ---- 0001 0000
-+    ]
-     # The canonical nop ends in 00000000, but the whole of the
-     # rest of the space executes as nop if otherwise unsupported.
-diff --git a/target/arm/t32.decode b/target/arm/t32.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/t32.decode
-+++ b/target/arm/t32.decode
-@@ -XXX,XX +XXX,XX @@ CLZ              1111 1010 1011 ---- 1111 .... 1000 ....      @rdm
-   [
-     # Hints, and CPS
-     {
--      YIELD      1111 0011 1010 1111 1000 0000 0000 0001
--      WFE        1111 0011 1010 1111 1000 0000 0000 0010
--      WFI        1111 0011 1010 1111 1000 0000 0000 0011
-+      [
-+        YIELD    1111 0011 1010 1111 1000 0000 0000 0001
-+        WFE      1111 0011 1010 1111 1000 0000 0000 0010
-+        WFI      1111 0011 1010 1111 1000 0000 0000 0011
--      # TODO: Implement SEV, SEVL; may help SMP performance.
--      # SEV      1111 0011 1010 1111 1000 0000 0000 0100
--      # SEVL     1111 0011 1010 1111 1000 0000 0000 0101
-+        # TODO: Implement SEV, SEVL; may help SMP performance.
-+        # SEV    1111 0011 1010 1111 1000 0000 0000 0100
-+        # SEVL   1111 0011 1010 1111 1000 0000 0000 0101
--      # For M-profile minimal-RAS ESB can be a NOP, which is the
--      # default behaviour since it is in the hint space.
--      # ESB      1111 0011 1010 1111 1000 0000 0001 0000
-+        ESB      1111 0011 1010 1111 1000 0000 0001 0000
-+      ]
-       # The canonical nop ends in 0000 0000, but the whole rest
-       # of the space is "reserved hint, behaves as nop".
-diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/op_helper.c
-+++ b/target/arm/op_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(probe_access)(CPUARMState *env, target_ulong ptr,
-                      access_type, mmu_idx, ra);
-     }
- }
-+
-+/*
-+ * This function corresponds to AArch64.vESBOperation().
-+ * Note that the AArch32 version is not functionally different.
-+ */
-+void HELPER(vesb)(CPUARMState *env)
-+{
-+    /*
-+     * The EL2Enabled() check is done inside arm_hcr_el2_eff,
-+     * and will return HCR_EL2.VSE == 0, so nothing happens.
-+     */
-+    uint64_t hcr = arm_hcr_el2_eff(env);
-+    bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO);
-+    bool pending = enabled && (hcr & HCR_VSE);
-+    bool masked  = (env->daif & PSTATE_A);
-+
-+    /* If VSE pending and masked, defer the exception.  */
-+    if (pending && masked) {
-+        uint32_t syndrome;
-+
-+        if (arm_el_is_aa64(env, 1)) {
-+            /* Copy across IDS and ISS from VSESR. */
-+            syndrome = env->cp15.vsesr_el2 & 0x1ffffff;
-+        } else {
-+            ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal };
-+
-+            if (extended_addresses_enabled(env)) {
-+                syndrome = arm_fi_to_lfsc(&fi);
-+            } else {
-+                syndrome = arm_fi_to_sfsc(&fi);
-+            }
-+            /* Copy across AET and ExT from VSESR. */
-+            syndrome |= env->cp15.vsesr_el2 & 0xd000;
-+        }
-+
-+        /* Set VDISR_EL2.A along with the syndrome. */
-+        env->cp15.vdisr_el2 = syndrome | (1u << 31);
-+
-+        /* Clear pending virtual SError */
-+        env->cp15.hcr_el2 &= ~HCR_VSE;
-+        cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR);
-+    }
-+}
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void handle_hint(DisasContext *s, uint32_t insn,
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
-             gen_helper_autib(cpu_X[17], cpu_env, cpu_X[17], cpu_X[16]);
+     gen_helper_exception_internal(cpu_env, tcg_constant_i32(excp));
  }
 -static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
 +static void gen_exception_internal_insn(DisasContext *s, int excp)
  {
 -    gen_a64_update_pc(s, pc - s->pc_curr);
 +    gen_a64_update_pc(s, 0);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
           * Secondly, "HLT 0xf000" is the A64 semihosting syscall instruction.
           */
          if (semihosting_enabled(s->current_el == 0) && imm16 == 0xf000) {
 -            gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
 +            gen_exception_internal_insn(s, EXCP_SEMIHOST);
          } else {
              unallocated_encoding(s);
          }
-         break;
-+    case 0b10000: /* ESB */
-+        /* Without RAS, we must implement this as NOP. */
-+        if (dc_isar_feature(aa64_ras, s)) {
-+            /*
-+             * QEMU does not have a source of physical SErrors,
-+             * so we are only concerned with virtual SErrors.
-+             * The pseudocode in the ARM for this case is
-+             *   if PSTATE.EL IN {EL0, EL1} && EL2Enabled() then
-+             *      AArch64.vESBOperation();
-+             * Most of the condition can be evaluated at translation time.
-+             * Test for EL2 present, and defer test for SEL2 to runtime.
-+             */
-+            if (s->current_el <= 1 && arm_dc_feature(s, ARM_FEATURE_EL2)) {
-+                gen_helper_vesb(cpu_env);
-+            }
-+        }
-+        break;
-     case 0b11000: /* PACIAZ */
-         if (s->pauth_active) {
-             gen_helper_pacia(cpu_X[30], cpu_env, cpu_X[30],
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_WFI(DisasContext *s, arg_WFI *a)
+@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
-     return true;
+     s->base.is_jmp = DISAS_SMC;
  }
-+static bool trans_ESB(DisasContext *s, arg_ESB *a)
+-static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
-+{
++static void gen_exception_internal_insn(DisasContext *s, int excp)
 +    /*
 +     * For M-profile, minimal-RAS ESB can be a NOP.
 +     * Without RAS, we must implement this as NOP.
 +     */
 +    if (!arm_dc_feature(s, ARM_FEATURE_M) && dc_isar_feature(aa32_ras, s)) {
 +        /*
 +         * QEMU does not have a source of physical SErrors,
 +         * so we are only concerned with virtual SErrors.
 +         * The pseudocode in the ARM for this case is
 +         *   if PSTATE.EL IN {EL0, EL1} && EL2Enabled() then
 +         *      AArch32.vESBOperation();
 +         * Most of the condition can be evaluated at translation time.
 +         * Test for EL2 present, and defer test for SEL2 to runtime.
 +         */
 +        if (s->current_el <= 1 && arm_dc_feature(s, ARM_FEATURE_EL2)) {
 +            gen_helper_vesb(cpu_env);
 +        }
 +    }
 +    return true;
 +}
 +
  static bool trans_NOP(DisasContext *s, arg_NOP *a)
  {
-     return true;
+     gen_set_condexec(s);
 -    gen_update_pc(s, pc - s->pc_curr);
 +    gen_update_pc(s, 0);
      gen_exception_internal(excp);
      s->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
       */
      if (semihosting_enabled(s->current_el != 0) &&
          (imm == (s->thumb ? 0x3c : 0xf000))) {
 -        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
 +        gen_exception_internal_insn(s, EXCP_SEMIHOST);
          return;
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_BKPT(DisasContext *s, arg_BKPT *a)
      if (arm_dc_feature(s, ARM_FEATURE_M) &&
          semihosting_enabled(s->current_el == 0) &&
          (a->imm == 0xab)) {
 -        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
 +        gen_exception_internal_insn(s, EXCP_SEMIHOST);
      } else {
          gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, false));
      }
@@ -XXX,XX +XXX,XX @@ static bool trans_SVC(DisasContext *s, arg_SVC *a)
      if (!arm_dc_feature(s, ARM_FEATURE_M) &&
          semihosting_enabled(s->current_el == 0) &&
          (a->imm == semihost_imm)) {
 -        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
 +        gen_exception_internal_insn(s, EXCP_SEMIHOST);
      } else {
          gen_update_pc(s, curr_insn_len(s));
          s->svc_imm = a->imm;
 --
 .25.1

-[PULL 16/32] target/arm: Implement virtual SError exceptions
+[PULL 20/24] target/arm: Change gen_jmp* to work on displacements
 From: Richard Henderson <richard.henderson@linaro.org>
-Virtual SError exceptions are raised by setting HCR_EL2.VSE,
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
 and are routed to EL1 just like other virtual exceptions.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-16-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-7-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h       |  2 ++
+ target/arm/translate.c | 37 +++++++++++++++++++++----------------
- target/arm/internals.h |  8 ++++++++
+file changed, 21 insertions(+), 16 deletions(-)
  target/arm/syndrome.h  |  5 +++++
  target/arm/cpu.c       | 38 +++++++++++++++++++++++++++++++++++++-
  target/arm/helper.c    | 40 +++++++++++++++++++++++++++++++++++++++-
 files changed, 91 insertions(+), 2 deletions(-)
-diff --git a/target/arm/cpu.h b/target/arm/cpu.h
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.h
+--- a/target/arm/translate.c
-+++ b/target/arm/cpu.h
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static uint32_t read_pc(DisasContext *s)
- #define EXCP_LSERR          21   /* v8M LSERR SecureFault */
+     return s->pc_curr + (s->thumb ? 4 : 8);
  #define EXCP_UNALIGNED      22   /* v7M UNALIGNED UsageFault */
  #define EXCP_DIVBYZERO      23   /* v7M DIVBYZERO UsageFault */
 +#define EXCP_VSERR          24
  /* NB: add new EXCP_ defines to the array in arm_log_exception() too */
  #define ARMV7M_EXCP_RESET   1
@@ -XXX,XX +XXX,XX @@ enum {
  #define CPU_INTERRUPT_FIQ   CPU_INTERRUPT_TGT_EXT_1
  #define CPU_INTERRUPT_VIRQ  CPU_INTERRUPT_TGT_EXT_2
  #define CPU_INTERRUPT_VFIQ  CPU_INTERRUPT_TGT_EXT_3
 +#define CPU_INTERRUPT_VSERR CPU_INTERRUPT_TGT_INT_0
  /* The usual mapping for an AArch64 system register to its AArch32
   * counterpart is for the 32 bit world to have access to the lower
 diff --git a/target/arm/internals.h b/target/arm/internals.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/internals.h
 +++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ void arm_cpu_update_virq(ARMCPU *cpu);
   */
  void arm_cpu_update_vfiq(ARMCPU *cpu);
 +/**
 + * arm_cpu_update_vserr: Update CPU_INTERRUPT_VSERR bit
 + *
 + * Update the CPU_INTERRUPT_VSERR bit in cs->interrupt_request,
 + * following a change to the HCR_EL2.VSE bit.
 + */
 +void arm_cpu_update_vserr(ARMCPU *cpu);
 +
  /**
   * arm_mmu_idx_el:
   * @env: The cpu environment
 diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/syndrome.h
 +++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_pcalignment(void)
      return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
  }
-+static inline uint32_t syn_serror(uint32_t extra)
++/* The pc_curr difference for an architectural jump. */
 +static target_long jmp_diff(DisasContext *s, target_long diff)
 +{
-+    return (EC_SERROR << ARM_EL_EC_SHIFT) | ARM_EL_IL | extra;
++    return diff + (s->thumb ? 4 : 8);
 +}
 +
- #endif /* TARGET_ARM_SYNDROME_H */
+ /* Set a variable to the value of a CPU register.  */
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+ void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
-index XXXXXXX..XXXXXXX 100644
+ {
---- a/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
-+++ b/target/arm/cpu.c
+  * cpu_loop_exec. Any live exit_requests will be processed as we
-@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_has_work(CPUState *cs)
+  * enter the next TB.
-     return (cpu->power_state != PSCI_OFF)
+  */
-         && cs->interrupt_request &
+-static void gen_goto_tb(DisasContext *s, int n, int diff)
-         (CPU_INTERRUPT_FIQ | CPU_INTERRUPT_HARD
++static void gen_goto_tb(DisasContext *s, int n, target_long diff)
--         | CPU_INTERRUPT_VFIQ | CPU_INTERRUPT_VIRQ
+ {
-+         | CPU_INTERRUPT_VFIQ | CPU_INTERRUPT_VIRQ | CPU_INTERRUPT_VSERR
+     target_ulong dest = s->pc_curr + diff;
-          | CPU_INTERRUPT_EXITTB);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
  }
-@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
+ /* Jump, specifying which TB number to use if we gen_goto_tb() */
-             return false;
+-static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
-         }
++static void gen_jmp_tb(DisasContext *s, target_long diff, int tbno)
-         return !(env->daif & PSTATE_I);
+ {
-+    case EXCP_VSERR:
+-    int diff = dest - s->pc_curr;
-+        if (!(hcr_el2 & HCR_AMO) || (hcr_el2 & HCR_TGE)) {
+-
-+            /* VIRQs are only taken when hypervized.  */
+     if (unlikely(s->ss_active)) {
-+            return false;
+         /* An indirect jump so that we still trigger the debug exception.  */
-+        }
+         gen_update_pc(s, diff);
-+        return !(env->daif & PSTATE_A);
+@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
      default:
          g_assert_not_reached();
      }
@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
              goto found;
          }
      }
 +    if (interrupt_request & CPU_INTERRUPT_VSERR) {
 +        excp_idx = EXCP_VSERR;
 +        target_el = 1;
 +        if (arm_excp_unmasked(cs, excp_idx, target_el,
 +                              cur_el, secure, hcr_el2)) {
 +            /* Taking a virtual abort clears HCR_EL2.VSE */
 +            env->cp15.hcr_el2 &= ~HCR_VSE;
 +            cpu_reset_interrupt(cs, CPU_INTERRUPT_VSERR);
 +            goto found;
 +        }
 +    }
      return false;
   found:
@@ -XXX,XX +XXX,XX @@ void arm_cpu_update_vfiq(ARMCPU *cpu)
      }
  }
-+void arm_cpu_update_vserr(ARMCPU *cpu)
+-static inline void gen_jmp(DisasContext *s, uint32_t dest)
-+{
++static inline void gen_jmp(DisasContext *s, target_long diff)
 +    /*
 +     * Update the interrupt level for VSERR, which is the HCR_EL2.VSE bit.
 +     */
 +    CPUARMState *env = &cpu->env;
 +    CPUState *cs = CPU(cpu);
 +
 +    bool new_state = env->cp15.hcr_el2 & HCR_VSE;
 +
 +    if (new_state != ((cs->interrupt_request & CPU_INTERRUPT_VSERR) != 0)) {
 +        if (new_state) {
 +            cpu_interrupt(cs, CPU_INTERRUPT_VSERR);
 +        } else {
 +            cpu_reset_interrupt(cs, CPU_INTERRUPT_VSERR);
 +        }
 +    }
 +}
 +
  #ifndef CONFIG_USER_ONLY
  static void arm_cpu_set_irq(void *opaque, int irq, int level)
  {
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+-    gen_jmp_tb(s, dest, 0);
-index XXXXXXX..XXXXXXX 100644
++    gen_jmp_tb(s, diff, 0);
---- a/target/arm/helper.c
+ }
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+ static inline void gen_mulxy(TCGv_i32 t0, TCGv_i32 t1, int x, int y)
-         }
+@@ -XXX,XX +XXX,XX @@ static bool trans_CLRM(DisasContext *s, arg_CLRM *a)
  static bool trans_B(DisasContext *s, arg_i *a)
  {
 -    gen_jmp(s, read_pc(s) + a->imm);
 +    gen_jmp(s, jmp_diff(s, a->imm));
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond_thumb(DisasContext *s, arg_ci *a)
          return true;
      }
+     arm_skip_unless(s, a->cond);
--    /* External aborts are not possible in QEMU so A bit is always clear */
+-    gen_jmp(s, read_pc(s) + a->imm);
-+    if (hcr_el2 & HCR_AMO) {
++    gen_jmp(s, jmp_diff(s, a->imm));
-+        if (cs->interrupt_request & CPU_INTERRUPT_VSERR) {
+     return true;
 +            ret |= CPSR_A;
 +        }
 +    }
 +
      return ret;
  }
-@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
+ static bool trans_BL(DisasContext *s, arg_i *a)
-     g_assert(qemu_mutex_iothread_locked());
+ {
-     arm_cpu_update_virq(cpu);
+     tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
-     arm_cpu_update_vfiq(cpu);
+-    gen_jmp(s, read_pc(s) + a->imm);
-+    arm_cpu_update_vserr(cpu);
++    gen_jmp(s, jmp_diff(s, a->imm));
      return true;
  }
- static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
+@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(CPUState *cs)
              [EXCP_LSERR] = "v8M LSERR UsageFault",
              [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
              [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault",
 +            [EXCP_VSERR] = "Virtual SERR",
          };
          if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch32(CPUState *cs)
          mask = CPSR_A | CPSR_I | CPSR_F;
          offset = 4;
          break;
 +    case EXCP_VSERR:
 +        {
 +            /*
 +             * Note that this is reported as a data abort, but the DFAR
 +             * has an UNKNOWN value.  Construct the SError syndrome from
 +             * AET and ExT fields.
 +             */
 +            ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal, };
 +
 +            if (extended_addresses_enabled(env)) {
 +                env->exception.fsr = arm_fi_to_lfsc(&fi);
 +            } else {
 +                env->exception.fsr = arm_fi_to_sfsc(&fi);
 +            }
 +            env->exception.fsr |= env->cp15.vsesr_el2 & 0xd000;
 +            A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
 +            qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x\n",
 +                          env->exception.fsr);
 +
 +            new_mode = ARM_CPU_MODE_ABT;
 +            addr = 0x10;
 +            mask = CPSR_A | CPSR_I;
 +            offset = 8;
 +        }
 +        break;
      case EXCP_SMC:
          new_mode = ARM_CPU_MODE_MON;
          addr = 0x08;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
      case EXCP_VFIQ:
          addr += 0x100;
          break;
 +    case EXCP_VSERR:
 +        addr += 0x180;
 +        /* Construct the SError syndrome from IDS and ISS fields. */
 +        env->exception.syndrome = syn_serror(env->cp15.vsesr_el2 & 0x1ffffff);
 +        env->cp15.esr_el[new_el] = env->exception.syndrome;
 +        break;
      default:
          cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
      }
+     tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
+     store_cpu_field_constant(!s->thumb, thumb);
+-    gen_jmp(s, (read_pc(s) & ~3) + a->imm);
++    /* This jump is computed from an aligned PC: subtract off the low bits. */
++    gen_jmp(s, jmp_diff(s, a->imm - (s->pc_curr & 3)));
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
+          * when we take this upcoming exit from this TB, so gen_jmp_tb() is OK.
+          */
+     }
+-    gen_jmp_tb(s, s->base.pc_next, 1);
++    gen_jmp_tb(s, curr_insn_len(s), 1);
+     gen_set_label(nextlabel);
+-    gen_jmp(s, read_pc(s) + a->imm);
++    gen_jmp(s, jmp_diff(s, a->imm));
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
+     if (a->f) {
+         /* Loop-forever: just jump back to the loop start */
+-        gen_jmp(s, read_pc(s) - a->imm);
++        gen_jmp(s, jmp_diff(s, -a->imm));
+         return true;
+     }
+@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
+         tcg_temp_free_i32(decr);
+     }
+     /* Jump back to the loop start */
+-    gen_jmp(s, read_pc(s) - a->imm);
++    gen_jmp(s, jmp_diff(s, -a->imm));
+     gen_set_label(loopend);
+     if (a->tp) {
+@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
+         store_cpu_field(tcg_constant_i32(4), v7m.ltpsize);
+     }
+     /* End TB, continuing to following insn */
+-    gen_jmp_tb(s, s->base.pc_next, 1);
++    gen_jmp_tb(s, curr_insn_len(s), 1);
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_CBZ *a)
+     tcg_gen_brcondi_i32(a->nz ? TCG_COND_EQ : TCG_COND_NE,
+                         tmp, 0, s->condlabel);
+     tcg_temp_free_i32(tmp);
+-    gen_jmp(s, read_pc(s) + a->imm);
++    gen_jmp(s, jmp_diff(s, a->imm));
+     return true;
+ }
 --
 .25.1

-[PULL 04/32] target/arm: Merge zcr reginfo
+[PULL 21/24] target/arm: Introduce gen_pc_plus_diff for aarch64
 From: Richard Henderson <richard.henderson@linaro.org>
-Drop zcr_no_el2_reginfo and merge the 3 registers into one array,
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
 now that ZCR_EL2 can be squashed to RES0 and ZCR_EL3 dropped
 while registering.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-4-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-8-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/helper.c | 55 ++++++++++++++-------------------------------
+ target/arm/translate-a64.c | 41 +++++++++++++++++++++++++++-----------
-file changed, 17 insertions(+), 38 deletions(-)
+file changed, 29 insertions(+), 12 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
+--- a/target/arm/translate-a64.c
-+++ b/target/arm/helper.c
++++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
+@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
      }
  }
--static const ARMCPRegInfo zcr_el1_reginfo = {
++static void gen_pc_plus_diff(DisasContext *s, TCGv_i64 dest, target_long diff)
--    .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
++{
--    .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
++    tcg_gen_movi_i64(dest, s->pc_curr + diff);
--    .access = PL1_RW, .type = ARM_CP_SVE,
++}
--    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
++
--    .writefn = zcr_write, .raw_writefn = raw_write
+ void gen_a64_update_pc(DisasContext *s, target_long diff)
--};
+ {
--
+-    tcg_gen_movi_i64(cpu_pc, s->pc_curr + diff);
--static const ARMCPRegInfo zcr_el2_reginfo = {
++    gen_pc_plus_diff(s, cpu_pc, diff);
--    .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
+ }
--    .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
--    .access = PL2_RW, .type = ARM_CP_SVE,
+ /*
--    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
--    .writefn = zcr_write, .raw_writefn = raw_write
--};
+     if (insn & (1U << 31)) {
--
+         /* BL Branch with link */
--static const ARMCPRegInfo zcr_no_el2_reginfo = {
+-        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
--    .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
++        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
 -    .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL2_RW, .type = ARM_CP_SVE,
 -    .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
 -};
 -
 -static const ARMCPRegInfo zcr_el3_reginfo = {
 -    .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
 -    .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
 -    .access = PL3_RW, .type = ARM_CP_SVE,
 -    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
 -    .writefn = zcr_write, .raw_writefn = raw_write
 +static const ARMCPRegInfo zcr_reginfo[] = {
 +    { .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
 +      .access = PL1_RW, .type = ARM_CP_SVE,
 +      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
 +      .writefn = zcr_write, .raw_writefn = raw_write },
 +    { .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
 +      .access = PL2_RW, .type = ARM_CP_SVE,
 +      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
 +      .writefn = zcr_write, .raw_writefn = raw_write },
 +    { .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
 +      .access = PL3_RW, .type = ARM_CP_SVE,
 +      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
 +      .writefn = zcr_write, .raw_writefn = raw_write },
  };
  void hw_watchpoint_update(ARMCPU *cpu, int n)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
      }
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+     /* B Branch / BL Branch with link */
--        define_one_arm_cp_reg(cpu, &zcr_el1_reginfo);
+@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
--        if (arm_feature(env, ARM_FEATURE_EL2)) {
+         default:
--            define_one_arm_cp_reg(cpu, &zcr_el2_reginfo);
+             goto do_unallocated;
--        } else {
+         }
--            define_one_arm_cp_reg(cpu, &zcr_no_el2_reginfo);
+-        gen_a64_set_pc(s, dst);
--        }
+         /* BLR also needs to load return address */
--        if (arm_feature(env, ARM_FEATURE_EL3)) {
+         if (opc == 1) {
--            define_one_arm_cp_reg(cpu, &zcr_el3_reginfo);
+-            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
--        }
++            TCGv_i64 lr = cpu_reg(s, 30);
-+        define_arm_cp_regs(cpu, zcr_reginfo);
++            if (dst == lr) {
 +                TCGv_i64 tmp = new_tmp_a64(s);
 +                tcg_gen_mov_i64(tmp, dst);
 +                dst = tmp;
 +            }
 +            gen_pc_plus_diff(s, lr, curr_insn_len(s));
          }
 +        gen_a64_set_pc(s, dst);
          break;
      case 8: /* BRAA */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
          } else {
              dst = cpu_reg(s, rn);
          }
 -        gen_a64_set_pc(s, dst);
          /* BLRAA also needs to load return address */
          if (opc == 9) {
 -            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
 +            TCGv_i64 lr = cpu_reg(s, 30);
 +            if (dst == lr) {
 +                TCGv_i64 tmp = new_tmp_a64(s);
 +                tcg_gen_mov_i64(tmp, dst);
 +                dst = tmp;
 +            }
 +            gen_pc_plus_diff(s, lr, curr_insn_len(s));
          }
 +        gen_a64_set_pc(s, dst);
          break;
      case 4: /* ERET */
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
      tcg_rt = cpu_reg(s, rt);
 -    clean_addr = tcg_constant_i64(s->pc_curr + imm);
 +    clean_addr = new_tmp_a64(s);
 +    gen_pc_plus_diff(s, clean_addr, imm);
      if (is_vector) {
          do_fp_ld(s, rt, clean_addr, size);
      } else {
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
  static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
  {
      unsigned int page, rd;
 -    uint64_t base;
 -    uint64_t offset;
 +    int64_t offset;
      page = extract32(insn, 31, 1);
      /* SignExtend(immhi:immlo) -> offset */
      offset = sextract64(insn, 5, 19);
      offset = offset << 2 | extract32(insn, 29, 2);
      rd = extract32(insn, 0, 5);
 -    base = s->pc_curr;
      if (page) {
          /* ADRP (page based) */
 -        base &= ~0xfff;
          offset <<= 12;
 +        /* The page offset is ok for TARGET_TB_PCREL. */
 +        offset -= s->pc_curr & 0xfff;
      }
- #ifdef TARGET_AARCH64
+-    tcg_gen_movi_i64(cpu_reg(s, rd), base + offset);
 +    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
  }
  /*
 --
 .25.1

-[PULL 12/32] target/arm: Enable FEAT_Debugv8p2 for -cpu max
+[PULL 22/24] target/arm: Introduce gen_pc_plus_diff for aarch32
 From: Richard Henderson <richard.henderson@linaro.org>
-The only portion of FEAT_Debugv8p2 that is relevant to QEMU
+In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
 is CONTEXTIDR_EL2, which is also conditionally implemented
 with FEAT_VHE.  The rest of the debug extension concerns the
 External debug interface, which is outside the scope of QEMU.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-12-richard.henderson@linaro.org
+Message-id: 20221020030641.2066807-9-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- docs/system/arm/emulation.rst | 1 +
+ target/arm/translate.c | 38 +++++++++++++++++++++-----------------
- target/arm/cpu.c              | 1 +
+file changed, 21 insertions(+), 17 deletions(-)
  target/arm/cpu64.c            | 1 +
  target/arm/cpu_tcg.c          | 2 ++
 files changed, 5 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
+diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
+--- a/target/arm/translate.c
-+++ b/docs/system/arm/emulation.rst
++++ b/target/arm/translate.c
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
+@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
  - FEAT_BTI (Branch Target Identification)
  - FEAT_DIT (Data Independent Timing instructions)
  - FEAT_DPB (DC CVAP instruction)
 +- FEAT_Debugv8p2 (Debug changes for v8.2)
  - FEAT_DotProd (Advanced SIMD dot product instructions)
  - FEAT_FCMA (Floating-point complex number instructions)
  - FEAT_FHM (Floating-point half-precision multiplication instructions)
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
           * feature registers as well.
           */
          cpu->isar.id_pfr1 = FIELD_DP32(cpu->isar.id_pfr1, ID_PFR1, SECURITY, 0);
 +        cpu->isar.id_dfr0 = FIELD_DP32(cpu->isar.id_dfr0, ID_DFR0, COPSDBG, 0);
          cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
                                             ID_AA64PFR0, EL3, 0);
      }
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
+-/* The architectural value of PC.  */
-+++ b/target/arm/cpu64.c
+-static uint32_t read_pc(DisasContext *s)
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
+-{
-     cpu->isar.id_aa64zfr0 = t;
+-    return s->pc_curr + (s->thumb ? 4 : 8);
+-}
-     t = cpu->isar.id_aa64dfr0;
+-
-+    t = FIELD_DP64(t, ID_AA64DFR0, DEBUGVER, 8);  /* FEAT_Debugv8p2 */
+ /* The pc_curr difference for an architectural jump. */
-     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
+ static target_long jmp_diff(DisasContext *s, target_long diff)
-     cpu->isar.id_aa64dfr0 = t;
+ {
+     return diff + (s->thumb ? 4 : 8);
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
+ }
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu_tcg.c
++static void gen_pc_plus_diff(DisasContext *s, TCGv_i32 var, target_long diff)
-+++ b/target/arm/cpu_tcg.c
++{
-@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
++    tcg_gen_movi_i32(var, s->pc_curr + diff);
-     cpu->isar.id_pfr2 = t;
++}
++
-     t = cpu->isar.id_dfr0;
+ /* Set a variable to the value of a CPU register.  */
-+    t = FIELD_DP32(t, ID_DFR0, COPDBG, 8);        /* FEAT_Debugv8p2 */
+ void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
-+    t = FIELD_DP32(t, ID_DFR0, COPSDBG, 8);       /* FEAT_Debugv8p2 */
+ {
-     t = FIELD_DP32(t, ID_DFR0, PERFMON, 5);       /* FEAT_PMUv3p4 */
+     if (reg == 15) {
-     cpu->isar.id_dfr0 = t;
+-        tcg_gen_movi_i32(var, read_pc(s));
 +        gen_pc_plus_diff(s, var, jmp_diff(s, 0));
      } else {
          tcg_gen_mov_i32(var, cpu_R[reg]);
      }
@@ -XXX,XX +XXX,XX @@ TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
      TCGv_i32 tmp = tcg_temp_new_i32();
      if (reg == 15) {
 -        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
 +        /*
 +         * This address is computed from an aligned PC:
 +         * subtract off the low bits.
 +         */
 +        gen_pc_plus_diff(s, tmp, jmp_diff(s, ofs - (s->pc_curr & 3)));
      } else {
          tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
      }
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s)
  /* Force a TB lookup after an instruction that changes the CPU state.  */
  void gen_lookup_tb(DisasContext *s)
  {
 -    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
 +    gen_pc_plus_diff(s, cpu_R[15], curr_insn_len(s));
      s->base.is_jmp = DISAS_EXIT;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_r(DisasContext *s, arg_BLX_r *a)
          return false;
      }
      tmp = load_reg(s, a->rm);
 -    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
 +    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
      gen_bx(s, tmp);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond_thumb(DisasContext *s, arg_ci *a)
  static bool trans_BL(DisasContext *s, arg_i *a)
  {
 -    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
 +    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
      gen_jmp(s, jmp_diff(s, a->imm));
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
      if (s->thumb && (a->imm & 2)) {
          return false;
      }
 -    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
 +    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
      store_cpu_field_constant(!s->thumb, thumb);
      /* This jump is computed from an aligned PC: subtract off the low bits. */
      gen_jmp(s, jmp_diff(s, a->imm - (s->pc_curr & 3)));
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
  static bool trans_BL_BLX_prefix(DisasContext *s, arg_BL_BLX_prefix *a)
  {
      assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
 -    tcg_gen_movi_i32(cpu_R[14], read_pc(s) + (a->imm << 12));
 +    gen_pc_plus_diff(s, cpu_R[14], jmp_diff(s, a->imm << 12));
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_BL_suffix(DisasContext *s, arg_BL_suffix *a)
      assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
      tcg_gen_addi_i32(tmp, cpu_R[14], (a->imm << 1) | 1);
 -    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
 +    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | 1);
      gen_bx(s, tmp);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_suffix(DisasContext *s, arg_BLX_suffix *a)
      tmp = tcg_temp_new_i32();
      tcg_gen_addi_i32(tmp, cpu_R[14], a->imm << 1);
      tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
 -    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
 +    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | 1);
      gen_bx(s, tmp);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool op_tbranch(DisasContext *s, arg_tbranch *a, bool half)
      tcg_gen_add_i32(addr, addr, tmp);
      gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s), half ? MO_UW : MO_UB);
 -    tcg_temp_free_i32(addr);
      tcg_gen_add_i32(tmp, tmp, tmp);
 -    tcg_gen_addi_i32(tmp, tmp, read_pc(s));
 +    gen_pc_plus_diff(s, addr, jmp_diff(s, 0));
 +    tcg_gen_add_i32(tmp, tmp, addr);
 +    tcg_temp_free_i32(addr);
      store_reg(s, 15, tmp);
      return true;
  }
 --
 .25.1

-[PULL 11/32] target/arm: Use field names for manipulating EL2 and EL3 modes
+[PULL 23/24] target/arm: Enable TARGET_TB_PCREL
 From: Richard Henderson <richard.henderson@linaro.org>
-Use FIELD_DP{32,64} to manipulate id_pfr1 and id_aa64pfr0
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-during arm_cpu_realizefn.
+Message-id: 20221020030641.2066807-10-richard.henderson@linaro.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-11-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 22 +++++++++++++---------
+ target/arm/cpu-param.h        |   2 +
-file changed, 13 insertions(+), 9 deletions(-)
+ target/arm/translate.h        |  50 +++++++++++++++-
  target/arm/cpu.c              |  23 ++++----
  target/arm/translate-a64.c    |  64 +++++++++++++-------
  target/arm/translate-m-nocp.c |   2 +-
  target/arm/translate.c        | 108 +++++++++++++++++++++++-----------
 files changed, 178 insertions(+), 71 deletions(-)
+diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu-param.h
++++ b/target/arm/cpu-param.h
+@@ -XXX,XX +XXX,XX @@
+ # define TARGET_PAGE_BITS_VARY
+ # define TARGET_PAGE_BITS_MIN  10
++# define TARGET_TB_PCREL 1
++
+ /*
+  * Cache the attrs and shareability fields from the page table entry.
+  *
+diff --git a/target/arm/translate.h b/target/arm/translate.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.h
++++ b/target/arm/translate.h
+@@ -XXX,XX +XXX,XX @@
+ /* internal defines */
++
++/*
++ * Save pc_save across a branch, so that we may restore the value from
++ * before the branch at the point the label is emitted.
++ */
++typedef struct DisasLabel {
++    TCGLabel *label;
++    target_ulong pc_save;
++} DisasLabel;
++
+ typedef struct DisasContext {
+     DisasContextBase base;
+     const ARMISARegisters *isar;
+     /* The address of the current instruction being translated. */
+     target_ulong pc_curr;
++    /*
++     * For TARGET_TB_PCREL, the full value of cpu_pc is not known
++     * (although the page offset is known).  For convenience, the
++     * translation loop uses the full virtual address that triggered
++     * the translation, from base.pc_start through pc_curr.
++     * For efficiency, we do not update cpu_pc for every instruction.
++     * Instead, pc_save has the value of pc_curr at the time of the
++     * last update to cpu_pc, which allows us to compute the addend
++     * needed to bring cpu_pc current: pc_curr - pc_save.
++     * If cpu_pc now contains the destination of an indirect branch,
++     * pc_save contains -1 to indicate that relative updates are no
++     * longer possible.
++     */
++    target_ulong pc_save;
+     target_ulong page_start;
+     uint32_t insn;
+     /* Nonzero if this instruction has been conditionally skipped.  */
+     int condjmp;
+     /* The label that will be jumped to when the instruction is skipped.  */
+-    TCGLabel *condlabel;
++    DisasLabel condlabel;
+     /* Thumb-2 conditional execution bits.  */
+     int condexec_mask;
+     int condexec_cond;
+@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
+      * after decode (ie after any UNDEF checks)
+      */
+     bool eci_handled;
+-    /* TCG op to rewind to if this turns out to be an invalid ECI state */
+-    TCGOp *insn_eci_rewind;
+     int sctlr_b;
+     MemOp be_data;
+ #if !defined(CONFIG_USER_ONLY)
+@@ -XXX,XX +XXX,XX @@ static inline MemOp finalize_memop(DisasContext *s, MemOp opc)
+  */
+ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
++/*
++ * gen_disas_label:
++ * Create a label and cache a copy of pc_save.
++ */
++static inline DisasLabel gen_disas_label(DisasContext *s)
++{
++    return (DisasLabel){
++        .label = gen_new_label(),
++        .pc_save = s->pc_save,
++    };
++}
++
++/*
++ * set_disas_label:
++ * Emit a label and restore the cached copy of pc_save.
++ */
++static inline void set_disas_label(DisasContext *s, DisasLabel l)
++{
++    gen_set_label(l.label);
++    s->pc_save = l.pc_save;
++}
++
+ /*
+  * Helpers for implementing sets of trans_* functions.
+  * Defer the implementation of NAME to FUNC, with optional extra arguments.
 diff --git a/target/arm/cpu.c b/target/arm/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.c
 +++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static vaddr arm_cpu_get_pc(CPUState *cs)
  void arm_cpu_synchronize_from_tb(CPUState *cs,
                                   const TranslationBlock *tb)
  {
 -    ARMCPU *cpu = ARM_CPU(cs);
 -    CPUARMState *env = &cpu->env;
 -
 -    /*
 -     * It's OK to look at env for the current mode here, because it's
 -     * never possible for an AArch64 TB to chain to an AArch32 TB.
 -     */
 -    if (is_a64(env)) {
 -        env->pc = tb_pc(tb);
 -    } else {
 -        env->regs[15] = tb_pc(tb);
 +    /* The program counter is always up to date with TARGET_TB_PCREL. */
 +    if (!TARGET_TB_PCREL) {
 +        CPUARMState *env = cs->env_ptr;
 +        /*
 +         * It's OK to look at env for the current mode here, because it's
 +         * never possible for an AArch64 TB to chain to an AArch32 TB.
 +         */
 +        if (is_a64(env)) {
 +            env->pc = tb_pc(tb);
 +        } else {
 +            env->regs[15] = tb_pc(tb);
 +        }
      }
  }
  #endif /* CONFIG_TCG */
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
  static void gen_pc_plus_diff(DisasContext *s, TCGv_i64 dest, target_long diff)
  {
 -    tcg_gen_movi_i64(dest, s->pc_curr + diff);
 +    assert(s->pc_save != -1);
 +    if (TARGET_TB_PCREL) {
 +        tcg_gen_addi_i64(dest, cpu_pc, (s->pc_curr - s->pc_save) + diff);
 +    } else {
 +        tcg_gen_movi_i64(dest, s->pc_curr + diff);
 +    }
  }
  void gen_a64_update_pc(DisasContext *s, target_long diff)
  {
      gen_pc_plus_diff(s, cpu_pc, diff);
 +    s->pc_save = s->pc_curr + diff;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static void gen_a64_set_pc(DisasContext *s, TCGv_i64 src)
       * then loading an address into the PC will clear out any tag.
       */
      gen_top_byte_ignore(s, cpu_pc, src, s->tbii);
 +    s->pc_save = -1;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, uint64_t dest)
  static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
  {
 -    uint64_t dest = s->pc_curr + diff;
 -
 -    if (use_goto_tb(s, dest)) {
 -        tcg_gen_goto_tb(n);
 -        gen_a64_update_pc(s, diff);
 +    if (use_goto_tb(s, s->pc_curr + diff)) {
 +        /*
 +         * For pcrel, the pc must always be up-to-date on entry to
 +         * the linked TB, so that it can use simple additions for all
 +         * further adjustments.  For !pcrel, the linked TB is compiled
 +         * to know its full virtual address, so we can delay the
 +         * update to pc to the unlinked path.  A long chain of links
 +         * can thus avoid many updates to the PC.
 +         */
 +        if (TARGET_TB_PCREL) {
 +            gen_a64_update_pc(s, diff);
 +            tcg_gen_goto_tb(n);
 +        } else {
 +            tcg_gen_goto_tb(n);
 +            gen_a64_update_pc(s, diff);
 +        }
          tcg_gen_exit_tb(s->base.tb, n);
          s->base.is_jmp = DISAS_NORETURN;
      } else {
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
  {
      unsigned int sf, op, rt;
      int64_t diff;
 -    TCGLabel *label_match;
 +    DisasLabel match;
      TCGv_i64 tcg_cmp;
      sf = extract32(insn, 31, 1);
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
      diff = sextract32(insn, 5, 19) * 4;
      tcg_cmp = read_cpu_reg(s, rt, sf);
 -    label_match = gen_new_label();
 -
      reset_btype(s);
 -    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
 -                        tcg_cmp, 0, label_match);
 +    match = gen_disas_label(s);
 +    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
 +                        tcg_cmp, 0, match.label);
      gen_goto_tb(s, 0, 4);
 -    gen_set_label(label_match);
 +    set_disas_label(s, match);
      gen_goto_tb(s, 1, diff);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
  {
      unsigned int bit_pos, op, rt;
      int64_t diff;
 -    TCGLabel *label_match;
 +    DisasLabel match;
      TCGv_i64 tcg_cmp;
      bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
      tcg_cmp = tcg_temp_new_i64();
      tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
 -    label_match = gen_new_label();
      reset_btype(s);
 +
 +    match = gen_disas_label(s);
      tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
 -                        tcg_cmp, 0, label_match);
 +                        tcg_cmp, 0, match.label);
      tcg_temp_free_i64(tcg_cmp);
      gen_goto_tb(s, 0, 4);
 -    gen_set_label(label_match);
 +    set_disas_label(s, match);
      gen_goto_tb(s, 1, diff);
  }
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
      reset_btype(s);
      if (cond < 0x0e) {
          /* genuinely conditional branches */
 -        TCGLabel *label_match = gen_new_label();
 -        arm_gen_test_cc(cond, label_match);
 +        DisasLabel match = gen_disas_label(s);
 +        arm_gen_test_cc(cond, match.label);
          gen_goto_tb(s, 0, 4);
 -        gen_set_label(label_match);
 +        set_disas_label(s, match);
          gen_goto_tb(s, 1, diff);
      } else {
          /* 0xe and 0xf are both "always" conditions */
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
      dc->isar = &arm_cpu->isar;
      dc->condjmp = 0;
 -
 +    dc->pc_save = dc->base.pc_first;
      dc->aarch64 = true;
      dc->thumb = false;
      dc->sctlr_b = 0;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_start(DisasContextBase *db, CPUState *cpu)
  static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 +    target_ulong pc_arg = dc->base.pc_next;
 -    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
 +    if (TARGET_TB_PCREL) {
 +        pc_arg &= ~TARGET_PAGE_MASK;
 +    }
 +    tcg_gen_insn_start(pc_arg, 0, 0);
      dc->insn_start = tcg_last_op();
  }
 diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-m-nocp.c
 +++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSCCLRM(DisasContext *s, arg_VSCCLRM *a)
      tcg_gen_andi_i32(sfpa, sfpa, R_V7M_CONTROL_SFPA_MASK);
      tcg_gen_or_i32(sfpa, sfpa, aspen);
      arm_gen_condlabel(s);
 -    tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel);
 +    tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel.label);
      if (s->fp_excp_el != 0) {
          gen_exception_insn_el(s, 0, EXCP_NOCP,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op)
  void arm_gen_condlabel(DisasContext *s)
  {
      if (!s->condjmp) {
 -        s->condlabel = gen_new_label();
 +        s->condlabel = gen_disas_label(s);
          s->condjmp = 1;
      }
  }
@@ -XXX,XX +XXX,XX @@ static target_long jmp_diff(DisasContext *s, target_long diff)
  static void gen_pc_plus_diff(DisasContext *s, TCGv_i32 var, target_long diff)
  {
 -    tcg_gen_movi_i32(var, s->pc_curr + diff);
 +    assert(s->pc_save != -1);
 +    if (TARGET_TB_PCREL) {
 +        tcg_gen_addi_i32(var, cpu_R[15], (s->pc_curr - s->pc_save) + diff);
 +    } else {
 +        tcg_gen_movi_i32(var, s->pc_curr + diff);
 +    }
  }
  /* Set a variable to the value of a CPU register.  */
@@ -XXX,XX +XXX,XX @@ void store_reg(DisasContext *s, int reg, TCGv_i32 var)
           */
-         unset_feature(env, ARM_FEATURE_EL3);
+         tcg_gen_andi_i32(var, var, s->thumb ? ~1 : ~3);
+         s->base.is_jmp = DISAS_JUMP;
--        /* Disable the security extension feature bits in the processor feature
++        s->pc_save = -1;
--         * registers as well. These are id_pfr1[7:4] and id_aa64pfr0[15:12].
+     } else if (reg == 13 && arm_dc_feature(s, ARM_FEATURE_M)) {
          /* For M-profile SP bits [1:0] are always zero */
          tcg_gen_andi_i32(var, var, ~3);
@@ -XXX,XX +XXX,XX @@ void gen_set_condexec(DisasContext *s)
  void gen_update_pc(DisasContext *s, target_long diff)
  {
 -    tcg_gen_movi_i32(cpu_R[15], s->pc_curr + diff);
 +    gen_pc_plus_diff(s, cpu_R[15], diff);
 +    s->pc_save = s->pc_curr + diff;
  }
  /* Set PC and Thumb state from var.  var is marked as dead.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx(DisasContext *s, TCGv_i32 var)
      tcg_gen_andi_i32(cpu_R[15], var, ~1);
      tcg_gen_andi_i32(var, var, 1);
      store_cpu_field(var, thumb);
 +    s->pc_save = -1;
  }
  /*
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
  static inline void gen_bx_excret_final_code(DisasContext *s)
  {
      /* Generate the code to finish possible exception return and end the TB */
 -    TCGLabel *excret_label = gen_new_label();
 +    DisasLabel excret_label = gen_disas_label(s);
      uint32_t min_magic;
      if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
      }
      /* Is the new PC value in the magic range indicating exception return? */
 -    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
 +    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label.label);
      /* No: end the TB as we would for a DISAS_JMP */
      if (s->ss_active) {
          gen_singlestep_exception(s);
      } else {
          tcg_gen_exit_tb(NULL, 0);
      }
 -    gen_set_label(excret_label);
 +    set_disas_label(s, excret_label);
      /* Yes: this is an exception return.
       * At this point in runtime env->regs[15] and env->thumb will hold
       * the exception-return magic number, which do_v7m_exception_exit()
@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
   */
  static void gen_goto_tb(DisasContext *s, int n, target_long diff)
  {
 -    target_ulong dest = s->pc_curr + diff;
 -
 -    if (translator_use_goto_tb(&s->base, dest)) {
 -        tcg_gen_goto_tb(n);
 -        gen_update_pc(s, diff);
 +    if (translator_use_goto_tb(&s->base, s->pc_curr + diff)) {
 +        /*
-+         * Disable the security extension feature bits in the processor
++         * For pcrel, the pc must always be up-to-date on entry to
-+         * feature registers as well.
++         * the linked TB, so that it can use simple additions for all
 +         * further adjustments.  For !pcrel, the linked TB is compiled
 +         * to know its full virtual address, so we can delay the
 +         * update to pc to the unlinked path.  A long chain of links
 +         * can thus avoid many updates to the PC.
 +         */
 +        if (TARGET_TB_PCREL) {
 +            gen_update_pc(s, diff);
 +            tcg_gen_goto_tb(n);
 +        } else {
 +            tcg_gen_goto_tb(n);
 +            gen_update_pc(s, diff);
 +        }
          tcg_gen_exit_tb(s->base.tb, n);
      } else {
          gen_update_pc(s, diff);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
  static void arm_skip_unless(DisasContext *s, uint32_t cond)
  {
      arm_gen_condlabel(s);
 -    arm_gen_test_cc(cond ^ 1, s->condlabel);
 +    arm_gen_test_cc(cond ^ 1, s->condlabel.label);
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
  {
      /* M-profile low-overhead while-loop start */
      TCGv_i32 tmp;
 -    TCGLabel *nextlabel;
 +    DisasLabel nextlabel;
      if (!dc_isar_feature(aa32_lob, s)) {
          return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
          }
      }
 -    nextlabel = gen_new_label();
 -    tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_R[a->rn], 0, nextlabel);
 +    nextlabel = gen_disas_label(s);
 +    tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_R[a->rn], 0, nextlabel.label);
      tmp = load_reg(s, a->rn);
      store_reg(s, 14, tmp);
      if (a->size != 4) {
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
      }
      gen_jmp_tb(s, curr_insn_len(s), 1);
 -    gen_set_label(nextlabel);
 +    set_disas_label(s, nextlabel);
      gen_jmp(s, jmp_diff(s, a->imm));
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
       * any faster.
       */
      TCGv_i32 tmp;
 -    TCGLabel *loopend;
 +    DisasLabel loopend;
      bool fpu_active;
      if (!dc_isar_feature(aa32_lob, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
      if (!a->tp && dc_isar_feature(aa32_mve, s) && fpu_active) {
          /* Need to do a runtime check for LTPSIZE != 4 */
 -        TCGLabel *skipexc = gen_new_label();
 +        DisasLabel skipexc = gen_disas_label(s);
          tmp = load_cpu_field(v7m.ltpsize);
 -        tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc);
 +        tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc.label);
          tcg_temp_free_i32(tmp);
          gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
 -        gen_set_label(skipexc);
 +        set_disas_label(s, skipexc);
      }
      if (a->f) {
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
       * loop decrement value is 1. For LETP we need to calculate the decrement
       * value from LTPSIZE.
       */
 -    loopend = gen_new_label();
 +    loopend = gen_disas_label(s);
      if (!a->tp) {
 -        tcg_gen_brcondi_i32(TCG_COND_LEU, cpu_R[14], 1, loopend);
 +        tcg_gen_brcondi_i32(TCG_COND_LEU, cpu_R[14], 1, loopend.label);
          tcg_gen_addi_i32(cpu_R[14], cpu_R[14], -1);
      } else {
          /*
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
          tcg_gen_shl_i32(decr, tcg_constant_i32(1), decr);
          tcg_temp_free_i32(ltpsize);
 -        tcg_gen_brcond_i32(TCG_COND_LEU, cpu_R[14], decr, loopend);
 +        tcg_gen_brcond_i32(TCG_COND_LEU, cpu_R[14], decr, loopend.label);
          tcg_gen_sub_i32(cpu_R[14], cpu_R[14], decr);
          tcg_temp_free_i32(decr);
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
      /* Jump back to the loop start */
      gen_jmp(s, jmp_diff(s, -a->imm));
 -    gen_set_label(loopend);
 +    set_disas_label(s, loopend);
      if (a->tp) {
          /* Exits from tail-pred loops must reset LTPSIZE to 4 */
          store_cpu_field(tcg_constant_i32(4), v7m.ltpsize);
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_CBZ *a)
      arm_gen_condlabel(s);
      tcg_gen_brcondi_i32(a->nz ? TCG_COND_EQ : TCG_COND_NE,
 -                        tmp, 0, s->condlabel);
 +                        tmp, 0, s->condlabel.label);
      tcg_temp_free_i32(tmp);
      gen_jmp(s, jmp_diff(s, a->imm));
      return true;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      dc->isar = &cpu->isar;
      dc->condjmp = 0;
 -
 +    dc->pc_save = dc->base.pc_first;
      dc->aarch64 = false;
      dc->thumb = EX_TBFLAG_AM32(tb_flags, THUMB);
      dc->be_data = EX_TBFLAG_ANY(tb_flags, BE_DATA) ? MO_BE : MO_LE;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
       */
      dc->eci = dc->condexec_mask = dc->condexec_cond = 0;
      dc->eci_handled = false;
 -    dc->insn_eci_rewind = NULL;
      if (condexec & 0xf) {
          dc->condexec_mask = (condexec & 0xf) << 1;
          dc->condexec_cond = condexec >> 4;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
       * fields here.
       */
      uint32_t condexec_bits;
 +    target_ulong pc_arg = dc->base.pc_next;
 +    if (TARGET_TB_PCREL) {
 +        pc_arg &= ~TARGET_PAGE_MASK;
 +    }
      if (dc->eci) {
          condexec_bits = dc->eci << 4;
      } else {
          condexec_bits = (dc->condexec_cond << 4) | (dc->condexec_mask >> 1);
      }
 -    tcg_gen_insn_start(dc->base.pc_next, condexec_bits, 0);
 +    tcg_gen_insn_start(pc_arg, condexec_bits, 0);
      dc->insn_start = tcg_last_op();
  }
@@ -XXX,XX +XXX,XX @@ static bool arm_check_ss_active(DisasContext *dc)
  static void arm_post_translate_insn(DisasContext *dc)
  {
 -    if (dc->condjmp && !dc->base.is_jmp) {
 -        gen_set_label(dc->condlabel);
 +    if (dc->condjmp && dc->base.is_jmp == DISAS_NEXT) {
 +        if (dc->pc_save != dc->condlabel.pc_save) {
 +            gen_update_pc(dc, dc->condlabel.pc_save - dc->pc_save);
 +        }
 +        gen_set_label(dc->condlabel.label);
          dc->condjmp = 0;
      }
      translator_loop_temp_check(&dc->base);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      uint32_t pc = dc->base.pc_next;
      uint32_t insn;
      bool is_16bit;
 +    /* TCG op to rewind to if this turns out to be an invalid ECI state */
 +    TCGOp *insn_eci_rewind = NULL;
 +    target_ulong insn_eci_pc_save = -1;
      /* Misaligned thumb PC is architecturally impossible. */
      assert((dc->base.pc_next & 1) == 0);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
           *     insn" case. We will rewind to the marker (ie throwing away
           *     all the generated code) and instead emit "take exception".
           */
--        cpu->isar.id_pfr1 &= ~0xf0;
+-        dc->insn_eci_rewind = tcg_last_op();
--        cpu->isar.id_aa64pfr0 &= ~0xf000;
++        insn_eci_rewind = tcg_last_op();
-+        cpu->isar.id_pfr1 = FIELD_DP32(cpu->isar.id_pfr1, ID_PFR1, SECURITY, 0);
++        insn_eci_pc_save = dc->pc_save;
-+        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
+     }
-+                                           ID_AA64PFR0, EL3, 0);
-     }
+     if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
+@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-     if (!cpu->has_el2) {
+          * Insn wasn't valid for ECI/ICI at all: undo what we
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
+          * just generated and instead emit an exception
      }
      if (!arm_feature(env, ARM_FEATURE_EL2)) {
 -        /* Disable the hypervisor feature bits in the processor feature
 -         * registers if we don't have EL2. These are id_pfr1[15:12] and
 -         * id_aa64pfr0_el1[11:8].
 +        /*
 +         * Disable the hypervisor feature bits in the processor feature
 +         * registers if we don't have EL2.
           */
--        cpu->isar.id_aa64pfr0 &= ~0xf00;
+-        tcg_remove_ops_after(dc->insn_eci_rewind);
--        cpu->isar.id_pfr1 &= ~0xf000;
++        tcg_remove_ops_after(insn_eci_rewind);
-+        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
++        dc->pc_save = insn_eci_pc_save;
-+                                           ID_AA64PFR0, EL2, 0);
+         dc->condjmp = 0;
-+        cpu->isar.id_pfr1 = FIELD_DP32(cpu->isar.id_pfr1,
+         gen_exception_insn(dc, 0, EXCP_INVSTATE, syn_uncategorized());
-+                                       ID_PFR1, VIRTUALIZATION, 0);
+     }
-     }
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
- #ifndef CONFIG_USER_ONLY
+     if (dc->condjmp) {
          /* "Condition failed" instruction codepath for the branch/trap insn */
 -        gen_set_label(dc->condlabel);
 +        set_disas_label(dc, dc->condlabel);
          gen_set_condexec(dc);
          if (unlikely(dc->ss_active)) {
              gen_update_pc(dc, curr_insn_len(dc));
@@ -XXX,XX +XXX,XX @@ void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
                            target_ulong *data)
  {
      if (is_a64(env)) {
 -        env->pc = data[0];
 +        if (TARGET_TB_PCREL) {
 +            env->pc = (env->pc & TARGET_PAGE_MASK) | data[0];
 +        } else {
 +            env->pc = data[0];
 +        }
          env->condexec_bits = 0;
          env->exception.syndrome = data[2] << ARM_INSN_START_WORD2_SHIFT;
      } else {
 -        env->regs[15] = data[0];
 +        if (TARGET_TB_PCREL) {
 +            env->regs[15] = (env->regs[15] & TARGET_PAGE_MASK) | data[0];
 +        } else {
 +            env->regs[15] = data[0];
 +        }
          env->condexec_bits = data[1];
          env->exception.syndrome = data[2] << ARM_INSN_START_WORD2_SHIFT;
      }
 --
 .25.1

-[PULL 01/32] MAINTAINERS/.mailmap: update email for Leif Lindholm
+[PULL 24/24] hw/ide/microdrive: Use device_cold_reset() for self-resets
-From: Leif Lindholm <quic_llindhol@quicinc.com>
+Currently the microdrive code uses device_legacy_reset() to reset
 itself, and has its reset method call reset on the IDE bus as the
 last thing it does.  Switch to using device_cold_reset().
-NUVIA was acquired by Qualcomm in March 2021, but kept functioning on
+The only concrete microdrive device is the TYPE_DSCM1XXXX; it is not
-separate infrastructure for a transitional period. We've now switched
+command-line pluggable, so it is used only by the old pxa2xx Arm
-over to contributing as Qualcomm Innovation Center (quicinc), so update
+boards 'akita', 'borzoi', 'spitz', 'terrier' and 'tosa'.
 my email address to reflect this.
-Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
+You might think that this would result in the IDE bus being
-Message-id: 20220505113740.75565-1-quic_llindhol@quicinc.com
+reset automatically, but it does not, because the IDEBus type
-Cc: Leif Lindholm <leif@nuviainc.com>
+does not set the BusClass::reset method. Instead the controller
-Cc: Peter Maydell <peter.maydell@linaro.org>
+must explicitly call ide_bus_reset(). We therefore leave that
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+call in md_reset().
-[Fixed commit message typo]
 Note also that because the PCMCIA card device is a direct subclass of
 TYPE_DEVICE and we don't model the PCMCIA controller-to-card
 interface as a qbus, PCMCIA cards are not on any qbus and so they
 don't get reset when the system is reset.  The reset only happens via
 the dscm1xxxx_attach() and dscm1xxxx_detach() functions during
 machine creation.
 Because our aim here is merely to try to get rid of calls to the
 device_legacy_reset() function, we leave these other dubious
 reset-related issues alone.  (They all stem from this code being
 absolutely ancient.)
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-id: 20221013174042.1602926-1-peter.maydell@linaro.org
 ---
- .mailmap    | 3 ++-
+ hw/ide/microdrive.c | 8 ++++----
- MAINTAINERS | 2 +-
+file changed, 4 insertions(+), 4 deletions(-)
 files changed, 3 insertions(+), 2 deletions(-)
-diff --git a/.mailmap b/.mailmap
+diff --git a/hw/ide/microdrive.c b/hw/ide/microdrive.c
 index XXXXXXX..XXXXXXX 100644
---- a/.mailmap
+--- a/hw/ide/microdrive.c
-+++ b/.mailmap
++++ b/hw/ide/microdrive.c
-@@ -XXX,XX +XXX,XX @@ Greg Kurz <groug@kaod.org> <gkurz@linux.vnet.ibm.com>
+@@ -XXX,XX +XXX,XX @@ static void md_attr_write(PCMCIACardState *card, uint32_t at, uint8_t value)
- Huacai Chen <chenhuacai@kernel.org> <chenhc@lemote.com>
+     case 0x00:    /* Configuration Option Register */
- Huacai Chen <chenhuacai@kernel.org> <chenhuacai@loongson.cn>
+         s->opt = value & 0xcf;
- James Hogan <jhogan@kernel.org> <james.hogan@imgtec.com>
+         if (value & OPT_SRESET) {
--Leif Lindholm <leif@nuviainc.com> <leif.lindholm@linaro.org>
+-            device_legacy_reset(DEVICE(s));
-+Leif Lindholm <quic_llindhol@quicinc.com> <leif.lindholm@linaro.org>
++            device_cold_reset(DEVICE(s));
-+Leif Lindholm <quic_llindhol@quicinc.com> <leif@nuviainc.com>
+         }
- Radoslaw Biernacki <rad@semihalf.com> <radoslaw.biernacki@linaro.org>
+         md_interrupt_update(s);
- Paul Burton <paulburton@kernel.org> <paul.burton@mips.com>
+         break;
- Paul Burton <paulburton@kernel.org> <paul.burton@imgtec.com>
+@@ -XXX,XX +XXX,XX @@ static void md_common_write(PCMCIACardState *card, uint32_t at, uint16_t value)
-diff --git a/MAINTAINERS b/MAINTAINERS
+     case 0xe:    /* Device Control */
-index XXXXXXX..XXXXXXX 100644
+         s->ctrl = value;
---- a/MAINTAINERS
+         if (value & CTRL_SRST) {
-+++ b/MAINTAINERS
+-            device_legacy_reset(DEVICE(s));
-@@ -XXX,XX +XXX,XX @@ F: include/hw/ssi/imx_spi.h
++            device_cold_reset(DEVICE(s));
- SBSA-REF
+         }
- M: Radoslaw Biernacki <rad@semihalf.com>
+         md_interrupt_update(s);
- M: Peter Maydell <peter.maydell@linaro.org>
+         break;
--R: Leif Lindholm <leif@nuviainc.com>
+@@ -XXX,XX +XXX,XX @@ static int dscm1xxxx_attach(PCMCIACardState *card)
-+R: Leif Lindholm <quic_llindhol@quicinc.com>
+     md->attr_base = pcc->cis[0x74] | (pcc->cis[0x76] << 8);
- L: qemu-arm@nongnu.org
+     md->io_base = 0x0;
- S: Maintained
- F: hw/arm/sbsa-ref.c
+-    device_legacy_reset(DEVICE(md));
 +    device_cold_reset(DEVICE(md));
      md_interrupt_update(md);
      return 0;
@@ -XXX,XX +XXX,XX @@ static int dscm1xxxx_detach(PCMCIACardState *card)
  {
      MicroDriveState *md = MICRODRIVE(card);
 -    device_legacy_reset(DEVICE(md));
 +    device_cold_reset(DEVICE(md));
      return 0;
  }
 --
 .25.1

-[PULL 03/32] target/arm: Drop EL3 no EL2 fallbacks
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Drop el3_no_el2_cp_reginfo, el3_no_el2_v8_cp_reginfo, and the local
-vpidr_regs definition, and rely on the squashing to ARM_CP_CONST
-while registering for v8.
-This is a behavior change for v7 cpus with Security Extensions and
-without Virtualization Extensions, in that the virtualization cpregs
-are now correctly not present.  This would be a migration compatibility
-break, except that we have an existing bug in which migration of 32-bit
-cpus with Security Extensions enabled does not work.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-3-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 158 ++++----------------------------------------
-file changed, 13 insertions(+), 145 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
-       .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
- };
--/* Used to describe the behaviour of EL2 regs when EL2 does not exist.  */
--static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
--    { .name = "VBAR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
--      .access = PL2_RW,
--      .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
--    { .name = "HCR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
--      .access = PL2_RW,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
--      .access = PL2_RW,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
--      .cp = 15, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "HAMAIR1", .state = ARM_CP_STATE_AA32,
--      .cp = 15, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1,
--      .access = PL2_RW, .type = ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1,
--      .access = PL2_RW, .type = ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "VTCR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
--      .access = PL2_RW, .accessfn = access_el3_aa32ns,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
--      .cp = 15, .opc1 = 6, .crm = 2,
--      .access = PL2_RW, .accessfn = access_el3_aa32ns,
--      .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
--    { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,
--      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,
--      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,
--      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
--      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14,
--      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64,
--      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14,
--      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
--      .resetvalue = 0 },
--    { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
--      .access = PL2_RW, .accessfn = access_tda,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "HPFAR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
--      .access = PL2_RW, .accessfn = access_el3_aa32ns,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "FAR_EL2", .state = ARM_CP_STATE_BOTH,
--      .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0,
--      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
--    { .name = "HIFAR", .state = ARM_CP_STATE_AA32,
--      .type = ARM_CP_CONST,
--      .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2,
--      .access = PL2_RW, .resetvalue = 0 },
--};
--
--/* Ditto, but for registers which exist in ARMv8 but not v7 */
--static const ARMCPRegInfo el3_no_el2_v8_cp_reginfo[] = {
--    { .name = "HCR2", .state = ARM_CP_STATE_AA32,
--      .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
--      .access = PL2_RW,
--      .type = ARM_CP_CONST, .resetvalue = 0 },
--};
--
- static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
- {
-     ARMCPU *cpu = env_archcpu(env);
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         define_arm_cp_regs(cpu, v8_idregs);
-         define_arm_cp_regs(cpu, v8_cp_reginfo);
-     }
--    if (arm_feature(env, ARM_FEATURE_EL2)) {
-+
-+    /*
-+     * Register the base EL2 cpregs.
-+     * Pre v8, these registers are implemented only as part of the
-+     * Virtualization Extensions (EL2 present).  Beginning with v8,
-+     * if EL2 is missing but EL3 is enabled, mostly these become
-+     * RES0 from EL3, with some specific exceptions.
-+     */
-+    if (arm_feature(env, ARM_FEATURE_EL2)
-+        || (arm_feature(env, ARM_FEATURE_EL3)
-+            && arm_feature(env, ARM_FEATURE_V8))) {
-         uint64_t vmpidr_def = mpidr_read_val(env);
-         ARMCPRegInfo vpidr_regs[] = {
-             { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-             };
-             define_one_arm_cp_reg(cpu, &rvbar);
-         }
--    } else {
--        /* If EL2 is missing but higher ELs are enabled, we need to
--         * register the no_el2 reginfos.
--         */
--        if (arm_feature(env, ARM_FEATURE_EL3)) {
--            /* When EL3 exists but not EL2, VPIDR and VMPIDR take the value
--             * of MIDR_EL1 and MPIDR_EL1.
--             */
--            ARMCPRegInfo vpidr_regs[] = {
--                { .name = "VPIDR_EL2", .state = ARM_CP_STATE_BOTH,
--                  .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
--                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
--                  .type = ARM_CP_CONST, .resetvalue = cpu->midr,
--                  .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
--                { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_BOTH,
--                  .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
--                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
--                  .type = ARM_CP_NO_RAW,
--                  .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
--            };
--            define_arm_cp_regs(cpu, vpidr_regs);
--            define_arm_cp_regs(cpu, el3_no_el2_cp_reginfo);
--            if (arm_feature(env, ARM_FEATURE_V8)) {
--                define_arm_cp_regs(cpu, el3_no_el2_v8_cp_reginfo);
--            }
--        }
-     }
-+
-+    /* Register the base EL3 cpregs. */
-     if (arm_feature(env, ARM_FEATURE_EL3)) {
-         define_arm_cp_regs(cpu, el3_cp_reginfo);
-         ARMCPRegInfo el3_regs[] = {
---
-.25.1

-[PULL 05/32] target/arm: Adjust definition of CONTEXTIDR_EL2
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This register is present for either VHE or Debugv8p2.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-5-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.c | 15 +++++++++++----
-file changed, 11 insertions(+), 4 deletions(-)
-diff --git a/target/arm/helper.c b/target/arm/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.c
-+++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo jazelle_regs[] = {
-       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
- };
-+static const ARMCPRegInfo contextidr_el2 = {
-+    .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64,
-+    .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1,
-+    .access = PL2_RW,
-+    .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2])
-+};
-+
- static const ARMCPRegInfo vhe_reginfo[] = {
--    { .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64,
--      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1,
--      .access = PL2_RW,
--      .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2]) },
-     { .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,
-       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,
-       .access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,
-@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
-         define_one_arm_cp_reg(cpu, &ssbs_reginfo);
-     }
-+    if (cpu_isar_feature(aa64_vh, cpu) ||
-+        cpu_isar_feature(aa64_debugv8p2, cpu)) {
-+        define_one_arm_cp_reg(cpu, &contextidr_el2);
-+    }
-     if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) {
-         define_arm_cp_regs(cpu, vhe_reginfo);
-     }
---
-.25.1

-[PULL 07/32] target/arm: Update qemu-system-arm -cpu max to cortex-a57
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Instead of starting with cortex-a15 and adding v8 features to
-a v7 cpu, begin with a v8 cpu stripped of its aarch64 features.
-This fixes the long-standing to-do where we only enabled v8
-features for user-only.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-7-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu_tcg.c | 151 ++++++++++++++++++++++++++-----------------
-file changed, 92 insertions(+), 59 deletions(-)
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu_tcg.c
-+++ b/target/arm/cpu_tcg.c
-@@ -XXX,XX +XXX,XX @@ static void arm_v7m_class_init(ObjectClass *oc, void *data)
- static void arm_max_initfn(Object *obj)
- {
-     ARMCPU *cpu = ARM_CPU(obj);
-+    uint32_t t;
--    cortex_a15_initfn(obj);
-+    /* aarch64_a57_initfn, advertising none of the aarch64 features */
-+    cpu->dtb_compatible = "arm,cortex-a57";
-+    set_feature(&cpu->env, ARM_FEATURE_V8);
-+    set_feature(&cpu->env, ARM_FEATURE_NEON);
-+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
-+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
-+    set_feature(&cpu->env, ARM_FEATURE_EL2);
-+    set_feature(&cpu->env, ARM_FEATURE_EL3);
-+    set_feature(&cpu->env, ARM_FEATURE_PMU);
-+    cpu->midr = 0x411fd070;
-+    cpu->revidr = 0x00000000;
-+    cpu->reset_fpsid = 0x41034070;
-+    cpu->isar.mvfr0 = 0x10110222;
-+    cpu->isar.mvfr1 = 0x12111111;
-+    cpu->isar.mvfr2 = 0x00000043;
-+    cpu->ctr = 0x8444c004;
-+    cpu->reset_sctlr = 0x00c50838;
-+    cpu->isar.id_pfr0 = 0x00000131;
-+    cpu->isar.id_pfr1 = 0x00011011;
-+    cpu->isar.id_dfr0 = 0x03010066;
-+    cpu->id_afr0 = 0x00000000;
-+    cpu->isar.id_mmfr0 = 0x10101105;
-+    cpu->isar.id_mmfr1 = 0x40000000;
-+    cpu->isar.id_mmfr2 = 0x01260000;
-+    cpu->isar.id_mmfr3 = 0x02102211;
-+    cpu->isar.id_isar0 = 0x02101110;
-+    cpu->isar.id_isar1 = 0x13112111;
-+    cpu->isar.id_isar2 = 0x21232042;
-+    cpu->isar.id_isar3 = 0x01112131;
-+    cpu->isar.id_isar4 = 0x00011142;
-+    cpu->isar.id_isar5 = 0x00011121;
-+    cpu->isar.id_isar6 = 0;
-+    cpu->isar.dbgdidr = 0x3516d000;
-+    cpu->clidr = 0x0a200023;
-+    cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
-+    cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
-+    cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
-+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
--    /* old-style VFP short-vector support */
--    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-+    /* Add additional features supported by QEMU */
-+    t = cpu->isar.id_isar5;
-+    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
-+    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
-+    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
-+    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
-+    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
-+    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
-+    cpu->isar.id_isar5 = t;
-+
-+    t = cpu->isar.id_isar6;
-+    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
-+    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
-+    cpu->isar.id_isar6 = t;
-+
-+    t = cpu->isar.mvfr1;
-+    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
-+    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
-+    cpu->isar.mvfr1 = t;
-+
-+    t = cpu->isar.mvfr2;
-+    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-+    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-+    cpu->isar.mvfr2 = t;
-+
-+    t = cpu->isar.id_mmfr3;
-+    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
-+    cpu->isar.id_mmfr3 = t;
-+
-+    t = cpu->isar.id_mmfr4;
-+    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
-+    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
-+    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
-+    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
-+    cpu->isar.id_mmfr4 = t;
-+
-+    t = cpu->isar.id_pfr0;
-+    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
-+    cpu->isar.id_pfr0 = t;
-+
-+    t = cpu->isar.id_pfr2;
-+    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
-+    cpu->isar.id_pfr2 = t;
- #ifdef CONFIG_USER_ONLY
-     /*
--     * We don't set these in system emulation mode for the moment,
--     * since we don't correctly set (all of) the ID registers to
--     * advertise them.
-+     * Break with true ARMv8 and add back old-style VFP short-vector support.
-+     * Only do this for user-mode, where -cpu max is the default, so that
-+     * older v6 and v7 programs are more likely to work without adjustment.
-      */
--    set_feature(&cpu->env, ARM_FEATURE_V8);
--    {
--        uint32_t t;
--
--        t = cpu->isar.id_isar5;
--        t = FIELD_DP32(t, ID_ISAR5, AES, 2);
--        t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
--        t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
--        t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
--        t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
--        t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
--        cpu->isar.id_isar5 = t;
--
--        t = cpu->isar.id_isar6;
--        t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
--        t = FIELD_DP32(t, ID_ISAR6, DP, 1);
--        t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
--        t = FIELD_DP32(t, ID_ISAR6, SB, 1);
--        t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
--        t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
--        t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
--        cpu->isar.id_isar6 = t;
--
--        t = cpu->isar.mvfr1;
--        t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
--        t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
--        cpu->isar.mvfr1 = t;
--
--        t = cpu->isar.mvfr2;
--        t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
--        t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
--        cpu->isar.mvfr2 = t;
--
--        t = cpu->isar.id_mmfr3;
--        t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
--        cpu->isar.id_mmfr3 = t;
--
--        t = cpu->isar.id_mmfr4;
--        t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
--        t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
--        t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
--        t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
--        cpu->isar.id_mmfr4 = t;
--
--        t = cpu->isar.id_pfr0;
--        t = FIELD_DP32(t, ID_PFR0, DIT, 1);
--        cpu->isar.id_pfr0 = t;
--
--        t = cpu->isar.id_pfr2;
--        t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
--        cpu->isar.id_pfr2 = t;
--    }
--#endif /* CONFIG_USER_ONLY */
-+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
-+#endif
- }
- #endif /* !TARGET_AARCH64 */
---
-.25.1

-[PULL 08/32] target/arm: Set ID_DFR0.PerfMon for qemu-system-arm -cpu max
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-We set this for qemu-system-aarch64, but failed to do so
-for the strictly 32-bit emulation.
-Fixes: 3bec78447a9 ("target/arm: Provide ARMv8.4-PMU in '-cpu max'")
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-8-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu_tcg.c | 4 ++++
-file changed, 4 insertions(+)
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu_tcg.c
-+++ b/target/arm/cpu_tcg.c
-@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
-     t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
-     cpu->isar.id_pfr2 = t;
-+    t = cpu->isar.id_dfr0;
-+    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
-+    cpu->isar.id_dfr0 = t;
-+
- #ifdef CONFIG_USER_ONLY
-     /*
-      * Break with true ARMv8 and add back old-style VFP short-vector support.
---
-.25.1

-[PULL 19/32] target/arm: Enable FEAT_IESB for -cpu max
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This feature is AArch64 only, and applies to physical SErrors,
-which QEMU does not implement, thus the feature is a nop.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-19-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- docs/system/arm/emulation.rst | 1 +
- target/arm/cpu64.c            | 1 +
-files changed, 2 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_FlagM2 (Enhancements to flag manipulation instructions)
- - FEAT_HPDS (Hierarchical permission disables)
- - FEAT_I8MM (AArch64 Int8 matrix multiplication instructions)
-+- FEAT_IESB (Implicit error synchronization event)
- - FEAT_JSCVT (JavaScript conversion instructions)
- - FEAT_LOR (Limited ordering regions)
- - FEAT_LPA (Large Physical Address space)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     t = cpu->isar.id_aa64mmfr2;
-     t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1);      /* FEAT_TTCNP */
-     t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);      /* FEAT_UAO */
-+    t = FIELD_DP64(t, ID_AA64MMFR2, IESB, 1);     /* FEAT_IESB */
-     t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1);  /* FEAT_LVA */
-     t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1);       /* FEAT_TTST */
-     t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1);      /* FEAT_TTL */
---
-.25.1

-[PULL 20/32] target/arm: Enable FEAT_CSV2 for -cpu max
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This extension concerns branch speculation, which TCG does
-not implement.  Thus we can trivially enable this feature.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220506180242.216785-20-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- docs/system/arm/emulation.rst | 1 +
- target/arm/cpu64.c            | 1 +
- target/arm/cpu_tcg.c          | 1 +
-files changed, 3 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_BBM at level 2 (Translation table break-before-make levels)
- - FEAT_BF16 (AArch64 BFloat16 instructions)
- - FEAT_BTI (Branch Target Identification)
-+- FEAT_CSV2 (Cache speculation variant 2)
- - FEAT_DIT (Data Independent Timing instructions)
- - FEAT_DPB (DC CVAP instruction)
- - FEAT_Debugv8p2 (Debug changes for v8.2)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-     t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
-     t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
-+    t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 1);      /* FEAT_CSV2 */
-     cpu->isar.id_aa64pfr0 = t;
-     t = cpu->isar.id_aa64pfr1;
-diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu_tcg.c
-+++ b/target/arm/cpu_tcg.c
-@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
-     cpu->isar.id_mmfr4 = t;
-     t = cpu->isar.id_pfr0;
-+    t = FIELD_DP32(t, ID_PFR0, CSV2, 2);          /* FEAT_CVS2 */
-     t = FIELD_DP32(t, ID_PFR0, DIT, 1);           /* FEAT_DIT */
-     t = FIELD_DP32(t, ID_PFR0, RAS, 1);           /* FEAT_RAS */
-     cpu->isar.id_pfr0 = t;
---
-.25.1

-[PULL 27/32] qapi/machine.json: Add cluster-id
+Deleted patch
-From: Gavin Shan <gshan@redhat.com>
-This adds cluster-id in CPU instance properties, which will be used
-by arm/virt machine. Besides, the cluster-id is also verified or
-dumped in various spots:
-  * hw/core/machine.c::machine_set_cpu_numa_node() to associate
-    CPU with its NUMA node.
-  * hw/core/machine.c::machine_numa_finish_cpu_init() to record
-    CPU slots with no NUMA mapping set.
-  * hw/core/machine-hmp-cmds.c::hmp_hotpluggable_cpus() to dump
-    cluster-id.
-Signed-off-by: Gavin Shan <gshan@redhat.com>
-Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
-Acked-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20220503140304.855514-2-gshan@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- qapi/machine.json          |  6 ++++--
- hw/core/machine-hmp-cmds.c |  4 ++++
- hw/core/machine.c          | 16 ++++++++++++++++
-files changed, 24 insertions(+), 2 deletions(-)
-diff --git a/qapi/machine.json b/qapi/machine.json
-index XXXXXXX..XXXXXXX 100644
---- a/qapi/machine.json
-+++ b/qapi/machine.json
-@@ -XXX,XX +XXX,XX @@
- # @node-id: NUMA node ID the CPU belongs to
- # @socket-id: socket number within node/board the CPU belongs to
- # @die-id: die number within socket the CPU belongs to (since 4.1)
--# @core-id: core number within die the CPU belongs to
-+# @cluster-id: cluster number within die the CPU belongs to (since 7.1)
-+# @core-id: core number within cluster the CPU belongs to
- # @thread-id: thread number within core the CPU belongs to
- #
--# Note: currently there are 5 properties that could be present
-+# Note: currently there are 6 properties that could be present
- #       but management should be prepared to pass through other
- #       properties with device_add command to allow for future
- #       interface extension. This also requires the filed names to be kept in
-@@ -XXX,XX +XXX,XX @@
-   'data': { '*node-id': 'int',
-             '*socket-id': 'int',
-             '*die-id': 'int',
-+            '*cluster-id': 'int',
-             '*core-id': 'int',
-             '*thread-id': 'int'
-   }
-diff --git a/hw/core/machine-hmp-cmds.c b/hw/core/machine-hmp-cmds.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/machine-hmp-cmds.c
-+++ b/hw/core/machine-hmp-cmds.c
-@@ -XXX,XX +XXX,XX @@ void hmp_hotpluggable_cpus(Monitor *mon, const QDict *qdict)
-         if (c->has_die_id) {
-             monitor_printf(mon, "    die-id: \"%" PRIu64 "\"\n", c->die_id);
-         }
-+        if (c->has_cluster_id) {
-+            monitor_printf(mon, "    cluster-id: \"%" PRIu64 "\"\n",
-+                           c->cluster_id);
-+        }
-         if (c->has_core_id) {
-             monitor_printf(mon, "    core-id: \"%" PRIu64 "\"\n", c->core_id);
-         }
-diff --git a/hw/core/machine.c b/hw/core/machine.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/core/machine.c
-+++ b/hw/core/machine.c
-@@ -XXX,XX +XXX,XX @@ void machine_set_cpu_numa_node(MachineState *machine,
-             return;
-         }
-+        if (props->has_cluster_id && !slot->props.has_cluster_id) {
-+            error_setg(errp, "cluster-id is not supported");
-+            return;
-+        }
-+
-         if (props->has_socket_id && !slot->props.has_socket_id) {
-             error_setg(errp, "socket-id is not supported");
-             return;
-@@ -XXX,XX +XXX,XX @@ void machine_set_cpu_numa_node(MachineState *machine,
-                 continue;
-         }
-+        if (props->has_cluster_id &&
-+            props->cluster_id != slot->props.cluster_id) {
-+                continue;
-+        }
-+
-         if (props->has_die_id && props->die_id != slot->props.die_id) {
-                 continue;
-         }
-@@ -XXX,XX +XXX,XX @@ static char *cpu_slot_to_string(const CPUArchId *cpu)
-         }
-         g_string_append_printf(s, "die-id: %"PRId64, cpu->props.die_id);
-     }
-+    if (cpu->props.has_cluster_id) {
-+        if (s->len) {
-+            g_string_append_printf(s, ", ");
-+        }
-+        g_string_append_printf(s, "cluster-id: %"PRId64, cpu->props.cluster_id);
-+    }
-     if (cpu->props.has_core_id) {
-         if (s->len) {
-             g_string_append_printf(s, ", ");
---
-.25.1

-[PULL 29/32] hw/arm/virt: Consider SMP configuration in CPU topology
+Deleted patch
-From: Gavin Shan <gshan@redhat.com>
-Currently, the SMP configuration isn't considered when the CPU
-topology is populated. In this case, it's impossible to provide
-the default CPU-to-NUMA mapping or association based on the socket
-ID of the given CPU.
-This takes account of SMP configuration when the CPU topology
-is populated. The die ID for the given CPU isn't assigned since
-it's not supported on arm/virt machine. Besides, the used SMP
-configuration in qtest/numa-test/aarch64_numa_cpu() is corrcted
-to avoid testing failure
-Signed-off-by: Gavin Shan <gshan@redhat.com>
-Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
-Acked-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20220503140304.855514-4-gshan@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt.c | 15 ++++++++++++++-
-file changed, 14 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
-     int n;
-     unsigned int max_cpus = ms->smp.max_cpus;
-     VirtMachineState *vms = VIRT_MACHINE(ms);
-+    MachineClass *mc = MACHINE_GET_CLASS(vms);
-     if (ms->possible_cpus) {
-         assert(ms->possible_cpus->len == max_cpus);
-@@ -XXX,XX +XXX,XX @@ static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
-         ms->possible_cpus->cpus[n].type = ms->cpu_type;
-         ms->possible_cpus->cpus[n].arch_id =
-             virt_cpu_mp_affinity(vms, n);
-+
-+        assert(!mc->smp_props.dies_supported);
-+        ms->possible_cpus->cpus[n].props.has_socket_id = true;
-+        ms->possible_cpus->cpus[n].props.socket_id =
-+            n / (ms->smp.clusters * ms->smp.cores * ms->smp.threads);
-+        ms->possible_cpus->cpus[n].props.has_cluster_id = true;
-+        ms->possible_cpus->cpus[n].props.cluster_id =
-+            (n / (ms->smp.cores * ms->smp.threads)) % ms->smp.clusters;
-+        ms->possible_cpus->cpus[n].props.has_core_id = true;
-+        ms->possible_cpus->cpus[n].props.core_id =
-+            (n / ms->smp.threads) % ms->smp.cores;
-         ms->possible_cpus->cpus[n].props.has_thread_id = true;
--        ms->possible_cpus->cpus[n].props.thread_id = n;
-+        ms->possible_cpus->cpus[n].props.thread_id =
-+            n % ms->smp.threads;
-     }
-     return ms->possible_cpus;
- }
---
-.25.1

-[PULL 30/32] qtest/numa-test: Correct CPU and NUMA association in aarch64_numa_cpu()
+Deleted patch
-From: Gavin Shan <gshan@redhat.com>
-In aarch64_numa_cpu(), the CPU and NUMA association is something
-like below. Two threads in the same core/cluster/socket are
-associated with two individual NUMA nodes, which is unreal as
-Igor Mammedov mentioned. We don't expect the association to break
-NUMA-to-socket boundary, which matches with the real world.
-    NUMA-node  socket  cluster   core   thread
-    ------------------------------------------
-0        0        0      0
-0        0        0      1
-This corrects the topology for CPUs and their association with
-NUMA nodes. After this patch is applied, the CPU and NUMA
-association becomes something like below, which looks real.
-Besides, socket/cluster/core/thread IDs are all checked when
-the NUMA node IDs are verified. It helps to check if the CPU
-topology is properly populated or not.
-    NUMA-node  socket  cluster   core   thread
-    ------------------------------------------
-1        0        0       0
-0        0        0       0
-Suggested-by: Igor Mammedov <imammedo@redhat.com>
-Signed-off-by: Gavin Shan <gshan@redhat.com>
-Acked-by: Igor Mammedov <imammedo@redhat.com>
-Message-id: 20220503140304.855514-5-gshan@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- tests/qtest/numa-test.c | 18 ++++++++++++------
-file changed, 12 insertions(+), 6 deletions(-)
-diff --git a/tests/qtest/numa-test.c b/tests/qtest/numa-test.c
-index XXXXXXX..XXXXXXX 100644
---- a/tests/qtest/numa-test.c
-+++ b/tests/qtest/numa-test.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_numa_cpu(const void *data)
-     g_autofree char *cli = NULL;
-     cli = make_cli(data, "-machine "
--        "smp.cpus=2,smp.sockets=1,smp.clusters=1,smp.cores=1,smp.threads=2 "
-+        "smp.cpus=2,smp.sockets=2,smp.clusters=1,smp.cores=1,smp.threads=1 "
-         "-numa node,nodeid=0,memdev=ram -numa node,nodeid=1 "
--        "-numa cpu,node-id=1,thread-id=0 "
--        "-numa cpu,node-id=0,thread-id=1");
-+        "-numa cpu,node-id=0,socket-id=1,cluster-id=0,core-id=0,thread-id=0 "
-+        "-numa cpu,node-id=1,socket-id=0,cluster-id=0,core-id=0,thread-id=0");
-     qts = qtest_init(cli);
-     cpus = get_cpus(qts, &resp);
-     g_assert(cpus);
-     while ((e = qlist_pop(cpus))) {
-         QDict *cpu, *props;
--        int64_t thread, node;
-+        int64_t socket, cluster, core, thread, node;
-         cpu = qobject_to(QDict, e);
-         g_assert(qdict_haskey(cpu, "props"));
-@@ -XXX,XX +XXX,XX @@ static void aarch64_numa_cpu(const void *data)
-         g_assert(qdict_haskey(props, "node-id"));
-         node = qdict_get_int(props, "node-id");
-+        g_assert(qdict_haskey(props, "socket-id"));
-+        socket = qdict_get_int(props, "socket-id");
-+        g_assert(qdict_haskey(props, "cluster-id"));
-+        cluster = qdict_get_int(props, "cluster-id");
-+        g_assert(qdict_haskey(props, "core-id"));
-+        core = qdict_get_int(props, "core-id");
-         g_assert(qdict_haskey(props, "thread-id"));
-         thread = qdict_get_int(props, "thread-id");
--        if (thread == 0) {
-+        if (socket == 0 && cluster == 0 && core == 0 && thread == 0) {
-             g_assert_cmpint(node, ==, 1);
--        } else if (thread == 1) {
-+        } else if (socket == 1 && cluster == 0 && core == 0 && thread == 0) {
-             g_assert_cmpint(node, ==, 0);
-         } else {
-             g_assert(false);
---
-.25.1

-[PULL 31/32] hw/arm/virt: Fix CPU's default NUMA node ID
+Deleted patch
-From: Gavin Shan <gshan@redhat.com>
-When CPU-to-NUMA association isn't explicitly provided by users,
-the default one is given by mc->get_default_cpu_node_id(). However,
-the CPU topology isn't fully considered in the default association
-and this causes CPU topology broken warnings on booting Linux guest.
-For example, the following warning messages are observed when the
-Linux guest is booted with the following command lines.
-  /home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
-  -accel kvm -machine virt,gic-version=host               \
-  -cpu host                                               \
-  -smp 6,sockets=2,cores=3,threads=1                      \
-  -m 1024M,slots=16,maxmem=64G                            \
-  -object memory-backend-ram,id=mem0,size=128M            \
-  -object memory-backend-ram,id=mem1,size=128M            \
-  -object memory-backend-ram,id=mem2,size=128M            \
-  -object memory-backend-ram,id=mem3,size=128M            \
-  -object memory-backend-ram,id=mem4,size=128M            \
-  -object memory-backend-ram,id=mem4,size=384M            \
-  -numa node,nodeid=0,memdev=mem0                         \
-  -numa node,nodeid=1,memdev=mem1                         \
-  -numa node,nodeid=2,memdev=mem2                         \
-  -numa node,nodeid=3,memdev=mem3                         \
-  -numa node,nodeid=4,memdev=mem4                         \
-  -numa node,nodeid=5,memdev=mem5
-         :
-  alternatives: patching kernel code
-  BUG: arch topology borken
-  the CLS domain not a subset of the MC domain
-  <the above error log repeats>
-  BUG: arch topology borken
-  the DIE domain not a subset of the NODE domain
-With current implementation of mc->get_default_cpu_node_id(),
-CPU#0 to CPU#5 are associated with NODE#0 to NODE#5 separately.
-That's incorrect because CPU#0/1/2 should be associated with same
-NUMA node because they're seated in same socket.
-This fixes the issue by considering the socket ID when the default
-CPU-to-NUMA association is provided in virt_possible_cpu_arch_ids().
-With this applied, no more CPU topology broken warnings are seen
-from the Linux guest. The 6 CPUs are associated with NODE#0/1, but
-there are no CPUs associated with NODE#2/3/4/5.
-Signed-off-by: Gavin Shan <gshan@redhat.com>
-Reviewed-by: Igor Mammedov <imammedo@redhat.com>
-Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
-Message-id: 20220503140304.855514-6-gshan@redhat.com
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- hw/arm/virt.c | 4 +++-
-file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/hw/arm/virt.c b/hw/arm/virt.c
-index XXXXXXX..XXXXXXX 100644
---- a/hw/arm/virt.c
-+++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@ virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
- static int64_t virt_get_default_cpu_node_id(const MachineState *ms, int idx)
- {
--    return idx % ms->numa_state->num_nodes;
-+    int64_t socket_id = ms->possible_cpus->cpus[idx].props.socket_id;
-+
-+    return socket_id % ms->numa_state->num_nodes;
- }
- static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
---
-.25.1

target-arm queue: the big stuff here is the final part of
rth's patches for Cortex-A76 and Neoverse-N1 support;
also present are Gavin's NUMA series and a few other things.

thanks
-- PMM

The following changes since commit 554623226f800acf48a2ed568900c1c968ec9a8b:

Merge tag 'qemu-sparc-20220508' of https://github.com/mcayland/qemu into staging (2022-05-08 17:03:26 -0500)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220509

for you to fetch changes up to ae9141d4a3265553503bf07d3574b40f84615a34:

hw/acpi/aml-build: Use existing CPU topology to build PPTT table (2022-05-09 11:47:55 +0100)

----------------------------------------------------------------
target-arm queue:
 * MAINTAINERS/.mailmap: update email for Leif Lindholm
 * hw/arm: add version information to sbsa-ref machine DT
 * Enable new features for -cpu max:
   FEAT_Debugv8p2, FEAT_Debugv8p4, FEAT_RAS (minimal version only),
   FEAT_IESB, FEAT_CSV2, FEAT_CSV2_2, FEAT_CSV3, FEAT_DGH
 * Emulate Cortex-A76
 * Emulate Neoverse-N1
 * Fix the virt board default NUMA topology

----------------------------------------------------------------
Gavin Shan (6):
      qapi/machine.json: Add cluster-id
      qtest/numa-test: Specify CPU topology in aarch64_numa_cpu()
      hw/arm/virt: Consider SMP configuration in CPU topology
      qtest/numa-test: Correct CPU and NUMA association in aarch64_numa_cpu()
      hw/arm/virt: Fix CPU's default NUMA node ID
      hw/acpi/aml-build: Use existing CPU topology to build PPTT table

Leif Lindholm (2):
      MAINTAINERS/.mailmap: update email for Leif Lindholm
      hw/arm: add versioning to sbsa-ref machine DT

Richard Henderson (24):
      target/arm: Handle cpreg registration for missing EL
      target/arm: Drop EL3 no EL2 fallbacks
      target/arm: Merge zcr reginfo
      target/arm: Adjust definition of CONTEXTIDR_EL2
      target/arm: Move cortex impdef sysregs to cpu_tcg.c
      target/arm: Update qemu-system-arm -cpu max to cortex-a57
      target/arm: Set ID_DFR0.PerfMon for qemu-system-arm -cpu max
      target/arm: Split out aa32_max_features
      target/arm: Annotate arm_max_initfn with FEAT identifiers
      target/arm: Use field names for manipulating EL2 and EL3 modes
      target/arm: Enable FEAT_Debugv8p2 for -cpu max
      target/arm: Enable FEAT_Debugv8p4 for -cpu max
      target/arm: Add minimal RAS registers
      target/arm: Enable SCR and HCR bits for RAS
      target/arm: Implement virtual SError exceptions
      target/arm: Implement ESB instruction
      target/arm: Enable FEAT_RAS for -cpu max
      target/arm: Enable FEAT_IESB for -cpu max
      target/arm: Enable FEAT_CSV2 for -cpu max
      target/arm: Enable FEAT_CSV2_2 for -cpu max
      target/arm: Enable FEAT_CSV3 for -cpu max
      target/arm: Enable FEAT_DGH for -cpu max
      target/arm: Define cortex-a76
      target/arm: Define neoverse-n1

From: Leif Lindholm <quic_llindhol@quicinc.com>

NUVIA was acquired by Qualcomm in March 2021, but kept functioning on
separate infrastructure for a transitional period. We've now switched
over to contributing as Qualcomm Innovation Center (quicinc), so update
my email address to reflect this.

Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Message-id: 20220505113740.75565-1-quic_llindhol@quicinc.com
Cc: Leif Lindholm <leif@nuviainc.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
[Fixed commit message typo]
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 .mailmap    | 3 ++-
 MAINTAINERS | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.mailmap b/.mailmap
index XXXXXXX..XXXXXXX 100644
--- a/.mailmap
+++ b/.mailmap
@@ -XXX,XX +XXX,XX @@ Greg Kurz <groug@kaod.org> <gkurz@linux.vnet.ibm.com>
 Huacai Chen <chenhuacai@kernel.org> <chenhc@lemote.com>
 Huacai Chen <chenhuacai@kernel.org> <chenhuacai@loongson.cn>
 James Hogan <jhogan@kernel.org> <james.hogan@imgtec.com>
-Leif Lindholm <leif@nuviainc.com> <leif.lindholm@linaro.org>
+Leif Lindholm <quic_llindhol@quicinc.com> <leif.lindholm@linaro.org>
+Leif Lindholm <quic_llindhol@quicinc.com> <leif@nuviainc.com>
 Radoslaw Biernacki <rad@semihalf.com> <radoslaw.biernacki@linaro.org>
 Paul Burton <paulburton@kernel.org> <paul.burton@mips.com>
 Paul Burton <paulburton@kernel.org> <paul.burton@imgtec.com>
diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ F: include/hw/ssi/imx_spi.h
 SBSA-REF
 M: Radoslaw Biernacki <rad@semihalf.com>
 M: Peter Maydell <peter.maydell@linaro.org>
-R: Leif Lindholm <leif@nuviainc.com>
+R: Leif Lindholm <quic_llindhol@quicinc.com>
 L: qemu-arm@nongnu.org
 S: Maintained
 F: hw/arm/sbsa-ref.c
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

More gracefully handle cpregs when EL2 and/or EL3 are missing.
If the reg is entirely inaccessible, do not register it at all.
If the reg is for EL2, and EL3 is present but EL2 is not,
either discard, squash to res0, const, or keep unchanged.

Per rule RJFFP, mark the 4 aarch32 hypervisor access registers
with ARM_CP_EL3_NO_EL2_KEEP, and mark all of the EL2 address
translation and tlb invalidation "regs" ARM_CP_EL3_NO_EL2_UNDEF.
Mark the 2 virtualization processor id regs ARM_CP_EL3_NO_EL2_C_NZ.

This will simplify cpreg registration for conditional arm features.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpregs.h |  11 +++
 target/arm/helper.c | 178 ++++++++++++++++++++++++++++++--------------
 2 files changed, 133 insertions(+), 56 deletions(-)

diff --git a/target/arm/cpregs.h b/target/arm/cpregs.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpregs.h
+++ b/target/arm/cpregs.h
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_CP_SVE                   = 1 << 14,
     /* Flag: Do not expose in gdb sysreg xml. */
     ARM_CP_NO_GDB                = 1 << 15,
+    /*
+     * Flags: If EL3 but not EL2...
+     *   - UNDEF: discard the cpreg,
+     *   -  KEEP: retain the cpreg as is,
+     *   -  C_NZ: set const on the cpreg, but retain resetvalue,
+     *   -  else: set const on the cpreg, zero resetvalue, aka RES0.
+     * See rule RJFFP in section D1.1.3 of DDI0487H.a.
+     */
+    ARM_CP_EL3_NO_EL2_UNDEF      = 1 << 16,
+    ARM_CP_EL3_NO_EL2_KEEP       = 1 << 17,
+    ARM_CP_EL3_NO_EL2_C_NZ       = 1 << 18,
 };
 
 /*
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write },
     { .name = "FPEXC32_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 3, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_ALIAS | ARM_CP_FPU,
+      .access = PL2_RW,
+      .type = ARM_CP_ALIAS | ARM_CP_FPU | ARM_CP_EL3_NO_EL2_KEEP,
       .fieldoffset = offsetof(CPUARMState, vfp.xregs[ARM_VFP_FPEXC]) },
     { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0,
-      .access = PL2_RW, .resetvalue = 0,
+      .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
       .writefn = dacr_write, .raw_writefn = raw_write,
       .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) },
     { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1,
-      .access = PL2_RW, .resetvalue = 0,
+      .access = PL2_RW, .resetvalue = 0, .type = ARM_CP_EL3_NO_EL2_KEEP,
       .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) },
     { .name = "SPSR_IRQ", .state = ARM_CP_STATE_AA64,
       .type = ARM_CP_ALIAS,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
       .writefn = tlbimva_hyp_is_write },
     { .name = "TLBI_ALLE2", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 0,
-      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_alle2_write },
     { .name = "TLBI_VAE2", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 1,
-      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2_write },
     { .name = "TLBI_VALE2", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2_write },
     { .name = "TLBI_ALLE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 0,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_alle2is_write },
     { .name = "TLBI_VAE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 1,
-      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2is_write },
     { .name = "TLBI_VALE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2is_write },
 #ifndef CONFIG_USER_ONLY
     /* Unlike the other EL2-related AT operations, these must
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {
     { .name = "AT_S1E2R", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 0,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
+      .writefn = ats_write64 },
     { .name = "AT_S1E2W", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 7, .crm = 8, .opc2 = 1,
       .access = PL2_W, .accessfn = at_s1e2_access,
-      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC, .writefn = ats_write64 },
+      .type = ARM_CP_NO_RAW | ARM_CP_RAISES_EXC | ARM_CP_EL3_NO_EL2_UNDEF,
+      .writefn = ats_write64 },
     /* The AArch32 ATS1H* operations are CONSTRAINED UNPREDICTABLE
      * if EL2 is not implemented; we choose to UNDEF. Behaviour at EL3
      * with SCR.NS == 0 outside Monitor mode is UNPREDICTABLE; we choose
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
     { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,
       .access = PL2_RW, .accessfn = access_tda,
-      .type = ARM_CP_NOP },
+      .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },
     /* Dummy MDCCINT_EL1, since we don't implement the Debug Communications
      * Channel but Linux may try to access this register. The 32-bit
      * alias is DBGDCCINT.
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
       .access = PL2_W, .type = ARM_CP_NOP },
     { .name = "TLBI_RVAE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2is_write },
    { .name = "TLBI_RVALE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2is_write },
     { .name = "TLBI_RIPAS2E1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 2,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
       .access = PL2_W, .type = ARM_CP_NOP },
    { .name = "TLBI_RVAE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2is_write },
    { .name = "TLBI_RVALE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2is_write },
     { .name = "TLBI_RVAE2", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2_write },
    { .name = "TLBI_RVALE2", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 6, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_rvae2_write },
    { .name = "TLBI_RVAE3IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 6, .crn = 8, .crm = 2, .opc2 = 1,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
       .writefn = tlbi_aa64_vae1is_write },
     { .name = "TLBI_ALLE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 0,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_alle2is_write },
     { .name = "TLBI_VAE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2is_write },
    { .name = "TLBI_ALLE1OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 4,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbios_reginfo[] = {
       .writefn = tlbi_aa64_alle1is_write },
     { .name = "TLBI_VALE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
       .writefn = tlbi_aa64_vae2is_write },
     { .name = "TLBI_VMALLS12E1OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 1, .opc2 = 6,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
               .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
               .access = PL2_RW, .accessfn = access_el3_aa32ns,
-              .resetvalue = cpu->midr, .type = ARM_CP_ALIAS,
+              .resetvalue = cpu->midr,
+              .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
               .fieldoffset = offsetoflow32(CPUARMState, cp15.vpidr_el2) },
             { .name = "VPIDR_EL2", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
               .access = PL2_RW, .resetvalue = cpu->midr,
+              .type = ARM_CP_EL3_NO_EL2_C_NZ,
               .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
             { .name = "VMPIDR", .state = ARM_CP_STATE_AA32,
               .cp = 15, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
               .access = PL2_RW, .accessfn = access_el3_aa32ns,
-              .resetvalue = vmpidr_def, .type = ARM_CP_ALIAS,
+              .resetvalue = vmpidr_def,
+              .type = ARM_CP_ALIAS | ARM_CP_EL3_NO_EL2_C_NZ,
               .fieldoffset = offsetoflow32(CPUARMState, cp15.vmpidr_el2) },
             { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_AA64,
               .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
-              .access = PL2_RW,
-              .resetvalue = vmpidr_def,
+              .access = PL2_RW, .resetvalue = vmpidr_def,
+              .type = ARM_CP_EL3_NO_EL2_C_NZ,
               .fieldoffset = offsetof(CPUARMState, cp15.vmpidr_el2) },
         };
         define_arm_cp_regs(cpu, vpidr_regs);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
                                    int crm, int opc1, int opc2,
                                    const char *name)
 {
+    CPUARMState *env = &cpu->env;
     uint32_t key;
     ARMCPRegInfo *r2;
     bool is64 = r->type & ARM_CP_64BIT;
     bool ns = secstate & ARM_CP_SECSTATE_NS;
     int cp = r->cp;
-    bool isbanked;
     size_t name_len;
+    bool make_const;
 
     switch (state) {
     case ARM_CP_STATE_AA32:
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         }
     }
 
+    /*
+     * Eliminate registers that are not present because the EL is missing.
+     * Doing this here makes it easier to put all registers for a given
+     * feature into the same ARMCPRegInfo array and define them all at once.
+     */
+    make_const = false;
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        /*
+         * An EL2 register without EL2 but with EL3 is (usually) RES0.
+         * See rule RJFFP in section D1.1.3 of DDI0487H.a.
+         */
+        int min_el = ctz32(r->access) / 2;
+        if (min_el == 2 && !arm_feature(env, ARM_FEATURE_EL2)) {
+            if (r->type & ARM_CP_EL3_NO_EL2_UNDEF) {
+                return;
+            }
+            make_const = !(r->type & ARM_CP_EL3_NO_EL2_KEEP);
+        }
+    } else {
+        CPAccessRights max_el = (arm_feature(env, ARM_FEATURE_EL2)
+                                 ? PL2_RW : PL1_RW);
+        if ((r->access & max_el) == 0) {
+            return;
+        }
+    }
+
     /* Combine cpreg and name into one allocation. */
     name_len = strlen(name) + 1;
     r2 = g_malloc(sizeof(*r2) + name_len);
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
         r2->opaque = opaque;
     }
 
-    isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
-    if (isbanked) {
+    if (make_const) {
+        /* This should not have been a very special register to begin. */
+        int old_special = r2->type & ARM_CP_SPECIAL_MASK;
+        assert(old_special == 0 || old_special == ARM_CP_NOP);
         /*
-         * Register is banked (using both entries in array).
-         * Overwriting fieldoffset as the array is only used to define
-         * banked registers but later only fieldoffset is used.
+         * Set the special function to CONST, retaining the other flags.
+         * This is important for e.g. ARM_CP_SVE so that we still
+         * take the SVE trap if CPTR_EL3.EZ == 0.
          */
-        r2->fieldoffset = r->bank_fieldoffsets[ns];
-    }
+        r2->type = (r2->type & ~ARM_CP_SPECIAL_MASK) | ARM_CP_CONST;
+        /*
+         * Usually, these registers become RES0, but there are a few
+         * special cases like VPIDR_EL2 which have a constant non-zero
+         * value with writes ignored.
+         */
+        if (!(r->type & ARM_CP_EL3_NO_EL2_C_NZ)) {
+            r2->resetvalue = 0;
+        }
+        /*
+         * ARM_CP_CONST has precedence, so removing the callbacks and
+         * offsets are not strictly necessary, but it is potentially
+         * less confusing to debug later.
+         */
+        r2->readfn = NULL;
+        r2->writefn = NULL;
+        r2->raw_readfn = NULL;
+        r2->raw_writefn = NULL;
+        r2->resetfn = NULL;
+        r2->fieldoffset = 0;
+        r2->bank_fieldoffsets[0] = 0;
+        r2->bank_fieldoffsets[1] = 0;
+    } else {
+        bool isbanked = r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1];
 
-    if (state == ARM_CP_STATE_AA32) {
         if (isbanked) {
             /*
-             * If the register is banked then we don't need to migrate or
-             * reset the 32-bit instance in certain cases:
-             *
-             * 1) If the register has both 32-bit and 64-bit instances then we
-             *    can count on the 64-bit instance taking care of the
-             *    non-secure bank.
-             * 2) If ARMv8 is enabled then we can count on a 64-bit version
-             *    taking care of the secure bank.  This requires that separate
-             *    32 and 64-bit definitions are provided.
+             * Register is banked (using both entries in array).
+             * Overwriting fieldoffset as the array is only used to define
+             * banked registers but later only fieldoffset is used.
              */
-            if ((r->state == ARM_CP_STATE_BOTH && ns) ||
-                (arm_feature(&cpu->env, ARM_FEATURE_V8) && !ns)) {
+            r2->fieldoffset = r->bank_fieldoffsets[ns];
+        }
+        if (state == ARM_CP_STATE_AA32) {
+            if (isbanked) {
+                /*
+                 * If the register is banked then we don't need to migrate or
+                 * reset the 32-bit instance in certain cases:
+                 *
+                 * 1) If the register has both 32-bit and 64-bit instances
+                 *    then we can count on the 64-bit instance taking care
+                 *    of the non-secure bank.
+                 * 2) If ARMv8 is enabled then we can count on a 64-bit
+                 *    version taking care of the secure bank.  This requires
+                 *    that separate 32 and 64-bit definitions are provided.
+                 */
+                if ((r->state == ARM_CP_STATE_BOTH && ns) ||
+                    (arm_feature(env, ARM_FEATURE_V8) && !ns)) {
+                    r2->type |= ARM_CP_ALIAS;
+                }
+            } else if ((secstate != r->secure) && !ns) {
+                /*
+                 * The register is not banked so we only want to allow
+                 * migration of the non-secure instance.
+                 */
                 r2->type |= ARM_CP_ALIAS;
             }
-        } else if ((secstate != r->secure) && !ns) {
-            /*
-             * The register is not banked so we only want to allow migration
-             * of the non-secure instance.
-             */
-            r2->type |= ARM_CP_ALIAS;
-        }
 
-        if (HOST_BIG_ENDIAN &&
-            r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
-            r2->fieldoffset += sizeof(uint32_t);
+            if (HOST_BIG_ENDIAN &&
+                r->state == ARM_CP_STATE_BOTH && r2->fieldoffset) {
+                r2->fieldoffset += sizeof(uint32_t);
+            }
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
      * multiple times. Special registers (ie NOP/WFI) are
      * never migratable and not even raw-accessible.
      */
-    if (r->type & ARM_CP_SPECIAL_MASK) {
+    if (r2->type & ARM_CP_SPECIAL_MASK) {
         r2->type |= ARM_CP_NO_RAW;
     }
     if (((r->crm == CP_ANY) && crm != 0) ||
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Drop el3_no_el2_cp_reginfo, el3_no_el2_v8_cp_reginfo, and the local
vpidr_regs definition, and rely on the squashing to ARM_CP_CONST
while registering for v8.

This is a behavior change for v7 cpus with Security Extensions and
without Virtualization Extensions, in that the virtualization cpregs
are now correctly not present.  This would be a migration compatibility
break, except that we have an existing bug in which migration of 32-bit
cpus with Security Extensions enabled does not work.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 158 ++++----------------------------------------
 1 file changed, 13 insertions(+), 145 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .fieldoffset = offsetoflow32(CPUARMState, cp15.mdcr_el3) },
 };
 
-/* Used to describe the behaviour of EL2 regs when EL2 does not exist.  */
-static const ARMCPRegInfo el3_no_el2_cp_reginfo[] = {
-    { .name = "VBAR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
-      .access = PL2_RW,
-      .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
-    { .name = "HCR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
-      .access = PL2_RW,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "HACR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 7,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "ESR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
-      .access = PL2_RW,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
-      .cp = 15, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "AMAIR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "HAMAIR1", .state = ARM_CP_STATE_AA32,
-      .cp = 15, .opc1 = 4, .crn = 10, .crm = 3, .opc2 = 1,
-      .access = PL2_RW, .type = ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "AFSR0_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "AFSR1_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 1, .opc2 = 1,
-      .access = PL2_RW, .type = ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "VTCR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,
-      .access = PL2_RW, .accessfn = access_el3_aa32ns,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "VTTBR", .state = ARM_CP_STATE_AA32,
-      .cp = 15, .opc1 = 6, .crm = 2,
-      .access = PL2_RW, .accessfn = access_el3_aa32ns,
-      .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-    { .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,
-      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "CNTHCTL_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 1, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CNTVOFF_EL2", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 0, .opc2 = 3,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CNTVOFF", .cp = 15, .opc1 = 4, .crm = 14,
-      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "CNTHP_CVAL_EL2", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 2,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CNTHP_CVAL", .cp = 15, .opc1 = 6, .crm = 14,
-      .access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_CONST,
-      .resetvalue = 0 },
-    { .name = "CNTHP_TVAL_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CNTHP_CTL_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 2, .opc2 = 1,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "MDCR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 1,
-      .access = PL2_RW, .accessfn = access_tda,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "HPFAR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 4,
-      .access = PL2_RW, .accessfn = access_el3_aa32ns,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "HSTR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 3,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "FAR_EL2", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0,
-      .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "HIFAR", .state = ARM_CP_STATE_AA32,
-      .type = ARM_CP_CONST,
-      .cp = 15, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 2,
-      .access = PL2_RW, .resetvalue = 0 },
-};
-
-/* Ditto, but for registers which exist in ARMv8 but not v7 */
-static const ARMCPRegInfo el3_no_el2_v8_cp_reginfo[] = {
-    { .name = "HCR2", .state = ARM_CP_STATE_AA32,
-      .cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 4,
-      .access = PL2_RW,
-      .type = ARM_CP_CONST, .resetvalue = 0 },
-};
-
 static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
 {
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_arm_cp_regs(cpu, v8_idregs);
         define_arm_cp_regs(cpu, v8_cp_reginfo);
     }
-    if (arm_feature(env, ARM_FEATURE_EL2)) {
+
+    /*
+     * Register the base EL2 cpregs.
+     * Pre v8, these registers are implemented only as part of the
+     * Virtualization Extensions (EL2 present).  Beginning with v8,
+     * if EL2 is missing but EL3 is enabled, mostly these become
+     * RES0 from EL3, with some specific exceptions.
+     */
+    if (arm_feature(env, ARM_FEATURE_EL2)
+        || (arm_feature(env, ARM_FEATURE_EL3)
+            && arm_feature(env, ARM_FEATURE_V8))) {
         uint64_t vmpidr_def = mpidr_read_val(env);
         ARMCPRegInfo vpidr_regs[] = {
             { .name = "VPIDR", .state = ARM_CP_STATE_AA32,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
             };
             define_one_arm_cp_reg(cpu, &rvbar);
         }
-    } else {
-        /* If EL2 is missing but higher ELs are enabled, we need to
-         * register the no_el2 reginfos.
-         */
-        if (arm_feature(env, ARM_FEATURE_EL3)) {
-            /* When EL3 exists but not EL2, VPIDR and VMPIDR take the value
-             * of MIDR_EL1 and MPIDR_EL1.
-             */
-            ARMCPRegInfo vpidr_regs[] = {
-                { .name = "VPIDR_EL2", .state = ARM_CP_STATE_BOTH,
-                  .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 0,
-                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
-                  .type = ARM_CP_CONST, .resetvalue = cpu->midr,
-                  .fieldoffset = offsetof(CPUARMState, cp15.vpidr_el2) },
-                { .name = "VMPIDR_EL2", .state = ARM_CP_STATE_BOTH,
-                  .opc0 = 3, .opc1 = 4, .crn = 0, .crm = 0, .opc2 = 5,
-                  .access = PL2_RW, .accessfn = access_el3_aa32ns,
-                  .type = ARM_CP_NO_RAW,
-                  .writefn = arm_cp_write_ignore, .readfn = mpidr_read },
-            };
-            define_arm_cp_regs(cpu, vpidr_regs);
-            define_arm_cp_regs(cpu, el3_no_el2_cp_reginfo);
-            if (arm_feature(env, ARM_FEATURE_V8)) {
-                define_arm_cp_regs(cpu, el3_no_el2_v8_cp_reginfo);
-            }
-        }
     }
+
+    /* Register the base EL3 cpregs. */
     if (arm_feature(env, ARM_FEATURE_EL3)) {
         define_arm_cp_regs(cpu, el3_cp_reginfo);
         ARMCPRegInfo el3_regs[] = {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Drop zcr_no_el2_reginfo and merge the 3 registers into one array,
now that ZCR_EL2 can be squashed to RES0 and ZCR_EL3 dropped
while registering.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 55 ++++++++++++++-------------------------------
 1 file changed, 17 insertions(+), 38 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void zcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     }
 }
 
-static const ARMCPRegInfo zcr_el1_reginfo = {
-    .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
-    .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL1_RW, .type = ARM_CP_SVE,
-    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
-    .writefn = zcr_write, .raw_writefn = raw_write
-};
-
-static const ARMCPRegInfo zcr_el2_reginfo = {
-    .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
-    .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW, .type = ARM_CP_SVE,
-    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
-    .writefn = zcr_write, .raw_writefn = raw_write
-};
-
-static const ARMCPRegInfo zcr_no_el2_reginfo = {
-    .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
-    .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL2_RW, .type = ARM_CP_SVE,
-    .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore
-};
-
-static const ARMCPRegInfo zcr_el3_reginfo = {
-    .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
-    .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
-    .access = PL3_RW, .type = ARM_CP_SVE,
-    .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
-    .writefn = zcr_write, .raw_writefn = raw_write
+static const ARMCPRegInfo zcr_reginfo[] = {
+    { .name = "ZCR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 2, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_SVE,
+      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[1]),
+      .writefn = zcr_write, .raw_writefn = raw_write },
+    { .name = "ZCR_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 2, .opc2 = 0,
+      .access = PL2_RW, .type = ARM_CP_SVE,
+      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[2]),
+      .writefn = zcr_write, .raw_writefn = raw_write },
+    { .name = "ZCR_EL3", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 2, .opc2 = 0,
+      .access = PL3_RW, .type = ARM_CP_SVE,
+      .fieldoffset = offsetof(CPUARMState, vfp.zcr_el[3]),
+      .writefn = zcr_write, .raw_writefn = raw_write },
 };
 
 void hw_watchpoint_update(ARMCPU *cpu, int n)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     }
 
     if (cpu_isar_feature(aa64_sve, cpu)) {
-        define_one_arm_cp_reg(cpu, &zcr_el1_reginfo);
-        if (arm_feature(env, ARM_FEATURE_EL2)) {
-            define_one_arm_cp_reg(cpu, &zcr_el2_reginfo);
-        } else {
-            define_one_arm_cp_reg(cpu, &zcr_no_el2_reginfo);
-        }
-        if (arm_feature(env, ARM_FEATURE_EL3)) {
-            define_one_arm_cp_reg(cpu, &zcr_el3_reginfo);
-        }
+        define_arm_cp_regs(cpu, zcr_reginfo);
     }
 
 #ifdef TARGET_AARCH64
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This register is present for either VHE or Debugv8p2.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo jazelle_regs[] = {
       .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
 };
 
+static const ARMCPRegInfo contextidr_el2 = {
+    .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64,
+    .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1,
+    .access = PL2_RW,
+    .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2])
+};
+
 static const ARMCPRegInfo vhe_reginfo[] = {
-    { .name = "CONTEXTIDR_EL2", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 1,
-      .access = PL2_RW,
-      .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[2]) },
     { .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,
       .access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_one_arm_cp_reg(cpu, &ssbs_reginfo);
     }
 
+    if (cpu_isar_feature(aa64_vh, cpu) ||
+        cpu_isar_feature(aa64_debugv8p2, cpu)) {
+        define_one_arm_cp_reg(cpu, &contextidr_el2);
+    }
     if (arm_feature(env, ARM_FEATURE_EL2) && cpu_isar_feature(aa64_vh, cpu)) {
         define_arm_cp_regs(cpu, vhe_reginfo);
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Previously we were defining some of these in user-only mode,
but none of them are accessible from user-only, therefore
define them only in system mode.

This will shortly be used from cpu_tcg.c also.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |  6 ++++
 target/arm/cpu64.c     | 64 +++---------------------------------------
 target/arm/cpu_tcg.c   | 59 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+), 60 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ int aarch64_fpu_gdb_get_reg(CPUARMState *env, GByteArray *buf, int reg);
 int aarch64_fpu_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg);
 #endif
 
+#ifdef CONFIG_USER_ONLY
+static inline void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { }
+#else
+void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu);
+#endif
+
 #endif
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@
 #include "hvf_arm.h"
 #include "qapi/visitor.h"
 #include "hw/qdev-properties.h"
-#include "cpregs.h"
+#include "internals.h"
 
 
-#ifndef CONFIG_USER_ONLY
-static uint64_t a57_a53_l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
-{
-    ARMCPU *cpu = env_archcpu(env);
-
-    /* Number of cores is in [25:24]; otherwise we RAZ */
-    return (cpu->core_count - 1) << 24;
-}
-#endif
-
-static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
-#ifndef CONFIG_USER_ONLY
-    { .name = "L2CTLR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 2,
-      .access = PL1_RW, .readfn = a57_a53_l2ctlr_read,
-      .writefn = arm_cp_write_ignore },
-    { .name = "L2CTLR",
-      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 2,
-      .access = PL1_RW, .readfn = a57_a53_l2ctlr_read,
-      .writefn = arm_cp_write_ignore },
-#endif
-    { .name = "L2ECTLR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 3,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "L2ECTLR",
-      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 3,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "L2ACTLR", .state = ARM_CP_STATE_BOTH,
-      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 0, .opc2 = 0,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 0,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CPUACTLR",
-      .cp = 15, .opc1 = 0, .crm = 15,
-      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-    { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 1,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CPUECTLR",
-      .cp = 15, .opc1 = 1, .crm = 15,
-      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-    { .name = "CPUMERRSR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 2,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "CPUMERRSR",
-      .cp = 15, .opc1 = 2, .crm = 15,
-      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-    { .name = "L2MERRSR_EL1", .state = ARM_CP_STATE_AA64,
-      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 3,
-      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
-    { .name = "L2MERRSR",
-      .cp = 15, .opc1 = 3, .crm = 15,
-      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
-};
-
 static void aarch64_a57_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
@@ -XXX,XX +XXX,XX @@ static void aarch64_a57_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
-    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
 }
 
 static void aarch64_a53_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void aarch64_a53_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
-    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
 }
 
 static void aarch64_a72_initfn(Object *obj)
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     cpu->gic_num_lrs = 4;
     cpu->gic_vpribits = 5;
     cpu->gic_vprebits = 5;
-    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
 }
 
 void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
 #endif
 #include "cpregs.h"
 
+#ifndef CONFIG_USER_ONLY
+static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    ARMCPU *cpu = env_archcpu(env);
+
+    /* Number of cores is in [25:24]; otherwise we RAZ */
+    return (cpu->core_count - 1) << 24;
+}
+
+static const ARMCPRegInfo cortex_a72_a57_a53_cp_reginfo[] = {
+    { .name = "L2CTLR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 2,
+      .access = PL1_RW, .readfn = l2ctlr_read,
+      .writefn = arm_cp_write_ignore },
+    { .name = "L2CTLR",
+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 2,
+      .access = PL1_RW, .readfn = l2ctlr_read,
+      .writefn = arm_cp_write_ignore },
+    { .name = "L2ECTLR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 11, .crm = 0, .opc2 = 3,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "L2ECTLR",
+      .cp = 15, .opc1 = 1, .crn = 9, .crm = 0, .opc2 = 3,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "L2ACTLR", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 0, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "CPUACTLR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 0,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "CPUACTLR",
+      .cp = 15, .opc1 = 0, .crm = 15,
+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+    { .name = "CPUECTLR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 1,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "CPUECTLR",
+      .cp = 15, .opc1 = 1, .crm = 15,
+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+    { .name = "CPUMERRSR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 2,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "CPUMERRSR",
+      .cp = 15, .opc1 = 2, .crm = 15,
+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+    { .name = "L2MERRSR_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 2, .opc2 = 3,
+      .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "L2MERRSR",
+      .cp = 15, .opc1 = 3, .crm = 15,
+      .access = PL1_RW, .type = ARM_CP_CONST | ARM_CP_64BIT, .resetvalue = 0 },
+};
+
+void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu)
+{
+    define_arm_cp_regs(cpu, cortex_a72_a57_a53_cp_reginfo);
+}
+#endif /* !CONFIG_USER_ONLY */
+
 /* CPU models. These are not needed for the AArch64 linux-user build. */
 #if !defined(CONFIG_USER_ONLY) || !defined(TARGET_AARCH64)
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Instead of starting with cortex-a15 and adding v8 features to
a v7 cpu, begin with a v8 cpu stripped of its aarch64 features.
This fixes the long-standing to-do where we only enabled v8
features for user-only.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu_tcg.c | 151 ++++++++++++++++++++++++++-----------------
 1 file changed, 92 insertions(+), 59 deletions(-)

diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static void arm_v7m_class_init(ObjectClass *oc, void *data)
 static void arm_max_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
+    uint32_t t;
 
-    cortex_a15_initfn(obj);
+    /* aarch64_a57_initfn, advertising none of the aarch64 features */
+    cpu->dtb_compatible = "arm,cortex-a57";
+    set_feature(&cpu->env, ARM_FEATURE_V8);
+    set_feature(&cpu->env, ARM_FEATURE_NEON);
+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
+    set_feature(&cpu->env, ARM_FEATURE_EL2);
+    set_feature(&cpu->env, ARM_FEATURE_EL3);
+    set_feature(&cpu->env, ARM_FEATURE_PMU);
+    cpu->midr = 0x411fd070;
+    cpu->revidr = 0x00000000;
+    cpu->reset_fpsid = 0x41034070;
+    cpu->isar.mvfr0 = 0x10110222;
+    cpu->isar.mvfr1 = 0x12111111;
+    cpu->isar.mvfr2 = 0x00000043;
+    cpu->ctr = 0x8444c004;
+    cpu->reset_sctlr = 0x00c50838;
+    cpu->isar.id_pfr0 = 0x00000131;
+    cpu->isar.id_pfr1 = 0x00011011;
+    cpu->isar.id_dfr0 = 0x03010066;
+    cpu->id_afr0 = 0x00000000;
+    cpu->isar.id_mmfr0 = 0x10101105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02102211;
+    cpu->isar.id_isar0 = 0x02101110;
+    cpu->isar.id_isar1 = 0x13112111;
+    cpu->isar.id_isar2 = 0x21232042;
+    cpu->isar.id_isar3 = 0x01112131;
+    cpu->isar.id_isar4 = 0x00011142;
+    cpu->isar.id_isar5 = 0x00011121;
+    cpu->isar.id_isar6 = 0;
+    cpu->isar.dbgdidr = 0x3516d000;
+    cpu->clidr = 0x0a200023;
+    cpu->ccsidr[0] = 0x701fe00a; /* 32KB L1 dcache */
+    cpu->ccsidr[1] = 0x201fe012; /* 48KB L1 icache */
+    cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
+    define_cortex_a72_a57_a53_cp_reginfo(cpu);
 
-    /* old-style VFP short-vector support */
-    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+    /* Add additional features supported by QEMU */
+    t = cpu->isar.id_isar5;
+    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
+    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
+    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
+    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
+    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
+    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
+    cpu->isar.id_isar5 = t;
+
+    t = cpu->isar.id_isar6;
+    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
+    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
+    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
+    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
+    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
+    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
+    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
+    cpu->isar.id_isar6 = t;
+
+    t = cpu->isar.mvfr1;
+    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
+    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
+    cpu->isar.mvfr1 = t;
+
+    t = cpu->isar.mvfr2;
+    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
+    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
+    cpu->isar.mvfr2 = t;
+
+    t = cpu->isar.id_mmfr3;
+    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
+    cpu->isar.id_mmfr3 = t;
+
+    t = cpu->isar.id_mmfr4;
+    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
+    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
+    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
+    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
+    cpu->isar.id_mmfr4 = t;
+
+    t = cpu->isar.id_pfr0;
+    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
+    cpu->isar.id_pfr0 = t;
+
+    t = cpu->isar.id_pfr2;
+    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
+    cpu->isar.id_pfr2 = t;
 
 #ifdef CONFIG_USER_ONLY
     /*
-     * We don't set these in system emulation mode for the moment,
-     * since we don't correctly set (all of) the ID registers to
-     * advertise them.
+     * Break with true ARMv8 and add back old-style VFP short-vector support.
+     * Only do this for user-mode, where -cpu max is the default, so that
+     * older v6 and v7 programs are more likely to work without adjustment.
      */
-    set_feature(&cpu->env, ARM_FEATURE_V8);
-    {
-        uint32_t t;
-
-        t = cpu->isar.id_isar5;
-        t = FIELD_DP32(t, ID_ISAR5, AES, 2);
-        t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
-        t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
-        t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
-        t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
-        t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
-        cpu->isar.id_isar5 = t;
-
-        t = cpu->isar.id_isar6;
-        t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
-        t = FIELD_DP32(t, ID_ISAR6, DP, 1);
-        t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
-        t = FIELD_DP32(t, ID_ISAR6, SB, 1);
-        t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
-        t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
-        t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
-        cpu->isar.id_isar6 = t;
-
-        t = cpu->isar.mvfr1;
-        t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
-        t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
-        cpu->isar.mvfr1 = t;
-
-        t = cpu->isar.mvfr2;
-        t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-        t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-        cpu->isar.mvfr2 = t;
-
-        t = cpu->isar.id_mmfr3;
-        t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
-        cpu->isar.id_mmfr3 = t;
-
-        t = cpu->isar.id_mmfr4;
-        t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
-        t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
-        t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
-        t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
-        cpu->isar.id_mmfr4 = t;
-
-        t = cpu->isar.id_pfr0;
-        t = FIELD_DP32(t, ID_PFR0, DIT, 1);
-        cpu->isar.id_pfr0 = t;
-
-        t = cpu->isar.id_pfr2;
-        t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
-        cpu->isar.id_pfr2 = t;
-    }
-#endif /* CONFIG_USER_ONLY */
+    cpu->isar.mvfr0 = FIELD_DP32(cpu->isar.mvfr0, MVFR0, FPSHVEC, 1);
+#endif
 }
 #endif /* !TARGET_AARCH64 */
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We set this for qemu-system-aarch64, but failed to do so
for the strictly 32-bit emulation.

Fixes: 3bec78447a9 ("target/arm: Provide ARMv8.4-PMU in '-cpu max'")
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu_tcg.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
     t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
     cpu->isar.id_pfr2 = t;
 
+    t = cpu->isar.id_dfr0;
+    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
+    cpu->isar.id_dfr0 = t;
+
 #ifdef CONFIG_USER_ONLY
     /*
      * Break with true ARMv8 and add back old-style VFP short-vector support.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Share the code to set AArch32 max features so that we no
longer have code drift between qemu{-system,}-{arm,aarch64}.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/internals.h |   2 +
 target/arm/cpu64.c     |  50 +-----------------
 target/arm/cpu_tcg.c   | 114 ++++++++++++++++++++++-------------------
 3 files changed, 65 insertions(+), 101 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ static inline void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu) { }
 void define_cortex_a72_a57_a53_cp_reginfo(ARMCPU *cpu);
 #endif
 
+void aa32_max_features(ARMCPU *cpu);
+
 #endif
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
     uint64_t t;
-    uint32_t u;
 
     if (kvm_enabled() || hvf_enabled()) {
         /* With KVM or HVF, '-cpu max' is identical to '-cpu host' */
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);
     cpu->isar.id_aa64zfr0 = t;
 
-    /* Replicate the same data to the 32-bit id registers.  */
-    u = cpu->isar.id_isar5;
-    u = FIELD_DP32(u, ID_ISAR5, AES, 2); /* AES + PMULL */
-    u = FIELD_DP32(u, ID_ISAR5, SHA1, 1);
-    u = FIELD_DP32(u, ID_ISAR5, SHA2, 1);
-    u = FIELD_DP32(u, ID_ISAR5, CRC32, 1);
-    u = FIELD_DP32(u, ID_ISAR5, RDM, 1);
-    u = FIELD_DP32(u, ID_ISAR5, VCMA, 1);
-    cpu->isar.id_isar5 = u;
-
-    u = cpu->isar.id_isar6;
-    u = FIELD_DP32(u, ID_ISAR6, JSCVT, 1);
-    u = FIELD_DP32(u, ID_ISAR6, DP, 1);
-    u = FIELD_DP32(u, ID_ISAR6, FHM, 1);
-    u = FIELD_DP32(u, ID_ISAR6, SB, 1);
-    u = FIELD_DP32(u, ID_ISAR6, SPECRES, 1);
-    u = FIELD_DP32(u, ID_ISAR6, BF16, 1);
-    u = FIELD_DP32(u, ID_ISAR6, I8MM, 1);
-    cpu->isar.id_isar6 = u;
-
-    u = cpu->isar.id_pfr0;
-    u = FIELD_DP32(u, ID_PFR0, DIT, 1);
-    cpu->isar.id_pfr0 = u;
-
-    u = cpu->isar.id_pfr2;
-    u = FIELD_DP32(u, ID_PFR2, SSBS, 1);
-    cpu->isar.id_pfr2 = u;
-
-    u = cpu->isar.id_mmfr3;
-    u = FIELD_DP32(u, ID_MMFR3, PAN, 2); /* ATS1E1 */
-    cpu->isar.id_mmfr3 = u;
-
-    u = cpu->isar.id_mmfr4;
-    u = FIELD_DP32(u, ID_MMFR4, HPDS, 1); /* AA32HPD */
-    u = FIELD_DP32(u, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
-    u = FIELD_DP32(u, ID_MMFR4, CNP, 1); /* TTCNP */
-    u = FIELD_DP32(u, ID_MMFR4, XNX, 1); /* TTS2UXN */
-    cpu->isar.id_mmfr4 = u;
-
     t = cpu->isar.id_aa64dfr0;
     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
     cpu->isar.id_aa64dfr0 = t;
 
-    u = cpu->isar.id_dfr0;
-    u = FIELD_DP32(u, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
-    cpu->isar.id_dfr0 = u;
-
-    u = cpu->isar.mvfr1;
-    u = FIELD_DP32(u, MVFR1, FPHP, 3);      /* v8.2-FP16 */
-    u = FIELD_DP32(u, MVFR1, SIMDHP, 2);    /* v8.2-FP16 */
-    cpu->isar.mvfr1 = u;
+    /* Replicate the same data to the 32-bit id registers.  */
+    aa32_max_features(cpu);
 
 #ifdef CONFIG_USER_ONLY
     /*
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@
 #endif
 #include "cpregs.h"
 
+
+/* Share AArch32 -cpu max features with AArch64. */
+void aa32_max_features(ARMCPU *cpu)
+{
+    uint32_t t;
+
+    /* Add additional features supported by QEMU */
+    t = cpu->isar.id_isar5;
+    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
+    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
+    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
+    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
+    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
+    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
+    cpu->isar.id_isar5 = t;
+
+    t = cpu->isar.id_isar6;
+    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
+    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
+    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
+    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
+    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
+    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
+    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
+    cpu->isar.id_isar6 = t;
+
+    t = cpu->isar.mvfr1;
+    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
+    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
+    cpu->isar.mvfr1 = t;
+
+    t = cpu->isar.mvfr2;
+    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
+    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
+    cpu->isar.mvfr2 = t;
+
+    t = cpu->isar.id_mmfr3;
+    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
+    cpu->isar.id_mmfr3 = t;
+
+    t = cpu->isar.id_mmfr4;
+    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
+    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
+    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
+    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
+    cpu->isar.id_mmfr4 = t;
+
+    t = cpu->isar.id_pfr0;
+    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
+    cpu->isar.id_pfr0 = t;
+
+    t = cpu->isar.id_pfr2;
+    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
+    cpu->isar.id_pfr2 = t;
+
+    t = cpu->isar.id_dfr0;
+    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
+    cpu->isar.id_dfr0 = t;
+}
+
 #ifndef CONFIG_USER_ONLY
 static uint64_t l2ctlr_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
@@ -XXX,XX +XXX,XX @@ static void arm_v7m_class_init(ObjectClass *oc, void *data)
 static void arm_max_initfn(Object *obj)
 {
     ARMCPU *cpu = ARM_CPU(obj);
-    uint32_t t;
 
     /* aarch64_a57_initfn, advertising none of the aarch64 features */
     cpu->dtb_compatible = "arm,cortex-a57";
@@ -XXX,XX +XXX,XX @@ static void arm_max_initfn(Object *obj)
     cpu->ccsidr[2] = 0x70ffe07a; /* 2048KB L2 cache */
     define_cortex_a72_a57_a53_cp_reginfo(cpu);
 
-    /* Add additional features supported by QEMU */
-    t = cpu->isar.id_isar5;
-    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
-    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
-    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
-    t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
-    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
-    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
-    cpu->isar.id_isar5 = t;
-
-    t = cpu->isar.id_isar6;
-    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
-    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
-    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
-    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
-    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
-    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
-    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
-    cpu->isar.id_isar6 = t;
-
-    t = cpu->isar.mvfr1;
-    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
-    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
-    cpu->isar.mvfr1 = t;
-
-    t = cpu->isar.mvfr2;
-    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
-    cpu->isar.mvfr2 = t;
-
-    t = cpu->isar.id_mmfr3;
-    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
-    cpu->isar.id_mmfr3 = t;
-
-    t = cpu->isar.id_mmfr4;
-    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
-    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
-    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
-    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
-    cpu->isar.id_mmfr4 = t;
-
-    t = cpu->isar.id_pfr0;
-    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
-    cpu->isar.id_pfr0 = t;
-
-    t = cpu->isar.id_pfr2;
-    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
-    cpu->isar.id_pfr2 = t;
-
-    t = cpu->isar.id_dfr0;
-    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
-    cpu->isar.id_dfr0 = t;
+    aa32_max_features(cpu);
 
 #ifdef CONFIG_USER_ONLY
     /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Update the legacy feature names to the current names.
Provide feature names for id changes that were not marked.
Sort the field updates into increasing bitfield order.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu64.c   | 100 +++++++++++++++++++++----------------------
 target/arm/cpu_tcg.c |  48 ++++++++++-----------
 2 files changed, 74 insertions(+), 74 deletions(-)

diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     cpu->midr = t;
 
     t = cpu->isar.id_aa64isar0;
-    t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2); /* AES + PMULL */
-    t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, SHA2, 2); /* SHA512 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, AES, 2);      /* FEAT_PMULL */
+    t = FIELD_DP64(t, ID_AA64ISAR0, SHA1, 1);     /* FEAT_SHA1 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, SHA2, 2);     /* FEAT_SHA512 */
     t = FIELD_DP64(t, ID_AA64ISAR0, CRC32, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, ATOMIC, 2);
-    t = FIELD_DP64(t, ID_AA64ISAR0, RDM, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, SHA3, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, SM3, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, SM4, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2); /* v8.5-CondM */
-    t = FIELD_DP64(t, ID_AA64ISAR0, TLB, 2); /* FEAT_TLBIRANGE */
-    t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1);
+    t = FIELD_DP64(t, ID_AA64ISAR0, ATOMIC, 2);   /* FEAT_LSE */
+    t = FIELD_DP64(t, ID_AA64ISAR0, RDM, 1);      /* FEAT_RDM */
+    t = FIELD_DP64(t, ID_AA64ISAR0, SHA3, 1);     /* FEAT_SHA3 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, SM3, 1);      /* FEAT_SM3 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, SM4, 1);      /* FEAT_SM4 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, DP, 1);       /* FEAT_DotProd */
+    t = FIELD_DP64(t, ID_AA64ISAR0, FHM, 1);      /* FEAT_FHM */
+    t = FIELD_DP64(t, ID_AA64ISAR0, TS, 2);       /* FEAT_FlagM2 */
+    t = FIELD_DP64(t, ID_AA64ISAR0, TLB, 2);      /* FEAT_TLBIRANGE */
+    t = FIELD_DP64(t, ID_AA64ISAR0, RNDR, 1);     /* FEAT_RNG */
     cpu->isar.id_aa64isar0 = t;
 
     t = cpu->isar.id_aa64isar1;
-    t = FIELD_DP64(t, ID_AA64ISAR1, DPB, 2);
-    t = FIELD_DP64(t, ID_AA64ISAR1, JSCVT, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, FCMA, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, SB, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, SPECRES, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, BF16, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, FRINTTS, 1);
-    t = FIELD_DP64(t, ID_AA64ISAR1, LRCPC, 2); /* ARMv8.4-RCPC */
-    t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);
+    t = FIELD_DP64(t, ID_AA64ISAR1, DPB, 2);      /* FEAT_DPB2 */
+    t = FIELD_DP64(t, ID_AA64ISAR1, JSCVT, 1);    /* FEAT_JSCVT */
+    t = FIELD_DP64(t, ID_AA64ISAR1, FCMA, 1);     /* FEAT_FCMA */
+    t = FIELD_DP64(t, ID_AA64ISAR1, LRCPC, 2);    /* FEAT_LRCPC2 */
+    t = FIELD_DP64(t, ID_AA64ISAR1, FRINTTS, 1);  /* FEAT_FRINTTS */
+    t = FIELD_DP64(t, ID_AA64ISAR1, SB, 1);       /* FEAT_SB */
+    t = FIELD_DP64(t, ID_AA64ISAR1, SPECRES, 1);  /* FEAT_SPECRES */
+    t = FIELD_DP64(t, ID_AA64ISAR1, BF16, 1);     /* FEAT_BF16 */
+    t = FIELD_DP64(t, ID_AA64ISAR1, I8MM, 1);     /* FEAT_I8MM */
     cpu->isar.id_aa64isar1 = t;
 
     t = cpu->isar.id_aa64pfr0;
+    t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);        /* FEAT_FP16 */
+    t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);   /* FEAT_FP16 */
     t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
-    t = FIELD_DP64(t, ID_AA64PFR0, FP, 1);
-    t = FIELD_DP64(t, ID_AA64PFR0, ADVSIMD, 1);
-    t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);
-    t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);
+    t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
+    t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
     cpu->isar.id_aa64pfr0 = t;
 
     t = cpu->isar.id_aa64pfr1;
-    t = FIELD_DP64(t, ID_AA64PFR1, BT, 1);
-    t = FIELD_DP64(t, ID_AA64PFR1, SSBS, 2);
+    t = FIELD_DP64(t, ID_AA64PFR1, BT, 1);        /* FEAT_BTI */
+    t = FIELD_DP64(t, ID_AA64PFR1, SSBS, 2);      /* FEAT_SSBS2 */
     /*
      * Begin with full support for MTE. This will be downgraded to MTE=0
      * during realize if the board provides no tag memory, much like
      * we do for EL2 with the virtualization=on property.
      */
-    t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);
+    t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
     cpu->isar.id_aa64pfr1 = t;
 
     t = cpu->isar.id_aa64mmfr0;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     cpu->isar.id_aa64mmfr0 = t;
 
     t = cpu->isar.id_aa64mmfr1;
-    t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1); /* HPD */
-    t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);
-    t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);
-    t = FIELD_DP64(t, ID_AA64MMFR1, PAN, 2); /* ATS1E1 */
-    t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* VMID16 */
-    t = FIELD_DP64(t, ID_AA64MMFR1, XNX, 1); /* TTS2UXN */
+    t = FIELD_DP64(t, ID_AA64MMFR1, VMIDBITS, 2); /* FEAT_VMID16 */
+    t = FIELD_DP64(t, ID_AA64MMFR1, VH, 1);       /* FEAT_VHE */
+    t = FIELD_DP64(t, ID_AA64MMFR1, HPDS, 1);     /* FEAT_HPDS */
+    t = FIELD_DP64(t, ID_AA64MMFR1, LO, 1);       /* FEAT_LOR */
+    t = FIELD_DP64(t, ID_AA64MMFR1, PAN, 2);      /* FEAT_PAN2 */
+    t = FIELD_DP64(t, ID_AA64MMFR1, XNX, 1);      /* FEAT_XNX */
     cpu->isar.id_aa64mmfr1 = t;
 
     t = cpu->isar.id_aa64mmfr2;
-    t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);
-    t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1); /* TTCNP */
-    t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1); /* TTST */
-    t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1); /* FEAT_LVA */
-    t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1); /* FEAT_TTL */
-    t = FIELD_DP64(t, ID_AA64MMFR2, BBM, 2); /* FEAT_BBM at level 2 */
+    t = FIELD_DP64(t, ID_AA64MMFR2, CNP, 1);      /* FEAT_TTCNP */
+    t = FIELD_DP64(t, ID_AA64MMFR2, UAO, 1);      /* FEAT_UAO */
+    t = FIELD_DP64(t, ID_AA64MMFR2, VARANGE, 1);  /* FEAT_LVA */
+    t = FIELD_DP64(t, ID_AA64MMFR2, ST, 1);       /* FEAT_TTST */
+    t = FIELD_DP64(t, ID_AA64MMFR2, TTL, 1);      /* FEAT_TTL */
+    t = FIELD_DP64(t, ID_AA64MMFR2, BBM, 2);      /* FEAT_BBM at level 2 */
     cpu->isar.id_aa64mmfr2 = t;
 
     t = cpu->isar.id_aa64zfr0;
     t = FIELD_DP64(t, ID_AA64ZFR0, SVEVER, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, AES, 2);  /* PMULL */
-    t = FIELD_DP64(t, ID_AA64ZFR0, BITPERM, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, BFLOAT16, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, SHA3, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, SM4, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, I8MM, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, F32MM, 1);
-    t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);
+    t = FIELD_DP64(t, ID_AA64ZFR0, AES, 2);       /* FEAT_SVE_PMULL128 */
+    t = FIELD_DP64(t, ID_AA64ZFR0, BITPERM, 1);   /* FEAT_SVE_BitPerm */
+    t = FIELD_DP64(t, ID_AA64ZFR0, BFLOAT16, 1);  /* FEAT_BF16 */
+    t = FIELD_DP64(t, ID_AA64ZFR0, SHA3, 1);      /* FEAT_SVE_SHA3 */
+    t = FIELD_DP64(t, ID_AA64ZFR0, SM4, 1);       /* FEAT_SVE_SM4 */
+    t = FIELD_DP64(t, ID_AA64ZFR0, I8MM, 1);      /* FEAT_I8MM */
+    t = FIELD_DP64(t, ID_AA64ZFR0, F32MM, 1);     /* FEAT_F32MM */
+    t = FIELD_DP64(t, ID_AA64ZFR0, F64MM, 1);     /* FEAT_F64MM */
     cpu->isar.id_aa64zfr0 = t;
 
     t = cpu->isar.id_aa64dfr0;
-    t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5); /* v8.4-PMU */
+    t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
     cpu->isar.id_aa64dfr0 = t;
 
     /* Replicate the same data to the 32-bit id registers.  */
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ void aa32_max_features(ARMCPU *cpu)
 
     /* Add additional features supported by QEMU */
     t = cpu->isar.id_isar5;
-    t = FIELD_DP32(t, ID_ISAR5, AES, 2);
-    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);
-    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);
+    t = FIELD_DP32(t, ID_ISAR5, AES, 2);          /* FEAT_PMULL */
+    t = FIELD_DP32(t, ID_ISAR5, SHA1, 1);         /* FEAT_SHA1 */
+    t = FIELD_DP32(t, ID_ISAR5, SHA2, 1);         /* FEAT_SHA256 */
     t = FIELD_DP32(t, ID_ISAR5, CRC32, 1);
-    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);
-    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);
+    t = FIELD_DP32(t, ID_ISAR5, RDM, 1);          /* FEAT_RDM */
+    t = FIELD_DP32(t, ID_ISAR5, VCMA, 1);         /* FEAT_FCMA */
     cpu->isar.id_isar5 = t;
 
     t = cpu->isar.id_isar6;
-    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);
-    t = FIELD_DP32(t, ID_ISAR6, DP, 1);
-    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);
-    t = FIELD_DP32(t, ID_ISAR6, SB, 1);
-    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);
-    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);
-    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);
+    t = FIELD_DP32(t, ID_ISAR6, JSCVT, 1);        /* FEAT_JSCVT */
+    t = FIELD_DP32(t, ID_ISAR6, DP, 1);           /* Feat_DotProd */
+    t = FIELD_DP32(t, ID_ISAR6, FHM, 1);          /* FEAT_FHM */
+    t = FIELD_DP32(t, ID_ISAR6, SB, 1);           /* FEAT_SB */
+    t = FIELD_DP32(t, ID_ISAR6, SPECRES, 1);      /* FEAT_SPECRES */
+    t = FIELD_DP32(t, ID_ISAR6, BF16, 1);         /* FEAT_AA32BF16 */
+    t = FIELD_DP32(t, ID_ISAR6, I8MM, 1);         /* FEAT_AA32I8MM */
     cpu->isar.id_isar6 = t;
 
     t = cpu->isar.mvfr1;
-    t = FIELD_DP32(t, MVFR1, FPHP, 3);     /* v8.2-FP16 */
-    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);   /* v8.2-FP16 */
+    t = FIELD_DP32(t, MVFR1, FPHP, 3);            /* FEAT_FP16 */
+    t = FIELD_DP32(t, MVFR1, SIMDHP, 2);          /* FEAT_FP16 */
     cpu->isar.mvfr1 = t;
 
     t = cpu->isar.mvfr2;
-    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3); /* SIMD MaxNum */
-    t = FIELD_DP32(t, MVFR2, FPMISC, 4);   /* FP MaxNum */
+    t = FIELD_DP32(t, MVFR2, SIMDMISC, 3);        /* SIMD MaxNum */
+    t = FIELD_DP32(t, MVFR2, FPMISC, 4);          /* FP MaxNum */
     cpu->isar.mvfr2 = t;
 
     t = cpu->isar.id_mmfr3;
-    t = FIELD_DP32(t, ID_MMFR3, PAN, 2); /* ATS1E1 */
+    t = FIELD_DP32(t, ID_MMFR3, PAN, 2);          /* FEAT_PAN2 */
     cpu->isar.id_mmfr3 = t;
 
     t = cpu->isar.id_mmfr4;
-    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1); /* AA32HPD */
-    t = FIELD_DP32(t, ID_MMFR4, AC2, 1); /* ACTLR2, HACTLR2 */
-    t = FIELD_DP32(t, ID_MMFR4, CNP, 1); /* TTCNP */
-    t = FIELD_DP32(t, ID_MMFR4, XNX, 1); /* TTS2UXN */
+    t = FIELD_DP32(t, ID_MMFR4, HPDS, 1);         /* FEAT_AA32HPD */
+    t = FIELD_DP32(t, ID_MMFR4, AC2, 1);          /* ACTLR2, HACTLR2 */
+    t = FIELD_DP32(t, ID_MMFR4, CNP, 1);          /* FEAT_TTCNP */
+    t = FIELD_DP32(t, ID_MMFR4, XNX, 1);          /* FEAT_XNX*/
     cpu->isar.id_mmfr4 = t;
 
     t = cpu->isar.id_pfr0;
-    t = FIELD_DP32(t, ID_PFR0, DIT, 1);
+    t = FIELD_DP32(t, ID_PFR0, DIT, 1);           /* FEAT_DIT */
     cpu->isar.id_pfr0 = t;
 
     t = cpu->isar.id_pfr2;
-    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);
+    t = FIELD_DP32(t, ID_PFR2, SSBS, 1);          /* FEAT_SSBS */
     cpu->isar.id_pfr2 = t;
 
     t = cpu->isar.id_dfr0;
-    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5); /* v8.4-PMU */
+    t = FIELD_DP32(t, ID_DFR0, PERFMON, 5);       /* FEAT_PMUv3p4 */
     cpu->isar.id_dfr0 = t;
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Use FIELD_DP{32,64} to manipulate id_pfr1 and id_aa64pfr0
during arm_cpu_realizefn.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
          */
         unset_feature(env, ARM_FEATURE_EL3);
 
-        /* Disable the security extension feature bits in the processor feature
-         * registers as well. These are id_pfr1[7:4] and id_aa64pfr0[15:12].
+        /*
+         * Disable the security extension feature bits in the processor
+         * feature registers as well.
          */
-        cpu->isar.id_pfr1 &= ~0xf0;
-        cpu->isar.id_aa64pfr0 &= ~0xf000;
+        cpu->isar.id_pfr1 = FIELD_DP32(cpu->isar.id_pfr1, ID_PFR1, SECURITY, 0);
+        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
+                                           ID_AA64PFR0, EL3, 0);
     }
 
     if (!cpu->has_el2) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
     }
 
     if (!arm_feature(env, ARM_FEATURE_EL2)) {
-        /* Disable the hypervisor feature bits in the processor feature
-         * registers if we don't have EL2. These are id_pfr1[15:12] and
-         * id_aa64pfr0_el1[11:8].
+        /*
+         * Disable the hypervisor feature bits in the processor feature
+         * registers if we don't have EL2.
          */
-        cpu->isar.id_aa64pfr0 &= ~0xf00;
-        cpu->isar.id_pfr1 &= ~0xf000;
+        cpu->isar.id_aa64pfr0 = FIELD_DP64(cpu->isar.id_aa64pfr0,
+                                           ID_AA64PFR0, EL2, 0);
+        cpu->isar.id_pfr1 = FIELD_DP32(cpu->isar.id_pfr1,
+                                       ID_PFR1, VIRTUALIZATION, 0);
     }
 
 #ifndef CONFIG_USER_ONLY
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The only portion of FEAT_Debugv8p2 that is relevant to QEMU
is CONTEXTIDR_EL2, which is also conditionally implemented
with FEAT_VHE.  The rest of the debug extension concerns the
External debug interface, which is outside the scope of QEMU.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu.c              | 1 +
 target/arm/cpu64.c            | 1 +
 target/arm/cpu_tcg.c          | 2 ++
 4 files changed, 5 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This extension concerns changes to the External Debug interface,
with Secure and Non-secure access to the debug registers, and all
of it is outside the scope of QEMU.  Indicating support for this
is mandatory with FEAT_SEL2, which we do implement.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 2 +-
 target/arm/cpu_tcg.c          | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Add only the system registers required to implement zero error
records.  This means that all values for ERRSELR are out of range,
which means that it and all of the indexed error record registers
need not be implemented.

Add the EL2 registers required for injecting virtual SError.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h    |  5 +++
 target/arm/helper.c | 84 +++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
         uint64_t tfsr_el[4]; /* tfsre0_el1 is index 0.  */
         uint64_t gcr_el1;
         uint64_t rgsr_el1;
+
+        /* Minimal RAS registers */
+        uint64_t disr_el1;
+        uint64_t vdisr_el2;
+        uint64_t vsesr_el2;
     } cp15;
 
     struct {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
       .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
 };
 
+/*
+ * Check for traps to RAS registers, which are controlled
+ * by HCR_EL2.TERR and SCR_EL3.TERR.
+ */
+static CPAccessResult access_terr(CPUARMState *env, const ARMCPRegInfo *ri,
+                                  bool isread)
+{
+    int el = arm_current_el(env);
+
+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_TERR)) {
+        return CP_ACCESS_TRAP_EL2;
+    }
+    if (el < 3 && (env->cp15.scr_el3 & SCR_TERR)) {
+        return CP_ACCESS_TRAP_EL3;
+    }
+    return CP_ACCESS_OK;
+}
+
+static uint64_t disr_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    int el = arm_current_el(env);
+
+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
+        return env->cp15.vdisr_el2;
+    }
+    if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
+        return 0; /* RAZ/WI */
+    }
+    return env->cp15.disr_el1;
+}
+
+static void disr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
+{
+    int el = arm_current_el(env);
+
+    if (el < 2 && (arm_hcr_el2_eff(env) & HCR_AMO)) {
+        env->cp15.vdisr_el2 = val;
+        return;
+    }
+    if (el < 3 && (env->cp15.scr_el3 & SCR_EA)) {
+        return; /* RAZ/WI */
+    }
+    env->cp15.disr_el1 = val;
+}
+
+/*
+ * Minimal RAS implementation with no Error Records.
+ * Which means that all of the Error Record registers:
+ *   ERXADDR_EL1
+ *   ERXCTLR_EL1
+ *   ERXFR_EL1
+ *   ERXMISC0_EL1
+ *   ERXMISC1_EL1
+ *   ERXMISC2_EL1
+ *   ERXMISC3_EL1
+ *   ERXPFGCDN_EL1  (RASv1p1)
+ *   ERXPFGCTL_EL1  (RASv1p1)
+ *   ERXPFGF_EL1    (RASv1p1)
+ *   ERXSTATUS_EL1
+ * and
+ *   ERRSELR_EL1
+ * may generate UNDEFINED, which is the effect we get by not
+ * listing them at all.
+ */
+static const ARMCPRegInfo minimal_ras_reginfo[] = {
+    { .name = "DISR_EL1", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 1,
+      .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.disr_el1),
+      .readfn = disr_read, .writefn = disr_write, .raw_writefn = raw_write },
+    { .name = "ERRIDR_EL1", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 3, .opc2 = 0,
+      .access = PL1_R, .accessfn = access_terr,
+      .type = ARM_CP_CONST, .resetvalue = 0 },
+    { .name = "VDISR_EL2", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 1, .opc2 = 1,
+      .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vdisr_el2) },
+    { .name = "VSESR_EL2", .state = ARM_CP_STATE_BOTH,
+      .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 3,
+      .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.vsesr_el2) },
+};
+
 /* Return the exception level to which exceptions should be taken
  * via SVEAccessTrap.  If an exception should be routed through
  * AArch64.AdvSIMDFPAccessTrap, return 0; fp_exception_el should
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
     if (cpu_isar_feature(aa64_ssbs, cpu)) {
         define_one_arm_cp_reg(cpu, &ssbs_reginfo);
     }
+    if (cpu_isar_feature(any_ras, cpu)) {
+        define_arm_cp_regs(cpu, minimal_ras_reginfo);
+    }
 
     if (cpu_isar_feature(aa64_vh, cpu) ||
         cpu_isar_feature(aa64_debugv8p2, cpu)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Enable writes to the TERR and TEA bits when RAS is enabled.
These bits are otherwise RES0.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         }
         valid_mask &= ~SCR_NET;
 
+        if (cpu_isar_feature(aa64_ras, cpu)) {
+            valid_mask |= SCR_TERR;
+        }
         if (cpu_isar_feature(aa64_lor, cpu)) {
             valid_mask |= SCR_TLOR;
         }
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         }
     } else {
         valid_mask &= ~(SCR_RW | SCR_ST);
+        if (cpu_isar_feature(aa32_ras, cpu)) {
+            valid_mask |= SCR_TERR;
+        }
     }
 
     if (!arm_feature(env, ARM_FEATURE_EL2)) {
@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
         if (cpu_isar_feature(aa64_vh, cpu)) {
             valid_mask |= HCR_E2H;
         }
+        if (cpu_isar_feature(aa64_ras, cpu)) {
+            valid_mask |= HCR_TERR | HCR_TEA;
+        }
         if (cpu_isar_feature(aa64_lor, cpu)) {
             valid_mask |= HCR_TLOR;
         }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Virtual SError exceptions are raised by setting HCR_EL2.VSE,
and are routed to EL1 just like other virtual exceptions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h       |  2 ++
 target/arm/internals.h |  8 ++++++++
 target/arm/syndrome.h  |  5 +++++
 target/arm/cpu.c       | 38 +++++++++++++++++++++++++++++++++++++-
 target/arm/helper.c    | 40 +++++++++++++++++++++++++++++++++++++++-
 5 files changed, 91 insertions(+), 2 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@
 #define EXCP_LSERR          21   /* v8M LSERR SecureFault */
 #define EXCP_UNALIGNED      22   /* v7M UNALIGNED UsageFault */
 #define EXCP_DIVBYZERO      23   /* v7M DIVBYZERO UsageFault */
+#define EXCP_VSERR          24
 /* NB: add new EXCP_ defines to the array in arm_log_exception() too */
 
 #define ARMV7M_EXCP_RESET   1
@@ -XXX,XX +XXX,XX @@ enum {
 #define CPU_INTERRUPT_FIQ   CPU_INTERRUPT_TGT_EXT_1
 #define CPU_INTERRUPT_VIRQ  CPU_INTERRUPT_TGT_EXT_2
 #define CPU_INTERRUPT_VFIQ  CPU_INTERRUPT_TGT_EXT_3
+#define CPU_INTERRUPT_VSERR CPU_INTERRUPT_TGT_INT_0
 
 /* The usual mapping for an AArch64 system register to its AArch32
  * counterpart is for the 32 bit world to have access to the lower
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ void arm_cpu_update_virq(ARMCPU *cpu);
  */
 void arm_cpu_update_vfiq(ARMCPU *cpu);
 
+/**
+ * arm_cpu_update_vserr: Update CPU_INTERRUPT_VSERR bit
+ *
+ * Update the CPU_INTERRUPT_VSERR bit in cs->interrupt_request,
+ * following a change to the HCR_EL2.VSE bit.
+ */
+void arm_cpu_update_vserr(ARMCPU *cpu);
+
 /**
  * arm_mmu_idx_el:
  * @env: The cpu environment
diff --git a/target/arm/syndrome.h b/target/arm/syndrome.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/syndrome.h
+++ b/target/arm/syndrome.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t syn_pcalignment(void)
     return (EC_PCALIGNMENT << ARM_EL_EC_SHIFT) | ARM_EL_IL;
 }
 
+static inline uint32_t syn_serror(uint32_t extra)
+{
+    return (EC_SERROR << ARM_EL_EC_SHIFT) | ARM_EL_IL | extra;
+}
+
 #endif /* TARGET_ARM_SYNDROME_H */
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_has_work(CPUState *cs)
     return (cpu->power_state != PSCI_OFF)
         && cs->interrupt_request &
         (CPU_INTERRUPT_FIQ | CPU_INTERRUPT_HARD
-         | CPU_INTERRUPT_VFIQ | CPU_INTERRUPT_VIRQ
+         | CPU_INTERRUPT_VFIQ | CPU_INTERRUPT_VIRQ | CPU_INTERRUPT_VSERR
          | CPU_INTERRUPT_EXITTB);
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool arm_excp_unmasked(CPUState *cs, unsigned int excp_idx,
             return false;
         }
         return !(env->daif & PSTATE_I);
+    case EXCP_VSERR:
+        if (!(hcr_el2 & HCR_AMO) || (hcr_el2 & HCR_TGE)) {
+            /* VIRQs are only taken when hypervized.  */
+            return false;
+        }
+        return !(env->daif & PSTATE_A);
     default:
         g_assert_not_reached();
     }
@@ -XXX,XX +XXX,XX @@ static bool arm_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
             goto found;
         }
     }
+    if (interrupt_request & CPU_INTERRUPT_VSERR) {
+        excp_idx = EXCP_VSERR;
+        target_el = 1;
+        if (arm_excp_unmasked(cs, excp_idx, target_el,
+                              cur_el, secure, hcr_el2)) {
+            /* Taking a virtual abort clears HCR_EL2.VSE */
+            env->cp15.hcr_el2 &= ~HCR_VSE;
+            cpu_reset_interrupt(cs, CPU_INTERRUPT_VSERR);
+            goto found;
+        }
+    }
     return false;
 
  found:
@@ -XXX,XX +XXX,XX @@ void arm_cpu_update_vfiq(ARMCPU *cpu)
     }
 }
 
+void arm_cpu_update_vserr(ARMCPU *cpu)
+{
+    /*
+     * Update the interrupt level for VSERR, which is the HCR_EL2.VSE bit.
+     */
+    CPUARMState *env = &cpu->env;
+    CPUState *cs = CPU(cpu);
+
+    bool new_state = env->cp15.hcr_el2 & HCR_VSE;
+
+    if (new_state != ((cs->interrupt_request & CPU_INTERRUPT_VSERR) != 0)) {
+        if (new_state) {
+            cpu_interrupt(cs, CPU_INTERRUPT_VSERR);
+        } else {
+            cpu_reset_interrupt(cs, CPU_INTERRUPT_VSERR);
+        }
+    }
+}
+
 #ifndef CONFIG_USER_ONLY
 static void arm_cpu_set_irq(void *opaque, int irq, int level)
 {
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
         }
     }
 
-    /* External aborts are not possible in QEMU so A bit is always clear */
+    if (hcr_el2 & HCR_AMO) {
+        if (cs->interrupt_request & CPU_INTERRUPT_VSERR) {
+            ret |= CPSR_A;
+        }
+    }
+
     return ret;
 }
 
@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
     g_assert(qemu_mutex_iothread_locked());
     arm_cpu_update_virq(cpu);
     arm_cpu_update_vfiq(cpu);
+    arm_cpu_update_vserr(cpu);
 }
 
 static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
@@ -XXX,XX +XXX,XX @@ void arm_log_exception(CPUState *cs)
             [EXCP_LSERR] = "v8M LSERR UsageFault",
             [EXCP_UNALIGNED] = "v7M UNALIGNED UsageFault",
             [EXCP_DIVBYZERO] = "v7M DIVBYZERO UsageFault",
+            [EXCP_VSERR] = "Virtual SERR",
         };
 
         if (idx >= 0 && idx < ARRAY_SIZE(excnames)) {
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch32(CPUState *cs)
         mask = CPSR_A | CPSR_I | CPSR_F;
         offset = 4;
         break;
+    case EXCP_VSERR:
+        {
+            /*
+             * Note that this is reported as a data abort, but the DFAR
+             * has an UNKNOWN value.  Construct the SError syndrome from
+             * AET and ExT fields.
+             */
+            ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal, };
+
+            if (extended_addresses_enabled(env)) {
+                env->exception.fsr = arm_fi_to_lfsc(&fi);
+            } else {
+                env->exception.fsr = arm_fi_to_sfsc(&fi);
+            }
+            env->exception.fsr |= env->cp15.vsesr_el2 & 0xd000;
+            A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
+            qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x\n",
+                          env->exception.fsr);
+
+            new_mode = ARM_CPU_MODE_ABT;
+            addr = 0x10;
+            mask = CPSR_A | CPSR_I;
+            offset = 8;
+        }
+        break;
     case EXCP_SMC:
         new_mode = ARM_CPU_MODE_MON;
         addr = 0x08;
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_do_interrupt_aarch64(CPUState *cs)
     case EXCP_VFIQ:
         addr += 0x100;
         break;
+    case EXCP_VSERR:
+        addr += 0x180;
+        /* Construct the SError syndrome from IDS and ISS fields. */
+        env->exception.syndrome = syn_serror(env->cp15.vsesr_el2 & 0x1ffffff);
+        env->cp15.esr_el[new_el] = env->exception.syndrome;
+        break;
     default:
         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Check for and defer any pending virtual SError.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  1 +
 target/arm/a32.decode      | 16 ++++++++------
 target/arm/t32.decode      | 18 ++++++++--------
 target/arm/op_helper.c     | 43 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-a64.c | 17 +++++++++++++++
 target/arm/translate.c     | 23 ++++++++++++++++++++
 6 files changed, 103 insertions(+), 15 deletions(-)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(wfe, void, env)
 DEF_HELPER_1(yield, void, env)
 DEF_HELPER_1(pre_hvc, void, env)
 DEF_HELPER_2(pre_smc, void, env, i32)
+DEF_HELPER_1(vesb, void, env)
 
 DEF_HELPER_3(cpsr_write, void, env, i32, i32)
 DEF_HELPER_2(cpsr_write_eret, void, env, i32)
diff --git a/target/arm/a32.decode b/target/arm/a32.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/a32.decode
+++ b/target/arm/a32.decode
@@ -XXX,XX +XXX,XX @@ SMULTT           .... 0001 0110 .... 0000 .... 1110 ....      @rd0mn
 
 {
   {
-    YIELD        ---- 0011 0010 0000 1111 ---- 0000 0001
-    WFE          ---- 0011 0010 0000 1111 ---- 0000 0010
-    WFI          ---- 0011 0010 0000 1111 ---- 0000 0011
+    [
+      YIELD      ---- 0011 0010 0000 1111 ---- 0000 0001
+      WFE        ---- 0011 0010 0000 1111 ---- 0000 0010
+      WFI        ---- 0011 0010 0000 1111 ---- 0000 0011
 
-    # TODO: Implement SEV, SEVL; may help SMP performance.
-    # SEV        ---- 0011 0010 0000 1111 ---- 0000 0100
-    # SEVL       ---- 0011 0010 0000 1111 ---- 0000 0101
+      # TODO: Implement SEV, SEVL; may help SMP performance.
+      # SEV      ---- 0011 0010 0000 1111 ---- 0000 0100
+      # SEVL     ---- 0011 0010 0000 1111 ---- 0000 0101
+
+      ESB        ---- 0011 0010 0000 1111 ---- 0001 0000
+    ]
 
     # The canonical nop ends in 00000000, but the whole of the
     # rest of the space executes as nop if otherwise unsupported.
diff --git a/target/arm/t32.decode b/target/arm/t32.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/t32.decode
+++ b/target/arm/t32.decode
@@ -XXX,XX +XXX,XX @@ CLZ              1111 1010 1011 ---- 1111 .... 1000 ....      @rdm
   [
     # Hints, and CPS
     {
-      YIELD      1111 0011 1010 1111 1000 0000 0000 0001
-      WFE        1111 0011 1010 1111 1000 0000 0000 0010
-      WFI        1111 0011 1010 1111 1000 0000 0000 0011
+      [
+        YIELD    1111 0011 1010 1111 1000 0000 0000 0001
+        WFE      1111 0011 1010 1111 1000 0000 0000 0010
+        WFI      1111 0011 1010 1111 1000 0000 0000 0011
 
-      # TODO: Implement SEV, SEVL; may help SMP performance.
-      # SEV      1111 0011 1010 1111 1000 0000 0000 0100
-      # SEVL     1111 0011 1010 1111 1000 0000 0000 0101
+        # TODO: Implement SEV, SEVL; may help SMP performance.
+        # SEV    1111 0011 1010 1111 1000 0000 0000 0100
+        # SEVL   1111 0011 1010 1111 1000 0000 0000 0101
 
-      # For M-profile minimal-RAS ESB can be a NOP, which is the
-      # default behaviour since it is in the hint space.
-      # ESB      1111 0011 1010 1111 1000 0000 0001 0000
+        ESB      1111 0011 1010 1111 1000 0000 0001 0000
+      ]
 
       # The canonical nop ends in 0000 0000, but the whole rest
       # of the space is "reserved hint, behaves as nop".
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(probe_access)(CPUARMState *env, target_ulong ptr,
                      access_type, mmu_idx, ra);
     }
 }
+
+/*
+ * This function corresponds to AArch64.vESBOperation().
+ * Note that the AArch32 version is not functionally different.
+ */
+void HELPER(vesb)(CPUARMState *env)
+{
+    /*
+     * The EL2Enabled() check is done inside arm_hcr_el2_eff,
+     * and will return HCR_EL2.VSE == 0, so nothing happens.
+     */
+    uint64_t hcr = arm_hcr_el2_eff(env);
+    bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO);
+    bool pending = enabled && (hcr & HCR_VSE);
+    bool masked  = (env->daif & PSTATE_A);
+
+    /* If VSE pending and masked, defer the exception.  */
+    if (pending && masked) {
+        uint32_t syndrome;
+
+        if (arm_el_is_aa64(env, 1)) {
+            /* Copy across IDS and ISS from VSESR. */
+            syndrome = env->cp15.vsesr_el2 & 0x1ffffff;
+        } else {
+            ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal };
+
+            if (extended_addresses_enabled(env)) {
+                syndrome = arm_fi_to_lfsc(&fi);
+            } else {
+                syndrome = arm_fi_to_sfsc(&fi);
+            }
+            /* Copy across AET and ExT from VSESR. */
+            syndrome |= env->cp15.vsesr_el2 & 0xd000;
+        }
+
+        /* Set VDISR_EL2.A along with the syndrome. */
+        env->cp15.vdisr_el2 = syndrome | (1u << 31);
+
+        /* Clear pending virtual SError */
+        env->cp15.hcr_el2 &= ~HCR_VSE;
+        cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR);
+    }
+}
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void handle_hint(DisasContext *s, uint32_t insn,
             gen_helper_autib(cpu_X[17], cpu_env, cpu_X[17], cpu_X[16]);
         }
         break;
+    case 0b10000: /* ESB */
+        /* Without RAS, we must implement this as NOP. */
+        if (dc_isar_feature(aa64_ras, s)) {
+            /*
+             * QEMU does not have a source of physical SErrors,
+             * so we are only concerned with virtual SErrors.
+             * The pseudocode in the ARM for this case is
+             *   if PSTATE.EL IN {EL0, EL1} && EL2Enabled() then
+             *      AArch64.vESBOperation();
+             * Most of the condition can be evaluated at translation time.
+             * Test for EL2 present, and defer test for SEL2 to runtime.
+             */
+            if (s->current_el <= 1 && arm_dc_feature(s, ARM_FEATURE_EL2)) {
+                gen_helper_vesb(cpu_env);
+            }
+        }
+        break;
     case 0b11000: /* PACIAZ */
         if (s->pauth_active) {
             gen_helper_pacia(cpu_X[30], cpu_env, cpu_X[30],
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static bool trans_WFI(DisasContext *s, arg_WFI *a)
     return true;
 }
 
+static bool trans_ESB(DisasContext *s, arg_ESB *a)
+{
+    /*
+     * For M-profile, minimal-RAS ESB can be a NOP.
+     * Without RAS, we must implement this as NOP.
+     */
+    if (!arm_dc_feature(s, ARM_FEATURE_M) && dc_isar_feature(aa32_ras, s)) {
+        /*
+         * QEMU does not have a source of physical SErrors,
+         * so we are only concerned with virtual SErrors.
+         * The pseudocode in the ARM for this case is
+         *   if PSTATE.EL IN {EL0, EL1} && EL2Enabled() then
+         *      AArch32.vESBOperation();
+         * Most of the condition can be evaluated at translation time.
+         * Test for EL2 present, and defer test for SEL2 to runtime.
+         */
+        if (s->current_el <= 1 && arm_dc_feature(s, ARM_FEATURE_EL2)) {
+            gen_helper_vesb(cpu_env);
+        }
+    }
+    return true;
+}
+
 static bool trans_NOP(DisasContext *s, arg_NOP *a)
 {
     return true;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 1 +
 target/arm/cpu_tcg.c          | 1 +
 3 files changed, 3 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This feature is AArch64 only, and applies to physical SErrors,
which QEMU does not implement, thus the feature is a nop.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 1 +
 2 files changed, 2 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This extension concerns branch speculation, which TCG does
not implement.  Thus we can trivially enable this feature.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 1 +
 target/arm/cpu_tcg.c          | 1 +
 3 files changed, 3 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

There is no branch prediction in TCG, therefore there is no
need to actually include the context number into the predictor.
Therefore all we need to do is add the state for SCXTNUM_ELx.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |  3 ++
 target/arm/cpu.h              | 16 +++++++++
 target/arm/cpu.c              |  5 +++
 target/arm/cpu64.c            |  3 +-
 target/arm/helper.c           | 61 ++++++++++++++++++++++++++++++++++-
 5 files changed, 86 insertions(+), 2 deletions(-)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_BF16 (AArch64 BFloat16 instructions)
 - FEAT_BTI (Branch Target Identification)
 - FEAT_CSV2 (Cache speculation variant 2)
+- FEAT_CSV2_1p1 (Cache speculation variant 2, version 1.1)
+- FEAT_CSV2_1p2 (Cache speculation variant 2, version 1.2)
+- FEAT_CSV2_2 (Cache speculation variant 2, version 2)
 - FEAT_DIT (Data Independent Timing instructions)
 - FEAT_DPB (DC CVAP instruction)
 - FEAT_Debugv8p2 (Debug changes for v8.2)
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
         ARMPACKey apdb;
         ARMPACKey apga;
     } keys;
+
+    uint64_t scxtnum_el[4];
 #endif
 
 #if defined(CONFIG_USER_ONLY)
@@ -XXX,XX +XXX,XX @@ void pmu_init(ARMCPU *cpu);
 #define SCTLR_WXN     (1U << 19)
 #define SCTLR_ST      (1U << 20) /* up to ??, RAZ in v6 */
 #define SCTLR_UWXN    (1U << 20) /* v7 onward, AArch32 only */
+#define SCTLR_TSCXT   (1U << 20) /* FEAT_CSV2_1p2, AArch64 only */
 #define SCTLR_FI      (1U << 21) /* up to v7, v8 RES0 */
 #define SCTLR_IESB    (1U << 21) /* v8.2-IESB, AArch64 only */
 #define SCTLR_U       (1U << 22) /* up to v6, RAO in v7 */
@@ -XXX,XX +XXX,XX @@ static inline bool isar_feature_aa64_dit(const ARMISARegisters *id)
     return FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, DIT) != 0;
 }
 
+static inline bool isar_feature_aa64_scxtnum(const ARMISARegisters *id)
+{
+    int key = FIELD_EX64(id->id_aa64pfr0, ID_AA64PFR0, CSV2);
+    if (key >= 2) {
+        return true;      /* FEAT_CSV2_2 */
+    }
+    if (key == 1) {
+        key = FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, CSV2_FRAC);
+        return key >= 2;  /* FEAT_CSV2_1p2 */
+    }
+    return false;
+}
+
 static inline bool isar_feature_aa64_ssbs(const ARMISARegisters *id)
 {
     return FIELD_EX64(id->id_aa64pfr1, ID_AA64PFR1, SSBS) != 0;
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
              */
             env->cp15.gcr_el1 = 0x1ffff;
         }
+        /*
+         * Disable access to SCXTNUM_EL0 from CSV2_1p2.
+         * This is not yet exposed from the Linux kernel in any way.
+         */
+        env->cp15.sctlr_el[1] |= SCTLR_TSCXT;
 #else
         /* Reset into the highest available EL */
         if (arm_feature(env, ARM_FEATURE_EL3)) {
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64PFR0, SVE, 1);
     t = FIELD_DP64(t, ID_AA64PFR0, SEL2, 1);      /* FEAT_SEL2 */
     t = FIELD_DP64(t, ID_AA64PFR0, DIT, 1);       /* FEAT_DIT */
-    t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 1);      /* FEAT_CSV2 */
+    t = FIELD_DP64(t, ID_AA64PFR0, CSV2, 2);      /* FEAT_CSV2_2 */
     cpu->isar.id_aa64pfr0 = t;
 
     t = cpu->isar.id_aa64pfr1;
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      * we do for EL2 with the virtualization=on property.
      */
     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
+    t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
     cpu->isar.id_aa64pfr1 = t;
 
     t = cpu->isar.id_aa64mmfr0;
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
         if (cpu_isar_feature(aa64_mte, cpu)) {
             valid_mask |= SCR_ATA;
         }
+        if (cpu_isar_feature(aa64_scxtnum, cpu)) {
+            valid_mask |= SCR_ENSCXT;
+        }
     } else {
         valid_mask &= ~(SCR_RW | SCR_ST);
         if (cpu_isar_feature(aa32_ras, cpu)) {
@@ -XXX,XX +XXX,XX @@ static void do_hcr_write(CPUARMState *env, uint64_t value, uint64_t valid_mask)
         if (cpu_isar_feature(aa64_mte, cpu)) {
             valid_mask |= HCR_ATA | HCR_DCT | HCR_TID5;
         }
+        if (cpu_isar_feature(aa64_scxtnum, cpu)) {
+            valid_mask |= HCR_ENSCXT;
+        }
     }
 
     /* Clear RES0 bits.  */
@@ -XXX,XX +XXX,XX @@ static void define_arm_vh_e2h_redirects_aliases(ARMCPU *cpu)
         { K(3, 0,  5, 6, 0), K(3, 4,  5, 6, 0), K(3, 5, 5, 6, 0),
           "TFSR_EL1", "TFSR_EL2", "TFSR_EL12", isar_feature_aa64_mte },
 
+        { K(3, 0, 13, 0, 7), K(3, 4, 13, 0, 7), K(3, 5, 13, 0, 7),
+          "SCXTNUM_EL1", "SCXTNUM_EL2", "SCXTNUM_EL12",
+          isar_feature_aa64_scxtnum },
+
         /* TODO: ARMv8.2-SPE -- PMSCR_EL2 */
         /* TODO: ARMv8.4-Trace -- TRFCR_EL2 */
     };
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo mte_el0_cacheop_reginfo[] = {
     },
 };
 
-#endif
+static CPAccessResult access_scxtnum(CPUARMState *env, const ARMCPRegInfo *ri,
+                                     bool isread)
+{
+    uint64_t hcr = arm_hcr_el2_eff(env);
+    int el = arm_current_el(env);
+
+    if (el == 0 && !((hcr & HCR_E2H) && (hcr & HCR_TGE))) {
+        if (env->cp15.sctlr_el[1] & SCTLR_TSCXT) {
+            if (hcr & HCR_TGE) {
+                return CP_ACCESS_TRAP_EL2;
+            }
+            return CP_ACCESS_TRAP;
+        }
+    } else if (el < 2 && (env->cp15.sctlr_el[2] & SCTLR_TSCXT)) {
+        return CP_ACCESS_TRAP_EL2;
+    }
+    if (el < 2 && arm_is_el2_enabled(env) && !(hcr & HCR_ENSCXT)) {
+        return CP_ACCESS_TRAP_EL2;
+    }
+    if (el < 3
+        && arm_feature(env, ARM_FEATURE_EL3)
+        && !(env->cp15.scr_el3 & SCR_ENSCXT)) {
+        return CP_ACCESS_TRAP_EL3;
+    }
+    return CP_ACCESS_OK;
+}
+
+static const ARMCPRegInfo scxtnum_reginfo[] = {
+    { .name = "SCXTNUM_EL0", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 3, .crn = 13, .crm = 0, .opc2 = 7,
+      .access = PL0_RW, .accessfn = access_scxtnum,
+      .fieldoffset = offsetof(CPUARMState, scxtnum_el[0]) },
+    { .name = "SCXTNUM_EL1", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 7,
+      .access = PL1_RW, .accessfn = access_scxtnum,
+      .fieldoffset = offsetof(CPUARMState, scxtnum_el[1]) },
+    { .name = "SCXTNUM_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 7,
+      .access = PL2_RW, .accessfn = access_scxtnum,
+      .fieldoffset = offsetof(CPUARMState, scxtnum_el[2]) },
+    { .name = "SCXTNUM_EL3", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 6, .crn = 13, .crm = 0, .opc2 = 7,
+      .access = PL3_RW,
+      .fieldoffset = offsetof(CPUARMState, scxtnum_el[3]) },
+};
+#endif /* TARGET_AARCH64 */
 
 static CPAccessResult access_predinv(CPUARMState *env, const ARMCPRegInfo *ri,
                                      bool isread)
@@ -XXX,XX +XXX,XX @@ void register_cp_regs_for_features(ARMCPU *cpu)
         define_arm_cp_regs(cpu, mte_tco_ro_reginfo);
         define_arm_cp_regs(cpu, mte_el0_cacheop_reginfo);
     }
+
+    if (cpu_isar_feature(aa64_scxtnum, cpu)) {
+        define_arm_cp_regs(cpu, scxtnum_reginfo);
+    }
 #endif
 
     if (cpu_isar_feature(any_predinv, cpu)) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This extension concerns cache speculation, which TCG does
not implement.  Thus we can trivially enable this feature.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-22-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 1 +
 target/arm/cpu_tcg.c          | 1 +
 3 files changed, 3 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This extension concerns not merging memory access, which TCG does
not implement.  Thus we can trivially enable this feature.
Add a comment to handle_hint for the DGH instruction, but no code.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-23-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst | 1 +
 target/arm/cpu64.c            | 1 +
 target/arm/translate-a64.c    | 1 +
 3 files changed, 3 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Enable the a76 for virt and sbsa board use.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/virt.rst |  1 +
 hw/arm/sbsa-ref.c        |  1 +
 hw/arm/virt.c            |  1 +
 target/arm/cpu64.c       | 66 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 69 insertions(+)

diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/virt.rst
+++ b/docs/system/arm/virt.rst
@@ -XXX,XX +XXX,XX @@ Supported guest CPU types:
 - ``cortex-a53`` (64-bit)
 - ``cortex-a57`` (64-bit)
 - ``cortex-a72`` (64-bit)
+- ``cortex-a76`` (64-bit)
 - ``a64fx`` (64-bit)
 - ``host`` (with KVM only)
 - ``max`` (same as ``host`` for KVM; best possible emulation with TCG)
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {
 static const char * const valid_cpus[] = {
     ARM_CPU_TYPE_NAME("cortex-a57"),
     ARM_CPU_TYPE_NAME("cortex-a72"),
+    ARM_CPU_TYPE_NAME("cortex-a76"),
     ARM_CPU_TYPE_NAME("max"),
 };
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const char *valid_cpus[] = {
     ARM_CPU_TYPE_NAME("cortex-a53"),
     ARM_CPU_TYPE_NAME("cortex-a57"),
     ARM_CPU_TYPE_NAME("cortex-a72"),
+    ARM_CPU_TYPE_NAME("cortex-a76"),
     ARM_CPU_TYPE_NAME("a64fx"),
     ARM_CPU_TYPE_NAME("host"),
     ARM_CPU_TYPE_NAME("max"),
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a72_initfn(Object *obj)
     define_cortex_a72_a57_a53_cp_reginfo(cpu);
 }
 
+static void aarch64_a76_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,cortex-a76";
+    set_feature(&cpu->env, ARM_FEATURE_V8);
+    set_feature(&cpu->env, ARM_FEATURE_NEON);
+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
+    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
+    set_feature(&cpu->env, ARM_FEATURE_EL2);
+    set_feature(&cpu->env, ARM_FEATURE_EL3);
+    set_feature(&cpu->env, ARM_FEATURE_PMU);
+
+    /* Ordered by B2.4 AArch64 registers by functional group */
+    cpu->clidr = 0x82000023;
+    cpu->ctr = 0x8444C004;
+    cpu->dcz_blocksize = 4;
+    cpu->isar.id_aa64dfr0  = 0x0000000010305408ull;
+    cpu->isar.id_aa64isar0 = 0x0000100010211120ull;
+    cpu->isar.id_aa64isar1 = 0x0000000000100001ull;
+    cpu->isar.id_aa64mmfr0 = 0x0000000000101122ull;
+    cpu->isar.id_aa64mmfr1 = 0x0000000010212122ull;
+    cpu->isar.id_aa64mmfr2 = 0x0000000000001011ull;
+    cpu->isar.id_aa64pfr0  = 0x1100000010111112ull; /* GIC filled in later */
+    cpu->isar.id_aa64pfr1  = 0x0000000000000010ull;
+    cpu->id_afr0       = 0x00000000;
+    cpu->isar.id_dfr0  = 0x04010088;
+    cpu->isar.id_isar0 = 0x02101110;
+    cpu->isar.id_isar1 = 0x13112111;
+    cpu->isar.id_isar2 = 0x21232042;
+    cpu->isar.id_isar3 = 0x01112131;
+    cpu->isar.id_isar4 = 0x00010142;
+    cpu->isar.id_isar5 = 0x01011121;
+    cpu->isar.id_isar6 = 0x00000010;
+    cpu->isar.id_mmfr0 = 0x10201105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02122211;
+    cpu->isar.id_mmfr4 = 0x00021110;
+    cpu->isar.id_pfr0  = 0x10010131;
+    cpu->isar.id_pfr1  = 0x00010000; /* GIC filled in later */
+    cpu->isar.id_pfr2  = 0x00000011;
+    cpu->midr = 0x414fd0b1;          /* r4p1 */
+    cpu->revidr = 0;
+
+    /* From B2.18 CCSIDR_EL1 */
+    cpu->ccsidr[0] = 0x701fe01a; /* 64KB L1 dcache */
+    cpu->ccsidr[1] = 0x201fe01a; /* 64KB L1 icache */
+    cpu->ccsidr[2] = 0x707fe03a; /* 512KB L2 cache */
+
+    /* From B2.93 SCTLR_EL3 */
+    cpu->reset_sctlr = 0x30c50838;
+
+    /* From B4.23 ICH_VTR_EL2 */
+    cpu->gic_num_lrs = 4;
+    cpu->gic_vpribits = 5;
+    cpu->gic_vprebits = 5;
+
+    /* From B5.1 AdvSIMD AArch64 register summary */
+    cpu->isar.mvfr0 = 0x10110222;
+    cpu->isar.mvfr1 = 0x13211111;
+    cpu->isar.mvfr2 = 0x00000043;
+}
+
 void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
     { .name = "cortex-a57",         .initfn = aarch64_a57_initfn },
     { .name = "cortex-a53",         .initfn = aarch64_a53_initfn },
     { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
+    { .name = "cortex-a76",         .initfn = aarch64_a76_initfn },
     { .name = "a64fx",              .initfn = aarch64_a64fx_initfn },
     { .name = "max",                .initfn = aarch64_max_initfn },
 #if defined(CONFIG_KVM) || defined(CONFIG_HVF)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Enable the n1 for virt and sbsa board use.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220506180242.216785-25-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/virt.rst |  1 +
 hw/arm/sbsa-ref.c        |  1 +
 hw/arm/virt.c            |  1 +
 target/arm/cpu64.c       | 66 ++++++++++++++++++++++++++++++++++++++++
 4 files changed, 69 insertions(+)

diff --git a/docs/system/arm/virt.rst b/docs/system/arm/virt.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/virt.rst
+++ b/docs/system/arm/virt.rst
@@ -XXX,XX +XXX,XX @@ Supported guest CPU types:
 - ``cortex-a76`` (64-bit)
 - ``a64fx`` (64-bit)
 - ``host`` (with KVM only)
+- ``neoverse-n1`` (64-bit)
 - ``max`` (same as ``host`` for KVM; best possible emulation with TCG)
 
 Note that the default is ``cortex-a15``, so for an AArch64 guest you must
diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static const char * const valid_cpus[] = {
     ARM_CPU_TYPE_NAME("cortex-a57"),
     ARM_CPU_TYPE_NAME("cortex-a72"),
     ARM_CPU_TYPE_NAME("cortex-a76"),
+    ARM_CPU_TYPE_NAME("neoverse-n1"),
     ARM_CPU_TYPE_NAME("max"),
 };
 
diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const char *valid_cpus[] = {
     ARM_CPU_TYPE_NAME("cortex-a72"),
     ARM_CPU_TYPE_NAME("cortex-a76"),
     ARM_CPU_TYPE_NAME("a64fx"),
+    ARM_CPU_TYPE_NAME("neoverse-n1"),
     ARM_CPU_TYPE_NAME("host"),
     ARM_CPU_TYPE_NAME("max"),
 };
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_a76_initfn(Object *obj)
     cpu->isar.mvfr2 = 0x00000043;
 }
 
+static void aarch64_neoverse_n1_initfn(Object *obj)
+{
+    ARMCPU *cpu = ARM_CPU(obj);
+
+    cpu->dtb_compatible = "arm,neoverse-n1";
+    set_feature(&cpu->env, ARM_FEATURE_V8);
+    set_feature(&cpu->env, ARM_FEATURE_NEON);
+    set_feature(&cpu->env, ARM_FEATURE_GENERIC_TIMER);
+    set_feature(&cpu->env, ARM_FEATURE_AARCH64);
+    set_feature(&cpu->env, ARM_FEATURE_CBAR_RO);
+    set_feature(&cpu->env, ARM_FEATURE_EL2);
+    set_feature(&cpu->env, ARM_FEATURE_EL3);
+    set_feature(&cpu->env, ARM_FEATURE_PMU);
+
+    /* Ordered by B2.4 AArch64 registers by functional group */
+    cpu->clidr = 0x82000023;
+    cpu->ctr = 0x8444c004;
+    cpu->dcz_blocksize = 4;
+    cpu->isar.id_aa64dfr0  = 0x0000000110305408ull;
+    cpu->isar.id_aa64isar0 = 0x0000100010211120ull;
+    cpu->isar.id_aa64isar1 = 0x0000000000100001ull;
+    cpu->isar.id_aa64mmfr0 = 0x0000000000101125ull;
+    cpu->isar.id_aa64mmfr1 = 0x0000000010212122ull;
+    cpu->isar.id_aa64mmfr2 = 0x0000000000001011ull;
+    cpu->isar.id_aa64pfr0  = 0x1100000010111112ull; /* GIC filled in later */
+    cpu->isar.id_aa64pfr1  = 0x0000000000000020ull;
+    cpu->id_afr0       = 0x00000000;
+    cpu->isar.id_dfr0  = 0x04010088;
+    cpu->isar.id_isar0 = 0x02101110;
+    cpu->isar.id_isar1 = 0x13112111;
+    cpu->isar.id_isar2 = 0x21232042;
+    cpu->isar.id_isar3 = 0x01112131;
+    cpu->isar.id_isar4 = 0x00010142;
+    cpu->isar.id_isar5 = 0x01011121;
+    cpu->isar.id_isar6 = 0x00000010;
+    cpu->isar.id_mmfr0 = 0x10201105;
+    cpu->isar.id_mmfr1 = 0x40000000;
+    cpu->isar.id_mmfr2 = 0x01260000;
+    cpu->isar.id_mmfr3 = 0x02122211;
+    cpu->isar.id_mmfr4 = 0x00021110;
+    cpu->isar.id_pfr0  = 0x10010131;
+    cpu->isar.id_pfr1  = 0x00010000; /* GIC filled in later */
+    cpu->isar.id_pfr2  = 0x00000011;
+    cpu->midr = 0x414fd0c1;          /* r4p1 */
+    cpu->revidr = 0;
+
+    /* From B2.23 CCSIDR_EL1 */
+    cpu->ccsidr[0] = 0x701fe01a; /* 64KB L1 dcache */
+    cpu->ccsidr[1] = 0x201fe01a; /* 64KB L1 icache */
+    cpu->ccsidr[2] = 0x70ffe03a; /* 1MB L2 cache */
+
+    /* From B2.98 SCTLR_EL3 */
+    cpu->reset_sctlr = 0x30c50838;
+
+    /* From B4.23 ICH_VTR_EL2 */
+    cpu->gic_num_lrs = 4;
+    cpu->gic_vpribits = 5;
+    cpu->gic_vprebits = 5;
+
+    /* From B5.1 AdvSIMD AArch64 register summary */
+    cpu->isar.mvfr0 = 0x10110222;
+    cpu->isar.mvfr1 = 0x13211111;
+    cpu->isar.mvfr2 = 0x00000043;
+}
+
 void arm_cpu_sve_finalize(ARMCPU *cpu, Error **errp)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static const ARMCPUInfo aarch64_cpus[] = {
     { .name = "cortex-a72",         .initfn = aarch64_a72_initfn },
     { .name = "cortex-a76",         .initfn = aarch64_a76_initfn },
     { .name = "a64fx",              .initfn = aarch64_a64fx_initfn },
+    { .name = "neoverse-n1",        .initfn = aarch64_neoverse_n1_initfn },
     { .name = "max",                .initfn = aarch64_max_initfn },
 #if defined(CONFIG_KVM) || defined(CONFIG_HVF)
     { .name = "host",               .initfn = aarch64_host_initfn },
-- 
2.25.1

From: Leif Lindholm <quic_llindhol@quicinc.com>

The sbsa-ref machine is continuously evolving. Some of the changes we
want to make in the near future, to align with real components (e.g.
the GIC-700), will break compatibility for existing firmware.

Introduce two new properties to the DT generated on machine generation:
- machine-version-major
  To be incremented when a platform change makes the machine
  incompatible with existing firmware.
- machine-version-minor
  To be incremented when functionality is added to the machine
  without causing incompatibility with existing firmware.
  to be reset to 0 when machine-version-major is incremented.

This versioning scheme is *neither*:
- A QEMU versioned machine type; a given version of QEMU will emulate
  a given version of the platform.
- A reflection of level of SBSA (now SystemReady SR) support provided.

The version will increment on guest-visible functional changes only,
akin to a revision ID register found on a physical platform.

These properties are both introduced with the value 0.
(Hence, a machine where the DT is lacking these nodes is equivalent
to version 0.0.)

Signed-off-by: Leif Lindholm <quic_llindhol@quicinc.com>
Message-id: 20220505113947.75714-1-quic_llindhol@quicinc.com
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Radoslaw Biernacki <rad@semihalf.com>
Cc: Cédric Le Goater <clg@kaod.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/sbsa-ref.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/sbsa-ref.c
+++ b/hw/arm/sbsa-ref.c
@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)
     qemu_fdt_setprop_cell(fdt, "/", "#address-cells", 0x2);
     qemu_fdt_setprop_cell(fdt, "/", "#size-cells", 0x2);
 
+    /*
+     * This versioning scheme is for informing platform fw only. It is neither:
+     * - A QEMU versioned machine type; a given version of QEMU will emulate
+     *   a given version of the platform.
+     * - A reflection of level of SBSA (now SystemReady SR) support provided.
+     *
+     * machine-version-major: updated when changes breaking fw compatibility
+     *                        are introduced.
+     * machine-version-minor: updated when features are added that don't break
+     *                        fw compatibility.
+     */
+    qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);
+    qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 0);
+
     if (ms->numa_state->have_numa_distance) {
         int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);
         uint32_t *matrix = g_malloc0(size);
-- 
2.25.1

From: Gavin Shan <gshan@redhat.com>

This adds cluster-id in CPU instance properties, which will be used
by arm/virt machine. Besides, the cluster-id is also verified or
dumped in various spots:

* hw/core/machine.c::machine_set_cpu_numa_node() to associate
    CPU with its NUMA node.

* hw/core/machine.c::machine_numa_finish_cpu_init() to record
    CPU slots with no NUMA mapping set.

* hw/core/machine-hmp-cmds.c::hmp_hotpluggable_cpus() to dump
    cluster-id.

Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Message-id: 20220503140304.855514-2-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 qapi/machine.json          |  6 ++++--
 hw/core/machine-hmp-cmds.c |  4 ++++
 hw/core/machine.c          | 16 ++++++++++++++++
 3 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/qapi/machine.json b/qapi/machine.json
index XXXXXXX..XXXXXXX 100644
--- a/qapi/machine.json
+++ b/qapi/machine.json
@@ -XXX,XX +XXX,XX @@
 # @node-id: NUMA node ID the CPU belongs to
 # @socket-id: socket number within node/board the CPU belongs to
 # @die-id: die number within socket the CPU belongs to (since 4.1)
-# @core-id: core number within die the CPU belongs to
+# @cluster-id: cluster number within die the CPU belongs to (since 7.1)
+# @core-id: core number within cluster the CPU belongs to
 # @thread-id: thread number within core the CPU belongs to
 #
-# Note: currently there are 5 properties that could be present
+# Note: currently there are 6 properties that could be present
 #       but management should be prepared to pass through other
 #       properties with device_add command to allow for future
 #       interface extension. This also requires the filed names to be kept in
@@ -XXX,XX +XXX,XX @@
   'data': { '*node-id': 'int',
             '*socket-id': 'int',
             '*die-id': 'int',
+            '*cluster-id': 'int',
             '*core-id': 'int',
             '*thread-id': 'int'
   }
diff --git a/hw/core/machine-hmp-cmds.c b/hw/core/machine-hmp-cmds.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine-hmp-cmds.c
+++ b/hw/core/machine-hmp-cmds.c
@@ -XXX,XX +XXX,XX @@ void hmp_hotpluggable_cpus(Monitor *mon, const QDict *qdict)
         if (c->has_die_id) {
             monitor_printf(mon, "    die-id: \"%" PRIu64 "\"\n", c->die_id);
         }
+        if (c->has_cluster_id) {
+            monitor_printf(mon, "    cluster-id: \"%" PRIu64 "\"\n",
+                           c->cluster_id);
+        }
         if (c->has_core_id) {
             monitor_printf(mon, "    core-id: \"%" PRIu64 "\"\n", c->core_id);
         }
diff --git a/hw/core/machine.c b/hw/core/machine.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/machine.c
+++ b/hw/core/machine.c
@@ -XXX,XX +XXX,XX @@ void machine_set_cpu_numa_node(MachineState *machine,
             return;
         }
 
+        if (props->has_cluster_id && !slot->props.has_cluster_id) {
+            error_setg(errp, "cluster-id is not supported");
+            return;
+        }
+
         if (props->has_socket_id && !slot->props.has_socket_id) {
             error_setg(errp, "socket-id is not supported");
             return;
@@ -XXX,XX +XXX,XX @@ void machine_set_cpu_numa_node(MachineState *machine,
                 continue;
         }
 
+        if (props->has_cluster_id &&
+            props->cluster_id != slot->props.cluster_id) {
+                continue;
+        }
+
         if (props->has_die_id && props->die_id != slot->props.die_id) {
                 continue;
         }
@@ -XXX,XX +XXX,XX @@ static char *cpu_slot_to_string(const CPUArchId *cpu)
         }
         g_string_append_printf(s, "die-id: %"PRId64, cpu->props.die_id);
     }
+    if (cpu->props.has_cluster_id) {
+        if (s->len) {
+            g_string_append_printf(s, ", ");
+        }
+        g_string_append_printf(s, "cluster-id: %"PRId64, cpu->props.cluster_id);
+    }
     if (cpu->props.has_core_id) {
         if (s->len) {
             g_string_append_printf(s, ", ");
-- 
2.25.1

From: Gavin Shan <gshan@redhat.com>

The CPU topology isn't enabled on arm/virt machine yet, but we're
going to do it in next patch. After the CPU topology is enabled by
next patch, "thread-id=1" becomes invalid because the CPU core is
preferred on arm/virt machine. It means these two CPUs have 0/1
as their core IDs, but their thread IDs are all 0. It will trigger
test failure as the following message indicates:

[14/21 qemu:qtest+qtest-aarch64 / qtest-aarch64/numa-test  ERROR
  1.48s   killed by signal 6 SIGABRT
  >>> G_TEST_DBUS_DAEMON=/home/gavin/sandbox/qemu.main/tests/dbus-vmstate-daemon.sh \
      QTEST_QEMU_STORAGE_DAEMON_BINARY=./storage-daemon/qemu-storage-daemon         \
      QTEST_QEMU_BINARY=./qemu-system-aarch64                                       \
      QTEST_QEMU_IMG=./qemu-img MALLOC_PERTURB_=83                                  \
      /home/gavin/sandbox/qemu.main/build/tests/qtest/numa-test --tap -k
  ――――――――――――――――――――――――――――――――――――――――――――――
  stderr:
  qemu-system-aarch64: -numa cpu,node-id=0,thread-id=1: no match found

This fixes the issue by providing comprehensive SMP configurations
in aarch64_numa_cpu(). The SMP configurations aren't used before
the CPU topology is enabled in next patch.

Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Message-id: 20220503140304.855514-3-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/numa-test.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

From: Gavin Shan <gshan@redhat.com>

Currently, the SMP configuration isn't considered when the CPU
topology is populated. In this case, it's impossible to provide
the default CPU-to-NUMA mapping or association based on the socket
ID of the given CPU.

This takes account of SMP configuration when the CPU topology
is populated. The die ID for the given CPU isn't assigned since
it's not supported on arm/virt machine. Besides, the used SMP
configuration in qtest/numa-test/aarch64_numa_cpu() is corrcted
to avoid testing failure

Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Message-id: 20220503140304.855514-4-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
     int n;
     unsigned int max_cpus = ms->smp.max_cpus;
     VirtMachineState *vms = VIRT_MACHINE(ms);
+    MachineClass *mc = MACHINE_GET_CLASS(vms);
 
     if (ms->possible_cpus) {
         assert(ms->possible_cpus->len == max_cpus);
@@ -XXX,XX +XXX,XX @@ static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
         ms->possible_cpus->cpus[n].type = ms->cpu_type;
         ms->possible_cpus->cpus[n].arch_id =
             virt_cpu_mp_affinity(vms, n);
+
+        assert(!mc->smp_props.dies_supported);
+        ms->possible_cpus->cpus[n].props.has_socket_id = true;
+        ms->possible_cpus->cpus[n].props.socket_id =
+            n / (ms->smp.clusters * ms->smp.cores * ms->smp.threads);
+        ms->possible_cpus->cpus[n].props.has_cluster_id = true;
+        ms->possible_cpus->cpus[n].props.cluster_id =
+            (n / (ms->smp.cores * ms->smp.threads)) % ms->smp.clusters;
+        ms->possible_cpus->cpus[n].props.has_core_id = true;
+        ms->possible_cpus->cpus[n].props.core_id =
+            (n / ms->smp.threads) % ms->smp.cores;
         ms->possible_cpus->cpus[n].props.has_thread_id = true;
-        ms->possible_cpus->cpus[n].props.thread_id = n;
+        ms->possible_cpus->cpus[n].props.thread_id =
+            n % ms->smp.threads;
     }
     return ms->possible_cpus;
 }
-- 
2.25.1

From: Gavin Shan <gshan@redhat.com>

In aarch64_numa_cpu(), the CPU and NUMA association is something
like below. Two threads in the same core/cluster/socket are
associated with two individual NUMA nodes, which is unreal as
Igor Mammedov mentioned. We don't expect the association to break
NUMA-to-socket boundary, which matches with the real world.

NUMA-node  socket  cluster   core   thread
    ------------------------------------------
        0       0        0        0      0
        1       0        0        0      1

This corrects the topology for CPUs and their association with
NUMA nodes. After this patch is applied, the CPU and NUMA
association becomes something like below, which looks real.
Besides, socket/cluster/core/thread IDs are all checked when
the NUMA node IDs are verified. It helps to check if the CPU
topology is properly populated or not.

NUMA-node  socket  cluster   core   thread
    ------------------------------------------
       0        1        0        0       0
       1        0        0        0       0

Suggested-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Gavin Shan <gshan@redhat.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Message-id: 20220503140304.855514-5-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 tests/qtest/numa-test.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/tests/qtest/numa-test.c b/tests/qtest/numa-test.c
index XXXXXXX..XXXXXXX 100644
--- a/tests/qtest/numa-test.c
+++ b/tests/qtest/numa-test.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_numa_cpu(const void *data)
     g_autofree char *cli = NULL;
 
     cli = make_cli(data, "-machine "
-        "smp.cpus=2,smp.sockets=1,smp.clusters=1,smp.cores=1,smp.threads=2 "
+        "smp.cpus=2,smp.sockets=2,smp.clusters=1,smp.cores=1,smp.threads=1 "
         "-numa node,nodeid=0,memdev=ram -numa node,nodeid=1 "
-        "-numa cpu,node-id=1,thread-id=0 "
-        "-numa cpu,node-id=0,thread-id=1");
+        "-numa cpu,node-id=0,socket-id=1,cluster-id=0,core-id=0,thread-id=0 "
+        "-numa cpu,node-id=1,socket-id=0,cluster-id=0,core-id=0,thread-id=0");
     qts = qtest_init(cli);
     cpus = get_cpus(qts, &resp);
     g_assert(cpus);
 
     while ((e = qlist_pop(cpus))) {
         QDict *cpu, *props;
-        int64_t thread, node;
+        int64_t socket, cluster, core, thread, node;
 
         cpu = qobject_to(QDict, e);
         g_assert(qdict_haskey(cpu, "props"));
@@ -XXX,XX +XXX,XX @@ static void aarch64_numa_cpu(const void *data)
 
         g_assert(qdict_haskey(props, "node-id"));
         node = qdict_get_int(props, "node-id");
+        g_assert(qdict_haskey(props, "socket-id"));
+        socket = qdict_get_int(props, "socket-id");
+        g_assert(qdict_haskey(props, "cluster-id"));
+        cluster = qdict_get_int(props, "cluster-id");
+        g_assert(qdict_haskey(props, "core-id"));
+        core = qdict_get_int(props, "core-id");
         g_assert(qdict_haskey(props, "thread-id"));
         thread = qdict_get_int(props, "thread-id");
 
-        if (thread == 0) {
+        if (socket == 0 && cluster == 0 && core == 0 && thread == 0) {
             g_assert_cmpint(node, ==, 1);
-        } else if (thread == 1) {
+        } else if (socket == 1 && cluster == 0 && core == 0 && thread == 0) {
             g_assert_cmpint(node, ==, 0);
         } else {
             g_assert(false);
-- 
2.25.1

From: Gavin Shan <gshan@redhat.com>

When CPU-to-NUMA association isn't explicitly provided by users,
the default one is given by mc->get_default_cpu_node_id(). However,
the CPU topology isn't fully considered in the default association
and this causes CPU topology broken warnings on booting Linux guest.

For example, the following warning messages are observed when the
Linux guest is booted with the following command lines.

/home/gavin/sandbox/qemu.main/build/qemu-system-aarch64 \
  -accel kvm -machine virt,gic-version=host               \
  -cpu host                                               \
  -smp 6,sockets=2,cores=3,threads=1                      \
  -m 1024M,slots=16,maxmem=64G                            \
  -object memory-backend-ram,id=mem0,size=128M            \
  -object memory-backend-ram,id=mem1,size=128M            \
  -object memory-backend-ram,id=mem2,size=128M            \
  -object memory-backend-ram,id=mem3,size=128M            \
  -object memory-backend-ram,id=mem4,size=128M            \
  -object memory-backend-ram,id=mem4,size=384M            \
  -numa node,nodeid=0,memdev=mem0                         \
  -numa node,nodeid=1,memdev=mem1                         \
  -numa node,nodeid=2,memdev=mem2                         \
  -numa node,nodeid=3,memdev=mem3                         \
  -numa node,nodeid=4,memdev=mem4                         \
  -numa node,nodeid=5,memdev=mem5
         :
  alternatives: patching kernel code
  BUG: arch topology borken
  the CLS domain not a subset of the MC domain
  <the above error log repeats>
  BUG: arch topology borken
  the DIE domain not a subset of the NODE domain

With current implementation of mc->get_default_cpu_node_id(),
CPU#0 to CPU#5 are associated with NODE#0 to NODE#5 separately.
That's incorrect because CPU#0/1/2 should be associated with same
NUMA node because they're seated in same socket.

This fixes the issue by considering the socket ID when the default
CPU-to-NUMA association is provided in virt_possible_cpu_arch_ids().
With this applied, no more CPU topology broken warnings are seen
from the Linux guest. The 6 CPUs are associated with NODE#0/1, but
there are no CPUs associated with NODE#2/3/4/5.

Signed-off-by: Gavin Shan <gshan@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Message-id: 20220503140304.855514-6-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ virt_cpu_index_to_props(MachineState *ms, unsigned cpu_index)
 
 static int64_t virt_get_default_cpu_node_id(const MachineState *ms, int idx)
 {
-    return idx % ms->numa_state->num_nodes;
+    int64_t socket_id = ms->possible_cpus->cpus[idx].props.socket_id;
+
+    return socket_id % ms->numa_state->num_nodes;
 }
 
 static const CPUArchIdList *virt_possible_cpu_arch_ids(MachineState *ms)
-- 
2.25.1

From: Gavin Shan <gshan@redhat.com>

When the PPTT table is built, the CPU topology is re-calculated, but
it's unecessary because the CPU topology has been populated in
virt_possible_cpu_arch_ids() on arm/virt machine.

This reworks build_pptt() to avoid by reusing the existing IDs in
ms->possible_cpus. Currently, the only user of build_pptt() is
arm/virt machine.

Signed-off-by: Gavin Shan <gshan@redhat.com>
Tested-by: Yanan Wang <wangyanan55@huawei.com>
Reviewed-by: Yanan Wang <wangyanan55@huawei.com>
Acked-by: Igor Mammedov <imammedo@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Message-id: 20220503140304.855514-7-gshan@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/acpi/aml-build.c | 111 +++++++++++++++++++-------------------------
 1 file changed, 48 insertions(+), 63 deletions(-)

diff --git a/hw/acpi/aml-build.c b/hw/acpi/aml-build.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/acpi/aml-build.c
+++ b/hw/acpi/aml-build.c
@@ -XXX,XX +XXX,XX @@ void build_pptt(GArray *table_data, BIOSLinker *linker, MachineState *ms,
                 const char *oem_id, const char *oem_table_id)
 {
     MachineClass *mc = MACHINE_GET_CLASS(ms);
-    GQueue *list = g_queue_new();
-    guint pptt_start = table_data->len;
-    guint parent_offset;
-    guint length, i;
-    int uid = 0;
-    int socket;
+    CPUArchIdList *cpus = ms->possible_cpus;
+    int64_t socket_id = -1, cluster_id = -1, core_id = -1;
+    uint32_t socket_offset = 0, cluster_offset = 0, core_offset = 0;
+    uint32_t pptt_start = table_data->len;
+    int n;
     AcpiTable table = { .sig = "PPTT", .rev = 2,
                         .oem_id = oem_id, .oem_table_id = oem_table_id };
 
     acpi_table_begin(&table, table_data);
 
-    for (socket = 0; socket < ms->smp.sockets; socket++) {
-        g_queue_push_tail(list,
-            GUINT_TO_POINTER(table_data->len - pptt_start));
-        build_processor_hierarchy_node(
-            table_data,
-            /*
-             * Physical package - represents the boundary
-             * of a physical package
-             */
-            (1 << 0),
-            0, socket, NULL, 0);
-    }
-
-    if (mc->smp_props.clusters_supported) {
-        length = g_queue_get_length(list);
-        for (i = 0; i < length; i++) {
-            int cluster;
-
-            parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
-            for (cluster = 0; cluster < ms->smp.clusters; cluster++) {
-                g_queue_push_tail(list,
-                    GUINT_TO_POINTER(table_data->len - pptt_start));
-                build_processor_hierarchy_node(
-                    table_data,
-                    (0 << 0), /* not a physical package */
-                    parent_offset, cluster, NULL, 0);
-            }
+    /*
+     * This works with the assumption that cpus[n].props.*_id has been
+     * sorted from top to down levels in mc->possible_cpu_arch_ids().
+     * Otherwise, the unexpected and duplicated containers will be
+     * created.
+     */
+    for (n = 0; n < cpus->len; n++) {
+        if (cpus->cpus[n].props.socket_id != socket_id) {
+            assert(cpus->cpus[n].props.socket_id > socket_id);
+            socket_id = cpus->cpus[n].props.socket_id;
+            cluster_id = -1;
+            core_id = -1;
+            socket_offset = table_data->len - pptt_start;
+            build_processor_hierarchy_node(table_data,
+                (1 << 0), /* Physical package */
+                0, socket_id, NULL, 0);
         }
-    }
 
-    length = g_queue_get_length(list);
-    for (i = 0; i < length; i++) {
-        int core;
-
-        parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
-        for (core = 0; core < ms->smp.cores; core++) {
-            if (ms->smp.threads > 1) {
-                g_queue_push_tail(list,
-                    GUINT_TO_POINTER(table_data->len - pptt_start));
-                build_processor_hierarchy_node(
-                    table_data,
-                    (0 << 0), /* not a physical package */
-                    parent_offset, core, NULL, 0);
-            } else {
-                build_processor_hierarchy_node(
-                    table_data,
-                    (1 << 1) | /* ACPI Processor ID valid */
-                    (1 << 3),  /* Node is a Leaf */
-                    parent_offset, uid++, NULL, 0);
+        if (mc->smp_props.clusters_supported) {
+            if (cpus->cpus[n].props.cluster_id != cluster_id) {
+                assert(cpus->cpus[n].props.cluster_id > cluster_id);
+                cluster_id = cpus->cpus[n].props.cluster_id;
+                core_id = -1;
+                cluster_offset = table_data->len - pptt_start;
+                build_processor_hierarchy_node(table_data,
+                    (0 << 0), /* Not a physical package */
+                    socket_offset, cluster_id, NULL, 0);
             }
+        } else {
+            cluster_offset = socket_offset;
         }
-    }
 
-    length = g_queue_get_length(list);
-    for (i = 0; i < length; i++) {
-        int thread;
+        if (ms->smp.threads == 1) {
+            build_processor_hierarchy_node(table_data,
+                (1 << 1) | /* ACPI Processor ID valid */
+                (1 << 3),  /* Node is a Leaf */
+                cluster_offset, n, NULL, 0);
+        } else {
+            if (cpus->cpus[n].props.core_id != core_id) {
+                assert(cpus->cpus[n].props.core_id > core_id);
+                core_id = cpus->cpus[n].props.core_id;
+                core_offset = table_data->len - pptt_start;
+                build_processor_hierarchy_node(table_data,
+                    (0 << 0), /* Not a physical package */
+                    cluster_offset, core_id, NULL, 0);
+            }
 
-        parent_offset = GPOINTER_TO_UINT(g_queue_pop_head(list));
-        for (thread = 0; thread < ms->smp.threads; thread++) {
-            build_processor_hierarchy_node(
-                table_data,
+            build_processor_hierarchy_node(table_data,
                 (1 << 1) | /* ACPI Processor ID valid */
                 (1 << 2) | /* Processor is a Thread */
                 (1 << 3),  /* Node is a Leaf */
-                parent_offset, uid++, NULL, 0);
+                core_offset, n, NULL, 0);
         }
     }
 
-    g_queue_free(list);
     acpi_table_end(linker, &table);
 }
 
-- 
2.25.1

Hi; here's the latest arm pullreq. This is mostly patches from
RTH, plus a couple of other more minor things. Switching to
PCREL is the big one, hopefully should improve performance.

thanks
-- PMM

The following changes since commit 214a8da23651f2472b296b3293e619fd58d9e212:

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2022-10-18 11:14:31 -0400)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20221020

for you to fetch changes up to 5db899303799e49209016a93289b8694afa1449e:

hw/ide/microdrive: Use device_cold_reset() for self-resets (2022-10-20 12:11:53 +0100)

----------------------------------------------------------------
target-arm queue:
 * Switch to TARGET_TB_PCREL
 * More pagetable-walk refactoring preparatory to HAFDBS
 * update the cortex-a15 MIDR to latest rev
 * hw/char/pl011: fix baud rate calculation
 * hw/ide/microdrive: Use device_cold_reset() for self-resets

----------------------------------------------------------------
Alex Bennée (1):
      target/arm: update the cortex-a15 MIDR to latest rev

Baruch Siach (1):
      hw/char/pl011: fix baud rate calculation

Peter Maydell (1):
      hw/ide/microdrive: Use device_cold_reset() for self-resets

Richard Henderson (21):
      target/arm: Enable TARGET_PAGE_ENTRY_EXTRA
      target/arm: Use probe_access_full for MTE
      target/arm: Use probe_access_full for BTI
      target/arm: Add ARMMMUIdx_Phys_{S,NS}
      target/arm: Move ARMMMUIdx_Stage2 to a real tlb mmu_idx
      target/arm: Restrict tlb flush from vttbr_write to vmid change
      target/arm: Split out S1Translate type
      target/arm: Plumb debug into S1Translate
      target/arm: Move be test for regime into S1TranslateResult
      target/arm: Use softmmu tlbs for page table walking
      target/arm: Split out get_phys_addr_twostage
      target/arm: Use bool consistently for get_phys_addr subroutines
      target/arm: Introduce curr_insn_len
      target/arm: Change gen_goto_tb to work on displacements
      target/arm: Change gen_*set_pc_im to gen_*update_pc
      target/arm: Change gen_exception_insn* to work on displacements
      target/arm: Remove gen_exception_internal_insn pc argument
      target/arm: Change gen_jmp* to work on displacements
      target/arm: Introduce gen_pc_plus_diff for aarch64
      target/arm: Introduce gen_pc_plus_diff for aarch32
      target/arm: Enable TARGET_TB_PCREL

From: Richard Henderson <richard.henderson@linaro.org>

The CPUTLBEntryFull structure now stores the original pte attributes, as
well as the physical address.  Therefore, we no longer need a separate
bit in MemTxAttrs, nor do we need to walk the tree of memory regions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h               |  1 -
 target/arm/sve_ldst_internal.h |  1 +
 target/arm/mte_helper.c        | 62 ++++++++++------------------------
 target/arm/sve_helper.c        | 54 ++++++++++-------------------
 target/arm/tlb_helper.c        |  4 ---
 5 files changed, 36 insertions(+), 86 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline MemTxAttrs *typecheck_memtxattrs(MemTxAttrs *x)
  * generic target bits directly.
  */
 #define arm_tlb_bti_gp(x) (typecheck_memtxattrs(x)->target_tlb_bit0)
-#define arm_tlb_mte_tagged(x) (typecheck_memtxattrs(x)->target_tlb_bit1)
 
 /*
  * AArch64 usage of the PAGE_TARGET_* bits for linux-user.
diff --git a/target/arm/sve_ldst_internal.h b/target/arm/sve_ldst_internal.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_ldst_internal.h
+++ b/target/arm/sve_ldst_internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
     void *host;
     int flags;
     MemTxAttrs attrs;
+    bool tagged;
 } SVEHostPage;
 
 bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
diff --git a/target/arm/mte_helper.c b/target/arm/mte_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/mte_helper.c
+++ b/target/arm/mte_helper.c
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
                       TARGET_PAGE_BITS - LOG2_TAG_GRANULE - 1);
     return tags + index;
 #else
-    uintptr_t index;
     CPUTLBEntryFull *full;
+    MemTxAttrs attrs;
     int in_page, flags;
-    ram_addr_t ptr_ra;
     hwaddr ptr_paddr, tag_paddr, xlat;
     MemoryRegion *mr;
     ARMASIdx tag_asi;
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
      * valid.  Indicate to probe_access_flags no-fault, then assert that
      * we received a valid page.
      */
-    flags = probe_access_flags(env, ptr, ptr_access, ptr_mmu_idx,
-                               ra == 0, &host, ra);
+    flags = probe_access_full(env, ptr, ptr_access, ptr_mmu_idx,
+                              ra == 0, &host, &full, ra);
     assert(!(flags & TLB_INVALID_MASK));
 
-    /*
-     * Find the CPUTLBEntryFull for ptr.  This *must* be present in the TLB
-     * because we just found the mapping.
-     * TODO: Perhaps there should be a cputlb helper that returns a
-     * matching tlb entry + iotlb entry.
-     */
-    index = tlb_index(env, ptr_mmu_idx, ptr);
-# ifdef CONFIG_DEBUG_TCG
-    {
-        CPUTLBEntry *entry = tlb_entry(env, ptr_mmu_idx, ptr);
-        target_ulong comparator = (ptr_access == MMU_DATA_LOAD
-                                   ? entry->addr_read
-                                   : tlb_addr_write(entry));
-        g_assert(tlb_hit(comparator, ptr));
-    }
-# endif
-    full = &env_tlb(env)->d[ptr_mmu_idx].fulltlb[index];
-
     /* If the virtual page MemAttr != Tagged, access unchecked. */
-    if (!arm_tlb_mte_tagged(&full->attrs)) {
+    if (full->pte_attrs != 0xf0) {
         return NULL;
     }
 
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
         return NULL;
     }
 
+    /*
+     * Remember these values across the second lookup below,
+     * which may invalidate this pointer via tlb resize.
+     */
+    ptr_paddr = full->phys_addr;
+    attrs = full->attrs;
+    full = NULL;
+
     /*
      * The Normal memory access can extend to the next page.  E.g. a single
      * 8-byte access to the last byte of a page will check only the last
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
      */
     in_page = -(ptr | TARGET_PAGE_MASK);
     if (unlikely(ptr_size > in_page)) {
-        void *ignore;
-        flags |= probe_access_flags(env, ptr + in_page, ptr_access,
-                                    ptr_mmu_idx, ra == 0, &ignore, ra);
+        flags |= probe_access_full(env, ptr + in_page, ptr_access,
+                                   ptr_mmu_idx, ra == 0, &host, &full, ra);
         assert(!(flags & TLB_INVALID_MASK));
     }
 
@@ -XXX,XX +XXX,XX @@ static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
     if (unlikely(flags & TLB_WATCHPOINT)) {
         int wp = ptr_access == MMU_DATA_LOAD ? BP_MEM_READ : BP_MEM_WRITE;
         assert(ra != 0);
-        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size,
-                             full->attrs, wp, ra);
+        cpu_check_watchpoint(env_cpu(env), ptr, ptr_size, attrs, wp, ra);
     }
 
-    /*
-     * Find the physical address within the normal mem space.
-     * The memory region lookup must succeed because TLB_MMIO was
-     * not set in the cputlb lookup above.
-     */
-    mr = memory_region_from_host(host, &ptr_ra);
-    tcg_debug_assert(mr != NULL);
-    tcg_debug_assert(memory_region_is_ram(mr));
-    ptr_paddr = ptr_ra;
-    do {
-        ptr_paddr += mr->addr;
-        mr = mr->container;
-    } while (mr);
-
     /* Convert to the physical address in tag space.  */
     tag_paddr = ptr_paddr >> (LOG2_TAG_GRANULE + 1);
 
     /* Look up the address in tag space. */
-    tag_asi = full->attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
+    tag_asi = attrs.secure ? ARMASIdx_TagS : ARMASIdx_TagNS;
     tag_as = cpu_get_address_space(env_cpu(env), tag_asi);
     mr = address_space_translate(tag_as, tag_paddr, &xlat, NULL,
-                                 tag_access == MMU_DATA_STORE,
-                                 full->attrs);
+                                 tag_access == MMU_DATA_STORE, attrs);
 
     /*
      * Note that @mr will never be NULL.  If there is nothing in the address
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
      */
     addr = useronly_clean_ptr(addr);
 
+#ifdef CONFIG_USER_ONLY
     flags = probe_access_flags(env, addr, access_type, mmu_idx, nofault,
                                &info->host, retaddr);
+    memset(&info->attrs, 0, sizeof(info->attrs));
+    /* Require both ANON and MTE; see allocation_tag_mem(). */
+    info->tagged = (flags & PAGE_ANON) && (flags & PAGE_MTE);
+#else
+    CPUTLBEntryFull *full;
+    flags = probe_access_full(env, addr, access_type, mmu_idx, nofault,
+                              &info->host, &full, retaddr);
+    info->attrs = full->attrs;
+    info->tagged = full->pte_attrs == 0xf0;
+#endif
     info->flags = flags;
 
     if (flags & TLB_INVALID_MASK) {
@@ -XXX,XX +XXX,XX @@ bool sve_probe_page(SVEHostPage *info, bool nofault, CPUARMState *env,
 
     /* Ensure that info->host[] is relative to addr, not addr + mem_off. */
     info->host -= mem_off;
-
-#ifdef CONFIG_USER_ONLY
-    memset(&info->attrs, 0, sizeof(info->attrs));
-    /* Require both MAP_ANON and PROT_MTE -- see allocation_tag_mem. */
-    arm_tlb_mte_tagged(&info->attrs) =
-        (flags & PAGE_ANON) && (flags & PAGE_MTE);
-#else
-    /*
-     * Find the iotlbentry for addr and return the transaction attributes.
-     * This *must* be present in the TLB because we just found the mapping.
-     */
-    {
-        uintptr_t index = tlb_index(env, mmu_idx, addr);
-
-# ifdef CONFIG_DEBUG_TCG
-        CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-        target_ulong comparator = (access_type == MMU_DATA_LOAD
-                                   ? entry->addr_read
-                                   : tlb_addr_write(entry));
-        g_assert(tlb_hit(comparator, addr));
-# endif
-
-        CPUTLBEntryFull *full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
-        info->attrs = full->attrs;
-    }
-#endif
-
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ void sve_cont_ldst_mte_check(SVEContLdSt *info, CPUARMState *env,
     intptr_t mem_off, reg_off, reg_last;
 
     /* Process the page only if MemAttr == Tagged. */
-    if (arm_tlb_mte_tagged(&info->page[0].attrs)) {
+    if (info->page[0].tagged) {
         mem_off = info->mem_off_first[0];
         reg_off = info->reg_off_first[0];
         reg_last = info->reg_off_split;
@@ -XXX,XX +XXX,XX @@ void sve_cont_ldst_mte_check(SVEContLdSt *info, CPUARMState *env,
     }
 
     mem_off = info->mem_off_first[1];
-    if (mem_off >= 0 && arm_tlb_mte_tagged(&info->page[1].attrs)) {
+    if (mem_off >= 0 && info->page[1].tagged) {
         reg_off = info->reg_off_first[1];
         reg_last = info->reg_off_last[1];
 
@@ -XXX,XX +XXX,XX @@ void sve_ldnfff1_r(CPUARMState *env, void *vg, const target_ulong addr,
      * Disable MTE checking if the Tagged bit is not set.  Since TBI must
      * be set within MTEDESC for MTE, !mtedesc => !mte_active.
      */
-    if (!arm_tlb_mte_tagged(&info.page[0].attrs)) {
+    if (!info.page[0].tagged) {
         mtedesc = 0;
     }
 
@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                         cpu_check_watchpoint(env_cpu(env), addr, msize,
                                              info.attrs, BP_MEM_READ, retaddr);
                     }
-                    if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
+                    if (mtedesc && info.tagged) {
                         mte_check(env, mtedesc, addr, retaddr);
                     }
                     if (unlikely(info.flags & TLB_MMIO)) {
@@ -XXX,XX +XXX,XX @@ void sve_ld1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                                              msize, info.attrs,
                                              BP_MEM_READ, retaddr);
                     }
-                    if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
+                    if (mtedesc && info.tagged) {
                         mte_check(env, mtedesc, addr, retaddr);
                     }
                     tlb_fn(env, &scratch, reg_off, addr, retaddr);
@@ -XXX,XX +XXX,XX @@ void sve_ldff1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                      (env_cpu(env), addr, msize) & BP_MEM_READ)) {
                     goto fault;
                 }
-                if (mtedesc &&
-                    arm_tlb_mte_tagged(&info.attrs) &&
-                    !mte_probe(env, mtedesc, addr)) {
+                if (mtedesc && info.tagged && !mte_probe(env, mtedesc, addr)) {
                     goto fault;
                 }
 
@@ -XXX,XX +XXX,XX @@ void sve_st1_z(CPUARMState *env, void *vd, uint64_t *vg, void *vm,
                                          info.attrs, BP_MEM_WRITE, retaddr);
                 }
 
-                if (mtedesc && arm_tlb_mte_tagged(&info.attrs)) {
+                if (mtedesc && info.tagged) {
                     mte_check(env, mtedesc, addr, retaddr);
                 }
             }
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
             res.f.phys_addr &= TARGET_PAGE_MASK;
             address &= TARGET_PAGE_MASK;
         }
-        /* Notice and record tagged memory. */
-        if (cpu_isar_feature(aa64_mte, cpu) && res.cacheattrs.attrs == 0xf0) {
-            arm_tlb_mte_tagged(&res.f.attrs) = true;
-        }
 
         res.f.pte_attrs = res.cacheattrs.attrs;
         res.f.shareability = res.cacheattrs.shareability;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a field to TARGET_PAGE_ENTRY_EXTRA to hold the guarded bit.
In is_guarded_page, use probe_access_full instead of just guessing
that the tlb entry is still present.  Also handles the FIXME about
executing from device memory.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu-param.h     |  9 +++++----
 target/arm/cpu.h           | 13 -------------
 target/arm/internals.h     |  1 +
 target/arm/ptw.c           |  7 ++++---
 target/arm/translate-a64.c | 21 ++++++++++-----------
 5 files changed, 20 insertions(+), 31 deletions(-)

diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-param.h
+++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
  *
  * For ARMMMUIdx_Stage2*, pte_attrs is the S2 descriptor bits [5:2].
  * Otherwise, pte_attrs is the same as the MAIR_EL1 8-bit format.
- * For shareability, as in the SH field of the VMSAv8-64 PTEs.
+ * For shareability and guarded, as in the SH and GP fields respectively
+ * of the VMSAv8-64 PTEs.
  */
 # define TARGET_PAGE_ENTRY_EXTRA  \
-     uint8_t pte_attrs;           \
-     uint8_t shareability;
-
+    uint8_t pte_attrs;            \
+    uint8_t shareability;         \
+    bool guarded;
 #endif
 
 #define NB_MMU_MODES 8
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t *aa64_vfp_qreg(CPUARMState *env, unsigned regno)
 /* Shared between translate-sve.c and sve_helper.c.  */
 extern const uint64_t pred_esz_masks[5];
 
-/* Helper for the macros below, validating the argument type. */
-static inline MemTxAttrs *typecheck_memtxattrs(MemTxAttrs *x)
-{
-    return x;
-}
-
-/*
- * Lvalue macros for ARM TLB bits that we must cache in the TCG TLB.
- * Using these should be a bit more self-documenting than using the
- * generic target bits directly.
- */
-#define arm_tlb_bti_gp(x) (typecheck_memtxattrs(x)->target_tlb_bit0)
-
 /*
  * AArch64 usage of the PAGE_TARGET_* bits for linux-user.
  * Note that with the Linux kernel, PROT_MTE may not be cleared by mprotect
diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ typedef struct ARMCacheAttrs {
     unsigned int attrs:8;
     unsigned int shareability:2; /* as in the SH field of the VMSAv8-64 PTEs */
     bool is_s2_format:1;
+    bool guarded:1;              /* guarded bit of the v8-64 PTE */
 } ARMCacheAttrs;
 
 /* Fields that are valid upon success. */
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
          */
         result->f.attrs.secure = false;
     }
-    /* When in aarch64 mode, and BTI is enabled, remember GP in the IOTLB.  */
-    if (aarch64 && guarded && cpu_isar_feature(aa64_bti, cpu)) {
-        arm_tlb_bti_gp(&result->f.attrs) = true;
+
+    /* When in aarch64 mode, and BTI is enabled, remember GP in the TLB.  */
+    if (aarch64 && cpu_isar_feature(aa64_bti, cpu)) {
+        result->f.guarded = guarded;
     }
 
     if (mmu_idx == ARMMMUIdx_Stage2 || mmu_idx == ARMMMUIdx_Stage2_S) {
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool is_guarded_page(CPUARMState *env, DisasContext *s)
 #ifdef CONFIG_USER_ONLY
     return page_get_flags(addr) & PAGE_BTI;
 #else
+    CPUTLBEntryFull *full;
+    void *host;
     int mmu_idx = arm_to_core_mmu_idx(s->mmu_idx);
-    unsigned int index = tlb_index(env, mmu_idx, addr);
-    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+    int flags;
 
     /*
      * We test this immediately after reading an insn, which means
-     * that any normal page must be in the TLB.  The only exception
-     * would be for executing from flash or device memory, which
-     * does not retain the TLB entry.
-     *
-     * FIXME: Assume false for those, for now.  We could use
-     * arm_cpu_get_phys_page_attrs_debug to re-read the page
-     * table entry even for that case.
+     * that the TLB entry must be present and valid, and thus this
+     * access will never raise an exception.
      */
-    return (tlb_hit(entry->addr_code, addr) &&
-            arm_tlb_bti_gp(&env_tlb(env)->d[mmu_idx].fulltlb[index].attrs));
+    flags = probe_access_full(env, addr, MMU_INST_FETCH, mmu_idx,
+                              false, &host, &full, 0);
+    assert(!(flags & TLB_INVALID_MASK));
+
+    return full->guarded;
 #endif
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Not yet used, but add mmu indexes for 1-1 mapping
to physical addresses.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu-param.h |  2 +-
 target/arm/cpu.h       |  7 ++++++-
 target/arm/ptw.c       | 19 +++++++++++++++++--
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-param.h
+++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
     bool guarded;
 #endif
 
-#define NB_MMU_MODES 8
+#define NB_MMU_MODES 10
 
 #endif
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  * EL2 EL2&0 +PAN
  * EL2 (aka NS PL2)
  * EL3 (aka S PL1)
+ * Physical (NS & S)
  *
- * for a total of 8 different mmu_idx.
+ * for a total of 10 different mmu_idx.
  *
  * R profile CPUs have an MPU, but can use the same set of MMU indexes
  * as A profile. They only need to distinguish EL0 and EL1 (and
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_E2        = 6 | ARM_MMU_IDX_A,
     ARMMMUIdx_E3        = 7 | ARM_MMU_IDX_A,
 
+    /* TLBs with 1-1 mapping to the physical address spaces. */
+    ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
+
     /*
      * These are not allocated TLBs and are used only for AT system
      * instructions or for the first stage of an S12 page table walk.
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     case ARMMMUIdx_E3:
         break;
 
+    case ARMMMUIdx_Phys_NS:
+    case ARMMMUIdx_Phys_S:
+        /* No translation for physical address spaces. */
+        return true;
+
     default:
         g_assert_not_reached();
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
 {
     uint8_t memattr = 0x00;    /* Device nGnRnE */
     uint8_t shareability = 0;  /* non-sharable */
+    int r_el;
 
-    if (mmu_idx != ARMMMUIdx_Stage2 && mmu_idx != ARMMMUIdx_Stage2_S) {
-        int r_el = regime_el(env, mmu_idx);
+    switch (mmu_idx) {
+    case ARMMMUIdx_Stage2:
+    case ARMMMUIdx_Stage2_S:
+    case ARMMMUIdx_Phys_NS:
+    case ARMMMUIdx_Phys_S:
+        break;
 
+    default:
+        r_el = regime_el(env, mmu_idx);
         if (arm_el_is_aa64(env, r_el)) {
             int pamax = arm_pamax(env_archcpu(env));
             uint64_t tcr = env->cp15.tcr_el[r_el];
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
             shareability = 2; /* outer sharable */
         }
         result->cacheattrs.is_s2_format = false;
+        break;
     }
 
     result->f.phys_addr = address;
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
         is_secure = arm_is_secure_below_el3(env);
         break;
     case ARMMMUIdx_Stage2:
+    case ARMMMUIdx_Phys_NS:
     case ARMMMUIdx_MPrivNegPri:
     case ARMMMUIdx_MUserNegPri:
     case ARMMMUIdx_MPriv:
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr(CPUARMState *env, target_ulong address,
         break;
     case ARMMMUIdx_E3:
     case ARMMMUIdx_Stage2_S:
+    case ARMMMUIdx_Phys_S:
     case ARMMMUIdx_MSPrivNegPri:
     case ARMMMUIdx_MSUserNegPri:
     case ARMMMUIdx_MSPriv:
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We had been marking this ARM_MMU_IDX_NOTLB, move it to a real tlb.
Flush the tlb when invalidating stage 1+2 translations.  Re-use
alle1_tlbmask() for other instances of EL1&0 + Stage2.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221011031911.2408754-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu-param.h |   2 +-
 target/arm/cpu.h       |  23 ++++---
 target/arm/helper.c    | 151 ++++++++++++++++++++++++++++++-----------
 3 files changed, 127 insertions(+), 49 deletions(-)

diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-param.h
+++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
     bool guarded;
 #endif
 
-#define NB_MMU_MODES 10
+#define NB_MMU_MODES 12
 
 #endif
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ bool write_cpustate_to_list(ARMCPU *cpu, bool kvm_sync);
  * EL2 (aka NS PL2)
  * EL3 (aka S PL1)
  * Physical (NS & S)
+ * Stage2 (NS & S)
  *
- * for a total of 10 different mmu_idx.
+ * for a total of 12 different mmu_idx.
  *
  * R profile CPUs have an MPU, but can use the same set of MMU indexes
  * as A profile. They only need to distinguish EL0 and EL1 (and
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_Phys_NS   = 8 | ARM_MMU_IDX_A,
     ARMMMUIdx_Phys_S    = 9 | ARM_MMU_IDX_A,
 
+    /*
+     * Used for second stage of an S12 page table walk, or for descriptor
+     * loads during first stage of an S1 page table walk.  Note that both
+     * are in use simultaneously for SecureEL2: the security state for
+     * the S2 ptw is selected by the NS bit from the S1 ptw.
+     */
+    ARMMMUIdx_Stage2    = 10 | ARM_MMU_IDX_A,
+    ARMMMUIdx_Stage2_S  = 11 | ARM_MMU_IDX_A,
+
     /*
      * These are not allocated TLBs and are used only for AT system
      * instructions or for the first stage of an S12 page table walk.
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdx {
     ARMMMUIdx_Stage1_E0 = 0 | ARM_MMU_IDX_NOTLB,
     ARMMMUIdx_Stage1_E1 = 1 | ARM_MMU_IDX_NOTLB,
     ARMMMUIdx_Stage1_E1_PAN = 2 | ARM_MMU_IDX_NOTLB,
-    /*
-     * Not allocated a TLB: used only for second stage of an S12 page
-     * table walk, or for descriptor loads during first stage of an S1
-     * page table walk. Note that if we ever want to have a TLB for this
-     * then various TLB flush insns which currently are no-ops or flush
-     * only stage 1 MMU indexes will need to change to flush stage 2.
-     */
-    ARMMMUIdx_Stage2     = 3 | ARM_MMU_IDX_NOTLB,
-    ARMMMUIdx_Stage2_S   = 4 | ARM_MMU_IDX_NOTLB,
 
     /*
      * M-profile.
@@ -XXX,XX +XXX,XX @@ typedef enum ARMMMUIdxBit {
     TO_CORE_BIT(E20_2),
     TO_CORE_BIT(E20_2_PAN),
     TO_CORE_BIT(E3),
+    TO_CORE_BIT(Stage2),
+    TO_CORE_BIT(Stage2_S),
 
     TO_CORE_BIT(MUser),
     TO_CORE_BIT(MPriv),
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
     raw_write(env, ri, value);
 }
 
+static int alle1_tlbmask(CPUARMState *env)
+{
+    /*
+     * Note that the 'ALL' scope must invalidate both stage 1 and
+     * stage 2 translations, whereas most other scopes only invalidate
+     * stage 1 translations.
+     */
+    return (ARMMMUIdxBit_E10_1 |
+            ARMMMUIdxBit_E10_1_PAN |
+            ARMMMUIdxBit_E10_0 |
+            ARMMMUIdxBit_Stage2 |
+            ARMMMUIdxBit_Stage2_S);
+}
+
+
 /* IS variants of TLB operations must affect all cores */
 static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                              uint64_t value)
@@ -XXX,XX +XXX,XX @@ static void tlbiall_nsnh_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     CPUState *cs = env_cpu(env);
 
-    tlb_flush_by_mmuidx(cs,
-                        ARMMMUIdxBit_E10_1 |
-                        ARMMMUIdxBit_E10_1_PAN |
-                        ARMMMUIdxBit_E10_0);
+    tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
 }
 
 static void tlbiall_nsnh_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void tlbiall_nsnh_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
 {
     CPUState *cs = env_cpu(env);
 
-    tlb_flush_by_mmuidx_all_cpus_synced(cs,
-                                        ARMMMUIdxBit_E10_1 |
-                                        ARMMMUIdxBit_E10_1_PAN |
-                                        ARMMMUIdxBit_E10_0);
+    tlb_flush_by_mmuidx_all_cpus_synced(cs, alle1_tlbmask(env));
 }
 
 
@@ -XXX,XX +XXX,XX @@ static void tlbimva_hyp_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                              ARMMMUIdxBit_E2);
 }
 
+static void tlbiipas2_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+    uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12;
+
+    tlb_flush_page_by_mmuidx(cs, pageaddr, ARMMMUIdxBit_Stage2);
+}
+
+static void tlbiipas2is_hyp_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+    uint64_t pageaddr = (value & MAKE_64BIT_MASK(0, 28)) << 12;
+
+    tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, ARMMMUIdxBit_Stage2);
+}
+
 static const ARMCPRegInfo cp_reginfo[] = {
     /* Define the secure and non-secure FCSE identifier CP registers
      * separately because there is no secure bank in V8 (no _EL3).  This allows
@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
 
     /*
      * A change in VMID to the stage2 page table (Stage2) invalidates
-     * the combined stage 1&2 tlbs (EL10_1 and EL10_0).
+     * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0).
      */
     if (raw_read(env, ri) != value) {
-        uint16_t mask = ARMMMUIdxBit_E10_1 |
-                        ARMMMUIdxBit_E10_1_PAN |
-                        ARMMMUIdxBit_E10_0;
-        tlb_flush_by_mmuidx(cs, mask);
+        tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
         raw_write(env, ri, value);
     }
 }
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vmalle1_write(CPUARMState *env, const ARMCPRegInfo *ri,
     }
 }
 
-static int alle1_tlbmask(CPUARMState *env)
-{
-    /*
-     * Note that the 'ALL' scope must invalidate both stage 1 and
-     * stage 2 translations, whereas most other scopes only invalidate
-     * stage 1 translations.
-     */
-    return (ARMMMUIdxBit_E10_1 |
-            ARMMMUIdxBit_E10_1_PAN |
-            ARMMMUIdxBit_E10_0);
-}
-
 static int e2_tlbmask(CPUARMState *env)
 {
     return (ARMMMUIdxBit_E20_0 |
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_vae3is_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                                   ARMMMUIdxBit_E3, bits);
 }
 
+static int ipas2e1_tlbmask(CPUARMState *env, int64_t value)
+{
+    /*
+     * The MSB of value is the NS field, which only applies if SEL2
+     * is implemented and SCR_EL3.NS is not set (i.e. in secure mode).
+     */
+    return (value >= 0
+            && cpu_isar_feature(aa64_sel2, env_archcpu(env))
+            && arm_is_secure_below_el3(env)
+            ? ARMMMUIdxBit_Stage2_S
+            : ARMMMUIdxBit_Stage2);
+}
+
+static void tlbi_aa64_ipas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                    uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+    int mask = ipas2e1_tlbmask(env, value);
+    uint64_t pageaddr = sextract64(value << 12, 0, 56);
+
+    if (tlb_force_broadcast(env)) {
+        tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask);
+    } else {
+        tlb_flush_page_by_mmuidx(cs, pageaddr, mask);
+    }
+}
+
+static void tlbi_aa64_ipas2e1is_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                      uint64_t value)
+{
+    CPUState *cs = env_cpu(env);
+    int mask = ipas2e1_tlbmask(env, value);
+    uint64_t pageaddr = sextract64(value << 12, 0, 56);
+
+    tlb_flush_page_by_mmuidx_all_cpus_synced(cs, pageaddr, mask);
+}
+
 #ifdef TARGET_AARCH64
 typedef struct {
     uint64_t base;
@@ -XXX,XX +XXX,XX @@ static void tlbi_aa64_rvae3is_write(CPUARMState *env,
 
     do_rvae_write(env, value, ARMMMUIdxBit_E3, true);
 }
+
+static void tlbi_aa64_ripas2e1_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                     uint64_t value)
+{
+    do_rvae_write(env, value, ipas2e1_tlbmask(env, value),
+                  tlb_force_broadcast(env));
+}
+
+static void tlbi_aa64_ripas2e1is_write(CPUARMState *env,
+                                       const ARMCPRegInfo *ri,
+                                       uint64_t value)
+{
+    do_rvae_write(env, value, ipas2e1_tlbmask(env, value), true);
+}
 #endif
 
 static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .writefn = tlbi_aa64_vae1_write },
     { .name = "TLBI_IPAS2E1IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ipas2e1is_write },
     { .name = "TLBI_IPAS2LE1IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ipas2e1is_write },
     { .name = "TLBI_ALLE1IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 3, .opc2 = 4,
       .access = PL2_W, .type = ARM_CP_NO_RAW,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .writefn = tlbi_aa64_alle1is_write },
     { .name = "TLBI_IPAS2E1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ipas2e1_write },
     { .name = "TLBI_IPAS2LE1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ipas2e1_write },
     { .name = "TLBI_ALLE1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 7, .opc2 = 4,
       .access = PL2_W, .type = ARM_CP_NO_RAW,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {
       .writefn = tlbimva_hyp_is_write },
     { .name = "TLBIIPAS2",
       .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 1,
-      .type = ARM_CP_NOP, .access = PL2_W },
+      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .writefn = tlbiipas2_hyp_write },
     { .name = "TLBIIPAS2IS",
       .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 1,
-      .type = ARM_CP_NOP, .access = PL2_W },
+      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .writefn = tlbiipas2is_hyp_write },
     { .name = "TLBIIPAS2L",
       .cp = 15, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 5,
-      .type = ARM_CP_NOP, .access = PL2_W },
+      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .writefn = tlbiipas2_hyp_write },
     { .name = "TLBIIPAS2LIS",
       .cp = 15, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 5,
-      .type = ARM_CP_NOP, .access = PL2_W },
+      .type = ARM_CP_NO_RAW, .access = PL2_W,
+      .writefn = tlbiipas2is_hyp_write },
     /* 32 bit cache operations */
     { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
       .type = ARM_CP_NOP, .access = PL1_W, .accessfn = aa64_cacheop_pou_access },
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
       .writefn = tlbi_aa64_rvae1_write },
     { .name = "TLBI_RIPAS2E1IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 2,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ripas2e1is_write },
     { .name = "TLBI_RIPAS2LE1IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 0, .opc2 = 6,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ripas2e1is_write },
     { .name = "TLBI_RVAE2IS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 2, .opc2 = 1,
       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo tlbirange_reginfo[] = {
       .writefn = tlbi_aa64_rvae2is_write },
     { .name = "TLBI_RIPAS2E1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 2,
-      .access = PL2_W, .type = ARM_CP_NOP },
-   { .name = "TLBI_RIPAS2LE1", .state = ARM_CP_STATE_AA64,
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ripas2e1_write },
+    { .name = "TLBI_RIPAS2LE1", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 4, .opc2 = 6,
-      .access = PL2_W, .type = ARM_CP_NOP },
+      .access = PL2_W, .type = ARM_CP_NO_RAW,
+      .writefn = tlbi_aa64_ripas2e1_write },
    { .name = "TLBI_RVAE2OS", .state = ARM_CP_STATE_AA64,
       .opc0 = 1, .opc1 = 4, .crn = 8, .crm = 5, .opc2 = 1,
       .access = PL2_W, .type = ARM_CP_NO_RAW | ARM_CP_EL3_NO_EL2_UNDEF,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Compare only the VMID field when considering whether we need to flush.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221011031911.2408754-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void vttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
      * A change in VMID to the stage2 page table (Stage2) invalidates
      * the stage2 and combined stage 1&2 tlbs (EL10_1 and EL10_0).
      */
-    if (raw_read(env, ri) != value) {
+    if (extract64(raw_read(env, ri) ^ value, 48, 16) != 0) {
         tlb_flush_by_mmuidx(cs, alle1_tlbmask(env));
-        raw_write(env, ri, value);
     }
+    raw_write(env, ri, value);
 }
 
 static const ARMCPRegInfo vmsa_pmsa_cp_reginfo[] = {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Consolidate most of the inputs and outputs of S1_ptw_translate
into a single structure.  Plumb this through arm_ld*_ptw from
the controlling get_phys_addr_* routine.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20221011031911.2408754-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 140 ++++++++++++++++++++++++++---------------------
 1 file changed, 79 insertions(+), 61 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 #include "idau.h"
 
 
-static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                               bool is_secure, bool s1_is_el0,
+typedef struct S1Translate {
+    ARMMMUIdx in_mmu_idx;
+    bool in_secure;
+    bool out_secure;
+    hwaddr out_phys;
+} S1Translate;
+
+static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+                               uint64_t address,
+                               MMUAccessType access_type, bool s1_is_el0,
                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
     __attribute__((nonnull));
 
@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
 }
 
 /* Translate a S1 pagetable walk through S2 if needed.  */
-static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
-                               hwaddr addr, bool *is_secure_ptr,
-                               ARMMMUFaultInfo *fi)
+static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
+                             hwaddr addr, ARMMMUFaultInfo *fi)
 {
-    bool is_secure = *is_secure_ptr;
+    bool is_secure = ptw->in_secure;
     ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
 
-    if (arm_mmu_idx_is_stage1_of_2(mmu_idx) &&
+    if (arm_mmu_idx_is_stage1_of_2(ptw->in_mmu_idx) &&
         !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
         GetPhysAddrResult s2 = {};
+        S1Translate s2ptw = {
+            .in_mmu_idx = s2_mmu_idx,
+            .in_secure = is_secure,
+        };
         uint64_t hcr;
         int ret;
 
-        ret = get_phys_addr_lpae(env, addr, MMU_DATA_LOAD, s2_mmu_idx,
-                                 is_secure, false, &s2, fi);
+        ret = get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
+                                 false, &s2, fi);
         if (ret) {
             assert(fi->type != ARMFault_None);
             fi->s2addr = addr;
             fi->stage2 = true;
             fi->s1ptw = true;
             fi->s1ns = !is_secure;
-            return ~0;
+            return false;
         }
 
         hcr = arm_hcr_el2_eff_secstate(env, is_secure);
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             fi->stage2 = true;
             fi->s1ptw = true;
             fi->s1ns = !is_secure;
-            return ~0;
+            return false;
         }
 
         if (arm_is_secure_below_el3(env)) {
@@ -XXX,XX +XXX,XX @@ static hwaddr S1_ptw_translate(CPUARMState *env, ARMMMUIdx mmu_idx,
             } else {
                 is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
             }
-            *is_secure_ptr = is_secure;
         } else {
             assert(!is_secure);
         }
 
         addr = s2.f.phys_addr;
     }
-    return addr;
+
+    ptw->out_secure = is_secure;
+    ptw->out_phys = addr;
+    return true;
 }
 
 /* All loads done in the course of a page table walk go through here. */
-static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
-                            ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
+static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
+                            ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
     MemTxAttrs attrs = {};
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
     AddressSpace *as;
     uint32_t data;
 
-    addr = S1_ptw_translate(env, mmu_idx, addr, &is_secure, fi);
-    attrs.secure = is_secure;
-    as = arm_addressspace(cs, attrs);
-    if (fi->s1ptw) {
+    if (!S1_ptw_translate(env, ptw, addr, fi)) {
         return 0;
     }
-    if (regime_translation_big_endian(env, mmu_idx)) {
+    addr = ptw->out_phys;
+    attrs.secure = ptw->out_secure;
+    as = arm_addressspace(cs, attrs);
+    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
         data = address_space_ldl_be(as, addr, attrs, &result);
     } else {
         data = address_space_ldl_le(as, addr, attrs, &result);
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
     return 0;
 }
 
-static uint64_t arm_ldq_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
-                            ARMMMUIdx mmu_idx, ARMMMUFaultInfo *fi)
+static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
+                            ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
     MemTxAttrs attrs = {};
@@ -XXX,XX +XXX,XX @@ static uint64_t arm_ldq_ptw(CPUARMState *env, hwaddr addr, bool is_secure,
     AddressSpace *as;
     uint64_t data;
 
-    addr = S1_ptw_translate(env, mmu_idx, addr, &is_secure, fi);
-    attrs.secure = is_secure;
-    as = arm_addressspace(cs, attrs);
-    if (fi->s1ptw) {
+    if (!S1_ptw_translate(env, ptw, addr, fi)) {
         return 0;
     }
-    if (regime_translation_big_endian(env, mmu_idx)) {
+    addr = ptw->out_phys;
+    attrs.secure = ptw->out_secure;
+    as = arm_addressspace(cs, attrs);
+    if (regime_translation_big_endian(env, ptw->in_mmu_idx)) {
         data = address_space_ldq_be(as, addr, attrs, &result);
     } else {
         data = address_space_ldq_le(as, addr, attrs, &result);
@@ -XXX,XX +XXX,XX @@ static int simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
     return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
 }
 
-static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
-                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                             bool is_secure, GetPhysAddrResult *result,
-                             ARMMMUFaultInfo *fi)
+static bool get_phys_addr_v5(CPUARMState *env, S1Translate *ptw,
+                             uint32_t address, MMUAccessType access_type,
+                             GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
     int level = 1;
     uint32_t table;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
 
     /* Pagetable walk.  */
     /* Lookup l1 descriptor.  */
-    if (!get_level1_table_address(env, mmu_idx, &table, address)) {
+    if (!get_level1_table_address(env, ptw->in_mmu_idx, &table, address)) {
         /* Section translation fault if page walk is disabled by PD0 or PD1 */
         fi->type = ARMFault_Translation;
         goto do_fault;
     }
-    desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
+    desc = arm_ldl_ptw(env, ptw, table, fi);
     if (fi->type != ARMFault_None) {
         goto do_fault;
     }
     type = (desc & 3);
     domain = (desc >> 5) & 0x0f;
-    if (regime_el(env, mmu_idx) == 1) {
+    if (regime_el(env, ptw->in_mmu_idx) == 1) {
         dacr = env->cp15.dacr_ns;
     } else {
         dacr = env->cp15.dacr_s;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
             /* Fine pagetable.  */
             table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
         }
-        desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
+        desc = arm_ldl_ptw(env, ptw, table, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v5(CPUARMState *env, uint32_t address,
             g_assert_not_reached();
         }
     }
-    result->f.prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
+    result->f.prot = ap_to_rw_prot(env, ptw->in_mmu_idx, ap, domain_prot);
     result->f.prot |= result->f.prot ? PAGE_EXEC : 0;
     if (!(result->f.prot & (1 << access_type))) {
         /* Access permission fault.  */
@@ -XXX,XX +XXX,XX @@ do_fault:
     return true;
 }
 
-static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
-                             MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                             bool is_secure, GetPhysAddrResult *result,
-                             ARMMMUFaultInfo *fi)
+static bool get_phys_addr_v6(CPUARMState *env, S1Translate *ptw,
+                             uint32_t address, MMUAccessType access_type,
+                             GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
     ARMCPU *cpu = env_archcpu(env);
+    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     int level = 1;
     uint32_t table;
     uint32_t desc;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
         fi->type = ARMFault_Translation;
         goto do_fault;
     }
-    desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
+    desc = arm_ldl_ptw(env, ptw, table, fi);
     if (fi->type != ARMFault_None) {
         goto do_fault;
     }
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_v6(CPUARMState *env, uint32_t address,
         ns = extract32(desc, 3, 1);
         /* Lookup l2 entry.  */
         table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
-        desc = arm_ldl_ptw(env, table, is_secure, mmu_idx, fi);
+        desc = arm_ldl_ptw(env, ptw, table, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
@@ -XXX,XX +XXX,XX @@ static bool check_s2_mmu_setup(ARMCPU *cpu, bool is_aa64, int level,
  * the WnR bit is never set (the caller must do this).
  *
  * @env: CPUARMState
+ * @ptw: Current and next stage parameters for the walk.
  * @address: virtual address to get physical address for
  * @access_type: MMU_DATA_LOAD, MMU_DATA_STORE or MMU_INST_FETCH
- * @mmu_idx: MMU index indicating required translation regime
- * @s1_is_el0: if @mmu_idx is ARMMMUIdx_Stage2 (so this is a stage 2 page
- *             table walk), must be true if this is stage 2 of a stage 1+2
+ * @s1_is_el0: if @ptw->in_mmu_idx is ARMMMUIdx_Stage2
+ *             (so this is a stage 2 page table walk),
+ *             must be true if this is stage 2 of a stage 1+2
  *             walk for an EL0 access. If @mmu_idx is anything else,
  *             @s1_is_el0 is ignored.
  * @result: set on translation success,
  * @fi: set to fault info if the translation fails
  */
-static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
-                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                               bool is_secure, bool s1_is_el0,
+static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
+                               uint64_t address,
+                               MMUAccessType access_type, bool s1_is_el0,
                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
 {
     ARMCPU *cpu = env_archcpu(env);
+    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
+    bool is_secure = ptw->in_secure;
     /* Read an LPAE long-descriptor translation table. */
     ARMFaultType fault_type = ARMFault_Translation;
     uint32_t level;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, uint64_t address,
         descaddr |= (address >> (stride * (4 - level))) & indexmask;
         descaddr &= ~7ULL;
         nstable = extract32(tableattrs, 4, 1);
-        descriptor = arm_ldq_ptw(env, descaddr, !nstable, mmu_idx, fi);
+        ptw->in_secure = !nstable;
+        descriptor = arm_ldq_ptw(env, ptw, descaddr, fi);
         if (fi->type != ARMFault_None) {
             goto do_fault;
         }
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                ARMMMUFaultInfo *fi)
 {
     ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
+    S1Translate ptw;
 
     if (mmu_idx != s1_mmu_idx) {
         /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             int ret;
             bool ipa_secure, s2walk_secure;
             ARMCacheAttrs cacheattrs1;
-            ARMMMUIdx s2_mmu_idx;
             bool is_el0;
             uint64_t hcr;
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                 s2walk_secure = false;
             }
 
-            s2_mmu_idx = (s2walk_secure
-                          ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2);
+            ptw.in_mmu_idx =
+                s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+            ptw.in_secure = s2walk_secure;
             is_el0 = mmu_idx == ARMMMUIdx_E10_0;
 
             /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             cacheattrs1 = result->cacheattrs;
             memset(result, 0, sizeof(*result));
 
-            ret = get_phys_addr_lpae(env, ipa, access_type, s2_mmu_idx,
-                                     s2walk_secure, is_el0, result, fi);
+            ret = get_phys_addr_lpae(env, &ptw, ipa, access_type,
+                                     is_el0, result, fi);
             fi->s2addr = ipa;
 
             /* Combine the S1 and S2 perms.  */
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
         return get_phys_addr_disabled(env, address, access_type, mmu_idx,
                                       is_secure, result, fi);
     }
+
+    ptw.in_mmu_idx = mmu_idx;
+    ptw.in_secure = is_secure;
+
     if (regime_using_lpae_format(env, mmu_idx)) {
-        return get_phys_addr_lpae(env, address, access_type, mmu_idx,
-                                  is_secure, false, result, fi);
+        return get_phys_addr_lpae(env, &ptw, address, access_type, false,
+                                  result, fi);
     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
-        return get_phys_addr_v6(env, address, access_type, mmu_idx,
-                                is_secure, result, fi);
+        return get_phys_addr_v6(env, &ptw, address, access_type, result, fi);
     } else {
-        return get_phys_addr_v5(env, address, access_type, mmu_idx,
-                                is_secure, result, fi);
+        return get_phys_addr_v5(env, &ptw, address, access_type, result, fi);
     }
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Before using softmmu page tables for the ptw, plumb down
a debug parameter so that we can query page table entries
from gdbstub without modifying cpu state.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 55 ++++++++++++++++++++++++++++++++----------------
 1 file changed, 37 insertions(+), 18 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 typedef struct S1Translate {
     ARMMMUIdx in_mmu_idx;
     bool in_secure;
+    bool in_debug;
     bool out_secure;
     hwaddr out_phys;
 } S1Translate;
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
         S1Translate s2ptw = {
             .in_mmu_idx = s2_mmu_idx,
             .in_secure = is_secure,
+            .in_debug = ptw->in_debug,
         };
         uint64_t hcr;
         int ret;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
     return 0;
 }
 
-bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
-                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
-                               bool is_secure, GetPhysAddrResult *result,
-                               ARMMMUFaultInfo *fi)
+static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
+                                      target_ulong address,
+                                      MMUAccessType access_type,
+                                      GetPhysAddrResult *result,
+                                      ARMMMUFaultInfo *fi)
 {
+    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     ARMMMUIdx s1_mmu_idx = stage_1_mmu_idx(mmu_idx);
-    S1Translate ptw;
+    bool is_secure = ptw->in_secure;
 
     if (mmu_idx != s1_mmu_idx) {
         /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             bool is_el0;
             uint64_t hcr;
 
-            ret = get_phys_addr_with_secure(env, address, access_type,
-                                            s1_mmu_idx, is_secure, result, fi);
+            ptw->in_mmu_idx = s1_mmu_idx;
+            ret = get_phys_addr_with_struct(env, ptw, address, access_type,
+                                            result, fi);
 
             /* If S1 fails or S2 is disabled, return early.  */
             if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                 s2walk_secure = false;
             }
 
-            ptw.in_mmu_idx =
+            ptw->in_mmu_idx =
                 s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-            ptw.in_secure = s2walk_secure;
+            ptw->in_secure = s2walk_secure;
             is_el0 = mmu_idx == ARMMMUIdx_E10_0;
 
             /*
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
             cacheattrs1 = result->cacheattrs;
             memset(result, 0, sizeof(*result));
 
-            ret = get_phys_addr_lpae(env, &ptw, ipa, access_type,
+            ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
                                      is_el0, result, fi);
             fi->s2addr = ipa;
 
@@ -XXX,XX +XXX,XX @@ bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
                                       is_secure, result, fi);
     }
 
-    ptw.in_mmu_idx = mmu_idx;
-    ptw.in_secure = is_secure;
-
     if (regime_using_lpae_format(env, mmu_idx)) {
-        return get_phys_addr_lpae(env, &ptw, address, access_type, false,
+        return get_phys_addr_lpae(env, ptw, address, access_type, false,
                                   result, fi);
     } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
-        return get_phys_addr_v6(env, &ptw, address, access_type, result, fi);
+        return get_phys_addr_v6(env, ptw, address, access_type, result, fi);
     } else {
-        return get_phys_addr_v5(env, &ptw, address, access_type, result, fi);
+        return get_phys_addr_v5(env, ptw, address, access_type, result, fi);
     }
 }
 
+bool get_phys_addr_with_secure(CPUARMState *env, target_ulong address,
+                               MMUAccessType access_type, ARMMMUIdx mmu_idx,
+                               bool is_secure, GetPhysAddrResult *result,
+                               ARMMMUFaultInfo *fi)
+{
+    S1Translate ptw = {
+        .in_mmu_idx = mmu_idx,
+        .in_secure = is_secure,
+    };
+    return get_phys_addr_with_struct(env, &ptw, address, access_type,
+                                     result, fi);
+}
+
 bool get_phys_addr(CPUARMState *env, target_ulong address,
                    MMUAccessType access_type, ARMMMUIdx mmu_idx,
                    GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
@@ -XXX,XX +XXX,XX @@ hwaddr arm_cpu_get_phys_page_attrs_debug(CPUState *cs, vaddr addr,
 {
     ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
+    S1Translate ptw = {
+        .in_mmu_idx = arm_mmu_idx(env),
+        .in_secure = arm_is_secure(env),
+        .in_debug = true,
+    };
     GetPhysAddrResult res = {};
     ARMMMUFaultInfo fi = {};
-    ARMMMUIdx mmu_idx = arm_mmu_idx(env);
     bool ret;
 
-    ret = get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi);
+    ret = get_phys_addr_with_struct(env, &ptw, addr, MMU_DATA_LOAD, &res, &fi);
     *attrs = res.f.attrs;
 
     if (ret) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Hoist this test out of arm_ld[lq]_ptw into S1_ptw_translate.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

So far, limit the change to S1_ptw_translate, arm_ldl_ptw, and
arm_ldq_ptw.  Use probe_access_full to find the host address,
and if so use a host load.  If the probe fails, we've got our
fault info already.  On the off chance that page tables are not
in RAM, continue to use the address_space_ld* functions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h        |   5 +
 target/arm/ptw.c        | 196 +++++++++++++++++++++++++---------------
 target/arm/tlb_helper.c |  17 +++-
 3 files changed, 144 insertions(+), 74 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUARMTBFlags {
     target_ulong flags2;
 } CPUARMTBFlags;
 
+typedef struct ARMMMUFaultInfo ARMMMUFaultInfo;
+
 typedef struct CPUArchState {
     /* Regs for current mode.  */
     uint32_t regs[16];
@@ -XXX,XX +XXX,XX @@ typedef struct CPUArchState {
     struct CPUBreakpoint *cpu_breakpoint[16];
     struct CPUWatchpoint *cpu_watchpoint[16];
 
+    /* Optional fault info across tlb lookup. */
+    ARMMMUFaultInfo *tlb_fi;
+
     /* Fields up to this point are cleared by a CPU reset */
     struct {} end_reset_fields;
 
diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/osdep.h"
 #include "qemu/log.h"
 #include "qemu/range.h"
+#include "exec/exec-all.h"
 #include "cpu.h"
 #include "internals.h"
 #include "idau.h"
@@ -XXX,XX +XXX,XX @@ typedef struct S1Translate {
     bool out_secure;
     bool out_be;
     hwaddr out_phys;
+    void *out_host;
 } S1Translate;
 
 static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
@@ -XXX,XX +XXX,XX @@ static bool regime_translation_disabled(CPUARMState *env, ARMMMUIdx mmu_idx,
     return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
 }
 
-static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
+static bool S2_attrs_are_device(uint64_t hcr, uint8_t attrs)
 {
     /*
      * For an S1 page table walk, the stage 1 attributes are always
@@ -XXX,XX +XXX,XX @@ static bool ptw_attrs_are_device(uint64_t hcr, ARMCacheAttrs cacheattrs)
      * With HCR_EL2.FWB == 1 this is when descriptor bit [4] is 0, ie
      * when cacheattrs.attrs bit [2] is 0.
      */
-    assert(cacheattrs.is_s2_format);
     if (hcr & HCR_FWB) {
-        return (cacheattrs.attrs & 0x4) == 0;
+        return (attrs & 0x4) == 0;
     } else {
-        return (cacheattrs.attrs & 0xc) == 0;
+        return (attrs & 0xc) == 0;
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
                              hwaddr addr, ARMMMUFaultInfo *fi)
 {
     bool is_secure = ptw->in_secure;
+    ARMMMUIdx mmu_idx = ptw->in_mmu_idx;
     ARMMMUIdx s2_mmu_idx = is_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+    bool s2_phys = false;
+    uint8_t pte_attrs;
+    bool pte_secure;
 
-    if (arm_mmu_idx_is_stage1_of_2(ptw->in_mmu_idx) &&
-        !regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
-        GetPhysAddrResult s2 = {};
-        S1Translate s2ptw = {
-            .in_mmu_idx = s2_mmu_idx,
-            .in_secure = is_secure,
-            .in_debug = ptw->in_debug,
-        };
-        uint64_t hcr;
-        int ret;
+    if (!arm_mmu_idx_is_stage1_of_2(mmu_idx)
+        || regime_translation_disabled(env, s2_mmu_idx, is_secure)) {
+        s2_mmu_idx = is_secure ? ARMMMUIdx_Phys_S : ARMMMUIdx_Phys_NS;
+        s2_phys = true;
+    }
 
-        ret = get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
-                                 false, &s2, fi);
-        if (ret) {
-            assert(fi->type != ARMFault_None);
-            fi->s2addr = addr;
-            fi->stage2 = true;
-            fi->s1ptw = true;
-            fi->s1ns = !is_secure;
-            return false;
+    if (unlikely(ptw->in_debug)) {
+        /*
+         * From gdbstub, do not use softmmu so that we don't modify the
+         * state of the cpu at all, including softmmu tlb contents.
+         */
+        if (s2_phys) {
+            ptw->out_phys = addr;
+            pte_attrs = 0;
+            pte_secure = is_secure;
+        } else {
+            S1Translate s2ptw = {
+                .in_mmu_idx = s2_mmu_idx,
+                .in_secure = is_secure,
+                .in_debug = true,
+            };
+            GetPhysAddrResult s2 = { };
+            if (!get_phys_addr_lpae(env, &s2ptw, addr, MMU_DATA_LOAD,
+                                    false, &s2, fi)) {
+                goto fail;
+            }
+            ptw->out_phys = s2.f.phys_addr;
+            pte_attrs = s2.cacheattrs.attrs;
+            pte_secure = s2.f.attrs.secure;
         }
+        ptw->out_host = NULL;
+    } else {
+        CPUTLBEntryFull *full;
+        int flags;
 
-        hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-        if ((hcr & HCR_PTW) && ptw_attrs_are_device(hcr, s2.cacheattrs)) {
+        env->tlb_fi = fi;
+        flags = probe_access_full(env, addr, MMU_DATA_LOAD,
+                                  arm_to_core_mmu_idx(s2_mmu_idx),
+                                  true, &ptw->out_host, &full, 0);
+        env->tlb_fi = NULL;
+
+        if (unlikely(flags & TLB_INVALID_MASK)) {
+            goto fail;
+        }
+        ptw->out_phys = full->phys_addr;
+        pte_attrs = full->pte_attrs;
+        pte_secure = full->attrs.secure;
+    }
+
+    if (!s2_phys) {
+        uint64_t hcr = arm_hcr_el2_eff_secstate(env, is_secure);
+
+        if ((hcr & HCR_PTW) && S2_attrs_are_device(hcr, pte_attrs)) {
             /*
              * PTW set and S1 walk touched S2 Device memory:
              * generate Permission fault.
@@ -XXX,XX +XXX,XX @@ static bool S1_ptw_translate(CPUARMState *env, S1Translate *ptw,
             fi->s1ns = !is_secure;
             return false;
         }
-
-        if (arm_is_secure_below_el3(env)) {
-            /* Check if page table walk is to secure or non-secure PA space. */
-            if (is_secure) {
-                is_secure = !(env->cp15.vstcr_el2 & VSTCR_SW);
-            } else {
-                is_secure = !(env->cp15.vtcr_el2 & VTCR_NSW);
-            }
-        } else {
-            assert(!is_secure);
-        }
-
-        addr = s2.f.phys_addr;
     }
 
-    ptw->out_secure = is_secure;
-    ptw->out_phys = addr;
-    ptw->out_be = regime_translation_big_endian(env, ptw->in_mmu_idx);
+    /* Check if page table walk is to secure or non-secure PA space. */
+    ptw->out_secure = (is_secure
+                       && !(pte_secure
+                            ? env->cp15.vstcr_el2 & VSTCR_SW
+                            : env->cp15.vtcr_el2 & VTCR_NSW));
+    ptw->out_be = regime_translation_big_endian(env, mmu_idx);
     return true;
+
+ fail:
+    assert(fi->type != ARMFault_None);
+    fi->s2addr = addr;
+    fi->stage2 = true;
+    fi->s1ptw = true;
+    fi->s1ns = !is_secure;
+    return false;
 }
 
 /* All loads done in the course of a page table walk go through here. */
@@ -XXX,XX +XXX,XX @@ static uint32_t arm_ldl_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
-    MemTxAttrs attrs = {};
-    MemTxResult result = MEMTX_OK;
-    AddressSpace *as;
     uint32_t data;
 
     if (!S1_ptw_translate(env, ptw, addr, fi)) {
+        /* Failure. */
+        assert(fi->s1ptw);
         return 0;
     }
-    addr = ptw->out_phys;
-    attrs.secure = ptw->out_secure;
-    as = arm_addressspace(cs, attrs);
-    if (ptw->out_be) {
-        data = address_space_ldl_be(as, addr, attrs, &result);
+
+    if (likely(ptw->out_host)) {
+        /* Page tables are in RAM, and we have the host address. */
+        if (ptw->out_be) {
+            data = ldl_be_p(ptw->out_host);
+        } else {
+            data = ldl_le_p(ptw->out_host);
+        }
     } else {
-        data = address_space_ldl_le(as, addr, attrs, &result);
+        /* Page tables are in MMIO. */
+        MemTxAttrs attrs = { .secure = ptw->out_secure };
+        AddressSpace *as = arm_addressspace(cs, attrs);
+        MemTxResult result = MEMTX_OK;
+
+        if (ptw->out_be) {
+            data = address_space_ldl_be(as, ptw->out_phys, attrs, &result);
+        } else {
+            data = address_space_ldl_le(as, ptw->out_phys, attrs, &result);
+        }
+        if (unlikely(result != MEMTX_OK)) {
+            fi->type = ARMFault_SyncExternalOnWalk;
+            fi->ea = arm_extabort_type(result);
+            return 0;
+        }
     }
-    if (result == MEMTX_OK) {
-        return data;
-    }
-    fi->type = ARMFault_SyncExternalOnWalk;
-    fi->ea = arm_extabort_type(result);
-    return 0;
+    return data;
 }
 
 static uint64_t arm_ldq_ptw(CPUARMState *env, S1Translate *ptw, hwaddr addr,
                             ARMMMUFaultInfo *fi)
 {
     CPUState *cs = env_cpu(env);
-    MemTxAttrs attrs = {};
-    MemTxResult result = MEMTX_OK;
-    AddressSpace *as;
     uint64_t data;
 
     if (!S1_ptw_translate(env, ptw, addr, fi)) {
+        /* Failure. */
+        assert(fi->s1ptw);
         return 0;
     }
-    addr = ptw->out_phys;
-    attrs.secure = ptw->out_secure;
-    as = arm_addressspace(cs, attrs);
-    if (ptw->out_be) {
-        data = address_space_ldq_be(as, addr, attrs, &result);
+
+    if (likely(ptw->out_host)) {
+        /* Page tables are in RAM, and we have the host address. */
+        if (ptw->out_be) {
+            data = ldq_be_p(ptw->out_host);
+        } else {
+            data = ldq_le_p(ptw->out_host);
+        }
     } else {
-        data = address_space_ldq_le(as, addr, attrs, &result);
+        /* Page tables are in MMIO. */
+        MemTxAttrs attrs = { .secure = ptw->out_secure };
+        AddressSpace *as = arm_addressspace(cs, attrs);
+        MemTxResult result = MEMTX_OK;
+
+        if (ptw->out_be) {
+            data = address_space_ldq_be(as, ptw->out_phys, attrs, &result);
+        } else {
+            data = address_space_ldq_le(as, ptw->out_phys, attrs, &result);
+        }
+        if (unlikely(result != MEMTX_OK)) {
+            fi->type = ARMFault_SyncExternalOnWalk;
+            fi->ea = arm_extabort_type(result);
+            return 0;
+        }
     }
-    if (result == MEMTX_OK) {
-        return data;
-    }
-    fi->type = ARMFault_SyncExternalOnWalk;
-    fi->ea = arm_extabort_type(result);
-    return 0;
+    return data;
 }
 
 static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
diff --git a/target/arm/tlb_helper.c b/target/arm/tlb_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tlb_helper.c
+++ b/target/arm/tlb_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       bool probe, uintptr_t retaddr)
 {
     ARMCPU *cpu = ARM_CPU(cs);
-    ARMMMUFaultInfo fi = {};
     GetPhysAddrResult res = {};
+    ARMMMUFaultInfo local_fi, *fi;
     int ret;
 
+    /*
+     * Allow S1_ptw_translate to see any fault generated here.
+     * Since this may recurse, read and clear.
+     */
+    fi = cpu->env.tlb_fi;
+    if (fi) {
+        cpu->env.tlb_fi = NULL;
+    } else {
+        fi = memset(&local_fi, 0, sizeof(local_fi));
+    }
+
     /*
      * Walk the page table and (if the mapping exists) add the page
      * to the TLB.  On success, return true.  Otherwise, if probing,
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
      */
     ret = get_phys_addr(&cpu->env, address, access_type,
                         core_to_arm_mmu_idx(&cpu->env, mmu_idx),
-                        &res, &fi);
+                        &res, fi);
     if (likely(!ret)) {
         /*
          * Map a single [sub]page. Regions smaller than our declared
@@ -XXX,XX +XXX,XX @@ bool arm_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
     } else {
         /* now we have a real cpu fault */
         cpu_restore_state(cs, retaddr, true);
-        arm_deliver_fault(cpu, address, access_type, mmu_idx, &fi);
+        arm_deliver_fault(cpu, address, access_type, mmu_idx, fi);
     }
 }
 #else
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 191 +++++++++++++++++++++++++----------------------
 1 file changed, 100 insertions(+), 91 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_lpae(CPUARMState *env, S1Translate *ptw,
                                GetPhysAddrResult *result, ARMMMUFaultInfo *fi)
     __attribute__((nonnull));
 
+static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
+                                      target_ulong address,
+                                      MMUAccessType access_type,
+                                      GetPhysAddrResult *result,
+                                      ARMMMUFaultInfo *fi)
+    __attribute__((nonnull));
+
 /* This mapping is common between ID_AA64MMFR0.PARANGE and TCR_ELx.{I}PS. */
 static const uint8_t pamax_map[] = {
     [0] = 32,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
     return 0;
 }
 
+static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
+                                   target_ulong address,
+                                   MMUAccessType access_type,
+                                   GetPhysAddrResult *result,
+                                   ARMMMUFaultInfo *fi)
+{
+    hwaddr ipa;
+    int s1_prot;
+    int ret;
+    bool is_secure = ptw->in_secure;
+    bool ipa_secure, s2walk_secure;
+    ARMCacheAttrs cacheattrs1;
+    bool is_el0;
+    uint64_t hcr;
+
+    ret = get_phys_addr_with_struct(env, ptw, address, access_type, result, fi);
+
+    /* If S1 fails or S2 is disabled, return early.  */
+    if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2, is_secure)) {
+        return ret;
+    }
+
+    ipa = result->f.phys_addr;
+    ipa_secure = result->f.attrs.secure;
+    if (is_secure) {
+        /* Select TCR based on the NS bit from the S1 walk. */
+        s2walk_secure = !(ipa_secure
+                          ? env->cp15.vstcr_el2 & VSTCR_SW
+                          : env->cp15.vtcr_el2 & VTCR_NSW);
+    } else {
+        assert(!ipa_secure);
+        s2walk_secure = false;
+    }
+
+    is_el0 = ptw->in_mmu_idx == ARMMMUIdx_Stage1_E0;
+    ptw->in_mmu_idx = s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
+    ptw->in_secure = s2walk_secure;
+
+    /*
+     * S1 is done, now do S2 translation.
+     * Save the stage1 results so that we may merge prot and cacheattrs later.
+     */
+    s1_prot = result->f.prot;
+    cacheattrs1 = result->cacheattrs;
+    memset(result, 0, sizeof(*result));
+
+    ret = get_phys_addr_lpae(env, ptw, ipa, access_type, is_el0, result, fi);
+    fi->s2addr = ipa;
+
+    /* Combine the S1 and S2 perms.  */
+    result->f.prot &= s1_prot;
+
+    /* If S2 fails, return early.  */
+    if (ret) {
+        return ret;
+    }
+
+    /* Combine the S1 and S2 cache attributes. */
+    hcr = arm_hcr_el2_eff_secstate(env, is_secure);
+    if (hcr & HCR_DC) {
+        /*
+         * HCR.DC forces the first stage attributes to
+         *  Normal Non-Shareable,
+         *  Inner Write-Back Read-Allocate Write-Allocate,
+         *  Outer Write-Back Read-Allocate Write-Allocate.
+         * Do not overwrite Tagged within attrs.
+         */
+        if (cacheattrs1.attrs != 0xf0) {
+            cacheattrs1.attrs = 0xff;
+        }
+        cacheattrs1.shareability = 0;
+    }
+    result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
+                                            result->cacheattrs);
+
+    /*
+     * Check if IPA translates to secure or non-secure PA space.
+     * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
+     */
+    result->f.attrs.secure =
+        (is_secure
+         && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
+         && (ipa_secure
+             || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
+
+    return 0;
+}
+
 static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
                                       target_ulong address,
                                       MMUAccessType access_type,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
     if (mmu_idx != s1_mmu_idx) {
         /*
          * Call ourselves recursively to do the stage 1 and then stage 2
-         * translations if mmu_idx is a two-stage regime.
+         * translations if mmu_idx is a two-stage regime, and EL2 present.
+         * Otherwise, a stage1+stage2 translation is just stage 1.
          */
+        ptw->in_mmu_idx = mmu_idx = s1_mmu_idx;
         if (arm_feature(env, ARM_FEATURE_EL2)) {
-            hwaddr ipa;
-            int s1_prot;
-            int ret;
-            bool ipa_secure, s2walk_secure;
-            ARMCacheAttrs cacheattrs1;
-            bool is_el0;
-            uint64_t hcr;
-
-            ptw->in_mmu_idx = s1_mmu_idx;
-            ret = get_phys_addr_with_struct(env, ptw, address, access_type,
-                                            result, fi);
-
-            /* If S1 fails or S2 is disabled, return early.  */
-            if (ret || regime_translation_disabled(env, ARMMMUIdx_Stage2,
-                                                   is_secure)) {
-                return ret;
-            }
-
-            ipa = result->f.phys_addr;
-            ipa_secure = result->f.attrs.secure;
-            if (is_secure) {
-                /* Select TCR based on the NS bit from the S1 walk. */
-                s2walk_secure = !(ipa_secure
-                                  ? env->cp15.vstcr_el2 & VSTCR_SW
-                                  : env->cp15.vtcr_el2 & VTCR_NSW);
-            } else {
-                assert(!ipa_secure);
-                s2walk_secure = false;
-            }
-
-            ptw->in_mmu_idx =
-                s2walk_secure ? ARMMMUIdx_Stage2_S : ARMMMUIdx_Stage2;
-            ptw->in_secure = s2walk_secure;
-            is_el0 = mmu_idx == ARMMMUIdx_E10_0;
-
-            /*
-             * S1 is done, now do S2 translation.
-             * Save the stage1 results so that we may merge
-             * prot and cacheattrs later.
-             */
-            s1_prot = result->f.prot;
-            cacheattrs1 = result->cacheattrs;
-            memset(result, 0, sizeof(*result));
-
-            ret = get_phys_addr_lpae(env, ptw, ipa, access_type,
-                                     is_el0, result, fi);
-            fi->s2addr = ipa;
-
-            /* Combine the S1 and S2 perms.  */
-            result->f.prot &= s1_prot;
-
-            /* If S2 fails, return early.  */
-            if (ret) {
-                return ret;
-            }
-
-            /* Combine the S1 and S2 cache attributes. */
-            hcr = arm_hcr_el2_eff_secstate(env, is_secure);
-            if (hcr & HCR_DC) {
-                /*
-                 * HCR.DC forces the first stage attributes to
-                 *  Normal Non-Shareable,
-                 *  Inner Write-Back Read-Allocate Write-Allocate,
-                 *  Outer Write-Back Read-Allocate Write-Allocate.
-                 * Do not overwrite Tagged within attrs.
-                 */
-                if (cacheattrs1.attrs != 0xf0) {
-                    cacheattrs1.attrs = 0xff;
-                }
-                cacheattrs1.shareability = 0;
-            }
-            result->cacheattrs = combine_cacheattrs(hcr, cacheattrs1,
-                                                    result->cacheattrs);
-
-            /*
-             * Check if IPA translates to secure or non-secure PA space.
-             * Note that VSTCR overrides VTCR and {N}SW overrides {N}SA.
-             */
-            result->f.attrs.secure =
-                (is_secure
-                 && !(env->cp15.vstcr_el2 & (VSTCR_SA | VSTCR_SW))
-                 && (ipa_secure
-                     || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
-
-            return 0;
-        } else {
-            /*
-             * For non-EL2 CPUs a stage1+stage2 translation is just stage 1.
-             */
-            mmu_idx = stage_1_mmu_idx(mmu_idx);
+            return get_phys_addr_twostage(env, ptw, address, access_type,
+                                          result, fi);
         }
     }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The return type of the functions is already bool, but in a few
instances we used an integer type with the return statement.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221011031911.2408754-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/ptw.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/target/arm/ptw.c b/target/arm/ptw.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/ptw.c
+++ b/target/arm/ptw.c
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_disabled(CPUARMState *env, target_ulong address,
     result->f.lg_page_size = TARGET_PAGE_BITS;
     result->cacheattrs.shareability = shareability;
     result->cacheattrs.attrs = memattr;
-    return 0;
+    return false;
 }
 
 static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
 {
     hwaddr ipa;
     int s1_prot;
-    int ret;
     bool is_secure = ptw->in_secure;
-    bool ipa_secure, s2walk_secure;
+    bool ret, ipa_secure, s2walk_secure;
     ARMCacheAttrs cacheattrs1;
     bool is_el0;
     uint64_t hcr;
@@ -XXX,XX +XXX,XX @@ static bool get_phys_addr_twostage(CPUARMState *env, S1Translate *ptw,
          && (ipa_secure
              || !(env->cp15.vtcr_el2 & (VTCR_NSA | VTCR_NSW))));
 
-    return 0;
+    return false;
 }
 
 static bool get_phys_addr_with_struct(CPUARMState *env, S1Translate *ptw,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

A simple helper to retrieve the length of the current insn.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     | 5 +++++
 target/arm/translate-vfp.c | 2 +-
 target/arm/translate.c     | 5 ++---
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ static inline void disas_set_insn_syndrome(DisasContext *s, uint32_t syn)
     s->insn_start = NULL;
 }
 
+static inline int curr_insn_len(DisasContext *s)
+{
+    return s->base.pc_next - s->pc_curr;
+}
+
 /* is_jmp field values */
 #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
 /* CPU state was modified dynamically; exit to main loop for interrupts. */
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
     if (s->sme_trap_nonstreaming) {
         gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
                            syn_smetrap(SME_ET_Streaming,
-                                       s->base.pc_next - s->pc_curr == 2));
+                                       curr_insn_len(s) == 2));
         return false;
     }
 
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static ISSInfo make_issinfo(DisasContext *s, int rd, bool p, bool w)
     /* ISS not valid if writeback */
     if (p && !w) {
         ret = rd;
-        if (s->base.pc_next - s->pc_curr == 2) {
+        if (curr_insn_len(s) == 2) {
             ret |= ISSIs16Bit;
         }
     } else {
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             /* nothing more to generate */
             break;
         case DISAS_WFI:
-            gen_helper_wfi(cpu_env,
-                           tcg_constant_i32(dc->base.pc_next - dc->pc_curr));
+            gen_helper_wfi(cpu_env, tcg_constant_i32(curr_insn_len(dc)));
             /*
              * The helper doesn't necessarily throw an exception, but we
              * must go back to the main loop to check for interrupts anyway.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 40 ++++++++++++++++++++------------------
 target/arm/translate.c     | 10 ++++++----
 2 files changed, 27 insertions(+), 23 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, uint64_t dest)
     return translator_use_goto_tb(&s->base, dest);
 }
 
-static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
+static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
 {
+    uint64_t dest = s->pc_curr + diff;
+
     if (use_goto_tb(s, dest)) {
         tcg_gen_goto_tb(n);
         gen_a64_set_pc_im(dest);
@@ -XXX,XX +XXX,XX @@ static inline AArch64DecodeFn *lookup_disas_fn(const AArch64DecodeTable *table,
  */
 static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 {
-    uint64_t addr = s->pc_curr + sextract32(insn, 0, 26) * 4;
+    int64_t diff = sextract32(insn, 0, 26) * 4;
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 
     /* B Branch / BL Branch with link */
     reset_btype(s);
-    gen_goto_tb(s, 0, addr);
+    gen_goto_tb(s, 0, diff);
 }
 
 /* Compare and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
 {
     unsigned int sf, op, rt;
-    uint64_t addr;
+    int64_t diff;
     TCGLabel *label_match;
     TCGv_i64 tcg_cmp;
 
     sf = extract32(insn, 31, 1);
     op = extract32(insn, 24, 1); /* 0: CBZ; 1: CBNZ */
     rt = extract32(insn, 0, 5);
-    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
+    diff = sextract32(insn, 5, 19) * 4;
 
     tcg_cmp = read_cpu_reg(s, rt, sf);
     label_match = gen_new_label();
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
 
-    gen_goto_tb(s, 0, s->base.pc_next);
+    gen_goto_tb(s, 0, 4);
     gen_set_label(label_match);
-    gen_goto_tb(s, 1, addr);
+    gen_goto_tb(s, 1, diff);
 }
 
 /* Test and branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
 static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 {
     unsigned int bit_pos, op, rt;
-    uint64_t addr;
+    int64_t diff;
     TCGLabel *label_match;
     TCGv_i64 tcg_cmp;
 
     bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
     op = extract32(insn, 24, 1); /* 0: TBZ; 1: TBNZ */
-    addr = s->pc_curr + sextract32(insn, 5, 14) * 4;
+    diff = sextract32(insn, 5, 14) * 4;
     rt = extract32(insn, 0, 5);
 
     tcg_cmp = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
                         tcg_cmp, 0, label_match);
     tcg_temp_free_i64(tcg_cmp);
-    gen_goto_tb(s, 0, s->base.pc_next);
+    gen_goto_tb(s, 0, 4);
     gen_set_label(label_match);
-    gen_goto_tb(s, 1, addr);
+    gen_goto_tb(s, 1, diff);
 }
 
 /* Conditional branch (immediate)
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
 {
     unsigned int cond;
-    uint64_t addr;
+    int64_t diff;
 
     if ((insn & (1 << 4)) || (insn & (1 << 24))) {
         unallocated_encoding(s);
         return;
     }
-    addr = s->pc_curr + sextract32(insn, 5, 19) * 4;
+    diff = sextract32(insn, 5, 19) * 4;
     cond = extract32(insn, 0, 4);
 
     reset_btype(s);
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
         /* genuinely conditional branches */
         TCGLabel *label_match = gen_new_label();
         arm_gen_test_cc(cond, label_match);
-        gen_goto_tb(s, 0, s->base.pc_next);
+        gen_goto_tb(s, 0, 4);
         gen_set_label(label_match);
-        gen_goto_tb(s, 1, addr);
+        gen_goto_tb(s, 1, diff);
     } else {
         /* 0xe and 0xf are both "always" conditions */
-        gen_goto_tb(s, 0, addr);
+        gen_goto_tb(s, 0, diff);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * any pending interrupts immediately.
          */
         reset_btype(s);
-        gen_goto_tb(s, 0, s->base.pc_next);
+        gen_goto_tb(s, 0, 4);
         return;
 
     case 7: /* SB */
@@ -XXX,XX +XXX,XX @@ static void handle_sync(DisasContext *s, uint32_t insn,
          * MB and end the TB instead.
          */
         tcg_gen_mb(TCG_MO_ALL | TCG_BAR_SC);
-        gen_goto_tb(s, 0, s->base.pc_next);
+        gen_goto_tb(s, 0, 4);
         return;
 
     default:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch (dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->base.pc_next);
+            gen_goto_tb(dc, 1, 4);
             break;
         default:
         case DISAS_UPDATE_EXIT:
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
  * cpu_loop_exec. Any live exit_requests will be processed as we
  * enter the next TB.
  */
-static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
+static void gen_goto_tb(DisasContext *s, int n, int diff)
 {
+    target_ulong dest = s->pc_curr + diff;
+
     if (translator_use_goto_tb(&s->base, dest)) {
         tcg_gen_goto_tb(n);
         gen_set_pc_im(s, dest);
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
          *    gen_jmp();
          * on the second call to gen_jmp().
          */
-        gen_goto_tb(s, tbno, dest);
+        gen_goto_tb(s, tbno, dest - s->pc_curr);
         break;
     case DISAS_UPDATE_NOCHAIN:
     case DISAS_UPDATE_EXIT:
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         switch (dc->base.is_jmp) {
         case DISAS_NEXT:
         case DISAS_TOO_MANY:
-            gen_goto_tb(dc, 1, dc->base.pc_next);
+            gen_goto_tb(dc, 1, curr_insn_len(dc));
             break;
         case DISAS_UPDATE_NOCHAIN:
             gen_set_pc_im(dc, dc->base.pc_next);
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             gen_set_pc_im(dc, dc->base.pc_next);
             gen_singlestep_exception(dc);
         } else {
-            gen_goto_tb(dc, 1, dc->base.pc_next);
+            gen_goto_tb(dc, 1, curr_insn_len(dc));
         }
     }
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on
absolute values by passing in pc difference.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a32.h |  2 +-
 target/arm/translate.h     |  6 ++--
 target/arm/translate-a64.c | 32 +++++++++---------
 target/arm/translate-vfp.c |  2 +-
 target/arm/translate.c     | 68 ++++++++++++++++++++------------------
 5 files changed, 56 insertions(+), 54 deletions(-)

diff --git a/target/arm/translate-a32.h b/target/arm/translate-a32.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a32.h
+++ b/target/arm/translate-a32.h
@@ -XXX,XX +XXX,XX @@ void write_neon_element64(TCGv_i64 src, int reg, int ele, MemOp memop);
 TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs);
 void gen_set_cpsr(TCGv_i32 var, uint32_t mask);
 void gen_set_condexec(DisasContext *s);
-void gen_set_pc_im(DisasContext *s, target_ulong val);
+void gen_update_pc(DisasContext *s, target_long diff);
 void gen_lookup_tb(DisasContext *s);
 long vfp_reg_offset(bool dp, unsigned reg);
 long neon_full_reg_offset(unsigned reg);
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ static inline int curr_insn_len(DisasContext *s)
  * For instructions which want an immediate exit to the main loop, as opposed
  * to attempting to use lookup_and_goto_ptr.  Unlike DISAS_UPDATE_EXIT, this
  * doesn't write the PC on exiting the translation loop so you need to ensure
- * something (gen_a64_set_pc_im or runtime helper) has done so before we reach
+ * something (gen_a64_update_pc or runtime helper) has done so before we reach
  * return from cpu_tb_exec.
  */
 #define DISAS_EXIT      DISAS_TARGET_9
@@ -XXX,XX +XXX,XX @@ static inline int curr_insn_len(DisasContext *s)
 
 #ifdef TARGET_AARCH64
 void a64_translate_init(void);
-void gen_a64_set_pc_im(uint64_t val);
+void gen_a64_update_pc(DisasContext *s, target_long diff);
 extern const TranslatorOps aarch64_translator_ops;
 #else
 static inline void a64_translate_init(void)
 {
 }
 
-static inline void gen_a64_set_pc_im(uint64_t val)
+static inline void gen_a64_update_pc(DisasContext *s, target_long diff)
 {
 }
 #endif
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
     }
 }
 
-void gen_a64_set_pc_im(uint64_t val)
+void gen_a64_update_pc(DisasContext *s, target_long diff)
 {
-    tcg_gen_movi_i64(cpu_pc, val);
+    tcg_gen_movi_i64(cpu_pc, s->pc_curr + diff);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
 
 static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
 {
-    gen_a64_set_pc_im(pc);
+    gen_a64_update_pc(s, pc - s->pc_curr);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
 static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syndrome)
 {
-    gen_a64_set_pc_im(s->pc_curr);
+    gen_a64_update_pc(s, 0);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_constant_i32(syndrome));
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
 
     if (use_goto_tb(s, dest)) {
         tcg_gen_goto_tb(n);
-        gen_a64_set_pc_im(dest);
+        gen_a64_update_pc(s, diff);
         tcg_gen_exit_tb(s->base.tb, n);
         s->base.is_jmp = DISAS_NORETURN;
     } else {
-        gen_a64_set_pc_im(dest);
+        gen_a64_update_pc(s, diff);
         if (s->ss_active) {
             gen_step_complete_exception(s);
         } else {
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
         uint32_t syndrome;
 
         syndrome = syn_aa64_sysregtrap(op0, op1, op2, crn, crm, rt, isread);
-        gen_a64_set_pc_im(s->pc_curr);
+        gen_a64_update_pc(s, 0);
         gen_helper_access_check_cp_reg(cpu_env,
                                        tcg_constant_ptr(ri),
                                        tcg_constant_i32(syndrome),
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
          * The readfn or writefn might raise an exception;
          * synchronize the CPU state in case it does.
          */
-        gen_a64_set_pc_im(s->pc_curr);
+        gen_a64_update_pc(s, 0);
     }
 
     /* Handle special cases first */
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             /* The pre HVC helper handles cases when HVC gets trapped
              * as an undefined insn by runtime configuration.
              */
-            gen_a64_set_pc_im(s->pc_curr);
+            gen_a64_update_pc(s, 0);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
             gen_exception_insn_el(s, s->base.pc_next, EXCP_HVC,
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
                 unallocated_encoding(s);
                 break;
             }
-            gen_a64_set_pc_im(s->pc_curr);
+            gen_a64_update_pc(s, 0);
             gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa64_smc(imm16)));
             gen_ss_advance(s);
             gen_exception_insn_el(s, s->base.pc_next, EXCP_SMC,
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          */
         switch (dc->base.is_jmp) {
         default:
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             /* fall through */
         case DISAS_EXIT:
         case DISAS_JUMP:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             break;
         default:
         case DISAS_UPDATE_EXIT:
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             /* fall through */
         case DISAS_EXIT:
             tcg_gen_exit_tb(NULL, 0);
             break;
         case DISAS_UPDATE_NOCHAIN:
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             /* fall through */
         case DISAS_JUMP:
             tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_SWI:
             break;
         case DISAS_WFE:
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             gen_helper_wfe(cpu_env);
             break;
         case DISAS_YIELD:
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             gen_helper_yield(cpu_env);
             break;
         case DISAS_WFI:
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
              * This is a special case because we don't want to just halt
              * the CPU if trying to debug across a WFI.
              */
-            gen_a64_set_pc_im(dc->base.pc_next);
+            gen_a64_update_pc(dc, 4);
             gen_helper_wfi(cpu_env, tcg_constant_i32(4));
             /*
              * The helper doesn't necessarily throw an exception, but we
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VMSR_VMRS(DisasContext *s, arg_VMSR_VMRS *a)
         case ARM_VFP_FPSID:
             if (s->current_el == 1) {
                 gen_set_condexec(s);
-                gen_set_pc_im(s, s->pc_curr);
+                gen_update_pc(s, 0);
                 gen_helper_check_hcr_el2_trap(cpu_env,
                                               tcg_constant_i32(a->rt),
                                               tcg_constant_i32(a->reg));
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ void gen_set_condexec(DisasContext *s)
     }
 }
 
-void gen_set_pc_im(DisasContext *s, target_ulong val)
+void gen_update_pc(DisasContext *s, target_long diff)
 {
-    tcg_gen_movi_i32(cpu_R[15], val);
+    tcg_gen_movi_i32(cpu_R[15], s->pc_curr + diff);
 }
 
 /* Set PC and Thumb state from var.  var is marked as dead.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_bxns(DisasContext *s, int rm)
 
     /* The bxns helper may raise an EXCEPTION_EXIT exception, so in theory
      * we need to sync state before calling it, but:
-     *  - we don't need to do gen_set_pc_im() because the bxns helper will
+     *  - we don't need to do gen_update_pc() because the bxns helper will
      *    always set the PC itself
      *  - we don't need to do gen_set_condexec() because BXNS is UNPREDICTABLE
      *    unless it's outside an IT block or the last insn in an IT block,
@@ -XXX,XX +XXX,XX @@ static inline void gen_blxns(DisasContext *s, int rm)
      * We do however need to set the PC, because the blxns helper reads it.
      * The blxns helper may throw an exception.
      */
-    gen_set_pc_im(s, s->base.pc_next);
+    gen_update_pc(s, curr_insn_len(s));
     gen_helper_v7m_blxns(cpu_env, var);
     tcg_temp_free_i32(var);
     s->base.is_jmp = DISAS_EXIT;
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * as an undefined insn by runtime configuration (ie before
      * the insn really executes).
      */
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     gen_helper_pre_hvc(cpu_env);
     /* Otherwise we will treat this as a real exception which
      * happens after execution of the insn. (The distinction matters
@@ -XXX,XX +XXX,XX @@ static inline void gen_hvc(DisasContext *s, int imm16)
      * for single stepping.)
      */
     s->svc_imm = imm16;
-    gen_set_pc_im(s, s->base.pc_next);
+    gen_update_pc(s, curr_insn_len(s));
     s->base.is_jmp = DISAS_HVC;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     /* As with HVC, we may take an exception either before or after
      * the insn executes.
      */
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa32_smc()));
-    gen_set_pc_im(s, s->base.pc_next);
+    gen_update_pc(s, curr_insn_len(s));
     s->base.is_jmp = DISAS_SMC;
 }
 
 static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, pc);
+    gen_update_pc(s, pc - s->pc_curr);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_exception_insn_el_v(DisasContext *s, uint64_t pc, int excp,
                                     uint32_t syn, TCGv_i32 tcg_el)
 {
     if (s->aarch64) {
-        gen_a64_set_pc_im(pc);
+        gen_a64_update_pc(s, pc - s->pc_curr);
     } else {
         gen_set_condexec(s);
-        gen_set_pc_im(s, pc);
+        gen_update_pc(s, pc - s->pc_curr);
     }
     gen_exception_el_v(excp, syn, tcg_el);
     s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
 void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
 {
     if (s->aarch64) {
-        gen_a64_set_pc_im(pc);
+        gen_a64_update_pc(s, pc - s->pc_curr);
     } else {
         gen_set_condexec(s);
-        gen_set_pc_im(s, pc);
+        gen_update_pc(s, pc - s->pc_curr);
     }
     gen_exception(excp, syn);
     s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
 static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
 {
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     gen_helper_exception_bkpt_insn(cpu_env, tcg_constant_i32(syn));
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
 
     if (translator_use_goto_tb(&s->base, dest)) {
         tcg_gen_goto_tb(n);
-        gen_set_pc_im(s, dest);
+        gen_update_pc(s, diff);
         tcg_gen_exit_tb(s->base.tb, n);
     } else {
-        gen_set_pc_im(s, dest);
+        gen_update_pc(s, diff);
         gen_goto_ptr();
     }
     s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
 /* Jump, specifying which TB number to use if we gen_goto_tb() */
 static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
 {
+    int diff = dest - s->pc_curr;
+
     if (unlikely(s->ss_active)) {
         /* An indirect jump so that we still trigger the debug exception.  */
-        gen_set_pc_im(s, dest);
+        gen_update_pc(s, diff);
         s->base.is_jmp = DISAS_JUMP;
         return;
     }
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
          *    gen_jmp();
          * on the second call to gen_jmp().
          */
-        gen_goto_tb(s, tbno, dest - s->pc_curr);
+        gen_goto_tb(s, tbno, diff);
         break;
     case DISAS_UPDATE_NOCHAIN:
     case DISAS_UPDATE_EXIT:
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
          * Avoid using goto_tb so we really do exit back to the main loop
          * and don't chain to another TB.
          */
-        gen_set_pc_im(s, dest);
+        gen_update_pc(s, diff);
         gen_goto_ptr();
         s->base.is_jmp = DISAS_NORETURN;
         break;
@@ -XXX,XX +XXX,XX @@ static void gen_msr_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because msr_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     tcg_reg = load_reg(s, rn);
     gen_helper_msr_banked(cpu_env, tcg_reg,
                           tcg_constant_i32(tgtmode),
@@ -XXX,XX +XXX,XX @@ static void gen_mrs_banked(DisasContext *s, int r, int sysm, int rn)
 
     /* Sync state because mrs_banked() can raise exceptions */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     tcg_reg = tcg_temp_new_i32();
     gen_helper_mrs_banked(tcg_reg, cpu_env,
                           tcg_constant_i32(tgtmode),
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
             }
 
             gen_set_condexec(s);
-            gen_set_pc_im(s, s->pc_curr);
+            gen_update_pc(s, 0);
             gen_helper_access_check_cp_reg(cpu_env,
                                            tcg_constant_ptr(ri),
                                            tcg_constant_i32(syndrome),
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
              * synchronize the CPU state in case it does.
              */
             gen_set_condexec(s);
-            gen_set_pc_im(s, s->pc_curr);
+            gen_update_pc(s, 0);
         }
 
         /* Handle special cases first */
@@ -XXX,XX +XXX,XX @@ static void do_coproc_insn(DisasContext *s, int cpnum, int is64,
                 unallocated_encoding(s);
                 return;
             }
-            gen_set_pc_im(s, s->base.pc_next);
+            gen_update_pc(s, curr_insn_len(s));
             s->base.is_jmp = DISAS_WFI;
             return;
         default:
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
     addr = tcg_temp_new_i32();
     /* get_r13_banked() will raise an exception if called from System mode */
     gen_set_condexec(s);
-    gen_set_pc_im(s, s->pc_curr);
+    gen_update_pc(s, 0);
     gen_helper_get_r13_banked(addr, cpu_env, tcg_constant_i32(mode));
     switch (amode) {
     case 0: /* DA */
@@ -XXX,XX +XXX,XX @@ static bool trans_YIELD(DisasContext *s, arg_YIELD *a)
      * scheduling of other vCPUs.
      */
     if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-        gen_set_pc_im(s, s->base.pc_next);
+        gen_update_pc(s, curr_insn_len(s));
         s->base.is_jmp = DISAS_YIELD;
     }
     return true;
@@ -XXX,XX +XXX,XX @@ static bool trans_WFE(DisasContext *s, arg_WFE *a)
      * implemented so we can't sleep like WFI does.
      */
     if (!(tb_cflags(s->base.tb) & CF_PARALLEL)) {
-        gen_set_pc_im(s, s->base.pc_next);
+        gen_update_pc(s, curr_insn_len(s));
         s->base.is_jmp = DISAS_WFE;
     }
     return true;
@@ -XXX,XX +XXX,XX @@ static bool trans_WFE(DisasContext *s, arg_WFE *a)
 static bool trans_WFI(DisasContext *s, arg_WFI *a)
 {
     /* For WFI, halt the vCPU until an IRQ. */
-    gen_set_pc_im(s, s->base.pc_next);
+    gen_update_pc(s, curr_insn_len(s));
     s->base.is_jmp = DISAS_WFI;
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_SVC(DisasContext *s, arg_SVC *a)
         (a->imm == semihost_imm)) {
         gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
     } else {
-        gen_set_pc_im(s, s->base.pc_next);
+        gen_update_pc(s, curr_insn_len(s));
         s->svc_imm = a->imm;
         s->base.is_jmp = DISAS_SWI;
     }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         case DISAS_TOO_MANY:
         case DISAS_UPDATE_EXIT:
         case DISAS_UPDATE_NOCHAIN:
-            gen_set_pc_im(dc, dc->base.pc_next);
+            gen_update_pc(dc, curr_insn_len(dc));
             /* fall through */
         default:
             /* FIXME: Single stepping a WFI insn will not halt the CPU. */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             gen_goto_tb(dc, 1, curr_insn_len(dc));
             break;
         case DISAS_UPDATE_NOCHAIN:
-            gen_set_pc_im(dc, dc->base.pc_next);
+            gen_update_pc(dc, curr_insn_len(dc));
             /* fall through */
         case DISAS_JUMP:
             gen_goto_ptr();
             break;
         case DISAS_UPDATE_EXIT:
-            gen_set_pc_im(dc, dc->base.pc_next);
+            gen_update_pc(dc, curr_insn_len(dc));
             /* fall through */
         default:
             /* indicate that the hash table must be used to find the next TB */
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         gen_set_label(dc->condlabel);
         gen_set_condexec(dc);
         if (unlikely(dc->ss_active)) {
-            gen_set_pc_im(dc, dc->base.pc_next);
+            gen_update_pc(dc, curr_insn_len(dc));
             gen_singlestep_exception(dc);
         } else {
             gen_goto_tb(dc, 1, curr_insn_len(dc));
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h        |  5 +++--
 target/arm/translate-a64.c    | 28 ++++++++++-------------
 target/arm/translate-m-nocp.c |  6 ++---
 target/arm/translate-mve.c    |  2 +-
 target/arm/translate-vfp.c    |  6 ++---
 target/arm/translate.c        | 42 +++++++++++++++++------------------
 6 files changed, 43 insertions(+), 46 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ void arm_jump_cc(DisasCompare *cmp, TCGLabel *label);
 void arm_gen_test_cc(int cc, TCGLabel *label);
 MemOp pow2_align(unsigned i);
 void unallocated_encoding(DisasContext *s);
-void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
+void gen_exception_insn_el(DisasContext *s, target_long pc_diff, int excp,
                            uint32_t syn, uint32_t target_el);
-void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn);
+void gen_exception_insn(DisasContext *s, target_long pc_diff,
+                        int excp, uint32_t syn);
 
 /* Return state of Alternate Half-precision flag, caller frees result */
 static inline TCGv_i32 get_ahp_flag(void)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check_only(DisasContext *s)
         assert(!s->fp_access_checked);
         s->fp_access_checked = true;
 
-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn_el(s, 0, EXCP_UDEF,
                               syn_fp_access_trap(1, 0xe, false, 0),
                               s->fp_excp_el);
         return false;
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
         return false;
     }
     if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn(s, 0, EXCP_UDEF,
                            syn_smetrap(SME_ET_Streaming, false));
         return false;
     }
@@ -XXX,XX +XXX,XX @@ bool sve_access_check(DisasContext *s)
             goto fail_exit;
         }
     } else if (s->sve_excp_el) {
-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn_el(s, 0, EXCP_UDEF,
                               syn_sve_access_trap(), s->sve_excp_el);
         goto fail_exit;
     }
@@ -XXX,XX +XXX,XX @@ bool sve_access_check(DisasContext *s)
 static bool sme_access_check(DisasContext *s)
 {
     if (s->sme_excp_el) {
-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn_el(s, 0, EXCP_UDEF,
                               syn_smetrap(SME_ET_AccessTrap, false),
                               s->sme_excp_el);
         return false;
@@ -XXX,XX +XXX,XX @@ bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
         return false;
     }
     if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn(s, 0, EXCP_UDEF,
                            syn_smetrap(SME_ET_NotStreaming, false));
         return false;
     }
     if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn(s, 0, EXCP_UDEF,
                            syn_smetrap(SME_ET_InactiveZA, false));
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static void gen_sysreg_undef(DisasContext *s, bool isread,
     } else {
         syndrome = syn_uncategorized();
     }
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syndrome);
+    gen_exception_insn(s, 0, EXCP_UDEF, syndrome);
 }
 
 /* MRS - move from system register
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
         switch (op2_ll) {
         case 1:                                                     /* SVC */
             gen_ss_advance(s);
-            gen_exception_insn(s, s->base.pc_next, EXCP_SWI,
-                               syn_aa64_svc(imm16));
+            gen_exception_insn(s, 4, EXCP_SWI, syn_aa64_svc(imm16));
             break;
         case 2:                                                     /* HVC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_a64_update_pc(s, 0);
             gen_helper_pre_hvc(cpu_env);
             gen_ss_advance(s);
-            gen_exception_insn_el(s, s->base.pc_next, EXCP_HVC,
-                                  syn_aa64_hvc(imm16), 2);
+            gen_exception_insn_el(s, 4, EXCP_HVC, syn_aa64_hvc(imm16), 2);
             break;
         case 3:                                                     /* SMC */
             if (s->current_el == 0) {
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
             gen_a64_update_pc(s, 0);
             gen_helper_pre_smc(cpu_env, tcg_constant_i32(syn_aa64_smc(imm16)));
             gen_ss_advance(s);
-            gen_exception_insn_el(s, s->base.pc_next, EXCP_SMC,
-                                  syn_aa64_smc(imm16), 3);
+            gen_exception_insn_el(s, 4, EXCP_SMC, syn_aa64_smc(imm16), 3);
             break;
         default:
             unallocated_encoding(s);
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          * Illegal execution state. This has priority over BTI
          * exceptions, but comes after instruction abort exceptions.
          */
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_illegalstate());
+        gen_exception_insn(s, 0, EXCP_UDEF, syn_illegalstate());
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
             if (s->btype != 0
                 && s->guarded_page
                 && !btype_destination_ok(insn, s->bt, s->btype)) {
-                gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-                                   syn_btitrap(s->btype));
+                gen_exception_insn(s, 0, EXCP_UDEF, syn_btitrap(s->btype));
                 return;
             }
         } else {
diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-m-nocp.c
+++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSCCLRM(DisasContext *s, arg_VSCCLRM *a)
     tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel);
 
     if (s->fp_excp_el != 0) {
-        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
+        gen_exception_insn_el(s, 0, EXCP_NOCP,
                               syn_uncategorized(), s->fp_excp_el);
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_NOCP(DisasContext *s, arg_nocp *a)
     }
 
     if (a->cp != 10) {
-        gen_exception_insn(s, s->pc_curr, EXCP_NOCP, syn_uncategorized());
+        gen_exception_insn(s, 0, EXCP_NOCP, syn_uncategorized());
         return true;
     }
 
     if (s->fp_excp_el != 0) {
-        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
+        gen_exception_insn_el(s, 0, EXCP_NOCP,
                               syn_uncategorized(), s->fp_excp_el);
         return true;
     }
diff --git a/target/arm/translate-mve.c b/target/arm/translate-mve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-mve.c
+++ b/target/arm/translate-mve.c
@@ -XXX,XX +XXX,XX @@ bool mve_eci_check(DisasContext *s)
         return true;
     default:
         /* Reserved value: INVSTATE UsageFault */
-        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
+        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
         return false;
     }
 }
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
         int coproc = arm_dc_feature(s, ARM_FEATURE_V8) ? 0 : 0xa;
         uint32_t syn = syn_fp_access_trap(1, 0xe, false, coproc);
 
-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF, syn, s->fp_excp_el);
+        gen_exception_insn_el(s, 0, EXCP_UDEF, syn, s->fp_excp_el);
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
      * appear to be any insns which touch VFP which are allowed.
      */
     if (s->sme_trap_nonstreaming) {
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+        gen_exception_insn(s, 0, EXCP_UDEF,
                            syn_smetrap(SME_ET_Streaming,
                                        curr_insn_len(s) == 2));
         return false;
@@ -XXX,XX +XXX,XX @@ bool vfp_access_check_m(DisasContext *s, bool skip_context_update)
          * the encoding space handled by the patterns in m-nocp.decode,
          * and for them we may need to raise NOCP here.
          */
-        gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
+        gen_exception_insn_el(s, 0, EXCP_NOCP,
                               syn_uncategorized(), s->fp_excp_el);
         return false;
     }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception(int excp, uint32_t syndrome)
                                        tcg_constant_i32(syndrome));
 }
 
-static void gen_exception_insn_el_v(DisasContext *s, uint64_t pc, int excp,
-                                    uint32_t syn, TCGv_i32 tcg_el)
+static void gen_exception_insn_el_v(DisasContext *s, target_long pc_diff,
+                                    int excp, uint32_t syn, TCGv_i32 tcg_el)
 {
     if (s->aarch64) {
-        gen_a64_update_pc(s, pc - s->pc_curr);
+        gen_a64_update_pc(s, pc_diff);
     } else {
         gen_set_condexec(s);
-        gen_update_pc(s, pc - s->pc_curr);
+        gen_update_pc(s, pc_diff);
     }
     gen_exception_el_v(excp, syn, tcg_el);
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-void gen_exception_insn_el(DisasContext *s, uint64_t pc, int excp,
+void gen_exception_insn_el(DisasContext *s, target_long pc_diff, int excp,
                            uint32_t syn, uint32_t target_el)
 {
-    gen_exception_insn_el_v(s, pc, excp, syn, tcg_constant_i32(target_el));
+    gen_exception_insn_el_v(s, pc_diff, excp, syn,
+                            tcg_constant_i32(target_el));
 }
 
-void gen_exception_insn(DisasContext *s, uint64_t pc, int excp, uint32_t syn)
+void gen_exception_insn(DisasContext *s, target_long pc_diff,
+                        int excp, uint32_t syn)
 {
     if (s->aarch64) {
-        gen_a64_update_pc(s, pc - s->pc_curr);
+        gen_a64_update_pc(s, pc_diff);
     } else {
         gen_set_condexec(s);
-        gen_update_pc(s, pc - s->pc_curr);
+        gen_update_pc(s, pc_diff);
     }
     gen_exception(excp, syn);
     s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void gen_exception_bkpt_insn(DisasContext *s, uint32_t syn)
 void unallocated_encoding(DisasContext *s)
 {
     /* Unallocated and reserved encodings are uncategorized */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized());
+    gen_exception_insn(s, 0, EXCP_UDEF, syn_uncategorized());
 }
 
 /* Force a TB lookup after an instruction that changes the CPU state.  */
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
                 tcg_el = tcg_constant_i32(3);
             }
 
-            gen_exception_insn_el_v(s, s->pc_curr, EXCP_UDEF,
+            gen_exception_insn_el_v(s, 0, EXCP_UDEF,
                                     syn_uncategorized(), tcg_el);
             tcg_temp_free_i32(tcg_el);
             return false;
@@ -XXX,XX +XXX,XX @@ static bool msr_banked_access_decode(DisasContext *s, int r, int sysm, int rn,
 
 undef:
     /* If we get here then some access check did not pass */
-    gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_uncategorized());
+    gen_exception_insn(s, 0, EXCP_UDEF, syn_uncategorized());
     return false;
 }
 
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
      * For the UNPREDICTABLE cases we choose to UNDEF.
      */
     if (s->current_el == 1 && !s->ns && mode == ARM_CPU_MODE_MON) {
-        gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
-                              syn_uncategorized(), 3);
+        gen_exception_insn_el(s, 0, EXCP_UDEF, syn_uncategorized(), 3);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
          * Do the check-and-raise-exception by hand.
          */
         if (s->fp_excp_el) {
-            gen_exception_insn_el(s, s->pc_curr, EXCP_NOCP,
+            gen_exception_insn_el(s, 0, EXCP_NOCP,
                                   syn_uncategorized(), s->fp_excp_el);
             return true;
         }
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
         tmp = load_cpu_field(v7m.ltpsize);
         tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc);
         tcg_temp_free_i32(tmp);
-        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
+        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
         gen_set_label(skipexc);
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
      * UsageFault exception.
      */
     if (arm_dc_feature(s, ARM_FEATURE_M)) {
-        gen_exception_insn(s, s->pc_curr, EXCP_INVSTATE, syn_uncategorized());
+        gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void disas_arm_insn(DisasContext *s, unsigned int insn)
          * Illegal execution state. This has priority over BTI
          * exceptions, but comes after instruction abort exceptions.
          */
-        gen_exception_insn(s, s->pc_curr, EXCP_UDEF, syn_illegalstate());
+        gen_exception_insn(s, 0, EXCP_UDEF, syn_illegalstate());
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          * Illegal execution state. This has priority over BTI
          * exceptions, but comes after instruction abort exceptions.
          */
-        gen_exception_insn(dc, dc->pc_curr, EXCP_UDEF, syn_illegalstate());
+        gen_exception_insn(dc, 0, EXCP_UDEF, syn_illegalstate());
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          */
         tcg_remove_ops_after(dc->insn_eci_rewind);
         dc->condjmp = 0;
-        gen_exception_insn(dc, dc->pc_curr, EXCP_INVSTATE,
-                           syn_uncategorized());
+        gen_exception_insn(dc, 0, EXCP_INVSTATE, syn_uncategorized());
     }
 
     arm_post_translate_insn(dc);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.
Since we always pass dc->pc_curr, fold the arithmetic to zero displacement.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c |  6 +++---
 target/arm/translate.c     | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     gen_helper_exception_internal(cpu_env, tcg_constant_i32(excp));
 }
 
-static void gen_exception_internal_insn(DisasContext *s, uint64_t pc, int excp)
+static void gen_exception_internal_insn(DisasContext *s, int excp)
 {
-    gen_a64_update_pc(s, pc - s->pc_curr);
+    gen_a64_update_pc(s, 0);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void disas_exc(DisasContext *s, uint32_t insn)
          * Secondly, "HLT 0xf000" is the A64 semihosting syscall instruction.
          */
         if (semihosting_enabled(s->current_el == 0) && imm16 == 0xf000) {
-            gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
+            gen_exception_internal_insn(s, EXCP_SEMIHOST);
         } else {
             unallocated_encoding(s);
         }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_smc(DisasContext *s)
     s->base.is_jmp = DISAS_SMC;
 }
 
-static void gen_exception_internal_insn(DisasContext *s, uint32_t pc, int excp)
+static void gen_exception_internal_insn(DisasContext *s, int excp)
 {
     gen_set_condexec(s);
-    gen_update_pc(s, pc - s->pc_curr);
+    gen_update_pc(s, 0);
     gen_exception_internal(excp);
     s->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static inline void gen_hlt(DisasContext *s, int imm)
      */
     if (semihosting_enabled(s->current_el != 0) &&
         (imm == (s->thumb ? 0x3c : 0xf000))) {
-        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
+        gen_exception_internal_insn(s, EXCP_SEMIHOST);
         return;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_BKPT(DisasContext *s, arg_BKPT *a)
     if (arm_dc_feature(s, ARM_FEATURE_M) &&
         semihosting_enabled(s->current_el == 0) &&
         (a->imm == 0xab)) {
-        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
+        gen_exception_internal_insn(s, EXCP_SEMIHOST);
     } else {
         gen_exception_bkpt_insn(s, syn_aa32_bkpt(a->imm, false));
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_SVC(DisasContext *s, arg_SVC *a)
     if (!arm_dc_feature(s, ARM_FEATURE_M) &&
         semihosting_enabled(s->current_el == 0) &&
         (a->imm == semihost_imm)) {
-        gen_exception_internal_insn(s, s->pc_curr, EXCP_SEMIHOST);
+        gen_exception_internal_insn(s, EXCP_SEMIHOST);
     } else {
         gen_update_pc(s, curr_insn_len(s));
         s->svc_imm = a->imm;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 37 +++++++++++++++++++++----------------
 1 file changed, 21 insertions(+), 16 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static uint32_t read_pc(DisasContext *s)
     return s->pc_curr + (s->thumb ? 4 : 8);
 }
 
+/* The pc_curr difference for an architectural jump. */
+static target_long jmp_diff(DisasContext *s, target_long diff)
+{
+    return diff + (s->thumb ? 4 : 8);
+}
+
 /* Set a variable to the value of a CPU register.  */
 void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
 {
@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
  * cpu_loop_exec. Any live exit_requests will be processed as we
  * enter the next TB.
  */
-static void gen_goto_tb(DisasContext *s, int n, int diff)
+static void gen_goto_tb(DisasContext *s, int n, target_long diff)
 {
     target_ulong dest = s->pc_curr + diff;
 
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, int diff)
 }
 
 /* Jump, specifying which TB number to use if we gen_goto_tb() */
-static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
+static void gen_jmp_tb(DisasContext *s, target_long diff, int tbno)
 {
-    int diff = dest - s->pc_curr;
-
     if (unlikely(s->ss_active)) {
         /* An indirect jump so that we still trigger the debug exception.  */
         gen_update_pc(s, diff);
@@ -XXX,XX +XXX,XX @@ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
     }
 }
 
-static inline void gen_jmp(DisasContext *s, uint32_t dest)
+static inline void gen_jmp(DisasContext *s, target_long diff)
 {
-    gen_jmp_tb(s, dest, 0);
+    gen_jmp_tb(s, diff, 0);
 }
 
 static inline void gen_mulxy(TCGv_i32 t0, TCGv_i32 t1, int x, int y)
@@ -XXX,XX +XXX,XX @@ static bool trans_CLRM(DisasContext *s, arg_CLRM *a)
 
 static bool trans_B(DisasContext *s, arg_i *a)
 {
-    gen_jmp(s, read_pc(s) + a->imm);
+    gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond_thumb(DisasContext *s, arg_ci *a)
         return true;
     }
     arm_skip_unless(s, a->cond);
-    gen_jmp(s, read_pc(s) + a->imm);
+    gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
 
 static bool trans_BL(DisasContext *s, arg_i *a)
 {
     tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
-    gen_jmp(s, read_pc(s) + a->imm);
+    gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
     }
     tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
     store_cpu_field_constant(!s->thumb, thumb);
-    gen_jmp(s, (read_pc(s) & ~3) + a->imm);
+    /* This jump is computed from an aligned PC: subtract off the low bits. */
+    gen_jmp(s, jmp_diff(s, a->imm - (s->pc_curr & 3)));
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
          * when we take this upcoming exit from this TB, so gen_jmp_tb() is OK.
          */
     }
-    gen_jmp_tb(s, s->base.pc_next, 1);
+    gen_jmp_tb(s, curr_insn_len(s), 1);
 
     gen_set_label(nextlabel);
-    gen_jmp(s, read_pc(s) + a->imm);
+    gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
 
     if (a->f) {
         /* Loop-forever: just jump back to the loop start */
-        gen_jmp(s, read_pc(s) - a->imm);
+        gen_jmp(s, jmp_diff(s, -a->imm));
         return true;
     }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
         tcg_temp_free_i32(decr);
     }
     /* Jump back to the loop start */
-    gen_jmp(s, read_pc(s) - a->imm);
+    gen_jmp(s, jmp_diff(s, -a->imm));
 
     gen_set_label(loopend);
     if (a->tp) {
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
         store_cpu_field(tcg_constant_i32(4), v7m.ltpsize);
     }
     /* End TB, continuing to following insn */
-    gen_jmp_tb(s, s->base.pc_next, 1);
+    gen_jmp_tb(s, curr_insn_len(s), 1);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_CBZ *a)
     tcg_gen_brcondi_i32(a->nz ? TCG_COND_EQ : TCG_COND_NE,
                         tmp, 0, s->condlabel);
     tcg_temp_free_i32(tmp);
-    gen_jmp(s, read_pc(s) + a->imm);
+    gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 41 +++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
     }
 }
 
+static void gen_pc_plus_diff(DisasContext *s, TCGv_i64 dest, target_long diff)
+{
+    tcg_gen_movi_i64(dest, s->pc_curr + diff);
+}
+
 void gen_a64_update_pc(DisasContext *s, target_long diff)
 {
-    tcg_gen_movi_i64(cpu_pc, s->pc_curr + diff);
+    gen_pc_plus_diff(s, cpu_pc, diff);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_imm(DisasContext *s, uint32_t insn)
 
     if (insn & (1U << 31)) {
         /* BL Branch with link */
-        tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
+        gen_pc_plus_diff(s, cpu_reg(s, 30), curr_insn_len(s));
     }
 
     /* B Branch / BL Branch with link */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         default:
             goto do_unallocated;
         }
-        gen_a64_set_pc(s, dst);
         /* BLR also needs to load return address */
         if (opc == 1) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
+            TCGv_i64 lr = cpu_reg(s, 30);
+            if (dst == lr) {
+                TCGv_i64 tmp = new_tmp_a64(s);
+                tcg_gen_mov_i64(tmp, dst);
+                dst = tmp;
+            }
+            gen_pc_plus_diff(s, lr, curr_insn_len(s));
         }
+        gen_a64_set_pc(s, dst);
         break;
 
     case 8: /* BRAA */
@@ -XXX,XX +XXX,XX @@ static void disas_uncond_b_reg(DisasContext *s, uint32_t insn)
         } else {
             dst = cpu_reg(s, rn);
         }
-        gen_a64_set_pc(s, dst);
         /* BLRAA also needs to load return address */
         if (opc == 9) {
-            tcg_gen_movi_i64(cpu_reg(s, 30), s->base.pc_next);
+            TCGv_i64 lr = cpu_reg(s, 30);
+            if (dst == lr) {
+                TCGv_i64 tmp = new_tmp_a64(s);
+                tcg_gen_mov_i64(tmp, dst);
+                dst = tmp;
+            }
+            gen_pc_plus_diff(s, lr, curr_insn_len(s));
         }
+        gen_a64_set_pc(s, dst);
         break;
 
     case 4: /* ERET */
@@ -XXX,XX +XXX,XX @@ static void disas_ld_lit(DisasContext *s, uint32_t insn)
 
     tcg_rt = cpu_reg(s, rt);
 
-    clean_addr = tcg_constant_i64(s->pc_curr + imm);
+    clean_addr = new_tmp_a64(s);
+    gen_pc_plus_diff(s, clean_addr, imm);
     if (is_vector) {
         do_fp_ld(s, rt, clean_addr, size);
     } else {
@@ -XXX,XX +XXX,XX @@ static void disas_ldst(DisasContext *s, uint32_t insn)
 static void disas_pc_rel_adr(DisasContext *s, uint32_t insn)
 {
     unsigned int page, rd;
-    uint64_t base;
-    uint64_t offset;
+    int64_t offset;
 
     page = extract32(insn, 31, 1);
     /* SignExtend(immhi:immlo) -> offset */
     offset = sextract64(insn, 5, 19);
     offset = offset << 2 | extract32(insn, 29, 2);
     rd = extract32(insn, 0, 5);
-    base = s->pc_curr;
 
     if (page) {
         /* ADRP (page based) */
-        base &= ~0xfff;
         offset <<= 12;
+        /* The page offset is ok for TARGET_TB_PCREL. */
+        offset -= s->pc_curr & 0xfff;
     }
 
-    tcg_gen_movi_i64(cpu_reg(s, rd), base + offset);
+    gen_pc_plus_diff(s, cpu_reg(s, rd), offset);
 }
 
 /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In preparation for TARGET_TB_PCREL, reduce reliance on absolute values.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static inline int get_a32_user_mem_index(DisasContext *s)
     }
 }
 
-/* The architectural value of PC.  */
-static uint32_t read_pc(DisasContext *s)
-{
-    return s->pc_curr + (s->thumb ? 4 : 8);
-}
-
 /* The pc_curr difference for an architectural jump. */
 static target_long jmp_diff(DisasContext *s, target_long diff)
 {
     return diff + (s->thumb ? 4 : 8);
 }
 
+static void gen_pc_plus_diff(DisasContext *s, TCGv_i32 var, target_long diff)
+{
+    tcg_gen_movi_i32(var, s->pc_curr + diff);
+}
+
 /* Set a variable to the value of a CPU register.  */
 void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
 {
     if (reg == 15) {
-        tcg_gen_movi_i32(var, read_pc(s));
+        gen_pc_plus_diff(s, var, jmp_diff(s, 0));
     } else {
         tcg_gen_mov_i32(var, cpu_R[reg]);
     }
@@ -XXX,XX +XXX,XX @@ TCGv_i32 add_reg_for_lit(DisasContext *s, int reg, int ofs)
     TCGv_i32 tmp = tcg_temp_new_i32();
 
     if (reg == 15) {
-        tcg_gen_movi_i32(tmp, (read_pc(s) & ~3) + ofs);
+        /*
+         * This address is computed from an aligned PC:
+         * subtract off the low bits.
+         */
+        gen_pc_plus_diff(s, tmp, jmp_diff(s, ofs - (s->pc_curr & 3)));
     } else {
         tcg_gen_addi_i32(tmp, cpu_R[reg], ofs);
     }
@@ -XXX,XX +XXX,XX @@ void unallocated_encoding(DisasContext *s)
 /* Force a TB lookup after an instruction that changes the CPU state.  */
 void gen_lookup_tb(DisasContext *s)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->base.pc_next);
+    gen_pc_plus_diff(s, cpu_R[15], curr_insn_len(s));
     s->base.is_jmp = DISAS_EXIT;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_r(DisasContext *s, arg_BLX_r *a)
         return false;
     }
     tmp = load_reg(s, a->rm);
-    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
+    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
     gen_bx(s, tmp);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_B_cond_thumb(DisasContext *s, arg_ci *a)
 
 static bool trans_BL(DisasContext *s, arg_i *a)
 {
-    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
+    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
     gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
     if (s->thumb && (a->imm & 2)) {
         return false;
     }
-    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | s->thumb);
+    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | s->thumb);
     store_cpu_field_constant(!s->thumb, thumb);
     /* This jump is computed from an aligned PC: subtract off the low bits. */
     gen_jmp(s, jmp_diff(s, a->imm - (s->pc_curr & 3)));
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_i(DisasContext *s, arg_BLX_i *a)
 static bool trans_BL_BLX_prefix(DisasContext *s, arg_BL_BLX_prefix *a)
 {
     assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
-    tcg_gen_movi_i32(cpu_R[14], read_pc(s) + (a->imm << 12));
+    gen_pc_plus_diff(s, cpu_R[14], jmp_diff(s, a->imm << 12));
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_BL_suffix(DisasContext *s, arg_BL_suffix *a)
 
     assert(!arm_dc_feature(s, ARM_FEATURE_THUMB2));
     tcg_gen_addi_i32(tmp, cpu_R[14], (a->imm << 1) | 1);
-    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
+    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | 1);
     gen_bx(s, tmp);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_BLX_suffix(DisasContext *s, arg_BLX_suffix *a)
     tmp = tcg_temp_new_i32();
     tcg_gen_addi_i32(tmp, cpu_R[14], a->imm << 1);
     tcg_gen_andi_i32(tmp, tmp, 0xfffffffc);
-    tcg_gen_movi_i32(cpu_R[14], s->base.pc_next | 1);
+    gen_pc_plus_diff(s, cpu_R[14], curr_insn_len(s) | 1);
     gen_bx(s, tmp);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool op_tbranch(DisasContext *s, arg_tbranch *a, bool half)
     tcg_gen_add_i32(addr, addr, tmp);
 
     gen_aa32_ld_i32(s, tmp, addr, get_mem_index(s), half ? MO_UW : MO_UB);
-    tcg_temp_free_i32(addr);
 
     tcg_gen_add_i32(tmp, tmp, tmp);
-    tcg_gen_addi_i32(tmp, tmp, read_pc(s));
+    gen_pc_plus_diff(s, addr, jmp_diff(s, 0));
+    tcg_gen_add_i32(tmp, tmp, addr);
+    tcg_temp_free_i32(addr);
     store_reg(s, 15, tmp);
     return true;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20221020030641.2066807-10-richard.henderson@linaro.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu-param.h        |   2 +
 target/arm/translate.h        |  50 +++++++++++++++-
 target/arm/cpu.c              |  23 ++++----
 target/arm/translate-a64.c    |  64 +++++++++++++-------
 target/arm/translate-m-nocp.c |   2 +-
 target/arm/translate.c        | 108 +++++++++++++++++++++++-----------
 6 files changed, 178 insertions(+), 71 deletions(-)

diff --git a/target/arm/cpu-param.h b/target/arm/cpu-param.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu-param.h
+++ b/target/arm/cpu-param.h
@@ -XXX,XX +XXX,XX @@
 # define TARGET_PAGE_BITS_VARY
 # define TARGET_PAGE_BITS_MIN  10
 
+# define TARGET_TB_PCREL 1
+
 /*
  * Cache the attrs and shareability fields from the page table entry.
  *
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@
 
 
 /* internal defines */
+
+/*
+ * Save pc_save across a branch, so that we may restore the value from
+ * before the branch at the point the label is emitted.
+ */
+typedef struct DisasLabel {
+    TCGLabel *label;
+    target_ulong pc_save;
+} DisasLabel;
+
 typedef struct DisasContext {
     DisasContextBase base;
     const ARMISARegisters *isar;
 
     /* The address of the current instruction being translated. */
     target_ulong pc_curr;
+    /*
+     * For TARGET_TB_PCREL, the full value of cpu_pc is not known
+     * (although the page offset is known).  For convenience, the
+     * translation loop uses the full virtual address that triggered
+     * the translation, from base.pc_start through pc_curr.
+     * For efficiency, we do not update cpu_pc for every instruction.
+     * Instead, pc_save has the value of pc_curr at the time of the
+     * last update to cpu_pc, which allows us to compute the addend
+     * needed to bring cpu_pc current: pc_curr - pc_save.
+     * If cpu_pc now contains the destination of an indirect branch,
+     * pc_save contains -1 to indicate that relative updates are no
+     * longer possible.
+     */
+    target_ulong pc_save;
     target_ulong page_start;
     uint32_t insn;
     /* Nonzero if this instruction has been conditionally skipped.  */
     int condjmp;
     /* The label that will be jumped to when the instruction is skipped.  */
-    TCGLabel *condlabel;
+    DisasLabel condlabel;
     /* Thumb-2 conditional execution bits.  */
     int condexec_mask;
     int condexec_cond;
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      * after decode (ie after any UNDEF checks)
      */
     bool eci_handled;
-    /* TCG op to rewind to if this turns out to be an invalid ECI state */
-    TCGOp *insn_eci_rewind;
     int sctlr_b;
     MemOp be_data;
 #if !defined(CONFIG_USER_ONLY)
@@ -XXX,XX +XXX,XX @@ static inline MemOp finalize_memop(DisasContext *s, MemOp opc)
  */
 uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
 
+/*
+ * gen_disas_label:
+ * Create a label and cache a copy of pc_save.
+ */
+static inline DisasLabel gen_disas_label(DisasContext *s)
+{
+    return (DisasLabel){
+        .label = gen_new_label(),
+        .pc_save = s->pc_save,
+    };
+}
+
+/*
+ * set_disas_label:
+ * Emit a label and restore the cached copy of pc_save.
+ */
+static inline void set_disas_label(DisasContext *s, DisasLabel l)
+{
+    gen_set_label(l.label);
+    s->pc_save = l.pc_save;
+}
+
 /*
  * Helpers for implementing sets of trans_* functions.
  * Defer the implementation of NAME to FUNC, with optional extra arguments.
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static vaddr arm_cpu_get_pc(CPUState *cs)
 void arm_cpu_synchronize_from_tb(CPUState *cs,
                                  const TranslationBlock *tb)
 {
-    ARMCPU *cpu = ARM_CPU(cs);
-    CPUARMState *env = &cpu->env;
-
-    /*
-     * It's OK to look at env for the current mode here, because it's
-     * never possible for an AArch64 TB to chain to an AArch32 TB.
-     */
-    if (is_a64(env)) {
-        env->pc = tb_pc(tb);
-    } else {
-        env->regs[15] = tb_pc(tb);
+    /* The program counter is always up to date with TARGET_TB_PCREL. */
+    if (!TARGET_TB_PCREL) {
+        CPUARMState *env = cs->env_ptr;
+        /*
+         * It's OK to look at env for the current mode here, because it's
+         * never possible for an AArch64 TB to chain to an AArch32 TB.
+         */
+        if (is_a64(env)) {
+            env->pc = tb_pc(tb);
+        } else {
+            env->regs[15] = tb_pc(tb);
+        }
     }
 }
 #endif /* CONFIG_TCG */
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void reset_btype(DisasContext *s)
 
 static void gen_pc_plus_diff(DisasContext *s, TCGv_i64 dest, target_long diff)
 {
-    tcg_gen_movi_i64(dest, s->pc_curr + diff);
+    assert(s->pc_save != -1);
+    if (TARGET_TB_PCREL) {
+        tcg_gen_addi_i64(dest, cpu_pc, (s->pc_curr - s->pc_save) + diff);
+    } else {
+        tcg_gen_movi_i64(dest, s->pc_curr + diff);
+    }
 }
 
 void gen_a64_update_pc(DisasContext *s, target_long diff)
 {
     gen_pc_plus_diff(s, cpu_pc, diff);
+    s->pc_save = s->pc_curr + diff;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static void gen_a64_set_pc(DisasContext *s, TCGv_i64 src)
      * then loading an address into the PC will clear out any tag.
      */
     gen_top_byte_ignore(s, cpu_pc, src, s->tbii);
+    s->pc_save = -1;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *s, uint64_t dest)
 
 static void gen_goto_tb(DisasContext *s, int n, int64_t diff)
 {
-    uint64_t dest = s->pc_curr + diff;
-
-    if (use_goto_tb(s, dest)) {
-        tcg_gen_goto_tb(n);
-        gen_a64_update_pc(s, diff);
+    if (use_goto_tb(s, s->pc_curr + diff)) {
+        /*
+         * For pcrel, the pc must always be up-to-date on entry to
+         * the linked TB, so that it can use simple additions for all
+         * further adjustments.  For !pcrel, the linked TB is compiled
+         * to know its full virtual address, so we can delay the
+         * update to pc to the unlinked path.  A long chain of links
+         * can thus avoid many updates to the PC.
+         */
+        if (TARGET_TB_PCREL) {
+            gen_a64_update_pc(s, diff);
+            tcg_gen_goto_tb(n);
+        } else {
+            tcg_gen_goto_tb(n);
+            gen_a64_update_pc(s, diff);
+        }
         tcg_gen_exit_tb(s->base.tb, n);
         s->base.is_jmp = DISAS_NORETURN;
     } else {
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
 {
     unsigned int sf, op, rt;
     int64_t diff;
-    TCGLabel *label_match;
+    DisasLabel match;
     TCGv_i64 tcg_cmp;
 
     sf = extract32(insn, 31, 1);
@@ -XXX,XX +XXX,XX @@ static void disas_comp_b_imm(DisasContext *s, uint32_t insn)
     diff = sextract32(insn, 5, 19) * 4;
 
     tcg_cmp = read_cpu_reg(s, rt, sf);
-    label_match = gen_new_label();
-
     reset_btype(s);
-    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
-                        tcg_cmp, 0, label_match);
 
+    match = gen_disas_label(s);
+    tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
+                        tcg_cmp, 0, match.label);
     gen_goto_tb(s, 0, 4);
-    gen_set_label(label_match);
+    set_disas_label(s, match);
     gen_goto_tb(s, 1, diff);
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 {
     unsigned int bit_pos, op, rt;
     int64_t diff;
-    TCGLabel *label_match;
+    DisasLabel match;
     TCGv_i64 tcg_cmp;
 
     bit_pos = (extract32(insn, 31, 1) << 5) | extract32(insn, 19, 5);
@@ -XXX,XX +XXX,XX @@ static void disas_test_b_imm(DisasContext *s, uint32_t insn)
 
     tcg_cmp = tcg_temp_new_i64();
     tcg_gen_andi_i64(tcg_cmp, cpu_reg(s, rt), (1ULL << bit_pos));
-    label_match = gen_new_label();
 
     reset_btype(s);
+
+    match = gen_disas_label(s);
     tcg_gen_brcondi_i64(op ? TCG_COND_NE : TCG_COND_EQ,
-                        tcg_cmp, 0, label_match);
+                        tcg_cmp, 0, match.label);
     tcg_temp_free_i64(tcg_cmp);
     gen_goto_tb(s, 0, 4);
-    gen_set_label(label_match);
+    set_disas_label(s, match);
     gen_goto_tb(s, 1, diff);
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_cond_b_imm(DisasContext *s, uint32_t insn)
     reset_btype(s);
     if (cond < 0x0e) {
         /* genuinely conditional branches */
-        TCGLabel *label_match = gen_new_label();
-        arm_gen_test_cc(cond, label_match);
+        DisasLabel match = gen_disas_label(s);
+        arm_gen_test_cc(cond, match.label);
         gen_goto_tb(s, 0, 4);
-        gen_set_label(label_match);
+        set_disas_label(s, match);
         gen_goto_tb(s, 1, diff);
     } else {
         /* 0xe and 0xf are both "always" conditions */
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
 
     dc->isar = &arm_cpu->isar;
     dc->condjmp = 0;
-
+    dc->pc_save = dc->base.pc_first;
     dc->aarch64 = true;
     dc->thumb = false;
     dc->sctlr_b = 0;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_start(DisasContextBase *db, CPUState *cpu)
 static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
+    target_ulong pc_arg = dc->base.pc_next;
 
-    tcg_gen_insn_start(dc->base.pc_next, 0, 0);
+    if (TARGET_TB_PCREL) {
+        pc_arg &= ~TARGET_PAGE_MASK;
+    }
+    tcg_gen_insn_start(pc_arg, 0, 0);
     dc->insn_start = tcg_last_op();
 }
 
diff --git a/target/arm/translate-m-nocp.c b/target/arm/translate-m-nocp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-m-nocp.c
+++ b/target/arm/translate-m-nocp.c
@@ -XXX,XX +XXX,XX @@ static bool trans_VSCCLRM(DisasContext *s, arg_VSCCLRM *a)
     tcg_gen_andi_i32(sfpa, sfpa, R_V7M_CONTROL_SFPA_MASK);
     tcg_gen_or_i32(sfpa, sfpa, aspen);
     arm_gen_condlabel(s);
-    tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel);
+    tcg_gen_brcondi_i32(TCG_COND_EQ, sfpa, 0, s->condlabel.label);
 
     if (s->fp_excp_el != 0) {
         gen_exception_insn_el(s, 0, EXCP_NOCP,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op)
 void arm_gen_condlabel(DisasContext *s)
 {
     if (!s->condjmp) {
-        s->condlabel = gen_new_label();
+        s->condlabel = gen_disas_label(s);
         s->condjmp = 1;
     }
 }
@@ -XXX,XX +XXX,XX @@ static target_long jmp_diff(DisasContext *s, target_long diff)
 
 static void gen_pc_plus_diff(DisasContext *s, TCGv_i32 var, target_long diff)
 {
-    tcg_gen_movi_i32(var, s->pc_curr + diff);
+    assert(s->pc_save != -1);
+    if (TARGET_TB_PCREL) {
+        tcg_gen_addi_i32(var, cpu_R[15], (s->pc_curr - s->pc_save) + diff);
+    } else {
+        tcg_gen_movi_i32(var, s->pc_curr + diff);
+    }
 }
 
 /* Set a variable to the value of a CPU register.  */
@@ -XXX,XX +XXX,XX @@ void store_reg(DisasContext *s, int reg, TCGv_i32 var)
          */
         tcg_gen_andi_i32(var, var, s->thumb ? ~1 : ~3);
         s->base.is_jmp = DISAS_JUMP;
+        s->pc_save = -1;
     } else if (reg == 13 && arm_dc_feature(s, ARM_FEATURE_M)) {
         /* For M-profile SP bits [1:0] are always zero */
         tcg_gen_andi_i32(var, var, ~3);
@@ -XXX,XX +XXX,XX @@ void gen_set_condexec(DisasContext *s)
 
 void gen_update_pc(DisasContext *s, target_long diff)
 {
-    tcg_gen_movi_i32(cpu_R[15], s->pc_curr + diff);
+    gen_pc_plus_diff(s, cpu_R[15], diff);
+    s->pc_save = s->pc_curr + diff;
 }
 
 /* Set PC and Thumb state from var.  var is marked as dead.  */
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx(DisasContext *s, TCGv_i32 var)
     tcg_gen_andi_i32(cpu_R[15], var, ~1);
     tcg_gen_andi_i32(var, var, 1);
     store_cpu_field(var, thumb);
+    s->pc_save = -1;
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret(DisasContext *s, TCGv_i32 var)
 static inline void gen_bx_excret_final_code(DisasContext *s)
 {
     /* Generate the code to finish possible exception return and end the TB */
-    TCGLabel *excret_label = gen_new_label();
+    DisasLabel excret_label = gen_disas_label(s);
     uint32_t min_magic;
 
     if (arm_dc_feature(s, ARM_FEATURE_M_SECURITY)) {
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
     }
 
     /* Is the new PC value in the magic range indicating exception return? */
-    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
+    tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label.label);
     /* No: end the TB as we would for a DISAS_JMP */
     if (s->ss_active) {
         gen_singlestep_exception(s);
     } else {
         tcg_gen_exit_tb(NULL, 0);
     }
-    gen_set_label(excret_label);
+    set_disas_label(s, excret_label);
     /* Yes: this is an exception return.
      * At this point in runtime env->regs[15] and env->thumb will hold
      * the exception-return magic number, which do_v7m_exception_exit()
@@ -XXX,XX +XXX,XX @@ static void gen_goto_ptr(void)
  */
 static void gen_goto_tb(DisasContext *s, int n, target_long diff)
 {
-    target_ulong dest = s->pc_curr + diff;
-
-    if (translator_use_goto_tb(&s->base, dest)) {
-        tcg_gen_goto_tb(n);
-        gen_update_pc(s, diff);
+    if (translator_use_goto_tb(&s->base, s->pc_curr + diff)) {
+        /*
+         * For pcrel, the pc must always be up-to-date on entry to
+         * the linked TB, so that it can use simple additions for all
+         * further adjustments.  For !pcrel, the linked TB is compiled
+         * to know its full virtual address, so we can delay the
+         * update to pc to the unlinked path.  A long chain of links
+         * can thus avoid many updates to the PC.
+         */
+        if (TARGET_TB_PCREL) {
+            gen_update_pc(s, diff);
+            tcg_gen_goto_tb(n);
+        } else {
+            tcg_gen_goto_tb(n);
+            gen_update_pc(s, diff);
+        }
         tcg_gen_exit_tb(s->base.tb, n);
     } else {
         gen_update_pc(s, diff);
@@ -XXX,XX +XXX,XX @@ static void gen_srs(DisasContext *s,
 static void arm_skip_unless(DisasContext *s, uint32_t cond)
 {
     arm_gen_condlabel(s);
-    arm_gen_test_cc(cond ^ 1, s->condlabel);
+    arm_gen_test_cc(cond ^ 1, s->condlabel.label);
 }
 
 
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
 {
     /* M-profile low-overhead while-loop start */
     TCGv_i32 tmp;
-    TCGLabel *nextlabel;
+    DisasLabel nextlabel;
 
     if (!dc_isar_feature(aa32_lob, s)) {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
         }
     }
 
-    nextlabel = gen_new_label();
-    tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_R[a->rn], 0, nextlabel);
+    nextlabel = gen_disas_label(s);
+    tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_R[a->rn], 0, nextlabel.label);
     tmp = load_reg(s, a->rn);
     store_reg(s, 14, tmp);
     if (a->size != 4) {
@@ -XXX,XX +XXX,XX @@ static bool trans_WLS(DisasContext *s, arg_WLS *a)
     }
     gen_jmp_tb(s, curr_insn_len(s), 1);
 
-    gen_set_label(nextlabel);
+    set_disas_label(s, nextlabel);
     gen_jmp(s, jmp_diff(s, a->imm));
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
      * any faster.
      */
     TCGv_i32 tmp;
-    TCGLabel *loopend;
+    DisasLabel loopend;
     bool fpu_active;
 
     if (!dc_isar_feature(aa32_lob, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
 
     if (!a->tp && dc_isar_feature(aa32_mve, s) && fpu_active) {
         /* Need to do a runtime check for LTPSIZE != 4 */
-        TCGLabel *skipexc = gen_new_label();
+        DisasLabel skipexc = gen_disas_label(s);
         tmp = load_cpu_field(v7m.ltpsize);
-        tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc);
+        tcg_gen_brcondi_i32(TCG_COND_EQ, tmp, 4, skipexc.label);
         tcg_temp_free_i32(tmp);
         gen_exception_insn(s, 0, EXCP_INVSTATE, syn_uncategorized());
-        gen_set_label(skipexc);
+        set_disas_label(s, skipexc);
     }
 
     if (a->f) {
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
      * loop decrement value is 1. For LETP we need to calculate the decrement
      * value from LTPSIZE.
      */
-    loopend = gen_new_label();
+    loopend = gen_disas_label(s);
     if (!a->tp) {
-        tcg_gen_brcondi_i32(TCG_COND_LEU, cpu_R[14], 1, loopend);
+        tcg_gen_brcondi_i32(TCG_COND_LEU, cpu_R[14], 1, loopend.label);
         tcg_gen_addi_i32(cpu_R[14], cpu_R[14], -1);
     } else {
         /*
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
         tcg_gen_shl_i32(decr, tcg_constant_i32(1), decr);
         tcg_temp_free_i32(ltpsize);
 
-        tcg_gen_brcond_i32(TCG_COND_LEU, cpu_R[14], decr, loopend);
+        tcg_gen_brcond_i32(TCG_COND_LEU, cpu_R[14], decr, loopend.label);
 
         tcg_gen_sub_i32(cpu_R[14], cpu_R[14], decr);
         tcg_temp_free_i32(decr);
@@ -XXX,XX +XXX,XX @@ static bool trans_LE(DisasContext *s, arg_LE *a)
     /* Jump back to the loop start */
     gen_jmp(s, jmp_diff(s, -a->imm));
 
-    gen_set_label(loopend);
+    set_disas_label(s, loopend);
     if (a->tp) {
         /* Exits from tail-pred loops must reset LTPSIZE to 4 */
         store_cpu_field(tcg_constant_i32(4), v7m.ltpsize);
@@ -XXX,XX +XXX,XX @@ static bool trans_CBZ(DisasContext *s, arg_CBZ *a)
 
     arm_gen_condlabel(s);
     tcg_gen_brcondi_i32(a->nz ? TCG_COND_EQ : TCG_COND_NE,
-                        tmp, 0, s->condlabel);
+                        tmp, 0, s->condlabel.label);
     tcg_temp_free_i32(tmp);
     gen_jmp(s, jmp_diff(s, a->imm));
     return true;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
 
     dc->isar = &cpu->isar;
     dc->condjmp = 0;
-
+    dc->pc_save = dc->base.pc_first;
     dc->aarch64 = false;
     dc->thumb = EX_TBFLAG_AM32(tb_flags, THUMB);
     dc->be_data = EX_TBFLAG_ANY(tb_flags, BE_DATA) ? MO_BE : MO_LE;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      */
     dc->eci = dc->condexec_mask = dc->condexec_cond = 0;
     dc->eci_handled = false;
-    dc->insn_eci_rewind = NULL;
     if (condexec & 0xf) {
         dc->condexec_mask = (condexec & 0xf) << 1;
         dc->condexec_cond = condexec >> 4;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      * fields here.
      */
     uint32_t condexec_bits;
+    target_ulong pc_arg = dc->base.pc_next;
 
+    if (TARGET_TB_PCREL) {
+        pc_arg &= ~TARGET_PAGE_MASK;
+    }
     if (dc->eci) {
         condexec_bits = dc->eci << 4;
     } else {
         condexec_bits = (dc->condexec_cond << 4) | (dc->condexec_mask >> 1);
     }
-    tcg_gen_insn_start(dc->base.pc_next, condexec_bits, 0);
+    tcg_gen_insn_start(pc_arg, condexec_bits, 0);
     dc->insn_start = tcg_last_op();
 }
 
@@ -XXX,XX +XXX,XX @@ static bool arm_check_ss_active(DisasContext *dc)
 
 static void arm_post_translate_insn(DisasContext *dc)
 {
-    if (dc->condjmp && !dc->base.is_jmp) {
-        gen_set_label(dc->condlabel);
+    if (dc->condjmp && dc->base.is_jmp == DISAS_NEXT) {
+        if (dc->pc_save != dc->condlabel.pc_save) {
+            gen_update_pc(dc, dc->condlabel.pc_save - dc->pc_save);
+        }
+        gen_set_label(dc->condlabel.label);
         dc->condjmp = 0;
     }
     translator_loop_temp_check(&dc->base);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     uint32_t pc = dc->base.pc_next;
     uint32_t insn;
     bool is_16bit;
+    /* TCG op to rewind to if this turns out to be an invalid ECI state */
+    TCGOp *insn_eci_rewind = NULL;
+    target_ulong insn_eci_pc_save = -1;
 
     /* Misaligned thumb PC is architecturally impossible. */
     assert((dc->base.pc_next & 1) == 0);
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          *     insn" case. We will rewind to the marker (ie throwing away
          *     all the generated code) and instead emit "take exception".
          */
-        dc->insn_eci_rewind = tcg_last_op();
+        insn_eci_rewind = tcg_last_op();
+        insn_eci_pc_save = dc->pc_save;
     }
 
     if (dc->condexec_mask && !thumb_insn_is_unconditional(dc, insn)) {
@@ -XXX,XX +XXX,XX @@ static void thumb_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
          * Insn wasn't valid for ECI/ICI at all: undo what we
          * just generated and instead emit an exception
          */
-        tcg_remove_ops_after(dc->insn_eci_rewind);
+        tcg_remove_ops_after(insn_eci_rewind);
+        dc->pc_save = insn_eci_pc_save;
         dc->condjmp = 0;
         gen_exception_insn(dc, 0, EXCP_INVSTATE, syn_uncategorized());
     }
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
 
     if (dc->condjmp) {
         /* "Condition failed" instruction codepath for the branch/trap insn */
-        gen_set_label(dc->condlabel);
+        set_disas_label(dc, dc->condlabel);
         gen_set_condexec(dc);
         if (unlikely(dc->ss_active)) {
             gen_update_pc(dc, curr_insn_len(dc));
@@ -XXX,XX +XXX,XX @@ void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
                           target_ulong *data)
 {
     if (is_a64(env)) {
-        env->pc = data[0];
+        if (TARGET_TB_PCREL) {
+            env->pc = (env->pc & TARGET_PAGE_MASK) | data[0];
+        } else {
+            env->pc = data[0];
+        }
         env->condexec_bits = 0;
         env->exception.syndrome = data[2] << ARM_INSN_START_WORD2_SHIFT;
     } else {
-        env->regs[15] = data[0];
+        if (TARGET_TB_PCREL) {
+            env->regs[15] = (env->regs[15] & TARGET_PAGE_MASK) | data[0];
+        } else {
+            env->regs[15] = data[0];
+        }
         env->condexec_bits = data[1];
         env->exception.syndrome = data[2] << ARM_INSN_START_WORD2_SHIFT;
     }
-- 
2.25.1

Currently the microdrive code uses device_legacy_reset() to reset
itself, and has its reset method call reset on the IDE bus as the
last thing it does.  Switch to using device_cold_reset().

The only concrete microdrive device is the TYPE_DSCM1XXXX; it is not
command-line pluggable, so it is used only by the old pxa2xx Arm
boards 'akita', 'borzoi', 'spitz', 'terrier' and 'tosa'.

You might think that this would result in the IDE bus being
reset automatically, but it does not, because the IDEBus type
does not set the BusClass::reset method. Instead the controller
must explicitly call ide_bus_reset(). We therefore leave that
call in md_reset().

Note also that because the PCMCIA card device is a direct subclass of
TYPE_DEVICE and we don't model the PCMCIA controller-to-card
interface as a qbus, PCMCIA cards are not on any qbus and so they
don't get reset when the system is reset.  The reset only happens via
the dscm1xxxx_attach() and dscm1xxxx_detach() functions during
machine creation.

Because our aim here is merely to try to get rid of calls to the
device_legacy_reset() function, we leave these other dubious
reset-related issues alone.  (They all stem from this code being
absolutely ancient.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20221013174042.1602926-1-peter.maydell@linaro.org
---
 hw/ide/microdrive.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/hw/ide/microdrive.c b/hw/ide/microdrive.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/ide/microdrive.c
+++ b/hw/ide/microdrive.c
@@ -XXX,XX +XXX,XX @@ static void md_attr_write(PCMCIACardState *card, uint32_t at, uint8_t value)
     case 0x00:	/* Configuration Option Register */
         s->opt = value & 0xcf;
         if (value & OPT_SRESET) {
-            device_legacy_reset(DEVICE(s));
+            device_cold_reset(DEVICE(s));
         }
         md_interrupt_update(s);
         break;
@@ -XXX,XX +XXX,XX @@ static void md_common_write(PCMCIACardState *card, uint32_t at, uint16_t value)
     case 0xe:	/* Device Control */
         s->ctrl = value;
         if (value & CTRL_SRST) {
-            device_legacy_reset(DEVICE(s));
+            device_cold_reset(DEVICE(s));
         }
         md_interrupt_update(s);
         break;
@@ -XXX,XX +XXX,XX @@ static int dscm1xxxx_attach(PCMCIACardState *card)
     md->attr_base = pcc->cis[0x74] | (pcc->cis[0x76] << 8);
     md->io_base = 0x0;
 
-    device_legacy_reset(DEVICE(md));
+    device_cold_reset(DEVICE(md));
     md_interrupt_update(md);
 
     return 0;
@@ -XXX,XX +XXX,XX @@ static int dscm1xxxx_detach(PCMCIACardState *card)
 {
     MicroDriveState *md = MICRODRIVE(card);
 
-    device_legacy_reset(DEVICE(md));
+    device_cold_reset(DEVICE(md));
     return 0;
 }
 
-- 
2.25.1