Series comparison

-[PULL 00/45] target-arm queue
+[PULL 00/21] target-arm queue
-I don't have anything else queued up at the moment, so this is just
+Hi; here's a target-arm pullreq to go in before softfreeze.
-Richard's SME patches.
+This is actually pretty much entirely bugfixes (since the
 SEL2 timers we implement here are a missing part of a feature
 we claim to already implement).
+thanks
 -- PMM
-The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:
+The following changes since commit 98c7362b1efe651327385a25874a73e008c6549e:
-  Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)
+  Merge tag 'accel-cpus-20250306' of https://github.com/philmd/qemu into staging (2025-03-07 07:39:49 +0800)
 are available in the Git repository at:
-  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711
+  https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250307
-for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:
+for you to fetch changes up to 0ce0739d46983e5e88fa9c149cb305689c9d8c6f:
-  linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)
+  target/rx: Remove TCG_CALL_NO_WG from helpers which write env (2025-03-07 15:03:20 +0000)
 ----------------------------------------------------------------
-target-arm:
+target-arm queue:
- * Implement SME emulation, for both system and linux-user
+ * hw/arm/smmu-common: Remove the repeated ttb field
  * hw/gpio: npcm7xx: fixup out-of-bounds access
  * tests/functional/test_arm_sx1: Check whether the serial console is working
  * target/arm: Fix minor bugs in generic timer register handling
  * target/arm: Implement SEL2 physical and virtual timers
  * target/arm: Correct STRD, LDRD atomicity and fault behaviour
  * target/arm: Make dummy debug registers RAZ, not NOP
  * util/qemu-timer.c: Don't warp timer from timerlist_rearm()
  * include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
  * hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
  * target/rx: Set exception vector base to 0xffffff80
  * target/rx: Remove TCG_CALL_NO_WG from helpers which write env
 ----------------------------------------------------------------
-Richard Henderson (45):
+Alex Bennée (4):
-      target/arm: Handle SME in aarch64_cpu_dump_state
+      target/arm: Implement SEL2 physical and virtual timers
-      target/arm: Add infrastructure for disas_sme
+      target/arm: Document the architectural names of our GTIMERs
-      target/arm: Trap non-streaming usage when Streaming SVE is active
+      hw/arm: enable secure EL2 timers for virt machine
-      target/arm: Mark ADR as non-streaming
+      hw/arm: enable secure EL2 timers for sbsa machine
       target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
       target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
       target/arm: Mark PMULL, FMMLA as non-streaming
       target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
       target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
       target/arm: Mark string/histo/crypto as non-streaming
       target/arm: Mark gather/scatter load/store as non-streaming
       target/arm: Mark gather prefetch as non-streaming
       target/arm: Mark LDFF1 and LDNF1 as non-streaming
       target/arm: Mark LD1RO as non-streaming
       target/arm: Add SME enablement checks
       target/arm: Handle SME in sve_access_check
       target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
       target/arm: Implement SME ZERO
       target/arm: Implement SME MOVA
       target/arm: Implement SME LD1, ST1
       target/arm: Export unpredicated ld/st from translate-sve.c
       target/arm: Implement SME LDR, STR
       target/arm: Implement SME ADDHA, ADDVA
       target/arm: Implement FMOPA, FMOPS (non-widening)
       target/arm: Implement BFMOPA, BFMOPS
       target/arm: Implement FMOPA, FMOPS (widening)
       target/arm: Implement SME integer outer product
       target/arm: Implement PSEL
       target/arm: Implement REVD
       target/arm: Implement SCLAMP, UCLAMP
       target/arm: Reset streaming sve state on exception boundaries
       target/arm: Enable SME for -cpu max
       linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
       linux-user/aarch64: Reset PSTATE.SM on syscalls
       linux-user/aarch64: Add SM bit to SVE signal context
       linux-user/aarch64: Tidy target_restore_sigframe error return
       linux-user/aarch64: Do not allow duplicate or short sve records
       linux-user/aarch64: Verify extra record lock succeeded
       linux-user/aarch64: Move sve record checks into restore
       linux-user/aarch64: Implement SME signal handling
       linux-user: Rename sve prctls
       linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
       target/arm: Only set ZEN in reset if SVE present
       target/arm: Enable SME for user-only
       linux-user/aarch64: Add SME related hwcap entries
- docs/system/arm/emulation.rst     |    4 +
+JianChunfu (2):
- linux-user/aarch64/target_cpu.h   |    5 +-
+      hw/arm/smmu-common: Remove the repeated ttb field
- linux-user/aarch64/target_prctl.h |   62 +-
+      hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
- target/arm/cpu.h                  |    7 +
- target/arm/helper-sme.h           |  126 ++++
+Keith Packard (2):
- target/arm/helper-sve.h           |    4 +
+      target/rx: Set exception vector base to 0xffffff80
- target/arm/helper.h               |   18 +
+      target/rx: Remove TCG_CALL_NO_WG from helpers which write env
- target/arm/translate-a64.h        |   45 ++
- target/arm/translate.h            |   16 +
+Patrick Venture (1):
- target/arm/sme-fa64.decode        |   60 ++
+      hw/gpio: npcm7xx: fixup out-of-bounds access
- target/arm/sme.decode             |   88 +++
- target/arm/sve.decode             |   41 +-
+Peter Maydell (11):
- linux-user/aarch64/cpu_loop.c     |    9 +
+      target/arm: Apply correct timer offset when calculating deadlines
- linux-user/aarch64/signal.c       |  243 ++++++--
+      target/arm: Don't apply CNTVOFF_EL2 for EL2_VIRT timer
- linux-user/elfload.c              |   20 +
+      target/arm: Make CNTPS_* UNDEF from Secure EL1 when Secure EL2 is enabled
- linux-user/syscall.c              |   28 +-
+      target/arm: Always apply CNTVOFF_EL2 for CNTV_TVAL_EL02 accesses
- target/arm/cpu.c                  |   35 +-
+      target/arm: Refactor handling of timer offset for direct register accesses
- target/arm/cpu64.c                |   11 +
+      target/arm: Correct LDRD atomicity and fault behaviour
- target/arm/helper.c               |   56 +-
+      target/arm: Correct STRD atomicity
- target/arm/sme_helper.c           | 1140 +++++++++++++++++++++++++++++++++++++
+      target/arm: Drop unused address_offset from op_addr_{rr, ri}_post()
- target/arm/sve_helper.c           |   28 +
+      target/arm: Make dummy debug registers RAZ, not NOP
- target/arm/translate-a64.c        |  103 +++-
+      util/qemu-timer.c: Don't warp timer from timerlist_rearm()
- target/arm/translate-sme.c        |  373 ++++++++++++
+      include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
- target/arm/translate-sve.c        |  393 ++++++++++---
- target/arm/translate-vfp.c        |   12 +
+Thomas Huth (1):
- target/arm/translate.c            |    2 +
+      tests/functional/test_arm_sx1: Check whether the serial console is working
- target/arm/vec_helper.c           |   24 +
- target/arm/meson.build            |    3 +
+ MAINTAINERS                      |   1 +
-files changed, 2821 insertions(+), 135 deletions(-)
+ hw/arm/smmu-internal.h           |   5 -
- create mode 100644 target/arm/sme-fa64.decode
+ include/exec/memop.h             |   8 +-
- create mode 100644 target/arm/sme.decode
+ include/hw/arm/bsa.h             |   2 +
- create mode 100644 target/arm/translate-sme.c
+ include/hw/arm/smmu-common.h     |   7 +-
  target/arm/cpu.h                 |   2 +
  target/arm/gtimer.h              |  14 +-
  target/arm/internals.h           |   5 +-
  target/rx/helper.h               |  34 ++--
  hw/arm/sbsa-ref.c                |   2 +
  hw/arm/smmu-common.c             |  21 +++
  hw/arm/smmuv3.c                  |  19 +--
  hw/arm/virt.c                    |   2 +
  hw/gpio/npcm7xx_gpio.c           |   3 +-
  target/arm/cpu.c                 |   4 +
  target/arm/debug_helper.c        |   7 +-
  target/arm/helper.c              | 324 ++++++++++++++++++++++++++++++++-------
  target/arm/tcg/op_helper.c       |   8 +-
  target/arm/tcg/translate.c       | 147 +++++++++++-------
  target/rx/helper.c               |   2 +-
  util/qemu-timer.c                |   4 -
  hw/arm/trace-events              |   3 +-
  tests/functional/test_arm_sx1.py |   7 +-
 files changed, 455 insertions(+), 176 deletions(-)

-[PULL 01/45] target/arm: Handle SME in aarch64_cpu_dump_state
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Dump SVCR, plus use the correct access check for Streaming Mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/cpu.c | 17 ++++++++++++++++-
-file changed, 16 insertions(+), 1 deletion(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
-+++ b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-     int i;
-     int el = arm_current_el(env);
-     const char *ns_status;
-+    bool sve;
-     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
-     for (i = 0; i < 32; i++) {
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-                  el,
-                  psr & PSTATE_SP ? 'h' : 't');
-+    if (cpu_isar_feature(aa64_sme, cpu)) {
-+        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
-+                     env->svcr,
-+                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
-+                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
-+    }
-     if (cpu_isar_feature(aa64_bti, cpu)) {
-         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
-     }
-@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
-                  vfp_get_fpcr(env), vfp_get_fpsr(env));
--    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
-+    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
-+        sve = sme_exception_el(env, el) == 0;
-+    } else if (cpu_isar_feature(aa64_sve, cpu)) {
-+        sve = sve_exception_el(env, el) == 0;
-+    } else {
-+        sve = false;
-+    }
-+
-+    if (sve) {
-         int j, zcr_len = sve_vqm1_for_el(env, el);
-         for (i = 0; i <= FFR_PRED_NUM; i++) {
---
-.25.1

-[PULL 44/45] target/arm: Enable SME for user-only
+[PULL 01/21] hw/arm/smmu-common: Remove the repeated ttb field
-From: Richard Henderson <richard.henderson@linaro.org>
+From: JianChunfu <jansef.jian@hj-micro.com>
-Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.
+SMMUTransCfg->ttb is never used in QEMU, TT base address
 can be accessed by SMMUTransCfg->tt[i]->ttb.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: JianChunfu <jansef.jian@hj-micro.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Eric Auger <eric.auger@redhat.com>
-Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
+Message-id: 20250221031034.69822-1-jansef.jian@hj-micro.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 11 +++++++++++
+ include/hw/arm/smmu-common.h | 1 -
-file changed, 11 insertions(+)
+file changed, 1 deletion(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/include/hw/arm/smmu-common.h
-+++ b/target/arm/cpu.c
++++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
-                                              CPACR_EL1, ZEN, 3);
+     /* Used by stage-1 only. */
-             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
+     bool aa64;                 /* arch64 or aarch32 translation table */
-         }
+     bool record_faults;        /* record fault events */
-+        /* and for SME instructions, with default vector length, and TPIDR2 */
+-    uint64_t ttb;              /* TT base address */
-+        if (cpu_isar_feature(aa64_sme, cpu)) {
+     uint8_t oas;               /* output address width */
-+            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
+     uint8_t tbi;               /* Top Byte Ignore */
-+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+     int asid;
 +                                             CPACR_EL1, SMEN, 3);
 +            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
 +            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
 +                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
 +                                                 SMCR, FA64, 1);
 +            }
 +        }
          /*
           * Enable 48-bit address space (TODO: take reserved_va into account).
           * Enable TBI0 but not TBI1.
 --
-.25.1
+.43.0

-[PULL 02/45] target/arm: Add infrastructure for disas_sme
+[PULL 02/21] hw/gpio: npcm7xx: fixup out-of-bounds access
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Patrick Venture <venture@google.com>
-This includes the build rules for the decoder, and the
+The reg isn't validated to be a possible register before
-new file for translation, but excludes any instructions.
+it's dereferenced for one case.  The mmio space registered
 for the gpio device is 4KiB but there aren't that many
 registers in the struct.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Cc: qemu-stable@nongnu.org
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Fixes: 526dbbe0874 ("hw/gpio: Add GPIO model for Nuvoton NPCM7xx")
-Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
+Signed-off-by: Patrick Venture <venture@google.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20250226024603.493148-1-venture@google.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/translate-a64.h |  1 +
+ hw/gpio/npcm7xx_gpio.c | 3 +--
- target/arm/sme.decode      | 20 ++++++++++++++++++++
+file changed, 1 insertion(+), 2 deletions(-)
  target/arm/translate-a64.c |  7 ++++++-
  target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
  target/arm/meson.build     |  2 ++
 files changed, 64 insertions(+), 1 deletion(-)
  create mode 100644 target/arm/sme.decode
  create mode 100644 target/arm/translate-sme.c
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/hw/gpio/npcm7xx_gpio.c
-+++ b/target/arm/translate-a64.h
++++ b/hw/gpio/npcm7xx_gpio.c
-@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
- }
+         return;
  bool disas_sve(DisasContext *, uint32_t);
 +bool disas_sme(DisasContext *, uint32_t);
  void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                     uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@
 +# AArch64 SME instruction descriptions
 +#
 +#  Copyright (c) 2022 Linaro, Ltd
 +#
 +# This library is free software; you can redistribute it and/or
 +# modify it under the terms of the GNU Lesser General Public
 +# License as published by the Free Software Foundation; either
 +# version 2.1 of the License, or (at your option) any later version.
 +#
 +# This library is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# Lesser General Public License for more details.
 +#
 +# You should have received a copy of the GNU Lesser General Public
 +# License along with this library; if not, see <http://www.gnu.org/licenses/>.
 +
 +#
 +# This file is processed by scripts/decodetree.py
 +#
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      }
-     switch (extract32(insn, 25, 4)) {
+-    diff = s->regs[reg] ^ value;
--    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
+-
-+    case 0x0:
+     switch (reg) {
-+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+     case NPCM7XX_GPIO_TLOCK1:
-+            unallocated_encoding(s);
+     case NPCM7XX_GPIO_TLOCK2:
-+        }
+@@ -XXX,XX +XXX,XX @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
-+        break;
+     case NPCM7XX_GPIO_PU:
-+    case 0x1: case 0x3: /* UNALLOCATED */
+     case NPCM7XX_GPIO_PD:
-         unallocated_encoding(s);
+     case NPCM7XX_GPIO_IEM:
 +        diff = s->regs[reg] ^ value;
          s->regs[reg] = value;
          npcm7xx_gpio_update_pins(s, diff);
          break;
-     case 0x2:
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-new file mode 100644
-index XXXXXXX..XXXXXXX
---- /dev/null
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@
-+/*
-+ * AArch64 SME translation
-+ *
-+ * Copyright (c) 2022 Linaro, Ltd
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+#include "qemu/osdep.h"
-+#include "cpu.h"
-+#include "tcg/tcg-op.h"
-+#include "tcg/tcg-op-gvec.h"
-+#include "tcg/tcg-gvec-desc.h"
-+#include "translate.h"
-+#include "exec/helper-gen.h"
-+#include "translate-a64.h"
-+#include "fpu/softfloat.h"
-+
-+
-+/*
-+ * Include the generated decoder.
-+ */
-+
-+#include "decode-sme.c.inc"
-diff --git a/target/arm/meson.build b/target/arm/meson.build
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/meson.build
-+++ b/target/arm/meson.build
-@@ -XXX,XX +XXX,XX @@
- gen = [
-   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
-+  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
-   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
-   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
-   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
-@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
-   'sme_helper.c',
-   'translate-a64.c',
-   'translate-sve.c',
-+  'translate-sme.c',
- ))
- arm_softmmu_ss = ss.source_set()
 --
-.25.1
+.43.0

-[PULL 43/45] target/arm: Only set ZEN in reset if SVE present
+[PULL 03/21] tests/functional/test_arm_sx1: Check whether the serial console is working
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Thomas Huth <thuth@redhat.com>
-There's no reason to set CPACR_EL1.ZEN if SVE disabled.
+The kernel that is used in the sx1 test prints the usual Linux log
 onto the serial console, but this test currently ignores it. To
 make sure that the serial device is working properly, let's check
 for some strings in the output here.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+While we're at it, also add the test to the corresponding section
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+in the MAINTAINERS file.
-Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
 Signed-off-by: Thomas Huth <thuth@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20250226104833.1176253-1-thuth@redhat.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.c | 7 +++----
+ MAINTAINERS                      | 1 +
-file changed, 3 insertions(+), 4 deletions(-)
+ tests/functional/test_arm_sx1.py | 7 ++++---
 files changed, 5 insertions(+), 3 deletions(-)
-diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+diff --git a/MAINTAINERS b/MAINTAINERS
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu.c
+--- a/MAINTAINERS
-+++ b/target/arm/cpu.c
++++ b/MAINTAINERS
-@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
+@@ -XXX,XX +XXX,XX @@ S: Maintained
-         /* and to the FP/Neon instructions */
+ F: hw/*/omap*
-         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+ F: include/hw/arm/omap.h
-                                          CPACR_EL1, FPEN, 3);
+ F: docs/system/arm/sx1.rst
--        /* and to the SVE instructions */
++F: tests/functional/test_arm_sx1.py
--        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
--                                         CPACR_EL1, ZEN, 3);
+ IPack
--        /* with reasonable vector length */
+ M: Alberto Garcia <berto@igalia.com>
-+        /* and to the SVE instructions, with default vector length */
+diff --git a/tests/functional/test_arm_sx1.py b/tests/functional/test_arm_sx1.py
-         if (cpu_isar_feature(aa64_sve, cpu)) {
+index XXXXXXX..XXXXXXX 100755
-+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+--- a/tests/functional/test_arm_sx1.py
-+                                             CPACR_EL1, ZEN, 3);
++++ b/tests/functional/test_arm_sx1.py
-             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
+@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_initrd(self):
-         }
+         self.vm.add_args('-append', f'kunit.enable=0 rdinit=/sbin/init {self.CONSOLE_ARGS}')
-         /*
+         self.vm.add_args('-no-reboot')
          self.launch_kernel(zimage_path,
 -                           initrd=initrd_path)
 +                           initrd=initrd_path,
 +                           wait_for='Boot successful')
          self.vm.wait(timeout=120)
      def test_arm_sx1_sd(self):
@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_sd(self):
          self.vm.add_args('-no-reboot')
          self.vm.add_args('-snapshot')
          self.vm.add_args('-drive', f'format=raw,if=sd,file={sd_fs_path}')
 -        self.launch_kernel(zimage_path)
 +        self.launch_kernel(zimage_path, wait_for='Boot successful')
          self.vm.wait(timeout=120)
      def test_arm_sx1_flash(self):
@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_flash(self):
          self.vm.add_args('-no-reboot')
          self.vm.add_args('-snapshot')
          self.vm.add_args('-drive', f'format=raw,if=pflash,file={flash_path}')
 -        self.launch_kernel(zimage_path)
 +        self.launch_kernel(zimage_path, wait_for='Boot successful')
          self.vm.wait(timeout=120)
  if __name__ == '__main__':
 --
-.25.1
+.43.0

-[PULL 40/45] linux-user/aarch64: Implement SME signal handling
+[PULL 04/21] target/arm: Apply correct timer offset when calculating deadlines
-From: Richard Henderson <richard.henderson@linaro.org>
+When we are calculating timer deadlines, the correct definition of
 whether or not to apply an offset to the physical count is described
 in the Arm ARM DDI4087 rev L.a section D12.2.4.1.  This is different
 from when the offset should be applied for a direct read of the
 counter sysreg.
-Set the SM bit in the SVE record on signal delivery, create the ZA record.
+We got this right for the EL1 physical timer and for the EL1 virtual
-Restore SM and ZA state according to the records present on return.
+timer, but got all the rest wrong: they should be using a zero offset
 always.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Factor the offset calculation out into a function that has a comment
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+documenting exactly which offset it is calculating and which gets the
-Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
+HYP, SEC, and HYPVIRT cases right.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250204125009.2281315-2-peter.maydell@linaro.org
 ---
- linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
+ target/arm/helper.c | 29 +++++++++++++++++++++++++++--
-file changed, 154 insertions(+), 13 deletions(-)
+file changed, 27 insertions(+), 2 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/helper.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
+@@ -XXX,XX +XXX,XX @@ static uint64_t gt_phys_cnt_offset(CPUARMState *env)
+     return gt_phys_raw_cnt_offset(env);
  #define TARGET_SVE_SIG_FLAG_SM  1
 +#define TARGET_ZA_MAGIC        0x54366345
 +
 +struct target_za_context {
 +    struct target_aarch64_ctx head;
 +    uint16_t vl;
 +    uint16_t reserved[3];
 +    /* The actual ZA data immediately follows. */
 +};
 +
 +#define TARGET_ZA_SIG_REGS_OFFSET \
 +    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
 +#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
 +    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
 +#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
 +    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
  }
- static void target_setup_sve_record(struct target_sve_context *sve,
++static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
 -                                    CPUARMState *env, int vq, int size)
 +                                    CPUARMState *env, int size)
  {
 -    int i, j;
 +    int i, j, vq = sve_vq(env);
      memset(sve, 0, sizeof(*sve));
      __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
      }
  }
 +static void target_setup_za_record(struct target_za_context *za,
 +                                   CPUARMState *env, int size)
 +{
-+    int vq = sme_vq(env);
-+    int vl = vq * TARGET_SVE_VQ_BYTES;
-+    int i, j;
-+
-+    memset(za, 0, sizeof(*za));
-+    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
-+    __put_user(size, &za->head.size);
-+    __put_user(vl, &za->vl);
-+
-+    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
-+        return;
-+    }
-+    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
-+
 +    /*
-+     * Note that ZA vectors are stored as a byte stream,
++     * Return the timer offset to use for indirect accesses to the timer.
-+     * with each byte element at a subsequent address.
++     * This is the Offset value as defined in D12.2.4.1 "Operation of the
 +     * CompareValue views of the timers".
 +     *
 +     * The condition here is not always the same as the condition for
 +     * whether to apply an offset register when doing a direct read of
 +     * the counter sysreg; those conditions are described in the
 +     * access pseudocode for each counter register.
 +     */
-+    for (i = 0; i < vl; ++i) {
++    switch (timeridx) {
-+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
++    case GTIMER_PHYS:
-+        for (j = 0; j < vq * 2; ++j) {
++        return gt_phys_raw_cnt_offset(env);
-+            __put_user_e(env->zarray[i].d[j], z + j, le);
++    case GTIMER_VIRT:
-+        }
++        return env->cp15.cntvoff_el2;
 +    case GTIMER_HYP:
 +    case GTIMER_SEC:
 +    case GTIMER_HYPVIRT:
 +        return 0;
 +    default:
 +        g_assert_not_reached();
 +    }
 +}
 +
- static void target_restore_general_frame(CPUARMState *env,
+ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
                                           struct target_rt_sigframe *sf)
  {
-@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
+     ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
+@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
- static bool target_restore_sve_record(CPUARMState *env,
+          * Timer enabled: calculate and set current ISTATUS, irq, and
-                                       struct target_sve_context *sve,
+          * reset timer to when ISTATUS next has to change
--                                      int size)
+          */
-+                                      int size, int *svcr)
+-        uint64_t offset = timeridx == GTIMER_VIRT ?
- {
+-            cpu->env.cp15.cntvoff_el2 : gt_phys_raw_cnt_offset(&cpu->env);
--    int i, j, vl, vq;
++        uint64_t offset = gt_indirect_access_timer_offset(&cpu->env, timeridx);
-+    int i, j, vl, vq, flags;
+         uint64_t count = gt_get_countervalue(&cpu->env);
-+    bool sm;
+         /* Note that this must be unsigned 64 bit arithmetic: */
+         int istatus = count - offset >= gt->cval;
 -    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 +    __get_user(vl, &sve->vl);
 +    __get_user(flags, &sve->flags);
 +
 +    sm = flags & TARGET_SVE_SIG_FLAG_SM;
 +
 +    /* The cpu must support Streaming or Non-streaming SVE. */
 +    if (sm
 +        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
 +        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
          return false;
      }
 -    __get_user(vl, &sve->vl);
 -    vq = sve_vq(env);
 +    /*
 +     * Note that we cannot use sve_vq() because that depends on the
 +     * current setting of PSTATE.SM, not the state to be restored.
 +     */
 +    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
      /* Reject mismatched VL. */
      if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
          return false;
      }
 +    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
 +
      /*
       * Note that SVE regs are stored as a byte stream, with each byte element
       * at a subsequent address.  This corresponds to a little-endian load
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
      return true;
  }
 +static bool target_restore_za_record(CPUARMState *env,
 +                                     struct target_za_context *za,
 +                                     int size, int *svcr)
 +{
 +    int i, j, vl, vq;
 +
 +    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        return false;
 +    }
 +
 +    __get_user(vl, &za->vl);
 +    vq = sme_vq(env);
 +
 +    /* Reject mismatched VL. */
 +    if (vl != vq * TARGET_SVE_VQ_BYTES) {
 +        return false;
 +    }
 +
 +    /* Accept empty record -- used to clear PSTATE.ZA. */
 +    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
 +        return true;
 +    }
 +
 +    /* Reject non-empty but incomplete record. */
 +    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
 +        return false;
 +    }
 +
 +    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
 +
 +    for (i = 0; i < vl; ++i) {
 +        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
 +        for (j = 0; j < vq * 2; ++j) {
 +            __get_user_e(env->zarray[i].d[j], z + j, le);
 +        }
 +    }
 +    return true;
 +}
 +
  static int target_restore_sigframe(CPUARMState *env,
                                     struct target_rt_sigframe *sf)
  {
      struct target_aarch64_ctx *ctx, *extra = NULL;
      struct target_fpsimd_context *fpsimd = NULL;
      struct target_sve_context *sve = NULL;
 +    struct target_za_context *za = NULL;
      uint64_t extra_datap = 0;
      bool used_extra = false;
      int sve_size = 0;
 +    int za_size = 0;
 +    int svcr = 0;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              sve_size = size;
              break;
 +        case TARGET_ZA_MAGIC:
 +            if (za || size < sizeof(struct target_za_context)) {
 +                goto err;
 +            }
 +            za = (struct target_za_context *)ctx;
 +            za_size = size;
 +            break;
 +
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
                  goto err;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
 -    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
 +    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
          goto err;
      }
 +    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
 +        goto err;
 +    }
 +    if (env->svcr != svcr) {
 +        env->svcr = svcr;
 +        arm_rebuild_hflags(env);
 +    }
      unlock_user(extra, extra_datap, 0);
      return 0;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          .total_size = offsetof(struct target_rt_sigframe,
                                 uc.tuc_mcontext.__reserved),
      };
 -    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
 +    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
 +    int sve_size = 0, za_size = 0;
      struct target_rt_sigframe *frame;
      struct target_rt_frame_record *fr;
      abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                        &layout);
      /* SVE state needs saving only if it exists.  */
 -    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 -        vq = sve_vq(env);
 -        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 +    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
 +        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
          sve_ofs = alloc_sigframe_space(sve_size, &layout);
      }
 +    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
 +        /* ZA state needs saving only if it is enabled.  */
 +        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
 +            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
 +        } else {
 +            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
 +        }
 +        za_ofs = alloc_sigframe_space(za_size, &layout);
 +    }
      if (layout.extra_ofs) {
          /* Reserve space for the extra end marker.  The standard end marker
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          target_setup_end_record((void *)frame + layout.extra_end_ofs);
      }
      if (sve_ofs) {
 -        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
 +        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
 +    }
 +    if (za_ofs) {
 +        target_setup_za_record((void *)frame + za_ofs, env, za_size);
      }
      /* Set up the stack frame for unwinding.  */
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
          env->btype = 2;
      }
 +    /*
 +     * Invoke the signal handler with both SM and ZA disabled.
 +     * When clearing SM, ResetSVEState, per SMSTOP.
 +     */
 +    if (FIELD_EX64(env->svcr, SVCR, SM)) {
 +        arm_reset_sve_state(env);
 +    }
 +    if (env->svcr) {
 +        env->svcr = 0;
 +        arm_rebuild_hflags(env);
 +    }
 +
      if (info) {
          tswap_siginfo(&frame->info, info);
          env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
 --
-.25.1
+.43.0

-[PULL 31/45] target/arm: Reset streaming sve state on exception boundaries
+[PULL 05/21] target/arm: Don't apply CNTVOFF_EL2 for EL2_VIRT timer
-From: Richard Henderson <richard.henderson@linaro.org>
+The CNTVOFF_EL2 offset register should only be applied for accessses
 to CNTVCT_EL0 and for the EL1 virtual timer (CNTV_*).  We were
 incorrectly applying it for the EL2 virtual timer (CNTHV_*).
-We can handle both exception entry and exception return by
+Cc: qemu-stable@nongnu.org
 hooking into aarch64_sve_change_el.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250204125009.2281315-3-peter.maydell@linaro.org
 ---
- target/arm/helper.c | 15 +++++++++++++--
+ target/arm/helper.c | 2 --
-file changed, 13 insertions(+), 2 deletions(-)
+file changed, 2 deletions(-)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
+@@ -XXX,XX +XXX,XX @@ static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
-         return;
-     }
+     switch (timeridx) {
+     case GTIMER_VIRT:
-+    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+-    case GTIMER_HYPVIRT:
-+    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
+         offset = gt_virt_cnt_offset(env);
-+
+         break;
-+    /*
+     case GTIMER_PHYS:
-+     * Both AArch64.TakeException and AArch64.ExceptionReturn
+@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+     * invoke ResetSVEState when taking an exception from, or
-+     * returning to, AArch32 state when PSTATE.SM is enabled.
+     switch (timeridx) {
-+     */
+     case GTIMER_VIRT:
-+    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
+-    case GTIMER_HYPVIRT:
-+        arm_reset_sve_state(env);
+         offset = gt_virt_cnt_offset(env);
-+        return;
+         break;
-+    }
+     case GTIMER_PHYS:
 +
      /*
       * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
       * at ELx, or not available because the EL is in AArch32 state, then
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
       * we already have the correct register contents when encountering the
       * vq0->vq0 transition between EL0->EL1.
       */
 -    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
      old_len = (old_a64 && !sve_exception_el(env, old_el)
                 ? sve_vqm1_for_el(env, old_el) : 0);
 -    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
      new_len = (new_a64 && !sve_exception_el(env, new_el)
                 ? sve_vqm1_for_el(env, new_el) : 0);
 --
-.25.1
+.43.0

-[PULL 38/45] linux-user/aarch64: Verify extra record lock succeeded
+[PULL 06/21] target/arm: Make CNTPS_* UNDEF from Secure EL1 when Secure EL2 is enabled
-From: Richard Henderson <richard.henderson@linaro.org>
+When we added Secure EL2 support, we missed that this needs an update
 to the access code for the EL3 physical timer registers.  These are
 supposed to UNDEF from Secure EL1 when Secure EL2 is enabled.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+(Note for stable backporting: for backports to branches where
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+CP_ACCESS_UNDEFINED is not defined, the old name to use instead
-Message-id: 20220708151540.18136-39-richard.henderson@linaro.org
+is CP_ACCESS_TRAP_UNCATEGORIZED.)
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250204125009.2281315-4-peter.maydell@linaro.org
 ---
- linux-user/aarch64/signal.c | 3 +++
+ target/arm/helper.c | 3 +++
 file changed, 3 insertions(+)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/arm/helper.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
-             __get_user(extra_size,
+         if (!arm_is_secure(env)) {
-                        &((struct target_extra_context *)ctx)->size);
+             return CP_ACCESS_UNDEFINED;
-             extra = lock_user(VERIFY_READ, extra_datap, extra_size, 0);
+         }
-+            if (!extra) {
++        if (arm_is_el2_enabled(env)) {
-+                return 1;
++            return CP_ACCESS_UNDEFINED;
-+            }
++        }
-             break;
+         if (!(env->cp15.scr_el3 & SCR_ST)) {
+             return CP_ACCESS_TRAP_EL3;
-         default:
+         }
 --
-.25.1
+.43.0

-[PULL 19/45] target/arm: Implement SME MOVA
+[PULL 07/21] target/arm: Always apply CNTVOFF_EL2 for CNTV_TVAL_EL02 accesses
-From: Richard Henderson <richard.henderson@linaro.org>
+Currently we handle CNTV_TVAL_EL02 by calling gt_tval_read() for the
 EL1 virt timer.  This is almost correct, but the underlying
 CNTV_TVAL_EL0 register behaves slightly differently.  CNTV_TVAL_EL02
 always applies the CNTVOFF_EL2 offset; CNTV_TVAL_EL0 doesn't do so if
 we're at EL2 and HCR_EL2.E2H is 1.
-We can reuse the SVE functions for implementing moves to/from
+We were getting this wrong, because we ended up in
-horizontal tile slices, but we need new ones for moves to/from
+gt_virt_cnt_offset() and did the E2H check.
 vertical tile slices.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Factor out the tval read/write calculation from the selection of the
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+offset, so that we can special case gt_virt_tval_read() and
-Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
+gt_virt_tval_write() to unconditionally pass CNTVOFF_EL2.
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250204125009.2281315-5-peter.maydell@linaro.org
 ---
- target/arm/helper-sme.h    |  12 +++
+ target/arm/helper.c | 36 +++++++++++++++++++++++++++---------
- target/arm/helper-sve.h    |   2 +
+file changed, 27 insertions(+), 9 deletions(-)
  target/arm/translate-a64.h |   8 ++
  target/arm/translate.h     |   5 ++
  target/arm/sme.decode      |  15 ++++
  target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
  target/arm/sve_helper.c    |  12 +++
  target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
 files changed, 331 insertions(+), 1 deletion(-)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/helper.c
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
+@@ -XXX,XX +XXX,XX @@ static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
- DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
+     gt_recalc_timer(env_archcpu(env), timeridx);
  DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
 +
 +/* Move to/from vertical array slices, i.e. columns, so 'c'.  */
 +DEF_HELPER_FLAGS_4(sme_mova_cz_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper-sve.h
 +++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sve_sel_zpzz_s, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve_sel_zpzz_d, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_5(sve_sel_zpzz_q, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_5(sve2_addp_zpzz_b, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, i32)
 diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.h
 +++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
      return size_for_gvec(pred_full_reg_size(s));
  }
-+/* Return a newly allocated pointer to the predicate register.  */
++static uint64_t do_tval_read(CPUARMState *env, int timeridx, uint64_t offset)
 +static inline TCGv_ptr pred_full_reg_ptr(DisasContext *s, int regno)
 +{
-+    TCGv_ptr ret = tcg_temp_new_ptr();
++    return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
-+    tcg_gen_addi_ptr(ret, cpu_env, pred_full_reg_offset(s, regno));
++                      (gt_get_countervalue(env) - offset));
 +    return ret;
 +}
 +
- bool disas_sve(DisasContext *, uint32_t);
+ static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
- bool disas_sme(DisasContext *, uint32_t);
+                              int timeridx)
+ {
-diff --git a/target/arm/translate.h b/target/arm/translate.h
+@@ -XXX,XX +XXX,XX @@ static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
-index XXXXXXX..XXXXXXX 100644
+         break;
---- a/target/arm/translate.h
+     }
-+++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ static inline int plus_2(DisasContext *s, int x)
+-    return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
-     return x + 2;
+-                      (gt_get_countervalue(env) - offset));
- }
++    return do_tval_read(env, timeridx, offset);
 +static inline int plus_12(DisasContext *s, int x)
 +{
 +    return x + 12;
 +}
 +
- static inline int times_2(DisasContext *s, int x)
++static void do_tval_write(CPUARMState *env, int timeridx, uint64_t value,
 +                          uint64_t offset)
 +{
 +    trace_arm_gt_tval_write(timeridx, value);
 +    env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
 +                                         sextract64(value, 0, 32);
 +    gt_recalc_timer(env_archcpu(env), timeridx);
  }
  static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
          offset = gt_phys_cnt_offset(env);
          break;
      }
 -
 -    trace_arm_gt_tval_write(timeridx, value);
 -    env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
 -                                         sextract64(value, 0, 32);
 -    gt_recalc_timer(env_archcpu(env), timeridx);
 +    do_tval_write(env, timeridx, value, offset);
  }
  static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
  static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
-     return x * 2;
+-    return gt_tval_read(env, ri, GTIMER_VIRT);
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
++    /*
-index XXXXXXX..XXXXXXX 100644
++     * This is CNTV_TVAL_EL02; unlike the underlying CNTV_TVAL_EL0
---- a/target/arm/sme.decode
++     * we always apply CNTVOFF_EL2. Special case that here rather
-+++ b/target/arm/sme.decode
++     * than going into the generic gt_tval_read() and then having
-@@ -XXX,XX +XXX,XX @@
++     * to re-detect that it's this register.
- ### SME Misc
++     * Note that the accessfn/perms mean we know we're at EL2 or EL3 here.
++     */
- ZERO            11000000 00 001 00000000000 imm:8
++    return do_tval_read(env, GTIMER_VIRT, env->cp15.cntvoff_el2);
 +
 +### SME Move into/from Array
 +
 +%mova_rs        13:2 !function=plus_12
 +&mova           esz rs pg zr za_imm v:bool to_vec:bool
 +
 +MOVA            11000000 esz:2 00000 0 v:1 .. pg:3 zr:5 0 za_imm:4  \
 +                &mova to_vec=0 rs=%mova_rs
 +MOVA            11000000 11    00000 1 v:1 .. pg:3 zr:5 0 za_imm:4  \
 +                &mova to_vec=0 rs=%mova_rs esz=4
 +
 +MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
 +                &mova to_vec=1 rs=%mova_rs
 +MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
 +                &mova to_vec=1 rs=%mova_rs esz=4
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "cpu.h"
 -#include "internals.h"
 +#include "tcg/tcg-gvec-desc.h"
  #include "exec/helper-proto.h"
 +#include "qemu/int128.h"
 +#include "vec_internal.h"
  /* ResetSVEState */
  void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
          }
      }
  }
-+
-+
+ static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+/*
+                                uint64_t value)
-+ * When considering the ZA storage as an array of elements of
+ {
-+ * type T, the index within that array of the Nth element of
+-    gt_tval_write(env, ri, GTIMER_VIRT, value);
-+ * a vertical slice of a tile can be calculated like this,
++    /* Similarly for writes to CNTV_TVAL_EL02 */
-+ * regardless of the size of type T. This is because the tiles
++    do_tval_write(env, GTIMER_VIRT, value, env->cp15.cntvoff_el2);
 + * are interleaved, so if type T is size N bytes then row 1 of
 + * the tile is N rows away from row 0. The division by N to
 + * convert a byte offset into an array index and the multiplication
 + * by N to convert from vslice-index-within-the-tile to
 + * the index within the ZA storage cancel out.
 + */
 +#define tile_vslice_index(i) ((i) * sizeof(ARMVectorReg))
 +
 +/*
 + * When doing byte arithmetic on the ZA storage, the element
 + * byteoff bytes away in a tile vertical slice is always this
 + * many bytes away in the ZA storage, regardless of the
 + * size of the tile element, assuming that byteoff is a multiple
 + * of the element size. Again this is because of the interleaving
 + * of the tiles. For instance if we have 1 byte per element then
 + * each row of the ZA storage has one byte of the vslice data,
 + * and (counting from 0) byte 8 goes in row 8 of the storage
 + * at offset (8 * row-size-in-bytes).
 + * If we have 8 bytes per element then each row of the ZA storage
 + * has 8 bytes of the data, but there are 8 interleaved tiles and
 + * so byte 8 of the data goes into row 1 of the tile,
 + * which is again row 8 of the storage, so the offset is still
 + * (8 * row-size-in-bytes). Similarly for other element sizes.
 + */
 +#define tile_vslice_offset(byteoff) ((byteoff) * sizeof(ARMVectorReg))
 +
 +
 +/*
 + * Move Zreg vector to ZArray column.
 + */
 +#define DO_MOVA_C(NAME, TYPE, H)                                        \
 +void HELPER(NAME)(void *za, void *vn, void *vg, uint32_t desc)          \
 +{                                                                       \
 +    int i, oprsz = simd_oprsz(desc);                                    \
 +    for (i = 0; i < oprsz; ) {                                          \
 +        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
 +        do {                                                            \
 +            if (pg & 1) {                                               \
 +                *(TYPE *)(za + tile_vslice_offset(i)) = *(TYPE *)(vn + H(i)); \
 +            }                                                           \
 +            i += sizeof(TYPE);                                          \
 +            pg >>= sizeof(TYPE);                                        \
 +        } while (i & 15);                                               \
 +    }                                                                   \
 +}
 +
 +DO_MOVA_C(sme_mova_cz_b, uint8_t, H1)
 +DO_MOVA_C(sme_mova_cz_h, uint16_t, H1_2)
 +DO_MOVA_C(sme_mova_cz_s, uint32_t, H1_4)
 +
 +void HELPER(sme_mova_cz_d)(void *za, void *vn, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pg = vg;
 +    uint64_t *n = vn;
 +    uint64_t *a = za;
 +
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H1(i)] & 1) {
 +            a[tile_vslice_index(i)] = n[i];
 +        }
 +    }
 +}
 +
 +void HELPER(sme_mova_cz_q)(void *za, void *vn, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 16;
 +    uint16_t *pg = vg;
 +    Int128 *n = vn;
 +    Int128 *a = za;
 +
 +    /*
 +     * Int128 is used here simply to copy 16 bytes, and to simplify
 +     * the address arithmetic.
 +     */
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H2(i)] & 1) {
 +            a[tile_vslice_index(i)] = n[i];
 +        }
 +    }
 +}
 +
 +#undef DO_MOVA_C
 +
 +/*
 + * Move ZArray column to Zreg vector.
 + */
 +#define DO_MOVA_Z(NAME, TYPE, H)                                        \
 +void HELPER(NAME)(void *vd, void *za, void *vg, uint32_t desc)          \
 +{                                                                       \
 +    int i, oprsz = simd_oprsz(desc);                                    \
 +    for (i = 0; i < oprsz; ) {                                          \
 +        uint16_t pg = *(uint16_t *)(vg + H1_2(i >> 3));                 \
 +        do {                                                            \
 +            if (pg & 1) {                                               \
 +                *(TYPE *)(vd + H(i)) = *(TYPE *)(za + tile_vslice_offset(i)); \
 +            }                                                           \
 +            i += sizeof(TYPE);                                          \
 +            pg >>= sizeof(TYPE);                                        \
 +        } while (i & 15);                                               \
 +    }                                                                   \
 +}
 +
 +DO_MOVA_Z(sme_mova_zc_b, uint8_t, H1)
 +DO_MOVA_Z(sme_mova_zc_h, uint16_t, H1_2)
 +DO_MOVA_Z(sme_mova_zc_s, uint32_t, H1_4)
 +
 +void HELPER(sme_mova_zc_d)(void *vd, void *za, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 8;
 +    uint8_t *pg = vg;
 +    uint64_t *d = vd;
 +    uint64_t *a = za;
 +
 +    for (i = 0; i < oprsz; i++) {
 +        if (pg[H1(i)] & 1) {
 +            d[i] = a[tile_vslice_index(i)];
 +        }
 +    }
 +}
 +
 +void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
 +{
 +    int i, oprsz = simd_oprsz(desc) / 16;
 +    uint16_t *pg = vg;
 +    Int128 *d = vd;
 +    Int128 *a = za;
 +
 +    /*
 +     * Int128 is used here simply to copy 16 bytes, and to simplify
 +     * the address arithmetic.
 +     */
 +    for (i = 0; i < oprsz; i++, za += sizeof(ARMVectorReg)) {
 +        if (pg[H2(i)] & 1) {
 +            d[i] = a[tile_vslice_index(i)];
 +        }
 +    }
 +}
 +
 +#undef DO_MOVA_Z
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(sve_sel_zpzz_d)(void *vd, void *vn, void *vm,
      }
  }
-+void HELPER(sve_sel_zpzz_q)(void *vd, void *vn, void *vm,
+ static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
 +                            void *vg, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc) / 16;
 +    Int128 *d = vd, *n = vn, *m = vm;
 +    uint16_t *pg = vg;
 +
 +    for (i = 0; i < opr_sz; i += 1) {
 +        d[i] = (pg[H2(i)] & 1 ? n : m)[i];
 +    }
 +}
 +
  /* Two operand comparison controlled by a predicate.
   * ??? It is very tempting to want to be able to expand this inline
   * with x86 instructions, e.g.
 diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sme.c
 +++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
  #include "decode-sme.c.inc"
 +/*
 + * Resolve tile.size[index] to a host pointer, where tile and index
 + * are always decoded together, dependent on the element size.
 + */
 +static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,
 +                                int tile_index, bool vertical)
 +{
 +    int tile = tile_index >> (4 - esz);
 +    int index = esz == MO_128 ? 0 : extract32(tile_index, 0, 4 - esz);
 +    int pos, len, offset;
 +    TCGv_i32 tmp;
 +    TCGv_ptr addr;
 +
 +    /* Compute the final index, which is Rs+imm. */
 +    tmp = tcg_temp_new_i32();
 +    tcg_gen_trunc_tl_i32(tmp, cpu_reg(s, rs));
 +    tcg_gen_addi_i32(tmp, tmp, index);
 +
 +    /* Prepare a power-of-two modulo via extraction of @len bits. */
 +    len = ctz32(streaming_vec_reg_size(s)) - esz;
 +
 +    if (vertical) {
 +        /*
 +         * Compute the byte offset of the index within the tile:
 +         *     (index % (svl / size)) * size
 +         *   = (index % (svl >> esz)) << esz
 +         * Perform the power-of-two modulo via extraction of the low @len bits.
 +         * Perform the multiply by shifting left by @pos bits.
 +         * Perform these operations simultaneously via deposit into zero.
 +         */
 +        pos = esz;
 +        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
 +
 +        /*
 +         * For big-endian, adjust the indexed column byte offset within
 +         * the uint64_t host words that make up env->zarray[].
 +         */
 +        if (HOST_BIG_ENDIAN && esz < MO_64) {
 +            tcg_gen_xori_i32(tmp, tmp, 8 - (1 << esz));
 +        }
 +    } else {
 +        /*
 +         * Compute the byte offset of the index within the tile:
 +         *     (index % (svl / size)) * (size * sizeof(row))
 +         *   = (index % (svl >> esz)) << (esz + log2(sizeof(row)))
 +         */
 +        pos = esz + ctz32(sizeof(ARMVectorReg));
 +        tcg_gen_deposit_z_i32(tmp, tmp, pos, len);
 +
 +        /* Row slices are always aligned and need no endian adjustment. */
 +    }
 +
 +    /* The tile byte offset within env->zarray is the row. */
 +    offset = tile * sizeof(ARMVectorReg);
 +
 +    /* Include the byte offset of zarray to make this relative to env. */
 +    offset += offsetof(CPUARMState, zarray);
 +    tcg_gen_addi_i32(tmp, tmp, offset);
 +
 +    /* Add the byte offset to env to produce the final pointer. */
 +    addr = tcg_temp_new_ptr();
 +    tcg_gen_ext_i32_ptr(addr, tmp);
 +    tcg_temp_free_i32(tmp);
 +    tcg_gen_add_ptr(addr, addr, cpu_env);
 +
 +    return addr;
 +}
 +
  static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
  {
      if (!dc_isar_feature(aa64_sme, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
      }
      return true;
  }
 +
 +static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
 +{
 +    static gen_helper_gvec_4 * const h_fns[5] = {
 +        gen_helper_sve_sel_zpzz_b, gen_helper_sve_sel_zpzz_h,
 +        gen_helper_sve_sel_zpzz_s, gen_helper_sve_sel_zpzz_d,
 +        gen_helper_sve_sel_zpzz_q
 +    };
 +    static gen_helper_gvec_3 * const cz_fns[5] = {
 +        gen_helper_sme_mova_cz_b, gen_helper_sme_mova_cz_h,
 +        gen_helper_sme_mova_cz_s, gen_helper_sme_mova_cz_d,
 +        gen_helper_sme_mova_cz_q,
 +    };
 +    static gen_helper_gvec_3 * const zc_fns[5] = {
 +        gen_helper_sme_mova_zc_b, gen_helper_sme_mova_zc_h,
 +        gen_helper_sme_mova_zc_s, gen_helper_sme_mova_zc_d,
 +        gen_helper_sme_mova_zc_q,
 +    };
 +
 +    TCGv_ptr t_za, t_zr, t_pg;
 +    TCGv_i32 t_desc;
 +    int svl;
 +
 +    if (!dc_isar_feature(aa64_sme, s)) {
 +        return false;
 +    }
 +    if (!sme_smza_enabled_check(s)) {
 +        return true;
 +    }
 +
 +    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
 +    t_zr = vec_full_reg_ptr(s, a->zr);
 +    t_pg = pred_full_reg_ptr(s, a->pg);
 +
 +    svl = streaming_vec_reg_size(s);
 +    t_desc = tcg_constant_i32(simd_desc(svl, svl, 0));
 +
 +    if (a->v) {
 +        /* Vertical slice -- use sme mova helpers. */
 +        if (a->to_vec) {
 +            zc_fns[a->esz](t_zr, t_za, t_pg, t_desc);
 +        } else {
 +            cz_fns[a->esz](t_za, t_zr, t_pg, t_desc);
 +        }
 +    } else {
 +        /* Horizontal slice -- reuse sve sel helpers. */
 +        if (a->to_vec) {
 +            h_fns[a->esz](t_zr, t_za, t_zr, t_pg, t_desc);
 +        } else {
 +            h_fns[a->esz](t_za, t_zr, t_za, t_pg, t_desc);
 +        }
 +    }
 +
 +    tcg_temp_free_ptr(t_za);
 +    tcg_temp_free_ptr(t_zr);
 +    tcg_temp_free_ptr(t_pg);
 +
 +    return true;
 +}
 --
-.25.1
+.43.0

-[PULL 29/45] target/arm: Implement REVD
+[PULL 08/21] target/arm: Refactor handling of timer offset for direct register accesses
-From: Richard Henderson <richard.henderson@linaro.org>
+When reading or writing the timer registers, sometimes we need to
+apply one of the timer offsets.  Specifically, this happens for
-This is an SVE instruction that operates using the SVE vector
+direct reads of the counter registers CNTPCT_EL0 and CNTVCT_EL0 (and
-length but that it is present only if SME is implemented.
+their self-synchronized variants CNTVCTSS_EL0 and CNTPCTSS_EL0).  It
+also applies for direct reads and writes of the CNT*_TVAL_EL*
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+registers that provide the 32-bit downcounting view of each timer.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
+We currently do this with duplicated code in gt_tval_read() and
 gt_tval_write() and a special-case in gt_virt_cnt_read() and
 gt_cnt_read().  Refactor this so that we handle it all in a single
 function gt_direct_access_timer_offset(), to parallel how we handle
 the offset for indirect accesses.
 The call in the WFIT helper previously to gt_virt_cnt_offset() is
 now to gt_direct_access_timer_offset(); this is the correct
 behaviour, but it's not immediately obvious that it shouldn't be
 considered an indirect access, so we add an explanatory comment.
 This commit should make no behavioural changes.
 (Cc to stable because the following bugfix commit will
 depend on this one.)
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250204125009.2281315-6-peter.maydell@linaro.org
 ---
- target/arm/helper-sve.h    |  2 ++
+ target/arm/internals.h     |   5 +-
- target/arm/sve.decode      |  1 +
+ target/arm/helper.c        | 103 +++++++++++++++++++------------------
- target/arm/sve_helper.c    | 16 ++++++++++++++++
+ target/arm/tcg/op_helper.c |   8 ++-
- target/arm/translate-sve.c |  2 ++
+files changed, 62 insertions(+), 54 deletions(-)
-files changed, 21 insertions(+)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
 diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sve.h
+--- a/target/arm/internals.h
-+++ b/target/arm/helper-sve.h
++++ b/target/arm/internals.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ int delete_hw_watchpoint(target_ulong addr, target_ulong len, int type);
+ uint64_t gt_get_countervalue(CPUARMState *env);
- DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+ /*
+  * Return the currently applicable offset between the system counter
-+DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+- * and CNTVCT_EL0 (this will be either 0 or the value of CNTVOFF_EL2).
 + * and the counter for the specified timer, as used for direct register
 + * accesses.
   */
 -uint64_t gt_virt_cnt_offset(CPUARMState *env);
 +uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx);
  /*
   * Return mask of ARMMMUIdxBit values corresponding to an "invalidate
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_phys_raw_cnt_offset(CPUARMState *env)
      return 0;
  }
 -static uint64_t gt_phys_cnt_offset(CPUARMState *env)
 -{
 -    if (arm_current_el(env) >= 2) {
 -        return 0;
 -    }
 -    return gt_phys_raw_cnt_offset(env);
 -}
 -
  static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
  {
      /*
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
      }
  }
 +uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx)
 +{
 +    /*
 +     * Return the timer offset to use for direct accesses to the
 +     * counter registers CNTPCT and CNTVCT, and for direct accesses
 +     * to the CNT*_TVAL registers.
 +     *
 +     * This isn't exactly the same as the indirect-access offset,
 +     * because here we also care about what EL the register access
 +     * is being made from.
 +     *
 +     * This corresponds to the access pseudocode for the registers.
 +     */
 +    uint64_t hcr;
 +
- DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++    switch (timeridx) {
- DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++    case GTIMER_PHYS:
- DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
++        if (arm_current_el(env) >= 2) {
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
++            return 0;
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve.decode
 +++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
  REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
  REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
  RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
 +REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
  # SVE vector splice (predicated, destructive)
  SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
 diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sve_helper.c
 +++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
  DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 +void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
 +{
 +    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
 +    uint64_t *d = vd, *n = vn;
 +    uint8_t *pg = vg;
 +
 +    for (i = 0; i < opr_sz; i += 2) {
 +        if (pg[H1(i)] & 1) {
 +            uint64_t n0 = n[i + 0];
 +            uint64_t n1 = n[i + 1];
 +            d[i + 0] = n1;
 +            d[i + 1] = n0;
 +        }
++        return gt_phys_raw_cnt_offset(env);
++    case GTIMER_VIRT:
++        switch (arm_current_el(env)) {
++        case 2:
++            hcr = arm_hcr_el2_eff(env);
++            if (hcr & HCR_E2H) {
++                return 0;
++            }
++            break;
++        case 0:
++            hcr = arm_hcr_el2_eff(env);
++            if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
++                return 0;
++            }
++            break;
++        }
++        return env->cp15.cntvoff_el2;
++    case GTIMER_HYP:
++    case GTIMER_SEC:
++    case GTIMER_HYPVIRT:
++        return 0;
++    default:
++        g_assert_not_reached();
 +    }
 +}
 +
- DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
+ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
- DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
+ {
- DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
+     ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
+@@ -XXX,XX +XXX,XX @@ static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
  static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
 -    return gt_get_countervalue(env) - gt_phys_cnt_offset(env);
 -}
 -
 -uint64_t gt_virt_cnt_offset(CPUARMState *env)
 -{
 -    uint64_t hcr;
 -
 -    switch (arm_current_el(env)) {
 -    case 2:
 -        hcr = arm_hcr_el2_eff(env);
 -        if (hcr & HCR_E2H) {
 -            return 0;
 -        }
 -        break;
 -    case 0:
 -        hcr = arm_hcr_el2_eff(env);
 -        if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
 -            return 0;
 -        }
 -        break;
 -    }
 -
 -    return env->cp15.cntvoff_el2;
 +    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_PHYS);
 +    return gt_get_countervalue(env) - offset;
  }
  static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
  {
 -    return gt_get_countervalue(env) - gt_virt_cnt_offset(env);
 +    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
 +    return gt_get_countervalue(env) - offset;
  }
  static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static uint64_t do_tval_read(CPUARMState *env, int timeridx, uint64_t offset)
  static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
                               int timeridx)
  {
 -    uint64_t offset = 0;
 -
 -    switch (timeridx) {
 -    case GTIMER_VIRT:
 -        offset = gt_virt_cnt_offset(env);
 -        break;
 -    case GTIMER_PHYS:
 -        offset = gt_phys_cnt_offset(env);
 -        break;
 -    }
 +    uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
      return do_tval_read(env, timeridx, offset);
  }
@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                            int timeridx,
                            uint64_t value)
  {
 -    uint64_t offset = 0;
 +    uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
 -    switch (timeridx) {
 -    case GTIMER_VIRT:
 -        offset = gt_virt_cnt_offset(env);
 -        break;
 -    case GTIMER_PHYS:
 -        offset = gt_phys_cnt_offset(env);
 -        break;
 -    }
      do_tval_write(env, timeridx, value, offset);
  }
 diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
+--- a/target/arm/tcg/op_helper.c
-+++ b/target/arm/translate-sve.c
++++ b/target/arm/tcg/op_helper.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
+@@ -XXX,XX +XXX,XX @@ void HELPER(wfit)(CPUARMState *env, uint64_t timeout)
- TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
+     int target_el = check_wfx_trap(env, false, &excp);
-            a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
+     /* The WFIT should time out when CNTVCT_EL0 >= the specified value. */
+     uint64_t cntval = gt_get_countervalue(env);
-+TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
+-    uint64_t offset = gt_virt_cnt_offset(env);
-+
++    /*
- TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
++     * We want the value that we would get if we read CNTVCT_EL0 from
-            gen_helper_sve_splice, a, a->esz)
++     * the current exception level, so the direct_access offset, not
 +     * the indirect_access one. Compare the pseudocode LocalTimeoutEvent(),
 +     * which calls VirtualCounterTimer().
 +     */
 +    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
      uint64_t cntvct = cntval - offset;
      uint64_t nexttick;
 --
-.25.1
+.43.0

-[PULL 03/45] target/arm: Trap non-streaming usage when Streaming SVE is active
+[PULL 09/21] target/arm: Implement SEL2 physical and virtual timers
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-This new behaviour is in the ARM pseudocode function
+When FEAT_SEL2 was implemented the SEL2 timers were missed. This
-AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
+shows up when building the latest Hafnium with SPMC_AT_EL=2. The
-via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
+actual implementation utilises the same logic as the rest of the
-the trap would be delivered is in AArch64 mode.
+timers so all we need to do is:
-Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
+  - define the timers and their access functions
-detection ought to be trivially true, but the pseudocode still contains
+  - conditionally add the correct system registers
-a number of conditions, and QEMU has not yet committed to dropping A32
+  - create a new accessfn as the rules are subtly different to the
-support for EL[12] when v9 features are present.
+    existing secure timer
-Since the computation of SME_TRAP_NONSTREAMING is necessarily different
+Fixes: e9152ee91c (target/arm: add ARMv8.4-SEL2 system registers)
-for the two modes, we might as well preserve bits within TBFLAG_ANY and
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
 of instructions illegal in streaming mode.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20250204125009.2281315-7-peter.maydell@linaro.org
-Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
+Cc: qemu-stable@nongnu.org
 Cc: Andrei Homescu <ahomescu@google.com>
 Cc: Arve Hjønnevåg <arve@google.com>
 Cc: Rémi Denis-Courmont <remi.denis.courmont@huawei.com>
 [PMM: CP_ACCESS_TRAP_UNCATEGORIZED -> CP_ACCESS_UNDEFINED;
  offset logic now in gt_{indirect,direct}_access_timer_offset() ]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/cpu.h           |  7 +++
+ include/hw/arm/bsa.h |   2 +
- target/arm/translate.h     |  4 ++
+ target/arm/cpu.h     |   2 +
- target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
+ target/arm/gtimer.h  |   4 +-
- target/arm/helper.c        | 41 +++++++++++++++++
+ target/arm/cpu.c     |   4 ++
- target/arm/translate-a64.c | 40 ++++++++++++++++-
+ target/arm/helper.c  | 163 +++++++++++++++++++++++++++++++++++++++++++
- target/arm/translate-vfp.c | 12 +++++
+files changed, 174 insertions(+), 1 deletion(-)
- target/arm/translate.c     |  2 +
- target/arm/meson.build     |  1 +
+diff --git a/include/hw/arm/bsa.h b/include/hw/arm/bsa.h
-files changed, 195 insertions(+), 2 deletions(-)
+index XXXXXXX..XXXXXXX 100644
- create mode 100644 target/arm/sme-fa64.decode
+--- a/include/hw/arm/bsa.h
++++ b/include/hw/arm/bsa.h
@@ -XXX,XX +XXX,XX @@
  #define QEMU_ARM_BSA_H
  /* These are architectural INTID values */
 +#define ARCH_TIMER_S_EL2_VIRT_IRQ  19
 +#define ARCH_TIMER_S_EL2_IRQ       20
  #define VIRTUAL_PMU_IRQ            23
  #define ARCH_GIC_MAINT_IRQ         25
  #define ARCH_TIMER_NS_EL2_IRQ      26
 diff --git a/target/arm/cpu.h b/target/arm/cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/cpu.h
 +++ b/target/arm/cpu.h
-@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
+@@ -XXX,XX +XXX,XX @@ void arm_gt_vtimer_cb(void *opaque);
-  * the same thing as the current security state of the processor!
+ void arm_gt_htimer_cb(void *opaque);
-  */
+ void arm_gt_stimer_cb(void *opaque);
- FIELD(TBFLAG_A32, NS, 10, 1)
+ void arm_gt_hvtimer_cb(void *opaque);
-+/*
++void arm_gt_sel2timer_cb(void *opaque);
-+ * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
++void arm_gt_sel2vtimer_cb(void *opaque);
-+ * This requires an SME trap from AArch32 mode when using NEON.
-+ */
+ unsigned int gt_cntfrq_period_ns(ARMCPU *cpu);
-+FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
+ void gt_rme_post_el_change(ARMCPU *cpu, void *opaque);
+diff --git a/target/arm/gtimer.h b/target/arm/gtimer.h
- /*
+index XXXXXXX..XXXXXXX 100644
-  * Bit usage when in AArch32 state, for M-profile only.
+--- a/target/arm/gtimer.h
-@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
++++ b/target/arm/gtimer.h
- FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
+@@ -XXX,XX +XXX,XX @@ enum {
- FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
+     GTIMER_HYP      = 2,
- FIELD(TBFLAG_A64, SVL, 24, 4)
+     GTIMER_SEC      = 3,
-+/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
+     GTIMER_HYPVIRT  = 4,
-+FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
+-#define NUM_GTIMERS   5
++    GTIMER_S_EL2_PHYS = 5, /* CNTHPS_* ; only if FEAT_SEL2 */
- /*
++    GTIMER_S_EL2_VIRT = 6, /* CNTHVS_* ; only if FEAT_SEL2 */
-  * Helpers for using the above.
++#define NUM_GTIMERS   7
-diff --git a/target/arm/translate.h b/target/arm/translate.h
+ };
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
+ #endif
-+++ b/target/arm/translate.h
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
-@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
+index XXXXXXX..XXXXXXX 100644
-     bool pstate_sm;
+--- a/target/arm/cpu.c
-     /* True if PSTATE.ZA is set. */
++++ b/target/arm/cpu.c
-     bool pstate_za;
+@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
-+    /* True if non-streaming insns should raise an SME Streaming exception. */
+                                               arm_gt_stimer_cb, cpu);
-+    bool sme_trap_nonstreaming;
+         cpu->gt_timer[GTIMER_HYPVIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
-+    /* True if the current instruction is non-streaming. */
+                                                   arm_gt_hvtimer_cb, cpu);
-+    bool is_nonstreaming;
++        cpu->gt_timer[GTIMER_S_EL2_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
-     /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
++                                                     arm_gt_sel2timer_cb, cpu);
-     bool mve_no_pred;
++        cpu->gt_timer[GTIMER_S_EL2_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
-     /*
++                                                     arm_gt_sel2vtimer_cb, cpu);
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+     }
-new file mode 100644
+ #endif
-index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
 +# AArch64 SME allowed instruction decoding
 +#
 +#  Copyright (c) 2022 Linaro, Ltd
 +#
 +# This library is free software; you can redistribute it and/or
 +# modify it under the terms of the GNU Lesser General Public
 +# License as published by the Free Software Foundation; either
 +# version 2.1 of the License, or (at your option) any later version.
 +#
 +# This library is distributed in the hope that it will be useful,
 +# but WITHOUT ANY WARRANTY; without even the implied warranty of
 +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 +# Lesser General Public License for more details.
 +#
 +# You should have received a copy of the GNU Lesser General Public
 +# License along with this library; if not, see <http://www.gnu.org/licenses/>.
 +
 +#
 +# This file is processed by scripts/decodetree.py
 +#
 +
 +# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
 +# Arm Architecture Reference Manual Supplement,
 +# The Scalable Matrix Extension (SME), for Armv9-A
 +
 +{
 +  [
 +    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
 +    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
 +    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
 +    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
 +    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
 +    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
 +    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
 +  ]
 +  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
 +}
 +
 +{
 +  [
 +    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
 +    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
 +    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
 +    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
 +  ]
 +  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
 +}
 +
 +FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
 +FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
 +FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 +
 +# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
 +# We don't actually need to include these, as the default is OK.
 +#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
 +#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
 +#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
 +#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
 +#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 +#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 +
 +FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 +FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 +FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 +FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
 +FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
 +FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 +FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 +FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 +FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 +FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 +FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
 +FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
 +FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 +FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 +FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 +FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 +FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
 +FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
 +FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
 +FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 +FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 +FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 +FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 +FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 +FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
 +FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
 +FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
 +FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
 diff --git a/target/arm/helper.c b/target/arm/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/helper.c
 +++ b/target/arm/helper.c
-@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
+@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
-     return 0;
+     }
  }
-+/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
++static CPAccessResult gt_sel2timer_access(CPUARMState *env,
-+static bool sme_fa64(CPUARMState *env, int el)
++                                          const ARMCPRegInfo *ri,
-+{
++                                          bool isread)
-+    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
++{
-+        return false;
++    /*
 +     * The AArch64 register view of the secure EL2 timers are mostly
 +     * accessible from EL3 and EL2 although can also be trapped to EL2
 +     * from EL1 depending on nested virt config.
 +     */
 +    switch (arm_current_el(env)) {
 +    case 0: /* UNDEFINED */
 +        return CP_ACCESS_UNDEFINED;
 +    case 1:
 +        if (!arm_is_secure(env)) {
 +            /* UNDEFINED */
 +            return CP_ACCESS_UNDEFINED;
 +        } else if (arm_hcr_el2_eff(env) & HCR_NV) {
 +            /* Aarch64.SystemAccessTrap(EL2, 0x18) */
 +            return CP_ACCESS_TRAP_EL2;
 +        }
 +        /* UNDEFINED */
 +        return CP_ACCESS_UNDEFINED;
 +    case 2:
 +        if (!arm_is_secure(env)) {
 +            /* UNDEFINED */
 +            return CP_ACCESS_UNDEFINED;
 +        }
 +        return CP_ACCESS_OK;
 +    case 3:
 +        if (env->cp15.scr_el3 & SCR_EEL2) {
 +            return CP_ACCESS_OK;
 +        } else {
 +            return CP_ACCESS_UNDEFINED;
 +        }
 +    default:
 +        g_assert_not_reached();
 +    }
-+
++}
-+    if (el <= 1 && !el_is_in_host(env, el)) {
++
-+        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
+ uint64_t gt_get_countervalue(CPUARMState *env)
 +            return false;
 +        }
 +    }
 +    if (el <= 2 && arm_is_el2_enabled(env)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +    if (arm_feature(env, ARM_FEATURE_EL3)) {
 +        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
 +            return false;
 +        }
 +    }
 +
 +    return true;
 +}
 +
  /*
   * Given that SVE is enabled, return the vector length for EL.
   */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
          DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
      }
 +    /*
 +     * The SME exception we are testing for is raised via
 +     * AArch64.CheckFPAdvSIMDEnabled(), as called from
 +     * AArch32.CheckAdvSIMDOrFPEnabled().
 +     */
 +    if (el == 0
 +        && FIELD_EX64(env->svcr, SVCR, SM)
 +        && (!arm_is_el2_enabled(env)
 +            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
 +        && arm_el_is_aa64(env, 1)
 +        && !sme_fa64(env, el)) {
 +        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
 +    }
 +
      return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
  }
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
          }
          if (FIELD_EX64(env->svcr, SVCR, SM)) {
              DP_TBFLAG_A64(flags, PSTATE_SM, 1);
 +            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
          }
          DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
      }
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
   * unallocated-encoding checks (otherwise the syndrome information
   * for the resulting exception will be incorrect).
   */
 -static bool fp_access_check(DisasContext *s)
 +static bool fp_access_check_only(DisasContext *s)
  {
-     if (s->fp_excp_el) {
+     ARMCPU *cpu = env_archcpu(env);
-         assert(!s->fp_access_checked);
+@@ -XXX,XX +XXX,XX @@ static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
-@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
+     case GTIMER_HYP:
-     return true;
+     case GTIMER_SEC:
- }
+     case GTIMER_HYPVIRT:
++    case GTIMER_S_EL2_PHYS:
-+static bool fp_access_check(DisasContext *s)
++    case GTIMER_S_EL2_VIRT:
-+{
+         return 0;
 +    if (!fp_access_check_only(s)) {
 +        return false;
 +    }
 +    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
 +        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
 +                           syn_smetrap(SME_ET_Streaming, false));
 +        return false;
 +    }
 +    return true;
 +}
 +
  /* Check that SVE access is enabled.  If it is, return true.
   * If not, emit code to generate an appropriate exception and return false.
   */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
      default:
          g_assert_not_reached();
-     }
+@@ -XXX,XX +XXX,XX @@ uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx)
--    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
+     case GTIMER_HYP:
-+    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
+     case GTIMER_SEC:
-         return;
+     case GTIMER_HYPVIRT:
-     } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
++    case GTIMER_S_EL2_PHYS:
-         return;
++    case GTIMER_S_EL2_VIRT:
-@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
+         return 0;
-     }
+     default:
          g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
      gt_ctl_write(env, ri, GTIMER_SEC, value);
  }
-+/*
++static void gt_sec_pel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
-+ * Include the generated SME FA64 decoder.
++{
-+ */
++    gt_timer_reset(env, ri, GTIMER_S_EL2_PHYS);
-+
++}
-+#include "decode-sme-fa64.c.inc"
++
-+
++static void gt_sec_pel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+static bool trans_OK(DisasContext *s, arg_OK *a)
++                                   uint64_t value)
 +{
-+    return true;
++    gt_cval_write(env, ri, GTIMER_S_EL2_PHYS, value);
 +}
 +
-+static bool trans_FAIL(DisasContext *s, arg_OK *a)
++static uint64_t gt_sec_pel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
 +{
-+    s->is_nonstreaming = true;
++    return gt_tval_read(env, ri, GTIMER_S_EL2_PHYS);
-+    return true;
++}
-+}
++
-+
++static void gt_sec_pel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
- /**
++                              uint64_t value)
-  * is_guarded_page:
++{
-  * @env: The cpu environment
++    gt_tval_write(env, ri, GTIMER_S_EL2_PHYS, value);
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
++}
-     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
++
-     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
++static void gt_sec_pel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
-     dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
++                              uint64_t value)
-+    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
++{
-     dc->vec_len = 0;
++    gt_ctl_write(env, ri, GTIMER_S_EL2_PHYS, value);
-     dc->vec_stride = 0;
++}
-     dc->cp_regs = arm_cpu->cp_regs;
++
-@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
++static void gt_sec_vel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
-         }
++{
-     }
++    gt_timer_reset(env, ri, GTIMER_S_EL2_VIRT);
++}
-+    s->is_nonstreaming = false;
++
-+    if (s->sme_trap_nonstreaming) {
++static void gt_sec_vel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+        disas_sme_fa64(s, insn);
++                              uint64_t value)
-+    }
++{
-+
++    gt_cval_write(env, ri, GTIMER_S_EL2_VIRT, value);
-     switch (extract32(insn, 25, 4)) {
++}
-     case 0x0:
++
-         if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
++static uint64_t gt_sec_vel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
-diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
++{
-index XXXXXXX..XXXXXXX 100644
++    return gt_tval_read(env, ri, GTIMER_S_EL2_VIRT);
---- a/target/arm/translate-vfp.c
++}
-+++ b/target/arm/translate-vfp.c
++
-@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
++static void gt_sec_vel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
-         return false;
++                                   uint64_t value)
-     }
++{
++    gt_tval_write(env, ri, GTIMER_S_EL2_VIRT, value);
-+    /*
++}
-+     * Note that rebuild_hflags_a32 has already accounted for being in EL0
++
-+     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
++static void gt_sec_vel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
-+     * appear to be any insns which touch VFP which are allowed.
++                              uint64_t value)
-+     */
++{
-+    if (s->sme_trap_nonstreaming) {
++    gt_ctl_write(env, ri, GTIMER_S_EL2_VIRT, value);
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
++}
-+                           syn_smetrap(SME_ET_Streaming,
++
-+                                       s->base.pc_next - s->pc_curr == 2));
+ static void gt_hv_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
-+        return false;
+ {
-+    }
+     gt_timer_reset(env, ri, GTIMER_HYPVIRT);
-+
+@@ -XXX,XX +XXX,XX @@ void arm_gt_stimer_cb(void *opaque)
-     if (!s->vfp_enabled && !ignore_vfp_enabled) {
+     gt_recalc_timer(cpu, GTIMER_SEC);
-         assert(!arm_dc_feature(s, ARM_FEATURE_M));
+ }
-         unallocated_encoding(s);
-diff --git a/target/arm/translate.c b/target/arm/translate.c
++void arm_gt_sel2timer_cb(void *opaque)
-index XXXXXXX..XXXXXXX 100644
++{
---- a/target/arm/translate.c
++    ARMCPU *cpu = opaque;
-+++ b/target/arm/translate.c
++
-@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
++    gt_recalc_timer(cpu, GTIMER_S_EL2_PHYS);
-             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
++}
-             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
++
-         }
++void arm_gt_sel2vtimer_cb(void *opaque)
-+        dc->sme_trap_nonstreaming =
++{
-+            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
++    ARMCPU *cpu = opaque;
-     }
++
-     dc->cp_regs = cpu->cp_regs;
++    gt_recalc_timer(cpu, GTIMER_S_EL2_VIRT);
-     dc->features = env->features;
++}
-diff --git a/target/arm/meson.build b/target/arm/meson.build
++
-index XXXXXXX..XXXXXXX 100644
+ void arm_gt_hvtimer_cb(void *opaque)
---- a/target/arm/meson.build
+ {
-+++ b/target/arm/meson.build
+     ARMCPU *cpu = opaque;
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_sec_cp_reginfo[] = {
- gen = [
+       .access = PL2_RW, .accessfn = sel2_access,
-   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
+       .nv2_redirect_offset = 0x48,
-   decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
+       .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) },
-+  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
++#ifndef CONFIG_USER_ONLY
-   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
++    /* Secure EL2 Physical Timer */
-   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
++    { .name = "CNTHPS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
-   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
++      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 0,
 +      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .readfn = gt_sec_pel2_tval_read,
 +      .writefn = gt_sec_pel2_tval_write,
 +      .resetfn = gt_sec_pel2_timer_reset,
 +    },
 +    { .name = "CNTHPS_CTL_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 1,
 +      .type = ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].ctl),
 +      .resetvalue = 0,
 +      .writefn = gt_sec_pel2_ctl_write, .raw_writefn = raw_write,
 +    },
 +    { .name = "CNTHPS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 2,
 +      .type = ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].cval),
 +      .writefn = gt_sec_pel2_cval_write, .raw_writefn = raw_write,
 +    },
 +    /* Secure EL2 Virtual Timer */
 +    { .name = "CNTHVS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 0,
 +      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .readfn = gt_sec_vel2_tval_read,
 +      .writefn = gt_sec_vel2_tval_write,
 +      .resetfn = gt_sec_vel2_timer_reset,
 +    },
 +    { .name = "CNTHVS_CTL_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 1,
 +      .type = ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].ctl),
 +      .resetvalue = 0,
 +      .writefn = gt_sec_vel2_ctl_write, .raw_writefn = raw_write,
 +    },
 +    { .name = "CNTHVS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
 +      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 2,
 +      .type = ARM_CP_IO, .access = PL2_RW,
 +      .accessfn = gt_sel2timer_access,
 +      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].cval),
 +      .writefn = gt_sec_vel2_cval_write, .raw_writefn = raw_write,
 +    },
 +#endif
  };
  static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
 --
-.25.1
+.43.0

-[PULL 04/45] target/arm: Mark ADR as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark ADR as a non-streaming instruction, which should trap
-if full a64 support is not enabled in streaming mode.
-Removing entries from sme-fa64.decode is an easy way to see
-what remains to be done.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate.h     | 7 +++++++
- target/arm/sme-fa64.decode | 1 -
- target/arm/translate-sve.c | 8 ++++----
-files changed, 11 insertions(+), 5 deletions(-)
-diff --git a/target/arm/translate.h b/target/arm/translate.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.h
-+++ b/target/arm/translate.h
-@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
-     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
-     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
-+#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
-+    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
-+    {                                                             \
-+        s->is_nonstreaming = true;                                \
-+        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
-+    }
-+
- #endif /* TARGET_ARM_TRANSLATE_H */
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
- FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
- FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
- FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
-     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
- }
--TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
--TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
--TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
--TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
-+TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-+TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-+TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
-+TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
- /*
-  *** SVE Integer Misc - Unpredicated Group
---
-.25.1

-[PULL 05/45] target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 2 --
- target/arm/translate-sve.c | 9 ++++++---
-files changed, 6 insertions(+), 5 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
- FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
--FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
--FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
- FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
- FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
- FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_predset(DisasContext *s, int esz, int rd, int pat, bool setflag)
- TRANS_FEAT(PTRUE, aa64_sve, do_predset, a->esz, a->rd, a->pat, a->s)
- /* Note pat == 31 is #all, to set all elements.  */
--TRANS_FEAT(SETFFR, aa64_sve, do_predset, 0, FFR_PRED_NUM, 31, false)
-+TRANS_FEAT_NONSTREAMING(SETFFR, aa64_sve,
-+                        do_predset, 0, FFR_PRED_NUM, 31, false)
- /* Note pat == 32 is #unimp, to set no elements.  */
- TRANS_FEAT(PFALSE, aa64_sve, do_predset, 0, a->rd, 32, false)
-@@ -XXX,XX +XXX,XX @@ static bool trans_RDFFR_p(DisasContext *s, arg_RDFFR_p *a)
-         .rd = a->rd, .pg = a->pg, .s = a->s,
-         .rn = FFR_PRED_NUM, .rm = FFR_PRED_NUM,
-     };
-+
-+    s->is_nonstreaming = true;
-     return trans_AND_pppp(s, &alt_a);
- }
--TRANS_FEAT(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
--TRANS_FEAT(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
-+TRANS_FEAT_NONSTREAMING(RDFFR, aa64_sve, do_mov_p, a->rd, FFR_PRED_NUM)
-+TRANS_FEAT_NONSTREAMING(WRFFR, aa64_sve, do_mov_p, FFR_PRED_NUM, a->rn)
- static bool do_pfirst_pnext(DisasContext *s, arg_rr_esz *a,
-                             void (*gen_fn)(TCGv_i32, TCGv_ptr,
---
-.25.1

-[PULL 06/45] target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  3 ---
- target/arm/translate-sve.c | 22 ++++++++++++----------
-files changed, 12 insertions(+), 13 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
--FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
--FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
- FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
- FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
- FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
-     NULL,                   gen_helper_sve_fexpa_h,
-     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
- };
--TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
--           fexpa_fns[a->esz], a->rd, a->rn, 0)
-+TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
-+                        fexpa_fns[a->esz], a->rd, a->rn, 0)
- static gen_helper_gvec_3 * const ftssel_fns[4] = {
-     NULL,                    gen_helper_sve_ftssel_h,
-     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
- };
--TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
-+                        ftssel_fns[a->esz], a, 0)
- /*
-  *** SVE Predicate Logical Operations Group
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
- static gen_helper_gvec_3 * const compact_fns[4] = {
-     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
- };
--TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
-+                        compact_fns[a->esz], a, 0)
- /* Call the helper that computes the ARM LastActiveElement pseudocode
-  * function, scaled by the element size.  This includes the not found
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
-     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
-     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
- };
--TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bext_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bext_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const bdep_fns[4] = {
-     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
-     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
- };
--TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bdep_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bdep_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const bgrp_fns[4] = {
-     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
-     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
- };
--TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
--           bgrp_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-+                        bgrp_fns[a->esz], a, 0)
- static gen_helper_gvec_3 * const cadd_fns[4] = {
-     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
---
-.25.1

-[PULL 07/45] target/arm: Mark PMULL, FMMLA as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  2 --
- target/arm/translate-sve.c | 24 +++++++++++++++---------
-files changed, 15 insertions(+), 11 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
--FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
- FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
- FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
- FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
-         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
-         NULL,                    gen_helper_sve2_pmull_d,
-     };
--    if (a->esz == 0
--        ? !dc_isar_feature(aa64_sve2_pmull128, s)
--        : !dc_isar_feature(aa64_sve, s)) {
-+
-+    if (a->esz == 0) {
-+        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
-+            return false;
-+        }
-+        s->is_nonstreaming = true;
-+    } else if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
-@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
-  * SVE Integer Multiply-Add (unpredicated)
-  */
--TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
--           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
--TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
--           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
-+TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
-+                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
-+                        0, FPST_FPCR)
-+TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
-+                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
-+                        0, FPST_FPCR)
- static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
-     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
- TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
-            gen_helper_gvec_bfdot_idx, a)
--TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_bfmmla, a, 0)
-+TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_bfmmla, a, 0)
- static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
- {
---
-.25.1

-[PULL 08/45] target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  3 ---
- target/arm/translate-sve.c | 15 +++++++++++----
-files changed, 11 insertions(+), 7 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
--FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
--FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
- FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
- FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3_ptr * const ftmad_fns[4] = {
-     NULL,                   gen_helper_sve_ftmad_h,
-     gen_helper_sve_ftmad_s, gen_helper_sve_ftmad_d,
- };
--TRANS_FEAT(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
--           ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
--           a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
-+TRANS_FEAT_NONSTREAMING(FTMAD, aa64_sve, gen_gvec_fpst_zzz,
-+                        ftmad_fns[a->esz], a->rd, a->rn, a->rm, a->imm,
-+                        a->esz == MO_16 ? FPST_FPCR_F16 : FPST_FPCR)
- /*
-  *** SVE Floating Point Accumulating Reduction Group
-@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
-     if (a->esz == 0 || !dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_FADDA(DisasContext *s, arg_rprr_esz *a)
- DO_FP3(FADD_zzz, fadd)
- DO_FP3(FSUB_zzz, fsub)
- DO_FP3(FMUL_zzz, fmul)
--DO_FP3(FTSMUL, ftsmul)
- DO_FP3(FRECPS, recps)
- DO_FP3(FRSQRTS, rsqrts)
- #undef DO_FP3
-+static gen_helper_gvec_3_ptr * const ftsmul_fns[4] = {
-+    NULL,                     gen_helper_gvec_ftsmul_h,
-+    gen_helper_gvec_ftsmul_s, gen_helper_gvec_ftsmul_d
-+};
-+TRANS_FEAT_NONSTREAMING(FTSMUL, aa64_sve, gen_gvec_fpst_arg_zzz,
-+                        ftsmul_fns[a->esz], a, 0)
-+
- /*
-  *** SVE Floating Point Arithmetic - Predicated Group
-  */
---
-.25.1

-[PULL 09/45] target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  1 -
- target/arm/translate-sve.c | 12 ++++++------
-files changed, 6 insertions(+), 7 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
- FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMLALT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, false, true)
- TRANS_FEAT(FMLSLB_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, false)
- TRANS_FEAT(FMLSLT_zzxw, aa64_sve2, do_FMLAL_zzxw, a, true, true)
--TRANS_FEAT(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_smmla_b, a, 0)
--TRANS_FEAT(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_usmmla_b, a, 0)
--TRANS_FEAT(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
--           gen_helper_gvec_ummla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(SMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_smmla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(USMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_usmmla_b, a, 0)
-+TRANS_FEAT_NONSTREAMING(UMMLA, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-+                        gen_helper_gvec_ummla_b, a, 0)
- TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-            gen_helper_gvec_bfdot, a, 0)
---
-.25.1

-[PULL 10/45] target/arm: Mark string/histo/crypto as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode |  1 -
- target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
-files changed, 18 insertions(+), 18 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
- FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
- FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
- static gen_helper_gvec_flags_4 * const match_fns[4] = {
-     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
- };
--TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
-+TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
- static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
-     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
- };
--TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
-+TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
- static gen_helper_gvec_4 * const histcnt_fns[4] = {
-     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
- };
--TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
--           histcnt_fns[a->esz], a, 0)
-+TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
-+                        histcnt_fns[a->esz], a, 0)
--TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
--           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
-+TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
-+                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
- DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
- DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
- TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
-            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
--TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
--           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
-+TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
-+                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
--TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_aese, a, false)
--TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_aese, a, true)
-+TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_aese, a, false)
-+TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_aese, a, true)
--TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_sm4e, a, 0)
--TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
--           gen_helper_crypto_sm4ekey, a, 0)
-+TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_sm4e, a, 0)
-+TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-+                        gen_helper_crypto_sm4ekey, a, 0)
--TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
-+TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
-+                        gen_gvec_rax1, a)
- TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
-            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
---
-.25.1

-[PULL 11/45] target/arm: Mark gather/scatter load/store as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 9 ---------
- target/arm/translate-sve.c | 6 ++++++
-files changed, 6 insertions(+), 9 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
- FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
- FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
--FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
--FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
--FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
--FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
- FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
- FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
- FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
--FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
--FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
--FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
--FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
-     if (!dc_isar_feature(aa64_sve2, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
-@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
-     if (!dc_isar_feature(aa64_sve2, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (!sve_access_check(s)) {
-         return true;
-     }
---
-.25.1

-[PULL 42/45] linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
+[PULL 10/21] target/arm: Document the architectural names of our GTIMERs
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-These prctl set the Streaming SVE vector length, which may
+As we are about to add more physical and virtual timers let's make it
-be completely different from the Normal SVE vector length.
+clear what each timer does.
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20250204125009.2281315-8-peter.maydell@linaro.org
-Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
+[PMM: Add timer register name prefix to each comment]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
+ target/arm/gtimer.h | 10 +++++-----
- linux-user/syscall.c              | 16 +++++++++
+file changed, 5 insertions(+), 5 deletions(-)
 files changed, 70 insertions(+)
-diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+diff --git a/target/arm/gtimer.h b/target/arm/gtimer.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_prctl.h
+--- a/target/arm/gtimer.h
-+++ b/linux-user/aarch64/target_prctl.h
++++ b/target/arm/gtimer.h
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
+@@ -XXX,XX +XXX,XX @@
- {
+ #define TARGET_ARM_GTIMER_H
-     ARMCPU *cpu = env_archcpu(env);
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+ enum {
-+        /* PSTATE.SM is always unset on syscall entry. */
+-    GTIMER_PHYS     = 0,
-         return sve_vq(env) * 16;
+-    GTIMER_VIRT     = 1,
-     }
+-    GTIMER_HYP      = 2,
-     return -TARGET_EINVAL;
+-    GTIMER_SEC      = 3,
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
+-    GTIMER_HYPVIRT  = 4,
-         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
++    GTIMER_PHYS     = 0, /* CNTP_* ; EL1 physical timer */
-         uint32_t vq, old_vq;
++    GTIMER_VIRT     = 1, /* CNTV_* ; EL1 virtual timer */
++    GTIMER_HYP      = 2, /* CNTHP_* ; EL2 physical timer */
-+        /* PSTATE.SM is always unset on syscall entry. */
++    GTIMER_SEC      = 3, /* CNTPS_* ; EL3 physical timer */
-         old_vq = sve_vq(env);
++    GTIMER_HYPVIRT  = 4, /* CNTHV_* ; EL2 virtual timer ; only if FEAT_VHE */
+     GTIMER_S_EL2_PHYS = 5, /* CNTHPS_* ; only if FEAT_SEL2 */
-         /*
+     GTIMER_S_EL2_VIRT = 6, /* CNTHVS_* ; only if FEAT_SEL2 */
-@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
+ #define NUM_GTIMERS   7
  }
  #define do_prctl_sve_set_vl do_prctl_sve_set_vl
 +static abi_long do_prctl_sme_get_vl(CPUArchState *env)
 +{
 +    ARMCPU *cpu = env_archcpu(env);
 +    if (cpu_isar_feature(aa64_sme, cpu)) {
 +        return sme_vq(env) * 16;
 +    }
 +    return -TARGET_EINVAL;
 +}
 +#define do_prctl_sme_get_vl do_prctl_sme_get_vl
 +
 +static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
 +{
 +    /*
 +     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
 +     * Note the kernel definition of sve_vl_valid allows for VQ=512,
 +     * i.e. VL=8192, even though the architectural maximum is VQ=16.
 +     */
 +    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
 +        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
 +        int vq, old_vq;
 +
 +        old_vq = sme_vq(env);
 +
 +        /*
 +         * Bound the value of vq, so that we know that it fits into
 +         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
 +         * on syscall entry, we are not modifying the current SVE
 +         * vector length.
 +         */
 +        vq = MAX(arg2 / 16, 1);
 +        vq = MIN(vq, 16);
 +        env->vfp.smcr_el[1] =
 +            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
 +
 +        /* Delay rebuilding hflags until we know if ZA must change. */
 +        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
 +
 +        if (vq != old_vq) {
 +            /*
 +             * PSTATE.ZA state is cleared on any change to SVL.
 +             * We need not call arm_rebuild_hflags because PSTATE.SM was
 +             * cleared on syscall entry, so this hasn't changed VL.
 +             */
 +            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
 +            arm_rebuild_hflags(env);
 +        }
 +        return vq * 16;
 +    }
 +    return -TARGET_EINVAL;
 +}
 +#define do_prctl_sme_set_vl do_prctl_sme_set_vl
 +
  static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
  {
      ARMCPU *cpu = env_archcpu(env);
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
  #ifndef PR_SET_SYSCALL_USER_DISPATCH
  # define PR_SET_SYSCALL_USER_DISPATCH 59
  #endif
 +#ifndef PR_SME_SET_VL
 +# define PR_SME_SET_VL  63
 +# define PR_SME_GET_VL  64
 +# define PR_SME_VL_LEN_MASK  0xffff
 +# define PR_SME_VL_INHERIT   (1 << 17)
 +#endif
  #include "target_prctl.h"
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
  #ifndef do_prctl_set_unalign
  #define do_prctl_set_unalign do_prctl_inval1
  #endif
 +#ifndef do_prctl_sme_get_vl
 +#define do_prctl_sme_get_vl do_prctl_inval0
 +#endif
 +#ifndef do_prctl_sme_set_vl
 +#define do_prctl_sme_set_vl do_prctl_inval1
 +#endif
  static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
                           abi_long arg3, abi_long arg4, abi_long arg5)
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
          return do_prctl_sve_get_vl(env);
      case PR_SVE_SET_VL:
          return do_prctl_sve_set_vl(env, arg2);
 +    case PR_SME_GET_VL:
 +        return do_prctl_sme_get_vl(env);
 +    case PR_SME_SET_VL:
 +        return do_prctl_sme_set_vl(env, arg2);
      case PR_PAC_RESET_KEYS:
          if (arg3 || arg4 || arg5) {
              return -TARGET_EINVAL;
 --
-.25.1
+.43.0

-[PULL 41/45] linux-user: Rename sve prctls
+[PULL 11/21] hw/arm: enable secure EL2 timers for virt machine
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-Add "sve" to the sve prctl functions, to distinguish
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
-them from the coming "sme" prctls with similar names.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20250204125009.2281315-9-peter.maydell@linaro.org
-Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
+Cc: qemu-stable@nongnu.org
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/target_prctl.h |  8 ++++----
+ hw/arm/virt.c | 2 ++
- linux-user/syscall.c              | 12 ++++++------
+file changed, 2 insertions(+)
 files changed, 10 insertions(+), 10 deletions(-)
-diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
+diff --git a/hw/arm/virt.c b/hw/arm/virt.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_prctl.h
+--- a/hw/arm/virt.c
-+++ b/linux-user/aarch64/target_prctl.h
++++ b/hw/arm/virt.c
-@@ -XXX,XX +XXX,XX @@
+@@ -XXX,XX +XXX,XX @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
- #ifndef AARCH64_TARGET_PRCTL_H
+             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
- #define AARCH64_TARGET_PRCTL_H
+             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
+             [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
--static abi_long do_prctl_get_vl(CPUArchState *env)
++            [GTIMER_S_EL2_PHYS] = ARCH_TIMER_S_EL2_IRQ,
-+static abi_long do_prctl_sve_get_vl(CPUArchState *env)
++            [GTIMER_S_EL2_VIRT] = ARCH_TIMER_S_EL2_VIRT_IRQ,
- {
+         };
-     ARMCPU *cpu = env_archcpu(env);
-     if (cpu_isar_feature(aa64_sve, cpu)) {
+         for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
      }
      return -TARGET_EINVAL;
  }
 -#define do_prctl_get_vl do_prctl_get_vl
 +#define do_prctl_sve_get_vl do_prctl_sve_get_vl
 -static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
 +static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
  {
      /*
       * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
      }
      return -TARGET_EINVAL;
  }
 -#define do_prctl_set_vl do_prctl_set_vl
 +#define do_prctl_sve_set_vl do_prctl_sve_set_vl
  static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
  {
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
  #ifndef do_prctl_set_fp_mode
  #define do_prctl_set_fp_mode do_prctl_inval1
  #endif
 -#ifndef do_prctl_get_vl
 -#define do_prctl_get_vl do_prctl_inval0
 +#ifndef do_prctl_sve_get_vl
 +#define do_prctl_sve_get_vl do_prctl_inval0
  #endif
 -#ifndef do_prctl_set_vl
 -#define do_prctl_set_vl do_prctl_inval1
 +#ifndef do_prctl_sve_set_vl
 +#define do_prctl_sve_set_vl do_prctl_inval1
  #endif
  #ifndef do_prctl_reset_keys
  #define do_prctl_reset_keys do_prctl_inval1
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
      case PR_SET_FP_MODE:
          return do_prctl_set_fp_mode(env, arg2);
      case PR_SVE_GET_VL:
 -        return do_prctl_get_vl(env);
 +        return do_prctl_sve_get_vl(env);
      case PR_SVE_SET_VL:
 -        return do_prctl_set_vl(env, arg2);
 +        return do_prctl_sve_set_vl(env, arg2);
      case PR_PAC_RESET_KEYS:
          if (arg3 || arg4 || arg5) {
              return -TARGET_EINVAL;
 --
-.25.1
+.43.0

-[PULL 39/45] linux-user/aarch64: Move sve record checks into restore
+[PULL 12/21] hw/arm: enable secure EL2 timers for sbsa machine
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Alex Bennée <alex.bennee@linaro.org>
-Move the checks out of the parsing loop and into the
+Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
 restore function.  This more closely mirrors the code
 structure in the kernel, and is slightly clearer.
 Reject rather than silently skip incorrect VL and SVE record sizes,
 bringing our checks in to line with those the kernel does.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
+Message-id: 20250204125009.2281315-10-peter.maydell@linaro.org
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
+ hw/arm/sbsa-ref.c | 2 ++
-file changed, 35 insertions(+), 16 deletions(-)
+file changed, 2 insertions(+)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/hw/arm/sbsa-ref.c b/hw/arm/sbsa-ref.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/hw/arm/sbsa-ref.c
-+++ b/linux-user/aarch64/signal.c
++++ b/hw/arm/sbsa-ref.c
-@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static void create_gic(SBSAMachineState *sms, MemoryRegion *mem)
-     }
+             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
- }
+             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
+             [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
--static void target_restore_sve_record(CPUARMState *env,
++            [GTIMER_S_EL2_PHYS] = ARCH_TIMER_S_EL2_IRQ,
--                                      struct target_sve_context *sve, int vq)
++            [GTIMER_S_EL2_VIRT] = ARCH_TIMER_S_EL2_VIRT_IRQ,
-+static bool target_restore_sve_record(CPUARMState *env,
+         };
-+                                      struct target_sve_context *sve,
-+                                      int size)
+         for (irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
  {
 -    int i, j;
 +    int i, j, vl, vq;
 -    /* Note that SVE regs are stored as a byte stream, with each byte element
 +    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 +        return false;
 +    }
 +
 +    __get_user(vl, &sve->vl);
 +    vq = sve_vq(env);
 +
 +    /* Reject mismatched VL. */
 +    if (vl != vq * TARGET_SVE_VQ_BYTES) {
 +        return false;
 +    }
 +
 +    /* Accept empty record -- used to clear PSTATE.SM. */
 +    if (size <= sizeof(*sve)) {
 +        return true;
 +    }
 +
 +    /* Reject non-empty but incomplete record. */
 +    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
 +        return false;
 +    }
 +
 +    /*
 +     * Note that SVE regs are stored as a byte stream, with each byte element
       * at a subsequent address.  This corresponds to a little-endian load
       * of our 64-bit hunks.
       */
@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
              }
          }
      }
 +    return true;
  }
  static int target_restore_sigframe(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      struct target_sve_context *sve = NULL;
      uint64_t extra_datap = 0;
      bool used_extra = false;
 -    int vq = 0, sve_size = 0;
 +    int sve_size = 0;
      target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              if (sve || size < sizeof(struct target_sve_context)) {
                  goto err;
              }
 -            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
 -                vq = sve_vq(env);
 -                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
 -                if (size == sve_size) {
 -                    sve = (struct target_sve_context *)ctx;
 -                    break;
 -                }
 -            }
 -            goto err;
 +            sve = (struct target_sve_context *)ctx;
 +            sve_size = size;
 +            break;
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
 -    if (sve) {
 -        target_restore_sve_record(env, sve, vq);
 +    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
 +        goto err;
      }
      unlock_user(extra, extra_datap, 0);
      return 0;
 --
-.25.1
+.43.0

-[PULL 17/45] target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
+[PULL 13/21] target/arm: Correct LDRD atomicity and fault behaviour
-From: Richard Henderson <richard.henderson@linaro.org>
+Our LDRD implementation is wrong in two respects:
-These SME instructions are nominally within the SVE decode space,
+ * if the address is 4-aligned and the load crosses a page boundary
-so we add them to sve.decode and translate-sve.c.
+   and the second load faults and the first load was to the
    base register (as in cases like "ldrd r2, r3, [r2]", then we
    must not update the base register before taking the fault
  * if the address is 8-aligned the access must be a 64-bit
    single-copy atomic access, not two 32-bit accesses
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Rewrite the handling of the loads in LDRD to use a single
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+tcg_gen_qemu_ld_i64() and split the result into the destination
-Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
+registers. This allows us to get the atomicity requirements
 right, and also implicitly means that we won't update the
 base register too early for the page-crossing case.
 Note that because we no longer increment 'addr' by 4 in the course of
 performing the LDRD we must change the adjustment value we pass to
 op_addr_ri_post() and op_addr_rr_post(): it no longer needs to
 subtract 4 to get the correct value to use if doing base register
 writeback.
 STRD has the same problem with not getting the atomicity right;
 we will deal with that in the following commit.
 Cc: qemu-stable@nongnu.org
 Reported-by: Stu Grossman <stu.grossman@gmail.com>
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20250227142746.1698904-2-peter.maydell@linaro.org
 ---
- target/arm/translate-a64.h | 12 ++++++++++++
+ target/arm/tcg/translate.c | 70 +++++++++++++++++++++++++-------------
- target/arm/sve.decode      |  5 ++++-
+file changed, 46 insertions(+), 24 deletions(-)
  target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
 files changed, 54 insertions(+), 1 deletion(-)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
+diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/tcg/translate.c
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static bool op_store_rr(DisasContext *s, arg_ldst_rr *a,
-     return s->vl;
+     return true;
  }
-+/* Return the byte size of the vector register, SVL / 8. */
++static void do_ldrd_load(DisasContext *s, TCGv_i32 addr, int rt, int rt2)
 +static inline int streaming_vec_reg_size(DisasContext *s)
 +{
-+    return s->svl;
++    /*
 +     * LDRD is required to be an atomic 64-bit access if the
 +     * address is 8-aligned, two atomic 32-bit accesses if
 +     * it's only 4-aligned, and to give an alignment fault
 +     * if it's not 4-aligned. This is MO_ALIGN_4 | MO_ATOM_SUBALIGN.
 +     * Rt is always the word from the lower address, and Rt2 the
 +     * data from the higher address, regardless of endianness.
 +     * So (like gen_load_exclusive) we avoid gen_aa32_ld_i64()
 +     * so we don't get its SCTLR_B check, and instead do a 64-bit access
 +     * using MO_BE if appropriate and then split the two halves.
 +     *
 +     * For M-profile, and for A-profile before LPAE, the 64-bit
 +     * atomicity is not required. We could model that using
 +     * the looser MO_ATOM_IFALIGN_PAIR, but providing a higher
 +     * level of atomicity than required is harmless (we would not
 +     * currently generate better code for IFALIGN_PAIR here).
 +     *
 +     * This also gives us the correct behaviour of not updating
 +     * rt if the load of rt2 faults; this is required for cases
 +     * like "ldrd r2, r3, [r2]" where rt is also the base register.
 +     */
 +    int mem_idx = get_mem_index(s);
 +    MemOp opc = MO_64 | MO_ALIGN_4 | MO_ATOM_SUBALIGN | s->be_data;
 +    TCGv taddr = gen_aa32_addr(s, addr, opc);
 +    TCGv_i64 t64 = tcg_temp_new_i64();
 +    TCGv_i32 tmp = tcg_temp_new_i32();
 +    TCGv_i32 tmp2 = tcg_temp_new_i32();
 +
 +    tcg_gen_qemu_ld_i64(t64, taddr, mem_idx, opc);
 +    if (s->be_data == MO_BE) {
 +        tcg_gen_extr_i64_i32(tmp2, tmp, t64);
 +    } else {
 +        tcg_gen_extr_i64_i32(tmp, tmp2, t64);
 +    }
 +    store_reg(s, rt, tmp);
 +    store_reg(s, rt2, tmp2);
 +}
 +
- /*
+ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
-  * Return the offset info CPUARMState of the predicate vector register Pn.
+ {
-  * Note for this purpose, FFR is P16.
+-    int mem_idx = get_mem_index(s);
-@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
+-    TCGv_i32 addr, tmp;
-     return s->vl >> 3;
++    TCGv_i32 addr;
- }
+     if (!ENABLE_ARCH_5TE) {
-+/* Return the byte size of the predicate register, SVL / 64.  */
+         return false;
-+static inline int streaming_pred_reg_size(DisasContext *s)
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
-+{
+     }
-+    return s->svl >> 3;
+     addr = op_addr_rr_pre(s, a);
-+}
-+
+-    tmp = tcg_temp_new_i32();
- /*
+-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-  * Round up the size of a register to a size allowed by
+-    store_reg(s, a->rt, tmp);
-  * the tcg vector infrastructure.  Any operation which uses this
+-
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
+-    tcg_gen_addi_i32(addr, addr, 4);
-index XXXXXXX..XXXXXXX 100644
+-
---- a/target/arm/sve.decode
+-    tmp = tcg_temp_new_i32();
-+++ b/target/arm/sve.decode
+-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
+-    store_reg(s, a->rt + 1, tmp);
- # SVE index generation (register start, register increment)
++    do_ldrd_load(s, addr, a->rt, a->rt + 1);
- INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
+     /* LDRD w/ base writeback is undefined if the registers overlap.  */
--### SVE Stack Allocation Group
+-    op_addr_rr_post(s, a, addr, -4);
-+### SVE / Streaming SVE Stack Allocation Group
++    op_addr_rr_post(s, a, addr, 0);
  # SVE stack frame adjustment
  ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
 +ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
  ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
 +ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
  # SVE stack frame size
  RDVL            00000100 101 11111 01010 imm:s6 rd:5
 +RDSVL           00000100 101 11111 01011 imm:s6 rd:5
  ### SVE Bitwise Shift - Unpredicated Group
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
      return true;
  }
-+static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
+@@ -XXX,XX +XXX,XX @@ static bool op_store_ri(DisasContext *s, arg_ldst_ri *a,
-+{
-+    if (!dc_isar_feature(aa64_sme, s)) {
+ static bool op_ldrd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
 +        return false;
 +    }
 +    if (sme_enabled_check(s)) {
 +        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
 +        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
 +        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
 +    }
 +    return true;
 +}
 +
  static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
  {
-     if (!dc_isar_feature(aa64_sve, s)) {
+-    int mem_idx = get_mem_index(s);
-@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
+-    TCGv_i32 addr, tmp;
 +    TCGv_i32 addr;
      addr = op_addr_ri_pre(s, a);
 -    tmp = tcg_temp_new_i32();
 -    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 -    store_reg(s, a->rt, tmp);
 -
 -    tcg_gen_addi_i32(addr, addr, 4);
 -
 -    tmp = tcg_temp_new_i32();
 -    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 -    store_reg(s, rt2, tmp);
 +    do_ldrd_load(s, addr, a->rt, rt2);
      /* LDRD w/ base writeback is undefined if the registers overlap.  */
 -    op_addr_ri_post(s, a, addr, -4);
 +    op_addr_ri_post(s, a, addr, 0);
      return true;
  }
-+static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
-+{
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (sme_enabled_check(s)) {
-+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
-+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
-+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
-+    }
-+    return true;
-+}
-+
- static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
- {
-     if (!dc_isar_feature(aa64_sve, s)) {
-@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
-     return true;
- }
-+static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
-+{
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (sme_enabled_check(s)) {
-+        TCGv_i64 reg = cpu_reg(s, a->rd);
-+        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
-+    }
-+    return true;
-+}
-+
- /*
-  *** SVE Compute Vector Address Group
-  */
 --
-.25.1
+.43.0

-[PULL 26/45] target/arm: Implement FMOPA, FMOPS (widening)
+[PULL 14/21] target/arm: Correct STRD atomicity
-From: Richard Henderson <richard.henderson@linaro.org>
+Our STRD implementation doesn't correctly implement the requirement:
  * if the address is 8-aligned the access must be a 64-bit
    single-copy atomic access, not two 32-bit accesses
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Rewrite the handling of STRD to use a single tcg_gen_qemu_st_i64()
-Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
+of a value produced by concatenating the two 32 bit source registers.
 This allows us to get the atomicity right.
 As with the LDRD change, now that we don't update 'addr' in the
 course of performing the store we need to adjust the offset
 we pass to op_addr_ri_post() and op_addr_rr_post().
 Cc: qemu-stable@nongnu.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20250227142746.1698904-3-peter.maydell@linaro.org
 ---
- target/arm/helper-sme.h    |  2 ++
+ target/arm/tcg/translate.c | 59 +++++++++++++++++++++++++-------------
- target/arm/sme.decode      |  1 +
+file changed, 39 insertions(+), 20 deletions(-)
  target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
  target/arm/translate-sme.c |  1 +
 files changed, 78 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
+diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
+--- a/target/arm/tcg/translate.c
-+++ b/target/arm/helper-sme.h
++++ b/target/arm/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
- DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
+     return true;
  DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
 +DEF_HELPER_FLAGS_7(sme_fmopa_h, TCG_CALL_NO_RWG,
 +                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
                     void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
 diff --git a/target/arm/sme.decode b/target/arm/sme.decode
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme.decode
 +++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
  FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
  BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
 +FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
 diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/sme_helper.c
 +++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@ static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
      return pair;
  }
-+static float32 f16_dotadd(float32 sum, uint32_t e1, uint32_t e2,
++static void do_strd_store(DisasContext *s, TCGv_i32 addr, int rt, int rt2)
 +                          float_status *s_std, float_status *s_odd)
 +{
-+    float64 e1r = float16_to_float64(e1 & 0xffff, true, s_std);
++    /*
-+    float64 e1c = float16_to_float64(e1 >> 16, true, s_std);
++     * STRD is required to be an atomic 64-bit access if the
-+    float64 e2r = float16_to_float64(e2 & 0xffff, true, s_std);
++     * address is 8-aligned, two atomic 32-bit accesses if
-+    float64 e2c = float16_to_float64(e2 >> 16, true, s_std);
++     * it's only 4-aligned, and to give an alignment fault
-+    float64 t64;
++     * if it's not 4-aligned.
-+    float32 t32;
++     * Rt is always the word from the lower address, and Rt2 the
 +     * data from the higher address, regardless of endianness.
 +     * So (like gen_store_exclusive) we avoid gen_aa32_ld_i64()
 +     * so we don't get its SCTLR_B check, and instead do a 64-bit access
 +     * using MO_BE if appropriate, using a value constructed
 +     * by putting the two halves together in the right order.
 +     *
 +     * As with LDRD, the 64-bit atomicity is not required for
 +     * M-profile, or for A-profile before LPAE, and we provide
 +     * the higher guarantee always for simplicity.
 +     */
 +    int mem_idx = get_mem_index(s);
 +    MemOp opc = MO_64 | MO_ALIGN_4 | MO_ATOM_SUBALIGN | s->be_data;
 +    TCGv taddr = gen_aa32_addr(s, addr, opc);
 +    TCGv_i32 t1 = load_reg(s, rt);
 +    TCGv_i32 t2 = load_reg(s, rt2);
 +    TCGv_i64 t64 = tcg_temp_new_i64();
 +
-+    /*
++    if (s->be_data == MO_BE) {
-+     * The ARM pseudocode function FPDot performs both multiplies
++        tcg_gen_concat_i32_i64(t64, t2, t1);
-+     * and the add with a single rounding operation.  Emulate this
++    } else {
-+     * by performing the first multiply in round-to-odd, then doing
++        tcg_gen_concat_i32_i64(t64, t1, t2);
-+     * the second multiply as fused multiply-add, and rounding to
++    }
-+     * float32 all in one step.
++    tcg_gen_qemu_st_i64(t64, taddr, mem_idx, opc);
 +     */
 +    t64 = float64_mul(e1r, e2r, s_odd);
 +    t64 = float64r32_muladd(e1c, e2c, t64, 0, s_std);
 +
 +    /* This conversion is exact, because we've already rounded. */
 +    t32 = float64_to_float32(t64, s_std);
 +
 +    /* The final accumulation step is not fused. */
 +    return float32_add(sum, t32, s_std);
 +}
 +
-+void HELPER(sme_fmopa_h)(void *vza, void *vzn, void *vzm, void *vpn,
+ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
 +                         void *vpm, void *vst, uint32_t desc)
 +{
 +    intptr_t row, col, oprsz = simd_maxsz(desc);
 +    uint32_t neg = simd_data(desc) * 0x80008000u;
 +    uint16_t *pn = vpn, *pm = vpm;
 +    float_status fpst_odd, fpst_std;
 +
 +    /*
 +     * Make a copy of float_status because this operation does not
 +     * update the cumulative fp exception status.  It also produces
 +     * default nans.  Make a second copy with round-to-odd -- see above.
 +     */
 +    fpst_std = *(float_status *)vst;
 +    set_default_nan_mode(true, &fpst_std);
 +    fpst_odd = fpst_std;
 +    set_float_rounding_mode(float_round_to_odd, &fpst_odd);
 +
 +    for (row = 0; row < oprsz; ) {
 +        uint16_t prow = pn[H2(row >> 4)];
 +        do {
 +            void *vza_row = vza + tile_vslice_offset(row);
 +            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
 +
 +            n = f16mop_adj_pair(n, prow, neg);
 +
 +            for (col = 0; col < oprsz; ) {
 +                uint16_t pcol = pm[H2(col >> 4)];
 +                do {
 +                    if (prow & pcol & 0b0101) {
 +                        uint32_t *a = vza_row + H1_4(col);
 +                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
 +
 +                        m = f16mop_adj_pair(m, pcol, 0);
 +                        *a = f16_dotadd(*a, n, m, &fpst_std, &fpst_odd);
 +
 +                        col += 4;
 +                        pcol >>= 4;
 +                    }
 +                } while (col & 15);
 +            }
 +            row += 4;
 +            prow >>= 4;
 +        } while (row & 15);
 +    }
 +}
 +
  void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
                          void *vpm, uint32_t desc)
  {
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
+-    int mem_idx = get_mem_index(s);
-index XXXXXXX..XXXXXXX 100644
+-    TCGv_i32 addr, tmp;
---- a/target/arm/translate-sme.c
++    TCGv_i32 addr;
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
+     if (!ENABLE_ARCH_5TE) {
          return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
      }
      addr = op_addr_rr_pre(s, a);
 -    tmp = load_reg(s, a->rt);
 -    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 +    do_strd_store(s, addr, a->rt, a->rt + 1);
 -    tcg_gen_addi_i32(addr, addr, 4);
 -
 -    tmp = load_reg(s, a->rt + 1);
 -    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 -
 -    op_addr_rr_post(s, a, addr, -4);
 +    op_addr_rr_post(s, a, addr, 0);
      return true;
  }
-+TRANS_FEAT(FMOPA_h, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_h)
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_ri_t32(DisasContext *s, arg_ldst_ri2 *a)
- TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
- TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
+ static bool op_strd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
  {
 -    int mem_idx = get_mem_index(s);
 -    TCGv_i32 addr, tmp;
 +    TCGv_i32 addr;
      addr = op_addr_ri_pre(s, a);
 -    tmp = load_reg(s, a->rt);
 -    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 +    do_strd_store(s, addr, a->rt, rt2);
 -    tcg_gen_addi_i32(addr, addr, 4);
 -
 -    tmp = load_reg(s, rt2);
 -    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
 -
 -    op_addr_ri_post(s, a, addr, -4);
 +    op_addr_ri_post(s, a, addr, 0);
      return true;
  }
 --
-.25.1
+.43.0

-[PULL 21/45] target/arm: Export unpredicated ld/st from translate-sve.c
+[PULL 15/21] target/arm: Drop unused address_offset from op_addr_{rr, ri}_post()
-From: Richard Henderson <richard.henderson@linaro.org>
+All the callers of op_addr_rr_post() and op_addr_ri_post() now pass in
 zero for the address_offset, so we can remove that argument.
-Add a TCGv_ptr base argument, which will be cpu_env for SVE.
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-We will reuse this for SME save and restore array insns.
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-id: 20250227142746.1698904-4-peter.maydell@linaro.org
 ---
  target/arm/tcg/translate.c | 26 +++++++++++++-------------
 file changed, 13 insertions(+), 13 deletions(-)
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  target/arm/translate-a64.h |  3 +++
  target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
 files changed, 39 insertions(+), 12 deletions(-)
 diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
+--- a/target/arm/tcg/translate.c
-+++ b/target/arm/translate-a64.h
++++ b/target/arm/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
+@@ -XXX,XX +XXX,XX @@ static TCGv_i32 op_addr_rr_pre(DisasContext *s, arg_ldst_rr *a)
-                   uint32_t rm_ofs, int64_t shift,
+ }
-                   uint32_t opr_sz, uint32_t max_sz);
+ static void op_addr_rr_post(DisasContext *s, arg_ldst_rr *a,
-+void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+-                            TCGv_i32 addr, int address_offset)
-+void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
++                            TCGv_i32 addr)
 +
  #endif /* TARGET_ARM_TRANSLATE_A64_H */
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
   * The load should begin at the address Rn + IMM.
   */
 -static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 +void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
 +                 int len, int rn, int imm)
  {
-     int len_align = QEMU_ALIGN_DOWN(len, 8);
+     if (!a->p) {
-     int len_remain = len % 8;
+         TCGv_i32 ofs = load_reg(s, a->rm);
-@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+@@ -XXX,XX +XXX,XX @@ static void op_addr_rr_post(DisasContext *s, arg_ldst_rr *a,
-         t0 = tcg_temp_new_i64();
+     } else if (!a->w) {
-         for (i = 0; i < len_align; i += 8) {
+         return;
              tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
 -            tcg_gen_st_i64(t0, cpu_env, vofs + i);
 +            tcg_gen_st_i64(t0, base, vofs + i);
              tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          }
          tcg_temp_free_i64(t0);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 +        if (base != cpu_env) {
 +            TCGv_ptr b = tcg_temp_local_new_ptr();
 +            tcg_gen_mov_ptr(b, base);
 +            base = b;
 +        }
 +
          gen_set_label(loop);
          t0 = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          tp = tcg_temp_new_ptr();
 -        tcg_gen_add_ptr(tp, cpu_env, i);
 +        tcg_gen_add_ptr(tp, base, i);
          tcg_gen_addi_ptr(i, i, 8);
          tcg_gen_st_i64(t0, tp, vofs);
          tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
          tcg_temp_free_ptr(i);
 +
 +        if (base != cpu_env) {
 +            tcg_temp_free_ptr(base);
 +            assert(len_remain == 0);
 +        }
      }
+-    tcg_gen_addi_i32(addr, addr, address_offset);
-     /*
+     store_reg(s, a->rn, addr);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          default:
              g_assert_not_reached();
          }
 -        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
 +        tcg_gen_st_i64(t0, base, vofs + len_align);
          tcg_temp_free_i64(t0);
      }
  }
- /* Similarly for stores.  */
+@@ -XXX,XX +XXX,XX @@ static bool op_load_rr(DisasContext *s, arg_ldst_rr *a,
--static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+      * Perform base writeback before the loaded value to
-+void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
+      * ensure correct behavior with overlapping index registers.
-+                 int len, int rn, int imm)
+      */
- {
+-    op_addr_rr_post(s, a, addr, 0);
-     int len_align = QEMU_ALIGN_DOWN(len, 8);
++    op_addr_rr_post(s, a, addr);
-     int len_remain = len % 8;
+     store_reg_from_load(s, a->rt, tmp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          t0 = tcg_temp_new_i64();
          for (i = 0; i < len_align; i += 8) {
 -            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
 +            tcg_gen_ld_i64(t0, base, vofs + i);
              tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
              tcg_gen_addi_i64(clean_addr, clean_addr, 8);
          }
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          clean_addr = new_tmp_a64_local(s);
          tcg_gen_mov_i64(clean_addr, t0);
 +        if (base != cpu_env) {
 +            TCGv_ptr b = tcg_temp_local_new_ptr();
 +            tcg_gen_mov_ptr(b, base);
 +            base = b;
 +        }
 +
          gen_set_label(loop);
          t0 = tcg_temp_new_i64();
          tp = tcg_temp_new_ptr();
 -        tcg_gen_add_ptr(tp, cpu_env, i);
 +        tcg_gen_add_ptr(tp, base, i);
          tcg_gen_ld_i64(t0, tp, vofs);
          tcg_gen_addi_ptr(i, i, 8);
          tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
          tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
          tcg_temp_free_ptr(i);
 +
 +        if (base != cpu_env) {
 +            tcg_temp_free_ptr(base);
 +            assert(len_remain == 0);
 +        }
      }
      /* Predicate register stores can be any multiple of 2.  */
      if (len_remain) {
          t0 = tcg_temp_new_i64();
 -        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
 +        tcg_gen_ld_i64(t0, base, vofs + len_align);
          switch (len_remain) {
          case 2:
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
      if (sve_access_check(s)) {
          int size = vec_full_reg_size(s);
          int off = vec_full_reg_offset(s, a->rd);
 -        do_ldr(s, off, size, a->rn, a->imm * size);
 +        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
      }
      return true;
  }
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
+@@ -XXX,XX +XXX,XX @@ static bool op_store_rr(DisasContext *s, arg_ldst_rr *a,
-     if (sve_access_check(s)) {
+     gen_aa32_st_i32(s, tmp, addr, mem_idx, mop);
-         int size = pred_full_reg_size(s);
+     disas_set_da_iss(s, mop, issinfo);
-         int off = pred_full_reg_offset(s, a->rd);
--        do_ldr(s, off, size, a->rn, a->imm * size);
+-    op_addr_rr_post(s, a, addr, 0);
-+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
++    op_addr_rr_post(s, a, addr);
      }
      return true;
  }
-@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
-     if (sve_access_check(s)) {
+@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
-         int size = vec_full_reg_size(s);
+     do_ldrd_load(s, addr, a->rt, a->rt + 1);
-         int off = vec_full_reg_offset(s, a->rd);
--        do_str(s, off, size, a->rn, a->imm * size);
+     /* LDRD w/ base writeback is undefined if the registers overlap.  */
-+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
+-    op_addr_rr_post(s, a, addr, 0);
-     }
++    op_addr_rr_post(s, a, addr);
      return true;
  }
-@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
-     if (sve_access_check(s)) {
+@@ -XXX,XX +XXX,XX @@ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
-         int size = pred_full_reg_size(s);
-         int off = pred_full_reg_offset(s, a->rd);
+     do_strd_store(s, addr, a->rt, a->rt + 1);
--        do_str(s, off, size, a->rn, a->imm * size);
-+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
+-    op_addr_rr_post(s, a, addr, 0);
-     }
++    op_addr_rr_post(s, a, addr);
      return true;
  }
+@@ -XXX,XX +XXX,XX @@ static TCGv_i32 op_addr_ri_pre(DisasContext *s, arg_ldst_ri *a)
+ }
+ static void op_addr_ri_post(DisasContext *s, arg_ldst_ri *a,
+-                            TCGv_i32 addr, int address_offset)
++                            TCGv_i32 addr)
+ {
++    int address_offset = 0;
+     if (!a->p) {
+         if (a->u) {
+-            address_offset += a->imm;
++            address_offset = a->imm;
+         } else {
+-            address_offset -= a->imm;
++            address_offset = -a->imm;
+         }
+     } else if (!a->w) {
+         return;
+@@ -XXX,XX +XXX,XX @@ static bool op_load_ri(DisasContext *s, arg_ldst_ri *a,
+      * Perform base writeback before the loaded value to
+      * ensure correct behavior with overlapping index registers.
+      */
+-    op_addr_ri_post(s, a, addr, 0);
++    op_addr_ri_post(s, a, addr);
+     store_reg_from_load(s, a->rt, tmp);
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool op_store_ri(DisasContext *s, arg_ldst_ri *a,
+     gen_aa32_st_i32(s, tmp, addr, mem_idx, mop);
+     disas_set_da_iss(s, mop, issinfo);
+-    op_addr_ri_post(s, a, addr, 0);
++    op_addr_ri_post(s, a, addr);
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool op_ldrd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
+     do_ldrd_load(s, addr, a->rt, rt2);
+     /* LDRD w/ base writeback is undefined if the registers overlap.  */
+-    op_addr_ri_post(s, a, addr, 0);
++    op_addr_ri_post(s, a, addr);
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool op_strd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
+     do_strd_store(s, addr, a->rt, rt2);
+-    op_addr_ri_post(s, a, addr, 0);
++    op_addr_ri_post(s, a, addr);
+     return true;
+ }
 --
-.25.1
+.43.0

-[PULL 45/45] linux-user/aarch64: Add SME related hwcap entries
+[PULL 16/21] target/arm: Make dummy debug registers RAZ, not NOP
-From: Richard Henderson <richard.henderson@linaro.org>
+In debug_helper.c we provide a few dummy versions of
 debug registers:
  * DBGVCR (AArch32 only): enable bits for vector-catch
    debug events
  * MDCCINT_EL1: interrupt enable bits for the DCC
    debug communications channel
  * DBGVCR32_EL2: the AArch64 accessor for the state in
    DBGVCR
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+We implemented these only to stop Linux crashing on startup,
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+but we chose to implement them as ARM_CP_NOP. This worked
-Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
+for Linux where it only cares about trying to write to these
 registers, but is very confusing behaviour for anything that
 wants to read the registers (perhaps for context state switches),
 because the destination register will be left with whatever
 random value it happened to have before the read.
 Model these registers instead as RAZ.
 Fixes: 5e8b12ffbb8c68 ("target-arm: Implement minimal DBGVCR, OSDLR_EL1, MDCCSR_EL0")
 Fixes: 5dbdc4342f479d ("target-arm: Implement dummy MDCCINT_EL1")
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2708
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-id: 20250228162424.1917269-1-peter.maydell@linaro.org
 ---
- linux-user/elfload.c | 20 ++++++++++++++++++++
+ target/arm/debug_helper.c | 7 ++++---
-file changed, 20 insertions(+)
+file changed, 4 insertions(+), 3 deletions(-)
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/elfload.c
+--- a/target/arm/debug_helper.c
-+++ b/linux-user/elfload.c
++++ b/target/arm/debug_helper.c
-@@ -XXX,XX +XXX,XX @@ enum {
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
-     ARM_HWCAP2_A64_RNG          = 1 << 16,
+     { .name = "DBGVCR",
-     ARM_HWCAP2_A64_BTI          = 1 << 17,
+       .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
-     ARM_HWCAP2_A64_MTE          = 1 << 18,
+       .access = PL1_RW, .accessfn = access_tda,
-+    ARM_HWCAP2_A64_ECV          = 1 << 19,
+-      .type = ARM_CP_NOP },
-+    ARM_HWCAP2_A64_AFP          = 1 << 20,
++      .type = ARM_CP_CONST, .resetvalue = 0 },
-+    ARM_HWCAP2_A64_RPRES        = 1 << 21,
+     /*
-+    ARM_HWCAP2_A64_MTE3         = 1 << 22,
+      * Dummy MDCCINT_EL1, since we don't implement the Debug Communications
-+    ARM_HWCAP2_A64_SME          = 1 << 23,
+      * Channel but Linux may try to access this register. The 32-bit
-+    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
+@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
-+    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
+     { .name = "MDCCINT_EL1", .state = ARM_CP_STATE_BOTH,
-+    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
+       .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
-+    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
+       .access = PL1_RW, .accessfn = access_tdcc,
-+    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
+-      .type = ARM_CP_NOP },
-+    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
++      .type = ARM_CP_CONST, .resetvalue = 0 },
-+    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
+     /*
       * Dummy DBGCLAIM registers.
       * "The architecture does not define any functionality for the CLAIM tag bits.",
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_aa32_el1_reginfo[] = {
      { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,
        .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,
        .access = PL2_RW, .accessfn = access_dbgvcr32,
 -      .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },
 +      .type = ARM_CP_CONST | ARM_CP_EL3_NO_EL2_KEEP,
 +      .resetvalue = 0 },
  };
- #define ELF_HWCAP   get_elf_hwcap()
+ static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
      GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
      GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
      GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
 +    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
 +                              ARM_HWCAP2_A64_SME_F32F32 |
 +                              ARM_HWCAP2_A64_SME_B16F32 |
 +                              ARM_HWCAP2_A64_SME_F16F32 |
 +                              ARM_HWCAP2_A64_SME_I8I32));
 +    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
 +    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
 +    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
      return hwcaps;
  }
 --
-.25.1
+.43.0

-[PULL 36/45] linux-user/aarch64: Tidy target_restore_sigframe error return
+[PULL 17/21] util/qemu-timer.c: Don't warp timer from timerlist_rearm()
-From: Richard Henderson <richard.henderson@linaro.org>
+Currently we call icount_start_warp_timer() from timerlist_rearm().
 This produces incorrect behaviour, because timerlist_rearm() is
 called, for instance, when a timer callback modifies its timer.  We
 cannot decide here to warp the timer forwards to the next timer
 deadline merely because all_cpu_threads_idle() is true, because the
 timer callback we were called from (or some other callback later in
 the list of callbacks being invoked) may be about to raise a CPU
 interrupt and move a CPU from idle to ready.
-Fold the return value setting into the goto, so each
+The only valid place to choose to warp the timer forward is from the
-point of failure need not do both.
+main loop, when we know we have no outstanding IO or timer callbacks
 that might be about to wake up a CPU.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+For Arm guests, this bug was mostly latent until the refactoring
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+commit f6fc36deef6abc ("target/arm/helper: Implement
-Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
+CNTHCTL_EL2.CNT[VP]MASK"), which exposed it because it refactored a
 timer callback so that it happened to call timer_mod() first and
 raise the interrupt second, when it had previously raised the
 interrupt first and called timer_mod() afterwards.
 This call seems to have originally derived from the
 pre-record-and-replay icount code, which (as of e.g.  commit
 db1a49726c3c in 2010) in this location did a call to
 qemu_notify_event(), necessary to get the icount code in the vCPU
 round-robin thread to stop and recalculate the icount deadline when a
 timer was reprogrammed from the IO thread.  In current QEMU,
 everything is done on the vCPU thread when we are in icount mode, so
 there's no need to try to notify another thread here.
 I suspect that the other reason why this call was doing icount timer
 warping is that it pre-dates commit efab87cf79077a from 2015, which
 added a call to icount_start_warp_timer() to main_loop_wait().  Once
 the call in timerlist_rearm() has been removed, if the timer
 callbacks don't cause any CPU to be woken up then we will end up
 calling icount_start_warp_timer() from main_loop_wait() when the rr
 main loop code calls rr_wait_io_event().
 Remove the incorrect call from timerlist_rearm().
 Cc: qemu-stable@nongnu.org
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2703
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Tested-by: Alex Bennée <alex.bennee@linaro.org>
+Message-id: 20250210135804.3526943-1-peter.maydell@linaro.org
 ---
- linux-user/aarch64/signal.c | 26 +++++++++++---------------
+ util/qemu-timer.c | 4 ----
-file changed, 11 insertions(+), 15 deletions(-)
+file changed, 4 deletions(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/util/qemu-timer.c b/util/qemu-timer.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/util/qemu-timer.c
-+++ b/linux-user/aarch64/signal.c
++++ b/util/qemu-timer.c
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ static bool timer_mod_ns_locked(QEMUTimerList *timer_list,
-     struct target_sve_context *sve = NULL;
-     uint64_t extra_datap = 0;
+ static void timerlist_rearm(QEMUTimerList *timer_list)
-     bool used_extra = false;
+ {
--    bool err = false;
+-    /* Interrupt execution to force deadline recalculation.  */
-     int vq = 0, sve_size = 0;
+-    if (icount_enabled() && timer_list->clock->type == QEMU_CLOCK_VIRTUAL) {
+-        icount_start_warp_timer();
-     target_restore_general_frame(env, sf);
+-    }
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+     timerlist_notify(timer_list);
          switch (magic) {
          case 0:
              if (size != 0) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              if (used_extra) {
                  ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
          case TARGET_FPSIMD_MAGIC:
              if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              fpsimd = (struct target_fpsimd_context *)ctx;
              break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                      break;
                  }
              }
 -            err = true;
 -            goto exit;
 +            goto err;
          case TARGET_EXTRA_MAGIC:
              if (extra || size != sizeof(struct target_extra_context)) {
 -                err = true;
 -                goto exit;
 +                goto err;
              }
              __get_user(extra_datap,
                         &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
              /* Unknown record -- we certainly didn't generate it.
               * Did we in fact get out of sync?
               */
 -            err = true;
 -            goto exit;
 +            goto err;
          }
          ctx = (void *)ctx + size;
      }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
      if (fpsimd) {
          target_restore_fpsimd_record(env, fpsimd);
      } else {
 -        err = true;
 +        goto err;
      }
      /* SVE data, if present, overwrites FPSIMD data.  */
      if (sve) {
          target_restore_sve_record(env, sve, vq);
      }
 -
 - exit:
      unlock_user(extra, extra_datap, 0);
 -    return err;
 +    return 0;
 +
 + err:
 +    unlock_user(extra, extra_datap, 0);
 +    return 1;
  }
- static abi_ulong get_sigframe(struct target_sigaction *ka,
 --
-.25.1
+.43.0

-[PULL 37/45] linux-user/aarch64: Do not allow duplicate or short sve records
+[PULL 18/21] include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
-From: Richard Henderson <richard.henderson@linaro.org>
+Expand the example in the comment documenting MO_ATOM_SUBALIGN,
 to be clearer about the atomicity guarantees it represents.
-In parse_user_sigframe, the kernel rejects duplicate sve records,
+Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-or records that are smaller than the header.  We were silently
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-allowing these cases to pass, dropping the record.
+Message-id: 20250228103222.1838913-1-peter.maydell@linaro.org
 ---
  include/exec/memop.h | 8 ++++++--
 file changed, 6 insertions(+), 2 deletions(-)
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+diff --git a/include/exec/memop.h b/include/exec/memop.h
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
  linux-user/aarch64/signal.c | 5 ++++-
 file changed, 4 insertions(+), 1 deletion(-)
 diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/include/exec/memop.h
-+++ b/linux-user/aarch64/signal.c
++++ b/include/exec/memop.h
-@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
+@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
-             break;
+      *    Depending on alignment, one or both will be single-copy atomic.
+      *    This is the atomicity e.g. of Arm FEAT_LSE2 LDP.
-         case TARGET_SVE_MAGIC:
+      * MO_ATOM_SUBALIGN: the operation is single-copy atomic by parts
-+            if (sve || size < sizeof(struct target_sve_context)) {
+-     *    by the alignment.  E.g. if the address is 0 mod 4, then each
-+                goto err;
+-     *    4-byte subobject is single-copy atomic.
-+            }
++     *    by the alignment.  E.g. if an 8-byte value is accessed at an
-             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
++     *    address which is 0 mod 8, then the whole 8-byte access is
-                 vq = sve_vq(env);
++     *    single-copy atomic; otherwise, if it is accessed at 0 mod 4
-                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
++     *    then each 4-byte subobject is single-copy atomic; otherwise
--                if (!sve && size == sve_size) {
++     *    if it is accessed at 0 mod 2 then the four 2-byte subobjects
-+                if (size == sve_size) {
++     *    are single-copy atomic.
-                     sve = (struct target_sve_context *)ctx;
+      *    This is the atomicity e.g. of IBM Power.
-                     break;
+      * MO_ATOM_NONE: the operation has no atomicity requirements.
-                 }
+      *
 --
-.25.1
+.43.0

-[PULL 12/45] target/arm: Mark gather prefetch as non-streaming
+[PULL 19/21] hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
-From: Richard Henderson <richard.henderson@linaro.org>
+From: JianChunfu <jansef.jian@hj-micro.com>
-Mark these as a non-streaming instructions, which should trap if full
+Use a similar terminology smmu_hash_remove_by_sid_range() as the one
-a64 support is not enabled in streaming mode.  In this case, introduce
+being used for other hash table matching functions since
-PRF_ns (prefetch non-streaming) to handle the checks.
+smmuv3_invalidate_ste() name is not self explanatory, and introduce a
 helper that invokes the g_hash_table_foreach_remove.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+No functional change intended.
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
+Signed-off-by: JianChunfu <jansef.jian@hj-micro.com>
 Reviewed-by: Eric Auger <eric.auger@redhat.com>
 Message-id: 20250228031438.3916-1-jansef.jian@hj-micro.com
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- target/arm/sme-fa64.decode |  3 ---
+ hw/arm/smmu-internal.h       |  5 -----
- target/arm/sve.decode      | 10 +++++-----
+ include/hw/arm/smmu-common.h |  6 ++++++
- target/arm/translate-sve.c | 11 +++++++++++
+ hw/arm/smmu-common.c         | 21 +++++++++++++++++++++
-files changed, 16 insertions(+), 8 deletions(-)
+ hw/arm/smmuv3.c              | 19 ++-----------------
  hw/arm/trace-events          |  3 ++-
 files changed, 31 insertions(+), 23 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
+diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
+--- a/hw/arm/smmu-internal.h
-+++ b/target/arm/sme-fa64.decode
++++ b/hw/arm/smmu-internal.h
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBPageInvInfo {
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+     uint64_t mask;
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+ } SMMUIOTLBPageInvInfo;
--FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+-typedef struct SMMUSIDRange {
--FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+-    uint32_t start;
- FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+-    uint32_t end;
- FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+-} SMMUSIDRange;
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+-
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+ #endif
--FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
 diff --git a/target/arm/sve.decode b/target/arm/sve.decode
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
+--- a/include/hw/arm/smmu-common.h
-+++ b/target/arm/sve.decode
++++ b/include/hw/arm/smmu-common.h
-@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
+@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBKey {
-                 @rpri_load_msz nreg=0
+     uint8_t level;
+ } SMMUIOTLBKey;
- # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
--PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
++typedef struct SMMUSIDRange {
-+PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
++    uint32_t start;
++    uint32_t end;
- # SVE 32-bit gather prefetch (vector plus immediate)
++} SMMUSIDRange;
--PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
++
-+PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
+ struct SMMUState {
+     /* <private> */
- # SVE contiguous prefetch (scalar plus immediate)
+     SysBusDevice  dev;
- PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
+@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
-@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
+                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
-                 @rpri_g_load esz=3
+ void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
+                         uint64_t num_pages, uint8_t ttl);
- # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
++void smmu_configs_inv_sid_range(SMMUState *s, SMMUSIDRange sid_range);
--PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
+ /* Unmap the range of all the notifiers registered to any IOMMU mr */
-+PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
+ void smmu_inv_notifiers_all(SMMUState *s);
- # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
+diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
 -PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
 +PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
  # SVE 64-bit gather prefetch (vector plus immediate)
 -PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
 +PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
  ### SVE Memory Store Group
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
+--- a/hw/arm/smmu-common.c
-+++ b/target/arm/translate-sve.c
++++ b/hw/arm/smmu-common.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
+@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value,
-     return true;
+            ((entry->iova & ~info->mask) == info->iova);
  }
-+static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
++static gboolean
 +smmu_hash_remove_by_sid_range(gpointer key, gpointer value, gpointer user_data)
 +{
-+    if (!dc_isar_feature(aa64_sve, s)) {
++    SMMUDevice *sdev = (SMMUDevice *)key;
 +    uint32_t sid = smmu_get_sid(sdev);
 +    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
 +
 +    if (sid < sid_range->start || sid > sid_range->end) {
 +        return false;
 +    }
-+    /* Prefetch is a nop within QEMU.  */
++    trace_smmu_config_cache_inv(sid);
 +    s->is_nonstreaming = true;
 +    (void)sve_access_check(s);
 +    return true;
 +}
 +
- /*
++void smmu_configs_inv_sid_range(SMMUState *s, SMMUSIDRange sid_range)
-  * Move Prefix
++{
-  *
++    trace_smmu_configs_inv_sid_range(sid_range.start, sid_range.end);
 +    g_hash_table_foreach_remove(s->configs, smmu_hash_remove_by_sid_range,
 +                                &sid_range);
 +}
 +
  void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                           uint8_t tg, uint64_t num_pages, uint8_t ttl)
  {
 diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/smmuv3.c
 +++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_flush_config(SMMUDevice *sdev)
      SMMUv3State *s = sdev->smmu;
      SMMUState *bc = &s->smmu_state;
 -    trace_smmuv3_config_cache_inv(smmu_get_sid(sdev));
 +    trace_smmu_config_cache_inv(smmu_get_sid(sdev));
      g_hash_table_remove(bc->configs, sdev);
  }
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
      }
  }
 -static gboolean
 -smmuv3_invalidate_ste(gpointer key, gpointer value, gpointer user_data)
 -{
 -    SMMUDevice *sdev = (SMMUDevice *)key;
 -    uint32_t sid = smmu_get_sid(sdev);
 -    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
 -
 -    if (sid < sid_range->start || sid > sid_range->end) {
 -        return false;
 -    }
 -    trace_smmuv3_config_cache_inv(sid);
 -    return true;
 -}
 -
  static int smmuv3_cmdq_consume(SMMUv3State *s)
  {
      SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
              sid_range.end = sid_range.start + mask;
              trace_smmuv3_cmdq_cfgi_ste_range(sid_range.start, sid_range.end);
 -            g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
 -                                        &sid_range);
 +            smmu_configs_inv_sid_range(bs, sid_range);
              break;
          }
          case SMMU_CMD_CFGI_CD:
 diff --git a/hw/arm/trace-events b/hw/arm/trace-events
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/arm/trace-events
 +++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
  smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
  smmu_iotlb_inv_vmid_s1(int vmid) "IOTLB invalidate vmid=%d"
  smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
 +smmu_configs_inv_sid_range(uint32_t start, uint32_t end) "Config cache INV SID range from 0x%x to 0x%x"
 +smmu_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
  smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
  smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
  smmu_iotlb_lookup_miss(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_tlbi_nh(int vmid) "vmid=%d"
  smmuv3_cmdq_tlbi_nsnh(void) ""
  smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
  smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
 -smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
  smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
  smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
  smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages, int stage) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" stage=%d"
 --
-.25.1
+.43.0

-[PULL 13/45] target/arm: Mark LDFF1 and LDNF1 as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 2 --
- target/arm/translate-sve.c | 2 ++
-files changed, 2 insertions(+), 2 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
--FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
- FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
- FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDFF1_zprr(DisasContext *s, arg_rprr_load *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDNF1_zpri(DisasContext *s, arg_rpri_load *a)
-     if (!dc_isar_feature(aa64_sve, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         int vsz = vec_full_reg_size(s);
-         int elements = vsz >> dtype_esz[a->dtype];
---
-.25.1

-[PULL 14/45] target/arm: Mark LD1RO as non-streaming
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Mark these as a non-streaming instructions, which should trap
-if full a64 support is not enabled in streaming mode.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme-fa64.decode | 3 ---
- target/arm/translate-sve.c | 2 ++
-files changed, 2 insertions(+), 3 deletions(-)
-diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme-fa64.decode
-+++ b/target/arm/sme-fa64.decode
-@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
- #       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
- #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
- #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
--
--FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
--FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zprr(DisasContext *s, arg_rprr_load *a)
-     if (a->rm == 31) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), dtype_msz(a->dtype));
-@@ -XXX,XX +XXX,XX @@ static bool trans_LD1RO_zpri(DisasContext *s, arg_rpri_load *a)
-     if (!dc_isar_feature(aa64_sve_f64mm, s)) {
-         return false;
-     }
-+    s->is_nonstreaming = true;
-     if (sve_access_check(s)) {
-         TCGv_i64 addr = new_tmp_a64(s);
-         tcg_gen_addi_i64(addr, cpu_reg_sp(s, a->rn), a->imm * 32);
---
-.25.1

-[PULL 15/45] target/arm: Add SME enablement checks
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-These functions will be used to verify that the cpu
-is in the correct state for a given instruction.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.h | 21 +++++++++++++++++++++
- target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
-files changed, 55 insertions(+)
-diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.h
-+++ b/target/arm/translate-a64.h
-@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
- bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
-                             unsigned int imms, unsigned int immr);
- bool sve_access_check(DisasContext *s);
-+bool sme_enabled_check(DisasContext *s);
-+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
-+
-+/* This function corresponds to CheckStreamingSVEEnabled. */
-+static inline bool sme_sm_enabled_check(DisasContext *s)
-+{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
-+}
-+
-+/* This function corresponds to CheckSMEAndZAEnabled. */
-+static inline bool sme_za_enabled_check(DisasContext *s)
-+{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
-+}
-+
-+/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
-+static inline bool sme_smza_enabled_check(DisasContext *s)
-+{
-+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
-+}
-+
- TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
- TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
-                         bool tag_checked, int log2_size);
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
-     return true;
- }
-+/* This function corresponds to CheckSMEEnabled. */
-+bool sme_enabled_check(DisasContext *s)
-+{
-+    /*
-+     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
-+     * to be zero when fp_excp_el has priority.  This is because we need
-+     * sme_excp_el by itself for cpregs access checks.
-+     */
-+    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
-+        s->fp_access_checked = true;
-+        return sme_access_check(s);
-+    }
-+    return fp_access_check_only(s);
-+}
-+
-+/* Common subroutine for CheckSMEAnd*Enabled. */
-+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
-+{
-+    if (!sme_enabled_check(s)) {
-+        return false;
-+    }
-+    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-+                           syn_smetrap(SME_ET_NotStreaming, false));
-+        return false;
-+    }
-+    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
-+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
-+                           syn_smetrap(SME_ET_InactiveZA, false));
-+        return false;
-+    }
-+    return true;
-+}
-+
- /*
-  * This utility function is for doing register extension with an
-  * optional shift. You will likely want to pass a temporary for the
---
-.25.1

-[PULL 16/45] target/arm: Handle SME in sve_access_check
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-The pseudocode for CheckSVEEnabled gains a check for Streaming
-SVE mode, and for SME present but SVE absent.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/translate-a64.c | 22 ++++++++++++++++------
-file changed, 16 insertions(+), 6 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
-+++ b/target/arm/translate-a64.c
-@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
-     return true;
- }
--/* Check that SVE access is enabled.  If it is, return true.
-+/*
-+ * Check that SVE access is enabled.  If it is, return true.
-  * If not, emit code to generate an appropriate exception and return false.
-+ * This function corresponds to CheckSVEEnabled().
-  */
- bool sve_access_check(DisasContext *s)
- {
--    if (s->sve_excp_el) {
--        assert(!s->sve_access_checked);
--        s->sve_access_checked = true;
--
-+    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
-+        assert(dc_isar_feature(aa64_sme, s));
-+        if (!sme_sm_enabled_check(s)) {
-+            goto fail_exit;
-+        }
-+    } else if (s->sve_excp_el) {
-         gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
-                               syn_sve_access_trap(), s->sve_excp_el);
--        return false;
-+        goto fail_exit;
-     }
-     s->sve_access_checked = true;
-     return fp_access_check(s);
-+
-+ fail_exit:
-+    /* Assert that we only raise one exception per instruction. */
-+    assert(!s->sve_access_checked);
-+    s->sve_access_checked = true;
-+    return false;
- }
- /*
---
-.25.1

-[PULL 18/45] target/arm: Implement SME ZERO
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  2 ++
- target/arm/sme.decode      |  4 ++++
- target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
- target/arm/translate-sme.c | 13 +++++++++++++
-files changed, 44 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@
- DEF_HELPER_FLAGS_2(set_pstate_sm, TCG_CALL_NO_RWG, void, env, i32)
- DEF_HELPER_FLAGS_2(set_pstate_za, TCG_CALL_NO_RWG, void, env, i32)
-+
-+DEF_HELPER_FLAGS_3(sme_zero, TCG_CALL_NO_RWG, void, env, i32, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@
- #
- # This file is processed by scripts/decodetree.py
- #
-+
-+### SME Misc
-+
-+ZERO            11000000 00 001 00000000000 imm:8
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ void helper_set_pstate_za(CPUARMState *env, uint32_t i)
-         memset(env->zarray, 0, sizeof(env->zarray));
-     }
- }
-+
-+void helper_sme_zero(CPUARMState *env, uint32_t imm, uint32_t svl)
-+{
-+    uint32_t i;
-+
-+    /*
-+     * Special case clearing the entire ZA space.
-+     * This falls into the CONSTRAINED UNPREDICTABLE zeroing of any
-+     * parts of the ZA storage outside of SVL.
-+     */
-+    if (imm == 0xff) {
-+        memset(env->zarray, 0, sizeof(env->zarray));
-+        return;
-+    }
-+
-+    /*
-+     * Recall that ZAnH.D[m] is spread across ZA[n+8*m],
-+     * so each row is discontiguous within ZA[].
-+     */
-+    for (i = 0; i < svl; i++) {
-+        if (imm & (1 << (i % 8))) {
-+            memset(&env->zarray[i], 0, svl);
-+        }
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@
-  */
- #include "decode-sme.c.inc"
-+
-+
-+static bool trans_ZERO(DisasContext *s, arg_ZERO *a)
-+{
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (sme_za_enabled_check(s)) {
-+        gen_helper_sme_zero(cpu_env, tcg_constant_i32(a->imm),
-+                            tcg_constant_i32(streaming_vec_reg_size(s)));
-+    }
-+    return true;
-+}
---
-.25.1

-[PULL 20/45] target/arm: Implement SME LD1, ST1
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
-because those functions accept only a Zreg register number.
-For SME, we want to pass a pointer into ZA storage.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  82 +++++
- target/arm/sme.decode      |   9 +
- target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c |  70 +++++
-files changed, 756 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
-                 &mova to_vec=1 rs=%mova_rs
- MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
-                 &mova to_vec=1 rs=%mova_rs esz=4
-+
-+### SME Memory
-+
-+&ldst           esz rs pg rn rm za_imm v:bool st:bool
-+
-+LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-+                &ldst rs=%mova_rs
-+LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-+                &ldst esz=4 rs=%mova_rs
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@
- #include "qemu/osdep.h"
- #include "cpu.h"
-+#include "internals.h"
- #include "tcg/tcg-gvec-desc.h"
- #include "exec/helper-proto.h"
-+#include "exec/cpu_ldst.h"
-+#include "exec/exec-all.h"
- #include "qemu/int128.h"
- #include "vec_internal.h"
-+#include "sve_ldst_internal.h"
- /* ResetSVEState */
- void arm_reset_sve_state(CPUARMState *env)
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
- }
- #undef DO_MOVA_Z
-+
-+/*
-+ * Clear elements in a tile slice comprising len bytes.
-+ */
-+
-+typedef void ClearFn(void *ptr, size_t off, size_t len);
-+
-+static void clear_horizontal(void *ptr, size_t off, size_t len)
-+{
-+    memset(ptr + off, 0, len);
-+}
-+
-+static void clear_vertical_b(void *vptr, size_t off, size_t len)
-+{
-+    for (size_t i = 0; i < len; ++i) {
-+        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+    }
-+}
-+
-+static void clear_vertical_h(void *vptr, size_t off, size_t len)
-+{
-+    for (size_t i = 0; i < len; i += 2) {
-+        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+    }
-+}
-+
-+static void clear_vertical_s(void *vptr, size_t off, size_t len)
-+{
-+    for (size_t i = 0; i < len; i += 4) {
-+        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+    }
-+}
-+
-+static void clear_vertical_d(void *vptr, size_t off, size_t len)
-+{
-+    for (size_t i = 0; i < len; i += 8) {
-+        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
-+    }
-+}
-+
-+static void clear_vertical_q(void *vptr, size_t off, size_t len)
-+{
-+    for (size_t i = 0; i < len; i += 16) {
-+        memset(vptr + tile_vslice_offset(i + off), 0, 16);
-+    }
-+}
-+
-+/*
-+ * Copy elements from an array into a tile slice comprising len bytes.
-+ */
-+
-+typedef void CopyFn(void *dst, const void *src, size_t len);
-+
-+static void copy_horizontal(void *dst, const void *src, size_t len)
-+{
-+    memcpy(dst, src, len);
-+}
-+
-+static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
-+{
-+    const uint8_t *src = vsrc;
-+    uint8_t *dst = vdst;
-+    size_t i;
-+
-+    for (i = 0; i < len; ++i) {
-+        dst[tile_vslice_index(i)] = src[i];
-+    }
-+}
-+
-+static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
-+{
-+    const uint16_t *src = vsrc;
-+    uint16_t *dst = vdst;
-+    size_t i;
-+
-+    for (i = 0; i < len / 2; ++i) {
-+        dst[tile_vslice_index(i)] = src[i];
-+    }
-+}
-+
-+static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
-+{
-+    const uint32_t *src = vsrc;
-+    uint32_t *dst = vdst;
-+    size_t i;
-+
-+    for (i = 0; i < len / 4; ++i) {
-+        dst[tile_vslice_index(i)] = src[i];
-+    }
-+}
-+
-+static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
-+{
-+    const uint64_t *src = vsrc;
-+    uint64_t *dst = vdst;
-+    size_t i;
-+
-+    for (i = 0; i < len / 8; ++i) {
-+        dst[tile_vslice_index(i)] = src[i];
-+    }
-+}
-+
-+static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
-+{
-+    for (size_t i = 0; i < len; i += 16) {
-+        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
-+    }
-+}
-+
-+/*
-+ * Host and TLB primitives for vertical tile slice addressing.
-+ */
-+
-+#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
-+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
-+{                                                                           \
-+    TYPE val = HOST(host);                                                  \
-+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
-+}                                                                           \
-+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
-+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
-+{                                                                           \
-+    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
-+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
-+}
-+
-+#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
-+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
-+{                                                                           \
-+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
-+    HOST(host, val);                                                        \
-+}                                                                           \
-+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
-+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
-+{                                                                           \
-+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
-+    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
-+}
-+
-+/*
-+ * The ARMVectorReg elements are stored in host-endian 64-bit units.
-+ * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
-+ * corresponds to storing the two 64-bit pieces in little-endian order.
-+ */
-+#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
-+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
-+{                                                                           \
-+    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
-+    uint64_t *ptr = za + off;                                               \
-+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
-+}                                                                           \
-+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
-+{                                                                           \
-+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
-+}                                                                           \
-+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
-+                               target_ulong addr, uintptr_t ra)             \
-+{                                                                           \
-+    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
-+    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
-+    uint64_t *ptr = za + off;                                               \
-+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
-+}                                                                           \
-+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
-+                               target_ulong addr, uintptr_t ra)             \
-+{                                                                           \
-+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
-+}
-+
-+#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
-+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
-+{                                                                           \
-+    uint64_t *ptr = za + off;                                               \
-+    HOST(host, ptr[BE]);                                                    \
-+    HOST(host + 1, ptr[!BE]);                                               \
-+}                                                                           \
-+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
-+{                                                                           \
-+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
-+}                                                                           \
-+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
-+                               target_ulong addr, uintptr_t ra)             \
-+{                                                                           \
-+    uint64_t *ptr = za + off;                                               \
-+    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
-+    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
-+}                                                                           \
-+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
-+                               target_ulong addr, uintptr_t ra)             \
-+{                                                                           \
-+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
-+}
-+
-+DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
-+DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
-+DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
-+DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
-+DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
-+DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
-+DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
-+
-+DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
-+DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
-+
-+DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
-+DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
-+DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
-+DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
-+DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
-+DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
-+DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
-+
-+DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
-+DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
-+
-+#undef DO_LD
-+#undef DO_ST
-+#undef DO_LDQ
-+#undef DO_STQ
-+
-+/*
-+ * Common helper for all contiguous predicated loads.
-+ */
-+
-+static inline QEMU_ALWAYS_INLINE
-+void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
-+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
-+             const int esz, uint32_t mtedesc, bool vertical,
-+             sve_ldst1_host_fn *host_fn,
-+             sve_ldst1_tlb_fn *tlb_fn,
-+             ClearFn *clr_fn,
-+             CopyFn *cpy_fn)
-+{
-+    const intptr_t reg_max = simd_oprsz(desc);
-+    const intptr_t esize = 1 << esz;
-+    intptr_t reg_off, reg_last;
-+    SVEContLdSt info;
-+    void *host;
-+    int flags;
-+
-+    /* Find the active elements.  */
-+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
-+        /* The entire predicate was false; no load occurs.  */
-+        clr_fn(za, 0, reg_max);
-+        return;
-+    }
-+
-+    /* Probe the page(s).  Exit with exception for any invalid page. */
-+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
-+
-+    /* Handle watchpoints for all active elements. */
-+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
-+                              BP_MEM_READ, ra);
-+
-+    /*
-+     * Handle mte checks for all active elements.
-+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
-+     */
-+    if (mtedesc) {
-+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
-+                                mtedesc, ra);
-+    }
-+
-+    flags = info.page[0].flags | info.page[1].flags;
-+    if (unlikely(flags != 0)) {
-+#ifdef CONFIG_USER_ONLY
-+        g_assert_not_reached();
-+#else
-+        /*
-+         * At least one page includes MMIO.
-+         * Any bus operation can fail with cpu_transaction_failed,
-+         * which for ARM will raise SyncExternal.  Perform the load
-+         * into scratch memory to preserve register state until the end.
-+         */
-+        ARMVectorReg scratch = { };
-+
-+        reg_off = info.reg_off_first[0];
-+        reg_last = info.reg_off_last[1];
-+        if (reg_last < 0) {
-+            reg_last = info.reg_off_split;
-+            if (reg_last < 0) {
-+                reg_last = info.reg_off_last[0];
-+            }
-+        }
-+
-+        do {
-+            uint64_t pg = vg[reg_off >> 6];
-+            do {
-+                if ((pg >> (reg_off & 63)) & 1) {
-+                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
-+                }
-+                reg_off += esize;
-+            } while (reg_off & 63);
-+        } while (reg_off <= reg_last);
-+
-+        cpy_fn(za, &scratch, reg_max);
-+        return;
-+#endif
-+    }
-+
-+    /* The entire operation is in RAM, on valid pages. */
-+
-+    reg_off = info.reg_off_first[0];
-+    reg_last = info.reg_off_last[0];
-+    host = info.page[0].host;
-+
-+    if (!vertical) {
-+        memset(za, 0, reg_max);
-+    } else if (reg_off) {
-+        clr_fn(za, 0, reg_off);
-+    }
-+
-+    while (reg_off <= reg_last) {
-+        uint64_t pg = vg[reg_off >> 6];
-+        do {
-+            if ((pg >> (reg_off & 63)) & 1) {
-+                host_fn(za, reg_off, host + reg_off);
-+            } else if (vertical) {
-+                clr_fn(za, reg_off, esize);
-+            }
-+            reg_off += esize;
-+        } while (reg_off <= reg_last && (reg_off & 63));
-+    }
-+
-+    /*
-+     * Use the slow path to manage the cross-page misalignment.
-+     * But we know this is RAM and cannot trap.
-+     */
-+    reg_off = info.reg_off_split;
-+    if (unlikely(reg_off >= 0)) {
-+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
-+    }
-+
-+    reg_off = info.reg_off_first[1];
-+    if (unlikely(reg_off >= 0)) {
-+        reg_last = info.reg_off_last[1];
-+        host = info.page[1].host;
-+
-+        do {
-+            uint64_t pg = vg[reg_off >> 6];
-+            do {
-+                if ((pg >> (reg_off & 63)) & 1) {
-+                    host_fn(za, reg_off, host + reg_off);
-+                } else if (vertical) {
-+                    clr_fn(za, reg_off, esize);
-+                }
-+                reg_off += esize;
-+            } while (reg_off & 63);
-+        } while (reg_off <= reg_last);
-+    }
-+}
-+
-+static inline QEMU_ALWAYS_INLINE
-+void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
-+                 target_ulong addr, uint32_t desc, uintptr_t ra,
-+                 const int esz, bool vertical,
-+                 sve_ldst1_host_fn *host_fn,
-+                 sve_ldst1_tlb_fn *tlb_fn,
-+                 ClearFn *clr_fn,
-+                 CopyFn *cpy_fn)
-+{
-+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-+    int bit55 = extract64(addr, 55, 1);
-+
-+    /* Remove mtedesc from the normal sve descriptor. */
-+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-+
-+    /* Perform gross MTE suppression early. */
-+    if (!tbi_check(desc, bit55) ||
-+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
-+        mtedesc = 0;
-+    }
-+
-+    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
-+            host_fn, tlb_fn, clr_fn, cpy_fn);
-+}
-+
-+#define DO_LD(L, END, ESZ)                                                 \
-+void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
-+                                 target_ulong addr, uint32_t desc)         \
-+{                                                                          \
-+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
-+            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
-+            clear_horizontal, copy_horizontal);                            \
-+}                                                                          \
-+void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
-+                                 target_ulong addr, uint32_t desc)         \
-+{                                                                          \
-+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
-+            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
-+            clear_vertical_##L, copy_vertical_##L);                        \
-+}                                                                          \
-+void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
-+                                     target_ulong addr, uint32_t desc)     \
-+{                                                                          \
-+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
-+                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
-+                clear_horizontal, copy_horizontal);                        \
-+}                                                                          \
-+void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
-+                                     target_ulong addr, uint32_t desc)     \
-+{                                                                          \
-+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
-+                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
-+                clear_vertical_##L, copy_vertical_##L);                    \
-+}
-+
-+DO_LD(b, , MO_8)
-+DO_LD(h, _be, MO_16)
-+DO_LD(h, _le, MO_16)
-+DO_LD(s, _be, MO_32)
-+DO_LD(s, _le, MO_32)
-+DO_LD(d, _be, MO_64)
-+DO_LD(d, _le, MO_64)
-+DO_LD(q, _be, MO_128)
-+DO_LD(q, _le, MO_128)
-+
-+#undef DO_LD
-+
-+/*
-+ * Common helper for all contiguous predicated stores.
-+ */
-+
-+static inline QEMU_ALWAYS_INLINE
-+void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
-+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
-+             const int esz, uint32_t mtedesc, bool vertical,
-+             sve_ldst1_host_fn *host_fn,
-+             sve_ldst1_tlb_fn *tlb_fn)
-+{
-+    const intptr_t reg_max = simd_oprsz(desc);
-+    const intptr_t esize = 1 << esz;
-+    intptr_t reg_off, reg_last;
-+    SVEContLdSt info;
-+    void *host;
-+    int flags;
-+
-+    /* Find the active elements.  */
-+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
-+        /* The entire predicate was false; no store occurs.  */
-+        return;
-+    }
-+
-+    /* Probe the page(s).  Exit with exception for any invalid page. */
-+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
-+
-+    /* Handle watchpoints for all active elements. */
-+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
-+                              BP_MEM_WRITE, ra);
-+
-+    /*
-+     * Handle mte checks for all active elements.
-+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
-+     */
-+    if (mtedesc) {
-+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
-+                                mtedesc, ra);
-+    }
-+
-+    flags = info.page[0].flags | info.page[1].flags;
-+    if (unlikely(flags != 0)) {
-+#ifdef CONFIG_USER_ONLY
-+        g_assert_not_reached();
-+#else
-+        /*
-+         * At least one page includes MMIO.
-+         * Any bus operation can fail with cpu_transaction_failed,
-+         * which for ARM will raise SyncExternal.  We cannot avoid
-+         * this fault and will leave with the store incomplete.
-+         */
-+        reg_off = info.reg_off_first[0];
-+        reg_last = info.reg_off_last[1];
-+        if (reg_last < 0) {
-+            reg_last = info.reg_off_split;
-+            if (reg_last < 0) {
-+                reg_last = info.reg_off_last[0];
-+            }
-+        }
-+
-+        do {
-+            uint64_t pg = vg[reg_off >> 6];
-+            do {
-+                if ((pg >> (reg_off & 63)) & 1) {
-+                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
-+                }
-+                reg_off += esize;
-+            } while (reg_off & 63);
-+        } while (reg_off <= reg_last);
-+        return;
-+#endif
-+    }
-+
-+    reg_off = info.reg_off_first[0];
-+    reg_last = info.reg_off_last[0];
-+    host = info.page[0].host;
-+
-+    while (reg_off <= reg_last) {
-+        uint64_t pg = vg[reg_off >> 6];
-+        do {
-+            if ((pg >> (reg_off & 63)) & 1) {
-+                host_fn(za, reg_off, host + reg_off);
-+            }
-+            reg_off += 1 << esz;
-+        } while (reg_off <= reg_last && (reg_off & 63));
-+    }
-+
-+    /*
-+     * Use the slow path to manage the cross-page misalignment.
-+     * But we know this is RAM and cannot trap.
-+     */
-+    reg_off = info.reg_off_split;
-+    if (unlikely(reg_off >= 0)) {
-+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
-+    }
-+
-+    reg_off = info.reg_off_first[1];
-+    if (unlikely(reg_off >= 0)) {
-+        reg_last = info.reg_off_last[1];
-+        host = info.page[1].host;
-+
-+        do {
-+            uint64_t pg = vg[reg_off >> 6];
-+            do {
-+                if ((pg >> (reg_off & 63)) & 1) {
-+                    host_fn(za, reg_off, host + reg_off);
-+                }
-+                reg_off += 1 << esz;
-+            } while (reg_off & 63);
-+        } while (reg_off <= reg_last);
-+    }
-+}
-+
-+static inline QEMU_ALWAYS_INLINE
-+void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
-+                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
-+                 sve_ldst1_host_fn *host_fn,
-+                 sve_ldst1_tlb_fn *tlb_fn)
-+{
-+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-+    int bit55 = extract64(addr, 55, 1);
-+
-+    /* Remove mtedesc from the normal sve descriptor. */
-+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
-+
-+    /* Perform gross MTE suppression early. */
-+    if (!tbi_check(desc, bit55) ||
-+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
-+        mtedesc = 0;
-+    }
-+
-+    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
-+            vertical, host_fn, tlb_fn);
-+}
-+
-+#define DO_ST(L, END, ESZ)                                                 \
-+void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
-+                                 target_ulong addr, uint32_t desc)         \
-+{                                                                          \
-+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
-+            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
-+}                                                                          \
-+void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
-+                                 target_ulong addr, uint32_t desc)         \
-+{                                                                          \
-+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
-+            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
-+}                                                                          \
-+void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
-+                                     target_ulong addr, uint32_t desc)     \
-+{                                                                          \
-+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
-+                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
-+}                                                                          \
-+void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
-+                                     target_ulong addr, uint32_t desc)     \
-+{                                                                          \
-+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
-+                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
-+}
-+
-+DO_ST(b, , MO_8)
-+DO_ST(h, _be, MO_16)
-+DO_ST(h, _le, MO_16)
-+DO_ST(s, _be, MO_32)
-+DO_ST(s, _le, MO_32)
-+DO_ST(d, _be, MO_64)
-+DO_ST(d, _le, MO_64)
-+DO_ST(q, _be, MO_128)
-+DO_ST(q, _le, MO_128)
-+
-+#undef DO_ST
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
-     return true;
- }
-+
-+static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
-+{
-+    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
-+
-+    /*
-+     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
-+     * also the order in which the elements appear in the function names,
-+     * and so how we must concatenate the pieces.
-+     */
-+
-+#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
-+#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
-+#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
-+#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
-+
-+    static GenLdSt1 * const fns[5][2][2][2][2] = {
-+        FN_END(b, b),
-+        FN_END(h_le, h_be),
-+        FN_END(s_le, s_be),
-+        FN_END(d_le, d_be),
-+        FN_END(q_le, q_be),
-+    };
-+
-+#undef FN_LS
-+#undef FN_MTE
-+#undef FN_HV
-+#undef FN_END
-+
-+    TCGv_ptr t_za, t_pg;
-+    TCGv_i64 addr;
-+    int svl, desc = 0;
-+    bool be = s->be_data == MO_BE;
-+    bool mte = s->mte_active[0];
-+
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
-+    t_pg = pred_full_reg_ptr(s, a->pg);
-+    addr = tcg_temp_new_i64();
-+
-+    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
-+    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
-+
-+    if (mte) {
-+        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
-+        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
-+        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
-+        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
-+        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
-+        desc <<= SVE_MTEDESC_SHIFT;
-+    } else {
-+        addr = clean_data_tbi(s, addr);
-+    }
-+    svl = streaming_vec_reg_size(s);
-+    desc = simd_desc(svl, svl, desc);
-+
-+    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
-+                                      tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(t_za);
-+    tcg_temp_free_ptr(t_pg);
-+    tcg_temp_free_i64(addr);
-+    return true;
-+}
---
-.25.1

-[PULL 22/45] target/arm: Implement SME LDR, STR
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-We can reuse the SVE functions for LDR and STR, passing in the
-base of the ZA vector and a zero offset.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sme.decode      |  7 +++++++
- target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
-files changed, 31 insertions(+)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-                 &ldst rs=%mova_rs
- LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
-                 &ldst esz=4 rs=%mova_rs
-+
-+&ldstr          rv rn imm
-+@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
-+                &ldstr rv=%mova_rs
-+
-+LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
-+STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
-     tcg_temp_free_i64(addr);
-     return true;
- }
-+
-+typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
-+
-+static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    int imm = a->imm;
-+    TCGv_ptr base;
-+
-+    if (!sme_za_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* ZA[n] equates to ZA0H.B[n]. */
-+    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
-+
-+    fn(s, base, 0, svl, a->rn, imm * svl);
-+
-+    tcg_temp_free_ptr(base);
-+    return true;
-+}
-+
-+TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
-+TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
---
-.25.1

-[PULL 23/45] target/arm: Implement SME ADDHA, ADDVA
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  5 +++
- target/arm/sme.decode      | 11 +++++
- target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 31 +++++++++++++
-files changed, 137 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i
- DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
- DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
- DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
-+
-+DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
- LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
- STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
-+
-+### SME Add Vector to Array
-+
-+&adda           zad zn pm pn
-+@adda_32        ........ .. ..... . pm:3 pn:3 zn:5 ... zad:2    &adda
-+@adda_64        ........ .. ..... . pm:3 pn:3 zn:5 ..  zad:3    &adda
-+
-+ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
-+ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
-+ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
-+ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ DO_ST(q, _be, MO_128)
- DO_ST(q, _le, MO_128)
- #undef DO_ST
-+
-+void HELPER(sme_addha_s)(void *vzda, void *vzn, void *vpn,
-+                         void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
-+    uint64_t *pn = vpn, *pm = vpm;
-+    uint32_t *zda = vzda, *zn = vzn;
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint64_t pa = pn[row >> 4];
-+        do {
-+            if (pa & 1) {
-+                for (col = 0; col < oprsz; ) {
-+                    uint64_t pb = pm[col >> 4];
-+                    do {
-+                        if (pb & 1) {
-+                            zda[tile_vslice_index(row) + H4(col)] += zn[H4(col)];
-+                        }
-+                        pb >>= 4;
-+                    } while (++col & 15);
-+                }
-+            }
-+            pa >>= 4;
-+        } while (++row & 15);
-+    }
-+}
-+
-+void HELPER(sme_addha_d)(void *vzda, void *vzn, void *vpn,
-+                         void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    uint8_t *pn = vpn, *pm = vpm;
-+    uint64_t *zda = vzda, *zn = vzn;
-+
-+    for (row = 0; row < oprsz; ++row) {
-+        if (pn[H1(row)] & 1) {
-+            for (col = 0; col < oprsz; ++col) {
-+                if (pm[H1(col)] & 1) {
-+                    zda[tile_vslice_index(row) + col] += zn[col];
-+                }
-+            }
-+        }
-+    }
-+}
-+
-+void HELPER(sme_addva_s)(void *vzda, void *vzn, void *vpn,
-+                         void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 4;
-+    uint64_t *pn = vpn, *pm = vpm;
-+    uint32_t *zda = vzda, *zn = vzn;
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint64_t pa = pn[row >> 4];
-+        do {
-+            if (pa & 1) {
-+                uint32_t zn_row = zn[H4(row)];
-+                for (col = 0; col < oprsz; ) {
-+                    uint64_t pb = pm[col >> 4];
-+                    do {
-+                        if (pb & 1) {
-+                            zda[tile_vslice_index(row) + H4(col)] += zn_row;
-+                        }
-+                        pb >>= 4;
-+                    } while (++col & 15);
-+                }
-+            }
-+            pa >>= 4;
-+        } while (++row & 15);
-+    }
-+}
-+
-+void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
-+                         void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    uint8_t *pn = vpn, *pm = vpm;
-+    uint64_t *zda = vzda, *zn = vzn;
-+
-+    for (row = 0; row < oprsz; ++row) {
-+        if (pn[H1(row)] & 1) {
-+            uint64_t zn_row = zn[row];
-+            for (col = 0; col < oprsz; ++col) {
-+                if (pm[H1(col)] & 1) {
-+                    zda[tile_vslice_index(row) + col] += zn_row;
-+                }
-+            }
-+        }
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
- TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
- TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
-+
-+static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,
-+                    gen_helper_gvec_4 *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    uint32_t desc = simd_desc(svl, svl, 0);
-+    TCGv_ptr za, zn, pn, pm;
-+
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* Sum XZR+zad to find ZAd. */
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+    zn = vec_full_reg_ptr(s, a->zn);
-+    pn = pred_full_reg_ptr(s, a->pn);
-+    pm = pred_full_reg_ptr(s, a->pm);
-+
-+    fn(za, zn, pn, pm, tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(za);
-+    tcg_temp_free_ptr(zn);
-+    tcg_temp_free_ptr(pn);
-+    tcg_temp_free_ptr(pm);
-+    return true;
-+}
-+
-+TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
-+TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
-+TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
-+TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
---
-.25.1

-[PULL 24/45] target/arm: Implement FMOPA, FMOPS (non-widening)
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  5 +++
- target/arm/sme.decode      |  9 +++++
- target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 32 ++++++++++++++++++
-files changed, 115 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_5(sme_addha_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addva_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addha_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_5(sme_addva_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
-+
-+DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ ADDHA_s         11000000 10 01000 0 ... ... ..... 000 ..        @adda_32
- ADDVA_s         11000000 10 01000 1 ... ... ..... 000 ..        @adda_32
- ADDHA_d         11000000 11 01000 0 ... ... ..... 00 ...        @adda_64
- ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
-+
-+### SME Outer Product
-+
-+&op             zad zn zm pm pn sub:bool
-+@op_32          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .. zad:2 &op
-+@op_64          ........ ... zm:5 pm:3 pn:3 zn:5 sub:1 .  zad:3 &op
-+
-+FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
-+FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@
- #include "exec/cpu_ldst.h"
- #include "exec/exec-all.h"
- #include "qemu/int128.h"
-+#include "fpu/softfloat.h"
- #include "vec_internal.h"
- #include "sve_ldst_internal.h"
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_addva_d)(void *vzda, void *vzn, void *vpn,
-         }
-     }
- }
-+
-+void HELPER(sme_fmopa_s)(void *vza, void *vzn, void *vzm, void *vpn,
-+                         void *vpm, void *vst, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    uint32_t neg = simd_data(desc) << 31;
-+    uint16_t *pn = vpn, *pm = vpm;
-+    float_status fpst;
-+
-+    /*
-+     * Make a copy of float_status because this operation does not
-+     * update the cumulative fp exception status.  It also produces
-+     * default nans.
-+     */
-+    fpst = *(float_status *)vst;
-+    set_default_nan_mode(true, &fpst);
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint16_t pa = pn[H2(row >> 4)];
-+        do {
-+            if (pa & 1) {
-+                void *vza_row = vza + tile_vslice_offset(row);
-+                uint32_t n = *(uint32_t *)(vzn + H1_4(row)) ^ neg;
-+
-+                for (col = 0; col < oprsz; ) {
-+                    uint16_t pb = pm[H2(col >> 4)];
-+                    do {
-+                        if (pb & 1) {
-+                            uint32_t *a = vza_row + H1_4(col);
-+                            uint32_t *m = vzm + H1_4(col);
-+                            *a = float32_muladd(n, *m, *a, 0, vst);
-+                        }
-+                        col += 4;
-+                        pb >>= 4;
-+                    } while (col & 15);
-+                }
-+            }
-+            row += 4;
-+            pa >>= 4;
-+        } while (row & 15);
-+    }
-+}
-+
-+void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
-+                         void *vpm, void *vst, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    uint64_t neg = (uint64_t)simd_data(desc) << 63;
-+    uint64_t *za = vza, *zn = vzn, *zm = vzm;
-+    uint8_t *pn = vpn, *pm = vpm;
-+    float_status fpst = *(float_status *)vst;
-+
-+    set_default_nan_mode(true, &fpst);
-+
-+    for (row = 0; row < oprsz; ++row) {
-+        if (pn[H1(row)] & 1) {
-+            uint64_t *za_row = &za[tile_vslice_index(row)];
-+            uint64_t n = zn[row] ^ neg;
-+
-+            for (col = 0; col < oprsz; ++col) {
-+                if (pm[H1(col)] & 1) {
-+                    uint64_t *a = &za_row[col];
-+                    *a = float64_muladd(n, zm[col], *a, 0, &fpst);
-+                }
-+            }
-+        }
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDHA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addha_s)
- TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
- TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
- TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
-+
-+static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-+                            gen_helper_gvec_5_ptr *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    uint32_t desc = simd_desc(svl, svl, a->sub);
-+    TCGv_ptr za, zn, zm, pn, pm, fpst;
-+
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* Sum XZR+zad to find ZAd. */
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+    zn = vec_full_reg_ptr(s, a->zn);
-+    zm = vec_full_reg_ptr(s, a->zm);
-+    pn = pred_full_reg_ptr(s, a->pn);
-+    pm = pred_full_reg_ptr(s, a->pm);
-+    fpst = fpstatus_ptr(FPST_FPCR);
-+
-+    fn(za, zn, zm, pn, pm, fpst, tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(za);
-+    tcg_temp_free_ptr(zn);
-+    tcg_temp_free_ptr(pn);
-+    tcg_temp_free_ptr(pm);
-+    tcg_temp_free_ptr(fpst);
-+    return true;
-+}
-+
-+TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
-+TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
---
-.25.1

-[PULL 25/45] target/arm: Implement BFMOPA, BFMOPS
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    |  2 ++
- target/arm/sme.decode      |  2 ++
- target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 30 ++++++++++++++++++++
-files changed, 90 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_s, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ ADDVA_d         11000000 11 01000 1 ... ... ..... 00 ...        @adda_64
- FMOPA_s         10000000 100 ..... ... ... ..... . 00 ..        @op_32
- FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
-+
-+BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_fmopa_d)(void *vza, void *vzn, void *vzm, void *vpn,
-         }
-     }
- }
-+
-+/*
-+ * Alter PAIR as needed for controlling predicates being false,
-+ * and for NEG on an enabled row element.
-+ */
-+static inline uint32_t f16mop_adj_pair(uint32_t pair, uint32_t pg, uint32_t neg)
-+{
-+    /*
-+     * The pseudocode uses a conditional negate after the conditional zero.
-+     * It is simpler here to unconditionally negate before conditional zero.
-+     */
-+    pair ^= neg;
-+    if (!(pg & 1)) {
-+        pair &= 0xffff0000u;
-+    }
-+    if (!(pg & 4)) {
-+        pair &= 0x0000ffffu;
-+    }
-+    return pair;
-+}
-+
-+void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
-+                        void *vpm, uint32_t desc)
-+{
-+    intptr_t row, col, oprsz = simd_maxsz(desc);
-+    uint32_t neg = simd_data(desc) * 0x80008000u;
-+    uint16_t *pn = vpn, *pm = vpm;
-+
-+    for (row = 0; row < oprsz; ) {
-+        uint16_t prow = pn[H2(row >> 4)];
-+        do {
-+            void *vza_row = vza + tile_vslice_offset(row);
-+            uint32_t n = *(uint32_t *)(vzn + H1_4(row));
-+
-+            n = f16mop_adj_pair(n, prow, neg);
-+
-+            for (col = 0; col < oprsz; ) {
-+                uint16_t pcol = pm[H2(col >> 4)];
-+                do {
-+                    if (prow & pcol & 0b0101) {
-+                        uint32_t *a = vza_row + H1_4(col);
-+                        uint32_t m = *(uint32_t *)(vzm + H1_4(col));
-+
-+                        m = f16mop_adj_pair(m, pcol, 0);
-+                        *a = bfdotadd(*a, n, m);
-+
-+                        col += 4;
-+                        pcol >>= 4;
-+                    }
-+                } while (col & 15);
-+            }
-+            row += 4;
-+            prow >>= 4;
-+        } while (row & 15);
-+    }
-+}
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(ADDVA_s, aa64_sme, do_adda, a, MO_32, gen_helper_sme_addva_s)
- TRANS_FEAT(ADDHA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addha_d)
- TRANS_FEAT(ADDVA_d, aa64_sme_i16i64, do_adda, a, MO_64, gen_helper_sme_addva_d)
-+static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,
-+                       gen_helper_gvec_5 *fn)
-+{
-+    int svl = streaming_vec_reg_size(s);
-+    uint32_t desc = simd_desc(svl, svl, a->sub);
-+    TCGv_ptr za, zn, zm, pn, pm;
-+
-+    if (!sme_smza_enabled_check(s)) {
-+        return true;
-+    }
-+
-+    /* Sum XZR+zad to find ZAd. */
-+    za = get_tile_rowcol(s, esz, 31, a->zad, false);
-+    zn = vec_full_reg_ptr(s, a->zn);
-+    zm = vec_full_reg_ptr(s, a->zm);
-+    pn = pred_full_reg_ptr(s, a->pn);
-+    pm = pred_full_reg_ptr(s, a->pm);
-+
-+    fn(za, zn, zm, pn, pm, tcg_constant_i32(desc));
-+
-+    tcg_temp_free_ptr(za);
-+    tcg_temp_free_ptr(zn);
-+    tcg_temp_free_ptr(pn);
-+    tcg_temp_free_ptr(pm);
-+    return true;
-+}
-+
- static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
-                             gen_helper_gvec_5_ptr *fn)
- {
-@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,
- TRANS_FEAT(FMOPA_s, aa64_sme, do_outprod_fpst, a, MO_32, gen_helper_sme_fmopa_s)
- TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_fmopa_d)
-+
-+/* TODO: FEAT_EBF16 */
-+TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
---
-.25.1

-[PULL 27/45] target/arm: Implement SME integer outer product
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper-sme.h    | 16 ++++++++
- target/arm/sme.decode      | 10 +++++
- target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
- target/arm/translate-sme.c | 10 +++++
-files changed, 118 insertions(+)
-diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper-sme.h
-+++ b/target/arm/helper-sme.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_7(sme_fmopa_d, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, ptr, i32)
- DEF_HELPER_FLAGS_6(sme_bfmopa, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_smopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_umopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_sumopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_usmopa_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_smopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_umopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_sumopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_6(sme_usmopa_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, ptr, i32)
-diff --git a/target/arm/sme.decode b/target/arm/sme.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme.decode
-+++ b/target/arm/sme.decode
-@@ -XXX,XX +XXX,XX @@ FMOPA_d         10000000 110 ..... ... ... ..... . 0 ...        @op_64
- BFMOPA          10000001 100 ..... ... ... ..... . 00 ..        @op_32
- FMOPA_h         10000001 101 ..... ... ... ..... . 00 ..        @op_32
-+
-+SMOPA_s         1010000 0 10 0 ..... ... ... ..... . 00 ..      @op_32
-+SUMOPA_s        1010000 0 10 1 ..... ... ... ..... . 00 ..      @op_32
-+USMOPA_s        1010000 1 10 0 ..... ... ... ..... . 00 ..      @op_32
-+UMOPA_s         1010000 1 10 1 ..... ... ... ..... . 00 ..      @op_32
-+
-+SMOPA_d         1010000 0 11 0 ..... ... ... ..... . 0 ...      @op_64
-+SUMOPA_d        1010000 0 11 1 ..... ... ... ..... . 0 ...      @op_64
-+USMOPA_d        1010000 1 11 0 ..... ... ... ..... . 0 ...      @op_64
-+UMOPA_d         1010000 1 11 1 ..... ... ... ..... . 0 ...      @op_64
-diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sme_helper.c
-+++ b/target/arm/sme_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(sme_bfmopa)(void *vza, void *vzn, void *vzm, void *vpn,
-         } while (row & 15);
-     }
- }
-+
-+typedef uint64_t IMOPFn(uint64_t, uint64_t, uint64_t, uint8_t, bool);
-+
-+static inline void do_imopa(uint64_t *za, uint64_t *zn, uint64_t *zm,
-+                            uint8_t *pn, uint8_t *pm,
-+                            uint32_t desc, IMOPFn *fn)
-+{
-+    intptr_t row, col, oprsz = simd_oprsz(desc) / 8;
-+    bool neg = simd_data(desc);
-+
-+    for (row = 0; row < oprsz; ++row) {
-+        uint8_t pa = pn[H1(row)];
-+        uint64_t *za_row = &za[tile_vslice_index(row)];
-+        uint64_t n = zn[row];
-+
-+        for (col = 0; col < oprsz; ++col) {
-+            uint8_t pb = pm[H1(col)];
-+            uint64_t *a = &za_row[col];
-+
-+            *a = fn(n, zm[col], *a, pa & pb, neg);
-+        }
-+    }
-+}
-+
-+#define DEF_IMOP_32(NAME, NTYPE, MTYPE) \
-+static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
-+{                                                                           \
-+    uint32_t sum0 = 0, sum1 = 0;                                            \
-+    /* Apply P to N as a mask, making the inactive elements 0. */           \
-+    n &= expand_pred_b(p);                                                  \
-+    sum0 += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                              \
-+    sum0 += (NTYPE)(n >> 8) * (MTYPE)(m >> 8);                              \
-+    sum0 += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                            \
-+    sum0 += (NTYPE)(n >> 24) * (MTYPE)(m >> 24);                            \
-+    sum1 += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                            \
-+    sum1 += (NTYPE)(n >> 40) * (MTYPE)(m >> 40);                            \
-+    sum1 += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                            \
-+    sum1 += (NTYPE)(n >> 56) * (MTYPE)(m >> 56);                            \
-+    if (neg) {                                                              \
-+        sum0 = (uint32_t)a - sum0, sum1 = (uint32_t)(a >> 32) - sum1;       \
-+    } else {                                                                \
-+        sum0 = (uint32_t)a + sum0, sum1 = (uint32_t)(a >> 32) + sum1;       \
-+    }                                                                       \
-+    return ((uint64_t)sum1 << 32) | sum0;                                   \
-+}
-+
-+#define DEF_IMOP_64(NAME, NTYPE, MTYPE) \
-+static uint64_t NAME(uint64_t n, uint64_t m, uint64_t a, uint8_t p, bool neg) \
-+{                                                                           \
-+    uint64_t sum = 0;                                                       \
-+    /* Apply P to N as a mask, making the inactive elements 0. */           \
-+    n &= expand_pred_h(p);                                                  \
-+    sum += (NTYPE)(n >> 0) * (MTYPE)(m >> 0);                               \
-+    sum += (NTYPE)(n >> 16) * (MTYPE)(m >> 16);                             \
-+    sum += (NTYPE)(n >> 32) * (MTYPE)(m >> 32);                             \
-+    sum += (NTYPE)(n >> 48) * (MTYPE)(m >> 48);                             \
-+    return neg ? a - sum : a + sum;                                         \
-+}
-+
-+DEF_IMOP_32(smopa_s, int8_t, int8_t)
-+DEF_IMOP_32(umopa_s, uint8_t, uint8_t)
-+DEF_IMOP_32(sumopa_s, int8_t, uint8_t)
-+DEF_IMOP_32(usmopa_s, uint8_t, int8_t)
-+
-+DEF_IMOP_64(smopa_d, int16_t, int16_t)
-+DEF_IMOP_64(umopa_d, uint16_t, uint16_t)
-+DEF_IMOP_64(sumopa_d, int16_t, uint16_t)
-+DEF_IMOP_64(usmopa_d, uint16_t, int16_t)
-+
-+#define DEF_IMOPH(NAME) \
-+    void HELPER(sme_##NAME)(void *vza, void *vzn, void *vzm, void *vpn,      \
-+                            void *vpm, uint32_t desc)                        \
-+    { do_imopa(vza, vzn, vzm, vpn, vpm, desc, NAME); }
-+
-+DEF_IMOPH(smopa_s)
-+DEF_IMOPH(umopa_s)
-+DEF_IMOPH(sumopa_s)
-+DEF_IMOPH(usmopa_s)
-+DEF_IMOPH(smopa_d)
-+DEF_IMOPH(umopa_d)
-+DEF_IMOPH(sumopa_d)
-+DEF_IMOPH(usmopa_d)
-diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sme.c
-+++ b/target/arm/translate-sme.c
-@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(FMOPA_d, aa64_sme_f64f64, do_outprod_fpst, a, MO_64, gen_helper_sme_f
- /* TODO: FEAT_EBF16 */
- TRANS_FEAT(BFMOPA, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_bfmopa)
-+
-+TRANS_FEAT(SMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_smopa_s)
-+TRANS_FEAT(UMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_umopa_s)
-+TRANS_FEAT(SUMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_sumopa_s)
-+TRANS_FEAT(USMOPA_s, aa64_sme, do_outprod, a, MO_32, gen_helper_sme_usmopa_s)
-+
-+TRANS_FEAT(SMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_smopa_d)
-+TRANS_FEAT(UMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_umopa_d)
-+TRANS_FEAT(SUMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_sumopa_d)
-+TRANS_FEAT(USMOPA_d, aa64_sme_i16i64, do_outprod, a, MO_64, gen_helper_sme_usmopa_d)
---
-.25.1

-[PULL 28/45] target/arm: Implement PSEL
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This is an SVE instruction that operates using the SVE vector
-length but that it is present only if SME is implemented.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/sve.decode      | 20 +++++++++++++
- target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
-files changed, 77 insertions(+)
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
- ### SVE2 floating-point bfloat16 dot-product (indexed)
- BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
-+
-+### SVE broadcast predicate element
-+
-+&psel           esz pd pn pm rv imm
-+%psel_rv        16:2 !function=plus_12
-+%psel_imm_b     22:2 19:2
-+%psel_imm_h     22:2 20:1
-+%psel_imm_s     22:2
-+%psel_imm_d     23:1
-+@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
-+                &psel rv=%psel_rv
-+
-+PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=0 imm=%psel_imm_b
-+PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=1 imm=%psel_imm_h
-+PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=2 imm=%psel_imm_s
-+PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
-+                @psel esz=3 imm=%psel_imm_d
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
- TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
- TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
-+
-+static bool trans_PSEL(DisasContext *s, arg_psel *a)
-+{
-+    int vl = vec_full_reg_size(s);
-+    int pl = pred_gvec_reg_size(s);
-+    int elements = vl >> a->esz;
-+    TCGv_i64 tmp, didx, dbit;
-+    TCGv_ptr ptr;
-+
-+    if (!dc_isar_feature(aa64_sme, s)) {
-+        return false;
-+    }
-+    if (!sve_access_check(s)) {
-+        return true;
-+    }
-+
-+    tmp = tcg_temp_new_i64();
-+    dbit = tcg_temp_new_i64();
-+    didx = tcg_temp_new_i64();
-+    ptr = tcg_temp_new_ptr();
-+
-+    /* Compute the predicate element. */
-+    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
-+    if (is_power_of_2(elements)) {
-+        tcg_gen_andi_i64(tmp, tmp, elements - 1);
-+    } else {
-+        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
-+    }
-+
-+    /* Extract the predicate byte and bit indices. */
-+    tcg_gen_shli_i64(tmp, tmp, a->esz);
-+    tcg_gen_andi_i64(dbit, tmp, 7);
-+    tcg_gen_shri_i64(didx, tmp, 3);
-+    if (HOST_BIG_ENDIAN) {
-+        tcg_gen_xori_i64(didx, didx, 7);
-+    }
-+
-+    /* Load the predicate word. */
-+    tcg_gen_trunc_i64_ptr(ptr, didx);
-+    tcg_gen_add_ptr(ptr, ptr, cpu_env);
-+    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
-+
-+    /* Extract the predicate bit and replicate to MO_64. */
-+    tcg_gen_shr_i64(tmp, tmp, dbit);
-+    tcg_gen_andi_i64(tmp, tmp, 1);
-+    tcg_gen_neg_i64(tmp, tmp);
-+
-+    /* Apply to either copy the source, or write zeros. */
-+    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
-+                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
-+
-+    tcg_temp_free_i64(tmp);
-+    tcg_temp_free_i64(dbit);
-+    tcg_temp_free_i64(didx);
-+    tcg_temp_free_ptr(ptr);
-+    return true;
-+}
---
-.25.1

-[PULL 30/45] target/arm: Implement SCLAMP, UCLAMP
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-This is an SVE instruction that operates using the SVE vector
-length but that it is present only if SME is implemented.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- target/arm/helper.h        |  18 +++++++
- target/arm/sve.decode      |   5 ++
- target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
- target/arm/vec_helper.c    |  24 +++++++++
-files changed, 149 insertions(+)
-diff --git a/target/arm/helper.h b/target/arm/helper.h
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/helper.h
-+++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
- DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
-                    void, ptr, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+
-+DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
-+                   void, ptr, ptr, ptr, ptr, i32)
-+
- #ifdef TARGET_AARCH64
- #include "helper-a64.h"
- #include "helper-sve.h"
-diff --git a/target/arm/sve.decode b/target/arm/sve.decode
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/sve.decode
-+++ b/target/arm/sve.decode
-@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
-                 @psel esz=2 imm=%psel_imm_s
- PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
-                 @psel esz=3 imm=%psel_imm_d
-+
-+### SVE clamp
-+
-+SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
-+UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
-diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-sve.c
-+++ b/target/arm/translate-sve.c
-@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
-     tcg_temp_free_ptr(ptr);
-     return true;
- }
-+
-+static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
-+{
-+    tcg_gen_smax_i32(d, a, n);
-+    tcg_gen_smin_i32(d, d, m);
-+}
-+
-+static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
-+{
-+    tcg_gen_smax_i64(d, a, n);
-+    tcg_gen_smin_i64(d, d, m);
-+}
-+
-+static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
-+                           TCGv_vec m, TCGv_vec a)
-+{
-+    tcg_gen_smax_vec(vece, d, a, n);
-+    tcg_gen_smin_vec(vece, d, d, m);
-+}
-+
-+static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
-+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
-+{
-+    static const TCGOpcode vecop[] = {
-+        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
-+    };
-+    static const GVecGen4 ops[4] = {
-+        { .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_b,
-+          .opt_opc = vecop,
-+          .vece = MO_8 },
-+        { .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_h,
-+          .opt_opc = vecop,
-+          .vece = MO_16 },
-+        { .fni4 = gen_sclamp_i32,
-+          .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_s,
-+          .opt_opc = vecop,
-+          .vece = MO_32 },
-+        { .fni8 = gen_sclamp_i64,
-+          .fniv = gen_sclamp_vec,
-+          .fno  = gen_helper_gvec_sclamp_d,
-+          .opt_opc = vecop,
-+          .vece = MO_64,
-+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
-+    };
-+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
-+}
-+
-+TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
-+
-+static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
-+{
-+    tcg_gen_umax_i32(d, a, n);
-+    tcg_gen_umin_i32(d, d, m);
-+}
-+
-+static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
-+{
-+    tcg_gen_umax_i64(d, a, n);
-+    tcg_gen_umin_i64(d, d, m);
-+}
-+
-+static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
-+                           TCGv_vec m, TCGv_vec a)
-+{
-+    tcg_gen_umax_vec(vece, d, a, n);
-+    tcg_gen_umin_vec(vece, d, d, m);
-+}
-+
-+static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
-+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
-+{
-+    static const TCGOpcode vecop[] = {
-+        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
-+    };
-+    static const GVecGen4 ops[4] = {
-+        { .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_b,
-+          .opt_opc = vecop,
-+          .vece = MO_8 },
-+        { .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_h,
-+          .opt_opc = vecop,
-+          .vece = MO_16 },
-+        { .fni4 = gen_uclamp_i32,
-+          .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_s,
-+          .opt_opc = vecop,
-+          .vece = MO_32 },
-+        { .fni8 = gen_uclamp_i64,
-+          .fniv = gen_uclamp_vec,
-+          .fno  = gen_helper_gvec_uclamp_d,
-+          .opt_opc = vecop,
-+          .vece = MO_64,
-+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
-+    };
-+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
-+}
-+
-+TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
-diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/vec_helper.c
-+++ b/target/arm/vec_helper.c
-@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
-     }
-     clear_tail(d, opr_sz, simd_maxsz(desc));
- }
-+
-+#define DO_CLAMP(NAME, TYPE) \
-+void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
-+{                                                                       \
-+    intptr_t i, opr_sz = simd_oprsz(desc);                              \
-+    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
-+        TYPE aa = *(TYPE *)(a + i);                                     \
-+        TYPE nn = *(TYPE *)(n + i);                                     \
-+        TYPE mm = *(TYPE *)(m + i);                                     \
-+        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
-+        *(TYPE *)(d + i) = dd;                                          \
-+    }                                                                   \
-+    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
-+}
-+
-+DO_CLAMP(gvec_sclamp_b, int8_t)
-+DO_CLAMP(gvec_sclamp_h, int16_t)
-+DO_CLAMP(gvec_sclamp_s, int32_t)
-+DO_CLAMP(gvec_sclamp_d, int64_t)
-+
-+DO_CLAMP(gvec_uclamp_b, uint8_t)
-+DO_CLAMP(gvec_uclamp_h, uint16_t)
-+DO_CLAMP(gvec_uclamp_s, uint32_t)
-+DO_CLAMP(gvec_uclamp_d, uint64_t)
---
-.25.1

-[PULL 32/45] target/arm: Enable SME for -cpu max
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Note that SME remains effectively disabled for user-only,
-because we do not yet set CPACR_EL1.SMEN.  This needs to
-wait until the kernel ABI is implemented.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- docs/system/arm/emulation.rst |  4 ++++
- target/arm/cpu64.c            | 11 +++++++++++
-files changed, 15 insertions(+)
-diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
-index XXXXXXX..XXXXXXX 100644
---- a/docs/system/arm/emulation.rst
-+++ b/docs/system/arm/emulation.rst
-@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
- - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
- - FEAT_SM3 (Advanced SIMD SM3 instructions)
- - FEAT_SM4 (Advanced SIMD SM4 instructions)
-+- FEAT_SME (Scalable Matrix Extension)
-+- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
-+- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
-+- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
- - FEAT_SPECRES (Speculation restriction instructions)
- - FEAT_SSBS (Speculative Store Bypass Safe)
- - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
-diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/arm/cpu64.c
-+++ b/target/arm/cpu64.c
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-      */
-     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
-     t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
-+    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
-     t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
-     cpu->isar.id_aa64pfr1 = t;
-@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
-     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
-     cpu->isar.id_aa64dfr0 = t;
-+    t = cpu->isar.id_aa64smfr0;
-+    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
-+    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
-+    cpu->isar.id_aa64smfr0 = t;
-+
-     /* Replicate the same data to the 32-bit id registers.  */
-     aa32_max_features(cpu);
---
-.25.1

-[PULL 33/45] linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
+Deleted patch
-From: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
-Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
----
- linux-user/aarch64/target_cpu.h | 5 ++++-
-file changed, 4 insertions(+), 1 deletion(-)
-diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/target_cpu.h
-+++ b/linux-user/aarch64/target_cpu.h
-@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
- static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
- {
--    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
-+    /*
-+     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
-      * different from AArch32 Linux, which uses TPIDRRO.
-      */
-     env->cp15.tpidr_el[0] = newtls;
-+    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
-+    env->cp15.tpidr2_el0 = 0;
- }
- static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
---
-.25.1

-[PULL 35/45] linux-user/aarch64: Add SM bit to SVE signal context
+[PULL 20/21] target/rx: Set exception vector base to 0xffffff80
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Keith Packard <keithp@keithp.com>
-Make sure to zero the currently reserved fields.
+The documentation says the vector is at 0xffffff80, instead of the
 previous value of 0xffffffc0. That value must have been a bug because
 the standard vector values (20, 21, 23, 25, 30) were all
 past the end of the array.
+Signed-off-by: Keith Packard <keithp@keithp.com>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/signal.c | 9 ++++++++-
+ target/rx/helper.c | 2 +-
-file changed, 8 insertions(+), 1 deletion(-)
+file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
+diff --git a/target/rx/helper.c b/target/rx/helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/signal.c
+--- a/target/rx/helper.c
-+++ b/linux-user/aarch64/signal.c
++++ b/target/rx/helper.c
-@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
+@@ -XXX,XX +XXX,XX @@ void rx_cpu_do_interrupt(CPUState *cs)
- struct target_sve_context {
+         cpu_stl_data(env, env->isp, env->pc);
-     struct target_aarch64_ctx head;
-     uint16_t vl;
+         if (vec < 0x100) {
--    uint16_t reserved[3];
+-            env->pc = cpu_ldl_data(env, 0xffffffc0 + vec * 4);
-+    uint16_t flags;
++            env->pc = cpu_ldl_data(env, 0xffffff80 + vec * 4);
-+    uint16_t reserved[2];
+         } else {
-     /* The actual SVE data immediately follows.  It is laid out
+             env->pc = cpu_ldl_data(env, env->intb + (vec & 0xff) * 4);
-      * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
+         }
       * the original struct pointer.
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
  #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
      (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 +#define TARGET_SVE_SIG_FLAG_SM  1
 +
  struct target_rt_sigframe {
      struct target_siginfo info;
      struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
  {
      int i, j;
 +    memset(sve, 0, sizeof(*sve));
      __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
      __put_user(size, &sve->head.size);
      __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
 +    if (FIELD_EX64(env->svcr, SVCR, SM)) {
 +        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
 +    }
      /* Note that SVE regs are stored as a byte stream, with each byte element
       * at a subsequent address.  This corresponds to a little-endian store
 --
-.25.1
+.43.0

-[PULL 34/45] linux-user/aarch64: Reset PSTATE.SM on syscalls
+[PULL 21/21] target/rx: Remove TCG_CALL_NO_WG from helpers which write env
-From: Richard Henderson <richard.henderson@linaro.org>
+From: Keith Packard <keithp@keithp.com>
+Functions which modify TCG globals must not be marked TCG_CALL_NO_WG,
+as that tells the optimizer that TCG global values already loaded in
+machine registers are still valid, and so any changes which these
+helpers make to the CPU state may be ignored.
+The target/rx code chooses to put (among other things) all the PSW
+bits and also ACC into globals, so the NO_WG flag on various
+functions that touch the PSW or ACC is incorrect and must be removed.
+This includes all the floating point helper functions, because
+update_fpsw() will update PSW Z and S.
+Signed-off-by: Keith Packard <keithp@keithp.com>
+[PMM: Clarified commit message]
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
-Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
 Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
 ---
- linux-user/aarch64/cpu_loop.c | 9 +++++++++
+ target/rx/helper.h | 34 +++++++++++++++++-----------------
-file changed, 9 insertions(+)
+file changed, 17 insertions(+), 17 deletions(-)
-diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
+diff --git a/target/rx/helper.h b/target/rx/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/aarch64/cpu_loop.c
+--- a/target/rx/helper.h
-+++ b/linux-user/aarch64/cpu_loop.c
++++ b/target/rx/helper.h
-@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_privilege_violation, noreturn, env)
+ DEF_HELPER_1(wait, noreturn, env)
-         switch (trapnr) {
+ DEF_HELPER_2(rxint, noreturn, env, i32)
-         case EXCP_SWI:
+ DEF_HELPER_1(rxbrk, noreturn, env)
-+            /*
+-DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
-+             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
+-DEF_HELPER_FLAGS_3(fsub, TCG_CALL_NO_WG, f32, env, f32, f32)
-+             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
+-DEF_HELPER_FLAGS_3(fmul, TCG_CALL_NO_WG, f32, env, f32, f32)
-+             */
+-DEF_HELPER_FLAGS_3(fdiv, TCG_CALL_NO_WG, f32, env, f32, f32)
-+            if (FIELD_EX64(env->svcr, SVCR, SM)) {
+-DEF_HELPER_FLAGS_3(fcmp, TCG_CALL_NO_WG, void, env, f32, f32)
-+                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
+-DEF_HELPER_FLAGS_2(ftoi, TCG_CALL_NO_WG, i32, env, f32)
-+                arm_rebuild_hflags(env);
+-DEF_HELPER_FLAGS_2(round, TCG_CALL_NO_WG, i32, env, f32)
-+                arm_reset_sve_state(env);
+-DEF_HELPER_FLAGS_2(itof, TCG_CALL_NO_WG, f32, env, i32)
-+            }
++DEF_HELPER_3(fadd, f32, env, f32, f32)
-             ret = do_syscall(env,
++DEF_HELPER_3(fsub, f32, env, f32, f32)
-                              env->xregs[8],
++DEF_HELPER_3(fmul, f32, env, f32, f32)
-                              env->xregs[0],
++DEF_HELPER_3(fdiv, f32, env, f32, f32)
 +DEF_HELPER_3(fcmp, void, env, f32, f32)
 +DEF_HELPER_2(ftoi, i32, env, f32)
 +DEF_HELPER_2(round, i32, env, f32)
 +DEF_HELPER_2(itof, f32, env, i32)
  DEF_HELPER_2(set_fpsw, void, env, i32)
 -DEF_HELPER_FLAGS_2(racw, TCG_CALL_NO_WG, void, env, i32)
 -DEF_HELPER_FLAGS_2(set_psw_rte, TCG_CALL_NO_WG, void, env, i32)
 -DEF_HELPER_FLAGS_2(set_psw, TCG_CALL_NO_WG, void, env, i32)
 +DEF_HELPER_2(racw, void, env, i32)
 +DEF_HELPER_2(set_psw_rte, void, env, i32)
 +DEF_HELPER_2(set_psw, void, env, i32)
  DEF_HELPER_1(pack_psw, i32, env)
 -DEF_HELPER_FLAGS_3(div, TCG_CALL_NO_WG, i32, env, i32, i32)
 -DEF_HELPER_FLAGS_3(divu, TCG_CALL_NO_WG, i32, env, i32, i32)
 -DEF_HELPER_FLAGS_1(scmpu, TCG_CALL_NO_WG, void, env)
 +DEF_HELPER_3(div, i32, env, i32, i32)
 +DEF_HELPER_3(divu, i32, env, i32, i32)
 +DEF_HELPER_1(scmpu, void, env)
  DEF_HELPER_1(smovu, void, env)
  DEF_HELPER_1(smovf, void, env)
  DEF_HELPER_1(smovb, void, env)
  DEF_HELPER_2(sstr, void, env, i32)
 -DEF_HELPER_FLAGS_2(swhile, TCG_CALL_NO_WG, void, env, i32)
 -DEF_HELPER_FLAGS_2(suntil, TCG_CALL_NO_WG, void, env, i32)
 -DEF_HELPER_FLAGS_2(rmpa, TCG_CALL_NO_WG, void, env, i32)
 +DEF_HELPER_2(swhile, void, env, i32)
 +DEF_HELPER_2(suntil, void, env, i32)
 +DEF_HELPER_2(rmpa, void, env, i32)
  DEF_HELPER_1(satr, void, env)
 --
-.25.1
+.43.0

I don't have anything else queued up at the moment, so this is just
Richard's SME patches.

-- PMM

The following changes since commit 63b38f6c85acd312c2cab68554abf33adf4ee2b3:

Merge tag 'pull-target-arm-20220707' of https://git.linaro.org/people/pmaydell/qemu-arm into staging (2022-07-08 06:17:11 +0530)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20220711

for you to fetch changes up to f9982ceaf26df27d15547a3a7990a95019e9e3a8:

linux-user/aarch64: Add SME related hwcap entries (2022-07-11 13:43:52 +0100)

----------------------------------------------------------------
target-arm:
 * Implement SME emulation, for both system and linux-user

----------------------------------------------------------------
Richard Henderson (45):
      target/arm: Handle SME in aarch64_cpu_dump_state
      target/arm: Add infrastructure for disas_sme
      target/arm: Trap non-streaming usage when Streaming SVE is active
      target/arm: Mark ADR as non-streaming
      target/arm: Mark RDFFR, WRFFR, SETFFR as non-streaming
      target/arm: Mark BDEP, BEXT, BGRP, COMPACT, FEXPA, FTSSEL as non-streaming
      target/arm: Mark PMULL, FMMLA as non-streaming
      target/arm: Mark FTSMUL, FTMAD, FADDA as non-streaming
      target/arm: Mark SMMLA, UMMLA, USMMLA as non-streaming
      target/arm: Mark string/histo/crypto as non-streaming
      target/arm: Mark gather/scatter load/store as non-streaming
      target/arm: Mark gather prefetch as non-streaming
      target/arm: Mark LDFF1 and LDNF1 as non-streaming
      target/arm: Mark LD1RO as non-streaming
      target/arm: Add SME enablement checks
      target/arm: Handle SME in sve_access_check
      target/arm: Implement SME RDSVL, ADDSVL, ADDSPL
      target/arm: Implement SME ZERO
      target/arm: Implement SME MOVA
      target/arm: Implement SME LD1, ST1
      target/arm: Export unpredicated ld/st from translate-sve.c
      target/arm: Implement SME LDR, STR
      target/arm: Implement SME ADDHA, ADDVA
      target/arm: Implement FMOPA, FMOPS (non-widening)
      target/arm: Implement BFMOPA, BFMOPS
      target/arm: Implement FMOPA, FMOPS (widening)
      target/arm: Implement SME integer outer product
      target/arm: Implement PSEL
      target/arm: Implement REVD
      target/arm: Implement SCLAMP, UCLAMP
      target/arm: Reset streaming sve state on exception boundaries
      target/arm: Enable SME for -cpu max
      linux-user/aarch64: Clear tpidr2_el0 if CLONE_SETTLS
      linux-user/aarch64: Reset PSTATE.SM on syscalls
      linux-user/aarch64: Add SM bit to SVE signal context
      linux-user/aarch64: Tidy target_restore_sigframe error return
      linux-user/aarch64: Do not allow duplicate or short sve records
      linux-user/aarch64: Verify extra record lock succeeded
      linux-user/aarch64: Move sve record checks into restore
      linux-user/aarch64: Implement SME signal handling
      linux-user: Rename sve prctls
      linux-user/aarch64: Implement PR_SME_GET_VL, PR_SME_SET_VL
      target/arm: Only set ZEN in reset if SVE present
      target/arm: Enable SME for user-only
      linux-user/aarch64: Add SME related hwcap entries

From: Richard Henderson <richard.henderson@linaro.org>

Dump SVCR, plus use the correct access check for Streaming Mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     int i;
     int el = arm_current_el(env);
     const char *ns_status;
+    bool sve;
 
     qemu_fprintf(f, " PC=%016" PRIx64 " ", env->pc);
     for (i = 0; i < 32; i++) {
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
                  el,
                  psr & PSTATE_SP ? 'h' : 't');
 
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        qemu_fprintf(f, "  SVCR=%08" PRIx64 " %c%c",
+                     env->svcr,
+                     (FIELD_EX64(env->svcr, SVCR, ZA) ? 'Z' : '-'),
+                     (FIELD_EX64(env->svcr, SVCR, SM) ? 'S' : '-'));
+    }
     if (cpu_isar_feature(aa64_bti, cpu)) {
         qemu_fprintf(f, "  BTYPE=%d", (psr & PSTATE_BTYPE) >> 10);
     }
@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)
     qemu_fprintf(f, "     FPCR=%08x FPSR=%08x\n",
                  vfp_get_fpcr(env), vfp_get_fpsr(env));
 
-    if (cpu_isar_feature(aa64_sve, cpu) && sve_exception_el(env, el) == 0) {
+    if (cpu_isar_feature(aa64_sme, cpu) && FIELD_EX64(env->svcr, SVCR, SM)) {
+        sve = sme_exception_el(env, el) == 0;
+    } else if (cpu_isar_feature(aa64_sve, cpu)) {
+        sve = sve_exception_el(env, el) == 0;
+    } else {
+        sve = false;
+    }
+
+    if (sve) {
         int j, zcr_len = sve_vqm1_for_el(env, el);
 
         for (i = 0; i <= FFR_PRED_NUM; i++) {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This includes the build rules for the decoder, and the
new file for translation, but excludes any instructions.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  1 +
 target/arm/sme.decode      | 20 ++++++++++++++++++++
 target/arm/translate-a64.c |  7 ++++++-
 target/arm/translate-sme.c | 35 +++++++++++++++++++++++++++++++++++
 target/arm/meson.build     |  2 ++
 5 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 target/arm/sme.decode
 create mode 100644 target/arm/translate-sme.c

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int pred_gvec_reg_size(DisasContext *s)
 }
 
 bool disas_sve(DisasContext *, uint32_t);
+bool disas_sme(DisasContext *, uint32_t);
 
 void gen_gvec_rax1(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                    uint32_t rm_ofs, uint32_t opr_sz, uint32_t max_sz);
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME instruction descriptions
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
 
     switch (extract32(insn, 25, 4)) {
-    case 0x0: case 0x1: case 0x3: /* UNALLOCATED */
+    case 0x0:
+        if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
+            unallocated_encoding(s);
+        }
+        break;
+    case 0x1: case 0x3: /* UNALLOCATED */
         unallocated_encoding(s);
         break;
     case 0x2:
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * AArch64 SME translation
+ *
+ * Copyright (c) 2022 Linaro, Ltd
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "qemu/osdep.h"
+#include "cpu.h"
+#include "tcg/tcg-op.h"
+#include "tcg/tcg-op-gvec.h"
+#include "tcg/tcg-gvec-desc.h"
+#include "translate.h"
+#include "exec/helper-gen.h"
+#include "translate-a64.h"
+#include "fpu/softfloat.h"
+
+
+/*
+ * Include the generated decoder.
+ */
+
+#include "decode-sme.c.inc"
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
+  decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
@@ -XXX,XX +XXX,XX @@ arm_ss.add(when: 'TARGET_AARCH64', if_true: files(
   'sme_helper.c',
   'translate-a64.c',
   'translate-sve.c',
+  'translate-sme.c',
 ))
 
 arm_softmmu_ss = ss.source_set()
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This new behaviour is in the ARM pseudocode function
AArch64.CheckFPAdvSIMDEnabled, which applies to AArch32
via AArch32.CheckAdvSIMDOrFPEnabled when the EL to which
the trap would be delivered is in AArch64 mode.

Given that ARMv9 drops support for AArch32 outside EL0, the trap EL
detection ought to be trivially true, but the pseudocode still contains
a number of conditions, and QEMU has not yet committed to dropping A32
support for EL[12] when v9 features are present.

Since the computation of SME_TRAP_NONSTREAMING is necessarily different
for the two modes, we might as well preserve bits within TBFLAG_ANY and
allocate separate bits within TBFLAG_A32 and TBFLAG_A64 instead.

Note that DDI0616A.a has typos for bits [22:21] of LD1RO in the table
of instructions illegal in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.h           |  7 +++
 target/arm/translate.h     |  4 ++
 target/arm/sme-fa64.decode | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/helper.c        | 41 +++++++++++++++++
 target/arm/translate-a64.c | 40 ++++++++++++++++-
 target/arm/translate-vfp.c | 12 +++++
 target/arm/translate.c     |  2 +
 target/arm/meson.build     |  1 +
 8 files changed, 195 insertions(+), 2 deletions(-)
 create mode 100644 target/arm/sme-fa64.decode

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A32, HSTR_ACTIVE, 9, 1)
  * the same thing as the current security state of the processor!
  */
 FIELD(TBFLAG_A32, NS, 10, 1)
+/*
+ * Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not.
+ * This requires an SME trap from AArch32 mode when using NEON.
+ */
+FIELD(TBFLAG_A32, SME_TRAP_NONSTREAMING, 11, 1)
 
 /*
  * Bit usage when in AArch32 state, for M-profile only.
@@ -XXX,XX +XXX,XX @@ FIELD(TBFLAG_A64, SMEEXC_EL, 20, 2)
 FIELD(TBFLAG_A64, PSTATE_SM, 22, 1)
 FIELD(TBFLAG_A64, PSTATE_ZA, 23, 1)
 FIELD(TBFLAG_A64, SVL, 24, 4)
+/* Indicates that SME Streaming mode is active, and SMCR_ELx.FA64 is not. */
+FIELD(TBFLAG_A64, SME_TRAP_NONSTREAMING, 28, 1)
 
 /*
  * Helpers for using the above.
diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     bool pstate_sm;
     /* True if PSTATE.ZA is set. */
     bool pstate_za;
+    /* True if non-streaming insns should raise an SME Streaming exception. */
+    bool sme_trap_nonstreaming;
+    /* True if the current instruction is non-streaming. */
+    bool is_nonstreaming;
     /* True if MVE insns are definitely not predicated by VPR or LTPSIZE */
     bool mve_no_pred;
     /*
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@
+# AArch64 SME allowed instruction decoding
+#
+#  Copyright (c) 2022 Linaro, Ltd
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library; if not, see <http://www.gnu.org/licenses/>.
+
+#
+# This file is processed by scripts/decodetree.py
+#
+
+# These patterns are taken from Appendix E1.1 of DDI0616 A.a,
+# Arm Architecture Reference Manual Supplement,
+# The Scalable Matrix Extension (SME), for Armv9-A
+
+{
+  [
+    OK  0-00 1110 0000 0001 0010 11-- ---- ----   # SMOV W|Xd,Vn.B[0]
+    OK  0-00 1110 0000 0010 0010 11-- ---- ----   # SMOV W|Xd,Vn.H[0]
+    OK  0100 1110 0000 0100 0010 11-- ---- ----   # SMOV Xd,Vn.S[0]
+    OK  0000 1110 0000 0001 0011 11-- ---- ----   # UMOV Wd,Vn.B[0]
+    OK  0000 1110 0000 0010 0011 11-- ---- ----   # UMOV Wd,Vn.H[0]
+    OK  0000 1110 0000 0100 0011 11-- ---- ----   # UMOV Wd,Vn.S[0]
+    OK  0100 1110 0000 1000 0011 11-- ---- ----   # UMOV Xd,Vn.D[0]
+  ]
+  FAIL  0--0 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD vector operations
+}
+
+{
+  [
+    OK  0101 1110 --1- ---- 11-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar)
+    OK  0101 1110 -10- ---- 00-1 11-- ---- ----   # FMULX/FRECPS/FRSQRTS (scalar, FP16)
+    OK  01-1 1110 1-10 0001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar)
+    OK  01-1 1110 1111 1001 11-1 10-- ---- ----   # FRECPE/FRSQRTE/FRECPX (scalar, FP16)
+  ]
+  FAIL  01-1 111- ---- ---- ---- ---- ---- ----   # Advanced SIMD single-element operations
+}
+
+FAIL    0-00 110- ---- ---- ---- ---- ---- ----   # Advanced SIMD structure load/store
+FAIL    1100 1110 ---- ---- ---- ---- ---- ----   # Advanced SIMD cryptography extensions
+FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
+
+# These are the "avoidance of doubt" final table of Illegal Advanced SIMD instructions
+# We don't actually need to include these, as the default is OK.
+#       -001 111- ---- ---- ---- ---- ---- ----   # Scalar floating-point operations
+#       --10 110- ---- ---- ---- ---- ---- ----   # Load/store pair of FP registers
+#       --01 1100 ---- ---- ---- ---- ---- ----   # Load FP register (PC-relative literal)
+#       --11 1100 --0- ---- ---- ---- ---- ----   # Load/store FP register (unscaled imm)
+#       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
+#       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
+
+FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
+FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
+FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
+FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
+FAIL    0010 0101 --10 1--- 1001 ---- ---- ----   # WRFFR, SETFFR
+FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
+FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
+FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
+FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
+FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
+FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
+FAIL    0100 0101 --0- ---- 1001 10-- ---- ----   # SMMLA, UMMLA, USMMLA
+FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
+FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
+FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
+FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
+FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
+FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
+FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
+FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
+FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
+FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
+FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
+FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
+FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
+FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
+FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
+FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
+FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ int sme_exception_el(CPUARMState *env, int el)
     return 0;
 }
 
+/* This corresponds to the ARM pseudocode function IsFullA64Enabled(). */
+static bool sme_fa64(CPUARMState *env, int el)
+{
+    if (!cpu_isar_feature(aa64_sme_fa64, env_archcpu(env))) {
+        return false;
+    }
+
+    if (el <= 1 && !el_is_in_host(env, el)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[1], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (el <= 2 && arm_is_el2_enabled(env)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[2], SMCR, FA64)) {
+            return false;
+        }
+    }
+    if (arm_feature(env, ARM_FEATURE_EL3)) {
+        if (!FIELD_EX64(env->vfp.smcr_el[3], SMCR, FA64)) {
+            return false;
+        }
+    }
+
+    return true;
+}
+
 /*
  * Given that SVE is enabled, return the vector length for EL.
  */
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a32(CPUARMState *env, int fp_el,
         DP_TBFLAG_ANY(flags, PSTATE__IL, 1);
     }
 
+    /*
+     * The SME exception we are testing for is raised via
+     * AArch64.CheckFPAdvSIMDEnabled(), as called from
+     * AArch32.CheckAdvSIMDOrFPEnabled().
+     */
+    if (el == 0
+        && FIELD_EX64(env->svcr, SVCR, SM)
+        && (!arm_is_el2_enabled(env)
+            || (arm_el_is_aa64(env, 2) && !(env->cp15.hcr_el2 & HCR_TGE)))
+        && arm_el_is_aa64(env, 1)
+        && !sme_fa64(env, el)) {
+        DP_TBFLAG_A32(flags, SME_TRAP_NONSTREAMING, 1);
+    }
+
     return rebuild_hflags_common_32(env, fp_el, mmu_idx, flags);
 }
 
@@ -XXX,XX +XXX,XX @@ static CPUARMTBFlags rebuild_hflags_a64(CPUARMState *env, int el, int fp_el,
         }
         if (FIELD_EX64(env->svcr, SVCR, SM)) {
             DP_TBFLAG_A64(flags, PSTATE_SM, 1);
+            DP_TBFLAG_A64(flags, SME_TRAP_NONSTREAMING, !sme_fa64(env, el));
         }
         DP_TBFLAG_A64(flags, PSTATE_ZA, FIELD_EX64(env->svcr, SVCR, ZA));
     }
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void do_vec_ld(DisasContext *s, int destidx, int element,
  * unallocated-encoding checks (otherwise the syndrome information
  * for the resulting exception will be incorrect).
  */
-static bool fp_access_check(DisasContext *s)
+static bool fp_access_check_only(DisasContext *s)
 {
     if (s->fp_excp_el) {
         assert(!s->fp_access_checked);
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
+static bool fp_access_check(DisasContext *s)
+{
+    if (!fp_access_check_only(s)) {
+        return false;
+    }
+    if (s->sme_trap_nonstreaming && s->is_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming, false));
+        return false;
+    }
+    return true;
+}
+
 /* Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
  */
@@ -XXX,XX +XXX,XX @@ static void handle_sys(DisasContext *s, uint32_t insn, bool isread,
     default:
         g_assert_not_reached();
     }
-    if ((ri->type & ARM_CP_FPU) && !fp_access_check(s)) {
+    if ((ri->type & ARM_CP_FPU) && !fp_access_check_only(s)) {
         return;
     } else if ((ri->type & ARM_CP_SVE) && !sve_access_check(s)) {
         return;
@@ -XXX,XX +XXX,XX @@ static void disas_data_proc_simd_fp(DisasContext *s, uint32_t insn)
     }
 }
 
+/*
+ * Include the generated SME FA64 decoder.
+ */
+
+#include "decode-sme-fa64.c.inc"
+
+static bool trans_OK(DisasContext *s, arg_OK *a)
+{
+    return true;
+}
+
+static bool trans_FAIL(DisasContext *s, arg_OK *a)
+{
+    s->is_nonstreaming = true;
+    return true;
+}
+
 /**
  * is_guarded_page:
  * @env: The cpu environment
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_init_disas_context(DisasContextBase *dcbase,
     dc->mte_active[1] = EX_TBFLAG_A64(tb_flags, MTE0_ACTIVE);
     dc->pstate_sm = EX_TBFLAG_A64(tb_flags, PSTATE_SM);
     dc->pstate_za = EX_TBFLAG_A64(tb_flags, PSTATE_ZA);
+    dc->sme_trap_nonstreaming = EX_TBFLAG_A64(tb_flags, SME_TRAP_NONSTREAMING);
     dc->vec_len = 0;
     dc->vec_stride = 0;
     dc->cp_regs = arm_cpu->cp_regs;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
         }
     }
 
+    s->is_nonstreaming = false;
+    if (s->sme_trap_nonstreaming) {
+        disas_sme_fa64(s, insn);
+    }
+
     switch (extract32(insn, 25, 4)) {
     case 0x0:
         if (!extract32(insn, 31, 1) || !disas_sme(s, insn)) {
diff --git a/target/arm/translate-vfp.c b/target/arm/translate-vfp.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-vfp.c
+++ b/target/arm/translate-vfp.c
@@ -XXX,XX +XXX,XX @@ static bool vfp_access_check_a(DisasContext *s, bool ignore_vfp_enabled)
         return false;
     }
 
+    /*
+     * Note that rebuild_hflags_a32 has already accounted for being in EL0
+     * and the higher EL in A64 mode, etc.  Unlike A64 mode, there do not
+     * appear to be any insns which touch VFP which are allowed.
+     */
+    if (s->sme_trap_nonstreaming) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_Streaming,
+                                       s->base.pc_next - s->pc_curr == 2));
+        return false;
+    }
+
     if (!s->vfp_enabled && !ignore_vfp_enabled) {
         assert(!arm_dc_feature(s, ARM_FEATURE_M));
         unallocated_encoding(s);
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
             dc->vec_len = EX_TBFLAG_A32(tb_flags, VECLEN);
             dc->vec_stride = EX_TBFLAG_A32(tb_flags, VECSTRIDE);
         }
+        dc->sme_trap_nonstreaming =
+            EX_TBFLAG_A32(tb_flags, SME_TRAP_NONSTREAMING);
     }
     dc->cp_regs = cpu->cp_regs;
     dc->features = env->features;
diff --git a/target/arm/meson.build b/target/arm/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/meson.build
+++ b/target/arm/meson.build
@@ -XXX,XX +XXX,XX @@
 gen = [
   decodetree.process('sve.decode', extra_args: '--decode=disas_sve'),
   decodetree.process('sme.decode', extra_args: '--decode=disas_sme'),
+  decodetree.process('sme-fa64.decode', extra_args: '--static-decode=disas_sme_fa64'),
   decodetree.process('neon-shared.decode', extra_args: '--decode=disas_neon_shared'),
   decodetree.process('neon-dp.decode', extra_args: '--decode=disas_neon_dp'),
   decodetree.process('neon-ls.decode', extra_args: '--decode=disas_neon_ls'),
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark ADR as a non-streaming instruction, which should trap
if full a64 support is not enabled in streaming mode.

Removing entries from sme-fa64.decode is an easy way to see
what remains to be done.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-5-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate.h     | 7 +++++++
 target/arm/sme-fa64.decode | 1 -
 target/arm/translate-sve.c | 8 ++++----
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/target/arm/translate.h b/target/arm/translate.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.h
+++ b/target/arm/translate.h
@@ -XXX,XX +XXX,XX @@ uint64_t asimd_imm_const(uint32_t imm, int cmode, int op);
     static bool trans_##NAME(DisasContext *s, arg_##NAME *a) \
     { return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__); }
 
+#define TRANS_FEAT_NONSTREAMING(NAME, FEAT, FUNC, ...)            \
+    static bool trans_##NAME(DisasContext *s, arg_##NAME *a)      \
+    {                                                             \
+        s->is_nonstreaming = true;                                \
+        return dc_isar_feature(FEAT, s) && FUNC(s, __VA_ARGS__);  \
+    }
+
 #endif /* TARGET_ARM_TRANSLATE_H */
diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1010 ---- ---- ----   # ADR
 FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
 FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
 FAIL    0010 0101 --01 100- 1111 000- ---0 ----   # RDFFR, RDFFRS
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_adr(DisasContext *s, arg_rrri *a, gen_helper_gvec_3 *fn)
     return gen_gvec_ool_zzz(s, fn, a->rd, a->rn, a->rm, a->imm);
 }
 
-TRANS_FEAT(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
-TRANS_FEAT(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
-TRANS_FEAT(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
-TRANS_FEAT(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
+TRANS_FEAT_NONSTREAMING(ADR_p32, aa64_sve, do_adr, a, gen_helper_sve_adr_p32)
+TRANS_FEAT_NONSTREAMING(ADR_p64, aa64_sve, do_adr, a, gen_helper_sve_adr_p64)
+TRANS_FEAT_NONSTREAMING(ADR_s32, aa64_sve, do_adr, a, gen_helper_sve_adr_s32)
+TRANS_FEAT_NONSTREAMING(ADR_u32, aa64_sve, do_adr, a, gen_helper_sve_adr_u32)
 
 /*
  *** SVE Integer Misc - Unpredicated Group
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-6-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 9 ++++++---
 2 files changed, 6 insertions(+), 5 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-7-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 22 ++++++++++++----------
 2 files changed, 12 insertions(+), 13 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0000 0100 --1- ---- 1011 -0-- ---- ----   # FTSSEL, FEXPA
-FAIL    0000 0101 --10 0001 100- ---- ---- ----   # COMPACT
-FAIL    0100 0101 --0- ---- 1011 ---- ---- ----   # BDEP, BEXT, BGRP
 FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
 FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_2 * const fexpa_fns[4] = {
     NULL,                   gen_helper_sve_fexpa_h,
     gen_helper_sve_fexpa_s, gen_helper_sve_fexpa_d,
 };
-TRANS_FEAT(FEXPA, aa64_sve, gen_gvec_ool_zz,
-           fexpa_fns[a->esz], a->rd, a->rn, 0)
+TRANS_FEAT_NONSTREAMING(FEXPA, aa64_sve, gen_gvec_ool_zz,
+                        fexpa_fns[a->esz], a->rd, a->rn, 0)
 
 static gen_helper_gvec_3 * const ftssel_fns[4] = {
     NULL,                    gen_helper_sve_ftssel_h,
     gen_helper_sve_ftssel_s, gen_helper_sve_ftssel_d,
 };
-TRANS_FEAT(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz, ftssel_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(FTSSEL, aa64_sve, gen_gvec_ool_arg_zzz,
+                        ftssel_fns[a->esz], a, 0)
 
 /*
  *** SVE Predicate Logical Operations Group
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(TRN2_q, aa64_sve_f64mm, gen_gvec_ool_arg_zzz,
 static gen_helper_gvec_3 * const compact_fns[4] = {
     NULL, NULL, gen_helper_sve_compact_s, gen_helper_sve_compact_d
 };
-TRANS_FEAT(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz, compact_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(COMPACT, aa64_sve, gen_gvec_ool_arg_zpz,
+                        compact_fns[a->esz], a, 0)
 
 /* Call the helper that computes the ARM LastActiveElement pseudocode
  * function, scaled by the element size.  This includes the not found
@@ -XXX,XX +XXX,XX @@ static gen_helper_gvec_3 * const bext_fns[4] = {
     gen_helper_sve2_bext_b, gen_helper_sve2_bext_h,
     gen_helper_sve2_bext_s, gen_helper_sve2_bext_d,
 };
-TRANS_FEAT(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bext_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BEXT, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bext_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bdep_fns[4] = {
     gen_helper_sve2_bdep_b, gen_helper_sve2_bdep_h,
     gen_helper_sve2_bdep_s, gen_helper_sve2_bdep_d,
 };
-TRANS_FEAT(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bdep_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BDEP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bdep_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const bgrp_fns[4] = {
     gen_helper_sve2_bgrp_b, gen_helper_sve2_bgrp_h,
     gen_helper_sve2_bgrp_s, gen_helper_sve2_bgrp_d,
 };
-TRANS_FEAT(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
-           bgrp_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(BGRP, aa64_sve2_bitperm, gen_gvec_ool_arg_zzz,
+                        bgrp_fns[a->esz], a, 0)
 
 static gen_helper_gvec_3 * const cadd_fns[4] = {
     gen_helper_sve2_cadd_b, gen_helper_sve2_cadd_h,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-8-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  2 --
 target/arm/translate-sve.c | 24 +++++++++++++++---------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 000- ---- 0110 1--- ---- ----   # PMULLB, PMULLT (128b result)
-FAIL    0110 0100 --1- ---- 1110 01-- ---- ----   # FMMLA, BFMMLA
 FAIL    0110 0101 --0- ---- 0000 11-- ---- ----   # FTSMUL
 FAIL    0110 0101 --01 0--- 100- ---- ---- ----   # FTMAD
 FAIL    0110 0101 --01 1--- 001- ---- ---- ----   # FADDA
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_trans_pmull(DisasContext *s, arg_rrr_esz *a, bool sel)
         gen_helper_gvec_pmull_q, gen_helper_sve2_pmull_h,
         NULL,                    gen_helper_sve2_pmull_d,
     };
-    if (a->esz == 0
-        ? !dc_isar_feature(aa64_sve2_pmull128, s)
-        : !dc_isar_feature(aa64_sve, s)) {
+
+    if (a->esz == 0) {
+        if (!dc_isar_feature(aa64_sve2_pmull128, s)) {
+            return false;
+        }
+        s->is_nonstreaming = true;
+    } else if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
     return gen_gvec_ool_arg_zzz(s, fns[a->esz], a, sel);
@@ -XXX,XX +XXX,XX @@ DO_ZPZZ_FP(FMINP, aa64_sve2, sve2_fminp_zpzz)
  * SVE Integer Multiply-Add (unpredicated)
  */
 
-TRANS_FEAT(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_s,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
-TRANS_FEAT(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz, gen_helper_fmmla_d,
-           a->rd, a->rn, a->rm, a->ra, 0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_s, aa64_sve_f32mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_s, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
+TRANS_FEAT_NONSTREAMING(FMMLA_d, aa64_sve_f64mm, gen_gvec_fpst_zzzz,
+                        gen_helper_fmmla_d, a->rd, a->rn, a->rm, a->ra,
+                        0, FPST_FPCR)
 
 static gen_helper_gvec_4 * const sqdmlal_zzzw_fns[] = {
     NULL,                           gen_helper_sve2_sqdmlal_zzzw_h,
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(BFDOT_zzzz, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
 TRANS_FEAT(BFDOT_zzxz, aa64_sve_bf16, gen_gvec_ool_arg_zzxz,
            gen_helper_gvec_bfdot_idx, a)
 
-TRANS_FEAT(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
-           gen_helper_gvec_bfmmla, a, 0)
+TRANS_FEAT_NONSTREAMING(BFMMLA, aa64_sve_bf16, gen_gvec_ool_arg_zzzz,
+                        gen_helper_gvec_bfmmla, a, 0)
 
 static bool do_BFMLAL_zzzw(DisasContext *s, arg_rrrr_esz *a, bool sel)
 {
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-9-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/translate-sve.c | 15 +++++++++++----
 2 files changed, 11 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-10-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 12 ++++++------
 2 files changed, 6 insertions(+), 7 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-11-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  1 -
 target/arm/translate-sve.c | 35 ++++++++++++++++++-----------------
 2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    0100 0101 --1- ---- 1--- ---- ---- ----   # SVE2 string/histo/crypto instructions
 FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ DO_SVE2_ZZZ_NARROW(RSUBHNT, rsubhnt)
 static gen_helper_gvec_flags_4 * const match_fns[4] = {
     gen_helper_sve2_match_ppzz_b, gen_helper_sve2_match_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(MATCH, aa64_sve2, do_ppzz_flags, a, match_fns[a->esz])
 
 static gen_helper_gvec_flags_4 * const nmatch_fns[4] = {
     gen_helper_sve2_nmatch_ppzz_b, gen_helper_sve2_nmatch_ppzz_h, NULL, NULL
 };
-TRANS_FEAT(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
+TRANS_FEAT_NONSTREAMING(NMATCH, aa64_sve2, do_ppzz_flags, a, nmatch_fns[a->esz])
 
 static gen_helper_gvec_4 * const histcnt_fns[4] = {
     NULL, NULL, gen_helper_sve2_histcnt_s, gen_helper_sve2_histcnt_d
 };
-TRANS_FEAT(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
-           histcnt_fns[a->esz], a, 0)
+TRANS_FEAT_NONSTREAMING(HISTCNT, aa64_sve2, gen_gvec_ool_arg_zpzz,
+                        histcnt_fns[a->esz], a, 0)
 
-TRANS_FEAT(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
-           a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
+TRANS_FEAT_NONSTREAMING(HISTSEG, aa64_sve2, gen_gvec_ool_arg_zzz,
+                        a->esz == 0 ? gen_helper_sve2_histseg : NULL, a, 0)
 
 DO_ZPZZ_FP(FADDP, aa64_sve2, sve2_faddp_zpzz)
 DO_ZPZZ_FP(FMAXNMP, aa64_sve2, sve2_fmaxnmp_zpzz)
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(SQRDCMLAH_zzzz, aa64_sve2, gen_gvec_ool_zzzz,
 TRANS_FEAT(USDOT_zzzz, aa64_sve_i8mm, gen_gvec_ool_arg_zzzz,
            a->esz == 2 ? gen_helper_gvec_usdot_b : NULL, a, 0)
 
-TRANS_FEAT(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
-           gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
+TRANS_FEAT_NONSTREAMING(AESMC, aa64_sve2_aes, gen_gvec_ool_zz,
+                        gen_helper_crypto_aesmc, a->rd, a->rd, a->decrypt)
 
-TRANS_FEAT(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, false)
-TRANS_FEAT(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_aese, a, true)
+TRANS_FEAT_NONSTREAMING(AESE, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, false)
+TRANS_FEAT_NONSTREAMING(AESD, aa64_sve2_aes, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_aese, a, true)
 
-TRANS_FEAT(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4e, a, 0)
-TRANS_FEAT(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
-           gen_helper_crypto_sm4ekey, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4E, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4e, a, 0)
+TRANS_FEAT_NONSTREAMING(SM4EKEY, aa64_sve2_sm4, gen_gvec_ool_arg_zzz,
+                        gen_helper_crypto_sm4ekey, a, 0)
 
-TRANS_FEAT(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz, gen_gvec_rax1, a)
+TRANS_FEAT_NONSTREAMING(RAX1, aa64_sve2_sha3, gen_gvec_fn_arg_zzz,
+                        gen_gvec_rax1, a)
 
 TRANS_FEAT(FCVTNT_sh, aa64_sve2, gen_gvec_fpst_arg_zpz,
            gen_helper_sve2_fcvtnt_sh, a, 0, FPST_FPCR)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-12-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 9 ---------
 target/arm/translate-sve.c | 6 ++++++
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 10-- ---- ---- ----   # SVE2 32-bit gather NT load (vector+scalar)
 FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
 FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
-FAIL    1000 010- -01- ---- 1--- ---- ---- ----   # SVE 32-bit gather load (vector+imm)
-FAIL    1000 0100 0-0- ---- 0--- ---- ---- ----   # SVE 32-bit gather load byte (scalar+vector)
-FAIL    1000 0100 1--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load half (scalar+vector)
-FAIL    1000 0101 0--- ---- 0--- ---- ---- ----   # SVE 32-bit gather load word (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
 FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
-FAIL    1110 010- -00- ---- 001- ---- ---- ----   # SVE2 64-bit scatter NT store (vector+scalar)
-FAIL    1110 010- -10- ---- 001- ---- ---- ----   # SVE2 32-bit scatter NT store (vector+scalar)
-FAIL    1110 010- ---- ---- 1-0- ---- ---- ----   # SVE scatter store (scalar+32-bit vector)
-FAIL    1110 010- ---- ---- 101- ---- ---- ----   # SVE scatter store (misc)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LD1_zpiz(DisasContext *s, arg_LD1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDNT1_zprz(DisasContext *s, arg_LD1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_ST1_zpiz(DisasContext *s, arg_ST1_zpiz *a)
     if (!dc_isar_feature(aa64_sve, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_STNT1_zprz(DisasContext *s, arg_ST1_zprz *a)
     if (!dc_isar_feature(aa64_sve2, s)) {
         return false;
     }
+    s->is_nonstreaming = true;
     if (!sve_access_check(s)) {
         return true;
     }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap if full
a64 support is not enabled in streaming mode.  In this case, introduce
PRF_ns (prefetch non-streaming) to handle the checks.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-13-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode |  3 ---
 target/arm/sve.decode      | 10 +++++-----
 target/arm/translate-sve.c | 11 +++++++++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/target/arm/sme-fa64.decode b/target/arm/sme-fa64.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme-fa64.decode
+++ b/target/arm/sme-fa64.decode
@@ -XXX,XX +XXX,XX @@ FAIL    0001 1110 0111 1110 0000 00-- ---- ----   # FJCVTZS
 #       --11 1100 --1- ---- ---- ---- ---- --10   # Load/store FP register (register offset)
 #       --11 1101 ---- ---- ---- ---- ---- ----   # Load/store FP register (scaled imm)
 
-FAIL    1000 010- -00- ---- 111- ---- ---- ----   # SVE 32-bit gather prefetch (vector+imm)
-FAIL    1000 0100 0-1- ---- 0--- ---- ---- ----   # SVE 32-bit gather prefetch (scalar+vector)
 FAIL    1010 010- ---- ---- 011- ---- ---- ----   # SVE contiguous FF load (scalar+scalar)
 FAIL    1010 010- ---1 ---- 101- ---- ---- ----   # SVE contiguous NF load (scalar+imm)
 FAIL    1010 010- -01- ---- 000- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+scalar)
 FAIL    1010 010- -010 ---- 001- ---- ---- ----   # SVE load & replicate 32 bytes (scalar+imm)
-FAIL    1100 010- ---- ---- ---- ---- ---- ----   # SVE 64-bit gather load/prefetch
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ LD1RO_zpri      1010010 .. 01 0.... 001 ... ..... ..... \
                 @rpri_load_msz nreg=0
 
 # SVE 32-bit gather prefetch (scalar plus 32-bit scaled offsets)
-PRF             1000010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1000010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 32-bit gather prefetch (vector plus immediate)
-PRF             1000010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1000010 -- 00 ----- 111 --- ----- 0 ----
 
 # SVE contiguous prefetch (scalar plus immediate)
 PRF             1000010 11 1- ----- 0-- --- ----- 0 ----
@@ -XXX,XX +XXX,XX @@ LD1_zpiz        1100010 .. 01 ..... 1.. ... ..... ..... \
                 @rpri_g_load esz=3
 
 # SVE 64-bit gather prefetch (scalar plus 64-bit scaled offsets)
-PRF             1100010 00 11 ----- 1-- --- ----- 0 ----
+PRF_ns          1100010 00 11 ----- 1-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (scalar plus unpacked 32-bit scaled offsets)
-PRF             1100010 00 -1 ----- 0-- --- ----- 0 ----
+PRF_ns          1100010 00 -1 ----- 0-- --- ----- 0 ----
 
 # SVE 64-bit gather prefetch (vector plus immediate)
-PRF             1100010 -- 00 ----- 111 --- ----- 0 ----
+PRF_ns          1100010 -- 00 ----- 111 --- ----- 0 ----
 
 ### SVE Memory Store Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PRF_rr(DisasContext *s, arg_PRF_rr *a)
     return true;
 }
 
+static bool trans_PRF_ns(DisasContext *s, arg_PRF_ns *a)
+{
+    if (!dc_isar_feature(aa64_sve, s)) {
+        return false;
+    }
+    /* Prefetch is a nop within QEMU.  */
+    s->is_nonstreaming = true;
+    (void)sve_access_check(s);
+    return true;
+}
+
 /*
  * Move Prefix
  *
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-14-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 2 --
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 2 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

Mark these as a non-streaming instructions, which should trap
if full a64 support is not enabled in streaming mode.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-15-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme-fa64.decode | 3 ---
 target/arm/translate-sve.c | 2 ++
 2 files changed, 2 insertions(+), 3 deletions(-)

From: Richard Henderson <richard.henderson@linaro.org>

These functions will be used to verify that the cpu
is in the correct state for a given instruction.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-16-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 21 +++++++++++++++++++++
 target/arm/translate-a64.c | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void write_fp_dreg(DisasContext *s, int reg, TCGv_i64 v);
 bool logic_imm_decode_wmask(uint64_t *result, unsigned int immn,
                             unsigned int imms, unsigned int immr);
 bool sve_access_check(DisasContext *s);
+bool sme_enabled_check(DisasContext *s);
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned);
+
+/* This function corresponds to CheckStreamingSVEEnabled. */
+static inline bool sme_sm_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK);
+}
+
+/* This function corresponds to CheckSMEAndZAEnabled. */
+static inline bool sme_za_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_ZA_MASK);
+}
+
+/* Note that this function corresponds to CheckStreamingSVEAndZAEnabled. */
+static inline bool sme_smza_enabled_check(DisasContext *s)
+{
+    return sme_enabled_check_with_svcr(s, R_SVCR_SM_MASK | R_SVCR_ZA_MASK);
+}
+
 TCGv_i64 clean_data_tbi(DisasContext *s, TCGv_i64 addr);
 TCGv_i64 gen_mte_check1(DisasContext *s, TCGv_i64 addr, bool is_write,
                         bool tag_checked, int log2_size);
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool sme_access_check(DisasContext *s)
     return true;
 }
 
+/* This function corresponds to CheckSMEEnabled. */
+bool sme_enabled_check(DisasContext *s)
+{
+    /*
+     * Note that unlike sve_excp_el, we have not constrained sme_excp_el
+     * to be zero when fp_excp_el has priority.  This is because we need
+     * sme_excp_el by itself for cpregs access checks.
+     */
+    if (!s->fp_excp_el || s->sme_excp_el < s->fp_excp_el) {
+        s->fp_access_checked = true;
+        return sme_access_check(s);
+    }
+    return fp_access_check_only(s);
+}
+
+/* Common subroutine for CheckSMEAnd*Enabled. */
+bool sme_enabled_check_with_svcr(DisasContext *s, unsigned req)
+{
+    if (!sme_enabled_check(s)) {
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, SM) && !s->pstate_sm) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_NotStreaming, false));
+        return false;
+    }
+    if (FIELD_EX64(req, SVCR, ZA) && !s->pstate_za) {
+        gen_exception_insn(s, s->pc_curr, EXCP_UDEF,
+                           syn_smetrap(SME_ET_InactiveZA, false));
+        return false;
+    }
+    return true;
+}
+
 /*
  * This utility function is for doing register extension with an
  * optional shift. You will likely want to pass a temporary for the
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

The pseudocode for CheckSVEEnabled gains a check for Streaming
SVE mode, and for SME present but SVE absent.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-17-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.c | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static bool fp_access_check(DisasContext *s)
     return true;
 }
 
-/* Check that SVE access is enabled.  If it is, return true.
+/*
+ * Check that SVE access is enabled.  If it is, return true.
  * If not, emit code to generate an appropriate exception and return false.
+ * This function corresponds to CheckSVEEnabled().
  */
 bool sve_access_check(DisasContext *s)
 {
-    if (s->sve_excp_el) {
-        assert(!s->sve_access_checked);
-        s->sve_access_checked = true;
-
+    if (s->pstate_sm || !dc_isar_feature(aa64_sve, s)) {
+        assert(dc_isar_feature(aa64_sme, s));
+        if (!sme_sm_enabled_check(s)) {
+            goto fail_exit;
+        }
+    } else if (s->sve_excp_el) {
         gen_exception_insn_el(s, s->pc_curr, EXCP_UDEF,
                               syn_sve_access_trap(), s->sve_excp_el);
-        return false;
+        goto fail_exit;
     }
     s->sve_access_checked = true;
     return fp_access_check(s);
+
+ fail_exit:
+    /* Assert that we only raise one exception per instruction. */
+    assert(!s->sve_access_checked);
+    s->sve_access_checked = true;
+    return false;
 }
 
 /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These SME instructions are nominally within the SVE decode space,
so we add them to sve.decode and translate-sve.c.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-18-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h | 12 ++++++++++++
 target/arm/sve.decode      |  5 ++++-
 target/arm/translate-sve.c | 38 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 54 insertions(+), 1 deletion(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ static inline int vec_full_reg_size(DisasContext *s)
     return s->vl;
 }
 
+/* Return the byte size of the vector register, SVL / 8. */
+static inline int streaming_vec_reg_size(DisasContext *s)
+{
+    return s->svl;
+}
+
 /*
  * Return the offset info CPUARMState of the predicate vector register Pn.
  * Note for this purpose, FFR is P16.
@@ -XXX,XX +XXX,XX @@ static inline int pred_full_reg_size(DisasContext *s)
     return s->vl >> 3;
 }
 
+/* Return the byte size of the predicate register, SVL / 64.  */
+static inline int streaming_pred_reg_size(DisasContext *s)
+{
+    return s->svl >> 3;
+}
+
 /*
  * Round up the size of a register to a size allowed by
  * the tcg vector infrastructure.  Any operation which uses this
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ INDEX_ri        00000100 esz:2 1 imm:s5 010001 rn:5 rd:5
 # SVE index generation (register start, register increment)
 INDEX_rr        00000100 .. 1 ..... 010011 ..... .....          @rd_rn_rm
 
-### SVE Stack Allocation Group
+### SVE / Streaming SVE Stack Allocation Group
 
 # SVE stack frame adjustment
 ADDVL           00000100 001 ..... 01010 ...... .....           @rd_rn_i6
+ADDSVL          00000100 001 ..... 01011 ...... .....           @rd_rn_i6
 ADDPL           00000100 011 ..... 01010 ...... .....           @rd_rn_i6
+ADDSPL          00000100 011 ..... 01011 ...... .....           @rd_rn_i6
 
 # SVE stack frame size
 RDVL            00000100 101 11111 01010 imm:s6 rd:5
+RDSVL           00000100 101 11111 01011 imm:s6 rd:5
 
 ### SVE Bitwise Shift - Unpredicated Group
 
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDVL(DisasContext *s, arg_ADDVL *a)
     return true;
 }
 
+static bool trans_ADDSVL(DisasContext *s, arg_ADDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_ADDPL(DisasContext *s, arg_ADDPL *a)
     return true;
 }
 
+static bool trans_ADDSPL(DisasContext *s, arg_ADDSPL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 rd = cpu_reg_sp(s, a->rd);
+        TCGv_i64 rn = cpu_reg_sp(s, a->rn);
+        tcg_gen_addi_i64(rd, rn, a->imm * streaming_pred_reg_size(s));
+    }
+    return true;
+}
+
 static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
 {
     if (!dc_isar_feature(aa64_sve, s)) {
@@ -XXX,XX +XXX,XX @@ static bool trans_RDVL(DisasContext *s, arg_RDVL *a)
     return true;
 }
 
+static bool trans_RDSVL(DisasContext *s, arg_RDSVL *a)
+{
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (sme_enabled_check(s)) {
+        TCGv_i64 reg = cpu_reg(s, a->rd);
+        tcg_gen_movi_i64(reg, a->imm * streaming_vec_reg_size(s));
+    }
+    return true;
+}
+
 /*
  *** SVE Compute Vector Address Group
  */
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-19-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  4 ++++
 target/arm/sme_helper.c    | 25 +++++++++++++++++++++++++
 target/arm/translate-sme.c | 13 +++++++++++++
 4 files changed, 44 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for implementing moves to/from
horizontal tile slices, but we need new ones for moves to/from
vertical tile slices.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-20-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  12 +++
 target/arm/helper-sve.h    |   2 +
 target/arm/translate-a64.h |   8 ++
 target/arm/translate.h     |   5 ++
 target/arm/sme.decode      |  15 ++++
 target/arm/sme_helper.c    | 151 ++++++++++++++++++++++++++++++++++++-
 target/arm/sve_helper.c    |  12 +++
 target/arm/translate-sme.c | 127 +++++++++++++++++++++++++++++++
 8 files changed, 331 insertions(+), 1 deletion(-)

From: Richard Henderson <richard.henderson@linaro.org>

We cannot reuse the SVE functions for LD[1-4] and ST[1-4],
because those functions accept only a Zreg register number.
For SME, we want to pass a pointer into ZA storage.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-21-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  82 +++++
 target/arm/sme.decode      |   9 +
 target/arm/sme_helper.c    | 595 +++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  70 +++++
 4 files changed, 756 insertions(+)

diff --git a/target/arm/helper-sme.h b/target/arm/helper-sme.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sme.h
+++ b/target/arm/helper-sme.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sme_mova_cz_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_cz_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sme_mova_zc_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_ld1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1b_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1b_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1h_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1h_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1s_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1s_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1d_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1d_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+
+DEF_HELPER_FLAGS_5(sme_st1q_be_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_h_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_be_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
+DEF_HELPER_FLAGS_5(sme_st1q_le_v_mte, TCG_CALL_NO_WG, void, env, ptr, ptr, tl, i32)
diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ MOVA            11000000 esz:2 00001 0 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs
 MOVA            11000000 11    00001 1 v:1 .. pg:3 0 za_imm:4 zr:5  \
                 &mova to_vec=1 rs=%mova_rs esz=4
+
+### SME Memory
+
+&ldst           esz rs pg rn rm za_imm v:bool st:bool
+
+LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst rs=%mova_rs
+LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
+                &ldst esz=4 rs=%mova_rs
diff --git a/target/arm/sme_helper.c b/target/arm/sme_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme_helper.c
+++ b/target/arm/sme_helper.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "cpu.h"
+#include "internals.h"
 #include "tcg/tcg-gvec-desc.h"
 #include "exec/helper-proto.h"
+#include "exec/cpu_ldst.h"
+#include "exec/exec-all.h"
 #include "qemu/int128.h"
 #include "vec_internal.h"
+#include "sve_ldst_internal.h"
 
 /* ResetSVEState */
 void arm_reset_sve_state(CPUARMState *env)
@@ -XXX,XX +XXX,XX @@ void HELPER(sme_mova_zc_q)(void *vd, void *za, void *vg, uint32_t desc)
 }
 
 #undef DO_MOVA_Z
+
+/*
+ * Clear elements in a tile slice comprising len bytes.
+ */
+
+typedef void ClearFn(void *ptr, size_t off, size_t len);
+
+static void clear_horizontal(void *ptr, size_t off, size_t len)
+{
+    memset(ptr + off, 0, len);
+}
+
+static void clear_vertical_b(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; ++i) {
+        *(uint8_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_h(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 2) {
+        *(uint16_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_s(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 4) {
+        *(uint32_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_d(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 8) {
+        *(uint64_t *)(vptr + tile_vslice_offset(i + off)) = 0;
+    }
+}
+
+static void clear_vertical_q(void *vptr, size_t off, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memset(vptr + tile_vslice_offset(i + off), 0, 16);
+    }
+}
+
+/*
+ * Copy elements from an array into a tile slice comprising len bytes.
+ */
+
+typedef void CopyFn(void *dst, const void *src, size_t len);
+
+static void copy_horizontal(void *dst, const void *src, size_t len)
+{
+    memcpy(dst, src, len);
+}
+
+static void copy_vertical_b(void *vdst, const void *vsrc, size_t len)
+{
+    const uint8_t *src = vsrc;
+    uint8_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_h(void *vdst, const void *vsrc, size_t len)
+{
+    const uint16_t *src = vsrc;
+    uint16_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 2; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_s(void *vdst, const void *vsrc, size_t len)
+{
+    const uint32_t *src = vsrc;
+    uint32_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 4; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_d(void *vdst, const void *vsrc, size_t len)
+{
+    const uint64_t *src = vsrc;
+    uint64_t *dst = vdst;
+    size_t i;
+
+    for (i = 0; i < len / 8; ++i) {
+        dst[tile_vslice_index(i)] = src[i];
+    }
+}
+
+static void copy_vertical_q(void *vdst, const void *vsrc, size_t len)
+{
+    for (size_t i = 0; i < len; i += 16) {
+        memcpy(vdst + tile_vslice_offset(i), vsrc + i, 16);
+    }
+}
+
+/*
+ * Host and TLB primitives for vertical tile slice addressing.
+ */
+
+#define DO_LD(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = HOST(host);                                                  \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = TLB(env, useronly_clean_ptr(addr), ra);                      \
+    *(TYPE *)(za + tile_vslice_offset(off)) = val;                          \
+}
+
+#define DO_ST(NAME, TYPE, HOST, TLB)                                        \
+static inline void sme_##NAME##_v_host(void *za, intptr_t off, void *host)  \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    HOST(host, val);                                                        \
+}                                                                           \
+static inline void sme_##NAME##_v_tlb(CPUARMState *env, void *za,           \
+                        intptr_t off, target_ulong addr, uintptr_t ra)      \
+{                                                                           \
+    TYPE val = *(TYPE *)(za + tile_vslice_offset(off));                     \
+    TLB(env, useronly_clean_ptr(addr), val, ra);                            \
+}
+
+/*
+ * The ARMVectorReg elements are stored in host-endian 64-bit units.
+ * For 128-bit quantities, the sequence defined by the Elem[] pseudocode
+ * corresponds to storing the two 64-bit pieces in little-endian order.
+ */
+#define DO_LDQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t val0 = HOST(host), val1 = HOST(host + 8);                      \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t val0 = TLB(env, useronly_clean_ptr(addr), ra);                 \
+    uint64_t val1 = TLB(env, useronly_clean_ptr(addr + 8), ra);             \
+    uint64_t *ptr = za + off;                                               \
+    ptr[0] = BE ? val1 : val0, ptr[1] = BE ? val0 : val1;                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+#define DO_STQ(HNAME, VNAME, BE, HOST, TLB)                                 \
+static inline void HNAME##_host(void *za, intptr_t off, void *host)         \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    HOST(host, ptr[BE]);                                                    \
+    HOST(host + 1, ptr[!BE]);                                               \
+}                                                                           \
+static inline void VNAME##_v_host(void *za, intptr_t off, void *host)       \
+{                                                                           \
+    HNAME##_host(za, tile_vslice_offset(off), host);                        \
+}                                                                           \
+static inline void HNAME##_tlb(CPUARMState *env, void *za, intptr_t off,    \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    uint64_t *ptr = za + off;                                               \
+    TLB(env, useronly_clean_ptr(addr), ptr[BE], ra);                        \
+    TLB(env, useronly_clean_ptr(addr + 8), ptr[!BE], ra);                   \
+}                                                                           \
+static inline void VNAME##_v_tlb(CPUARMState *env, void *za, intptr_t off,  \
+                               target_ulong addr, uintptr_t ra)             \
+{                                                                           \
+    HNAME##_tlb(env, za, tile_vslice_offset(off), addr, ra);                \
+}
+
+DO_LD(ld1b, uint8_t, ldub_p, cpu_ldub_data_ra)
+DO_LD(ld1h_be, uint16_t, lduw_be_p, cpu_lduw_be_data_ra)
+DO_LD(ld1h_le, uint16_t, lduw_le_p, cpu_lduw_le_data_ra)
+DO_LD(ld1s_be, uint32_t, ldl_be_p, cpu_ldl_be_data_ra)
+DO_LD(ld1s_le, uint32_t, ldl_le_p, cpu_ldl_le_data_ra)
+DO_LD(ld1d_be, uint64_t, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LD(ld1d_le, uint64_t, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_LDQ(sve_ld1qq_be, sme_ld1q_be, 1, ldq_be_p, cpu_ldq_be_data_ra)
+DO_LDQ(sve_ld1qq_le, sme_ld1q_le, 0, ldq_le_p, cpu_ldq_le_data_ra)
+
+DO_ST(st1b, uint8_t, stb_p, cpu_stb_data_ra)
+DO_ST(st1h_be, uint16_t, stw_be_p, cpu_stw_be_data_ra)
+DO_ST(st1h_le, uint16_t, stw_le_p, cpu_stw_le_data_ra)
+DO_ST(st1s_be, uint32_t, stl_be_p, cpu_stl_be_data_ra)
+DO_ST(st1s_le, uint32_t, stl_le_p, cpu_stl_le_data_ra)
+DO_ST(st1d_be, uint64_t, stq_be_p, cpu_stq_be_data_ra)
+DO_ST(st1d_le, uint64_t, stq_le_p, cpu_stq_le_data_ra)
+
+DO_STQ(sve_st1qq_be, sme_st1q_be, 1, stq_be_p, cpu_stq_be_data_ra)
+DO_STQ(sve_st1qq_le, sme_st1q_le, 0, stq_le_p, cpu_stq_le_data_ra)
+
+#undef DO_LD
+#undef DO_ST
+#undef DO_LDQ
+#undef DO_STQ
+
+/*
+ * Common helper for all contiguous predicated loads.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn,
+             ClearFn *clr_fn,
+             CopyFn *cpy_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no load occurs.  */
+        clr_fn(za, 0, reg_max);
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_LOAD, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_READ, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  Perform the load
+         * into scratch memory to preserve register state until the end.
+         */
+        ARMVectorReg scratch = { };
+
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, &scratch, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+
+        cpy_fn(za, &scratch, reg_max);
+        return;
+#endif
+    }
+
+    /* The entire operation is in RAM, on valid pages. */
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    if (!vertical) {
+        memset(za, 0, reg_max);
+    } else if (reg_off) {
+        clr_fn(za, 0, reg_off);
+    }
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            } else if (vertical) {
+                clr_fn(za, reg_off, esize);
+            }
+            reg_off += esize;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                } else if (vertical) {
+                    clr_fn(za, reg_off, esize);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_ld1_mte(CPUARMState *env, void *za, uint64_t *vg,
+                 target_ulong addr, uint32_t desc, uintptr_t ra,
+                 const int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn,
+                 ClearFn *clr_fn,
+                 CopyFn *cpy_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_ld1(env, za, vg, addr, desc, ra, esz, mtedesc, vertical,
+            host_fn, tlb_fn, clr_fn, cpy_fn);
+}
+
+#define DO_LD(L, END, ESZ)                                                 \
+void HELPER(sme_ld1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,           \
+            clear_horizontal, copy_horizontal);                            \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_ld1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,             \
+            clear_vertical_##L, copy_vertical_##L);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_ld1##L##L##END##_host, sve_ld1##L##L##END##_tlb,       \
+                clear_horizontal, copy_horizontal);                        \
+}                                                                          \
+void HELPER(sme_ld1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_ld1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_ld1##L##END##_v_host, sme_ld1##L##END##_v_tlb,         \
+                clear_vertical_##L, copy_vertical_##L);                    \
+}
+
+DO_LD(b, , MO_8)
+DO_LD(h, _be, MO_16)
+DO_LD(h, _le, MO_16)
+DO_LD(s, _be, MO_32)
+DO_LD(s, _le, MO_32)
+DO_LD(d, _be, MO_64)
+DO_LD(d, _le, MO_64)
+DO_LD(q, _be, MO_128)
+DO_LD(q, _le, MO_128)
+
+#undef DO_LD
+
+/*
+ * Common helper for all contiguous predicated stores.
+ */
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1(CPUARMState *env, void *za, uint64_t *vg,
+             const target_ulong addr, uint32_t desc, const uintptr_t ra,
+             const int esz, uint32_t mtedesc, bool vertical,
+             sve_ldst1_host_fn *host_fn,
+             sve_ldst1_tlb_fn *tlb_fn)
+{
+    const intptr_t reg_max = simd_oprsz(desc);
+    const intptr_t esize = 1 << esz;
+    intptr_t reg_off, reg_last;
+    SVEContLdSt info;
+    void *host;
+    int flags;
+
+    /* Find the active elements.  */
+    if (!sve_cont_ldst_elements(&info, addr, vg, reg_max, esz, esize)) {
+        /* The entire predicate was false; no store occurs.  */
+        return;
+    }
+
+    /* Probe the page(s).  Exit with exception for any invalid page. */
+    sve_cont_ldst_pages(&info, FAULT_ALL, env, addr, MMU_DATA_STORE, ra);
+
+    /* Handle watchpoints for all active elements. */
+    sve_cont_ldst_watchpoints(&info, env, vg, addr, esize, esize,
+                              BP_MEM_WRITE, ra);
+
+    /*
+     * Handle mte checks for all active elements.
+     * Since TBI must be set for MTE, !mtedesc => !mte_active.
+     */
+    if (mtedesc) {
+        sve_cont_ldst_mte_check(&info, env, vg, addr, esize, esize,
+                                mtedesc, ra);
+    }
+
+    flags = info.page[0].flags | info.page[1].flags;
+    if (unlikely(flags != 0)) {
+#ifdef CONFIG_USER_ONLY
+        g_assert_not_reached();
+#else
+        /*
+         * At least one page includes MMIO.
+         * Any bus operation can fail with cpu_transaction_failed,
+         * which for ARM will raise SyncExternal.  We cannot avoid
+         * this fault and will leave with the store incomplete.
+         */
+        reg_off = info.reg_off_first[0];
+        reg_last = info.reg_off_last[1];
+        if (reg_last < 0) {
+            reg_last = info.reg_off_split;
+            if (reg_last < 0) {
+                reg_last = info.reg_off_last[0];
+            }
+        }
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    tlb_fn(env, za, reg_off, addr + reg_off, ra);
+                }
+                reg_off += esize;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+        return;
+#endif
+    }
+
+    reg_off = info.reg_off_first[0];
+    reg_last = info.reg_off_last[0];
+    host = info.page[0].host;
+
+    while (reg_off <= reg_last) {
+        uint64_t pg = vg[reg_off >> 6];
+        do {
+            if ((pg >> (reg_off & 63)) & 1) {
+                host_fn(za, reg_off, host + reg_off);
+            }
+            reg_off += 1 << esz;
+        } while (reg_off <= reg_last && (reg_off & 63));
+    }
+
+    /*
+     * Use the slow path to manage the cross-page misalignment.
+     * But we know this is RAM and cannot trap.
+     */
+    reg_off = info.reg_off_split;
+    if (unlikely(reg_off >= 0)) {
+        tlb_fn(env, za, reg_off, addr + reg_off, ra);
+    }
+
+    reg_off = info.reg_off_first[1];
+    if (unlikely(reg_off >= 0)) {
+        reg_last = info.reg_off_last[1];
+        host = info.page[1].host;
+
+        do {
+            uint64_t pg = vg[reg_off >> 6];
+            do {
+                if ((pg >> (reg_off & 63)) & 1) {
+                    host_fn(za, reg_off, host + reg_off);
+                }
+                reg_off += 1 << esz;
+            } while (reg_off & 63);
+        } while (reg_off <= reg_last);
+    }
+}
+
+static inline QEMU_ALWAYS_INLINE
+void sme_st1_mte(CPUARMState *env, void *za, uint64_t *vg, target_ulong addr,
+                 uint32_t desc, uintptr_t ra, int esz, bool vertical,
+                 sve_ldst1_host_fn *host_fn,
+                 sve_ldst1_tlb_fn *tlb_fn)
+{
+    uint32_t mtedesc = desc >> (SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+    int bit55 = extract64(addr, 55, 1);
+
+    /* Remove mtedesc from the normal sve descriptor. */
+    desc = extract32(desc, 0, SIMD_DATA_SHIFT + SVE_MTEDESC_SHIFT);
+
+    /* Perform gross MTE suppression early. */
+    if (!tbi_check(desc, bit55) ||
+        tcma_check(desc, bit55, allocation_tag_from_addr(addr))) {
+        mtedesc = 0;
+    }
+
+    sme_st1(env, za, vg, addr, desc, ra, esz, mtedesc,
+            vertical, host_fn, tlb_fn);
+}
+
+#define DO_ST(L, END, ESZ)                                                 \
+void HELPER(sme_st1##L##END##_h)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, false,               \
+            sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);          \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v)(CPUARMState *env, void *za, void *vg,     \
+                                 target_ulong addr, uint32_t desc)         \
+{                                                                          \
+    sme_st1(env, za, vg, addr, desc, GETPC(), ESZ, 0, true,                \
+            sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);            \
+}                                                                          \
+void HELPER(sme_st1##L##END##_h_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, false,              \
+                sve_st1##L##L##END##_host, sve_st1##L##L##END##_tlb);      \
+}                                                                          \
+void HELPER(sme_st1##L##END##_v_mte)(CPUARMState *env, void *za, void *vg, \
+                                     target_ulong addr, uint32_t desc)     \
+{                                                                          \
+    sme_st1_mte(env, za, vg, addr, desc, GETPC(), ESZ, true,               \
+                sme_st1##L##END##_v_host, sme_st1##L##END##_v_tlb);        \
+}
+
+DO_ST(b, , MO_8)
+DO_ST(h, _be, MO_16)
+DO_ST(h, _le, MO_16)
+DO_ST(s, _be, MO_32)
+DO_ST(s, _le, MO_32)
+DO_ST(d, _be, MO_64)
+DO_ST(d, _le, MO_64)
+DO_ST(q, _be, MO_128)
+DO_ST(q, _le, MO_128)
+
+#undef DO_ST
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_MOVA(DisasContext *s, arg_MOVA *a)
 
     return true;
 }
+
+static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
+{
+    typedef void GenLdSt1(TCGv_env, TCGv_ptr, TCGv_ptr, TCGv, TCGv_i32);
+
+    /*
+     * Indexed by [esz][be][v][mte][st], which is (except for load/store)
+     * also the order in which the elements appear in the function names,
+     * and so how we must concatenate the pieces.
+     */
+
+#define FN_LS(F)     { gen_helper_sme_ld1##F, gen_helper_sme_st1##F }
+#define FN_MTE(F)    { FN_LS(F), FN_LS(F##_mte) }
+#define FN_HV(F)     { FN_MTE(F##_h), FN_MTE(F##_v) }
+#define FN_END(L, B) { FN_HV(L), FN_HV(B) }
+
+    static GenLdSt1 * const fns[5][2][2][2][2] = {
+        FN_END(b, b),
+        FN_END(h_le, h_be),
+        FN_END(s_le, s_be),
+        FN_END(d_le, d_be),
+        FN_END(q_le, q_be),
+    };
+
+#undef FN_LS
+#undef FN_MTE
+#undef FN_HV
+#undef FN_END
+
+    TCGv_ptr t_za, t_pg;
+    TCGv_i64 addr;
+    int svl, desc = 0;
+    bool be = s->be_data == MO_BE;
+    bool mte = s->mte_active[0];
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sme_smza_enabled_check(s)) {
+        return true;
+    }
+
+    t_za = get_tile_rowcol(s, a->esz, a->rs, a->za_imm, a->v);
+    t_pg = pred_full_reg_ptr(s, a->pg);
+    addr = tcg_temp_new_i64();
+
+    tcg_gen_shli_i64(addr, cpu_reg(s, a->rm), a->esz);
+    tcg_gen_add_i64(addr, addr, cpu_reg_sp(s, a->rn));
+
+    if (mte) {
+        desc = FIELD_DP32(desc, MTEDESC, MIDX, get_mem_index(s));
+        desc = FIELD_DP32(desc, MTEDESC, TBI, s->tbid);
+        desc = FIELD_DP32(desc, MTEDESC, TCMA, s->tcma);
+        desc = FIELD_DP32(desc, MTEDESC, WRITE, a->st);
+        desc = FIELD_DP32(desc, MTEDESC, SIZEM1, (1 << a->esz) - 1);
+        desc <<= SVE_MTEDESC_SHIFT;
+    } else {
+        addr = clean_data_tbi(s, addr);
+    }
+    svl = streaming_vec_reg_size(s);
+    desc = simd_desc(svl, svl, desc);
+
+    fns[a->esz][be][a->v][mte][a->st](cpu_env, t_za, t_pg, addr,
+                                      tcg_constant_i32(desc));
+
+    tcg_temp_free_ptr(t_za);
+    tcg_temp_free_ptr(t_pg);
+    tcg_temp_free_i64(addr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add a TCGv_ptr base argument, which will be cpu_env for SVE.
We will reuse this for SME save and restore array insns.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-22-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/translate-a64.h |  3 +++
 target/arm/translate-sve.c | 48 ++++++++++++++++++++++++++++----------
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/target/arm/translate-a64.h b/target/arm/translate-a64.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.h
+++ b/target/arm/translate-a64.h
@@ -XXX,XX +XXX,XX @@ void gen_gvec_xar(unsigned vece, uint32_t rd_ofs, uint32_t rn_ofs,
                   uint32_t rm_ofs, int64_t shift,
                   uint32_t opr_sz, uint32_t max_sz);
 
+void gen_sve_ldr(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+void gen_sve_str(DisasContext *s, TCGv_ptr, int vofs, int len, int rn, int imm);
+
 #endif /* TARGET_ARM_TRANSLATE_A64_H */
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(UCVTF_dd, aa64_sve, gen_gvec_fpst_arg_zpz,
  * The load should begin at the address Rn + IMM.
  */
 
-static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_ldr(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
             tcg_gen_qemu_ld_i64(t0, clean_addr, midx, MO_LEUQ);
-            tcg_gen_st_i64(t0, cpu_env, vofs + i);
+            tcg_gen_st_i64(t0, base, vofs + i);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
         tcg_temp_free_i64(t0);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         tcg_gen_addi_i64(clean_addr, clean_addr, 8);
 
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_gen_st_i64(t0, tp, vofs);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ static void do_ldr(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         default:
             g_assert_not_reached();
         }
-        tcg_gen_st_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_st_i64(t0, base, vofs + len_align);
         tcg_temp_free_i64(t0);
     }
 }
 
 /* Similarly for stores.  */
-static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
+void gen_sve_str(DisasContext *s, TCGv_ptr base, int vofs,
+                 int len, int rn, int imm)
 {
     int len_align = QEMU_ALIGN_DOWN(len, 8);
     int len_remain = len % 8;
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         t0 = tcg_temp_new_i64();
         for (i = 0; i < len_align; i += 8) {
-            tcg_gen_ld_i64(t0, cpu_env, vofs + i);
+            tcg_gen_ld_i64(t0, base, vofs + i);
             tcg_gen_qemu_st_i64(t0, clean_addr, midx, MO_LEUQ);
             tcg_gen_addi_i64(clean_addr, clean_addr, 8);
         }
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
         clean_addr = new_tmp_a64_local(s);
         tcg_gen_mov_i64(clean_addr, t0);
 
+        if (base != cpu_env) {
+            TCGv_ptr b = tcg_temp_local_new_ptr();
+            tcg_gen_mov_ptr(b, base);
+            base = b;
+        }
+
         gen_set_label(loop);
 
         t0 = tcg_temp_new_i64();
         tp = tcg_temp_new_ptr();
-        tcg_gen_add_ptr(tp, cpu_env, i);
+        tcg_gen_add_ptr(tp, base, i);
         tcg_gen_ld_i64(t0, tp, vofs);
         tcg_gen_addi_ptr(i, i, 8);
         tcg_temp_free_ptr(tp);
@@ -XXX,XX +XXX,XX @@ static void do_str(DisasContext *s, uint32_t vofs, int len, int rn, int imm)
 
         tcg_gen_brcondi_ptr(TCG_COND_LTU, i, len_align, loop);
         tcg_temp_free_ptr(i);
+
+        if (base != cpu_env) {
+            tcg_temp_free_ptr(base);
+            assert(len_remain == 0);
+        }
     }
 
     /* Predicate register stores can be any multiple of 2.  */
     if (len_remain) {
         t0 = tcg_temp_new_i64();
-        tcg_gen_ld_i64(t0, cpu_env, vofs + len_align);
+        tcg_gen_ld_i64(t0, base, vofs + len_align);
 
         switch (len_remain) {
         case 2:
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_LDR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_ldr(s, off, size, a->rn, a->imm * size);
+        gen_sve_ldr(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_zri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = vec_full_reg_size(s);
         int off = vec_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_STR_pri(DisasContext *s, arg_rri *a)
     if (sve_access_check(s)) {
         int size = pred_full_reg_size(s);
         int off = pred_full_reg_offset(s, a->rd);
-        do_str(s, off, size, a->rn, a->imm * size);
+        gen_sve_str(s, cpu_env, off, size, a->rn, a->imm * size);
     }
     return true;
 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can reuse the SVE functions for LDR and STR, passing in the
base of the ZA vector and a zero offset.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-23-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sme.decode      |  7 +++++++
 target/arm/translate-sme.c | 24 ++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/target/arm/sme.decode b/target/arm/sme.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sme.decode
+++ b/target/arm/sme.decode
@@ -XXX,XX +XXX,XX @@ LDST1           1110000 0 esz:2 st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst rs=%mova_rs
 LDST1           1110000 111     st:1 rm:5 v:1 .. pg:3 rn:5 0 za_imm:4  \
                 &ldst esz=4 rs=%mova_rs
+
+&ldstr          rv rn imm
+@ldstr          ....... ... . ...... .. ... rn:5 . imm:4 \
+                &ldstr rv=%mova_rs
+
+LDR             1110000 100 0 000000 .. 000 ..... 0 ....        @ldstr
+STR             1110000 100 1 000000 .. 000 ..... 0 ....        @ldstr
diff --git a/target/arm/translate-sme.c b/target/arm/translate-sme.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sme.c
+++ b/target/arm/translate-sme.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDST1(DisasContext *s, arg_LDST1 *a)
     tcg_temp_free_i64(addr);
     return true;
 }
+
+typedef void GenLdStR(DisasContext *, TCGv_ptr, int, int, int, int);
+
+static bool do_ldst_r(DisasContext *s, arg_ldstr *a, GenLdStR *fn)
+{
+    int svl = streaming_vec_reg_size(s);
+    int imm = a->imm;
+    TCGv_ptr base;
+
+    if (!sme_za_enabled_check(s)) {
+        return true;
+    }
+
+    /* ZA[n] equates to ZA0H.B[n]. */
+    base = get_tile_rowcol(s, MO_8, a->rv, imm, false);
+
+    fn(s, base, 0, svl, a->rn, imm * svl);
+
+    tcg_temp_free_ptr(base);
+    return true;
+}
+
+TRANS_FEAT(LDR, aa64_sme, do_ldst_r, a, gen_sve_ldr)
+TRANS_FEAT(STR, aa64_sme, do_ldst_r, a, gen_sve_str)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-24-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      | 11 +++++
 target/arm/sme_helper.c    | 90 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 31 +++++++++++++
 4 files changed, 137 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-25-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  5 +++
 target/arm/sme.decode      |  9 +++++
 target/arm/sme_helper.c    | 69 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 32 ++++++++++++++++++
 4 files changed, 115 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-26-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  2 ++
 target/arm/sme_helper.c    | 56 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 30 ++++++++++++++++++++
 4 files changed, 90 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-27-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    |  2 ++
 target/arm/sme.decode      |  1 +
 target/arm/sme_helper.c    | 74 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c |  1 +
 4 files changed, 78 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is SMOPA, SUMOPA, USMOPA_s, UMOPA, for both Int8 and Int16.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-28-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sme.h    | 16 ++++++++
 target/arm/sme.decode      | 10 +++++
 target/arm/sme_helper.c    | 82 ++++++++++++++++++++++++++++++++++++++
 target/arm/translate-sme.c | 10 +++++
 4 files changed, 118 insertions(+)

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-29-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/sve.decode      | 20 +++++++++++++
 target/arm/translate-sve.c | 57 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)

diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ BFMLALT_zzxw    01100100 11 1 ..... 0100.1 ..... .....     @rrxr_3a esz=2
 
 ### SVE2 floating-point bfloat16 dot-product (indexed)
 BFDOT_zzxz      01100100 01 1 ..... 010000 ..... .....     @rrxr_2 esz=2
+
+### SVE broadcast predicate element
+
+&psel           esz pd pn pm rv imm
+%psel_rv        16:2 !function=plus_12
+%psel_imm_b     22:2 19:2
+%psel_imm_h     22:2 20:1
+%psel_imm_s     22:2
+%psel_imm_d     23:1
+@psel           ........ .. . ... .. .. pn:4 . pm:4 . pd:4  \
+                &psel rv=%psel_rv
+
+PSEL            00100101 .. 1 ..1 .. 01 .... 0 .... 0 ....  \
+                @psel esz=0 imm=%psel_imm_b
+PSEL            00100101 .. 1 .10 .. 01 .... 0 .... 0 ....  \
+                @psel esz=1 imm=%psel_imm_h
+PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
+                @psel esz=2 imm=%psel_imm_s
+PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
+                @psel esz=3 imm=%psel_imm_d
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_BFMLAL_zzxw(DisasContext *s, arg_rrxr_esz *a, bool sel)
 
 TRANS_FEAT(BFMLALB_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, false)
 TRANS_FEAT(BFMLALT_zzxw, aa64_sve_bf16, do_BFMLAL_zzxw, a, true)
+
+static bool trans_PSEL(DisasContext *s, arg_psel *a)
+{
+    int vl = vec_full_reg_size(s);
+    int pl = pred_gvec_reg_size(s);
+    int elements = vl >> a->esz;
+    TCGv_i64 tmp, didx, dbit;
+    TCGv_ptr ptr;
+
+    if (!dc_isar_feature(aa64_sme, s)) {
+        return false;
+    }
+    if (!sve_access_check(s)) {
+        return true;
+    }
+
+    tmp = tcg_temp_new_i64();
+    dbit = tcg_temp_new_i64();
+    didx = tcg_temp_new_i64();
+    ptr = tcg_temp_new_ptr();
+
+    /* Compute the predicate element. */
+    tcg_gen_addi_i64(tmp, cpu_reg(s, a->rv), a->imm);
+    if (is_power_of_2(elements)) {
+        tcg_gen_andi_i64(tmp, tmp, elements - 1);
+    } else {
+        tcg_gen_remu_i64(tmp, tmp, tcg_constant_i64(elements));
+    }
+
+    /* Extract the predicate byte and bit indices. */
+    tcg_gen_shli_i64(tmp, tmp, a->esz);
+    tcg_gen_andi_i64(dbit, tmp, 7);
+    tcg_gen_shri_i64(didx, tmp, 3);
+    if (HOST_BIG_ENDIAN) {
+        tcg_gen_xori_i64(didx, didx, 7);
+    }
+
+    /* Load the predicate word. */
+    tcg_gen_trunc_i64_ptr(ptr, didx);
+    tcg_gen_add_ptr(ptr, ptr, cpu_env);
+    tcg_gen_ld8u_i64(tmp, ptr, pred_full_reg_offset(s, a->pm));
+
+    /* Extract the predicate bit and replicate to MO_64. */
+    tcg_gen_shr_i64(tmp, tmp, dbit);
+    tcg_gen_andi_i64(tmp, tmp, 1);
+    tcg_gen_neg_i64(tmp, tmp);
+
+    /* Apply to either copy the source, or write zeros. */
+    tcg_gen_gvec_ands(MO_64, pred_full_reg_offset(s, a->pd),
+                      pred_full_reg_offset(s, a->pn), tmp, pl, pl);
+
+    tcg_temp_free_i64(tmp);
+    tcg_temp_free_i64(dbit);
+    tcg_temp_free_i64(didx);
+    tcg_temp_free_ptr(ptr);
+    return true;
+}
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-30-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper-sve.h    |  2 ++
 target/arm/sve.decode      |  1 +
 target/arm/sve_helper.c    | 16 ++++++++++++++++
 target/arm/translate-sve.c |  2 ++
 4 files changed, 21 insertions(+)

diff --git a/target/arm/helper-sve.h b/target/arm/helper-sve.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper-sve.h
+++ b/target/arm/helper-sve.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(sve_revh_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(sve_revw_d, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_4(sme_revd_q, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
+
 DEF_HELPER_FLAGS_4(sve_rbit_b, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(sve_rbit_s, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ REVB            00000101 .. 1001 00 100 ... ..... .....         @rd_pg_rn
 REVH            00000101 .. 1001 01 100 ... ..... .....         @rd_pg_rn
 REVW            00000101 .. 1001 10 100 ... ..... .....         @rd_pg_rn
 RBIT            00000101 .. 1001 11 100 ... ..... .....         @rd_pg_rn
+REVD            00000101 00 1011 10 100 ... ..... .....         @rd_pg_rn_e0
 
 # SVE vector splice (predicated, destructive)
 SPLICE          00000101 .. 101 100 100 ... ..... .....         @rdn_pg_rm
diff --git a/target/arm/sve_helper.c b/target/arm/sve_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve_helper.c
+++ b/target/arm/sve_helper.c
@@ -XXX,XX +XXX,XX @@ DO_ZPZ_D(sve_revh_d, uint64_t, hswap64)
 
 DO_ZPZ_D(sve_revw_d, uint64_t, wswap64)
 
+void HELPER(sme_revd_q)(void *vd, void *vn, void *vg, uint32_t desc)
+{
+    intptr_t i, opr_sz = simd_oprsz(desc) / 8;
+    uint64_t *d = vd, *n = vn;
+    uint8_t *pg = vg;
+
+    for (i = 0; i < opr_sz; i += 2) {
+        if (pg[H1(i)] & 1) {
+            uint64_t n0 = n[i + 0];
+            uint64_t n1 = n[i + 1];
+            d[i + 0] = n1;
+            d[i + 1] = n0;
+        }
+    }
+}
+
 DO_ZPZ(sve_rbit_b, uint8_t, H1, revbit8)
 DO_ZPZ(sve_rbit_h, uint16_t, H1_2, revbit16)
 DO_ZPZ(sve_rbit_s, uint32_t, H1_4, revbit32)
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ TRANS_FEAT(REVH, aa64_sve, gen_gvec_ool_arg_zpz, revh_fns[a->esz], a, 0)
 TRANS_FEAT(REVW, aa64_sve, gen_gvec_ool_arg_zpz,
            a->esz == 3 ? gen_helper_sve_revw_d : NULL, a, 0)
 
+TRANS_FEAT(REVD, aa64_sme, gen_gvec_ool_arg_zpz, gen_helper_sme_revd_q, a, 0)
+
 TRANS_FEAT(SPLICE, aa64_sve, gen_gvec_ool_arg_zpzz,
            gen_helper_sve_splice, a, a->esz)
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

This is an SVE instruction that operates using the SVE vector
length but that it is present only if SME is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-31-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.h        |  18 +++++++
 target/arm/sve.decode      |   5 ++
 target/arm/translate-sve.c | 102 +++++++++++++++++++++++++++++++++++++
 target/arm/vec_helper.c    |  24 +++++++++
 4 files changed, 149 insertions(+)

diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_6(gvec_bfmlal, TCG_CALL_NO_RWG,
 DEF_HELPER_FLAGS_6(gvec_bfmlal_idx, TCG_CALL_NO_RWG,
                    void, ptr, ptr, ptr, ptr, ptr, i32)
 
+DEF_HELPER_FLAGS_5(gvec_sclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_sclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
+DEF_HELPER_FLAGS_5(gvec_uclamp_b, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_h, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_s, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+DEF_HELPER_FLAGS_5(gvec_uclamp_d, TCG_CALL_NO_RWG,
+                   void, ptr, ptr, ptr, ptr, i32)
+
 #ifdef TARGET_AARCH64
 #include "helper-a64.h"
 #include "helper-sve.h"
diff --git a/target/arm/sve.decode b/target/arm/sve.decode
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/sve.decode
+++ b/target/arm/sve.decode
@@ -XXX,XX +XXX,XX @@ PSEL            00100101 .. 1 100 .. 01 .... 0 .... 0 ....  \
                 @psel esz=2 imm=%psel_imm_s
 PSEL            00100101 .1 1 000 .. 01 .... 0 .... 0 ....  \
                 @psel esz=3 imm=%psel_imm_d
+
+### SVE clamp
+
+SCLAMP          01000100 .. 0 ..... 110000 ..... .....          @rda_rn_rm
+UCLAMP          01000100 .. 0 ..... 110001 ..... .....          @rda_rn_rm
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool trans_PSEL(DisasContext *s, arg_psel *a)
     tcg_temp_free_ptr(ptr);
     return true;
 }
+
+static void gen_sclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_smax_i32(d, a, n);
+    tcg_gen_smin_i32(d, d, m);
+}
+
+static void gen_sclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_smax_i64(d, a, n);
+    tcg_gen_smin_i64(d, d, m);
+}
+
+static void gen_sclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_smax_vec(vece, d, a, n);
+    tcg_gen_smin_vec(vece, d, d, m);
+}
+
+static void gen_sclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_smin_vec, INDEX_op_smax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_sclamp_i32,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_sclamp_i64,
+          .fniv = gen_sclamp_vec,
+          .fno  = gen_helper_gvec_sclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(SCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_sclamp, a)
+
+static void gen_uclamp_i32(TCGv_i32 d, TCGv_i32 n, TCGv_i32 m, TCGv_i32 a)
+{
+    tcg_gen_umax_i32(d, a, n);
+    tcg_gen_umin_i32(d, d, m);
+}
+
+static void gen_uclamp_i64(TCGv_i64 d, TCGv_i64 n, TCGv_i64 m, TCGv_i64 a)
+{
+    tcg_gen_umax_i64(d, a, n);
+    tcg_gen_umin_i64(d, d, m);
+}
+
+static void gen_uclamp_vec(unsigned vece, TCGv_vec d, TCGv_vec n,
+                           TCGv_vec m, TCGv_vec a)
+{
+    tcg_gen_umax_vec(vece, d, a, n);
+    tcg_gen_umin_vec(vece, d, d, m);
+}
+
+static void gen_uclamp(unsigned vece, uint32_t d, uint32_t n, uint32_t m,
+                       uint32_t a, uint32_t oprsz, uint32_t maxsz)
+{
+    static const TCGOpcode vecop[] = {
+        INDEX_op_umin_vec, INDEX_op_umax_vec, 0
+    };
+    static const GVecGen4 ops[4] = {
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_b,
+          .opt_opc = vecop,
+          .vece = MO_8 },
+        { .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_h,
+          .opt_opc = vecop,
+          .vece = MO_16 },
+        { .fni4 = gen_uclamp_i32,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_s,
+          .opt_opc = vecop,
+          .vece = MO_32 },
+        { .fni8 = gen_uclamp_i64,
+          .fniv = gen_uclamp_vec,
+          .fno  = gen_helper_gvec_uclamp_d,
+          .opt_opc = vecop,
+          .vece = MO_64,
+          .prefer_i64 = TCG_TARGET_REG_BITS == 64 }
+    };
+    tcg_gen_gvec_4(d, n, m, a, oprsz, maxsz, &ops[vece]);
+}
+
+TRANS_FEAT(UCLAMP, aa64_sme, gen_gvec_fn_arg_zzzz, gen_uclamp, a)
diff --git a/target/arm/vec_helper.c b/target/arm/vec_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/vec_helper.c
+++ b/target/arm/vec_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_bfmlal_idx)(void *vd, void *vn, void *vm,
     }
     clear_tail(d, opr_sz, simd_maxsz(desc));
 }
+
+#define DO_CLAMP(NAME, TYPE) \
+void HELPER(NAME)(void *d, void *n, void *m, void *a, uint32_t desc)    \
+{                                                                       \
+    intptr_t i, opr_sz = simd_oprsz(desc);                              \
+    for (i = 0; i < opr_sz; i += sizeof(TYPE)) {                        \
+        TYPE aa = *(TYPE *)(a + i);                                     \
+        TYPE nn = *(TYPE *)(n + i);                                     \
+        TYPE mm = *(TYPE *)(m + i);                                     \
+        TYPE dd = MIN(MAX(aa, nn), mm);                                 \
+        *(TYPE *)(d + i) = dd;                                          \
+    }                                                                   \
+    clear_tail(d, opr_sz, simd_maxsz(desc));                            \
+}
+
+DO_CLAMP(gvec_sclamp_b, int8_t)
+DO_CLAMP(gvec_sclamp_h, int16_t)
+DO_CLAMP(gvec_sclamp_s, int32_t)
+DO_CLAMP(gvec_sclamp_d, int64_t)
+
+DO_CLAMP(gvec_uclamp_b, uint8_t)
+DO_CLAMP(gvec_uclamp_h, uint16_t)
+DO_CLAMP(gvec_uclamp_s, uint32_t)
+DO_CLAMP(gvec_uclamp_d, uint64_t)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

We can handle both exception entry and exception return by
hooking into aarch64_sve_change_el.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-32-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/helper.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
         return;
     }
 
+    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
+    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
+
+    /*
+     * Both AArch64.TakeException and AArch64.ExceptionReturn
+     * invoke ResetSVEState when taking an exception from, or
+     * returning to, AArch32 state when PSTATE.SM is enabled.
+     */
+    if (old_a64 != new_a64 && FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+        return;
+    }
+
     /*
      * DDI0584A.d sec 3.2: "If SVE instructions are disabled or trapped
      * at ELx, or not available because the EL is in AArch32 state, then
@@ -XXX,XX +XXX,XX @@ void aarch64_sve_change_el(CPUARMState *env, int old_el,
      * we already have the correct register contents when encountering the
      * vq0->vq0 transition between EL0->EL1.
      */
-    old_a64 = old_el ? arm_el_is_aa64(env, old_el) : el0_a64;
     old_len = (old_a64 && !sve_exception_el(env, old_el)
                ? sve_vqm1_for_el(env, old_el) : 0);
-    new_a64 = new_el ? arm_el_is_aa64(env, new_el) : el0_a64;
     new_len = (new_a64 && !sve_exception_el(env, new_el)
                ? sve_vqm1_for_el(env, new_el) : 0);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Note that SME remains effectively disabled for user-only,
because we do not yet set CPACR_EL1.SMEN.  This needs to
wait until the kernel ABI is implemented.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-33-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 docs/system/arm/emulation.rst |  4 ++++
 target/arm/cpu64.c            | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/docs/system/arm/emulation.rst b/docs/system/arm/emulation.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/system/arm/emulation.rst
+++ b/docs/system/arm/emulation.rst
@@ -XXX,XX +XXX,XX @@ the following architecture extensions:
 - FEAT_SHA512 (Advanced SIMD SHA512 instructions)
 - FEAT_SM3 (Advanced SIMD SM3 instructions)
 - FEAT_SM4 (Advanced SIMD SM4 instructions)
+- FEAT_SME (Scalable Matrix Extension)
+- FEAT_SME_FA64 (Full A64 instruction set in Streaming SVE mode)
+- FEAT_SME_F64F64 (Double-precision floating-point outer product instructions)
+- FEAT_SME_I16I64 (16-bit to 64-bit integer widening outer product instructions)
 - FEAT_SPECRES (Speculation restriction instructions)
 - FEAT_SSBS (Speculative Store Bypass Safe)
 - FEAT_TLBIOS (TLB invalidate instructions in Outer Shareable domain)
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
      */
     t = FIELD_DP64(t, ID_AA64PFR1, MTE, 3);       /* FEAT_MTE3 */
     t = FIELD_DP64(t, ID_AA64PFR1, RAS_FRAC, 0);  /* FEAT_RASv1p1 + FEAT_DoubleFault */
+    t = FIELD_DP64(t, ID_AA64PFR1, SME, 1);       /* FEAT_SME */
     t = FIELD_DP64(t, ID_AA64PFR1, CSV2_FRAC, 0); /* FEAT_CSV2_2 */
     cpu->isar.id_aa64pfr1 = t;
 
@@ -XXX,XX +XXX,XX @@ static void aarch64_max_initfn(Object *obj)
     t = FIELD_DP64(t, ID_AA64DFR0, PMUVER, 5);    /* FEAT_PMUv3p4 */
     cpu->isar.id_aa64dfr0 = t;
 
+    t = cpu->isar.id_aa64smfr0;
+    t = FIELD_DP64(t, ID_AA64SMFR0, F32F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, B16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F16F32, 1);   /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I8I32, 0xf);  /* FEAT_SME */
+    t = FIELD_DP64(t, ID_AA64SMFR0, F64F64, 1);   /* FEAT_SME_F64F64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, I16I64, 0xf); /* FEAT_SME_I16I64 */
+    t = FIELD_DP64(t, ID_AA64SMFR0, FA64, 1);     /* FEAT_SME_FA64 */
+    cpu->isar.id_aa64smfr0 = t;
+
     /* Replicate the same data to the 32-bit id registers.  */
     aa32_max_features(cpu);
 
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-34-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_cpu.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/target_cpu.h b/linux-user/aarch64/target_cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_cpu.h
+++ b/linux-user/aarch64/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline void cpu_clone_regs_parent(CPUARMState *env, unsigned flags)
 
 static inline void cpu_set_tls(CPUARMState *env, target_ulong newtls)
 {
-    /* Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
+    /*
+     * Note that AArch64 Linux keeps the TLS pointer in TPIDR; this is
      * different from AArch32 Linux, which uses TPIDRRO.
      */
     env->cp15.tpidr_el[0] = newtls;
+    /* TPIDR2_EL0 is cleared with CLONE_SETTLS. */
+    env->cp15.tpidr2_el0 = 0;
 }
 
 static inline abi_ulong get_sp_from_cpustate(CPUARMState *state)
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-35-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/cpu_loop.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/linux-user/aarch64/cpu_loop.c b/linux-user/aarch64/cpu_loop.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/cpu_loop.c
+++ b/linux-user/aarch64/cpu_loop.c
@@ -XXX,XX +XXX,XX @@ void cpu_loop(CPUARMState *env)
 
         switch (trapnr) {
         case EXCP_SWI:
+            /*
+             * On syscall, PSTATE.ZA is preserved, along with the ZA matrix.
+             * PSTATE.SM is cleared, per SMSTOP, which does ResetSVEState.
+             */
+            if (FIELD_EX64(env->svcr, SVCR, SM)) {
+                env->svcr = FIELD_DP64(env->svcr, SVCR, SM, 0);
+                arm_rebuild_hflags(env);
+                arm_reset_sve_state(env);
+            }
             ret = do_syscall(env,
                              env->xregs[8],
                              env->xregs[0],
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Make sure to zero the currently reserved fields.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-36-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_extra_context {
 struct target_sve_context {
     struct target_aarch64_ctx head;
     uint16_t vl;
-    uint16_t reserved[3];
+    uint16_t flags;
+    uint16_t reserved[2];
     /* The actual SVE data immediately follows.  It is laid out
      * according to TARGET_SVE_SIG_{Z,P}REG_OFFSET, based off of
      * the original struct pointer.
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 #define TARGET_SVE_SIG_CONTEXT_SIZE(VQ) \
     (TARGET_SVE_SIG_PREG_OFFSET(VQ, 17))
 
+#define TARGET_SVE_SIG_FLAG_SM  1
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
 {
     int i, j;
 
+    memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
     __put_user(size, &sve->head.size);
     __put_user(vq * TARGET_SVE_VQ_BYTES, &sve->vl);
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        __put_user(TARGET_SVE_SIG_FLAG_SM, &sve->flags);
+    }
 
     /* Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian store
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Fold the return value setting into the goto, so each
point of failure need not do both.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-37-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    bool err = false;
     int vq = 0, sve_size = 0;
 
     target_restore_general_frame(env, sf);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
         switch (magic) {
         case 0:
             if (size != 0) {
-                err = true;
-                goto exit;
+                goto err;
             }
             if (used_extra) {
                 ctx = NULL;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
 
         case TARGET_FPSIMD_MAGIC:
             if (fpsimd || size != sizeof(struct target_fpsimd_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             fpsimd = (struct target_fpsimd_context *)ctx;
             break;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
                     break;
                 }
             }
-            err = true;
-            goto exit;
+            goto err;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
-                err = true;
-                goto exit;
+                goto err;
             }
             __get_user(extra_datap,
                        &((struct target_extra_context *)ctx)->datap);
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             /* Unknown record -- we certainly didn't generate it.
              * Did we in fact get out of sync?
              */
-            err = true;
-            goto exit;
+            goto err;
         }
         ctx = (void *)ctx + size;
     }
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     if (fpsimd) {
         target_restore_fpsimd_record(env, fpsimd);
     } else {
-        err = true;
+        goto err;
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
     if (sve) {
         target_restore_sve_record(env, sve, vq);
     }
-
- exit:
     unlock_user(extra, extra_datap, 0);
-    return err;
+    return 0;
+
+ err:
+    unlock_user(extra, extra_datap, 0);
+    return 1;
 }
 
 static abi_ulong get_sigframe(struct target_sigaction *ka,
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

In parse_user_sigframe, the kernel rejects duplicate sve records,
or records that are smaller than the header.  We were silently
allowing these cases to pass, dropping the record.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-38-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             break;
 
         case TARGET_SVE_MAGIC:
+            if (sve || size < sizeof(struct target_sve_context)) {
+                goto err;
+            }
             if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
                 vq = sve_vq(env);
                 sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (!sve && size == sve_size) {
+                if (size == sve_size) {
                     sve = (struct target_sve_context *)ctx;
                     break;
                 }
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Move the checks out of the parsing loop and into the
restore function.  This more closely mirrors the code
structure in the kernel, and is slightly clearer.

Reject rather than silently skip incorrect VL and SVE record sizes,
bringing our checks in to line with those the kernel does.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-40-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 51 +++++++++++++++++++++++++------------
 1 file changed, 35 insertions(+), 16 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
     }
 }
 
-static void target_restore_sve_record(CPUARMState *env,
-                                      struct target_sve_context *sve, int vq)
+static bool target_restore_sve_record(CPUARMState *env,
+                                      struct target_sve_context *sve,
+                                      int size)
 {
-    int i, j;
+    int i, j, vl, vq;
 
-    /* Note that SVE regs are stored as a byte stream, with each byte element
+    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &sve->vl);
+    vq = sve_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.SM. */
+    if (size <= sizeof(*sve)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_SVE_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    /*
+     * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
      * of our 64-bit hunks.
      */
@@ -XXX,XX +XXX,XX @@ static void target_restore_sve_record(CPUARMState *env,
             }
         }
     }
+    return true;
 }
 
 static int target_restore_sigframe(CPUARMState *env,
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     struct target_sve_context *sve = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
-    int vq = 0, sve_size = 0;
+    int sve_size = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             if (sve || size < sizeof(struct target_sve_context)) {
                 goto err;
             }
-            if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-                vq = sve_vq(env);
-                sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
-                if (size == sve_size) {
-                    sve = (struct target_sve_context *)ctx;
-                    break;
-                }
-            }
-            goto err;
+            sve = (struct target_sve_context *)ctx;
+            sve_size = size;
+            break;
 
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve) {
-        target_restore_sve_record(env, sve, vq);
+    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+        goto err;
     }
     unlock_user(extra, extra_datap, 0);
     return 0;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Set the SM bit in the SVE record on signal delivery, create the ZA record.
Restore SM and ZA state according to the records present on return.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-41-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/signal.c | 167 +++++++++++++++++++++++++++++++++---
 1 file changed, 154 insertions(+), 13 deletions(-)

diff --git a/linux-user/aarch64/signal.c b/linux-user/aarch64/signal.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/signal.c
+++ b/linux-user/aarch64/signal.c
@@ -XXX,XX +XXX,XX @@ struct target_sve_context {
 
 #define TARGET_SVE_SIG_FLAG_SM  1
 
+#define TARGET_ZA_MAGIC        0x54366345
+
+struct target_za_context {
+    struct target_aarch64_ctx head;
+    uint16_t vl;
+    uint16_t reserved[3];
+    /* The actual ZA data immediately follows. */
+};
+
+#define TARGET_ZA_SIG_REGS_OFFSET \
+    QEMU_ALIGN_UP(sizeof(struct target_za_context), TARGET_SVE_VQ_BYTES)
+#define TARGET_ZA_SIG_ZAV_OFFSET(VQ, N) \
+    (TARGET_ZA_SIG_REGS_OFFSET + (VQ) * TARGET_SVE_VQ_BYTES * (N))
+#define TARGET_ZA_SIG_CONTEXT_SIZE(VQ) \
+    TARGET_ZA_SIG_ZAV_OFFSET(VQ, VQ * TARGET_SVE_VQ_BYTES)
+
 struct target_rt_sigframe {
     struct target_siginfo info;
     struct target_ucontext uc;
@@ -XXX,XX +XXX,XX @@ static void target_setup_end_record(struct target_aarch64_ctx *end)
 }
 
 static void target_setup_sve_record(struct target_sve_context *sve,
-                                    CPUARMState *env, int vq, int size)
+                                    CPUARMState *env, int size)
 {
-    int i, j;
+    int i, j, vq = sve_vq(env);
 
     memset(sve, 0, sizeof(*sve));
     __put_user(TARGET_SVE_MAGIC, &sve->head.magic);
@@ -XXX,XX +XXX,XX @@ static void target_setup_sve_record(struct target_sve_context *sve,
     }
 }
 
+static void target_setup_za_record(struct target_za_context *za,
+                                   CPUARMState *env, int size)
+{
+    int vq = sme_vq(env);
+    int vl = vq * TARGET_SVE_VQ_BYTES;
+    int i, j;
+
+    memset(za, 0, sizeof(*za));
+    __put_user(TARGET_ZA_MAGIC, &za->head.magic);
+    __put_user(size, &za->head.size);
+    __put_user(vl, &za->vl);
+
+    if (size == TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return;
+    }
+    assert(size == TARGET_ZA_SIG_CONTEXT_SIZE(vq));
+
+    /*
+     * Note that ZA vectors are stored as a byte stream,
+     * with each byte element at a subsequent address.
+     */
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __put_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+}
+
 static void target_restore_general_frame(CPUARMState *env,
                                          struct target_rt_sigframe *sf)
 {
@@ -XXX,XX +XXX,XX @@ static void target_restore_fpsimd_record(CPUARMState *env,
 
 static bool target_restore_sve_record(CPUARMState *env,
                                       struct target_sve_context *sve,
-                                      int size)
+                                      int size, int *svcr)
 {
-    int i, j, vl, vq;
+    int i, j, vl, vq, flags;
+    bool sm;
 
-    if (!cpu_isar_feature(aa64_sve, env_archcpu(env))) {
+    __get_user(vl, &sve->vl);
+    __get_user(flags, &sve->flags);
+
+    sm = flags & TARGET_SVE_SIG_FLAG_SM;
+
+    /* The cpu must support Streaming or Non-streaming SVE. */
+    if (sm
+        ? !cpu_isar_feature(aa64_sme, env_archcpu(env))
+        : !cpu_isar_feature(aa64_sve, env_archcpu(env))) {
         return false;
     }
 
-    __get_user(vl, &sve->vl);
-    vq = sve_vq(env);
+    /*
+     * Note that we cannot use sve_vq() because that depends on the
+     * current setting of PSTATE.SM, not the state to be restored.
+     */
+    vq = sve_vqm1_for_el_sm(env, 0, sm) + 1;
 
     /* Reject mismatched VL. */
     if (vl != vq * TARGET_SVE_VQ_BYTES) {
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
         return false;
     }
 
+    *svcr = FIELD_DP64(*svcr, SVCR, SM, sm);
+
     /*
      * Note that SVE regs are stored as a byte stream, with each byte element
      * at a subsequent address.  This corresponds to a little-endian load
@@ -XXX,XX +XXX,XX @@ static bool target_restore_sve_record(CPUARMState *env,
     return true;
 }
 
+static bool target_restore_za_record(CPUARMState *env,
+                                     struct target_za_context *za,
+                                     int size, int *svcr)
+{
+    int i, j, vl, vq;
+
+    if (!cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        return false;
+    }
+
+    __get_user(vl, &za->vl);
+    vq = sme_vq(env);
+
+    /* Reject mismatched VL. */
+    if (vl != vq * TARGET_SVE_VQ_BYTES) {
+        return false;
+    }
+
+    /* Accept empty record -- used to clear PSTATE.ZA. */
+    if (size <= TARGET_ZA_SIG_CONTEXT_SIZE(0)) {
+        return true;
+    }
+
+    /* Reject non-empty but incomplete record. */
+    if (size < TARGET_ZA_SIG_CONTEXT_SIZE(vq)) {
+        return false;
+    }
+
+    *svcr = FIELD_DP64(*svcr, SVCR, ZA, 1);
+
+    for (i = 0; i < vl; ++i) {
+        uint64_t *z = (void *)za + TARGET_ZA_SIG_ZAV_OFFSET(vq, i);
+        for (j = 0; j < vq * 2; ++j) {
+            __get_user_e(env->zarray[i].d[j], z + j, le);
+        }
+    }
+    return true;
+}
+
 static int target_restore_sigframe(CPUARMState *env,
                                    struct target_rt_sigframe *sf)
 {
     struct target_aarch64_ctx *ctx, *extra = NULL;
     struct target_fpsimd_context *fpsimd = NULL;
     struct target_sve_context *sve = NULL;
+    struct target_za_context *za = NULL;
     uint64_t extra_datap = 0;
     bool used_extra = false;
     int sve_size = 0;
+    int za_size = 0;
+    int svcr = 0;
 
     target_restore_general_frame(env, sf);
 
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
             sve_size = size;
             break;
 
+        case TARGET_ZA_MAGIC:
+            if (za || size < sizeof(struct target_za_context)) {
+                goto err;
+            }
+            za = (struct target_za_context *)ctx;
+            za_size = size;
+            break;
+
         case TARGET_EXTRA_MAGIC:
             if (extra || size != sizeof(struct target_extra_context)) {
                 goto err;
@@ -XXX,XX +XXX,XX @@ static int target_restore_sigframe(CPUARMState *env,
     }
 
     /* SVE data, if present, overwrites FPSIMD data.  */
-    if (sve && !target_restore_sve_record(env, sve, sve_size)) {
+    if (sve && !target_restore_sve_record(env, sve, sve_size, &svcr)) {
         goto err;
     }
+    if (za && !target_restore_za_record(env, za, za_size, &svcr)) {
+        goto err;
+    }
+    if (env->svcr != svcr) {
+        env->svcr = svcr;
+        arm_rebuild_hflags(env);
+    }
     unlock_user(extra, extra_datap, 0);
     return 0;
 
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         .total_size = offsetof(struct target_rt_sigframe,
                                uc.tuc_mcontext.__reserved),
     };
-    int fpsimd_ofs, fr_ofs, sve_ofs = 0, vq = 0, sve_size = 0;
+    int fpsimd_ofs, fr_ofs, sve_ofs = 0, za_ofs = 0;
+    int sve_size = 0, za_size = 0;
     struct target_rt_sigframe *frame;
     struct target_rt_frame_record *fr;
     abi_ulong frame_addr, return_addr;
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
                                       &layout);
 
     /* SVE state needs saving only if it exists.  */
-    if (cpu_isar_feature(aa64_sve, env_archcpu(env))) {
-        vq = sve_vq(env);
-        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(vq), 16);
+    if (cpu_isar_feature(aa64_sve, env_archcpu(env)) ||
+        cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        sve_size = QEMU_ALIGN_UP(TARGET_SVE_SIG_CONTEXT_SIZE(sve_vq(env)), 16);
         sve_ofs = alloc_sigframe_space(sve_size, &layout);
     }
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))) {
+        /* ZA state needs saving only if it is enabled.  */
+        if (FIELD_EX64(env->svcr, SVCR, ZA)) {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(sme_vq(env));
+        } else {
+            za_size = TARGET_ZA_SIG_CONTEXT_SIZE(0);
+        }
+        za_ofs = alloc_sigframe_space(za_size, &layout);
+    }
 
     if (layout.extra_ofs) {
         /* Reserve space for the extra end marker.  The standard end marker
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         target_setup_end_record((void *)frame + layout.extra_end_ofs);
     }
     if (sve_ofs) {
-        target_setup_sve_record((void *)frame + sve_ofs, env, vq, sve_size);
+        target_setup_sve_record((void *)frame + sve_ofs, env, sve_size);
+    }
+    if (za_ofs) {
+        target_setup_za_record((void *)frame + za_ofs, env, za_size);
     }
 
     /* Set up the stack frame for unwinding.  */
@@ -XXX,XX +XXX,XX @@ static void target_setup_frame(int usig, struct target_sigaction *ka,
         env->btype = 2;
     }
 
+    /*
+     * Invoke the signal handler with both SM and ZA disabled.
+     * When clearing SM, ResetSVEState, per SMSTOP.
+     */
+    if (FIELD_EX64(env->svcr, SVCR, SM)) {
+        arm_reset_sve_state(env);
+    }
+    if (env->svcr) {
+        env->svcr = 0;
+        arm_rebuild_hflags(env);
+    }
+
     if (info) {
         tswap_siginfo(&frame->info, info);
         env->xregs[1] = frame_addr + offsetof(struct target_rt_sigframe, info);
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Add "sve" to the sve prctl functions, to distinguish
them from the coming "sme" prctls with similar names.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-42-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h |  8 ++++----
 linux-user/syscall.c              | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@
 #ifndef AARCH64_TARGET_PRCTL_H
 #define AARCH64_TARGET_PRCTL_H
 
-static abi_long do_prctl_get_vl(CPUArchState *env)
+static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_get_vl(CPUArchState *env)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_get_vl do_prctl_get_vl
+#define do_prctl_sve_get_vl do_prctl_sve_get_vl
 
-static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
+static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 {
     /*
      * We cannot support either PR_SVE_SET_VL_ONEXEC or PR_SVE_VL_INHERIT.
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_set_vl(CPUArchState *env, abi_long arg2)
     }
     return -TARGET_EINVAL;
 }
-#define do_prctl_set_vl do_prctl_set_vl
+#define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_fp_mode
 #define do_prctl_set_fp_mode do_prctl_inval1
 #endif
-#ifndef do_prctl_get_vl
-#define do_prctl_get_vl do_prctl_inval0
+#ifndef do_prctl_sve_get_vl
+#define do_prctl_sve_get_vl do_prctl_inval0
 #endif
-#ifndef do_prctl_set_vl
-#define do_prctl_set_vl do_prctl_inval1
+#ifndef do_prctl_sve_set_vl
+#define do_prctl_sve_set_vl do_prctl_inval1
 #endif
 #ifndef do_prctl_reset_keys
 #define do_prctl_reset_keys do_prctl_inval1
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
     case PR_SET_FP_MODE:
         return do_prctl_set_fp_mode(env, arg2);
     case PR_SVE_GET_VL:
-        return do_prctl_get_vl(env);
+        return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
-        return do_prctl_set_vl(env, arg2);
+        return do_prctl_sve_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

These prctl set the Streaming SVE vector length, which may
be completely different from the Normal SVE vector length.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-43-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/aarch64/target_prctl.h | 54 +++++++++++++++++++++++++++++++
 linux-user/syscall.c              | 16 +++++++++
 2 files changed, 70 insertions(+)

diff --git a/linux-user/aarch64/target_prctl.h b/linux-user/aarch64/target_prctl.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/aarch64/target_prctl.h
+++ b/linux-user/aarch64/target_prctl.h
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_get_vl(CPUArchState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
     if (cpu_isar_feature(aa64_sve, cpu)) {
+        /* PSTATE.SM is always unset on syscall entry. */
         return sve_vq(env) * 16;
     }
     return -TARGET_EINVAL;
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
         && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
         uint32_t vq, old_vq;
 
+        /* PSTATE.SM is always unset on syscall entry. */
         old_vq = sve_vq(env);
 
         /*
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_sve_set_vl(CPUArchState *env, abi_long arg2)
 }
 #define do_prctl_sve_set_vl do_prctl_sve_set_vl
 
+static abi_long do_prctl_sme_get_vl(CPUArchState *env)
+{
+    ARMCPU *cpu = env_archcpu(env);
+    if (cpu_isar_feature(aa64_sme, cpu)) {
+        return sme_vq(env) * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_get_vl do_prctl_sme_get_vl
+
+static abi_long do_prctl_sme_set_vl(CPUArchState *env, abi_long arg2)
+{
+    /*
+     * We cannot support either PR_SME_SET_VL_ONEXEC or PR_SME_VL_INHERIT.
+     * Note the kernel definition of sve_vl_valid allows for VQ=512,
+     * i.e. VL=8192, even though the architectural maximum is VQ=16.
+     */
+    if (cpu_isar_feature(aa64_sme, env_archcpu(env))
+        && arg2 >= 0 && arg2 <= 512 * 16 && !(arg2 & 15)) {
+        int vq, old_vq;
+
+        old_vq = sme_vq(env);
+
+        /*
+         * Bound the value of vq, so that we know that it fits into
+         * the 4-bit field in SMCR_EL1.  Because PSTATE.SM is cleared
+         * on syscall entry, we are not modifying the current SVE
+         * vector length.
+         */
+        vq = MAX(arg2 / 16, 1);
+        vq = MIN(vq, 16);
+        env->vfp.smcr_el[1] =
+            FIELD_DP64(env->vfp.smcr_el[1], SMCR, LEN, vq - 1);
+
+        /* Delay rebuilding hflags until we know if ZA must change. */
+        vq = sve_vqm1_for_el_sm(env, 0, true) + 1;
+
+        if (vq != old_vq) {
+            /*
+             * PSTATE.ZA state is cleared on any change to SVL.
+             * We need not call arm_rebuild_hflags because PSTATE.SM was
+             * cleared on syscall entry, so this hasn't changed VL.
+             */
+            env->svcr = FIELD_DP64(env->svcr, SVCR, ZA, 0);
+            arm_rebuild_hflags(env);
+        }
+        return vq * 16;
+    }
+    return -TARGET_EINVAL;
+}
+#define do_prctl_sme_set_vl do_prctl_sme_set_vl
+
 static abi_long do_prctl_reset_keys(CPUArchState *env, abi_long arg2)
 {
     ARMCPU *cpu = env_archcpu(env);
diff --git a/linux-user/syscall.c b/linux-user/syscall.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/syscall.c
+++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ abi_long do_arch_prctl(CPUX86State *env, int code, abi_ulong addr)
 #ifndef PR_SET_SYSCALL_USER_DISPATCH
 # define PR_SET_SYSCALL_USER_DISPATCH 59
 #endif
+#ifndef PR_SME_SET_VL
+# define PR_SME_SET_VL  63
+# define PR_SME_GET_VL  64
+# define PR_SME_VL_LEN_MASK  0xffff
+# define PR_SME_VL_INHERIT   (1 << 17)
+#endif
 
 #include "target_prctl.h"
 
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl_inval1(CPUArchState *env, abi_long arg2)
 #ifndef do_prctl_set_unalign
 #define do_prctl_set_unalign do_prctl_inval1
 #endif
+#ifndef do_prctl_sme_get_vl
+#define do_prctl_sme_get_vl do_prctl_inval0
+#endif
+#ifndef do_prctl_sme_set_vl
+#define do_prctl_sme_set_vl do_prctl_inval1
+#endif
 
 static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
                          abi_long arg3, abi_long arg4, abi_long arg5)
@@ -XXX,XX +XXX,XX @@ static abi_long do_prctl(CPUArchState *env, abi_long option, abi_long arg2,
         return do_prctl_sve_get_vl(env);
     case PR_SVE_SET_VL:
         return do_prctl_sve_set_vl(env, arg2);
+    case PR_SME_GET_VL:
+        return do_prctl_sme_get_vl(env);
+    case PR_SME_SET_VL:
+        return do_prctl_sme_set_vl(env, arg2);
     case PR_PAC_RESET_KEYS:
         if (arg3 || arg4 || arg5) {
             return -TARGET_EINVAL;
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

There's no reason to set CPACR_EL1.ZEN if SVE disabled.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-44-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
         /* and to the FP/Neon instructions */
         env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
                                          CPACR_EL1, FPEN, 3);
-        /* and to the SVE instructions */
-        env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
-                                         CPACR_EL1, ZEN, 3);
-        /* with reasonable vector length */
+        /* and to the SVE instructions, with default vector length */
         if (cpu_isar_feature(aa64_sve, cpu)) {
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
         /*
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Enable SME, TPIDR2_EL0, and FA64 if supported by the cpu.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-45-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/cpu.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_reset(DeviceState *dev)
                                              CPACR_EL1, ZEN, 3);
             env->vfp.zcr_el[1] = cpu->sve_default_vq - 1;
         }
+        /* and for SME instructions, with default vector length, and TPIDR2 */
+        if (cpu_isar_feature(aa64_sme, cpu)) {
+            env->cp15.sctlr_el[1] |= SCTLR_EnTP2;
+            env->cp15.cpacr_el1 = FIELD_DP64(env->cp15.cpacr_el1,
+                                             CPACR_EL1, SMEN, 3);
+            env->vfp.smcr_el[1] = cpu->sme_default_vq - 1;
+            if (cpu_isar_feature(aa64_sme_fa64, cpu)) {
+                env->vfp.smcr_el[1] = FIELD_DP64(env->vfp.smcr_el[1],
+                                                 SMCR, FA64, 1);
+            }
+        }
         /*
          * Enable 48-bit address space (TODO: take reserved_va into account).
          * Enable TBI0 but not TBI1.
-- 
2.25.1

From: Richard Henderson <richard.henderson@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20220708151540.18136-46-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 linux-user/elfload.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum {
     ARM_HWCAP2_A64_RNG          = 1 << 16,
     ARM_HWCAP2_A64_BTI          = 1 << 17,
     ARM_HWCAP2_A64_MTE          = 1 << 18,
+    ARM_HWCAP2_A64_ECV          = 1 << 19,
+    ARM_HWCAP2_A64_AFP          = 1 << 20,
+    ARM_HWCAP2_A64_RPRES        = 1 << 21,
+    ARM_HWCAP2_A64_MTE3         = 1 << 22,
+    ARM_HWCAP2_A64_SME          = 1 << 23,
+    ARM_HWCAP2_A64_SME_I16I64   = 1 << 24,
+    ARM_HWCAP2_A64_SME_F64F64   = 1 << 25,
+    ARM_HWCAP2_A64_SME_I8I32    = 1 << 26,
+    ARM_HWCAP2_A64_SME_F16F32   = 1 << 27,
+    ARM_HWCAP2_A64_SME_B16F32   = 1 << 28,
+    ARM_HWCAP2_A64_SME_F32F32   = 1 << 29,
+    ARM_HWCAP2_A64_SME_FA64     = 1 << 30,
 };
 
 #define ELF_HWCAP   get_elf_hwcap()
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap2(void)
     GET_FEATURE_ID(aa64_rndr, ARM_HWCAP2_A64_RNG);
     GET_FEATURE_ID(aa64_bti, ARM_HWCAP2_A64_BTI);
     GET_FEATURE_ID(aa64_mte, ARM_HWCAP2_A64_MTE);
+    GET_FEATURE_ID(aa64_sme, (ARM_HWCAP2_A64_SME |
+                              ARM_HWCAP2_A64_SME_F32F32 |
+                              ARM_HWCAP2_A64_SME_B16F32 |
+                              ARM_HWCAP2_A64_SME_F16F32 |
+                              ARM_HWCAP2_A64_SME_I8I32));
+    GET_FEATURE_ID(aa64_sme_f64f64, ARM_HWCAP2_A64_SME_F64F64);
+    GET_FEATURE_ID(aa64_sme_i16i64, ARM_HWCAP2_A64_SME_I16I64);
+    GET_FEATURE_ID(aa64_sme_fa64, ARM_HWCAP2_A64_SME_FA64);
 
     return hwcaps;
 }
-- 
2.25.1

Hi; here's a target-arm pullreq to go in before softfreeze.
This is actually pretty much entirely bugfixes (since the
SEL2 timers we implement here are a missing part of a feature
we claim to already implement).

thanks
-- PMM

The following changes since commit 98c7362b1efe651327385a25874a73e008c6549e:

Merge tag 'accel-cpus-20250306' of https://github.com/philmd/qemu into staging (2025-03-07 07:39:49 +0800)

are available in the Git repository at:

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20250307

for you to fetch changes up to 0ce0739d46983e5e88fa9c149cb305689c9d8c6f:

target/rx: Remove TCG_CALL_NO_WG from helpers which write env (2025-03-07 15:03:20 +0000)

----------------------------------------------------------------
target-arm queue:
 * hw/arm/smmu-common: Remove the repeated ttb field
 * hw/gpio: npcm7xx: fixup out-of-bounds access
 * tests/functional/test_arm_sx1: Check whether the serial console is working
 * target/arm: Fix minor bugs in generic timer register handling
 * target/arm: Implement SEL2 physical and virtual timers
 * target/arm: Correct STRD, LDRD atomicity and fault behaviour
 * target/arm: Make dummy debug registers RAZ, not NOP
 * util/qemu-timer.c: Don't warp timer from timerlist_rearm()
 * include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN
 * hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper
 * target/rx: Set exception vector base to 0xffffff80
 * target/rx: Remove TCG_CALL_NO_WG from helpers which write env

----------------------------------------------------------------
Alex Bennée (4):
      target/arm: Implement SEL2 physical and virtual timers
      target/arm: Document the architectural names of our GTIMERs
      hw/arm: enable secure EL2 timers for virt machine
      hw/arm: enable secure EL2 timers for sbsa machine

JianChunfu (2):
      hw/arm/smmu-common: Remove the repeated ttb field
      hw/arm/smmu: Introduce smmu_configs_inv_sid_range() helper

Keith Packard (2):
      target/rx: Set exception vector base to 0xffffff80
      target/rx: Remove TCG_CALL_NO_WG from helpers which write env

Patrick Venture (1):
      hw/gpio: npcm7xx: fixup out-of-bounds access

Peter Maydell (11):
      target/arm: Apply correct timer offset when calculating deadlines
      target/arm: Don't apply CNTVOFF_EL2 for EL2_VIRT timer
      target/arm: Make CNTPS_* UNDEF from Secure EL1 when Secure EL2 is enabled
      target/arm: Always apply CNTVOFF_EL2 for CNTV_TVAL_EL02 accesses
      target/arm: Refactor handling of timer offset for direct register accesses
      target/arm: Correct LDRD atomicity and fault behaviour
      target/arm: Correct STRD atomicity
      target/arm: Drop unused address_offset from op_addr_{rr, ri}_post()
      target/arm: Make dummy debug registers RAZ, not NOP
      util/qemu-timer.c: Don't warp timer from timerlist_rearm()
      include/exec/memop.h: Expand comment for MO_ATOM_SUBALIGN

Thomas Huth (1):
      tests/functional/test_arm_sx1: Check whether the serial console is working

From: JianChunfu <jansef.jian@hj-micro.com>

SMMUTransCfg->ttb is never used in QEMU, TT base address
can be accessed by SMMUTransCfg->tt[i]->ttb.

Signed-off-by: JianChunfu <jansef.jian@hj-micro.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20250221031034.69822-1-jansef.jian@hj-micro.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/smmu-common.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUTransCfg {
     /* Used by stage-1 only. */
     bool aa64;                 /* arch64 or aarch32 translation table */
     bool record_faults;        /* record fault events */
-    uint64_t ttb;              /* TT base address */
     uint8_t oas;               /* output address width */
     uint8_t tbi;               /* Top Byte Ignore */
     int asid;
-- 
2.43.0

From: Patrick Venture <venture@google.com>

The reg isn't validated to be a possible register before
it's dereferenced for one case.  The mmio space registered
for the gpio device is 4KiB but there aren't that many
registers in the struct.

Cc: qemu-stable@nongnu.org
Fixes: 526dbbe0874 ("hw/gpio: Add GPIO model for Nuvoton NPCM7xx")
Signed-off-by: Patrick Venture <venture@google.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20250226024603.493148-1-venture@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/gpio/npcm7xx_gpio.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/hw/gpio/npcm7xx_gpio.c b/hw/gpio/npcm7xx_gpio.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/gpio/npcm7xx_gpio.c
+++ b/hw/gpio/npcm7xx_gpio.c
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
         return;
     }
 
-    diff = s->regs[reg] ^ value;
-
     switch (reg) {
     case NPCM7XX_GPIO_TLOCK1:
     case NPCM7XX_GPIO_TLOCK2:
@@ -XXX,XX +XXX,XX @@ static void npcm7xx_gpio_regs_write(void *opaque, hwaddr addr, uint64_t v,
     case NPCM7XX_GPIO_PU:
     case NPCM7XX_GPIO_PD:
     case NPCM7XX_GPIO_IEM:
+        diff = s->regs[reg] ^ value;
         s->regs[reg] = value;
         npcm7xx_gpio_update_pins(s, diff);
         break;
-- 
2.43.0

From: Thomas Huth <thuth@redhat.com>

The kernel that is used in the sx1 test prints the usual Linux log
onto the serial console, but this test currently ignores it. To
make sure that the serial device is working properly, let's check
for some strings in the output here.

While we're at it, also add the test to the corresponding section
in the MAINTAINERS file.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20250226104833.1176253-1-thuth@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 MAINTAINERS                      | 1 +
 tests/functional/test_arm_sx1.py | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/MAINTAINERS b/MAINTAINERS
index XXXXXXX..XXXXXXX 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -XXX,XX +XXX,XX @@ S: Maintained
 F: hw/*/omap*
 F: include/hw/arm/omap.h
 F: docs/system/arm/sx1.rst
+F: tests/functional/test_arm_sx1.py
 
 IPack
 M: Alberto Garcia <berto@igalia.com>
diff --git a/tests/functional/test_arm_sx1.py b/tests/functional/test_arm_sx1.py
index XXXXXXX..XXXXXXX 100755
--- a/tests/functional/test_arm_sx1.py
+++ b/tests/functional/test_arm_sx1.py
@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_initrd(self):
         self.vm.add_args('-append', f'kunit.enable=0 rdinit=/sbin/init {self.CONSOLE_ARGS}')
         self.vm.add_args('-no-reboot')
         self.launch_kernel(zimage_path,
-                           initrd=initrd_path)
+                           initrd=initrd_path,
+                           wait_for='Boot successful')
         self.vm.wait(timeout=120)
 
     def test_arm_sx1_sd(self):
@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_sd(self):
         self.vm.add_args('-no-reboot')
         self.vm.add_args('-snapshot')
         self.vm.add_args('-drive', f'format=raw,if=sd,file={sd_fs_path}')
-        self.launch_kernel(zimage_path)
+        self.launch_kernel(zimage_path, wait_for='Boot successful')
         self.vm.wait(timeout=120)
 
     def test_arm_sx1_flash(self):
@@ -XXX,XX +XXX,XX @@ def test_arm_sx1_flash(self):
         self.vm.add_args('-no-reboot')
         self.vm.add_args('-snapshot')
         self.vm.add_args('-drive', f'format=raw,if=pflash,file={flash_path}')
-        self.launch_kernel(zimage_path)
+        self.launch_kernel(zimage_path, wait_for='Boot successful')
         self.vm.wait(timeout=120)
 
 if __name__ == '__main__':
-- 
2.43.0

When we are calculating timer deadlines, the correct definition of
whether or not to apply an offset to the physical count is described
in the Arm ARM DDI4087 rev L.a section D12.2.4.1.  This is different
from when the offset should be applied for a direct read of the
counter sysreg.

We got this right for the EL1 physical timer and for the EL1 virtual
timer, but got all the rest wrong: they should be using a zero offset
always.

Factor the offset calculation out into a function that has a comment
documenting exactly which offset it is calculating and which gets the
HYP, SEC, and HYPVIRT cases right.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20250204125009.2281315-2-peter.maydell@linaro.org
---
 target/arm/helper.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_phys_cnt_offset(CPUARMState *env)
     return gt_phys_raw_cnt_offset(env);
 }
 
+static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
+{
+    /*
+     * Return the timer offset to use for indirect accesses to the timer.
+     * This is the Offset value as defined in D12.2.4.1 "Operation of the
+     * CompareValue views of the timers".
+     *
+     * The condition here is not always the same as the condition for
+     * whether to apply an offset register when doing a direct read of
+     * the counter sysreg; those conditions are described in the
+     * access pseudocode for each counter register.
+     */
+    switch (timeridx) {
+    case GTIMER_PHYS:
+        return gt_phys_raw_cnt_offset(env);
+    case GTIMER_VIRT:
+        return env->cp15.cntvoff_el2;
+    case GTIMER_HYP:
+    case GTIMER_SEC:
+    case GTIMER_HYPVIRT:
+        return 0;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
 {
     ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
@@ -XXX,XX +XXX,XX @@ static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
          * Timer enabled: calculate and set current ISTATUS, irq, and
          * reset timer to when ISTATUS next has to change
          */
-        uint64_t offset = timeridx == GTIMER_VIRT ?
-            cpu->env.cp15.cntvoff_el2 : gt_phys_raw_cnt_offset(&cpu->env);
+        uint64_t offset = gt_indirect_access_timer_offset(&cpu->env, timeridx);
         uint64_t count = gt_get_countervalue(&cpu->env);
         /* Note that this must be unsigned 64 bit arithmetic: */
         int istatus = count - offset >= gt->cval;
-- 
2.43.0

The CNTVOFF_EL2 offset register should only be applied for accessses
to CNTVCT_EL0 and for the EL1 virtual timer (CNTV_*).  We were
incorrectly applying it for the EL2 virtual timer (CNTHV_*).

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
 
     switch (timeridx) {
     case GTIMER_VIRT:
-    case GTIMER_HYPVIRT:
         offset = gt_virt_cnt_offset(env);
         break;
     case GTIMER_PHYS:
@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
 
     switch (timeridx) {
     case GTIMER_VIRT:
-    case GTIMER_HYPVIRT:
         offset = gt_virt_cnt_offset(env);
         break;
     case GTIMER_PHYS:
-- 
2.43.0

When we added Secure EL2 support, we missed that this needs an update
to the access code for the EL3 physical timer registers.  These are
supposed to UNDEF from Secure EL1 when Secure EL2 is enabled.

(Note for stable backporting: for backports to branches where
CP_ACCESS_UNDEFINED is not defined, the old name to use instead
is CP_ACCESS_TRAP_UNCATEGORIZED.)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
         if (!arm_is_secure(env)) {
             return CP_ACCESS_UNDEFINED;
         }
+        if (arm_is_el2_enabled(env)) {
+            return CP_ACCESS_UNDEFINED;
+        }
         if (!(env->cp15.scr_el3 & SCR_ST)) {
             return CP_ACCESS_TRAP_EL3;
         }
-- 
2.43.0

Currently we handle CNTV_TVAL_EL02 by calling gt_tval_read() for the
EL1 virt timer.  This is almost correct, but the underlying
CNTV_TVAL_EL0 register behaves slightly differently.  CNTV_TVAL_EL02
always applies the CNTVOFF_EL2 offset; CNTV_TVAL_EL0 doesn't do so if
we're at EL2 and HCR_EL2.E2H is 1.

We were getting this wrong, because we ended up in
gt_virt_cnt_offset() and did the E2H check.

Factor out the tval read/write calculation from the selection of the
offset, so that we can special case gt_virt_tval_read() and
gt_virt_tval_write() to unconditionally pass CNTVOFF_EL2.

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20250204125009.2281315-5-peter.maydell@linaro.org
---
 target/arm/helper.c | 36 +++++++++++++++++++++++++++---------
 1 file changed, 27 insertions(+), 9 deletions(-)

diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
     gt_recalc_timer(env_archcpu(env), timeridx);
 }
 
+static uint64_t do_tval_read(CPUARMState *env, int timeridx, uint64_t offset)
+{
+    return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
+                      (gt_get_countervalue(env) - offset));
+}
+
 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
                              int timeridx)
 {
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
         break;
     }
 
-    return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
-                      (gt_get_countervalue(env) - offset));
+    return do_tval_read(env, timeridx, offset);
+}
+
+static void do_tval_write(CPUARMState *env, int timeridx, uint64_t value,
+                          uint64_t offset)
+{
+    trace_arm_gt_tval_write(timeridx, value);
+    env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
+                                         sextract64(value, 0, 32);
+    gt_recalc_timer(env_archcpu(env), timeridx);
 }
 
 static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
         offset = gt_phys_cnt_offset(env);
         break;
     }
-
-    trace_arm_gt_tval_write(timeridx, value);
-    env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) - offset +
-                                         sextract64(value, 0, 32);
-    gt_recalc_timer(env_archcpu(env), timeridx);
+    do_tval_write(env, timeridx, value, offset);
 }
 
 static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static void gt_virt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
 
 static uint64_t gt_virt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
-    return gt_tval_read(env, ri, GTIMER_VIRT);
+    /*
+     * This is CNTV_TVAL_EL02; unlike the underlying CNTV_TVAL_EL0
+     * we always apply CNTVOFF_EL2. Special case that here rather
+     * than going into the generic gt_tval_read() and then having
+     * to re-detect that it's this register.
+     * Note that the accessfn/perms mean we know we're at EL2 or EL3 here.
+     */
+    return do_tval_read(env, GTIMER_VIRT, env->cp15.cntvoff_el2);
 }
 
 static void gt_virt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                                uint64_t value)
 {
-    gt_tval_write(env, ri, GTIMER_VIRT, value);
+    /* Similarly for writes to CNTV_TVAL_EL02 */
+    do_tval_write(env, GTIMER_VIRT, value, env->cp15.cntvoff_el2);
 }
 
 static void gt_virt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
-- 
2.43.0

When reading or writing the timer registers, sometimes we need to
apply one of the timer offsets.  Specifically, this happens for
direct reads of the counter registers CNTPCT_EL0 and CNTVCT_EL0 (and
their self-synchronized variants CNTVCTSS_EL0 and CNTPCTSS_EL0).  It
also applies for direct reads and writes of the CNT*_TVAL_EL*
registers that provide the 32-bit downcounting view of each timer.

We currently do this with duplicated code in gt_tval_read() and
gt_tval_write() and a special-case in gt_virt_cnt_read() and
gt_cnt_read().  Refactor this so that we handle it all in a single
function gt_direct_access_timer_offset(), to parallel how we handle
the offset for indirect accesses.

The call in the WFIT helper previously to gt_virt_cnt_offset() is
now to gt_direct_access_timer_offset(); this is the correct
behaviour, but it's not immediately obvious that it shouldn't be
considered an indirect access, so we add an explanatory comment.

This commit should make no behavioural changes.

(Cc to stable because the following bugfix commit will
depend on this one.)

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20250204125009.2281315-6-peter.maydell@linaro.org
---
 target/arm/internals.h     |   5 +-
 target/arm/helper.c        | 103 +++++++++++++++++++------------------
 target/arm/tcg/op_helper.c |   8 ++-
 3 files changed, 62 insertions(+), 54 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ int delete_hw_watchpoint(target_ulong addr, target_ulong len, int type);
 uint64_t gt_get_countervalue(CPUARMState *env);
 /*
  * Return the currently applicable offset between the system counter
- * and CNTVCT_EL0 (this will be either 0 or the value of CNTVOFF_EL2).
+ * and the counter for the specified timer, as used for direct register
+ * accesses.
  */
-uint64_t gt_virt_cnt_offset(CPUARMState *env);
+uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx);
 
 /*
  * Return mask of ARMMMUIdxBit values corresponding to an "invalidate
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_phys_raw_cnt_offset(CPUARMState *env)
     return 0;
 }
 
-static uint64_t gt_phys_cnt_offset(CPUARMState *env)
-{
-    if (arm_current_el(env) >= 2) {
-        return 0;
-    }
-    return gt_phys_raw_cnt_offset(env);
-}
-
 static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
     }
 }
 
+uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx)
+{
+    /*
+     * Return the timer offset to use for direct accesses to the
+     * counter registers CNTPCT and CNTVCT, and for direct accesses
+     * to the CNT*_TVAL registers.
+     *
+     * This isn't exactly the same as the indirect-access offset,
+     * because here we also care about what EL the register access
+     * is being made from.
+     *
+     * This corresponds to the access pseudocode for the registers.
+     */
+    uint64_t hcr;
+
+    switch (timeridx) {
+    case GTIMER_PHYS:
+        if (arm_current_el(env) >= 2) {
+            return 0;
+        }
+        return gt_phys_raw_cnt_offset(env);
+    case GTIMER_VIRT:
+        switch (arm_current_el(env)) {
+        case 2:
+            hcr = arm_hcr_el2_eff(env);
+            if (hcr & HCR_E2H) {
+                return 0;
+            }
+            break;
+        case 0:
+            hcr = arm_hcr_el2_eff(env);
+            if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
+                return 0;
+            }
+            break;
+        }
+        return env->cp15.cntvoff_el2;
+    case GTIMER_HYP:
+    case GTIMER_SEC:
+    case GTIMER_HYPVIRT:
+        return 0;
+    default:
+        g_assert_not_reached();
+    }
+}
+
 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
 {
     ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
@@ -XXX,XX +XXX,XX @@ static void gt_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri,
 
 static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
-    return gt_get_countervalue(env) - gt_phys_cnt_offset(env);
-}
-
-uint64_t gt_virt_cnt_offset(CPUARMState *env)
-{
-    uint64_t hcr;
-
-    switch (arm_current_el(env)) {
-    case 2:
-        hcr = arm_hcr_el2_eff(env);
-        if (hcr & HCR_E2H) {
-            return 0;
-        }
-        break;
-    case 0:
-        hcr = arm_hcr_el2_eff(env);
-        if ((hcr & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
-            return 0;
-        }
-        break;
-    }
-
-    return env->cp15.cntvoff_el2;
+    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_PHYS);
+    return gt_get_countervalue(env) - offset;
 }
 
 static uint64_t gt_virt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
 {
-    return gt_get_countervalue(env) - gt_virt_cnt_offset(env);
+    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
+    return gt_get_countervalue(env) - offset;
 }
 
 static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
@@ -XXX,XX +XXX,XX @@ static uint64_t do_tval_read(CPUARMState *env, int timeridx, uint64_t offset)
 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri,
                              int timeridx)
 {
-    uint64_t offset = 0;
-
-    switch (timeridx) {
-    case GTIMER_VIRT:
-        offset = gt_virt_cnt_offset(env);
-        break;
-    case GTIMER_PHYS:
-        offset = gt_phys_cnt_offset(env);
-        break;
-    }
+    uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
 
     return do_tval_read(env, timeridx, offset);
 }
@@ -XXX,XX +XXX,XX @@ static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
                           int timeridx,
                           uint64_t value)
 {
-    uint64_t offset = 0;
+    uint64_t offset = gt_direct_access_timer_offset(env, timeridx);
 
-    switch (timeridx) {
-    case GTIMER_VIRT:
-        offset = gt_virt_cnt_offset(env);
-        break;
-    case GTIMER_PHYS:
-        offset = gt_phys_cnt_offset(env);
-        break;
-    }
     do_tval_write(env, timeridx, value, offset);
 }
 
diff --git a/target/arm/tcg/op_helper.c b/target/arm/tcg/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/op_helper.c
+++ b/target/arm/tcg/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(wfit)(CPUARMState *env, uint64_t timeout)
     int target_el = check_wfx_trap(env, false, &excp);
     /* The WFIT should time out when CNTVCT_EL0 >= the specified value. */
     uint64_t cntval = gt_get_countervalue(env);
-    uint64_t offset = gt_virt_cnt_offset(env);
+    /*
+     * We want the value that we would get if we read CNTVCT_EL0 from
+     * the current exception level, so the direct_access offset, not
+     * the indirect_access one. Compare the pseudocode LocalTimeoutEvent(),
+     * which calls VirtualCounterTimer().
+     */
+    uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
     uint64_t cntvct = cntval - offset;
     uint64_t nexttick;
 
-- 
2.43.0

From: Alex Bennée <alex.bennee@linaro.org>

When FEAT_SEL2 was implemented the SEL2 timers were missed. This
shows up when building the latest Hafnium with SPMC_AT_EL=2. The
actual implementation utilises the same logic as the rest of the
timers so all we need to do is:

- define the timers and their access functions
  - conditionally add the correct system registers
  - create a new accessfn as the rules are subtly different to the
    existing secure timer

Fixes: e9152ee91c (target/arm: add ARMv8.4-SEL2 system registers)
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20250204125009.2281315-7-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
Cc: Andrei Homescu <ahomescu@google.com>
Cc: Arve Hjønnevåg <arve@google.com>
Cc: Rémi Denis-Courmont <remi.denis.courmont@huawei.com>
[PMM: CP_ACCESS_TRAP_UNCATEGORIZED -> CP_ACCESS_UNDEFINED;
 offset logic now in gt_{indirect,direct}_access_timer_offset() ]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 include/hw/arm/bsa.h |   2 +
 target/arm/cpu.h     |   2 +
 target/arm/gtimer.h  |   4 +-
 target/arm/cpu.c     |   4 ++
 target/arm/helper.c  | 163 +++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 174 insertions(+), 1 deletion(-)

diff --git a/include/hw/arm/bsa.h b/include/hw/arm/bsa.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/bsa.h
+++ b/include/hw/arm/bsa.h
@@ -XXX,XX +XXX,XX @@
 #define QEMU_ARM_BSA_H
 
 /* These are architectural INTID values */
+#define ARCH_TIMER_S_EL2_VIRT_IRQ  19
+#define ARCH_TIMER_S_EL2_IRQ       20
 #define VIRTUAL_PMU_IRQ            23
 #define ARCH_GIC_MAINT_IRQ         25
 #define ARCH_TIMER_NS_EL2_IRQ      26
diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -XXX,XX +XXX,XX @@ void arm_gt_vtimer_cb(void *opaque);
 void arm_gt_htimer_cb(void *opaque);
 void arm_gt_stimer_cb(void *opaque);
 void arm_gt_hvtimer_cb(void *opaque);
+void arm_gt_sel2timer_cb(void *opaque);
+void arm_gt_sel2vtimer_cb(void *opaque);
 
 unsigned int gt_cntfrq_period_ns(ARMCPU *cpu);
 void gt_rme_post_el_change(ARMCPU *cpu, void *opaque);
diff --git a/target/arm/gtimer.h b/target/arm/gtimer.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gtimer.h
+++ b/target/arm/gtimer.h
@@ -XXX,XX +XXX,XX @@ enum {
     GTIMER_HYP      = 2,
     GTIMER_SEC      = 3,
     GTIMER_HYPVIRT  = 4,
-#define NUM_GTIMERS   5
+    GTIMER_S_EL2_PHYS = 5, /* CNTHPS_* ; only if FEAT_SEL2 */
+    GTIMER_S_EL2_VIRT = 6, /* CNTHVS_* ; only if FEAT_SEL2 */
+#define NUM_GTIMERS   7
 };
 
 #endif
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static void arm_cpu_realizefn(DeviceState *dev, Error **errp)
                                               arm_gt_stimer_cb, cpu);
         cpu->gt_timer[GTIMER_HYPVIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
                                                   arm_gt_hvtimer_cb, cpu);
+        cpu->gt_timer[GTIMER_S_EL2_PHYS] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                                     arm_gt_sel2timer_cb, cpu);
+        cpu->gt_timer[GTIMER_S_EL2_VIRT] = timer_new(QEMU_CLOCK_VIRTUAL, scale,
+                                                     arm_gt_sel2vtimer_cb, cpu);
     }
 #endif
 
diff --git a/target/arm/helper.c b/target/arm/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.c
+++ b/target/arm/helper.c
@@ -XXX,XX +XXX,XX @@ static CPAccessResult gt_stimer_access(CPUARMState *env,
     }
 }
 
+static CPAccessResult gt_sel2timer_access(CPUARMState *env,
+                                          const ARMCPRegInfo *ri,
+                                          bool isread)
+{
+    /*
+     * The AArch64 register view of the secure EL2 timers are mostly
+     * accessible from EL3 and EL2 although can also be trapped to EL2
+     * from EL1 depending on nested virt config.
+     */
+    switch (arm_current_el(env)) {
+    case 0: /* UNDEFINED */
+        return CP_ACCESS_UNDEFINED;
+    case 1:
+        if (!arm_is_secure(env)) {
+            /* UNDEFINED */
+            return CP_ACCESS_UNDEFINED;
+        } else if (arm_hcr_el2_eff(env) & HCR_NV) {
+            /* Aarch64.SystemAccessTrap(EL2, 0x18) */
+            return CP_ACCESS_TRAP_EL2;
+        }
+        /* UNDEFINED */
+        return CP_ACCESS_UNDEFINED;
+    case 2:
+        if (!arm_is_secure(env)) {
+            /* UNDEFINED */
+            return CP_ACCESS_UNDEFINED;
+        }
+        return CP_ACCESS_OK;
+    case 3:
+        if (env->cp15.scr_el3 & SCR_EEL2) {
+            return CP_ACCESS_OK;
+        } else {
+            return CP_ACCESS_UNDEFINED;
+        }
+    default:
+        g_assert_not_reached();
+    }
+}
+
 uint64_t gt_get_countervalue(CPUARMState *env)
 {
     ARMCPU *cpu = env_archcpu(env);
@@ -XXX,XX +XXX,XX @@ static uint64_t gt_indirect_access_timer_offset(CPUARMState *env, int timeridx)
     case GTIMER_HYP:
     case GTIMER_SEC:
     case GTIMER_HYPVIRT:
+    case GTIMER_S_EL2_PHYS:
+    case GTIMER_S_EL2_VIRT:
         return 0;
     default:
         g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ uint64_t gt_direct_access_timer_offset(CPUARMState *env, int timeridx)
     case GTIMER_HYP:
     case GTIMER_SEC:
     case GTIMER_HYPVIRT:
+    case GTIMER_S_EL2_PHYS:
+    case GTIMER_S_EL2_VIRT:
         return 0;
     default:
         g_assert_not_reached();
@@ -XXX,XX +XXX,XX @@ static void gt_sec_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
     gt_ctl_write(env, ri, GTIMER_SEC, value);
 }
 
+static void gt_sec_pel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    gt_timer_reset(env, ri, GTIMER_S_EL2_PHYS);
+}
+
+static void gt_sec_pel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                   uint64_t value)
+{
+    gt_cval_write(env, ri, GTIMER_S_EL2_PHYS, value);
+}
+
+static uint64_t gt_sec_pel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    return gt_tval_read(env, ri, GTIMER_S_EL2_PHYS);
+}
+
+static void gt_sec_pel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_tval_write(env, ri, GTIMER_S_EL2_PHYS, value);
+}
+
+static void gt_sec_pel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_ctl_write(env, ri, GTIMER_S_EL2_PHYS, value);
+}
+
+static void gt_sec_vel2_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    gt_timer_reset(env, ri, GTIMER_S_EL2_VIRT);
+}
+
+static void gt_sec_vel2_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_cval_write(env, ri, GTIMER_S_EL2_VIRT, value);
+}
+
+static uint64_t gt_sec_vel2_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
+{
+    return gt_tval_read(env, ri, GTIMER_S_EL2_VIRT);
+}
+
+static void gt_sec_vel2_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                                   uint64_t value)
+{
+    gt_tval_write(env, ri, GTIMER_S_EL2_VIRT, value);
+}
+
+static void gt_sec_vel2_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
+                              uint64_t value)
+{
+    gt_ctl_write(env, ri, GTIMER_S_EL2_VIRT, value);
+}
+
 static void gt_hv_timer_reset(CPUARMState *env, const ARMCPRegInfo *ri)
 {
     gt_timer_reset(env, ri, GTIMER_HYPVIRT);
@@ -XXX,XX +XXX,XX @@ void arm_gt_stimer_cb(void *opaque)
     gt_recalc_timer(cpu, GTIMER_SEC);
 }
 
+void arm_gt_sel2timer_cb(void *opaque)
+{
+    ARMCPU *cpu = opaque;
+
+    gt_recalc_timer(cpu, GTIMER_S_EL2_PHYS);
+}
+
+void arm_gt_sel2vtimer_cb(void *opaque)
+{
+    ARMCPU *cpu = opaque;
+
+    gt_recalc_timer(cpu, GTIMER_S_EL2_VIRT);
+}
+
 void arm_gt_hvtimer_cb(void *opaque)
 {
     ARMCPU *cpu = opaque;
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_sec_cp_reginfo[] = {
       .access = PL2_RW, .accessfn = sel2_access,
       .nv2_redirect_offset = 0x48,
       .fieldoffset = offsetof(CPUARMState, cp15.vstcr_el2) },
+#ifndef CONFIG_USER_ONLY
+    /* Secure EL2 Physical Timer */
+    { .name = "CNTHPS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 0,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .readfn = gt_sec_pel2_tval_read,
+      .writefn = gt_sec_pel2_tval_write,
+      .resetfn = gt_sec_pel2_timer_reset,
+    },
+    { .name = "CNTHPS_CTL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 1,
+      .type = ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].ctl),
+      .resetvalue = 0,
+      .writefn = gt_sec_pel2_ctl_write, .raw_writefn = raw_write,
+    },
+    { .name = "CNTHPS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 5, .opc2 = 2,
+      .type = ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_PHYS].cval),
+      .writefn = gt_sec_pel2_cval_write, .raw_writefn = raw_write,
+    },
+    /* Secure EL2 Virtual Timer */
+    { .name = "CNTHVS_TVAL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 0,
+      .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .readfn = gt_sec_vel2_tval_read,
+      .writefn = gt_sec_vel2_tval_write,
+      .resetfn = gt_sec_vel2_timer_reset,
+    },
+    { .name = "CNTHVS_CTL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 1,
+      .type = ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].ctl),
+      .resetvalue = 0,
+      .writefn = gt_sec_vel2_ctl_write, .raw_writefn = raw_write,
+    },
+    { .name = "CNTHVS_CVAL_EL2", .state = ARM_CP_STATE_AA64,
+      .opc0 = 3, .opc1 = 4, .crn = 14, .crm = 4, .opc2 = 2,
+      .type = ARM_CP_IO, .access = PL2_RW,
+      .accessfn = gt_sel2timer_access,
+      .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_S_EL2_VIRT].cval),
+      .writefn = gt_sec_vel2_cval_write, .raw_writefn = raw_write,
+    },
+#endif
 };
 
 static CPAccessResult nsacr_access(CPUARMState *env, const ARMCPRegInfo *ri,
-- 
2.43.0

From: Alex Bennée <alex.bennee@linaro.org>

As we are about to add more physical and virtual timers let's make it
clear what each timer does.

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20250204125009.2281315-8-peter.maydell@linaro.org
[PMM: Add timer register name prefix to each comment]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/arm/gtimer.h | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/target/arm/gtimer.h b/target/arm/gtimer.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/gtimer.h
+++ b/target/arm/gtimer.h
@@ -XXX,XX +XXX,XX @@
 #define TARGET_ARM_GTIMER_H
 
 enum {
-    GTIMER_PHYS     = 0,
-    GTIMER_VIRT     = 1,
-    GTIMER_HYP      = 2,
-    GTIMER_SEC      = 3,
-    GTIMER_HYPVIRT  = 4,
+    GTIMER_PHYS     = 0, /* CNTP_* ; EL1 physical timer */
+    GTIMER_VIRT     = 1, /* CNTV_* ; EL1 virtual timer */
+    GTIMER_HYP      = 2, /* CNTHP_* ; EL2 physical timer */
+    GTIMER_SEC      = 3, /* CNTPS_* ; EL3 physical timer */
+    GTIMER_HYPVIRT  = 4, /* CNTHV_* ; EL2 virtual timer ; only if FEAT_VHE */
     GTIMER_S_EL2_PHYS = 5, /* CNTHPS_* ; only if FEAT_SEL2 */
     GTIMER_S_EL2_VIRT = 6, /* CNTHVS_* ; only if FEAT_SEL2 */
 #define NUM_GTIMERS   7
-- 
2.43.0

From: Alex Bennée <alex.bennee@linaro.org>

Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20250204125009.2281315-9-peter.maydell@linaro.org
Cc: qemu-stable@nongnu.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/virt.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/hw/arm/virt.c b/hw/arm/virt.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/virt.c
+++ b/hw/arm/virt.c
@@ -XXX,XX +XXX,XX @@ static void create_gic(VirtMachineState *vms, MemoryRegion *mem)
             [GTIMER_HYP]  = ARCH_TIMER_NS_EL2_IRQ,
             [GTIMER_SEC]  = ARCH_TIMER_S_EL1_IRQ,
             [GTIMER_HYPVIRT] = ARCH_TIMER_NS_EL2_VIRT_IRQ,
+            [GTIMER_S_EL2_PHYS] = ARCH_TIMER_S_EL2_IRQ,
+            [GTIMER_S_EL2_VIRT] = ARCH_TIMER_S_EL2_VIRT_IRQ,
         };
 
         for (unsigned irq = 0; irq < ARRAY_SIZE(timer_irq); irq++) {
-- 
2.43.0

Our LDRD implementation is wrong in two respects:

* if the address is 4-aligned and the load crosses a page boundary
   and the second load faults and the first load was to the
   base register (as in cases like "ldrd r2, r3, [r2]", then we
   must not update the base register before taking the fault
 * if the address is 8-aligned the access must be a 64-bit
   single-copy atomic access, not two 32-bit accesses

Rewrite the handling of the loads in LDRD to use a single
tcg_gen_qemu_ld_i64() and split the result into the destination
registers. This allows us to get the atomicity requirements
right, and also implicitly means that we won't update the
base register too early for the page-crossing case.

Note that because we no longer increment 'addr' by 4 in the course of
performing the LDRD we must change the adjustment value we pass to
op_addr_ri_post() and op_addr_rr_post(): it no longer needs to
subtract 4 to get the correct value to use if doing base register
writeback.

STRD has the same problem with not getting the atomicity right;
we will deal with that in the following commit.

Cc: qemu-stable@nongnu.org
Reported-by: Stu Grossman <stu.grossman@gmail.com>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250227142746.1698904-2-peter.maydell@linaro.org
---
 target/arm/tcg/translate.c | 70 +++++++++++++++++++++++++-------------
 1 file changed, 46 insertions(+), 24 deletions(-)

diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static bool op_store_rr(DisasContext *s, arg_ldst_rr *a,
     return true;
 }
 
+static void do_ldrd_load(DisasContext *s, TCGv_i32 addr, int rt, int rt2)
+{
+    /*
+     * LDRD is required to be an atomic 64-bit access if the
+     * address is 8-aligned, two atomic 32-bit accesses if
+     * it's only 4-aligned, and to give an alignment fault
+     * if it's not 4-aligned. This is MO_ALIGN_4 | MO_ATOM_SUBALIGN.
+     * Rt is always the word from the lower address, and Rt2 the
+     * data from the higher address, regardless of endianness.
+     * So (like gen_load_exclusive) we avoid gen_aa32_ld_i64()
+     * so we don't get its SCTLR_B check, and instead do a 64-bit access
+     * using MO_BE if appropriate and then split the two halves.
+     *
+     * For M-profile, and for A-profile before LPAE, the 64-bit
+     * atomicity is not required. We could model that using
+     * the looser MO_ATOM_IFALIGN_PAIR, but providing a higher
+     * level of atomicity than required is harmless (we would not
+     * currently generate better code for IFALIGN_PAIR here).
+     *
+     * This also gives us the correct behaviour of not updating
+     * rt if the load of rt2 faults; this is required for cases
+     * like "ldrd r2, r3, [r2]" where rt is also the base register.
+     */
+    int mem_idx = get_mem_index(s);
+    MemOp opc = MO_64 | MO_ALIGN_4 | MO_ATOM_SUBALIGN | s->be_data;
+    TCGv taddr = gen_aa32_addr(s, addr, opc);
+    TCGv_i64 t64 = tcg_temp_new_i64();
+    TCGv_i32 tmp = tcg_temp_new_i32();
+    TCGv_i32 tmp2 = tcg_temp_new_i32();
+
+    tcg_gen_qemu_ld_i64(t64, taddr, mem_idx, opc);
+    if (s->be_data == MO_BE) {
+        tcg_gen_extr_i64_i32(tmp2, tmp, t64);
+    } else {
+        tcg_gen_extr_i64_i32(tmp, tmp2, t64);
+    }
+    store_reg(s, rt, tmp);
+    store_reg(s, rt2, tmp2);
+}
+
 static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
 {
-    int mem_idx = get_mem_index(s);
-    TCGv_i32 addr, tmp;
+    TCGv_i32 addr;
 
     if (!ENABLE_ARCH_5TE) {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
     }
     addr = op_addr_rr_pre(s, a);
 
-    tmp = tcg_temp_new_i32();
-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-    store_reg(s, a->rt, tmp);
-
-    tcg_gen_addi_i32(addr, addr, 4);
-
-    tmp = tcg_temp_new_i32();
-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-    store_reg(s, a->rt + 1, tmp);
+    do_ldrd_load(s, addr, a->rt, a->rt + 1);
 
     /* LDRD w/ base writeback is undefined if the registers overlap.  */
-    op_addr_rr_post(s, a, addr, -4);
+    op_addr_rr_post(s, a, addr, 0);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool op_store_ri(DisasContext *s, arg_ldst_ri *a,
 
 static bool op_ldrd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
 {
-    int mem_idx = get_mem_index(s);
-    TCGv_i32 addr, tmp;
+    TCGv_i32 addr;
 
     addr = op_addr_ri_pre(s, a);
 
-    tmp = tcg_temp_new_i32();
-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-    store_reg(s, a->rt, tmp);
-
-    tcg_gen_addi_i32(addr, addr, 4);
-
-    tmp = tcg_temp_new_i32();
-    gen_aa32_ld_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-    store_reg(s, rt2, tmp);
+    do_ldrd_load(s, addr, a->rt, rt2);
 
     /* LDRD w/ base writeback is undefined if the registers overlap.  */
-    op_addr_ri_post(s, a, addr, -4);
+    op_addr_ri_post(s, a, addr, 0);
     return true;
 }
 
-- 
2.43.0

Our STRD implementation doesn't correctly implement the requirement:
 * if the address is 8-aligned the access must be a 64-bit
   single-copy atomic access, not two 32-bit accesses

Rewrite the handling of STRD to use a single tcg_gen_qemu_st_i64()
of a value produced by concatenating the two 32 bit source registers.
This allows us to get the atomicity right.

As with the LDRD change, now that we don't update 'addr' in the
course of performing the store we need to adjust the offset
we pass to op_addr_ri_post() and op_addr_rr_post().

Cc: qemu-stable@nongnu.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250227142746.1698904-3-peter.maydell@linaro.org
---
 target/arm/tcg/translate.c | 59 +++++++++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 20 deletions(-)

diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
     return true;
 }
 
+static void do_strd_store(DisasContext *s, TCGv_i32 addr, int rt, int rt2)
+{
+    /*
+     * STRD is required to be an atomic 64-bit access if the
+     * address is 8-aligned, two atomic 32-bit accesses if
+     * it's only 4-aligned, and to give an alignment fault
+     * if it's not 4-aligned.
+     * Rt is always the word from the lower address, and Rt2 the
+     * data from the higher address, regardless of endianness.
+     * So (like gen_store_exclusive) we avoid gen_aa32_ld_i64()
+     * so we don't get its SCTLR_B check, and instead do a 64-bit access
+     * using MO_BE if appropriate, using a value constructed
+     * by putting the two halves together in the right order.
+     *
+     * As with LDRD, the 64-bit atomicity is not required for
+     * M-profile, or for A-profile before LPAE, and we provide
+     * the higher guarantee always for simplicity.
+     */
+    int mem_idx = get_mem_index(s);
+    MemOp opc = MO_64 | MO_ALIGN_4 | MO_ATOM_SUBALIGN | s->be_data;
+    TCGv taddr = gen_aa32_addr(s, addr, opc);
+    TCGv_i32 t1 = load_reg(s, rt);
+    TCGv_i32 t2 = load_reg(s, rt2);
+    TCGv_i64 t64 = tcg_temp_new_i64();
+
+    if (s->be_data == MO_BE) {
+        tcg_gen_concat_i32_i64(t64, t2, t1);
+    } else {
+        tcg_gen_concat_i32_i64(t64, t1, t2);
+    }
+    tcg_gen_qemu_st_i64(t64, taddr, mem_idx, opc);
+}
+
 static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
 {
-    int mem_idx = get_mem_index(s);
-    TCGv_i32 addr, tmp;
+    TCGv_i32 addr;
 
     if (!ENABLE_ARCH_5TE) {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
     }
     addr = op_addr_rr_pre(s, a);
 
-    tmp = load_reg(s, a->rt);
-    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
+    do_strd_store(s, addr, a->rt, a->rt + 1);
 
-    tcg_gen_addi_i32(addr, addr, 4);
-
-    tmp = load_reg(s, a->rt + 1);
-    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-
-    op_addr_rr_post(s, a, addr, -4);
+    op_addr_rr_post(s, a, addr, 0);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_ri_t32(DisasContext *s, arg_ldst_ri2 *a)
 
 static bool op_strd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
 {
-    int mem_idx = get_mem_index(s);
-    TCGv_i32 addr, tmp;
+    TCGv_i32 addr;
 
     addr = op_addr_ri_pre(s, a);
 
-    tmp = load_reg(s, a->rt);
-    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
+    do_strd_store(s, addr, a->rt, rt2);
 
-    tcg_gen_addi_i32(addr, addr, 4);
-
-    tmp = load_reg(s, rt2);
-    gen_aa32_st_i32(s, tmp, addr, mem_idx, MO_UL | MO_ALIGN);
-
-    op_addr_ri_post(s, a, addr, -4);
+    op_addr_ri_post(s, a, addr, 0);
     return true;
 }
 
-- 
2.43.0

All the callers of op_addr_rr_post() and op_addr_ri_post() now pass in
zero for the address_offset, so we can remove that argument.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Message-id: 20250227142746.1698904-4-peter.maydell@linaro.org
---
 target/arm/tcg/translate.c | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/target/arm/tcg/translate.c b/target/arm/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/tcg/translate.c
+++ b/target/arm/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static TCGv_i32 op_addr_rr_pre(DisasContext *s, arg_ldst_rr *a)
 }
 
 static void op_addr_rr_post(DisasContext *s, arg_ldst_rr *a,
-                            TCGv_i32 addr, int address_offset)
+                            TCGv_i32 addr)
 {
     if (!a->p) {
         TCGv_i32 ofs = load_reg(s, a->rm);
@@ -XXX,XX +XXX,XX @@ static void op_addr_rr_post(DisasContext *s, arg_ldst_rr *a,
     } else if (!a->w) {
         return;
     }
-    tcg_gen_addi_i32(addr, addr, address_offset);
     store_reg(s, a->rn, addr);
 }
 
@@ -XXX,XX +XXX,XX @@ static bool op_load_rr(DisasContext *s, arg_ldst_rr *a,
      * Perform base writeback before the loaded value to
      * ensure correct behavior with overlapping index registers.
      */
-    op_addr_rr_post(s, a, addr, 0);
+    op_addr_rr_post(s, a, addr);
     store_reg_from_load(s, a->rt, tmp);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool op_store_rr(DisasContext *s, arg_ldst_rr *a,
     gen_aa32_st_i32(s, tmp, addr, mem_idx, mop);
     disas_set_da_iss(s, mop, issinfo);
 
-    op_addr_rr_post(s, a, addr, 0);
+    op_addr_rr_post(s, a, addr);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_LDRD_rr(DisasContext *s, arg_ldst_rr *a)
     do_ldrd_load(s, addr, a->rt, a->rt + 1);
 
     /* LDRD w/ base writeback is undefined if the registers overlap.  */
-    op_addr_rr_post(s, a, addr, 0);
+    op_addr_rr_post(s, a, addr);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_STRD_rr(DisasContext *s, arg_ldst_rr *a)
 
     do_strd_store(s, addr, a->rt, a->rt + 1);
 
-    op_addr_rr_post(s, a, addr, 0);
+    op_addr_rr_post(s, a, addr);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static TCGv_i32 op_addr_ri_pre(DisasContext *s, arg_ldst_ri *a)
 }
 
 static void op_addr_ri_post(DisasContext *s, arg_ldst_ri *a,
-                            TCGv_i32 addr, int address_offset)
+                            TCGv_i32 addr)
 {
+    int address_offset = 0;
     if (!a->p) {
         if (a->u) {
-            address_offset += a->imm;
+            address_offset = a->imm;
         } else {
-            address_offset -= a->imm;
+            address_offset = -a->imm;
         }
     } else if (!a->w) {
         return;
@@ -XXX,XX +XXX,XX @@ static bool op_load_ri(DisasContext *s, arg_ldst_ri *a,
      * Perform base writeback before the loaded value to
      * ensure correct behavior with overlapping index registers.
      */
-    op_addr_ri_post(s, a, addr, 0);
+    op_addr_ri_post(s, a, addr);
     store_reg_from_load(s, a->rt, tmp);
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool op_store_ri(DisasContext *s, arg_ldst_ri *a,
     gen_aa32_st_i32(s, tmp, addr, mem_idx, mop);
     disas_set_da_iss(s, mop, issinfo);
 
-    op_addr_ri_post(s, a, addr, 0);
+    op_addr_ri_post(s, a, addr);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool op_ldrd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
     do_ldrd_load(s, addr, a->rt, rt2);
 
     /* LDRD w/ base writeback is undefined if the registers overlap.  */
-    op_addr_ri_post(s, a, addr, 0);
+    op_addr_ri_post(s, a, addr);
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool op_strd_ri(DisasContext *s, arg_ldst_ri *a, int rt2)
 
     do_strd_store(s, addr, a->rt, rt2);
 
-    op_addr_ri_post(s, a, addr, 0);
+    op_addr_ri_post(s, a, addr);
     return true;
 }
 
-- 
2.43.0

In debug_helper.c we provide a few dummy versions of
debug registers:
 * DBGVCR (AArch32 only): enable bits for vector-catch
   debug events
 * MDCCINT_EL1: interrupt enable bits for the DCC
   debug communications channel
 * DBGVCR32_EL2: the AArch64 accessor for the state in
   DBGVCR

We implemented these only to stop Linux crashing on startup,
but we chose to implement them as ARM_CP_NOP. This worked
for Linux where it only cares about trying to write to these
registers, but is very confusing behaviour for anything that
wants to read the registers (perhaps for context state switches),
because the destination register will be left with whatever
random value it happened to have before the read.

Model these registers instead as RAZ.

Fixes: 5e8b12ffbb8c68 ("target-arm: Implement minimal DBGVCR, OSDLR_EL1, MDCCSR_EL0")
Fixes: 5dbdc4342f479d ("target-arm: Implement dummy MDCCINT_EL1")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2708
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250228162424.1917269-1-peter.maydell@linaro.org
---
 target/arm/debug_helper.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
     { .name = "DBGVCR",
       .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
       .access = PL1_RW, .accessfn = access_tda,
-      .type = ARM_CP_NOP },
+      .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
      * Dummy MDCCINT_EL1, since we don't implement the Debug Communications
      * Channel but Linux may try to access this register. The 32-bit
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_cp_reginfo[] = {
     { .name = "MDCCINT_EL1", .state = ARM_CP_STATE_BOTH,
       .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
       .access = PL1_RW, .accessfn = access_tdcc,
-      .type = ARM_CP_NOP },
+      .type = ARM_CP_CONST, .resetvalue = 0 },
     /*
      * Dummy DBGCLAIM registers.
      * "The architecture does not define any functionality for the CLAIM tag bits.",
@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo debug_aa32_el1_reginfo[] = {
     { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,
       .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,
       .access = PL2_RW, .accessfn = access_dbgvcr32,
-      .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },
+      .type = ARM_CP_CONST | ARM_CP_EL3_NO_EL2_KEEP,
+      .resetvalue = 0 },
 };
 
 static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
-- 
2.43.0

Currently we call icount_start_warp_timer() from timerlist_rearm().
This produces incorrect behaviour, because timerlist_rearm() is
called, for instance, when a timer callback modifies its timer.  We
cannot decide here to warp the timer forwards to the next timer
deadline merely because all_cpu_threads_idle() is true, because the
timer callback we were called from (or some other callback later in
the list of callbacks being invoked) may be about to raise a CPU
interrupt and move a CPU from idle to ready.

The only valid place to choose to warp the timer forward is from the
main loop, when we know we have no outstanding IO or timer callbacks
that might be about to wake up a CPU.

For Arm guests, this bug was mostly latent until the refactoring
commit f6fc36deef6abc ("target/arm/helper: Implement
CNTHCTL_EL2.CNT[VP]MASK"), which exposed it because it refactored a
timer callback so that it happened to call timer_mod() first and
raise the interrupt second, when it had previously raised the
interrupt first and called timer_mod() afterwards.

This call seems to have originally derived from the
pre-record-and-replay icount code, which (as of e.g.  commit
db1a49726c3c in 2010) in this location did a call to
qemu_notify_event(), necessary to get the icount code in the vCPU
round-robin thread to stop and recalculate the icount deadline when a
timer was reprogrammed from the IO thread.  In current QEMU,
everything is done on the vCPU thread when we are in icount mode, so
there's no need to try to notify another thread here.

I suspect that the other reason why this call was doing icount timer
warping is that it pre-dates commit efab87cf79077a from 2015, which
added a call to icount_start_warp_timer() to main_loop_wait().  Once
the call in timerlist_rearm() has been removed, if the timer
callbacks don't cause any CPU to be woken up then we will end up
calling icount_start_warp_timer() from main_loop_wait() when the rr
main loop code calls rr_wait_io_event().

Remove the incorrect call from timerlist_rearm().

Cc: qemu-stable@nongnu.org
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/2703
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20250210135804.3526943-1-peter.maydell@linaro.org
---
 util/qemu-timer.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/util/qemu-timer.c b/util/qemu-timer.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qemu-timer.c
+++ b/util/qemu-timer.c
@@ -XXX,XX +XXX,XX @@ static bool timer_mod_ns_locked(QEMUTimerList *timer_list,
 
 static void timerlist_rearm(QEMUTimerList *timer_list)
 {
-    /* Interrupt execution to force deadline recalculation.  */
-    if (icount_enabled() && timer_list->clock->type == QEMU_CLOCK_VIRTUAL) {
-        icount_start_warp_timer();
-    }
     timerlist_notify(timer_list);
 }
 
-- 
2.43.0

Expand the example in the comment documenting MO_ATOM_SUBALIGN,
to be clearer about the atomicity guarantees it represents.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20250228103222.1838913-1-peter.maydell@linaro.org
---
 include/exec/memop.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/exec/memop.h b/include/exec/memop.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memop.h
+++ b/include/exec/memop.h
@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
      *    Depending on alignment, one or both will be single-copy atomic.
      *    This is the atomicity e.g. of Arm FEAT_LSE2 LDP.
      * MO_ATOM_SUBALIGN: the operation is single-copy atomic by parts
-     *    by the alignment.  E.g. if the address is 0 mod 4, then each
-     *    4-byte subobject is single-copy atomic.
+     *    by the alignment.  E.g. if an 8-byte value is accessed at an
+     *    address which is 0 mod 8, then the whole 8-byte access is
+     *    single-copy atomic; otherwise, if it is accessed at 0 mod 4
+     *    then each 4-byte subobject is single-copy atomic; otherwise
+     *    if it is accessed at 0 mod 2 then the four 2-byte subobjects
+     *    are single-copy atomic.
      *    This is the atomicity e.g. of IBM Power.
      * MO_ATOM_NONE: the operation has no atomicity requirements.
      *
-- 
2.43.0

From: JianChunfu <jansef.jian@hj-micro.com>

Use a similar terminology smmu_hash_remove_by_sid_range() as the one
being used for other hash table matching functions since
smmuv3_invalidate_ste() name is not self explanatory, and introduce a
helper that invokes the g_hash_table_foreach_remove.

No functional change intended.

Signed-off-by: JianChunfu <jansef.jian@hj-micro.com>
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Message-id: 20250228031438.3916-1-jansef.jian@hj-micro.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 hw/arm/smmu-internal.h       |  5 -----
 include/hw/arm/smmu-common.h |  6 ++++++
 hw/arm/smmu-common.c         | 21 +++++++++++++++++++++
 hw/arm/smmuv3.c              | 19 ++-----------------
 hw/arm/trace-events          |  3 ++-
 5 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/hw/arm/smmu-internal.h b/hw/arm/smmu-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-internal.h
+++ b/hw/arm/smmu-internal.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBPageInvInfo {
     uint64_t mask;
 } SMMUIOTLBPageInvInfo;
 
-typedef struct SMMUSIDRange {
-    uint32_t start;
-    uint32_t end;
-} SMMUSIDRange;
-
 #endif
diff --git a/include/hw/arm/smmu-common.h b/include/hw/arm/smmu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/arm/smmu-common.h
+++ b/include/hw/arm/smmu-common.h
@@ -XXX,XX +XXX,XX @@ typedef struct SMMUIOTLBKey {
     uint8_t level;
 } SMMUIOTLBKey;
 
+typedef struct SMMUSIDRange {
+    uint32_t start;
+    uint32_t end;
+} SMMUSIDRange;
+
 struct SMMUState {
     /* <private> */
     SysBusDevice  dev;
@@ -XXX,XX +XXX,XX @@ void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl);
 void smmu_iotlb_inv_ipa(SMMUState *s, int vmid, dma_addr_t ipa, uint8_t tg,
                         uint64_t num_pages, uint8_t ttl);
+void smmu_configs_inv_sid_range(SMMUState *s, SMMUSIDRange sid_range);
 /* Unmap the range of all the notifiers registered to any IOMMU mr */
 void smmu_inv_notifiers_all(SMMUState *s);
 
diff --git a/hw/arm/smmu-common.c b/hw/arm/smmu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmu-common.c
+++ b/hw/arm/smmu-common.c
@@ -XXX,XX +XXX,XX @@ static gboolean smmu_hash_remove_by_vmid_ipa(gpointer key, gpointer value,
            ((entry->iova & ~info->mask) == info->iova);
 }
 
+static gboolean
+smmu_hash_remove_by_sid_range(gpointer key, gpointer value, gpointer user_data)
+{
+    SMMUDevice *sdev = (SMMUDevice *)key;
+    uint32_t sid = smmu_get_sid(sdev);
+    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
+
+    if (sid < sid_range->start || sid > sid_range->end) {
+        return false;
+    }
+    trace_smmu_config_cache_inv(sid);
+    return true;
+}
+
+void smmu_configs_inv_sid_range(SMMUState *s, SMMUSIDRange sid_range)
+{
+    trace_smmu_configs_inv_sid_range(sid_range.start, sid_range.end);
+    g_hash_table_foreach_remove(s->configs, smmu_hash_remove_by_sid_range,
+                                &sid_range);
+}
+
 void smmu_iotlb_inv_iova(SMMUState *s, int asid, int vmid, dma_addr_t iova,
                          uint8_t tg, uint64_t num_pages, uint8_t ttl)
 {
diff --git a/hw/arm/smmuv3.c b/hw/arm/smmuv3.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/smmuv3.c
+++ b/hw/arm/smmuv3.c
@@ -XXX,XX +XXX,XX @@ static void smmuv3_flush_config(SMMUDevice *sdev)
     SMMUv3State *s = sdev->smmu;
     SMMUState *bc = &s->smmu_state;
 
-    trace_smmuv3_config_cache_inv(smmu_get_sid(sdev));
+    trace_smmu_config_cache_inv(smmu_get_sid(sdev));
     g_hash_table_remove(bc->configs, sdev);
 }
 
@@ -XXX,XX +XXX,XX @@ static void smmuv3_range_inval(SMMUState *s, Cmd *cmd, SMMUStage stage)
     }
 }
 
-static gboolean
-smmuv3_invalidate_ste(gpointer key, gpointer value, gpointer user_data)
-{
-    SMMUDevice *sdev = (SMMUDevice *)key;
-    uint32_t sid = smmu_get_sid(sdev);
-    SMMUSIDRange *sid_range = (SMMUSIDRange *)user_data;
-
-    if (sid < sid_range->start || sid > sid_range->end) {
-        return false;
-    }
-    trace_smmuv3_config_cache_inv(sid);
-    return true;
-}
-
 static int smmuv3_cmdq_consume(SMMUv3State *s)
 {
     SMMUState *bs = ARM_SMMU(s);
@@ -XXX,XX +XXX,XX @@ static int smmuv3_cmdq_consume(SMMUv3State *s)
             sid_range.end = sid_range.start + mask;
 
             trace_smmuv3_cmdq_cfgi_ste_range(sid_range.start, sid_range.end);
-            g_hash_table_foreach_remove(bs->configs, smmuv3_invalidate_ste,
-                                        &sid_range);
+            smmu_configs_inv_sid_range(bs, sid_range);
             break;
         }
         case SMMU_CMD_CFGI_CD:
diff --git a/hw/arm/trace-events b/hw/arm/trace-events
index XXXXXXX..XXXXXXX 100644
--- a/hw/arm/trace-events
+++ b/hw/arm/trace-events
@@ -XXX,XX +XXX,XX @@ smmu_iotlb_inv_asid_vmid(int asid, int vmid) "IOTLB invalidate asid=%d vmid=%d"
 smmu_iotlb_inv_vmid(int vmid) "IOTLB invalidate vmid=%d"
 smmu_iotlb_inv_vmid_s1(int vmid) "IOTLB invalidate vmid=%d"
 smmu_iotlb_inv_iova(int asid, uint64_t addr) "IOTLB invalidate asid=%d addr=0x%"PRIx64
+smmu_configs_inv_sid_range(uint32_t start, uint32_t end) "Config cache INV SID range from 0x%x to 0x%x"
+smmu_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
 smmu_inv_notifiers_mr(const char *name) "iommu mr=%s"
 smmu_iotlb_lookup_hit(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache HIT asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
 smmu_iotlb_lookup_miss(int asid, int vmid, uint64_t addr, uint32_t hit, uint32_t miss, uint32_t p) "IOTLB cache MISS asid=%d vmid=%d addr=0x%"PRIx64" hit=%d miss=%d hit rate=%d"
@@ -XXX,XX +XXX,XX @@ smmuv3_cmdq_tlbi_nh(int vmid) "vmid=%d"
 smmuv3_cmdq_tlbi_nsnh(void) ""
 smmuv3_cmdq_tlbi_nh_asid(int asid) "asid=%d"
 smmuv3_cmdq_tlbi_s12_vmid(int vmid) "vmid=%d"
-smmuv3_config_cache_inv(uint32_t sid) "Config cache INV for sid=0x%x"
 smmuv3_notify_flag_add(const char *iommu) "ADD SMMUNotifier node for iommu mr=%s"
 smmuv3_notify_flag_del(const char *iommu) "DEL SMMUNotifier node for iommu mr=%s"
 smmuv3_inv_notifiers_iova(const char *name, int asid, int vmid, uint64_t iova, uint8_t tg, uint64_t num_pages, int stage) "iommu mr=%s asid=%d vmid=%d iova=0x%"PRIx64" tg=%d num_pages=0x%"PRIx64" stage=%d"
-- 
2.43.0

From: Keith Packard <keithp@keithp.com>

The documentation says the vector is at 0xffffff80, instead of the
previous value of 0xffffffc0. That value must have been a bug because
the standard vector values (20, 21, 23, 25, 30) were all
past the end of the array.

Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/rx/helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/rx/helper.c b/target/rx/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/helper.c
+++ b/target/rx/helper.c
@@ -XXX,XX +XXX,XX @@ void rx_cpu_do_interrupt(CPUState *cs)
         cpu_stl_data(env, env->isp, env->pc);
 
         if (vec < 0x100) {
-            env->pc = cpu_ldl_data(env, 0xffffffc0 + vec * 4);
+            env->pc = cpu_ldl_data(env, 0xffffff80 + vec * 4);
         } else {
             env->pc = cpu_ldl_data(env, env->intb + (vec & 0xff) * 4);
         }
-- 
2.43.0

From: Keith Packard <keithp@keithp.com>

Functions which modify TCG globals must not be marked TCG_CALL_NO_WG,
as that tells the optimizer that TCG global values already loaded in
machine registers are still valid, and so any changes which these
helpers make to the CPU state may be ignored.

The target/rx code chooses to put (among other things) all the PSW
bits and also ACC into globals, so the NO_WG flag on various
functions that touch the PSW or ACC is incorrect and must be removed.
This includes all the floating point helper functions, because
update_fpsw() will update PSW Z and S.

Signed-off-by: Keith Packard <keithp@keithp.com>
[PMM: Clarified commit message]
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
---
 target/rx/helper.h | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/target/rx/helper.h b/target/rx/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/helper.h
+++ b/target/rx/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_privilege_violation, noreturn, env)
 DEF_HELPER_1(wait, noreturn, env)
 DEF_HELPER_2(rxint, noreturn, env, i32)
 DEF_HELPER_1(rxbrk, noreturn, env)
-DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
-DEF_HELPER_FLAGS_3(fsub, TCG_CALL_NO_WG, f32, env, f32, f32)
-DEF_HELPER_FLAGS_3(fmul, TCG_CALL_NO_WG, f32, env, f32, f32)
-DEF_HELPER_FLAGS_3(fdiv, TCG_CALL_NO_WG, f32, env, f32, f32)
-DEF_HELPER_FLAGS_3(fcmp, TCG_CALL_NO_WG, void, env, f32, f32)
-DEF_HELPER_FLAGS_2(ftoi, TCG_CALL_NO_WG, i32, env, f32)
-DEF_HELPER_FLAGS_2(round, TCG_CALL_NO_WG, i32, env, f32)
-DEF_HELPER_FLAGS_2(itof, TCG_CALL_NO_WG, f32, env, i32)
+DEF_HELPER_3(fadd, f32, env, f32, f32)
+DEF_HELPER_3(fsub, f32, env, f32, f32)
+DEF_HELPER_3(fmul, f32, env, f32, f32)
+DEF_HELPER_3(fdiv, f32, env, f32, f32)
+DEF_HELPER_3(fcmp, void, env, f32, f32)
+DEF_HELPER_2(ftoi, i32, env, f32)
+DEF_HELPER_2(round, i32, env, f32)
+DEF_HELPER_2(itof, f32, env, i32)
 DEF_HELPER_2(set_fpsw, void, env, i32)
-DEF_HELPER_FLAGS_2(racw, TCG_CALL_NO_WG, void, env, i32)
-DEF_HELPER_FLAGS_2(set_psw_rte, TCG_CALL_NO_WG, void, env, i32)
-DEF_HELPER_FLAGS_2(set_psw, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_2(racw, void, env, i32)
+DEF_HELPER_2(set_psw_rte, void, env, i32)
+DEF_HELPER_2(set_psw, void, env, i32)
 DEF_HELPER_1(pack_psw, i32, env)
-DEF_HELPER_FLAGS_3(div, TCG_CALL_NO_WG, i32, env, i32, i32)
-DEF_HELPER_FLAGS_3(divu, TCG_CALL_NO_WG, i32, env, i32, i32)
-DEF_HELPER_FLAGS_1(scmpu, TCG_CALL_NO_WG, void, env)
+DEF_HELPER_3(div, i32, env, i32, i32)
+DEF_HELPER_3(divu, i32, env, i32, i32)
+DEF_HELPER_1(scmpu, void, env)
 DEF_HELPER_1(smovu, void, env)
 DEF_HELPER_1(smovf, void, env)
 DEF_HELPER_1(smovb, void, env)
 DEF_HELPER_2(sstr, void, env, i32)
-DEF_HELPER_FLAGS_2(swhile, TCG_CALL_NO_WG, void, env, i32)
-DEF_HELPER_FLAGS_2(suntil, TCG_CALL_NO_WG, void, env, i32)
-DEF_HELPER_FLAGS_2(rmpa, TCG_CALL_NO_WG, void, env, i32)
+DEF_HELPER_2(swhile, void, env, i32)
+DEF_HELPER_2(suntil, void, env, i32)
+DEF_HELPER_2(rmpa, void, env, i32)
 DEF_HELPER_1(satr, void, env)
-- 
2.43.0