Changes v1->v2 (fixing CI failures in v1, added a couple of

extra patches in an attempt to avoid having to do a last

minute arm pullreq next week):

* new patch to hopefully fix the build issue with the SVE/SME sysregs test

* dropped the IC IVAU test case patch

* new patch: fix over-length shift

* new patches: define neoverse-v1

The following changes since commit 2a6ae69154542caa91dd17c40fd3f5ffbec300de:

Merge tag 'pull-maintainer-ominbus-030723-1' of https://gitlab.com/stsquad/qemu into staging (2023-07-04 08:36:44 +0200)

https://git.linaro.org/people/pmaydell/qemu-arm.git tags/pull-target-arm-20230706

for you to fetch changes up to c41077235168140cdd4a34fce9bd95c3d30efe9c:

target/arm: Avoid over-length shift in arm_cpu_sve_finalize() error case (2023-07-06 13:36:51 +0100)

* Add raw_writes ops for register whose write induce TLB maintenance

* hw/arm/sbsa-ref: use XHCI to replace EHCI

* Avoid splitting Zregs across lines in dump

* Dump ZA[] when active

* Fix SME full tile indexing

* Handle IC IVAU to improve compatibility with JITs

* xlnx-canfd-test: Fix code coverity issues

* gdbstub: Guard M-profile code with CONFIG_TCG

* allwinner-sramc: Set class_size

* target/xtensa: Assert that interrupt level is within bounds

* Avoid over-length shift in arm_cpu_sve_finalize() error case

* Define new 'neoverse-v1' CPU type

Akihiko Odaki (1):

hw: arm: allwinner-sramc: Set class_size

Eric Auger (1):

target/arm: Add raw_writes ops for register whose write induce TLB maintenance

Fabiano Rosas (1):

target/arm: gdbstub: Guard M-profile code with CONFIG_TCG

John Högberg (1):

target/arm: Handle IC IVAU to improve compatibility with JITs

Peter Maydell (5):

tests/tcg/aarch64/sysregs.c: Use S syntax for id_aa64zfr0_el1 and id_aa64smfr0_el1

target/xtensa: Assert that interrupt level is within bounds

target/arm: Suppress more TCG unimplemented features in ID registers

target/arm: Define neoverse-v1

target/arm: Avoid over-length shift in arm_cpu_sve_finalize() error case

Richard Henderson (3):

target/arm: Avoid splitting Zregs across lines in dump

target/arm: Dump ZA[] when active

target/arm: Fix SME full tile indexing

Vikram Garhwal (1):

tests/qtest: xlnx-canfd-test: Fix code coverity issues

From: Eric Auger <eric.auger@redhat.com>

Some registers whose 'cooked' writefns induce TLB maintenance do

not have raw_writefn ops defined. If only the writefn ops is set

(ie. no raw_writefn is provided), it is assumed the cooked also

work as the raw one. For those registers it is not obvious the

tlb_flush works on KVM mode so better/safer setting the raw write.

Signed-off-by: Eric Auger <eric.auger@redhat.com>

Suggested-by: Peter Maydell <peter.maydell@linaro.org>

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>

target/arm/helper.c | 23 +++++++++++++----------

1 file changed, 13 insertions(+), 10 deletions(-)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vmsa_cp_reginfo[] = {

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR0_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) } },

{ .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.fgt = FGT_TTBR1_EL1,

- .writefn = vmsa_ttbr_write, .resetvalue = 0,

+ .writefn = vmsa_ttbr_write, .resetvalue = 0, .raw_writefn = raw_write,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) } },

{ .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo lpae_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),

offsetof(CPUARMState, cp15.ttbr0_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

{ .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,

.access = PL1_RW, .accessfn = access_tvm_trvm,

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),

offsetof(CPUARMState, cp15.ttbr1_ns) },

- .writefn = vmsa_ttbr_write, },

+ .writefn = vmsa_ttbr_write, .raw_writefn = raw_write },

};

static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_IO,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),

- .writefn = hcr_write },

+ .writefn = hcr_write, .raw_writefn = raw_write },

{ .name = "HCR", .state = ARM_CP_STATE_AA32,

.type = ARM_CP_ALIAS | ARM_CP_IO,

.cp = 15, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

{ .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,

.access = PL2_RW, .writefn = vmsa_tcr_el12_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },

{ .name = "VTCR", .state = ARM_CP_STATE_AA32,

.cp = 15, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 2,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.type = ARM_CP_64BIT | ARM_CP_ALIAS,

.access = PL2_RW, .accessfn = access_el3_aa32ns,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2),

- .writefn = vttbr_write },

+ .writefn = vttbr_write, .raw_writefn = raw_write },

{ .name = "VTTBR_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 1, .opc2 = 0,

- .access = PL2_RW, .writefn = vttbr_write,

+ .access = PL2_RW, .writefn = vttbr_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.vttbr_el2) },

{ .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,

.opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el2_cp_reginfo[] = {

.fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },

{ .name = "TTBR0_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 0,

- .access = PL2_RW, .resetvalue = 0, .writefn = vmsa_tcr_ttbr_el2_write,

+ .access = PL2_RW, .resetvalue = 0,

+ .writefn = vmsa_tcr_ttbr_el2_write, .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[2]) },

{ .name = "HTTBR", .cp = 15, .opc1 = 4, .crm = 2,

.access = PL2_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo el3_cp_reginfo[] = {

{ .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),

- .resetfn = scr_reset, .writefn = scr_write },

+ .resetfn = scr_reset, .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SCR", .type = ARM_CP_ALIAS | ARM_CP_NEWEL,

.cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,

.access = PL1_RW, .accessfn = access_trap_aa32s_el1,

.fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),

- .writefn = scr_write },

+ .writefn = scr_write, .raw_writefn = raw_write },

{ .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,

.access = PL3_RW, .resetvalue = 0,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo vhe_reginfo[] = {

{ .name = "TTBR1_EL2", .state = ARM_CP_STATE_AA64,

.opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 1,

.access = PL2_RW, .writefn = vmsa_tcr_ttbr_el2_write,

+ .raw_writefn = raw_write,

.fieldoffset = offsetof(CPUARMState, cp15.ttbr1_el[2]) },

#ifndef CONFIG_USER_ONLY

{ .name = "CNTHV_CVAL_EL2", .state = ARM_CP_STATE_AA64,

2.34.1

From: Yuquan Wang <wangyuquan1236@phytium.com.cn>

The current sbsa-ref cannot use EHCI controller which is only

able to do 32-bit DMA, since sbsa-ref doesn't have RAM below 4GB.

Hence, this uses XHCI to provide a usb controller with 64-bit

DMA capablity instead of EHCI.

We bump the platform version to 0.3 with this change. Although the

hardware at the USB controller address changes, the firmware and

Linux can both cope with this -- on an older non-XHCI-aware

firmware/kernel setup the probe routine simply fails and the guest

proceeds without any USB. (This isn't a loss of functionality,

because the old USB controller never worked in the first place.) So

we can call this a backwards-compatible change and only bump the

minor version.

Signed-off-by: Yuquan Wang <wangyuquan1236@phytium.com.cn>

Message-id: 20230621103847.447508-2-wangyuquan1236@phytium.com.cn

[PMM: tweaked commit message; add line to docs about what

changes in platform version 0.3]

docs/system/arm/sbsa.rst | 5 ++++-

hw/arm/sbsa-ref.c | 23 +++++++++++++----------

hw/arm/Kconfig | 2 +-

3 files changed, 18 insertions(+), 12 deletions(-)

@@ -XXX,XX +XXX,XX @@

#include "hw/pci-host/gpex.h"

#include "hw/qdev-properties.h"

#include "hw/usb.h"

+#include "hw/usb/xhci.h"

#include "hw/char/pl011.h"

#include "hw/watchdog/sbsa_gwdt.h"

#include "net/net.h"

@@ -XXX,XX +XXX,XX @@ enum {

SBSA_SECURE_UART_MM,

SBSA_SECURE_MEM,

SBSA_AHCI,

- SBSA_EHCI,

+ SBSA_XHCI,

};

struct SBSAMachineState {

@@ -XXX,XX +XXX,XX @@ static const MemMapEntry sbsa_ref_memmap[] = {

[SBSA_SMMU] = { 0x60050000, 0x00020000 },

/* Space here reserved for more SMMUs */

[SBSA_AHCI] = { 0x60100000, 0x00010000 },

- [SBSA_EHCI] = { 0x60110000, 0x00010000 },

+ [SBSA_XHCI] = { 0x60110000, 0x00010000 },

/* Space here reserved for other devices */

[SBSA_PCIE_PIO] = { 0x7fff0000, 0x00010000 },

/* 32-bit address PCIE MMIO space */

@@ -XXX,XX +XXX,XX @@ static const int sbsa_ref_irqmap[] = {

[SBSA_SECURE_UART] = 8,

[SBSA_SECURE_UART_MM] = 9,

[SBSA_AHCI] = 10,

- [SBSA_EHCI] = 11,

+ [SBSA_XHCI] = 11,

[SBSA_SMMU] = 12, /* ... to 15 */

[SBSA_GWDT_WS0] = 16,

};

@@ -XXX,XX +XXX,XX @@ static void create_fdt(SBSAMachineState *sms)

* fw compatibility.

*/

qemu_fdt_setprop_cell(fdt, "/", "machine-version-major", 0);

- qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 2);

+ qemu_fdt_setprop_cell(fdt, "/", "machine-version-minor", 3);

if (ms->numa_state->have_numa_distance) {

int size = nb_numa_nodes * nb_numa_nodes * 3 * sizeof(uint32_t);

@@ -XXX,XX +XXX,XX @@ static void create_ahci(const SBSAMachineState *sms)

}

}

-static void create_ehci(const SBSAMachineState *sms)

+static void create_xhci(const SBSAMachineState *sms)

{

- hwaddr base = sbsa_ref_memmap[SBSA_EHCI].base;

- int irq = sbsa_ref_irqmap[SBSA_EHCI];

+ hwaddr base = sbsa_ref_memmap[SBSA_XHCI].base;

+ int irq = sbsa_ref_irqmap[SBSA_XHCI];

+ DeviceState *dev = qdev_new(TYPE_XHCI_SYSBUS);

- sysbus_create_simple("platform-ehci-usb", base,

- qdev_get_gpio_in(sms->gic, irq));

+ sysbus_realize_and_unref(SYS_BUS_DEVICE(dev), &error_fatal);

+ sysbus_mmio_map(SYS_BUS_DEVICE(dev), 0, base);

+ sysbus_connect_irq(SYS_BUS_DEVICE(dev), 0, qdev_get_gpio_in(sms->gic, irq));

}

static void create_smmu(const SBSAMachineState *sms, PCIBus *bus)

@@ -XXX,XX +XXX,XX @@ static void sbsa_ref_init(MachineState *machine)

create_ahci(sms);

- create_ehci(sms);

+ create_xhci(sms);

create_pcie(sms);

diff --git a/hw/arm/Kconfig b/hw/arm/Kconfig

index XXXXXXX..XXXXXXX 100644

--- a/hw/arm/Kconfig

+++ b/hw/arm/Kconfig

@@ -XXX,XX +XXX,XX @@ config SBSA_REF

select PL011 # UART

select PL031 # RTC

select PL061 # GPIO

- select USB_EHCI_SYSBUS

+ select USB_XHCI_SYSBUS

select WDT_SBSA

select BOCHS_DISPLAY

2.34.1

Some assemblers will complain about attempts to access

id_aa64zfr0_el1 and id_aa64smfr0_el1 by name if the test

binary isn't built for the right processor type:

/tmp/ccASXpLo.s:782: Error: selected processor does not support system register name 'id_aa64zfr0_el1'

/tmp/ccASXpLo.s:829: Error: selected processor does not support system register name 'id_aa64smfr0_el1'

However, these registers are in the ID space and are guaranteed to

read-as-zero on older CPUs, so the access is both safe and sensible.

Switch to using the S syntax, as we already do for ID_AA64ISAR2_EL1

and ID_AA64MMFR2_EL1. This allows us to drop the HAS_ARMV9_SME check

and the makefile machinery to adjust the CFLAGS for this test, so we

don't rely on having a sufficiently new compiler to be able to check

these registers.

This means we're actually testing the SME ID register: no released

GCC yet recognizes -march=armv9-a+sme, so that was always skipped.

It also avoids a future problem if we try to switch the "do we have

SME support in the toolchain" check from "in the compiler" to "in the

assembler" (at which point we would otherwise run into the above

errors).

tests/tcg/aarch64/sysregs.c | 11 +++++++----

tests/tcg/aarch64/Makefile.target | 7 +------

2 files changed, 8 insertions(+), 10 deletions(-)

diff --git a/tests/tcg/aarch64/sysregs.c b/tests/tcg/aarch64/sysregs.c

--- a/tests/tcg/aarch64/sysregs.c

+++ b/tests/tcg/aarch64/sysregs.c

@@ -XXX,XX +XXX,XX @@

/*

* Older assemblers don't recognize newer system register names,

* but we can still access them by the Sn_n_Cn_Cn_n syntax.

+ * This also means we don't need to specifically request that the

+ * assembler enables whatever architectural features the ID registers

+ * syntax might be gated behind.

*/

#define SYS_ID_AA64ISAR2_EL1 S3_0_C0_C6_2

#define SYS_ID_AA64MMFR2_EL1 S3_0_C0_C7_2

+#define SYS_ID_AA64ZFR0_EL1 S3_0_C0_C4_4

+#define SYS_ID_AA64SMFR0_EL1 S3_0_C0_C4_5

int failed_bit_count;

@@ -XXX,XX +XXX,XX @@ int main(void)

/* all hidden, DebugVer fixed to 0x6 (ARMv8 debug architecture) */

get_cpu_reg_check_mask(id_aa64dfr0_el1, _m(0000,0000,0000,0006));

get_cpu_reg_check_zero(id_aa64dfr1_el1);

- get_cpu_reg_check_mask(id_aa64zfr0_el1, _m(0ff0,ff0f,00ff,00ff));

-#ifdef HAS_ARMV9_SME

- get_cpu_reg_check_mask(id_aa64smfr0_el1, _m(80f1,00fd,0000,0000));

-#endif

+ get_cpu_reg_check_mask(SYS_ID_AA64ZFR0_EL1, _m(0ff0,ff0f,00ff,00ff));

+ get_cpu_reg_check_mask(SYS_ID_AA64SMFR0_EL1, _m(80f1,00fd,0000,0000));

get_cpu_reg_check_zero(id_aa64afr0_el1);

get_cpu_reg_check_zero(id_aa64afr1_el1);

diff --git a/tests/tcg/aarch64/Makefile.target b/tests/tcg/aarch64/Makefile.target

index XXXXXXX..XXXXXXX 100644

--- a/tests/tcg/aarch64/Makefile.target

+++ b/tests/tcg/aarch64/Makefile.target

@@ -XXX,XX +XXX,XX @@ AARCH64_TESTS += mte-1 mte-2 mte-3 mte-4 mte-5 mte-6 mte-7

mte-%: CFLAGS += -march=armv8.5-a+memtag

endif

-ifneq ($(CROSS_CC_HAS_SVE),)

# System Registers Tests

AARCH64_TESTS += sysregs

-ifneq ($(CROSS_CC_HAS_ARMV9_SME),)

-sysregs: CFLAGS+=-march=armv9-a+sme -DHAS_ARMV9_SME

-else

-sysregs: CFLAGS+=-march=armv8.1-a+sve

-endif

+ifneq ($(CROSS_CC_HAS_SVE),)

# SVE ioctl test

AARCH64_TESTS += sve-ioctls

sve-ioctls: CFLAGS+=-march=armv8.1-a+sve

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Allow the line length to extend to 548 columns. While annoyingly wide,

it's still less confusing than the continuations we print. Also, the

default VL used by Linux (and max for A64FX) uses only 140 columns.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-2-richard.henderson@linaro.org

target/arm/cpu.c | 36 ++++++++++++++----------------------

1 file changed, 14 insertions(+), 22 deletions(-)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

ARMCPU *cpu = ARM_CPU(cs);

CPUARMState *env = &cpu->env;

uint32_t psr = pstate_read(env);

- int i;

+ int i, j;

int el = arm_current_el(env);

const char *ns_status;

bool sve;

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

}

if (sve) {

- int j, zcr_len = sve_vqm1_for_el(env, el);

+ int zcr_len = sve_vqm1_for_el(env, el);

for (i = 0; i <= FFR_PRED_NUM; i++) {

bool eol;

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

}

}

- for (i = 0; i < 32; i++) {

- if (zcr_len == 0) {

+ if (zcr_len == 0) {

+ /*

+ * With vl=16, there are only 37 columns per register,

+ * so output two registers per line.

+ */

+ for (i = 0; i < 32; i++) {

qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64 "%s",

i, env->vfp.zregs[i].d[1],

env->vfp.zregs[i].d[0], i & 1 ? "\n" : " ");

- } else if (zcr_len == 1) {

- qemu_fprintf(f, "Z%02d=%016" PRIx64 ":%016" PRIx64

- ":%016" PRIx64 ":%016" PRIx64 "\n",

- i, env->vfp.zregs[i].d[3], env->vfp.zregs[i].d[2],

- env->vfp.zregs[i].d[1], env->vfp.zregs[i].d[0]);

- } else {

+ }

+ } else {

+ for (i = 0; i < 32; i++) {

+ qemu_fprintf(f, "Z%02d=", i);

for (j = zcr_len; j >= 0; j--) {

- bool odd = (zcr_len - j) % 2 != 0;

- if (j == zcr_len) {

- qemu_fprintf(f, "Z%02d[%x-%x]=", i, j, j - 1);

- } else if (!odd) {

- if (j > 0) {

- qemu_fprintf(f, " [%x-%x]=", j, j - 1);

- } else {

- qemu_fprintf(f, " [%x]=", j);

- }

- }

qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%s",

env->vfp.zregs[i].d[j * 2 + 1],

- env->vfp.zregs[i].d[j * 2],

- odd || j == 0 ? "\n" : ":");

+ env->vfp.zregs[i].d[j * 2 + 0],

+ j ? ":" : "\n");

}

}

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

Always print each matrix row whole, one per line, so that we

get the entire matrix in the proper shape.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 20230622151201.1578522-3-richard.henderson@linaro.org

target/arm/cpu.c | 18 ++++++++++++++++++

1 file changed, 18 insertions(+)

diff --git a/target/arm/cpu.c b/target/arm/cpu.c

--- a/target/arm/cpu.c

+++ b/target/arm/cpu.c

@@ -XXX,XX +XXX,XX @@ static void aarch64_cpu_dump_state(CPUState *cs, FILE *f, int flags)

i, q[1], q[0], (i & 1 ? "\n" : " "));

}

}

+

+ if (cpu_isar_feature(aa64_sme, cpu) &&

+ FIELD_EX64(env->svcr, SVCR, ZA) &&

+ sme_exception_el(env, el) == 0) {

+ int zcr_len = sve_vqm1_for_el_sm(env, el, true);

+ int svl = (zcr_len + 1) * 16;

+ int svl_lg10 = svl < 100 ? 2 : 3;

+

+ for (i = 0; i < svl; i++) {

+ qemu_fprintf(f, "ZA[%0*d]=", svl_lg10, i);

+ for (j = zcr_len; j >= 0; --j) {

+ qemu_fprintf(f, "%016" PRIx64 ":%016" PRIx64 "%c",

+ env->zarray[i].d[2 * j + 1],

+ env->zarray[i].d[2 * j],

+ j ? ':' : '\n');

+ }

+ }

+ }

}

#else

2.34.1

From: Richard Henderson <richard.henderson@linaro.org>

For the outer product set of insns, which take an entire matrix

tile as output, the argument is not a combined tile+column.

Therefore using get_tile_rowcol was incorrect, as we extracted

the tile number from itself.

The test case relies only on assembler support for SME, since

no release of GCC recognizes -march=armv9-a+sme yet.

target/arm/tcg/translate-sme.c | 24 ++++++---

tests/tcg/aarch64/sme-outprod1.c | 83 +++++++++++++++++++++++++++++++

tests/tcg/aarch64/Makefile.target | 7 ++-

3 files changed, 107 insertions(+), 7 deletions(-)

create mode 100644 tests/tcg/aarch64/sme-outprod1.c

diff --git a/target/arm/tcg/translate-sme.c b/target/arm/tcg/translate-sme.c

--- a/target/arm/tcg/translate-sme.c

+++ b/target/arm/tcg/translate-sme.c

@@ -XXX,XX +XXX,XX @@ static TCGv_ptr get_tile_rowcol(DisasContext *s, int esz, int rs,

return addr;

+/*

+ * Resolve tile.size[0] to a host pointer.

+ * Used by e.g. outer product insns where we require the entire tile.

+ */

+static TCGv_ptr get_tile(DisasContext *s, int esz, int tile)

+ TCGv_ptr addr = tcg_temp_new_ptr();

+ int offset;

+

+ offset = tile * sizeof(ARMVectorReg) + offsetof(CPUARMState, zarray);

+

+ tcg_gen_addi_ptr(addr, cpu_env, offset);

+ return addr;

static bool trans_ZERO(DisasContext *s, arg_ZERO *a)

if (!dc_isar_feature(aa64_sme, s)) {

@@ -XXX,XX +XXX,XX @@ static bool do_adda(DisasContext *s, arg_adda *a, MemOp esz,

return true;

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

pn = pred_full_reg_ptr(s, a->pn);

pm = pred_full_reg_ptr(s, a->pm);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

@@ -XXX,XX +XXX,XX @@ static bool do_outprod_fpst(DisasContext *s, arg_op *a, MemOp esz,

return true;

}

- /* Sum XZR+zad to find ZAd. */

- za = get_tile_rowcol(s, esz, 31, a->zad, false);

+ za = get_tile(s, esz, a->zad);

zn = vec_full_reg_ptr(s, a->zn);

zm = vec_full_reg_ptr(s, a->zm);

pn = pred_full_reg_ptr(s, a->pn);

diff --git a/tests/tcg/aarch64/sme-outprod1.c b/tests/tcg/aarch64/sme-outprod1.c

new file mode 100644

index XXXXXXX..XXXXXXX

--- /dev/null

+++ b/tests/tcg/aarch64/sme-outprod1.c

@@ -XXX,XX +XXX,XX @@

+/*

+ * SME outer product, 1 x 1.

+ * SPDX-License-Identifier: GPL-2.0-or-later

+ */

+

+#include <stdio.h>

+

+extern void foo(float *dst);

+

+asm(

+"    .arch_extension sme\n"

+"    .type foo, @function\n"

+"foo:\n"

+"    stp x29, x30, [sp, -80]!\n"

+"    mov x29, sp\n"

+"    stp d8, d9, [sp, 16]\n"

+"    stp d10, d11, [sp, 32]\n"

+"    stp d12, d13, [sp, 48]\n"

+"    stp d14, d15, [sp, 64]\n"

+"    smstart\n"

+"    ptrue p0.s, vl4\n"

+"    fmov z0.s, #1.0\n"

+/*

+ * An outer product of a vector of 1.0 by itself should be a matrix of 1.0.

+ * Note that we are using tile 1 here (za1.s) rather than tile 0.

+ */

+"    zero {za}\n"

+"    fmopa za1.s, p0/m, p0/m, z0.s, z0.s\n"

+/*

+ * Read the first 4x4 sub-matrix of elements from tile 1:

+ * Note that za1h should be interchangable here.

+ */

+"    mov w12, #0\n"

+"    mova z0.s, p0/m, za1v.s[w12, #0]\n"

+"    mova z1.s, p0/m, za1v.s[w12, #1]\n"

+"    mova z2.s, p0/m, za1v.s[w12, #2]\n"

+"    mova z3.s, p0/m, za1v.s[w12, #3]\n"

+/*

+ * And store them to the input pointer (dst in the C code):

+ */

+"    st1w {z0.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z1.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z2.s}, p0, [x0]\n"

+"    add x0, x0, #16\n"

+"    st1w {z3.s}, p0, [x0]\n"

+"    smstop\n"

+"    ldp d8, d9, [sp, 16]\n"

+"    ldp d10, d11, [sp, 32]\n"

+"    ldp d12, d13, [sp, 48]\n"

+"    ldp d14, d15, [sp, 64]\n"

+"    ldp x29, x30, [sp], 80\n"

+"    ret\n"

+"    .size foo, . - foo"

+);

+

+int main()

+{

+ float dst[16];

+ int i, j;

+

+ foo(dst);

+

+ for (i = 0; i < 16; i++) {

+ if (dst[i] != 1.0f) {

+ break;

+ }

+ }

+

+ if (i == 16) {

+ return 0; /* success */

+ }

+

+ /* failure */

+ for (i = 0; i < 4; ++i) {

+ for (j = 0; j < 4; ++j) {

+ printf("%f ", (double)dst[i * 4 + j]);

+ }

+ printf("\n");

+ }

+ return 1;

# System Registers Tests

AARCH64_TESTS += sysregs

2.34.1

From: John Högberg <john.hogberg@ericsson.com>

Unlike architectures with precise self-modifying code semantics

(e.g. x86) ARM processors do not maintain coherency for instruction

execution and memory, requiring an instruction synchronization

barrier on every core that will execute the new code, and on many

models also the explicit use of cache management instructions.

While this is required to make JITs work on actual hardware, QEMU

has gotten away with not handling this since it does not emulate

caches, and unconditionally invalidates code whenever the softmmu

or the user-mode page protection logic detects that code has been

modified.

Unfortunately the latter does not work in the face of dual-mapped

code (a common W^X workaround), where one page is executable and

the other is writable: user-mode has no way to connect one with the

other as that is only known to the kernel and the emulated

application.

This commit works around the issue by telling software that

instruction cache invalidation is required by clearing the

CPR_EL0.DIC flag (regardless of whether the emulated processor

needs it), and then invalidating code in IC IVAU instructions.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1034

Co-authored-by: Richard Henderson <richard.henderson@linaro.org>

Signed-off-by: John Högberg <john.hogberg@ericsson.com>

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>

Message-id: 168778890374.24232.3402138851538068785-1@git.sr.ht

[PMM: removed unnecessary AArch64 feature check; moved

"clear CTR_EL1.DIC" code up a bit so it's not in the middle

of the vfp/neon related tests]

target/arm/cpu.c | 11 +++++++++++

target/arm/helper.c | 47 ++++++++++++++++++++++++++++++++++++++++++---

2 files changed, 55 insertions(+), 3 deletions(-)

return;

+#ifdef CONFIG_USER_ONLY

+ /*

+ * User mode relies on IC IVAU instructions to catch modification of

+ * dual-mapped code.

+ *

+ * Clear CTR_EL0.DIC to ensure that software that honors these flags uses

+ * IC IVAU even if the emulated processor does not normally require it.

+ */

+ cpu->ctr = FIELD_DP64(cpu->ctr, CTR_EL0, DIC, 0);

+#endif

+

if (arm_feature(env, ARM_FEATURE_AARCH64) &&

cpu->has_vfp != cpu->has_neon) {

/*

@@ -XXX,XX +XXX,XX @@ static void mdcr_el2_write(CPUARMState *env, const ARMCPRegInfo *ri,

+#ifdef CONFIG_USER_ONLY

+/*

+ * `IC IVAU` is handled to improve compatibility with JITs that dual-map their

+ * code to get around W^X restrictions, where one region is writable and the

+ * other is executable.

+ *

+ * Since the executable region is never written to we cannot detect code

+ * changes when running in user mode, and rely on the emulated JIT telling us

+ * that the code has changed by executing this instruction.

+ */

+static void ic_ivau_write(CPUARMState *env, const ARMCPRegInfo *ri,

+ uint64_t value)

+ * Instruction cache ops. All of these except `IC IVAU` NOP because we

+ * don't emulate caches.

{ .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,

.access = PL1_W, .type = ARM_CP_NOP,

@@ -XXX,XX +XXX,XX @@ static const ARMCPRegInfo v8_cp_reginfo[] = {

.accessfn = access_tocu },

{ .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,

.opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,

- .access = PL0_W, .type = ARM_CP_NOP,

+ .access = PL0_W,

.fgt = FGT_ICIVAU,

- .accessfn = access_tocu },

+ .accessfn = access_tocu,

+#ifdef CONFIG_USER_ONLY

+ .type = ARM_CP_NO_RAW,

+ .writefn = ic_ivau_write

+#else

+ .type = ARM_CP_NOP

+#endif