1 /*
2  *  ARM helper routines
3  *
4  *  Copyright (c) 2005-2007 CodeSourcery, LLC
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 #include "qemu/osdep.h"
20 #include "qemu/main-loop.h"
21 #include "cpu.h"
22 #include "exec/helper-proto.h"
23 #include "exec/target_page.h"
24 #include "internals.h"
25 #include "cpu-features.h"
26 #include "accel/tcg/cpu-ldst.h"
27 #include "accel/tcg/probe.h"
28 #include "cpregs.h"
29 
30 #define SIGNBIT (uint32_t)0x80000000
31 #define SIGNBIT64 ((uint64_t)1 << 63)
32 
exception_target_el(CPUARMState * env)33 int exception_target_el(CPUARMState *env)
34 {
35     int target_el = MAX(1, arm_current_el(env));
36 
37     /*
38      * No such thing as secure EL1 if EL3 is aarch32,
39      * so update the target EL to EL3 in this case.
40      */
41     if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
42         target_el = 3;
43     }
44 
45     return target_el;
46 }
47 
raise_exception(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el)48 void raise_exception(CPUARMState *env, uint32_t excp,
49                      uint32_t syndrome, uint32_t target_el)
50 {
51     CPUState *cs = env_cpu(env);
52 
53     if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
54         /*
55          * Redirect NS EL1 exceptions to NS EL2. These are reported with
56          * their original syndrome register value, with the exception of
57          * SIMD/FP access traps, which are reported as uncategorized
58          * (see DDI0478C.a D1.10.4)
59          */
60         target_el = 2;
61         if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) {
62             syndrome = syn_uncategorized();
63         }
64     }
65 
66     assert(!excp_is_internal(excp));
67     cs->exception_index = excp;
68     env->exception.syndrome = syndrome;
69     env->exception.target_el = target_el;
70     cpu_loop_exit(cs);
71 }
72 
raise_exception_ra(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el,uintptr_t ra)73 void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome,
74                         uint32_t target_el, uintptr_t ra)
75 {
76     CPUState *cs = env_cpu(env);
77 
78     /*
79      * restore_state_to_opc() will set env->exception.syndrome, so
80      * we must restore CPU state here before setting the syndrome
81      * the caller passed us, and cannot use cpu_loop_exit_restore().
82      */
83     cpu_restore_state(cs, ra);
84     raise_exception(env, excp, syndrome, target_el);
85 }
86 
HELPER(neon_tbl)87 uint64_t HELPER(neon_tbl)(CPUARMState *env, uint32_t desc,
88                           uint64_t ireg, uint64_t def)
89 {
90     uint64_t tmp, val = 0;
91     uint32_t maxindex = ((desc & 3) + 1) * 8;
92     uint32_t base_reg = desc >> 2;
93     uint32_t shift, index, reg;
94 
95     for (shift = 0; shift < 64; shift += 8) {
96         index = (ireg >> shift) & 0xff;
97         if (index < maxindex) {
98             reg = base_reg + (index >> 3);
99             tmp = *aa32_vfp_dreg(env, reg);
100             tmp = ((tmp >> ((index & 7) << 3)) & 0xff) << shift;
101         } else {
102             tmp = def & (0xffull << shift);
103         }
104         val |= tmp;
105     }
106     return val;
107 }
108 
HELPER(v8m_stackcheck)109 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
110 {
111     /*
112      * Perform the v8M stack limit check for SP updates from translated code,
113      * raising an exception if the limit is breached.
114      */
115     if (newvalue < v7m_sp_limit(env)) {
116         /*
117          * Stack limit exceptions are a rare case, so rather than syncing
118          * PC/condbits before the call, we use raise_exception_ra() so
119          * that cpu_restore_state() will sort them out.
120          */
121         raise_exception_ra(env, EXCP_STKOF, 0, 1, GETPC());
122     }
123 }
124 
125 /* Sign/zero extend */
HELPER(sxtb16)126 uint32_t HELPER(sxtb16)(uint32_t x)
127 {
128     uint32_t res;
129     res = (uint16_t)(int8_t)x;
130     res |= (uint32_t)(int8_t)(x >> 16) << 16;
131     return res;
132 }
133 
handle_possible_div0_trap(CPUARMState * env,uintptr_t ra)134 static void handle_possible_div0_trap(CPUARMState *env, uintptr_t ra)
135 {
136     /*
137      * Take a division-by-zero exception if necessary; otherwise return
138      * to get the usual non-trapping division behaviour (result of 0)
139      */
140     if (arm_feature(env, ARM_FEATURE_M)
141         && (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_DIV_0_TRP_MASK)) {
142         raise_exception_ra(env, EXCP_DIVBYZERO, 0, 1, ra);
143     }
144 }
145 
HELPER(uxtb16)146 uint32_t HELPER(uxtb16)(uint32_t x)
147 {
148     uint32_t res;
149     res = (uint16_t)(uint8_t)x;
150     res |= (uint32_t)(uint8_t)(x >> 16) << 16;
151     return res;
152 }
153 
HELPER(sdiv)154 int32_t HELPER(sdiv)(CPUARMState *env, int32_t num, int32_t den)
155 {
156     if (den == 0) {
157         handle_possible_div0_trap(env, GETPC());
158         return 0;
159     }
160     if (num == INT_MIN && den == -1) {
161         return INT_MIN;
162     }
163     return num / den;
164 }
165 
HELPER(udiv)166 uint32_t HELPER(udiv)(CPUARMState *env, uint32_t num, uint32_t den)
167 {
168     if (den == 0) {
169         handle_possible_div0_trap(env, GETPC());
170         return 0;
171     }
172     return num / den;
173 }
174 
HELPER(rbit)175 uint32_t HELPER(rbit)(uint32_t x)
176 {
177     return revbit32(x);
178 }
179 
HELPER(add_setq)180 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
181 {
182     uint32_t res = a + b;
183     if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
184         env->QF = 1;
185     return res;
186 }
187 
HELPER(add_saturate)188 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
189 {
190     uint32_t res = a + b;
191     if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
192         env->QF = 1;
193         res = ~(((int32_t)a >> 31) ^ SIGNBIT);
194     }
195     return res;
196 }
197 
HELPER(sub_saturate)198 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
199 {
200     uint32_t res = a - b;
201     if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
202         env->QF = 1;
203         res = ~(((int32_t)a >> 31) ^ SIGNBIT);
204     }
205     return res;
206 }
207 
HELPER(add_usaturate)208 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
209 {
210     uint32_t res = a + b;
211     if (res < a) {
212         env->QF = 1;
213         res = ~0;
214     }
215     return res;
216 }
217 
HELPER(sub_usaturate)218 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
219 {
220     uint32_t res = a - b;
221     if (res > a) {
222         env->QF = 1;
223         res = 0;
224     }
225     return res;
226 }
227 
228 /* Signed saturation.  */
do_ssat(CPUARMState * env,int32_t val,int shift)229 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
230 {
231     int32_t top;
232     uint32_t mask;
233 
234     top = val >> shift;
235     mask = (1u << shift) - 1;
236     if (top > 0) {
237         env->QF = 1;
238         return mask;
239     } else if (top < -1) {
240         env->QF = 1;
241         return ~mask;
242     }
243     return val;
244 }
245 
246 /* Unsigned saturation.  */
do_usat(CPUARMState * env,int32_t val,int shift)247 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
248 {
249     uint32_t max;
250 
251     max = (1u << shift) - 1;
252     if (val < 0) {
253         env->QF = 1;
254         return 0;
255     } else if (val > max) {
256         env->QF = 1;
257         return max;
258     }
259     return val;
260 }
261 
262 /* Signed saturate.  */
HELPER(ssat)263 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
264 {
265     return do_ssat(env, x, shift);
266 }
267 
268 /* Dual halfword signed saturate.  */
HELPER(ssat16)269 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
270 {
271     uint32_t res;
272 
273     res = (uint16_t)do_ssat(env, (int16_t)x, shift);
274     res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
275     return res;
276 }
277 
278 /* Unsigned saturate.  */
HELPER(usat)279 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
280 {
281     return do_usat(env, x, shift);
282 }
283 
284 /* Dual halfword unsigned saturate.  */
HELPER(usat16)285 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
286 {
287     uint32_t res;
288 
289     res = (uint16_t)do_usat(env, (int16_t)x, shift);
290     res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
291     return res;
292 }
293 
HELPER(setend)294 void HELPER(setend)(CPUARMState *env)
295 {
296     env->uncached_cpsr ^= CPSR_E;
297     arm_rebuild_hflags(env);
298 }
299 
HELPER(check_bxj_trap)300 void HELPER(check_bxj_trap)(CPUARMState *env, uint32_t rm)
301 {
302     /*
303      * Only called if in NS EL0 or EL1 for a BXJ for a v7A CPU;
304      * check if HSTR.TJDBX means we need to trap to EL2.
305      */
306     if (env->cp15.hstr_el2 & HSTR_TJDBX) {
307         /*
308          * We know the condition code check passed, so take the IMPDEF
309          * choice to always report CV=1 COND 0xe
310          */
311         uint32_t syn = syn_bxjtrap(1, 0xe, rm);
312         raise_exception_ra(env, EXCP_HYP_TRAP, syn, 2, GETPC());
313     }
314 }
315 
316 #ifndef CONFIG_USER_ONLY
317 /*
318  * Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
319  * The function returns the target EL (1-3) if the instruction is to be trapped;
320  * otherwise it returns 0 indicating it is not trapped.
321  * For a trap, *excp is updated with the EXCP_* trap type to use.
322  */
check_wfx_trap(CPUARMState * env,bool is_wfe,uint32_t * excp)323 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe, uint32_t *excp)
324 {
325     int cur_el = arm_current_el(env);
326     uint64_t mask;
327 
328     *excp = EXCP_UDEF;
329 
330     if (arm_feature(env, ARM_FEATURE_M)) {
331         /* M profile cores can never trap WFI/WFE. */
332         return 0;
333     }
334 
335     /* If we are currently in EL0 then we need to check if SCTLR is set up for
336      * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
337      */
338     if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
339         mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
340         if (!(arm_sctlr(env, cur_el) & mask)) {
341             return exception_target_el(env);
342         }
343     }
344 
345     /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
346      * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
347      * bits will be zero indicating no trap.
348      */
349     if (cur_el < 2) {
350         mask = is_wfe ? HCR_TWE : HCR_TWI;
351         if (arm_hcr_el2_eff(env) & mask) {
352             return 2;
353         }
354     }
355 
356     /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
357     if (arm_feature(env, ARM_FEATURE_V8) && !arm_is_el3_or_mon(env)) {
358         mask = (is_wfe) ? SCR_TWE : SCR_TWI;
359         if (env->cp15.scr_el3 & mask) {
360             if (!arm_el_is_aa64(env, 3)) {
361                 *excp = EXCP_MON_TRAP;
362             }
363             return 3;
364         }
365     }
366 
367     return 0;
368 }
369 #endif
370 
HELPER(wfi)371 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
372 {
373 #ifdef CONFIG_USER_ONLY
374     /*
375      * WFI in the user-mode emulator is technically permitted but not
376      * something any real-world code would do. AArch64 Linux kernels
377      * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
378      * AArch32 kernels don't trap it so it will delay a bit.
379      * For QEMU, make it NOP here, because trying to raise EXCP_HLT
380      * would trigger an abort.
381      */
382     return;
383 #else
384     CPUState *cs = env_cpu(env);
385     uint32_t excp;
386     int target_el = check_wfx_trap(env, false, &excp);
387 
388     if (cpu_has_work(cs)) {
389         /* Don't bother to go into our "low power state" if
390          * we would just wake up immediately.
391          */
392         return;
393     }
394 
395     if (target_el) {
396         if (env->aarch64) {
397             env->pc -= insn_len;
398         } else {
399             env->regs[15] -= insn_len;
400         }
401 
402         raise_exception(env, excp, syn_wfx(1, 0xe, 0, insn_len == 2),
403                         target_el);
404     }
405 
406     cs->exception_index = EXCP_HLT;
407     cs->halted = 1;
408     cpu_loop_exit(cs);
409 #endif
410 }
411 
HELPER(wfit)412 void HELPER(wfit)(CPUARMState *env, uint64_t timeout)
413 {
414 #ifdef CONFIG_USER_ONLY
415     /*
416      * WFI in the user-mode emulator is technically permitted but not
417      * something any real-world code would do. AArch64 Linux kernels
418      * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
419      * AArch32 kernels don't trap it so it will delay a bit.
420      * For QEMU, make it NOP here, because trying to raise EXCP_HLT
421      * would trigger an abort.
422      */
423     return;
424 #else
425     ARMCPU *cpu = env_archcpu(env);
426     CPUState *cs = env_cpu(env);
427     uint32_t excp;
428     int target_el = check_wfx_trap(env, false, &excp);
429     /* The WFIT should time out when CNTVCT_EL0 >= the specified value. */
430     uint64_t cntval = gt_get_countervalue(env);
431     /*
432      * We want the value that we would get if we read CNTVCT_EL0 from
433      * the current exception level, so the direct_access offset, not
434      * the indirect_access one. Compare the pseudocode LocalTimeoutEvent(),
435      * which calls VirtualCounterTimer().
436      */
437     uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
438     uint64_t cntvct = cntval - offset;
439     uint64_t nexttick;
440 
441     if (cpu_has_work(cs) || cntvct >= timeout) {
442         /*
443          * Don't bother to go into our "low power state" if
444          * we would just wake up immediately.
445          */
446         return;
447     }
448 
449     if (target_el) {
450         env->pc -= 4;
451         raise_exception(env, excp, syn_wfx(1, 0xe, 0, false), target_el);
452     }
453 
454     if (uadd64_overflow(timeout, offset, &nexttick)) {
455         nexttick = UINT64_MAX;
456     }
457     if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
458         /*
459          * If the timeout is too long for the signed 64-bit range
460          * of a QEMUTimer, let it expire early.
461          */
462         timer_mod_ns(cpu->wfxt_timer, INT64_MAX);
463     } else {
464         timer_mod(cpu->wfxt_timer, nexttick);
465     }
466     cs->exception_index = EXCP_HLT;
467     cs->halted = 1;
468     cpu_loop_exit(cs);
469 #endif
470 }
471 
HELPER(wfe)472 void HELPER(wfe)(CPUARMState *env)
473 {
474     /* This is a hint instruction that is semantically different
475      * from YIELD even though we currently implement it identically.
476      * Don't actually halt the CPU, just yield back to top
477      * level loop. This is not going into a "low power state"
478      * (ie halting until some event occurs), so we never take
479      * a configurable trap to a different exception level.
480      */
481     HELPER(yield)(env);
482 }
483 
HELPER(yield)484 void HELPER(yield)(CPUARMState *env)
485 {
486     CPUState *cs = env_cpu(env);
487 
488     /* This is a non-trappable hint instruction that generally indicates
489      * that the guest is currently busy-looping. Yield control back to the
490      * top level loop so that a more deserving VCPU has a chance to run.
491      */
492     cs->exception_index = EXCP_YIELD;
493     cpu_loop_exit(cs);
494 }
495 
496 /* Raise an internal-to-QEMU exception. This is limited to only
497  * those EXCP values which are special cases for QEMU to interrupt
498  * execution and not to be used for exceptions which are passed to
499  * the guest (those must all have syndrome information and thus should
500  * use exception_with_syndrome*).
501  */
HELPER(exception_internal)502 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
503 {
504     CPUState *cs = env_cpu(env);
505 
506     assert(excp_is_internal(excp));
507     cs->exception_index = excp;
508     cpu_loop_exit(cs);
509 }
510 
511 /* Raise an exception with the specified syndrome register value */
HELPER(exception_with_syndrome_el)512 void HELPER(exception_with_syndrome_el)(CPUARMState *env, uint32_t excp,
513                                         uint32_t syndrome, uint32_t target_el)
514 {
515     raise_exception(env, excp, syndrome, target_el);
516 }
517 
518 /*
519  * Raise an exception with the specified syndrome register value
520  * to the default target el.
521  */
HELPER(exception_with_syndrome)522 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
523                                      uint32_t syndrome)
524 {
525     raise_exception(env, excp, syndrome, exception_target_el(env));
526 }
527 
HELPER(cpsr_read)528 uint32_t HELPER(cpsr_read)(CPUARMState *env)
529 {
530     return cpsr_read(env) & ~CPSR_EXEC;
531 }
532 
HELPER(cpsr_write)533 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
534 {
535     cpsr_write(env, val, mask, CPSRWriteByInstr);
536     /* TODO: Not all cpsr bits are relevant to hflags.  */
537     arm_rebuild_hflags(env);
538 }
539 
540 /* Write the CPSR for a 32-bit exception return */
HELPER(cpsr_write_eret)541 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
542 {
543     uint32_t mask;
544 
545     bql_lock();
546     arm_call_pre_el_change_hook(env_archcpu(env));
547     bql_unlock();
548 
549     mask = aarch32_cpsr_valid_mask(env->features, &env_archcpu(env)->isar);
550     cpsr_write(env, val, mask, CPSRWriteExceptionReturn);
551 
552     /* Generated code has already stored the new PC value, but
553      * without masking out its low bits, because which bits need
554      * masking depends on whether we're returning to Thumb or ARM
555      * state. Do the masking now.
556      */
557     env->regs[15] &= (env->thumb ? ~1 : ~3);
558     arm_rebuild_hflags(env);
559 
560     bql_lock();
561     arm_call_el_change_hook(env_archcpu(env));
562     bql_unlock();
563 }
564 
565 /* Access to user mode registers from privileged modes.  */
HELPER(get_user_reg)566 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
567 {
568     uint32_t val;
569 
570     if (regno == 13) {
571         val = env->banked_r13[BANK_USRSYS];
572     } else if (regno == 14) {
573         val = env->banked_r14[BANK_USRSYS];
574     } else if (regno >= 8
575                && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
576         val = env->usr_regs[regno - 8];
577     } else {
578         val = env->regs[regno];
579     }
580     return val;
581 }
582 
HELPER(set_user_reg)583 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
584 {
585     if (regno == 13) {
586         env->banked_r13[BANK_USRSYS] = val;
587     } else if (regno == 14) {
588         env->banked_r14[BANK_USRSYS] = val;
589     } else if (regno >= 8
590                && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
591         env->usr_regs[regno - 8] = val;
592     } else {
593         env->regs[regno] = val;
594     }
595 }
596 
HELPER(set_r13_banked)597 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
598 {
599     if ((env->uncached_cpsr & CPSR_M) == mode) {
600         env->regs[13] = val;
601     } else {
602         env->banked_r13[bank_number(mode)] = val;
603     }
604 }
605 
HELPER(get_r13_banked)606 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
607 {
608     if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
609         /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
610          * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
611          */
612         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
613                         exception_target_el(env));
614     }
615 
616     if ((env->uncached_cpsr & CPSR_M) == mode) {
617         return env->regs[13];
618     } else {
619         return env->banked_r13[bank_number(mode)];
620     }
621 }
622 
msr_mrs_banked_exc_checks(CPUARMState * env,uint32_t tgtmode,uint32_t regno)623 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
624                                       uint32_t regno)
625 {
626     /* Raise an exception if the requested access is one of the UNPREDICTABLE
627      * cases; otherwise return. This broadly corresponds to the pseudocode
628      * BankedRegisterAccessValid() and SPSRAccessValid(),
629      * except that we have already handled some cases at translate time.
630      */
631     int curmode = env->uncached_cpsr & CPSR_M;
632 
633     if (tgtmode == ARM_CPU_MODE_HYP) {
634         /*
635          * Handle Hyp target regs first because some are special cases
636          * which don't want the usual "not accessible from tgtmode" check.
637          */
638         switch (regno) {
639         case 16 ... 17: /* ELR_Hyp, SPSR_Hyp */
640             if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
641                 goto undef;
642             }
643             break;
644         case 13:
645             if (curmode != ARM_CPU_MODE_MON) {
646                 goto undef;
647             }
648             break;
649         default:
650             g_assert_not_reached();
651         }
652         return;
653     }
654 
655     if (curmode == tgtmode) {
656         goto undef;
657     }
658 
659     if (tgtmode == ARM_CPU_MODE_USR) {
660         switch (regno) {
661         case 8 ... 12:
662             if (curmode != ARM_CPU_MODE_FIQ) {
663                 goto undef;
664             }
665             break;
666         case 13:
667             if (curmode == ARM_CPU_MODE_SYS) {
668                 goto undef;
669             }
670             break;
671         case 14:
672             if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
673                 goto undef;
674             }
675             break;
676         default:
677             break;
678         }
679     }
680 
681     return;
682 
683 undef:
684     raise_exception(env, EXCP_UDEF, syn_uncategorized(),
685                     exception_target_el(env));
686 }
687 
HELPER(msr_banked)688 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
689                         uint32_t regno)
690 {
691     msr_mrs_banked_exc_checks(env, tgtmode, regno);
692 
693     switch (regno) {
694     case 16: /* SPSRs */
695         if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
696             /* Only happens for SPSR_Hyp access in Hyp mode */
697             env->spsr = value;
698         } else {
699             env->banked_spsr[bank_number(tgtmode)] = value;
700         }
701         break;
702     case 17: /* ELR_Hyp */
703         env->elr_el[2] = value;
704         break;
705     case 13:
706         env->banked_r13[bank_number(tgtmode)] = value;
707         break;
708     case 14:
709         env->banked_r14[r14_bank_number(tgtmode)] = value;
710         break;
711     case 8 ... 12:
712         switch (tgtmode) {
713         case ARM_CPU_MODE_USR:
714             env->usr_regs[regno - 8] = value;
715             break;
716         case ARM_CPU_MODE_FIQ:
717             env->fiq_regs[regno - 8] = value;
718             break;
719         default:
720             g_assert_not_reached();
721         }
722         break;
723     default:
724         g_assert_not_reached();
725     }
726 }
727 
HELPER(mrs_banked)728 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
729 {
730     msr_mrs_banked_exc_checks(env, tgtmode, regno);
731 
732     switch (regno) {
733     case 16: /* SPSRs */
734         if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
735             /* Only happens for SPSR_Hyp access in Hyp mode */
736             return env->spsr;
737         } else {
738             return env->banked_spsr[bank_number(tgtmode)];
739         }
740     case 17: /* ELR_Hyp */
741         return env->elr_el[2];
742     case 13:
743         return env->banked_r13[bank_number(tgtmode)];
744     case 14:
745         return env->banked_r14[r14_bank_number(tgtmode)];
746     case 8 ... 12:
747         switch (tgtmode) {
748         case ARM_CPU_MODE_USR:
749             return env->usr_regs[regno - 8];
750         case ARM_CPU_MODE_FIQ:
751             return env->fiq_regs[regno - 8];
752         default:
753             g_assert_not_reached();
754         }
755     default:
756         g_assert_not_reached();
757     }
758 }
759 
HELPER(access_check_cp_reg)760 const void *HELPER(access_check_cp_reg)(CPUARMState *env, uint32_t key,
761                                         uint32_t syndrome, uint32_t isread)
762 {
763     ARMCPU *cpu = env_archcpu(env);
764     const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
765     CPAccessResult res = CP_ACCESS_OK;
766     int target_el;
767     uint32_t excp;
768 
769     assert(ri != NULL);
770 
771     if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
772         && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
773         res = CP_ACCESS_UNDEFINED;
774         goto fail;
775     }
776 
777     if (ri->accessfn) {
778         res = ri->accessfn(env, ri, isread);
779     }
780 
781     /*
782      * If the access function indicates a trap from EL0 to EL1 then
783      * that always takes priority over the HSTR_EL2 trap. (If it indicates
784      * a trap to EL3, then the HSTR_EL2 trap takes priority; if it indicates
785      * a trap to EL2, then the syndrome is the same either way so we don't
786      * care whether technically the architecture says that HSTR_EL2 trap or
787      * the other trap takes priority. So we take the "check HSTR_EL2" path
788      * for all of those cases.)
789      */
790     if (res != CP_ACCESS_OK && ((res & CP_ACCESS_EL_MASK) < 2) &&
791         arm_current_el(env) == 0) {
792         goto fail;
793     }
794 
795     /*
796      * HSTR_EL2 traps from EL1 are checked earlier, in generated code;
797      * we only need to check here for traps from EL0.
798      */
799     if (!is_a64(env) && arm_current_el(env) == 0 && ri->cp == 15 &&
800         arm_is_el2_enabled(env) &&
801         (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
802         uint32_t mask = 1 << ri->crn;
803 
804         if (ri->type & ARM_CP_64BIT) {
805             mask = 1 << ri->crm;
806         }
807 
808         /* T4 and T14 are RES0 */
809         mask &= ~((1 << 4) | (1 << 14));
810 
811         if (env->cp15.hstr_el2 & mask) {
812             res = CP_ACCESS_TRAP_EL2;
813             goto fail;
814         }
815     }
816 
817     /*
818      * Fine-grained traps also are lower priority than undef-to-EL1,
819      * higher priority than trap-to-EL3, and we don't care about priority
820      * order with other EL2 traps because the syndrome value is the same.
821      */
822     if (arm_fgt_active(env, arm_current_el(env))) {
823         uint64_t trapword = 0;
824         unsigned int idx = FIELD_EX32(ri->fgt, FGT, IDX);
825         unsigned int bitpos = FIELD_EX32(ri->fgt, FGT, BITPOS);
826         bool rev = FIELD_EX32(ri->fgt, FGT, REV);
827         bool nxs = FIELD_EX32(ri->fgt, FGT, NXS);
828         bool trapbit;
829 
830         if (ri->fgt & FGT_EXEC) {
831             assert(idx < ARRAY_SIZE(env->cp15.fgt_exec));
832             trapword = env->cp15.fgt_exec[idx];
833         } else if (isread && (ri->fgt & FGT_R)) {
834             assert(idx < ARRAY_SIZE(env->cp15.fgt_read));
835             trapword = env->cp15.fgt_read[idx];
836         } else if (!isread && (ri->fgt & FGT_W)) {
837             assert(idx < ARRAY_SIZE(env->cp15.fgt_write));
838             trapword = env->cp15.fgt_write[idx];
839         }
840 
841         if (nxs && (arm_hcrx_el2_eff(env) & HCRX_FGTNXS)) {
842             /*
843              * If HCRX_EL2.FGTnXS is 1 then the fine-grained trap for
844              * TLBI maintenance insns does *not* apply to the nXS variant.
845              */
846             trapbit = 0;
847         } else {
848             trapbit = extract64(trapword, bitpos, 1);
849         }
850         if (trapbit != rev) {
851             res = CP_ACCESS_TRAP_EL2;
852             goto fail;
853         }
854     }
855 
856     if (likely(res == CP_ACCESS_OK)) {
857         return ri;
858     }
859 
860  fail:
861     excp = EXCP_UDEF;
862     switch (res) {
863         /* CP_ACCESS_TRAP* traps are always direct to a specified EL */
864     case CP_ACCESS_TRAP_EL3:
865         /*
866          * If EL3 is AArch32 then there's no syndrome register; the cases
867          * where we would raise a SystemAccessTrap to AArch64 EL3 all become
868          * raising a Monitor trap exception. (Because there's no visible
869          * syndrome it doesn't matter what we pass to raise_exception().)
870          */
871         if (!arm_el_is_aa64(env, 3)) {
872             excp = EXCP_MON_TRAP;
873         }
874         break;
875     case CP_ACCESS_TRAP_EL2:
876     case CP_ACCESS_TRAP_EL1:
877         break;
878     case CP_ACCESS_UNDEFINED:
879         /* CP_ACCESS_UNDEFINED is never direct to a specified EL */
880         if (cpu_isar_feature(aa64_ids, cpu) && isread &&
881             arm_cpreg_in_idspace(ri)) {
882             /*
883              * FEAT_IDST says this should be reported as EC_SYSTEMREGISTERTRAP,
884              * not EC_UNCATEGORIZED
885              */
886             break;
887         }
888         syndrome = syn_uncategorized();
889         break;
890     default:
891         g_assert_not_reached();
892     }
893 
894     target_el = res & CP_ACCESS_EL_MASK;
895     switch (target_el) {
896     case 0:
897         target_el = exception_target_el(env);
898         break;
899     case 1:
900         assert(arm_current_el(env) < 2);
901         break;
902     case 2:
903         assert(arm_current_el(env) != 3);
904         assert(arm_is_el2_enabled(env));
905         break;
906     case 3:
907         assert(arm_feature(env, ARM_FEATURE_EL3));
908         break;
909     default:
910         g_assert_not_reached();
911     }
912 
913     raise_exception(env, excp, syndrome, target_el);
914 }
915 
HELPER(lookup_cp_reg)916 const void *HELPER(lookup_cp_reg)(CPUARMState *env, uint32_t key)
917 {
918     ARMCPU *cpu = env_archcpu(env);
919     const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
920 
921     assert(ri != NULL);
922     return ri;
923 }
924 
925 /*
926  * Test for HCR_EL2.TIDCP at EL1.
927  * Since implementation defined registers are rare, and within QEMU
928  * most of them are no-op, do not waste HFLAGS space for this and
929  * always use a helper.
930  */
HELPER(tidcp_el1)931 void HELPER(tidcp_el1)(CPUARMState *env, uint32_t syndrome)
932 {
933     if (arm_hcr_el2_eff(env) & HCR_TIDCP) {
934         raise_exception_ra(env, EXCP_UDEF, syndrome, 2, GETPC());
935     }
936 }
937 
938 /*
939  * Similarly, for FEAT_TIDCP1 at EL0.
940  * We have already checked for the presence of the feature.
941  */
HELPER(tidcp_el0)942 void HELPER(tidcp_el0)(CPUARMState *env, uint32_t syndrome)
943 {
944     /* See arm_sctlr(), but we also need the sctlr el. */
945     ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
946     int target_el;
947 
948     switch (mmu_idx) {
949     case ARMMMUIdx_E20_0:
950         target_el = 2;
951         break;
952     case ARMMMUIdx_E30_0:
953         target_el = 3;
954         break;
955     default:
956         target_el = 1;
957         break;
958     }
959 
960     /*
961      * The bit is not valid unless the target el is aa64, but since the
962      * bit test is simpler perform that first and check validity after.
963      */
964     if ((env->cp15.sctlr_el[target_el] & SCTLR_TIDCP)
965         && arm_el_is_aa64(env, target_el)) {
966         raise_exception_ra(env, EXCP_UDEF, syndrome, target_el, GETPC());
967     }
968 }
969 
HELPER(set_cp_reg)970 void HELPER(set_cp_reg)(CPUARMState *env, const void *rip, uint32_t value)
971 {
972     const ARMCPRegInfo *ri = rip;
973 
974     if (ri->type & ARM_CP_IO) {
975         bql_lock();
976         ri->writefn(env, ri, value);
977         bql_unlock();
978     } else {
979         ri->writefn(env, ri, value);
980     }
981 }
982 
HELPER(get_cp_reg)983 uint32_t HELPER(get_cp_reg)(CPUARMState *env, const void *rip)
984 {
985     const ARMCPRegInfo *ri = rip;
986     uint32_t res;
987 
988     if (ri->type & ARM_CP_IO) {
989         bql_lock();
990         res = ri->readfn(env, ri);
991         bql_unlock();
992     } else {
993         res = ri->readfn(env, ri);
994     }
995 
996     return res;
997 }
998 
HELPER(set_cp_reg64)999 void HELPER(set_cp_reg64)(CPUARMState *env, const void *rip, uint64_t value)
1000 {
1001     const ARMCPRegInfo *ri = rip;
1002 
1003     if (ri->type & ARM_CP_IO) {
1004         bql_lock();
1005         ri->writefn(env, ri, value);
1006         bql_unlock();
1007     } else {
1008         ri->writefn(env, ri, value);
1009     }
1010 }
1011 
HELPER(get_cp_reg64)1012 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, const void *rip)
1013 {
1014     const ARMCPRegInfo *ri = rip;
1015     uint64_t res;
1016 
1017     if (ri->type & ARM_CP_IO) {
1018         bql_lock();
1019         res = ri->readfn(env, ri);
1020         bql_unlock();
1021     } else {
1022         res = ri->readfn(env, ri);
1023     }
1024 
1025     return res;
1026 }
1027 
HELPER(pre_hvc)1028 void HELPER(pre_hvc)(CPUARMState *env)
1029 {
1030     ARMCPU *cpu = env_archcpu(env);
1031     int cur_el = arm_current_el(env);
1032     /* FIXME: Use actual secure state.  */
1033     bool secure = false;
1034     bool undef;
1035 
1036     if (arm_is_psci_call(cpu, EXCP_HVC)) {
1037         /* If PSCI is enabled and this looks like a valid PSCI call then
1038          * that overrides the architecturally mandated HVC behaviour.
1039          */
1040         return;
1041     }
1042 
1043     if (!arm_feature(env, ARM_FEATURE_EL2)) {
1044         /* If EL2 doesn't exist, HVC always UNDEFs */
1045         undef = true;
1046     } else if (arm_feature(env, ARM_FEATURE_EL3)) {
1047         /* EL3.HCE has priority over EL2.HCD. */
1048         undef = !(env->cp15.scr_el3 & SCR_HCE);
1049     } else {
1050         undef = env->cp15.hcr_el2 & HCR_HCD;
1051     }
1052 
1053     /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
1054      * For ARMv8/AArch64, HVC is allowed in EL3.
1055      * Note that we've already trapped HVC from EL0 at translation
1056      * time.
1057      */
1058     if (secure && (!is_a64(env) || cur_el == 1)) {
1059         undef = true;
1060     }
1061 
1062     if (undef) {
1063         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1064                         exception_target_el(env));
1065     }
1066 }
1067 
HELPER(pre_smc)1068 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
1069 {
1070     ARMCPU *cpu = env_archcpu(env);
1071     int cur_el = arm_current_el(env);
1072     bool secure = arm_is_secure(env);
1073     bool smd_flag = env->cp15.scr_el3 & SCR_SMD;
1074 
1075     /*
1076      * SMC behaviour is summarized in the following table.
1077      * This helper handles the "Trap to EL2" and "Undef insn" cases.
1078      * The "Trap to EL3" and "PSCI call" cases are handled in the exception
1079      * helper.
1080      *
1081      *  -> ARM_FEATURE_EL3 and !SMD
1082      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1083      *
1084      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1085      *  Conduit SMC, inval call  Trap to EL2         Trap to EL3
1086      *  Conduit not SMC          Trap to EL2         Trap to EL3
1087      *
1088      *
1089      *  -> ARM_FEATURE_EL3 and SMD
1090      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1091      *
1092      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1093      *  Conduit SMC, inval call  Trap to EL2         Undef insn
1094      *  Conduit not SMC          Trap to EL2         Undef insn
1095      *
1096      *
1097      *  -> !ARM_FEATURE_EL3
1098      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1099      *
1100      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1101      *  Conduit SMC, inval call  Trap to EL2         Undef insn
1102      *  Conduit not SMC          Undef or trap[1]    Undef insn
1103      *
1104      * [1] In this case:
1105      *  - if HCR_EL2.NV == 1 we must trap to EL2
1106      *  - if HCR_EL2.NV == 0 then newer architecture revisions permit
1107      *    AArch64 (but not AArch32) to trap to EL2 as an IMPDEF choice
1108      *  - otherwise we must UNDEF
1109      * We take the IMPDEF choice to always UNDEF if HCR_EL2.NV == 0.
1110      */
1111 
1112     /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
1113      * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
1114      *  extensions, SMD only applies to NS state.
1115      * On ARMv7 without the Virtualization extensions, the SMD bit
1116      * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
1117      * so we need not special case this here.
1118      */
1119     bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag
1120                                                      : smd_flag && !secure;
1121 
1122     if (!arm_feature(env, ARM_FEATURE_EL3) &&
1123         !(arm_hcr_el2_eff(env) & HCR_NV) &&
1124         cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
1125         /*
1126          * If we have no EL3 then traditionally SMC always UNDEFs and can't be
1127          * trapped to EL2. For nested virtualization, SMC can be trapped to
1128          * the outer hypervisor. PSCI-via-SMC is a sort of ersatz EL3
1129          * firmware within QEMU, and we want an EL2 guest to be able
1130          * to forbid its EL1 from making PSCI calls into QEMU's
1131          * "firmware" via HCR.TSC, so for these purposes treat
1132          * PSCI-via-SMC as implying an EL3.
1133          * This handles the very last line of the previous table.
1134          */
1135         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1136                         exception_target_el(env));
1137     }
1138 
1139     if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
1140         /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
1141          * We also want an EL2 guest to be able to forbid its EL1 from
1142          * making PSCI calls into QEMU's "firmware" via HCR.TSC.
1143          * This handles all the "Trap to EL2" cases of the previous table.
1144          */
1145         raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
1146     }
1147 
1148     /* Catch the two remaining "Undef insn" cases of the previous table:
1149      *    - PSCI conduit is SMC but we don't have a valid PCSI call,
1150      *    - We don't have EL3 or SMD is set.
1151      */
1152     if (!arm_is_psci_call(cpu, EXCP_SMC) &&
1153         (smd || !arm_feature(env, ARM_FEATURE_EL3))) {
1154         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1155                         exception_target_el(env));
1156     }
1157 }
1158 
1159 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1160    The only way to do that in TCG is a conditional branch, which clobbers
1161    all our temporaries.  For now implement these as helper functions.  */
1162 
1163 /* Similarly for variable shift instructions.  */
1164 
HELPER(shl_cc)1165 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1166 {
1167     int shift = i & 0xff;
1168     if (shift >= 32) {
1169         if (shift == 32)
1170             env->CF = x & 1;
1171         else
1172             env->CF = 0;
1173         return 0;
1174     } else if (shift != 0) {
1175         env->CF = (x >> (32 - shift)) & 1;
1176         return x << shift;
1177     }
1178     return x;
1179 }
1180 
HELPER(shr_cc)1181 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1182 {
1183     int shift = i & 0xff;
1184     if (shift >= 32) {
1185         if (shift == 32)
1186             env->CF = (x >> 31) & 1;
1187         else
1188             env->CF = 0;
1189         return 0;
1190     } else if (shift != 0) {
1191         env->CF = (x >> (shift - 1)) & 1;
1192         return x >> shift;
1193     }
1194     return x;
1195 }
1196 
HELPER(sar_cc)1197 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1198 {
1199     int shift = i & 0xff;
1200     if (shift >= 32) {
1201         env->CF = (x >> 31) & 1;
1202         return (int32_t)x >> 31;
1203     } else if (shift != 0) {
1204         env->CF = (x >> (shift - 1)) & 1;
1205         return (int32_t)x >> shift;
1206     }
1207     return x;
1208 }
1209 
HELPER(ror_cc)1210 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1211 {
1212     int shift1, shift;
1213     shift1 = i & 0xff;
1214     shift = shift1 & 0x1f;
1215     if (shift == 0) {
1216         if (shift1 != 0)
1217             env->CF = (x >> 31) & 1;
1218         return x;
1219     } else {
1220         env->CF = (x >> (shift - 1)) & 1;
1221         return ((uint32_t)x >> shift) | (x << (32 - shift));
1222     }
1223 }
1224 
HELPER(probe_access)1225 void HELPER(probe_access)(CPUARMState *env, vaddr ptr,
1226                           uint32_t access_type, uint32_t mmu_idx,
1227                           uint32_t size)
1228 {
1229     uint32_t in_page = -((uint32_t)ptr | TARGET_PAGE_SIZE);
1230     uintptr_t ra = GETPC();
1231 
1232     if (likely(size <= in_page)) {
1233         probe_access(env, ptr, size, access_type, mmu_idx, ra);
1234     } else {
1235         probe_access(env, ptr, in_page, access_type, mmu_idx, ra);
1236         probe_access(env, ptr + in_page, size - in_page,
1237                      access_type, mmu_idx, ra);
1238     }
1239 }
1240 
1241 /*
1242  * This function corresponds to AArch64.vESBOperation().
1243  * Note that the AArch32 version is not functionally different.
1244  */
HELPER(vesb)1245 void HELPER(vesb)(CPUARMState *env)
1246 {
1247     /*
1248      * The EL2Enabled() check is done inside arm_hcr_el2_eff,
1249      * and will return HCR_EL2.VSE == 0, so nothing happens.
1250      */
1251     uint64_t hcr = arm_hcr_el2_eff(env);
1252     bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO);
1253     bool pending = enabled && (hcr & HCR_VSE);
1254     bool masked  = (env->daif & PSTATE_A);
1255 
1256     /* If VSE pending and masked, defer the exception.  */
1257     if (pending && masked) {
1258         uint32_t syndrome;
1259 
1260         if (arm_el_is_aa64(env, 1)) {
1261             /* Copy across IDS and ISS from VSESR. */
1262             syndrome = env->cp15.vsesr_el2 & 0x1ffffff;
1263         } else {
1264             ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal };
1265 
1266             if (extended_addresses_enabled(env)) {
1267                 syndrome = arm_fi_to_lfsc(&fi);
1268             } else {
1269                 syndrome = arm_fi_to_sfsc(&fi);
1270             }
1271             /* Copy across AET and ExT from VSESR. */
1272             syndrome |= env->cp15.vsesr_el2 & 0xd000;
1273         }
1274 
1275         /* Set VDISR_EL2.A along with the syndrome. */
1276         env->cp15.vdisr_el2 = syndrome | (1u << 31);
1277 
1278         /* Clear pending virtual SError */
1279         env->cp15.hcr_el2 &= ~HCR_VSE;
1280         cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR);
1281     }
1282 }
1283