xref: /openbmc/qemu/target/arm/tcg/op_helper.c (revision 739dabb1ad26c750fdf6df469e442ab8591c3090)
1 /*
2  *  ARM helper routines
3  *
4  *  Copyright (c) 2005-2007 CodeSourcery, LLC
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 #include "qemu/osdep.h"
20 #include "qemu/main-loop.h"
21 #include "cpu.h"
22 #include "exec/helper-proto.h"
23 #include "internals.h"
24 #include "cpu-features.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
27 #include "cpregs.h"
28 
29 #define SIGNBIT (uint32_t)0x80000000
30 #define SIGNBIT64 ((uint64_t)1 << 63)
31 
exception_target_el(CPUARMState * env)32 int exception_target_el(CPUARMState *env)
33 {
34     int target_el = MAX(1, arm_current_el(env));
35 
36     /*
37      * No such thing as secure EL1 if EL3 is aarch32,
38      * so update the target EL to EL3 in this case.
39      */
40     if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
41         target_el = 3;
42     }
43 
44     return target_el;
45 }
46 
raise_exception(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el)47 void raise_exception(CPUARMState *env, uint32_t excp,
48                      uint32_t syndrome, uint32_t target_el)
49 {
50     CPUState *cs = env_cpu(env);
51 
52     if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
53         /*
54          * Redirect NS EL1 exceptions to NS EL2. These are reported with
55          * their original syndrome register value, with the exception of
56          * SIMD/FP access traps, which are reported as uncategorized
57          * (see DDI0478C.a D1.10.4)
58          */
59         target_el = 2;
60         if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) {
61             syndrome = syn_uncategorized();
62         }
63     }
64 
65     assert(!excp_is_internal(excp));
66     cs->exception_index = excp;
67     env->exception.syndrome = syndrome;
68     env->exception.target_el = target_el;
69     cpu_loop_exit(cs);
70 }
71 
raise_exception_ra(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el,uintptr_t ra)72 void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome,
73                         uint32_t target_el, uintptr_t ra)
74 {
75     CPUState *cs = env_cpu(env);
76 
77     /*
78      * restore_state_to_opc() will set env->exception.syndrome, so
79      * we must restore CPU state here before setting the syndrome
80      * the caller passed us, and cannot use cpu_loop_exit_restore().
81      */
82     cpu_restore_state(cs, ra);
83     raise_exception(env, excp, syndrome, target_el);
84 }
85 
HELPER(neon_tbl)86 uint64_t HELPER(neon_tbl)(CPUARMState *env, uint32_t desc,
87                           uint64_t ireg, uint64_t def)
88 {
89     uint64_t tmp, val = 0;
90     uint32_t maxindex = ((desc & 3) + 1) * 8;
91     uint32_t base_reg = desc >> 2;
92     uint32_t shift, index, reg;
93 
94     for (shift = 0; shift < 64; shift += 8) {
95         index = (ireg >> shift) & 0xff;
96         if (index < maxindex) {
97             reg = base_reg + (index >> 3);
98             tmp = *aa32_vfp_dreg(env, reg);
99             tmp = ((tmp >> ((index & 7) << 3)) & 0xff) << shift;
100         } else {
101             tmp = def & (0xffull << shift);
102         }
103         val |= tmp;
104     }
105     return val;
106 }
107 
HELPER(v8m_stackcheck)108 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
109 {
110     /*
111      * Perform the v8M stack limit check for SP updates from translated code,
112      * raising an exception if the limit is breached.
113      */
114     if (newvalue < v7m_sp_limit(env)) {
115         /*
116          * Stack limit exceptions are a rare case, so rather than syncing
117          * PC/condbits before the call, we use raise_exception_ra() so
118          * that cpu_restore_state() will sort them out.
119          */
120         raise_exception_ra(env, EXCP_STKOF, 0, 1, GETPC());
121     }
122 }
123 
124 /* Sign/zero extend */
HELPER(sxtb16)125 uint32_t HELPER(sxtb16)(uint32_t x)
126 {
127     uint32_t res;
128     res = (uint16_t)(int8_t)x;
129     res |= (uint32_t)(int8_t)(x >> 16) << 16;
130     return res;
131 }
132 
handle_possible_div0_trap(CPUARMState * env,uintptr_t ra)133 static void handle_possible_div0_trap(CPUARMState *env, uintptr_t ra)
134 {
135     /*
136      * Take a division-by-zero exception if necessary; otherwise return
137      * to get the usual non-trapping division behaviour (result of 0)
138      */
139     if (arm_feature(env, ARM_FEATURE_M)
140         && (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_DIV_0_TRP_MASK)) {
141         raise_exception_ra(env, EXCP_DIVBYZERO, 0, 1, ra);
142     }
143 }
144 
HELPER(uxtb16)145 uint32_t HELPER(uxtb16)(uint32_t x)
146 {
147     uint32_t res;
148     res = (uint16_t)(uint8_t)x;
149     res |= (uint32_t)(uint8_t)(x >> 16) << 16;
150     return res;
151 }
152 
HELPER(sdiv)153 int32_t HELPER(sdiv)(CPUARMState *env, int32_t num, int32_t den)
154 {
155     if (den == 0) {
156         handle_possible_div0_trap(env, GETPC());
157         return 0;
158     }
159     if (num == INT_MIN && den == -1) {
160         return INT_MIN;
161     }
162     return num / den;
163 }
164 
HELPER(udiv)165 uint32_t HELPER(udiv)(CPUARMState *env, uint32_t num, uint32_t den)
166 {
167     if (den == 0) {
168         handle_possible_div0_trap(env, GETPC());
169         return 0;
170     }
171     return num / den;
172 }
173 
HELPER(rbit)174 uint32_t HELPER(rbit)(uint32_t x)
175 {
176     return revbit32(x);
177 }
178 
HELPER(add_setq)179 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
180 {
181     uint32_t res = a + b;
182     if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
183         env->QF = 1;
184     return res;
185 }
186 
HELPER(add_saturate)187 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
188 {
189     uint32_t res = a + b;
190     if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
191         env->QF = 1;
192         res = ~(((int32_t)a >> 31) ^ SIGNBIT);
193     }
194     return res;
195 }
196 
HELPER(sub_saturate)197 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
198 {
199     uint32_t res = a - b;
200     if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
201         env->QF = 1;
202         res = ~(((int32_t)a >> 31) ^ SIGNBIT);
203     }
204     return res;
205 }
206 
HELPER(add_usaturate)207 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
208 {
209     uint32_t res = a + b;
210     if (res < a) {
211         env->QF = 1;
212         res = ~0;
213     }
214     return res;
215 }
216 
HELPER(sub_usaturate)217 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
218 {
219     uint32_t res = a - b;
220     if (res > a) {
221         env->QF = 1;
222         res = 0;
223     }
224     return res;
225 }
226 
227 /* Signed saturation.  */
do_ssat(CPUARMState * env,int32_t val,int shift)228 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
229 {
230     int32_t top;
231     uint32_t mask;
232 
233     top = val >> shift;
234     mask = (1u << shift) - 1;
235     if (top > 0) {
236         env->QF = 1;
237         return mask;
238     } else if (top < -1) {
239         env->QF = 1;
240         return ~mask;
241     }
242     return val;
243 }
244 
245 /* Unsigned saturation.  */
do_usat(CPUARMState * env,int32_t val,int shift)246 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
247 {
248     uint32_t max;
249 
250     max = (1u << shift) - 1;
251     if (val < 0) {
252         env->QF = 1;
253         return 0;
254     } else if (val > max) {
255         env->QF = 1;
256         return max;
257     }
258     return val;
259 }
260 
261 /* Signed saturate.  */
HELPER(ssat)262 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
263 {
264     return do_ssat(env, x, shift);
265 }
266 
267 /* Dual halfword signed saturate.  */
HELPER(ssat16)268 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
269 {
270     uint32_t res;
271 
272     res = (uint16_t)do_ssat(env, (int16_t)x, shift);
273     res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
274     return res;
275 }
276 
277 /* Unsigned saturate.  */
HELPER(usat)278 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
279 {
280     return do_usat(env, x, shift);
281 }
282 
283 /* Dual halfword unsigned saturate.  */
HELPER(usat16)284 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
285 {
286     uint32_t res;
287 
288     res = (uint16_t)do_usat(env, (int16_t)x, shift);
289     res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
290     return res;
291 }
292 
HELPER(setend)293 void HELPER(setend)(CPUARMState *env)
294 {
295     env->uncached_cpsr ^= CPSR_E;
296     arm_rebuild_hflags(env);
297 }
298 
HELPER(check_bxj_trap)299 void HELPER(check_bxj_trap)(CPUARMState *env, uint32_t rm)
300 {
301     /*
302      * Only called if in NS EL0 or EL1 for a BXJ for a v7A CPU;
303      * check if HSTR.TJDBX means we need to trap to EL2.
304      */
305     if (env->cp15.hstr_el2 & HSTR_TJDBX) {
306         /*
307          * We know the condition code check passed, so take the IMPDEF
308          * choice to always report CV=1 COND 0xe
309          */
310         uint32_t syn = syn_bxjtrap(1, 0xe, rm);
311         raise_exception_ra(env, EXCP_HYP_TRAP, syn, 2, GETPC());
312     }
313 }
314 
315 #ifndef CONFIG_USER_ONLY
316 /*
317  * Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
318  * The function returns the target EL (1-3) if the instruction is to be trapped;
319  * otherwise it returns 0 indicating it is not trapped.
320  * For a trap, *excp is updated with the EXCP_* trap type to use.
321  */
check_wfx_trap(CPUARMState * env,bool is_wfe,uint32_t * excp)322 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe, uint32_t *excp)
323 {
324     int cur_el = arm_current_el(env);
325     uint64_t mask;
326 
327     *excp = EXCP_UDEF;
328 
329     if (arm_feature(env, ARM_FEATURE_M)) {
330         /* M profile cores can never trap WFI/WFE. */
331         return 0;
332     }
333 
334     /* If we are currently in EL0 then we need to check if SCTLR is set up for
335      * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
336      */
337     if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
338         mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
339         if (!(arm_sctlr(env, cur_el) & mask)) {
340             return exception_target_el(env);
341         }
342     }
343 
344     /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
345      * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
346      * bits will be zero indicating no trap.
347      */
348     if (cur_el < 2) {
349         mask = is_wfe ? HCR_TWE : HCR_TWI;
350         if (arm_hcr_el2_eff(env) & mask) {
351             return 2;
352         }
353     }
354 
355     /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
356     if (arm_feature(env, ARM_FEATURE_V8) && !arm_is_el3_or_mon(env)) {
357         mask = (is_wfe) ? SCR_TWE : SCR_TWI;
358         if (env->cp15.scr_el3 & mask) {
359             if (!arm_el_is_aa64(env, 3)) {
360                 *excp = EXCP_MON_TRAP;
361             }
362             return 3;
363         }
364     }
365 
366     return 0;
367 }
368 #endif
369 
HELPER(wfi)370 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
371 {
372 #ifdef CONFIG_USER_ONLY
373     /*
374      * WFI in the user-mode emulator is technically permitted but not
375      * something any real-world code would do. AArch64 Linux kernels
376      * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
377      * AArch32 kernels don't trap it so it will delay a bit.
378      * For QEMU, make it NOP here, because trying to raise EXCP_HLT
379      * would trigger an abort.
380      */
381     return;
382 #else
383     CPUState *cs = env_cpu(env);
384     uint32_t excp;
385     int target_el = check_wfx_trap(env, false, &excp);
386 
387     if (cpu_has_work(cs)) {
388         /* Don't bother to go into our "low power state" if
389          * we would just wake up immediately.
390          */
391         return;
392     }
393 
394     if (target_el) {
395         if (env->aarch64) {
396             env->pc -= insn_len;
397         } else {
398             env->regs[15] -= insn_len;
399         }
400 
401         raise_exception(env, excp, syn_wfx(1, 0xe, 0, insn_len == 2),
402                         target_el);
403     }
404 
405     cs->exception_index = EXCP_HLT;
406     cs->halted = 1;
407     cpu_loop_exit(cs);
408 #endif
409 }
410 
HELPER(wfit)411 void HELPER(wfit)(CPUARMState *env, uint64_t timeout)
412 {
413 #ifdef CONFIG_USER_ONLY
414     /*
415      * WFI in the user-mode emulator is technically permitted but not
416      * something any real-world code would do. AArch64 Linux kernels
417      * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
418      * AArch32 kernels don't trap it so it will delay a bit.
419      * For QEMU, make it NOP here, because trying to raise EXCP_HLT
420      * would trigger an abort.
421      */
422     return;
423 #else
424     ARMCPU *cpu = env_archcpu(env);
425     CPUState *cs = env_cpu(env);
426     uint32_t excp;
427     int target_el = check_wfx_trap(env, false, &excp);
428     /* The WFIT should time out when CNTVCT_EL0 >= the specified value. */
429     uint64_t cntval = gt_get_countervalue(env);
430     /*
431      * We want the value that we would get if we read CNTVCT_EL0 from
432      * the current exception level, so the direct_access offset, not
433      * the indirect_access one. Compare the pseudocode LocalTimeoutEvent(),
434      * which calls VirtualCounterTimer().
435      */
436     uint64_t offset = gt_direct_access_timer_offset(env, GTIMER_VIRT);
437     uint64_t cntvct = cntval - offset;
438     uint64_t nexttick;
439 
440     if (cpu_has_work(cs) || cntvct >= timeout) {
441         /*
442          * Don't bother to go into our "low power state" if
443          * we would just wake up immediately.
444          */
445         return;
446     }
447 
448     if (target_el) {
449         env->pc -= 4;
450         raise_exception(env, excp, syn_wfx(1, 0xe, 0, false), target_el);
451     }
452 
453     if (uadd64_overflow(timeout, offset, &nexttick)) {
454         nexttick = UINT64_MAX;
455     }
456     if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
457         /*
458          * If the timeout is too long for the signed 64-bit range
459          * of a QEMUTimer, let it expire early.
460          */
461         timer_mod_ns(cpu->wfxt_timer, INT64_MAX);
462     } else {
463         timer_mod(cpu->wfxt_timer, nexttick);
464     }
465     cs->exception_index = EXCP_HLT;
466     cs->halted = 1;
467     cpu_loop_exit(cs);
468 #endif
469 }
470 
HELPER(wfe)471 void HELPER(wfe)(CPUARMState *env)
472 {
473     /* This is a hint instruction that is semantically different
474      * from YIELD even though we currently implement it identically.
475      * Don't actually halt the CPU, just yield back to top
476      * level loop. This is not going into a "low power state"
477      * (ie halting until some event occurs), so we never take
478      * a configurable trap to a different exception level.
479      */
480     HELPER(yield)(env);
481 }
482 
HELPER(yield)483 void HELPER(yield)(CPUARMState *env)
484 {
485     CPUState *cs = env_cpu(env);
486 
487     /* This is a non-trappable hint instruction that generally indicates
488      * that the guest is currently busy-looping. Yield control back to the
489      * top level loop so that a more deserving VCPU has a chance to run.
490      */
491     cs->exception_index = EXCP_YIELD;
492     cpu_loop_exit(cs);
493 }
494 
495 /* Raise an internal-to-QEMU exception. This is limited to only
496  * those EXCP values which are special cases for QEMU to interrupt
497  * execution and not to be used for exceptions which are passed to
498  * the guest (those must all have syndrome information and thus should
499  * use exception_with_syndrome*).
500  */
HELPER(exception_internal)501 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
502 {
503     CPUState *cs = env_cpu(env);
504 
505     assert(excp_is_internal(excp));
506     cs->exception_index = excp;
507     cpu_loop_exit(cs);
508 }
509 
510 /* Raise an exception with the specified syndrome register value */
HELPER(exception_with_syndrome_el)511 void HELPER(exception_with_syndrome_el)(CPUARMState *env, uint32_t excp,
512                                         uint32_t syndrome, uint32_t target_el)
513 {
514     raise_exception(env, excp, syndrome, target_el);
515 }
516 
517 /*
518  * Raise an exception with the specified syndrome register value
519  * to the default target el.
520  */
HELPER(exception_with_syndrome)521 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
522                                      uint32_t syndrome)
523 {
524     raise_exception(env, excp, syndrome, exception_target_el(env));
525 }
526 
HELPER(cpsr_read)527 uint32_t HELPER(cpsr_read)(CPUARMState *env)
528 {
529     return cpsr_read(env) & ~CPSR_EXEC;
530 }
531 
HELPER(cpsr_write)532 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
533 {
534     cpsr_write(env, val, mask, CPSRWriteByInstr);
535     /* TODO: Not all cpsr bits are relevant to hflags.  */
536     arm_rebuild_hflags(env);
537 }
538 
539 /* Write the CPSR for a 32-bit exception return */
HELPER(cpsr_write_eret)540 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
541 {
542     uint32_t mask;
543 
544     bql_lock();
545     arm_call_pre_el_change_hook(env_archcpu(env));
546     bql_unlock();
547 
548     mask = aarch32_cpsr_valid_mask(env->features, &env_archcpu(env)->isar);
549     cpsr_write(env, val, mask, CPSRWriteExceptionReturn);
550 
551     /* Generated code has already stored the new PC value, but
552      * without masking out its low bits, because which bits need
553      * masking depends on whether we're returning to Thumb or ARM
554      * state. Do the masking now.
555      */
556     env->regs[15] &= (env->thumb ? ~1 : ~3);
557     arm_rebuild_hflags(env);
558 
559     bql_lock();
560     arm_call_el_change_hook(env_archcpu(env));
561     bql_unlock();
562 }
563 
564 /* Access to user mode registers from privileged modes.  */
HELPER(get_user_reg)565 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
566 {
567     uint32_t val;
568 
569     if (regno == 13) {
570         val = env->banked_r13[BANK_USRSYS];
571     } else if (regno == 14) {
572         val = env->banked_r14[BANK_USRSYS];
573     } else if (regno >= 8
574                && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
575         val = env->usr_regs[regno - 8];
576     } else {
577         val = env->regs[regno];
578     }
579     return val;
580 }
581 
HELPER(set_user_reg)582 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
583 {
584     if (regno == 13) {
585         env->banked_r13[BANK_USRSYS] = val;
586     } else if (regno == 14) {
587         env->banked_r14[BANK_USRSYS] = val;
588     } else if (regno >= 8
589                && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
590         env->usr_regs[regno - 8] = val;
591     } else {
592         env->regs[regno] = val;
593     }
594 }
595 
HELPER(set_r13_banked)596 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
597 {
598     if ((env->uncached_cpsr & CPSR_M) == mode) {
599         env->regs[13] = val;
600     } else {
601         env->banked_r13[bank_number(mode)] = val;
602     }
603 }
604 
HELPER(get_r13_banked)605 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
606 {
607     if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
608         /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
609          * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
610          */
611         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
612                         exception_target_el(env));
613     }
614 
615     if ((env->uncached_cpsr & CPSR_M) == mode) {
616         return env->regs[13];
617     } else {
618         return env->banked_r13[bank_number(mode)];
619     }
620 }
621 
msr_mrs_banked_exc_checks(CPUARMState * env,uint32_t tgtmode,uint32_t regno)622 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
623                                       uint32_t regno)
624 {
625     /* Raise an exception if the requested access is one of the UNPREDICTABLE
626      * cases; otherwise return. This broadly corresponds to the pseudocode
627      * BankedRegisterAccessValid() and SPSRAccessValid(),
628      * except that we have already handled some cases at translate time.
629      */
630     int curmode = env->uncached_cpsr & CPSR_M;
631 
632     if (tgtmode == ARM_CPU_MODE_HYP) {
633         /*
634          * Handle Hyp target regs first because some are special cases
635          * which don't want the usual "not accessible from tgtmode" check.
636          */
637         switch (regno) {
638         case 16 ... 17: /* ELR_Hyp, SPSR_Hyp */
639             if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
640                 goto undef;
641             }
642             break;
643         case 13:
644             if (curmode != ARM_CPU_MODE_MON) {
645                 goto undef;
646             }
647             break;
648         default:
649             g_assert_not_reached();
650         }
651         return;
652     }
653 
654     if (curmode == tgtmode) {
655         goto undef;
656     }
657 
658     if (tgtmode == ARM_CPU_MODE_USR) {
659         switch (regno) {
660         case 8 ... 12:
661             if (curmode != ARM_CPU_MODE_FIQ) {
662                 goto undef;
663             }
664             break;
665         case 13:
666             if (curmode == ARM_CPU_MODE_SYS) {
667                 goto undef;
668             }
669             break;
670         case 14:
671             if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
672                 goto undef;
673             }
674             break;
675         default:
676             break;
677         }
678     }
679 
680     return;
681 
682 undef:
683     raise_exception(env, EXCP_UDEF, syn_uncategorized(),
684                     exception_target_el(env));
685 }
686 
HELPER(msr_banked)687 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
688                         uint32_t regno)
689 {
690     msr_mrs_banked_exc_checks(env, tgtmode, regno);
691 
692     switch (regno) {
693     case 16: /* SPSRs */
694         if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
695             /* Only happens for SPSR_Hyp access in Hyp mode */
696             env->spsr = value;
697         } else {
698             env->banked_spsr[bank_number(tgtmode)] = value;
699         }
700         break;
701     case 17: /* ELR_Hyp */
702         env->elr_el[2] = value;
703         break;
704     case 13:
705         env->banked_r13[bank_number(tgtmode)] = value;
706         break;
707     case 14:
708         env->banked_r14[r14_bank_number(tgtmode)] = value;
709         break;
710     case 8 ... 12:
711         switch (tgtmode) {
712         case ARM_CPU_MODE_USR:
713             env->usr_regs[regno - 8] = value;
714             break;
715         case ARM_CPU_MODE_FIQ:
716             env->fiq_regs[regno - 8] = value;
717             break;
718         default:
719             g_assert_not_reached();
720         }
721         break;
722     default:
723         g_assert_not_reached();
724     }
725 }
726 
HELPER(mrs_banked)727 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
728 {
729     msr_mrs_banked_exc_checks(env, tgtmode, regno);
730 
731     switch (regno) {
732     case 16: /* SPSRs */
733         if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
734             /* Only happens for SPSR_Hyp access in Hyp mode */
735             return env->spsr;
736         } else {
737             return env->banked_spsr[bank_number(tgtmode)];
738         }
739     case 17: /* ELR_Hyp */
740         return env->elr_el[2];
741     case 13:
742         return env->banked_r13[bank_number(tgtmode)];
743     case 14:
744         return env->banked_r14[r14_bank_number(tgtmode)];
745     case 8 ... 12:
746         switch (tgtmode) {
747         case ARM_CPU_MODE_USR:
748             return env->usr_regs[regno - 8];
749         case ARM_CPU_MODE_FIQ:
750             return env->fiq_regs[regno - 8];
751         default:
752             g_assert_not_reached();
753         }
754     default:
755         g_assert_not_reached();
756     }
757 }
758 
HELPER(access_check_cp_reg)759 const void *HELPER(access_check_cp_reg)(CPUARMState *env, uint32_t key,
760                                         uint32_t syndrome, uint32_t isread)
761 {
762     ARMCPU *cpu = env_archcpu(env);
763     const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
764     CPAccessResult res = CP_ACCESS_OK;
765     int target_el;
766     uint32_t excp;
767 
768     assert(ri != NULL);
769 
770     if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
771         && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
772         res = CP_ACCESS_TRAP;
773         goto fail;
774     }
775 
776     if (ri->accessfn) {
777         res = ri->accessfn(env, ri, isread);
778     }
779 
780     /*
781      * If the access function indicates a trap from EL0 to EL1 then
782      * that always takes priority over the HSTR_EL2 trap. (If it indicates
783      * a trap to EL3, then the HSTR_EL2 trap takes priority; if it indicates
784      * a trap to EL2, then the syndrome is the same either way so we don't
785      * care whether technically the architecture says that HSTR_EL2 trap or
786      * the other trap takes priority. So we take the "check HSTR_EL2" path
787      * for all of those cases.)
788      */
789     if (res != CP_ACCESS_OK && ((res & CP_ACCESS_EL_MASK) == 0) &&
790         arm_current_el(env) == 0) {
791         goto fail;
792     }
793 
794     /*
795      * HSTR_EL2 traps from EL1 are checked earlier, in generated code;
796      * we only need to check here for traps from EL0.
797      */
798     if (!is_a64(env) && arm_current_el(env) == 0 && ri->cp == 15 &&
799         arm_is_el2_enabled(env) &&
800         (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
801         uint32_t mask = 1 << ri->crn;
802 
803         if (ri->type & ARM_CP_64BIT) {
804             mask = 1 << ri->crm;
805         }
806 
807         /* T4 and T14 are RES0 */
808         mask &= ~((1 << 4) | (1 << 14));
809 
810         if (env->cp15.hstr_el2 & mask) {
811             res = CP_ACCESS_TRAP_EL2;
812             goto fail;
813         }
814     }
815 
816     /*
817      * Fine-grained traps also are lower priority than undef-to-EL1,
818      * higher priority than trap-to-EL3, and we don't care about priority
819      * order with other EL2 traps because the syndrome value is the same.
820      */
821     if (arm_fgt_active(env, arm_current_el(env))) {
822         uint64_t trapword = 0;
823         unsigned int idx = FIELD_EX32(ri->fgt, FGT, IDX);
824         unsigned int bitpos = FIELD_EX32(ri->fgt, FGT, BITPOS);
825         bool rev = FIELD_EX32(ri->fgt, FGT, REV);
826         bool trapbit;
827 
828         if (ri->fgt & FGT_EXEC) {
829             assert(idx < ARRAY_SIZE(env->cp15.fgt_exec));
830             trapword = env->cp15.fgt_exec[idx];
831         } else if (isread && (ri->fgt & FGT_R)) {
832             assert(idx < ARRAY_SIZE(env->cp15.fgt_read));
833             trapword = env->cp15.fgt_read[idx];
834         } else if (!isread && (ri->fgt & FGT_W)) {
835             assert(idx < ARRAY_SIZE(env->cp15.fgt_write));
836             trapword = env->cp15.fgt_write[idx];
837         }
838 
839         trapbit = extract64(trapword, bitpos, 1);
840         if (trapbit != rev) {
841             res = CP_ACCESS_TRAP_EL2;
842             goto fail;
843         }
844     }
845 
846     if (likely(res == CP_ACCESS_OK)) {
847         return ri;
848     }
849 
850  fail:
851     excp = EXCP_UDEF;
852     switch (res & ~CP_ACCESS_EL_MASK) {
853     case CP_ACCESS_TRAP:
854         /*
855          * If EL3 is AArch32 then there's no syndrome register; the cases
856          * where we would raise a SystemAccessTrap to AArch64 EL3 all become
857          * raising a Monitor trap exception. (Because there's no visible
858          * syndrome it doesn't matter what we pass to raise_exception().)
859          */
860         if ((res & CP_ACCESS_EL_MASK) == 3 && !arm_el_is_aa64(env, 3)) {
861             excp = EXCP_MON_TRAP;
862         }
863         break;
864     case CP_ACCESS_TRAP_UNCATEGORIZED:
865         /* Only CP_ACCESS_TRAP traps are direct to a specified EL */
866         assert((res & CP_ACCESS_EL_MASK) == 0);
867         if (cpu_isar_feature(aa64_ids, cpu) && isread &&
868             arm_cpreg_in_idspace(ri)) {
869             /*
870              * FEAT_IDST says this should be reported as EC_SYSTEMREGISTERTRAP,
871              * not EC_UNCATEGORIZED
872              */
873             break;
874         }
875         syndrome = syn_uncategorized();
876         break;
877     default:
878         g_assert_not_reached();
879     }
880 
881     target_el = res & CP_ACCESS_EL_MASK;
882     switch (target_el) {
883     case 0:
884         target_el = exception_target_el(env);
885         break;
886     case 2:
887         assert(arm_current_el(env) != 3);
888         assert(arm_is_el2_enabled(env));
889         break;
890     case 3:
891         assert(arm_feature(env, ARM_FEATURE_EL3));
892         break;
893     default:
894         /* No "direct" traps to EL1 */
895         g_assert_not_reached();
896     }
897 
898     raise_exception(env, excp, syndrome, target_el);
899 }
900 
HELPER(lookup_cp_reg)901 const void *HELPER(lookup_cp_reg)(CPUARMState *env, uint32_t key)
902 {
903     ARMCPU *cpu = env_archcpu(env);
904     const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
905 
906     assert(ri != NULL);
907     return ri;
908 }
909 
910 /*
911  * Test for HCR_EL2.TIDCP at EL1.
912  * Since implementation defined registers are rare, and within QEMU
913  * most of them are no-op, do not waste HFLAGS space for this and
914  * always use a helper.
915  */
HELPER(tidcp_el1)916 void HELPER(tidcp_el1)(CPUARMState *env, uint32_t syndrome)
917 {
918     if (arm_hcr_el2_eff(env) & HCR_TIDCP) {
919         raise_exception_ra(env, EXCP_UDEF, syndrome, 2, GETPC());
920     }
921 }
922 
923 /*
924  * Similarly, for FEAT_TIDCP1 at EL0.
925  * We have already checked for the presence of the feature.
926  */
HELPER(tidcp_el0)927 void HELPER(tidcp_el0)(CPUARMState *env, uint32_t syndrome)
928 {
929     /* See arm_sctlr(), but we also need the sctlr el. */
930     ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
931     int target_el;
932 
933     switch (mmu_idx) {
934     case ARMMMUIdx_E20_0:
935         target_el = 2;
936         break;
937     case ARMMMUIdx_E30_0:
938         target_el = 3;
939         break;
940     default:
941         target_el = 1;
942         break;
943     }
944 
945     /*
946      * The bit is not valid unless the target el is aa64, but since the
947      * bit test is simpler perform that first and check validity after.
948      */
949     if ((env->cp15.sctlr_el[target_el] & SCTLR_TIDCP)
950         && arm_el_is_aa64(env, target_el)) {
951         raise_exception_ra(env, EXCP_UDEF, syndrome, target_el, GETPC());
952     }
953 }
954 
HELPER(set_cp_reg)955 void HELPER(set_cp_reg)(CPUARMState *env, const void *rip, uint32_t value)
956 {
957     const ARMCPRegInfo *ri = rip;
958 
959     if (ri->type & ARM_CP_IO) {
960         bql_lock();
961         ri->writefn(env, ri, value);
962         bql_unlock();
963     } else {
964         ri->writefn(env, ri, value);
965     }
966 }
967 
HELPER(get_cp_reg)968 uint32_t HELPER(get_cp_reg)(CPUARMState *env, const void *rip)
969 {
970     const ARMCPRegInfo *ri = rip;
971     uint32_t res;
972 
973     if (ri->type & ARM_CP_IO) {
974         bql_lock();
975         res = ri->readfn(env, ri);
976         bql_unlock();
977     } else {
978         res = ri->readfn(env, ri);
979     }
980 
981     return res;
982 }
983 
HELPER(set_cp_reg64)984 void HELPER(set_cp_reg64)(CPUARMState *env, const void *rip, uint64_t value)
985 {
986     const ARMCPRegInfo *ri = rip;
987 
988     if (ri->type & ARM_CP_IO) {
989         bql_lock();
990         ri->writefn(env, ri, value);
991         bql_unlock();
992     } else {
993         ri->writefn(env, ri, value);
994     }
995 }
996 
HELPER(get_cp_reg64)997 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, const void *rip)
998 {
999     const ARMCPRegInfo *ri = rip;
1000     uint64_t res;
1001 
1002     if (ri->type & ARM_CP_IO) {
1003         bql_lock();
1004         res = ri->readfn(env, ri);
1005         bql_unlock();
1006     } else {
1007         res = ri->readfn(env, ri);
1008     }
1009 
1010     return res;
1011 }
1012 
HELPER(pre_hvc)1013 void HELPER(pre_hvc)(CPUARMState *env)
1014 {
1015     ARMCPU *cpu = env_archcpu(env);
1016     int cur_el = arm_current_el(env);
1017     /* FIXME: Use actual secure state.  */
1018     bool secure = false;
1019     bool undef;
1020 
1021     if (arm_is_psci_call(cpu, EXCP_HVC)) {
1022         /* If PSCI is enabled and this looks like a valid PSCI call then
1023          * that overrides the architecturally mandated HVC behaviour.
1024          */
1025         return;
1026     }
1027 
1028     if (!arm_feature(env, ARM_FEATURE_EL2)) {
1029         /* If EL2 doesn't exist, HVC always UNDEFs */
1030         undef = true;
1031     } else if (arm_feature(env, ARM_FEATURE_EL3)) {
1032         /* EL3.HCE has priority over EL2.HCD. */
1033         undef = !(env->cp15.scr_el3 & SCR_HCE);
1034     } else {
1035         undef = env->cp15.hcr_el2 & HCR_HCD;
1036     }
1037 
1038     /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
1039      * For ARMv8/AArch64, HVC is allowed in EL3.
1040      * Note that we've already trapped HVC from EL0 at translation
1041      * time.
1042      */
1043     if (secure && (!is_a64(env) || cur_el == 1)) {
1044         undef = true;
1045     }
1046 
1047     if (undef) {
1048         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1049                         exception_target_el(env));
1050     }
1051 }
1052 
HELPER(pre_smc)1053 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
1054 {
1055     ARMCPU *cpu = env_archcpu(env);
1056     int cur_el = arm_current_el(env);
1057     bool secure = arm_is_secure(env);
1058     bool smd_flag = env->cp15.scr_el3 & SCR_SMD;
1059 
1060     /*
1061      * SMC behaviour is summarized in the following table.
1062      * This helper handles the "Trap to EL2" and "Undef insn" cases.
1063      * The "Trap to EL3" and "PSCI call" cases are handled in the exception
1064      * helper.
1065      *
1066      *  -> ARM_FEATURE_EL3 and !SMD
1067      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1068      *
1069      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1070      *  Conduit SMC, inval call  Trap to EL2         Trap to EL3
1071      *  Conduit not SMC          Trap to EL2         Trap to EL3
1072      *
1073      *
1074      *  -> ARM_FEATURE_EL3 and SMD
1075      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1076      *
1077      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1078      *  Conduit SMC, inval call  Trap to EL2         Undef insn
1079      *  Conduit not SMC          Trap to EL2         Undef insn
1080      *
1081      *
1082      *  -> !ARM_FEATURE_EL3
1083      *                           HCR_TSC && NS EL1   !HCR_TSC || !NS EL1
1084      *
1085      *  Conduit SMC, valid call  Trap to EL2         PSCI Call
1086      *  Conduit SMC, inval call  Trap to EL2         Undef insn
1087      *  Conduit not SMC          Undef or trap[1]    Undef insn
1088      *
1089      * [1] In this case:
1090      *  - if HCR_EL2.NV == 1 we must trap to EL2
1091      *  - if HCR_EL2.NV == 0 then newer architecture revisions permit
1092      *    AArch64 (but not AArch32) to trap to EL2 as an IMPDEF choice
1093      *  - otherwise we must UNDEF
1094      * We take the IMPDEF choice to always UNDEF if HCR_EL2.NV == 0.
1095      */
1096 
1097     /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
1098      * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
1099      *  extensions, SMD only applies to NS state.
1100      * On ARMv7 without the Virtualization extensions, the SMD bit
1101      * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
1102      * so we need not special case this here.
1103      */
1104     bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag
1105                                                      : smd_flag && !secure;
1106 
1107     if (!arm_feature(env, ARM_FEATURE_EL3) &&
1108         !(arm_hcr_el2_eff(env) & HCR_NV) &&
1109         cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
1110         /*
1111          * If we have no EL3 then traditionally SMC always UNDEFs and can't be
1112          * trapped to EL2. For nested virtualization, SMC can be trapped to
1113          * the outer hypervisor. PSCI-via-SMC is a sort of ersatz EL3
1114          * firmware within QEMU, and we want an EL2 guest to be able
1115          * to forbid its EL1 from making PSCI calls into QEMU's
1116          * "firmware" via HCR.TSC, so for these purposes treat
1117          * PSCI-via-SMC as implying an EL3.
1118          * This handles the very last line of the previous table.
1119          */
1120         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1121                         exception_target_el(env));
1122     }
1123 
1124     if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
1125         /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
1126          * We also want an EL2 guest to be able to forbid its EL1 from
1127          * making PSCI calls into QEMU's "firmware" via HCR.TSC.
1128          * This handles all the "Trap to EL2" cases of the previous table.
1129          */
1130         raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
1131     }
1132 
1133     /* Catch the two remaining "Undef insn" cases of the previous table:
1134      *    - PSCI conduit is SMC but we don't have a valid PCSI call,
1135      *    - We don't have EL3 or SMD is set.
1136      */
1137     if (!arm_is_psci_call(cpu, EXCP_SMC) &&
1138         (smd || !arm_feature(env, ARM_FEATURE_EL3))) {
1139         raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1140                         exception_target_el(env));
1141     }
1142 }
1143 
1144 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1145    The only way to do that in TCG is a conditional branch, which clobbers
1146    all our temporaries.  For now implement these as helper functions.  */
1147 
1148 /* Similarly for variable shift instructions.  */
1149 
HELPER(shl_cc)1150 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1151 {
1152     int shift = i & 0xff;
1153     if (shift >= 32) {
1154         if (shift == 32)
1155             env->CF = x & 1;
1156         else
1157             env->CF = 0;
1158         return 0;
1159     } else if (shift != 0) {
1160         env->CF = (x >> (32 - shift)) & 1;
1161         return x << shift;
1162     }
1163     return x;
1164 }
1165 
HELPER(shr_cc)1166 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1167 {
1168     int shift = i & 0xff;
1169     if (shift >= 32) {
1170         if (shift == 32)
1171             env->CF = (x >> 31) & 1;
1172         else
1173             env->CF = 0;
1174         return 0;
1175     } else if (shift != 0) {
1176         env->CF = (x >> (shift - 1)) & 1;
1177         return x >> shift;
1178     }
1179     return x;
1180 }
1181 
HELPER(sar_cc)1182 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1183 {
1184     int shift = i & 0xff;
1185     if (shift >= 32) {
1186         env->CF = (x >> 31) & 1;
1187         return (int32_t)x >> 31;
1188     } else if (shift != 0) {
1189         env->CF = (x >> (shift - 1)) & 1;
1190         return (int32_t)x >> shift;
1191     }
1192     return x;
1193 }
1194 
HELPER(ror_cc)1195 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1196 {
1197     int shift1, shift;
1198     shift1 = i & 0xff;
1199     shift = shift1 & 0x1f;
1200     if (shift == 0) {
1201         if (shift1 != 0)
1202             env->CF = (x >> 31) & 1;
1203         return x;
1204     } else {
1205         env->CF = (x >> (shift - 1)) & 1;
1206         return ((uint32_t)x >> shift) | (x << (32 - shift));
1207     }
1208 }
1209 
HELPER(probe_access)1210 void HELPER(probe_access)(CPUARMState *env, target_ulong ptr,
1211                           uint32_t access_type, uint32_t mmu_idx,
1212                           uint32_t size)
1213 {
1214     uint32_t in_page = -((uint32_t)ptr | TARGET_PAGE_SIZE);
1215     uintptr_t ra = GETPC();
1216 
1217     if (likely(size <= in_page)) {
1218         probe_access(env, ptr, size, access_type, mmu_idx, ra);
1219     } else {
1220         probe_access(env, ptr, in_page, access_type, mmu_idx, ra);
1221         probe_access(env, ptr + in_page, size - in_page,
1222                      access_type, mmu_idx, ra);
1223     }
1224 }
1225 
1226 /*
1227  * This function corresponds to AArch64.vESBOperation().
1228  * Note that the AArch32 version is not functionally different.
1229  */
HELPER(vesb)1230 void HELPER(vesb)(CPUARMState *env)
1231 {
1232     /*
1233      * The EL2Enabled() check is done inside arm_hcr_el2_eff,
1234      * and will return HCR_EL2.VSE == 0, so nothing happens.
1235      */
1236     uint64_t hcr = arm_hcr_el2_eff(env);
1237     bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO);
1238     bool pending = enabled && (hcr & HCR_VSE);
1239     bool masked  = (env->daif & PSTATE_A);
1240 
1241     /* If VSE pending and masked, defer the exception.  */
1242     if (pending && masked) {
1243         uint32_t syndrome;
1244 
1245         if (arm_el_is_aa64(env, 1)) {
1246             /* Copy across IDS and ISS from VSESR. */
1247             syndrome = env->cp15.vsesr_el2 & 0x1ffffff;
1248         } else {
1249             ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal };
1250 
1251             if (extended_addresses_enabled(env)) {
1252                 syndrome = arm_fi_to_lfsc(&fi);
1253             } else {
1254                 syndrome = arm_fi_to_sfsc(&fi);
1255             }
1256             /* Copy across AET and ExT from VSESR. */
1257             syndrome |= env->cp15.vsesr_el2 & 0xd000;
1258         }
1259 
1260         /* Set VDISR_EL2.A along with the syndrome. */
1261         env->cp15.vdisr_el2 = syndrome | (1u << 31);
1262 
1263         /* Clear pending virtual SError */
1264         env->cp15.hcr_el2 &= ~HCR_VSE;
1265         cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR);
1266     }
1267 }
1268