xref: /openbmc/qemu/target/avr/translate.c (revision af8c14a25477e0ea127ca66d5d9c0710da854906)
1 /*
2  * QEMU AVR CPU
3  *
4  * Copyright (c) 2019-2020 Michael Rolnik
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2.1 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see
18  * <http://www.gnu.org/licenses/lgpl-2.1.html>
19  */
20 
21 #include "qemu/osdep.h"
22 #include "qemu/qemu-print.h"
23 #include "tcg/tcg.h"
24 #include "cpu.h"
25 #include "exec/exec-all.h"
26 #include "tcg/tcg-op.h"
27 #include "exec/helper-proto.h"
28 #include "exec/helper-gen.h"
29 #include "exec/log.h"
30 #include "exec/translator.h"
31 
32 #define HELPER_H "helper.h"
33 #include "exec/helper-info.c.inc"
34 #undef  HELPER_H
35 
36 
37 /*
38  *  Define if you want a BREAK instruction translated to a breakpoint
39  *  Active debugging connection is assumed
40  *  This is for
41  *  https://github.com/seharris/qemu-avr-tests/tree/master/instruction-tests
42  *  tests
43  */
44 #undef BREAKPOINT_ON_BREAK
45 
46 static TCGv cpu_pc;
47 
48 static TCGv cpu_Cf;
49 static TCGv cpu_Zf;
50 static TCGv cpu_Nf;
51 static TCGv cpu_Vf;
52 static TCGv cpu_Sf;
53 static TCGv cpu_Hf;
54 static TCGv cpu_Tf;
55 static TCGv cpu_If;
56 
57 static TCGv cpu_rampD;
58 static TCGv cpu_rampX;
59 static TCGv cpu_rampY;
60 static TCGv cpu_rampZ;
61 
62 static TCGv cpu_r[NUMBER_OF_CPU_REGISTERS];
63 static TCGv cpu_eind;
64 static TCGv cpu_sp;
65 
66 static TCGv cpu_skip;
67 
68 static const char reg_names[NUMBER_OF_CPU_REGISTERS][8] = {
69     "r0",  "r1",  "r2",  "r3",  "r4",  "r5",  "r6",  "r7",
70     "r8",  "r9",  "r10", "r11", "r12", "r13", "r14", "r15",
71     "r16", "r17", "r18", "r19", "r20", "r21", "r22", "r23",
72     "r24", "r25", "r26", "r27", "r28", "r29", "r30", "r31",
73 };
74 #define REG(x) (cpu_r[x])
75 
76 #define DISAS_EXIT   DISAS_TARGET_0  /* We want return to the cpu main loop.  */
77 #define DISAS_LOOKUP DISAS_TARGET_1  /* We have a variable condition exit.  */
78 #define DISAS_CHAIN  DISAS_TARGET_2  /* We have a single condition exit.  */
79 
80 typedef struct DisasContext DisasContext;
81 
82 /* This is the state at translation time. */
83 struct DisasContext {
84     DisasContextBase base;
85 
86     CPUAVRState *env;
87     CPUState *cs;
88 
89     target_long npc;
90     uint32_t opcode;
91 
92     /* Routine used to access memory */
93     int memidx;
94 
95     /*
96      * some AVR instructions can make the following instruction to be skipped
97      * Let's name those instructions
98      *     A   - instruction that can skip the next one
99      *     B   - instruction that can be skipped. this depends on execution of A
100      * there are two scenarios
101      * 1. A and B belong to the same translation block
102      * 2. A is the last instruction in the translation block and B is the last
103      *
104      * following variables are used to simplify the skipping logic, they are
105      * used in the following manner (sketch)
106      *
107      * TCGLabel *skip_label = NULL;
108      * if (ctx->skip_cond != TCG_COND_NEVER) {
109      *     skip_label = gen_new_label();
110      *     tcg_gen_brcond_tl(skip_cond, skip_var0, skip_var1, skip_label);
111      * }
112      *
113      * translate(ctx);
114      *
115      * if (skip_label) {
116      *     gen_set_label(skip_label);
117      * }
118      */
119     TCGv skip_var0;
120     TCGv skip_var1;
121     TCGCond skip_cond;
122 };
123 
124 void avr_cpu_tcg_init(void)
125 {
126     int i;
127 
128 #define AVR_REG_OFFS(x) offsetof(CPUAVRState, x)
129     cpu_pc = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(pc_w), "pc");
130     cpu_Cf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregC), "Cf");
131     cpu_Zf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregZ), "Zf");
132     cpu_Nf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregN), "Nf");
133     cpu_Vf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregV), "Vf");
134     cpu_Sf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregS), "Sf");
135     cpu_Hf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregH), "Hf");
136     cpu_Tf = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregT), "Tf");
137     cpu_If = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sregI), "If");
138     cpu_rampD = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(rampD), "rampD");
139     cpu_rampX = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(rampX), "rampX");
140     cpu_rampY = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(rampY), "rampY");
141     cpu_rampZ = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(rampZ), "rampZ");
142     cpu_eind = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(eind), "eind");
143     cpu_sp = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(sp), "sp");
144     cpu_skip = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(skip), "skip");
145 
146     for (i = 0; i < NUMBER_OF_CPU_REGISTERS; i++) {
147         cpu_r[i] = tcg_global_mem_new_i32(tcg_env, AVR_REG_OFFS(r[i]),
148                                           reg_names[i]);
149     }
150 #undef AVR_REG_OFFS
151 }
152 
153 static int to_regs_16_31_by_one(DisasContext *ctx, int indx)
154 {
155     return 16 + (indx % 16);
156 }
157 
158 static int to_regs_16_23_by_one(DisasContext *ctx, int indx)
159 {
160     return 16 + (indx % 8);
161 }
162 
163 static int to_regs_24_30_by_two(DisasContext *ctx, int indx)
164 {
165     return 24 + (indx % 4) * 2;
166 }
167 
168 static int to_regs_00_30_by_two(DisasContext *ctx, int indx)
169 {
170     return (indx % 16) * 2;
171 }
172 
173 static uint16_t next_word(DisasContext *ctx)
174 {
175     return translator_lduw(ctx->env, &ctx->base, ctx->npc++ * 2);
176 }
177 
178 static int append_16(DisasContext *ctx, int x)
179 {
180     return x << 16 | next_word(ctx);
181 }
182 
183 static bool avr_have_feature(DisasContext *ctx, int feature)
184 {
185     if (!avr_feature(ctx->env, feature)) {
186         gen_helper_unsupported(tcg_env);
187         ctx->base.is_jmp = DISAS_NORETURN;
188         return false;
189     }
190     return true;
191 }
192 
193 static bool decode_insn(DisasContext *ctx, uint16_t insn);
194 #include "decode-insn.c.inc"
195 
196 /*
197  * Arithmetic Instructions
198  */
199 
200 /*
201  * Utility functions for updating status registers:
202  *
203  *   - gen_add_CHf()
204  *   - gen_add_Vf()
205  *   - gen_sub_CHf()
206  *   - gen_sub_Vf()
207  *   - gen_NSf()
208  *   - gen_ZNSf()
209  *
210  */
211 
212 static void gen_add_CHf(TCGv R, TCGv Rd, TCGv Rr)
213 {
214     TCGv t1 = tcg_temp_new_i32();
215     TCGv t2 = tcg_temp_new_i32();
216     TCGv t3 = tcg_temp_new_i32();
217 
218     tcg_gen_and_tl(t1, Rd, Rr); /* t1 = Rd & Rr */
219     tcg_gen_andc_tl(t2, Rd, R); /* t2 = Rd & ~R */
220     tcg_gen_andc_tl(t3, Rr, R); /* t3 = Rr & ~R */
221     tcg_gen_or_tl(t1, t1, t2); /* t1 = t1 | t2 | t3 */
222     tcg_gen_or_tl(t1, t1, t3);
223 
224     tcg_gen_shri_tl(cpu_Cf, t1, 7); /* Cf = t1(7) */
225     tcg_gen_shri_tl(cpu_Hf, t1, 3); /* Hf = t1(3) */
226     tcg_gen_andi_tl(cpu_Hf, cpu_Hf, 1);
227 }
228 
229 static void gen_add_Vf(TCGv R, TCGv Rd, TCGv Rr)
230 {
231     TCGv t1 = tcg_temp_new_i32();
232     TCGv t2 = tcg_temp_new_i32();
233 
234     /* t1 = Rd & Rr & ~R | ~Rd & ~Rr & R */
235     /*    = (Rd ^ R) & ~(Rd ^ Rr) */
236     tcg_gen_xor_tl(t1, Rd, R);
237     tcg_gen_xor_tl(t2, Rd, Rr);
238     tcg_gen_andc_tl(t1, t1, t2);
239 
240     tcg_gen_shri_tl(cpu_Vf, t1, 7); /* Vf = t1(7) */
241 }
242 
243 static void gen_sub_CHf(TCGv R, TCGv Rd, TCGv Rr)
244 {
245     TCGv t1 = tcg_temp_new_i32();
246     TCGv t2 = tcg_temp_new_i32();
247     TCGv t3 = tcg_temp_new_i32();
248 
249     tcg_gen_not_tl(t1, Rd); /* t1 = ~Rd */
250     tcg_gen_and_tl(t2, t1, Rr); /* t2 = ~Rd & Rr */
251     tcg_gen_or_tl(t3, t1, Rr); /* t3 = (~Rd | Rr) & R */
252     tcg_gen_and_tl(t3, t3, R);
253     tcg_gen_or_tl(t2, t2, t3); /* t2 = ~Rd & Rr | ~Rd & R | R & Rr */
254 
255     tcg_gen_shri_tl(cpu_Cf, t2, 7); /* Cf = t2(7) */
256     tcg_gen_shri_tl(cpu_Hf, t2, 3); /* Hf = t2(3) */
257     tcg_gen_andi_tl(cpu_Hf, cpu_Hf, 1);
258 }
259 
260 static void gen_sub_Vf(TCGv R, TCGv Rd, TCGv Rr)
261 {
262     TCGv t1 = tcg_temp_new_i32();
263     TCGv t2 = tcg_temp_new_i32();
264 
265     /* t1 = Rd & ~Rr & ~R | ~Rd & Rr & R */
266     /*    = (Rd ^ R) & (Rd ^ R) */
267     tcg_gen_xor_tl(t1, Rd, R);
268     tcg_gen_xor_tl(t2, Rd, Rr);
269     tcg_gen_and_tl(t1, t1, t2);
270 
271     tcg_gen_shri_tl(cpu_Vf, t1, 7); /* Vf = t1(7) */
272 }
273 
274 static void gen_NSf(TCGv R)
275 {
276     tcg_gen_shri_tl(cpu_Nf, R, 7); /* Nf = R(7) */
277     tcg_gen_xor_tl(cpu_Sf, cpu_Nf, cpu_Vf); /* Sf = Nf ^ Vf */
278 }
279 
280 static void gen_ZNSf(TCGv R)
281 {
282     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
283 
284     /* update status register */
285     tcg_gen_shri_tl(cpu_Nf, R, 7); /* Nf = R(7) */
286     tcg_gen_xor_tl(cpu_Sf, cpu_Nf, cpu_Vf); /* Sf = Nf ^ Vf */
287 }
288 
289 /*
290  *  Adds two registers without the C Flag and places the result in the
291  *  destination register Rd.
292  */
293 static bool trans_ADD(DisasContext *ctx, arg_ADD *a)
294 {
295     TCGv Rd = cpu_r[a->rd];
296     TCGv Rr = cpu_r[a->rr];
297     TCGv R = tcg_temp_new_i32();
298 
299     tcg_gen_add_tl(R, Rd, Rr); /* Rd = Rd + Rr */
300     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
301 
302     /* update status register */
303     gen_add_CHf(R, Rd, Rr);
304     gen_add_Vf(R, Rd, Rr);
305     gen_ZNSf(R);
306 
307     /* update output registers */
308     tcg_gen_mov_tl(Rd, R);
309     return true;
310 }
311 
312 /*
313  *  Adds two registers and the contents of the C Flag and places the result in
314  *  the destination register Rd.
315  */
316 static bool trans_ADC(DisasContext *ctx, arg_ADC *a)
317 {
318     TCGv Rd = cpu_r[a->rd];
319     TCGv Rr = cpu_r[a->rr];
320     TCGv R = tcg_temp_new_i32();
321 
322     tcg_gen_add_tl(R, Rd, Rr); /* R = Rd + Rr + Cf */
323     tcg_gen_add_tl(R, R, cpu_Cf);
324     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
325 
326     /* update status register */
327     gen_add_CHf(R, Rd, Rr);
328     gen_add_Vf(R, Rd, Rr);
329     gen_ZNSf(R);
330 
331     /* update output registers */
332     tcg_gen_mov_tl(Rd, R);
333     return true;
334 }
335 
336 /*
337  *  Adds an immediate value (0 - 63) to a register pair and places the result
338  *  in the register pair. This instruction operates on the upper four register
339  *  pairs, and is well suited for operations on the pointer registers.  This
340  *  instruction is not available in all devices. Refer to the device specific
341  *  instruction set summary.
342  */
343 static bool trans_ADIW(DisasContext *ctx, arg_ADIW *a)
344 {
345     if (!avr_have_feature(ctx, AVR_FEATURE_ADIW_SBIW)) {
346         return true;
347     }
348 
349     TCGv RdL = cpu_r[a->rd];
350     TCGv RdH = cpu_r[a->rd + 1];
351     int Imm = (a->imm);
352     TCGv R = tcg_temp_new_i32();
353     TCGv Rd = tcg_temp_new_i32();
354 
355     tcg_gen_deposit_tl(Rd, RdL, RdH, 8, 8); /* Rd = RdH:RdL */
356     tcg_gen_addi_tl(R, Rd, Imm); /* R = Rd + Imm */
357     tcg_gen_andi_tl(R, R, 0xffff); /* make it 16 bits */
358 
359     /* update status register */
360     tcg_gen_andc_tl(cpu_Cf, Rd, R); /* Cf = Rd & ~R */
361     tcg_gen_shri_tl(cpu_Cf, cpu_Cf, 15);
362     tcg_gen_andc_tl(cpu_Vf, R, Rd); /* Vf = R & ~Rd */
363     tcg_gen_shri_tl(cpu_Vf, cpu_Vf, 15);
364     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
365     tcg_gen_shri_tl(cpu_Nf, R, 15); /* Nf = R(15) */
366     tcg_gen_xor_tl(cpu_Sf, cpu_Nf, cpu_Vf);/* Sf = Nf ^ Vf */
367 
368     /* update output registers */
369     tcg_gen_andi_tl(RdL, R, 0xff);
370     tcg_gen_shri_tl(RdH, R, 8);
371     return true;
372 }
373 
374 /*
375  *  Subtracts two registers and places the result in the destination
376  *  register Rd.
377  */
378 static bool trans_SUB(DisasContext *ctx, arg_SUB *a)
379 {
380     TCGv Rd = cpu_r[a->rd];
381     TCGv Rr = cpu_r[a->rr];
382     TCGv R = tcg_temp_new_i32();
383 
384     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr */
385     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
386 
387     /* update status register */
388     tcg_gen_andc_tl(cpu_Cf, Rd, R); /* Cf = Rd & ~R */
389     gen_sub_CHf(R, Rd, Rr);
390     gen_sub_Vf(R, Rd, Rr);
391     gen_ZNSf(R);
392 
393     /* update output registers */
394     tcg_gen_mov_tl(Rd, R);
395     return true;
396 }
397 
398 /*
399  *  Subtracts a register and a constant and places the result in the
400  *  destination register Rd. This instruction is working on Register R16 to R31
401  *  and is very well suited for operations on the X, Y, and Z-pointers.
402  */
403 static bool trans_SUBI(DisasContext *ctx, arg_SUBI *a)
404 {
405     TCGv Rd = cpu_r[a->rd];
406     TCGv Rr = tcg_constant_i32(a->imm);
407     TCGv R = tcg_temp_new_i32();
408 
409     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Imm */
410     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
411 
412     /* update status register */
413     gen_sub_CHf(R, Rd, Rr);
414     gen_sub_Vf(R, Rd, Rr);
415     gen_ZNSf(R);
416 
417     /* update output registers */
418     tcg_gen_mov_tl(Rd, R);
419     return true;
420 }
421 
422 /*
423  *  Subtracts two registers and subtracts with the C Flag and places the
424  *  result in the destination register Rd.
425  */
426 static bool trans_SBC(DisasContext *ctx, arg_SBC *a)
427 {
428     TCGv Rd = cpu_r[a->rd];
429     TCGv Rr = cpu_r[a->rr];
430     TCGv R = tcg_temp_new_i32();
431     TCGv zero = tcg_constant_i32(0);
432 
433     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr - Cf */
434     tcg_gen_sub_tl(R, R, cpu_Cf);
435     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
436 
437     /* update status register */
438     gen_sub_CHf(R, Rd, Rr);
439     gen_sub_Vf(R, Rd, Rr);
440     gen_NSf(R);
441 
442     /*
443      * Previous value remains unchanged when the result is zero;
444      * cleared otherwise.
445      */
446     tcg_gen_movcond_tl(TCG_COND_EQ, cpu_Zf, R, zero, cpu_Zf, zero);
447 
448     /* update output registers */
449     tcg_gen_mov_tl(Rd, R);
450     return true;
451 }
452 
453 /*
454  *  SBCI -- Subtract Immediate with Carry
455  */
456 static bool trans_SBCI(DisasContext *ctx, arg_SBCI *a)
457 {
458     TCGv Rd = cpu_r[a->rd];
459     TCGv Rr = tcg_constant_i32(a->imm);
460     TCGv R = tcg_temp_new_i32();
461     TCGv zero = tcg_constant_i32(0);
462 
463     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr - Cf */
464     tcg_gen_sub_tl(R, R, cpu_Cf);
465     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
466 
467     /* update status register */
468     gen_sub_CHf(R, Rd, Rr);
469     gen_sub_Vf(R, Rd, Rr);
470     gen_NSf(R);
471 
472     /*
473      * Previous value remains unchanged when the result is zero;
474      * cleared otherwise.
475      */
476     tcg_gen_movcond_tl(TCG_COND_EQ, cpu_Zf, R, zero, cpu_Zf, zero);
477 
478     /* update output registers */
479     tcg_gen_mov_tl(Rd, R);
480     return true;
481 }
482 
483 /*
484  *  Subtracts an immediate value (0-63) from a register pair and places the
485  *  result in the register pair. This instruction operates on the upper four
486  *  register pairs, and is well suited for operations on the Pointer Registers.
487  *  This instruction is not available in all devices. Refer to the device
488  *  specific instruction set summary.
489  */
490 static bool trans_SBIW(DisasContext *ctx, arg_SBIW *a)
491 {
492     if (!avr_have_feature(ctx, AVR_FEATURE_ADIW_SBIW)) {
493         return true;
494     }
495 
496     TCGv RdL = cpu_r[a->rd];
497     TCGv RdH = cpu_r[a->rd + 1];
498     int Imm = (a->imm);
499     TCGv R = tcg_temp_new_i32();
500     TCGv Rd = tcg_temp_new_i32();
501 
502     tcg_gen_deposit_tl(Rd, RdL, RdH, 8, 8); /* Rd = RdH:RdL */
503     tcg_gen_subi_tl(R, Rd, Imm); /* R = Rd - Imm */
504     tcg_gen_andi_tl(R, R, 0xffff); /* make it 16 bits */
505 
506     /* update status register */
507     tcg_gen_andc_tl(cpu_Cf, R, Rd);
508     tcg_gen_shri_tl(cpu_Cf, cpu_Cf, 15); /* Cf = R & ~Rd */
509     tcg_gen_andc_tl(cpu_Vf, Rd, R);
510     tcg_gen_shri_tl(cpu_Vf, cpu_Vf, 15); /* Vf = Rd & ~R */
511     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
512     tcg_gen_shri_tl(cpu_Nf, R, 15); /* Nf = R(15) */
513     tcg_gen_xor_tl(cpu_Sf, cpu_Nf, cpu_Vf); /* Sf = Nf ^ Vf */
514 
515     /* update output registers */
516     tcg_gen_andi_tl(RdL, R, 0xff);
517     tcg_gen_shri_tl(RdH, R, 8);
518     return true;
519 }
520 
521 /*
522  *  Performs the logical AND between the contents of register Rd and register
523  *  Rr and places the result in the destination register Rd.
524  */
525 static bool trans_AND(DisasContext *ctx, arg_AND *a)
526 {
527     TCGv Rd = cpu_r[a->rd];
528     TCGv Rr = cpu_r[a->rr];
529     TCGv R = tcg_temp_new_i32();
530 
531     tcg_gen_and_tl(R, Rd, Rr); /* Rd = Rd and Rr */
532 
533     /* update status register */
534     tcg_gen_movi_tl(cpu_Vf, 0); /* Vf = 0 */
535     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
536     gen_ZNSf(R);
537 
538     /* update output registers */
539     tcg_gen_mov_tl(Rd, R);
540     return true;
541 }
542 
543 /*
544  *  Performs the logical AND between the contents of register Rd and a constant
545  *  and places the result in the destination register Rd.
546  */
547 static bool trans_ANDI(DisasContext *ctx, arg_ANDI *a)
548 {
549     TCGv Rd = cpu_r[a->rd];
550     int Imm = (a->imm);
551 
552     tcg_gen_andi_tl(Rd, Rd, Imm); /* Rd = Rd & Imm */
553 
554     /* update status register */
555     tcg_gen_movi_tl(cpu_Vf, 0x00); /* Vf = 0 */
556     gen_ZNSf(Rd);
557 
558     return true;
559 }
560 
561 /*
562  *  Performs the logical OR between the contents of register Rd and register
563  *  Rr and places the result in the destination register Rd.
564  */
565 static bool trans_OR(DisasContext *ctx, arg_OR *a)
566 {
567     TCGv Rd = cpu_r[a->rd];
568     TCGv Rr = cpu_r[a->rr];
569     TCGv R = tcg_temp_new_i32();
570 
571     tcg_gen_or_tl(R, Rd, Rr);
572 
573     /* update status register */
574     tcg_gen_movi_tl(cpu_Vf, 0);
575     gen_ZNSf(R);
576 
577     /* update output registers */
578     tcg_gen_mov_tl(Rd, R);
579     return true;
580 }
581 
582 /*
583  *  Performs the logical OR between the contents of register Rd and a
584  *  constant and places the result in the destination register Rd.
585  */
586 static bool trans_ORI(DisasContext *ctx, arg_ORI *a)
587 {
588     TCGv Rd = cpu_r[a->rd];
589     int Imm = (a->imm);
590 
591     tcg_gen_ori_tl(Rd, Rd, Imm); /* Rd = Rd | Imm */
592 
593     /* update status register */
594     tcg_gen_movi_tl(cpu_Vf, 0x00); /* Vf = 0 */
595     gen_ZNSf(Rd);
596 
597     return true;
598 }
599 
600 /*
601  *  Performs the logical EOR between the contents of register Rd and
602  *  register Rr and places the result in the destination register Rd.
603  */
604 static bool trans_EOR(DisasContext *ctx, arg_EOR *a)
605 {
606     TCGv Rd = cpu_r[a->rd];
607     TCGv Rr = cpu_r[a->rr];
608 
609     tcg_gen_xor_tl(Rd, Rd, Rr);
610 
611     /* update status register */
612     tcg_gen_movi_tl(cpu_Vf, 0);
613     gen_ZNSf(Rd);
614 
615     return true;
616 }
617 
618 /*
619  *  Clears the specified bits in register Rd. Performs the logical AND
620  *  between the contents of register Rd and the complement of the constant mask
621  *  K. The result will be placed in register Rd.
622  */
623 static bool trans_COM(DisasContext *ctx, arg_COM *a)
624 {
625     TCGv Rd = cpu_r[a->rd];
626 
627     tcg_gen_xori_tl(Rd, Rd, 0xff);
628 
629     /* update status register */
630     tcg_gen_movi_tl(cpu_Cf, 1); /* Cf = 1 */
631     tcg_gen_movi_tl(cpu_Vf, 0); /* Vf = 0 */
632     gen_ZNSf(Rd);
633     return true;
634 }
635 
636 /*
637  *  Replaces the contents of register Rd with its two's complement; the
638  *  value $80 is left unchanged.
639  */
640 static bool trans_NEG(DisasContext *ctx, arg_NEG *a)
641 {
642     TCGv Rd = cpu_r[a->rd];
643     TCGv t0 = tcg_constant_i32(0);
644     TCGv R = tcg_temp_new_i32();
645 
646     tcg_gen_sub_tl(R, t0, Rd); /* R = 0 - Rd */
647     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
648 
649     /* update status register */
650     gen_sub_CHf(R, t0, Rd);
651     gen_sub_Vf(R, t0, Rd);
652     gen_ZNSf(R);
653 
654     /* update output registers */
655     tcg_gen_mov_tl(Rd, R);
656     return true;
657 }
658 
659 /*
660  *  Adds one -1- to the contents of register Rd and places the result in the
661  *  destination register Rd.  The C Flag in SREG is not affected by the
662  *  operation, thus allowing the INC instruction to be used on a loop counter in
663  *  multiple-precision computations.  When operating on unsigned numbers, only
664  *  BREQ and BRNE branches can be expected to perform consistently. When
665  *  operating on two's complement values, all signed branches are available.
666  */
667 static bool trans_INC(DisasContext *ctx, arg_INC *a)
668 {
669     TCGv Rd = cpu_r[a->rd];
670 
671     tcg_gen_addi_tl(Rd, Rd, 1);
672     tcg_gen_andi_tl(Rd, Rd, 0xff);
673 
674     /* update status register */
675     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Vf, Rd, 0x80); /* Vf = Rd == 0x80 */
676     gen_ZNSf(Rd);
677 
678     return true;
679 }
680 
681 /*
682  *  Subtracts one -1- from the contents of register Rd and places the result
683  *  in the destination register Rd.  The C Flag in SREG is not affected by the
684  *  operation, thus allowing the DEC instruction to be used on a loop counter in
685  *  multiple-precision computations.  When operating on unsigned values, only
686  *  BREQ and BRNE branches can be expected to perform consistently.  When
687  *  operating on two's complement values, all signed branches are available.
688  */
689 static bool trans_DEC(DisasContext *ctx, arg_DEC *a)
690 {
691     TCGv Rd = cpu_r[a->rd];
692 
693     tcg_gen_subi_tl(Rd, Rd, 1); /* Rd = Rd - 1 */
694     tcg_gen_andi_tl(Rd, Rd, 0xff); /* make it 8 bits */
695 
696     /* update status register */
697     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Vf, Rd, 0x7f); /* Vf = Rd == 0x7f */
698     gen_ZNSf(Rd);
699 
700     return true;
701 }
702 
703 /*
704  *  This instruction performs 8-bit x 8-bit -> 16-bit unsigned multiplication.
705  */
706 static bool trans_MUL(DisasContext *ctx, arg_MUL *a)
707 {
708     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
709         return true;
710     }
711 
712     TCGv R0 = cpu_r[0];
713     TCGv R1 = cpu_r[1];
714     TCGv Rd = cpu_r[a->rd];
715     TCGv Rr = cpu_r[a->rr];
716     TCGv R = tcg_temp_new_i32();
717 
718     tcg_gen_mul_tl(R, Rd, Rr); /* R = Rd * Rr */
719     tcg_gen_andi_tl(R0, R, 0xff);
720     tcg_gen_shri_tl(R1, R, 8);
721 
722     /* update status register */
723     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
724     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
725     return true;
726 }
727 
728 /*
729  *  This instruction performs 8-bit x 8-bit -> 16-bit signed multiplication.
730  */
731 static bool trans_MULS(DisasContext *ctx, arg_MULS *a)
732 {
733     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
734         return true;
735     }
736 
737     TCGv R0 = cpu_r[0];
738     TCGv R1 = cpu_r[1];
739     TCGv Rd = cpu_r[a->rd];
740     TCGv Rr = cpu_r[a->rr];
741     TCGv R = tcg_temp_new_i32();
742     TCGv t0 = tcg_temp_new_i32();
743     TCGv t1 = tcg_temp_new_i32();
744 
745     tcg_gen_ext8s_tl(t0, Rd); /* make Rd full 32 bit signed */
746     tcg_gen_ext8s_tl(t1, Rr); /* make Rr full 32 bit signed */
747     tcg_gen_mul_tl(R, t0, t1); /* R = Rd * Rr */
748     tcg_gen_andi_tl(R, R, 0xffff); /* make it 16 bits */
749     tcg_gen_andi_tl(R0, R, 0xff);
750     tcg_gen_shri_tl(R1, R, 8);
751 
752     /* update status register */
753     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
754     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
755     return true;
756 }
757 
758 /*
759  *  This instruction performs 8-bit x 8-bit -> 16-bit multiplication of a
760  *  signed and an unsigned number.
761  */
762 static bool trans_MULSU(DisasContext *ctx, arg_MULSU *a)
763 {
764     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
765         return true;
766     }
767 
768     TCGv R0 = cpu_r[0];
769     TCGv R1 = cpu_r[1];
770     TCGv Rd = cpu_r[a->rd];
771     TCGv Rr = cpu_r[a->rr];
772     TCGv R = tcg_temp_new_i32();
773     TCGv t0 = tcg_temp_new_i32();
774 
775     tcg_gen_ext8s_tl(t0, Rd); /* make Rd full 32 bit signed */
776     tcg_gen_mul_tl(R, t0, Rr); /* R = Rd * Rr */
777     tcg_gen_andi_tl(R, R, 0xffff); /* make R 16 bits */
778     tcg_gen_andi_tl(R0, R, 0xff);
779     tcg_gen_shri_tl(R1, R, 8);
780 
781     /* update status register */
782     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
783     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
784     return true;
785 }
786 
787 /*
788  *  This instruction performs 8-bit x 8-bit -> 16-bit unsigned
789  *  multiplication and shifts the result one bit left.
790  */
791 static bool trans_FMUL(DisasContext *ctx, arg_FMUL *a)
792 {
793     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
794         return true;
795     }
796 
797     TCGv R0 = cpu_r[0];
798     TCGv R1 = cpu_r[1];
799     TCGv Rd = cpu_r[a->rd];
800     TCGv Rr = cpu_r[a->rr];
801     TCGv R = tcg_temp_new_i32();
802 
803     tcg_gen_mul_tl(R, Rd, Rr); /* R = Rd * Rr */
804 
805     /* update status register */
806     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
807     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
808 
809     /* update output registers */
810     tcg_gen_shli_tl(R, R, 1);
811     tcg_gen_andi_tl(R0, R, 0xff);
812     tcg_gen_shri_tl(R1, R, 8);
813     tcg_gen_andi_tl(R1, R1, 0xff);
814     return true;
815 }
816 
817 /*
818  *  This instruction performs 8-bit x 8-bit -> 16-bit signed multiplication
819  *  and shifts the result one bit left.
820  */
821 static bool trans_FMULS(DisasContext *ctx, arg_FMULS *a)
822 {
823     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
824         return true;
825     }
826 
827     TCGv R0 = cpu_r[0];
828     TCGv R1 = cpu_r[1];
829     TCGv Rd = cpu_r[a->rd];
830     TCGv Rr = cpu_r[a->rr];
831     TCGv R = tcg_temp_new_i32();
832     TCGv t0 = tcg_temp_new_i32();
833     TCGv t1 = tcg_temp_new_i32();
834 
835     tcg_gen_ext8s_tl(t0, Rd); /* make Rd full 32 bit signed */
836     tcg_gen_ext8s_tl(t1, Rr); /* make Rr full 32 bit signed */
837     tcg_gen_mul_tl(R, t0, t1); /* R = Rd * Rr */
838     tcg_gen_andi_tl(R, R, 0xffff); /* make it 16 bits */
839 
840     /* update status register */
841     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
842     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
843 
844     /* update output registers */
845     tcg_gen_shli_tl(R, R, 1);
846     tcg_gen_andi_tl(R0, R, 0xff);
847     tcg_gen_shri_tl(R1, R, 8);
848     tcg_gen_andi_tl(R1, R1, 0xff);
849     return true;
850 }
851 
852 /*
853  *  This instruction performs 8-bit x 8-bit -> 16-bit signed multiplication
854  *  and shifts the result one bit left.
855  */
856 static bool trans_FMULSU(DisasContext *ctx, arg_FMULSU *a)
857 {
858     if (!avr_have_feature(ctx, AVR_FEATURE_MUL)) {
859         return true;
860     }
861 
862     TCGv R0 = cpu_r[0];
863     TCGv R1 = cpu_r[1];
864     TCGv Rd = cpu_r[a->rd];
865     TCGv Rr = cpu_r[a->rr];
866     TCGv R = tcg_temp_new_i32();
867     TCGv t0 = tcg_temp_new_i32();
868 
869     tcg_gen_ext8s_tl(t0, Rd); /* make Rd full 32 bit signed */
870     tcg_gen_mul_tl(R, t0, Rr); /* R = Rd * Rr */
871     tcg_gen_andi_tl(R, R, 0xffff); /* make it 16 bits */
872 
873     /* update status register */
874     tcg_gen_shri_tl(cpu_Cf, R, 15); /* Cf = R(15) */
875     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
876 
877     /* update output registers */
878     tcg_gen_shli_tl(R, R, 1);
879     tcg_gen_andi_tl(R0, R, 0xff);
880     tcg_gen_shri_tl(R1, R, 8);
881     tcg_gen_andi_tl(R1, R1, 0xff);
882     return true;
883 }
884 
885 /*
886  *  The module is an instruction set extension to the AVR CPU, performing
887  *  DES iterations. The 64-bit data block (plaintext or ciphertext) is placed in
888  *  the CPU register file, registers R0-R7, where LSB of data is placed in LSB
889  *  of R0 and MSB of data is placed in MSB of R7. The full 64-bit key (including
890  *  parity bits) is placed in registers R8- R15, organized in the register file
891  *  with LSB of key in LSB of R8 and MSB of key in MSB of R15. Executing one DES
892  *  instruction performs one round in the DES algorithm. Sixteen rounds must be
893  *  executed in increasing order to form the correct DES ciphertext or
894  *  plaintext. Intermediate results are stored in the register file (R0-R15)
895  *  after each DES instruction. The instruction's operand (K) determines which
896  *  round is executed, and the half carry flag (H) determines whether encryption
897  *  or decryption is performed.  The DES algorithm is described in
898  *  "Specifications for the Data Encryption Standard" (Federal Information
899  *  Processing Standards Publication 46). Intermediate results in this
900  *  implementation differ from the standard because the initial permutation and
901  *  the inverse initial permutation are performed each iteration. This does not
902  *  affect the result in the final ciphertext or plaintext, but reduces
903  *  execution time.
904  */
905 static bool trans_DES(DisasContext *ctx, arg_DES *a)
906 {
907     /* TODO */
908     if (!avr_have_feature(ctx, AVR_FEATURE_DES)) {
909         return true;
910     }
911 
912     qemu_log_mask(LOG_UNIMP, "%s: not implemented\n", __func__);
913 
914     return true;
915 }
916 
917 /*
918  * Branch Instructions
919  */
920 static void gen_jmp_ez(DisasContext *ctx)
921 {
922     tcg_gen_deposit_tl(cpu_pc, cpu_r[30], cpu_r[31], 8, 8);
923     tcg_gen_or_tl(cpu_pc, cpu_pc, cpu_eind);
924     ctx->base.is_jmp = DISAS_LOOKUP;
925 }
926 
927 static void gen_jmp_z(DisasContext *ctx)
928 {
929     tcg_gen_deposit_tl(cpu_pc, cpu_r[30], cpu_r[31], 8, 8);
930     ctx->base.is_jmp = DISAS_LOOKUP;
931 }
932 
933 static void gen_push_ret(DisasContext *ctx, int ret)
934 {
935     if (avr_feature(ctx->env, AVR_FEATURE_1_BYTE_PC)) {
936         TCGv t0 = tcg_constant_i32(ret & 0x0000ff);
937 
938         tcg_gen_qemu_st_tl(t0, cpu_sp, MMU_DATA_IDX, MO_UB);
939         tcg_gen_subi_tl(cpu_sp, cpu_sp, 1);
940     } else if (avr_feature(ctx->env, AVR_FEATURE_2_BYTE_PC)) {
941         TCGv t0 = tcg_constant_i32(ret & 0x00ffff);
942 
943         tcg_gen_subi_tl(cpu_sp, cpu_sp, 1);
944         tcg_gen_qemu_st_tl(t0, cpu_sp, MMU_DATA_IDX, MO_BEUW);
945         tcg_gen_subi_tl(cpu_sp, cpu_sp, 1);
946     } else if (avr_feature(ctx->env, AVR_FEATURE_3_BYTE_PC)) {
947         TCGv lo = tcg_constant_i32(ret & 0x0000ff);
948         TCGv hi = tcg_constant_i32((ret & 0xffff00) >> 8);
949 
950         tcg_gen_qemu_st_tl(lo, cpu_sp, MMU_DATA_IDX, MO_UB);
951         tcg_gen_subi_tl(cpu_sp, cpu_sp, 2);
952         tcg_gen_qemu_st_tl(hi, cpu_sp, MMU_DATA_IDX, MO_BEUW);
953         tcg_gen_subi_tl(cpu_sp, cpu_sp, 1);
954     }
955 }
956 
957 static void gen_pop_ret(DisasContext *ctx, TCGv ret)
958 {
959     if (avr_feature(ctx->env, AVR_FEATURE_1_BYTE_PC)) {
960         tcg_gen_addi_tl(cpu_sp, cpu_sp, 1);
961         tcg_gen_qemu_ld_tl(ret, cpu_sp, MMU_DATA_IDX, MO_UB);
962     } else if (avr_feature(ctx->env, AVR_FEATURE_2_BYTE_PC)) {
963         tcg_gen_addi_tl(cpu_sp, cpu_sp, 1);
964         tcg_gen_qemu_ld_tl(ret, cpu_sp, MMU_DATA_IDX, MO_BEUW);
965         tcg_gen_addi_tl(cpu_sp, cpu_sp, 1);
966     } else if (avr_feature(ctx->env, AVR_FEATURE_3_BYTE_PC)) {
967         TCGv lo = tcg_temp_new_i32();
968         TCGv hi = tcg_temp_new_i32();
969 
970         tcg_gen_addi_tl(cpu_sp, cpu_sp, 1);
971         tcg_gen_qemu_ld_tl(hi, cpu_sp, MMU_DATA_IDX, MO_BEUW);
972 
973         tcg_gen_addi_tl(cpu_sp, cpu_sp, 2);
974         tcg_gen_qemu_ld_tl(lo, cpu_sp, MMU_DATA_IDX, MO_UB);
975 
976         tcg_gen_deposit_tl(ret, lo, hi, 8, 16);
977     }
978 }
979 
980 static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
981 {
982     const TranslationBlock *tb = ctx->base.tb;
983 
984     if (translator_use_goto_tb(&ctx->base, dest)) {
985         tcg_gen_goto_tb(n);
986         tcg_gen_movi_i32(cpu_pc, dest);
987         tcg_gen_exit_tb(tb, n);
988     } else {
989         tcg_gen_movi_i32(cpu_pc, dest);
990         tcg_gen_lookup_and_goto_ptr();
991     }
992     ctx->base.is_jmp = DISAS_NORETURN;
993 }
994 
995 /*
996  *  Relative jump to an address within PC - 2K +1 and PC + 2K (words). For
997  *  AVR microcontrollers with Program memory not exceeding 4K words (8KB) this
998  *  instruction can address the entire memory from every address location. See
999  *  also JMP.
1000  */
1001 static bool trans_RJMP(DisasContext *ctx, arg_RJMP *a)
1002 {
1003     int dst = ctx->npc + a->imm;
1004 
1005     gen_goto_tb(ctx, 0, dst);
1006 
1007     return true;
1008 }
1009 
1010 /*
1011  *  Indirect jump to the address pointed to by the Z (16 bits) Pointer
1012  *  Register in the Register File. The Z-pointer Register is 16 bits wide and
1013  *  allows jump within the lowest 64K words (128KB) section of Program memory.
1014  *  This instruction is not available in all devices. Refer to the device
1015  *  specific instruction set summary.
1016  */
1017 static bool trans_IJMP(DisasContext *ctx, arg_IJMP *a)
1018 {
1019     if (!avr_have_feature(ctx, AVR_FEATURE_IJMP_ICALL)) {
1020         return true;
1021     }
1022 
1023     gen_jmp_z(ctx);
1024 
1025     return true;
1026 }
1027 
1028 /*
1029  *  Indirect jump to the address pointed to by the Z (16 bits) Pointer
1030  *  Register in the Register File and the EIND Register in the I/O space. This
1031  *  instruction allows for indirect jumps to the entire 4M (words) Program
1032  *  memory space. See also IJMP.  This instruction is not available in all
1033  *  devices. Refer to the device specific instruction set summary.
1034  */
1035 static bool trans_EIJMP(DisasContext *ctx, arg_EIJMP *a)
1036 {
1037     if (!avr_have_feature(ctx, AVR_FEATURE_EIJMP_EICALL)) {
1038         return true;
1039     }
1040 
1041     gen_jmp_ez(ctx);
1042     return true;
1043 }
1044 
1045 /*
1046  *  Jump to an address within the entire 4M (words) Program memory. See also
1047  *  RJMP.  This instruction is not available in all devices. Refer to the device
1048  *  specific instruction set summary.0
1049  */
1050 static bool trans_JMP(DisasContext *ctx, arg_JMP *a)
1051 {
1052     if (!avr_have_feature(ctx, AVR_FEATURE_JMP_CALL)) {
1053         return true;
1054     }
1055 
1056     gen_goto_tb(ctx, 0, a->imm);
1057 
1058     return true;
1059 }
1060 
1061 /*
1062  *  Relative call to an address within PC - 2K + 1 and PC + 2K (words). The
1063  *  return address (the instruction after the RCALL) is stored onto the Stack.
1064  *  See also CALL. For AVR microcontrollers with Program memory not exceeding 4K
1065  *  words (8KB) this instruction can address the entire memory from every
1066  *  address location. The Stack Pointer uses a post-decrement scheme during
1067  *  RCALL.
1068  */
1069 static bool trans_RCALL(DisasContext *ctx, arg_RCALL *a)
1070 {
1071     int ret = ctx->npc;
1072     int dst = ctx->npc + a->imm;
1073 
1074     gen_push_ret(ctx, ret);
1075     gen_goto_tb(ctx, 0, dst);
1076 
1077     return true;
1078 }
1079 
1080 /*
1081  *  Calls to a subroutine within the entire 4M (words) Program memory. The
1082  *  return address (to the instruction after the CALL) will be stored onto the
1083  *  Stack. See also RCALL. The Stack Pointer uses a post-decrement scheme during
1084  *  CALL.  This instruction is not available in all devices. Refer to the device
1085  *  specific instruction set summary.
1086  */
1087 static bool trans_ICALL(DisasContext *ctx, arg_ICALL *a)
1088 {
1089     if (!avr_have_feature(ctx, AVR_FEATURE_IJMP_ICALL)) {
1090         return true;
1091     }
1092 
1093     int ret = ctx->npc;
1094 
1095     gen_push_ret(ctx, ret);
1096     gen_jmp_z(ctx);
1097 
1098     return true;
1099 }
1100 
1101 /*
1102  *  Indirect call of a subroutine pointed to by the Z (16 bits) Pointer
1103  *  Register in the Register File and the EIND Register in the I/O space. This
1104  *  instruction allows for indirect calls to the entire 4M (words) Program
1105  *  memory space. See also ICALL. The Stack Pointer uses a post-decrement scheme
1106  *  during EICALL.  This instruction is not available in all devices. Refer to
1107  *  the device specific instruction set summary.
1108  */
1109 static bool trans_EICALL(DisasContext *ctx, arg_EICALL *a)
1110 {
1111     if (!avr_have_feature(ctx, AVR_FEATURE_EIJMP_EICALL)) {
1112         return true;
1113     }
1114 
1115     int ret = ctx->npc;
1116 
1117     gen_push_ret(ctx, ret);
1118     gen_jmp_ez(ctx);
1119     return true;
1120 }
1121 
1122 /*
1123  *  Calls to a subroutine within the entire Program memory. The return
1124  *  address (to the instruction after the CALL) will be stored onto the Stack.
1125  *  (See also RCALL). The Stack Pointer uses a post-decrement scheme during
1126  *  CALL.  This instruction is not available in all devices. Refer to the device
1127  *  specific instruction set summary.
1128  */
1129 static bool trans_CALL(DisasContext *ctx, arg_CALL *a)
1130 {
1131     if (!avr_have_feature(ctx, AVR_FEATURE_JMP_CALL)) {
1132         return true;
1133     }
1134 
1135     int Imm = a->imm;
1136     int ret = ctx->npc;
1137 
1138     gen_push_ret(ctx, ret);
1139     gen_goto_tb(ctx, 0, Imm);
1140 
1141     return true;
1142 }
1143 
1144 /*
1145  *  Returns from subroutine. The return address is loaded from the STACK.
1146  *  The Stack Pointer uses a preincrement scheme during RET.
1147  */
1148 static bool trans_RET(DisasContext *ctx, arg_RET *a)
1149 {
1150     gen_pop_ret(ctx, cpu_pc);
1151 
1152     ctx->base.is_jmp = DISAS_LOOKUP;
1153     return true;
1154 }
1155 
1156 /*
1157  *  Returns from interrupt. The return address is loaded from the STACK and
1158  *  the Global Interrupt Flag is set.  Note that the Status Register is not
1159  *  automatically stored when entering an interrupt routine, and it is not
1160  *  restored when returning from an interrupt routine. This must be handled by
1161  *  the application program. The Stack Pointer uses a pre-increment scheme
1162  *  during RETI.
1163  */
1164 static bool trans_RETI(DisasContext *ctx, arg_RETI *a)
1165 {
1166     gen_pop_ret(ctx, cpu_pc);
1167     tcg_gen_movi_tl(cpu_If, 1);
1168 
1169     /* Need to return to main loop to re-evaluate interrupts.  */
1170     ctx->base.is_jmp = DISAS_EXIT;
1171     return true;
1172 }
1173 
1174 /*
1175  *  This instruction performs a compare between two registers Rd and Rr, and
1176  *  skips the next instruction if Rd = Rr.
1177  */
1178 static bool trans_CPSE(DisasContext *ctx, arg_CPSE *a)
1179 {
1180     ctx->skip_cond = TCG_COND_EQ;
1181     ctx->skip_var0 = cpu_r[a->rd];
1182     ctx->skip_var1 = cpu_r[a->rr];
1183     return true;
1184 }
1185 
1186 /*
1187  *  This instruction performs a compare between two registers Rd and Rr.
1188  *  None of the registers are changed. All conditional branches can be used
1189  *  after this instruction.
1190  */
1191 static bool trans_CP(DisasContext *ctx, arg_CP *a)
1192 {
1193     TCGv Rd = cpu_r[a->rd];
1194     TCGv Rr = cpu_r[a->rr];
1195     TCGv R = tcg_temp_new_i32();
1196 
1197     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr */
1198     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
1199 
1200     /* update status register */
1201     gen_sub_CHf(R, Rd, Rr);
1202     gen_sub_Vf(R, Rd, Rr);
1203     gen_ZNSf(R);
1204     return true;
1205 }
1206 
1207 /*
1208  *  This instruction performs a compare between two registers Rd and Rr and
1209  *  also takes into account the previous carry. None of the registers are
1210  *  changed. All conditional branches can be used after this instruction.
1211  */
1212 static bool trans_CPC(DisasContext *ctx, arg_CPC *a)
1213 {
1214     TCGv Rd = cpu_r[a->rd];
1215     TCGv Rr = cpu_r[a->rr];
1216     TCGv R = tcg_temp_new_i32();
1217     TCGv zero = tcg_constant_i32(0);
1218 
1219     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr - Cf */
1220     tcg_gen_sub_tl(R, R, cpu_Cf);
1221     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
1222     /* update status register */
1223     gen_sub_CHf(R, Rd, Rr);
1224     gen_sub_Vf(R, Rd, Rr);
1225     gen_NSf(R);
1226 
1227     /*
1228      * Previous value remains unchanged when the result is zero;
1229      * cleared otherwise.
1230      */
1231     tcg_gen_movcond_tl(TCG_COND_EQ, cpu_Zf, R, zero, cpu_Zf, zero);
1232     return true;
1233 }
1234 
1235 /*
1236  *  This instruction performs a compare between register Rd and a constant.
1237  *  The register is not changed. All conditional branches can be used after this
1238  *  instruction.
1239  */
1240 static bool trans_CPI(DisasContext *ctx, arg_CPI *a)
1241 {
1242     TCGv Rd = cpu_r[a->rd];
1243     int Imm = a->imm;
1244     TCGv Rr = tcg_constant_i32(Imm);
1245     TCGv R = tcg_temp_new_i32();
1246 
1247     tcg_gen_sub_tl(R, Rd, Rr); /* R = Rd - Rr */
1248     tcg_gen_andi_tl(R, R, 0xff); /* make it 8 bits */
1249 
1250     /* update status register */
1251     gen_sub_CHf(R, Rd, Rr);
1252     gen_sub_Vf(R, Rd, Rr);
1253     gen_ZNSf(R);
1254     return true;
1255 }
1256 
1257 /*
1258  *  This instruction tests a single bit in a register and skips the next
1259  *  instruction if the bit is cleared.
1260  */
1261 static bool trans_SBRC(DisasContext *ctx, arg_SBRC *a)
1262 {
1263     TCGv Rr = cpu_r[a->rr];
1264 
1265     ctx->skip_cond = TCG_COND_EQ;
1266     ctx->skip_var0 = tcg_temp_new();
1267 
1268     tcg_gen_andi_tl(ctx->skip_var0, Rr, 1 << a->bit);
1269     return true;
1270 }
1271 
1272 /*
1273  *  This instruction tests a single bit in a register and skips the next
1274  *  instruction if the bit is set.
1275  */
1276 static bool trans_SBRS(DisasContext *ctx, arg_SBRS *a)
1277 {
1278     TCGv Rr = cpu_r[a->rr];
1279 
1280     ctx->skip_cond = TCG_COND_NE;
1281     ctx->skip_var0 = tcg_temp_new();
1282 
1283     tcg_gen_andi_tl(ctx->skip_var0, Rr, 1 << a->bit);
1284     return true;
1285 }
1286 
1287 /*
1288  *  This instruction tests a single bit in an I/O Register and skips the
1289  *  next instruction if the bit is cleared. This instruction operates on the
1290  *  lower 32 I/O Registers -- addresses 0-31.
1291  */
1292 static bool trans_SBIC(DisasContext *ctx, arg_SBIC *a)
1293 {
1294     TCGv data = tcg_temp_new_i32();
1295     TCGv port = tcg_constant_i32(a->reg);
1296 
1297     gen_helper_inb(data, tcg_env, port);
1298     tcg_gen_andi_tl(data, data, 1 << a->bit);
1299     ctx->skip_cond = TCG_COND_EQ;
1300     ctx->skip_var0 = data;
1301 
1302     return true;
1303 }
1304 
1305 /*
1306  *  This instruction tests a single bit in an I/O Register and skips the
1307  *  next instruction if the bit is set. This instruction operates on the lower
1308  *  32 I/O Registers -- addresses 0-31.
1309  */
1310 static bool trans_SBIS(DisasContext *ctx, arg_SBIS *a)
1311 {
1312     TCGv data = tcg_temp_new_i32();
1313     TCGv port = tcg_constant_i32(a->reg);
1314 
1315     gen_helper_inb(data, tcg_env, port);
1316     tcg_gen_andi_tl(data, data, 1 << a->bit);
1317     ctx->skip_cond = TCG_COND_NE;
1318     ctx->skip_var0 = data;
1319 
1320     return true;
1321 }
1322 
1323 /*
1324  *  Conditional relative branch. Tests a single bit in SREG and branches
1325  *  relatively to PC if the bit is cleared. This instruction branches relatively
1326  *  to PC in either direction (PC - 63 < = destination <= PC + 64). The
1327  *  parameter k is the offset from PC and is represented in two's complement
1328  *  form.
1329  */
1330 static bool trans_BRBC(DisasContext *ctx, arg_BRBC *a)
1331 {
1332     TCGLabel *not_taken = gen_new_label();
1333 
1334     TCGv var;
1335 
1336     switch (a->bit) {
1337     case 0x00:
1338         var = cpu_Cf;
1339         break;
1340     case 0x01:
1341         var = cpu_Zf;
1342         break;
1343     case 0x02:
1344         var = cpu_Nf;
1345         break;
1346     case 0x03:
1347         var = cpu_Vf;
1348         break;
1349     case 0x04:
1350         var = cpu_Sf;
1351         break;
1352     case 0x05:
1353         var = cpu_Hf;
1354         break;
1355     case 0x06:
1356         var = cpu_Tf;
1357         break;
1358     case 0x07:
1359         var = cpu_If;
1360         break;
1361     default:
1362         g_assert_not_reached();
1363     }
1364 
1365     tcg_gen_brcondi_i32(TCG_COND_NE, var, 0, not_taken);
1366     gen_goto_tb(ctx, 0, ctx->npc + a->imm);
1367     gen_set_label(not_taken);
1368 
1369     ctx->base.is_jmp = DISAS_CHAIN;
1370     return true;
1371 }
1372 
1373 /*
1374  *  Conditional relative branch. Tests a single bit in SREG and branches
1375  *  relatively to PC if the bit is set. This instruction branches relatively to
1376  *  PC in either direction (PC - 63 < = destination <= PC + 64). The parameter k
1377  *  is the offset from PC and is represented in two's complement form.
1378  */
1379 static bool trans_BRBS(DisasContext *ctx, arg_BRBS *a)
1380 {
1381     TCGLabel *not_taken = gen_new_label();
1382 
1383     TCGv var;
1384 
1385     switch (a->bit) {
1386     case 0x00:
1387         var = cpu_Cf;
1388         break;
1389     case 0x01:
1390         var = cpu_Zf;
1391         break;
1392     case 0x02:
1393         var = cpu_Nf;
1394         break;
1395     case 0x03:
1396         var = cpu_Vf;
1397         break;
1398     case 0x04:
1399         var = cpu_Sf;
1400         break;
1401     case 0x05:
1402         var = cpu_Hf;
1403         break;
1404     case 0x06:
1405         var = cpu_Tf;
1406         break;
1407     case 0x07:
1408         var = cpu_If;
1409         break;
1410     default:
1411         g_assert_not_reached();
1412     }
1413 
1414     tcg_gen_brcondi_i32(TCG_COND_EQ, var, 0, not_taken);
1415     gen_goto_tb(ctx, 0, ctx->npc + a->imm);
1416     gen_set_label(not_taken);
1417 
1418     ctx->base.is_jmp = DISAS_CHAIN;
1419     return true;
1420 }
1421 
1422 /*
1423  * Data Transfer Instructions
1424  */
1425 
1426 /*
1427  *  in the gen_set_addr & gen_get_addr functions
1428  *  H assumed to be in 0x00ff0000 format
1429  *  M assumed to be in 0x000000ff format
1430  *  L assumed to be in 0x000000ff format
1431  */
1432 static void gen_set_addr(TCGv addr, TCGv H, TCGv M, TCGv L)
1433 {
1434 
1435     tcg_gen_andi_tl(L, addr, 0x000000ff);
1436 
1437     tcg_gen_andi_tl(M, addr, 0x0000ff00);
1438     tcg_gen_shri_tl(M, M, 8);
1439 
1440     tcg_gen_andi_tl(H, addr, 0x00ff0000);
1441 }
1442 
1443 static void gen_set_xaddr(TCGv addr)
1444 {
1445     gen_set_addr(addr, cpu_rampX, cpu_r[27], cpu_r[26]);
1446 }
1447 
1448 static void gen_set_yaddr(TCGv addr)
1449 {
1450     gen_set_addr(addr, cpu_rampY, cpu_r[29], cpu_r[28]);
1451 }
1452 
1453 static void gen_set_zaddr(TCGv addr)
1454 {
1455     gen_set_addr(addr, cpu_rampZ, cpu_r[31], cpu_r[30]);
1456 }
1457 
1458 static TCGv gen_get_addr(TCGv H, TCGv M, TCGv L)
1459 {
1460     TCGv addr = tcg_temp_new_i32();
1461 
1462     tcg_gen_deposit_tl(addr, M, H, 8, 8);
1463     tcg_gen_deposit_tl(addr, L, addr, 8, 16);
1464 
1465     return addr;
1466 }
1467 
1468 static TCGv gen_get_xaddr(void)
1469 {
1470     return gen_get_addr(cpu_rampX, cpu_r[27], cpu_r[26]);
1471 }
1472 
1473 static TCGv gen_get_yaddr(void)
1474 {
1475     return gen_get_addr(cpu_rampY, cpu_r[29], cpu_r[28]);
1476 }
1477 
1478 static TCGv gen_get_zaddr(void)
1479 {
1480     return gen_get_addr(cpu_rampZ, cpu_r[31], cpu_r[30]);
1481 }
1482 
1483 /*
1484  *  Load one byte indirect from data space to register and stores an clear
1485  *  the bits in data space specified by the register. The instruction can only
1486  *  be used towards internal SRAM.  The data location is pointed to by the Z (16
1487  *  bits) Pointer Register in the Register File. Memory access is limited to the
1488  *  current data segment of 64KB. To access another data segment in devices with
1489  *  more than 64KB data space, the RAMPZ in register in the I/O area has to be
1490  *  changed.  The Z-pointer Register is left unchanged by the operation. This
1491  *  instruction is especially suited for clearing status bits stored in SRAM.
1492  */
1493 static void gen_data_store(DisasContext *ctx, TCGv data, TCGv addr)
1494 {
1495     if (ctx->base.tb->flags & TB_FLAGS_FULL_ACCESS) {
1496         gen_helper_fullwr(tcg_env, data, addr);
1497     } else {
1498         tcg_gen_qemu_st_tl(data, addr, MMU_DATA_IDX, MO_UB);
1499     }
1500 }
1501 
1502 static void gen_data_load(DisasContext *ctx, TCGv data, TCGv addr)
1503 {
1504     if (ctx->base.tb->flags & TB_FLAGS_FULL_ACCESS) {
1505         gen_helper_fullrd(data, tcg_env, addr);
1506     } else {
1507         tcg_gen_qemu_ld_tl(data, addr, MMU_DATA_IDX, MO_UB);
1508     }
1509 }
1510 
1511 /*
1512  *  This instruction makes a copy of one register into another. The source
1513  *  register Rr is left unchanged, while the destination register Rd is loaded
1514  *  with a copy of Rr.
1515  */
1516 static bool trans_MOV(DisasContext *ctx, arg_MOV *a)
1517 {
1518     TCGv Rd = cpu_r[a->rd];
1519     TCGv Rr = cpu_r[a->rr];
1520 
1521     tcg_gen_mov_tl(Rd, Rr);
1522 
1523     return true;
1524 }
1525 
1526 /*
1527  *  This instruction makes a copy of one register pair into another register
1528  *  pair. The source register pair Rr+1:Rr is left unchanged, while the
1529  *  destination register pair Rd+1:Rd is loaded with a copy of Rr + 1:Rr.  This
1530  *  instruction is not available in all devices. Refer to the device specific
1531  *  instruction set summary.
1532  */
1533 static bool trans_MOVW(DisasContext *ctx, arg_MOVW *a)
1534 {
1535     if (!avr_have_feature(ctx, AVR_FEATURE_MOVW)) {
1536         return true;
1537     }
1538 
1539     TCGv RdL = cpu_r[a->rd];
1540     TCGv RdH = cpu_r[a->rd + 1];
1541     TCGv RrL = cpu_r[a->rr];
1542     TCGv RrH = cpu_r[a->rr + 1];
1543 
1544     tcg_gen_mov_tl(RdH, RrH);
1545     tcg_gen_mov_tl(RdL, RrL);
1546 
1547     return true;
1548 }
1549 
1550 /*
1551  * Loads an 8 bit constant directly to register 16 to 31.
1552  */
1553 static bool trans_LDI(DisasContext *ctx, arg_LDI *a)
1554 {
1555     TCGv Rd = cpu_r[a->rd];
1556     int imm = a->imm;
1557 
1558     tcg_gen_movi_tl(Rd, imm);
1559 
1560     return true;
1561 }
1562 
1563 /*
1564  *  Loads one byte from the data space to a register. For parts with SRAM,
1565  *  the data space consists of the Register File, I/O memory and internal SRAM
1566  *  (and external SRAM if applicable). For parts without SRAM, the data space
1567  *  consists of the register file only. The EEPROM has a separate address space.
1568  *  A 16-bit address must be supplied. Memory access is limited to the current
1569  *  data segment of 64KB. The LDS instruction uses the RAMPD Register to access
1570  *  memory above 64KB. To access another data segment in devices with more than
1571  *  64KB data space, the RAMPD in register in the I/O area has to be changed.
1572  *  This instruction is not available in all devices. Refer to the device
1573  *  specific instruction set summary.
1574  */
1575 static bool trans_LDS(DisasContext *ctx, arg_LDS *a)
1576 {
1577     TCGv Rd = cpu_r[a->rd];
1578     TCGv addr = tcg_temp_new_i32();
1579     TCGv H = cpu_rampD;
1580     a->imm = next_word(ctx);
1581 
1582     tcg_gen_mov_tl(addr, H); /* addr = H:M:L */
1583     tcg_gen_shli_tl(addr, addr, 16);
1584     tcg_gen_ori_tl(addr, addr, a->imm);
1585 
1586     gen_data_load(ctx, Rd, addr);
1587     return true;
1588 }
1589 
1590 /*
1591  *  Loads one byte indirect from the data space to a register. For parts
1592  *  with SRAM, the data space consists of the Register File, I/O memory and
1593  *  internal SRAM (and external SRAM if applicable). For parts without SRAM, the
1594  *  data space consists of the Register File only. In some parts the Flash
1595  *  Memory has been mapped to the data space and can be read using this command.
1596  *  The EEPROM has a separate address space.  The data location is pointed to by
1597  *  the X (16 bits) Pointer Register in the Register File. Memory access is
1598  *  limited to the current data segment of 64KB. To access another data segment
1599  *  in devices with more than 64KB data space, the RAMPX in register in the I/O
1600  *  area has to be changed.  The X-pointer Register can either be left unchanged
1601  *  by the operation, or it can be post-incremented or predecremented.  These
1602  *  features are especially suited for accessing arrays, tables, and Stack
1603  *  Pointer usage of the X-pointer Register. Note that only the low byte of the
1604  *  X-pointer is updated in devices with no more than 256 bytes data space. For
1605  *  such devices, the high byte of the pointer is not used by this instruction
1606  *  and can be used for other purposes. The RAMPX Register in the I/O area is
1607  *  updated in parts with more than 64KB data space or more than 64KB Program
1608  *  memory, and the increment/decrement is added to the entire 24-bit address on
1609  *  such devices.  Not all variants of this instruction is available in all
1610  *  devices. Refer to the device specific instruction set summary.  In the
1611  *  Reduced Core tinyAVR the LD instruction can be used to achieve the same
1612  *  operation as LPM since the program memory is mapped to the data memory
1613  *  space.
1614  */
1615 static bool trans_LDX1(DisasContext *ctx, arg_LDX1 *a)
1616 {
1617     TCGv Rd = cpu_r[a->rd];
1618     TCGv addr = gen_get_xaddr();
1619 
1620     gen_data_load(ctx, Rd, addr);
1621     return true;
1622 }
1623 
1624 static bool trans_LDX2(DisasContext *ctx, arg_LDX2 *a)
1625 {
1626     TCGv Rd = cpu_r[a->rd];
1627     TCGv addr = gen_get_xaddr();
1628 
1629     gen_data_load(ctx, Rd, addr);
1630     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1631 
1632     gen_set_xaddr(addr);
1633     return true;
1634 }
1635 
1636 static bool trans_LDX3(DisasContext *ctx, arg_LDX3 *a)
1637 {
1638     TCGv Rd = cpu_r[a->rd];
1639     TCGv addr = gen_get_xaddr();
1640 
1641     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1642     gen_data_load(ctx, Rd, addr);
1643     gen_set_xaddr(addr);
1644     return true;
1645 }
1646 
1647 /*
1648  *  Loads one byte indirect with or without displacement from the data space
1649  *  to a register. For parts with SRAM, the data space consists of the Register
1650  *  File, I/O memory and internal SRAM (and external SRAM if applicable). For
1651  *  parts without SRAM, the data space consists of the Register File only. In
1652  *  some parts the Flash Memory has been mapped to the data space and can be
1653  *  read using this command. The EEPROM has a separate address space.  The data
1654  *  location is pointed to by the Y (16 bits) Pointer Register in the Register
1655  *  File. Memory access is limited to the current data segment of 64KB. To
1656  *  access another data segment in devices with more than 64KB data space, the
1657  *  RAMPY in register in the I/O area has to be changed.  The Y-pointer Register
1658  *  can either be left unchanged by the operation, or it can be post-incremented
1659  *  or predecremented.  These features are especially suited for accessing
1660  *  arrays, tables, and Stack Pointer usage of the Y-pointer Register. Note that
1661  *  only the low byte of the Y-pointer is updated in devices with no more than
1662  *  256 bytes data space. For such devices, the high byte of the pointer is not
1663  *  used by this instruction and can be used for other purposes. The RAMPY
1664  *  Register in the I/O area is updated in parts with more than 64KB data space
1665  *  or more than 64KB Program memory, and the increment/decrement/displacement
1666  *  is added to the entire 24-bit address on such devices.  Not all variants of
1667  *  this instruction is available in all devices. Refer to the device specific
1668  *  instruction set summary.  In the Reduced Core tinyAVR the LD instruction can
1669  *  be used to achieve the same operation as LPM since the program memory is
1670  *  mapped to the data memory space.
1671  */
1672 static bool trans_LDY2(DisasContext *ctx, arg_LDY2 *a)
1673 {
1674     TCGv Rd = cpu_r[a->rd];
1675     TCGv addr = gen_get_yaddr();
1676 
1677     gen_data_load(ctx, Rd, addr);
1678     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1679 
1680     gen_set_yaddr(addr);
1681     return true;
1682 }
1683 
1684 static bool trans_LDY3(DisasContext *ctx, arg_LDY3 *a)
1685 {
1686     TCGv Rd = cpu_r[a->rd];
1687     TCGv addr = gen_get_yaddr();
1688 
1689     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1690     gen_data_load(ctx, Rd, addr);
1691     gen_set_yaddr(addr);
1692     return true;
1693 }
1694 
1695 static bool trans_LDDY(DisasContext *ctx, arg_LDDY *a)
1696 {
1697     TCGv Rd = cpu_r[a->rd];
1698     TCGv addr = gen_get_yaddr();
1699 
1700     tcg_gen_addi_tl(addr, addr, a->imm); /* addr = addr + q */
1701     gen_data_load(ctx, Rd, addr);
1702     return true;
1703 }
1704 
1705 /*
1706  *  Loads one byte indirect with or without displacement from the data space
1707  *  to a register. For parts with SRAM, the data space consists of the Register
1708  *  File, I/O memory and internal SRAM (and external SRAM if applicable). For
1709  *  parts without SRAM, the data space consists of the Register File only. In
1710  *  some parts the Flash Memory has been mapped to the data space and can be
1711  *  read using this command. The EEPROM has a separate address space.  The data
1712  *  location is pointed to by the Z (16 bits) Pointer Register in the Register
1713  *  File. Memory access is limited to the current data segment of 64KB. To
1714  *  access another data segment in devices with more than 64KB data space, the
1715  *  RAMPZ in register in the I/O area has to be changed.  The Z-pointer Register
1716  *  can either be left unchanged by the operation, or it can be post-incremented
1717  *  or predecremented.  These features are especially suited for Stack Pointer
1718  *  usage of the Z-pointer Register, however because the Z-pointer Register can
1719  *  be used for indirect subroutine calls, indirect jumps and table lookup, it
1720  *  is often more convenient to use the X or Y-pointer as a dedicated Stack
1721  *  Pointer. Note that only the low byte of the Z-pointer is updated in devices
1722  *  with no more than 256 bytes data space. For such devices, the high byte of
1723  *  the pointer is not used by this instruction and can be used for other
1724  *  purposes. The RAMPZ Register in the I/O area is updated in parts with more
1725  *  than 64KB data space or more than 64KB Program memory, and the
1726  *  increment/decrement/displacement is added to the entire 24-bit address on
1727  *  such devices.  Not all variants of this instruction is available in all
1728  *  devices. Refer to the device specific instruction set summary.  In the
1729  *  Reduced Core tinyAVR the LD instruction can be used to achieve the same
1730  *  operation as LPM since the program memory is mapped to the data memory
1731  *  space.  For using the Z-pointer for table lookup in Program memory see the
1732  *  LPM and ELPM instructions.
1733  */
1734 static bool trans_LDZ2(DisasContext *ctx, arg_LDZ2 *a)
1735 {
1736     TCGv Rd = cpu_r[a->rd];
1737     TCGv addr = gen_get_zaddr();
1738 
1739     gen_data_load(ctx, Rd, addr);
1740     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1741 
1742     gen_set_zaddr(addr);
1743     return true;
1744 }
1745 
1746 static bool trans_LDZ3(DisasContext *ctx, arg_LDZ3 *a)
1747 {
1748     TCGv Rd = cpu_r[a->rd];
1749     TCGv addr = gen_get_zaddr();
1750 
1751     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1752     gen_data_load(ctx, Rd, addr);
1753 
1754     gen_set_zaddr(addr);
1755     return true;
1756 }
1757 
1758 static bool trans_LDDZ(DisasContext *ctx, arg_LDDZ *a)
1759 {
1760     TCGv Rd = cpu_r[a->rd];
1761     TCGv addr = gen_get_zaddr();
1762 
1763     tcg_gen_addi_tl(addr, addr, a->imm); /* addr = addr + q */
1764     gen_data_load(ctx, Rd, addr);
1765     return true;
1766 }
1767 
1768 /*
1769  *  Stores one byte from a Register to the data space. For parts with SRAM,
1770  *  the data space consists of the Register File, I/O memory and internal SRAM
1771  *  (and external SRAM if applicable). For parts without SRAM, the data space
1772  *  consists of the Register File only. The EEPROM has a separate address space.
1773  *  A 16-bit address must be supplied. Memory access is limited to the current
1774  *  data segment of 64KB. The STS instruction uses the RAMPD Register to access
1775  *  memory above 64KB. To access another data segment in devices with more than
1776  *  64KB data space, the RAMPD in register in the I/O area has to be changed.
1777  *  This instruction is not available in all devices. Refer to the device
1778  *  specific instruction set summary.
1779  */
1780 static bool trans_STS(DisasContext *ctx, arg_STS *a)
1781 {
1782     TCGv Rd = cpu_r[a->rd];
1783     TCGv addr = tcg_temp_new_i32();
1784     TCGv H = cpu_rampD;
1785     a->imm = next_word(ctx);
1786 
1787     tcg_gen_mov_tl(addr, H); /* addr = H:M:L */
1788     tcg_gen_shli_tl(addr, addr, 16);
1789     tcg_gen_ori_tl(addr, addr, a->imm);
1790     gen_data_store(ctx, Rd, addr);
1791     return true;
1792 }
1793 
1794 /*
1795  * Stores one byte indirect from a register to data space. For parts with SRAM,
1796  * the data space consists of the Register File, I/O memory, and internal SRAM
1797  * (and external SRAM if applicable). For parts without SRAM, the data space
1798  * consists of the Register File only. The EEPROM has a separate address space.
1799  *
1800  * The data location is pointed to by the X (16 bits) Pointer Register in the
1801  * Register File. Memory access is limited to the current data segment of 64KB.
1802  * To access another data segment in devices with more than 64KB data space, the
1803  * RAMPX in register in the I/O area has to be changed.
1804  *
1805  * The X-pointer Register can either be left unchanged by the operation, or it
1806  * can be post-incremented or pre-decremented. These features are especially
1807  * suited for accessing arrays, tables, and Stack Pointer usage of the
1808  * X-pointer Register. Note that only the low byte of the X-pointer is updated
1809  * in devices with no more than 256 bytes data space. For such devices, the high
1810  * byte of the pointer is not used by this instruction and can be used for other
1811  * purposes. The RAMPX Register in the I/O area is updated in parts with more
1812  * than 64KB data space or more than 64KB Program memory, and the increment /
1813  * decrement is added to the entire 24-bit address on such devices.
1814  */
1815 static bool trans_STX1(DisasContext *ctx, arg_STX1 *a)
1816 {
1817     TCGv Rd = cpu_r[a->rr];
1818     TCGv addr = gen_get_xaddr();
1819 
1820     gen_data_store(ctx, Rd, addr);
1821     return true;
1822 }
1823 
1824 static bool trans_STX2(DisasContext *ctx, arg_STX2 *a)
1825 {
1826     TCGv Rd = cpu_r[a->rr];
1827     TCGv addr = gen_get_xaddr();
1828 
1829     gen_data_store(ctx, Rd, addr);
1830     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1831     gen_set_xaddr(addr);
1832     return true;
1833 }
1834 
1835 static bool trans_STX3(DisasContext *ctx, arg_STX3 *a)
1836 {
1837     TCGv Rd = cpu_r[a->rr];
1838     TCGv addr = gen_get_xaddr();
1839 
1840     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1841     gen_data_store(ctx, Rd, addr);
1842     gen_set_xaddr(addr);
1843     return true;
1844 }
1845 
1846 /*
1847  * Stores one byte indirect with or without displacement from a register to data
1848  * space. For parts with SRAM, the data space consists of the Register File, I/O
1849  * memory, and internal SRAM (and external SRAM if applicable). For parts
1850  * without SRAM, the data space consists of the Register File only. The EEPROM
1851  * has a separate address space.
1852  *
1853  * The data location is pointed to by the Y (16 bits) Pointer Register in the
1854  * Register File. Memory access is limited to the current data segment of 64KB.
1855  * To access another data segment in devices with more than 64KB data space, the
1856  * RAMPY in register in the I/O area has to be changed.
1857  *
1858  * The Y-pointer Register can either be left unchanged by the operation, or it
1859  * can be post-incremented or pre-decremented. These features are especially
1860  * suited for accessing arrays, tables, and Stack Pointer usage of the Y-pointer
1861  * Register. Note that only the low byte of the Y-pointer is updated in devices
1862  * with no more than 256 bytes data space. For such devices, the high byte of
1863  * the pointer is not used by this instruction and can be used for other
1864  * purposes. The RAMPY Register in the I/O area is updated in parts with more
1865  * than 64KB data space or more than 64KB Program memory, and the increment /
1866  * decrement / displacement is added to the entire 24-bit address on such
1867  * devices.
1868  */
1869 static bool trans_STY2(DisasContext *ctx, arg_STY2 *a)
1870 {
1871     TCGv Rd = cpu_r[a->rd];
1872     TCGv addr = gen_get_yaddr();
1873 
1874     gen_data_store(ctx, Rd, addr);
1875     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1876     gen_set_yaddr(addr);
1877     return true;
1878 }
1879 
1880 static bool trans_STY3(DisasContext *ctx, arg_STY3 *a)
1881 {
1882     TCGv Rd = cpu_r[a->rd];
1883     TCGv addr = gen_get_yaddr();
1884 
1885     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1886     gen_data_store(ctx, Rd, addr);
1887     gen_set_yaddr(addr);
1888     return true;
1889 }
1890 
1891 static bool trans_STDY(DisasContext *ctx, arg_STDY *a)
1892 {
1893     TCGv Rd = cpu_r[a->rd];
1894     TCGv addr = gen_get_yaddr();
1895 
1896     tcg_gen_addi_tl(addr, addr, a->imm); /* addr = addr + q */
1897     gen_data_store(ctx, Rd, addr);
1898     return true;
1899 }
1900 
1901 /*
1902  * Stores one byte indirect with or without displacement from a register to data
1903  * space. For parts with SRAM, the data space consists of the Register File, I/O
1904  * memory, and internal SRAM (and external SRAM if applicable). For parts
1905  * without SRAM, the data space consists of the Register File only. The EEPROM
1906  * has a separate address space.
1907  *
1908  * The data location is pointed to by the Y (16 bits) Pointer Register in the
1909  * Register File. Memory access is limited to the current data segment of 64KB.
1910  * To access another data segment in devices with more than 64KB data space, the
1911  * RAMPY in register in the I/O area has to be changed.
1912  *
1913  * The Y-pointer Register can either be left unchanged by the operation, or it
1914  * can be post-incremented or pre-decremented. These features are especially
1915  * suited for accessing arrays, tables, and Stack Pointer usage of the Y-pointer
1916  * Register. Note that only the low byte of the Y-pointer is updated in devices
1917  * with no more than 256 bytes data space. For such devices, the high byte of
1918  * the pointer is not used by this instruction and can be used for other
1919  * purposes. The RAMPY Register in the I/O area is updated in parts with more
1920  * than 64KB data space or more than 64KB Program memory, and the increment /
1921  * decrement / displacement is added to the entire 24-bit address on such
1922  * devices.
1923  */
1924 static bool trans_STZ2(DisasContext *ctx, arg_STZ2 *a)
1925 {
1926     TCGv Rd = cpu_r[a->rd];
1927     TCGv addr = gen_get_zaddr();
1928 
1929     gen_data_store(ctx, Rd, addr);
1930     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
1931 
1932     gen_set_zaddr(addr);
1933     return true;
1934 }
1935 
1936 static bool trans_STZ3(DisasContext *ctx, arg_STZ3 *a)
1937 {
1938     TCGv Rd = cpu_r[a->rd];
1939     TCGv addr = gen_get_zaddr();
1940 
1941     tcg_gen_subi_tl(addr, addr, 1); /* addr = addr - 1 */
1942     gen_data_store(ctx, Rd, addr);
1943 
1944     gen_set_zaddr(addr);
1945     return true;
1946 }
1947 
1948 static bool trans_STDZ(DisasContext *ctx, arg_STDZ *a)
1949 {
1950     TCGv Rd = cpu_r[a->rd];
1951     TCGv addr = gen_get_zaddr();
1952 
1953     tcg_gen_addi_tl(addr, addr, a->imm); /* addr = addr + q */
1954     gen_data_store(ctx, Rd, addr);
1955     return true;
1956 }
1957 
1958 /*
1959  *  Loads one byte pointed to by the Z-register into the destination
1960  *  register Rd. This instruction features a 100% space effective constant
1961  *  initialization or constant data fetch. The Program memory is organized in
1962  *  16-bit words while the Z-pointer is a byte address. Thus, the least
1963  *  significant bit of the Z-pointer selects either low byte (ZLSB = 0) or high
1964  *  byte (ZLSB = 1). This instruction can address the first 64KB (32K words) of
1965  *  Program memory. The Zpointer Register can either be left unchanged by the
1966  *  operation, or it can be incremented. The incrementation does not apply to
1967  *  the RAMPZ Register.
1968  *
1969  *  Devices with Self-Programming capability can use the LPM instruction to read
1970  *  the Fuse and Lock bit values.
1971  */
1972 static bool trans_LPM1(DisasContext *ctx, arg_LPM1 *a)
1973 {
1974     if (!avr_have_feature(ctx, AVR_FEATURE_LPM)) {
1975         return true;
1976     }
1977 
1978     TCGv Rd = cpu_r[0];
1979     TCGv addr = tcg_temp_new_i32();
1980     TCGv H = cpu_r[31];
1981     TCGv L = cpu_r[30];
1982 
1983     tcg_gen_shli_tl(addr, H, 8); /* addr = H:L */
1984     tcg_gen_or_tl(addr, addr, L);
1985     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
1986     return true;
1987 }
1988 
1989 static bool trans_LPM2(DisasContext *ctx, arg_LPM2 *a)
1990 {
1991     if (!avr_have_feature(ctx, AVR_FEATURE_LPM)) {
1992         return true;
1993     }
1994 
1995     TCGv Rd = cpu_r[a->rd];
1996     TCGv addr = tcg_temp_new_i32();
1997     TCGv H = cpu_r[31];
1998     TCGv L = cpu_r[30];
1999 
2000     tcg_gen_shli_tl(addr, H, 8); /* addr = H:L */
2001     tcg_gen_or_tl(addr, addr, L);
2002     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
2003     return true;
2004 }
2005 
2006 static bool trans_LPMX(DisasContext *ctx, arg_LPMX *a)
2007 {
2008     if (!avr_have_feature(ctx, AVR_FEATURE_LPMX)) {
2009         return true;
2010     }
2011 
2012     TCGv Rd = cpu_r[a->rd];
2013     TCGv addr = tcg_temp_new_i32();
2014     TCGv H = cpu_r[31];
2015     TCGv L = cpu_r[30];
2016 
2017     tcg_gen_shli_tl(addr, H, 8); /* addr = H:L */
2018     tcg_gen_or_tl(addr, addr, L);
2019     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
2020     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
2021     tcg_gen_andi_tl(L, addr, 0xff);
2022     tcg_gen_shri_tl(addr, addr, 8);
2023     tcg_gen_andi_tl(H, addr, 0xff);
2024     return true;
2025 }
2026 
2027 /*
2028  *  Loads one byte pointed to by the Z-register and the RAMPZ Register in
2029  *  the I/O space, and places this byte in the destination register Rd. This
2030  *  instruction features a 100% space effective constant initialization or
2031  *  constant data fetch. The Program memory is organized in 16-bit words while
2032  *  the Z-pointer is a byte address. Thus, the least significant bit of the
2033  *  Z-pointer selects either low byte (ZLSB = 0) or high byte (ZLSB = 1). This
2034  *  instruction can address the entire Program memory space. The Z-pointer
2035  *  Register can either be left unchanged by the operation, or it can be
2036  *  incremented. The incrementation applies to the entire 24-bit concatenation
2037  *  of the RAMPZ and Z-pointer Registers.
2038  *
2039  *  Devices with Self-Programming capability can use the ELPM instruction to
2040  *  read the Fuse and Lock bit value.
2041  */
2042 static bool trans_ELPM1(DisasContext *ctx, arg_ELPM1 *a)
2043 {
2044     if (!avr_have_feature(ctx, AVR_FEATURE_ELPM)) {
2045         return true;
2046     }
2047 
2048     TCGv Rd = cpu_r[0];
2049     TCGv addr = gen_get_zaddr();
2050 
2051     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
2052     return true;
2053 }
2054 
2055 static bool trans_ELPM2(DisasContext *ctx, arg_ELPM2 *a)
2056 {
2057     if (!avr_have_feature(ctx, AVR_FEATURE_ELPM)) {
2058         return true;
2059     }
2060 
2061     TCGv Rd = cpu_r[a->rd];
2062     TCGv addr = gen_get_zaddr();
2063 
2064     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
2065     return true;
2066 }
2067 
2068 static bool trans_ELPMX(DisasContext *ctx, arg_ELPMX *a)
2069 {
2070     if (!avr_have_feature(ctx, AVR_FEATURE_ELPMX)) {
2071         return true;
2072     }
2073 
2074     TCGv Rd = cpu_r[a->rd];
2075     TCGv addr = gen_get_zaddr();
2076 
2077     tcg_gen_qemu_ld_tl(Rd, addr, MMU_CODE_IDX, MO_UB);
2078     tcg_gen_addi_tl(addr, addr, 1); /* addr = addr + 1 */
2079     gen_set_zaddr(addr);
2080     return true;
2081 }
2082 
2083 /*
2084  *  SPM can be used to erase a page in the Program memory, to write a page
2085  *  in the Program memory (that is already erased), and to set Boot Loader Lock
2086  *  bits. In some devices, the Program memory can be written one word at a time,
2087  *  in other devices an entire page can be programmed simultaneously after first
2088  *  filling a temporary page buffer. In all cases, the Program memory must be
2089  *  erased one page at a time. When erasing the Program memory, the RAMPZ and
2090  *  Z-register are used as page address. When writing the Program memory, the
2091  *  RAMPZ and Z-register are used as page or word address, and the R1:R0
2092  *  register pair is used as data(1). When setting the Boot Loader Lock bits,
2093  *  the R1:R0 register pair is used as data. Refer to the device documentation
2094  *  for detailed description of SPM usage. This instruction can address the
2095  *  entire Program memory.
2096  *
2097  *  The SPM instruction is not available in all devices. Refer to the device
2098  *  specific instruction set summary.
2099  *
2100  *  Note: 1. R1 determines the instruction high byte, and R0 determines the
2101  *  instruction low byte.
2102  */
2103 static bool trans_SPM(DisasContext *ctx, arg_SPM *a)
2104 {
2105     /* TODO */
2106     if (!avr_have_feature(ctx, AVR_FEATURE_SPM)) {
2107         return true;
2108     }
2109 
2110     return true;
2111 }
2112 
2113 static bool trans_SPMX(DisasContext *ctx, arg_SPMX *a)
2114 {
2115     /* TODO */
2116     if (!avr_have_feature(ctx, AVR_FEATURE_SPMX)) {
2117         return true;
2118     }
2119 
2120     return true;
2121 }
2122 
2123 /*
2124  *  Loads data from the I/O Space (Ports, Timers, Configuration Registers,
2125  *  etc.) into register Rd in the Register File.
2126  */
2127 static bool trans_IN(DisasContext *ctx, arg_IN *a)
2128 {
2129     TCGv Rd = cpu_r[a->rd];
2130     TCGv port = tcg_constant_i32(a->imm);
2131 
2132     gen_helper_inb(Rd, tcg_env, port);
2133     return true;
2134 }
2135 
2136 /*
2137  *  Stores data from register Rr in the Register File to I/O Space (Ports,
2138  *  Timers, Configuration Registers, etc.).
2139  */
2140 static bool trans_OUT(DisasContext *ctx, arg_OUT *a)
2141 {
2142     TCGv Rd = cpu_r[a->rd];
2143     TCGv port = tcg_constant_i32(a->imm);
2144 
2145     gen_helper_outb(tcg_env, port, Rd);
2146     return true;
2147 }
2148 
2149 /*
2150  *  This instruction stores the contents of register Rr on the STACK. The
2151  *  Stack Pointer is post-decremented by 1 after the PUSH.  This instruction is
2152  *  not available in all devices. Refer to the device specific instruction set
2153  *  summary.
2154  */
2155 static bool trans_PUSH(DisasContext *ctx, arg_PUSH *a)
2156 {
2157     TCGv Rd = cpu_r[a->rd];
2158 
2159     gen_data_store(ctx, Rd, cpu_sp);
2160     tcg_gen_subi_tl(cpu_sp, cpu_sp, 1);
2161 
2162     return true;
2163 }
2164 
2165 /*
2166  *  This instruction loads register Rd with a byte from the STACK. The Stack
2167  *  Pointer is pre-incremented by 1 before the POP.  This instruction is not
2168  *  available in all devices. Refer to the device specific instruction set
2169  *  summary.
2170  */
2171 static bool trans_POP(DisasContext *ctx, arg_POP *a)
2172 {
2173     /*
2174      * Using a temp to work around some strange behaviour:
2175      * tcg_gen_addi_tl(cpu_sp, cpu_sp, 1);
2176      * gen_data_load(ctx, Rd, cpu_sp);
2177      * seems to cause the add to happen twice.
2178      * This doesn't happen if either the add or the load is removed.
2179      */
2180     TCGv t1 = tcg_temp_new_i32();
2181     TCGv Rd = cpu_r[a->rd];
2182 
2183     tcg_gen_addi_tl(t1, cpu_sp, 1);
2184     gen_data_load(ctx, Rd, t1);
2185     tcg_gen_mov_tl(cpu_sp, t1);
2186 
2187     return true;
2188 }
2189 
2190 /*
2191  *  Exchanges one byte indirect between register and data space.  The data
2192  *  location is pointed to by the Z (16 bits) Pointer Register in the Register
2193  *  File. Memory access is limited to the current data segment of 64KB. To
2194  *  access another data segment in devices with more than 64KB data space, the
2195  *  RAMPZ in register in the I/O area has to be changed.
2196  *
2197  *  The Z-pointer Register is left unchanged by the operation. This instruction
2198  *  is especially suited for writing/reading status bits stored in SRAM.
2199  */
2200 static bool trans_XCH(DisasContext *ctx, arg_XCH *a)
2201 {
2202     if (!avr_have_feature(ctx, AVR_FEATURE_RMW)) {
2203         return true;
2204     }
2205 
2206     TCGv Rd = cpu_r[a->rd];
2207     TCGv t0 = tcg_temp_new_i32();
2208     TCGv addr = gen_get_zaddr();
2209 
2210     gen_data_load(ctx, t0, addr);
2211     gen_data_store(ctx, Rd, addr);
2212     tcg_gen_mov_tl(Rd, t0);
2213     return true;
2214 }
2215 
2216 /*
2217  *  Load one byte indirect from data space to register and set bits in data
2218  *  space specified by the register. The instruction can only be used towards
2219  *  internal SRAM.  The data location is pointed to by the Z (16 bits) Pointer
2220  *  Register in the Register File. Memory access is limited to the current data
2221  *  segment of 64KB. To access another data segment in devices with more than
2222  *  64KB data space, the RAMPZ in register in the I/O area has to be changed.
2223  *
2224  *  The Z-pointer Register is left unchanged by the operation. This instruction
2225  *  is especially suited for setting status bits stored in SRAM.
2226  */
2227 static bool trans_LAS(DisasContext *ctx, arg_LAS *a)
2228 {
2229     if (!avr_have_feature(ctx, AVR_FEATURE_RMW)) {
2230         return true;
2231     }
2232 
2233     TCGv Rr = cpu_r[a->rd];
2234     TCGv addr = gen_get_zaddr();
2235     TCGv t0 = tcg_temp_new_i32();
2236     TCGv t1 = tcg_temp_new_i32();
2237 
2238     gen_data_load(ctx, t0, addr); /* t0 = mem[addr] */
2239     tcg_gen_or_tl(t1, t0, Rr);
2240     tcg_gen_mov_tl(Rr, t0); /* Rr = t0 */
2241     gen_data_store(ctx, t1, addr); /* mem[addr] = t1 */
2242     return true;
2243 }
2244 
2245 /*
2246  *  Load one byte indirect from data space to register and stores and clear
2247  *  the bits in data space specified by the register. The instruction can
2248  *  only be used towards internal SRAM.  The data location is pointed to by
2249  *  the Z (16 bits) Pointer Register in the Register File. Memory access is
2250  *  limited to the current data segment of 64KB. To access another data
2251  *  segment in devices with more than 64KB data space, the RAMPZ in register
2252  *  in the I/O area has to be changed.
2253  *
2254  *  The Z-pointer Register is left unchanged by the operation. This instruction
2255  *  is especially suited for clearing status bits stored in SRAM.
2256  */
2257 static bool trans_LAC(DisasContext *ctx, arg_LAC *a)
2258 {
2259     if (!avr_have_feature(ctx, AVR_FEATURE_RMW)) {
2260         return true;
2261     }
2262 
2263     TCGv Rr = cpu_r[a->rd];
2264     TCGv addr = gen_get_zaddr();
2265     TCGv t0 = tcg_temp_new_i32();
2266     TCGv t1 = tcg_temp_new_i32();
2267 
2268     gen_data_load(ctx, t0, addr); /* t0 = mem[addr] */
2269     tcg_gen_andc_tl(t1, t0, Rr); /* t1 = t0 & (0xff - Rr) = t0 & ~Rr */
2270     tcg_gen_mov_tl(Rr, t0); /* Rr = t0 */
2271     gen_data_store(ctx, t1, addr); /* mem[addr] = t1 */
2272     return true;
2273 }
2274 
2275 
2276 /*
2277  *  Load one byte indirect from data space to register and toggles bits in
2278  *  the data space specified by the register.  The instruction can only be used
2279  *  towards SRAM.  The data location is pointed to by the Z (16 bits) Pointer
2280  *  Register in the Register File. Memory access is limited to the current data
2281  *  segment of 64KB. To access another data segment in devices with more than
2282  *  64KB data space, the RAMPZ in register in the I/O area has to be changed.
2283  *
2284  *  The Z-pointer Register is left unchanged by the operation. This instruction
2285  *  is especially suited for changing status bits stored in SRAM.
2286  */
2287 static bool trans_LAT(DisasContext *ctx, arg_LAT *a)
2288 {
2289     if (!avr_have_feature(ctx, AVR_FEATURE_RMW)) {
2290         return true;
2291     }
2292 
2293     TCGv Rd = cpu_r[a->rd];
2294     TCGv addr = gen_get_zaddr();
2295     TCGv t0 = tcg_temp_new_i32();
2296     TCGv t1 = tcg_temp_new_i32();
2297 
2298     gen_data_load(ctx, t0, addr); /* t0 = mem[addr] */
2299     tcg_gen_xor_tl(t1, t0, Rd);
2300     tcg_gen_mov_tl(Rd, t0); /* Rd = t0 */
2301     gen_data_store(ctx, t1, addr); /* mem[addr] = t1 */
2302     return true;
2303 }
2304 
2305 /*
2306  * Bit and Bit-test Instructions
2307  */
2308 static void gen_rshift_ZNVSf(TCGv R)
2309 {
2310     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, R, 0); /* Zf = R == 0 */
2311     tcg_gen_shri_tl(cpu_Nf, R, 7); /* Nf = R(7) */
2312     tcg_gen_xor_tl(cpu_Vf, cpu_Nf, cpu_Cf);
2313     tcg_gen_xor_tl(cpu_Sf, cpu_Nf, cpu_Vf); /* Sf = Nf ^ Vf */
2314 }
2315 
2316 /*
2317  *  Shifts all bits in Rd one place to the right. Bit 7 is cleared. Bit 0 is
2318  *  loaded into the C Flag of the SREG. This operation effectively divides an
2319  *  unsigned value by two. The C Flag can be used to round the result.
2320  */
2321 static bool trans_LSR(DisasContext *ctx, arg_LSR *a)
2322 {
2323     TCGv Rd = cpu_r[a->rd];
2324 
2325     tcg_gen_andi_tl(cpu_Cf, Rd, 1);
2326     tcg_gen_shri_tl(Rd, Rd, 1);
2327 
2328     /* update status register */
2329     tcg_gen_setcondi_tl(TCG_COND_EQ, cpu_Zf, Rd, 0); /* Zf = Rd == 0 */
2330     tcg_gen_movi_tl(cpu_Nf, 0);
2331     tcg_gen_mov_tl(cpu_Vf, cpu_Cf);
2332     tcg_gen_mov_tl(cpu_Sf, cpu_Vf);
2333 
2334     return true;
2335 }
2336 
2337 /*
2338  *  Shifts all bits in Rd one place to the right. The C Flag is shifted into
2339  *  bit 7 of Rd. Bit 0 is shifted into the C Flag.  This operation, combined
2340  *  with ASR, effectively divides multi-byte signed values by two. Combined with
2341  *  LSR it effectively divides multi-byte unsigned values by two. The Carry Flag
2342  *  can be used to round the result.
2343  */
2344 static bool trans_ROR(DisasContext *ctx, arg_ROR *a)
2345 {
2346     TCGv Rd = cpu_r[a->rd];
2347     TCGv t0 = tcg_temp_new_i32();
2348 
2349     tcg_gen_shli_tl(t0, cpu_Cf, 7);
2350 
2351     /* update status register */
2352     tcg_gen_andi_tl(cpu_Cf, Rd, 1);
2353 
2354     /* update output register */
2355     tcg_gen_shri_tl(Rd, Rd, 1);
2356     tcg_gen_or_tl(Rd, Rd, t0);
2357 
2358     /* update status register */
2359     gen_rshift_ZNVSf(Rd);
2360     return true;
2361 }
2362 
2363 /*
2364  *  Shifts all bits in Rd one place to the right. Bit 7 is held constant. Bit 0
2365  *  is loaded into the C Flag of the SREG. This operation effectively divides a
2366  *  signed value by two without changing its sign. The Carry Flag can be used to
2367  *  round the result.
2368  */
2369 static bool trans_ASR(DisasContext *ctx, arg_ASR *a)
2370 {
2371     TCGv Rd = cpu_r[a->rd];
2372     TCGv t0 = tcg_temp_new_i32();
2373 
2374     /* update status register */
2375     tcg_gen_andi_tl(cpu_Cf, Rd, 1); /* Cf = Rd(0) */
2376 
2377     /* update output register */
2378     tcg_gen_andi_tl(t0, Rd, 0x80); /* Rd = (Rd & 0x80) | (Rd >> 1) */
2379     tcg_gen_shri_tl(Rd, Rd, 1);
2380     tcg_gen_or_tl(Rd, Rd, t0);
2381 
2382     /* update status register */
2383     gen_rshift_ZNVSf(Rd);
2384     return true;
2385 }
2386 
2387 /*
2388  *  Swaps high and low nibbles in a register.
2389  */
2390 static bool trans_SWAP(DisasContext *ctx, arg_SWAP *a)
2391 {
2392     TCGv Rd = cpu_r[a->rd];
2393     TCGv t0 = tcg_temp_new_i32();
2394     TCGv t1 = tcg_temp_new_i32();
2395 
2396     tcg_gen_andi_tl(t0, Rd, 0x0f);
2397     tcg_gen_shli_tl(t0, t0, 4);
2398     tcg_gen_andi_tl(t1, Rd, 0xf0);
2399     tcg_gen_shri_tl(t1, t1, 4);
2400     tcg_gen_or_tl(Rd, t0, t1);
2401     return true;
2402 }
2403 
2404 /*
2405  *  Sets a specified bit in an I/O Register. This instruction operates on
2406  *  the lower 32 I/O Registers -- addresses 0-31.
2407  */
2408 static bool trans_SBI(DisasContext *ctx, arg_SBI *a)
2409 {
2410     TCGv data = tcg_temp_new_i32();
2411     TCGv port = tcg_constant_i32(a->reg);
2412 
2413     gen_helper_inb(data, tcg_env, port);
2414     tcg_gen_ori_tl(data, data, 1 << a->bit);
2415     gen_helper_outb(tcg_env, port, data);
2416     return true;
2417 }
2418 
2419 /*
2420  *  Clears a specified bit in an I/O Register. This instruction operates on
2421  *  the lower 32 I/O Registers -- addresses 0-31.
2422  */
2423 static bool trans_CBI(DisasContext *ctx, arg_CBI *a)
2424 {
2425     TCGv data = tcg_temp_new_i32();
2426     TCGv port = tcg_constant_i32(a->reg);
2427 
2428     gen_helper_inb(data, tcg_env, port);
2429     tcg_gen_andi_tl(data, data, ~(1 << a->bit));
2430     gen_helper_outb(tcg_env, port, data);
2431     return true;
2432 }
2433 
2434 /*
2435  *  Stores bit b from Rd to the T Flag in SREG (Status Register).
2436  */
2437 static bool trans_BST(DisasContext *ctx, arg_BST *a)
2438 {
2439     TCGv Rd = cpu_r[a->rd];
2440 
2441     tcg_gen_andi_tl(cpu_Tf, Rd, 1 << a->bit);
2442     tcg_gen_shri_tl(cpu_Tf, cpu_Tf, a->bit);
2443 
2444     return true;
2445 }
2446 
2447 /*
2448  *  Copies the T Flag in the SREG (Status Register) to bit b in register Rd.
2449  */
2450 static bool trans_BLD(DisasContext *ctx, arg_BLD *a)
2451 {
2452     TCGv Rd = cpu_r[a->rd];
2453     TCGv t1 = tcg_temp_new_i32();
2454 
2455     tcg_gen_andi_tl(Rd, Rd, ~(1u << a->bit)); /* clear bit */
2456     tcg_gen_shli_tl(t1, cpu_Tf, a->bit); /* create mask */
2457     tcg_gen_or_tl(Rd, Rd, t1);
2458     return true;
2459 }
2460 
2461 /*
2462  *  Sets a single Flag or bit in SREG.
2463  */
2464 static bool trans_BSET(DisasContext *ctx, arg_BSET *a)
2465 {
2466     switch (a->bit) {
2467     case 0x00:
2468         tcg_gen_movi_tl(cpu_Cf, 0x01);
2469         break;
2470     case 0x01:
2471         tcg_gen_movi_tl(cpu_Zf, 0x01);
2472         break;
2473     case 0x02:
2474         tcg_gen_movi_tl(cpu_Nf, 0x01);
2475         break;
2476     case 0x03:
2477         tcg_gen_movi_tl(cpu_Vf, 0x01);
2478         break;
2479     case 0x04:
2480         tcg_gen_movi_tl(cpu_Sf, 0x01);
2481         break;
2482     case 0x05:
2483         tcg_gen_movi_tl(cpu_Hf, 0x01);
2484         break;
2485     case 0x06:
2486         tcg_gen_movi_tl(cpu_Tf, 0x01);
2487         break;
2488     case 0x07:
2489         tcg_gen_movi_tl(cpu_If, 0x01);
2490         break;
2491     }
2492 
2493     return true;
2494 }
2495 
2496 /*
2497  *  Clears a single Flag in SREG.
2498  */
2499 static bool trans_BCLR(DisasContext *ctx, arg_BCLR *a)
2500 {
2501     switch (a->bit) {
2502     case 0x00:
2503         tcg_gen_movi_tl(cpu_Cf, 0x00);
2504         break;
2505     case 0x01:
2506         tcg_gen_movi_tl(cpu_Zf, 0x00);
2507         break;
2508     case 0x02:
2509         tcg_gen_movi_tl(cpu_Nf, 0x00);
2510         break;
2511     case 0x03:
2512         tcg_gen_movi_tl(cpu_Vf, 0x00);
2513         break;
2514     case 0x04:
2515         tcg_gen_movi_tl(cpu_Sf, 0x00);
2516         break;
2517     case 0x05:
2518         tcg_gen_movi_tl(cpu_Hf, 0x00);
2519         break;
2520     case 0x06:
2521         tcg_gen_movi_tl(cpu_Tf, 0x00);
2522         break;
2523     case 0x07:
2524         tcg_gen_movi_tl(cpu_If, 0x00);
2525         break;
2526     }
2527 
2528     return true;
2529 }
2530 
2531 /*
2532  * MCU Control Instructions
2533  */
2534 
2535 /*
2536  *  The BREAK instruction is used by the On-chip Debug system, and is
2537  *  normally not used in the application software. When the BREAK instruction is
2538  *  executed, the AVR CPU is set in the Stopped Mode. This gives the On-chip
2539  *  Debugger access to internal resources.  If any Lock bits are set, or either
2540  *  the JTAGEN or OCDEN Fuses are unprogrammed, the CPU will treat the BREAK
2541  *  instruction as a NOP and will not enter the Stopped mode.  This instruction
2542  *  is not available in all devices. Refer to the device specific instruction
2543  *  set summary.
2544  */
2545 static bool trans_BREAK(DisasContext *ctx, arg_BREAK *a)
2546 {
2547     if (!avr_have_feature(ctx, AVR_FEATURE_BREAK)) {
2548         return true;
2549     }
2550 
2551 #ifdef BREAKPOINT_ON_BREAK
2552     tcg_gen_movi_tl(cpu_pc, ctx->npc - 1);
2553     gen_helper_debug(tcg_env);
2554     ctx->base.is_jmp = DISAS_EXIT;
2555 #else
2556     /* NOP */
2557 #endif
2558 
2559     return true;
2560 }
2561 
2562 /*
2563  *  This instruction performs a single cycle No Operation.
2564  */
2565 static bool trans_NOP(DisasContext *ctx, arg_NOP *a)
2566 {
2567 
2568     /* NOP */
2569 
2570     return true;
2571 }
2572 
2573 /*
2574  *  This instruction sets the circuit in sleep mode defined by the MCU
2575  *  Control Register.
2576  */
2577 static bool trans_SLEEP(DisasContext *ctx, arg_SLEEP *a)
2578 {
2579     gen_helper_sleep(tcg_env);
2580     ctx->base.is_jmp = DISAS_NORETURN;
2581     return true;
2582 }
2583 
2584 /*
2585  *  This instruction resets the Watchdog Timer. This instruction must be
2586  *  executed within a limited time given by the WD prescaler. See the Watchdog
2587  *  Timer hardware specification.
2588  */
2589 static bool trans_WDR(DisasContext *ctx, arg_WDR *a)
2590 {
2591     gen_helper_wdr(tcg_env);
2592 
2593     return true;
2594 }
2595 
2596 /*
2597  *  Core translation mechanism functions:
2598  *
2599  *    - translate()
2600  *    - canonicalize_skip()
2601  *    - gen_intermediate_code()
2602  *    - restore_state_to_opc()
2603  *
2604  */
2605 static void translate(DisasContext *ctx)
2606 {
2607     uint32_t opcode = next_word(ctx);
2608 
2609     if (!decode_insn(ctx, opcode)) {
2610         gen_helper_unsupported(tcg_env);
2611         ctx->base.is_jmp = DISAS_NORETURN;
2612     }
2613 }
2614 
2615 /* Standardize the cpu_skip condition to NE.  */
2616 static bool canonicalize_skip(DisasContext *ctx)
2617 {
2618     switch (ctx->skip_cond) {
2619     case TCG_COND_NEVER:
2620         /* Normal case: cpu_skip is known to be false.  */
2621         return false;
2622 
2623     case TCG_COND_ALWAYS:
2624         /*
2625          * Breakpoint case: cpu_skip is known to be true, via TB_FLAGS_SKIP.
2626          * The breakpoint is on the instruction being skipped, at the start
2627          * of the TranslationBlock.  No need to update.
2628          */
2629         return false;
2630 
2631     case TCG_COND_NE:
2632         if (ctx->skip_var1 == NULL) {
2633             tcg_gen_mov_tl(cpu_skip, ctx->skip_var0);
2634         } else {
2635             tcg_gen_xor_tl(cpu_skip, ctx->skip_var0, ctx->skip_var1);
2636             ctx->skip_var1 = NULL;
2637         }
2638         break;
2639 
2640     default:
2641         /* Convert to a NE condition vs 0. */
2642         if (ctx->skip_var1 == NULL) {
2643             tcg_gen_setcondi_tl(ctx->skip_cond, cpu_skip, ctx->skip_var0, 0);
2644         } else {
2645             tcg_gen_setcond_tl(ctx->skip_cond, cpu_skip,
2646                                ctx->skip_var0, ctx->skip_var1);
2647             ctx->skip_var1 = NULL;
2648         }
2649         ctx->skip_cond = TCG_COND_NE;
2650         break;
2651     }
2652     ctx->skip_var0 = cpu_skip;
2653     return true;
2654 }
2655 
2656 static void avr_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
2657 {
2658     DisasContext *ctx = container_of(dcbase, DisasContext, base);
2659     uint32_t tb_flags = ctx->base.tb->flags;
2660 
2661     ctx->cs = cs;
2662     ctx->env = cpu_env(cs);
2663     ctx->npc = ctx->base.pc_first / 2;
2664 
2665     ctx->skip_cond = TCG_COND_NEVER;
2666     if (tb_flags & TB_FLAGS_SKIP) {
2667         ctx->skip_cond = TCG_COND_ALWAYS;
2668         ctx->skip_var0 = cpu_skip;
2669     }
2670 
2671     if (tb_flags & TB_FLAGS_FULL_ACCESS) {
2672         /*
2673          * This flag is set by ST/LD instruction we will regenerate it ONLY
2674          * with mem/cpu memory access instead of mem access
2675          */
2676         ctx->base.max_insns = 1;
2677     }
2678 }
2679 
2680 static void avr_tr_tb_start(DisasContextBase *db, CPUState *cs)
2681 {
2682 }
2683 
2684 static void avr_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
2685 {
2686     DisasContext *ctx = container_of(dcbase, DisasContext, base);
2687 
2688     tcg_gen_insn_start(ctx->npc);
2689 }
2690 
2691 static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
2692 {
2693     DisasContext *ctx = container_of(dcbase, DisasContext, base);
2694     TCGLabel *skip_label = NULL;
2695 
2696     /* Conditionally skip the next instruction, if indicated.  */
2697     if (ctx->skip_cond != TCG_COND_NEVER) {
2698         skip_label = gen_new_label();
2699         if (ctx->skip_var0 == cpu_skip) {
2700             /*
2701              * Copy cpu_skip so that we may zero it before the branch.
2702              * This ensures that cpu_skip is non-zero after the label
2703              * if and only if the skipped insn itself sets a skip.
2704              */
2705             ctx->skip_var0 = tcg_temp_new();
2706             tcg_gen_mov_tl(ctx->skip_var0, cpu_skip);
2707             tcg_gen_movi_tl(cpu_skip, 0);
2708         }
2709         if (ctx->skip_var1 == NULL) {
2710             tcg_gen_brcondi_tl(ctx->skip_cond, ctx->skip_var0, 0, skip_label);
2711         } else {
2712             tcg_gen_brcond_tl(ctx->skip_cond, ctx->skip_var0,
2713                               ctx->skip_var1, skip_label);
2714             ctx->skip_var1 = NULL;
2715         }
2716         ctx->skip_cond = TCG_COND_NEVER;
2717         ctx->skip_var0 = NULL;
2718     }
2719 
2720     translate(ctx);
2721 
2722     ctx->base.pc_next = ctx->npc * 2;
2723 
2724     if (skip_label) {
2725         canonicalize_skip(ctx);
2726         gen_set_label(skip_label);
2727 
2728         switch (ctx->base.is_jmp) {
2729         case DISAS_NORETURN:
2730             ctx->base.is_jmp = DISAS_CHAIN;
2731             break;
2732         case DISAS_NEXT:
2733             if (ctx->base.tb->flags & TB_FLAGS_SKIP) {
2734                 ctx->base.is_jmp = DISAS_TOO_MANY;
2735             }
2736             break;
2737         default:
2738             break;
2739         }
2740     }
2741 
2742     if (ctx->base.is_jmp == DISAS_NEXT) {
2743         target_ulong page_first = ctx->base.pc_first & TARGET_PAGE_MASK;
2744 
2745         if ((ctx->base.pc_next - page_first) >= TARGET_PAGE_SIZE - 4) {
2746             ctx->base.is_jmp = DISAS_TOO_MANY;
2747         }
2748     }
2749 }
2750 
2751 static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
2752 {
2753     DisasContext *ctx = container_of(dcbase, DisasContext, base);
2754     bool nonconst_skip = canonicalize_skip(ctx);
2755     /*
2756      * Because we disable interrupts while env->skip is set,
2757      * we must return to the main loop to re-evaluate afterward.
2758      */
2759     bool force_exit = ctx->base.tb->flags & TB_FLAGS_SKIP;
2760 
2761     switch (ctx->base.is_jmp) {
2762     case DISAS_NORETURN:
2763         assert(!nonconst_skip);
2764         break;
2765     case DISAS_NEXT:
2766     case DISAS_TOO_MANY:
2767     case DISAS_CHAIN:
2768         if (!nonconst_skip && !force_exit) {
2769             /* Note gen_goto_tb checks singlestep.  */
2770             gen_goto_tb(ctx, 1, ctx->npc);
2771             break;
2772         }
2773         tcg_gen_movi_tl(cpu_pc, ctx->npc);
2774         /* fall through */
2775     case DISAS_LOOKUP:
2776         if (!force_exit) {
2777             tcg_gen_lookup_and_goto_ptr();
2778             break;
2779         }
2780         /* fall through */
2781     case DISAS_EXIT:
2782         tcg_gen_exit_tb(NULL, 0);
2783         break;
2784     default:
2785         g_assert_not_reached();
2786     }
2787 }
2788 
2789 static const TranslatorOps avr_tr_ops = {
2790     .init_disas_context = avr_tr_init_disas_context,
2791     .tb_start           = avr_tr_tb_start,
2792     .insn_start         = avr_tr_insn_start,
2793     .translate_insn     = avr_tr_translate_insn,
2794     .tb_stop            = avr_tr_tb_stop,
2795 };
2796 
2797 void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int *max_insns,
2798                            vaddr pc, void *host_pc)
2799 {
2800     DisasContext dc = { };
2801     translator_loop(cs, tb, max_insns, pc, host_pc, &avr_tr_ops, &dc.base);
2802 }
2803