xref: /openbmc/qemu/hw/display/cirrus_vga.c (revision d024d0adf48e28d4f93161878053936d55dab9c9)
1 /*
2  * QEMU Cirrus CLGD 54xx VGA Emulator.
3  *
4  * Copyright (c) 2004 Fabrice Bellard
5  * Copyright (c) 2004 Makoto Suzuki (suzu)
6  *
7  * Permission is hereby granted, free of charge, to any person obtaining a copy
8  * of this software and associated documentation files (the "Software"), to deal
9  * in the Software without restriction, including without limitation the rights
10  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11  * copies of the Software, and to permit persons to whom the Software is
12  * furnished to do so, subject to the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be included in
15  * all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23  * THE SOFTWARE.
24  */
25 /*
26  * Reference: Finn Thogersons' VGADOC4b:
27  *
28  *  http://web.archive.org/web/20021019054927/http://home.worldonline.dk/finth/
29  *
30  * VGADOC4b.ZIP content available at:
31  *
32  *  https://pdos.csail.mit.edu/6.828/2005/readings/hardware/vgadoc
33  */
34 
35 #include "qemu/osdep.h"
36 #include "qemu/module.h"
37 #include "qemu/units.h"
38 #include "qemu/log.h"
39 #include "system/reset.h"
40 #include "qapi/error.h"
41 #include "trace.h"
42 #include "hw/pci/pci_device.h"
43 #include "hw/qdev-properties.h"
44 #include "migration/vmstate.h"
45 #include "ui/pixel_ops.h"
46 #include "vga_regs.h"
47 #include "cirrus_vga_internal.h"
48 #include "qom/object.h"
49 #include "ui/console.h"
50 
51 /*
52  * TODO:
53  *    - destination write mask support not complete (bits 5..7)
54  *    - optimize linear mappings
55  *    - optimize bitblt functions
56  */
57 
58 //#define DEBUG_CIRRUS
59 
60 /***************************************
61  *
62  *  definitions
63  *
64  ***************************************/
65 
66 // sequencer 0x07
67 #define CIRRUS_SR7_BPP_VGA            0x00
68 #define CIRRUS_SR7_BPP_SVGA           0x01
69 #define CIRRUS_SR7_BPP_MASK           0x0e
70 #define CIRRUS_SR7_BPP_8              0x00
71 #define CIRRUS_SR7_BPP_16_DOUBLEVCLK  0x02
72 #define CIRRUS_SR7_BPP_24             0x04
73 #define CIRRUS_SR7_BPP_16             0x06
74 #define CIRRUS_SR7_BPP_32             0x08
75 #define CIRRUS_SR7_ISAADDR_MASK       0xe0
76 
77 // sequencer 0x0f
78 #define CIRRUS_MEMSIZE_512k        0x08
79 #define CIRRUS_MEMSIZE_1M          0x10
80 #define CIRRUS_MEMSIZE_2M          0x18
81 #define CIRRUS_MEMFLAGS_BANKSWITCH 0x80 // bank switching is enabled.
82 
83 // sequencer 0x12
84 #define CIRRUS_CURSOR_SHOW         0x01
85 #define CIRRUS_CURSOR_HIDDENPEL    0x02
86 #define CIRRUS_CURSOR_LARGE        0x04 // 64x64 if set, 32x32 if clear
87 
88 // sequencer 0x17
89 #define CIRRUS_BUSTYPE_VLBFAST   0x10
90 #define CIRRUS_BUSTYPE_PCI       0x20
91 #define CIRRUS_BUSTYPE_VLBSLOW   0x30
92 #define CIRRUS_BUSTYPE_ISA       0x38
93 #define CIRRUS_MMIO_ENABLE       0x04
94 #define CIRRUS_MMIO_USE_PCIADDR  0x40   // 0xb8000 if cleared.
95 #define CIRRUS_MEMSIZEEXT_DOUBLE 0x80
96 
97 // control 0x0b
98 #define CIRRUS_BANKING_DUAL             0x01
99 #define CIRRUS_BANKING_GRANULARITY_16K  0x20    // set:16k, clear:4k
100 
101 // control 0x30
102 #define CIRRUS_BLTMODE_BACKWARDS        0x01
103 #define CIRRUS_BLTMODE_MEMSYSDEST       0x02
104 #define CIRRUS_BLTMODE_MEMSYSSRC        0x04
105 #define CIRRUS_BLTMODE_TRANSPARENTCOMP  0x08
106 #define CIRRUS_BLTMODE_PATTERNCOPY      0x40
107 #define CIRRUS_BLTMODE_COLOREXPAND      0x80
108 #define CIRRUS_BLTMODE_PIXELWIDTHMASK   0x30
109 #define CIRRUS_BLTMODE_PIXELWIDTH8      0x00
110 #define CIRRUS_BLTMODE_PIXELWIDTH16     0x10
111 #define CIRRUS_BLTMODE_PIXELWIDTH24     0x20
112 #define CIRRUS_BLTMODE_PIXELWIDTH32     0x30
113 
114 // control 0x31
115 #define CIRRUS_BLT_BUSY                 0x01
116 #define CIRRUS_BLT_START                0x02
117 #define CIRRUS_BLT_RESET                0x04
118 #define CIRRUS_BLT_FIFOUSED             0x10
119 #define CIRRUS_BLT_AUTOSTART            0x80
120 
121 // control 0x32
122 #define CIRRUS_ROP_0                    0x00
123 #define CIRRUS_ROP_SRC_AND_DST          0x05
124 #define CIRRUS_ROP_NOP                  0x06
125 #define CIRRUS_ROP_SRC_AND_NOTDST       0x09
126 #define CIRRUS_ROP_NOTDST               0x0b
127 #define CIRRUS_ROP_SRC                  0x0d
128 #define CIRRUS_ROP_1                    0x0e
129 #define CIRRUS_ROP_NOTSRC_AND_DST       0x50
130 #define CIRRUS_ROP_SRC_XOR_DST          0x59
131 #define CIRRUS_ROP_SRC_OR_DST           0x6d
132 #define CIRRUS_ROP_NOTSRC_OR_NOTDST     0x90
133 #define CIRRUS_ROP_SRC_NOTXOR_DST       0x95
134 #define CIRRUS_ROP_SRC_OR_NOTDST        0xad
135 #define CIRRUS_ROP_NOTSRC               0xd0
136 #define CIRRUS_ROP_NOTSRC_OR_DST        0xd6
137 #define CIRRUS_ROP_NOTSRC_AND_NOTDST    0xda
138 
139 #define CIRRUS_ROP_NOP_INDEX 2
140 #define CIRRUS_ROP_SRC_INDEX 5
141 
142 // control 0x33
143 #define CIRRUS_BLTMODEEXT_SOLIDFILL        0x04
144 #define CIRRUS_BLTMODEEXT_COLOREXPINV      0x02
145 #define CIRRUS_BLTMODEEXT_DWORDGRANULARITY 0x01
146 
147 // memory-mapped IO
148 #define CIRRUS_MMIO_BLTBGCOLOR        0x00      // dword
149 #define CIRRUS_MMIO_BLTFGCOLOR        0x04      // dword
150 #define CIRRUS_MMIO_BLTWIDTH          0x08      // word
151 #define CIRRUS_MMIO_BLTHEIGHT         0x0a      // word
152 #define CIRRUS_MMIO_BLTDESTPITCH      0x0c      // word
153 #define CIRRUS_MMIO_BLTSRCPITCH       0x0e      // word
154 #define CIRRUS_MMIO_BLTDESTADDR       0x10      // dword
155 #define CIRRUS_MMIO_BLTSRCADDR        0x14      // dword
156 #define CIRRUS_MMIO_BLTWRITEMASK      0x17      // byte
157 #define CIRRUS_MMIO_BLTMODE           0x18      // byte
158 #define CIRRUS_MMIO_BLTROP            0x1a      // byte
159 #define CIRRUS_MMIO_BLTMODEEXT        0x1b      // byte
160 #define CIRRUS_MMIO_BLTTRANSPARENTCOLOR 0x1c    // word?
161 #define CIRRUS_MMIO_BLTTRANSPARENTCOLORMASK 0x20        // word?
162 #define CIRRUS_MMIO_LINEARDRAW_START_X 0x24     // word
163 #define CIRRUS_MMIO_LINEARDRAW_START_Y 0x26     // word
164 #define CIRRUS_MMIO_LINEARDRAW_END_X  0x28      // word
165 #define CIRRUS_MMIO_LINEARDRAW_END_Y  0x2a      // word
166 #define CIRRUS_MMIO_LINEARDRAW_LINESTYLE_INC 0x2c       // byte
167 #define CIRRUS_MMIO_LINEARDRAW_LINESTYLE_ROLLOVER 0x2d  // byte
168 #define CIRRUS_MMIO_LINEARDRAW_LINESTYLE_MASK 0x2e      // byte
169 #define CIRRUS_MMIO_LINEARDRAW_LINESTYLE_ACCUM 0x2f     // byte
170 #define CIRRUS_MMIO_BRESENHAM_K1      0x30      // word
171 #define CIRRUS_MMIO_BRESENHAM_K3      0x32      // word
172 #define CIRRUS_MMIO_BRESENHAM_ERROR   0x34      // word
173 #define CIRRUS_MMIO_BRESENHAM_DELTA_MAJOR 0x36  // word
174 #define CIRRUS_MMIO_BRESENHAM_DIRECTION 0x38    // byte
175 #define CIRRUS_MMIO_LINEDRAW_MODE     0x39      // byte
176 #define CIRRUS_MMIO_BLTSTATUS         0x40      // byte
177 
178 #define CIRRUS_PNPMMIO_SIZE         0x1000
179 
180 typedef void (*cirrus_fill_t)(struct CirrusVGAState *s,
181                               uint32_t dstaddr, int dst_pitch,
182                               int width, int height);
183 
184 struct PCICirrusVGAState {
185     PCIDevice dev;
186     CirrusVGAState cirrus_vga;
187 };
188 
189 #define TYPE_PCI_CIRRUS_VGA "cirrus-vga"
190 OBJECT_DECLARE_SIMPLE_TYPE(PCICirrusVGAState, PCI_CIRRUS_VGA)
191 
192 static uint8_t rop_to_index[256];
193 
194 /***************************************
195  *
196  *  prototypes.
197  *
198  ***************************************/
199 
200 
201 static void cirrus_bitblt_reset(CirrusVGAState *s);
202 static void cirrus_update_memory_access(CirrusVGAState *s);
203 
204 /***************************************
205  *
206  *  raster operations
207  *
208  ***************************************/
209 
210 static bool blit_region_is_unsafe(struct CirrusVGAState *s,
211                                   int32_t pitch, int32_t addr)
212 {
213     if (!pitch) {
214         return true;
215     }
216     if (pitch < 0) {
217         int64_t min = addr
218             + ((int64_t)s->cirrus_blt_height - 1) * pitch
219             - s->cirrus_blt_width;
220         if (min < -1 || addr >= s->vga.vram_size) {
221             return true;
222         }
223     } else {
224         int64_t max = addr
225             + ((int64_t)s->cirrus_blt_height-1) * pitch
226             + s->cirrus_blt_width;
227         if (max > s->vga.vram_size) {
228             return true;
229         }
230     }
231     return false;
232 }
233 
234 static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only)
235 {
236     /* should be the case, see cirrus_bitblt_start */
237     assert(s->cirrus_blt_width > 0);
238     assert(s->cirrus_blt_height > 0);
239 
240     if (s->cirrus_blt_width > CIRRUS_BLTBUFSIZE) {
241         return true;
242     }
243 
244     if (blit_region_is_unsafe(s, s->cirrus_blt_dstpitch,
245                               s->cirrus_blt_dstaddr)) {
246         return true;
247     }
248     if (dst_only) {
249         return false;
250     }
251     if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch,
252                               s->cirrus_blt_srcaddr)) {
253         return true;
254     }
255 
256     return false;
257 }
258 
259 static void cirrus_bitblt_rop_nop(CirrusVGAState *s,
260                                   uint32_t dstaddr, uint32_t srcaddr,
261                                   int dstpitch,int srcpitch,
262                                   int bltwidth,int bltheight)
263 {
264 }
265 
266 static void cirrus_bitblt_fill_nop(CirrusVGAState *s,
267                                    uint32_t dstaddr,
268                                    int dstpitch, int bltwidth,int bltheight)
269 {
270 }
271 
272 static inline uint8_t cirrus_src(CirrusVGAState *s, uint32_t srcaddr)
273 {
274     if (s->cirrus_srccounter) {
275         /* cputovideo */
276         return s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1)];
277     } else {
278         /* videotovideo */
279         return s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask];
280     }
281 }
282 
283 static inline uint16_t cirrus_src16(CirrusVGAState *s, uint32_t srcaddr)
284 {
285     uint16_t *src;
286 
287     if (s->cirrus_srccounter) {
288         /* cputovideo */
289         src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~1];
290     } else {
291         /* videotovideo */
292         src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~1];
293     }
294     return *src;
295 }
296 
297 static inline uint32_t cirrus_src32(CirrusVGAState *s, uint32_t srcaddr)
298 {
299     uint32_t *src;
300 
301     if (s->cirrus_srccounter) {
302         /* cputovideo */
303         src = (void *)&s->cirrus_bltbuf[srcaddr & (CIRRUS_BLTBUFSIZE - 1) & ~3];
304     } else {
305         /* videotovideo */
306         src = (void *)&s->vga.vram_ptr[srcaddr & s->cirrus_addr_mask & ~3];
307     }
308     return *src;
309 }
310 
311 #define ROP_NAME 0
312 #define ROP_FN(d, s) 0
313 #include "cirrus_vga_rop.h"
314 
315 #define ROP_NAME src_and_dst
316 #define ROP_FN(d, s) (s) & (d)
317 #include "cirrus_vga_rop.h"
318 
319 #define ROP_NAME src_and_notdst
320 #define ROP_FN(d, s) (s) & (~(d))
321 #include "cirrus_vga_rop.h"
322 
323 #define ROP_NAME notdst
324 #define ROP_FN(d, s) ~(d)
325 #include "cirrus_vga_rop.h"
326 
327 #define ROP_NAME src
328 #define ROP_FN(d, s) s
329 #include "cirrus_vga_rop.h"
330 
331 #define ROP_NAME 1
332 #define ROP_FN(d, s) ~0
333 #include "cirrus_vga_rop.h"
334 
335 #define ROP_NAME notsrc_and_dst
336 #define ROP_FN(d, s) (~(s)) & (d)
337 #include "cirrus_vga_rop.h"
338 
339 #define ROP_NAME src_xor_dst
340 #define ROP_FN(d, s) (s) ^ (d)
341 #include "cirrus_vga_rop.h"
342 
343 #define ROP_NAME src_or_dst
344 #define ROP_FN(d, s) (s) | (d)
345 #include "cirrus_vga_rop.h"
346 
347 #define ROP_NAME notsrc_or_notdst
348 #define ROP_FN(d, s) (~(s)) | (~(d))
349 #include "cirrus_vga_rop.h"
350 
351 #define ROP_NAME src_notxor_dst
352 #define ROP_FN(d, s) ~((s) ^ (d))
353 #include "cirrus_vga_rop.h"
354 
355 #define ROP_NAME src_or_notdst
356 #define ROP_FN(d, s) (s) | (~(d))
357 #include "cirrus_vga_rop.h"
358 
359 #define ROP_NAME notsrc
360 #define ROP_FN(d, s) (~(s))
361 #include "cirrus_vga_rop.h"
362 
363 #define ROP_NAME notsrc_or_dst
364 #define ROP_FN(d, s) (~(s)) | (d)
365 #include "cirrus_vga_rop.h"
366 
367 #define ROP_NAME notsrc_and_notdst
368 #define ROP_FN(d, s) (~(s)) & (~(d))
369 #include "cirrus_vga_rop.h"
370 
371 static const cirrus_bitblt_rop_t cirrus_fwd_rop[16] = {
372     cirrus_bitblt_rop_fwd_0,
373     cirrus_bitblt_rop_fwd_src_and_dst,
374     cirrus_bitblt_rop_nop,
375     cirrus_bitblt_rop_fwd_src_and_notdst,
376     cirrus_bitblt_rop_fwd_notdst,
377     cirrus_bitblt_rop_fwd_src,
378     cirrus_bitblt_rop_fwd_1,
379     cirrus_bitblt_rop_fwd_notsrc_and_dst,
380     cirrus_bitblt_rop_fwd_src_xor_dst,
381     cirrus_bitblt_rop_fwd_src_or_dst,
382     cirrus_bitblt_rop_fwd_notsrc_or_notdst,
383     cirrus_bitblt_rop_fwd_src_notxor_dst,
384     cirrus_bitblt_rop_fwd_src_or_notdst,
385     cirrus_bitblt_rop_fwd_notsrc,
386     cirrus_bitblt_rop_fwd_notsrc_or_dst,
387     cirrus_bitblt_rop_fwd_notsrc_and_notdst,
388 };
389 
390 static const cirrus_bitblt_rop_t cirrus_bkwd_rop[16] = {
391     cirrus_bitblt_rop_bkwd_0,
392     cirrus_bitblt_rop_bkwd_src_and_dst,
393     cirrus_bitblt_rop_nop,
394     cirrus_bitblt_rop_bkwd_src_and_notdst,
395     cirrus_bitblt_rop_bkwd_notdst,
396     cirrus_bitblt_rop_bkwd_src,
397     cirrus_bitblt_rop_bkwd_1,
398     cirrus_bitblt_rop_bkwd_notsrc_and_dst,
399     cirrus_bitblt_rop_bkwd_src_xor_dst,
400     cirrus_bitblt_rop_bkwd_src_or_dst,
401     cirrus_bitblt_rop_bkwd_notsrc_or_notdst,
402     cirrus_bitblt_rop_bkwd_src_notxor_dst,
403     cirrus_bitblt_rop_bkwd_src_or_notdst,
404     cirrus_bitblt_rop_bkwd_notsrc,
405     cirrus_bitblt_rop_bkwd_notsrc_or_dst,
406     cirrus_bitblt_rop_bkwd_notsrc_and_notdst,
407 };
408 
409 #define TRANSP_ROP(name) {\
410     name ## _8,\
411     name ## _16,\
412         }
413 #define TRANSP_NOP(func) {\
414     func,\
415     func,\
416         }
417 
418 static const cirrus_bitblt_rop_t cirrus_fwd_transp_rop[16][2] = {
419     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_0),
420     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_and_dst),
421     TRANSP_NOP(cirrus_bitblt_rop_nop),
422     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_and_notdst),
423     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notdst),
424     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src),
425     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_1),
426     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notsrc_and_dst),
427     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_xor_dst),
428     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_or_dst),
429     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notsrc_or_notdst),
430     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_notxor_dst),
431     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_src_or_notdst),
432     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notsrc),
433     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notsrc_or_dst),
434     TRANSP_ROP(cirrus_bitblt_rop_fwd_transp_notsrc_and_notdst),
435 };
436 
437 static const cirrus_bitblt_rop_t cirrus_bkwd_transp_rop[16][2] = {
438     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_0),
439     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_and_dst),
440     TRANSP_NOP(cirrus_bitblt_rop_nop),
441     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_and_notdst),
442     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notdst),
443     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src),
444     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_1),
445     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notsrc_and_dst),
446     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_xor_dst),
447     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_or_dst),
448     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notsrc_or_notdst),
449     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_notxor_dst),
450     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_src_or_notdst),
451     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notsrc),
452     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notsrc_or_dst),
453     TRANSP_ROP(cirrus_bitblt_rop_bkwd_transp_notsrc_and_notdst),
454 };
455 
456 #define ROP2(name) {\
457     name ## _8,\
458     name ## _16,\
459     name ## _24,\
460     name ## _32,\
461         }
462 
463 #define ROP_NOP2(func) {\
464     func,\
465     func,\
466     func,\
467     func,\
468         }
469 
470 static const cirrus_bitblt_rop_t cirrus_patternfill[16][4] = {
471     ROP2(cirrus_patternfill_0),
472     ROP2(cirrus_patternfill_src_and_dst),
473     ROP_NOP2(cirrus_bitblt_rop_nop),
474     ROP2(cirrus_patternfill_src_and_notdst),
475     ROP2(cirrus_patternfill_notdst),
476     ROP2(cirrus_patternfill_src),
477     ROP2(cirrus_patternfill_1),
478     ROP2(cirrus_patternfill_notsrc_and_dst),
479     ROP2(cirrus_patternfill_src_xor_dst),
480     ROP2(cirrus_patternfill_src_or_dst),
481     ROP2(cirrus_patternfill_notsrc_or_notdst),
482     ROP2(cirrus_patternfill_src_notxor_dst),
483     ROP2(cirrus_patternfill_src_or_notdst),
484     ROP2(cirrus_patternfill_notsrc),
485     ROP2(cirrus_patternfill_notsrc_or_dst),
486     ROP2(cirrus_patternfill_notsrc_and_notdst),
487 };
488 
489 static const cirrus_bitblt_rop_t cirrus_colorexpand_transp[16][4] = {
490     ROP2(cirrus_colorexpand_transp_0),
491     ROP2(cirrus_colorexpand_transp_src_and_dst),
492     ROP_NOP2(cirrus_bitblt_rop_nop),
493     ROP2(cirrus_colorexpand_transp_src_and_notdst),
494     ROP2(cirrus_colorexpand_transp_notdst),
495     ROP2(cirrus_colorexpand_transp_src),
496     ROP2(cirrus_colorexpand_transp_1),
497     ROP2(cirrus_colorexpand_transp_notsrc_and_dst),
498     ROP2(cirrus_colorexpand_transp_src_xor_dst),
499     ROP2(cirrus_colorexpand_transp_src_or_dst),
500     ROP2(cirrus_colorexpand_transp_notsrc_or_notdst),
501     ROP2(cirrus_colorexpand_transp_src_notxor_dst),
502     ROP2(cirrus_colorexpand_transp_src_or_notdst),
503     ROP2(cirrus_colorexpand_transp_notsrc),
504     ROP2(cirrus_colorexpand_transp_notsrc_or_dst),
505     ROP2(cirrus_colorexpand_transp_notsrc_and_notdst),
506 };
507 
508 static const cirrus_bitblt_rop_t cirrus_colorexpand[16][4] = {
509     ROP2(cirrus_colorexpand_0),
510     ROP2(cirrus_colorexpand_src_and_dst),
511     ROP_NOP2(cirrus_bitblt_rop_nop),
512     ROP2(cirrus_colorexpand_src_and_notdst),
513     ROP2(cirrus_colorexpand_notdst),
514     ROP2(cirrus_colorexpand_src),
515     ROP2(cirrus_colorexpand_1),
516     ROP2(cirrus_colorexpand_notsrc_and_dst),
517     ROP2(cirrus_colorexpand_src_xor_dst),
518     ROP2(cirrus_colorexpand_src_or_dst),
519     ROP2(cirrus_colorexpand_notsrc_or_notdst),
520     ROP2(cirrus_colorexpand_src_notxor_dst),
521     ROP2(cirrus_colorexpand_src_or_notdst),
522     ROP2(cirrus_colorexpand_notsrc),
523     ROP2(cirrus_colorexpand_notsrc_or_dst),
524     ROP2(cirrus_colorexpand_notsrc_and_notdst),
525 };
526 
527 static const cirrus_bitblt_rop_t cirrus_colorexpand_pattern_transp[16][4] = {
528     ROP2(cirrus_colorexpand_pattern_transp_0),
529     ROP2(cirrus_colorexpand_pattern_transp_src_and_dst),
530     ROP_NOP2(cirrus_bitblt_rop_nop),
531     ROP2(cirrus_colorexpand_pattern_transp_src_and_notdst),
532     ROP2(cirrus_colorexpand_pattern_transp_notdst),
533     ROP2(cirrus_colorexpand_pattern_transp_src),
534     ROP2(cirrus_colorexpand_pattern_transp_1),
535     ROP2(cirrus_colorexpand_pattern_transp_notsrc_and_dst),
536     ROP2(cirrus_colorexpand_pattern_transp_src_xor_dst),
537     ROP2(cirrus_colorexpand_pattern_transp_src_or_dst),
538     ROP2(cirrus_colorexpand_pattern_transp_notsrc_or_notdst),
539     ROP2(cirrus_colorexpand_pattern_transp_src_notxor_dst),
540     ROP2(cirrus_colorexpand_pattern_transp_src_or_notdst),
541     ROP2(cirrus_colorexpand_pattern_transp_notsrc),
542     ROP2(cirrus_colorexpand_pattern_transp_notsrc_or_dst),
543     ROP2(cirrus_colorexpand_pattern_transp_notsrc_and_notdst),
544 };
545 
546 static const cirrus_bitblt_rop_t cirrus_colorexpand_pattern[16][4] = {
547     ROP2(cirrus_colorexpand_pattern_0),
548     ROP2(cirrus_colorexpand_pattern_src_and_dst),
549     ROP_NOP2(cirrus_bitblt_rop_nop),
550     ROP2(cirrus_colorexpand_pattern_src_and_notdst),
551     ROP2(cirrus_colorexpand_pattern_notdst),
552     ROP2(cirrus_colorexpand_pattern_src),
553     ROP2(cirrus_colorexpand_pattern_1),
554     ROP2(cirrus_colorexpand_pattern_notsrc_and_dst),
555     ROP2(cirrus_colorexpand_pattern_src_xor_dst),
556     ROP2(cirrus_colorexpand_pattern_src_or_dst),
557     ROP2(cirrus_colorexpand_pattern_notsrc_or_notdst),
558     ROP2(cirrus_colorexpand_pattern_src_notxor_dst),
559     ROP2(cirrus_colorexpand_pattern_src_or_notdst),
560     ROP2(cirrus_colorexpand_pattern_notsrc),
561     ROP2(cirrus_colorexpand_pattern_notsrc_or_dst),
562     ROP2(cirrus_colorexpand_pattern_notsrc_and_notdst),
563 };
564 
565 static const cirrus_fill_t cirrus_fill[16][4] = {
566     ROP2(cirrus_fill_0),
567     ROP2(cirrus_fill_src_and_dst),
568     ROP_NOP2(cirrus_bitblt_fill_nop),
569     ROP2(cirrus_fill_src_and_notdst),
570     ROP2(cirrus_fill_notdst),
571     ROP2(cirrus_fill_src),
572     ROP2(cirrus_fill_1),
573     ROP2(cirrus_fill_notsrc_and_dst),
574     ROP2(cirrus_fill_src_xor_dst),
575     ROP2(cirrus_fill_src_or_dst),
576     ROP2(cirrus_fill_notsrc_or_notdst),
577     ROP2(cirrus_fill_src_notxor_dst),
578     ROP2(cirrus_fill_src_or_notdst),
579     ROP2(cirrus_fill_notsrc),
580     ROP2(cirrus_fill_notsrc_or_dst),
581     ROP2(cirrus_fill_notsrc_and_notdst),
582 };
583 
584 static inline void cirrus_bitblt_fgcol(CirrusVGAState *s)
585 {
586     unsigned int color;
587     switch (s->cirrus_blt_pixelwidth) {
588     case 1:
589         s->cirrus_blt_fgcol = s->cirrus_shadow_gr1;
590         break;
591     case 2:
592         color = s->cirrus_shadow_gr1 | (s->vga.gr[0x11] << 8);
593         s->cirrus_blt_fgcol = le16_to_cpu(color);
594         break;
595     case 3:
596         s->cirrus_blt_fgcol = s->cirrus_shadow_gr1 |
597             (s->vga.gr[0x11] << 8) | (s->vga.gr[0x13] << 16);
598         break;
599     default:
600     case 4:
601         color = s->cirrus_shadow_gr1 | (s->vga.gr[0x11] << 8) |
602             (s->vga.gr[0x13] << 16) | (s->vga.gr[0x15] << 24);
603         s->cirrus_blt_fgcol = le32_to_cpu(color);
604         break;
605     }
606 }
607 
608 static inline void cirrus_bitblt_bgcol(CirrusVGAState *s)
609 {
610     unsigned int color;
611     switch (s->cirrus_blt_pixelwidth) {
612     case 1:
613         s->cirrus_blt_bgcol = s->cirrus_shadow_gr0;
614         break;
615     case 2:
616         color = s->cirrus_shadow_gr0 | (s->vga.gr[0x10] << 8);
617         s->cirrus_blt_bgcol = le16_to_cpu(color);
618         break;
619     case 3:
620         s->cirrus_blt_bgcol = s->cirrus_shadow_gr0 |
621             (s->vga.gr[0x10] << 8) | (s->vga.gr[0x12] << 16);
622         break;
623     default:
624     case 4:
625         color = s->cirrus_shadow_gr0 | (s->vga.gr[0x10] << 8) |
626             (s->vga.gr[0x12] << 16) | (s->vga.gr[0x14] << 24);
627         s->cirrus_blt_bgcol = le32_to_cpu(color);
628         break;
629     }
630 }
631 
632 static void cirrus_invalidate_region(CirrusVGAState * s, int off_begin,
633                                      int off_pitch, int bytesperline,
634                                      int lines)
635 {
636     int y;
637     int off_cur;
638     int off_cur_end;
639 
640     if (off_pitch < 0) {
641         off_begin -= bytesperline - 1;
642     }
643 
644     for (y = 0; y < lines; y++) {
645         off_cur = off_begin & s->cirrus_addr_mask;
646         off_cur_end = ((off_cur + bytesperline - 1) & s->cirrus_addr_mask) + 1;
647         if (off_cur_end >= off_cur) {
648             memory_region_set_dirty(&s->vga.vram, off_cur, off_cur_end - off_cur);
649         } else {
650             /* wraparound */
651             memory_region_set_dirty(&s->vga.vram, off_cur,
652                                     s->cirrus_addr_mask + 1 - off_cur);
653             memory_region_set_dirty(&s->vga.vram, 0, off_cur_end);
654         }
655         off_begin += off_pitch;
656     }
657 }
658 
659 static int cirrus_bitblt_common_patterncopy(CirrusVGAState *s)
660 {
661     uint32_t patternsize;
662     bool videosrc = !s->cirrus_srccounter;
663 
664     if (videosrc) {
665         switch (s->vga.get_bpp(&s->vga)) {
666         case 8:
667             patternsize = 64;
668             break;
669         case 15:
670         case 16:
671             patternsize = 128;
672             break;
673         case 24:
674         case 32:
675         default:
676             patternsize = 256;
677             break;
678         }
679         s->cirrus_blt_srcaddr &= ~(patternsize - 1);
680         if (s->cirrus_blt_srcaddr + patternsize > s->vga.vram_size) {
681             return 0;
682         }
683     }
684 
685     if (blit_is_unsafe(s, true)) {
686         return 0;
687     }
688 
689     (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
690                       videosrc ? s->cirrus_blt_srcaddr : 0,
691                       s->cirrus_blt_dstpitch, 0,
692                       s->cirrus_blt_width, s->cirrus_blt_height);
693     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
694                              s->cirrus_blt_dstpitch, s->cirrus_blt_width,
695                              s->cirrus_blt_height);
696     return 1;
697 }
698 
699 /* fill */
700 
701 static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop)
702 {
703     cirrus_fill_t rop_func;
704 
705     if (blit_is_unsafe(s, true)) {
706         return 0;
707     }
708     rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
709     rop_func(s, s->cirrus_blt_dstaddr,
710              s->cirrus_blt_dstpitch,
711              s->cirrus_blt_width, s->cirrus_blt_height);
712     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
713                              s->cirrus_blt_dstpitch, s->cirrus_blt_width,
714                              s->cirrus_blt_height);
715     cirrus_bitblt_reset(s);
716     return 1;
717 }
718 
719 /***************************************
720  *
721  *  bitblt (video-to-video)
722  *
723  ***************************************/
724 
725 static int cirrus_bitblt_videotovideo_patterncopy(CirrusVGAState * s)
726 {
727     return cirrus_bitblt_common_patterncopy(s);
728 }
729 
730 static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h)
731 {
732     int sx = 0, sy = 0;
733     int dx = 0, dy = 0;
734     int depth = 0;
735     int notify = 0;
736 
737     /* make sure to only copy if it's a plain copy ROP */
738     if (*s->cirrus_rop == cirrus_bitblt_rop_fwd_src ||
739         *s->cirrus_rop == cirrus_bitblt_rop_bkwd_src) {
740 
741         int width, height;
742 
743         depth = s->vga.get_bpp(&s->vga) / 8;
744         if (!depth) {
745             return 0;
746         }
747         s->vga.get_resolution(&s->vga, &width, &height);
748 
749         /* extra x, y */
750         sx = (src % ABS(s->cirrus_blt_srcpitch)) / depth;
751         sy = (src / ABS(s->cirrus_blt_srcpitch));
752         dx = (dst % ABS(s->cirrus_blt_dstpitch)) / depth;
753         dy = (dst / ABS(s->cirrus_blt_dstpitch));
754 
755         /* normalize width */
756         w /= depth;
757 
758         /* if we're doing a backward copy, we have to adjust
759            our x/y to be the upper left corner (instead of the lower
760            right corner) */
761         if (s->cirrus_blt_dstpitch < 0) {
762             sx -= (s->cirrus_blt_width / depth) - 1;
763             dx -= (s->cirrus_blt_width / depth) - 1;
764             sy -= s->cirrus_blt_height - 1;
765             dy -= s->cirrus_blt_height - 1;
766         }
767 
768         /* are we in the visible portion of memory? */
769         if (sx >= 0 && sy >= 0 && dx >= 0 && dy >= 0 &&
770             (sx + w) <= width && (sy + h) <= height &&
771             (dx + w) <= width && (dy + h) <= height) {
772             notify = 1;
773         }
774     }
775 
776     (*s->cirrus_rop) (s, s->cirrus_blt_dstaddr,
777                       s->cirrus_blt_srcaddr,
778                       s->cirrus_blt_dstpitch, s->cirrus_blt_srcpitch,
779                       s->cirrus_blt_width, s->cirrus_blt_height);
780 
781     if (notify) {
782         dpy_gfx_update(s->vga.con, dx, dy,
783                        s->cirrus_blt_width / depth,
784                        s->cirrus_blt_height);
785     }
786 
787     /* we don't have to notify the display that this portion has
788        changed since qemu_console_copy implies this */
789 
790     cirrus_invalidate_region(s, s->cirrus_blt_dstaddr,
791                                 s->cirrus_blt_dstpitch, s->cirrus_blt_width,
792                                 s->cirrus_blt_height);
793 
794     return 1;
795 }
796 
797 static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s)
798 {
799     if (blit_is_unsafe(s, false))
800         return 0;
801 
802     return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.params.start_addr,
803                           s->cirrus_blt_srcaddr - s->vga.params.start_addr,
804                           s->cirrus_blt_width, s->cirrus_blt_height);
805 }
806 
807 /***************************************
808  *
809  *  bitblt (cpu-to-video)
810  *
811  ***************************************/
812 
813 static void cirrus_bitblt_cputovideo_next(CirrusVGAState * s)
814 {
815     int copy_count;
816     uint8_t *end_ptr;
817 
818     if (s->cirrus_srccounter > 0) {
819         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
820             cirrus_bitblt_common_patterncopy(s);
821         the_end:
822             s->cirrus_srccounter = 0;
823             cirrus_bitblt_reset(s);
824         } else {
825             /* at least one scan line */
826             do {
827                 (*s->cirrus_rop)(s, s->cirrus_blt_dstaddr,
828                                  0, 0, 0, s->cirrus_blt_width, 1);
829                 cirrus_invalidate_region(s, s->cirrus_blt_dstaddr, 0,
830                                          s->cirrus_blt_width, 1);
831                 s->cirrus_blt_dstaddr += s->cirrus_blt_dstpitch;
832                 s->cirrus_srccounter -= s->cirrus_blt_srcpitch;
833                 if (s->cirrus_srccounter <= 0)
834                     goto the_end;
835                 /* more bytes than needed can be transferred because of
836                    word alignment, so we keep them for the next line */
837                 /* XXX: keep alignment to speed up transfer */
838                 end_ptr = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
839                 copy_count = MIN(s->cirrus_srcptr_end - end_ptr, CIRRUS_BLTBUFSIZE);
840                 memmove(s->cirrus_bltbuf, end_ptr, copy_count);
841                 s->cirrus_srcptr = s->cirrus_bltbuf + copy_count;
842                 s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
843             } while (s->cirrus_srcptr >= s->cirrus_srcptr_end);
844         }
845     }
846 }
847 
848 /***************************************
849  *
850  *  bitblt wrapper
851  *
852  ***************************************/
853 
854 static void cirrus_bitblt_reset(CirrusVGAState * s)
855 {
856     int need_update;
857 
858     s->vga.gr[0x31] &=
859         ~(CIRRUS_BLT_START | CIRRUS_BLT_BUSY | CIRRUS_BLT_FIFOUSED);
860     need_update = s->cirrus_srcptr != &s->cirrus_bltbuf[0]
861         || s->cirrus_srcptr_end != &s->cirrus_bltbuf[0];
862     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
863     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
864     s->cirrus_srccounter = 0;
865     if (!need_update)
866         return;
867     cirrus_update_memory_access(s);
868 }
869 
870 static int cirrus_bitblt_cputovideo(CirrusVGAState * s)
871 {
872     int w;
873 
874     if (blit_is_unsafe(s, true)) {
875         return 0;
876     }
877 
878     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC;
879     s->cirrus_srcptr = &s->cirrus_bltbuf[0];
880     s->cirrus_srcptr_end = &s->cirrus_bltbuf[0];
881 
882     if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
883         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_COLOREXPAND) {
884             s->cirrus_blt_srcpitch = 8;
885         } else {
886             /* XXX: check for 24 bpp */
887             s->cirrus_blt_srcpitch = 8 * 8 * s->cirrus_blt_pixelwidth;
888         }
889         s->cirrus_srccounter = s->cirrus_blt_srcpitch;
890     } else {
891         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_COLOREXPAND) {
892             w = s->cirrus_blt_width / s->cirrus_blt_pixelwidth;
893             if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_DWORDGRANULARITY)
894                 s->cirrus_blt_srcpitch = ((w + 31) >> 5);
895             else
896                 s->cirrus_blt_srcpitch = ((w + 7) >> 3);
897         } else {
898             /* always align input size to 32 bits */
899             s->cirrus_blt_srcpitch = (s->cirrus_blt_width + 3) & ~3;
900         }
901         s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height;
902     }
903 
904     /* the blit_is_unsafe call above should catch this */
905     assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE);
906 
907     s->cirrus_srcptr = s->cirrus_bltbuf;
908     s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch;
909     cirrus_update_memory_access(s);
910     return 1;
911 }
912 
913 static int cirrus_bitblt_videotocpu(CirrusVGAState * s)
914 {
915     /* XXX */
916     qemu_log_mask(LOG_UNIMP,
917                   "cirrus: bitblt (video to cpu) is not implemented\n");
918     return 0;
919 }
920 
921 static int cirrus_bitblt_videotovideo(CirrusVGAState * s)
922 {
923     int ret;
924 
925     if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
926         ret = cirrus_bitblt_videotovideo_patterncopy(s);
927     } else {
928         ret = cirrus_bitblt_videotovideo_copy(s);
929     }
930     if (ret)
931         cirrus_bitblt_reset(s);
932     return ret;
933 }
934 
935 static void cirrus_bitblt_start(CirrusVGAState * s)
936 {
937     uint8_t blt_rop;
938 
939     if (!s->enable_blitter) {
940         goto bitblt_ignore;
941     }
942 
943     s->vga.gr[0x31] |= CIRRUS_BLT_BUSY;
944 
945     s->cirrus_blt_width = (s->vga.gr[0x20] | (s->vga.gr[0x21] << 8)) + 1;
946     s->cirrus_blt_height = (s->vga.gr[0x22] | (s->vga.gr[0x23] << 8)) + 1;
947     s->cirrus_blt_dstpitch = (s->vga.gr[0x24] | (s->vga.gr[0x25] << 8));
948     s->cirrus_blt_srcpitch = (s->vga.gr[0x26] | (s->vga.gr[0x27] << 8));
949     s->cirrus_blt_dstaddr =
950         (s->vga.gr[0x28] | (s->vga.gr[0x29] << 8) | (s->vga.gr[0x2a] << 16));
951     s->cirrus_blt_srcaddr =
952         (s->vga.gr[0x2c] | (s->vga.gr[0x2d] << 8) | (s->vga.gr[0x2e] << 16));
953     s->cirrus_blt_mode = s->vga.gr[0x30];
954     s->cirrus_blt_modeext = s->vga.gr[0x33];
955     blt_rop = s->vga.gr[0x32];
956 
957     s->cirrus_blt_dstaddr &= s->cirrus_addr_mask;
958     s->cirrus_blt_srcaddr &= s->cirrus_addr_mask;
959 
960     trace_vga_cirrus_bitblt_start(blt_rop,
961                                   s->cirrus_blt_mode,
962                                   s->cirrus_blt_modeext,
963                                   s->cirrus_blt_width,
964                                   s->cirrus_blt_height,
965                                   s->cirrus_blt_dstpitch,
966                                   s->cirrus_blt_srcpitch,
967                                   s->cirrus_blt_dstaddr,
968                                   s->cirrus_blt_srcaddr,
969                                   s->vga.gr[0x2f]);
970 
971     switch (s->cirrus_blt_mode & CIRRUS_BLTMODE_PIXELWIDTHMASK) {
972     case CIRRUS_BLTMODE_PIXELWIDTH8:
973         s->cirrus_blt_pixelwidth = 1;
974         break;
975     case CIRRUS_BLTMODE_PIXELWIDTH16:
976         s->cirrus_blt_pixelwidth = 2;
977         break;
978     case CIRRUS_BLTMODE_PIXELWIDTH24:
979         s->cirrus_blt_pixelwidth = 3;
980         break;
981     case CIRRUS_BLTMODE_PIXELWIDTH32:
982         s->cirrus_blt_pixelwidth = 4;
983         break;
984     default:
985         qemu_log_mask(LOG_GUEST_ERROR,
986                       "cirrus: bitblt - pixel width is unknown\n");
987         goto bitblt_ignore;
988     }
989     s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_PIXELWIDTHMASK;
990 
991     if ((s->
992          cirrus_blt_mode & (CIRRUS_BLTMODE_MEMSYSSRC |
993                             CIRRUS_BLTMODE_MEMSYSDEST))
994         == (CIRRUS_BLTMODE_MEMSYSSRC | CIRRUS_BLTMODE_MEMSYSDEST)) {
995         qemu_log_mask(LOG_UNIMP,
996                       "cirrus: bitblt - memory-to-memory copy requested\n");
997         goto bitblt_ignore;
998     }
999 
1000     if ((s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_SOLIDFILL) &&
1001         (s->cirrus_blt_mode & (CIRRUS_BLTMODE_MEMSYSDEST |
1002                                CIRRUS_BLTMODE_TRANSPARENTCOMP |
1003                                CIRRUS_BLTMODE_PATTERNCOPY |
1004                                CIRRUS_BLTMODE_COLOREXPAND)) ==
1005          (CIRRUS_BLTMODE_PATTERNCOPY | CIRRUS_BLTMODE_COLOREXPAND)) {
1006         cirrus_bitblt_fgcol(s);
1007         cirrus_bitblt_solidfill(s, blt_rop);
1008     } else {
1009         if ((s->cirrus_blt_mode & (CIRRUS_BLTMODE_COLOREXPAND |
1010                                    CIRRUS_BLTMODE_PATTERNCOPY)) ==
1011             CIRRUS_BLTMODE_COLOREXPAND) {
1012 
1013             if (s->cirrus_blt_mode & CIRRUS_BLTMODE_TRANSPARENTCOMP) {
1014                 if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV)
1015                     cirrus_bitblt_bgcol(s);
1016                 else
1017                     cirrus_bitblt_fgcol(s);
1018                 s->cirrus_rop = cirrus_colorexpand_transp[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1019             } else {
1020                 cirrus_bitblt_fgcol(s);
1021                 cirrus_bitblt_bgcol(s);
1022                 s->cirrus_rop = cirrus_colorexpand[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1023             }
1024         } else if (s->cirrus_blt_mode & CIRRUS_BLTMODE_PATTERNCOPY) {
1025             if (s->cirrus_blt_mode & CIRRUS_BLTMODE_COLOREXPAND) {
1026                 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_TRANSPARENTCOMP) {
1027                     if (s->cirrus_blt_modeext & CIRRUS_BLTMODEEXT_COLOREXPINV)
1028                         cirrus_bitblt_bgcol(s);
1029                     else
1030                         cirrus_bitblt_fgcol(s);
1031                     s->cirrus_rop = cirrus_colorexpand_pattern_transp[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1032                 } else {
1033                     cirrus_bitblt_fgcol(s);
1034                     cirrus_bitblt_bgcol(s);
1035                     s->cirrus_rop = cirrus_colorexpand_pattern[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1036                 }
1037             } else {
1038                 s->cirrus_rop = cirrus_patternfill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1039             }
1040         } else {
1041             if (s->cirrus_blt_mode & CIRRUS_BLTMODE_TRANSPARENTCOMP) {
1042                 if (s->cirrus_blt_pixelwidth > 2) {
1043                     qemu_log_mask(LOG_GUEST_ERROR,
1044                                   "cirrus: src transparent without colorexpand "
1045                                   "must be 8bpp or 16bpp\n");
1046                     goto bitblt_ignore;
1047                 }
1048                 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_BACKWARDS) {
1049                     s->cirrus_blt_dstpitch = -s->cirrus_blt_dstpitch;
1050                     s->cirrus_blt_srcpitch = -s->cirrus_blt_srcpitch;
1051                     s->cirrus_rop = cirrus_bkwd_transp_rop[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1052                 } else {
1053                     s->cirrus_rop = cirrus_fwd_transp_rop[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1];
1054                 }
1055             } else {
1056                 if (s->cirrus_blt_mode & CIRRUS_BLTMODE_BACKWARDS) {
1057                     s->cirrus_blt_dstpitch = -s->cirrus_blt_dstpitch;
1058                     s->cirrus_blt_srcpitch = -s->cirrus_blt_srcpitch;
1059                     s->cirrus_rop = cirrus_bkwd_rop[rop_to_index[blt_rop]];
1060                 } else {
1061                     s->cirrus_rop = cirrus_fwd_rop[rop_to_index[blt_rop]];
1062                 }
1063             }
1064         }
1065         // setup bitblt engine.
1066         if (s->cirrus_blt_mode & CIRRUS_BLTMODE_MEMSYSSRC) {
1067             if (!cirrus_bitblt_cputovideo(s))
1068                 goto bitblt_ignore;
1069         } else if (s->cirrus_blt_mode & CIRRUS_BLTMODE_MEMSYSDEST) {
1070             if (!cirrus_bitblt_videotocpu(s))
1071                 goto bitblt_ignore;
1072         } else {
1073             if (!cirrus_bitblt_videotovideo(s))
1074                 goto bitblt_ignore;
1075         }
1076     }
1077     return;
1078   bitblt_ignore:;
1079     cirrus_bitblt_reset(s);
1080 }
1081 
1082 static void cirrus_write_bitblt(CirrusVGAState * s, unsigned reg_value)
1083 {
1084     unsigned old_value;
1085 
1086     old_value = s->vga.gr[0x31];
1087     s->vga.gr[0x31] = reg_value;
1088 
1089     if (((old_value & CIRRUS_BLT_RESET) != 0) &&
1090         ((reg_value & CIRRUS_BLT_RESET) == 0)) {
1091         cirrus_bitblt_reset(s);
1092     } else if (((old_value & CIRRUS_BLT_START) == 0) &&
1093                ((reg_value & CIRRUS_BLT_START) != 0)) {
1094         cirrus_bitblt_start(s);
1095     }
1096 }
1097 
1098 
1099 /***************************************
1100  *
1101  *  basic parameters
1102  *
1103  ***************************************/
1104 
1105 static void cirrus_get_params(VGACommonState *s1,
1106                               VGADisplayParams *params)
1107 {
1108     CirrusVGAState * s = container_of(s1, CirrusVGAState, vga);
1109     uint32_t line_offset;
1110 
1111     line_offset = s->vga.cr[0x13]
1112         | ((s->vga.cr[0x1b] & 0x10) << 4);
1113     line_offset <<= 3;
1114     params->line_offset = line_offset;
1115 
1116     params->start_addr = (s->vga.cr[0x0c] << 8)
1117         | s->vga.cr[0x0d]
1118         | ((s->vga.cr[0x1b] & 0x01) << 16)
1119         | ((s->vga.cr[0x1b] & 0x0c) << 15)
1120         | ((s->vga.cr[0x1d] & 0x80) << 12);
1121 
1122     params->line_compare = s->vga.cr[0x18] |
1123         ((s->vga.cr[0x07] & 0x10) << 4) |
1124         ((s->vga.cr[0x09] & 0x40) << 3);
1125 
1126     params->hpel = s->vga.ar[VGA_ATC_PEL];
1127     params->hpel_split = s->vga.ar[VGA_ATC_MODE] & 0x20;
1128 }
1129 
1130 static uint32_t cirrus_get_bpp16_depth(CirrusVGAState * s)
1131 {
1132     uint32_t ret = 16;
1133 
1134     switch (s->cirrus_hidden_dac_data & 0xf) {
1135     case 0:
1136         ret = 15;
1137         break;                  /* Sierra HiColor */
1138     case 1:
1139         ret = 16;
1140         break;                  /* XGA HiColor */
1141     default:
1142         qemu_log_mask(LOG_GUEST_ERROR,
1143                       "cirrus: invalid DAC value 0x%x in 16bpp\n",
1144                       (s->cirrus_hidden_dac_data & 0xf));
1145         ret = 15;               /* XXX */
1146         break;
1147     }
1148     return ret;
1149 }
1150 
1151 static int cirrus_get_bpp(VGACommonState *s1)
1152 {
1153     CirrusVGAState * s = container_of(s1, CirrusVGAState, vga);
1154     uint32_t ret = 8;
1155 
1156     if ((s->vga.sr[0x07] & 0x01) != 0) {
1157         /* Cirrus SVGA */
1158         switch (s->vga.sr[0x07] & CIRRUS_SR7_BPP_MASK) {
1159         case CIRRUS_SR7_BPP_8:
1160             ret = 8;
1161             break;
1162         case CIRRUS_SR7_BPP_16_DOUBLEVCLK:
1163             ret = cirrus_get_bpp16_depth(s);
1164             break;
1165         case CIRRUS_SR7_BPP_24:
1166             ret = 24;
1167             break;
1168         case CIRRUS_SR7_BPP_16:
1169             ret = cirrus_get_bpp16_depth(s);
1170             break;
1171         case CIRRUS_SR7_BPP_32:
1172             ret = 32;
1173             break;
1174         default:
1175 #ifdef DEBUG_CIRRUS
1176             printf("cirrus: unknown bpp - sr7=%x\n", s->vga.sr[0x7]);
1177 #endif
1178             ret = 8;
1179             break;
1180         }
1181     } else {
1182         /* VGA */
1183         ret = 0;
1184     }
1185 
1186     return ret;
1187 }
1188 
1189 static void cirrus_get_resolution(VGACommonState *s, int *pwidth, int *pheight)
1190 {
1191     int width, height;
1192 
1193     width = (s->cr[0x01] + 1) * 8;
1194     height = s->cr[0x12] |
1195         ((s->cr[0x07] & 0x02) << 7) |
1196         ((s->cr[0x07] & 0x40) << 3);
1197     height = (height + 1);
1198     /* interlace support */
1199     if (s->cr[0x1a] & 0x01)
1200         height = height * 2;
1201     *pwidth = width;
1202     *pheight = height;
1203 }
1204 
1205 /***************************************
1206  *
1207  * bank memory
1208  *
1209  ***************************************/
1210 
1211 static void cirrus_update_bank_ptr(CirrusVGAState * s, unsigned bank_index)
1212 {
1213     unsigned offset;
1214     unsigned limit;
1215 
1216     if ((s->vga.gr[0x0b] & 0x01) != 0)  /* dual bank */
1217         offset = s->vga.gr[0x09 + bank_index];
1218     else                        /* single bank */
1219         offset = s->vga.gr[0x09];
1220 
1221     if ((s->vga.gr[0x0b] & 0x20) != 0)
1222         offset <<= 14;
1223     else
1224         offset <<= 12;
1225 
1226     if (s->real_vram_size <= offset)
1227         limit = 0;
1228     else
1229         limit = s->real_vram_size - offset;
1230 
1231     if (((s->vga.gr[0x0b] & 0x01) == 0) && (bank_index != 0)) {
1232         if (limit > 0x8000) {
1233             offset += 0x8000;
1234             limit -= 0x8000;
1235         } else {
1236             limit = 0;
1237         }
1238     }
1239 
1240     if (limit > 0) {
1241         s->cirrus_bank_base[bank_index] = offset;
1242         s->cirrus_bank_limit[bank_index] = limit;
1243     } else {
1244         s->cirrus_bank_base[bank_index] = 0;
1245         s->cirrus_bank_limit[bank_index] = 0;
1246     }
1247 }
1248 
1249 /***************************************
1250  *
1251  *  I/O access between 0x3c4-0x3c5
1252  *
1253  ***************************************/
1254 
1255 static int cirrus_vga_read_sr(CirrusVGAState * s)
1256 {
1257     switch (s->vga.sr_index) {
1258     case 0x00:                  // Standard VGA
1259     case 0x01:                  // Standard VGA
1260     case 0x02:                  // Standard VGA
1261     case 0x03:                  // Standard VGA
1262     case 0x04:                  // Standard VGA
1263         return s->vga.sr[s->vga.sr_index];
1264     case 0x06:                  // Unlock Cirrus extensions
1265         return s->vga.sr[s->vga.sr_index];
1266     case 0x10:
1267     case 0x30:
1268     case 0x50:
1269     case 0x70:                  // Graphics Cursor X
1270     case 0x90:
1271     case 0xb0:
1272     case 0xd0:
1273     case 0xf0:                  // Graphics Cursor X
1274         return s->vga.sr[0x10];
1275     case 0x11:
1276     case 0x31:
1277     case 0x51:
1278     case 0x71:                  // Graphics Cursor Y
1279     case 0x91:
1280     case 0xb1:
1281     case 0xd1:
1282     case 0xf1:                  // Graphics Cursor Y
1283         return s->vga.sr[0x11];
1284     case 0x05:                  // ???
1285     case 0x07:                  // Extended Sequencer Mode
1286     case 0x08:                  // EEPROM Control
1287     case 0x09:                  // Scratch Register 0
1288     case 0x0a:                  // Scratch Register 1
1289     case 0x0b:                  // VCLK 0
1290     case 0x0c:                  // VCLK 1
1291     case 0x0d:                  // VCLK 2
1292     case 0x0e:                  // VCLK 3
1293     case 0x0f:                  // DRAM Control
1294     case 0x12:                  // Graphics Cursor Attribute
1295     case 0x13:                  // Graphics Cursor Pattern Address
1296     case 0x14:                  // Scratch Register 2
1297     case 0x15:                  // Scratch Register 3
1298     case 0x16:                  // Performance Tuning Register
1299     case 0x17:                  // Configuration Readback and Extended Control
1300     case 0x18:                  // Signature Generator Control
1301     case 0x19:                  // Signal Generator Result
1302     case 0x1a:                  // Signal Generator Result
1303     case 0x1b:                  // VCLK 0 Denominator & Post
1304     case 0x1c:                  // VCLK 1 Denominator & Post
1305     case 0x1d:                  // VCLK 2 Denominator & Post
1306     case 0x1e:                  // VCLK 3 Denominator & Post
1307     case 0x1f:                  // BIOS Write Enable and MCLK select
1308 #ifdef DEBUG_CIRRUS
1309         printf("cirrus: handled inport sr_index %02x\n", s->vga.sr_index);
1310 #endif
1311         return s->vga.sr[s->vga.sr_index];
1312     default:
1313         qemu_log_mask(LOG_GUEST_ERROR,
1314                       "cirrus: inport sr_index 0x%02x\n", s->vga.sr_index);
1315         return 0xff;
1316     }
1317 }
1318 
1319 static void cirrus_vga_write_sr(CirrusVGAState * s, uint32_t val)
1320 {
1321     switch (s->vga.sr_index) {
1322     case 0x00:                  // Standard VGA
1323     case 0x01:                  // Standard VGA
1324     case 0x02:                  // Standard VGA
1325     case 0x03:                  // Standard VGA
1326     case 0x04:                  // Standard VGA
1327         s->vga.sr[s->vga.sr_index] = val & sr_mask[s->vga.sr_index];
1328         if (s->vga.sr_index == 1)
1329             s->vga.update_retrace_info(&s->vga);
1330         break;
1331     case 0x06:                  // Unlock Cirrus extensions
1332         val &= 0x17;
1333         if (val == 0x12) {
1334             s->vga.sr[s->vga.sr_index] = 0x12;
1335         } else {
1336             s->vga.sr[s->vga.sr_index] = 0x0f;
1337         }
1338         break;
1339     case 0x10:
1340     case 0x30:
1341     case 0x50:
1342     case 0x70:                  // Graphics Cursor X
1343     case 0x90:
1344     case 0xb0:
1345     case 0xd0:
1346     case 0xf0:                  // Graphics Cursor X
1347         s->vga.sr[0x10] = val;
1348         s->vga.hw_cursor_x = (val << 3) | (s->vga.sr_index >> 5);
1349         break;
1350     case 0x11:
1351     case 0x31:
1352     case 0x51:
1353     case 0x71:                  // Graphics Cursor Y
1354     case 0x91:
1355     case 0xb1:
1356     case 0xd1:
1357     case 0xf1:                  // Graphics Cursor Y
1358         s->vga.sr[0x11] = val;
1359         s->vga.hw_cursor_y = (val << 3) | (s->vga.sr_index >> 5);
1360         break;
1361     case 0x07:                  // Extended Sequencer Mode
1362         cirrus_update_memory_access(s);
1363         /* fall through */
1364     case 0x08:                  // EEPROM Control
1365     case 0x09:                  // Scratch Register 0
1366     case 0x0a:                  // Scratch Register 1
1367     case 0x0b:                  // VCLK 0
1368     case 0x0c:                  // VCLK 1
1369     case 0x0d:                  // VCLK 2
1370     case 0x0e:                  // VCLK 3
1371     case 0x0f:                  // DRAM Control
1372     case 0x13:                  // Graphics Cursor Pattern Address
1373     case 0x14:                  // Scratch Register 2
1374     case 0x15:                  // Scratch Register 3
1375     case 0x16:                  // Performance Tuning Register
1376     case 0x18:                  // Signature Generator Control
1377     case 0x19:                  // Signature Generator Result
1378     case 0x1a:                  // Signature Generator Result
1379     case 0x1b:                  // VCLK 0 Denominator & Post
1380     case 0x1c:                  // VCLK 1 Denominator & Post
1381     case 0x1d:                  // VCLK 2 Denominator & Post
1382     case 0x1e:                  // VCLK 3 Denominator & Post
1383     case 0x1f:                  // BIOS Write Enable and MCLK select
1384         s->vga.sr[s->vga.sr_index] = val;
1385 #ifdef DEBUG_CIRRUS
1386         printf("cirrus: handled outport sr_index %02x, sr_value %02x\n",
1387                s->vga.sr_index, val);
1388 #endif
1389         break;
1390     case 0x12:                  // Graphics Cursor Attribute
1391         s->vga.sr[0x12] = val;
1392         s->vga.force_shadow = !!(val & CIRRUS_CURSOR_SHOW);
1393 #ifdef DEBUG_CIRRUS
1394         printf("cirrus: cursor ctl SR12=%02x (force shadow: %d)\n",
1395                val, s->vga.force_shadow);
1396 #endif
1397         break;
1398     case 0x17:                  // Configuration Readback and Extended Control
1399         s->vga.sr[s->vga.sr_index] = (s->vga.sr[s->vga.sr_index] & 0x38)
1400                                    | (val & 0xc7);
1401         cirrus_update_memory_access(s);
1402         break;
1403     default:
1404         qemu_log_mask(LOG_GUEST_ERROR,
1405                       "cirrus: outport sr_index 0x%02x, sr_value 0x%02x\n",
1406                       s->vga.sr_index, val);
1407         break;
1408     }
1409 }
1410 
1411 /***************************************
1412  *
1413  *  I/O access at 0x3c6
1414  *
1415  ***************************************/
1416 
1417 static int cirrus_read_hidden_dac(CirrusVGAState * s)
1418 {
1419     if (++s->cirrus_hidden_dac_lockindex == 5) {
1420         s->cirrus_hidden_dac_lockindex = 0;
1421         return s->cirrus_hidden_dac_data;
1422     }
1423     return 0xff;
1424 }
1425 
1426 static void cirrus_write_hidden_dac(CirrusVGAState * s, int reg_value)
1427 {
1428     if (s->cirrus_hidden_dac_lockindex == 4) {
1429         s->cirrus_hidden_dac_data = reg_value;
1430 #if defined(DEBUG_CIRRUS)
1431         printf("cirrus: outport hidden DAC, value %02x\n", reg_value);
1432 #endif
1433     }
1434     s->cirrus_hidden_dac_lockindex = 0;
1435 }
1436 
1437 /***************************************
1438  *
1439  *  I/O access at 0x3c9
1440  *
1441  ***************************************/
1442 
1443 static int cirrus_vga_read_palette(CirrusVGAState * s)
1444 {
1445     int val;
1446 
1447     if ((s->vga.sr[0x12] & CIRRUS_CURSOR_HIDDENPEL)) {
1448         val = s->cirrus_hidden_palette[(s->vga.dac_read_index & 0x0f) * 3 +
1449                                        s->vga.dac_sub_index];
1450     } else {
1451         val = s->vga.palette[s->vga.dac_read_index * 3 + s->vga.dac_sub_index];
1452     }
1453     if (++s->vga.dac_sub_index == 3) {
1454         s->vga.dac_sub_index = 0;
1455         s->vga.dac_read_index++;
1456     }
1457     return val;
1458 }
1459 
1460 static void cirrus_vga_write_palette(CirrusVGAState * s, int reg_value)
1461 {
1462     s->vga.dac_cache[s->vga.dac_sub_index] = reg_value;
1463     if (++s->vga.dac_sub_index == 3) {
1464         if ((s->vga.sr[0x12] & CIRRUS_CURSOR_HIDDENPEL)) {
1465             memcpy(&s->cirrus_hidden_palette[(s->vga.dac_write_index & 0x0f) * 3],
1466                    s->vga.dac_cache, 3);
1467         } else {
1468             memcpy(&s->vga.palette[s->vga.dac_write_index * 3], s->vga.dac_cache, 3);
1469         }
1470         /* XXX update cursor */
1471         s->vga.dac_sub_index = 0;
1472         s->vga.dac_write_index++;
1473     }
1474 }
1475 
1476 /***************************************
1477  *
1478  *  I/O access between 0x3ce-0x3cf
1479  *
1480  ***************************************/
1481 
1482 static int cirrus_vga_read_gr(CirrusVGAState * s, unsigned reg_index)
1483 {
1484     switch (reg_index) {
1485     case 0x00: // Standard VGA, BGCOLOR 0x000000ff
1486         return s->cirrus_shadow_gr0;
1487     case 0x01: // Standard VGA, FGCOLOR 0x000000ff
1488         return s->cirrus_shadow_gr1;
1489     case 0x02:                  // Standard VGA
1490     case 0x03:                  // Standard VGA
1491     case 0x04:                  // Standard VGA
1492     case 0x06:                  // Standard VGA
1493     case 0x07:                  // Standard VGA
1494     case 0x08:                  // Standard VGA
1495         return s->vga.gr[s->vga.gr_index];
1496     case 0x05:                  // Standard VGA, Cirrus extended mode
1497     default:
1498         break;
1499     }
1500 
1501     if (reg_index < 0x3a) {
1502         return s->vga.gr[reg_index];
1503     } else {
1504         qemu_log_mask(LOG_GUEST_ERROR,
1505                       "cirrus: inport gr_index 0x%02x\n", reg_index);
1506         return 0xff;
1507     }
1508 }
1509 
1510 static void
1511 cirrus_vga_write_gr(CirrusVGAState * s, unsigned reg_index, int reg_value)
1512 {
1513     trace_vga_cirrus_write_gr(reg_index, reg_value);
1514     switch (reg_index) {
1515     case 0x00:                  // Standard VGA, BGCOLOR 0x000000ff
1516         s->vga.gr[reg_index] = reg_value & gr_mask[reg_index];
1517         s->cirrus_shadow_gr0 = reg_value;
1518         break;
1519     case 0x01:                  // Standard VGA, FGCOLOR 0x000000ff
1520         s->vga.gr[reg_index] = reg_value & gr_mask[reg_index];
1521         s->cirrus_shadow_gr1 = reg_value;
1522         break;
1523     case 0x02:                  // Standard VGA
1524     case 0x03:                  // Standard VGA
1525     case 0x04:                  // Standard VGA
1526     case 0x06:                  // Standard VGA
1527     case 0x07:                  // Standard VGA
1528     case 0x08:                  // Standard VGA
1529         s->vga.gr[reg_index] = reg_value & gr_mask[reg_index];
1530         break;
1531     case 0x05:                  // Standard VGA, Cirrus extended mode
1532         s->vga.gr[reg_index] = reg_value & 0x7f;
1533         cirrus_update_memory_access(s);
1534         break;
1535     case 0x09:                  // bank offset #0
1536     case 0x0A:                  // bank offset #1
1537         s->vga.gr[reg_index] = reg_value;
1538         cirrus_update_bank_ptr(s, 0);
1539         cirrus_update_bank_ptr(s, 1);
1540         cirrus_update_memory_access(s);
1541         break;
1542     case 0x0B:
1543         s->vga.gr[reg_index] = reg_value;
1544         cirrus_update_bank_ptr(s, 0);
1545         cirrus_update_bank_ptr(s, 1);
1546         cirrus_update_memory_access(s);
1547         break;
1548     case 0x10:                  // BGCOLOR 0x0000ff00
1549     case 0x11:                  // FGCOLOR 0x0000ff00
1550     case 0x12:                  // BGCOLOR 0x00ff0000
1551     case 0x13:                  // FGCOLOR 0x00ff0000
1552     case 0x14:                  // BGCOLOR 0xff000000
1553     case 0x15:                  // FGCOLOR 0xff000000
1554     case 0x20:                  // BLT WIDTH 0x0000ff
1555     case 0x22:                  // BLT HEIGHT 0x0000ff
1556     case 0x24:                  // BLT DEST PITCH 0x0000ff
1557     case 0x26:                  // BLT SRC PITCH 0x0000ff
1558     case 0x28:                  // BLT DEST ADDR 0x0000ff
1559     case 0x29:                  // BLT DEST ADDR 0x00ff00
1560     case 0x2c:                  // BLT SRC ADDR 0x0000ff
1561     case 0x2d:                  // BLT SRC ADDR 0x00ff00
1562     case 0x2f:                  // BLT WRITEMASK
1563     case 0x30:                  // BLT MODE
1564     case 0x32:                  // RASTER OP
1565     case 0x33:                  // BLT MODEEXT
1566     case 0x34:                  // BLT TRANSPARENT COLOR 0x00ff
1567     case 0x35:                  // BLT TRANSPARENT COLOR 0xff00
1568     case 0x38:                  // BLT TRANSPARENT COLOR MASK 0x00ff
1569     case 0x39:                  // BLT TRANSPARENT COLOR MASK 0xff00
1570         s->vga.gr[reg_index] = reg_value;
1571         break;
1572     case 0x21:                  // BLT WIDTH 0x001f00
1573     case 0x23:                  // BLT HEIGHT 0x001f00
1574     case 0x25:                  // BLT DEST PITCH 0x001f00
1575     case 0x27:                  // BLT SRC PITCH 0x001f00
1576         s->vga.gr[reg_index] = reg_value & 0x1f;
1577         break;
1578     case 0x2a:                  // BLT DEST ADDR 0x3f0000
1579         s->vga.gr[reg_index] = reg_value & 0x3f;
1580         /* if auto start mode, starts bit blt now */
1581         if (s->vga.gr[0x31] & CIRRUS_BLT_AUTOSTART) {
1582             cirrus_bitblt_start(s);
1583         }
1584         break;
1585     case 0x2e:                  // BLT SRC ADDR 0x3f0000
1586         s->vga.gr[reg_index] = reg_value & 0x3f;
1587         break;
1588     case 0x31:                  // BLT STATUS/START
1589         cirrus_write_bitblt(s, reg_value);
1590         break;
1591     default:
1592         qemu_log_mask(LOG_GUEST_ERROR,
1593                       "cirrus: outport gr_index 0x%02x, gr_value 0x%02x\n",
1594                       reg_index, reg_value);
1595         break;
1596     }
1597 }
1598 
1599 /***************************************
1600  *
1601  *  I/O access between 0x3d4-0x3d5
1602  *
1603  ***************************************/
1604 
1605 static int cirrus_vga_read_cr(CirrusVGAState * s, unsigned reg_index)
1606 {
1607     switch (reg_index) {
1608     case 0x00:                  // Standard VGA
1609     case 0x01:                  // Standard VGA
1610     case 0x02:                  // Standard VGA
1611     case 0x03:                  // Standard VGA
1612     case 0x04:                  // Standard VGA
1613     case 0x05:                  // Standard VGA
1614     case 0x06:                  // Standard VGA
1615     case 0x07:                  // Standard VGA
1616     case 0x08:                  // Standard VGA
1617     case 0x09:                  // Standard VGA
1618     case 0x0a:                  // Standard VGA
1619     case 0x0b:                  // Standard VGA
1620     case 0x0c:                  // Standard VGA
1621     case 0x0d:                  // Standard VGA
1622     case 0x0e:                  // Standard VGA
1623     case 0x0f:                  // Standard VGA
1624     case 0x10:                  // Standard VGA
1625     case 0x11:                  // Standard VGA
1626     case 0x12:                  // Standard VGA
1627     case 0x13:                  // Standard VGA
1628     case 0x14:                  // Standard VGA
1629     case 0x15:                  // Standard VGA
1630     case 0x16:                  // Standard VGA
1631     case 0x17:                  // Standard VGA
1632     case 0x18:                  // Standard VGA
1633         return s->vga.cr[s->vga.cr_index];
1634     case 0x24:                  // Attribute Controller Toggle Readback (R)
1635         return (s->vga.ar_flip_flop << 7);
1636     case 0x19:                  // Interlace End
1637     case 0x1a:                  // Miscellaneous Control
1638     case 0x1b:                  // Extended Display Control
1639     case 0x1c:                  // Sync Adjust and Genlock
1640     case 0x1d:                  // Overlay Extended Control
1641     case 0x22:                  // Graphics Data Latches Readback (R)
1642     case 0x25:                  // Part Status
1643     case 0x27:                  // Part ID (R)
1644         return s->vga.cr[s->vga.cr_index];
1645     case 0x26:                  // Attribute Controller Index Readback (R)
1646         return s->vga.ar_index & 0x3f;
1647     default:
1648         qemu_log_mask(LOG_GUEST_ERROR,
1649                       "cirrus: inport cr_index 0x%02x\n", reg_index);
1650         return 0xff;
1651     }
1652 }
1653 
1654 static void cirrus_vga_write_cr(CirrusVGAState * s, int reg_value)
1655 {
1656     switch (s->vga.cr_index) {
1657     case 0x00:                  // Standard VGA
1658     case 0x01:                  // Standard VGA
1659     case 0x02:                  // Standard VGA
1660     case 0x03:                  // Standard VGA
1661     case 0x04:                  // Standard VGA
1662     case 0x05:                  // Standard VGA
1663     case 0x06:                  // Standard VGA
1664     case 0x07:                  // Standard VGA
1665     case 0x08:                  // Standard VGA
1666     case 0x09:                  // Standard VGA
1667     case 0x0a:                  // Standard VGA
1668     case 0x0b:                  // Standard VGA
1669     case 0x0c:                  // Standard VGA
1670     case 0x0d:                  // Standard VGA
1671     case 0x0e:                  // Standard VGA
1672     case 0x0f:                  // Standard VGA
1673     case 0x10:                  // Standard VGA
1674     case 0x11:                  // Standard VGA
1675     case 0x12:                  // Standard VGA
1676     case 0x13:                  // Standard VGA
1677     case 0x14:                  // Standard VGA
1678     case 0x15:                  // Standard VGA
1679     case 0x16:                  // Standard VGA
1680     case 0x17:                  // Standard VGA
1681     case 0x18:                  // Standard VGA
1682         /* handle CR0-7 protection */
1683         if ((s->vga.cr[0x11] & 0x80) && s->vga.cr_index <= 7) {
1684             /* can always write bit 4 of CR7 */
1685             if (s->vga.cr_index == 7)
1686                 s->vga.cr[7] = (s->vga.cr[7] & ~0x10) | (reg_value & 0x10);
1687             return;
1688         }
1689         s->vga.cr[s->vga.cr_index] = reg_value;
1690         switch(s->vga.cr_index) {
1691         case 0x00:
1692         case 0x04:
1693         case 0x05:
1694         case 0x06:
1695         case 0x07:
1696         case 0x11:
1697         case 0x17:
1698             s->vga.update_retrace_info(&s->vga);
1699             break;
1700         }
1701         break;
1702     case 0x19:                  // Interlace End
1703     case 0x1a:                  // Miscellaneous Control
1704     case 0x1b:                  // Extended Display Control
1705     case 0x1c:                  // Sync Adjust and Genlock
1706     case 0x1d:                  // Overlay Extended Control
1707         s->vga.cr[s->vga.cr_index] = reg_value;
1708 #ifdef DEBUG_CIRRUS
1709         printf("cirrus: handled outport cr_index %02x, cr_value %02x\n",
1710                s->vga.cr_index, reg_value);
1711 #endif
1712         break;
1713     case 0x22:                  // Graphics Data Latches Readback (R)
1714     case 0x24:                  // Attribute Controller Toggle Readback (R)
1715     case 0x26:                  // Attribute Controller Index Readback (R)
1716     case 0x27:                  // Part ID (R)
1717         break;
1718     case 0x25:                  // Part Status
1719     default:
1720         qemu_log_mask(LOG_GUEST_ERROR,
1721                       "cirrus: outport cr_index 0x%02x, cr_value 0x%02x\n",
1722                       s->vga.cr_index, reg_value);
1723         break;
1724     }
1725 }
1726 
1727 /***************************************
1728  *
1729  *  memory-mapped I/O (bitblt)
1730  *
1731  ***************************************/
1732 
1733 static uint8_t cirrus_mmio_blt_read(CirrusVGAState * s, unsigned address)
1734 {
1735     int value = 0xff;
1736 
1737     switch (address) {
1738     case (CIRRUS_MMIO_BLTBGCOLOR + 0):
1739         value = cirrus_vga_read_gr(s, 0x00);
1740         break;
1741     case (CIRRUS_MMIO_BLTBGCOLOR + 1):
1742         value = cirrus_vga_read_gr(s, 0x10);
1743         break;
1744     case (CIRRUS_MMIO_BLTBGCOLOR + 2):
1745         value = cirrus_vga_read_gr(s, 0x12);
1746         break;
1747     case (CIRRUS_MMIO_BLTBGCOLOR + 3):
1748         value = cirrus_vga_read_gr(s, 0x14);
1749         break;
1750     case (CIRRUS_MMIO_BLTFGCOLOR + 0):
1751         value = cirrus_vga_read_gr(s, 0x01);
1752         break;
1753     case (CIRRUS_MMIO_BLTFGCOLOR + 1):
1754         value = cirrus_vga_read_gr(s, 0x11);
1755         break;
1756     case (CIRRUS_MMIO_BLTFGCOLOR + 2):
1757         value = cirrus_vga_read_gr(s, 0x13);
1758         break;
1759     case (CIRRUS_MMIO_BLTFGCOLOR + 3):
1760         value = cirrus_vga_read_gr(s, 0x15);
1761         break;
1762     case (CIRRUS_MMIO_BLTWIDTH + 0):
1763         value = cirrus_vga_read_gr(s, 0x20);
1764         break;
1765     case (CIRRUS_MMIO_BLTWIDTH + 1):
1766         value = cirrus_vga_read_gr(s, 0x21);
1767         break;
1768     case (CIRRUS_MMIO_BLTHEIGHT + 0):
1769         value = cirrus_vga_read_gr(s, 0x22);
1770         break;
1771     case (CIRRUS_MMIO_BLTHEIGHT + 1):
1772         value = cirrus_vga_read_gr(s, 0x23);
1773         break;
1774     case (CIRRUS_MMIO_BLTDESTPITCH + 0):
1775         value = cirrus_vga_read_gr(s, 0x24);
1776         break;
1777     case (CIRRUS_MMIO_BLTDESTPITCH + 1):
1778         value = cirrus_vga_read_gr(s, 0x25);
1779         break;
1780     case (CIRRUS_MMIO_BLTSRCPITCH + 0):
1781         value = cirrus_vga_read_gr(s, 0x26);
1782         break;
1783     case (CIRRUS_MMIO_BLTSRCPITCH + 1):
1784         value = cirrus_vga_read_gr(s, 0x27);
1785         break;
1786     case (CIRRUS_MMIO_BLTDESTADDR + 0):
1787         value = cirrus_vga_read_gr(s, 0x28);
1788         break;
1789     case (CIRRUS_MMIO_BLTDESTADDR + 1):
1790         value = cirrus_vga_read_gr(s, 0x29);
1791         break;
1792     case (CIRRUS_MMIO_BLTDESTADDR + 2):
1793         value = cirrus_vga_read_gr(s, 0x2a);
1794         break;
1795     case (CIRRUS_MMIO_BLTSRCADDR + 0):
1796         value = cirrus_vga_read_gr(s, 0x2c);
1797         break;
1798     case (CIRRUS_MMIO_BLTSRCADDR + 1):
1799         value = cirrus_vga_read_gr(s, 0x2d);
1800         break;
1801     case (CIRRUS_MMIO_BLTSRCADDR + 2):
1802         value = cirrus_vga_read_gr(s, 0x2e);
1803         break;
1804     case CIRRUS_MMIO_BLTWRITEMASK:
1805         value = cirrus_vga_read_gr(s, 0x2f);
1806         break;
1807     case CIRRUS_MMIO_BLTMODE:
1808         value = cirrus_vga_read_gr(s, 0x30);
1809         break;
1810     case CIRRUS_MMIO_BLTROP:
1811         value = cirrus_vga_read_gr(s, 0x32);
1812         break;
1813     case CIRRUS_MMIO_BLTMODEEXT:
1814         value = cirrus_vga_read_gr(s, 0x33);
1815         break;
1816     case (CIRRUS_MMIO_BLTTRANSPARENTCOLOR + 0):
1817         value = cirrus_vga_read_gr(s, 0x34);
1818         break;
1819     case (CIRRUS_MMIO_BLTTRANSPARENTCOLOR + 1):
1820         value = cirrus_vga_read_gr(s, 0x35);
1821         break;
1822     case (CIRRUS_MMIO_BLTTRANSPARENTCOLORMASK + 0):
1823         value = cirrus_vga_read_gr(s, 0x38);
1824         break;
1825     case (CIRRUS_MMIO_BLTTRANSPARENTCOLORMASK + 1):
1826         value = cirrus_vga_read_gr(s, 0x39);
1827         break;
1828     case CIRRUS_MMIO_BLTSTATUS:
1829         value = cirrus_vga_read_gr(s, 0x31);
1830         break;
1831     default:
1832         qemu_log_mask(LOG_GUEST_ERROR,
1833                       "cirrus: mmio read - address 0x%04x\n", address);
1834         break;
1835     }
1836 
1837     trace_vga_cirrus_write_blt(address, value);
1838     return (uint8_t) value;
1839 }
1840 
1841 static void cirrus_mmio_blt_write(CirrusVGAState * s, unsigned address,
1842                                   uint8_t value)
1843 {
1844     trace_vga_cirrus_write_blt(address, value);
1845     switch (address) {
1846     case (CIRRUS_MMIO_BLTBGCOLOR + 0):
1847         cirrus_vga_write_gr(s, 0x00, value);
1848         break;
1849     case (CIRRUS_MMIO_BLTBGCOLOR + 1):
1850         cirrus_vga_write_gr(s, 0x10, value);
1851         break;
1852     case (CIRRUS_MMIO_BLTBGCOLOR + 2):
1853         cirrus_vga_write_gr(s, 0x12, value);
1854         break;
1855     case (CIRRUS_MMIO_BLTBGCOLOR + 3):
1856         cirrus_vga_write_gr(s, 0x14, value);
1857         break;
1858     case (CIRRUS_MMIO_BLTFGCOLOR + 0):
1859         cirrus_vga_write_gr(s, 0x01, value);
1860         break;
1861     case (CIRRUS_MMIO_BLTFGCOLOR + 1):
1862         cirrus_vga_write_gr(s, 0x11, value);
1863         break;
1864     case (CIRRUS_MMIO_BLTFGCOLOR + 2):
1865         cirrus_vga_write_gr(s, 0x13, value);
1866         break;
1867     case (CIRRUS_MMIO_BLTFGCOLOR + 3):
1868         cirrus_vga_write_gr(s, 0x15, value);
1869         break;
1870     case (CIRRUS_MMIO_BLTWIDTH + 0):
1871         cirrus_vga_write_gr(s, 0x20, value);
1872         break;
1873     case (CIRRUS_MMIO_BLTWIDTH + 1):
1874         cirrus_vga_write_gr(s, 0x21, value);
1875         break;
1876     case (CIRRUS_MMIO_BLTHEIGHT + 0):
1877         cirrus_vga_write_gr(s, 0x22, value);
1878         break;
1879     case (CIRRUS_MMIO_BLTHEIGHT + 1):
1880         cirrus_vga_write_gr(s, 0x23, value);
1881         break;
1882     case (CIRRUS_MMIO_BLTDESTPITCH + 0):
1883         cirrus_vga_write_gr(s, 0x24, value);
1884         break;
1885     case (CIRRUS_MMIO_BLTDESTPITCH + 1):
1886         cirrus_vga_write_gr(s, 0x25, value);
1887         break;
1888     case (CIRRUS_MMIO_BLTSRCPITCH + 0):
1889         cirrus_vga_write_gr(s, 0x26, value);
1890         break;
1891     case (CIRRUS_MMIO_BLTSRCPITCH + 1):
1892         cirrus_vga_write_gr(s, 0x27, value);
1893         break;
1894     case (CIRRUS_MMIO_BLTDESTADDR + 0):
1895         cirrus_vga_write_gr(s, 0x28, value);
1896         break;
1897     case (CIRRUS_MMIO_BLTDESTADDR + 1):
1898         cirrus_vga_write_gr(s, 0x29, value);
1899         break;
1900     case (CIRRUS_MMIO_BLTDESTADDR + 2):
1901         cirrus_vga_write_gr(s, 0x2a, value);
1902         break;
1903     case (CIRRUS_MMIO_BLTDESTADDR + 3):
1904         /* ignored */
1905         break;
1906     case (CIRRUS_MMIO_BLTSRCADDR + 0):
1907         cirrus_vga_write_gr(s, 0x2c, value);
1908         break;
1909     case (CIRRUS_MMIO_BLTSRCADDR + 1):
1910         cirrus_vga_write_gr(s, 0x2d, value);
1911         break;
1912     case (CIRRUS_MMIO_BLTSRCADDR + 2):
1913         cirrus_vga_write_gr(s, 0x2e, value);
1914         break;
1915     case CIRRUS_MMIO_BLTWRITEMASK:
1916         cirrus_vga_write_gr(s, 0x2f, value);
1917         break;
1918     case CIRRUS_MMIO_BLTMODE:
1919         cirrus_vga_write_gr(s, 0x30, value);
1920         break;
1921     case CIRRUS_MMIO_BLTROP:
1922         cirrus_vga_write_gr(s, 0x32, value);
1923         break;
1924     case CIRRUS_MMIO_BLTMODEEXT:
1925         cirrus_vga_write_gr(s, 0x33, value);
1926         break;
1927     case (CIRRUS_MMIO_BLTTRANSPARENTCOLOR + 0):
1928         cirrus_vga_write_gr(s, 0x34, value);
1929         break;
1930     case (CIRRUS_MMIO_BLTTRANSPARENTCOLOR + 1):
1931         cirrus_vga_write_gr(s, 0x35, value);
1932         break;
1933     case (CIRRUS_MMIO_BLTTRANSPARENTCOLORMASK + 0):
1934         cirrus_vga_write_gr(s, 0x38, value);
1935         break;
1936     case (CIRRUS_MMIO_BLTTRANSPARENTCOLORMASK + 1):
1937         cirrus_vga_write_gr(s, 0x39, value);
1938         break;
1939     case CIRRUS_MMIO_BLTSTATUS:
1940         cirrus_vga_write_gr(s, 0x31, value);
1941         break;
1942     default:
1943         qemu_log_mask(LOG_GUEST_ERROR,
1944                       "cirrus: mmio write - addr 0x%04x val 0x%02x (ignored)\n",
1945                       address, value);
1946         break;
1947     }
1948 }
1949 
1950 /***************************************
1951  *
1952  *  write mode 4/5
1953  *
1954  ***************************************/
1955 
1956 static void cirrus_mem_writeb_mode4and5_8bpp(CirrusVGAState * s,
1957                                              unsigned mode,
1958                                              unsigned offset,
1959                                              uint32_t mem_value)
1960 {
1961     int x;
1962     unsigned val = mem_value;
1963     uint8_t *dst;
1964 
1965     for (x = 0; x < 8; x++) {
1966         dst = s->vga.vram_ptr + ((offset + x) & s->cirrus_addr_mask);
1967         if (val & 0x80) {
1968             *dst = s->cirrus_shadow_gr1;
1969         } else if (mode == 5) {
1970             *dst = s->cirrus_shadow_gr0;
1971         }
1972         val <<= 1;
1973     }
1974     memory_region_set_dirty(&s->vga.vram, offset, 8);
1975 }
1976 
1977 static void cirrus_mem_writeb_mode4and5_16bpp(CirrusVGAState * s,
1978                                               unsigned mode,
1979                                               unsigned offset,
1980                                               uint32_t mem_value)
1981 {
1982     int x;
1983     unsigned val = mem_value;
1984     uint8_t *dst;
1985 
1986     for (x = 0; x < 8; x++) {
1987         dst = s->vga.vram_ptr + ((offset + 2 * x) & s->cirrus_addr_mask & ~1);
1988         if (val & 0x80) {
1989             *dst = s->cirrus_shadow_gr1;
1990             *(dst + 1) = s->vga.gr[0x11];
1991         } else if (mode == 5) {
1992             *dst = s->cirrus_shadow_gr0;
1993             *(dst + 1) = s->vga.gr[0x10];
1994         }
1995         val <<= 1;
1996     }
1997     memory_region_set_dirty(&s->vga.vram, offset, 16);
1998 }
1999 
2000 /***************************************
2001  *
2002  *  memory access between 0xa0000-0xbffff
2003  *
2004  ***************************************/
2005 
2006 static uint64_t cirrus_vga_mem_read(void *opaque,
2007                                     hwaddr addr,
2008                                     uint32_t size)
2009 {
2010     CirrusVGAState *s = opaque;
2011     unsigned bank_index;
2012     unsigned bank_offset;
2013     uint32_t val;
2014 
2015     if ((s->vga.sr[0x07] & 0x01) == 0) {
2016         return vga_mem_readb(&s->vga, addr);
2017     }
2018 
2019     if (addr < 0x10000) {
2020         /* XXX handle bitblt */
2021         /* video memory */
2022         bank_index = addr >> 15;
2023         bank_offset = addr & 0x7fff;
2024         if (bank_offset < s->cirrus_bank_limit[bank_index]) {
2025             bank_offset += s->cirrus_bank_base[bank_index];
2026             if ((s->vga.gr[0x0B] & 0x14) == 0x14) {
2027                 bank_offset <<= 4;
2028             } else if (s->vga.gr[0x0B] & 0x02) {
2029                 bank_offset <<= 3;
2030             }
2031             bank_offset &= s->cirrus_addr_mask;
2032             val = *(s->vga.vram_ptr + bank_offset);
2033         } else
2034             val = 0xff;
2035     } else if (addr >= 0x18000 && addr < 0x18100) {
2036         /* memory-mapped I/O */
2037         val = 0xff;
2038         if ((s->vga.sr[0x17] & 0x44) == 0x04) {
2039             val = cirrus_mmio_blt_read(s, addr & 0xff);
2040         }
2041     } else {
2042         val = 0xff;
2043         qemu_log_mask(LOG_GUEST_ERROR,
2044                       "cirrus: mem_readb 0x" HWADDR_FMT_plx "\n", addr);
2045     }
2046     return val;
2047 }
2048 
2049 static void cirrus_vga_mem_write(void *opaque,
2050                                  hwaddr addr,
2051                                  uint64_t mem_value,
2052                                  uint32_t size)
2053 {
2054     CirrusVGAState *s = opaque;
2055     unsigned bank_index;
2056     unsigned bank_offset;
2057     unsigned mode;
2058 
2059     if ((s->vga.sr[0x07] & 0x01) == 0) {
2060         vga_mem_writeb(&s->vga, addr, mem_value);
2061         return;
2062     }
2063 
2064     if (addr < 0x10000) {
2065         if (s->cirrus_srcptr != s->cirrus_srcptr_end) {
2066             /* bitblt */
2067             *s->cirrus_srcptr++ = (uint8_t) mem_value;
2068             if (s->cirrus_srcptr >= s->cirrus_srcptr_end) {
2069                 cirrus_bitblt_cputovideo_next(s);
2070             }
2071         } else {
2072             /* video memory */
2073             bank_index = addr >> 15;
2074             bank_offset = addr & 0x7fff;
2075             if (bank_offset < s->cirrus_bank_limit[bank_index]) {
2076                 bank_offset += s->cirrus_bank_base[bank_index];
2077                 if ((s->vga.gr[0x0B] & 0x14) == 0x14) {
2078                     bank_offset <<= 4;
2079                 } else if (s->vga.gr[0x0B] & 0x02) {
2080                     bank_offset <<= 3;
2081                 }
2082                 bank_offset &= s->cirrus_addr_mask;
2083                 mode = s->vga.gr[0x05] & 0x7;
2084                 if (mode < 4 || mode > 5 || ((s->vga.gr[0x0B] & 0x4) == 0)) {
2085                     *(s->vga.vram_ptr + bank_offset) = mem_value;
2086                     memory_region_set_dirty(&s->vga.vram, bank_offset,
2087                                             sizeof(mem_value));
2088                 } else {
2089                     if ((s->vga.gr[0x0B] & 0x14) != 0x14) {
2090                         cirrus_mem_writeb_mode4and5_8bpp(s, mode,
2091                                                          bank_offset,
2092                                                          mem_value);
2093                     } else {
2094                         cirrus_mem_writeb_mode4and5_16bpp(s, mode,
2095                                                           bank_offset,
2096                                                           mem_value);
2097                     }
2098                 }
2099             }
2100         }
2101     } else if (addr >= 0x18000 && addr < 0x18100) {
2102         /* memory-mapped I/O */
2103         if ((s->vga.sr[0x17] & 0x44) == 0x04) {
2104             cirrus_mmio_blt_write(s, addr & 0xff, mem_value);
2105         }
2106     } else {
2107         qemu_log_mask(LOG_GUEST_ERROR,
2108                       "cirrus: mem_writeb 0x" HWADDR_FMT_plx " "
2109                       "value 0x%02" PRIx64 "\n", addr, mem_value);
2110     }
2111 }
2112 
2113 static const MemoryRegionOps cirrus_vga_mem_ops = {
2114     .read = cirrus_vga_mem_read,
2115     .write = cirrus_vga_mem_write,
2116     .endianness = DEVICE_LITTLE_ENDIAN,
2117     .impl = {
2118         .min_access_size = 1,
2119         .max_access_size = 1,
2120     },
2121 };
2122 
2123 /***************************************
2124  *
2125  *  hardware cursor
2126  *
2127  ***************************************/
2128 
2129 static inline void invalidate_cursor1(CirrusVGAState *s)
2130 {
2131     if (s->last_hw_cursor_size) {
2132         vga_invalidate_scanlines(&s->vga,
2133                                  s->last_hw_cursor_y + s->last_hw_cursor_y_start,
2134                                  s->last_hw_cursor_y + s->last_hw_cursor_y_end);
2135     }
2136 }
2137 
2138 static inline void cirrus_cursor_compute_yrange(CirrusVGAState *s)
2139 {
2140     const uint8_t *src;
2141     uint32_t content;
2142     int y, y_min, y_max;
2143 
2144     src = s->vga.vram_ptr + s->real_vram_size - 16 * KiB;
2145     if (s->vga.sr[0x12] & CIRRUS_CURSOR_LARGE) {
2146         src += (s->vga.sr[0x13] & 0x3c) * 256;
2147         y_min = 64;
2148         y_max = -1;
2149         for(y = 0; y < 64; y++) {
2150             content = ((uint32_t *)src)[0] |
2151                 ((uint32_t *)src)[1] |
2152                 ((uint32_t *)src)[2] |
2153                 ((uint32_t *)src)[3];
2154             if (content) {
2155                 if (y < y_min)
2156                     y_min = y;
2157                 if (y > y_max)
2158                     y_max = y;
2159             }
2160             src += 16;
2161         }
2162     } else {
2163         src += (s->vga.sr[0x13] & 0x3f) * 256;
2164         y_min = 32;
2165         y_max = -1;
2166         for(y = 0; y < 32; y++) {
2167             content = ((uint32_t *)src)[0] |
2168                 ((uint32_t *)(src + 128))[0];
2169             if (content) {
2170                 if (y < y_min)
2171                     y_min = y;
2172                 if (y > y_max)
2173                     y_max = y;
2174             }
2175             src += 4;
2176         }
2177     }
2178     if (y_min > y_max) {
2179         s->last_hw_cursor_y_start = 0;
2180         s->last_hw_cursor_y_end = 0;
2181     } else {
2182         s->last_hw_cursor_y_start = y_min;
2183         s->last_hw_cursor_y_end = y_max + 1;
2184     }
2185 }
2186 
2187 /* NOTE: we do not currently handle the cursor bitmap change, so we
2188    update the cursor only if it moves. */
2189 static void cirrus_cursor_invalidate(VGACommonState *s1)
2190 {
2191     CirrusVGAState *s = container_of(s1, CirrusVGAState, vga);
2192     int size;
2193 
2194     if (!(s->vga.sr[0x12] & CIRRUS_CURSOR_SHOW)) {
2195         size = 0;
2196     } else {
2197         if (s->vga.sr[0x12] & CIRRUS_CURSOR_LARGE)
2198             size = 64;
2199         else
2200             size = 32;
2201     }
2202     /* invalidate last cursor and new cursor if any change */
2203     if (s->last_hw_cursor_size != size ||
2204         s->last_hw_cursor_x != s->vga.hw_cursor_x ||
2205         s->last_hw_cursor_y != s->vga.hw_cursor_y) {
2206 
2207         invalidate_cursor1(s);
2208 
2209         s->last_hw_cursor_size = size;
2210         s->last_hw_cursor_x = s->vga.hw_cursor_x;
2211         s->last_hw_cursor_y = s->vga.hw_cursor_y;
2212         /* compute the real cursor min and max y */
2213         cirrus_cursor_compute_yrange(s);
2214         invalidate_cursor1(s);
2215     }
2216 }
2217 
2218 static void vga_draw_cursor_line(uint8_t *d1,
2219                                  const uint8_t *src1,
2220                                  int poffset, int w,
2221                                  unsigned int color0,
2222                                  unsigned int color1,
2223                                  unsigned int color_xor)
2224 {
2225     const uint8_t *plane0, *plane1;
2226     int x, b0, b1;
2227     uint8_t *d;
2228 
2229     d = d1;
2230     plane0 = src1;
2231     plane1 = src1 + poffset;
2232     for (x = 0; x < w; x++) {
2233         b0 = (plane0[x >> 3] >> (7 - (x & 7))) & 1;
2234         b1 = (plane1[x >> 3] >> (7 - (x & 7))) & 1;
2235         switch (b0 | (b1 << 1)) {
2236         case 0:
2237             break;
2238         case 1:
2239             ((uint32_t *)d)[0] ^= color_xor;
2240             break;
2241         case 2:
2242             ((uint32_t *)d)[0] = color0;
2243             break;
2244         case 3:
2245             ((uint32_t *)d)[0] = color1;
2246             break;
2247         }
2248         d += 4;
2249     }
2250 }
2251 
2252 static void cirrus_cursor_draw_line(VGACommonState *s1, uint8_t *d1, int scr_y)
2253 {
2254     CirrusVGAState *s = container_of(s1, CirrusVGAState, vga);
2255     int w, h, x1, x2, poffset;
2256     unsigned int color0, color1;
2257     const uint8_t *palette, *src;
2258     uint32_t content;
2259 
2260     if (!(s->vga.sr[0x12] & CIRRUS_CURSOR_SHOW))
2261         return;
2262     /* fast test to see if the cursor intersects with the scan line */
2263     if (s->vga.sr[0x12] & CIRRUS_CURSOR_LARGE) {
2264         h = 64;
2265     } else {
2266         h = 32;
2267     }
2268     if (scr_y < s->vga.hw_cursor_y ||
2269         scr_y >= (s->vga.hw_cursor_y + h)) {
2270         return;
2271     }
2272 
2273     src = s->vga.vram_ptr + s->real_vram_size - 16 * KiB;
2274     if (s->vga.sr[0x12] & CIRRUS_CURSOR_LARGE) {
2275         src += (s->vga.sr[0x13] & 0x3c) * 256;
2276         src += (scr_y - s->vga.hw_cursor_y) * 16;
2277         poffset = 8;
2278         content = ((uint32_t *)src)[0] |
2279             ((uint32_t *)src)[1] |
2280             ((uint32_t *)src)[2] |
2281             ((uint32_t *)src)[3];
2282     } else {
2283         src += (s->vga.sr[0x13] & 0x3f) * 256;
2284         src += (scr_y - s->vga.hw_cursor_y) * 4;
2285 
2286 
2287         poffset = 128;
2288         content = ((uint32_t *)src)[0] |
2289             ((uint32_t *)(src + 128))[0];
2290     }
2291     /* if nothing to draw, no need to continue */
2292     if (!content)
2293         return;
2294     w = h;
2295 
2296     x1 = s->vga.hw_cursor_x;
2297     if (x1 >= s->vga.last_scr_width)
2298         return;
2299     x2 = s->vga.hw_cursor_x + w;
2300     if (x2 > s->vga.last_scr_width)
2301         x2 = s->vga.last_scr_width;
2302     w = x2 - x1;
2303     palette = s->cirrus_hidden_palette;
2304     color0 = rgb_to_pixel32(c6_to_8(palette[0x0 * 3]),
2305                             c6_to_8(palette[0x0 * 3 + 1]),
2306                             c6_to_8(palette[0x0 * 3 + 2]));
2307     color1 = rgb_to_pixel32(c6_to_8(palette[0xf * 3]),
2308                             c6_to_8(palette[0xf * 3 + 1]),
2309                             c6_to_8(palette[0xf * 3 + 2]));
2310     d1 += x1 * 4;
2311     vga_draw_cursor_line(d1, src, poffset, w, color0, color1, 0xffffff);
2312 }
2313 
2314 /***************************************
2315  *
2316  *  LFB memory access
2317  *
2318  ***************************************/
2319 
2320 static uint64_t cirrus_linear_read(void *opaque, hwaddr addr,
2321                                    unsigned size)
2322 {
2323     CirrusVGAState *s = opaque;
2324     uint32_t ret;
2325 
2326     addr &= s->cirrus_addr_mask;
2327 
2328     if (((s->vga.sr[0x17] & 0x44) == 0x44) &&
2329         ((addr & s->linear_mmio_mask) == s->linear_mmio_mask)) {
2330         /* memory-mapped I/O */
2331         ret = cirrus_mmio_blt_read(s, addr & 0xff);
2332     } else if (0) {
2333         /* XXX handle bitblt */
2334         ret = 0xff;
2335     } else {
2336         /* video memory */
2337         if ((s->vga.gr[0x0B] & 0x14) == 0x14) {
2338             addr <<= 4;
2339         } else if (s->vga.gr[0x0B] & 0x02) {
2340             addr <<= 3;
2341         }
2342         addr &= s->cirrus_addr_mask;
2343         ret = *(s->vga.vram_ptr + addr);
2344     }
2345 
2346     return ret;
2347 }
2348 
2349 static void cirrus_linear_write(void *opaque, hwaddr addr,
2350                                 uint64_t val, unsigned size)
2351 {
2352     CirrusVGAState *s = opaque;
2353     unsigned mode;
2354 
2355     addr &= s->cirrus_addr_mask;
2356 
2357     if (((s->vga.sr[0x17] & 0x44) == 0x44) &&
2358         ((addr & s->linear_mmio_mask) ==  s->linear_mmio_mask)) {
2359         /* memory-mapped I/O */
2360         cirrus_mmio_blt_write(s, addr & 0xff, val);
2361     } else if (s->cirrus_srcptr != s->cirrus_srcptr_end) {
2362         /* bitblt */
2363         *s->cirrus_srcptr++ = (uint8_t) val;
2364         if (s->cirrus_srcptr >= s->cirrus_srcptr_end) {
2365             cirrus_bitblt_cputovideo_next(s);
2366         }
2367     } else {
2368         /* video memory */
2369         if ((s->vga.gr[0x0B] & 0x14) == 0x14) {
2370             addr <<= 4;
2371         } else if (s->vga.gr[0x0B] & 0x02) {
2372             addr <<= 3;
2373         }
2374         addr &= s->cirrus_addr_mask;
2375 
2376         mode = s->vga.gr[0x05] & 0x7;
2377         if (mode < 4 || mode > 5 || ((s->vga.gr[0x0B] & 0x4) == 0)) {
2378             *(s->vga.vram_ptr + addr) = (uint8_t) val;
2379             memory_region_set_dirty(&s->vga.vram, addr, 1);
2380         } else {
2381             if ((s->vga.gr[0x0B] & 0x14) != 0x14) {
2382                 cirrus_mem_writeb_mode4and5_8bpp(s, mode, addr, val);
2383             } else {
2384                 cirrus_mem_writeb_mode4and5_16bpp(s, mode, addr, val);
2385             }
2386         }
2387     }
2388 }
2389 
2390 /***************************************
2391  *
2392  *  system to screen memory access
2393  *
2394  ***************************************/
2395 
2396 
2397 static uint64_t cirrus_linear_bitblt_read(void *opaque,
2398                                           hwaddr addr,
2399                                           unsigned size)
2400 {
2401     CirrusVGAState *s = opaque;
2402 
2403     /* XXX handle bitblt */
2404     (void)s;
2405     qemu_log_mask(LOG_UNIMP,
2406                   "cirrus: linear bitblt is not implemented\n");
2407 
2408     return 0xff;
2409 }
2410 
2411 static void cirrus_linear_bitblt_write(void *opaque,
2412                                        hwaddr addr,
2413                                        uint64_t val,
2414                                        unsigned size)
2415 {
2416     CirrusVGAState *s = opaque;
2417 
2418     if (s->cirrus_srcptr != s->cirrus_srcptr_end) {
2419         /* bitblt */
2420         *s->cirrus_srcptr++ = (uint8_t) val;
2421         if (s->cirrus_srcptr >= s->cirrus_srcptr_end) {
2422             cirrus_bitblt_cputovideo_next(s);
2423         }
2424     }
2425 }
2426 
2427 static const MemoryRegionOps cirrus_linear_bitblt_io_ops = {
2428     .read = cirrus_linear_bitblt_read,
2429     .write = cirrus_linear_bitblt_write,
2430     .endianness = DEVICE_LITTLE_ENDIAN,
2431     .impl = {
2432         .min_access_size = 1,
2433         .max_access_size = 1,
2434     },
2435 };
2436 
2437 static void map_linear_vram_bank(CirrusVGAState *s, unsigned bank)
2438 {
2439     MemoryRegion *mr = &s->cirrus_bank[bank];
2440     bool enabled = !(s->cirrus_srcptr != s->cirrus_srcptr_end)
2441         && !((s->vga.sr[0x07] & 0x01) == 0)
2442         && !((s->vga.gr[0x0B] & 0x14) == 0x14)
2443         && !(s->vga.gr[0x0B] & 0x02);
2444 
2445     memory_region_set_enabled(mr, enabled);
2446     memory_region_set_alias_offset(mr, s->cirrus_bank_base[bank]);
2447 }
2448 
2449 static void map_linear_vram(CirrusVGAState *s)
2450 {
2451     if (s->bustype == CIRRUS_BUSTYPE_PCI && !s->linear_vram) {
2452         s->linear_vram = true;
2453         memory_region_add_subregion_overlap(&s->pci_bar, 0, &s->vga.vram, 1);
2454     }
2455     map_linear_vram_bank(s, 0);
2456     map_linear_vram_bank(s, 1);
2457 }
2458 
2459 static void unmap_linear_vram(CirrusVGAState *s)
2460 {
2461     if (s->bustype == CIRRUS_BUSTYPE_PCI && s->linear_vram) {
2462         s->linear_vram = false;
2463         memory_region_del_subregion(&s->pci_bar, &s->vga.vram);
2464     }
2465     memory_region_set_enabled(&s->cirrus_bank[0], false);
2466     memory_region_set_enabled(&s->cirrus_bank[1], false);
2467 }
2468 
2469 /* Compute the memory access functions */
2470 static void cirrus_update_memory_access(CirrusVGAState *s)
2471 {
2472     unsigned mode;
2473 
2474     memory_region_transaction_begin();
2475     if ((s->vga.sr[0x17] & 0x44) == 0x44) {
2476         goto generic_io;
2477     } else if (s->cirrus_srcptr != s->cirrus_srcptr_end) {
2478         goto generic_io;
2479     } else {
2480         if ((s->vga.gr[0x0B] & 0x14) == 0x14) {
2481             goto generic_io;
2482         } else if (s->vga.gr[0x0B] & 0x02) {
2483             goto generic_io;
2484         }
2485 
2486         mode = s->vga.gr[0x05] & 0x7;
2487         if (mode < 4 || mode > 5 || ((s->vga.gr[0x0B] & 0x4) == 0)) {
2488             map_linear_vram(s);
2489         } else {
2490         generic_io:
2491             unmap_linear_vram(s);
2492         }
2493     }
2494     memory_region_transaction_commit();
2495 }
2496 
2497 
2498 /* I/O ports */
2499 
2500 static uint64_t cirrus_vga_ioport_read(void *opaque, hwaddr addr,
2501                                        unsigned size)
2502 {
2503     CirrusVGAState *c = opaque;
2504     VGACommonState *s = &c->vga;
2505     int val, index;
2506 
2507     addr += 0x3b0;
2508 
2509     if (vga_ioport_invalid(s, addr)) {
2510         val = 0xff;
2511     } else {
2512         switch (addr) {
2513         case 0x3c0:
2514             if (s->ar_flip_flop == 0) {
2515                 val = s->ar_index;
2516             } else {
2517                 val = 0;
2518             }
2519             break;
2520         case 0x3c1:
2521             index = s->ar_index & 0x1f;
2522             if (index < 21)
2523                 val = s->ar[index];
2524             else
2525                 val = 0;
2526             break;
2527         case 0x3c2:
2528             val = s->st00;
2529             break;
2530         case 0x3c4:
2531             val = s->sr_index;
2532             break;
2533         case 0x3c5:
2534             val = cirrus_vga_read_sr(c);
2535             break;
2536             break;
2537         case 0x3c6:
2538             val = cirrus_read_hidden_dac(c);
2539             break;
2540         case 0x3c7:
2541             val = s->dac_state;
2542             break;
2543         case 0x3c8:
2544             val = s->dac_write_index;
2545             c->cirrus_hidden_dac_lockindex = 0;
2546             break;
2547         case 0x3c9:
2548             val = cirrus_vga_read_palette(c);
2549             break;
2550         case 0x3ca:
2551             val = s->fcr;
2552             break;
2553         case 0x3cc:
2554             val = s->msr;
2555             break;
2556         case 0x3ce:
2557             val = s->gr_index;
2558             break;
2559         case 0x3cf:
2560             val = cirrus_vga_read_gr(c, s->gr_index);
2561             break;
2562         case 0x3b4:
2563         case 0x3d4:
2564             val = s->cr_index;
2565             break;
2566         case 0x3b5:
2567         case 0x3d5:
2568             val = cirrus_vga_read_cr(c, s->cr_index);
2569             break;
2570         case 0x3ba:
2571         case 0x3da:
2572             /* just toggle to fool polling */
2573             val = s->st01 = s->retrace(s);
2574             s->ar_flip_flop = 0;
2575             break;
2576         default:
2577             val = 0x00;
2578             break;
2579         }
2580     }
2581     trace_vga_cirrus_read_io(addr, val);
2582     return val;
2583 }
2584 
2585 static void cirrus_vga_ioport_write(void *opaque, hwaddr addr, uint64_t val,
2586                                     unsigned size)
2587 {
2588     CirrusVGAState *c = opaque;
2589     VGACommonState *s = &c->vga;
2590     int index;
2591 
2592     addr += 0x3b0;
2593 
2594     /* check port range access depending on color/monochrome mode */
2595     if (vga_ioport_invalid(s, addr)) {
2596         return;
2597     }
2598     trace_vga_cirrus_write_io(addr, val);
2599 
2600     switch (addr) {
2601     case 0x3c0:
2602         if (s->ar_flip_flop == 0) {
2603             val &= 0x3f;
2604             s->ar_index = val;
2605         } else {
2606             index = s->ar_index & 0x1f;
2607             switch (index) {
2608             case 0x00 ... 0x0f:
2609                 s->ar[index] = val & 0x3f;
2610                 break;
2611             case 0x10:
2612                 s->ar[index] = val & ~0x10;
2613                 break;
2614             case 0x11:
2615                 s->ar[index] = val;
2616                 break;
2617             case 0x12:
2618                 s->ar[index] = val & ~0xc0;
2619                 break;
2620             case 0x13:
2621                 s->ar[index] = val & ~0xf0;
2622                 break;
2623             case 0x14:
2624                 s->ar[index] = val & ~0xf0;
2625                 break;
2626             default:
2627                 break;
2628             }
2629         }
2630         s->ar_flip_flop ^= 1;
2631         break;
2632     case 0x3c2:
2633         s->msr = val & ~0x10;
2634         s->update_retrace_info(s);
2635         break;
2636     case 0x3c4:
2637         s->sr_index = val;
2638         break;
2639     case 0x3c5:
2640         cirrus_vga_write_sr(c, val);
2641         break;
2642     case 0x3c6:
2643         cirrus_write_hidden_dac(c, val);
2644         break;
2645     case 0x3c7:
2646         s->dac_read_index = val;
2647         s->dac_sub_index = 0;
2648         s->dac_state = 3;
2649         break;
2650     case 0x3c8:
2651         s->dac_write_index = val;
2652         s->dac_sub_index = 0;
2653         s->dac_state = 0;
2654         break;
2655     case 0x3c9:
2656         cirrus_vga_write_palette(c, val);
2657         break;
2658     case 0x3ce:
2659         s->gr_index = val;
2660         break;
2661     case 0x3cf:
2662         cirrus_vga_write_gr(c, s->gr_index, val);
2663         break;
2664     case 0x3b4:
2665     case 0x3d4:
2666         s->cr_index = val;
2667         break;
2668     case 0x3b5:
2669     case 0x3d5:
2670         cirrus_vga_write_cr(c, val);
2671         break;
2672     case 0x3ba:
2673     case 0x3da:
2674         s->fcr = val & 0x10;
2675         break;
2676     }
2677 }
2678 
2679 /***************************************
2680  *
2681  *  memory-mapped I/O access
2682  *
2683  ***************************************/
2684 
2685 static uint64_t cirrus_mmio_read(void *opaque, hwaddr addr,
2686                                  unsigned size)
2687 {
2688     CirrusVGAState *s = opaque;
2689 
2690     if (addr >= 0x100) {
2691         return cirrus_mmio_blt_read(s, addr - 0x100);
2692     } else {
2693         return cirrus_vga_ioport_read(s, addr + 0x10, size);
2694     }
2695 }
2696 
2697 static void cirrus_mmio_write(void *opaque, hwaddr addr,
2698                               uint64_t val, unsigned size)
2699 {
2700     CirrusVGAState *s = opaque;
2701 
2702     if (addr >= 0x100) {
2703         cirrus_mmio_blt_write(s, addr - 0x100, val);
2704     } else {
2705         cirrus_vga_ioport_write(s, addr + 0x10, val, size);
2706     }
2707 }
2708 
2709 static const MemoryRegionOps cirrus_mmio_io_ops = {
2710     .read = cirrus_mmio_read,
2711     .write = cirrus_mmio_write,
2712     .endianness = DEVICE_LITTLE_ENDIAN,
2713     .impl = {
2714         .min_access_size = 1,
2715         .max_access_size = 1,
2716     },
2717 };
2718 
2719 /* load/save state */
2720 
2721 static int cirrus_post_load(void *opaque, int version_id)
2722 {
2723     CirrusVGAState *s = opaque;
2724 
2725     s->vga.gr[0x00] = s->cirrus_shadow_gr0 & 0x0f;
2726     s->vga.gr[0x01] = s->cirrus_shadow_gr1 & 0x0f;
2727 
2728     cirrus_update_bank_ptr(s, 0);
2729     cirrus_update_bank_ptr(s, 1);
2730     cirrus_update_memory_access(s);
2731     /* force refresh */
2732     s->vga.graphic_mode = -1;
2733 
2734     return 0;
2735 }
2736 
2737 const VMStateDescription vmstate_cirrus_vga = {
2738     .name = "cirrus_vga",
2739     .version_id = 2,
2740     .minimum_version_id = 1,
2741     .post_load = cirrus_post_load,
2742     .fields = (const VMStateField[]) {
2743         VMSTATE_UINT32(vga.latch, CirrusVGAState),
2744         VMSTATE_UINT8(vga.sr_index, CirrusVGAState),
2745         VMSTATE_BUFFER(vga.sr, CirrusVGAState),
2746         VMSTATE_UINT8(vga.gr_index, CirrusVGAState),
2747         VMSTATE_UINT8(cirrus_shadow_gr0, CirrusVGAState),
2748         VMSTATE_UINT8(cirrus_shadow_gr1, CirrusVGAState),
2749         VMSTATE_BUFFER_START_MIDDLE(vga.gr, CirrusVGAState, 2),
2750         VMSTATE_UINT8(vga.ar_index, CirrusVGAState),
2751         VMSTATE_BUFFER(vga.ar, CirrusVGAState),
2752         VMSTATE_INT32(vga.ar_flip_flop, CirrusVGAState),
2753         VMSTATE_UINT8(vga.cr_index, CirrusVGAState),
2754         VMSTATE_BUFFER(vga.cr, CirrusVGAState),
2755         VMSTATE_UINT8(vga.msr, CirrusVGAState),
2756         VMSTATE_UINT8(vga.fcr, CirrusVGAState),
2757         VMSTATE_UINT8(vga.st00, CirrusVGAState),
2758         VMSTATE_UINT8(vga.st01, CirrusVGAState),
2759         VMSTATE_UINT8(vga.dac_state, CirrusVGAState),
2760         VMSTATE_UINT8(vga.dac_sub_index, CirrusVGAState),
2761         VMSTATE_UINT8(vga.dac_read_index, CirrusVGAState),
2762         VMSTATE_UINT8(vga.dac_write_index, CirrusVGAState),
2763         VMSTATE_BUFFER(vga.dac_cache, CirrusVGAState),
2764         VMSTATE_BUFFER(vga.palette, CirrusVGAState),
2765         VMSTATE_INT32(vga.bank_offset, CirrusVGAState),
2766         VMSTATE_UINT8(cirrus_hidden_dac_lockindex, CirrusVGAState),
2767         VMSTATE_UINT8(cirrus_hidden_dac_data, CirrusVGAState),
2768         VMSTATE_UINT32(vga.hw_cursor_x, CirrusVGAState),
2769         VMSTATE_UINT32(vga.hw_cursor_y, CirrusVGAState),
2770         /* XXX: we do not save the bitblt state - we assume we do not save
2771            the state when the blitter is active */
2772         VMSTATE_END_OF_LIST()
2773     }
2774 };
2775 
2776 static const VMStateDescription vmstate_pci_cirrus_vga = {
2777     .name = "cirrus_vga",
2778     .version_id = 2,
2779     .minimum_version_id = 2,
2780     .fields = (const VMStateField[]) {
2781         VMSTATE_PCI_DEVICE(dev, PCICirrusVGAState),
2782         VMSTATE_STRUCT(cirrus_vga, PCICirrusVGAState, 0,
2783                        vmstate_cirrus_vga, CirrusVGAState),
2784         VMSTATE_END_OF_LIST()
2785     }
2786 };
2787 
2788 /***************************************
2789  *
2790  *  initialize
2791  *
2792  ***************************************/
2793 
2794 static void cirrus_reset(void *opaque)
2795 {
2796     CirrusVGAState *s = opaque;
2797 
2798     vga_common_reset(&s->vga);
2799     unmap_linear_vram(s);
2800     s->vga.sr[0x06] = 0x0f;
2801     if (s->device_id == CIRRUS_ID_CLGD5446) {
2802         /* 4MB 64 bit memory config, always PCI */
2803         s->vga.sr[0x1F] = 0x2d;         // MemClock
2804         s->vga.gr[0x18] = 0x0f;             // fastest memory configuration
2805         s->vga.sr[0x0f] = 0x98;
2806         s->vga.sr[0x17] = 0x20;
2807         s->vga.sr[0x15] = 0x04; /* memory size, 3=2MB, 4=4MB */
2808     } else {
2809         s->vga.sr[0x1F] = 0x22;         // MemClock
2810         s->vga.sr[0x0F] = CIRRUS_MEMSIZE_2M;
2811         s->vga.sr[0x17] = s->bustype;
2812         s->vga.sr[0x15] = 0x03; /* memory size, 3=2MB, 4=4MB */
2813     }
2814     s->vga.cr[0x27] = s->device_id;
2815 
2816     s->cirrus_hidden_dac_lockindex = 5;
2817     s->cirrus_hidden_dac_data = 0;
2818 }
2819 
2820 static const MemoryRegionOps cirrus_linear_io_ops = {
2821     .read = cirrus_linear_read,
2822     .write = cirrus_linear_write,
2823     .endianness = DEVICE_LITTLE_ENDIAN,
2824     .impl = {
2825         .min_access_size = 1,
2826         .max_access_size = 1,
2827     },
2828 };
2829 
2830 static const MemoryRegionOps cirrus_vga_io_ops = {
2831     .read = cirrus_vga_ioport_read,
2832     .write = cirrus_vga_ioport_write,
2833     .endianness = DEVICE_LITTLE_ENDIAN,
2834     .impl = {
2835         .min_access_size = 1,
2836         .max_access_size = 1,
2837     },
2838 };
2839 
2840 void cirrus_init_common(CirrusVGAState *s, Object *owner,
2841                         int device_id, int is_pci,
2842                         MemoryRegion *system_memory, MemoryRegion *system_io)
2843 {
2844     int i;
2845     static int inited;
2846 
2847     if (!inited) {
2848         inited = 1;
2849         for(i = 0;i < 256; i++)
2850             rop_to_index[i] = CIRRUS_ROP_NOP_INDEX; /* nop rop */
2851         rop_to_index[CIRRUS_ROP_0] = 0;
2852         rop_to_index[CIRRUS_ROP_SRC_AND_DST] = 1;
2853         rop_to_index[CIRRUS_ROP_NOP] = 2;
2854         rop_to_index[CIRRUS_ROP_SRC_AND_NOTDST] = 3;
2855         rop_to_index[CIRRUS_ROP_NOTDST] = 4;
2856         rop_to_index[CIRRUS_ROP_SRC] = 5;
2857         rop_to_index[CIRRUS_ROP_1] = 6;
2858         rop_to_index[CIRRUS_ROP_NOTSRC_AND_DST] = 7;
2859         rop_to_index[CIRRUS_ROP_SRC_XOR_DST] = 8;
2860         rop_to_index[CIRRUS_ROP_SRC_OR_DST] = 9;
2861         rop_to_index[CIRRUS_ROP_NOTSRC_OR_NOTDST] = 10;
2862         rop_to_index[CIRRUS_ROP_SRC_NOTXOR_DST] = 11;
2863         rop_to_index[CIRRUS_ROP_SRC_OR_NOTDST] = 12;
2864         rop_to_index[CIRRUS_ROP_NOTSRC] = 13;
2865         rop_to_index[CIRRUS_ROP_NOTSRC_OR_DST] = 14;
2866         rop_to_index[CIRRUS_ROP_NOTSRC_AND_NOTDST] = 15;
2867         s->device_id = device_id;
2868         if (is_pci)
2869             s->bustype = CIRRUS_BUSTYPE_PCI;
2870         else
2871             s->bustype = CIRRUS_BUSTYPE_ISA;
2872     }
2873 
2874     /* Register ioport 0x3b0 - 0x3df */
2875     memory_region_init_io(&s->cirrus_vga_io, owner, &cirrus_vga_io_ops, s,
2876                           "cirrus-io", 0x30);
2877     memory_region_set_flush_coalesced(&s->cirrus_vga_io);
2878     memory_region_add_subregion(system_io, 0x3b0, &s->cirrus_vga_io);
2879 
2880     memory_region_init(&s->low_mem_container, owner,
2881                        "cirrus-lowmem-container",
2882                        0x20000);
2883 
2884     memory_region_init_io(&s->low_mem, owner, &cirrus_vga_mem_ops, s,
2885                           "cirrus-low-memory", 0x20000);
2886     memory_region_add_subregion(&s->low_mem_container, 0, &s->low_mem);
2887     for (i = 0; i < 2; ++i) {
2888         static const char *names[] = { "vga.bank0", "vga.bank1" };
2889         MemoryRegion *bank = &s->cirrus_bank[i];
2890         memory_region_init_alias(bank, owner, names[i], &s->vga.vram,
2891                                  0, 0x8000);
2892         memory_region_set_enabled(bank, false);
2893         memory_region_add_subregion_overlap(&s->low_mem_container, i * 0x8000,
2894                                             bank, 1);
2895     }
2896     memory_region_add_subregion_overlap(system_memory,
2897                                         0x000a0000,
2898                                         &s->low_mem_container,
2899                                         1);
2900     memory_region_set_coalescing(&s->low_mem);
2901 
2902     /* I/O handler for LFB */
2903     memory_region_init_io(&s->cirrus_linear_io, owner, &cirrus_linear_io_ops, s,
2904                           "cirrus-linear-io", s->vga.vram_size_mb * MiB);
2905     memory_region_set_flush_coalesced(&s->cirrus_linear_io);
2906 
2907     /* I/O handler for LFB */
2908     memory_region_init_io(&s->cirrus_linear_bitblt_io, owner,
2909                           &cirrus_linear_bitblt_io_ops,
2910                           s,
2911                           "cirrus-bitblt-mmio",
2912                           0x400000);
2913     memory_region_set_flush_coalesced(&s->cirrus_linear_bitblt_io);
2914 
2915     /* I/O handler for memory-mapped I/O */
2916     memory_region_init_io(&s->cirrus_mmio_io, owner, &cirrus_mmio_io_ops, s,
2917                           "cirrus-mmio", CIRRUS_PNPMMIO_SIZE);
2918     memory_region_set_flush_coalesced(&s->cirrus_mmio_io);
2919 
2920     s->real_vram_size =
2921         (s->device_id == CIRRUS_ID_CLGD5446) ? 4 * MiB : 2 * MiB;
2922 
2923     /* XXX: s->vga.vram_size must be a power of two */
2924     s->cirrus_addr_mask = s->real_vram_size - 1;
2925     s->linear_mmio_mask = s->real_vram_size - 256;
2926 
2927     s->vga.get_bpp = cirrus_get_bpp;
2928     s->vga.get_params = cirrus_get_params;
2929     s->vga.get_resolution = cirrus_get_resolution;
2930     s->vga.cursor_invalidate = cirrus_cursor_invalidate;
2931     s->vga.cursor_draw_line = cirrus_cursor_draw_line;
2932 
2933     qemu_register_reset(cirrus_reset, s);
2934 }
2935 
2936 /***************************************
2937  *
2938  *  PCI bus support
2939  *
2940  ***************************************/
2941 
2942 static void pci_cirrus_vga_realize(PCIDevice *dev, Error **errp)
2943 {
2944     PCICirrusVGAState *d = PCI_CIRRUS_VGA(dev);
2945     CirrusVGAState *s = &d->cirrus_vga;
2946     PCIDeviceClass *pc = PCI_DEVICE_GET_CLASS(dev);
2947     int16_t device_id = pc->device_id;
2948 
2949     /*
2950      * Follow real hardware, cirrus card emulated has 4 MB video memory.
2951      * Also accept 8 MB/16 MB for backward compatibility.
2952      */
2953     if (s->vga.vram_size_mb != 4 && s->vga.vram_size_mb != 8 &&
2954         s->vga.vram_size_mb != 16) {
2955         error_setg(errp, "Invalid cirrus_vga ram size '%u'",
2956                    s->vga.vram_size_mb);
2957         return;
2958     }
2959     /* setup VGA */
2960     if (!vga_common_init(&s->vga, OBJECT(dev), errp)) {
2961         return;
2962     }
2963     cirrus_init_common(s, OBJECT(dev), device_id, 1, pci_address_space(dev),
2964                        pci_address_space_io(dev));
2965     s->vga.con = graphic_console_init(DEVICE(dev), 0, s->vga.hw_ops, &s->vga);
2966 
2967     /* setup PCI */
2968     memory_region_init(&s->pci_bar, OBJECT(dev), "cirrus-pci-bar0", 0x2000000);
2969 
2970     /* XXX: add byte swapping apertures */
2971     memory_region_add_subregion(&s->pci_bar, 0, &s->cirrus_linear_io);
2972     memory_region_add_subregion(&s->pci_bar, 0x1000000,
2973                                 &s->cirrus_linear_bitblt_io);
2974 
2975     /* setup memory space */
2976     /* memory #0 LFB */
2977     /* memory #1 memory-mapped I/O */
2978     /* XXX: s->vga.vram_size must be a power of two */
2979     pci_register_bar(&d->dev, 0, PCI_BASE_ADDRESS_MEM_PREFETCH, &s->pci_bar);
2980     if (device_id == CIRRUS_ID_CLGD5446) {
2981         pci_register_bar(&d->dev, 1, 0, &s->cirrus_mmio_io);
2982     }
2983 }
2984 
2985 static const Property pci_vga_cirrus_properties[] = {
2986     DEFINE_PROP_UINT32("vgamem_mb", struct PCICirrusVGAState,
2987                        cirrus_vga.vga.vram_size_mb, 4),
2988     DEFINE_PROP_BOOL("blitter", struct PCICirrusVGAState,
2989                      cirrus_vga.enable_blitter, true),
2990     DEFINE_PROP_BOOL("global-vmstate", struct PCICirrusVGAState,
2991                      cirrus_vga.vga.global_vmstate, false),
2992 };
2993 
2994 static void cirrus_vga_class_init(ObjectClass *klass, void *data)
2995 {
2996     DeviceClass *dc = DEVICE_CLASS(klass);
2997     PCIDeviceClass *k = PCI_DEVICE_CLASS(klass);
2998 
2999     k->realize = pci_cirrus_vga_realize;
3000     k->romfile = VGABIOS_CIRRUS_FILENAME;
3001     k->vendor_id = PCI_VENDOR_ID_CIRRUS;
3002     k->device_id = CIRRUS_ID_CLGD5446;
3003     k->class_id = PCI_CLASS_DISPLAY_VGA;
3004     set_bit(DEVICE_CATEGORY_DISPLAY, dc->categories);
3005     dc->desc = "Cirrus CLGD 54xx VGA";
3006     dc->vmsd = &vmstate_pci_cirrus_vga;
3007     device_class_set_props(dc, pci_vga_cirrus_properties);
3008     dc->hotpluggable = false;
3009 }
3010 
3011 static const TypeInfo cirrus_vga_info = {
3012     .name          = TYPE_PCI_CIRRUS_VGA,
3013     .parent        = TYPE_PCI_DEVICE,
3014     .instance_size = sizeof(PCICirrusVGAState),
3015     .class_init    = cirrus_vga_class_init,
3016     .interfaces = (InterfaceInfo[]) {
3017         { INTERFACE_CONVENTIONAL_PCI_DEVICE },
3018         { },
3019     },
3020 };
3021 
3022 static void cirrus_vga_register_types(void)
3023 {
3024     type_register_static(&cirrus_vga_info);
3025 }
3026 
3027 type_init(cirrus_vga_register_types)
3028