xref: /openbmc/qemu/target/arm/tcg/m_helper.c (revision 259ebed4)
1 /*
2  * ARM generic helpers.
3  *
4  * This code is licensed under the GNU GPL v2 or later.
5  *
6  * SPDX-License-Identifier: GPL-2.0-or-later
7  */
8 
9 #include "qemu/osdep.h"
10 #include "cpu.h"
11 #include "internals.h"
12 #include "cpu-features.h"
13 #include "gdbstub/helpers.h"
14 #include "exec/helper-proto.h"
15 #include "qemu/main-loop.h"
16 #include "qemu/bitops.h"
17 #include "qemu/log.h"
18 #include "exec/exec-all.h"
19 #ifdef CONFIG_TCG
20 #include "exec/cpu_ldst.h"
21 #include "semihosting/common-semi.h"
22 #endif
23 #if !defined(CONFIG_USER_ONLY)
24 #include "hw/intc/armv7m_nvic.h"
25 #endif
26 
27 static void v7m_msr_xpsr(CPUARMState *env, uint32_t mask,
28                          uint32_t reg, uint32_t val)
29 {
30     /* Only APSR is actually writable */
31     if (!(reg & 4)) {
32         uint32_t apsrmask = 0;
33 
34         if (mask & 8) {
35             apsrmask |= XPSR_NZCV | XPSR_Q;
36         }
37         if ((mask & 4) && arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
38             apsrmask |= XPSR_GE;
39         }
40         xpsr_write(env, val, apsrmask);
41     }
42 }
43 
44 static uint32_t v7m_mrs_xpsr(CPUARMState *env, uint32_t reg, unsigned el)
45 {
46     uint32_t mask = 0;
47 
48     if ((reg & 1) && el) {
49         mask |= XPSR_EXCP; /* IPSR (unpriv. reads as zero) */
50     }
51     if (!(reg & 4)) {
52         mask |= XPSR_NZCV | XPSR_Q; /* APSR */
53         if (arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
54             mask |= XPSR_GE;
55         }
56     }
57     /* EPSR reads as zero */
58     return xpsr_read(env) & mask;
59 }
60 
61 uint32_t arm_v7m_mrs_control(CPUARMState *env, uint32_t secure)
62 {
63     uint32_t value = env->v7m.control[secure];
64 
65     if (!secure) {
66         /* SFPA is RAZ/WI from NS; FPCA is stored in the M_REG_S bank */
67         value |= env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK;
68     }
69     return value;
70 }
71 
72 #ifdef CONFIG_USER_ONLY
73 
74 void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
75 {
76     uint32_t mask = extract32(maskreg, 8, 4);
77     uint32_t reg = extract32(maskreg, 0, 8);
78 
79     switch (reg) {
80     case 0 ... 7: /* xPSR sub-fields */
81         v7m_msr_xpsr(env, mask, reg, val);
82         break;
83     case 20: /* CONTROL */
84         /* There are no sub-fields that are actually writable from EL0. */
85         break;
86     default:
87         /* Unprivileged writes to other registers are ignored */
88         break;
89     }
90 }
91 
92 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
93 {
94     switch (reg) {
95     case 0 ... 7: /* xPSR sub-fields */
96         return v7m_mrs_xpsr(env, reg, 0);
97     case 20: /* CONTROL */
98         return arm_v7m_mrs_control(env, 0);
99     default:
100         /* Unprivileged reads others as zero.  */
101         return 0;
102     }
103 }
104 
105 void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
106 {
107     /* translate.c should never generate calls here in user-only mode */
108     g_assert_not_reached();
109 }
110 
111 void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
112 {
113     /* translate.c should never generate calls here in user-only mode */
114     g_assert_not_reached();
115 }
116 
117 void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
118 {
119     /* translate.c should never generate calls here in user-only mode */
120     g_assert_not_reached();
121 }
122 
123 void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
124 {
125     /* translate.c should never generate calls here in user-only mode */
126     g_assert_not_reached();
127 }
128 
129 void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
130 {
131     /* translate.c should never generate calls here in user-only mode */
132     g_assert_not_reached();
133 }
134 
135 uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
136 {
137     /*
138      * The TT instructions can be used by unprivileged code, but in
139      * user-only emulation we don't have the MPU.
140      * Luckily since we know we are NonSecure unprivileged (and that in
141      * turn means that the A flag wasn't specified), all the bits in the
142      * register must be zero:
143      *  IREGION: 0 because IRVALID is 0
144      *  IRVALID: 0 because NS
145      *  S: 0 because NS
146      *  NSRW: 0 because NS
147      *  NSR: 0 because NS
148      *  RW: 0 because unpriv and A flag not set
149      *  R: 0 because unpriv and A flag not set
150      *  SRVALID: 0 because NS
151      *  MRVALID: 0 because unpriv and A flag not set
152      *  SREGION: 0 because SRVALID is 0
153      *  MREGION: 0 because MRVALID is 0
154      */
155     return 0;
156 }
157 
158 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
159 {
160     return ARMMMUIdx_MUser;
161 }
162 
163 #else /* !CONFIG_USER_ONLY */
164 
165 static ARMMMUIdx arm_v7m_mmu_idx_all(CPUARMState *env,
166                                      bool secstate, bool priv, bool negpri)
167 {
168     ARMMMUIdx mmu_idx = ARM_MMU_IDX_M;
169 
170     if (priv) {
171         mmu_idx |= ARM_MMU_IDX_M_PRIV;
172     }
173 
174     if (negpri) {
175         mmu_idx |= ARM_MMU_IDX_M_NEGPRI;
176     }
177 
178     if (secstate) {
179         mmu_idx |= ARM_MMU_IDX_M_S;
180     }
181 
182     return mmu_idx;
183 }
184 
185 static ARMMMUIdx arm_v7m_mmu_idx_for_secstate_and_priv(CPUARMState *env,
186                                                        bool secstate, bool priv)
187 {
188     bool negpri = armv7m_nvic_neg_prio_requested(env->nvic, secstate);
189 
190     return arm_v7m_mmu_idx_all(env, secstate, priv, negpri);
191 }
192 
193 /* Return the MMU index for a v7M CPU in the specified security state */
194 ARMMMUIdx arm_v7m_mmu_idx_for_secstate(CPUARMState *env, bool secstate)
195 {
196     bool priv = arm_v7m_is_handler_mode(env) ||
197         !(env->v7m.control[secstate] & 1);
198 
199     return arm_v7m_mmu_idx_for_secstate_and_priv(env, secstate, priv);
200 }
201 
202 /*
203  * What kind of stack write are we doing? This affects how exceptions
204  * generated during the stacking are treated.
205  */
206 typedef enum StackingMode {
207     STACK_NORMAL,
208     STACK_IGNFAULTS,
209     STACK_LAZYFP,
210 } StackingMode;
211 
212 static bool v7m_stack_write(ARMCPU *cpu, uint32_t addr, uint32_t value,
213                             ARMMMUIdx mmu_idx, StackingMode mode)
214 {
215     CPUState *cs = CPU(cpu);
216     CPUARMState *env = &cpu->env;
217     MemTxResult txres;
218     GetPhysAddrResult res = {};
219     ARMMMUFaultInfo fi = {};
220     bool secure = mmu_idx & ARM_MMU_IDX_M_S;
221     int exc;
222     bool exc_secure;
223 
224     if (get_phys_addr(env, addr, MMU_DATA_STORE, mmu_idx, &res, &fi)) {
225         /* MPU/SAU lookup failed */
226         if (fi.type == ARMFault_QEMU_SFault) {
227             if (mode == STACK_LAZYFP) {
228                 qemu_log_mask(CPU_LOG_INT,
229                               "...SecureFault with SFSR.LSPERR "
230                               "during lazy stacking\n");
231                 env->v7m.sfsr |= R_V7M_SFSR_LSPERR_MASK;
232             } else {
233                 qemu_log_mask(CPU_LOG_INT,
234                               "...SecureFault with SFSR.AUVIOL "
235                               "during stacking\n");
236                 env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
237             }
238             env->v7m.sfsr |= R_V7M_SFSR_SFARVALID_MASK;
239             env->v7m.sfar = addr;
240             exc = ARMV7M_EXCP_SECURE;
241             exc_secure = false;
242         } else {
243             if (mode == STACK_LAZYFP) {
244                 qemu_log_mask(CPU_LOG_INT,
245                               "...MemManageFault with CFSR.MLSPERR\n");
246                 env->v7m.cfsr[secure] |= R_V7M_CFSR_MLSPERR_MASK;
247             } else {
248                 qemu_log_mask(CPU_LOG_INT,
249                               "...MemManageFault with CFSR.MSTKERR\n");
250                 env->v7m.cfsr[secure] |= R_V7M_CFSR_MSTKERR_MASK;
251             }
252             exc = ARMV7M_EXCP_MEM;
253             exc_secure = secure;
254         }
255         goto pend_fault;
256     }
257     address_space_stl_le(arm_addressspace(cs, res.f.attrs), res.f.phys_addr,
258                          value, res.f.attrs, &txres);
259     if (txres != MEMTX_OK) {
260         /* BusFault trying to write the data */
261         if (mode == STACK_LAZYFP) {
262             qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.LSPERR\n");
263             env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_LSPERR_MASK;
264         } else {
265             qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.STKERR\n");
266             env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_STKERR_MASK;
267         }
268         exc = ARMV7M_EXCP_BUS;
269         exc_secure = false;
270         goto pend_fault;
271     }
272     return true;
273 
274 pend_fault:
275     /*
276      * By pending the exception at this point we are making
277      * the IMPDEF choice "overridden exceptions pended" (see the
278      * MergeExcInfo() pseudocode). The other choice would be to not
279      * pend them now and then make a choice about which to throw away
280      * later if we have two derived exceptions.
281      * The only case when we must not pend the exception but instead
282      * throw it away is if we are doing the push of the callee registers
283      * and we've already generated a derived exception (this is indicated
284      * by the caller passing STACK_IGNFAULTS). Even in this case we will
285      * still update the fault status registers.
286      */
287     switch (mode) {
288     case STACK_NORMAL:
289         armv7m_nvic_set_pending_derived(env->nvic, exc, exc_secure);
290         break;
291     case STACK_LAZYFP:
292         armv7m_nvic_set_pending_lazyfp(env->nvic, exc, exc_secure);
293         break;
294     case STACK_IGNFAULTS:
295         break;
296     }
297     return false;
298 }
299 
300 static bool v7m_stack_read(ARMCPU *cpu, uint32_t *dest, uint32_t addr,
301                            ARMMMUIdx mmu_idx)
302 {
303     CPUState *cs = CPU(cpu);
304     CPUARMState *env = &cpu->env;
305     MemTxResult txres;
306     GetPhysAddrResult res = {};
307     ARMMMUFaultInfo fi = {};
308     bool secure = mmu_idx & ARM_MMU_IDX_M_S;
309     int exc;
310     bool exc_secure;
311     uint32_t value;
312 
313     if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi)) {
314         /* MPU/SAU lookup failed */
315         if (fi.type == ARMFault_QEMU_SFault) {
316             qemu_log_mask(CPU_LOG_INT,
317                           "...SecureFault with SFSR.AUVIOL during unstack\n");
318             env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
319             env->v7m.sfar = addr;
320             exc = ARMV7M_EXCP_SECURE;
321             exc_secure = false;
322         } else {
323             qemu_log_mask(CPU_LOG_INT,
324                           "...MemManageFault with CFSR.MUNSTKERR\n");
325             env->v7m.cfsr[secure] |= R_V7M_CFSR_MUNSTKERR_MASK;
326             exc = ARMV7M_EXCP_MEM;
327             exc_secure = secure;
328         }
329         goto pend_fault;
330     }
331 
332     value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
333                               res.f.phys_addr, res.f.attrs, &txres);
334     if (txres != MEMTX_OK) {
335         /* BusFault trying to read the data */
336         qemu_log_mask(CPU_LOG_INT, "...BusFault with BFSR.UNSTKERR\n");
337         env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_UNSTKERR_MASK;
338         exc = ARMV7M_EXCP_BUS;
339         exc_secure = false;
340         goto pend_fault;
341     }
342 
343     *dest = value;
344     return true;
345 
346 pend_fault:
347     /*
348      * By pending the exception at this point we are making
349      * the IMPDEF choice "overridden exceptions pended" (see the
350      * MergeExcInfo() pseudocode). The other choice would be to not
351      * pend them now and then make a choice about which to throw away
352      * later if we have two derived exceptions.
353      */
354     armv7m_nvic_set_pending(env->nvic, exc, exc_secure);
355     return false;
356 }
357 
358 void HELPER(v7m_preserve_fp_state)(CPUARMState *env)
359 {
360     /*
361      * Preserve FP state (because LSPACT was set and we are about
362      * to execute an FP instruction). This corresponds to the
363      * PreserveFPState() pseudocode.
364      * We may throw an exception if the stacking fails.
365      */
366     ARMCPU *cpu = env_archcpu(env);
367     bool is_secure = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
368     bool negpri = !(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_HFRDY_MASK);
369     bool is_priv = !(env->v7m.fpccr[is_secure] & R_V7M_FPCCR_USER_MASK);
370     bool splimviol = env->v7m.fpccr[is_secure] & R_V7M_FPCCR_SPLIMVIOL_MASK;
371     uint32_t fpcar = env->v7m.fpcar[is_secure];
372     bool stacked_ok = true;
373     bool ts = is_secure && (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
374     bool take_exception;
375 
376     /* Take the iothread lock as we are going to touch the NVIC */
377     qemu_mutex_lock_iothread();
378 
379     /* Check the background context had access to the FPU */
380     if (!v7m_cpacr_pass(env, is_secure, is_priv)) {
381         armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, is_secure);
382         env->v7m.cfsr[is_secure] |= R_V7M_CFSR_NOCP_MASK;
383         stacked_ok = false;
384     } else if (!is_secure && !extract32(env->v7m.nsacr, 10, 1)) {
385         armv7m_nvic_set_pending_lazyfp(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
386         env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
387         stacked_ok = false;
388     }
389 
390     if (!splimviol && stacked_ok) {
391         /* We only stack if the stack limit wasn't violated */
392         int i;
393         ARMMMUIdx mmu_idx;
394 
395         mmu_idx = arm_v7m_mmu_idx_all(env, is_secure, is_priv, negpri);
396         for (i = 0; i < (ts ? 32 : 16); i += 2) {
397             uint64_t dn = *aa32_vfp_dreg(env, i / 2);
398             uint32_t faddr = fpcar + 4 * i;
399             uint32_t slo = extract64(dn, 0, 32);
400             uint32_t shi = extract64(dn, 32, 32);
401 
402             if (i >= 16) {
403                 faddr += 8; /* skip the slot for the FPSCR/VPR */
404             }
405             stacked_ok = stacked_ok &&
406                 v7m_stack_write(cpu, faddr, slo, mmu_idx, STACK_LAZYFP) &&
407                 v7m_stack_write(cpu, faddr + 4, shi, mmu_idx, STACK_LAZYFP);
408         }
409 
410         stacked_ok = stacked_ok &&
411             v7m_stack_write(cpu, fpcar + 0x40,
412                             vfp_get_fpscr(env), mmu_idx, STACK_LAZYFP);
413         if (cpu_isar_feature(aa32_mve, cpu)) {
414             stacked_ok = stacked_ok &&
415                 v7m_stack_write(cpu, fpcar + 0x44,
416                                 env->v7m.vpr, mmu_idx, STACK_LAZYFP);
417         }
418     }
419 
420     /*
421      * We definitely pended an exception, but it's possible that it
422      * might not be able to be taken now. If its priority permits us
423      * to take it now, then we must not update the LSPACT or FP regs,
424      * but instead jump out to take the exception immediately.
425      * If it's just pending and won't be taken until the current
426      * handler exits, then we do update LSPACT and the FP regs.
427      */
428     take_exception = !stacked_ok &&
429         armv7m_nvic_can_take_pending_exception(env->nvic);
430 
431     qemu_mutex_unlock_iothread();
432 
433     if (take_exception) {
434         raise_exception_ra(env, EXCP_LAZYFP, 0, 1, GETPC());
435     }
436 
437     env->v7m.fpccr[is_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
438 
439     if (ts) {
440         /* Clear s0 to s31 and the FPSCR and VPR */
441         int i;
442 
443         for (i = 0; i < 32; i += 2) {
444             *aa32_vfp_dreg(env, i / 2) = 0;
445         }
446         vfp_set_fpscr(env, 0);
447         if (cpu_isar_feature(aa32_mve, cpu)) {
448             env->v7m.vpr = 0;
449         }
450     }
451     /*
452      * Otherwise s0 to s15, FPSCR and VPR are UNKNOWN; we choose to leave them
453      * unchanged.
454      */
455 }
456 
457 /*
458  * Write to v7M CONTROL.SPSEL bit for the specified security bank.
459  * This may change the current stack pointer between Main and Process
460  * stack pointers if it is done for the CONTROL register for the current
461  * security state.
462  */
463 static void write_v7m_control_spsel_for_secstate(CPUARMState *env,
464                                                  bool new_spsel,
465                                                  bool secstate)
466 {
467     bool old_is_psp = v7m_using_psp(env);
468 
469     env->v7m.control[secstate] =
470         deposit32(env->v7m.control[secstate],
471                   R_V7M_CONTROL_SPSEL_SHIFT,
472                   R_V7M_CONTROL_SPSEL_LENGTH, new_spsel);
473 
474     if (secstate == env->v7m.secure) {
475         bool new_is_psp = v7m_using_psp(env);
476         uint32_t tmp;
477 
478         if (old_is_psp != new_is_psp) {
479             tmp = env->v7m.other_sp;
480             env->v7m.other_sp = env->regs[13];
481             env->regs[13] = tmp;
482         }
483     }
484 }
485 
486 /*
487  * Write to v7M CONTROL.SPSEL bit. This may change the current
488  * stack pointer between Main and Process stack pointers.
489  */
490 static void write_v7m_control_spsel(CPUARMState *env, bool new_spsel)
491 {
492     write_v7m_control_spsel_for_secstate(env, new_spsel, env->v7m.secure);
493 }
494 
495 void write_v7m_exception(CPUARMState *env, uint32_t new_exc)
496 {
497     /*
498      * Write a new value to v7m.exception, thus transitioning into or out
499      * of Handler mode; this may result in a change of active stack pointer.
500      */
501     bool new_is_psp, old_is_psp = v7m_using_psp(env);
502     uint32_t tmp;
503 
504     env->v7m.exception = new_exc;
505 
506     new_is_psp = v7m_using_psp(env);
507 
508     if (old_is_psp != new_is_psp) {
509         tmp = env->v7m.other_sp;
510         env->v7m.other_sp = env->regs[13];
511         env->regs[13] = tmp;
512     }
513 }
514 
515 /* Switch M profile security state between NS and S */
516 static void switch_v7m_security_state(CPUARMState *env, bool new_secstate)
517 {
518     uint32_t new_ss_msp, new_ss_psp;
519 
520     if (env->v7m.secure == new_secstate) {
521         return;
522     }
523 
524     /*
525      * All the banked state is accessed by looking at env->v7m.secure
526      * except for the stack pointer; rearrange the SP appropriately.
527      */
528     new_ss_msp = env->v7m.other_ss_msp;
529     new_ss_psp = env->v7m.other_ss_psp;
530 
531     if (v7m_using_psp(env)) {
532         env->v7m.other_ss_psp = env->regs[13];
533         env->v7m.other_ss_msp = env->v7m.other_sp;
534     } else {
535         env->v7m.other_ss_msp = env->regs[13];
536         env->v7m.other_ss_psp = env->v7m.other_sp;
537     }
538 
539     env->v7m.secure = new_secstate;
540 
541     if (v7m_using_psp(env)) {
542         env->regs[13] = new_ss_psp;
543         env->v7m.other_sp = new_ss_msp;
544     } else {
545         env->regs[13] = new_ss_msp;
546         env->v7m.other_sp = new_ss_psp;
547     }
548 }
549 
550 void HELPER(v7m_bxns)(CPUARMState *env, uint32_t dest)
551 {
552     /*
553      * Handle v7M BXNS:
554      *  - if the return value is a magic value, do exception return (like BX)
555      *  - otherwise bit 0 of the return value is the target security state
556      */
557     uint32_t min_magic;
558 
559     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
560         /* Covers FNC_RETURN and EXC_RETURN magic */
561         min_magic = FNC_RETURN_MIN_MAGIC;
562     } else {
563         /* EXC_RETURN magic only */
564         min_magic = EXC_RETURN_MIN_MAGIC;
565     }
566 
567     if (dest >= min_magic) {
568         /*
569          * This is an exception return magic value; put it where
570          * do_v7m_exception_exit() expects and raise EXCEPTION_EXIT.
571          * Note that if we ever add gen_ss_advance() singlestep support to
572          * M profile this should count as an "instruction execution complete"
573          * event (compare gen_bx_excret_final_code()).
574          */
575         env->regs[15] = dest & ~1;
576         env->thumb = dest & 1;
577         HELPER(exception_internal)(env, EXCP_EXCEPTION_EXIT);
578         /* notreached */
579     }
580 
581     /* translate.c should have made BXNS UNDEF unless we're secure */
582     assert(env->v7m.secure);
583 
584     if (!(dest & 1)) {
585         env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
586     }
587     switch_v7m_security_state(env, dest & 1);
588     env->thumb = true;
589     env->regs[15] = dest & ~1;
590     arm_rebuild_hflags(env);
591 }
592 
593 void HELPER(v7m_blxns)(CPUARMState *env, uint32_t dest)
594 {
595     /*
596      * Handle v7M BLXNS:
597      *  - bit 0 of the destination address is the target security state
598      */
599 
600     /* At this point regs[15] is the address just after the BLXNS */
601     uint32_t nextinst = env->regs[15] | 1;
602     uint32_t sp = env->regs[13] - 8;
603     uint32_t saved_psr;
604 
605     /* translate.c will have made BLXNS UNDEF unless we're secure */
606     assert(env->v7m.secure);
607 
608     if (dest & 1) {
609         /*
610          * Target is Secure, so this is just a normal BLX,
611          * except that the low bit doesn't indicate Thumb/not.
612          */
613         env->regs[14] = nextinst;
614         env->thumb = true;
615         env->regs[15] = dest & ~1;
616         return;
617     }
618 
619     /* Target is non-secure: first push a stack frame */
620     if (!QEMU_IS_ALIGNED(sp, 8)) {
621         qemu_log_mask(LOG_GUEST_ERROR,
622                       "BLXNS with misaligned SP is UNPREDICTABLE\n");
623     }
624 
625     if (sp < v7m_sp_limit(env)) {
626         raise_exception(env, EXCP_STKOF, 0, 1);
627     }
628 
629     saved_psr = env->v7m.exception;
630     if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK) {
631         saved_psr |= XPSR_SFPA;
632     }
633 
634     /* Note that these stores can throw exceptions on MPU faults */
635     cpu_stl_data_ra(env, sp, nextinst, GETPC());
636     cpu_stl_data_ra(env, sp + 4, saved_psr, GETPC());
637 
638     env->regs[13] = sp;
639     env->regs[14] = 0xfeffffff;
640     if (arm_v7m_is_handler_mode(env)) {
641         /*
642          * Write a dummy value to IPSR, to avoid leaking the current secure
643          * exception number to non-secure code. This is guaranteed not
644          * to cause write_v7m_exception() to actually change stacks.
645          */
646         write_v7m_exception(env, 1);
647     }
648     env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
649     switch_v7m_security_state(env, 0);
650     env->thumb = true;
651     env->regs[15] = dest;
652     arm_rebuild_hflags(env);
653 }
654 
655 static bool arm_v7m_load_vector(ARMCPU *cpu, int exc, bool targets_secure,
656                                 uint32_t *pvec)
657 {
658     CPUState *cs = CPU(cpu);
659     CPUARMState *env = &cpu->env;
660     MemTxResult result;
661     uint32_t addr = env->v7m.vecbase[targets_secure] + exc * 4;
662     uint32_t vector_entry;
663     MemTxAttrs attrs = {};
664     ARMMMUIdx mmu_idx;
665     bool exc_secure;
666 
667     qemu_log_mask(CPU_LOG_INT,
668                   "...loading from element %d of %s vector table at 0x%x\n",
669                   exc, targets_secure ? "secure" : "non-secure", addr);
670 
671     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targets_secure, true);
672 
673     /*
674      * We don't do a get_phys_addr() here because the rules for vector
675      * loads are special: they always use the default memory map, and
676      * the default memory map permits reads from all addresses.
677      * Since there's no easy way to pass through to pmsav8_mpu_lookup()
678      * that we want this special case which would always say "yes",
679      * we just do the SAU lookup here followed by a direct physical load.
680      */
681     attrs.secure = targets_secure;
682     attrs.user = false;
683 
684     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
685         V8M_SAttributes sattrs = {};
686 
687         v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
688                             targets_secure, &sattrs);
689         if (sattrs.ns) {
690             attrs.secure = false;
691         } else if (!targets_secure) {
692             /*
693              * NS access to S memory: the underlying exception which we escalate
694              * to HardFault is SecureFault, which always targets Secure.
695              */
696             exc_secure = true;
697             goto load_fail;
698         }
699     }
700 
701     vector_entry = address_space_ldl(arm_addressspace(cs, attrs), addr,
702                                      attrs, &result);
703     if (result != MEMTX_OK) {
704         /*
705          * Underlying exception is BusFault: its target security state
706          * depends on BFHFNMINS.
707          */
708         exc_secure = !(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK);
709         goto load_fail;
710     }
711     *pvec = vector_entry;
712     qemu_log_mask(CPU_LOG_INT, "...loaded new PC 0x%x\n", *pvec);
713     return true;
714 
715 load_fail:
716     /*
717      * All vector table fetch fails are reported as HardFault, with
718      * HFSR.VECTTBL and .FORCED set. (FORCED is set because
719      * technically the underlying exception is a SecureFault or BusFault
720      * that is escalated to HardFault.) This is a terminal exception,
721      * so we will either take the HardFault immediately or else enter
722      * lockup (the latter case is handled in armv7m_nvic_set_pending_derived()).
723      * The HardFault is Secure if BFHFNMINS is 0 (meaning that all HFs are
724      * secure); otherwise it targets the same security state as the
725      * underlying exception.
726      * In v8.1M HardFaults from vector table fetch fails don't set FORCED.
727      */
728     if (!(cpu->env.v7m.aircr & R_V7M_AIRCR_BFHFNMINS_MASK)) {
729         exc_secure = true;
730     }
731     env->v7m.hfsr |= R_V7M_HFSR_VECTTBL_MASK;
732     if (!arm_feature(env, ARM_FEATURE_V8_1M)) {
733         env->v7m.hfsr |= R_V7M_HFSR_FORCED_MASK;
734     }
735     armv7m_nvic_set_pending_derived(env->nvic, ARMV7M_EXCP_HARD, exc_secure);
736     return false;
737 }
738 
739 static uint32_t v7m_integrity_sig(CPUARMState *env, uint32_t lr)
740 {
741     /*
742      * Return the integrity signature value for the callee-saves
743      * stack frame section. @lr is the exception return payload/LR value
744      * whose FType bit forms bit 0 of the signature if FP is present.
745      */
746     uint32_t sig = 0xfefa125a;
747 
748     if (!cpu_isar_feature(aa32_vfp_simd, env_archcpu(env))
749         || (lr & R_V7M_EXCRET_FTYPE_MASK)) {
750         sig |= 1;
751     }
752     return sig;
753 }
754 
755 static bool v7m_push_callee_stack(ARMCPU *cpu, uint32_t lr, bool dotailchain,
756                                   bool ignore_faults)
757 {
758     /*
759      * For v8M, push the callee-saves register part of the stack frame.
760      * Compare the v8M pseudocode PushCalleeStack().
761      * In the tailchaining case this may not be the current stack.
762      */
763     CPUARMState *env = &cpu->env;
764     uint32_t *frame_sp_p;
765     uint32_t frameptr;
766     ARMMMUIdx mmu_idx;
767     bool stacked_ok;
768     uint32_t limit;
769     bool want_psp;
770     uint32_t sig;
771     StackingMode smode = ignore_faults ? STACK_IGNFAULTS : STACK_NORMAL;
772 
773     if (dotailchain) {
774         bool mode = lr & R_V7M_EXCRET_MODE_MASK;
775         bool priv = !(env->v7m.control[M_REG_S] & R_V7M_CONTROL_NPRIV_MASK) ||
776             !mode;
777 
778         mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, M_REG_S, priv);
779         frame_sp_p = arm_v7m_get_sp_ptr(env, M_REG_S, mode,
780                                         lr & R_V7M_EXCRET_SPSEL_MASK);
781         want_psp = mode && (lr & R_V7M_EXCRET_SPSEL_MASK);
782         if (want_psp) {
783             limit = env->v7m.psplim[M_REG_S];
784         } else {
785             limit = env->v7m.msplim[M_REG_S];
786         }
787     } else {
788         mmu_idx = arm_mmu_idx(env);
789         frame_sp_p = &env->regs[13];
790         limit = v7m_sp_limit(env);
791     }
792 
793     frameptr = *frame_sp_p - 0x28;
794     if (frameptr < limit) {
795         /*
796          * Stack limit failure: set SP to the limit value, and generate
797          * STKOF UsageFault. Stack pushes below the limit must not be
798          * performed. It is IMPDEF whether pushes above the limit are
799          * performed; we choose not to.
800          */
801         qemu_log_mask(CPU_LOG_INT,
802                       "...STKOF during callee-saves register stacking\n");
803         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
804         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
805                                 env->v7m.secure);
806         *frame_sp_p = limit;
807         return true;
808     }
809 
810     /*
811      * Write as much of the stack frame as we can. A write failure may
812      * cause us to pend a derived exception.
813      */
814     sig = v7m_integrity_sig(env, lr);
815     stacked_ok =
816         v7m_stack_write(cpu, frameptr, sig, mmu_idx, smode) &&
817         v7m_stack_write(cpu, frameptr + 0x8, env->regs[4], mmu_idx, smode) &&
818         v7m_stack_write(cpu, frameptr + 0xc, env->regs[5], mmu_idx, smode) &&
819         v7m_stack_write(cpu, frameptr + 0x10, env->regs[6], mmu_idx, smode) &&
820         v7m_stack_write(cpu, frameptr + 0x14, env->regs[7], mmu_idx, smode) &&
821         v7m_stack_write(cpu, frameptr + 0x18, env->regs[8], mmu_idx, smode) &&
822         v7m_stack_write(cpu, frameptr + 0x1c, env->regs[9], mmu_idx, smode) &&
823         v7m_stack_write(cpu, frameptr + 0x20, env->regs[10], mmu_idx, smode) &&
824         v7m_stack_write(cpu, frameptr + 0x24, env->regs[11], mmu_idx, smode);
825 
826     /* Update SP regardless of whether any of the stack accesses failed. */
827     *frame_sp_p = frameptr;
828 
829     return !stacked_ok;
830 }
831 
832 static void v7m_exception_taken(ARMCPU *cpu, uint32_t lr, bool dotailchain,
833                                 bool ignore_stackfaults)
834 {
835     /*
836      * Do the "take the exception" parts of exception entry,
837      * but not the pushing of state to the stack. This is
838      * similar to the pseudocode ExceptionTaken() function.
839      */
840     CPUARMState *env = &cpu->env;
841     uint32_t addr;
842     bool targets_secure;
843     int exc;
844     bool push_failed = false;
845 
846     armv7m_nvic_get_pending_irq_info(env->nvic, &exc, &targets_secure);
847     qemu_log_mask(CPU_LOG_INT, "...taking pending %s exception %d\n",
848                   targets_secure ? "secure" : "nonsecure", exc);
849 
850     if (dotailchain) {
851         /* Sanitize LR FType and PREFIX bits */
852         if (!cpu_isar_feature(aa32_vfp_simd, cpu)) {
853             lr |= R_V7M_EXCRET_FTYPE_MASK;
854         }
855         lr = deposit32(lr, 24, 8, 0xff);
856     }
857 
858     if (arm_feature(env, ARM_FEATURE_V8)) {
859         if (arm_feature(env, ARM_FEATURE_M_SECURITY) &&
860             (lr & R_V7M_EXCRET_S_MASK)) {
861             /*
862              * The background code (the owner of the registers in the
863              * exception frame) is Secure. This means it may either already
864              * have or now needs to push callee-saves registers.
865              */
866             if (targets_secure) {
867                 if (dotailchain && !(lr & R_V7M_EXCRET_ES_MASK)) {
868                     /*
869                      * We took an exception from Secure to NonSecure
870                      * (which means the callee-saved registers got stacked)
871                      * and are now tailchaining to a Secure exception.
872                      * Clear DCRS so eventual return from this Secure
873                      * exception unstacks the callee-saved registers.
874                      */
875                     lr &= ~R_V7M_EXCRET_DCRS_MASK;
876                 }
877             } else {
878                 /*
879                  * We're going to a non-secure exception; push the
880                  * callee-saves registers to the stack now, if they're
881                  * not already saved.
882                  */
883                 if (lr & R_V7M_EXCRET_DCRS_MASK &&
884                     !(dotailchain && !(lr & R_V7M_EXCRET_ES_MASK))) {
885                     push_failed = v7m_push_callee_stack(cpu, lr, dotailchain,
886                                                         ignore_stackfaults);
887                 }
888                 lr |= R_V7M_EXCRET_DCRS_MASK;
889             }
890         }
891 
892         lr &= ~R_V7M_EXCRET_ES_MASK;
893         if (targets_secure) {
894             lr |= R_V7M_EXCRET_ES_MASK;
895         }
896         lr &= ~R_V7M_EXCRET_SPSEL_MASK;
897         if (env->v7m.control[targets_secure] & R_V7M_CONTROL_SPSEL_MASK) {
898             lr |= R_V7M_EXCRET_SPSEL_MASK;
899         }
900 
901         /*
902          * Clear registers if necessary to prevent non-secure exception
903          * code being able to see register values from secure code.
904          * Where register values become architecturally UNKNOWN we leave
905          * them with their previous values. v8.1M is tighter than v8.0M
906          * here and always zeroes the caller-saved registers regardless
907          * of the security state the exception is targeting.
908          */
909         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
910             if (!targets_secure || arm_feature(env, ARM_FEATURE_V8_1M)) {
911                 /*
912                  * Always clear the caller-saved registers (they have been
913                  * pushed to the stack earlier in v7m_push_stack()).
914                  * Clear callee-saved registers if the background code is
915                  * Secure (in which case these regs were saved in
916                  * v7m_push_callee_stack()).
917                  */
918                 int i;
919                 /*
920                  * r4..r11 are callee-saves, zero only if background
921                  * state was Secure (EXCRET.S == 1) and exception
922                  * targets Non-secure state
923                  */
924                 bool zero_callee_saves = !targets_secure &&
925                     (lr & R_V7M_EXCRET_S_MASK);
926 
927                 for (i = 0; i < 13; i++) {
928                     if (i < 4 || i > 11 || zero_callee_saves) {
929                         env->regs[i] = 0;
930                     }
931                 }
932                 /* Clear EAPSR */
933                 xpsr_write(env, 0, XPSR_NZCV | XPSR_Q | XPSR_GE | XPSR_IT);
934             }
935         }
936     }
937 
938     if (push_failed && !ignore_stackfaults) {
939         /*
940          * Derived exception on callee-saves register stacking:
941          * we might now want to take a different exception which
942          * targets a different security state, so try again from the top.
943          */
944         qemu_log_mask(CPU_LOG_INT,
945                       "...derived exception on callee-saves register stacking");
946         v7m_exception_taken(cpu, lr, true, true);
947         return;
948     }
949 
950     if (!arm_v7m_load_vector(cpu, exc, targets_secure, &addr)) {
951         /* Vector load failed: derived exception */
952         qemu_log_mask(CPU_LOG_INT, "...derived exception on vector table load");
953         v7m_exception_taken(cpu, lr, true, true);
954         return;
955     }
956 
957     /*
958      * Now we've done everything that might cause a derived exception
959      * we can go ahead and activate whichever exception we're going to
960      * take (which might now be the derived exception).
961      */
962     armv7m_nvic_acknowledge_irq(env->nvic);
963 
964     /* Switch to target security state -- must do this before writing SPSEL */
965     switch_v7m_security_state(env, targets_secure);
966     write_v7m_control_spsel(env, 0);
967     arm_clear_exclusive(env);
968     /* Clear SFPA and FPCA (has no effect if no FPU) */
969     env->v7m.control[M_REG_S] &=
970         ~(R_V7M_CONTROL_FPCA_MASK | R_V7M_CONTROL_SFPA_MASK);
971     /* Clear IT bits */
972     env->condexec_bits = 0;
973     env->regs[14] = lr;
974     env->regs[15] = addr & 0xfffffffe;
975     env->thumb = addr & 1;
976     arm_rebuild_hflags(env);
977 }
978 
979 static void v7m_update_fpccr(CPUARMState *env, uint32_t frameptr,
980                              bool apply_splim)
981 {
982     /*
983      * Like the pseudocode UpdateFPCCR: save state in FPCAR and FPCCR
984      * that we will need later in order to do lazy FP reg stacking.
985      */
986     bool is_secure = env->v7m.secure;
987     NVICState *nvic = env->nvic;
988     /*
989      * Some bits are unbanked and live always in fpccr[M_REG_S]; some bits
990      * are banked and we want to update the bit in the bank for the
991      * current security state; and in one case we want to specifically
992      * update the NS banked version of a bit even if we are secure.
993      */
994     uint32_t *fpccr_s = &env->v7m.fpccr[M_REG_S];
995     uint32_t *fpccr_ns = &env->v7m.fpccr[M_REG_NS];
996     uint32_t *fpccr = &env->v7m.fpccr[is_secure];
997     bool hfrdy, bfrdy, mmrdy, ns_ufrdy, s_ufrdy, sfrdy, monrdy;
998 
999     env->v7m.fpcar[is_secure] = frameptr & ~0x7;
1000 
1001     if (apply_splim && arm_feature(env, ARM_FEATURE_V8)) {
1002         bool splimviol;
1003         uint32_t splim = v7m_sp_limit(env);
1004         bool ign = armv7m_nvic_neg_prio_requested(nvic, is_secure) &&
1005             (env->v7m.ccr[is_secure] & R_V7M_CCR_STKOFHFNMIGN_MASK);
1006 
1007         splimviol = !ign && frameptr < splim;
1008         *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, SPLIMVIOL, splimviol);
1009     }
1010 
1011     *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, LSPACT, 1);
1012 
1013     *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, S, is_secure);
1014 
1015     *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, USER, arm_current_el(env) == 0);
1016 
1017     *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, THREAD,
1018                         !arm_v7m_is_handler_mode(env));
1019 
1020     hfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_HARD, false);
1021     *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, HFRDY, hfrdy);
1022 
1023     bfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_BUS, false);
1024     *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, BFRDY, bfrdy);
1025 
1026     mmrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_MEM, is_secure);
1027     *fpccr = FIELD_DP32(*fpccr, V7M_FPCCR, MMRDY, mmrdy);
1028 
1029     ns_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, false);
1030     *fpccr_ns = FIELD_DP32(*fpccr_ns, V7M_FPCCR, UFRDY, ns_ufrdy);
1031 
1032     monrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_DEBUG, false);
1033     *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, MONRDY, monrdy);
1034 
1035     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
1036         s_ufrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_USAGE, true);
1037         *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, UFRDY, s_ufrdy);
1038 
1039         sfrdy = armv7m_nvic_get_ready_status(nvic, ARMV7M_EXCP_SECURE, false);
1040         *fpccr_s = FIELD_DP32(*fpccr_s, V7M_FPCCR, SFRDY, sfrdy);
1041     }
1042 }
1043 
1044 void HELPER(v7m_vlstm)(CPUARMState *env, uint32_t fptr)
1045 {
1046     /* fptr is the value of Rn, the frame pointer we store the FP regs to */
1047     ARMCPU *cpu = env_archcpu(env);
1048     bool s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
1049     bool lspact = env->v7m.fpccr[s] & R_V7M_FPCCR_LSPACT_MASK;
1050     uintptr_t ra = GETPC();
1051 
1052     assert(env->v7m.secure);
1053 
1054     if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
1055         return;
1056     }
1057 
1058     /* Check access to the coprocessor is permitted */
1059     if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
1060         raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
1061     }
1062 
1063     if (lspact) {
1064         /* LSPACT should not be active when there is active FP state */
1065         raise_exception_ra(env, EXCP_LSERR, 0, 1, GETPC());
1066     }
1067 
1068     if (fptr & 7) {
1069         raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
1070     }
1071 
1072     /*
1073      * Note that we do not use v7m_stack_write() here, because the
1074      * accesses should not set the FSR bits for stacking errors if they
1075      * fail. (In pseudocode terms, they are AccType_NORMAL, not AccType_STACK
1076      * or AccType_LAZYFP). Faults in cpu_stl_data_ra() will throw exceptions
1077      * and longjmp out.
1078      */
1079     if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
1080         bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
1081         int i;
1082 
1083         for (i = 0; i < (ts ? 32 : 16); i += 2) {
1084             uint64_t dn = *aa32_vfp_dreg(env, i / 2);
1085             uint32_t faddr = fptr + 4 * i;
1086             uint32_t slo = extract64(dn, 0, 32);
1087             uint32_t shi = extract64(dn, 32, 32);
1088 
1089             if (i >= 16) {
1090                 faddr += 8; /* skip the slot for the FPSCR */
1091             }
1092             cpu_stl_data_ra(env, faddr, slo, ra);
1093             cpu_stl_data_ra(env, faddr + 4, shi, ra);
1094         }
1095         cpu_stl_data_ra(env, fptr + 0x40, vfp_get_fpscr(env), ra);
1096         if (cpu_isar_feature(aa32_mve, cpu)) {
1097             cpu_stl_data_ra(env, fptr + 0x44, env->v7m.vpr, ra);
1098         }
1099 
1100         /*
1101          * If TS is 0 then s0 to s15, FPSCR and VPR are UNKNOWN; we choose to
1102          * leave them unchanged, matching our choice in v7m_preserve_fp_state.
1103          */
1104         if (ts) {
1105             for (i = 0; i < 32; i += 2) {
1106                 *aa32_vfp_dreg(env, i / 2) = 0;
1107             }
1108             vfp_set_fpscr(env, 0);
1109             if (cpu_isar_feature(aa32_mve, cpu)) {
1110                 env->v7m.vpr = 0;
1111             }
1112         }
1113     } else {
1114         v7m_update_fpccr(env, fptr, false);
1115     }
1116 
1117     env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
1118 }
1119 
1120 void HELPER(v7m_vlldm)(CPUARMState *env, uint32_t fptr)
1121 {
1122     ARMCPU *cpu = env_archcpu(env);
1123     uintptr_t ra = GETPC();
1124 
1125     /* fptr is the value of Rn, the frame pointer we load the FP regs from */
1126     assert(env->v7m.secure);
1127 
1128     if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
1129         return;
1130     }
1131 
1132     /* Check access to the coprocessor is permitted */
1133     if (!v7m_cpacr_pass(env, true, arm_current_el(env) != 0)) {
1134         raise_exception_ra(env, EXCP_NOCP, 0, 1, GETPC());
1135     }
1136 
1137     if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
1138         /* State in FP is still valid */
1139         env->v7m.fpccr[M_REG_S] &= ~R_V7M_FPCCR_LSPACT_MASK;
1140     } else {
1141         bool ts = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK;
1142         int i;
1143         uint32_t fpscr;
1144 
1145         if (fptr & 7) {
1146             raise_exception_ra(env, EXCP_UNALIGNED, 0, 1, GETPC());
1147         }
1148 
1149         for (i = 0; i < (ts ? 32 : 16); i += 2) {
1150             uint32_t slo, shi;
1151             uint64_t dn;
1152             uint32_t faddr = fptr + 4 * i;
1153 
1154             if (i >= 16) {
1155                 faddr += 8; /* skip the slot for the FPSCR and VPR */
1156             }
1157 
1158             slo = cpu_ldl_data_ra(env, faddr, ra);
1159             shi = cpu_ldl_data_ra(env, faddr + 4, ra);
1160 
1161             dn = (uint64_t) shi << 32 | slo;
1162             *aa32_vfp_dreg(env, i / 2) = dn;
1163         }
1164         fpscr = cpu_ldl_data_ra(env, fptr + 0x40, ra);
1165         vfp_set_fpscr(env, fpscr);
1166         if (cpu_isar_feature(aa32_mve, cpu)) {
1167             env->v7m.vpr = cpu_ldl_data_ra(env, fptr + 0x44, ra);
1168         }
1169     }
1170 
1171     env->v7m.control[M_REG_S] |= R_V7M_CONTROL_FPCA_MASK;
1172 }
1173 
1174 static bool v7m_push_stack(ARMCPU *cpu)
1175 {
1176     /*
1177      * Do the "set up stack frame" part of exception entry,
1178      * similar to pseudocode PushStack().
1179      * Return true if we generate a derived exception (and so
1180      * should ignore further stack faults trying to process
1181      * that derived exception.)
1182      */
1183     bool stacked_ok = true, limitviol = false;
1184     CPUARMState *env = &cpu->env;
1185     uint32_t xpsr = xpsr_read(env);
1186     uint32_t frameptr = env->regs[13];
1187     ARMMMUIdx mmu_idx = arm_mmu_idx(env);
1188     uint32_t framesize;
1189     bool nsacr_cp10 = extract32(env->v7m.nsacr, 10, 1);
1190 
1191     if ((env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) &&
1192         (env->v7m.secure || nsacr_cp10)) {
1193         if (env->v7m.secure &&
1194             env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK) {
1195             framesize = 0xa8;
1196         } else {
1197             framesize = 0x68;
1198         }
1199     } else {
1200         framesize = 0x20;
1201     }
1202 
1203     /* Align stack pointer if the guest wants that */
1204     if ((frameptr & 4) &&
1205         (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_STKALIGN_MASK)) {
1206         frameptr -= 4;
1207         xpsr |= XPSR_SPREALIGN;
1208     }
1209 
1210     xpsr &= ~XPSR_SFPA;
1211     if (env->v7m.secure &&
1212         (env->v7m.control[M_REG_S] & R_V7M_CONTROL_SFPA_MASK)) {
1213         xpsr |= XPSR_SFPA;
1214     }
1215 
1216     frameptr -= framesize;
1217 
1218     if (arm_feature(env, ARM_FEATURE_V8)) {
1219         uint32_t limit = v7m_sp_limit(env);
1220 
1221         if (frameptr < limit) {
1222             /*
1223              * Stack limit failure: set SP to the limit value, and generate
1224              * STKOF UsageFault. Stack pushes below the limit must not be
1225              * performed. It is IMPDEF whether pushes above the limit are
1226              * performed; we choose not to.
1227              */
1228             qemu_log_mask(CPU_LOG_INT,
1229                           "...STKOF during stacking\n");
1230             env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
1231             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1232                                     env->v7m.secure);
1233             env->regs[13] = limit;
1234             /*
1235              * We won't try to perform any further memory accesses but
1236              * we must continue through the following code to check for
1237              * permission faults during FPU state preservation, and we
1238              * must update FPCCR if lazy stacking is enabled.
1239              */
1240             limitviol = true;
1241             stacked_ok = false;
1242         }
1243     }
1244 
1245     /*
1246      * Write as much of the stack frame as we can. If we fail a stack
1247      * write this will result in a derived exception being pended
1248      * (which may be taken in preference to the one we started with
1249      * if it has higher priority).
1250      */
1251     stacked_ok = stacked_ok &&
1252         v7m_stack_write(cpu, frameptr, env->regs[0], mmu_idx, STACK_NORMAL) &&
1253         v7m_stack_write(cpu, frameptr + 4, env->regs[1],
1254                         mmu_idx, STACK_NORMAL) &&
1255         v7m_stack_write(cpu, frameptr + 8, env->regs[2],
1256                         mmu_idx, STACK_NORMAL) &&
1257         v7m_stack_write(cpu, frameptr + 12, env->regs[3],
1258                         mmu_idx, STACK_NORMAL) &&
1259         v7m_stack_write(cpu, frameptr + 16, env->regs[12],
1260                         mmu_idx, STACK_NORMAL) &&
1261         v7m_stack_write(cpu, frameptr + 20, env->regs[14],
1262                         mmu_idx, STACK_NORMAL) &&
1263         v7m_stack_write(cpu, frameptr + 24, env->regs[15],
1264                         mmu_idx, STACK_NORMAL) &&
1265         v7m_stack_write(cpu, frameptr + 28, xpsr, mmu_idx, STACK_NORMAL);
1266 
1267     if (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK) {
1268         /* FPU is active, try to save its registers */
1269         bool fpccr_s = env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_S_MASK;
1270         bool lspact = env->v7m.fpccr[fpccr_s] & R_V7M_FPCCR_LSPACT_MASK;
1271 
1272         if (lspact && arm_feature(env, ARM_FEATURE_M_SECURITY)) {
1273             qemu_log_mask(CPU_LOG_INT,
1274                           "...SecureFault because LSPACT and FPCA both set\n");
1275             env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
1276             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
1277         } else if (!env->v7m.secure && !nsacr_cp10) {
1278             qemu_log_mask(CPU_LOG_INT,
1279                           "...Secure UsageFault with CFSR.NOCP because "
1280                           "NSACR.CP10 prevents stacking FP regs\n");
1281             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, M_REG_S);
1282             env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
1283         } else {
1284             if (!(env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPEN_MASK)) {
1285                 /* Lazy stacking disabled, save registers now */
1286                 int i;
1287                 bool cpacr_pass = v7m_cpacr_pass(env, env->v7m.secure,
1288                                                  arm_current_el(env) != 0);
1289 
1290                 if (stacked_ok && !cpacr_pass) {
1291                     /*
1292                      * Take UsageFault if CPACR forbids access. The pseudocode
1293                      * here does a full CheckCPEnabled() but we know the NSACR
1294                      * check can never fail as we have already handled that.
1295                      */
1296                     qemu_log_mask(CPU_LOG_INT,
1297                                   "...UsageFault with CFSR.NOCP because "
1298                                   "CPACR.CP10 prevents stacking FP regs\n");
1299                     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1300                                             env->v7m.secure);
1301                     env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_NOCP_MASK;
1302                     stacked_ok = false;
1303                 }
1304 
1305                 for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
1306                     uint64_t dn = *aa32_vfp_dreg(env, i / 2);
1307                     uint32_t faddr = frameptr + 0x20 + 4 * i;
1308                     uint32_t slo = extract64(dn, 0, 32);
1309                     uint32_t shi = extract64(dn, 32, 32);
1310 
1311                     if (i >= 16) {
1312                         faddr += 8; /* skip the slot for the FPSCR and VPR */
1313                     }
1314                     stacked_ok = stacked_ok &&
1315                         v7m_stack_write(cpu, faddr, slo,
1316                                         mmu_idx, STACK_NORMAL) &&
1317                         v7m_stack_write(cpu, faddr + 4, shi,
1318                                         mmu_idx, STACK_NORMAL);
1319                 }
1320                 stacked_ok = stacked_ok &&
1321                     v7m_stack_write(cpu, frameptr + 0x60,
1322                                     vfp_get_fpscr(env), mmu_idx, STACK_NORMAL);
1323                 if (cpu_isar_feature(aa32_mve, cpu)) {
1324                     stacked_ok = stacked_ok &&
1325                         v7m_stack_write(cpu, frameptr + 0x64,
1326                                         env->v7m.vpr, mmu_idx, STACK_NORMAL);
1327                 }
1328                 if (cpacr_pass) {
1329                     for (i = 0; i < ((framesize == 0xa8) ? 32 : 16); i += 2) {
1330                         *aa32_vfp_dreg(env, i / 2) = 0;
1331                     }
1332                     vfp_set_fpscr(env, 0);
1333                     if (cpu_isar_feature(aa32_mve, cpu)) {
1334                         env->v7m.vpr = 0;
1335                     }
1336                 }
1337             } else {
1338                 /* Lazy stacking enabled, save necessary info to stack later */
1339                 v7m_update_fpccr(env, frameptr + 0x20, true);
1340             }
1341         }
1342     }
1343 
1344     /*
1345      * If we broke a stack limit then SP was already updated earlier;
1346      * otherwise we update SP regardless of whether any of the stack
1347      * accesses failed or we took some other kind of fault.
1348      */
1349     if (!limitviol) {
1350         env->regs[13] = frameptr;
1351     }
1352 
1353     return !stacked_ok;
1354 }
1355 
1356 static void do_v7m_exception_exit(ARMCPU *cpu)
1357 {
1358     CPUARMState *env = &cpu->env;
1359     uint32_t excret;
1360     uint32_t xpsr, xpsr_mask;
1361     bool ufault = false;
1362     bool sfault = false;
1363     bool return_to_sp_process;
1364     bool return_to_handler;
1365     bool rettobase = false;
1366     bool exc_secure = false;
1367     bool return_to_secure;
1368     bool ftype;
1369     bool restore_s16_s31 = false;
1370 
1371     /*
1372      * If we're not in Handler mode then jumps to magic exception-exit
1373      * addresses don't have magic behaviour. However for the v8M
1374      * security extensions the magic secure-function-return has to
1375      * work in thread mode too, so to avoid doing an extra check in
1376      * the generated code we allow exception-exit magic to also cause the
1377      * internal exception and bring us here in thread mode. Correct code
1378      * will never try to do this (the following insn fetch will always
1379      * fault) so we the overhead of having taken an unnecessary exception
1380      * doesn't matter.
1381      */
1382     if (!arm_v7m_is_handler_mode(env)) {
1383         return;
1384     }
1385 
1386     /*
1387      * In the spec pseudocode ExceptionReturn() is called directly
1388      * from BXWritePC() and gets the full target PC value including
1389      * bit zero. In QEMU's implementation we treat it as a normal
1390      * jump-to-register (which is then caught later on), and so split
1391      * the target value up between env->regs[15] and env->thumb in
1392      * gen_bx(). Reconstitute it.
1393      */
1394     excret = env->regs[15];
1395     if (env->thumb) {
1396         excret |= 1;
1397     }
1398 
1399     qemu_log_mask(CPU_LOG_INT, "Exception return: magic PC %" PRIx32
1400                   " previous exception %d\n",
1401                   excret, env->v7m.exception);
1402 
1403     if ((excret & R_V7M_EXCRET_RES1_MASK) != R_V7M_EXCRET_RES1_MASK) {
1404         qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero high bits in exception "
1405                       "exit PC value 0x%" PRIx32 " are UNPREDICTABLE\n",
1406                       excret);
1407     }
1408 
1409     ftype = excret & R_V7M_EXCRET_FTYPE_MASK;
1410 
1411     if (!ftype && !cpu_isar_feature(aa32_vfp_simd, cpu)) {
1412         qemu_log_mask(LOG_GUEST_ERROR, "M profile: zero FTYPE in exception "
1413                       "exit PC value 0x%" PRIx32 " is UNPREDICTABLE "
1414                       "if FPU not present\n",
1415                       excret);
1416         ftype = true;
1417     }
1418 
1419     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
1420         /*
1421          * EXC_RETURN.ES validation check (R_SMFL). We must do this before
1422          * we pick which FAULTMASK to clear.
1423          */
1424         if (!env->v7m.secure &&
1425             ((excret & R_V7M_EXCRET_ES_MASK) ||
1426              !(excret & R_V7M_EXCRET_DCRS_MASK))) {
1427             sfault = 1;
1428             /* For all other purposes, treat ES as 0 (R_HXSR) */
1429             excret &= ~R_V7M_EXCRET_ES_MASK;
1430         }
1431         exc_secure = excret & R_V7M_EXCRET_ES_MASK;
1432     }
1433 
1434     if (env->v7m.exception != ARMV7M_EXCP_NMI) {
1435         /*
1436          * Auto-clear FAULTMASK on return from other than NMI.
1437          * If the security extension is implemented then this only
1438          * happens if the raw execution priority is >= 0; the
1439          * value of the ES bit in the exception return value indicates
1440          * which security state's faultmask to clear. (v8M ARM ARM R_KBNF.)
1441          */
1442         if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
1443             if (armv7m_nvic_raw_execution_priority(env->nvic) >= 0) {
1444                 env->v7m.faultmask[exc_secure] = 0;
1445             }
1446         } else {
1447             env->v7m.faultmask[M_REG_NS] = 0;
1448         }
1449     }
1450 
1451     switch (armv7m_nvic_complete_irq(env->nvic, env->v7m.exception,
1452                                      exc_secure)) {
1453     case -1:
1454         /* attempt to exit an exception that isn't active */
1455         ufault = true;
1456         break;
1457     case 0:
1458         /* still an irq active now */
1459         break;
1460     case 1:
1461         /*
1462          * We returned to base exception level, no nesting.
1463          * (In the pseudocode this is written using "NestedActivation != 1"
1464          * where we have 'rettobase == false'.)
1465          */
1466         rettobase = true;
1467         break;
1468     default:
1469         g_assert_not_reached();
1470     }
1471 
1472     return_to_handler = !(excret & R_V7M_EXCRET_MODE_MASK);
1473     return_to_sp_process = excret & R_V7M_EXCRET_SPSEL_MASK;
1474     return_to_secure = arm_feature(env, ARM_FEATURE_M_SECURITY) &&
1475         (excret & R_V7M_EXCRET_S_MASK);
1476 
1477     if (arm_feature(env, ARM_FEATURE_V8)) {
1478         if (!arm_feature(env, ARM_FEATURE_M_SECURITY)) {
1479             /*
1480              * UNPREDICTABLE if S == 1 or DCRS == 0 or ES == 1 (R_XLCP);
1481              * we choose to take the UsageFault.
1482              */
1483             if ((excret & R_V7M_EXCRET_S_MASK) ||
1484                 (excret & R_V7M_EXCRET_ES_MASK) ||
1485                 !(excret & R_V7M_EXCRET_DCRS_MASK)) {
1486                 ufault = true;
1487             }
1488         }
1489         if (excret & R_V7M_EXCRET_RES0_MASK) {
1490             ufault = true;
1491         }
1492     } else {
1493         /* For v7M we only recognize certain combinations of the low bits */
1494         switch (excret & 0xf) {
1495         case 1: /* Return to Handler */
1496             break;
1497         case 13: /* Return to Thread using Process stack */
1498         case 9: /* Return to Thread using Main stack */
1499             /*
1500              * We only need to check NONBASETHRDENA for v7M, because in
1501              * v8M this bit does not exist (it is RES1).
1502              */
1503             if (!rettobase &&
1504                 !(env->v7m.ccr[env->v7m.secure] &
1505                   R_V7M_CCR_NONBASETHRDENA_MASK)) {
1506                 ufault = true;
1507             }
1508             break;
1509         default:
1510             ufault = true;
1511         }
1512     }
1513 
1514     /*
1515      * Set CONTROL.SPSEL from excret.SPSEL. Since we're still in
1516      * Handler mode (and will be until we write the new XPSR.Interrupt
1517      * field) this does not switch around the current stack pointer.
1518      * We must do this before we do any kind of tailchaining, including
1519      * for the derived exceptions on integrity check failures, or we will
1520      * give the guest an incorrect EXCRET.SPSEL value on exception entry.
1521      */
1522     write_v7m_control_spsel_for_secstate(env, return_to_sp_process, exc_secure);
1523 
1524     /*
1525      * Clear scratch FP values left in caller saved registers; this
1526      * must happen before any kind of tail chaining.
1527      */
1528     if ((env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_CLRONRET_MASK) &&
1529         (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
1530         if (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK) {
1531             env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
1532             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
1533             qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
1534                           "stackframe: error during lazy state deactivation\n");
1535             v7m_exception_taken(cpu, excret, true, false);
1536             return;
1537         } else {
1538             if (arm_feature(env, ARM_FEATURE_V8_1M)) {
1539                 /* v8.1M adds this NOCP check */
1540                 bool nsacr_pass = exc_secure ||
1541                     extract32(env->v7m.nsacr, 10, 1);
1542                 bool cpacr_pass = v7m_cpacr_pass(env, exc_secure, true);
1543                 if (!nsacr_pass) {
1544                     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
1545                     env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_NOCP_MASK;
1546                     qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
1547                         "stackframe: NSACR prevents clearing FPU registers\n");
1548                     v7m_exception_taken(cpu, excret, true, false);
1549                     return;
1550                 } else if (!cpacr_pass) {
1551                     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1552                                             exc_secure);
1553                     env->v7m.cfsr[exc_secure] |= R_V7M_CFSR_NOCP_MASK;
1554                     qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
1555                         "stackframe: CPACR prevents clearing FPU registers\n");
1556                     v7m_exception_taken(cpu, excret, true, false);
1557                     return;
1558                 }
1559             }
1560             /* Clear s0..s15, FPSCR and VPR */
1561             int i;
1562 
1563             for (i = 0; i < 16; i += 2) {
1564                 *aa32_vfp_dreg(env, i / 2) = 0;
1565             }
1566             vfp_set_fpscr(env, 0);
1567             if (cpu_isar_feature(aa32_mve, cpu)) {
1568                 env->v7m.vpr = 0;
1569             }
1570         }
1571     }
1572 
1573     if (sfault) {
1574         env->v7m.sfsr |= R_V7M_SFSR_INVER_MASK;
1575         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
1576         qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
1577                       "stackframe: failed EXC_RETURN.ES validity check\n");
1578         v7m_exception_taken(cpu, excret, true, false);
1579         return;
1580     }
1581 
1582     if (ufault) {
1583         /*
1584          * Bad exception return: instead of popping the exception
1585          * stack, directly take a usage fault on the current stack.
1586          */
1587         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
1588         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
1589         qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
1590                       "stackframe: failed exception return integrity check\n");
1591         v7m_exception_taken(cpu, excret, true, false);
1592         return;
1593     }
1594 
1595     /*
1596      * Tailchaining: if there is currently a pending exception that
1597      * is high enough priority to preempt execution at the level we're
1598      * about to return to, then just directly take that exception now,
1599      * avoiding an unstack-and-then-stack. Note that now we have
1600      * deactivated the previous exception by calling armv7m_nvic_complete_irq()
1601      * our current execution priority is already the execution priority we are
1602      * returning to -- none of the state we would unstack or set based on
1603      * the EXCRET value affects it.
1604      */
1605     if (armv7m_nvic_can_take_pending_exception(env->nvic)) {
1606         qemu_log_mask(CPU_LOG_INT, "...tailchaining to pending exception\n");
1607         v7m_exception_taken(cpu, excret, true, false);
1608         return;
1609     }
1610 
1611     switch_v7m_security_state(env, return_to_secure);
1612 
1613     {
1614         /*
1615          * The stack pointer we should be reading the exception frame from
1616          * depends on bits in the magic exception return type value (and
1617          * for v8M isn't necessarily the stack pointer we will eventually
1618          * end up resuming execution with). Get a pointer to the location
1619          * in the CPU state struct where the SP we need is currently being
1620          * stored; we will use and modify it in place.
1621          * We use this limited C variable scope so we don't accidentally
1622          * use 'frame_sp_p' after we do something that makes it invalid.
1623          */
1624         bool spsel = env->v7m.control[return_to_secure] & R_V7M_CONTROL_SPSEL_MASK;
1625         uint32_t *frame_sp_p = arm_v7m_get_sp_ptr(env, return_to_secure,
1626                                                   !return_to_handler, spsel);
1627         uint32_t frameptr = *frame_sp_p;
1628         bool pop_ok = true;
1629         ARMMMUIdx mmu_idx;
1630         bool return_to_priv = return_to_handler ||
1631             !(env->v7m.control[return_to_secure] & R_V7M_CONTROL_NPRIV_MASK);
1632 
1633         mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, return_to_secure,
1634                                                         return_to_priv);
1635 
1636         if (!QEMU_IS_ALIGNED(frameptr, 8) &&
1637             arm_feature(env, ARM_FEATURE_V8)) {
1638             qemu_log_mask(LOG_GUEST_ERROR,
1639                           "M profile exception return with non-8-aligned SP "
1640                           "for destination state is UNPREDICTABLE\n");
1641         }
1642 
1643         /* Do we need to pop callee-saved registers? */
1644         if (return_to_secure &&
1645             ((excret & R_V7M_EXCRET_ES_MASK) == 0 ||
1646              (excret & R_V7M_EXCRET_DCRS_MASK) == 0)) {
1647             uint32_t actual_sig;
1648 
1649             pop_ok = v7m_stack_read(cpu, &actual_sig, frameptr, mmu_idx);
1650 
1651             if (pop_ok && v7m_integrity_sig(env, excret) != actual_sig) {
1652                 /* Take a SecureFault on the current stack */
1653                 env->v7m.sfsr |= R_V7M_SFSR_INVIS_MASK;
1654                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
1655                 qemu_log_mask(CPU_LOG_INT, "...taking SecureFault on existing "
1656                               "stackframe: failed exception return integrity "
1657                               "signature check\n");
1658                 v7m_exception_taken(cpu, excret, true, false);
1659                 return;
1660             }
1661 
1662             pop_ok = pop_ok &&
1663                 v7m_stack_read(cpu, &env->regs[4], frameptr + 0x8, mmu_idx) &&
1664                 v7m_stack_read(cpu, &env->regs[5], frameptr + 0xc, mmu_idx) &&
1665                 v7m_stack_read(cpu, &env->regs[6], frameptr + 0x10, mmu_idx) &&
1666                 v7m_stack_read(cpu, &env->regs[7], frameptr + 0x14, mmu_idx) &&
1667                 v7m_stack_read(cpu, &env->regs[8], frameptr + 0x18, mmu_idx) &&
1668                 v7m_stack_read(cpu, &env->regs[9], frameptr + 0x1c, mmu_idx) &&
1669                 v7m_stack_read(cpu, &env->regs[10], frameptr + 0x20, mmu_idx) &&
1670                 v7m_stack_read(cpu, &env->regs[11], frameptr + 0x24, mmu_idx);
1671 
1672             frameptr += 0x28;
1673         }
1674 
1675         /* Pop registers */
1676         pop_ok = pop_ok &&
1677             v7m_stack_read(cpu, &env->regs[0], frameptr, mmu_idx) &&
1678             v7m_stack_read(cpu, &env->regs[1], frameptr + 0x4, mmu_idx) &&
1679             v7m_stack_read(cpu, &env->regs[2], frameptr + 0x8, mmu_idx) &&
1680             v7m_stack_read(cpu, &env->regs[3], frameptr + 0xc, mmu_idx) &&
1681             v7m_stack_read(cpu, &env->regs[12], frameptr + 0x10, mmu_idx) &&
1682             v7m_stack_read(cpu, &env->regs[14], frameptr + 0x14, mmu_idx) &&
1683             v7m_stack_read(cpu, &env->regs[15], frameptr + 0x18, mmu_idx) &&
1684             v7m_stack_read(cpu, &xpsr, frameptr + 0x1c, mmu_idx);
1685 
1686         if (!pop_ok) {
1687             /*
1688              * v7m_stack_read() pended a fault, so take it (as a tail
1689              * chained exception on the same stack frame)
1690              */
1691             qemu_log_mask(CPU_LOG_INT, "...derived exception on unstacking\n");
1692             v7m_exception_taken(cpu, excret, true, false);
1693             return;
1694         }
1695 
1696         /*
1697          * Returning from an exception with a PC with bit 0 set is defined
1698          * behaviour on v8M (bit 0 is ignored), but for v7M it was specified
1699          * to be UNPREDICTABLE. In practice actual v7M hardware seems to ignore
1700          * the lsbit, and there are several RTOSes out there which incorrectly
1701          * assume the r15 in the stack frame should be a Thumb-style "lsbit
1702          * indicates ARM/Thumb" value, so ignore the bit on v7M as well, but
1703          * complain about the badly behaved guest.
1704          */
1705         if (env->regs[15] & 1) {
1706             env->regs[15] &= ~1U;
1707             if (!arm_feature(env, ARM_FEATURE_V8)) {
1708                 qemu_log_mask(LOG_GUEST_ERROR,
1709                               "M profile return from interrupt with misaligned "
1710                               "PC is UNPREDICTABLE on v7M\n");
1711             }
1712         }
1713 
1714         if (arm_feature(env, ARM_FEATURE_V8)) {
1715             /*
1716              * For v8M we have to check whether the xPSR exception field
1717              * matches the EXCRET value for return to handler/thread
1718              * before we commit to changing the SP and xPSR.
1719              */
1720             bool will_be_handler = (xpsr & XPSR_EXCP) != 0;
1721             if (return_to_handler != will_be_handler) {
1722                 /*
1723                  * Take an INVPC UsageFault on the current stack.
1724                  * By this point we will have switched to the security state
1725                  * for the background state, so this UsageFault will target
1726                  * that state.
1727                  */
1728                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1729                                         env->v7m.secure);
1730                 env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
1731                 qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on existing "
1732                               "stackframe: failed exception return integrity "
1733                               "check\n");
1734                 v7m_exception_taken(cpu, excret, true, false);
1735                 return;
1736             }
1737         }
1738 
1739         if (!ftype) {
1740             /* FP present and we need to handle it */
1741             if (!return_to_secure &&
1742                 (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_LSPACT_MASK)) {
1743                 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
1744                 env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
1745                 qemu_log_mask(CPU_LOG_INT,
1746                               "...taking SecureFault on existing stackframe: "
1747                               "Secure LSPACT set but exception return is "
1748                               "not to secure state\n");
1749                 v7m_exception_taken(cpu, excret, true, false);
1750                 return;
1751             }
1752 
1753             restore_s16_s31 = return_to_secure &&
1754                 (env->v7m.fpccr[M_REG_S] & R_V7M_FPCCR_TS_MASK);
1755 
1756             if (env->v7m.fpccr[return_to_secure] & R_V7M_FPCCR_LSPACT_MASK) {
1757                 /* State in FPU is still valid, just clear LSPACT */
1758                 env->v7m.fpccr[return_to_secure] &= ~R_V7M_FPCCR_LSPACT_MASK;
1759             } else {
1760                 int i;
1761                 uint32_t fpscr;
1762                 bool cpacr_pass, nsacr_pass;
1763 
1764                 cpacr_pass = v7m_cpacr_pass(env, return_to_secure,
1765                                             return_to_priv);
1766                 nsacr_pass = return_to_secure ||
1767                     extract32(env->v7m.nsacr, 10, 1);
1768 
1769                 if (!cpacr_pass) {
1770                     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1771                                             return_to_secure);
1772                     env->v7m.cfsr[return_to_secure] |= R_V7M_CFSR_NOCP_MASK;
1773                     qemu_log_mask(CPU_LOG_INT,
1774                                   "...taking UsageFault on existing "
1775                                   "stackframe: CPACR.CP10 prevents unstacking "
1776                                   "FP regs\n");
1777                     v7m_exception_taken(cpu, excret, true, false);
1778                     return;
1779                 } else if (!nsacr_pass) {
1780                     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, true);
1781                     env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_INVPC_MASK;
1782                     qemu_log_mask(CPU_LOG_INT,
1783                                   "...taking Secure UsageFault on existing "
1784                                   "stackframe: NSACR.CP10 prevents unstacking "
1785                                   "FP regs\n");
1786                     v7m_exception_taken(cpu, excret, true, false);
1787                     return;
1788                 }
1789 
1790                 for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
1791                     uint32_t slo, shi;
1792                     uint64_t dn;
1793                     uint32_t faddr = frameptr + 0x20 + 4 * i;
1794 
1795                     if (i >= 16) {
1796                         faddr += 8; /* Skip the slot for the FPSCR and VPR */
1797                     }
1798 
1799                     pop_ok = pop_ok &&
1800                         v7m_stack_read(cpu, &slo, faddr, mmu_idx) &&
1801                         v7m_stack_read(cpu, &shi, faddr + 4, mmu_idx);
1802 
1803                     if (!pop_ok) {
1804                         break;
1805                     }
1806 
1807                     dn = (uint64_t)shi << 32 | slo;
1808                     *aa32_vfp_dreg(env, i / 2) = dn;
1809                 }
1810                 pop_ok = pop_ok &&
1811                     v7m_stack_read(cpu, &fpscr, frameptr + 0x60, mmu_idx);
1812                 if (pop_ok) {
1813                     vfp_set_fpscr(env, fpscr);
1814                 }
1815                 if (cpu_isar_feature(aa32_mve, cpu)) {
1816                     pop_ok = pop_ok &&
1817                         v7m_stack_read(cpu, &env->v7m.vpr,
1818                                        frameptr + 0x64, mmu_idx);
1819                 }
1820                 if (!pop_ok) {
1821                     /*
1822                      * These regs are 0 if security extension present;
1823                      * otherwise merely UNKNOWN. We zero always.
1824                      */
1825                     for (i = 0; i < (restore_s16_s31 ? 32 : 16); i += 2) {
1826                         *aa32_vfp_dreg(env, i / 2) = 0;
1827                     }
1828                     vfp_set_fpscr(env, 0);
1829                     if (cpu_isar_feature(aa32_mve, cpu)) {
1830                         env->v7m.vpr = 0;
1831                     }
1832                 }
1833             }
1834         }
1835         env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
1836                                                V7M_CONTROL, FPCA, !ftype);
1837 
1838         /* Commit to consuming the stack frame */
1839         frameptr += 0x20;
1840         if (!ftype) {
1841             frameptr += 0x48;
1842             if (restore_s16_s31) {
1843                 frameptr += 0x40;
1844             }
1845         }
1846         /*
1847          * Undo stack alignment (the SPREALIGN bit indicates that the original
1848          * pre-exception SP was not 8-aligned and we added a padding word to
1849          * align it, so we undo this by ORing in the bit that increases it
1850          * from the current 8-aligned value to the 8-unaligned value. (Adding 4
1851          * would work too but a logical OR is how the pseudocode specifies it.)
1852          */
1853         if (xpsr & XPSR_SPREALIGN) {
1854             frameptr |= 4;
1855         }
1856         *frame_sp_p = frameptr;
1857     }
1858 
1859     xpsr_mask = ~(XPSR_SPREALIGN | XPSR_SFPA);
1860     if (!arm_feature(env, ARM_FEATURE_THUMB_DSP)) {
1861         xpsr_mask &= ~XPSR_GE;
1862     }
1863     /* This xpsr_write() will invalidate frame_sp_p as it may switch stack */
1864     xpsr_write(env, xpsr, xpsr_mask);
1865 
1866     if (env->v7m.secure) {
1867         bool sfpa = xpsr & XPSR_SFPA;
1868 
1869         env->v7m.control[M_REG_S] = FIELD_DP32(env->v7m.control[M_REG_S],
1870                                                V7M_CONTROL, SFPA, sfpa);
1871     }
1872 
1873     /*
1874      * The restored xPSR exception field will be zero if we're
1875      * resuming in Thread mode. If that doesn't match what the
1876      * exception return excret specified then this is a UsageFault.
1877      * v7M requires we make this check here; v8M did it earlier.
1878      */
1879     if (return_to_handler != arm_v7m_is_handler_mode(env)) {
1880         /*
1881          * Take an INVPC UsageFault by pushing the stack again;
1882          * we know we're v7M so this is never a Secure UsageFault.
1883          */
1884         bool ignore_stackfaults;
1885 
1886         assert(!arm_feature(env, ARM_FEATURE_V8));
1887         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, false);
1888         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
1889         ignore_stackfaults = v7m_push_stack(cpu);
1890         qemu_log_mask(CPU_LOG_INT, "...taking UsageFault on new stackframe: "
1891                       "failed exception return integrity check\n");
1892         v7m_exception_taken(cpu, excret, false, ignore_stackfaults);
1893         return;
1894     }
1895 
1896     /* Otherwise, we have a successful exception exit. */
1897     arm_clear_exclusive(env);
1898     arm_rebuild_hflags(env);
1899     qemu_log_mask(CPU_LOG_INT, "...successful exception return\n");
1900 }
1901 
1902 static bool do_v7m_function_return(ARMCPU *cpu)
1903 {
1904     /*
1905      * v8M security extensions magic function return.
1906      * We may either:
1907      *  (1) throw an exception (longjump)
1908      *  (2) return true if we successfully handled the function return
1909      *  (3) return false if we failed a consistency check and have
1910      *      pended a UsageFault that needs to be taken now
1911      *
1912      * At this point the magic return value is split between env->regs[15]
1913      * and env->thumb. We don't bother to reconstitute it because we don't
1914      * need it (all values are handled the same way).
1915      */
1916     CPUARMState *env = &cpu->env;
1917     uint32_t newpc, newpsr, newpsr_exc;
1918 
1919     qemu_log_mask(CPU_LOG_INT, "...really v7M secure function return\n");
1920 
1921     {
1922         bool threadmode, spsel;
1923         MemOpIdx oi;
1924         ARMMMUIdx mmu_idx;
1925         uint32_t *frame_sp_p;
1926         uint32_t frameptr;
1927 
1928         /* Pull the return address and IPSR from the Secure stack */
1929         threadmode = !arm_v7m_is_handler_mode(env);
1930         spsel = env->v7m.control[M_REG_S] & R_V7M_CONTROL_SPSEL_MASK;
1931 
1932         frame_sp_p = arm_v7m_get_sp_ptr(env, true, threadmode, spsel);
1933         frameptr = *frame_sp_p;
1934 
1935         /*
1936          * These loads may throw an exception (for MPU faults). We want to
1937          * do them as secure, so work out what MMU index that is.
1938          */
1939         mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
1940         oi = make_memop_idx(MO_LEUL, arm_to_core_mmu_idx(mmu_idx));
1941         newpc = cpu_ldl_mmu(env, frameptr, oi, 0);
1942         newpsr = cpu_ldl_mmu(env, frameptr + 4, oi, 0);
1943 
1944         /* Consistency checks on new IPSR */
1945         newpsr_exc = newpsr & XPSR_EXCP;
1946         if (!((env->v7m.exception == 0 && newpsr_exc == 0) ||
1947               (env->v7m.exception == 1 && newpsr_exc != 0))) {
1948             /* Pend the fault and tell our caller to take it */
1949             env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVPC_MASK;
1950             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
1951                                     env->v7m.secure);
1952             qemu_log_mask(CPU_LOG_INT,
1953                           "...taking INVPC UsageFault: "
1954                           "IPSR consistency check failed\n");
1955             return false;
1956         }
1957 
1958         *frame_sp_p = frameptr + 8;
1959     }
1960 
1961     /* This invalidates frame_sp_p */
1962     switch_v7m_security_state(env, true);
1963     env->v7m.exception = newpsr_exc;
1964     env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
1965     if (newpsr & XPSR_SFPA) {
1966         env->v7m.control[M_REG_S] |= R_V7M_CONTROL_SFPA_MASK;
1967     }
1968     xpsr_write(env, 0, XPSR_IT);
1969     env->thumb = newpc & 1;
1970     env->regs[15] = newpc & ~1;
1971     arm_rebuild_hflags(env);
1972 
1973     qemu_log_mask(CPU_LOG_INT, "...function return successful\n");
1974     return true;
1975 }
1976 
1977 static bool v7m_read_half_insn(ARMCPU *cpu, ARMMMUIdx mmu_idx, bool secure,
1978                                uint32_t addr, uint16_t *insn)
1979 {
1980     /*
1981      * Load a 16-bit portion of a v7M instruction, returning true on success,
1982      * or false on failure (in which case we will have pended the appropriate
1983      * exception).
1984      * We need to do the instruction fetch's MPU and SAU checks
1985      * like this because there is no MMU index that would allow
1986      * doing the load with a single function call. Instead we must
1987      * first check that the security attributes permit the load
1988      * and that they don't mismatch on the two halves of the instruction,
1989      * and then we do the load as a secure load (ie using the security
1990      * attributes of the address, not the CPU, as architecturally required).
1991      */
1992     CPUState *cs = CPU(cpu);
1993     CPUARMState *env = &cpu->env;
1994     V8M_SAttributes sattrs = {};
1995     GetPhysAddrResult res = {};
1996     ARMMMUFaultInfo fi = {};
1997     MemTxResult txres;
1998 
1999     v8m_security_lookup(env, addr, MMU_INST_FETCH, mmu_idx, secure, &sattrs);
2000     if (!sattrs.nsc || sattrs.ns) {
2001         /*
2002          * This must be the second half of the insn, and it straddles a
2003          * region boundary with the second half not being S&NSC.
2004          */
2005         env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
2006         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
2007         qemu_log_mask(CPU_LOG_INT,
2008                       "...really SecureFault with SFSR.INVEP\n");
2009         return false;
2010     }
2011     if (get_phys_addr(env, addr, MMU_INST_FETCH, mmu_idx, &res, &fi)) {
2012         /* the MPU lookup failed */
2013         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
2014         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, env->v7m.secure);
2015         qemu_log_mask(CPU_LOG_INT, "...really MemManage with CFSR.IACCVIOL\n");
2016         return false;
2017     }
2018     *insn = address_space_lduw_le(arm_addressspace(cs, res.f.attrs),
2019                                   res.f.phys_addr, res.f.attrs, &txres);
2020     if (txres != MEMTX_OK) {
2021         env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
2022         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
2023         qemu_log_mask(CPU_LOG_INT, "...really BusFault with CFSR.IBUSERR\n");
2024         return false;
2025     }
2026     return true;
2027 }
2028 
2029 static bool v7m_read_sg_stack_word(ARMCPU *cpu, ARMMMUIdx mmu_idx,
2030                                    uint32_t addr, uint32_t *spdata)
2031 {
2032     /*
2033      * Read a word of data from the stack for the SG instruction,
2034      * writing the value into *spdata. If the load succeeds, return
2035      * true; otherwise pend an appropriate exception and return false.
2036      * (We can't use data load helpers here that throw an exception
2037      * because of the context we're called in, which is halfway through
2038      * arm_v7m_cpu_do_interrupt().)
2039      */
2040     CPUState *cs = CPU(cpu);
2041     CPUARMState *env = &cpu->env;
2042     MemTxResult txres;
2043     GetPhysAddrResult res = {};
2044     ARMMMUFaultInfo fi = {};
2045     uint32_t value;
2046 
2047     if (get_phys_addr(env, addr, MMU_DATA_LOAD, mmu_idx, &res, &fi)) {
2048         /* MPU/SAU lookup failed */
2049         if (fi.type == ARMFault_QEMU_SFault) {
2050             qemu_log_mask(CPU_LOG_INT,
2051                           "...SecureFault during stack word read\n");
2052             env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK | R_V7M_SFSR_SFARVALID_MASK;
2053             env->v7m.sfar = addr;
2054             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
2055         } else {
2056             qemu_log_mask(CPU_LOG_INT,
2057                           "...MemManageFault during stack word read\n");
2058             env->v7m.cfsr[M_REG_S] |= R_V7M_CFSR_DACCVIOL_MASK |
2059                 R_V7M_CFSR_MMARVALID_MASK;
2060             env->v7m.mmfar[M_REG_S] = addr;
2061             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM, false);
2062         }
2063         return false;
2064     }
2065     value = address_space_ldl(arm_addressspace(cs, res.f.attrs),
2066                               res.f.phys_addr, res.f.attrs, &txres);
2067     if (txres != MEMTX_OK) {
2068         /* BusFault trying to read the data */
2069         qemu_log_mask(CPU_LOG_INT,
2070                       "...BusFault during stack word read\n");
2071         env->v7m.cfsr[M_REG_NS] |=
2072             (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
2073         env->v7m.bfar = addr;
2074         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
2075         return false;
2076     }
2077 
2078     *spdata = value;
2079     return true;
2080 }
2081 
2082 static bool v7m_handle_execute_nsc(ARMCPU *cpu)
2083 {
2084     /*
2085      * Check whether this attempt to execute code in a Secure & NS-Callable
2086      * memory region is for an SG instruction; if so, then emulate the
2087      * effect of the SG instruction and return true. Otherwise pend
2088      * the correct kind of exception and return false.
2089      */
2090     CPUARMState *env = &cpu->env;
2091     ARMMMUIdx mmu_idx;
2092     uint16_t insn;
2093 
2094     /*
2095      * We should never get here unless get_phys_addr_pmsav8() caused
2096      * an exception for NS executing in S&NSC memory.
2097      */
2098     assert(!env->v7m.secure);
2099     assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
2100 
2101     /* We want to do the MPU lookup as secure; work out what mmu_idx that is */
2102     mmu_idx = arm_v7m_mmu_idx_for_secstate(env, true);
2103 
2104     if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15], &insn)) {
2105         return false;
2106     }
2107 
2108     if (!env->thumb) {
2109         goto gen_invep;
2110     }
2111 
2112     if (insn != 0xe97f) {
2113         /*
2114          * Not an SG instruction first half (we choose the IMPDEF
2115          * early-SG-check option).
2116          */
2117         goto gen_invep;
2118     }
2119 
2120     if (!v7m_read_half_insn(cpu, mmu_idx, true, env->regs[15] + 2, &insn)) {
2121         return false;
2122     }
2123 
2124     if (insn != 0xe97f) {
2125         /*
2126          * Not an SG instruction second half (yes, both halves of the SG
2127          * insn have the same hex value)
2128          */
2129         goto gen_invep;
2130     }
2131 
2132     /*
2133      * OK, we have confirmed that we really have an SG instruction.
2134      * We know we're NS in S memory so don't need to repeat those checks.
2135      */
2136     qemu_log_mask(CPU_LOG_INT, "...really an SG instruction at 0x%08" PRIx32
2137                   ", executing it\n", env->regs[15]);
2138 
2139     if (cpu_isar_feature(aa32_m_sec_state, cpu) &&
2140         !arm_v7m_is_handler_mode(env)) {
2141         /*
2142          * v8.1M exception stack frame integrity check. Note that we
2143          * must perform the memory access even if CCR_S.TRD is zero
2144          * and we aren't going to check what the data loaded is.
2145          */
2146         uint32_t spdata, sp;
2147 
2148         /*
2149          * We know we are currently NS, so the S stack pointers must be
2150          * in other_ss_{psp,msp}, not in regs[13]/other_sp.
2151          */
2152         sp = v7m_using_psp(env) ? env->v7m.other_ss_psp : env->v7m.other_ss_msp;
2153         if (!v7m_read_sg_stack_word(cpu, mmu_idx, sp, &spdata)) {
2154             /* Stack access failed and an exception has been pended */
2155             return false;
2156         }
2157 
2158         if (env->v7m.ccr[M_REG_S] & R_V7M_CCR_TRD_MASK) {
2159             if (((spdata & ~1) == 0xfefa125a) ||
2160                 !(env->v7m.control[M_REG_S] & 1)) {
2161                 goto gen_invep;
2162             }
2163         }
2164     }
2165 
2166     env->regs[14] &= ~1;
2167     env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
2168     switch_v7m_security_state(env, true);
2169     xpsr_write(env, 0, XPSR_IT);
2170     env->regs[15] += 4;
2171     arm_rebuild_hflags(env);
2172     return true;
2173 
2174 gen_invep:
2175     env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
2176     armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
2177     qemu_log_mask(CPU_LOG_INT,
2178                   "...really SecureFault with SFSR.INVEP\n");
2179     return false;
2180 }
2181 
2182 void arm_v7m_cpu_do_interrupt(CPUState *cs)
2183 {
2184     ARMCPU *cpu = ARM_CPU(cs);
2185     CPUARMState *env = &cpu->env;
2186     uint32_t lr;
2187     bool ignore_stackfaults;
2188 
2189     arm_log_exception(cs);
2190 
2191     /*
2192      * For exceptions we just mark as pending on the NVIC, and let that
2193      * handle it.
2194      */
2195     switch (cs->exception_index) {
2196     case EXCP_UDEF:
2197         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
2198         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNDEFINSTR_MASK;
2199         break;
2200     case EXCP_NOCP:
2201     {
2202         /*
2203          * NOCP might be directed to something other than the current
2204          * security state if this fault is because of NSACR; we indicate
2205          * the target security state using exception.target_el.
2206          */
2207         int target_secstate;
2208 
2209         if (env->exception.target_el == 3) {
2210             target_secstate = M_REG_S;
2211         } else {
2212             target_secstate = env->v7m.secure;
2213         }
2214         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, target_secstate);
2215         env->v7m.cfsr[target_secstate] |= R_V7M_CFSR_NOCP_MASK;
2216         break;
2217     }
2218     case EXCP_INVSTATE:
2219         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
2220         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_INVSTATE_MASK;
2221         break;
2222     case EXCP_STKOF:
2223         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
2224         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_STKOF_MASK;
2225         break;
2226     case EXCP_LSERR:
2227         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
2228         env->v7m.sfsr |= R_V7M_SFSR_LSERR_MASK;
2229         break;
2230     case EXCP_UNALIGNED:
2231         /* Unaligned faults reported by M-profile aware code */
2232         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
2233         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
2234         break;
2235     case EXCP_DIVBYZERO:
2236         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE, env->v7m.secure);
2237         env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_DIVBYZERO_MASK;
2238         break;
2239     case EXCP_SWI:
2240         /* The PC already points to the next instruction.  */
2241         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC, env->v7m.secure);
2242         break;
2243     case EXCP_PREFETCH_ABORT:
2244     case EXCP_DATA_ABORT:
2245         /*
2246          * Note that for M profile we don't have a guest facing FSR, but
2247          * the env->exception.fsr will be populated by the code that
2248          * raises the fault, in the A profile short-descriptor format.
2249          *
2250          * Log the exception.vaddress now regardless of subtype, because
2251          * logging below only logs it when it goes into a guest visible
2252          * register.
2253          */
2254         qemu_log_mask(CPU_LOG_INT, "...at fault address 0x%x\n",
2255                       (uint32_t)env->exception.vaddress);
2256         switch (env->exception.fsr & 0xf) {
2257         case M_FAKE_FSR_NSC_EXEC:
2258             /*
2259              * Exception generated when we try to execute code at an address
2260              * which is marked as Secure & Non-Secure Callable and the CPU
2261              * is in the Non-Secure state. The only instruction which can
2262              * be executed like this is SG (and that only if both halves of
2263              * the SG instruction have the same security attributes.)
2264              * Everything else must generate an INVEP SecureFault, so we
2265              * emulate the SG instruction here.
2266              */
2267             if (v7m_handle_execute_nsc(cpu)) {
2268                 return;
2269             }
2270             break;
2271         case M_FAKE_FSR_SFAULT:
2272             /*
2273              * Various flavours of SecureFault for attempts to execute or
2274              * access data in the wrong security state.
2275              */
2276             switch (cs->exception_index) {
2277             case EXCP_PREFETCH_ABORT:
2278                 if (env->v7m.secure) {
2279                     env->v7m.sfsr |= R_V7M_SFSR_INVTRAN_MASK;
2280                     qemu_log_mask(CPU_LOG_INT,
2281                                   "...really SecureFault with SFSR.INVTRAN\n");
2282                 } else {
2283                     env->v7m.sfsr |= R_V7M_SFSR_INVEP_MASK;
2284                     qemu_log_mask(CPU_LOG_INT,
2285                                   "...really SecureFault with SFSR.INVEP\n");
2286                 }
2287                 break;
2288             case EXCP_DATA_ABORT:
2289                 /* This must be an NS access to S memory */
2290                 env->v7m.sfsr |= R_V7M_SFSR_AUVIOL_MASK;
2291                 qemu_log_mask(CPU_LOG_INT,
2292                               "...really SecureFault with SFSR.AUVIOL\n");
2293                 break;
2294             }
2295             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SECURE, false);
2296             break;
2297         case 0x8: /* External Abort */
2298             switch (cs->exception_index) {
2299             case EXCP_PREFETCH_ABORT:
2300                 env->v7m.cfsr[M_REG_NS] |= R_V7M_CFSR_IBUSERR_MASK;
2301                 qemu_log_mask(CPU_LOG_INT, "...with CFSR.IBUSERR\n");
2302                 break;
2303             case EXCP_DATA_ABORT:
2304                 env->v7m.cfsr[M_REG_NS] |=
2305                     (R_V7M_CFSR_PRECISERR_MASK | R_V7M_CFSR_BFARVALID_MASK);
2306                 env->v7m.bfar = env->exception.vaddress;
2307                 qemu_log_mask(CPU_LOG_INT,
2308                               "...with CFSR.PRECISERR and BFAR 0x%x\n",
2309                               env->v7m.bfar);
2310                 break;
2311             }
2312             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_BUS, false);
2313             break;
2314         case 0x1: /* Alignment fault reported by generic code */
2315             qemu_log_mask(CPU_LOG_INT,
2316                           "...really UsageFault with UFSR.UNALIGNED\n");
2317             env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_UNALIGNED_MASK;
2318             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE,
2319                                     env->v7m.secure);
2320             break;
2321         default:
2322             /*
2323              * All other FSR values are either MPU faults or "can't happen
2324              * for M profile" cases.
2325              */
2326             switch (cs->exception_index) {
2327             case EXCP_PREFETCH_ABORT:
2328                 env->v7m.cfsr[env->v7m.secure] |= R_V7M_CFSR_IACCVIOL_MASK;
2329                 qemu_log_mask(CPU_LOG_INT, "...with CFSR.IACCVIOL\n");
2330                 break;
2331             case EXCP_DATA_ABORT:
2332                 env->v7m.cfsr[env->v7m.secure] |=
2333                     (R_V7M_CFSR_DACCVIOL_MASK | R_V7M_CFSR_MMARVALID_MASK);
2334                 env->v7m.mmfar[env->v7m.secure] = env->exception.vaddress;
2335                 qemu_log_mask(CPU_LOG_INT,
2336                               "...with CFSR.DACCVIOL and MMFAR 0x%x\n",
2337                               env->v7m.mmfar[env->v7m.secure]);
2338                 break;
2339             }
2340             armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM,
2341                                     env->v7m.secure);
2342             break;
2343         }
2344         break;
2345     case EXCP_SEMIHOST:
2346         qemu_log_mask(CPU_LOG_INT,
2347                       "...handling as semihosting call 0x%x\n",
2348                       env->regs[0]);
2349 #ifdef CONFIG_TCG
2350         do_common_semihosting(cs);
2351 #else
2352         g_assert_not_reached();
2353 #endif
2354         env->regs[15] += env->thumb ? 2 : 4;
2355         return;
2356     case EXCP_BKPT:
2357         armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG, false);
2358         break;
2359     case EXCP_IRQ:
2360         break;
2361     case EXCP_EXCEPTION_EXIT:
2362         if (env->regs[15] < EXC_RETURN_MIN_MAGIC) {
2363             /* Must be v8M security extension function return */
2364             assert(env->regs[15] >= FNC_RETURN_MIN_MAGIC);
2365             assert(arm_feature(env, ARM_FEATURE_M_SECURITY));
2366             if (do_v7m_function_return(cpu)) {
2367                 return;
2368             }
2369         } else {
2370             do_v7m_exception_exit(cpu);
2371             return;
2372         }
2373         break;
2374     case EXCP_LAZYFP:
2375         /*
2376          * We already pended the specific exception in the NVIC in the
2377          * v7m_preserve_fp_state() helper function.
2378          */
2379         break;
2380     default:
2381         cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
2382         return; /* Never happens.  Keep compiler happy.  */
2383     }
2384 
2385     if (arm_feature(env, ARM_FEATURE_V8)) {
2386         lr = R_V7M_EXCRET_RES1_MASK |
2387             R_V7M_EXCRET_DCRS_MASK;
2388         /*
2389          * The S bit indicates whether we should return to Secure
2390          * or NonSecure (ie our current state).
2391          * The ES bit indicates whether we're taking this exception
2392          * to Secure or NonSecure (ie our target state). We set it
2393          * later, in v7m_exception_taken().
2394          * The SPSEL bit is also set in v7m_exception_taken() for v8M.
2395          * This corresponds to the ARM ARM pseudocode for v8M setting
2396          * some LR bits in PushStack() and some in ExceptionTaken();
2397          * the distinction matters for the tailchain cases where we
2398          * can take an exception without pushing the stack.
2399          */
2400         if (env->v7m.secure) {
2401             lr |= R_V7M_EXCRET_S_MASK;
2402         }
2403     } else {
2404         lr = R_V7M_EXCRET_RES1_MASK |
2405             R_V7M_EXCRET_S_MASK |
2406             R_V7M_EXCRET_DCRS_MASK |
2407             R_V7M_EXCRET_ES_MASK;
2408         if (env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK) {
2409             lr |= R_V7M_EXCRET_SPSEL_MASK;
2410         }
2411     }
2412     if (!(env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK)) {
2413         lr |= R_V7M_EXCRET_FTYPE_MASK;
2414     }
2415     if (!arm_v7m_is_handler_mode(env)) {
2416         lr |= R_V7M_EXCRET_MODE_MASK;
2417     }
2418 
2419     ignore_stackfaults = v7m_push_stack(cpu);
2420     v7m_exception_taken(cpu, lr, false, ignore_stackfaults);
2421 }
2422 
2423 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
2424 {
2425     unsigned el = arm_current_el(env);
2426 
2427     /* First handle registers which unprivileged can read */
2428     switch (reg) {
2429     case 0 ... 7: /* xPSR sub-fields */
2430         return v7m_mrs_xpsr(env, reg, el);
2431     case 20: /* CONTROL */
2432         return arm_v7m_mrs_control(env, env->v7m.secure);
2433     case 0x94: /* CONTROL_NS */
2434         /*
2435          * We have to handle this here because unprivileged Secure code
2436          * can read the NS CONTROL register.
2437          */
2438         if (!env->v7m.secure) {
2439             return 0;
2440         }
2441         return env->v7m.control[M_REG_NS] |
2442             (env->v7m.control[M_REG_S] & R_V7M_CONTROL_FPCA_MASK);
2443     }
2444 
2445     if (el == 0) {
2446         return 0; /* unprivileged reads others as zero */
2447     }
2448 
2449     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
2450         switch (reg) {
2451         case 0x88: /* MSP_NS */
2452             if (!env->v7m.secure) {
2453                 return 0;
2454             }
2455             return env->v7m.other_ss_msp;
2456         case 0x89: /* PSP_NS */
2457             if (!env->v7m.secure) {
2458                 return 0;
2459             }
2460             return env->v7m.other_ss_psp;
2461         case 0x8a: /* MSPLIM_NS */
2462             if (!env->v7m.secure) {
2463                 return 0;
2464             }
2465             return env->v7m.msplim[M_REG_NS];
2466         case 0x8b: /* PSPLIM_NS */
2467             if (!env->v7m.secure) {
2468                 return 0;
2469             }
2470             return env->v7m.psplim[M_REG_NS];
2471         case 0x90: /* PRIMASK_NS */
2472             if (!env->v7m.secure) {
2473                 return 0;
2474             }
2475             return env->v7m.primask[M_REG_NS];
2476         case 0x91: /* BASEPRI_NS */
2477             if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2478                 goto bad_reg;
2479             }
2480             if (!env->v7m.secure) {
2481                 return 0;
2482             }
2483             return env->v7m.basepri[M_REG_NS];
2484         case 0x93: /* FAULTMASK_NS */
2485             if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2486                 goto bad_reg;
2487             }
2488             if (!env->v7m.secure) {
2489                 return 0;
2490             }
2491             return env->v7m.faultmask[M_REG_NS];
2492         case 0x98: /* SP_NS */
2493         {
2494             /*
2495              * This gives the non-secure SP selected based on whether we're
2496              * currently in handler mode or not, using the NS CONTROL.SPSEL.
2497              */
2498             bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
2499 
2500             if (!env->v7m.secure) {
2501                 return 0;
2502             }
2503             if (!arm_v7m_is_handler_mode(env) && spsel) {
2504                 return env->v7m.other_ss_psp;
2505             } else {
2506                 return env->v7m.other_ss_msp;
2507             }
2508         }
2509         default:
2510             break;
2511         }
2512     }
2513 
2514     switch (reg) {
2515     case 8: /* MSP */
2516         return v7m_using_psp(env) ? env->v7m.other_sp : env->regs[13];
2517     case 9: /* PSP */
2518         return v7m_using_psp(env) ? env->regs[13] : env->v7m.other_sp;
2519     case 10: /* MSPLIM */
2520         if (!arm_feature(env, ARM_FEATURE_V8)) {
2521             goto bad_reg;
2522         }
2523         return env->v7m.msplim[env->v7m.secure];
2524     case 11: /* PSPLIM */
2525         if (!arm_feature(env, ARM_FEATURE_V8)) {
2526             goto bad_reg;
2527         }
2528         return env->v7m.psplim[env->v7m.secure];
2529     case 16: /* PRIMASK */
2530         return env->v7m.primask[env->v7m.secure];
2531     case 17: /* BASEPRI */
2532     case 18: /* BASEPRI_MAX */
2533         if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2534             goto bad_reg;
2535         }
2536         return env->v7m.basepri[env->v7m.secure];
2537     case 19: /* FAULTMASK */
2538         if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2539             goto bad_reg;
2540         }
2541         return env->v7m.faultmask[env->v7m.secure];
2542     default:
2543     bad_reg:
2544         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to read unknown special"
2545                                        " register %d\n", reg);
2546         return 0;
2547     }
2548 }
2549 
2550 void HELPER(v7m_msr)(CPUARMState *env, uint32_t maskreg, uint32_t val)
2551 {
2552     /*
2553      * We're passed bits [11..0] of the instruction; extract
2554      * SYSm and the mask bits.
2555      * Invalid combinations of SYSm and mask are UNPREDICTABLE;
2556      * we choose to treat them as if the mask bits were valid.
2557      * NB that the pseudocode 'mask' variable is bits [11..10],
2558      * whereas ours is [11..8].
2559      */
2560     uint32_t mask = extract32(maskreg, 8, 4);
2561     uint32_t reg = extract32(maskreg, 0, 8);
2562     int cur_el = arm_current_el(env);
2563 
2564     if (cur_el == 0 && reg > 7 && reg != 20) {
2565         /*
2566          * only xPSR sub-fields and CONTROL.SFPA may be written by
2567          * unprivileged code
2568          */
2569         return;
2570     }
2571 
2572     if (arm_feature(env, ARM_FEATURE_M_SECURITY)) {
2573         switch (reg) {
2574         case 0x88: /* MSP_NS */
2575             if (!env->v7m.secure) {
2576                 return;
2577             }
2578             env->v7m.other_ss_msp = val & ~3;
2579             return;
2580         case 0x89: /* PSP_NS */
2581             if (!env->v7m.secure) {
2582                 return;
2583             }
2584             env->v7m.other_ss_psp = val & ~3;
2585             return;
2586         case 0x8a: /* MSPLIM_NS */
2587             if (!env->v7m.secure) {
2588                 return;
2589             }
2590             env->v7m.msplim[M_REG_NS] = val & ~7;
2591             return;
2592         case 0x8b: /* PSPLIM_NS */
2593             if (!env->v7m.secure) {
2594                 return;
2595             }
2596             env->v7m.psplim[M_REG_NS] = val & ~7;
2597             return;
2598         case 0x90: /* PRIMASK_NS */
2599             if (!env->v7m.secure) {
2600                 return;
2601             }
2602             env->v7m.primask[M_REG_NS] = val & 1;
2603             return;
2604         case 0x91: /* BASEPRI_NS */
2605             if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2606                 goto bad_reg;
2607             }
2608             if (!env->v7m.secure) {
2609                 return;
2610             }
2611             env->v7m.basepri[M_REG_NS] = val & 0xff;
2612             return;
2613         case 0x93: /* FAULTMASK_NS */
2614             if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2615                 goto bad_reg;
2616             }
2617             if (!env->v7m.secure) {
2618                 return;
2619             }
2620             env->v7m.faultmask[M_REG_NS] = val & 1;
2621             return;
2622         case 0x94: /* CONTROL_NS */
2623             if (!env->v7m.secure) {
2624                 return;
2625             }
2626             write_v7m_control_spsel_for_secstate(env,
2627                                                  val & R_V7M_CONTROL_SPSEL_MASK,
2628                                                  M_REG_NS);
2629             if (arm_feature(env, ARM_FEATURE_M_MAIN)) {
2630                 env->v7m.control[M_REG_NS] &= ~R_V7M_CONTROL_NPRIV_MASK;
2631                 env->v7m.control[M_REG_NS] |= val & R_V7M_CONTROL_NPRIV_MASK;
2632             }
2633             /*
2634              * SFPA is RAZ/WI from NS. FPCA is RO if NSACR.CP10 == 0,
2635              * RES0 if the FPU is not present, and is stored in the S bank
2636              */
2637             if (cpu_isar_feature(aa32_vfp_simd, env_archcpu(env)) &&
2638                 extract32(env->v7m.nsacr, 10, 1)) {
2639                 env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
2640                 env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
2641             }
2642             return;
2643         case 0x98: /* SP_NS */
2644         {
2645             /*
2646              * This gives the non-secure SP selected based on whether we're
2647              * currently in handler mode or not, using the NS CONTROL.SPSEL.
2648              */
2649             bool spsel = env->v7m.control[M_REG_NS] & R_V7M_CONTROL_SPSEL_MASK;
2650             bool is_psp = !arm_v7m_is_handler_mode(env) && spsel;
2651             uint32_t limit;
2652 
2653             if (!env->v7m.secure) {
2654                 return;
2655             }
2656 
2657             limit = is_psp ? env->v7m.psplim[false] : env->v7m.msplim[false];
2658 
2659             val &= ~0x3;
2660 
2661             if (val < limit) {
2662                 raise_exception_ra(env, EXCP_STKOF, 0, 1, GETPC());
2663             }
2664 
2665             if (is_psp) {
2666                 env->v7m.other_ss_psp = val;
2667             } else {
2668                 env->v7m.other_ss_msp = val;
2669             }
2670             return;
2671         }
2672         default:
2673             break;
2674         }
2675     }
2676 
2677     switch (reg) {
2678     case 0 ... 7: /* xPSR sub-fields */
2679         v7m_msr_xpsr(env, mask, reg, val);
2680         break;
2681     case 8: /* MSP */
2682         if (v7m_using_psp(env)) {
2683             env->v7m.other_sp = val & ~3;
2684         } else {
2685             env->regs[13] = val & ~3;
2686         }
2687         break;
2688     case 9: /* PSP */
2689         if (v7m_using_psp(env)) {
2690             env->regs[13] = val & ~3;
2691         } else {
2692             env->v7m.other_sp = val & ~3;
2693         }
2694         break;
2695     case 10: /* MSPLIM */
2696         if (!arm_feature(env, ARM_FEATURE_V8)) {
2697             goto bad_reg;
2698         }
2699         env->v7m.msplim[env->v7m.secure] = val & ~7;
2700         break;
2701     case 11: /* PSPLIM */
2702         if (!arm_feature(env, ARM_FEATURE_V8)) {
2703             goto bad_reg;
2704         }
2705         env->v7m.psplim[env->v7m.secure] = val & ~7;
2706         break;
2707     case 16: /* PRIMASK */
2708         env->v7m.primask[env->v7m.secure] = val & 1;
2709         break;
2710     case 17: /* BASEPRI */
2711         if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2712             goto bad_reg;
2713         }
2714         env->v7m.basepri[env->v7m.secure] = val & 0xff;
2715         break;
2716     case 18: /* BASEPRI_MAX */
2717         if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2718             goto bad_reg;
2719         }
2720         val &= 0xff;
2721         if (val != 0 && (val < env->v7m.basepri[env->v7m.secure]
2722                          || env->v7m.basepri[env->v7m.secure] == 0)) {
2723             env->v7m.basepri[env->v7m.secure] = val;
2724         }
2725         break;
2726     case 19: /* FAULTMASK */
2727         if (!arm_feature(env, ARM_FEATURE_M_MAIN)) {
2728             goto bad_reg;
2729         }
2730         env->v7m.faultmask[env->v7m.secure] = val & 1;
2731         break;
2732     case 20: /* CONTROL */
2733         /*
2734          * Writing to the SPSEL bit only has an effect if we are in
2735          * thread mode; other bits can be updated by any privileged code.
2736          * write_v7m_control_spsel() deals with updating the SPSEL bit in
2737          * env->v7m.control, so we only need update the others.
2738          * For v7M, we must just ignore explicit writes to SPSEL in handler
2739          * mode; for v8M the write is permitted but will have no effect.
2740          * All these bits are writes-ignored from non-privileged code,
2741          * except for SFPA.
2742          */
2743         if (cur_el > 0 && (arm_feature(env, ARM_FEATURE_V8) ||
2744                            !arm_v7m_is_handler_mode(env))) {
2745             write_v7m_control_spsel(env, (val & R_V7M_CONTROL_SPSEL_MASK) != 0);
2746         }
2747         if (cur_el > 0 && arm_feature(env, ARM_FEATURE_M_MAIN)) {
2748             env->v7m.control[env->v7m.secure] &= ~R_V7M_CONTROL_NPRIV_MASK;
2749             env->v7m.control[env->v7m.secure] |= val & R_V7M_CONTROL_NPRIV_MASK;
2750         }
2751         if (cpu_isar_feature(aa32_vfp_simd, env_archcpu(env))) {
2752             /*
2753              * SFPA is RAZ/WI from NS or if no FPU.
2754              * FPCA is RO if NSACR.CP10 == 0, RES0 if the FPU is not present.
2755              * Both are stored in the S bank.
2756              */
2757             if (env->v7m.secure) {
2758                 env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_SFPA_MASK;
2759                 env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_SFPA_MASK;
2760             }
2761             if (cur_el > 0 &&
2762                 (env->v7m.secure || !arm_feature(env, ARM_FEATURE_M_SECURITY) ||
2763                  extract32(env->v7m.nsacr, 10, 1))) {
2764                 env->v7m.control[M_REG_S] &= ~R_V7M_CONTROL_FPCA_MASK;
2765                 env->v7m.control[M_REG_S] |= val & R_V7M_CONTROL_FPCA_MASK;
2766             }
2767         }
2768         break;
2769     default:
2770     bad_reg:
2771         qemu_log_mask(LOG_GUEST_ERROR, "Attempt to write unknown special"
2772                                        " register %d\n", reg);
2773         return;
2774     }
2775 }
2776 
2777 uint32_t HELPER(v7m_tt)(CPUARMState *env, uint32_t addr, uint32_t op)
2778 {
2779     /* Implement the TT instruction. op is bits [7:6] of the insn. */
2780     bool forceunpriv = op & 1;
2781     bool alt = op & 2;
2782     V8M_SAttributes sattrs = {};
2783     uint32_t tt_resp;
2784     bool r, rw, nsr, nsrw, mrvalid;
2785     ARMMMUIdx mmu_idx;
2786     uint32_t mregion;
2787     bool targetpriv;
2788     bool targetsec = env->v7m.secure;
2789 
2790     /*
2791      * Work out what the security state and privilege level we're
2792      * interested in is...
2793      */
2794     if (alt) {
2795         targetsec = !targetsec;
2796     }
2797 
2798     if (forceunpriv) {
2799         targetpriv = false;
2800     } else {
2801         targetpriv = arm_v7m_is_handler_mode(env) ||
2802             !(env->v7m.control[targetsec] & R_V7M_CONTROL_NPRIV_MASK);
2803     }
2804 
2805     /* ...and then figure out which MMU index this is */
2806     mmu_idx = arm_v7m_mmu_idx_for_secstate_and_priv(env, targetsec, targetpriv);
2807 
2808     /*
2809      * We know that the MPU and SAU don't care about the access type
2810      * for our purposes beyond that we don't want to claim to be
2811      * an insn fetch, so we arbitrarily call this a read.
2812      */
2813 
2814     /*
2815      * MPU region info only available for privileged or if
2816      * inspecting the other MPU state.
2817      */
2818     if (arm_current_el(env) != 0 || alt) {
2819         GetPhysAddrResult res = {};
2820         ARMMMUFaultInfo fi = {};
2821 
2822         /* We can ignore the return value as prot is always set */
2823         pmsav8_mpu_lookup(env, addr, MMU_DATA_LOAD, mmu_idx, targetsec,
2824                           &res, &fi, &mregion);
2825         if (mregion == -1) {
2826             mrvalid = false;
2827             mregion = 0;
2828         } else {
2829             mrvalid = true;
2830         }
2831         r = res.f.prot & PAGE_READ;
2832         rw = res.f.prot & PAGE_WRITE;
2833     } else {
2834         r = false;
2835         rw = false;
2836         mrvalid = false;
2837         mregion = 0;
2838     }
2839 
2840     if (env->v7m.secure) {
2841         v8m_security_lookup(env, addr, MMU_DATA_LOAD, mmu_idx,
2842                             targetsec, &sattrs);
2843         nsr = sattrs.ns && r;
2844         nsrw = sattrs.ns && rw;
2845     } else {
2846         sattrs.ns = true;
2847         nsr = false;
2848         nsrw = false;
2849     }
2850 
2851     tt_resp = (sattrs.iregion << 24) |
2852         (sattrs.irvalid << 23) |
2853         ((!sattrs.ns) << 22) |
2854         (nsrw << 21) |
2855         (nsr << 20) |
2856         (rw << 19) |
2857         (r << 18) |
2858         (sattrs.srvalid << 17) |
2859         (mrvalid << 16) |
2860         (sattrs.sregion << 8) |
2861         mregion;
2862 
2863     return tt_resp;
2864 }
2865 
2866 #endif /* !CONFIG_USER_ONLY */
2867 
2868 uint32_t *arm_v7m_get_sp_ptr(CPUARMState *env, bool secure, bool threadmode,
2869                              bool spsel)
2870 {
2871     /*
2872      * Return a pointer to the location where we currently store the
2873      * stack pointer for the requested security state and thread mode.
2874      * This pointer will become invalid if the CPU state is updated
2875      * such that the stack pointers are switched around (eg changing
2876      * the SPSEL control bit).
2877      * Compare the v8M ARM ARM pseudocode LookUpSP_with_security_mode().
2878      * Unlike that pseudocode, we require the caller to pass us in the
2879      * SPSEL control bit value; this is because we also use this
2880      * function in handling of pushing of the callee-saves registers
2881      * part of the v8M stack frame (pseudocode PushCalleeStack()),
2882      * and in the tailchain codepath the SPSEL bit comes from the exception
2883      * return magic LR value from the previous exception. The pseudocode
2884      * opencodes the stack-selection in PushCalleeStack(), but we prefer
2885      * to make this utility function generic enough to do the job.
2886      */
2887     bool want_psp = threadmode && spsel;
2888 
2889     if (secure == env->v7m.secure) {
2890         if (want_psp == v7m_using_psp(env)) {
2891             return &env->regs[13];
2892         } else {
2893             return &env->v7m.other_sp;
2894         }
2895     } else {
2896         if (want_psp) {
2897             return &env->v7m.other_ss_psp;
2898         } else {
2899             return &env->v7m.other_ss_msp;
2900         }
2901     }
2902 }
2903