1 /* 2 * ARM helper routines 3 * 4 * Copyright (c) 2005-2007 CodeSourcery, LLC 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 #include "qemu/osdep.h" 20 #include "qemu/main-loop.h" 21 #include "cpu.h" 22 #include "exec/helper-proto.h" 23 #include "internals.h" 24 #include "cpu-features.h" 25 #include "exec/exec-all.h" 26 #include "exec/cpu_ldst.h" 27 #include "cpregs.h" 28 29 #define SIGNBIT (uint32_t)0x80000000 30 #define SIGNBIT64 ((uint64_t)1 << 63) 31 32 int exception_target_el(CPUARMState *env) 33 { 34 int target_el = MAX(1, arm_current_el(env)); 35 36 /* 37 * No such thing as secure EL1 if EL3 is aarch32, 38 * so update the target EL to EL3 in this case. 39 */ 40 if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) { 41 target_el = 3; 42 } 43 44 return target_el; 45 } 46 47 void raise_exception(CPUARMState *env, uint32_t excp, 48 uint32_t syndrome, uint32_t target_el) 49 { 50 CPUState *cs = env_cpu(env); 51 52 if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) { 53 /* 54 * Redirect NS EL1 exceptions to NS EL2. These are reported with 55 * their original syndrome register value, with the exception of 56 * SIMD/FP access traps, which are reported as uncategorized 57 * (see DDI0478C.a D1.10.4) 58 */ 59 target_el = 2; 60 if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) { 61 syndrome = syn_uncategorized(); 62 } 63 } 64 65 assert(!excp_is_internal(excp)); 66 cs->exception_index = excp; 67 env->exception.syndrome = syndrome; 68 env->exception.target_el = target_el; 69 cpu_loop_exit(cs); 70 } 71 72 void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome, 73 uint32_t target_el, uintptr_t ra) 74 { 75 CPUState *cs = env_cpu(env); 76 77 /* 78 * restore_state_to_opc() will set env->exception.syndrome, so 79 * we must restore CPU state here before setting the syndrome 80 * the caller passed us, and cannot use cpu_loop_exit_restore(). 81 */ 82 cpu_restore_state(cs, ra); 83 raise_exception(env, excp, syndrome, target_el); 84 } 85 86 uint64_t HELPER(neon_tbl)(CPUARMState *env, uint32_t desc, 87 uint64_t ireg, uint64_t def) 88 { 89 uint64_t tmp, val = 0; 90 uint32_t maxindex = ((desc & 3) + 1) * 8; 91 uint32_t base_reg = desc >> 2; 92 uint32_t shift, index, reg; 93 94 for (shift = 0; shift < 64; shift += 8) { 95 index = (ireg >> shift) & 0xff; 96 if (index < maxindex) { 97 reg = base_reg + (index >> 3); 98 tmp = *aa32_vfp_dreg(env, reg); 99 tmp = ((tmp >> ((index & 7) << 3)) & 0xff) << shift; 100 } else { 101 tmp = def & (0xffull << shift); 102 } 103 val |= tmp; 104 } 105 return val; 106 } 107 108 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue) 109 { 110 /* 111 * Perform the v8M stack limit check for SP updates from translated code, 112 * raising an exception if the limit is breached. 113 */ 114 if (newvalue < v7m_sp_limit(env)) { 115 /* 116 * Stack limit exceptions are a rare case, so rather than syncing 117 * PC/condbits before the call, we use raise_exception_ra() so 118 * that cpu_restore_state() will sort them out. 119 */ 120 raise_exception_ra(env, EXCP_STKOF, 0, 1, GETPC()); 121 } 122 } 123 124 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b) 125 { 126 uint32_t res = a + b; 127 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) 128 env->QF = 1; 129 return res; 130 } 131 132 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b) 133 { 134 uint32_t res = a + b; 135 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) { 136 env->QF = 1; 137 res = ~(((int32_t)a >> 31) ^ SIGNBIT); 138 } 139 return res; 140 } 141 142 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b) 143 { 144 uint32_t res = a - b; 145 if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) { 146 env->QF = 1; 147 res = ~(((int32_t)a >> 31) ^ SIGNBIT); 148 } 149 return res; 150 } 151 152 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b) 153 { 154 uint32_t res = a + b; 155 if (res < a) { 156 env->QF = 1; 157 res = ~0; 158 } 159 return res; 160 } 161 162 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b) 163 { 164 uint32_t res = a - b; 165 if (res > a) { 166 env->QF = 1; 167 res = 0; 168 } 169 return res; 170 } 171 172 /* Signed saturation. */ 173 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift) 174 { 175 int32_t top; 176 uint32_t mask; 177 178 top = val >> shift; 179 mask = (1u << shift) - 1; 180 if (top > 0) { 181 env->QF = 1; 182 return mask; 183 } else if (top < -1) { 184 env->QF = 1; 185 return ~mask; 186 } 187 return val; 188 } 189 190 /* Unsigned saturation. */ 191 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift) 192 { 193 uint32_t max; 194 195 max = (1u << shift) - 1; 196 if (val < 0) { 197 env->QF = 1; 198 return 0; 199 } else if (val > max) { 200 env->QF = 1; 201 return max; 202 } 203 return val; 204 } 205 206 /* Signed saturate. */ 207 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift) 208 { 209 return do_ssat(env, x, shift); 210 } 211 212 /* Dual halfword signed saturate. */ 213 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift) 214 { 215 uint32_t res; 216 217 res = (uint16_t)do_ssat(env, (int16_t)x, shift); 218 res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16; 219 return res; 220 } 221 222 /* Unsigned saturate. */ 223 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift) 224 { 225 return do_usat(env, x, shift); 226 } 227 228 /* Dual halfword unsigned saturate. */ 229 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift) 230 { 231 uint32_t res; 232 233 res = (uint16_t)do_usat(env, (int16_t)x, shift); 234 res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16; 235 return res; 236 } 237 238 void HELPER(setend)(CPUARMState *env) 239 { 240 env->uncached_cpsr ^= CPSR_E; 241 arm_rebuild_hflags(env); 242 } 243 244 void HELPER(check_bxj_trap)(CPUARMState *env, uint32_t rm) 245 { 246 /* 247 * Only called if in NS EL0 or EL1 for a BXJ for a v7A CPU; 248 * check if HSTR.TJDBX means we need to trap to EL2. 249 */ 250 if (env->cp15.hstr_el2 & HSTR_TJDBX) { 251 /* 252 * We know the condition code check passed, so take the IMPDEF 253 * choice to always report CV=1 COND 0xe 254 */ 255 uint32_t syn = syn_bxjtrap(1, 0xe, rm); 256 raise_exception_ra(env, EXCP_HYP_TRAP, syn, 2, GETPC()); 257 } 258 } 259 260 #ifndef CONFIG_USER_ONLY 261 /* Function checks whether WFx (WFI/WFE) instructions are set up to be trapped. 262 * The function returns the target EL (1-3) if the instruction is to be trapped; 263 * otherwise it returns 0 indicating it is not trapped. 264 */ 265 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe) 266 { 267 int cur_el = arm_current_el(env); 268 uint64_t mask; 269 270 if (arm_feature(env, ARM_FEATURE_M)) { 271 /* M profile cores can never trap WFI/WFE. */ 272 return 0; 273 } 274 275 /* If we are currently in EL0 then we need to check if SCTLR is set up for 276 * WFx instructions being trapped to EL1. These trap bits don't exist in v7. 277 */ 278 if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) { 279 int target_el; 280 281 mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI; 282 if (arm_is_secure_below_el3(env) && !arm_el_is_aa64(env, 3)) { 283 /* Secure EL0 and Secure PL1 is at EL3 */ 284 target_el = 3; 285 } else { 286 target_el = 1; 287 } 288 289 if (!(env->cp15.sctlr_el[target_el] & mask)) { 290 return target_el; 291 } 292 } 293 294 /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it 295 * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the 296 * bits will be zero indicating no trap. 297 */ 298 if (cur_el < 2) { 299 mask = is_wfe ? HCR_TWE : HCR_TWI; 300 if (arm_hcr_el2_eff(env) & mask) { 301 return 2; 302 } 303 } 304 305 /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */ 306 if (cur_el < 3) { 307 mask = (is_wfe) ? SCR_TWE : SCR_TWI; 308 if (env->cp15.scr_el3 & mask) { 309 return 3; 310 } 311 } 312 313 return 0; 314 } 315 #endif 316 317 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len) 318 { 319 #ifdef CONFIG_USER_ONLY 320 /* 321 * WFI in the user-mode emulator is technically permitted but not 322 * something any real-world code would do. AArch64 Linux kernels 323 * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP; 324 * AArch32 kernels don't trap it so it will delay a bit. 325 * For QEMU, make it NOP here, because trying to raise EXCP_HLT 326 * would trigger an abort. 327 */ 328 return; 329 #else 330 CPUState *cs = env_cpu(env); 331 int target_el = check_wfx_trap(env, false); 332 333 if (cpu_has_work(cs)) { 334 /* Don't bother to go into our "low power state" if 335 * we would just wake up immediately. 336 */ 337 return; 338 } 339 340 if (target_el) { 341 if (env->aarch64) { 342 env->pc -= insn_len; 343 } else { 344 env->regs[15] -= insn_len; 345 } 346 347 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2), 348 target_el); 349 } 350 351 cs->exception_index = EXCP_HLT; 352 cs->halted = 1; 353 cpu_loop_exit(cs); 354 #endif 355 } 356 357 void HELPER(wfe)(CPUARMState *env) 358 { 359 /* This is a hint instruction that is semantically different 360 * from YIELD even though we currently implement it identically. 361 * Don't actually halt the CPU, just yield back to top 362 * level loop. This is not going into a "low power state" 363 * (ie halting until some event occurs), so we never take 364 * a configurable trap to a different exception level. 365 */ 366 HELPER(yield)(env); 367 } 368 369 void HELPER(yield)(CPUARMState *env) 370 { 371 CPUState *cs = env_cpu(env); 372 373 /* This is a non-trappable hint instruction that generally indicates 374 * that the guest is currently busy-looping. Yield control back to the 375 * top level loop so that a more deserving VCPU has a chance to run. 376 */ 377 cs->exception_index = EXCP_YIELD; 378 cpu_loop_exit(cs); 379 } 380 381 /* Raise an internal-to-QEMU exception. This is limited to only 382 * those EXCP values which are special cases for QEMU to interrupt 383 * execution and not to be used for exceptions which are passed to 384 * the guest (those must all have syndrome information and thus should 385 * use exception_with_syndrome*). 386 */ 387 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp) 388 { 389 CPUState *cs = env_cpu(env); 390 391 assert(excp_is_internal(excp)); 392 cs->exception_index = excp; 393 cpu_loop_exit(cs); 394 } 395 396 /* Raise an exception with the specified syndrome register value */ 397 void HELPER(exception_with_syndrome_el)(CPUARMState *env, uint32_t excp, 398 uint32_t syndrome, uint32_t target_el) 399 { 400 raise_exception(env, excp, syndrome, target_el); 401 } 402 403 /* 404 * Raise an exception with the specified syndrome register value 405 * to the default target el. 406 */ 407 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp, 408 uint32_t syndrome) 409 { 410 raise_exception(env, excp, syndrome, exception_target_el(env)); 411 } 412 413 uint32_t HELPER(cpsr_read)(CPUARMState *env) 414 { 415 return cpsr_read(env) & ~CPSR_EXEC; 416 } 417 418 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask) 419 { 420 cpsr_write(env, val, mask, CPSRWriteByInstr); 421 /* TODO: Not all cpsr bits are relevant to hflags. */ 422 arm_rebuild_hflags(env); 423 } 424 425 /* Write the CPSR for a 32-bit exception return */ 426 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val) 427 { 428 uint32_t mask; 429 430 qemu_mutex_lock_iothread(); 431 arm_call_pre_el_change_hook(env_archcpu(env)); 432 qemu_mutex_unlock_iothread(); 433 434 mask = aarch32_cpsr_valid_mask(env->features, &env_archcpu(env)->isar); 435 cpsr_write(env, val, mask, CPSRWriteExceptionReturn); 436 437 /* Generated code has already stored the new PC value, but 438 * without masking out its low bits, because which bits need 439 * masking depends on whether we're returning to Thumb or ARM 440 * state. Do the masking now. 441 */ 442 env->regs[15] &= (env->thumb ? ~1 : ~3); 443 arm_rebuild_hflags(env); 444 445 qemu_mutex_lock_iothread(); 446 arm_call_el_change_hook(env_archcpu(env)); 447 qemu_mutex_unlock_iothread(); 448 } 449 450 /* Access to user mode registers from privileged modes. */ 451 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno) 452 { 453 uint32_t val; 454 455 if (regno == 13) { 456 val = env->banked_r13[BANK_USRSYS]; 457 } else if (regno == 14) { 458 val = env->banked_r14[BANK_USRSYS]; 459 } else if (regno >= 8 460 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) { 461 val = env->usr_regs[regno - 8]; 462 } else { 463 val = env->regs[regno]; 464 } 465 return val; 466 } 467 468 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val) 469 { 470 if (regno == 13) { 471 env->banked_r13[BANK_USRSYS] = val; 472 } else if (regno == 14) { 473 env->banked_r14[BANK_USRSYS] = val; 474 } else if (regno >= 8 475 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) { 476 env->usr_regs[regno - 8] = val; 477 } else { 478 env->regs[regno] = val; 479 } 480 } 481 482 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val) 483 { 484 if ((env->uncached_cpsr & CPSR_M) == mode) { 485 env->regs[13] = val; 486 } else { 487 env->banked_r13[bank_number(mode)] = val; 488 } 489 } 490 491 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode) 492 { 493 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) { 494 /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF. 495 * Other UNPREDICTABLE and UNDEF cases were caught at translate time. 496 */ 497 raise_exception(env, EXCP_UDEF, syn_uncategorized(), 498 exception_target_el(env)); 499 } 500 501 if ((env->uncached_cpsr & CPSR_M) == mode) { 502 return env->regs[13]; 503 } else { 504 return env->banked_r13[bank_number(mode)]; 505 } 506 } 507 508 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode, 509 uint32_t regno) 510 { 511 /* Raise an exception if the requested access is one of the UNPREDICTABLE 512 * cases; otherwise return. This broadly corresponds to the pseudocode 513 * BankedRegisterAccessValid() and SPSRAccessValid(), 514 * except that we have already handled some cases at translate time. 515 */ 516 int curmode = env->uncached_cpsr & CPSR_M; 517 518 if (regno == 17) { 519 /* ELR_Hyp: a special case because access from tgtmode is OK */ 520 if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) { 521 goto undef; 522 } 523 return; 524 } 525 526 if (curmode == tgtmode) { 527 goto undef; 528 } 529 530 if (tgtmode == ARM_CPU_MODE_USR) { 531 switch (regno) { 532 case 8 ... 12: 533 if (curmode != ARM_CPU_MODE_FIQ) { 534 goto undef; 535 } 536 break; 537 case 13: 538 if (curmode == ARM_CPU_MODE_SYS) { 539 goto undef; 540 } 541 break; 542 case 14: 543 if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) { 544 goto undef; 545 } 546 break; 547 default: 548 break; 549 } 550 } 551 552 if (tgtmode == ARM_CPU_MODE_HYP) { 553 /* SPSR_Hyp, r13_hyp: accessible from Monitor mode only */ 554 if (curmode != ARM_CPU_MODE_MON) { 555 goto undef; 556 } 557 } 558 559 return; 560 561 undef: 562 raise_exception(env, EXCP_UDEF, syn_uncategorized(), 563 exception_target_el(env)); 564 } 565 566 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode, 567 uint32_t regno) 568 { 569 msr_mrs_banked_exc_checks(env, tgtmode, regno); 570 571 switch (regno) { 572 case 16: /* SPSRs */ 573 env->banked_spsr[bank_number(tgtmode)] = value; 574 break; 575 case 17: /* ELR_Hyp */ 576 env->elr_el[2] = value; 577 break; 578 case 13: 579 env->banked_r13[bank_number(tgtmode)] = value; 580 break; 581 case 14: 582 env->banked_r14[r14_bank_number(tgtmode)] = value; 583 break; 584 case 8 ... 12: 585 switch (tgtmode) { 586 case ARM_CPU_MODE_USR: 587 env->usr_regs[regno - 8] = value; 588 break; 589 case ARM_CPU_MODE_FIQ: 590 env->fiq_regs[regno - 8] = value; 591 break; 592 default: 593 g_assert_not_reached(); 594 } 595 break; 596 default: 597 g_assert_not_reached(); 598 } 599 } 600 601 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno) 602 { 603 msr_mrs_banked_exc_checks(env, tgtmode, regno); 604 605 switch (regno) { 606 case 16: /* SPSRs */ 607 return env->banked_spsr[bank_number(tgtmode)]; 608 case 17: /* ELR_Hyp */ 609 return env->elr_el[2]; 610 case 13: 611 return env->banked_r13[bank_number(tgtmode)]; 612 case 14: 613 return env->banked_r14[r14_bank_number(tgtmode)]; 614 case 8 ... 12: 615 switch (tgtmode) { 616 case ARM_CPU_MODE_USR: 617 return env->usr_regs[regno - 8]; 618 case ARM_CPU_MODE_FIQ: 619 return env->fiq_regs[regno - 8]; 620 default: 621 g_assert_not_reached(); 622 } 623 default: 624 g_assert_not_reached(); 625 } 626 } 627 628 const void *HELPER(access_check_cp_reg)(CPUARMState *env, uint32_t key, 629 uint32_t syndrome, uint32_t isread) 630 { 631 ARMCPU *cpu = env_archcpu(env); 632 const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key); 633 CPAccessResult res = CP_ACCESS_OK; 634 int target_el; 635 636 assert(ri != NULL); 637 638 if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14 639 && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) { 640 res = CP_ACCESS_TRAP; 641 goto fail; 642 } 643 644 if (ri->accessfn) { 645 res = ri->accessfn(env, ri, isread); 646 } 647 648 /* 649 * If the access function indicates a trap from EL0 to EL1 then 650 * that always takes priority over the HSTR_EL2 trap. (If it indicates 651 * a trap to EL3, then the HSTR_EL2 trap takes priority; if it indicates 652 * a trap to EL2, then the syndrome is the same either way so we don't 653 * care whether technically the architecture says that HSTR_EL2 trap or 654 * the other trap takes priority. So we take the "check HSTR_EL2" path 655 * for all of those cases.) 656 */ 657 if (res != CP_ACCESS_OK && ((res & CP_ACCESS_EL_MASK) == 0) && 658 arm_current_el(env) == 0) { 659 goto fail; 660 } 661 662 /* 663 * HSTR_EL2 traps from EL1 are checked earlier, in generated code; 664 * we only need to check here for traps from EL0. 665 */ 666 if (!is_a64(env) && arm_current_el(env) == 0 && ri->cp == 15 && 667 arm_is_el2_enabled(env) && 668 (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) { 669 uint32_t mask = 1 << ri->crn; 670 671 if (ri->type & ARM_CP_64BIT) { 672 mask = 1 << ri->crm; 673 } 674 675 /* T4 and T14 are RES0 */ 676 mask &= ~((1 << 4) | (1 << 14)); 677 678 if (env->cp15.hstr_el2 & mask) { 679 res = CP_ACCESS_TRAP_EL2; 680 goto fail; 681 } 682 } 683 684 /* 685 * Fine-grained traps also are lower priority than undef-to-EL1, 686 * higher priority than trap-to-EL3, and we don't care about priority 687 * order with other EL2 traps because the syndrome value is the same. 688 */ 689 if (arm_fgt_active(env, arm_current_el(env))) { 690 uint64_t trapword = 0; 691 unsigned int idx = FIELD_EX32(ri->fgt, FGT, IDX); 692 unsigned int bitpos = FIELD_EX32(ri->fgt, FGT, BITPOS); 693 bool rev = FIELD_EX32(ri->fgt, FGT, REV); 694 bool trapbit; 695 696 if (ri->fgt & FGT_EXEC) { 697 assert(idx < ARRAY_SIZE(env->cp15.fgt_exec)); 698 trapword = env->cp15.fgt_exec[idx]; 699 } else if (isread && (ri->fgt & FGT_R)) { 700 assert(idx < ARRAY_SIZE(env->cp15.fgt_read)); 701 trapword = env->cp15.fgt_read[idx]; 702 } else if (!isread && (ri->fgt & FGT_W)) { 703 assert(idx < ARRAY_SIZE(env->cp15.fgt_write)); 704 trapword = env->cp15.fgt_write[idx]; 705 } 706 707 trapbit = extract64(trapword, bitpos, 1); 708 if (trapbit != rev) { 709 res = CP_ACCESS_TRAP_EL2; 710 goto fail; 711 } 712 } 713 714 if (likely(res == CP_ACCESS_OK)) { 715 return ri; 716 } 717 718 fail: 719 switch (res & ~CP_ACCESS_EL_MASK) { 720 case CP_ACCESS_TRAP: 721 break; 722 case CP_ACCESS_TRAP_UNCATEGORIZED: 723 /* Only CP_ACCESS_TRAP traps are direct to a specified EL */ 724 assert((res & CP_ACCESS_EL_MASK) == 0); 725 if (cpu_isar_feature(aa64_ids, cpu) && isread && 726 arm_cpreg_in_idspace(ri)) { 727 /* 728 * FEAT_IDST says this should be reported as EC_SYSTEMREGISTERTRAP, 729 * not EC_UNCATEGORIZED 730 */ 731 break; 732 } 733 syndrome = syn_uncategorized(); 734 break; 735 default: 736 g_assert_not_reached(); 737 } 738 739 target_el = res & CP_ACCESS_EL_MASK; 740 switch (target_el) { 741 case 0: 742 target_el = exception_target_el(env); 743 break; 744 case 2: 745 assert(arm_current_el(env) != 3); 746 assert(arm_is_el2_enabled(env)); 747 break; 748 case 3: 749 assert(arm_feature(env, ARM_FEATURE_EL3)); 750 break; 751 default: 752 /* No "direct" traps to EL1 */ 753 g_assert_not_reached(); 754 } 755 756 raise_exception(env, EXCP_UDEF, syndrome, target_el); 757 } 758 759 const void *HELPER(lookup_cp_reg)(CPUARMState *env, uint32_t key) 760 { 761 ARMCPU *cpu = env_archcpu(env); 762 const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key); 763 764 assert(ri != NULL); 765 return ri; 766 } 767 768 /* 769 * Test for HCR_EL2.TIDCP at EL1. 770 * Since implementation defined registers are rare, and within QEMU 771 * most of them are no-op, do not waste HFLAGS space for this and 772 * always use a helper. 773 */ 774 void HELPER(tidcp_el1)(CPUARMState *env, uint32_t syndrome) 775 { 776 if (arm_hcr_el2_eff(env) & HCR_TIDCP) { 777 raise_exception_ra(env, EXCP_UDEF, syndrome, 2, GETPC()); 778 } 779 } 780 781 /* 782 * Similarly, for FEAT_TIDCP1 at EL0. 783 * We have already checked for the presence of the feature. 784 */ 785 void HELPER(tidcp_el0)(CPUARMState *env, uint32_t syndrome) 786 { 787 /* See arm_sctlr(), but we also need the sctlr el. */ 788 ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0); 789 int target_el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1; 790 791 /* 792 * The bit is not valid unless the target el is aa64, but since the 793 * bit test is simpler perform that first and check validity after. 794 */ 795 if ((env->cp15.sctlr_el[target_el] & SCTLR_TIDCP) 796 && arm_el_is_aa64(env, target_el)) { 797 raise_exception_ra(env, EXCP_UDEF, syndrome, target_el, GETPC()); 798 } 799 } 800 801 void HELPER(set_cp_reg)(CPUARMState *env, const void *rip, uint32_t value) 802 { 803 const ARMCPRegInfo *ri = rip; 804 805 if (ri->type & ARM_CP_IO) { 806 qemu_mutex_lock_iothread(); 807 ri->writefn(env, ri, value); 808 qemu_mutex_unlock_iothread(); 809 } else { 810 ri->writefn(env, ri, value); 811 } 812 } 813 814 uint32_t HELPER(get_cp_reg)(CPUARMState *env, const void *rip) 815 { 816 const ARMCPRegInfo *ri = rip; 817 uint32_t res; 818 819 if (ri->type & ARM_CP_IO) { 820 qemu_mutex_lock_iothread(); 821 res = ri->readfn(env, ri); 822 qemu_mutex_unlock_iothread(); 823 } else { 824 res = ri->readfn(env, ri); 825 } 826 827 return res; 828 } 829 830 void HELPER(set_cp_reg64)(CPUARMState *env, const void *rip, uint64_t value) 831 { 832 const ARMCPRegInfo *ri = rip; 833 834 if (ri->type & ARM_CP_IO) { 835 qemu_mutex_lock_iothread(); 836 ri->writefn(env, ri, value); 837 qemu_mutex_unlock_iothread(); 838 } else { 839 ri->writefn(env, ri, value); 840 } 841 } 842 843 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, const void *rip) 844 { 845 const ARMCPRegInfo *ri = rip; 846 uint64_t res; 847 848 if (ri->type & ARM_CP_IO) { 849 qemu_mutex_lock_iothread(); 850 res = ri->readfn(env, ri); 851 qemu_mutex_unlock_iothread(); 852 } else { 853 res = ri->readfn(env, ri); 854 } 855 856 return res; 857 } 858 859 void HELPER(pre_hvc)(CPUARMState *env) 860 { 861 ARMCPU *cpu = env_archcpu(env); 862 int cur_el = arm_current_el(env); 863 /* FIXME: Use actual secure state. */ 864 bool secure = false; 865 bool undef; 866 867 if (arm_is_psci_call(cpu, EXCP_HVC)) { 868 /* If PSCI is enabled and this looks like a valid PSCI call then 869 * that overrides the architecturally mandated HVC behaviour. 870 */ 871 return; 872 } 873 874 if (!arm_feature(env, ARM_FEATURE_EL2)) { 875 /* If EL2 doesn't exist, HVC always UNDEFs */ 876 undef = true; 877 } else if (arm_feature(env, ARM_FEATURE_EL3)) { 878 /* EL3.HCE has priority over EL2.HCD. */ 879 undef = !(env->cp15.scr_el3 & SCR_HCE); 880 } else { 881 undef = env->cp15.hcr_el2 & HCR_HCD; 882 } 883 884 /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state. 885 * For ARMv8/AArch64, HVC is allowed in EL3. 886 * Note that we've already trapped HVC from EL0 at translation 887 * time. 888 */ 889 if (secure && (!is_a64(env) || cur_el == 1)) { 890 undef = true; 891 } 892 893 if (undef) { 894 raise_exception(env, EXCP_UDEF, syn_uncategorized(), 895 exception_target_el(env)); 896 } 897 } 898 899 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome) 900 { 901 ARMCPU *cpu = env_archcpu(env); 902 int cur_el = arm_current_el(env); 903 bool secure = arm_is_secure(env); 904 bool smd_flag = env->cp15.scr_el3 & SCR_SMD; 905 906 /* 907 * SMC behaviour is summarized in the following table. 908 * This helper handles the "Trap to EL2" and "Undef insn" cases. 909 * The "Trap to EL3" and "PSCI call" cases are handled in the exception 910 * helper. 911 * 912 * -> ARM_FEATURE_EL3 and !SMD 913 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 914 * 915 * Conduit SMC, valid call Trap to EL2 PSCI Call 916 * Conduit SMC, inval call Trap to EL2 Trap to EL3 917 * Conduit not SMC Trap to EL2 Trap to EL3 918 * 919 * 920 * -> ARM_FEATURE_EL3 and SMD 921 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 922 * 923 * Conduit SMC, valid call Trap to EL2 PSCI Call 924 * Conduit SMC, inval call Trap to EL2 Undef insn 925 * Conduit not SMC Trap to EL2 Undef insn 926 * 927 * 928 * -> !ARM_FEATURE_EL3 929 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1 930 * 931 * Conduit SMC, valid call Trap to EL2 PSCI Call 932 * Conduit SMC, inval call Trap to EL2 Undef insn 933 * Conduit not SMC Undef insn Undef insn 934 */ 935 936 /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state. 937 * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization 938 * extensions, SMD only applies to NS state. 939 * On ARMv7 without the Virtualization extensions, the SMD bit 940 * doesn't exist, but we forbid the guest to set it to 1 in scr_write(), 941 * so we need not special case this here. 942 */ 943 bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag 944 : smd_flag && !secure; 945 946 if (!arm_feature(env, ARM_FEATURE_EL3) && 947 cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) { 948 /* If we have no EL3 then SMC always UNDEFs and can't be 949 * trapped to EL2. PSCI-via-SMC is a sort of ersatz EL3 950 * firmware within QEMU, and we want an EL2 guest to be able 951 * to forbid its EL1 from making PSCI calls into QEMU's 952 * "firmware" via HCR.TSC, so for these purposes treat 953 * PSCI-via-SMC as implying an EL3. 954 * This handles the very last line of the previous table. 955 */ 956 raise_exception(env, EXCP_UDEF, syn_uncategorized(), 957 exception_target_el(env)); 958 } 959 960 if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) { 961 /* In NS EL1, HCR controlled routing to EL2 has priority over SMD. 962 * We also want an EL2 guest to be able to forbid its EL1 from 963 * making PSCI calls into QEMU's "firmware" via HCR.TSC. 964 * This handles all the "Trap to EL2" cases of the previous table. 965 */ 966 raise_exception(env, EXCP_HYP_TRAP, syndrome, 2); 967 } 968 969 /* Catch the two remaining "Undef insn" cases of the previous table: 970 * - PSCI conduit is SMC but we don't have a valid PCSI call, 971 * - We don't have EL3 or SMD is set. 972 */ 973 if (!arm_is_psci_call(cpu, EXCP_SMC) && 974 (smd || !arm_feature(env, ARM_FEATURE_EL3))) { 975 raise_exception(env, EXCP_UDEF, syn_uncategorized(), 976 exception_target_el(env)); 977 } 978 } 979 980 /* ??? Flag setting arithmetic is awkward because we need to do comparisons. 981 The only way to do that in TCG is a conditional branch, which clobbers 982 all our temporaries. For now implement these as helper functions. */ 983 984 /* Similarly for variable shift instructions. */ 985 986 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i) 987 { 988 int shift = i & 0xff; 989 if (shift >= 32) { 990 if (shift == 32) 991 env->CF = x & 1; 992 else 993 env->CF = 0; 994 return 0; 995 } else if (shift != 0) { 996 env->CF = (x >> (32 - shift)) & 1; 997 return x << shift; 998 } 999 return x; 1000 } 1001 1002 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i) 1003 { 1004 int shift = i & 0xff; 1005 if (shift >= 32) { 1006 if (shift == 32) 1007 env->CF = (x >> 31) & 1; 1008 else 1009 env->CF = 0; 1010 return 0; 1011 } else if (shift != 0) { 1012 env->CF = (x >> (shift - 1)) & 1; 1013 return x >> shift; 1014 } 1015 return x; 1016 } 1017 1018 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i) 1019 { 1020 int shift = i & 0xff; 1021 if (shift >= 32) { 1022 env->CF = (x >> 31) & 1; 1023 return (int32_t)x >> 31; 1024 } else if (shift != 0) { 1025 env->CF = (x >> (shift - 1)) & 1; 1026 return (int32_t)x >> shift; 1027 } 1028 return x; 1029 } 1030 1031 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i) 1032 { 1033 int shift1, shift; 1034 shift1 = i & 0xff; 1035 shift = shift1 & 0x1f; 1036 if (shift == 0) { 1037 if (shift1 != 0) 1038 env->CF = (x >> 31) & 1; 1039 return x; 1040 } else { 1041 env->CF = (x >> (shift - 1)) & 1; 1042 return ((uint32_t)x >> shift) | (x << (32 - shift)); 1043 } 1044 } 1045 1046 void HELPER(probe_access)(CPUARMState *env, target_ulong ptr, 1047 uint32_t access_type, uint32_t mmu_idx, 1048 uint32_t size) 1049 { 1050 uint32_t in_page = -((uint32_t)ptr | TARGET_PAGE_SIZE); 1051 uintptr_t ra = GETPC(); 1052 1053 if (likely(size <= in_page)) { 1054 probe_access(env, ptr, size, access_type, mmu_idx, ra); 1055 } else { 1056 probe_access(env, ptr, in_page, access_type, mmu_idx, ra); 1057 probe_access(env, ptr + in_page, size - in_page, 1058 access_type, mmu_idx, ra); 1059 } 1060 } 1061 1062 /* 1063 * This function corresponds to AArch64.vESBOperation(). 1064 * Note that the AArch32 version is not functionally different. 1065 */ 1066 void HELPER(vesb)(CPUARMState *env) 1067 { 1068 /* 1069 * The EL2Enabled() check is done inside arm_hcr_el2_eff, 1070 * and will return HCR_EL2.VSE == 0, so nothing happens. 1071 */ 1072 uint64_t hcr = arm_hcr_el2_eff(env); 1073 bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO); 1074 bool pending = enabled && (hcr & HCR_VSE); 1075 bool masked = (env->daif & PSTATE_A); 1076 1077 /* If VSE pending and masked, defer the exception. */ 1078 if (pending && masked) { 1079 uint32_t syndrome; 1080 1081 if (arm_el_is_aa64(env, 1)) { 1082 /* Copy across IDS and ISS from VSESR. */ 1083 syndrome = env->cp15.vsesr_el2 & 0x1ffffff; 1084 } else { 1085 ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal }; 1086 1087 if (extended_addresses_enabled(env)) { 1088 syndrome = arm_fi_to_lfsc(&fi); 1089 } else { 1090 syndrome = arm_fi_to_sfsc(&fi); 1091 } 1092 /* Copy across AET and ExT from VSESR. */ 1093 syndrome |= env->cp15.vsesr_el2 & 0xd000; 1094 } 1095 1096 /* Set VDISR_EL2.A along with the syndrome. */ 1097 env->cp15.vdisr_el2 = syndrome | (1u << 31); 1098 1099 /* Clear pending virtual SError */ 1100 env->cp15.hcr_el2 &= ~HCR_VSE; 1101 cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR); 1102 } 1103 } 1104