4 * Copyright (c) 2005-2007 CodeSourcery, LLC
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 #include "qemu/osdep.h"
21 #include "exec/helper-proto.h"
22 #include "internals.h"
23 #include "exec/cpu_ldst.h"
25 #define SIGNBIT (uint32_t)0x80000000
26 #define SIGNBIT64 ((uint64_t)1 << 63)
28 static void raise_exception(CPUARMState *env, uint32_t excp,
29 uint32_t syndrome, uint32_t target_el)
31 CPUState *cs = CPU(arm_env_get_cpu(env));
33 assert(!excp_is_internal(excp));
34 cs->exception_index = excp;
35 env->exception.syndrome = syndrome;
36 env->exception.target_el = target_el;
40 static int exception_target_el(CPUARMState *env)
42 int target_el = MAX(1, arm_current_el(env));
44 /* No such thing as secure EL1 if EL3 is aarch32, so update the target EL
45 * to EL3 in this case.
47 if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
54 uint32_t HELPER(neon_tbl)(CPUARMState *env, uint32_t ireg, uint32_t def,
55 uint32_t rn, uint32_t maxindex)
62 table = (uint64_t *)&env->vfp.regs[rn];
64 for (shift = 0; shift < 32; shift += 8) {
65 index = (ireg >> shift) & 0xff;
66 if (index < maxindex) {
67 tmp = (table[index >> 3] >> ((index & 7) << 3)) & 0xff;
70 val |= def & (0xff << shift);
76 #if !defined(CONFIG_USER_ONLY)
78 /* try to fill the TLB and return an exception if error. If retaddr is
79 * NULL, it means that the function was called in C code (i.e. not
80 * from generated code or from helper.c)
82 void tlb_fill(CPUState *cs, target_ulong addr, int is_write, int mmu_idx,
87 ARMMMUFaultInfo fi = {};
89 ret = arm_tlb_fill(cs, addr, is_write, mmu_idx, &fsr, &fi);
91 ARMCPU *cpu = ARM_CPU(cs);
92 CPUARMState *env = &cpu->env;
94 unsigned int target_el;
98 /* now we have a real cpu fault */
99 cpu_restore_state(cs, retaddr);
102 target_el = exception_target_el(env);
105 env->cp15.hpfar_el2 = extract64(fi.s2addr, 12, 47) << 4;
107 same_el = arm_current_el(env) == target_el;
108 /* AArch64 syndrome does not have an LPAE bit */
109 syn = fsr & ~(1 << 9);
111 /* For insn and data aborts we assume there is no instruction syndrome
112 * information; this is always true for exceptions reported to EL1.
115 syn = syn_insn_abort(same_el, 0, fi.s1ptw, syn);
116 exc = EXCP_PREFETCH_ABORT;
118 syn = syn_data_abort_no_iss(same_el,
119 0, 0, fi.s1ptw, is_write == 1, syn);
120 if (is_write == 1 && arm_feature(env, ARM_FEATURE_V6)) {
123 exc = EXCP_DATA_ABORT;
126 env->exception.vaddress = addr;
127 env->exception.fsr = fsr;
128 raise_exception(env, exc, syn, target_el);
132 /* Raise a data fault alignment exception for the specified virtual address */
133 void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr, int is_write,
134 int is_user, uintptr_t retaddr)
136 ARMCPU *cpu = ARM_CPU(cs);
137 CPUARMState *env = &cpu->env;
142 /* now we have a real cpu fault */
143 cpu_restore_state(cs, retaddr);
146 target_el = exception_target_el(env);
147 same_el = (arm_current_el(env) == target_el);
149 env->exception.vaddress = vaddr;
151 /* the DFSR for an alignment fault depends on whether we're using
152 * the LPAE long descriptor format, or the short descriptor format
154 if (arm_s1_regime_using_lpae_format(env, cpu_mmu_index(env, false))) {
155 env->exception.fsr = 0x21;
157 env->exception.fsr = 0x1;
160 if (is_write == 1 && arm_feature(env, ARM_FEATURE_V6)) {
161 env->exception.fsr |= (1 << 11);
164 raise_exception(env, EXCP_DATA_ABORT,
165 syn_data_abort_no_iss(same_el,
166 0, 0, 0, is_write == 1, 0x21),
170 #endif /* !defined(CONFIG_USER_ONLY) */
172 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
174 uint32_t res = a + b;
175 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
180 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
182 uint32_t res = a + b;
183 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
185 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
190 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
192 uint32_t res = a - b;
193 if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
195 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
200 uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
203 if (val >= 0x40000000) {
206 } else if (val <= (int32_t)0xc0000000) {
215 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
217 uint32_t res = a + b;
225 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
227 uint32_t res = a - b;
235 /* Signed saturation. */
236 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
242 mask = (1u << shift) - 1;
246 } else if (top < -1) {
253 /* Unsigned saturation. */
254 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
258 max = (1u << shift) - 1;
262 } else if (val > max) {
269 /* Signed saturate. */
270 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
272 return do_ssat(env, x, shift);
275 /* Dual halfword signed saturate. */
276 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
280 res = (uint16_t)do_ssat(env, (int16_t)x, shift);
281 res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
285 /* Unsigned saturate. */
286 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
288 return do_usat(env, x, shift);
291 /* Dual halfword unsigned saturate. */
292 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
296 res = (uint16_t)do_usat(env, (int16_t)x, shift);
297 res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
301 void HELPER(setend)(CPUARMState *env)
303 env->uncached_cpsr ^= CPSR_E;
306 /* Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
307 * The function returns the target EL (1-3) if the instruction is to be trapped;
308 * otherwise it returns 0 indicating it is not trapped.
310 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
312 int cur_el = arm_current_el(env);
315 /* If we are currently in EL0 then we need to check if SCTLR is set up for
316 * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
318 if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
321 mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
322 if (arm_is_secure_below_el3(env) && !arm_el_is_aa64(env, 3)) {
323 /* Secure EL0 and Secure PL1 is at EL3 */
329 if (!(env->cp15.sctlr_el[target_el] & mask)) {
334 /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
335 * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
336 * bits will be zero indicating no trap.
338 if (cur_el < 2 && !arm_is_secure(env)) {
339 mask = (is_wfe) ? HCR_TWE : HCR_TWI;
340 if (env->cp15.hcr_el2 & mask) {
345 /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
347 mask = (is_wfe) ? SCR_TWE : SCR_TWI;
348 if (env->cp15.scr_el3 & mask) {
356 void HELPER(wfi)(CPUARMState *env)
358 CPUState *cs = CPU(arm_env_get_cpu(env));
359 int target_el = check_wfx_trap(env, false);
361 if (cpu_has_work(cs)) {
362 /* Don't bother to go into our "low power state" if
363 * we would just wake up immediately.
370 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0), target_el);
373 cs->exception_index = EXCP_HLT;
378 void HELPER(wfe)(CPUARMState *env)
380 /* This is a hint instruction that is semantically different
381 * from YIELD even though we currently implement it identically.
382 * Don't actually halt the CPU, just yield back to top
383 * level loop. This is not going into a "low power state"
384 * (ie halting until some event occurs), so we never take
385 * a configurable trap to a different exception level.
390 void HELPER(yield)(CPUARMState *env)
392 ARMCPU *cpu = arm_env_get_cpu(env);
393 CPUState *cs = CPU(cpu);
395 /* This is a non-trappable hint instruction that generally indicates
396 * that the guest is currently busy-looping. Yield control back to the
397 * top level loop so that a more deserving VCPU has a chance to run.
399 cs->exception_index = EXCP_YIELD;
403 /* Raise an internal-to-QEMU exception. This is limited to only
404 * those EXCP values which are special cases for QEMU to interrupt
405 * execution and not to be used for exceptions which are passed to
406 * the guest (those must all have syndrome information and thus should
407 * use exception_with_syndrome).
409 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
411 CPUState *cs = CPU(arm_env_get_cpu(env));
413 assert(excp_is_internal(excp));
414 cs->exception_index = excp;
418 /* Raise an exception with the specified syndrome register value */
419 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
420 uint32_t syndrome, uint32_t target_el)
422 raise_exception(env, excp, syndrome, target_el);
425 uint32_t HELPER(cpsr_read)(CPUARMState *env)
427 return cpsr_read(env) & ~(CPSR_EXEC | CPSR_RESERVED);
430 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
432 cpsr_write(env, val, mask, CPSRWriteByInstr);
435 /* Write the CPSR for a 32-bit exception return */
436 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
438 cpsr_write(env, val, CPSR_ERET_MASK, CPSRWriteExceptionReturn);
441 /* Access to user mode registers from privileged modes. */
442 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
447 val = env->banked_r13[BANK_USRSYS];
448 } else if (regno == 14) {
449 val = env->banked_r14[BANK_USRSYS];
450 } else if (regno >= 8
451 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
452 val = env->usr_regs[regno - 8];
454 val = env->regs[regno];
459 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
462 env->banked_r13[BANK_USRSYS] = val;
463 } else if (regno == 14) {
464 env->banked_r14[BANK_USRSYS] = val;
465 } else if (regno >= 8
466 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
467 env->usr_regs[regno - 8] = val;
469 env->regs[regno] = val;
473 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
475 if ((env->uncached_cpsr & CPSR_M) == mode) {
478 env->banked_r13[bank_number(mode)] = val;
482 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
484 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
485 /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
486 * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
488 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
489 exception_target_el(env));
492 if ((env->uncached_cpsr & CPSR_M) == mode) {
493 return env->regs[13];
495 return env->banked_r13[bank_number(mode)];
499 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
502 /* Raise an exception if the requested access is one of the UNPREDICTABLE
503 * cases; otherwise return. This broadly corresponds to the pseudocode
504 * BankedRegisterAccessValid() and SPSRAccessValid(),
505 * except that we have already handled some cases at translate time.
507 int curmode = env->uncached_cpsr & CPSR_M;
509 if (curmode == tgtmode) {
513 if (tgtmode == ARM_CPU_MODE_USR) {
516 if (curmode != ARM_CPU_MODE_FIQ) {
521 if (curmode == ARM_CPU_MODE_SYS) {
526 if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
535 if (tgtmode == ARM_CPU_MODE_HYP) {
537 case 17: /* ELR_Hyp */
538 if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
543 if (curmode != ARM_CPU_MODE_MON) {
553 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
554 exception_target_el(env));
557 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
560 msr_mrs_banked_exc_checks(env, tgtmode, regno);
564 env->banked_spsr[bank_number(tgtmode)] = value;
566 case 17: /* ELR_Hyp */
567 env->elr_el[2] = value;
570 env->banked_r13[bank_number(tgtmode)] = value;
573 env->banked_r14[bank_number(tgtmode)] = value;
577 case ARM_CPU_MODE_USR:
578 env->usr_regs[regno - 8] = value;
580 case ARM_CPU_MODE_FIQ:
581 env->fiq_regs[regno - 8] = value;
584 g_assert_not_reached();
588 g_assert_not_reached();
592 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
594 msr_mrs_banked_exc_checks(env, tgtmode, regno);
598 return env->banked_spsr[bank_number(tgtmode)];
599 case 17: /* ELR_Hyp */
600 return env->elr_el[2];
602 return env->banked_r13[bank_number(tgtmode)];
604 return env->banked_r14[bank_number(tgtmode)];
607 case ARM_CPU_MODE_USR:
608 return env->usr_regs[regno - 8];
609 case ARM_CPU_MODE_FIQ:
610 return env->fiq_regs[regno - 8];
612 g_assert_not_reached();
615 g_assert_not_reached();
619 void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
622 const ARMCPRegInfo *ri = rip;
625 if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
626 && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
627 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
634 switch (ri->accessfn(env, ri, isread)) {
638 target_el = exception_target_el(env);
640 case CP_ACCESS_TRAP_EL2:
641 /* Requesting a trap to EL2 when we're in EL3 or S-EL0/1 is
642 * a bug in the access function.
644 assert(!arm_is_secure(env) && arm_current_el(env) != 3);
647 case CP_ACCESS_TRAP_EL3:
650 case CP_ACCESS_TRAP_UNCATEGORIZED:
651 target_el = exception_target_el(env);
652 syndrome = syn_uncategorized();
654 case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
656 syndrome = syn_uncategorized();
658 case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
660 syndrome = syn_uncategorized();
662 case CP_ACCESS_TRAP_FP_EL2:
664 /* Since we are an implementation that takes exceptions on a trapped
665 * conditional insn only if the insn has passed its condition code
666 * check, we take the IMPDEF choice to always report CV=1 COND=0xe
667 * (which is also the required value for AArch64 traps).
669 syndrome = syn_fp_access_trap(1, 0xe, false);
671 case CP_ACCESS_TRAP_FP_EL3:
673 syndrome = syn_fp_access_trap(1, 0xe, false);
676 g_assert_not_reached();
679 raise_exception(env, EXCP_UDEF, syndrome, target_el);
682 void HELPER(set_cp_reg)(CPUARMState *env, void *rip, uint32_t value)
684 const ARMCPRegInfo *ri = rip;
686 ri->writefn(env, ri, value);
689 uint32_t HELPER(get_cp_reg)(CPUARMState *env, void *rip)
691 const ARMCPRegInfo *ri = rip;
693 return ri->readfn(env, ri);
696 void HELPER(set_cp_reg64)(CPUARMState *env, void *rip, uint64_t value)
698 const ARMCPRegInfo *ri = rip;
700 ri->writefn(env, ri, value);
703 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, void *rip)
705 const ARMCPRegInfo *ri = rip;
707 return ri->readfn(env, ri);
710 void HELPER(msr_i_pstate)(CPUARMState *env, uint32_t op, uint32_t imm)
712 /* MSR_i to update PSTATE. This is OK from EL0 only if UMA is set.
713 * Note that SPSel is never OK from EL0; we rely on handle_msr_i()
714 * to catch that case at translate time.
716 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UMA)) {
717 uint32_t syndrome = syn_aa64_sysregtrap(0, extract32(op, 0, 3),
718 extract32(op, 3, 3), 4,
720 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
724 case 0x05: /* SPSel */
725 update_spsel(env, imm);
727 case 0x1e: /* DAIFSet */
728 env->daif |= (imm << 6) & PSTATE_DAIF;
730 case 0x1f: /* DAIFClear */
731 env->daif &= ~((imm << 6) & PSTATE_DAIF);
734 g_assert_not_reached();
738 void HELPER(clear_pstate_ss)(CPUARMState *env)
740 env->pstate &= ~PSTATE_SS;
743 void HELPER(pre_hvc)(CPUARMState *env)
745 ARMCPU *cpu = arm_env_get_cpu(env);
746 int cur_el = arm_current_el(env);
747 /* FIXME: Use actual secure state. */
751 if (arm_is_psci_call(cpu, EXCP_HVC)) {
752 /* If PSCI is enabled and this looks like a valid PSCI call then
753 * that overrides the architecturally mandated HVC behaviour.
758 if (!arm_feature(env, ARM_FEATURE_EL2)) {
759 /* If EL2 doesn't exist, HVC always UNDEFs */
761 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
762 /* EL3.HCE has priority over EL2.HCD. */
763 undef = !(env->cp15.scr_el3 & SCR_HCE);
765 undef = env->cp15.hcr_el2 & HCR_HCD;
768 /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
769 * For ARMv8/AArch64, HVC is allowed in EL3.
770 * Note that we've already trapped HVC from EL0 at translation
773 if (secure && (!is_a64(env) || cur_el == 1)) {
778 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
779 exception_target_el(env));
783 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
785 ARMCPU *cpu = arm_env_get_cpu(env);
786 int cur_el = arm_current_el(env);
787 bool secure = arm_is_secure(env);
788 bool smd = env->cp15.scr_el3 & SCR_SMD;
789 /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
790 * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
791 * extensions, SMD only applies to NS state.
792 * On ARMv7 without the Virtualization extensions, the SMD bit
793 * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
794 * so we need not special case this here.
796 bool undef = arm_feature(env, ARM_FEATURE_AARCH64) ? smd : smd && !secure;
798 if (arm_is_psci_call(cpu, EXCP_SMC)) {
799 /* If PSCI is enabled and this looks like a valid PSCI call then
800 * that overrides the architecturally mandated SMC behaviour.
805 if (!arm_feature(env, ARM_FEATURE_EL3)) {
806 /* If we have no EL3 then SMC always UNDEFs */
808 } else if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) {
809 /* In NS EL1, HCR controlled routing to EL2 has priority over SMD. */
810 raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
814 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
815 exception_target_el(env));
819 static int el_from_spsr(uint32_t spsr)
821 /* Return the exception level that this SPSR is requesting a return to,
822 * or -1 if it is invalid (an illegal return)
824 if (spsr & PSTATE_nRW) {
825 switch (spsr & CPSR_M) {
826 case ARM_CPU_MODE_USR:
828 case ARM_CPU_MODE_HYP:
830 case ARM_CPU_MODE_FIQ:
831 case ARM_CPU_MODE_IRQ:
832 case ARM_CPU_MODE_SVC:
833 case ARM_CPU_MODE_ABT:
834 case ARM_CPU_MODE_UND:
835 case ARM_CPU_MODE_SYS:
837 case ARM_CPU_MODE_MON:
838 /* Returning to Mon from AArch64 is never possible,
839 * so this is an illegal return.
845 if (extract32(spsr, 1, 1)) {
846 /* Return with reserved M[1] bit set */
849 if (extract32(spsr, 0, 4) == 1) {
850 /* return to EL0 with M[0] bit set */
853 return extract32(spsr, 2, 2);
857 void HELPER(exception_return)(CPUARMState *env)
859 int cur_el = arm_current_el(env);
860 unsigned int spsr_idx = aarch64_banked_spsr_index(cur_el);
861 uint32_t spsr = env->banked_spsr[spsr_idx];
863 bool return_to_aa64 = (spsr & PSTATE_nRW) == 0;
865 aarch64_save_sp(env, cur_el);
867 env->exclusive_addr = -1;
869 /* We must squash the PSTATE.SS bit to zero unless both of the
871 * 1. debug exceptions are currently disabled
872 * 2. singlestep will be active in the EL we return to
873 * We check 1 here and 2 after we've done the pstate/cpsr write() to
874 * transition to the EL we're going to.
876 if (arm_generate_debug_exceptions(env)) {
880 new_el = el_from_spsr(spsr);
885 || (new_el == 2 && !arm_feature(env, ARM_FEATURE_EL2))) {
886 /* Disallow return to an EL which is unimplemented or higher
887 * than the current one.
892 if (new_el != 0 && arm_el_is_aa64(env, new_el) != return_to_aa64) {
893 /* Return to an EL which is configured for a different register width */
897 if (new_el == 2 && arm_is_secure_below_el3(env)) {
898 /* Return to the non-existent secure-EL2 */
902 if (new_el == 1 && (env->cp15.hcr_el2 & HCR_TGE)
903 && !arm_is_secure_below_el3(env)) {
907 if (!return_to_aa64) {
909 /* We do a raw CPSR write because aarch64_sync_64_to_32()
910 * will sort the register banks out for us, and we've already
911 * caught all the bad-mode cases in el_from_spsr().
913 cpsr_write(env, spsr, ~0, CPSRWriteRaw);
914 if (!arm_singlestep_active(env)) {
915 env->uncached_cpsr &= ~PSTATE_SS;
917 aarch64_sync_64_to_32(env);
920 env->regs[15] = env->elr_el[cur_el] & ~0x1;
922 env->regs[15] = env->elr_el[cur_el] & ~0x3;
926 pstate_write(env, spsr);
927 if (!arm_singlestep_active(env)) {
928 env->pstate &= ~PSTATE_SS;
930 aarch64_restore_sp(env, new_el);
931 env->pc = env->elr_el[cur_el];
937 /* Illegal return events of various kinds have architecturally
938 * mandated behaviour:
939 * restore NZCV and DAIF from SPSR_ELx
941 * restore PC from ELR_ELx
942 * no change to exception level, execution state or stack pointer
944 env->pstate |= PSTATE_IL;
945 env->pc = env->elr_el[cur_el];
946 spsr &= PSTATE_NZCV | PSTATE_DAIF;
947 spsr |= pstate_read(env) & ~(PSTATE_NZCV | PSTATE_DAIF);
948 pstate_write(env, spsr);
949 if (!arm_singlestep_active(env)) {
950 env->pstate &= ~PSTATE_SS;
954 /* Return true if the linked breakpoint entry lbn passes its checks */
955 static bool linked_bp_matches(ARMCPU *cpu, int lbn)
957 CPUARMState *env = &cpu->env;
958 uint64_t bcr = env->cp15.dbgbcr[lbn];
959 int brps = extract32(cpu->dbgdidr, 24, 4);
960 int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
964 /* Links to unimplemented or non-context aware breakpoints are
965 * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
966 * as if linked to an UNKNOWN context-aware breakpoint (in which
967 * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
968 * We choose the former.
970 if (lbn > brps || lbn < (brps - ctx_cmps)) {
974 bcr = env->cp15.dbgbcr[lbn];
976 if (extract64(bcr, 0, 1) == 0) {
977 /* Linked breakpoint disabled : generate no events */
981 bt = extract64(bcr, 20, 4);
983 /* We match the whole register even if this is AArch32 using the
984 * short descriptor format (in which case it holds both PROCID and ASID),
985 * since we don't implement the optional v7 context ID masking.
987 contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
990 case 3: /* linked context ID match */
991 if (arm_current_el(env) > 1) {
992 /* Context matches never fire in EL2 or (AArch64) EL3 */
995 return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
996 case 5: /* linked address mismatch (reserved in AArch64) */
997 case 9: /* linked VMID match (reserved if no EL2) */
998 case 11: /* linked context ID and VMID match (reserved if no EL2) */
1000 /* Links to Unlinked context breakpoints must generate no
1001 * events; we choose to do the same for reserved values too.
1009 static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
1011 CPUARMState *env = &cpu->env;
1013 int pac, hmc, ssc, wt, lbn;
1014 /* Note that for watchpoints the check is against the CPU security
1015 * state, not the S/NS attribute on the offending data access.
1017 bool is_secure = arm_is_secure(env);
1018 int access_el = arm_current_el(env);
1021 CPUWatchpoint *wp = env->cpu_watchpoint[n];
1023 if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
1026 cr = env->cp15.dbgwcr[n];
1027 if (wp->hitattrs.user) {
1028 /* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
1029 * match watchpoints as if they were accesses done at EL0, even if
1030 * the CPU is at EL1 or higher.
1035 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1037 if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
1040 cr = env->cp15.dbgbcr[n];
1042 /* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
1043 * enabled and that the address and access type match; for breakpoints
1044 * we know the address matched; check the remaining fields, including
1045 * linked breakpoints. We rely on WCR and BCR having the same layout
1046 * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
1047 * Note that some combinations of {PAC, HMC, SSC} are reserved and
1048 * must act either like some valid combination or as if the watchpoint
1049 * were disabled. We choose the former, and use this together with
1050 * the fact that EL3 must always be Secure and EL2 must always be
1051 * Non-Secure to simplify the code slightly compared to the full
1052 * table in the ARM ARM.
1054 pac = extract64(cr, 1, 2);
1055 hmc = extract64(cr, 13, 1);
1056 ssc = extract64(cr, 14, 2);
1074 switch (access_el) {
1082 if (extract32(pac, 0, 1) == 0) {
1087 if (extract32(pac, 1, 1) == 0) {
1092 g_assert_not_reached();
1095 wt = extract64(cr, 20, 1);
1096 lbn = extract64(cr, 16, 4);
1098 if (wt && !linked_bp_matches(cpu, lbn)) {
1105 static bool check_watchpoints(ARMCPU *cpu)
1107 CPUARMState *env = &cpu->env;
1110 /* If watchpoints are disabled globally or we can't take debug
1111 * exceptions here then watchpoint firings are ignored.
1113 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1114 || !arm_generate_debug_exceptions(env)) {
1118 for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
1119 if (bp_wp_matches(cpu, n, true)) {
1126 static bool check_breakpoints(ARMCPU *cpu)
1128 CPUARMState *env = &cpu->env;
1131 /* If breakpoints are disabled globally or we can't take debug
1132 * exceptions here then breakpoint firings are ignored.
1134 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1135 || !arm_generate_debug_exceptions(env)) {
1139 for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
1140 if (bp_wp_matches(cpu, n, false)) {
1147 void HELPER(check_breakpoints)(CPUARMState *env)
1149 ARMCPU *cpu = arm_env_get_cpu(env);
1151 if (check_breakpoints(cpu)) {
1152 HELPER(exception_internal(env, EXCP_DEBUG));
1156 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
1158 /* Called by core code when a CPU watchpoint fires; need to check if this
1159 * is also an architectural watchpoint match.
1161 ARMCPU *cpu = ARM_CPU(cs);
1163 return check_watchpoints(cpu);
1166 void arm_debug_excp_handler(CPUState *cs)
1168 /* Called by core code when a watchpoint or breakpoint fires;
1169 * need to check which one and raise the appropriate exception.
1171 ARMCPU *cpu = ARM_CPU(cs);
1172 CPUARMState *env = &cpu->env;
1173 CPUWatchpoint *wp_hit = cs->watchpoint_hit;
1176 if (wp_hit->flags & BP_CPU) {
1177 bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
1178 bool same_el = arm_debug_target_el(env) == arm_current_el(env);
1180 cs->watchpoint_hit = NULL;
1182 if (extended_addresses_enabled(env)) {
1183 env->exception.fsr = (1 << 9) | 0x22;
1185 env->exception.fsr = 0x2;
1187 env->exception.vaddress = wp_hit->hitaddr;
1188 raise_exception(env, EXCP_DATA_ABORT,
1189 syn_watchpoint(same_el, 0, wnr),
1190 arm_debug_target_el(env));
1193 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1194 bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
1196 /* (1) GDB breakpoints should be handled first.
1197 * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
1198 * since singlestep is also done by generating a debug internal
1201 if (cpu_breakpoint_test(cs, pc, BP_GDB)
1202 || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
1206 if (extended_addresses_enabled(env)) {
1207 env->exception.fsr = (1 << 9) | 0x22;
1209 env->exception.fsr = 0x2;
1211 /* FAR is UNKNOWN, so doesn't need setting */
1212 raise_exception(env, EXCP_PREFETCH_ABORT,
1213 syn_breakpoint(same_el),
1214 arm_debug_target_el(env));
1218 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1219 The only way to do that in TCG is a conditional branch, which clobbers
1220 all our temporaries. For now implement these as helper functions. */
1222 /* Similarly for variable shift instructions. */
1224 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1226 int shift = i & 0xff;
1233 } else if (shift != 0) {
1234 env->CF = (x >> (32 - shift)) & 1;
1240 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1242 int shift = i & 0xff;
1245 env->CF = (x >> 31) & 1;
1249 } else if (shift != 0) {
1250 env->CF = (x >> (shift - 1)) & 1;
1256 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1258 int shift = i & 0xff;
1260 env->CF = (x >> 31) & 1;
1261 return (int32_t)x >> 31;
1262 } else if (shift != 0) {
1263 env->CF = (x >> (shift - 1)) & 1;
1264 return (int32_t)x >> shift;
1269 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1273 shift = shift1 & 0x1f;
1276 env->CF = (x >> 31) & 1;
1279 env->CF = (x >> (shift - 1)) & 1;
1280 return ((uint32_t)x >> shift) | (x << (32 - shift));
projects / qemu.git / blob