4 * Copyright (c) 2005-2007 CodeSourcery, LLC
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
23 #include "exec/helper-proto.h"
24 #include "internals.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
28 #define SIGNBIT (uint32_t)0x80000000
29 #define SIGNBIT64 ((uint64_t)1 << 63)
31 static CPUState *do_raise_exception(CPUARMState *env, uint32_t excp,
32 uint32_t syndrome, uint32_t target_el)
34 CPUState *cs = CPU(arm_env_get_cpu(env));
36 if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
38 * Redirect NS EL1 exceptions to NS EL2. These are reported with
39 * their original syndrome register value, with the exception of
40 * SIMD/FP access traps, which are reported as uncategorized
41 * (see DDI0478C.a D1.10.4)
44 if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) {
45 syndrome = syn_uncategorized();
49 assert(!excp_is_internal(excp));
50 cs->exception_index = excp;
51 env->exception.syndrome = syndrome;
52 env->exception.target_el = target_el;
57 void raise_exception(CPUARMState *env, uint32_t excp,
58 uint32_t syndrome, uint32_t target_el)
60 CPUState *cs = do_raise_exception(env, excp, syndrome, target_el);
64 void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome,
65 uint32_t target_el, uintptr_t ra)
67 CPUState *cs = do_raise_exception(env, excp, syndrome, target_el);
68 cpu_loop_exit_restore(cs, ra);
71 static int exception_target_el(CPUARMState *env)
73 int target_el = MAX(1, arm_current_el(env));
75 /* No such thing as secure EL1 if EL3 is aarch32, so update the target EL
76 * to EL3 in this case.
78 if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
85 uint32_t HELPER(neon_tbl)(uint32_t ireg, uint32_t def, void *vn,
92 for (shift = 0; shift < 32; shift += 8) {
93 uint32_t index = (ireg >> shift) & 0xff;
94 if (index < maxindex) {
95 uint32_t tmp = (table[index >> 3] >> ((index & 7) << 3)) & 0xff;
98 val |= def & (0xff << shift);
104 #if !defined(CONFIG_USER_ONLY)
106 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
107 unsigned int target_el,
108 bool same_el, bool ea,
109 bool s1ptw, bool is_write,
114 /* ISV is only set for data aborts routed to EL2 and
115 * never for stage-1 page table walks faulting on stage 2.
117 * Furthermore, ISV is only set for certain kinds of load/stores.
118 * If the template syndrome does not have ISV set, we should leave
121 * See ARMv8 specs, D7-1974:
122 * ISS encoding for an exception from a Data Abort, the
125 if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
126 syn = syn_data_abort_no_iss(same_el,
127 ea, 0, s1ptw, is_write, fsc);
129 /* Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
130 * syndrome created at translation time.
131 * Now we create the runtime syndrome with the remaining fields.
133 syn = syn_data_abort_with_iss(same_el,
135 ea, 0, s1ptw, is_write, fsc,
137 /* Merge the runtime syndrome with the template syndrome. */
143 static void deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
144 int mmu_idx, ARMMMUFaultInfo *fi)
146 CPUARMState *env = &cpu->env;
149 uint32_t syn, exc, fsr, fsc;
150 ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
152 target_el = exception_target_el(env);
155 env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
157 same_el = (arm_current_el(env) == target_el);
159 if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
160 arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
161 /* LPAE format fault status register : bottom 6 bits are
162 * status code in the same form as needed for syndrome
164 fsr = arm_fi_to_lfsc(fi);
165 fsc = extract32(fsr, 0, 6);
167 fsr = arm_fi_to_sfsc(fi);
168 /* Short format FSR : this fault will never actually be reported
169 * to an EL that uses a syndrome register. Use a (currently)
170 * reserved FSR code in case the constructed syndrome does leak
171 * into the guest somehow.
176 if (access_type == MMU_INST_FETCH) {
177 syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
178 exc = EXCP_PREFETCH_ABORT;
180 syn = merge_syn_data_abort(env->exception.syndrome, target_el,
181 same_el, fi->ea, fi->s1ptw,
182 access_type == MMU_DATA_STORE,
184 if (access_type == MMU_DATA_STORE
185 && arm_feature(env, ARM_FEATURE_V6)) {
188 exc = EXCP_DATA_ABORT;
191 env->exception.vaddress = addr;
192 env->exception.fsr = fsr;
193 raise_exception(env, exc, syn, target_el);
196 /* try to fill the TLB and return an exception if error. If retaddr is
197 * NULL, it means that the function was called in C code (i.e. not
198 * from generated code or from helper.c)
200 void tlb_fill(CPUState *cs, target_ulong addr, int size,
201 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
204 ARMMMUFaultInfo fi = {};
206 ret = arm_tlb_fill(cs, addr, access_type, mmu_idx, &fi);
208 ARMCPU *cpu = ARM_CPU(cs);
210 /* now we have a real cpu fault */
211 cpu_restore_state(cs, retaddr, true);
213 deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
217 /* Raise a data fault alignment exception for the specified virtual address */
218 void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
219 MMUAccessType access_type,
220 int mmu_idx, uintptr_t retaddr)
222 ARMCPU *cpu = ARM_CPU(cs);
223 ARMMMUFaultInfo fi = {};
225 /* now we have a real cpu fault */
226 cpu_restore_state(cs, retaddr, true);
228 fi.type = ARMFault_Alignment;
229 deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
232 /* arm_cpu_do_transaction_failed: handle a memory system error response
233 * (eg "no device/memory present at address") by raising an external abort
236 void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
237 vaddr addr, unsigned size,
238 MMUAccessType access_type,
239 int mmu_idx, MemTxAttrs attrs,
240 MemTxResult response, uintptr_t retaddr)
242 ARMCPU *cpu = ARM_CPU(cs);
243 ARMMMUFaultInfo fi = {};
245 /* now we have a real cpu fault */
246 cpu_restore_state(cs, retaddr, true);
248 fi.ea = arm_extabort_type(response);
249 fi.type = ARMFault_SyncExternal;
250 deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
253 #endif /* !defined(CONFIG_USER_ONLY) */
255 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
258 * Perform the v8M stack limit check for SP updates from translated code,
259 * raising an exception if the limit is breached.
261 if (newvalue < v7m_sp_limit(env)) {
262 CPUState *cs = CPU(arm_env_get_cpu(env));
265 * Stack limit exceptions are a rare case, so rather than syncing
266 * PC/condbits before the call, we use cpu_restore_state() to
267 * get them right before raising the exception.
269 cpu_restore_state(cs, GETPC(), true);
270 raise_exception(env, EXCP_STKOF, 0, 1);
274 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
276 uint32_t res = a + b;
277 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
282 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
284 uint32_t res = a + b;
285 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
287 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
292 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
294 uint32_t res = a - b;
295 if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
297 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
302 uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
305 if (val >= 0x40000000) {
308 } else if (val <= (int32_t)0xc0000000) {
317 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
319 uint32_t res = a + b;
327 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
329 uint32_t res = a - b;
337 /* Signed saturation. */
338 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
344 mask = (1u << shift) - 1;
348 } else if (top < -1) {
355 /* Unsigned saturation. */
356 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
360 max = (1u << shift) - 1;
364 } else if (val > max) {
371 /* Signed saturate. */
372 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
374 return do_ssat(env, x, shift);
377 /* Dual halfword signed saturate. */
378 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
382 res = (uint16_t)do_ssat(env, (int16_t)x, shift);
383 res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
387 /* Unsigned saturate. */
388 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
390 return do_usat(env, x, shift);
393 /* Dual halfword unsigned saturate. */
394 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
398 res = (uint16_t)do_usat(env, (int16_t)x, shift);
399 res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
403 void HELPER(setend)(CPUARMState *env)
405 env->uncached_cpsr ^= CPSR_E;
408 /* Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
409 * The function returns the target EL (1-3) if the instruction is to be trapped;
410 * otherwise it returns 0 indicating it is not trapped.
412 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
414 int cur_el = arm_current_el(env);
417 if (arm_feature(env, ARM_FEATURE_M)) {
418 /* M profile cores can never trap WFI/WFE. */
422 /* If we are currently in EL0 then we need to check if SCTLR is set up for
423 * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
425 if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
428 mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
429 if (arm_is_secure_below_el3(env) && !arm_el_is_aa64(env, 3)) {
430 /* Secure EL0 and Secure PL1 is at EL3 */
436 if (!(env->cp15.sctlr_el[target_el] & mask)) {
441 /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
442 * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
443 * bits will be zero indicating no trap.
446 mask = is_wfe ? HCR_TWE : HCR_TWI;
447 if (arm_hcr_el2_eff(env) & mask) {
452 /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
454 mask = (is_wfe) ? SCR_TWE : SCR_TWI;
455 if (env->cp15.scr_el3 & mask) {
463 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
465 CPUState *cs = CPU(arm_env_get_cpu(env));
466 int target_el = check_wfx_trap(env, false);
468 if (cpu_has_work(cs)) {
469 /* Don't bother to go into our "low power state" if
470 * we would just wake up immediately.
477 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2),
481 cs->exception_index = EXCP_HLT;
486 void HELPER(wfe)(CPUARMState *env)
488 /* This is a hint instruction that is semantically different
489 * from YIELD even though we currently implement it identically.
490 * Don't actually halt the CPU, just yield back to top
491 * level loop. This is not going into a "low power state"
492 * (ie halting until some event occurs), so we never take
493 * a configurable trap to a different exception level.
498 void HELPER(yield)(CPUARMState *env)
500 ARMCPU *cpu = arm_env_get_cpu(env);
501 CPUState *cs = CPU(cpu);
503 /* This is a non-trappable hint instruction that generally indicates
504 * that the guest is currently busy-looping. Yield control back to the
505 * top level loop so that a more deserving VCPU has a chance to run.
507 cs->exception_index = EXCP_YIELD;
511 /* Raise an internal-to-QEMU exception. This is limited to only
512 * those EXCP values which are special cases for QEMU to interrupt
513 * execution and not to be used for exceptions which are passed to
514 * the guest (those must all have syndrome information and thus should
515 * use exception_with_syndrome).
517 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
519 CPUState *cs = CPU(arm_env_get_cpu(env));
521 assert(excp_is_internal(excp));
522 cs->exception_index = excp;
526 /* Raise an exception with the specified syndrome register value */
527 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
528 uint32_t syndrome, uint32_t target_el)
530 raise_exception(env, excp, syndrome, target_el);
533 /* Raise an EXCP_BKPT with the specified syndrome register value,
534 * targeting the correct exception level for debug exceptions.
536 void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome)
538 /* FSR will only be used if the debug target EL is AArch32. */
539 env->exception.fsr = arm_debug_exception_fsr(env);
540 /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
541 * values to the guest that it shouldn't be able to see at its
542 * exception/security level.
544 env->exception.vaddress = 0;
545 raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env));
548 uint32_t HELPER(cpsr_read)(CPUARMState *env)
550 return cpsr_read(env) & ~(CPSR_EXEC | CPSR_RESERVED);
553 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
555 cpsr_write(env, val, mask, CPSRWriteByInstr);
558 /* Write the CPSR for a 32-bit exception return */
559 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
561 qemu_mutex_lock_iothread();
562 arm_call_pre_el_change_hook(arm_env_get_cpu(env));
563 qemu_mutex_unlock_iothread();
565 cpsr_write(env, val, CPSR_ERET_MASK, CPSRWriteExceptionReturn);
567 /* Generated code has already stored the new PC value, but
568 * without masking out its low bits, because which bits need
569 * masking depends on whether we're returning to Thumb or ARM
570 * state. Do the masking now.
572 env->regs[15] &= (env->thumb ? ~1 : ~3);
574 qemu_mutex_lock_iothread();
575 arm_call_el_change_hook(arm_env_get_cpu(env));
576 qemu_mutex_unlock_iothread();
579 /* Access to user mode registers from privileged modes. */
580 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
585 val = env->banked_r13[BANK_USRSYS];
586 } else if (regno == 14) {
587 val = env->banked_r14[BANK_USRSYS];
588 } else if (regno >= 8
589 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
590 val = env->usr_regs[regno - 8];
592 val = env->regs[regno];
597 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
600 env->banked_r13[BANK_USRSYS] = val;
601 } else if (regno == 14) {
602 env->banked_r14[BANK_USRSYS] = val;
603 } else if (regno >= 8
604 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
605 env->usr_regs[regno - 8] = val;
607 env->regs[regno] = val;
611 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
613 if ((env->uncached_cpsr & CPSR_M) == mode) {
616 env->banked_r13[bank_number(mode)] = val;
620 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
622 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
623 /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
624 * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
626 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
627 exception_target_el(env));
630 if ((env->uncached_cpsr & CPSR_M) == mode) {
631 return env->regs[13];
633 return env->banked_r13[bank_number(mode)];
637 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
640 /* Raise an exception if the requested access is one of the UNPREDICTABLE
641 * cases; otherwise return. This broadly corresponds to the pseudocode
642 * BankedRegisterAccessValid() and SPSRAccessValid(),
643 * except that we have already handled some cases at translate time.
645 int curmode = env->uncached_cpsr & CPSR_M;
648 /* ELR_Hyp: a special case because access from tgtmode is OK */
649 if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
655 if (curmode == tgtmode) {
659 if (tgtmode == ARM_CPU_MODE_USR) {
662 if (curmode != ARM_CPU_MODE_FIQ) {
667 if (curmode == ARM_CPU_MODE_SYS) {
672 if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
681 if (tgtmode == ARM_CPU_MODE_HYP) {
682 /* SPSR_Hyp, r13_hyp: accessible from Monitor mode only */
683 if (curmode != ARM_CPU_MODE_MON) {
691 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
692 exception_target_el(env));
695 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
698 msr_mrs_banked_exc_checks(env, tgtmode, regno);
702 env->banked_spsr[bank_number(tgtmode)] = value;
704 case 17: /* ELR_Hyp */
705 env->elr_el[2] = value;
708 env->banked_r13[bank_number(tgtmode)] = value;
711 env->banked_r14[r14_bank_number(tgtmode)] = value;
715 case ARM_CPU_MODE_USR:
716 env->usr_regs[regno - 8] = value;
718 case ARM_CPU_MODE_FIQ:
719 env->fiq_regs[regno - 8] = value;
722 g_assert_not_reached();
726 g_assert_not_reached();
730 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
732 msr_mrs_banked_exc_checks(env, tgtmode, regno);
736 return env->banked_spsr[bank_number(tgtmode)];
737 case 17: /* ELR_Hyp */
738 return env->elr_el[2];
740 return env->banked_r13[bank_number(tgtmode)];
742 return env->banked_r14[r14_bank_number(tgtmode)];
745 case ARM_CPU_MODE_USR:
746 return env->usr_regs[regno - 8];
747 case ARM_CPU_MODE_FIQ:
748 return env->fiq_regs[regno - 8];
750 g_assert_not_reached();
753 g_assert_not_reached();
757 void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
760 const ARMCPRegInfo *ri = rip;
763 if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
764 && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
765 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
772 switch (ri->accessfn(env, ri, isread)) {
776 target_el = exception_target_el(env);
778 case CP_ACCESS_TRAP_EL2:
779 /* Requesting a trap to EL2 when we're in EL3 or S-EL0/1 is
780 * a bug in the access function.
782 assert(!arm_is_secure(env) && arm_current_el(env) != 3);
785 case CP_ACCESS_TRAP_EL3:
788 case CP_ACCESS_TRAP_UNCATEGORIZED:
789 target_el = exception_target_el(env);
790 syndrome = syn_uncategorized();
792 case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
794 syndrome = syn_uncategorized();
796 case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
798 syndrome = syn_uncategorized();
800 case CP_ACCESS_TRAP_FP_EL2:
802 /* Since we are an implementation that takes exceptions on a trapped
803 * conditional insn only if the insn has passed its condition code
804 * check, we take the IMPDEF choice to always report CV=1 COND=0xe
805 * (which is also the required value for AArch64 traps).
807 syndrome = syn_fp_access_trap(1, 0xe, false);
809 case CP_ACCESS_TRAP_FP_EL3:
811 syndrome = syn_fp_access_trap(1, 0xe, false);
814 g_assert_not_reached();
817 raise_exception(env, EXCP_UDEF, syndrome, target_el);
820 void HELPER(set_cp_reg)(CPUARMState *env, void *rip, uint32_t value)
822 const ARMCPRegInfo *ri = rip;
824 if (ri->type & ARM_CP_IO) {
825 qemu_mutex_lock_iothread();
826 ri->writefn(env, ri, value);
827 qemu_mutex_unlock_iothread();
829 ri->writefn(env, ri, value);
833 uint32_t HELPER(get_cp_reg)(CPUARMState *env, void *rip)
835 const ARMCPRegInfo *ri = rip;
838 if (ri->type & ARM_CP_IO) {
839 qemu_mutex_lock_iothread();
840 res = ri->readfn(env, ri);
841 qemu_mutex_unlock_iothread();
843 res = ri->readfn(env, ri);
849 void HELPER(set_cp_reg64)(CPUARMState *env, void *rip, uint64_t value)
851 const ARMCPRegInfo *ri = rip;
853 if (ri->type & ARM_CP_IO) {
854 qemu_mutex_lock_iothread();
855 ri->writefn(env, ri, value);
856 qemu_mutex_unlock_iothread();
858 ri->writefn(env, ri, value);
862 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, void *rip)
864 const ARMCPRegInfo *ri = rip;
867 if (ri->type & ARM_CP_IO) {
868 qemu_mutex_lock_iothread();
869 res = ri->readfn(env, ri);
870 qemu_mutex_unlock_iothread();
872 res = ri->readfn(env, ri);
878 void HELPER(msr_i_pstate)(CPUARMState *env, uint32_t op, uint32_t imm)
880 /* MSR_i to update PSTATE. This is OK from EL0 only if UMA is set.
881 * Note that SPSel is never OK from EL0; we rely on handle_msr_i()
882 * to catch that case at translate time.
884 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UMA)) {
885 uint32_t syndrome = syn_aa64_sysregtrap(0, extract32(op, 0, 3),
886 extract32(op, 3, 3), 4,
888 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
892 case 0x05: /* SPSel */
893 update_spsel(env, imm);
895 case 0x1e: /* DAIFSet */
896 env->daif |= (imm << 6) & PSTATE_DAIF;
898 case 0x1f: /* DAIFClear */
899 env->daif &= ~((imm << 6) & PSTATE_DAIF);
902 g_assert_not_reached();
906 void HELPER(clear_pstate_ss)(CPUARMState *env)
908 env->pstate &= ~PSTATE_SS;
911 void HELPER(pre_hvc)(CPUARMState *env)
913 ARMCPU *cpu = arm_env_get_cpu(env);
914 int cur_el = arm_current_el(env);
915 /* FIXME: Use actual secure state. */
919 if (arm_is_psci_call(cpu, EXCP_HVC)) {
920 /* If PSCI is enabled and this looks like a valid PSCI call then
921 * that overrides the architecturally mandated HVC behaviour.
926 if (!arm_feature(env, ARM_FEATURE_EL2)) {
927 /* If EL2 doesn't exist, HVC always UNDEFs */
929 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
930 /* EL3.HCE has priority over EL2.HCD. */
931 undef = !(env->cp15.scr_el3 & SCR_HCE);
933 undef = env->cp15.hcr_el2 & HCR_HCD;
936 /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
937 * For ARMv8/AArch64, HVC is allowed in EL3.
938 * Note that we've already trapped HVC from EL0 at translation
941 if (secure && (!is_a64(env) || cur_el == 1)) {
946 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
947 exception_target_el(env));
951 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
953 ARMCPU *cpu = arm_env_get_cpu(env);
954 int cur_el = arm_current_el(env);
955 bool secure = arm_is_secure(env);
956 bool smd_flag = env->cp15.scr_el3 & SCR_SMD;
959 * SMC behaviour is summarized in the following table.
960 * This helper handles the "Trap to EL2" and "Undef insn" cases.
961 * The "Trap to EL3" and "PSCI call" cases are handled in the exception
964 * -> ARM_FEATURE_EL3 and !SMD
965 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
967 * Conduit SMC, valid call Trap to EL2 PSCI Call
968 * Conduit SMC, inval call Trap to EL2 Trap to EL3
969 * Conduit not SMC Trap to EL2 Trap to EL3
972 * -> ARM_FEATURE_EL3 and SMD
973 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
975 * Conduit SMC, valid call Trap to EL2 PSCI Call
976 * Conduit SMC, inval call Trap to EL2 Undef insn
977 * Conduit not SMC Trap to EL2 Undef insn
980 * -> !ARM_FEATURE_EL3
981 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
983 * Conduit SMC, valid call Trap to EL2 PSCI Call
984 * Conduit SMC, inval call Trap to EL2 Undef insn
985 * Conduit not SMC Undef insn Undef insn
988 /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
989 * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
990 * extensions, SMD only applies to NS state.
991 * On ARMv7 without the Virtualization extensions, the SMD bit
992 * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
993 * so we need not special case this here.
995 bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag
996 : smd_flag && !secure;
998 if (!arm_feature(env, ARM_FEATURE_EL3) &&
999 cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
1000 /* If we have no EL3 then SMC always UNDEFs and can't be
1001 * trapped to EL2. PSCI-via-SMC is a sort of ersatz EL3
1002 * firmware within QEMU, and we want an EL2 guest to be able
1003 * to forbid its EL1 from making PSCI calls into QEMU's
1004 * "firmware" via HCR.TSC, so for these purposes treat
1005 * PSCI-via-SMC as implying an EL3.
1006 * This handles the very last line of the previous table.
1008 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1009 exception_target_el(env));
1012 if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
1013 /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
1014 * We also want an EL2 guest to be able to forbid its EL1 from
1015 * making PSCI calls into QEMU's "firmware" via HCR.TSC.
1016 * This handles all the "Trap to EL2" cases of the previous table.
1018 raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
1021 /* Catch the two remaining "Undef insn" cases of the previous table:
1022 * - PSCI conduit is SMC but we don't have a valid PCSI call,
1023 * - We don't have EL3 or SMD is set.
1025 if (!arm_is_psci_call(cpu, EXCP_SMC) &&
1026 (smd || !arm_feature(env, ARM_FEATURE_EL3))) {
1027 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1028 exception_target_el(env));
1032 static int el_from_spsr(uint32_t spsr)
1034 /* Return the exception level that this SPSR is requesting a return to,
1035 * or -1 if it is invalid (an illegal return)
1037 if (spsr & PSTATE_nRW) {
1038 switch (spsr & CPSR_M) {
1039 case ARM_CPU_MODE_USR:
1041 case ARM_CPU_MODE_HYP:
1043 case ARM_CPU_MODE_FIQ:
1044 case ARM_CPU_MODE_IRQ:
1045 case ARM_CPU_MODE_SVC:
1046 case ARM_CPU_MODE_ABT:
1047 case ARM_CPU_MODE_UND:
1048 case ARM_CPU_MODE_SYS:
1050 case ARM_CPU_MODE_MON:
1051 /* Returning to Mon from AArch64 is never possible,
1052 * so this is an illegal return.
1058 if (extract32(spsr, 1, 1)) {
1059 /* Return with reserved M[1] bit set */
1062 if (extract32(spsr, 0, 4) == 1) {
1063 /* return to EL0 with M[0] bit set */
1066 return extract32(spsr, 2, 2);
1070 void HELPER(exception_return)(CPUARMState *env)
1072 int cur_el = arm_current_el(env);
1073 unsigned int spsr_idx = aarch64_banked_spsr_index(cur_el);
1074 uint32_t spsr = env->banked_spsr[spsr_idx];
1076 bool return_to_aa64 = (spsr & PSTATE_nRW) == 0;
1078 aarch64_save_sp(env, cur_el);
1080 arm_clear_exclusive(env);
1082 /* We must squash the PSTATE.SS bit to zero unless both of the
1084 * 1. debug exceptions are currently disabled
1085 * 2. singlestep will be active in the EL we return to
1086 * We check 1 here and 2 after we've done the pstate/cpsr write() to
1087 * transition to the EL we're going to.
1089 if (arm_generate_debug_exceptions(env)) {
1093 new_el = el_from_spsr(spsr);
1095 goto illegal_return;
1098 || (new_el == 2 && !arm_feature(env, ARM_FEATURE_EL2))) {
1099 /* Disallow return to an EL which is unimplemented or higher
1100 * than the current one.
1102 goto illegal_return;
1105 if (new_el != 0 && arm_el_is_aa64(env, new_el) != return_to_aa64) {
1106 /* Return to an EL which is configured for a different register width */
1107 goto illegal_return;
1110 if (new_el == 2 && arm_is_secure_below_el3(env)) {
1111 /* Return to the non-existent secure-EL2 */
1112 goto illegal_return;
1115 if (new_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
1116 goto illegal_return;
1119 qemu_mutex_lock_iothread();
1120 arm_call_pre_el_change_hook(arm_env_get_cpu(env));
1121 qemu_mutex_unlock_iothread();
1123 if (!return_to_aa64) {
1125 /* We do a raw CPSR write because aarch64_sync_64_to_32()
1126 * will sort the register banks out for us, and we've already
1127 * caught all the bad-mode cases in el_from_spsr().
1129 cpsr_write(env, spsr, ~0, CPSRWriteRaw);
1130 if (!arm_singlestep_active(env)) {
1131 env->uncached_cpsr &= ~PSTATE_SS;
1133 aarch64_sync_64_to_32(env);
1135 if (spsr & CPSR_T) {
1136 env->regs[15] = env->elr_el[cur_el] & ~0x1;
1138 env->regs[15] = env->elr_el[cur_el] & ~0x3;
1140 qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to "
1141 "AArch32 EL%d PC 0x%" PRIx32 "\n",
1142 cur_el, new_el, env->regs[15]);
1145 pstate_write(env, spsr);
1146 if (!arm_singlestep_active(env)) {
1147 env->pstate &= ~PSTATE_SS;
1149 aarch64_restore_sp(env, new_el);
1150 env->pc = env->elr_el[cur_el];
1151 qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to "
1152 "AArch64 EL%d PC 0x%" PRIx64 "\n",
1153 cur_el, new_el, env->pc);
1156 * Note that cur_el can never be 0. If new_el is 0, then
1157 * el0_a64 is return_to_aa64, else el0_a64 is ignored.
1159 aarch64_sve_change_el(env, cur_el, new_el, return_to_aa64);
1161 qemu_mutex_lock_iothread();
1162 arm_call_el_change_hook(arm_env_get_cpu(env));
1163 qemu_mutex_unlock_iothread();
1168 /* Illegal return events of various kinds have architecturally
1169 * mandated behaviour:
1170 * restore NZCV and DAIF from SPSR_ELx
1172 * restore PC from ELR_ELx
1173 * no change to exception level, execution state or stack pointer
1175 env->pstate |= PSTATE_IL;
1176 env->pc = env->elr_el[cur_el];
1177 spsr &= PSTATE_NZCV | PSTATE_DAIF;
1178 spsr |= pstate_read(env) & ~(PSTATE_NZCV | PSTATE_DAIF);
1179 pstate_write(env, spsr);
1180 if (!arm_singlestep_active(env)) {
1181 env->pstate &= ~PSTATE_SS;
1183 qemu_log_mask(LOG_GUEST_ERROR, "Illegal exception return at EL%d: "
1184 "resuming execution at 0x%" PRIx64 "\n", cur_el, env->pc);
1187 /* Return true if the linked breakpoint entry lbn passes its checks */
1188 static bool linked_bp_matches(ARMCPU *cpu, int lbn)
1190 CPUARMState *env = &cpu->env;
1191 uint64_t bcr = env->cp15.dbgbcr[lbn];
1192 int brps = extract32(cpu->dbgdidr, 24, 4);
1193 int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
1195 uint32_t contextidr;
1197 /* Links to unimplemented or non-context aware breakpoints are
1198 * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
1199 * as if linked to an UNKNOWN context-aware breakpoint (in which
1200 * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
1201 * We choose the former.
1203 if (lbn > brps || lbn < (brps - ctx_cmps)) {
1207 bcr = env->cp15.dbgbcr[lbn];
1209 if (extract64(bcr, 0, 1) == 0) {
1210 /* Linked breakpoint disabled : generate no events */
1214 bt = extract64(bcr, 20, 4);
1216 /* We match the whole register even if this is AArch32 using the
1217 * short descriptor format (in which case it holds both PROCID and ASID),
1218 * since we don't implement the optional v7 context ID masking.
1220 contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
1223 case 3: /* linked context ID match */
1224 if (arm_current_el(env) > 1) {
1225 /* Context matches never fire in EL2 or (AArch64) EL3 */
1228 return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
1229 case 5: /* linked address mismatch (reserved in AArch64) */
1230 case 9: /* linked VMID match (reserved if no EL2) */
1231 case 11: /* linked context ID and VMID match (reserved if no EL2) */
1233 /* Links to Unlinked context breakpoints must generate no
1234 * events; we choose to do the same for reserved values too.
1242 static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
1244 CPUARMState *env = &cpu->env;
1246 int pac, hmc, ssc, wt, lbn;
1247 /* Note that for watchpoints the check is against the CPU security
1248 * state, not the S/NS attribute on the offending data access.
1250 bool is_secure = arm_is_secure(env);
1251 int access_el = arm_current_el(env);
1254 CPUWatchpoint *wp = env->cpu_watchpoint[n];
1256 if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
1259 cr = env->cp15.dbgwcr[n];
1260 if (wp->hitattrs.user) {
1261 /* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
1262 * match watchpoints as if they were accesses done at EL0, even if
1263 * the CPU is at EL1 or higher.
1268 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1270 if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
1273 cr = env->cp15.dbgbcr[n];
1275 /* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
1276 * enabled and that the address and access type match; for breakpoints
1277 * we know the address matched; check the remaining fields, including
1278 * linked breakpoints. We rely on WCR and BCR having the same layout
1279 * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
1280 * Note that some combinations of {PAC, HMC, SSC} are reserved and
1281 * must act either like some valid combination or as if the watchpoint
1282 * were disabled. We choose the former, and use this together with
1283 * the fact that EL3 must always be Secure and EL2 must always be
1284 * Non-Secure to simplify the code slightly compared to the full
1285 * table in the ARM ARM.
1287 pac = extract64(cr, 1, 2);
1288 hmc = extract64(cr, 13, 1);
1289 ssc = extract64(cr, 14, 2);
1307 switch (access_el) {
1315 if (extract32(pac, 0, 1) == 0) {
1320 if (extract32(pac, 1, 1) == 0) {
1325 g_assert_not_reached();
1328 wt = extract64(cr, 20, 1);
1329 lbn = extract64(cr, 16, 4);
1331 if (wt && !linked_bp_matches(cpu, lbn)) {
1338 static bool check_watchpoints(ARMCPU *cpu)
1340 CPUARMState *env = &cpu->env;
1343 /* If watchpoints are disabled globally or we can't take debug
1344 * exceptions here then watchpoint firings are ignored.
1346 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1347 || !arm_generate_debug_exceptions(env)) {
1351 for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
1352 if (bp_wp_matches(cpu, n, true)) {
1359 static bool check_breakpoints(ARMCPU *cpu)
1361 CPUARMState *env = &cpu->env;
1364 /* If breakpoints are disabled globally or we can't take debug
1365 * exceptions here then breakpoint firings are ignored.
1367 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1368 || !arm_generate_debug_exceptions(env)) {
1372 for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
1373 if (bp_wp_matches(cpu, n, false)) {
1380 void HELPER(check_breakpoints)(CPUARMState *env)
1382 ARMCPU *cpu = arm_env_get_cpu(env);
1384 if (check_breakpoints(cpu)) {
1385 HELPER(exception_internal(env, EXCP_DEBUG));
1389 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
1391 /* Called by core code when a CPU watchpoint fires; need to check if this
1392 * is also an architectural watchpoint match.
1394 ARMCPU *cpu = ARM_CPU(cs);
1396 return check_watchpoints(cpu);
1399 vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
1401 ARMCPU *cpu = ARM_CPU(cs);
1402 CPUARMState *env = &cpu->env;
1404 /* In BE32 system mode, target memory is stored byteswapped (on a
1405 * little-endian host system), and by the time we reach here (via an
1406 * opcode helper) the addresses of subword accesses have been adjusted
1407 * to account for that, which means that watchpoints will not match.
1408 * Undo the adjustment here.
1410 if (arm_sctlr_b(env)) {
1413 } else if (len == 2) {
1421 void arm_debug_excp_handler(CPUState *cs)
1423 /* Called by core code when a watchpoint or breakpoint fires;
1424 * need to check which one and raise the appropriate exception.
1426 ARMCPU *cpu = ARM_CPU(cs);
1427 CPUARMState *env = &cpu->env;
1428 CPUWatchpoint *wp_hit = cs->watchpoint_hit;
1431 if (wp_hit->flags & BP_CPU) {
1432 bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
1433 bool same_el = arm_debug_target_el(env) == arm_current_el(env);
1435 cs->watchpoint_hit = NULL;
1437 env->exception.fsr = arm_debug_exception_fsr(env);
1438 env->exception.vaddress = wp_hit->hitaddr;
1439 raise_exception(env, EXCP_DATA_ABORT,
1440 syn_watchpoint(same_el, 0, wnr),
1441 arm_debug_target_el(env));
1444 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1445 bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
1447 /* (1) GDB breakpoints should be handled first.
1448 * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
1449 * since singlestep is also done by generating a debug internal
1452 if (cpu_breakpoint_test(cs, pc, BP_GDB)
1453 || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
1457 env->exception.fsr = arm_debug_exception_fsr(env);
1458 /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
1459 * values to the guest that it shouldn't be able to see at its
1460 * exception/security level.
1462 env->exception.vaddress = 0;
1463 raise_exception(env, EXCP_PREFETCH_ABORT,
1464 syn_breakpoint(same_el),
1465 arm_debug_target_el(env));
1469 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1470 The only way to do that in TCG is a conditional branch, which clobbers
1471 all our temporaries. For now implement these as helper functions. */
1473 /* Similarly for variable shift instructions. */
1475 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1477 int shift = i & 0xff;
1484 } else if (shift != 0) {
1485 env->CF = (x >> (32 - shift)) & 1;
1491 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1493 int shift = i & 0xff;
1496 env->CF = (x >> 31) & 1;
1500 } else if (shift != 0) {
1501 env->CF = (x >> (shift - 1)) & 1;
1507 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1509 int shift = i & 0xff;
1511 env->CF = (x >> 31) & 1;
1512 return (int32_t)x >> 31;
1513 } else if (shift != 0) {
1514 env->CF = (x >> (shift - 1)) & 1;
1515 return (int32_t)x >> shift;
1520 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1524 shift = shift1 & 0x1f;
1527 env->CF = (x >> 31) & 1;
1530 env->CF = (x >> (shift - 1)) & 1;
1531 return ((uint32_t)x >> shift) | (x << (32 - shift));
projects / qemu.git / blob