4 * Copyright (c) 2005-2007 CodeSourcery, LLC
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
23 #include "exec/helper-proto.h"
24 #include "internals.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
28 #define SIGNBIT (uint32_t)0x80000000
29 #define SIGNBIT64 ((uint64_t)1 << 63)
31 void raise_exception(CPUARMState *env, uint32_t excp,
32 uint32_t syndrome, uint32_t target_el)
34 CPUState *cs = CPU(arm_env_get_cpu(env));
36 if ((env->cp15.hcr_el2 & HCR_TGE) &&
37 target_el == 1 && !arm_is_secure(env)) {
39 * Redirect NS EL1 exceptions to NS EL2. These are reported with
40 * their original syndrome register value, with the exception of
41 * SIMD/FP access traps, which are reported as uncategorized
42 * (see DDI0478C.a D1.10.4)
45 if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) {
46 syndrome = syn_uncategorized();
50 assert(!excp_is_internal(excp));
51 cs->exception_index = excp;
52 env->exception.syndrome = syndrome;
53 env->exception.target_el = target_el;
57 static int exception_target_el(CPUARMState *env)
59 int target_el = MAX(1, arm_current_el(env));
61 /* No such thing as secure EL1 if EL3 is aarch32, so update the target EL
62 * to EL3 in this case.
64 if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
71 uint32_t HELPER(neon_tbl)(uint32_t ireg, uint32_t def, void *vn,
78 for (shift = 0; shift < 32; shift += 8) {
79 uint32_t index = (ireg >> shift) & 0xff;
80 if (index < maxindex) {
81 uint32_t tmp = (table[index >> 3] >> ((index & 7) << 3)) & 0xff;
84 val |= def & (0xff << shift);
90 #if !defined(CONFIG_USER_ONLY)
92 static inline uint32_t merge_syn_data_abort(uint32_t template_syn,
93 unsigned int target_el,
94 bool same_el, bool ea,
95 bool s1ptw, bool is_write,
100 /* ISV is only set for data aborts routed to EL2 and
101 * never for stage-1 page table walks faulting on stage 2.
103 * Furthermore, ISV is only set for certain kinds of load/stores.
104 * If the template syndrome does not have ISV set, we should leave
107 * See ARMv8 specs, D7-1974:
108 * ISS encoding for an exception from a Data Abort, the
111 if (!(template_syn & ARM_EL_ISV) || target_el != 2 || s1ptw) {
112 syn = syn_data_abort_no_iss(same_el,
113 ea, 0, s1ptw, is_write, fsc);
115 /* Fields: IL, ISV, SAS, SSE, SRT, SF and AR come from the template
116 * syndrome created at translation time.
117 * Now we create the runtime syndrome with the remaining fields.
119 syn = syn_data_abort_with_iss(same_el,
121 ea, 0, s1ptw, is_write, fsc,
123 /* Merge the runtime syndrome with the template syndrome. */
129 static void deliver_fault(ARMCPU *cpu, vaddr addr, MMUAccessType access_type,
130 int mmu_idx, ARMMMUFaultInfo *fi)
132 CPUARMState *env = &cpu->env;
135 uint32_t syn, exc, fsr, fsc;
136 ARMMMUIdx arm_mmu_idx = core_to_arm_mmu_idx(env, mmu_idx);
138 target_el = exception_target_el(env);
141 env->cp15.hpfar_el2 = extract64(fi->s2addr, 12, 47) << 4;
143 same_el = (arm_current_el(env) == target_el);
145 if (target_el == 2 || arm_el_is_aa64(env, target_el) ||
146 arm_s1_regime_using_lpae_format(env, arm_mmu_idx)) {
147 /* LPAE format fault status register : bottom 6 bits are
148 * status code in the same form as needed for syndrome
150 fsr = arm_fi_to_lfsc(fi);
151 fsc = extract32(fsr, 0, 6);
153 fsr = arm_fi_to_sfsc(fi);
154 /* Short format FSR : this fault will never actually be reported
155 * to an EL that uses a syndrome register. Use a (currently)
156 * reserved FSR code in case the constructed syndrome does leak
157 * into the guest somehow.
162 if (access_type == MMU_INST_FETCH) {
163 syn = syn_insn_abort(same_el, fi->ea, fi->s1ptw, fsc);
164 exc = EXCP_PREFETCH_ABORT;
166 syn = merge_syn_data_abort(env->exception.syndrome, target_el,
167 same_el, fi->ea, fi->s1ptw,
168 access_type == MMU_DATA_STORE,
170 if (access_type == MMU_DATA_STORE
171 && arm_feature(env, ARM_FEATURE_V6)) {
174 exc = EXCP_DATA_ABORT;
177 env->exception.vaddress = addr;
178 env->exception.fsr = fsr;
179 raise_exception(env, exc, syn, target_el);
182 /* try to fill the TLB and return an exception if error. If retaddr is
183 * NULL, it means that the function was called in C code (i.e. not
184 * from generated code or from helper.c)
186 void tlb_fill(CPUState *cs, target_ulong addr, int size,
187 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
190 ARMMMUFaultInfo fi = {};
192 ret = arm_tlb_fill(cs, addr, access_type, mmu_idx, &fi);
194 ARMCPU *cpu = ARM_CPU(cs);
196 /* now we have a real cpu fault */
197 cpu_restore_state(cs, retaddr, true);
199 deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
203 /* Raise a data fault alignment exception for the specified virtual address */
204 void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
205 MMUAccessType access_type,
206 int mmu_idx, uintptr_t retaddr)
208 ARMCPU *cpu = ARM_CPU(cs);
209 ARMMMUFaultInfo fi = {};
211 /* now we have a real cpu fault */
212 cpu_restore_state(cs, retaddr, true);
214 fi.type = ARMFault_Alignment;
215 deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
218 /* arm_cpu_do_transaction_failed: handle a memory system error response
219 * (eg "no device/memory present at address") by raising an external abort
222 void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
223 vaddr addr, unsigned size,
224 MMUAccessType access_type,
225 int mmu_idx, MemTxAttrs attrs,
226 MemTxResult response, uintptr_t retaddr)
228 ARMCPU *cpu = ARM_CPU(cs);
229 ARMMMUFaultInfo fi = {};
231 /* now we have a real cpu fault */
232 cpu_restore_state(cs, retaddr, true);
234 fi.ea = arm_extabort_type(response);
235 fi.type = ARMFault_SyncExternal;
236 deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
239 #endif /* !defined(CONFIG_USER_ONLY) */
241 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
244 * Perform the v8M stack limit check for SP updates from translated code,
245 * raising an exception if the limit is breached.
247 if (newvalue < v7m_sp_limit(env)) {
248 CPUState *cs = CPU(arm_env_get_cpu(env));
251 * Stack limit exceptions are a rare case, so rather than syncing
252 * PC/condbits before the call, we use cpu_restore_state() to
253 * get them right before raising the exception.
255 cpu_restore_state(cs, GETPC(), true);
256 raise_exception(env, EXCP_STKOF, 0, 1);
260 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
262 uint32_t res = a + b;
263 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
268 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
270 uint32_t res = a + b;
271 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
273 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
278 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
280 uint32_t res = a - b;
281 if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
283 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
288 uint32_t HELPER(double_saturate)(CPUARMState *env, int32_t val)
291 if (val >= 0x40000000) {
294 } else if (val <= (int32_t)0xc0000000) {
303 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
305 uint32_t res = a + b;
313 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
315 uint32_t res = a - b;
323 /* Signed saturation. */
324 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
330 mask = (1u << shift) - 1;
334 } else if (top < -1) {
341 /* Unsigned saturation. */
342 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
346 max = (1u << shift) - 1;
350 } else if (val > max) {
357 /* Signed saturate. */
358 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
360 return do_ssat(env, x, shift);
363 /* Dual halfword signed saturate. */
364 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
368 res = (uint16_t)do_ssat(env, (int16_t)x, shift);
369 res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
373 /* Unsigned saturate. */
374 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
376 return do_usat(env, x, shift);
379 /* Dual halfword unsigned saturate. */
380 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
384 res = (uint16_t)do_usat(env, (int16_t)x, shift);
385 res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
389 void HELPER(setend)(CPUARMState *env)
391 env->uncached_cpsr ^= CPSR_E;
394 /* Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
395 * The function returns the target EL (1-3) if the instruction is to be trapped;
396 * otherwise it returns 0 indicating it is not trapped.
398 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
400 int cur_el = arm_current_el(env);
403 if (arm_feature(env, ARM_FEATURE_M)) {
404 /* M profile cores can never trap WFI/WFE. */
408 /* If we are currently in EL0 then we need to check if SCTLR is set up for
409 * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
411 if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
414 mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
415 if (arm_is_secure_below_el3(env) && !arm_el_is_aa64(env, 3)) {
416 /* Secure EL0 and Secure PL1 is at EL3 */
422 if (!(env->cp15.sctlr_el[target_el] & mask)) {
427 /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
428 * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
429 * bits will be zero indicating no trap.
431 if (cur_el < 2 && !arm_is_secure(env)) {
432 mask = (is_wfe) ? HCR_TWE : HCR_TWI;
433 if (env->cp15.hcr_el2 & mask) {
438 /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
440 mask = (is_wfe) ? SCR_TWE : SCR_TWI;
441 if (env->cp15.scr_el3 & mask) {
449 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
451 CPUState *cs = CPU(arm_env_get_cpu(env));
452 int target_el = check_wfx_trap(env, false);
454 if (cpu_has_work(cs)) {
455 /* Don't bother to go into our "low power state" if
456 * we would just wake up immediately.
463 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2),
467 cs->exception_index = EXCP_HLT;
472 void HELPER(wfe)(CPUARMState *env)
474 /* This is a hint instruction that is semantically different
475 * from YIELD even though we currently implement it identically.
476 * Don't actually halt the CPU, just yield back to top
477 * level loop. This is not going into a "low power state"
478 * (ie halting until some event occurs), so we never take
479 * a configurable trap to a different exception level.
484 void HELPER(yield)(CPUARMState *env)
486 ARMCPU *cpu = arm_env_get_cpu(env);
487 CPUState *cs = CPU(cpu);
489 /* This is a non-trappable hint instruction that generally indicates
490 * that the guest is currently busy-looping. Yield control back to the
491 * top level loop so that a more deserving VCPU has a chance to run.
493 cs->exception_index = EXCP_YIELD;
497 /* Raise an internal-to-QEMU exception. This is limited to only
498 * those EXCP values which are special cases for QEMU to interrupt
499 * execution and not to be used for exceptions which are passed to
500 * the guest (those must all have syndrome information and thus should
501 * use exception_with_syndrome).
503 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
505 CPUState *cs = CPU(arm_env_get_cpu(env));
507 assert(excp_is_internal(excp));
508 cs->exception_index = excp;
512 /* Raise an exception with the specified syndrome register value */
513 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
514 uint32_t syndrome, uint32_t target_el)
516 raise_exception(env, excp, syndrome, target_el);
519 /* Raise an EXCP_BKPT with the specified syndrome register value,
520 * targeting the correct exception level for debug exceptions.
522 void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome)
524 /* FSR will only be used if the debug target EL is AArch32. */
525 env->exception.fsr = arm_debug_exception_fsr(env);
526 /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
527 * values to the guest that it shouldn't be able to see at its
528 * exception/security level.
530 env->exception.vaddress = 0;
531 raise_exception(env, EXCP_BKPT, syndrome, arm_debug_target_el(env));
534 uint32_t HELPER(cpsr_read)(CPUARMState *env)
536 return cpsr_read(env) & ~(CPSR_EXEC | CPSR_RESERVED);
539 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
541 cpsr_write(env, val, mask, CPSRWriteByInstr);
544 /* Write the CPSR for a 32-bit exception return */
545 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
547 qemu_mutex_lock_iothread();
548 arm_call_pre_el_change_hook(arm_env_get_cpu(env));
549 qemu_mutex_unlock_iothread();
551 cpsr_write(env, val, CPSR_ERET_MASK, CPSRWriteExceptionReturn);
553 /* Generated code has already stored the new PC value, but
554 * without masking out its low bits, because which bits need
555 * masking depends on whether we're returning to Thumb or ARM
556 * state. Do the masking now.
558 env->regs[15] &= (env->thumb ? ~1 : ~3);
560 qemu_mutex_lock_iothread();
561 arm_call_el_change_hook(arm_env_get_cpu(env));
562 qemu_mutex_unlock_iothread();
565 /* Access to user mode registers from privileged modes. */
566 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
571 val = env->banked_r13[BANK_USRSYS];
572 } else if (regno == 14) {
573 val = env->banked_r14[BANK_USRSYS];
574 } else if (regno >= 8
575 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
576 val = env->usr_regs[regno - 8];
578 val = env->regs[regno];
583 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
586 env->banked_r13[BANK_USRSYS] = val;
587 } else if (regno == 14) {
588 env->banked_r14[BANK_USRSYS] = val;
589 } else if (regno >= 8
590 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
591 env->usr_regs[regno - 8] = val;
593 env->regs[regno] = val;
597 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
599 if ((env->uncached_cpsr & CPSR_M) == mode) {
602 env->banked_r13[bank_number(mode)] = val;
606 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
608 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
609 /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
610 * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
612 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
613 exception_target_el(env));
616 if ((env->uncached_cpsr & CPSR_M) == mode) {
617 return env->regs[13];
619 return env->banked_r13[bank_number(mode)];
623 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
626 /* Raise an exception if the requested access is one of the UNPREDICTABLE
627 * cases; otherwise return. This broadly corresponds to the pseudocode
628 * BankedRegisterAccessValid() and SPSRAccessValid(),
629 * except that we have already handled some cases at translate time.
631 int curmode = env->uncached_cpsr & CPSR_M;
634 /* ELR_Hyp: a special case because access from tgtmode is OK */
635 if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
641 if (curmode == tgtmode) {
645 if (tgtmode == ARM_CPU_MODE_USR) {
648 if (curmode != ARM_CPU_MODE_FIQ) {
653 if (curmode == ARM_CPU_MODE_SYS) {
658 if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
667 if (tgtmode == ARM_CPU_MODE_HYP) {
668 /* SPSR_Hyp, r13_hyp: accessible from Monitor mode only */
669 if (curmode != ARM_CPU_MODE_MON) {
677 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
678 exception_target_el(env));
681 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
684 msr_mrs_banked_exc_checks(env, tgtmode, regno);
688 env->banked_spsr[bank_number(tgtmode)] = value;
690 case 17: /* ELR_Hyp */
691 env->elr_el[2] = value;
694 env->banked_r13[bank_number(tgtmode)] = value;
697 env->banked_r14[bank_number(tgtmode)] = value;
701 case ARM_CPU_MODE_USR:
702 env->usr_regs[regno - 8] = value;
704 case ARM_CPU_MODE_FIQ:
705 env->fiq_regs[regno - 8] = value;
708 g_assert_not_reached();
712 g_assert_not_reached();
716 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
718 msr_mrs_banked_exc_checks(env, tgtmode, regno);
722 return env->banked_spsr[bank_number(tgtmode)];
723 case 17: /* ELR_Hyp */
724 return env->elr_el[2];
726 return env->banked_r13[bank_number(tgtmode)];
728 return env->banked_r14[bank_number(tgtmode)];
731 case ARM_CPU_MODE_USR:
732 return env->usr_regs[regno - 8];
733 case ARM_CPU_MODE_FIQ:
734 return env->fiq_regs[regno - 8];
736 g_assert_not_reached();
739 g_assert_not_reached();
743 void HELPER(access_check_cp_reg)(CPUARMState *env, void *rip, uint32_t syndrome,
746 const ARMCPRegInfo *ri = rip;
749 if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
750 && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
751 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
758 switch (ri->accessfn(env, ri, isread)) {
762 target_el = exception_target_el(env);
764 case CP_ACCESS_TRAP_EL2:
765 /* Requesting a trap to EL2 when we're in EL3 or S-EL0/1 is
766 * a bug in the access function.
768 assert(!arm_is_secure(env) && arm_current_el(env) != 3);
771 case CP_ACCESS_TRAP_EL3:
774 case CP_ACCESS_TRAP_UNCATEGORIZED:
775 target_el = exception_target_el(env);
776 syndrome = syn_uncategorized();
778 case CP_ACCESS_TRAP_UNCATEGORIZED_EL2:
780 syndrome = syn_uncategorized();
782 case CP_ACCESS_TRAP_UNCATEGORIZED_EL3:
784 syndrome = syn_uncategorized();
786 case CP_ACCESS_TRAP_FP_EL2:
788 /* Since we are an implementation that takes exceptions on a trapped
789 * conditional insn only if the insn has passed its condition code
790 * check, we take the IMPDEF choice to always report CV=1 COND=0xe
791 * (which is also the required value for AArch64 traps).
793 syndrome = syn_fp_access_trap(1, 0xe, false);
795 case CP_ACCESS_TRAP_FP_EL3:
797 syndrome = syn_fp_access_trap(1, 0xe, false);
800 g_assert_not_reached();
803 raise_exception(env, EXCP_UDEF, syndrome, target_el);
806 void HELPER(set_cp_reg)(CPUARMState *env, void *rip, uint32_t value)
808 const ARMCPRegInfo *ri = rip;
810 if (ri->type & ARM_CP_IO) {
811 qemu_mutex_lock_iothread();
812 ri->writefn(env, ri, value);
813 qemu_mutex_unlock_iothread();
815 ri->writefn(env, ri, value);
819 uint32_t HELPER(get_cp_reg)(CPUARMState *env, void *rip)
821 const ARMCPRegInfo *ri = rip;
824 if (ri->type & ARM_CP_IO) {
825 qemu_mutex_lock_iothread();
826 res = ri->readfn(env, ri);
827 qemu_mutex_unlock_iothread();
829 res = ri->readfn(env, ri);
835 void HELPER(set_cp_reg64)(CPUARMState *env, void *rip, uint64_t value)
837 const ARMCPRegInfo *ri = rip;
839 if (ri->type & ARM_CP_IO) {
840 qemu_mutex_lock_iothread();
841 ri->writefn(env, ri, value);
842 qemu_mutex_unlock_iothread();
844 ri->writefn(env, ri, value);
848 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, void *rip)
850 const ARMCPRegInfo *ri = rip;
853 if (ri->type & ARM_CP_IO) {
854 qemu_mutex_lock_iothread();
855 res = ri->readfn(env, ri);
856 qemu_mutex_unlock_iothread();
858 res = ri->readfn(env, ri);
864 void HELPER(msr_i_pstate)(CPUARMState *env, uint32_t op, uint32_t imm)
866 /* MSR_i to update PSTATE. This is OK from EL0 only if UMA is set.
867 * Note that SPSel is never OK from EL0; we rely on handle_msr_i()
868 * to catch that case at translate time.
870 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UMA)) {
871 uint32_t syndrome = syn_aa64_sysregtrap(0, extract32(op, 0, 3),
872 extract32(op, 3, 3), 4,
874 raise_exception(env, EXCP_UDEF, syndrome, exception_target_el(env));
878 case 0x05: /* SPSel */
879 update_spsel(env, imm);
881 case 0x1e: /* DAIFSet */
882 env->daif |= (imm << 6) & PSTATE_DAIF;
884 case 0x1f: /* DAIFClear */
885 env->daif &= ~((imm << 6) & PSTATE_DAIF);
888 g_assert_not_reached();
892 void HELPER(clear_pstate_ss)(CPUARMState *env)
894 env->pstate &= ~PSTATE_SS;
897 void HELPER(pre_hvc)(CPUARMState *env)
899 ARMCPU *cpu = arm_env_get_cpu(env);
900 int cur_el = arm_current_el(env);
901 /* FIXME: Use actual secure state. */
905 if (arm_is_psci_call(cpu, EXCP_HVC)) {
906 /* If PSCI is enabled and this looks like a valid PSCI call then
907 * that overrides the architecturally mandated HVC behaviour.
912 if (!arm_feature(env, ARM_FEATURE_EL2)) {
913 /* If EL2 doesn't exist, HVC always UNDEFs */
915 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
916 /* EL3.HCE has priority over EL2.HCD. */
917 undef = !(env->cp15.scr_el3 & SCR_HCE);
919 undef = env->cp15.hcr_el2 & HCR_HCD;
922 /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
923 * For ARMv8/AArch64, HVC is allowed in EL3.
924 * Note that we've already trapped HVC from EL0 at translation
927 if (secure && (!is_a64(env) || cur_el == 1)) {
932 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
933 exception_target_el(env));
937 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
939 ARMCPU *cpu = arm_env_get_cpu(env);
940 int cur_el = arm_current_el(env);
941 bool secure = arm_is_secure(env);
942 bool smd = env->cp15.scr_el3 & SCR_SMD;
943 /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
944 * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
945 * extensions, SMD only applies to NS state.
946 * On ARMv7 without the Virtualization extensions, the SMD bit
947 * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
948 * so we need not special case this here.
950 bool undef = arm_feature(env, ARM_FEATURE_AARCH64) ? smd : smd && !secure;
952 if (!arm_feature(env, ARM_FEATURE_EL3) &&
953 cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
954 /* If we have no EL3 then SMC always UNDEFs and can't be
955 * trapped to EL2. PSCI-via-SMC is a sort of ersatz EL3
956 * firmware within QEMU, and we want an EL2 guest to be able
957 * to forbid its EL1 from making PSCI calls into QEMU's
958 * "firmware" via HCR.TSC, so for these purposes treat
959 * PSCI-via-SMC as implying an EL3.
962 } else if (!secure && cur_el == 1 && (env->cp15.hcr_el2 & HCR_TSC)) {
963 /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
964 * We also want an EL2 guest to be able to forbid its EL1 from
965 * making PSCI calls into QEMU's "firmware" via HCR.TSC.
967 raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
970 /* If PSCI is enabled and this looks like a valid PSCI call then
971 * suppress the UNDEF -- we'll catch the SMC exception and
972 * implement the PSCI call behaviour there.
974 if (undef && !arm_is_psci_call(cpu, EXCP_SMC)) {
975 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
976 exception_target_el(env));
980 static int el_from_spsr(uint32_t spsr)
982 /* Return the exception level that this SPSR is requesting a return to,
983 * or -1 if it is invalid (an illegal return)
985 if (spsr & PSTATE_nRW) {
986 switch (spsr & CPSR_M) {
987 case ARM_CPU_MODE_USR:
989 case ARM_CPU_MODE_HYP:
991 case ARM_CPU_MODE_FIQ:
992 case ARM_CPU_MODE_IRQ:
993 case ARM_CPU_MODE_SVC:
994 case ARM_CPU_MODE_ABT:
995 case ARM_CPU_MODE_UND:
996 case ARM_CPU_MODE_SYS:
998 case ARM_CPU_MODE_MON:
999 /* Returning to Mon from AArch64 is never possible,
1000 * so this is an illegal return.
1006 if (extract32(spsr, 1, 1)) {
1007 /* Return with reserved M[1] bit set */
1010 if (extract32(spsr, 0, 4) == 1) {
1011 /* return to EL0 with M[0] bit set */
1014 return extract32(spsr, 2, 2);
1018 void HELPER(exception_return)(CPUARMState *env)
1020 int cur_el = arm_current_el(env);
1021 unsigned int spsr_idx = aarch64_banked_spsr_index(cur_el);
1022 uint32_t spsr = env->banked_spsr[spsr_idx];
1024 bool return_to_aa64 = (spsr & PSTATE_nRW) == 0;
1026 aarch64_save_sp(env, cur_el);
1028 arm_clear_exclusive(env);
1030 /* We must squash the PSTATE.SS bit to zero unless both of the
1032 * 1. debug exceptions are currently disabled
1033 * 2. singlestep will be active in the EL we return to
1034 * We check 1 here and 2 after we've done the pstate/cpsr write() to
1035 * transition to the EL we're going to.
1037 if (arm_generate_debug_exceptions(env)) {
1041 new_el = el_from_spsr(spsr);
1043 goto illegal_return;
1046 || (new_el == 2 && !arm_feature(env, ARM_FEATURE_EL2))) {
1047 /* Disallow return to an EL which is unimplemented or higher
1048 * than the current one.
1050 goto illegal_return;
1053 if (new_el != 0 && arm_el_is_aa64(env, new_el) != return_to_aa64) {
1054 /* Return to an EL which is configured for a different register width */
1055 goto illegal_return;
1058 if (new_el == 2 && arm_is_secure_below_el3(env)) {
1059 /* Return to the non-existent secure-EL2 */
1060 goto illegal_return;
1063 if (new_el == 1 && (env->cp15.hcr_el2 & HCR_TGE)
1064 && !arm_is_secure_below_el3(env)) {
1065 goto illegal_return;
1068 qemu_mutex_lock_iothread();
1069 arm_call_pre_el_change_hook(arm_env_get_cpu(env));
1070 qemu_mutex_unlock_iothread();
1072 if (!return_to_aa64) {
1074 /* We do a raw CPSR write because aarch64_sync_64_to_32()
1075 * will sort the register banks out for us, and we've already
1076 * caught all the bad-mode cases in el_from_spsr().
1078 cpsr_write(env, spsr, ~0, CPSRWriteRaw);
1079 if (!arm_singlestep_active(env)) {
1080 env->uncached_cpsr &= ~PSTATE_SS;
1082 aarch64_sync_64_to_32(env);
1084 if (spsr & CPSR_T) {
1085 env->regs[15] = env->elr_el[cur_el] & ~0x1;
1087 env->regs[15] = env->elr_el[cur_el] & ~0x3;
1089 qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to "
1090 "AArch32 EL%d PC 0x%" PRIx32 "\n",
1091 cur_el, new_el, env->regs[15]);
1094 pstate_write(env, spsr);
1095 if (!arm_singlestep_active(env)) {
1096 env->pstate &= ~PSTATE_SS;
1098 aarch64_restore_sp(env, new_el);
1099 env->pc = env->elr_el[cur_el];
1100 qemu_log_mask(CPU_LOG_INT, "Exception return from AArch64 EL%d to "
1101 "AArch64 EL%d PC 0x%" PRIx64 "\n",
1102 cur_el, new_el, env->pc);
1105 * Note that cur_el can never be 0. If new_el is 0, then
1106 * el0_a64 is return_to_aa64, else el0_a64 is ignored.
1108 aarch64_sve_change_el(env, cur_el, new_el, return_to_aa64);
1110 qemu_mutex_lock_iothread();
1111 arm_call_el_change_hook(arm_env_get_cpu(env));
1112 qemu_mutex_unlock_iothread();
1117 /* Illegal return events of various kinds have architecturally
1118 * mandated behaviour:
1119 * restore NZCV and DAIF from SPSR_ELx
1121 * restore PC from ELR_ELx
1122 * no change to exception level, execution state or stack pointer
1124 env->pstate |= PSTATE_IL;
1125 env->pc = env->elr_el[cur_el];
1126 spsr &= PSTATE_NZCV | PSTATE_DAIF;
1127 spsr |= pstate_read(env) & ~(PSTATE_NZCV | PSTATE_DAIF);
1128 pstate_write(env, spsr);
1129 if (!arm_singlestep_active(env)) {
1130 env->pstate &= ~PSTATE_SS;
1132 qemu_log_mask(LOG_GUEST_ERROR, "Illegal exception return at EL%d: "
1133 "resuming execution at 0x%" PRIx64 "\n", cur_el, env->pc);
1136 /* Return true if the linked breakpoint entry lbn passes its checks */
1137 static bool linked_bp_matches(ARMCPU *cpu, int lbn)
1139 CPUARMState *env = &cpu->env;
1140 uint64_t bcr = env->cp15.dbgbcr[lbn];
1141 int brps = extract32(cpu->dbgdidr, 24, 4);
1142 int ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
1144 uint32_t contextidr;
1146 /* Links to unimplemented or non-context aware breakpoints are
1147 * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
1148 * as if linked to an UNKNOWN context-aware breakpoint (in which
1149 * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
1150 * We choose the former.
1152 if (lbn > brps || lbn < (brps - ctx_cmps)) {
1156 bcr = env->cp15.dbgbcr[lbn];
1158 if (extract64(bcr, 0, 1) == 0) {
1159 /* Linked breakpoint disabled : generate no events */
1163 bt = extract64(bcr, 20, 4);
1165 /* We match the whole register even if this is AArch32 using the
1166 * short descriptor format (in which case it holds both PROCID and ASID),
1167 * since we don't implement the optional v7 context ID masking.
1169 contextidr = extract64(env->cp15.contextidr_el[1], 0, 32);
1172 case 3: /* linked context ID match */
1173 if (arm_current_el(env) > 1) {
1174 /* Context matches never fire in EL2 or (AArch64) EL3 */
1177 return (contextidr == extract64(env->cp15.dbgbvr[lbn], 0, 32));
1178 case 5: /* linked address mismatch (reserved in AArch64) */
1179 case 9: /* linked VMID match (reserved if no EL2) */
1180 case 11: /* linked context ID and VMID match (reserved if no EL2) */
1182 /* Links to Unlinked context breakpoints must generate no
1183 * events; we choose to do the same for reserved values too.
1191 static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
1193 CPUARMState *env = &cpu->env;
1195 int pac, hmc, ssc, wt, lbn;
1196 /* Note that for watchpoints the check is against the CPU security
1197 * state, not the S/NS attribute on the offending data access.
1199 bool is_secure = arm_is_secure(env);
1200 int access_el = arm_current_el(env);
1203 CPUWatchpoint *wp = env->cpu_watchpoint[n];
1205 if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
1208 cr = env->cp15.dbgwcr[n];
1209 if (wp->hitattrs.user) {
1210 /* The LDRT/STRT/LDT/STT "unprivileged access" instructions should
1211 * match watchpoints as if they were accesses done at EL0, even if
1212 * the CPU is at EL1 or higher.
1217 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1219 if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
1222 cr = env->cp15.dbgbcr[n];
1224 /* The WATCHPOINT_HIT flag guarantees us that the watchpoint is
1225 * enabled and that the address and access type match; for breakpoints
1226 * we know the address matched; check the remaining fields, including
1227 * linked breakpoints. We rely on WCR and BCR having the same layout
1228 * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
1229 * Note that some combinations of {PAC, HMC, SSC} are reserved and
1230 * must act either like some valid combination or as if the watchpoint
1231 * were disabled. We choose the former, and use this together with
1232 * the fact that EL3 must always be Secure and EL2 must always be
1233 * Non-Secure to simplify the code slightly compared to the full
1234 * table in the ARM ARM.
1236 pac = extract64(cr, 1, 2);
1237 hmc = extract64(cr, 13, 1);
1238 ssc = extract64(cr, 14, 2);
1256 switch (access_el) {
1264 if (extract32(pac, 0, 1) == 0) {
1269 if (extract32(pac, 1, 1) == 0) {
1274 g_assert_not_reached();
1277 wt = extract64(cr, 20, 1);
1278 lbn = extract64(cr, 16, 4);
1280 if (wt && !linked_bp_matches(cpu, lbn)) {
1287 static bool check_watchpoints(ARMCPU *cpu)
1289 CPUARMState *env = &cpu->env;
1292 /* If watchpoints are disabled globally or we can't take debug
1293 * exceptions here then watchpoint firings are ignored.
1295 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1296 || !arm_generate_debug_exceptions(env)) {
1300 for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
1301 if (bp_wp_matches(cpu, n, true)) {
1308 static bool check_breakpoints(ARMCPU *cpu)
1310 CPUARMState *env = &cpu->env;
1313 /* If breakpoints are disabled globally or we can't take debug
1314 * exceptions here then breakpoint firings are ignored.
1316 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
1317 || !arm_generate_debug_exceptions(env)) {
1321 for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
1322 if (bp_wp_matches(cpu, n, false)) {
1329 void HELPER(check_breakpoints)(CPUARMState *env)
1331 ARMCPU *cpu = arm_env_get_cpu(env);
1333 if (check_breakpoints(cpu)) {
1334 HELPER(exception_internal(env, EXCP_DEBUG));
1338 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
1340 /* Called by core code when a CPU watchpoint fires; need to check if this
1341 * is also an architectural watchpoint match.
1343 ARMCPU *cpu = ARM_CPU(cs);
1345 return check_watchpoints(cpu);
1348 vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
1350 ARMCPU *cpu = ARM_CPU(cs);
1351 CPUARMState *env = &cpu->env;
1353 /* In BE32 system mode, target memory is stored byteswapped (on a
1354 * little-endian host system), and by the time we reach here (via an
1355 * opcode helper) the addresses of subword accesses have been adjusted
1356 * to account for that, which means that watchpoints will not match.
1357 * Undo the adjustment here.
1359 if (arm_sctlr_b(env)) {
1362 } else if (len == 2) {
1370 void arm_debug_excp_handler(CPUState *cs)
1372 /* Called by core code when a watchpoint or breakpoint fires;
1373 * need to check which one and raise the appropriate exception.
1375 ARMCPU *cpu = ARM_CPU(cs);
1376 CPUARMState *env = &cpu->env;
1377 CPUWatchpoint *wp_hit = cs->watchpoint_hit;
1380 if (wp_hit->flags & BP_CPU) {
1381 bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
1382 bool same_el = arm_debug_target_el(env) == arm_current_el(env);
1384 cs->watchpoint_hit = NULL;
1386 env->exception.fsr = arm_debug_exception_fsr(env);
1387 env->exception.vaddress = wp_hit->hitaddr;
1388 raise_exception(env, EXCP_DATA_ABORT,
1389 syn_watchpoint(same_el, 0, wnr),
1390 arm_debug_target_el(env));
1393 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
1394 bool same_el = (arm_debug_target_el(env) == arm_current_el(env));
1396 /* (1) GDB breakpoints should be handled first.
1397 * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
1398 * since singlestep is also done by generating a debug internal
1401 if (cpu_breakpoint_test(cs, pc, BP_GDB)
1402 || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
1406 env->exception.fsr = arm_debug_exception_fsr(env);
1407 /* FAR is UNKNOWN: clear vaddress to avoid potentially exposing
1408 * values to the guest that it shouldn't be able to see at its
1409 * exception/security level.
1411 env->exception.vaddress = 0;
1412 raise_exception(env, EXCP_PREFETCH_ABORT,
1413 syn_breakpoint(same_el),
1414 arm_debug_target_el(env));
1418 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1419 The only way to do that in TCG is a conditional branch, which clobbers
1420 all our temporaries. For now implement these as helper functions. */
1422 /* Similarly for variable shift instructions. */
1424 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1426 int shift = i & 0xff;
1433 } else if (shift != 0) {
1434 env->CF = (x >> (32 - shift)) & 1;
1440 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1442 int shift = i & 0xff;
1445 env->CF = (x >> 31) & 1;
1449 } else if (shift != 0) {
1450 env->CF = (x >> (shift - 1)) & 1;
1456 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1458 int shift = i & 0xff;
1460 env->CF = (x >> 31) & 1;
1461 return (int32_t)x >> 31;
1462 } else if (shift != 0) {
1463 env->CF = (x >> (shift - 1)) & 1;
1464 return (int32_t)x >> shift;
1469 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1473 shift = shift1 & 0x1f;
1476 env->CF = (x >> 31) & 1;
1479 env->CF = (x >> (shift - 1)) & 1;
1480 return ((uint32_t)x >> shift) | (x << (32 - shift));
projects / qemu.git / blob