3 #include "exec/gdbstub.h"
4 #include "exec/helper-proto.h"
5 #include "qemu/host-utils.h"
6 #include "sysemu/arch_init.h"
7 #include "sysemu/sysemu.h"
8 #include "qemu/bitops.h"
9 #include "qemu/crc32c.h"
10 #include "exec/cpu_ldst.h"
12 #include <zlib.h> /* For crc32 */
14 #ifndef CONFIG_USER_ONLY
15 static inline int get_phys_addr(CPUARMState *env, target_ulong address,
16 int access_type, ARMMMUIdx mmu_idx,
17 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
18 target_ulong *page_size);
20 /* Definitions for the PMCCNTR and PMCR registers */
26 static int vfp_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
30 /* VFP data registers are always little-endian. */
31 nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
33 stfq_le_p(buf, env->vfp.regs[reg]);
36 if (arm_feature(env, ARM_FEATURE_NEON)) {
37 /* Aliases for Q regs. */
40 stfq_le_p(buf, env->vfp.regs[(reg - 32) * 2]);
41 stfq_le_p(buf + 8, env->vfp.regs[(reg - 32) * 2 + 1]);
45 switch (reg - nregs) {
46 case 0: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSID]); return 4;
47 case 1: stl_p(buf, env->vfp.xregs[ARM_VFP_FPSCR]); return 4;
48 case 2: stl_p(buf, env->vfp.xregs[ARM_VFP_FPEXC]); return 4;
53 static int vfp_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
57 nregs = arm_feature(env, ARM_FEATURE_VFP3) ? 32 : 16;
59 env->vfp.regs[reg] = ldfq_le_p(buf);
62 if (arm_feature(env, ARM_FEATURE_NEON)) {
65 env->vfp.regs[(reg - 32) * 2] = ldfq_le_p(buf);
66 env->vfp.regs[(reg - 32) * 2 + 1] = ldfq_le_p(buf + 8);
70 switch (reg - nregs) {
71 case 0: env->vfp.xregs[ARM_VFP_FPSID] = ldl_p(buf); return 4;
72 case 1: env->vfp.xregs[ARM_VFP_FPSCR] = ldl_p(buf); return 4;
73 case 2: env->vfp.xregs[ARM_VFP_FPEXC] = ldl_p(buf) & (1 << 30); return 4;
78 static int aarch64_fpu_gdb_get_reg(CPUARMState *env, uint8_t *buf, int reg)
82 /* 128 bit FP register */
83 stfq_le_p(buf, env->vfp.regs[reg * 2]);
84 stfq_le_p(buf + 8, env->vfp.regs[reg * 2 + 1]);
88 stl_p(buf, vfp_get_fpsr(env));
92 stl_p(buf, vfp_get_fpcr(env));
99 static int aarch64_fpu_gdb_set_reg(CPUARMState *env, uint8_t *buf, int reg)
103 /* 128 bit FP register */
104 env->vfp.regs[reg * 2] = ldfq_le_p(buf);
105 env->vfp.regs[reg * 2 + 1] = ldfq_le_p(buf + 8);
109 vfp_set_fpsr(env, ldl_p(buf));
113 vfp_set_fpcr(env, ldl_p(buf));
120 static uint64_t raw_read(CPUARMState *env, const ARMCPRegInfo *ri)
122 assert(ri->fieldoffset);
123 if (cpreg_field_is_64bit(ri)) {
124 return CPREG_FIELD64(env, ri);
126 return CPREG_FIELD32(env, ri);
130 static void raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
133 assert(ri->fieldoffset);
134 if (cpreg_field_is_64bit(ri)) {
135 CPREG_FIELD64(env, ri) = value;
137 CPREG_FIELD32(env, ri) = value;
141 static void *raw_ptr(CPUARMState *env, const ARMCPRegInfo *ri)
143 return (char *)env + ri->fieldoffset;
146 static uint64_t read_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri)
148 /* Raw read of a coprocessor register (as needed for migration, etc). */
149 if (ri->type & ARM_CP_CONST) {
150 return ri->resetvalue;
151 } else if (ri->raw_readfn) {
152 return ri->raw_readfn(env, ri);
153 } else if (ri->readfn) {
154 return ri->readfn(env, ri);
156 return raw_read(env, ri);
160 static void write_raw_cp_reg(CPUARMState *env, const ARMCPRegInfo *ri,
163 /* Raw write of a coprocessor register (as needed for migration, etc).
164 * Note that constant registers are treated as write-ignored; the
165 * caller should check for success by whether a readback gives the
168 if (ri->type & ARM_CP_CONST) {
170 } else if (ri->raw_writefn) {
171 ri->raw_writefn(env, ri, v);
172 } else if (ri->writefn) {
173 ri->writefn(env, ri, v);
175 raw_write(env, ri, v);
179 static bool raw_accessors_invalid(const ARMCPRegInfo *ri)
181 /* Return true if the regdef would cause an assertion if you called
182 * read_raw_cp_reg() or write_raw_cp_reg() on it (ie if it is a
183 * program bug for it not to have the NO_RAW flag).
184 * NB that returning false here doesn't necessarily mean that calling
185 * read/write_raw_cp_reg() is safe, because we can't distinguish "has
186 * read/write access functions which are safe for raw use" from "has
187 * read/write access functions which have side effects but has forgotten
188 * to provide raw access functions".
189 * The tests here line up with the conditions in read/write_raw_cp_reg()
190 * and assertions in raw_read()/raw_write().
192 if ((ri->type & ARM_CP_CONST) ||
194 ((ri->raw_writefn || ri->writefn) && (ri->raw_readfn || ri->readfn))) {
200 bool write_cpustate_to_list(ARMCPU *cpu)
202 /* Write the coprocessor state from cpu->env to the (index,value) list. */
206 for (i = 0; i < cpu->cpreg_array_len; i++) {
207 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
208 const ARMCPRegInfo *ri;
210 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
215 if (ri->type & ARM_CP_NO_RAW) {
218 cpu->cpreg_values[i] = read_raw_cp_reg(&cpu->env, ri);
223 bool write_list_to_cpustate(ARMCPU *cpu)
228 for (i = 0; i < cpu->cpreg_array_len; i++) {
229 uint32_t regidx = kvm_to_cpreg_id(cpu->cpreg_indexes[i]);
230 uint64_t v = cpu->cpreg_values[i];
231 const ARMCPRegInfo *ri;
233 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
238 if (ri->type & ARM_CP_NO_RAW) {
241 /* Write value and confirm it reads back as written
242 * (to catch read-only registers and partially read-only
243 * registers where the incoming migration value doesn't match)
245 write_raw_cp_reg(&cpu->env, ri, v);
246 if (read_raw_cp_reg(&cpu->env, ri) != v) {
253 static void add_cpreg_to_list(gpointer key, gpointer opaque)
255 ARMCPU *cpu = opaque;
257 const ARMCPRegInfo *ri;
259 regidx = *(uint32_t *)key;
260 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
262 if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
263 cpu->cpreg_indexes[cpu->cpreg_array_len] = cpreg_to_kvm_id(regidx);
264 /* The value array need not be initialized at this point */
265 cpu->cpreg_array_len++;
269 static void count_cpreg(gpointer key, gpointer opaque)
271 ARMCPU *cpu = opaque;
273 const ARMCPRegInfo *ri;
275 regidx = *(uint32_t *)key;
276 ri = get_arm_cp_reginfo(cpu->cp_regs, regidx);
278 if (!(ri->type & (ARM_CP_NO_RAW|ARM_CP_ALIAS))) {
279 cpu->cpreg_array_len++;
283 static gint cpreg_key_compare(gconstpointer a, gconstpointer b)
285 uint64_t aidx = cpreg_to_kvm_id(*(uint32_t *)a);
286 uint64_t bidx = cpreg_to_kvm_id(*(uint32_t *)b);
297 static void cpreg_make_keylist(gpointer key, gpointer value, gpointer udata)
299 GList **plist = udata;
301 *plist = g_list_prepend(*plist, key);
304 void init_cpreg_list(ARMCPU *cpu)
306 /* Initialise the cpreg_tuples[] array based on the cp_regs hash.
307 * Note that we require cpreg_tuples[] to be sorted by key ID.
312 g_hash_table_foreach(cpu->cp_regs, cpreg_make_keylist, &keys);
314 keys = g_list_sort(keys, cpreg_key_compare);
316 cpu->cpreg_array_len = 0;
318 g_list_foreach(keys, count_cpreg, cpu);
320 arraylen = cpu->cpreg_array_len;
321 cpu->cpreg_indexes = g_new(uint64_t, arraylen);
322 cpu->cpreg_values = g_new(uint64_t, arraylen);
323 cpu->cpreg_vmstate_indexes = g_new(uint64_t, arraylen);
324 cpu->cpreg_vmstate_values = g_new(uint64_t, arraylen);
325 cpu->cpreg_vmstate_array_len = cpu->cpreg_array_len;
326 cpu->cpreg_array_len = 0;
328 g_list_foreach(keys, add_cpreg_to_list, cpu);
330 assert(cpu->cpreg_array_len == arraylen);
335 static void dacr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
337 ARMCPU *cpu = arm_env_get_cpu(env);
339 raw_write(env, ri, value);
340 tlb_flush(CPU(cpu), 1); /* Flush TLB as domain not tracked in TLB */
343 static void fcse_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
345 ARMCPU *cpu = arm_env_get_cpu(env);
347 if (raw_read(env, ri) != value) {
348 /* Unlike real hardware the qemu TLB uses virtual addresses,
349 * not modified virtual addresses, so this causes a TLB flush.
351 tlb_flush(CPU(cpu), 1);
352 raw_write(env, ri, value);
356 static void contextidr_write(CPUARMState *env, const ARMCPRegInfo *ri,
359 ARMCPU *cpu = arm_env_get_cpu(env);
361 if (raw_read(env, ri) != value && !arm_feature(env, ARM_FEATURE_MPU)
362 && !extended_addresses_enabled(env)) {
363 /* For VMSA (when not using the LPAE long descriptor page table
364 * format) this register includes the ASID, so do a TLB flush.
365 * For PMSA it is purely a process ID and no action is needed.
367 tlb_flush(CPU(cpu), 1);
369 raw_write(env, ri, value);
372 static void tlbiall_write(CPUARMState *env, const ARMCPRegInfo *ri,
375 /* Invalidate all (TLBIALL) */
376 ARMCPU *cpu = arm_env_get_cpu(env);
378 tlb_flush(CPU(cpu), 1);
381 static void tlbimva_write(CPUARMState *env, const ARMCPRegInfo *ri,
384 /* Invalidate single TLB entry by MVA and ASID (TLBIMVA) */
385 ARMCPU *cpu = arm_env_get_cpu(env);
387 tlb_flush_page(CPU(cpu), value & TARGET_PAGE_MASK);
390 static void tlbiasid_write(CPUARMState *env, const ARMCPRegInfo *ri,
393 /* Invalidate by ASID (TLBIASID) */
394 ARMCPU *cpu = arm_env_get_cpu(env);
396 tlb_flush(CPU(cpu), value == 0);
399 static void tlbimvaa_write(CPUARMState *env, const ARMCPRegInfo *ri,
402 /* Invalidate single entry by MVA, all ASIDs (TLBIMVAA) */
403 ARMCPU *cpu = arm_env_get_cpu(env);
405 tlb_flush_page(CPU(cpu), value & TARGET_PAGE_MASK);
408 /* IS variants of TLB operations must affect all cores */
409 static void tlbiall_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
414 CPU_FOREACH(other_cs) {
415 tlb_flush(other_cs, 1);
419 static void tlbiasid_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
424 CPU_FOREACH(other_cs) {
425 tlb_flush(other_cs, value == 0);
429 static void tlbimva_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
434 CPU_FOREACH(other_cs) {
435 tlb_flush_page(other_cs, value & TARGET_PAGE_MASK);
439 static void tlbimvaa_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
444 CPU_FOREACH(other_cs) {
445 tlb_flush_page(other_cs, value & TARGET_PAGE_MASK);
449 static const ARMCPRegInfo cp_reginfo[] = {
450 /* Define the secure and non-secure FCSE identifier CP registers
451 * separately because there is no secure bank in V8 (no _EL3). This allows
452 * the secure register to be properly reset and migrated. There is also no
453 * v8 EL1 version of the register so the non-secure instance stands alone.
455 { .name = "FCSEIDR(NS)",
456 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
457 .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
458 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_ns),
459 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
460 { .name = "FCSEIDR(S)",
461 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 0,
462 .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
463 .fieldoffset = offsetof(CPUARMState, cp15.fcseidr_s),
464 .resetvalue = 0, .writefn = fcse_write, .raw_writefn = raw_write, },
465 /* Define the secure and non-secure context identifier CP registers
466 * separately because there is no secure bank in V8 (no _EL3). This allows
467 * the secure register to be properly reset and migrated. In the
468 * non-secure case, the 32-bit register will have reset and migration
469 * disabled during registration as it is handled by the 64-bit instance.
471 { .name = "CONTEXTIDR_EL1", .state = ARM_CP_STATE_BOTH,
472 .opc0 = 3, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
473 .access = PL1_RW, .secure = ARM_CP_SECSTATE_NS,
474 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_el[1]),
475 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
476 { .name = "CONTEXTIDR(S)", .state = ARM_CP_STATE_AA32,
477 .cp = 15, .opc1 = 0, .crn = 13, .crm = 0, .opc2 = 1,
478 .access = PL1_RW, .secure = ARM_CP_SECSTATE_S,
479 .fieldoffset = offsetof(CPUARMState, cp15.contextidr_s),
480 .resetvalue = 0, .writefn = contextidr_write, .raw_writefn = raw_write, },
484 static const ARMCPRegInfo not_v8_cp_reginfo[] = {
485 /* NB: Some of these registers exist in v8 but with more precise
486 * definitions that don't use CP_ANY wildcards (mostly in v8_cp_reginfo[]).
488 /* MMU Domain access control / MPU write buffer control */
490 .cp = 15, .opc1 = CP_ANY, .crn = 3, .crm = CP_ANY, .opc2 = CP_ANY,
491 .access = PL1_RW, .resetvalue = 0,
492 .writefn = dacr_write, .raw_writefn = raw_write,
493 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
494 offsetoflow32(CPUARMState, cp15.dacr_ns) } },
495 /* ARMv7 allocates a range of implementation defined TLB LOCKDOWN regs.
496 * For v6 and v5, these mappings are overly broad.
498 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 0,
499 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
500 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 1,
501 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
502 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 4,
503 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
504 { .name = "TLB_LOCKDOWN", .cp = 15, .crn = 10, .crm = 8,
505 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_NOP },
506 /* Cache maintenance ops; some of this space may be overridden later. */
507 { .name = "CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
508 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
509 .type = ARM_CP_NOP | ARM_CP_OVERRIDE },
513 static const ARMCPRegInfo not_v6_cp_reginfo[] = {
514 /* Not all pre-v6 cores implemented this WFI, so this is slightly
517 { .name = "WFI_v5", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = 2,
518 .access = PL1_W, .type = ARM_CP_WFI },
522 static const ARMCPRegInfo not_v7_cp_reginfo[] = {
523 /* Standard v6 WFI (also used in some pre-v6 cores); not in v7 (which
524 * is UNPREDICTABLE; we choose to NOP as most implementations do).
526 { .name = "WFI_v6", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
527 .access = PL1_W, .type = ARM_CP_WFI },
528 /* L1 cache lockdown. Not architectural in v6 and earlier but in practice
529 * implemented in 926, 946, 1026, 1136, 1176 and 11MPCore. StrongARM and
530 * OMAPCP will override this space.
532 { .name = "DLOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 0,
533 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_data),
535 { .name = "ILOCKDOWN", .cp = 15, .crn = 9, .crm = 0, .opc1 = 0, .opc2 = 1,
536 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_insn),
538 /* v6 doesn't have the cache ID registers but Linux reads them anyway */
539 { .name = "DUMMY", .cp = 15, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = CP_ANY,
540 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
542 /* We don't implement pre-v7 debug but most CPUs had at least a DBGDIDR;
543 * implementing it as RAZ means the "debug architecture version" bits
544 * will read as a reserved value, which should cause Linux to not try
545 * to use the debug hardware.
547 { .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
548 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
549 /* MMU TLB control. Note that the wildcarding means we cover not just
550 * the unified TLB ops but also the dside/iside/inner-shareable variants.
552 { .name = "TLBIALL", .cp = 15, .crn = 8, .crm = CP_ANY,
553 .opc1 = CP_ANY, .opc2 = 0, .access = PL1_W, .writefn = tlbiall_write,
554 .type = ARM_CP_NO_RAW },
555 { .name = "TLBIMVA", .cp = 15, .crn = 8, .crm = CP_ANY,
556 .opc1 = CP_ANY, .opc2 = 1, .access = PL1_W, .writefn = tlbimva_write,
557 .type = ARM_CP_NO_RAW },
558 { .name = "TLBIASID", .cp = 15, .crn = 8, .crm = CP_ANY,
559 .opc1 = CP_ANY, .opc2 = 2, .access = PL1_W, .writefn = tlbiasid_write,
560 .type = ARM_CP_NO_RAW },
561 { .name = "TLBIMVAA", .cp = 15, .crn = 8, .crm = CP_ANY,
562 .opc1 = CP_ANY, .opc2 = 3, .access = PL1_W, .writefn = tlbimvaa_write,
563 .type = ARM_CP_NO_RAW },
564 { .name = "PRRR", .cp = 15, .crn = 10, .crm = 2,
565 .opc1 = 0, .opc2 = 0, .access = PL1_RW, .type = ARM_CP_NOP },
566 { .name = "NMRR", .cp = 15, .crn = 10, .crm = 2,
567 .opc1 = 0, .opc2 = 1, .access = PL1_RW, .type = ARM_CP_NOP },
571 static void cpacr_write(CPUARMState *env, const ARMCPRegInfo *ri,
576 /* In ARMv8 most bits of CPACR_EL1 are RES0. */
577 if (!arm_feature(env, ARM_FEATURE_V8)) {
578 /* ARMv7 defines bits for unimplemented coprocessors as RAZ/WI.
579 * ASEDIS [31] and D32DIS [30] are both UNK/SBZP without VFP.
580 * TRCDIS [28] is RAZ/WI since we do not implement a trace macrocell.
582 if (arm_feature(env, ARM_FEATURE_VFP)) {
583 /* VFP coprocessor: cp10 & cp11 [23:20] */
584 mask |= (1 << 31) | (1 << 30) | (0xf << 20);
586 if (!arm_feature(env, ARM_FEATURE_NEON)) {
587 /* ASEDIS [31] bit is RAO/WI */
591 /* VFPv3 and upwards with NEON implement 32 double precision
592 * registers (D0-D31).
594 if (!arm_feature(env, ARM_FEATURE_NEON) ||
595 !arm_feature(env, ARM_FEATURE_VFP3)) {
596 /* D32DIS [30] is RAO/WI if D16-31 are not implemented. */
602 env->cp15.cpacr_el1 = value;
605 static CPAccessResult cpacr_access(CPUARMState *env, const ARMCPRegInfo *ri)
607 if (arm_feature(env, ARM_FEATURE_V8)) {
608 /* Check if CPACR accesses are to be trapped to EL2 */
609 if (arm_current_el(env) == 1 &&
610 (env->cp15.cptr_el[2] & CPTR_TCPAC) && !arm_is_secure(env)) {
611 return CP_ACCESS_TRAP_EL2;
612 /* Check if CPACR accesses are to be trapped to EL3 */
613 } else if (arm_current_el(env) < 3 &&
614 (env->cp15.cptr_el[3] & CPTR_TCPAC)) {
615 return CP_ACCESS_TRAP_EL3;
622 static CPAccessResult cptr_access(CPUARMState *env, const ARMCPRegInfo *ri)
624 /* Check if CPTR accesses are set to trap to EL3 */
625 if (arm_current_el(env) == 2 && (env->cp15.cptr_el[3] & CPTR_TCPAC)) {
626 return CP_ACCESS_TRAP_EL3;
632 static const ARMCPRegInfo v6_cp_reginfo[] = {
633 /* prefetch by MVA in v6, NOP in v7 */
634 { .name = "MVA_prefetch",
635 .cp = 15, .crn = 7, .crm = 13, .opc1 = 0, .opc2 = 1,
636 .access = PL1_W, .type = ARM_CP_NOP },
637 { .name = "ISB", .cp = 15, .crn = 7, .crm = 5, .opc1 = 0, .opc2 = 4,
638 .access = PL0_W, .type = ARM_CP_NOP },
639 { .name = "DSB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 4,
640 .access = PL0_W, .type = ARM_CP_NOP },
641 { .name = "DMB", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 5,
642 .access = PL0_W, .type = ARM_CP_NOP },
643 { .name = "IFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 2,
645 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ifar_s),
646 offsetof(CPUARMState, cp15.ifar_ns) },
648 /* Watchpoint Fault Address Register : should actually only be present
649 * for 1136, 1176, 11MPCore.
651 { .name = "WFAR", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 1,
652 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0, },
653 { .name = "CPACR", .state = ARM_CP_STATE_BOTH, .opc0 = 3,
654 .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 2, .accessfn = cpacr_access,
655 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.cpacr_el1),
656 .resetvalue = 0, .writefn = cpacr_write },
660 static CPAccessResult pmreg_access(CPUARMState *env, const ARMCPRegInfo *ri)
662 /* Performance monitor registers user accessibility is controlled
665 if (arm_current_el(env) == 0 && !env->cp15.c9_pmuserenr) {
666 return CP_ACCESS_TRAP;
671 #ifndef CONFIG_USER_ONLY
673 static inline bool arm_ccnt_enabled(CPUARMState *env)
675 /* This does not support checking PMCCFILTR_EL0 register */
677 if (!(env->cp15.c9_pmcr & PMCRE)) {
684 void pmccntr_sync(CPUARMState *env)
688 temp_ticks = muldiv64(qemu_clock_get_us(QEMU_CLOCK_VIRTUAL),
689 get_ticks_per_sec(), 1000000);
691 if (env->cp15.c9_pmcr & PMCRD) {
692 /* Increment once every 64 processor clock cycles */
696 if (arm_ccnt_enabled(env)) {
697 env->cp15.c15_ccnt = temp_ticks - env->cp15.c15_ccnt;
701 static void pmcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
707 /* The counter has been reset */
708 env->cp15.c15_ccnt = 0;
711 /* only the DP, X, D and E bits are writable */
712 env->cp15.c9_pmcr &= ~0x39;
713 env->cp15.c9_pmcr |= (value & 0x39);
718 static uint64_t pmccntr_read(CPUARMState *env, const ARMCPRegInfo *ri)
720 uint64_t total_ticks;
722 if (!arm_ccnt_enabled(env)) {
723 /* Counter is disabled, do not change value */
724 return env->cp15.c15_ccnt;
727 total_ticks = muldiv64(qemu_clock_get_us(QEMU_CLOCK_VIRTUAL),
728 get_ticks_per_sec(), 1000000);
730 if (env->cp15.c9_pmcr & PMCRD) {
731 /* Increment once every 64 processor clock cycles */
734 return total_ticks - env->cp15.c15_ccnt;
737 static void pmccntr_write(CPUARMState *env, const ARMCPRegInfo *ri,
740 uint64_t total_ticks;
742 if (!arm_ccnt_enabled(env)) {
743 /* Counter is disabled, set the absolute value */
744 env->cp15.c15_ccnt = value;
748 total_ticks = muldiv64(qemu_clock_get_us(QEMU_CLOCK_VIRTUAL),
749 get_ticks_per_sec(), 1000000);
751 if (env->cp15.c9_pmcr & PMCRD) {
752 /* Increment once every 64 processor clock cycles */
755 env->cp15.c15_ccnt = total_ticks - value;
758 static void pmccntr_write32(CPUARMState *env, const ARMCPRegInfo *ri,
761 uint64_t cur_val = pmccntr_read(env, NULL);
763 pmccntr_write(env, ri, deposit64(cur_val, 0, 32, value));
766 #else /* CONFIG_USER_ONLY */
768 void pmccntr_sync(CPUARMState *env)
774 static void pmccfiltr_write(CPUARMState *env, const ARMCPRegInfo *ri,
778 env->cp15.pmccfiltr_el0 = value & 0x7E000000;
782 static void pmcntenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
786 env->cp15.c9_pmcnten |= value;
789 static void pmcntenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
793 env->cp15.c9_pmcnten &= ~value;
796 static void pmovsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
799 env->cp15.c9_pmovsr &= ~value;
802 static void pmxevtyper_write(CPUARMState *env, const ARMCPRegInfo *ri,
805 env->cp15.c9_pmxevtyper = value & 0xff;
808 static void pmuserenr_write(CPUARMState *env, const ARMCPRegInfo *ri,
811 env->cp15.c9_pmuserenr = value & 1;
814 static void pmintenset_write(CPUARMState *env, const ARMCPRegInfo *ri,
817 /* We have no event counters so only the C bit can be changed */
819 env->cp15.c9_pminten |= value;
822 static void pmintenclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
826 env->cp15.c9_pminten &= ~value;
829 static void vbar_write(CPUARMState *env, const ARMCPRegInfo *ri,
832 /* Note that even though the AArch64 view of this register has bits
833 * [10:0] all RES0 we can only mask the bottom 5, to comply with the
834 * architectural requirements for bits which are RES0 only in some
835 * contexts. (ARMv8 would permit us to do no masking at all, but ARMv7
836 * requires the bottom five bits to be RAZ/WI because they're UNK/SBZP.)
838 raw_write(env, ri, value & ~0x1FULL);
841 static void scr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
843 /* We only mask off bits that are RES0 both for AArch64 and AArch32.
844 * For bits that vary between AArch32/64, code needs to check the
845 * current execution mode before directly using the feature bit.
847 uint32_t valid_mask = SCR_AARCH64_MASK | SCR_AARCH32_MASK;
849 if (!arm_feature(env, ARM_FEATURE_EL2)) {
850 valid_mask &= ~SCR_HCE;
852 /* On ARMv7, SMD (or SCD as it is called in v7) is only
853 * supported if EL2 exists. The bit is UNK/SBZP when
854 * EL2 is unavailable. In QEMU ARMv7, we force it to always zero
855 * when EL2 is unavailable.
856 * On ARMv8, this bit is always available.
858 if (arm_feature(env, ARM_FEATURE_V7) &&
859 !arm_feature(env, ARM_FEATURE_V8)) {
860 valid_mask &= ~SCR_SMD;
864 /* Clear all-context RES0 bits. */
866 raw_write(env, ri, value);
869 static uint64_t ccsidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
871 ARMCPU *cpu = arm_env_get_cpu(env);
873 /* Acquire the CSSELR index from the bank corresponding to the CCSIDR
876 uint32_t index = A32_BANKED_REG_GET(env, csselr,
877 ri->secure & ARM_CP_SECSTATE_S);
879 return cpu->ccsidr[index];
882 static void csselr_write(CPUARMState *env, const ARMCPRegInfo *ri,
885 raw_write(env, ri, value & 0xf);
888 static uint64_t isr_read(CPUARMState *env, const ARMCPRegInfo *ri)
890 CPUState *cs = ENV_GET_CPU(env);
893 if (cs->interrupt_request & CPU_INTERRUPT_HARD) {
896 if (cs->interrupt_request & CPU_INTERRUPT_FIQ) {
899 /* External aborts are not possible in QEMU so A bit is always clear */
903 static const ARMCPRegInfo v7_cp_reginfo[] = {
904 /* the old v6 WFI, UNPREDICTABLE in v7 but we choose to NOP */
905 { .name = "NOP", .cp = 15, .crn = 7, .crm = 0, .opc1 = 0, .opc2 = 4,
906 .access = PL1_W, .type = ARM_CP_NOP },
907 /* Performance monitors are implementation defined in v7,
908 * but with an ARM recommended set of registers, which we
909 * follow (although we don't actually implement any counters)
911 * Performance registers fall into three categories:
912 * (a) always UNDEF in PL0, RW in PL1 (PMINTENSET, PMINTENCLR)
913 * (b) RO in PL0 (ie UNDEF on write), RW in PL1 (PMUSERENR)
914 * (c) UNDEF in PL0 if PMUSERENR.EN==0, otherwise accessible (all others)
915 * For the cases controlled by PMUSERENR we must set .access to PL0_RW
916 * or PL0_RO as appropriate and then check PMUSERENR in the helper fn.
918 { .name = "PMCNTENSET", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 1,
919 .access = PL0_RW, .type = ARM_CP_ALIAS,
920 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
921 .writefn = pmcntenset_write,
922 .accessfn = pmreg_access,
923 .raw_writefn = raw_write },
924 { .name = "PMCNTENSET_EL0", .state = ARM_CP_STATE_AA64,
925 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 1,
926 .access = PL0_RW, .accessfn = pmreg_access,
927 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten), .resetvalue = 0,
928 .writefn = pmcntenset_write, .raw_writefn = raw_write },
929 { .name = "PMCNTENCLR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 2,
931 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcnten),
932 .accessfn = pmreg_access,
933 .writefn = pmcntenclr_write,
934 .type = ARM_CP_ALIAS },
935 { .name = "PMCNTENCLR_EL0", .state = ARM_CP_STATE_AA64,
936 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 2,
937 .access = PL0_RW, .accessfn = pmreg_access,
938 .type = ARM_CP_ALIAS,
939 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcnten),
940 .writefn = pmcntenclr_write },
941 { .name = "PMOVSR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 3,
942 .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, cp15.c9_pmovsr),
943 .accessfn = pmreg_access,
944 .writefn = pmovsr_write,
945 .raw_writefn = raw_write },
946 /* Unimplemented so WI. */
947 { .name = "PMSWINC", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 4,
948 .access = PL0_W, .accessfn = pmreg_access, .type = ARM_CP_NOP },
949 /* Since we don't implement any events, writing to PMSELR is UNPREDICTABLE.
950 * We choose to RAZ/WI.
952 { .name = "PMSELR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 5,
953 .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
954 .accessfn = pmreg_access },
955 #ifndef CONFIG_USER_ONLY
956 { .name = "PMCCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 0,
957 .access = PL0_RW, .resetvalue = 0, .type = ARM_CP_IO,
958 .readfn = pmccntr_read, .writefn = pmccntr_write32,
959 .accessfn = pmreg_access },
960 { .name = "PMCCNTR_EL0", .state = ARM_CP_STATE_AA64,
961 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 13, .opc2 = 0,
962 .access = PL0_RW, .accessfn = pmreg_access,
964 .readfn = pmccntr_read, .writefn = pmccntr_write, },
966 { .name = "PMCCFILTR_EL0", .state = ARM_CP_STATE_AA64,
967 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 15, .opc2 = 7,
968 .writefn = pmccfiltr_write,
969 .access = PL0_RW, .accessfn = pmreg_access,
971 .fieldoffset = offsetof(CPUARMState, cp15.pmccfiltr_el0),
973 { .name = "PMXEVTYPER", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 1,
975 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmxevtyper),
976 .accessfn = pmreg_access, .writefn = pmxevtyper_write,
977 .raw_writefn = raw_write },
978 /* Unimplemented, RAZ/WI. */
979 { .name = "PMXEVCNTR", .cp = 15, .crn = 9, .crm = 13, .opc1 = 0, .opc2 = 2,
980 .access = PL0_RW, .type = ARM_CP_CONST, .resetvalue = 0,
981 .accessfn = pmreg_access },
982 { .name = "PMUSERENR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 0,
983 .access = PL0_R | PL1_RW,
984 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmuserenr),
986 .writefn = pmuserenr_write, .raw_writefn = raw_write },
987 { .name = "PMINTENSET", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 1,
989 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
991 .writefn = pmintenset_write, .raw_writefn = raw_write },
992 { .name = "PMINTENCLR", .cp = 15, .crn = 9, .crm = 14, .opc1 = 0, .opc2 = 2,
993 .access = PL1_RW, .type = ARM_CP_ALIAS,
994 .fieldoffset = offsetof(CPUARMState, cp15.c9_pminten),
995 .resetvalue = 0, .writefn = pmintenclr_write, },
996 { .name = "VBAR", .state = ARM_CP_STATE_BOTH,
997 .opc0 = 3, .crn = 12, .crm = 0, .opc1 = 0, .opc2 = 0,
998 .access = PL1_RW, .writefn = vbar_write,
999 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.vbar_s),
1000 offsetof(CPUARMState, cp15.vbar_ns) },
1002 { .name = "CCSIDR", .state = ARM_CP_STATE_BOTH,
1003 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 0,
1004 .access = PL1_R, .readfn = ccsidr_read, .type = ARM_CP_NO_RAW },
1005 { .name = "CSSELR", .state = ARM_CP_STATE_BOTH,
1006 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 2, .opc2 = 0,
1007 .access = PL1_RW, .writefn = csselr_write, .resetvalue = 0,
1008 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.csselr_s),
1009 offsetof(CPUARMState, cp15.csselr_ns) } },
1010 /* Auxiliary ID register: this actually has an IMPDEF value but for now
1011 * just RAZ for all cores:
1013 { .name = "AIDR", .state = ARM_CP_STATE_BOTH,
1014 .opc0 = 3, .opc1 = 1, .crn = 0, .crm = 0, .opc2 = 7,
1015 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
1016 /* Auxiliary fault status registers: these also are IMPDEF, and we
1017 * choose to RAZ/WI for all cores.
1019 { .name = "AFSR0_EL1", .state = ARM_CP_STATE_BOTH,
1020 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 0,
1021 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
1022 { .name = "AFSR1_EL1", .state = ARM_CP_STATE_BOTH,
1023 .opc0 = 3, .opc1 = 0, .crn = 5, .crm = 1, .opc2 = 1,
1024 .access = PL1_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
1025 /* MAIR can just read-as-written because we don't implement caches
1026 * and so don't need to care about memory attributes.
1028 { .name = "MAIR_EL1", .state = ARM_CP_STATE_AA64,
1029 .opc0 = 3, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0,
1030 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[1]),
1032 /* For non-long-descriptor page tables these are PRRR and NMRR;
1033 * regardless they still act as reads-as-written for QEMU.
1035 /* MAIR0/1 are defined separately from their 64-bit counterpart which
1036 * allows them to assign the correct fieldoffset based on the endianness
1037 * handled in the field definitions.
1039 { .name = "MAIR0", .state = ARM_CP_STATE_AA32,
1040 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 0, .access = PL1_RW,
1041 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair0_s),
1042 offsetof(CPUARMState, cp15.mair0_ns) },
1043 .resetfn = arm_cp_reset_ignore },
1044 { .name = "MAIR1", .state = ARM_CP_STATE_AA32,
1045 .cp = 15, .opc1 = 0, .crn = 10, .crm = 2, .opc2 = 1, .access = PL1_RW,
1046 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.mair1_s),
1047 offsetof(CPUARMState, cp15.mair1_ns) },
1048 .resetfn = arm_cp_reset_ignore },
1049 { .name = "ISR_EL1", .state = ARM_CP_STATE_BOTH,
1050 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 1, .opc2 = 0,
1051 .type = ARM_CP_NO_RAW, .access = PL1_R, .readfn = isr_read },
1052 /* 32 bit ITLB invalidates */
1053 { .name = "ITLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 0,
1054 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1055 { .name = "ITLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 1,
1056 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1057 { .name = "ITLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 5, .opc2 = 2,
1058 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1059 /* 32 bit DTLB invalidates */
1060 { .name = "DTLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 0,
1061 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1062 { .name = "DTLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 1,
1063 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1064 { .name = "DTLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 6, .opc2 = 2,
1065 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1066 /* 32 bit TLB invalidates */
1067 { .name = "TLBIALL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
1068 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_write },
1069 { .name = "TLBIMVA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
1070 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
1071 { .name = "TLBIASID", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
1072 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiasid_write },
1073 { .name = "TLBIMVAA", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
1074 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write },
1078 static const ARMCPRegInfo v7mp_cp_reginfo[] = {
1079 /* 32 bit TLB invalidates, Inner Shareable */
1080 { .name = "TLBIALLIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
1081 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbiall_is_write },
1082 { .name = "TLBIMVAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
1083 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write },
1084 { .name = "TLBIASIDIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
1085 .type = ARM_CP_NO_RAW, .access = PL1_W,
1086 .writefn = tlbiasid_is_write },
1087 { .name = "TLBIMVAAIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
1088 .type = ARM_CP_NO_RAW, .access = PL1_W,
1089 .writefn = tlbimvaa_is_write },
1093 static void teecr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1100 static CPAccessResult teehbr_access(CPUARMState *env, const ARMCPRegInfo *ri)
1102 if (arm_current_el(env) == 0 && (env->teecr & 1)) {
1103 return CP_ACCESS_TRAP;
1105 return CP_ACCESS_OK;
1108 static const ARMCPRegInfo t2ee_cp_reginfo[] = {
1109 { .name = "TEECR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 6, .opc2 = 0,
1110 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, teecr),
1112 .writefn = teecr_write },
1113 { .name = "TEEHBR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 6, .opc2 = 0,
1114 .access = PL0_RW, .fieldoffset = offsetof(CPUARMState, teehbr),
1115 .accessfn = teehbr_access, .resetvalue = 0 },
1119 static const ARMCPRegInfo v6k_cp_reginfo[] = {
1120 { .name = "TPIDR_EL0", .state = ARM_CP_STATE_AA64,
1121 .opc0 = 3, .opc1 = 3, .opc2 = 2, .crn = 13, .crm = 0,
1123 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[0]), .resetvalue = 0 },
1124 { .name = "TPIDRURW", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 2,
1126 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrurw_s),
1127 offsetoflow32(CPUARMState, cp15.tpidrurw_ns) },
1128 .resetfn = arm_cp_reset_ignore },
1129 { .name = "TPIDRRO_EL0", .state = ARM_CP_STATE_AA64,
1130 .opc0 = 3, .opc1 = 3, .opc2 = 3, .crn = 13, .crm = 0,
1131 .access = PL0_R|PL1_W,
1132 .fieldoffset = offsetof(CPUARMState, cp15.tpidrro_el[0]),
1134 { .name = "TPIDRURO", .cp = 15, .crn = 13, .crm = 0, .opc1 = 0, .opc2 = 3,
1135 .access = PL0_R|PL1_W,
1136 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidruro_s),
1137 offsetoflow32(CPUARMState, cp15.tpidruro_ns) },
1138 .resetfn = arm_cp_reset_ignore },
1139 { .name = "TPIDR_EL1", .state = ARM_CP_STATE_AA64,
1140 .opc0 = 3, .opc1 = 0, .opc2 = 4, .crn = 13, .crm = 0,
1142 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[1]), .resetvalue = 0 },
1143 { .name = "TPIDRPRW", .opc1 = 0, .cp = 15, .crn = 13, .crm = 0, .opc2 = 4,
1145 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tpidrprw_s),
1146 offsetoflow32(CPUARMState, cp15.tpidrprw_ns) },
1151 #ifndef CONFIG_USER_ONLY
1153 static CPAccessResult gt_cntfrq_access(CPUARMState *env, const ARMCPRegInfo *ri)
1155 /* CNTFRQ: not visible from PL0 if both PL0PCTEN and PL0VCTEN are zero */
1156 if (arm_current_el(env) == 0 && !extract32(env->cp15.c14_cntkctl, 0, 2)) {
1157 return CP_ACCESS_TRAP;
1159 return CP_ACCESS_OK;
1162 static CPAccessResult gt_counter_access(CPUARMState *env, int timeridx)
1164 /* CNT[PV]CT: not visible from PL0 if ELO[PV]CTEN is zero */
1165 if (arm_current_el(env) == 0 &&
1166 !extract32(env->cp15.c14_cntkctl, timeridx, 1)) {
1167 return CP_ACCESS_TRAP;
1169 return CP_ACCESS_OK;
1172 static CPAccessResult gt_timer_access(CPUARMState *env, int timeridx)
1174 /* CNT[PV]_CVAL, CNT[PV]_CTL, CNT[PV]_TVAL: not visible from PL0 if
1175 * EL0[PV]TEN is zero.
1177 if (arm_current_el(env) == 0 &&
1178 !extract32(env->cp15.c14_cntkctl, 9 - timeridx, 1)) {
1179 return CP_ACCESS_TRAP;
1181 return CP_ACCESS_OK;
1184 static CPAccessResult gt_pct_access(CPUARMState *env,
1185 const ARMCPRegInfo *ri)
1187 return gt_counter_access(env, GTIMER_PHYS);
1190 static CPAccessResult gt_vct_access(CPUARMState *env,
1191 const ARMCPRegInfo *ri)
1193 return gt_counter_access(env, GTIMER_VIRT);
1196 static CPAccessResult gt_ptimer_access(CPUARMState *env, const ARMCPRegInfo *ri)
1198 return gt_timer_access(env, GTIMER_PHYS);
1201 static CPAccessResult gt_vtimer_access(CPUARMState *env, const ARMCPRegInfo *ri)
1203 return gt_timer_access(env, GTIMER_VIRT);
1206 static uint64_t gt_get_countervalue(CPUARMState *env)
1208 return qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) / GTIMER_SCALE;
1211 static void gt_recalc_timer(ARMCPU *cpu, int timeridx)
1213 ARMGenericTimer *gt = &cpu->env.cp15.c14_timer[timeridx];
1216 /* Timer enabled: calculate and set current ISTATUS, irq, and
1217 * reset timer to when ISTATUS next has to change
1219 uint64_t count = gt_get_countervalue(&cpu->env);
1220 /* Note that this must be unsigned 64 bit arithmetic: */
1221 int istatus = count >= gt->cval;
1224 gt->ctl = deposit32(gt->ctl, 2, 1, istatus);
1225 qemu_set_irq(cpu->gt_timer_outputs[timeridx],
1226 (istatus && !(gt->ctl & 2)));
1228 /* Next transition is when count rolls back over to zero */
1229 nexttick = UINT64_MAX;
1231 /* Next transition is when we hit cval */
1232 nexttick = gt->cval;
1234 /* Note that the desired next expiry time might be beyond the
1235 * signed-64-bit range of a QEMUTimer -- in this case we just
1236 * set the timer for as far in the future as possible. When the
1237 * timer expires we will reset the timer for any remaining period.
1239 if (nexttick > INT64_MAX / GTIMER_SCALE) {
1240 nexttick = INT64_MAX / GTIMER_SCALE;
1242 timer_mod(cpu->gt_timer[timeridx], nexttick);
1244 /* Timer disabled: ISTATUS and timer output always clear */
1246 qemu_set_irq(cpu->gt_timer_outputs[timeridx], 0);
1247 timer_del(cpu->gt_timer[timeridx]);
1251 static void gt_cnt_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1253 ARMCPU *cpu = arm_env_get_cpu(env);
1254 int timeridx = ri->opc1 & 1;
1256 timer_del(cpu->gt_timer[timeridx]);
1259 static uint64_t gt_cnt_read(CPUARMState *env, const ARMCPRegInfo *ri)
1261 return gt_get_countervalue(env);
1264 static void gt_cval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1267 int timeridx = ri->opc1 & 1;
1269 env->cp15.c14_timer[timeridx].cval = value;
1270 gt_recalc_timer(arm_env_get_cpu(env), timeridx);
1273 static uint64_t gt_tval_read(CPUARMState *env, const ARMCPRegInfo *ri)
1275 int timeridx = ri->crm & 1;
1277 return (uint32_t)(env->cp15.c14_timer[timeridx].cval -
1278 gt_get_countervalue(env));
1281 static void gt_tval_write(CPUARMState *env, const ARMCPRegInfo *ri,
1284 int timeridx = ri->crm & 1;
1286 env->cp15.c14_timer[timeridx].cval = gt_get_countervalue(env) +
1287 sextract64(value, 0, 32);
1288 gt_recalc_timer(arm_env_get_cpu(env), timeridx);
1291 static void gt_ctl_write(CPUARMState *env, const ARMCPRegInfo *ri,
1294 ARMCPU *cpu = arm_env_get_cpu(env);
1295 int timeridx = ri->crm & 1;
1296 uint32_t oldval = env->cp15.c14_timer[timeridx].ctl;
1298 env->cp15.c14_timer[timeridx].ctl = deposit64(oldval, 0, 2, value);
1299 if ((oldval ^ value) & 1) {
1300 /* Enable toggled */
1301 gt_recalc_timer(cpu, timeridx);
1302 } else if ((oldval ^ value) & 2) {
1303 /* IMASK toggled: don't need to recalculate,
1304 * just set the interrupt line based on ISTATUS
1306 qemu_set_irq(cpu->gt_timer_outputs[timeridx],
1307 (oldval & 4) && !(value & 2));
1311 void arm_gt_ptimer_cb(void *opaque)
1313 ARMCPU *cpu = opaque;
1315 gt_recalc_timer(cpu, GTIMER_PHYS);
1318 void arm_gt_vtimer_cb(void *opaque)
1320 ARMCPU *cpu = opaque;
1322 gt_recalc_timer(cpu, GTIMER_VIRT);
1325 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
1326 /* Note that CNTFRQ is purely reads-as-written for the benefit
1327 * of software; writing it doesn't actually change the timer frequency.
1328 * Our reset value matches the fixed frequency we implement the timer at.
1330 { .name = "CNTFRQ", .cp = 15, .crn = 14, .crm = 0, .opc1 = 0, .opc2 = 0,
1331 .type = ARM_CP_ALIAS,
1332 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1333 .fieldoffset = offsetoflow32(CPUARMState, cp15.c14_cntfrq),
1334 .resetfn = arm_cp_reset_ignore,
1336 { .name = "CNTFRQ_EL0", .state = ARM_CP_STATE_AA64,
1337 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 0,
1338 .access = PL1_RW | PL0_R, .accessfn = gt_cntfrq_access,
1339 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntfrq),
1340 .resetvalue = (1000 * 1000 * 1000) / GTIMER_SCALE,
1342 /* overall control: mostly access permissions */
1343 { .name = "CNTKCTL", .state = ARM_CP_STATE_BOTH,
1344 .opc0 = 3, .opc1 = 0, .crn = 14, .crm = 1, .opc2 = 0,
1346 .fieldoffset = offsetof(CPUARMState, cp15.c14_cntkctl),
1349 /* per-timer control */
1350 { .name = "CNTP_CTL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 1,
1351 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1352 .accessfn = gt_ptimer_access,
1353 .fieldoffset = offsetoflow32(CPUARMState,
1354 cp15.c14_timer[GTIMER_PHYS].ctl),
1355 .resetfn = arm_cp_reset_ignore,
1356 .writefn = gt_ctl_write, .raw_writefn = raw_write,
1358 { .name = "CNTP_CTL_EL0", .state = ARM_CP_STATE_AA64,
1359 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 1,
1360 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1361 .accessfn = gt_ptimer_access,
1362 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].ctl),
1364 .writefn = gt_ctl_write, .raw_writefn = raw_write,
1366 { .name = "CNTV_CTL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 1,
1367 .type = ARM_CP_IO | ARM_CP_ALIAS, .access = PL1_RW | PL0_R,
1368 .accessfn = gt_vtimer_access,
1369 .fieldoffset = offsetoflow32(CPUARMState,
1370 cp15.c14_timer[GTIMER_VIRT].ctl),
1371 .resetfn = arm_cp_reset_ignore,
1372 .writefn = gt_ctl_write, .raw_writefn = raw_write,
1374 { .name = "CNTV_CTL_EL0", .state = ARM_CP_STATE_AA64,
1375 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 1,
1376 .type = ARM_CP_IO, .access = PL1_RW | PL0_R,
1377 .accessfn = gt_vtimer_access,
1378 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].ctl),
1380 .writefn = gt_ctl_write, .raw_writefn = raw_write,
1382 /* TimerValue views: a 32 bit downcounting view of the underlying state */
1383 { .name = "CNTP_TVAL", .cp = 15, .crn = 14, .crm = 2, .opc1 = 0, .opc2 = 0,
1384 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1385 .accessfn = gt_ptimer_access,
1386 .readfn = gt_tval_read, .writefn = gt_tval_write,
1388 { .name = "CNTP_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1389 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 0,
1390 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1391 .accessfn = gt_ptimer_access,
1392 .readfn = gt_tval_read, .writefn = gt_tval_write,
1394 { .name = "CNTV_TVAL", .cp = 15, .crn = 14, .crm = 3, .opc1 = 0, .opc2 = 0,
1395 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1396 .accessfn = gt_vtimer_access,
1397 .readfn = gt_tval_read, .writefn = gt_tval_write,
1399 { .name = "CNTV_TVAL_EL0", .state = ARM_CP_STATE_AA64,
1400 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 0,
1401 .type = ARM_CP_NO_RAW | ARM_CP_IO, .access = PL1_RW | PL0_R,
1402 .accessfn = gt_vtimer_access,
1403 .readfn = gt_tval_read, .writefn = gt_tval_write,
1405 /* The counter itself */
1406 { .name = "CNTPCT", .cp = 15, .crm = 14, .opc1 = 0,
1407 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1408 .accessfn = gt_pct_access,
1409 .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
1411 { .name = "CNTPCT_EL0", .state = ARM_CP_STATE_AA64,
1412 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 1,
1413 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1414 .accessfn = gt_pct_access,
1415 .readfn = gt_cnt_read, .resetfn = gt_cnt_reset,
1417 { .name = "CNTVCT", .cp = 15, .crm = 14, .opc1 = 1,
1418 .access = PL0_R, .type = ARM_CP_64BIT | ARM_CP_NO_RAW | ARM_CP_IO,
1419 .accessfn = gt_vct_access,
1420 .readfn = gt_cnt_read, .resetfn = arm_cp_reset_ignore,
1422 { .name = "CNTVCT_EL0", .state = ARM_CP_STATE_AA64,
1423 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 0, .opc2 = 2,
1424 .access = PL0_R, .type = ARM_CP_NO_RAW | ARM_CP_IO,
1425 .accessfn = gt_vct_access,
1426 .readfn = gt_cnt_read, .resetfn = gt_cnt_reset,
1428 /* Comparison value, indicating when the timer goes off */
1429 { .name = "CNTP_CVAL", .cp = 15, .crm = 14, .opc1 = 2,
1430 .access = PL1_RW | PL0_R,
1431 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1432 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1433 .accessfn = gt_ptimer_access, .resetfn = arm_cp_reset_ignore,
1434 .writefn = gt_cval_write, .raw_writefn = raw_write,
1436 { .name = "CNTP_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1437 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 2, .opc2 = 2,
1438 .access = PL1_RW | PL0_R,
1440 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_PHYS].cval),
1441 .resetvalue = 0, .accessfn = gt_ptimer_access,
1442 .writefn = gt_cval_write, .raw_writefn = raw_write,
1444 { .name = "CNTV_CVAL", .cp = 15, .crm = 14, .opc1 = 3,
1445 .access = PL1_RW | PL0_R,
1446 .type = ARM_CP_64BIT | ARM_CP_IO | ARM_CP_ALIAS,
1447 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1448 .accessfn = gt_vtimer_access, .resetfn = arm_cp_reset_ignore,
1449 .writefn = gt_cval_write, .raw_writefn = raw_write,
1451 { .name = "CNTV_CVAL_EL0", .state = ARM_CP_STATE_AA64,
1452 .opc0 = 3, .opc1 = 3, .crn = 14, .crm = 3, .opc2 = 2,
1453 .access = PL1_RW | PL0_R,
1455 .fieldoffset = offsetof(CPUARMState, cp15.c14_timer[GTIMER_VIRT].cval),
1456 .resetvalue = 0, .accessfn = gt_vtimer_access,
1457 .writefn = gt_cval_write, .raw_writefn = raw_write,
1463 /* In user-mode none of the generic timer registers are accessible,
1464 * and their implementation depends on QEMU_CLOCK_VIRTUAL and qdev gpio outputs,
1465 * so instead just don't register any of them.
1467 static const ARMCPRegInfo generic_timer_cp_reginfo[] = {
1473 static void par_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
1475 if (arm_feature(env, ARM_FEATURE_LPAE)) {
1476 raw_write(env, ri, value);
1477 } else if (arm_feature(env, ARM_FEATURE_V7)) {
1478 raw_write(env, ri, value & 0xfffff6ff);
1480 raw_write(env, ri, value & 0xfffff1ff);
1484 #ifndef CONFIG_USER_ONLY
1485 /* get_phys_addr() isn't present for user-mode-only targets */
1487 static CPAccessResult ats_access(CPUARMState *env, const ARMCPRegInfo *ri)
1490 /* Other states are only available with TrustZone; in
1491 * a non-TZ implementation these registers don't exist
1492 * at all, which is an Uncategorized trap. This underdecoding
1493 * is safe because the reginfo is NO_RAW.
1495 return CP_ACCESS_TRAP_UNCATEGORIZED;
1497 return CP_ACCESS_OK;
1500 static uint64_t do_ats_write(CPUARMState *env, uint64_t value,
1501 int access_type, ARMMMUIdx mmu_idx)
1504 target_ulong page_size;
1508 MemTxAttrs attrs = {};
1510 ret = get_phys_addr(env, value, access_type, mmu_idx,
1511 &phys_addr, &attrs, &prot, &page_size);
1512 if (extended_addresses_enabled(env)) {
1513 /* ret is a DFSR/IFSR value for the long descriptor
1514 * translation table format, but with WnR always clear.
1515 * Convert it to a 64-bit PAR.
1517 par64 = (1 << 11); /* LPAE bit always set */
1519 par64 |= phys_addr & ~0xfffULL;
1520 if (!attrs.secure) {
1521 par64 |= (1 << 9); /* NS */
1523 /* We don't set the ATTR or SH fields in the PAR. */
1526 par64 |= (ret & 0x3f) << 1; /* FS */
1527 /* Note that S2WLK and FSTAGE are always zero, because we don't
1528 * implement virtualization and therefore there can't be a stage 2
1533 /* ret is a DFSR/IFSR value for the short descriptor
1534 * translation table format (with WnR always clear).
1535 * Convert it to a 32-bit PAR.
1538 /* We do not set any attribute bits in the PAR */
1539 if (page_size == (1 << 24)
1540 && arm_feature(env, ARM_FEATURE_V7)) {
1541 par64 = (phys_addr & 0xff000000) | (1 << 1);
1543 par64 = phys_addr & 0xfffff000;
1545 if (!attrs.secure) {
1546 par64 |= (1 << 9); /* NS */
1549 par64 = ((ret & (1 << 10)) >> 5) | ((ret & (1 << 12)) >> 6) |
1550 ((ret & 0xf) << 1) | 1;
1556 static void ats_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
1558 int access_type = ri->opc2 & 1;
1561 int el = arm_current_el(env);
1562 bool secure = arm_is_secure_below_el3(env);
1564 switch (ri->opc2 & 6) {
1566 /* stage 1 current state PL1: ATS1CPR, ATS1CPW */
1569 mmu_idx = ARMMMUIdx_S1E3;
1572 mmu_idx = ARMMMUIdx_S1NSE1;
1575 mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S1NSE1;
1578 g_assert_not_reached();
1582 /* stage 1 current state PL0: ATS1CUR, ATS1CUW */
1585 mmu_idx = ARMMMUIdx_S1SE0;
1588 mmu_idx = ARMMMUIdx_S1NSE0;
1591 mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
1594 g_assert_not_reached();
1598 /* stage 1+2 NonSecure PL1: ATS12NSOPR, ATS12NSOPW */
1599 mmu_idx = ARMMMUIdx_S12NSE1;
1602 /* stage 1+2 NonSecure PL0: ATS12NSOUR, ATS12NSOUW */
1603 mmu_idx = ARMMMUIdx_S12NSE0;
1606 g_assert_not_reached();
1609 par64 = do_ats_write(env, value, access_type, mmu_idx);
1611 A32_BANKED_CURRENT_REG_SET(env, par, par64);
1614 static void ats_write64(CPUARMState *env, const ARMCPRegInfo *ri,
1617 int access_type = ri->opc2 & 1;
1619 int secure = arm_is_secure_below_el3(env);
1621 switch (ri->opc2 & 6) {
1624 case 0: /* AT S1E1R, AT S1E1W */
1625 mmu_idx = secure ? ARMMMUIdx_S1SE1 : ARMMMUIdx_S1NSE1;
1627 case 4: /* AT S1E2R, AT S1E2W */
1628 mmu_idx = ARMMMUIdx_S1E2;
1630 case 6: /* AT S1E3R, AT S1E3W */
1631 mmu_idx = ARMMMUIdx_S1E3;
1634 g_assert_not_reached();
1637 case 2: /* AT S1E0R, AT S1E0W */
1638 mmu_idx = secure ? ARMMMUIdx_S1SE0 : ARMMMUIdx_S1NSE0;
1640 case 4: /* AT S12E1R, AT S12E1W */
1641 mmu_idx = ARMMMUIdx_S12NSE1;
1643 case 6: /* AT S12E0R, AT S12E0W */
1644 mmu_idx = ARMMMUIdx_S12NSE0;
1647 g_assert_not_reached();
1650 env->cp15.par_el[1] = do_ats_write(env, value, access_type, mmu_idx);
1654 static const ARMCPRegInfo vapa_cp_reginfo[] = {
1655 { .name = "PAR", .cp = 15, .crn = 7, .crm = 4, .opc1 = 0, .opc2 = 0,
1656 .access = PL1_RW, .resetvalue = 0,
1657 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.par_s),
1658 offsetoflow32(CPUARMState, cp15.par_ns) },
1659 .writefn = par_write },
1660 #ifndef CONFIG_USER_ONLY
1661 { .name = "ATS", .cp = 15, .crn = 7, .crm = 8, .opc1 = 0, .opc2 = CP_ANY,
1662 .access = PL1_W, .accessfn = ats_access,
1663 .writefn = ats_write, .type = ARM_CP_NO_RAW },
1668 /* Return basic MPU access permission bits. */
1669 static uint32_t simple_mpu_ap_bits(uint32_t val)
1676 for (i = 0; i < 16; i += 2) {
1677 ret |= (val >> i) & mask;
1683 /* Pad basic MPU access permission bits to extended format. */
1684 static uint32_t extended_mpu_ap_bits(uint32_t val)
1691 for (i = 0; i < 16; i += 2) {
1692 ret |= (val & mask) << i;
1698 static void pmsav5_data_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
1701 env->cp15.pmsav5_data_ap = extended_mpu_ap_bits(value);
1704 static uint64_t pmsav5_data_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
1706 return simple_mpu_ap_bits(env->cp15.pmsav5_data_ap);
1709 static void pmsav5_insn_ap_write(CPUARMState *env, const ARMCPRegInfo *ri,
1712 env->cp15.pmsav5_insn_ap = extended_mpu_ap_bits(value);
1715 static uint64_t pmsav5_insn_ap_read(CPUARMState *env, const ARMCPRegInfo *ri)
1717 return simple_mpu_ap_bits(env->cp15.pmsav5_insn_ap);
1720 static const ARMCPRegInfo pmsav5_cp_reginfo[] = {
1721 { .name = "DATA_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
1722 .access = PL1_RW, .type = ARM_CP_ALIAS,
1723 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
1725 .readfn = pmsav5_data_ap_read, .writefn = pmsav5_data_ap_write, },
1726 { .name = "INSN_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
1727 .access = PL1_RW, .type = ARM_CP_ALIAS,
1728 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
1730 .readfn = pmsav5_insn_ap_read, .writefn = pmsav5_insn_ap_write, },
1731 { .name = "DATA_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 2,
1733 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_data_ap),
1735 { .name = "INSN_EXT_AP", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 3,
1737 .fieldoffset = offsetof(CPUARMState, cp15.pmsav5_insn_ap),
1739 { .name = "DCACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
1741 .fieldoffset = offsetof(CPUARMState, cp15.c2_data), .resetvalue = 0, },
1742 { .name = "ICACHE_CFG", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 1,
1744 .fieldoffset = offsetof(CPUARMState, cp15.c2_insn), .resetvalue = 0, },
1745 /* Protection region base and size registers */
1746 { .name = "946_PRBS0", .cp = 15, .crn = 6, .crm = 0, .opc1 = 0,
1747 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1748 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[0]) },
1749 { .name = "946_PRBS1", .cp = 15, .crn = 6, .crm = 1, .opc1 = 0,
1750 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1751 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[1]) },
1752 { .name = "946_PRBS2", .cp = 15, .crn = 6, .crm = 2, .opc1 = 0,
1753 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1754 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[2]) },
1755 { .name = "946_PRBS3", .cp = 15, .crn = 6, .crm = 3, .opc1 = 0,
1756 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1757 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[3]) },
1758 { .name = "946_PRBS4", .cp = 15, .crn = 6, .crm = 4, .opc1 = 0,
1759 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1760 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[4]) },
1761 { .name = "946_PRBS5", .cp = 15, .crn = 6, .crm = 5, .opc1 = 0,
1762 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1763 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[5]) },
1764 { .name = "946_PRBS6", .cp = 15, .crn = 6, .crm = 6, .opc1 = 0,
1765 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1766 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[6]) },
1767 { .name = "946_PRBS7", .cp = 15, .crn = 6, .crm = 7, .opc1 = 0,
1768 .opc2 = CP_ANY, .access = PL1_RW, .resetvalue = 0,
1769 .fieldoffset = offsetof(CPUARMState, cp15.c6_region[7]) },
1773 static void vmsa_ttbcr_raw_write(CPUARMState *env, const ARMCPRegInfo *ri,
1776 TCR *tcr = raw_ptr(env, ri);
1777 int maskshift = extract32(value, 0, 3);
1779 if (!arm_feature(env, ARM_FEATURE_V8)) {
1780 if (arm_feature(env, ARM_FEATURE_LPAE) && (value & TTBCR_EAE)) {
1781 /* Pre ARMv8 bits [21:19], [15:14] and [6:3] are UNK/SBZP when
1782 * using Long-desciptor translation table format */
1783 value &= ~((7 << 19) | (3 << 14) | (0xf << 3));
1784 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
1785 /* In an implementation that includes the Security Extensions
1786 * TTBCR has additional fields PD0 [4] and PD1 [5] for
1787 * Short-descriptor translation table format.
1789 value &= TTBCR_PD1 | TTBCR_PD0 | TTBCR_N;
1795 /* Update the masks corresponding to the the TCR bank being written
1796 * Note that we always calculate mask and base_mask, but
1797 * they are only used for short-descriptor tables (ie if EAE is 0);
1798 * for long-descriptor tables the TCR fields are used differently
1799 * and the mask and base_mask values are meaningless.
1801 tcr->raw_tcr = value;
1802 tcr->mask = ~(((uint32_t)0xffffffffu) >> maskshift);
1803 tcr->base_mask = ~((uint32_t)0x3fffu >> maskshift);
1806 static void vmsa_ttbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1809 ARMCPU *cpu = arm_env_get_cpu(env);
1811 if (arm_feature(env, ARM_FEATURE_LPAE)) {
1812 /* With LPAE the TTBCR could result in a change of ASID
1813 * via the TTBCR.A1 bit, so do a TLB flush.
1815 tlb_flush(CPU(cpu), 1);
1817 vmsa_ttbcr_raw_write(env, ri, value);
1820 static void vmsa_ttbcr_reset(CPUARMState *env, const ARMCPRegInfo *ri)
1822 TCR *tcr = raw_ptr(env, ri);
1824 /* Reset both the TCR as well as the masks corresponding to the bank of
1825 * the TCR being reset.
1829 tcr->base_mask = 0xffffc000u;
1832 static void vmsa_tcr_el1_write(CPUARMState *env, const ARMCPRegInfo *ri,
1835 ARMCPU *cpu = arm_env_get_cpu(env);
1836 TCR *tcr = raw_ptr(env, ri);
1838 /* For AArch64 the A1 bit could result in a change of ASID, so TLB flush. */
1839 tlb_flush(CPU(cpu), 1);
1840 tcr->raw_tcr = value;
1843 static void vmsa_ttbr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1846 /* 64 bit accesses to the TTBRs can change the ASID and so we
1847 * must flush the TLB.
1849 if (cpreg_field_is_64bit(ri)) {
1850 ARMCPU *cpu = arm_env_get_cpu(env);
1852 tlb_flush(CPU(cpu), 1);
1854 raw_write(env, ri, value);
1857 static const ARMCPRegInfo vmsa_cp_reginfo[] = {
1858 { .name = "DFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 0,
1859 .access = PL1_RW, .type = ARM_CP_ALIAS,
1860 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dfsr_s),
1861 offsetoflow32(CPUARMState, cp15.dfsr_ns) },
1862 .resetfn = arm_cp_reset_ignore, },
1863 { .name = "IFSR", .cp = 15, .crn = 5, .crm = 0, .opc1 = 0, .opc2 = 1,
1864 .access = PL1_RW, .resetvalue = 0,
1865 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.ifsr_s),
1866 offsetoflow32(CPUARMState, cp15.ifsr_ns) } },
1867 { .name = "ESR_EL1", .state = ARM_CP_STATE_AA64,
1868 .opc0 = 3, .crn = 5, .crm = 2, .opc1 = 0, .opc2 = 0,
1870 .fieldoffset = offsetof(CPUARMState, cp15.esr_el[1]), .resetvalue = 0, },
1871 { .name = "TTBR0_EL1", .state = ARM_CP_STATE_BOTH,
1872 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 0,
1873 .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
1874 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
1875 offsetof(CPUARMState, cp15.ttbr0_ns) } },
1876 { .name = "TTBR1_EL1", .state = ARM_CP_STATE_BOTH,
1877 .opc0 = 3, .opc1 = 0, .crn = 2, .crm = 0, .opc2 = 1,
1878 .access = PL1_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
1879 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
1880 offsetof(CPUARMState, cp15.ttbr1_ns) } },
1881 { .name = "TCR_EL1", .state = ARM_CP_STATE_AA64,
1882 .opc0 = 3, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
1883 .access = PL1_RW, .writefn = vmsa_tcr_el1_write,
1884 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
1885 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[1]) },
1886 { .name = "TTBCR", .cp = 15, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 2,
1887 .access = PL1_RW, .type = ARM_CP_ALIAS, .writefn = vmsa_ttbcr_write,
1888 .resetfn = arm_cp_reset_ignore, .raw_writefn = vmsa_ttbcr_raw_write,
1889 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.tcr_el[3]),
1890 offsetoflow32(CPUARMState, cp15.tcr_el[1])} },
1891 { .name = "FAR_EL1", .state = ARM_CP_STATE_AA64,
1892 .opc0 = 3, .crn = 6, .crm = 0, .opc1 = 0, .opc2 = 0,
1893 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[1]),
1895 { .name = "DFAR", .cp = 15, .opc1 = 0, .crn = 6, .crm = 0, .opc2 = 0,
1896 .access = PL1_RW, .resetvalue = 0,
1897 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.dfar_s),
1898 offsetof(CPUARMState, cp15.dfar_ns) } },
1902 static void omap_ticonfig_write(CPUARMState *env, const ARMCPRegInfo *ri,
1905 env->cp15.c15_ticonfig = value & 0xe7;
1906 /* The OS_TYPE bit in this register changes the reported CPUID! */
1907 env->cp15.c0_cpuid = (value & (1 << 5)) ?
1908 ARM_CPUID_TI915T : ARM_CPUID_TI925T;
1911 static void omap_threadid_write(CPUARMState *env, const ARMCPRegInfo *ri,
1914 env->cp15.c15_threadid = value & 0xffff;
1917 static void omap_wfi_write(CPUARMState *env, const ARMCPRegInfo *ri,
1920 /* Wait-for-interrupt (deprecated) */
1921 cpu_interrupt(CPU(arm_env_get_cpu(env)), CPU_INTERRUPT_HALT);
1924 static void omap_cachemaint_write(CPUARMState *env, const ARMCPRegInfo *ri,
1927 /* On OMAP there are registers indicating the max/min index of dcache lines
1928 * containing a dirty line; cache flush operations have to reset these.
1930 env->cp15.c15_i_max = 0x000;
1931 env->cp15.c15_i_min = 0xff0;
1934 static const ARMCPRegInfo omap_cp_reginfo[] = {
1935 { .name = "DFSR", .cp = 15, .crn = 5, .crm = CP_ANY,
1936 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW, .type = ARM_CP_OVERRIDE,
1937 .fieldoffset = offsetoflow32(CPUARMState, cp15.esr_el[1]),
1939 { .name = "", .cp = 15, .crn = 15, .crm = 0, .opc1 = 0, .opc2 = 0,
1940 .access = PL1_RW, .type = ARM_CP_NOP },
1941 { .name = "TICONFIG", .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0,
1943 .fieldoffset = offsetof(CPUARMState, cp15.c15_ticonfig), .resetvalue = 0,
1944 .writefn = omap_ticonfig_write },
1945 { .name = "IMAX", .cp = 15, .crn = 15, .crm = 2, .opc1 = 0, .opc2 = 0,
1947 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_max), .resetvalue = 0, },
1948 { .name = "IMIN", .cp = 15, .crn = 15, .crm = 3, .opc1 = 0, .opc2 = 0,
1949 .access = PL1_RW, .resetvalue = 0xff0,
1950 .fieldoffset = offsetof(CPUARMState, cp15.c15_i_min) },
1951 { .name = "THREADID", .cp = 15, .crn = 15, .crm = 4, .opc1 = 0, .opc2 = 0,
1953 .fieldoffset = offsetof(CPUARMState, cp15.c15_threadid), .resetvalue = 0,
1954 .writefn = omap_threadid_write },
1955 { .name = "TI925T_STATUS", .cp = 15, .crn = 15,
1956 .crm = 8, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
1957 .type = ARM_CP_NO_RAW,
1958 .readfn = arm_cp_read_zero, .writefn = omap_wfi_write, },
1959 /* TODO: Peripheral port remap register:
1960 * On OMAP2 mcr p15, 0, rn, c15, c2, 4 sets up the interrupt controller
1961 * base address at $rn & ~0xfff and map size of 0x200 << ($rn & 0xfff),
1964 { .name = "OMAP_CACHEMAINT", .cp = 15, .crn = 7, .crm = CP_ANY,
1965 .opc1 = 0, .opc2 = CP_ANY, .access = PL1_W,
1966 .type = ARM_CP_OVERRIDE | ARM_CP_NO_RAW,
1967 .writefn = omap_cachemaint_write },
1968 { .name = "C9", .cp = 15, .crn = 9,
1969 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_RW,
1970 .type = ARM_CP_CONST | ARM_CP_OVERRIDE, .resetvalue = 0 },
1974 static void xscale_cpar_write(CPUARMState *env, const ARMCPRegInfo *ri,
1977 env->cp15.c15_cpar = value & 0x3fff;
1980 static const ARMCPRegInfo xscale_cp_reginfo[] = {
1981 { .name = "XSCALE_CPAR",
1982 .cp = 15, .crn = 15, .crm = 1, .opc1 = 0, .opc2 = 0, .access = PL1_RW,
1983 .fieldoffset = offsetof(CPUARMState, cp15.c15_cpar), .resetvalue = 0,
1984 .writefn = xscale_cpar_write, },
1985 { .name = "XSCALE_AUXCR",
1986 .cp = 15, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 1, .access = PL1_RW,
1987 .fieldoffset = offsetof(CPUARMState, cp15.c1_xscaleauxcr),
1989 /* XScale specific cache-lockdown: since we have no cache we NOP these
1990 * and hope the guest does not really rely on cache behaviour.
1992 { .name = "XSCALE_LOCK_ICACHE_LINE",
1993 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 0,
1994 .access = PL1_W, .type = ARM_CP_NOP },
1995 { .name = "XSCALE_UNLOCK_ICACHE",
1996 .cp = 15, .opc1 = 0, .crn = 9, .crm = 1, .opc2 = 1,
1997 .access = PL1_W, .type = ARM_CP_NOP },
1998 { .name = "XSCALE_DCACHE_LOCK",
1999 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 0,
2000 .access = PL1_RW, .type = ARM_CP_NOP },
2001 { .name = "XSCALE_UNLOCK_DCACHE",
2002 .cp = 15, .opc1 = 0, .crn = 9, .crm = 2, .opc2 = 1,
2003 .access = PL1_W, .type = ARM_CP_NOP },
2007 static const ARMCPRegInfo dummy_c15_cp_reginfo[] = {
2008 /* RAZ/WI the whole crn=15 space, when we don't have a more specific
2009 * implementation of this implementation-defined space.
2010 * Ideally this should eventually disappear in favour of actually
2011 * implementing the correct behaviour for all cores.
2013 { .name = "C15_IMPDEF", .cp = 15, .crn = 15,
2014 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
2016 .type = ARM_CP_CONST | ARM_CP_NO_RAW | ARM_CP_OVERRIDE,
2021 static const ARMCPRegInfo cache_dirty_status_cp_reginfo[] = {
2022 /* Cache status: RAZ because we have no cache so it's always clean */
2023 { .name = "CDSR", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 6,
2024 .access = PL1_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2029 static const ARMCPRegInfo cache_block_ops_cp_reginfo[] = {
2030 /* We never have a a block transfer operation in progress */
2031 { .name = "BXSR", .cp = 15, .crn = 7, .crm = 12, .opc1 = 0, .opc2 = 4,
2032 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2034 /* The cache ops themselves: these all NOP for QEMU */
2035 { .name = "IICR", .cp = 15, .crm = 5, .opc1 = 0,
2036 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2037 { .name = "IDCR", .cp = 15, .crm = 6, .opc1 = 0,
2038 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2039 { .name = "CDCR", .cp = 15, .crm = 12, .opc1 = 0,
2040 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2041 { .name = "PIR", .cp = 15, .crm = 12, .opc1 = 1,
2042 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2043 { .name = "PDR", .cp = 15, .crm = 12, .opc1 = 2,
2044 .access = PL0_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2045 { .name = "CIDCR", .cp = 15, .crm = 14, .opc1 = 0,
2046 .access = PL1_W, .type = ARM_CP_NOP|ARM_CP_64BIT },
2050 static const ARMCPRegInfo cache_test_clean_cp_reginfo[] = {
2051 /* The cache test-and-clean instructions always return (1 << 30)
2052 * to indicate that there are no dirty cache lines.
2054 { .name = "TC_DCACHE", .cp = 15, .crn = 7, .crm = 10, .opc1 = 0, .opc2 = 3,
2055 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2056 .resetvalue = (1 << 30) },
2057 { .name = "TCI_DCACHE", .cp = 15, .crn = 7, .crm = 14, .opc1 = 0, .opc2 = 3,
2058 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_NO_RAW,
2059 .resetvalue = (1 << 30) },
2063 static const ARMCPRegInfo strongarm_cp_reginfo[] = {
2064 /* Ignore ReadBuffer accesses */
2065 { .name = "C9_READBUFFER", .cp = 15, .crn = 9,
2066 .crm = CP_ANY, .opc1 = CP_ANY, .opc2 = CP_ANY,
2067 .access = PL1_RW, .resetvalue = 0,
2068 .type = ARM_CP_CONST | ARM_CP_OVERRIDE | ARM_CP_NO_RAW },
2072 static uint64_t mpidr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2074 CPUState *cs = CPU(arm_env_get_cpu(env));
2075 uint32_t mpidr = cs->cpu_index;
2076 /* We don't support setting cluster ID ([8..11]) (known as Aff1
2077 * in later ARM ARM versions), or any of the higher affinity level fields,
2078 * so these bits always RAZ.
2080 if (arm_feature(env, ARM_FEATURE_V7MP)) {
2081 mpidr |= (1U << 31);
2082 /* Cores which are uniprocessor (non-coherent)
2083 * but still implement the MP extensions set
2084 * bit 30. (For instance, A9UP.) However we do
2085 * not currently model any of those cores.
2091 static const ARMCPRegInfo mpidr_cp_reginfo[] = {
2092 { .name = "MPIDR", .state = ARM_CP_STATE_BOTH,
2093 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 5,
2094 .access = PL1_R, .readfn = mpidr_read, .type = ARM_CP_NO_RAW },
2098 static const ARMCPRegInfo lpae_cp_reginfo[] = {
2100 { .name = "AMAIR0", .state = ARM_CP_STATE_BOTH,
2101 .opc0 = 3, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 0,
2102 .access = PL1_RW, .type = ARM_CP_CONST,
2104 /* AMAIR1 is mapped to AMAIR_EL1[63:32] */
2105 { .name = "AMAIR1", .cp = 15, .crn = 10, .crm = 3, .opc1 = 0, .opc2 = 1,
2106 .access = PL1_RW, .type = ARM_CP_CONST,
2108 { .name = "PAR", .cp = 15, .crm = 7, .opc1 = 0,
2109 .access = PL1_RW, .type = ARM_CP_64BIT, .resetvalue = 0,
2110 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.par_s),
2111 offsetof(CPUARMState, cp15.par_ns)} },
2112 { .name = "TTBR0", .cp = 15, .crm = 2, .opc1 = 0,
2113 .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
2114 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr0_s),
2115 offsetof(CPUARMState, cp15.ttbr0_ns) },
2116 .writefn = vmsa_ttbr_write, .resetfn = arm_cp_reset_ignore },
2117 { .name = "TTBR1", .cp = 15, .crm = 2, .opc1 = 1,
2118 .access = PL1_RW, .type = ARM_CP_64BIT | ARM_CP_ALIAS,
2119 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.ttbr1_s),
2120 offsetof(CPUARMState, cp15.ttbr1_ns) },
2121 .writefn = vmsa_ttbr_write, .resetfn = arm_cp_reset_ignore },
2125 static uint64_t aa64_fpcr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2127 return vfp_get_fpcr(env);
2130 static void aa64_fpcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2133 vfp_set_fpcr(env, value);
2136 static uint64_t aa64_fpsr_read(CPUARMState *env, const ARMCPRegInfo *ri)
2138 return vfp_get_fpsr(env);
2141 static void aa64_fpsr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2144 vfp_set_fpsr(env, value);
2147 static CPAccessResult aa64_daif_access(CPUARMState *env, const ARMCPRegInfo *ri)
2149 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UMA)) {
2150 return CP_ACCESS_TRAP;
2152 return CP_ACCESS_OK;
2155 static void aa64_daif_write(CPUARMState *env, const ARMCPRegInfo *ri,
2158 env->daif = value & PSTATE_DAIF;
2161 static CPAccessResult aa64_cacheop_access(CPUARMState *env,
2162 const ARMCPRegInfo *ri)
2164 /* Cache invalidate/clean: NOP, but EL0 must UNDEF unless
2165 * SCTLR_EL1.UCI is set.
2167 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UCI)) {
2168 return CP_ACCESS_TRAP;
2170 return CP_ACCESS_OK;
2173 /* See: D4.7.2 TLB maintenance requirements and the TLB maintenance instructions
2174 * Page D4-1736 (DDI0487A.b)
2177 static void tlbi_aa64_va_write(CPUARMState *env, const ARMCPRegInfo *ri,
2180 /* Invalidate by VA (AArch64 version) */
2181 ARMCPU *cpu = arm_env_get_cpu(env);
2182 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2184 tlb_flush_page(CPU(cpu), pageaddr);
2187 static void tlbi_aa64_vaa_write(CPUARMState *env, const ARMCPRegInfo *ri,
2190 /* Invalidate by VA, all ASIDs (AArch64 version) */
2191 ARMCPU *cpu = arm_env_get_cpu(env);
2192 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2194 tlb_flush_page(CPU(cpu), pageaddr);
2197 static void tlbi_aa64_asid_write(CPUARMState *env, const ARMCPRegInfo *ri,
2200 /* Invalidate by ASID (AArch64 version) */
2201 ARMCPU *cpu = arm_env_get_cpu(env);
2202 int asid = extract64(value, 48, 16);
2203 tlb_flush(CPU(cpu), asid == 0);
2206 static void tlbi_aa64_va_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2210 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2212 CPU_FOREACH(other_cs) {
2213 tlb_flush_page(other_cs, pageaddr);
2217 static void tlbi_aa64_vaa_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2221 uint64_t pageaddr = sextract64(value << 12, 0, 56);
2223 CPU_FOREACH(other_cs) {
2224 tlb_flush_page(other_cs, pageaddr);
2228 static void tlbi_aa64_asid_is_write(CPUARMState *env, const ARMCPRegInfo *ri,
2232 int asid = extract64(value, 48, 16);
2234 CPU_FOREACH(other_cs) {
2235 tlb_flush(other_cs, asid == 0);
2239 static CPAccessResult aa64_zva_access(CPUARMState *env, const ARMCPRegInfo *ri)
2241 /* We don't implement EL2, so the only control on DC ZVA is the
2242 * bit in the SCTLR which can prohibit access for EL0.
2244 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_DZE)) {
2245 return CP_ACCESS_TRAP;
2247 return CP_ACCESS_OK;
2250 static uint64_t aa64_dczid_read(CPUARMState *env, const ARMCPRegInfo *ri)
2252 ARMCPU *cpu = arm_env_get_cpu(env);
2253 int dzp_bit = 1 << 4;
2255 /* DZP indicates whether DC ZVA access is allowed */
2256 if (aa64_zva_access(env, NULL) == CP_ACCESS_OK) {
2259 return cpu->dcz_blocksize | dzp_bit;
2262 static CPAccessResult sp_el0_access(CPUARMState *env, const ARMCPRegInfo *ri)
2264 if (!(env->pstate & PSTATE_SP)) {
2265 /* Access to SP_EL0 is undefined if it's being used as
2266 * the stack pointer.
2268 return CP_ACCESS_TRAP_UNCATEGORIZED;
2270 return CP_ACCESS_OK;
2273 static uint64_t spsel_read(CPUARMState *env, const ARMCPRegInfo *ri)
2275 return env->pstate & PSTATE_SP;
2278 static void spsel_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t val)
2280 update_spsel(env, val);
2283 static void sctlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2286 ARMCPU *cpu = arm_env_get_cpu(env);
2288 if (raw_read(env, ri) == value) {
2289 /* Skip the TLB flush if nothing actually changed; Linux likes
2290 * to do a lot of pointless SCTLR writes.
2295 raw_write(env, ri, value);
2296 /* ??? Lots of these bits are not implemented. */
2297 /* This may enable/disable the MMU, so do a TLB flush. */
2298 tlb_flush(CPU(cpu), 1);
2301 static const ARMCPRegInfo v8_cp_reginfo[] = {
2302 /* Minimal set of EL0-visible registers. This will need to be expanded
2303 * significantly for system emulation of AArch64 CPUs.
2305 { .name = "NZCV", .state = ARM_CP_STATE_AA64,
2306 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 2,
2307 .access = PL0_RW, .type = ARM_CP_NZCV },
2308 { .name = "DAIF", .state = ARM_CP_STATE_AA64,
2309 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 2,
2310 .type = ARM_CP_NO_RAW,
2311 .access = PL0_RW, .accessfn = aa64_daif_access,
2312 .fieldoffset = offsetof(CPUARMState, daif),
2313 .writefn = aa64_daif_write, .resetfn = arm_cp_reset_ignore },
2314 { .name = "FPCR", .state = ARM_CP_STATE_AA64,
2315 .opc0 = 3, .opc1 = 3, .opc2 = 0, .crn = 4, .crm = 4,
2316 .access = PL0_RW, .readfn = aa64_fpcr_read, .writefn = aa64_fpcr_write },
2317 { .name = "FPSR", .state = ARM_CP_STATE_AA64,
2318 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 4, .crm = 4,
2319 .access = PL0_RW, .readfn = aa64_fpsr_read, .writefn = aa64_fpsr_write },
2320 { .name = "DCZID_EL0", .state = ARM_CP_STATE_AA64,
2321 .opc0 = 3, .opc1 = 3, .opc2 = 7, .crn = 0, .crm = 0,
2322 .access = PL0_R, .type = ARM_CP_NO_RAW,
2323 .readfn = aa64_dczid_read },
2324 { .name = "DC_ZVA", .state = ARM_CP_STATE_AA64,
2325 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 4, .opc2 = 1,
2326 .access = PL0_W, .type = ARM_CP_DC_ZVA,
2327 #ifndef CONFIG_USER_ONLY
2328 /* Avoid overhead of an access check that always passes in user-mode */
2329 .accessfn = aa64_zva_access,
2332 { .name = "CURRENTEL", .state = ARM_CP_STATE_AA64,
2333 .opc0 = 3, .opc1 = 0, .opc2 = 2, .crn = 4, .crm = 2,
2334 .access = PL1_R, .type = ARM_CP_CURRENTEL },
2335 /* Cache ops: all NOPs since we don't emulate caches */
2336 { .name = "IC_IALLUIS", .state = ARM_CP_STATE_AA64,
2337 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
2338 .access = PL1_W, .type = ARM_CP_NOP },
2339 { .name = "IC_IALLU", .state = ARM_CP_STATE_AA64,
2340 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
2341 .access = PL1_W, .type = ARM_CP_NOP },
2342 { .name = "IC_IVAU", .state = ARM_CP_STATE_AA64,
2343 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 5, .opc2 = 1,
2344 .access = PL0_W, .type = ARM_CP_NOP,
2345 .accessfn = aa64_cacheop_access },
2346 { .name = "DC_IVAC", .state = ARM_CP_STATE_AA64,
2347 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
2348 .access = PL1_W, .type = ARM_CP_NOP },
2349 { .name = "DC_ISW", .state = ARM_CP_STATE_AA64,
2350 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
2351 .access = PL1_W, .type = ARM_CP_NOP },
2352 { .name = "DC_CVAC", .state = ARM_CP_STATE_AA64,
2353 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 10, .opc2 = 1,
2354 .access = PL0_W, .type = ARM_CP_NOP,
2355 .accessfn = aa64_cacheop_access },
2356 { .name = "DC_CSW", .state = ARM_CP_STATE_AA64,
2357 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
2358 .access = PL1_W, .type = ARM_CP_NOP },
2359 { .name = "DC_CVAU", .state = ARM_CP_STATE_AA64,
2360 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 11, .opc2 = 1,
2361 .access = PL0_W, .type = ARM_CP_NOP,
2362 .accessfn = aa64_cacheop_access },
2363 { .name = "DC_CIVAC", .state = ARM_CP_STATE_AA64,
2364 .opc0 = 1, .opc1 = 3, .crn = 7, .crm = 14, .opc2 = 1,
2365 .access = PL0_W, .type = ARM_CP_NOP,
2366 .accessfn = aa64_cacheop_access },
2367 { .name = "DC_CISW", .state = ARM_CP_STATE_AA64,
2368 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
2369 .access = PL1_W, .type = ARM_CP_NOP },
2370 /* TLBI operations */
2371 { .name = "TLBI_VMALLE1IS", .state = ARM_CP_STATE_AA64,
2372 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 0,
2373 .access = PL1_W, .type = ARM_CP_NO_RAW,
2374 .writefn = tlbiall_is_write },
2375 { .name = "TLBI_VAE1IS", .state = ARM_CP_STATE_AA64,
2376 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 1,
2377 .access = PL1_W, .type = ARM_CP_NO_RAW,
2378 .writefn = tlbi_aa64_va_is_write },
2379 { .name = "TLBI_ASIDE1IS", .state = ARM_CP_STATE_AA64,
2380 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 2,
2381 .access = PL1_W, .type = ARM_CP_NO_RAW,
2382 .writefn = tlbi_aa64_asid_is_write },
2383 { .name = "TLBI_VAAE1IS", .state = ARM_CP_STATE_AA64,
2384 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 3,
2385 .access = PL1_W, .type = ARM_CP_NO_RAW,
2386 .writefn = tlbi_aa64_vaa_is_write },
2387 { .name = "TLBI_VALE1IS", .state = ARM_CP_STATE_AA64,
2388 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
2389 .access = PL1_W, .type = ARM_CP_NO_RAW,
2390 .writefn = tlbi_aa64_va_is_write },
2391 { .name = "TLBI_VAALE1IS", .state = ARM_CP_STATE_AA64,
2392 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
2393 .access = PL1_W, .type = ARM_CP_NO_RAW,
2394 .writefn = tlbi_aa64_vaa_is_write },
2395 { .name = "TLBI_VMALLE1", .state = ARM_CP_STATE_AA64,
2396 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 0,
2397 .access = PL1_W, .type = ARM_CP_NO_RAW,
2398 .writefn = tlbiall_write },
2399 { .name = "TLBI_VAE1", .state = ARM_CP_STATE_AA64,
2400 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 1,
2401 .access = PL1_W, .type = ARM_CP_NO_RAW,
2402 .writefn = tlbi_aa64_va_write },
2403 { .name = "TLBI_ASIDE1", .state = ARM_CP_STATE_AA64,
2404 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 2,
2405 .access = PL1_W, .type = ARM_CP_NO_RAW,
2406 .writefn = tlbi_aa64_asid_write },
2407 { .name = "TLBI_VAAE1", .state = ARM_CP_STATE_AA64,
2408 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 3,
2409 .access = PL1_W, .type = ARM_CP_NO_RAW,
2410 .writefn = tlbi_aa64_vaa_write },
2411 { .name = "TLBI_VALE1", .state = ARM_CP_STATE_AA64,
2412 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
2413 .access = PL1_W, .type = ARM_CP_NO_RAW,
2414 .writefn = tlbi_aa64_va_write },
2415 { .name = "TLBI_VAALE1", .state = ARM_CP_STATE_AA64,
2416 .opc0 = 1, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
2417 .access = PL1_W, .type = ARM_CP_NO_RAW,
2418 .writefn = tlbi_aa64_vaa_write },
2419 #ifndef CONFIG_USER_ONLY
2420 /* 64 bit address translation operations */
2421 { .name = "AT_S1E1R", .state = ARM_CP_STATE_AA64,
2422 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 0,
2423 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
2424 { .name = "AT_S1E1W", .state = ARM_CP_STATE_AA64,
2425 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 1,
2426 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
2427 { .name = "AT_S1E0R", .state = ARM_CP_STATE_AA64,
2428 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 2,
2429 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
2430 { .name = "AT_S1E0W", .state = ARM_CP_STATE_AA64,
2431 .opc0 = 1, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 3,
2432 .access = PL1_W, .type = ARM_CP_NO_RAW, .writefn = ats_write64 },
2434 /* TLB invalidate last level of translation table walk */
2435 { .name = "TLBIMVALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 5,
2436 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_is_write },
2437 { .name = "TLBIMVAALIS", .cp = 15, .opc1 = 0, .crn = 8, .crm = 3, .opc2 = 7,
2438 .type = ARM_CP_NO_RAW, .access = PL1_W,
2439 .writefn = tlbimvaa_is_write },
2440 { .name = "TLBIMVAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 5,
2441 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimva_write },
2442 { .name = "TLBIMVAAL", .cp = 15, .opc1 = 0, .crn = 8, .crm = 7, .opc2 = 7,
2443 .type = ARM_CP_NO_RAW, .access = PL1_W, .writefn = tlbimvaa_write },
2444 /* 32 bit cache operations */
2445 { .name = "ICIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 0,
2446 .type = ARM_CP_NOP, .access = PL1_W },
2447 { .name = "BPIALLUIS", .cp = 15, .opc1 = 0, .crn = 7, .crm = 1, .opc2 = 6,
2448 .type = ARM_CP_NOP, .access = PL1_W },
2449 { .name = "ICIALLU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 0,
2450 .type = ARM_CP_NOP, .access = PL1_W },
2451 { .name = "ICIMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 1,
2452 .type = ARM_CP_NOP, .access = PL1_W },
2453 { .name = "BPIALL", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 6,
2454 .type = ARM_CP_NOP, .access = PL1_W },
2455 { .name = "BPIMVA", .cp = 15, .opc1 = 0, .crn = 7, .crm = 5, .opc2 = 7,
2456 .type = ARM_CP_NOP, .access = PL1_W },
2457 { .name = "DCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 1,
2458 .type = ARM_CP_NOP, .access = PL1_W },
2459 { .name = "DCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 6, .opc2 = 2,
2460 .type = ARM_CP_NOP, .access = PL1_W },
2461 { .name = "DCCMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 1,
2462 .type = ARM_CP_NOP, .access = PL1_W },
2463 { .name = "DCCSW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 10, .opc2 = 2,
2464 .type = ARM_CP_NOP, .access = PL1_W },
2465 { .name = "DCCMVAU", .cp = 15, .opc1 = 0, .crn = 7, .crm = 11, .opc2 = 1,
2466 .type = ARM_CP_NOP, .access = PL1_W },
2467 { .name = "DCCIMVAC", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 1,
2468 .type = ARM_CP_NOP, .access = PL1_W },
2469 { .name = "DCCISW", .cp = 15, .opc1 = 0, .crn = 7, .crm = 14, .opc2 = 2,
2470 .type = ARM_CP_NOP, .access = PL1_W },
2471 /* MMU Domain access control / MPU write buffer control */
2472 { .name = "DACR", .cp = 15, .opc1 = 0, .crn = 3, .crm = 0, .opc2 = 0,
2473 .access = PL1_RW, .resetvalue = 0,
2474 .writefn = dacr_write, .raw_writefn = raw_write,
2475 .bank_fieldoffsets = { offsetoflow32(CPUARMState, cp15.dacr_s),
2476 offsetoflow32(CPUARMState, cp15.dacr_ns) } },
2477 { .name = "ELR_EL1", .state = ARM_CP_STATE_AA64,
2478 .type = ARM_CP_ALIAS,
2479 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 1,
2481 .fieldoffset = offsetof(CPUARMState, elr_el[1]) },
2482 { .name = "SPSR_EL1", .state = ARM_CP_STATE_AA64,
2483 .type = ARM_CP_ALIAS,
2484 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 0, .opc2 = 0,
2485 .access = PL1_RW, .fieldoffset = offsetof(CPUARMState, banked_spsr[1]) },
2486 /* We rely on the access checks not allowing the guest to write to the
2487 * state field when SPSel indicates that it's being used as the stack
2490 { .name = "SP_EL0", .state = ARM_CP_STATE_AA64,
2491 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 1, .opc2 = 0,
2492 .access = PL1_RW, .accessfn = sp_el0_access,
2493 .type = ARM_CP_ALIAS,
2494 .fieldoffset = offsetof(CPUARMState, sp_el[0]) },
2495 { .name = "SP_EL1", .state = ARM_CP_STATE_AA64,
2496 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 1, .opc2 = 0,
2497 .access = PL2_RW, .type = ARM_CP_ALIAS,
2498 .fieldoffset = offsetof(CPUARMState, sp_el[1]) },
2499 { .name = "SPSel", .state = ARM_CP_STATE_AA64,
2500 .opc0 = 3, .opc1 = 0, .crn = 4, .crm = 2, .opc2 = 0,
2501 .type = ARM_CP_NO_RAW,
2502 .access = PL1_RW, .readfn = spsel_read, .writefn = spsel_write },
2506 /* Used to describe the behaviour of EL2 regs when EL2 does not exist. */
2507 static const ARMCPRegInfo v8_el3_no_el2_cp_reginfo[] = {
2508 { .name = "VBAR_EL2", .state = ARM_CP_STATE_AA64,
2509 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
2511 .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
2512 { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
2513 .type = ARM_CP_NO_RAW,
2514 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
2516 .readfn = arm_cp_read_zero, .writefn = arm_cp_write_ignore },
2517 { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
2518 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
2519 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
2520 { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
2521 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
2522 .access = PL2_RW, .type = ARM_CP_CONST,
2524 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
2525 .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
2526 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
2527 { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
2528 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
2529 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
2530 { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
2531 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
2532 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
2533 { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
2534 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
2535 .access = PL2_RW, .type = ARM_CP_CONST, .resetvalue = 0 },
2539 static void hcr_write(CPUARMState *env, const ARMCPRegInfo *ri, uint64_t value)
2541 ARMCPU *cpu = arm_env_get_cpu(env);
2542 uint64_t valid_mask = HCR_MASK;
2544 if (arm_feature(env, ARM_FEATURE_EL3)) {
2545 valid_mask &= ~HCR_HCD;
2547 valid_mask &= ~HCR_TSC;
2550 /* Clear RES0 bits. */
2551 value &= valid_mask;
2553 /* These bits change the MMU setup:
2554 * HCR_VM enables stage 2 translation
2555 * HCR_PTW forbids certain page-table setups
2556 * HCR_DC Disables stage1 and enables stage2 translation
2558 if ((raw_read(env, ri) ^ value) & (HCR_VM | HCR_PTW | HCR_DC)) {
2559 tlb_flush(CPU(cpu), 1);
2561 raw_write(env, ri, value);
2564 static const ARMCPRegInfo v8_el2_cp_reginfo[] = {
2565 { .name = "HCR_EL2", .state = ARM_CP_STATE_AA64,
2566 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 0,
2567 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.hcr_el2),
2568 .writefn = hcr_write },
2569 { .name = "DACR32_EL2", .state = ARM_CP_STATE_AA64,
2570 .opc0 = 3, .opc1 = 4, .crn = 3, .crm = 0, .opc2 = 0,
2571 .access = PL2_RW, .resetvalue = 0,
2572 .writefn = dacr_write, .raw_writefn = raw_write,
2573 .fieldoffset = offsetof(CPUARMState, cp15.dacr32_el2) },
2574 { .name = "ELR_EL2", .state = ARM_CP_STATE_AA64,
2575 .type = ARM_CP_ALIAS,
2576 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 1,
2578 .fieldoffset = offsetof(CPUARMState, elr_el[2]) },
2579 { .name = "ESR_EL2", .state = ARM_CP_STATE_AA64,
2580 .type = ARM_CP_ALIAS,
2581 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 2, .opc2 = 0,
2582 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[2]) },
2583 { .name = "IFSR32_EL2", .state = ARM_CP_STATE_AA64,
2584 .opc0 = 3, .opc1 = 4, .crn = 5, .crm = 0, .opc2 = 1,
2585 .access = PL2_RW, .resetvalue = 0,
2586 .fieldoffset = offsetof(CPUARMState, cp15.ifsr32_el2) },
2587 { .name = "FAR_EL2", .state = ARM_CP_STATE_AA64,
2588 .opc0 = 3, .opc1 = 4, .crn = 6, .crm = 0, .opc2 = 0,
2589 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[2]) },
2590 { .name = "SPSR_EL2", .state = ARM_CP_STATE_AA64,
2591 .type = ARM_CP_ALIAS,
2592 .opc0 = 3, .opc1 = 4, .crn = 4, .crm = 0, .opc2 = 0,
2593 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, banked_spsr[6]) },
2594 { .name = "VBAR_EL2", .state = ARM_CP_STATE_AA64,
2595 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 0,
2596 .access = PL2_RW, .writefn = vbar_write,
2597 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[2]),
2599 { .name = "SP_EL2", .state = ARM_CP_STATE_AA64,
2600 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 1, .opc2 = 0,
2601 .access = PL3_RW, .type = ARM_CP_ALIAS,
2602 .fieldoffset = offsetof(CPUARMState, sp_el[2]) },
2603 { .name = "CPTR_EL2", .state = ARM_CP_STATE_BOTH,
2604 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 1, .opc2 = 2,
2605 .access = PL2_RW, .accessfn = cptr_access, .resetvalue = 0,
2606 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[2]) },
2607 { .name = "MAIR_EL2", .state = ARM_CP_STATE_BOTH,
2608 .opc0 = 3, .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 0,
2609 .access = PL2_RW, .fieldoffset = offsetof(CPUARMState, cp15.mair_el[2]),
2611 { .name = "HMAIR1", .state = ARM_CP_STATE_AA32,
2612 .opc1 = 4, .crn = 10, .crm = 2, .opc2 = 1,
2613 .access = PL2_RW, .type = ARM_CP_ALIAS,
2614 .fieldoffset = offsetofhigh32(CPUARMState, cp15.mair_el[2]) },
2615 { .name = "TCR_EL2", .state = ARM_CP_STATE_BOTH,
2616 .opc0 = 3, .opc1 = 4, .crn = 2, .crm = 0, .opc2 = 2,
2617 .access = PL2_RW, .writefn = vmsa_tcr_el1_write,
2618 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
2619 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[2]) },
2620 { .name = "SCTLR_EL2", .state = ARM_CP_STATE_BOTH,
2621 .opc0 = 3, .opc1 = 4, .crn = 1, .crm = 0, .opc2 = 0,
2622 .access = PL2_RW, .raw_writefn = raw_write, .writefn = sctlr_write,
2623 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[2]) },
2624 { .name = "TPIDR_EL2", .state = ARM_CP_STATE_BOTH,
2625 .opc0 = 3, .opc1 = 4, .crn = 13, .crm = 0, .opc2 = 2,
2626 .access = PL2_RW, .resetvalue = 0,
2627 .fieldoffset = offsetof(CPUARMState, cp15.tpidr_el[2]) },
2631 static const ARMCPRegInfo el3_cp_reginfo[] = {
2632 { .name = "SCR_EL3", .state = ARM_CP_STATE_AA64,
2633 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 0,
2634 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.scr_el3),
2635 .resetvalue = 0, .writefn = scr_write },
2636 { .name = "SCR", .type = ARM_CP_ALIAS,
2637 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 0,
2638 .access = PL3_RW, .fieldoffset = offsetoflow32(CPUARMState, cp15.scr_el3),
2639 .resetfn = arm_cp_reset_ignore, .writefn = scr_write },
2640 { .name = "SDER32_EL3", .state = ARM_CP_STATE_AA64,
2641 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 1,
2642 .access = PL3_RW, .resetvalue = 0,
2643 .fieldoffset = offsetof(CPUARMState, cp15.sder) },
2645 .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 1,
2646 .access = PL3_RW, .resetvalue = 0,
2647 .fieldoffset = offsetoflow32(CPUARMState, cp15.sder) },
2648 /* TODO: Implement NSACR trapping of secure EL1 accesses to EL3 */
2649 { .name = "NSACR", .cp = 15, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 2,
2650 .access = PL3_W | PL1_R, .resetvalue = 0,
2651 .fieldoffset = offsetof(CPUARMState, cp15.nsacr) },
2652 { .name = "MVBAR", .cp = 15, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
2653 .access = PL3_RW, .writefn = vbar_write, .resetvalue = 0,
2654 .fieldoffset = offsetof(CPUARMState, cp15.mvbar) },
2655 { .name = "SCTLR_EL3", .state = ARM_CP_STATE_AA64,
2656 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 0, .opc2 = 0,
2657 .access = PL3_RW, .raw_writefn = raw_write, .writefn = sctlr_write,
2658 .fieldoffset = offsetof(CPUARMState, cp15.sctlr_el[3]) },
2659 { .name = "TTBR0_EL3", .state = ARM_CP_STATE_AA64,
2660 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 0,
2661 .access = PL3_RW, .writefn = vmsa_ttbr_write, .resetvalue = 0,
2662 .fieldoffset = offsetof(CPUARMState, cp15.ttbr0_el[3]) },
2663 { .name = "TCR_EL3", .state = ARM_CP_STATE_AA64,
2664 .opc0 = 3, .opc1 = 6, .crn = 2, .crm = 0, .opc2 = 2,
2665 .access = PL3_RW, .writefn = vmsa_tcr_el1_write,
2666 .resetfn = vmsa_ttbcr_reset, .raw_writefn = raw_write,
2667 .fieldoffset = offsetof(CPUARMState, cp15.tcr_el[3]) },
2668 { .name = "ELR_EL3", .state = ARM_CP_STATE_AA64,
2669 .type = ARM_CP_ALIAS,
2670 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 1,
2672 .fieldoffset = offsetof(CPUARMState, elr_el[3]) },
2673 { .name = "ESR_EL3", .state = ARM_CP_STATE_AA64,
2674 .type = ARM_CP_ALIAS,
2675 .opc0 = 3, .opc1 = 6, .crn = 5, .crm = 2, .opc2 = 0,
2676 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.esr_el[3]) },
2677 { .name = "FAR_EL3", .state = ARM_CP_STATE_AA64,
2678 .opc0 = 3, .opc1 = 6, .crn = 6, .crm = 0, .opc2 = 0,
2679 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, cp15.far_el[3]) },
2680 { .name = "SPSR_EL3", .state = ARM_CP_STATE_AA64,
2681 .type = ARM_CP_ALIAS,
2682 .opc0 = 3, .opc1 = 6, .crn = 4, .crm = 0, .opc2 = 0,
2683 .access = PL3_RW, .fieldoffset = offsetof(CPUARMState, banked_spsr[7]) },
2684 { .name = "VBAR_EL3", .state = ARM_CP_STATE_AA64,
2685 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 0,
2686 .access = PL3_RW, .writefn = vbar_write,
2687 .fieldoffset = offsetof(CPUARMState, cp15.vbar_el[3]),
2689 { .name = "CPTR_EL3", .state = ARM_CP_STATE_AA64,
2690 .opc0 = 3, .opc1 = 6, .crn = 1, .crm = 1, .opc2 = 2,
2691 .access = PL3_RW, .accessfn = cptr_access, .resetvalue = 0,
2692 .fieldoffset = offsetof(CPUARMState, cp15.cptr_el[3]) },
2696 static CPAccessResult ctr_el0_access(CPUARMState *env, const ARMCPRegInfo *ri)
2698 /* Only accessible in EL0 if SCTLR.UCT is set (and only in AArch64,
2699 * but the AArch32 CTR has its own reginfo struct)
2701 if (arm_current_el(env) == 0 && !(env->cp15.sctlr_el[1] & SCTLR_UCT)) {
2702 return CP_ACCESS_TRAP;
2704 return CP_ACCESS_OK;
2707 static const ARMCPRegInfo debug_cp_reginfo[] = {
2708 /* DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped
2709 * debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1;
2710 * unlike DBGDRAR it is never accessible from EL0.
2711 * DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64
2714 { .name = "DBGDRAR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 0,
2715 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
2716 { .name = "MDRAR_EL1", .state = ARM_CP_STATE_AA64,
2717 .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
2718 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
2719 { .name = "DBGDSAR", .cp = 14, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
2720 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = 0 },
2721 /* Monitor debug system control register; the 32-bit alias is DBGDSCRext. */
2722 { .name = "MDSCR_EL1", .state = ARM_CP_STATE_BOTH,
2723 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
2725 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
2727 /* MDCCSR_EL0, aka DBGDSCRint. This is a read-only mirror of MDSCR_EL1.
2728 * We don't implement the configurable EL0 access.
2730 { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_BOTH,
2731 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
2732 .type = ARM_CP_ALIAS,
2734 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
2735 .resetfn = arm_cp_reset_ignore },
2736 /* We define a dummy WI OSLAR_EL1, because Linux writes to it. */
2737 { .name = "OSLAR_EL1", .state = ARM_CP_STATE_BOTH,
2738 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 4,
2739 .access = PL1_W, .type = ARM_CP_NOP },
2740 /* Dummy OSDLR_EL1: 32-bit Linux will read this */
2741 { .name = "OSDLR_EL1", .state = ARM_CP_STATE_BOTH,
2742 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4,
2743 .access = PL1_RW, .type = ARM_CP_NOP },
2744 /* Dummy DBGVCR: Linux wants to clear this on startup, but we don't
2745 * implement vector catch debug events yet.
2748 .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
2749 .access = PL1_RW, .type = ARM_CP_NOP },
2753 static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
2754 /* 64 bit access versions of the (dummy) debug registers */
2755 { .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0,
2756 .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
2757 { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,
2758 .access = PL0_R, .type = ARM_CP_CONST|ARM_CP_64BIT, .resetvalue = 0 },
2762 void hw_watchpoint_update(ARMCPU *cpu, int n)
2764 CPUARMState *env = &cpu->env;
2766 vaddr wvr = env->cp15.dbgwvr[n];
2767 uint64_t wcr = env->cp15.dbgwcr[n];
2769 int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
2771 if (env->cpu_watchpoint[n]) {
2772 cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[n]);
2773 env->cpu_watchpoint[n] = NULL;
2776 if (!extract64(wcr, 0, 1)) {
2777 /* E bit clear : watchpoint disabled */
2781 switch (extract64(wcr, 3, 2)) {
2783 /* LSC 00 is reserved and must behave as if the wp is disabled */
2786 flags |= BP_MEM_READ;
2789 flags |= BP_MEM_WRITE;
2792 flags |= BP_MEM_ACCESS;
2796 /* Attempts to use both MASK and BAS fields simultaneously are
2797 * CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case,
2798 * thus generating a watchpoint for every byte in the masked region.
2800 mask = extract64(wcr, 24, 4);
2801 if (mask == 1 || mask == 2) {
2802 /* Reserved values of MASK; we must act as if the mask value was
2803 * some non-reserved value, or as if the watchpoint were disabled.
2804 * We choose the latter.
2808 /* Watchpoint covers an aligned area up to 2GB in size */
2810 /* If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE
2811 * whether the watchpoint fires when the unmasked bits match; we opt
2812 * to generate the exceptions.
2816 /* Watchpoint covers bytes defined by the byte address select bits */
2817 int bas = extract64(wcr, 5, 8);
2821 /* This must act as if the watchpoint is disabled */
2825 if (extract64(wvr, 2, 1)) {
2826 /* Deprecated case of an only 4-aligned address. BAS[7:4] are
2827 * ignored, and BAS[3:0] define which bytes to watch.
2831 /* The BAS bits are supposed to be programmed to indicate a contiguous
2832 * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether
2833 * we fire for each byte in the word/doubleword addressed by the WVR.
2834 * We choose to ignore any non-zero bits after the first range of 1s.
2836 basstart = ctz32(bas);
2837 len = cto32(bas >> basstart);
2841 cpu_watchpoint_insert(CPU(cpu), wvr, len, flags,
2842 &env->cpu_watchpoint[n]);
2845 void hw_watchpoint_update_all(ARMCPU *cpu)
2848 CPUARMState *env = &cpu->env;
2850 /* Completely clear out existing QEMU watchpoints and our array, to
2851 * avoid possible stale entries following migration load.
2853 cpu_watchpoint_remove_all(CPU(cpu), BP_CPU);
2854 memset(env->cpu_watchpoint, 0, sizeof(env->cpu_watchpoint));
2856 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_watchpoint); i++) {
2857 hw_watchpoint_update(cpu, i);
2861 static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2864 ARMCPU *cpu = arm_env_get_cpu(env);
2867 /* Bits [63:49] are hardwired to the value of bit [48]; that is, the
2868 * register reads and behaves as if values written are sign extended.
2869 * Bits [1:0] are RES0.
2871 value = sextract64(value, 0, 49) & ~3ULL;
2873 raw_write(env, ri, value);
2874 hw_watchpoint_update(cpu, i);
2877 static void dbgwcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2880 ARMCPU *cpu = arm_env_get_cpu(env);
2883 raw_write(env, ri, value);
2884 hw_watchpoint_update(cpu, i);
2887 void hw_breakpoint_update(ARMCPU *cpu, int n)
2889 CPUARMState *env = &cpu->env;
2890 uint64_t bvr = env->cp15.dbgbvr[n];
2891 uint64_t bcr = env->cp15.dbgbcr[n];
2896 if (env->cpu_breakpoint[n]) {
2897 cpu_breakpoint_remove_by_ref(CPU(cpu), env->cpu_breakpoint[n]);
2898 env->cpu_breakpoint[n] = NULL;
2901 if (!extract64(bcr, 0, 1)) {
2902 /* E bit clear : watchpoint disabled */
2906 bt = extract64(bcr, 20, 4);
2909 case 4: /* unlinked address mismatch (reserved if AArch64) */
2910 case 5: /* linked address mismatch (reserved if AArch64) */
2911 qemu_log_mask(LOG_UNIMP,
2912 "arm: address mismatch breakpoint types not implemented");
2914 case 0: /* unlinked address match */
2915 case 1: /* linked address match */
2917 /* Bits [63:49] are hardwired to the value of bit [48]; that is,
2918 * we behave as if the register was sign extended. Bits [1:0] are
2919 * RES0. The BAS field is used to allow setting breakpoints on 16
2920 * bit wide instructions; it is CONSTRAINED UNPREDICTABLE whether
2921 * a bp will fire if the addresses covered by the bp and the addresses
2922 * covered by the insn overlap but the insn doesn't start at the
2923 * start of the bp address range. We choose to require the insn and
2924 * the bp to have the same address. The constraints on writing to
2925 * BAS enforced in dbgbcr_write mean we have only four cases:
2926 * 0b0000 => no breakpoint
2927 * 0b0011 => breakpoint on addr
2928 * 0b1100 => breakpoint on addr + 2
2929 * 0b1111 => breakpoint on addr
2930 * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c).
2932 int bas = extract64(bcr, 5, 4);
2933 addr = sextract64(bvr, 0, 49) & ~3ULL;
2942 case 2: /* unlinked context ID match */
2943 case 8: /* unlinked VMID match (reserved if no EL2) */
2944 case 10: /* unlinked context ID and VMID match (reserved if no EL2) */
2945 qemu_log_mask(LOG_UNIMP,
2946 "arm: unlinked context breakpoint types not implemented");
2948 case 9: /* linked VMID match (reserved if no EL2) */
2949 case 11: /* linked context ID and VMID match (reserved if no EL2) */
2950 case 3: /* linked context ID match */
2952 /* We must generate no events for Linked context matches (unless
2953 * they are linked to by some other bp/wp, which is handled in
2954 * updates for the linking bp/wp). We choose to also generate no events
2955 * for reserved values.
2960 cpu_breakpoint_insert(CPU(cpu), addr, flags, &env->cpu_breakpoint[n]);
2963 void hw_breakpoint_update_all(ARMCPU *cpu)
2966 CPUARMState *env = &cpu->env;
2968 /* Completely clear out existing QEMU breakpoints and our array, to
2969 * avoid possible stale entries following migration load.
2971 cpu_breakpoint_remove_all(CPU(cpu), BP_CPU);
2972 memset(env->cpu_breakpoint, 0, sizeof(env->cpu_breakpoint));
2974 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_breakpoint); i++) {
2975 hw_breakpoint_update(cpu, i);
2979 static void dbgbvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2982 ARMCPU *cpu = arm_env_get_cpu(env);
2985 raw_write(env, ri, value);
2986 hw_breakpoint_update(cpu, i);
2989 static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
2992 ARMCPU *cpu = arm_env_get_cpu(env);
2995 /* BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only
2998 value = deposit64(value, 6, 1, extract64(value, 5, 1));
2999 value = deposit64(value, 8, 1, extract64(value, 7, 1));
3001 raw_write(env, ri, value);
3002 hw_breakpoint_update(cpu, i);
3005 static void define_debug_regs(ARMCPU *cpu)
3007 /* Define v7 and v8 architectural debug registers.
3008 * These are just dummy implementations for now.
3011 int wrps, brps, ctx_cmps;
3012 ARMCPRegInfo dbgdidr = {
3013 .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 0,
3014 .access = PL0_R, .type = ARM_CP_CONST, .resetvalue = cpu->dbgdidr,
3017 /* Note that all these register fields hold "number of Xs minus 1". */
3018 brps = extract32(cpu->dbgdidr, 24, 4);
3019 wrps = extract32(cpu->dbgdidr, 28, 4);
3020 ctx_cmps = extract32(cpu->dbgdidr, 20, 4);
3022 assert(ctx_cmps <= brps);
3024 /* The DBGDIDR and ID_AA64DFR0_EL1 define various properties
3025 * of the debug registers such as number of breakpoints;
3026 * check that if they both exist then they agree.
3028 if (arm_feature(&cpu->env, ARM_FEATURE_AARCH64)) {
3029 assert(extract32(cpu->id_aa64dfr0, 12, 4) == brps);
3030 assert(extract32(cpu->id_aa64dfr0, 20, 4) == wrps);
3031 assert(extract32(cpu->id_aa64dfr0, 28, 4) == ctx_cmps);
3034 define_one_arm_cp_reg(cpu, &dbgdidr);
3035 define_arm_cp_regs(cpu, debug_cp_reginfo);
3037 if (arm_feature(&cpu->env, ARM_FEATURE_LPAE)) {
3038 define_arm_cp_regs(cpu, debug_lpae_cp_reginfo);
3041 for (i = 0; i < brps + 1; i++) {
3042 ARMCPRegInfo dbgregs[] = {
3043 { .name = "DBGBVR", .state = ARM_CP_STATE_BOTH,
3044 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4,
3046 .fieldoffset = offsetof(CPUARMState, cp15.dbgbvr[i]),
3047 .writefn = dbgbvr_write, .raw_writefn = raw_write
3049 { .name = "DBGBCR", .state = ARM_CP_STATE_BOTH,
3050 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 5,
3052 .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]),
3053 .writefn = dbgbcr_write, .raw_writefn = raw_write
3057 define_arm_cp_regs(cpu, dbgregs);
3060 for (i = 0; i < wrps + 1; i++) {
3061 ARMCPRegInfo dbgregs[] = {
3062 { .name = "DBGWVR", .state = ARM_CP_STATE_BOTH,
3063 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6,
3065 .fieldoffset = offsetof(CPUARMState, cp15.dbgwvr[i]),
3066 .writefn = dbgwvr_write, .raw_writefn = raw_write
3068 { .name = "DBGWCR", .state = ARM_CP_STATE_BOTH,
3069 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 7,
3071 .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]),
3072 .writefn = dbgwcr_write, .raw_writefn = raw_write
3076 define_arm_cp_regs(cpu, dbgregs);
3080 void register_cp_regs_for_features(ARMCPU *cpu)
3082 /* Register all the coprocessor registers based on feature bits */
3083 CPUARMState *env = &cpu->env;
3084 if (arm_feature(env, ARM_FEATURE_M)) {
3085 /* M profile has no coprocessor registers */
3089 define_arm_cp_regs(cpu, cp_reginfo);
3090 if (!arm_feature(env, ARM_FEATURE_V8)) {
3091 /* Must go early as it is full of wildcards that may be
3092 * overridden by later definitions.
3094 define_arm_cp_regs(cpu, not_v8_cp_reginfo);
3097 if (arm_feature(env, ARM_FEATURE_V6)) {
3098 /* The ID registers all have impdef reset values */
3099 ARMCPRegInfo v6_idregs[] = {
3100 { .name = "ID_PFR0", .state = ARM_CP_STATE_BOTH,
3101 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
3102 .access = PL1_R, .type = ARM_CP_CONST,
3103 .resetvalue = cpu->id_pfr0 },
3104 { .name = "ID_PFR1", .state = ARM_CP_STATE_BOTH,
3105 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 1,
3106 .access = PL1_R, .type = ARM_CP_CONST,
3107 .resetvalue = cpu->id_pfr1 },
3108 { .name = "ID_DFR0", .state = ARM_CP_STATE_BOTH,
3109 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 2,
3110 .access = PL1_R, .type = ARM_CP_CONST,
3111 .resetvalue = cpu->id_dfr0 },
3112 { .name = "ID_AFR0", .state = ARM_CP_STATE_BOTH,
3113 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 3,
3114 .access = PL1_R, .type = ARM_CP_CONST,
3115 .resetvalue = cpu->id_afr0 },
3116 { .name = "ID_MMFR0", .state = ARM_CP_STATE_BOTH,
3117 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 4,
3118 .access = PL1_R, .type = ARM_CP_CONST,
3119 .resetvalue = cpu->id_mmfr0 },
3120 { .name = "ID_MMFR1", .state = ARM_CP_STATE_BOTH,
3121 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 5,
3122 .access = PL1_R, .type = ARM_CP_CONST,
3123 .resetvalue = cpu->id_mmfr1 },
3124 { .name = "ID_MMFR2", .state = ARM_CP_STATE_BOTH,
3125 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 6,
3126 .access = PL1_R, .type = ARM_CP_CONST,
3127 .resetvalue = cpu->id_mmfr2 },
3128 { .name = "ID_MMFR3", .state = ARM_CP_STATE_BOTH,
3129 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 7,
3130 .access = PL1_R, .type = ARM_CP_CONST,
3131 .resetvalue = cpu->id_mmfr3 },
3132 { .name = "ID_ISAR0", .state = ARM_CP_STATE_BOTH,
3133 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
3134 .access = PL1_R, .type = ARM_CP_CONST,
3135 .resetvalue = cpu->id_isar0 },
3136 { .name = "ID_ISAR1", .state = ARM_CP_STATE_BOTH,
3137 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 1,
3138 .access = PL1_R, .type = ARM_CP_CONST,
3139 .resetvalue = cpu->id_isar1 },
3140 { .name = "ID_ISAR2", .state = ARM_CP_STATE_BOTH,
3141 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
3142 .access = PL1_R, .type = ARM_CP_CONST,
3143 .resetvalue = cpu->id_isar2 },
3144 { .name = "ID_ISAR3", .state = ARM_CP_STATE_BOTH,
3145 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 3,
3146 .access = PL1_R, .type = ARM_CP_CONST,
3147 .resetvalue = cpu->id_isar3 },
3148 { .name = "ID_ISAR4", .state = ARM_CP_STATE_BOTH,
3149 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 4,
3150 .access = PL1_R, .type = ARM_CP_CONST,
3151 .resetvalue = cpu->id_isar4 },
3152 { .name = "ID_ISAR5", .state = ARM_CP_STATE_BOTH,
3153 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 5,
3154 .access = PL1_R, .type = ARM_CP_CONST,
3155 .resetvalue = cpu->id_isar5 },
3156 /* 6..7 are as yet unallocated and must RAZ */
3157 { .name = "ID_ISAR6", .cp = 15, .crn = 0, .crm = 2,
3158 .opc1 = 0, .opc2 = 6, .access = PL1_R, .type = ARM_CP_CONST,
3160 { .name = "ID_ISAR7", .cp = 15, .crn = 0, .crm = 2,
3161 .opc1 = 0, .opc2 = 7, .access = PL1_R, .type = ARM_CP_CONST,
3165 define_arm_cp_regs(cpu, v6_idregs);
3166 define_arm_cp_regs(cpu, v6_cp_reginfo);
3168 define_arm_cp_regs(cpu, not_v6_cp_reginfo);
3170 if (arm_feature(env, ARM_FEATURE_V6K)) {
3171 define_arm_cp_regs(cpu, v6k_cp_reginfo);
3173 if (arm_feature(env, ARM_FEATURE_V7MP)) {
3174 define_arm_cp_regs(cpu, v7mp_cp_reginfo);
3176 if (arm_feature(env, ARM_FEATURE_V7)) {
3177 /* v7 performance monitor control register: same implementor
3178 * field as main ID register, and we implement only the cycle
3181 #ifndef CONFIG_USER_ONLY
3182 ARMCPRegInfo pmcr = {
3183 .name = "PMCR", .cp = 15, .crn = 9, .crm = 12, .opc1 = 0, .opc2 = 0,
3185 .type = ARM_CP_IO | ARM_CP_ALIAS,
3186 .fieldoffset = offsetoflow32(CPUARMState, cp15.c9_pmcr),
3187 .accessfn = pmreg_access, .writefn = pmcr_write,
3188 .raw_writefn = raw_write,
3190 ARMCPRegInfo pmcr64 = {
3191 .name = "PMCR_EL0", .state = ARM_CP_STATE_AA64,
3192 .opc0 = 3, .opc1 = 3, .crn = 9, .crm = 12, .opc2 = 0,
3193 .access = PL0_RW, .accessfn = pmreg_access,
3195 .fieldoffset = offsetof(CPUARMState, cp15.c9_pmcr),
3196 .resetvalue = cpu->midr & 0xff000000,
3197 .writefn = pmcr_write, .raw_writefn = raw_write,
3199 define_one_arm_cp_reg(cpu, &pmcr);
3200 define_one_arm_cp_reg(cpu, &pmcr64);
3202 ARMCPRegInfo clidr = {
3203 .name = "CLIDR", .state = ARM_CP_STATE_BOTH,
3204 .opc0 = 3, .crn = 0, .crm = 0, .opc1 = 1, .opc2 = 1,
3205 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->clidr
3207 define_one_arm_cp_reg(cpu, &clidr);
3208 define_arm_cp_regs(cpu, v7_cp_reginfo);
3209 define_debug_regs(cpu);
3211 define_arm_cp_regs(cpu, not_v7_cp_reginfo);
3213 if (arm_feature(env, ARM_FEATURE_V8)) {
3214 /* AArch64 ID registers, which all have impdef reset values */
3215 ARMCPRegInfo v8_idregs[] = {
3216 { .name = "ID_AA64PFR0_EL1", .state = ARM_CP_STATE_AA64,
3217 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 0,
3218 .access = PL1_R, .type = ARM_CP_CONST,
3219 .resetvalue = cpu->id_aa64pfr0 },
3220 { .name = "ID_AA64PFR1_EL1", .state = ARM_CP_STATE_AA64,
3221 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 4, .opc2 = 1,
3222 .access = PL1_R, .type = ARM_CP_CONST,
3223 .resetvalue = cpu->id_aa64pfr1},
3224 { .name = "ID_AA64DFR0_EL1", .state = ARM_CP_STATE_AA64,
3225 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 0,
3226 .access = PL1_R, .type = ARM_CP_CONST,
3227 /* We mask out the PMUVer field, because we don't currently
3228 * implement the PMU. Not advertising it prevents the guest
3229 * from trying to use it and getting UNDEFs on registers we
3232 .resetvalue = cpu->id_aa64dfr0 & ~0xf00 },
3233 { .name = "ID_AA64DFR1_EL1", .state = ARM_CP_STATE_AA64,
3234 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 1,
3235 .access = PL1_R, .type = ARM_CP_CONST,
3236 .resetvalue = cpu->id_aa64dfr1 },
3237 { .name = "ID_AA64AFR0_EL1", .state = ARM_CP_STATE_AA64,
3238 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 4,
3239 .access = PL1_R, .type = ARM_CP_CONST,
3240 .resetvalue = cpu->id_aa64afr0 },
3241 { .name = "ID_AA64AFR1_EL1", .state = ARM_CP_STATE_AA64,
3242 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 5, .opc2 = 5,
3243 .access = PL1_R, .type = ARM_CP_CONST,
3244 .resetvalue = cpu->id_aa64afr1 },
3245 { .name = "ID_AA64ISAR0_EL1", .state = ARM_CP_STATE_AA64,
3246 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 0,
3247 .access = PL1_R, .type = ARM_CP_CONST,
3248 .resetvalue = cpu->id_aa64isar0 },
3249 { .name = "ID_AA64ISAR1_EL1", .state = ARM_CP_STATE_AA64,
3250 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 1,
3251 .access = PL1_R, .type = ARM_CP_CONST,
3252 .resetvalue = cpu->id_aa64isar1 },
3253 { .name = "ID_AA64MMFR0_EL1", .state = ARM_CP_STATE_AA64,
3254 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
3255 .access = PL1_R, .type = ARM_CP_CONST,
3256 .resetvalue = cpu->id_aa64mmfr0 },
3257 { .name = "ID_AA64MMFR1_EL1", .state = ARM_CP_STATE_AA64,
3258 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 1,
3259 .access = PL1_R, .type = ARM_CP_CONST,
3260 .resetvalue = cpu->id_aa64mmfr1 },
3261 { .name = "MVFR0_EL1", .state = ARM_CP_STATE_AA64,
3262 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 0,
3263 .access = PL1_R, .type = ARM_CP_CONST,
3264 .resetvalue = cpu->mvfr0 },
3265 { .name = "MVFR1_EL1", .state = ARM_CP_STATE_AA64,
3266 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 1,
3267 .access = PL1_R, .type = ARM_CP_CONST,
3268 .resetvalue = cpu->mvfr1 },
3269 { .name = "MVFR2_EL1", .state = ARM_CP_STATE_AA64,
3270 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
3271 .access = PL1_R, .type = ARM_CP_CONST,
3272 .resetvalue = cpu->mvfr2 },
3275 /* RVBAR_EL1 is only implemented if EL1 is the highest EL */
3276 if (!arm_feature(env, ARM_FEATURE_EL3) &&
3277 !arm_feature(env, ARM_FEATURE_EL2)) {
3278 ARMCPRegInfo rvbar = {
3279 .name = "RVBAR_EL1", .state = ARM_CP_STATE_AA64,
3280 .opc0 = 3, .opc1 = 0, .crn = 12, .crm = 0, .opc2 = 1,
3281 .type = ARM_CP_CONST, .access = PL1_R, .resetvalue = cpu->rvbar
3283 define_one_arm_cp_reg(cpu, &rvbar);
3285 define_arm_cp_regs(cpu, v8_idregs);
3286 define_arm_cp_regs(cpu, v8_cp_reginfo);
3288 if (arm_feature(env, ARM_FEATURE_EL2)) {
3289 define_arm_cp_regs(cpu, v8_el2_cp_reginfo);
3290 /* RVBAR_EL2 is only implemented if EL2 is the highest EL */
3291 if (!arm_feature(env, ARM_FEATURE_EL3)) {
3292 ARMCPRegInfo rvbar = {
3293 .name = "RVBAR_EL2", .state = ARM_CP_STATE_AA64,
3294 .opc0 = 3, .opc1 = 4, .crn = 12, .crm = 0, .opc2 = 1,
3295 .type = ARM_CP_CONST, .access = PL2_R, .resetvalue = cpu->rvbar
3297 define_one_arm_cp_reg(cpu, &rvbar);
3300 /* If EL2 is missing but higher ELs are enabled, we need to
3301 * register the no_el2 reginfos.
3303 if (arm_feature(env, ARM_FEATURE_EL3)) {
3304 define_arm_cp_regs(cpu, v8_el3_no_el2_cp_reginfo);
3307 if (arm_feature(env, ARM_FEATURE_EL3)) {
3308 define_arm_cp_regs(cpu, el3_cp_reginfo);
3309 ARMCPRegInfo rvbar = {
3310 .name = "RVBAR_EL3", .state = ARM_CP_STATE_AA64,
3311 .opc0 = 3, .opc1 = 6, .crn = 12, .crm = 0, .opc2 = 1,
3312 .type = ARM_CP_CONST, .access = PL3_R, .resetvalue = cpu->rvbar
3314 define_one_arm_cp_reg(cpu, &rvbar);
3316 if (arm_feature(env, ARM_FEATURE_MPU)) {
3317 /* These are the MPU registers prior to PMSAv6. Any new
3318 * PMSA core later than the ARM946 will require that we
3319 * implement the PMSAv6 or PMSAv7 registers, which are
3320 * completely different.
3322 assert(!arm_feature(env, ARM_FEATURE_V6));
3323 define_arm_cp_regs(cpu, pmsav5_cp_reginfo);
3325 define_arm_cp_regs(cpu, vmsa_cp_reginfo);
3327 if (arm_feature(env, ARM_FEATURE_THUMB2EE)) {
3328 define_arm_cp_regs(cpu, t2ee_cp_reginfo);
3330 if (arm_feature(env, ARM_FEATURE_GENERIC_TIMER)) {
3331 define_arm_cp_regs(cpu, generic_timer_cp_reginfo);
3333 if (arm_feature(env, ARM_FEATURE_VAPA)) {
3334 define_arm_cp_regs(cpu, vapa_cp_reginfo);
3336 if (arm_feature(env, ARM_FEATURE_CACHE_TEST_CLEAN)) {
3337 define_arm_cp_regs(cpu, cache_test_clean_cp_reginfo);
3339 if (arm_feature(env, ARM_FEATURE_CACHE_DIRTY_REG)) {
3340 define_arm_cp_regs(cpu, cache_dirty_status_cp_reginfo);
3342 if (arm_feature(env, ARM_FEATURE_CACHE_BLOCK_OPS)) {
3343 define_arm_cp_regs(cpu, cache_block_ops_cp_reginfo);
3345 if (arm_feature(env, ARM_FEATURE_OMAPCP)) {
3346 define_arm_cp_regs(cpu, omap_cp_reginfo);
3348 if (arm_feature(env, ARM_FEATURE_STRONGARM)) {
3349 define_arm_cp_regs(cpu, strongarm_cp_reginfo);
3351 if (arm_feature(env, ARM_FEATURE_XSCALE)) {
3352 define_arm_cp_regs(cpu, xscale_cp_reginfo);
3354 if (arm_feature(env, ARM_FEATURE_DUMMY_C15_REGS)) {
3355 define_arm_cp_regs(cpu, dummy_c15_cp_reginfo);
3357 if (arm_feature(env, ARM_FEATURE_LPAE)) {
3358 define_arm_cp_regs(cpu, lpae_cp_reginfo);
3360 /* Slightly awkwardly, the OMAP and StrongARM cores need all of
3361 * cp15 crn=0 to be writes-ignored, whereas for other cores they should
3362 * be read-only (ie write causes UNDEF exception).
3365 ARMCPRegInfo id_pre_v8_midr_cp_reginfo[] = {
3366 /* Pre-v8 MIDR space.
3367 * Note that the MIDR isn't a simple constant register because
3368 * of the TI925 behaviour where writes to another register can
3369 * cause the MIDR value to change.
3371 * Unimplemented registers in the c15 0 0 0 space default to
3372 * MIDR. Define MIDR first as this entire space, then CTR, TCMTR
3373 * and friends override accordingly.
3376 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = CP_ANY,
3377 .access = PL1_R, .resetvalue = cpu->midr,
3378 .writefn = arm_cp_write_ignore, .raw_writefn = raw_write,
3379 .fieldoffset = offsetof(CPUARMState, cp15.c0_cpuid),
3380 .type = ARM_CP_OVERRIDE },
3381 /* crn = 0 op1 = 0 crm = 3..7 : currently unassigned; we RAZ. */
3383 .cp = 15, .crn = 0, .crm = 3, .opc1 = 0, .opc2 = CP_ANY,
3384 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3386 .cp = 15, .crn = 0, .crm = 4, .opc1 = 0, .opc2 = CP_ANY,
3387 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3389 .cp = 15, .crn = 0, .crm = 5, .opc1 = 0, .opc2 = CP_ANY,
3390 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3392 .cp = 15, .crn = 0, .crm = 6, .opc1 = 0, .opc2 = CP_ANY,
3393 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3395 .cp = 15, .crn = 0, .crm = 7, .opc1 = 0, .opc2 = CP_ANY,
3396 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3399 ARMCPRegInfo id_v8_midr_cp_reginfo[] = {
3400 /* v8 MIDR -- the wildcard isn't necessary, and nor is the
3401 * variable-MIDR TI925 behaviour. Instead we have a single
3402 * (strictly speaking IMPDEF) alias of the MIDR, REVIDR.
3404 { .name = "MIDR_EL1", .state = ARM_CP_STATE_BOTH,
3405 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 0,
3406 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->midr },
3407 { .name = "REVIDR_EL1", .state = ARM_CP_STATE_BOTH,
3408 .opc0 = 3, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 6,
3409 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->midr },
3412 ARMCPRegInfo id_cp_reginfo[] = {
3413 /* These are common to v8 and pre-v8 */
3415 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 1,
3416 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
3417 { .name = "CTR_EL0", .state = ARM_CP_STATE_AA64,
3418 .opc0 = 3, .opc1 = 3, .opc2 = 1, .crn = 0, .crm = 0,
3419 .access = PL0_R, .accessfn = ctr_el0_access,
3420 .type = ARM_CP_CONST, .resetvalue = cpu->ctr },
3421 /* TCMTR and TLBTR exist in v8 but have no 64-bit versions */
3423 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 2,
3424 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3426 .cp = 15, .crn = 0, .crm = 0, .opc1 = 0, .opc2 = 3,
3427 .access = PL1_R, .type = ARM_CP_CONST, .resetvalue = 0 },
3430 ARMCPRegInfo crn0_wi_reginfo = {
3431 .name = "CRN0_WI", .cp = 15, .crn = 0, .crm = CP_ANY,
3432 .opc1 = CP_ANY, .opc2 = CP_ANY, .access = PL1_W,
3433 .type = ARM_CP_NOP | ARM_CP_OVERRIDE
3435 if (arm_feature(env, ARM_FEATURE_OMAPCP) ||
3436 arm_feature(env, ARM_FEATURE_STRONGARM)) {
3438 /* Register the blanket "writes ignored" value first to cover the
3439 * whole space. Then update the specific ID registers to allow write
3440 * access, so that they ignore writes rather than causing them to
3443 define_one_arm_cp_reg(cpu, &crn0_wi_reginfo);
3444 for (r = id_pre_v8_midr_cp_reginfo;
3445 r->type != ARM_CP_SENTINEL; r++) {
3448 for (r = id_cp_reginfo; r->type != ARM_CP_SENTINEL; r++) {
3452 if (arm_feature(env, ARM_FEATURE_V8)) {
3453 define_arm_cp_regs(cpu, id_v8_midr_cp_reginfo);
3455 define_arm_cp_regs(cpu, id_pre_v8_midr_cp_reginfo);
3457 define_arm_cp_regs(cpu, id_cp_reginfo);
3460 if (arm_feature(env, ARM_FEATURE_MPIDR)) {
3461 define_arm_cp_regs(cpu, mpidr_cp_reginfo);
3464 if (arm_feature(env, ARM_FEATURE_AUXCR)) {
3465 ARMCPRegInfo auxcr = {
3466 .name = "ACTLR_EL1", .state = ARM_CP_STATE_BOTH,
3467 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 1,
3468 .access = PL1_RW, .type = ARM_CP_CONST,
3469 .resetvalue = cpu->reset_auxcr
3471 define_one_arm_cp_reg(cpu, &auxcr);
3474 if (arm_feature(env, ARM_FEATURE_CBAR)) {
3475 if (arm_feature(env, ARM_FEATURE_AARCH64)) {
3476 /* 32 bit view is [31:18] 0...0 [43:32]. */
3477 uint32_t cbar32 = (extract64(cpu->reset_cbar, 18, 14) << 18)
3478 | extract64(cpu->reset_cbar, 32, 12);
3479 ARMCPRegInfo cbar_reginfo[] = {
3481 .type = ARM_CP_CONST,
3482 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0,
3483 .access = PL1_R, .resetvalue = cpu->reset_cbar },
3484 { .name = "CBAR_EL1", .state = ARM_CP_STATE_AA64,
3485 .type = ARM_CP_CONST,
3486 .opc0 = 3, .opc1 = 1, .crn = 15, .crm = 3, .opc2 = 0,
3487 .access = PL1_R, .resetvalue = cbar32 },
3490 /* We don't implement a r/w 64 bit CBAR currently */
3491 assert(arm_feature(env, ARM_FEATURE_CBAR_RO));
3492 define_arm_cp_regs(cpu, cbar_reginfo);
3494 ARMCPRegInfo cbar = {
3496 .cp = 15, .crn = 15, .crm = 0, .opc1 = 4, .opc2 = 0,
3497 .access = PL1_R|PL3_W, .resetvalue = cpu->reset_cbar,
3498 .fieldoffset = offsetof(CPUARMState,
3499 cp15.c15_config_base_address)
3501 if (arm_feature(env, ARM_FEATURE_CBAR_RO)) {
3502 cbar.access = PL1_R;
3503 cbar.fieldoffset = 0;
3504 cbar.type = ARM_CP_CONST;
3506 define_one_arm_cp_reg(cpu, &cbar);
3510 /* Generic registers whose values depend on the implementation */
3512 ARMCPRegInfo sctlr = {
3513 .name = "SCTLR", .state = ARM_CP_STATE_BOTH,
3514 .opc0 = 3, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
3516 .bank_fieldoffsets = { offsetof(CPUARMState, cp15.sctlr_s),
3517 offsetof(CPUARMState, cp15.sctlr_ns) },
3518 .writefn = sctlr_write, .resetvalue = cpu->reset_sctlr,
3519 .raw_writefn = raw_write,
3521 if (arm_feature(env, ARM_FEATURE_XSCALE)) {
3522 /* Normally we would always end the TB on an SCTLR write, but Linux
3523 * arch/arm/mach-pxa/sleep.S expects two instructions following
3524 * an MMU enable to execute from cache. Imitate this behaviour.
3526 sctlr.type |= ARM_CP_SUPPRESS_TB_END;
3528 define_one_arm_cp_reg(cpu, &sctlr);
3532 ARMCPU *cpu_arm_init(const char *cpu_model)
3534 return ARM_CPU(cpu_generic_init(TYPE_ARM_CPU, cpu_model));
3537 void arm_cpu_register_gdb_regs_for_features(ARMCPU *cpu)
3539 CPUState *cs = CPU(cpu);
3540 CPUARMState *env = &cpu->env;
3542 if (arm_feature(env, ARM_FEATURE_AARCH64)) {
3543 gdb_register_coprocessor(cs, aarch64_fpu_gdb_get_reg,
3544 aarch64_fpu_gdb_set_reg,
3545 34, "aarch64-fpu.xml", 0);
3546 } else if (arm_feature(env, ARM_FEATURE_NEON)) {
3547 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
3548 51, "arm-neon.xml", 0);
3549 } else if (arm_feature(env, ARM_FEATURE_VFP3)) {
3550 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
3551 35, "arm-vfp3.xml", 0);
3552 } else if (arm_feature(env, ARM_FEATURE_VFP)) {
3553 gdb_register_coprocessor(cs, vfp_gdb_get_reg, vfp_gdb_set_reg,
3554 19, "arm-vfp.xml", 0);
3558 /* Sort alphabetically by type name, except for "any". */
3559 static gint arm_cpu_list_compare(gconstpointer a, gconstpointer b)
3561 ObjectClass *class_a = (ObjectClass *)a;
3562 ObjectClass *class_b = (ObjectClass *)b;
3563 const char *name_a, *name_b;
3565 name_a = object_class_get_name(class_a);
3566 name_b = object_class_get_name(class_b);
3567 if (strcmp(name_a, "any-" TYPE_ARM_CPU) == 0) {
3569 } else if (strcmp(name_b, "any-" TYPE_ARM_CPU) == 0) {
3572 return strcmp(name_a, name_b);
3576 static void arm_cpu_list_entry(gpointer data, gpointer user_data)
3578 ObjectClass *oc = data;
3579 CPUListState *s = user_data;
3580 const char *typename;
3583 typename = object_class_get_name(oc);
3584 name = g_strndup(typename, strlen(typename) - strlen("-" TYPE_ARM_CPU));
3585 (*s->cpu_fprintf)(s->file, " %s\n",
3590 void arm_cpu_list(FILE *f, fprintf_function cpu_fprintf)
3594 .cpu_fprintf = cpu_fprintf,
3598 list = object_class_get_list(TYPE_ARM_CPU, false);
3599 list = g_slist_sort(list, arm_cpu_list_compare);
3600 (*cpu_fprintf)(f, "Available CPUs:\n");
3601 g_slist_foreach(list, arm_cpu_list_entry, &s);
3604 /* The 'host' CPU type is dynamically registered only if KVM is
3605 * enabled, so we have to special-case it here:
3607 (*cpu_fprintf)(f, " host (only available in KVM mode)\n");
3611 static void arm_cpu_add_definition(gpointer data, gpointer user_data)
3613 ObjectClass *oc = data;
3614 CpuDefinitionInfoList **cpu_list = user_data;
3615 CpuDefinitionInfoList *entry;
3616 CpuDefinitionInfo *info;
3617 const char *typename;
3619 typename = object_class_get_name(oc);
3620 info = g_malloc0(sizeof(*info));
3621 info->name = g_strndup(typename,
3622 strlen(typename) - strlen("-" TYPE_ARM_CPU));
3624 entry = g_malloc0(sizeof(*entry));
3625 entry->value = info;
3626 entry->next = *cpu_list;
3630 CpuDefinitionInfoList *arch_query_cpu_definitions(Error **errp)
3632 CpuDefinitionInfoList *cpu_list = NULL;
3635 list = object_class_get_list(TYPE_ARM_CPU, false);
3636 g_slist_foreach(list, arm_cpu_add_definition, &cpu_list);
3642 static void add_cpreg_to_hashtable(ARMCPU *cpu, const ARMCPRegInfo *r,
3643 void *opaque, int state, int secstate,
3644 int crm, int opc1, int opc2)
3646 /* Private utility function for define_one_arm_cp_reg_with_opaque():
3647 * add a single reginfo struct to the hash table.
3649 uint32_t *key = g_new(uint32_t, 1);
3650 ARMCPRegInfo *r2 = g_memdup(r, sizeof(ARMCPRegInfo));
3651 int is64 = (r->type & ARM_CP_64BIT) ? 1 : 0;
3652 int ns = (secstate & ARM_CP_SECSTATE_NS) ? 1 : 0;
3654 /* Reset the secure state to the specific incoming state. This is
3655 * necessary as the register may have been defined with both states.
3657 r2->secure = secstate;
3659 if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
3660 /* Register is banked (using both entries in array).
3661 * Overwriting fieldoffset as the array is only used to define
3662 * banked registers but later only fieldoffset is used.
3664 r2->fieldoffset = r->bank_fieldoffsets[ns];
3667 if (state == ARM_CP_STATE_AA32) {
3668 if (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1]) {
3669 /* If the register is banked then we don't need to migrate or
3670 * reset the 32-bit instance in certain cases:
3672 * 1) If the register has both 32-bit and 64-bit instances then we
3673 * can count on the 64-bit instance taking care of the
3675 * 2) If ARMv8 is enabled then we can count on a 64-bit version
3676 * taking care of the secure bank. This requires that separate
3677 * 32 and 64-bit definitions are provided.
3679 if ((r->state == ARM_CP_STATE_BOTH && ns) ||
3680 (arm_feature(&cpu->env, ARM_FEATURE_V8) && !ns)) {
3681 r2->type |= ARM_CP_ALIAS;
3682 r2->resetfn = arm_cp_reset_ignore;
3684 } else if ((secstate != r->secure) && !ns) {
3685 /* The register is not banked so we only want to allow migration of
3686 * the non-secure instance.
3688 r2->type |= ARM_CP_ALIAS;
3689 r2->resetfn = arm_cp_reset_ignore;
3692 if (r->state == ARM_CP_STATE_BOTH) {
3693 /* We assume it is a cp15 register if the .cp field is left unset.
3699 #ifdef HOST_WORDS_BIGENDIAN
3700 if (r2->fieldoffset) {
3701 r2->fieldoffset += sizeof(uint32_t);
3706 if (state == ARM_CP_STATE_AA64) {
3707 /* To allow abbreviation of ARMCPRegInfo
3708 * definitions, we treat cp == 0 as equivalent to
3709 * the value for "standard guest-visible sysreg".
3710 * STATE_BOTH definitions are also always "standard
3711 * sysreg" in their AArch64 view (the .cp value may
3712 * be non-zero for the benefit of the AArch32 view).
3714 if (r->cp == 0 || r->state == ARM_CP_STATE_BOTH) {
3715 r2->cp = CP_REG_ARM64_SYSREG_CP;
3717 *key = ENCODE_AA64_CP_REG(r2->cp, r2->crn, crm,
3718 r2->opc0, opc1, opc2);
3720 *key = ENCODE_CP_REG(r2->cp, is64, ns, r2->crn, crm, opc1, opc2);
3723 r2->opaque = opaque;
3725 /* reginfo passed to helpers is correct for the actual access,
3726 * and is never ARM_CP_STATE_BOTH:
3729 /* Make sure reginfo passed to helpers for wildcarded regs
3730 * has the correct crm/opc1/opc2 for this reg, not CP_ANY:
3735 /* By convention, for wildcarded registers only the first
3736 * entry is used for migration; the others are marked as
3737 * ALIAS so we don't try to transfer the register
3738 * multiple times. Special registers (ie NOP/WFI) are
3739 * never migratable and not even raw-accessible.
3741 if ((r->type & ARM_CP_SPECIAL)) {
3742 r2->type |= ARM_CP_NO_RAW;
3744 if (((r->crm == CP_ANY) && crm != 0) ||
3745 ((r->opc1 == CP_ANY) && opc1 != 0) ||
3746 ((r->opc2 == CP_ANY) && opc2 != 0)) {
3747 r2->type |= ARM_CP_ALIAS;
3750 /* Check that raw accesses are either forbidden or handled. Note that
3751 * we can't assert this earlier because the setup of fieldoffset for
3752 * banked registers has to be done first.
3754 if (!(r2->type & ARM_CP_NO_RAW)) {
3755 assert(!raw_accessors_invalid(r2));
3758 /* Overriding of an existing definition must be explicitly
3761 if (!(r->type & ARM_CP_OVERRIDE)) {
3762 ARMCPRegInfo *oldreg;
3763 oldreg = g_hash_table_lookup(cpu->cp_regs, key);
3764 if (oldreg && !(oldreg->type & ARM_CP_OVERRIDE)) {
3765 fprintf(stderr, "Register redefined: cp=%d %d bit "
3766 "crn=%d crm=%d opc1=%d opc2=%d, "
3767 "was %s, now %s\n", r2->cp, 32 + 32 * is64,
3768 r2->crn, r2->crm, r2->opc1, r2->opc2,
3769 oldreg->name, r2->name);
3770 g_assert_not_reached();
3773 g_hash_table_insert(cpu->cp_regs, key, r2);
3777 void define_one_arm_cp_reg_with_opaque(ARMCPU *cpu,
3778 const ARMCPRegInfo *r, void *opaque)
3780 /* Define implementations of coprocessor registers.
3781 * We store these in a hashtable because typically
3782 * there are less than 150 registers in a space which
3783 * is 16*16*16*8*8 = 262144 in size.
3784 * Wildcarding is supported for the crm, opc1 and opc2 fields.
3785 * If a register is defined twice then the second definition is
3786 * used, so this can be used to define some generic registers and
3787 * then override them with implementation specific variations.
3788 * At least one of the original and the second definition should
3789 * include ARM_CP_OVERRIDE in its type bits -- this is just a guard
3790 * against accidental use.
3792 * The state field defines whether the register is to be
3793 * visible in the AArch32 or AArch64 execution state. If the
3794 * state is set to ARM_CP_STATE_BOTH then we synthesise a
3795 * reginfo structure for the AArch32 view, which sees the lower
3796 * 32 bits of the 64 bit register.
3798 * Only registers visible in AArch64 may set r->opc0; opc0 cannot
3799 * be wildcarded. AArch64 registers are always considered to be 64
3800 * bits; the ARM_CP_64BIT* flag applies only to the AArch32 view of
3801 * the register, if any.
3803 int crm, opc1, opc2, state;
3804 int crmmin = (r->crm == CP_ANY) ? 0 : r->crm;
3805 int crmmax = (r->crm == CP_ANY) ? 15 : r->crm;
3806 int opc1min = (r->opc1 == CP_ANY) ? 0 : r->opc1;
3807 int opc1max = (r->opc1 == CP_ANY) ? 7 : r->opc1;
3808 int opc2min = (r->opc2 == CP_ANY) ? 0 : r->opc2;
3809 int opc2max = (r->opc2 == CP_ANY) ? 7 : r->opc2;
3810 /* 64 bit registers have only CRm and Opc1 fields */
3811 assert(!((r->type & ARM_CP_64BIT) && (r->opc2 || r->crn)));
3812 /* op0 only exists in the AArch64 encodings */
3813 assert((r->state != ARM_CP_STATE_AA32) || (r->opc0 == 0));
3814 /* AArch64 regs are all 64 bit so ARM_CP_64BIT is meaningless */
3815 assert((r->state != ARM_CP_STATE_AA64) || !(r->type & ARM_CP_64BIT));
3816 /* The AArch64 pseudocode CheckSystemAccess() specifies that op1
3817 * encodes a minimum access level for the register. We roll this
3818 * runtime check into our general permission check code, so check
3819 * here that the reginfo's specified permissions are strict enough
3820 * to encompass the generic architectural permission check.
3822 if (r->state != ARM_CP_STATE_AA32) {
3825 case 0: case 1: case 2:
3838 /* unallocated encoding, so not possible */
3846 /* min_EL EL1, secure mode only (we don't check the latter) */
3850 /* broken reginfo with out-of-range opc1 */
3854 /* assert our permissions are not too lax (stricter is fine) */
3855 assert((r->access & ~mask) == 0);
3858 /* Check that the register definition has enough info to handle
3859 * reads and writes if they are permitted.
3861 if (!(r->type & (ARM_CP_SPECIAL|ARM_CP_CONST))) {
3862 if (r->access & PL3_R) {
3863 assert((r->fieldoffset ||
3864 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
3867 if (r->access & PL3_W) {
3868 assert((r->fieldoffset ||
3869 (r->bank_fieldoffsets[0] && r->bank_fieldoffsets[1])) ||
3873 /* Bad type field probably means missing sentinel at end of reg list */
3874 assert(cptype_valid(r->type));
3875 for (crm = crmmin; crm <= crmmax; crm++) {
3876 for (opc1 = opc1min; opc1 <= opc1max; opc1++) {
3877 for (opc2 = opc2min; opc2 <= opc2max; opc2++) {
3878 for (state = ARM_CP_STATE_AA32;
3879 state <= ARM_CP_STATE_AA64; state++) {
3880 if (r->state != state && r->state != ARM_CP_STATE_BOTH) {
3883 if (state == ARM_CP_STATE_AA32) {
3884 /* Under AArch32 CP registers can be common
3885 * (same for secure and non-secure world) or banked.
3887 switch (r->secure) {
3888 case ARM_CP_SECSTATE_S:
3889 case ARM_CP_SECSTATE_NS:
3890 add_cpreg_to_hashtable(cpu, r, opaque, state,
3891 r->secure, crm, opc1, opc2);
3894 add_cpreg_to_hashtable(cpu, r, opaque, state,
3897 add_cpreg_to_hashtable(cpu, r, opaque, state,
3903 /* AArch64 registers get mapped to non-secure instance
3905 add_cpreg_to_hashtable(cpu, r, opaque, state,
3915 void define_arm_cp_regs_with_opaque(ARMCPU *cpu,
3916 const ARMCPRegInfo *regs, void *opaque)
3918 /* Define a whole list of registers */
3919 const ARMCPRegInfo *r;
3920 for (r = regs; r->type != ARM_CP_SENTINEL; r++) {
3921 define_one_arm_cp_reg_with_opaque(cpu, r, opaque);
3925 const ARMCPRegInfo *get_arm_cp_reginfo(GHashTable *cpregs, uint32_t encoded_cp)
3927 return g_hash_table_lookup(cpregs, &encoded_cp);
3930 void arm_cp_write_ignore(CPUARMState *env, const ARMCPRegInfo *ri,
3933 /* Helper coprocessor write function for write-ignore registers */
3936 uint64_t arm_cp_read_zero(CPUARMState *env, const ARMCPRegInfo *ri)
3938 /* Helper coprocessor write function for read-as-zero registers */
3942 void arm_cp_reset_ignore(CPUARMState *env, const ARMCPRegInfo *opaque)
3944 /* Helper coprocessor reset function for do-nothing-on-reset registers */
3947 static int bad_mode_switch(CPUARMState *env, int mode)
3949 /* Return true if it is not valid for us to switch to
3950 * this CPU mode (ie all the UNPREDICTABLE cases in
3951 * the ARM ARM CPSRWriteByInstr pseudocode).
3954 case ARM_CPU_MODE_USR:
3955 case ARM_CPU_MODE_SYS:
3956 case ARM_CPU_MODE_SVC:
3957 case ARM_CPU_MODE_ABT:
3958 case ARM_CPU_MODE_UND:
3959 case ARM_CPU_MODE_IRQ:
3960 case ARM_CPU_MODE_FIQ:
3962 case ARM_CPU_MODE_MON:
3963 return !arm_is_secure(env);
3969 uint32_t cpsr_read(CPUARMState *env)
3972 ZF = (env->ZF == 0);
3973 return env->uncached_cpsr | (env->NF & 0x80000000) | (ZF << 30) |
3974 (env->CF << 29) | ((env->VF & 0x80000000) >> 3) | (env->QF << 27)
3975 | (env->thumb << 5) | ((env->condexec_bits & 3) << 25)
3976 | ((env->condexec_bits & 0xfc) << 8)
3977 | (env->GE << 16) | (env->daif & CPSR_AIF);
3980 void cpsr_write(CPUARMState *env, uint32_t val, uint32_t mask)
3982 uint32_t changed_daif;
3984 if (mask & CPSR_NZCV) {
3985 env->ZF = (~val) & CPSR_Z;
3987 env->CF = (val >> 29) & 1;
3988 env->VF = (val << 3) & 0x80000000;
3991 env->QF = ((val & CPSR_Q) != 0);
3993 env->thumb = ((val & CPSR_T) != 0);
3994 if (mask & CPSR_IT_0_1) {
3995 env->condexec_bits &= ~3;
3996 env->condexec_bits |= (val >> 25) & 3;
3998 if (mask & CPSR_IT_2_7) {
3999 env->condexec_bits &= 3;
4000 env->condexec_bits |= (val >> 8) & 0xfc;
4002 if (mask & CPSR_GE) {
4003 env->GE = (val >> 16) & 0xf;
4006 /* In a V7 implementation that includes the security extensions but does
4007 * not include Virtualization Extensions the SCR.FW and SCR.AW bits control
4008 * whether non-secure software is allowed to change the CPSR_F and CPSR_A
4009 * bits respectively.
4011 * In a V8 implementation, it is permitted for privileged software to
4012 * change the CPSR A/F bits regardless of the SCR.AW/FW bits.
4014 if (!arm_feature(env, ARM_FEATURE_V8) &&
4015 arm_feature(env, ARM_FEATURE_EL3) &&
4016 !arm_feature(env, ARM_FEATURE_EL2) &&
4017 !arm_is_secure(env)) {
4019 changed_daif = (env->daif ^ val) & mask;
4021 if (changed_daif & CPSR_A) {
4022 /* Check to see if we are allowed to change the masking of async
4023 * abort exceptions from a non-secure state.
4025 if (!(env->cp15.scr_el3 & SCR_AW)) {
4026 qemu_log_mask(LOG_GUEST_ERROR,
4027 "Ignoring attempt to switch CPSR_A flag from "
4028 "non-secure world with SCR.AW bit clear\n");
4033 if (changed_daif & CPSR_F) {
4034 /* Check to see if we are allowed to change the masking of FIQ
4035 * exceptions from a non-secure state.
4037 if (!(env->cp15.scr_el3 & SCR_FW)) {
4038 qemu_log_mask(LOG_GUEST_ERROR,
4039 "Ignoring attempt to switch CPSR_F flag from "
4040 "non-secure world with SCR.FW bit clear\n");
4044 /* Check whether non-maskable FIQ (NMFI) support is enabled.
4045 * If this bit is set software is not allowed to mask
4046 * FIQs, but is allowed to set CPSR_F to 0.
4048 if ((A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_NMFI) &&
4050 qemu_log_mask(LOG_GUEST_ERROR,
4051 "Ignoring attempt to enable CPSR_F flag "
4052 "(non-maskable FIQ [NMFI] support enabled)\n");
4058 env->daif &= ~(CPSR_AIF & mask);
4059 env->daif |= val & CPSR_AIF & mask;
4061 if ((env->uncached_cpsr ^ val) & mask & CPSR_M) {
4062 if (bad_mode_switch(env, val & CPSR_M)) {
4063 /* Attempt to switch to an invalid mode: this is UNPREDICTABLE.
4064 * We choose to ignore the attempt and leave the CPSR M field
4069 switch_mode(env, val & CPSR_M);
4072 mask &= ~CACHED_CPSR_BITS;
4073 env->uncached_cpsr = (env->uncached_cpsr & ~mask) | (val & mask);
4076 /* Sign/zero extend */
4077 uint32_t HELPER(sxtb16)(uint32_t x)
4080 res = (uint16_t)(int8_t)x;
4081 res |= (uint32_t)(int8_t)(x >> 16) << 16;
4085 uint32_t HELPER(uxtb16)(uint32_t x)
4088 res = (uint16_t)(uint8_t)x;
4089 res |= (uint32_t)(uint8_t)(x >> 16) << 16;
4093 uint32_t HELPER(clz)(uint32_t x)
4098 int32_t HELPER(sdiv)(int32_t num, int32_t den)
4102 if (num == INT_MIN && den == -1)
4107 uint32_t HELPER(udiv)(uint32_t num, uint32_t den)
4114 uint32_t HELPER(rbit)(uint32_t x)
4116 x = ((x & 0xff000000) >> 24)
4117 | ((x & 0x00ff0000) >> 8)
4118 | ((x & 0x0000ff00) << 8)
4119 | ((x & 0x000000ff) << 24);
4120 x = ((x & 0xf0f0f0f0) >> 4)
4121 | ((x & 0x0f0f0f0f) << 4);
4122 x = ((x & 0x88888888) >> 3)
4123 | ((x & 0x44444444) >> 1)
4124 | ((x & 0x22222222) << 1)
4125 | ((x & 0x11111111) << 3);
4129 #if defined(CONFIG_USER_ONLY)
4131 /* These should probably raise undefined insn exceptions. */
4132 void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
4134 ARMCPU *cpu = arm_env_get_cpu(env);
4136 cpu_abort(CPU(cpu), "v7m_msr %d\n", reg);
4139 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
4141 ARMCPU *cpu = arm_env_get_cpu(env);
4143 cpu_abort(CPU(cpu), "v7m_mrs %d\n", reg);
4147 void switch_mode(CPUARMState *env, int mode)
4149 ARMCPU *cpu = arm_env_get_cpu(env);
4151 if (mode != ARM_CPU_MODE_USR) {
4152 cpu_abort(CPU(cpu), "Tried to switch out of user mode\n");
4156 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
4158 ARMCPU *cpu = arm_env_get_cpu(env);
4160 cpu_abort(CPU(cpu), "banked r13 write\n");
4163 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
4165 ARMCPU *cpu = arm_env_get_cpu(env);
4167 cpu_abort(CPU(cpu), "banked r13 read\n");
4171 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
4172 uint32_t cur_el, bool secure)
4177 void aarch64_sync_64_to_32(CPUARMState *env)
4179 g_assert_not_reached();
4184 /* Map CPU modes onto saved register banks. */
4185 int bank_number(int mode)
4188 case ARM_CPU_MODE_USR:
4189 case ARM_CPU_MODE_SYS:
4191 case ARM_CPU_MODE_SVC:
4193 case ARM_CPU_MODE_ABT:
4195 case ARM_CPU_MODE_UND:
4197 case ARM_CPU_MODE_IRQ:
4199 case ARM_CPU_MODE_FIQ:
4201 case ARM_CPU_MODE_HYP:
4203 case ARM_CPU_MODE_MON:
4206 hw_error("bank number requested for bad CPSR mode value 0x%x\n", mode);
4209 void switch_mode(CPUARMState *env, int mode)
4214 old_mode = env->uncached_cpsr & CPSR_M;
4215 if (mode == old_mode)
4218 if (old_mode == ARM_CPU_MODE_FIQ) {
4219 memcpy (env->fiq_regs, env->regs + 8, 5 * sizeof(uint32_t));
4220 memcpy (env->regs + 8, env->usr_regs, 5 * sizeof(uint32_t));
4221 } else if (mode == ARM_CPU_MODE_FIQ) {
4222 memcpy (env->usr_regs, env->regs + 8, 5 * sizeof(uint32_t));
4223 memcpy (env->regs + 8, env->fiq_regs, 5 * sizeof(uint32_t));
4226 i = bank_number(old_mode);
4227 env->banked_r13[i] = env->regs[13];
4228 env->banked_r14[i] = env->regs[14];
4229 env->banked_spsr[i] = env->spsr;
4231 i = bank_number(mode);
4232 env->regs[13] = env->banked_r13[i];
4233 env->regs[14] = env->banked_r14[i];
4234 env->spsr = env->banked_spsr[i];
4237 /* Physical Interrupt Target EL Lookup Table
4239 * [ From ARM ARM section G1.13.4 (Table G1-15) ]
4241 * The below multi-dimensional table is used for looking up the target
4242 * exception level given numerous condition criteria. Specifically, the
4243 * target EL is based on SCR and HCR routing controls as well as the
4244 * currently executing EL and secure state.
4247 * target_el_table[2][2][2][2][2][4]
4248 * | | | | | +--- Current EL
4249 * | | | | +------ Non-secure(0)/Secure(1)
4250 * | | | +--------- HCR mask override
4251 * | | +------------ SCR exec state control
4252 * | +--------------- SCR mask override
4253 * +------------------ 32-bit(0)/64-bit(1) EL3
4255 * The table values are as such:
4259 * The ARM ARM target EL table includes entries indicating that an "exception
4260 * is not taken". The two cases where this is applicable are:
4261 * 1) An exception is taken from EL3 but the SCR does not have the exception
4263 * 2) An exception is taken from EL2 but the HCR does not have the exception
4265 * In these two cases, the below table contain a target of EL1. This value is
4266 * returned as it is expected that the consumer of the table data will check
4267 * for "target EL >= current EL" to ensure the exception is not taken.
4271 * BIT IRQ IMO Non-secure Secure
4272 * EL3 FIQ RW FMO EL0 EL1 EL2 EL3 EL0 EL1 EL2 EL3
4274 const int8_t target_el_table[2][2][2][2][2][4] = {
4275 {{{{/* 0 0 0 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },},
4276 {/* 0 0 0 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},},
4277 {{/* 0 0 1 0 */{ 1, 1, 2, -1 },{ 3, -1, -1, 3 },},
4278 {/* 0 0 1 1 */{ 2, 2, 2, -1 },{ 3, -1, -1, 3 },},},},
4279 {{{/* 0 1 0 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},
4280 {/* 0 1 0 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},},
4281 {{/* 0 1 1 0 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},
4282 {/* 0 1 1 1 */{ 3, 3, 3, -1 },{ 3, -1, -1, 3 },},},},},
4283 {{{{/* 1 0 0 0 */{ 1, 1, 2, -1 },{ 1, 1, -1, 1 },},
4284 {/* 1 0 0 1 */{ 2, 2, 2, -1 },{ 1, 1, -1, 1 },},},
4285 {{/* 1 0 1 0 */{ 1, 1, 1, -1 },{ 1, 1, -1, 1 },},
4286 {/* 1 0 1 1 */{ 2, 2, 2, -1 },{ 1, 1, -1, 1 },},},},
4287 {{{/* 1 1 0 0 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},
4288 {/* 1 1 0 1 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},},
4289 {{/* 1 1 1 0 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},
4290 {/* 1 1 1 1 */{ 3, 3, 3, -1 },{ 3, 3, -1, 3 },},},},},
4294 * Determine the target EL for physical exceptions
4296 uint32_t arm_phys_excp_target_el(CPUState *cs, uint32_t excp_idx,
4297 uint32_t cur_el, bool secure)
4299 CPUARMState *env = cs->env_ptr;
4300 int rw = ((env->cp15.scr_el3 & SCR_RW) == SCR_RW);
4304 int is64 = arm_el_is_aa64(env, 3);
4308 scr = ((env->cp15.scr_el3 & SCR_IRQ) == SCR_IRQ);
4309 hcr = ((env->cp15.hcr_el2 & HCR_IMO) == HCR_IMO);
4312 scr = ((env->cp15.scr_el3 & SCR_FIQ) == SCR_FIQ);
4313 hcr = ((env->cp15.hcr_el2 & HCR_FMO) == HCR_FMO);
4316 scr = ((env->cp15.scr_el3 & SCR_EA) == SCR_EA);
4317 hcr = ((env->cp15.hcr_el2 & HCR_AMO) == HCR_AMO);
4321 /* If HCR.TGE is set then HCR is treated as being 1 */
4322 hcr |= ((env->cp15.hcr_el2 & HCR_TGE) == HCR_TGE);
4324 /* Perform a table-lookup for the target EL given the current state */
4325 target_el = target_el_table[is64][scr][rw][hcr][secure][cur_el];
4327 assert(target_el > 0);
4332 static void v7m_push(CPUARMState *env, uint32_t val)
4334 CPUState *cs = CPU(arm_env_get_cpu(env));
4337 stl_phys(cs->as, env->regs[13], val);
4340 static uint32_t v7m_pop(CPUARMState *env)
4342 CPUState *cs = CPU(arm_env_get_cpu(env));
4345 val = ldl_phys(cs->as, env->regs[13]);
4350 /* Switch to V7M main or process stack pointer. */
4351 static void switch_v7m_sp(CPUARMState *env, int process)
4354 if (env->v7m.current_sp != process) {
4355 tmp = env->v7m.other_sp;
4356 env->v7m.other_sp = env->regs[13];
4357 env->regs[13] = tmp;
4358 env->v7m.current_sp = process;
4362 static void do_v7m_exception_exit(CPUARMState *env)
4367 type = env->regs[15];
4368 if (env->v7m.exception != 0)
4369 armv7m_nvic_complete_irq(env->nvic, env->v7m.exception);
4371 /* Switch to the target stack. */
4372 switch_v7m_sp(env, (type & 4) != 0);
4373 /* Pop registers. */
4374 env->regs[0] = v7m_pop(env);
4375 env->regs[1] = v7m_pop(env);
4376 env->regs[2] = v7m_pop(env);
4377 env->regs[3] = v7m_pop(env);
4378 env->regs[12] = v7m_pop(env);
4379 env->regs[14] = v7m_pop(env);
4380 env->regs[15] = v7m_pop(env);
4381 if (env->regs[15] & 1) {
4382 qemu_log_mask(LOG_GUEST_ERROR,
4383 "M profile return from interrupt with misaligned "
4384 "PC is UNPREDICTABLE\n");
4385 /* Actual hardware seems to ignore the lsbit, and there are several
4386 * RTOSes out there which incorrectly assume the r15 in the stack
4387 * frame should be a Thumb-style "lsbit indicates ARM/Thumb" value.
4389 env->regs[15] &= ~1U;
4391 xpsr = v7m_pop(env);
4392 xpsr_write(env, xpsr, 0xfffffdff);
4393 /* Undo stack alignment. */
4396 /* ??? The exception return type specifies Thread/Handler mode. However
4397 this is also implied by the xPSR value. Not sure what to do
4398 if there is a mismatch. */
4399 /* ??? Likewise for mismatches between the CONTROL register and the stack
4403 void arm_v7m_cpu_do_interrupt(CPUState *cs)
4405 ARMCPU *cpu = ARM_CPU(cs);
4406 CPUARMState *env = &cpu->env;
4407 uint32_t xpsr = xpsr_read(env);
4411 arm_log_exception(cs->exception_index);
4414 if (env->v7m.current_sp)
4416 if (env->v7m.exception == 0)
4419 /* For exceptions we just mark as pending on the NVIC, and let that
4421 /* TODO: Need to escalate if the current priority is higher than the
4422 one we're raising. */
4423 switch (cs->exception_index) {
4425 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_USAGE);
4428 /* The PC already points to the next instruction. */
4429 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_SVC);
4431 case EXCP_PREFETCH_ABORT:
4432 case EXCP_DATA_ABORT:
4433 /* TODO: if we implemented the MPU registers, this is where we
4434 * should set the MMFAR, etc from exception.fsr and exception.vaddress.
4436 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_MEM);
4439 if (semihosting_enabled) {
4441 nr = arm_lduw_code(env, env->regs[15], env->bswap_code) & 0xff;
4444 env->regs[0] = do_arm_semihosting(env);
4445 qemu_log_mask(CPU_LOG_INT, "...handled as semihosting call\n");
4449 armv7m_nvic_set_pending(env->nvic, ARMV7M_EXCP_DEBUG);
4452 env->v7m.exception = armv7m_nvic_acknowledge_irq(env->nvic);
4454 case EXCP_EXCEPTION_EXIT:
4455 do_v7m_exception_exit(env);
4458 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
4459 return; /* Never happens. Keep compiler happy. */
4462 /* Align stack pointer. */
4463 /* ??? Should only do this if Configuration Control Register
4464 STACKALIGN bit is set. */
4465 if (env->regs[13] & 4) {
4469 /* Switch to the handler mode. */
4470 v7m_push(env, xpsr);
4471 v7m_push(env, env->regs[15]);
4472 v7m_push(env, env->regs[14]);
4473 v7m_push(env, env->regs[12]);
4474 v7m_push(env, env->regs[3]);
4475 v7m_push(env, env->regs[2]);
4476 v7m_push(env, env->regs[1]);
4477 v7m_push(env, env->regs[0]);
4478 switch_v7m_sp(env, 0);
4480 env->condexec_bits = 0;
4482 addr = ldl_phys(cs->as, env->v7m.vecbase + env->v7m.exception * 4);
4483 env->regs[15] = addr & 0xfffffffe;
4484 env->thumb = addr & 1;
4487 /* Function used to synchronize QEMU's AArch64 register set with AArch32
4488 * register set. This is necessary when switching between AArch32 and AArch64
4491 void aarch64_sync_32_to_64(CPUARMState *env)
4494 uint32_t mode = env->uncached_cpsr & CPSR_M;
4496 /* We can blanket copy R[0:7] to X[0:7] */
4497 for (i = 0; i < 8; i++) {
4498 env->xregs[i] = env->regs[i];
4501 /* Unless we are in FIQ mode, x8-x12 come from the user registers r8-r12.
4502 * Otherwise, they come from the banked user regs.
4504 if (mode == ARM_CPU_MODE_FIQ) {
4505 for (i = 8; i < 13; i++) {
4506 env->xregs[i] = env->usr_regs[i - 8];
4509 for (i = 8; i < 13; i++) {
4510 env->xregs[i] = env->regs[i];
4514 /* Registers x13-x23 are the various mode SP and FP registers. Registers
4515 * r13 and r14 are only copied if we are in that mode, otherwise we copy
4516 * from the mode banked register.
4518 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
4519 env->xregs[13] = env->regs[13];
4520 env->xregs[14] = env->regs[14];
4522 env->xregs[13] = env->banked_r13[bank_number(ARM_CPU_MODE_USR)];
4523 /* HYP is an exception in that it is copied from r14 */
4524 if (mode == ARM_CPU_MODE_HYP) {
4525 env->xregs[14] = env->regs[14];
4527 env->xregs[14] = env->banked_r14[bank_number(ARM_CPU_MODE_USR)];
4531 if (mode == ARM_CPU_MODE_HYP) {
4532 env->xregs[15] = env->regs[13];
4534 env->xregs[15] = env->banked_r13[bank_number(ARM_CPU_MODE_HYP)];
4537 if (mode == ARM_CPU_MODE_IRQ) {
4538 env->xregs[16] = env->regs[13];
4539 env->xregs[17] = env->regs[14];
4541 env->xregs[16] = env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)];
4542 env->xregs[17] = env->banked_r14[bank_number(ARM_CPU_MODE_IRQ)];
4545 if (mode == ARM_CPU_MODE_SVC) {
4546 env->xregs[18] = env->regs[13];
4547 env->xregs[19] = env->regs[14];
4549 env->xregs[18] = env->banked_r13[bank_number(ARM_CPU_MODE_SVC)];
4550 env->xregs[19] = env->banked_r14[bank_number(ARM_CPU_MODE_SVC)];
4553 if (mode == ARM_CPU_MODE_ABT) {
4554 env->xregs[20] = env->regs[13];
4555 env->xregs[21] = env->regs[14];
4557 env->xregs[20] = env->banked_r13[bank_number(ARM_CPU_MODE_ABT)];
4558 env->xregs[21] = env->banked_r14[bank_number(ARM_CPU_MODE_ABT)];
4561 if (mode == ARM_CPU_MODE_UND) {
4562 env->xregs[22] = env->regs[13];
4563 env->xregs[23] = env->regs[14];
4565 env->xregs[22] = env->banked_r13[bank_number(ARM_CPU_MODE_UND)];
4566 env->xregs[23] = env->banked_r14[bank_number(ARM_CPU_MODE_UND)];
4569 /* Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ
4570 * mode, then we can copy from r8-r14. Otherwise, we copy from the
4571 * FIQ bank for r8-r14.
4573 if (mode == ARM_CPU_MODE_FIQ) {
4574 for (i = 24; i < 31; i++) {
4575 env->xregs[i] = env->regs[i - 16]; /* X[24:30] <- R[8:14] */
4578 for (i = 24; i < 29; i++) {
4579 env->xregs[i] = env->fiq_regs[i - 24];
4581 env->xregs[29] = env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)];
4582 env->xregs[30] = env->banked_r14[bank_number(ARM_CPU_MODE_FIQ)];
4585 env->pc = env->regs[15];
4588 /* Function used to synchronize QEMU's AArch32 register set with AArch64
4589 * register set. This is necessary when switching between AArch32 and AArch64
4592 void aarch64_sync_64_to_32(CPUARMState *env)
4595 uint32_t mode = env->uncached_cpsr & CPSR_M;
4597 /* We can blanket copy X[0:7] to R[0:7] */
4598 for (i = 0; i < 8; i++) {
4599 env->regs[i] = env->xregs[i];
4602 /* Unless we are in FIQ mode, r8-r12 come from the user registers x8-x12.
4603 * Otherwise, we copy x8-x12 into the banked user regs.
4605 if (mode == ARM_CPU_MODE_FIQ) {
4606 for (i = 8; i < 13; i++) {
4607 env->usr_regs[i - 8] = env->xregs[i];
4610 for (i = 8; i < 13; i++) {
4611 env->regs[i] = env->xregs[i];
4615 /* Registers r13 & r14 depend on the current mode.
4616 * If we are in a given mode, we copy the corresponding x registers to r13
4617 * and r14. Otherwise, we copy the x register to the banked r13 and r14
4620 if (mode == ARM_CPU_MODE_USR || mode == ARM_CPU_MODE_SYS) {
4621 env->regs[13] = env->xregs[13];
4622 env->regs[14] = env->xregs[14];
4624 env->banked_r13[bank_number(ARM_CPU_MODE_USR)] = env->xregs[13];
4626 /* HYP is an exception in that it does not have its own banked r14 but
4627 * shares the USR r14
4629 if (mode == ARM_CPU_MODE_HYP) {
4630 env->regs[14] = env->xregs[14];
4632 env->banked_r14[bank_number(ARM_CPU_MODE_USR)] = env->xregs[14];
4636 if (mode == ARM_CPU_MODE_HYP) {
4637 env->regs[13] = env->xregs[15];
4639 env->banked_r13[bank_number(ARM_CPU_MODE_HYP)] = env->xregs[15];
4642 if (mode == ARM_CPU_MODE_IRQ) {
4643 env->regs[13] = env->xregs[16];
4644 env->regs[14] = env->xregs[17];
4646 env->banked_r13[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[16];
4647 env->banked_r14[bank_number(ARM_CPU_MODE_IRQ)] = env->xregs[17];
4650 if (mode == ARM_CPU_MODE_SVC) {
4651 env->regs[13] = env->xregs[18];
4652 env->regs[14] = env->xregs[19];
4654 env->banked_r13[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[18];
4655 env->banked_r14[bank_number(ARM_CPU_MODE_SVC)] = env->xregs[19];
4658 if (mode == ARM_CPU_MODE_ABT) {
4659 env->regs[13] = env->xregs[20];
4660 env->regs[14] = env->xregs[21];
4662 env->banked_r13[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[20];
4663 env->banked_r14[bank_number(ARM_CPU_MODE_ABT)] = env->xregs[21];
4666 if (mode == ARM_CPU_MODE_UND) {
4667 env->regs[13] = env->xregs[22];
4668 env->regs[14] = env->xregs[23];
4670 env->banked_r13[bank_number(ARM_CPU_MODE_UND)] = env->xregs[22];
4671 env->banked_r14[bank_number(ARM_CPU_MODE_UND)] = env->xregs[23];
4674 /* Registers x24-x30 are mapped to r8-r14 in FIQ mode. If we are in FIQ
4675 * mode, then we can copy to r8-r14. Otherwise, we copy to the
4676 * FIQ bank for r8-r14.
4678 if (mode == ARM_CPU_MODE_FIQ) {
4679 for (i = 24; i < 31; i++) {
4680 env->regs[i - 16] = env->xregs[i]; /* X[24:30] -> R[8:14] */
4683 for (i = 24; i < 29; i++) {
4684 env->fiq_regs[i - 24] = env->xregs[i];
4686 env->banked_r13[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[29];
4687 env->banked_r14[bank_number(ARM_CPU_MODE_FIQ)] = env->xregs[30];
4690 env->regs[15] = env->pc;
4693 /* Handle a CPU exception. */
4694 void arm_cpu_do_interrupt(CPUState *cs)
4696 ARMCPU *cpu = ARM_CPU(cs);
4697 CPUARMState *env = &cpu->env;
4706 arm_log_exception(cs->exception_index);
4708 if (arm_is_psci_call(cpu, cs->exception_index)) {
4709 arm_handle_psci_call(cpu);
4710 qemu_log_mask(CPU_LOG_INT, "...handled as PSCI call\n");
4714 /* If this is a debug exception we must update the DBGDSCR.MOE bits */
4715 switch (env->exception.syndrome >> ARM_EL_EC_SHIFT) {
4717 case EC_BREAKPOINT_SAME_EL:
4721 case EC_WATCHPOINT_SAME_EL:
4727 case EC_VECTORCATCH:
4736 env->cp15.mdscr_el1 = deposit64(env->cp15.mdscr_el1, 2, 4, moe);
4739 /* TODO: Vectored interrupt controller. */
4740 switch (cs->exception_index) {
4742 new_mode = ARM_CPU_MODE_UND;
4751 if (semihosting_enabled) {
4752 /* Check for semihosting interrupt. */
4754 mask = arm_lduw_code(env, env->regs[15] - 2, env->bswap_code)
4757 mask = arm_ldl_code(env, env->regs[15] - 4, env->bswap_code)
4760 /* Only intercept calls from privileged modes, to provide some
4761 semblance of security. */
4762 if (((mask == 0x123456 && !env->thumb)
4763 || (mask == 0xab && env->thumb))
4764 && (env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR) {
4765 env->regs[0] = do_arm_semihosting(env);
4766 qemu_log_mask(CPU_LOG_INT, "...handled as semihosting call\n");
4770 new_mode = ARM_CPU_MODE_SVC;
4773 /* The PC already points to the next instruction. */
4777 /* See if this is a semihosting syscall. */
4778 if (env->thumb && semihosting_enabled) {
4779 mask = arm_lduw_code(env, env->regs[15], env->bswap_code) & 0xff;
4781 && (env->uncached_cpsr & CPSR_M) != ARM_CPU_MODE_USR) {
4783 env->regs[0] = do_arm_semihosting(env);
4784 qemu_log_mask(CPU_LOG_INT, "...handled as semihosting call\n");
4788 env->exception.fsr = 2;
4789 /* Fall through to prefetch abort. */
4790 case EXCP_PREFETCH_ABORT:
4791 A32_BANKED_CURRENT_REG_SET(env, ifsr, env->exception.fsr);
4792 A32_BANKED_CURRENT_REG_SET(env, ifar, env->exception.vaddress);
4793 qemu_log_mask(CPU_LOG_INT, "...with IFSR 0x%x IFAR 0x%x\n",
4794 env->exception.fsr, (uint32_t)env->exception.vaddress);
4795 new_mode = ARM_CPU_MODE_ABT;
4797 mask = CPSR_A | CPSR_I;
4800 case EXCP_DATA_ABORT:
4801 A32_BANKED_CURRENT_REG_SET(env, dfsr, env->exception.fsr);
4802 A32_BANKED_CURRENT_REG_SET(env, dfar, env->exception.vaddress);
4803 qemu_log_mask(CPU_LOG_INT, "...with DFSR 0x%x DFAR 0x%x\n",
4805 (uint32_t)env->exception.vaddress);
4806 new_mode = ARM_CPU_MODE_ABT;
4808 mask = CPSR_A | CPSR_I;
4812 new_mode = ARM_CPU_MODE_IRQ;
4814 /* Disable IRQ and imprecise data aborts. */
4815 mask = CPSR_A | CPSR_I;
4817 if (env->cp15.scr_el3 & SCR_IRQ) {
4818 /* IRQ routed to monitor mode */
4819 new_mode = ARM_CPU_MODE_MON;
4824 new_mode = ARM_CPU_MODE_FIQ;
4826 /* Disable FIQ, IRQ and imprecise data aborts. */
4827 mask = CPSR_A | CPSR_I | CPSR_F;
4828 if (env->cp15.scr_el3 & SCR_FIQ) {
4829 /* FIQ routed to monitor mode */
4830 new_mode = ARM_CPU_MODE_MON;
4835 new_mode = ARM_CPU_MODE_MON;
4837 mask = CPSR_A | CPSR_I | CPSR_F;
4841 cpu_abort(cs, "Unhandled exception 0x%x\n", cs->exception_index);
4842 return; /* Never happens. Keep compiler happy. */
4845 if (new_mode == ARM_CPU_MODE_MON) {
4846 addr += env->cp15.mvbar;
4847 } else if (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_V) {
4848 /* High vectors. When enabled, base address cannot be remapped. */
4851 /* ARM v7 architectures provide a vector base address register to remap
4852 * the interrupt vector table.
4853 * This register is only followed in non-monitor mode, and is banked.
4854 * Note: only bits 31:5 are valid.
4856 addr += A32_BANKED_CURRENT_REG_GET(env, vbar);
4859 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_MON) {
4860 env->cp15.scr_el3 &= ~SCR_NS;
4863 switch_mode (env, new_mode);
4864 /* For exceptions taken to AArch32 we must clear the SS bit in both
4865 * PSTATE and in the old-state value we save to SPSR_<mode>, so zero it now.
4867 env->uncached_cpsr &= ~PSTATE_SS;
4868 env->spsr = cpsr_read(env);
4869 /* Clear IT bits. */
4870 env->condexec_bits = 0;
4871 /* Switch to the new mode, and to the correct instruction set. */
4872 env->uncached_cpsr = (env->uncached_cpsr & ~CPSR_M) | new_mode;
4874 /* this is a lie, as the was no c1_sys on V4T/V5, but who cares
4875 * and we should just guard the thumb mode on V4 */
4876 if (arm_feature(env, ARM_FEATURE_V4T)) {
4877 env->thumb = (A32_BANKED_CURRENT_REG_GET(env, sctlr) & SCTLR_TE) != 0;
4879 env->regs[14] = env->regs[15] + offset;
4880 env->regs[15] = addr;
4881 cs->interrupt_request |= CPU_INTERRUPT_EXITTB;
4885 /* Return the exception level which controls this address translation regime */
4886 static inline uint32_t regime_el(CPUARMState *env, ARMMMUIdx mmu_idx)
4889 case ARMMMUIdx_S2NS:
4890 case ARMMMUIdx_S1E2:
4892 case ARMMMUIdx_S1E3:
4894 case ARMMMUIdx_S1SE0:
4895 return arm_el_is_aa64(env, 3) ? 1 : 3;
4896 case ARMMMUIdx_S1SE1:
4897 case ARMMMUIdx_S1NSE0:
4898 case ARMMMUIdx_S1NSE1:
4901 g_assert_not_reached();
4905 /* Return true if this address translation regime is secure */
4906 static inline bool regime_is_secure(CPUARMState *env, ARMMMUIdx mmu_idx)
4909 case ARMMMUIdx_S12NSE0:
4910 case ARMMMUIdx_S12NSE1:
4911 case ARMMMUIdx_S1NSE0:
4912 case ARMMMUIdx_S1NSE1:
4913 case ARMMMUIdx_S1E2:
4914 case ARMMMUIdx_S2NS:
4916 case ARMMMUIdx_S1E3:
4917 case ARMMMUIdx_S1SE0:
4918 case ARMMMUIdx_S1SE1:
4921 g_assert_not_reached();
4925 /* Return the SCTLR value which controls this address translation regime */
4926 static inline uint32_t regime_sctlr(CPUARMState *env, ARMMMUIdx mmu_idx)
4928 return env->cp15.sctlr_el[regime_el(env, mmu_idx)];
4931 /* Return true if the specified stage of address translation is disabled */
4932 static inline bool regime_translation_disabled(CPUARMState *env,
4935 if (mmu_idx == ARMMMUIdx_S2NS) {
4936 return (env->cp15.hcr_el2 & HCR_VM) == 0;
4938 return (regime_sctlr(env, mmu_idx) & SCTLR_M) == 0;
4941 /* Return the TCR controlling this translation regime */
4942 static inline TCR *regime_tcr(CPUARMState *env, ARMMMUIdx mmu_idx)
4944 if (mmu_idx == ARMMMUIdx_S2NS) {
4945 /* TODO: return VTCR_EL2 */
4946 g_assert_not_reached();
4948 return &env->cp15.tcr_el[regime_el(env, mmu_idx)];
4951 /* Return the TTBR associated with this translation regime */
4952 static inline uint64_t regime_ttbr(CPUARMState *env, ARMMMUIdx mmu_idx,
4955 if (mmu_idx == ARMMMUIdx_S2NS) {
4956 /* TODO: return VTTBR_EL2 */
4957 g_assert_not_reached();
4960 return env->cp15.ttbr0_el[regime_el(env, mmu_idx)];
4962 return env->cp15.ttbr1_el[regime_el(env, mmu_idx)];
4966 /* Return true if the translation regime is using LPAE format page tables */
4967 static inline bool regime_using_lpae_format(CPUARMState *env,
4970 int el = regime_el(env, mmu_idx);
4971 if (el == 2 || arm_el_is_aa64(env, el)) {
4974 if (arm_feature(env, ARM_FEATURE_LPAE)
4975 && (regime_tcr(env, mmu_idx)->raw_tcr & TTBCR_EAE)) {
4981 static inline bool regime_is_user(CPUARMState *env, ARMMMUIdx mmu_idx)
4984 case ARMMMUIdx_S1SE0:
4985 case ARMMMUIdx_S1NSE0:
4989 case ARMMMUIdx_S12NSE0:
4990 case ARMMMUIdx_S12NSE1:
4991 g_assert_not_reached();
4995 /* Translate section/page access permissions to page
4996 * R/W protection flags
4999 * @mmu_idx: MMU index indicating required translation regime
5000 * @ap: The 3-bit access permissions (AP[2:0])
5001 * @domain_prot: The 2-bit domain access permissions
5003 static inline int ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx,
5004 int ap, int domain_prot)
5006 bool is_user = regime_is_user(env, mmu_idx);
5008 if (domain_prot == 3) {
5009 return PAGE_READ | PAGE_WRITE;
5014 if (arm_feature(env, ARM_FEATURE_V7)) {
5017 switch (regime_sctlr(env, mmu_idx) & (SCTLR_S | SCTLR_R)) {
5019 return is_user ? 0 : PAGE_READ;
5026 return is_user ? 0 : PAGE_READ | PAGE_WRITE;
5031 return PAGE_READ | PAGE_WRITE;
5034 return PAGE_READ | PAGE_WRITE;
5035 case 4: /* Reserved. */
5038 return is_user ? 0 : PAGE_READ;
5042 if (!arm_feature(env, ARM_FEATURE_V6K)) {
5047 g_assert_not_reached();
5051 /* Translate section/page access permissions to page
5052 * R/W protection flags.
5054 * @ap: The 2-bit simple AP (AP[2:1])
5055 * @is_user: TRUE if accessing from PL0
5057 static inline int simple_ap_to_rw_prot_is_user(int ap, bool is_user)
5061 return is_user ? 0 : PAGE_READ | PAGE_WRITE;
5063 return PAGE_READ | PAGE_WRITE;
5065 return is_user ? 0 : PAGE_READ;
5069 g_assert_not_reached();
5074 simple_ap_to_rw_prot(CPUARMState *env, ARMMMUIdx mmu_idx, int ap)
5076 return simple_ap_to_rw_prot_is_user(ap, regime_is_user(env, mmu_idx));
5079 /* Translate section/page access permissions to protection flags
5082 * @mmu_idx: MMU index indicating required translation regime
5083 * @is_aa64: TRUE if AArch64
5084 * @ap: The 2-bit simple AP (AP[2:1])
5085 * @ns: NS (non-secure) bit
5086 * @xn: XN (execute-never) bit
5087 * @pxn: PXN (privileged execute-never) bit
5089 static int get_S1prot(CPUARMState *env, ARMMMUIdx mmu_idx, bool is_aa64,
5090 int ap, int ns, int xn, int pxn)
5092 bool is_user = regime_is_user(env, mmu_idx);
5093 int prot_rw, user_rw;
5097 assert(mmu_idx != ARMMMUIdx_S2NS);
5099 user_rw = simple_ap_to_rw_prot_is_user(ap, true);
5103 prot_rw = simple_ap_to_rw_prot_is_user(ap, false);
5106 if (ns && arm_is_secure(env) && (env->cp15.scr_el3 & SCR_SIF)) {
5110 /* TODO have_wxn should be replaced with
5111 * ARM_FEATURE_V8 || (ARM_FEATURE_V7 && ARM_FEATURE_EL2)
5112 * when ARM_FEATURE_EL2 starts getting set. For now we assume all LPAE
5113 * compatible processors have EL2, which is required for [U]WXN.
5115 have_wxn = arm_feature(env, ARM_FEATURE_LPAE);
5118 wxn = regime_sctlr(env, mmu_idx) & SCTLR_WXN;
5122 switch (regime_el(env, mmu_idx)) {
5125 xn = pxn || (user_rw & PAGE_WRITE);
5132 } else if (arm_feature(env, ARM_FEATURE_V7)) {
5133 switch (regime_el(env, mmu_idx)) {
5137 xn = xn || !(user_rw & PAGE_READ);
5141 uwxn = regime_sctlr(env, mmu_idx) & SCTLR_UWXN;
5143 xn = xn || !(prot_rw & PAGE_READ) || pxn ||
5144 (uwxn && (user_rw & PAGE_WRITE));
5154 if (xn || (wxn && (prot_rw & PAGE_WRITE))) {
5157 return prot_rw | PAGE_EXEC;
5160 static bool get_level1_table_address(CPUARMState *env, ARMMMUIdx mmu_idx,
5161 uint32_t *table, uint32_t address)
5163 /* Note that we can only get here for an AArch32 PL0/PL1 lookup */
5164 TCR *tcr = regime_tcr(env, mmu_idx);
5166 if (address & tcr->mask) {
5167 if (tcr->raw_tcr & TTBCR_PD1) {
5168 /* Translation table walk disabled for TTBR1 */
5171 *table = regime_ttbr(env, mmu_idx, 1) & 0xffffc000;
5173 if (tcr->raw_tcr & TTBCR_PD0) {
5174 /* Translation table walk disabled for TTBR0 */
5177 *table = regime_ttbr(env, mmu_idx, 0) & tcr->base_mask;
5179 *table |= (address >> 18) & 0x3ffc;
5183 /* All loads done in the course of a page table walk go through here.
5184 * TODO: rather than ignoring errors from physical memory reads (which
5185 * are external aborts in ARM terminology) we should propagate this
5186 * error out so that we can turn it into a Data Abort if this walk
5187 * was being done for a CPU load/store or an address translation instruction
5188 * (but not if it was for a debug access).
5190 static uint32_t arm_ldl_ptw(CPUState *cs, hwaddr addr, bool is_secure)
5192 MemTxAttrs attrs = {};
5194 attrs.secure = is_secure;
5195 return address_space_ldl(cs->as, addr, attrs, NULL);
5198 static uint64_t arm_ldq_ptw(CPUState *cs, hwaddr addr, bool is_secure)
5200 MemTxAttrs attrs = {};
5202 attrs.secure = is_secure;
5203 return address_space_ldq(cs->as, addr, attrs, NULL);
5206 static int get_phys_addr_v5(CPUARMState *env, uint32_t address, int access_type,
5207 ARMMMUIdx mmu_idx, hwaddr *phys_ptr,
5208 int *prot, target_ulong *page_size)
5210 CPUState *cs = CPU(arm_env_get_cpu(env));
5221 /* Pagetable walk. */
5222 /* Lookup l1 descriptor. */
5223 if (!get_level1_table_address(env, mmu_idx, &table, address)) {
5224 /* Section translation fault if page walk is disabled by PD0 or PD1 */
5228 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx));
5230 domain = (desc >> 5) & 0x0f;
5231 if (regime_el(env, mmu_idx) == 1) {
5232 dacr = env->cp15.dacr_ns;
5234 dacr = env->cp15.dacr_s;
5236 domain_prot = (dacr >> (domain * 2)) & 3;
5238 /* Section translation fault. */
5242 if (domain_prot == 0 || domain_prot == 2) {
5244 code = 9; /* Section domain fault. */
5246 code = 11; /* Page domain fault. */
5251 phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
5252 ap = (desc >> 10) & 3;
5254 *page_size = 1024 * 1024;
5256 /* Lookup l2 entry. */
5258 /* Coarse pagetable. */
5259 table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
5261 /* Fine pagetable. */
5262 table = (desc & 0xfffff000) | ((address >> 8) & 0xffc);
5264 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx));
5266 case 0: /* Page translation fault. */
5269 case 1: /* 64k page. */
5270 phys_addr = (desc & 0xffff0000) | (address & 0xffff);
5271 ap = (desc >> (4 + ((address >> 13) & 6))) & 3;
5272 *page_size = 0x10000;
5274 case 2: /* 4k page. */
5275 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
5276 ap = (desc >> (4 + ((address >> 9) & 6))) & 3;
5277 *page_size = 0x1000;
5279 case 3: /* 1k page. */
5281 if (arm_feature(env, ARM_FEATURE_XSCALE)) {
5282 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
5284 /* Page translation fault. */
5289 phys_addr = (desc & 0xfffffc00) | (address & 0x3ff);
5291 ap = (desc >> 4) & 3;
5295 /* Never happens, but compiler isn't smart enough to tell. */
5300 *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
5301 *prot |= *prot ? PAGE_EXEC : 0;
5302 if (!(*prot & (1 << access_type))) {
5303 /* Access permission fault. */
5306 *phys_ptr = phys_addr;
5309 return code | (domain << 4);
5312 static int get_phys_addr_v6(CPUARMState *env, uint32_t address, int access_type,
5313 ARMMMUIdx mmu_idx, hwaddr *phys_ptr,
5315 int *prot, target_ulong *page_size)
5317 CPUState *cs = CPU(arm_env_get_cpu(env));
5331 /* Pagetable walk. */
5332 /* Lookup l1 descriptor. */
5333 if (!get_level1_table_address(env, mmu_idx, &table, address)) {
5334 /* Section translation fault if page walk is disabled by PD0 or PD1 */
5338 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx));
5340 if (type == 0 || (type == 3 && !arm_feature(env, ARM_FEATURE_PXN))) {
5341 /* Section translation fault, or attempt to use the encoding
5342 * which is Reserved on implementations without PXN.
5347 if ((type == 1) || !(desc & (1 << 18))) {
5348 /* Page or Section. */
5349 domain = (desc >> 5) & 0x0f;
5351 if (regime_el(env, mmu_idx) == 1) {
5352 dacr = env->cp15.dacr_ns;
5354 dacr = env->cp15.dacr_s;
5356 domain_prot = (dacr >> (domain * 2)) & 3;
5357 if (domain_prot == 0 || domain_prot == 2) {
5359 code = 9; /* Section domain fault. */
5361 code = 11; /* Page domain fault. */
5366 if (desc & (1 << 18)) {
5368 phys_addr = (desc & 0xff000000) | (address & 0x00ffffff);
5369 *page_size = 0x1000000;
5372 phys_addr = (desc & 0xfff00000) | (address & 0x000fffff);
5373 *page_size = 0x100000;
5375 ap = ((desc >> 10) & 3) | ((desc >> 13) & 4);
5376 xn = desc & (1 << 4);
5379 ns = extract32(desc, 19, 1);
5381 if (arm_feature(env, ARM_FEATURE_PXN)) {
5382 pxn = (desc >> 2) & 1;
5384 ns = extract32(desc, 3, 1);
5385 /* Lookup l2 entry. */
5386 table = (desc & 0xfffffc00) | ((address >> 10) & 0x3fc);
5387 desc = arm_ldl_ptw(cs, table, regime_is_secure(env, mmu_idx));
5388 ap = ((desc >> 4) & 3) | ((desc >> 7) & 4);
5390 case 0: /* Page translation fault. */
5393 case 1: /* 64k page. */
5394 phys_addr = (desc & 0xffff0000) | (address & 0xffff);
5395 xn = desc & (1 << 15);
5396 *page_size = 0x10000;
5398 case 2: case 3: /* 4k page. */
5399 phys_addr = (desc & 0xfffff000) | (address & 0xfff);
5401 *page_size = 0x1000;
5404 /* Never happens, but compiler isn't smart enough to tell. */
5409 if (domain_prot == 3) {
5410 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
5412 if (pxn && !regime_is_user(env, mmu_idx)) {
5415 if (xn && access_type == 2)
5418 if (arm_feature(env, ARM_FEATURE_V6K) &&
5419 (regime_sctlr(env, mmu_idx) & SCTLR_AFE)) {
5420 /* The simplified model uses AP[0] as an access control bit. */
5421 if ((ap & 1) == 0) {
5422 /* Access flag fault. */
5423 code = (code == 15) ? 6 : 3;
5426 *prot = simple_ap_to_rw_prot(env, mmu_idx, ap >> 1);
5428 *prot = ap_to_rw_prot(env, mmu_idx, ap, domain_prot);
5433 if (!(*prot & (1 << access_type))) {
5434 /* Access permission fault. */
5439 /* The NS bit will (as required by the architecture) have no effect if
5440 * the CPU doesn't support TZ or this is a non-secure translation
5441 * regime, because the attribute will already be non-secure.
5443 attrs->secure = false;
5445 *phys_ptr = phys_addr;
5448 return code | (domain << 4);
5451 /* Fault type for long-descriptor MMU fault reporting; this corresponds
5452 * to bits [5..2] in the STATUS field in long-format DFSR/IFSR.
5455 translation_fault = 1,
5457 permission_fault = 3,
5460 static int get_phys_addr_lpae(CPUARMState *env, target_ulong address,
5461 int access_type, ARMMMUIdx mmu_idx,
5462 hwaddr *phys_ptr, MemTxAttrs *txattrs, int *prot,
5463 target_ulong *page_size_ptr)
5465 CPUState *cs = CPU(arm_env_get_cpu(env));
5466 /* Read an LPAE long-descriptor translation table. */
5467 MMUFaultType fault_type = translation_fault;
5474 hwaddr descaddr, descmask;
5475 uint32_t tableattrs;
5476 target_ulong page_size;
5478 int32_t granule_sz = 9;
5479 int32_t va_size = 32;
5481 TCR *tcr = regime_tcr(env, mmu_idx);
5482 int ap, ns, xn, pxn;
5483 uint32_t el = regime_el(env, mmu_idx);
5484 bool ttbr1_valid = true;
5487 * This code does not handle the different format TCR for VTCR_EL2.
5488 * This code also does not support shareability levels.
5489 * Attribute and permission bit handling should also be checked when adding
5490 * support for those page table walks.
5492 if (arm_el_is_aa64(env, el)) {
5495 tbi = extract64(tcr->raw_tcr, 20, 1);
5497 if (extract64(address, 55, 1)) {
5498 tbi = extract64(tcr->raw_tcr, 38, 1);
5500 tbi = extract64(tcr->raw_tcr, 37, 1);
5505 /* If we are in 64-bit EL2 or EL3 then there is no TTBR1, so mark it
5509 ttbr1_valid = false;
5513 /* Determine whether this address is in the region controlled by
5514 * TTBR0 or TTBR1 (or if it is in neither region and should fault).
5515 * This is a Non-secure PL0/1 stage 1 translation, so controlled by
5516 * TTBCR/TTBR0/TTBR1 in accordance with ARM ARM DDI0406C table B-32:
5518 uint32_t t0sz = extract32(tcr->raw_tcr, 0, 6);
5519 if (va_size == 64) {
5520 t0sz = MIN(t0sz, 39);
5521 t0sz = MAX(t0sz, 16);
5523 uint32_t t1sz = extract32(tcr->raw_tcr, 16, 6);
5524 if (va_size == 64) {
5525 t1sz = MIN(t1sz, 39);
5526 t1sz = MAX(t1sz, 16);
5528 if (t0sz && !extract64(address, va_size - t0sz, t0sz - tbi)) {
5529 /* there is a ttbr0 region and we are in it (high bits all zero) */
5531 } else if (ttbr1_valid && t1sz &&
5532 !extract64(~address, va_size - t1sz, t1sz - tbi)) {
5533 /* there is a ttbr1 region and we are in it (high bits all one) */
5536 /* ttbr0 region is "everything not in the ttbr1 region" */
5538 } else if (!t1sz && ttbr1_valid) {
5539 /* ttbr1 region is "everything not in the ttbr0 region" */
5542 /* in the gap between the two regions, this is a Translation fault */
5543 fault_type = translation_fault;
5547 /* Note that QEMU ignores shareability and cacheability attributes,
5548 * so we don't need to do anything with the SH, ORGN, IRGN fields
5549 * in the TTBCR. Similarly, TTBCR:A1 selects whether we get the
5550 * ASID from TTBR0 or TTBR1, but QEMU's TLB doesn't currently
5551 * implement any ASID-like capability so we can ignore it (instead
5552 * we will always flush the TLB any time the ASID is changed).
5554 if (ttbr_select == 0) {
5555 ttbr = regime_ttbr(env, mmu_idx, 0);
5556 epd = extract32(tcr->raw_tcr, 7, 1);
5559 tg = extract32(tcr->raw_tcr, 14, 2);
5560 if (tg == 1) { /* 64KB pages */
5563 if (tg == 2) { /* 16KB pages */
5567 /* We should only be here if TTBR1 is valid */
5568 assert(ttbr1_valid);
5570 ttbr = regime_ttbr(env, mmu_idx, 1);
5571 epd = extract32(tcr->raw_tcr, 23, 1);
5574 tg = extract32(tcr->raw_tcr, 30, 2);
5575 if (tg == 3) { /* 64KB pages */
5578 if (tg == 1) { /* 16KB pages */
5583 /* Here we should have set up all the parameters for the translation:
5584 * va_size, ttbr, epd, tsz, granule_sz, tbi
5588 /* Translation table walk disabled => Translation fault on TLB miss
5589 * Note: This is always 0 on 64-bit EL2 and EL3.
5594 /* The starting level depends on the virtual address size (which can be
5595 * up to 48 bits) and the translation granule size. It indicates the number
5596 * of strides (granule_sz bits at a time) needed to consume the bits
5597 * of the input address. In the pseudocode this is:
5598 * level = 4 - RoundUp((inputsize - grainsize) / stride)
5599 * where their 'inputsize' is our 'va_size - tsz', 'grainsize' is
5600 * our 'granule_sz + 3' and 'stride' is our 'granule_sz'.
5601 * Applying the usual "rounded up m/n is (m+n-1)/n" and simplifying:
5602 * = 4 - (va_size - tsz - granule_sz - 3 + granule_sz - 1) / granule_sz
5603 * = 4 - (va_size - tsz - 4) / granule_sz;
5605 level = 4 - (va_size - tsz - 4) / granule_sz;
5607 /* Clear the vaddr bits which aren't part of the within-region address,
5608 * so that we don't have to special case things when calculating the
5609 * first descriptor address.
5612 address &= (1ULL << (va_size - tsz)) - 1;
5615 descmask = (1ULL << (granule_sz + 3)) - 1;
5617 /* Now we can extract the actual base address from the TTBR */
5618 descaddr = extract64(ttbr, 0, 48);
5619 descaddr &= ~((1ULL << (va_size - tsz - (granule_sz * (4 - level)))) - 1);
5621 /* Secure accesses start with the page table in secure memory and
5622 * can be downgraded to non-secure at any step. Non-secure accesses
5623 * remain non-secure. We implement this by just ORing in the NSTable/NS
5624 * bits at each step.
5626 tableattrs = regime_is_secure(env, mmu_idx) ? 0 : (1 << 4);
5628 uint64_t descriptor;
5631 descaddr |= (address >> (granule_sz * (4 - level))) & descmask;
5633 nstable = extract32(tableattrs, 4, 1);
5634 descriptor = arm_ldq_ptw(cs, descaddr, !nstable);
5635 if (!(descriptor & 1) ||
5636 (!(descriptor & 2) && (level == 3))) {
5637 /* Invalid, or the Reserved level 3 encoding */
5640 descaddr = descriptor & 0xfffffff000ULL;
5642 if ((descriptor & 2) && (level < 3)) {
5643 /* Table entry. The top five bits are attributes which may
5644 * propagate down through lower levels of the table (and
5645 * which are all arranged so that 0 means "no effect", so
5646 * we can gather them up by ORing in the bits at each level).
5648 tableattrs |= extract64(descriptor, 59, 5);
5652 /* Block entry at level 1 or 2, or page entry at level 3.
5653 * These are basically the same thing, although the number
5654 * of bits we pull in from the vaddr varies.
5656 page_size = (1ULL << ((granule_sz * (4 - level)) + 3));
5657 descaddr |= (address & (page_size - 1));
5658 /* Extract attributes from the descriptor and merge with table attrs */
5659 attrs = extract64(descriptor, 2, 10)
5660 | (extract64(descriptor, 52, 12) << 10);
5661 attrs |= extract32(tableattrs, 0, 2) << 11; /* XN, PXN */
5662 attrs |= extract32(tableattrs, 3, 1) << 5; /* APTable[1] => AP[2] */
5663 /* The sense of AP[1] vs APTable[0] is reversed, as APTable[0] == 1
5664 * means "force PL1 access only", which means forcing AP[1] to 0.
5666 if (extract32(tableattrs, 2, 1)) {
5669 attrs |= nstable << 3; /* NS */
5672 /* Here descaddr is the final physical address, and attributes
5675 fault_type = access_fault;
5676 if ((attrs & (1 << 8)) == 0) {
5681 ap = extract32(attrs, 4, 2);
5682 ns = extract32(attrs, 3, 1);
5683 xn = extract32(attrs, 12, 1);
5684 pxn = extract32(attrs, 11, 1);
5686 *prot = get_S1prot(env, mmu_idx, va_size == 64, ap, ns, xn, pxn);
5688 fault_type = permission_fault;
5689 if (!(*prot & (1 << access_type))) {
5694 /* The NS bit will (as required by the architecture) have no effect if
5695 * the CPU doesn't support TZ or this is a non-secure translation
5696 * regime, because the attribute will already be non-secure.
5698 txattrs->secure = false;
5700 *phys_ptr = descaddr;
5701 *page_size_ptr = page_size;
5705 /* Long-descriptor format IFSR/DFSR value */
5706 return (1 << 9) | (fault_type << 2) | level;
5709 static int get_phys_addr_mpu(CPUARMState *env, uint32_t address,
5710 int access_type, ARMMMUIdx mmu_idx,
5711 hwaddr *phys_ptr, int *prot)
5716 bool is_user = regime_is_user(env, mmu_idx);
5718 *phys_ptr = address;
5719 for (n = 7; n >= 0; n--) {
5720 base = env->cp15.c6_region[n];
5721 if ((base & 1) == 0) {
5724 mask = 1 << ((base >> 1) & 0x1f);
5725 /* Keep this shift separate from the above to avoid an
5726 (undefined) << 32. */
5727 mask = (mask << 1) - 1;
5728 if (((base ^ address) & ~mask) == 0) {
5736 if (access_type == 2) {
5737 mask = env->cp15.pmsav5_insn_ap;
5739 mask = env->cp15.pmsav5_data_ap;
5741 mask = (mask >> (n * 4)) & 0xf;
5749 *prot = PAGE_READ | PAGE_WRITE;
5754 *prot |= PAGE_WRITE;
5758 *prot = PAGE_READ | PAGE_WRITE;
5770 /* Bad permission. */
5777 /* get_phys_addr - get the physical address for this virtual address
5779 * Find the physical address corresponding to the given virtual address,
5780 * by doing a translation table walk on MMU based systems or using the
5781 * MPU state on MPU based systems.
5783 * Returns 0 if the translation was successful. Otherwise, phys_ptr, attrs,
5784 * prot and page_size may not be filled in, and the return value provides
5785 * information on why the translation aborted, in the format of a
5786 * DFSR/IFSR fault register, with the following caveats:
5787 * * we honour the short vs long DFSR format differences.
5788 * * the WnR bit is never set (the caller must do this).
5789 * * for MPU based systems we don't bother to return a full FSR format
5793 * @address: virtual address to get physical address for
5794 * @access_type: 0 for read, 1 for write, 2 for execute
5795 * @mmu_idx: MMU index indicating required translation regime
5796 * @phys_ptr: set to the physical address corresponding to the virtual address
5797 * @attrs: set to the memory transaction attributes to use
5798 * @prot: set to the permissions for the page containing phys_ptr
5799 * @page_size: set to the size of the page containing phys_ptr
5801 static inline int get_phys_addr(CPUARMState *env, target_ulong address,
5802 int access_type, ARMMMUIdx mmu_idx,
5803 hwaddr *phys_ptr, MemTxAttrs *attrs, int *prot,
5804 target_ulong *page_size)
5806 if (mmu_idx == ARMMMUIdx_S12NSE0 || mmu_idx == ARMMMUIdx_S12NSE1) {
5807 /* TODO: when we support EL2 we should here call ourselves recursively
5808 * to do the stage 1 and then stage 2 translations. The arm_ld*_ptw
5809 * functions will also need changing to perform ARMMMUIdx_S2NS loads
5810 * rather than direct physical memory loads when appropriate.
5811 * For non-EL2 CPUs a stage1+stage2 translation is just stage 1.
5813 assert(!arm_feature(env, ARM_FEATURE_EL2));
5814 mmu_idx += ARMMMUIdx_S1NSE0;
5817 /* The page table entries may downgrade secure to non-secure, but
5818 * cannot upgrade an non-secure translation regime's attributes
5821 attrs->secure = regime_is_secure(env, mmu_idx);
5822 attrs->user = regime_is_user(env, mmu_idx);
5824 /* Fast Context Switch Extension. This doesn't exist at all in v8.
5825 * In v7 and earlier it affects all stage 1 translations.
5827 if (address < 0x02000000 && mmu_idx != ARMMMUIdx_S2NS
5828 && !arm_feature(env, ARM_FEATURE_V8)) {
5829 if (regime_el(env, mmu_idx) == 3) {
5830 address += env->cp15.fcseidr_s;
5832 address += env->cp15.fcseidr_ns;
5836 if (regime_translation_disabled(env, mmu_idx)) {
5837 /* MMU/MPU disabled. */
5838 *phys_ptr = address;
5839 *prot = PAGE_READ | PAGE_WRITE | PAGE_EXEC;
5840 *page_size = TARGET_PAGE_SIZE;
5844 if (arm_feature(env, ARM_FEATURE_MPU)) {
5845 *page_size = TARGET_PAGE_SIZE;
5846 return get_phys_addr_mpu(env, address, access_type, mmu_idx, phys_ptr,
5850 if (regime_using_lpae_format(env, mmu_idx)) {
5851 return get_phys_addr_lpae(env, address, access_type, mmu_idx, phys_ptr,
5852 attrs, prot, page_size);
5853 } else if (regime_sctlr(env, mmu_idx) & SCTLR_XP) {
5854 return get_phys_addr_v6(env, address, access_type, mmu_idx, phys_ptr,
5855 attrs, prot, page_size);
5857 return get_phys_addr_v5(env, address, access_type, mmu_idx, phys_ptr,
5862 /* Walk the page table and (if the mapping exists) add the page
5863 * to the TLB. Return 0 on success, or an ARM DFSR/IFSR fault
5864 * register format value on failure.
5866 int arm_tlb_fill(CPUState *cs, vaddr address,
5867 int access_type, int mmu_idx)
5869 ARMCPU *cpu = ARM_CPU(cs);
5870 CPUARMState *env = &cpu->env;
5872 target_ulong page_size;
5875 MemTxAttrs attrs = {};
5877 ret = get_phys_addr(env, address, access_type, mmu_idx, &phys_addr,
5878 &attrs, &prot, &page_size);
5880 /* Map a single [sub]page. */
5881 phys_addr &= TARGET_PAGE_MASK;
5882 address &= TARGET_PAGE_MASK;
5883 tlb_set_page_with_attrs(cs, address, phys_addr, attrs,
5884 prot, mmu_idx, page_size);
5891 hwaddr arm_cpu_get_phys_page_debug(CPUState *cs, vaddr addr)
5893 ARMCPU *cpu = ARM_CPU(cs);
5894 CPUARMState *env = &cpu->env;
5896 target_ulong page_size;
5899 MemTxAttrs attrs = {};
5901 ret = get_phys_addr(env, addr, 0, cpu_mmu_index(env), &phys_addr,
5902 &attrs, &prot, &page_size);
5911 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
5913 if ((env->uncached_cpsr & CPSR_M) == mode) {
5914 env->regs[13] = val;
5916 env->banked_r13[bank_number(mode)] = val;
5920 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
5922 if ((env->uncached_cpsr & CPSR_M) == mode) {
5923 return env->regs[13];
5925 return env->banked_r13[bank_number(mode)];
5929 uint32_t HELPER(v7m_mrs)(CPUARMState *env, uint32_t reg)
5931 ARMCPU *cpu = arm_env_get_cpu(env);
5935 return xpsr_read(env) & 0xf8000000;
5937 return xpsr_read(env) & 0xf80001ff;
5939 return xpsr_read(env) & 0xff00fc00;
5941 return xpsr_read(env) & 0xff00fdff;
5943 return xpsr_read(env) & 0x000001ff;
5945 return xpsr_read(env) & 0x0700fc00;
5947 return xpsr_read(env) & 0x0700edff;
5949 return env->v7m.current_sp ? env->v7m.other_sp : env->regs[13];
5951 return env->v7m.current_sp ? env->regs[13] : env->v7m.other_sp;
5952 case 16: /* PRIMASK */
5953 return (env->daif & PSTATE_I) != 0;
5954 case 17: /* BASEPRI */
5955 case 18: /* BASEPRI_MAX */
5956 return env->v7m.basepri;
5957 case 19: /* FAULTMASK */
5958 return (env->daif & PSTATE_F) != 0;
5959 case 20: /* CONTROL */
5960 return env->v7m.control;
5962 /* ??? For debugging only. */
5963 cpu_abort(CPU(cpu), "Unimplemented system register read (%d)\n", reg);
5968 void HELPER(v7m_msr)(CPUARMState *env, uint32_t reg, uint32_t val)
5970 ARMCPU *cpu = arm_env_get_cpu(env);
5974 xpsr_write(env, val, 0xf8000000);
5977 xpsr_write(env, val, 0xf8000000);
5980 xpsr_write(env, val, 0xfe00fc00);
5983 xpsr_write(env, val, 0xfe00fc00);
5986 /* IPSR bits are readonly. */
5989 xpsr_write(env, val, 0x0600fc00);
5992 xpsr_write(env, val, 0x0600fc00);
5995 if (env->v7m.current_sp)
5996 env->v7m.other_sp = val;
5998 env->regs[13] = val;
6001 if (env->v7m.current_sp)
6002 env->regs[13] = val;
6004 env->v7m.other_sp = val;
6006 case 16: /* PRIMASK */
6008 env->daif |= PSTATE_I;
6010 env->daif &= ~PSTATE_I;
6013 case 17: /* BASEPRI */
6014 env->v7m.basepri = val & 0xff;
6016 case 18: /* BASEPRI_MAX */
6018 if (val != 0 && (val < env->v7m.basepri || env->v7m.basepri == 0))
6019 env->v7m.basepri = val;
6021 case 19: /* FAULTMASK */
6023 env->daif |= PSTATE_F;
6025 env->daif &= ~PSTATE_F;
6028 case 20: /* CONTROL */
6029 env->v7m.control = val & 3;
6030 switch_v7m_sp(env, (val & 2) != 0);
6033 /* ??? For debugging only. */
6034 cpu_abort(CPU(cpu), "Unimplemented system register write (%d)\n", reg);
6041 void HELPER(dc_zva)(CPUARMState *env, uint64_t vaddr_in)
6043 /* Implement DC ZVA, which zeroes a fixed-length block of memory.
6044 * Note that we do not implement the (architecturally mandated)
6045 * alignment fault for attempts to use this on Device memory
6046 * (which matches the usual QEMU behaviour of not implementing either
6047 * alignment faults or any memory attribute handling).
6050 ARMCPU *cpu = arm_env_get_cpu(env);
6051 uint64_t blocklen = 4 << cpu->dcz_blocksize;
6052 uint64_t vaddr = vaddr_in & ~(blocklen - 1);
6054 #ifndef CONFIG_USER_ONLY
6056 /* Slightly awkwardly, QEMU's TARGET_PAGE_SIZE may be less than
6057 * the block size so we might have to do more than one TLB lookup.
6058 * We know that in fact for any v8 CPU the page size is at least 4K
6059 * and the block size must be 2K or less, but TARGET_PAGE_SIZE is only
6060 * 1K as an artefact of legacy v5 subpage support being present in the
6061 * same QEMU executable.
6063 int maxidx = DIV_ROUND_UP(blocklen, TARGET_PAGE_SIZE);
6064 void *hostaddr[maxidx];
6066 unsigned mmu_idx = cpu_mmu_index(env);
6067 TCGMemOpIdx oi = make_memop_idx(MO_UB, mmu_idx);
6069 for (try = 0; try < 2; try++) {
6071 for (i = 0; i < maxidx; i++) {
6072 hostaddr[i] = tlb_vaddr_to_host(env,
6073 vaddr + TARGET_PAGE_SIZE * i,
6080 /* If it's all in the TLB it's fair game for just writing to;
6081 * we know we don't need to update dirty status, etc.
6083 for (i = 0; i < maxidx - 1; i++) {
6084 memset(hostaddr[i], 0, TARGET_PAGE_SIZE);
6086 memset(hostaddr[i], 0, blocklen - (i * TARGET_PAGE_SIZE));
6089 /* OK, try a store and see if we can populate the tlb. This
6090 * might cause an exception if the memory isn't writable,
6091 * in which case we will longjmp out of here. We must for
6092 * this purpose use the actual register value passed to us
6093 * so that we get the fault address right.
6095 helper_ret_stb_mmu(env, vaddr_in, 0, oi, GETRA());
6096 /* Now we can populate the other TLB entries, if any */
6097 for (i = 0; i < maxidx; i++) {
6098 uint64_t va = vaddr + TARGET_PAGE_SIZE * i;
6099 if (va != (vaddr_in & TARGET_PAGE_MASK)) {
6100 helper_ret_stb_mmu(env, va, 0, oi, GETRA());
6105 /* Slow path (probably attempt to do this to an I/O device or
6106 * similar, or clearing of a block of code we have translations
6107 * cached for). Just do a series of byte writes as the architecture
6108 * demands. It's not worth trying to use a cpu_physical_memory_map(),
6109 * memset(), unmap() sequence here because:
6110 * + we'd need to account for the blocksize being larger than a page
6111 * + the direct-RAM access case is almost always going to be dealt
6112 * with in the fastpath code above, so there's no speed benefit
6113 * + we would have to deal with the map returning NULL because the
6114 * bounce buffer was in use
6116 for (i = 0; i < blocklen; i++) {
6117 helper_ret_stb_mmu(env, vaddr + i, 0, oi, GETRA());
6121 memset(g2h(vaddr), 0, blocklen);
6125 /* Note that signed overflow is undefined in C. The following routines are
6126 careful to use unsigned types where modulo arithmetic is required.
6127 Failure to do so _will_ break on newer gcc. */
6129 /* Signed saturating arithmetic. */
6131 /* Perform 16-bit signed saturating addition. */
6132 static inline uint16_t add16_sat(uint16_t a, uint16_t b)
6137 if (((res ^ a) & 0x8000) && !((a ^ b) & 0x8000)) {
6146 /* Perform 8-bit signed saturating addition. */
6147 static inline uint8_t add8_sat(uint8_t a, uint8_t b)
6152 if (((res ^ a) & 0x80) && !((a ^ b) & 0x80)) {
6161 /* Perform 16-bit signed saturating subtraction. */
6162 static inline uint16_t sub16_sat(uint16_t a, uint16_t b)
6167 if (((res ^ a) & 0x8000) && ((a ^ b) & 0x8000)) {
6176 /* Perform 8-bit signed saturating subtraction. */
6177 static inline uint8_t sub8_sat(uint8_t a, uint8_t b)
6182 if (((res ^ a) & 0x80) && ((a ^ b) & 0x80)) {
6191 #define ADD16(a, b, n) RESULT(add16_sat(a, b), n, 16);
6192 #define SUB16(a, b, n) RESULT(sub16_sat(a, b), n, 16);
6193 #define ADD8(a, b, n) RESULT(add8_sat(a, b), n, 8);
6194 #define SUB8(a, b, n) RESULT(sub8_sat(a, b), n, 8);
6197 #include "op_addsub.h"
6199 /* Unsigned saturating arithmetic. */
6200 static inline uint16_t add16_usat(uint16_t a, uint16_t b)
6209 static inline uint16_t sub16_usat(uint16_t a, uint16_t b)
6217 static inline uint8_t add8_usat(uint8_t a, uint8_t b)
6226 static inline uint8_t sub8_usat(uint8_t a, uint8_t b)
6234 #define ADD16(a, b, n) RESULT(add16_usat(a, b), n, 16);
6235 #define SUB16(a, b, n) RESULT(sub16_usat(a, b), n, 16);
6236 #define ADD8(a, b, n) RESULT(add8_usat(a, b), n, 8);
6237 #define SUB8(a, b, n) RESULT(sub8_usat(a, b), n, 8);
6240 #include "op_addsub.h"
6242 /* Signed modulo arithmetic. */
6243 #define SARITH16(a, b, n, op) do { \
6245 sum = (int32_t)(int16_t)(a) op (int32_t)(int16_t)(b); \
6246 RESULT(sum, n, 16); \
6248 ge |= 3 << (n * 2); \
6251 #define SARITH8(a, b, n, op) do { \
6253 sum = (int32_t)(int8_t)(a) op (int32_t)(int8_t)(b); \
6254 RESULT(sum, n, 8); \
6260 #define ADD16(a, b, n) SARITH16(a, b, n, +)
6261 #define SUB16(a, b, n) SARITH16(a, b, n, -)
6262 #define ADD8(a, b, n) SARITH8(a, b, n, +)
6263 #define SUB8(a, b, n) SARITH8(a, b, n, -)
6267 #include "op_addsub.h"
6269 /* Unsigned modulo arithmetic. */
6270 #define ADD16(a, b, n) do { \
6272 sum = (uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b); \
6273 RESULT(sum, n, 16); \
6274 if ((sum >> 16) == 1) \
6275 ge |= 3 << (n * 2); \
6278 #define ADD8(a, b, n) do { \
6280 sum = (uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b); \
6281 RESULT(sum, n, 8); \
6282 if ((sum >> 8) == 1) \
6286 #define SUB16(a, b, n) do { \
6288 sum = (uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b); \
6289 RESULT(sum, n, 16); \
6290 if ((sum >> 16) == 0) \
6291 ge |= 3 << (n * 2); \
6294 #define SUB8(a, b, n) do { \
6296 sum = (uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b); \
6297 RESULT(sum, n, 8); \
6298 if ((sum >> 8) == 0) \
6305 #include "op_addsub.h"
6307 /* Halved signed arithmetic. */
6308 #define ADD16(a, b, n) \
6309 RESULT(((int32_t)(int16_t)(a) + (int32_t)(int16_t)(b)) >> 1, n, 16)
6310 #define SUB16(a, b, n) \
6311 RESULT(((int32_t)(int16_t)(a) - (int32_t)(int16_t)(b)) >> 1, n, 16)
6312 #define ADD8(a, b, n) \
6313 RESULT(((int32_t)(int8_t)(a) + (int32_t)(int8_t)(b)) >> 1, n, 8)
6314 #define SUB8(a, b, n) \
6315 RESULT(((int32_t)(int8_t)(a) - (int32_t)(int8_t)(b)) >> 1, n, 8)
6318 #include "op_addsub.h"
6320 /* Halved unsigned arithmetic. */
6321 #define ADD16(a, b, n) \
6322 RESULT(((uint32_t)(uint16_t)(a) + (uint32_t)(uint16_t)(b)) >> 1, n, 16)
6323 #define SUB16(a, b, n) \
6324 RESULT(((uint32_t)(uint16_t)(a) - (uint32_t)(uint16_t)(b)) >> 1, n, 16)
6325 #define ADD8(a, b, n) \
6326 RESULT(((uint32_t)(uint8_t)(a) + (uint32_t)(uint8_t)(b)) >> 1, n, 8)
6327 #define SUB8(a, b, n) \
6328 RESULT(((uint32_t)(uint8_t)(a) - (uint32_t)(uint8_t)(b)) >> 1, n, 8)
6331 #include "op_addsub.h"
6333 static inline uint8_t do_usad(uint8_t a, uint8_t b)
6341 /* Unsigned sum of absolute byte differences. */
6342 uint32_t HELPER(usad8)(uint32_t a, uint32_t b)
6345 sum = do_usad(a, b);
6346 sum += do_usad(a >> 8, b >> 8);
6347 sum += do_usad(a >> 16, b >>16);
6348 sum += do_usad(a >> 24, b >> 24);
6352 /* For ARMv6 SEL instruction. */
6353 uint32_t HELPER(sel_flags)(uint32_t flags, uint32_t a, uint32_t b)
6366 return (a & mask) | (b & ~mask);
6369 /* VFP support. We follow the convention used for VFP instructions:
6370 Single precision routines have a "s" suffix, double precision a
6373 /* Convert host exception flags to vfp form. */
6374 static inline int vfp_exceptbits_from_host(int host_bits)
6376 int target_bits = 0;
6378 if (host_bits & float_flag_invalid)
6380 if (host_bits & float_flag_divbyzero)
6382 if (host_bits & float_flag_overflow)
6384 if (host_bits & (float_flag_underflow | float_flag_output_denormal))
6386 if (host_bits & float_flag_inexact)
6387 target_bits |= 0x10;
6388 if (host_bits & float_flag_input_denormal)
6389 target_bits |= 0x80;
6393 uint32_t HELPER(vfp_get_fpscr)(CPUARMState *env)
6398 fpscr = (env->vfp.xregs[ARM_VFP_FPSCR] & 0xffc8ffff)
6399 | (env->vfp.vec_len << 16)
6400 | (env->vfp.vec_stride << 20);
6401 i = get_float_exception_flags(&env->vfp.fp_status);
6402 i |= get_float_exception_flags(&env->vfp.standard_fp_status);
6403 fpscr |= vfp_exceptbits_from_host(i);
6407 uint32_t vfp_get_fpscr(CPUARMState *env)
6409 return HELPER(vfp_get_fpscr)(env);
6412 /* Convert vfp exception flags to target form. */
6413 static inline int vfp_exceptbits_to_host(int target_bits)
6417 if (target_bits & 1)
6418 host_bits |= float_flag_invalid;
6419 if (target_bits & 2)
6420 host_bits |= float_flag_divbyzero;
6421 if (target_bits & 4)
6422 host_bits |= float_flag_overflow;
6423 if (target_bits & 8)
6424 host_bits |= float_flag_underflow;
6425 if (target_bits & 0x10)
6426 host_bits |= float_flag_inexact;
6427 if (target_bits & 0x80)
6428 host_bits |= float_flag_input_denormal;
6432 void HELPER(vfp_set_fpscr)(CPUARMState *env, uint32_t val)
6437 changed = env->vfp.xregs[ARM_VFP_FPSCR];
6438 env->vfp.xregs[ARM_VFP_FPSCR] = (val & 0xffc8ffff);
6439 env->vfp.vec_len = (val >> 16) & 7;
6440 env->vfp.vec_stride = (val >> 20) & 3;
6443 if (changed & (3 << 22)) {
6444 i = (val >> 22) & 3;
6446 case FPROUNDING_TIEEVEN:
6447 i = float_round_nearest_even;
6449 case FPROUNDING_POSINF:
6452 case FPROUNDING_NEGINF:
6453 i = float_round_down;
6455 case FPROUNDING_ZERO:
6456 i = float_round_to_zero;
6459 set_float_rounding_mode(i, &env->vfp.fp_status);
6461 if (changed & (1 << 24)) {
6462 set_flush_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
6463 set_flush_inputs_to_zero((val & (1 << 24)) != 0, &env->vfp.fp_status);
6465 if (changed & (1 << 25))
6466 set_default_nan_mode((val & (1 << 25)) != 0, &env->vfp.fp_status);
6468 i = vfp_exceptbits_to_host(val);
6469 set_float_exception_flags(i, &env->vfp.fp_status);
6470 set_float_exception_flags(0, &env->vfp.standard_fp_status);
6473 void vfp_set_fpscr(CPUARMState *env, uint32_t val)
6475 HELPER(vfp_set_fpscr)(env, val);
6478 #define VFP_HELPER(name, p) HELPER(glue(glue(vfp_,name),p))
6480 #define VFP_BINOP(name) \
6481 float32 VFP_HELPER(name, s)(float32 a, float32 b, void *fpstp) \
6483 float_status *fpst = fpstp; \
6484 return float32_ ## name(a, b, fpst); \
6486 float64 VFP_HELPER(name, d)(float64 a, float64 b, void *fpstp) \
6488 float_status *fpst = fpstp; \
6489 return float64_ ## name(a, b, fpst); \
6501 float32 VFP_HELPER(neg, s)(float32 a)
6503 return float32_chs(a);
6506 float64 VFP_HELPER(neg, d)(float64 a)
6508 return float64_chs(a);
6511 float32 VFP_HELPER(abs, s)(float32 a)
6513 return float32_abs(a);
6516 float64 VFP_HELPER(abs, d)(float64 a)
6518 return float64_abs(a);
6521 float32 VFP_HELPER(sqrt, s)(float32 a, CPUARMState *env)
6523 return float32_sqrt(a, &env->vfp.fp_status);
6526 float64 VFP_HELPER(sqrt, d)(float64 a, CPUARMState *env)
6528 return float64_sqrt(a, &env->vfp.fp_status);
6531 /* XXX: check quiet/signaling case */
6532 #define DO_VFP_cmp(p, type) \
6533 void VFP_HELPER(cmp, p)(type a, type b, CPUARMState *env) \
6536 switch(type ## _compare_quiet(a, b, &env->vfp.fp_status)) { \
6537 case 0: flags = 0x6; break; \
6538 case -1: flags = 0x8; break; \
6539 case 1: flags = 0x2; break; \
6540 default: case 2: flags = 0x3; break; \
6542 env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
6543 | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
6545 void VFP_HELPER(cmpe, p)(type a, type b, CPUARMState *env) \
6548 switch(type ## _compare(a, b, &env->vfp.fp_status)) { \
6549 case 0: flags = 0x6; break; \
6550 case -1: flags = 0x8; break; \
6551 case 1: flags = 0x2; break; \
6552 default: case 2: flags = 0x3; break; \
6554 env->vfp.xregs[ARM_VFP_FPSCR] = (flags << 28) \
6555 | (env->vfp.xregs[ARM_VFP_FPSCR] & 0x0fffffff); \
6557 DO_VFP_cmp(s, float32)
6558 DO_VFP_cmp(d, float64)
6561 /* Integer to float and float to integer conversions */
6563 #define CONV_ITOF(name, fsz, sign) \
6564 float##fsz HELPER(name)(uint32_t x, void *fpstp) \
6566 float_status *fpst = fpstp; \
6567 return sign##int32_to_##float##fsz((sign##int32_t)x, fpst); \
6570 #define CONV_FTOI(name, fsz, sign, round) \
6571 uint32_t HELPER(name)(float##fsz x, void *fpstp) \
6573 float_status *fpst = fpstp; \
6574 if (float##fsz##_is_any_nan(x)) { \
6575 float_raise(float_flag_invalid, fpst); \
6578 return float##fsz##_to_##sign##int32##round(x, fpst); \
6581 #define FLOAT_CONVS(name, p, fsz, sign) \
6582 CONV_ITOF(vfp_##name##to##p, fsz, sign) \
6583 CONV_FTOI(vfp_to##name##p, fsz, sign, ) \
6584 CONV_FTOI(vfp_to##name##z##p, fsz, sign, _round_to_zero)
6586 FLOAT_CONVS(si, s, 32, )
6587 FLOAT_CONVS(si, d, 64, )
6588 FLOAT_CONVS(ui, s, 32, u)
6589 FLOAT_CONVS(ui, d, 64, u)
6595 /* floating point conversion */
6596 float64 VFP_HELPER(fcvtd, s)(float32 x, CPUARMState *env)
6598 float64 r = float32_to_float64(x, &env->vfp.fp_status);
6599 /* ARM requires that S<->D conversion of any kind of NaN generates
6600 * a quiet NaN by forcing the most significant frac bit to 1.
6602 return float64_maybe_silence_nan(r);
6605 float32 VFP_HELPER(fcvts, d)(float64 x, CPUARMState *env)
6607 float32 r = float64_to_float32(x, &env->vfp.fp_status);
6608 /* ARM requires that S<->D conversion of any kind of NaN generates
6609 * a quiet NaN by forcing the most significant frac bit to 1.
6611 return float32_maybe_silence_nan(r);
6614 /* VFP3 fixed point conversion. */
6615 #define VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
6616 float##fsz HELPER(vfp_##name##to##p)(uint##isz##_t x, uint32_t shift, \
6619 float_status *fpst = fpstp; \
6621 tmp = itype##_to_##float##fsz(x, fpst); \
6622 return float##fsz##_scalbn(tmp, -(int)shift, fpst); \
6625 /* Notice that we want only input-denormal exception flags from the
6626 * scalbn operation: the other possible flags (overflow+inexact if
6627 * we overflow to infinity, output-denormal) aren't correct for the
6628 * complete scale-and-convert operation.
6630 #define VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, round) \
6631 uint##isz##_t HELPER(vfp_to##name##p##round)(float##fsz x, \
6635 float_status *fpst = fpstp; \
6636 int old_exc_flags = get_float_exception_flags(fpst); \
6638 if (float##fsz##_is_any_nan(x)) { \
6639 float_raise(float_flag_invalid, fpst); \
6642 tmp = float##fsz##_scalbn(x, shift, fpst); \
6643 old_exc_flags |= get_float_exception_flags(fpst) \
6644 & float_flag_input_denormal; \
6645 set_float_exception_flags(old_exc_flags, fpst); \
6646 return float##fsz##_to_##itype##round(tmp, fpst); \
6649 #define VFP_CONV_FIX(name, p, fsz, isz, itype) \
6650 VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
6651 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, _round_to_zero) \
6652 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, )
6654 #define VFP_CONV_FIX_A64(name, p, fsz, isz, itype) \
6655 VFP_CONV_FIX_FLOAT(name, p, fsz, isz, itype) \
6656 VFP_CONV_FLOAT_FIX_ROUND(name, p, fsz, isz, itype, )
6658 VFP_CONV_FIX(sh, d, 64, 64, int16)
6659 VFP_CONV_FIX(sl, d, 64, 64, int32)
6660 VFP_CONV_FIX_A64(sq, d, 64, 64, int64)
6661 VFP_CONV_FIX(uh, d, 64, 64, uint16)
6662 VFP_CONV_FIX(ul, d, 64, 64, uint32)
6663 VFP_CONV_FIX_A64(uq, d, 64, 64, uint64)
6664 VFP_CONV_FIX(sh, s, 32, 32, int16)
6665 VFP_CONV_FIX(sl, s, 32, 32, int32)
6666 VFP_CONV_FIX_A64(sq, s, 32, 64, int64)
6667 VFP_CONV_FIX(uh, s, 32, 32, uint16)
6668 VFP_CONV_FIX(ul, s, 32, 32, uint32)
6669 VFP_CONV_FIX_A64(uq, s, 32, 64, uint64)
6671 #undef VFP_CONV_FIX_FLOAT
6672 #undef VFP_CONV_FLOAT_FIX_ROUND
6674 /* Set the current fp rounding mode and return the old one.
6675 * The argument is a softfloat float_round_ value.
6677 uint32_t HELPER(set_rmode)(uint32_t rmode, CPUARMState *env)
6679 float_status *fp_status = &env->vfp.fp_status;
6681 uint32_t prev_rmode = get_float_rounding_mode(fp_status);
6682 set_float_rounding_mode(rmode, fp_status);
6687 /* Set the current fp rounding mode in the standard fp status and return
6688 * the old one. This is for NEON instructions that need to change the
6689 * rounding mode but wish to use the standard FPSCR values for everything
6690 * else. Always set the rounding mode back to the correct value after
6692 * The argument is a softfloat float_round_ value.
6694 uint32_t HELPER(set_neon_rmode)(uint32_t rmode, CPUARMState *env)
6696 float_status *fp_status = &env->vfp.standard_fp_status;
6698 uint32_t prev_rmode = get_float_rounding_mode(fp_status);
6699 set_float_rounding_mode(rmode, fp_status);
6704 /* Half precision conversions. */
6705 static float32 do_fcvt_f16_to_f32(uint32_t a, CPUARMState *env, float_status *s)
6707 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
6708 float32 r = float16_to_float32(make_float16(a), ieee, s);
6710 return float32_maybe_silence_nan(r);
6715 static uint32_t do_fcvt_f32_to_f16(float32 a, CPUARMState *env, float_status *s)
6717 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
6718 float16 r = float32_to_float16(a, ieee, s);
6720 r = float16_maybe_silence_nan(r);
6722 return float16_val(r);
6725 float32 HELPER(neon_fcvt_f16_to_f32)(uint32_t a, CPUARMState *env)
6727 return do_fcvt_f16_to_f32(a, env, &env->vfp.standard_fp_status);
6730 uint32_t HELPER(neon_fcvt_f32_to_f16)(float32 a, CPUARMState *env)
6732 return do_fcvt_f32_to_f16(a, env, &env->vfp.standard_fp_status);
6735 float32 HELPER(vfp_fcvt_f16_to_f32)(uint32_t a, CPUARMState *env)
6737 return do_fcvt_f16_to_f32(a, env, &env->vfp.fp_status);
6740 uint32_t HELPER(vfp_fcvt_f32_to_f16)(float32 a, CPUARMState *env)
6742 return do_fcvt_f32_to_f16(a, env, &env->vfp.fp_status);
6745 float64 HELPER(vfp_fcvt_f16_to_f64)(uint32_t a, CPUARMState *env)
6747 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
6748 float64 r = float16_to_float64(make_float16(a), ieee, &env->vfp.fp_status);
6750 return float64_maybe_silence_nan(r);
6755 uint32_t HELPER(vfp_fcvt_f64_to_f16)(float64 a, CPUARMState *env)
6757 int ieee = (env->vfp.xregs[ARM_VFP_FPSCR] & (1 << 26)) == 0;
6758 float16 r = float64_to_float16(a, ieee, &env->vfp.fp_status);
6760 r = float16_maybe_silence_nan(r);
6762 return float16_val(r);
6765 #define float32_two make_float32(0x40000000)
6766 #define float32_three make_float32(0x40400000)
6767 #define float32_one_point_five make_float32(0x3fc00000)
6769 float32 HELPER(recps_f32)(float32 a, float32 b, CPUARMState *env)
6771 float_status *s = &env->vfp.standard_fp_status;
6772 if ((float32_is_infinity(a) && float32_is_zero_or_denormal(b)) ||
6773 (float32_is_infinity(b) && float32_is_zero_or_denormal(a))) {
6774 if (!(float32_is_zero(a) || float32_is_zero(b))) {
6775 float_raise(float_flag_input_denormal, s);
6779 return float32_sub(float32_two, float32_mul(a, b, s), s);
6782 float32 HELPER(rsqrts_f32)(float32 a, float32 b, CPUARMState *env)
6784 float_status *s = &env->vfp.standard_fp_status;
6786 if ((float32_is_infinity(a) && float32_is_zero_or_denormal(b)) ||
6787 (float32_is_infinity(b) && float32_is_zero_or_denormal(a))) {
6788 if (!(float32_is_zero(a) || float32_is_zero(b))) {
6789 float_raise(float_flag_input_denormal, s);
6791 return float32_one_point_five;
6793 product = float32_mul(a, b, s);
6794 return float32_div(float32_sub(float32_three, product, s), float32_two, s);
6799 /* Constants 256 and 512 are used in some helpers; we avoid relying on
6800 * int->float conversions at run-time. */
6801 #define float64_256 make_float64(0x4070000000000000LL)
6802 #define float64_512 make_float64(0x4080000000000000LL)
6803 #define float32_maxnorm make_float32(0x7f7fffff)
6804 #define float64_maxnorm make_float64(0x7fefffffffffffffLL)
6806 /* Reciprocal functions
6808 * The algorithm that must be used to calculate the estimate
6809 * is specified by the ARM ARM, see FPRecipEstimate()
6812 static float64 recip_estimate(float64 a, float_status *real_fp_status)
6814 /* These calculations mustn't set any fp exception flags,
6815 * so we use a local copy of the fp_status.
6817 float_status dummy_status = *real_fp_status;
6818 float_status *s = &dummy_status;
6819 /* q = (int)(a * 512.0) */
6820 float64 q = float64_mul(float64_512, a, s);
6821 int64_t q_int = float64_to_int64_round_to_zero(q, s);
6823 /* r = 1.0 / (((double)q + 0.5) / 512.0) */
6824 q = int64_to_float64(q_int, s);
6825 q = float64_add(q, float64_half, s);
6826 q = float64_div(q, float64_512, s);
6827 q = float64_div(float64_one, q, s);
6829 /* s = (int)(256.0 * r + 0.5) */
6830 q = float64_mul(q, float64_256, s);
6831 q = float64_add(q, float64_half, s);
6832 q_int = float64_to_int64_round_to_zero(q, s);
6834 /* return (double)s / 256.0 */
6835 return float64_div(int64_to_float64(q_int, s), float64_256, s);
6838 /* Common wrapper to call recip_estimate */
6839 static float64 call_recip_estimate(float64 num, int off, float_status *fpst)
6841 uint64_t val64 = float64_val(num);
6842 uint64_t frac = extract64(val64, 0, 52);
6843 int64_t exp = extract64(val64, 52, 11);
6845 float64 scaled, estimate;
6847 /* Generate the scaled number for the estimate function */
6849 if (extract64(frac, 51, 1) == 0) {
6851 frac = extract64(frac, 0, 50) << 2;
6853 frac = extract64(frac, 0, 51) << 1;
6857 /* scaled = '0' : '01111111110' : fraction<51:44> : Zeros(44); */
6858 scaled = make_float64((0x3feULL << 52)
6859 | extract64(frac, 44, 8) << 44);
6861 estimate = recip_estimate(scaled, fpst);
6863 /* Build new result */
6864 val64 = float64_val(estimate);
6865 sbit = 0x8000000000000000ULL & val64;
6867 frac = extract64(val64, 0, 52);
6870 frac = 1ULL << 51 | extract64(frac, 1, 51);
6871 } else if (exp == -1) {
6872 frac = 1ULL << 50 | extract64(frac, 2, 50);
6876 return make_float64(sbit | (exp << 52) | frac);
6879 static bool round_to_inf(float_status *fpst, bool sign_bit)
6881 switch (fpst->float_rounding_mode) {
6882 case float_round_nearest_even: /* Round to Nearest */
6884 case float_round_up: /* Round to +Inf */
6886 case float_round_down: /* Round to -Inf */
6888 case float_round_to_zero: /* Round to Zero */
6892 g_assert_not_reached();
6895 float32 HELPER(recpe_f32)(float32 input, void *fpstp)
6897 float_status *fpst = fpstp;
6898 float32 f32 = float32_squash_input_denormal(input, fpst);
6899 uint32_t f32_val = float32_val(f32);
6900 uint32_t f32_sbit = 0x80000000ULL & f32_val;
6901 int32_t f32_exp = extract32(f32_val, 23, 8);
6902 uint32_t f32_frac = extract32(f32_val, 0, 23);
6908 if (float32_is_any_nan(f32)) {
6910 if (float32_is_signaling_nan(f32)) {
6911 float_raise(float_flag_invalid, fpst);
6912 nan = float32_maybe_silence_nan(f32);
6914 if (fpst->default_nan_mode) {
6915 nan = float32_default_nan;
6918 } else if (float32_is_infinity(f32)) {
6919 return float32_set_sign(float32_zero, float32_is_neg(f32));
6920 } else if (float32_is_zero(f32)) {
6921 float_raise(float_flag_divbyzero, fpst);
6922 return float32_set_sign(float32_infinity, float32_is_neg(f32));
6923 } else if ((f32_val & ~(1ULL << 31)) < (1ULL << 21)) {
6924 /* Abs(value) < 2.0^-128 */
6925 float_raise(float_flag_overflow | float_flag_inexact, fpst);
6926 if (round_to_inf(fpst, f32_sbit)) {
6927 return float32_set_sign(float32_infinity, float32_is_neg(f32));
6929 return float32_set_sign(float32_maxnorm, float32_is_neg(f32));
6931 } else if (f32_exp >= 253 && fpst->flush_to_zero) {
6932 float_raise(float_flag_underflow, fpst);
6933 return float32_set_sign(float32_zero, float32_is_neg(f32));
6937 f64 = make_float64(((int64_t)(f32_exp) << 52) | (int64_t)(f32_frac) << 29);
6938 r64 = call_recip_estimate(f64, 253, fpst);
6939 r64_val = float64_val(r64);
6940 r64_exp = extract64(r64_val, 52, 11);
6941 r64_frac = extract64(r64_val, 0, 52);
6943 /* result = sign : result_exp<7:0> : fraction<51:29>; */
6944 return make_float32(f32_sbit |
6945 (r64_exp & 0xff) << 23 |
6946 extract64(r64_frac, 29, 24));
6949 float64 HELPER(recpe_f64)(float64 input, void *fpstp)
6951 float_status *fpst = fpstp;
6952 float64 f64 = float64_squash_input_denormal(input, fpst);
6953 uint64_t f64_val = float64_val(f64);
6954 uint64_t f64_sbit = 0x8000000000000000ULL & f64_val;
6955 int64_t f64_exp = extract64(f64_val, 52, 11);
6961 /* Deal with any special cases */
6962 if (float64_is_any_nan(f64)) {
6964 if (float64_is_signaling_nan(f64)) {
6965 float_raise(float_flag_invalid, fpst);
6966 nan = float64_maybe_silence_nan(f64);
6968 if (fpst->default_nan_mode) {
6969 nan = float64_default_nan;
6972 } else if (float64_is_infinity(f64)) {
6973 return float64_set_sign(float64_zero, float64_is_neg(f64));
6974 } else if (float64_is_zero(f64)) {
6975 float_raise(float_flag_divbyzero, fpst);
6976 return float64_set_sign(float64_infinity, float64_is_neg(f64));
6977 } else if ((f64_val & ~(1ULL << 63)) < (1ULL << 50)) {
6978 /* Abs(value) < 2.0^-1024 */
6979 float_raise(float_flag_overflow | float_flag_inexact, fpst);
6980 if (round_to_inf(fpst, f64_sbit)) {
6981 return float64_set_sign(float64_infinity, float64_is_neg(f64));
6983 return float64_set_sign(float64_maxnorm, float64_is_neg(f64));
6985 } else if (f64_exp >= 2045 && fpst->flush_to_zero) {
6986 float_raise(float_flag_underflow, fpst);
6987 return float64_set_sign(float64_zero, float64_is_neg(f64));
6990 r64 = call_recip_estimate(f64, 2045, fpst);
6991 r64_val = float64_val(r64);
6992 r64_exp = extract64(r64_val, 52, 11);
6993 r64_frac = extract64(r64_val, 0, 52);
6995 /* result = sign : result_exp<10:0> : fraction<51:0> */
6996 return make_float64(f64_sbit |
6997 ((r64_exp & 0x7ff) << 52) |
7001 /* The algorithm that must be used to calculate the estimate
7002 * is specified by the ARM ARM.
7004 static float64 recip_sqrt_estimate(float64 a, float_status *real_fp_status)
7006 /* These calculations mustn't set any fp exception flags,
7007 * so we use a local copy of the fp_status.
7009 float_status dummy_status = *real_fp_status;
7010 float_status *s = &dummy_status;
7014 if (float64_lt(a, float64_half, s)) {
7015 /* range 0.25 <= a < 0.5 */
7017 /* a in units of 1/512 rounded down */
7018 /* q0 = (int)(a * 512.0); */
7019 q = float64_mul(float64_512, a, s);
7020 q_int = float64_to_int64_round_to_zero(q, s);
7022 /* reciprocal root r */
7023 /* r = 1.0 / sqrt(((double)q0 + 0.5) / 512.0); */
7024 q = int64_to_float64(q_int, s);
7025 q = float64_add(q, float64_half, s);
7026 q = float64_div(q, float64_512, s);
7027 q = float64_sqrt(q, s);
7028 q = float64_div(float64_one, q, s);
7030 /* range 0.5 <= a < 1.0 */
7032 /* a in units of 1/256 rounded down */
7033 /* q1 = (int)(a * 256.0); */
7034 q = float64_mul(float64_256, a, s);
7035 int64_t q_int = float64_to_int64_round_to_zero(q, s);
7037 /* reciprocal root r */
7038 /* r = 1.0 /sqrt(((double)q1 + 0.5) / 256); */
7039 q = int64_to_float64(q_int, s);
7040 q = float64_add(q, float64_half, s);
7041 q = float64_div(q, float64_256, s);
7042 q = float64_sqrt(q, s);
7043 q = float64_div(float64_one, q, s);
7045 /* r in units of 1/256 rounded to nearest */
7046 /* s = (int)(256.0 * r + 0.5); */
7048 q = float64_mul(q, float64_256,s );
7049 q = float64_add(q, float64_half, s);
7050 q_int = float64_to_int64_round_to_zero(q, s);
7052 /* return (double)s / 256.0;*/
7053 return float64_div(int64_to_float64(q_int, s), float64_256, s);
7056 float32 HELPER(rsqrte_f32)(float32 input, void *fpstp)
7058 float_status *s = fpstp;
7059 float32 f32 = float32_squash_input_denormal(input, s);
7060 uint32_t val = float32_val(f32);
7061 uint32_t f32_sbit = 0x80000000 & val;
7062 int32_t f32_exp = extract32(val, 23, 8);
7063 uint32_t f32_frac = extract32(val, 0, 23);
7069 if (float32_is_any_nan(f32)) {
7071 if (float32_is_signaling_nan(f32)) {
7072 float_raise(float_flag_invalid, s);
7073 nan = float32_maybe_silence_nan(f32);
7075 if (s->default_nan_mode) {
7076 nan = float32_default_nan;
7079 } else if (float32_is_zero(f32)) {
7080 float_raise(float_flag_divbyzero, s);
7081 return float32_set_sign(float32_infinity, float32_is_neg(f32));
7082 } else if (float32_is_neg(f32)) {
7083 float_raise(float_flag_invalid, s);
7084 return float32_default_nan;
7085 } else if (float32_is_infinity(f32)) {
7086 return float32_zero;
7089 /* Scale and normalize to a double-precision value between 0.25 and 1.0,
7090 * preserving the parity of the exponent. */
7092 f64_frac = ((uint64_t) f32_frac) << 29;
7094 while (extract64(f64_frac, 51, 1) == 0) {
7095 f64_frac = f64_frac << 1;
7096 f32_exp = f32_exp-1;
7098 f64_frac = extract64(f64_frac, 0, 51) << 1;
7101 if (extract64(f32_exp, 0, 1) == 0) {
7102 f64 = make_float64(((uint64_t) f32_sbit) << 32
7106 f64 = make_float64(((uint64_t) f32_sbit) << 32
7111 result_exp = (380 - f32_exp) / 2;
7113 f64 = recip_sqrt_estimate(f64, s);
7115 val64 = float64_val(f64);
7117 val = ((result_exp & 0xff) << 23)
7118 | ((val64 >> 29) & 0x7fffff);
7119 return make_float32(val);
7122 float64 HELPER(rsqrte_f64)(float64 input, void *fpstp)
7124 float_status *s = fpstp;
7125 float64 f64 = float64_squash_input_denormal(input, s);
7126 uint64_t val = float64_val(f64);
7127 uint64_t f64_sbit = 0x8000000000000000ULL & val;
7128 int64_t f64_exp = extract64(val, 52, 11);
7129 uint64_t f64_frac = extract64(val, 0, 52);
7131 uint64_t result_frac;
7133 if (float64_is_any_nan(f64)) {
7135 if (float64_is_signaling_nan(f64)) {
7136 float_raise(float_flag_invalid, s);
7137 nan = float64_maybe_silence_nan(f64);
7139 if (s->default_nan_mode) {
7140 nan = float64_default_nan;
7143 } else if (float64_is_zero(f64)) {
7144 float_raise(float_flag_divbyzero, s);
7145 return float64_set_sign(float64_infinity, float64_is_neg(f64));
7146 } else if (float64_is_neg(f64)) {
7147 float_raise(float_flag_invalid, s);
7148 return float64_default_nan;
7149 } else if (float64_is_infinity(f64)) {
7150 return float64_zero;
7153 /* Scale and normalize to a double-precision value between 0.25 and 1.0,
7154 * preserving the parity of the exponent. */
7157 while (extract64(f64_frac, 51, 1) == 0) {
7158 f64_frac = f64_frac << 1;
7159 f64_exp = f64_exp - 1;
7161 f64_frac = extract64(f64_frac, 0, 51) << 1;
7164 if (extract64(f64_exp, 0, 1) == 0) {
7165 f64 = make_float64(f64_sbit
7169 f64 = make_float64(f64_sbit
7174 result_exp = (3068 - f64_exp) / 2;
7176 f64 = recip_sqrt_estimate(f64, s);
7178 result_frac = extract64(float64_val(f64), 0, 52);
7180 return make_float64(f64_sbit |
7181 ((result_exp & 0x7ff) << 52) |
7185 uint32_t HELPER(recpe_u32)(uint32_t a, void *fpstp)
7187 float_status *s = fpstp;
7190 if ((a & 0x80000000) == 0) {
7194 f64 = make_float64((0x3feULL << 52)
7195 | ((int64_t)(a & 0x7fffffff) << 21));
7197 f64 = recip_estimate(f64, s);
7199 return 0x80000000 | ((float64_val(f64) >> 21) & 0x7fffffff);
7202 uint32_t HELPER(rsqrte_u32)(uint32_t a, void *fpstp)
7204 float_status *fpst = fpstp;
7207 if ((a & 0xc0000000) == 0) {
7211 if (a & 0x80000000) {
7212 f64 = make_float64((0x3feULL << 52)
7213 | ((uint64_t)(a & 0x7fffffff) << 21));
7214 } else { /* bits 31-30 == '01' */
7215 f64 = make_float64((0x3fdULL << 52)
7216 | ((uint64_t)(a & 0x3fffffff) << 22));
7219 f64 = recip_sqrt_estimate(f64, fpst);
7221 return 0x80000000 | ((float64_val(f64) >> 21) & 0x7fffffff);
7224 /* VFPv4 fused multiply-accumulate */
7225 float32 VFP_HELPER(muladd, s)(float32 a, float32 b, float32 c, void *fpstp)
7227 float_status *fpst = fpstp;
7228 return float32_muladd(a, b, c, 0, fpst);
7231 float64 VFP_HELPER(muladd, d)(float64 a, float64 b, float64 c, void *fpstp)
7233 float_status *fpst = fpstp;
7234 return float64_muladd(a, b, c, 0, fpst);
7237 /* ARMv8 round to integral */
7238 float32 HELPER(rints_exact)(float32 x, void *fp_status)
7240 return float32_round_to_int(x, fp_status);
7243 float64 HELPER(rintd_exact)(float64 x, void *fp_status)
7245 return float64_round_to_int(x, fp_status);
7248 float32 HELPER(rints)(float32 x, void *fp_status)
7250 int old_flags = get_float_exception_flags(fp_status), new_flags;
7253 ret = float32_round_to_int(x, fp_status);
7255 /* Suppress any inexact exceptions the conversion produced */
7256 if (!(old_flags & float_flag_inexact)) {
7257 new_flags = get_float_exception_flags(fp_status);
7258 set_float_exception_flags(new_flags & ~float_flag_inexact, fp_status);
7264 float64 HELPER(rintd)(float64 x, void *fp_status)
7266 int old_flags = get_float_exception_flags(fp_status), new_flags;
7269 ret = float64_round_to_int(x, fp_status);
7271 new_flags = get_float_exception_flags(fp_status);
7273 /* Suppress any inexact exceptions the conversion produced */
7274 if (!(old_flags & float_flag_inexact)) {
7275 new_flags = get_float_exception_flags(fp_status);
7276 set_float_exception_flags(new_flags & ~float_flag_inexact, fp_status);
7282 /* Convert ARM rounding mode to softfloat */
7283 int arm_rmode_to_sf(int rmode)
7286 case FPROUNDING_TIEAWAY:
7287 rmode = float_round_ties_away;
7289 case FPROUNDING_ODD:
7290 /* FIXME: add support for TIEAWAY and ODD */
7291 qemu_log_mask(LOG_UNIMP, "arm: unimplemented rounding mode: %d\n",
7293 case FPROUNDING_TIEEVEN:
7295 rmode = float_round_nearest_even;
7297 case FPROUNDING_POSINF:
7298 rmode = float_round_up;
7300 case FPROUNDING_NEGINF:
7301 rmode = float_round_down;
7303 case FPROUNDING_ZERO:
7304 rmode = float_round_to_zero;
7311 * The upper bytes of val (above the number specified by 'bytes') must have
7312 * been zeroed out by the caller.
7314 uint32_t HELPER(crc32)(uint32_t acc, uint32_t val, uint32_t bytes)
7320 /* zlib crc32 converts the accumulator and output to one's complement. */
7321 return crc32(acc ^ 0xffffffff, buf, bytes) ^ 0xffffffff;
7324 uint32_t HELPER(crc32c)(uint32_t acc, uint32_t val, uint32_t bytes)
7330 /* Linux crc32c converts the output to one's complement. */
7331 return crc32c(acc, buf, bytes) ^ 0xffffffff;
projects / qemu.git / blob