1 /*
2 * ARM helper routines
3 *
4 * Copyright (c) 2005-2007 CodeSourcery, LLC
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19 #include "qemu/osdep.h"
20 #include "qemu/main-loop.h"
21 #include "cpu.h"
22 #include "exec/helper-proto.h"
23 #include "internals.h"
24 #include "cpu-features.h"
25 #include "exec/exec-all.h"
26 #include "exec/cpu_ldst.h"
27 #include "cpregs.h"
28
29 #define SIGNBIT (uint32_t)0x80000000
30 #define SIGNBIT64 ((uint64_t)1 << 63)
31
exception_target_el(CPUARMState * env)32 int exception_target_el(CPUARMState *env)
33 {
34 int target_el = MAX(1, arm_current_el(env));
35
36 /*
37 * No such thing as secure EL1 if EL3 is aarch32,
38 * so update the target EL to EL3 in this case.
39 */
40 if (arm_is_secure(env) && !arm_el_is_aa64(env, 3) && target_el == 1) {
41 target_el = 3;
42 }
43
44 return target_el;
45 }
46
raise_exception(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el)47 void raise_exception(CPUARMState *env, uint32_t excp,
48 uint32_t syndrome, uint32_t target_el)
49 {
50 CPUState *cs = env_cpu(env);
51
52 if (target_el == 1 && (arm_hcr_el2_eff(env) & HCR_TGE)) {
53 /*
54 * Redirect NS EL1 exceptions to NS EL2. These are reported with
55 * their original syndrome register value, with the exception of
56 * SIMD/FP access traps, which are reported as uncategorized
57 * (see DDI0478C.a D1.10.4)
58 */
59 target_el = 2;
60 if (syn_get_ec(syndrome) == EC_ADVSIMDFPACCESSTRAP) {
61 syndrome = syn_uncategorized();
62 }
63 }
64
65 assert(!excp_is_internal(excp));
66 cs->exception_index = excp;
67 env->exception.syndrome = syndrome;
68 env->exception.target_el = target_el;
69 cpu_loop_exit(cs);
70 }
71
raise_exception_ra(CPUARMState * env,uint32_t excp,uint32_t syndrome,uint32_t target_el,uintptr_t ra)72 void raise_exception_ra(CPUARMState *env, uint32_t excp, uint32_t syndrome,
73 uint32_t target_el, uintptr_t ra)
74 {
75 CPUState *cs = env_cpu(env);
76
77 /*
78 * restore_state_to_opc() will set env->exception.syndrome, so
79 * we must restore CPU state here before setting the syndrome
80 * the caller passed us, and cannot use cpu_loop_exit_restore().
81 */
82 cpu_restore_state(cs, ra);
83 raise_exception(env, excp, syndrome, target_el);
84 }
85
HELPER(neon_tbl)86 uint64_t HELPER(neon_tbl)(CPUARMState *env, uint32_t desc,
87 uint64_t ireg, uint64_t def)
88 {
89 uint64_t tmp, val = 0;
90 uint32_t maxindex = ((desc & 3) + 1) * 8;
91 uint32_t base_reg = desc >> 2;
92 uint32_t shift, index, reg;
93
94 for (shift = 0; shift < 64; shift += 8) {
95 index = (ireg >> shift) & 0xff;
96 if (index < maxindex) {
97 reg = base_reg + (index >> 3);
98 tmp = *aa32_vfp_dreg(env, reg);
99 tmp = ((tmp >> ((index & 7) << 3)) & 0xff) << shift;
100 } else {
101 tmp = def & (0xffull << shift);
102 }
103 val |= tmp;
104 }
105 return val;
106 }
107
HELPER(v8m_stackcheck)108 void HELPER(v8m_stackcheck)(CPUARMState *env, uint32_t newvalue)
109 {
110 /*
111 * Perform the v8M stack limit check for SP updates from translated code,
112 * raising an exception if the limit is breached.
113 */
114 if (newvalue < v7m_sp_limit(env)) {
115 /*
116 * Stack limit exceptions are a rare case, so rather than syncing
117 * PC/condbits before the call, we use raise_exception_ra() so
118 * that cpu_restore_state() will sort them out.
119 */
120 raise_exception_ra(env, EXCP_STKOF, 0, 1, GETPC());
121 }
122 }
123
124 /* Sign/zero extend */
HELPER(sxtb16)125 uint32_t HELPER(sxtb16)(uint32_t x)
126 {
127 uint32_t res;
128 res = (uint16_t)(int8_t)x;
129 res |= (uint32_t)(int8_t)(x >> 16) << 16;
130 return res;
131 }
132
handle_possible_div0_trap(CPUARMState * env,uintptr_t ra)133 static void handle_possible_div0_trap(CPUARMState *env, uintptr_t ra)
134 {
135 /*
136 * Take a division-by-zero exception if necessary; otherwise return
137 * to get the usual non-trapping division behaviour (result of 0)
138 */
139 if (arm_feature(env, ARM_FEATURE_M)
140 && (env->v7m.ccr[env->v7m.secure] & R_V7M_CCR_DIV_0_TRP_MASK)) {
141 raise_exception_ra(env, EXCP_DIVBYZERO, 0, 1, ra);
142 }
143 }
144
HELPER(uxtb16)145 uint32_t HELPER(uxtb16)(uint32_t x)
146 {
147 uint32_t res;
148 res = (uint16_t)(uint8_t)x;
149 res |= (uint32_t)(uint8_t)(x >> 16) << 16;
150 return res;
151 }
152
HELPER(sdiv)153 int32_t HELPER(sdiv)(CPUARMState *env, int32_t num, int32_t den)
154 {
155 if (den == 0) {
156 handle_possible_div0_trap(env, GETPC());
157 return 0;
158 }
159 if (num == INT_MIN && den == -1) {
160 return INT_MIN;
161 }
162 return num / den;
163 }
164
HELPER(udiv)165 uint32_t HELPER(udiv)(CPUARMState *env, uint32_t num, uint32_t den)
166 {
167 if (den == 0) {
168 handle_possible_div0_trap(env, GETPC());
169 return 0;
170 }
171 return num / den;
172 }
173
HELPER(rbit)174 uint32_t HELPER(rbit)(uint32_t x)
175 {
176 return revbit32(x);
177 }
178
HELPER(add_setq)179 uint32_t HELPER(add_setq)(CPUARMState *env, uint32_t a, uint32_t b)
180 {
181 uint32_t res = a + b;
182 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT))
183 env->QF = 1;
184 return res;
185 }
186
HELPER(add_saturate)187 uint32_t HELPER(add_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
188 {
189 uint32_t res = a + b;
190 if (((res ^ a) & SIGNBIT) && !((a ^ b) & SIGNBIT)) {
191 env->QF = 1;
192 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
193 }
194 return res;
195 }
196
HELPER(sub_saturate)197 uint32_t HELPER(sub_saturate)(CPUARMState *env, uint32_t a, uint32_t b)
198 {
199 uint32_t res = a - b;
200 if (((res ^ a) & SIGNBIT) && ((a ^ b) & SIGNBIT)) {
201 env->QF = 1;
202 res = ~(((int32_t)a >> 31) ^ SIGNBIT);
203 }
204 return res;
205 }
206
HELPER(add_usaturate)207 uint32_t HELPER(add_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
208 {
209 uint32_t res = a + b;
210 if (res < a) {
211 env->QF = 1;
212 res = ~0;
213 }
214 return res;
215 }
216
HELPER(sub_usaturate)217 uint32_t HELPER(sub_usaturate)(CPUARMState *env, uint32_t a, uint32_t b)
218 {
219 uint32_t res = a - b;
220 if (res > a) {
221 env->QF = 1;
222 res = 0;
223 }
224 return res;
225 }
226
227 /* Signed saturation. */
do_ssat(CPUARMState * env,int32_t val,int shift)228 static inline uint32_t do_ssat(CPUARMState *env, int32_t val, int shift)
229 {
230 int32_t top;
231 uint32_t mask;
232
233 top = val >> shift;
234 mask = (1u << shift) - 1;
235 if (top > 0) {
236 env->QF = 1;
237 return mask;
238 } else if (top < -1) {
239 env->QF = 1;
240 return ~mask;
241 }
242 return val;
243 }
244
245 /* Unsigned saturation. */
do_usat(CPUARMState * env,int32_t val,int shift)246 static inline uint32_t do_usat(CPUARMState *env, int32_t val, int shift)
247 {
248 uint32_t max;
249
250 max = (1u << shift) - 1;
251 if (val < 0) {
252 env->QF = 1;
253 return 0;
254 } else if (val > max) {
255 env->QF = 1;
256 return max;
257 }
258 return val;
259 }
260
261 /* Signed saturate. */
HELPER(ssat)262 uint32_t HELPER(ssat)(CPUARMState *env, uint32_t x, uint32_t shift)
263 {
264 return do_ssat(env, x, shift);
265 }
266
267 /* Dual halfword signed saturate. */
HELPER(ssat16)268 uint32_t HELPER(ssat16)(CPUARMState *env, uint32_t x, uint32_t shift)
269 {
270 uint32_t res;
271
272 res = (uint16_t)do_ssat(env, (int16_t)x, shift);
273 res |= do_ssat(env, ((int32_t)x) >> 16, shift) << 16;
274 return res;
275 }
276
277 /* Unsigned saturate. */
HELPER(usat)278 uint32_t HELPER(usat)(CPUARMState *env, uint32_t x, uint32_t shift)
279 {
280 return do_usat(env, x, shift);
281 }
282
283 /* Dual halfword unsigned saturate. */
HELPER(usat16)284 uint32_t HELPER(usat16)(CPUARMState *env, uint32_t x, uint32_t shift)
285 {
286 uint32_t res;
287
288 res = (uint16_t)do_usat(env, (int16_t)x, shift);
289 res |= do_usat(env, ((int32_t)x) >> 16, shift) << 16;
290 return res;
291 }
292
HELPER(setend)293 void HELPER(setend)(CPUARMState *env)
294 {
295 env->uncached_cpsr ^= CPSR_E;
296 arm_rebuild_hflags(env);
297 }
298
HELPER(check_bxj_trap)299 void HELPER(check_bxj_trap)(CPUARMState *env, uint32_t rm)
300 {
301 /*
302 * Only called if in NS EL0 or EL1 for a BXJ for a v7A CPU;
303 * check if HSTR.TJDBX means we need to trap to EL2.
304 */
305 if (env->cp15.hstr_el2 & HSTR_TJDBX) {
306 /*
307 * We know the condition code check passed, so take the IMPDEF
308 * choice to always report CV=1 COND 0xe
309 */
310 uint32_t syn = syn_bxjtrap(1, 0xe, rm);
311 raise_exception_ra(env, EXCP_HYP_TRAP, syn, 2, GETPC());
312 }
313 }
314
315 #ifndef CONFIG_USER_ONLY
316 /* Function checks whether WFx (WFI/WFE) instructions are set up to be trapped.
317 * The function returns the target EL (1-3) if the instruction is to be trapped;
318 * otherwise it returns 0 indicating it is not trapped.
319 */
check_wfx_trap(CPUARMState * env,bool is_wfe)320 static inline int check_wfx_trap(CPUARMState *env, bool is_wfe)
321 {
322 int cur_el = arm_current_el(env);
323 uint64_t mask;
324
325 if (arm_feature(env, ARM_FEATURE_M)) {
326 /* M profile cores can never trap WFI/WFE. */
327 return 0;
328 }
329
330 /* If we are currently in EL0 then we need to check if SCTLR is set up for
331 * WFx instructions being trapped to EL1. These trap bits don't exist in v7.
332 */
333 if (cur_el < 1 && arm_feature(env, ARM_FEATURE_V8)) {
334 int target_el;
335
336 mask = is_wfe ? SCTLR_nTWE : SCTLR_nTWI;
337 if (arm_is_secure_below_el3(env) && !arm_el_is_aa64(env, 3)) {
338 /* Secure EL0 and Secure PL1 is at EL3 */
339 target_el = 3;
340 } else {
341 target_el = 1;
342 }
343
344 if (!(env->cp15.sctlr_el[target_el] & mask)) {
345 return target_el;
346 }
347 }
348
349 /* We are not trapping to EL1; trap to EL2 if HCR_EL2 requires it
350 * No need for ARM_FEATURE check as if HCR_EL2 doesn't exist the
351 * bits will be zero indicating no trap.
352 */
353 if (cur_el < 2) {
354 mask = is_wfe ? HCR_TWE : HCR_TWI;
355 if (arm_hcr_el2_eff(env) & mask) {
356 return 2;
357 }
358 }
359
360 /* We are not trapping to EL1 or EL2; trap to EL3 if SCR_EL3 requires it */
361 if (cur_el < 3) {
362 mask = (is_wfe) ? SCR_TWE : SCR_TWI;
363 if (env->cp15.scr_el3 & mask) {
364 return 3;
365 }
366 }
367
368 return 0;
369 }
370 #endif
371
HELPER(wfi)372 void HELPER(wfi)(CPUARMState *env, uint32_t insn_len)
373 {
374 #ifdef CONFIG_USER_ONLY
375 /*
376 * WFI in the user-mode emulator is technically permitted but not
377 * something any real-world code would do. AArch64 Linux kernels
378 * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
379 * AArch32 kernels don't trap it so it will delay a bit.
380 * For QEMU, make it NOP here, because trying to raise EXCP_HLT
381 * would trigger an abort.
382 */
383 return;
384 #else
385 CPUState *cs = env_cpu(env);
386 int target_el = check_wfx_trap(env, false);
387
388 if (cpu_has_work(cs)) {
389 /* Don't bother to go into our "low power state" if
390 * we would just wake up immediately.
391 */
392 return;
393 }
394
395 if (target_el) {
396 if (env->aarch64) {
397 env->pc -= insn_len;
398 } else {
399 env->regs[15] -= insn_len;
400 }
401
402 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, insn_len == 2),
403 target_el);
404 }
405
406 cs->exception_index = EXCP_HLT;
407 cs->halted = 1;
408 cpu_loop_exit(cs);
409 #endif
410 }
411
HELPER(wfit)412 void HELPER(wfit)(CPUARMState *env, uint64_t timeout)
413 {
414 #ifdef CONFIG_USER_ONLY
415 /*
416 * WFI in the user-mode emulator is technically permitted but not
417 * something any real-world code would do. AArch64 Linux kernels
418 * trap it via SCTRL_EL1.nTWI and make it an (expensive) NOP;
419 * AArch32 kernels don't trap it so it will delay a bit.
420 * For QEMU, make it NOP here, because trying to raise EXCP_HLT
421 * would trigger an abort.
422 */
423 return;
424 #else
425 ARMCPU *cpu = env_archcpu(env);
426 CPUState *cs = env_cpu(env);
427 int target_el = check_wfx_trap(env, false);
428 /* The WFIT should time out when CNTVCT_EL0 >= the specified value. */
429 uint64_t cntval = gt_get_countervalue(env);
430 uint64_t offset = gt_virt_cnt_offset(env);
431 uint64_t cntvct = cntval - offset;
432 uint64_t nexttick;
433
434 if (cpu_has_work(cs) || cntvct >= timeout) {
435 /*
436 * Don't bother to go into our "low power state" if
437 * we would just wake up immediately.
438 */
439 return;
440 }
441
442 if (target_el) {
443 env->pc -= 4;
444 raise_exception(env, EXCP_UDEF, syn_wfx(1, 0xe, 0, false),
445 target_el);
446 }
447
448 if (uadd64_overflow(timeout, offset, &nexttick)) {
449 nexttick = UINT64_MAX;
450 }
451 if (nexttick > INT64_MAX / gt_cntfrq_period_ns(cpu)) {
452 /*
453 * If the timeout is too long for the signed 64-bit range
454 * of a QEMUTimer, let it expire early.
455 */
456 timer_mod_ns(cpu->wfxt_timer, INT64_MAX);
457 } else {
458 timer_mod(cpu->wfxt_timer, nexttick);
459 }
460 cs->exception_index = EXCP_HLT;
461 cs->halted = 1;
462 cpu_loop_exit(cs);
463 #endif
464 }
465
HELPER(wfe)466 void HELPER(wfe)(CPUARMState *env)
467 {
468 /* This is a hint instruction that is semantically different
469 * from YIELD even though we currently implement it identically.
470 * Don't actually halt the CPU, just yield back to top
471 * level loop. This is not going into a "low power state"
472 * (ie halting until some event occurs), so we never take
473 * a configurable trap to a different exception level.
474 */
475 HELPER(yield)(env);
476 }
477
HELPER(yield)478 void HELPER(yield)(CPUARMState *env)
479 {
480 CPUState *cs = env_cpu(env);
481
482 /* This is a non-trappable hint instruction that generally indicates
483 * that the guest is currently busy-looping. Yield control back to the
484 * top level loop so that a more deserving VCPU has a chance to run.
485 */
486 cs->exception_index = EXCP_YIELD;
487 cpu_loop_exit(cs);
488 }
489
490 /* Raise an internal-to-QEMU exception. This is limited to only
491 * those EXCP values which are special cases for QEMU to interrupt
492 * execution and not to be used for exceptions which are passed to
493 * the guest (those must all have syndrome information and thus should
494 * use exception_with_syndrome*).
495 */
HELPER(exception_internal)496 void HELPER(exception_internal)(CPUARMState *env, uint32_t excp)
497 {
498 CPUState *cs = env_cpu(env);
499
500 assert(excp_is_internal(excp));
501 cs->exception_index = excp;
502 cpu_loop_exit(cs);
503 }
504
505 /* Raise an exception with the specified syndrome register value */
HELPER(exception_with_syndrome_el)506 void HELPER(exception_with_syndrome_el)(CPUARMState *env, uint32_t excp,
507 uint32_t syndrome, uint32_t target_el)
508 {
509 raise_exception(env, excp, syndrome, target_el);
510 }
511
512 /*
513 * Raise an exception with the specified syndrome register value
514 * to the default target el.
515 */
HELPER(exception_with_syndrome)516 void HELPER(exception_with_syndrome)(CPUARMState *env, uint32_t excp,
517 uint32_t syndrome)
518 {
519 raise_exception(env, excp, syndrome, exception_target_el(env));
520 }
521
HELPER(cpsr_read)522 uint32_t HELPER(cpsr_read)(CPUARMState *env)
523 {
524 return cpsr_read(env) & ~CPSR_EXEC;
525 }
526
HELPER(cpsr_write)527 void HELPER(cpsr_write)(CPUARMState *env, uint32_t val, uint32_t mask)
528 {
529 cpsr_write(env, val, mask, CPSRWriteByInstr);
530 /* TODO: Not all cpsr bits are relevant to hflags. */
531 arm_rebuild_hflags(env);
532 }
533
534 /* Write the CPSR for a 32-bit exception return */
HELPER(cpsr_write_eret)535 void HELPER(cpsr_write_eret)(CPUARMState *env, uint32_t val)
536 {
537 uint32_t mask;
538
539 bql_lock();
540 arm_call_pre_el_change_hook(env_archcpu(env));
541 bql_unlock();
542
543 mask = aarch32_cpsr_valid_mask(env->features, &env_archcpu(env)->isar);
544 cpsr_write(env, val, mask, CPSRWriteExceptionReturn);
545
546 /* Generated code has already stored the new PC value, but
547 * without masking out its low bits, because which bits need
548 * masking depends on whether we're returning to Thumb or ARM
549 * state. Do the masking now.
550 */
551 env->regs[15] &= (env->thumb ? ~1 : ~3);
552 arm_rebuild_hflags(env);
553
554 bql_lock();
555 arm_call_el_change_hook(env_archcpu(env));
556 bql_unlock();
557 }
558
559 /* Access to user mode registers from privileged modes. */
HELPER(get_user_reg)560 uint32_t HELPER(get_user_reg)(CPUARMState *env, uint32_t regno)
561 {
562 uint32_t val;
563
564 if (regno == 13) {
565 val = env->banked_r13[BANK_USRSYS];
566 } else if (regno == 14) {
567 val = env->banked_r14[BANK_USRSYS];
568 } else if (regno >= 8
569 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
570 val = env->usr_regs[regno - 8];
571 } else {
572 val = env->regs[regno];
573 }
574 return val;
575 }
576
HELPER(set_user_reg)577 void HELPER(set_user_reg)(CPUARMState *env, uint32_t regno, uint32_t val)
578 {
579 if (regno == 13) {
580 env->banked_r13[BANK_USRSYS] = val;
581 } else if (regno == 14) {
582 env->banked_r14[BANK_USRSYS] = val;
583 } else if (regno >= 8
584 && (env->uncached_cpsr & 0x1f) == ARM_CPU_MODE_FIQ) {
585 env->usr_regs[regno - 8] = val;
586 } else {
587 env->regs[regno] = val;
588 }
589 }
590
HELPER(set_r13_banked)591 void HELPER(set_r13_banked)(CPUARMState *env, uint32_t mode, uint32_t val)
592 {
593 if ((env->uncached_cpsr & CPSR_M) == mode) {
594 env->regs[13] = val;
595 } else {
596 env->banked_r13[bank_number(mode)] = val;
597 }
598 }
599
HELPER(get_r13_banked)600 uint32_t HELPER(get_r13_banked)(CPUARMState *env, uint32_t mode)
601 {
602 if ((env->uncached_cpsr & CPSR_M) == ARM_CPU_MODE_SYS) {
603 /* SRS instruction is UNPREDICTABLE from System mode; we UNDEF.
604 * Other UNPREDICTABLE and UNDEF cases were caught at translate time.
605 */
606 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
607 exception_target_el(env));
608 }
609
610 if ((env->uncached_cpsr & CPSR_M) == mode) {
611 return env->regs[13];
612 } else {
613 return env->banked_r13[bank_number(mode)];
614 }
615 }
616
msr_mrs_banked_exc_checks(CPUARMState * env,uint32_t tgtmode,uint32_t regno)617 static void msr_mrs_banked_exc_checks(CPUARMState *env, uint32_t tgtmode,
618 uint32_t regno)
619 {
620 /* Raise an exception if the requested access is one of the UNPREDICTABLE
621 * cases; otherwise return. This broadly corresponds to the pseudocode
622 * BankedRegisterAccessValid() and SPSRAccessValid(),
623 * except that we have already handled some cases at translate time.
624 */
625 int curmode = env->uncached_cpsr & CPSR_M;
626
627 if (tgtmode == ARM_CPU_MODE_HYP) {
628 /*
629 * Handle Hyp target regs first because some are special cases
630 * which don't want the usual "not accessible from tgtmode" check.
631 */
632 switch (regno) {
633 case 16 ... 17: /* ELR_Hyp, SPSR_Hyp */
634 if (curmode != ARM_CPU_MODE_HYP && curmode != ARM_CPU_MODE_MON) {
635 goto undef;
636 }
637 break;
638 case 13:
639 if (curmode != ARM_CPU_MODE_MON) {
640 goto undef;
641 }
642 break;
643 default:
644 g_assert_not_reached();
645 }
646 return;
647 }
648
649 if (curmode == tgtmode) {
650 goto undef;
651 }
652
653 if (tgtmode == ARM_CPU_MODE_USR) {
654 switch (regno) {
655 case 8 ... 12:
656 if (curmode != ARM_CPU_MODE_FIQ) {
657 goto undef;
658 }
659 break;
660 case 13:
661 if (curmode == ARM_CPU_MODE_SYS) {
662 goto undef;
663 }
664 break;
665 case 14:
666 if (curmode == ARM_CPU_MODE_HYP || curmode == ARM_CPU_MODE_SYS) {
667 goto undef;
668 }
669 break;
670 default:
671 break;
672 }
673 }
674
675 return;
676
677 undef:
678 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
679 exception_target_el(env));
680 }
681
HELPER(msr_banked)682 void HELPER(msr_banked)(CPUARMState *env, uint32_t value, uint32_t tgtmode,
683 uint32_t regno)
684 {
685 msr_mrs_banked_exc_checks(env, tgtmode, regno);
686
687 switch (regno) {
688 case 16: /* SPSRs */
689 if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
690 /* Only happens for SPSR_Hyp access in Hyp mode */
691 env->spsr = value;
692 } else {
693 env->banked_spsr[bank_number(tgtmode)] = value;
694 }
695 break;
696 case 17: /* ELR_Hyp */
697 env->elr_el[2] = value;
698 break;
699 case 13:
700 env->banked_r13[bank_number(tgtmode)] = value;
701 break;
702 case 14:
703 env->banked_r14[r14_bank_number(tgtmode)] = value;
704 break;
705 case 8 ... 12:
706 switch (tgtmode) {
707 case ARM_CPU_MODE_USR:
708 env->usr_regs[regno - 8] = value;
709 break;
710 case ARM_CPU_MODE_FIQ:
711 env->fiq_regs[regno - 8] = value;
712 break;
713 default:
714 g_assert_not_reached();
715 }
716 break;
717 default:
718 g_assert_not_reached();
719 }
720 }
721
HELPER(mrs_banked)722 uint32_t HELPER(mrs_banked)(CPUARMState *env, uint32_t tgtmode, uint32_t regno)
723 {
724 msr_mrs_banked_exc_checks(env, tgtmode, regno);
725
726 switch (regno) {
727 case 16: /* SPSRs */
728 if (tgtmode == (env->uncached_cpsr & CPSR_M)) {
729 /* Only happens for SPSR_Hyp access in Hyp mode */
730 return env->spsr;
731 } else {
732 return env->banked_spsr[bank_number(tgtmode)];
733 }
734 case 17: /* ELR_Hyp */
735 return env->elr_el[2];
736 case 13:
737 return env->banked_r13[bank_number(tgtmode)];
738 case 14:
739 return env->banked_r14[r14_bank_number(tgtmode)];
740 case 8 ... 12:
741 switch (tgtmode) {
742 case ARM_CPU_MODE_USR:
743 return env->usr_regs[regno - 8];
744 case ARM_CPU_MODE_FIQ:
745 return env->fiq_regs[regno - 8];
746 default:
747 g_assert_not_reached();
748 }
749 default:
750 g_assert_not_reached();
751 }
752 }
753
HELPER(access_check_cp_reg)754 const void *HELPER(access_check_cp_reg)(CPUARMState *env, uint32_t key,
755 uint32_t syndrome, uint32_t isread)
756 {
757 ARMCPU *cpu = env_archcpu(env);
758 const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
759 CPAccessResult res = CP_ACCESS_OK;
760 int target_el;
761
762 assert(ri != NULL);
763
764 if (arm_feature(env, ARM_FEATURE_XSCALE) && ri->cp < 14
765 && extract32(env->cp15.c15_cpar, ri->cp, 1) == 0) {
766 res = CP_ACCESS_TRAP;
767 goto fail;
768 }
769
770 if (ri->accessfn) {
771 res = ri->accessfn(env, ri, isread);
772 }
773
774 /*
775 * If the access function indicates a trap from EL0 to EL1 then
776 * that always takes priority over the HSTR_EL2 trap. (If it indicates
777 * a trap to EL3, then the HSTR_EL2 trap takes priority; if it indicates
778 * a trap to EL2, then the syndrome is the same either way so we don't
779 * care whether technically the architecture says that HSTR_EL2 trap or
780 * the other trap takes priority. So we take the "check HSTR_EL2" path
781 * for all of those cases.)
782 */
783 if (res != CP_ACCESS_OK && ((res & CP_ACCESS_EL_MASK) == 0) &&
784 arm_current_el(env) == 0) {
785 goto fail;
786 }
787
788 /*
789 * HSTR_EL2 traps from EL1 are checked earlier, in generated code;
790 * we only need to check here for traps from EL0.
791 */
792 if (!is_a64(env) && arm_current_el(env) == 0 && ri->cp == 15 &&
793 arm_is_el2_enabled(env) &&
794 (arm_hcr_el2_eff(env) & (HCR_E2H | HCR_TGE)) != (HCR_E2H | HCR_TGE)) {
795 uint32_t mask = 1 << ri->crn;
796
797 if (ri->type & ARM_CP_64BIT) {
798 mask = 1 << ri->crm;
799 }
800
801 /* T4 and T14 are RES0 */
802 mask &= ~((1 << 4) | (1 << 14));
803
804 if (env->cp15.hstr_el2 & mask) {
805 res = CP_ACCESS_TRAP_EL2;
806 goto fail;
807 }
808 }
809
810 /*
811 * Fine-grained traps also are lower priority than undef-to-EL1,
812 * higher priority than trap-to-EL3, and we don't care about priority
813 * order with other EL2 traps because the syndrome value is the same.
814 */
815 if (arm_fgt_active(env, arm_current_el(env))) {
816 uint64_t trapword = 0;
817 unsigned int idx = FIELD_EX32(ri->fgt, FGT, IDX);
818 unsigned int bitpos = FIELD_EX32(ri->fgt, FGT, BITPOS);
819 bool rev = FIELD_EX32(ri->fgt, FGT, REV);
820 bool trapbit;
821
822 if (ri->fgt & FGT_EXEC) {
823 assert(idx < ARRAY_SIZE(env->cp15.fgt_exec));
824 trapword = env->cp15.fgt_exec[idx];
825 } else if (isread && (ri->fgt & FGT_R)) {
826 assert(idx < ARRAY_SIZE(env->cp15.fgt_read));
827 trapword = env->cp15.fgt_read[idx];
828 } else if (!isread && (ri->fgt & FGT_W)) {
829 assert(idx < ARRAY_SIZE(env->cp15.fgt_write));
830 trapword = env->cp15.fgt_write[idx];
831 }
832
833 trapbit = extract64(trapword, bitpos, 1);
834 if (trapbit != rev) {
835 res = CP_ACCESS_TRAP_EL2;
836 goto fail;
837 }
838 }
839
840 if (likely(res == CP_ACCESS_OK)) {
841 return ri;
842 }
843
844 fail:
845 switch (res & ~CP_ACCESS_EL_MASK) {
846 case CP_ACCESS_TRAP:
847 break;
848 case CP_ACCESS_TRAP_UNCATEGORIZED:
849 /* Only CP_ACCESS_TRAP traps are direct to a specified EL */
850 assert((res & CP_ACCESS_EL_MASK) == 0);
851 if (cpu_isar_feature(aa64_ids, cpu) && isread &&
852 arm_cpreg_in_idspace(ri)) {
853 /*
854 * FEAT_IDST says this should be reported as EC_SYSTEMREGISTERTRAP,
855 * not EC_UNCATEGORIZED
856 */
857 break;
858 }
859 syndrome = syn_uncategorized();
860 break;
861 default:
862 g_assert_not_reached();
863 }
864
865 target_el = res & CP_ACCESS_EL_MASK;
866 switch (target_el) {
867 case 0:
868 target_el = exception_target_el(env);
869 break;
870 case 2:
871 assert(arm_current_el(env) != 3);
872 assert(arm_is_el2_enabled(env));
873 break;
874 case 3:
875 assert(arm_feature(env, ARM_FEATURE_EL3));
876 break;
877 default:
878 /* No "direct" traps to EL1 */
879 g_assert_not_reached();
880 }
881
882 raise_exception(env, EXCP_UDEF, syndrome, target_el);
883 }
884
HELPER(lookup_cp_reg)885 const void *HELPER(lookup_cp_reg)(CPUARMState *env, uint32_t key)
886 {
887 ARMCPU *cpu = env_archcpu(env);
888 const ARMCPRegInfo *ri = get_arm_cp_reginfo(cpu->cp_regs, key);
889
890 assert(ri != NULL);
891 return ri;
892 }
893
894 /*
895 * Test for HCR_EL2.TIDCP at EL1.
896 * Since implementation defined registers are rare, and within QEMU
897 * most of them are no-op, do not waste HFLAGS space for this and
898 * always use a helper.
899 */
HELPER(tidcp_el1)900 void HELPER(tidcp_el1)(CPUARMState *env, uint32_t syndrome)
901 {
902 if (arm_hcr_el2_eff(env) & HCR_TIDCP) {
903 raise_exception_ra(env, EXCP_UDEF, syndrome, 2, GETPC());
904 }
905 }
906
907 /*
908 * Similarly, for FEAT_TIDCP1 at EL0.
909 * We have already checked for the presence of the feature.
910 */
HELPER(tidcp_el0)911 void HELPER(tidcp_el0)(CPUARMState *env, uint32_t syndrome)
912 {
913 /* See arm_sctlr(), but we also need the sctlr el. */
914 ARMMMUIdx mmu_idx = arm_mmu_idx_el(env, 0);
915 int target_el = mmu_idx == ARMMMUIdx_E20_0 ? 2 : 1;
916
917 /*
918 * The bit is not valid unless the target el is aa64, but since the
919 * bit test is simpler perform that first and check validity after.
920 */
921 if ((env->cp15.sctlr_el[target_el] & SCTLR_TIDCP)
922 && arm_el_is_aa64(env, target_el)) {
923 raise_exception_ra(env, EXCP_UDEF, syndrome, target_el, GETPC());
924 }
925 }
926
HELPER(set_cp_reg)927 void HELPER(set_cp_reg)(CPUARMState *env, const void *rip, uint32_t value)
928 {
929 const ARMCPRegInfo *ri = rip;
930
931 if (ri->type & ARM_CP_IO) {
932 bql_lock();
933 ri->writefn(env, ri, value);
934 bql_unlock();
935 } else {
936 ri->writefn(env, ri, value);
937 }
938 }
939
HELPER(get_cp_reg)940 uint32_t HELPER(get_cp_reg)(CPUARMState *env, const void *rip)
941 {
942 const ARMCPRegInfo *ri = rip;
943 uint32_t res;
944
945 if (ri->type & ARM_CP_IO) {
946 bql_lock();
947 res = ri->readfn(env, ri);
948 bql_unlock();
949 } else {
950 res = ri->readfn(env, ri);
951 }
952
953 return res;
954 }
955
HELPER(set_cp_reg64)956 void HELPER(set_cp_reg64)(CPUARMState *env, const void *rip, uint64_t value)
957 {
958 const ARMCPRegInfo *ri = rip;
959
960 if (ri->type & ARM_CP_IO) {
961 bql_lock();
962 ri->writefn(env, ri, value);
963 bql_unlock();
964 } else {
965 ri->writefn(env, ri, value);
966 }
967 }
968
HELPER(get_cp_reg64)969 uint64_t HELPER(get_cp_reg64)(CPUARMState *env, const void *rip)
970 {
971 const ARMCPRegInfo *ri = rip;
972 uint64_t res;
973
974 if (ri->type & ARM_CP_IO) {
975 bql_lock();
976 res = ri->readfn(env, ri);
977 bql_unlock();
978 } else {
979 res = ri->readfn(env, ri);
980 }
981
982 return res;
983 }
984
HELPER(pre_hvc)985 void HELPER(pre_hvc)(CPUARMState *env)
986 {
987 ARMCPU *cpu = env_archcpu(env);
988 int cur_el = arm_current_el(env);
989 /* FIXME: Use actual secure state. */
990 bool secure = false;
991 bool undef;
992
993 if (arm_is_psci_call(cpu, EXCP_HVC)) {
994 /* If PSCI is enabled and this looks like a valid PSCI call then
995 * that overrides the architecturally mandated HVC behaviour.
996 */
997 return;
998 }
999
1000 if (!arm_feature(env, ARM_FEATURE_EL2)) {
1001 /* If EL2 doesn't exist, HVC always UNDEFs */
1002 undef = true;
1003 } else if (arm_feature(env, ARM_FEATURE_EL3)) {
1004 /* EL3.HCE has priority over EL2.HCD. */
1005 undef = !(env->cp15.scr_el3 & SCR_HCE);
1006 } else {
1007 undef = env->cp15.hcr_el2 & HCR_HCD;
1008 }
1009
1010 /* In ARMv7 and ARMv8/AArch32, HVC is undef in secure state.
1011 * For ARMv8/AArch64, HVC is allowed in EL3.
1012 * Note that we've already trapped HVC from EL0 at translation
1013 * time.
1014 */
1015 if (secure && (!is_a64(env) || cur_el == 1)) {
1016 undef = true;
1017 }
1018
1019 if (undef) {
1020 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1021 exception_target_el(env));
1022 }
1023 }
1024
HELPER(pre_smc)1025 void HELPER(pre_smc)(CPUARMState *env, uint32_t syndrome)
1026 {
1027 ARMCPU *cpu = env_archcpu(env);
1028 int cur_el = arm_current_el(env);
1029 bool secure = arm_is_secure(env);
1030 bool smd_flag = env->cp15.scr_el3 & SCR_SMD;
1031
1032 /*
1033 * SMC behaviour is summarized in the following table.
1034 * This helper handles the "Trap to EL2" and "Undef insn" cases.
1035 * The "Trap to EL3" and "PSCI call" cases are handled in the exception
1036 * helper.
1037 *
1038 * -> ARM_FEATURE_EL3 and !SMD
1039 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
1040 *
1041 * Conduit SMC, valid call Trap to EL2 PSCI Call
1042 * Conduit SMC, inval call Trap to EL2 Trap to EL3
1043 * Conduit not SMC Trap to EL2 Trap to EL3
1044 *
1045 *
1046 * -> ARM_FEATURE_EL3 and SMD
1047 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
1048 *
1049 * Conduit SMC, valid call Trap to EL2 PSCI Call
1050 * Conduit SMC, inval call Trap to EL2 Undef insn
1051 * Conduit not SMC Trap to EL2 Undef insn
1052 *
1053 *
1054 * -> !ARM_FEATURE_EL3
1055 * HCR_TSC && NS EL1 !HCR_TSC || !NS EL1
1056 *
1057 * Conduit SMC, valid call Trap to EL2 PSCI Call
1058 * Conduit SMC, inval call Trap to EL2 Undef insn
1059 * Conduit not SMC Undef or trap[1] Undef insn
1060 *
1061 * [1] In this case:
1062 * - if HCR_EL2.NV == 1 we must trap to EL2
1063 * - if HCR_EL2.NV == 0 then newer architecture revisions permit
1064 * AArch64 (but not AArch32) to trap to EL2 as an IMPDEF choice
1065 * - otherwise we must UNDEF
1066 * We take the IMPDEF choice to always UNDEF if HCR_EL2.NV == 0.
1067 */
1068
1069 /* On ARMv8 with EL3 AArch64, SMD applies to both S and NS state.
1070 * On ARMv8 with EL3 AArch32, or ARMv7 with the Virtualization
1071 * extensions, SMD only applies to NS state.
1072 * On ARMv7 without the Virtualization extensions, the SMD bit
1073 * doesn't exist, but we forbid the guest to set it to 1 in scr_write(),
1074 * so we need not special case this here.
1075 */
1076 bool smd = arm_feature(env, ARM_FEATURE_AARCH64) ? smd_flag
1077 : smd_flag && !secure;
1078
1079 if (!arm_feature(env, ARM_FEATURE_EL3) &&
1080 !(arm_hcr_el2_eff(env) & HCR_NV) &&
1081 cpu->psci_conduit != QEMU_PSCI_CONDUIT_SMC) {
1082 /*
1083 * If we have no EL3 then traditionally SMC always UNDEFs and can't be
1084 * trapped to EL2. For nested virtualization, SMC can be trapped to
1085 * the outer hypervisor. PSCI-via-SMC is a sort of ersatz EL3
1086 * firmware within QEMU, and we want an EL2 guest to be able
1087 * to forbid its EL1 from making PSCI calls into QEMU's
1088 * "firmware" via HCR.TSC, so for these purposes treat
1089 * PSCI-via-SMC as implying an EL3.
1090 * This handles the very last line of the previous table.
1091 */
1092 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1093 exception_target_el(env));
1094 }
1095
1096 if (cur_el == 1 && (arm_hcr_el2_eff(env) & HCR_TSC)) {
1097 /* In NS EL1, HCR controlled routing to EL2 has priority over SMD.
1098 * We also want an EL2 guest to be able to forbid its EL1 from
1099 * making PSCI calls into QEMU's "firmware" via HCR.TSC.
1100 * This handles all the "Trap to EL2" cases of the previous table.
1101 */
1102 raise_exception(env, EXCP_HYP_TRAP, syndrome, 2);
1103 }
1104
1105 /* Catch the two remaining "Undef insn" cases of the previous table:
1106 * - PSCI conduit is SMC but we don't have a valid PCSI call,
1107 * - We don't have EL3 or SMD is set.
1108 */
1109 if (!arm_is_psci_call(cpu, EXCP_SMC) &&
1110 (smd || !arm_feature(env, ARM_FEATURE_EL3))) {
1111 raise_exception(env, EXCP_UDEF, syn_uncategorized(),
1112 exception_target_el(env));
1113 }
1114 }
1115
1116 /* ??? Flag setting arithmetic is awkward because we need to do comparisons.
1117 The only way to do that in TCG is a conditional branch, which clobbers
1118 all our temporaries. For now implement these as helper functions. */
1119
1120 /* Similarly for variable shift instructions. */
1121
HELPER(shl_cc)1122 uint32_t HELPER(shl_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1123 {
1124 int shift = i & 0xff;
1125 if (shift >= 32) {
1126 if (shift == 32)
1127 env->CF = x & 1;
1128 else
1129 env->CF = 0;
1130 return 0;
1131 } else if (shift != 0) {
1132 env->CF = (x >> (32 - shift)) & 1;
1133 return x << shift;
1134 }
1135 return x;
1136 }
1137
HELPER(shr_cc)1138 uint32_t HELPER(shr_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1139 {
1140 int shift = i & 0xff;
1141 if (shift >= 32) {
1142 if (shift == 32)
1143 env->CF = (x >> 31) & 1;
1144 else
1145 env->CF = 0;
1146 return 0;
1147 } else if (shift != 0) {
1148 env->CF = (x >> (shift - 1)) & 1;
1149 return x >> shift;
1150 }
1151 return x;
1152 }
1153
HELPER(sar_cc)1154 uint32_t HELPER(sar_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1155 {
1156 int shift = i & 0xff;
1157 if (shift >= 32) {
1158 env->CF = (x >> 31) & 1;
1159 return (int32_t)x >> 31;
1160 } else if (shift != 0) {
1161 env->CF = (x >> (shift - 1)) & 1;
1162 return (int32_t)x >> shift;
1163 }
1164 return x;
1165 }
1166
HELPER(ror_cc)1167 uint32_t HELPER(ror_cc)(CPUARMState *env, uint32_t x, uint32_t i)
1168 {
1169 int shift1, shift;
1170 shift1 = i & 0xff;
1171 shift = shift1 & 0x1f;
1172 if (shift == 0) {
1173 if (shift1 != 0)
1174 env->CF = (x >> 31) & 1;
1175 return x;
1176 } else {
1177 env->CF = (x >> (shift - 1)) & 1;
1178 return ((uint32_t)x >> shift) | (x << (32 - shift));
1179 }
1180 }
1181
HELPER(probe_access)1182 void HELPER(probe_access)(CPUARMState *env, target_ulong ptr,
1183 uint32_t access_type, uint32_t mmu_idx,
1184 uint32_t size)
1185 {
1186 uint32_t in_page = -((uint32_t)ptr | TARGET_PAGE_SIZE);
1187 uintptr_t ra = GETPC();
1188
1189 if (likely(size <= in_page)) {
1190 probe_access(env, ptr, size, access_type, mmu_idx, ra);
1191 } else {
1192 probe_access(env, ptr, in_page, access_type, mmu_idx, ra);
1193 probe_access(env, ptr + in_page, size - in_page,
1194 access_type, mmu_idx, ra);
1195 }
1196 }
1197
1198 /*
1199 * This function corresponds to AArch64.vESBOperation().
1200 * Note that the AArch32 version is not functionally different.
1201 */
HELPER(vesb)1202 void HELPER(vesb)(CPUARMState *env)
1203 {
1204 /*
1205 * The EL2Enabled() check is done inside arm_hcr_el2_eff,
1206 * and will return HCR_EL2.VSE == 0, so nothing happens.
1207 */
1208 uint64_t hcr = arm_hcr_el2_eff(env);
1209 bool enabled = !(hcr & HCR_TGE) && (hcr & HCR_AMO);
1210 bool pending = enabled && (hcr & HCR_VSE);
1211 bool masked = (env->daif & PSTATE_A);
1212
1213 /* If VSE pending and masked, defer the exception. */
1214 if (pending && masked) {
1215 uint32_t syndrome;
1216
1217 if (arm_el_is_aa64(env, 1)) {
1218 /* Copy across IDS and ISS from VSESR. */
1219 syndrome = env->cp15.vsesr_el2 & 0x1ffffff;
1220 } else {
1221 ARMMMUFaultInfo fi = { .type = ARMFault_AsyncExternal };
1222
1223 if (extended_addresses_enabled(env)) {
1224 syndrome = arm_fi_to_lfsc(&fi);
1225 } else {
1226 syndrome = arm_fi_to_sfsc(&fi);
1227 }
1228 /* Copy across AET and ExT from VSESR. */
1229 syndrome |= env->cp15.vsesr_el2 & 0xd000;
1230 }
1231
1232 /* Set VDISR_EL2.A along with the syndrome. */
1233 env->cp15.vdisr_el2 = syndrome | (1u << 31);
1234
1235 /* Clear pending virtual SError */
1236 env->cp15.hcr_el2 &= ~HCR_VSE;
1237 cpu_reset_interrupt(env_cpu(env), CPU_INTERRUPT_VSERR);
1238 }
1239 }
1240