qemu-commits
From: Peter Maydell
Subject: [Qemu-commits] [qemu/qemu] 528814: target/arm: Fix SMLAD incorrect setting of Q bit
Date: Wed, 21 Oct 2020 03:08:29 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: 5288145d716338ace0f83e3ff05c4d07715bb4f4
      
https://github.com/qemu/qemu/commit/5288145d716338ace0f83e3ff05c4d07715bb4f4
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Fix SMLAD incorrect setting of Q bit

The SMLAD instruction is supposed to:
 * signed multiply Rn[15:0] * Rm[15:0]
 * signed multiply Rn[31:16] * Rm[31:16]
 * perform a signed addition of the products and Ra
 * set Rd to the low 32 bits of the theoretical
   infinite-precision result
 * set the Q flag if the sign-extension of Rd
   would differ from the infinite-precision result
   (ie on overflow)

Our current implementation doesn't quite do this, though: it performs
an addition of the products setting Q on overflow, and then it adds
Ra, again possibly setting Q.  This sometimes incorrectly sets Q when
the architecturally mandated only-check-for-overflow-once algorithm
does not. For instance:
 r1 = 0x80008000; r2 = 0x80008000; r3 = 0xffffffff
 smlad r0, r1, r2, r3
This is (-32768 * -32768) + (-32768 * -32768) - 1

The products are both 0x4000_0000, so when added together as 32-bit
signed numbers they overflow (and QEMU sets Q), but because the
addition of Ra == -1 brings the total back down to 0x7fff_ffff
there is no overflow for the complete operation and setting Q is
incorrect.

Fix this edge case by resorting to 64-bit arithmetic for the
case where we need to add three values together.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201009144712.11187-1-peter.maydell@linaro.org
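The Q-flag mismatch described in this commit message, as an added C reference model written for this page (it is not QEMU's translate.c code): the two-step "add products, check Q, add Ra, check Q" sequence beside the single 64-bit sum with one truncation check at the end. The names smlad_two_step, smlad_single_check and smlad_models_disagree are this example's own, and the model covers only the plain SMLAD form (no halfword exchange).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the AArch32 SMLAD data path; example code only. */
typedef struct {
    uint32_t rd;   /* low 32 bits of the infinite-precision result */
    bool q;        /* whether this operation would set the sticky Q flag */
} smlad_result;

/* Signed 16x16 -> 32 products of the low and high halfwords of Rn and Rm. */
static void smlad_products(uint32_t rn, uint32_t rm, int32_t *lo, int32_t *hi)
{
    *lo = (int32_t)(int16_t)(rn & 0xffffu) * (int32_t)(int16_t)(rm & 0xffffu);
    *hi = (int32_t)(int16_t)(rn >> 16)     * (int32_t)(int16_t)(rm >> 16);
}

/* 32-bit signed add that reports whether the true sum was truncated. */
static int32_t add32_check(int32_t a, int32_t b, bool *overflow)
{
    int64_t sum = (int64_t)a + (int64_t)b;
    int32_t wrapped = (int32_t)(uint32_t)sum;   /* keep the low 32 bits */
    *overflow = (sum != (int64_t)wrapped);
    return wrapped;
}

/* The two-step behaviour the commit message describes as incorrect:
 * products are added with an overflow check, then Ra is added with a
 * second check, and Q is set if either step overflowed. */
smlad_result smlad_two_step(uint32_t rn, uint32_t rm, uint32_t ra)
{
    int32_t lo, hi;
    bool q1, q2;
    smlad_products(rn, rm, &lo, &hi);
    int32_t partial = add32_check(lo, hi, &q1);
    int32_t total = add32_check(partial, (int32_t)ra, &q2);
    smlad_result r = { (uint32_t)total, q1 || q2 };
    return r;
}

/* The architectural behaviour: one wide sum of all three values, Rd is
 * its low 32 bits, Q is set only if sign-extending Rd differs from it. */
smlad_result smlad_single_check(uint32_t rn, uint32_t rm, uint32_t ra)
{
    int32_t lo, hi;
    smlad_products(rn, rm, &lo, &hi);
    int64_t sum = (int64_t)lo + (int64_t)hi + (int64_t)(int32_t)ra;
    int32_t wrapped = (int32_t)(uint32_t)sum;
    smlad_result r = { (uint32_t)wrapped, sum != (int64_t)wrapped };
    return r;
}

/* True when the two models disagree about Q for the given operands. */
bool smlad_models_disagree(uint32_t rn, uint32_t rm, uint32_t ra)
{
    return smlad_two_step(rn, rm, ra).q != smlad_single_check(rn, rm, ra).q;
}

int main(void)
{
    /* The commit message's operands: r1 = r2 = 0x80008000, r3 = 0xffffffff. */
    smlad_result old = smlad_two_step(0x80008000u, 0x80008000u, 0xffffffffu);
    smlad_result fix = smlad_single_check(0x80008000u, 0x80008000u, 0xffffffffu);
    printf("two-step:     rd=0x%08x Q=%d\n", old.rd, (int)old.q);
    printf("single-check: rd=0x%08x Q=%d\n", fix.rd, (int)fix.q);
    return 0;
}
```

For the operands in the commit message both models produce Rd = 0x7fffffff, but only the two-step model reports Q, because the intermediate 0x4000_0000 + 0x4000_0000 wraps before Ra = -1 pulls the total back into range. Two 16x16 products and a 32-bit addend always fit in an int64_t, so a single comparison of the wide sum against its sign-extended low word is all the architectural definition needs.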


  Commit: 61db12d9f9eb36761edba4d9a414cd8dd34c512b
      
https://github.com/qemu/qemu/commit/61db12d9f9eb36761edba4d9a414cd8dd34c512b
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/helper.h
    M target/arm/translate-vfp.c.inc
    M target/arm/vfp_helper.c

  Log Message:
  -----------
  target/arm: AArch32 VCVT fixed-point to float is always round-to-nearest

For AArch32, unlike the VCVT of integer to float, which honours the
rounding mode specified by the FPSCR, VCVT of fixed-point to float is
always round-to-nearest. (AArch64 fixed-point-to-float conversions
always honour the FPCR rounding mode.)

Implement this by providing _round_to_nearest versions of the
relevant helpers which set the rounding mode temporarily when making
the call to the underlying softfloat function.

We only need to change the VFP VCVT instructions, because the
standard FPSCR value used by the Neon VCVT is always set to
round-to-nearest, so we don't need to do the extra work of saving
and restoring the rounding mode.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201013103532.13391-1-peter.maydell@linaro.org


  Commit: 8ddd611a50481826a8e583b7ccdf6e1866e22c15
      
https://github.com/qemu/qemu/commit/8ddd611a50481826a8e583b7ccdf6e1866e22c15
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/arm/strongarm.c

  Log Message:
  -----------
  hw/arm/strongarm: Fix 'time to transmit a char' unit comment

The time to transmit a char is expressed in nanoseconds, not in ticks.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201014213601.205222-1-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: b77a52a0c14163e4d8602c94b64bae9cf3524ee1
      
https://github.com/qemu/qemu/commit/b77a52a0c14163e4d8602c94b64bae9cf3524ee1
  Author: Philippe Mathieu-Daudé <philmd@redhat.com>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M default-configs/devices/arm-softmmu.mak
    M hw/arm/Kconfig

  Log Message:
  -----------
  hw/arm: Restrict APEI tables generation to the 'virt' machine

While APEI is a generic ACPI feature (usable by X86 and ARM64), only
the 'virt' machine uses it, by enabling the RAS Virtualization. See
commit 2afa8c8519 ("hw/arm/virt: Introduce a RAS machine option").

Restrict the APEI tables generation code to the single user: the virt
machine. If another machine wants to use it, it simply has to 'select
ACPI_APEI' in its Kconfig.

Fixes: aa16508f1d ("ACPI: Build related register address fields via hardware error fw_cfg blob")
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Dongjiu Geng <gengdongjiu@huawei.com>
Acked-by: Laszlo Ersek <lersek@redhat.com>
Reviewed-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20201008161414.2672569-1-philmd@redhat.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: f3f69362fdd957dbdc6b5bd1120347560752e4b2
      
https://github.com/qemu/qemu/commit/f3f69362fdd957dbdc6b5bd1120347560752e4b2
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/timer/bcm2835_systmr.c
    M include/hw/timer/bcm2835_systmr.h

  Log Message:
  -----------
  hw/timer/bcm2835: Introduce BCM2835_SYSTIMER_COUNT definition

Use the BCM2835_SYSTIMER_COUNT definition instead of the
magic '4' value.

Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201010203709.3116542-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: cdb490da8695ec67dbc151335b31450abb9e564e
      
https://github.com/qemu/qemu/commit/cdb490da8695ec67dbc151335b31450abb9e564e
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/timer/bcm2835_systmr.c
    M include/hw/timer/bcm2835_systmr.h

  Log Message:
  -----------
  hw/timer/bcm2835: Rename variable holding CTRL_STATUS register

The variable holding the CTRL_STATUS register is misnamed
'status'. Rename it 'ctrl_status' to make it more obvious
this register is also used to control the peripheral.

Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201010203709.3116542-3-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: be95dffa326a63f6f850d389dbe358d25e8ba20b
      
https://github.com/qemu/qemu/commit/be95dffa326a63f6f850d389dbe358d25e8ba20b
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/timer/bcm2835_systmr.c
    M hw/timer/trace-events
    M include/hw/timer/bcm2835_systmr.h

  Log Message:
  -----------
  hw/timer/bcm2835: Support the timer COMPARE registers

This peripheral has 1 free-running timer and 4 compare registers.

Only the free-running timer is implemented. Add support for the
COMPARE registers (each register is wired to an IRQ).

Reference: "BCM2835 ARM Peripherals" datasheet [*]
            chapter 12 "System Timer":

  The System Timer peripheral provides four 32-bit timer channels
  and a single 64-bit free running counter. Each channel has an
  output compare register, which is compared against the 32 least
  significant bits of the free running counter values. When the
  two values match, the system timer peripheral generates a signal
  to indicate a match for the appropriate channel. The match signal
  is then fed into the interrupt controller.

This peripheral is used since Linux 3.7, commit ee4af5696720
("ARM: bcm2835: add system timer").

[*] https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Luc Michel <luc@lmichel.fr>
Message-id: 20201010203709.3116542-4-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
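The compare behaviour quoted from the datasheet above, as an added C model written for this page (it is not QEMU's hw/timer/bcm2835_systmr.c): a 64-bit free-running counter, four compare registers checked against its low 32 bits, and a per-channel match bit that drives that channel's IRQ line. The function names and the scenario in systmr_demo are this example's own; the interval logic goes a step beyond the quoted text by handling advances that cross the 32-bit wrap of the low word, which is what an emulator must get right when it jumps the counter forward instead of ticking it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SYSTMR_CHANNELS 4   /* four compare channels, one 64-bit counter */

typedef struct {
    uint64_t counter;                   /* free-running 64-bit counter */
    uint32_t compare[SYSTMR_CHANNELS];  /* C0..C3 output compare registers */
    uint32_t match;                     /* bit n set: channel n match pending */
} systmr_state;

/* Ticks until the low 32 bits of the counter next equal `target`, starting
 * from low word `lo`. Unsigned subtraction gives the modular distance, so a
 * target numerically below `lo` is reached after the 32-bit wrap. */
uint32_t systmr_ticks_until(uint32_t lo, uint32_t target)
{
    return target - lo;
}

/* Advance the counter by `ticks` and record a match for every channel whose
 * compare value is hit in the interval (counter, counter + ticks].
 * Returns the mask of channels that newly matched. */
uint32_t systmr_advance(systmr_state *s, uint64_t ticks)
{
    uint32_t lo = (uint32_t)s->counter;
    uint32_t raised = 0;

    for (int ch = 0; ch < SYSTMR_CHANNELS; ch++) {
        uint32_t delta = systmr_ticks_until(lo, s->compare[ch]);
        /* delta == 0: the compare value equals the current low word, which
         * matched in the past; the next match is a full 2^32 ticks away. */
        uint64_t distance = delta ? delta : (1ULL << 32);
        if (distance <= ticks) {
            raised |= 1u << ch;
        }
    }
    s->counter += ticks;
    s->match |= raised;
    return raised;
}

/* Each pending match bit drives one IRQ line into the interrupt controller. */
uint32_t systmr_irq_lines(const systmr_state *s)
{
    return s->match & ((1u << SYSTMR_CHANNELS) - 1);
}

/* Constructed scenario: counter just below a 32-bit wrap; channel 0 armed
 * past the wrap, channel 1 far ahead, channel 2 equal to the current low
 * word, channel 3 just before the wrap. Returns the newly matched mask. */
uint32_t systmr_demo(void)
{
    systmr_state s = {
        .counter = 0xfffffff0ull,
        .compare = { 0x00000005u, 0x00000100u, 0xfffffff0u, 0xffffffffu },
    };
    return systmr_advance(&s, 0x20);
}

int main(void)
{
    uint32_t raised = systmr_demo();
    printf("channels matched after 0x20 ticks: 0x%x\n", raised);
    return 0;
}
```

Advancing 0x20 ticks from 0xfffffff0 reaches channel 3 (0xffffffff, 15 ticks away) and channel 0 (0x00000005, 21 ticks away on the far side of the wrap), but not channel 1 (272 ticks away) or channel 2, whose compare value equals the current low word and so will not match again for 2^32 ticks. Only the low 32 bits take part in the comparison, exactly as the datasheet states, which is why a compare value keeps firing once every 2^32 ticks while the 64-bit counter continues to grow.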


  Commit: 722bde6789c55f9f872026f796ecabecbec5d82b
      
https://github.com/qemu/qemu/commit/722bde6789c55f9f872026f796ecabecbec5d82b
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/arm/bcm2835_peripherals.c

  Log Message:
  -----------
  hw/arm/bcm2835_peripherals: Correctly wire the SYS_timer IRQs

The SYS_timer is not directly wired to the ARM core, but to the
SoC (peripheral) interrupt controller.

Fixes: 0e5bbd74064 ("hw/arm/bcm2835_peripherals: Use the SYS_timer")
Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201010203709.3116542-5-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 3ab6e68cd035de244d9bf999900349a69939ad41
      
https://github.com/qemu/qemu/commit/3ab6e68cd035de244d9bf999900349a69939ad41
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M accel/tcg/cputlb.c
    M include/exec/exec-all.h

  Log Message:
  -----------
  accel/tcg: Add tlb_flush_page_bits_by_mmuidx*

On ARM, the Top Byte Ignore feature means that only 56 bits of
the address are significant in the virtual address.  We are
required to give the entire 64-bit address to FAR_ELx on fault,
which means that we do not "clean" the top byte early in TCG.

This new interface allows us to flush all 256 possible aliases
for a given page, currently missed by tlb_flush_page*.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201016210754.818257-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: ea04dce7bb4ccd3e464e5189c0d6d53510b7c212
      
https://github.com/qemu/qemu/commit/ea04dce7bb4ccd3e464e5189c0d6d53510b7c212
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/helper.c

  Log Message:
  -----------
  target/arm: Use tlb_flush_page_bits_by_mmuidx*

When TBI is enabled in a given regime, 56 bits of the address
are significant and we need to clear out any other matching
virtual addresses with differing tags.

The other uses of tlb_flush_page (without mmuidx) in this file
are only used by aarch32 mode.

Fixes: 38d931687fa1
Reported-by: Jordan Frank <jordanfrank@fb.com>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201016210754.818257-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 19d50149c857e50ccb1ee35dd4277f9d4954877f
      
https://github.com/qemu/qemu/commit/19d50149c857e50ccb1ee35dd4277f9d4954877f
  Author: Havard Skinnemoen <hskinnemoen@google.com>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M tests/qtest/meson.build
    A tests/qtest/npcm7xx_timer-test.c

  Log Message:
  -----------
  tests/qtest: Add npcm7xx timer test

This test exercises the various modes of the npcm7xx timer. In
particular, it triggers the bug found by the fuzzer, as reported here:

https://lists.gnu.org/archive/html/qemu-devel/2020-09/msg02992.html

It also found several other bugs, especially related to interrupt
handling.

The test exercises all the timers in all the timer modules, which
expands to 180 test cases in total.

Reviewed-by: Tyrone Ting <kfting@nuvoton.com>
Signed-off-by: Havard Skinnemoen <hskinnemoen@google.com>
Message-id: 20201008232154.94221-2-hskinnemoen@google.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: a0c0c9f8b4093bf1564d705d8977b6ba46cd2f5a
      
https://github.com/qemu/qemu/commit/a0c0c9f8b4093bf1564d705d8977b6ba46cd2f5a
  Author: Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M docs/devel/loads-stores.rst

  Log Message:
  -----------
  loads-stores.rst: add footnote that clarifies GETPC usage

Current documentation is not too clear on the GETPC usage.
In particular, when used outside the top level helper function
it causes unexpected behavior.

Signed-off-by: Emanuele Giuseppe Esposito <e.emanuelegiuseppe@gmail.com>
Message-id: 20201015095147.1691-1-e.emanuelegiuseppe@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: b68a92f4cb16115025f41bc59e1b2f182a610370
      
https://github.com/qemu/qemu/commit/b68a92f4cb16115025f41bc59e1b2f182a610370
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/intc/bcm2835_ic.c
    M hw/intc/trace-events

  Log Message:
  -----------
  hw/intc/bcm2835_ic: Trace GPU/CPU IRQ handlers

Add trace events for GPU and CPU IRQs.

Reviewed-by: Luc Michel <luc.michel@greensocs.com>
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201017180731.1165871-2-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: e7534f29b1587527613fdce3e460ac4720e5d18b
      
https://github.com/qemu/qemu/commit/e7534f29b1587527613fdce3e460ac4720e5d18b
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/intc/bcm2836_control.c

  Log Message:
  -----------
  hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers

The IRQ values are defined a few lines earlier, use them instead of
the magic numbers.

Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-id: 20201017180731.1165871-3-f4bug@amsat.org
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 4aedfc0f633fd06dd2a5dc8ffa93f4c56117e37f
      
https://github.com/qemu/qemu/commit/4aedfc0f633fd06dd2a5dc8ffa93f4c56117e37f
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/mte_helper.c

  Log Message:
  -----------
  target/arm: Remove redundant mmu_idx lookup

We already have the full ARMMMUIdx as computed from the
function parameter.

For the purpose of regime_has_2_ranges, we can ignore any
difference between AccType_Normal and AccType_Unpriv, which
would be the only difference between the passed mmu_idx
and arm_mmu_idx_el.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Tested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Message-id: 20201008162155.161886-2-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 50244cc76abcac3296cff3d84826f5ff71808c80
      
https://github.com/qemu/qemu/commit/50244cc76abcac3296cff3d84826f5ff71808c80
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/mte_helper.c

  Log Message:
  -----------
  target/arm: Fix reported EL for mte_check_fail

The reporting in AArch64.TagCheckFail only depends on PSTATE.EL,
and not the AccType of the operation.  There are two guest
visible problems that affect LDTR and STTR because of this:

(1) Selecting TCF0 vs TCF1 to decide on reporting,
(2) Report "data abort same el" not "data abort lower el".

Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Tested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Message-id: 20201008162155.161886-3-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 4301acd7d7d455792ea873ced75c0b5d653618b1
      
https://github.com/qemu/qemu/commit/4301acd7d7d455792ea873ced75c0b5d653618b1
  Author: Richard Henderson <richard.henderson@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/helper.c
    M target/arm/internals.h

  Log Message:
  -----------
  target/arm: Ignore HCR_EL2.ATA when {E2H,TGE} != 11

Unlike many other bits in HCR_EL2, the description for this
bit does not contain the phrase "if ... this field behaves
as 0 for all purposes other than", so do not squash the bit
in arm_hcr_el2_eff.

Instead, replicate the E2H+TGE test in the two places that
require it.

Reported-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Tested-by: Vincenzo Frascino <vincenzo.frascino@arm.com>
Message-id: 20201008162155.161886-4-richard.henderson@linaro.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 3cd27b58dd2045580689bdece677fa14e12c324d
      
https://github.com/qemu/qemu/commit/3cd27b58dd2045580689bdece677fa14e12c324d
  Author: Peng Liang <liangpeng10@huawei.com>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/i2c/microbit_i2c.c

  Log Message:
  -----------
  microbit_i2c: Fix coredump when dump-vmstate

VMStateDescription.fields should end with VMSTATE_END_OF_LIST().
However, microbit_i2c_vmstate doesn't follow it.  Let's change it.

Fixes: 9d68bf564e ("arm: Stub out NRF51 TWI magnetometer/accelerometer detection")
Reported-by: Euler Robot <euler.robot@huawei.com>
Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Message-id: 20201019093401.2993833-1-liangpeng10@huawei.com
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: b3267ff675dd410b4c2a569e209cb7d468cf1873
      
https://github.com/qemu/qemu/commit/b3267ff675dd410b4c2a569e209cb7d468cf1873
  Author: Philippe Mathieu-Daudé <f4bug@amsat.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M hw/arm/nseries.c

  Log Message:
  -----------
  hw/arm/nseries: Fix loading kernel image on n8x0 machines

Commit 7998beb9c2e removed the ram_size initialization in the
arm_boot_info structure, however it is used by arm_load_kernel().

Initialize the field to fix:

  $ qemu-system-arm -M n800 -append 'console=ttyS1' \
    -kernel meego-arm-n8x0-1.0.80.20100712.1431-vmlinuz-2.6.35~rc4-129.1-n8x0
  qemu-system-arm: kernel 'meego-arm-n8x0-1.0.80.20100712.1431-vmlinuz-2.6.35~rc4-129.1-n8x0' is too large to fit in RAM (kernel size 1964608, RAM size 0)

Noticed while running the test introduced in commit 050a82f0c5b
("tests/acceptance: Add a test for the N800 and N810 arm machines").

Fixes: 7998beb9c2e ("arm/nseries: use memdev for RAM")
Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Tested-by: Thomas Huth <thuth@redhat.com>
Message-id: 20201019095148.1602119-1-f4bug@amsat.org
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


  Commit: 514101c0b931f0a11a40d29d26af1cc40482f951
      
https://github.com/qemu/qemu/commit/514101c0b931f0a11a40d29d26af1cc40482f951
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M scripts/decodetree.py

  Log Message:
  -----------
  decodetree: Fix codegen for non-overlapping group inside overlapping group

For nested groups like:

  {
    [
      pattern 1
      pattern 2
    ]
    pattern 3
  }

the intended behaviour is that patterns 1 and 2 must not
overlap with each other; if the insn matches neither then
we fall through to pattern 3 as the next thing in the
outer overlapping group.

Currently we generate incorrect code for this situation,
because in the code path for a failed match inside the
inner non-overlapping group we generate a "return" statement,
which causes decode to stop entirely rather than continuing
to the next thing in the outer group.

Generate a "break" instead, so that decode flow behaves
as required for this nested group case.

Suggested-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-2-peter.maydell@linaro.org


  Commit: 5d2555a1fe7370feeb1efbbf276a653040910017
      
https://github.com/qemu/qemu/commit/5d2555a1fe7370feeb1efbbf276a653040910017
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/cpu.h
    M target/arm/m-nocp.decode
    M target/arm/translate-vfp.c.inc

  Log Message:
  -----------
  target/arm: Implement v8.1M NOCP handling

From v8.1M, disabled-coprocessor handling changes slightly:
 * coprocessors 8, 9, 14 and 15 are also governed by the
   cp10 enable bit, like cp11
 * an extra range of instruction patterns is considered
   to be inside the coprocessor space

We previously marked these up with TODO comments; implement the
correct behaviour.

Unfortunately there is no ID register field which indicates this
behaviour.  We could in theory test an unrelated ID register which
indicates guaranteed-to-be-in-v8.1M behaviour like ID_ISAR0.CmpBranch
>= 3 (low-overhead-loops), but it seems better to simply define a new
ARM_FEATURE_V8_1M feature flag and use it for this and other
new-in-v8.1M behaviour that isn't identifiable from the ID registers.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201019151301.2046-3-peter.maydell@linaro.org


  Commit: cc73bbded0dfb5612b0e416f7eda13a66950542a
      
https://github.com/qemu/qemu/commit/cc73bbded0dfb5612b0e416f7eda13a66950542a
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/t32.decode
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Implement v8.1M conditional-select insns

v8.1M brings four new insns to M-profile:
 * CSEL  : Rd = cond ? Rn : Rm
 * CSINC : Rd = cond ? Rn : Rm+1
 * CSINV : Rd = cond ? Rn : ~Rm
 * CSNEG : Rd = cond ? Rn : -Rm

Implement these.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-4-peter.maydell@linaro.org


  Commit: 45f11876ae86128bdee27e0b089045de43cc88e4
      
https://github.com/qemu/qemu/commit/45f11876ae86128bdee27e0b089045de43cc88e4
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/t32.decode

  Log Message:
  -----------
  target/arm: Make the t32 insn[25:23]=111 group non-overlapping

The t32 decode has a group which represents a set of insns
which overlap with B_cond_thumb because they have [25:23]=111
(which is an invalid condition code field for the branch insn).
This group is currently defined using the {} overlap-OK syntax,
but it is almost entirely non-overlapping patterns. Switch
it over to use a non-overlapping group.

For this to be valid syntactically, CPS must move into the same
overlapping-group as the hint insns (CPS vs hints was the
only actual use of the overlap facility for the group).

The non-overlapping subgroup for CLREX/DSB/DMB/ISB/SB is no longer
necessary and so we can remove it (promoting those insns to
be members of the parent group).

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-5-peter.maydell@linaro.org


  Commit: 920f04fa3ea789f8f85a52cee5395b8887b56cf7
      
https://github.com/qemu/qemu/commit/920f04fa3ea789f8f85a52cee5395b8887b56cf7
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Don't allow BLX imm for M-profile

The BLX immediate insn in the Thumb encoding always performs
a switch from Thumb to Arm state. This would be totally useless
in M-profile which has no Arm decoder, and so the instruction
does not exist at all there. Make the encoding UNDEF for M-profile.

(This part of the encoding space is used for the branch-future
and low-overhead-loop insns in v8.1M.)

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-6-peter.maydell@linaro.org


  Commit: 05903f036edba8e3ed940cc215b8e27fb49265b9
      
https://github.com/qemu/qemu/commit/05903f036edba8e3ed940cc215b8e27fb49265b9
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/cpu.h
    M target/arm/t32.decode
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Implement v8.1M branch-future insns (as NOPs)

v8.1M implements a new 'branch future' feature, which is a
set of instructions that request the CPU to perform a branch
"in the future", when it reaches a particular execution address.
In hardware, the expected implementation is that the information
about the branch location and destination is cached and then
acted upon when execution reaches the specified address.
However the architecture permits an implementation to discard
this cached information at any point, and so guest code must
always include a normal branch insn at the branch point as
a fallback. In particular, an implementation is specifically
permitted to treat all BF insns as NOPs (which is equivalent
to discarding the cached information immediately).

For QEMU, implementing this caching of branch information
would be complicated and would not improve the speed of
execution at all, so we make the IMPDEF choice to implement
all BF insns as NOPs.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-7-peter.maydell@linaro.org


  Commit: b7226369721896ab9ef71544e4fe95b40710e05a
      
https://github.com/qemu/qemu/commit/b7226369721896ab9ef71544e4fe95b40710e05a
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/t32.decode
    M target/arm/translate.c

  Log Message:
  -----------
  target/arm: Implement v8.1M low-overhead-loop instructions

v8.1M's "low-overhead-loop" extension has three instructions
for looping:
 * DLS (start of a do-loop)
 * WLS (start of a while-loop)
 * LE (end of a loop)

The loop-start instructions are both simple operations to start a
loop whose iteration count (if any) is in LR.  The loop-end
instruction handles "decrement iteration count and jump back to loop
start"; it also caches the information about the branch back to the
start of the loop to improve performance of the branch on subsequent
iterations.

As with the branch-future instructions, the architecture permits an
implementation to discard the LO_BRANCH_INFO cache at any time, and
QEMU takes the IMPDEF option to never set it in the first place
(equivalent to discarding it immediately), because for us a "real"
implementation would be unnecessary complexity.

(This implementation only provides the simple looping constructs; the
vector extension MVE (Helium) adds some extra variants to handle
looping across vectors.  We'll add those later when we implement
MVE.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201019151301.2046-8-peter.maydell@linaro.org


  Commit: 532a3af5fbd348bca371b4a56b45f8f97c7c5519
      
https://github.com/qemu/qemu/commit/532a3af5fbd348bca371b4a56b45f8f97c7c5519
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/cpu.c

  Log Message:
  -----------
  target/arm: Fix has_vfp/has_neon ID reg squashing for M-profile

In arm_cpu_realizefn(), if the CPU has VFP or Neon disabled then we
squash the ID register fields so that we don't advertise it to the
guest.  This code was written for A-profile and needs some tweaks to
work correctly on M-profile:

 * A-profile only fields should not be zeroed on M-profile:
   - MVFR0.FPSHVEC,FPTRAP
   - MVFR1.SIMDLS,SIMDINT,SIMDSP,SIMDHP
   - MVFR2.SIMDMISC
 * M-profile only fields should be zeroed on M-profile:
   - MVFR1.FP16

In particular, because MVFR1.SIMDHP on A-profile is the same field as
MVFR1.FP16 on M-profile this code was incorrectly disabling FP16
support on an M-profile CPU (where has_neon is always false).  This
isn't a visible bug yet because we don't have any M-profile CPUs with
FP16 support, but the change is necessary before we introduce any.

Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20201019151301.2046-9-peter.maydell@linaro.org


  Commit: d31e2ce68d56f5bcc83831497e5fe4b8a7e18e85
      
https://github.com/qemu/qemu/commit/d31e2ce68d56f5bcc83831497e5fe4b8a7e18e85
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/vfp_helper.c

  Log Message:
  -----------
  target/arm: Allow M-profile CPUs with FP16 to set FPSCR.FP16

M-profile CPUs with half-precision floating point support should
be able to write to FPSCR.FZ16, but an M-profile specific masking
of the value at the top of vfp_set_fpscr() currently prevents that.
This is not yet an active bug because we have no M-profile
FP16 CPUs, but needs to be fixed before we can add any.

The bits that the masking is effectively preventing from being
set are the A-profile only short-vector Len and Stride fields,
plus the Neon QC bit. Rearrange the order of the function so
that those fields are handled earlier and only under a suitable
guard; this allows us to drop the M-profile specific masking,
making FZ16 writeable.

This change also makes the QC bit correctly RAZ/WI for older
no-Neon A-profile cores.

This refactoring also paves the way for the low-overhead-branch
LTPSIZE field, which uses some of the bits that are used for
A-profile Stride and Len.

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201019151301.2046-10-peter.maydell@linaro.org


  Commit: 8128c8e8cc9489a8387c74075974f86dc0222e7f
      
https://github.com/qemu/qemu/commit/8128c8e8cc9489a8387c74075974f86dc0222e7f
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M target/arm/cpu.c
    M target/arm/cpu.h
    M target/arm/vfp_helper.c

  Log Message:
  -----------
  target/arm: Implement FPSCR.LTPSIZE for M-profile LOB extension

If the M-profile low-overhead-branch extension is implemented, FPSCR
bits [18:16] are a new field LTPSIZE.  If MVE is not implemented
(currently always true for us) then this field always reads as 4 and
ignores writes.

These bits used to be the vector-length field for the old
short-vector extension, so we need to take care that they are not
misinterpreted as setting vec_len. We do this with a rearrangement
of the vfp_set_fpscr() code that deals with vec_len, vec_stride
and also the QC bit; this obviates the need for the M-profile
only masking step that we used to have at the start of the function.

We provide a new field in CPUState for LTPSIZE, even though this
will always be 4, in preparation for MVE, so we don't have to
come back later and split it out of the vfp.xregs[FPSCR] value.
(This state struct field will be saved and restored as part of
the FPSCR value via the vmstate_fpscr in machine.c.)

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20201019151301.2046-11-peter.maydell@linaro.org
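The two commits above (the FZ16 masking fix and the LTPSIZE field) describe the same restructuring of the FPSCR write path: decode each field only under the guard that says the core has it, instead of a blanket M-profile mask applied first. The following C model, added here as an illustration and not QEMU's own code, contrasts the two approaches. The FPSCR bit positions (Len [18:16], FZ16 bit 19, Stride [21:20], QC bit 27, LTPSIZE reusing [18:16]) are the architectural layout; the `ToyCpu` struct, the function names, and the "old" mask constant are constructed for the example (the mask is chosen to reproduce the symptom the first commit describes, it is not the constant QEMU used).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Architectural FPSCR bit positions (real layout). */
#define FPSCR_LEN_SHIFT      16  /* A-profile short-vector Len, bits [18:16] */
#define FPSCR_LEN_MASK       (7u << FPSCR_LEN_SHIFT)
#define FPSCR_LTPSIZE_SHIFT  16  /* M-profile LOB LTPSIZE: the same bits [18:16] */
#define FPSCR_FZ16           (1u << 19)
#define FPSCR_STRIDE_SHIFT   20  /* A-profile short-vector Stride, bits [21:20] */
#define FPSCR_STRIDE_MASK    (3u << FPSCR_STRIDE_SHIFT)
#define FPSCR_QC             (1u << 27)

/* Hypothetical CPU model, constructed for this example (not QEMU's CPUState). */
typedef struct {
    bool m_profile;   /* M-profile core: no short vectors, no Neon */
    bool has_neon;    /* Advanced SIMD present: QC bit is live */
    bool has_fp16;    /* FP16 present: FZ16 must be writeable */
    bool has_lob;     /* M-profile low-overhead-branch extension: LTPSIZE exists */
    uint32_t fpscr;   /* stored bits other than the fields decoded below */
    int vec_len;      /* decoded Len (A-profile short vectors only) */
    int vec_stride;   /* decoded Stride */
    int ltpsize;      /* LTPSIZE: always 4 while MVE is not implemented */
    bool qc;          /* cumulative saturation flag */
} ToyCpu;

/*
 * Pre-fix shape: one profile-wide mask applied before any field decoding.
 * The mask is constructed to model the problem (not QEMU's constant): while
 * clearing Len/Stride/QC on M-profile it also sweeps away the neighbouring
 * FZ16 bit.  Returns the value a subsequent read would see.
 */
static uint32_t fpscr_write_old(ToyCpu *cpu, uint32_t val)
{
    if (cpu->m_profile) {
        val &= ~(FPSCR_LEN_MASK | FPSCR_FZ16 | FPSCR_STRIDE_MASK | FPSCR_QC);
    }
    /* Fields are decoded unconditionally, even on cores that lack them. */
    cpu->vec_len = (val & FPSCR_LEN_MASK) >> FPSCR_LEN_SHIFT;
    cpu->vec_stride = (val & FPSCR_STRIDE_MASK) >> FPSCR_STRIDE_SHIFT;
    cpu->qc = (val & FPSCR_QC) != 0;
    cpu->fpscr = val & ~(FPSCR_LEN_MASK | FPSCR_STRIDE_MASK | FPSCR_QC);
    return cpu->fpscr | ((uint32_t)cpu->vec_len << FPSCR_LEN_SHIFT)
         | ((uint32_t)cpu->vec_stride << FPSCR_STRIDE_SHIFT)
         | (cpu->qc ? FPSCR_QC : 0);
}

/* Post-fix shape: every field handled only under its own guard. */
static void fpscr_write_new(ToyCpu *cpu, uint32_t val)
{
    if (!cpu->m_profile) {
        /* Short-vector Len/Stride exist only on A-profile. */
        cpu->vec_len = (val & FPSCR_LEN_MASK) >> FPSCR_LEN_SHIFT;
        cpu->vec_stride = (val & FPSCR_STRIDE_MASK) >> FPSCR_STRIDE_SHIFT;
    }
    /* Bits [18:16]/[21:20] are never stored raw, so an M-profile write to
     * them can't be misread as vec_len.  With LOB, [18:16] is LTPSIZE: it
     * reads as 4 and ignores writes while MVE is absent. */
    cpu->ltpsize = 4;
    val &= ~(FPSCR_LEN_MASK | FPSCR_STRIDE_MASK);

    /* QC is live only with Neon; on other cores the bit is RAZ/WI. */
    cpu->qc = cpu->has_neon && (val & FPSCR_QC);
    val &= ~FPSCR_QC;

    /* FZ16 is RES0 without FP16; with FP16 it is simply stored. */
    if (!cpu->has_fp16) {
        val &= ~FPSCR_FZ16;
    }
    cpu->fpscr = val;
}

static uint32_t fpscr_read_new(const ToyCpu *cpu)
{
    uint32_t val = cpu->fpscr;
    if (!cpu->m_profile) {
        val |= ((uint32_t)cpu->vec_len << FPSCR_LEN_SHIFT)
             | ((uint32_t)cpu->vec_stride << FPSCR_STRIDE_SHIFT);
    } else if (cpu->has_lob) {
        val |= (uint32_t)cpu->ltpsize << FPSCR_LTPSIZE_SHIFT;
    }
    if (cpu->qc) {
        val |= FPSCR_QC;
    }
    return val;
}

int main(void)
{
    /* Constructed scenario: M-profile core with FP16 and LOB writes FZ16
     * plus a non-zero value into bits [18:16]. */
    ToyCpu old = { .m_profile = true, .has_fp16 = true, .has_lob = true };
    ToyCpu cur = old;
    uint32_t wr = FPSCR_FZ16 | (1u << FPSCR_LTPSIZE_SHIFT);
    printf("old readback: 0x%08x (FZ16 lost)\n", fpscr_write_old(&old, wr));
    fpscr_write_new(&cur, wr);
    printf("new readback: 0x%08x (FZ16 kept, LTPSIZE=4)\n", fpscr_read_new(&cur));
    return 0;
}
```

With the guarded version the M-profile write above reads back as `0x000c0000`: FZ16 survives and bits [18:16] report LTPSIZE = 4 regardless of what was written, while `vec_len` is never touched; the blanket-mask version reads back `0`.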


  Commit: ac793156f650ae2d77834932d72224175ee69086
      
https://github.com/qemu/qemu/commit/ac793156f650ae2d77834932d72224175ee69086
  Author: Peter Maydell <peter.maydell@linaro.org>
  Date:   2020-10-20 (Tue, 20 Oct 2020)

  Changed paths:
    M accel/tcg/cputlb.c
    M default-configs/devices/arm-softmmu.mak
    M docs/devel/loads-stores.rst
    M hw/arm/Kconfig
    M hw/arm/bcm2835_peripherals.c
    M hw/arm/nseries.c
    M hw/arm/strongarm.c
    M hw/i2c/microbit_i2c.c
    M hw/intc/bcm2835_ic.c
    M hw/intc/bcm2836_control.c
    M hw/intc/trace-events
    M hw/timer/bcm2835_systmr.c
    M hw/timer/trace-events
    M include/exec/exec-all.h
    M include/hw/timer/bcm2835_systmr.h
    M scripts/decodetree.py
    M target/arm/cpu.c
    M target/arm/cpu.h
    M target/arm/helper.c
    M target/arm/helper.h
    M target/arm/internals.h
    M target/arm/m-nocp.decode
    M target/arm/mte_helper.c
    M target/arm/t32.decode
    M target/arm/translate-vfp.c.inc
    M target/arm/translate.c
    M target/arm/vfp_helper.c
    M tests/qtest/meson.build
    A tests/qtest/npcm7xx_timer-test.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/pmaydell/tags/pull-target-arm-20201020-1' into staging

target-arm queue:
 * Fix AArch32 SMLAD incorrect setting of Q bit
 * AArch32 VCVT fixed-point to float is always round-to-nearest
 * strongarm: Fix 'time to transmit a char' unit comment
 * Restrict APEI tables generation to the 'virt' machine
 * bcm2835: minor code cleanups
 * bcm2835: connect all IRQs from SYS_timer device
 * correctly flush TLBs when TBI is enabled
 * tests/qtest: Add npcm7xx timer test
 * loads-stores.rst: add footnote that clarifies GETPC usage
 * Fix reported EL for mte_check_fail
 * Ignore HCR_EL2.ATA when {E2H,TGE} != 11
 * microbit_i2c: Fix coredump when dump-vmstate
 * nseries: Fix loading kernel image on n8x0 machines
 * Implement v8.1M low-overhead-loops

# gpg: Signature made Tue 20 Oct 2020 21:10:35 BST
# gpg:                using RSA key E1A5C593CD419DE28E8315CF3C2525ED14360CDE
# gpg:                issuer "peter.maydell@linaro.org"
# gpg: Good signature from "Peter Maydell <peter.maydell@linaro.org>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@gmail.com>" [ultimate]
# gpg:                 aka "Peter Maydell <pmaydell@chiark.greenend.org.uk>" [ultimate]
# Primary key fingerprint: E1A5 C593 CD41 9DE2 8E83  15CF 3C25 25ED 1436 0CDE

* remotes/pmaydell/tags/pull-target-arm-20201020-1: (29 commits)
  target/arm: Implement FPSCR.LTPSIZE for M-profile LOB extension
  target/arm: Allow M-profile CPUs with FP16 to set FPSCR.FP16
  target/arm: Fix has_vfp/has_neon ID reg squashing for M-profile
  target/arm: Implement v8.1M low-overhead-loop instructions
  target/arm: Implement v8.1M branch-future insns (as NOPs)
  target/arm: Don't allow BLX imm for M-profile
  target/arm: Make the t32 insn[25:23]=111 group non-overlapping
  target/arm: Implement v8.1M conditional-select insns
  target/arm: Implement v8.1M NOCP handling
  decodetree: Fix codegen for non-overlapping group inside overlapping group
  hw/arm/nseries: Fix loading kernel image on n8x0 machines
  microbit_i2c: Fix coredump when dump-vmstate
  target/arm: Ignore HCR_EL2.ATA when {E2H,TGE} != 11
  target/arm: Fix reported EL for mte_check_fail
  target/arm: Remove redundant mmu_idx lookup
  hw/intc/bcm2836_control: Use IRQ definitions instead of magic numbers
  hw/intc/bcm2835_ic: Trace GPU/CPU IRQ handlers
  loads-stores.rst: add footnote that clarifies GETPC usage
  tests/qtest: Add npcm7xx timer test
  target/arm: Use tlb_flush_page_bits_by_mmuidx*
  ...

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>


Compare: https://github.com/qemu/qemu/compare/4c41341af76c...ac793156f650


