From: Tom Hanson
Date: Fri, 30 Sep 2016 15:48:55 -0600
Subject: Re: [Qemu-devel] [PATCH 0/3] target-arm: Handle tagged addresses when loading PC
Message-ID: <57EEDDC7.7060407@linaro.org>
References: <1474047287-145701-1-git-send-email-thomas.hanson@linaro.org>
To: Peter Maydell
Cc: QEMU Developers, Grant Likely

On 09/29/2016 07:37 PM, Peter Maydell wrote:
> On 16 September 2016 at 10:34, Thomas Hanson wrote:
>> If tagged addresses are enabled, then addresses being loaded into the
>> PC must be cleaned up by overwriting the tag bits with either all 0's
>> or all 1's as specified in the ARM ARM spec. The decision process is
>> dependent on whether the code will be running in EL0/1 or in EL2/3 and
>> is controlled by a combination of Top Byte Ignored (TBI) bits in the
>> TCR and the value of bit 55 in the address being loaded.
>>
>> TBI values are extracted from the appropriate TCR and made available
>> to TCG code generation routines by inserting them into the TB flags
>> field and then transferring them to the DisasContext structure in
>> gen_intermediate_code_a64().
>>
>> New function gen_a64_set_pc_reg() encapsulates the logic required to
>> determine whether cleanup of the tag byte is required and then
>> generates the code to correctly load the PC.
>>
>> In addition to those instructions which can directly load a tagged
>> address into the PC, there are others which increment or add a value to
>> the PC. If 56 bit addressing is used, these instructions can cause an
>> arithmetic roll-over into the tag bits. The ARM ARM specification for
>> handling tagged addresses requires that these cases also be addressed
>> by cleaning up the tag field. This work has been deferred because
>> there is currently no CPU model available for testing with 56 bit
>> addresses.
>
> These changes are OK (other than the comments I've made on the
> patches), but do not cover all the cases where values can be
> loaded into the PC and may need to be cleansed of their tags.
>
> In particular:
> * on exception entry to AArch64 we may need to clean a tag out of
>   the vector table base address register VBAR_ELx
>   (in QEMU this would be in arm_cpu_do_interrupt_aarch64())
> * on exception return to AArch64 we may need to clean a tag out of
>   the return address we got from ELR_ELx
>   (in QEMU, in the exception_return helper)
>
> Note that D4.1.1 of the ARM ARM describes a potential relaxation
> of the requirement that tag bits not be propagated into the PC
> in the case of an illegal exception return; I recommend not
> taking advantage of that relaxation unless it really does fall
> out of the implementation much more trivially that way.
>
> Watch out that you use the TBI bits for the destination EL in
> each case, not the EL you start in...
>
> thanks
> -- PMM

Peter,

As I read arm_cpu_do_interrupt_aarch64() it sets the return address in
env->elr_el[new_el] to env->pc (for AArch64). Since the PC is always
clean, how can a tagged address get saved off? Am I missing something?

-Tom
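An added illustration, not code from the patch series or from QEMU: a plain-C model of the tag-cleaning rule the cover letter describes, taking the destination EL as the review asks. The fill values (ones when bit 55 is set and TBI1 applies, zeros when bit 55 is clear and TBI0 applies, zeros at EL2/EL3 with the single TBI bit) are assumed from the ARM ARM D4.1.1 and are not spelled out on this page; the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Tag byte is bits [63:56]; bit 55 selects the TTBR0/TTBR1 half. */
#define TAG_MASK 0xff00000000000000ull
#define BIT55    (1ull << 55)

/* Clean the top byte of an address about to be loaded into the PC.
 * `el' is the EL the PC is being loaded *for* (the destination EL),
 * not the EL the code started in.  At EL0/EL1, bit 55 picks which of
 * TCR_EL1.TBI0/TBI1 applies and the tag is replaced by copies of bit 55
 * (assumed fill rule, ARM ARM D4.1.1); at EL2/EL3 there is one TBI bit
 * (passed as tbi0 here) and the tag is replaced with zeros. */
static uint64_t clean_pc_tag(uint64_t addr, unsigned el, bool tbi0, bool tbi1)
{
    bool bit55 = (addr & BIT55) != 0;

    if (el <= 1) {
        if (bit55 && tbi1) {
            return addr | TAG_MASK;      /* overwrite tag with all 1s */
        }
        if (!bit55 && tbi0) {
            return addr & ~TAG_MASK;     /* overwrite tag with all 0s */
        }
        return addr;                     /* TBI not in effect: load as-is */
    }
    /* EL2/EL3: single TBI bit; tbi1 is ignored. */
    return tbi0 ? (addr & ~TAG_MASK) : addr;
}

/* When both TBI0 and TBI1 are set, one shift pair covers both halves:
 * sign-extend from bit 55 (shift left as unsigned, then arithmetic right). */
static uint64_t sign_extend_from_bit55(uint64_t addr)
{
    return (uint64_t)((int64_t)(addr << 8) >> 8);
}

int main(void)
{
    uint64_t low  = 0x1200000000401000ull;  /* constructed: tag 0x12, bit 55 clear */
    uint64_t high = 0x12ffffffff401000ull;  /* constructed: tag 0x12, bit 55 set */

    printf("EL1 TBI0=1: %#018llx\n", (unsigned long long)clean_pc_tag(low, 1, true, false));
    printf("EL1 TBI1=1: %#018llx\n", (unsigned long long)clean_pc_tag(high, 1, false, true));
    printf("EL2 TBI=1 : %#018llx\n", (unsigned long long)clean_pc_tag(high, 2, true, false));
    return 0;
}
```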