* [Qemu-devel] [PATCH v2 0/5] fix & clean PPC e300
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel; +Cc: Blue Swirl
From: Thomas Monjalon <thomas@monjalon.net>
Mainly resending.
The only improvement is in the fix for RFI/RFID.
Please Blue Swirl, could you test with Altivec ?
---
Thomas Monjalon (5):
target-ppc: fix processor versions (PVR) for e300
target-ppc: fix interrupt vectors for MPC603 and e300
target-ppc: exception model of 603e inherits from 603
target-ppc: fix RFI by clearing upper bytes of MSR
ppc: remove dead code
hw/ppc.c | 10 ----------
target-ppc/cpu.h | 2 --
target-ppc/helper.c | 3 ---
target-ppc/op_helper.c | 6 +++---
target-ppc/translate_init.c | 31 +++++++++++++++++++------------
5 files changed, 22 insertions(+), 30 deletions(-)
* [Qemu-devel] [PATCH v2 1/5] target-ppc: fix processor versions (PVR) for e300
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel
From: Thomas Monjalon <thomas@monjalon.net>
Reflect values from the table "Assigned PVR values" in [e300CORERM].
Values for MPC603 and G2 processors could need check/changes also.
The reference document (e300CORERM) which is used is:
"e300 Power Architecture Core Family Reference Manual", Revision 4, 12/2007.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
---
target-ppc/translate_init.c | 13 +++++++------
1 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index e8eadf4..9e42831 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -6720,17 +6720,18 @@ enum {
/* e300 family */
/* e300 cores */
#define CPU_POWERPC_e300 CPU_POWERPC_e300c3
- CPU_POWERPC_e300c1 = 0x00830010,
- CPU_POWERPC_e300c2 = 0x00840010,
- CPU_POWERPC_e300c3 = 0x00850010,
- CPU_POWERPC_e300c4 = 0x00860010,
+ CPU_POWERPC_e300c1 = 0x80830010,
+ CPU_POWERPC_e300c2 = 0x80840010,
+ CPU_POWERPC_e300c3 = 0x80850010,
+ CPU_POWERPC_e300c4_MPC5121e = 0x80860010,
+ CPU_POWERPC_e300c4_MPC83xx = 0x80861010,
/* MPC83xx microcontrollers */
#define CPU_POWERPC_MPC831x CPU_POWERPC_e300c3
#define CPU_POWERPC_MPC832x CPU_POWERPC_e300c2
#define CPU_POWERPC_MPC834x CPU_POWERPC_e300c1
#define CPU_POWERPC_MPC835x CPU_POWERPC_e300c1
#define CPU_POWERPC_MPC836x CPU_POWERPC_e300c1
-#define CPU_POWERPC_MPC837x CPU_POWERPC_e300c4
+#define CPU_POWERPC_MPC837x CPU_POWERPC_e300c4_MPC83xx
/* e500 family */
/* e500 cores */
#define CPU_POWERPC_e500 CPU_POWERPC_e500v2_v22
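Review bot: the enum removes CPU_POWERPC_e300c4 without leaving an alias, unlike CPU_POWERPC_e300, which the first line of this hunk keeps as an alias of CPU_POWERPC_e300c3. Either keep a `#define CPU_POWERPC_e300c4` pointing at one of the two new variants or state in the commit message that the two sites updated in this patch are the only users. A one-line comment above the new values naming the "Assigned PVR values" table in e300CORERM would let the 0x8083.. to 0x8086.. constants be checked without reading the commit log.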
@@ -7977,7 +7978,7 @@ static const ppc_def_t ppc_defs[] = {
/* PowerPC e300c3 core */
POWERPC_DEF("e300c3", CPU_POWERPC_e300c3, e300),
/* PowerPC e300c4 core */
- POWERPC_DEF("e300c4", CPU_POWERPC_e300c4, e300),
+ POWERPC_DEF("e300c4", CPU_POWERPC_e300c4_MPC83xx, e300),
/* PowerPC e300 microcontrollers */
#if defined (TODO)
/* MPC8313 */
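Review bot: the "e300c4" model name is now bound to CPU_POWERPC_e300c4_MPC83xx, while CPU_POWERPC_e300c4_MPC5121e, added to the enum by this same patch, gets no POWERPC_DEF entry, so the 0x80860010 PVR cannot be selected by name. Add an entry for it, or leave the enumerator out until one exists.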
--
1.7.1
* [Qemu-devel] [PATCH v2 2/5] target-ppc: fix interrupt vectors for MPC603 and e300
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel
From: Thomas Monjalon <thomas@monjalon.net>
The vectors are listed
- in the chapter 1.3.3.2 (Implementation-Specific Interrupt Model)
of the e300 datasheet [e300CORERM] and
- in the chapter 3.5.2 (PowerPC 603 Microprocessor Exception Model)
of the MPC603 datasheet.
As e300 inherits from MPC603, init_excp_e300() calls init_excp_603().
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
---
target-ppc/translate_init.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index 9e42831..f3e266d 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -2853,7 +2853,16 @@ static void init_excp_603 (CPUPPCState *env)
env->excp_vectors[POWERPC_EXCP_SMI] = 0x00001400;
env->hreset_excp_prefix = 0x00000000UL;
/* Hardware reset vector */
- env->hreset_vector = 0xFFFFFFFCUL;
+ env->hreset_vector = 0x00000100UL;
+#endif
+}
+
+static void init_excp_e300 (CPUPPCState *env)
+{
+ init_excp_603(env);
+#if !defined(CONFIG_USER_ONLY)
+ env->excp_vectors[POWERPC_EXCP_CRITICAL] = 0x00000A00;
+ env->excp_vectors[POWERPC_EXCP_PERFM] = 0x00000F00;
#endif
}
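Review bot: the hreset_vector change from 0xFFFFFFFCUL to 0x00000100UL sits in init_excp_603(), so it takes effect for every CPU model that calls that function, not only for e300 through the new init_excp_e300(). The commit message only says the vectors are listed in the two datasheets; it should state explicitly that the reset entry point changes for the 603 family and which machines were booted with it. In init_excp_e300() a short comment citing chapter 1.3.3.2 next to the CRITICAL and PERFM vectors would document where 0x00000A00 and 0x00000F00 come from.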
@@ -4175,7 +4184,7 @@ static void init_proc_e300 (CPUPPCState *env)
gen_low_BATs(env);
gen_high_BATs(env);
gen_6xx_7xx_soft_tlb(env, 64, 2);
- init_excp_603(env);
+ init_excp_e300(env);
env->dcache_line_size = 32;
env->icache_line_size = 32;
/* Allocate hardware IRQ controller */
--
1.7.1
* [Qemu-devel] [PATCH v2 3/5] target-ppc: exception model of 603e inherits from 603
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel
From: Thomas Monjalon <thomas@monjalon.net>
It appears in the code that the exception handling of 603e is the same as 603.
If there is an add-on like SRR1[KEY], it is handled without a special case for it.
So it could be removed safely.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
---
target-ppc/cpu.h | 2 --
target-ppc/helper.c | 3 ---
target-ppc/translate_init.c | 5 +----
3 files changed, 1 insertions(+), 9 deletions(-)
diff --git a/target-ppc/cpu.h b/target-ppc/cpu.h
index 2ad4486..ba266cb 100644
--- a/target-ppc/cpu.h
+++ b/target-ppc/cpu.h
@@ -134,8 +134,6 @@ enum powerpc_excp_t {
POWERPC_EXCP_602,
/* PowerPC 603 exception model */
POWERPC_EXCP_603,
- /* PowerPC 603e exception model */
- POWERPC_EXCP_603E,
/* PowerPC G2 exception model */
POWERPC_EXCP_G2,
/* PowerPC 604 exception model */
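Review bot: deleting POWERPC_EXCP_603E from the middle of enum powerpc_excp_t renumbers POWERPC_EXCP_G2, POWERPC_EXCP_604 and every later enumerator. That is harmless only if the numeric values are never stored or compared other than through the enum names; please confirm that and say so in the commit message.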
diff --git a/target-ppc/helper.c b/target-ppc/helper.c
index a5479c4..3d843b5 100644
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -2391,7 +2391,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
switch (excp_model) {
case POWERPC_EXCP_602:
case POWERPC_EXCP_603:
- case POWERPC_EXCP_603E:
case POWERPC_EXCP_G2:
goto tlb_miss_tgpr;
case POWERPC_EXCP_7x5:
@@ -2410,7 +2409,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
switch (excp_model) {
case POWERPC_EXCP_602:
case POWERPC_EXCP_603:
- case POWERPC_EXCP_603E:
case POWERPC_EXCP_G2:
goto tlb_miss_tgpr;
case POWERPC_EXCP_7x5:
@@ -2429,7 +2427,6 @@ static inline void powerpc_excp(CPUState *env, int excp_model, int excp)
switch (excp_model) {
case POWERPC_EXCP_602:
case POWERPC_EXCP_603:
- case POWERPC_EXCP_603E:
case POWERPC_EXCP_G2:
tlb_miss_tgpr:
/* Swap temporary saved registers with GPRs */
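Review bot: the commit message's remark about SRR1[KEY] is not backed by anything in these three powerpc_excp() hunks, which only show that the removed label shared the tlb_miss_tgpr path with POWERPC_EXCP_603. Point to the code that sets SRR1[KEY] without checking the exception model, or drop the remark.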
diff --git a/target-ppc/translate_init.c b/target-ppc/translate_init.c
index f3e266d..c88762e 100644
--- a/target-ppc/translate_init.c
+++ b/target-ppc/translate_init.c
@@ -4519,7 +4519,7 @@ static void init_proc_603 (CPUPPCState *env)
PPC_SEGMENT | PPC_EXTERN)
#define POWERPC_MSRM_603E (0x000000000007FF73ULL)
#define POWERPC_MMU_603E (POWERPC_MMU_SOFT_6xx)
-//#define POWERPC_EXCP_603E (POWERPC_EXCP_603E)
+#define POWERPC_EXCP_603E (POWERPC_EXCP_603)
#define POWERPC_INPUT_603E (PPC_FLAGS_INPUT_6xx)
#define POWERPC_BFDM_603E (bfd_mach_ppc_ec603e)
#define POWERPC_FLAG_603E (POWERPC_FLAG_TGPR | POWERPC_FLAG_SE | \
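Review bot: `#define POWERPC_EXCP_603E (POWERPC_EXCP_603)` reuses the identifier that cpu.h declared as an enumerator until this same patch, so the name changes from a distinct value to an alias without any marker in the source. A short comment on the define saying that the 603e shares the 603 exception model would keep a later reader from re-adding the enumerator.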
@@ -9589,9 +9589,6 @@ int cpu_ppc_register_internal (CPUPPCState *env, const ppc_def_t *def)
case POWERPC_EXCP_603:
excp_model = "PowerPC 603";
break;
- case POWERPC_EXCP_603E:
- excp_model = "PowerPC 603e";
- break;
case POWERPC_EXCP_604:
excp_model = "PowerPC 604";
break;
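Review bot: with the "PowerPC 603e" case removed, cpu_ppc_register_internal() describes 603e parts as "PowerPC 603". That is a user-visible change in the reported exception model and deserves a line in the commit message.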
--
1.7.1
* [Qemu-devel] [PATCH v2 4/5] target-ppc: fix RFI by clearing upper bytes of MSR
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel; +Cc: Blue Swirl
From: Thomas Monjalon <thomas@monjalon.net>
Since commit 2ada0ed, "Return From Interrupt" is broken for PPC processors
because the upper bits (POW, TGPR, ILE) of MSR were not cleared.
Below is a representation of MSR bits:
 0 .. 12  13  14   15  16 ..                    23  24 ..              31
 —————    POW TGPR ILE EE PR FP ME FE0 SE BE FE1    CE IP IR DR —— RI LE
Only the 2 lower bytes (16-31) of MSR are saved to SRR1 before an interrupt.
So only these bytes should be restored and the upper ones (0-15) cleared.
But, referring to commit 2ada0ed, clearing all the upper bytes breaks Altivec.
The compromise is to clear the well known bits (13-15).
Regarding RFID, since the 32 lower bits of MSR are the same in 64-bit,
the same mask as RFI should apply to RFID.
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Cc: Blue Swirl <blauwirbel@gmail.com>
---
target-ppc/op_helper.c | 6 +++---
1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
index 8f2ee98..2bf2ce1 100644
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -1646,20 +1646,20 @@ static inline void do_rfi(target_ulong nip, target_ulong msr,
void helper_rfi (void)
{
do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
- ~((target_ulong)0x0), 1);
+ ~((target_ulong)0x00070000), 1);
}
#if defined(TARGET_PPC64)
void helper_rfid (void)
{
do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
- ~((target_ulong)0x0), 0);
+ ~((target_ulong)0x00070000), 0);
}
void helper_hrfid (void)
{
do_rfi(env->spr[SPR_HSRR0], env->spr[SPR_HSRR1],
- ~((target_ulong)0x0), 0);
+ ~((target_ulong)0x00070000), 0);
}
#endif
#endif
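Review bot: the literal 0x00070000 appears three times with no name; build it from the MSR bit defines for POW, TGPR and ILE, or from one shared macro, so the mask can be read against the bit table in the commit message. helper_hrfid() receives the same mask although it restores from SPR_HSRR1 and the commit message argues only for RFI and RFID; justify that or leave hrfid unchanged. The subject line says "upper bytes" while the code clears three bits, which should be reconciled.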
--
1.7.1
* [Qemu-devel] [PATCH v2 5/5] ppc: remove dead code
From: Thomas Monjalon @ 2010-04-27 15:31 UTC (permalink / raw)
To: qemu-devel
From: Thomas Monjalon <thomas@monjalon.net>
This function had been disabled from the beginning (see 9fddaa0).
cpu_reset() function is in target-ppc/helper.c
Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
Acked-by: Alexander Graf <agraf@suse.de>
---
hw/ppc.c | 10 ----------
1 files changed, 0 insertions(+), 10 deletions(-)
diff --git a/hw/ppc.c b/hw/ppc.c
index 5baeeaf..2a77eb9 100644
--- a/hw/ppc.c
+++ b/hw/ppc.c
@@ -1085,16 +1085,6 @@ int ppc_dcr_init (CPUState *env, int (*read_error)(int dcrn),
return 0;
}
-#if 0
-/*****************************************************************************/
-/* Handle system reset (for now, just stop emulation) */
-void cpu_reset(CPUState *env)
-{
- printf("Reset asked... Stop emulation\n");
- abort();
-}
-#endif
-
/*****************************************************************************/
/* Debug port */
void PPC_debug_write (void *opaque, uint32_t addr, uint32_t val)
--
1.7.1
* [Qemu-devel] Re: [PATCH v2 0/5] fix & clean PPC e300
From: Blue Swirl @ 2010-04-27 18:47 UTC (permalink / raw)
To: Thomas Monjalon; +Cc: qemu-devel
On 4/27/10, Thomas Monjalon <thomas_ml@monjalon.net> wrote:
> From: Thomas Monjalon <thomas@monjalon.net>
>
> Mainly resending.
>
> The only improvement is in the fix for RFI/RFID.
> Please Blue Swirl, could you test with Altivec ?
Sorry, I don't have one.
>
> ---
>
> Thomas Monjalon (5):
> target-ppc: fix processor versions (PVR) for e300
> target-ppc: fix interrupt vectors for MPC603 and e300
> target-ppc: exception model of 603e inherits from 603
> target-ppc: fix RFI by clearing upper bytes of MSR
> ppc: remove dead code
>
> hw/ppc.c | 10 ----------
> target-ppc/cpu.h | 2 --
> target-ppc/helper.c | 3 ---
> target-ppc/op_helper.c | 6 +++---
> target-ppc/translate_init.c | 31 +++++++++++++++++++------------
> 5 files changed, 22 insertions(+), 30 deletions(-)
>
>
>
>
* [Qemu-devel] Re: [PATCH v2 0/5] fix & clean PPC e300
From: Thomas Monjalon @ 2010-04-27 21:18 UTC (permalink / raw)
To: qemu-devel, Blue Swirl, Alexander Graf
Blue Swirl wrote:
> On 4/27/10, Thomas Monjalon <thomas_ml@monjalon.net> wrote:
> > The only improvement is in the fix for RFI/RFID.
> > Please Blue Swirl, could you test with Altivec ?
>
> Sorry, I don't have one.
Oops, sorry. I have "CCed" the author of the commit 2ada0ed. But it was the
SVN old time. I should look at the Signed-off line.
Alexander, you have made the commit 2ada0ed to fix Altivec. Could you check
that the 4th patch of this series doesn't break Altivec?
Thanks
--
Thomas
* Re: [Qemu-devel] [PATCH v2 4/5] target-ppc: fix RFI by clearing upper bytes of MSR
From: Alexander Graf @ 2010-05-02 8:12 UTC (permalink / raw)
To: Thomas Monjalon; +Cc: Blue Swirl, qemu-devel
On 27.04.2010, at 17:31, Thomas Monjalon wrote:
> From: Thomas Monjalon <thomas@monjalon.net>
>
> Since commit 2ada0ed, "Return From Interrupt" is broken for PPC processors
> because the upper bits (POW, TGPR, ILE) of MSR were not cleared.
May I ask for your test case or how you stumbled over this? I haven't seen any OS rely on this yet.
>
> Below is a representation of MSR bits:
> 0 .. 12 13 14 15 16 .. 23 24 .. 31
> ————— POW TGPR ILE EE PR FP ME FE0 SE BE FE1 CE IP IR DR —— RI LE
>
> Only the 2 lower bytes (16-31) of MSR are saved to SRR1 before an interrupt.
> So only these bytes should be restored and the upper ones (0-15) cleared.
> But, referring to commit 2ada0ed, clearing all the upper bytes breaks Altivec.
> The compromise is to clear the well known bits (13-15).
IIRC this is vastly implementation dependent. Book3 lists the bits saved when setting SRR1 explicitly and I haven't found a good rule of thumb yet.
RFI on the other hand is described as MSR <- SRR1. So I'm fairly sure RFI is implemented correctly.
Have you tried making the SRR1 setting more clever?
>
> Regarding RFID, since the 32 lower bits of MSR are the same in 64-bit,
> the same mask as RFI should apply to RFID.
>
> Signed-off-by: Thomas Monjalon <thomas@monjalon.net>
> Cc: Blue Swirl <blauwirbel@gmail.com>
> ---
> target-ppc/op_helper.c | 6 +++---
> 1 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/target-ppc/op_helper.c b/target-ppc/op_helper.c
> index 8f2ee98..2bf2ce1 100644
> --- a/target-ppc/op_helper.c
> +++ b/target-ppc/op_helper.c
> @@ -1646,20 +1646,20 @@ static inline void do_rfi(target_ulong nip, target_ulong msr,
> void helper_rfi (void)
> {
> do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
> - ~((target_ulong)0x0), 1);
> + ~((target_ulong)0x00070000), 1);
Please use constant defines here. We have MSR_XX.
Alex
* Re: [Qemu-devel] [PATCH v2 4/5] target-ppc: fix RFI by clearing upper bytes of MSR
From: Thomas Monjalon @ 2010-05-18 14:00 UTC (permalink / raw)
To: Alexander Graf; +Cc: Blue Swirl, qemu-devel
Alexander Graf wrote:
> On 27.04.2010, at 17:31, Thomas Monjalon wrote:
> > Since commit 2ada0ed, "Return From Interrupt" is broken for PPC
> > processors because the upper bits (POW, TGPR, ILE) of MSR were not
> > cleared.
>
> May I ask for your test case or how you stumbled over this? I haven't seen
> any OS rely on this yet.
I'm running Linux for SBC834x in Qemu. The interrupt controller and board
definition are not yet published.
The boot process hangs with the actual implementation of RFI.
> > Below is a representation of MSR bits:
> > 0 .. 12 13 14 15 16 .. 23 24 .. 31
> > ————— POW TGPR ILE EE PR FP ME FE0 SE BE FE1 CE IP IR DR —— RI LE
> >
> > Only the 2 lower bytes (16-31) of MSR are saved to SRR1 before an
> > interrupt. So only these bytes should be restored and the upper ones
> > (0-15) cleared. But, referring to commit 2ada0ed, clearing all the upper
> > bytes breaks Altivec. The compromise is to clear the well known bits
> > (13-15).
>
> IIRC this is vastly implementation dependent. Book3 lists the bits saved
> when setting SRR1 explicitly and I haven't found a good rule of thumb yet.
> RFI on the other hand is described as MSR <- SRR1. So I'm fairly sure RFI
> is implemented correctly.
From the programming manual (MPCFPE32B):
"The save/restore register 1 (SRR1) is used to save machine status (selected
bits from the MSR and other implementation-specific status bits as well) on
interrupts and to restore those values when rfi is executed.
[..]
When an interrupt occurs, SRR1 bits 1–4 and 10–15 are loaded with
interrupt-specific information and MSR bits 16–23, 25–27, and 30–31 are
placed into the corresponding bit positions of SRR1. Depending on the
implementation, additional MSR bits may be copied to SRR1."
From the e300 reference manual (e300CORERM):
"The TGPR bit is cleared by an rfi instruction."
My first try was to clear only TGPR. But it doesn't work properly if POW and
ILE are not cleared.
> Have you tried making the SRR1 setting more clever?
Yes. POW and TGPR can be filtered-out when saving to SRR1. But it seems that
ILE must be cleared in RFI (if not, the Linux PCI scan is an endless loop).
I don't know if this way is better:
--- a/target-ppc/helper.c
+++ b/target-ppc/helper.c
@@ -2571,2 +2571,2 @@ static inline void powerpc_excp(CPUState *env, int
excp_model, int excp)
/* Save MSR */
- env->spr[srr1] = msr;
+ env->spr[srr1] = msr & ~(1 << MSR_POW | 1 << MSR_TGPR);
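Review bot: `1 << MSR_POW | 1 << MSR_TGPR` shifts a plain int, while the op_helper.c hunk in the same mail writes `(target_ulong) 1 << MSR_ILE`; use the same cast here and parenthesise each shift so the two masks are built the same way. The filter is placed in powerpc_excp(), which takes an excp_model argument, so as written it applies to every model; either make it conditional on the model or say why dropping POW and TGPR from SRR1 is right for all of them.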
--- a/target-ppc/op_helper.c
+++ b/target-ppc/op_helper.c
@@ -1648,2 +1648,2 @@ void helper_rfi (void)
do_rfi(env->spr[SPR_SRR0], env->spr[SPR_SRR1],
- ~((target_ulong)0x0), 1);
+ ~((target_ulong) 1 << MSR_ILE), 1);
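Review bot: only helper_rfi() is changed here, whereas patch 4/5 applied its mask to helper_rfid() and helper_hrfid() as well; say whether leaving those two at `~((target_ulong)0x0)` is intended. Clearing ILE unconditionally on rfi also means a value a handler writes to that SRR1 bit never reaches the MSR, so the hunk needs a manual reference for that behaviour.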
--
Thomas
* Re: [Qemu-devel] [PATCH v2 4/5] target-ppc: fix RFI by clearing upper bytes of MSR
From: Alexander Graf @ 2010-05-18 14:35 UTC (permalink / raw)
To: Thomas Monjalon; +Cc: Blue Swirl, qemu-devel
Thomas Monjalon wrote:
> Alexander Graf wrote:
>
>> On 27.04.2010, at 17:31, Thomas Monjalon wrote:
>>
>>> Since commit 2ada0ed, "Return From Interrupt" is broken for PPC
>>> processors because the upper bits (POW, TGPR, ILE) of MSR were not
>>> cleared.
>>>
>> May I ask for your test case or how you stumbled over this? I haven't seen
>> any OS rely on this yet.
>>
>
> I'm running Linux for SBC834x in Qemu. The interrupt controller and board
> definition are not yet published.
>
Wow, I didn't know there were still new products based on e300.
> The boot process hang with the actual implementation of RFI.
>
Hrm.
>
>>> Below is a representation of MSR bits:
>>> 0 .. 12 13 14 15 16 .. 23 24 .. 31
>>> ————— POW TGPR ILE EE PR FP ME FE0 SE BE FE1 CE IP IR DR —— RI LE
>>>
>>> Only the 2 lower bytes (16-31) of MSR are saved to SRR1 before an
>>> interrupt. So only these bytes should be restored and the upper ones
>>> (0-15) cleared. But, referring to commit 2ada0ed, clearing all the upper
>>> bytes breaks Altivec. The compromise is to clear the well known bits
>>> (13-15).
>>>
>> IIRC this is vastly implementation dependent. Book3 lists the bits saved
>> when setting SRR1 explicitly and I haven't found a good rule of thumb yet.
>> RFI on the other hand is described as MSR <- SRR1. So I'm fairly sure RFI
>> is implemented correctly.
>>
>
> From the programming manual (MPCFPE32B):
> "The save/restore register 1 (SRR1) is used to save machine status (selected
> bits from the MSR and other implementation-specific status bits as well) on
> interrupts and to restore those values when rfi is executed.
> [..]
> When an interrupt occurs, SRR1 bits 1–4 and 10–15 are loaded with
> interrupt-specific information and MSR bits 16–23, 25–27, and 30–31 are
> placed into the corresponding bit positions of SRR1. Depending on the
> implementation, additional MSR bits may be copied to SRR1."
>
According to the 2.06 ISA, for example the DSI sets SRR1 to:
33:36 Set to 0
42:47 Set to 0
Others Loaded from the MSR
> From the e300 reference manual (e300CORERM):
> "The TGPR bit is cleared by an rfi instruction."
>
> My first try was to clear only TGPR. But it doesn't work properly if POW and
> ILE are not cleared.
>
According to the 2.06 ISA again, rfi does the following:
The contents of SRR1 are placed into the MSR. If the new MSR value does
not enable any pending exceptions, then the next instruction is fetched,
under control of the new MSR value, from the address SRR0 0:64 || 0b00.
(Note: VLE behavior may be different; see Book VLE).
Book VLE is the Variable Length Encoded Instructions Architecture, so
that doesn't come into play here.
If rfi would clear ILE, how would it be enabled then?
Alex
* Re: [Qemu-devel] [PATCH v2 4/5] target-ppc: fix RFI by clearing upper bytes of MSR
From: Thomas Monjalon @ 2010-05-18 15:17 UTC (permalink / raw)
To: qemu-devel
Alexander Graf wrote:
> Thomas Monjalon wrote:
> > I'm running Linux for SBC834x in Qemu. The interrupt controller and board
> > definition are not yet published.
>
> Wow, I didn't know there were still new products based on e300.
Sorry, I was not clear. By "not yet published", I mean that I've written Qemu
code to emulate e300 but I haven't yet sent it to the ML. I would prefer to
fix this RFI issue first.
SBC834x is not a new product.
> > From the e300 reference manual (e300CORERM):
> > "The TGPR bit is cleared by an rfi instruction."
> >
> > My first try was to clear only TGPR. But it doesn't work properly if POW
> > and ILE are not cleared.
>
> According to the 2.06 ISA again, rfi does the following:
>
> The contents of SRR1 are placed into the MSR. If the new MSR value does
> not enable any pending exceptions, then the next instruction is fetched,
> under control of the new MSR value, from the address SRR0 0:64 || 0b00.
>
> If rfi would clear ILE, how would it be enabled then?
You should be right. I have to fix a bug elsewhere.
--
Thomas
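
Added example, not part of the thread and not QEMU code: a small C model of the SRR1 save and rfi restore variants argued over above, using the bit positions from the MPCFPE32B quote and the bits 13-15 mask from patch 4/5. All function names are hypothetical, the masked rfi is modelled as a plain AND because do_rfi() itself is not shown in the thread, and the sample register values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* IBM numbering, as in the thread: bit 0 is the MSB of the 32-bit MSR. */
static uint32_t ibm_bits(unsigned first, unsigned last)
{
    uint32_t m = 0;
    for (unsigned n = first; n <= last; n++)
        m |= UINT32_C(1) << (31 - n);
    return m;
}

/* POW, TGPR, ILE: the bits patch 4/5 clears on rfi. */
static uint32_t upper_mask(void) { return ibm_bits(13, 15); }

/* MSR bits copied to SRR1 on an interrupt, per the MPCFPE32B quote. */
static uint32_t copied_mask(void)
{
    return ibm_bits(16, 23) | ibm_bits(25, 27) | ibm_bits(30, 31);
}

/* SRR1 bits loaded with interrupt-specific information, same quote. */
static uint32_t info_mask(void) { return ibm_bits(1, 4) | ibm_bits(10, 15); }

/* Interrupt entry following the manual. Bits outside both masks are left
 * at 0 (assumption: the quote lets implementations copy more). */
static uint32_t srr1_save_manual(uint32_t msr, uint32_t info)
{
    return (msr & copied_mask()) | (info & info_mask());
}

/* Interrupt entry as on the "-" line of the helper.c hunk: SRR1 = MSR. */
static uint32_t srr1_save_whole(uint32_t msr) { return msr; }

/* rfi as read from the ISA in the thread: MSR <- SRR1. */
static uint32_t rfi_plain(uint32_t srr1) { return srr1; }

/* rfi with the patch 4/5 mask, modelled as a plain AND (assumption). */
static uint32_t rfi_masked(uint32_t srr1) { return srr1 & ~upper_mask(); }

int main(void)
{
    /* Constructed sample: TGPR | EE | ME | IR | DR | RI at interrupt time. */
    const uint32_t msr = ibm_bits(14, 14) | ibm_bits(16, 16) | ibm_bits(19, 19)
                       | ibm_bits(26, 27) | ibm_bits(30, 30);
    /* Constructed sample: a handler sets ILE in SRR1 before executing rfi. */
    const uint32_t srr1_ile = srr1_save_manual(msr, 0) | ibm_bits(15, 15);

    printf("upper mask (13-15)        %08x\n", (unsigned)upper_mask());
    printf("copied mask               %08x\n", (unsigned)copied_mask());
    printf("MSR at interrupt          %08x\n", (unsigned)msr);
    /* Whole-MSR save plus plain rfi brings the stale TGPR bit back. */
    printf("save whole,  rfi plain    %08x\n",
           (unsigned)rfi_plain(srr1_save_whole(msr)));
    /* Filtering at save time drops it without touching rfi. */
    printf("save manual, rfi plain    %08x\n",
           (unsigned)rfi_plain(srr1_save_manual(msr, 0)));
    /* Masking in rfi also discards an ILE bit the handler set on purpose. */
    printf("ILE in SRR1, rfi plain    %08x\n", (unsigned)rfi_plain(srr1_ile));
    printf("ILE in SRR1, rfi masked   %08x\n", (unsigned)rfi_masked(srr1_ile));
    return 0;
}
```

The two masks OR together to 0x0007FF73, the POWERPC_MSRM_603E value visible in patch 3/5. The last two output lines show the case behind the question of how ILE could ever be enabled if rfi cleared it.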