]> git.proxmox.com Git - mirror_qemu.git/blob - target/arm/debug_helper.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
target/arm: Don't implement *32_EL2 registers when EL1 is AArch64 only
[mirror_qemu.git] / target / arm / debug_helper.c
1 /*
2 * ARM debug helpers.
3 *
4 * This code is licensed under the GNU GPL v2 or later.
5 *
6 * SPDX-License-Identifier: GPL-2.0-or-later
7 */
8 #include "qemu/osdep.h"
9 #include "qemu/log.h"
10 #include "cpu.h"
11 #include "internals.h"
12 #include "cpu-features.h"
13 #include "cpregs.h"
14 #include "exec/exec-all.h"
15 #include "exec/helper-proto.h"
16 #include "sysemu/tcg.h"
17
18 #ifdef CONFIG_TCG
19 /* Return the Exception Level targeted by debug exceptions. */
20 static int arm_debug_target_el(CPUARMState *env)
21 {
22 bool secure = arm_is_secure(env);
23 bool route_to_el2 = false;
24
25 if (arm_feature(env, ARM_FEATURE_M)) {
26 return 1;
27 }
28
29 if (arm_is_el2_enabled(env)) {
30 route_to_el2 = env->cp15.hcr_el2 & HCR_TGE ||
31 env->cp15.mdcr_el2 & MDCR_TDE;
32 }
33
34 if (route_to_el2) {
35 return 2;
36 } else if (arm_feature(env, ARM_FEATURE_EL3) &&
37 !arm_el_is_aa64(env, 3) && secure) {
38 return 3;
39 } else {
40 return 1;
41 }
42 }
43
44 /*
45 * Raise an exception to the debug target el.
46 * Modify syndrome to indicate when origin and target EL are the same.
47 */
48 G_NORETURN static void
49 raise_exception_debug(CPUARMState *env, uint32_t excp, uint32_t syndrome)
50 {
51 int debug_el = arm_debug_target_el(env);
52 int cur_el = arm_current_el(env);
53
54 /*
55 * If singlestep is targeting a lower EL than the current one, then
56 * DisasContext.ss_active must be false and we can never get here.
57 * Similarly for watchpoint and breakpoint matches.
58 */
59 assert(debug_el >= cur_el);
60 syndrome |= (debug_el == cur_el) << ARM_EL_EC_SHIFT;
61 raise_exception(env, excp, syndrome, debug_el);
62 }
63
64 /* See AArch64.GenerateDebugExceptionsFrom() in ARM ARM pseudocode */
65 static bool aa64_generate_debug_exceptions(CPUARMState *env)
66 {
67 int cur_el = arm_current_el(env);
68 int debug_el;
69
70 if (cur_el == 3) {
71 return false;
72 }
73
74 /* MDCR_EL3.SDD disables debug events from Secure state */
75 if (arm_is_secure_below_el3(env)
76 && extract32(env->cp15.mdcr_el3, 16, 1)) {
77 return false;
78 }
79
80 /*
81 * Same EL to same EL debug exceptions need MDSCR_KDE enabled
82 * while not masking the (D)ebug bit in DAIF.
83 */
84 debug_el = arm_debug_target_el(env);
85
86 if (cur_el == debug_el) {
87 return extract32(env->cp15.mdscr_el1, 13, 1)
88 && !(env->daif & PSTATE_D);
89 }
90
91 /* Otherwise the debug target needs to be a higher EL */
92 return debug_el > cur_el;
93 }
94
95 static bool aa32_generate_debug_exceptions(CPUARMState *env)
96 {
97 int el = arm_current_el(env);
98
99 if (el == 0 && arm_el_is_aa64(env, 1)) {
100 return aa64_generate_debug_exceptions(env);
101 }
102
103 if (arm_is_secure(env)) {
104 int spd;
105
106 if (el == 0 && (env->cp15.sder & 1)) {
107 /*
108 * SDER.SUIDEN means debug exceptions from Secure EL0
109 * are always enabled. Otherwise they are controlled by
110 * SDCR.SPD like those from other Secure ELs.
111 */
112 return true;
113 }
114
115 spd = extract32(env->cp15.mdcr_el3, 14, 2);
116 switch (spd) {
117 case 1:
118 /* SPD == 0b01 is reserved, but behaves as 0b00. */
119 case 0:
120 /*
121 * For 0b00 we return true if external secure invasive debug
122 * is enabled. On real hardware this is controlled by external
123 * signals to the core. QEMU always permits debug, and behaves
124 * as if DBGEN, SPIDEN, NIDEN and SPNIDEN are all tied high.
125 */
126 return true;
127 case 2:
128 return false;
129 case 3:
130 return true;
131 }
132 }
133
134 return el != 2;
135 }
136
137 /*
138 * Return true if debugging exceptions are currently enabled.
139 * This corresponds to what in ARM ARM pseudocode would be
140 * if UsingAArch32() then
141 * return AArch32.GenerateDebugExceptions()
142 * else
143 * return AArch64.GenerateDebugExceptions()
144 * We choose to push the if() down into this function for clarity,
145 * since the pseudocode has it at all callsites except for the one in
146 * CheckSoftwareStep(), where it is elided because both branches would
147 * always return the same value.
148 */
149 bool arm_generate_debug_exceptions(CPUARMState *env)
150 {
151 if ((env->cp15.oslsr_el1 & 1) || (env->cp15.osdlr_el1 & 1)) {
152 return false;
153 }
154 if (is_a64(env)) {
155 return aa64_generate_debug_exceptions(env);
156 } else {
157 return aa32_generate_debug_exceptions(env);
158 }
159 }
160
161 /*
162 * Is single-stepping active? (Note that the "is EL_D AArch64?" check
163 * implicitly means this always returns false in pre-v8 CPUs.)
164 */
165 bool arm_singlestep_active(CPUARMState *env)
166 {
167 return extract32(env->cp15.mdscr_el1, 0, 1)
168 && arm_el_is_aa64(env, arm_debug_target_el(env))
169 && arm_generate_debug_exceptions(env);
170 }
171
172 /* Return true if the linked breakpoint entry lbn passes its checks */
173 static bool linked_bp_matches(ARMCPU *cpu, int lbn)
174 {
175 CPUARMState *env = &cpu->env;
176 uint64_t bcr = env->cp15.dbgbcr[lbn];
177 int brps = arm_num_brps(cpu);
178 int ctx_cmps = arm_num_ctx_cmps(cpu);
179 int bt;
180 uint32_t contextidr;
181 uint64_t hcr_el2;
182
183 /*
184 * Links to unimplemented or non-context aware breakpoints are
185 * CONSTRAINED UNPREDICTABLE: either behave as if disabled, or
186 * as if linked to an UNKNOWN context-aware breakpoint (in which
187 * case DBGWCR<n>_EL1.LBN must indicate that breakpoint).
188 * We choose the former.
189 */
190 if (lbn >= brps || lbn < (brps - ctx_cmps)) {
191 return false;
192 }
193
194 bcr = env->cp15.dbgbcr[lbn];
195
196 if (extract64(bcr, 0, 1) == 0) {
197 /* Linked breakpoint disabled : generate no events */
198 return false;
199 }
200
201 bt = extract64(bcr, 20, 4);
202 hcr_el2 = arm_hcr_el2_eff(env);
203
204 switch (bt) {
205 case 3: /* linked context ID match */
206 switch (arm_current_el(env)) {
207 default:
208 /* Context matches never fire in AArch64 EL3 */
209 return false;
210 case 2:
211 if (!(hcr_el2 & HCR_E2H)) {
212 /* Context matches never fire in EL2 without E2H enabled. */
213 return false;
214 }
215 contextidr = env->cp15.contextidr_el[2];
216 break;
217 case 1:
218 contextidr = env->cp15.contextidr_el[1];
219 break;
220 case 0:
221 if ((hcr_el2 & (HCR_E2H | HCR_TGE)) == (HCR_E2H | HCR_TGE)) {
222 contextidr = env->cp15.contextidr_el[2];
223 } else {
224 contextidr = env->cp15.contextidr_el[1];
225 }
226 break;
227 }
228 break;
229
230 case 7: /* linked contextidr_el1 match */
231 contextidr = env->cp15.contextidr_el[1];
232 break;
233 case 13: /* linked contextidr_el2 match */
234 contextidr = env->cp15.contextidr_el[2];
235 break;
236
237 case 9: /* linked VMID match (reserved if no EL2) */
238 case 11: /* linked context ID and VMID match (reserved if no EL2) */
239 case 15: /* linked full context ID match */
240 default:
241 /*
242 * Links to Unlinked context breakpoints must generate no
243 * events; we choose to do the same for reserved values too.
244 */
245 return false;
246 }
247
248 /*
249 * We match the whole register even if this is AArch32 using the
250 * short descriptor format (in which case it holds both PROCID and ASID),
251 * since we don't implement the optional v7 context ID masking.
252 */
253 return contextidr == (uint32_t)env->cp15.dbgbvr[lbn];
254 }
255
256 static bool bp_wp_matches(ARMCPU *cpu, int n, bool is_wp)
257 {
258 CPUARMState *env = &cpu->env;
259 uint64_t cr;
260 int pac, hmc, ssc, wt, lbn;
261 /*
262 * Note that for watchpoints the check is against the CPU security
263 * state, not the S/NS attribute on the offending data access.
264 */
265 bool is_secure = arm_is_secure(env);
266 int access_el = arm_current_el(env);
267
268 if (is_wp) {
269 CPUWatchpoint *wp = env->cpu_watchpoint[n];
270
271 if (!wp || !(wp->flags & BP_WATCHPOINT_HIT)) {
272 return false;
273 }
274 cr = env->cp15.dbgwcr[n];
275 if (wp->hitattrs.user) {
276 /*
277 * The LDRT/STRT/LDT/STT "unprivileged access" instructions should
278 * match watchpoints as if they were accesses done at EL0, even if
279 * the CPU is at EL1 or higher.
280 */
281 access_el = 0;
282 }
283 } else {
284 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
285
286 if (!env->cpu_breakpoint[n] || env->cpu_breakpoint[n]->pc != pc) {
287 return false;
288 }
289 cr = env->cp15.dbgbcr[n];
290 }
291 /*
292 * The WATCHPOINT_HIT flag guarantees us that the watchpoint is
293 * enabled and that the address and access type match; for breakpoints
294 * we know the address matched; check the remaining fields, including
295 * linked breakpoints. We rely on WCR and BCR having the same layout
296 * for the LBN, SSC, HMC, PAC/PMC and is-linked fields.
297 * Note that some combinations of {PAC, HMC, SSC} are reserved and
298 * must act either like some valid combination or as if the watchpoint
299 * were disabled. We choose the former, and use this together with
300 * the fact that EL3 must always be Secure and EL2 must always be
301 * Non-Secure to simplify the code slightly compared to the full
302 * table in the ARM ARM.
303 */
304 pac = FIELD_EX64(cr, DBGWCR, PAC);
305 hmc = FIELD_EX64(cr, DBGWCR, HMC);
306 ssc = FIELD_EX64(cr, DBGWCR, SSC);
307
308 switch (ssc) {
309 case 0:
310 break;
311 case 1:
312 case 3:
313 if (is_secure) {
314 return false;
315 }
316 break;
317 case 2:
318 if (!is_secure) {
319 return false;
320 }
321 break;
322 }
323
324 switch (access_el) {
325 case 3:
326 case 2:
327 if (!hmc) {
328 return false;
329 }
330 break;
331 case 1:
332 if (extract32(pac, 0, 1) == 0) {
333 return false;
334 }
335 break;
336 case 0:
337 if (extract32(pac, 1, 1) == 0) {
338 return false;
339 }
340 break;
341 default:
342 g_assert_not_reached();
343 }
344
345 wt = FIELD_EX64(cr, DBGWCR, WT);
346 lbn = FIELD_EX64(cr, DBGWCR, LBN);
347
348 if (wt && !linked_bp_matches(cpu, lbn)) {
349 return false;
350 }
351
352 return true;
353 }
354
355 static bool check_watchpoints(ARMCPU *cpu)
356 {
357 CPUARMState *env = &cpu->env;
358 int n;
359
360 /*
361 * If watchpoints are disabled globally or we can't take debug
362 * exceptions here then watchpoint firings are ignored.
363 */
364 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
365 || !arm_generate_debug_exceptions(env)) {
366 return false;
367 }
368
369 for (n = 0; n < ARRAY_SIZE(env->cpu_watchpoint); n++) {
370 if (bp_wp_matches(cpu, n, true)) {
371 return true;
372 }
373 }
374 return false;
375 }
376
377 bool arm_debug_check_breakpoint(CPUState *cs)
378 {
379 ARMCPU *cpu = ARM_CPU(cs);
380 CPUARMState *env = &cpu->env;
381 target_ulong pc;
382 int n;
383
384 /*
385 * If breakpoints are disabled globally or we can't take debug
386 * exceptions here then breakpoint firings are ignored.
387 */
388 if (extract32(env->cp15.mdscr_el1, 15, 1) == 0
389 || !arm_generate_debug_exceptions(env)) {
390 return false;
391 }
392
393 /*
394 * Single-step exceptions have priority over breakpoint exceptions.
395 * If single-step state is active-pending, suppress the bp.
396 */
397 if (arm_singlestep_active(env) && !(env->pstate & PSTATE_SS)) {
398 return false;
399 }
400
401 /*
402 * PC alignment faults have priority over breakpoint exceptions.
403 */
404 pc = is_a64(env) ? env->pc : env->regs[15];
405 if ((is_a64(env) || !env->thumb) && (pc & 3) != 0) {
406 return false;
407 }
408
409 /*
410 * Instruction aborts have priority over breakpoint exceptions.
411 * TODO: We would need to look up the page for PC and verify that
412 * it is present and executable.
413 */
414
415 for (n = 0; n < ARRAY_SIZE(env->cpu_breakpoint); n++) {
416 if (bp_wp_matches(cpu, n, false)) {
417 return true;
418 }
419 }
420 return false;
421 }
422
423 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
424 {
425 /*
426 * Called by core code when a CPU watchpoint fires; need to check if this
427 * is also an architectural watchpoint match.
428 */
429 ARMCPU *cpu = ARM_CPU(cs);
430
431 return check_watchpoints(cpu);
432 }
433
434 /*
435 * Return the FSR value for a debug exception (watchpoint, hardware
436 * breakpoint or BKPT insn) targeting the specified exception level.
437 */
438 static uint32_t arm_debug_exception_fsr(CPUARMState *env)
439 {
440 ARMMMUFaultInfo fi = { .type = ARMFault_Debug };
441 int target_el = arm_debug_target_el(env);
442 bool using_lpae;
443
444 if (arm_feature(env, ARM_FEATURE_M)) {
445 using_lpae = false;
446 } else if (target_el == 2 || arm_el_is_aa64(env, target_el)) {
447 using_lpae = true;
448 } else if (arm_feature(env, ARM_FEATURE_PMSA) &&
449 arm_feature(env, ARM_FEATURE_V8)) {
450 using_lpae = true;
451 } else if (arm_feature(env, ARM_FEATURE_LPAE) &&
452 (env->cp15.tcr_el[target_el] & TTBCR_EAE)) {
453 using_lpae = true;
454 } else {
455 using_lpae = false;
456 }
457
458 if (using_lpae) {
459 return arm_fi_to_lfsc(&fi);
460 } else {
461 return arm_fi_to_sfsc(&fi);
462 }
463 }
464
465 void arm_debug_excp_handler(CPUState *cs)
466 {
467 /*
468 * Called by core code when a watchpoint or breakpoint fires;
469 * need to check which one and raise the appropriate exception.
470 */
471 ARMCPU *cpu = ARM_CPU(cs);
472 CPUARMState *env = &cpu->env;
473 CPUWatchpoint *wp_hit = cs->watchpoint_hit;
474
475 if (wp_hit) {
476 if (wp_hit->flags & BP_CPU) {
477 bool wnr = (wp_hit->flags & BP_WATCHPOINT_HIT_WRITE) != 0;
478
479 cs->watchpoint_hit = NULL;
480
481 env->exception.fsr = arm_debug_exception_fsr(env);
482 env->exception.vaddress = wp_hit->hitaddr;
483 raise_exception_debug(env, EXCP_DATA_ABORT,
484 syn_watchpoint(0, 0, wnr));
485 }
486 } else {
487 uint64_t pc = is_a64(env) ? env->pc : env->regs[15];
488
489 /*
490 * (1) GDB breakpoints should be handled first.
491 * (2) Do not raise a CPU exception if no CPU breakpoint has fired,
492 * since singlestep is also done by generating a debug internal
493 * exception.
494 */
495 if (cpu_breakpoint_test(cs, pc, BP_GDB)
496 || !cpu_breakpoint_test(cs, pc, BP_CPU)) {
497 return;
498 }
499
500 env->exception.fsr = arm_debug_exception_fsr(env);
501 /*
502 * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
503 * values to the guest that it shouldn't be able to see at its
504 * exception/security level.
505 */
506 env->exception.vaddress = 0;
507 raise_exception_debug(env, EXCP_PREFETCH_ABORT, syn_breakpoint(0));
508 }
509 }
510
511 /*
512 * Raise an EXCP_BKPT with the specified syndrome register value,
513 * targeting the correct exception level for debug exceptions.
514 */
515 void HELPER(exception_bkpt_insn)(CPUARMState *env, uint32_t syndrome)
516 {
517 int debug_el = arm_debug_target_el(env);
518 int cur_el = arm_current_el(env);
519
520 /* FSR will only be used if the debug target EL is AArch32. */
521 env->exception.fsr = arm_debug_exception_fsr(env);
522 /*
523 * FAR is UNKNOWN: clear vaddress to avoid potentially exposing
524 * values to the guest that it shouldn't be able to see at its
525 * exception/security level.
526 */
527 env->exception.vaddress = 0;
528 /*
529 * Other kinds of architectural debug exception are ignored if
530 * they target an exception level below the current one (in QEMU
531 * this is checked by arm_generate_debug_exceptions()). Breakpoint
532 * instructions are special because they always generate an exception
533 * to somewhere: if they can't go to the configured debug exception
534 * level they are taken to the current exception level.
535 */
536 if (debug_el < cur_el) {
537 debug_el = cur_el;
538 }
539 raise_exception(env, EXCP_BKPT, syndrome, debug_el);
540 }
541
542 void HELPER(exception_swstep)(CPUARMState *env, uint32_t syndrome)
543 {
544 raise_exception_debug(env, EXCP_UDEF, syndrome);
545 }
546
547 void hw_watchpoint_update(ARMCPU *cpu, int n)
548 {
549 CPUARMState *env = &cpu->env;
550 vaddr len = 0;
551 vaddr wvr = env->cp15.dbgwvr[n];
552 uint64_t wcr = env->cp15.dbgwcr[n];
553 int mask;
554 int flags = BP_CPU | BP_STOP_BEFORE_ACCESS;
555
556 if (env->cpu_watchpoint[n]) {
557 cpu_watchpoint_remove_by_ref(CPU(cpu), env->cpu_watchpoint[n]);
558 env->cpu_watchpoint[n] = NULL;
559 }
560
561 if (!FIELD_EX64(wcr, DBGWCR, E)) {
562 /* E bit clear : watchpoint disabled */
563 return;
564 }
565
566 switch (FIELD_EX64(wcr, DBGWCR, LSC)) {
567 case 0:
568 /* LSC 00 is reserved and must behave as if the wp is disabled */
569 return;
570 case 1:
571 flags |= BP_MEM_READ;
572 break;
573 case 2:
574 flags |= BP_MEM_WRITE;
575 break;
576 case 3:
577 flags |= BP_MEM_ACCESS;
578 break;
579 }
580
581 /*
582 * Attempts to use both MASK and BAS fields simultaneously are
583 * CONSTRAINED UNPREDICTABLE; we opt to ignore BAS in this case,
584 * thus generating a watchpoint for every byte in the masked region.
585 */
586 mask = FIELD_EX64(wcr, DBGWCR, MASK);
587 if (mask == 1 || mask == 2) {
588 /*
589 * Reserved values of MASK; we must act as if the mask value was
590 * some non-reserved value, or as if the watchpoint were disabled.
591 * We choose the latter.
592 */
593 return;
594 } else if (mask) {
595 /* Watchpoint covers an aligned area up to 2GB in size */
596 len = 1ULL << mask;
597 /*
598 * If masked bits in WVR are not zero it's CONSTRAINED UNPREDICTABLE
599 * whether the watchpoint fires when the unmasked bits match; we opt
600 * to generate the exceptions.
601 */
602 wvr &= ~(len - 1);
603 } else {
604 /* Watchpoint covers bytes defined by the byte address select bits */
605 int bas = FIELD_EX64(wcr, DBGWCR, BAS);
606 int basstart;
607
608 if (extract64(wvr, 2, 1)) {
609 /*
610 * Deprecated case of an only 4-aligned address. BAS[7:4] are
611 * ignored, and BAS[3:0] define which bytes to watch.
612 */
613 bas &= 0xf;
614 }
615
616 if (bas == 0) {
617 /* This must act as if the watchpoint is disabled */
618 return;
619 }
620
621 /*
622 * The BAS bits are supposed to be programmed to indicate a contiguous
623 * range of bytes. Otherwise it is CONSTRAINED UNPREDICTABLE whether
624 * we fire for each byte in the word/doubleword addressed by the WVR.
625 * We choose to ignore any non-zero bits after the first range of 1s.
626 */
627 basstart = ctz32(bas);
628 len = cto32(bas >> basstart);
629 wvr += basstart;
630 }
631
632 cpu_watchpoint_insert(CPU(cpu), wvr, len, flags,
633 &env->cpu_watchpoint[n]);
634 }
635
636 void hw_watchpoint_update_all(ARMCPU *cpu)
637 {
638 int i;
639 CPUARMState *env = &cpu->env;
640
641 /*
642 * Completely clear out existing QEMU watchpoints and our array, to
643 * avoid possible stale entries following migration load.
644 */
645 cpu_watchpoint_remove_all(CPU(cpu), BP_CPU);
646 memset(env->cpu_watchpoint, 0, sizeof(env->cpu_watchpoint));
647
648 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_watchpoint); i++) {
649 hw_watchpoint_update(cpu, i);
650 }
651 }
652
653 void hw_breakpoint_update(ARMCPU *cpu, int n)
654 {
655 CPUARMState *env = &cpu->env;
656 uint64_t bvr = env->cp15.dbgbvr[n];
657 uint64_t bcr = env->cp15.dbgbcr[n];
658 vaddr addr;
659 int bt;
660 int flags = BP_CPU;
661
662 if (env->cpu_breakpoint[n]) {
663 cpu_breakpoint_remove_by_ref(CPU(cpu), env->cpu_breakpoint[n]);
664 env->cpu_breakpoint[n] = NULL;
665 }
666
667 if (!extract64(bcr, 0, 1)) {
668 /* E bit clear : watchpoint disabled */
669 return;
670 }
671
672 bt = extract64(bcr, 20, 4);
673
674 switch (bt) {
675 case 4: /* unlinked address mismatch (reserved if AArch64) */
676 case 5: /* linked address mismatch (reserved if AArch64) */
677 qemu_log_mask(LOG_UNIMP,
678 "arm: address mismatch breakpoint types not implemented\n");
679 return;
680 case 0: /* unlinked address match */
681 case 1: /* linked address match */
682 {
683 /*
684 * Bits [1:0] are RES0.
685 *
686 * It is IMPLEMENTATION DEFINED whether bits [63:49]
687 * ([63:53] for FEAT_LVA) are hardwired to a copy of the sign bit
688 * of the VA field ([48] or [52] for FEAT_LVA), or whether the
689 * value is read as written. It is CONSTRAINED UNPREDICTABLE
690 * whether the RESS bits are ignored when comparing an address.
691 * Therefore we are allowed to compare the entire register, which
692 * lets us avoid considering whether FEAT_LVA is actually enabled.
693 *
694 * The BAS field is used to allow setting breakpoints on 16-bit
695 * wide instructions; it is CONSTRAINED UNPREDICTABLE whether
696 * a bp will fire if the addresses covered by the bp and the addresses
697 * covered by the insn overlap but the insn doesn't start at the
698 * start of the bp address range. We choose to require the insn and
699 * the bp to have the same address. The constraints on writing to
700 * BAS enforced in dbgbcr_write mean we have only four cases:
701 * 0b0000 => no breakpoint
702 * 0b0011 => breakpoint on addr
703 * 0b1100 => breakpoint on addr + 2
704 * 0b1111 => breakpoint on addr
705 * See also figure D2-3 in the v8 ARM ARM (DDI0487A.c).
706 */
707 int bas = extract64(bcr, 5, 4);
708 addr = bvr & ~3ULL;
709 if (bas == 0) {
710 return;
711 }
712 if (bas == 0xc) {
713 addr += 2;
714 }
715 break;
716 }
717 case 2: /* unlinked context ID match */
718 case 8: /* unlinked VMID match (reserved if no EL2) */
719 case 10: /* unlinked context ID and VMID match (reserved if no EL2) */
720 qemu_log_mask(LOG_UNIMP,
721 "arm: unlinked context breakpoint types not implemented\n");
722 return;
723 case 9: /* linked VMID match (reserved if no EL2) */
724 case 11: /* linked context ID and VMID match (reserved if no EL2) */
725 case 3: /* linked context ID match */
726 default:
727 /*
728 * We must generate no events for Linked context matches (unless
729 * they are linked to by some other bp/wp, which is handled in
730 * updates for the linking bp/wp). We choose to also generate no events
731 * for reserved values.
732 */
733 return;
734 }
735
736 cpu_breakpoint_insert(CPU(cpu), addr, flags, &env->cpu_breakpoint[n]);
737 }
738
739 void hw_breakpoint_update_all(ARMCPU *cpu)
740 {
741 int i;
742 CPUARMState *env = &cpu->env;
743
744 /*
745 * Completely clear out existing QEMU breakpoints and our array, to
746 * avoid possible stale entries following migration load.
747 */
748 cpu_breakpoint_remove_all(CPU(cpu), BP_CPU);
749 memset(env->cpu_breakpoint, 0, sizeof(env->cpu_breakpoint));
750
751 for (i = 0; i < ARRAY_SIZE(cpu->env.cpu_breakpoint); i++) {
752 hw_breakpoint_update(cpu, i);
753 }
754 }
755
756 #if !defined(CONFIG_USER_ONLY)
757
758 vaddr arm_adjust_watchpoint_address(CPUState *cs, vaddr addr, int len)
759 {
760 ARMCPU *cpu = ARM_CPU(cs);
761 CPUARMState *env = &cpu->env;
762
763 /*
764 * In BE32 system mode, target memory is stored byteswapped (on a
765 * little-endian host system), and by the time we reach here (via an
766 * opcode helper) the addresses of subword accesses have been adjusted
767 * to account for that, which means that watchpoints will not match.
768 * Undo the adjustment here.
769 */
770 if (arm_sctlr_b(env)) {
771 if (len == 1) {
772 addr ^= 3;
773 } else if (len == 2) {
774 addr ^= 2;
775 }
776 }
777
778 return addr;
779 }
780
781 #endif /* !CONFIG_USER_ONLY */
782 #endif /* CONFIG_TCG */
783
784 /*
785 * Check for traps to "powerdown debug" registers, which are controlled
786 * by MDCR.TDOSA
787 */
788 static CPAccessResult access_tdosa(CPUARMState *env, const ARMCPRegInfo *ri,
789 bool isread)
790 {
791 int el = arm_current_el(env);
792 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
793 bool mdcr_el2_tdosa = (mdcr_el2 & MDCR_TDOSA) || (mdcr_el2 & MDCR_TDE) ||
794 (arm_hcr_el2_eff(env) & HCR_TGE);
795
796 if (el < 2 && mdcr_el2_tdosa) {
797 return CP_ACCESS_TRAP_EL2;
798 }
799 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDOSA)) {
800 return CP_ACCESS_TRAP_EL3;
801 }
802 return CP_ACCESS_OK;
803 }
804
805 /*
806 * Check for traps to "debug ROM" registers, which are controlled
807 * by MDCR_EL2.TDRA for EL2 but by the more general MDCR_EL3.TDA for EL3.
808 */
809 static CPAccessResult access_tdra(CPUARMState *env, const ARMCPRegInfo *ri,
810 bool isread)
811 {
812 int el = arm_current_el(env);
813 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
814 bool mdcr_el2_tdra = (mdcr_el2 & MDCR_TDRA) || (mdcr_el2 & MDCR_TDE) ||
815 (arm_hcr_el2_eff(env) & HCR_TGE);
816
817 if (el < 2 && mdcr_el2_tdra) {
818 return CP_ACCESS_TRAP_EL2;
819 }
820 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {
821 return CP_ACCESS_TRAP_EL3;
822 }
823 return CP_ACCESS_OK;
824 }
825
826 /*
827 * Check for traps to general debug registers, which are controlled
828 * by MDCR_EL2.TDA for EL2 and MDCR_EL3.TDA for EL3.
829 */
830 static CPAccessResult access_tda(CPUARMState *env, const ARMCPRegInfo *ri,
831 bool isread)
832 {
833 int el = arm_current_el(env);
834 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
835 bool mdcr_el2_tda = (mdcr_el2 & MDCR_TDA) || (mdcr_el2 & MDCR_TDE) ||
836 (arm_hcr_el2_eff(env) & HCR_TGE);
837
838 if (el < 2 && mdcr_el2_tda) {
839 return CP_ACCESS_TRAP_EL2;
840 }
841 if (el < 3 && (env->cp15.mdcr_el3 & MDCR_TDA)) {
842 return CP_ACCESS_TRAP_EL3;
843 }
844 return CP_ACCESS_OK;
845 }
846
847 /*
848 * Check for traps to Debug Comms Channel registers. If FEAT_FGT
849 * is implemented then these are controlled by MDCR_EL2.TDCC for
850 * EL2 and MDCR_EL3.TDCC for EL3. They are also controlled by
851 * the general debug access trap bits MDCR_EL2.TDA and MDCR_EL3.TDA.
852 * For EL0, they are also controlled by MDSCR_EL1.TDCC.
853 */
854 static CPAccessResult access_tdcc(CPUARMState *env, const ARMCPRegInfo *ri,
855 bool isread)
856 {
857 int el = arm_current_el(env);
858 uint64_t mdcr_el2 = arm_mdcr_el2_eff(env);
859 bool mdscr_el1_tdcc = extract32(env->cp15.mdscr_el1, 12, 1);
860 bool mdcr_el2_tda = (mdcr_el2 & MDCR_TDA) || (mdcr_el2 & MDCR_TDE) ||
861 (arm_hcr_el2_eff(env) & HCR_TGE);
862 bool mdcr_el2_tdcc = cpu_isar_feature(aa64_fgt, env_archcpu(env)) &&
863 (mdcr_el2 & MDCR_TDCC);
864 bool mdcr_el3_tdcc = cpu_isar_feature(aa64_fgt, env_archcpu(env)) &&
865 (env->cp15.mdcr_el3 & MDCR_TDCC);
866
867 if (el < 1 && mdscr_el1_tdcc) {
868 return CP_ACCESS_TRAP;
869 }
870 if (el < 2 && (mdcr_el2_tda || mdcr_el2_tdcc)) {
871 return CP_ACCESS_TRAP_EL2;
872 }
873 if (el < 3 && ((env->cp15.mdcr_el3 & MDCR_TDA) || mdcr_el3_tdcc)) {
874 return CP_ACCESS_TRAP_EL3;
875 }
876 return CP_ACCESS_OK;
877 }
878
879 static void oslar_write(CPUARMState *env, const ARMCPRegInfo *ri,
880 uint64_t value)
881 {
882 /*
883 * Writes to OSLAR_EL1 may update the OS lock status, which can be
884 * read via a bit in OSLSR_EL1.
885 */
886 int oslock;
887
888 if (ri->state == ARM_CP_STATE_AA32) {
889 oslock = (value == 0xC5ACCE55);
890 } else {
891 oslock = value & 1;
892 }
893
894 env->cp15.oslsr_el1 = deposit32(env->cp15.oslsr_el1, 1, 1, oslock);
895 }
896
897 static void osdlr_write(CPUARMState *env, const ARMCPRegInfo *ri,
898 uint64_t value)
899 {
900 ARMCPU *cpu = env_archcpu(env);
901 /*
902 * Only defined bit is bit 0 (DLK); if Feat_DoubleLock is not
903 * implemented this is RAZ/WI.
904 */
905 if(arm_feature(env, ARM_FEATURE_AARCH64)
906 ? cpu_isar_feature(aa64_doublelock, cpu)
907 : cpu_isar_feature(aa32_doublelock, cpu)) {
908 env->cp15.osdlr_el1 = value & 1;
909 }
910 }
911
912 static void dbgclaimset_write(CPUARMState *env, const ARMCPRegInfo *ri,
913 uint64_t value)
914 {
915 env->cp15.dbgclaim |= (value & 0xFF);
916 }
917
918 static uint64_t dbgclaimset_read(CPUARMState *env, const ARMCPRegInfo *ri)
919 {
920 /* CLAIM bits are RAO */
921 return 0xFF;
922 }
923
924 static void dbgclaimclr_write(CPUARMState *env, const ARMCPRegInfo *ri,
925 uint64_t value)
926 {
927 env->cp15.dbgclaim &= ~(value & 0xFF);
928 }
929
930 static const ARMCPRegInfo debug_cp_reginfo[] = {
931 /*
932 * DBGDRAR, DBGDSAR: always RAZ since we don't implement memory mapped
933 * debug components. The AArch64 version of DBGDRAR is named MDRAR_EL1;
934 * unlike DBGDRAR it is never accessible from EL0.
935 * DBGDSAR is deprecated and must RAZ from v8 anyway, so it has no AArch64
936 * accessor.
937 */
938 { .name = "DBGDRAR", .cp = 14, .crn = 1, .crm = 0, .opc1 = 0, .opc2 = 0,
939 .access = PL0_R, .accessfn = access_tdra,
940 .type = ARM_CP_CONST | ARM_CP_NO_GDB, .resetvalue = 0 },
941 { .name = "MDRAR_EL1", .state = ARM_CP_STATE_AA64,
942 .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 0,
943 .access = PL1_R, .accessfn = access_tdra,
944 .type = ARM_CP_CONST, .resetvalue = 0 },
945 { .name = "DBGDSAR", .cp = 14, .crn = 2, .crm = 0, .opc1 = 0, .opc2 = 0,
946 .access = PL0_R, .accessfn = access_tdra,
947 .type = ARM_CP_CONST | ARM_CP_NO_GDB, .resetvalue = 0 },
948 /* Monitor debug system control register; the 32-bit alias is DBGDSCRext. */
949 { .name = "MDSCR_EL1", .state = ARM_CP_STATE_BOTH,
950 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 2,
951 .access = PL1_RW, .accessfn = access_tda,
952 .fgt = FGT_MDSCR_EL1,
953 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1),
954 .resetvalue = 0 },
955 /*
956 * MDCCSR_EL0[30:29] map to EDSCR[30:29]. Simply RAZ as the external
957 * Debug Communication Channel is not implemented.
958 */
959 { .name = "MDCCSR_EL0", .state = ARM_CP_STATE_AA64,
960 .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 1, .opc2 = 0,
961 .access = PL0_R, .accessfn = access_tdcc,
962 .type = ARM_CP_CONST, .resetvalue = 0 },
963 /*
964 * These registers belong to the Debug Communications Channel,
965 * which is not implemented. However we implement RAZ/WI behaviour
966 * with trapping to prevent spurious SIGILLs if the guest OS does
967 * access them as the support cannot be probed for.
968 */
969 { .name = "OSDTRRX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
970 .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 0, .opc2 = 2,
971 .access = PL1_RW, .accessfn = access_tdcc,
972 .type = ARM_CP_CONST, .resetvalue = 0 },
973 { .name = "OSDTRTX_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
974 .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 3, .opc2 = 2,
975 .access = PL1_RW, .accessfn = access_tdcc,
976 .type = ARM_CP_CONST, .resetvalue = 0 },
977 /* DBGDTRTX_EL0/DBGDTRRX_EL0 depend on direction */
978 { .name = "DBGDTR_EL0", .state = ARM_CP_STATE_BOTH, .cp = 14,
979 .opc0 = 2, .opc1 = 3, .crn = 0, .crm = 5, .opc2 = 0,
980 .access = PL0_RW, .accessfn = access_tdcc,
981 .type = ARM_CP_CONST, .resetvalue = 0 },
982 /*
983 * OSECCR_EL1 provides a mechanism for an operating system
984 * to access the contents of EDECCR. EDECCR is not implemented though,
985 * as is the rest of external device mechanism.
986 */
987 { .name = "OSECCR_EL1", .state = ARM_CP_STATE_BOTH, .cp = 14,
988 .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 6, .opc2 = 2,
989 .access = PL1_RW, .accessfn = access_tda,
990 .fgt = FGT_OSECCR_EL1,
991 .type = ARM_CP_CONST, .resetvalue = 0 },
992 /*
993 * DBGDSCRint[15,12,5:2] map to MDSCR_EL1[15,12,5:2]. Map all bits as
994 * it is unlikely a guest will care.
995 * We don't implement the configurable EL0 access.
996 */
997 { .name = "DBGDSCRint", .state = ARM_CP_STATE_AA32,
998 .cp = 14, .opc1 = 0, .crn = 0, .crm = 1, .opc2 = 0,
999 .type = ARM_CP_ALIAS,
1000 .access = PL1_R, .accessfn = access_tda,
1001 .fieldoffset = offsetof(CPUARMState, cp15.mdscr_el1), },
1002 { .name = "OSLAR_EL1", .state = ARM_CP_STATE_BOTH,
1003 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 0, .opc2 = 4,
1004 .access = PL1_W, .type = ARM_CP_NO_RAW,
1005 .accessfn = access_tdosa,
1006 .fgt = FGT_OSLAR_EL1,
1007 .writefn = oslar_write },
1008 { .name = "OSLSR_EL1", .state = ARM_CP_STATE_BOTH,
1009 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 1, .opc2 = 4,
1010 .access = PL1_R, .resetvalue = 10,
1011 .accessfn = access_tdosa,
1012 .fgt = FGT_OSLSR_EL1,
1013 .fieldoffset = offsetof(CPUARMState, cp15.oslsr_el1) },
1014 /* Dummy OSDLR_EL1: 32-bit Linux will read this */
1015 { .name = "OSDLR_EL1", .state = ARM_CP_STATE_BOTH,
1016 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 1, .crm = 3, .opc2 = 4,
1017 .access = PL1_RW, .accessfn = access_tdosa,
1018 .fgt = FGT_OSDLR_EL1,
1019 .writefn = osdlr_write,
1020 .fieldoffset = offsetof(CPUARMState, cp15.osdlr_el1) },
1021 /*
1022 * Dummy DBGVCR: Linux wants to clear this on startup, but we don't
1023 * implement vector catch debug events yet.
1024 */
1025 { .name = "DBGVCR",
1026 .cp = 14, .opc1 = 0, .crn = 0, .crm = 7, .opc2 = 0,
1027 .access = PL1_RW, .accessfn = access_tda,
1028 .type = ARM_CP_NOP },
1029 /*
1030 * Dummy MDCCINT_EL1, since we don't implement the Debug Communications
1031 * Channel but Linux may try to access this register. The 32-bit
1032 * alias is DBGDCCINT.
1033 */
1034 { .name = "MDCCINT_EL1", .state = ARM_CP_STATE_BOTH,
1035 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = 2, .opc2 = 0,
1036 .access = PL1_RW, .accessfn = access_tdcc,
1037 .type = ARM_CP_NOP },
1038 /*
1039 * Dummy DBGCLAIM registers.
1040 * "The architecture does not define any functionality for the CLAIM tag bits.",
1041 * so we only keep the raw bits
1042 */
1043 { .name = "DBGCLAIMSET_EL1", .state = ARM_CP_STATE_BOTH,
1044 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 7, .crm = 8, .opc2 = 6,
1045 .type = ARM_CP_ALIAS,
1046 .access = PL1_RW, .accessfn = access_tda,
1047 .fgt = FGT_DBGCLAIM,
1048 .writefn = dbgclaimset_write, .readfn = dbgclaimset_read },
1049 { .name = "DBGCLAIMCLR_EL1", .state = ARM_CP_STATE_BOTH,
1050 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 7, .crm = 9, .opc2 = 6,
1051 .access = PL1_RW, .accessfn = access_tda,
1052 .fgt = FGT_DBGCLAIM,
1053 .writefn = dbgclaimclr_write, .raw_writefn = raw_write,
1054 .fieldoffset = offsetof(CPUARMState, cp15.dbgclaim) },
1055 };
1056
1057 /* These are present only when EL1 supports AArch32 */
1058 static const ARMCPRegInfo debug_aa32_el1_reginfo[] = {
1059 /*
1060 * Dummy DBGVCR32_EL2 (which is only for a 64-bit hypervisor
1061 * to save and restore a 32-bit guest's DBGVCR)
1062 */
1063 { .name = "DBGVCR32_EL2", .state = ARM_CP_STATE_AA64,
1064 .opc0 = 2, .opc1 = 4, .crn = 0, .crm = 7, .opc2 = 0,
1065 .access = PL2_RW, .accessfn = access_tda,
1066 .type = ARM_CP_NOP | ARM_CP_EL3_NO_EL2_KEEP },
1067 };
1068
1069 static const ARMCPRegInfo debug_lpae_cp_reginfo[] = {
1070 /* 64 bit access versions of the (dummy) debug registers */
1071 { .name = "DBGDRAR", .cp = 14, .crm = 1, .opc1 = 0,
1072 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT | ARM_CP_NO_GDB,
1073 .resetvalue = 0 },
1074 { .name = "DBGDSAR", .cp = 14, .crm = 2, .opc1 = 0,
1075 .access = PL0_R, .type = ARM_CP_CONST | ARM_CP_64BIT | ARM_CP_NO_GDB,
1076 .resetvalue = 0 },
1077 };
1078
1079 static void dbgwvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1080 uint64_t value)
1081 {
1082 ARMCPU *cpu = env_archcpu(env);
1083 int i = ri->crm;
1084
1085 /*
1086 * Bits [1:0] are RES0.
1087 *
1088 * It is IMPLEMENTATION DEFINED whether [63:49] ([63:53] with FEAT_LVA)
1089 * are hardwired to the value of bit [48] ([52] with FEAT_LVA), or if
1090 * they contain the value written. It is CONSTRAINED UNPREDICTABLE
1091 * whether the RESS bits are ignored when comparing an address.
1092 *
1093 * Therefore we are allowed to compare the entire register, which lets
1094 * us avoid considering whether or not FEAT_LVA is actually enabled.
1095 */
1096 value &= ~3ULL;
1097
1098 raw_write(env, ri, value);
1099 if (tcg_enabled()) {
1100 hw_watchpoint_update(cpu, i);
1101 }
1102 }
1103
1104 static void dbgwcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1105 uint64_t value)
1106 {
1107 ARMCPU *cpu = env_archcpu(env);
1108 int i = ri->crm;
1109
1110 raw_write(env, ri, value);
1111 if (tcg_enabled()) {
1112 hw_watchpoint_update(cpu, i);
1113 }
1114 }
1115
1116 static void dbgbvr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1117 uint64_t value)
1118 {
1119 ARMCPU *cpu = env_archcpu(env);
1120 int i = ri->crm;
1121
1122 raw_write(env, ri, value);
1123 if (tcg_enabled()) {
1124 hw_breakpoint_update(cpu, i);
1125 }
1126 }
1127
1128 static void dbgbcr_write(CPUARMState *env, const ARMCPRegInfo *ri,
1129 uint64_t value)
1130 {
1131 ARMCPU *cpu = env_archcpu(env);
1132 int i = ri->crm;
1133
1134 /*
1135 * BAS[3] is a read-only copy of BAS[2], and BAS[1] a read-only
1136 * copy of BAS[0].
1137 */
1138 value = deposit64(value, 6, 1, extract64(value, 5, 1));
1139 value = deposit64(value, 8, 1, extract64(value, 7, 1));
1140
1141 raw_write(env, ri, value);
1142 if (tcg_enabled()) {
1143 hw_breakpoint_update(cpu, i);
1144 }
1145 }
1146
1147 void define_debug_regs(ARMCPU *cpu)
1148 {
1149 /*
1150 * Define v7 and v8 architectural debug registers.
1151 * These are just dummy implementations for now.
1152 */
1153 int i;
1154 int wrps, brps, ctx_cmps;
1155
1156 /*
1157 * The Arm ARM says DBGDIDR is optional and deprecated if EL1 cannot
1158 * use AArch32. Given that bit 15 is RES1, if the value is 0 then
1159 * the register must not exist for this cpu.
1160 */
1161 if (cpu->isar.dbgdidr != 0) {
1162 ARMCPRegInfo dbgdidr = {
1163 .name = "DBGDIDR", .cp = 14, .crn = 0, .crm = 0,
1164 .opc1 = 0, .opc2 = 0,
1165 .access = PL0_R, .accessfn = access_tda,
1166 .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdidr,
1167 };
1168 define_one_arm_cp_reg(cpu, &dbgdidr);
1169 }
1170
1171 /*
1172 * DBGDEVID is present in the v7 debug architecture if
1173 * DBGDIDR.DEVID_imp is 1 (bit 15); from v7.1 and on it is
1174 * mandatory (and bit 15 is RES1). DBGDEVID1 and DBGDEVID2 exist
1175 * from v7.1 of the debug architecture. Because no fields have yet
1176 * been defined in DBGDEVID2 (and quite possibly none will ever
1177 * be) we don't define an ARMISARegisters field for it.
1178 * These registers exist only if EL1 can use AArch32, but that
1179 * happens naturally because they are only PL1 accessible anyway.
1180 */
1181 if (extract32(cpu->isar.dbgdidr, 15, 1)) {
1182 ARMCPRegInfo dbgdevid = {
1183 .name = "DBGDEVID",
1184 .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 2, .crn = 7,
1185 .access = PL1_R, .accessfn = access_tda,
1186 .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdevid,
1187 };
1188 define_one_arm_cp_reg(cpu, &dbgdevid);
1189 }
1190 if (cpu_isar_feature(aa32_debugv7p1, cpu)) {
1191 ARMCPRegInfo dbgdevid12[] = {
1192 {
1193 .name = "DBGDEVID1",
1194 .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 1, .crn = 7,
1195 .access = PL1_R, .accessfn = access_tda,
1196 .type = ARM_CP_CONST, .resetvalue = cpu->isar.dbgdevid1,
1197 }, {
1198 .name = "DBGDEVID2",
1199 .cp = 14, .opc1 = 0, .crn = 7, .opc2 = 0, .crn = 7,
1200 .access = PL1_R, .accessfn = access_tda,
1201 .type = ARM_CP_CONST, .resetvalue = 0,
1202 },
1203 };
1204 define_arm_cp_regs(cpu, dbgdevid12);
1205 }
1206
1207 brps = arm_num_brps(cpu);
1208 wrps = arm_num_wrps(cpu);
1209 ctx_cmps = arm_num_ctx_cmps(cpu);
1210
1211 assert(ctx_cmps <= brps);
1212
1213 define_arm_cp_regs(cpu, debug_cp_reginfo);
1214 if (cpu_isar_feature(aa64_aa32_el1, cpu)) {
1215 define_arm_cp_regs(cpu, debug_aa32_el1_reginfo);
1216 }
1217
1218 if (arm_feature(&cpu->env, ARM_FEATURE_LPAE)) {
1219 define_arm_cp_regs(cpu, debug_lpae_cp_reginfo);
1220 }
1221
1222 for (i = 0; i < brps; i++) {
1223 char *dbgbvr_el1_name = g_strdup_printf("DBGBVR%d_EL1", i);
1224 char *dbgbcr_el1_name = g_strdup_printf("DBGBCR%d_EL1", i);
1225 ARMCPRegInfo dbgregs[] = {
1226 { .name = dbgbvr_el1_name, .state = ARM_CP_STATE_BOTH,
1227 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 4,
1228 .access = PL1_RW, .accessfn = access_tda,
1229 .fgt = FGT_DBGBVRN_EL1,
1230 .fieldoffset = offsetof(CPUARMState, cp15.dbgbvr[i]),
1231 .writefn = dbgbvr_write, .raw_writefn = raw_write
1232 },
1233 { .name = dbgbcr_el1_name, .state = ARM_CP_STATE_BOTH,
1234 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 5,
1235 .access = PL1_RW, .accessfn = access_tda,
1236 .fgt = FGT_DBGBCRN_EL1,
1237 .fieldoffset = offsetof(CPUARMState, cp15.dbgbcr[i]),
1238 .writefn = dbgbcr_write, .raw_writefn = raw_write
1239 },
1240 };
1241 define_arm_cp_regs(cpu, dbgregs);
1242 g_free(dbgbvr_el1_name);
1243 g_free(dbgbcr_el1_name);
1244 }
1245
1246 for (i = 0; i < wrps; i++) {
1247 char *dbgwvr_el1_name = g_strdup_printf("DBGWVR%d_EL1", i);
1248 char *dbgwcr_el1_name = g_strdup_printf("DBGWCR%d_EL1", i);
1249 ARMCPRegInfo dbgregs[] = {
1250 { .name = dbgwvr_el1_name, .state = ARM_CP_STATE_BOTH,
1251 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 6,
1252 .access = PL1_RW, .accessfn = access_tda,
1253 .fgt = FGT_DBGWVRN_EL1,
1254 .fieldoffset = offsetof(CPUARMState, cp15.dbgwvr[i]),
1255 .writefn = dbgwvr_write, .raw_writefn = raw_write
1256 },
1257 { .name = dbgwcr_el1_name, .state = ARM_CP_STATE_BOTH,
1258 .cp = 14, .opc0 = 2, .opc1 = 0, .crn = 0, .crm = i, .opc2 = 7,
1259 .access = PL1_RW, .accessfn = access_tda,
1260 .fgt = FGT_DBGWCRN_EL1,
1261 .fieldoffset = offsetof(CPUARMState, cp15.dbgwcr[i]),
1262 .writefn = dbgwcr_write, .raw_writefn = raw_write
1263 },
1264 };
1265 define_arm_cp_regs(cpu, dbgregs);
1266 g_free(dbgwvr_el1_name);
1267 g_free(dbgwcr_el1_name);
1268 }
1269 }
QEMU mirror