310 currState->stage2Req = _stage2Req && !isStage2;
311
312 bool long_desc_format = currState->aarch64 || _isHyp || isStage2 ||
313 longDescFormatInUse(currState->tc);
314
315 if (long_desc_format) {
316 // Helper variables used for hierarchical permissions
317 currState->secureLookup = currState->isSecure;
318 currState->rwTable = true;
319 currState->userTable = true;
320 currState->xnTable = false;
321 currState->pxnTable = false;
322
323 ++statWalksLongDescriptor;
324 } else {
325 ++statWalksShortDescriptor;
326 }
327
328 if (!currState->timing) {
329 Fault fault = NoFault;
330 if (currState->aarch64)
331 fault = processWalkAArch64();
332 else if (long_desc_format)
333 fault = processWalkLPAE();
334 else
335 fault = processWalk();
336
337 // If this was a functional non-timing access restore state to
338 // how we found it.
339 if (currState->functional) {
340 delete currState;
341 currState = savedCurrState;
342 }
343 return fault;
344 }
345
346 if (pending || pendingQueue.size()) {
347 pendingQueue.push_back(currState);
348 currState = NULL;
349 pendingChange();
350 } else {
351 pending = true;
352 pendingChange();
353 if (currState->aarch64)
354 return processWalkAArch64();
355 else if (long_desc_format)
356 return processWalkLPAE();
357 else
358 return processWalk();
359 }
360
361 return NoFault;
362}
363
364void
365TableWalker::processWalkWrapper()
366{
367 assert(!currState);
368 assert(pendingQueue.size());
369 pendingChange();
370 currState = pendingQueue.front();
371
372 // Check if a previous walk filled this request already
373 // @TODO Should this always be the TLB or should we look in the stage2 TLB?
374 TlbEntry* te = tlb->lookup(currState->vaddr, currState->asid,
375 currState->vmid, currState->isHyp, currState->isSecure, true, false,
376 currState->el);
377
378 // Check if we still need to have a walk for this request. If the requesting
379 // instruction has been squashed, or a previous walk has filled the TLB with
380 // a match, we just want to get rid of the walk. The latter could happen
381 // when there are multiple outstanding misses to a single page and a
382 // previous request has been successfully translated.
383 if (!currState->transState->squashed() && !te) {
384 // We've got a valid request, lets process it
385 pending = true;
386 pendingQueue.pop_front();
387 // Keep currState in case one of the processWalk... calls NULLs it
388 WalkerState *curr_state_copy = currState;
389 Fault f;
390 if (currState->aarch64)
391 f = processWalkAArch64();
392 else if (longDescFormatInUse(currState->tc) ||
393 currState->isHyp || isStage2)
394 f = processWalkLPAE();
395 else
396 f = processWalk();
397
398 if (f != NoFault) {
399 curr_state_copy->transState->finish(f, curr_state_copy->req,
400 curr_state_copy->tc, curr_state_copy->mode);
401
402 delete curr_state_copy;
403 }
404 return;
405 }
406
407
408 // If the instruction that we were translating for has been
409 // squashed we shouldn't bother.
410 unsigned num_squashed = 0;
411 ThreadContext *tc = currState->tc;
412 while ((num_squashed < numSquashable) && currState &&
413 (currState->transState->squashed() || te)) {
414 pendingQueue.pop_front();
415 num_squashed++;
416 statSquashedBefore++;
417
418 DPRINTF(TLB, "Squashing table walk for address %#x\n",
419 currState->vaddr_tainted);
420
421 if (currState->transState->squashed()) {
422 // finish the translation which will delete the translation object
423 currState->transState->finish(
424 std::make_shared<UnimpFault>("Squashed Inst"),
425 currState->req, currState->tc, currState->mode);
426 } else {
427 // translate the request now that we know it will work
428 statWalkServiceTime.sample(curTick() - currState->startTime);
429 tlb->translateTiming(currState->req, currState->tc,
430 currState->transState, currState->mode);
431
432 }
433
434 // delete the current request
435 delete currState;
436
437 // peak at the next one
438 if (pendingQueue.size()) {
439 currState = pendingQueue.front();
440 te = tlb->lookup(currState->vaddr, currState->asid,
441 currState->vmid, currState->isHyp, currState->isSecure, true,
442 false, currState->el);
443 } else {
444 // Terminate the loop, nothing more to do
445 currState = NULL;
446 }
447 }
448 pendingChange();
449
450 // if we still have pending translations, schedule more work
451 nextWalk(tc);
452 currState = NULL;
453}
454
455Fault
456TableWalker::processWalk()
457{
458 Addr ttbr = 0;
459
460 // If translation isn't enabled, we shouldn't be here
461 assert(currState->sctlr.m || isStage2);
462
463 DPRINTF(TLB, "Beginning table walk for address %#x, TTBCR: %#x, bits:%#x\n",
464 currState->vaddr_tainted, currState->ttbcr, mbits(currState->vaddr, 31,
465 32 - currState->ttbcr.n));
466
467 statWalkWaitTime.sample(curTick() - currState->startTime);
468
469 if (currState->ttbcr.n == 0 || !mbits(currState->vaddr, 31,
470 32 - currState->ttbcr.n)) {
471 DPRINTF(TLB, " - Selecting TTBR0\n");
472 // Check if table walk is allowed when Security Extensions are enabled
473 if (haveSecurity && currState->ttbcr.pd0) {
474 if (currState->isFetch)
475 return std::make_shared<PrefetchAbort>(
476 currState->vaddr_tainted,
477 ArmFault::TranslationLL + L1,
478 isStage2,
479 ArmFault::VmsaTran);
480 else
481 return std::make_shared<DataAbort>(
482 currState->vaddr_tainted,
483 TlbEntry::DomainType::NoAccess, currState->isWrite,
484 ArmFault::TranslationLL + L1, isStage2,
485 ArmFault::VmsaTran);
486 }
487 ttbr = currState->tc->readMiscReg(snsBankedIndex(
488 MISCREG_TTBR0, currState->tc, !currState->isSecure));
489 } else {
490 DPRINTF(TLB, " - Selecting TTBR1\n");
491 // Check if table walk is allowed when Security Extensions are enabled
492 if (haveSecurity && currState->ttbcr.pd1) {
493 if (currState->isFetch)
494 return std::make_shared<PrefetchAbort>(
495 currState->vaddr_tainted,
496 ArmFault::TranslationLL + L1,
497 isStage2,
498 ArmFault::VmsaTran);
499 else
500 return std::make_shared<DataAbort>(
501 currState->vaddr_tainted,
502 TlbEntry::DomainType::NoAccess, currState->isWrite,
503 ArmFault::TranslationLL + L1, isStage2,
504 ArmFault::VmsaTran);
505 }
506 ttbr = currState->tc->readMiscReg(snsBankedIndex(
507 MISCREG_TTBR1, currState->tc, !currState->isSecure));
508 currState->ttbcr.n = 0;
509 }
510
511 Addr l1desc_addr = mbits(ttbr, 31, 14 - currState->ttbcr.n) |
512 (bits(currState->vaddr, 31 - currState->ttbcr.n, 20) << 2);
513 DPRINTF(TLB, " - Descriptor at address %#x (%s)\n", l1desc_addr,
514 currState->isSecure ? "s" : "ns");
515
516 // Trickbox address check
517 Fault f;
518 f = testWalk(l1desc_addr, sizeof(uint32_t),
519 TlbEntry::DomainType::NoAccess, L1);
520 if (f) {
521 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
522 if (currState->timing) {
523 pending = false;
524 nextWalk(currState->tc);
525 currState = NULL;
526 } else {
527 currState->tc = NULL;
528 currState->req = NULL;
529 }
530 return f;
531 }
532
533 Request::Flags flag = Request::PT_WALK;
534 if (currState->sctlr.c == 0) {
535 flag.set(Request::UNCACHEABLE);
536 }
537
538 if (currState->isSecure) {
539 flag.set(Request::SECURE);
540 }
541
542 bool delayed;
543 delayed = fetchDescriptor(l1desc_addr, (uint8_t*)&currState->l1Desc.data,
544 sizeof(uint32_t), flag, L1, &doL1DescEvent,
545 &TableWalker::doL1Descriptor);
546 if (!delayed) {
547 f = currState->fault;
548 }
549
550 return f;
551}
552
553Fault
554TableWalker::processWalkLPAE()
555{
556 Addr ttbr, ttbr0_max, ttbr1_min, desc_addr;
557 int tsz, n;
558 LookupLevel start_lookup_level = L1;
559
560 DPRINTF(TLB, "Beginning table walk for address %#x, TTBCR: %#x\n",
561 currState->vaddr_tainted, currState->ttbcr);
562
563 statWalkWaitTime.sample(curTick() - currState->startTime);
564
565 Request::Flags flag = Request::PT_WALK;
566 if (currState->isSecure)
567 flag.set(Request::SECURE);
568
569 // work out which base address register to use, if in hyp mode we always
570 // use HTTBR
571 if (isStage2) {
572 DPRINTF(TLB, " - Selecting VTTBR (long-desc.)\n");
573 ttbr = currState->tc->readMiscReg(MISCREG_VTTBR);
574 tsz = sext<4>(currState->vtcr.t0sz);
575 start_lookup_level = currState->vtcr.sl0 ? L1 : L2;
576 } else if (currState->isHyp) {
577 DPRINTF(TLB, " - Selecting HTTBR (long-desc.)\n");
578 ttbr = currState->tc->readMiscReg(MISCREG_HTTBR);
579 tsz = currState->htcr.t0sz;
580 } else {
581 assert(longDescFormatInUse(currState->tc));
582
583 // Determine boundaries of TTBR0/1 regions
584 if (currState->ttbcr.t0sz)
585 ttbr0_max = (1ULL << (32 - currState->ttbcr.t0sz)) - 1;
586 else if (currState->ttbcr.t1sz)
587 ttbr0_max = (1ULL << 32) -
588 (1ULL << (32 - currState->ttbcr.t1sz)) - 1;
589 else
590 ttbr0_max = (1ULL << 32) - 1;
591 if (currState->ttbcr.t1sz)
592 ttbr1_min = (1ULL << 32) - (1ULL << (32 - currState->ttbcr.t1sz));
593 else
594 ttbr1_min = (1ULL << (32 - currState->ttbcr.t0sz));
595
596 // The following code snippet selects the appropriate translation table base
597 // address (TTBR0 or TTBR1) and the appropriate starting lookup level
598 // depending on the address range supported by the translation table (ARM
599 // ARM issue C B3.6.4)
600 if (currState->vaddr <= ttbr0_max) {
601 DPRINTF(TLB, " - Selecting TTBR0 (long-desc.)\n");
602 // Check if table walk is allowed
603 if (currState->ttbcr.epd0) {
604 if (currState->isFetch)
605 return std::make_shared<PrefetchAbort>(
606 currState->vaddr_tainted,
607 ArmFault::TranslationLL + L1,
608 isStage2,
609 ArmFault::LpaeTran);
610 else
611 return std::make_shared<DataAbort>(
612 currState->vaddr_tainted,
613 TlbEntry::DomainType::NoAccess,
614 currState->isWrite,
615 ArmFault::TranslationLL + L1,
616 isStage2,
617 ArmFault::LpaeTran);
618 }
619 ttbr = currState->tc->readMiscReg(snsBankedIndex(
620 MISCREG_TTBR0, currState->tc, !currState->isSecure));
621 tsz = currState->ttbcr.t0sz;
622 if (ttbr0_max < (1ULL << 30)) // Upper limit < 1 GB
623 start_lookup_level = L2;
624 } else if (currState->vaddr >= ttbr1_min) {
625 DPRINTF(TLB, " - Selecting TTBR1 (long-desc.)\n");
626 // Check if table walk is allowed
627 if (currState->ttbcr.epd1) {
628 if (currState->isFetch)
629 return std::make_shared<PrefetchAbort>(
630 currState->vaddr_tainted,
631 ArmFault::TranslationLL + L1,
632 isStage2,
633 ArmFault::LpaeTran);
634 else
635 return std::make_shared<DataAbort>(
636 currState->vaddr_tainted,
637 TlbEntry::DomainType::NoAccess,
638 currState->isWrite,
639 ArmFault::TranslationLL + L1,
640 isStage2,
641 ArmFault::LpaeTran);
642 }
643 ttbr = currState->tc->readMiscReg(snsBankedIndex(
644 MISCREG_TTBR1, currState->tc, !currState->isSecure));
645 tsz = currState->ttbcr.t1sz;
646 if (ttbr1_min >= (1ULL << 31) + (1ULL << 30)) // Lower limit >= 3 GB
647 start_lookup_level = L2;
648 } else {
649 // Out of boundaries -> translation fault
650 if (currState->isFetch)
651 return std::make_shared<PrefetchAbort>(
652 currState->vaddr_tainted,
653 ArmFault::TranslationLL + L1,
654 isStage2,
655 ArmFault::LpaeTran);
656 else
657 return std::make_shared<DataAbort>(
658 currState->vaddr_tainted,
659 TlbEntry::DomainType::NoAccess,
660 currState->isWrite, ArmFault::TranslationLL + L1,
661 isStage2, ArmFault::LpaeTran);
662 }
663
664 }
665
666 // Perform lookup (ARM ARM issue C B3.6.6)
667 if (start_lookup_level == L1) {
668 n = 5 - tsz;
669 desc_addr = mbits(ttbr, 39, n) |
670 (bits(currState->vaddr, n + 26, 30) << 3);
671 DPRINTF(TLB, " - Descriptor at address %#x (%s) (long-desc.)\n",
672 desc_addr, currState->isSecure ? "s" : "ns");
673 } else {
674 // Skip first-level lookup
675 n = (tsz >= 2 ? 14 - tsz : 12);
676 desc_addr = mbits(ttbr, 39, n) |
677 (bits(currState->vaddr, n + 17, 21) << 3);
678 DPRINTF(TLB, " - Descriptor at address %#x (%s) (long-desc.)\n",
679 desc_addr, currState->isSecure ? "s" : "ns");
680 }
681
682 // Trickbox address check
683 Fault f = testWalk(desc_addr, sizeof(uint64_t),
684 TlbEntry::DomainType::NoAccess, start_lookup_level);
685 if (f) {
686 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
687 if (currState->timing) {
688 pending = false;
689 nextWalk(currState->tc);
690 currState = NULL;
691 } else {
692 currState->tc = NULL;
693 currState->req = NULL;
694 }
695 return f;
696 }
697
698 if (currState->sctlr.c == 0) {
699 flag.set(Request::UNCACHEABLE);
700 }
701
702 currState->longDesc.lookupLevel = start_lookup_level;
703 currState->longDesc.aarch64 = false;
704 currState->longDesc.grainSize = Grain4KB;
705
706 bool delayed = fetchDescriptor(desc_addr, (uint8_t*)&currState->longDesc.data,
707 sizeof(uint64_t), flag, start_lookup_level,
708 LongDescEventByLevel[start_lookup_level],
709 &TableWalker::doLongDescriptor);
710 if (!delayed) {
711 f = currState->fault;
712 }
713
714 return f;
715}
716
717unsigned
718TableWalker::adjustTableSizeAArch64(unsigned tsz)
719{
720 if (tsz < 25)
721 return 25;
722 if (tsz > 48)
723 return 48;
724 return tsz;
725}
726
727bool
728TableWalker::checkAddrSizeFaultAArch64(Addr addr, int currPhysAddrRange)
729{
730 return (currPhysAddrRange != MaxPhysAddrRange &&
731 bits(addr, MaxPhysAddrRange - 1, currPhysAddrRange));
732}
733
734Fault
735TableWalker::processWalkAArch64()
736{
737 assert(currState->aarch64);
738
739 DPRINTF(TLB, "Beginning table walk for address %#llx, TCR: %#llx\n",
740 currState->vaddr_tainted, currState->tcr);
741
742 static const GrainSize GrainMap_tg0[] =
743 { Grain4KB, Grain64KB, Grain16KB, ReservedGrain };
744 static const GrainSize GrainMap_tg1[] =
745 { ReservedGrain, Grain16KB, Grain4KB, Grain64KB };
746
747 statWalkWaitTime.sample(curTick() - currState->startTime);
748
749 // Determine TTBR, table size, granule size and phys. address range
750 Addr ttbr = 0;
751 int tsz = 0, ps = 0;
752 GrainSize tg = Grain4KB; // grain size computed from tg* field
753 bool fault = false;
754
755 LookupLevel start_lookup_level = MAX_LOOKUP_LEVELS;
756
757 switch (currState->el) {
758 case EL0:
759 case EL1:
760 if (isStage2) {
761 DPRINTF(TLB, " - Selecting VTTBR0 (AArch64 stage 2)\n");
762 ttbr = currState->tc->readMiscReg(MISCREG_VTTBR_EL2);
763 tsz = 64 - currState->vtcr.t0sz64;
764 tg = GrainMap_tg0[currState->vtcr.tg0];
765 // ARM DDI 0487A.f D7-2148
766 // The starting level of stage 2 translation depends on
767 // VTCR_EL2.SL0 and VTCR_EL2.TG0
768 LookupLevel __ = MAX_LOOKUP_LEVELS; // invalid level
769 uint8_t sl_tg = (currState->vtcr.sl0 << 2) | currState->vtcr.tg0;
770 static const LookupLevel SLL[] = {
771 L2, L3, L3, __, // sl0 == 0
772 L1, L2, L2, __, // sl0 == 1, etc.
773 L0, L1, L1, __,
774 __, __, __, __
775 };
776 start_lookup_level = SLL[sl_tg];
777 panic_if(start_lookup_level == MAX_LOOKUP_LEVELS,
778 "Cannot discern lookup level from vtcr.{sl0,tg0}");
779 } else switch (bits(currState->vaddr, 63,48)) {
780 case 0:
781 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
782 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL1);
783 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
784 tg = GrainMap_tg0[currState->tcr.tg0];
785 if (bits(currState->vaddr, 63, tsz) != 0x0 ||
786 currState->tcr.epd0)
787 fault = true;
788 break;
789 case 0xffff:
790 DPRINTF(TLB, " - Selecting TTBR1 (AArch64)\n");
791 ttbr = currState->tc->readMiscReg(MISCREG_TTBR1_EL1);
792 tsz = adjustTableSizeAArch64(64 - currState->tcr.t1sz);
793 tg = GrainMap_tg1[currState->tcr.tg1];
794 if (bits(currState->vaddr, 63, tsz) != mask(64-tsz) ||
795 currState->tcr.epd1)
796 fault = true;
797 break;
798 default:
799 // top two bytes must be all 0s or all 1s, else invalid addr
800 fault = true;
801 }
802 ps = currState->tcr.ips;
803 break;
804 case EL2:
805 switch(bits(currState->vaddr, 63,48)) {
806 case 0:
807 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
808 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL2);
809 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
810 tg = GrainMap_tg0[currState->tcr.tg0];
811 break;
812
813 case 0xffff:
814 DPRINTF(TLB, " - Selecting TTBR1 (AArch64)\n");
815 ttbr = currState->tc->readMiscReg(MISCREG_TTBR1_EL2);
816 tsz = adjustTableSizeAArch64(64 - currState->tcr.t1sz);
817 tg = GrainMap_tg1[currState->tcr.tg1];
818 if (bits(currState->vaddr, 63, tsz) != mask(64-tsz) ||
819 currState->tcr.epd1 || !currState->hcr.e2h)
820 fault = true;
821 break;
822
823 default:
824 // invalid addr if top two bytes are not all 0s
825 fault = true;
826 }
827 ps = currState->tcr.ips;
828 break;
829 case EL3:
830 switch(bits(currState->vaddr, 63,48)) {
831 case 0:
832 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
833 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL3);
834 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
835 tg = GrainMap_tg0[currState->tcr.tg0];
836 break;
837 default:
838 // invalid addr if top two bytes are not all 0s
839 fault = true;
840 }
841 ps = currState->tcr.ips;
842 break;
843 }
844
845 if (fault) {
846 Fault f;
847 if (currState->isFetch)
848 f = std::make_shared<PrefetchAbort>(
849 currState->vaddr_tainted,
850 ArmFault::TranslationLL + L0, isStage2,
851 ArmFault::LpaeTran);
852 else
853 f = std::make_shared<DataAbort>(
854 currState->vaddr_tainted,
855 TlbEntry::DomainType::NoAccess,
856 currState->isWrite,
857 ArmFault::TranslationLL + L0,
858 isStage2, ArmFault::LpaeTran);
859
860 if (currState->timing) {
861 pending = false;
862 nextWalk(currState->tc);
863 currState = NULL;
864 } else {
865 currState->tc = NULL;
866 currState->req = NULL;
867 }
868 return f;
869
870 }
871
872 if (tg == ReservedGrain) {
873 warn_once("Reserved granule size requested; gem5's IMPLEMENTATION "
874 "DEFINED behavior takes this to mean 4KB granules\n");
875 tg = Grain4KB;
876 }
877
878 // Determine starting lookup level
879 // See aarch64/translation/walk in Appendix G: ARMv8 Pseudocode Library
880 // in ARM DDI 0487A. These table values correspond to the cascading tests
881 // to compute the lookup level and are of the form
882 // (grain_size + N*stride), for N = {1, 2, 3}.
883 // A value of 64 will never succeed and a value of 0 will always succeed.
884 if (start_lookup_level == MAX_LOOKUP_LEVELS) {
885 struct GrainMap {
886 GrainSize grain_size;
887 unsigned lookup_level_cutoff[MAX_LOOKUP_LEVELS];
888 };
889 static const GrainMap GM[] = {
890 { Grain4KB, { 39, 30, 0, 0 } },
891 { Grain16KB, { 47, 36, 25, 0 } },
892 { Grain64KB, { 64, 42, 29, 0 } }
893 };
894
895 const unsigned *lookup = NULL; // points to a lookup_level_cutoff
896
897 for (unsigned i = 0; i < 3; ++i) { // choose entry of GM[]
898 if (tg == GM[i].grain_size) {
899 lookup = GM[i].lookup_level_cutoff;
900 break;
901 }
902 }
903 assert(lookup);
904
905 for (int L = L0; L != MAX_LOOKUP_LEVELS; ++L) {
906 if (tsz > lookup[L]) {
907 start_lookup_level = (LookupLevel) L;
908 break;
909 }
910 }
911 panic_if(start_lookup_level == MAX_LOOKUP_LEVELS,
912 "Table walker couldn't find lookup level\n");
913 }
914
915 int stride = tg - 3;
916
917 // Determine table base address
918 int base_addr_lo = 3 + tsz - stride * (3 - start_lookup_level) - tg;
919 Addr base_addr = mbits(ttbr, 47, base_addr_lo);
920
921 // Determine physical address size and raise an Address Size Fault if
922 // necessary
923 int pa_range = decodePhysAddrRange64(ps);
924 // Clamp to lower limit
925 if (pa_range > physAddrRange)
926 currState->physAddrRange = physAddrRange;
927 else
928 currState->physAddrRange = pa_range;
929 if (checkAddrSizeFaultAArch64(base_addr, currState->physAddrRange)) {
930 DPRINTF(TLB, "Address size fault before any lookup\n");
931 Fault f;
932 if (currState->isFetch)
933 f = std::make_shared<PrefetchAbort>(
934 currState->vaddr_tainted,
935 ArmFault::AddressSizeLL + start_lookup_level,
936 isStage2,
937 ArmFault::LpaeTran);
938 else
939 f = std::make_shared<DataAbort>(
940 currState->vaddr_tainted,
941 TlbEntry::DomainType::NoAccess,
942 currState->isWrite,
943 ArmFault::AddressSizeLL + start_lookup_level,
944 isStage2,
945 ArmFault::LpaeTran);
946
947
948 if (currState->timing) {
949 pending = false;
950 nextWalk(currState->tc);
951 currState = NULL;
952 } else {
953 currState->tc = NULL;
954 currState->req = NULL;
955 }
956 return f;
957
958 }
959
960 // Determine descriptor address
961 Addr desc_addr = base_addr |
962 (bits(currState->vaddr, tsz - 1,
963 stride * (3 - start_lookup_level) + tg) << 3);
964
965 // Trickbox address check
966 Fault f = testWalk(desc_addr, sizeof(uint64_t),
967 TlbEntry::DomainType::NoAccess, start_lookup_level);
968 if (f) {
969 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
970 if (currState->timing) {
971 pending = false;
972 nextWalk(currState->tc);
973 currState = NULL;
974 } else {
975 currState->tc = NULL;
976 currState->req = NULL;
977 }
978 return f;
979 }
980
981 Request::Flags flag = Request::PT_WALK;
982 if (currState->sctlr.c == 0) {
983 flag.set(Request::UNCACHEABLE);
984 }
985
986 if (currState->isSecure) {
987 flag.set(Request::SECURE);
988 }
989
990 currState->longDesc.lookupLevel = start_lookup_level;
991 currState->longDesc.aarch64 = true;
992 currState->longDesc.grainSize = tg;
993
994 if (currState->timing) {
995 fetchDescriptor(desc_addr, (uint8_t*) &currState->longDesc.data,
996 sizeof(uint64_t), flag, start_lookup_level,
997 LongDescEventByLevel[start_lookup_level], NULL);
998 } else {
999 fetchDescriptor(desc_addr, (uint8_t*)&currState->longDesc.data,
1000 sizeof(uint64_t), flag, -1, NULL,
1001 &TableWalker::doLongDescriptor);
1002 f = currState->fault;
1003 }
1004
1005 return f;
1006}
1007
1008void
1009TableWalker::memAttrs(ThreadContext *tc, TlbEntry &te, SCTLR sctlr,
1010 uint8_t texcb, bool s)
1011{
1012 // Note: tc and sctlr local variables are hiding tc and sctrl class
1013 // variables
1014 DPRINTF(TLBVerbose, "memAttrs texcb:%d s:%d\n", texcb, s);
1015 te.shareable = false; // default value
1016 te.nonCacheable = false;
1017 te.outerShareable = false;
1018 if (sctlr.tre == 0 || ((sctlr.tre == 1) && (sctlr.m == 0))) {
1019 switch(texcb) {
1020 case 0: // Stongly-ordered
1021 te.nonCacheable = true;
1022 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1023 te.shareable = true;
1024 te.innerAttrs = 1;
1025 te.outerAttrs = 0;
1026 break;
1027 case 1: // Shareable Device
1028 te.nonCacheable = true;
1029 te.mtype = TlbEntry::MemoryType::Device;
1030 te.shareable = true;
1031 te.innerAttrs = 3;
1032 te.outerAttrs = 0;
1033 break;
1034 case 2: // Outer and Inner Write-Through, no Write-Allocate
1035 te.mtype = TlbEntry::MemoryType::Normal;
1036 te.shareable = s;
1037 te.innerAttrs = 6;
1038 te.outerAttrs = bits(texcb, 1, 0);
1039 break;
1040 case 3: // Outer and Inner Write-Back, no Write-Allocate
1041 te.mtype = TlbEntry::MemoryType::Normal;
1042 te.shareable = s;
1043 te.innerAttrs = 7;
1044 te.outerAttrs = bits(texcb, 1, 0);
1045 break;
1046 case 4: // Outer and Inner Non-cacheable
1047 te.nonCacheable = true;
1048 te.mtype = TlbEntry::MemoryType::Normal;
1049 te.shareable = s;
1050 te.innerAttrs = 0;
1051 te.outerAttrs = bits(texcb, 1, 0);
1052 break;
1053 case 5: // Reserved
1054 panic("Reserved texcb value!\n");
1055 break;
1056 case 6: // Implementation Defined
1057 panic("Implementation-defined texcb value!\n");
1058 break;
1059 case 7: // Outer and Inner Write-Back, Write-Allocate
1060 te.mtype = TlbEntry::MemoryType::Normal;
1061 te.shareable = s;
1062 te.innerAttrs = 5;
1063 te.outerAttrs = 1;
1064 break;
1065 case 8: // Non-shareable Device
1066 te.nonCacheable = true;
1067 te.mtype = TlbEntry::MemoryType::Device;
1068 te.shareable = false;
1069 te.innerAttrs = 3;
1070 te.outerAttrs = 0;
1071 break;
1072 case 9 ... 15: // Reserved
1073 panic("Reserved texcb value!\n");
1074 break;
1075 case 16 ... 31: // Cacheable Memory
1076 te.mtype = TlbEntry::MemoryType::Normal;
1077 te.shareable = s;
1078 if (bits(texcb, 1,0) == 0 || bits(texcb, 3,2) == 0)
1079 te.nonCacheable = true;
1080 te.innerAttrs = bits(texcb, 1, 0);
1081 te.outerAttrs = bits(texcb, 3, 2);
1082 break;
1083 default:
1084 panic("More than 32 states for 5 bits?\n");
1085 }
1086 } else {
1087 assert(tc);
1088 PRRR prrr = tc->readMiscReg(snsBankedIndex(MISCREG_PRRR,
1089 currState->tc, !currState->isSecure));
1090 NMRR nmrr = tc->readMiscReg(snsBankedIndex(MISCREG_NMRR,
1091 currState->tc, !currState->isSecure));
1092 DPRINTF(TLBVerbose, "memAttrs PRRR:%08x NMRR:%08x\n", prrr, nmrr);
1093 uint8_t curr_tr = 0, curr_ir = 0, curr_or = 0;
1094 switch(bits(texcb, 2,0)) {
1095 case 0:
1096 curr_tr = prrr.tr0;
1097 curr_ir = nmrr.ir0;
1098 curr_or = nmrr.or0;
1099 te.outerShareable = (prrr.nos0 == 0);
1100 break;
1101 case 1:
1102 curr_tr = prrr.tr1;
1103 curr_ir = nmrr.ir1;
1104 curr_or = nmrr.or1;
1105 te.outerShareable = (prrr.nos1 == 0);
1106 break;
1107 case 2:
1108 curr_tr = prrr.tr2;
1109 curr_ir = nmrr.ir2;
1110 curr_or = nmrr.or2;
1111 te.outerShareable = (prrr.nos2 == 0);
1112 break;
1113 case 3:
1114 curr_tr = prrr.tr3;
1115 curr_ir = nmrr.ir3;
1116 curr_or = nmrr.or3;
1117 te.outerShareable = (prrr.nos3 == 0);
1118 break;
1119 case 4:
1120 curr_tr = prrr.tr4;
1121 curr_ir = nmrr.ir4;
1122 curr_or = nmrr.or4;
1123 te.outerShareable = (prrr.nos4 == 0);
1124 break;
1125 case 5:
1126 curr_tr = prrr.tr5;
1127 curr_ir = nmrr.ir5;
1128 curr_or = nmrr.or5;
1129 te.outerShareable = (prrr.nos5 == 0);
1130 break;
1131 case 6:
1132 panic("Imp defined type\n");
1133 case 7:
1134 curr_tr = prrr.tr7;
1135 curr_ir = nmrr.ir7;
1136 curr_or = nmrr.or7;
1137 te.outerShareable = (prrr.nos7 == 0);
1138 break;
1139 }
1140
1141 switch(curr_tr) {
1142 case 0:
1143 DPRINTF(TLBVerbose, "StronglyOrdered\n");
1144 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1145 te.nonCacheable = true;
1146 te.innerAttrs = 1;
1147 te.outerAttrs = 0;
1148 te.shareable = true;
1149 break;
1150 case 1:
1151 DPRINTF(TLBVerbose, "Device ds1:%d ds0:%d s:%d\n",
1152 prrr.ds1, prrr.ds0, s);
1153 te.mtype = TlbEntry::MemoryType::Device;
1154 te.nonCacheable = true;
1155 te.innerAttrs = 3;
1156 te.outerAttrs = 0;
1157 if (prrr.ds1 && s)
1158 te.shareable = true;
1159 if (prrr.ds0 && !s)
1160 te.shareable = true;
1161 break;
1162 case 2:
1163 DPRINTF(TLBVerbose, "Normal ns1:%d ns0:%d s:%d\n",
1164 prrr.ns1, prrr.ns0, s);
1165 te.mtype = TlbEntry::MemoryType::Normal;
1166 if (prrr.ns1 && s)
1167 te.shareable = true;
1168 if (prrr.ns0 && !s)
1169 te.shareable = true;
1170 break;
1171 case 3:
1172 panic("Reserved type");
1173 }
1174
1175 if (te.mtype == TlbEntry::MemoryType::Normal){
1176 switch(curr_ir) {
1177 case 0:
1178 te.nonCacheable = true;
1179 te.innerAttrs = 0;
1180 break;
1181 case 1:
1182 te.innerAttrs = 5;
1183 break;
1184 case 2:
1185 te.innerAttrs = 6;
1186 break;
1187 case 3:
1188 te.innerAttrs = 7;
1189 break;
1190 }
1191
1192 switch(curr_or) {
1193 case 0:
1194 te.nonCacheable = true;
1195 te.outerAttrs = 0;
1196 break;
1197 case 1:
1198 te.outerAttrs = 1;
1199 break;
1200 case 2:
1201 te.outerAttrs = 2;
1202 break;
1203 case 3:
1204 te.outerAttrs = 3;
1205 break;
1206 }
1207 }
1208 }
1209 DPRINTF(TLBVerbose, "memAttrs: shareable: %d, innerAttrs: %d, "
1210 "outerAttrs: %d\n",
1211 te.shareable, te.innerAttrs, te.outerAttrs);
1212 te.setAttributes(false);
1213}
1214
1215void
1216TableWalker::memAttrsLPAE(ThreadContext *tc, TlbEntry &te,
1217 LongDescriptor &lDescriptor)
1218{
1219 assert(_haveLPAE);
1220
1221 uint8_t attr;
1222 uint8_t sh = lDescriptor.sh();
1223 // Different format and source of attributes if this is a stage 2
1224 // translation
1225 if (isStage2) {
1226 attr = lDescriptor.memAttr();
1227 uint8_t attr_3_2 = (attr >> 2) & 0x3;
1228 uint8_t attr_1_0 = attr & 0x3;
1229
1230 DPRINTF(TLBVerbose, "memAttrsLPAE MemAttr:%#x sh:%#x\n", attr, sh);
1231
1232 if (attr_3_2 == 0) {
1233 te.mtype = attr_1_0 == 0 ? TlbEntry::MemoryType::StronglyOrdered
1234 : TlbEntry::MemoryType::Device;
1235 te.outerAttrs = 0;
1236 te.innerAttrs = attr_1_0 == 0 ? 1 : 3;
1237 te.nonCacheable = true;
1238 } else {
1239 te.mtype = TlbEntry::MemoryType::Normal;
1240 te.outerAttrs = attr_3_2 == 1 ? 0 :
1241 attr_3_2 == 2 ? 2 : 1;
1242 te.innerAttrs = attr_1_0 == 1 ? 0 :
1243 attr_1_0 == 2 ? 6 : 5;
1244 te.nonCacheable = (attr_3_2 == 1) || (attr_1_0 == 1);
1245 }
1246 } else {
1247 uint8_t attrIndx = lDescriptor.attrIndx();
1248
1249 // LPAE always uses remapping of memory attributes, irrespective of the
1250 // value of SCTLR.TRE
1251 MiscRegIndex reg = attrIndx & 0x4 ? MISCREG_MAIR1 : MISCREG_MAIR0;
1252 int reg_as_int = snsBankedIndex(reg, currState->tc,
1253 !currState->isSecure);
1254 uint32_t mair = currState->tc->readMiscReg(reg_as_int);
1255 attr = (mair >> (8 * (attrIndx % 4))) & 0xff;
1256 uint8_t attr_7_4 = bits(attr, 7, 4);
1257 uint8_t attr_3_0 = bits(attr, 3, 0);
1258 DPRINTF(TLBVerbose, "memAttrsLPAE AttrIndx:%#x sh:%#x, attr %#x\n", attrIndx, sh, attr);
1259
1260 // Note: the memory subsystem only cares about the 'cacheable' memory
1261 // attribute. The other attributes are only used to fill the PAR register
1262 // accordingly to provide the illusion of full support
1263 te.nonCacheable = false;
1264
1265 switch (attr_7_4) {
1266 case 0x0:
1267 // Strongly-ordered or Device memory
1268 if (attr_3_0 == 0x0)
1269 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1270 else if (attr_3_0 == 0x4)
1271 te.mtype = TlbEntry::MemoryType::Device;
1272 else
1273 panic("Unpredictable behavior\n");
1274 te.nonCacheable = true;
1275 te.outerAttrs = 0;
1276 break;
1277 case 0x4:
1278 // Normal memory, Outer Non-cacheable
1279 te.mtype = TlbEntry::MemoryType::Normal;
1280 te.outerAttrs = 0;
1281 if (attr_3_0 == 0x4)
1282 // Inner Non-cacheable
1283 te.nonCacheable = true;
1284 else if (attr_3_0 < 0x8)
1285 panic("Unpredictable behavior\n");
1286 break;
1287 case 0x8:
1288 case 0x9:
1289 case 0xa:
1290 case 0xb:
1291 case 0xc:
1292 case 0xd:
1293 case 0xe:
1294 case 0xf:
1295 if (attr_7_4 & 0x4) {
1296 te.outerAttrs = (attr_7_4 & 1) ? 1 : 3;
1297 } else {
1298 te.outerAttrs = 0x2;
1299 }
1300 // Normal memory, Outer Cacheable
1301 te.mtype = TlbEntry::MemoryType::Normal;
1302 if (attr_3_0 != 0x4 && attr_3_0 < 0x8)
1303 panic("Unpredictable behavior\n");
1304 break;
1305 default:
1306 panic("Unpredictable behavior\n");
1307 break;
1308 }
1309
1310 switch (attr_3_0) {
1311 case 0x0:
1312 te.innerAttrs = 0x1;
1313 break;
1314 case 0x4:
1315 te.innerAttrs = attr_7_4 == 0 ? 0x3 : 0;
1316 break;
1317 case 0x8:
1318 case 0x9:
1319 case 0xA:
1320 case 0xB:
1321 te.innerAttrs = 6;
1322 break;
1323 case 0xC:
1324 case 0xD:
1325 case 0xE:
1326 case 0xF:
1327 te.innerAttrs = attr_3_0 & 1 ? 0x5 : 0x7;
1328 break;
1329 default:
1330 panic("Unpredictable behavior\n");
1331 break;
1332 }
1333 }
1334
1335 te.outerShareable = sh == 2;
1336 te.shareable = (sh & 0x2) ? true : false;
1337 te.setAttributes(true);
1338 te.attributes |= (uint64_t) attr << 56;
1339}
1340
1341void
1342TableWalker::memAttrsAArch64(ThreadContext *tc, TlbEntry &te,
1343 LongDescriptor &lDescriptor)
1344{
1345 uint8_t attr;
1346 uint8_t attr_hi;
1347 uint8_t attr_lo;
1348 uint8_t sh = lDescriptor.sh();
1349
1350 if (isStage2) {
1351 attr = lDescriptor.memAttr();
1352 uint8_t attr_hi = (attr >> 2) & 0x3;
1353 uint8_t attr_lo = attr & 0x3;
1354
1355 DPRINTF(TLBVerbose, "memAttrsAArch64 MemAttr:%#x sh:%#x\n", attr, sh);
1356
1357 if (attr_hi == 0) {
1358 te.mtype = attr_lo == 0 ? TlbEntry::MemoryType::StronglyOrdered
1359 : TlbEntry::MemoryType::Device;
1360 te.outerAttrs = 0;
1361 te.innerAttrs = attr_lo == 0 ? 1 : 3;
1362 te.nonCacheable = true;
1363 } else {
1364 te.mtype = TlbEntry::MemoryType::Normal;
1365 te.outerAttrs = attr_hi == 1 ? 0 :
1366 attr_hi == 2 ? 2 : 1;
1367 te.innerAttrs = attr_lo == 1 ? 0 :
1368 attr_lo == 2 ? 6 : 5;
1369 // Treat write-through memory as uncacheable, this is safe
1370 // but for performance reasons not optimal.
1371 te.nonCacheable = (attr_hi == 1) || (attr_hi == 2) ||
1372 (attr_lo == 1) || (attr_lo == 2);
1373 }
1374 } else {
1375 uint8_t attrIndx = lDescriptor.attrIndx();
1376
1377 DPRINTF(TLBVerbose, "memAttrsAArch64 AttrIndx:%#x sh:%#x\n", attrIndx, sh);
1378
1379 // Select MAIR
1380 uint64_t mair;
1381 switch (currState->el) {
1382 case EL0:
1383 case EL1:
1384 mair = tc->readMiscReg(MISCREG_MAIR_EL1);
1385 break;
1386 case EL2:
1387 mair = tc->readMiscReg(MISCREG_MAIR_EL2);
1388 break;
1389 case EL3:
1390 mair = tc->readMiscReg(MISCREG_MAIR_EL3);
1391 break;
1392 default:
1393 panic("Invalid exception level");
1394 break;
1395 }
1396
1397 // Select attributes
1398 attr = bits(mair, 8 * attrIndx + 7, 8 * attrIndx);
1399 attr_lo = bits(attr, 3, 0);
1400 attr_hi = bits(attr, 7, 4);
1401
1402 // Memory type
1403 te.mtype = attr_hi == 0 ? TlbEntry::MemoryType::Device : TlbEntry::MemoryType::Normal;
1404
1405 // Cacheability
1406 te.nonCacheable = false;
1407 if (te.mtype == TlbEntry::MemoryType::Device) { // Device memory
1408 te.nonCacheable = true;
1409 }
1410 // Treat write-through memory as uncacheable, this is safe
1411 // but for performance reasons not optimal.
1412 switch (attr_hi) {
1413 case 0x1 ... 0x3: // Normal Memory, Outer Write-through transient
1414 case 0x4: // Normal memory, Outer Non-cacheable
1415 case 0x8 ... 0xb: // Normal Memory, Outer Write-through non-transient
1416 te.nonCacheable = true;
1417 }
1418 switch (attr_lo) {
1419 case 0x1 ... 0x3: // Normal Memory, Inner Write-through transient
1420 case 0x9 ... 0xb: // Normal Memory, Inner Write-through non-transient
1421 warn_if(!attr_hi, "Unpredictable behavior");
1422 M5_FALLTHROUGH;
1423 case 0x4: // Device-nGnRE memory or
1424 // Normal memory, Inner Non-cacheable
1425 case 0x8: // Device-nGRE memory or
1426 // Normal memory, Inner Write-through non-transient
1427 te.nonCacheable = true;
1428 }
1429
1430 te.shareable = sh == 2;
1431 te.outerShareable = (sh & 0x2) ? true : false;
1432 // Attributes formatted according to the 64-bit PAR
1433 te.attributes = ((uint64_t) attr << 56) |
1434 (1 << 11) | // LPAE bit
1435 (te.ns << 9) | // NS bit
1436 (sh << 7);
1437 }
1438}
1439
1440void
1441TableWalker::doL1Descriptor()
1442{
1443 if (currState->fault != NoFault) {
1444 return;
1445 }
1446
1447 currState->l1Desc.data = htog(currState->l1Desc.data,
1448 byteOrder(currState->tc));
1449
1450 DPRINTF(TLB, "L1 descriptor for %#x is %#x\n",
1451 currState->vaddr_tainted, currState->l1Desc.data);
1452 TlbEntry te;
1453
1454 switch (currState->l1Desc.type()) {
1455 case L1Descriptor::Ignore:
1456 case L1Descriptor::Reserved:
1457 if (!currState->timing) {
1458 currState->tc = NULL;
1459 currState->req = NULL;
1460 }
1461 DPRINTF(TLB, "L1 Descriptor Reserved/Ignore, causing fault\n");
1462 if (currState->isFetch)
1463 currState->fault =
1464 std::make_shared<PrefetchAbort>(
1465 currState->vaddr_tainted,
1466 ArmFault::TranslationLL + L1,
1467 isStage2,
1468 ArmFault::VmsaTran);
1469 else
1470 currState->fault =
1471 std::make_shared<DataAbort>(
1472 currState->vaddr_tainted,
1473 TlbEntry::DomainType::NoAccess,
1474 currState->isWrite,
1475 ArmFault::TranslationLL + L1, isStage2,
1476 ArmFault::VmsaTran);
1477 return;
1478 case L1Descriptor::Section:
1479 if (currState->sctlr.afe && bits(currState->l1Desc.ap(), 0) == 0) {
1480 /** @todo: check sctlr.ha (bit[17]) if Hardware Access Flag is
1481 * enabled if set, do l1.Desc.setAp0() instead of generating
1482 * AccessFlag0
1483 */
1484
1485 currState->fault = std::make_shared<DataAbort>(
1486 currState->vaddr_tainted,
1487 currState->l1Desc.domain(),
1488 currState->isWrite,
1489 ArmFault::AccessFlagLL + L1,
1490 isStage2,
1491 ArmFault::VmsaTran);
1492 }
1493 if (currState->l1Desc.supersection()) {
1494 panic("Haven't implemented supersections\n");
1495 }
1496 insertTableEntry(currState->l1Desc, false);
1497 return;
1498 case L1Descriptor::PageTable:
1499 {
1500 Addr l2desc_addr;
1501 l2desc_addr = currState->l1Desc.l2Addr() |
1502 (bits(currState->vaddr, 19, 12) << 2);
1503 DPRINTF(TLB, "L1 descriptor points to page table at: %#x (%s)\n",
1504 l2desc_addr, currState->isSecure ? "s" : "ns");
1505
1506 // Trickbox address check
1507 currState->fault = testWalk(l2desc_addr, sizeof(uint32_t),
1508 currState->l1Desc.domain(), L2);
1509
1510 if (currState->fault) {
1511 if (!currState->timing) {
1512 currState->tc = NULL;
1513 currState->req = NULL;
1514 }
1515 return;
1516 }
1517
1518 Request::Flags flag = Request::PT_WALK;
1519 if (currState->isSecure)
1520 flag.set(Request::SECURE);
1521
1522 bool delayed;
1523 delayed = fetchDescriptor(l2desc_addr,
1524 (uint8_t*)&currState->l2Desc.data,
1525 sizeof(uint32_t), flag, -1, &doL2DescEvent,
1526 &TableWalker::doL2Descriptor);
1527 if (delayed) {
1528 currState->delayed = true;
1529 }
1530
1531 return;
1532 }
1533 default:
1534 panic("A new type in a 2 bit field?\n");
1535 }
1536}
1537
1538void
1539TableWalker::doLongDescriptor()
1540{
1541 if (currState->fault != NoFault) {
1542 return;
1543 }
1544
1545 currState->longDesc.data = htog(currState->longDesc.data,
1546 byteOrder(currState->tc));
1547
1548 DPRINTF(TLB, "L%d descriptor for %#llx is %#llx (%s)\n",
1549 currState->longDesc.lookupLevel, currState->vaddr_tainted,
1550 currState->longDesc.data,
1551 currState->aarch64 ? "AArch64" : "long-desc.");
1552
1553 if ((currState->longDesc.type() == LongDescriptor::Block) ||
1554 (currState->longDesc.type() == LongDescriptor::Page)) {
1555 DPRINTF(TLBVerbose, "Analyzing L%d descriptor: %#llx, pxn: %d, "
1556 "xn: %d, ap: %d, af: %d, type: %d\n",
1557 currState->longDesc.lookupLevel,
1558 currState->longDesc.data,
1559 currState->longDesc.pxn(),
1560 currState->longDesc.xn(),
1561 currState->longDesc.ap(),
1562 currState->longDesc.af(),
1563 currState->longDesc.type());
1564 } else {
1565 DPRINTF(TLBVerbose, "Analyzing L%d descriptor: %#llx, type: %d\n",
1566 currState->longDesc.lookupLevel,
1567 currState->longDesc.data,
1568 currState->longDesc.type());
1569 }
1570
1571 TlbEntry te;
1572
1573 switch (currState->longDesc.type()) {
1574 case LongDescriptor::Invalid:
1575 if (!currState->timing) {
1576 currState->tc = NULL;
1577 currState->req = NULL;
1578 }
1579
1580 DPRINTF(TLB, "L%d descriptor Invalid, causing fault type %d\n",
1581 currState->longDesc.lookupLevel,
1582 ArmFault::TranslationLL + currState->longDesc.lookupLevel);
1583 if (currState->isFetch)
1584 currState->fault = std::make_shared<PrefetchAbort>(
1585 currState->vaddr_tainted,
1586 ArmFault::TranslationLL + currState->longDesc.lookupLevel,
1587 isStage2,
1588 ArmFault::LpaeTran);
1589 else
1590 currState->fault = std::make_shared<DataAbort>(
1591 currState->vaddr_tainted,
1592 TlbEntry::DomainType::NoAccess,
1593 currState->isWrite,
1594 ArmFault::TranslationLL + currState->longDesc.lookupLevel,
1595 isStage2,
1596 ArmFault::LpaeTran);
1597 return;
1598 case LongDescriptor::Block:
1599 case LongDescriptor::Page:
1600 {
1601 bool fault = false;
1602 bool aff = false;
1603 // Check for address size fault
1604 if (checkAddrSizeFaultAArch64(
1605 mbits(currState->longDesc.data, MaxPhysAddrRange - 1,
1606 currState->longDesc.offsetBits()),
1607 currState->physAddrRange)) {
1608 fault = true;
1609 DPRINTF(TLB, "L%d descriptor causing Address Size Fault\n",
1610 currState->longDesc.lookupLevel);
1611 // Check for access fault
1612 } else if (currState->longDesc.af() == 0) {
1613 fault = true;
1614 DPRINTF(TLB, "L%d descriptor causing Access Fault\n",
1615 currState->longDesc.lookupLevel);
1616 aff = true;
1617 }
1618 if (fault) {
1619 if (currState->isFetch)
1620 currState->fault = std::make_shared<PrefetchAbort>(
1621 currState->vaddr_tainted,
1622 (aff ? ArmFault::AccessFlagLL : ArmFault::AddressSizeLL) +
1623 currState->longDesc.lookupLevel,
1624 isStage2,
1625 ArmFault::LpaeTran);
1626 else
1627 currState->fault = std::make_shared<DataAbort>(
1628 currState->vaddr_tainted,
1629 TlbEntry::DomainType::NoAccess, currState->isWrite,
1630 (aff ? ArmFault::AccessFlagLL : ArmFault::AddressSizeLL) +
1631 currState->longDesc.lookupLevel,
1632 isStage2,
1633 ArmFault::LpaeTran);
1634 } else {
1635 insertTableEntry(currState->longDesc, true);
1636 }
1637 }
1638 return;
1639 case LongDescriptor::Table:
1640 {
1641 // Set hierarchical permission flags
1642 currState->secureLookup = currState->secureLookup &&
1643 currState->longDesc.secureTable();
1644 currState->rwTable = currState->rwTable &&
1645 currState->longDesc.rwTable();
1646 currState->userTable = currState->userTable &&
1647 currState->longDesc.userTable();
1648 currState->xnTable = currState->xnTable ||
1649 currState->longDesc.xnTable();
1650 currState->pxnTable = currState->pxnTable ||
1651 currState->longDesc.pxnTable();
1652
1653 // Set up next level lookup
1654 Addr next_desc_addr = currState->longDesc.nextDescAddr(
1655 currState->vaddr);
1656
1657 DPRINTF(TLB, "L%d descriptor points to L%d descriptor at: %#x (%s)\n",
1658 currState->longDesc.lookupLevel,
1659 currState->longDesc.lookupLevel + 1,
1660 next_desc_addr,
1661 currState->secureLookup ? "s" : "ns");
1662
1663 // Check for address size fault
1664 if (currState->aarch64 && checkAddrSizeFaultAArch64(
1665 next_desc_addr, currState->physAddrRange)) {
1666 DPRINTF(TLB, "L%d descriptor causing Address Size Fault\n",
1667 currState->longDesc.lookupLevel);
1668 if (currState->isFetch)
1669 currState->fault = std::make_shared<PrefetchAbort>(
1670 currState->vaddr_tainted,
1671 ArmFault::AddressSizeLL
1672 + currState->longDesc.lookupLevel,
1673 isStage2,
1674 ArmFault::LpaeTran);
1675 else
1676 currState->fault = std::make_shared<DataAbort>(
1677 currState->vaddr_tainted,
1678 TlbEntry::DomainType::NoAccess, currState->isWrite,
1679 ArmFault::AddressSizeLL
1680 + currState->longDesc.lookupLevel,
1681 isStage2,
1682 ArmFault::LpaeTran);
1683 return;
1684 }
1685
1686 // Trickbox address check
1687 currState->fault = testWalk(
1688 next_desc_addr, sizeof(uint64_t), TlbEntry::DomainType::Client,
1689 toLookupLevel(currState->longDesc.lookupLevel +1));
1690
1691 if (currState->fault) {
1692 if (!currState->timing) {
1693 currState->tc = NULL;
1694 currState->req = NULL;
1695 }
1696 return;
1697 }
1698
1699 Request::Flags flag = Request::PT_WALK;
1700 if (currState->secureLookup)
1701 flag.set(Request::SECURE);
1702
1703 LookupLevel L = currState->longDesc.lookupLevel =
1704 (LookupLevel) (currState->longDesc.lookupLevel + 1);
1705 Event *event = NULL;
1706 switch (L) {
1707 case L1:
1708 assert(currState->aarch64);
1709 case L2:
1710 case L3:
1711 event = LongDescEventByLevel[L];
1712 break;
1713 default:
1714 panic("Wrong lookup level in table walk\n");
1715 break;
1716 }
1717
1718 bool delayed;
1719 delayed = fetchDescriptor(next_desc_addr, (uint8_t*)&currState->longDesc.data,
1720 sizeof(uint64_t), flag, -1, event,
1721 &TableWalker::doLongDescriptor);
1722 if (delayed) {
1723 currState->delayed = true;
1724 }
1725 }
1726 return;
1727 default:
1728 panic("A new type in a 2 bit field?\n");
1729 }
1730}
1731
1732void
1733TableWalker::doL2Descriptor()
1734{
1735 if (currState->fault != NoFault) {
1736 return;
1737 }
1738
1739 currState->l2Desc.data = htog(currState->l2Desc.data,
1740 byteOrder(currState->tc));
1741
1742 DPRINTF(TLB, "L2 descriptor for %#x is %#x\n",
1743 currState->vaddr_tainted, currState->l2Desc.data);
1744 TlbEntry te;
1745
1746 if (currState->l2Desc.invalid()) {
1747 DPRINTF(TLB, "L2 descriptor invalid, causing fault\n");
1748 if (!currState->timing) {
1749 currState->tc = NULL;
1750 currState->req = NULL;
1751 }
1752 if (currState->isFetch)
1753 currState->fault = std::make_shared<PrefetchAbort>(
1754 currState->vaddr_tainted,
1755 ArmFault::TranslationLL + L2,
1756 isStage2,
1757 ArmFault::VmsaTran);
1758 else
1759 currState->fault = std::make_shared<DataAbort>(
1760 currState->vaddr_tainted, currState->l1Desc.domain(),
1761 currState->isWrite, ArmFault::TranslationLL + L2,
1762 isStage2,
1763 ArmFault::VmsaTran);
1764 return;
1765 }
1766
1767 if (currState->sctlr.afe && bits(currState->l2Desc.ap(), 0) == 0) {
1768 /** @todo: check sctlr.ha (bit[17]) if Hardware Access Flag is enabled
1769 * if set, do l2.Desc.setAp0() instead of generating AccessFlag0
1770 */
1771 DPRINTF(TLB, "Generating access fault at L2, afe: %d, ap: %d\n",
1772 currState->sctlr.afe, currState->l2Desc.ap());
1773
1774 currState->fault = std::make_shared<DataAbort>(
1775 currState->vaddr_tainted,
1776 TlbEntry::DomainType::NoAccess, currState->isWrite,
1777 ArmFault::AccessFlagLL + L2, isStage2,
1778 ArmFault::VmsaTran);
1779 }
1780
1781 insertTableEntry(currState->l2Desc, false);
1782}
1783
1784void
1785TableWalker::doL1DescriptorWrapper()
1786{
1787 currState = stateQueues[L1].front();
1788 currState->delayed = false;
1789 // if there's a stage2 translation object we don't need it any more
1790 if (currState->stage2Tran) {
1791 delete currState->stage2Tran;
1792 currState->stage2Tran = NULL;
1793 }
1794
1795
1796 DPRINTF(TLBVerbose, "L1 Desc object host addr: %p\n",&currState->l1Desc.data);
1797 DPRINTF(TLBVerbose, "L1 Desc object data: %08x\n",currState->l1Desc.data);
1798
1799 DPRINTF(TLBVerbose, "calling doL1Descriptor for vaddr:%#x\n", currState->vaddr_tainted);
1800 doL1Descriptor();
1801
1802 stateQueues[L1].pop_front();
1803 // Check if fault was generated
1804 if (currState->fault != NoFault) {
1805 currState->transState->finish(currState->fault, currState->req,
1806 currState->tc, currState->mode);
1807 statWalksShortTerminatedAtLevel[0]++;
1808
1809 pending = false;
1810 nextWalk(currState->tc);
1811
1812 currState->req = NULL;
1813 currState->tc = NULL;
1814 currState->delayed = false;
1815 delete currState;
1816 }
1817 else if (!currState->delayed) {
1818 // delay is not set so there is no L2 to do
1819 // Don't finish the translation if a stage 2 look up is underway
| 305 currState->stage2Req = _stage2Req && !isStage2;
306
307 bool long_desc_format = currState->aarch64 || _isHyp || isStage2 ||
308 longDescFormatInUse(currState->tc);
309
310 if (long_desc_format) {
311 // Helper variables used for hierarchical permissions
312 currState->secureLookup = currState->isSecure;
313 currState->rwTable = true;
314 currState->userTable = true;
315 currState->xnTable = false;
316 currState->pxnTable = false;
317
318 ++statWalksLongDescriptor;
319 } else {
320 ++statWalksShortDescriptor;
321 }
322
323 if (!currState->timing) {
324 Fault fault = NoFault;
325 if (currState->aarch64)
326 fault = processWalkAArch64();
327 else if (long_desc_format)
328 fault = processWalkLPAE();
329 else
330 fault = processWalk();
331
332 // If this was a functional non-timing access restore state to
333 // how we found it.
334 if (currState->functional) {
335 delete currState;
336 currState = savedCurrState;
337 }
338 return fault;
339 }
340
341 if (pending || pendingQueue.size()) {
342 pendingQueue.push_back(currState);
343 currState = NULL;
344 pendingChange();
345 } else {
346 pending = true;
347 pendingChange();
348 if (currState->aarch64)
349 return processWalkAArch64();
350 else if (long_desc_format)
351 return processWalkLPAE();
352 else
353 return processWalk();
354 }
355
356 return NoFault;
357}
358
359void
360TableWalker::processWalkWrapper()
361{
362 assert(!currState);
363 assert(pendingQueue.size());
364 pendingChange();
365 currState = pendingQueue.front();
366
367 // Check if a previous walk filled this request already
368 // @TODO Should this always be the TLB or should we look in the stage2 TLB?
369 TlbEntry* te = tlb->lookup(currState->vaddr, currState->asid,
370 currState->vmid, currState->isHyp, currState->isSecure, true, false,
371 currState->el);
372
373 // Check if we still need to have a walk for this request. If the requesting
374 // instruction has been squashed, or a previous walk has filled the TLB with
375 // a match, we just want to get rid of the walk. The latter could happen
376 // when there are multiple outstanding misses to a single page and a
377 // previous request has been successfully translated.
378 if (!currState->transState->squashed() && !te) {
379 // We've got a valid request, lets process it
380 pending = true;
381 pendingQueue.pop_front();
382 // Keep currState in case one of the processWalk... calls NULLs it
383 WalkerState *curr_state_copy = currState;
384 Fault f;
385 if (currState->aarch64)
386 f = processWalkAArch64();
387 else if (longDescFormatInUse(currState->tc) ||
388 currState->isHyp || isStage2)
389 f = processWalkLPAE();
390 else
391 f = processWalk();
392
393 if (f != NoFault) {
394 curr_state_copy->transState->finish(f, curr_state_copy->req,
395 curr_state_copy->tc, curr_state_copy->mode);
396
397 delete curr_state_copy;
398 }
399 return;
400 }
401
402
403 // If the instruction that we were translating for has been
404 // squashed we shouldn't bother.
405 unsigned num_squashed = 0;
406 ThreadContext *tc = currState->tc;
407 while ((num_squashed < numSquashable) && currState &&
408 (currState->transState->squashed() || te)) {
409 pendingQueue.pop_front();
410 num_squashed++;
411 statSquashedBefore++;
412
413 DPRINTF(TLB, "Squashing table walk for address %#x\n",
414 currState->vaddr_tainted);
415
416 if (currState->transState->squashed()) {
417 // finish the translation which will delete the translation object
418 currState->transState->finish(
419 std::make_shared<UnimpFault>("Squashed Inst"),
420 currState->req, currState->tc, currState->mode);
421 } else {
422 // translate the request now that we know it will work
423 statWalkServiceTime.sample(curTick() - currState->startTime);
424 tlb->translateTiming(currState->req, currState->tc,
425 currState->transState, currState->mode);
426
427 }
428
429 // delete the current request
430 delete currState;
431
432 // peak at the next one
433 if (pendingQueue.size()) {
434 currState = pendingQueue.front();
435 te = tlb->lookup(currState->vaddr, currState->asid,
436 currState->vmid, currState->isHyp, currState->isSecure, true,
437 false, currState->el);
438 } else {
439 // Terminate the loop, nothing more to do
440 currState = NULL;
441 }
442 }
443 pendingChange();
444
445 // if we still have pending translations, schedule more work
446 nextWalk(tc);
447 currState = NULL;
448}
449
450Fault
451TableWalker::processWalk()
452{
453 Addr ttbr = 0;
454
455 // If translation isn't enabled, we shouldn't be here
456 assert(currState->sctlr.m || isStage2);
457
458 DPRINTF(TLB, "Beginning table walk for address %#x, TTBCR: %#x, bits:%#x\n",
459 currState->vaddr_tainted, currState->ttbcr, mbits(currState->vaddr, 31,
460 32 - currState->ttbcr.n));
461
462 statWalkWaitTime.sample(curTick() - currState->startTime);
463
464 if (currState->ttbcr.n == 0 || !mbits(currState->vaddr, 31,
465 32 - currState->ttbcr.n)) {
466 DPRINTF(TLB, " - Selecting TTBR0\n");
467 // Check if table walk is allowed when Security Extensions are enabled
468 if (haveSecurity && currState->ttbcr.pd0) {
469 if (currState->isFetch)
470 return std::make_shared<PrefetchAbort>(
471 currState->vaddr_tainted,
472 ArmFault::TranslationLL + L1,
473 isStage2,
474 ArmFault::VmsaTran);
475 else
476 return std::make_shared<DataAbort>(
477 currState->vaddr_tainted,
478 TlbEntry::DomainType::NoAccess, currState->isWrite,
479 ArmFault::TranslationLL + L1, isStage2,
480 ArmFault::VmsaTran);
481 }
482 ttbr = currState->tc->readMiscReg(snsBankedIndex(
483 MISCREG_TTBR0, currState->tc, !currState->isSecure));
484 } else {
485 DPRINTF(TLB, " - Selecting TTBR1\n");
486 // Check if table walk is allowed when Security Extensions are enabled
487 if (haveSecurity && currState->ttbcr.pd1) {
488 if (currState->isFetch)
489 return std::make_shared<PrefetchAbort>(
490 currState->vaddr_tainted,
491 ArmFault::TranslationLL + L1,
492 isStage2,
493 ArmFault::VmsaTran);
494 else
495 return std::make_shared<DataAbort>(
496 currState->vaddr_tainted,
497 TlbEntry::DomainType::NoAccess, currState->isWrite,
498 ArmFault::TranslationLL + L1, isStage2,
499 ArmFault::VmsaTran);
500 }
501 ttbr = currState->tc->readMiscReg(snsBankedIndex(
502 MISCREG_TTBR1, currState->tc, !currState->isSecure));
503 currState->ttbcr.n = 0;
504 }
505
506 Addr l1desc_addr = mbits(ttbr, 31, 14 - currState->ttbcr.n) |
507 (bits(currState->vaddr, 31 - currState->ttbcr.n, 20) << 2);
508 DPRINTF(TLB, " - Descriptor at address %#x (%s)\n", l1desc_addr,
509 currState->isSecure ? "s" : "ns");
510
511 // Trickbox address check
512 Fault f;
513 f = testWalk(l1desc_addr, sizeof(uint32_t),
514 TlbEntry::DomainType::NoAccess, L1);
515 if (f) {
516 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
517 if (currState->timing) {
518 pending = false;
519 nextWalk(currState->tc);
520 currState = NULL;
521 } else {
522 currState->tc = NULL;
523 currState->req = NULL;
524 }
525 return f;
526 }
527
528 Request::Flags flag = Request::PT_WALK;
529 if (currState->sctlr.c == 0) {
530 flag.set(Request::UNCACHEABLE);
531 }
532
533 if (currState->isSecure) {
534 flag.set(Request::SECURE);
535 }
536
537 bool delayed;
538 delayed = fetchDescriptor(l1desc_addr, (uint8_t*)&currState->l1Desc.data,
539 sizeof(uint32_t), flag, L1, &doL1DescEvent,
540 &TableWalker::doL1Descriptor);
541 if (!delayed) {
542 f = currState->fault;
543 }
544
545 return f;
546}
547
548Fault
549TableWalker::processWalkLPAE()
550{
551 Addr ttbr, ttbr0_max, ttbr1_min, desc_addr;
552 int tsz, n;
553 LookupLevel start_lookup_level = L1;
554
555 DPRINTF(TLB, "Beginning table walk for address %#x, TTBCR: %#x\n",
556 currState->vaddr_tainted, currState->ttbcr);
557
558 statWalkWaitTime.sample(curTick() - currState->startTime);
559
560 Request::Flags flag = Request::PT_WALK;
561 if (currState->isSecure)
562 flag.set(Request::SECURE);
563
564 // work out which base address register to use, if in hyp mode we always
565 // use HTTBR
566 if (isStage2) {
567 DPRINTF(TLB, " - Selecting VTTBR (long-desc.)\n");
568 ttbr = currState->tc->readMiscReg(MISCREG_VTTBR);
569 tsz = sext<4>(currState->vtcr.t0sz);
570 start_lookup_level = currState->vtcr.sl0 ? L1 : L2;
571 } else if (currState->isHyp) {
572 DPRINTF(TLB, " - Selecting HTTBR (long-desc.)\n");
573 ttbr = currState->tc->readMiscReg(MISCREG_HTTBR);
574 tsz = currState->htcr.t0sz;
575 } else {
576 assert(longDescFormatInUse(currState->tc));
577
578 // Determine boundaries of TTBR0/1 regions
579 if (currState->ttbcr.t0sz)
580 ttbr0_max = (1ULL << (32 - currState->ttbcr.t0sz)) - 1;
581 else if (currState->ttbcr.t1sz)
582 ttbr0_max = (1ULL << 32) -
583 (1ULL << (32 - currState->ttbcr.t1sz)) - 1;
584 else
585 ttbr0_max = (1ULL << 32) - 1;
586 if (currState->ttbcr.t1sz)
587 ttbr1_min = (1ULL << 32) - (1ULL << (32 - currState->ttbcr.t1sz));
588 else
589 ttbr1_min = (1ULL << (32 - currState->ttbcr.t0sz));
590
591 // The following code snippet selects the appropriate translation table base
592 // address (TTBR0 or TTBR1) and the appropriate starting lookup level
593 // depending on the address range supported by the translation table (ARM
594 // ARM issue C B3.6.4)
595 if (currState->vaddr <= ttbr0_max) {
596 DPRINTF(TLB, " - Selecting TTBR0 (long-desc.)\n");
597 // Check if table walk is allowed
598 if (currState->ttbcr.epd0) {
599 if (currState->isFetch)
600 return std::make_shared<PrefetchAbort>(
601 currState->vaddr_tainted,
602 ArmFault::TranslationLL + L1,
603 isStage2,
604 ArmFault::LpaeTran);
605 else
606 return std::make_shared<DataAbort>(
607 currState->vaddr_tainted,
608 TlbEntry::DomainType::NoAccess,
609 currState->isWrite,
610 ArmFault::TranslationLL + L1,
611 isStage2,
612 ArmFault::LpaeTran);
613 }
614 ttbr = currState->tc->readMiscReg(snsBankedIndex(
615 MISCREG_TTBR0, currState->tc, !currState->isSecure));
616 tsz = currState->ttbcr.t0sz;
617 if (ttbr0_max < (1ULL << 30)) // Upper limit < 1 GB
618 start_lookup_level = L2;
619 } else if (currState->vaddr >= ttbr1_min) {
620 DPRINTF(TLB, " - Selecting TTBR1 (long-desc.)\n");
621 // Check if table walk is allowed
622 if (currState->ttbcr.epd1) {
623 if (currState->isFetch)
624 return std::make_shared<PrefetchAbort>(
625 currState->vaddr_tainted,
626 ArmFault::TranslationLL + L1,
627 isStage2,
628 ArmFault::LpaeTran);
629 else
630 return std::make_shared<DataAbort>(
631 currState->vaddr_tainted,
632 TlbEntry::DomainType::NoAccess,
633 currState->isWrite,
634 ArmFault::TranslationLL + L1,
635 isStage2,
636 ArmFault::LpaeTran);
637 }
638 ttbr = currState->tc->readMiscReg(snsBankedIndex(
639 MISCREG_TTBR1, currState->tc, !currState->isSecure));
640 tsz = currState->ttbcr.t1sz;
641 if (ttbr1_min >= (1ULL << 31) + (1ULL << 30)) // Lower limit >= 3 GB
642 start_lookup_level = L2;
643 } else {
644 // Out of boundaries -> translation fault
645 if (currState->isFetch)
646 return std::make_shared<PrefetchAbort>(
647 currState->vaddr_tainted,
648 ArmFault::TranslationLL + L1,
649 isStage2,
650 ArmFault::LpaeTran);
651 else
652 return std::make_shared<DataAbort>(
653 currState->vaddr_tainted,
654 TlbEntry::DomainType::NoAccess,
655 currState->isWrite, ArmFault::TranslationLL + L1,
656 isStage2, ArmFault::LpaeTran);
657 }
658
659 }
660
661 // Perform lookup (ARM ARM issue C B3.6.6)
662 if (start_lookup_level == L1) {
663 n = 5 - tsz;
664 desc_addr = mbits(ttbr, 39, n) |
665 (bits(currState->vaddr, n + 26, 30) << 3);
666 DPRINTF(TLB, " - Descriptor at address %#x (%s) (long-desc.)\n",
667 desc_addr, currState->isSecure ? "s" : "ns");
668 } else {
669 // Skip first-level lookup
670 n = (tsz >= 2 ? 14 - tsz : 12);
671 desc_addr = mbits(ttbr, 39, n) |
672 (bits(currState->vaddr, n + 17, 21) << 3);
673 DPRINTF(TLB, " - Descriptor at address %#x (%s) (long-desc.)\n",
674 desc_addr, currState->isSecure ? "s" : "ns");
675 }
676
677 // Trickbox address check
678 Fault f = testWalk(desc_addr, sizeof(uint64_t),
679 TlbEntry::DomainType::NoAccess, start_lookup_level);
680 if (f) {
681 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
682 if (currState->timing) {
683 pending = false;
684 nextWalk(currState->tc);
685 currState = NULL;
686 } else {
687 currState->tc = NULL;
688 currState->req = NULL;
689 }
690 return f;
691 }
692
693 if (currState->sctlr.c == 0) {
694 flag.set(Request::UNCACHEABLE);
695 }
696
697 currState->longDesc.lookupLevel = start_lookup_level;
698 currState->longDesc.aarch64 = false;
699 currState->longDesc.grainSize = Grain4KB;
700
701 bool delayed = fetchDescriptor(desc_addr, (uint8_t*)&currState->longDesc.data,
702 sizeof(uint64_t), flag, start_lookup_level,
703 LongDescEventByLevel[start_lookup_level],
704 &TableWalker::doLongDescriptor);
705 if (!delayed) {
706 f = currState->fault;
707 }
708
709 return f;
710}
711
712unsigned
713TableWalker::adjustTableSizeAArch64(unsigned tsz)
714{
715 if (tsz < 25)
716 return 25;
717 if (tsz > 48)
718 return 48;
719 return tsz;
720}
721
722bool
723TableWalker::checkAddrSizeFaultAArch64(Addr addr, int currPhysAddrRange)
724{
725 return (currPhysAddrRange != MaxPhysAddrRange &&
726 bits(addr, MaxPhysAddrRange - 1, currPhysAddrRange));
727}
728
729Fault
730TableWalker::processWalkAArch64()
731{
732 assert(currState->aarch64);
733
734 DPRINTF(TLB, "Beginning table walk for address %#llx, TCR: %#llx\n",
735 currState->vaddr_tainted, currState->tcr);
736
737 static const GrainSize GrainMap_tg0[] =
738 { Grain4KB, Grain64KB, Grain16KB, ReservedGrain };
739 static const GrainSize GrainMap_tg1[] =
740 { ReservedGrain, Grain16KB, Grain4KB, Grain64KB };
741
742 statWalkWaitTime.sample(curTick() - currState->startTime);
743
744 // Determine TTBR, table size, granule size and phys. address range
745 Addr ttbr = 0;
746 int tsz = 0, ps = 0;
747 GrainSize tg = Grain4KB; // grain size computed from tg* field
748 bool fault = false;
749
750 LookupLevel start_lookup_level = MAX_LOOKUP_LEVELS;
751
752 switch (currState->el) {
753 case EL0:
754 case EL1:
755 if (isStage2) {
756 DPRINTF(TLB, " - Selecting VTTBR0 (AArch64 stage 2)\n");
757 ttbr = currState->tc->readMiscReg(MISCREG_VTTBR_EL2);
758 tsz = 64 - currState->vtcr.t0sz64;
759 tg = GrainMap_tg0[currState->vtcr.tg0];
760 // ARM DDI 0487A.f D7-2148
761 // The starting level of stage 2 translation depends on
762 // VTCR_EL2.SL0 and VTCR_EL2.TG0
763 LookupLevel __ = MAX_LOOKUP_LEVELS; // invalid level
764 uint8_t sl_tg = (currState->vtcr.sl0 << 2) | currState->vtcr.tg0;
765 static const LookupLevel SLL[] = {
766 L2, L3, L3, __, // sl0 == 0
767 L1, L2, L2, __, // sl0 == 1, etc.
768 L0, L1, L1, __,
769 __, __, __, __
770 };
771 start_lookup_level = SLL[sl_tg];
772 panic_if(start_lookup_level == MAX_LOOKUP_LEVELS,
773 "Cannot discern lookup level from vtcr.{sl0,tg0}");
774 } else switch (bits(currState->vaddr, 63,48)) {
775 case 0:
776 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
777 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL1);
778 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
779 tg = GrainMap_tg0[currState->tcr.tg0];
780 if (bits(currState->vaddr, 63, tsz) != 0x0 ||
781 currState->tcr.epd0)
782 fault = true;
783 break;
784 case 0xffff:
785 DPRINTF(TLB, " - Selecting TTBR1 (AArch64)\n");
786 ttbr = currState->tc->readMiscReg(MISCREG_TTBR1_EL1);
787 tsz = adjustTableSizeAArch64(64 - currState->tcr.t1sz);
788 tg = GrainMap_tg1[currState->tcr.tg1];
789 if (bits(currState->vaddr, 63, tsz) != mask(64-tsz) ||
790 currState->tcr.epd1)
791 fault = true;
792 break;
793 default:
794 // top two bytes must be all 0s or all 1s, else invalid addr
795 fault = true;
796 }
797 ps = currState->tcr.ips;
798 break;
799 case EL2:
800 switch(bits(currState->vaddr, 63,48)) {
801 case 0:
802 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
803 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL2);
804 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
805 tg = GrainMap_tg0[currState->tcr.tg0];
806 break;
807
808 case 0xffff:
809 DPRINTF(TLB, " - Selecting TTBR1 (AArch64)\n");
810 ttbr = currState->tc->readMiscReg(MISCREG_TTBR1_EL2);
811 tsz = adjustTableSizeAArch64(64 - currState->tcr.t1sz);
812 tg = GrainMap_tg1[currState->tcr.tg1];
813 if (bits(currState->vaddr, 63, tsz) != mask(64-tsz) ||
814 currState->tcr.epd1 || !currState->hcr.e2h)
815 fault = true;
816 break;
817
818 default:
819 // invalid addr if top two bytes are not all 0s
820 fault = true;
821 }
822 ps = currState->tcr.ips;
823 break;
824 case EL3:
825 switch(bits(currState->vaddr, 63,48)) {
826 case 0:
827 DPRINTF(TLB, " - Selecting TTBR0 (AArch64)\n");
828 ttbr = currState->tc->readMiscReg(MISCREG_TTBR0_EL3);
829 tsz = adjustTableSizeAArch64(64 - currState->tcr.t0sz);
830 tg = GrainMap_tg0[currState->tcr.tg0];
831 break;
832 default:
833 // invalid addr if top two bytes are not all 0s
834 fault = true;
835 }
836 ps = currState->tcr.ips;
837 break;
838 }
839
840 if (fault) {
841 Fault f;
842 if (currState->isFetch)
843 f = std::make_shared<PrefetchAbort>(
844 currState->vaddr_tainted,
845 ArmFault::TranslationLL + L0, isStage2,
846 ArmFault::LpaeTran);
847 else
848 f = std::make_shared<DataAbort>(
849 currState->vaddr_tainted,
850 TlbEntry::DomainType::NoAccess,
851 currState->isWrite,
852 ArmFault::TranslationLL + L0,
853 isStage2, ArmFault::LpaeTran);
854
855 if (currState->timing) {
856 pending = false;
857 nextWalk(currState->tc);
858 currState = NULL;
859 } else {
860 currState->tc = NULL;
861 currState->req = NULL;
862 }
863 return f;
864
865 }
866
867 if (tg == ReservedGrain) {
868 warn_once("Reserved granule size requested; gem5's IMPLEMENTATION "
869 "DEFINED behavior takes this to mean 4KB granules\n");
870 tg = Grain4KB;
871 }
872
873 // Determine starting lookup level
874 // See aarch64/translation/walk in Appendix G: ARMv8 Pseudocode Library
875 // in ARM DDI 0487A. These table values correspond to the cascading tests
876 // to compute the lookup level and are of the form
877 // (grain_size + N*stride), for N = {1, 2, 3}.
878 // A value of 64 will never succeed and a value of 0 will always succeed.
879 if (start_lookup_level == MAX_LOOKUP_LEVELS) {
880 struct GrainMap {
881 GrainSize grain_size;
882 unsigned lookup_level_cutoff[MAX_LOOKUP_LEVELS];
883 };
884 static const GrainMap GM[] = {
885 { Grain4KB, { 39, 30, 0, 0 } },
886 { Grain16KB, { 47, 36, 25, 0 } },
887 { Grain64KB, { 64, 42, 29, 0 } }
888 };
889
890 const unsigned *lookup = NULL; // points to a lookup_level_cutoff
891
892 for (unsigned i = 0; i < 3; ++i) { // choose entry of GM[]
893 if (tg == GM[i].grain_size) {
894 lookup = GM[i].lookup_level_cutoff;
895 break;
896 }
897 }
898 assert(lookup);
899
900 for (int L = L0; L != MAX_LOOKUP_LEVELS; ++L) {
901 if (tsz > lookup[L]) {
902 start_lookup_level = (LookupLevel) L;
903 break;
904 }
905 }
906 panic_if(start_lookup_level == MAX_LOOKUP_LEVELS,
907 "Table walker couldn't find lookup level\n");
908 }
909
910 int stride = tg - 3;
911
912 // Determine table base address
913 int base_addr_lo = 3 + tsz - stride * (3 - start_lookup_level) - tg;
914 Addr base_addr = mbits(ttbr, 47, base_addr_lo);
915
916 // Determine physical address size and raise an Address Size Fault if
917 // necessary
918 int pa_range = decodePhysAddrRange64(ps);
919 // Clamp to lower limit
920 if (pa_range > physAddrRange)
921 currState->physAddrRange = physAddrRange;
922 else
923 currState->physAddrRange = pa_range;
924 if (checkAddrSizeFaultAArch64(base_addr, currState->physAddrRange)) {
925 DPRINTF(TLB, "Address size fault before any lookup\n");
926 Fault f;
927 if (currState->isFetch)
928 f = std::make_shared<PrefetchAbort>(
929 currState->vaddr_tainted,
930 ArmFault::AddressSizeLL + start_lookup_level,
931 isStage2,
932 ArmFault::LpaeTran);
933 else
934 f = std::make_shared<DataAbort>(
935 currState->vaddr_tainted,
936 TlbEntry::DomainType::NoAccess,
937 currState->isWrite,
938 ArmFault::AddressSizeLL + start_lookup_level,
939 isStage2,
940 ArmFault::LpaeTran);
941
942
943 if (currState->timing) {
944 pending = false;
945 nextWalk(currState->tc);
946 currState = NULL;
947 } else {
948 currState->tc = NULL;
949 currState->req = NULL;
950 }
951 return f;
952
953 }
954
955 // Determine descriptor address
956 Addr desc_addr = base_addr |
957 (bits(currState->vaddr, tsz - 1,
958 stride * (3 - start_lookup_level) + tg) << 3);
959
960 // Trickbox address check
961 Fault f = testWalk(desc_addr, sizeof(uint64_t),
962 TlbEntry::DomainType::NoAccess, start_lookup_level);
963 if (f) {
964 DPRINTF(TLB, "Trickbox check caused fault on %#x\n", currState->vaddr_tainted);
965 if (currState->timing) {
966 pending = false;
967 nextWalk(currState->tc);
968 currState = NULL;
969 } else {
970 currState->tc = NULL;
971 currState->req = NULL;
972 }
973 return f;
974 }
975
976 Request::Flags flag = Request::PT_WALK;
977 if (currState->sctlr.c == 0) {
978 flag.set(Request::UNCACHEABLE);
979 }
980
981 if (currState->isSecure) {
982 flag.set(Request::SECURE);
983 }
984
985 currState->longDesc.lookupLevel = start_lookup_level;
986 currState->longDesc.aarch64 = true;
987 currState->longDesc.grainSize = tg;
988
989 if (currState->timing) {
990 fetchDescriptor(desc_addr, (uint8_t*) &currState->longDesc.data,
991 sizeof(uint64_t), flag, start_lookup_level,
992 LongDescEventByLevel[start_lookup_level], NULL);
993 } else {
994 fetchDescriptor(desc_addr, (uint8_t*)&currState->longDesc.data,
995 sizeof(uint64_t), flag, -1, NULL,
996 &TableWalker::doLongDescriptor);
997 f = currState->fault;
998 }
999
1000 return f;
1001}
1002
1003void
1004TableWalker::memAttrs(ThreadContext *tc, TlbEntry &te, SCTLR sctlr,
1005 uint8_t texcb, bool s)
1006{
1007 // Note: tc and sctlr local variables are hiding tc and sctrl class
1008 // variables
1009 DPRINTF(TLBVerbose, "memAttrs texcb:%d s:%d\n", texcb, s);
1010 te.shareable = false; // default value
1011 te.nonCacheable = false;
1012 te.outerShareable = false;
1013 if (sctlr.tre == 0 || ((sctlr.tre == 1) && (sctlr.m == 0))) {
1014 switch(texcb) {
1015 case 0: // Stongly-ordered
1016 te.nonCacheable = true;
1017 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1018 te.shareable = true;
1019 te.innerAttrs = 1;
1020 te.outerAttrs = 0;
1021 break;
1022 case 1: // Shareable Device
1023 te.nonCacheable = true;
1024 te.mtype = TlbEntry::MemoryType::Device;
1025 te.shareable = true;
1026 te.innerAttrs = 3;
1027 te.outerAttrs = 0;
1028 break;
1029 case 2: // Outer and Inner Write-Through, no Write-Allocate
1030 te.mtype = TlbEntry::MemoryType::Normal;
1031 te.shareable = s;
1032 te.innerAttrs = 6;
1033 te.outerAttrs = bits(texcb, 1, 0);
1034 break;
1035 case 3: // Outer and Inner Write-Back, no Write-Allocate
1036 te.mtype = TlbEntry::MemoryType::Normal;
1037 te.shareable = s;
1038 te.innerAttrs = 7;
1039 te.outerAttrs = bits(texcb, 1, 0);
1040 break;
1041 case 4: // Outer and Inner Non-cacheable
1042 te.nonCacheable = true;
1043 te.mtype = TlbEntry::MemoryType::Normal;
1044 te.shareable = s;
1045 te.innerAttrs = 0;
1046 te.outerAttrs = bits(texcb, 1, 0);
1047 break;
1048 case 5: // Reserved
1049 panic("Reserved texcb value!\n");
1050 break;
1051 case 6: // Implementation Defined
1052 panic("Implementation-defined texcb value!\n");
1053 break;
1054 case 7: // Outer and Inner Write-Back, Write-Allocate
1055 te.mtype = TlbEntry::MemoryType::Normal;
1056 te.shareable = s;
1057 te.innerAttrs = 5;
1058 te.outerAttrs = 1;
1059 break;
1060 case 8: // Non-shareable Device
1061 te.nonCacheable = true;
1062 te.mtype = TlbEntry::MemoryType::Device;
1063 te.shareable = false;
1064 te.innerAttrs = 3;
1065 te.outerAttrs = 0;
1066 break;
1067 case 9 ... 15: // Reserved
1068 panic("Reserved texcb value!\n");
1069 break;
1070 case 16 ... 31: // Cacheable Memory
1071 te.mtype = TlbEntry::MemoryType::Normal;
1072 te.shareable = s;
1073 if (bits(texcb, 1,0) == 0 || bits(texcb, 3,2) == 0)
1074 te.nonCacheable = true;
1075 te.innerAttrs = bits(texcb, 1, 0);
1076 te.outerAttrs = bits(texcb, 3, 2);
1077 break;
1078 default:
1079 panic("More than 32 states for 5 bits?\n");
1080 }
1081 } else {
1082 assert(tc);
1083 PRRR prrr = tc->readMiscReg(snsBankedIndex(MISCREG_PRRR,
1084 currState->tc, !currState->isSecure));
1085 NMRR nmrr = tc->readMiscReg(snsBankedIndex(MISCREG_NMRR,
1086 currState->tc, !currState->isSecure));
1087 DPRINTF(TLBVerbose, "memAttrs PRRR:%08x NMRR:%08x\n", prrr, nmrr);
1088 uint8_t curr_tr = 0, curr_ir = 0, curr_or = 0;
1089 switch(bits(texcb, 2,0)) {
1090 case 0:
1091 curr_tr = prrr.tr0;
1092 curr_ir = nmrr.ir0;
1093 curr_or = nmrr.or0;
1094 te.outerShareable = (prrr.nos0 == 0);
1095 break;
1096 case 1:
1097 curr_tr = prrr.tr1;
1098 curr_ir = nmrr.ir1;
1099 curr_or = nmrr.or1;
1100 te.outerShareable = (prrr.nos1 == 0);
1101 break;
1102 case 2:
1103 curr_tr = prrr.tr2;
1104 curr_ir = nmrr.ir2;
1105 curr_or = nmrr.or2;
1106 te.outerShareable = (prrr.nos2 == 0);
1107 break;
1108 case 3:
1109 curr_tr = prrr.tr3;
1110 curr_ir = nmrr.ir3;
1111 curr_or = nmrr.or3;
1112 te.outerShareable = (prrr.nos3 == 0);
1113 break;
1114 case 4:
1115 curr_tr = prrr.tr4;
1116 curr_ir = nmrr.ir4;
1117 curr_or = nmrr.or4;
1118 te.outerShareable = (prrr.nos4 == 0);
1119 break;
1120 case 5:
1121 curr_tr = prrr.tr5;
1122 curr_ir = nmrr.ir5;
1123 curr_or = nmrr.or5;
1124 te.outerShareable = (prrr.nos5 == 0);
1125 break;
1126 case 6:
1127 panic("Imp defined type\n");
1128 case 7:
1129 curr_tr = prrr.tr7;
1130 curr_ir = nmrr.ir7;
1131 curr_or = nmrr.or7;
1132 te.outerShareable = (prrr.nos7 == 0);
1133 break;
1134 }
1135
1136 switch(curr_tr) {
1137 case 0:
1138 DPRINTF(TLBVerbose, "StronglyOrdered\n");
1139 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1140 te.nonCacheable = true;
1141 te.innerAttrs = 1;
1142 te.outerAttrs = 0;
1143 te.shareable = true;
1144 break;
1145 case 1:
1146 DPRINTF(TLBVerbose, "Device ds1:%d ds0:%d s:%d\n",
1147 prrr.ds1, prrr.ds0, s);
1148 te.mtype = TlbEntry::MemoryType::Device;
1149 te.nonCacheable = true;
1150 te.innerAttrs = 3;
1151 te.outerAttrs = 0;
1152 if (prrr.ds1 && s)
1153 te.shareable = true;
1154 if (prrr.ds0 && !s)
1155 te.shareable = true;
1156 break;
1157 case 2:
1158 DPRINTF(TLBVerbose, "Normal ns1:%d ns0:%d s:%d\n",
1159 prrr.ns1, prrr.ns0, s);
1160 te.mtype = TlbEntry::MemoryType::Normal;
1161 if (prrr.ns1 && s)
1162 te.shareable = true;
1163 if (prrr.ns0 && !s)
1164 te.shareable = true;
1165 break;
1166 case 3:
1167 panic("Reserved type");
1168 }
1169
1170 if (te.mtype == TlbEntry::MemoryType::Normal){
1171 switch(curr_ir) {
1172 case 0:
1173 te.nonCacheable = true;
1174 te.innerAttrs = 0;
1175 break;
1176 case 1:
1177 te.innerAttrs = 5;
1178 break;
1179 case 2:
1180 te.innerAttrs = 6;
1181 break;
1182 case 3:
1183 te.innerAttrs = 7;
1184 break;
1185 }
1186
1187 switch(curr_or) {
1188 case 0:
1189 te.nonCacheable = true;
1190 te.outerAttrs = 0;
1191 break;
1192 case 1:
1193 te.outerAttrs = 1;
1194 break;
1195 case 2:
1196 te.outerAttrs = 2;
1197 break;
1198 case 3:
1199 te.outerAttrs = 3;
1200 break;
1201 }
1202 }
1203 }
1204 DPRINTF(TLBVerbose, "memAttrs: shareable: %d, innerAttrs: %d, "
1205 "outerAttrs: %d\n",
1206 te.shareable, te.innerAttrs, te.outerAttrs);
1207 te.setAttributes(false);
1208}
1209
1210void
1211TableWalker::memAttrsLPAE(ThreadContext *tc, TlbEntry &te,
1212 LongDescriptor &lDescriptor)
1213{
1214 assert(_haveLPAE);
1215
1216 uint8_t attr;
1217 uint8_t sh = lDescriptor.sh();
1218 // Different format and source of attributes if this is a stage 2
1219 // translation
1220 if (isStage2) {
1221 attr = lDescriptor.memAttr();
1222 uint8_t attr_3_2 = (attr >> 2) & 0x3;
1223 uint8_t attr_1_0 = attr & 0x3;
1224
1225 DPRINTF(TLBVerbose, "memAttrsLPAE MemAttr:%#x sh:%#x\n", attr, sh);
1226
1227 if (attr_3_2 == 0) {
1228 te.mtype = attr_1_0 == 0 ? TlbEntry::MemoryType::StronglyOrdered
1229 : TlbEntry::MemoryType::Device;
1230 te.outerAttrs = 0;
1231 te.innerAttrs = attr_1_0 == 0 ? 1 : 3;
1232 te.nonCacheable = true;
1233 } else {
1234 te.mtype = TlbEntry::MemoryType::Normal;
1235 te.outerAttrs = attr_3_2 == 1 ? 0 :
1236 attr_3_2 == 2 ? 2 : 1;
1237 te.innerAttrs = attr_1_0 == 1 ? 0 :
1238 attr_1_0 == 2 ? 6 : 5;
1239 te.nonCacheable = (attr_3_2 == 1) || (attr_1_0 == 1);
1240 }
1241 } else {
1242 uint8_t attrIndx = lDescriptor.attrIndx();
1243
1244 // LPAE always uses remapping of memory attributes, irrespective of the
1245 // value of SCTLR.TRE
1246 MiscRegIndex reg = attrIndx & 0x4 ? MISCREG_MAIR1 : MISCREG_MAIR0;
1247 int reg_as_int = snsBankedIndex(reg, currState->tc,
1248 !currState->isSecure);
1249 uint32_t mair = currState->tc->readMiscReg(reg_as_int);
1250 attr = (mair >> (8 * (attrIndx % 4))) & 0xff;
1251 uint8_t attr_7_4 = bits(attr, 7, 4);
1252 uint8_t attr_3_0 = bits(attr, 3, 0);
1253 DPRINTF(TLBVerbose, "memAttrsLPAE AttrIndx:%#x sh:%#x, attr %#x\n", attrIndx, sh, attr);
1254
1255 // Note: the memory subsystem only cares about the 'cacheable' memory
1256 // attribute. The other attributes are only used to fill the PAR register
1257 // accordingly to provide the illusion of full support
1258 te.nonCacheable = false;
1259
1260 switch (attr_7_4) {
1261 case 0x0:
1262 // Strongly-ordered or Device memory
1263 if (attr_3_0 == 0x0)
1264 te.mtype = TlbEntry::MemoryType::StronglyOrdered;
1265 else if (attr_3_0 == 0x4)
1266 te.mtype = TlbEntry::MemoryType::Device;
1267 else
1268 panic("Unpredictable behavior\n");
1269 te.nonCacheable = true;
1270 te.outerAttrs = 0;
1271 break;
1272 case 0x4:
1273 // Normal memory, Outer Non-cacheable
1274 te.mtype = TlbEntry::MemoryType::Normal;
1275 te.outerAttrs = 0;
1276 if (attr_3_0 == 0x4)
1277 // Inner Non-cacheable
1278 te.nonCacheable = true;
1279 else if (attr_3_0 < 0x8)
1280 panic("Unpredictable behavior\n");
1281 break;
1282 case 0x8:
1283 case 0x9:
1284 case 0xa:
1285 case 0xb:
1286 case 0xc:
1287 case 0xd:
1288 case 0xe:
1289 case 0xf:
1290 if (attr_7_4 & 0x4) {
1291 te.outerAttrs = (attr_7_4 & 1) ? 1 : 3;
1292 } else {
1293 te.outerAttrs = 0x2;
1294 }
1295 // Normal memory, Outer Cacheable
1296 te.mtype = TlbEntry::MemoryType::Normal;
1297 if (attr_3_0 != 0x4 && attr_3_0 < 0x8)
1298 panic("Unpredictable behavior\n");
1299 break;
1300 default:
1301 panic("Unpredictable behavior\n");
1302 break;
1303 }
1304
1305 switch (attr_3_0) {
1306 case 0x0:
1307 te.innerAttrs = 0x1;
1308 break;
1309 case 0x4:
1310 te.innerAttrs = attr_7_4 == 0 ? 0x3 : 0;
1311 break;
1312 case 0x8:
1313 case 0x9:
1314 case 0xA:
1315 case 0xB:
1316 te.innerAttrs = 6;
1317 break;
1318 case 0xC:
1319 case 0xD:
1320 case 0xE:
1321 case 0xF:
1322 te.innerAttrs = attr_3_0 & 1 ? 0x5 : 0x7;
1323 break;
1324 default:
1325 panic("Unpredictable behavior\n");
1326 break;
1327 }
1328 }
1329
1330 te.outerShareable = sh == 2;
1331 te.shareable = (sh & 0x2) ? true : false;
1332 te.setAttributes(true);
1333 te.attributes |= (uint64_t) attr << 56;
1334}
1335
1336void
1337TableWalker::memAttrsAArch64(ThreadContext *tc, TlbEntry &te,
1338 LongDescriptor &lDescriptor)
1339{
1340 uint8_t attr;
1341 uint8_t attr_hi;
1342 uint8_t attr_lo;
1343 uint8_t sh = lDescriptor.sh();
1344
1345 if (isStage2) {
1346 attr = lDescriptor.memAttr();
1347 uint8_t attr_hi = (attr >> 2) & 0x3;
1348 uint8_t attr_lo = attr & 0x3;
1349
1350 DPRINTF(TLBVerbose, "memAttrsAArch64 MemAttr:%#x sh:%#x\n", attr, sh);
1351
1352 if (attr_hi == 0) {
1353 te.mtype = attr_lo == 0 ? TlbEntry::MemoryType::StronglyOrdered
1354 : TlbEntry::MemoryType::Device;
1355 te.outerAttrs = 0;
1356 te.innerAttrs = attr_lo == 0 ? 1 : 3;
1357 te.nonCacheable = true;
1358 } else {
1359 te.mtype = TlbEntry::MemoryType::Normal;
1360 te.outerAttrs = attr_hi == 1 ? 0 :
1361 attr_hi == 2 ? 2 : 1;
1362 te.innerAttrs = attr_lo == 1 ? 0 :
1363 attr_lo == 2 ? 6 : 5;
1364 // Treat write-through memory as uncacheable, this is safe
1365 // but for performance reasons not optimal.
1366 te.nonCacheable = (attr_hi == 1) || (attr_hi == 2) ||
1367 (attr_lo == 1) || (attr_lo == 2);
1368 }
1369 } else {
1370 uint8_t attrIndx = lDescriptor.attrIndx();
1371
1372 DPRINTF(TLBVerbose, "memAttrsAArch64 AttrIndx:%#x sh:%#x\n", attrIndx, sh);
1373
1374 // Select MAIR
1375 uint64_t mair;
1376 switch (currState->el) {
1377 case EL0:
1378 case EL1:
1379 mair = tc->readMiscReg(MISCREG_MAIR_EL1);
1380 break;
1381 case EL2:
1382 mair = tc->readMiscReg(MISCREG_MAIR_EL2);
1383 break;
1384 case EL3:
1385 mair = tc->readMiscReg(MISCREG_MAIR_EL3);
1386 break;
1387 default:
1388 panic("Invalid exception level");
1389 break;
1390 }
1391
1392 // Select attributes
1393 attr = bits(mair, 8 * attrIndx + 7, 8 * attrIndx);
1394 attr_lo = bits(attr, 3, 0);
1395 attr_hi = bits(attr, 7, 4);
1396
1397 // Memory type
1398 te.mtype = attr_hi == 0 ? TlbEntry::MemoryType::Device : TlbEntry::MemoryType::Normal;
1399
1400 // Cacheability
1401 te.nonCacheable = false;
1402 if (te.mtype == TlbEntry::MemoryType::Device) { // Device memory
1403 te.nonCacheable = true;
1404 }
1405 // Treat write-through memory as uncacheable, this is safe
1406 // but for performance reasons not optimal.
1407 switch (attr_hi) {
1408 case 0x1 ... 0x3: // Normal Memory, Outer Write-through transient
1409 case 0x4: // Normal memory, Outer Non-cacheable
1410 case 0x8 ... 0xb: // Normal Memory, Outer Write-through non-transient
1411 te.nonCacheable = true;
1412 }
1413 switch (attr_lo) {
1414 case 0x1 ... 0x3: // Normal Memory, Inner Write-through transient
1415 case 0x9 ... 0xb: // Normal Memory, Inner Write-through non-transient
1416 warn_if(!attr_hi, "Unpredictable behavior");
1417 M5_FALLTHROUGH;
1418 case 0x4: // Device-nGnRE memory or
1419 // Normal memory, Inner Non-cacheable
1420 case 0x8: // Device-nGRE memory or
1421 // Normal memory, Inner Write-through non-transient
1422 te.nonCacheable = true;
1423 }
1424
1425 te.shareable = sh == 2;
1426 te.outerShareable = (sh & 0x2) ? true : false;
1427 // Attributes formatted according to the 64-bit PAR
1428 te.attributes = ((uint64_t) attr << 56) |
1429 (1 << 11) | // LPAE bit
1430 (te.ns << 9) | // NS bit
1431 (sh << 7);
1432 }
1433}
1434
1435void
1436TableWalker::doL1Descriptor()
1437{
1438 if (currState->fault != NoFault) {
1439 return;
1440 }
1441
1442 currState->l1Desc.data = htog(currState->l1Desc.data,
1443 byteOrder(currState->tc));
1444
1445 DPRINTF(TLB, "L1 descriptor for %#x is %#x\n",
1446 currState->vaddr_tainted, currState->l1Desc.data);
1447 TlbEntry te;
1448
1449 switch (currState->l1Desc.type()) {
1450 case L1Descriptor::Ignore:
1451 case L1Descriptor::Reserved:
1452 if (!currState->timing) {
1453 currState->tc = NULL;
1454 currState->req = NULL;
1455 }
1456 DPRINTF(TLB, "L1 Descriptor Reserved/Ignore, causing fault\n");
1457 if (currState->isFetch)
1458 currState->fault =
1459 std::make_shared<PrefetchAbort>(
1460 currState->vaddr_tainted,
1461 ArmFault::TranslationLL + L1,
1462 isStage2,
1463 ArmFault::VmsaTran);
1464 else
1465 currState->fault =
1466 std::make_shared<DataAbort>(
1467 currState->vaddr_tainted,
1468 TlbEntry::DomainType::NoAccess,
1469 currState->isWrite,
1470 ArmFault::TranslationLL + L1, isStage2,
1471 ArmFault::VmsaTran);
1472 return;
1473 case L1Descriptor::Section:
1474 if (currState->sctlr.afe && bits(currState->l1Desc.ap(), 0) == 0) {
1475 /** @todo: check sctlr.ha (bit[17]) if Hardware Access Flag is
1476 * enabled if set, do l1.Desc.setAp0() instead of generating
1477 * AccessFlag0
1478 */
1479
1480 currState->fault = std::make_shared<DataAbort>(
1481 currState->vaddr_tainted,
1482 currState->l1Desc.domain(),
1483 currState->isWrite,
1484 ArmFault::AccessFlagLL + L1,
1485 isStage2,
1486 ArmFault::VmsaTran);
1487 }
1488 if (currState->l1Desc.supersection()) {
1489 panic("Haven't implemented supersections\n");
1490 }
1491 insertTableEntry(currState->l1Desc, false);
1492 return;
1493 case L1Descriptor::PageTable:
1494 {
1495 Addr l2desc_addr;
1496 l2desc_addr = currState->l1Desc.l2Addr() |
1497 (bits(currState->vaddr, 19, 12) << 2);
1498 DPRINTF(TLB, "L1 descriptor points to page table at: %#x (%s)\n",
1499 l2desc_addr, currState->isSecure ? "s" : "ns");
1500
1501 // Trickbox address check
1502 currState->fault = testWalk(l2desc_addr, sizeof(uint32_t),
1503 currState->l1Desc.domain(), L2);
1504
1505 if (currState->fault) {
1506 if (!currState->timing) {
1507 currState->tc = NULL;
1508 currState->req = NULL;
1509 }
1510 return;
1511 }
1512
1513 Request::Flags flag = Request::PT_WALK;
1514 if (currState->isSecure)
1515 flag.set(Request::SECURE);
1516
1517 bool delayed;
1518 delayed = fetchDescriptor(l2desc_addr,
1519 (uint8_t*)&currState->l2Desc.data,
1520 sizeof(uint32_t), flag, -1, &doL2DescEvent,
1521 &TableWalker::doL2Descriptor);
1522 if (delayed) {
1523 currState->delayed = true;
1524 }
1525
1526 return;
1527 }
1528 default:
1529 panic("A new type in a 2 bit field?\n");
1530 }
1531}
1532
1533void
1534TableWalker::doLongDescriptor()
1535{
1536 if (currState->fault != NoFault) {
1537 return;
1538 }
1539
1540 currState->longDesc.data = htog(currState->longDesc.data,
1541 byteOrder(currState->tc));
1542
1543 DPRINTF(TLB, "L%d descriptor for %#llx is %#llx (%s)\n",
1544 currState->longDesc.lookupLevel, currState->vaddr_tainted,
1545 currState->longDesc.data,
1546 currState->aarch64 ? "AArch64" : "long-desc.");
1547
1548 if ((currState->longDesc.type() == LongDescriptor::Block) ||
1549 (currState->longDesc.type() == LongDescriptor::Page)) {
1550 DPRINTF(TLBVerbose, "Analyzing L%d descriptor: %#llx, pxn: %d, "
1551 "xn: %d, ap: %d, af: %d, type: %d\n",
1552 currState->longDesc.lookupLevel,
1553 currState->longDesc.data,
1554 currState->longDesc.pxn(),
1555 currState->longDesc.xn(),
1556 currState->longDesc.ap(),
1557 currState->longDesc.af(),
1558 currState->longDesc.type());
1559 } else {
1560 DPRINTF(TLBVerbose, "Analyzing L%d descriptor: %#llx, type: %d\n",
1561 currState->longDesc.lookupLevel,
1562 currState->longDesc.data,
1563 currState->longDesc.type());
1564 }
1565
1566 TlbEntry te;
1567
1568 switch (currState->longDesc.type()) {
1569 case LongDescriptor::Invalid:
1570 if (!currState->timing) {
1571 currState->tc = NULL;
1572 currState->req = NULL;
1573 }
1574
1575 DPRINTF(TLB, "L%d descriptor Invalid, causing fault type %d\n",
1576 currState->longDesc.lookupLevel,
1577 ArmFault::TranslationLL + currState->longDesc.lookupLevel);
1578 if (currState->isFetch)
1579 currState->fault = std::make_shared<PrefetchAbort>(
1580 currState->vaddr_tainted,
1581 ArmFault::TranslationLL + currState->longDesc.lookupLevel,
1582 isStage2,
1583 ArmFault::LpaeTran);
1584 else
1585 currState->fault = std::make_shared<DataAbort>(
1586 currState->vaddr_tainted,
1587 TlbEntry::DomainType::NoAccess,
1588 currState->isWrite,
1589 ArmFault::TranslationLL + currState->longDesc.lookupLevel,
1590 isStage2,
1591 ArmFault::LpaeTran);
1592 return;
1593 case LongDescriptor::Block:
1594 case LongDescriptor::Page:
1595 {
1596 bool fault = false;
1597 bool aff = false;
1598 // Check for address size fault
1599 if (checkAddrSizeFaultAArch64(
1600 mbits(currState->longDesc.data, MaxPhysAddrRange - 1,
1601 currState->longDesc.offsetBits()),
1602 currState->physAddrRange)) {
1603 fault = true;
1604 DPRINTF(TLB, "L%d descriptor causing Address Size Fault\n",
1605 currState->longDesc.lookupLevel);
1606 // Check for access fault
1607 } else if (currState->longDesc.af() == 0) {
1608 fault = true;
1609 DPRINTF(TLB, "L%d descriptor causing Access Fault\n",
1610 currState->longDesc.lookupLevel);
1611 aff = true;
1612 }
1613 if (fault) {
1614 if (currState->isFetch)
1615 currState->fault = std::make_shared<PrefetchAbort>(
1616 currState->vaddr_tainted,
1617 (aff ? ArmFault::AccessFlagLL : ArmFault::AddressSizeLL) +
1618 currState->longDesc.lookupLevel,
1619 isStage2,
1620 ArmFault::LpaeTran);
1621 else
1622 currState->fault = std::make_shared<DataAbort>(
1623 currState->vaddr_tainted,
1624 TlbEntry::DomainType::NoAccess, currState->isWrite,
1625 (aff ? ArmFault::AccessFlagLL : ArmFault::AddressSizeLL) +
1626 currState->longDesc.lookupLevel,
1627 isStage2,
1628 ArmFault::LpaeTran);
1629 } else {
1630 insertTableEntry(currState->longDesc, true);
1631 }
1632 }
1633 return;
1634 case LongDescriptor::Table:
1635 {
1636 // Set hierarchical permission flags
1637 currState->secureLookup = currState->secureLookup &&
1638 currState->longDesc.secureTable();
1639 currState->rwTable = currState->rwTable &&
1640 currState->longDesc.rwTable();
1641 currState->userTable = currState->userTable &&
1642 currState->longDesc.userTable();
1643 currState->xnTable = currState->xnTable ||
1644 currState->longDesc.xnTable();
1645 currState->pxnTable = currState->pxnTable ||
1646 currState->longDesc.pxnTable();
1647
1648 // Set up next level lookup
1649 Addr next_desc_addr = currState->longDesc.nextDescAddr(
1650 currState->vaddr);
1651
1652 DPRINTF(TLB, "L%d descriptor points to L%d descriptor at: %#x (%s)\n",
1653 currState->longDesc.lookupLevel,
1654 currState->longDesc.lookupLevel + 1,
1655 next_desc_addr,
1656 currState->secureLookup ? "s" : "ns");
1657
1658 // Check for address size fault
1659 if (currState->aarch64 && checkAddrSizeFaultAArch64(
1660 next_desc_addr, currState->physAddrRange)) {
1661 DPRINTF(TLB, "L%d descriptor causing Address Size Fault\n",
1662 currState->longDesc.lookupLevel);
1663 if (currState->isFetch)
1664 currState->fault = std::make_shared<PrefetchAbort>(
1665 currState->vaddr_tainted,
1666 ArmFault::AddressSizeLL
1667 + currState->longDesc.lookupLevel,
1668 isStage2,
1669 ArmFault::LpaeTran);
1670 else
1671 currState->fault = std::make_shared<DataAbort>(
1672 currState->vaddr_tainted,
1673 TlbEntry::DomainType::NoAccess, currState->isWrite,
1674 ArmFault::AddressSizeLL
1675 + currState->longDesc.lookupLevel,
1676 isStage2,
1677 ArmFault::LpaeTran);
1678 return;
1679 }
1680
1681 // Trickbox address check
1682 currState->fault = testWalk(
1683 next_desc_addr, sizeof(uint64_t), TlbEntry::DomainType::Client,
1684 toLookupLevel(currState->longDesc.lookupLevel +1));
1685
1686 if (currState->fault) {
1687 if (!currState->timing) {
1688 currState->tc = NULL;
1689 currState->req = NULL;
1690 }
1691 return;
1692 }
1693
1694 Request::Flags flag = Request::PT_WALK;
1695 if (currState->secureLookup)
1696 flag.set(Request::SECURE);
1697
1698 LookupLevel L = currState->longDesc.lookupLevel =
1699 (LookupLevel) (currState->longDesc.lookupLevel + 1);
1700 Event *event = NULL;
1701 switch (L) {
1702 case L1:
1703 assert(currState->aarch64);
1704 case L2:
1705 case L3:
1706 event = LongDescEventByLevel[L];
1707 break;
1708 default:
1709 panic("Wrong lookup level in table walk\n");
1710 break;
1711 }
1712
1713 bool delayed;
1714 delayed = fetchDescriptor(next_desc_addr, (uint8_t*)&currState->longDesc.data,
1715 sizeof(uint64_t), flag, -1, event,
1716 &TableWalker::doLongDescriptor);
1717 if (delayed) {
1718 currState->delayed = true;
1719 }
1720 }
1721 return;
1722 default:
1723 panic("A new type in a 2 bit field?\n");
1724 }
1725}
1726
1727void
1728TableWalker::doL2Descriptor()
1729{
1730 if (currState->fault != NoFault) {
1731 return;
1732 }
1733
1734 currState->l2Desc.data = htog(currState->l2Desc.data,
1735 byteOrder(currState->tc));
1736
1737 DPRINTF(TLB, "L2 descriptor for %#x is %#x\n",
1738 currState->vaddr_tainted, currState->l2Desc.data);
1739 TlbEntry te;
1740
1741 if (currState->l2Desc.invalid()) {
1742 DPRINTF(TLB, "L2 descriptor invalid, causing fault\n");
1743 if (!currState->timing) {
1744 currState->tc = NULL;
1745 currState->req = NULL;
1746 }
1747 if (currState->isFetch)
1748 currState->fault = std::make_shared<PrefetchAbort>(
1749 currState->vaddr_tainted,
1750 ArmFault::TranslationLL + L2,
1751 isStage2,
1752 ArmFault::VmsaTran);
1753 else
1754 currState->fault = std::make_shared<DataAbort>(
1755 currState->vaddr_tainted, currState->l1Desc.domain(),
1756 currState->isWrite, ArmFault::TranslationLL + L2,
1757 isStage2,
1758 ArmFault::VmsaTran);
1759 return;
1760 }
1761
1762 if (currState->sctlr.afe && bits(currState->l2Desc.ap(), 0) == 0) {
1763 /** @todo: check sctlr.ha (bit[17]) if Hardware Access Flag is enabled
1764 * if set, do l2.Desc.setAp0() instead of generating AccessFlag0
1765 */
1766 DPRINTF(TLB, "Generating access fault at L2, afe: %d, ap: %d\n",
1767 currState->sctlr.afe, currState->l2Desc.ap());
1768
1769 currState->fault = std::make_shared<DataAbort>(
1770 currState->vaddr_tainted,
1771 TlbEntry::DomainType::NoAccess, currState->isWrite,
1772 ArmFault::AccessFlagLL + L2, isStage2,
1773 ArmFault::VmsaTran);
1774 }
1775
1776 insertTableEntry(currState->l2Desc, false);
1777}
1778
1779void
1780TableWalker::doL1DescriptorWrapper()
1781{
1782 currState = stateQueues[L1].front();
1783 currState->delayed = false;
1784 // if there's a stage2 translation object we don't need it any more
1785 if (currState->stage2Tran) {
1786 delete currState->stage2Tran;
1787 currState->stage2Tran = NULL;
1788 }
1789
1790
1791 DPRINTF(TLBVerbose, "L1 Desc object host addr: %p\n",&currState->l1Desc.data);
1792 DPRINTF(TLBVerbose, "L1 Desc object data: %08x\n",currState->l1Desc.data);
1793
1794 DPRINTF(TLBVerbose, "calling doL1Descriptor for vaddr:%#x\n", currState->vaddr_tainted);
1795 doL1Descriptor();
1796
1797 stateQueues[L1].pop_front();
1798 // Check if fault was generated
1799 if (currState->fault != NoFault) {
1800 currState->transState->finish(currState->fault, currState->req,
1801 currState->tc, currState->mode);
1802 statWalksShortTerminatedAtLevel[0]++;
1803
1804 pending = false;
1805 nextWalk(currState->tc);
1806
1807 currState->req = NULL;
1808 currState->tc = NULL;
1809 currState->delayed = false;
1810 delete currState;
1811 }
1812 else if (!currState->delayed) {
1813 // delay is not set so there is no L2 to do
1814 // Don't finish the translation if a stage 2 look up is underway
|
1952
1953 pending = false;
1954 nextWalk(currState->tc);
1955
1956 currState->req = NULL;
1957 currState->tc = NULL;
1958 currState->delayed = false;
1959 delete currState;
1960 } else {
1961 if (curr_lookup_level >= MAX_LOOKUP_LEVELS - 1)
1962 panic("Max. number of lookups already reached in table walk\n");
1963 // Need to perform additional lookups
1964 stateQueues[currState->longDesc.lookupLevel].push_back(currState);
1965 }
1966 currState = NULL;
1967}
1968
1969
1970void
1971TableWalker::nextWalk(ThreadContext *tc)
1972{
1973 if (pendingQueue.size())
1974 schedule(doProcessEvent, clockEdge(Cycles(1)));
1975 else
1976 completeDrain();
1977}
1978
1979bool
1980TableWalker::fetchDescriptor(Addr descAddr, uint8_t *data, int numBytes,
1981 Request::Flags flags, int queueIndex, Event *event,
1982 void (TableWalker::*doDescriptor)())
1983{
1984 bool isTiming = currState->timing;
1985
1986 DPRINTF(TLBVerbose, "Fetching descriptor at address: 0x%x stage2Req: %d\n",
1987 descAddr, currState->stage2Req);
1988
1989 // If this translation has a stage 2 then we know descAddr is an IPA and
1990 // needs to be translated before we can access the page table. Do that
1991 // check here.
1992 if (currState->stage2Req) {
1993 Fault fault;
1994 flags = flags | TLB::MustBeOne;
1995
1996 if (isTiming) {
1997 Stage2MMU::Stage2Translation *tran = new
1998 Stage2MMU::Stage2Translation(*stage2Mmu, data, event,
1999 currState->vaddr);
2000 currState->stage2Tran = tran;
2001 stage2Mmu->readDataTimed(currState->tc, descAddr, tran, numBytes,
2002 flags);
2003 fault = tran->fault;
2004 } else {
2005 fault = stage2Mmu->readDataUntimed(currState->tc,
2006 currState->vaddr, descAddr, data, numBytes, flags,
2007 currState->functional);
2008 }
2009
2010 if (fault != NoFault) {
2011 currState->fault = fault;
2012 }
2013 if (isTiming) {
2014 if (queueIndex >= 0) {
2015 DPRINTF(TLBVerbose, "Adding to walker fifo: queue size before adding: %d\n",
2016 stateQueues[queueIndex].size());
2017 stateQueues[queueIndex].push_back(currState);
2018 currState = NULL;
2019 }
2020 } else {
2021 (this->*doDescriptor)();
2022 }
2023 } else {
2024 if (isTiming) {
2025 port->dmaAction(MemCmd::ReadReq, descAddr, numBytes, event, data,
2026 currState->tc->getCpuPtr()->clockPeriod(),flags);
2027 if (queueIndex >= 0) {
2028 DPRINTF(TLBVerbose, "Adding to walker fifo: queue size before adding: %d\n",
2029 stateQueues[queueIndex].size());
2030 stateQueues[queueIndex].push_back(currState);
2031 currState = NULL;
2032 }
2033 } else if (!currState->functional) {
2034 port->dmaAction(MemCmd::ReadReq, descAddr, numBytes, NULL, data,
2035 currState->tc->getCpuPtr()->clockPeriod(), flags);
2036 (this->*doDescriptor)();
2037 } else {
2038 RequestPtr req = new Request(descAddr, numBytes, flags, masterId);
2039 req->taskId(ContextSwitchTaskId::DMA);
2040 PacketPtr pkt = new Packet(req, MemCmd::ReadReq);
2041 pkt->dataStatic(data);
2042 port->sendFunctional(pkt);
2043 (this->*doDescriptor)();
2044 delete req;
2045 delete pkt;
2046 }
2047 }
2048 return (isTiming);
2049}
2050
2051void
2052TableWalker::insertTableEntry(DescriptorBase &descriptor, bool longDescriptor)
2053{
2054 TlbEntry te;
2055
2056 // Create and fill a new page table entry
2057 te.valid = true;
2058 te.longDescFormat = longDescriptor;
2059 te.isHyp = currState->isHyp;
2060 te.asid = currState->asid;
2061 te.vmid = currState->vmid;
2062 te.N = descriptor.offsetBits();
2063 te.vpn = currState->vaddr >> te.N;
2064 te.size = (1<<te.N) - 1;
2065 te.pfn = descriptor.pfn();
2066 te.domain = descriptor.domain();
2067 te.lookupLevel = descriptor.lookupLevel;
2068 te.ns = !descriptor.secure(haveSecurity, currState) || isStage2;
2069 te.nstid = !currState->isSecure;
2070 te.xn = descriptor.xn();
2071 if (currState->aarch64)
2072 te.el = currState->el;
2073 else
2074 te.el = 1;
2075
2076 statPageSizes[pageSizeNtoStatBin(te.N)]++;
2077 statRequestOrigin[COMPLETED][currState->isFetch]++;
2078
2079 // ASID has no meaning for stage 2 TLB entries, so mark all stage 2 entries
2080 // as global
2081 te.global = descriptor.global(currState) || isStage2;
2082 if (longDescriptor) {
2083 LongDescriptor lDescriptor =
2084 dynamic_cast<LongDescriptor &>(descriptor);
2085
2086 te.xn |= currState->xnTable;
2087 te.pxn = currState->pxnTable || lDescriptor.pxn();
2088 if (isStage2) {
2089 // this is actually the HAP field, but its stored in the same bit
2090 // possitions as the AP field in a stage 1 translation.
2091 te.hap = lDescriptor.ap();
2092 } else {
2093 te.ap = ((!currState->rwTable || descriptor.ap() >> 1) << 1) |
2094 (currState->userTable && (descriptor.ap() & 0x1));
2095 }
2096 if (currState->aarch64)
2097 memAttrsAArch64(currState->tc, te, lDescriptor);
2098 else
2099 memAttrsLPAE(currState->tc, te, lDescriptor);
2100 } else {
2101 te.ap = descriptor.ap();
2102 memAttrs(currState->tc, te, currState->sctlr, descriptor.texcb(),
2103 descriptor.shareable());
2104 }
2105
2106 // Debug output
2107 DPRINTF(TLB, descriptor.dbgHeader().c_str());
2108 DPRINTF(TLB, " - N:%d pfn:%#x size:%#x global:%d valid:%d\n",
2109 te.N, te.pfn, te.size, te.global, te.valid);
2110 DPRINTF(TLB, " - vpn:%#x xn:%d pxn:%d ap:%d domain:%d asid:%d "
2111 "vmid:%d hyp:%d nc:%d ns:%d\n", te.vpn, te.xn, te.pxn,
2112 te.ap, static_cast<uint8_t>(te.domain), te.asid, te.vmid, te.isHyp,
2113 te.nonCacheable, te.ns);
2114 DPRINTF(TLB, " - domain from L%d desc:%d data:%#x\n",
2115 descriptor.lookupLevel, static_cast<uint8_t>(descriptor.domain()),
2116 descriptor.getRawData());
2117
2118 // Insert the entry into the TLB
2119 tlb->insert(currState->vaddr, te);
2120 if (!currState->timing) {
2121 currState->tc = NULL;
2122 currState->req = NULL;
2123 }
2124}
2125
2126ArmISA::TableWalker *
2127ArmTableWalkerParams::create()
2128{
2129 return new ArmISA::TableWalker(this);
2130}
2131
2132LookupLevel
2133TableWalker::toLookupLevel(uint8_t lookup_level_as_int)
2134{
2135 switch (lookup_level_as_int) {
2136 case L1:
2137 return L1;
2138 case L2:
2139 return L2;
2140 case L3:
2141 return L3;
2142 default:
2143 panic("Invalid lookup level conversion");
2144 }
2145}
2146
2147/* this method keeps track of the table walker queue's residency, so
2148 * needs to be called whenever requests start and complete. */
2149void
2150TableWalker::pendingChange()
2151{
2152 unsigned n = pendingQueue.size();
2153 if ((currState != NULL) && (currState != pendingQueue.front())) {
2154 ++n;
2155 }
2156
2157 if (n != pendingReqs) {
2158 Tick now = curTick();
2159 statPendingWalks.sample(pendingReqs, now - pendingChangeTick);
2160 pendingReqs = n;
2161 pendingChangeTick = now;
2162 }
2163}
2164
2165Fault
2166TableWalker::testWalk(Addr pa, Addr size, TlbEntry::DomainType domain,
2167 LookupLevel lookup_level)
2168{
2169 return tlb->testWalk(pa, size, currState->vaddr, currState->isSecure,
2170 currState->mode, domain, lookup_level);
2171}
2172
2173
2174uint8_t
2175TableWalker::pageSizeNtoStatBin(uint8_t N)
2176{
2177 /* for statPageSizes */
2178 switch(N) {
2179 case 12: return 0; // 4K
2180 case 14: return 1; // 16K (using 16K granule in v8-64)
2181 case 16: return 2; // 64K
2182 case 20: return 3; // 1M
2183 case 21: return 4; // 2M-LPAE
2184 case 24: return 5; // 16M
2185 case 25: return 6; // 32M (using 16K granule in v8-64)
2186 case 29: return 7; // 512M (using 64K granule in v8-64)
2187 case 30: return 8; // 1G-LPAE
2188 default:
2189 panic("unknown page size");
2190 return 255;
2191 }
2192}
2193
2194void
2195TableWalker::regStats()
2196{
2197 ClockedObject::regStats();
2198
2199 statWalks
2200 .name(name() + ".walks")
2201 .desc("Table walker walks requested")
2202 ;
2203
2204 statWalksShortDescriptor
2205 .name(name() + ".walksShort")
2206 .desc("Table walker walks initiated with short descriptors")
2207 .flags(Stats::nozero)
2208 ;
2209
2210 statWalksLongDescriptor
2211 .name(name() + ".walksLong")
2212 .desc("Table walker walks initiated with long descriptors")
2213 .flags(Stats::nozero)
2214 ;
2215
2216 statWalksShortTerminatedAtLevel
2217 .init(2)
2218 .name(name() + ".walksShortTerminationLevel")
2219 .desc("Level at which table walker walks "
2220 "with short descriptors terminate")
2221 .flags(Stats::nozero)
2222 ;
2223 statWalksShortTerminatedAtLevel.subname(0, "Level1");
2224 statWalksShortTerminatedAtLevel.subname(1, "Level2");
2225
2226 statWalksLongTerminatedAtLevel
2227 .init(4)
2228 .name(name() + ".walksLongTerminationLevel")
2229 .desc("Level at which table walker walks "
2230 "with long descriptors terminate")
2231 .flags(Stats::nozero)
2232 ;
2233 statWalksLongTerminatedAtLevel.subname(0, "Level0");
2234 statWalksLongTerminatedAtLevel.subname(1, "Level1");
2235 statWalksLongTerminatedAtLevel.subname(2, "Level2");
2236 statWalksLongTerminatedAtLevel.subname(3, "Level3");
2237
2238 statSquashedBefore
2239 .name(name() + ".walksSquashedBefore")
2240 .desc("Table walks squashed before starting")
2241 .flags(Stats::nozero)
2242 ;
2243
2244 statSquashedAfter
2245 .name(name() + ".walksSquashedAfter")
2246 .desc("Table walks squashed after completion")
2247 .flags(Stats::nozero)
2248 ;
2249
2250 statWalkWaitTime
2251 .init(16)
2252 .name(name() + ".walkWaitTime")
2253 .desc("Table walker wait (enqueue to first request) latency")
2254 .flags(Stats::pdf | Stats::nozero | Stats::nonan)
2255 ;
2256
2257 statWalkServiceTime
2258 .init(16)
2259 .name(name() + ".walkCompletionTime")
2260 .desc("Table walker service (enqueue to completion) latency")
2261 .flags(Stats::pdf | Stats::nozero | Stats::nonan)
2262 ;
2263
2264 statPendingWalks
2265 .init(16)
2266 .name(name() + ".walksPending")
2267 .desc("Table walker pending requests distribution")
2268 .flags(Stats::pdf | Stats::dist | Stats::nozero | Stats::nonan)
2269 ;
2270
2271 statPageSizes // see DDI 0487A D4-1661
2272 .init(9)
2273 .name(name() + ".walkPageSizes")
2274 .desc("Table walker page sizes translated")
2275 .flags(Stats::total | Stats::pdf | Stats::dist | Stats::nozero)
2276 ;
2277 statPageSizes.subname(0, "4K");
2278 statPageSizes.subname(1, "16K");
2279 statPageSizes.subname(2, "64K");
2280 statPageSizes.subname(3, "1M");
2281 statPageSizes.subname(4, "2M");
2282 statPageSizes.subname(5, "16M");
2283 statPageSizes.subname(6, "32M");
2284 statPageSizes.subname(7, "512M");
2285 statPageSizes.subname(8, "1G");
2286
2287 statRequestOrigin
2288 .init(2,2) // Instruction/Data, requests/completed
2289 .name(name() + ".walkRequestOrigin")
2290 .desc("Table walker requests started/completed, data/inst")
2291 .flags(Stats::total)
2292 ;
2293 statRequestOrigin.subname(0,"Requested");
2294 statRequestOrigin.subname(1,"Completed");
2295 statRequestOrigin.ysubname(0,"Data");
2296 statRequestOrigin.ysubname(1,"Inst");
2297}
| 1938
1939 pending = false;
1940 nextWalk(currState->tc);
1941
1942 currState->req = NULL;
1943 currState->tc = NULL;
1944 currState->delayed = false;
1945 delete currState;
1946 } else {
1947 if (curr_lookup_level >= MAX_LOOKUP_LEVELS - 1)
1948 panic("Max. number of lookups already reached in table walk\n");
1949 // Need to perform additional lookups
1950 stateQueues[currState->longDesc.lookupLevel].push_back(currState);
1951 }
1952 currState = NULL;
1953}
1954
1955
1956void
1957TableWalker::nextWalk(ThreadContext *tc)
1958{
1959 if (pendingQueue.size())
1960 schedule(doProcessEvent, clockEdge(Cycles(1)));
1961 else
1962 completeDrain();
1963}
1964
1965bool
1966TableWalker::fetchDescriptor(Addr descAddr, uint8_t *data, int numBytes,
1967 Request::Flags flags, int queueIndex, Event *event,
1968 void (TableWalker::*doDescriptor)())
1969{
1970 bool isTiming = currState->timing;
1971
1972 DPRINTF(TLBVerbose, "Fetching descriptor at address: 0x%x stage2Req: %d\n",
1973 descAddr, currState->stage2Req);
1974
1975 // If this translation has a stage 2 then we know descAddr is an IPA and
1976 // needs to be translated before we can access the page table. Do that
1977 // check here.
1978 if (currState->stage2Req) {
1979 Fault fault;
1980 flags = flags | TLB::MustBeOne;
1981
1982 if (isTiming) {
1983 Stage2MMU::Stage2Translation *tran = new
1984 Stage2MMU::Stage2Translation(*stage2Mmu, data, event,
1985 currState->vaddr);
1986 currState->stage2Tran = tran;
1987 stage2Mmu->readDataTimed(currState->tc, descAddr, tran, numBytes,
1988 flags);
1989 fault = tran->fault;
1990 } else {
1991 fault = stage2Mmu->readDataUntimed(currState->tc,
1992 currState->vaddr, descAddr, data, numBytes, flags,
1993 currState->functional);
1994 }
1995
1996 if (fault != NoFault) {
1997 currState->fault = fault;
1998 }
1999 if (isTiming) {
2000 if (queueIndex >= 0) {
2001 DPRINTF(TLBVerbose, "Adding to walker fifo: queue size before adding: %d\n",
2002 stateQueues[queueIndex].size());
2003 stateQueues[queueIndex].push_back(currState);
2004 currState = NULL;
2005 }
2006 } else {
2007 (this->*doDescriptor)();
2008 }
2009 } else {
2010 if (isTiming) {
2011 port->dmaAction(MemCmd::ReadReq, descAddr, numBytes, event, data,
2012 currState->tc->getCpuPtr()->clockPeriod(),flags);
2013 if (queueIndex >= 0) {
2014 DPRINTF(TLBVerbose, "Adding to walker fifo: queue size before adding: %d\n",
2015 stateQueues[queueIndex].size());
2016 stateQueues[queueIndex].push_back(currState);
2017 currState = NULL;
2018 }
2019 } else if (!currState->functional) {
2020 port->dmaAction(MemCmd::ReadReq, descAddr, numBytes, NULL, data,
2021 currState->tc->getCpuPtr()->clockPeriod(), flags);
2022 (this->*doDescriptor)();
2023 } else {
2024 RequestPtr req = new Request(descAddr, numBytes, flags, masterId);
2025 req->taskId(ContextSwitchTaskId::DMA);
2026 PacketPtr pkt = new Packet(req, MemCmd::ReadReq);
2027 pkt->dataStatic(data);
2028 port->sendFunctional(pkt);
2029 (this->*doDescriptor)();
2030 delete req;
2031 delete pkt;
2032 }
2033 }
2034 return (isTiming);
2035}
2036
2037void
2038TableWalker::insertTableEntry(DescriptorBase &descriptor, bool longDescriptor)
2039{
2040 TlbEntry te;
2041
2042 // Create and fill a new page table entry
2043 te.valid = true;
2044 te.longDescFormat = longDescriptor;
2045 te.isHyp = currState->isHyp;
2046 te.asid = currState->asid;
2047 te.vmid = currState->vmid;
2048 te.N = descriptor.offsetBits();
2049 te.vpn = currState->vaddr >> te.N;
2050 te.size = (1<<te.N) - 1;
2051 te.pfn = descriptor.pfn();
2052 te.domain = descriptor.domain();
2053 te.lookupLevel = descriptor.lookupLevel;
2054 te.ns = !descriptor.secure(haveSecurity, currState) || isStage2;
2055 te.nstid = !currState->isSecure;
2056 te.xn = descriptor.xn();
2057 if (currState->aarch64)
2058 te.el = currState->el;
2059 else
2060 te.el = 1;
2061
2062 statPageSizes[pageSizeNtoStatBin(te.N)]++;
2063 statRequestOrigin[COMPLETED][currState->isFetch]++;
2064
2065 // ASID has no meaning for stage 2 TLB entries, so mark all stage 2 entries
2066 // as global
2067 te.global = descriptor.global(currState) || isStage2;
2068 if (longDescriptor) {
2069 LongDescriptor lDescriptor =
2070 dynamic_cast<LongDescriptor &>(descriptor);
2071
2072 te.xn |= currState->xnTable;
2073 te.pxn = currState->pxnTable || lDescriptor.pxn();
2074 if (isStage2) {
2075 // this is actually the HAP field, but its stored in the same bit
2076 // possitions as the AP field in a stage 1 translation.
2077 te.hap = lDescriptor.ap();
2078 } else {
2079 te.ap = ((!currState->rwTable || descriptor.ap() >> 1) << 1) |
2080 (currState->userTable && (descriptor.ap() & 0x1));
2081 }
2082 if (currState->aarch64)
2083 memAttrsAArch64(currState->tc, te, lDescriptor);
2084 else
2085 memAttrsLPAE(currState->tc, te, lDescriptor);
2086 } else {
2087 te.ap = descriptor.ap();
2088 memAttrs(currState->tc, te, currState->sctlr, descriptor.texcb(),
2089 descriptor.shareable());
2090 }
2091
2092 // Debug output
2093 DPRINTF(TLB, descriptor.dbgHeader().c_str());
2094 DPRINTF(TLB, " - N:%d pfn:%#x size:%#x global:%d valid:%d\n",
2095 te.N, te.pfn, te.size, te.global, te.valid);
2096 DPRINTF(TLB, " - vpn:%#x xn:%d pxn:%d ap:%d domain:%d asid:%d "
2097 "vmid:%d hyp:%d nc:%d ns:%d\n", te.vpn, te.xn, te.pxn,
2098 te.ap, static_cast<uint8_t>(te.domain), te.asid, te.vmid, te.isHyp,
2099 te.nonCacheable, te.ns);
2100 DPRINTF(TLB, " - domain from L%d desc:%d data:%#x\n",
2101 descriptor.lookupLevel, static_cast<uint8_t>(descriptor.domain()),
2102 descriptor.getRawData());
2103
2104 // Insert the entry into the TLB
2105 tlb->insert(currState->vaddr, te);
2106 if (!currState->timing) {
2107 currState->tc = NULL;
2108 currState->req = NULL;
2109 }
2110}
2111
2112ArmISA::TableWalker *
2113ArmTableWalkerParams::create()
2114{
2115 return new ArmISA::TableWalker(this);
2116}
2117
2118LookupLevel
2119TableWalker::toLookupLevel(uint8_t lookup_level_as_int)
2120{
2121 switch (lookup_level_as_int) {
2122 case L1:
2123 return L1;
2124 case L2:
2125 return L2;
2126 case L3:
2127 return L3;
2128 default:
2129 panic("Invalid lookup level conversion");
2130 }
2131}
2132
2133/* this method keeps track of the table walker queue's residency, so
2134 * needs to be called whenever requests start and complete. */
2135void
2136TableWalker::pendingChange()
2137{
2138 unsigned n = pendingQueue.size();
2139 if ((currState != NULL) && (currState != pendingQueue.front())) {
2140 ++n;
2141 }
2142
2143 if (n != pendingReqs) {
2144 Tick now = curTick();
2145 statPendingWalks.sample(pendingReqs, now - pendingChangeTick);
2146 pendingReqs = n;
2147 pendingChangeTick = now;
2148 }
2149}
2150
2151Fault
2152TableWalker::testWalk(Addr pa, Addr size, TlbEntry::DomainType domain,
2153 LookupLevel lookup_level)
2154{
2155 return tlb->testWalk(pa, size, currState->vaddr, currState->isSecure,
2156 currState->mode, domain, lookup_level);
2157}
2158
2159
2160uint8_t
2161TableWalker::pageSizeNtoStatBin(uint8_t N)
2162{
2163 /* for statPageSizes */
2164 switch(N) {
2165 case 12: return 0; // 4K
2166 case 14: return 1; // 16K (using 16K granule in v8-64)
2167 case 16: return 2; // 64K
2168 case 20: return 3; // 1M
2169 case 21: return 4; // 2M-LPAE
2170 case 24: return 5; // 16M
2171 case 25: return 6; // 32M (using 16K granule in v8-64)
2172 case 29: return 7; // 512M (using 64K granule in v8-64)
2173 case 30: return 8; // 1G-LPAE
2174 default:
2175 panic("unknown page size");
2176 return 255;
2177 }
2178}
2179
2180void
2181TableWalker::regStats()
2182{
2183 ClockedObject::regStats();
2184
2185 statWalks
2186 .name(name() + ".walks")
2187 .desc("Table walker walks requested")
2188 ;
2189
2190 statWalksShortDescriptor
2191 .name(name() + ".walksShort")
2192 .desc("Table walker walks initiated with short descriptors")
2193 .flags(Stats::nozero)
2194 ;
2195
2196 statWalksLongDescriptor
2197 .name(name() + ".walksLong")
2198 .desc("Table walker walks initiated with long descriptors")
2199 .flags(Stats::nozero)
2200 ;
2201
2202 statWalksShortTerminatedAtLevel
2203 .init(2)
2204 .name(name() + ".walksShortTerminationLevel")
2205 .desc("Level at which table walker walks "
2206 "with short descriptors terminate")
2207 .flags(Stats::nozero)
2208 ;
2209 statWalksShortTerminatedAtLevel.subname(0, "Level1");
2210 statWalksShortTerminatedAtLevel.subname(1, "Level2");
2211
2212 statWalksLongTerminatedAtLevel
2213 .init(4)
2214 .name(name() + ".walksLongTerminationLevel")
2215 .desc("Level at which table walker walks "
2216 "with long descriptors terminate")
2217 .flags(Stats::nozero)
2218 ;
2219 statWalksLongTerminatedAtLevel.subname(0, "Level0");
2220 statWalksLongTerminatedAtLevel.subname(1, "Level1");
2221 statWalksLongTerminatedAtLevel.subname(2, "Level2");
2222 statWalksLongTerminatedAtLevel.subname(3, "Level3");
2223
2224 statSquashedBefore
2225 .name(name() + ".walksSquashedBefore")
2226 .desc("Table walks squashed before starting")
2227 .flags(Stats::nozero)
2228 ;
2229
2230 statSquashedAfter
2231 .name(name() + ".walksSquashedAfter")
2232 .desc("Table walks squashed after completion")
2233 .flags(Stats::nozero)
2234 ;
2235
2236 statWalkWaitTime
2237 .init(16)
2238 .name(name() + ".walkWaitTime")
2239 .desc("Table walker wait (enqueue to first request) latency")
2240 .flags(Stats::pdf | Stats::nozero | Stats::nonan)
2241 ;
2242
2243 statWalkServiceTime
2244 .init(16)
2245 .name(name() + ".walkCompletionTime")
2246 .desc("Table walker service (enqueue to completion) latency")
2247 .flags(Stats::pdf | Stats::nozero | Stats::nonan)
2248 ;
2249
2250 statPendingWalks
2251 .init(16)
2252 .name(name() + ".walksPending")
2253 .desc("Table walker pending requests distribution")
2254 .flags(Stats::pdf | Stats::dist | Stats::nozero | Stats::nonan)
2255 ;
2256
2257 statPageSizes // see DDI 0487A D4-1661
2258 .init(9)
2259 .name(name() + ".walkPageSizes")
2260 .desc("Table walker page sizes translated")
2261 .flags(Stats::total | Stats::pdf | Stats::dist | Stats::nozero)
2262 ;
2263 statPageSizes.subname(0, "4K");
2264 statPageSizes.subname(1, "16K");
2265 statPageSizes.subname(2, "64K");
2266 statPageSizes.subname(3, "1M");
2267 statPageSizes.subname(4, "2M");
2268 statPageSizes.subname(5, "16M");
2269 statPageSizes.subname(6, "32M");
2270 statPageSizes.subname(7, "512M");
2271 statPageSizes.subname(8, "1G");
2272
2273 statRequestOrigin
2274 .init(2,2) // Instruction/Data, requests/completed
2275 .name(name() + ".walkRequestOrigin")
2276 .desc("Table walker requests started/completed, data/inst")
2277 .flags(Stats::total)
2278 ;
2279 statRequestOrigin.subname(0,"Requested");
2280 statRequestOrigin.subname(1,"Completed");
2281 statRequestOrigin.ysubname(0,"Data");
2282 statRequestOrigin.ysubname(1,"Inst");
2283}
|