On 1/6/26 05:14, Gabriel Brookman wrote:
According to the Arm ARM (section "Memory region tagging types"), tag-store
instructions that target Canonically tagged memory generate a stage 1
Permission fault.
Signed-off-by: Gabriel Brookman <[email protected]>
---
target/arm/tcg/mte_helper.c | 44 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
index 795a5ad20b..8f06ed3162 100644
--- a/target/arm/tcg/mte_helper.c
+++ b/target/arm/tcg/mte_helper.c
@@ -227,6 +227,20 @@ uint8_t *allocation_tag_mem_probe(CPUARMState *env, int
ptr_mmu_idx,
#endif
}
+static void canonical_tag_write_fail(CPUARMState *env,
+ uint64_t dirty_ptr, uintptr_t ra)
+{
+ uint64_t syn;
+
+ env->exception.vaddress = dirty_ptr;
+
+ syn = syn_data_abort_no_iss(arm_current_el(env) != 0, 0, 0, 0, 0, 1, 0);
+ syn |= BIT_ULL(42); /* TnD is bit 42 */
+
+ raise_exception_ra(env, EXCP_DATA_ABORT, syn, exception_target_el(env),
ra);
+ g_assert_not_reached();
+}
+
static uint8_t *allocation_tag_mem(CPUARMState *env, int ptr_mmu_idx,
uint64_t ptr, MMUAccessType ptr_access,
int ptr_size, MMUAccessType tag_access,
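Review bot: The syndrome built at `syn = syn_data_abort_no_iss(arm_current_el(env) != 0, 0, 0, 0, 0, 1, 0);` passes 0 in the last argument, which in QEMU's syn_data_abort_no_iss() is the DFSC; DFSC 0 encodes an Address size fault at level 0, not the stage 1 Permission fault the commit message describes (Permission faults are DFSC 0b0011LL, LL being the lookup level). The level is not known inside canonical_tag_write_fail(), so the caller that found the canonical tagging attribute would have to supply it, e.g. `canonical_tag_write_fail(env, ptr, level, ra)` and `syn_data_abort_no_iss(..., 1, 0xc | level)`. Separately, `syn` is declared uint64_t so that `BIT_ULL(42)` can be ORed in, but if raise_exception_ra() and env->exception.syndrome are still 32-bit (which cannot be confirmed from this hunk) the TnD bit is silently truncated on the raise_exception_ra() call two lines below and never reaches ESR_ELx; the syndrome plumbing would need widening first, or the bit should be dropped until it is. A header comment on the helper stating which architectural fault it models and why TnD is set (e.g. `/* Stage 1 Permission fault for a tag access to Canonically tagged memory; ESR_ELx.TnD marks it as a tag, not data, access. */`) would make the intent reviewable.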
@@ -363,6 +377,11 @@ static inline void do_stg(CPUARMState *env, uint64_t ptr,
uint64_t xt,
int mmu_idx = arm_env_mmu_index(env);
uint8_t *mem;
+ if (mtx_check(env, 1 & (ptr >> 55))) {
+ canonical_tag_write_fail(env, ptr, ra);
+ return;
+ }
+
check_tag_aligned(env, ptr, ra);
These are mis-placed, as the alignment check has priority, as does pte_attrs ==
0xf0.
Compare S1DecodeMemAttrs vs allocation_tag_mem_probe.
r~