"(We do seem to not quite be getting the effect of TTBCR.N right, though: if N > 0 then although we correctly take more bits from TTBR0 (by adjusting c2_base_mask) we aren't masking out the high bits [31..32-N] of the MVA. But that's a different problem.)"
Looking more closely, I was wrong here. In the case where N>0 and we're using TTBR0 then we are guaranteed that [31..32-N] of the MVA are zero, because that is exactly the condition that controls using TTBR0 rather than TTBR1. So the code as it stands is correct.

"Why do you think this is wrong?"

Since the bug submitter never replied to this, and the code is as far as I can tell correct both in theory and in practice, I'm going to resolve this bug as invalid.

** Changed in: qemu
       Status: New => Invalid

-- 
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/749522

Title:
  qemu-system-arm reads wrong entry in L1 page table for cortex-a8

Status in QEMU:
  Invalid

Bug description:
  target-arm/helper.c:920
  [current] table |= (address >> 18) & 0x3ffc
  [fix]     table |= (address >> 20) & 0xfff

To manage notifications about this bug go to:
https://bugs.launchpad.net/qemu/+bug/749522/+subscriptions
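The two index expressions in the bug description, and the TTBCR.N point made in the reply, can be checked numerically. The following is an added C illustration of the ARMv7 short-descriptor L1 lookup; it is not QEMU's helper.c code, and the TTBR0/TTBR1 values, the MVAs and the mask helpers (`ttbr1_select_mask`, `ttbr0_base_mask`) are constructed for the example rather than taken from the bug. An L1 descriptor is 4 bytes and is indexed by MVA bits [31:20], so `(mva >> 18) & 0x3ffc` is `((mva >> 20) & 0xfff) << 2`; the proposed `[fix]` drops the scaling by 4. The last helper checks the reply's argument that, when TTBR0 is selected with N > 0, the 12-bit index never overlaps the extra base bits TTBR0 gains.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added illustration of the ARMv7 short-descriptor L1 walk; not QEMU's code.
 * Register values and addresses used in main() are constructed. */

/* With TTBCR.N = N > 0, any set bit in MVA[31:32-N] selects TTBR1. */
static uint32_t ttbr1_select_mask(unsigned n)
{
    return n == 0 ? 0u : ~(0xffffffffu >> n);
}

/* The TTBR0 table shrinks to 16KB >> N, so N more low bits of TTBR0 are base. */
static uint32_t ttbr0_base_mask(unsigned n)
{
    return ~(0x3fffu >> n);
}

bool uses_ttbr0(unsigned n, uint32_t mva)
{
    return (mva & ttbr1_select_mask(n)) == 0;
}

/* L1 descriptor address the way the "[current]" line computes it:
 * table base | (MVA[31:20] * 4). */
uint32_t l1_desc_addr_current(uint32_t ttbr0, uint32_t ttbr1, unsigned n, uint32_t mva)
{
    uint32_t table = uses_ttbr0(n, mva) ? (ttbr0 & ttbr0_base_mask(n))
                                        : (ttbr1 & 0xffffc000u);
    return table | ((mva >> 18) & 0x3ffc);
}

/* Same walk with the reporter's "[fix]": the index is no longer scaled by
 * the 4-byte descriptor size, so the wrong word would be read. */
uint32_t l1_desc_addr_proposed(uint32_t ttbr0, uint32_t ttbr1, unsigned n, uint32_t mva)
{
    uint32_t table = uses_ttbr0(n, mva) ? (ttbr0 & ttbr0_base_mask(n))
                                        : (ttbr1 & 0xffffc000u);
    return table | ((mva >> 20) & 0xfff);
}

/* Reference form of the byte offset: index MVA[31:20] times 4 bytes. */
uint32_t l1_index_bytes(uint32_t mva)
{
    return (mva >> 20) * 4u;
}

/* The reply's argument: if TTBR0 was chosen with N > 0, MVA[31:32-N] are zero,
 * so the index bits (MVA[31:20] << 2) never reach the extra base bits that
 * ttbr0_base_mask(n) keeps. Returns true only if the index would collide. */
bool index_collides_with_base(unsigned n, uint32_t mva)
{
    if (!uses_ttbr0(n, mva)) return false;
    uint32_t index_bits = (mva >> 18) & 0x3ffc;
    return (index_bits & ttbr0_base_mask(n)) != 0;
}

int main(void)
{
    const uint32_t ttbr0 = 0x80000000u, ttbr1 = 0x90000000u; /* constructed */
    const uint32_t mva = 0x12345678u;                         /* constructed */

    printf("index bytes  %#x\n", (unsigned)l1_index_bytes(mva));
    printf("current  N=0 %#x\n", (unsigned)l1_desc_addr_current(ttbr0, ttbr1, 0, mva));
    printf("proposed N=0 %#x\n", (unsigned)l1_desc_addr_proposed(ttbr0, ttbr1, 0, mva));

    /* N = 2: the 4KB TTBR0 table covers the bottom 1GB; 0xC0001000 goes to TTBR1. */
    printf("current  N=2 low  %#x\n", (unsigned)l1_desc_addr_current(ttbr0, ttbr1, 2, mva));
    printf("current  N=2 high %#x\n", (unsigned)l1_desc_addr_current(ttbr0, ttbr1, 2, 0xC0001000u));

    /* Exhaustively check every N and every possible L1 index for a collision. */
    bool any = false;
    for (unsigned n = 1; n < 8 && !any; n++)
        for (uint32_t a = 0; a < 0x1000u && !any; a++)
            any = index_collides_with_base(n, a << 20);
    printf("index/base collision: %s\n", any ? "yes" : "no");
    return 0;
}
```

Running it shows the `[current]` expression landing on descriptor 0x123 at byte offset 0x48c, the `[fix]` landing on byte offset 0x123 (inside descriptor 0x48), and no N/index combination in which the TTBR0 index bits overlap the base bits, which is the observation the reply makes.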