2 * virtual page mapping and translated block handling
4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
23 #include <sys/types.h>
36 #include "qemu-common.h"
41 #include "qemu-timer.h"
42 #if defined(CONFIG_USER_ONLY)
45 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
46 #include <sys/param.h>
47 #if __FreeBSD_version >= 700104
48 #define HAVE_KINFO_GETVMMAP
49 #define sigqueue sigqueue_freebsd /* avoid redefinition */
52 #include <machine/profile.h>
62 //#define DEBUG_TB_INVALIDATE
65 //#define DEBUG_UNASSIGNED
67 /* make various TB consistency checks */
68 //#define DEBUG_TB_CHECK
69 //#define DEBUG_TLB_CHECK
71 //#define DEBUG_IOPORT
72 //#define DEBUG_SUBPAGE
74 #if !defined(CONFIG_USER_ONLY)
75 /* TB consistency checks only implemented for usermode emulation. */
79 #define SMC_BITMAP_USE_THRESHOLD 10
81 static TranslationBlock *tbs;
82 int code_gen_max_blocks;
83 TranslationBlock *tb_phys_hash[CODE_GEN_PHYS_HASH_SIZE];
85 /* any access to the tbs or the page table must use this lock */
86 spinlock_t tb_lock = SPIN_LOCK_UNLOCKED;
88 #if defined(__arm__) || defined(__sparc_v9__)
89 /* The prologue must be reachable with a direct jump. ARM and Sparc64
90 have limited branch ranges (possibly also PPC) so place it in a
91 section close to code segment. */
92 #define code_gen_section \
93 __attribute__((__section__(".gen_code"))) \
94 __attribute__((aligned (32)))
96 /* Maximum alignment for Win32 is 16. */
97 #define code_gen_section \
98 __attribute__((aligned (16)))
100 #define code_gen_section \
101 __attribute__((aligned (32)))
104 uint8_t code_gen_prologue[1024] code_gen_section;
105 static uint8_t *code_gen_buffer;
106 static unsigned long code_gen_buffer_size;
107 /* threshold to flush the translated code buffer */
108 static unsigned long code_gen_buffer_max_size;
109 uint8_t *code_gen_ptr;
111 #if !defined(CONFIG_USER_ONLY)
113 uint8_t *phys_ram_dirty;
114 static int in_migration;
116 typedef struct RAMBlock {
120 struct RAMBlock *next;
123 static RAMBlock *ram_blocks;
124 /* TODO: When we implement (and use) ram deallocation (e.g. for hotplug)
125 then we can no longer assume contiguous ram offsets, and external uses
126 of this variable will break. */
127 ram_addr_t last_ram_offset;
131 /* current CPU in the current thread. It is only valid inside
133 CPUState *cpu_single_env;
134 /* 0 = Do not count executed instructions.
135 1 = Precise instruction counting.
136 2 = Adaptive rate instruction counting. */
138 /* Current instruction counter. While executing translated code this may
139 include some instructions that have not yet been executed. */
142 typedef struct PageDesc {
143 /* list of TBs intersecting this ram page */
144 TranslationBlock *first_tb;
145 /* in order to optimize self modifying code, we count the number
146 of lookups we do to a given page to use a bitmap */
147 unsigned int code_write_count;
148 uint8_t *code_bitmap;
149 #if defined(CONFIG_USER_ONLY)
154 /* In system mode we want L1_MAP to be based on ram offsets,
155 while in user mode we want it to be based on virtual addresses. */
156 #if !defined(CONFIG_USER_ONLY)
157 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
158 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
160 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
163 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
166 /* Size of the L2 (and L3, etc) page tables. */
168 #define L2_SIZE (1 << L2_BITS)
170 /* The bits remaining after N lower levels of page tables. */
171 #define P_L1_BITS_REM \
172 ((TARGET_PHYS_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % L2_BITS)
173 #define V_L1_BITS_REM \
174 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % L2_BITS)
176 /* Size of the L1 page table. Avoid silly small sizes. */
177 #if P_L1_BITS_REM < 4
178 #define P_L1_BITS (P_L1_BITS_REM + L2_BITS)
180 #define P_L1_BITS P_L1_BITS_REM
183 #if V_L1_BITS_REM < 4
184 #define V_L1_BITS (V_L1_BITS_REM + L2_BITS)
186 #define V_L1_BITS V_L1_BITS_REM
189 #define P_L1_SIZE ((target_phys_addr_t)1 << P_L1_BITS)
190 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
192 #define P_L1_SHIFT (TARGET_PHYS_ADDR_SPACE_BITS - TARGET_PAGE_BITS - P_L1_BITS)
193 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
195 unsigned long qemu_real_host_page_size;
196 unsigned long qemu_host_page_bits;
197 unsigned long qemu_host_page_size;
198 unsigned long qemu_host_page_mask;
200 /* This is a multi-level map on the virtual address space.
201 The bottom level has pointers to PageDesc. */
202 static void *l1_map[V_L1_SIZE];
204 #if !defined(CONFIG_USER_ONLY)
205 typedef struct PhysPageDesc {
206 /* offset in host memory of the page + io_index in the low bits */
207 ram_addr_t phys_offset;
208 ram_addr_t region_offset;
211 /* This is a multi-level map on the physical address space.
212 The bottom level has pointers to PhysPageDesc. */
213 static void *l1_phys_map[P_L1_SIZE];
215 static void io_mem_init(void);
217 /* io memory support */
218 CPUWriteMemoryFunc *io_mem_write[IO_MEM_NB_ENTRIES][4];
219 CPUReadMemoryFunc *io_mem_read[IO_MEM_NB_ENTRIES][4];
220 void *io_mem_opaque[IO_MEM_NB_ENTRIES];
221 static char io_mem_used[IO_MEM_NB_ENTRIES];
222 static int io_mem_watch;
227 static const char *logfilename = "qemu.log";
229 static const char *logfilename = "/tmp/qemu.log";
233 static int log_append = 0;
236 #if !defined(CONFIG_USER_ONLY)
237 static int tlb_flush_count;
239 static int tb_flush_count;
240 static int tb_phys_invalidate_count;
243 static void map_exec(void *addr, long size)
246 VirtualProtect(addr, size,
247 PAGE_EXECUTE_READWRITE, &old_protect);
251 static void map_exec(void *addr, long size)
253 unsigned long start, end, page_size;
255 page_size = getpagesize();
256 start = (unsigned long)addr;
257 start &= ~(page_size - 1);
259 end = (unsigned long)addr + size;
260 end += page_size - 1;
261 end &= ~(page_size - 1);
263 mprotect((void *)start, end - start,
264 PROT_READ | PROT_WRITE | PROT_EXEC);
268 static void page_init(void)
270 /* NOTE: we can always suppose that qemu_host_page_size >=
274 SYSTEM_INFO system_info;
276 GetSystemInfo(&system_info);
277 qemu_real_host_page_size = system_info.dwPageSize;
280 qemu_real_host_page_size = getpagesize();
282 if (qemu_host_page_size == 0)
283 qemu_host_page_size = qemu_real_host_page_size;
284 if (qemu_host_page_size < TARGET_PAGE_SIZE)
285 qemu_host_page_size = TARGET_PAGE_SIZE;
286 qemu_host_page_bits = 0;
287 while ((1 << qemu_host_page_bits) < qemu_host_page_size)
288 qemu_host_page_bits++;
289 qemu_host_page_mask = ~(qemu_host_page_size - 1);
291 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
293 #ifdef HAVE_KINFO_GETVMMAP
294 struct kinfo_vmentry *freep;
297 freep = kinfo_getvmmap(getpid(), &cnt);
300 for (i = 0; i < cnt; i++) {
301 unsigned long startaddr, endaddr;
303 startaddr = freep[i].kve_start;
304 endaddr = freep[i].kve_end;
305 if (h2g_valid(startaddr)) {
306 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
308 if (h2g_valid(endaddr)) {
309 endaddr = h2g(endaddr);
310 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
312 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
314 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
325 last_brk = (unsigned long)sbrk(0);
327 f = fopen("/compat/linux/proc/self/maps", "r");
332 unsigned long startaddr, endaddr;
335 n = fscanf (f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
337 if (n == 2 && h2g_valid(startaddr)) {
338 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
340 if (h2g_valid(endaddr)) {
341 endaddr = h2g(endaddr);
345 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
357 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
363 #if defined(CONFIG_USER_ONLY)
364 /* We can't use qemu_malloc because it may recurse into a locked mutex. */
365 # define ALLOC(P, SIZE) \
367 P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
368 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
371 # define ALLOC(P, SIZE) \
372 do { P = qemu_mallocz(SIZE); } while (0)
375 /* Level 1. Always allocated. */
376 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
379 for (i = V_L1_SHIFT / L2_BITS - 1; i > 0; i--) {
386 ALLOC(p, sizeof(void *) * L2_SIZE);
390 lp = p + ((index >> (i * L2_BITS)) & (L2_SIZE - 1));
398 ALLOC(pd, sizeof(PageDesc) * L2_SIZE);
404 return pd + (index & (L2_SIZE - 1));
407 static inline PageDesc *page_find(tb_page_addr_t index)
409 return page_find_alloc(index, 0);
412 #if !defined(CONFIG_USER_ONLY)
413 static PhysPageDesc *phys_page_find_alloc(target_phys_addr_t index, int alloc)
419 /* Level 1. Always allocated. */
420 lp = l1_phys_map + ((index >> P_L1_SHIFT) & (P_L1_SIZE - 1));
423 for (i = P_L1_SHIFT / L2_BITS - 1; i > 0; i--) {
429 *lp = p = qemu_mallocz(sizeof(void *) * L2_SIZE);
431 lp = p + ((index >> (i * L2_BITS)) & (L2_SIZE - 1));
442 *lp = pd = qemu_malloc(sizeof(PhysPageDesc) * L2_SIZE);
444 for (i = 0; i < L2_SIZE; i++) {
445 pd[i].phys_offset = IO_MEM_UNASSIGNED;
446 pd[i].region_offset = (index + i) << TARGET_PAGE_BITS;
450 return pd + (index & (L2_SIZE - 1));
453 static inline PhysPageDesc *phys_page_find(target_phys_addr_t index)
455 return phys_page_find_alloc(index, 0);
458 static void tlb_protect_code(ram_addr_t ram_addr);
459 static void tlb_unprotect_code_phys(CPUState *env, ram_addr_t ram_addr,
461 #define mmap_lock() do { } while(0)
462 #define mmap_unlock() do { } while(0)
465 #define DEFAULT_CODE_GEN_BUFFER_SIZE (32 * 1024 * 1024)
467 #if defined(CONFIG_USER_ONLY)
468 /* Currently it is not recommended to allocate big chunks of data in
469 user mode. It will change when a dedicated libc will be used */
470 #define USE_STATIC_CODE_GEN_BUFFER
473 #ifdef USE_STATIC_CODE_GEN_BUFFER
474 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
475 __attribute__((aligned (CODE_GEN_ALIGN)));
478 static void code_gen_alloc(unsigned long tb_size)
480 #ifdef USE_STATIC_CODE_GEN_BUFFER
481 code_gen_buffer = static_code_gen_buffer;
482 code_gen_buffer_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
483 map_exec(code_gen_buffer, code_gen_buffer_size);
485 code_gen_buffer_size = tb_size;
486 if (code_gen_buffer_size == 0) {
487 #if defined(CONFIG_USER_ONLY)
488 /* in user mode, phys_ram_size is not meaningful */
489 code_gen_buffer_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
491 /* XXX: needs adjustments */
492 code_gen_buffer_size = (unsigned long)(ram_size / 4);
495 if (code_gen_buffer_size < MIN_CODE_GEN_BUFFER_SIZE)
496 code_gen_buffer_size = MIN_CODE_GEN_BUFFER_SIZE;
497 /* The code gen buffer location may have constraints depending on
498 the host cpu and OS */
499 #if defined(__linux__)
504 flags = MAP_PRIVATE | MAP_ANONYMOUS;
505 #if defined(__x86_64__)
507 /* Cannot map more than that */
508 if (code_gen_buffer_size > (800 * 1024 * 1024))
509 code_gen_buffer_size = (800 * 1024 * 1024);
510 #elif defined(__sparc_v9__)
511 // Map the buffer below 2G, so we can use direct calls and branches
513 start = (void *) 0x60000000UL;
514 if (code_gen_buffer_size > (512 * 1024 * 1024))
515 code_gen_buffer_size = (512 * 1024 * 1024);
516 #elif defined(__arm__)
517 /* Map the buffer below 32M, so we can use direct calls and branches */
519 start = (void *) 0x01000000UL;
520 if (code_gen_buffer_size > 16 * 1024 * 1024)
521 code_gen_buffer_size = 16 * 1024 * 1024;
523 code_gen_buffer = mmap(start, code_gen_buffer_size,
524 PROT_WRITE | PROT_READ | PROT_EXEC,
526 if (code_gen_buffer == MAP_FAILED) {
527 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
531 #elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) || defined(__DragonFly__)
535 flags = MAP_PRIVATE | MAP_ANONYMOUS;
536 #if defined(__x86_64__)
537 /* FreeBSD doesn't have MAP_32BIT, use MAP_FIXED and assume
538 * 0x40000000 is free */
540 addr = (void *)0x40000000;
541 /* Cannot map more than that */
542 if (code_gen_buffer_size > (800 * 1024 * 1024))
543 code_gen_buffer_size = (800 * 1024 * 1024);
545 code_gen_buffer = mmap(addr, code_gen_buffer_size,
546 PROT_WRITE | PROT_READ | PROT_EXEC,
548 if (code_gen_buffer == MAP_FAILED) {
549 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
554 code_gen_buffer = qemu_malloc(code_gen_buffer_size);
555 map_exec(code_gen_buffer, code_gen_buffer_size);
557 #endif /* !USE_STATIC_CODE_GEN_BUFFER */
558 map_exec(code_gen_prologue, sizeof(code_gen_prologue));
559 code_gen_buffer_max_size = code_gen_buffer_size -
560 code_gen_max_block_size();
561 code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
562 tbs = qemu_malloc(code_gen_max_blocks * sizeof(TranslationBlock));
565 /* Must be called before using the QEMU cpus. 'tb_size' is the size
566 (in bytes) allocated to the translation buffer. Zero means default
568 void cpu_exec_init_all(unsigned long tb_size)
571 code_gen_alloc(tb_size);
572 code_gen_ptr = code_gen_buffer;
574 #if !defined(CONFIG_USER_ONLY)
579 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
581 static int cpu_common_post_load(void *opaque, int version_id)
583 CPUState *env = opaque;
585 /* 0x01 was CPU_INTERRUPT_EXIT. This line can be removed when the
586 version_id is increased. */
587 env->interrupt_request &= ~0x01;
593 static const VMStateDescription vmstate_cpu_common = {
594 .name = "cpu_common",
596 .minimum_version_id = 1,
597 .minimum_version_id_old = 1,
598 .post_load = cpu_common_post_load,
599 .fields = (VMStateField []) {
600 VMSTATE_UINT32(halted, CPUState),
601 VMSTATE_UINT32(interrupt_request, CPUState),
602 VMSTATE_END_OF_LIST()
607 CPUState *qemu_get_cpu(int cpu)
609 CPUState *env = first_cpu;
612 if (env->cpu_index == cpu)
620 void cpu_exec_init(CPUState *env)
625 #if defined(CONFIG_USER_ONLY)
628 env->next_cpu = NULL;
631 while (*penv != NULL) {
632 penv = &(*penv)->next_cpu;
635 env->cpu_index = cpu_index;
637 QTAILQ_INIT(&env->breakpoints);
638 QTAILQ_INIT(&env->watchpoints);
640 #if defined(CONFIG_USER_ONLY)
643 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
644 vmstate_register(cpu_index, &vmstate_cpu_common, env);
645 register_savevm("cpu", cpu_index, CPU_SAVE_VERSION,
646 cpu_save, cpu_load, env);
650 static inline void invalidate_page_bitmap(PageDesc *p)
652 if (p->code_bitmap) {
653 qemu_free(p->code_bitmap);
654 p->code_bitmap = NULL;
656 p->code_write_count = 0;
659 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
661 static void page_flush_tb_1 (int level, void **lp)
670 for (i = 0; i < L2_SIZE; ++i) {
671 pd[i].first_tb = NULL;
672 invalidate_page_bitmap(pd + i);
676 for (i = 0; i < L2_SIZE; ++i) {
677 page_flush_tb_1 (level - 1, pp + i);
682 static void page_flush_tb(void)
685 for (i = 0; i < V_L1_SIZE; i++) {
686 page_flush_tb_1(V_L1_SHIFT / L2_BITS - 1, l1_map + i);
690 /* flush all the translation blocks */
691 /* XXX: tb_flush is currently not thread safe */
692 void tb_flush(CPUState *env1)
695 #if defined(DEBUG_FLUSH)
696 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
697 (unsigned long)(code_gen_ptr - code_gen_buffer),
699 ((unsigned long)(code_gen_ptr - code_gen_buffer)) / nb_tbs : 0);
701 if ((unsigned long)(code_gen_ptr - code_gen_buffer) > code_gen_buffer_size)
702 cpu_abort(env1, "Internal error: code buffer overflow\n");
706 for(env = first_cpu; env != NULL; env = env->next_cpu) {
707 memset (env->tb_jmp_cache, 0, TB_JMP_CACHE_SIZE * sizeof (void *));
710 memset (tb_phys_hash, 0, CODE_GEN_PHYS_HASH_SIZE * sizeof (void *));
713 code_gen_ptr = code_gen_buffer;
714 /* XXX: flush processor icache at this point if cache flush is
719 #ifdef DEBUG_TB_CHECK
721 static void tb_invalidate_check(target_ulong address)
723 TranslationBlock *tb;
725 address &= TARGET_PAGE_MASK;
726 for(i = 0;i < CODE_GEN_PHYS_HASH_SIZE; i++) {
727 for(tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
728 if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
729 address >= tb->pc + tb->size)) {
730 printf("ERROR invalidate: address=" TARGET_FMT_lx
731 " PC=%08lx size=%04x\n",
732 address, (long)tb->pc, tb->size);
738 /* verify that all the pages have correct rights for code */
739 static void tb_page_check(void)
741 TranslationBlock *tb;
742 int i, flags1, flags2;
744 for(i = 0;i < CODE_GEN_PHYS_HASH_SIZE; i++) {
745 for(tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
746 flags1 = page_get_flags(tb->pc);
747 flags2 = page_get_flags(tb->pc + tb->size - 1);
748 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
749 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
750 (long)tb->pc, tb->size, flags1, flags2);
758 /* invalidate one TB */
759 static inline void tb_remove(TranslationBlock **ptb, TranslationBlock *tb,
762 TranslationBlock *tb1;
766 *ptb = *(TranslationBlock **)((char *)tb1 + next_offset);
769 ptb = (TranslationBlock **)((char *)tb1 + next_offset);
773 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
775 TranslationBlock *tb1;
781 tb1 = (TranslationBlock *)((long)tb1 & ~3);
783 *ptb = tb1->page_next[n1];
786 ptb = &tb1->page_next[n1];
790 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
792 TranslationBlock *tb1, **ptb;
795 ptb = &tb->jmp_next[n];
798 /* find tb(n) in circular list */
802 tb1 = (TranslationBlock *)((long)tb1 & ~3);
803 if (n1 == n && tb1 == tb)
806 ptb = &tb1->jmp_first;
808 ptb = &tb1->jmp_next[n1];
811 /* now we can suppress tb(n) from the list */
812 *ptb = tb->jmp_next[n];
814 tb->jmp_next[n] = NULL;
818 /* reset the jump entry 'n' of a TB so that it is not chained to
820 static inline void tb_reset_jump(TranslationBlock *tb, int n)
822 tb_set_jmp_target(tb, n, (unsigned long)(tb->tc_ptr + tb->tb_next_offset[n]));
825 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
830 tb_page_addr_t phys_pc;
831 TranslationBlock *tb1, *tb2;
833 /* remove the TB from the hash list */
834 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
835 h = tb_phys_hash_func(phys_pc);
836 tb_remove(&tb_phys_hash[h], tb,
837 offsetof(TranslationBlock, phys_hash_next));
839 /* remove the TB from the page list */
840 if (tb->page_addr[0] != page_addr) {
841 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
842 tb_page_remove(&p->first_tb, tb);
843 invalidate_page_bitmap(p);
845 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
846 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
847 tb_page_remove(&p->first_tb, tb);
848 invalidate_page_bitmap(p);
851 tb_invalidated_flag = 1;
853 /* remove the TB from the hash list */
854 h = tb_jmp_cache_hash_func(tb->pc);
855 for(env = first_cpu; env != NULL; env = env->next_cpu) {
856 if (env->tb_jmp_cache[h] == tb)
857 env->tb_jmp_cache[h] = NULL;
860 /* suppress this TB from the two jump lists */
861 tb_jmp_remove(tb, 0);
862 tb_jmp_remove(tb, 1);
864 /* suppress any remaining jumps to this TB */
870 tb1 = (TranslationBlock *)((long)tb1 & ~3);
871 tb2 = tb1->jmp_next[n1];
872 tb_reset_jump(tb1, n1);
873 tb1->jmp_next[n1] = NULL;
876 tb->jmp_first = (TranslationBlock *)((long)tb | 2); /* fail safe */
878 tb_phys_invalidate_count++;
881 static inline void set_bits(uint8_t *tab, int start, int len)
887 mask = 0xff << (start & 7);
888 if ((start & ~7) == (end & ~7)) {
890 mask &= ~(0xff << (end & 7));
895 start = (start + 8) & ~7;
897 while (start < end1) {
902 mask = ~(0xff << (end & 7));
908 static void build_page_bitmap(PageDesc *p)
910 int n, tb_start, tb_end;
911 TranslationBlock *tb;
913 p->code_bitmap = qemu_mallocz(TARGET_PAGE_SIZE / 8);
918 tb = (TranslationBlock *)((long)tb & ~3);
919 /* NOTE: this is subtle as a TB may span two physical pages */
921 /* NOTE: tb_end may be after the end of the page, but
922 it is not a problem */
923 tb_start = tb->pc & ~TARGET_PAGE_MASK;
924 tb_end = tb_start + tb->size;
925 if (tb_end > TARGET_PAGE_SIZE)
926 tb_end = TARGET_PAGE_SIZE;
929 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
931 set_bits(p->code_bitmap, tb_start, tb_end - tb_start);
932 tb = tb->page_next[n];
936 TranslationBlock *tb_gen_code(CPUState *env,
937 target_ulong pc, target_ulong cs_base,
938 int flags, int cflags)
940 TranslationBlock *tb;
942 tb_page_addr_t phys_pc, phys_page2;
943 target_ulong virt_page2;
946 phys_pc = get_page_addr_code(env, pc);
949 /* flush must be done */
951 /* cannot fail at this point */
953 /* Don't forget to invalidate previous TB info. */
954 tb_invalidated_flag = 1;
956 tc_ptr = code_gen_ptr;
958 tb->cs_base = cs_base;
961 cpu_gen_code(env, tb, &code_gen_size);
962 code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
964 /* check next page if needed */
965 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
967 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
968 phys_page2 = get_page_addr_code(env, virt_page2);
970 tb_link_page(tb, phys_pc, phys_page2);
974 /* invalidate all TBs which intersect with the target physical page
975 starting in range [start;end[. NOTE: start and end must refer to
976 the same physical page. 'is_cpu_write_access' should be true if called
977 from a real cpu write access: the virtual CPU will exit the current
978 TB if code is modified inside this TB. */
979 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
980 int is_cpu_write_access)
982 TranslationBlock *tb, *tb_next, *saved_tb;
983 CPUState *env = cpu_single_env;
984 tb_page_addr_t tb_start, tb_end;
987 #ifdef TARGET_HAS_PRECISE_SMC
988 int current_tb_not_found = is_cpu_write_access;
989 TranslationBlock *current_tb = NULL;
990 int current_tb_modified = 0;
991 target_ulong current_pc = 0;
992 target_ulong current_cs_base = 0;
993 int current_flags = 0;
994 #endif /* TARGET_HAS_PRECISE_SMC */
996 p = page_find(start >> TARGET_PAGE_BITS);
999 if (!p->code_bitmap &&
1000 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD &&
1001 is_cpu_write_access) {
1002 /* build code bitmap */
1003 build_page_bitmap(p);
1006 /* we remove all the TBs in the range [start, end[ */
1007 /* XXX: see if in some cases it could be faster to invalidate all the code */
1009 while (tb != NULL) {
1011 tb = (TranslationBlock *)((long)tb & ~3);
1012 tb_next = tb->page_next[n];
1013 /* NOTE: this is subtle as a TB may span two physical pages */
1015 /* NOTE: tb_end may be after the end of the page, but
1016 it is not a problem */
1017 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1018 tb_end = tb_start + tb->size;
1020 tb_start = tb->page_addr[1];
1021 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1023 if (!(tb_end <= start || tb_start >= end)) {
1024 #ifdef TARGET_HAS_PRECISE_SMC
1025 if (current_tb_not_found) {
1026 current_tb_not_found = 0;
1028 if (env->mem_io_pc) {
1029 /* now we have a real cpu fault */
1030 current_tb = tb_find_pc(env->mem_io_pc);
1033 if (current_tb == tb &&
1034 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1035 /* If we are modifying the current TB, we must stop
1036 its execution. We could be more precise by checking
1037 that the modification is after the current PC, but it
1038 would require a specialized function to partially
1039 restore the CPU state */
1041 current_tb_modified = 1;
1042 cpu_restore_state(current_tb, env,
1043 env->mem_io_pc, NULL);
1044 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1047 #endif /* TARGET_HAS_PRECISE_SMC */
1048 /* we need to do that to handle the case where a signal
1049 occurs while doing tb_phys_invalidate() */
1052 saved_tb = env->current_tb;
1053 env->current_tb = NULL;
1055 tb_phys_invalidate(tb, -1);
1057 env->current_tb = saved_tb;
1058 if (env->interrupt_request && env->current_tb)
1059 cpu_interrupt(env, env->interrupt_request);
1064 #if !defined(CONFIG_USER_ONLY)
1065 /* if no code remaining, no need to continue to use slow writes */
1067 invalidate_page_bitmap(p);
1068 if (is_cpu_write_access) {
1069 tlb_unprotect_code_phys(env, start, env->mem_io_vaddr);
1073 #ifdef TARGET_HAS_PRECISE_SMC
1074 if (current_tb_modified) {
1075 /* we generate a block containing just the instruction
1076 modifying the memory. It will ensure that it cannot modify
1078 env->current_tb = NULL;
1079 tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1080 cpu_resume_from_signal(env, NULL);
1085 /* len must be <= 8 and start must be a multiple of len */
1086 static inline void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1092 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1093 cpu_single_env->mem_io_vaddr, len,
1094 cpu_single_env->eip,
1095 cpu_single_env->eip + (long)cpu_single_env->segs[R_CS].base);
1098 p = page_find(start >> TARGET_PAGE_BITS);
1101 if (p->code_bitmap) {
1102 offset = start & ~TARGET_PAGE_MASK;
1103 b = p->code_bitmap[offset >> 3] >> (offset & 7);
1104 if (b & ((1 << len) - 1))
1108 tb_invalidate_phys_page_range(start, start + len, 1);
1112 #if !defined(CONFIG_SOFTMMU)
1113 static void tb_invalidate_phys_page(tb_page_addr_t addr,
1114 unsigned long pc, void *puc)
1116 TranslationBlock *tb;
1119 #ifdef TARGET_HAS_PRECISE_SMC
1120 TranslationBlock *current_tb = NULL;
1121 CPUState *env = cpu_single_env;
1122 int current_tb_modified = 0;
1123 target_ulong current_pc = 0;
1124 target_ulong current_cs_base = 0;
1125 int current_flags = 0;
1128 addr &= TARGET_PAGE_MASK;
1129 p = page_find(addr >> TARGET_PAGE_BITS);
1133 #ifdef TARGET_HAS_PRECISE_SMC
1134 if (tb && pc != 0) {
1135 current_tb = tb_find_pc(pc);
1138 while (tb != NULL) {
1140 tb = (TranslationBlock *)((long)tb & ~3);
1141 #ifdef TARGET_HAS_PRECISE_SMC
1142 if (current_tb == tb &&
1143 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1144 /* If we are modifying the current TB, we must stop
1145 its execution. We could be more precise by checking
1146 that the modification is after the current PC, but it
1147 would require a specialized function to partially
1148 restore the CPU state */
1150 current_tb_modified = 1;
1151 cpu_restore_state(current_tb, env, pc, puc);
1152 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1155 #endif /* TARGET_HAS_PRECISE_SMC */
1156 tb_phys_invalidate(tb, addr);
1157 tb = tb->page_next[n];
1160 #ifdef TARGET_HAS_PRECISE_SMC
1161 if (current_tb_modified) {
1162 /* we generate a block containing just the instruction
1163 modifying the memory. It will ensure that it cannot modify
1165 env->current_tb = NULL;
1166 tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1167 cpu_resume_from_signal(env, puc);
1173 /* add the tb in the target page and protect it if necessary */
1174 static inline void tb_alloc_page(TranslationBlock *tb,
1175 unsigned int n, tb_page_addr_t page_addr)
1178 TranslationBlock *last_first_tb;
1180 tb->page_addr[n] = page_addr;
1181 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1182 tb->page_next[n] = p->first_tb;
1183 last_first_tb = p->first_tb;
1184 p->first_tb = (TranslationBlock *)((long)tb | n);
1185 invalidate_page_bitmap(p);
1187 #if defined(TARGET_HAS_SMC) || 1
1189 #if defined(CONFIG_USER_ONLY)
1190 if (p->flags & PAGE_WRITE) {
1195 /* force the host page as non writable (writes will have a
1196 page fault + mprotect overhead) */
1197 page_addr &= qemu_host_page_mask;
1199 for(addr = page_addr; addr < page_addr + qemu_host_page_size;
1200 addr += TARGET_PAGE_SIZE) {
1202 p2 = page_find (addr >> TARGET_PAGE_BITS);
1206 p2->flags &= ~PAGE_WRITE;
1208 mprotect(g2h(page_addr), qemu_host_page_size,
1209 (prot & PAGE_BITS) & ~PAGE_WRITE);
1210 #ifdef DEBUG_TB_INVALIDATE
1211 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1216 /* if some code is already present, then the pages are already
1217 protected. So we handle the case where only the first TB is
1218 allocated in a physical page */
1219 if (!last_first_tb) {
1220 tlb_protect_code(page_addr);
1224 #endif /* TARGET_HAS_SMC */
1227 /* Allocate a new translation block. Flush the translation buffer if
1228 too many translation blocks or too much generated code. */
1229 TranslationBlock *tb_alloc(target_ulong pc)
1231 TranslationBlock *tb;
1233 if (nb_tbs >= code_gen_max_blocks ||
1234 (code_gen_ptr - code_gen_buffer) >= code_gen_buffer_max_size)
1236 tb = &tbs[nb_tbs++];
1242 void tb_free(TranslationBlock *tb)
1244 /* In practice this is mostly used for single use temporary TB
1245 Ignore the hard cases and just back up if this TB happens to
1246 be the last one generated. */
1247 if (nb_tbs > 0 && tb == &tbs[nb_tbs - 1]) {
1248 code_gen_ptr = tb->tc_ptr;
1253 /* add a new TB and link it to the physical page tables. phys_page2 is
1254 (-1) to indicate that only one page contains the TB. */
1255 void tb_link_page(TranslationBlock *tb,
1256 tb_page_addr_t phys_pc, tb_page_addr_t phys_page2)
1259 TranslationBlock **ptb;
1261 /* Grab the mmap lock to stop another thread invalidating this TB
1262 before we are done. */
1264 /* add in the physical hash table */
1265 h = tb_phys_hash_func(phys_pc);
1266 ptb = &tb_phys_hash[h];
1267 tb->phys_hash_next = *ptb;
1270 /* add in the page list */
1271 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1272 if (phys_page2 != -1)
1273 tb_alloc_page(tb, 1, phys_page2);
1275 tb->page_addr[1] = -1;
1277 tb->jmp_first = (TranslationBlock *)((long)tb | 2);
1278 tb->jmp_next[0] = NULL;
1279 tb->jmp_next[1] = NULL;
1281 /* init original jump addresses */
1282 if (tb->tb_next_offset[0] != 0xffff)
1283 tb_reset_jump(tb, 0);
1284 if (tb->tb_next_offset[1] != 0xffff)
1285 tb_reset_jump(tb, 1);
1287 #ifdef DEBUG_TB_CHECK
1293 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1294 tb[1].tc_ptr. Return NULL if not found */
1295 TranslationBlock *tb_find_pc(unsigned long tc_ptr)
1297 int m_min, m_max, m;
1299 TranslationBlock *tb;
1303 if (tc_ptr < (unsigned long)code_gen_buffer ||
1304 tc_ptr >= (unsigned long)code_gen_ptr)
1306 /* binary search (cf Knuth) */
1309 while (m_min <= m_max) {
1310 m = (m_min + m_max) >> 1;
1312 v = (unsigned long)tb->tc_ptr;
1315 else if (tc_ptr < v) {
1324 static void tb_reset_jump_recursive(TranslationBlock *tb);
1326 static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
1328 TranslationBlock *tb1, *tb_next, **ptb;
1331 tb1 = tb->jmp_next[n];
1333 /* find head of list */
1336 tb1 = (TranslationBlock *)((long)tb1 & ~3);
1339 tb1 = tb1->jmp_next[n1];
1341 /* we are now sure now that tb jumps to tb1 */
1344 /* remove tb from the jmp_first list */
1345 ptb = &tb_next->jmp_first;
1349 tb1 = (TranslationBlock *)((long)tb1 & ~3);
1350 if (n1 == n && tb1 == tb)
1352 ptb = &tb1->jmp_next[n1];
1354 *ptb = tb->jmp_next[n];
1355 tb->jmp_next[n] = NULL;
1357 /* suppress the jump to next tb in generated code */
1358 tb_reset_jump(tb, n);
1360 /* suppress jumps in the tb on which we could have jumped */
1361 tb_reset_jump_recursive(tb_next);
1365 static void tb_reset_jump_recursive(TranslationBlock *tb)
1367 tb_reset_jump_recursive2(tb, 0);
1368 tb_reset_jump_recursive2(tb, 1);
1371 #if defined(TARGET_HAS_ICE)
1372 #if defined(CONFIG_USER_ONLY)
1373 static void breakpoint_invalidate(CPUState *env, target_ulong pc)
1375 tb_invalidate_phys_page_range(pc, pc + 1, 0);
1378 static void breakpoint_invalidate(CPUState *env, target_ulong pc)
1380 target_phys_addr_t addr;
1382 ram_addr_t ram_addr;
1385 addr = cpu_get_phys_page_debug(env, pc);
1386 p = phys_page_find(addr >> TARGET_PAGE_BITS);
1388 pd = IO_MEM_UNASSIGNED;
1390 pd = p->phys_offset;
1392 ram_addr = (pd & TARGET_PAGE_MASK) | (pc & ~TARGET_PAGE_MASK);
1393 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1396 #endif /* TARGET_HAS_ICE */
1398 #if defined(CONFIG_USER_ONLY)
1399 void cpu_watchpoint_remove_all(CPUState *env, int mask)
1404 int cpu_watchpoint_insert(CPUState *env, target_ulong addr, target_ulong len,
1405 int flags, CPUWatchpoint **watchpoint)
1410 /* Add a watchpoint. */
1411 int cpu_watchpoint_insert(CPUState *env, target_ulong addr, target_ulong len,
1412 int flags, CPUWatchpoint **watchpoint)
1414 target_ulong len_mask = ~(len - 1);
1417 /* sanity checks: allow power-of-2 lengths, deny unaligned watchpoints */
1418 if ((len != 1 && len != 2 && len != 4 && len != 8) || (addr & ~len_mask)) {
1419 fprintf(stderr, "qemu: tried to set invalid watchpoint at "
1420 TARGET_FMT_lx ", len=" TARGET_FMT_lu "\n", addr, len);
1423 wp = qemu_malloc(sizeof(*wp));
1426 wp->len_mask = len_mask;
1429 /* keep all GDB-injected watchpoints in front */
1431 QTAILQ_INSERT_HEAD(&env->watchpoints, wp, entry);
1433 QTAILQ_INSERT_TAIL(&env->watchpoints, wp, entry);
1435 tlb_flush_page(env, addr);
1442 /* Remove a specific watchpoint. */
1443 int cpu_watchpoint_remove(CPUState *env, target_ulong addr, target_ulong len,
1446 target_ulong len_mask = ~(len - 1);
1449 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1450 if (addr == wp->vaddr && len_mask == wp->len_mask
1451 && flags == (wp->flags & ~BP_WATCHPOINT_HIT)) {
1452 cpu_watchpoint_remove_by_ref(env, wp);
1459 /* Remove a specific watchpoint by reference. */
1460 void cpu_watchpoint_remove_by_ref(CPUState *env, CPUWatchpoint *watchpoint)
1462 QTAILQ_REMOVE(&env->watchpoints, watchpoint, entry);
1464 tlb_flush_page(env, watchpoint->vaddr);
1466 qemu_free(watchpoint);
1469 /* Remove all matching watchpoints. */
1470 void cpu_watchpoint_remove_all(CPUState *env, int mask)
1472 CPUWatchpoint *wp, *next;
1474 QTAILQ_FOREACH_SAFE(wp, &env->watchpoints, entry, next) {
1475 if (wp->flags & mask)
1476 cpu_watchpoint_remove_by_ref(env, wp);
1481 /* Add a breakpoint. */
1482 int cpu_breakpoint_insert(CPUState *env, target_ulong pc, int flags,
1483 CPUBreakpoint **breakpoint)
1485 #if defined(TARGET_HAS_ICE)
1488 bp = qemu_malloc(sizeof(*bp));
1493 /* keep all GDB-injected breakpoints in front */
1495 QTAILQ_INSERT_HEAD(&env->breakpoints, bp, entry);
1497 QTAILQ_INSERT_TAIL(&env->breakpoints, bp, entry);
1499 breakpoint_invalidate(env, pc);
1509 /* Remove a specific breakpoint. */
1510 int cpu_breakpoint_remove(CPUState *env, target_ulong pc, int flags)
1512 #if defined(TARGET_HAS_ICE)
1515 QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1516 if (bp->pc == pc && bp->flags == flags) {
1517 cpu_breakpoint_remove_by_ref(env, bp);
1527 /* Remove a specific breakpoint by reference. */
1528 void cpu_breakpoint_remove_by_ref(CPUState *env, CPUBreakpoint *breakpoint)
1530 #if defined(TARGET_HAS_ICE)
1531 QTAILQ_REMOVE(&env->breakpoints, breakpoint, entry);
1533 breakpoint_invalidate(env, breakpoint->pc);
1535 qemu_free(breakpoint);
1539 /* Remove all matching breakpoints. */
1540 void cpu_breakpoint_remove_all(CPUState *env, int mask)
1542 #if defined(TARGET_HAS_ICE)
1543 CPUBreakpoint *bp, *next;
1545 QTAILQ_FOREACH_SAFE(bp, &env->breakpoints, entry, next) {
1546 if (bp->flags & mask)
1547 cpu_breakpoint_remove_by_ref(env, bp);
1552 /* enable or disable single step mode. EXCP_DEBUG is returned by the
1553 CPU loop after each instruction */
1554 void cpu_single_step(CPUState *env, int enabled)
1556 #if defined(TARGET_HAS_ICE)
1557 if (env->singlestep_enabled != enabled) {
1558 env->singlestep_enabled = enabled;
1560 kvm_update_guest_debug(env, 0);
1562 /* must flush all the translated code to avoid inconsistencies */
1563 /* XXX: only flush what is necessary */
1570 /* enable or disable low levels log */
1571 void cpu_set_log(int log_flags)
1573 loglevel = log_flags;
1574 if (loglevel && !logfile) {
1575 logfile = fopen(logfilename, log_append ? "a" : "w");
1577 perror(logfilename);
1580 #if !defined(CONFIG_SOFTMMU)
1581 /* must avoid mmap() usage of glibc by setting a buffer "by hand" */
1583 static char logfile_buf[4096];
1584 setvbuf(logfile, logfile_buf, _IOLBF, sizeof(logfile_buf));
1586 #elif !defined(_WIN32)
1587 /* Win32 doesn't support line-buffering and requires size >= 2 */
1588 setvbuf(logfile, NULL, _IOLBF, 0);
1592 if (!loglevel && logfile) {
1598 void cpu_set_log_filename(const char *filename)
1600 logfilename = strdup(filename);
1605 cpu_set_log(loglevel);
1608 static void cpu_unlink_tb(CPUState *env)
1610 /* FIXME: TB unchaining isn't SMP safe. For now just ignore the
1611 problem and hope the cpu will stop of its own accord. For userspace
1612 emulation this often isn't actually as bad as it sounds. Often
1613 signals are used primarily to interrupt blocking syscalls. */
1614 TranslationBlock *tb;
1615 static spinlock_t interrupt_lock = SPIN_LOCK_UNLOCKED;
1617 spin_lock(&interrupt_lock);
1618 tb = env->current_tb;
1619 /* if the cpu is currently executing code, we must unlink it and
1620 all the potentially executing TB */
1622 env->current_tb = NULL;
1623 tb_reset_jump_recursive(tb);
1625 spin_unlock(&interrupt_lock);
1628 /* mask must never be zero, except for A20 change call */
1629 void cpu_interrupt(CPUState *env, int mask)
1633 old_mask = env->interrupt_request;
1634 env->interrupt_request |= mask;
1636 #ifndef CONFIG_USER_ONLY
1638 * If called from iothread context, wake the target cpu in
1641 if (!qemu_cpu_self(env)) {
1648 env->icount_decr.u16.high = 0xffff;
1649 #ifndef CONFIG_USER_ONLY
1651 && (mask & ~old_mask) != 0) {
1652 cpu_abort(env, "Raised interrupt while not in I/O function");
1660 void cpu_reset_interrupt(CPUState *env, int mask)
1662 env->interrupt_request &= ~mask;
1665 void cpu_exit(CPUState *env)
1667 env->exit_request = 1;
1671 const CPULogItem cpu_log_items[] = {
1672 { CPU_LOG_TB_OUT_ASM, "out_asm",
1673 "show generated host assembly code for each compiled TB" },
1674 { CPU_LOG_TB_IN_ASM, "in_asm",
1675 "show target assembly code for each compiled TB" },
1676 { CPU_LOG_TB_OP, "op",
1677 "show micro ops for each compiled TB" },
1678 { CPU_LOG_TB_OP_OPT, "op_opt",
1681 "before eflags optimization and "
1683 "after liveness analysis" },
1684 { CPU_LOG_INT, "int",
1685 "show interrupts/exceptions in short format" },
1686 { CPU_LOG_EXEC, "exec",
1687 "show trace before each executed TB (lots of logs)" },
1688 { CPU_LOG_TB_CPU, "cpu",
1689 "show CPU state before block translation" },
1691 { CPU_LOG_PCALL, "pcall",
1692 "show protected mode far calls/returns/exceptions" },
1693 { CPU_LOG_RESET, "cpu_reset",
1694 "show CPU state before CPU resets" },
1697 { CPU_LOG_IOPORT, "ioport",
1698 "show all i/o ports accesses" },
1703 #ifndef CONFIG_USER_ONLY
1704 static QLIST_HEAD(memory_client_list, CPUPhysMemoryClient) memory_client_list
1705 = QLIST_HEAD_INITIALIZER(memory_client_list);
1707 static void cpu_notify_set_memory(target_phys_addr_t start_addr,
1709 ram_addr_t phys_offset)
1711 CPUPhysMemoryClient *client;
1712 QLIST_FOREACH(client, &memory_client_list, list) {
1713 client->set_memory(client, start_addr, size, phys_offset);
1717 static int cpu_notify_sync_dirty_bitmap(target_phys_addr_t start,
1718 target_phys_addr_t end)
1720 CPUPhysMemoryClient *client;
1721 QLIST_FOREACH(client, &memory_client_list, list) {
1722 int r = client->sync_dirty_bitmap(client, start, end);
1729 static int cpu_notify_migration_log(int enable)
1731 CPUPhysMemoryClient *client;
1732 QLIST_FOREACH(client, &memory_client_list, list) {
1733 int r = client->migration_log(client, enable);
1740 static void phys_page_for_each_1(CPUPhysMemoryClient *client,
1741 int level, void **lp)
1749 PhysPageDesc *pd = *lp;
1750 for (i = 0; i < L2_SIZE; ++i) {
1751 if (pd[i].phys_offset != IO_MEM_UNASSIGNED) {
1752 client->set_memory(client, pd[i].region_offset,
1753 TARGET_PAGE_SIZE, pd[i].phys_offset);
1758 for (i = 0; i < L2_SIZE; ++i) {
1759 phys_page_for_each_1(client, level - 1, pp + i);
1764 static void phys_page_for_each(CPUPhysMemoryClient *client)
1767 for (i = 0; i < P_L1_SIZE; ++i) {
1768 phys_page_for_each_1(client, P_L1_SHIFT / L2_BITS - 1,
1773 void cpu_register_phys_memory_client(CPUPhysMemoryClient *client)
1775 QLIST_INSERT_HEAD(&memory_client_list, client, list);
1776 phys_page_for_each(client);
1779 void cpu_unregister_phys_memory_client(CPUPhysMemoryClient *client)
1781 QLIST_REMOVE(client, list);
1785 static int cmp1(const char *s1, int n, const char *s2)
1787 if (strlen(s2) != n)
1789 return memcmp(s1, s2, n) == 0;
1792 /* takes a comma separated list of log masks. Return 0 if error. */
1793 int cpu_str_to_log_mask(const char *str)
1795 const CPULogItem *item;
1802 p1 = strchr(p, ',');
1805 if(cmp1(p,p1-p,"all")) {
1806 for(item = cpu_log_items; item->mask != 0; item++) {
1810 for(item = cpu_log_items; item->mask != 0; item++) {
1811 if (cmp1(p, p1 - p, item->name))
1825 void cpu_abort(CPUState *env, const char *fmt, ...)
1832 fprintf(stderr, "qemu: fatal: ");
1833 vfprintf(stderr, fmt, ap);
1834 fprintf(stderr, "\n");
1836 cpu_dump_state(env, stderr, fprintf, X86_DUMP_FPU | X86_DUMP_CCOP);
1838 cpu_dump_state(env, stderr, fprintf, 0);
1840 if (qemu_log_enabled()) {
1841 qemu_log("qemu: fatal: ");
1842 qemu_log_vprintf(fmt, ap2);
1845 log_cpu_state(env, X86_DUMP_FPU | X86_DUMP_CCOP);
1847 log_cpu_state(env, 0);
1854 #if defined(CONFIG_USER_ONLY)
1856 struct sigaction act;
1857 sigfillset(&act.sa_mask);
1858 act.sa_handler = SIG_DFL;
1859 sigaction(SIGABRT, &act, NULL);
1865 CPUState *cpu_copy(CPUState *env)
1867 CPUState *new_env = cpu_init(env->cpu_model_str);
1868 CPUState *next_cpu = new_env->next_cpu;
1869 int cpu_index = new_env->cpu_index;
1870 #if defined(TARGET_HAS_ICE)
1875 memcpy(new_env, env, sizeof(CPUState));
1877 /* Preserve chaining and index. */
1878 new_env->next_cpu = next_cpu;
1879 new_env->cpu_index = cpu_index;
1881 /* Clone all break/watchpoints.
1882 Note: Once we support ptrace with hw-debug register access, make sure
1883 BP_CPU break/watchpoints are handled correctly on clone. */
1884 QTAILQ_INIT(&env->breakpoints);
1885 QTAILQ_INIT(&env->watchpoints);
1886 #if defined(TARGET_HAS_ICE)
1887 QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1888 cpu_breakpoint_insert(new_env, bp->pc, bp->flags, NULL);
1890 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1891 cpu_watchpoint_insert(new_env, wp->vaddr, (~wp->len_mask) + 1,
1899 #if !defined(CONFIG_USER_ONLY)
1901 static inline void tlb_flush_jmp_cache(CPUState *env, target_ulong addr)
1905 /* Discard jump cache entries for any tb which might potentially
1906 overlap the flushed page. */
1907 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1908 memset (&env->tb_jmp_cache[i], 0,
1909 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1911 i = tb_jmp_cache_hash_page(addr);
1912 memset (&env->tb_jmp_cache[i], 0,
1913 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1916 static CPUTLBEntry s_cputlb_empty_entry = {
1923 /* NOTE: if flush_global is true, also flush global entries (not
1925 void tlb_flush(CPUState *env, int flush_global)
1929 #if defined(DEBUG_TLB)
1930 printf("tlb_flush:\n");
1932 /* must reset current TB so that interrupts cannot modify the
1933 links while we are modifying them */
1934 env->current_tb = NULL;
1936 for(i = 0; i < CPU_TLB_SIZE; i++) {
1938 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1939 env->tlb_table[mmu_idx][i] = s_cputlb_empty_entry;
1943 memset (env->tb_jmp_cache, 0, TB_JMP_CACHE_SIZE * sizeof (void *));
1945 env->tlb_flush_addr = -1;
1946 env->tlb_flush_mask = 0;
1950 static inline void tlb_flush_entry(CPUTLBEntry *tlb_entry, target_ulong addr)
1952 if (addr == (tlb_entry->addr_read &
1953 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) ||
1954 addr == (tlb_entry->addr_write &
1955 (TARGET_PAGE_MASK | TLB_INVALID_MASK)) ||
1956 addr == (tlb_entry->addr_code &
1957 (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
1958 *tlb_entry = s_cputlb_empty_entry;
1962 void tlb_flush_page(CPUState *env, target_ulong addr)
1967 #if defined(DEBUG_TLB)
1968 printf("tlb_flush_page: " TARGET_FMT_lx "\n", addr);
1970 /* Check if we need to flush due to large pages. */
1971 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) {
1972 #if defined(DEBUG_TLB)
1973 printf("tlb_flush_page: forced full flush ("
1974 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
1975 env->tlb_flush_addr, env->tlb_flush_mask);
1980 /* must reset current TB so that interrupts cannot modify the
1981 links while we are modifying them */
1982 env->current_tb = NULL;
1984 addr &= TARGET_PAGE_MASK;
1985 i = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
1986 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++)
1987 tlb_flush_entry(&env->tlb_table[mmu_idx][i], addr);
1989 tlb_flush_jmp_cache(env, addr);
1992 /* update the TLBs so that writes to code in the virtual page 'addr'
1994 static void tlb_protect_code(ram_addr_t ram_addr)
1996 cpu_physical_memory_reset_dirty(ram_addr,
1997 ram_addr + TARGET_PAGE_SIZE,
2001 /* update the TLB so that writes in physical page 'phys_addr' are no longer
2002 tested for self modifying code */
2003 static void tlb_unprotect_code_phys(CPUState *env, ram_addr_t ram_addr,
2006 cpu_physical_memory_set_dirty_flags(ram_addr, CODE_DIRTY_FLAG);
2009 static inline void tlb_reset_dirty_range(CPUTLBEntry *tlb_entry,
2010 unsigned long start, unsigned long length)
2013 if ((tlb_entry->addr_write & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
2014 addr = (tlb_entry->addr_write & TARGET_PAGE_MASK) + tlb_entry->addend;
2015 if ((addr - start) < length) {
2016 tlb_entry->addr_write = (tlb_entry->addr_write & TARGET_PAGE_MASK) | TLB_NOTDIRTY;
2021 /* Note: start and end must be within the same ram block. */
2022 void cpu_physical_memory_reset_dirty(ram_addr_t start, ram_addr_t end,
2026 unsigned long length, start1;
2029 start &= TARGET_PAGE_MASK;
2030 end = TARGET_PAGE_ALIGN(end);
2032 length = end - start;
2035 cpu_physical_memory_mask_dirty_range(start, length, dirty_flags);
2037 /* we modify the TLB cache so that the dirty bit will be set again
2038 when accessing the range */
2039 start1 = (unsigned long)qemu_get_ram_ptr(start);
2040 /* Chek that we don't span multiple blocks - this breaks the
2041 address comparisons below. */
2042 if ((unsigned long)qemu_get_ram_ptr(end - 1) - start1
2043 != (end - 1) - start) {
2047 for(env = first_cpu; env != NULL; env = env->next_cpu) {
2049 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
2050 for(i = 0; i < CPU_TLB_SIZE; i++)
2051 tlb_reset_dirty_range(&env->tlb_table[mmu_idx][i],
2057 int cpu_physical_memory_set_dirty_tracking(int enable)
2060 in_migration = enable;
2061 ret = cpu_notify_migration_log(!!enable);
2065 int cpu_physical_memory_get_dirty_tracking(void)
2067 return in_migration;
2070 int cpu_physical_sync_dirty_bitmap(target_phys_addr_t start_addr,
2071 target_phys_addr_t end_addr)
2075 ret = cpu_notify_sync_dirty_bitmap(start_addr, end_addr);
2079 static inline void tlb_update_dirty(CPUTLBEntry *tlb_entry)
2081 ram_addr_t ram_addr;
2084 if ((tlb_entry->addr_write & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
2085 p = (void *)(unsigned long)((tlb_entry->addr_write & TARGET_PAGE_MASK)
2086 + tlb_entry->addend);
2087 ram_addr = qemu_ram_addr_from_host(p);
2088 if (!cpu_physical_memory_is_dirty(ram_addr)) {
2089 tlb_entry->addr_write |= TLB_NOTDIRTY;
2094 /* update the TLB according to the current state of the dirty bits */
2095 void cpu_tlb_update_dirty(CPUState *env)
2099 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
2100 for(i = 0; i < CPU_TLB_SIZE; i++)
2101 tlb_update_dirty(&env->tlb_table[mmu_idx][i]);
2105 static inline void tlb_set_dirty1(CPUTLBEntry *tlb_entry, target_ulong vaddr)
2107 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY))
2108 tlb_entry->addr_write = vaddr;
2111 /* update the TLB corresponding to virtual page vaddr
2112 so that it is no longer dirty */
2113 static inline void tlb_set_dirty(CPUState *env, target_ulong vaddr)
2118 vaddr &= TARGET_PAGE_MASK;
2119 i = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
2120 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++)
2121 tlb_set_dirty1(&env->tlb_table[mmu_idx][i], vaddr);
2124 /* Our TLB does not support large pages, so remember the area covered by
2125 large pages and trigger a full TLB flush if these are invalidated. */
2126 static void tlb_add_large_page(CPUState *env, target_ulong vaddr,
2129 target_ulong mask = ~(size - 1);
2131 if (env->tlb_flush_addr == (target_ulong)-1) {
2132 env->tlb_flush_addr = vaddr & mask;
2133 env->tlb_flush_mask = mask;
2136 /* Extend the existing region to include the new page.
2137 This is a compromise between unnecessary flushes and the cost
2138 of maintaining a full variable size TLB. */
2139 mask &= env->tlb_flush_mask;
2140 while (((env->tlb_flush_addr ^ vaddr) & mask) != 0) {
2143 env->tlb_flush_addr &= mask;
2144 env->tlb_flush_mask = mask;
2147 /* Add a new TLB entry. At most one entry for a given virtual address
2148 is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
2149 supplied size is only used by tlb_flush_page. */
2150 void tlb_set_page(CPUState *env, target_ulong vaddr,
2151 target_phys_addr_t paddr, int prot,
2152 int mmu_idx, target_ulong size)
2157 target_ulong address;
2158 target_ulong code_address;
2159 unsigned long addend;
2162 target_phys_addr_t iotlb;
2164 assert(size >= TARGET_PAGE_SIZE);
2165 if (size != TARGET_PAGE_SIZE) {
2166 tlb_add_large_page(env, vaddr, size);
2168 p = phys_page_find(paddr >> TARGET_PAGE_BITS);
2170 pd = IO_MEM_UNASSIGNED;
2172 pd = p->phys_offset;
2174 #if defined(DEBUG_TLB)
2175 printf("tlb_set_page: vaddr=" TARGET_FMT_lx " paddr=0x%08x prot=%x idx=%d smmu=%d pd=0x%08lx\n",
2176 vaddr, (int)paddr, prot, mmu_idx, is_softmmu, pd);
2180 if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM && !(pd & IO_MEM_ROMD)) {
2181 /* IO memory case (romd handled later) */
2182 address |= TLB_MMIO;
2184 addend = (unsigned long)qemu_get_ram_ptr(pd & TARGET_PAGE_MASK);
2185 if ((pd & ~TARGET_PAGE_MASK) <= IO_MEM_ROM) {
2187 iotlb = pd & TARGET_PAGE_MASK;
2188 if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM)
2189 iotlb |= IO_MEM_NOTDIRTY;
2191 iotlb |= IO_MEM_ROM;
2193 /* IO handlers are currently passed a physical address.
2194 It would be nice to pass an offset from the base address
2195 of that region. This would avoid having to special case RAM,
2196 and avoid full address decoding in every device.
2197 We can't use the high bits of pd for this because
2198 IO_MEM_ROMD uses these as a ram address. */
2199 iotlb = (pd & ~TARGET_PAGE_MASK);
2201 iotlb += p->region_offset;
2207 code_address = address;
2208 /* Make accesses to pages with watchpoints go via the
2209 watchpoint trap routines. */
2210 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
2211 if (vaddr == (wp->vaddr & TARGET_PAGE_MASK)) {
2212 iotlb = io_mem_watch + paddr;
2213 /* TODO: The memory case can be optimized by not trapping
2214 reads of pages with a write breakpoint. */
2215 address |= TLB_MMIO;
2219 index = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
2220 env->iotlb[mmu_idx][index] = iotlb - vaddr;
2221 te = &env->tlb_table[mmu_idx][index];
2222 te->addend = addend - vaddr;
2223 if (prot & PAGE_READ) {
2224 te->addr_read = address;
2229 if (prot & PAGE_EXEC) {
2230 te->addr_code = code_address;
2234 if (prot & PAGE_WRITE) {
2235 if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_ROM ||
2236 (pd & IO_MEM_ROMD)) {
2237 /* Write access calls the I/O callback. */
2238 te->addr_write = address | TLB_MMIO;
2239 } else if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM &&
2240 !cpu_physical_memory_is_dirty(pd)) {
2241 te->addr_write = address | TLB_NOTDIRTY;
2243 te->addr_write = address;
2246 te->addr_write = -1;
2252 void tlb_flush(CPUState *env, int flush_global)
2256 void tlb_flush_page(CPUState *env, target_ulong addr)
2261 * Walks guest process memory "regions" one by one
2262 * and calls callback function 'fn' for each region.
2265 struct walk_memory_regions_data
2267 walk_memory_regions_fn fn;
2269 unsigned long start;
2273 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
2274 abi_ulong end, int new_prot)
2276 if (data->start != -1ul) {
2277 int rc = data->fn(data->priv, data->start, end, data->prot);
2283 data->start = (new_prot ? end : -1ul);
2284 data->prot = new_prot;
2289 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
2290 abi_ulong base, int level, void **lp)
2296 return walk_memory_regions_end(data, base, 0);
2301 for (i = 0; i < L2_SIZE; ++i) {
2302 int prot = pd[i].flags;
2304 pa = base | (i << TARGET_PAGE_BITS);
2305 if (prot != data->prot) {
2306 rc = walk_memory_regions_end(data, pa, prot);
2314 for (i = 0; i < L2_SIZE; ++i) {
2315 pa = base | ((abi_ulong)i <<
2316 (TARGET_PAGE_BITS + L2_BITS * level));
2317 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
2327 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
2329 struct walk_memory_regions_data data;
2337 for (i = 0; i < V_L1_SIZE; i++) {
2338 int rc = walk_memory_regions_1(&data, (abi_ulong)i << V_L1_SHIFT,
2339 V_L1_SHIFT / L2_BITS - 1, l1_map + i);
2345 return walk_memory_regions_end(&data, 0, 0);
2348 static int dump_region(void *priv, abi_ulong start,
2349 abi_ulong end, unsigned long prot)
2351 FILE *f = (FILE *)priv;
2353 (void) fprintf(f, TARGET_ABI_FMT_lx"-"TARGET_ABI_FMT_lx
2354 " "TARGET_ABI_FMT_lx" %c%c%c\n",
2355 start, end, end - start,
2356 ((prot & PAGE_READ) ? 'r' : '-'),
2357 ((prot & PAGE_WRITE) ? 'w' : '-'),
2358 ((prot & PAGE_EXEC) ? 'x' : '-'));
2363 /* dump memory mappings */
2364 void page_dump(FILE *f)
2366 (void) fprintf(f, "%-8s %-8s %-8s %s\n",
2367 "start", "end", "size", "prot");
2368 walk_memory_regions(f, dump_region);
2371 int page_get_flags(target_ulong address)
2375 p = page_find(address >> TARGET_PAGE_BITS);
2381 /* Modify the flags of a page and invalidate the code if necessary.
2382 The flag PAGE_WRITE_ORG is positioned automatically depending
2383 on PAGE_WRITE. The mmap_lock should already be held. */
2384 void page_set_flags(target_ulong start, target_ulong end, int flags)
2386 target_ulong addr, len;
2388 /* This function should never be called with addresses outside the
2389 guest address space. If this assert fires, it probably indicates
2390 a missing call to h2g_valid. */
2391 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2392 assert(end < ((abi_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2394 assert(start < end);
2396 start = start & TARGET_PAGE_MASK;
2397 end = TARGET_PAGE_ALIGN(end);
2399 if (flags & PAGE_WRITE) {
2400 flags |= PAGE_WRITE_ORG;
2403 for (addr = start, len = end - start;
2405 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2406 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
2408 /* If the write protection bit is set, then we invalidate
2410 if (!(p->flags & PAGE_WRITE) &&
2411 (flags & PAGE_WRITE) &&
2413 tb_invalidate_phys_page(addr, 0, NULL);
2419 int page_check_range(target_ulong start, target_ulong len, int flags)
2425 /* This function should never be called with addresses outside the
2426 guest address space. If this assert fires, it probably indicates
2427 a missing call to h2g_valid. */
2428 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2429 assert(start < ((abi_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2435 if (start + len - 1 < start) {
2436 /* We've wrapped around. */
2440 end = TARGET_PAGE_ALIGN(start+len); /* must do before we loose bits in the next step */
2441 start = start & TARGET_PAGE_MASK;
2443 for (addr = start, len = end - start;
2445 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2446 p = page_find(addr >> TARGET_PAGE_BITS);
2449 if( !(p->flags & PAGE_VALID) )
2452 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ))
2454 if (flags & PAGE_WRITE) {
2455 if (!(p->flags & PAGE_WRITE_ORG))
2457 /* unprotect the page if it was put read-only because it
2458 contains translated code */
2459 if (!(p->flags & PAGE_WRITE)) {
2460 if (!page_unprotect(addr, 0, NULL))
2469 /* called from signal handler: invalidate the code and unprotect the
2470 page. Return TRUE if the fault was successfully handled. */
2471 int page_unprotect(target_ulong address, unsigned long pc, void *puc)
2475 target_ulong host_start, host_end, addr;
2477 /* Technically this isn't safe inside a signal handler. However we
2478 know this only ever happens in a synchronous SEGV handler, so in
2479 practice it seems to be ok. */
2482 p = page_find(address >> TARGET_PAGE_BITS);
2488 /* if the page was really writable, then we change its
2489 protection back to writable */
2490 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
2491 host_start = address & qemu_host_page_mask;
2492 host_end = host_start + qemu_host_page_size;
2495 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
2496 p = page_find(addr >> TARGET_PAGE_BITS);
2497 p->flags |= PAGE_WRITE;
2500 /* and since the content will be modified, we must invalidate
2501 the corresponding translated code. */
2502 tb_invalidate_phys_page(addr, pc, puc);
2503 #ifdef DEBUG_TB_CHECK
2504 tb_invalidate_check(addr);
2507 mprotect((void *)g2h(host_start), qemu_host_page_size,
2517 static inline void tlb_set_dirty(CPUState *env,
2518 unsigned long addr, target_ulong vaddr)
2521 #endif /* defined(CONFIG_USER_ONLY) */
2523 #if !defined(CONFIG_USER_ONLY)
2525 #define SUBPAGE_IDX(addr) ((addr) & ~TARGET_PAGE_MASK)
2526 typedef struct subpage_t {
2527 target_phys_addr_t base;
2528 ram_addr_t sub_io_index[TARGET_PAGE_SIZE];
2529 ram_addr_t region_offset[TARGET_PAGE_SIZE];
2532 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
2533 ram_addr_t memory, ram_addr_t region_offset);
2534 static subpage_t *subpage_init (target_phys_addr_t base, ram_addr_t *phys,
2535 ram_addr_t orig_memory,
2536 ram_addr_t region_offset);
2537 #define CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr, end_addr2, \
2540 if (addr > start_addr) \
2543 start_addr2 = start_addr & ~TARGET_PAGE_MASK; \
2544 if (start_addr2 > 0) \
2548 if ((start_addr + orig_size) - addr >= TARGET_PAGE_SIZE) \
2549 end_addr2 = TARGET_PAGE_SIZE - 1; \
2551 end_addr2 = (start_addr + orig_size - 1) & ~TARGET_PAGE_MASK; \
2552 if (end_addr2 < TARGET_PAGE_SIZE - 1) \
2557 /* register physical memory.
2558 For RAM, 'size' must be a multiple of the target page size.
2559 If (phys_offset & ~TARGET_PAGE_MASK) != 0, then it is an
2560 io memory page. The address used when calling the IO function is
2561 the offset from the start of the region, plus region_offset. Both
2562 start_addr and region_offset are rounded down to a page boundary
2563 before calculating this offset. This should not be a problem unless
2564 the low bits of start_addr and region_offset differ. */
2565 void cpu_register_physical_memory_offset(target_phys_addr_t start_addr,
2567 ram_addr_t phys_offset,
2568 ram_addr_t region_offset)
2570 target_phys_addr_t addr, end_addr;
2573 ram_addr_t orig_size = size;
2576 cpu_notify_set_memory(start_addr, size, phys_offset);
2578 if (phys_offset == IO_MEM_UNASSIGNED) {
2579 region_offset = start_addr;
2581 region_offset &= TARGET_PAGE_MASK;
2582 size = (size + TARGET_PAGE_SIZE - 1) & TARGET_PAGE_MASK;
2583 end_addr = start_addr + (target_phys_addr_t)size;
2584 for(addr = start_addr; addr != end_addr; addr += TARGET_PAGE_SIZE) {
2585 p = phys_page_find(addr >> TARGET_PAGE_BITS);
2586 if (p && p->phys_offset != IO_MEM_UNASSIGNED) {
2587 ram_addr_t orig_memory = p->phys_offset;
2588 target_phys_addr_t start_addr2, end_addr2;
2589 int need_subpage = 0;
2591 CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr, end_addr2,
2594 if (!(orig_memory & IO_MEM_SUBPAGE)) {
2595 subpage = subpage_init((addr & TARGET_PAGE_MASK),
2596 &p->phys_offset, orig_memory,
2599 subpage = io_mem_opaque[(orig_memory & ~TARGET_PAGE_MASK)
2602 subpage_register(subpage, start_addr2, end_addr2, phys_offset,
2604 p->region_offset = 0;
2606 p->phys_offset = phys_offset;
2607 if ((phys_offset & ~TARGET_PAGE_MASK) <= IO_MEM_ROM ||
2608 (phys_offset & IO_MEM_ROMD))
2609 phys_offset += TARGET_PAGE_SIZE;
2612 p = phys_page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
2613 p->phys_offset = phys_offset;
2614 p->region_offset = region_offset;
2615 if ((phys_offset & ~TARGET_PAGE_MASK) <= IO_MEM_ROM ||
2616 (phys_offset & IO_MEM_ROMD)) {
2617 phys_offset += TARGET_PAGE_SIZE;
2619 target_phys_addr_t start_addr2, end_addr2;
2620 int need_subpage = 0;
2622 CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr,
2623 end_addr2, need_subpage);
2626 subpage = subpage_init((addr & TARGET_PAGE_MASK),
2627 &p->phys_offset, IO_MEM_UNASSIGNED,
2628 addr & TARGET_PAGE_MASK);
2629 subpage_register(subpage, start_addr2, end_addr2,
2630 phys_offset, region_offset);
2631 p->region_offset = 0;
2635 region_offset += TARGET_PAGE_SIZE;
2638 /* since each CPU stores ram addresses in its TLB cache, we must
2639 reset the modified entries */
2641 for(env = first_cpu; env != NULL; env = env->next_cpu) {
2646 /* XXX: temporary until new memory mapping API */
2647 ram_addr_t cpu_get_physical_page_desc(target_phys_addr_t addr)
2651 p = phys_page_find(addr >> TARGET_PAGE_BITS);
2653 return IO_MEM_UNASSIGNED;
2654 return p->phys_offset;
2657 void qemu_register_coalesced_mmio(target_phys_addr_t addr, ram_addr_t size)
2660 kvm_coalesce_mmio_region(addr, size);
2663 void qemu_unregister_coalesced_mmio(target_phys_addr_t addr, ram_addr_t size)
2666 kvm_uncoalesce_mmio_region(addr, size);
2669 void qemu_flush_coalesced_mmio_buffer(void)
2672 kvm_flush_coalesced_mmio_buffer();
2675 #if defined(__linux__) && !defined(TARGET_S390X)
2677 #include <sys/vfs.h>
2679 #define HUGETLBFS_MAGIC 0x958458f6
2681 static long gethugepagesize(const char *path)
2687 ret = statfs(path, &fs);
2688 } while (ret != 0 && errno == EINTR);
2695 if (fs.f_type != HUGETLBFS_MAGIC)
2696 fprintf(stderr, "Warning: path not on HugeTLBFS: %s\n", path);
2701 static void *file_ram_alloc(ram_addr_t memory, const char *path)
2709 unsigned long hpagesize;
2711 hpagesize = gethugepagesize(path);
2716 if (memory < hpagesize) {
2720 if (kvm_enabled() && !kvm_has_sync_mmu()) {
2721 fprintf(stderr, "host lacks kvm mmu notifiers, -mem-path unsupported\n");
2725 if (asprintf(&filename, "%s/qemu_back_mem.XXXXXX", path) == -1) {
2729 fd = mkstemp(filename);
2731 perror("unable to create backing store for hugepages");
2738 memory = (memory+hpagesize-1) & ~(hpagesize-1);
2741 * ftruncate is not supported by hugetlbfs in older
2742 * hosts, so don't bother bailing out on errors.
2743 * If anything goes wrong with it under other filesystems,
2746 if (ftruncate(fd, memory))
2747 perror("ftruncate");
2750 /* NB: MAP_POPULATE won't exhaustively alloc all phys pages in the case
2751 * MAP_PRIVATE is requested. For mem_prealloc we mmap as MAP_SHARED
2752 * to sidestep this quirk.
2754 flags = mem_prealloc ? MAP_POPULATE | MAP_SHARED : MAP_PRIVATE;
2755 area = mmap(0, memory, PROT_READ | PROT_WRITE, flags, fd, 0);
2757 area = mmap(0, memory, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
2759 if (area == MAP_FAILED) {
2760 perror("file_ram_alloc: can't mmap RAM pages");
2768 ram_addr_t qemu_ram_alloc(ram_addr_t size)
2770 RAMBlock *new_block;
2772 size = TARGET_PAGE_ALIGN(size);
2773 new_block = qemu_malloc(sizeof(*new_block));
2776 #if defined (__linux__) && !defined(TARGET_S390X)
2777 new_block->host = file_ram_alloc(size, mem_path);
2778 if (!new_block->host)
2781 fprintf(stderr, "-mem-path option unsupported\n");
2785 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2786 /* XXX S390 KVM requires the topmost vma of the RAM to be < 256GB */
2787 new_block->host = mmap((void*)0x1000000, size,
2788 PROT_EXEC|PROT_READ|PROT_WRITE,
2789 MAP_SHARED | MAP_ANONYMOUS, -1, 0);
2791 new_block->host = qemu_vmalloc(size);
2793 #ifdef MADV_MERGEABLE
2794 madvise(new_block->host, size, MADV_MERGEABLE);
2797 new_block->offset = last_ram_offset;
2798 new_block->length = size;
2800 new_block->next = ram_blocks;
2801 ram_blocks = new_block;
2803 phys_ram_dirty = qemu_realloc(phys_ram_dirty,
2804 (last_ram_offset + size) >> TARGET_PAGE_BITS);
2805 memset(phys_ram_dirty + (last_ram_offset >> TARGET_PAGE_BITS),
2806 0xff, size >> TARGET_PAGE_BITS);
2808 last_ram_offset += size;
2811 kvm_setup_guest_memory(new_block->host, size);
2813 return new_block->offset;
2816 void qemu_ram_free(ram_addr_t addr)
2818 /* TODO: implement this. */
2821 /* Return a host pointer to ram allocated with qemu_ram_alloc.
2822 With the exception of the softmmu code in this file, this should
2823 only be used for local memory (e.g. video ram) that the device owns,
2824 and knows it isn't going to access beyond the end of the block.
2826 It should not be used for general purpose DMA.
2827 Use cpu_physical_memory_map/cpu_physical_memory_rw instead.
2829 void *qemu_get_ram_ptr(ram_addr_t addr)
2836 prevp = &ram_blocks;
2838 while (block && (block->offset > addr
2839 || block->offset + block->length <= addr)) {
2841 prevp = &prev->next;
2843 block = block->next;
2846 fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2849 /* Move this entry to to start of the list. */
2851 prev->next = block->next;
2852 block->next = *prevp;
2855 return block->host + (addr - block->offset);
2858 /* Some of the softmmu routines need to translate from a host pointer
2859 (typically a TLB entry) back to a ram offset. */
2860 ram_addr_t qemu_ram_addr_from_host(void *ptr)
2863 uint8_t *host = ptr;
2866 while (block && (block->host > host
2867 || block->host + block->length <= host)) {
2868 block = block->next;
2871 fprintf(stderr, "Bad ram pointer %p\n", ptr);
2874 return block->offset + (host - block->host);
2877 static uint32_t unassigned_mem_readb(void *opaque, target_phys_addr_t addr)
2879 #ifdef DEBUG_UNASSIGNED
2880 printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2882 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2883 do_unassigned_access(addr, 0, 0, 0, 1);
2888 static uint32_t unassigned_mem_readw(void *opaque, target_phys_addr_t addr)
2890 #ifdef DEBUG_UNASSIGNED
2891 printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2893 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2894 do_unassigned_access(addr, 0, 0, 0, 2);
2899 static uint32_t unassigned_mem_readl(void *opaque, target_phys_addr_t addr)
2901 #ifdef DEBUG_UNASSIGNED
2902 printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2904 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2905 do_unassigned_access(addr, 0, 0, 0, 4);
2910 static void unassigned_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
2912 #ifdef DEBUG_UNASSIGNED
2913 printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2915 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2916 do_unassigned_access(addr, 1, 0, 0, 1);
2920 static void unassigned_mem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
2922 #ifdef DEBUG_UNASSIGNED
2923 printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2925 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2926 do_unassigned_access(addr, 1, 0, 0, 2);
2930 static void unassigned_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
2932 #ifdef DEBUG_UNASSIGNED
2933 printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2935 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2936 do_unassigned_access(addr, 1, 0, 0, 4);
2940 static CPUReadMemoryFunc * const unassigned_mem_read[3] = {
2941 unassigned_mem_readb,
2942 unassigned_mem_readw,
2943 unassigned_mem_readl,
2946 static CPUWriteMemoryFunc * const unassigned_mem_write[3] = {
2947 unassigned_mem_writeb,
2948 unassigned_mem_writew,
2949 unassigned_mem_writel,
2952 static void notdirty_mem_writeb(void *opaque, target_phys_addr_t ram_addr,
2956 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2957 if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2958 #if !defined(CONFIG_USER_ONLY)
2959 tb_invalidate_phys_page_fast(ram_addr, 1);
2960 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2963 stb_p(qemu_get_ram_ptr(ram_addr), val);
2964 dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2965 cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2966 /* we remove the notdirty callback only if the code has been
2968 if (dirty_flags == 0xff)
2969 tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2972 static void notdirty_mem_writew(void *opaque, target_phys_addr_t ram_addr,
2976 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2977 if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2978 #if !defined(CONFIG_USER_ONLY)
2979 tb_invalidate_phys_page_fast(ram_addr, 2);
2980 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2983 stw_p(qemu_get_ram_ptr(ram_addr), val);
2984 dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2985 cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2986 /* we remove the notdirty callback only if the code has been
2988 if (dirty_flags == 0xff)
2989 tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2992 static void notdirty_mem_writel(void *opaque, target_phys_addr_t ram_addr,
2996 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2997 if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2998 #if !defined(CONFIG_USER_ONLY)
2999 tb_invalidate_phys_page_fast(ram_addr, 4);
3000 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
3003 stl_p(qemu_get_ram_ptr(ram_addr), val);
3004 dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
3005 cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
3006 /* we remove the notdirty callback only if the code has been
3008 if (dirty_flags == 0xff)
3009 tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
3012 static CPUReadMemoryFunc * const error_mem_read[3] = {
3013 NULL, /* never used */
3014 NULL, /* never used */
3015 NULL, /* never used */
3018 static CPUWriteMemoryFunc * const notdirty_mem_write[3] = {
3019 notdirty_mem_writeb,
3020 notdirty_mem_writew,
3021 notdirty_mem_writel,
3024 /* Generate a debug exception if a watchpoint has been hit. */
3025 static void check_watchpoint(int offset, int len_mask, int flags)
3027 CPUState *env = cpu_single_env;
3028 target_ulong pc, cs_base;
3029 TranslationBlock *tb;
3034 if (env->watchpoint_hit) {
3035 /* We re-entered the check after replacing the TB. Now raise
3036 * the debug interrupt so that is will trigger after the
3037 * current instruction. */
3038 cpu_interrupt(env, CPU_INTERRUPT_DEBUG);
3041 vaddr = (env->mem_io_vaddr & TARGET_PAGE_MASK) + offset;
3042 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
3043 if ((vaddr == (wp->vaddr & len_mask) ||
3044 (vaddr & wp->len_mask) == wp->vaddr) && (wp->flags & flags)) {
3045 wp->flags |= BP_WATCHPOINT_HIT;
3046 if (!env->watchpoint_hit) {
3047 env->watchpoint_hit = wp;
3048 tb = tb_find_pc(env->mem_io_pc);
3050 cpu_abort(env, "check_watchpoint: could not find TB for "
3051 "pc=%p", (void *)env->mem_io_pc);
3053 cpu_restore_state(tb, env, env->mem_io_pc, NULL);
3054 tb_phys_invalidate(tb, -1);
3055 if (wp->flags & BP_STOP_BEFORE_ACCESS) {
3056 env->exception_index = EXCP_DEBUG;
3058 cpu_get_tb_cpu_state(env, &pc, &cs_base, &cpu_flags);
3059 tb_gen_code(env, pc, cs_base, cpu_flags, 1);
3061 cpu_resume_from_signal(env, NULL);
3064 wp->flags &= ~BP_WATCHPOINT_HIT;
3069 /* Watchpoint access routines. Watchpoints are inserted using TLB tricks,
3070 so these check for a hit then pass through to the normal out-of-line
3072 static uint32_t watch_mem_readb(void *opaque, target_phys_addr_t addr)
3074 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x0, BP_MEM_READ);
3075 return ldub_phys(addr);
3078 static uint32_t watch_mem_readw(void *opaque, target_phys_addr_t addr)
3080 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x1, BP_MEM_READ);
3081 return lduw_phys(addr);
3084 static uint32_t watch_mem_readl(void *opaque, target_phys_addr_t addr)
3086 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x3, BP_MEM_READ);
3087 return ldl_phys(addr);
3090 static void watch_mem_writeb(void *opaque, target_phys_addr_t addr,
3093 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x0, BP_MEM_WRITE);
3094 stb_phys(addr, val);
3097 static void watch_mem_writew(void *opaque, target_phys_addr_t addr,
3100 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x1, BP_MEM_WRITE);
3101 stw_phys(addr, val);
3104 static void watch_mem_writel(void *opaque, target_phys_addr_t addr,
3107 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x3, BP_MEM_WRITE);
3108 stl_phys(addr, val);
3111 static CPUReadMemoryFunc * const watch_mem_read[3] = {
3117 static CPUWriteMemoryFunc * const watch_mem_write[3] = {
3123 static inline uint32_t subpage_readlen (subpage_t *mmio,
3124 target_phys_addr_t addr,
3127 unsigned int idx = SUBPAGE_IDX(addr);
3128 #if defined(DEBUG_SUBPAGE)
3129 printf("%s: subpage %p len %d addr " TARGET_FMT_plx " idx %d\n", __func__,
3130 mmio, len, addr, idx);
3133 addr += mmio->region_offset[idx];
3134 idx = mmio->sub_io_index[idx];
3135 return io_mem_read[idx][len](io_mem_opaque[idx], addr);
3138 static inline void subpage_writelen (subpage_t *mmio, target_phys_addr_t addr,
3139 uint32_t value, unsigned int len)
3141 unsigned int idx = SUBPAGE_IDX(addr);
3142 #if defined(DEBUG_SUBPAGE)
3143 printf("%s: subpage %p len %d addr " TARGET_FMT_plx " idx %d value %08x\n",
3144 __func__, mmio, len, addr, idx, value);
3147 addr += mmio->region_offset[idx];
3148 idx = mmio->sub_io_index[idx];
3149 io_mem_write[idx][len](io_mem_opaque[idx], addr, value);
3152 static uint32_t subpage_readb (void *opaque, target_phys_addr_t addr)
3154 return subpage_readlen(opaque, addr, 0);
3157 static void subpage_writeb (void *opaque, target_phys_addr_t addr,
3160 subpage_writelen(opaque, addr, value, 0);
3163 static uint32_t subpage_readw (void *opaque, target_phys_addr_t addr)
3165 return subpage_readlen(opaque, addr, 1);
3168 static void subpage_writew (void *opaque, target_phys_addr_t addr,
3171 subpage_writelen(opaque, addr, value, 1);
3174 static uint32_t subpage_readl (void *opaque, target_phys_addr_t addr)
3176 return subpage_readlen(opaque, addr, 2);
3179 static void subpage_writel (void *opaque, target_phys_addr_t addr,
3182 subpage_writelen(opaque, addr, value, 2);
3185 static CPUReadMemoryFunc * const subpage_read[] = {
3191 static CPUWriteMemoryFunc * const subpage_write[] = {
3197 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
3198 ram_addr_t memory, ram_addr_t region_offset)
3202 if (start >= TARGET_PAGE_SIZE || end >= TARGET_PAGE_SIZE)
3204 idx = SUBPAGE_IDX(start);
3205 eidx = SUBPAGE_IDX(end);
3206 #if defined(DEBUG_SUBPAGE)
3207 printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
3208 mmio, start, end, idx, eidx, memory);
3210 memory = (memory >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3211 for (; idx <= eidx; idx++) {
3212 mmio->sub_io_index[idx] = memory;
3213 mmio->region_offset[idx] = region_offset;
3219 static subpage_t *subpage_init (target_phys_addr_t base, ram_addr_t *phys,
3220 ram_addr_t orig_memory,
3221 ram_addr_t region_offset)
3226 mmio = qemu_mallocz(sizeof(subpage_t));
3229 subpage_memory = cpu_register_io_memory(subpage_read, subpage_write, mmio);
3230 #if defined(DEBUG_SUBPAGE)
3231 printf("%s: %p base " TARGET_FMT_plx " len %08x %d\n", __func__,
3232 mmio, base, TARGET_PAGE_SIZE, subpage_memory);
3234 *phys = subpage_memory | IO_MEM_SUBPAGE;
3235 subpage_register(mmio, 0, TARGET_PAGE_SIZE-1, orig_memory, region_offset);
3240 static int get_free_io_mem_idx(void)
3244 for (i = 0; i<IO_MEM_NB_ENTRIES; i++)
3245 if (!io_mem_used[i]) {
3249 fprintf(stderr, "RAN out out io_mem_idx, max %d !\n", IO_MEM_NB_ENTRIES);
3253 /* mem_read and mem_write are arrays of functions containing the
3254 function to access byte (index 0), word (index 1) and dword (index
3255 2). Functions can be omitted with a NULL function pointer.
3256 If io_index is non zero, the corresponding io zone is
3257 modified. If it is zero, a new io zone is allocated. The return
3258 value can be used with cpu_register_physical_memory(). (-1) is
3259 returned if error. */
3260 static int cpu_register_io_memory_fixed(int io_index,
3261 CPUReadMemoryFunc * const *mem_read,
3262 CPUWriteMemoryFunc * const *mem_write,
3265 if (io_index <= 0) {
3266 io_index = get_free_io_mem_idx();
3270 io_index >>= IO_MEM_SHIFT;
3271 if (io_index >= IO_MEM_NB_ENTRIES)
3275 memcpy(io_mem_read[io_index], mem_read, 3 * sizeof(CPUReadMemoryFunc*));
3276 memcpy(io_mem_write[io_index], mem_write, 3 * sizeof(CPUWriteMemoryFunc*));
3277 io_mem_opaque[io_index] = opaque;
3279 return (io_index << IO_MEM_SHIFT);
3282 int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
3283 CPUWriteMemoryFunc * const *mem_write,
3286 return cpu_register_io_memory_fixed(0, mem_read, mem_write, opaque);
3289 void cpu_unregister_io_memory(int io_table_address)
3292 int io_index = io_table_address >> IO_MEM_SHIFT;
3294 for (i=0;i < 3; i++) {
3295 io_mem_read[io_index][i] = unassigned_mem_read[i];
3296 io_mem_write[io_index][i] = unassigned_mem_write[i];
3298 io_mem_opaque[io_index] = NULL;
3299 io_mem_used[io_index] = 0;
3302 static void io_mem_init(void)
3306 cpu_register_io_memory_fixed(IO_MEM_ROM, error_mem_read, unassigned_mem_write, NULL);
3307 cpu_register_io_memory_fixed(IO_MEM_UNASSIGNED, unassigned_mem_read, unassigned_mem_write, NULL);
3308 cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read, notdirty_mem_write, NULL);
3312 io_mem_watch = cpu_register_io_memory(watch_mem_read,
3313 watch_mem_write, NULL);
3316 #endif /* !defined(CONFIG_USER_ONLY) */
3318 /* physical memory access (slow version, mainly for debug) */
3319 #if defined(CONFIG_USER_ONLY)
3320 int cpu_memory_rw_debug(CPUState *env, target_ulong addr,
3321 uint8_t *buf, int len, int is_write)
3328 page = addr & TARGET_PAGE_MASK;
3329 l = (page + TARGET_PAGE_SIZE) - addr;
3332 flags = page_get_flags(page);
3333 if (!(flags & PAGE_VALID))
3336 if (!(flags & PAGE_WRITE))
3338 /* XXX: this code should not depend on lock_user */
3339 if (!(p = lock_user(VERIFY_WRITE, addr, l, 0)))
3342 unlock_user(p, addr, l);
3344 if (!(flags & PAGE_READ))
3346 /* XXX: this code should not depend on lock_user */
3347 if (!(p = lock_user(VERIFY_READ, addr, l, 1)))
3350 unlock_user(p, addr, 0);
3360 void cpu_physical_memory_rw(target_phys_addr_t addr, uint8_t *buf,
3361 int len, int is_write)
3366 target_phys_addr_t page;
3371 page = addr & TARGET_PAGE_MASK;
3372 l = (page + TARGET_PAGE_SIZE) - addr;
3375 p = phys_page_find(page >> TARGET_PAGE_BITS);
3377 pd = IO_MEM_UNASSIGNED;
3379 pd = p->phys_offset;
3383 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3384 target_phys_addr_t addr1 = addr;
3385 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3387 addr1 = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3388 /* XXX: could force cpu_single_env to NULL to avoid
3390 if (l >= 4 && ((addr1 & 3) == 0)) {
3391 /* 32 bit write access */
3393 io_mem_write[io_index][2](io_mem_opaque[io_index], addr1, val);
3395 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3396 /* 16 bit write access */
3398 io_mem_write[io_index][1](io_mem_opaque[io_index], addr1, val);
3401 /* 8 bit write access */
3403 io_mem_write[io_index][0](io_mem_opaque[io_index], addr1, val);
3407 unsigned long addr1;
3408 addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3410 ptr = qemu_get_ram_ptr(addr1);
3411 memcpy(ptr, buf, l);
3412 if (!cpu_physical_memory_is_dirty(addr1)) {
3413 /* invalidate code */
3414 tb_invalidate_phys_page_range(addr1, addr1 + l, 0);
3416 cpu_physical_memory_set_dirty_flags(
3417 addr1, (0xff & ~CODE_DIRTY_FLAG));
3421 if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3422 !(pd & IO_MEM_ROMD)) {
3423 target_phys_addr_t addr1 = addr;
3425 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3427 addr1 = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3428 if (l >= 4 && ((addr1 & 3) == 0)) {
3429 /* 32 bit read access */
3430 val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr1);
3433 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3434 /* 16 bit read access */
3435 val = io_mem_read[io_index][1](io_mem_opaque[io_index], addr1);
3439 /* 8 bit read access */
3440 val = io_mem_read[io_index][0](io_mem_opaque[io_index], addr1);
3446 ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3447 (addr & ~TARGET_PAGE_MASK);
3448 memcpy(buf, ptr, l);
3457 /* used for ROM loading : can write in RAM and ROM */
3458 void cpu_physical_memory_write_rom(target_phys_addr_t addr,
3459 const uint8_t *buf, int len)
3463 target_phys_addr_t page;
3468 page = addr & TARGET_PAGE_MASK;
3469 l = (page + TARGET_PAGE_SIZE) - addr;
3472 p = phys_page_find(page >> TARGET_PAGE_BITS);
3474 pd = IO_MEM_UNASSIGNED;
3476 pd = p->phys_offset;
3479 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM &&
3480 (pd & ~TARGET_PAGE_MASK) != IO_MEM_ROM &&
3481 !(pd & IO_MEM_ROMD)) {
3484 unsigned long addr1;
3485 addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3487 ptr = qemu_get_ram_ptr(addr1);
3488 memcpy(ptr, buf, l);
3498 target_phys_addr_t addr;
3499 target_phys_addr_t len;
3502 static BounceBuffer bounce;
3504 typedef struct MapClient {
3506 void (*callback)(void *opaque);
3507 QLIST_ENTRY(MapClient) link;
3510 static QLIST_HEAD(map_client_list, MapClient) map_client_list
3511 = QLIST_HEAD_INITIALIZER(map_client_list);
3513 void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
3515 MapClient *client = qemu_malloc(sizeof(*client));
3517 client->opaque = opaque;
3518 client->callback = callback;
3519 QLIST_INSERT_HEAD(&map_client_list, client, link);
3523 void cpu_unregister_map_client(void *_client)
3525 MapClient *client = (MapClient *)_client;
3527 QLIST_REMOVE(client, link);
3531 static void cpu_notify_map_clients(void)
3535 while (!QLIST_EMPTY(&map_client_list)) {
3536 client = QLIST_FIRST(&map_client_list);
3537 client->callback(client->opaque);
3538 cpu_unregister_map_client(client);
3542 /* Map a physical memory region into a host virtual address.
3543 * May map a subset of the requested range, given by and returned in *plen.
3544 * May return NULL if resources needed to perform the mapping are exhausted.
3545 * Use only for reads OR writes - not for read-modify-write operations.
3546 * Use cpu_register_map_client() to know when retrying the map operation is
3547 * likely to succeed.
3549 void *cpu_physical_memory_map(target_phys_addr_t addr,
3550 target_phys_addr_t *plen,
3553 target_phys_addr_t len = *plen;
3554 target_phys_addr_t done = 0;
3556 uint8_t *ret = NULL;
3558 target_phys_addr_t page;
3561 unsigned long addr1;
3564 page = addr & TARGET_PAGE_MASK;
3565 l = (page + TARGET_PAGE_SIZE) - addr;
3568 p = phys_page_find(page >> TARGET_PAGE_BITS);
3570 pd = IO_MEM_UNASSIGNED;
3572 pd = p->phys_offset;
3575 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3576 if (done || bounce.buffer) {
3579 bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
3583 cpu_physical_memory_rw(addr, bounce.buffer, l, 0);
3585 ptr = bounce.buffer;
3587 addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3588 ptr = qemu_get_ram_ptr(addr1);
3592 } else if (ret + done != ptr) {
3604 /* Unmaps a memory region previously mapped by cpu_physical_memory_map().
3605 * Will also mark the memory as dirty if is_write == 1. access_len gives
3606 * the amount of memory that was actually read or written by the caller.
3608 void cpu_physical_memory_unmap(void *buffer, target_phys_addr_t len,
3609 int is_write, target_phys_addr_t access_len)
3611 if (buffer != bounce.buffer) {
3613 ram_addr_t addr1 = qemu_ram_addr_from_host(buffer);
3614 while (access_len) {
3616 l = TARGET_PAGE_SIZE;
3619 if (!cpu_physical_memory_is_dirty(addr1)) {
3620 /* invalidate code */
3621 tb_invalidate_phys_page_range(addr1, addr1 + l, 0);
3623 cpu_physical_memory_set_dirty_flags(
3624 addr1, (0xff & ~CODE_DIRTY_FLAG));
3633 cpu_physical_memory_write(bounce.addr, bounce.buffer, access_len);
3635 qemu_vfree(bounce.buffer);
3636 bounce.buffer = NULL;
3637 cpu_notify_map_clients();
3640 /* warning: addr must be aligned */
3641 uint32_t ldl_phys(target_phys_addr_t addr)
3649 p = phys_page_find(addr >> TARGET_PAGE_BITS);
3651 pd = IO_MEM_UNASSIGNED;
3653 pd = p->phys_offset;
3656 if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3657 !(pd & IO_MEM_ROMD)) {
3659 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3661 addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3662 val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr);
3665 ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3666 (addr & ~TARGET_PAGE_MASK);
3672 /* warning: addr must be aligned */
3673 uint64_t ldq_phys(target_phys_addr_t addr)
3681 p = phys_page_find(addr >> TARGET_PAGE_BITS);
3683 pd = IO_MEM_UNASSIGNED;
3685 pd = p->phys_offset;
3688 if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3689 !(pd & IO_MEM_ROMD)) {
3691 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3693 addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3694 #ifdef TARGET_WORDS_BIGENDIAN
3695 val = (uint64_t)io_mem_read[io_index][2](io_mem_opaque[io_index], addr) << 32;
3696 val |= io_mem_read[io_index][2](io_mem_opaque[io_index], addr + 4);
3698 val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr);
3699 val |= (uint64_t)io_mem_read[io_index][2](io_mem_opaque[io_index], addr + 4) << 32;
3703 ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3704 (addr & ~TARGET_PAGE_MASK);
3711 uint32_t ldub_phys(target_phys_addr_t addr)
3714 cpu_physical_memory_read(addr, &val, 1);
3719 uint32_t lduw_phys(target_phys_addr_t addr)
3722 cpu_physical_memory_read(addr, (uint8_t *)&val, 2);
3723 return tswap16(val);
3726 /* warning: addr must be aligned. The ram page is not masked as dirty
3727 and the code inside is not invalidated. It is useful if the dirty
3728 bits are used to track modified PTEs */
3729 void stl_phys_notdirty(target_phys_addr_t addr, uint32_t val)
3736 p = phys_page_find(addr >> TARGET_PAGE_BITS);
3738 pd = IO_MEM_UNASSIGNED;
3740 pd = p->phys_offset;
3743 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3744 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3746 addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3747 io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3749 unsigned long addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3750 ptr = qemu_get_ram_ptr(addr1);
3753 if (unlikely(in_migration)) {
3754 if (!cpu_physical_memory_is_dirty(addr1)) {
3755 /* invalidate code */
3756 tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
3758 cpu_physical_memory_set_dirty_flags(
3759 addr1, (0xff & ~CODE_DIRTY_FLAG));
3765 void stq_phys_notdirty(target_phys_addr_t addr, uint64_t val)
3772 p = phys_page_find(addr >> TARGET_PAGE_BITS);
3774 pd = IO_MEM_UNASSIGNED;
3776 pd = p->phys_offset;
3779 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3780 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3782 addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3783 #ifdef TARGET_WORDS_BIGENDIAN
3784 io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val >> 32);
3785 io_mem_write[io_index][2](io_mem_opaque[io_index], addr + 4, val);
3787 io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3788 io_mem_write[io_index][2](io_mem_opaque[io_index], addr + 4, val >> 32);
3791 ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3792 (addr & ~TARGET_PAGE_MASK);
3797 /* warning: addr must be aligned */
3798 void stl_phys(target_phys_addr_t addr, uint32_t val)
3805 p = phys_page_find(addr >> TARGET_PAGE_BITS);
3807 pd = IO_MEM_UNASSIGNED;
3809 pd = p->phys_offset;
3812 if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3813 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3815 addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3816 io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3818 unsigned long addr1;
3819 addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3821 ptr = qemu_get_ram_ptr(addr1);
3823 if (!cpu_physical_memory_is_dirty(addr1)) {
3824 /* invalidate code */
3825 tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
3827 cpu_physical_memory_set_dirty_flags(addr1,
3828 (0xff & ~CODE_DIRTY_FLAG));
3834 void stb_phys(target_phys_addr_t addr, uint32_t val)
3837 cpu_physical_memory_write(addr, &v, 1);
3841 void stw_phys(target_phys_addr_t addr, uint32_t val)
3843 uint16_t v = tswap16(val);
3844 cpu_physical_memory_write(addr, (const uint8_t *)&v, 2);
3848 void stq_phys(target_phys_addr_t addr, uint64_t val)
3851 cpu_physical_memory_write(addr, (const uint8_t *)&val, 8);
3854 /* virtual memory access for debug (includes writing to ROM) */
3855 int cpu_memory_rw_debug(CPUState *env, target_ulong addr,
3856 uint8_t *buf, int len, int is_write)
3859 target_phys_addr_t phys_addr;
3863 page = addr & TARGET_PAGE_MASK;
3864 phys_addr = cpu_get_phys_page_debug(env, page);
3865 /* if no physical page mapped, return an error */
3866 if (phys_addr == -1)
3868 l = (page + TARGET_PAGE_SIZE) - addr;
3871 phys_addr += (addr & ~TARGET_PAGE_MASK);
3873 cpu_physical_memory_write_rom(phys_addr, buf, l);
3875 cpu_physical_memory_rw(phys_addr, buf, l, is_write);
3884 /* in deterministic execution mode, instructions doing device I/Os
3885 must be at the end of the TB */
3886 void cpu_io_recompile(CPUState *env, void *retaddr)
3888 TranslationBlock *tb;
3890 target_ulong pc, cs_base;
3893 tb = tb_find_pc((unsigned long)retaddr);
3895 cpu_abort(env, "cpu_io_recompile: could not find TB for pc=%p",
3898 n = env->icount_decr.u16.low + tb->icount;
3899 cpu_restore_state(tb, env, (unsigned long)retaddr, NULL);
3900 /* Calculate how many instructions had been executed before the fault
3902 n = n - env->icount_decr.u16.low;
3903 /* Generate a new TB ending on the I/O insn. */
3905 /* On MIPS and SH, delay slot instructions can only be restarted if
3906 they were already the first instruction in the TB. If this is not
3907 the first instruction in a TB then re-execute the preceding
3909 #if defined(TARGET_MIPS)
3910 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
3911 env->active_tc.PC -= 4;
3912 env->icount_decr.u16.low++;
3913 env->hflags &= ~MIPS_HFLAG_BMASK;
3915 #elif defined(TARGET_SH4)
3916 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
3919 env->icount_decr.u16.low++;
3920 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
3923 /* This should never happen. */
3924 if (n > CF_COUNT_MASK)
3925 cpu_abort(env, "TB too big during recompile");
3927 cflags = n | CF_LAST_IO;
3929 cs_base = tb->cs_base;
3931 tb_phys_invalidate(tb, -1);
3932 /* FIXME: In theory this could raise an exception. In practice
3933 we have already translated the block once so it's probably ok. */
3934 tb_gen_code(env, pc, cs_base, flags, cflags);
3935 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
3936 the first in the TB) then we end up generating a whole new TB and
3937 repeating the fault, which is horribly inefficient.
3938 Better would be to execute just this insn uncached, or generate a
3940 cpu_resume_from_signal(env, NULL);
3943 #if !defined(CONFIG_USER_ONLY)
3945 void dump_exec_info(FILE *f,
3946 int (*cpu_fprintf)(FILE *f, const char *fmt, ...))
3948 int i, target_code_size, max_target_code_size;
3949 int direct_jmp_count, direct_jmp2_count, cross_page;
3950 TranslationBlock *tb;
3952 target_code_size = 0;
3953 max_target_code_size = 0;
3955 direct_jmp_count = 0;
3956 direct_jmp2_count = 0;
3957 for(i = 0; i < nb_tbs; i++) {
3959 target_code_size += tb->size;
3960 if (tb->size > max_target_code_size)
3961 max_target_code_size = tb->size;
3962 if (tb->page_addr[1] != -1)
3964 if (tb->tb_next_offset[0] != 0xffff) {
3966 if (tb->tb_next_offset[1] != 0xffff) {
3967 direct_jmp2_count++;
3971 /* XXX: avoid using doubles ? */
3972 cpu_fprintf(f, "Translation buffer state:\n");
3973 cpu_fprintf(f, "gen code size %ld/%ld\n",
3974 code_gen_ptr - code_gen_buffer, code_gen_buffer_max_size);
3975 cpu_fprintf(f, "TB count %d/%d\n",
3976 nb_tbs, code_gen_max_blocks);
3977 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
3978 nb_tbs ? target_code_size / nb_tbs : 0,
3979 max_target_code_size);
3980 cpu_fprintf(f, "TB avg host size %d bytes (expansion ratio: %0.1f)\n",
3981 nb_tbs ? (code_gen_ptr - code_gen_buffer) / nb_tbs : 0,
3982 target_code_size ? (double) (code_gen_ptr - code_gen_buffer) / target_code_size : 0);
3983 cpu_fprintf(f, "cross page TB count %d (%d%%)\n",
3985 nb_tbs ? (cross_page * 100) / nb_tbs : 0);
3986 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
3988 nb_tbs ? (direct_jmp_count * 100) / nb_tbs : 0,
3990 nb_tbs ? (direct_jmp2_count * 100) / nb_tbs : 0);
3991 cpu_fprintf(f, "\nStatistics:\n");
3992 cpu_fprintf(f, "TB flush count %d\n", tb_flush_count);
3993 cpu_fprintf(f, "TB invalidate count %d\n", tb_phys_invalidate_count);
3994 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
3995 tcg_dump_info(f, cpu_fprintf);
3998 #define MMUSUFFIX _cmmu
3999 #define GETPC() NULL
4000 #define env cpu_single_env
4001 #define SOFTMMU_CODE_ACCESS
4004 #include "softmmu_template.h"
4007 #include "softmmu_template.h"
4010 #include "softmmu_template.h"
4013 #include "softmmu_template.h"
projects / qemu.git / blob