2 * virtual page mapping and translated block handling
4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
23 #include <sys/types.h>
27 #include "qemu-common.h"
35 #include "qemu-timer.h"
38 #include "exec-memory.h"
39 #if defined(CONFIG_USER_ONLY)
41 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
42 #include <sys/param.h>
43 #if __FreeBSD_version >= 700104
44 #define HAVE_KINFO_GETVMMAP
45 #define sigqueue sigqueue_freebsd /* avoid redefinition */
48 #include <machine/profile.h>
56 #else /* !CONFIG_USER_ONLY */
57 #include "xen-mapcache.h"
63 #include "memory-internal.h"
65 //#define DEBUG_TB_INVALIDATE
67 //#define DEBUG_UNASSIGNED
69 /* make various TB consistency checks */
70 //#define DEBUG_TB_CHECK
72 //#define DEBUG_IOPORT
73 //#define DEBUG_SUBPAGE
75 #if !defined(CONFIG_USER_ONLY)
76 /* TB consistency checks only implemented for usermode emulation. */
80 #define SMC_BITMAP_USE_THRESHOLD 10
82 /* Code generation and translation blocks */
83 static TranslationBlock *tbs;
84 static int code_gen_max_blocks;
85 TranslationBlock *tb_phys_hash[CODE_GEN_PHYS_HASH_SIZE];
87 /* any access to the tbs or the page table must use this lock */
88 spinlock_t tb_lock = SPIN_LOCK_UNLOCKED;
90 uint8_t *code_gen_prologue;
91 static uint8_t *code_gen_buffer;
92 static size_t code_gen_buffer_size;
93 /* threshold to flush the translated code buffer */
94 static size_t code_gen_buffer_max_size;
95 static uint8_t *code_gen_ptr;
97 #if !defined(CONFIG_USER_ONLY)
99 static int in_migration;
101 RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list.blocks) };
103 static MemoryRegion *system_memory;
104 static MemoryRegion *system_io;
106 AddressSpace address_space_io;
107 AddressSpace address_space_memory;
108 DMAContext dma_context_memory;
110 MemoryRegion io_mem_ram, io_mem_rom, io_mem_unassigned, io_mem_notdirty;
111 static MemoryRegion io_mem_subpage_ram;
115 CPUArchState *first_cpu;
116 /* current CPU in the current thread. It is only valid inside
118 DEFINE_TLS(CPUArchState *,cpu_single_env);
119 /* 0 = Do not count executed instructions.
120 1 = Precise instruction counting.
121 2 = Adaptive rate instruction counting. */
124 typedef struct PageDesc {
125 /* list of TBs intersecting this ram page */
126 TranslationBlock *first_tb;
127 /* in order to optimize self modifying code, we count the number
128 of lookups we do to a given page to use a bitmap */
129 unsigned int code_write_count;
130 uint8_t *code_bitmap;
131 #if defined(CONFIG_USER_ONLY)
136 /* In system mode we want L1_MAP to be based on ram offsets,
137 while in user mode we want it to be based on virtual addresses. */
138 #if !defined(CONFIG_USER_ONLY)
139 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
140 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
142 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
145 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
148 /* Size of the L2 (and L3, etc) page tables. */
150 #define L2_SIZE (1 << L2_BITS)
152 #define P_L2_LEVELS \
153 (((TARGET_PHYS_ADDR_SPACE_BITS - TARGET_PAGE_BITS - 1) / L2_BITS) + 1)
155 /* The bits remaining after N lower levels of page tables. */
156 #define V_L1_BITS_REM \
157 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % L2_BITS)
159 #if V_L1_BITS_REM < 4
160 #define V_L1_BITS (V_L1_BITS_REM + L2_BITS)
162 #define V_L1_BITS V_L1_BITS_REM
165 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
167 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
169 uintptr_t qemu_real_host_page_size;
170 uintptr_t qemu_host_page_size;
171 uintptr_t qemu_host_page_mask;
173 /* This is a multi-level map on the virtual address space.
174 The bottom level has pointers to PageDesc. */
175 static void *l1_map[V_L1_SIZE];
177 #if !defined(CONFIG_USER_ONLY)
179 static MemoryRegionSection *phys_sections;
180 static unsigned phys_sections_nb, phys_sections_nb_alloc;
181 static uint16_t phys_section_unassigned;
182 static uint16_t phys_section_notdirty;
183 static uint16_t phys_section_rom;
184 static uint16_t phys_section_watch;
186 /* Simple allocator for PhysPageEntry nodes */
187 static PhysPageEntry (*phys_map_nodes)[L2_SIZE];
188 static unsigned phys_map_nodes_nb, phys_map_nodes_nb_alloc;
190 #define PHYS_MAP_NODE_NIL (((uint16_t)~0) >> 1)
192 static void io_mem_init(void);
193 static void memory_map_init(void);
194 static void *qemu_safe_ram_ptr(ram_addr_t addr);
196 static MemoryRegion io_mem_watch;
198 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
199 tb_page_addr_t phys_page2);
202 static int tb_flush_count;
203 static int tb_phys_invalidate_count;
206 static inline void map_exec(void *addr, long size)
209 VirtualProtect(addr, size,
210 PAGE_EXECUTE_READWRITE, &old_protect);
213 static inline void map_exec(void *addr, long size)
215 unsigned long start, end, page_size;
217 page_size = getpagesize();
218 start = (unsigned long)addr;
219 start &= ~(page_size - 1);
221 end = (unsigned long)addr + size;
222 end += page_size - 1;
223 end &= ~(page_size - 1);
225 mprotect((void *)start, end - start,
226 PROT_READ | PROT_WRITE | PROT_EXEC);
230 static void page_init(void)
232 /* NOTE: we can always suppose that qemu_host_page_size >=
236 SYSTEM_INFO system_info;
238 GetSystemInfo(&system_info);
239 qemu_real_host_page_size = system_info.dwPageSize;
242 qemu_real_host_page_size = getpagesize();
244 if (qemu_host_page_size == 0) {
245 qemu_host_page_size = qemu_real_host_page_size;
247 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
248 qemu_host_page_size = TARGET_PAGE_SIZE;
250 qemu_host_page_mask = ~(qemu_host_page_size - 1);
252 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
254 #ifdef HAVE_KINFO_GETVMMAP
255 struct kinfo_vmentry *freep;
258 freep = kinfo_getvmmap(getpid(), &cnt);
261 for (i = 0; i < cnt; i++) {
262 unsigned long startaddr, endaddr;
264 startaddr = freep[i].kve_start;
265 endaddr = freep[i].kve_end;
266 if (h2g_valid(startaddr)) {
267 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
269 if (h2g_valid(endaddr)) {
270 endaddr = h2g(endaddr);
271 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
273 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
275 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
286 last_brk = (unsigned long)sbrk(0);
288 f = fopen("/compat/linux/proc/self/maps", "r");
293 unsigned long startaddr, endaddr;
296 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
298 if (n == 2 && h2g_valid(startaddr)) {
299 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
301 if (h2g_valid(endaddr)) {
302 endaddr = h2g(endaddr);
306 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
318 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
324 #if defined(CONFIG_USER_ONLY)
325 /* We can't use g_malloc because it may recurse into a locked mutex. */
326 # define ALLOC(P, SIZE) \
328 P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
329 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
332 # define ALLOC(P, SIZE) \
333 do { P = g_malloc0(SIZE); } while (0)
336 /* Level 1. Always allocated. */
337 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
340 for (i = V_L1_SHIFT / L2_BITS - 1; i > 0; i--) {
347 ALLOC(p, sizeof(void *) * L2_SIZE);
351 lp = p + ((index >> (i * L2_BITS)) & (L2_SIZE - 1));
359 ALLOC(pd, sizeof(PageDesc) * L2_SIZE);
365 return pd + (index & (L2_SIZE - 1));
368 static inline PageDesc *page_find(tb_page_addr_t index)
370 return page_find_alloc(index, 0);
373 #if !defined(CONFIG_USER_ONLY)
375 static void phys_map_node_reserve(unsigned nodes)
377 if (phys_map_nodes_nb + nodes > phys_map_nodes_nb_alloc) {
378 typedef PhysPageEntry Node[L2_SIZE];
379 phys_map_nodes_nb_alloc = MAX(phys_map_nodes_nb_alloc * 2, 16);
380 phys_map_nodes_nb_alloc = MAX(phys_map_nodes_nb_alloc,
381 phys_map_nodes_nb + nodes);
382 phys_map_nodes = g_renew(Node, phys_map_nodes,
383 phys_map_nodes_nb_alloc);
387 static uint16_t phys_map_node_alloc(void)
392 ret = phys_map_nodes_nb++;
393 assert(ret != PHYS_MAP_NODE_NIL);
394 assert(ret != phys_map_nodes_nb_alloc);
395 for (i = 0; i < L2_SIZE; ++i) {
396 phys_map_nodes[ret][i].is_leaf = 0;
397 phys_map_nodes[ret][i].ptr = PHYS_MAP_NODE_NIL;
402 static void phys_map_nodes_reset(void)
404 phys_map_nodes_nb = 0;
408 static void phys_page_set_level(PhysPageEntry *lp, hwaddr *index,
409 hwaddr *nb, uint16_t leaf,
414 hwaddr step = (hwaddr)1 << (level * L2_BITS);
416 if (!lp->is_leaf && lp->ptr == PHYS_MAP_NODE_NIL) {
417 lp->ptr = phys_map_node_alloc();
418 p = phys_map_nodes[lp->ptr];
420 for (i = 0; i < L2_SIZE; i++) {
422 p[i].ptr = phys_section_unassigned;
426 p = phys_map_nodes[lp->ptr];
428 lp = &p[(*index >> (level * L2_BITS)) & (L2_SIZE - 1)];
430 while (*nb && lp < &p[L2_SIZE]) {
431 if ((*index & (step - 1)) == 0 && *nb >= step) {
437 phys_page_set_level(lp, index, nb, leaf, level - 1);
443 static void phys_page_set(AddressSpaceDispatch *d,
444 hwaddr index, hwaddr nb,
447 /* Wildly overreserve - it doesn't matter much. */
448 phys_map_node_reserve(3 * P_L2_LEVELS);
450 phys_page_set_level(&d->phys_map, &index, &nb, leaf, P_L2_LEVELS - 1);
453 MemoryRegionSection *phys_page_find(AddressSpaceDispatch *d, hwaddr index)
455 PhysPageEntry lp = d->phys_map;
458 uint16_t s_index = phys_section_unassigned;
460 for (i = P_L2_LEVELS - 1; i >= 0 && !lp.is_leaf; i--) {
461 if (lp.ptr == PHYS_MAP_NODE_NIL) {
464 p = phys_map_nodes[lp.ptr];
465 lp = p[(index >> (i * L2_BITS)) & (L2_SIZE - 1)];
470 return &phys_sections[s_index];
473 bool memory_region_is_unassigned(MemoryRegion *mr)
475 return mr != &io_mem_ram && mr != &io_mem_rom
476 && mr != &io_mem_notdirty && !mr->rom_device
477 && mr != &io_mem_watch;
480 #define mmap_lock() do { } while(0)
481 #define mmap_unlock() do { } while(0)
484 #if defined(CONFIG_USER_ONLY)
485 /* Currently it is not recommended to allocate big chunks of data in
486 user mode. It will change when a dedicated libc will be used. */
487 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
488 region in which the guest needs to run. Revisit this. */
489 #define USE_STATIC_CODE_GEN_BUFFER
492 /* ??? Should configure for this, not list operating systems here. */
493 #if (defined(__linux__) \
494 || defined(__FreeBSD__) || defined(__FreeBSD_kernel__) \
495 || defined(__DragonFly__) || defined(__OpenBSD__) \
496 || defined(__NetBSD__))
500 /* Minimum size of the code gen buffer. This number is randomly chosen,
501 but not so small that we can't have a fair number of TB's live. */
502 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
504 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
505 indicated, this is constrained by the range of direct branches on the
506 host cpu, as used by the TCG implementation of goto_tb. */
507 #if defined(__x86_64__)
508 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
509 #elif defined(__sparc__)
510 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
511 #elif defined(__arm__)
512 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
513 #elif defined(__s390x__)
514 /* We have a +- 4GB range on the branches; leave some slop. */
515 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
517 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
520 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
522 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
523 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
524 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
526 static inline size_t size_code_gen_buffer(size_t tb_size)
528 /* Size the buffer. */
530 #ifdef USE_STATIC_CODE_GEN_BUFFER
531 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
533 /* ??? Needs adjustments. */
534 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
535 static buffer, we could size this on RESERVED_VA, on the text
536 segment size of the executable, or continue to use the default. */
537 tb_size = (unsigned long)(ram_size / 4);
540 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
541 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
543 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
544 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
546 code_gen_buffer_size = tb_size;
550 #ifdef USE_STATIC_CODE_GEN_BUFFER
551 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
552 __attribute__((aligned(CODE_GEN_ALIGN)));
554 static inline void *alloc_code_gen_buffer(void)
556 map_exec(static_code_gen_buffer, code_gen_buffer_size);
557 return static_code_gen_buffer;
559 #elif defined(USE_MMAP)
560 static inline void *alloc_code_gen_buffer(void)
562 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
566 /* Constrain the position of the buffer based on the host cpu.
567 Note that these addresses are chosen in concert with the
568 addresses assigned in the relevant linker script file. */
569 # if defined(__PIE__) || defined(__PIC__)
570 /* Don't bother setting a preferred location if we're building
571 a position-independent executable. We're more likely to get
572 an address near the main executable if we let the kernel
573 choose the address. */
574 # elif defined(__x86_64__) && defined(MAP_32BIT)
575 /* Force the memory down into low memory with the executable.
576 Leave the choice of exact location with the kernel. */
578 /* Cannot expect to map more than 800MB in low memory. */
579 if (code_gen_buffer_size > 800u * 1024 * 1024) {
580 code_gen_buffer_size = 800u * 1024 * 1024;
582 # elif defined(__sparc__)
583 start = 0x40000000ul;
584 # elif defined(__s390x__)
585 start = 0x90000000ul;
588 buf = mmap((void *)start, code_gen_buffer_size,
589 PROT_WRITE | PROT_READ | PROT_EXEC, flags, -1, 0);
590 return buf == MAP_FAILED ? NULL : buf;
593 static inline void *alloc_code_gen_buffer(void)
595 void *buf = g_malloc(code_gen_buffer_size);
598 map_exec(buf, code_gen_buffer_size);
602 #endif /* USE_STATIC_CODE_GEN_BUFFER, USE_MMAP */
604 static inline void code_gen_alloc(size_t tb_size)
606 code_gen_buffer_size = size_code_gen_buffer(tb_size);
607 code_gen_buffer = alloc_code_gen_buffer();
608 if (code_gen_buffer == NULL) {
609 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
613 qemu_madvise(code_gen_buffer, code_gen_buffer_size, QEMU_MADV_HUGEPAGE);
615 /* Steal room for the prologue at the end of the buffer. This ensures
616 (via the MAX_CODE_GEN_BUFFER_SIZE limits above) that direct branches
617 from TB's to the prologue are going to be in range. It also means
618 that we don't need to mark (additional) portions of the data segment
620 code_gen_prologue = code_gen_buffer + code_gen_buffer_size - 1024;
621 code_gen_buffer_size -= 1024;
623 code_gen_buffer_max_size = code_gen_buffer_size -
624 (TCG_MAX_OP_SIZE * OPC_BUF_SIZE);
625 code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
626 tbs = g_malloc(code_gen_max_blocks * sizeof(TranslationBlock));
629 /* Must be called before using the QEMU cpus. 'tb_size' is the size
630 (in bytes) allocated to the translation buffer. Zero means default
632 void tcg_exec_init(unsigned long tb_size)
635 code_gen_alloc(tb_size);
636 code_gen_ptr = code_gen_buffer;
637 tcg_register_jit(code_gen_buffer, code_gen_buffer_size);
639 #if !defined(CONFIG_USER_ONLY) || !defined(CONFIG_USE_GUEST_BASE)
640 /* There's no guest base to take into account, so go ahead and
641 initialize the prologue now. */
642 tcg_prologue_init(&tcg_ctx);
646 bool tcg_enabled(void)
648 return code_gen_buffer != NULL;
651 void cpu_exec_init_all(void)
653 #if !defined(CONFIG_USER_ONLY)
659 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
661 static int cpu_common_post_load(void *opaque, int version_id)
663 CPUArchState *env = opaque;
665 /* 0x01 was CPU_INTERRUPT_EXIT. This line can be removed when the
666 version_id is increased. */
667 env->interrupt_request &= ~0x01;
673 static const VMStateDescription vmstate_cpu_common = {
674 .name = "cpu_common",
676 .minimum_version_id = 1,
677 .minimum_version_id_old = 1,
678 .post_load = cpu_common_post_load,
679 .fields = (VMStateField []) {
680 VMSTATE_UINT32(halted, CPUArchState),
681 VMSTATE_UINT32(interrupt_request, CPUArchState),
682 VMSTATE_END_OF_LIST()
687 CPUArchState *qemu_get_cpu(int cpu)
689 CPUArchState *env = first_cpu;
692 if (env->cpu_index == cpu)
700 void cpu_exec_init(CPUArchState *env)
702 #ifndef CONFIG_USER_ONLY
703 CPUState *cpu = ENV_GET_CPU(env);
708 #if defined(CONFIG_USER_ONLY)
711 env->next_cpu = NULL;
714 while (*penv != NULL) {
715 penv = &(*penv)->next_cpu;
718 env->cpu_index = cpu_index;
720 QTAILQ_INIT(&env->breakpoints);
721 QTAILQ_INIT(&env->watchpoints);
722 #ifndef CONFIG_USER_ONLY
723 cpu->thread_id = qemu_get_thread_id();
726 #if defined(CONFIG_USER_ONLY)
729 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
730 vmstate_register(NULL, cpu_index, &vmstate_cpu_common, env);
731 register_savevm(NULL, "cpu", cpu_index, CPU_SAVE_VERSION,
732 cpu_save, cpu_load, env);
736 /* Allocate a new translation block. Flush the translation buffer if
737 too many translation blocks or too much generated code. */
738 static TranslationBlock *tb_alloc(target_ulong pc)
740 TranslationBlock *tb;
742 if (nb_tbs >= code_gen_max_blocks ||
743 (code_gen_ptr - code_gen_buffer) >= code_gen_buffer_max_size) {
752 void tb_free(TranslationBlock *tb)
754 /* In practice this is mostly used for single use temporary TB
755 Ignore the hard cases and just back up if this TB happens to
756 be the last one generated. */
757 if (nb_tbs > 0 && tb == &tbs[nb_tbs - 1]) {
758 code_gen_ptr = tb->tc_ptr;
763 static inline void invalidate_page_bitmap(PageDesc *p)
765 if (p->code_bitmap) {
766 g_free(p->code_bitmap);
767 p->code_bitmap = NULL;
769 p->code_write_count = 0;
772 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
773 static void page_flush_tb_1(int level, void **lp)
783 for (i = 0; i < L2_SIZE; ++i) {
784 pd[i].first_tb = NULL;
785 invalidate_page_bitmap(pd + i);
790 for (i = 0; i < L2_SIZE; ++i) {
791 page_flush_tb_1(level - 1, pp + i);
796 static void page_flush_tb(void)
800 for (i = 0; i < V_L1_SIZE; i++) {
801 page_flush_tb_1(V_L1_SHIFT / L2_BITS - 1, l1_map + i);
805 /* flush all the translation blocks */
806 /* XXX: tb_flush is currently not thread safe */
807 void tb_flush(CPUArchState *env1)
811 #if defined(DEBUG_FLUSH)
812 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
813 (unsigned long)(code_gen_ptr - code_gen_buffer),
815 ((unsigned long)(code_gen_ptr - code_gen_buffer)) / nb_tbs : 0);
817 if ((unsigned long)(code_gen_ptr - code_gen_buffer)
818 > code_gen_buffer_size) {
819 cpu_abort(env1, "Internal error: code buffer overflow\n");
823 for (env = first_cpu; env != NULL; env = env->next_cpu) {
824 memset(env->tb_jmp_cache, 0, TB_JMP_CACHE_SIZE * sizeof(void *));
827 memset(tb_phys_hash, 0, CODE_GEN_PHYS_HASH_SIZE * sizeof(void *));
830 code_gen_ptr = code_gen_buffer;
831 /* XXX: flush processor icache at this point if cache flush is
836 #ifdef DEBUG_TB_CHECK
838 static void tb_invalidate_check(target_ulong address)
840 TranslationBlock *tb;
843 address &= TARGET_PAGE_MASK;
844 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
845 for (tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
846 if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
847 address >= tb->pc + tb->size)) {
848 printf("ERROR invalidate: address=" TARGET_FMT_lx
849 " PC=%08lx size=%04x\n",
850 address, (long)tb->pc, tb->size);
856 /* verify that all the pages have correct rights for code */
857 static void tb_page_check(void)
859 TranslationBlock *tb;
860 int i, flags1, flags2;
862 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
863 for (tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
864 flags1 = page_get_flags(tb->pc);
865 flags2 = page_get_flags(tb->pc + tb->size - 1);
866 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
867 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
868 (long)tb->pc, tb->size, flags1, flags2);
877 /* invalidate one TB */
878 static inline void tb_remove(TranslationBlock **ptb, TranslationBlock *tb,
881 TranslationBlock *tb1;
886 *ptb = *(TranslationBlock **)((char *)tb1 + next_offset);
889 ptb = (TranslationBlock **)((char *)tb1 + next_offset);
893 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
895 TranslationBlock *tb1;
900 n1 = (uintptr_t)tb1 & 3;
901 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
903 *ptb = tb1->page_next[n1];
906 ptb = &tb1->page_next[n1];
910 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
912 TranslationBlock *tb1, **ptb;
915 ptb = &tb->jmp_next[n];
918 /* find tb(n) in circular list */
921 n1 = (uintptr_t)tb1 & 3;
922 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
923 if (n1 == n && tb1 == tb) {
927 ptb = &tb1->jmp_first;
929 ptb = &tb1->jmp_next[n1];
932 /* now we can suppress tb(n) from the list */
933 *ptb = tb->jmp_next[n];
935 tb->jmp_next[n] = NULL;
939 /* reset the jump entry 'n' of a TB so that it is not chained to
941 static inline void tb_reset_jump(TranslationBlock *tb, int n)
943 tb_set_jmp_target(tb, n, (uintptr_t)(tb->tc_ptr + tb->tb_next_offset[n]));
946 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
951 tb_page_addr_t phys_pc;
952 TranslationBlock *tb1, *tb2;
954 /* remove the TB from the hash list */
955 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
956 h = tb_phys_hash_func(phys_pc);
957 tb_remove(&tb_phys_hash[h], tb,
958 offsetof(TranslationBlock, phys_hash_next));
960 /* remove the TB from the page list */
961 if (tb->page_addr[0] != page_addr) {
962 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
963 tb_page_remove(&p->first_tb, tb);
964 invalidate_page_bitmap(p);
966 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
967 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
968 tb_page_remove(&p->first_tb, tb);
969 invalidate_page_bitmap(p);
972 tb_invalidated_flag = 1;
974 /* remove the TB from the hash list */
975 h = tb_jmp_cache_hash_func(tb->pc);
976 for (env = first_cpu; env != NULL; env = env->next_cpu) {
977 if (env->tb_jmp_cache[h] == tb) {
978 env->tb_jmp_cache[h] = NULL;
982 /* suppress this TB from the two jump lists */
983 tb_jmp_remove(tb, 0);
984 tb_jmp_remove(tb, 1);
986 /* suppress any remaining jumps to this TB */
989 n1 = (uintptr_t)tb1 & 3;
993 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
994 tb2 = tb1->jmp_next[n1];
995 tb_reset_jump(tb1, n1);
996 tb1->jmp_next[n1] = NULL;
999 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2); /* fail safe */
1001 tb_phys_invalidate_count++;
1004 static inline void set_bits(uint8_t *tab, int start, int len)
1006 int end, mask, end1;
1010 mask = 0xff << (start & 7);
1011 if ((start & ~7) == (end & ~7)) {
1013 mask &= ~(0xff << (end & 7));
1018 start = (start + 8) & ~7;
1020 while (start < end1) {
1025 mask = ~(0xff << (end & 7));
1031 static void build_page_bitmap(PageDesc *p)
1033 int n, tb_start, tb_end;
1034 TranslationBlock *tb;
1036 p->code_bitmap = g_malloc0(TARGET_PAGE_SIZE / 8);
1039 while (tb != NULL) {
1040 n = (uintptr_t)tb & 3;
1041 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1042 /* NOTE: this is subtle as a TB may span two physical pages */
1044 /* NOTE: tb_end may be after the end of the page, but
1045 it is not a problem */
1046 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1047 tb_end = tb_start + tb->size;
1048 if (tb_end > TARGET_PAGE_SIZE) {
1049 tb_end = TARGET_PAGE_SIZE;
1053 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1055 set_bits(p->code_bitmap, tb_start, tb_end - tb_start);
1056 tb = tb->page_next[n];
1060 TranslationBlock *tb_gen_code(CPUArchState *env,
1061 target_ulong pc, target_ulong cs_base,
1062 int flags, int cflags)
1064 TranslationBlock *tb;
1066 tb_page_addr_t phys_pc, phys_page2;
1067 target_ulong virt_page2;
1070 phys_pc = get_page_addr_code(env, pc);
1073 /* flush must be done */
1075 /* cannot fail at this point */
1077 /* Don't forget to invalidate previous TB info. */
1078 tb_invalidated_flag = 1;
1080 tc_ptr = code_gen_ptr;
1081 tb->tc_ptr = tc_ptr;
1082 tb->cs_base = cs_base;
1084 tb->cflags = cflags;
1085 cpu_gen_code(env, tb, &code_gen_size);
1086 code_gen_ptr = (void *)(((uintptr_t)code_gen_ptr + code_gen_size +
1087 CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
1089 /* check next page if needed */
1090 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1092 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1093 phys_page2 = get_page_addr_code(env, virt_page2);
1095 tb_link_page(tb, phys_pc, phys_page2);
1100 * Invalidate all TBs which intersect with the target physical address range
1101 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1102 * 'is_cpu_write_access' should be true if called from a real cpu write
1103 * access: the virtual CPU will exit the current TB if code is modified inside
1106 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end,
1107 int is_cpu_write_access)
1109 while (start < end) {
1110 tb_invalidate_phys_page_range(start, end, is_cpu_write_access);
1111 start &= TARGET_PAGE_MASK;
1112 start += TARGET_PAGE_SIZE;
1117 * Invalidate all TBs which intersect with the target physical address range
1118 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1119 * 'is_cpu_write_access' should be true if called from a real cpu write
1120 * access: the virtual CPU will exit the current TB if code is modified inside
1123 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1124 int is_cpu_write_access)
1126 TranslationBlock *tb, *tb_next, *saved_tb;
1127 CPUArchState *env = cpu_single_env;
1128 tb_page_addr_t tb_start, tb_end;
1131 #ifdef TARGET_HAS_PRECISE_SMC
1132 int current_tb_not_found = is_cpu_write_access;
1133 TranslationBlock *current_tb = NULL;
1134 int current_tb_modified = 0;
1135 target_ulong current_pc = 0;
1136 target_ulong current_cs_base = 0;
1137 int current_flags = 0;
1138 #endif /* TARGET_HAS_PRECISE_SMC */
1140 p = page_find(start >> TARGET_PAGE_BITS);
1144 if (!p->code_bitmap &&
1145 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD &&
1146 is_cpu_write_access) {
1147 /* build code bitmap */
1148 build_page_bitmap(p);
1151 /* we remove all the TBs in the range [start, end[ */
1152 /* XXX: see if in some cases it could be faster to invalidate all
1155 while (tb != NULL) {
1156 n = (uintptr_t)tb & 3;
1157 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1158 tb_next = tb->page_next[n];
1159 /* NOTE: this is subtle as a TB may span two physical pages */
1161 /* NOTE: tb_end may be after the end of the page, but
1162 it is not a problem */
1163 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1164 tb_end = tb_start + tb->size;
1166 tb_start = tb->page_addr[1];
1167 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1169 if (!(tb_end <= start || tb_start >= end)) {
1170 #ifdef TARGET_HAS_PRECISE_SMC
1171 if (current_tb_not_found) {
1172 current_tb_not_found = 0;
1174 if (env->mem_io_pc) {
1175 /* now we have a real cpu fault */
1176 current_tb = tb_find_pc(env->mem_io_pc);
1179 if (current_tb == tb &&
1180 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1181 /* If we are modifying the current TB, we must stop
1182 its execution. We could be more precise by checking
1183 that the modification is after the current PC, but it
1184 would require a specialized function to partially
1185 restore the CPU state */
1187 current_tb_modified = 1;
1188 cpu_restore_state(current_tb, env, env->mem_io_pc);
1189 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1192 #endif /* TARGET_HAS_PRECISE_SMC */
1193 /* we need to do that to handle the case where a signal
1194 occurs while doing tb_phys_invalidate() */
1197 saved_tb = env->current_tb;
1198 env->current_tb = NULL;
1200 tb_phys_invalidate(tb, -1);
1202 env->current_tb = saved_tb;
1203 if (env->interrupt_request && env->current_tb) {
1204 cpu_interrupt(env, env->interrupt_request);
1210 #if !defined(CONFIG_USER_ONLY)
1211 /* if no code remaining, no need to continue to use slow writes */
1213 invalidate_page_bitmap(p);
1214 if (is_cpu_write_access) {
1215 tlb_unprotect_code_phys(env, start, env->mem_io_vaddr);
1219 #ifdef TARGET_HAS_PRECISE_SMC
1220 if (current_tb_modified) {
1221 /* we generate a block containing just the instruction
1222 modifying the memory. It will ensure that it cannot modify
1224 env->current_tb = NULL;
1225 tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1226 cpu_resume_from_signal(env, NULL);
1231 /* len must be <= 8 and start must be a multiple of len */
1232 static inline void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1239 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1240 cpu_single_env->mem_io_vaddr, len,
1241 cpu_single_env->eip,
1242 cpu_single_env->eip +
1243 (intptr_t)cpu_single_env->segs[R_CS].base);
1246 p = page_find(start >> TARGET_PAGE_BITS);
1250 if (p->code_bitmap) {
1251 offset = start & ~TARGET_PAGE_MASK;
1252 b = p->code_bitmap[offset >> 3] >> (offset & 7);
1253 if (b & ((1 << len) - 1)) {
1258 tb_invalidate_phys_page_range(start, start + len, 1);
1262 #if !defined(CONFIG_SOFTMMU)
1263 static void tb_invalidate_phys_page(tb_page_addr_t addr,
1264 uintptr_t pc, void *puc)
1266 TranslationBlock *tb;
1269 #ifdef TARGET_HAS_PRECISE_SMC
1270 TranslationBlock *current_tb = NULL;
1271 CPUArchState *env = cpu_single_env;
1272 int current_tb_modified = 0;
1273 target_ulong current_pc = 0;
1274 target_ulong current_cs_base = 0;
1275 int current_flags = 0;
1278 addr &= TARGET_PAGE_MASK;
1279 p = page_find(addr >> TARGET_PAGE_BITS);
1284 #ifdef TARGET_HAS_PRECISE_SMC
1285 if (tb && pc != 0) {
1286 current_tb = tb_find_pc(pc);
1289 while (tb != NULL) {
1290 n = (uintptr_t)tb & 3;
1291 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1292 #ifdef TARGET_HAS_PRECISE_SMC
1293 if (current_tb == tb &&
1294 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1295 /* If we are modifying the current TB, we must stop
1296 its execution. We could be more precise by checking
1297 that the modification is after the current PC, but it
1298 would require a specialized function to partially
1299 restore the CPU state */
1301 current_tb_modified = 1;
1302 cpu_restore_state(current_tb, env, pc);
1303 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1306 #endif /* TARGET_HAS_PRECISE_SMC */
1307 tb_phys_invalidate(tb, addr);
1308 tb = tb->page_next[n];
1311 #ifdef TARGET_HAS_PRECISE_SMC
1312 if (current_tb_modified) {
1313 /* we generate a block containing just the instruction
1314 modifying the memory. It will ensure that it cannot modify
1316 env->current_tb = NULL;
1317 tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1318 cpu_resume_from_signal(env, puc);
1324 /* add the tb in the target page and protect it if necessary */
1325 static inline void tb_alloc_page(TranslationBlock *tb,
1326 unsigned int n, tb_page_addr_t page_addr)
1329 #ifndef CONFIG_USER_ONLY
1330 bool page_already_protected;
1333 tb->page_addr[n] = page_addr;
1334 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1335 tb->page_next[n] = p->first_tb;
1336 #ifndef CONFIG_USER_ONLY
1337 page_already_protected = p->first_tb != NULL;
1339 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1340 invalidate_page_bitmap(p);
1342 #if defined(TARGET_HAS_SMC) || 1
1344 #if defined(CONFIG_USER_ONLY)
1345 if (p->flags & PAGE_WRITE) {
1350 /* force the host page as non writable (writes will have a
1351 page fault + mprotect overhead) */
1352 page_addr &= qemu_host_page_mask;
1354 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1355 addr += TARGET_PAGE_SIZE) {
1357 p2 = page_find(addr >> TARGET_PAGE_BITS);
1362 p2->flags &= ~PAGE_WRITE;
1364 mprotect(g2h(page_addr), qemu_host_page_size,
1365 (prot & PAGE_BITS) & ~PAGE_WRITE);
1366 #ifdef DEBUG_TB_INVALIDATE
1367 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1372 /* if some code is already present, then the pages are already
1373 protected. So we handle the case where only the first TB is
1374 allocated in a physical page */
1375 if (!page_already_protected) {
1376 tlb_protect_code(page_addr);
1380 #endif /* TARGET_HAS_SMC */
1383 /* add a new TB and link it to the physical page tables. phys_page2 is
1384 (-1) to indicate that only one page contains the TB. */
1385 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1386 tb_page_addr_t phys_page2)
1389 TranslationBlock **ptb;
1391 /* Grab the mmap lock to stop another thread invalidating this TB
1392 before we are done. */
1394 /* add in the physical hash table */
1395 h = tb_phys_hash_func(phys_pc);
1396 ptb = &tb_phys_hash[h];
1397 tb->phys_hash_next = *ptb;
1400 /* add in the page list */
1401 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1402 if (phys_page2 != -1) {
1403 tb_alloc_page(tb, 1, phys_page2);
1405 tb->page_addr[1] = -1;
1408 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2);
1409 tb->jmp_next[0] = NULL;
1410 tb->jmp_next[1] = NULL;
1412 /* init original jump addresses */
1413 if (tb->tb_next_offset[0] != 0xffff) {
1414 tb_reset_jump(tb, 0);
1416 if (tb->tb_next_offset[1] != 0xffff) {
1417 tb_reset_jump(tb, 1);
1420 #ifdef DEBUG_TB_CHECK
1426 #if defined(CONFIG_QEMU_LDST_OPTIMIZATION) && defined(CONFIG_SOFTMMU)
1427 /* check whether the given addr is in TCG generated code buffer or not */
1428 bool is_tcg_gen_code(uintptr_t tc_ptr)
1430 /* This can be called during code generation, code_gen_buffer_max_size
1431 is used instead of code_gen_ptr for upper boundary checking */
1432 return (tc_ptr >= (uintptr_t)code_gen_buffer &&
1433 tc_ptr < (uintptr_t)(code_gen_buffer + code_gen_buffer_max_size));
1437 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1438 tb[1].tc_ptr. Return NULL if not found */
1439 TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1441 int m_min, m_max, m;
1443 TranslationBlock *tb;
1448 if (tc_ptr < (uintptr_t)code_gen_buffer ||
1449 tc_ptr >= (uintptr_t)code_gen_ptr) {
1452 /* binary search (cf Knuth) */
1455 while (m_min <= m_max) {
1456 m = (m_min + m_max) >> 1;
1458 v = (uintptr_t)tb->tc_ptr;
1461 } else if (tc_ptr < v) {
1470 static void tb_reset_jump_recursive(TranslationBlock *tb);
1472 static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
1474 TranslationBlock *tb1, *tb_next, **ptb;
1477 tb1 = tb->jmp_next[n];
1479 /* find head of list */
1481 n1 = (uintptr_t)tb1 & 3;
1482 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
1486 tb1 = tb1->jmp_next[n1];
1488 /* we are now sure now that tb jumps to tb1 */
1491 /* remove tb from the jmp_first list */
1492 ptb = &tb_next->jmp_first;
1495 n1 = (uintptr_t)tb1 & 3;
1496 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
1497 if (n1 == n && tb1 == tb) {
1500 ptb = &tb1->jmp_next[n1];
1502 *ptb = tb->jmp_next[n];
1503 tb->jmp_next[n] = NULL;
1505 /* suppress the jump to next tb in generated code */
1506 tb_reset_jump(tb, n);
1508 /* suppress jumps in the tb on which we could have jumped */
1509 tb_reset_jump_recursive(tb_next);
1513 static void tb_reset_jump_recursive(TranslationBlock *tb)
1515 tb_reset_jump_recursive2(tb, 0);
1516 tb_reset_jump_recursive2(tb, 1);
1519 #if defined(TARGET_HAS_ICE)
1520 #if defined(CONFIG_USER_ONLY)
1521 static void breakpoint_invalidate(CPUArchState *env, target_ulong pc)
1523 tb_invalidate_phys_page_range(pc, pc + 1, 0);
1526 void tb_invalidate_phys_addr(hwaddr addr)
1528 ram_addr_t ram_addr;
1529 MemoryRegionSection *section;
1531 section = phys_page_find(address_space_memory.dispatch,
1532 addr >> TARGET_PAGE_BITS);
1533 if (!(memory_region_is_ram(section->mr)
1534 || (section->mr->rom_device && section->mr->readable))) {
1537 ram_addr = (memory_region_get_ram_addr(section->mr) & TARGET_PAGE_MASK)
1538 + memory_region_section_addr(section, addr);
1539 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1542 static void breakpoint_invalidate(CPUArchState *env, target_ulong pc)
1544 tb_invalidate_phys_addr(cpu_get_phys_page_debug(env, pc) |
1545 (pc & ~TARGET_PAGE_MASK));
1548 #endif /* TARGET_HAS_ICE */
1550 #if defined(CONFIG_USER_ONLY)
1551 void cpu_watchpoint_remove_all(CPUArchState *env, int mask)
1556 int cpu_watchpoint_insert(CPUArchState *env, target_ulong addr, target_ulong len,
1557 int flags, CPUWatchpoint **watchpoint)
1562 /* Add a watchpoint. */
1563 int cpu_watchpoint_insert(CPUArchState *env, target_ulong addr, target_ulong len,
1564 int flags, CPUWatchpoint **watchpoint)
1566 target_ulong len_mask = ~(len - 1);
1569 /* sanity checks: allow power-of-2 lengths, deny unaligned watchpoints */
1570 if ((len & (len - 1)) || (addr & ~len_mask) ||
1571 len == 0 || len > TARGET_PAGE_SIZE) {
1572 fprintf(stderr, "qemu: tried to set invalid watchpoint at "
1573 TARGET_FMT_lx ", len=" TARGET_FMT_lu "\n", addr, len);
1576 wp = g_malloc(sizeof(*wp));
1579 wp->len_mask = len_mask;
1582 /* keep all GDB-injected watchpoints in front */
1584 QTAILQ_INSERT_HEAD(&env->watchpoints, wp, entry);
1586 QTAILQ_INSERT_TAIL(&env->watchpoints, wp, entry);
1588 tlb_flush_page(env, addr);
1595 /* Remove a specific watchpoint. */
1596 int cpu_watchpoint_remove(CPUArchState *env, target_ulong addr, target_ulong len,
1599 target_ulong len_mask = ~(len - 1);
1602 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1603 if (addr == wp->vaddr && len_mask == wp->len_mask
1604 && flags == (wp->flags & ~BP_WATCHPOINT_HIT)) {
1605 cpu_watchpoint_remove_by_ref(env, wp);
1612 /* Remove a specific watchpoint by reference. */
1613 void cpu_watchpoint_remove_by_ref(CPUArchState *env, CPUWatchpoint *watchpoint)
1615 QTAILQ_REMOVE(&env->watchpoints, watchpoint, entry);
1617 tlb_flush_page(env, watchpoint->vaddr);
1622 /* Remove all matching watchpoints. */
1623 void cpu_watchpoint_remove_all(CPUArchState *env, int mask)
1625 CPUWatchpoint *wp, *next;
1627 QTAILQ_FOREACH_SAFE(wp, &env->watchpoints, entry, next) {
1628 if (wp->flags & mask)
1629 cpu_watchpoint_remove_by_ref(env, wp);
1634 /* Add a breakpoint. */
1635 int cpu_breakpoint_insert(CPUArchState *env, target_ulong pc, int flags,
1636 CPUBreakpoint **breakpoint)
1638 #if defined(TARGET_HAS_ICE)
1641 bp = g_malloc(sizeof(*bp));
1646 /* keep all GDB-injected breakpoints in front */
1648 QTAILQ_INSERT_HEAD(&env->breakpoints, bp, entry);
1650 QTAILQ_INSERT_TAIL(&env->breakpoints, bp, entry);
1652 breakpoint_invalidate(env, pc);
1662 /* Remove a specific breakpoint. */
1663 int cpu_breakpoint_remove(CPUArchState *env, target_ulong pc, int flags)
1665 #if defined(TARGET_HAS_ICE)
1668 QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1669 if (bp->pc == pc && bp->flags == flags) {
1670 cpu_breakpoint_remove_by_ref(env, bp);
1680 /* Remove a specific breakpoint by reference. */
1681 void cpu_breakpoint_remove_by_ref(CPUArchState *env, CPUBreakpoint *breakpoint)
1683 #if defined(TARGET_HAS_ICE)
1684 QTAILQ_REMOVE(&env->breakpoints, breakpoint, entry);
1686 breakpoint_invalidate(env, breakpoint->pc);
1692 /* Remove all matching breakpoints. */
1693 void cpu_breakpoint_remove_all(CPUArchState *env, int mask)
1695 #if defined(TARGET_HAS_ICE)
1696 CPUBreakpoint *bp, *next;
1698 QTAILQ_FOREACH_SAFE(bp, &env->breakpoints, entry, next) {
1699 if (bp->flags & mask)
1700 cpu_breakpoint_remove_by_ref(env, bp);
1705 /* enable or disable single step mode. EXCP_DEBUG is returned by the
1706 CPU loop after each instruction */
1707 void cpu_single_step(CPUArchState *env, int enabled)
1709 #if defined(TARGET_HAS_ICE)
1710 if (env->singlestep_enabled != enabled) {
1711 env->singlestep_enabled = enabled;
1713 kvm_update_guest_debug(env, 0);
1715 /* must flush all the translated code to avoid inconsistencies */
1716 /* XXX: only flush what is necessary */
1723 static void cpu_unlink_tb(CPUArchState *env)
1725 /* FIXME: TB unchaining isn't SMP safe. For now just ignore the
1726 problem and hope the cpu will stop of its own accord. For userspace
1727 emulation this often isn't actually as bad as it sounds. Often
1728 signals are used primarily to interrupt blocking syscalls. */
1729 TranslationBlock *tb;
1730 static spinlock_t interrupt_lock = SPIN_LOCK_UNLOCKED;
1732 spin_lock(&interrupt_lock);
1733 tb = env->current_tb;
1734 /* if the cpu is currently executing code, we must unlink it and
1735 all the potentially executing TB */
1737 env->current_tb = NULL;
1738 tb_reset_jump_recursive(tb);
1740 spin_unlock(&interrupt_lock);
1743 #ifndef CONFIG_USER_ONLY
1744 /* mask must never be zero, except for A20 change call */
1745 static void tcg_handle_interrupt(CPUArchState *env, int mask)
1747 CPUState *cpu = ENV_GET_CPU(env);
1750 old_mask = env->interrupt_request;
1751 env->interrupt_request |= mask;
1754 * If called from iothread context, wake the target cpu in
1757 if (!qemu_cpu_is_self(cpu)) {
1763 env->icount_decr.u16.high = 0xffff;
1765 && (mask & ~old_mask) != 0) {
1766 cpu_abort(env, "Raised interrupt while not in I/O function");
1773 CPUInterruptHandler cpu_interrupt_handler = tcg_handle_interrupt;
1775 #else /* CONFIG_USER_ONLY */
1777 void cpu_interrupt(CPUArchState *env, int mask)
1779 env->interrupt_request |= mask;
1782 #endif /* CONFIG_USER_ONLY */
1784 void cpu_reset_interrupt(CPUArchState *env, int mask)
1786 env->interrupt_request &= ~mask;
1789 void cpu_exit(CPUArchState *env)
1791 env->exit_request = 1;
1795 void cpu_abort(CPUArchState *env, const char *fmt, ...)
1802 fprintf(stderr, "qemu: fatal: ");
1803 vfprintf(stderr, fmt, ap);
1804 fprintf(stderr, "\n");
1805 cpu_dump_state(env, stderr, fprintf, CPU_DUMP_FPU | CPU_DUMP_CCOP);
1806 if (qemu_log_enabled()) {
1807 qemu_log("qemu: fatal: ");
1808 qemu_log_vprintf(fmt, ap2);
1810 log_cpu_state(env, CPU_DUMP_FPU | CPU_DUMP_CCOP);
1816 #if defined(CONFIG_USER_ONLY)
1818 struct sigaction act;
1819 sigfillset(&act.sa_mask);
1820 act.sa_handler = SIG_DFL;
1821 sigaction(SIGABRT, &act, NULL);
1827 CPUArchState *cpu_copy(CPUArchState *env)
1829 CPUArchState *new_env = cpu_init(env->cpu_model_str);
1830 CPUArchState *next_cpu = new_env->next_cpu;
1831 int cpu_index = new_env->cpu_index;
1832 #if defined(TARGET_HAS_ICE)
1837 memcpy(new_env, env, sizeof(CPUArchState));
1839 /* Preserve chaining and index. */
1840 new_env->next_cpu = next_cpu;
1841 new_env->cpu_index = cpu_index;
1843 /* Clone all break/watchpoints.
1844 Note: Once we support ptrace with hw-debug register access, make sure
1845 BP_CPU break/watchpoints are handled correctly on clone. */
1846 QTAILQ_INIT(&env->breakpoints);
1847 QTAILQ_INIT(&env->watchpoints);
1848 #if defined(TARGET_HAS_ICE)
1849 QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1850 cpu_breakpoint_insert(new_env, bp->pc, bp->flags, NULL);
1852 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1853 cpu_watchpoint_insert(new_env, wp->vaddr, (~wp->len_mask) + 1,
1861 #if !defined(CONFIG_USER_ONLY)
1862 void tb_flush_jmp_cache(CPUArchState *env, target_ulong addr)
1866 /* Discard jump cache entries for any tb which might potentially
1867 overlap the flushed page. */
1868 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1869 memset (&env->tb_jmp_cache[i], 0,
1870 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1872 i = tb_jmp_cache_hash_page(addr);
1873 memset (&env->tb_jmp_cache[i], 0,
1874 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1877 static void tlb_reset_dirty_range_all(ram_addr_t start, ram_addr_t end,
1882 /* we modify the TLB cache so that the dirty bit will be set again
1883 when accessing the range */
1884 start1 = (uintptr_t)qemu_safe_ram_ptr(start);
1885 /* Check that we don't span multiple blocks - this breaks the
1886 address comparisons below. */
1887 if ((uintptr_t)qemu_safe_ram_ptr(end - 1) - start1
1888 != (end - 1) - start) {
1891 cpu_tlb_reset_dirty_all(start1, length);
1895 /* Note: start and end must be within the same ram block. */
1896 void cpu_physical_memory_reset_dirty(ram_addr_t start, ram_addr_t end,
1901 start &= TARGET_PAGE_MASK;
1902 end = TARGET_PAGE_ALIGN(end);
1904 length = end - start;
1907 cpu_physical_memory_mask_dirty_range(start, length, dirty_flags);
1909 if (tcg_enabled()) {
1910 tlb_reset_dirty_range_all(start, end, length);
1914 static int cpu_physical_memory_set_dirty_tracking(int enable)
1917 in_migration = enable;
1921 hwaddr memory_region_section_get_iotlb(CPUArchState *env,
1922 MemoryRegionSection *section,
1926 target_ulong *address)
1931 if (memory_region_is_ram(section->mr)) {
1933 iotlb = (memory_region_get_ram_addr(section->mr) & TARGET_PAGE_MASK)
1934 + memory_region_section_addr(section, paddr);
1935 if (!section->readonly) {
1936 iotlb |= phys_section_notdirty;
1938 iotlb |= phys_section_rom;
1941 /* IO handlers are currently passed a physical address.
1942 It would be nice to pass an offset from the base address
1943 of that region. This would avoid having to special case RAM,
1944 and avoid full address decoding in every device.
1945 We can't use the high bits of pd for this because
1946 IO_MEM_ROMD uses these as a ram address. */
1947 iotlb = section - phys_sections;
1948 iotlb += memory_region_section_addr(section, paddr);
1951 /* Make accesses to pages with watchpoints go via the
1952 watchpoint trap routines. */
1953 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1954 if (vaddr == (wp->vaddr & TARGET_PAGE_MASK)) {
1955 /* Avoid trapping reads of pages with a write breakpoint. */
1956 if ((prot & PAGE_WRITE) || (wp->flags & BP_MEM_READ)) {
1957 iotlb = phys_section_watch + paddr;
1958 *address |= TLB_MMIO;
1969 * Walks guest process memory "regions" one by one
1970 * and calls callback function 'fn' for each region.
1972 struct walk_memory_regions_data {
1973 walk_memory_regions_fn fn;
1979 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1980 abi_ulong end, int new_prot)
1982 if (data->start != -1ul) {
1983 int rc = data->fn(data->priv, data->start, end, data->prot);
1989 data->start = (new_prot ? end : -1ul);
1990 data->prot = new_prot;
1995 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1996 abi_ulong base, int level, void **lp)
2002 return walk_memory_regions_end(data, base, 0);
2008 for (i = 0; i < L2_SIZE; ++i) {
2009 int prot = pd[i].flags;
2011 pa = base | (i << TARGET_PAGE_BITS);
2012 if (prot != data->prot) {
2013 rc = walk_memory_regions_end(data, pa, prot);
2022 for (i = 0; i < L2_SIZE; ++i) {
2023 pa = base | ((abi_ulong)i <<
2024 (TARGET_PAGE_BITS + L2_BITS * level));
2025 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
2035 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
2037 struct walk_memory_regions_data data;
2045 for (i = 0; i < V_L1_SIZE; i++) {
2046 int rc = walk_memory_regions_1(&data, (abi_ulong)i << V_L1_SHIFT,
2047 V_L1_SHIFT / L2_BITS - 1, l1_map + i);
2054 return walk_memory_regions_end(&data, 0, 0);
2057 static int dump_region(void *priv, abi_ulong start,
2058 abi_ulong end, unsigned long prot)
2060 FILE *f = (FILE *)priv;
2062 (void) fprintf(f, TARGET_ABI_FMT_lx"-"TARGET_ABI_FMT_lx
2063 " "TARGET_ABI_FMT_lx" %c%c%c\n",
2064 start, end, end - start,
2065 ((prot & PAGE_READ) ? 'r' : '-'),
2066 ((prot & PAGE_WRITE) ? 'w' : '-'),
2067 ((prot & PAGE_EXEC) ? 'x' : '-'));
2072 /* dump memory mappings */
2073 void page_dump(FILE *f)
2075 (void) fprintf(f, "%-8s %-8s %-8s %s\n",
2076 "start", "end", "size", "prot");
2077 walk_memory_regions(f, dump_region);
2080 int page_get_flags(target_ulong address)
2084 p = page_find(address >> TARGET_PAGE_BITS);
2091 /* Modify the flags of a page and invalidate the code if necessary.
2092 The flag PAGE_WRITE_ORG is positioned automatically depending
2093 on PAGE_WRITE. The mmap_lock should already be held. */
2094 void page_set_flags(target_ulong start, target_ulong end, int flags)
2096 target_ulong addr, len;
2098 /* This function should never be called with addresses outside the
2099 guest address space. If this assert fires, it probably indicates
2100 a missing call to h2g_valid. */
2101 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2102 assert(end < ((abi_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2104 assert(start < end);
2106 start = start & TARGET_PAGE_MASK;
2107 end = TARGET_PAGE_ALIGN(end);
2109 if (flags & PAGE_WRITE) {
2110 flags |= PAGE_WRITE_ORG;
2113 for (addr = start, len = end - start;
2115 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2116 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
2118 /* If the write protection bit is set, then we invalidate
2120 if (!(p->flags & PAGE_WRITE) &&
2121 (flags & PAGE_WRITE) &&
2123 tb_invalidate_phys_page(addr, 0, NULL);
2129 int page_check_range(target_ulong start, target_ulong len, int flags)
2135 /* This function should never be called with addresses outside the
2136 guest address space. If this assert fires, it probably indicates
2137 a missing call to h2g_valid. */
2138 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2139 assert(start < ((abi_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2145 if (start + len - 1 < start) {
2146 /* We've wrapped around. */
2150 /* must do before we loose bits in the next step */
2151 end = TARGET_PAGE_ALIGN(start + len);
2152 start = start & TARGET_PAGE_MASK;
2154 for (addr = start, len = end - start;
2156 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2157 p = page_find(addr >> TARGET_PAGE_BITS);
2161 if (!(p->flags & PAGE_VALID)) {
2165 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
2168 if (flags & PAGE_WRITE) {
2169 if (!(p->flags & PAGE_WRITE_ORG)) {
2172 /* unprotect the page if it was put read-only because it
2173 contains translated code */
2174 if (!(p->flags & PAGE_WRITE)) {
2175 if (!page_unprotect(addr, 0, NULL)) {
2185 /* called from signal handler: invalidate the code and unprotect the
2186 page. Return TRUE if the fault was successfully handled. */
2187 int page_unprotect(target_ulong address, uintptr_t pc, void *puc)
2191 target_ulong host_start, host_end, addr;
2193 /* Technically this isn't safe inside a signal handler. However we
2194 know this only ever happens in a synchronous SEGV handler, so in
2195 practice it seems to be ok. */
2198 p = page_find(address >> TARGET_PAGE_BITS);
2204 /* if the page was really writable, then we change its
2205 protection back to writable */
2206 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
2207 host_start = address & qemu_host_page_mask;
2208 host_end = host_start + qemu_host_page_size;
2211 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
2212 p = page_find(addr >> TARGET_PAGE_BITS);
2213 p->flags |= PAGE_WRITE;
2216 /* and since the content will be modified, we must invalidate
2217 the corresponding translated code. */
2218 tb_invalidate_phys_page(addr, pc, puc);
2219 #ifdef DEBUG_TB_CHECK
2220 tb_invalidate_check(addr);
2223 mprotect((void *)g2h(host_start), qemu_host_page_size,
2232 #endif /* defined(CONFIG_USER_ONLY) */
2234 #if !defined(CONFIG_USER_ONLY)
2236 #define SUBPAGE_IDX(addr) ((addr) & ~TARGET_PAGE_MASK)
2237 typedef struct subpage_t {
2240 uint16_t sub_section[TARGET_PAGE_SIZE];
2243 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
2245 static subpage_t *subpage_init(hwaddr base);
2246 static void destroy_page_desc(uint16_t section_index)
2248 MemoryRegionSection *section = &phys_sections[section_index];
2249 MemoryRegion *mr = section->mr;
2252 subpage_t *subpage = container_of(mr, subpage_t, iomem);
2253 memory_region_destroy(&subpage->iomem);
2258 static void destroy_l2_mapping(PhysPageEntry *lp, unsigned level)
2263 if (lp->ptr == PHYS_MAP_NODE_NIL) {
2267 p = phys_map_nodes[lp->ptr];
2268 for (i = 0; i < L2_SIZE; ++i) {
2269 if (!p[i].is_leaf) {
2270 destroy_l2_mapping(&p[i], level - 1);
2272 destroy_page_desc(p[i].ptr);
2276 lp->ptr = PHYS_MAP_NODE_NIL;
2279 static void destroy_all_mappings(AddressSpaceDispatch *d)
2281 destroy_l2_mapping(&d->phys_map, P_L2_LEVELS - 1);
2282 phys_map_nodes_reset();
2285 static uint16_t phys_section_add(MemoryRegionSection *section)
2287 if (phys_sections_nb == phys_sections_nb_alloc) {
2288 phys_sections_nb_alloc = MAX(phys_sections_nb_alloc * 2, 16);
2289 phys_sections = g_renew(MemoryRegionSection, phys_sections,
2290 phys_sections_nb_alloc);
2292 phys_sections[phys_sections_nb] = *section;
2293 return phys_sections_nb++;
2296 static void phys_sections_clear(void)
2298 phys_sections_nb = 0;
2301 static void register_subpage(AddressSpaceDispatch *d, MemoryRegionSection *section)
2304 hwaddr base = section->offset_within_address_space
2306 MemoryRegionSection *existing = phys_page_find(d, base >> TARGET_PAGE_BITS);
2307 MemoryRegionSection subsection = {
2308 .offset_within_address_space = base,
2309 .size = TARGET_PAGE_SIZE,
2313 assert(existing->mr->subpage || existing->mr == &io_mem_unassigned);
2315 if (!(existing->mr->subpage)) {
2316 subpage = subpage_init(base);
2317 subsection.mr = &subpage->iomem;
2318 phys_page_set(d, base >> TARGET_PAGE_BITS, 1,
2319 phys_section_add(&subsection));
2321 subpage = container_of(existing->mr, subpage_t, iomem);
2323 start = section->offset_within_address_space & ~TARGET_PAGE_MASK;
2324 end = start + section->size - 1;
2325 subpage_register(subpage, start, end, phys_section_add(section));
2329 static void register_multipage(AddressSpaceDispatch *d, MemoryRegionSection *section)
2331 hwaddr start_addr = section->offset_within_address_space;
2332 ram_addr_t size = section->size;
2334 uint16_t section_index = phys_section_add(section);
2339 phys_page_set(d, addr >> TARGET_PAGE_BITS, size >> TARGET_PAGE_BITS,
2343 static void mem_add(MemoryListener *listener, MemoryRegionSection *section)
2345 AddressSpaceDispatch *d = container_of(listener, AddressSpaceDispatch, listener);
2346 MemoryRegionSection now = *section, remain = *section;
2348 if ((now.offset_within_address_space & ~TARGET_PAGE_MASK)
2349 || (now.size < TARGET_PAGE_SIZE)) {
2350 now.size = MIN(TARGET_PAGE_ALIGN(now.offset_within_address_space)
2351 - now.offset_within_address_space,
2353 register_subpage(d, &now);
2354 remain.size -= now.size;
2355 remain.offset_within_address_space += now.size;
2356 remain.offset_within_region += now.size;
2358 while (remain.size >= TARGET_PAGE_SIZE) {
2360 if (remain.offset_within_region & ~TARGET_PAGE_MASK) {
2361 now.size = TARGET_PAGE_SIZE;
2362 register_subpage(d, &now);
2364 now.size &= TARGET_PAGE_MASK;
2365 register_multipage(d, &now);
2367 remain.size -= now.size;
2368 remain.offset_within_address_space += now.size;
2369 remain.offset_within_region += now.size;
2373 register_subpage(d, &now);
2377 void qemu_flush_coalesced_mmio_buffer(void)
2380 kvm_flush_coalesced_mmio_buffer();
2383 #if defined(__linux__) && !defined(TARGET_S390X)
2385 #include <sys/vfs.h>
2387 #define HUGETLBFS_MAGIC 0x958458f6
2389 static long gethugepagesize(const char *path)
2395 ret = statfs(path, &fs);
2396 } while (ret != 0 && errno == EINTR);
2403 if (fs.f_type != HUGETLBFS_MAGIC)
2404 fprintf(stderr, "Warning: path not on HugeTLBFS: %s\n", path);
2409 static void *file_ram_alloc(RAMBlock *block,
2419 unsigned long hpagesize;
2421 hpagesize = gethugepagesize(path);
2426 if (memory < hpagesize) {
2430 if (kvm_enabled() && !kvm_has_sync_mmu()) {
2431 fprintf(stderr, "host lacks kvm mmu notifiers, -mem-path unsupported\n");
2435 if (asprintf(&filename, "%s/qemu_back_mem.XXXXXX", path) == -1) {
2439 fd = mkstemp(filename);
2441 perror("unable to create backing store for hugepages");
2448 memory = (memory+hpagesize-1) & ~(hpagesize-1);
2451 * ftruncate is not supported by hugetlbfs in older
2452 * hosts, so don't bother bailing out on errors.
2453 * If anything goes wrong with it under other filesystems,
2456 if (ftruncate(fd, memory))
2457 perror("ftruncate");
2460 /* NB: MAP_POPULATE won't exhaustively alloc all phys pages in the case
2461 * MAP_PRIVATE is requested. For mem_prealloc we mmap as MAP_SHARED
2462 * to sidestep this quirk.
2464 flags = mem_prealloc ? MAP_POPULATE | MAP_SHARED : MAP_PRIVATE;
2465 area = mmap(0, memory, PROT_READ | PROT_WRITE, flags, fd, 0);
2467 area = mmap(0, memory, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
2469 if (area == MAP_FAILED) {
2470 perror("file_ram_alloc: can't mmap RAM pages");
2479 static ram_addr_t find_ram_offset(ram_addr_t size)
2481 RAMBlock *block, *next_block;
2482 ram_addr_t offset = RAM_ADDR_MAX, mingap = RAM_ADDR_MAX;
2484 if (QLIST_EMPTY(&ram_list.blocks))
2487 QLIST_FOREACH(block, &ram_list.blocks, next) {
2488 ram_addr_t end, next = RAM_ADDR_MAX;
2490 end = block->offset + block->length;
2492 QLIST_FOREACH(next_block, &ram_list.blocks, next) {
2493 if (next_block->offset >= end) {
2494 next = MIN(next, next_block->offset);
2497 if (next - end >= size && next - end < mingap) {
2499 mingap = next - end;
2503 if (offset == RAM_ADDR_MAX) {
2504 fprintf(stderr, "Failed to find gap of requested size: %" PRIu64 "\n",
2512 ram_addr_t last_ram_offset(void)
2515 ram_addr_t last = 0;
2517 QLIST_FOREACH(block, &ram_list.blocks, next)
2518 last = MAX(last, block->offset + block->length);
2523 static void qemu_ram_setup_dump(void *addr, ram_addr_t size)
2526 QemuOpts *machine_opts;
2528 /* Use MADV_DONTDUMP, if user doesn't want the guest memory in the core */
2529 machine_opts = qemu_opts_find(qemu_find_opts("machine"), 0);
2531 !qemu_opt_get_bool(machine_opts, "dump-guest-core", true)) {
2532 ret = qemu_madvise(addr, size, QEMU_MADV_DONTDUMP);
2534 perror("qemu_madvise");
2535 fprintf(stderr, "madvise doesn't support MADV_DONTDUMP, "
2536 "but dump_guest_core=off specified\n");
2541 void qemu_ram_set_idstr(ram_addr_t addr, const char *name, DeviceState *dev)
2543 RAMBlock *new_block, *block;
2546 QLIST_FOREACH(block, &ram_list.blocks, next) {
2547 if (block->offset == addr) {
2553 assert(!new_block->idstr[0]);
2556 char *id = qdev_get_dev_path(dev);
2558 snprintf(new_block->idstr, sizeof(new_block->idstr), "%s/", id);
2562 pstrcat(new_block->idstr, sizeof(new_block->idstr), name);
2564 QLIST_FOREACH(block, &ram_list.blocks, next) {
2565 if (block != new_block && !strcmp(block->idstr, new_block->idstr)) {
2566 fprintf(stderr, "RAMBlock \"%s\" already registered, abort!\n",
2573 static int memory_try_enable_merging(void *addr, size_t len)
2577 opts = qemu_opts_find(qemu_find_opts("machine"), 0);
2578 if (opts && !qemu_opt_get_bool(opts, "mem-merge", true)) {
2579 /* disabled by the user */
2583 return qemu_madvise(addr, len, QEMU_MADV_MERGEABLE);
2586 ram_addr_t qemu_ram_alloc_from_ptr(ram_addr_t size, void *host,
2589 RAMBlock *new_block;
2591 size = TARGET_PAGE_ALIGN(size);
2592 new_block = g_malloc0(sizeof(*new_block));
2595 new_block->offset = find_ram_offset(size);
2597 new_block->host = host;
2598 new_block->flags |= RAM_PREALLOC_MASK;
2601 #if defined (__linux__) && !defined(TARGET_S390X)
2602 new_block->host = file_ram_alloc(new_block, size, mem_path);
2603 if (!new_block->host) {
2604 new_block->host = qemu_vmalloc(size);
2605 memory_try_enable_merging(new_block->host, size);
2608 fprintf(stderr, "-mem-path option unsupported\n");
2612 if (xen_enabled()) {
2613 xen_ram_alloc(new_block->offset, size, mr);
2614 } else if (kvm_enabled()) {
2615 /* some s390/kvm configurations have special constraints */
2616 new_block->host = kvm_vmalloc(size);
2618 new_block->host = qemu_vmalloc(size);
2620 memory_try_enable_merging(new_block->host, size);
2623 new_block->length = size;
2625 QLIST_INSERT_HEAD(&ram_list.blocks, new_block, next);
2627 ram_list.phys_dirty = g_realloc(ram_list.phys_dirty,
2628 last_ram_offset() >> TARGET_PAGE_BITS);
2629 memset(ram_list.phys_dirty + (new_block->offset >> TARGET_PAGE_BITS),
2630 0, size >> TARGET_PAGE_BITS);
2631 cpu_physical_memory_set_dirty_range(new_block->offset, size, 0xff);
2633 qemu_ram_setup_dump(new_block->host, size);
2634 qemu_madvise(new_block->host, size, QEMU_MADV_HUGEPAGE);
2637 kvm_setup_guest_memory(new_block->host, size);
2639 return new_block->offset;
2642 ram_addr_t qemu_ram_alloc(ram_addr_t size, MemoryRegion *mr)
2644 return qemu_ram_alloc_from_ptr(size, NULL, mr);
2647 void qemu_ram_free_from_ptr(ram_addr_t addr)
2651 QLIST_FOREACH(block, &ram_list.blocks, next) {
2652 if (addr == block->offset) {
2653 QLIST_REMOVE(block, next);
2660 void qemu_ram_free(ram_addr_t addr)
2664 QLIST_FOREACH(block, &ram_list.blocks, next) {
2665 if (addr == block->offset) {
2666 QLIST_REMOVE(block, next);
2667 if (block->flags & RAM_PREALLOC_MASK) {
2669 } else if (mem_path) {
2670 #if defined (__linux__) && !defined(TARGET_S390X)
2672 munmap(block->host, block->length);
2675 qemu_vfree(block->host);
2681 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2682 munmap(block->host, block->length);
2684 if (xen_enabled()) {
2685 xen_invalidate_map_cache_entry(block->host);
2687 qemu_vfree(block->host);
2699 void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
2706 QLIST_FOREACH(block, &ram_list.blocks, next) {
2707 offset = addr - block->offset;
2708 if (offset < block->length) {
2709 vaddr = block->host + offset;
2710 if (block->flags & RAM_PREALLOC_MASK) {
2714 munmap(vaddr, length);
2716 #if defined(__linux__) && !defined(TARGET_S390X)
2719 flags |= mem_prealloc ? MAP_POPULATE | MAP_SHARED :
2722 flags |= MAP_PRIVATE;
2724 area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2725 flags, block->fd, offset);
2727 flags |= MAP_PRIVATE | MAP_ANONYMOUS;
2728 area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2735 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2736 flags |= MAP_SHARED | MAP_ANONYMOUS;
2737 area = mmap(vaddr, length, PROT_EXEC|PROT_READ|PROT_WRITE,
2740 flags |= MAP_PRIVATE | MAP_ANONYMOUS;
2741 area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2745 if (area != vaddr) {
2746 fprintf(stderr, "Could not remap addr: "
2747 RAM_ADDR_FMT "@" RAM_ADDR_FMT "\n",
2751 memory_try_enable_merging(vaddr, length);
2752 qemu_ram_setup_dump(vaddr, length);
2758 #endif /* !_WIN32 */
2760 /* Return a host pointer to ram allocated with qemu_ram_alloc.
2761 With the exception of the softmmu code in this file, this should
2762 only be used for local memory (e.g. video ram) that the device owns,
2763 and knows it isn't going to access beyond the end of the block.
2765 It should not be used for general purpose DMA.
2766 Use cpu_physical_memory_map/cpu_physical_memory_rw instead.
2768 void *qemu_get_ram_ptr(ram_addr_t addr)
2772 QLIST_FOREACH(block, &ram_list.blocks, next) {
2773 if (addr - block->offset < block->length) {
2774 /* Move this entry to to start of the list. */
2775 if (block != QLIST_FIRST(&ram_list.blocks)) {
2776 QLIST_REMOVE(block, next);
2777 QLIST_INSERT_HEAD(&ram_list.blocks, block, next);
2779 if (xen_enabled()) {
2780 /* We need to check if the requested address is in the RAM
2781 * because we don't want to map the entire memory in QEMU.
2782 * In that case just map until the end of the page.
2784 if (block->offset == 0) {
2785 return xen_map_cache(addr, 0, 0);
2786 } else if (block->host == NULL) {
2788 xen_map_cache(block->offset, block->length, 1);
2791 return block->host + (addr - block->offset);
2795 fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2801 /* Return a host pointer to ram allocated with qemu_ram_alloc.
2802 * Same as qemu_get_ram_ptr but avoid reordering ramblocks.
2804 static void *qemu_safe_ram_ptr(ram_addr_t addr)
2808 QLIST_FOREACH(block, &ram_list.blocks, next) {
2809 if (addr - block->offset < block->length) {
2810 if (xen_enabled()) {
2811 /* We need to check if the requested address is in the RAM
2812 * because we don't want to map the entire memory in QEMU.
2813 * In that case just map until the end of the page.
2815 if (block->offset == 0) {
2816 return xen_map_cache(addr, 0, 0);
2817 } else if (block->host == NULL) {
2819 xen_map_cache(block->offset, block->length, 1);
2822 return block->host + (addr - block->offset);
2826 fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2832 /* Return a host pointer to guest's ram. Similar to qemu_get_ram_ptr
2833 * but takes a size argument */
2834 static void *qemu_ram_ptr_length(ram_addr_t addr, ram_addr_t *size)
2839 if (xen_enabled()) {
2840 return xen_map_cache(addr, *size, 1);
2844 QLIST_FOREACH(block, &ram_list.blocks, next) {
2845 if (addr - block->offset < block->length) {
2846 if (addr - block->offset + *size > block->length)
2847 *size = block->length - addr + block->offset;
2848 return block->host + (addr - block->offset);
2852 fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2857 void qemu_put_ram_ptr(void *addr)
2859 trace_qemu_put_ram_ptr(addr);
2862 int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr)
2865 uint8_t *host = ptr;
2867 if (xen_enabled()) {
2868 *ram_addr = xen_ram_addr_from_mapcache(ptr);
2872 QLIST_FOREACH(block, &ram_list.blocks, next) {
2873 /* This case append when the block is not mapped. */
2874 if (block->host == NULL) {
2877 if (host - block->host < block->length) {
2878 *ram_addr = block->offset + (host - block->host);
2886 /* Some of the softmmu routines need to translate from a host pointer
2887 (typically a TLB entry) back to a ram offset. */
2888 ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
2890 ram_addr_t ram_addr;
2892 if (qemu_ram_addr_from_host(ptr, &ram_addr)) {
2893 fprintf(stderr, "Bad ram pointer %p\n", ptr);
2899 static uint64_t unassigned_mem_read(void *opaque, hwaddr addr,
2902 #ifdef DEBUG_UNASSIGNED
2903 printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2905 #if defined(TARGET_ALPHA) || defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2906 cpu_unassigned_access(cpu_single_env, addr, 0, 0, 0, size);
2911 static void unassigned_mem_write(void *opaque, hwaddr addr,
2912 uint64_t val, unsigned size)
2914 #ifdef DEBUG_UNASSIGNED
2915 printf("Unassigned mem write " TARGET_FMT_plx " = 0x%"PRIx64"\n", addr, val);
2917 #if defined(TARGET_ALPHA) || defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2918 cpu_unassigned_access(cpu_single_env, addr, 1, 0, 0, size);
2922 static const MemoryRegionOps unassigned_mem_ops = {
2923 .read = unassigned_mem_read,
2924 .write = unassigned_mem_write,
2925 .endianness = DEVICE_NATIVE_ENDIAN,
2928 static uint64_t error_mem_read(void *opaque, hwaddr addr,
2934 static void error_mem_write(void *opaque, hwaddr addr,
2935 uint64_t value, unsigned size)
2940 static const MemoryRegionOps error_mem_ops = {
2941 .read = error_mem_read,
2942 .write = error_mem_write,
2943 .endianness = DEVICE_NATIVE_ENDIAN,
2946 static const MemoryRegionOps rom_mem_ops = {
2947 .read = error_mem_read,
2948 .write = unassigned_mem_write,
2949 .endianness = DEVICE_NATIVE_ENDIAN,
2952 static void notdirty_mem_write(void *opaque, hwaddr ram_addr,
2953 uint64_t val, unsigned size)
2956 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2957 if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2958 #if !defined(CONFIG_USER_ONLY)
2959 tb_invalidate_phys_page_fast(ram_addr, size);
2960 dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2965 stb_p(qemu_get_ram_ptr(ram_addr), val);
2968 stw_p(qemu_get_ram_ptr(ram_addr), val);
2971 stl_p(qemu_get_ram_ptr(ram_addr), val);
2976 dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2977 cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2978 /* we remove the notdirty callback only if the code has been
2980 if (dirty_flags == 0xff)
2981 tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2984 static const MemoryRegionOps notdirty_mem_ops = {
2985 .read = error_mem_read,
2986 .write = notdirty_mem_write,
2987 .endianness = DEVICE_NATIVE_ENDIAN,
2990 static void tb_check_watchpoint(CPUArchState *env)
2992 TranslationBlock *tb;
2994 tb = tb_find_pc(env->mem_io_pc);
2996 cpu_abort(env, "check_watchpoint: could not find TB for pc=%p",
2997 (void *)env->mem_io_pc);
2999 cpu_restore_state(tb, env, env->mem_io_pc);
3000 tb_phys_invalidate(tb, -1);
3003 /* Generate a debug exception if a watchpoint has been hit. */
3004 static void check_watchpoint(int offset, int len_mask, int flags)
3006 CPUArchState *env = cpu_single_env;
3007 target_ulong pc, cs_base;
3012 if (env->watchpoint_hit) {
3013 /* We re-entered the check after replacing the TB. Now raise
3014 * the debug interrupt so that is will trigger after the
3015 * current instruction. */
3016 cpu_interrupt(env, CPU_INTERRUPT_DEBUG);
3019 vaddr = (env->mem_io_vaddr & TARGET_PAGE_MASK) + offset;
3020 QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
3021 if ((vaddr == (wp->vaddr & len_mask) ||
3022 (vaddr & wp->len_mask) == wp->vaddr) && (wp->flags & flags)) {
3023 wp->flags |= BP_WATCHPOINT_HIT;
3024 if (!env->watchpoint_hit) {
3025 env->watchpoint_hit = wp;
3026 tb_check_watchpoint(env);
3027 if (wp->flags & BP_STOP_BEFORE_ACCESS) {
3028 env->exception_index = EXCP_DEBUG;
3031 cpu_get_tb_cpu_state(env, &pc, &cs_base, &cpu_flags);
3032 tb_gen_code(env, pc, cs_base, cpu_flags, 1);
3033 cpu_resume_from_signal(env, NULL);
3037 wp->flags &= ~BP_WATCHPOINT_HIT;
3042 /* Watchpoint access routines. Watchpoints are inserted using TLB tricks,
3043 so these check for a hit then pass through to the normal out-of-line
3045 static uint64_t watch_mem_read(void *opaque, hwaddr addr,
3048 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~(size - 1), BP_MEM_READ);
3050 case 1: return ldub_phys(addr);
3051 case 2: return lduw_phys(addr);
3052 case 4: return ldl_phys(addr);
3057 static void watch_mem_write(void *opaque, hwaddr addr,
3058 uint64_t val, unsigned size)
3060 check_watchpoint(addr & ~TARGET_PAGE_MASK, ~(size - 1), BP_MEM_WRITE);
3063 stb_phys(addr, val);
3066 stw_phys(addr, val);
3069 stl_phys(addr, val);
3075 static const MemoryRegionOps watch_mem_ops = {
3076 .read = watch_mem_read,
3077 .write = watch_mem_write,
3078 .endianness = DEVICE_NATIVE_ENDIAN,
3081 static uint64_t subpage_read(void *opaque, hwaddr addr,
3084 subpage_t *mmio = opaque;
3085 unsigned int idx = SUBPAGE_IDX(addr);
3086 MemoryRegionSection *section;
3087 #if defined(DEBUG_SUBPAGE)
3088 printf("%s: subpage %p len %d addr " TARGET_FMT_plx " idx %d\n", __func__,
3089 mmio, len, addr, idx);
3092 section = &phys_sections[mmio->sub_section[idx]];
3094 addr -= section->offset_within_address_space;
3095 addr += section->offset_within_region;
3096 return io_mem_read(section->mr, addr, len);
3099 static void subpage_write(void *opaque, hwaddr addr,
3100 uint64_t value, unsigned len)
3102 subpage_t *mmio = opaque;
3103 unsigned int idx = SUBPAGE_IDX(addr);
3104 MemoryRegionSection *section;
3105 #if defined(DEBUG_SUBPAGE)
3106 printf("%s: subpage %p len %d addr " TARGET_FMT_plx
3107 " idx %d value %"PRIx64"\n",
3108 __func__, mmio, len, addr, idx, value);
3111 section = &phys_sections[mmio->sub_section[idx]];
3113 addr -= section->offset_within_address_space;
3114 addr += section->offset_within_region;
3115 io_mem_write(section->mr, addr, value, len);
3118 static const MemoryRegionOps subpage_ops = {
3119 .read = subpage_read,
3120 .write = subpage_write,
3121 .endianness = DEVICE_NATIVE_ENDIAN,
3124 static uint64_t subpage_ram_read(void *opaque, hwaddr addr,
3127 ram_addr_t raddr = addr;
3128 void *ptr = qemu_get_ram_ptr(raddr);
3130 case 1: return ldub_p(ptr);
3131 case 2: return lduw_p(ptr);
3132 case 4: return ldl_p(ptr);
3137 static void subpage_ram_write(void *opaque, hwaddr addr,
3138 uint64_t value, unsigned size)
3140 ram_addr_t raddr = addr;
3141 void *ptr = qemu_get_ram_ptr(raddr);
3143 case 1: return stb_p(ptr, value);
3144 case 2: return stw_p(ptr, value);
3145 case 4: return stl_p(ptr, value);
3150 static const MemoryRegionOps subpage_ram_ops = {
3151 .read = subpage_ram_read,
3152 .write = subpage_ram_write,
3153 .endianness = DEVICE_NATIVE_ENDIAN,
3156 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
3161 if (start >= TARGET_PAGE_SIZE || end >= TARGET_PAGE_SIZE)
3163 idx = SUBPAGE_IDX(start);
3164 eidx = SUBPAGE_IDX(end);
3165 #if defined(DEBUG_SUBPAGE)
3166 printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
3167 mmio, start, end, idx, eidx, memory);
3169 if (memory_region_is_ram(phys_sections[section].mr)) {
3170 MemoryRegionSection new_section = phys_sections[section];
3171 new_section.mr = &io_mem_subpage_ram;
3172 section = phys_section_add(&new_section);
3174 for (; idx <= eidx; idx++) {
3175 mmio->sub_section[idx] = section;
3181 static subpage_t *subpage_init(hwaddr base)
3185 mmio = g_malloc0(sizeof(subpage_t));
3188 memory_region_init_io(&mmio->iomem, &subpage_ops, mmio,
3189 "subpage", TARGET_PAGE_SIZE);
3190 mmio->iomem.subpage = true;
3191 #if defined(DEBUG_SUBPAGE)
3192 printf("%s: %p base " TARGET_FMT_plx " len %08x %d\n", __func__,
3193 mmio, base, TARGET_PAGE_SIZE, subpage_memory);
3195 subpage_register(mmio, 0, TARGET_PAGE_SIZE-1, phys_section_unassigned);
3200 static uint16_t dummy_section(MemoryRegion *mr)
3202 MemoryRegionSection section = {
3204 .offset_within_address_space = 0,
3205 .offset_within_region = 0,
3209 return phys_section_add(§ion);
3212 MemoryRegion *iotlb_to_region(hwaddr index)
3214 return phys_sections[index & ~TARGET_PAGE_MASK].mr;
3217 static void io_mem_init(void)
3219 memory_region_init_io(&io_mem_ram, &error_mem_ops, NULL, "ram", UINT64_MAX);
3220 memory_region_init_io(&io_mem_rom, &rom_mem_ops, NULL, "rom", UINT64_MAX);
3221 memory_region_init_io(&io_mem_unassigned, &unassigned_mem_ops, NULL,
3222 "unassigned", UINT64_MAX);
3223 memory_region_init_io(&io_mem_notdirty, ¬dirty_mem_ops, NULL,
3224 "notdirty", UINT64_MAX);
3225 memory_region_init_io(&io_mem_subpage_ram, &subpage_ram_ops, NULL,
3226 "subpage-ram", UINT64_MAX);
3227 memory_region_init_io(&io_mem_watch, &watch_mem_ops, NULL,
3228 "watch", UINT64_MAX);
3231 static void mem_begin(MemoryListener *listener)
3233 AddressSpaceDispatch *d = container_of(listener, AddressSpaceDispatch, listener);
3235 destroy_all_mappings(d);
3236 d->phys_map.ptr = PHYS_MAP_NODE_NIL;
3239 static void core_begin(MemoryListener *listener)
3241 phys_sections_clear();
3242 phys_section_unassigned = dummy_section(&io_mem_unassigned);
3243 phys_section_notdirty = dummy_section(&io_mem_notdirty);
3244 phys_section_rom = dummy_section(&io_mem_rom);
3245 phys_section_watch = dummy_section(&io_mem_watch);
3248 static void tcg_commit(MemoryListener *listener)
3252 /* since each CPU stores ram addresses in its TLB cache, we must
3253 reset the modified entries */
3255 for(env = first_cpu; env != NULL; env = env->next_cpu) {
3260 static void core_log_global_start(MemoryListener *listener)
3262 cpu_physical_memory_set_dirty_tracking(1);
3265 static void core_log_global_stop(MemoryListener *listener)
3267 cpu_physical_memory_set_dirty_tracking(0);
3270 static void io_region_add(MemoryListener *listener,
3271 MemoryRegionSection *section)
3273 MemoryRegionIORange *mrio = g_new(MemoryRegionIORange, 1);
3275 mrio->mr = section->mr;
3276 mrio->offset = section->offset_within_region;
3277 iorange_init(&mrio->iorange, &memory_region_iorange_ops,
3278 section->offset_within_address_space, section->size);
3279 ioport_register(&mrio->iorange);
3282 static void io_region_del(MemoryListener *listener,
3283 MemoryRegionSection *section)
3285 isa_unassign_ioport(section->offset_within_address_space, section->size);
3288 static MemoryListener core_memory_listener = {
3289 .begin = core_begin,
3290 .log_global_start = core_log_global_start,
3291 .log_global_stop = core_log_global_stop,
3295 static MemoryListener io_memory_listener = {
3296 .region_add = io_region_add,
3297 .region_del = io_region_del,
3301 static MemoryListener tcg_memory_listener = {
3302 .commit = tcg_commit,
3305 void address_space_init_dispatch(AddressSpace *as)
3307 AddressSpaceDispatch *d = g_new(AddressSpaceDispatch, 1);
3309 d->phys_map = (PhysPageEntry) { .ptr = PHYS_MAP_NODE_NIL, .is_leaf = 0 };
3310 d->listener = (MemoryListener) {
3312 .region_add = mem_add,
3313 .region_nop = mem_add,
3317 memory_listener_register(&d->listener, as);
3320 void address_space_destroy_dispatch(AddressSpace *as)
3322 AddressSpaceDispatch *d = as->dispatch;
3324 memory_listener_unregister(&d->listener);
3325 destroy_l2_mapping(&d->phys_map, P_L2_LEVELS - 1);
3327 as->dispatch = NULL;
3330 static void memory_map_init(void)
3332 system_memory = g_malloc(sizeof(*system_memory));
3333 memory_region_init(system_memory, "system", INT64_MAX);
3334 address_space_init(&address_space_memory, system_memory);
3335 address_space_memory.name = "memory";
3337 system_io = g_malloc(sizeof(*system_io));
3338 memory_region_init(system_io, "io", 65536);
3339 address_space_init(&address_space_io, system_io);
3340 address_space_io.name = "I/O";
3342 memory_listener_register(&core_memory_listener, &address_space_memory);
3343 memory_listener_register(&io_memory_listener, &address_space_io);
3344 memory_listener_register(&tcg_memory_listener, &address_space_memory);
3346 dma_context_init(&dma_context_memory, &address_space_memory,
3350 MemoryRegion *get_system_memory(void)
3352 return system_memory;
3355 MemoryRegion *get_system_io(void)
3360 #endif /* !defined(CONFIG_USER_ONLY) */
3362 /* physical memory access (slow version, mainly for debug) */
3363 #if defined(CONFIG_USER_ONLY)
3364 int cpu_memory_rw_debug(CPUArchState *env, target_ulong addr,
3365 uint8_t *buf, int len, int is_write)
3372 page = addr & TARGET_PAGE_MASK;
3373 l = (page + TARGET_PAGE_SIZE) - addr;
3376 flags = page_get_flags(page);
3377 if (!(flags & PAGE_VALID))
3380 if (!(flags & PAGE_WRITE))
3382 /* XXX: this code should not depend on lock_user */
3383 if (!(p = lock_user(VERIFY_WRITE, addr, l, 0)))
3386 unlock_user(p, addr, l);
3388 if (!(flags & PAGE_READ))
3390 /* XXX: this code should not depend on lock_user */
3391 if (!(p = lock_user(VERIFY_READ, addr, l, 1)))
3394 unlock_user(p, addr, 0);
3405 static void invalidate_and_set_dirty(hwaddr addr,
3408 if (!cpu_physical_memory_is_dirty(addr)) {
3409 /* invalidate code */
3410 tb_invalidate_phys_page_range(addr, addr + length, 0);
3412 cpu_physical_memory_set_dirty_flags(addr, (0xff & ~CODE_DIRTY_FLAG));
3414 xen_modified_memory(addr, length);
3417 void address_space_rw(AddressSpace *as, hwaddr addr, uint8_t *buf,
3418 int len, bool is_write)
3420 AddressSpaceDispatch *d = as->dispatch;
3425 MemoryRegionSection *section;
3428 page = addr & TARGET_PAGE_MASK;
3429 l = (page + TARGET_PAGE_SIZE) - addr;
3432 section = phys_page_find(d, page >> TARGET_PAGE_BITS);
3435 if (!memory_region_is_ram(section->mr)) {
3437 addr1 = memory_region_section_addr(section, addr);
3438 /* XXX: could force cpu_single_env to NULL to avoid
3440 if (l >= 4 && ((addr1 & 3) == 0)) {
3441 /* 32 bit write access */
3443 io_mem_write(section->mr, addr1, val, 4);
3445 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3446 /* 16 bit write access */
3448 io_mem_write(section->mr, addr1, val, 2);
3451 /* 8 bit write access */
3453 io_mem_write(section->mr, addr1, val, 1);
3456 } else if (!section->readonly) {
3458 addr1 = memory_region_get_ram_addr(section->mr)
3459 + memory_region_section_addr(section, addr);
3461 ptr = qemu_get_ram_ptr(addr1);
3462 memcpy(ptr, buf, l);
3463 invalidate_and_set_dirty(addr1, l);
3464 qemu_put_ram_ptr(ptr);
3467 if (!(memory_region_is_ram(section->mr) ||
3468 memory_region_is_romd(section->mr))) {
3471 addr1 = memory_region_section_addr(section, addr);
3472 if (l >= 4 && ((addr1 & 3) == 0)) {
3473 /* 32 bit read access */
3474 val = io_mem_read(section->mr, addr1, 4);
3477 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3478 /* 16 bit read access */
3479 val = io_mem_read(section->mr, addr1, 2);
3483 /* 8 bit read access */
3484 val = io_mem_read(section->mr, addr1, 1);
3490 ptr = qemu_get_ram_ptr(section->mr->ram_addr
3491 + memory_region_section_addr(section,
3493 memcpy(buf, ptr, l);
3494 qemu_put_ram_ptr(ptr);
3503 void address_space_write(AddressSpace *as, hwaddr addr,
3504 const uint8_t *buf, int len)
3506 address_space_rw(as, addr, (uint8_t *)buf, len, true);
3510 * address_space_read: read from an address space.
3512 * @as: #AddressSpace to be accessed
3513 * @addr: address within that address space
3514 * @buf: buffer with the data transferred
3516 void address_space_read(AddressSpace *as, hwaddr addr, uint8_t *buf, int len)
3518 address_space_rw(as, addr, buf, len, false);
3522 void cpu_physical_memory_rw(hwaddr addr, uint8_t *buf,
3523 int len, int is_write)
3525 return address_space_rw(&address_space_memory, addr, buf, len, is_write);
3528 /* used for ROM loading : can write in RAM and ROM */
3529 void cpu_physical_memory_write_rom(hwaddr addr,
3530 const uint8_t *buf, int len)
3532 AddressSpaceDispatch *d = address_space_memory.dispatch;
3536 MemoryRegionSection *section;
3539 page = addr & TARGET_PAGE_MASK;
3540 l = (page + TARGET_PAGE_SIZE) - addr;
3543 section = phys_page_find(d, page >> TARGET_PAGE_BITS);
3545 if (!(memory_region_is_ram(section->mr) ||
3546 memory_region_is_romd(section->mr))) {
3549 unsigned long addr1;
3550 addr1 = memory_region_get_ram_addr(section->mr)
3551 + memory_region_section_addr(section, addr);
3553 ptr = qemu_get_ram_ptr(addr1);
3554 memcpy(ptr, buf, l);
3555 invalidate_and_set_dirty(addr1, l);
3556 qemu_put_ram_ptr(ptr);
3570 static BounceBuffer bounce;
3572 typedef struct MapClient {
3574 void (*callback)(void *opaque);
3575 QLIST_ENTRY(MapClient) link;
3578 static QLIST_HEAD(map_client_list, MapClient) map_client_list
3579 = QLIST_HEAD_INITIALIZER(map_client_list);
3581 void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
3583 MapClient *client = g_malloc(sizeof(*client));
3585 client->opaque = opaque;
3586 client->callback = callback;
3587 QLIST_INSERT_HEAD(&map_client_list, client, link);
3591 static void cpu_unregister_map_client(void *_client)
3593 MapClient *client = (MapClient *)_client;
3595 QLIST_REMOVE(client, link);
3599 static void cpu_notify_map_clients(void)
3603 while (!QLIST_EMPTY(&map_client_list)) {
3604 client = QLIST_FIRST(&map_client_list);
3605 client->callback(client->opaque);
3606 cpu_unregister_map_client(client);
3610 /* Map a physical memory region into a host virtual address.
3611 * May map a subset of the requested range, given by and returned in *plen.
3612 * May return NULL if resources needed to perform the mapping are exhausted.
3613 * Use only for reads OR writes - not for read-modify-write operations.
3614 * Use cpu_register_map_client() to know when retrying the map operation is
3615 * likely to succeed.
3617 void *address_space_map(AddressSpace *as,
3622 AddressSpaceDispatch *d = as->dispatch;
3627 MemoryRegionSection *section;
3628 ram_addr_t raddr = RAM_ADDR_MAX;
3633 page = addr & TARGET_PAGE_MASK;
3634 l = (page + TARGET_PAGE_SIZE) - addr;
3637 section = phys_page_find(d, page >> TARGET_PAGE_BITS);
3639 if (!(memory_region_is_ram(section->mr) && !section->readonly)) {
3640 if (todo || bounce.buffer) {
3643 bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
3647 address_space_read(as, addr, bounce.buffer, l);
3651 return bounce.buffer;
3654 raddr = memory_region_get_ram_addr(section->mr)
3655 + memory_region_section_addr(section, addr);
3663 ret = qemu_ram_ptr_length(raddr, &rlen);
3668 /* Unmaps a memory region previously mapped by address_space_map().
3669 * Will also mark the memory as dirty if is_write == 1. access_len gives
3670 * the amount of memory that was actually read or written by the caller.
3672 void address_space_unmap(AddressSpace *as, void *buffer, hwaddr len,
3673 int is_write, hwaddr access_len)
3675 if (buffer != bounce.buffer) {
3677 ram_addr_t addr1 = qemu_ram_addr_from_host_nofail(buffer);
3678 while (access_len) {
3680 l = TARGET_PAGE_SIZE;
3683 invalidate_and_set_dirty(addr1, l);
3688 if (xen_enabled()) {
3689 xen_invalidate_map_cache_entry(buffer);
3694 address_space_write(as, bounce.addr, bounce.buffer, access_len);
3696 qemu_vfree(bounce.buffer);
3697 bounce.buffer = NULL;
3698 cpu_notify_map_clients();
3701 void *cpu_physical_memory_map(hwaddr addr,
3705 return address_space_map(&address_space_memory, addr, plen, is_write);
3708 void cpu_physical_memory_unmap(void *buffer, hwaddr len,
3709 int is_write, hwaddr access_len)
3711 return address_space_unmap(&address_space_memory, buffer, len, is_write, access_len);
3714 /* warning: addr must be aligned */
3715 static inline uint32_t ldl_phys_internal(hwaddr addr,
3716 enum device_endian endian)
3720 MemoryRegionSection *section;
3722 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3724 if (!(memory_region_is_ram(section->mr) ||
3725 memory_region_is_romd(section->mr))) {
3727 addr = memory_region_section_addr(section, addr);
3728 val = io_mem_read(section->mr, addr, 4);
3729 #if defined(TARGET_WORDS_BIGENDIAN)
3730 if (endian == DEVICE_LITTLE_ENDIAN) {
3734 if (endian == DEVICE_BIG_ENDIAN) {
3740 ptr = qemu_get_ram_ptr((memory_region_get_ram_addr(section->mr)
3742 + memory_region_section_addr(section, addr));
3744 case DEVICE_LITTLE_ENDIAN:
3745 val = ldl_le_p(ptr);
3747 case DEVICE_BIG_ENDIAN:
3748 val = ldl_be_p(ptr);
3758 uint32_t ldl_phys(hwaddr addr)
3760 return ldl_phys_internal(addr, DEVICE_NATIVE_ENDIAN);
3763 uint32_t ldl_le_phys(hwaddr addr)
3765 return ldl_phys_internal(addr, DEVICE_LITTLE_ENDIAN);
3768 uint32_t ldl_be_phys(hwaddr addr)
3770 return ldl_phys_internal(addr, DEVICE_BIG_ENDIAN);
3773 /* warning: addr must be aligned */
3774 static inline uint64_t ldq_phys_internal(hwaddr addr,
3775 enum device_endian endian)
3779 MemoryRegionSection *section;
3781 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3783 if (!(memory_region_is_ram(section->mr) ||
3784 memory_region_is_romd(section->mr))) {
3786 addr = memory_region_section_addr(section, addr);
3788 /* XXX This is broken when device endian != cpu endian.
3789 Fix and add "endian" variable check */
3790 #ifdef TARGET_WORDS_BIGENDIAN
3791 val = io_mem_read(section->mr, addr, 4) << 32;
3792 val |= io_mem_read(section->mr, addr + 4, 4);
3794 val = io_mem_read(section->mr, addr, 4);
3795 val |= io_mem_read(section->mr, addr + 4, 4) << 32;
3799 ptr = qemu_get_ram_ptr((memory_region_get_ram_addr(section->mr)
3801 + memory_region_section_addr(section, addr));
3803 case DEVICE_LITTLE_ENDIAN:
3804 val = ldq_le_p(ptr);
3806 case DEVICE_BIG_ENDIAN:
3807 val = ldq_be_p(ptr);
3817 uint64_t ldq_phys(hwaddr addr)
3819 return ldq_phys_internal(addr, DEVICE_NATIVE_ENDIAN);
3822 uint64_t ldq_le_phys(hwaddr addr)
3824 return ldq_phys_internal(addr, DEVICE_LITTLE_ENDIAN);
3827 uint64_t ldq_be_phys(hwaddr addr)
3829 return ldq_phys_internal(addr, DEVICE_BIG_ENDIAN);
3833 uint32_t ldub_phys(hwaddr addr)
3836 cpu_physical_memory_read(addr, &val, 1);
3840 /* warning: addr must be aligned */
3841 static inline uint32_t lduw_phys_internal(hwaddr addr,
3842 enum device_endian endian)
3846 MemoryRegionSection *section;
3848 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3850 if (!(memory_region_is_ram(section->mr) ||
3851 memory_region_is_romd(section->mr))) {
3853 addr = memory_region_section_addr(section, addr);
3854 val = io_mem_read(section->mr, addr, 2);
3855 #if defined(TARGET_WORDS_BIGENDIAN)
3856 if (endian == DEVICE_LITTLE_ENDIAN) {
3860 if (endian == DEVICE_BIG_ENDIAN) {
3866 ptr = qemu_get_ram_ptr((memory_region_get_ram_addr(section->mr)
3868 + memory_region_section_addr(section, addr));
3870 case DEVICE_LITTLE_ENDIAN:
3871 val = lduw_le_p(ptr);
3873 case DEVICE_BIG_ENDIAN:
3874 val = lduw_be_p(ptr);
3884 uint32_t lduw_phys(hwaddr addr)
3886 return lduw_phys_internal(addr, DEVICE_NATIVE_ENDIAN);
3889 uint32_t lduw_le_phys(hwaddr addr)
3891 return lduw_phys_internal(addr, DEVICE_LITTLE_ENDIAN);
3894 uint32_t lduw_be_phys(hwaddr addr)
3896 return lduw_phys_internal(addr, DEVICE_BIG_ENDIAN);
3899 /* warning: addr must be aligned. The ram page is not masked as dirty
3900 and the code inside is not invalidated. It is useful if the dirty
3901 bits are used to track modified PTEs */
3902 void stl_phys_notdirty(hwaddr addr, uint32_t val)
3905 MemoryRegionSection *section;
3907 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3909 if (!memory_region_is_ram(section->mr) || section->readonly) {
3910 addr = memory_region_section_addr(section, addr);
3911 if (memory_region_is_ram(section->mr)) {
3912 section = &phys_sections[phys_section_rom];
3914 io_mem_write(section->mr, addr, val, 4);
3916 unsigned long addr1 = (memory_region_get_ram_addr(section->mr)
3918 + memory_region_section_addr(section, addr);
3919 ptr = qemu_get_ram_ptr(addr1);
3922 if (unlikely(in_migration)) {
3923 if (!cpu_physical_memory_is_dirty(addr1)) {
3924 /* invalidate code */
3925 tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
3927 cpu_physical_memory_set_dirty_flags(
3928 addr1, (0xff & ~CODE_DIRTY_FLAG));
3934 void stq_phys_notdirty(hwaddr addr, uint64_t val)
3937 MemoryRegionSection *section;
3939 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3941 if (!memory_region_is_ram(section->mr) || section->readonly) {
3942 addr = memory_region_section_addr(section, addr);
3943 if (memory_region_is_ram(section->mr)) {
3944 section = &phys_sections[phys_section_rom];
3946 #ifdef TARGET_WORDS_BIGENDIAN
3947 io_mem_write(section->mr, addr, val >> 32, 4);
3948 io_mem_write(section->mr, addr + 4, (uint32_t)val, 4);
3950 io_mem_write(section->mr, addr, (uint32_t)val, 4);
3951 io_mem_write(section->mr, addr + 4, val >> 32, 4);
3954 ptr = qemu_get_ram_ptr((memory_region_get_ram_addr(section->mr)
3956 + memory_region_section_addr(section, addr));
3961 /* warning: addr must be aligned */
3962 static inline void stl_phys_internal(hwaddr addr, uint32_t val,
3963 enum device_endian endian)
3966 MemoryRegionSection *section;
3968 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
3970 if (!memory_region_is_ram(section->mr) || section->readonly) {
3971 addr = memory_region_section_addr(section, addr);
3972 if (memory_region_is_ram(section->mr)) {
3973 section = &phys_sections[phys_section_rom];
3975 #if defined(TARGET_WORDS_BIGENDIAN)
3976 if (endian == DEVICE_LITTLE_ENDIAN) {
3980 if (endian == DEVICE_BIG_ENDIAN) {
3984 io_mem_write(section->mr, addr, val, 4);
3986 unsigned long addr1;
3987 addr1 = (memory_region_get_ram_addr(section->mr) & TARGET_PAGE_MASK)
3988 + memory_region_section_addr(section, addr);
3990 ptr = qemu_get_ram_ptr(addr1);
3992 case DEVICE_LITTLE_ENDIAN:
3995 case DEVICE_BIG_ENDIAN:
4002 invalidate_and_set_dirty(addr1, 4);
4006 void stl_phys(hwaddr addr, uint32_t val)
4008 stl_phys_internal(addr, val, DEVICE_NATIVE_ENDIAN);
4011 void stl_le_phys(hwaddr addr, uint32_t val)
4013 stl_phys_internal(addr, val, DEVICE_LITTLE_ENDIAN);
4016 void stl_be_phys(hwaddr addr, uint32_t val)
4018 stl_phys_internal(addr, val, DEVICE_BIG_ENDIAN);
4022 void stb_phys(hwaddr addr, uint32_t val)
4025 cpu_physical_memory_write(addr, &v, 1);
4028 /* warning: addr must be aligned */
4029 static inline void stw_phys_internal(hwaddr addr, uint32_t val,
4030 enum device_endian endian)
4033 MemoryRegionSection *section;
4035 section = phys_page_find(address_space_memory.dispatch, addr >> TARGET_PAGE_BITS);
4037 if (!memory_region_is_ram(section->mr) || section->readonly) {
4038 addr = memory_region_section_addr(section, addr);
4039 if (memory_region_is_ram(section->mr)) {
4040 section = &phys_sections[phys_section_rom];
4042 #if defined(TARGET_WORDS_BIGENDIAN)
4043 if (endian == DEVICE_LITTLE_ENDIAN) {
4047 if (endian == DEVICE_BIG_ENDIAN) {
4051 io_mem_write(section->mr, addr, val, 2);
4053 unsigned long addr1;
4054 addr1 = (memory_region_get_ram_addr(section->mr) & TARGET_PAGE_MASK)
4055 + memory_region_section_addr(section, addr);
4057 ptr = qemu_get_ram_ptr(addr1);
4059 case DEVICE_LITTLE_ENDIAN:
4062 case DEVICE_BIG_ENDIAN:
4069 invalidate_and_set_dirty(addr1, 2);
4073 void stw_phys(hwaddr addr, uint32_t val)
4075 stw_phys_internal(addr, val, DEVICE_NATIVE_ENDIAN);
4078 void stw_le_phys(hwaddr addr, uint32_t val)
4080 stw_phys_internal(addr, val, DEVICE_LITTLE_ENDIAN);
4083 void stw_be_phys(hwaddr addr, uint32_t val)
4085 stw_phys_internal(addr, val, DEVICE_BIG_ENDIAN);
4089 void stq_phys(hwaddr addr, uint64_t val)
4092 cpu_physical_memory_write(addr, &val, 8);
4095 void stq_le_phys(hwaddr addr, uint64_t val)
4097 val = cpu_to_le64(val);
4098 cpu_physical_memory_write(addr, &val, 8);
4101 void stq_be_phys(hwaddr addr, uint64_t val)
4103 val = cpu_to_be64(val);
4104 cpu_physical_memory_write(addr, &val, 8);
4107 /* virtual memory access for debug (includes writing to ROM) */
4108 int cpu_memory_rw_debug(CPUArchState *env, target_ulong addr,
4109 uint8_t *buf, int len, int is_write)
4116 page = addr & TARGET_PAGE_MASK;
4117 phys_addr = cpu_get_phys_page_debug(env, page);
4118 /* if no physical page mapped, return an error */
4119 if (phys_addr == -1)
4121 l = (page + TARGET_PAGE_SIZE) - addr;
4124 phys_addr += (addr & ~TARGET_PAGE_MASK);
4126 cpu_physical_memory_write_rom(phys_addr, buf, l);
4128 cpu_physical_memory_rw(phys_addr, buf, l, is_write);
4137 /* in deterministic execution mode, instructions doing device I/Os
4138 must be at the end of the TB */
4139 void cpu_io_recompile(CPUArchState *env, uintptr_t retaddr)
4141 TranslationBlock *tb;
4143 target_ulong pc, cs_base;
4146 tb = tb_find_pc(retaddr);
4148 cpu_abort(env, "cpu_io_recompile: could not find TB for pc=%p",
4151 n = env->icount_decr.u16.low + tb->icount;
4152 cpu_restore_state(tb, env, retaddr);
4153 /* Calculate how many instructions had been executed before the fault
4155 n = n - env->icount_decr.u16.low;
4156 /* Generate a new TB ending on the I/O insn. */
4158 /* On MIPS and SH, delay slot instructions can only be restarted if
4159 they were already the first instruction in the TB. If this is not
4160 the first instruction in a TB then re-execute the preceding
4162 #if defined(TARGET_MIPS)
4163 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
4164 env->active_tc.PC -= 4;
4165 env->icount_decr.u16.low++;
4166 env->hflags &= ~MIPS_HFLAG_BMASK;
4168 #elif defined(TARGET_SH4)
4169 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
4172 env->icount_decr.u16.low++;
4173 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
4176 /* This should never happen. */
4177 if (n > CF_COUNT_MASK) {
4178 cpu_abort(env, "TB too big during recompile");
4181 cflags = n | CF_LAST_IO;
4183 cs_base = tb->cs_base;
4185 tb_phys_invalidate(tb, -1);
4186 /* FIXME: In theory this could raise an exception. In practice
4187 we have already translated the block once so it's probably ok. */
4188 tb_gen_code(env, pc, cs_base, flags, cflags);
4189 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
4190 the first in the TB) then we end up generating a whole new TB and
4191 repeating the fault, which is horribly inefficient.
4192 Better would be to execute just this insn uncached, or generate a
4194 cpu_resume_from_signal(env, NULL);
4197 #if !defined(CONFIG_USER_ONLY)
4199 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
4201 int i, target_code_size, max_target_code_size;
4202 int direct_jmp_count, direct_jmp2_count, cross_page;
4203 TranslationBlock *tb;
4205 target_code_size = 0;
4206 max_target_code_size = 0;
4208 direct_jmp_count = 0;
4209 direct_jmp2_count = 0;
4210 for (i = 0; i < nb_tbs; i++) {
4212 target_code_size += tb->size;
4213 if (tb->size > max_target_code_size) {
4214 max_target_code_size = tb->size;
4216 if (tb->page_addr[1] != -1) {
4219 if (tb->tb_next_offset[0] != 0xffff) {
4221 if (tb->tb_next_offset[1] != 0xffff) {
4222 direct_jmp2_count++;
4226 /* XXX: avoid using doubles ? */
4227 cpu_fprintf(f, "Translation buffer state:\n");
4228 cpu_fprintf(f, "gen code size %td/%zd\n",
4229 code_gen_ptr - code_gen_buffer, code_gen_buffer_max_size);
4230 cpu_fprintf(f, "TB count %d/%d\n",
4231 nb_tbs, code_gen_max_blocks);
4232 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
4233 nb_tbs ? target_code_size / nb_tbs : 0,
4234 max_target_code_size);
4235 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
4236 nb_tbs ? (code_gen_ptr - code_gen_buffer) / nb_tbs : 0,
4237 target_code_size ? (double) (code_gen_ptr - code_gen_buffer)
4238 / target_code_size : 0);
4239 cpu_fprintf(f, "cross page TB count %d (%d%%)\n",
4241 nb_tbs ? (cross_page * 100) / nb_tbs : 0);
4242 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
4244 nb_tbs ? (direct_jmp_count * 100) / nb_tbs : 0,
4246 nb_tbs ? (direct_jmp2_count * 100) / nb_tbs : 0);
4247 cpu_fprintf(f, "\nStatistics:\n");
4248 cpu_fprintf(f, "TB flush count %d\n", tb_flush_count);
4249 cpu_fprintf(f, "TB invalidate count %d\n", tb_phys_invalidate_count);
4250 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
4251 tcg_dump_info(f, cpu_fprintf);
4255 * A helper function for the _utterly broken_ virtio device model to find out if
4256 * it's running on a big endian machine. Don't do this at home kids!
4258 bool virtio_is_big_endian(void);
4259 bool virtio_is_big_endian(void)
4261 #if defined(TARGET_WORDS_BIGENDIAN)
4270 #ifndef CONFIG_USER_ONLY
4271 bool cpu_physical_memory_is_io(hwaddr phys_addr)
4273 MemoryRegionSection *section;
4275 section = phys_page_find(address_space_memory.dispatch,
4276 phys_addr >> TARGET_PAGE_BITS);
4278 return !(memory_region_is_ram(section->mr) ||
4279 memory_region_is_romd(section->mr));
projects / qemu.git / blob