4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
24 #include "qemu/osdep.h"
27 #include "qemu-common.h"
28 #define NO_CPU_IO_DEFS
31 #include "disas/disas.h"
33 #if defined(CONFIG_USER_ONLY)
35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
36 #include <sys/param.h>
37 #if __FreeBSD_version >= 700104
38 #define HAVE_KINFO_GETVMMAP
39 #define sigqueue sigqueue_freebsd /* avoid redefinition */
41 #include <machine/profile.h>
50 #include "exec/address-spaces.h"
53 #include "exec/cputlb.h"
54 #include "exec/tb-hash.h"
55 #include "translate-all.h"
56 #include "qemu/bitmap.h"
57 #include "qemu/timer.h"
59 //#define DEBUG_TB_INVALIDATE
61 /* make various TB consistency checks */
62 //#define DEBUG_TB_CHECK
64 #if !defined(CONFIG_USER_ONLY)
65 /* TB consistency checks only implemented for usermode emulation. */
69 #define SMC_BITMAP_USE_THRESHOLD 10
71 typedef struct PageDesc {
72 /* list of TBs intersecting this ram page */
73 TranslationBlock *first_tb;
74 /* in order to optimize self modifying code, we count the number
75 of lookups we do to a given page to use a bitmap */
76 unsigned int code_write_count;
77 unsigned long *code_bitmap;
78 #if defined(CONFIG_USER_ONLY)
83 /* In system mode we want L1_MAP to be based on ram offsets,
84 while in user mode we want it to be based on virtual addresses. */
85 #if !defined(CONFIG_USER_ONLY)
86 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
87 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
89 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
92 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
95 /* Size of the L2 (and L3, etc) page tables. */
97 #define V_L2_SIZE (1 << V_L2_BITS)
99 /* The bits remaining after N lower levels of page tables. */
100 #define V_L1_BITS_REM \
101 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS)
103 #if V_L1_BITS_REM < 4
104 #define V_L1_BITS (V_L1_BITS_REM + V_L2_BITS)
106 #define V_L1_BITS V_L1_BITS_REM
109 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
111 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
113 uintptr_t qemu_host_page_size;
114 intptr_t qemu_host_page_mask;
116 /* The bottom level has pointers to PageDesc */
117 static void *l1_map[V_L1_SIZE];
119 /* code generation context */
122 /* translation block context */
123 #ifdef CONFIG_USER_ONLY
124 __thread int have_tb_lock;
129 #ifdef CONFIG_USER_ONLY
130 assert(!have_tb_lock);
131 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
138 #ifdef CONFIG_USER_ONLY
139 assert(have_tb_lock);
141 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
145 void tb_lock_reset(void)
147 #ifdef CONFIG_USER_ONLY
149 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
155 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
156 tb_page_addr_t phys_page2);
157 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
159 void cpu_gen_init(void)
161 tcg_context_init(&tcg_ctx);
164 /* Encode VAL as a signed leb128 sequence at P.
165 Return P incremented past the encoded value. */
166 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
173 more = !((val == 0 && (byte & 0x40) == 0)
174 || (val == -1 && (byte & 0x40) != 0));
184 /* Decode a signed leb128 sequence at *PP; increment *PP past the
185 decoded value. Return the decoded value. */
186 static target_long decode_sleb128(uint8_t **pp)
194 val |= (target_ulong)(byte & 0x7f) << shift;
196 } while (byte & 0x80);
197 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
198 val |= -(target_ulong)1 << shift;
205 /* Encode the data collected about the instructions while compiling TB.
206 Place the data at BLOCK, and return the number of bytes consumed.
208 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's,
209 which come from the target's insn_start data, followed by a uintptr_t
210 which comes from the host pc of the end of the code implementing the insn.
212 Each line of the table is encoded as sleb128 deltas from the previous
213 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
214 That is, the first column is seeded with the guest pc, the last column
215 with the host pc, and the middle columns with zeros. */
217 static int encode_search(TranslationBlock *tb, uint8_t *block)
219 uint8_t *highwater = tcg_ctx.code_gen_highwater;
223 tb->tc_search = block;
225 for (i = 0, n = tb->icount; i < n; ++i) {
228 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
230 prev = (j == 0 ? tb->pc : 0);
232 prev = tcg_ctx.gen_insn_data[i - 1][j];
234 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
236 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
237 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
239 /* Test for (pending) buffer overflow. The assumption is that any
240 one row beginning below the high water mark cannot overrun
241 the buffer completely. Thus we can test for overflow after
242 encoding a row without having to check during encoding. */
243 if (unlikely(p > highwater)) {
251 /* The cpu state corresponding to 'searched_pc' is restored. */
252 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
253 uintptr_t searched_pc)
255 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
256 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
257 CPUArchState *env = cpu->env_ptr;
258 uint8_t *p = tb->tc_search;
259 int i, j, num_insns = tb->icount;
260 #ifdef CONFIG_PROFILER
261 int64_t ti = profile_getclock();
264 if (searched_pc < host_pc) {
268 /* Reconstruct the stored insn data while looking for the point at
269 which the end of the insn exceeds the searched_pc. */
270 for (i = 0; i < num_insns; ++i) {
271 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
272 data[j] += decode_sleb128(&p);
274 host_pc += decode_sleb128(&p);
275 if (host_pc > searched_pc) {
282 if (tb->cflags & CF_USE_ICOUNT) {
284 /* Reset the cycle counter to the start of the block. */
285 cpu->icount_decr.u16.low += num_insns;
286 /* Clear the IO flag. */
289 cpu->icount_decr.u16.low -= i;
290 restore_state_to_opc(env, tb, data);
292 #ifdef CONFIG_PROFILER
293 tcg_ctx.restore_time += profile_getclock() - ti;
294 tcg_ctx.restore_count++;
299 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
301 TranslationBlock *tb;
303 tb = tb_find_pc(retaddr);
305 cpu_restore_state_from_tb(cpu, tb, retaddr);
306 if (tb->cflags & CF_NOCACHE) {
307 /* one-shot translation, invalidate it immediately */
308 cpu->current_tb = NULL;
309 tb_phys_invalidate(tb, -1);
317 void page_size_init(void)
319 /* NOTE: we can always suppose that qemu_host_page_size >=
321 qemu_real_host_page_size = getpagesize();
322 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
323 if (qemu_host_page_size == 0) {
324 qemu_host_page_size = qemu_real_host_page_size;
326 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
327 qemu_host_page_size = TARGET_PAGE_SIZE;
329 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
332 static void page_init(void)
335 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
337 #ifdef HAVE_KINFO_GETVMMAP
338 struct kinfo_vmentry *freep;
341 freep = kinfo_getvmmap(getpid(), &cnt);
344 for (i = 0; i < cnt; i++) {
345 unsigned long startaddr, endaddr;
347 startaddr = freep[i].kve_start;
348 endaddr = freep[i].kve_end;
349 if (h2g_valid(startaddr)) {
350 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
352 if (h2g_valid(endaddr)) {
353 endaddr = h2g(endaddr);
354 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
356 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
358 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
369 last_brk = (unsigned long)sbrk(0);
371 f = fopen("/compat/linux/proc/self/maps", "r");
376 unsigned long startaddr, endaddr;
379 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
381 if (n == 2 && h2g_valid(startaddr)) {
382 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
384 if (h2g_valid(endaddr)) {
385 endaddr = h2g(endaddr);
389 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
402 * Called with mmap_lock held for user-mode emulation.
404 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
410 /* Level 1. Always allocated. */
411 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
414 for (i = V_L1_SHIFT / V_L2_BITS - 1; i > 0; i--) {
415 void **p = atomic_rcu_read(lp);
421 p = g_new0(void *, V_L2_SIZE);
422 atomic_rcu_set(lp, p);
425 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
428 pd = atomic_rcu_read(lp);
433 pd = g_new0(PageDesc, V_L2_SIZE);
434 atomic_rcu_set(lp, pd);
437 return pd + (index & (V_L2_SIZE - 1));
440 static inline PageDesc *page_find(tb_page_addr_t index)
442 return page_find_alloc(index, 0);
445 #if defined(CONFIG_USER_ONLY)
446 /* Currently it is not recommended to allocate big chunks of data in
447 user mode. It will change when a dedicated libc will be used. */
448 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
449 region in which the guest needs to run. Revisit this. */
450 #define USE_STATIC_CODE_GEN_BUFFER
453 /* Minimum size of the code gen buffer. This number is randomly chosen,
454 but not so small that we can't have a fair number of TB's live. */
455 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
457 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
458 indicated, this is constrained by the range of direct branches on the
459 host cpu, as used by the TCG implementation of goto_tb. */
460 #if defined(__x86_64__)
461 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
462 #elif defined(__sparc__)
463 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
464 #elif defined(__powerpc64__)
465 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
466 #elif defined(__aarch64__)
467 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
468 #elif defined(__arm__)
469 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
470 #elif defined(__s390x__)
471 /* We have a +- 4GB range on the branches; leave some slop. */
472 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
473 #elif defined(__mips__)
474 /* We have a 256MB branch region, but leave room to make sure the
475 main executable is also within that region. */
476 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
478 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
481 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
483 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
484 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
485 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
487 static inline size_t size_code_gen_buffer(size_t tb_size)
489 /* Size the buffer. */
491 #ifdef USE_STATIC_CODE_GEN_BUFFER
492 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
494 /* ??? Needs adjustments. */
495 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
496 static buffer, we could size this on RESERVED_VA, on the text
497 segment size of the executable, or continue to use the default. */
498 tb_size = (unsigned long)(ram_size / 4);
501 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
502 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
504 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
505 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
507 tcg_ctx.code_gen_buffer_size = tb_size;
512 /* In order to use J and JAL within the code_gen_buffer, we require
513 that the buffer not cross a 256MB boundary. */
514 static inline bool cross_256mb(void *addr, size_t size)
516 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & 0xf0000000;
519 /* We weren't able to allocate a buffer without crossing that boundary,
520 so make do with the larger portion of the buffer that doesn't cross.
521 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
522 static inline void *split_cross_256mb(void *buf1, size_t size1)
524 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & 0xf0000000);
525 size_t size2 = buf1 + size1 - buf2;
533 tcg_ctx.code_gen_buffer_size = size1;
538 #ifdef USE_STATIC_CODE_GEN_BUFFER
539 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
540 __attribute__((aligned(CODE_GEN_ALIGN)));
543 static inline void do_protect(void *addr, long size, int prot)
546 VirtualProtect(addr, size, prot, &old_protect);
549 static inline void map_exec(void *addr, long size)
551 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
554 static inline void map_none(void *addr, long size)
556 do_protect(addr, size, PAGE_NOACCESS);
559 static inline void do_protect(void *addr, long size, int prot)
561 uintptr_t start, end;
563 start = (uintptr_t)addr;
564 start &= qemu_real_host_page_mask;
566 end = (uintptr_t)addr + size;
567 end = ROUND_UP(end, qemu_real_host_page_size);
569 mprotect((void *)start, end - start, prot);
572 static inline void map_exec(void *addr, long size)
574 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
577 static inline void map_none(void *addr, long size)
579 do_protect(addr, size, PROT_NONE);
583 static inline void *alloc_code_gen_buffer(void)
585 void *buf = static_code_gen_buffer;
586 size_t full_size, size;
588 /* The size of the buffer, rounded down to end on a page boundary. */
589 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
590 & qemu_real_host_page_mask) - (uintptr_t)buf;
592 /* Reserve a guard page. */
593 size = full_size - qemu_real_host_page_size;
595 /* Honor a command-line option limiting the size of the buffer. */
596 if (size > tcg_ctx.code_gen_buffer_size) {
597 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
598 & qemu_real_host_page_mask) - (uintptr_t)buf;
600 tcg_ctx.code_gen_buffer_size = size;
603 if (cross_256mb(buf, size)) {
604 buf = split_cross_256mb(buf, size);
605 size = tcg_ctx.code_gen_buffer_size;
610 map_none(buf + size, qemu_real_host_page_size);
611 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
615 #elif defined(_WIN32)
616 static inline void *alloc_code_gen_buffer(void)
618 size_t size = tcg_ctx.code_gen_buffer_size;
621 /* Perform the allocation in two steps, so that the guard page
622 is reserved but uncommitted. */
623 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
624 MEM_RESERVE, PAGE_NOACCESS);
626 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
627 assert(buf1 == buf2);
633 static inline void *alloc_code_gen_buffer(void)
635 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
637 size_t size = tcg_ctx.code_gen_buffer_size;
640 /* Constrain the position of the buffer based on the host cpu.
641 Note that these addresses are chosen in concert with the
642 addresses assigned in the relevant linker script file. */
643 # if defined(__PIE__) || defined(__PIC__)
644 /* Don't bother setting a preferred location if we're building
645 a position-independent executable. We're more likely to get
646 an address near the main executable if we let the kernel
647 choose the address. */
648 # elif defined(__x86_64__) && defined(MAP_32BIT)
649 /* Force the memory down into low memory with the executable.
650 Leave the choice of exact location with the kernel. */
652 /* Cannot expect to map more than 800MB in low memory. */
653 if (size > 800u * 1024 * 1024) {
654 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
656 # elif defined(__sparc__)
657 start = 0x40000000ul;
658 # elif defined(__s390x__)
659 start = 0x90000000ul;
660 # elif defined(__mips__)
661 # if _MIPS_SIM == _ABI64
662 start = 0x128000000ul;
664 start = 0x08000000ul;
668 buf = mmap((void *)start, size + qemu_real_host_page_size,
669 PROT_NONE, flags, -1, 0);
670 if (buf == MAP_FAILED) {
675 if (cross_256mb(buf, size)) {
676 /* Try again, with the original still mapped, to avoid re-acquiring
677 that 256mb crossing. This time don't specify an address. */
679 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
680 PROT_NONE, flags, -1, 0);
681 switch (buf2 != MAP_FAILED) {
683 if (!cross_256mb(buf2, size)) {
684 /* Success! Use the new buffer. */
688 /* Failure. Work with what we had. */
692 /* Split the original buffer. Free the smaller half. */
693 buf2 = split_cross_256mb(buf, size);
694 size2 = tcg_ctx.code_gen_buffer_size;
696 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
698 munmap(buf, size - size2);
707 /* Make the final buffer accessible. The guard page at the end
708 will remain inaccessible with PROT_NONE. */
709 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
711 /* Request large pages for the buffer. */
712 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
716 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
718 static inline void code_gen_alloc(size_t tb_size)
720 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
721 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
722 if (tcg_ctx.code_gen_buffer == NULL) {
723 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
727 /* Estimate a good size for the number of TBs we can support. We
728 still haven't deducted the prologue from the buffer size here,
729 but that's minimal and won't affect the estimate much. */
730 tcg_ctx.code_gen_max_blocks
731 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
732 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
734 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
737 /* Must be called before using the QEMU cpus. 'tb_size' is the size
738 (in bytes) allocated to the translation buffer. Zero means default
740 void tcg_exec_init(unsigned long tb_size)
744 code_gen_alloc(tb_size);
745 #if defined(CONFIG_SOFTMMU)
746 /* There's no guest base to take into account, so go ahead and
747 initialize the prologue now. */
748 tcg_prologue_init(&tcg_ctx);
752 bool tcg_enabled(void)
754 return tcg_ctx.code_gen_buffer != NULL;
757 /* Allocate a new translation block. Flush the translation buffer if
758 too many translation blocks or too much generated code. */
759 static TranslationBlock *tb_alloc(target_ulong pc)
761 TranslationBlock *tb;
763 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
766 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
772 void tb_free(TranslationBlock *tb)
774 /* In practice this is mostly used for single use temporary TB
775 Ignore the hard cases and just back up if this TB happens to
776 be the last one generated. */
777 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
778 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
779 tcg_ctx.code_gen_ptr = tb->tc_ptr;
780 tcg_ctx.tb_ctx.nb_tbs--;
784 static inline void invalidate_page_bitmap(PageDesc *p)
786 g_free(p->code_bitmap);
787 p->code_bitmap = NULL;
788 p->code_write_count = 0;
791 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
792 static void page_flush_tb_1(int level, void **lp)
802 for (i = 0; i < V_L2_SIZE; ++i) {
803 pd[i].first_tb = NULL;
804 invalidate_page_bitmap(pd + i);
809 for (i = 0; i < V_L2_SIZE; ++i) {
810 page_flush_tb_1(level - 1, pp + i);
815 static void page_flush_tb(void)
819 for (i = 0; i < V_L1_SIZE; i++) {
820 page_flush_tb_1(V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
824 /* flush all the translation blocks */
825 /* XXX: tb_flush is currently not thread safe */
826 void tb_flush(CPUState *cpu)
828 #if defined(DEBUG_FLUSH)
829 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
830 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
831 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
832 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
833 tcg_ctx.tb_ctx.nb_tbs : 0);
835 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
836 > tcg_ctx.code_gen_buffer_size) {
837 cpu_abort(cpu, "Internal error: code buffer overflow\n");
839 tcg_ctx.tb_ctx.nb_tbs = 0;
842 memset(cpu->tb_jmp_cache, 0, sizeof(cpu->tb_jmp_cache));
845 memset(tcg_ctx.tb_ctx.tb_phys_hash, 0, sizeof(tcg_ctx.tb_ctx.tb_phys_hash));
848 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
849 /* XXX: flush processor icache at this point if cache flush is
851 tcg_ctx.tb_ctx.tb_flush_count++;
854 #ifdef DEBUG_TB_CHECK
856 static void tb_invalidate_check(target_ulong address)
858 TranslationBlock *tb;
861 address &= TARGET_PAGE_MASK;
862 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
863 for (tb = tb_ctx.tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
864 if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
865 address >= tb->pc + tb->size)) {
866 printf("ERROR invalidate: address=" TARGET_FMT_lx
867 " PC=%08lx size=%04x\n",
868 address, (long)tb->pc, tb->size);
874 /* verify that all the pages have correct rights for code */
875 static void tb_page_check(void)
877 TranslationBlock *tb;
878 int i, flags1, flags2;
880 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
881 for (tb = tcg_ctx.tb_ctx.tb_phys_hash[i]; tb != NULL;
882 tb = tb->phys_hash_next) {
883 flags1 = page_get_flags(tb->pc);
884 flags2 = page_get_flags(tb->pc + tb->size - 1);
885 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
886 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
887 (long)tb->pc, tb->size, flags1, flags2);
895 static inline void tb_hash_remove(TranslationBlock **ptb, TranslationBlock *tb)
897 TranslationBlock *tb1;
902 *ptb = tb1->phys_hash_next;
905 ptb = &tb1->phys_hash_next;
909 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
911 TranslationBlock *tb1;
916 n1 = (uintptr_t)tb1 & 3;
917 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
919 *ptb = tb1->page_next[n1];
922 ptb = &tb1->page_next[n1];
926 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
928 TranslationBlock *tb1, **ptb;
931 ptb = &tb->jmp_next[n];
934 /* find tb(n) in circular list */
937 n1 = (uintptr_t)tb1 & 3;
938 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
939 if (n1 == n && tb1 == tb) {
943 ptb = &tb1->jmp_first;
945 ptb = &tb1->jmp_next[n1];
948 /* now we can suppress tb(n) from the list */
949 *ptb = tb->jmp_next[n];
951 tb->jmp_next[n] = NULL;
955 /* reset the jump entry 'n' of a TB so that it is not chained to
957 static inline void tb_reset_jump(TranslationBlock *tb, int n)
959 tb_set_jmp_target(tb, n, (uintptr_t)(tb->tc_ptr + tb->tb_next_offset[n]));
962 /* invalidate one TB */
963 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
968 tb_page_addr_t phys_pc;
969 TranslationBlock *tb1, *tb2;
971 /* remove the TB from the hash list */
972 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
973 h = tb_phys_hash_func(phys_pc);
974 tb_hash_remove(&tcg_ctx.tb_ctx.tb_phys_hash[h], tb);
976 /* remove the TB from the page list */
977 if (tb->page_addr[0] != page_addr) {
978 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
979 tb_page_remove(&p->first_tb, tb);
980 invalidate_page_bitmap(p);
982 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
983 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
984 tb_page_remove(&p->first_tb, tb);
985 invalidate_page_bitmap(p);
988 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
990 /* remove the TB from the hash list */
991 h = tb_jmp_cache_hash_func(tb->pc);
993 if (cpu->tb_jmp_cache[h] == tb) {
994 cpu->tb_jmp_cache[h] = NULL;
998 /* suppress this TB from the two jump lists */
999 tb_jmp_remove(tb, 0);
1000 tb_jmp_remove(tb, 1);
1002 /* suppress any remaining jumps to this TB */
1003 tb1 = tb->jmp_first;
1005 n1 = (uintptr_t)tb1 & 3;
1009 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
1010 tb2 = tb1->jmp_next[n1];
1011 tb_reset_jump(tb1, n1);
1012 tb1->jmp_next[n1] = NULL;
1015 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2); /* fail safe */
1017 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1020 static void build_page_bitmap(PageDesc *p)
1022 int n, tb_start, tb_end;
1023 TranslationBlock *tb;
1025 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1028 while (tb != NULL) {
1029 n = (uintptr_t)tb & 3;
1030 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1031 /* NOTE: this is subtle as a TB may span two physical pages */
1033 /* NOTE: tb_end may be after the end of the page, but
1034 it is not a problem */
1035 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1036 tb_end = tb_start + tb->size;
1037 if (tb_end > TARGET_PAGE_SIZE) {
1038 tb_end = TARGET_PAGE_SIZE;
1042 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1044 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1045 tb = tb->page_next[n];
1049 /* Called with mmap_lock held for user mode emulation. */
1050 TranslationBlock *tb_gen_code(CPUState *cpu,
1051 target_ulong pc, target_ulong cs_base,
1052 int flags, int cflags)
1054 CPUArchState *env = cpu->env_ptr;
1055 TranslationBlock *tb;
1056 tb_page_addr_t phys_pc, phys_page2;
1057 target_ulong virt_page2;
1058 tcg_insn_unit *gen_code_buf;
1059 int gen_code_size, search_size;
1060 #ifdef CONFIG_PROFILER
1064 phys_pc = get_page_addr_code(env, pc);
1065 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1066 cflags |= CF_USE_ICOUNT;
1070 if (unlikely(!tb)) {
1072 /* flush must be done */
1074 /* cannot fail at this point */
1077 /* Don't forget to invalidate previous TB info. */
1078 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
1081 gen_code_buf = tcg_ctx.code_gen_ptr;
1082 tb->tc_ptr = gen_code_buf;
1083 tb->cs_base = cs_base;
1085 tb->cflags = cflags;
1087 #ifdef CONFIG_PROFILER
1088 tcg_ctx.tb_count1++; /* includes aborted translations because of
1090 ti = profile_getclock();
1093 tcg_func_start(&tcg_ctx);
1095 gen_intermediate_code(env, tb);
1097 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1099 /* generate machine code */
1100 tb->tb_next_offset[0] = 0xffff;
1101 tb->tb_next_offset[1] = 0xffff;
1102 tcg_ctx.tb_next_offset = tb->tb_next_offset;
1103 #ifdef USE_DIRECT_JUMP
1104 tcg_ctx.tb_jmp_offset = tb->tb_jmp_offset;
1105 tcg_ctx.tb_next = NULL;
1107 tcg_ctx.tb_jmp_offset = NULL;
1108 tcg_ctx.tb_next = tb->tb_next;
1111 #ifdef CONFIG_PROFILER
1113 tcg_ctx.interm_time += profile_getclock() - ti;
1114 tcg_ctx.code_time -= profile_getclock();
1117 /* ??? Overflow could be handled better here. In particular, we
1118 don't need to re-do gen_intermediate_code, nor should we re-do
1119 the tcg optimization currently hidden inside tcg_gen_code. All
1120 that should be required is to flush the TBs, allocate a new TB,
1121 re-initialize it per above, and re-do the actual code generation. */
1122 gen_code_size = tcg_gen_code(&tcg_ctx, gen_code_buf);
1123 if (unlikely(gen_code_size < 0)) {
1124 goto buffer_overflow;
1126 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1127 if (unlikely(search_size < 0)) {
1128 goto buffer_overflow;
1131 #ifdef CONFIG_PROFILER
1132 tcg_ctx.code_time += profile_getclock();
1133 tcg_ctx.code_in_len += tb->size;
1134 tcg_ctx.code_out_len += gen_code_size;
1135 tcg_ctx.search_out_len += search_size;
1139 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
1140 qemu_log("OUT: [size=%d]\n", gen_code_size);
1141 log_disas(tb->tc_ptr, gen_code_size);
1147 tcg_ctx.code_gen_ptr = (void *)
1148 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1151 /* check next page if needed */
1152 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1154 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1155 phys_page2 = get_page_addr_code(env, virt_page2);
1157 tb_link_page(tb, phys_pc, phys_page2);
1162 * Invalidate all TBs which intersect with the target physical address range
1163 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1164 * 'is_cpu_write_access' should be true if called from a real cpu write
1165 * access: the virtual CPU will exit the current TB if code is modified inside
1168 * Called with mmap_lock held for user-mode emulation
1170 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1172 while (start < end) {
1173 tb_invalidate_phys_page_range(start, end, 0);
1174 start &= TARGET_PAGE_MASK;
1175 start += TARGET_PAGE_SIZE;
1180 * Invalidate all TBs which intersect with the target physical address range
1181 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1182 * 'is_cpu_write_access' should be true if called from a real cpu write
1183 * access: the virtual CPU will exit the current TB if code is modified inside
1186 * Called with mmap_lock held for user-mode emulation
1188 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1189 int is_cpu_write_access)
1191 TranslationBlock *tb, *tb_next, *saved_tb;
1192 CPUState *cpu = current_cpu;
1193 #if defined(TARGET_HAS_PRECISE_SMC)
1194 CPUArchState *env = NULL;
1196 tb_page_addr_t tb_start, tb_end;
1199 #ifdef TARGET_HAS_PRECISE_SMC
1200 int current_tb_not_found = is_cpu_write_access;
1201 TranslationBlock *current_tb = NULL;
1202 int current_tb_modified = 0;
1203 target_ulong current_pc = 0;
1204 target_ulong current_cs_base = 0;
1205 int current_flags = 0;
1206 #endif /* TARGET_HAS_PRECISE_SMC */
1208 p = page_find(start >> TARGET_PAGE_BITS);
1212 #if defined(TARGET_HAS_PRECISE_SMC)
1218 /* we remove all the TBs in the range [start, end[ */
1219 /* XXX: see if in some cases it could be faster to invalidate all
1222 while (tb != NULL) {
1223 n = (uintptr_t)tb & 3;
1224 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1225 tb_next = tb->page_next[n];
1226 /* NOTE: this is subtle as a TB may span two physical pages */
1228 /* NOTE: tb_end may be after the end of the page, but
1229 it is not a problem */
1230 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1231 tb_end = tb_start + tb->size;
1233 tb_start = tb->page_addr[1];
1234 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1236 if (!(tb_end <= start || tb_start >= end)) {
1237 #ifdef TARGET_HAS_PRECISE_SMC
1238 if (current_tb_not_found) {
1239 current_tb_not_found = 0;
1241 if (cpu->mem_io_pc) {
1242 /* now we have a real cpu fault */
1243 current_tb = tb_find_pc(cpu->mem_io_pc);
1246 if (current_tb == tb &&
1247 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1248 /* If we are modifying the current TB, we must stop
1249 its execution. We could be more precise by checking
1250 that the modification is after the current PC, but it
1251 would require a specialized function to partially
1252 restore the CPU state */
1254 current_tb_modified = 1;
1255 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1256 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1259 #endif /* TARGET_HAS_PRECISE_SMC */
1260 /* we need to do that to handle the case where a signal
1261 occurs while doing tb_phys_invalidate() */
1264 saved_tb = cpu->current_tb;
1265 cpu->current_tb = NULL;
1267 tb_phys_invalidate(tb, -1);
1269 cpu->current_tb = saved_tb;
1270 if (cpu->interrupt_request && cpu->current_tb) {
1271 cpu_interrupt(cpu, cpu->interrupt_request);
1277 #if !defined(CONFIG_USER_ONLY)
1278 /* if no code remaining, no need to continue to use slow writes */
1280 invalidate_page_bitmap(p);
1281 tlb_unprotect_code(start);
1284 #ifdef TARGET_HAS_PRECISE_SMC
1285 if (current_tb_modified) {
1286 /* we generate a block containing just the instruction
1287 modifying the memory. It will ensure that it cannot modify
1289 cpu->current_tb = NULL;
1290 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1291 cpu_resume_from_signal(cpu, NULL);
1296 /* len must be <= 8 and start must be a multiple of len */
1297 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1303 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1304 cpu_single_env->mem_io_vaddr, len,
1305 cpu_single_env->eip,
1306 cpu_single_env->eip +
1307 (intptr_t)cpu_single_env->segs[R_CS].base);
1310 p = page_find(start >> TARGET_PAGE_BITS);
1314 if (!p->code_bitmap &&
1315 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1316 /* build code bitmap */
1317 build_page_bitmap(p);
1319 if (p->code_bitmap) {
1323 nr = start & ~TARGET_PAGE_MASK;
1324 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1325 if (b & ((1 << len) - 1)) {
1330 tb_invalidate_phys_page_range(start, start + len, 1);
1334 #if !defined(CONFIG_SOFTMMU)
1335 /* Called with mmap_lock held. */
1336 static void tb_invalidate_phys_page(tb_page_addr_t addr,
1337 uintptr_t pc, void *puc,
1340 TranslationBlock *tb;
1343 #ifdef TARGET_HAS_PRECISE_SMC
1344 TranslationBlock *current_tb = NULL;
1345 CPUState *cpu = current_cpu;
1346 CPUArchState *env = NULL;
1347 int current_tb_modified = 0;
1348 target_ulong current_pc = 0;
1349 target_ulong current_cs_base = 0;
1350 int current_flags = 0;
1353 addr &= TARGET_PAGE_MASK;
1354 p = page_find(addr >> TARGET_PAGE_BITS);
1359 #ifdef TARGET_HAS_PRECISE_SMC
1360 if (tb && pc != 0) {
1361 current_tb = tb_find_pc(pc);
1367 while (tb != NULL) {
1368 n = (uintptr_t)tb & 3;
1369 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1370 #ifdef TARGET_HAS_PRECISE_SMC
1371 if (current_tb == tb &&
1372 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1373 /* If we are modifying the current TB, we must stop
1374 its execution. We could be more precise by checking
1375 that the modification is after the current PC, but it
1376 would require a specialized function to partially
1377 restore the CPU state */
1379 current_tb_modified = 1;
1380 cpu_restore_state_from_tb(cpu, current_tb, pc);
1381 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1384 #endif /* TARGET_HAS_PRECISE_SMC */
1385 tb_phys_invalidate(tb, addr);
1386 tb = tb->page_next[n];
1389 #ifdef TARGET_HAS_PRECISE_SMC
1390 if (current_tb_modified) {
1391 /* we generate a block containing just the instruction
1392 modifying the memory. It will ensure that it cannot modify
1394 cpu->current_tb = NULL;
1395 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1399 cpu_resume_from_signal(cpu, puc);
1405 /* add the tb in the target page and protect it if necessary
1407 * Called with mmap_lock held for user-mode emulation.
1409 static inline void tb_alloc_page(TranslationBlock *tb,
1410 unsigned int n, tb_page_addr_t page_addr)
1413 #ifndef CONFIG_USER_ONLY
1414 bool page_already_protected;
1417 tb->page_addr[n] = page_addr;
1418 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1419 tb->page_next[n] = p->first_tb;
1420 #ifndef CONFIG_USER_ONLY
1421 page_already_protected = p->first_tb != NULL;
1423 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1424 invalidate_page_bitmap(p);
1426 #if defined(CONFIG_USER_ONLY)
1427 if (p->flags & PAGE_WRITE) {
1432 /* force the host page as non writable (writes will have a
1433 page fault + mprotect overhead) */
1434 page_addr &= qemu_host_page_mask;
1436 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1437 addr += TARGET_PAGE_SIZE) {
1439 p2 = page_find(addr >> TARGET_PAGE_BITS);
1444 p2->flags &= ~PAGE_WRITE;
1446 mprotect(g2h(page_addr), qemu_host_page_size,
1447 (prot & PAGE_BITS) & ~PAGE_WRITE);
1448 #ifdef DEBUG_TB_INVALIDATE
1449 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1454 /* if some code is already present, then the pages are already
1455 protected. So we handle the case where only the first TB is
1456 allocated in a physical page */
1457 if (!page_already_protected) {
1458 tlb_protect_code(page_addr);
1463 /* add a new TB and link it to the physical page tables. phys_page2 is
1464 * (-1) to indicate that only one page contains the TB.
1466 * Called with mmap_lock held for user-mode emulation.
1468 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1469 tb_page_addr_t phys_page2)
1472 TranslationBlock **ptb;
1474 /* add in the physical hash table */
1475 h = tb_phys_hash_func(phys_pc);
1476 ptb = &tcg_ctx.tb_ctx.tb_phys_hash[h];
1477 tb->phys_hash_next = *ptb;
1480 /* add in the page list */
1481 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1482 if (phys_page2 != -1) {
1483 tb_alloc_page(tb, 1, phys_page2);
1485 tb->page_addr[1] = -1;
1488 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2);
1489 tb->jmp_next[0] = NULL;
1490 tb->jmp_next[1] = NULL;
1492 /* init original jump addresses */
1493 if (tb->tb_next_offset[0] != 0xffff) {
1494 tb_reset_jump(tb, 0);
1496 if (tb->tb_next_offset[1] != 0xffff) {
1497 tb_reset_jump(tb, 1);
1500 #ifdef DEBUG_TB_CHECK
1505 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1506 tb[1].tc_ptr. Return NULL if not found */
1507 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1509 int m_min, m_max, m;
1511 TranslationBlock *tb;
1513 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1516 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1517 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1520 /* binary search (cf Knuth) */
1522 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1523 while (m_min <= m_max) {
1524 m = (m_min + m_max) >> 1;
1525 tb = &tcg_ctx.tb_ctx.tbs[m];
1526 v = (uintptr_t)tb->tc_ptr;
1529 } else if (tc_ptr < v) {
1535 return &tcg_ctx.tb_ctx.tbs[m_max];
1538 #if !defined(CONFIG_USER_ONLY)
1539 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1541 ram_addr_t ram_addr;
1546 mr = address_space_translate(as, addr, &addr, &l, false);
1547 if (!(memory_region_is_ram(mr)
1548 || memory_region_is_romd(mr))) {
1552 ram_addr = (memory_region_get_ram_addr(mr) & TARGET_PAGE_MASK)
1554 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1557 #endif /* !defined(CONFIG_USER_ONLY) */
1559 void tb_check_watchpoint(CPUState *cpu)
1561 TranslationBlock *tb;
1563 tb = tb_find_pc(cpu->mem_io_pc);
1565 /* We can use retranslation to find the PC. */
1566 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1567 tb_phys_invalidate(tb, -1);
1569 /* The exception probably happened in a helper. The CPU state should
1570 have been saved before calling it. Fetch the PC from there. */
1571 CPUArchState *env = cpu->env_ptr;
1572 target_ulong pc, cs_base;
1573 tb_page_addr_t addr;
1576 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1577 addr = get_page_addr_code(env, pc);
1578 tb_invalidate_phys_range(addr, addr + 1);
1582 #ifndef CONFIG_USER_ONLY
1583 /* in deterministic execution mode, instructions doing device I/Os
1584 must be at the end of the TB */
1585 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1587 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1588 CPUArchState *env = cpu->env_ptr;
1590 TranslationBlock *tb;
1592 target_ulong pc, cs_base;
1595 tb = tb_find_pc(retaddr);
1597 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1600 n = cpu->icount_decr.u16.low + tb->icount;
1601 cpu_restore_state_from_tb(cpu, tb, retaddr);
1602 /* Calculate how many instructions had been executed before the fault
1604 n = n - cpu->icount_decr.u16.low;
1605 /* Generate a new TB ending on the I/O insn. */
1607 /* On MIPS and SH, delay slot instructions can only be restarted if
1608 they were already the first instruction in the TB. If this is not
1609 the first instruction in a TB then re-execute the preceding
1611 #if defined(TARGET_MIPS)
1612 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1613 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1614 cpu->icount_decr.u16.low++;
1615 env->hflags &= ~MIPS_HFLAG_BMASK;
1617 #elif defined(TARGET_SH4)
1618 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1621 cpu->icount_decr.u16.low++;
1622 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1625 /* This should never happen. */
1626 if (n > CF_COUNT_MASK) {
1627 cpu_abort(cpu, "TB too big during recompile");
1630 cflags = n | CF_LAST_IO;
1632 cs_base = tb->cs_base;
1634 tb_phys_invalidate(tb, -1);
1635 if (tb->cflags & CF_NOCACHE) {
1637 /* Invalidate original TB if this TB was generated in
1638 * cpu_exec_nocache() */
1639 tb_phys_invalidate(tb->orig_tb, -1);
1643 /* FIXME: In theory this could raise an exception. In practice
1644 we have already translated the block once so it's probably ok. */
1645 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1646 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1647 the first in the TB) then we end up generating a whole new TB and
1648 repeating the fault, which is horribly inefficient.
1649 Better would be to execute just this insn uncached, or generate a
1651 cpu_resume_from_signal(cpu, NULL);
1654 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1658 /* Discard jump cache entries for any tb which might potentially
1659 overlap the flushed page. */
1660 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1661 memset(&cpu->tb_jmp_cache[i], 0,
1662 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1664 i = tb_jmp_cache_hash_page(addr);
1665 memset(&cpu->tb_jmp_cache[i], 0,
1666 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1669 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1671 int i, target_code_size, max_target_code_size;
1672 int direct_jmp_count, direct_jmp2_count, cross_page;
1673 TranslationBlock *tb;
1675 target_code_size = 0;
1676 max_target_code_size = 0;
1678 direct_jmp_count = 0;
1679 direct_jmp2_count = 0;
1680 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1681 tb = &tcg_ctx.tb_ctx.tbs[i];
1682 target_code_size += tb->size;
1683 if (tb->size > max_target_code_size) {
1684 max_target_code_size = tb->size;
1686 if (tb->page_addr[1] != -1) {
1689 if (tb->tb_next_offset[0] != 0xffff) {
1691 if (tb->tb_next_offset[1] != 0xffff) {
1692 direct_jmp2_count++;
1696 /* XXX: avoid using doubles ? */
1697 cpu_fprintf(f, "Translation buffer state:\n");
1698 cpu_fprintf(f, "gen code size %td/%zd\n",
1699 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1700 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1701 cpu_fprintf(f, "TB count %d/%d\n",
1702 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1703 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1704 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1705 tcg_ctx.tb_ctx.nb_tbs : 0,
1706 max_target_code_size);
1707 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1708 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1709 tcg_ctx.code_gen_buffer) /
1710 tcg_ctx.tb_ctx.nb_tbs : 0,
1711 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1712 tcg_ctx.code_gen_buffer) /
1713 target_code_size : 0);
1714 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1715 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1716 tcg_ctx.tb_ctx.nb_tbs : 0);
1717 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1719 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1720 tcg_ctx.tb_ctx.nb_tbs : 0,
1722 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1723 tcg_ctx.tb_ctx.nb_tbs : 0);
1724 cpu_fprintf(f, "\nStatistics:\n");
1725 cpu_fprintf(f, "TB flush count %d\n", tcg_ctx.tb_ctx.tb_flush_count);
1726 cpu_fprintf(f, "TB invalidate count %d\n",
1727 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1728 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1729 tcg_dump_info(f, cpu_fprintf);
1732 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1734 tcg_dump_op_count(f, cpu_fprintf);
1737 #else /* CONFIG_USER_ONLY */
1739 void cpu_interrupt(CPUState *cpu, int mask)
1741 cpu->interrupt_request |= mask;
1742 cpu->tcg_exit_req = 1;
1746 * Walks guest process memory "regions" one by one
1747 * and calls callback function 'fn' for each region.
1749 struct walk_memory_regions_data {
1750 walk_memory_regions_fn fn;
1756 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1757 target_ulong end, int new_prot)
1759 if (data->start != -1u) {
1760 int rc = data->fn(data->priv, data->start, end, data->prot);
1766 data->start = (new_prot ? end : -1u);
1767 data->prot = new_prot;
1772 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1773 target_ulong base, int level, void **lp)
1779 return walk_memory_regions_end(data, base, 0);
1785 for (i = 0; i < V_L2_SIZE; ++i) {
1786 int prot = pd[i].flags;
1788 pa = base | (i << TARGET_PAGE_BITS);
1789 if (prot != data->prot) {
1790 rc = walk_memory_regions_end(data, pa, prot);
1799 for (i = 0; i < V_L2_SIZE; ++i) {
1800 pa = base | ((target_ulong)i <<
1801 (TARGET_PAGE_BITS + V_L2_BITS * level));
1802 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
1812 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
1814 struct walk_memory_regions_data data;
1822 for (i = 0; i < V_L1_SIZE; i++) {
1823 int rc = walk_memory_regions_1(&data, (target_ulong)i << (V_L1_SHIFT + TARGET_PAGE_BITS),
1824 V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
1830 return walk_memory_regions_end(&data, 0, 0);
1833 static int dump_region(void *priv, target_ulong start,
1834 target_ulong end, unsigned long prot)
1836 FILE *f = (FILE *)priv;
1838 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
1839 " "TARGET_FMT_lx" %c%c%c\n",
1840 start, end, end - start,
1841 ((prot & PAGE_READ) ? 'r' : '-'),
1842 ((prot & PAGE_WRITE) ? 'w' : '-'),
1843 ((prot & PAGE_EXEC) ? 'x' : '-'));
1848 /* dump memory mappings */
1849 void page_dump(FILE *f)
1851 const int length = sizeof(target_ulong) * 2;
1852 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
1853 length, "start", length, "end", length, "size", "prot");
1854 walk_memory_regions(f, dump_region);
1857 int page_get_flags(target_ulong address)
1861 p = page_find(address >> TARGET_PAGE_BITS);
1868 /* Modify the flags of a page and invalidate the code if necessary.
1869 The flag PAGE_WRITE_ORG is positioned automatically depending
1870 on PAGE_WRITE. The mmap_lock should already be held. */
1871 void page_set_flags(target_ulong start, target_ulong end, int flags)
1873 target_ulong addr, len;
1875 /* This function should never be called with addresses outside the
1876 guest address space. If this assert fires, it probably indicates
1877 a missing call to h2g_valid. */
1878 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1879 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1881 assert(start < end);
1883 start = start & TARGET_PAGE_MASK;
1884 end = TARGET_PAGE_ALIGN(end);
1886 if (flags & PAGE_WRITE) {
1887 flags |= PAGE_WRITE_ORG;
1890 for (addr = start, len = end - start;
1892 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1893 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
1895 /* If the write protection bit is set, then we invalidate
1897 if (!(p->flags & PAGE_WRITE) &&
1898 (flags & PAGE_WRITE) &&
1900 tb_invalidate_phys_page(addr, 0, NULL, false);
1906 int page_check_range(target_ulong start, target_ulong len, int flags)
1912 /* This function should never be called with addresses outside the
1913 guest address space. If this assert fires, it probably indicates
1914 a missing call to h2g_valid. */
1915 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1916 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1922 if (start + len - 1 < start) {
1923 /* We've wrapped around. */
1927 /* must do before we loose bits in the next step */
1928 end = TARGET_PAGE_ALIGN(start + len);
1929 start = start & TARGET_PAGE_MASK;
1931 for (addr = start, len = end - start;
1933 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1934 p = page_find(addr >> TARGET_PAGE_BITS);
1938 if (!(p->flags & PAGE_VALID)) {
1942 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
1945 if (flags & PAGE_WRITE) {
1946 if (!(p->flags & PAGE_WRITE_ORG)) {
1949 /* unprotect the page if it was put read-only because it
1950 contains translated code */
1951 if (!(p->flags & PAGE_WRITE)) {
1952 if (!page_unprotect(addr, 0, NULL)) {
1961 /* called from signal handler: invalidate the code and unprotect the
1962 page. Return TRUE if the fault was successfully handled. */
1963 int page_unprotect(target_ulong address, uintptr_t pc, void *puc)
1967 target_ulong host_start, host_end, addr;
1969 /* Technically this isn't safe inside a signal handler. However we
1970 know this only ever happens in a synchronous SEGV handler, so in
1971 practice it seems to be ok. */
1974 p = page_find(address >> TARGET_PAGE_BITS);
1980 /* if the page was really writable, then we change its
1981 protection back to writable */
1982 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
1983 host_start = address & qemu_host_page_mask;
1984 host_end = host_start + qemu_host_page_size;
1987 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
1988 p = page_find(addr >> TARGET_PAGE_BITS);
1989 p->flags |= PAGE_WRITE;
1992 /* and since the content will be modified, we must invalidate
1993 the corresponding translated code. */
1994 tb_invalidate_phys_page(addr, pc, puc, true);
1995 #ifdef DEBUG_TB_CHECK
1996 tb_invalidate_check(addr);
1999 mprotect((void *)g2h(host_start), qemu_host_page_size,
2008 #endif /* CONFIG_USER_ONLY */
projects / qemu.git / blob