4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
22 #include "qemu/osdep.h"
25 #include "qemu-common.h"
26 #define NO_CPU_IO_DEFS
29 #include "disas/disas.h"
30 #include "exec/exec-all.h"
32 #if defined(CONFIG_USER_ONLY)
34 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
35 #include <sys/param.h>
36 #if __FreeBSD_version >= 700104
37 #define HAVE_KINFO_GETVMMAP
38 #define sigqueue sigqueue_freebsd /* avoid redefinition */
40 #include <machine/profile.h>
49 #include "exec/address-spaces.h"
52 #include "exec/cputlb.h"
53 #include "exec/tb-hash.h"
54 #include "translate-all.h"
55 #include "qemu/bitmap.h"
56 #include "qemu/timer.h"
59 //#define DEBUG_TB_INVALIDATE
61 /* make various TB consistency checks */
62 //#define DEBUG_TB_CHECK
64 #if !defined(CONFIG_USER_ONLY)
65 /* TB consistency checks only implemented for usermode emulation. */
69 #define SMC_BITMAP_USE_THRESHOLD 10
71 typedef struct PageDesc {
72 /* list of TBs intersecting this ram page */
73 TranslationBlock *first_tb;
75 /* in order to optimize self modifying code, we count the number
76 of lookups we do to a given page to use a bitmap */
77 unsigned int code_write_count;
78 unsigned long *code_bitmap;
84 /* In system mode we want L1_MAP to be based on ram offsets,
85 while in user mode we want it to be based on virtual addresses. */
86 #if !defined(CONFIG_USER_ONLY)
87 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
88 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
90 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
93 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
96 /* Size of the L2 (and L3, etc) page tables. */
98 #define V_L2_SIZE (1 << V_L2_BITS)
100 /* The bits remaining after N lower levels of page tables. */
101 #define V_L1_BITS_REM \
102 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS)
104 #if V_L1_BITS_REM < 4
105 #define V_L1_BITS (V_L1_BITS_REM + V_L2_BITS)
107 #define V_L1_BITS V_L1_BITS_REM
110 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
112 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
114 uintptr_t qemu_host_page_size;
115 intptr_t qemu_host_page_mask;
117 /* The bottom level has pointers to PageDesc */
118 static void *l1_map[V_L1_SIZE];
120 /* code generation context */
123 /* translation block context */
124 #ifdef CONFIG_USER_ONLY
125 __thread int have_tb_lock;
130 #ifdef CONFIG_USER_ONLY
131 assert(!have_tb_lock);
132 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
139 #ifdef CONFIG_USER_ONLY
140 assert(have_tb_lock);
142 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
146 void tb_lock_reset(void)
148 #ifdef CONFIG_USER_ONLY
150 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
156 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
158 void cpu_gen_init(void)
160 tcg_context_init(&tcg_ctx);
163 /* Encode VAL as a signed leb128 sequence at P.
164 Return P incremented past the encoded value. */
165 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
172 more = !((val == 0 && (byte & 0x40) == 0)
173 || (val == -1 && (byte & 0x40) != 0));
183 /* Decode a signed leb128 sequence at *PP; increment *PP past the
184 decoded value. Return the decoded value. */
185 static target_long decode_sleb128(uint8_t **pp)
193 val |= (target_ulong)(byte & 0x7f) << shift;
195 } while (byte & 0x80);
196 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
197 val |= -(target_ulong)1 << shift;
204 /* Encode the data collected about the instructions while compiling TB.
205 Place the data at BLOCK, and return the number of bytes consumed.
207 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's,
208 which come from the target's insn_start data, followed by a uintptr_t
209 which comes from the host pc of the end of the code implementing the insn.
211 Each line of the table is encoded as sleb128 deltas from the previous
212 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
213 That is, the first column is seeded with the guest pc, the last column
214 with the host pc, and the middle columns with zeros. */
216 static int encode_search(TranslationBlock *tb, uint8_t *block)
218 uint8_t *highwater = tcg_ctx.code_gen_highwater;
222 tb->tc_search = block;
224 for (i = 0, n = tb->icount; i < n; ++i) {
227 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
229 prev = (j == 0 ? tb->pc : 0);
231 prev = tcg_ctx.gen_insn_data[i - 1][j];
233 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
235 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
236 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
238 /* Test for (pending) buffer overflow. The assumption is that any
239 one row beginning below the high water mark cannot overrun
240 the buffer completely. Thus we can test for overflow after
241 encoding a row without having to check during encoding. */
242 if (unlikely(p > highwater)) {
250 /* The cpu state corresponding to 'searched_pc' is restored. */
251 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
252 uintptr_t searched_pc)
254 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
255 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
256 CPUArchState *env = cpu->env_ptr;
257 uint8_t *p = tb->tc_search;
258 int i, j, num_insns = tb->icount;
259 #ifdef CONFIG_PROFILER
260 int64_t ti = profile_getclock();
263 if (searched_pc < host_pc) {
267 /* Reconstruct the stored insn data while looking for the point at
268 which the end of the insn exceeds the searched_pc. */
269 for (i = 0; i < num_insns; ++i) {
270 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
271 data[j] += decode_sleb128(&p);
273 host_pc += decode_sleb128(&p);
274 if (host_pc > searched_pc) {
281 if (tb->cflags & CF_USE_ICOUNT) {
283 /* Reset the cycle counter to the start of the block. */
284 cpu->icount_decr.u16.low += num_insns;
285 /* Clear the IO flag. */
288 cpu->icount_decr.u16.low -= i;
289 restore_state_to_opc(env, tb, data);
291 #ifdef CONFIG_PROFILER
292 tcg_ctx.restore_time += profile_getclock() - ti;
293 tcg_ctx.restore_count++;
298 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
300 TranslationBlock *tb;
302 tb = tb_find_pc(retaddr);
304 cpu_restore_state_from_tb(cpu, tb, retaddr);
305 if (tb->cflags & CF_NOCACHE) {
306 /* one-shot translation, invalidate it immediately */
307 tb_phys_invalidate(tb, -1);
315 void page_size_init(void)
317 /* NOTE: we can always suppose that qemu_host_page_size >=
319 qemu_real_host_page_size = getpagesize();
320 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
321 if (qemu_host_page_size == 0) {
322 qemu_host_page_size = qemu_real_host_page_size;
324 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
325 qemu_host_page_size = TARGET_PAGE_SIZE;
327 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
330 static void page_init(void)
333 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
335 #ifdef HAVE_KINFO_GETVMMAP
336 struct kinfo_vmentry *freep;
339 freep = kinfo_getvmmap(getpid(), &cnt);
342 for (i = 0; i < cnt; i++) {
343 unsigned long startaddr, endaddr;
345 startaddr = freep[i].kve_start;
346 endaddr = freep[i].kve_end;
347 if (h2g_valid(startaddr)) {
348 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
350 if (h2g_valid(endaddr)) {
351 endaddr = h2g(endaddr);
352 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
354 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
356 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
367 last_brk = (unsigned long)sbrk(0);
369 f = fopen("/compat/linux/proc/self/maps", "r");
374 unsigned long startaddr, endaddr;
377 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
379 if (n == 2 && h2g_valid(startaddr)) {
380 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
382 if (h2g_valid(endaddr)) {
383 endaddr = h2g(endaddr);
387 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
400 * Called with mmap_lock held for user-mode emulation.
402 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
408 /* Level 1. Always allocated. */
409 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
412 for (i = V_L1_SHIFT / V_L2_BITS - 1; i > 0; i--) {
413 void **p = atomic_rcu_read(lp);
419 p = g_new0(void *, V_L2_SIZE);
420 atomic_rcu_set(lp, p);
423 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
426 pd = atomic_rcu_read(lp);
431 pd = g_new0(PageDesc, V_L2_SIZE);
432 atomic_rcu_set(lp, pd);
435 return pd + (index & (V_L2_SIZE - 1));
438 static inline PageDesc *page_find(tb_page_addr_t index)
440 return page_find_alloc(index, 0);
443 #if defined(CONFIG_USER_ONLY)
444 /* Currently it is not recommended to allocate big chunks of data in
445 user mode. It will change when a dedicated libc will be used. */
446 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
447 region in which the guest needs to run. Revisit this. */
448 #define USE_STATIC_CODE_GEN_BUFFER
451 /* Minimum size of the code gen buffer. This number is randomly chosen,
452 but not so small that we can't have a fair number of TB's live. */
453 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
455 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
456 indicated, this is constrained by the range of direct branches on the
457 host cpu, as used by the TCG implementation of goto_tb. */
458 #if defined(__x86_64__)
459 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
460 #elif defined(__sparc__)
461 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
462 #elif defined(__powerpc64__)
463 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
464 #elif defined(__powerpc__)
465 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024)
466 #elif defined(__aarch64__)
467 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
468 #elif defined(__arm__)
469 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
470 #elif defined(__s390x__)
471 /* We have a +- 4GB range on the branches; leave some slop. */
472 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
473 #elif defined(__mips__)
474 /* We have a 256MB branch region, but leave room to make sure the
475 main executable is also within that region. */
476 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
478 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
481 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
483 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
484 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
485 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
487 static inline size_t size_code_gen_buffer(size_t tb_size)
489 /* Size the buffer. */
491 #ifdef USE_STATIC_CODE_GEN_BUFFER
492 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
494 /* ??? Needs adjustments. */
495 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
496 static buffer, we could size this on RESERVED_VA, on the text
497 segment size of the executable, or continue to use the default. */
498 tb_size = (unsigned long)(ram_size / 4);
501 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
502 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
504 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
505 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
511 /* In order to use J and JAL within the code_gen_buffer, we require
512 that the buffer not cross a 256MB boundary. */
513 static inline bool cross_256mb(void *addr, size_t size)
515 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
518 /* We weren't able to allocate a buffer without crossing that boundary,
519 so make do with the larger portion of the buffer that doesn't cross.
520 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
521 static inline void *split_cross_256mb(void *buf1, size_t size1)
523 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
524 size_t size2 = buf1 + size1 - buf2;
532 tcg_ctx.code_gen_buffer_size = size1;
537 #ifdef USE_STATIC_CODE_GEN_BUFFER
538 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
539 __attribute__((aligned(CODE_GEN_ALIGN)));
542 static inline void do_protect(void *addr, long size, int prot)
545 VirtualProtect(addr, size, prot, &old_protect);
548 static inline void map_exec(void *addr, long size)
550 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
553 static inline void map_none(void *addr, long size)
555 do_protect(addr, size, PAGE_NOACCESS);
558 static inline void do_protect(void *addr, long size, int prot)
560 uintptr_t start, end;
562 start = (uintptr_t)addr;
563 start &= qemu_real_host_page_mask;
565 end = (uintptr_t)addr + size;
566 end = ROUND_UP(end, qemu_real_host_page_size);
568 mprotect((void *)start, end - start, prot);
571 static inline void map_exec(void *addr, long size)
573 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
576 static inline void map_none(void *addr, long size)
578 do_protect(addr, size, PROT_NONE);
582 static inline void *alloc_code_gen_buffer(void)
584 void *buf = static_code_gen_buffer;
585 size_t full_size, size;
587 /* The size of the buffer, rounded down to end on a page boundary. */
588 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
589 & qemu_real_host_page_mask) - (uintptr_t)buf;
591 /* Reserve a guard page. */
592 size = full_size - qemu_real_host_page_size;
594 /* Honor a command-line option limiting the size of the buffer. */
595 if (size > tcg_ctx.code_gen_buffer_size) {
596 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
597 & qemu_real_host_page_mask) - (uintptr_t)buf;
599 tcg_ctx.code_gen_buffer_size = size;
602 if (cross_256mb(buf, size)) {
603 buf = split_cross_256mb(buf, size);
604 size = tcg_ctx.code_gen_buffer_size;
609 map_none(buf + size, qemu_real_host_page_size);
610 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
614 #elif defined(_WIN32)
615 static inline void *alloc_code_gen_buffer(void)
617 size_t size = tcg_ctx.code_gen_buffer_size;
620 /* Perform the allocation in two steps, so that the guard page
621 is reserved but uncommitted. */
622 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
623 MEM_RESERVE, PAGE_NOACCESS);
625 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
626 assert(buf1 == buf2);
632 static inline void *alloc_code_gen_buffer(void)
634 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
636 size_t size = tcg_ctx.code_gen_buffer_size;
639 /* Constrain the position of the buffer based on the host cpu.
640 Note that these addresses are chosen in concert with the
641 addresses assigned in the relevant linker script file. */
642 # if defined(__PIE__) || defined(__PIC__)
643 /* Don't bother setting a preferred location if we're building
644 a position-independent executable. We're more likely to get
645 an address near the main executable if we let the kernel
646 choose the address. */
647 # elif defined(__x86_64__) && defined(MAP_32BIT)
648 /* Force the memory down into low memory with the executable.
649 Leave the choice of exact location with the kernel. */
651 /* Cannot expect to map more than 800MB in low memory. */
652 if (size > 800u * 1024 * 1024) {
653 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
655 # elif defined(__sparc__)
656 start = 0x40000000ul;
657 # elif defined(__s390x__)
658 start = 0x90000000ul;
659 # elif defined(__mips__)
660 # if _MIPS_SIM == _ABI64
661 start = 0x128000000ul;
663 start = 0x08000000ul;
667 buf = mmap((void *)start, size + qemu_real_host_page_size,
668 PROT_NONE, flags, -1, 0);
669 if (buf == MAP_FAILED) {
674 if (cross_256mb(buf, size)) {
675 /* Try again, with the original still mapped, to avoid re-acquiring
676 that 256mb crossing. This time don't specify an address. */
678 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
679 PROT_NONE, flags, -1, 0);
680 switch (buf2 != MAP_FAILED) {
682 if (!cross_256mb(buf2, size)) {
683 /* Success! Use the new buffer. */
684 munmap(buf, size + qemu_real_host_page_size);
687 /* Failure. Work with what we had. */
688 munmap(buf2, size + qemu_real_host_page_size);
691 /* Split the original buffer. Free the smaller half. */
692 buf2 = split_cross_256mb(buf, size);
693 size2 = tcg_ctx.code_gen_buffer_size;
695 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
697 munmap(buf, size - size2);
706 /* Make the final buffer accessible. The guard page at the end
707 will remain inaccessible with PROT_NONE. */
708 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
710 /* Request large pages for the buffer. */
711 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
715 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
717 static inline void code_gen_alloc(size_t tb_size)
719 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
720 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
721 if (tcg_ctx.code_gen_buffer == NULL) {
722 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
726 /* Estimate a good size for the number of TBs we can support. We
727 still haven't deducted the prologue from the buffer size here,
728 but that's minimal and won't affect the estimate much. */
729 tcg_ctx.code_gen_max_blocks
730 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
731 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
733 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
736 static void tb_htable_init(void)
738 unsigned int mode = QHT_MODE_AUTO_RESIZE;
740 qht_init(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode);
743 /* Must be called before using the QEMU cpus. 'tb_size' is the size
744 (in bytes) allocated to the translation buffer. Zero means default
746 void tcg_exec_init(unsigned long tb_size)
751 code_gen_alloc(tb_size);
752 #if defined(CONFIG_SOFTMMU)
753 /* There's no guest base to take into account, so go ahead and
754 initialize the prologue now. */
755 tcg_prologue_init(&tcg_ctx);
759 bool tcg_enabled(void)
761 return tcg_ctx.code_gen_buffer != NULL;
764 /* Allocate a new translation block. Flush the translation buffer if
765 too many translation blocks or too much generated code. */
766 static TranslationBlock *tb_alloc(target_ulong pc)
768 TranslationBlock *tb;
770 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
773 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
780 void tb_free(TranslationBlock *tb)
782 /* In practice this is mostly used for single use temporary TB
783 Ignore the hard cases and just back up if this TB happens to
784 be the last one generated. */
785 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
786 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
787 tcg_ctx.code_gen_ptr = tb->tc_ptr;
788 tcg_ctx.tb_ctx.nb_tbs--;
792 static inline void invalidate_page_bitmap(PageDesc *p)
794 #ifdef CONFIG_SOFTMMU
795 g_free(p->code_bitmap);
796 p->code_bitmap = NULL;
797 p->code_write_count = 0;
801 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
802 static void page_flush_tb_1(int level, void **lp)
812 for (i = 0; i < V_L2_SIZE; ++i) {
813 pd[i].first_tb = NULL;
814 invalidate_page_bitmap(pd + i);
819 for (i = 0; i < V_L2_SIZE; ++i) {
820 page_flush_tb_1(level - 1, pp + i);
825 static void page_flush_tb(void)
829 for (i = 0; i < V_L1_SIZE; i++) {
830 page_flush_tb_1(V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
834 /* flush all the translation blocks */
835 /* XXX: tb_flush is currently not thread safe */
836 void tb_flush(CPUState *cpu)
838 if (!tcg_enabled()) {
841 #if defined(DEBUG_FLUSH)
842 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
843 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
844 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
845 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
846 tcg_ctx.tb_ctx.nb_tbs : 0);
848 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
849 > tcg_ctx.code_gen_buffer_size) {
850 cpu_abort(cpu, "Internal error: code buffer overflow\n");
856 for (i = 0; i < TB_JMP_CACHE_SIZE; ++i) {
857 atomic_set(&cpu->tb_jmp_cache[i], NULL);
859 atomic_mb_set(&cpu->tb_flushed, true);
862 tcg_ctx.tb_ctx.nb_tbs = 0;
863 qht_reset_size(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE);
866 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
867 /* XXX: flush processor icache at this point if cache flush is
869 tcg_ctx.tb_ctx.tb_flush_count++;
872 #ifdef DEBUG_TB_CHECK
875 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp)
877 TranslationBlock *tb = p;
878 target_ulong addr = *(target_ulong *)userp;
880 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) {
881 printf("ERROR invalidate: address=" TARGET_FMT_lx
882 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size);
886 static void tb_invalidate_check(target_ulong address)
888 address &= TARGET_PAGE_MASK;
889 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_invalidate_check, &address);
893 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp)
895 TranslationBlock *tb = p;
898 flags1 = page_get_flags(tb->pc);
899 flags2 = page_get_flags(tb->pc + tb->size - 1);
900 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
901 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
902 (long)tb->pc, tb->size, flags1, flags2);
906 /* verify that all the pages have correct rights for code */
907 static void tb_page_check(void)
909 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_page_check, NULL);
914 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
916 TranslationBlock *tb1;
921 n1 = (uintptr_t)tb1 & 3;
922 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
924 *ptb = tb1->page_next[n1];
927 ptb = &tb1->page_next[n1];
931 /* remove the TB from a list of TBs jumping to the n-th jump target of the TB */
932 static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n)
934 TranslationBlock *tb1;
938 ptb = &tb->jmp_list_next[n];
940 /* find tb(n) in circular list */
944 tb1 = (TranslationBlock *)(ntb & ~3);
945 if (n1 == n && tb1 == tb) {
949 ptb = &tb1->jmp_list_first;
951 ptb = &tb1->jmp_list_next[n1];
954 /* now we can suppress tb(n) from the list */
955 *ptb = tb->jmp_list_next[n];
957 tb->jmp_list_next[n] = (uintptr_t)NULL;
961 /* reset the jump entry 'n' of a TB so that it is not chained to
963 static inline void tb_reset_jump(TranslationBlock *tb, int n)
965 uintptr_t addr = (uintptr_t)(tb->tc_ptr + tb->jmp_reset_offset[n]);
966 tb_set_jmp_target(tb, n, addr);
969 /* remove any jumps to the TB */
970 static inline void tb_jmp_unlink(TranslationBlock *tb)
972 TranslationBlock *tb1;
976 ptb = &tb->jmp_list_first;
980 tb1 = (TranslationBlock *)(ntb & ~3);
984 tb_reset_jump(tb1, n1);
985 *ptb = tb1->jmp_list_next[n1];
986 tb1->jmp_list_next[n1] = (uintptr_t)NULL;
990 /* invalidate one TB */
991 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
996 tb_page_addr_t phys_pc;
998 atomic_set(&tb->invalid, true);
1000 /* remove the TB from the hash list */
1001 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1002 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
1003 qht_remove(&tcg_ctx.tb_ctx.htable, tb, h);
1005 /* remove the TB from the page list */
1006 if (tb->page_addr[0] != page_addr) {
1007 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
1008 tb_page_remove(&p->first_tb, tb);
1009 invalidate_page_bitmap(p);
1011 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
1012 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
1013 tb_page_remove(&p->first_tb, tb);
1014 invalidate_page_bitmap(p);
1017 /* remove the TB from the hash list */
1018 h = tb_jmp_cache_hash_func(tb->pc);
1020 if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) {
1021 atomic_set(&cpu->tb_jmp_cache[h], NULL);
1025 /* suppress this TB from the two jump lists */
1026 tb_remove_from_jmp_list(tb, 0);
1027 tb_remove_from_jmp_list(tb, 1);
1029 /* suppress any remaining jumps to this TB */
1032 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1035 #ifdef CONFIG_SOFTMMU
1036 static void build_page_bitmap(PageDesc *p)
1038 int n, tb_start, tb_end;
1039 TranslationBlock *tb;
1041 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1044 while (tb != NULL) {
1045 n = (uintptr_t)tb & 3;
1046 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1047 /* NOTE: this is subtle as a TB may span two physical pages */
1049 /* NOTE: tb_end may be after the end of the page, but
1050 it is not a problem */
1051 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1052 tb_end = tb_start + tb->size;
1053 if (tb_end > TARGET_PAGE_SIZE) {
1054 tb_end = TARGET_PAGE_SIZE;
1058 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1060 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1061 tb = tb->page_next[n];
1066 /* add the tb in the target page and protect it if necessary
1068 * Called with mmap_lock held for user-mode emulation.
1070 static inline void tb_alloc_page(TranslationBlock *tb,
1071 unsigned int n, tb_page_addr_t page_addr)
1074 #ifndef CONFIG_USER_ONLY
1075 bool page_already_protected;
1078 tb->page_addr[n] = page_addr;
1079 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1080 tb->page_next[n] = p->first_tb;
1081 #ifndef CONFIG_USER_ONLY
1082 page_already_protected = p->first_tb != NULL;
1084 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1085 invalidate_page_bitmap(p);
1087 #if defined(CONFIG_USER_ONLY)
1088 if (p->flags & PAGE_WRITE) {
1093 /* force the host page as non writable (writes will have a
1094 page fault + mprotect overhead) */
1095 page_addr &= qemu_host_page_mask;
1097 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1098 addr += TARGET_PAGE_SIZE) {
1100 p2 = page_find(addr >> TARGET_PAGE_BITS);
1105 p2->flags &= ~PAGE_WRITE;
1107 mprotect(g2h(page_addr), qemu_host_page_size,
1108 (prot & PAGE_BITS) & ~PAGE_WRITE);
1109 #ifdef DEBUG_TB_INVALIDATE
1110 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1115 /* if some code is already present, then the pages are already
1116 protected. So we handle the case where only the first TB is
1117 allocated in a physical page */
1118 if (!page_already_protected) {
1119 tlb_protect_code(page_addr);
1124 /* add a new TB and link it to the physical page tables. phys_page2 is
1125 * (-1) to indicate that only one page contains the TB.
1127 * Called with mmap_lock held for user-mode emulation.
1129 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1130 tb_page_addr_t phys_page2)
1134 /* add in the page list */
1135 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1136 if (phys_page2 != -1) {
1137 tb_alloc_page(tb, 1, phys_page2);
1139 tb->page_addr[1] = -1;
1142 /* add in the hash table */
1143 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
1144 qht_insert(&tcg_ctx.tb_ctx.htable, tb, h);
1146 #ifdef DEBUG_TB_CHECK
1151 /* Called with mmap_lock held for user mode emulation. */
1152 TranslationBlock *tb_gen_code(CPUState *cpu,
1153 target_ulong pc, target_ulong cs_base,
1154 uint32_t flags, int cflags)
1156 CPUArchState *env = cpu->env_ptr;
1157 TranslationBlock *tb;
1158 tb_page_addr_t phys_pc, phys_page2;
1159 target_ulong virt_page2;
1160 tcg_insn_unit *gen_code_buf;
1161 int gen_code_size, search_size;
1162 #ifdef CONFIG_PROFILER
1166 phys_pc = get_page_addr_code(env, pc);
1167 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1168 cflags |= CF_USE_ICOUNT;
1172 if (unlikely(!tb)) {
1174 /* flush must be done */
1176 /* cannot fail at this point */
1181 gen_code_buf = tcg_ctx.code_gen_ptr;
1182 tb->tc_ptr = gen_code_buf;
1183 tb->cs_base = cs_base;
1185 tb->cflags = cflags;
1187 #ifdef CONFIG_PROFILER
1188 tcg_ctx.tb_count1++; /* includes aborted translations because of
1190 ti = profile_getclock();
1193 tcg_func_start(&tcg_ctx);
1195 tcg_ctx.cpu = ENV_GET_CPU(env);
1196 gen_intermediate_code(env, tb);
1199 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1201 /* generate machine code */
1202 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
1203 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
1204 tcg_ctx.tb_jmp_reset_offset = tb->jmp_reset_offset;
1205 #ifdef USE_DIRECT_JUMP
1206 tcg_ctx.tb_jmp_insn_offset = tb->jmp_insn_offset;
1207 tcg_ctx.tb_jmp_target_addr = NULL;
1209 tcg_ctx.tb_jmp_insn_offset = NULL;
1210 tcg_ctx.tb_jmp_target_addr = tb->jmp_target_addr;
1213 #ifdef CONFIG_PROFILER
1215 tcg_ctx.interm_time += profile_getclock() - ti;
1216 tcg_ctx.code_time -= profile_getclock();
1219 /* ??? Overflow could be handled better here. In particular, we
1220 don't need to re-do gen_intermediate_code, nor should we re-do
1221 the tcg optimization currently hidden inside tcg_gen_code. All
1222 that should be required is to flush the TBs, allocate a new TB,
1223 re-initialize it per above, and re-do the actual code generation. */
1224 gen_code_size = tcg_gen_code(&tcg_ctx, tb);
1225 if (unlikely(gen_code_size < 0)) {
1226 goto buffer_overflow;
1228 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1229 if (unlikely(search_size < 0)) {
1230 goto buffer_overflow;
1233 #ifdef CONFIG_PROFILER
1234 tcg_ctx.code_time += profile_getclock();
1235 tcg_ctx.code_in_len += tb->size;
1236 tcg_ctx.code_out_len += gen_code_size;
1237 tcg_ctx.search_out_len += search_size;
1241 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) &&
1242 qemu_log_in_addr_range(tb->pc)) {
1243 qemu_log("OUT: [size=%d]\n", gen_code_size);
1244 log_disas(tb->tc_ptr, gen_code_size);
1250 tcg_ctx.code_gen_ptr = (void *)
1251 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1254 /* init jump list */
1255 assert(((uintptr_t)tb & 3) == 0);
1256 tb->jmp_list_first = (uintptr_t)tb | 2;
1257 tb->jmp_list_next[0] = (uintptr_t)NULL;
1258 tb->jmp_list_next[1] = (uintptr_t)NULL;
1260 /* init original jump addresses wich has been set during tcg_gen_code() */
1261 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1262 tb_reset_jump(tb, 0);
1264 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1265 tb_reset_jump(tb, 1);
1268 /* check next page if needed */
1269 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1271 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1272 phys_page2 = get_page_addr_code(env, virt_page2);
1274 /* As long as consistency of the TB stuff is provided by tb_lock in user
1275 * mode and is implicit in single-threaded softmmu emulation, no explicit
1276 * memory barrier is required before tb_link_page() makes the TB visible
1277 * through the physical hash table and physical page list.
1279 tb_link_page(tb, phys_pc, phys_page2);
1284 * Invalidate all TBs which intersect with the target physical address range
1285 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1286 * 'is_cpu_write_access' should be true if called from a real cpu write
1287 * access: the virtual CPU will exit the current TB if code is modified inside
1290 * Called with mmap_lock held for user-mode emulation
1292 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1294 while (start < end) {
1295 tb_invalidate_phys_page_range(start, end, 0);
1296 start &= TARGET_PAGE_MASK;
1297 start += TARGET_PAGE_SIZE;
1302 * Invalidate all TBs which intersect with the target physical address range
1303 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1304 * 'is_cpu_write_access' should be true if called from a real cpu write
1305 * access: the virtual CPU will exit the current TB if code is modified inside
1308 * Called with mmap_lock held for user-mode emulation
1310 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1311 int is_cpu_write_access)
1313 TranslationBlock *tb, *tb_next;
1314 #if defined(TARGET_HAS_PRECISE_SMC)
1315 CPUState *cpu = current_cpu;
1316 CPUArchState *env = NULL;
1318 tb_page_addr_t tb_start, tb_end;
1321 #ifdef TARGET_HAS_PRECISE_SMC
1322 int current_tb_not_found = is_cpu_write_access;
1323 TranslationBlock *current_tb = NULL;
1324 int current_tb_modified = 0;
1325 target_ulong current_pc = 0;
1326 target_ulong current_cs_base = 0;
1327 uint32_t current_flags = 0;
1328 #endif /* TARGET_HAS_PRECISE_SMC */
1330 p = page_find(start >> TARGET_PAGE_BITS);
1334 #if defined(TARGET_HAS_PRECISE_SMC)
1340 /* we remove all the TBs in the range [start, end[ */
1341 /* XXX: see if in some cases it could be faster to invalidate all
1344 while (tb != NULL) {
1345 n = (uintptr_t)tb & 3;
1346 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1347 tb_next = tb->page_next[n];
1348 /* NOTE: this is subtle as a TB may span two physical pages */
1350 /* NOTE: tb_end may be after the end of the page, but
1351 it is not a problem */
1352 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1353 tb_end = tb_start + tb->size;
1355 tb_start = tb->page_addr[1];
1356 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1358 if (!(tb_end <= start || tb_start >= end)) {
1359 #ifdef TARGET_HAS_PRECISE_SMC
1360 if (current_tb_not_found) {
1361 current_tb_not_found = 0;
1363 if (cpu->mem_io_pc) {
1364 /* now we have a real cpu fault */
1365 current_tb = tb_find_pc(cpu->mem_io_pc);
1368 if (current_tb == tb &&
1369 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1370 /* If we are modifying the current TB, we must stop
1371 its execution. We could be more precise by checking
1372 that the modification is after the current PC, but it
1373 would require a specialized function to partially
1374 restore the CPU state */
1376 current_tb_modified = 1;
1377 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1378 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1381 #endif /* TARGET_HAS_PRECISE_SMC */
1382 tb_phys_invalidate(tb, -1);
1386 #if !defined(CONFIG_USER_ONLY)
1387 /* if no code remaining, no need to continue to use slow writes */
1389 invalidate_page_bitmap(p);
1390 tlb_unprotect_code(start);
1393 #ifdef TARGET_HAS_PRECISE_SMC
1394 if (current_tb_modified) {
1395 /* we generate a block containing just the instruction
1396 modifying the memory. It will ensure that it cannot modify
1398 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1399 cpu_loop_exit_noexc(cpu);
1404 #ifdef CONFIG_SOFTMMU
1405 /* len must be <= 8 and start must be a multiple of len */
1406 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1412 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1413 cpu_single_env->mem_io_vaddr, len,
1414 cpu_single_env->eip,
1415 cpu_single_env->eip +
1416 (intptr_t)cpu_single_env->segs[R_CS].base);
1419 p = page_find(start >> TARGET_PAGE_BITS);
1423 if (!p->code_bitmap &&
1424 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1425 /* build code bitmap */
1426 build_page_bitmap(p);
1428 if (p->code_bitmap) {
1432 nr = start & ~TARGET_PAGE_MASK;
1433 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1434 if (b & ((1 << len) - 1)) {
1439 tb_invalidate_phys_page_range(start, start + len, 1);
1443 /* Called with mmap_lock held. If pc is not 0 then it indicates the
1444 * host PC of the faulting store instruction that caused this invalidate.
1445 * Returns true if the caller needs to abort execution of the current
1446 * TB (because it was modified by this store and the guest CPU has
1447 * precise-SMC semantics).
1449 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
1451 TranslationBlock *tb;
1454 #ifdef TARGET_HAS_PRECISE_SMC
1455 TranslationBlock *current_tb = NULL;
1456 CPUState *cpu = current_cpu;
1457 CPUArchState *env = NULL;
1458 int current_tb_modified = 0;
1459 target_ulong current_pc = 0;
1460 target_ulong current_cs_base = 0;
1461 uint32_t current_flags = 0;
1464 addr &= TARGET_PAGE_MASK;
1465 p = page_find(addr >> TARGET_PAGE_BITS);
1470 #ifdef TARGET_HAS_PRECISE_SMC
1471 if (tb && pc != 0) {
1472 current_tb = tb_find_pc(pc);
1478 while (tb != NULL) {
1479 n = (uintptr_t)tb & 3;
1480 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1481 #ifdef TARGET_HAS_PRECISE_SMC
1482 if (current_tb == tb &&
1483 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1484 /* If we are modifying the current TB, we must stop
1485 its execution. We could be more precise by checking
1486 that the modification is after the current PC, but it
1487 would require a specialized function to partially
1488 restore the CPU state */
1490 current_tb_modified = 1;
1491 cpu_restore_state_from_tb(cpu, current_tb, pc);
1492 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1495 #endif /* TARGET_HAS_PRECISE_SMC */
1496 tb_phys_invalidate(tb, addr);
1497 tb = tb->page_next[n];
1500 #ifdef TARGET_HAS_PRECISE_SMC
1501 if (current_tb_modified) {
1502 /* we generate a block containing just the instruction
1503 modifying the memory. It will ensure that it cannot modify
1505 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1513 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1514 tb[1].tc_ptr. Return NULL if not found */
1515 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1517 int m_min, m_max, m;
1519 TranslationBlock *tb;
1521 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1524 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1525 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1528 /* binary search (cf Knuth) */
1530 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1531 while (m_min <= m_max) {
1532 m = (m_min + m_max) >> 1;
1533 tb = &tcg_ctx.tb_ctx.tbs[m];
1534 v = (uintptr_t)tb->tc_ptr;
1537 } else if (tc_ptr < v) {
1543 return &tcg_ctx.tb_ctx.tbs[m_max];
1546 #if !defined(CONFIG_USER_ONLY)
1547 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1549 ram_addr_t ram_addr;
1554 mr = address_space_translate(as, addr, &addr, &l, false);
1555 if (!(memory_region_is_ram(mr)
1556 || memory_region_is_romd(mr))) {
1560 ram_addr = memory_region_get_ram_addr(mr) + addr;
1561 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1564 #endif /* !defined(CONFIG_USER_ONLY) */
1566 void tb_check_watchpoint(CPUState *cpu)
1568 TranslationBlock *tb;
1570 tb = tb_find_pc(cpu->mem_io_pc);
1572 /* We can use retranslation to find the PC. */
1573 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1574 tb_phys_invalidate(tb, -1);
1576 /* The exception probably happened in a helper. The CPU state should
1577 have been saved before calling it. Fetch the PC from there. */
1578 CPUArchState *env = cpu->env_ptr;
1579 target_ulong pc, cs_base;
1580 tb_page_addr_t addr;
1583 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1584 addr = get_page_addr_code(env, pc);
1585 tb_invalidate_phys_range(addr, addr + 1);
1589 #ifndef CONFIG_USER_ONLY
1590 /* in deterministic execution mode, instructions doing device I/Os
1591 must be at the end of the TB */
1592 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1594 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1595 CPUArchState *env = cpu->env_ptr;
1597 TranslationBlock *tb;
1599 target_ulong pc, cs_base;
1602 tb = tb_find_pc(retaddr);
1604 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1607 n = cpu->icount_decr.u16.low + tb->icount;
1608 cpu_restore_state_from_tb(cpu, tb, retaddr);
1609 /* Calculate how many instructions had been executed before the fault
1611 n = n - cpu->icount_decr.u16.low;
1612 /* Generate a new TB ending on the I/O insn. */
1614 /* On MIPS and SH, delay slot instructions can only be restarted if
1615 they were already the first instruction in the TB. If this is not
1616 the first instruction in a TB then re-execute the preceding
1618 #if defined(TARGET_MIPS)
1619 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1620 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1621 cpu->icount_decr.u16.low++;
1622 env->hflags &= ~MIPS_HFLAG_BMASK;
1624 #elif defined(TARGET_SH4)
1625 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1628 cpu->icount_decr.u16.low++;
1629 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1632 /* This should never happen. */
1633 if (n > CF_COUNT_MASK) {
1634 cpu_abort(cpu, "TB too big during recompile");
1637 cflags = n | CF_LAST_IO;
1639 cs_base = tb->cs_base;
1641 tb_phys_invalidate(tb, -1);
1642 if (tb->cflags & CF_NOCACHE) {
1644 /* Invalidate original TB if this TB was generated in
1645 * cpu_exec_nocache() */
1646 tb_phys_invalidate(tb->orig_tb, -1);
1650 /* FIXME: In theory this could raise an exception. In practice
1651 we have already translated the block once so it's probably ok. */
1652 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1653 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1654 the first in the TB) then we end up generating a whole new TB and
1655 repeating the fault, which is horribly inefficient.
1656 Better would be to execute just this insn uncached, or generate a
1658 cpu_loop_exit_noexc(cpu);
1661 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1665 /* Discard jump cache entries for any tb which might potentially
1666 overlap the flushed page. */
1667 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1668 memset(&cpu->tb_jmp_cache[i], 0,
1669 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1671 i = tb_jmp_cache_hash_page(addr);
1672 memset(&cpu->tb_jmp_cache[i], 0,
1673 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1676 static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf,
1677 struct qht_stats hst)
1679 uint32_t hgram_opts;
1683 if (!hst.head_buckets) {
1686 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n",
1687 hst.used_head_buckets, hst.head_buckets,
1688 (double)hst.used_head_buckets / hst.head_buckets * 100);
1690 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1691 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT;
1692 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) {
1693 hgram_opts |= QDIST_PR_NODECIMAL;
1695 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts);
1696 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n",
1697 qdist_avg(&hst.occupancy) * 100, hgram);
1700 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1701 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain);
1702 if (hgram_bins > 10) {
1706 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE;
1708 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts);
1709 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n",
1710 qdist_avg(&hst.chain), hgram);
1714 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1716 int i, target_code_size, max_target_code_size;
1717 int direct_jmp_count, direct_jmp2_count, cross_page;
1718 TranslationBlock *tb;
1719 struct qht_stats hst;
1721 target_code_size = 0;
1722 max_target_code_size = 0;
1724 direct_jmp_count = 0;
1725 direct_jmp2_count = 0;
1726 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1727 tb = &tcg_ctx.tb_ctx.tbs[i];
1728 target_code_size += tb->size;
1729 if (tb->size > max_target_code_size) {
1730 max_target_code_size = tb->size;
1732 if (tb->page_addr[1] != -1) {
1735 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1737 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1738 direct_jmp2_count++;
1742 /* XXX: avoid using doubles ? */
1743 cpu_fprintf(f, "Translation buffer state:\n");
1744 cpu_fprintf(f, "gen code size %td/%zd\n",
1745 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1746 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1747 cpu_fprintf(f, "TB count %d/%d\n",
1748 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1749 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1750 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1751 tcg_ctx.tb_ctx.nb_tbs : 0,
1752 max_target_code_size);
1753 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1754 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1755 tcg_ctx.code_gen_buffer) /
1756 tcg_ctx.tb_ctx.nb_tbs : 0,
1757 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1758 tcg_ctx.code_gen_buffer) /
1759 target_code_size : 0);
1760 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1761 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1762 tcg_ctx.tb_ctx.nb_tbs : 0);
1763 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1765 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1766 tcg_ctx.tb_ctx.nb_tbs : 0,
1768 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1769 tcg_ctx.tb_ctx.nb_tbs : 0);
1771 qht_statistics_init(&tcg_ctx.tb_ctx.htable, &hst);
1772 print_qht_statistics(f, cpu_fprintf, hst);
1773 qht_statistics_destroy(&hst);
1775 cpu_fprintf(f, "\nStatistics:\n");
1776 cpu_fprintf(f, "TB flush count %d\n", tcg_ctx.tb_ctx.tb_flush_count);
1777 cpu_fprintf(f, "TB invalidate count %d\n",
1778 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1779 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1780 tcg_dump_info(f, cpu_fprintf);
1783 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1785 tcg_dump_op_count(f, cpu_fprintf);
1788 #else /* CONFIG_USER_ONLY */
1790 void cpu_interrupt(CPUState *cpu, int mask)
1792 cpu->interrupt_request |= mask;
1793 cpu->tcg_exit_req = 1;
1797 * Walks guest process memory "regions" one by one
1798 * and calls callback function 'fn' for each region.
1800 struct walk_memory_regions_data {
1801 walk_memory_regions_fn fn;
1807 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1808 target_ulong end, int new_prot)
1810 if (data->start != -1u) {
1811 int rc = data->fn(data->priv, data->start, end, data->prot);
1817 data->start = (new_prot ? end : -1u);
1818 data->prot = new_prot;
1823 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1824 target_ulong base, int level, void **lp)
1830 return walk_memory_regions_end(data, base, 0);
1836 for (i = 0; i < V_L2_SIZE; ++i) {
1837 int prot = pd[i].flags;
1839 pa = base | (i << TARGET_PAGE_BITS);
1840 if (prot != data->prot) {
1841 rc = walk_memory_regions_end(data, pa, prot);
1850 for (i = 0; i < V_L2_SIZE; ++i) {
1851 pa = base | ((target_ulong)i <<
1852 (TARGET_PAGE_BITS + V_L2_BITS * level));
1853 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
1863 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
1865 struct walk_memory_regions_data data;
1873 for (i = 0; i < V_L1_SIZE; i++) {
1874 int rc = walk_memory_regions_1(&data, (target_ulong)i << (V_L1_SHIFT + TARGET_PAGE_BITS),
1875 V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
1881 return walk_memory_regions_end(&data, 0, 0);
1884 static int dump_region(void *priv, target_ulong start,
1885 target_ulong end, unsigned long prot)
1887 FILE *f = (FILE *)priv;
1889 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
1890 " "TARGET_FMT_lx" %c%c%c\n",
1891 start, end, end - start,
1892 ((prot & PAGE_READ) ? 'r' : '-'),
1893 ((prot & PAGE_WRITE) ? 'w' : '-'),
1894 ((prot & PAGE_EXEC) ? 'x' : '-'));
1899 /* dump memory mappings */
1900 void page_dump(FILE *f)
1902 const int length = sizeof(target_ulong) * 2;
1903 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
1904 length, "start", length, "end", length, "size", "prot");
1905 walk_memory_regions(f, dump_region);
1908 int page_get_flags(target_ulong address)
1912 p = page_find(address >> TARGET_PAGE_BITS);
1919 /* Modify the flags of a page and invalidate the code if necessary.
1920 The flag PAGE_WRITE_ORG is positioned automatically depending
1921 on PAGE_WRITE. The mmap_lock should already be held. */
1922 void page_set_flags(target_ulong start, target_ulong end, int flags)
1924 target_ulong addr, len;
1926 /* This function should never be called with addresses outside the
1927 guest address space. If this assert fires, it probably indicates
1928 a missing call to h2g_valid. */
1929 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1930 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1932 assert(start < end);
1934 start = start & TARGET_PAGE_MASK;
1935 end = TARGET_PAGE_ALIGN(end);
1937 if (flags & PAGE_WRITE) {
1938 flags |= PAGE_WRITE_ORG;
1941 for (addr = start, len = end - start;
1943 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1944 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
1946 /* If the write protection bit is set, then we invalidate
1948 if (!(p->flags & PAGE_WRITE) &&
1949 (flags & PAGE_WRITE) &&
1951 tb_invalidate_phys_page(addr, 0);
1957 int page_check_range(target_ulong start, target_ulong len, int flags)
1963 /* This function should never be called with addresses outside the
1964 guest address space. If this assert fires, it probably indicates
1965 a missing call to h2g_valid. */
1966 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1967 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1973 if (start + len - 1 < start) {
1974 /* We've wrapped around. */
1978 /* must do before we loose bits in the next step */
1979 end = TARGET_PAGE_ALIGN(start + len);
1980 start = start & TARGET_PAGE_MASK;
1982 for (addr = start, len = end - start;
1984 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1985 p = page_find(addr >> TARGET_PAGE_BITS);
1989 if (!(p->flags & PAGE_VALID)) {
1993 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
1996 if (flags & PAGE_WRITE) {
1997 if (!(p->flags & PAGE_WRITE_ORG)) {
2000 /* unprotect the page if it was put read-only because it
2001 contains translated code */
2002 if (!(p->flags & PAGE_WRITE)) {
2003 if (!page_unprotect(addr, 0)) {
2012 /* called from signal handler: invalidate the code and unprotect the
2013 * page. Return 0 if the fault was not handled, 1 if it was handled,
2014 * and 2 if it was handled but the caller must cause the TB to be
2015 * immediately exited. (We can only return 2 if the 'pc' argument is
2018 int page_unprotect(target_ulong address, uintptr_t pc)
2021 bool current_tb_invalidated;
2023 target_ulong host_start, host_end, addr;
2025 /* Technically this isn't safe inside a signal handler. However we
2026 know this only ever happens in a synchronous SEGV handler, so in
2027 practice it seems to be ok. */
2030 p = page_find(address >> TARGET_PAGE_BITS);
2036 /* if the page was really writable, then we change its
2037 protection back to writable */
2038 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
2039 host_start = address & qemu_host_page_mask;
2040 host_end = host_start + qemu_host_page_size;
2043 current_tb_invalidated = false;
2044 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
2045 p = page_find(addr >> TARGET_PAGE_BITS);
2046 p->flags |= PAGE_WRITE;
2049 /* and since the content will be modified, we must invalidate
2050 the corresponding translated code. */
2051 current_tb_invalidated |= tb_invalidate_phys_page(addr, pc);
2052 #ifdef DEBUG_TB_CHECK
2053 tb_invalidate_check(addr);
2056 mprotect((void *)g2h(host_start), qemu_host_page_size,
2060 /* If current TB was invalidated return to main loop */
2061 return current_tb_invalidated ? 2 : 1;
2066 #endif /* CONFIG_USER_ONLY */
projects / qemu.git / blob