4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
22 #include "qemu/osdep.h"
25 #include "qemu-common.h"
26 #define NO_CPU_IO_DEFS
29 #include "disas/disas.h"
30 #include "exec/exec-all.h"
32 #if defined(CONFIG_USER_ONLY)
34 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
35 #include <sys/param.h>
36 #if __FreeBSD_version >= 700104
37 #define HAVE_KINFO_GETVMMAP
38 #define sigqueue sigqueue_freebsd /* avoid redefinition */
40 #include <machine/profile.h>
49 #include "exec/address-spaces.h"
52 #include "exec/cputlb.h"
53 #include "exec/tb-hash.h"
54 #include "translate-all.h"
55 #include "qemu/bitmap.h"
56 #include "qemu/timer.h"
59 //#define DEBUG_TB_INVALIDATE
61 /* make various TB consistency checks */
62 //#define DEBUG_TB_CHECK
64 #if !defined(CONFIG_USER_ONLY)
65 /* TB consistency checks only implemented for usermode emulation. */
69 #define SMC_BITMAP_USE_THRESHOLD 10
71 typedef struct PageDesc {
72 /* list of TBs intersecting this ram page */
73 TranslationBlock *first_tb;
75 /* in order to optimize self modifying code, we count the number
76 of lookups we do to a given page to use a bitmap */
77 unsigned int code_write_count;
78 unsigned long *code_bitmap;
84 /* In system mode we want L1_MAP to be based on ram offsets,
85 while in user mode we want it to be based on virtual addresses. */
86 #if !defined(CONFIG_USER_ONLY)
87 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
88 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
90 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
93 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
96 /* Size of the L2 (and L3, etc) page tables. */
98 #define V_L2_SIZE (1 << V_L2_BITS)
100 /* The bits remaining after N lower levels of page tables. */
101 #define V_L1_BITS_REM \
102 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS)
104 #if V_L1_BITS_REM < 4
105 #define V_L1_BITS (V_L1_BITS_REM + V_L2_BITS)
107 #define V_L1_BITS V_L1_BITS_REM
110 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
112 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
114 uintptr_t qemu_host_page_size;
115 intptr_t qemu_host_page_mask;
117 /* The bottom level has pointers to PageDesc */
118 static void *l1_map[V_L1_SIZE];
120 /* code generation context */
123 /* translation block context */
124 #ifdef CONFIG_USER_ONLY
125 __thread int have_tb_lock;
130 #ifdef CONFIG_USER_ONLY
131 assert(!have_tb_lock);
132 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
139 #ifdef CONFIG_USER_ONLY
140 assert(have_tb_lock);
142 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
146 void tb_lock_reset(void)
148 #ifdef CONFIG_USER_ONLY
150 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
156 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
158 void cpu_gen_init(void)
160 tcg_context_init(&tcg_ctx);
163 /* Encode VAL as a signed leb128 sequence at P.
164 Return P incremented past the encoded value. */
165 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
172 more = !((val == 0 && (byte & 0x40) == 0)
173 || (val == -1 && (byte & 0x40) != 0));
183 /* Decode a signed leb128 sequence at *PP; increment *PP past the
184 decoded value. Return the decoded value. */
185 static target_long decode_sleb128(uint8_t **pp)
193 val |= (target_ulong)(byte & 0x7f) << shift;
195 } while (byte & 0x80);
196 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
197 val |= -(target_ulong)1 << shift;
204 /* Encode the data collected about the instructions while compiling TB.
205 Place the data at BLOCK, and return the number of bytes consumed.
207 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's,
208 which come from the target's insn_start data, followed by a uintptr_t
209 which comes from the host pc of the end of the code implementing the insn.
211 Each line of the table is encoded as sleb128 deltas from the previous
212 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
213 That is, the first column is seeded with the guest pc, the last column
214 with the host pc, and the middle columns with zeros. */
216 static int encode_search(TranslationBlock *tb, uint8_t *block)
218 uint8_t *highwater = tcg_ctx.code_gen_highwater;
222 tb->tc_search = block;
224 for (i = 0, n = tb->icount; i < n; ++i) {
227 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
229 prev = (j == 0 ? tb->pc : 0);
231 prev = tcg_ctx.gen_insn_data[i - 1][j];
233 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
235 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
236 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
238 /* Test for (pending) buffer overflow. The assumption is that any
239 one row beginning below the high water mark cannot overrun
240 the buffer completely. Thus we can test for overflow after
241 encoding a row without having to check during encoding. */
242 if (unlikely(p > highwater)) {
250 /* The cpu state corresponding to 'searched_pc' is restored. */
251 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
252 uintptr_t searched_pc)
254 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
255 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
256 CPUArchState *env = cpu->env_ptr;
257 uint8_t *p = tb->tc_search;
258 int i, j, num_insns = tb->icount;
259 #ifdef CONFIG_PROFILER
260 int64_t ti = profile_getclock();
263 if (searched_pc < host_pc) {
267 /* Reconstruct the stored insn data while looking for the point at
268 which the end of the insn exceeds the searched_pc. */
269 for (i = 0; i < num_insns; ++i) {
270 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
271 data[j] += decode_sleb128(&p);
273 host_pc += decode_sleb128(&p);
274 if (host_pc > searched_pc) {
281 if (tb->cflags & CF_USE_ICOUNT) {
283 /* Reset the cycle counter to the start of the block. */
284 cpu->icount_decr.u16.low += num_insns;
285 /* Clear the IO flag. */
288 cpu->icount_decr.u16.low -= i;
289 restore_state_to_opc(env, tb, data);
291 #ifdef CONFIG_PROFILER
292 tcg_ctx.restore_time += profile_getclock() - ti;
293 tcg_ctx.restore_count++;
298 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
300 TranslationBlock *tb;
302 tb = tb_find_pc(retaddr);
304 cpu_restore_state_from_tb(cpu, tb, retaddr);
305 if (tb->cflags & CF_NOCACHE) {
306 /* one-shot translation, invalidate it immediately */
307 tb_phys_invalidate(tb, -1);
315 void page_size_init(void)
317 /* NOTE: we can always suppose that qemu_host_page_size >=
319 qemu_real_host_page_size = getpagesize();
320 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
321 if (qemu_host_page_size == 0) {
322 qemu_host_page_size = qemu_real_host_page_size;
324 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
325 qemu_host_page_size = TARGET_PAGE_SIZE;
327 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
330 static void page_init(void)
333 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
335 #ifdef HAVE_KINFO_GETVMMAP
336 struct kinfo_vmentry *freep;
339 freep = kinfo_getvmmap(getpid(), &cnt);
342 for (i = 0; i < cnt; i++) {
343 unsigned long startaddr, endaddr;
345 startaddr = freep[i].kve_start;
346 endaddr = freep[i].kve_end;
347 if (h2g_valid(startaddr)) {
348 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
350 if (h2g_valid(endaddr)) {
351 endaddr = h2g(endaddr);
352 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
354 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
356 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
367 last_brk = (unsigned long)sbrk(0);
369 f = fopen("/compat/linux/proc/self/maps", "r");
374 unsigned long startaddr, endaddr;
377 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
379 if (n == 2 && h2g_valid(startaddr)) {
380 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
382 if (h2g_valid(endaddr)) {
383 endaddr = h2g(endaddr);
387 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
400 * Called with mmap_lock held for user-mode emulation.
402 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
408 /* Level 1. Always allocated. */
409 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
412 for (i = V_L1_SHIFT / V_L2_BITS - 1; i > 0; i--) {
413 void **p = atomic_rcu_read(lp);
419 p = g_new0(void *, V_L2_SIZE);
420 atomic_rcu_set(lp, p);
423 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
426 pd = atomic_rcu_read(lp);
431 pd = g_new0(PageDesc, V_L2_SIZE);
432 atomic_rcu_set(lp, pd);
435 return pd + (index & (V_L2_SIZE - 1));
438 static inline PageDesc *page_find(tb_page_addr_t index)
440 return page_find_alloc(index, 0);
443 #if defined(CONFIG_USER_ONLY)
444 /* Currently it is not recommended to allocate big chunks of data in
445 user mode. It will change when a dedicated libc will be used. */
446 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
447 region in which the guest needs to run. Revisit this. */
448 #define USE_STATIC_CODE_GEN_BUFFER
451 /* Minimum size of the code gen buffer. This number is randomly chosen,
452 but not so small that we can't have a fair number of TB's live. */
453 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
455 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
456 indicated, this is constrained by the range of direct branches on the
457 host cpu, as used by the TCG implementation of goto_tb. */
458 #if defined(__x86_64__)
459 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
460 #elif defined(__sparc__)
461 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
462 #elif defined(__powerpc64__)
463 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
464 #elif defined(__powerpc__)
465 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024)
466 #elif defined(__aarch64__)
467 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
468 #elif defined(__arm__)
469 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
470 #elif defined(__s390x__)
471 /* We have a +- 4GB range on the branches; leave some slop. */
472 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
473 #elif defined(__mips__)
474 /* We have a 256MB branch region, but leave room to make sure the
475 main executable is also within that region. */
476 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
478 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
481 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
483 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
484 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
485 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
487 static inline size_t size_code_gen_buffer(size_t tb_size)
489 /* Size the buffer. */
491 #ifdef USE_STATIC_CODE_GEN_BUFFER
492 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
494 /* ??? Needs adjustments. */
495 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
496 static buffer, we could size this on RESERVED_VA, on the text
497 segment size of the executable, or continue to use the default. */
498 tb_size = (unsigned long)(ram_size / 4);
501 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
502 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
504 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
505 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
511 /* In order to use J and JAL within the code_gen_buffer, we require
512 that the buffer not cross a 256MB boundary. */
513 static inline bool cross_256mb(void *addr, size_t size)
515 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
518 /* We weren't able to allocate a buffer without crossing that boundary,
519 so make do with the larger portion of the buffer that doesn't cross.
520 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
521 static inline void *split_cross_256mb(void *buf1, size_t size1)
523 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
524 size_t size2 = buf1 + size1 - buf2;
532 tcg_ctx.code_gen_buffer_size = size1;
537 #ifdef USE_STATIC_CODE_GEN_BUFFER
538 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
539 __attribute__((aligned(CODE_GEN_ALIGN)));
542 static inline void do_protect(void *addr, long size, int prot)
545 VirtualProtect(addr, size, prot, &old_protect);
548 static inline void map_exec(void *addr, long size)
550 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
553 static inline void map_none(void *addr, long size)
555 do_protect(addr, size, PAGE_NOACCESS);
558 static inline void do_protect(void *addr, long size, int prot)
560 uintptr_t start, end;
562 start = (uintptr_t)addr;
563 start &= qemu_real_host_page_mask;
565 end = (uintptr_t)addr + size;
566 end = ROUND_UP(end, qemu_real_host_page_size);
568 mprotect((void *)start, end - start, prot);
571 static inline void map_exec(void *addr, long size)
573 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
576 static inline void map_none(void *addr, long size)
578 do_protect(addr, size, PROT_NONE);
582 static inline void *alloc_code_gen_buffer(void)
584 void *buf = static_code_gen_buffer;
585 size_t full_size, size;
587 /* The size of the buffer, rounded down to end on a page boundary. */
588 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
589 & qemu_real_host_page_mask) - (uintptr_t)buf;
591 /* Reserve a guard page. */
592 size = full_size - qemu_real_host_page_size;
594 /* Honor a command-line option limiting the size of the buffer. */
595 if (size > tcg_ctx.code_gen_buffer_size) {
596 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
597 & qemu_real_host_page_mask) - (uintptr_t)buf;
599 tcg_ctx.code_gen_buffer_size = size;
602 if (cross_256mb(buf, size)) {
603 buf = split_cross_256mb(buf, size);
604 size = tcg_ctx.code_gen_buffer_size;
609 map_none(buf + size, qemu_real_host_page_size);
610 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
614 #elif defined(_WIN32)
615 static inline void *alloc_code_gen_buffer(void)
617 size_t size = tcg_ctx.code_gen_buffer_size;
620 /* Perform the allocation in two steps, so that the guard page
621 is reserved but uncommitted. */
622 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
623 MEM_RESERVE, PAGE_NOACCESS);
625 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
626 assert(buf1 == buf2);
632 static inline void *alloc_code_gen_buffer(void)
634 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
636 size_t size = tcg_ctx.code_gen_buffer_size;
639 /* Constrain the position of the buffer based on the host cpu.
640 Note that these addresses are chosen in concert with the
641 addresses assigned in the relevant linker script file. */
642 # if defined(__PIE__) || defined(__PIC__)
643 /* Don't bother setting a preferred location if we're building
644 a position-independent executable. We're more likely to get
645 an address near the main executable if we let the kernel
646 choose the address. */
647 # elif defined(__x86_64__) && defined(MAP_32BIT)
648 /* Force the memory down into low memory with the executable.
649 Leave the choice of exact location with the kernel. */
651 /* Cannot expect to map more than 800MB in low memory. */
652 if (size > 800u * 1024 * 1024) {
653 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
655 # elif defined(__sparc__)
656 start = 0x40000000ul;
657 # elif defined(__s390x__)
658 start = 0x90000000ul;
659 # elif defined(__mips__)
660 # if _MIPS_SIM == _ABI64
661 start = 0x128000000ul;
663 start = 0x08000000ul;
667 buf = mmap((void *)start, size + qemu_real_host_page_size,
668 PROT_NONE, flags, -1, 0);
669 if (buf == MAP_FAILED) {
674 if (cross_256mb(buf, size)) {
675 /* Try again, with the original still mapped, to avoid re-acquiring
676 that 256mb crossing. This time don't specify an address. */
678 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
679 PROT_NONE, flags, -1, 0);
680 switch (buf2 != MAP_FAILED) {
682 if (!cross_256mb(buf2, size)) {
683 /* Success! Use the new buffer. */
684 munmap(buf, size + qemu_real_host_page_size);
687 /* Failure. Work with what we had. */
688 munmap(buf2, size + qemu_real_host_page_size);
691 /* Split the original buffer. Free the smaller half. */
692 buf2 = split_cross_256mb(buf, size);
693 size2 = tcg_ctx.code_gen_buffer_size;
695 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
697 munmap(buf, size - size2);
706 /* Make the final buffer accessible. The guard page at the end
707 will remain inaccessible with PROT_NONE. */
708 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
710 /* Request large pages for the buffer. */
711 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
715 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
717 static inline void code_gen_alloc(size_t tb_size)
719 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
720 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
721 if (tcg_ctx.code_gen_buffer == NULL) {
722 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
726 /* Estimate a good size for the number of TBs we can support. We
727 still haven't deducted the prologue from the buffer size here,
728 but that's minimal and won't affect the estimate much. */
729 tcg_ctx.code_gen_max_blocks
730 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
731 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
733 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
736 static void tb_htable_init(void)
738 unsigned int mode = QHT_MODE_AUTO_RESIZE;
740 qht_init(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode);
743 /* Must be called before using the QEMU cpus. 'tb_size' is the size
744 (in bytes) allocated to the translation buffer. Zero means default
746 void tcg_exec_init(unsigned long tb_size)
751 code_gen_alloc(tb_size);
752 #if defined(CONFIG_SOFTMMU)
753 /* There's no guest base to take into account, so go ahead and
754 initialize the prologue now. */
755 tcg_prologue_init(&tcg_ctx);
759 bool tcg_enabled(void)
761 return tcg_ctx.code_gen_buffer != NULL;
764 /* Allocate a new translation block. Flush the translation buffer if
765 too many translation blocks or too much generated code. */
766 static TranslationBlock *tb_alloc(target_ulong pc)
768 TranslationBlock *tb;
770 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
773 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
779 void tb_free(TranslationBlock *tb)
781 /* In practice this is mostly used for single use temporary TB
782 Ignore the hard cases and just back up if this TB happens to
783 be the last one generated. */
784 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
785 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
786 tcg_ctx.code_gen_ptr = tb->tc_ptr;
787 tcg_ctx.tb_ctx.nb_tbs--;
791 static inline void invalidate_page_bitmap(PageDesc *p)
793 #ifdef CONFIG_SOFTMMU
794 g_free(p->code_bitmap);
795 p->code_bitmap = NULL;
796 p->code_write_count = 0;
800 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
801 static void page_flush_tb_1(int level, void **lp)
811 for (i = 0; i < V_L2_SIZE; ++i) {
812 pd[i].first_tb = NULL;
813 invalidate_page_bitmap(pd + i);
818 for (i = 0; i < V_L2_SIZE; ++i) {
819 page_flush_tb_1(level - 1, pp + i);
824 static void page_flush_tb(void)
828 for (i = 0; i < V_L1_SIZE; i++) {
829 page_flush_tb_1(V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
833 /* flush all the translation blocks */
834 /* XXX: tb_flush is currently not thread safe */
835 void tb_flush(CPUState *cpu)
837 #if defined(DEBUG_FLUSH)
838 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
839 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
840 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
841 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
842 tcg_ctx.tb_ctx.nb_tbs : 0);
844 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
845 > tcg_ctx.code_gen_buffer_size) {
846 cpu_abort(cpu, "Internal error: code buffer overflow\n");
848 tcg_ctx.tb_ctx.nb_tbs = 0;
851 memset(cpu->tb_jmp_cache, 0, sizeof(cpu->tb_jmp_cache));
852 cpu->tb_flushed = true;
855 qht_reset_size(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE);
858 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
859 /* XXX: flush processor icache at this point if cache flush is
861 tcg_ctx.tb_ctx.tb_flush_count++;
864 #ifdef DEBUG_TB_CHECK
867 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp)
869 TranslationBlock *tb = p;
870 target_ulong addr = *(target_ulong *)userp;
872 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) {
873 printf("ERROR invalidate: address=" TARGET_FMT_lx
874 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size);
878 static void tb_invalidate_check(target_ulong address)
880 address &= TARGET_PAGE_MASK;
881 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_invalidate_check, &address);
885 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp)
887 TranslationBlock *tb = p;
890 flags1 = page_get_flags(tb->pc);
891 flags2 = page_get_flags(tb->pc + tb->size - 1);
892 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
893 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
894 (long)tb->pc, tb->size, flags1, flags2);
898 /* verify that all the pages have correct rights for code */
899 static void tb_page_check(void)
901 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_page_check, NULL);
906 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
908 TranslationBlock *tb1;
913 n1 = (uintptr_t)tb1 & 3;
914 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
916 *ptb = tb1->page_next[n1];
919 ptb = &tb1->page_next[n1];
923 /* remove the TB from a list of TBs jumping to the n-th jump target of the TB */
924 static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n)
926 TranslationBlock *tb1;
930 ptb = &tb->jmp_list_next[n];
932 /* find tb(n) in circular list */
936 tb1 = (TranslationBlock *)(ntb & ~3);
937 if (n1 == n && tb1 == tb) {
941 ptb = &tb1->jmp_list_first;
943 ptb = &tb1->jmp_list_next[n1];
946 /* now we can suppress tb(n) from the list */
947 *ptb = tb->jmp_list_next[n];
949 tb->jmp_list_next[n] = (uintptr_t)NULL;
953 /* reset the jump entry 'n' of a TB so that it is not chained to
955 static inline void tb_reset_jump(TranslationBlock *tb, int n)
957 uintptr_t addr = (uintptr_t)(tb->tc_ptr + tb->jmp_reset_offset[n]);
958 tb_set_jmp_target(tb, n, addr);
961 /* remove any jumps to the TB */
962 static inline void tb_jmp_unlink(TranslationBlock *tb)
964 TranslationBlock *tb1;
968 ptb = &tb->jmp_list_first;
972 tb1 = (TranslationBlock *)(ntb & ~3);
976 tb_reset_jump(tb1, n1);
977 *ptb = tb1->jmp_list_next[n1];
978 tb1->jmp_list_next[n1] = (uintptr_t)NULL;
982 /* invalidate one TB */
983 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
988 tb_page_addr_t phys_pc;
990 /* remove the TB from the hash list */
991 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
992 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
993 qht_remove(&tcg_ctx.tb_ctx.htable, tb, h);
995 /* remove the TB from the page list */
996 if (tb->page_addr[0] != page_addr) {
997 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
998 tb_page_remove(&p->first_tb, tb);
999 invalidate_page_bitmap(p);
1001 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
1002 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
1003 tb_page_remove(&p->first_tb, tb);
1004 invalidate_page_bitmap(p);
1007 /* remove the TB from the hash list */
1008 h = tb_jmp_cache_hash_func(tb->pc);
1010 if (cpu->tb_jmp_cache[h] == tb) {
1011 cpu->tb_jmp_cache[h] = NULL;
1015 /* suppress this TB from the two jump lists */
1016 tb_remove_from_jmp_list(tb, 0);
1017 tb_remove_from_jmp_list(tb, 1);
1019 /* suppress any remaining jumps to this TB */
1022 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1025 #ifdef CONFIG_SOFTMMU
1026 static void build_page_bitmap(PageDesc *p)
1028 int n, tb_start, tb_end;
1029 TranslationBlock *tb;
1031 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1034 while (tb != NULL) {
1035 n = (uintptr_t)tb & 3;
1036 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1037 /* NOTE: this is subtle as a TB may span two physical pages */
1039 /* NOTE: tb_end may be after the end of the page, but
1040 it is not a problem */
1041 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1042 tb_end = tb_start + tb->size;
1043 if (tb_end > TARGET_PAGE_SIZE) {
1044 tb_end = TARGET_PAGE_SIZE;
1048 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1050 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1051 tb = tb->page_next[n];
1056 /* add the tb in the target page and protect it if necessary
1058 * Called with mmap_lock held for user-mode emulation.
1060 static inline void tb_alloc_page(TranslationBlock *tb,
1061 unsigned int n, tb_page_addr_t page_addr)
1064 #ifndef CONFIG_USER_ONLY
1065 bool page_already_protected;
1068 tb->page_addr[n] = page_addr;
1069 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1070 tb->page_next[n] = p->first_tb;
1071 #ifndef CONFIG_USER_ONLY
1072 page_already_protected = p->first_tb != NULL;
1074 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1075 invalidate_page_bitmap(p);
1077 #if defined(CONFIG_USER_ONLY)
1078 if (p->flags & PAGE_WRITE) {
1083 /* force the host page as non writable (writes will have a
1084 page fault + mprotect overhead) */
1085 page_addr &= qemu_host_page_mask;
1087 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1088 addr += TARGET_PAGE_SIZE) {
1090 p2 = page_find(addr >> TARGET_PAGE_BITS);
1095 p2->flags &= ~PAGE_WRITE;
1097 mprotect(g2h(page_addr), qemu_host_page_size,
1098 (prot & PAGE_BITS) & ~PAGE_WRITE);
1099 #ifdef DEBUG_TB_INVALIDATE
1100 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1105 /* if some code is already present, then the pages are already
1106 protected. So we handle the case where only the first TB is
1107 allocated in a physical page */
1108 if (!page_already_protected) {
1109 tlb_protect_code(page_addr);
1114 /* add a new TB and link it to the physical page tables. phys_page2 is
1115 * (-1) to indicate that only one page contains the TB.
1117 * Called with mmap_lock held for user-mode emulation.
1119 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1120 tb_page_addr_t phys_page2)
1124 /* add in the hash table */
1125 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
1126 qht_insert(&tcg_ctx.tb_ctx.htable, tb, h);
1128 /* add in the page list */
1129 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1130 if (phys_page2 != -1) {
1131 tb_alloc_page(tb, 1, phys_page2);
1133 tb->page_addr[1] = -1;
1136 #ifdef DEBUG_TB_CHECK
1141 /* Called with mmap_lock held for user mode emulation. */
1142 TranslationBlock *tb_gen_code(CPUState *cpu,
1143 target_ulong pc, target_ulong cs_base,
1144 uint32_t flags, int cflags)
1146 CPUArchState *env = cpu->env_ptr;
1147 TranslationBlock *tb;
1148 tb_page_addr_t phys_pc, phys_page2;
1149 target_ulong virt_page2;
1150 tcg_insn_unit *gen_code_buf;
1151 int gen_code_size, search_size;
1152 #ifdef CONFIG_PROFILER
1156 phys_pc = get_page_addr_code(env, pc);
1157 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1158 cflags |= CF_USE_ICOUNT;
1162 if (unlikely(!tb)) {
1164 /* flush must be done */
1166 /* cannot fail at this point */
1171 gen_code_buf = tcg_ctx.code_gen_ptr;
1172 tb->tc_ptr = gen_code_buf;
1173 tb->cs_base = cs_base;
1175 tb->cflags = cflags;
1177 #ifdef CONFIG_PROFILER
1178 tcg_ctx.tb_count1++; /* includes aborted translations because of
1180 ti = profile_getclock();
1183 tcg_func_start(&tcg_ctx);
1185 gen_intermediate_code(env, tb);
1187 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1189 /* generate machine code */
1190 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
1191 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
1192 tcg_ctx.tb_jmp_reset_offset = tb->jmp_reset_offset;
1193 #ifdef USE_DIRECT_JUMP
1194 tcg_ctx.tb_jmp_insn_offset = tb->jmp_insn_offset;
1195 tcg_ctx.tb_jmp_target_addr = NULL;
1197 tcg_ctx.tb_jmp_insn_offset = NULL;
1198 tcg_ctx.tb_jmp_target_addr = tb->jmp_target_addr;
1201 #ifdef CONFIG_PROFILER
1203 tcg_ctx.interm_time += profile_getclock() - ti;
1204 tcg_ctx.code_time -= profile_getclock();
1207 /* ??? Overflow could be handled better here. In particular, we
1208 don't need to re-do gen_intermediate_code, nor should we re-do
1209 the tcg optimization currently hidden inside tcg_gen_code. All
1210 that should be required is to flush the TBs, allocate a new TB,
1211 re-initialize it per above, and re-do the actual code generation. */
1212 gen_code_size = tcg_gen_code(&tcg_ctx, tb);
1213 if (unlikely(gen_code_size < 0)) {
1214 goto buffer_overflow;
1216 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1217 if (unlikely(search_size < 0)) {
1218 goto buffer_overflow;
1221 #ifdef CONFIG_PROFILER
1222 tcg_ctx.code_time += profile_getclock();
1223 tcg_ctx.code_in_len += tb->size;
1224 tcg_ctx.code_out_len += gen_code_size;
1225 tcg_ctx.search_out_len += search_size;
1229 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) &&
1230 qemu_log_in_addr_range(tb->pc)) {
1231 qemu_log("OUT: [size=%d]\n", gen_code_size);
1232 log_disas(tb->tc_ptr, gen_code_size);
1238 tcg_ctx.code_gen_ptr = (void *)
1239 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1242 /* init jump list */
1243 assert(((uintptr_t)tb & 3) == 0);
1244 tb->jmp_list_first = (uintptr_t)tb | 2;
1245 tb->jmp_list_next[0] = (uintptr_t)NULL;
1246 tb->jmp_list_next[1] = (uintptr_t)NULL;
1248 /* init original jump addresses wich has been set during tcg_gen_code() */
1249 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1250 tb_reset_jump(tb, 0);
1252 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1253 tb_reset_jump(tb, 1);
1256 /* check next page if needed */
1257 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1259 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1260 phys_page2 = get_page_addr_code(env, virt_page2);
1262 /* As long as consistency of the TB stuff is provided by tb_lock in user
1263 * mode and is implicit in single-threaded softmmu emulation, no explicit
1264 * memory barrier is required before tb_link_page() makes the TB visible
1265 * through the physical hash table and physical page list.
1267 tb_link_page(tb, phys_pc, phys_page2);
1272 * Invalidate all TBs which intersect with the target physical address range
1273 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1274 * 'is_cpu_write_access' should be true if called from a real cpu write
1275 * access: the virtual CPU will exit the current TB if code is modified inside
1278 * Called with mmap_lock held for user-mode emulation
1280 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1282 while (start < end) {
1283 tb_invalidate_phys_page_range(start, end, 0);
1284 start &= TARGET_PAGE_MASK;
1285 start += TARGET_PAGE_SIZE;
1290 * Invalidate all TBs which intersect with the target physical address range
1291 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1292 * 'is_cpu_write_access' should be true if called from a real cpu write
1293 * access: the virtual CPU will exit the current TB if code is modified inside
1296 * Called with mmap_lock held for user-mode emulation
1298 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1299 int is_cpu_write_access)
1301 TranslationBlock *tb, *tb_next;
1302 #if defined(TARGET_HAS_PRECISE_SMC)
1303 CPUState *cpu = current_cpu;
1304 CPUArchState *env = NULL;
1306 tb_page_addr_t tb_start, tb_end;
1309 #ifdef TARGET_HAS_PRECISE_SMC
1310 int current_tb_not_found = is_cpu_write_access;
1311 TranslationBlock *current_tb = NULL;
1312 int current_tb_modified = 0;
1313 target_ulong current_pc = 0;
1314 target_ulong current_cs_base = 0;
1315 uint32_t current_flags = 0;
1316 #endif /* TARGET_HAS_PRECISE_SMC */
1318 p = page_find(start >> TARGET_PAGE_BITS);
1322 #if defined(TARGET_HAS_PRECISE_SMC)
1328 /* we remove all the TBs in the range [start, end[ */
1329 /* XXX: see if in some cases it could be faster to invalidate all
1332 while (tb != NULL) {
1333 n = (uintptr_t)tb & 3;
1334 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1335 tb_next = tb->page_next[n];
1336 /* NOTE: this is subtle as a TB may span two physical pages */
1338 /* NOTE: tb_end may be after the end of the page, but
1339 it is not a problem */
1340 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1341 tb_end = tb_start + tb->size;
1343 tb_start = tb->page_addr[1];
1344 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1346 if (!(tb_end <= start || tb_start >= end)) {
1347 #ifdef TARGET_HAS_PRECISE_SMC
1348 if (current_tb_not_found) {
1349 current_tb_not_found = 0;
1351 if (cpu->mem_io_pc) {
1352 /* now we have a real cpu fault */
1353 current_tb = tb_find_pc(cpu->mem_io_pc);
1356 if (current_tb == tb &&
1357 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1358 /* If we are modifying the current TB, we must stop
1359 its execution. We could be more precise by checking
1360 that the modification is after the current PC, but it
1361 would require a specialized function to partially
1362 restore the CPU state */
1364 current_tb_modified = 1;
1365 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1366 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1369 #endif /* TARGET_HAS_PRECISE_SMC */
1370 tb_phys_invalidate(tb, -1);
1374 #if !defined(CONFIG_USER_ONLY)
1375 /* if no code remaining, no need to continue to use slow writes */
1377 invalidate_page_bitmap(p);
1378 tlb_unprotect_code(start);
1381 #ifdef TARGET_HAS_PRECISE_SMC
1382 if (current_tb_modified) {
1383 /* we generate a block containing just the instruction
1384 modifying the memory. It will ensure that it cannot modify
1386 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1387 cpu_loop_exit_noexc(cpu);
1392 #ifdef CONFIG_SOFTMMU
1393 /* len must be <= 8 and start must be a multiple of len */
1394 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1400 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1401 cpu_single_env->mem_io_vaddr, len,
1402 cpu_single_env->eip,
1403 cpu_single_env->eip +
1404 (intptr_t)cpu_single_env->segs[R_CS].base);
1407 p = page_find(start >> TARGET_PAGE_BITS);
1411 if (!p->code_bitmap &&
1412 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1413 /* build code bitmap */
1414 build_page_bitmap(p);
1416 if (p->code_bitmap) {
1420 nr = start & ~TARGET_PAGE_MASK;
1421 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1422 if (b & ((1 << len) - 1)) {
1427 tb_invalidate_phys_page_range(start, start + len, 1);
1431 /* Called with mmap_lock held. If pc is not 0 then it indicates the
1432 * host PC of the faulting store instruction that caused this invalidate.
1433 * Returns true if the caller needs to abort execution of the current
1434 * TB (because it was modified by this store and the guest CPU has
1435 * precise-SMC semantics).
1437 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
1439 TranslationBlock *tb;
1442 #ifdef TARGET_HAS_PRECISE_SMC
1443 TranslationBlock *current_tb = NULL;
1444 CPUState *cpu = current_cpu;
1445 CPUArchState *env = NULL;
1446 int current_tb_modified = 0;
1447 target_ulong current_pc = 0;
1448 target_ulong current_cs_base = 0;
1449 uint32_t current_flags = 0;
1452 addr &= TARGET_PAGE_MASK;
1453 p = page_find(addr >> TARGET_PAGE_BITS);
1458 #ifdef TARGET_HAS_PRECISE_SMC
1459 if (tb && pc != 0) {
1460 current_tb = tb_find_pc(pc);
1466 while (tb != NULL) {
1467 n = (uintptr_t)tb & 3;
1468 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1469 #ifdef TARGET_HAS_PRECISE_SMC
1470 if (current_tb == tb &&
1471 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1472 /* If we are modifying the current TB, we must stop
1473 its execution. We could be more precise by checking
1474 that the modification is after the current PC, but it
1475 would require a specialized function to partially
1476 restore the CPU state */
1478 current_tb_modified = 1;
1479 cpu_restore_state_from_tb(cpu, current_tb, pc);
1480 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1483 #endif /* TARGET_HAS_PRECISE_SMC */
1484 tb_phys_invalidate(tb, addr);
1485 tb = tb->page_next[n];
1488 #ifdef TARGET_HAS_PRECISE_SMC
1489 if (current_tb_modified) {
1490 /* we generate a block containing just the instruction
1491 modifying the memory. It will ensure that it cannot modify
1493 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1501 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1502 tb[1].tc_ptr. Return NULL if not found */
1503 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1505 int m_min, m_max, m;
1507 TranslationBlock *tb;
1509 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1512 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1513 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1516 /* binary search (cf Knuth) */
1518 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1519 while (m_min <= m_max) {
1520 m = (m_min + m_max) >> 1;
1521 tb = &tcg_ctx.tb_ctx.tbs[m];
1522 v = (uintptr_t)tb->tc_ptr;
1525 } else if (tc_ptr < v) {
1531 return &tcg_ctx.tb_ctx.tbs[m_max];
1534 #if !defined(CONFIG_USER_ONLY)
1535 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1537 ram_addr_t ram_addr;
1542 mr = address_space_translate(as, addr, &addr, &l, false);
1543 if (!(memory_region_is_ram(mr)
1544 || memory_region_is_romd(mr))) {
1548 ram_addr = memory_region_get_ram_addr(mr) + addr;
1549 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1552 #endif /* !defined(CONFIG_USER_ONLY) */
1554 void tb_check_watchpoint(CPUState *cpu)
1556 TranslationBlock *tb;
1558 tb = tb_find_pc(cpu->mem_io_pc);
1560 /* We can use retranslation to find the PC. */
1561 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1562 tb_phys_invalidate(tb, -1);
1564 /* The exception probably happened in a helper. The CPU state should
1565 have been saved before calling it. Fetch the PC from there. */
1566 CPUArchState *env = cpu->env_ptr;
1567 target_ulong pc, cs_base;
1568 tb_page_addr_t addr;
1571 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1572 addr = get_page_addr_code(env, pc);
1573 tb_invalidate_phys_range(addr, addr + 1);
1577 #ifndef CONFIG_USER_ONLY
1578 /* in deterministic execution mode, instructions doing device I/Os
1579 must be at the end of the TB */
1580 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1582 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1583 CPUArchState *env = cpu->env_ptr;
1585 TranslationBlock *tb;
1587 target_ulong pc, cs_base;
1590 tb = tb_find_pc(retaddr);
1592 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1595 n = cpu->icount_decr.u16.low + tb->icount;
1596 cpu_restore_state_from_tb(cpu, tb, retaddr);
1597 /* Calculate how many instructions had been executed before the fault
1599 n = n - cpu->icount_decr.u16.low;
1600 /* Generate a new TB ending on the I/O insn. */
1602 /* On MIPS and SH, delay slot instructions can only be restarted if
1603 they were already the first instruction in the TB. If this is not
1604 the first instruction in a TB then re-execute the preceding
1606 #if defined(TARGET_MIPS)
1607 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1608 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1609 cpu->icount_decr.u16.low++;
1610 env->hflags &= ~MIPS_HFLAG_BMASK;
1612 #elif defined(TARGET_SH4)
1613 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1616 cpu->icount_decr.u16.low++;
1617 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1620 /* This should never happen. */
1621 if (n > CF_COUNT_MASK) {
1622 cpu_abort(cpu, "TB too big during recompile");
1625 cflags = n | CF_LAST_IO;
1627 cs_base = tb->cs_base;
1629 tb_phys_invalidate(tb, -1);
1630 if (tb->cflags & CF_NOCACHE) {
1632 /* Invalidate original TB if this TB was generated in
1633 * cpu_exec_nocache() */
1634 tb_phys_invalidate(tb->orig_tb, -1);
1638 /* FIXME: In theory this could raise an exception. In practice
1639 we have already translated the block once so it's probably ok. */
1640 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1641 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1642 the first in the TB) then we end up generating a whole new TB and
1643 repeating the fault, which is horribly inefficient.
1644 Better would be to execute just this insn uncached, or generate a
1646 cpu_loop_exit_noexc(cpu);
1649 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1653 /* Discard jump cache entries for any tb which might potentially
1654 overlap the flushed page. */
1655 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1656 memset(&cpu->tb_jmp_cache[i], 0,
1657 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1659 i = tb_jmp_cache_hash_page(addr);
1660 memset(&cpu->tb_jmp_cache[i], 0,
1661 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1664 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1666 int i, target_code_size, max_target_code_size;
1667 int direct_jmp_count, direct_jmp2_count, cross_page;
1668 TranslationBlock *tb;
1669 struct qht_stats hst;
1670 uint32_t hgram_opts;
1674 target_code_size = 0;
1675 max_target_code_size = 0;
1677 direct_jmp_count = 0;
1678 direct_jmp2_count = 0;
1679 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1680 tb = &tcg_ctx.tb_ctx.tbs[i];
1681 target_code_size += tb->size;
1682 if (tb->size > max_target_code_size) {
1683 max_target_code_size = tb->size;
1685 if (tb->page_addr[1] != -1) {
1688 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1690 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1691 direct_jmp2_count++;
1695 /* XXX: avoid using doubles ? */
1696 cpu_fprintf(f, "Translation buffer state:\n");
1697 cpu_fprintf(f, "gen code size %td/%zd\n",
1698 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1699 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1700 cpu_fprintf(f, "TB count %d/%d\n",
1701 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1702 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1703 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1704 tcg_ctx.tb_ctx.nb_tbs : 0,
1705 max_target_code_size);
1706 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1707 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1708 tcg_ctx.code_gen_buffer) /
1709 tcg_ctx.tb_ctx.nb_tbs : 0,
1710 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1711 tcg_ctx.code_gen_buffer) /
1712 target_code_size : 0);
1713 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1714 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1715 tcg_ctx.tb_ctx.nb_tbs : 0);
1716 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1718 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1719 tcg_ctx.tb_ctx.nb_tbs : 0,
1721 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1722 tcg_ctx.tb_ctx.nb_tbs : 0);
1724 qht_statistics_init(&tcg_ctx.tb_ctx.htable, &hst);
1726 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n",
1727 hst.used_head_buckets, hst.head_buckets,
1728 (double)hst.used_head_buckets / hst.head_buckets * 100);
1730 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1731 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT;
1732 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) {
1733 hgram_opts |= QDIST_PR_NODECIMAL;
1735 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts);
1736 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n",
1737 qdist_avg(&hst.occupancy) * 100, hgram);
1740 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1741 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain);
1742 if (hgram_bins > 10) {
1746 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE;
1748 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts);
1749 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n",
1750 qdist_avg(&hst.chain), hgram);
1753 qht_statistics_destroy(&hst);
1755 cpu_fprintf(f, "\nStatistics:\n");
1756 cpu_fprintf(f, "TB flush count %d\n", tcg_ctx.tb_ctx.tb_flush_count);
1757 cpu_fprintf(f, "TB invalidate count %d\n",
1758 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1759 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1760 tcg_dump_info(f, cpu_fprintf);
1763 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1765 tcg_dump_op_count(f, cpu_fprintf);
1768 #else /* CONFIG_USER_ONLY */
1770 void cpu_interrupt(CPUState *cpu, int mask)
1772 cpu->interrupt_request |= mask;
1773 cpu->tcg_exit_req = 1;
1777 * Walks guest process memory "regions" one by one
1778 * and calls callback function 'fn' for each region.
1780 struct walk_memory_regions_data {
1781 walk_memory_regions_fn fn;
1787 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1788 target_ulong end, int new_prot)
1790 if (data->start != -1u) {
1791 int rc = data->fn(data->priv, data->start, end, data->prot);
1797 data->start = (new_prot ? end : -1u);
1798 data->prot = new_prot;
1803 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1804 target_ulong base, int level, void **lp)
1810 return walk_memory_regions_end(data, base, 0);
1816 for (i = 0; i < V_L2_SIZE; ++i) {
1817 int prot = pd[i].flags;
1819 pa = base | (i << TARGET_PAGE_BITS);
1820 if (prot != data->prot) {
1821 rc = walk_memory_regions_end(data, pa, prot);
1830 for (i = 0; i < V_L2_SIZE; ++i) {
1831 pa = base | ((target_ulong)i <<
1832 (TARGET_PAGE_BITS + V_L2_BITS * level));
1833 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
1843 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
1845 struct walk_memory_regions_data data;
1853 for (i = 0; i < V_L1_SIZE; i++) {
1854 int rc = walk_memory_regions_1(&data, (target_ulong)i << (V_L1_SHIFT + TARGET_PAGE_BITS),
1855 V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
1861 return walk_memory_regions_end(&data, 0, 0);
1864 static int dump_region(void *priv, target_ulong start,
1865 target_ulong end, unsigned long prot)
1867 FILE *f = (FILE *)priv;
1869 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
1870 " "TARGET_FMT_lx" %c%c%c\n",
1871 start, end, end - start,
1872 ((prot & PAGE_READ) ? 'r' : '-'),
1873 ((prot & PAGE_WRITE) ? 'w' : '-'),
1874 ((prot & PAGE_EXEC) ? 'x' : '-'));
1879 /* dump memory mappings */
1880 void page_dump(FILE *f)
1882 const int length = sizeof(target_ulong) * 2;
1883 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
1884 length, "start", length, "end", length, "size", "prot");
1885 walk_memory_regions(f, dump_region);
1888 int page_get_flags(target_ulong address)
1892 p = page_find(address >> TARGET_PAGE_BITS);
1899 /* Modify the flags of a page and invalidate the code if necessary.
1900 The flag PAGE_WRITE_ORG is positioned automatically depending
1901 on PAGE_WRITE. The mmap_lock should already be held. */
1902 void page_set_flags(target_ulong start, target_ulong end, int flags)
1904 target_ulong addr, len;
1906 /* This function should never be called with addresses outside the
1907 guest address space. If this assert fires, it probably indicates
1908 a missing call to h2g_valid. */
1909 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1910 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1912 assert(start < end);
1914 start = start & TARGET_PAGE_MASK;
1915 end = TARGET_PAGE_ALIGN(end);
1917 if (flags & PAGE_WRITE) {
1918 flags |= PAGE_WRITE_ORG;
1921 for (addr = start, len = end - start;
1923 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1924 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
1926 /* If the write protection bit is set, then we invalidate
1928 if (!(p->flags & PAGE_WRITE) &&
1929 (flags & PAGE_WRITE) &&
1931 tb_invalidate_phys_page(addr, 0);
1937 int page_check_range(target_ulong start, target_ulong len, int flags)
1943 /* This function should never be called with addresses outside the
1944 guest address space. If this assert fires, it probably indicates
1945 a missing call to h2g_valid. */
1946 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1947 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1953 if (start + len - 1 < start) {
1954 /* We've wrapped around. */
1958 /* must do before we loose bits in the next step */
1959 end = TARGET_PAGE_ALIGN(start + len);
1960 start = start & TARGET_PAGE_MASK;
1962 for (addr = start, len = end - start;
1964 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1965 p = page_find(addr >> TARGET_PAGE_BITS);
1969 if (!(p->flags & PAGE_VALID)) {
1973 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
1976 if (flags & PAGE_WRITE) {
1977 if (!(p->flags & PAGE_WRITE_ORG)) {
1980 /* unprotect the page if it was put read-only because it
1981 contains translated code */
1982 if (!(p->flags & PAGE_WRITE)) {
1983 if (!page_unprotect(addr, 0)) {
1992 /* called from signal handler: invalidate the code and unprotect the
1993 * page. Return 0 if the fault was not handled, 1 if it was handled,
1994 * and 2 if it was handled but the caller must cause the TB to be
1995 * immediately exited. (We can only return 2 if the 'pc' argument is
1998 int page_unprotect(target_ulong address, uintptr_t pc)
2002 target_ulong host_start, host_end, addr;
2004 /* Technically this isn't safe inside a signal handler. However we
2005 know this only ever happens in a synchronous SEGV handler, so in
2006 practice it seems to be ok. */
2009 p = page_find(address >> TARGET_PAGE_BITS);
2015 /* if the page was really writable, then we change its
2016 protection back to writable */
2017 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
2018 host_start = address & qemu_host_page_mask;
2019 host_end = host_start + qemu_host_page_size;
2022 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
2023 p = page_find(addr >> TARGET_PAGE_BITS);
2024 p->flags |= PAGE_WRITE;
2027 /* and since the content will be modified, we must invalidate
2028 the corresponding translated code. */
2029 if (tb_invalidate_phys_page(addr, pc)) {
2033 #ifdef DEBUG_TB_CHECK
2034 tb_invalidate_check(addr);
2037 mprotect((void *)g2h(host_start), qemu_host_page_size,
2046 #endif /* CONFIG_USER_ONLY */
projects / qemu.git / blob