4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
24 #include "qemu/osdep.h"
27 #include "qemu-common.h"
28 #define NO_CPU_IO_DEFS
31 #include "disas/disas.h"
33 #if defined(CONFIG_USER_ONLY)
35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
36 #include <sys/param.h>
37 #if __FreeBSD_version >= 700104
38 #define HAVE_KINFO_GETVMMAP
39 #define sigqueue sigqueue_freebsd /* avoid redefinition */
41 #include <machine/profile.h>
50 #include "exec/address-spaces.h"
53 #include "exec/cputlb.h"
54 #include "exec/tb-hash.h"
55 #include "translate-all.h"
56 #include "qemu/bitmap.h"
57 #include "qemu/timer.h"
60 //#define DEBUG_TB_INVALIDATE
62 /* make various TB consistency checks */
63 //#define DEBUG_TB_CHECK
65 #if !defined(CONFIG_USER_ONLY)
66 /* TB consistency checks only implemented for usermode emulation. */
70 #define SMC_BITMAP_USE_THRESHOLD 10
72 typedef struct PageDesc {
73 /* list of TBs intersecting this ram page */
74 TranslationBlock *first_tb;
75 /* in order to optimize self modifying code, we count the number
76 of lookups we do to a given page to use a bitmap */
77 unsigned int code_write_count;
78 unsigned long *code_bitmap;
79 #if defined(CONFIG_USER_ONLY)
84 /* In system mode we want L1_MAP to be based on ram offsets,
85 while in user mode we want it to be based on virtual addresses. */
86 #if !defined(CONFIG_USER_ONLY)
87 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
88 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
90 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
93 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
96 /* Size of the L2 (and L3, etc) page tables. */
98 #define V_L2_SIZE (1 << V_L2_BITS)
100 /* The bits remaining after N lower levels of page tables. */
101 #define V_L1_BITS_REM \
102 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS)
104 #if V_L1_BITS_REM < 4
105 #define V_L1_BITS (V_L1_BITS_REM + V_L2_BITS)
107 #define V_L1_BITS V_L1_BITS_REM
110 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
112 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
114 uintptr_t qemu_host_page_size;
115 intptr_t qemu_host_page_mask;
117 /* The bottom level has pointers to PageDesc */
118 static void *l1_map[V_L1_SIZE];
120 /* code generation context */
123 /* translation block context */
124 #ifdef CONFIG_USER_ONLY
125 __thread int have_tb_lock;
130 #ifdef CONFIG_USER_ONLY
131 assert(!have_tb_lock);
132 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
139 #ifdef CONFIG_USER_ONLY
140 assert(have_tb_lock);
142 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
146 void tb_lock_reset(void)
148 #ifdef CONFIG_USER_ONLY
150 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
156 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
157 tb_page_addr_t phys_page2);
158 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
160 void cpu_gen_init(void)
162 tcg_context_init(&tcg_ctx);
165 /* Encode VAL as a signed leb128 sequence at P.
166 Return P incremented past the encoded value. */
167 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
174 more = !((val == 0 && (byte & 0x40) == 0)
175 || (val == -1 && (byte & 0x40) != 0));
185 /* Decode a signed leb128 sequence at *PP; increment *PP past the
186 decoded value. Return the decoded value. */
187 static target_long decode_sleb128(uint8_t **pp)
195 val |= (target_ulong)(byte & 0x7f) << shift;
197 } while (byte & 0x80);
198 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
199 val |= -(target_ulong)1 << shift;
206 /* Encode the data collected about the instructions while compiling TB.
207 Place the data at BLOCK, and return the number of bytes consumed.
209 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's,
210 which come from the target's insn_start data, followed by a uintptr_t
211 which comes from the host pc of the end of the code implementing the insn.
213 Each line of the table is encoded as sleb128 deltas from the previous
214 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
215 That is, the first column is seeded with the guest pc, the last column
216 with the host pc, and the middle columns with zeros. */
218 static int encode_search(TranslationBlock *tb, uint8_t *block)
220 uint8_t *highwater = tcg_ctx.code_gen_highwater;
224 tb->tc_search = block;
226 for (i = 0, n = tb->icount; i < n; ++i) {
229 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
231 prev = (j == 0 ? tb->pc : 0);
233 prev = tcg_ctx.gen_insn_data[i - 1][j];
235 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
237 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
238 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
240 /* Test for (pending) buffer overflow. The assumption is that any
241 one row beginning below the high water mark cannot overrun
242 the buffer completely. Thus we can test for overflow after
243 encoding a row without having to check during encoding. */
244 if (unlikely(p > highwater)) {
252 /* The cpu state corresponding to 'searched_pc' is restored. */
253 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
254 uintptr_t searched_pc)
256 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
257 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
258 CPUArchState *env = cpu->env_ptr;
259 uint8_t *p = tb->tc_search;
260 int i, j, num_insns = tb->icount;
261 #ifdef CONFIG_PROFILER
262 int64_t ti = profile_getclock();
265 if (searched_pc < host_pc) {
269 /* Reconstruct the stored insn data while looking for the point at
270 which the end of the insn exceeds the searched_pc. */
271 for (i = 0; i < num_insns; ++i) {
272 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
273 data[j] += decode_sleb128(&p);
275 host_pc += decode_sleb128(&p);
276 if (host_pc > searched_pc) {
283 if (tb->cflags & CF_USE_ICOUNT) {
285 /* Reset the cycle counter to the start of the block. */
286 cpu->icount_decr.u16.low += num_insns;
287 /* Clear the IO flag. */
290 cpu->icount_decr.u16.low -= i;
291 restore_state_to_opc(env, tb, data);
293 #ifdef CONFIG_PROFILER
294 tcg_ctx.restore_time += profile_getclock() - ti;
295 tcg_ctx.restore_count++;
300 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
302 TranslationBlock *tb;
304 tb = tb_find_pc(retaddr);
306 cpu_restore_state_from_tb(cpu, tb, retaddr);
307 if (tb->cflags & CF_NOCACHE) {
308 /* one-shot translation, invalidate it immediately */
309 cpu->current_tb = NULL;
310 tb_phys_invalidate(tb, -1);
318 void page_size_init(void)
320 /* NOTE: we can always suppose that qemu_host_page_size >=
322 qemu_real_host_page_size = getpagesize();
323 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
324 if (qemu_host_page_size == 0) {
325 qemu_host_page_size = qemu_real_host_page_size;
327 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
328 qemu_host_page_size = TARGET_PAGE_SIZE;
330 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
333 static void page_init(void)
336 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
338 #ifdef HAVE_KINFO_GETVMMAP
339 struct kinfo_vmentry *freep;
342 freep = kinfo_getvmmap(getpid(), &cnt);
345 for (i = 0; i < cnt; i++) {
346 unsigned long startaddr, endaddr;
348 startaddr = freep[i].kve_start;
349 endaddr = freep[i].kve_end;
350 if (h2g_valid(startaddr)) {
351 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
353 if (h2g_valid(endaddr)) {
354 endaddr = h2g(endaddr);
355 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
357 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
359 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
370 last_brk = (unsigned long)sbrk(0);
372 f = fopen("/compat/linux/proc/self/maps", "r");
377 unsigned long startaddr, endaddr;
380 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
382 if (n == 2 && h2g_valid(startaddr)) {
383 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
385 if (h2g_valid(endaddr)) {
386 endaddr = h2g(endaddr);
390 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
403 * Called with mmap_lock held for user-mode emulation.
405 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
411 /* Level 1. Always allocated. */
412 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
415 for (i = V_L1_SHIFT / V_L2_BITS - 1; i > 0; i--) {
416 void **p = atomic_rcu_read(lp);
422 p = g_new0(void *, V_L2_SIZE);
423 atomic_rcu_set(lp, p);
426 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
429 pd = atomic_rcu_read(lp);
434 pd = g_new0(PageDesc, V_L2_SIZE);
435 atomic_rcu_set(lp, pd);
438 return pd + (index & (V_L2_SIZE - 1));
441 static inline PageDesc *page_find(tb_page_addr_t index)
443 return page_find_alloc(index, 0);
446 #if defined(CONFIG_USER_ONLY)
447 /* Currently it is not recommended to allocate big chunks of data in
448 user mode. It will change when a dedicated libc will be used. */
449 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
450 region in which the guest needs to run. Revisit this. */
451 #define USE_STATIC_CODE_GEN_BUFFER
454 /* Minimum size of the code gen buffer. This number is randomly chosen,
455 but not so small that we can't have a fair number of TB's live. */
456 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
458 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
459 indicated, this is constrained by the range of direct branches on the
460 host cpu, as used by the TCG implementation of goto_tb. */
461 #if defined(__x86_64__)
462 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
463 #elif defined(__sparc__)
464 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
465 #elif defined(__powerpc64__)
466 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
467 #elif defined(__aarch64__)
468 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
469 #elif defined(__arm__)
470 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
471 #elif defined(__s390x__)
472 /* We have a +- 4GB range on the branches; leave some slop. */
473 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
474 #elif defined(__mips__)
475 /* We have a 256MB branch region, but leave room to make sure the
476 main executable is also within that region. */
477 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
479 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
482 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
484 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
485 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
486 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
488 static inline size_t size_code_gen_buffer(size_t tb_size)
490 /* Size the buffer. */
492 #ifdef USE_STATIC_CODE_GEN_BUFFER
493 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
495 /* ??? Needs adjustments. */
496 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
497 static buffer, we could size this on RESERVED_VA, on the text
498 segment size of the executable, or continue to use the default. */
499 tb_size = (unsigned long)(ram_size / 4);
502 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
503 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
505 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
506 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
508 tcg_ctx.code_gen_buffer_size = tb_size;
513 /* In order to use J and JAL within the code_gen_buffer, we require
514 that the buffer not cross a 256MB boundary. */
515 static inline bool cross_256mb(void *addr, size_t size)
517 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & 0xf0000000;
520 /* We weren't able to allocate a buffer without crossing that boundary,
521 so make do with the larger portion of the buffer that doesn't cross.
522 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
523 static inline void *split_cross_256mb(void *buf1, size_t size1)
525 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & 0xf0000000);
526 size_t size2 = buf1 + size1 - buf2;
534 tcg_ctx.code_gen_buffer_size = size1;
539 #ifdef USE_STATIC_CODE_GEN_BUFFER
540 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
541 __attribute__((aligned(CODE_GEN_ALIGN)));
544 static inline void do_protect(void *addr, long size, int prot)
547 VirtualProtect(addr, size, prot, &old_protect);
550 static inline void map_exec(void *addr, long size)
552 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
555 static inline void map_none(void *addr, long size)
557 do_protect(addr, size, PAGE_NOACCESS);
560 static inline void do_protect(void *addr, long size, int prot)
562 uintptr_t start, end;
564 start = (uintptr_t)addr;
565 start &= qemu_real_host_page_mask;
567 end = (uintptr_t)addr + size;
568 end = ROUND_UP(end, qemu_real_host_page_size);
570 mprotect((void *)start, end - start, prot);
573 static inline void map_exec(void *addr, long size)
575 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
578 static inline void map_none(void *addr, long size)
580 do_protect(addr, size, PROT_NONE);
584 static inline void *alloc_code_gen_buffer(void)
586 void *buf = static_code_gen_buffer;
587 size_t full_size, size;
589 /* The size of the buffer, rounded down to end on a page boundary. */
590 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
591 & qemu_real_host_page_mask) - (uintptr_t)buf;
593 /* Reserve a guard page. */
594 size = full_size - qemu_real_host_page_size;
596 /* Honor a command-line option limiting the size of the buffer. */
597 if (size > tcg_ctx.code_gen_buffer_size) {
598 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
599 & qemu_real_host_page_mask) - (uintptr_t)buf;
601 tcg_ctx.code_gen_buffer_size = size;
604 if (cross_256mb(buf, size)) {
605 buf = split_cross_256mb(buf, size);
606 size = tcg_ctx.code_gen_buffer_size;
611 map_none(buf + size, qemu_real_host_page_size);
612 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
616 #elif defined(_WIN32)
617 static inline void *alloc_code_gen_buffer(void)
619 size_t size = tcg_ctx.code_gen_buffer_size;
622 /* Perform the allocation in two steps, so that the guard page
623 is reserved but uncommitted. */
624 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
625 MEM_RESERVE, PAGE_NOACCESS);
627 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
628 assert(buf1 == buf2);
634 static inline void *alloc_code_gen_buffer(void)
636 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
638 size_t size = tcg_ctx.code_gen_buffer_size;
641 /* Constrain the position of the buffer based on the host cpu.
642 Note that these addresses are chosen in concert with the
643 addresses assigned in the relevant linker script file. */
644 # if defined(__PIE__) || defined(__PIC__)
645 /* Don't bother setting a preferred location if we're building
646 a position-independent executable. We're more likely to get
647 an address near the main executable if we let the kernel
648 choose the address. */
649 # elif defined(__x86_64__) && defined(MAP_32BIT)
650 /* Force the memory down into low memory with the executable.
651 Leave the choice of exact location with the kernel. */
653 /* Cannot expect to map more than 800MB in low memory. */
654 if (size > 800u * 1024 * 1024) {
655 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
657 # elif defined(__sparc__)
658 start = 0x40000000ul;
659 # elif defined(__s390x__)
660 start = 0x90000000ul;
661 # elif defined(__mips__)
662 # if _MIPS_SIM == _ABI64
663 start = 0x128000000ul;
665 start = 0x08000000ul;
669 buf = mmap((void *)start, size + qemu_real_host_page_size,
670 PROT_NONE, flags, -1, 0);
671 if (buf == MAP_FAILED) {
676 if (cross_256mb(buf, size)) {
677 /* Try again, with the original still mapped, to avoid re-acquiring
678 that 256mb crossing. This time don't specify an address. */
680 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
681 PROT_NONE, flags, -1, 0);
682 switch (buf2 != MAP_FAILED) {
684 if (!cross_256mb(buf2, size)) {
685 /* Success! Use the new buffer. */
689 /* Failure. Work with what we had. */
693 /* Split the original buffer. Free the smaller half. */
694 buf2 = split_cross_256mb(buf, size);
695 size2 = tcg_ctx.code_gen_buffer_size;
697 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
699 munmap(buf, size - size2);
708 /* Make the final buffer accessible. The guard page at the end
709 will remain inaccessible with PROT_NONE. */
710 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
712 /* Request large pages for the buffer. */
713 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
717 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
719 static inline void code_gen_alloc(size_t tb_size)
721 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
722 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
723 if (tcg_ctx.code_gen_buffer == NULL) {
724 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
728 /* Estimate a good size for the number of TBs we can support. We
729 still haven't deducted the prologue from the buffer size here,
730 but that's minimal and won't affect the estimate much. */
731 tcg_ctx.code_gen_max_blocks
732 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
733 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
735 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
738 /* Must be called before using the QEMU cpus. 'tb_size' is the size
739 (in bytes) allocated to the translation buffer. Zero means default
741 void tcg_exec_init(unsigned long tb_size)
745 code_gen_alloc(tb_size);
746 #if defined(CONFIG_SOFTMMU)
747 /* There's no guest base to take into account, so go ahead and
748 initialize the prologue now. */
749 tcg_prologue_init(&tcg_ctx);
753 bool tcg_enabled(void)
755 return tcg_ctx.code_gen_buffer != NULL;
758 /* Allocate a new translation block. Flush the translation buffer if
759 too many translation blocks or too much generated code. */
760 static TranslationBlock *tb_alloc(target_ulong pc)
762 TranslationBlock *tb;
764 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
767 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
773 void tb_free(TranslationBlock *tb)
775 /* In practice this is mostly used for single use temporary TB
776 Ignore the hard cases and just back up if this TB happens to
777 be the last one generated. */
778 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
779 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
780 tcg_ctx.code_gen_ptr = tb->tc_ptr;
781 tcg_ctx.tb_ctx.nb_tbs--;
785 static inline void invalidate_page_bitmap(PageDesc *p)
787 g_free(p->code_bitmap);
788 p->code_bitmap = NULL;
789 p->code_write_count = 0;
792 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
793 static void page_flush_tb_1(int level, void **lp)
803 for (i = 0; i < V_L2_SIZE; ++i) {
804 pd[i].first_tb = NULL;
805 invalidate_page_bitmap(pd + i);
810 for (i = 0; i < V_L2_SIZE; ++i) {
811 page_flush_tb_1(level - 1, pp + i);
816 static void page_flush_tb(void)
820 for (i = 0; i < V_L1_SIZE; i++) {
821 page_flush_tb_1(V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
825 /* flush all the translation blocks */
826 /* XXX: tb_flush is currently not thread safe */
827 void tb_flush(CPUState *cpu)
829 #if defined(DEBUG_FLUSH)
830 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
831 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
832 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
833 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
834 tcg_ctx.tb_ctx.nb_tbs : 0);
836 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
837 > tcg_ctx.code_gen_buffer_size) {
838 cpu_abort(cpu, "Internal error: code buffer overflow\n");
840 tcg_ctx.tb_ctx.nb_tbs = 0;
843 memset(cpu->tb_jmp_cache, 0, sizeof(cpu->tb_jmp_cache));
846 memset(tcg_ctx.tb_ctx.tb_phys_hash, 0, sizeof(tcg_ctx.tb_ctx.tb_phys_hash));
849 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
850 /* XXX: flush processor icache at this point if cache flush is
852 tcg_ctx.tb_ctx.tb_flush_count++;
855 #ifdef DEBUG_TB_CHECK
857 static void tb_invalidate_check(target_ulong address)
859 TranslationBlock *tb;
862 address &= TARGET_PAGE_MASK;
863 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
864 for (tb = tb_ctx.tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
865 if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
866 address >= tb->pc + tb->size)) {
867 printf("ERROR invalidate: address=" TARGET_FMT_lx
868 " PC=%08lx size=%04x\n",
869 address, (long)tb->pc, tb->size);
875 /* verify that all the pages have correct rights for code */
876 static void tb_page_check(void)
878 TranslationBlock *tb;
879 int i, flags1, flags2;
881 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
882 for (tb = tcg_ctx.tb_ctx.tb_phys_hash[i]; tb != NULL;
883 tb = tb->phys_hash_next) {
884 flags1 = page_get_flags(tb->pc);
885 flags2 = page_get_flags(tb->pc + tb->size - 1);
886 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
887 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
888 (long)tb->pc, tb->size, flags1, flags2);
896 static inline void tb_hash_remove(TranslationBlock **ptb, TranslationBlock *tb)
898 TranslationBlock *tb1;
903 *ptb = tb1->phys_hash_next;
906 ptb = &tb1->phys_hash_next;
910 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
912 TranslationBlock *tb1;
917 n1 = (uintptr_t)tb1 & 3;
918 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
920 *ptb = tb1->page_next[n1];
923 ptb = &tb1->page_next[n1];
927 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
929 TranslationBlock *tb1, **ptb;
932 ptb = &tb->jmp_next[n];
935 /* find tb(n) in circular list */
938 n1 = (uintptr_t)tb1 & 3;
939 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
940 if (n1 == n && tb1 == tb) {
944 ptb = &tb1->jmp_first;
946 ptb = &tb1->jmp_next[n1];
949 /* now we can suppress tb(n) from the list */
950 *ptb = tb->jmp_next[n];
952 tb->jmp_next[n] = NULL;
956 /* reset the jump entry 'n' of a TB so that it is not chained to
958 static inline void tb_reset_jump(TranslationBlock *tb, int n)
960 tb_set_jmp_target(tb, n, (uintptr_t)(tb->tc_ptr + tb->tb_next_offset[n]));
963 /* invalidate one TB */
964 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
969 tb_page_addr_t phys_pc;
970 TranslationBlock *tb1, *tb2;
972 /* remove the TB from the hash list */
973 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
974 h = tb_phys_hash_func(phys_pc);
975 tb_hash_remove(&tcg_ctx.tb_ctx.tb_phys_hash[h], tb);
977 /* remove the TB from the page list */
978 if (tb->page_addr[0] != page_addr) {
979 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
980 tb_page_remove(&p->first_tb, tb);
981 invalidate_page_bitmap(p);
983 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
984 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
985 tb_page_remove(&p->first_tb, tb);
986 invalidate_page_bitmap(p);
989 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
991 /* remove the TB from the hash list */
992 h = tb_jmp_cache_hash_func(tb->pc);
994 if (cpu->tb_jmp_cache[h] == tb) {
995 cpu->tb_jmp_cache[h] = NULL;
999 /* suppress this TB from the two jump lists */
1000 tb_jmp_remove(tb, 0);
1001 tb_jmp_remove(tb, 1);
1003 /* suppress any remaining jumps to this TB */
1004 tb1 = tb->jmp_first;
1006 n1 = (uintptr_t)tb1 & 3;
1010 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
1011 tb2 = tb1->jmp_next[n1];
1012 tb_reset_jump(tb1, n1);
1013 tb1->jmp_next[n1] = NULL;
1016 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2); /* fail safe */
1018 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1021 static void build_page_bitmap(PageDesc *p)
1023 int n, tb_start, tb_end;
1024 TranslationBlock *tb;
1026 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1029 while (tb != NULL) {
1030 n = (uintptr_t)tb & 3;
1031 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1032 /* NOTE: this is subtle as a TB may span two physical pages */
1034 /* NOTE: tb_end may be after the end of the page, but
1035 it is not a problem */
1036 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1037 tb_end = tb_start + tb->size;
1038 if (tb_end > TARGET_PAGE_SIZE) {
1039 tb_end = TARGET_PAGE_SIZE;
1043 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1045 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1046 tb = tb->page_next[n];
1050 /* Called with mmap_lock held for user mode emulation. */
1051 TranslationBlock *tb_gen_code(CPUState *cpu,
1052 target_ulong pc, target_ulong cs_base,
1053 int flags, int cflags)
1055 CPUArchState *env = cpu->env_ptr;
1056 TranslationBlock *tb;
1057 tb_page_addr_t phys_pc, phys_page2;
1058 target_ulong virt_page2;
1059 tcg_insn_unit *gen_code_buf;
1060 int gen_code_size, search_size;
1061 #ifdef CONFIG_PROFILER
1065 phys_pc = get_page_addr_code(env, pc);
1066 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1067 cflags |= CF_USE_ICOUNT;
1071 if (unlikely(!tb)) {
1073 /* flush must be done */
1075 /* cannot fail at this point */
1078 /* Don't forget to invalidate previous TB info. */
1079 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
1082 gen_code_buf = tcg_ctx.code_gen_ptr;
1083 tb->tc_ptr = gen_code_buf;
1084 tb->cs_base = cs_base;
1086 tb->cflags = cflags;
1088 #ifdef CONFIG_PROFILER
1089 tcg_ctx.tb_count1++; /* includes aborted translations because of
1091 ti = profile_getclock();
1094 tcg_func_start(&tcg_ctx);
1096 gen_intermediate_code(env, tb);
1098 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1100 /* generate machine code */
1101 tb->tb_next_offset[0] = 0xffff;
1102 tb->tb_next_offset[1] = 0xffff;
1103 tcg_ctx.tb_next_offset = tb->tb_next_offset;
1104 #ifdef USE_DIRECT_JUMP
1105 tcg_ctx.tb_jmp_offset = tb->tb_jmp_offset;
1106 tcg_ctx.tb_next = NULL;
1108 tcg_ctx.tb_jmp_offset = NULL;
1109 tcg_ctx.tb_next = tb->tb_next;
1112 #ifdef CONFIG_PROFILER
1114 tcg_ctx.interm_time += profile_getclock() - ti;
1115 tcg_ctx.code_time -= profile_getclock();
1118 /* ??? Overflow could be handled better here. In particular, we
1119 don't need to re-do gen_intermediate_code, nor should we re-do
1120 the tcg optimization currently hidden inside tcg_gen_code. All
1121 that should be required is to flush the TBs, allocate a new TB,
1122 re-initialize it per above, and re-do the actual code generation. */
1123 gen_code_size = tcg_gen_code(&tcg_ctx, gen_code_buf);
1124 if (unlikely(gen_code_size < 0)) {
1125 goto buffer_overflow;
1127 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1128 if (unlikely(search_size < 0)) {
1129 goto buffer_overflow;
1132 #ifdef CONFIG_PROFILER
1133 tcg_ctx.code_time += profile_getclock();
1134 tcg_ctx.code_in_len += tb->size;
1135 tcg_ctx.code_out_len += gen_code_size;
1136 tcg_ctx.search_out_len += search_size;
1140 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
1141 qemu_log("OUT: [size=%d]\n", gen_code_size);
1142 log_disas(tb->tc_ptr, gen_code_size);
1148 tcg_ctx.code_gen_ptr = (void *)
1149 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1152 /* check next page if needed */
1153 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1155 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1156 phys_page2 = get_page_addr_code(env, virt_page2);
1158 tb_link_page(tb, phys_pc, phys_page2);
1163 * Invalidate all TBs which intersect with the target physical address range
1164 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1165 * 'is_cpu_write_access' should be true if called from a real cpu write
1166 * access: the virtual CPU will exit the current TB if code is modified inside
1169 * Called with mmap_lock held for user-mode emulation
1171 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1173 while (start < end) {
1174 tb_invalidate_phys_page_range(start, end, 0);
1175 start &= TARGET_PAGE_MASK;
1176 start += TARGET_PAGE_SIZE;
1181 * Invalidate all TBs which intersect with the target physical address range
1182 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1183 * 'is_cpu_write_access' should be true if called from a real cpu write
1184 * access: the virtual CPU will exit the current TB if code is modified inside
1187 * Called with mmap_lock held for user-mode emulation
1189 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1190 int is_cpu_write_access)
1192 TranslationBlock *tb, *tb_next, *saved_tb;
1193 CPUState *cpu = current_cpu;
1194 #if defined(TARGET_HAS_PRECISE_SMC)
1195 CPUArchState *env = NULL;
1197 tb_page_addr_t tb_start, tb_end;
1200 #ifdef TARGET_HAS_PRECISE_SMC
1201 int current_tb_not_found = is_cpu_write_access;
1202 TranslationBlock *current_tb = NULL;
1203 int current_tb_modified = 0;
1204 target_ulong current_pc = 0;
1205 target_ulong current_cs_base = 0;
1206 int current_flags = 0;
1207 #endif /* TARGET_HAS_PRECISE_SMC */
1209 p = page_find(start >> TARGET_PAGE_BITS);
1213 #if defined(TARGET_HAS_PRECISE_SMC)
1219 /* we remove all the TBs in the range [start, end[ */
1220 /* XXX: see if in some cases it could be faster to invalidate all
1223 while (tb != NULL) {
1224 n = (uintptr_t)tb & 3;
1225 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1226 tb_next = tb->page_next[n];
1227 /* NOTE: this is subtle as a TB may span two physical pages */
1229 /* NOTE: tb_end may be after the end of the page, but
1230 it is not a problem */
1231 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1232 tb_end = tb_start + tb->size;
1234 tb_start = tb->page_addr[1];
1235 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1237 if (!(tb_end <= start || tb_start >= end)) {
1238 #ifdef TARGET_HAS_PRECISE_SMC
1239 if (current_tb_not_found) {
1240 current_tb_not_found = 0;
1242 if (cpu->mem_io_pc) {
1243 /* now we have a real cpu fault */
1244 current_tb = tb_find_pc(cpu->mem_io_pc);
1247 if (current_tb == tb &&
1248 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1249 /* If we are modifying the current TB, we must stop
1250 its execution. We could be more precise by checking
1251 that the modification is after the current PC, but it
1252 would require a specialized function to partially
1253 restore the CPU state */
1255 current_tb_modified = 1;
1256 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1257 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1260 #endif /* TARGET_HAS_PRECISE_SMC */
1261 /* we need to do that to handle the case where a signal
1262 occurs while doing tb_phys_invalidate() */
1265 saved_tb = cpu->current_tb;
1266 cpu->current_tb = NULL;
1268 tb_phys_invalidate(tb, -1);
1270 cpu->current_tb = saved_tb;
1271 if (cpu->interrupt_request && cpu->current_tb) {
1272 cpu_interrupt(cpu, cpu->interrupt_request);
1278 #if !defined(CONFIG_USER_ONLY)
1279 /* if no code remaining, no need to continue to use slow writes */
1281 invalidate_page_bitmap(p);
1282 tlb_unprotect_code(start);
1285 #ifdef TARGET_HAS_PRECISE_SMC
1286 if (current_tb_modified) {
1287 /* we generate a block containing just the instruction
1288 modifying the memory. It will ensure that it cannot modify
1290 cpu->current_tb = NULL;
1291 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1292 cpu_resume_from_signal(cpu, NULL);
1297 /* len must be <= 8 and start must be a multiple of len */
1298 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1304 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1305 cpu_single_env->mem_io_vaddr, len,
1306 cpu_single_env->eip,
1307 cpu_single_env->eip +
1308 (intptr_t)cpu_single_env->segs[R_CS].base);
1311 p = page_find(start >> TARGET_PAGE_BITS);
1315 if (!p->code_bitmap &&
1316 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1317 /* build code bitmap */
1318 build_page_bitmap(p);
1320 if (p->code_bitmap) {
1324 nr = start & ~TARGET_PAGE_MASK;
1325 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1326 if (b & ((1 << len) - 1)) {
1331 tb_invalidate_phys_page_range(start, start + len, 1);
1335 #if !defined(CONFIG_SOFTMMU)
1336 /* Called with mmap_lock held. */
1337 static void tb_invalidate_phys_page(tb_page_addr_t addr,
1338 uintptr_t pc, void *puc,
1341 TranslationBlock *tb;
1344 #ifdef TARGET_HAS_PRECISE_SMC
1345 TranslationBlock *current_tb = NULL;
1346 CPUState *cpu = current_cpu;
1347 CPUArchState *env = NULL;
1348 int current_tb_modified = 0;
1349 target_ulong current_pc = 0;
1350 target_ulong current_cs_base = 0;
1351 int current_flags = 0;
1354 addr &= TARGET_PAGE_MASK;
1355 p = page_find(addr >> TARGET_PAGE_BITS);
1360 #ifdef TARGET_HAS_PRECISE_SMC
1361 if (tb && pc != 0) {
1362 current_tb = tb_find_pc(pc);
1368 while (tb != NULL) {
1369 n = (uintptr_t)tb & 3;
1370 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1371 #ifdef TARGET_HAS_PRECISE_SMC
1372 if (current_tb == tb &&
1373 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1374 /* If we are modifying the current TB, we must stop
1375 its execution. We could be more precise by checking
1376 that the modification is after the current PC, but it
1377 would require a specialized function to partially
1378 restore the CPU state */
1380 current_tb_modified = 1;
1381 cpu_restore_state_from_tb(cpu, current_tb, pc);
1382 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1385 #endif /* TARGET_HAS_PRECISE_SMC */
1386 tb_phys_invalidate(tb, addr);
1387 tb = tb->page_next[n];
1390 #ifdef TARGET_HAS_PRECISE_SMC
1391 if (current_tb_modified) {
1392 /* we generate a block containing just the instruction
1393 modifying the memory. It will ensure that it cannot modify
1395 cpu->current_tb = NULL;
1396 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1400 cpu_resume_from_signal(cpu, puc);
1406 /* add the tb in the target page and protect it if necessary
1408 * Called with mmap_lock held for user-mode emulation.
1410 static inline void tb_alloc_page(TranslationBlock *tb,
1411 unsigned int n, tb_page_addr_t page_addr)
1414 #ifndef CONFIG_USER_ONLY
1415 bool page_already_protected;
1418 tb->page_addr[n] = page_addr;
1419 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1420 tb->page_next[n] = p->first_tb;
1421 #ifndef CONFIG_USER_ONLY
1422 page_already_protected = p->first_tb != NULL;
1424 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1425 invalidate_page_bitmap(p);
1427 #if defined(CONFIG_USER_ONLY)
1428 if (p->flags & PAGE_WRITE) {
1433 /* force the host page as non writable (writes will have a
1434 page fault + mprotect overhead) */
1435 page_addr &= qemu_host_page_mask;
1437 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1438 addr += TARGET_PAGE_SIZE) {
1440 p2 = page_find(addr >> TARGET_PAGE_BITS);
1445 p2->flags &= ~PAGE_WRITE;
1447 mprotect(g2h(page_addr), qemu_host_page_size,
1448 (prot & PAGE_BITS) & ~PAGE_WRITE);
1449 #ifdef DEBUG_TB_INVALIDATE
1450 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1455 /* if some code is already present, then the pages are already
1456 protected. So we handle the case where only the first TB is
1457 allocated in a physical page */
1458 if (!page_already_protected) {
1459 tlb_protect_code(page_addr);
1464 /* add a new TB and link it to the physical page tables. phys_page2 is
1465 * (-1) to indicate that only one page contains the TB.
1467 * Called with mmap_lock held for user-mode emulation.
1469 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1470 tb_page_addr_t phys_page2)
1473 TranslationBlock **ptb;
1475 /* add in the physical hash table */
1476 h = tb_phys_hash_func(phys_pc);
1477 ptb = &tcg_ctx.tb_ctx.tb_phys_hash[h];
1478 tb->phys_hash_next = *ptb;
1481 /* add in the page list */
1482 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1483 if (phys_page2 != -1) {
1484 tb_alloc_page(tb, 1, phys_page2);
1486 tb->page_addr[1] = -1;
1489 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2);
1490 tb->jmp_next[0] = NULL;
1491 tb->jmp_next[1] = NULL;
1493 /* init original jump addresses */
1494 if (tb->tb_next_offset[0] != 0xffff) {
1495 tb_reset_jump(tb, 0);
1497 if (tb->tb_next_offset[1] != 0xffff) {
1498 tb_reset_jump(tb, 1);
1501 #ifdef DEBUG_TB_CHECK
1506 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1507 tb[1].tc_ptr. Return NULL if not found */
1508 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1510 int m_min, m_max, m;
1512 TranslationBlock *tb;
1514 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1517 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1518 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1521 /* binary search (cf Knuth) */
1523 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1524 while (m_min <= m_max) {
1525 m = (m_min + m_max) >> 1;
1526 tb = &tcg_ctx.tb_ctx.tbs[m];
1527 v = (uintptr_t)tb->tc_ptr;
1530 } else if (tc_ptr < v) {
1536 return &tcg_ctx.tb_ctx.tbs[m_max];
1539 #if !defined(CONFIG_USER_ONLY)
1540 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1542 ram_addr_t ram_addr;
1547 mr = address_space_translate(as, addr, &addr, &l, false);
1548 if (!(memory_region_is_ram(mr)
1549 || memory_region_is_romd(mr))) {
1553 ram_addr = (memory_region_get_ram_addr(mr) & TARGET_PAGE_MASK)
1555 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1558 #endif /* !defined(CONFIG_USER_ONLY) */
1560 void tb_check_watchpoint(CPUState *cpu)
1562 TranslationBlock *tb;
1564 tb = tb_find_pc(cpu->mem_io_pc);
1566 /* We can use retranslation to find the PC. */
1567 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1568 tb_phys_invalidate(tb, -1);
1570 /* The exception probably happened in a helper. The CPU state should
1571 have been saved before calling it. Fetch the PC from there. */
1572 CPUArchState *env = cpu->env_ptr;
1573 target_ulong pc, cs_base;
1574 tb_page_addr_t addr;
1577 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1578 addr = get_page_addr_code(env, pc);
1579 tb_invalidate_phys_range(addr, addr + 1);
1583 #ifndef CONFIG_USER_ONLY
1584 /* in deterministic execution mode, instructions doing device I/Os
1585 must be at the end of the TB */
1586 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1588 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1589 CPUArchState *env = cpu->env_ptr;
1591 TranslationBlock *tb;
1593 target_ulong pc, cs_base;
1596 tb = tb_find_pc(retaddr);
1598 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1601 n = cpu->icount_decr.u16.low + tb->icount;
1602 cpu_restore_state_from_tb(cpu, tb, retaddr);
1603 /* Calculate how many instructions had been executed before the fault
1605 n = n - cpu->icount_decr.u16.low;
1606 /* Generate a new TB ending on the I/O insn. */
1608 /* On MIPS and SH, delay slot instructions can only be restarted if
1609 they were already the first instruction in the TB. If this is not
1610 the first instruction in a TB then re-execute the preceding
1612 #if defined(TARGET_MIPS)
1613 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1614 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1615 cpu->icount_decr.u16.low++;
1616 env->hflags &= ~MIPS_HFLAG_BMASK;
1618 #elif defined(TARGET_SH4)
1619 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1622 cpu->icount_decr.u16.low++;
1623 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1626 /* This should never happen. */
1627 if (n > CF_COUNT_MASK) {
1628 cpu_abort(cpu, "TB too big during recompile");
1631 cflags = n | CF_LAST_IO;
1633 cs_base = tb->cs_base;
1635 tb_phys_invalidate(tb, -1);
1636 if (tb->cflags & CF_NOCACHE) {
1638 /* Invalidate original TB if this TB was generated in
1639 * cpu_exec_nocache() */
1640 tb_phys_invalidate(tb->orig_tb, -1);
1644 /* FIXME: In theory this could raise an exception. In practice
1645 we have already translated the block once so it's probably ok. */
1646 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1647 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1648 the first in the TB) then we end up generating a whole new TB and
1649 repeating the fault, which is horribly inefficient.
1650 Better would be to execute just this insn uncached, or generate a
1652 cpu_resume_from_signal(cpu, NULL);
1655 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1659 /* Discard jump cache entries for any tb which might potentially
1660 overlap the flushed page. */
1661 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1662 memset(&cpu->tb_jmp_cache[i], 0,
1663 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1665 i = tb_jmp_cache_hash_page(addr);
1666 memset(&cpu->tb_jmp_cache[i], 0,
1667 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1670 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1672 int i, target_code_size, max_target_code_size;
1673 int direct_jmp_count, direct_jmp2_count, cross_page;
1674 TranslationBlock *tb;
1676 target_code_size = 0;
1677 max_target_code_size = 0;
1679 direct_jmp_count = 0;
1680 direct_jmp2_count = 0;
1681 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1682 tb = &tcg_ctx.tb_ctx.tbs[i];
1683 target_code_size += tb->size;
1684 if (tb->size > max_target_code_size) {
1685 max_target_code_size = tb->size;
1687 if (tb->page_addr[1] != -1) {
1690 if (tb->tb_next_offset[0] != 0xffff) {
1692 if (tb->tb_next_offset[1] != 0xffff) {
1693 direct_jmp2_count++;
1697 /* XXX: avoid using doubles ? */
1698 cpu_fprintf(f, "Translation buffer state:\n");
1699 cpu_fprintf(f, "gen code size %td/%zd\n",
1700 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1701 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1702 cpu_fprintf(f, "TB count %d/%d\n",
1703 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1704 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1705 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1706 tcg_ctx.tb_ctx.nb_tbs : 0,
1707 max_target_code_size);
1708 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1709 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1710 tcg_ctx.code_gen_buffer) /
1711 tcg_ctx.tb_ctx.nb_tbs : 0,
1712 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1713 tcg_ctx.code_gen_buffer) /
1714 target_code_size : 0);
1715 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1716 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1717 tcg_ctx.tb_ctx.nb_tbs : 0);
1718 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1720 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1721 tcg_ctx.tb_ctx.nb_tbs : 0,
1723 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1724 tcg_ctx.tb_ctx.nb_tbs : 0);
1725 cpu_fprintf(f, "\nStatistics:\n");
1726 cpu_fprintf(f, "TB flush count %d\n", tcg_ctx.tb_ctx.tb_flush_count);
1727 cpu_fprintf(f, "TB invalidate count %d\n",
1728 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1729 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1730 tcg_dump_info(f, cpu_fprintf);
1733 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1735 tcg_dump_op_count(f, cpu_fprintf);
1738 #else /* CONFIG_USER_ONLY */
1740 void cpu_interrupt(CPUState *cpu, int mask)
1742 cpu->interrupt_request |= mask;
1743 cpu->tcg_exit_req = 1;
1747 * Walks guest process memory "regions" one by one
1748 * and calls callback function 'fn' for each region.
1750 struct walk_memory_regions_data {
1751 walk_memory_regions_fn fn;
1757 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1758 target_ulong end, int new_prot)
1760 if (data->start != -1u) {
1761 int rc = data->fn(data->priv, data->start, end, data->prot);
1767 data->start = (new_prot ? end : -1u);
1768 data->prot = new_prot;
1773 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1774 target_ulong base, int level, void **lp)
1780 return walk_memory_regions_end(data, base, 0);
1786 for (i = 0; i < V_L2_SIZE; ++i) {
1787 int prot = pd[i].flags;
1789 pa = base | (i << TARGET_PAGE_BITS);
1790 if (prot != data->prot) {
1791 rc = walk_memory_regions_end(data, pa, prot);
1800 for (i = 0; i < V_L2_SIZE; ++i) {
1801 pa = base | ((target_ulong)i <<
1802 (TARGET_PAGE_BITS + V_L2_BITS * level));
1803 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
1813 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
1815 struct walk_memory_regions_data data;
1823 for (i = 0; i < V_L1_SIZE; i++) {
1824 int rc = walk_memory_regions_1(&data, (target_ulong)i << (V_L1_SHIFT + TARGET_PAGE_BITS),
1825 V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
1831 return walk_memory_regions_end(&data, 0, 0);
1834 static int dump_region(void *priv, target_ulong start,
1835 target_ulong end, unsigned long prot)
1837 FILE *f = (FILE *)priv;
1839 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
1840 " "TARGET_FMT_lx" %c%c%c\n",
1841 start, end, end - start,
1842 ((prot & PAGE_READ) ? 'r' : '-'),
1843 ((prot & PAGE_WRITE) ? 'w' : '-'),
1844 ((prot & PAGE_EXEC) ? 'x' : '-'));
1849 /* dump memory mappings */
1850 void page_dump(FILE *f)
1852 const int length = sizeof(target_ulong) * 2;
1853 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
1854 length, "start", length, "end", length, "size", "prot");
1855 walk_memory_regions(f, dump_region);
1858 int page_get_flags(target_ulong address)
1862 p = page_find(address >> TARGET_PAGE_BITS);
1869 /* Modify the flags of a page and invalidate the code if necessary.
1870 The flag PAGE_WRITE_ORG is positioned automatically depending
1871 on PAGE_WRITE. The mmap_lock should already be held. */
1872 void page_set_flags(target_ulong start, target_ulong end, int flags)
1874 target_ulong addr, len;
1876 /* This function should never be called with addresses outside the
1877 guest address space. If this assert fires, it probably indicates
1878 a missing call to h2g_valid. */
1879 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1880 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1882 assert(start < end);
1884 start = start & TARGET_PAGE_MASK;
1885 end = TARGET_PAGE_ALIGN(end);
1887 if (flags & PAGE_WRITE) {
1888 flags |= PAGE_WRITE_ORG;
1891 for (addr = start, len = end - start;
1893 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1894 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
1896 /* If the write protection bit is set, then we invalidate
1898 if (!(p->flags & PAGE_WRITE) &&
1899 (flags & PAGE_WRITE) &&
1901 tb_invalidate_phys_page(addr, 0, NULL, false);
1907 int page_check_range(target_ulong start, target_ulong len, int flags)
1913 /* This function should never be called with addresses outside the
1914 guest address space. If this assert fires, it probably indicates
1915 a missing call to h2g_valid. */
1916 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1917 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1923 if (start + len - 1 < start) {
1924 /* We've wrapped around. */
1928 /* must do before we loose bits in the next step */
1929 end = TARGET_PAGE_ALIGN(start + len);
1930 start = start & TARGET_PAGE_MASK;
1932 for (addr = start, len = end - start;
1934 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1935 p = page_find(addr >> TARGET_PAGE_BITS);
1939 if (!(p->flags & PAGE_VALID)) {
1943 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
1946 if (flags & PAGE_WRITE) {
1947 if (!(p->flags & PAGE_WRITE_ORG)) {
1950 /* unprotect the page if it was put read-only because it
1951 contains translated code */
1952 if (!(p->flags & PAGE_WRITE)) {
1953 if (!page_unprotect(addr, 0, NULL)) {
1962 /* called from signal handler: invalidate the code and unprotect the
1963 page. Return TRUE if the fault was successfully handled. */
1964 int page_unprotect(target_ulong address, uintptr_t pc, void *puc)
1968 target_ulong host_start, host_end, addr;
1970 /* Technically this isn't safe inside a signal handler. However we
1971 know this only ever happens in a synchronous SEGV handler, so in
1972 practice it seems to be ok. */
1975 p = page_find(address >> TARGET_PAGE_BITS);
1981 /* if the page was really writable, then we change its
1982 protection back to writable */
1983 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
1984 host_start = address & qemu_host_page_mask;
1985 host_end = host_start + qemu_host_page_size;
1988 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
1989 p = page_find(addr >> TARGET_PAGE_BITS);
1990 p->flags |= PAGE_WRITE;
1993 /* and since the content will be modified, we must invalidate
1994 the corresponding translated code. */
1995 tb_invalidate_phys_page(addr, pc, puc, true);
1996 #ifdef DEBUG_TB_CHECK
1997 tb_invalidate_check(addr);
2000 mprotect((void *)g2h(host_start), qemu_host_page_size,
2009 #endif /* CONFIG_USER_ONLY */
projects / qemu.git / blob