4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
22 #include "qemu/osdep.h"
25 #include "qemu-common.h"
26 #define NO_CPU_IO_DEFS
28 #include "trace-root.h"
29 #include "disas/disas.h"
30 #include "exec/exec-all.h"
32 #if defined(CONFIG_USER_ONLY)
34 #include "exec/exec-all.h"
35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
36 #include <sys/param.h>
37 #if __FreeBSD_version >= 700104
38 #define HAVE_KINFO_GETVMMAP
39 #define sigqueue sigqueue_freebsd /* avoid redefinition */
41 #include <machine/profile.h>
50 #include "exec/address-spaces.h"
53 #include "exec/cputlb.h"
54 #include "exec/tb-hash.h"
55 #include "translate-all.h"
56 #include "qemu/bitmap.h"
57 #include "qemu/timer.h"
58 #include "qemu/main-loop.h"
61 /* #define DEBUG_TB_INVALIDATE */
62 /* #define DEBUG_TB_FLUSH */
63 /* make various TB consistency checks */
64 /* #define DEBUG_TB_CHECK */
66 #if !defined(CONFIG_USER_ONLY)
67 /* TB consistency checks only implemented for usermode emulation. */
71 /* Access to the various translations structures need to be serialised via locks
72 * for consistency. This is automatic for SoftMMU based system
73 * emulation due to its single threaded nature. In user-mode emulation
74 * access to the memory related structures are protected with the
78 #define assert_memory_lock() tcg_debug_assert(have_tb_lock)
80 #define assert_memory_lock() tcg_debug_assert(have_mmap_lock())
83 #define SMC_BITMAP_USE_THRESHOLD 10
85 typedef struct PageDesc {
86 /* list of TBs intersecting this ram page */
87 TranslationBlock *first_tb;
89 /* in order to optimize self modifying code, we count the number
90 of lookups we do to a given page to use a bitmap */
91 unsigned int code_write_count;
92 unsigned long *code_bitmap;
98 /* In system mode we want L1_MAP to be based on ram offsets,
99 while in user mode we want it to be based on virtual addresses. */
100 #if !defined(CONFIG_USER_ONLY)
101 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
102 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
104 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
107 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
110 /* Size of the L2 (and L3, etc) page tables. */
112 #define V_L2_SIZE (1 << V_L2_BITS)
114 uintptr_t qemu_host_page_size;
115 intptr_t qemu_host_page_mask;
118 * L1 Mapping properties
120 static int v_l1_size;
121 static int v_l1_shift;
122 static int v_l2_levels;
124 /* The bottom level has pointers to PageDesc, and is indexed by
125 * anything from 4 to (V_L2_BITS + 3) bits, depending on target page size.
127 #define V_L1_MIN_BITS 4
128 #define V_L1_MAX_BITS (V_L2_BITS + 3)
129 #define V_L1_MAX_SIZE (1 << V_L1_MAX_BITS)
131 static void *l1_map[V_L1_MAX_SIZE];
133 /* code generation context */
137 /* translation block context */
138 __thread int have_tb_lock;
140 static void page_table_config_init(void)
144 assert(TARGET_PAGE_BITS);
145 /* The bits remaining after N lower levels of page tables. */
146 v_l1_bits = (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS;
147 if (v_l1_bits < V_L1_MIN_BITS) {
148 v_l1_bits += V_L2_BITS;
151 v_l1_size = 1 << v_l1_bits;
152 v_l1_shift = L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - v_l1_bits;
153 v_l2_levels = v_l1_shift / V_L2_BITS - 1;
155 assert(v_l1_bits <= V_L1_MAX_BITS);
156 assert(v_l1_shift % V_L2_BITS == 0);
157 assert(v_l2_levels >= 0);
160 #define assert_tb_locked() tcg_debug_assert(have_tb_lock)
161 #define assert_tb_unlocked() tcg_debug_assert(!have_tb_lock)
165 assert_tb_unlocked();
166 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
174 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
177 void tb_lock_reset(void)
180 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
185 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
187 void cpu_gen_init(void)
189 tcg_context_init(&tcg_ctx);
192 /* Encode VAL as a signed leb128 sequence at P.
193 Return P incremented past the encoded value. */
194 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
201 more = !((val == 0 && (byte & 0x40) == 0)
202 || (val == -1 && (byte & 0x40) != 0));
212 /* Decode a signed leb128 sequence at *PP; increment *PP past the
213 decoded value. Return the decoded value. */
214 static target_long decode_sleb128(uint8_t **pp)
222 val |= (target_ulong)(byte & 0x7f) << shift;
224 } while (byte & 0x80);
225 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
226 val |= -(target_ulong)1 << shift;
233 /* Encode the data collected about the instructions while compiling TB.
234 Place the data at BLOCK, and return the number of bytes consumed.
236 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's,
237 which come from the target's insn_start data, followed by a uintptr_t
238 which comes from the host pc of the end of the code implementing the insn.
240 Each line of the table is encoded as sleb128 deltas from the previous
241 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
242 That is, the first column is seeded with the guest pc, the last column
243 with the host pc, and the middle columns with zeros. */
245 static int encode_search(TranslationBlock *tb, uint8_t *block)
247 uint8_t *highwater = tcg_ctx.code_gen_highwater;
251 tb->tc_search = block;
253 for (i = 0, n = tb->icount; i < n; ++i) {
256 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
258 prev = (j == 0 ? tb->pc : 0);
260 prev = tcg_ctx.gen_insn_data[i - 1][j];
262 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
264 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
265 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
267 /* Test for (pending) buffer overflow. The assumption is that any
268 one row beginning below the high water mark cannot overrun
269 the buffer completely. Thus we can test for overflow after
270 encoding a row without having to check during encoding. */
271 if (unlikely(p > highwater)) {
279 /* The cpu state corresponding to 'searched_pc' is restored.
280 * Called with tb_lock held.
282 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
283 uintptr_t searched_pc)
285 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
286 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
287 CPUArchState *env = cpu->env_ptr;
288 uint8_t *p = tb->tc_search;
289 int i, j, num_insns = tb->icount;
290 #ifdef CONFIG_PROFILER
291 int64_t ti = profile_getclock();
294 searched_pc -= GETPC_ADJ;
296 if (searched_pc < host_pc) {
300 /* Reconstruct the stored insn data while looking for the point at
301 which the end of the insn exceeds the searched_pc. */
302 for (i = 0; i < num_insns; ++i) {
303 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
304 data[j] += decode_sleb128(&p);
306 host_pc += decode_sleb128(&p);
307 if (host_pc > searched_pc) {
314 if (tb->cflags & CF_USE_ICOUNT) {
316 /* Reset the cycle counter to the start of the block. */
317 cpu->icount_decr.u16.low += num_insns;
318 /* Clear the IO flag. */
321 cpu->icount_decr.u16.low -= i;
322 restore_state_to_opc(env, tb, data);
324 #ifdef CONFIG_PROFILER
325 tcg_ctx.restore_time += profile_getclock() - ti;
326 tcg_ctx.restore_count++;
331 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
333 TranslationBlock *tb;
337 tb = tb_find_pc(retaddr);
339 cpu_restore_state_from_tb(cpu, tb, retaddr);
340 if (tb->cflags & CF_NOCACHE) {
341 /* one-shot translation, invalidate it immediately */
342 tb_phys_invalidate(tb, -1);
352 void page_size_init(void)
354 /* NOTE: we can always suppose that qemu_host_page_size >=
356 qemu_real_host_page_size = getpagesize();
357 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
358 if (qemu_host_page_size == 0) {
359 qemu_host_page_size = qemu_real_host_page_size;
361 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
362 qemu_host_page_size = TARGET_PAGE_SIZE;
364 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
367 static void page_init(void)
370 page_table_config_init();
372 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
374 #ifdef HAVE_KINFO_GETVMMAP
375 struct kinfo_vmentry *freep;
378 freep = kinfo_getvmmap(getpid(), &cnt);
381 for (i = 0; i < cnt; i++) {
382 unsigned long startaddr, endaddr;
384 startaddr = freep[i].kve_start;
385 endaddr = freep[i].kve_end;
386 if (h2g_valid(startaddr)) {
387 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
389 if (h2g_valid(endaddr)) {
390 endaddr = h2g(endaddr);
391 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
393 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
395 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
406 last_brk = (unsigned long)sbrk(0);
408 f = fopen("/compat/linux/proc/self/maps", "r");
413 unsigned long startaddr, endaddr;
416 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
418 if (n == 2 && h2g_valid(startaddr)) {
419 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
421 if (h2g_valid(endaddr)) {
422 endaddr = h2g(endaddr);
426 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
439 * Called with tb_lock held for system emulation.
440 * Called with mmap_lock held for user-mode emulation.
442 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
449 assert_memory_lock();
452 /* Level 1. Always allocated. */
453 lp = l1_map + ((index >> v_l1_shift) & (v_l1_size - 1));
456 for (i = v_l2_levels; i > 0; i--) {
457 void **p = atomic_rcu_read(lp);
463 p = g_new0(void *, V_L2_SIZE);
464 atomic_rcu_set(lp, p);
467 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
470 pd = atomic_rcu_read(lp);
475 pd = g_new0(PageDesc, V_L2_SIZE);
476 atomic_rcu_set(lp, pd);
479 return pd + (index & (V_L2_SIZE - 1));
482 static inline PageDesc *page_find(tb_page_addr_t index)
484 return page_find_alloc(index, 0);
487 #if defined(CONFIG_USER_ONLY)
488 /* Currently it is not recommended to allocate big chunks of data in
489 user mode. It will change when a dedicated libc will be used. */
490 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
491 region in which the guest needs to run. Revisit this. */
492 #define USE_STATIC_CODE_GEN_BUFFER
495 /* Minimum size of the code gen buffer. This number is randomly chosen,
496 but not so small that we can't have a fair number of TB's live. */
497 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
499 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
500 indicated, this is constrained by the range of direct branches on the
501 host cpu, as used by the TCG implementation of goto_tb. */
502 #if defined(__x86_64__)
503 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
504 #elif defined(__sparc__)
505 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
506 #elif defined(__powerpc64__)
507 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
508 #elif defined(__powerpc__)
509 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024)
510 #elif defined(__aarch64__)
511 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
512 #elif defined(__arm__)
513 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
514 #elif defined(__s390x__)
515 /* We have a +- 4GB range on the branches; leave some slop. */
516 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
517 #elif defined(__mips__)
518 /* We have a 256MB branch region, but leave room to make sure the
519 main executable is also within that region. */
520 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
522 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
525 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
527 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
528 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
529 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
531 static inline size_t size_code_gen_buffer(size_t tb_size)
533 /* Size the buffer. */
535 #ifdef USE_STATIC_CODE_GEN_BUFFER
536 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
538 /* ??? Needs adjustments. */
539 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
540 static buffer, we could size this on RESERVED_VA, on the text
541 segment size of the executable, or continue to use the default. */
542 tb_size = (unsigned long)(ram_size / 4);
545 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
546 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
548 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
549 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
555 /* In order to use J and JAL within the code_gen_buffer, we require
556 that the buffer not cross a 256MB boundary. */
557 static inline bool cross_256mb(void *addr, size_t size)
559 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
562 /* We weren't able to allocate a buffer without crossing that boundary,
563 so make do with the larger portion of the buffer that doesn't cross.
564 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
565 static inline void *split_cross_256mb(void *buf1, size_t size1)
567 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
568 size_t size2 = buf1 + size1 - buf2;
576 tcg_ctx.code_gen_buffer_size = size1;
581 #ifdef USE_STATIC_CODE_GEN_BUFFER
582 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
583 __attribute__((aligned(CODE_GEN_ALIGN)));
586 static inline void do_protect(void *addr, long size, int prot)
589 VirtualProtect(addr, size, prot, &old_protect);
592 static inline void map_exec(void *addr, long size)
594 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
597 static inline void map_none(void *addr, long size)
599 do_protect(addr, size, PAGE_NOACCESS);
602 static inline void do_protect(void *addr, long size, int prot)
604 uintptr_t start, end;
606 start = (uintptr_t)addr;
607 start &= qemu_real_host_page_mask;
609 end = (uintptr_t)addr + size;
610 end = ROUND_UP(end, qemu_real_host_page_size);
612 mprotect((void *)start, end - start, prot);
615 static inline void map_exec(void *addr, long size)
617 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
620 static inline void map_none(void *addr, long size)
622 do_protect(addr, size, PROT_NONE);
626 static inline void *alloc_code_gen_buffer(void)
628 void *buf = static_code_gen_buffer;
629 size_t full_size, size;
631 /* The size of the buffer, rounded down to end on a page boundary. */
632 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
633 & qemu_real_host_page_mask) - (uintptr_t)buf;
635 /* Reserve a guard page. */
636 size = full_size - qemu_real_host_page_size;
638 /* Honor a command-line option limiting the size of the buffer. */
639 if (size > tcg_ctx.code_gen_buffer_size) {
640 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
641 & qemu_real_host_page_mask) - (uintptr_t)buf;
643 tcg_ctx.code_gen_buffer_size = size;
646 if (cross_256mb(buf, size)) {
647 buf = split_cross_256mb(buf, size);
648 size = tcg_ctx.code_gen_buffer_size;
653 map_none(buf + size, qemu_real_host_page_size);
654 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
658 #elif defined(_WIN32)
659 static inline void *alloc_code_gen_buffer(void)
661 size_t size = tcg_ctx.code_gen_buffer_size;
664 /* Perform the allocation in two steps, so that the guard page
665 is reserved but uncommitted. */
666 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
667 MEM_RESERVE, PAGE_NOACCESS);
669 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
670 assert(buf1 == buf2);
676 static inline void *alloc_code_gen_buffer(void)
678 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
680 size_t size = tcg_ctx.code_gen_buffer_size;
683 /* Constrain the position of the buffer based on the host cpu.
684 Note that these addresses are chosen in concert with the
685 addresses assigned in the relevant linker script file. */
686 # if defined(__PIE__) || defined(__PIC__)
687 /* Don't bother setting a preferred location if we're building
688 a position-independent executable. We're more likely to get
689 an address near the main executable if we let the kernel
690 choose the address. */
691 # elif defined(__x86_64__) && defined(MAP_32BIT)
692 /* Force the memory down into low memory with the executable.
693 Leave the choice of exact location with the kernel. */
695 /* Cannot expect to map more than 800MB in low memory. */
696 if (size > 800u * 1024 * 1024) {
697 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
699 # elif defined(__sparc__)
700 start = 0x40000000ul;
701 # elif defined(__s390x__)
702 start = 0x90000000ul;
703 # elif defined(__mips__)
704 # if _MIPS_SIM == _ABI64
705 start = 0x128000000ul;
707 start = 0x08000000ul;
711 buf = mmap((void *)start, size + qemu_real_host_page_size,
712 PROT_NONE, flags, -1, 0);
713 if (buf == MAP_FAILED) {
718 if (cross_256mb(buf, size)) {
719 /* Try again, with the original still mapped, to avoid re-acquiring
720 that 256mb crossing. This time don't specify an address. */
722 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
723 PROT_NONE, flags, -1, 0);
724 switch ((int)(buf2 != MAP_FAILED)) {
726 if (!cross_256mb(buf2, size)) {
727 /* Success! Use the new buffer. */
728 munmap(buf, size + qemu_real_host_page_size);
731 /* Failure. Work with what we had. */
732 munmap(buf2, size + qemu_real_host_page_size);
735 /* Split the original buffer. Free the smaller half. */
736 buf2 = split_cross_256mb(buf, size);
737 size2 = tcg_ctx.code_gen_buffer_size;
739 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
741 munmap(buf, size - size2);
750 /* Make the final buffer accessible. The guard page at the end
751 will remain inaccessible with PROT_NONE. */
752 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
754 /* Request large pages for the buffer. */
755 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
759 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
761 static inline void code_gen_alloc(size_t tb_size)
763 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
764 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
765 if (tcg_ctx.code_gen_buffer == NULL) {
766 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
770 /* Estimate a good size for the number of TBs we can support. We
771 still haven't deducted the prologue from the buffer size here,
772 but that's minimal and won't affect the estimate much. */
773 tcg_ctx.code_gen_max_blocks
774 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
775 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
777 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
780 static void tb_htable_init(void)
782 unsigned int mode = QHT_MODE_AUTO_RESIZE;
784 qht_init(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode);
787 /* Must be called before using the QEMU cpus. 'tb_size' is the size
788 (in bytes) allocated to the translation buffer. Zero means default
790 void tcg_exec_init(unsigned long tb_size)
795 code_gen_alloc(tb_size);
796 #if defined(CONFIG_SOFTMMU)
797 /* There's no guest base to take into account, so go ahead and
798 initialize the prologue now. */
799 tcg_prologue_init(&tcg_ctx);
803 bool tcg_enabled(void)
805 return tcg_ctx.code_gen_buffer != NULL;
809 * Allocate a new translation block. Flush the translation buffer if
810 * too many translation blocks or too much generated code.
812 * Called with tb_lock held.
814 static TranslationBlock *tb_alloc(target_ulong pc)
816 TranslationBlock *tb;
820 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
823 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
830 /* Called with tb_lock held. */
831 void tb_free(TranslationBlock *tb)
835 /* In practice this is mostly used for single use temporary TB
836 Ignore the hard cases and just back up if this TB happens to
837 be the last one generated. */
838 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
839 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
840 tcg_ctx.code_gen_ptr = tb->tc_ptr;
841 tcg_ctx.tb_ctx.nb_tbs--;
845 static inline void invalidate_page_bitmap(PageDesc *p)
847 #ifdef CONFIG_SOFTMMU
848 g_free(p->code_bitmap);
849 p->code_bitmap = NULL;
850 p->code_write_count = 0;
854 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
855 static void page_flush_tb_1(int level, void **lp)
865 for (i = 0; i < V_L2_SIZE; ++i) {
866 pd[i].first_tb = NULL;
867 invalidate_page_bitmap(pd + i);
872 for (i = 0; i < V_L2_SIZE; ++i) {
873 page_flush_tb_1(level - 1, pp + i);
878 static void page_flush_tb(void)
880 int i, l1_sz = v_l1_size;
882 for (i = 0; i < l1_sz; i++) {
883 page_flush_tb_1(v_l2_levels, l1_map + i);
887 /* flush all the translation blocks */
888 static void do_tb_flush(CPUState *cpu, run_on_cpu_data tb_flush_count)
892 /* If it is already been done on request of another CPU,
895 if (tcg_ctx.tb_ctx.tb_flush_count != tb_flush_count.host_int) {
899 #if defined(DEBUG_TB_FLUSH)
900 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
901 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
902 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
903 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
904 tcg_ctx.tb_ctx.nb_tbs : 0);
906 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
907 > tcg_ctx.code_gen_buffer_size) {
908 cpu_abort(cpu, "Internal error: code buffer overflow\n");
914 for (i = 0; i < TB_JMP_CACHE_SIZE; ++i) {
915 atomic_set(&cpu->tb_jmp_cache[i], NULL);
919 tcg_ctx.tb_ctx.nb_tbs = 0;
920 qht_reset_size(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE);
923 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
924 /* XXX: flush processor icache at this point if cache flush is
926 atomic_mb_set(&tcg_ctx.tb_ctx.tb_flush_count,
927 tcg_ctx.tb_ctx.tb_flush_count + 1);
933 void tb_flush(CPUState *cpu)
936 unsigned tb_flush_count = atomic_mb_read(&tcg_ctx.tb_ctx.tb_flush_count);
937 async_safe_run_on_cpu(cpu, do_tb_flush,
938 RUN_ON_CPU_HOST_INT(tb_flush_count));
942 #ifdef DEBUG_TB_CHECK
945 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp)
947 TranslationBlock *tb = p;
948 target_ulong addr = *(target_ulong *)userp;
950 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) {
951 printf("ERROR invalidate: address=" TARGET_FMT_lx
952 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size);
956 /* verify that all the pages have correct rights for code
958 * Called with tb_lock held.
960 static void tb_invalidate_check(target_ulong address)
962 address &= TARGET_PAGE_MASK;
963 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_invalidate_check, &address);
967 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp)
969 TranslationBlock *tb = p;
972 flags1 = page_get_flags(tb->pc);
973 flags2 = page_get_flags(tb->pc + tb->size - 1);
974 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
975 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
976 (long)tb->pc, tb->size, flags1, flags2);
980 /* verify that all the pages have correct rights for code */
981 static void tb_page_check(void)
983 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_page_check, NULL);
988 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
990 TranslationBlock *tb1;
995 n1 = (uintptr_t)tb1 & 3;
996 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
998 *ptb = tb1->page_next[n1];
1001 ptb = &tb1->page_next[n1];
1005 /* remove the TB from a list of TBs jumping to the n-th jump target of the TB */
1006 static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n)
1008 TranslationBlock *tb1;
1009 uintptr_t *ptb, ntb;
1012 ptb = &tb->jmp_list_next[n];
1014 /* find tb(n) in circular list */
1018 tb1 = (TranslationBlock *)(ntb & ~3);
1019 if (n1 == n && tb1 == tb) {
1023 ptb = &tb1->jmp_list_first;
1025 ptb = &tb1->jmp_list_next[n1];
1028 /* now we can suppress tb(n) from the list */
1029 *ptb = tb->jmp_list_next[n];
1031 tb->jmp_list_next[n] = (uintptr_t)NULL;
1035 /* reset the jump entry 'n' of a TB so that it is not chained to
1037 static inline void tb_reset_jump(TranslationBlock *tb, int n)
1039 uintptr_t addr = (uintptr_t)(tb->tc_ptr + tb->jmp_reset_offset[n]);
1040 tb_set_jmp_target(tb, n, addr);
1043 /* remove any jumps to the TB */
1044 static inline void tb_jmp_unlink(TranslationBlock *tb)
1046 TranslationBlock *tb1;
1047 uintptr_t *ptb, ntb;
1050 ptb = &tb->jmp_list_first;
1054 tb1 = (TranslationBlock *)(ntb & ~3);
1058 tb_reset_jump(tb1, n1);
1059 *ptb = tb1->jmp_list_next[n1];
1060 tb1->jmp_list_next[n1] = (uintptr_t)NULL;
1064 /* invalidate one TB
1066 * Called with tb_lock held.
1068 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
1073 tb_page_addr_t phys_pc;
1077 atomic_set(&tb->invalid, true);
1079 /* remove the TB from the hash list */
1080 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1081 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
1082 qht_remove(&tcg_ctx.tb_ctx.htable, tb, h);
1084 /* remove the TB from the page list */
1085 if (tb->page_addr[0] != page_addr) {
1086 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
1087 tb_page_remove(&p->first_tb, tb);
1088 invalidate_page_bitmap(p);
1090 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
1091 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
1092 tb_page_remove(&p->first_tb, tb);
1093 invalidate_page_bitmap(p);
1096 /* remove the TB from the hash list */
1097 h = tb_jmp_cache_hash_func(tb->pc);
1099 if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) {
1100 atomic_set(&cpu->tb_jmp_cache[h], NULL);
1104 /* suppress this TB from the two jump lists */
1105 tb_remove_from_jmp_list(tb, 0);
1106 tb_remove_from_jmp_list(tb, 1);
1108 /* suppress any remaining jumps to this TB */
1111 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1114 #ifdef CONFIG_SOFTMMU
1115 static void build_page_bitmap(PageDesc *p)
1117 int n, tb_start, tb_end;
1118 TranslationBlock *tb;
1120 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1123 while (tb != NULL) {
1124 n = (uintptr_t)tb & 3;
1125 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1126 /* NOTE: this is subtle as a TB may span two physical pages */
1128 /* NOTE: tb_end may be after the end of the page, but
1129 it is not a problem */
1130 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1131 tb_end = tb_start + tb->size;
1132 if (tb_end > TARGET_PAGE_SIZE) {
1133 tb_end = TARGET_PAGE_SIZE;
1137 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1139 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1140 tb = tb->page_next[n];
1145 /* add the tb in the target page and protect it if necessary
1147 * Called with mmap_lock held for user-mode emulation.
1149 static inline void tb_alloc_page(TranslationBlock *tb,
1150 unsigned int n, tb_page_addr_t page_addr)
1153 #ifndef CONFIG_USER_ONLY
1154 bool page_already_protected;
1157 assert_memory_lock();
1159 tb->page_addr[n] = page_addr;
1160 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1161 tb->page_next[n] = p->first_tb;
1162 #ifndef CONFIG_USER_ONLY
1163 page_already_protected = p->first_tb != NULL;
1165 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1166 invalidate_page_bitmap(p);
1168 #if defined(CONFIG_USER_ONLY)
1169 if (p->flags & PAGE_WRITE) {
1174 /* force the host page as non writable (writes will have a
1175 page fault + mprotect overhead) */
1176 page_addr &= qemu_host_page_mask;
1178 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1179 addr += TARGET_PAGE_SIZE) {
1181 p2 = page_find(addr >> TARGET_PAGE_BITS);
1186 p2->flags &= ~PAGE_WRITE;
1188 mprotect(g2h(page_addr), qemu_host_page_size,
1189 (prot & PAGE_BITS) & ~PAGE_WRITE);
1190 #ifdef DEBUG_TB_INVALIDATE
1191 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1196 /* if some code is already present, then the pages are already
1197 protected. So we handle the case where only the first TB is
1198 allocated in a physical page */
1199 if (!page_already_protected) {
1200 tlb_protect_code(page_addr);
1205 /* add a new TB and link it to the physical page tables. phys_page2 is
1206 * (-1) to indicate that only one page contains the TB.
1208 * Called with mmap_lock held for user-mode emulation.
1210 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1211 tb_page_addr_t phys_page2)
1215 assert_memory_lock();
1217 /* add in the page list */
1218 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1219 if (phys_page2 != -1) {
1220 tb_alloc_page(tb, 1, phys_page2);
1222 tb->page_addr[1] = -1;
1225 /* add in the hash table */
1226 h = tb_hash_func(phys_pc, tb->pc, tb->flags);
1227 qht_insert(&tcg_ctx.tb_ctx.htable, tb, h);
1229 #ifdef DEBUG_TB_CHECK
1234 /* Called with mmap_lock held for user mode emulation. */
1235 TranslationBlock *tb_gen_code(CPUState *cpu,
1236 target_ulong pc, target_ulong cs_base,
1237 uint32_t flags, int cflags)
1239 CPUArchState *env = cpu->env_ptr;
1240 TranslationBlock *tb;
1241 tb_page_addr_t phys_pc, phys_page2;
1242 target_ulong virt_page2;
1243 tcg_insn_unit *gen_code_buf;
1244 int gen_code_size, search_size;
1245 #ifdef CONFIG_PROFILER
1248 assert_memory_lock();
1250 phys_pc = get_page_addr_code(env, pc);
1251 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1252 cflags |= CF_USE_ICOUNT;
1256 if (unlikely(!tb)) {
1258 /* flush must be done */
1261 /* Make the execution loop process the flush as soon as possible. */
1262 cpu->exception_index = EXCP_INTERRUPT;
1266 gen_code_buf = tcg_ctx.code_gen_ptr;
1267 tb->tc_ptr = gen_code_buf;
1268 tb->cs_base = cs_base;
1270 tb->cflags = cflags;
1272 #ifdef CONFIG_PROFILER
1273 tcg_ctx.tb_count1++; /* includes aborted translations because of
1275 ti = profile_getclock();
1278 tcg_func_start(&tcg_ctx);
1280 tcg_ctx.cpu = ENV_GET_CPU(env);
1281 gen_intermediate_code(env, tb);
1284 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1286 /* generate machine code */
1287 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
1288 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
1289 tcg_ctx.tb_jmp_reset_offset = tb->jmp_reset_offset;
1290 #ifdef USE_DIRECT_JUMP
1291 tcg_ctx.tb_jmp_insn_offset = tb->jmp_insn_offset;
1292 tcg_ctx.tb_jmp_target_addr = NULL;
1294 tcg_ctx.tb_jmp_insn_offset = NULL;
1295 tcg_ctx.tb_jmp_target_addr = tb->jmp_target_addr;
1298 #ifdef CONFIG_PROFILER
1300 tcg_ctx.interm_time += profile_getclock() - ti;
1301 tcg_ctx.code_time -= profile_getclock();
1304 /* ??? Overflow could be handled better here. In particular, we
1305 don't need to re-do gen_intermediate_code, nor should we re-do
1306 the tcg optimization currently hidden inside tcg_gen_code. All
1307 that should be required is to flush the TBs, allocate a new TB,
1308 re-initialize it per above, and re-do the actual code generation. */
1309 gen_code_size = tcg_gen_code(&tcg_ctx, tb);
1310 if (unlikely(gen_code_size < 0)) {
1311 goto buffer_overflow;
1313 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1314 if (unlikely(search_size < 0)) {
1315 goto buffer_overflow;
1318 #ifdef CONFIG_PROFILER
1319 tcg_ctx.code_time += profile_getclock();
1320 tcg_ctx.code_in_len += tb->size;
1321 tcg_ctx.code_out_len += gen_code_size;
1322 tcg_ctx.search_out_len += search_size;
1326 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) &&
1327 qemu_log_in_addr_range(tb->pc)) {
1329 qemu_log("OUT: [size=%d]\n", gen_code_size);
1330 log_disas(tb->tc_ptr, gen_code_size);
1337 tcg_ctx.code_gen_ptr = (void *)
1338 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1341 /* init jump list */
1342 assert(((uintptr_t)tb & 3) == 0);
1343 tb->jmp_list_first = (uintptr_t)tb | 2;
1344 tb->jmp_list_next[0] = (uintptr_t)NULL;
1345 tb->jmp_list_next[1] = (uintptr_t)NULL;
1347 /* init original jump addresses wich has been set during tcg_gen_code() */
1348 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1349 tb_reset_jump(tb, 0);
1351 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1352 tb_reset_jump(tb, 1);
1355 /* check next page if needed */
1356 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1358 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1359 phys_page2 = get_page_addr_code(env, virt_page2);
1361 /* As long as consistency of the TB stuff is provided by tb_lock in user
1362 * mode and is implicit in single-threaded softmmu emulation, no explicit
1363 * memory barrier is required before tb_link_page() makes the TB visible
1364 * through the physical hash table and physical page list.
1366 tb_link_page(tb, phys_pc, phys_page2);
1371 * Invalidate all TBs which intersect with the target physical address range
1372 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1373 * 'is_cpu_write_access' should be true if called from a real cpu write
1374 * access: the virtual CPU will exit the current TB if code is modified inside
1377 * Called with mmap_lock held for user-mode emulation, grabs tb_lock
1378 * Called with tb_lock held for system-mode emulation
1380 static void tb_invalidate_phys_range_1(tb_page_addr_t start, tb_page_addr_t end)
1382 while (start < end) {
1383 tb_invalidate_phys_page_range(start, end, 0);
1384 start &= TARGET_PAGE_MASK;
1385 start += TARGET_PAGE_SIZE;
1389 #ifdef CONFIG_SOFTMMU
1390 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1393 tb_invalidate_phys_range_1(start, end);
1396 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1398 assert_memory_lock();
1400 tb_invalidate_phys_range_1(start, end);
1405 * Invalidate all TBs which intersect with the target physical address range
1406 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1407 * 'is_cpu_write_access' should be true if called from a real cpu write
1408 * access: the virtual CPU will exit the current TB if code is modified inside
1411 * Called with tb_lock/mmap_lock held for user-mode emulation
1412 * Called with tb_lock held for system-mode emulation
1414 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1415 int is_cpu_write_access)
1417 TranslationBlock *tb, *tb_next;
1418 #if defined(TARGET_HAS_PRECISE_SMC)
1419 CPUState *cpu = current_cpu;
1420 CPUArchState *env = NULL;
1422 tb_page_addr_t tb_start, tb_end;
1425 #ifdef TARGET_HAS_PRECISE_SMC
1426 int current_tb_not_found = is_cpu_write_access;
1427 TranslationBlock *current_tb = NULL;
1428 int current_tb_modified = 0;
1429 target_ulong current_pc = 0;
1430 target_ulong current_cs_base = 0;
1431 uint32_t current_flags = 0;
1432 #endif /* TARGET_HAS_PRECISE_SMC */
1434 assert_memory_lock();
1437 p = page_find(start >> TARGET_PAGE_BITS);
1441 #if defined(TARGET_HAS_PRECISE_SMC)
1447 /* we remove all the TBs in the range [start, end[ */
1448 /* XXX: see if in some cases it could be faster to invalidate all
1451 while (tb != NULL) {
1452 n = (uintptr_t)tb & 3;
1453 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1454 tb_next = tb->page_next[n];
1455 /* NOTE: this is subtle as a TB may span two physical pages */
1457 /* NOTE: tb_end may be after the end of the page, but
1458 it is not a problem */
1459 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1460 tb_end = tb_start + tb->size;
1462 tb_start = tb->page_addr[1];
1463 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1465 if (!(tb_end <= start || tb_start >= end)) {
1466 #ifdef TARGET_HAS_PRECISE_SMC
1467 if (current_tb_not_found) {
1468 current_tb_not_found = 0;
1470 if (cpu->mem_io_pc) {
1471 /* now we have a real cpu fault */
1472 current_tb = tb_find_pc(cpu->mem_io_pc);
1475 if (current_tb == tb &&
1476 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1477 /* If we are modifying the current TB, we must stop
1478 its execution. We could be more precise by checking
1479 that the modification is after the current PC, but it
1480 would require a specialized function to partially
1481 restore the CPU state */
1483 current_tb_modified = 1;
1484 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1485 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1488 #endif /* TARGET_HAS_PRECISE_SMC */
1489 tb_phys_invalidate(tb, -1);
1493 #if !defined(CONFIG_USER_ONLY)
1494 /* if no code remaining, no need to continue to use slow writes */
1496 invalidate_page_bitmap(p);
1497 tlb_unprotect_code(start);
1500 #ifdef TARGET_HAS_PRECISE_SMC
1501 if (current_tb_modified) {
1502 /* we generate a block containing just the instruction
1503 modifying the memory. It will ensure that it cannot modify
1505 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1506 cpu_loop_exit_noexc(cpu);
1511 #ifdef CONFIG_SOFTMMU
1512 /* len must be <= 8 and start must be a multiple of len.
1513 * Called via softmmu_template.h when code areas are written to with
1514 * iothread mutex not held.
1516 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1522 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1523 cpu_single_env->mem_io_vaddr, len,
1524 cpu_single_env->eip,
1525 cpu_single_env->eip +
1526 (intptr_t)cpu_single_env->segs[R_CS].base);
1529 assert_memory_lock();
1531 p = page_find(start >> TARGET_PAGE_BITS);
1535 if (!p->code_bitmap &&
1536 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1537 /* build code bitmap. FIXME: writes should be protected by
1538 * tb_lock, reads by tb_lock or RCU.
1540 build_page_bitmap(p);
1542 if (p->code_bitmap) {
1546 nr = start & ~TARGET_PAGE_MASK;
1547 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1548 if (b & ((1 << len) - 1)) {
1553 tb_invalidate_phys_page_range(start, start + len, 1);
1557 /* Called with mmap_lock held. If pc is not 0 then it indicates the
1558 * host PC of the faulting store instruction that caused this invalidate.
1559 * Returns true if the caller needs to abort execution of the current
1560 * TB (because it was modified by this store and the guest CPU has
1561 * precise-SMC semantics).
1563 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
1565 TranslationBlock *tb;
1568 #ifdef TARGET_HAS_PRECISE_SMC
1569 TranslationBlock *current_tb = NULL;
1570 CPUState *cpu = current_cpu;
1571 CPUArchState *env = NULL;
1572 int current_tb_modified = 0;
1573 target_ulong current_pc = 0;
1574 target_ulong current_cs_base = 0;
1575 uint32_t current_flags = 0;
1578 assert_memory_lock();
1580 addr &= TARGET_PAGE_MASK;
1581 p = page_find(addr >> TARGET_PAGE_BITS);
1588 #ifdef TARGET_HAS_PRECISE_SMC
1589 if (tb && pc != 0) {
1590 current_tb = tb_find_pc(pc);
1596 while (tb != NULL) {
1597 n = (uintptr_t)tb & 3;
1598 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1599 #ifdef TARGET_HAS_PRECISE_SMC
1600 if (current_tb == tb &&
1601 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1602 /* If we are modifying the current TB, we must stop
1603 its execution. We could be more precise by checking
1604 that the modification is after the current PC, but it
1605 would require a specialized function to partially
1606 restore the CPU state */
1608 current_tb_modified = 1;
1609 cpu_restore_state_from_tb(cpu, current_tb, pc);
1610 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base,
1613 #endif /* TARGET_HAS_PRECISE_SMC */
1614 tb_phys_invalidate(tb, addr);
1615 tb = tb->page_next[n];
1618 #ifdef TARGET_HAS_PRECISE_SMC
1619 if (current_tb_modified) {
1620 /* we generate a block containing just the instruction
1621 modifying the memory. It will ensure that it cannot modify
1623 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1624 /* tb_lock will be reset after cpu_loop_exit_noexc longjmps
1625 * back into the cpu_exec loop. */
1635 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1636 tb[1].tc_ptr. Return NULL if not found */
1637 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1639 int m_min, m_max, m;
1641 TranslationBlock *tb;
1643 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1646 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1647 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1650 /* binary search (cf Knuth) */
1652 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1653 while (m_min <= m_max) {
1654 m = (m_min + m_max) >> 1;
1655 tb = &tcg_ctx.tb_ctx.tbs[m];
1656 v = (uintptr_t)tb->tc_ptr;
1659 } else if (tc_ptr < v) {
1665 return &tcg_ctx.tb_ctx.tbs[m_max];
1668 #if !defined(CONFIG_USER_ONLY)
1669 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1671 ram_addr_t ram_addr;
1676 mr = address_space_translate(as, addr, &addr, &l, false);
1677 if (!(memory_region_is_ram(mr)
1678 || memory_region_is_romd(mr))) {
1682 ram_addr = memory_region_get_ram_addr(mr) + addr;
1684 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1688 #endif /* !defined(CONFIG_USER_ONLY) */
1690 /* Called with tb_lock held. */
1691 void tb_check_watchpoint(CPUState *cpu)
1693 TranslationBlock *tb;
1695 tb = tb_find_pc(cpu->mem_io_pc);
1697 /* We can use retranslation to find the PC. */
1698 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1699 tb_phys_invalidate(tb, -1);
1701 /* The exception probably happened in a helper. The CPU state should
1702 have been saved before calling it. Fetch the PC from there. */
1703 CPUArchState *env = cpu->env_ptr;
1704 target_ulong pc, cs_base;
1705 tb_page_addr_t addr;
1708 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1709 addr = get_page_addr_code(env, pc);
1710 tb_invalidate_phys_range(addr, addr + 1);
1714 #ifndef CONFIG_USER_ONLY
1715 /* in deterministic execution mode, instructions doing device I/Os
1716 * must be at the end of the TB.
1718 * Called by softmmu_template.h, with iothread mutex not held.
1720 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1722 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1723 CPUArchState *env = cpu->env_ptr;
1725 TranslationBlock *tb;
1727 target_ulong pc, cs_base;
1731 tb = tb_find_pc(retaddr);
1733 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1736 n = cpu->icount_decr.u16.low + tb->icount;
1737 cpu_restore_state_from_tb(cpu, tb, retaddr);
1738 /* Calculate how many instructions had been executed before the fault
1740 n = n - cpu->icount_decr.u16.low;
1741 /* Generate a new TB ending on the I/O insn. */
1743 /* On MIPS and SH, delay slot instructions can only be restarted if
1744 they were already the first instruction in the TB. If this is not
1745 the first instruction in a TB then re-execute the preceding
1747 #if defined(TARGET_MIPS)
1748 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1749 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1750 cpu->icount_decr.u16.low++;
1751 env->hflags &= ~MIPS_HFLAG_BMASK;
1753 #elif defined(TARGET_SH4)
1754 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1757 cpu->icount_decr.u16.low++;
1758 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1761 /* This should never happen. */
1762 if (n > CF_COUNT_MASK) {
1763 cpu_abort(cpu, "TB too big during recompile");
1766 cflags = n | CF_LAST_IO;
1768 cs_base = tb->cs_base;
1770 tb_phys_invalidate(tb, -1);
1771 if (tb->cflags & CF_NOCACHE) {
1773 /* Invalidate original TB if this TB was generated in
1774 * cpu_exec_nocache() */
1775 tb_phys_invalidate(tb->orig_tb, -1);
1779 /* FIXME: In theory this could raise an exception. In practice
1780 we have already translated the block once so it's probably ok. */
1781 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1783 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1784 * the first in the TB) then we end up generating a whole new TB and
1785 * repeating the fault, which is horribly inefficient.
1786 * Better would be to execute just this insn uncached, or generate a
1789 * cpu_loop_exit_noexc will longjmp back to cpu_exec where the
1790 * tb_lock gets reset.
1792 cpu_loop_exit_noexc(cpu);
1795 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1799 /* Discard jump cache entries for any tb which might potentially
1800 overlap the flushed page. */
1801 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1802 memset(&cpu->tb_jmp_cache[i], 0,
1803 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1805 i = tb_jmp_cache_hash_page(addr);
1806 memset(&cpu->tb_jmp_cache[i], 0,
1807 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1810 static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf,
1811 struct qht_stats hst)
1813 uint32_t hgram_opts;
1817 if (!hst.head_buckets) {
1820 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n",
1821 hst.used_head_buckets, hst.head_buckets,
1822 (double)hst.used_head_buckets / hst.head_buckets * 100);
1824 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1825 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT;
1826 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) {
1827 hgram_opts |= QDIST_PR_NODECIMAL;
1829 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts);
1830 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n",
1831 qdist_avg(&hst.occupancy) * 100, hgram);
1834 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
1835 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain);
1836 if (hgram_bins > 10) {
1840 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE;
1842 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts);
1843 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n",
1844 qdist_avg(&hst.chain), hgram);
1848 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1850 int i, target_code_size, max_target_code_size;
1851 int direct_jmp_count, direct_jmp2_count, cross_page;
1852 TranslationBlock *tb;
1853 struct qht_stats hst;
1857 target_code_size = 0;
1858 max_target_code_size = 0;
1860 direct_jmp_count = 0;
1861 direct_jmp2_count = 0;
1862 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1863 tb = &tcg_ctx.tb_ctx.tbs[i];
1864 target_code_size += tb->size;
1865 if (tb->size > max_target_code_size) {
1866 max_target_code_size = tb->size;
1868 if (tb->page_addr[1] != -1) {
1871 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
1873 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
1874 direct_jmp2_count++;
1878 /* XXX: avoid using doubles ? */
1879 cpu_fprintf(f, "Translation buffer state:\n");
1880 cpu_fprintf(f, "gen code size %td/%zd\n",
1881 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1882 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1883 cpu_fprintf(f, "TB count %d/%d\n",
1884 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1885 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1886 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1887 tcg_ctx.tb_ctx.nb_tbs : 0,
1888 max_target_code_size);
1889 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1890 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1891 tcg_ctx.code_gen_buffer) /
1892 tcg_ctx.tb_ctx.nb_tbs : 0,
1893 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1894 tcg_ctx.code_gen_buffer) /
1895 target_code_size : 0);
1896 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1897 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1898 tcg_ctx.tb_ctx.nb_tbs : 0);
1899 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1901 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1902 tcg_ctx.tb_ctx.nb_tbs : 0,
1904 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1905 tcg_ctx.tb_ctx.nb_tbs : 0);
1907 qht_statistics_init(&tcg_ctx.tb_ctx.htable, &hst);
1908 print_qht_statistics(f, cpu_fprintf, hst);
1909 qht_statistics_destroy(&hst);
1911 cpu_fprintf(f, "\nStatistics:\n");
1912 cpu_fprintf(f, "TB flush count %u\n",
1913 atomic_read(&tcg_ctx.tb_ctx.tb_flush_count));
1914 cpu_fprintf(f, "TB invalidate count %d\n",
1915 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1916 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1917 tcg_dump_info(f, cpu_fprintf);
1922 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1924 tcg_dump_op_count(f, cpu_fprintf);
1927 #else /* CONFIG_USER_ONLY */
1929 void cpu_interrupt(CPUState *cpu, int mask)
1931 g_assert(qemu_mutex_iothread_locked());
1932 cpu->interrupt_request |= mask;
1933 cpu->icount_decr.u16.high = -1;
1937 * Walks guest process memory "regions" one by one
1938 * and calls callback function 'fn' for each region.
1940 struct walk_memory_regions_data {
1941 walk_memory_regions_fn fn;
1947 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1948 target_ulong end, int new_prot)
1950 if (data->start != -1u) {
1951 int rc = data->fn(data->priv, data->start, end, data->prot);
1957 data->start = (new_prot ? end : -1u);
1958 data->prot = new_prot;
1963 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1964 target_ulong base, int level, void **lp)
1970 return walk_memory_regions_end(data, base, 0);
1976 for (i = 0; i < V_L2_SIZE; ++i) {
1977 int prot = pd[i].flags;
1979 pa = base | (i << TARGET_PAGE_BITS);
1980 if (prot != data->prot) {
1981 rc = walk_memory_regions_end(data, pa, prot);
1990 for (i = 0; i < V_L2_SIZE; ++i) {
1991 pa = base | ((target_ulong)i <<
1992 (TARGET_PAGE_BITS + V_L2_BITS * level));
1993 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
2003 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
2005 struct walk_memory_regions_data data;
2006 uintptr_t i, l1_sz = v_l1_size;
2013 for (i = 0; i < l1_sz; i++) {
2014 target_ulong base = i << (v_l1_shift + TARGET_PAGE_BITS);
2015 int rc = walk_memory_regions_1(&data, base, v_l2_levels, l1_map + i);
2021 return walk_memory_regions_end(&data, 0, 0);
2024 static int dump_region(void *priv, target_ulong start,
2025 target_ulong end, unsigned long prot)
2027 FILE *f = (FILE *)priv;
2029 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
2030 " "TARGET_FMT_lx" %c%c%c\n",
2031 start, end, end - start,
2032 ((prot & PAGE_READ) ? 'r' : '-'),
2033 ((prot & PAGE_WRITE) ? 'w' : '-'),
2034 ((prot & PAGE_EXEC) ? 'x' : '-'));
2039 /* dump memory mappings */
2040 void page_dump(FILE *f)
2042 const int length = sizeof(target_ulong) * 2;
2043 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
2044 length, "start", length, "end", length, "size", "prot");
2045 walk_memory_regions(f, dump_region);
2048 int page_get_flags(target_ulong address)
2052 p = page_find(address >> TARGET_PAGE_BITS);
2059 /* Modify the flags of a page and invalidate the code if necessary.
2060 The flag PAGE_WRITE_ORG is positioned automatically depending
2061 on PAGE_WRITE. The mmap_lock should already be held. */
2062 void page_set_flags(target_ulong start, target_ulong end, int flags)
2064 target_ulong addr, len;
2066 /* This function should never be called with addresses outside the
2067 guest address space. If this assert fires, it probably indicates
2068 a missing call to h2g_valid. */
2069 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2070 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2072 assert(start < end);
2073 assert_memory_lock();
2075 start = start & TARGET_PAGE_MASK;
2076 end = TARGET_PAGE_ALIGN(end);
2078 if (flags & PAGE_WRITE) {
2079 flags |= PAGE_WRITE_ORG;
2082 for (addr = start, len = end - start;
2084 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2085 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
2087 /* If the write protection bit is set, then we invalidate
2089 if (!(p->flags & PAGE_WRITE) &&
2090 (flags & PAGE_WRITE) &&
2092 tb_invalidate_phys_page(addr, 0);
2098 int page_check_range(target_ulong start, target_ulong len, int flags)
2104 /* This function should never be called with addresses outside the
2105 guest address space. If this assert fires, it probably indicates
2106 a missing call to h2g_valid. */
2107 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
2108 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
2114 if (start + len - 1 < start) {
2115 /* We've wrapped around. */
2119 /* must do before we loose bits in the next step */
2120 end = TARGET_PAGE_ALIGN(start + len);
2121 start = start & TARGET_PAGE_MASK;
2123 for (addr = start, len = end - start;
2125 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
2126 p = page_find(addr >> TARGET_PAGE_BITS);
2130 if (!(p->flags & PAGE_VALID)) {
2134 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
2137 if (flags & PAGE_WRITE) {
2138 if (!(p->flags & PAGE_WRITE_ORG)) {
2141 /* unprotect the page if it was put read-only because it
2142 contains translated code */
2143 if (!(p->flags & PAGE_WRITE)) {
2144 if (!page_unprotect(addr, 0)) {
2153 /* called from signal handler: invalidate the code and unprotect the
2154 * page. Return 0 if the fault was not handled, 1 if it was handled,
2155 * and 2 if it was handled but the caller must cause the TB to be
2156 * immediately exited. (We can only return 2 if the 'pc' argument is
2159 int page_unprotect(target_ulong address, uintptr_t pc)
2162 bool current_tb_invalidated;
2164 target_ulong host_start, host_end, addr;
2166 /* Technically this isn't safe inside a signal handler. However we
2167 know this only ever happens in a synchronous SEGV handler, so in
2168 practice it seems to be ok. */
2171 p = page_find(address >> TARGET_PAGE_BITS);
2177 /* if the page was really writable, then we change its
2178 protection back to writable */
2179 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
2180 host_start = address & qemu_host_page_mask;
2181 host_end = host_start + qemu_host_page_size;
2184 current_tb_invalidated = false;
2185 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
2186 p = page_find(addr >> TARGET_PAGE_BITS);
2187 p->flags |= PAGE_WRITE;
2190 /* and since the content will be modified, we must invalidate
2191 the corresponding translated code. */
2192 current_tb_invalidated |= tb_invalidate_phys_page(addr, pc);
2193 #ifdef DEBUG_TB_CHECK
2194 tb_invalidate_check(addr);
2197 mprotect((void *)g2h(host_start), qemu_host_page_size,
2201 /* If current TB was invalidated return to main loop */
2202 return current_tb_invalidated ? 2 : 1;
2207 #endif /* CONFIG_USER_ONLY */
projects / qemu.git / blob