[qemu.git] / translate-all.c
1 /*
2 * Host code generation
4 * Copyright (c) 2003 Fabrice Bellard
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
19 #ifdef _WIN32
20 #include <windows.h>
21 #else
22 #include <sys/mman.h>
23 #endif
24 #include "qemu/osdep.h"
27 #include "qemu-common.h"
28 #define NO_CPU_IO_DEFS
29 #include "cpu.h"
30 #include "trace.h"
31 #include "disas/disas.h"
32 #include "tcg.h"
33 #if defined(CONFIG_USER_ONLY)
34 #include "qemu.h"
35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
36 #include <sys/param.h>
37 #if __FreeBSD_version >= 700104
38 #define HAVE_KINFO_GETVMMAP
39 #define sigqueue sigqueue_freebsd /* avoid redefinition */
40 #include <sys/proc.h>
41 #include <machine/profile.h>
42 #define _KERNEL
43 #include <sys/user.h>
44 #undef _KERNEL
45 #undef sigqueue
46 #include <libutil.h>
47 #endif
48 #endif
49 #else
50 #include "exec/address-spaces.h"
51 #endif
53 #include "exec/cputlb.h"
54 #include "exec/tb-hash.h"
55 #include "translate-all.h"
56 #include "qemu/bitmap.h"
57 #include "qemu/timer.h"
59 //#define DEBUG_TB_INVALIDATE
60 //#define DEBUG_FLUSH
61 /* make various TB consistency checks */
62 //#define DEBUG_TB_CHECK
64 #if !defined(CONFIG_USER_ONLY)
65 /* TB consistency checks only implemented for usermode emulation. */
66 #undef DEBUG_TB_CHECK
67 #endif
69 #define SMC_BITMAP_USE_THRESHOLD 10
71 typedef struct PageDesc {
72 /* list of TBs intersecting this ram page */
73 TranslationBlock *first_tb;
74 /* in order to optimize self-modifying code handling, we count the number
75 of code writes to a given page before switching to a bitmap */
76 unsigned int code_write_count;
77 unsigned long *code_bitmap;
78 #if defined(CONFIG_USER_ONLY)
79 unsigned long flags;
80 #endif
81 } PageDesc;
83 /* In system mode we want L1_MAP to be based on ram offsets,
84 while in user mode we want it to be based on virtual addresses. */
85 #if !defined(CONFIG_USER_ONLY)
86 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
87 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
88 #else
89 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
90 #endif
91 #else
92 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
93 #endif
95 /* Size of the L2 (and L3, etc) page tables. */
96 #define V_L2_BITS 10
97 #define V_L2_SIZE (1 << V_L2_BITS)
99 /* The bits remaining after N lower levels of page tables. */
100 #define V_L1_BITS_REM \
101 ((L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS)
103 #if V_L1_BITS_REM < 4
104 #define V_L1_BITS (V_L1_BITS_REM + V_L2_BITS)
105 #else
106 #define V_L1_BITS V_L1_BITS_REM
107 #endif
109 #define V_L1_SIZE ((target_ulong)1 << V_L1_BITS)
111 #define V_L1_SHIFT (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - V_L1_BITS)
113 uintptr_t qemu_host_page_size;
114 intptr_t qemu_host_page_mask;
116 /* The bottom level has pointers to PageDesc */
117 static void *l1_map[V_L1_SIZE];
119 /* code generation context */
120 TCGContext tcg_ctx;
122 /* translation block context */
123 #ifdef CONFIG_USER_ONLY
124 __thread int have_tb_lock;
125 #endif
127 void tb_lock(void)
129 #ifdef CONFIG_USER_ONLY
130 assert(!have_tb_lock);
131 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock);
132 have_tb_lock++;
133 #endif
136 void tb_unlock(void)
138 #ifdef CONFIG_USER_ONLY
139 assert(have_tb_lock);
140 have_tb_lock--;
141 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
142 #endif
145 void tb_lock_reset(void)
147 #ifdef CONFIG_USER_ONLY
148 if (have_tb_lock) {
149 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock);
150 have_tb_lock = 0;
152 #endif
155 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
156 tb_page_addr_t phys_page2);
157 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);
159 void cpu_gen_init(void)
161 tcg_context_init(&tcg_ctx);
164 /* Encode VAL as a signed leb128 sequence at P.
165 Return P incremented past the encoded value. */
166 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
168 int more, byte;
170 do {
171 byte = val & 0x7f;
172 val >>= 7;
173 more = !((val == 0 && (byte & 0x40) == 0)
174 || (val == -1 && (byte & 0x40) != 0));
175 if (more) {
176 byte |= 0x80;
178 *p++ = byte;
179 } while (more);
181 return p;
184 /* Decode a signed leb128 sequence at *PP; increment *PP past the
185 decoded value. Return the decoded value. */
186 static target_long decode_sleb128(uint8_t **pp)
188 uint8_t *p = *pp;
189 target_long val = 0;
190 int byte, shift = 0;
192 do {
193 byte = *p++;
194 val |= (target_ulong)(byte & 0x7f) << shift;
195 shift += 7;
196 } while (byte & 0x80);
197 if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
198 val |= -(target_ulong)1 << shift;
201 *pp = p;
202 return val;
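/* A minimal, self-contained round-trip check of the sleb128 scheme used by
   encode_sleb128()/decode_sleb128() above. It assumes a 64-bit target_long
   (int64_t) purely for illustration; the example_* names are not part of
   this file. */
#include <assert.h>
#include <stdint.h>

static uint8_t *example_encode_sleb128(uint8_t *p, int64_t val)
{
    int more, byte;

    do {
        byte = val & 0x7f;
        val >>= 7;
        more = !((val == 0 && (byte & 0x40) == 0)
                 || (val == -1 && (byte & 0x40) != 0));
        if (more) {
            byte |= 0x80;
        }
        *p++ = byte;
    } while (more);

    return p;
}

static int64_t example_decode_sleb128(uint8_t **pp)
{
    uint8_t *p = *pp;
    int64_t val = 0;
    int byte, shift = 0;

    do {
        byte = *p++;
        val |= (uint64_t)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < 64 && (byte & 0x40)) {
        val |= -(uint64_t)1 << shift;
    }

    *pp = p;
    return val;
}

/* Every value comes back unchanged, including the sign-extension cases
   around -64/-65 where the 0x40 bit of the last byte matters. */
static void example_sleb128_roundtrip(void)
{
    int64_t samples[] = { 0, 1, -1, 63, 64, -64, -65, 0x12345678, -0x12345678 };
    uint8_t buf[16];
    unsigned i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint8_t *end = example_encode_sleb128(buf, samples[i]);
        uint8_t *p = buf;

        assert(example_decode_sleb128(&p) == samples[i]);
        assert(p == end);
    }
}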
205 /* Encode the data collected about the instructions while compiling TB.
206 Place the data at BLOCK, and return the number of bytes consumed.
208 The logical table consists of TARGET_INSN_START_WORDS target_ulong's,
209 which come from the target's insn_start data, followed by a uintptr_t
210 which comes from the host pc of the end of the code implementing the insn.
212 Each line of the table is encoded as sleb128 deltas from the previous
213 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
214 That is, the first column is seeded with the guest pc, the last column
215 with the host pc, and the middle columns with zeros. */
217 static int encode_search(TranslationBlock *tb, uint8_t *block)
219 uint8_t *highwater = tcg_ctx.code_gen_highwater;
220 uint8_t *p = block;
221 int i, j, n;
223 tb->tc_search = block;
225 for (i = 0, n = tb->icount; i < n; ++i) {
226 target_ulong prev;
228 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
229 if (i == 0) {
230 prev = (j == 0 ? tb->pc : 0);
231 } else {
232 prev = tcg_ctx.gen_insn_data[i - 1][j];
234 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev);
236 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]);
237 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev);
239 /* Test for (pending) buffer overflow. The assumption is that any
240 one row beginning below the high water mark cannot overrun
241 the buffer completely. Thus we can test for overflow after
242 encoding a row without having to check during encoding. */
243 if (unlikely(p > highwater)) {
244 return -1;
248 return p - block;
251 /* The cpu state corresponding to 'searched_pc' is restored. */
252 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
253 uintptr_t searched_pc)
255 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
256 uintptr_t host_pc = (uintptr_t)tb->tc_ptr;
257 CPUArchState *env = cpu->env_ptr;
258 uint8_t *p = tb->tc_search;
259 int i, j, num_insns = tb->icount;
260 #ifdef CONFIG_PROFILER
261 int64_t ti = profile_getclock();
262 #endif
264 if (searched_pc < host_pc) {
265 return -1;
268 /* Reconstruct the stored insn data while looking for the point at
269 which the end of the insn exceeds the searched_pc. */
270 for (i = 0; i < num_insns; ++i) {
271 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
272 data[j] += decode_sleb128(&p);
274 host_pc += decode_sleb128(&p);
275 if (host_pc > searched_pc) {
276 goto found;
279 return -1;
281 found:
282 if (tb->cflags & CF_USE_ICOUNT) {
283 assert(use_icount);
284 /* Reset the cycle counter to the start of the block. */
285 cpu->icount_decr.u16.low += num_insns;
286 /* Clear the IO flag. */
287 cpu->can_do_io = 0;
289 cpu->icount_decr.u16.low -= i;
290 restore_state_to_opc(env, tb, data);
292 #ifdef CONFIG_PROFILER
293 tcg_ctx.restore_time += profile_getclock() - ti;
294 tcg_ctx.restore_count++;
295 #endif
296 return 0;
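/* A worked example of the icount adjustment above, with invented numbers:
   if icount_decr.u16.low was 95 after the TB charged all of its 5
   instructions up front, and the search data places searched_pc inside
   instruction index i == 2, then adding back num_insns (5) and subtracting
   i (2) leaves 98, exactly as if only the two completed instructions had
   been charged. */
#include <assert.h>
#include <stdint.h>

static void example_icount_rewind(void)
{
    uint16_t low = 95;            /* counter after charging the whole TB    */
    int num_insns = 5;            /* tb->icount                             */
    int i = 2;                    /* index of the insn containing the fault */

    low += num_insns;             /* undo the whole-block charge -> 100     */
    low -= i;                     /* charge only completed insns -> 98      */
    assert(low == 98);
}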
299 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr)
301 TranslationBlock *tb;
303 tb = tb_find_pc(retaddr);
304 if (tb) {
305 cpu_restore_state_from_tb(cpu, tb, retaddr);
306 if (tb->cflags & CF_NOCACHE) {
307 /* one-shot translation, invalidate it immediately */
308 cpu->current_tb = NULL;
309 tb_phys_invalidate(tb, -1);
310 tb_free(tb);
312 return true;
314 return false;
317 void page_size_init(void)
319 /* NOTE: we can always suppose that qemu_host_page_size >=
320 TARGET_PAGE_SIZE */
321 qemu_real_host_page_size = getpagesize();
322 qemu_real_host_page_mask = -(intptr_t)qemu_real_host_page_size;
323 if (qemu_host_page_size == 0) {
324 qemu_host_page_size = qemu_real_host_page_size;
326 if (qemu_host_page_size < TARGET_PAGE_SIZE) {
327 qemu_host_page_size = TARGET_PAGE_SIZE;
329 qemu_host_page_mask = -(intptr_t)qemu_host_page_size;
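/* The mask assignments above rely on a small two's-complement identity:
   for a power-of-two page size, -(intptr_t)size equals ~(size - 1), so
   ANDing an address with it rounds the address down to a page boundary.
   A quick self-contained check, assuming 4096-byte pages just to have
   concrete numbers: */
#include <assert.h>
#include <stdint.h>

static void example_page_mask(void)
{
    intptr_t size = 4096;
    intptr_t mask = -size;                       /* ...fffff000 */

    assert(mask == ~(size - 1));
    assert((0x12345678 & mask) == 0x12345000);   /* round down to page start */
}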
332 static void page_init(void)
334 page_size_init();
335 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
337 #ifdef HAVE_KINFO_GETVMMAP
338 struct kinfo_vmentry *freep;
339 int i, cnt;
341 freep = kinfo_getvmmap(getpid(), &cnt);
342 if (freep) {
343 mmap_lock();
344 for (i = 0; i < cnt; i++) {
345 unsigned long startaddr, endaddr;
347 startaddr = freep[i].kve_start;
348 endaddr = freep[i].kve_end;
349 if (h2g_valid(startaddr)) {
350 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
352 if (h2g_valid(endaddr)) {
353 endaddr = h2g(endaddr);
354 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
355 } else {
356 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
357 endaddr = ~0ul;
358 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
359 #endif
363 free(freep);
364 mmap_unlock();
366 #else
367 FILE *f;
369 last_brk = (unsigned long)sbrk(0);
371 f = fopen("/compat/linux/proc/self/maps", "r");
372 if (f) {
373 mmap_lock();
375 do {
376 unsigned long startaddr, endaddr;
377 int n;
379 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);
381 if (n == 2 && h2g_valid(startaddr)) {
382 startaddr = h2g(startaddr) & TARGET_PAGE_MASK;
384 if (h2g_valid(endaddr)) {
385 endaddr = h2g(endaddr);
386 } else {
387 endaddr = ~0ul;
389 page_set_flags(startaddr, endaddr, PAGE_RESERVED);
391 } while (!feof(f));
393 fclose(f);
394 mmap_unlock();
396 #endif
398 #endif
401 /* If alloc=1:
402 * Called with mmap_lock held for user-mode emulation. */
404 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
406 PageDesc *pd;
407 void **lp;
408 int i;
410 /* Level 1. Always allocated. */
411 lp = l1_map + ((index >> V_L1_SHIFT) & (V_L1_SIZE - 1));
413 /* Level 2..N-1. */
414 for (i = V_L1_SHIFT / V_L2_BITS - 1; i > 0; i--) {
415 void **p = atomic_rcu_read(lp);
417 if (p == NULL) {
418 if (!alloc) {
419 return NULL;
421 p = g_new0(void *, V_L2_SIZE);
422 atomic_rcu_set(lp, p);
425 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
428 pd = atomic_rcu_read(lp);
429 if (pd == NULL) {
430 if (!alloc) {
431 return NULL;
433 pd = g_new0(PageDesc, V_L2_SIZE);
434 atomic_rcu_set(lp, pd);
437 return pd + (index & (V_L2_SIZE - 1));
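/* A worked example of the index arithmetic used by page_find_alloc() above.
   The concrete numbers assume a hypothetical 32-bit address space with
   TARGET_PAGE_BITS == 12, which the V_L1 / V_L2 formulas earlier in this
   file resolve to one 10-bit L1 level plus a single 10-bit bottom level;
   other configurations simply get more middle levels. */
#include <stdio.h>
#include <stdint.h>

#define EX_ADDR_SPACE_BITS 32
#define EX_PAGE_BITS       12
#define EX_L2_BITS         10
#define EX_L2_SIZE         (1 << EX_L2_BITS)
#define EX_L1_BITS_REM     ((EX_ADDR_SPACE_BITS - EX_PAGE_BITS) % EX_L2_BITS)
#define EX_L1_BITS         (EX_L1_BITS_REM < 4 ? EX_L1_BITS_REM + EX_L2_BITS \
                                               : EX_L1_BITS_REM)
#define EX_L1_SIZE         ((uint32_t)1 << EX_L1_BITS)
#define EX_L1_SHIFT        (EX_ADDR_SPACE_BITS - EX_PAGE_BITS - EX_L1_BITS)

static void example_page_indices(void)
{
    uint32_t addr = 0x12345678;                /* arbitrary guest address     */
    uint32_t index = addr >> EX_PAGE_BITS;     /* page index, as in page_find */

    /* 20 index bits split as 10 + 10: L1 slot 72, bottom-level slot 837. */
    printf("L1 index: %u\n", (index >> EX_L1_SHIFT) & (EX_L1_SIZE - 1));
    printf("L2 index: %u\n", index & (EX_L2_SIZE - 1));
}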
440 static inline PageDesc *page_find(tb_page_addr_t index)
442 return page_find_alloc(index, 0);
445 #if defined(CONFIG_USER_ONLY)
446 /* Currently it is not recommended to allocate big chunks of data in
447 user mode. That may change when a dedicated libc is used. */
448 /* ??? 64-bit hosts ought to have no problem mmaping data outside the
449 region in which the guest needs to run. Revisit this. */
450 #define USE_STATIC_CODE_GEN_BUFFER
451 #endif
453 /* Minimum size of the code gen buffer. This number is arbitrarily chosen,
454 but not so small that we can't have a fair number of TBs live. */
455 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024)
457 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise
458 indicated, this is constrained by the range of direct branches on the
459 host cpu, as used by the TCG implementation of goto_tb. */
460 #if defined(__x86_64__)
461 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
462 #elif defined(__sparc__)
463 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
464 #elif defined(__powerpc64__)
465 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024)
466 #elif defined(__aarch64__)
467 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
468 #elif defined(__arm__)
469 # define MAX_CODE_GEN_BUFFER_SIZE (16u * 1024 * 1024)
470 #elif defined(__s390x__)
471 /* We have a +- 4GB range on the branches; leave some slop. */
472 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024)
473 #elif defined(__mips__)
474 /* We have a 256MB branch region, but leave room to make sure the
475 main executable is also within that region. */
476 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024)
477 #else
478 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1)
479 #endif
481 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)
483 #define DEFAULT_CODE_GEN_BUFFER_SIZE \
484 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
485 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
487 static inline size_t size_code_gen_buffer(size_t tb_size)
489 /* Size the buffer. */
490 if (tb_size == 0) {
491 #ifdef USE_STATIC_CODE_GEN_BUFFER
492 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
493 #else
494 /* ??? Needs adjustments. */
495 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
496 static buffer, we could size this on RESERVED_VA, on the text
497 segment size of the executable, or continue to use the default. */
498 tb_size = (unsigned long)(ram_size / 4);
499 #endif
501 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
502 tb_size = MIN_CODE_GEN_BUFFER_SIZE;
504 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
505 tb_size = MAX_CODE_GEN_BUFFER_SIZE;
507 tcg_ctx.code_gen_buffer_size = tb_size;
508 return tb_size;
511 #ifdef __mips__
512 /* In order to use J and JAL within the code_gen_buffer, we require
513 that the buffer not cross a 256MB boundary. */
514 static inline bool cross_256mb(void *addr, size_t size)
516 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & 0xf0000000;
519 /* We weren't able to allocate a buffer without crossing that boundary,
520 so make do with the larger portion of the buffer that doesn't cross.
521 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */
522 static inline void *split_cross_256mb(void *buf1, size_t size1)
524 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & 0xf0000000);
525 size_t size2 = buf1 + size1 - buf2;
527 size1 = buf2 - buf1;
528 if (size1 < size2) {
529 size1 = size2;
530 buf1 = buf2;
533 tcg_ctx.code_gen_buffer_size = size1;
534 return buf1;
536 #endif
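/* A standalone sanity check of the 256MB-crossing test above. XORing the
   first and one-past-last addresses of the buffer exposes every bit in
   which they differ; if any bit in the 0xf0000000 group differs, the buffer
   straddles a 256MB-aligned boundary and J/JAL cannot reach across it.
   The addresses below are made up. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>

static int example_cross_256mb(uintptr_t addr, size_t size)
{
    return ((addr ^ (addr + size)) & 0xf0000000) != 0;
}

static void example_cross_256mb_check(void)
{
    /* 0x0fff0000 + 0x20000 ends at 0x10010000: bit 28 flips, so it crosses. */
    assert(example_cross_256mb(0x0fff0000u, 0x20000));
    /* 0x10000000 + 0x20000 stays inside [0x10000000, 0x20000000). */
    assert(!example_cross_256mb(0x10000000u, 0x20000));
}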
538 #ifdef USE_STATIC_CODE_GEN_BUFFER
539 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
540 __attribute__((aligned(CODE_GEN_ALIGN)));
542 # ifdef _WIN32
543 static inline void do_protect(void *addr, long size, int prot)
545 DWORD old_protect;
546 VirtualProtect(addr, size, prot, &old_protect);
549 static inline void map_exec(void *addr, long size)
551 do_protect(addr, size, PAGE_EXECUTE_READWRITE);
554 static inline void map_none(void *addr, long size)
556 do_protect(addr, size, PAGE_NOACCESS);
558 # else
559 static inline void do_protect(void *addr, long size, int prot)
561 uintptr_t start, end;
563 start = (uintptr_t)addr;
564 start &= qemu_real_host_page_mask;
566 end = (uintptr_t)addr + size;
567 end = ROUND_UP(end, qemu_real_host_page_size);
569 mprotect((void *)start, end - start, prot);
572 static inline void map_exec(void *addr, long size)
574 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC);
577 static inline void map_none(void *addr, long size)
579 do_protect(addr, size, PROT_NONE);
581 # endif /* WIN32 */
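/* The POSIX do_protect() above must widen the requested range to whole host
   pages, since mprotect() only accepts page-aligned regions. A tiny check
   of that rounding, assuming 4096-byte host pages for concreteness: */
#include <assert.h>
#include <stdint.h>

#define EX_HOST_PAGE_SIZE 4096
#define EX_HOST_PAGE_MASK (-(intptr_t)EX_HOST_PAGE_SIZE)

static void example_protect_rounding(void)
{
    uintptr_t addr = 0x402010;                   /* arbitrary, unaligned */
    size_t size = 0x1800;

    uintptr_t start = addr & EX_HOST_PAGE_MASK;
    uintptr_t end = (addr + size + EX_HOST_PAGE_SIZE - 1) & EX_HOST_PAGE_MASK;

    assert(start == 0x402000);                   /* rounded down             */
    assert(end == 0x404000);                     /* rounded up past the range */
}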
583 static inline void *alloc_code_gen_buffer(void)
585 void *buf = static_code_gen_buffer;
586 size_t full_size, size;
588 /* The size of the buffer, rounded down to end on a page boundary. */
589 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer))
590 & qemu_real_host_page_mask) - (uintptr_t)buf;
592 /* Reserve a guard page. */
593 size = full_size - qemu_real_host_page_size;
595 /* Honor a command-line option limiting the size of the buffer. */
596 if (size > tcg_ctx.code_gen_buffer_size) {
597 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size)
598 & qemu_real_host_page_mask) - (uintptr_t)buf;
600 tcg_ctx.code_gen_buffer_size = size;
602 #ifdef __mips__
603 if (cross_256mb(buf, size)) {
604 buf = split_cross_256mb(buf, size);
605 size = tcg_ctx.code_gen_buffer_size;
607 #endif
609 map_exec(buf, size);
610 map_none(buf + size, qemu_real_host_page_size);
611 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
613 return buf;
615 #elif defined(_WIN32)
616 static inline void *alloc_code_gen_buffer(void)
618 size_t size = tcg_ctx.code_gen_buffer_size;
619 void *buf1, *buf2;
621 /* Perform the allocation in two steps, so that the guard page
622 is reserved but uncommitted. */
623 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size,
624 MEM_RESERVE, PAGE_NOACCESS);
625 if (buf1 != NULL) {
626 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
627 assert(buf1 == buf2);
630 return buf1;
632 #else
633 static inline void *alloc_code_gen_buffer(void)
635 int flags = MAP_PRIVATE | MAP_ANONYMOUS;
636 uintptr_t start = 0;
637 size_t size = tcg_ctx.code_gen_buffer_size;
638 void *buf;
640 /* Constrain the position of the buffer based on the host cpu.
641 Note that these addresses are chosen in concert with the
642 addresses assigned in the relevant linker script file. */
643 # if defined(__PIE__) || defined(__PIC__)
644 /* Don't bother setting a preferred location if we're building
645 a position-independent executable. We're more likely to get
646 an address near the main executable if we let the kernel
647 choose the address. */
648 # elif defined(__x86_64__) && defined(MAP_32BIT)
649 /* Force the memory down into low memory with the executable.
650 Leave the choice of exact location with the kernel. */
651 flags |= MAP_32BIT;
652 /* Cannot expect to map more than 800MB in low memory. */
653 if (size > 800u * 1024 * 1024) {
654 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024;
656 # elif defined(__sparc__)
657 start = 0x40000000ul;
658 # elif defined(__s390x__)
659 start = 0x90000000ul;
660 # elif defined(__mips__)
661 # if _MIPS_SIM == _ABI64
662 start = 0x128000000ul;
663 # else
664 start = 0x08000000ul;
665 # endif
666 # endif
668 buf = mmap((void *)start, size + qemu_real_host_page_size,
669 PROT_NONE, flags, -1, 0);
670 if (buf == MAP_FAILED) {
671 return NULL;
674 #ifdef __mips__
675 if (cross_256mb(buf, size)) {
676 /* Try again, with the original still mapped, to avoid re-acquiring
677 that 256mb crossing. This time don't specify an address. */
678 size_t size2;
679 void *buf2 = mmap(NULL, size + qemu_real_host_page_size,
680 PROT_NONE, flags, -1, 0);
681 switch (buf2 != MAP_FAILED) {
682 case 1:
683 if (!cross_256mb(buf2, size)) {
684 /* Success! Use the new buffer. */
685 munmap(buf, size);
686 break;
688 /* Failure. Work with what we had. */
689 munmap(buf2, size);
690 /* fallthru */
691 default:
692 /* Split the original buffer. Free the smaller half. */
693 buf2 = split_cross_256mb(buf, size);
694 size2 = tcg_ctx.code_gen_buffer_size;
695 if (buf == buf2) {
696 munmap(buf + size2 + qemu_real_host_page_size, size - size2);
697 } else {
698 munmap(buf, size - size2);
700 size = size2;
701 break;
703 buf = buf2;
705 #endif
707 /* Make the final buffer accessible. The guard page at the end
708 will remain inaccessible with PROT_NONE. */
709 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC);
711 /* Request large pages for the buffer. */
712 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
714 return buf;
716 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
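/* A minimal POSIX-only sketch of the guard-page pattern shared by the three
   allocators above: reserve the buffer plus one extra page with PROT_NONE,
   then enable access on the usable part only, so the trailing page stays
   inaccessible and a runaway code generator faults instead of scribbling
   past the buffer. 'size' is assumed to be page-aligned and error handling
   is reduced to returning NULL. */
#include <stddef.h>
#include <sys/mman.h>
#include <unistd.h>

static void *example_alloc_with_guard(size_t size)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *buf = mmap(NULL, size + page, PROT_NONE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);

    if (buf == MAP_FAILED) {
        return NULL;
    }
    if (mprotect(buf, size, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        munmap(buf, size + page);
        return NULL;
    }
    return buf;           /* [buf, buf + size) usable, last page traps */
}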
718 static inline void code_gen_alloc(size_t tb_size)
720 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size);
721 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer();
722 if (tcg_ctx.code_gen_buffer == NULL) {
723 fprintf(stderr, "Could not allocate dynamic translator buffer\n");
724 exit(1);
727 /* Estimate a good size for the number of TBs we can support. We
728 still haven't deducted the prologue from the buffer size here,
729 but that's minimal and won't affect the estimate much. */
730 tcg_ctx.code_gen_max_blocks
731 = tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
732 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock, tcg_ctx.code_gen_max_blocks);
734 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock);
737 /* Must be called before using the QEMU cpus. 'tb_size' is the size
738 (in bytes) allocated to the translation buffer. Zero means default
739 size. */
740 void tcg_exec_init(unsigned long tb_size)
742 cpu_gen_init();
743 page_init();
744 code_gen_alloc(tb_size);
745 #if defined(CONFIG_SOFTMMU)
746 /* There's no guest base to take into account, so go ahead and
747 initialize the prologue now. */
748 tcg_prologue_init(&tcg_ctx);
749 #endif
752 bool tcg_enabled(void)
754 return tcg_ctx.code_gen_buffer != NULL;
757 /* Allocate a new translation block. Flush the translation buffer if
758 too many translation blocks or too much generated code. */
759 static TranslationBlock *tb_alloc(target_ulong pc)
761 TranslationBlock *tb;
763 if (tcg_ctx.tb_ctx.nb_tbs >= tcg_ctx.code_gen_max_blocks) {
764 return NULL;
766 tb = &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs++];
767 tb->pc = pc;
768 tb->cflags = 0;
769 return tb;
772 void tb_free(TranslationBlock *tb)
774 /* In practice this is mostly used for single-use temporary TBs.
775 Ignore the hard cases and just back up if this TB happens to
776 be the last one generated. */
777 if (tcg_ctx.tb_ctx.nb_tbs > 0 &&
778 tb == &tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) {
779 tcg_ctx.code_gen_ptr = tb->tc_ptr;
780 tcg_ctx.tb_ctx.nb_tbs--;
784 static inline void invalidate_page_bitmap(PageDesc *p)
786 g_free(p->code_bitmap);
787 p->code_bitmap = NULL;
788 p->code_write_count = 0;
791 /* Set to NULL all the 'first_tb' fields in all PageDescs. */
792 static void page_flush_tb_1(int level, void **lp)
794 int i;
796 if (*lp == NULL) {
797 return;
799 if (level == 0) {
800 PageDesc *pd = *lp;
802 for (i = 0; i < V_L2_SIZE; ++i) {
803 pd[i].first_tb = NULL;
804 invalidate_page_bitmap(pd + i);
806 } else {
807 void **pp = *lp;
809 for (i = 0; i < V_L2_SIZE; ++i) {
810 page_flush_tb_1(level - 1, pp + i);
815 static void page_flush_tb(void)
817 int i;
819 for (i = 0; i < V_L1_SIZE; i++) {
820 page_flush_tb_1(V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
824 /* flush all the translation blocks */
825 /* XXX: tb_flush is currently not thread safe */
826 void tb_flush(CPUState *cpu)
828 #if defined(DEBUG_FLUSH)
829 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
830 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer),
831 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ?
832 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) /
833 tcg_ctx.tb_ctx.nb_tbs : 0);
834 #endif
835 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)
836 > tcg_ctx.code_gen_buffer_size) {
837 cpu_abort(cpu, "Internal error: code buffer overflow\n");
839 tcg_ctx.tb_ctx.nb_tbs = 0;
841 CPU_FOREACH(cpu) {
842 memset(cpu->tb_jmp_cache, 0, sizeof(cpu->tb_jmp_cache));
845 memset(tcg_ctx.tb_ctx.tb_phys_hash, 0, sizeof(tcg_ctx.tb_ctx.tb_phys_hash));
846 page_flush_tb();
848 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer;
849 /* XXX: flush processor icache at this point if cache flush is
850 expensive */
851 tcg_ctx.tb_ctx.tb_flush_count++;
854 #ifdef DEBUG_TB_CHECK
856 static void tb_invalidate_check(target_ulong address)
858 TranslationBlock *tb;
859 int i;
861 address &= TARGET_PAGE_MASK;
862 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
863 for (tb = tb_ctx.tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
864 if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
865 address >= tb->pc + tb->size)) {
866 printf("ERROR invalidate: address=" TARGET_FMT_lx
867 " PC=%08lx size=%04x\n",
868 address, (long)tb->pc, tb->size);
874 /* verify that all the pages have correct rights for code */
875 static void tb_page_check(void)
877 TranslationBlock *tb;
878 int i, flags1, flags2;
880 for (i = 0; i < CODE_GEN_PHYS_HASH_SIZE; i++) {
881 for (tb = tcg_ctx.tb_ctx.tb_phys_hash[i]; tb != NULL;
882 tb = tb->phys_hash_next) {
883 flags1 = page_get_flags(tb->pc);
884 flags2 = page_get_flags(tb->pc + tb->size - 1);
885 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
886 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
887 (long)tb->pc, tb->size, flags1, flags2);
893 #endif
895 static inline void tb_hash_remove(TranslationBlock **ptb, TranslationBlock *tb)
897 TranslationBlock *tb1;
899 for (;;) {
900 tb1 = *ptb;
901 if (tb1 == tb) {
902 *ptb = tb1->phys_hash_next;
903 break;
905 ptb = &tb1->phys_hash_next;
909 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
911 TranslationBlock *tb1;
912 unsigned int n1;
914 for (;;) {
915 tb1 = *ptb;
916 n1 = (uintptr_t)tb1 & 3;
917 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
918 if (tb1 == tb) {
919 *ptb = tb1->page_next[n1];
920 break;
922 ptb = &tb1->page_next[n1];
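/* The page lists above keep a 2-bit tag (which page_next[] slot the link
   belongs to) in the low bits of each TranslationBlock pointer, relying on
   the structures being at least 4-byte aligned. A freestanding illustration
   of the pack/unpack arithmetic using a dummy node type: */
#include <assert.h>
#include <stdint.h>

typedef struct ExampleNode {
    struct ExampleNode *next[2];
} ExampleNode;

static void *example_tag(ExampleNode *p, unsigned int n)
{
    return (void *)((uintptr_t)p | n);          /* n must be 0..3 */
}

static ExampleNode *example_untag(void *tagged)
{
    return (ExampleNode *)((uintptr_t)tagged & ~(uintptr_t)3);
}

static unsigned int example_slot(void *tagged)
{
    return (uintptr_t)tagged & 3;
}

static void example_tagged_pointer(void)
{
    static ExampleNode node;
    void *tagged = example_tag(&node, 1);

    assert(example_untag(tagged) == &node);
    assert(example_slot(tagged) == 1);
}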
926 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
928 TranslationBlock *tb1, **ptb;
929 unsigned int n1;
931 ptb = &tb->jmp_next[n];
932 tb1 = *ptb;
933 if (tb1) {
934 /* find tb(n) in circular list */
935 for (;;) {
936 tb1 = *ptb;
937 n1 = (uintptr_t)tb1 & 3;
938 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
939 if (n1 == n && tb1 == tb) {
940 break;
942 if (n1 == 2) {
943 ptb = &tb1->jmp_first;
944 } else {
945 ptb = &tb1->jmp_next[n1];
948 /* now we can suppress tb(n) from the list */
949 *ptb = tb->jmp_next[n];
951 tb->jmp_next[n] = NULL;
955 /* reset the jump entry 'n' of a TB so that it is not chained to
956 another TB */
957 static inline void tb_reset_jump(TranslationBlock *tb, int n)
959 tb_set_jmp_target(tb, n, (uintptr_t)(tb->tc_ptr + tb->tb_next_offset[n]));
962 /* invalidate one TB */
963 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
965 CPUState *cpu;
966 PageDesc *p;
967 unsigned int h, n1;
968 tb_page_addr_t phys_pc;
969 TranslationBlock *tb1, *tb2;
971 /* remove the TB from the hash list */
972 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
973 h = tb_phys_hash_func(phys_pc);
974 tb_hash_remove(&tcg_ctx.tb_ctx.tb_phys_hash[h], tb);
976 /* remove the TB from the page list */
977 if (tb->page_addr[0] != page_addr) {
978 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
979 tb_page_remove(&p->first_tb, tb);
980 invalidate_page_bitmap(p);
982 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
983 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
984 tb_page_remove(&p->first_tb, tb);
985 invalidate_page_bitmap(p);
988 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
990 /* remove the TB from the per-CPU jump cache */
991 h = tb_jmp_cache_hash_func(tb->pc);
992 CPU_FOREACH(cpu) {
993 if (cpu->tb_jmp_cache[h] == tb) {
994 cpu->tb_jmp_cache[h] = NULL;
998 /* suppress this TB from the two jump lists */
999 tb_jmp_remove(tb, 0);
1000 tb_jmp_remove(tb, 1);
1002 /* suppress any remaining jumps to this TB */
1003 tb1 = tb->jmp_first;
1004 for (;;) {
1005 n1 = (uintptr_t)tb1 & 3;
1006 if (n1 == 2) {
1007 break;
1009 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
1010 tb2 = tb1->jmp_next[n1];
1011 tb_reset_jump(tb1, n1);
1012 tb1->jmp_next[n1] = NULL;
1013 tb1 = tb2;
1015 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2); /* fail safe */
1017 tcg_ctx.tb_ctx.tb_phys_invalidate_count++;
1020 static void build_page_bitmap(PageDesc *p)
1022 int n, tb_start, tb_end;
1023 TranslationBlock *tb;
1025 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);
1027 tb = p->first_tb;
1028 while (tb != NULL) {
1029 n = (uintptr_t)tb & 3;
1030 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1031 /* NOTE: this is subtle as a TB may span two physical pages */
1032 if (n == 0) {
1033 /* NOTE: tb_end may be after the end of the page, but
1034 it is not a problem */
1035 tb_start = tb->pc & ~TARGET_PAGE_MASK;
1036 tb_end = tb_start + tb->size;
1037 if (tb_end > TARGET_PAGE_SIZE) {
1038 tb_end = TARGET_PAGE_SIZE;
1040 } else {
1041 tb_start = 0;
1042 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1044 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
1045 tb = tb->page_next[n];
1049 /* Called with mmap_lock held for user mode emulation. */
1050 TranslationBlock *tb_gen_code(CPUState *cpu,
1051 target_ulong pc, target_ulong cs_base,
1052 int flags, int cflags)
1054 CPUArchState *env = cpu->env_ptr;
1055 TranslationBlock *tb;
1056 tb_page_addr_t phys_pc, phys_page2;
1057 target_ulong virt_page2;
1058 tcg_insn_unit *gen_code_buf;
1059 int gen_code_size, search_size;
1060 #ifdef CONFIG_PROFILER
1061 int64_t ti;
1062 #endif
1064 phys_pc = get_page_addr_code(env, pc);
1065 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) {
1066 cflags |= CF_USE_ICOUNT;
1069 tb = tb_alloc(pc);
1070 if (unlikely(!tb)) {
1071 buffer_overflow:
1072 /* flush must be done */
1073 tb_flush(cpu);
1074 /* cannot fail at this point */
1075 tb = tb_alloc(pc);
1076 assert(tb != NULL);
1077 /* Don't forget to invalidate previous TB info. */
1078 tcg_ctx.tb_ctx.tb_invalidated_flag = 1;
1081 gen_code_buf = tcg_ctx.code_gen_ptr;
1082 tb->tc_ptr = gen_code_buf;
1083 tb->cs_base = cs_base;
1084 tb->flags = flags;
1085 tb->cflags = cflags;
1087 #ifdef CONFIG_PROFILER
1088 tcg_ctx.tb_count1++; /* includes aborted translations because of
1089 exceptions */
1090 ti = profile_getclock();
1091 #endif
1093 tcg_func_start(&tcg_ctx);
1095 gen_intermediate_code(env, tb);
1097 trace_translate_block(tb, tb->pc, tb->tc_ptr);
1099 /* generate machine code */
1100 tb->tb_next_offset[0] = 0xffff;
1101 tb->tb_next_offset[1] = 0xffff;
1102 tcg_ctx.tb_next_offset = tb->tb_next_offset;
1103 #ifdef USE_DIRECT_JUMP
1104 tcg_ctx.tb_jmp_offset = tb->tb_jmp_offset;
1105 tcg_ctx.tb_next = NULL;
1106 #else
1107 tcg_ctx.tb_jmp_offset = NULL;
1108 tcg_ctx.tb_next = tb->tb_next;
1109 #endif
1111 #ifdef CONFIG_PROFILER
1112 tcg_ctx.tb_count++;
1113 tcg_ctx.interm_time += profile_getclock() - ti;
1114 tcg_ctx.code_time -= profile_getclock();
1115 #endif
1117 /* ??? Overflow could be handled better here. In particular, we
1118 don't need to re-do gen_intermediate_code, nor should we re-do
1119 the tcg optimization currently hidden inside tcg_gen_code. All
1120 that should be required is to flush the TBs, allocate a new TB,
1121 re-initialize it per above, and re-do the actual code generation. */
1122 gen_code_size = tcg_gen_code(&tcg_ctx, gen_code_buf);
1123 if (unlikely(gen_code_size < 0)) {
1124 goto buffer_overflow;
1126 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
1127 if (unlikely(search_size < 0)) {
1128 goto buffer_overflow;
1131 #ifdef CONFIG_PROFILER
1132 tcg_ctx.code_time += profile_getclock();
1133 tcg_ctx.code_in_len += tb->size;
1134 tcg_ctx.code_out_len += gen_code_size;
1135 tcg_ctx.search_out_len += search_size;
1136 #endif
1138 #ifdef DEBUG_DISAS
1139 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
1140 qemu_log("OUT: [size=%d]\n", gen_code_size);
1141 log_disas(tb->tc_ptr, gen_code_size);
1142 qemu_log("\n");
1143 qemu_log_flush();
1145 #endif
1147 tcg_ctx.code_gen_ptr = (void *)
1148 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
1149 CODE_GEN_ALIGN);
1151 /* check next page if needed */
1152 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
1153 phys_page2 = -1;
1154 if ((pc & TARGET_PAGE_MASK) != virt_page2) {
1155 phys_page2 = get_page_addr_code(env, virt_page2);
1157 tb_link_page(tb, phys_pc, phys_page2);
1158 return tb;
1162 /* Invalidate all TBs which intersect with the target physical address range
1163 * [start;end[. NOTE: start and end may refer to *different* physical pages.
1164 * 'is_cpu_write_access' should be true if called from a real cpu write
1165 * access: the virtual CPU will exit the current TB if code is modified inside
1166 * this TB.
1168 * Called with mmap_lock held for user-mode emulation. */
1170 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
1172 while (start < end) {
1173 tb_invalidate_phys_page_range(start, end, 0);
1174 start &= TARGET_PAGE_MASK;
1175 start += TARGET_PAGE_SIZE;
1180 /* Invalidate all TBs which intersect with the target physical address range
1181 * [start;end[. NOTE: start and end must refer to the *same* physical page.
1182 * 'is_cpu_write_access' should be true if called from a real cpu write
1183 * access: the virtual CPU will exit the current TB if code is modified inside
1184 * this TB.
1186 * Called with mmap_lock held for user-mode emulation. */
1188 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
1189 int is_cpu_write_access)
1191 TranslationBlock *tb, *tb_next, *saved_tb;
1192 CPUState *cpu = current_cpu;
1193 #if defined(TARGET_HAS_PRECISE_SMC)
1194 CPUArchState *env = NULL;
1195 #endif
1196 tb_page_addr_t tb_start, tb_end;
1197 PageDesc *p;
1198 int n;
1199 #ifdef TARGET_HAS_PRECISE_SMC
1200 int current_tb_not_found = is_cpu_write_access;
1201 TranslationBlock *current_tb = NULL;
1202 int current_tb_modified = 0;
1203 target_ulong current_pc = 0;
1204 target_ulong current_cs_base = 0;
1205 int current_flags = 0;
1206 #endif /* TARGET_HAS_PRECISE_SMC */
1208 p = page_find(start >> TARGET_PAGE_BITS);
1209 if (!p) {
1210 return;
1212 #if defined(TARGET_HAS_PRECISE_SMC)
1213 if (cpu != NULL) {
1214 env = cpu->env_ptr;
1216 #endif
1218 /* we remove all the TBs in the range [start, end[ */
1219 /* XXX: see if in some cases it could be faster to invalidate all
1220 the code */
1221 tb = p->first_tb;
1222 while (tb != NULL) {
1223 n = (uintptr_t)tb & 3;
1224 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1225 tb_next = tb->page_next[n];
1226 /* NOTE: this is subtle as a TB may span two physical pages */
1227 if (n == 0) {
1228 /* NOTE: tb_end may be after the end of the page, but
1229 it is not a problem */
1230 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
1231 tb_end = tb_start + tb->size;
1232 } else {
1233 tb_start = tb->page_addr[1];
1234 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
1236 if (!(tb_end <= start || tb_start >= end)) {
1237 #ifdef TARGET_HAS_PRECISE_SMC
1238 if (current_tb_not_found) {
1239 current_tb_not_found = 0;
1240 current_tb = NULL;
1241 if (cpu->mem_io_pc) {
1242 /* now we have a real cpu fault */
1243 current_tb = tb_find_pc(cpu->mem_io_pc);
1246 if (current_tb == tb &&
1247 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1248 /* If we are modifying the current TB, we must stop
1249 its execution. We could be more precise by checking
1250 that the modification is after the current PC, but it
1251 would require a specialized function to partially
1252 restore the CPU state */
1254 current_tb_modified = 1;
1255 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
1256 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
1257 &current_flags);
1259 #endif /* TARGET_HAS_PRECISE_SMC */
1260 /* we need to do that to handle the case where a signal
1261 occurs while doing tb_phys_invalidate() */
1262 saved_tb = NULL;
1263 if (cpu != NULL) {
1264 saved_tb = cpu->current_tb;
1265 cpu->current_tb = NULL;
1267 tb_phys_invalidate(tb, -1);
1268 if (cpu != NULL) {
1269 cpu->current_tb = saved_tb;
1270 if (cpu->interrupt_request && cpu->current_tb) {
1271 cpu_interrupt(cpu, cpu->interrupt_request);
1275 tb = tb_next;
1277 #if !defined(CONFIG_USER_ONLY)
1278 /* if no code remaining, no need to continue to use slow writes */
1279 if (!p->first_tb) {
1280 invalidate_page_bitmap(p);
1281 tlb_unprotect_code(start);
1283 #endif
1284 #ifdef TARGET_HAS_PRECISE_SMC
1285 if (current_tb_modified) {
1286 /* we generate a block containing just the instruction
1287 modifying the memory. It will ensure that it cannot modify
1288 itself */
1289 cpu->current_tb = NULL;
1290 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1291 cpu_resume_from_signal(cpu, NULL);
1293 #endif
1296 /* len must be <= 8 and start must be a multiple of len */
1297 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
1299 PageDesc *p;
1301 #if 0
1302 if (1) {
1303 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1304 cpu_single_env->mem_io_vaddr, len,
1305 cpu_single_env->eip,
1306 cpu_single_env->eip +
1307 (intptr_t)cpu_single_env->segs[R_CS].base);
1309 #endif
1310 p = page_find(start >> TARGET_PAGE_BITS);
1311 if (!p) {
1312 return;
1314 if (!p->code_bitmap &&
1315 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
1316 /* build code bitmap */
1317 build_page_bitmap(p);
1319 if (p->code_bitmap) {
1320 unsigned int nr;
1321 unsigned long b;
1323 nr = start & ~TARGET_PAGE_MASK;
1324 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
1325 if (b & ((1 << len) - 1)) {
1326 goto do_invalidate;
1328 } else {
1329 do_invalidate:
1330 tb_invalidate_phys_page_range(start, start + len, 1);
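/* The bitmap probe above turns "does this write of len <= 8 bytes touch any
   byte a TB was translated from?" into one shift and one mask. A
   self-contained rehearsal of the same arithmetic over a hypothetical 4KiB
   target page, one bit per byte; the ex_* helpers stand in for bitmap_set()
   and the probe in the function above. */
#include <assert.h>
#include <limits.h>
#include <string.h>

#define EX_PAGE_SIZE 4096
#define EX_WORD_BITS (sizeof(unsigned long) * CHAR_BIT)

static unsigned long ex_bitmap[EX_PAGE_SIZE / EX_WORD_BITS];

static void ex_mark_code(unsigned int start, unsigned int len)
{
    unsigned int i;

    for (i = start; i < start + len; i++) {
        ex_bitmap[i / EX_WORD_BITS] |= 1ul << (i % EX_WORD_BITS);
    }
}

static int ex_write_hits_code(unsigned int nr, unsigned int len)
{
    /* As above: start is a multiple of len and len <= 8, so the len bits
       being tested never straddle a word boundary. */
    unsigned long b = ex_bitmap[nr / EX_WORD_BITS] >> (nr % EX_WORD_BITS);

    return (b & ((1ul << len) - 1)) != 0;
}

static void ex_bitmap_check(void)
{
    memset(ex_bitmap, 0, sizeof(ex_bitmap));
    ex_mark_code(0x100, 0x40);        /* pretend one TB covers 0x100..0x13f */

    assert(!ex_write_hits_code(0x0f8, 8));   /* stops just short of the TB */
    assert(ex_write_hits_code(0x100, 8));    /* first code bytes           */
    assert(ex_write_hits_code(0x13c, 4));    /* last code bytes            */
    assert(!ex_write_hits_code(0x140, 8));   /* just past the TB           */
}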
1334 #if !defined(CONFIG_SOFTMMU)
1335 /* Called with mmap_lock held. */
1336 static void tb_invalidate_phys_page(tb_page_addr_t addr,
1337 uintptr_t pc, void *puc,
1338 bool locked)
1340 TranslationBlock *tb;
1341 PageDesc *p;
1342 int n;
1343 #ifdef TARGET_HAS_PRECISE_SMC
1344 TranslationBlock *current_tb = NULL;
1345 CPUState *cpu = current_cpu;
1346 CPUArchState *env = NULL;
1347 int current_tb_modified = 0;
1348 target_ulong current_pc = 0;
1349 target_ulong current_cs_base = 0;
1350 int current_flags = 0;
1351 #endif
1353 addr &= TARGET_PAGE_MASK;
1354 p = page_find(addr >> TARGET_PAGE_BITS);
1355 if (!p) {
1356 return;
1358 tb = p->first_tb;
1359 #ifdef TARGET_HAS_PRECISE_SMC
1360 if (tb && pc != 0) {
1361 current_tb = tb_find_pc(pc);
1363 if (cpu != NULL) {
1364 env = cpu->env_ptr;
1366 #endif
1367 while (tb != NULL) {
1368 n = (uintptr_t)tb & 3;
1369 tb = (TranslationBlock *)((uintptr_t)tb & ~3);
1370 #ifdef TARGET_HAS_PRECISE_SMC
1371 if (current_tb == tb &&
1372 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1373 /* If we are modifying the current TB, we must stop
1374 its execution. We could be more precise by checking
1375 that the modification is after the current PC, but it
1376 would require a specialized function to partially
1377 restore the CPU state */
1379 current_tb_modified = 1;
1380 cpu_restore_state_from_tb(cpu, current_tb, pc);
1381 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
1382 &current_flags);
1384 #endif /* TARGET_HAS_PRECISE_SMC */
1385 tb_phys_invalidate(tb, addr);
1386 tb = tb->page_next[n];
1388 p->first_tb = NULL;
1389 #ifdef TARGET_HAS_PRECISE_SMC
1390 if (current_tb_modified) {
1391 /* we generate a block containing just the instruction
1392 modifying the memory. It will ensure that it cannot modify
1393 itself */
1394 cpu->current_tb = NULL;
1395 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1);
1396 if (locked) {
1397 mmap_unlock();
1399 cpu_resume_from_signal(cpu, puc);
1401 #endif
1403 #endif
1405 /* add the tb in the target page and protect it if necessary
1407 * Called with mmap_lock held for user-mode emulation. */
1409 static inline void tb_alloc_page(TranslationBlock *tb,
1410 unsigned int n, tb_page_addr_t page_addr)
1412 PageDesc *p;
1413 #ifndef CONFIG_USER_ONLY
1414 bool page_already_protected;
1415 #endif
1417 tb->page_addr[n] = page_addr;
1418 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
1419 tb->page_next[n] = p->first_tb;
1420 #ifndef CONFIG_USER_ONLY
1421 page_already_protected = p->first_tb != NULL;
1422 #endif
1423 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
1424 invalidate_page_bitmap(p);
1426 #if defined(CONFIG_USER_ONLY)
1427 if (p->flags & PAGE_WRITE) {
1428 target_ulong addr;
1429 PageDesc *p2;
1430 int prot;
1432 /* force the host page as non writable (writes will have a
1433 page fault + mprotect overhead) */
1434 page_addr &= qemu_host_page_mask;
1435 prot = 0;
1436 for (addr = page_addr; addr < page_addr + qemu_host_page_size;
1437 addr += TARGET_PAGE_SIZE) {
1439 p2 = page_find(addr >> TARGET_PAGE_BITS);
1440 if (!p2) {
1441 continue;
1443 prot |= p2->flags;
1444 p2->flags &= ~PAGE_WRITE;
1446 mprotect(g2h(page_addr), qemu_host_page_size,
1447 (prot & PAGE_BITS) & ~PAGE_WRITE);
1448 #ifdef DEBUG_TB_INVALIDATE
1449 printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1450 page_addr);
1451 #endif
1453 #else
1454 /* if some code is already present, then the pages are already
1455 protected. So we handle the case where only the first TB is
1456 allocated in a physical page */
1457 if (!page_already_protected) {
1458 tlb_protect_code(page_addr);
1460 #endif
1463 /* add a new TB and link it to the physical page tables. phys_page2 is
1464 * (-1) to indicate that only one page contains the TB.
1466 * Called with mmap_lock held for user-mode emulation. */
1468 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
1469 tb_page_addr_t phys_page2)
1471 unsigned int h;
1472 TranslationBlock **ptb;
1474 /* add in the physical hash table */
1475 h = tb_phys_hash_func(phys_pc);
1476 ptb = &tcg_ctx.tb_ctx.tb_phys_hash[h];
1477 tb->phys_hash_next = *ptb;
1478 *ptb = tb;
1480 /* add in the page list */
1481 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1482 if (phys_page2 != -1) {
1483 tb_alloc_page(tb, 1, phys_page2);
1484 } else {
1485 tb->page_addr[1] = -1;
1488 tb->jmp_first = (TranslationBlock *)((uintptr_t)tb | 2);
1489 tb->jmp_next[0] = NULL;
1490 tb->jmp_next[1] = NULL;
1492 /* init original jump addresses */
1493 if (tb->tb_next_offset[0] != 0xffff) {
1494 tb_reset_jump(tb, 0);
1496 if (tb->tb_next_offset[1] != 0xffff) {
1497 tb_reset_jump(tb, 1);
1500 #ifdef DEBUG_TB_CHECK
1501 tb_page_check();
1502 #endif
1505 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1506 tb[1].tc_ptr. Return NULL if not found */
1507 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr)
1509 int m_min, m_max, m;
1510 uintptr_t v;
1511 TranslationBlock *tb;
1513 if (tcg_ctx.tb_ctx.nb_tbs <= 0) {
1514 return NULL;
1516 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer ||
1517 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) {
1518 return NULL;
1520 /* binary search (cf Knuth) */
1521 m_min = 0;
1522 m_max = tcg_ctx.tb_ctx.nb_tbs - 1;
1523 while (m_min <= m_max) {
1524 m = (m_min + m_max) >> 1;
1525 tb = &tcg_ctx.tb_ctx.tbs[m];
1526 v = (uintptr_t)tb->tc_ptr;
1527 if (v == tc_ptr) {
1528 return tb;
1529 } else if (tc_ptr < v) {
1530 m_max = m - 1;
1531 } else {
1532 m_min = m + 1;
1535 return &tcg_ctx.tb_ctx.tbs[m_max];
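/* The loop above is a plain "greatest element <= key" binary search: the
   tbs[] array is sorted by tc_ptr because blocks are handed out linearly
   from the code buffer. A stripped-down version over an array of start
   addresses, with made-up values, behaves the same way and shows why
   falling out of the loop and returning m_max is the right answer: */
#include <assert.h>
#include <stdint.h>

static int example_find_le(const uintptr_t *starts, int n, uintptr_t key)
{
    int lo = 0, hi = n - 1;

    while (lo <= hi) {
        int mid = (lo + hi) >> 1;

        if (starts[mid] == key) {
            return mid;
        } else if (key < starts[mid]) {
            hi = mid - 1;
        } else {
            lo = mid + 1;
        }
    }
    return hi;            /* last element <= key; mirrors returning m_max */
}

static void example_find_le_check(void)
{
    uintptr_t starts[] = { 0x1000, 0x1080, 0x1200, 0x1800 };

    assert(example_find_le(starts, 4, 0x1080) == 1);   /* exact hit          */
    assert(example_find_le(starts, 4, 0x11ff) == 1);   /* inside block 1     */
    assert(example_find_le(starts, 4, 0x2000) == 3);   /* after the last one */
}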
1538 #if !defined(CONFIG_USER_ONLY)
1539 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr)
1541 ram_addr_t ram_addr;
1542 MemoryRegion *mr;
1543 hwaddr l = 1;
1545 rcu_read_lock();
1546 mr = address_space_translate(as, addr, &addr, &l, false);
1547 if (!(memory_region_is_ram(mr)
1548 || memory_region_is_romd(mr))) {
1549 rcu_read_unlock();
1550 return;
1552 ram_addr = (memory_region_get_ram_addr(mr) & TARGET_PAGE_MASK)
1553 + addr;
1554 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1555 rcu_read_unlock();
1557 #endif /* !defined(CONFIG_USER_ONLY) */
1559 void tb_check_watchpoint(CPUState *cpu)
1561 TranslationBlock *tb;
1563 tb = tb_find_pc(cpu->mem_io_pc);
1564 if (tb) {
1565 /* We can use retranslation to find the PC. */
1566 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
1567 tb_phys_invalidate(tb, -1);
1568 } else {
1569 /* The exception probably happened in a helper. The CPU state should
1570 have been saved before calling it. Fetch the PC from there. */
1571 CPUArchState *env = cpu->env_ptr;
1572 target_ulong pc, cs_base;
1573 tb_page_addr_t addr;
1574 int flags;
1576 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
1577 addr = get_page_addr_code(env, pc);
1578 tb_invalidate_phys_range(addr, addr + 1);
1582 #ifndef CONFIG_USER_ONLY
1583 /* in deterministic execution mode, instructions doing device I/Os
1584 must be at the end of the TB */
1585 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
1587 #if defined(TARGET_MIPS) || defined(TARGET_SH4)
1588 CPUArchState *env = cpu->env_ptr;
1589 #endif
1590 TranslationBlock *tb;
1591 uint32_t n, cflags;
1592 target_ulong pc, cs_base;
1593 uint64_t flags;
1595 tb = tb_find_pc(retaddr);
1596 if (!tb) {
1597 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
1598 (void *)retaddr);
1600 n = cpu->icount_decr.u16.low + tb->icount;
1601 cpu_restore_state_from_tb(cpu, tb, retaddr);
1602 /* Calculate how many instructions had been executed before the fault
1603 occurred. */
1604 n = n - cpu->icount_decr.u16.low;
1605 /* Generate a new TB ending on the I/O insn. */
1606 n++;
1607 /* On MIPS and SH, delay slot instructions can only be restarted if
1608 they were already the first instruction in the TB. If this is not
1609 the first instruction in a TB then re-execute the preceding
1610 branch. */
1611 #if defined(TARGET_MIPS)
1612 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
1613 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4);
1614 cpu->icount_decr.u16.low++;
1615 env->hflags &= ~MIPS_HFLAG_BMASK;
1617 #elif defined(TARGET_SH4)
1618 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
1619 && n > 1) {
1620 env->pc -= 2;
1621 cpu->icount_decr.u16.low++;
1622 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
1624 #endif
1625 /* This should never happen. */
1626 if (n > CF_COUNT_MASK) {
1627 cpu_abort(cpu, "TB too big during recompile");
1630 cflags = n | CF_LAST_IO;
1631 pc = tb->pc;
1632 cs_base = tb->cs_base;
1633 flags = tb->flags;
1634 tb_phys_invalidate(tb, -1);
1635 if (tb->cflags & CF_NOCACHE) {
1636 if (tb->orig_tb) {
1637 /* Invalidate original TB if this TB was generated in
1638 * cpu_exec_nocache() */
1639 tb_phys_invalidate(tb->orig_tb, -1);
1641 tb_free(tb);
1643 /* FIXME: In theory this could raise an exception. In practice
1644 we have already translated the block once so it's probably ok. */
1645 tb_gen_code(cpu, pc, cs_base, flags, cflags);
1646 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
1647 the first in the TB) then we end up generating a whole new TB and
1648 repeating the fault, which is horribly inefficient.
1649 Better would be to execute just this insn uncached, or generate a
1650 second new TB. */
1651 cpu_resume_from_signal(cpu, NULL);
1654 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
1656 unsigned int i;
1658 /* Discard jump cache entries for any tb which might potentially
1659 overlap the flushed page. */
1660 i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1661 memset(&cpu->tb_jmp_cache[i], 0,
1662 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1664 i = tb_jmp_cache_hash_page(addr);
1665 memset(&cpu->tb_jmp_cache[i], 0,
1666 TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1669 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
1671 int i, target_code_size, max_target_code_size;
1672 int direct_jmp_count, direct_jmp2_count, cross_page;
1673 TranslationBlock *tb;
1675 target_code_size = 0;
1676 max_target_code_size = 0;
1677 cross_page = 0;
1678 direct_jmp_count = 0;
1679 direct_jmp2_count = 0;
1680 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) {
1681 tb = &tcg_ctx.tb_ctx.tbs[i];
1682 target_code_size += tb->size;
1683 if (tb->size > max_target_code_size) {
1684 max_target_code_size = tb->size;
1686 if (tb->page_addr[1] != -1) {
1687 cross_page++;
1689 if (tb->tb_next_offset[0] != 0xffff) {
1690 direct_jmp_count++;
1691 if (tb->tb_next_offset[1] != 0xffff) {
1692 direct_jmp2_count++;
1696 /* XXX: avoid using doubles ? */
1697 cpu_fprintf(f, "Translation buffer state:\n");
1698 cpu_fprintf(f, "gen code size %td/%zd\n",
1699 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer,
1700 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer);
1701 cpu_fprintf(f, "TB count %d/%d\n",
1702 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.code_gen_max_blocks);
1703 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n",
1704 tcg_ctx.tb_ctx.nb_tbs ? target_code_size /
1705 tcg_ctx.tb_ctx.nb_tbs : 0,
1706 max_target_code_size);
1707 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n",
1708 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr -
1709 tcg_ctx.code_gen_buffer) /
1710 tcg_ctx.tb_ctx.nb_tbs : 0,
1711 target_code_size ? (double) (tcg_ctx.code_gen_ptr -
1712 tcg_ctx.code_gen_buffer) /
1713 target_code_size : 0);
1714 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page,
1715 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) /
1716 tcg_ctx.tb_ctx.nb_tbs : 0);
1717 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n",
1718 direct_jmp_count,
1719 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) /
1720 tcg_ctx.tb_ctx.nb_tbs : 0,
1721 direct_jmp2_count,
1722 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) /
1723 tcg_ctx.tb_ctx.nb_tbs : 0);
1724 cpu_fprintf(f, "\nStatistics:\n");
1725 cpu_fprintf(f, "TB flush count %d\n", tcg_ctx.tb_ctx.tb_flush_count);
1726 cpu_fprintf(f, "TB invalidate count %d\n",
1727 tcg_ctx.tb_ctx.tb_phys_invalidate_count);
1728 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count);
1729 tcg_dump_info(f, cpu_fprintf);
1732 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
1734 tcg_dump_op_count(f, cpu_fprintf);
1737 #else /* CONFIG_USER_ONLY */
1739 void cpu_interrupt(CPUState *cpu, int mask)
1741 cpu->interrupt_request |= mask;
1742 cpu->tcg_exit_req = 1;
1746 /* Walks guest process memory "regions" one by one
1747 * and calls callback function 'fn' for each region. */
1749 struct walk_memory_regions_data {
1750 walk_memory_regions_fn fn;
1751 void *priv;
1752 target_ulong start;
1753 int prot;
1756 static int walk_memory_regions_end(struct walk_memory_regions_data *data,
1757 target_ulong end, int new_prot)
1759 if (data->start != -1u) {
1760 int rc = data->fn(data->priv, data->start, end, data->prot);
1761 if (rc != 0) {
1762 return rc;
1766 data->start = (new_prot ? end : -1u);
1767 data->prot = new_prot;
1769 return 0;
1772 static int walk_memory_regions_1(struct walk_memory_regions_data *data,
1773 target_ulong base, int level, void **lp)
1775 target_ulong pa;
1776 int i, rc;
1778 if (*lp == NULL) {
1779 return walk_memory_regions_end(data, base, 0);
1782 if (level == 0) {
1783 PageDesc *pd = *lp;
1785 for (i = 0; i < V_L2_SIZE; ++i) {
1786 int prot = pd[i].flags;
1788 pa = base | (i << TARGET_PAGE_BITS);
1789 if (prot != data->prot) {
1790 rc = walk_memory_regions_end(data, pa, prot);
1791 if (rc != 0) {
1792 return rc;
1796 } else {
1797 void **pp = *lp;
1799 for (i = 0; i < V_L2_SIZE; ++i) {
1800 pa = base | ((target_ulong)i <<
1801 (TARGET_PAGE_BITS + V_L2_BITS * level));
1802 rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
1803 if (rc != 0) {
1804 return rc;
1809 return 0;
1812 int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
1814 struct walk_memory_regions_data data;
1815 uintptr_t i;
1817 data.fn = fn;
1818 data.priv = priv;
1819 data.start = -1u;
1820 data.prot = 0;
1822 for (i = 0; i < V_L1_SIZE; i++) {
1823 int rc = walk_memory_regions_1(&data, (target_ulong)i << (V_L1_SHIFT + TARGET_PAGE_BITS),
1824 V_L1_SHIFT / V_L2_BITS - 1, l1_map + i);
1825 if (rc != 0) {
1826 return rc;
1830 return walk_memory_regions_end(&data, 0, 0);
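/* At its core the walk above is run-length encoding: consecutive pages with
   identical protection are merged and reported to the callback as a single
   region. The same idea over a flat per-page prot[] array, with the radix
   tree and callback plumbing stripped away (names and data are made up): */
#include <stdio.h>

static void example_dump_regions(const int *prot, int npages, int page_bits)
{
    int start = -1, cur = 0, i;

    for (i = 0; i <= npages; i++) {
        int p = (i < npages) ? prot[i] : 0;   /* trailing 0 flushes last run */

        if (p != cur) {
            if (cur != 0) {
                printf("%#lx-%#lx prot=%d\n",
                       (long)start << page_bits, (long)i << page_bits, cur);
            }
            start = (p != 0) ? i : -1;
            cur = p;
        }
    }
}

/* example_dump_regions((int[]){ 0, 3, 3, 1, 0 }, 5, 12) prints two regions:
   0x1000-0x3000 prot=3 and 0x3000-0x4000 prot=1. */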
1833 static int dump_region(void *priv, target_ulong start,
1834 target_ulong end, unsigned long prot)
1836 FILE *f = (FILE *)priv;
1838 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
1839 " "TARGET_FMT_lx" %c%c%c\n",
1840 start, end, end - start,
1841 ((prot & PAGE_READ) ? 'r' : '-'),
1842 ((prot & PAGE_WRITE) ? 'w' : '-'),
1843 ((prot & PAGE_EXEC) ? 'x' : '-'));
1845 return 0;
1848 /* dump memory mappings */
1849 void page_dump(FILE *f)
1851 const int length = sizeof(target_ulong) * 2;
1852 (void) fprintf(f, "%-*s %-*s %-*s %s\n",
1853 length, "start", length, "end", length, "size", "prot");
1854 walk_memory_regions(f, dump_region);
1857 int page_get_flags(target_ulong address)
1859 PageDesc *p;
1861 p = page_find(address >> TARGET_PAGE_BITS);
1862 if (!p) {
1863 return 0;
1865 return p->flags;
1868 /* Modify the flags of a page and invalidate the code if necessary.
1869 The flag PAGE_WRITE_ORG is positioned automatically depending
1870 on PAGE_WRITE. The mmap_lock should already be held. */
1871 void page_set_flags(target_ulong start, target_ulong end, int flags)
1873 target_ulong addr, len;
1875 /* This function should never be called with addresses outside the
1876 guest address space. If this assert fires, it probably indicates
1877 a missing call to h2g_valid. */
1878 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1879 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1880 #endif
1881 assert(start < end);
1883 start = start & TARGET_PAGE_MASK;
1884 end = TARGET_PAGE_ALIGN(end);
1886 if (flags & PAGE_WRITE) {
1887 flags |= PAGE_WRITE_ORG;
1890 for (addr = start, len = end - start;
1891 len != 0;
1892 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1893 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
1895 /* If the write protection bit is set, then we invalidate
1896 the code inside. */
1897 if (!(p->flags & PAGE_WRITE) &&
1898 (flags & PAGE_WRITE) &&
1899 p->first_tb) {
1900 tb_invalidate_phys_page(addr, 0, NULL, false);
1902 p->flags = flags;
1906 int page_check_range(target_ulong start, target_ulong len, int flags)
1908 PageDesc *p;
1909 target_ulong end;
1910 target_ulong addr;
1912 /* This function should never be called with addresses outside the
1913 guest address space. If this assert fires, it probably indicates
1914 a missing call to h2g_valid. */
1915 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
1916 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
1917 #endif
1919 if (len == 0) {
1920 return 0;
1922 if (start + len - 1 < start) {
1923 /* We've wrapped around. */
1924 return -1;
1927 /* must do this before we lose bits in the next step */
1928 end = TARGET_PAGE_ALIGN(start + len);
1929 start = start & TARGET_PAGE_MASK;
1931 for (addr = start, len = end - start;
1932 len != 0;
1933 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
1934 p = page_find(addr >> TARGET_PAGE_BITS);
1935 if (!p) {
1936 return -1;
1938 if (!(p->flags & PAGE_VALID)) {
1939 return -1;
1942 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
1943 return -1;
1945 if (flags & PAGE_WRITE) {
1946 if (!(p->flags & PAGE_WRITE_ORG)) {
1947 return -1;
1949 /* unprotect the page if it was put read-only because it
1950 contains translated code */
1951 if (!(p->flags & PAGE_WRITE)) {
1952 if (!page_unprotect(addr, 0, NULL)) {
1953 return -1;
1958 return 0;
1961 /* called from signal handler: invalidate the code and unprotect the
1962 page. Return TRUE if the fault was successfully handled. */
1963 int page_unprotect(target_ulong address, uintptr_t pc, void *puc)
1965 unsigned int prot;
1966 PageDesc *p;
1967 target_ulong host_start, host_end, addr;
1969 /* Technically this isn't safe inside a signal handler. However we
1970 know this only ever happens in a synchronous SEGV handler, so in
1971 practice it seems to be ok. */
1972 mmap_lock();
1974 p = page_find(address >> TARGET_PAGE_BITS);
1975 if (!p) {
1976 mmap_unlock();
1977 return 0;
1980 /* if the page was really writable, then we change its
1981 protection back to writable */
1982 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
1983 host_start = address & qemu_host_page_mask;
1984 host_end = host_start + qemu_host_page_size;
1986 prot = 0;
1987 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
1988 p = page_find(addr >> TARGET_PAGE_BITS);
1989 p->flags |= PAGE_WRITE;
1990 prot |= p->flags;
1992 /* and since the content will be modified, we must invalidate
1993 the corresponding translated code. */
1994 tb_invalidate_phys_page(addr, pc, puc, true);
1995 #ifdef DEBUG_TB_CHECK
1996 tb_invalidate_check(addr);
1997 #endif
1999 mprotect((void *)g2h(host_start), qemu_host_page_size,
2000 prot & PAGE_BITS);
2002 mmap_unlock();
2003 return 1;
2005 mmap_unlock();
2006 return 0;
2008 #endif /* CONFIG_USER_ONLY */