search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
plugins: implement helpers for resolving hwaddr
[qemu/ar7.git] / accel / tcg / cputlb.c
blob2c06b57272ec864391844de3577f388a69c80da0
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/address-spaces.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/cputlb.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35 #include "qemu/atomic128.h"
36 #include "translate-all.h"
37 #ifdef CONFIG_PLUGIN
38 #include "qemu/plugin-memory.h"
39 #endif
40
41 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
42 /* #define DEBUG_TLB */
43 /* #define DEBUG_TLB_LOG */
44
45 #ifdef DEBUG_TLB
46 # define DEBUG_TLB_GATE 1
47 # ifdef DEBUG_TLB_LOG
48 # define DEBUG_TLB_LOG_GATE 1
49 # else
50 # define DEBUG_TLB_LOG_GATE 0
51 # endif
52 #else
53 # define DEBUG_TLB_GATE 0
54 # define DEBUG_TLB_LOG_GATE 0
55 #endif
56
57 #define tlb_debug(fmt, ...) do { \
58 if (DEBUG_TLB_LOG_GATE) { \
59 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
60 ## __VA_ARGS__); \
61 } else if (DEBUG_TLB_GATE) { \
62 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
63 } \
64 } while (0)
65
66 #define assert_cpu_is_self(cpu) do { \
67 if (DEBUG_TLB_GATE) { \
68 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
69 } \
70 } while (0)
71
72 /* run_on_cpu_data.target_ptr should always be big enough for a
73 * target_ulong even on 32 bit builds */
74 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
75
76 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
77 */
78 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
79 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
80
81 static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
82 {
83 return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
84 }
85
86 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
87 size_t max_entries)
88 {
89 desc->window_begin_ns = ns;
90 desc->window_max_entries = max_entries;
91 }
92
93 static void tlb_dyn_init(CPUArchState *env)
94 {
95 int i;
96
97 for (i = 0; i < NB_MMU_MODES; i++) {
98 CPUTLBDesc *desc = &env_tlb(env)->d[i];
99 size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
100
101 tlb_window_reset(desc, get_clock_realtime(), 0);
102 desc->n_used_entries = 0;
103 env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
104 env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
105 env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
106 }
107 }
108
109 /**
110 * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
111 * @env: CPU that owns the TLB
112 * @mmu_idx: MMU index of the TLB
113 *
114 * Called with tlb_lock_held.
115 *
116 * We have two main constraints when resizing a TLB: (1) we only resize it
117 * on a TLB flush (otherwise we'd have to take a perf hit by either rehashing
118 * the array or unnecessarily flushing it), which means we do not control how
119 * frequently the resizing can occur; (2) we don't have access to the guest's
120 * future scheduling decisions, and therefore have to decide the magnitude of
121 * the resize based on past observations.
122 *
123 * In general, a memory-hungry process can benefit greatly from an appropriately
124 * sized TLB, since a guest TLB miss is very expensive. This doesn't mean that
125 * we just have to make the TLB as large as possible; while an oversized TLB
126 * results in minimal TLB miss rates, it also takes longer to be flushed
127 * (flushes can be _very_ frequent), and the reduced locality can also hurt
128 * performance.
129 *
130 * To achieve near-optimal performance for all kinds of workloads, we:
131 *
132 * 1. Aggressively increase the size of the TLB when the use rate of the
133 * TLB being flushed is high, since it is likely that in the near future this
134 * memory-hungry process will execute again, and its memory hungriness will
135 * probably be similar.
136 *
137 * 2. Slowly reduce the size of the TLB as the use rate declines over a
138 * reasonably large time window. The rationale is that if in such a time window
139 * we have not observed a high TLB use rate, it is likely that we won't observe
140 * it in the near future. In that case, once a time window expires we downsize
141 * the TLB to match the maximum use rate observed in the window.
142 *
143 * 3. Try to keep the maximum use rate in a time window in the 30-70% range,
144 * since in that range performance is likely near-optimal. Recall that the TLB
145 * is direct mapped, so we want the use rate to be low (or at least not too
146 * high), since otherwise we are likely to have a significant amount of
147 * conflict misses.
148 */
149 static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
150 {
151 CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
152 size_t old_size = tlb_n_entries(env, mmu_idx);
153 size_t rate;
154 size_t new_size = old_size;
155 int64_t now = get_clock_realtime();
156 int64_t window_len_ms = 100;
157 int64_t window_len_ns = window_len_ms * 1000 * 1000;
158 bool window_expired = now > desc->window_begin_ns + window_len_ns;
159
160 if (desc->n_used_entries > desc->window_max_entries) {
161 desc->window_max_entries = desc->n_used_entries;
162 }
163 rate = desc->window_max_entries * 100 / old_size;
164
165 if (rate > 70) {
166 new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS);
167 } else if (rate < 30 && window_expired) {
168 size_t ceil = pow2ceil(desc->window_max_entries);
169 size_t expected_rate = desc->window_max_entries * 100 / ceil;
170
171 /*
172 * Avoid undersizing when the max number of entries seen is just below
173 * a pow2. For instance, if max_entries == 1025, the expected use rate
174 * would be 1025/2048==50%. However, if max_entries == 1023, we'd get
175 * 1023/1024==99.9% use rate, so we'd likely end up doubling the size
176 * later. Thus, make sure that the expected use rate remains below 70%.
177 * (and since we double the size, that means the lowest rate we'd
178 * expect to get is 35%, which is still in the 30-70% range where
179 * we consider that the size is appropriate.)
180 */
181 if (expected_rate > 70) {
182 ceil *= 2;
183 }
184 new_size = MAX(ceil, 1 << CPU_TLB_DYN_MIN_BITS);
185 }
186
187 if (new_size == old_size) {
188 if (window_expired) {
189 tlb_window_reset(desc, now, desc->n_used_entries);
190 }
191 return;
192 }
193
194 g_free(env_tlb(env)->f[mmu_idx].table);
195 g_free(env_tlb(env)->d[mmu_idx].iotlb);
196
197 tlb_window_reset(desc, now, 0);
198 /* desc->n_used_entries is cleared by the caller */
199 env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
200 env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
201 env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
202 /*
203 * If the allocations fail, try smaller sizes. We just freed some
204 * memory, so going back to half of new_size has a good chance of working.
205 * Increased memory pressure elsewhere in the system might cause the
206 * allocations to fail though, so we progressively reduce the allocation
207 * size, aborting if we cannot even allocate the smallest TLB we support.
208 */
209 while (env_tlb(env)->f[mmu_idx].table == NULL ||
210 env_tlb(env)->d[mmu_idx].iotlb == NULL) {
211 if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
212 error_report("%s: %s", __func__, strerror(errno));
213 abort();
214 }
215 new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
216 env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
217
218 g_free(env_tlb(env)->f[mmu_idx].table);
219 g_free(env_tlb(env)->d[mmu_idx].iotlb);
220 env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
221 env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
222 }
223 }
224
225 static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
226 {
227 tlb_mmu_resize_locked(env, mmu_idx);
228 memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
229 env_tlb(env)->d[mmu_idx].n_used_entries = 0;
230 }
231
232 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
233 {
234 env_tlb(env)->d[mmu_idx].n_used_entries++;
235 }
236
237 static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
238 {
239 env_tlb(env)->d[mmu_idx].n_used_entries--;
240 }
241
242 void tlb_init(CPUState *cpu)
243 {
244 CPUArchState *env = cpu->env_ptr;
245
246 qemu_spin_init(&env_tlb(env)->c.lock);
247
248 /* Ensure that cpu_reset performs a full flush. */
249 env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
250
251 tlb_dyn_init(env);
252 }
253
254 /* flush_all_helper: run fn across all cpus
255 *
256 * If the wait flag is set then the src cpu's helper will be queued as
257 * "safe" work and the loop exited creating a synchronisation point
258 * where all queued work will be finished before execution starts
259 * again.
260 */
261 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
262 run_on_cpu_data d)
263 {
264 CPUState *cpu;
265
266 CPU_FOREACH(cpu) {
267 if (cpu != src) {
268 async_run_on_cpu(cpu, fn, d);
269 }
270 }
271 }
272
273 void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
274 {
275 CPUState *cpu;
276 size_t full = 0, part = 0, elide = 0;
277
278 CPU_FOREACH(cpu) {
279 CPUArchState *env = cpu->env_ptr;
280
281 full += atomic_read(&env_tlb(env)->c.full_flush_count);
282 part += atomic_read(&env_tlb(env)->c.part_flush_count);
283 elide += atomic_read(&env_tlb(env)->c.elide_flush_count);
284 }
285 *pfull = full;
286 *ppart = part;
287 *pelide = elide;
288 }
289
290 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
291 {
292 tlb_table_flush_by_mmuidx(env, mmu_idx);
293 env_tlb(env)->d[mmu_idx].large_page_addr = -1;
294 env_tlb(env)->d[mmu_idx].large_page_mask = -1;
295 env_tlb(env)->d[mmu_idx].vindex = 0;
296 memset(env_tlb(env)->d[mmu_idx].vtable, -1,
297 sizeof(env_tlb(env)->d[0].vtable));
298 }
299
300 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
301 {
302 CPUArchState *env = cpu->env_ptr;
303 uint16_t asked = data.host_int;
304 uint16_t all_dirty, work, to_clean;
305
306 assert_cpu_is_self(cpu);
307
308 tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked);
309
310 qemu_spin_lock(&env_tlb(env)->c.lock);
311
312 all_dirty = env_tlb(env)->c.dirty;
313 to_clean = asked & all_dirty;
314 all_dirty &= ~to_clean;
315 env_tlb(env)->c.dirty = all_dirty;
316
317 for (work = to_clean; work != 0; work &= work - 1) {
318 int mmu_idx = ctz32(work);
319 tlb_flush_one_mmuidx_locked(env, mmu_idx);
320 }
321
322 qemu_spin_unlock(&env_tlb(env)->c.lock);
323
324 cpu_tb_jmp_cache_clear(cpu);
325
326 if (to_clean == ALL_MMUIDX_BITS) {
327 atomic_set(&env_tlb(env)->c.full_flush_count,
328 env_tlb(env)->c.full_flush_count + 1);
329 } else {
330 atomic_set(&env_tlb(env)->c.part_flush_count,
331 env_tlb(env)->c.part_flush_count + ctpop16(to_clean));
332 if (to_clean != asked) {
333 atomic_set(&env_tlb(env)->c.elide_flush_count,
334 env_tlb(env)->c.elide_flush_count +
335 ctpop16(asked & ~to_clean));
336 }
337 }
338 }
339
340 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
341 {
342 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
343
344 if (cpu->created && !qemu_cpu_is_self(cpu)) {
345 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
346 RUN_ON_CPU_HOST_INT(idxmap));
347 } else {
348 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
349 }
350 }
351
352 void tlb_flush(CPUState *cpu)
353 {
354 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
355 }
356
357 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
358 {
359 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
360
361 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
362
363 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
364 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
365 }
366
367 void tlb_flush_all_cpus(CPUState *src_cpu)
368 {
369 tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
370 }
371
372 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
373 {
374 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
375
376 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
377
378 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
379 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
380 }
381
382 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
383 {
384 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
385 }
386
387 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
388 target_ulong page)
389 {
390 return tlb_hit_page(tlb_entry->addr_read, page) ||
391 tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
392 tlb_hit_page(tlb_entry->addr_code, page);
393 }
394
395 /**
396 * tlb_entry_is_empty - return true if the entry is not in use
397 * @te: pointer to CPUTLBEntry
398 */
399 static inline bool tlb_entry_is_empty(const CPUTLBEntry *te)
400 {
401 return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1;
402 }
403
404 /* Called with tlb_c.lock held */
405 static inline bool tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
406 target_ulong page)
407 {
408 if (tlb_hit_page_anyprot(tlb_entry, page)) {
409 memset(tlb_entry, -1, sizeof(*tlb_entry));
410 return true;
411 }
412 return false;
413 }
414
415 /* Called with tlb_c.lock held */
416 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
417 target_ulong page)
418 {
419 CPUTLBDesc *d = &env_tlb(env)->d[mmu_idx];
420 int k;
421
422 assert_cpu_is_self(env_cpu(env));
423 for (k = 0; k < CPU_VTLB_SIZE; k++) {
424 if (tlb_flush_entry_locked(&d->vtable[k], page)) {
425 tlb_n_used_entries_dec(env, mmu_idx);
426 }
427 }
428 }
429
430 static void tlb_flush_page_locked(CPUArchState *env, int midx,
431 target_ulong page)
432 {
433 target_ulong lp_addr = env_tlb(env)->d[midx].large_page_addr;
434 target_ulong lp_mask = env_tlb(env)->d[midx].large_page_mask;
435
436 /* Check if we need to flush due to large pages. */
437 if ((page & lp_mask) == lp_addr) {
438 tlb_debug("forcing full flush midx %d ("
439 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
440 midx, lp_addr, lp_mask);
441 tlb_flush_one_mmuidx_locked(env, midx);
442 } else {
443 if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
444 tlb_n_used_entries_dec(env, midx);
445 }
446 tlb_flush_vtlb_page_locked(env, midx, page);
447 }
448 }
449
450 /* As we are going to hijack the bottom bits of the page address for a
451 * mmuidx bit mask we need to fail to build if we can't do that
452 */
453 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
454
455 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
456 run_on_cpu_data data)
457 {
458 CPUArchState *env = cpu->env_ptr;
459 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
460 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
461 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
462 int mmu_idx;
463
464 assert_cpu_is_self(cpu);
465
466 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
467 addr, mmu_idx_bitmap);
468
469 qemu_spin_lock(&env_tlb(env)->c.lock);
470 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
471 if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
472 tlb_flush_page_locked(env, mmu_idx, addr);
473 }
474 }
475 qemu_spin_unlock(&env_tlb(env)->c.lock);
476
477 tb_flush_jmp_cache(cpu, addr);
478 }
479
480 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
481 {
482 target_ulong addr_and_mmu_idx;
483
484 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
485
486 /* This should already be page aligned */
487 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
488 addr_and_mmu_idx |= idxmap;
489
490 if (!qemu_cpu_is_self(cpu)) {
491 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
492 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
493 } else {
494 tlb_flush_page_by_mmuidx_async_work(
495 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
496 }
497 }
498
499 void tlb_flush_page(CPUState *cpu, target_ulong addr)
500 {
501 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
502 }
503
504 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
505 uint16_t idxmap)
506 {
507 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
508 target_ulong addr_and_mmu_idx;
509
510 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
511
512 /* This should already be page aligned */
513 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
514 addr_and_mmu_idx |= idxmap;
515
516 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
517 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
518 }
519
520 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
521 {
522 tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS);
523 }
524
525 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
526 target_ulong addr,
527 uint16_t idxmap)
528 {
529 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
530 target_ulong addr_and_mmu_idx;
531
532 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
533
534 /* This should already be page aligned */
535 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
536 addr_and_mmu_idx |= idxmap;
537
538 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
539 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
540 }
541
542 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
543 {
544 tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
545 }
546
547 /* update the TLBs so that writes to code in the virtual page 'addr'
548 can be detected */
549 void tlb_protect_code(ram_addr_t ram_addr)
550 {
551 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
552 DIRTY_MEMORY_CODE);
553 }
554
555 /* update the TLB so that writes in physical page 'phys_addr' are no longer
556 tested for self modifying code */
557 void tlb_unprotect_code(ram_addr_t ram_addr)
558 {
559 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
560 }
561
562
563 /*
564 * Dirty write flag handling
565 *
566 * When the TCG code writes to a location it looks up the address in
567 * the TLB and uses that data to compute the final address. If any of
568 * the lower bits of the address are set then the slow path is forced.
569 * There are a number of reasons to do this but for normal RAM the
570 * most usual is detecting writes to code regions which may invalidate
571 * generated code.
572 *
573 * Other vCPUs might be reading their TLBs during guest execution, so we update
574 * te->addr_write with atomic_set. We don't need to worry about this for
575 * oversized guests as MTTCG is disabled for them.
576 *
577 * Called with tlb_c.lock held.
578 */
579 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
580 uintptr_t start, uintptr_t length)
581 {
582 uintptr_t addr = tlb_entry->addr_write;
583
584 if ((addr & (TLB_INVALID_MASK | TLB_MMIO |
585 TLB_DISCARD_WRITE | TLB_NOTDIRTY)) == 0) {
586 addr &= TARGET_PAGE_MASK;
587 addr += tlb_entry->addend;
588 if ((addr - start) < length) {
589 #if TCG_OVERSIZED_GUEST
590 tlb_entry->addr_write |= TLB_NOTDIRTY;
591 #else
592 atomic_set(&tlb_entry->addr_write,
593 tlb_entry->addr_write | TLB_NOTDIRTY);
594 #endif
595 }
596 }
597 }
598
599 /*
600 * Called with tlb_c.lock held.
601 * Called only from the vCPU context, i.e. the TLB's owner thread.
602 */
603 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
604 {
605 *d = *s;
606 }
607
608 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
609 * the target vCPU).
610 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
611 * thing actually updated is the target TLB entry ->addr_write flags.
612 */
613 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
614 {
615 CPUArchState *env;
616
617 int mmu_idx;
618
619 env = cpu->env_ptr;
620 qemu_spin_lock(&env_tlb(env)->c.lock);
621 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
622 unsigned int i;
623 unsigned int n = tlb_n_entries(env, mmu_idx);
624
625 for (i = 0; i < n; i++) {
626 tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
627 start1, length);
628 }
629
630 for (i = 0; i < CPU_VTLB_SIZE; i++) {
631 tlb_reset_dirty_range_locked(&env_tlb(env)->d[mmu_idx].vtable[i],
632 start1, length);
633 }
634 }
635 qemu_spin_unlock(&env_tlb(env)->c.lock);
636 }
637
638 /* Called with tlb_c.lock held */
639 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
640 target_ulong vaddr)
641 {
642 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
643 tlb_entry->addr_write = vaddr;
644 }
645 }
646
647 /* update the TLB corresponding to virtual page vaddr
648 so that it is no longer dirty */
649 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
650 {
651 CPUArchState *env = cpu->env_ptr;
652 int mmu_idx;
653
654 assert_cpu_is_self(cpu);
655
656 vaddr &= TARGET_PAGE_MASK;
657 qemu_spin_lock(&env_tlb(env)->c.lock);
658 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
659 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
660 }
661
662 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
663 int k;
664 for (k = 0; k < CPU_VTLB_SIZE; k++) {
665 tlb_set_dirty1_locked(&env_tlb(env)->d[mmu_idx].vtable[k], vaddr);
666 }
667 }
668 qemu_spin_unlock(&env_tlb(env)->c.lock);
669 }
670
671 /* Our TLB does not support large pages, so remember the area covered by
672 large pages and trigger a full TLB flush if these are invalidated. */
673 static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
674 target_ulong vaddr, target_ulong size)
675 {
676 target_ulong lp_addr = env_tlb(env)->d[mmu_idx].large_page_addr;
677 target_ulong lp_mask = ~(size - 1);
678
679 if (lp_addr == (target_ulong)-1) {
680 /* No previous large page. */
681 lp_addr = vaddr;
682 } else {
683 /* Extend the existing region to include the new page.
684 This is a compromise between unnecessary flushes and
685 the cost of maintaining a full variable size TLB. */
686 lp_mask &= env_tlb(env)->d[mmu_idx].large_page_mask;
687 while (((lp_addr ^ vaddr) & lp_mask) != 0) {
688 lp_mask <<= 1;
689 }
690 }
691 env_tlb(env)->d[mmu_idx].large_page_addr = lp_addr & lp_mask;
692 env_tlb(env)->d[mmu_idx].large_page_mask = lp_mask;
693 }
694
695 /* Add a new TLB entry. At most one entry for a given virtual address
696 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
697 * supplied size is only used by tlb_flush_page.
698 *
699 * Called from TCG-generated code, which is under an RCU read-side
700 * critical section.
701 */
702 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
703 hwaddr paddr, MemTxAttrs attrs, int prot,
704 int mmu_idx, target_ulong size)
705 {
706 CPUArchState *env = cpu->env_ptr;
707 CPUTLB *tlb = env_tlb(env);
708 CPUTLBDesc *desc = &tlb->d[mmu_idx];
709 MemoryRegionSection *section;
710 unsigned int index;
711 target_ulong address;
712 target_ulong write_address;
713 uintptr_t addend;
714 CPUTLBEntry *te, tn;
715 hwaddr iotlb, xlat, sz, paddr_page;
716 target_ulong vaddr_page;
717 int asidx = cpu_asidx_from_attrs(cpu, attrs);
718 int wp_flags;
719 bool is_ram, is_romd;
720
721 assert_cpu_is_self(cpu);
722
723 if (size <= TARGET_PAGE_SIZE) {
724 sz = TARGET_PAGE_SIZE;
725 } else {
726 tlb_add_large_page(env, mmu_idx, vaddr, size);
727 sz = size;
728 }
729 vaddr_page = vaddr & TARGET_PAGE_MASK;
730 paddr_page = paddr & TARGET_PAGE_MASK;
731
732 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
733 &xlat, &sz, attrs, &prot);
734 assert(sz >= TARGET_PAGE_SIZE);
735
736 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
737 " prot=%x idx=%d\n",
738 vaddr, paddr, prot, mmu_idx);
739
740 address = vaddr_page;
741 if (size < TARGET_PAGE_SIZE) {
742 /* Repeat the MMU check and TLB fill on every access. */
743 address |= TLB_INVALID_MASK;
744 }
745 if (attrs.byte_swap) {
746 address |= TLB_BSWAP;
747 }
748
749 is_ram = memory_region_is_ram(section->mr);
750 is_romd = memory_region_is_romd(section->mr);
751
752 if (is_ram || is_romd) {
753 /* RAM and ROMD both have associated host memory. */
754 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
755 } else {
756 /* I/O does not; force the host address to NULL. */
757 addend = 0;
758 }
759
760 write_address = address;
761 if (is_ram) {
762 iotlb = memory_region_get_ram_addr(section->mr) + xlat;
763 /*
764 * Computing is_clean is expensive; avoid all that unless
765 * the page is actually writable.
766 */
767 if (prot & PAGE_WRITE) {
768 if (section->readonly) {
769 write_address |= TLB_DISCARD_WRITE;
770 } else if (cpu_physical_memory_is_clean(iotlb)) {
771 write_address |= TLB_NOTDIRTY;
772 }
773 }
774 } else {
775 /* I/O or ROMD */
776 iotlb = memory_region_section_get_iotlb(cpu, section) + xlat;
777 /*
778 * Writes to romd devices must go through MMIO to enable write.
779 * Reads to romd devices go through the ram_ptr found above,
780 * but of course reads to I/O must go through MMIO.
781 */
782 write_address |= TLB_MMIO;
783 if (!is_romd) {
784 address = write_address;
785 }
786 }
787
788 wp_flags = cpu_watchpoint_address_matches(cpu, vaddr_page,
789 TARGET_PAGE_SIZE);
790
791 index = tlb_index(env, mmu_idx, vaddr_page);
792 te = tlb_entry(env, mmu_idx, vaddr_page);
793
794 /*
795 * Hold the TLB lock for the rest of the function. We could acquire/release
796 * the lock several times in the function, but it is faster to amortize the
797 * acquisition cost by acquiring it just once. Note that this leads to
798 * a longer critical section, but this is not a concern since the TLB lock
799 * is unlikely to be contended.
800 */
801 qemu_spin_lock(&tlb->c.lock);
802
803 /* Note that the tlb is no longer clean. */
804 tlb->c.dirty |= 1 << mmu_idx;
805
806 /* Make sure there's no cached translation for the new page. */
807 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);
808
809 /*
810 * Only evict the old entry to the victim tlb if it's for a
811 * different page; otherwise just overwrite the stale data.
812 */
813 if (!tlb_hit_page_anyprot(te, vaddr_page) && !tlb_entry_is_empty(te)) {
814 unsigned vidx = desc->vindex++ % CPU_VTLB_SIZE;
815 CPUTLBEntry *tv = &desc->vtable[vidx];
816
817 /* Evict the old entry into the victim tlb. */
818 copy_tlb_helper_locked(tv, te);
819 desc->viotlb[vidx] = desc->iotlb[index];
820 tlb_n_used_entries_dec(env, mmu_idx);
821 }
822
823 /* refill the tlb */
824 /*
825 * At this point iotlb contains a physical section number in the lower
826 * TARGET_PAGE_BITS, and either
827 * + the ram_addr_t of the page base of the target RAM (RAM)
828 * + the offset within section->mr of the page base (I/O, ROMD)
829 * We subtract the vaddr_page (which is page aligned and thus won't
830 * disturb the low bits) to give an offset which can be added to the
831 * (non-page-aligned) vaddr of the eventual memory access to get
832 * the MemoryRegion offset for the access. Note that the vaddr we
833 * subtract here is that of the page base, and not the same as the
834 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
835 */
836 desc->iotlb[index].addr = iotlb - vaddr_page;
837 desc->iotlb[index].attrs = attrs;
838
839 /* Now calculate the new entry */
840 tn.addend = addend - vaddr_page;
841 if (prot & PAGE_READ) {
842 tn.addr_read = address;
843 if (wp_flags & BP_MEM_READ) {
844 tn.addr_read |= TLB_WATCHPOINT;
845 }
846 } else {
847 tn.addr_read = -1;
848 }
849
850 if (prot & PAGE_EXEC) {
851 tn.addr_code = address;
852 } else {
853 tn.addr_code = -1;
854 }
855
856 tn.addr_write = -1;
857 if (prot & PAGE_WRITE) {
858 tn.addr_write = write_address;
859 if (prot & PAGE_WRITE_INV) {
860 tn.addr_write |= TLB_INVALID_MASK;
861 }
862 if (wp_flags & BP_MEM_WRITE) {
863 tn.addr_write |= TLB_WATCHPOINT;
864 }
865 }
866
867 copy_tlb_helper_locked(te, &tn);
868 tlb_n_used_entries_inc(env, mmu_idx);
869 qemu_spin_unlock(&tlb->c.lock);
870 }
871
872 /* Add a new TLB entry, but without specifying the memory
873 * transaction attributes to be used.
874 */
875 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
876 hwaddr paddr, int prot,
877 int mmu_idx, target_ulong size)
878 {
879 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
880 prot, mmu_idx, size);
881 }
882
883 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
884 {
885 ram_addr_t ram_addr;
886
887 ram_addr = qemu_ram_addr_from_host(ptr);
888 if (ram_addr == RAM_ADDR_INVALID) {
889 error_report("Bad ram pointer %p", ptr);
890 abort();
891 }
892 return ram_addr;
893 }
894
895 /*
896 * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
897 * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
898 * be discarded and looked up again (e.g. via tlb_entry()).
899 */
900 static void tlb_fill(CPUState *cpu, target_ulong addr, int size,
901 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
902 {
903 CPUClass *cc = CPU_GET_CLASS(cpu);
904 bool ok;
905
906 /*
907 * This is not a probe, so only valid return is success; failure
908 * should result in exception + longjmp to the cpu loop.
909 */
910 ok = cc->tlb_fill(cpu, addr, size, access_type, mmu_idx, false, retaddr);
911 assert(ok);
912 }
913
914 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
915 int mmu_idx, target_ulong addr, uintptr_t retaddr,
916 MMUAccessType access_type, MemOp op)
917 {
918 CPUState *cpu = env_cpu(env);
919 hwaddr mr_offset;
920 MemoryRegionSection *section;
921 MemoryRegion *mr;
922 uint64_t val;
923 bool locked = false;
924 MemTxResult r;
925
926 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
927 mr = section->mr;
928 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
929 cpu->mem_io_pc = retaddr;
930 if (!cpu->can_do_io) {
931 cpu_io_recompile(cpu, retaddr);
932 }
933
934 cpu->mem_io_access_type = access_type;
935
936 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
937 qemu_mutex_lock_iothread();
938 locked = true;
939 }
940 r = memory_region_dispatch_read(mr, mr_offset, &val, op, iotlbentry->attrs);
941 if (r != MEMTX_OK) {
942 hwaddr physaddr = mr_offset +
943 section->offset_within_address_space -
944 section->offset_within_region;
945
946 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op), access_type,
947 mmu_idx, iotlbentry->attrs, r, retaddr);
948 }
949 if (locked) {
950 qemu_mutex_unlock_iothread();
951 }
952
953 return val;
954 }
955
956 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
957 int mmu_idx, uint64_t val, target_ulong addr,
958 uintptr_t retaddr, MemOp op)
959 {
960 CPUState *cpu = env_cpu(env);
961 hwaddr mr_offset;
962 MemoryRegionSection *section;
963 MemoryRegion *mr;
964 bool locked = false;
965 MemTxResult r;
966
967 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
968 mr = section->mr;
969 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
970 if (!cpu->can_do_io) {
971 cpu_io_recompile(cpu, retaddr);
972 }
973 cpu->mem_io_pc = retaddr;
974
975 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
976 qemu_mutex_lock_iothread();
977 locked = true;
978 }
979 r = memory_region_dispatch_write(mr, mr_offset, val, op, iotlbentry->attrs);
980 if (r != MEMTX_OK) {
981 hwaddr physaddr = mr_offset +
982 section->offset_within_address_space -
983 section->offset_within_region;
984
985 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op),
986 MMU_DATA_STORE, mmu_idx, iotlbentry->attrs, r,
987 retaddr);
988 }
989 if (locked) {
990 qemu_mutex_unlock_iothread();
991 }
992 }
993
994 static inline target_ulong tlb_read_ofs(CPUTLBEntry *entry, size_t ofs)
995 {
996 #if TCG_OVERSIZED_GUEST
997 return *(target_ulong *)((uintptr_t)entry + ofs);
998 #else
999 /* ofs might correspond to .addr_write, so use atomic_read */
1000 return atomic_read((target_ulong *)((uintptr_t)entry + ofs));
1001 #endif
1002 }
1003
1004 /* Return true if ADDR is present in the victim tlb, and has been copied
1005 back to the main tlb. */
1006 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
1007 size_t elt_ofs, target_ulong page)
1008 {
1009 size_t vidx;
1010
1011 assert_cpu_is_self(env_cpu(env));
1012 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
1013 CPUTLBEntry *vtlb = &env_tlb(env)->d[mmu_idx].vtable[vidx];
1014 target_ulong cmp;
1015
1016 /* elt_ofs might correspond to .addr_write, so use atomic_read */
1017 #if TCG_OVERSIZED_GUEST
1018 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
1019 #else
1020 cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
1021 #endif
1022
1023 if (cmp == page) {
1024 /* Found entry in victim tlb, swap tlb and iotlb. */
1025 CPUTLBEntry tmptlb, *tlb = &env_tlb(env)->f[mmu_idx].table[index];
1026
1027 qemu_spin_lock(&env_tlb(env)->c.lock);
1028 copy_tlb_helper_locked(&tmptlb, tlb);
1029 copy_tlb_helper_locked(tlb, vtlb);
1030 copy_tlb_helper_locked(vtlb, &tmptlb);
1031 qemu_spin_unlock(&env_tlb(env)->c.lock);
1032
1033 CPUIOTLBEntry tmpio, *io = &env_tlb(env)->d[mmu_idx].iotlb[index];
1034 CPUIOTLBEntry *vio = &env_tlb(env)->d[mmu_idx].viotlb[vidx];
1035 tmpio = *io; *io = *vio; *vio = tmpio;
1036 return true;
1037 }
1038 }
1039 return false;
1040 }
1041
1042 /* Macro to call the above, with local variables from the use context. */
1043 #define VICTIM_TLB_HIT(TY, ADDR) \
1044 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
1045 (ADDR) & TARGET_PAGE_MASK)
1046
1047 /*
1048 * Return a ram_addr_t for the virtual address for execution.
1049 *
1050 * Return -1 if we can't translate and execute from an entire page
1051 * of RAM. This will force us to execute by loading and translating
1052 * one insn at a time, without caching.
1053 *
1054 * NOTE: This function will trigger an exception if the page is
1055 * not executable.
1056 */
1057 tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
1058 void **hostp)
1059 {
1060 uintptr_t mmu_idx = cpu_mmu_index(env, true);
1061 uintptr_t index = tlb_index(env, mmu_idx, addr);
1062 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1063 void *p;
1064
1065 if (unlikely(!tlb_hit(entry->addr_code, addr))) {
1066 if (!VICTIM_TLB_HIT(addr_code, addr)) {
1067 tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
1068 index = tlb_index(env, mmu_idx, addr);
1069 entry = tlb_entry(env, mmu_idx, addr);
1070
1071 if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
1072 /*
1073 * The MMU protection covers a smaller range than a target
1074 * page, so we must redo the MMU check for every insn.
1075 */
1076 return -1;
1077 }
1078 }
1079 assert(tlb_hit(entry->addr_code, addr));
1080 }
1081
1082 if (unlikely(entry->addr_code & TLB_MMIO)) {
1083 /* The region is not backed by RAM. */
1084 if (hostp) {
1085 *hostp = NULL;
1086 }
1087 return -1;
1088 }
1089
1090 p = (void *)((uintptr_t)addr + entry->addend);
1091 if (hostp) {
1092 *hostp = p;
1093 }
1094 return qemu_ram_addr_from_host_nofail(p);
1095 }
1096
1097 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
1098 {
1099 return get_page_addr_code_hostp(env, addr, NULL);
1100 }
1101
1102 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
1103 CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
1104 {
1105 ram_addr_t ram_addr = mem_vaddr + iotlbentry->addr;
1106
1107 trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size);
1108
1109 if (!cpu_physical_memory_get_dirty_flag(ram_addr, DIRTY_MEMORY_CODE)) {
1110 struct page_collection *pages
1111 = page_collection_lock(ram_addr, ram_addr + size);
1112 tb_invalidate_phys_page_fast(pages, ram_addr, size, retaddr);
1113 page_collection_unlock(pages);
1114 }
1115
1116 /*
1117 * Set both VGA and migration bits for simplicity and to remove
1118 * the notdirty callback faster.
1119 */
1120 cpu_physical_memory_set_dirty_range(ram_addr, size, DIRTY_CLIENTS_NOCODE);
1121
1122 /* We remove the notdirty callback only if the code has been flushed. */
1123 if (!cpu_physical_memory_is_clean(ram_addr)) {
1124 trace_memory_notdirty_set_dirty(mem_vaddr);
1125 tlb_set_dirty(cpu, mem_vaddr);
1126 }
1127 }
1128
1129 /*
1130 * Probe for whether the specified guest access is permitted. If it is not
1131 * permitted then an exception will be taken in the same way as if this
1132 * were a real access (and we will not return).
1133 * If the size is 0 or the page requires I/O access, returns NULL; otherwise,
1134 * returns the address of the host page similar to tlb_vaddr_to_host().
1135 */
1136 void *probe_access(CPUArchState *env, target_ulong addr, int size,
1137 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
1138 {
1139 uintptr_t index = tlb_index(env, mmu_idx, addr);
1140 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1141 target_ulong tlb_addr;
1142 size_t elt_ofs;
1143 int wp_access;
1144
1145 g_assert(-(addr | TARGET_PAGE_MASK) >= size);
1146
1147 switch (access_type) {
1148 case MMU_DATA_LOAD:
1149 elt_ofs = offsetof(CPUTLBEntry, addr_read);
1150 wp_access = BP_MEM_READ;
1151 break;
1152 case MMU_DATA_STORE:
1153 elt_ofs = offsetof(CPUTLBEntry, addr_write);
1154 wp_access = BP_MEM_WRITE;
1155 break;
1156 case MMU_INST_FETCH:
1157 elt_ofs = offsetof(CPUTLBEntry, addr_code);
1158 wp_access = BP_MEM_READ;
1159 break;
1160 default:
1161 g_assert_not_reached();
1162 }
1163 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1164
1165 if (unlikely(!tlb_hit(tlb_addr, addr))) {
1166 if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs,
1167 addr & TARGET_PAGE_MASK)) {
1168 tlb_fill(env_cpu(env), addr, size, access_type, mmu_idx, retaddr);
1169 /* TLB resize via tlb_fill may have moved the entry. */
1170 index = tlb_index(env, mmu_idx, addr);
1171 entry = tlb_entry(env, mmu_idx, addr);
1172 }
1173 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1174 }
1175
1176 if (!size) {
1177 return NULL;
1178 }
1179
1180 if (unlikely(tlb_addr & TLB_FLAGS_MASK)) {
1181 CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1182
1183 /* Reject I/O access, or other required slow-path. */
1184 if (tlb_addr & (TLB_MMIO | TLB_BSWAP | TLB_DISCARD_WRITE)) {
1185 return NULL;
1186 }
1187
1188 /* Handle watchpoints. */
1189 if (tlb_addr & TLB_WATCHPOINT) {
1190 cpu_check_watchpoint(env_cpu(env), addr, size,
1191 iotlbentry->attrs, wp_access, retaddr);
1192 }
1193
1194 /* Handle clean RAM pages. */
1195 if (tlb_addr & TLB_NOTDIRTY) {
1196 notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr);
1197 }
1198 }
1199
1200 return (void *)((uintptr_t)addr + entry->addend);
1201 }
1202
1203 void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
1204 MMUAccessType access_type, int mmu_idx)
1205 {
1206 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1207 uintptr_t tlb_addr, page;
1208 size_t elt_ofs;
1209
1210 switch (access_type) {
1211 case MMU_DATA_LOAD:
1212 elt_ofs = offsetof(CPUTLBEntry, addr_read);
1213 break;
1214 case MMU_DATA_STORE:
1215 elt_ofs = offsetof(CPUTLBEntry, addr_write);
1216 break;
1217 case MMU_INST_FETCH:
1218 elt_ofs = offsetof(CPUTLBEntry, addr_code);
1219 break;
1220 default:
1221 g_assert_not_reached();
1222 }
1223
1224 page = addr & TARGET_PAGE_MASK;
1225 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1226
1227 if (!tlb_hit_page(tlb_addr, page)) {
1228 uintptr_t index = tlb_index(env, mmu_idx, addr);
1229
1230 if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page)) {
1231 CPUState *cs = env_cpu(env);
1232 CPUClass *cc = CPU_GET_CLASS(cs);
1233
1234 if (!cc->tlb_fill(cs, addr, 0, access_type, mmu_idx, true, 0)) {
1235 /* Non-faulting page table read failed. */
1236 return NULL;
1237 }
1238
1239 /* TLB resize via tlb_fill may have moved the entry. */
1240 entry = tlb_entry(env, mmu_idx, addr);
1241 }
1242 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1243 }
1244
1245 if (tlb_addr & ~TARGET_PAGE_MASK) {
1246 /* IO access */
1247 return NULL;
1248 }
1249
1250 return (void *)((uintptr_t)addr + entry->addend);
1251 }
1252
1253
1254 #ifdef CONFIG_PLUGIN
1255 /*
1256 * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
1257 * This should be a hot path as we will have just looked this path up
1258 * in the softmmu lookup code (or helper). We don't handle re-fills or
1259 * checking the victim table. This is purely informational.
1260 *
1261 * This should never fail as the memory access being instrumented
1262 * should have just filled the TLB.
1263 */
1264
1265 bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx,
1266 bool is_store, struct qemu_plugin_hwaddr *data)
1267 {
1268 CPUArchState *env = cpu->env_ptr;
1269 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
1270 uintptr_t index = tlb_index(env, mmu_idx, addr);
1271 target_ulong tlb_addr = is_store ? tlb_addr_write(tlbe) : tlbe->addr_read;
1272
1273 if (likely(tlb_hit(tlb_addr, addr))) {
1274 /* We must have an iotlb entry for MMIO */
1275 if (tlb_addr & TLB_MMIO) {
1276 CPUIOTLBEntry *iotlbentry;
1277 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1278 data->is_io = true;
1279 data->v.io.section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
1280 data->v.io.offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
1281 } else {
1282 data->is_io = false;
1283 data->v.ram.hostaddr = addr + tlbe->addend;
1284 }
1285 return true;
1286 }
1287 return false;
1288 }
1289
1290 #endif
1291
1292 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
1293 * operations, or io operations to proceed. Return the host address. */
1294 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
1295 TCGMemOpIdx oi, uintptr_t retaddr)
1296 {
1297 size_t mmu_idx = get_mmuidx(oi);
1298 uintptr_t index = tlb_index(env, mmu_idx, addr);
1299 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
1300 target_ulong tlb_addr = tlb_addr_write(tlbe);
1301 MemOp mop = get_memop(oi);
1302 int a_bits = get_alignment_bits(mop);
1303 int s_bits = mop & MO_SIZE;
1304 void *hostaddr;
1305
1306 /* Adjust the given return address. */
1307 retaddr -= GETPC_ADJ;
1308
1309 /* Enforce guest required alignment. */
1310 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
1311 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
1312 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
1313 mmu_idx, retaddr);
1314 }
1315
1316 /* Enforce qemu required alignment. */
1317 if (unlikely(addr & ((1 << s_bits) - 1))) {
1318 /* We get here if guest alignment was not requested,
1319 or was not enforced by cpu_unaligned_access above.
1320 We might widen the access and emulate, but for now
1321 mark an exception and exit the cpu loop. */
1322 goto stop_the_world;
1323 }
1324
1325 /* Check TLB entry and enforce page permissions. */
1326 if (!tlb_hit(tlb_addr, addr)) {
1327 if (!VICTIM_TLB_HIT(addr_write, addr)) {
1328 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_STORE,
1329 mmu_idx, retaddr);
1330 index = tlb_index(env, mmu_idx, addr);
1331 tlbe = tlb_entry(env, mmu_idx, addr);
1332 }
1333 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
1334 }
1335
1336 /* Notice an IO access or a needs-MMU-lookup access */
1337 if (unlikely(tlb_addr & TLB_MMIO)) {
1338 /* There's really nothing that can be done to
1339 support this apart from stop-the-world. */
1340 goto stop_the_world;
1341 }
1342
1343 /* Let the guest notice RMW on a write-only page. */
1344 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
1345 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_LOAD,
1346 mmu_idx, retaddr);
1347 /* Since we don't support reads and writes to different addresses,
1348 and we do have the proper page loaded for write, this shouldn't
1349 ever return. But just in case, handle via stop-the-world. */
1350 goto stop_the_world;
1351 }
1352
1353 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
1354
1355 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
1356 notdirty_write(env_cpu(env), addr, 1 << s_bits,
1357 &env_tlb(env)->d[mmu_idx].iotlb[index], retaddr);
1358 }
1359
1360 return hostaddr;
1361
1362 stop_the_world:
1363 cpu_loop_exit_atomic(env_cpu(env), retaddr);
1364 }
1365
1366 /*
1367 * Load Helpers
1368 *
1369 * We support two different access types. SOFTMMU_CODE_ACCESS is
1370 * specifically for reading instructions from system memory. It is
1371 * called by the translation loop and in some helpers where the code
1372 * is disassembled. It shouldn't be called directly by guest code.
1373 */
1374
1375 typedef uint64_t FullLoadHelper(CPUArchState *env, target_ulong addr,
1376 TCGMemOpIdx oi, uintptr_t retaddr);
1377
1378 static inline uint64_t QEMU_ALWAYS_INLINE
1379 load_memop(const void *haddr, MemOp op)
1380 {
1381 switch (op) {
1382 case MO_UB:
1383 return ldub_p(haddr);
1384 case MO_BEUW:
1385 return lduw_be_p(haddr);
1386 case MO_LEUW:
1387 return lduw_le_p(haddr);
1388 case MO_BEUL:
1389 return (uint32_t)ldl_be_p(haddr);
1390 case MO_LEUL:
1391 return (uint32_t)ldl_le_p(haddr);
1392 case MO_BEQ:
1393 return ldq_be_p(haddr);
1394 case MO_LEQ:
1395 return ldq_le_p(haddr);
1396 default:
1397 qemu_build_not_reached();
1398 }
1399 }
1400
1401 static inline uint64_t QEMU_ALWAYS_INLINE
1402 load_helper(CPUArchState *env, target_ulong addr, TCGMemOpIdx oi,
1403 uintptr_t retaddr, MemOp op, bool code_read,
1404 FullLoadHelper *full_load)
1405 {
1406 uintptr_t mmu_idx = get_mmuidx(oi);
1407 uintptr_t index = tlb_index(env, mmu_idx, addr);
1408 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1409 target_ulong tlb_addr = code_read ? entry->addr_code : entry->addr_read;
1410 const size_t tlb_off = code_read ?
1411 offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read);
1412 const MMUAccessType access_type =
1413 code_read ? MMU_INST_FETCH : MMU_DATA_LOAD;
1414 unsigned a_bits = get_alignment_bits(get_memop(oi));
1415 void *haddr;
1416 uint64_t res;
1417 size_t size = memop_size(op);
1418
1419 /* Handle CPU specific unaligned behaviour */
1420 if (addr & ((1 << a_bits) - 1)) {
1421 cpu_unaligned_access(env_cpu(env), addr, access_type,
1422 mmu_idx, retaddr);
1423 }
1424
1425 /* If the TLB entry is for a different page, reload and try again. */
1426 if (!tlb_hit(tlb_addr, addr)) {
1427 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
1428 addr & TARGET_PAGE_MASK)) {
1429 tlb_fill(env_cpu(env), addr, size,
1430 access_type, mmu_idx, retaddr);
1431 index = tlb_index(env, mmu_idx, addr);
1432 entry = tlb_entry(env, mmu_idx, addr);
1433 }
1434 tlb_addr = code_read ? entry->addr_code : entry->addr_read;
1435 tlb_addr &= ~TLB_INVALID_MASK;
1436 }
1437
1438 /* Handle anything that isn't just a straight memory access. */
1439 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
1440 CPUIOTLBEntry *iotlbentry;
1441 bool need_swap;
1442
1443 /* For anything that is unaligned, recurse through full_load. */
1444 if ((addr & (size - 1)) != 0) {
1445 goto do_unaligned_access;
1446 }
1447
1448 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1449
1450 /* Handle watchpoints. */
1451 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
1452 /* On watchpoint hit, this will longjmp out. */
1453 cpu_check_watchpoint(env_cpu(env), addr, size,
1454 iotlbentry->attrs, BP_MEM_READ, retaddr);
1455 }
1456
1457 need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
1458
1459 /* Handle I/O access. */
1460 if (likely(tlb_addr & TLB_MMIO)) {
1461 return io_readx(env, iotlbentry, mmu_idx, addr, retaddr,
1462 access_type, op ^ (need_swap * MO_BSWAP));
1463 }
1464
1465 haddr = (void *)((uintptr_t)addr + entry->addend);
1466
1467 /*
1468 * Keep these two load_memop separate to ensure that the compiler
1469 * is able to fold the entire function to a single instruction.
1470 * There is a build-time assert inside to remind you of this. ;-)
1471 */
1472 if (unlikely(need_swap)) {
1473 return load_memop(haddr, op ^ MO_BSWAP);
1474 }
1475 return load_memop(haddr, op);
1476 }
1477
1478 /* Handle slow unaligned access (it spans two pages or IO). */
1479 if (size > 1
1480 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
1481 >= TARGET_PAGE_SIZE)) {
1482 target_ulong addr1, addr2;
1483 uint64_t r1, r2;
1484 unsigned shift;
1485 do_unaligned_access:
1486 addr1 = addr & ~((target_ulong)size - 1);
1487 addr2 = addr1 + size;
1488 r1 = full_load(env, addr1, oi, retaddr);
1489 r2 = full_load(env, addr2, oi, retaddr);
1490 shift = (addr & (size - 1)) * 8;
1491
1492 if (memop_big_endian(op)) {
1493 /* Big-endian combine. */
1494 res = (r1 << shift) | (r2 >> ((size * 8) - shift));
1495 } else {
1496 /* Little-endian combine. */
1497 res = (r1 >> shift) | (r2 << ((size * 8) - shift));
1498 }
1499 return res & MAKE_64BIT_MASK(0, size * 8);
1500 }
1501
1502 haddr = (void *)((uintptr_t)addr + entry->addend);
1503 return load_memop(haddr, op);
1504 }
1505
1506 /*
1507 * For the benefit of TCG generated code, we want to avoid the
1508 * complication of ABI-specific return type promotion and always
1509 * return a value extended to the register size of the host. This is
1510 * tcg_target_long, except in the case of a 32-bit host and 64-bit
1511 * data, and for that we always have uint64_t.
1512 *
1513 * We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
1514 */
1515
1516 static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
1517 TCGMemOpIdx oi, uintptr_t retaddr)
1518 {
1519 return load_helper(env, addr, oi, retaddr, MO_UB, false, full_ldub_mmu);
1520 }
1521
1522 tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
1523 TCGMemOpIdx oi, uintptr_t retaddr)
1524 {
1525 return full_ldub_mmu(env, addr, oi, retaddr);
1526 }
1527
1528 static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
1529 TCGMemOpIdx oi, uintptr_t retaddr)
1530 {
1531 return load_helper(env, addr, oi, retaddr, MO_LEUW, false,
1532 full_le_lduw_mmu);
1533 }
1534
1535 tcg_target_ulong helper_le_lduw_mmu(CPUArchState *env, target_ulong addr,
1536 TCGMemOpIdx oi, uintptr_t retaddr)
1537 {
1538 return full_le_lduw_mmu(env, addr, oi, retaddr);
1539 }
1540
1541 static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
1542 TCGMemOpIdx oi, uintptr_t retaddr)
1543 {
1544 return load_helper(env, addr, oi, retaddr, MO_BEUW, false,
1545 full_be_lduw_mmu);
1546 }
1547
1548 tcg_target_ulong helper_be_lduw_mmu(CPUArchState *env, target_ulong addr,
1549 TCGMemOpIdx oi, uintptr_t retaddr)
1550 {
1551 return full_be_lduw_mmu(env, addr, oi, retaddr);
1552 }
1553
1554 static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
1555 TCGMemOpIdx oi, uintptr_t retaddr)
1556 {
1557 return load_helper(env, addr, oi, retaddr, MO_LEUL, false,
1558 full_le_ldul_mmu);
1559 }
1560
1561 tcg_target_ulong helper_le_ldul_mmu(CPUArchState *env, target_ulong addr,
1562 TCGMemOpIdx oi, uintptr_t retaddr)
1563 {
1564 return full_le_ldul_mmu(env, addr, oi, retaddr);
1565 }
1566
1567 static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
1568 TCGMemOpIdx oi, uintptr_t retaddr)
1569 {
1570 return load_helper(env, addr, oi, retaddr, MO_BEUL, false,
1571 full_be_ldul_mmu);
1572 }
1573
1574 tcg_target_ulong helper_be_ldul_mmu(CPUArchState *env, target_ulong addr,
1575 TCGMemOpIdx oi, uintptr_t retaddr)
1576 {
1577 return full_be_ldul_mmu(env, addr, oi, retaddr);
1578 }
1579
1580 uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
1581 TCGMemOpIdx oi, uintptr_t retaddr)
1582 {
1583 return load_helper(env, addr, oi, retaddr, MO_LEQ, false,
1584 helper_le_ldq_mmu);
1585 }
1586
1587 uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
1588 TCGMemOpIdx oi, uintptr_t retaddr)
1589 {
1590 return load_helper(env, addr, oi, retaddr, MO_BEQ, false,
1591 helper_be_ldq_mmu);
1592 }
1593
1594 /*
1595 * Provide signed versions of the load routines as well. We can of course
1596 * avoid this for 64-bit data, or for 32-bit data on 32-bit host.
1597 */
1598
1599
1600 tcg_target_ulong helper_ret_ldsb_mmu(CPUArchState *env, target_ulong addr,
1601 TCGMemOpIdx oi, uintptr_t retaddr)
1602 {
1603 return (int8_t)helper_ret_ldub_mmu(env, addr, oi, retaddr);
1604 }
1605
1606 tcg_target_ulong helper_le_ldsw_mmu(CPUArchState *env, target_ulong addr,
1607 TCGMemOpIdx oi, uintptr_t retaddr)
1608 {
1609 return (int16_t)helper_le_lduw_mmu(env, addr, oi, retaddr);
1610 }
1611
1612 tcg_target_ulong helper_be_ldsw_mmu(CPUArchState *env, target_ulong addr,
1613 TCGMemOpIdx oi, uintptr_t retaddr)
1614 {
1615 return (int16_t)helper_be_lduw_mmu(env, addr, oi, retaddr);
1616 }
1617
1618 tcg_target_ulong helper_le_ldsl_mmu(CPUArchState *env, target_ulong addr,
1619 TCGMemOpIdx oi, uintptr_t retaddr)
1620 {
1621 return (int32_t)helper_le_ldul_mmu(env, addr, oi, retaddr);
1622 }
1623
1624 tcg_target_ulong helper_be_ldsl_mmu(CPUArchState *env, target_ulong addr,
1625 TCGMemOpIdx oi, uintptr_t retaddr)
1626 {
1627 return (int32_t)helper_be_ldul_mmu(env, addr, oi, retaddr);
1628 }
1629
1630 /*
1631 * Store Helpers
1632 */
1633
1634 static inline void QEMU_ALWAYS_INLINE
1635 store_memop(void *haddr, uint64_t val, MemOp op)
1636 {
1637 switch (op) {
1638 case MO_UB:
1639 stb_p(haddr, val);
1640 break;
1641 case MO_BEUW:
1642 stw_be_p(haddr, val);
1643 break;
1644 case MO_LEUW:
1645 stw_le_p(haddr, val);
1646 break;
1647 case MO_BEUL:
1648 stl_be_p(haddr, val);
1649 break;
1650 case MO_LEUL:
1651 stl_le_p(haddr, val);
1652 break;
1653 case MO_BEQ:
1654 stq_be_p(haddr, val);
1655 break;
1656 case MO_LEQ:
1657 stq_le_p(haddr, val);
1658 break;
1659 default:
1660 qemu_build_not_reached();
1661 }
1662 }
1663
1664 static inline void QEMU_ALWAYS_INLINE
1665 store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
1666 TCGMemOpIdx oi, uintptr_t retaddr, MemOp op)
1667 {
1668 uintptr_t mmu_idx = get_mmuidx(oi);
1669 uintptr_t index = tlb_index(env, mmu_idx, addr);
1670 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1671 target_ulong tlb_addr = tlb_addr_write(entry);
1672 const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
1673 unsigned a_bits = get_alignment_bits(get_memop(oi));
1674 void *haddr;
1675 size_t size = memop_size(op);
1676
1677 /* Handle CPU specific unaligned behaviour */
1678 if (addr & ((1 << a_bits) - 1)) {
1679 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
1680 mmu_idx, retaddr);
1681 }
1682
1683 /* If the TLB entry is for a different page, reload and try again. */
1684 if (!tlb_hit(tlb_addr, addr)) {
1685 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
1686 addr & TARGET_PAGE_MASK)) {
1687 tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
1688 mmu_idx, retaddr);
1689 index = tlb_index(env, mmu_idx, addr);
1690 entry = tlb_entry(env, mmu_idx, addr);
1691 }
1692 tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK;
1693 }
1694
1695 /* Handle anything that isn't just a straight memory access. */
1696 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
1697 CPUIOTLBEntry *iotlbentry;
1698 bool need_swap;
1699
1700 /* For anything that is unaligned, recurse through byte stores. */
1701 if ((addr & (size - 1)) != 0) {
1702 goto do_unaligned_access;
1703 }
1704
1705 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1706
1707 /* Handle watchpoints. */
1708 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
1709 /* On watchpoint hit, this will longjmp out. */
1710 cpu_check_watchpoint(env_cpu(env), addr, size,
1711 iotlbentry->attrs, BP_MEM_WRITE, retaddr);
1712 }
1713
1714 need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
1715
1716 /* Handle I/O access. */
1717 if (tlb_addr & TLB_MMIO) {
1718 io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr,
1719 op ^ (need_swap * MO_BSWAP));
1720 return;
1721 }
1722
1723 /* Ignore writes to ROM. */
1724 if (unlikely(tlb_addr & TLB_DISCARD_WRITE)) {
1725 return;
1726 }
1727
1728 /* Handle clean RAM pages. */
1729 if (tlb_addr & TLB_NOTDIRTY) {
1730 notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr);
1731 }
1732
1733 haddr = (void *)((uintptr_t)addr + entry->addend);
1734
1735 /*
1736 * Keep these two store_memop separate to ensure that the compiler
1737 * is able to fold the entire function to a single instruction.
1738 * There is a build-time assert inside to remind you of this. ;-)
1739 */
1740 if (unlikely(need_swap)) {
1741 store_memop(haddr, val, op ^ MO_BSWAP);
1742 } else {
1743 store_memop(haddr, val, op);
1744 }
1745 return;
1746 }
1747
1748 /* Handle slow unaligned access (it spans two pages or IO). */
1749 if (size > 1
1750 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
1751 >= TARGET_PAGE_SIZE)) {
1752 int i;
1753 uintptr_t index2;
1754 CPUTLBEntry *entry2;
1755 target_ulong page2, tlb_addr2;
1756 size_t size2;
1757
1758 do_unaligned_access:
1759 /*
1760 * Ensure the second page is in the TLB. Note that the first page
1761 * is already guaranteed to be filled, and that the second page
1762 * cannot evict the first.
1763 */
1764 page2 = (addr + size) & TARGET_PAGE_MASK;
1765 size2 = (addr + size) & ~TARGET_PAGE_MASK;
1766 index2 = tlb_index(env, mmu_idx, page2);
1767 entry2 = tlb_entry(env, mmu_idx, page2);
1768 tlb_addr2 = tlb_addr_write(entry2);
1769 if (!tlb_hit_page(tlb_addr2, page2)) {
1770 if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) {
1771 tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
1772 mmu_idx, retaddr);
1773 index2 = tlb_index(env, mmu_idx, page2);
1774 entry2 = tlb_entry(env, mmu_idx, page2);
1775 }
1776 tlb_addr2 = tlb_addr_write(entry2);
1777 }
1778
1779 /*
1780 * Handle watchpoints. Since this may trap, all checks
1781 * must happen before any store.
1782 */
1783 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
1784 cpu_check_watchpoint(env_cpu(env), addr, size - size2,
1785 env_tlb(env)->d[mmu_idx].iotlb[index].attrs,
1786 BP_MEM_WRITE, retaddr);
1787 }
1788 if (unlikely(tlb_addr2 & TLB_WATCHPOINT)) {
1789 cpu_check_watchpoint(env_cpu(env), page2, size2,
1790 env_tlb(env)->d[mmu_idx].iotlb[index2].attrs,
1791 BP_MEM_WRITE, retaddr);
1792 }
1793
1794 /*
1795 * XXX: not efficient, but simple.
1796 * This loop must go in the forward direction to avoid issues
1797 * with self-modifying code in Windows 64-bit.
1798 */
1799 for (i = 0; i < size; ++i) {
1800 uint8_t val8;
1801 if (memop_big_endian(op)) {
1802 /* Big-endian extract. */
1803 val8 = val >> (((size - 1) * 8) - (i * 8));
1804 } else {
1805 /* Little-endian extract. */
1806 val8 = val >> (i * 8);
1807 }
1808 helper_ret_stb_mmu(env, addr + i, val8, oi, retaddr);
1809 }
1810 return;
1811 }
1812
1813 haddr = (void *)((uintptr_t)addr + entry->addend);
1814 store_memop(haddr, val, op);
1815 }
1816
1817 void helper_ret_stb_mmu(CPUArchState *env, target_ulong addr, uint8_t val,
1818 TCGMemOpIdx oi, uintptr_t retaddr)
1819 {
1820 store_helper(env, addr, val, oi, retaddr, MO_UB);
1821 }
1822
1823 void helper_le_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
1824 TCGMemOpIdx oi, uintptr_t retaddr)
1825 {
1826 store_helper(env, addr, val, oi, retaddr, MO_LEUW);
1827 }
1828
1829 void helper_be_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
1830 TCGMemOpIdx oi, uintptr_t retaddr)
1831 {
1832 store_helper(env, addr, val, oi, retaddr, MO_BEUW);
1833 }
1834
1835 void helper_le_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
1836 TCGMemOpIdx oi, uintptr_t retaddr)
1837 {
1838 store_helper(env, addr, val, oi, retaddr, MO_LEUL);
1839 }
1840
1841 void helper_be_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
1842 TCGMemOpIdx oi, uintptr_t retaddr)
1843 {
1844 store_helper(env, addr, val, oi, retaddr, MO_BEUL);
1845 }
1846
1847 void helper_le_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
1848 TCGMemOpIdx oi, uintptr_t retaddr)
1849 {
1850 store_helper(env, addr, val, oi, retaddr, MO_LEQ);
1851 }
1852
1853 void helper_be_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
1854 TCGMemOpIdx oi, uintptr_t retaddr)
1855 {
1856 store_helper(env, addr, val, oi, retaddr, MO_BEQ);
1857 }
1858
1859 /* First set of helpers allows passing in of OI and RETADDR. This makes
1860 them callable from other helpers. */
1861
1862 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1863 #define ATOMIC_NAME(X) \
1864 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1865 #define ATOMIC_MMU_DECLS
1866 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr)
1867 #define ATOMIC_MMU_CLEANUP
1868 #define ATOMIC_MMU_IDX get_mmuidx(oi)
1869
1870 #include "atomic_common.inc.c"
1871
1872 #define DATA_SIZE 1
1873 #include "atomic_template.h"
1874
1875 #define DATA_SIZE 2
1876 #include "atomic_template.h"
1877
1878 #define DATA_SIZE 4
1879 #include "atomic_template.h"
1880
1881 #ifdef CONFIG_ATOMIC64
1882 #define DATA_SIZE 8
1883 #include "atomic_template.h"
1884 #endif
1885
1886 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
1887 #define DATA_SIZE 16
1888 #include "atomic_template.h"
1889 #endif
1890
1891 /* Second set of helpers are directly callable from TCG as helpers. */
1892
1893 #undef EXTRA_ARGS
1894 #undef ATOMIC_NAME
1895 #undef ATOMIC_MMU_LOOKUP
1896 #define EXTRA_ARGS , TCGMemOpIdx oi
1897 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1898 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC())
1899
1900 #define DATA_SIZE 1
1901 #include "atomic_template.h"
1902
1903 #define DATA_SIZE 2
1904 #include "atomic_template.h"
1905
1906 #define DATA_SIZE 4
1907 #include "atomic_template.h"
1908
1909 #ifdef CONFIG_ATOMIC64
1910 #define DATA_SIZE 8
1911 #include "atomic_template.h"
1912 #endif
1913 #undef ATOMIC_MMU_IDX
1914
1915 /* Code access functions. */
1916
1917 static uint64_t full_ldub_cmmu(CPUArchState *env, target_ulong addr,
1918 TCGMemOpIdx oi, uintptr_t retaddr)
1919 {
1920 return load_helper(env, addr, oi, retaddr, MO_8, true, full_ldub_cmmu);
1921 }
1922
1923 uint8_t helper_ret_ldb_cmmu(CPUArchState *env, target_ulong addr,
1924 TCGMemOpIdx oi, uintptr_t retaddr)
1925 {
1926 return full_ldub_cmmu(env, addr, oi, retaddr);
1927 }
1928
1929 static uint64_t full_le_lduw_cmmu(CPUArchState *env, target_ulong addr,
1930 TCGMemOpIdx oi, uintptr_t retaddr)
1931 {
1932 return load_helper(env, addr, oi, retaddr, MO_LEUW, true,
1933 full_le_lduw_cmmu);
1934 }
1935
1936 uint16_t helper_le_ldw_cmmu(CPUArchState *env, target_ulong addr,
1937 TCGMemOpIdx oi, uintptr_t retaddr)
1938 {
1939 return full_le_lduw_cmmu(env, addr, oi, retaddr);
1940 }
1941
1942 static uint64_t full_be_lduw_cmmu(CPUArchState *env, target_ulong addr,
1943 TCGMemOpIdx oi, uintptr_t retaddr)
1944 {
1945 return load_helper(env, addr, oi, retaddr, MO_BEUW, true,
1946 full_be_lduw_cmmu);
1947 }
1948
1949 uint16_t helper_be_ldw_cmmu(CPUArchState *env, target_ulong addr,
1950 TCGMemOpIdx oi, uintptr_t retaddr)
1951 {
1952 return full_be_lduw_cmmu(env, addr, oi, retaddr);
1953 }
1954
1955 static uint64_t full_le_ldul_cmmu(CPUArchState *env, target_ulong addr,
1956 TCGMemOpIdx oi, uintptr_t retaddr)
1957 {
1958 return load_helper(env, addr, oi, retaddr, MO_LEUL, true,
1959 full_le_ldul_cmmu);
1960 }
1961
1962 uint32_t helper_le_ldl_cmmu(CPUArchState *env, target_ulong addr,
1963 TCGMemOpIdx oi, uintptr_t retaddr)
1964 {
1965 return full_le_ldul_cmmu(env, addr, oi, retaddr);
1966 }
1967
1968 static uint64_t full_be_ldul_cmmu(CPUArchState *env, target_ulong addr,
1969 TCGMemOpIdx oi, uintptr_t retaddr)
1970 {
1971 return load_helper(env, addr, oi, retaddr, MO_BEUL, true,
1972 full_be_ldul_cmmu);
1973 }
1974
1975 uint32_t helper_be_ldl_cmmu(CPUArchState *env, target_ulong addr,
1976 TCGMemOpIdx oi, uintptr_t retaddr)
1977 {
1978 return full_be_ldul_cmmu(env, addr, oi, retaddr);
1979 }
1980
1981 uint64_t helper_le_ldq_cmmu(CPUArchState *env, target_ulong addr,
1982 TCGMemOpIdx oi, uintptr_t retaddr)
1983 {
1984 return load_helper(env, addr, oi, retaddr, MO_LEQ, true,
1985 helper_le_ldq_cmmu);
1986 }
1987
1988 uint64_t helper_be_ldq_cmmu(CPUArchState *env, target_ulong addr,
1989 TCGMemOpIdx oi, uintptr_t retaddr)
1990 {
1991 return load_helper(env, addr, oi, retaddr, MO_BEQ, true,
1992 helper_be_ldq_cmmu);
1993 }
AR7 emulation for QEMU