search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
exec: introduce tlb_init
[qemu/ar7.git] / accel / tcg / cputlb.c
blob502eea28509f2465b0c71da930ebd1543a908e5c
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/address-spaces.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/cputlb.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35
36 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
37 /* #define DEBUG_TLB */
38 /* #define DEBUG_TLB_LOG */
39
40 #ifdef DEBUG_TLB
41 # define DEBUG_TLB_GATE 1
42 # ifdef DEBUG_TLB_LOG
43 # define DEBUG_TLB_LOG_GATE 1
44 # else
45 # define DEBUG_TLB_LOG_GATE 0
46 # endif
47 #else
48 # define DEBUG_TLB_GATE 0
49 # define DEBUG_TLB_LOG_GATE 0
50 #endif
51
52 #define tlb_debug(fmt, ...) do { \
53 if (DEBUG_TLB_LOG_GATE) { \
54 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
55 ## __VA_ARGS__); \
56 } else if (DEBUG_TLB_GATE) { \
57 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
58 } \
59 } while (0)
60
61 #define assert_cpu_is_self(this_cpu) do { \
62 if (DEBUG_TLB_GATE) { \
63 g_assert(!cpu->created || qemu_cpu_is_self(cpu)); \
64 } \
65 } while (0)
66
67 /* run_on_cpu_data.target_ptr should always be big enough for a
68 * target_ulong even on 32 bit builds */
69 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
70
71 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
72 */
73 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
74 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
75
76 void tlb_init(CPUState *cpu)
77 {
78 }
79
80 /* flush_all_helper: run fn across all cpus
81 *
82 * If the wait flag is set then the src cpu's helper will be queued as
83 * "safe" work and the loop exited creating a synchronisation point
84 * where all queued work will be finished before execution starts
85 * again.
86 */
87 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
88 run_on_cpu_data d)
89 {
90 CPUState *cpu;
91
92 CPU_FOREACH(cpu) {
93 if (cpu != src) {
94 async_run_on_cpu(cpu, fn, d);
95 }
96 }
97 }
98
99 size_t tlb_flush_count(void)
100 {
101 CPUState *cpu;
102 size_t count = 0;
103
104 CPU_FOREACH(cpu) {
105 CPUArchState *env = cpu->env_ptr;
106
107 count += atomic_read(&env->tlb_flush_count);
108 }
109 return count;
110 }
111
112 /* This is OK because CPU architectures generally permit an
113 * implementation to drop entries from the TLB at any time, so
114 * flushing more entries than required is only an efficiency issue,
115 * not a correctness issue.
116 */
117 static void tlb_flush_nocheck(CPUState *cpu)
118 {
119 CPUArchState *env = cpu->env_ptr;
120
121 /* The QOM tests will trigger tlb_flushes without setting up TCG
122 * so we bug out here in that case.
123 */
124 if (!tcg_enabled()) {
125 return;
126 }
127
128 assert_cpu_is_self(cpu);
129 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1);
130 tlb_debug("(count: %zu)\n", tlb_flush_count());
131
132 memset(env->tlb_table, -1, sizeof(env->tlb_table));
133 memset(env->tlb_v_table, -1, sizeof(env->tlb_v_table));
134 cpu_tb_jmp_cache_clear(cpu);
135
136 env->vtlb_index = 0;
137 env->tlb_flush_addr = -1;
138 env->tlb_flush_mask = 0;
139
140 atomic_mb_set(&cpu->pending_tlb_flush, 0);
141 }
142
143 static void tlb_flush_global_async_work(CPUState *cpu, run_on_cpu_data data)
144 {
145 tlb_flush_nocheck(cpu);
146 }
147
148 void tlb_flush(CPUState *cpu)
149 {
150 if (cpu->created && !qemu_cpu_is_self(cpu)) {
151 if (atomic_mb_read(&cpu->pending_tlb_flush) != ALL_MMUIDX_BITS) {
152 atomic_mb_set(&cpu->pending_tlb_flush, ALL_MMUIDX_BITS);
153 async_run_on_cpu(cpu, tlb_flush_global_async_work,
154 RUN_ON_CPU_NULL);
155 }
156 } else {
157 tlb_flush_nocheck(cpu);
158 }
159 }
160
161 void tlb_flush_all_cpus(CPUState *src_cpu)
162 {
163 const run_on_cpu_func fn = tlb_flush_global_async_work;
164 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL);
165 fn(src_cpu, RUN_ON_CPU_NULL);
166 }
167
168 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
169 {
170 const run_on_cpu_func fn = tlb_flush_global_async_work;
171 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL);
172 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_NULL);
173 }
174
175 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
176 {
177 CPUArchState *env = cpu->env_ptr;
178 unsigned long mmu_idx_bitmask = data.host_int;
179 int mmu_idx;
180
181 assert_cpu_is_self(cpu);
182
183 tlb_debug("start: mmu_idx:0x%04lx\n", mmu_idx_bitmask);
184
185 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
186
187 if (test_bit(mmu_idx, &mmu_idx_bitmask)) {
188 tlb_debug("%d\n", mmu_idx);
189
190 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
191 memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
192 }
193 }
194
195 cpu_tb_jmp_cache_clear(cpu);
196
197 tlb_debug("done\n");
198 }
199
200 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
201 {
202 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
203
204 if (!qemu_cpu_is_self(cpu)) {
205 uint16_t pending_flushes = idxmap;
206 pending_flushes &= ~atomic_mb_read(&cpu->pending_tlb_flush);
207
208 if (pending_flushes) {
209 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", pending_flushes);
210
211 atomic_or(&cpu->pending_tlb_flush, pending_flushes);
212 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
213 RUN_ON_CPU_HOST_INT(pending_flushes));
214 }
215 } else {
216 tlb_flush_by_mmuidx_async_work(cpu,
217 RUN_ON_CPU_HOST_INT(idxmap));
218 }
219 }
220
221 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
222 {
223 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
224
225 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
226
227 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
228 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
229 }
230
231 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
232 uint16_t idxmap)
233 {
234 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
235
236 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
237
238 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
239 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
240 }
241
242 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
243 target_ulong page)
244 {
245 return tlb_hit_page(tlb_entry->addr_read, page) ||
246 tlb_hit_page(tlb_entry->addr_write, page) ||
247 tlb_hit_page(tlb_entry->addr_code, page);
248 }
249
250 static inline void tlb_flush_entry(CPUTLBEntry *tlb_entry, target_ulong page)
251 {
252 if (tlb_hit_page_anyprot(tlb_entry, page)) {
253 memset(tlb_entry, -1, sizeof(*tlb_entry));
254 }
255 }
256
257 static inline void tlb_flush_vtlb_page(CPUArchState *env, int mmu_idx,
258 target_ulong page)
259 {
260 int k;
261 for (k = 0; k < CPU_VTLB_SIZE; k++) {
262 tlb_flush_entry(&env->tlb_v_table[mmu_idx][k], page);
263 }
264 }
265
266 static void tlb_flush_page_async_work(CPUState *cpu, run_on_cpu_data data)
267 {
268 CPUArchState *env = cpu->env_ptr;
269 target_ulong addr = (target_ulong) data.target_ptr;
270 int i;
271 int mmu_idx;
272
273 assert_cpu_is_self(cpu);
274
275 tlb_debug("page :" TARGET_FMT_lx "\n", addr);
276
277 /* Check if we need to flush due to large pages. */
278 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) {
279 tlb_debug("forcing full flush ("
280 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
281 env->tlb_flush_addr, env->tlb_flush_mask);
282
283 tlb_flush(cpu);
284 return;
285 }
286
287 addr &= TARGET_PAGE_MASK;
288 i = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
289 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
290 tlb_flush_entry(&env->tlb_table[mmu_idx][i], addr);
291 tlb_flush_vtlb_page(env, mmu_idx, addr);
292 }
293
294 tb_flush_jmp_cache(cpu, addr);
295 }
296
297 void tlb_flush_page(CPUState *cpu, target_ulong addr)
298 {
299 tlb_debug("page :" TARGET_FMT_lx "\n", addr);
300
301 if (!qemu_cpu_is_self(cpu)) {
302 async_run_on_cpu(cpu, tlb_flush_page_async_work,
303 RUN_ON_CPU_TARGET_PTR(addr));
304 } else {
305 tlb_flush_page_async_work(cpu, RUN_ON_CPU_TARGET_PTR(addr));
306 }
307 }
308
309 /* As we are going to hijack the bottom bits of the page address for a
310 * mmuidx bit mask we need to fail to build if we can't do that
311 */
312 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
313
314 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
315 run_on_cpu_data data)
316 {
317 CPUArchState *env = cpu->env_ptr;
318 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
319 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
320 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
321 int page = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
322 int mmu_idx;
323
324 assert_cpu_is_self(cpu);
325
326 tlb_debug("page:%d addr:"TARGET_FMT_lx" mmu_idx:0x%lx\n",
327 page, addr, mmu_idx_bitmap);
328
329 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
330 if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
331 tlb_flush_entry(&env->tlb_table[mmu_idx][page], addr);
332 tlb_flush_vtlb_page(env, mmu_idx, addr);
333 }
334 }
335
336 tb_flush_jmp_cache(cpu, addr);
337 }
338
339 static void tlb_check_page_and_flush_by_mmuidx_async_work(CPUState *cpu,
340 run_on_cpu_data data)
341 {
342 CPUArchState *env = cpu->env_ptr;
343 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
344 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
345 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
346
347 tlb_debug("addr:"TARGET_FMT_lx" mmu_idx: %04lx\n", addr, mmu_idx_bitmap);
348
349 /* Check if we need to flush due to large pages. */
350 if ((addr & env->tlb_flush_mask) == env->tlb_flush_addr) {
351 tlb_debug("forced full flush ("
352 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
353 env->tlb_flush_addr, env->tlb_flush_mask);
354
355 tlb_flush_by_mmuidx_async_work(cpu,
356 RUN_ON_CPU_HOST_INT(mmu_idx_bitmap));
357 } else {
358 tlb_flush_page_by_mmuidx_async_work(cpu, data);
359 }
360 }
361
362 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
363 {
364 target_ulong addr_and_mmu_idx;
365
366 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
367
368 /* This should already be page aligned */
369 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
370 addr_and_mmu_idx |= idxmap;
371
372 if (!qemu_cpu_is_self(cpu)) {
373 async_run_on_cpu(cpu, tlb_check_page_and_flush_by_mmuidx_async_work,
374 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
375 } else {
376 tlb_check_page_and_flush_by_mmuidx_async_work(
377 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
378 }
379 }
380
381 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
382 uint16_t idxmap)
383 {
384 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work;
385 target_ulong addr_and_mmu_idx;
386
387 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
388
389 /* This should already be page aligned */
390 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
391 addr_and_mmu_idx |= idxmap;
392
393 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
394 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
395 }
396
397 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
398 target_ulong addr,
399 uint16_t idxmap)
400 {
401 const run_on_cpu_func fn = tlb_check_page_and_flush_by_mmuidx_async_work;
402 target_ulong addr_and_mmu_idx;
403
404 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
405
406 /* This should already be page aligned */
407 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
408 addr_and_mmu_idx |= idxmap;
409
410 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
411 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
412 }
413
414 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
415 {
416 const run_on_cpu_func fn = tlb_flush_page_async_work;
417
418 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
419 fn(src, RUN_ON_CPU_TARGET_PTR(addr));
420 }
421
422 void tlb_flush_page_all_cpus_synced(CPUState *src,
423 target_ulong addr)
424 {
425 const run_on_cpu_func fn = tlb_flush_page_async_work;
426
427 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
428 async_safe_run_on_cpu(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
429 }
430
431 /* update the TLBs so that writes to code in the virtual page 'addr'
432 can be detected */
433 void tlb_protect_code(ram_addr_t ram_addr)
434 {
435 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
436 DIRTY_MEMORY_CODE);
437 }
438
439 /* update the TLB so that writes in physical page 'phys_addr' are no longer
440 tested for self modifying code */
441 void tlb_unprotect_code(ram_addr_t ram_addr)
442 {
443 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
444 }
445
446
447 /*
448 * Dirty write flag handling
449 *
450 * When the TCG code writes to a location it looks up the address in
451 * the TLB and uses that data to compute the final address. If any of
452 * the lower bits of the address are set then the slow path is forced.
453 * There are a number of reasons to do this but for normal RAM the
454 * most usual is detecting writes to code regions which may invalidate
455 * generated code.
456 *
457 * Because we want other vCPUs to respond to changes straight away we
458 * update the te->addr_write field atomically. If the TLB entry has
459 * been changed by the vCPU in the mean time we skip the update.
460 *
461 * As this function uses atomic accesses we also need to ensure
462 * updates to tlb_entries follow the same access rules. We don't need
463 * to worry about this for oversized guests as MTTCG is disabled for
464 * them.
465 */
466
467 static void tlb_reset_dirty_range(CPUTLBEntry *tlb_entry, uintptr_t start,
468 uintptr_t length)
469 {
470 #if TCG_OVERSIZED_GUEST
471 uintptr_t addr = tlb_entry->addr_write;
472
473 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
474 addr &= TARGET_PAGE_MASK;
475 addr += tlb_entry->addend;
476 if ((addr - start) < length) {
477 tlb_entry->addr_write |= TLB_NOTDIRTY;
478 }
479 }
480 #else
481 /* paired with atomic_mb_set in tlb_set_page_with_attrs */
482 uintptr_t orig_addr = atomic_mb_read(&tlb_entry->addr_write);
483 uintptr_t addr = orig_addr;
484
485 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
486 addr &= TARGET_PAGE_MASK;
487 addr += atomic_read(&tlb_entry->addend);
488 if ((addr - start) < length) {
489 uintptr_t notdirty_addr = orig_addr | TLB_NOTDIRTY;
490 atomic_cmpxchg(&tlb_entry->addr_write, orig_addr, notdirty_addr);
491 }
492 }
493 #endif
494 }
495
496 /* For atomic correctness when running MTTCG we need to use the right
497 * primitives when copying entries */
498 static inline void copy_tlb_helper(CPUTLBEntry *d, CPUTLBEntry *s,
499 bool atomic_set)
500 {
501 #if TCG_OVERSIZED_GUEST
502 *d = *s;
503 #else
504 if (atomic_set) {
505 d->addr_read = s->addr_read;
506 d->addr_code = s->addr_code;
507 atomic_set(&d->addend, atomic_read(&s->addend));
508 /* Pairs with flag setting in tlb_reset_dirty_range */
509 atomic_mb_set(&d->addr_write, atomic_read(&s->addr_write));
510 } else {
511 d->addr_read = s->addr_read;
512 d->addr_write = atomic_read(&s->addr_write);
513 d->addr_code = s->addr_code;
514 d->addend = atomic_read(&s->addend);
515 }
516 #endif
517 }
518
519 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
520 * the target vCPU). As such care needs to be taken that we don't
521 * dangerously race with another vCPU update. The only thing actually
522 * updated is the target TLB entry ->addr_write flags.
523 */
524 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
525 {
526 CPUArchState *env;
527
528 int mmu_idx;
529
530 env = cpu->env_ptr;
531 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
532 unsigned int i;
533
534 for (i = 0; i < CPU_TLB_SIZE; i++) {
535 tlb_reset_dirty_range(&env->tlb_table[mmu_idx][i],
536 start1, length);
537 }
538
539 for (i = 0; i < CPU_VTLB_SIZE; i++) {
540 tlb_reset_dirty_range(&env->tlb_v_table[mmu_idx][i],
541 start1, length);
542 }
543 }
544 }
545
546 static inline void tlb_set_dirty1(CPUTLBEntry *tlb_entry, target_ulong vaddr)
547 {
548 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
549 tlb_entry->addr_write = vaddr;
550 }
551 }
552
553 /* update the TLB corresponding to virtual page vaddr
554 so that it is no longer dirty */
555 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
556 {
557 CPUArchState *env = cpu->env_ptr;
558 int i;
559 int mmu_idx;
560
561 assert_cpu_is_self(cpu);
562
563 vaddr &= TARGET_PAGE_MASK;
564 i = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
565 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
566 tlb_set_dirty1(&env->tlb_table[mmu_idx][i], vaddr);
567 }
568
569 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
570 int k;
571 for (k = 0; k < CPU_VTLB_SIZE; k++) {
572 tlb_set_dirty1(&env->tlb_v_table[mmu_idx][k], vaddr);
573 }
574 }
575 }
576
577 /* Our TLB does not support large pages, so remember the area covered by
578 large pages and trigger a full TLB flush if these are invalidated. */
579 static void tlb_add_large_page(CPUArchState *env, target_ulong vaddr,
580 target_ulong size)
581 {
582 target_ulong mask = ~(size - 1);
583
584 if (env->tlb_flush_addr == (target_ulong)-1) {
585 env->tlb_flush_addr = vaddr & mask;
586 env->tlb_flush_mask = mask;
587 return;
588 }
589 /* Extend the existing region to include the new page.
590 This is a compromise between unnecessary flushes and the cost
591 of maintaining a full variable size TLB. */
592 mask &= env->tlb_flush_mask;
593 while (((env->tlb_flush_addr ^ vaddr) & mask) != 0) {
594 mask <<= 1;
595 }
596 env->tlb_flush_addr &= mask;
597 env->tlb_flush_mask = mask;
598 }
599
600 /* Add a new TLB entry. At most one entry for a given virtual address
601 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
602 * supplied size is only used by tlb_flush_page.
603 *
604 * Called from TCG-generated code, which is under an RCU read-side
605 * critical section.
606 */
607 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
608 hwaddr paddr, MemTxAttrs attrs, int prot,
609 int mmu_idx, target_ulong size)
610 {
611 CPUArchState *env = cpu->env_ptr;
612 MemoryRegionSection *section;
613 unsigned int index;
614 target_ulong address;
615 target_ulong code_address;
616 uintptr_t addend;
617 CPUTLBEntry *te, tn;
618 hwaddr iotlb, xlat, sz, paddr_page;
619 target_ulong vaddr_page;
620 int asidx = cpu_asidx_from_attrs(cpu, attrs);
621
622 assert_cpu_is_self(cpu);
623
624 if (size < TARGET_PAGE_SIZE) {
625 sz = TARGET_PAGE_SIZE;
626 } else {
627 if (size > TARGET_PAGE_SIZE) {
628 tlb_add_large_page(env, vaddr, size);
629 }
630 sz = size;
631 }
632 vaddr_page = vaddr & TARGET_PAGE_MASK;
633 paddr_page = paddr & TARGET_PAGE_MASK;
634
635 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
636 &xlat, &sz, attrs, &prot);
637 assert(sz >= TARGET_PAGE_SIZE);
638
639 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
640 " prot=%x idx=%d\n",
641 vaddr, paddr, prot, mmu_idx);
642
643 address = vaddr_page;
644 if (size < TARGET_PAGE_SIZE) {
645 /*
646 * Slow-path the TLB entries; we will repeat the MMU check and TLB
647 * fill on every access.
648 */
649 address |= TLB_RECHECK;
650 }
651 if (!memory_region_is_ram(section->mr) &&
652 !memory_region_is_romd(section->mr)) {
653 /* IO memory case */
654 address |= TLB_MMIO;
655 addend = 0;
656 } else {
657 /* TLB_MMIO for rom/romd handled below */
658 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
659 }
660
661 /* Make sure there's no cached translation for the new page. */
662 tlb_flush_vtlb_page(env, mmu_idx, vaddr_page);
663
664 code_address = address;
665 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
666 paddr_page, xlat, prot, &address);
667
668 index = (vaddr_page >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
669 te = &env->tlb_table[mmu_idx][index];
670
671 /*
672 * Only evict the old entry to the victim tlb if it's for a
673 * different page; otherwise just overwrite the stale data.
674 */
675 if (!tlb_hit_page_anyprot(te, vaddr_page)) {
676 unsigned vidx = env->vtlb_index++ % CPU_VTLB_SIZE;
677 CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];
678
679 /* Evict the old entry into the victim tlb. */
680 copy_tlb_helper(tv, te, true);
681 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
682 }
683
684 /* refill the tlb */
685 /*
686 * At this point iotlb contains a physical section number in the lower
687 * TARGET_PAGE_BITS, and either
688 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
689 * + the offset within section->mr of the page base (otherwise)
690 * We subtract the vaddr_page (which is page aligned and thus won't
691 * disturb the low bits) to give an offset which can be added to the
692 * (non-page-aligned) vaddr of the eventual memory access to get
693 * the MemoryRegion offset for the access. Note that the vaddr we
694 * subtract here is that of the page base, and not the same as the
695 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
696 */
697 env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
698 env->iotlb[mmu_idx][index].attrs = attrs;
699
700 /* Now calculate the new entry */
701 tn.addend = addend - vaddr_page;
702 if (prot & PAGE_READ) {
703 tn.addr_read = address;
704 } else {
705 tn.addr_read = -1;
706 }
707
708 if (prot & PAGE_EXEC) {
709 tn.addr_code = code_address;
710 } else {
711 tn.addr_code = -1;
712 }
713
714 tn.addr_write = -1;
715 if (prot & PAGE_WRITE) {
716 if ((memory_region_is_ram(section->mr) && section->readonly)
717 || memory_region_is_romd(section->mr)) {
718 /* Write access calls the I/O callback. */
719 tn.addr_write = address | TLB_MMIO;
720 } else if (memory_region_is_ram(section->mr)
721 && cpu_physical_memory_is_clean(
722 memory_region_get_ram_addr(section->mr) + xlat)) {
723 tn.addr_write = address | TLB_NOTDIRTY;
724 } else {
725 tn.addr_write = address;
726 }
727 if (prot & PAGE_WRITE_INV) {
728 tn.addr_write |= TLB_INVALID_MASK;
729 }
730 }
731
732 /* Pairs with flag setting in tlb_reset_dirty_range */
733 copy_tlb_helper(te, &tn, true);
734 /* atomic_mb_set(&te->addr_write, write_address); */
735 }
736
737 /* Add a new TLB entry, but without specifying the memory
738 * transaction attributes to be used.
739 */
740 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
741 hwaddr paddr, int prot,
742 int mmu_idx, target_ulong size)
743 {
744 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
745 prot, mmu_idx, size);
746 }
747
748 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
749 {
750 ram_addr_t ram_addr;
751
752 ram_addr = qemu_ram_addr_from_host(ptr);
753 if (ram_addr == RAM_ADDR_INVALID) {
754 error_report("Bad ram pointer %p", ptr);
755 abort();
756 }
757 return ram_addr;
758 }
759
760 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
761 int mmu_idx,
762 target_ulong addr, uintptr_t retaddr,
763 bool recheck, MMUAccessType access_type, int size)
764 {
765 CPUState *cpu = ENV_GET_CPU(env);
766 hwaddr mr_offset;
767 MemoryRegionSection *section;
768 MemoryRegion *mr;
769 uint64_t val;
770 bool locked = false;
771 MemTxResult r;
772
773 if (recheck) {
774 /*
775 * This is a TLB_RECHECK access, where the MMU protection
776 * covers a smaller range than a target page, and we must
777 * repeat the MMU check here. This tlb_fill() call might
778 * longjump out if this access should cause a guest exception.
779 */
780 int index;
781 target_ulong tlb_addr;
782
783 tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
784
785 index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
786 tlb_addr = env->tlb_table[mmu_idx][index].addr_read;
787 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
788 /* RAM access */
789 uintptr_t haddr = addr + env->tlb_table[mmu_idx][index].addend;
790
791 return ldn_p((void *)haddr, size);
792 }
793 /* Fall through for handling IO accesses */
794 }
795
796 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
797 mr = section->mr;
798 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
799 cpu->mem_io_pc = retaddr;
800 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
801 cpu_io_recompile(cpu, retaddr);
802 }
803
804 cpu->mem_io_vaddr = addr;
805 cpu->mem_io_access_type = access_type;
806
807 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
808 qemu_mutex_lock_iothread();
809 locked = true;
810 }
811 r = memory_region_dispatch_read(mr, mr_offset,
812 &val, size, iotlbentry->attrs);
813 if (r != MEMTX_OK) {
814 hwaddr physaddr = mr_offset +
815 section->offset_within_address_space -
816 section->offset_within_region;
817
818 cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
819 mmu_idx, iotlbentry->attrs, r, retaddr);
820 }
821 if (locked) {
822 qemu_mutex_unlock_iothread();
823 }
824
825 return val;
826 }
827
828 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
829 int mmu_idx,
830 uint64_t val, target_ulong addr,
831 uintptr_t retaddr, bool recheck, int size)
832 {
833 CPUState *cpu = ENV_GET_CPU(env);
834 hwaddr mr_offset;
835 MemoryRegionSection *section;
836 MemoryRegion *mr;
837 bool locked = false;
838 MemTxResult r;
839
840 if (recheck) {
841 /*
842 * This is a TLB_RECHECK access, where the MMU protection
843 * covers a smaller range than a target page, and we must
844 * repeat the MMU check here. This tlb_fill() call might
845 * longjump out if this access should cause a guest exception.
846 */
847 int index;
848 target_ulong tlb_addr;
849
850 tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
851
852 index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
853 tlb_addr = env->tlb_table[mmu_idx][index].addr_write;
854 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
855 /* RAM access */
856 uintptr_t haddr = addr + env->tlb_table[mmu_idx][index].addend;
857
858 stn_p((void *)haddr, size, val);
859 return;
860 }
861 /* Fall through for handling IO accesses */
862 }
863
864 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
865 mr = section->mr;
866 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
867 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
868 cpu_io_recompile(cpu, retaddr);
869 }
870 cpu->mem_io_vaddr = addr;
871 cpu->mem_io_pc = retaddr;
872
873 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
874 qemu_mutex_lock_iothread();
875 locked = true;
876 }
877 r = memory_region_dispatch_write(mr, mr_offset,
878 val, size, iotlbentry->attrs);
879 if (r != MEMTX_OK) {
880 hwaddr physaddr = mr_offset +
881 section->offset_within_address_space -
882 section->offset_within_region;
883
884 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
885 mmu_idx, iotlbentry->attrs, r, retaddr);
886 }
887 if (locked) {
888 qemu_mutex_unlock_iothread();
889 }
890 }
891
892 /* Return true if ADDR is present in the victim tlb, and has been copied
893 back to the main tlb. */
894 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
895 size_t elt_ofs, target_ulong page)
896 {
897 size_t vidx;
898 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
899 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
900 target_ulong cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
901
902 if (cmp == page) {
903 /* Found entry in victim tlb, swap tlb and iotlb. */
904 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];
905
906 copy_tlb_helper(&tmptlb, tlb, false);
907 copy_tlb_helper(tlb, vtlb, true);
908 copy_tlb_helper(vtlb, &tmptlb, true);
909
910 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
911 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
912 tmpio = *io; *io = *vio; *vio = tmpio;
913 return true;
914 }
915 }
916 return false;
917 }
918
919 /* Macro to call the above, with local variables from the use context. */
920 #define VICTIM_TLB_HIT(TY, ADDR) \
921 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
922 (ADDR) & TARGET_PAGE_MASK)
923
924 /* NOTE: this function can trigger an exception */
925 /* NOTE2: the returned address is not exactly the physical address: it
926 * is actually a ram_addr_t (in system mode; the user mode emulation
927 * version of this function returns a guest virtual address).
928 */
929 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
930 {
931 int mmu_idx, index;
932 void *p;
933
934 index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
935 mmu_idx = cpu_mmu_index(env, true);
936 if (unlikely(!tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr))) {
937 if (!VICTIM_TLB_HIT(addr_code, addr)) {
938 tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
939 }
940 assert(tlb_hit(env->tlb_table[mmu_idx][index].addr_code, addr));
941 }
942
943 if (unlikely(env->tlb_table[mmu_idx][index].addr_code &
944 (TLB_RECHECK | TLB_MMIO))) {
945 /*
946 * Return -1 if we can't translate and execute from an entire
947 * page of RAM here, which will cause us to execute by loading
948 * and translating one insn at a time, without caching:
949 * - TLB_RECHECK: means the MMU protection covers a smaller range
950 * than a target page, so we must redo the MMU check every insn
951 * - TLB_MMIO: region is not backed by RAM
952 */
953 return -1;
954 }
955
956 p = (void *)((uintptr_t)addr + env->tlb_table[mmu_idx][index].addend);
957 return qemu_ram_addr_from_host_nofail(p);
958 }
959
960 /* Probe for whether the specified guest write access is permitted.
961 * If it is not permitted then an exception will be taken in the same
962 * way as if this were a real write access (and we will not return).
963 * Otherwise the function will return, and there will be a valid
964 * entry in the TLB for this access.
965 */
966 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
967 uintptr_t retaddr)
968 {
969 int index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
970 target_ulong tlb_addr = env->tlb_table[mmu_idx][index].addr_write;
971
972 if (!tlb_hit(tlb_addr, addr)) {
973 /* TLB entry is for a different page */
974 if (!VICTIM_TLB_HIT(addr_write, addr)) {
975 tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
976 mmu_idx, retaddr);
977 }
978 }
979 }
980
981 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
982 * operations, or io operations to proceed. Return the host address. */
983 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
984 TCGMemOpIdx oi, uintptr_t retaddr,
985 NotDirtyInfo *ndi)
986 {
987 size_t mmu_idx = get_mmuidx(oi);
988 size_t index = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
989 CPUTLBEntry *tlbe = &env->tlb_table[mmu_idx][index];
990 target_ulong tlb_addr = tlbe->addr_write;
991 TCGMemOp mop = get_memop(oi);
992 int a_bits = get_alignment_bits(mop);
993 int s_bits = mop & MO_SIZE;
994 void *hostaddr;
995
996 /* Adjust the given return address. */
997 retaddr -= GETPC_ADJ;
998
999 /* Enforce guest required alignment. */
1000 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
1001 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
1002 cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
1003 mmu_idx, retaddr);
1004 }
1005
1006 /* Enforce qemu required alignment. */
1007 if (unlikely(addr & ((1 << s_bits) - 1))) {
1008 /* We get here if guest alignment was not requested,
1009 or was not enforced by cpu_unaligned_access above.
1010 We might widen the access and emulate, but for now
1011 mark an exception and exit the cpu loop. */
1012 goto stop_the_world;
1013 }
1014
1015 /* Check TLB entry and enforce page permissions. */
1016 if (!tlb_hit(tlb_addr, addr)) {
1017 if (!VICTIM_TLB_HIT(addr_write, addr)) {
1018 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
1019 mmu_idx, retaddr);
1020 }
1021 tlb_addr = tlbe->addr_write & ~TLB_INVALID_MASK;
1022 }
1023
1024 /* Notice an IO access or a needs-MMU-lookup access */
1025 if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
1026 /* There's really nothing that can be done to
1027 support this apart from stop-the-world. */
1028 goto stop_the_world;
1029 }
1030
1031 /* Let the guest notice RMW on a write-only page. */
1032 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
1033 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
1034 mmu_idx, retaddr);
1035 /* Since we don't support reads and writes to different addresses,
1036 and we do have the proper page loaded for write, this shouldn't
1037 ever return. But just in case, handle via stop-the-world. */
1038 goto stop_the_world;
1039 }
1040
1041 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
1042
1043 ndi->active = false;
1044 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
1045 ndi->active = true;
1046 memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
1047 qemu_ram_addr_from_host_nofail(hostaddr),
1048 1 << s_bits);
1049 }
1050
1051 return hostaddr;
1052
1053 stop_the_world:
1054 cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
1055 }
1056
1057 #ifdef TARGET_WORDS_BIGENDIAN
1058 # define TGT_BE(X) (X)
1059 # define TGT_LE(X) BSWAP(X)
1060 #else
1061 # define TGT_BE(X) BSWAP(X)
1062 # define TGT_LE(X) (X)
1063 #endif
1064
1065 #define MMUSUFFIX _mmu
1066
1067 #define DATA_SIZE 1
1068 #include "softmmu_template.h"
1069
1070 #define DATA_SIZE 2
1071 #include "softmmu_template.h"
1072
1073 #define DATA_SIZE 4
1074 #include "softmmu_template.h"
1075
1076 #define DATA_SIZE 8
1077 #include "softmmu_template.h"
1078
1079 /* First set of helpers allows passing in of OI and RETADDR. This makes
1080 them callable from other helpers. */
1081
1082 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1083 #define ATOMIC_NAME(X) \
1084 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1085 #define ATOMIC_MMU_DECLS NotDirtyInfo ndi
1086 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
1087 #define ATOMIC_MMU_CLEANUP \
1088 do { \
1089 if (unlikely(ndi.active)) { \
1090 memory_notdirty_write_complete(&ndi); \
1091 } \
1092 } while (0)
1093
1094 #define DATA_SIZE 1
1095 #include "atomic_template.h"
1096
1097 #define DATA_SIZE 2
1098 #include "atomic_template.h"
1099
1100 #define DATA_SIZE 4
1101 #include "atomic_template.h"
1102
1103 #ifdef CONFIG_ATOMIC64
1104 #define DATA_SIZE 8
1105 #include "atomic_template.h"
1106 #endif
1107
1108 #ifdef CONFIG_ATOMIC128
1109 #define DATA_SIZE 16
1110 #include "atomic_template.h"
1111 #endif
1112
1113 /* Second set of helpers are directly callable from TCG as helpers. */
1114
1115 #undef EXTRA_ARGS
1116 #undef ATOMIC_NAME
1117 #undef ATOMIC_MMU_LOOKUP
1118 #define EXTRA_ARGS , TCGMemOpIdx oi
1119 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1120 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)
1121
1122 #define DATA_SIZE 1
1123 #include "atomic_template.h"
1124
1125 #define DATA_SIZE 2
1126 #include "atomic_template.h"
1127
1128 #define DATA_SIZE 4
1129 #include "atomic_template.h"
1130
1131 #ifdef CONFIG_ATOMIC64
1132 #define DATA_SIZE 8
1133 #include "atomic_template.h"
1134 #endif
1135
1136 /* Code access functions. */
1137
1138 #undef MMUSUFFIX
1139 #define MMUSUFFIX _cmmu
1140 #undef GETPC
1141 #define GETPC() ((uintptr_t)0)
1142 #define SOFTMMU_CODE_ACCESS
1143
1144 #define DATA_SIZE 1
1145 #include "softmmu_template.h"
1146
1147 #define DATA_SIZE 2
1148 #include "softmmu_template.h"
1149
1150 #define DATA_SIZE 4
1151 #include "softmmu_template.h"
1152
1153 #define DATA_SIZE 8
1154 #include "softmmu_template.h"
AR7 emulation for QEMU