search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
cputlb: Merge tlb_flush_page into tlb_flush_page_by_mmuidx
[qemu/kevin.git] / accel / tcg / cputlb.c
blob1f7764de94c6c78b4f5881324eab298de9013808
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/address-spaces.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/cputlb.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35 #include "qemu/atomic128.h"
36
37 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
38 /* #define DEBUG_TLB */
39 /* #define DEBUG_TLB_LOG */
40
41 #ifdef DEBUG_TLB
42 # define DEBUG_TLB_GATE 1
43 # ifdef DEBUG_TLB_LOG
44 # define DEBUG_TLB_LOG_GATE 1
45 # else
46 # define DEBUG_TLB_LOG_GATE 0
47 # endif
48 #else
49 # define DEBUG_TLB_GATE 0
50 # define DEBUG_TLB_LOG_GATE 0
51 #endif
52
53 #define tlb_debug(fmt, ...) do { \
54 if (DEBUG_TLB_LOG_GATE) { \
55 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
56 ## __VA_ARGS__); \
57 } else if (DEBUG_TLB_GATE) { \
58 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
59 } \
60 } while (0)
61
62 #define assert_cpu_is_self(cpu) do { \
63 if (DEBUG_TLB_GATE) { \
64 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
65 } \
66 } while (0)
67
68 /* run_on_cpu_data.target_ptr should always be big enough for a
69 * target_ulong even on 32 bit builds */
70 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
71
72 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
73 */
74 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
75 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
76
77 void tlb_init(CPUState *cpu)
78 {
79 CPUArchState *env = cpu->env_ptr;
80
81 qemu_spin_init(&env->tlb_c.lock);
82 }
83
84 /* flush_all_helper: run fn across all cpus
85 *
86 * If the wait flag is set then the src cpu's helper will be queued as
87 * "safe" work and the loop exited creating a synchronisation point
88 * where all queued work will be finished before execution starts
89 * again.
90 */
91 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
92 run_on_cpu_data d)
93 {
94 CPUState *cpu;
95
96 CPU_FOREACH(cpu) {
97 if (cpu != src) {
98 async_run_on_cpu(cpu, fn, d);
99 }
100 }
101 }
102
103 size_t tlb_flush_count(void)
104 {
105 CPUState *cpu;
106 size_t count = 0;
107
108 CPU_FOREACH(cpu) {
109 CPUArchState *env = cpu->env_ptr;
110
111 count += atomic_read(&env->tlb_flush_count);
112 }
113 return count;
114 }
115
116 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
117 {
118 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
119 memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
120 env->tlb_d[mmu_idx].large_page_addr = -1;
121 env->tlb_d[mmu_idx].large_page_mask = -1;
122 env->tlb_d[mmu_idx].vindex = 0;
123 }
124
125 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
126 {
127 CPUArchState *env = cpu->env_ptr;
128 unsigned long mmu_idx_bitmask = data.host_int;
129 int mmu_idx;
130
131 assert_cpu_is_self(cpu);
132
133 tlb_debug("mmu_idx:0x%04lx\n", mmu_idx_bitmask);
134
135 qemu_spin_lock(&env->tlb_c.lock);
136 env->tlb_c.pending_flush &= ~mmu_idx_bitmask;
137
138 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
139 if (test_bit(mmu_idx, &mmu_idx_bitmask)) {
140 tlb_flush_one_mmuidx_locked(env, mmu_idx);
141 }
142 }
143 qemu_spin_unlock(&env->tlb_c.lock);
144
145 cpu_tb_jmp_cache_clear(cpu);
146
147 if (mmu_idx_bitmask == ALL_MMUIDX_BITS) {
148 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1);
149 }
150 }
151
152 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
153 {
154 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
155
156 if (cpu->created && !qemu_cpu_is_self(cpu)) {
157 CPUArchState *env = cpu->env_ptr;
158 uint16_t pending, to_clean;
159
160 qemu_spin_lock(&env->tlb_c.lock);
161 pending = env->tlb_c.pending_flush;
162 to_clean = idxmap & ~pending;
163 env->tlb_c.pending_flush = pending | idxmap;
164 qemu_spin_unlock(&env->tlb_c.lock);
165
166 if (to_clean) {
167 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", to_clean);
168 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
169 RUN_ON_CPU_HOST_INT(to_clean));
170 }
171 } else {
172 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
173 }
174 }
175
176 void tlb_flush(CPUState *cpu)
177 {
178 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
179 }
180
181 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
182 {
183 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
184
185 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
186
187 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
188 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
189 }
190
191 void tlb_flush_all_cpus(CPUState *src_cpu)
192 {
193 tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
194 }
195
196 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
197 {
198 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
199
200 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
201
202 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
203 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
204 }
205
206 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
207 {
208 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
209 }
210
211 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
212 target_ulong page)
213 {
214 return tlb_hit_page(tlb_entry->addr_read, page) ||
215 tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
216 tlb_hit_page(tlb_entry->addr_code, page);
217 }
218
219 /* Called with tlb_c.lock held */
220 static inline void tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
221 target_ulong page)
222 {
223 if (tlb_hit_page_anyprot(tlb_entry, page)) {
224 memset(tlb_entry, -1, sizeof(*tlb_entry));
225 }
226 }
227
228 /* Called with tlb_c.lock held */
229 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
230 target_ulong page)
231 {
232 int k;
233
234 assert_cpu_is_self(ENV_GET_CPU(env));
235 for (k = 0; k < CPU_VTLB_SIZE; k++) {
236 tlb_flush_entry_locked(&env->tlb_v_table[mmu_idx][k], page);
237 }
238 }
239
240 static void tlb_flush_page_locked(CPUArchState *env, int midx,
241 target_ulong page)
242 {
243 target_ulong lp_addr = env->tlb_d[midx].large_page_addr;
244 target_ulong lp_mask = env->tlb_d[midx].large_page_mask;
245
246 /* Check if we need to flush due to large pages. */
247 if ((page & lp_mask) == lp_addr) {
248 tlb_debug("forcing full flush midx %d ("
249 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
250 midx, lp_addr, lp_mask);
251 tlb_flush_one_mmuidx_locked(env, midx);
252 } else {
253 tlb_flush_entry_locked(tlb_entry(env, midx, page), page);
254 tlb_flush_vtlb_page_locked(env, midx, page);
255 }
256 }
257
258 /* As we are going to hijack the bottom bits of the page address for a
259 * mmuidx bit mask we need to fail to build if we can't do that
260 */
261 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
262
263 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
264 run_on_cpu_data data)
265 {
266 CPUArchState *env = cpu->env_ptr;
267 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
268 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
269 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
270 int mmu_idx;
271
272 assert_cpu_is_self(cpu);
273
274 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
275 addr, mmu_idx_bitmap);
276
277 qemu_spin_lock(&env->tlb_c.lock);
278 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
279 if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
280 tlb_flush_page_locked(env, mmu_idx, addr);
281 }
282 }
283 qemu_spin_unlock(&env->tlb_c.lock);
284
285 tb_flush_jmp_cache(cpu, addr);
286 }
287
288 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
289 {
290 target_ulong addr_and_mmu_idx;
291
292 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
293
294 /* This should already be page aligned */
295 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
296 addr_and_mmu_idx |= idxmap;
297
298 if (!qemu_cpu_is_self(cpu)) {
299 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
300 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
301 } else {
302 tlb_flush_page_by_mmuidx_async_work(
303 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
304 }
305 }
306
307 void tlb_flush_page(CPUState *cpu, target_ulong addr)
308 {
309 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
310 }
311
312 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
313 uint16_t idxmap)
314 {
315 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
316 target_ulong addr_and_mmu_idx;
317
318 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
319
320 /* This should already be page aligned */
321 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
322 addr_and_mmu_idx |= idxmap;
323
324 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
325 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
326 }
327
328 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
329 {
330 tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS);
331 }
332
333 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
334 target_ulong addr,
335 uint16_t idxmap)
336 {
337 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
338 target_ulong addr_and_mmu_idx;
339
340 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
341
342 /* This should already be page aligned */
343 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
344 addr_and_mmu_idx |= idxmap;
345
346 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
347 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
348 }
349
350 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
351 {
352 tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
353 }
354
355 /* update the TLBs so that writes to code in the virtual page 'addr'
356 can be detected */
357 void tlb_protect_code(ram_addr_t ram_addr)
358 {
359 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
360 DIRTY_MEMORY_CODE);
361 }
362
363 /* update the TLB so that writes in physical page 'phys_addr' are no longer
364 tested for self modifying code */
365 void tlb_unprotect_code(ram_addr_t ram_addr)
366 {
367 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
368 }
369
370
371 /*
372 * Dirty write flag handling
373 *
374 * When the TCG code writes to a location it looks up the address in
375 * the TLB and uses that data to compute the final address. If any of
376 * the lower bits of the address are set then the slow path is forced.
377 * There are a number of reasons to do this but for normal RAM the
378 * most usual is detecting writes to code regions which may invalidate
379 * generated code.
380 *
381 * Other vCPUs might be reading their TLBs during guest execution, so we update
382 * te->addr_write with atomic_set. We don't need to worry about this for
383 * oversized guests as MTTCG is disabled for them.
384 *
385 * Called with tlb_c.lock held.
386 */
387 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
388 uintptr_t start, uintptr_t length)
389 {
390 uintptr_t addr = tlb_entry->addr_write;
391
392 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
393 addr &= TARGET_PAGE_MASK;
394 addr += tlb_entry->addend;
395 if ((addr - start) < length) {
396 #if TCG_OVERSIZED_GUEST
397 tlb_entry->addr_write |= TLB_NOTDIRTY;
398 #else
399 atomic_set(&tlb_entry->addr_write,
400 tlb_entry->addr_write | TLB_NOTDIRTY);
401 #endif
402 }
403 }
404 }
405
406 /*
407 * Called with tlb_c.lock held.
408 * Called only from the vCPU context, i.e. the TLB's owner thread.
409 */
410 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
411 {
412 *d = *s;
413 }
414
415 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
416 * the target vCPU).
417 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
418 * thing actually updated is the target TLB entry ->addr_write flags.
419 */
420 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
421 {
422 CPUArchState *env;
423
424 int mmu_idx;
425
426 env = cpu->env_ptr;
427 qemu_spin_lock(&env->tlb_c.lock);
428 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
429 unsigned int i;
430
431 for (i = 0; i < CPU_TLB_SIZE; i++) {
432 tlb_reset_dirty_range_locked(&env->tlb_table[mmu_idx][i], start1,
433 length);
434 }
435
436 for (i = 0; i < CPU_VTLB_SIZE; i++) {
437 tlb_reset_dirty_range_locked(&env->tlb_v_table[mmu_idx][i], start1,
438 length);
439 }
440 }
441 qemu_spin_unlock(&env->tlb_c.lock);
442 }
443
444 /* Called with tlb_c.lock held */
445 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
446 target_ulong vaddr)
447 {
448 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
449 tlb_entry->addr_write = vaddr;
450 }
451 }
452
453 /* update the TLB corresponding to virtual page vaddr
454 so that it is no longer dirty */
455 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
456 {
457 CPUArchState *env = cpu->env_ptr;
458 int mmu_idx;
459
460 assert_cpu_is_self(cpu);
461
462 vaddr &= TARGET_PAGE_MASK;
463 qemu_spin_lock(&env->tlb_c.lock);
464 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
465 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
466 }
467
468 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
469 int k;
470 for (k = 0; k < CPU_VTLB_SIZE; k++) {
471 tlb_set_dirty1_locked(&env->tlb_v_table[mmu_idx][k], vaddr);
472 }
473 }
474 qemu_spin_unlock(&env->tlb_c.lock);
475 }
476
477 /* Our TLB does not support large pages, so remember the area covered by
478 large pages and trigger a full TLB flush if these are invalidated. */
479 static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
480 target_ulong vaddr, target_ulong size)
481 {
482 target_ulong lp_addr = env->tlb_d[mmu_idx].large_page_addr;
483 target_ulong lp_mask = ~(size - 1);
484
485 if (lp_addr == (target_ulong)-1) {
486 /* No previous large page. */
487 lp_addr = vaddr;
488 } else {
489 /* Extend the existing region to include the new page.
490 This is a compromise between unnecessary flushes and
491 the cost of maintaining a full variable size TLB. */
492 lp_mask &= env->tlb_d[mmu_idx].large_page_mask;
493 while (((lp_addr ^ vaddr) & lp_mask) != 0) {
494 lp_mask <<= 1;
495 }
496 }
497 env->tlb_d[mmu_idx].large_page_addr = lp_addr & lp_mask;
498 env->tlb_d[mmu_idx].large_page_mask = lp_mask;
499 }
500
501 /* Add a new TLB entry. At most one entry for a given virtual address
502 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
503 * supplied size is only used by tlb_flush_page.
504 *
505 * Called from TCG-generated code, which is under an RCU read-side
506 * critical section.
507 */
508 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
509 hwaddr paddr, MemTxAttrs attrs, int prot,
510 int mmu_idx, target_ulong size)
511 {
512 CPUArchState *env = cpu->env_ptr;
513 MemoryRegionSection *section;
514 unsigned int index;
515 target_ulong address;
516 target_ulong code_address;
517 uintptr_t addend;
518 CPUTLBEntry *te, tn;
519 hwaddr iotlb, xlat, sz, paddr_page;
520 target_ulong vaddr_page;
521 int asidx = cpu_asidx_from_attrs(cpu, attrs);
522
523 assert_cpu_is_self(cpu);
524
525 if (size <= TARGET_PAGE_SIZE) {
526 sz = TARGET_PAGE_SIZE;
527 } else {
528 tlb_add_large_page(env, mmu_idx, vaddr, size);
529 sz = size;
530 }
531 vaddr_page = vaddr & TARGET_PAGE_MASK;
532 paddr_page = paddr & TARGET_PAGE_MASK;
533
534 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
535 &xlat, &sz, attrs, &prot);
536 assert(sz >= TARGET_PAGE_SIZE);
537
538 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
539 " prot=%x idx=%d\n",
540 vaddr, paddr, prot, mmu_idx);
541
542 address = vaddr_page;
543 if (size < TARGET_PAGE_SIZE) {
544 /*
545 * Slow-path the TLB entries; we will repeat the MMU check and TLB
546 * fill on every access.
547 */
548 address |= TLB_RECHECK;
549 }
550 if (!memory_region_is_ram(section->mr) &&
551 !memory_region_is_romd(section->mr)) {
552 /* IO memory case */
553 address |= TLB_MMIO;
554 addend = 0;
555 } else {
556 /* TLB_MMIO for rom/romd handled below */
557 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
558 }
559
560 code_address = address;
561 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
562 paddr_page, xlat, prot, &address);
563
564 index = tlb_index(env, mmu_idx, vaddr_page);
565 te = tlb_entry(env, mmu_idx, vaddr_page);
566
567 /*
568 * Hold the TLB lock for the rest of the function. We could acquire/release
569 * the lock several times in the function, but it is faster to amortize the
570 * acquisition cost by acquiring it just once. Note that this leads to
571 * a longer critical section, but this is not a concern since the TLB lock
572 * is unlikely to be contended.
573 */
574 qemu_spin_lock(&env->tlb_c.lock);
575
576 /* Make sure there's no cached translation for the new page. */
577 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);
578
579 /*
580 * Only evict the old entry to the victim tlb if it's for a
581 * different page; otherwise just overwrite the stale data.
582 */
583 if (!tlb_hit_page_anyprot(te, vaddr_page)) {
584 unsigned vidx = env->tlb_d[mmu_idx].vindex++ % CPU_VTLB_SIZE;
585 CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];
586
587 /* Evict the old entry into the victim tlb. */
588 copy_tlb_helper_locked(tv, te);
589 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
590 }
591
592 /* refill the tlb */
593 /*
594 * At this point iotlb contains a physical section number in the lower
595 * TARGET_PAGE_BITS, and either
596 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
597 * + the offset within section->mr of the page base (otherwise)
598 * We subtract the vaddr_page (which is page aligned and thus won't
599 * disturb the low bits) to give an offset which can be added to the
600 * (non-page-aligned) vaddr of the eventual memory access to get
601 * the MemoryRegion offset for the access. Note that the vaddr we
602 * subtract here is that of the page base, and not the same as the
603 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
604 */
605 env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
606 env->iotlb[mmu_idx][index].attrs = attrs;
607
608 /* Now calculate the new entry */
609 tn.addend = addend - vaddr_page;
610 if (prot & PAGE_READ) {
611 tn.addr_read = address;
612 } else {
613 tn.addr_read = -1;
614 }
615
616 if (prot & PAGE_EXEC) {
617 tn.addr_code = code_address;
618 } else {
619 tn.addr_code = -1;
620 }
621
622 tn.addr_write = -1;
623 if (prot & PAGE_WRITE) {
624 if ((memory_region_is_ram(section->mr) && section->readonly)
625 || memory_region_is_romd(section->mr)) {
626 /* Write access calls the I/O callback. */
627 tn.addr_write = address | TLB_MMIO;
628 } else if (memory_region_is_ram(section->mr)
629 && cpu_physical_memory_is_clean(
630 memory_region_get_ram_addr(section->mr) + xlat)) {
631 tn.addr_write = address | TLB_NOTDIRTY;
632 } else {
633 tn.addr_write = address;
634 }
635 if (prot & PAGE_WRITE_INV) {
636 tn.addr_write |= TLB_INVALID_MASK;
637 }
638 }
639
640 copy_tlb_helper_locked(te, &tn);
641 qemu_spin_unlock(&env->tlb_c.lock);
642 }
643
644 /* Add a new TLB entry, but without specifying the memory
645 * transaction attributes to be used.
646 */
647 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
648 hwaddr paddr, int prot,
649 int mmu_idx, target_ulong size)
650 {
651 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
652 prot, mmu_idx, size);
653 }
654
655 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
656 {
657 ram_addr_t ram_addr;
658
659 ram_addr = qemu_ram_addr_from_host(ptr);
660 if (ram_addr == RAM_ADDR_INVALID) {
661 error_report("Bad ram pointer %p", ptr);
662 abort();
663 }
664 return ram_addr;
665 }
666
667 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
668 int mmu_idx,
669 target_ulong addr, uintptr_t retaddr,
670 bool recheck, MMUAccessType access_type, int size)
671 {
672 CPUState *cpu = ENV_GET_CPU(env);
673 hwaddr mr_offset;
674 MemoryRegionSection *section;
675 MemoryRegion *mr;
676 uint64_t val;
677 bool locked = false;
678 MemTxResult r;
679
680 if (recheck) {
681 /*
682 * This is a TLB_RECHECK access, where the MMU protection
683 * covers a smaller range than a target page, and we must
684 * repeat the MMU check here. This tlb_fill() call might
685 * longjump out if this access should cause a guest exception.
686 */
687 CPUTLBEntry *entry;
688 target_ulong tlb_addr;
689
690 tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
691
692 entry = tlb_entry(env, mmu_idx, addr);
693 tlb_addr = entry->addr_read;
694 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
695 /* RAM access */
696 uintptr_t haddr = addr + entry->addend;
697
698 return ldn_p((void *)haddr, size);
699 }
700 /* Fall through for handling IO accesses */
701 }
702
703 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
704 mr = section->mr;
705 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
706 cpu->mem_io_pc = retaddr;
707 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
708 cpu_io_recompile(cpu, retaddr);
709 }
710
711 cpu->mem_io_vaddr = addr;
712 cpu->mem_io_access_type = access_type;
713
714 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
715 qemu_mutex_lock_iothread();
716 locked = true;
717 }
718 r = memory_region_dispatch_read(mr, mr_offset,
719 &val, size, iotlbentry->attrs);
720 if (r != MEMTX_OK) {
721 hwaddr physaddr = mr_offset +
722 section->offset_within_address_space -
723 section->offset_within_region;
724
725 cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
726 mmu_idx, iotlbentry->attrs, r, retaddr);
727 }
728 if (locked) {
729 qemu_mutex_unlock_iothread();
730 }
731
732 return val;
733 }
734
735 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
736 int mmu_idx,
737 uint64_t val, target_ulong addr,
738 uintptr_t retaddr, bool recheck, int size)
739 {
740 CPUState *cpu = ENV_GET_CPU(env);
741 hwaddr mr_offset;
742 MemoryRegionSection *section;
743 MemoryRegion *mr;
744 bool locked = false;
745 MemTxResult r;
746
747 if (recheck) {
748 /*
749 * This is a TLB_RECHECK access, where the MMU protection
750 * covers a smaller range than a target page, and we must
751 * repeat the MMU check here. This tlb_fill() call might
752 * longjump out if this access should cause a guest exception.
753 */
754 CPUTLBEntry *entry;
755 target_ulong tlb_addr;
756
757 tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
758
759 entry = tlb_entry(env, mmu_idx, addr);
760 tlb_addr = tlb_addr_write(entry);
761 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
762 /* RAM access */
763 uintptr_t haddr = addr + entry->addend;
764
765 stn_p((void *)haddr, size, val);
766 return;
767 }
768 /* Fall through for handling IO accesses */
769 }
770
771 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
772 mr = section->mr;
773 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
774 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
775 cpu_io_recompile(cpu, retaddr);
776 }
777 cpu->mem_io_vaddr = addr;
778 cpu->mem_io_pc = retaddr;
779
780 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
781 qemu_mutex_lock_iothread();
782 locked = true;
783 }
784 r = memory_region_dispatch_write(mr, mr_offset,
785 val, size, iotlbentry->attrs);
786 if (r != MEMTX_OK) {
787 hwaddr physaddr = mr_offset +
788 section->offset_within_address_space -
789 section->offset_within_region;
790
791 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
792 mmu_idx, iotlbentry->attrs, r, retaddr);
793 }
794 if (locked) {
795 qemu_mutex_unlock_iothread();
796 }
797 }
798
799 /* Return true if ADDR is present in the victim tlb, and has been copied
800 back to the main tlb. */
801 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
802 size_t elt_ofs, target_ulong page)
803 {
804 size_t vidx;
805
806 assert_cpu_is_self(ENV_GET_CPU(env));
807 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
808 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
809 target_ulong cmp;
810
811 /* elt_ofs might correspond to .addr_write, so use atomic_read */
812 #if TCG_OVERSIZED_GUEST
813 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
814 #else
815 cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
816 #endif
817
818 if (cmp == page) {
819 /* Found entry in victim tlb, swap tlb and iotlb. */
820 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];
821
822 qemu_spin_lock(&env->tlb_c.lock);
823 copy_tlb_helper_locked(&tmptlb, tlb);
824 copy_tlb_helper_locked(tlb, vtlb);
825 copy_tlb_helper_locked(vtlb, &tmptlb);
826 qemu_spin_unlock(&env->tlb_c.lock);
827
828 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
829 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
830 tmpio = *io; *io = *vio; *vio = tmpio;
831 return true;
832 }
833 }
834 return false;
835 }
836
837 /* Macro to call the above, with local variables from the use context. */
838 #define VICTIM_TLB_HIT(TY, ADDR) \
839 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
840 (ADDR) & TARGET_PAGE_MASK)
841
842 /* NOTE: this function can trigger an exception */
843 /* NOTE2: the returned address is not exactly the physical address: it
844 * is actually a ram_addr_t (in system mode; the user mode emulation
845 * version of this function returns a guest virtual address).
846 */
847 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
848 {
849 uintptr_t mmu_idx = cpu_mmu_index(env, true);
850 uintptr_t index = tlb_index(env, mmu_idx, addr);
851 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
852 void *p;
853
854 if (unlikely(!tlb_hit(entry->addr_code, addr))) {
855 if (!VICTIM_TLB_HIT(addr_code, addr)) {
856 tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
857 }
858 assert(tlb_hit(entry->addr_code, addr));
859 }
860
861 if (unlikely(entry->addr_code & (TLB_RECHECK | TLB_MMIO))) {
862 /*
863 * Return -1 if we can't translate and execute from an entire
864 * page of RAM here, which will cause us to execute by loading
865 * and translating one insn at a time, without caching:
866 * - TLB_RECHECK: means the MMU protection covers a smaller range
867 * than a target page, so we must redo the MMU check every insn
868 * - TLB_MMIO: region is not backed by RAM
869 */
870 return -1;
871 }
872
873 p = (void *)((uintptr_t)addr + entry->addend);
874 return qemu_ram_addr_from_host_nofail(p);
875 }
876
877 /* Probe for whether the specified guest write access is permitted.
878 * If it is not permitted then an exception will be taken in the same
879 * way as if this were a real write access (and we will not return).
880 * Otherwise the function will return, and there will be a valid
881 * entry in the TLB for this access.
882 */
883 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
884 uintptr_t retaddr)
885 {
886 uintptr_t index = tlb_index(env, mmu_idx, addr);
887 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
888
889 if (!tlb_hit(tlb_addr_write(entry), addr)) {
890 /* TLB entry is for a different page */
891 if (!VICTIM_TLB_HIT(addr_write, addr)) {
892 tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
893 mmu_idx, retaddr);
894 }
895 }
896 }
897
898 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
899 * operations, or io operations to proceed. Return the host address. */
900 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
901 TCGMemOpIdx oi, uintptr_t retaddr,
902 NotDirtyInfo *ndi)
903 {
904 size_t mmu_idx = get_mmuidx(oi);
905 uintptr_t index = tlb_index(env, mmu_idx, addr);
906 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
907 target_ulong tlb_addr = tlb_addr_write(tlbe);
908 TCGMemOp mop = get_memop(oi);
909 int a_bits = get_alignment_bits(mop);
910 int s_bits = mop & MO_SIZE;
911 void *hostaddr;
912
913 /* Adjust the given return address. */
914 retaddr -= GETPC_ADJ;
915
916 /* Enforce guest required alignment. */
917 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
918 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
919 cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
920 mmu_idx, retaddr);
921 }
922
923 /* Enforce qemu required alignment. */
924 if (unlikely(addr & ((1 << s_bits) - 1))) {
925 /* We get here if guest alignment was not requested,
926 or was not enforced by cpu_unaligned_access above.
927 We might widen the access and emulate, but for now
928 mark an exception and exit the cpu loop. */
929 goto stop_the_world;
930 }
931
932 /* Check TLB entry and enforce page permissions. */
933 if (!tlb_hit(tlb_addr, addr)) {
934 if (!VICTIM_TLB_HIT(addr_write, addr)) {
935 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
936 mmu_idx, retaddr);
937 }
938 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
939 }
940
941 /* Notice an IO access or a needs-MMU-lookup access */
942 if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
943 /* There's really nothing that can be done to
944 support this apart from stop-the-world. */
945 goto stop_the_world;
946 }
947
948 /* Let the guest notice RMW on a write-only page. */
949 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
950 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
951 mmu_idx, retaddr);
952 /* Since we don't support reads and writes to different addresses,
953 and we do have the proper page loaded for write, this shouldn't
954 ever return. But just in case, handle via stop-the-world. */
955 goto stop_the_world;
956 }
957
958 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
959
960 ndi->active = false;
961 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
962 ndi->active = true;
963 memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
964 qemu_ram_addr_from_host_nofail(hostaddr),
965 1 << s_bits);
966 }
967
968 return hostaddr;
969
970 stop_the_world:
971 cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
972 }
973
974 #ifdef TARGET_WORDS_BIGENDIAN
975 # define TGT_BE(X) (X)
976 # define TGT_LE(X) BSWAP(X)
977 #else
978 # define TGT_BE(X) BSWAP(X)
979 # define TGT_LE(X) (X)
980 #endif
981
982 #define MMUSUFFIX _mmu
983
984 #define DATA_SIZE 1
985 #include "softmmu_template.h"
986
987 #define DATA_SIZE 2
988 #include "softmmu_template.h"
989
990 #define DATA_SIZE 4
991 #include "softmmu_template.h"
992
993 #define DATA_SIZE 8
994 #include "softmmu_template.h"
995
996 /* First set of helpers allows passing in of OI and RETADDR. This makes
997 them callable from other helpers. */
998
999 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1000 #define ATOMIC_NAME(X) \
1001 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1002 #define ATOMIC_MMU_DECLS NotDirtyInfo ndi
1003 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
1004 #define ATOMIC_MMU_CLEANUP \
1005 do { \
1006 if (unlikely(ndi.active)) { \
1007 memory_notdirty_write_complete(&ndi); \
1008 } \
1009 } while (0)
1010
1011 #define DATA_SIZE 1
1012 #include "atomic_template.h"
1013
1014 #define DATA_SIZE 2
1015 #include "atomic_template.h"
1016
1017 #define DATA_SIZE 4
1018 #include "atomic_template.h"
1019
1020 #ifdef CONFIG_ATOMIC64
1021 #define DATA_SIZE 8
1022 #include "atomic_template.h"
1023 #endif
1024
1025 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
1026 #define DATA_SIZE 16
1027 #include "atomic_template.h"
1028 #endif
1029
1030 /* Second set of helpers are directly callable from TCG as helpers. */
1031
1032 #undef EXTRA_ARGS
1033 #undef ATOMIC_NAME
1034 #undef ATOMIC_MMU_LOOKUP
1035 #define EXTRA_ARGS , TCGMemOpIdx oi
1036 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1037 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)
1038
1039 #define DATA_SIZE 1
1040 #include "atomic_template.h"
1041
1042 #define DATA_SIZE 2
1043 #include "atomic_template.h"
1044
1045 #define DATA_SIZE 4
1046 #include "atomic_template.h"
1047
1048 #ifdef CONFIG_ATOMIC64
1049 #define DATA_SIZE 8
1050 #include "atomic_template.h"
1051 #endif
1052
1053 /* Code access functions. */
1054
1055 #undef MMUSUFFIX
1056 #define MMUSUFFIX _cmmu
1057 #undef GETPC
1058 #define GETPC() ((uintptr_t)0)
1059 #define SOFTMMU_CODE_ACCESS
1060
1061 #define DATA_SIZE 1
1062 #include "softmmu_template.h"
1063
1064 #define DATA_SIZE 2
1065 #include "softmmu_template.h"
1066
1067 #define DATA_SIZE 4
1068 #include "softmmu_template.h"
1069
1070 #define DATA_SIZE 8
1071 #include "softmmu_template.h"
Random patches