1 /* 2 * Common CPU TLB handling 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2.1 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 20 #include "qemu/osdep.h" 21 #include "qemu/main-loop.h" 22 #include "cpu.h" 23 #include "hw/core/tcg-cpu-ops.h" 24 #include "exec/exec-all.h" 25 #include "exec/memory.h" 26 #include "exec/address-spaces.h" 27 #include "exec/cpu_ldst.h" 28 #include "exec/cputlb.h" 29 #include "exec/tb-hash.h" 30 #include "exec/memory-internal.h" 31 #include "exec/ram_addr.h" 32 #include "tcg/tcg.h" 33 #include "qemu/error-report.h" 34 #include "exec/log.h" 35 #include "exec/helper-proto.h" 36 #include "qemu/atomic.h" 37 #include "qemu/atomic128.h" 38 #include "exec/translate-all.h" 39 #include "trace/trace-root.h" 40 #include "trace/mem.h" 41 #include "internal.h" 42 #ifdef CONFIG_PLUGIN 43 #include "qemu/plugin-memory.h" 44 #endif 45 46 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */ 47 /* #define DEBUG_TLB */ 48 /* #define DEBUG_TLB_LOG */ 49 50 #ifdef DEBUG_TLB 51 # define DEBUG_TLB_GATE 1 52 # ifdef DEBUG_TLB_LOG 53 # define DEBUG_TLB_LOG_GATE 1 54 # else 55 # define DEBUG_TLB_LOG_GATE 0 56 # endif 57 #else 58 # define DEBUG_TLB_GATE 0 59 # define DEBUG_TLB_LOG_GATE 0 60 #endif 61 62 #define tlb_debug(fmt, ...) do { \ 63 if (DEBUG_TLB_LOG_GATE) { \ 64 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \ 65 ## __VA_ARGS__); \ 66 } else if (DEBUG_TLB_GATE) { \ 67 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \ 68 } \ 69 } while (0) 70 71 #define assert_cpu_is_self(cpu) do { \ 72 if (DEBUG_TLB_GATE) { \ 73 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \ 74 } \ 75 } while (0) 76 77 /* run_on_cpu_data.target_ptr should always be big enough for a 78 * target_ulong even on 32 bit builds */ 79 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data)); 80 81 /* We currently can't handle more than 16 bits in the MMUIDX bitmask. 82 */ 83 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16); 84 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1) 85 86 static inline size_t tlb_n_entries(CPUTLBDescFast *fast) 87 { 88 return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1; 89 } 90 91 static inline size_t sizeof_tlb(CPUTLBDescFast *fast) 92 { 93 return fast->mask + (1 << CPU_TLB_ENTRY_BITS); 94 } 95 96 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns, 97 size_t max_entries) 98 { 99 desc->window_begin_ns = ns; 100 desc->window_max_entries = max_entries; 101 } 102 103 static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr) 104 { 105 unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr); 106 107 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) { 108 qatomic_set(&cpu->tb_jmp_cache[i0 + i], NULL); 109 } 110 } 111 112 static void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr) 113 { 114 /* Discard jump cache entries for any tb which might potentially 115 overlap the flushed page. */ 116 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE); 117 tb_jmp_cache_clear_page(cpu, addr); 118 } 119 120 /** 121 * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary 122 * @desc: The CPUTLBDesc portion of the TLB 123 * @fast: The CPUTLBDescFast portion of the same TLB 124 * 125 * Called with tlb_lock_held. 126 * 127 * We have two main constraints when resizing a TLB: (1) we only resize it 128 * on a TLB flush (otherwise we'd have to take a perf hit by either rehashing 129 * the array or unnecessarily flushing it), which means we do not control how 130 * frequently the resizing can occur; (2) we don't have access to the guest's 131 * future scheduling decisions, and therefore have to decide the magnitude of 132 * the resize based on past observations. 133 * 134 * In general, a memory-hungry process can benefit greatly from an appropriately 135 * sized TLB, since a guest TLB miss is very expensive. This doesn't mean that 136 * we just have to make the TLB as large as possible; while an oversized TLB 137 * results in minimal TLB miss rates, it also takes longer to be flushed 138 * (flushes can be _very_ frequent), and the reduced locality can also hurt 139 * performance. 140 * 141 * To achieve near-optimal performance for all kinds of workloads, we: 142 * 143 * 1. Aggressively increase the size of the TLB when the use rate of the 144 * TLB being flushed is high, since it is likely that in the near future this 145 * memory-hungry process will execute again, and its memory hungriness will 146 * probably be similar. 147 * 148 * 2. Slowly reduce the size of the TLB as the use rate declines over a 149 * reasonably large time window. The rationale is that if in such a time window 150 * we have not observed a high TLB use rate, it is likely that we won't observe 151 * it in the near future. In that case, once a time window expires we downsize 152 * the TLB to match the maximum use rate observed in the window. 153 * 154 * 3. Try to keep the maximum use rate in a time window in the 30-70% range, 155 * since in that range performance is likely near-optimal. Recall that the TLB 156 * is direct mapped, so we want the use rate to be low (or at least not too 157 * high), since otherwise we are likely to have a significant amount of 158 * conflict misses. 159 */ 160 static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast, 161 int64_t now) 162 { 163 size_t old_size = tlb_n_entries(fast); 164 size_t rate; 165 size_t new_size = old_size; 166 int64_t window_len_ms = 100; 167 int64_t window_len_ns = window_len_ms * 1000 * 1000; 168 bool window_expired = now > desc->window_begin_ns + window_len_ns; 169 170 if (desc->n_used_entries > desc->window_max_entries) { 171 desc->window_max_entries = desc->n_used_entries; 172 } 173 rate = desc->window_max_entries * 100 / old_size; 174 175 if (rate > 70) { 176 new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS); 177 } else if (rate < 30 && window_expired) { 178 size_t ceil = pow2ceil(desc->window_max_entries); 179 size_t expected_rate = desc->window_max_entries * 100 / ceil; 180 181 /* 182 * Avoid undersizing when the max number of entries seen is just below 183 * a pow2. For instance, if max_entries == 1025, the expected use rate 184 * would be 1025/2048==50%. However, if max_entries == 1023, we'd get 185 * 1023/1024==99.9% use rate, so we'd likely end up doubling the size 186 * later. Thus, make sure that the expected use rate remains below 70%. 187 * (and since we double the size, that means the lowest rate we'd 188 * expect to get is 35%, which is still in the 30-70% range where 189 * we consider that the size is appropriate.) 190 */ 191 if (expected_rate > 70) { 192 ceil *= 2; 193 } 194 new_size = MAX(ceil, 1 << CPU_TLB_DYN_MIN_BITS); 195 } 196 197 if (new_size == old_size) { 198 if (window_expired) { 199 tlb_window_reset(desc, now, desc->n_used_entries); 200 } 201 return; 202 } 203 204 g_free(fast->table); 205 g_free(desc->iotlb); 206 207 tlb_window_reset(desc, now, 0); 208 /* desc->n_used_entries is cleared by the caller */ 209 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS; 210 fast->table = g_try_new(CPUTLBEntry, new_size); 211 desc->iotlb = g_try_new(CPUIOTLBEntry, new_size); 212 213 /* 214 * If the allocations fail, try smaller sizes. We just freed some 215 * memory, so going back to half of new_size has a good chance of working. 216 * Increased memory pressure elsewhere in the system might cause the 217 * allocations to fail though, so we progressively reduce the allocation 218 * size, aborting if we cannot even allocate the smallest TLB we support. 219 */ 220 while (fast->table == NULL || desc->iotlb == NULL) { 221 if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) { 222 error_report("%s: %s", __func__, strerror(errno)); 223 abort(); 224 } 225 new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS); 226 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS; 227 228 g_free(fast->table); 229 g_free(desc->iotlb); 230 fast->table = g_try_new(CPUTLBEntry, new_size); 231 desc->iotlb = g_try_new(CPUIOTLBEntry, new_size); 232 } 233 } 234 235 static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast) 236 { 237 desc->n_used_entries = 0; 238 desc->large_page_addr = -1; 239 desc->large_page_mask = -1; 240 desc->vindex = 0; 241 memset(fast->table, -1, sizeof_tlb(fast)); 242 memset(desc->vtable, -1, sizeof(desc->vtable)); 243 } 244 245 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx, 246 int64_t now) 247 { 248 CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx]; 249 CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx]; 250 251 tlb_mmu_resize_locked(desc, fast, now); 252 tlb_mmu_flush_locked(desc, fast); 253 } 254 255 static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now) 256 { 257 size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS; 258 259 tlb_window_reset(desc, now, 0); 260 desc->n_used_entries = 0; 261 fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS; 262 fast->table = g_new(CPUTLBEntry, n_entries); 263 desc->iotlb = g_new(CPUIOTLBEntry, n_entries); 264 tlb_mmu_flush_locked(desc, fast); 265 } 266 267 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx) 268 { 269 env_tlb(env)->d[mmu_idx].n_used_entries++; 270 } 271 272 static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx) 273 { 274 env_tlb(env)->d[mmu_idx].n_used_entries--; 275 } 276 277 void tlb_init(CPUState *cpu) 278 { 279 CPUArchState *env = cpu->env_ptr; 280 int64_t now = get_clock_realtime(); 281 int i; 282 283 qemu_spin_init(&env_tlb(env)->c.lock); 284 285 /* All tlbs are initialized flushed. */ 286 env_tlb(env)->c.dirty = 0; 287 288 for (i = 0; i < NB_MMU_MODES; i++) { 289 tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now); 290 } 291 } 292 293 void tlb_destroy(CPUState *cpu) 294 { 295 CPUArchState *env = cpu->env_ptr; 296 int i; 297 298 qemu_spin_destroy(&env_tlb(env)->c.lock); 299 for (i = 0; i < NB_MMU_MODES; i++) { 300 CPUTLBDesc *desc = &env_tlb(env)->d[i]; 301 CPUTLBDescFast *fast = &env_tlb(env)->f[i]; 302 303 g_free(fast->table); 304 g_free(desc->iotlb); 305 } 306 } 307 308 /* flush_all_helper: run fn across all cpus 309 * 310 * If the wait flag is set then the src cpu's helper will be queued as 311 * "safe" work and the loop exited creating a synchronisation point 312 * where all queued work will be finished before execution starts 313 * again. 314 */ 315 static void flush_all_helper(CPUState *src, run_on_cpu_func fn, 316 run_on_cpu_data d) 317 { 318 CPUState *cpu; 319 320 CPU_FOREACH(cpu) { 321 if (cpu != src) { 322 async_run_on_cpu(cpu, fn, d); 323 } 324 } 325 } 326 327 void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide) 328 { 329 CPUState *cpu; 330 size_t full = 0, part = 0, elide = 0; 331 332 CPU_FOREACH(cpu) { 333 CPUArchState *env = cpu->env_ptr; 334 335 full += qatomic_read(&env_tlb(env)->c.full_flush_count); 336 part += qatomic_read(&env_tlb(env)->c.part_flush_count); 337 elide += qatomic_read(&env_tlb(env)->c.elide_flush_count); 338 } 339 *pfull = full; 340 *ppart = part; 341 *pelide = elide; 342 } 343 344 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data) 345 { 346 CPUArchState *env = cpu->env_ptr; 347 uint16_t asked = data.host_int; 348 uint16_t all_dirty, work, to_clean; 349 int64_t now = get_clock_realtime(); 350 351 assert_cpu_is_self(cpu); 352 353 tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked); 354 355 qemu_spin_lock(&env_tlb(env)->c.lock); 356 357 all_dirty = env_tlb(env)->c.dirty; 358 to_clean = asked & all_dirty; 359 all_dirty &= ~to_clean; 360 env_tlb(env)->c.dirty = all_dirty; 361 362 for (work = to_clean; work != 0; work &= work - 1) { 363 int mmu_idx = ctz32(work); 364 tlb_flush_one_mmuidx_locked(env, mmu_idx, now); 365 } 366 367 qemu_spin_unlock(&env_tlb(env)->c.lock); 368 369 cpu_tb_jmp_cache_clear(cpu); 370 371 if (to_clean == ALL_MMUIDX_BITS) { 372 qatomic_set(&env_tlb(env)->c.full_flush_count, 373 env_tlb(env)->c.full_flush_count + 1); 374 } else { 375 qatomic_set(&env_tlb(env)->c.part_flush_count, 376 env_tlb(env)->c.part_flush_count + ctpop16(to_clean)); 377 if (to_clean != asked) { 378 qatomic_set(&env_tlb(env)->c.elide_flush_count, 379 env_tlb(env)->c.elide_flush_count + 380 ctpop16(asked & ~to_clean)); 381 } 382 } 383 } 384 385 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap) 386 { 387 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap); 388 389 if (cpu->created && !qemu_cpu_is_self(cpu)) { 390 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work, 391 RUN_ON_CPU_HOST_INT(idxmap)); 392 } else { 393 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap)); 394 } 395 } 396 397 void tlb_flush(CPUState *cpu) 398 { 399 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS); 400 } 401 402 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap) 403 { 404 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 405 406 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 407 408 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 409 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap)); 410 } 411 412 void tlb_flush_all_cpus(CPUState *src_cpu) 413 { 414 tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS); 415 } 416 417 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap) 418 { 419 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 420 421 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 422 423 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 424 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 425 } 426 427 void tlb_flush_all_cpus_synced(CPUState *src_cpu) 428 { 429 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS); 430 } 431 432 static bool tlb_hit_page_mask_anyprot(CPUTLBEntry *tlb_entry, 433 target_ulong page, target_ulong mask) 434 { 435 page &= mask; 436 mask &= TARGET_PAGE_MASK | TLB_INVALID_MASK; 437 438 return (page == (tlb_entry->addr_read & mask) || 439 page == (tlb_addr_write(tlb_entry) & mask) || 440 page == (tlb_entry->addr_code & mask)); 441 } 442 443 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry, 444 target_ulong page) 445 { 446 return tlb_hit_page_mask_anyprot(tlb_entry, page, -1); 447 } 448 449 /** 450 * tlb_entry_is_empty - return true if the entry is not in use 451 * @te: pointer to CPUTLBEntry 452 */ 453 static inline bool tlb_entry_is_empty(const CPUTLBEntry *te) 454 { 455 return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1; 456 } 457 458 /* Called with tlb_c.lock held */ 459 static bool tlb_flush_entry_mask_locked(CPUTLBEntry *tlb_entry, 460 target_ulong page, 461 target_ulong mask) 462 { 463 if (tlb_hit_page_mask_anyprot(tlb_entry, page, mask)) { 464 memset(tlb_entry, -1, sizeof(*tlb_entry)); 465 return true; 466 } 467 return false; 468 } 469 470 static inline bool tlb_flush_entry_locked(CPUTLBEntry *tlb_entry, 471 target_ulong page) 472 { 473 return tlb_flush_entry_mask_locked(tlb_entry, page, -1); 474 } 475 476 /* Called with tlb_c.lock held */ 477 static void tlb_flush_vtlb_page_mask_locked(CPUArchState *env, int mmu_idx, 478 target_ulong page, 479 target_ulong mask) 480 { 481 CPUTLBDesc *d = &env_tlb(env)->d[mmu_idx]; 482 int k; 483 484 assert_cpu_is_self(env_cpu(env)); 485 for (k = 0; k < CPU_VTLB_SIZE; k++) { 486 if (tlb_flush_entry_mask_locked(&d->vtable[k], page, mask)) { 487 tlb_n_used_entries_dec(env, mmu_idx); 488 } 489 } 490 } 491 492 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx, 493 target_ulong page) 494 { 495 tlb_flush_vtlb_page_mask_locked(env, mmu_idx, page, -1); 496 } 497 498 static void tlb_flush_page_locked(CPUArchState *env, int midx, 499 target_ulong page) 500 { 501 target_ulong lp_addr = env_tlb(env)->d[midx].large_page_addr; 502 target_ulong lp_mask = env_tlb(env)->d[midx].large_page_mask; 503 504 /* Check if we need to flush due to large pages. */ 505 if ((page & lp_mask) == lp_addr) { 506 tlb_debug("forcing full flush midx %d (" 507 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 508 midx, lp_addr, lp_mask); 509 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime()); 510 } else { 511 if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) { 512 tlb_n_used_entries_dec(env, midx); 513 } 514 tlb_flush_vtlb_page_locked(env, midx, page); 515 } 516 } 517 518 /** 519 * tlb_flush_page_by_mmuidx_async_0: 520 * @cpu: cpu on which to flush 521 * @addr: page of virtual address to flush 522 * @idxmap: set of mmu_idx to flush 523 * 524 * Helper for tlb_flush_page_by_mmuidx and friends, flush one page 525 * at @addr from the tlbs indicated by @idxmap from @cpu. 526 */ 527 static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu, 528 target_ulong addr, 529 uint16_t idxmap) 530 { 531 CPUArchState *env = cpu->env_ptr; 532 int mmu_idx; 533 534 assert_cpu_is_self(cpu); 535 536 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap); 537 538 qemu_spin_lock(&env_tlb(env)->c.lock); 539 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 540 if ((idxmap >> mmu_idx) & 1) { 541 tlb_flush_page_locked(env, mmu_idx, addr); 542 } 543 } 544 qemu_spin_unlock(&env_tlb(env)->c.lock); 545 546 tb_flush_jmp_cache(cpu, addr); 547 } 548 549 /** 550 * tlb_flush_page_by_mmuidx_async_1: 551 * @cpu: cpu on which to flush 552 * @data: encoded addr + idxmap 553 * 554 * Helper for tlb_flush_page_by_mmuidx and friends, called through 555 * async_run_on_cpu. The idxmap parameter is encoded in the page 556 * offset of the target_ptr field. This limits the set of mmu_idx 557 * that can be passed via this method. 558 */ 559 static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu, 560 run_on_cpu_data data) 561 { 562 target_ulong addr_and_idxmap = (target_ulong) data.target_ptr; 563 target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK; 564 uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK; 565 566 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap); 567 } 568 569 typedef struct { 570 target_ulong addr; 571 uint16_t idxmap; 572 } TLBFlushPageByMMUIdxData; 573 574 /** 575 * tlb_flush_page_by_mmuidx_async_2: 576 * @cpu: cpu on which to flush 577 * @data: allocated addr + idxmap 578 * 579 * Helper for tlb_flush_page_by_mmuidx and friends, called through 580 * async_run_on_cpu. The addr+idxmap parameters are stored in a 581 * TLBFlushPageByMMUIdxData structure that has been allocated 582 * specifically for this helper. Free the structure when done. 583 */ 584 static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu, 585 run_on_cpu_data data) 586 { 587 TLBFlushPageByMMUIdxData *d = data.host_ptr; 588 589 tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap); 590 g_free(d); 591 } 592 593 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap) 594 { 595 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap); 596 597 /* This should already be page aligned */ 598 addr &= TARGET_PAGE_MASK; 599 600 if (qemu_cpu_is_self(cpu)) { 601 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap); 602 } else if (idxmap < TARGET_PAGE_SIZE) { 603 /* 604 * Most targets have only a few mmu_idx. In the case where 605 * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid 606 * allocating memory for this operation. 607 */ 608 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1, 609 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 610 } else { 611 TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1); 612 613 /* Otherwise allocate a structure, freed by the worker. */ 614 d->addr = addr; 615 d->idxmap = idxmap; 616 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2, 617 RUN_ON_CPU_HOST_PTR(d)); 618 } 619 } 620 621 void tlb_flush_page(CPUState *cpu, target_ulong addr) 622 { 623 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS); 624 } 625 626 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr, 627 uint16_t idxmap) 628 { 629 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 630 631 /* This should already be page aligned */ 632 addr &= TARGET_PAGE_MASK; 633 634 /* 635 * Allocate memory to hold addr+idxmap only when needed. 636 * See tlb_flush_page_by_mmuidx for details. 637 */ 638 if (idxmap < TARGET_PAGE_SIZE) { 639 flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1, 640 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 641 } else { 642 CPUState *dst_cpu; 643 644 /* Allocate a separate data block for each destination cpu. */ 645 CPU_FOREACH(dst_cpu) { 646 if (dst_cpu != src_cpu) { 647 TLBFlushPageByMMUIdxData *d 648 = g_new(TLBFlushPageByMMUIdxData, 1); 649 650 d->addr = addr; 651 d->idxmap = idxmap; 652 async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2, 653 RUN_ON_CPU_HOST_PTR(d)); 654 } 655 } 656 } 657 658 tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap); 659 } 660 661 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr) 662 { 663 tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS); 664 } 665 666 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 667 target_ulong addr, 668 uint16_t idxmap) 669 { 670 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap); 671 672 /* This should already be page aligned */ 673 addr &= TARGET_PAGE_MASK; 674 675 /* 676 * Allocate memory to hold addr+idxmap only when needed. 677 * See tlb_flush_page_by_mmuidx for details. 678 */ 679 if (idxmap < TARGET_PAGE_SIZE) { 680 flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1, 681 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 682 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1, 683 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 684 } else { 685 CPUState *dst_cpu; 686 TLBFlushPageByMMUIdxData *d; 687 688 /* Allocate a separate data block for each destination cpu. */ 689 CPU_FOREACH(dst_cpu) { 690 if (dst_cpu != src_cpu) { 691 d = g_new(TLBFlushPageByMMUIdxData, 1); 692 d->addr = addr; 693 d->idxmap = idxmap; 694 async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2, 695 RUN_ON_CPU_HOST_PTR(d)); 696 } 697 } 698 699 d = g_new(TLBFlushPageByMMUIdxData, 1); 700 d->addr = addr; 701 d->idxmap = idxmap; 702 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2, 703 RUN_ON_CPU_HOST_PTR(d)); 704 } 705 } 706 707 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr) 708 { 709 tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS); 710 } 711 712 static void tlb_flush_page_bits_locked(CPUArchState *env, int midx, 713 target_ulong page, unsigned bits) 714 { 715 CPUTLBDesc *d = &env_tlb(env)->d[midx]; 716 CPUTLBDescFast *f = &env_tlb(env)->f[midx]; 717 target_ulong mask = MAKE_64BIT_MASK(0, bits); 718 719 /* 720 * If @bits is smaller than the tlb size, there may be multiple entries 721 * within the TLB; otherwise all addresses that match under @mask hit 722 * the same TLB entry. 723 * 724 * TODO: Perhaps allow bits to be a few bits less than the size. 725 * For now, just flush the entire TLB. 726 */ 727 if (mask < f->mask) { 728 tlb_debug("forcing full flush midx %d (" 729 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 730 midx, page, mask); 731 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime()); 732 return; 733 } 734 735 /* Check if we need to flush due to large pages. */ 736 if ((page & d->large_page_mask) == d->large_page_addr) { 737 tlb_debug("forcing full flush midx %d (" 738 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n", 739 midx, d->large_page_addr, d->large_page_mask); 740 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime()); 741 return; 742 } 743 744 if (tlb_flush_entry_mask_locked(tlb_entry(env, midx, page), page, mask)) { 745 tlb_n_used_entries_dec(env, midx); 746 } 747 tlb_flush_vtlb_page_mask_locked(env, midx, page, mask); 748 } 749 750 typedef struct { 751 target_ulong addr; 752 uint16_t idxmap; 753 uint16_t bits; 754 } TLBFlushPageBitsByMMUIdxData; 755 756 static void 757 tlb_flush_page_bits_by_mmuidx_async_0(CPUState *cpu, 758 TLBFlushPageBitsByMMUIdxData d) 759 { 760 CPUArchState *env = cpu->env_ptr; 761 int mmu_idx; 762 763 assert_cpu_is_self(cpu); 764 765 tlb_debug("page addr:" TARGET_FMT_lx "/%u mmu_map:0x%x\n", 766 d.addr, d.bits, d.idxmap); 767 768 qemu_spin_lock(&env_tlb(env)->c.lock); 769 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 770 if ((d.idxmap >> mmu_idx) & 1) { 771 tlb_flush_page_bits_locked(env, mmu_idx, d.addr, d.bits); 772 } 773 } 774 qemu_spin_unlock(&env_tlb(env)->c.lock); 775 776 tb_flush_jmp_cache(cpu, d.addr); 777 } 778 779 static bool encode_pbm_to_runon(run_on_cpu_data *out, 780 TLBFlushPageBitsByMMUIdxData d) 781 { 782 /* We need 6 bits to hold to hold @bits up to 63. */ 783 if (d.idxmap <= MAKE_64BIT_MASK(0, TARGET_PAGE_BITS - 6)) { 784 *out = RUN_ON_CPU_TARGET_PTR(d.addr | (d.idxmap << 6) | d.bits); 785 return true; 786 } 787 return false; 788 } 789 790 static TLBFlushPageBitsByMMUIdxData 791 decode_runon_to_pbm(run_on_cpu_data data) 792 { 793 target_ulong addr_map_bits = (target_ulong) data.target_ptr; 794 return (TLBFlushPageBitsByMMUIdxData){ 795 .addr = addr_map_bits & TARGET_PAGE_MASK, 796 .idxmap = (addr_map_bits & ~TARGET_PAGE_MASK) >> 6, 797 .bits = addr_map_bits & 0x3f 798 }; 799 } 800 801 static void tlb_flush_page_bits_by_mmuidx_async_1(CPUState *cpu, 802 run_on_cpu_data runon) 803 { 804 tlb_flush_page_bits_by_mmuidx_async_0(cpu, decode_runon_to_pbm(runon)); 805 } 806 807 static void tlb_flush_page_bits_by_mmuidx_async_2(CPUState *cpu, 808 run_on_cpu_data data) 809 { 810 TLBFlushPageBitsByMMUIdxData *d = data.host_ptr; 811 tlb_flush_page_bits_by_mmuidx_async_0(cpu, *d); 812 g_free(d); 813 } 814 815 void tlb_flush_page_bits_by_mmuidx(CPUState *cpu, target_ulong addr, 816 uint16_t idxmap, unsigned bits) 817 { 818 TLBFlushPageBitsByMMUIdxData d; 819 run_on_cpu_data runon; 820 821 /* If all bits are significant, this devolves to tlb_flush_page. */ 822 if (bits >= TARGET_LONG_BITS) { 823 tlb_flush_page_by_mmuidx(cpu, addr, idxmap); 824 return; 825 } 826 /* If no page bits are significant, this devolves to tlb_flush. */ 827 if (bits < TARGET_PAGE_BITS) { 828 tlb_flush_by_mmuidx(cpu, idxmap); 829 return; 830 } 831 832 /* This should already be page aligned */ 833 d.addr = addr & TARGET_PAGE_MASK; 834 d.idxmap = idxmap; 835 d.bits = bits; 836 837 if (qemu_cpu_is_self(cpu)) { 838 tlb_flush_page_bits_by_mmuidx_async_0(cpu, d); 839 } else if (encode_pbm_to_runon(&runon, d)) { 840 async_run_on_cpu(cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon); 841 } else { 842 TLBFlushPageBitsByMMUIdxData *p 843 = g_new(TLBFlushPageBitsByMMUIdxData, 1); 844 845 /* Otherwise allocate a structure, freed by the worker. */ 846 *p = d; 847 async_run_on_cpu(cpu, tlb_flush_page_bits_by_mmuidx_async_2, 848 RUN_ON_CPU_HOST_PTR(p)); 849 } 850 } 851 852 void tlb_flush_page_bits_by_mmuidx_all_cpus(CPUState *src_cpu, 853 target_ulong addr, 854 uint16_t idxmap, 855 unsigned bits) 856 { 857 TLBFlushPageBitsByMMUIdxData d; 858 run_on_cpu_data runon; 859 860 /* If all bits are significant, this devolves to tlb_flush_page. */ 861 if (bits >= TARGET_LONG_BITS) { 862 tlb_flush_page_by_mmuidx_all_cpus(src_cpu, addr, idxmap); 863 return; 864 } 865 /* If no page bits are significant, this devolves to tlb_flush. */ 866 if (bits < TARGET_PAGE_BITS) { 867 tlb_flush_by_mmuidx_all_cpus(src_cpu, idxmap); 868 return; 869 } 870 871 /* This should already be page aligned */ 872 d.addr = addr & TARGET_PAGE_MASK; 873 d.idxmap = idxmap; 874 d.bits = bits; 875 876 if (encode_pbm_to_runon(&runon, d)) { 877 flush_all_helper(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon); 878 } else { 879 CPUState *dst_cpu; 880 TLBFlushPageBitsByMMUIdxData *p; 881 882 /* Allocate a separate data block for each destination cpu. */ 883 CPU_FOREACH(dst_cpu) { 884 if (dst_cpu != src_cpu) { 885 p = g_new(TLBFlushPageBitsByMMUIdxData, 1); 886 *p = d; 887 async_run_on_cpu(dst_cpu, 888 tlb_flush_page_bits_by_mmuidx_async_2, 889 RUN_ON_CPU_HOST_PTR(p)); 890 } 891 } 892 } 893 894 tlb_flush_page_bits_by_mmuidx_async_0(src_cpu, d); 895 } 896 897 void tlb_flush_page_bits_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 898 target_ulong addr, 899 uint16_t idxmap, 900 unsigned bits) 901 { 902 TLBFlushPageBitsByMMUIdxData d; 903 run_on_cpu_data runon; 904 905 /* If all bits are significant, this devolves to tlb_flush_page. */ 906 if (bits >= TARGET_LONG_BITS) { 907 tlb_flush_page_by_mmuidx_all_cpus_synced(src_cpu, addr, idxmap); 908 return; 909 } 910 /* If no page bits are significant, this devolves to tlb_flush. */ 911 if (bits < TARGET_PAGE_BITS) { 912 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, idxmap); 913 return; 914 } 915 916 /* This should already be page aligned */ 917 d.addr = addr & TARGET_PAGE_MASK; 918 d.idxmap = idxmap; 919 d.bits = bits; 920 921 if (encode_pbm_to_runon(&runon, d)) { 922 flush_all_helper(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon); 923 async_safe_run_on_cpu(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1, 924 runon); 925 } else { 926 CPUState *dst_cpu; 927 TLBFlushPageBitsByMMUIdxData *p; 928 929 /* Allocate a separate data block for each destination cpu. */ 930 CPU_FOREACH(dst_cpu) { 931 if (dst_cpu != src_cpu) { 932 p = g_new(TLBFlushPageBitsByMMUIdxData, 1); 933 *p = d; 934 async_run_on_cpu(dst_cpu, tlb_flush_page_bits_by_mmuidx_async_2, 935 RUN_ON_CPU_HOST_PTR(p)); 936 } 937 } 938 939 p = g_new(TLBFlushPageBitsByMMUIdxData, 1); 940 *p = d; 941 async_safe_run_on_cpu(src_cpu, tlb_flush_page_bits_by_mmuidx_async_2, 942 RUN_ON_CPU_HOST_PTR(p)); 943 } 944 } 945 946 /* update the TLBs so that writes to code in the virtual page 'addr' 947 can be detected */ 948 void tlb_protect_code(ram_addr_t ram_addr) 949 { 950 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE, 951 DIRTY_MEMORY_CODE); 952 } 953 954 /* update the TLB so that writes in physical page 'phys_addr' are no longer 955 tested for self modifying code */ 956 void tlb_unprotect_code(ram_addr_t ram_addr) 957 { 958 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE); 959 } 960 961 962 /* 963 * Dirty write flag handling 964 * 965 * When the TCG code writes to a location it looks up the address in 966 * the TLB and uses that data to compute the final address. If any of 967 * the lower bits of the address are set then the slow path is forced. 968 * There are a number of reasons to do this but for normal RAM the 969 * most usual is detecting writes to code regions which may invalidate 970 * generated code. 971 * 972 * Other vCPUs might be reading their TLBs during guest execution, so we update 973 * te->addr_write with qatomic_set. We don't need to worry about this for 974 * oversized guests as MTTCG is disabled for them. 975 * 976 * Called with tlb_c.lock held. 977 */ 978 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry, 979 uintptr_t start, uintptr_t length) 980 { 981 uintptr_t addr = tlb_entry->addr_write; 982 983 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | 984 TLB_DISCARD_WRITE | TLB_NOTDIRTY)) == 0) { 985 addr &= TARGET_PAGE_MASK; 986 addr += tlb_entry->addend; 987 if ((addr - start) < length) { 988 #if TCG_OVERSIZED_GUEST 989 tlb_entry->addr_write |= TLB_NOTDIRTY; 990 #else 991 qatomic_set(&tlb_entry->addr_write, 992 tlb_entry->addr_write | TLB_NOTDIRTY); 993 #endif 994 } 995 } 996 } 997 998 /* 999 * Called with tlb_c.lock held. 1000 * Called only from the vCPU context, i.e. the TLB's owner thread. 1001 */ 1002 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s) 1003 { 1004 *d = *s; 1005 } 1006 1007 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of 1008 * the target vCPU). 1009 * We must take tlb_c.lock to avoid racing with another vCPU update. The only 1010 * thing actually updated is the target TLB entry ->addr_write flags. 1011 */ 1012 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length) 1013 { 1014 CPUArchState *env; 1015 1016 int mmu_idx; 1017 1018 env = cpu->env_ptr; 1019 qemu_spin_lock(&env_tlb(env)->c.lock); 1020 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 1021 unsigned int i; 1022 unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]); 1023 1024 for (i = 0; i < n; i++) { 1025 tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i], 1026 start1, length); 1027 } 1028 1029 for (i = 0; i < CPU_VTLB_SIZE; i++) { 1030 tlb_reset_dirty_range_locked(&env_tlb(env)->d[mmu_idx].vtable[i], 1031 start1, length); 1032 } 1033 } 1034 qemu_spin_unlock(&env_tlb(env)->c.lock); 1035 } 1036 1037 /* Called with tlb_c.lock held */ 1038 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry, 1039 target_ulong vaddr) 1040 { 1041 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) { 1042 tlb_entry->addr_write = vaddr; 1043 } 1044 } 1045 1046 /* update the TLB corresponding to virtual page vaddr 1047 so that it is no longer dirty */ 1048 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr) 1049 { 1050 CPUArchState *env = cpu->env_ptr; 1051 int mmu_idx; 1052 1053 assert_cpu_is_self(cpu); 1054 1055 vaddr &= TARGET_PAGE_MASK; 1056 qemu_spin_lock(&env_tlb(env)->c.lock); 1057 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 1058 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr); 1059 } 1060 1061 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 1062 int k; 1063 for (k = 0; k < CPU_VTLB_SIZE; k++) { 1064 tlb_set_dirty1_locked(&env_tlb(env)->d[mmu_idx].vtable[k], vaddr); 1065 } 1066 } 1067 qemu_spin_unlock(&env_tlb(env)->c.lock); 1068 } 1069 1070 /* Our TLB does not support large pages, so remember the area covered by 1071 large pages and trigger a full TLB flush if these are invalidated. */ 1072 static void tlb_add_large_page(CPUArchState *env, int mmu_idx, 1073 target_ulong vaddr, target_ulong size) 1074 { 1075 target_ulong lp_addr = env_tlb(env)->d[mmu_idx].large_page_addr; 1076 target_ulong lp_mask = ~(size - 1); 1077 1078 if (lp_addr == (target_ulong)-1) { 1079 /* No previous large page. */ 1080 lp_addr = vaddr; 1081 } else { 1082 /* Extend the existing region to include the new page. 1083 This is a compromise between unnecessary flushes and 1084 the cost of maintaining a full variable size TLB. */ 1085 lp_mask &= env_tlb(env)->d[mmu_idx].large_page_mask; 1086 while (((lp_addr ^ vaddr) & lp_mask) != 0) { 1087 lp_mask <<= 1; 1088 } 1089 } 1090 env_tlb(env)->d[mmu_idx].large_page_addr = lp_addr & lp_mask; 1091 env_tlb(env)->d[mmu_idx].large_page_mask = lp_mask; 1092 } 1093 1094 /* Add a new TLB entry. At most one entry for a given virtual address 1095 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the 1096 * supplied size is only used by tlb_flush_page. 1097 * 1098 * Called from TCG-generated code, which is under an RCU read-side 1099 * critical section. 1100 */ 1101 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr, 1102 hwaddr paddr, MemTxAttrs attrs, int prot, 1103 int mmu_idx, target_ulong size) 1104 { 1105 CPUArchState *env = cpu->env_ptr; 1106 CPUTLB *tlb = env_tlb(env); 1107 CPUTLBDesc *desc = &tlb->d[mmu_idx]; 1108 MemoryRegionSection *section; 1109 unsigned int index; 1110 target_ulong address; 1111 target_ulong write_address; 1112 uintptr_t addend; 1113 CPUTLBEntry *te, tn; 1114 hwaddr iotlb, xlat, sz, paddr_page; 1115 target_ulong vaddr_page; 1116 int asidx = cpu_asidx_from_attrs(cpu, attrs); 1117 int wp_flags; 1118 bool is_ram, is_romd; 1119 1120 assert_cpu_is_self(cpu); 1121 1122 if (size <= TARGET_PAGE_SIZE) { 1123 sz = TARGET_PAGE_SIZE; 1124 } else { 1125 tlb_add_large_page(env, mmu_idx, vaddr, size); 1126 sz = size; 1127 } 1128 vaddr_page = vaddr & TARGET_PAGE_MASK; 1129 paddr_page = paddr & TARGET_PAGE_MASK; 1130 1131 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page, 1132 &xlat, &sz, attrs, &prot); 1133 assert(sz >= TARGET_PAGE_SIZE); 1134 1135 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx 1136 " prot=%x idx=%d\n", 1137 vaddr, paddr, prot, mmu_idx); 1138 1139 address = vaddr_page; 1140 if (size < TARGET_PAGE_SIZE) { 1141 /* Repeat the MMU check and TLB fill on every access. */ 1142 address |= TLB_INVALID_MASK; 1143 } 1144 if (attrs.byte_swap) { 1145 address |= TLB_BSWAP; 1146 } 1147 1148 is_ram = memory_region_is_ram(section->mr); 1149 is_romd = memory_region_is_romd(section->mr); 1150 1151 if (is_ram || is_romd) { 1152 /* RAM and ROMD both have associated host memory. */ 1153 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat; 1154 } else { 1155 /* I/O does not; force the host address to NULL. */ 1156 addend = 0; 1157 } 1158 1159 write_address = address; 1160 if (is_ram) { 1161 iotlb = memory_region_get_ram_addr(section->mr) + xlat; 1162 /* 1163 * Computing is_clean is expensive; avoid all that unless 1164 * the page is actually writable. 1165 */ 1166 if (prot & PAGE_WRITE) { 1167 if (section->readonly) { 1168 write_address |= TLB_DISCARD_WRITE; 1169 } else if (cpu_physical_memory_is_clean(iotlb)) { 1170 write_address |= TLB_NOTDIRTY; 1171 } 1172 } 1173 } else { 1174 /* I/O or ROMD */ 1175 iotlb = memory_region_section_get_iotlb(cpu, section) + xlat; 1176 /* 1177 * Writes to romd devices must go through MMIO to enable write. 1178 * Reads to romd devices go through the ram_ptr found above, 1179 * but of course reads to I/O must go through MMIO. 1180 */ 1181 write_address |= TLB_MMIO; 1182 if (!is_romd) { 1183 address = write_address; 1184 } 1185 } 1186 1187 wp_flags = cpu_watchpoint_address_matches(cpu, vaddr_page, 1188 TARGET_PAGE_SIZE); 1189 1190 index = tlb_index(env, mmu_idx, vaddr_page); 1191 te = tlb_entry(env, mmu_idx, vaddr_page); 1192 1193 /* 1194 * Hold the TLB lock for the rest of the function. We could acquire/release 1195 * the lock several times in the function, but it is faster to amortize the 1196 * acquisition cost by acquiring it just once. Note that this leads to 1197 * a longer critical section, but this is not a concern since the TLB lock 1198 * is unlikely to be contended. 1199 */ 1200 qemu_spin_lock(&tlb->c.lock); 1201 1202 /* Note that the tlb is no longer clean. */ 1203 tlb->c.dirty |= 1 << mmu_idx; 1204 1205 /* Make sure there's no cached translation for the new page. */ 1206 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page); 1207 1208 /* 1209 * Only evict the old entry to the victim tlb if it's for a 1210 * different page; otherwise just overwrite the stale data. 1211 */ 1212 if (!tlb_hit_page_anyprot(te, vaddr_page) && !tlb_entry_is_empty(te)) { 1213 unsigned vidx = desc->vindex++ % CPU_VTLB_SIZE; 1214 CPUTLBEntry *tv = &desc->vtable[vidx]; 1215 1216 /* Evict the old entry into the victim tlb. */ 1217 copy_tlb_helper_locked(tv, te); 1218 desc->viotlb[vidx] = desc->iotlb[index]; 1219 tlb_n_used_entries_dec(env, mmu_idx); 1220 } 1221 1222 /* refill the tlb */ 1223 /* 1224 * At this point iotlb contains a physical section number in the lower 1225 * TARGET_PAGE_BITS, and either 1226 * + the ram_addr_t of the page base of the target RAM (RAM) 1227 * + the offset within section->mr of the page base (I/O, ROMD) 1228 * We subtract the vaddr_page (which is page aligned and thus won't 1229 * disturb the low bits) to give an offset which can be added to the 1230 * (non-page-aligned) vaddr of the eventual memory access to get 1231 * the MemoryRegion offset for the access. Note that the vaddr we 1232 * subtract here is that of the page base, and not the same as the 1233 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code(). 1234 */ 1235 desc->iotlb[index].addr = iotlb - vaddr_page; 1236 desc->iotlb[index].attrs = attrs; 1237 1238 /* Now calculate the new entry */ 1239 tn.addend = addend - vaddr_page; 1240 if (prot & PAGE_READ) { 1241 tn.addr_read = address; 1242 if (wp_flags & BP_MEM_READ) { 1243 tn.addr_read |= TLB_WATCHPOINT; 1244 } 1245 } else { 1246 tn.addr_read = -1; 1247 } 1248 1249 if (prot & PAGE_EXEC) { 1250 tn.addr_code = address; 1251 } else { 1252 tn.addr_code = -1; 1253 } 1254 1255 tn.addr_write = -1; 1256 if (prot & PAGE_WRITE) { 1257 tn.addr_write = write_address; 1258 if (prot & PAGE_WRITE_INV) { 1259 tn.addr_write |= TLB_INVALID_MASK; 1260 } 1261 if (wp_flags & BP_MEM_WRITE) { 1262 tn.addr_write |= TLB_WATCHPOINT; 1263 } 1264 } 1265 1266 copy_tlb_helper_locked(te, &tn); 1267 tlb_n_used_entries_inc(env, mmu_idx); 1268 qemu_spin_unlock(&tlb->c.lock); 1269 } 1270 1271 /* Add a new TLB entry, but without specifying the memory 1272 * transaction attributes to be used. 1273 */ 1274 void tlb_set_page(CPUState *cpu, target_ulong vaddr, 1275 hwaddr paddr, int prot, 1276 int mmu_idx, target_ulong size) 1277 { 1278 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED, 1279 prot, mmu_idx, size); 1280 } 1281 1282 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr) 1283 { 1284 ram_addr_t ram_addr; 1285 1286 ram_addr = qemu_ram_addr_from_host(ptr); 1287 if (ram_addr == RAM_ADDR_INVALID) { 1288 error_report("Bad ram pointer %p", ptr); 1289 abort(); 1290 } 1291 return ram_addr; 1292 } 1293 1294 /* 1295 * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the 1296 * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must 1297 * be discarded and looked up again (e.g. via tlb_entry()). 1298 */ 1299 static void tlb_fill(CPUState *cpu, target_ulong addr, int size, 1300 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr) 1301 { 1302 CPUClass *cc = CPU_GET_CLASS(cpu); 1303 bool ok; 1304 1305 /* 1306 * This is not a probe, so only valid return is success; failure 1307 * should result in exception + longjmp to the cpu loop. 1308 */ 1309 ok = cc->tcg_ops->tlb_fill(cpu, addr, size, 1310 access_type, mmu_idx, false, retaddr); 1311 assert(ok); 1312 } 1313 1314 static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr, 1315 MMUAccessType access_type, 1316 int mmu_idx, uintptr_t retaddr) 1317 { 1318 CPUClass *cc = CPU_GET_CLASS(cpu); 1319 1320 cc->tcg_ops->do_unaligned_access(cpu, addr, access_type, mmu_idx, retaddr); 1321 } 1322 1323 static inline void cpu_transaction_failed(CPUState *cpu, hwaddr physaddr, 1324 vaddr addr, unsigned size, 1325 MMUAccessType access_type, 1326 int mmu_idx, MemTxAttrs attrs, 1327 MemTxResult response, 1328 uintptr_t retaddr) 1329 { 1330 CPUClass *cc = CPU_GET_CLASS(cpu); 1331 1332 if (!cpu->ignore_memory_transaction_failures && 1333 cc->tcg_ops->do_transaction_failed) { 1334 cc->tcg_ops->do_transaction_failed(cpu, physaddr, addr, size, 1335 access_type, mmu_idx, attrs, 1336 response, retaddr); 1337 } 1338 } 1339 1340 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 1341 int mmu_idx, target_ulong addr, uintptr_t retaddr, 1342 MMUAccessType access_type, MemOp op) 1343 { 1344 CPUState *cpu = env_cpu(env); 1345 hwaddr mr_offset; 1346 MemoryRegionSection *section; 1347 MemoryRegion *mr; 1348 uint64_t val; 1349 bool locked = false; 1350 MemTxResult r; 1351 1352 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 1353 mr = section->mr; 1354 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 1355 cpu->mem_io_pc = retaddr; 1356 if (!cpu->can_do_io) { 1357 cpu_io_recompile(cpu, retaddr); 1358 } 1359 1360 if (!qemu_mutex_iothread_locked()) { 1361 qemu_mutex_lock_iothread(); 1362 locked = true; 1363 } 1364 r = memory_region_dispatch_read(mr, mr_offset, &val, op, iotlbentry->attrs); 1365 if (r != MEMTX_OK) { 1366 hwaddr physaddr = mr_offset + 1367 section->offset_within_address_space - 1368 section->offset_within_region; 1369 1370 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op), access_type, 1371 mmu_idx, iotlbentry->attrs, r, retaddr); 1372 } 1373 if (locked) { 1374 qemu_mutex_unlock_iothread(); 1375 } 1376 1377 return val; 1378 } 1379 1380 /* 1381 * Save a potentially trashed IOTLB entry for later lookup by plugin. 1382 * This is read by tlb_plugin_lookup if the iotlb entry doesn't match 1383 * because of the side effect of io_writex changing memory layout. 1384 */ 1385 static void save_iotlb_data(CPUState *cs, hwaddr addr, 1386 MemoryRegionSection *section, hwaddr mr_offset) 1387 { 1388 #ifdef CONFIG_PLUGIN 1389 SavedIOTLB *saved = &cs->saved_iotlb; 1390 saved->addr = addr; 1391 saved->section = section; 1392 saved->mr_offset = mr_offset; 1393 #endif 1394 } 1395 1396 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry, 1397 int mmu_idx, uint64_t val, target_ulong addr, 1398 uintptr_t retaddr, MemOp op) 1399 { 1400 CPUState *cpu = env_cpu(env); 1401 hwaddr mr_offset; 1402 MemoryRegionSection *section; 1403 MemoryRegion *mr; 1404 bool locked = false; 1405 MemTxResult r; 1406 1407 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 1408 mr = section->mr; 1409 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 1410 if (!cpu->can_do_io) { 1411 cpu_io_recompile(cpu, retaddr); 1412 } 1413 cpu->mem_io_pc = retaddr; 1414 1415 /* 1416 * The memory_region_dispatch may trigger a flush/resize 1417 * so for plugins we save the iotlb_data just in case. 1418 */ 1419 save_iotlb_data(cpu, iotlbentry->addr, section, mr_offset); 1420 1421 if (!qemu_mutex_iothread_locked()) { 1422 qemu_mutex_lock_iothread(); 1423 locked = true; 1424 } 1425 r = memory_region_dispatch_write(mr, mr_offset, val, op, iotlbentry->attrs); 1426 if (r != MEMTX_OK) { 1427 hwaddr physaddr = mr_offset + 1428 section->offset_within_address_space - 1429 section->offset_within_region; 1430 1431 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op), 1432 MMU_DATA_STORE, mmu_idx, iotlbentry->attrs, r, 1433 retaddr); 1434 } 1435 if (locked) { 1436 qemu_mutex_unlock_iothread(); 1437 } 1438 } 1439 1440 static inline target_ulong tlb_read_ofs(CPUTLBEntry *entry, size_t ofs) 1441 { 1442 #if TCG_OVERSIZED_GUEST 1443 return *(target_ulong *)((uintptr_t)entry + ofs); 1444 #else 1445 /* ofs might correspond to .addr_write, so use qatomic_read */ 1446 return qatomic_read((target_ulong *)((uintptr_t)entry + ofs)); 1447 #endif 1448 } 1449 1450 /* Return true if ADDR is present in the victim tlb, and has been copied 1451 back to the main tlb. */ 1452 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index, 1453 size_t elt_ofs, target_ulong page) 1454 { 1455 size_t vidx; 1456 1457 assert_cpu_is_self(env_cpu(env)); 1458 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) { 1459 CPUTLBEntry *vtlb = &env_tlb(env)->d[mmu_idx].vtable[vidx]; 1460 target_ulong cmp; 1461 1462 /* elt_ofs might correspond to .addr_write, so use qatomic_read */ 1463 #if TCG_OVERSIZED_GUEST 1464 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs); 1465 #else 1466 cmp = qatomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs)); 1467 #endif 1468 1469 if (cmp == page) { 1470 /* Found entry in victim tlb, swap tlb and iotlb. */ 1471 CPUTLBEntry tmptlb, *tlb = &env_tlb(env)->f[mmu_idx].table[index]; 1472 1473 qemu_spin_lock(&env_tlb(env)->c.lock); 1474 copy_tlb_helper_locked(&tmptlb, tlb); 1475 copy_tlb_helper_locked(tlb, vtlb); 1476 copy_tlb_helper_locked(vtlb, &tmptlb); 1477 qemu_spin_unlock(&env_tlb(env)->c.lock); 1478 1479 CPUIOTLBEntry tmpio, *io = &env_tlb(env)->d[mmu_idx].iotlb[index]; 1480 CPUIOTLBEntry *vio = &env_tlb(env)->d[mmu_idx].viotlb[vidx]; 1481 tmpio = *io; *io = *vio; *vio = tmpio; 1482 return true; 1483 } 1484 } 1485 return false; 1486 } 1487 1488 /* Macro to call the above, with local variables from the use context. */ 1489 #define VICTIM_TLB_HIT(TY, ADDR) \ 1490 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \ 1491 (ADDR) & TARGET_PAGE_MASK) 1492 1493 /* 1494 * Return a ram_addr_t for the virtual address for execution. 1495 * 1496 * Return -1 if we can't translate and execute from an entire page 1497 * of RAM. This will force us to execute by loading and translating 1498 * one insn at a time, without caching. 1499 * 1500 * NOTE: This function will trigger an exception if the page is 1501 * not executable. 1502 */ 1503 tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr, 1504 void **hostp) 1505 { 1506 uintptr_t mmu_idx = cpu_mmu_index(env, true); 1507 uintptr_t index = tlb_index(env, mmu_idx, addr); 1508 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); 1509 void *p; 1510 1511 if (unlikely(!tlb_hit(entry->addr_code, addr))) { 1512 if (!VICTIM_TLB_HIT(addr_code, addr)) { 1513 tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0); 1514 index = tlb_index(env, mmu_idx, addr); 1515 entry = tlb_entry(env, mmu_idx, addr); 1516 1517 if (unlikely(entry->addr_code & TLB_INVALID_MASK)) { 1518 /* 1519 * The MMU protection covers a smaller range than a target 1520 * page, so we must redo the MMU check for every insn. 1521 */ 1522 return -1; 1523 } 1524 } 1525 assert(tlb_hit(entry->addr_code, addr)); 1526 } 1527 1528 if (unlikely(entry->addr_code & TLB_MMIO)) { 1529 /* The region is not backed by RAM. */ 1530 if (hostp) { 1531 *hostp = NULL; 1532 } 1533 return -1; 1534 } 1535 1536 p = (void *)((uintptr_t)addr + entry->addend); 1537 if (hostp) { 1538 *hostp = p; 1539 } 1540 return qemu_ram_addr_from_host_nofail(p); 1541 } 1542 1543 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr) 1544 { 1545 return get_page_addr_code_hostp(env, addr, NULL); 1546 } 1547 1548 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size, 1549 CPUIOTLBEntry *iotlbentry, uintptr_t retaddr) 1550 { 1551 ram_addr_t ram_addr = mem_vaddr + iotlbentry->addr; 1552 1553 trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size); 1554 1555 if (!cpu_physical_memory_get_dirty_flag(ram_addr, DIRTY_MEMORY_CODE)) { 1556 struct page_collection *pages 1557 = page_collection_lock(ram_addr, ram_addr + size); 1558 tb_invalidate_phys_page_fast(pages, ram_addr, size, retaddr); 1559 page_collection_unlock(pages); 1560 } 1561 1562 /* 1563 * Set both VGA and migration bits for simplicity and to remove 1564 * the notdirty callback faster. 1565 */ 1566 cpu_physical_memory_set_dirty_range(ram_addr, size, DIRTY_CLIENTS_NOCODE); 1567 1568 /* We remove the notdirty callback only if the code has been flushed. */ 1569 if (!cpu_physical_memory_is_clean(ram_addr)) { 1570 trace_memory_notdirty_set_dirty(mem_vaddr); 1571 tlb_set_dirty(cpu, mem_vaddr); 1572 } 1573 } 1574 1575 static int probe_access_internal(CPUArchState *env, target_ulong addr, 1576 int fault_size, MMUAccessType access_type, 1577 int mmu_idx, bool nonfault, 1578 void **phost, uintptr_t retaddr) 1579 { 1580 uintptr_t index = tlb_index(env, mmu_idx, addr); 1581 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); 1582 target_ulong tlb_addr, page_addr; 1583 size_t elt_ofs; 1584 int flags; 1585 1586 switch (access_type) { 1587 case MMU_DATA_LOAD: 1588 elt_ofs = offsetof(CPUTLBEntry, addr_read); 1589 break; 1590 case MMU_DATA_STORE: 1591 elt_ofs = offsetof(CPUTLBEntry, addr_write); 1592 break; 1593 case MMU_INST_FETCH: 1594 elt_ofs = offsetof(CPUTLBEntry, addr_code); 1595 break; 1596 default: 1597 g_assert_not_reached(); 1598 } 1599 tlb_addr = tlb_read_ofs(entry, elt_ofs); 1600 1601 page_addr = addr & TARGET_PAGE_MASK; 1602 if (!tlb_hit_page(tlb_addr, page_addr)) { 1603 if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) { 1604 CPUState *cs = env_cpu(env); 1605 CPUClass *cc = CPU_GET_CLASS(cs); 1606 1607 if (!cc->tcg_ops->tlb_fill(cs, addr, fault_size, access_type, 1608 mmu_idx, nonfault, retaddr)) { 1609 /* Non-faulting page table read failed. */ 1610 *phost = NULL; 1611 return TLB_INVALID_MASK; 1612 } 1613 1614 /* TLB resize via tlb_fill may have moved the entry. */ 1615 entry = tlb_entry(env, mmu_idx, addr); 1616 } 1617 tlb_addr = tlb_read_ofs(entry, elt_ofs); 1618 } 1619 flags = tlb_addr & TLB_FLAGS_MASK; 1620 1621 /* Fold all "mmio-like" bits into TLB_MMIO. This is not RAM. */ 1622 if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY))) { 1623 *phost = NULL; 1624 return TLB_MMIO; 1625 } 1626 1627 /* Everything else is RAM. */ 1628 *phost = (void *)((uintptr_t)addr + entry->addend); 1629 return flags; 1630 } 1631 1632 int probe_access_flags(CPUArchState *env, target_ulong addr, 1633 MMUAccessType access_type, int mmu_idx, 1634 bool nonfault, void **phost, uintptr_t retaddr) 1635 { 1636 int flags; 1637 1638 flags = probe_access_internal(env, addr, 0, access_type, mmu_idx, 1639 nonfault, phost, retaddr); 1640 1641 /* Handle clean RAM pages. */ 1642 if (unlikely(flags & TLB_NOTDIRTY)) { 1643 uintptr_t index = tlb_index(env, mmu_idx, addr); 1644 CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index]; 1645 1646 notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr); 1647 flags &= ~TLB_NOTDIRTY; 1648 } 1649 1650 return flags; 1651 } 1652 1653 void *probe_access(CPUArchState *env, target_ulong addr, int size, 1654 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr) 1655 { 1656 void *host; 1657 int flags; 1658 1659 g_assert(-(addr | TARGET_PAGE_MASK) >= size); 1660 1661 flags = probe_access_internal(env, addr, size, access_type, mmu_idx, 1662 false, &host, retaddr); 1663 1664 /* Per the interface, size == 0 merely faults the access. */ 1665 if (size == 0) { 1666 return NULL; 1667 } 1668 1669 if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) { 1670 uintptr_t index = tlb_index(env, mmu_idx, addr); 1671 CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index]; 1672 1673 /* Handle watchpoints. */ 1674 if (flags & TLB_WATCHPOINT) { 1675 int wp_access = (access_type == MMU_DATA_STORE 1676 ? BP_MEM_WRITE : BP_MEM_READ); 1677 cpu_check_watchpoint(env_cpu(env), addr, size, 1678 iotlbentry->attrs, wp_access, retaddr); 1679 } 1680 1681 /* Handle clean RAM pages. */ 1682 if (flags & TLB_NOTDIRTY) { 1683 notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr); 1684 } 1685 } 1686 1687 return host; 1688 } 1689 1690 void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr, 1691 MMUAccessType access_type, int mmu_idx) 1692 { 1693 void *host; 1694 int flags; 1695 1696 flags = probe_access_internal(env, addr, 0, access_type, 1697 mmu_idx, true, &host, 0); 1698 1699 /* No combination of flags are expected by the caller. */ 1700 return flags ? NULL : host; 1701 } 1702 1703 #ifdef CONFIG_PLUGIN 1704 /* 1705 * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure. 1706 * This should be a hot path as we will have just looked this path up 1707 * in the softmmu lookup code (or helper). We don't handle re-fills or 1708 * checking the victim table. This is purely informational. 1709 * 1710 * This almost never fails as the memory access being instrumented 1711 * should have just filled the TLB. The one corner case is io_writex 1712 * which can cause TLB flushes and potential resizing of the TLBs 1713 * losing the information we need. In those cases we need to recover 1714 * data from a copy of the iotlbentry. As long as this always occurs 1715 * from the same thread (which a mem callback will be) this is safe. 1716 */ 1717 1718 bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx, 1719 bool is_store, struct qemu_plugin_hwaddr *data) 1720 { 1721 CPUArchState *env = cpu->env_ptr; 1722 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr); 1723 uintptr_t index = tlb_index(env, mmu_idx, addr); 1724 target_ulong tlb_addr = is_store ? tlb_addr_write(tlbe) : tlbe->addr_read; 1725 1726 if (likely(tlb_hit(tlb_addr, addr))) { 1727 /* We must have an iotlb entry for MMIO */ 1728 if (tlb_addr & TLB_MMIO) { 1729 CPUIOTLBEntry *iotlbentry; 1730 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index]; 1731 data->is_io = true; 1732 data->v.io.section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs); 1733 data->v.io.offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr; 1734 } else { 1735 data->is_io = false; 1736 data->v.ram.hostaddr = addr + tlbe->addend; 1737 } 1738 return true; 1739 } else { 1740 SavedIOTLB *saved = &cpu->saved_iotlb; 1741 data->is_io = true; 1742 data->v.io.section = saved->section; 1743 data->v.io.offset = saved->mr_offset; 1744 return true; 1745 } 1746 } 1747 1748 #endif 1749 1750 /* Probe for a read-modify-write atomic operation. Do not allow unaligned 1751 * operations, or io operations to proceed. Return the host address. */ 1752 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr, 1753 TCGMemOpIdx oi, uintptr_t retaddr) 1754 { 1755 size_t mmu_idx = get_mmuidx(oi); 1756 uintptr_t index = tlb_index(env, mmu_idx, addr); 1757 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr); 1758 target_ulong tlb_addr = tlb_addr_write(tlbe); 1759 MemOp mop = get_memop(oi); 1760 int a_bits = get_alignment_bits(mop); 1761 int s_bits = mop & MO_SIZE; 1762 void *hostaddr; 1763 1764 /* Adjust the given return address. */ 1765 retaddr -= GETPC_ADJ; 1766 1767 /* Enforce guest required alignment. */ 1768 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) { 1769 /* ??? Maybe indicate atomic op to cpu_unaligned_access */ 1770 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE, 1771 mmu_idx, retaddr); 1772 } 1773 1774 /* Enforce qemu required alignment. */ 1775 if (unlikely(addr & ((1 << s_bits) - 1))) { 1776 /* We get here if guest alignment was not requested, 1777 or was not enforced by cpu_unaligned_access above. 1778 We might widen the access and emulate, but for now 1779 mark an exception and exit the cpu loop. */ 1780 goto stop_the_world; 1781 } 1782 1783 /* Check TLB entry and enforce page permissions. */ 1784 if (!tlb_hit(tlb_addr, addr)) { 1785 if (!VICTIM_TLB_HIT(addr_write, addr)) { 1786 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_STORE, 1787 mmu_idx, retaddr); 1788 index = tlb_index(env, mmu_idx, addr); 1789 tlbe = tlb_entry(env, mmu_idx, addr); 1790 } 1791 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK; 1792 } 1793 1794 /* Notice an IO access or a needs-MMU-lookup access */ 1795 if (unlikely(tlb_addr & TLB_MMIO)) { 1796 /* There's really nothing that can be done to 1797 support this apart from stop-the-world. */ 1798 goto stop_the_world; 1799 } 1800 1801 /* Let the guest notice RMW on a write-only page. */ 1802 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) { 1803 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_LOAD, 1804 mmu_idx, retaddr); 1805 /* Since we don't support reads and writes to different addresses, 1806 and we do have the proper page loaded for write, this shouldn't 1807 ever return. But just in case, handle via stop-the-world. */ 1808 goto stop_the_world; 1809 } 1810 1811 hostaddr = (void *)((uintptr_t)addr + tlbe->addend); 1812 1813 if (unlikely(tlb_addr & TLB_NOTDIRTY)) { 1814 notdirty_write(env_cpu(env), addr, 1 << s_bits, 1815 &env_tlb(env)->d[mmu_idx].iotlb[index], retaddr); 1816 } 1817 1818 return hostaddr; 1819 1820 stop_the_world: 1821 cpu_loop_exit_atomic(env_cpu(env), retaddr); 1822 } 1823 1824 /* 1825 * Load Helpers 1826 * 1827 * We support two different access types. SOFTMMU_CODE_ACCESS is 1828 * specifically for reading instructions from system memory. It is 1829 * called by the translation loop and in some helpers where the code 1830 * is disassembled. It shouldn't be called directly by guest code. 1831 */ 1832 1833 typedef uint64_t FullLoadHelper(CPUArchState *env, target_ulong addr, 1834 TCGMemOpIdx oi, uintptr_t retaddr); 1835 1836 static inline uint64_t QEMU_ALWAYS_INLINE 1837 load_memop(const void *haddr, MemOp op) 1838 { 1839 switch (op) { 1840 case MO_UB: 1841 return ldub_p(haddr); 1842 case MO_BEUW: 1843 return lduw_be_p(haddr); 1844 case MO_LEUW: 1845 return lduw_le_p(haddr); 1846 case MO_BEUL: 1847 return (uint32_t)ldl_be_p(haddr); 1848 case MO_LEUL: 1849 return (uint32_t)ldl_le_p(haddr); 1850 case MO_BEQ: 1851 return ldq_be_p(haddr); 1852 case MO_LEQ: 1853 return ldq_le_p(haddr); 1854 default: 1855 qemu_build_not_reached(); 1856 } 1857 } 1858 1859 static inline uint64_t QEMU_ALWAYS_INLINE 1860 load_helper(CPUArchState *env, target_ulong addr, TCGMemOpIdx oi, 1861 uintptr_t retaddr, MemOp op, bool code_read, 1862 FullLoadHelper *full_load) 1863 { 1864 uintptr_t mmu_idx = get_mmuidx(oi); 1865 uintptr_t index = tlb_index(env, mmu_idx, addr); 1866 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); 1867 target_ulong tlb_addr = code_read ? entry->addr_code : entry->addr_read; 1868 const size_t tlb_off = code_read ? 1869 offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read); 1870 const MMUAccessType access_type = 1871 code_read ? MMU_INST_FETCH : MMU_DATA_LOAD; 1872 unsigned a_bits = get_alignment_bits(get_memop(oi)); 1873 void *haddr; 1874 uint64_t res; 1875 size_t size = memop_size(op); 1876 1877 /* Handle CPU specific unaligned behaviour */ 1878 if (addr & ((1 << a_bits) - 1)) { 1879 cpu_unaligned_access(env_cpu(env), addr, access_type, 1880 mmu_idx, retaddr); 1881 } 1882 1883 /* If the TLB entry is for a different page, reload and try again. */ 1884 if (!tlb_hit(tlb_addr, addr)) { 1885 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off, 1886 addr & TARGET_PAGE_MASK)) { 1887 tlb_fill(env_cpu(env), addr, size, 1888 access_type, mmu_idx, retaddr); 1889 index = tlb_index(env, mmu_idx, addr); 1890 entry = tlb_entry(env, mmu_idx, addr); 1891 } 1892 tlb_addr = code_read ? entry->addr_code : entry->addr_read; 1893 tlb_addr &= ~TLB_INVALID_MASK; 1894 } 1895 1896 /* Handle anything that isn't just a straight memory access. */ 1897 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) { 1898 CPUIOTLBEntry *iotlbentry; 1899 bool need_swap; 1900 1901 /* For anything that is unaligned, recurse through full_load. */ 1902 if ((addr & (size - 1)) != 0) { 1903 goto do_unaligned_access; 1904 } 1905 1906 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index]; 1907 1908 /* Handle watchpoints. */ 1909 if (unlikely(tlb_addr & TLB_WATCHPOINT)) { 1910 /* On watchpoint hit, this will longjmp out. */ 1911 cpu_check_watchpoint(env_cpu(env), addr, size, 1912 iotlbentry->attrs, BP_MEM_READ, retaddr); 1913 } 1914 1915 need_swap = size > 1 && (tlb_addr & TLB_BSWAP); 1916 1917 /* Handle I/O access. */ 1918 if (likely(tlb_addr & TLB_MMIO)) { 1919 return io_readx(env, iotlbentry, mmu_idx, addr, retaddr, 1920 access_type, op ^ (need_swap * MO_BSWAP)); 1921 } 1922 1923 haddr = (void *)((uintptr_t)addr + entry->addend); 1924 1925 /* 1926 * Keep these two load_memop separate to ensure that the compiler 1927 * is able to fold the entire function to a single instruction. 1928 * There is a build-time assert inside to remind you of this. ;-) 1929 */ 1930 if (unlikely(need_swap)) { 1931 return load_memop(haddr, op ^ MO_BSWAP); 1932 } 1933 return load_memop(haddr, op); 1934 } 1935 1936 /* Handle slow unaligned access (it spans two pages or IO). */ 1937 if (size > 1 1938 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1 1939 >= TARGET_PAGE_SIZE)) { 1940 target_ulong addr1, addr2; 1941 uint64_t r1, r2; 1942 unsigned shift; 1943 do_unaligned_access: 1944 addr1 = addr & ~((target_ulong)size - 1); 1945 addr2 = addr1 + size; 1946 r1 = full_load(env, addr1, oi, retaddr); 1947 r2 = full_load(env, addr2, oi, retaddr); 1948 shift = (addr & (size - 1)) * 8; 1949 1950 if (memop_big_endian(op)) { 1951 /* Big-endian combine. */ 1952 res = (r1 << shift) | (r2 >> ((size * 8) - shift)); 1953 } else { 1954 /* Little-endian combine. */ 1955 res = (r1 >> shift) | (r2 << ((size * 8) - shift)); 1956 } 1957 return res & MAKE_64BIT_MASK(0, size * 8); 1958 } 1959 1960 haddr = (void *)((uintptr_t)addr + entry->addend); 1961 return load_memop(haddr, op); 1962 } 1963 1964 /* 1965 * For the benefit of TCG generated code, we want to avoid the 1966 * complication of ABI-specific return type promotion and always 1967 * return a value extended to the register size of the host. This is 1968 * tcg_target_long, except in the case of a 32-bit host and 64-bit 1969 * data, and for that we always have uint64_t. 1970 * 1971 * We don't bother with this widened value for SOFTMMU_CODE_ACCESS. 1972 */ 1973 1974 static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr, 1975 TCGMemOpIdx oi, uintptr_t retaddr) 1976 { 1977 return load_helper(env, addr, oi, retaddr, MO_UB, false, full_ldub_mmu); 1978 } 1979 1980 tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr, 1981 TCGMemOpIdx oi, uintptr_t retaddr) 1982 { 1983 return full_ldub_mmu(env, addr, oi, retaddr); 1984 } 1985 1986 static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr, 1987 TCGMemOpIdx oi, uintptr_t retaddr) 1988 { 1989 return load_helper(env, addr, oi, retaddr, MO_LEUW, false, 1990 full_le_lduw_mmu); 1991 } 1992 1993 tcg_target_ulong helper_le_lduw_mmu(CPUArchState *env, target_ulong addr, 1994 TCGMemOpIdx oi, uintptr_t retaddr) 1995 { 1996 return full_le_lduw_mmu(env, addr, oi, retaddr); 1997 } 1998 1999 static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr, 2000 TCGMemOpIdx oi, uintptr_t retaddr) 2001 { 2002 return load_helper(env, addr, oi, retaddr, MO_BEUW, false, 2003 full_be_lduw_mmu); 2004 } 2005 2006 tcg_target_ulong helper_be_lduw_mmu(CPUArchState *env, target_ulong addr, 2007 TCGMemOpIdx oi, uintptr_t retaddr) 2008 { 2009 return full_be_lduw_mmu(env, addr, oi, retaddr); 2010 } 2011 2012 static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr, 2013 TCGMemOpIdx oi, uintptr_t retaddr) 2014 { 2015 return load_helper(env, addr, oi, retaddr, MO_LEUL, false, 2016 full_le_ldul_mmu); 2017 } 2018 2019 tcg_target_ulong helper_le_ldul_mmu(CPUArchState *env, target_ulong addr, 2020 TCGMemOpIdx oi, uintptr_t retaddr) 2021 { 2022 return full_le_ldul_mmu(env, addr, oi, retaddr); 2023 } 2024 2025 static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr, 2026 TCGMemOpIdx oi, uintptr_t retaddr) 2027 { 2028 return load_helper(env, addr, oi, retaddr, MO_BEUL, false, 2029 full_be_ldul_mmu); 2030 } 2031 2032 tcg_target_ulong helper_be_ldul_mmu(CPUArchState *env, target_ulong addr, 2033 TCGMemOpIdx oi, uintptr_t retaddr) 2034 { 2035 return full_be_ldul_mmu(env, addr, oi, retaddr); 2036 } 2037 2038 uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr, 2039 TCGMemOpIdx oi, uintptr_t retaddr) 2040 { 2041 return load_helper(env, addr, oi, retaddr, MO_LEQ, false, 2042 helper_le_ldq_mmu); 2043 } 2044 2045 uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr, 2046 TCGMemOpIdx oi, uintptr_t retaddr) 2047 { 2048 return load_helper(env, addr, oi, retaddr, MO_BEQ, false, 2049 helper_be_ldq_mmu); 2050 } 2051 2052 /* 2053 * Provide signed versions of the load routines as well. We can of course 2054 * avoid this for 64-bit data, or for 32-bit data on 32-bit host. 2055 */ 2056 2057 2058 tcg_target_ulong helper_ret_ldsb_mmu(CPUArchState *env, target_ulong addr, 2059 TCGMemOpIdx oi, uintptr_t retaddr) 2060 { 2061 return (int8_t)helper_ret_ldub_mmu(env, addr, oi, retaddr); 2062 } 2063 2064 tcg_target_ulong helper_le_ldsw_mmu(CPUArchState *env, target_ulong addr, 2065 TCGMemOpIdx oi, uintptr_t retaddr) 2066 { 2067 return (int16_t)helper_le_lduw_mmu(env, addr, oi, retaddr); 2068 } 2069 2070 tcg_target_ulong helper_be_ldsw_mmu(CPUArchState *env, target_ulong addr, 2071 TCGMemOpIdx oi, uintptr_t retaddr) 2072 { 2073 return (int16_t)helper_be_lduw_mmu(env, addr, oi, retaddr); 2074 } 2075 2076 tcg_target_ulong helper_le_ldsl_mmu(CPUArchState *env, target_ulong addr, 2077 TCGMemOpIdx oi, uintptr_t retaddr) 2078 { 2079 return (int32_t)helper_le_ldul_mmu(env, addr, oi, retaddr); 2080 } 2081 2082 tcg_target_ulong helper_be_ldsl_mmu(CPUArchState *env, target_ulong addr, 2083 TCGMemOpIdx oi, uintptr_t retaddr) 2084 { 2085 return (int32_t)helper_be_ldul_mmu(env, addr, oi, retaddr); 2086 } 2087 2088 /* 2089 * Load helpers for cpu_ldst.h. 2090 */ 2091 2092 static inline uint64_t cpu_load_helper(CPUArchState *env, abi_ptr addr, 2093 int mmu_idx, uintptr_t retaddr, 2094 MemOp op, FullLoadHelper *full_load) 2095 { 2096 uint16_t meminfo; 2097 TCGMemOpIdx oi; 2098 uint64_t ret; 2099 2100 meminfo = trace_mem_get_info(op, mmu_idx, false); 2101 trace_guest_mem_before_exec(env_cpu(env), addr, meminfo); 2102 2103 op &= ~MO_SIGN; 2104 oi = make_memop_idx(op, mmu_idx); 2105 ret = full_load(env, addr, oi, retaddr); 2106 2107 qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, meminfo); 2108 2109 return ret; 2110 } 2111 2112 uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2113 int mmu_idx, uintptr_t ra) 2114 { 2115 return cpu_load_helper(env, addr, mmu_idx, ra, MO_UB, full_ldub_mmu); 2116 } 2117 2118 int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2119 int mmu_idx, uintptr_t ra) 2120 { 2121 return (int8_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_SB, 2122 full_ldub_mmu); 2123 } 2124 2125 uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2126 int mmu_idx, uintptr_t ra) 2127 { 2128 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUW, full_be_lduw_mmu); 2129 } 2130 2131 int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2132 int mmu_idx, uintptr_t ra) 2133 { 2134 return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_BESW, 2135 full_be_lduw_mmu); 2136 } 2137 2138 uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2139 int mmu_idx, uintptr_t ra) 2140 { 2141 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUL, full_be_ldul_mmu); 2142 } 2143 2144 uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2145 int mmu_idx, uintptr_t ra) 2146 { 2147 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEQ, helper_be_ldq_mmu); 2148 } 2149 2150 uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2151 int mmu_idx, uintptr_t ra) 2152 { 2153 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUW, full_le_lduw_mmu); 2154 } 2155 2156 int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2157 int mmu_idx, uintptr_t ra) 2158 { 2159 return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_LESW, 2160 full_le_lduw_mmu); 2161 } 2162 2163 uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2164 int mmu_idx, uintptr_t ra) 2165 { 2166 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUL, full_le_ldul_mmu); 2167 } 2168 2169 uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, 2170 int mmu_idx, uintptr_t ra) 2171 { 2172 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEQ, helper_le_ldq_mmu); 2173 } 2174 2175 uint32_t cpu_ldub_data_ra(CPUArchState *env, target_ulong ptr, 2176 uintptr_t retaddr) 2177 { 2178 return cpu_ldub_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2179 } 2180 2181 int cpu_ldsb_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr) 2182 { 2183 return cpu_ldsb_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2184 } 2185 2186 uint32_t cpu_lduw_be_data_ra(CPUArchState *env, target_ulong ptr, 2187 uintptr_t retaddr) 2188 { 2189 return cpu_lduw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2190 } 2191 2192 int cpu_ldsw_be_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr) 2193 { 2194 return cpu_ldsw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2195 } 2196 2197 uint32_t cpu_ldl_be_data_ra(CPUArchState *env, target_ulong ptr, 2198 uintptr_t retaddr) 2199 { 2200 return cpu_ldl_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2201 } 2202 2203 uint64_t cpu_ldq_be_data_ra(CPUArchState *env, target_ulong ptr, 2204 uintptr_t retaddr) 2205 { 2206 return cpu_ldq_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2207 } 2208 2209 uint32_t cpu_lduw_le_data_ra(CPUArchState *env, target_ulong ptr, 2210 uintptr_t retaddr) 2211 { 2212 return cpu_lduw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2213 } 2214 2215 int cpu_ldsw_le_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr) 2216 { 2217 return cpu_ldsw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2218 } 2219 2220 uint32_t cpu_ldl_le_data_ra(CPUArchState *env, target_ulong ptr, 2221 uintptr_t retaddr) 2222 { 2223 return cpu_ldl_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2224 } 2225 2226 uint64_t cpu_ldq_le_data_ra(CPUArchState *env, target_ulong ptr, 2227 uintptr_t retaddr) 2228 { 2229 return cpu_ldq_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr); 2230 } 2231 2232 uint32_t cpu_ldub_data(CPUArchState *env, target_ulong ptr) 2233 { 2234 return cpu_ldub_data_ra(env, ptr, 0); 2235 } 2236 2237 int cpu_ldsb_data(CPUArchState *env, target_ulong ptr) 2238 { 2239 return cpu_ldsb_data_ra(env, ptr, 0); 2240 } 2241 2242 uint32_t cpu_lduw_be_data(CPUArchState *env, target_ulong ptr) 2243 { 2244 return cpu_lduw_be_data_ra(env, ptr, 0); 2245 } 2246 2247 int cpu_ldsw_be_data(CPUArchState *env, target_ulong ptr) 2248 { 2249 return cpu_ldsw_be_data_ra(env, ptr, 0); 2250 } 2251 2252 uint32_t cpu_ldl_be_data(CPUArchState *env, target_ulong ptr) 2253 { 2254 return cpu_ldl_be_data_ra(env, ptr, 0); 2255 } 2256 2257 uint64_t cpu_ldq_be_data(CPUArchState *env, target_ulong ptr) 2258 { 2259 return cpu_ldq_be_data_ra(env, ptr, 0); 2260 } 2261 2262 uint32_t cpu_lduw_le_data(CPUArchState *env, target_ulong ptr) 2263 { 2264 return cpu_lduw_le_data_ra(env, ptr, 0); 2265 } 2266 2267 int cpu_ldsw_le_data(CPUArchState *env, target_ulong ptr) 2268 { 2269 return cpu_ldsw_le_data_ra(env, ptr, 0); 2270 } 2271 2272 uint32_t cpu_ldl_le_data(CPUArchState *env, target_ulong ptr) 2273 { 2274 return cpu_ldl_le_data_ra(env, ptr, 0); 2275 } 2276 2277 uint64_t cpu_ldq_le_data(CPUArchState *env, target_ulong ptr) 2278 { 2279 return cpu_ldq_le_data_ra(env, ptr, 0); 2280 } 2281 2282 /* 2283 * Store Helpers 2284 */ 2285 2286 static inline void QEMU_ALWAYS_INLINE 2287 store_memop(void *haddr, uint64_t val, MemOp op) 2288 { 2289 switch (op) { 2290 case MO_UB: 2291 stb_p(haddr, val); 2292 break; 2293 case MO_BEUW: 2294 stw_be_p(haddr, val); 2295 break; 2296 case MO_LEUW: 2297 stw_le_p(haddr, val); 2298 break; 2299 case MO_BEUL: 2300 stl_be_p(haddr, val); 2301 break; 2302 case MO_LEUL: 2303 stl_le_p(haddr, val); 2304 break; 2305 case MO_BEQ: 2306 stq_be_p(haddr, val); 2307 break; 2308 case MO_LEQ: 2309 stq_le_p(haddr, val); 2310 break; 2311 default: 2312 qemu_build_not_reached(); 2313 } 2314 } 2315 2316 static void __attribute__((noinline)) 2317 store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val, 2318 uintptr_t retaddr, size_t size, uintptr_t mmu_idx, 2319 bool big_endian) 2320 { 2321 const size_t tlb_off = offsetof(CPUTLBEntry, addr_write); 2322 uintptr_t index, index2; 2323 CPUTLBEntry *entry, *entry2; 2324 target_ulong page2, tlb_addr, tlb_addr2; 2325 TCGMemOpIdx oi; 2326 size_t size2; 2327 int i; 2328 2329 /* 2330 * Ensure the second page is in the TLB. Note that the first page 2331 * is already guaranteed to be filled, and that the second page 2332 * cannot evict the first. 2333 */ 2334 page2 = (addr + size) & TARGET_PAGE_MASK; 2335 size2 = (addr + size) & ~TARGET_PAGE_MASK; 2336 index2 = tlb_index(env, mmu_idx, page2); 2337 entry2 = tlb_entry(env, mmu_idx, page2); 2338 2339 tlb_addr2 = tlb_addr_write(entry2); 2340 if (!tlb_hit_page(tlb_addr2, page2)) { 2341 if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) { 2342 tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE, 2343 mmu_idx, retaddr); 2344 index2 = tlb_index(env, mmu_idx, page2); 2345 entry2 = tlb_entry(env, mmu_idx, page2); 2346 } 2347 tlb_addr2 = tlb_addr_write(entry2); 2348 } 2349 2350 index = tlb_index(env, mmu_idx, addr); 2351 entry = tlb_entry(env, mmu_idx, addr); 2352 tlb_addr = tlb_addr_write(entry); 2353 2354 /* 2355 * Handle watchpoints. Since this may trap, all checks 2356 * must happen before any store. 2357 */ 2358 if (unlikely(tlb_addr & TLB_WATCHPOINT)) { 2359 cpu_check_watchpoint(env_cpu(env), addr, size - size2, 2360 env_tlb(env)->d[mmu_idx].iotlb[index].attrs, 2361 BP_MEM_WRITE, retaddr); 2362 } 2363 if (unlikely(tlb_addr2 & TLB_WATCHPOINT)) { 2364 cpu_check_watchpoint(env_cpu(env), page2, size2, 2365 env_tlb(env)->d[mmu_idx].iotlb[index2].attrs, 2366 BP_MEM_WRITE, retaddr); 2367 } 2368 2369 /* 2370 * XXX: not efficient, but simple. 2371 * This loop must go in the forward direction to avoid issues 2372 * with self-modifying code in Windows 64-bit. 2373 */ 2374 oi = make_memop_idx(MO_UB, mmu_idx); 2375 if (big_endian) { 2376 for (i = 0; i < size; ++i) { 2377 /* Big-endian extract. */ 2378 uint8_t val8 = val >> (((size - 1) * 8) - (i * 8)); 2379 helper_ret_stb_mmu(env, addr + i, val8, oi, retaddr); 2380 } 2381 } else { 2382 for (i = 0; i < size; ++i) { 2383 /* Little-endian extract. */ 2384 uint8_t val8 = val >> (i * 8); 2385 helper_ret_stb_mmu(env, addr + i, val8, oi, retaddr); 2386 } 2387 } 2388 } 2389 2390 static inline void QEMU_ALWAYS_INLINE 2391 store_helper(CPUArchState *env, target_ulong addr, uint64_t val, 2392 TCGMemOpIdx oi, uintptr_t retaddr, MemOp op) 2393 { 2394 uintptr_t mmu_idx = get_mmuidx(oi); 2395 uintptr_t index = tlb_index(env, mmu_idx, addr); 2396 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr); 2397 target_ulong tlb_addr = tlb_addr_write(entry); 2398 const size_t tlb_off = offsetof(CPUTLBEntry, addr_write); 2399 unsigned a_bits = get_alignment_bits(get_memop(oi)); 2400 void *haddr; 2401 size_t size = memop_size(op); 2402 2403 /* Handle CPU specific unaligned behaviour */ 2404 if (addr & ((1 << a_bits) - 1)) { 2405 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE, 2406 mmu_idx, retaddr); 2407 } 2408 2409 /* If the TLB entry is for a different page, reload and try again. */ 2410 if (!tlb_hit(tlb_addr, addr)) { 2411 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off, 2412 addr & TARGET_PAGE_MASK)) { 2413 tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE, 2414 mmu_idx, retaddr); 2415 index = tlb_index(env, mmu_idx, addr); 2416 entry = tlb_entry(env, mmu_idx, addr); 2417 } 2418 tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK; 2419 } 2420 2421 /* Handle anything that isn't just a straight memory access. */ 2422 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) { 2423 CPUIOTLBEntry *iotlbentry; 2424 bool need_swap; 2425 2426 /* For anything that is unaligned, recurse through byte stores. */ 2427 if ((addr & (size - 1)) != 0) { 2428 goto do_unaligned_access; 2429 } 2430 2431 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index]; 2432 2433 /* Handle watchpoints. */ 2434 if (unlikely(tlb_addr & TLB_WATCHPOINT)) { 2435 /* On watchpoint hit, this will longjmp out. */ 2436 cpu_check_watchpoint(env_cpu(env), addr, size, 2437 iotlbentry->attrs, BP_MEM_WRITE, retaddr); 2438 } 2439 2440 need_swap = size > 1 && (tlb_addr & TLB_BSWAP); 2441 2442 /* Handle I/O access. */ 2443 if (tlb_addr & TLB_MMIO) { 2444 io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr, 2445 op ^ (need_swap * MO_BSWAP)); 2446 return; 2447 } 2448 2449 /* Ignore writes to ROM. */ 2450 if (unlikely(tlb_addr & TLB_DISCARD_WRITE)) { 2451 return; 2452 } 2453 2454 /* Handle clean RAM pages. */ 2455 if (tlb_addr & TLB_NOTDIRTY) { 2456 notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr); 2457 } 2458 2459 haddr = (void *)((uintptr_t)addr + entry->addend); 2460 2461 /* 2462 * Keep these two store_memop separate to ensure that the compiler 2463 * is able to fold the entire function to a single instruction. 2464 * There is a build-time assert inside to remind you of this. ;-) 2465 */ 2466 if (unlikely(need_swap)) { 2467 store_memop(haddr, val, op ^ MO_BSWAP); 2468 } else { 2469 store_memop(haddr, val, op); 2470 } 2471 return; 2472 } 2473 2474 /* Handle slow unaligned access (it spans two pages or IO). */ 2475 if (size > 1 2476 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1 2477 >= TARGET_PAGE_SIZE)) { 2478 do_unaligned_access: 2479 store_helper_unaligned(env, addr, val, retaddr, size, 2480 mmu_idx, memop_big_endian(op)); 2481 return; 2482 } 2483 2484 haddr = (void *)((uintptr_t)addr + entry->addend); 2485 store_memop(haddr, val, op); 2486 } 2487 2488 void __attribute__((noinline)) 2489 helper_ret_stb_mmu(CPUArchState *env, target_ulong addr, uint8_t val, 2490 TCGMemOpIdx oi, uintptr_t retaddr) 2491 { 2492 store_helper(env, addr, val, oi, retaddr, MO_UB); 2493 } 2494 2495 void helper_le_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val, 2496 TCGMemOpIdx oi, uintptr_t retaddr) 2497 { 2498 store_helper(env, addr, val, oi, retaddr, MO_LEUW); 2499 } 2500 2501 void helper_be_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val, 2502 TCGMemOpIdx oi, uintptr_t retaddr) 2503 { 2504 store_helper(env, addr, val, oi, retaddr, MO_BEUW); 2505 } 2506 2507 void helper_le_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val, 2508 TCGMemOpIdx oi, uintptr_t retaddr) 2509 { 2510 store_helper(env, addr, val, oi, retaddr, MO_LEUL); 2511 } 2512 2513 void helper_be_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val, 2514 TCGMemOpIdx oi, uintptr_t retaddr) 2515 { 2516 store_helper(env, addr, val, oi, retaddr, MO_BEUL); 2517 } 2518 2519 void helper_le_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val, 2520 TCGMemOpIdx oi, uintptr_t retaddr) 2521 { 2522 store_helper(env, addr, val, oi, retaddr, MO_LEQ); 2523 } 2524 2525 void helper_be_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val, 2526 TCGMemOpIdx oi, uintptr_t retaddr) 2527 { 2528 store_helper(env, addr, val, oi, retaddr, MO_BEQ); 2529 } 2530 2531 /* 2532 * Store Helpers for cpu_ldst.h 2533 */ 2534 2535 static inline void QEMU_ALWAYS_INLINE 2536 cpu_store_helper(CPUArchState *env, target_ulong addr, uint64_t val, 2537 int mmu_idx, uintptr_t retaddr, MemOp op) 2538 { 2539 TCGMemOpIdx oi; 2540 uint16_t meminfo; 2541 2542 meminfo = trace_mem_get_info(op, mmu_idx, true); 2543 trace_guest_mem_before_exec(env_cpu(env), addr, meminfo); 2544 2545 oi = make_memop_idx(op, mmu_idx); 2546 store_helper(env, addr, val, oi, retaddr, op); 2547 2548 qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, meminfo); 2549 } 2550 2551 void cpu_stb_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val, 2552 int mmu_idx, uintptr_t retaddr) 2553 { 2554 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_UB); 2555 } 2556 2557 void cpu_stw_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val, 2558 int mmu_idx, uintptr_t retaddr) 2559 { 2560 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUW); 2561 } 2562 2563 void cpu_stl_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val, 2564 int mmu_idx, uintptr_t retaddr) 2565 { 2566 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUL); 2567 } 2568 2569 void cpu_stq_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val, 2570 int mmu_idx, uintptr_t retaddr) 2571 { 2572 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEQ); 2573 } 2574 2575 void cpu_stw_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val, 2576 int mmu_idx, uintptr_t retaddr) 2577 { 2578 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUW); 2579 } 2580 2581 void cpu_stl_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val, 2582 int mmu_idx, uintptr_t retaddr) 2583 { 2584 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUL); 2585 } 2586 2587 void cpu_stq_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val, 2588 int mmu_idx, uintptr_t retaddr) 2589 { 2590 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEQ); 2591 } 2592 2593 void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr, 2594 uint32_t val, uintptr_t retaddr) 2595 { 2596 cpu_stb_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2597 } 2598 2599 void cpu_stw_be_data_ra(CPUArchState *env, target_ulong ptr, 2600 uint32_t val, uintptr_t retaddr) 2601 { 2602 cpu_stw_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2603 } 2604 2605 void cpu_stl_be_data_ra(CPUArchState *env, target_ulong ptr, 2606 uint32_t val, uintptr_t retaddr) 2607 { 2608 cpu_stl_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2609 } 2610 2611 void cpu_stq_be_data_ra(CPUArchState *env, target_ulong ptr, 2612 uint64_t val, uintptr_t retaddr) 2613 { 2614 cpu_stq_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2615 } 2616 2617 void cpu_stw_le_data_ra(CPUArchState *env, target_ulong ptr, 2618 uint32_t val, uintptr_t retaddr) 2619 { 2620 cpu_stw_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2621 } 2622 2623 void cpu_stl_le_data_ra(CPUArchState *env, target_ulong ptr, 2624 uint32_t val, uintptr_t retaddr) 2625 { 2626 cpu_stl_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2627 } 2628 2629 void cpu_stq_le_data_ra(CPUArchState *env, target_ulong ptr, 2630 uint64_t val, uintptr_t retaddr) 2631 { 2632 cpu_stq_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr); 2633 } 2634 2635 void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val) 2636 { 2637 cpu_stb_data_ra(env, ptr, val, 0); 2638 } 2639 2640 void cpu_stw_be_data(CPUArchState *env, target_ulong ptr, uint32_t val) 2641 { 2642 cpu_stw_be_data_ra(env, ptr, val, 0); 2643 } 2644 2645 void cpu_stl_be_data(CPUArchState *env, target_ulong ptr, uint32_t val) 2646 { 2647 cpu_stl_be_data_ra(env, ptr, val, 0); 2648 } 2649 2650 void cpu_stq_be_data(CPUArchState *env, target_ulong ptr, uint64_t val) 2651 { 2652 cpu_stq_be_data_ra(env, ptr, val, 0); 2653 } 2654 2655 void cpu_stw_le_data(CPUArchState *env, target_ulong ptr, uint32_t val) 2656 { 2657 cpu_stw_le_data_ra(env, ptr, val, 0); 2658 } 2659 2660 void cpu_stl_le_data(CPUArchState *env, target_ulong ptr, uint32_t val) 2661 { 2662 cpu_stl_le_data_ra(env, ptr, val, 0); 2663 } 2664 2665 void cpu_stq_le_data(CPUArchState *env, target_ulong ptr, uint64_t val) 2666 { 2667 cpu_stq_le_data_ra(env, ptr, val, 0); 2668 } 2669 2670 /* First set of helpers allows passing in of OI and RETADDR. This makes 2671 them callable from other helpers. */ 2672 2673 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr 2674 #define ATOMIC_NAME(X) \ 2675 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu)) 2676 #define ATOMIC_MMU_DECLS 2677 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr) 2678 #define ATOMIC_MMU_CLEANUP 2679 #define ATOMIC_MMU_IDX get_mmuidx(oi) 2680 2681 #include "atomic_common.c.inc" 2682 2683 #define DATA_SIZE 1 2684 #include "atomic_template.h" 2685 2686 #define DATA_SIZE 2 2687 #include "atomic_template.h" 2688 2689 #define DATA_SIZE 4 2690 #include "atomic_template.h" 2691 2692 #ifdef CONFIG_ATOMIC64 2693 #define DATA_SIZE 8 2694 #include "atomic_template.h" 2695 #endif 2696 2697 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128 2698 #define DATA_SIZE 16 2699 #include "atomic_template.h" 2700 #endif 2701 2702 /* Second set of helpers are directly callable from TCG as helpers. */ 2703 2704 #undef EXTRA_ARGS 2705 #undef ATOMIC_NAME 2706 #undef ATOMIC_MMU_LOOKUP 2707 #define EXTRA_ARGS , TCGMemOpIdx oi 2708 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END)) 2709 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC()) 2710 2711 #define DATA_SIZE 1 2712 #include "atomic_template.h" 2713 2714 #define DATA_SIZE 2 2715 #include "atomic_template.h" 2716 2717 #define DATA_SIZE 4 2718 #include "atomic_template.h" 2719 2720 #ifdef CONFIG_ATOMIC64 2721 #define DATA_SIZE 8 2722 #include "atomic_template.h" 2723 #endif 2724 #undef ATOMIC_MMU_IDX 2725 2726 /* Code access functions. */ 2727 2728 static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr, 2729 TCGMemOpIdx oi, uintptr_t retaddr) 2730 { 2731 return load_helper(env, addr, oi, retaddr, MO_8, true, full_ldub_code); 2732 } 2733 2734 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr) 2735 { 2736 TCGMemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(env, true)); 2737 return full_ldub_code(env, addr, oi, 0); 2738 } 2739 2740 static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr, 2741 TCGMemOpIdx oi, uintptr_t retaddr) 2742 { 2743 return load_helper(env, addr, oi, retaddr, MO_TEUW, true, full_lduw_code); 2744 } 2745 2746 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr) 2747 { 2748 TCGMemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(env, true)); 2749 return full_lduw_code(env, addr, oi, 0); 2750 } 2751 2752 static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr, 2753 TCGMemOpIdx oi, uintptr_t retaddr) 2754 { 2755 return load_helper(env, addr, oi, retaddr, MO_TEUL, true, full_ldl_code); 2756 } 2757 2758 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr) 2759 { 2760 TCGMemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(env, true)); 2761 return full_ldl_code(env, addr, oi, 0); 2762 } 2763 2764 static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr, 2765 TCGMemOpIdx oi, uintptr_t retaddr) 2766 { 2767 return load_helper(env, addr, oi, retaddr, MO_TEQ, true, full_ldq_code); 2768 } 2769 2770 uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr) 2771 { 2772 TCGMemOpIdx oi = make_memop_idx(MO_TEQ, cpu_mmu_index(env, true)); 2773 return full_ldq_code(env, addr, oi, 0); 2774 } 2775