1 /* 2 * Host code generation 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 #ifdef _WIN32 20 #include <windows.h> 21 #endif 22 #include "qemu/osdep.h" 23 24 25 #include "qemu-common.h" 26 #define NO_CPU_IO_DEFS 27 #include "cpu.h" 28 #include "trace.h" 29 #include "disas/disas.h" 30 #include "exec/exec-all.h" 31 #include "tcg.h" 32 #if defined(CONFIG_USER_ONLY) 33 #include "qemu.h" 34 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) 35 #include <sys/param.h> 36 #if __FreeBSD_version >= 700104 37 #define HAVE_KINFO_GETVMMAP 38 #define sigqueue sigqueue_freebsd /* avoid redefinition */ 39 #include <sys/proc.h> 40 #include <machine/profile.h> 41 #define _KERNEL 42 #include <sys/user.h> 43 #undef _KERNEL 44 #undef sigqueue 45 #include <libutil.h> 46 #endif 47 #endif 48 #else 49 #include "exec/address-spaces.h" 50 #endif 51 52 #include "exec/cputlb.h" 53 #include "exec/tb-hash.h" 54 #include "translate-all.h" 55 #include "qemu/bitmap.h" 56 #include "qemu/error-report.h" 57 #include "qemu/timer.h" 58 #include "qemu/main-loop.h" 59 #include "exec/log.h" 60 #include "sysemu/cpus.h" 61 62 /* #define DEBUG_TB_INVALIDATE */ 63 /* #define DEBUG_TB_FLUSH */ 64 /* make various TB consistency checks */ 65 /* #define DEBUG_TB_CHECK */ 66 67 #ifdef DEBUG_TB_INVALIDATE 68 #define DEBUG_TB_INVALIDATE_GATE 1 69 #else 70 #define DEBUG_TB_INVALIDATE_GATE 0 71 #endif 72 73 #ifdef DEBUG_TB_FLUSH 74 #define DEBUG_TB_FLUSH_GATE 1 75 #else 76 #define DEBUG_TB_FLUSH_GATE 0 77 #endif 78 79 #if !defined(CONFIG_USER_ONLY) 80 /* TB consistency checks only implemented for usermode emulation. */ 81 #undef DEBUG_TB_CHECK 82 #endif 83 84 #ifdef DEBUG_TB_CHECK 85 #define DEBUG_TB_CHECK_GATE 1 86 #else 87 #define DEBUG_TB_CHECK_GATE 0 88 #endif 89 90 /* Access to the various translations structures need to be serialised via locks 91 * for consistency. This is automatic for SoftMMU based system 92 * emulation due to its single threaded nature. In user-mode emulation 93 * access to the memory related structures are protected with the 94 * mmap_lock. 95 */ 96 #ifdef CONFIG_SOFTMMU 97 #define assert_memory_lock() tcg_debug_assert(have_tb_lock) 98 #else 99 #define assert_memory_lock() tcg_debug_assert(have_mmap_lock()) 100 #endif 101 102 #define SMC_BITMAP_USE_THRESHOLD 10 103 104 typedef struct PageDesc { 105 /* list of TBs intersecting this ram page */ 106 uintptr_t first_tb; 107 #ifdef CONFIG_SOFTMMU 108 /* in order to optimize self modifying code, we count the number 109 of lookups we do to a given page to use a bitmap */ 110 unsigned long *code_bitmap; 111 unsigned int code_write_count; 112 #else 113 unsigned long flags; 114 #endif 115 #ifndef CONFIG_USER_ONLY 116 QemuSpin lock; 117 #endif 118 } PageDesc; 119 120 /** 121 * struct page_entry - page descriptor entry 122 * @pd: pointer to the &struct PageDesc of the page this entry represents 123 * @index: page index of the page 124 * @locked: whether the page is locked 125 * 126 * This struct helps us keep track of the locked state of a page, without 127 * bloating &struct PageDesc. 128 * 129 * A page lock protects accesses to all fields of &struct PageDesc. 130 * 131 * See also: &struct page_collection. 132 */ 133 struct page_entry { 134 PageDesc *pd; 135 tb_page_addr_t index; 136 bool locked; 137 }; 138 139 /** 140 * struct page_collection - tracks a set of pages (i.e. &struct page_entry's) 141 * @tree: Binary search tree (BST) of the pages, with key == page index 142 * @max: Pointer to the page in @tree with the highest page index 143 * 144 * To avoid deadlock we lock pages in ascending order of page index. 145 * When operating on a set of pages, we need to keep track of them so that 146 * we can lock them in order and also unlock them later. For this we collect 147 * pages (i.e. &struct page_entry's) in a binary search @tree. Given that the 148 * @tree implementation we use does not provide an O(1) operation to obtain the 149 * highest-ranked element, we use @max to keep track of the inserted page 150 * with the highest index. This is valuable because if a page is not in 151 * the tree and its index is higher than @max's, then we can lock it 152 * without breaking the locking order rule. 153 * 154 * Note on naming: 'struct page_set' would be shorter, but we already have a few 155 * page_set_*() helpers, so page_collection is used instead to avoid confusion. 156 * 157 * See also: page_collection_lock(). 158 */ 159 struct page_collection { 160 GTree *tree; 161 struct page_entry *max; 162 }; 163 164 /* list iterators for lists of tagged pointers in TranslationBlock */ 165 #define TB_FOR_EACH_TAGGED(head, tb, n, field) \ 166 for (n = (head) & 1, tb = (TranslationBlock *)((head) & ~1); \ 167 tb; tb = (TranslationBlock *)tb->field[n], n = (uintptr_t)tb & 1, \ 168 tb = (TranslationBlock *)((uintptr_t)tb & ~1)) 169 170 #define PAGE_FOR_EACH_TB(pagedesc, tb, n) \ 171 TB_FOR_EACH_TAGGED((pagedesc)->first_tb, tb, n, page_next) 172 173 #define TB_FOR_EACH_JMP(head_tb, tb, n) \ 174 TB_FOR_EACH_TAGGED((head_tb)->jmp_list_head, tb, n, jmp_list_next) 175 176 /* In system mode we want L1_MAP to be based on ram offsets, 177 while in user mode we want it to be based on virtual addresses. */ 178 #if !defined(CONFIG_USER_ONLY) 179 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS 180 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS 181 #else 182 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS 183 #endif 184 #else 185 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS 186 #endif 187 188 /* Size of the L2 (and L3, etc) page tables. */ 189 #define V_L2_BITS 10 190 #define V_L2_SIZE (1 << V_L2_BITS) 191 192 /* Make sure all possible CPU event bits fit in tb->trace_vcpu_dstate */ 193 QEMU_BUILD_BUG_ON(CPU_TRACE_DSTATE_MAX_EVENTS > 194 sizeof(((TranslationBlock *)0)->trace_vcpu_dstate) 195 * BITS_PER_BYTE); 196 197 /* 198 * L1 Mapping properties 199 */ 200 static int v_l1_size; 201 static int v_l1_shift; 202 static int v_l2_levels; 203 204 /* The bottom level has pointers to PageDesc, and is indexed by 205 * anything from 4 to (V_L2_BITS + 3) bits, depending on target page size. 206 */ 207 #define V_L1_MIN_BITS 4 208 #define V_L1_MAX_BITS (V_L2_BITS + 3) 209 #define V_L1_MAX_SIZE (1 << V_L1_MAX_BITS) 210 211 static void *l1_map[V_L1_MAX_SIZE]; 212 213 /* code generation context */ 214 TCGContext tcg_init_ctx; 215 __thread TCGContext *tcg_ctx; 216 TBContext tb_ctx; 217 bool parallel_cpus; 218 219 /* translation block context */ 220 static __thread int have_tb_lock; 221 222 static void page_table_config_init(void) 223 { 224 uint32_t v_l1_bits; 225 226 assert(TARGET_PAGE_BITS); 227 /* The bits remaining after N lower levels of page tables. */ 228 v_l1_bits = (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS; 229 if (v_l1_bits < V_L1_MIN_BITS) { 230 v_l1_bits += V_L2_BITS; 231 } 232 233 v_l1_size = 1 << v_l1_bits; 234 v_l1_shift = L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - v_l1_bits; 235 v_l2_levels = v_l1_shift / V_L2_BITS - 1; 236 237 assert(v_l1_bits <= V_L1_MAX_BITS); 238 assert(v_l1_shift % V_L2_BITS == 0); 239 assert(v_l2_levels >= 0); 240 } 241 242 #define assert_tb_locked() tcg_debug_assert(have_tb_lock) 243 #define assert_tb_unlocked() tcg_debug_assert(!have_tb_lock) 244 245 void tb_lock(void) 246 { 247 assert_tb_unlocked(); 248 qemu_mutex_lock(&tb_ctx.tb_lock); 249 have_tb_lock++; 250 } 251 252 void tb_unlock(void) 253 { 254 assert_tb_locked(); 255 have_tb_lock--; 256 qemu_mutex_unlock(&tb_ctx.tb_lock); 257 } 258 259 void tb_lock_reset(void) 260 { 261 if (have_tb_lock) { 262 qemu_mutex_unlock(&tb_ctx.tb_lock); 263 have_tb_lock = 0; 264 } 265 } 266 267 void cpu_gen_init(void) 268 { 269 tcg_context_init(&tcg_init_ctx); 270 } 271 272 /* Encode VAL as a signed leb128 sequence at P. 273 Return P incremented past the encoded value. */ 274 static uint8_t *encode_sleb128(uint8_t *p, target_long val) 275 { 276 int more, byte; 277 278 do { 279 byte = val & 0x7f; 280 val >>= 7; 281 more = !((val == 0 && (byte & 0x40) == 0) 282 || (val == -1 && (byte & 0x40) != 0)); 283 if (more) { 284 byte |= 0x80; 285 } 286 *p++ = byte; 287 } while (more); 288 289 return p; 290 } 291 292 /* Decode a signed leb128 sequence at *PP; increment *PP past the 293 decoded value. Return the decoded value. */ 294 static target_long decode_sleb128(uint8_t **pp) 295 { 296 uint8_t *p = *pp; 297 target_long val = 0; 298 int byte, shift = 0; 299 300 do { 301 byte = *p++; 302 val |= (target_ulong)(byte & 0x7f) << shift; 303 shift += 7; 304 } while (byte & 0x80); 305 if (shift < TARGET_LONG_BITS && (byte & 0x40)) { 306 val |= -(target_ulong)1 << shift; 307 } 308 309 *pp = p; 310 return val; 311 } 312 313 /* Encode the data collected about the instructions while compiling TB. 314 Place the data at BLOCK, and return the number of bytes consumed. 315 316 The logical table consists of TARGET_INSN_START_WORDS target_ulong's, 317 which come from the target's insn_start data, followed by a uintptr_t 318 which comes from the host pc of the end of the code implementing the insn. 319 320 Each line of the table is encoded as sleb128 deltas from the previous 321 line. The seed for the first line is { tb->pc, 0..., tb->tc.ptr }. 322 That is, the first column is seeded with the guest pc, the last column 323 with the host pc, and the middle columns with zeros. */ 324 325 static int encode_search(TranslationBlock *tb, uint8_t *block) 326 { 327 uint8_t *highwater = tcg_ctx->code_gen_highwater; 328 uint8_t *p = block; 329 int i, j, n; 330 331 for (i = 0, n = tb->icount; i < n; ++i) { 332 target_ulong prev; 333 334 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 335 if (i == 0) { 336 prev = (j == 0 ? tb->pc : 0); 337 } else { 338 prev = tcg_ctx->gen_insn_data[i - 1][j]; 339 } 340 p = encode_sleb128(p, tcg_ctx->gen_insn_data[i][j] - prev); 341 } 342 prev = (i == 0 ? 0 : tcg_ctx->gen_insn_end_off[i - 1]); 343 p = encode_sleb128(p, tcg_ctx->gen_insn_end_off[i] - prev); 344 345 /* Test for (pending) buffer overflow. The assumption is that any 346 one row beginning below the high water mark cannot overrun 347 the buffer completely. Thus we can test for overflow after 348 encoding a row without having to check during encoding. */ 349 if (unlikely(p > highwater)) { 350 return -1; 351 } 352 } 353 354 return p - block; 355 } 356 357 /* The cpu state corresponding to 'searched_pc' is restored. 358 * Called with tb_lock held. 359 * When reset_icount is true, current TB will be interrupted and 360 * icount should be recalculated. 361 */ 362 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb, 363 uintptr_t searched_pc, bool reset_icount) 364 { 365 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc }; 366 uintptr_t host_pc = (uintptr_t)tb->tc.ptr; 367 CPUArchState *env = cpu->env_ptr; 368 uint8_t *p = tb->tc.ptr + tb->tc.size; 369 int i, j, num_insns = tb->icount; 370 #ifdef CONFIG_PROFILER 371 TCGProfile *prof = &tcg_ctx->prof; 372 int64_t ti = profile_getclock(); 373 #endif 374 375 searched_pc -= GETPC_ADJ; 376 377 if (searched_pc < host_pc) { 378 return -1; 379 } 380 381 /* Reconstruct the stored insn data while looking for the point at 382 which the end of the insn exceeds the searched_pc. */ 383 for (i = 0; i < num_insns; ++i) { 384 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 385 data[j] += decode_sleb128(&p); 386 } 387 host_pc += decode_sleb128(&p); 388 if (host_pc > searched_pc) { 389 goto found; 390 } 391 } 392 return -1; 393 394 found: 395 if (reset_icount && (tb_cflags(tb) & CF_USE_ICOUNT)) { 396 assert(use_icount); 397 /* Reset the cycle counter to the start of the block 398 and shift if to the number of actually executed instructions */ 399 cpu->icount_decr.u16.low += num_insns - i; 400 } 401 restore_state_to_opc(env, tb, data); 402 403 #ifdef CONFIG_PROFILER 404 atomic_set(&prof->restore_time, 405 prof->restore_time + profile_getclock() - ti); 406 atomic_set(&prof->restore_count, prof->restore_count + 1); 407 #endif 408 return 0; 409 } 410 411 bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc, bool will_exit) 412 { 413 TranslationBlock *tb; 414 bool r = false; 415 uintptr_t check_offset; 416 417 /* The host_pc has to be in the region of current code buffer. If 418 * it is not we will not be able to resolve it here. The two cases 419 * where host_pc will not be correct are: 420 * 421 * - fault during translation (instruction fetch) 422 * - fault from helper (not using GETPC() macro) 423 * 424 * Either way we need return early to avoid blowing up on a 425 * recursive tb_lock() as we can't resolve it here. 426 * 427 * We are using unsigned arithmetic so if host_pc < 428 * tcg_init_ctx.code_gen_buffer check_offset will wrap to way 429 * above the code_gen_buffer_size 430 */ 431 check_offset = host_pc - (uintptr_t) tcg_init_ctx.code_gen_buffer; 432 433 if (check_offset < tcg_init_ctx.code_gen_buffer_size) { 434 tb_lock(); 435 tb = tcg_tb_lookup(host_pc); 436 if (tb) { 437 cpu_restore_state_from_tb(cpu, tb, host_pc, will_exit); 438 if (tb_cflags(tb) & CF_NOCACHE) { 439 /* one-shot translation, invalidate it immediately */ 440 tb_phys_invalidate(tb, -1); 441 tcg_tb_remove(tb); 442 } 443 r = true; 444 } 445 tb_unlock(); 446 } 447 448 return r; 449 } 450 451 static void page_init(void) 452 { 453 page_size_init(); 454 page_table_config_init(); 455 456 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY) 457 { 458 #ifdef HAVE_KINFO_GETVMMAP 459 struct kinfo_vmentry *freep; 460 int i, cnt; 461 462 freep = kinfo_getvmmap(getpid(), &cnt); 463 if (freep) { 464 mmap_lock(); 465 for (i = 0; i < cnt; i++) { 466 unsigned long startaddr, endaddr; 467 468 startaddr = freep[i].kve_start; 469 endaddr = freep[i].kve_end; 470 if (h2g_valid(startaddr)) { 471 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 472 473 if (h2g_valid(endaddr)) { 474 endaddr = h2g(endaddr); 475 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 476 } else { 477 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS 478 endaddr = ~0ul; 479 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 480 #endif 481 } 482 } 483 } 484 free(freep); 485 mmap_unlock(); 486 } 487 #else 488 FILE *f; 489 490 last_brk = (unsigned long)sbrk(0); 491 492 f = fopen("/compat/linux/proc/self/maps", "r"); 493 if (f) { 494 mmap_lock(); 495 496 do { 497 unsigned long startaddr, endaddr; 498 int n; 499 500 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr); 501 502 if (n == 2 && h2g_valid(startaddr)) { 503 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 504 505 if (h2g_valid(endaddr)) { 506 endaddr = h2g(endaddr); 507 } else { 508 endaddr = ~0ul; 509 } 510 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 511 } 512 } while (!feof(f)); 513 514 fclose(f); 515 mmap_unlock(); 516 } 517 #endif 518 } 519 #endif 520 } 521 522 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc) 523 { 524 PageDesc *pd; 525 void **lp; 526 int i; 527 528 /* Level 1. Always allocated. */ 529 lp = l1_map + ((index >> v_l1_shift) & (v_l1_size - 1)); 530 531 /* Level 2..N-1. */ 532 for (i = v_l2_levels; i > 0; i--) { 533 void **p = atomic_rcu_read(lp); 534 535 if (p == NULL) { 536 void *existing; 537 538 if (!alloc) { 539 return NULL; 540 } 541 p = g_new0(void *, V_L2_SIZE); 542 existing = atomic_cmpxchg(lp, NULL, p); 543 if (unlikely(existing)) { 544 g_free(p); 545 p = existing; 546 } 547 } 548 549 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1)); 550 } 551 552 pd = atomic_rcu_read(lp); 553 if (pd == NULL) { 554 void *existing; 555 556 if (!alloc) { 557 return NULL; 558 } 559 pd = g_new0(PageDesc, V_L2_SIZE); 560 #ifndef CONFIG_USER_ONLY 561 { 562 int i; 563 564 for (i = 0; i < V_L2_SIZE; i++) { 565 qemu_spin_init(&pd[i].lock); 566 } 567 } 568 #endif 569 existing = atomic_cmpxchg(lp, NULL, pd); 570 if (unlikely(existing)) { 571 g_free(pd); 572 pd = existing; 573 } 574 } 575 576 return pd + (index & (V_L2_SIZE - 1)); 577 } 578 579 static inline PageDesc *page_find(tb_page_addr_t index) 580 { 581 return page_find_alloc(index, 0); 582 } 583 584 static void page_lock_pair(PageDesc **ret_p1, tb_page_addr_t phys1, 585 PageDesc **ret_p2, tb_page_addr_t phys2, int alloc); 586 587 /* In user-mode page locks aren't used; mmap_lock is enough */ 588 #ifdef CONFIG_USER_ONLY 589 590 #define assert_page_locked(pd) tcg_debug_assert(have_mmap_lock()) 591 592 static inline void page_lock(PageDesc *pd) 593 { } 594 595 static inline void page_unlock(PageDesc *pd) 596 { } 597 598 static inline void page_lock_tb(const TranslationBlock *tb) 599 { } 600 601 static inline void page_unlock_tb(const TranslationBlock *tb) 602 { } 603 604 struct page_collection * 605 page_collection_lock(tb_page_addr_t start, tb_page_addr_t end) 606 { 607 return NULL; 608 } 609 610 void page_collection_unlock(struct page_collection *set) 611 { } 612 #else /* !CONFIG_USER_ONLY */ 613 614 #ifdef CONFIG_DEBUG_TCG 615 616 static __thread GHashTable *ht_pages_locked_debug; 617 618 static void ht_pages_locked_debug_init(void) 619 { 620 if (ht_pages_locked_debug) { 621 return; 622 } 623 ht_pages_locked_debug = g_hash_table_new(NULL, NULL); 624 } 625 626 static bool page_is_locked(const PageDesc *pd) 627 { 628 PageDesc *found; 629 630 ht_pages_locked_debug_init(); 631 found = g_hash_table_lookup(ht_pages_locked_debug, pd); 632 return !!found; 633 } 634 635 static void page_lock__debug(PageDesc *pd) 636 { 637 ht_pages_locked_debug_init(); 638 g_assert(!page_is_locked(pd)); 639 g_hash_table_insert(ht_pages_locked_debug, pd, pd); 640 } 641 642 static void page_unlock__debug(const PageDesc *pd) 643 { 644 bool removed; 645 646 ht_pages_locked_debug_init(); 647 g_assert(page_is_locked(pd)); 648 removed = g_hash_table_remove(ht_pages_locked_debug, pd); 649 g_assert(removed); 650 } 651 652 static void 653 do_assert_page_locked(const PageDesc *pd, const char *file, int line) 654 { 655 if (unlikely(!page_is_locked(pd))) { 656 error_report("assert_page_lock: PageDesc %p not locked @ %s:%d", 657 pd, file, line); 658 abort(); 659 } 660 } 661 662 #define assert_page_locked(pd) do_assert_page_locked(pd, __FILE__, __LINE__) 663 664 void assert_no_pages_locked(void) 665 { 666 ht_pages_locked_debug_init(); 667 g_assert(g_hash_table_size(ht_pages_locked_debug) == 0); 668 } 669 670 #else /* !CONFIG_DEBUG_TCG */ 671 672 #define assert_page_locked(pd) 673 674 static inline void page_lock__debug(const PageDesc *pd) 675 { 676 } 677 678 static inline void page_unlock__debug(const PageDesc *pd) 679 { 680 } 681 682 #endif /* CONFIG_DEBUG_TCG */ 683 684 static inline void page_lock(PageDesc *pd) 685 { 686 page_lock__debug(pd); 687 qemu_spin_lock(&pd->lock); 688 } 689 690 static inline void page_unlock(PageDesc *pd) 691 { 692 qemu_spin_unlock(&pd->lock); 693 page_unlock__debug(pd); 694 } 695 696 /* lock the page(s) of a TB in the correct acquisition order */ 697 static inline void page_lock_tb(const TranslationBlock *tb) 698 { 699 page_lock_pair(NULL, tb->page_addr[0], NULL, tb->page_addr[1], 0); 700 } 701 702 static inline void page_unlock_tb(const TranslationBlock *tb) 703 { 704 page_unlock(page_find(tb->page_addr[0] >> TARGET_PAGE_BITS)); 705 if (unlikely(tb->page_addr[1] != -1)) { 706 page_unlock(page_find(tb->page_addr[1] >> TARGET_PAGE_BITS)); 707 } 708 } 709 710 static inline struct page_entry * 711 page_entry_new(PageDesc *pd, tb_page_addr_t index) 712 { 713 struct page_entry *pe = g_malloc(sizeof(*pe)); 714 715 pe->index = index; 716 pe->pd = pd; 717 pe->locked = false; 718 return pe; 719 } 720 721 static void page_entry_destroy(gpointer p) 722 { 723 struct page_entry *pe = p; 724 725 g_assert(pe->locked); 726 page_unlock(pe->pd); 727 g_free(pe); 728 } 729 730 /* returns false on success */ 731 static bool page_entry_trylock(struct page_entry *pe) 732 { 733 bool busy; 734 735 busy = qemu_spin_trylock(&pe->pd->lock); 736 if (!busy) { 737 g_assert(!pe->locked); 738 pe->locked = true; 739 page_lock__debug(pe->pd); 740 } 741 return busy; 742 } 743 744 static void do_page_entry_lock(struct page_entry *pe) 745 { 746 page_lock(pe->pd); 747 g_assert(!pe->locked); 748 pe->locked = true; 749 } 750 751 static gboolean page_entry_lock(gpointer key, gpointer value, gpointer data) 752 { 753 struct page_entry *pe = value; 754 755 do_page_entry_lock(pe); 756 return FALSE; 757 } 758 759 static gboolean page_entry_unlock(gpointer key, gpointer value, gpointer data) 760 { 761 struct page_entry *pe = value; 762 763 if (pe->locked) { 764 pe->locked = false; 765 page_unlock(pe->pd); 766 } 767 return FALSE; 768 } 769 770 /* 771 * Trylock a page, and if successful, add the page to a collection. 772 * Returns true ("busy") if the page could not be locked; false otherwise. 773 */ 774 static bool page_trylock_add(struct page_collection *set, tb_page_addr_t addr) 775 { 776 tb_page_addr_t index = addr >> TARGET_PAGE_BITS; 777 struct page_entry *pe; 778 PageDesc *pd; 779 780 pe = g_tree_lookup(set->tree, &index); 781 if (pe) { 782 return false; 783 } 784 785 pd = page_find(index); 786 if (pd == NULL) { 787 return false; 788 } 789 790 pe = page_entry_new(pd, index); 791 g_tree_insert(set->tree, &pe->index, pe); 792 793 /* 794 * If this is either (1) the first insertion or (2) a page whose index 795 * is higher than any other so far, just lock the page and move on. 796 */ 797 if (set->max == NULL || pe->index > set->max->index) { 798 set->max = pe; 799 do_page_entry_lock(pe); 800 return false; 801 } 802 /* 803 * Try to acquire out-of-order lock; if busy, return busy so that we acquire 804 * locks in order. 805 */ 806 return page_entry_trylock(pe); 807 } 808 809 static gint tb_page_addr_cmp(gconstpointer ap, gconstpointer bp, gpointer udata) 810 { 811 tb_page_addr_t a = *(const tb_page_addr_t *)ap; 812 tb_page_addr_t b = *(const tb_page_addr_t *)bp; 813 814 if (a == b) { 815 return 0; 816 } else if (a < b) { 817 return -1; 818 } 819 return 1; 820 } 821 822 /* 823 * Lock a range of pages ([@start,@end[) as well as the pages of all 824 * intersecting TBs. 825 * Locking order: acquire locks in ascending order of page index. 826 */ 827 struct page_collection * 828 page_collection_lock(tb_page_addr_t start, tb_page_addr_t end) 829 { 830 struct page_collection *set = g_malloc(sizeof(*set)); 831 tb_page_addr_t index; 832 PageDesc *pd; 833 834 start >>= TARGET_PAGE_BITS; 835 end >>= TARGET_PAGE_BITS; 836 g_assert(start <= end); 837 838 set->tree = g_tree_new_full(tb_page_addr_cmp, NULL, NULL, 839 page_entry_destroy); 840 set->max = NULL; 841 assert_no_pages_locked(); 842 843 retry: 844 g_tree_foreach(set->tree, page_entry_lock, NULL); 845 846 for (index = start; index <= end; index++) { 847 TranslationBlock *tb; 848 int n; 849 850 pd = page_find(index); 851 if (pd == NULL) { 852 continue; 853 } 854 if (page_trylock_add(set, index << TARGET_PAGE_BITS)) { 855 g_tree_foreach(set->tree, page_entry_unlock, NULL); 856 goto retry; 857 } 858 assert_page_locked(pd); 859 PAGE_FOR_EACH_TB(pd, tb, n) { 860 if (page_trylock_add(set, tb->page_addr[0]) || 861 (tb->page_addr[1] != -1 && 862 page_trylock_add(set, tb->page_addr[1]))) { 863 /* drop all locks, and reacquire in order */ 864 g_tree_foreach(set->tree, page_entry_unlock, NULL); 865 goto retry; 866 } 867 } 868 } 869 return set; 870 } 871 872 void page_collection_unlock(struct page_collection *set) 873 { 874 /* entries are unlocked and freed via page_entry_destroy */ 875 g_tree_destroy(set->tree); 876 g_free(set); 877 } 878 879 #endif /* !CONFIG_USER_ONLY */ 880 881 static void page_lock_pair(PageDesc **ret_p1, tb_page_addr_t phys1, 882 PageDesc **ret_p2, tb_page_addr_t phys2, int alloc) 883 { 884 PageDesc *p1, *p2; 885 886 assert_memory_lock(); 887 g_assert(phys1 != -1 && phys1 != phys2); 888 p1 = page_find_alloc(phys1 >> TARGET_PAGE_BITS, alloc); 889 if (ret_p1) { 890 *ret_p1 = p1; 891 } 892 if (likely(phys2 == -1)) { 893 page_lock(p1); 894 return; 895 } 896 p2 = page_find_alloc(phys2 >> TARGET_PAGE_BITS, alloc); 897 if (ret_p2) { 898 *ret_p2 = p2; 899 } 900 if (phys1 < phys2) { 901 page_lock(p1); 902 page_lock(p2); 903 } else { 904 page_lock(p2); 905 page_lock(p1); 906 } 907 } 908 909 #if defined(CONFIG_USER_ONLY) 910 /* Currently it is not recommended to allocate big chunks of data in 911 user mode. It will change when a dedicated libc will be used. */ 912 /* ??? 64-bit hosts ought to have no problem mmaping data outside the 913 region in which the guest needs to run. Revisit this. */ 914 #define USE_STATIC_CODE_GEN_BUFFER 915 #endif 916 917 /* Minimum size of the code gen buffer. This number is randomly chosen, 918 but not so small that we can't have a fair number of TB's live. */ 919 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024) 920 921 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise 922 indicated, this is constrained by the range of direct branches on the 923 host cpu, as used by the TCG implementation of goto_tb. */ 924 #if defined(__x86_64__) 925 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 926 #elif defined(__sparc__) 927 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 928 #elif defined(__powerpc64__) 929 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 930 #elif defined(__powerpc__) 931 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024) 932 #elif defined(__aarch64__) 933 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 934 #elif defined(__s390x__) 935 /* We have a +- 4GB range on the branches; leave some slop. */ 936 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024) 937 #elif defined(__mips__) 938 /* We have a 256MB branch region, but leave room to make sure the 939 main executable is also within that region. */ 940 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024) 941 #else 942 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1) 943 #endif 944 945 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024) 946 947 #define DEFAULT_CODE_GEN_BUFFER_SIZE \ 948 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \ 949 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE) 950 951 static inline size_t size_code_gen_buffer(size_t tb_size) 952 { 953 /* Size the buffer. */ 954 if (tb_size == 0) { 955 #ifdef USE_STATIC_CODE_GEN_BUFFER 956 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE; 957 #else 958 /* ??? Needs adjustments. */ 959 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the 960 static buffer, we could size this on RESERVED_VA, on the text 961 segment size of the executable, or continue to use the default. */ 962 tb_size = (unsigned long)(ram_size / 4); 963 #endif 964 } 965 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) { 966 tb_size = MIN_CODE_GEN_BUFFER_SIZE; 967 } 968 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) { 969 tb_size = MAX_CODE_GEN_BUFFER_SIZE; 970 } 971 return tb_size; 972 } 973 974 #ifdef __mips__ 975 /* In order to use J and JAL within the code_gen_buffer, we require 976 that the buffer not cross a 256MB boundary. */ 977 static inline bool cross_256mb(void *addr, size_t size) 978 { 979 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful; 980 } 981 982 /* We weren't able to allocate a buffer without crossing that boundary, 983 so make do with the larger portion of the buffer that doesn't cross. 984 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */ 985 static inline void *split_cross_256mb(void *buf1, size_t size1) 986 { 987 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful); 988 size_t size2 = buf1 + size1 - buf2; 989 990 size1 = buf2 - buf1; 991 if (size1 < size2) { 992 size1 = size2; 993 buf1 = buf2; 994 } 995 996 tcg_ctx->code_gen_buffer_size = size1; 997 return buf1; 998 } 999 #endif 1000 1001 #ifdef USE_STATIC_CODE_GEN_BUFFER 1002 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE] 1003 __attribute__((aligned(CODE_GEN_ALIGN))); 1004 1005 static inline void *alloc_code_gen_buffer(void) 1006 { 1007 void *buf = static_code_gen_buffer; 1008 void *end = static_code_gen_buffer + sizeof(static_code_gen_buffer); 1009 size_t size; 1010 1011 /* page-align the beginning and end of the buffer */ 1012 buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size); 1013 end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size); 1014 1015 size = end - buf; 1016 1017 /* Honor a command-line option limiting the size of the buffer. */ 1018 if (size > tcg_ctx->code_gen_buffer_size) { 1019 size = QEMU_ALIGN_DOWN(tcg_ctx->code_gen_buffer_size, 1020 qemu_real_host_page_size); 1021 } 1022 tcg_ctx->code_gen_buffer_size = size; 1023 1024 #ifdef __mips__ 1025 if (cross_256mb(buf, size)) { 1026 buf = split_cross_256mb(buf, size); 1027 size = tcg_ctx->code_gen_buffer_size; 1028 } 1029 #endif 1030 1031 if (qemu_mprotect_rwx(buf, size)) { 1032 abort(); 1033 } 1034 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 1035 1036 return buf; 1037 } 1038 #elif defined(_WIN32) 1039 static inline void *alloc_code_gen_buffer(void) 1040 { 1041 size_t size = tcg_ctx->code_gen_buffer_size; 1042 return VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT, 1043 PAGE_EXECUTE_READWRITE); 1044 } 1045 #else 1046 static inline void *alloc_code_gen_buffer(void) 1047 { 1048 int prot = PROT_WRITE | PROT_READ | PROT_EXEC; 1049 int flags = MAP_PRIVATE | MAP_ANONYMOUS; 1050 uintptr_t start = 0; 1051 size_t size = tcg_ctx->code_gen_buffer_size; 1052 void *buf; 1053 1054 /* Constrain the position of the buffer based on the host cpu. 1055 Note that these addresses are chosen in concert with the 1056 addresses assigned in the relevant linker script file. */ 1057 # if defined(__PIE__) || defined(__PIC__) 1058 /* Don't bother setting a preferred location if we're building 1059 a position-independent executable. We're more likely to get 1060 an address near the main executable if we let the kernel 1061 choose the address. */ 1062 # elif defined(__x86_64__) && defined(MAP_32BIT) 1063 /* Force the memory down into low memory with the executable. 1064 Leave the choice of exact location with the kernel. */ 1065 flags |= MAP_32BIT; 1066 /* Cannot expect to map more than 800MB in low memory. */ 1067 if (size > 800u * 1024 * 1024) { 1068 tcg_ctx->code_gen_buffer_size = size = 800u * 1024 * 1024; 1069 } 1070 # elif defined(__sparc__) 1071 start = 0x40000000ul; 1072 # elif defined(__s390x__) 1073 start = 0x90000000ul; 1074 # elif defined(__mips__) 1075 # if _MIPS_SIM == _ABI64 1076 start = 0x128000000ul; 1077 # else 1078 start = 0x08000000ul; 1079 # endif 1080 # endif 1081 1082 buf = mmap((void *)start, size, prot, flags, -1, 0); 1083 if (buf == MAP_FAILED) { 1084 return NULL; 1085 } 1086 1087 #ifdef __mips__ 1088 if (cross_256mb(buf, size)) { 1089 /* Try again, with the original still mapped, to avoid re-acquiring 1090 that 256mb crossing. This time don't specify an address. */ 1091 size_t size2; 1092 void *buf2 = mmap(NULL, size, prot, flags, -1, 0); 1093 switch ((int)(buf2 != MAP_FAILED)) { 1094 case 1: 1095 if (!cross_256mb(buf2, size)) { 1096 /* Success! Use the new buffer. */ 1097 munmap(buf, size); 1098 break; 1099 } 1100 /* Failure. Work with what we had. */ 1101 munmap(buf2, size); 1102 /* fallthru */ 1103 default: 1104 /* Split the original buffer. Free the smaller half. */ 1105 buf2 = split_cross_256mb(buf, size); 1106 size2 = tcg_ctx->code_gen_buffer_size; 1107 if (buf == buf2) { 1108 munmap(buf + size2, size - size2); 1109 } else { 1110 munmap(buf, size - size2); 1111 } 1112 size = size2; 1113 break; 1114 } 1115 buf = buf2; 1116 } 1117 #endif 1118 1119 /* Request large pages for the buffer. */ 1120 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 1121 1122 return buf; 1123 } 1124 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */ 1125 1126 static inline void code_gen_alloc(size_t tb_size) 1127 { 1128 tcg_ctx->code_gen_buffer_size = size_code_gen_buffer(tb_size); 1129 tcg_ctx->code_gen_buffer = alloc_code_gen_buffer(); 1130 if (tcg_ctx->code_gen_buffer == NULL) { 1131 fprintf(stderr, "Could not allocate dynamic translator buffer\n"); 1132 exit(1); 1133 } 1134 qemu_mutex_init(&tb_ctx.tb_lock); 1135 } 1136 1137 static bool tb_cmp(const void *ap, const void *bp) 1138 { 1139 const TranslationBlock *a = ap; 1140 const TranslationBlock *b = bp; 1141 1142 return a->pc == b->pc && 1143 a->cs_base == b->cs_base && 1144 a->flags == b->flags && 1145 (tb_cflags(a) & CF_HASH_MASK) == (tb_cflags(b) & CF_HASH_MASK) && 1146 a->trace_vcpu_dstate == b->trace_vcpu_dstate && 1147 a->page_addr[0] == b->page_addr[0] && 1148 a->page_addr[1] == b->page_addr[1]; 1149 } 1150 1151 static void tb_htable_init(void) 1152 { 1153 unsigned int mode = QHT_MODE_AUTO_RESIZE; 1154 1155 qht_init(&tb_ctx.htable, tb_cmp, CODE_GEN_HTABLE_SIZE, mode); 1156 } 1157 1158 /* Must be called before using the QEMU cpus. 'tb_size' is the size 1159 (in bytes) allocated to the translation buffer. Zero means default 1160 size. */ 1161 void tcg_exec_init(unsigned long tb_size) 1162 { 1163 tcg_allowed = true; 1164 cpu_gen_init(); 1165 page_init(); 1166 tb_htable_init(); 1167 code_gen_alloc(tb_size); 1168 #if defined(CONFIG_SOFTMMU) 1169 /* There's no guest base to take into account, so go ahead and 1170 initialize the prologue now. */ 1171 tcg_prologue_init(tcg_ctx); 1172 #endif 1173 } 1174 1175 /* 1176 * Allocate a new translation block. Flush the translation buffer if 1177 * too many translation blocks or too much generated code. 1178 * 1179 * Called with tb_lock held. 1180 */ 1181 static TranslationBlock *tb_alloc(target_ulong pc) 1182 { 1183 TranslationBlock *tb; 1184 1185 assert_tb_locked(); 1186 1187 tb = tcg_tb_alloc(tcg_ctx); 1188 if (unlikely(tb == NULL)) { 1189 return NULL; 1190 } 1191 return tb; 1192 } 1193 1194 /* call with @p->lock held */ 1195 static inline void invalidate_page_bitmap(PageDesc *p) 1196 { 1197 assert_page_locked(p); 1198 #ifdef CONFIG_SOFTMMU 1199 g_free(p->code_bitmap); 1200 p->code_bitmap = NULL; 1201 p->code_write_count = 0; 1202 #endif 1203 } 1204 1205 /* Set to NULL all the 'first_tb' fields in all PageDescs. */ 1206 static void page_flush_tb_1(int level, void **lp) 1207 { 1208 int i; 1209 1210 if (*lp == NULL) { 1211 return; 1212 } 1213 if (level == 0) { 1214 PageDesc *pd = *lp; 1215 1216 for (i = 0; i < V_L2_SIZE; ++i) { 1217 page_lock(&pd[i]); 1218 pd[i].first_tb = (uintptr_t)NULL; 1219 invalidate_page_bitmap(pd + i); 1220 page_unlock(&pd[i]); 1221 } 1222 } else { 1223 void **pp = *lp; 1224 1225 for (i = 0; i < V_L2_SIZE; ++i) { 1226 page_flush_tb_1(level - 1, pp + i); 1227 } 1228 } 1229 } 1230 1231 static void page_flush_tb(void) 1232 { 1233 int i, l1_sz = v_l1_size; 1234 1235 for (i = 0; i < l1_sz; i++) { 1236 page_flush_tb_1(v_l2_levels, l1_map + i); 1237 } 1238 } 1239 1240 static gboolean tb_host_size_iter(gpointer key, gpointer value, gpointer data) 1241 { 1242 const TranslationBlock *tb = value; 1243 size_t *size = data; 1244 1245 *size += tb->tc.size; 1246 return false; 1247 } 1248 1249 /* flush all the translation blocks */ 1250 static void do_tb_flush(CPUState *cpu, run_on_cpu_data tb_flush_count) 1251 { 1252 tb_lock(); 1253 1254 /* If it is already been done on request of another CPU, 1255 * just retry. 1256 */ 1257 if (tb_ctx.tb_flush_count != tb_flush_count.host_int) { 1258 goto done; 1259 } 1260 1261 if (DEBUG_TB_FLUSH_GATE) { 1262 size_t nb_tbs = tcg_nb_tbs(); 1263 size_t host_size = 0; 1264 1265 tcg_tb_foreach(tb_host_size_iter, &host_size); 1266 printf("qemu: flush code_size=%zu nb_tbs=%zu avg_tb_size=%zu\n", 1267 tcg_code_size(), nb_tbs, nb_tbs > 0 ? host_size / nb_tbs : 0); 1268 } 1269 1270 CPU_FOREACH(cpu) { 1271 cpu_tb_jmp_cache_clear(cpu); 1272 } 1273 1274 qht_reset_size(&tb_ctx.htable, CODE_GEN_HTABLE_SIZE); 1275 page_flush_tb(); 1276 1277 tcg_region_reset_all(); 1278 /* XXX: flush processor icache at this point if cache flush is 1279 expensive */ 1280 atomic_mb_set(&tb_ctx.tb_flush_count, tb_ctx.tb_flush_count + 1); 1281 1282 done: 1283 tb_unlock(); 1284 } 1285 1286 void tb_flush(CPUState *cpu) 1287 { 1288 if (tcg_enabled()) { 1289 unsigned tb_flush_count = atomic_mb_read(&tb_ctx.tb_flush_count); 1290 async_safe_run_on_cpu(cpu, do_tb_flush, 1291 RUN_ON_CPU_HOST_INT(tb_flush_count)); 1292 } 1293 } 1294 1295 /* 1296 * Formerly ifdef DEBUG_TB_CHECK. These debug functions are user-mode-only, 1297 * so in order to prevent bit rot we compile them unconditionally in user-mode, 1298 * and let the optimizer get rid of them by wrapping their user-only callers 1299 * with if (DEBUG_TB_CHECK_GATE). 1300 */ 1301 #ifdef CONFIG_USER_ONLY 1302 1303 static void 1304 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp) 1305 { 1306 TranslationBlock *tb = p; 1307 target_ulong addr = *(target_ulong *)userp; 1308 1309 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) { 1310 printf("ERROR invalidate: address=" TARGET_FMT_lx 1311 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size); 1312 } 1313 } 1314 1315 /* verify that all the pages have correct rights for code 1316 * 1317 * Called with tb_lock held. 1318 */ 1319 static void tb_invalidate_check(target_ulong address) 1320 { 1321 address &= TARGET_PAGE_MASK; 1322 qht_iter(&tb_ctx.htable, do_tb_invalidate_check, &address); 1323 } 1324 1325 static void 1326 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp) 1327 { 1328 TranslationBlock *tb = p; 1329 int flags1, flags2; 1330 1331 flags1 = page_get_flags(tb->pc); 1332 flags2 = page_get_flags(tb->pc + tb->size - 1); 1333 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) { 1334 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n", 1335 (long)tb->pc, tb->size, flags1, flags2); 1336 } 1337 } 1338 1339 /* verify that all the pages have correct rights for code */ 1340 static void tb_page_check(void) 1341 { 1342 qht_iter(&tb_ctx.htable, do_tb_page_check, NULL); 1343 } 1344 1345 #endif /* CONFIG_USER_ONLY */ 1346 1347 /* call with @pd->lock held */ 1348 static inline void tb_page_remove(PageDesc *pd, TranslationBlock *tb) 1349 { 1350 TranslationBlock *tb1; 1351 uintptr_t *pprev; 1352 unsigned int n1; 1353 1354 assert_page_locked(pd); 1355 pprev = &pd->first_tb; 1356 PAGE_FOR_EACH_TB(pd, tb1, n1) { 1357 if (tb1 == tb) { 1358 *pprev = tb1->page_next[n1]; 1359 return; 1360 } 1361 pprev = &tb1->page_next[n1]; 1362 } 1363 g_assert_not_reached(); 1364 } 1365 1366 /* remove @orig from its @n_orig-th jump list */ 1367 static inline void tb_remove_from_jmp_list(TranslationBlock *orig, int n_orig) 1368 { 1369 uintptr_t ptr, ptr_locked; 1370 TranslationBlock *dest; 1371 TranslationBlock *tb; 1372 uintptr_t *pprev; 1373 int n; 1374 1375 /* mark the LSB of jmp_dest[] so that no further jumps can be inserted */ 1376 ptr = atomic_or_fetch(&orig->jmp_dest[n_orig], 1); 1377 dest = (TranslationBlock *)(ptr & ~1); 1378 if (dest == NULL) { 1379 return; 1380 } 1381 1382 qemu_spin_lock(&dest->jmp_lock); 1383 /* 1384 * While acquiring the lock, the jump might have been removed if the 1385 * destination TB was invalidated; check again. 1386 */ 1387 ptr_locked = atomic_read(&orig->jmp_dest[n_orig]); 1388 if (ptr_locked != ptr) { 1389 qemu_spin_unlock(&dest->jmp_lock); 1390 /* 1391 * The only possibility is that the jump was unlinked via 1392 * tb_jump_unlink(dest). Seeing here another destination would be a bug, 1393 * because we set the LSB above. 1394 */ 1395 g_assert(ptr_locked == 1 && dest->cflags & CF_INVALID); 1396 return; 1397 } 1398 /* 1399 * We first acquired the lock, and since the destination pointer matches, 1400 * we know for sure that @orig is in the jmp list. 1401 */ 1402 pprev = &dest->jmp_list_head; 1403 TB_FOR_EACH_JMP(dest, tb, n) { 1404 if (tb == orig && n == n_orig) { 1405 *pprev = tb->jmp_list_next[n]; 1406 /* no need to set orig->jmp_dest[n]; setting the LSB was enough */ 1407 qemu_spin_unlock(&dest->jmp_lock); 1408 return; 1409 } 1410 pprev = &tb->jmp_list_next[n]; 1411 } 1412 g_assert_not_reached(); 1413 } 1414 1415 /* reset the jump entry 'n' of a TB so that it is not chained to 1416 another TB */ 1417 static inline void tb_reset_jump(TranslationBlock *tb, int n) 1418 { 1419 uintptr_t addr = (uintptr_t)(tb->tc.ptr + tb->jmp_reset_offset[n]); 1420 tb_set_jmp_target(tb, n, addr); 1421 } 1422 1423 /* remove any jumps to the TB */ 1424 static inline void tb_jmp_unlink(TranslationBlock *dest) 1425 { 1426 TranslationBlock *tb; 1427 int n; 1428 1429 qemu_spin_lock(&dest->jmp_lock); 1430 1431 TB_FOR_EACH_JMP(dest, tb, n) { 1432 tb_reset_jump(tb, n); 1433 atomic_and(&tb->jmp_dest[n], (uintptr_t)NULL | 1); 1434 /* No need to clear the list entry; setting the dest ptr is enough */ 1435 } 1436 dest->jmp_list_head = (uintptr_t)NULL; 1437 1438 qemu_spin_unlock(&dest->jmp_lock); 1439 } 1440 1441 /* If @rm_from_page_list is set, call with the TB's pages' locks held */ 1442 static void do_tb_phys_invalidate(TranslationBlock *tb, bool rm_from_page_list) 1443 { 1444 CPUState *cpu; 1445 PageDesc *p; 1446 uint32_t h; 1447 tb_page_addr_t phys_pc; 1448 1449 assert_tb_locked(); 1450 1451 /* make sure no further incoming jumps will be chained to this TB */ 1452 qemu_spin_lock(&tb->jmp_lock); 1453 atomic_set(&tb->cflags, tb->cflags | CF_INVALID); 1454 qemu_spin_unlock(&tb->jmp_lock); 1455 1456 /* remove the TB from the hash list */ 1457 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1458 h = tb_hash_func(phys_pc, tb->pc, tb->flags, tb_cflags(tb) & CF_HASH_MASK, 1459 tb->trace_vcpu_dstate); 1460 if (!qht_remove(&tb_ctx.htable, tb, h)) { 1461 return; 1462 } 1463 1464 /* remove the TB from the page list */ 1465 if (rm_from_page_list) { 1466 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS); 1467 tb_page_remove(p, tb); 1468 invalidate_page_bitmap(p); 1469 if (tb->page_addr[1] != -1) { 1470 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS); 1471 tb_page_remove(p, tb); 1472 invalidate_page_bitmap(p); 1473 } 1474 } 1475 1476 /* remove the TB from the hash list */ 1477 h = tb_jmp_cache_hash_func(tb->pc); 1478 CPU_FOREACH(cpu) { 1479 if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) { 1480 atomic_set(&cpu->tb_jmp_cache[h], NULL); 1481 } 1482 } 1483 1484 /* suppress this TB from the two jump lists */ 1485 tb_remove_from_jmp_list(tb, 0); 1486 tb_remove_from_jmp_list(tb, 1); 1487 1488 /* suppress any remaining jumps to this TB */ 1489 tb_jmp_unlink(tb); 1490 1491 atomic_set(&tcg_ctx->tb_phys_invalidate_count, 1492 tcg_ctx->tb_phys_invalidate_count + 1); 1493 } 1494 1495 static void tb_phys_invalidate__locked(TranslationBlock *tb) 1496 { 1497 do_tb_phys_invalidate(tb, true); 1498 } 1499 1500 /* invalidate one TB 1501 * 1502 * Called with tb_lock held. 1503 */ 1504 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr) 1505 { 1506 if (page_addr == -1) { 1507 page_lock_tb(tb); 1508 do_tb_phys_invalidate(tb, true); 1509 page_unlock_tb(tb); 1510 } else { 1511 do_tb_phys_invalidate(tb, false); 1512 } 1513 } 1514 1515 #ifdef CONFIG_SOFTMMU 1516 /* call with @p->lock held */ 1517 static void build_page_bitmap(PageDesc *p) 1518 { 1519 int n, tb_start, tb_end; 1520 TranslationBlock *tb; 1521 1522 assert_page_locked(p); 1523 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE); 1524 1525 PAGE_FOR_EACH_TB(p, tb, n) { 1526 /* NOTE: this is subtle as a TB may span two physical pages */ 1527 if (n == 0) { 1528 /* NOTE: tb_end may be after the end of the page, but 1529 it is not a problem */ 1530 tb_start = tb->pc & ~TARGET_PAGE_MASK; 1531 tb_end = tb_start + tb->size; 1532 if (tb_end > TARGET_PAGE_SIZE) { 1533 tb_end = TARGET_PAGE_SIZE; 1534 } 1535 } else { 1536 tb_start = 0; 1537 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1538 } 1539 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start); 1540 } 1541 } 1542 #endif 1543 1544 /* add the tb in the target page and protect it if necessary 1545 * 1546 * Called with mmap_lock held for user-mode emulation. 1547 * Called with @p->lock held. 1548 */ 1549 static inline void tb_page_add(PageDesc *p, TranslationBlock *tb, 1550 unsigned int n, tb_page_addr_t page_addr) 1551 { 1552 #ifndef CONFIG_USER_ONLY 1553 bool page_already_protected; 1554 #endif 1555 1556 assert_page_locked(p); 1557 1558 tb->page_addr[n] = page_addr; 1559 tb->page_next[n] = p->first_tb; 1560 #ifndef CONFIG_USER_ONLY 1561 page_already_protected = p->first_tb != (uintptr_t)NULL; 1562 #endif 1563 p->first_tb = (uintptr_t)tb | n; 1564 invalidate_page_bitmap(p); 1565 1566 #if defined(CONFIG_USER_ONLY) 1567 if (p->flags & PAGE_WRITE) { 1568 target_ulong addr; 1569 PageDesc *p2; 1570 int prot; 1571 1572 /* force the host page as non writable (writes will have a 1573 page fault + mprotect overhead) */ 1574 page_addr &= qemu_host_page_mask; 1575 prot = 0; 1576 for (addr = page_addr; addr < page_addr + qemu_host_page_size; 1577 addr += TARGET_PAGE_SIZE) { 1578 1579 p2 = page_find(addr >> TARGET_PAGE_BITS); 1580 if (!p2) { 1581 continue; 1582 } 1583 prot |= p2->flags; 1584 p2->flags &= ~PAGE_WRITE; 1585 } 1586 mprotect(g2h(page_addr), qemu_host_page_size, 1587 (prot & PAGE_BITS) & ~PAGE_WRITE); 1588 if (DEBUG_TB_INVALIDATE_GATE) { 1589 printf("protecting code page: 0x" TB_PAGE_ADDR_FMT "\n", page_addr); 1590 } 1591 } 1592 #else 1593 /* if some code is already present, then the pages are already 1594 protected. So we handle the case where only the first TB is 1595 allocated in a physical page */ 1596 if (!page_already_protected) { 1597 tlb_protect_code(page_addr); 1598 } 1599 #endif 1600 } 1601 1602 /* add a new TB and link it to the physical page tables. phys_page2 is 1603 * (-1) to indicate that only one page contains the TB. 1604 * 1605 * Called with mmap_lock held for user-mode emulation. 1606 * 1607 * Returns a pointer @tb, or a pointer to an existing TB that matches @tb. 1608 * Note that in !user-mode, another thread might have already added a TB 1609 * for the same block of guest code that @tb corresponds to. In that case, 1610 * the caller should discard the original @tb, and use instead the returned TB. 1611 */ 1612 static TranslationBlock * 1613 tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc, 1614 tb_page_addr_t phys_page2) 1615 { 1616 PageDesc *p; 1617 PageDesc *p2 = NULL; 1618 void *existing_tb = NULL; 1619 uint32_t h; 1620 1621 assert_memory_lock(); 1622 1623 /* 1624 * Add the TB to the page list, acquiring first the pages's locks. 1625 * We keep the locks held until after inserting the TB in the hash table, 1626 * so that if the insertion fails we know for sure that the TBs are still 1627 * in the page descriptors. 1628 * Note that inserting into the hash table first isn't an option, since 1629 * we can only insert TBs that are fully initialized. 1630 */ 1631 page_lock_pair(&p, phys_pc, &p2, phys_page2, 1); 1632 tb_page_add(p, tb, 0, phys_pc & TARGET_PAGE_MASK); 1633 if (p2) { 1634 tb_page_add(p2, tb, 1, phys_page2); 1635 } else { 1636 tb->page_addr[1] = -1; 1637 } 1638 1639 /* add in the hash table */ 1640 h = tb_hash_func(phys_pc, tb->pc, tb->flags, tb->cflags & CF_HASH_MASK, 1641 tb->trace_vcpu_dstate); 1642 qht_insert(&tb_ctx.htable, tb, h, &existing_tb); 1643 1644 /* remove TB from the page(s) if we couldn't insert it */ 1645 if (unlikely(existing_tb)) { 1646 tb_page_remove(p, tb); 1647 invalidate_page_bitmap(p); 1648 if (p2) { 1649 tb_page_remove(p2, tb); 1650 invalidate_page_bitmap(p2); 1651 } 1652 tb = existing_tb; 1653 } 1654 1655 if (p2) { 1656 page_unlock(p2); 1657 } 1658 page_unlock(p); 1659 1660 #ifdef CONFIG_USER_ONLY 1661 if (DEBUG_TB_CHECK_GATE) { 1662 tb_page_check(); 1663 } 1664 #endif 1665 return tb; 1666 } 1667 1668 /* Called with mmap_lock held for user mode emulation. */ 1669 TranslationBlock *tb_gen_code(CPUState *cpu, 1670 target_ulong pc, target_ulong cs_base, 1671 uint32_t flags, int cflags) 1672 { 1673 CPUArchState *env = cpu->env_ptr; 1674 TranslationBlock *tb, *existing_tb; 1675 tb_page_addr_t phys_pc, phys_page2; 1676 target_ulong virt_page2; 1677 tcg_insn_unit *gen_code_buf; 1678 int gen_code_size, search_size; 1679 #ifdef CONFIG_PROFILER 1680 TCGProfile *prof = &tcg_ctx->prof; 1681 int64_t ti; 1682 #endif 1683 assert_memory_lock(); 1684 1685 phys_pc = get_page_addr_code(env, pc); 1686 1687 buffer_overflow: 1688 tb = tb_alloc(pc); 1689 if (unlikely(!tb)) { 1690 /* flush must be done */ 1691 tb_flush(cpu); 1692 mmap_unlock(); 1693 /* Make the execution loop process the flush as soon as possible. */ 1694 cpu->exception_index = EXCP_INTERRUPT; 1695 cpu_loop_exit(cpu); 1696 } 1697 1698 gen_code_buf = tcg_ctx->code_gen_ptr; 1699 tb->tc.ptr = gen_code_buf; 1700 tb->pc = pc; 1701 tb->cs_base = cs_base; 1702 tb->flags = flags; 1703 tb->cflags = cflags; 1704 tb->trace_vcpu_dstate = *cpu->trace_dstate; 1705 tcg_ctx->tb_cflags = cflags; 1706 1707 #ifdef CONFIG_PROFILER 1708 /* includes aborted translations because of exceptions */ 1709 atomic_set(&prof->tb_count1, prof->tb_count1 + 1); 1710 ti = profile_getclock(); 1711 #endif 1712 1713 tcg_func_start(tcg_ctx); 1714 1715 tcg_ctx->cpu = ENV_GET_CPU(env); 1716 gen_intermediate_code(cpu, tb); 1717 tcg_ctx->cpu = NULL; 1718 1719 trace_translate_block(tb, tb->pc, tb->tc.ptr); 1720 1721 /* generate machine code */ 1722 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID; 1723 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID; 1724 tcg_ctx->tb_jmp_reset_offset = tb->jmp_reset_offset; 1725 if (TCG_TARGET_HAS_direct_jump) { 1726 tcg_ctx->tb_jmp_insn_offset = tb->jmp_target_arg; 1727 tcg_ctx->tb_jmp_target_addr = NULL; 1728 } else { 1729 tcg_ctx->tb_jmp_insn_offset = NULL; 1730 tcg_ctx->tb_jmp_target_addr = tb->jmp_target_arg; 1731 } 1732 1733 #ifdef CONFIG_PROFILER 1734 atomic_set(&prof->tb_count, prof->tb_count + 1); 1735 atomic_set(&prof->interm_time, prof->interm_time + profile_getclock() - ti); 1736 ti = profile_getclock(); 1737 #endif 1738 1739 /* ??? Overflow could be handled better here. In particular, we 1740 don't need to re-do gen_intermediate_code, nor should we re-do 1741 the tcg optimization currently hidden inside tcg_gen_code. All 1742 that should be required is to flush the TBs, allocate a new TB, 1743 re-initialize it per above, and re-do the actual code generation. */ 1744 gen_code_size = tcg_gen_code(tcg_ctx, tb); 1745 if (unlikely(gen_code_size < 0)) { 1746 goto buffer_overflow; 1747 } 1748 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size); 1749 if (unlikely(search_size < 0)) { 1750 goto buffer_overflow; 1751 } 1752 tb->tc.size = gen_code_size; 1753 1754 #ifdef CONFIG_PROFILER 1755 atomic_set(&prof->code_time, prof->code_time + profile_getclock() - ti); 1756 atomic_set(&prof->code_in_len, prof->code_in_len + tb->size); 1757 atomic_set(&prof->code_out_len, prof->code_out_len + gen_code_size); 1758 atomic_set(&prof->search_out_len, prof->search_out_len + search_size); 1759 #endif 1760 1761 #ifdef DEBUG_DISAS 1762 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) && 1763 qemu_log_in_addr_range(tb->pc)) { 1764 qemu_log_lock(); 1765 qemu_log("OUT: [size=%d]\n", gen_code_size); 1766 if (tcg_ctx->data_gen_ptr) { 1767 size_t code_size = tcg_ctx->data_gen_ptr - tb->tc.ptr; 1768 size_t data_size = gen_code_size - code_size; 1769 size_t i; 1770 1771 log_disas(tb->tc.ptr, code_size); 1772 1773 for (i = 0; i < data_size; i += sizeof(tcg_target_ulong)) { 1774 if (sizeof(tcg_target_ulong) == 8) { 1775 qemu_log("0x%08" PRIxPTR ": .quad 0x%016" PRIx64 "\n", 1776 (uintptr_t)tcg_ctx->data_gen_ptr + i, 1777 *(uint64_t *)(tcg_ctx->data_gen_ptr + i)); 1778 } else { 1779 qemu_log("0x%08" PRIxPTR ": .long 0x%08x\n", 1780 (uintptr_t)tcg_ctx->data_gen_ptr + i, 1781 *(uint32_t *)(tcg_ctx->data_gen_ptr + i)); 1782 } 1783 } 1784 } else { 1785 log_disas(tb->tc.ptr, gen_code_size); 1786 } 1787 qemu_log("\n"); 1788 qemu_log_flush(); 1789 qemu_log_unlock(); 1790 } 1791 #endif 1792 1793 atomic_set(&tcg_ctx->code_gen_ptr, (void *) 1794 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size, 1795 CODE_GEN_ALIGN)); 1796 1797 /* init jump list */ 1798 qemu_spin_init(&tb->jmp_lock); 1799 tb->jmp_list_head = (uintptr_t)NULL; 1800 tb->jmp_list_next[0] = (uintptr_t)NULL; 1801 tb->jmp_list_next[1] = (uintptr_t)NULL; 1802 tb->jmp_dest[0] = (uintptr_t)NULL; 1803 tb->jmp_dest[1] = (uintptr_t)NULL; 1804 1805 /* init original jump addresses wich has been set during tcg_gen_code() */ 1806 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 1807 tb_reset_jump(tb, 0); 1808 } 1809 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 1810 tb_reset_jump(tb, 1); 1811 } 1812 1813 /* check next page if needed */ 1814 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK; 1815 phys_page2 = -1; 1816 if ((pc & TARGET_PAGE_MASK) != virt_page2) { 1817 phys_page2 = get_page_addr_code(env, virt_page2); 1818 } 1819 /* As long as consistency of the TB stuff is provided by tb_lock in user 1820 * mode and is implicit in single-threaded softmmu emulation, no explicit 1821 * memory barrier is required before tb_link_page() makes the TB visible 1822 * through the physical hash table and physical page list. 1823 */ 1824 existing_tb = tb_link_page(tb, phys_pc, phys_page2); 1825 /* if the TB already exists, discard what we just translated */ 1826 if (unlikely(existing_tb != tb)) { 1827 uintptr_t orig_aligned = (uintptr_t)gen_code_buf; 1828 1829 orig_aligned -= ROUND_UP(sizeof(*tb), qemu_icache_linesize); 1830 atomic_set(&tcg_ctx->code_gen_ptr, (void *)orig_aligned); 1831 return existing_tb; 1832 } 1833 tcg_tb_insert(tb); 1834 return tb; 1835 } 1836 1837 /* 1838 * Call with all @pages locked. 1839 * @p must be non-NULL. 1840 */ 1841 static void 1842 tb_invalidate_phys_page_range__locked(struct page_collection *pages, 1843 PageDesc *p, tb_page_addr_t start, 1844 tb_page_addr_t end, 1845 int is_cpu_write_access) 1846 { 1847 TranslationBlock *tb; 1848 tb_page_addr_t tb_start, tb_end; 1849 int n; 1850 #ifdef TARGET_HAS_PRECISE_SMC 1851 CPUState *cpu = current_cpu; 1852 CPUArchState *env = NULL; 1853 int current_tb_not_found = is_cpu_write_access; 1854 TranslationBlock *current_tb = NULL; 1855 int current_tb_modified = 0; 1856 target_ulong current_pc = 0; 1857 target_ulong current_cs_base = 0; 1858 uint32_t current_flags = 0; 1859 #endif /* TARGET_HAS_PRECISE_SMC */ 1860 1861 assert_page_locked(p); 1862 1863 #if defined(TARGET_HAS_PRECISE_SMC) 1864 if (cpu != NULL) { 1865 env = cpu->env_ptr; 1866 } 1867 #endif 1868 1869 /* we remove all the TBs in the range [start, end[ */ 1870 /* XXX: see if in some cases it could be faster to invalidate all 1871 the code */ 1872 PAGE_FOR_EACH_TB(p, tb, n) { 1873 assert_page_locked(p); 1874 /* NOTE: this is subtle as a TB may span two physical pages */ 1875 if (n == 0) { 1876 /* NOTE: tb_end may be after the end of the page, but 1877 it is not a problem */ 1878 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1879 tb_end = tb_start + tb->size; 1880 } else { 1881 tb_start = tb->page_addr[1]; 1882 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1883 } 1884 if (!(tb_end <= start || tb_start >= end)) { 1885 #ifdef TARGET_HAS_PRECISE_SMC 1886 if (current_tb_not_found) { 1887 current_tb_not_found = 0; 1888 current_tb = NULL; 1889 if (cpu->mem_io_pc) { 1890 /* now we have a real cpu fault */ 1891 current_tb = tcg_tb_lookup(cpu->mem_io_pc); 1892 } 1893 } 1894 if (current_tb == tb && 1895 (tb_cflags(current_tb) & CF_COUNT_MASK) != 1) { 1896 /* If we are modifying the current TB, we must stop 1897 its execution. We could be more precise by checking 1898 that the modification is after the current PC, but it 1899 would require a specialized function to partially 1900 restore the CPU state */ 1901 1902 current_tb_modified = 1; 1903 cpu_restore_state_from_tb(cpu, current_tb, 1904 cpu->mem_io_pc, true); 1905 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base, 1906 ¤t_flags); 1907 } 1908 #endif /* TARGET_HAS_PRECISE_SMC */ 1909 tb_phys_invalidate__locked(tb); 1910 } 1911 } 1912 #if !defined(CONFIG_USER_ONLY) 1913 /* if no code remaining, no need to continue to use slow writes */ 1914 if (!p->first_tb) { 1915 invalidate_page_bitmap(p); 1916 tlb_unprotect_code(start); 1917 } 1918 #endif 1919 #ifdef TARGET_HAS_PRECISE_SMC 1920 if (current_tb_modified) { 1921 page_collection_unlock(pages); 1922 /* Force execution of one insn next time. */ 1923 cpu->cflags_next_tb = 1 | curr_cflags(); 1924 cpu_loop_exit_noexc(cpu); 1925 } 1926 #endif 1927 } 1928 1929 /* 1930 * Invalidate all TBs which intersect with the target physical address range 1931 * [start;end[. NOTE: start and end must refer to the *same* physical page. 1932 * 'is_cpu_write_access' should be true if called from a real cpu write 1933 * access: the virtual CPU will exit the current TB if code is modified inside 1934 * this TB. 1935 * 1936 * Called with tb_lock/mmap_lock held for user-mode emulation 1937 * Called with tb_lock held for system-mode emulation 1938 */ 1939 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end, 1940 int is_cpu_write_access) 1941 { 1942 struct page_collection *pages; 1943 PageDesc *p; 1944 1945 assert_memory_lock(); 1946 assert_tb_locked(); 1947 1948 p = page_find(start >> TARGET_PAGE_BITS); 1949 if (p == NULL) { 1950 return; 1951 } 1952 pages = page_collection_lock(start, end); 1953 tb_invalidate_phys_page_range__locked(pages, p, start, end, 1954 is_cpu_write_access); 1955 page_collection_unlock(pages); 1956 } 1957 1958 /* 1959 * Invalidate all TBs which intersect with the target physical address range 1960 * [start;end[. NOTE: start and end may refer to *different* physical pages. 1961 * 'is_cpu_write_access' should be true if called from a real cpu write 1962 * access: the virtual CPU will exit the current TB if code is modified inside 1963 * this TB. 1964 * 1965 * Called with mmap_lock held for user-mode emulation, grabs tb_lock 1966 * Called with tb_lock held for system-mode emulation 1967 */ 1968 static void tb_invalidate_phys_range_1(tb_page_addr_t start, tb_page_addr_t end) 1969 { 1970 struct page_collection *pages; 1971 tb_page_addr_t next; 1972 1973 pages = page_collection_lock(start, end); 1974 for (next = (start & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE; 1975 start < end; 1976 start = next, next += TARGET_PAGE_SIZE) { 1977 PageDesc *pd = page_find(start >> TARGET_PAGE_BITS); 1978 tb_page_addr_t bound = MIN(next, end); 1979 1980 if (pd == NULL) { 1981 continue; 1982 } 1983 tb_invalidate_phys_page_range__locked(pages, pd, start, bound, 0); 1984 } 1985 page_collection_unlock(pages); 1986 } 1987 1988 #ifdef CONFIG_SOFTMMU 1989 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1990 { 1991 assert_tb_locked(); 1992 tb_invalidate_phys_range_1(start, end); 1993 } 1994 #else 1995 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1996 { 1997 assert_memory_lock(); 1998 tb_lock(); 1999 tb_invalidate_phys_range_1(start, end); 2000 tb_unlock(); 2001 } 2002 #endif 2003 2004 #ifdef CONFIG_SOFTMMU 2005 /* len must be <= 8 and start must be a multiple of len. 2006 * Called via softmmu_template.h when code areas are written to with 2007 * iothread mutex not held. 2008 */ 2009 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len) 2010 { 2011 struct page_collection *pages; 2012 PageDesc *p; 2013 2014 #if 0 2015 if (1) { 2016 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n", 2017 cpu_single_env->mem_io_vaddr, len, 2018 cpu_single_env->eip, 2019 cpu_single_env->eip + 2020 (intptr_t)cpu_single_env->segs[R_CS].base); 2021 } 2022 #endif 2023 assert_memory_lock(); 2024 2025 p = page_find(start >> TARGET_PAGE_BITS); 2026 if (!p) { 2027 return; 2028 } 2029 2030 pages = page_collection_lock(start, start + len); 2031 assert_page_locked(p); 2032 if (!p->code_bitmap && 2033 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) { 2034 build_page_bitmap(p); 2035 } 2036 if (p->code_bitmap) { 2037 unsigned int nr; 2038 unsigned long b; 2039 2040 nr = start & ~TARGET_PAGE_MASK; 2041 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1)); 2042 if (b & ((1 << len) - 1)) { 2043 goto do_invalidate; 2044 } 2045 } else { 2046 do_invalidate: 2047 tb_invalidate_phys_page_range__locked(pages, p, start, start + len, 1); 2048 } 2049 page_collection_unlock(pages); 2050 } 2051 #else 2052 /* Called with mmap_lock held. If pc is not 0 then it indicates the 2053 * host PC of the faulting store instruction that caused this invalidate. 2054 * Returns true if the caller needs to abort execution of the current 2055 * TB (because it was modified by this store and the guest CPU has 2056 * precise-SMC semantics). 2057 */ 2058 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc) 2059 { 2060 TranslationBlock *tb; 2061 PageDesc *p; 2062 int n; 2063 #ifdef TARGET_HAS_PRECISE_SMC 2064 TranslationBlock *current_tb = NULL; 2065 CPUState *cpu = current_cpu; 2066 CPUArchState *env = NULL; 2067 int current_tb_modified = 0; 2068 target_ulong current_pc = 0; 2069 target_ulong current_cs_base = 0; 2070 uint32_t current_flags = 0; 2071 #endif 2072 2073 assert_memory_lock(); 2074 2075 addr &= TARGET_PAGE_MASK; 2076 p = page_find(addr >> TARGET_PAGE_BITS); 2077 if (!p) { 2078 return false; 2079 } 2080 2081 tb_lock(); 2082 #ifdef TARGET_HAS_PRECISE_SMC 2083 if (p->first_tb && pc != 0) { 2084 current_tb = tcg_tb_lookup(pc); 2085 } 2086 if (cpu != NULL) { 2087 env = cpu->env_ptr; 2088 } 2089 #endif 2090 assert_page_locked(p); 2091 PAGE_FOR_EACH_TB(p, tb, n) { 2092 #ifdef TARGET_HAS_PRECISE_SMC 2093 if (current_tb == tb && 2094 (tb_cflags(current_tb) & CF_COUNT_MASK) != 1) { 2095 /* If we are modifying the current TB, we must stop 2096 its execution. We could be more precise by checking 2097 that the modification is after the current PC, but it 2098 would require a specialized function to partially 2099 restore the CPU state */ 2100 2101 current_tb_modified = 1; 2102 cpu_restore_state_from_tb(cpu, current_tb, pc, true); 2103 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base, 2104 ¤t_flags); 2105 } 2106 #endif /* TARGET_HAS_PRECISE_SMC */ 2107 tb_phys_invalidate(tb, addr); 2108 } 2109 p->first_tb = (uintptr_t)NULL; 2110 #ifdef TARGET_HAS_PRECISE_SMC 2111 if (current_tb_modified) { 2112 /* Force execution of one insn next time. */ 2113 cpu->cflags_next_tb = 1 | curr_cflags(); 2114 /* tb_lock will be reset after cpu_loop_exit_noexc longjmps 2115 * back into the cpu_exec loop. */ 2116 return true; 2117 } 2118 #endif 2119 tb_unlock(); 2120 2121 return false; 2122 } 2123 #endif 2124 2125 #if !defined(CONFIG_USER_ONLY) 2126 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs) 2127 { 2128 ram_addr_t ram_addr; 2129 MemoryRegion *mr; 2130 hwaddr l = 1; 2131 2132 rcu_read_lock(); 2133 mr = address_space_translate(as, addr, &addr, &l, false, attrs); 2134 if (!(memory_region_is_ram(mr) 2135 || memory_region_is_romd(mr))) { 2136 rcu_read_unlock(); 2137 return; 2138 } 2139 ram_addr = memory_region_get_ram_addr(mr) + addr; 2140 tb_lock(); 2141 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0); 2142 tb_unlock(); 2143 rcu_read_unlock(); 2144 } 2145 #endif /* !defined(CONFIG_USER_ONLY) */ 2146 2147 /* Called with tb_lock held. */ 2148 void tb_check_watchpoint(CPUState *cpu) 2149 { 2150 TranslationBlock *tb; 2151 2152 tb = tcg_tb_lookup(cpu->mem_io_pc); 2153 if (tb) { 2154 /* We can use retranslation to find the PC. */ 2155 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc, true); 2156 tb_phys_invalidate(tb, -1); 2157 } else { 2158 /* The exception probably happened in a helper. The CPU state should 2159 have been saved before calling it. Fetch the PC from there. */ 2160 CPUArchState *env = cpu->env_ptr; 2161 target_ulong pc, cs_base; 2162 tb_page_addr_t addr; 2163 uint32_t flags; 2164 2165 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags); 2166 addr = get_page_addr_code(env, pc); 2167 tb_invalidate_phys_range(addr, addr + 1); 2168 } 2169 } 2170 2171 #ifndef CONFIG_USER_ONLY 2172 /* in deterministic execution mode, instructions doing device I/Os 2173 * must be at the end of the TB. 2174 * 2175 * Called by softmmu_template.h, with iothread mutex not held. 2176 */ 2177 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr) 2178 { 2179 #if defined(TARGET_MIPS) || defined(TARGET_SH4) 2180 CPUArchState *env = cpu->env_ptr; 2181 #endif 2182 TranslationBlock *tb; 2183 uint32_t n; 2184 2185 tb_lock(); 2186 tb = tcg_tb_lookup(retaddr); 2187 if (!tb) { 2188 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p", 2189 (void *)retaddr); 2190 } 2191 cpu_restore_state_from_tb(cpu, tb, retaddr, true); 2192 2193 /* On MIPS and SH, delay slot instructions can only be restarted if 2194 they were already the first instruction in the TB. If this is not 2195 the first instruction in a TB then re-execute the preceding 2196 branch. */ 2197 n = 1; 2198 #if defined(TARGET_MIPS) 2199 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 2200 && env->active_tc.PC != tb->pc) { 2201 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4); 2202 cpu->icount_decr.u16.low++; 2203 env->hflags &= ~MIPS_HFLAG_BMASK; 2204 n = 2; 2205 } 2206 #elif defined(TARGET_SH4) 2207 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0 2208 && env->pc != tb->pc) { 2209 env->pc -= 2; 2210 cpu->icount_decr.u16.low++; 2211 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL); 2212 n = 2; 2213 } 2214 #endif 2215 2216 /* Generate a new TB executing the I/O insn. */ 2217 cpu->cflags_next_tb = curr_cflags() | CF_LAST_IO | n; 2218 2219 if (tb_cflags(tb) & CF_NOCACHE) { 2220 if (tb->orig_tb) { 2221 /* Invalidate original TB if this TB was generated in 2222 * cpu_exec_nocache() */ 2223 tb_phys_invalidate(tb->orig_tb, -1); 2224 } 2225 tcg_tb_remove(tb); 2226 } 2227 2228 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not 2229 * the first in the TB) then we end up generating a whole new TB and 2230 * repeating the fault, which is horribly inefficient. 2231 * Better would be to execute just this insn uncached, or generate a 2232 * second new TB. 2233 * 2234 * cpu_loop_exit_noexc will longjmp back to cpu_exec where the 2235 * tb_lock gets reset. 2236 */ 2237 cpu_loop_exit_noexc(cpu); 2238 } 2239 2240 static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr) 2241 { 2242 unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr); 2243 2244 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) { 2245 atomic_set(&cpu->tb_jmp_cache[i0 + i], NULL); 2246 } 2247 } 2248 2249 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr) 2250 { 2251 /* Discard jump cache entries for any tb which might potentially 2252 overlap the flushed page. */ 2253 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE); 2254 tb_jmp_cache_clear_page(cpu, addr); 2255 } 2256 2257 static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf, 2258 struct qht_stats hst) 2259 { 2260 uint32_t hgram_opts; 2261 size_t hgram_bins; 2262 char *hgram; 2263 2264 if (!hst.head_buckets) { 2265 return; 2266 } 2267 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n", 2268 hst.used_head_buckets, hst.head_buckets, 2269 (double)hst.used_head_buckets / hst.head_buckets * 100); 2270 2271 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 2272 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT; 2273 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) { 2274 hgram_opts |= QDIST_PR_NODECIMAL; 2275 } 2276 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts); 2277 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n", 2278 qdist_avg(&hst.occupancy) * 100, hgram); 2279 g_free(hgram); 2280 2281 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 2282 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain); 2283 if (hgram_bins > 10) { 2284 hgram_bins = 10; 2285 } else { 2286 hgram_bins = 0; 2287 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE; 2288 } 2289 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts); 2290 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n", 2291 qdist_avg(&hst.chain), hgram); 2292 g_free(hgram); 2293 } 2294 2295 struct tb_tree_stats { 2296 size_t nb_tbs; 2297 size_t host_size; 2298 size_t target_size; 2299 size_t max_target_size; 2300 size_t direct_jmp_count; 2301 size_t direct_jmp2_count; 2302 size_t cross_page; 2303 }; 2304 2305 static gboolean tb_tree_stats_iter(gpointer key, gpointer value, gpointer data) 2306 { 2307 const TranslationBlock *tb = value; 2308 struct tb_tree_stats *tst = data; 2309 2310 tst->nb_tbs++; 2311 tst->host_size += tb->tc.size; 2312 tst->target_size += tb->size; 2313 if (tb->size > tst->max_target_size) { 2314 tst->max_target_size = tb->size; 2315 } 2316 if (tb->page_addr[1] != -1) { 2317 tst->cross_page++; 2318 } 2319 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 2320 tst->direct_jmp_count++; 2321 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 2322 tst->direct_jmp2_count++; 2323 } 2324 } 2325 return false; 2326 } 2327 2328 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf) 2329 { 2330 struct tb_tree_stats tst = {}; 2331 struct qht_stats hst; 2332 size_t nb_tbs; 2333 2334 tcg_tb_foreach(tb_tree_stats_iter, &tst); 2335 nb_tbs = tst.nb_tbs; 2336 /* XXX: avoid using doubles ? */ 2337 cpu_fprintf(f, "Translation buffer state:\n"); 2338 /* 2339 * Report total code size including the padding and TB structs; 2340 * otherwise users might think "-tb-size" is not honoured. 2341 * For avg host size we use the precise numbers from tb_tree_stats though. 2342 */ 2343 cpu_fprintf(f, "gen code size %zu/%zu\n", 2344 tcg_code_size(), tcg_code_capacity()); 2345 cpu_fprintf(f, "TB count %zu\n", nb_tbs); 2346 cpu_fprintf(f, "TB avg target size %zu max=%zu bytes\n", 2347 nb_tbs ? tst.target_size / nb_tbs : 0, 2348 tst.max_target_size); 2349 cpu_fprintf(f, "TB avg host size %zu bytes (expansion ratio: %0.1f)\n", 2350 nb_tbs ? tst.host_size / nb_tbs : 0, 2351 tst.target_size ? (double)tst.host_size / tst.target_size : 0); 2352 cpu_fprintf(f, "cross page TB count %zu (%zu%%)\n", tst.cross_page, 2353 nb_tbs ? (tst.cross_page * 100) / nb_tbs : 0); 2354 cpu_fprintf(f, "direct jump count %zu (%zu%%) (2 jumps=%zu %zu%%)\n", 2355 tst.direct_jmp_count, 2356 nb_tbs ? (tst.direct_jmp_count * 100) / nb_tbs : 0, 2357 tst.direct_jmp2_count, 2358 nb_tbs ? (tst.direct_jmp2_count * 100) / nb_tbs : 0); 2359 2360 qht_statistics_init(&tb_ctx.htable, &hst); 2361 print_qht_statistics(f, cpu_fprintf, hst); 2362 qht_statistics_destroy(&hst); 2363 2364 cpu_fprintf(f, "\nStatistics:\n"); 2365 cpu_fprintf(f, "TB flush count %u\n", 2366 atomic_read(&tb_ctx.tb_flush_count)); 2367 cpu_fprintf(f, "TB invalidate count %zu\n", tcg_tb_phys_invalidate_count()); 2368 cpu_fprintf(f, "TLB flush count %zu\n", tlb_flush_count()); 2369 tcg_dump_info(f, cpu_fprintf); 2370 } 2371 2372 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf) 2373 { 2374 tcg_dump_op_count(f, cpu_fprintf); 2375 } 2376 2377 #else /* CONFIG_USER_ONLY */ 2378 2379 void cpu_interrupt(CPUState *cpu, int mask) 2380 { 2381 g_assert(qemu_mutex_iothread_locked()); 2382 cpu->interrupt_request |= mask; 2383 cpu->icount_decr.u16.high = -1; 2384 } 2385 2386 /* 2387 * Walks guest process memory "regions" one by one 2388 * and calls callback function 'fn' for each region. 2389 */ 2390 struct walk_memory_regions_data { 2391 walk_memory_regions_fn fn; 2392 void *priv; 2393 target_ulong start; 2394 int prot; 2395 }; 2396 2397 static int walk_memory_regions_end(struct walk_memory_regions_data *data, 2398 target_ulong end, int new_prot) 2399 { 2400 if (data->start != -1u) { 2401 int rc = data->fn(data->priv, data->start, end, data->prot); 2402 if (rc != 0) { 2403 return rc; 2404 } 2405 } 2406 2407 data->start = (new_prot ? end : -1u); 2408 data->prot = new_prot; 2409 2410 return 0; 2411 } 2412 2413 static int walk_memory_regions_1(struct walk_memory_regions_data *data, 2414 target_ulong base, int level, void **lp) 2415 { 2416 target_ulong pa; 2417 int i, rc; 2418 2419 if (*lp == NULL) { 2420 return walk_memory_regions_end(data, base, 0); 2421 } 2422 2423 if (level == 0) { 2424 PageDesc *pd = *lp; 2425 2426 for (i = 0; i < V_L2_SIZE; ++i) { 2427 int prot = pd[i].flags; 2428 2429 pa = base | (i << TARGET_PAGE_BITS); 2430 if (prot != data->prot) { 2431 rc = walk_memory_regions_end(data, pa, prot); 2432 if (rc != 0) { 2433 return rc; 2434 } 2435 } 2436 } 2437 } else { 2438 void **pp = *lp; 2439 2440 for (i = 0; i < V_L2_SIZE; ++i) { 2441 pa = base | ((target_ulong)i << 2442 (TARGET_PAGE_BITS + V_L2_BITS * level)); 2443 rc = walk_memory_regions_1(data, pa, level - 1, pp + i); 2444 if (rc != 0) { 2445 return rc; 2446 } 2447 } 2448 } 2449 2450 return 0; 2451 } 2452 2453 int walk_memory_regions(void *priv, walk_memory_regions_fn fn) 2454 { 2455 struct walk_memory_regions_data data; 2456 uintptr_t i, l1_sz = v_l1_size; 2457 2458 data.fn = fn; 2459 data.priv = priv; 2460 data.start = -1u; 2461 data.prot = 0; 2462 2463 for (i = 0; i < l1_sz; i++) { 2464 target_ulong base = i << (v_l1_shift + TARGET_PAGE_BITS); 2465 int rc = walk_memory_regions_1(&data, base, v_l2_levels, l1_map + i); 2466 if (rc != 0) { 2467 return rc; 2468 } 2469 } 2470 2471 return walk_memory_regions_end(&data, 0, 0); 2472 } 2473 2474 static int dump_region(void *priv, target_ulong start, 2475 target_ulong end, unsigned long prot) 2476 { 2477 FILE *f = (FILE *)priv; 2478 2479 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx 2480 " "TARGET_FMT_lx" %c%c%c\n", 2481 start, end, end - start, 2482 ((prot & PAGE_READ) ? 'r' : '-'), 2483 ((prot & PAGE_WRITE) ? 'w' : '-'), 2484 ((prot & PAGE_EXEC) ? 'x' : '-')); 2485 2486 return 0; 2487 } 2488 2489 /* dump memory mappings */ 2490 void page_dump(FILE *f) 2491 { 2492 const int length = sizeof(target_ulong) * 2; 2493 (void) fprintf(f, "%-*s %-*s %-*s %s\n", 2494 length, "start", length, "end", length, "size", "prot"); 2495 walk_memory_regions(f, dump_region); 2496 } 2497 2498 int page_get_flags(target_ulong address) 2499 { 2500 PageDesc *p; 2501 2502 p = page_find(address >> TARGET_PAGE_BITS); 2503 if (!p) { 2504 return 0; 2505 } 2506 return p->flags; 2507 } 2508 2509 /* Modify the flags of a page and invalidate the code if necessary. 2510 The flag PAGE_WRITE_ORG is positioned automatically depending 2511 on PAGE_WRITE. The mmap_lock should already be held. */ 2512 void page_set_flags(target_ulong start, target_ulong end, int flags) 2513 { 2514 target_ulong addr, len; 2515 2516 /* This function should never be called with addresses outside the 2517 guest address space. If this assert fires, it probably indicates 2518 a missing call to h2g_valid. */ 2519 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS 2520 assert(end <= ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)); 2521 #endif 2522 assert(start < end); 2523 assert_memory_lock(); 2524 2525 start = start & TARGET_PAGE_MASK; 2526 end = TARGET_PAGE_ALIGN(end); 2527 2528 if (flags & PAGE_WRITE) { 2529 flags |= PAGE_WRITE_ORG; 2530 } 2531 2532 for (addr = start, len = end - start; 2533 len != 0; 2534 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) { 2535 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1); 2536 2537 /* If the write protection bit is set, then we invalidate 2538 the code inside. */ 2539 if (!(p->flags & PAGE_WRITE) && 2540 (flags & PAGE_WRITE) && 2541 p->first_tb) { 2542 tb_invalidate_phys_page(addr, 0); 2543 } 2544 p->flags = flags; 2545 } 2546 } 2547 2548 int page_check_range(target_ulong start, target_ulong len, int flags) 2549 { 2550 PageDesc *p; 2551 target_ulong end; 2552 target_ulong addr; 2553 2554 /* This function should never be called with addresses outside the 2555 guest address space. If this assert fires, it probably indicates 2556 a missing call to h2g_valid. */ 2557 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS 2558 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)); 2559 #endif 2560 2561 if (len == 0) { 2562 return 0; 2563 } 2564 if (start + len - 1 < start) { 2565 /* We've wrapped around. */ 2566 return -1; 2567 } 2568 2569 /* must do before we loose bits in the next step */ 2570 end = TARGET_PAGE_ALIGN(start + len); 2571 start = start & TARGET_PAGE_MASK; 2572 2573 for (addr = start, len = end - start; 2574 len != 0; 2575 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) { 2576 p = page_find(addr >> TARGET_PAGE_BITS); 2577 if (!p) { 2578 return -1; 2579 } 2580 if (!(p->flags & PAGE_VALID)) { 2581 return -1; 2582 } 2583 2584 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) { 2585 return -1; 2586 } 2587 if (flags & PAGE_WRITE) { 2588 if (!(p->flags & PAGE_WRITE_ORG)) { 2589 return -1; 2590 } 2591 /* unprotect the page if it was put read-only because it 2592 contains translated code */ 2593 if (!(p->flags & PAGE_WRITE)) { 2594 if (!page_unprotect(addr, 0)) { 2595 return -1; 2596 } 2597 } 2598 } 2599 } 2600 return 0; 2601 } 2602 2603 /* called from signal handler: invalidate the code and unprotect the 2604 * page. Return 0 if the fault was not handled, 1 if it was handled, 2605 * and 2 if it was handled but the caller must cause the TB to be 2606 * immediately exited. (We can only return 2 if the 'pc' argument is 2607 * non-zero.) 2608 */ 2609 int page_unprotect(target_ulong address, uintptr_t pc) 2610 { 2611 unsigned int prot; 2612 bool current_tb_invalidated; 2613 PageDesc *p; 2614 target_ulong host_start, host_end, addr; 2615 2616 /* Technically this isn't safe inside a signal handler. However we 2617 know this only ever happens in a synchronous SEGV handler, so in 2618 practice it seems to be ok. */ 2619 mmap_lock(); 2620 2621 p = page_find(address >> TARGET_PAGE_BITS); 2622 if (!p) { 2623 mmap_unlock(); 2624 return 0; 2625 } 2626 2627 /* if the page was really writable, then we change its 2628 protection back to writable */ 2629 if (p->flags & PAGE_WRITE_ORG) { 2630 current_tb_invalidated = false; 2631 if (p->flags & PAGE_WRITE) { 2632 /* If the page is actually marked WRITE then assume this is because 2633 * this thread raced with another one which got here first and 2634 * set the page to PAGE_WRITE and did the TB invalidate for us. 2635 */ 2636 #ifdef TARGET_HAS_PRECISE_SMC 2637 TranslationBlock *current_tb = tcg_tb_lookup(pc); 2638 if (current_tb) { 2639 current_tb_invalidated = tb_cflags(current_tb) & CF_INVALID; 2640 } 2641 #endif 2642 } else { 2643 host_start = address & qemu_host_page_mask; 2644 host_end = host_start + qemu_host_page_size; 2645 2646 prot = 0; 2647 for (addr = host_start; addr < host_end; addr += TARGET_PAGE_SIZE) { 2648 p = page_find(addr >> TARGET_PAGE_BITS); 2649 p->flags |= PAGE_WRITE; 2650 prot |= p->flags; 2651 2652 /* and since the content will be modified, we must invalidate 2653 the corresponding translated code. */ 2654 current_tb_invalidated |= tb_invalidate_phys_page(addr, pc); 2655 #ifdef CONFIG_USER_ONLY 2656 if (DEBUG_TB_CHECK_GATE) { 2657 tb_invalidate_check(addr); 2658 } 2659 #endif 2660 } 2661 mprotect((void *)g2h(host_start), qemu_host_page_size, 2662 prot & PAGE_BITS); 2663 } 2664 mmap_unlock(); 2665 /* If current TB was invalidated return to main loop */ 2666 return current_tb_invalidated ? 2 : 1; 2667 } 2668 mmap_unlock(); 2669 return 0; 2670 } 2671 #endif /* CONFIG_USER_ONLY */ 2672 2673 /* This is a wrapper for common code that can not use CONFIG_SOFTMMU */ 2674 void tcg_flush_softmmu_tlb(CPUState *cs) 2675 { 2676 #ifdef CONFIG_SOFTMMU 2677 tlb_flush(cs); 2678 #endif 2679 } 2680