/*
 * Host code generation
 *
 * Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */
#ifdef _WIN32
#include <windows.h>
#endif
#include "qemu/osdep.h"


#include "qemu-common.h"
#define NO_CPU_IO_DEFS
#include "cpu.h"
#include "trace.h"
#include "disas/disas.h"
#include "exec/exec-all.h"
#include "tcg.h"
#if defined(CONFIG_USER_ONLY)
#include "qemu.h"
#include "exec/exec-all.h"
#if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
#include <sys/param.h>
#if __FreeBSD_version >= 700104
#define HAVE_KINFO_GETVMMAP
#define sigqueue sigqueue_freebsd  /* avoid redefinition */
#include <sys/proc.h>
#include <machine/profile.h>
#define _KERNEL
#include <sys/user.h>
#undef _KERNEL
#undef sigqueue
#include <libutil.h>
#endif
#endif
#else
#include "exec/address-spaces.h"
#endif

#include "exec/cputlb.h"
#include "exec/tb-hash.h"
#include "translate-all.h"
#include "qemu/bitmap.h"
#include "qemu/error-report.h"
#include "qemu/timer.h"
#include "qemu/main-loop.h"
#include "exec/log.h"
#include "sysemu/cpus.h"

/* #define DEBUG_TB_INVALIDATE */
/* #define DEBUG_TB_FLUSH */
/* make various TB consistency checks */
/* #define DEBUG_TB_CHECK */

#ifdef DEBUG_TB_INVALIDATE
#define DEBUG_TB_INVALIDATE_GATE 1
#else
#define DEBUG_TB_INVALIDATE_GATE 0
#endif

#ifdef DEBUG_TB_FLUSH
#define DEBUG_TB_FLUSH_GATE 1
#else
#define DEBUG_TB_FLUSH_GATE 0
#endif

#if !defined(CONFIG_USER_ONLY)
/* TB consistency checks only implemented for usermode emulation.  */
#undef DEBUG_TB_CHECK
#endif

#ifdef DEBUG_TB_CHECK
#define DEBUG_TB_CHECK_GATE 1
#else
#define DEBUG_TB_CHECK_GATE 0
#endif

/* Access to the various translations structures need to be serialised via locks
 * for consistency. This is automatic for SoftMMU based system
 * emulation due to its single threaded nature. In user-mode emulation
 * access to the memory related structures are protected with the
 * mmap_lock.
 */
#ifdef CONFIG_SOFTMMU
#define assert_memory_lock() tcg_debug_assert(have_tb_lock)
#else
#define assert_memory_lock() tcg_debug_assert(have_mmap_lock())
#endif

#define SMC_BITMAP_USE_THRESHOLD 10

typedef struct PageDesc {
    /* list of TBs intersecting this ram page */
    TranslationBlock *first_tb;
#ifdef CONFIG_SOFTMMU
    /* in order to optimize self modifying code, we count the number
       of lookups we do to a given page to use a bitmap */
    unsigned int code_write_count;
    unsigned long *code_bitmap;
#else
    unsigned long flags;
#endif
} PageDesc;

/* In system mode we want L1_MAP to be based on ram offsets,
   while in user mode we want it to be based on virtual addresses. */
#if !defined(CONFIG_USER_ONLY)
#if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS
# define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS
#else
# define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS
#endif
#else
# define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS
#endif

/* Size of the L2 (and L3, etc) page tables.  */
#define V_L2_BITS 10
#define V_L2_SIZE (1 << V_L2_BITS)

/* Make sure all possible CPU event bits fit in tb->trace_vcpu_dstate */
QEMU_BUILD_BUG_ON(CPU_TRACE_DSTATE_MAX_EVENTS >
                  sizeof(((TranslationBlock *)0)->trace_vcpu_dstate)
                  * BITS_PER_BYTE);

/*
 * L1 Mapping properties
 */
static int v_l1_size;
static int v_l1_shift;
static int v_l2_levels;

/* The bottom level has pointers to PageDesc, and is indexed by
 * anything from 4 to (V_L2_BITS + 3) bits, depending on target page size.
 */
#define V_L1_MIN_BITS 4
#define V_L1_MAX_BITS (V_L2_BITS + 3)
#define V_L1_MAX_SIZE (1 << V_L1_MAX_BITS)

static void *l1_map[V_L1_MAX_SIZE];

/* code generation context */
TCGContext tcg_init_ctx;
__thread TCGContext *tcg_ctx;
TBContext tb_ctx;
bool parallel_cpus;

/* translation block context */
static __thread int have_tb_lock;

static void page_table_config_init(void)
{
    uint32_t v_l1_bits;

    assert(TARGET_PAGE_BITS);
    /* The bits remaining after N lower levels of page tables.  */
    v_l1_bits = (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS;
    if (v_l1_bits < V_L1_MIN_BITS) {
        v_l1_bits += V_L2_BITS;
    }

    v_l1_size = 1 << v_l1_bits;
    v_l1_shift = L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - v_l1_bits;
    v_l2_levels = v_l1_shift / V_L2_BITS - 1;

    assert(v_l1_bits <= V_L1_MAX_BITS);
    assert(v_l1_shift % V_L2_BITS == 0);
    assert(v_l2_levels >= 0);
}

#define assert_tb_locked() tcg_debug_assert(have_tb_lock)
#define assert_tb_unlocked() tcg_debug_assert(!have_tb_lock)

void tb_lock(void)
{
    assert_tb_unlocked();
    qemu_mutex_lock(&tb_ctx.tb_lock);
    have_tb_lock++;
}

void tb_unlock(void)
{
    assert_tb_locked();
    have_tb_lock--;
    qemu_mutex_unlock(&tb_ctx.tb_lock);
}

void tb_lock_reset(void)
{
    if (have_tb_lock) {
        qemu_mutex_unlock(&tb_ctx.tb_lock);
        have_tb_lock = 0;
    }
}

static TranslationBlock *tb_find_pc(uintptr_t tc_ptr);

void cpu_gen_init(void)
{
    tcg_context_init(&tcg_init_ctx);
}

/* Encode VAL as a signed leb128 sequence at P.
   Return P incremented past the encoded value.  */
static uint8_t *encode_sleb128(uint8_t *p, target_long val)
{
    int more, byte;

    do {
        byte = val & 0x7f;
        val >>= 7;
        more = !((val == 0 && (byte & 0x40) == 0)
                 || (val == -1 && (byte & 0x40) != 0));
        if (more) {
            byte |= 0x80;
        }
        *p++ = byte;
    } while (more);

    return p;
}
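/* Illustrative sketch (not part of the original file): a couple of worked
 * sleb128 encodings, assuming the two's-complement arithmetic right shift
 * the code above already relies on.  300 encodes as 0xac 0x02: the low
 * septet 0x2c gets the continuation bit because more septets follow, and
 * the remaining value 2 fits in the next byte with bit 6 clear.  -2 encodes
 * as the single byte 0x7e, since after one 7-bit step val is -1 and bit 6
 * of the emitted byte is set.
 */
#if 0
static void sleb128_example(void)
{
    uint8_t buf[16], *end;
    uint8_t *cursor = buf;

    end = encode_sleb128(buf, 300);         /* buf[] = { 0xac, 0x02 } */
    assert(end - buf == 2);
    assert(decode_sleb128(&cursor) == 300); /* cursor now equals end */

    cursor = buf;
    end = encode_sleb128(buf, -2);          /* buf[] = { 0x7e } */
    assert(end - buf == 1);
    assert(decode_sleb128(&cursor) == -2);
}
#endif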
/* Decode a signed leb128 sequence at *PP; increment *PP past the
   decoded value.  Return the decoded value.  */
static target_long decode_sleb128(uint8_t **pp)
{
    uint8_t *p = *pp;
    target_long val = 0;
    int byte, shift = 0;

    do {
        byte = *p++;
        val |= (target_ulong)(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    if (shift < TARGET_LONG_BITS && (byte & 0x40)) {
        val |= -(target_ulong)1 << shift;
    }

    *pp = p;
    return val;
}

/* Encode the data collected about the instructions while compiling TB.
   Place the data at BLOCK, and return the number of bytes consumed.

   The logical table consists of TARGET_INSN_START_WORDS target_ulong's,
   which come from the target's insn_start data, followed by a uintptr_t
   which comes from the host pc of the end of the code implementing the insn.

   Each line of the table is encoded as sleb128 deltas from the previous
   line.  The seed for the first line is { tb->pc, 0..., tb->tc.ptr }.
   That is, the first column is seeded with the guest pc, the last column
   with the host pc, and the middle columns with zeros.  */

static int encode_search(TranslationBlock *tb, uint8_t *block)
{
    uint8_t *highwater = tcg_ctx->code_gen_highwater;
    uint8_t *p = block;
    int i, j, n;

    for (i = 0, n = tb->icount; i < n; ++i) {
        target_ulong prev;

        for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
            if (i == 0) {
                prev = (j == 0 ? tb->pc : 0);
            } else {
                prev = tcg_ctx->gen_insn_data[i - 1][j];
            }
            p = encode_sleb128(p, tcg_ctx->gen_insn_data[i][j] - prev);
        }
        prev = (i == 0 ? 0 : tcg_ctx->gen_insn_end_off[i - 1]);
        p = encode_sleb128(p, tcg_ctx->gen_insn_end_off[i] - prev);

        /* Test for (pending) buffer overflow.  The assumption is that any
           one row beginning below the high water mark cannot overrun
           the buffer completely.  Thus we can test for overflow after
           encoding a row without having to check during encoding.  */
        if (unlikely(p > highwater)) {
            return -1;
        }
    }

    return p - block;
}

/* The cpu state corresponding to 'searched_pc' is restored.
 * Called with tb_lock held.
 */
static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
                                     uintptr_t searched_pc)
{
    target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
    uintptr_t host_pc = (uintptr_t)tb->tc.ptr;
    CPUArchState *env = cpu->env_ptr;
    uint8_t *p = tb->tc.ptr + tb->tc.size;
    int i, j, num_insns = tb->icount;
#ifdef CONFIG_PROFILER
    TCGProfile *prof = &tcg_ctx->prof;
    int64_t ti = profile_getclock();
#endif

    searched_pc -= GETPC_ADJ;

    if (searched_pc < host_pc) {
        return -1;
    }

    /* Reconstruct the stored insn data while looking for the point at
       which the end of the insn exceeds the searched_pc.  */
    for (i = 0; i < num_insns; ++i) {
        for (j = 0; j < TARGET_INSN_START_WORDS; ++j) {
            data[j] += decode_sleb128(&p);
        }
        host_pc += decode_sleb128(&p);
        if (host_pc > searched_pc) {
            goto found;
        }
    }
    return -1;

 found:
    if (tb->cflags & CF_USE_ICOUNT) {
        assert(use_icount);
        /* Reset the cycle counter to the start of the block.  */
        cpu->icount_decr.u16.low += num_insns;
        /* Clear the IO flag.  */
        cpu->can_do_io = 0;
    }
    cpu->icount_decr.u16.low -= i;
    restore_state_to_opc(env, tb, data);

#ifdef CONFIG_PROFILER
    atomic_set(&prof->restore_time,
               prof->restore_time + profile_getclock() - ti);
    atomic_set(&prof->restore_count, prof->restore_count + 1);
#endif
    return 0;
}

bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc)
{
    TranslationBlock *tb;
    bool r = false;
    uintptr_t check_offset;

    /* The host_pc has to be in the region of current code buffer. If
     * it is not we will not be able to resolve it here. The two cases
     * where host_pc will not be correct are:
     *
     *  - fault during translation (instruction fetch)
     *  - fault from helper (not using GETPC() macro)
     *
     * Either way we need return early to avoid blowing up on a
     * recursive tb_lock() as we can't resolve it here.
     *
     * We are using unsigned arithmetic so if host_pc <
     * tcg_init_ctx.code_gen_buffer check_offset will wrap to way
     * above the code_gen_buffer_size
     */
    check_offset = host_pc - (uintptr_t) tcg_init_ctx.code_gen_buffer;

    if (check_offset < tcg_init_ctx.code_gen_buffer_size) {
        tb_lock();
        tb = tb_find_pc(host_pc);
        if (tb) {
            cpu_restore_state_from_tb(cpu, tb, host_pc);
            if (tb->cflags & CF_NOCACHE) {
                /* one-shot translation, invalidate it immediately */
                tb_phys_invalidate(tb, -1);
                tb_remove(tb);
            }
            r = true;
        }
        tb_unlock();
    }

    return r;
}

static void page_init(void)
{
    page_size_init();
    page_table_config_init();

#if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY)
    {
#ifdef HAVE_KINFO_GETVMMAP
        struct kinfo_vmentry *freep;
        int i, cnt;

        freep = kinfo_getvmmap(getpid(), &cnt);
        if (freep) {
            mmap_lock();
            for (i = 0; i < cnt; i++) {
                unsigned long startaddr, endaddr;

                startaddr = freep[i].kve_start;
                endaddr = freep[i].kve_end;
                if (h2g_valid(startaddr)) {
                    startaddr = h2g(startaddr) & TARGET_PAGE_MASK;

                    if (h2g_valid(endaddr)) {
                        endaddr = h2g(endaddr);
                        page_set_flags(startaddr, endaddr, PAGE_RESERVED);
                    } else {
#if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS
                        endaddr = ~0ul;
                        page_set_flags(startaddr, endaddr, PAGE_RESERVED);
#endif
                    }
                }
            }
            free(freep);
            mmap_unlock();
        }
#else
        FILE *f;

        last_brk = (unsigned long)sbrk(0);

        f = fopen("/compat/linux/proc/self/maps", "r");
        if (f) {
            mmap_lock();

            do {
                unsigned long startaddr, endaddr;
                int n;

                n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr);

                if (n == 2 && h2g_valid(startaddr)) {
                    startaddr = h2g(startaddr) & TARGET_PAGE_MASK;

                    if (h2g_valid(endaddr)) {
                        endaddr = h2g(endaddr);
                    } else {
                        endaddr = ~0ul;
                    }
                    page_set_flags(startaddr, endaddr, PAGE_RESERVED);
                }
            } while (!feof(f));

            fclose(f);
            mmap_unlock();
        }
#endif
    }
#endif
}

/* If alloc=1:
 * Called with tb_lock held for system emulation.
 * Called with mmap_lock held for user-mode emulation.
 */
static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc)
{
    PageDesc *pd;
    void **lp;
    int i;

    if (alloc) {
        assert_memory_lock();
    }

    /* Level 1.  Always allocated.  */
    lp = l1_map + ((index >> v_l1_shift) & (v_l1_size - 1));

    /* Level 2..N-1.  */
    for (i = v_l2_levels; i > 0; i--) {
        void **p = atomic_rcu_read(lp);

        if (p == NULL) {
            if (!alloc) {
                return NULL;
            }
            p = g_new0(void *, V_L2_SIZE);
            atomic_rcu_set(lp, p);
        }

        lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1));
    }

    pd = atomic_rcu_read(lp);
    if (pd == NULL) {
        if (!alloc) {
            return NULL;
        }
        pd = g_new0(PageDesc, V_L2_SIZE);
        atomic_rcu_set(lp, pd);
    }

    return pd + (index & (V_L2_SIZE - 1));
}

static inline PageDesc *page_find(tb_page_addr_t index)
{
    return page_find_alloc(index, 0);
}

#if defined(CONFIG_USER_ONLY)
/* Currently it is not recommended to allocate big chunks of data in
   user mode. It will change when a dedicated libc will be used. */
/* ??? 64-bit hosts ought to have no problem mmapping data outside the
   region in which the guest needs to run.  Revisit this.  */
#define USE_STATIC_CODE_GEN_BUFFER
#endif

/* Minimum size of the code gen buffer.  This number is randomly chosen,
   but not so small that we can't have a fair number of TB's live.  */
#define MIN_CODE_GEN_BUFFER_SIZE     (1024u * 1024)

/* Maximum size of the code gen buffer we'd like to use.  Unless otherwise
   indicated, this is constrained by the range of direct branches on the
   host cpu, as used by the TCG implementation of goto_tb.  */
#if defined(__x86_64__)
# define MAX_CODE_GEN_BUFFER_SIZE  (2ul * 1024 * 1024 * 1024)
#elif defined(__sparc__)
# define MAX_CODE_GEN_BUFFER_SIZE  (2ul * 1024 * 1024 * 1024)
#elif defined(__powerpc64__)
# define MAX_CODE_GEN_BUFFER_SIZE  (2ul * 1024 * 1024 * 1024)
#elif defined(__powerpc__)
# define MAX_CODE_GEN_BUFFER_SIZE  (32u * 1024 * 1024)
#elif defined(__aarch64__)
# define MAX_CODE_GEN_BUFFER_SIZE  (2ul * 1024 * 1024 * 1024)
#elif defined(__s390x__)
  /* We have a +- 4GB range on the branches; leave some slop.  */
# define MAX_CODE_GEN_BUFFER_SIZE  (3ul * 1024 * 1024 * 1024)
#elif defined(__mips__)
  /* We have a 256MB branch region, but leave room to make sure the
     main executable is also within that region.  */
# define MAX_CODE_GEN_BUFFER_SIZE  (128ul * 1024 * 1024)
#else
# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
#endif

#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024)

#define DEFAULT_CODE_GEN_BUFFER_SIZE \
  (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
   ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)

static inline size_t size_code_gen_buffer(size_t tb_size)
{
    /* Size the buffer.  */
    if (tb_size == 0) {
#ifdef USE_STATIC_CODE_GEN_BUFFER
        tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
#else
        /* ??? Needs adjustments.  */
        /* ??? If we relax the requirement that CONFIG_USER_ONLY use the
           static buffer, we could size this on RESERVED_VA, on the text
           segment size of the executable, or continue to use the default.  */
        tb_size = (unsigned long)(ram_size / 4);
#endif
    }
    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
    }
    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
    }
    return tb_size;
}
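/* Illustrative sketch (not part of the original file): how the clamping in
 * size_code_gen_buffer() behaves.  The concrete numbers assume a 64-bit
 * x86_64 host, where MAX_CODE_GEN_BUFFER_SIZE is 2 GiB.
 */
#if 0
static void size_code_gen_buffer_example(void)
{
    /* Requests below the minimum are rounded up to 1 MiB. */
    assert(size_code_gen_buffer(64 * 1024) == MIN_CODE_GEN_BUFFER_SIZE);
    /* Requests above the maximum are clamped. */
    assert(size_code_gen_buffer((size_t)8 * 1024 * 1024 * 1024)
           == MAX_CODE_GEN_BUFFER_SIZE);
    /* 0 selects the default; the result is always within [MIN, MAX]. */
    assert(size_code_gen_buffer(0) >= MIN_CODE_GEN_BUFFER_SIZE);
}
#endif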
#ifdef __mips__
/* In order to use J and JAL within the code_gen_buffer, we require
   that the buffer not cross a 256MB boundary.  */
static inline bool cross_256mb(void *addr, size_t size)
{
    return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
}

/* We weren't able to allocate a buffer without crossing that boundary,
   so make do with the larger portion of the buffer that doesn't cross.
   Returns the new base of the buffer, and adjusts code_gen_buffer_size.  */
static inline void *split_cross_256mb(void *buf1, size_t size1)
{
    void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
    size_t size2 = buf1 + size1 - buf2;

    size1 = buf2 - buf1;
    if (size1 < size2) {
        size1 = size2;
        buf1 = buf2;
    }

    tcg_ctx->code_gen_buffer_size = size1;
    return buf1;
}
#endif

#ifdef USE_STATIC_CODE_GEN_BUFFER
static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
    __attribute__((aligned(CODE_GEN_ALIGN)));

static inline void *alloc_code_gen_buffer(void)
{
    void *buf = static_code_gen_buffer;
    void *end = static_code_gen_buffer + sizeof(static_code_gen_buffer);
    size_t size;

    /* page-align the beginning and end of the buffer */
    buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size);
    end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size);

    size = end - buf;

    /* Honor a command-line option limiting the size of the buffer.  */
    if (size > tcg_ctx->code_gen_buffer_size) {
        size = QEMU_ALIGN_DOWN(tcg_ctx->code_gen_buffer_size,
                               qemu_real_host_page_size);
    }
    tcg_ctx->code_gen_buffer_size = size;

#ifdef __mips__
    if (cross_256mb(buf, size)) {
        buf = split_cross_256mb(buf, size);
        size = tcg_ctx->code_gen_buffer_size;
    }
#endif

    if (qemu_mprotect_rwx(buf, size)) {
        abort();
    }
    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);

    return buf;
}
#elif defined(_WIN32)
static inline void *alloc_code_gen_buffer(void)
{
    size_t size = tcg_ctx->code_gen_buffer_size;
    void *buf;

    buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
                       PAGE_EXECUTE_READWRITE);
    return buf;
}
#else
static inline void *alloc_code_gen_buffer(void)
{
    int prot = PROT_WRITE | PROT_READ | PROT_EXEC;
    int flags = MAP_PRIVATE | MAP_ANONYMOUS;
    uintptr_t start = 0;
    size_t size = tcg_ctx->code_gen_buffer_size;
    void *buf;

    /* Constrain the position of the buffer based on the host cpu.
       Note that these addresses are chosen in concert with the
       addresses assigned in the relevant linker script file.  */
# if defined(__PIE__) || defined(__PIC__)
    /* Don't bother setting a preferred location if we're building
       a position-independent executable.  We're more likely to get
       an address near the main executable if we let the kernel
       choose the address.  */
# elif defined(__x86_64__) && defined(MAP_32BIT)
    /* Force the memory down into low memory with the executable.
       Leave the choice of exact location with the kernel.  */
    flags |= MAP_32BIT;
    /* Cannot expect to map more than 800MB in low memory.  */
    if (size > 800u * 1024 * 1024) {
        tcg_ctx->code_gen_buffer_size = size = 800u * 1024 * 1024;
    }
# elif defined(__sparc__)
    start = 0x40000000ul;
# elif defined(__s390x__)
    start = 0x90000000ul;
# elif defined(__mips__)
#  if _MIPS_SIM == _ABI64
    start = 0x128000000ul;
#  else
    start = 0x08000000ul;
#  endif
# endif

    buf = mmap((void *)start, size, prot, flags, -1, 0);
    if (buf == MAP_FAILED) {
        return NULL;
    }

#ifdef __mips__
    if (cross_256mb(buf, size)) {
        /* Try again, with the original still mapped, to avoid re-acquiring
           that 256mb crossing.  This time don't specify an address.  */
        size_t size2;
        void *buf2 = mmap(NULL, size, prot, flags, -1, 0);
        switch ((int)(buf2 != MAP_FAILED)) {
        case 1:
            if (!cross_256mb(buf2, size)) {
                /* Success!  Use the new buffer.  */
                munmap(buf, size);
                break;
            }
            /* Failure.  Work with what we had.  */
            munmap(buf2, size);
            /* fallthru */
        default:
            /* Split the original buffer.  Free the smaller half.  */
            buf2 = split_cross_256mb(buf, size);
            size2 = tcg_ctx->code_gen_buffer_size;
            if (buf == buf2) {
                munmap(buf + size2, size - size2);
            } else {
                munmap(buf, size - size2);
            }
            size = size2;
            break;
        }
        buf = buf2;
    }
#endif

    /* Request large pages for the buffer.  */
    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);

    return buf;
}
#endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */

/* compare a pointer @ptr and a tb_tc @s */
static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
{
    if (ptr >= s->ptr + s->size) {
        return 1;
    } else if (ptr < s->ptr) {
        return -1;
    }
    return 0;
}

static gint tb_tc_cmp(gconstpointer ap, gconstpointer bp)
{
    const struct tb_tc *a = ap;
    const struct tb_tc *b = bp;

    /*
     * When both sizes are set, we know this isn't a lookup.
     * This is the most likely case: every TB must be inserted; lookups
     * are a lot less frequent.
     */
    if (likely(a->size && b->size)) {
        if (a->ptr > b->ptr) {
            return 1;
        } else if (a->ptr < b->ptr) {
            return -1;
        }
        /* a->ptr == b->ptr should happen only on deletions */
        g_assert(a->size == b->size);
        return 0;
    }
    /*
     * All lookups have one of the .size fields set to 0.
     * From the glib sources we see that @ap is always the lookup key. However
     * the docs provide no guarantee, so we just mark this case as likely.
     */
    if (likely(a->size == 0)) {
        return ptr_cmp_tb_tc(a->ptr, b);
    }
    return ptr_cmp_tb_tc(b->ptr, a);
}

static inline void code_gen_alloc(size_t tb_size)
{
    tcg_ctx->code_gen_buffer_size = size_code_gen_buffer(tb_size);
    tcg_ctx->code_gen_buffer = alloc_code_gen_buffer();
    if (tcg_ctx->code_gen_buffer == NULL) {
        fprintf(stderr, "Could not allocate dynamic translator buffer\n");
        exit(1);
    }
    tb_ctx.tb_tree = g_tree_new(tb_tc_cmp);
    qemu_mutex_init(&tb_ctx.tb_lock);
}

static void tb_htable_init(void)
{
    unsigned int mode = QHT_MODE_AUTO_RESIZE;

    qht_init(&tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode);
}

/* Must be called before using the QEMU cpus. 'tb_size' is the size
   (in bytes) allocated to the translation buffer. Zero means default
   size. */
void tcg_exec_init(unsigned long tb_size)
{
    tcg_allowed = true;
    cpu_gen_init();
    page_init();
    tb_htable_init();
    code_gen_alloc(tb_size);
#if defined(CONFIG_SOFTMMU)
    /* There's no guest base to take into account, so go ahead and
       initialize the prologue now.  */
    tcg_prologue_init(tcg_ctx);
#endif
}

/*
 * Allocate a new translation block. Flush the translation buffer if
 * too many translation blocks or too much generated code.
 *
 * Called with tb_lock held.
 */
static TranslationBlock *tb_alloc(target_ulong pc)
{
    TranslationBlock *tb;

    assert_tb_locked();

    tb = tcg_tb_alloc(tcg_ctx);
    if (unlikely(tb == NULL)) {
        return NULL;
    }
    return tb;
}

/* Called with tb_lock held.  */
void tb_remove(TranslationBlock *tb)
{
    assert_tb_locked();

    g_tree_remove(tb_ctx.tb_tree, &tb->tc);
}

static inline void invalidate_page_bitmap(PageDesc *p)
{
#ifdef CONFIG_SOFTMMU
    g_free(p->code_bitmap);
    p->code_bitmap = NULL;
    p->code_write_count = 0;
#endif
}

/* Set to NULL all the 'first_tb' fields in all PageDescs. */
static void page_flush_tb_1(int level, void **lp)
{
    int i;

    if (*lp == NULL) {
        return;
    }
    if (level == 0) {
        PageDesc *pd = *lp;

        for (i = 0; i < V_L2_SIZE; ++i) {
            pd[i].first_tb = NULL;
            invalidate_page_bitmap(pd + i);
        }
    } else {
        void **pp = *lp;

        for (i = 0; i < V_L2_SIZE; ++i) {
            page_flush_tb_1(level - 1, pp + i);
        }
    }
}

static void page_flush_tb(void)
{
    int i, l1_sz = v_l1_size;

    for (i = 0; i < l1_sz; i++) {
        page_flush_tb_1(v_l2_levels, l1_map + i);
    }
}

static gboolean tb_host_size_iter(gpointer key, gpointer value, gpointer data)
{
    const TranslationBlock *tb = value;
    size_t *size = data;

    *size += tb->tc.size;
    return false;
}

/* flush all the translation blocks */
static void do_tb_flush(CPUState *cpu, run_on_cpu_data tb_flush_count)
{
    tb_lock();

    /* If it has already been done on request of another CPU,
     * just retry.
     */
    if (tb_ctx.tb_flush_count != tb_flush_count.host_int) {
        goto done;
    }

    if (DEBUG_TB_FLUSH_GATE) {
        size_t nb_tbs = g_tree_nnodes(tb_ctx.tb_tree);
        size_t host_size = 0;

        g_tree_foreach(tb_ctx.tb_tree, tb_host_size_iter, &host_size);
        printf("qemu: flush code_size=%zu nb_tbs=%zu avg_tb_size=%zu\n",
               tcg_code_size(), nb_tbs, nb_tbs > 0 ? host_size / nb_tbs : 0);
    }

    CPU_FOREACH(cpu) {
        cpu_tb_jmp_cache_clear(cpu);
    }

    /* Increment the refcount first so that destroy acts as a reset */
    g_tree_ref(tb_ctx.tb_tree);
    g_tree_destroy(tb_ctx.tb_tree);

    qht_reset_size(&tb_ctx.htable, CODE_GEN_HTABLE_SIZE);
    page_flush_tb();

    tcg_region_reset_all();
    /* XXX: flush processor icache at this point if cache flush is
       expensive */
    atomic_mb_set(&tb_ctx.tb_flush_count, tb_ctx.tb_flush_count + 1);

done:
    tb_unlock();
}

void tb_flush(CPUState *cpu)
{
    if (tcg_enabled()) {
        unsigned tb_flush_count = atomic_mb_read(&tb_ctx.tb_flush_count);
        async_safe_run_on_cpu(cpu, do_tb_flush,
                              RUN_ON_CPU_HOST_INT(tb_flush_count));
    }
}

/*
 * Formerly ifdef DEBUG_TB_CHECK.  These debug functions are user-mode-only,
 * so in order to prevent bit rot we compile them unconditionally in user-mode,
 * and let the optimizer get rid of them by wrapping their user-only callers
 * with if (DEBUG_TB_CHECK_GATE).
 */
#ifdef CONFIG_USER_ONLY

static void
do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp)
{
    TranslationBlock *tb = p;
    target_ulong addr = *(target_ulong *)userp;

    if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) {
        printf("ERROR invalidate: address=" TARGET_FMT_lx
               " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size);
    }
}

/* verify that all the pages have correct rights for code
 *
 * Called with tb_lock held.
 */
static void tb_invalidate_check(target_ulong address)
{
    address &= TARGET_PAGE_MASK;
    qht_iter(&tb_ctx.htable, do_tb_invalidate_check, &address);
}

static void
do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp)
{
    TranslationBlock *tb = p;
    int flags1, flags2;

    flags1 = page_get_flags(tb->pc);
    flags2 = page_get_flags(tb->pc + tb->size - 1);
    if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
        printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
               (long)tb->pc, tb->size, flags1, flags2);
    }
}

/* verify that all the pages have correct rights for code */
static void tb_page_check(void)
{
    qht_iter(&tb_ctx.htable, do_tb_page_check, NULL);
}

#endif /* CONFIG_USER_ONLY */

static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
{
    TranslationBlock *tb1;
    unsigned int n1;

    for (;;) {
        tb1 = *ptb;
        n1 = (uintptr_t)tb1 & 3;
        tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3);
        if (tb1 == tb) {
            *ptb = tb1->page_next[n1];
            break;
        }
        ptb = &tb1->page_next[n1];
    }
}

/* remove the TB from a list of TBs jumping to the n-th jump target of the TB */
static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n)
{
    TranslationBlock *tb1;
    uintptr_t *ptb, ntb;
    unsigned int n1;

    ptb = &tb->jmp_list_next[n];
    if (*ptb) {
        /* find tb(n) in circular list */
        for (;;) {
            ntb = *ptb;
            n1 = ntb & 3;
            tb1 = (TranslationBlock *)(ntb & ~3);
            if (n1 == n && tb1 == tb) {
                break;
            }
            if (n1 == 2) {
                ptb = &tb1->jmp_list_first;
            } else {
                ptb = &tb1->jmp_list_next[n1];
            }
        }
        /* now we can suppress tb(n) from the list */
        *ptb = tb->jmp_list_next[n];

        tb->jmp_list_next[n] = (uintptr_t)NULL;
    }
}

/* reset the jump entry 'n' of a TB so that it is not chained to
   another TB */
static inline void tb_reset_jump(TranslationBlock *tb, int n)
{
    uintptr_t addr = (uintptr_t)(tb->tc.ptr + tb->jmp_reset_offset[n]);
    tb_set_jmp_target(tb, n, addr);
}

/* remove any jumps to the TB */
static inline void tb_jmp_unlink(TranslationBlock *tb)
{
    TranslationBlock *tb1;
    uintptr_t *ptb, ntb;
    unsigned int n1;

    ptb = &tb->jmp_list_first;
    for (;;) {
        ntb = *ptb;
        n1 = ntb & 3;
        tb1 = (TranslationBlock *)(ntb & ~3);
        if (n1 == 2) {
            break;
        }
        tb_reset_jump(tb1, n1);
        *ptb = tb1->jmp_list_next[n1];
        tb1->jmp_list_next[n1] = (uintptr_t)NULL;
    }
}
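/* Illustrative sketch (not part of the original file): the jump lists and
 * page lists above store a small index in the low two bits of each pointer,
 * which is why the walkers mask with 3 and ~3; the value 2 marks the list
 * head (tb->jmp_list_first).  Packing and unpacking look like this.
 */
#if 0
static void tagged_pointer_example(TranslationBlock *tb)
{
    /* Pack "tb, jump slot 1" into a single word... */
    uintptr_t entry = (uintptr_t)tb | 1;

    /* ...and unpack it again, exactly as tb_jmp_unlink() does. */
    unsigned int slot = entry & 3;                              /* == 1 */
    TranslationBlock *ptr = (TranslationBlock *)(entry & ~3);   /* == tb */

    assert(slot == 1 && ptr == tb);
}
#endif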
/* invalidate one TB
 *
 * Called with tb_lock held.
 */
void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr)
{
    CPUState *cpu;
    PageDesc *p;
    uint32_t h;
    tb_page_addr_t phys_pc;

    assert_tb_locked();

    atomic_set(&tb->cflags, tb->cflags | CF_INVALID);

    /* remove the TB from the hash list */
    phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
    h = tb_hash_func(phys_pc, tb->pc, tb->flags, tb->cflags & CF_HASH_MASK,
                     tb->trace_vcpu_dstate);
    if (!qht_remove(&tb_ctx.htable, tb, h)) {
        return;
    }

    /* remove the TB from the page list */
    if (tb->page_addr[0] != page_addr) {
        p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
        tb_page_remove(&p->first_tb, tb);
        invalidate_page_bitmap(p);
    }
    if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
        p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
        tb_page_remove(&p->first_tb, tb);
        invalidate_page_bitmap(p);
    }

    /* remove the TB from the hash list */
    h = tb_jmp_cache_hash_func(tb->pc);
    CPU_FOREACH(cpu) {
        if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) {
            atomic_set(&cpu->tb_jmp_cache[h], NULL);
        }
    }

    /* suppress this TB from the two jump lists */
    tb_remove_from_jmp_list(tb, 0);
    tb_remove_from_jmp_list(tb, 1);

    /* suppress any remaining jumps to this TB */
    tb_jmp_unlink(tb);

    tb_ctx.tb_phys_invalidate_count++;
}

#ifdef CONFIG_SOFTMMU
static void build_page_bitmap(PageDesc *p)
{
    int n, tb_start, tb_end;
    TranslationBlock *tb;

    p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE);

    tb = p->first_tb;
    while (tb != NULL) {
        n = (uintptr_t)tb & 3;
        tb = (TranslationBlock *)((uintptr_t)tb & ~3);
        /* NOTE: this is subtle as a TB may span two physical pages */
        if (n == 0) {
            /* NOTE: tb_end may be after the end of the page, but
               it is not a problem */
            tb_start = tb->pc & ~TARGET_PAGE_MASK;
            tb_end = tb_start + tb->size;
            if (tb_end > TARGET_PAGE_SIZE) {
                tb_end = TARGET_PAGE_SIZE;
            }
        } else {
            tb_start = 0;
            tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
        }
        bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start);
        tb = tb->page_next[n];
    }
}
#endif
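/* Illustrative sketch (not part of the original file): what build_page_bitmap()
 * computes for a TB that starts at page offset 0xff0 and covers 0x20 guest
 * bytes, assuming 4 KiB target pages.  On the first page (n == 0) the span is
 * clipped to the page, so bits [0xff0, 0x1000) are set; on the second page
 * (n == 1) the span runs from offset 0 to (pc + size) & ~TARGET_PAGE_MASK,
 * so bits [0, 0x10) are set there.
 */
#if 0
static void code_bitmap_example(void)
{
    int tb_size  = 0x20;
    int tb_start = 0xff0;                    /* pc & ~TARGET_PAGE_MASK */
    int tb_end   = tb_start + tb_size;       /* 0x1010, past the page end */

    if (tb_end > TARGET_PAGE_SIZE) {
        tb_end = TARGET_PAGE_SIZE;           /* clipped to 0x1000 */
    }
    assert(tb_end - tb_start == 0x10);       /* 16 bits set on page 1 */
    /* span on page 2: (pc + size) & ~TARGET_PAGE_MASK == 0x10 */
    assert(((0xff0 + tb_size) & ~TARGET_PAGE_MASK) == 0x10);
}
#endif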
/* add the tb in the target page and protect it if necessary
 *
 * Called with mmap_lock held for user-mode emulation.
 */
static inline void tb_alloc_page(TranslationBlock *tb,
                                 unsigned int n, tb_page_addr_t page_addr)
{
    PageDesc *p;
#ifndef CONFIG_USER_ONLY
    bool page_already_protected;
#endif

    assert_memory_lock();

    tb->page_addr[n] = page_addr;
    p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1);
    tb->page_next[n] = p->first_tb;
#ifndef CONFIG_USER_ONLY
    page_already_protected = p->first_tb != NULL;
#endif
    p->first_tb = (TranslationBlock *)((uintptr_t)tb | n);
    invalidate_page_bitmap(p);

#if defined(CONFIG_USER_ONLY)
    if (p->flags & PAGE_WRITE) {
        target_ulong addr;
        PageDesc *p2;
        int prot;

        /* force the host page as non writable (writes will have a
           page fault + mprotect overhead) */
        page_addr &= qemu_host_page_mask;
        prot = 0;
        for (addr = page_addr; addr < page_addr + qemu_host_page_size;
             addr += TARGET_PAGE_SIZE) {

            p2 = page_find(addr >> TARGET_PAGE_BITS);
            if (!p2) {
                continue;
            }
            prot |= p2->flags;
            p2->flags &= ~PAGE_WRITE;
        }
        mprotect(g2h(page_addr), qemu_host_page_size,
                 (prot & PAGE_BITS) & ~PAGE_WRITE);
        if (DEBUG_TB_INVALIDATE_GATE) {
            printf("protecting code page: 0x" TB_PAGE_ADDR_FMT "\n", page_addr);
        }
    }
#else
    /* if some code is already present, then the pages are already
       protected. So we handle the case where only the first TB is
       allocated in a physical page */
    if (!page_already_protected) {
        tlb_protect_code(page_addr);
    }
#endif
}

/* add a new TB and link it to the physical page tables. phys_page2 is
 * (-1) to indicate that only one page contains the TB.
 *
 * Called with mmap_lock held for user-mode emulation.
 */
static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
                         tb_page_addr_t phys_page2)
{
    uint32_t h;

    assert_memory_lock();

    /* add in the page list */
    tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
    if (phys_page2 != -1) {
        tb_alloc_page(tb, 1, phys_page2);
    } else {
        tb->page_addr[1] = -1;
    }

    /* add in the hash table */
    h = tb_hash_func(phys_pc, tb->pc, tb->flags, tb->cflags & CF_HASH_MASK,
                     tb->trace_vcpu_dstate);
    qht_insert(&tb_ctx.htable, tb, h);

#ifdef CONFIG_USER_ONLY
    if (DEBUG_TB_CHECK_GATE) {
        tb_page_check();
    }
#endif
}

/* Called with mmap_lock held for user mode emulation.  */
TranslationBlock *tb_gen_code(CPUState *cpu,
                              target_ulong pc, target_ulong cs_base,
                              uint32_t flags, int cflags)
{
    CPUArchState *env = cpu->env_ptr;
    TranslationBlock *tb;
    tb_page_addr_t phys_pc, phys_page2;
    target_ulong virt_page2;
    tcg_insn_unit *gen_code_buf;
    int gen_code_size, search_size;
#ifdef CONFIG_PROFILER
    TCGProfile *prof = &tcg_ctx->prof;
    int64_t ti;
#endif
    assert_memory_lock();

    phys_pc = get_page_addr_code(env, pc);

 buffer_overflow:
    tb = tb_alloc(pc);
    if (unlikely(!tb)) {
        /* flush must be done */
        tb_flush(cpu);
        mmap_unlock();
        /* Make the execution loop process the flush as soon as possible.  */
        cpu->exception_index = EXCP_INTERRUPT;
        cpu_loop_exit(cpu);
    }

    gen_code_buf = tcg_ctx->code_gen_ptr;
    tb->tc.ptr = gen_code_buf;
    tb->pc = pc;
    tb->cs_base = cs_base;
    tb->flags = flags;
    tb->cflags = cflags;
    tb->trace_vcpu_dstate = *cpu->trace_dstate;
    tcg_ctx->tb_cflags = cflags;

#ifdef CONFIG_PROFILER
    /* includes aborted translations because of exceptions */
    atomic_set(&prof->tb_count1, prof->tb_count1 + 1);
    ti = profile_getclock();
#endif

    tcg_func_start(tcg_ctx);

    tcg_ctx->cpu = ENV_GET_CPU(env);
    gen_intermediate_code(cpu, tb);
    tcg_ctx->cpu = NULL;

    trace_translate_block(tb, tb->pc, tb->tc.ptr);

    /* generate machine code */
    tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID;
    tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID;
    tcg_ctx->tb_jmp_reset_offset = tb->jmp_reset_offset;
    if (TCG_TARGET_HAS_direct_jump) {
        tcg_ctx->tb_jmp_insn_offset = tb->jmp_target_arg;
        tcg_ctx->tb_jmp_target_addr = NULL;
    } else {
        tcg_ctx->tb_jmp_insn_offset = NULL;
        tcg_ctx->tb_jmp_target_addr = tb->jmp_target_arg;
    }

#ifdef CONFIG_PROFILER
    atomic_set(&prof->tb_count, prof->tb_count + 1);
    atomic_set(&prof->interm_time, prof->interm_time + profile_getclock() - ti);
    ti = profile_getclock();
#endif

    /* ??? Overflow could be handled better here.  In particular, we
       don't need to re-do gen_intermediate_code, nor should we re-do
       the tcg optimization currently hidden inside tcg_gen_code.  All
       that should be required is to flush the TBs, allocate a new TB,
       re-initialize it per above, and re-do the actual code generation.  */
    gen_code_size = tcg_gen_code(tcg_ctx, tb);
    if (unlikely(gen_code_size < 0)) {
        goto buffer_overflow;
    }
    search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size);
    if (unlikely(search_size < 0)) {
        goto buffer_overflow;
    }
    tb->tc.size = gen_code_size;

#ifdef CONFIG_PROFILER
    atomic_set(&prof->code_time, prof->code_time + profile_getclock() - ti);
    atomic_set(&prof->code_in_len, prof->code_in_len + tb->size);
    atomic_set(&prof->code_out_len, prof->code_out_len + gen_code_size);
    atomic_set(&prof->search_out_len, prof->search_out_len + search_size);
#endif

#ifdef DEBUG_DISAS
    if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) &&
        qemu_log_in_addr_range(tb->pc)) {
        qemu_log_lock();
        qemu_log("OUT: [size=%d]\n", gen_code_size);
        if (tcg_ctx->data_gen_ptr) {
            size_t code_size = tcg_ctx->data_gen_ptr - tb->tc.ptr;
            size_t data_size = gen_code_size - code_size;
            size_t i;

            log_disas(tb->tc.ptr, code_size);

            for (i = 0; i < data_size; i += sizeof(tcg_target_ulong)) {
                if (sizeof(tcg_target_ulong) == 8) {
                    qemu_log("0x%08" PRIxPTR ": .quad 0x%016" PRIx64 "\n",
                             (uintptr_t)tcg_ctx->data_gen_ptr + i,
                             *(uint64_t *)(tcg_ctx->data_gen_ptr + i));
                } else {
                    qemu_log("0x%08" PRIxPTR ": .long 0x%08x\n",
                             (uintptr_t)tcg_ctx->data_gen_ptr + i,
                             *(uint32_t *)(tcg_ctx->data_gen_ptr + i));
                }
            }
        } else {
            log_disas(tb->tc.ptr, gen_code_size);
        }
        qemu_log("\n");
        qemu_log_flush();
        qemu_log_unlock();
    }
#endif

    atomic_set(&tcg_ctx->code_gen_ptr, (void *)
        ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size,
                 CODE_GEN_ALIGN));

    /* init jump list */
    assert(((uintptr_t)tb & 3) == 0);
    tb->jmp_list_first = (uintptr_t)tb | 2;
    tb->jmp_list_next[0] = (uintptr_t)NULL;
    tb->jmp_list_next[1] = (uintptr_t)NULL;

    /* init original jump addresses which have been set during tcg_gen_code() */
    if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
        tb_reset_jump(tb, 0);
    }
    if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
        tb_reset_jump(tb, 1);
    }

    /* check next page if needed */
    virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
    phys_page2 = -1;
    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
        phys_page2 = get_page_addr_code(env, virt_page2);
    }
    /* As long as consistency of the TB stuff is provided by tb_lock in user
     * mode and is implicit in single-threaded softmmu emulation, no explicit
     * memory barrier is required before tb_link_page() makes the TB visible
     * through the physical hash table and physical page list.
     */
    tb_link_page(tb, phys_pc, phys_page2);
    g_tree_insert(tb_ctx.tb_tree, &tb->tc, tb);
    return tb;
}

/*
 * Invalidate all TBs which intersect with the target physical address range
 * [start;end[. NOTE: start and end may refer to *different* physical pages.
 * 'is_cpu_write_access' should be true if called from a real cpu write
 * access: the virtual CPU will exit the current TB if code is modified inside
 * this TB.
 *
 * Called with mmap_lock held for user-mode emulation, grabs tb_lock
 * Called with tb_lock held for system-mode emulation
 */
static void tb_invalidate_phys_range_1(tb_page_addr_t start, tb_page_addr_t end)
{
    while (start < end) {
        tb_invalidate_phys_page_range(start, end, 0);
        start &= TARGET_PAGE_MASK;
        start += TARGET_PAGE_SIZE;
    }
}

#ifdef CONFIG_SOFTMMU
void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
{
    assert_tb_locked();
    tb_invalidate_phys_range_1(start, end);
}
#else
void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
{
    assert_memory_lock();
    tb_lock();
    tb_invalidate_phys_range_1(start, end);
    tb_unlock();
}
#endif
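/* Illustrative sketch (not part of the original file): how
 * tb_invalidate_phys_range_1() walks a multi-page range.  Assuming 4 KiB
 * target pages, invalidating [0x1234, 0x3000) issues one per-page call for
 * the page containing 0x1234 and one for the page at 0x2000; after each
 * call the start address is rounded down to its page and advanced one page.
 */
#if 0
static void invalidate_range_example(void)
{
    /* Equivalent to:
     *   tb_invalidate_phys_page_range(0x1234, 0x3000, 0);
     *   tb_invalidate_phys_page_range(0x2000, 0x3000, 0);
     */
    tb_invalidate_phys_range_1(0x1234, 0x3000);
}
#endif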
/*
 * Invalidate all TBs which intersect with the target physical address range
 * [start;end[. NOTE: start and end must refer to the *same* physical page.
 * 'is_cpu_write_access' should be true if called from a real cpu write
 * access: the virtual CPU will exit the current TB if code is modified inside
 * this TB.
 *
 * Called with tb_lock/mmap_lock held for user-mode emulation
 * Called with tb_lock held for system-mode emulation
 */
void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
                                   int is_cpu_write_access)
{
    TranslationBlock *tb, *tb_next;
    tb_page_addr_t tb_start, tb_end;
    PageDesc *p;
    int n;
#ifdef TARGET_HAS_PRECISE_SMC
    CPUState *cpu = current_cpu;
    CPUArchState *env = NULL;
    int current_tb_not_found = is_cpu_write_access;
    TranslationBlock *current_tb = NULL;
    int current_tb_modified = 0;
    target_ulong current_pc = 0;
    target_ulong current_cs_base = 0;
    uint32_t current_flags = 0;
#endif /* TARGET_HAS_PRECISE_SMC */

    assert_memory_lock();
    assert_tb_locked();

    p = page_find(start >> TARGET_PAGE_BITS);
    if (!p) {
        return;
    }
#if defined(TARGET_HAS_PRECISE_SMC)
    if (cpu != NULL) {
        env = cpu->env_ptr;
    }
#endif

    /* we remove all the TBs in the range [start, end[ */
    /* XXX: see if in some cases it could be faster to invalidate all
       the code */
    tb = p->first_tb;
    while (tb != NULL) {
        n = (uintptr_t)tb & 3;
        tb = (TranslationBlock *)((uintptr_t)tb & ~3);
        tb_next = tb->page_next[n];
        /* NOTE: this is subtle as a TB may span two physical pages */
        if (n == 0) {
            /* NOTE: tb_end may be after the end of the page, but
               it is not a problem */
            tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
            tb_end = tb_start + tb->size;
        } else {
            tb_start = tb->page_addr[1];
            tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
        }
        if (!(tb_end <= start || tb_start >= end)) {
#ifdef TARGET_HAS_PRECISE_SMC
            if (current_tb_not_found) {
                current_tb_not_found = 0;
                current_tb = NULL;
                if (cpu->mem_io_pc) {
                    /* now we have a real cpu fault */
                    current_tb = tb_find_pc(cpu->mem_io_pc);
                }
            }
            if (current_tb == tb &&
                (current_tb->cflags & CF_COUNT_MASK) != 1) {
                /* If we are modifying the current TB, we must stop
                   its execution. We could be more precise by checking
                   that the modification is after the current PC, but it
                   would require a specialized function to partially
                   restore the CPU state */

                current_tb_modified = 1;
                cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
                cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                     &current_flags);
            }
#endif /* TARGET_HAS_PRECISE_SMC */
            tb_phys_invalidate(tb, -1);
        }
        tb = tb_next;
    }
#if !defined(CONFIG_USER_ONLY)
    /* if no code remaining, no need to continue to use slow writes */
    if (!p->first_tb) {
        invalidate_page_bitmap(p);
        tlb_unprotect_code(start);
    }
#endif
#ifdef TARGET_HAS_PRECISE_SMC
    if (current_tb_modified) {
        /* Force execution of one insn next time.  */
        cpu->cflags_next_tb = 1 | curr_cflags();
        cpu_loop_exit_noexc(cpu);
    }
#endif
}

#ifdef CONFIG_SOFTMMU
/* len must be <= 8 and start must be a multiple of len.
 * Called via softmmu_template.h when code areas are written to with
 * iothread mutex not held.
 */
void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len)
{
    PageDesc *p;

#if 0
    if (1) {
        qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
                 cpu_single_env->mem_io_vaddr, len,
                 cpu_single_env->eip,
                 cpu_single_env->eip +
                 (intptr_t)cpu_single_env->segs[R_CS].base);
    }
#endif
    assert_memory_lock();

    p = page_find(start >> TARGET_PAGE_BITS);
    if (!p) {
        return;
    }
    if (!p->code_bitmap &&
        ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) {
        /* build code bitmap.  FIXME: writes should be protected by
         * tb_lock, reads by tb_lock or RCU.
         */
        build_page_bitmap(p);
    }
    if (p->code_bitmap) {
        unsigned int nr;
        unsigned long b;

        nr = start & ~TARGET_PAGE_MASK;
        b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1));
        if (b & ((1 << len) - 1)) {
            goto do_invalidate;
        }
    } else {
    do_invalidate:
        tb_invalidate_phys_page_range(start, start + len, 1);
    }
}
#else
/* Called with mmap_lock held. If pc is not 0 then it indicates the
 * host PC of the faulting store instruction that caused this invalidate.
 * Returns true if the caller needs to abort execution of the current
 * TB (because it was modified by this store and the guest CPU has
 * precise-SMC semantics).
 */
static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
{
    TranslationBlock *tb;
    PageDesc *p;
    int n;
#ifdef TARGET_HAS_PRECISE_SMC
    TranslationBlock *current_tb = NULL;
    CPUState *cpu = current_cpu;
    CPUArchState *env = NULL;
    int current_tb_modified = 0;
    target_ulong current_pc = 0;
    target_ulong current_cs_base = 0;
    uint32_t current_flags = 0;
#endif

    assert_memory_lock();

    addr &= TARGET_PAGE_MASK;
    p = page_find(addr >> TARGET_PAGE_BITS);
    if (!p) {
        return false;
    }

    tb_lock();
    tb = p->first_tb;
#ifdef TARGET_HAS_PRECISE_SMC
    if (tb && pc != 0) {
        current_tb = tb_find_pc(pc);
    }
    if (cpu != NULL) {
        env = cpu->env_ptr;
    }
#endif
    while (tb != NULL) {
        n = (uintptr_t)tb & 3;
        tb = (TranslationBlock *)((uintptr_t)tb & ~3);
#ifdef TARGET_HAS_PRECISE_SMC
        if (current_tb == tb &&
            (current_tb->cflags & CF_COUNT_MASK) != 1) {
            /* If we are modifying the current TB, we must stop
               its execution. We could be more precise by checking
               that the modification is after the current PC, but it
               would require a specialized function to partially
               restore the CPU state */

            current_tb_modified = 1;
            cpu_restore_state_from_tb(cpu, current_tb, pc);
            cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                 &current_flags);
        }
#endif /* TARGET_HAS_PRECISE_SMC */
        tb_phys_invalidate(tb, addr);
        tb = tb->page_next[n];
    }
    p->first_tb = NULL;
#ifdef TARGET_HAS_PRECISE_SMC
    if (current_tb_modified) {
        /* Force execution of one insn next time.  */
        cpu->cflags_next_tb = 1 | curr_cflags();
        /* tb_lock will be reset after cpu_loop_exit_noexc longjmps
         * back into the cpu_exec loop. */
        return true;
    }
#endif
    tb_unlock();

    return false;
}
#endif

/*
 * Find the TB 'tb' such that
 * tb->tc.ptr <= tc_ptr < tb->tc.ptr + tb->tc.size
 * Return NULL if not found.
 */
1666 */ 1667 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr) 1668 { 1669 struct tb_tc s = { .ptr = (void *)tc_ptr }; 1670 1671 return g_tree_lookup(tb_ctx.tb_tree, &s); 1672 } 1673 1674 #if !defined(CONFIG_USER_ONLY) 1675 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr) 1676 { 1677 ram_addr_t ram_addr; 1678 MemoryRegion *mr; 1679 hwaddr l = 1; 1680 1681 rcu_read_lock(); 1682 mr = address_space_translate(as, addr, &addr, &l, false); 1683 if (!(memory_region_is_ram(mr) 1684 || memory_region_is_romd(mr))) { 1685 rcu_read_unlock(); 1686 return; 1687 } 1688 ram_addr = memory_region_get_ram_addr(mr) + addr; 1689 tb_lock(); 1690 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0); 1691 tb_unlock(); 1692 rcu_read_unlock(); 1693 } 1694 #endif /* !defined(CONFIG_USER_ONLY) */ 1695 1696 /* Called with tb_lock held. */ 1697 void tb_check_watchpoint(CPUState *cpu) 1698 { 1699 TranslationBlock *tb; 1700 1701 tb = tb_find_pc(cpu->mem_io_pc); 1702 if (tb) { 1703 /* We can use retranslation to find the PC. */ 1704 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc); 1705 tb_phys_invalidate(tb, -1); 1706 } else { 1707 /* The exception probably happened in a helper. The CPU state should 1708 have been saved before calling it. Fetch the PC from there. */ 1709 CPUArchState *env = cpu->env_ptr; 1710 target_ulong pc, cs_base; 1711 tb_page_addr_t addr; 1712 uint32_t flags; 1713 1714 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags); 1715 addr = get_page_addr_code(env, pc); 1716 tb_invalidate_phys_range(addr, addr + 1); 1717 } 1718 } 1719 1720 #ifndef CONFIG_USER_ONLY 1721 /* in deterministic execution mode, instructions doing device I/Os 1722 * must be at the end of the TB. 1723 * 1724 * Called by softmmu_template.h, with iothread mutex not held. 1725 */ 1726 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr) 1727 { 1728 #if defined(TARGET_MIPS) || defined(TARGET_SH4) 1729 CPUArchState *env = cpu->env_ptr; 1730 #endif 1731 TranslationBlock *tb; 1732 uint32_t n; 1733 1734 tb_lock(); 1735 tb = tb_find_pc(retaddr); 1736 if (!tb) { 1737 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p", 1738 (void *)retaddr); 1739 } 1740 n = cpu->icount_decr.u16.low + tb->icount; 1741 cpu_restore_state_from_tb(cpu, tb, retaddr); 1742 /* Calculate how many instructions had been executed before the fault 1743 occurred. */ 1744 n = n - cpu->icount_decr.u16.low; 1745 /* Generate a new TB ending on the I/O insn. */ 1746 n++; 1747 /* On MIPS and SH, delay slot instructions can only be restarted if 1748 they were already the first instruction in the TB. If this is not 1749 the first instruction in a TB then re-execute the preceding 1750 branch. */ 1751 #if defined(TARGET_MIPS) 1752 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) { 1753 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4); 1754 cpu->icount_decr.u16.low++; 1755 env->hflags &= ~MIPS_HFLAG_BMASK; 1756 } 1757 #elif defined(TARGET_SH4) 1758 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0 1759 && n > 1) { 1760 env->pc -= 2; 1761 cpu->icount_decr.u16.low++; 1762 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL); 1763 } 1764 #endif 1765 /* This should never happen. */ 1766 if (n > CF_COUNT_MASK) { 1767 cpu_abort(cpu, "TB too big during recompile"); 1768 } 1769 1770 /* Adjust the execution state of the next TB. 
    cpu->cflags_next_tb = curr_cflags() | CF_LAST_IO | n;

    if (tb->cflags & CF_NOCACHE) {
        if (tb->orig_tb) {
            /* Invalidate original TB if this TB was generated in
             * cpu_exec_nocache() */
            tb_phys_invalidate(tb->orig_tb, -1);
        }
        tb_remove(tb);
    }

    /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
     * the first in the TB) then we end up generating a whole new TB and
     * repeating the fault, which is horribly inefficient.
     * Better would be to execute just this insn uncached, or generate a
     * second new TB.
     *
     * cpu_loop_exit_noexc will longjmp back to cpu_exec where the
     * tb_lock gets reset.
     */
    cpu_loop_exit_noexc(cpu);
}

static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr)
{
    unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr);

    for (i = 0; i < TB_JMP_PAGE_SIZE; i++) {
        atomic_set(&cpu->tb_jmp_cache[i0 + i], NULL);
    }
}

void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
{
    /* Discard jump cache entries for any tb which might potentially
       overlap the flushed page.  */
    tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE);
    tb_jmp_cache_clear_page(cpu, addr);
}

static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf,
                                 struct qht_stats hst)
{
    uint32_t hgram_opts;
    size_t hgram_bins;
    char *hgram;

    if (!hst.head_buckets) {
        return;
    }
    cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n",
                hst.used_head_buckets, hst.head_buckets,
                (double)hst.used_head_buckets / hst.head_buckets * 100);

    hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
    hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT;
    if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) {
        hgram_opts |= QDIST_PR_NODECIMAL;
    }
    hgram = qdist_pr(&hst.occupancy, 10, hgram_opts);
    cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n",
                qdist_avg(&hst.occupancy) * 100, hgram);
    g_free(hgram);

    hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
    hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain);
    if (hgram_bins > 10) {
        hgram_bins = 10;
    } else {
        hgram_bins = 0;
        hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE;
    }
    hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts);
    cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n",
                qdist_avg(&hst.chain), hgram);
    g_free(hgram);
}

struct tb_tree_stats {
    size_t host_size;
    size_t target_size;
    size_t max_target_size;
    size_t direct_jmp_count;
    size_t direct_jmp2_count;
    size_t cross_page;
};

static gboolean tb_tree_stats_iter(gpointer key, gpointer value, gpointer data)
{
    const TranslationBlock *tb = value;
    struct tb_tree_stats *tst = data;

    tst->host_size += tb->tc.size;
    tst->target_size += tb->size;
    if (tb->size > tst->max_target_size) {
        tst->max_target_size = tb->size;
    }
    if (tb->page_addr[1] != -1) {
        tst->cross_page++;
    }
    if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) {
        tst->direct_jmp_count++;
        if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) {
            tst->direct_jmp2_count++;
        }
    }
    return false;
}

void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
{
    struct tb_tree_stats tst = {};
    struct qht_stats hst;
    size_t nb_tbs;

    tb_lock();

    nb_tbs = g_tree_nnodes(tb_ctx.tb_tree);
    g_tree_foreach(tb_ctx.tb_tree, tb_tree_stats_iter, &tst);
    /* XXX: avoid using doubles ? */
    cpu_fprintf(f, "Translation buffer state:\n");
    /*
     * Report total code size including the padding and TB structs;
     * otherwise users might think "-tb-size" is not honoured.
     * For avg host size we use the precise numbers from tb_tree_stats though.
     */
    cpu_fprintf(f, "gen code size %zu/%zu\n",
                tcg_code_size(), tcg_code_capacity());
    cpu_fprintf(f, "TB count %zu\n", nb_tbs);
    cpu_fprintf(f, "TB avg target size %zu max=%zu bytes\n",
                nb_tbs ? tst.target_size / nb_tbs : 0,
                tst.max_target_size);
    cpu_fprintf(f, "TB avg host size %zu bytes (expansion ratio: %0.1f)\n",
                nb_tbs ? tst.host_size / nb_tbs : 0,
                tst.target_size ? (double)tst.host_size / tst.target_size : 0);
    cpu_fprintf(f, "cross page TB count %zu (%zu%%)\n", tst.cross_page,
                nb_tbs ? (tst.cross_page * 100) / nb_tbs : 0);
    cpu_fprintf(f, "direct jump count %zu (%zu%%) (2 jumps=%zu %zu%%)\n",
                tst.direct_jmp_count,
                nb_tbs ? (tst.direct_jmp_count * 100) / nb_tbs : 0,
                tst.direct_jmp2_count,
                nb_tbs ? (tst.direct_jmp2_count * 100) / nb_tbs : 0);

    qht_statistics_init(&tb_ctx.htable, &hst);
    print_qht_statistics(f, cpu_fprintf, hst);
    qht_statistics_destroy(&hst);

    cpu_fprintf(f, "\nStatistics:\n");
    cpu_fprintf(f, "TB flush count %u\n",
                atomic_read(&tb_ctx.tb_flush_count));
    cpu_fprintf(f, "TB invalidate count %d\n", tb_ctx.tb_phys_invalidate_count);
    cpu_fprintf(f, "TLB flush count %zu\n", tlb_flush_count());
    tcg_dump_info(f, cpu_fprintf);

    tb_unlock();
}

void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf)
{
    tcg_dump_op_count(f, cpu_fprintf);
}

#else /* CONFIG_USER_ONLY */

void cpu_interrupt(CPUState *cpu, int mask)
{
    g_assert(qemu_mutex_iothread_locked());
    cpu->interrupt_request |= mask;
    cpu->icount_decr.u16.high = -1;
}
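/* Illustrative sketch (not part of the original file): a minimal callback for
 * the walk_memory_regions() machinery defined below, mirroring the signature
 * of dump_region() further down.  It sums the sizes of all executable
 * regions; the exact walk_memory_regions_fn typedef lives in the headers.
 */
#if 0
static int count_exec_bytes(void *priv, target_ulong start,
                            target_ulong end, unsigned long prot)
{
    target_ulong *total = priv;

    if (prot & PAGE_EXEC) {
        *total += end - start;
    }
    return 0;   /* a non-zero return value would stop the walk */
}

/* Usage: target_ulong total = 0; walk_memory_regions(&total, count_exec_bytes); */
#endif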

#else /* CONFIG_USER_ONLY */

void cpu_interrupt(CPUState *cpu, int mask)
{
    g_assert(qemu_mutex_iothread_locked());
    cpu->interrupt_request |= mask;
    cpu->icount_decr.u16.high = -1;
}

/*
 * Walks guest process memory "regions" one by one
 * and calls callback function 'fn' for each region.
 */
struct walk_memory_regions_data {
    walk_memory_regions_fn fn;
    void *priv;
    target_ulong start;
    int prot;
};

static int walk_memory_regions_end(struct walk_memory_regions_data *data,
                                   target_ulong end, int new_prot)
{
    if (data->start != -1u) {
        int rc = data->fn(data->priv, data->start, end, data->prot);
        if (rc != 0) {
            return rc;
        }
    }

    data->start = (new_prot ? end : -1u);
    data->prot = new_prot;

    return 0;
}

static int walk_memory_regions_1(struct walk_memory_regions_data *data,
                                 target_ulong base, int level, void **lp)
{
    target_ulong pa;
    int i, rc;

    if (*lp == NULL) {
        return walk_memory_regions_end(data, base, 0);
    }

    if (level == 0) {
        PageDesc *pd = *lp;

        for (i = 0; i < V_L2_SIZE; ++i) {
            int prot = pd[i].flags;

            pa = base | (i << TARGET_PAGE_BITS);
            if (prot != data->prot) {
                rc = walk_memory_regions_end(data, pa, prot);
                if (rc != 0) {
                    return rc;
                }
            }
        }
    } else {
        void **pp = *lp;

        for (i = 0; i < V_L2_SIZE; ++i) {
            pa = base | ((target_ulong)i <<
                         (TARGET_PAGE_BITS + V_L2_BITS * level));
            rc = walk_memory_regions_1(data, pa, level - 1, pp + i);
            if (rc != 0) {
                return rc;
            }
        }
    }

    return 0;
}

int walk_memory_regions(void *priv, walk_memory_regions_fn fn)
{
    struct walk_memory_regions_data data;
    uintptr_t i, l1_sz = v_l1_size;

    data.fn = fn;
    data.priv = priv;
    data.start = -1u;
    data.prot = 0;

    for (i = 0; i < l1_sz; i++) {
        target_ulong base = i << (v_l1_shift + TARGET_PAGE_BITS);
        int rc = walk_memory_regions_1(&data, base, v_l2_levels, l1_map + i);
        if (rc != 0) {
            return rc;
        }
    }

    return walk_memory_regions_end(&data, 0, 0);
}

static int dump_region(void *priv, target_ulong start,
                       target_ulong end, unsigned long prot)
{
    FILE *f = (FILE *)priv;

    (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
                   " "TARGET_FMT_lx" %c%c%c\n",
                   start, end, end - start,
                   ((prot & PAGE_READ) ? 'r' : '-'),
                   ((prot & PAGE_WRITE) ? 'w' : '-'),
                   ((prot & PAGE_EXEC) ? 'x' : '-'));

    return 0;
}

/* dump memory mappings */
void page_dump(FILE *f)
{
    const int length = sizeof(target_ulong) * 2;
    (void) fprintf(f, "%-*s %-*s %-*s %s\n",
                   length, "start", length, "end", length, "size", "prot");
    walk_memory_regions(f, dump_region);
}
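
/*
 * Illustrative sketch (kept out of the build with #if 0): page_dump() above
 * is the in-tree user of walk_memory_regions(); any callback matching
 * dump_region()'s signature can be plugged in the same way.  The names
 * "count_exec_regions" and "count_exec_mappings" are invented for this
 * example only.
 */
#if 0
static int count_exec_regions(void *priv, target_ulong start,
                              target_ulong end, unsigned long prot)
{
    size_t *n = priv;

    if (prot & PAGE_EXEC) {
        (*n)++;
    }
    return 0;   /* returning non-zero would stop the walk early */
}

static size_t count_exec_mappings(void)
{
    size_t n = 0;

    walk_memory_regions(&n, count_exec_regions);
    return n;
}
#endif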

int page_get_flags(target_ulong address)
{
    PageDesc *p;

    p = page_find(address >> TARGET_PAGE_BITS);
    if (!p) {
        return 0;
    }
    return p->flags;
}

/* Modify the flags of a page and invalidate the code if necessary.
   The flag PAGE_WRITE_ORG is set automatically depending on PAGE_WRITE.
   The mmap_lock should already be held. */
void page_set_flags(target_ulong start, target_ulong end, int flags)
{
    target_ulong addr, len;

    /* This function should never be called with addresses outside the
       guest address space.  If this assert fires, it probably indicates
       a missing call to h2g_valid.
     */
#if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
    assert(end <= ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
#endif
    assert(start < end);
    assert_memory_lock();

    start = start & TARGET_PAGE_MASK;
    end = TARGET_PAGE_ALIGN(end);

    if (flags & PAGE_WRITE) {
        flags |= PAGE_WRITE_ORG;
    }

    for (addr = start, len = end - start;
         len != 0;
         len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
        PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);

        /* If the write protection bit is set, then we invalidate
           the code inside. */
        if (!(p->flags & PAGE_WRITE) &&
            (flags & PAGE_WRITE) &&
            p->first_tb) {
            tb_invalidate_phys_page(addr, 0);
        }
        p->flags = flags;
    }
}

int page_check_range(target_ulong start, target_ulong len, int flags)
{
    PageDesc *p;
    target_ulong end;
    target_ulong addr;

    /* This function should never be called with addresses outside the
       guest address space.  If this assert fires, it probably indicates
       a missing call to h2g_valid. */
#if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
    assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
#endif

    if (len == 0) {
        return 0;
    }
    if (start + len - 1 < start) {
        /* We've wrapped around. */
        return -1;
    }

    /* must do before we lose bits in the next step */
    end = TARGET_PAGE_ALIGN(start + len);
    start = start & TARGET_PAGE_MASK;

    for (addr = start, len = end - start;
         len != 0;
         len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
        p = page_find(addr >> TARGET_PAGE_BITS);
        if (!p) {
            return -1;
        }
        if (!(p->flags & PAGE_VALID)) {
            return -1;
        }

        if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
            return -1;
        }
        if (flags & PAGE_WRITE) {
            if (!(p->flags & PAGE_WRITE_ORG)) {
                return -1;
            }
            /* unprotect the page if it was put read-only because it
               contains translated code */
            if (!(p->flags & PAGE_WRITE)) {
                if (!page_unprotect(addr, 0)) {
                    return -1;
                }
            }
        }
    }
    return 0;
}
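
/*
 * Illustrative sketch (disabled with #if 0): page_check_range() is the
 * natural guard before touching guest memory directly through g2h().
 * The helper name "copy_from_guest" is invented for this example; real
 * user-mode code normally goes through the lock_user()/unlock_user()
 * helpers, which perform an equivalent check.
 */
#if 0
static int copy_from_guest(void *dest, target_ulong guest_addr,
                           target_ulong len)
{
    if (page_check_range(guest_addr, len, PAGE_READ) < 0) {
        return -1;          /* unmapped, invalid or not readable */
    }
    memcpy(dest, g2h(guest_addr), len);
    return 0;
}
#endif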

/* called from signal handler: invalidate the code and unprotect the
 * page. Return 0 if the fault was not handled, 1 if it was handled,
 * and 2 if it was handled but the caller must cause the TB to be
 * immediately exited. (We can only return 2 if the 'pc' argument is
 * non-zero.)
 */
int page_unprotect(target_ulong address, uintptr_t pc)
{
    unsigned int prot;
    bool current_tb_invalidated;
    PageDesc *p;
    target_ulong host_start, host_end, addr;

    /* Technically this isn't safe inside a signal handler.  However we
       know this only ever happens in a synchronous SEGV handler, so in
       practice it seems to be ok. */
    mmap_lock();

    p = page_find(address >> TARGET_PAGE_BITS);
    if (!p) {
        mmap_unlock();
        return 0;
    }

    /* if the page was really writable, then we change its
       protection back to writable */
    if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
        host_start = address & qemu_host_page_mask;
        host_end = host_start + qemu_host_page_size;

        prot = 0;
        current_tb_invalidated = false;
        for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
            p = page_find(addr >> TARGET_PAGE_BITS);
            p->flags |= PAGE_WRITE;
            prot |= p->flags;

            /* and since the content will be modified, we must invalidate
               the corresponding translated code. */
            current_tb_invalidated |= tb_invalidate_phys_page(addr, pc);
#ifdef CONFIG_USER_ONLY
            if (DEBUG_TB_CHECK_GATE) {
                tb_invalidate_check(addr);
            }
#endif
        }
        mprotect((void *)g2h(host_start), qemu_host_page_size,
                 prot & PAGE_BITS);

        mmap_unlock();
        /* If current TB was invalidated return to main loop */
        return current_tb_invalidated ? 2 : 1;
    }
    mmap_unlock();
    return 0;
}
#endif /* CONFIG_USER_ONLY */

/* This is a wrapper for common code that cannot use CONFIG_SOFTMMU */
void tcg_flush_softmmu_tlb(CPUState *cs)
{
#ifdef CONFIG_SOFTMMU
    tlb_flush(cs);
#endif
}
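
/*
 * Illustrative sketch (disabled with #if 0) of how the tri-state return
 * value of the user-mode page_unprotect() above is meant to be consumed by
 * a SIGSEGV handler, per the comment preceding that function: 0 means the
 * fault was not a write-protect fault of ours, 1 means it was handled, and
 * 2 means it was handled but the current TB must be exited at once.  The
 * helper name "handle_write_protect_fault" is invented; the real handler
 * lives in the user-mode signal handling code, not in this file.
 */
#if 0
static bool handle_write_protect_fault(CPUState *cpu, target_ulong guest_addr,
                                       uintptr_t host_pc)
{
    switch (page_unprotect(guest_addr, host_pc)) {
    case 1:
        return true;        /* handled: restart the faulting access */
    case 2:
        /* Handled, but the TB we were executing has been invalidated:
         * longjmp back to the main loop instead of returning into it. */
        cpu_loop_exit_noexc(cpu);
        /* not reached */
    default:
        return false;       /* not ours: let the guest see the fault */
    }
}
#endif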