1 /* 2 * Host code generation 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 #ifdef _WIN32 20 #include <windows.h> 21 #endif 22 #include "qemu/osdep.h" 23 24 25 #include "qemu-common.h" 26 #define NO_CPU_IO_DEFS 27 #include "cpu.h" 28 #include "trace.h" 29 #include "disas/disas.h" 30 #include "exec/exec-all.h" 31 #include "tcg.h" 32 #if defined(CONFIG_USER_ONLY) 33 #include "qemu.h" 34 #include "exec/exec-all.h" 35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) 36 #include <sys/param.h> 37 #if __FreeBSD_version >= 700104 38 #define HAVE_KINFO_GETVMMAP 39 #define sigqueue sigqueue_freebsd /* avoid redefinition */ 40 #include <sys/proc.h> 41 #include <machine/profile.h> 42 #define _KERNEL 43 #include <sys/user.h> 44 #undef _KERNEL 45 #undef sigqueue 46 #include <libutil.h> 47 #endif 48 #endif 49 #else 50 #include "exec/address-spaces.h" 51 #endif 52 53 #include "exec/cputlb.h" 54 #include "exec/tb-hash.h" 55 #include "translate-all.h" 56 #include "qemu/bitmap.h" 57 #include "qemu/timer.h" 58 #include "qemu/main-loop.h" 59 #include "exec/log.h" 60 #include "sysemu/cpus.h" 61 62 /* #define DEBUG_TB_INVALIDATE */ 63 /* #define DEBUG_TB_FLUSH */ 64 /* make various TB consistency checks */ 65 /* #define DEBUG_TB_CHECK */ 66 67 #if !defined(CONFIG_USER_ONLY) 68 /* TB consistency checks only implemented for usermode emulation. */ 69 #undef DEBUG_TB_CHECK 70 #endif 71 72 /* Access to the various translations structures need to be serialised via locks 73 * for consistency. This is automatic for SoftMMU based system 74 * emulation due to its single threaded nature. In user-mode emulation 75 * access to the memory related structures are protected with the 76 * mmap_lock. 77 */ 78 #ifdef CONFIG_SOFTMMU 79 #define assert_memory_lock() tcg_debug_assert(have_tb_lock) 80 #else 81 #define assert_memory_lock() tcg_debug_assert(have_mmap_lock()) 82 #endif 83 84 #define SMC_BITMAP_USE_THRESHOLD 10 85 86 typedef struct PageDesc { 87 /* list of TBs intersecting this ram page */ 88 TranslationBlock *first_tb; 89 #ifdef CONFIG_SOFTMMU 90 /* in order to optimize self modifying code, we count the number 91 of lookups we do to a given page to use a bitmap */ 92 unsigned int code_write_count; 93 unsigned long *code_bitmap; 94 #else 95 unsigned long flags; 96 #endif 97 } PageDesc; 98 99 /* In system mode we want L1_MAP to be based on ram offsets, 100 while in user mode we want it to be based on virtual addresses. */ 101 #if !defined(CONFIG_USER_ONLY) 102 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS 103 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS 104 #else 105 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS 106 #endif 107 #else 108 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS 109 #endif 110 111 /* Size of the L2 (and L3, etc) page tables. 
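For instance (an illustrative sizing, not a requirement): with L1_MAP_ADDR_SPACE_BITS = 48 and 12-bit target pages, 36 bits remain to be translated, and page_table_config_init() below picks a 6-bit L1 (36 % V_L2_BITS), two intermediate 10-bit levels (v_l2_levels == 2) and a final 10-bit level of PageDesc entries.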
*/ 112 #define V_L2_BITS 10 113 #define V_L2_SIZE (1 << V_L2_BITS) 114 115 /* 116 * L1 Mapping properties 117 */ 118 static int v_l1_size; 119 static int v_l1_shift; 120 static int v_l2_levels; 121 122 /* The bottom level has pointers to PageDesc, and is indexed by 123 * anything from 4 to (V_L2_BITS + 3) bits, depending on target page size. 124 */ 125 #define V_L1_MIN_BITS 4 126 #define V_L1_MAX_BITS (V_L2_BITS + 3) 127 #define V_L1_MAX_SIZE (1 << V_L1_MAX_BITS) 128 129 static void *l1_map[V_L1_MAX_SIZE]; 130 131 /* code generation context */ 132 TCGContext tcg_ctx; 133 bool parallel_cpus; 134 135 /* translation block context */ 136 __thread int have_tb_lock; 137 138 static void page_table_config_init(void) 139 { 140 uint32_t v_l1_bits; 141 142 assert(TARGET_PAGE_BITS); 143 /* The bits remaining after N lower levels of page tables. */ 144 v_l1_bits = (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS; 145 if (v_l1_bits < V_L1_MIN_BITS) { 146 v_l1_bits += V_L2_BITS; 147 } 148 149 v_l1_size = 1 << v_l1_bits; 150 v_l1_shift = L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - v_l1_bits; 151 v_l2_levels = v_l1_shift / V_L2_BITS - 1; 152 153 assert(v_l1_bits <= V_L1_MAX_BITS); 154 assert(v_l1_shift % V_L2_BITS == 0); 155 assert(v_l2_levels >= 0); 156 } 157 158 #define assert_tb_locked() tcg_debug_assert(have_tb_lock) 159 #define assert_tb_unlocked() tcg_debug_assert(!have_tb_lock) 160 161 void tb_lock(void) 162 { 163 assert_tb_unlocked(); 164 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock); 165 have_tb_lock++; 166 } 167 168 void tb_unlock(void) 169 { 170 assert_tb_locked(); 171 have_tb_lock--; 172 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock); 173 } 174 175 void tb_lock_reset(void) 176 { 177 if (have_tb_lock) { 178 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock); 179 have_tb_lock = 0; 180 } 181 } 182 183 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr); 184 185 void cpu_gen_init(void) 186 { 187 tcg_context_init(&tcg_ctx); 188 } 189 190 /* Encode VAL as a signed leb128 sequence at P. 191 Return P incremented past the encoded value. */ 192 static uint8_t *encode_sleb128(uint8_t *p, target_long val) 193 { 194 int more, byte; 195 196 do { 197 byte = val & 0x7f; 198 val >>= 7; 199 more = !((val == 0 && (byte & 0x40) == 0) 200 || (val == -1 && (byte & 0x40) != 0)); 201 if (more) { 202 byte |= 0x80; 203 } 204 *p++ = byte; 205 } while (more); 206 207 return p; 208 } 209 210 /* Decode a signed leb128 sequence at *PP; increment *PP past the 211 decoded value. Return the decoded value. */ 212 static target_long decode_sleb128(uint8_t **pp) 213 { 214 uint8_t *p = *pp; 215 target_long val = 0; 216 int byte, shift = 0; 217 218 do { 219 byte = *p++; 220 val |= (target_ulong)(byte & 0x7f) << shift; 221 shift += 7; 222 } while (byte & 0x80); 223 if (shift < TARGET_LONG_BITS && (byte & 0x40)) { 224 val |= -(target_ulong)1 << shift; 225 } 226 227 *pp = p; 228 return val; 229 } 230 231 /* Encode the data collected about the instructions while compiling TB. 232 Place the data at BLOCK, and return the number of bytes consumed. 233 234 The logical table consists of TARGET_INSN_START_WORDS target_ulong's, 235 which come from the target's insn_start data, followed by a uintptr_t 236 which comes from the host pc of the end of the code implementing the insn. 237 238 Each line of the table is encoded as sleb128 deltas from the previous 239 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }.
240 That is, the first column is seeded with the guest pc, the last column 241 with the host pc, and the middle columns with zeros. */ 242 243 static int encode_search(TranslationBlock *tb, uint8_t *block) 244 { 245 uint8_t *highwater = tcg_ctx.code_gen_highwater; 246 uint8_t *p = block; 247 int i, j, n; 248 249 tb->tc_search = block; 250 251 for (i = 0, n = tb->icount; i < n; ++i) { 252 target_ulong prev; 253 254 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 255 if (i == 0) { 256 prev = (j == 0 ? tb->pc : 0); 257 } else { 258 prev = tcg_ctx.gen_insn_data[i - 1][j]; 259 } 260 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev); 261 } 262 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]); 263 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev); 264 265 /* Test for (pending) buffer overflow. The assumption is that any 266 one row beginning below the high water mark cannot overrun 267 the buffer completely. Thus we can test for overflow after 268 encoding a row without having to check during encoding. */ 269 if (unlikely(p > highwater)) { 270 return -1; 271 } 272 } 273 274 return p - block; 275 } 276 277 /* The cpu state corresponding to 'searched_pc' is restored. 278 * Called with tb_lock held. 279 */ 280 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb, 281 uintptr_t searched_pc) 282 { 283 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc }; 284 uintptr_t host_pc = (uintptr_t)tb->tc_ptr; 285 CPUArchState *env = cpu->env_ptr; 286 uint8_t *p = tb->tc_search; 287 int i, j, num_insns = tb->icount; 288 #ifdef CONFIG_PROFILER 289 int64_t ti = profile_getclock(); 290 #endif 291 292 searched_pc -= GETPC_ADJ; 293 294 if (searched_pc < host_pc) { 295 return -1; 296 } 297 298 /* Reconstruct the stored insn data while looking for the point at 299 which the end of the insn exceeds the searched_pc. */ 300 for (i = 0; i < num_insns; ++i) { 301 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 302 data[j] += decode_sleb128(&p); 303 } 304 host_pc += decode_sleb128(&p); 305 if (host_pc > searched_pc) { 306 goto found; 307 } 308 } 309 return -1; 310 311 found: 312 if (tb->cflags & CF_USE_ICOUNT) { 313 assert(use_icount); 314 /* Reset the cycle counter to the start of the block. */ 315 cpu->icount_decr.u16.low += num_insns; 316 /* Clear the IO flag. */ 317 cpu->can_do_io = 0; 318 } 319 cpu->icount_decr.u16.low -= i; 320 restore_state_to_opc(env, tb, data); 321 322 #ifdef CONFIG_PROFILER 323 tcg_ctx.restore_time += profile_getclock() - ti; 324 tcg_ctx.restore_count++; 325 #endif 326 return 0; 327 } 328 329 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr) 330 { 331 TranslationBlock *tb; 332 bool r = false; 333 334 /* A retaddr of zero is invalid so we really shouldn't have ended 335 * up here. The target code has likely forgotten to check retaddr 336 * != 0 before attempting to restore state. We return early to 337 * avoid blowing up on a recursive tb_lock(). The target must have 338 * previously survived a failed cpu_restore_state because 339 * tb_find_pc(0) would have failed anyway. It still should be 340 * fixed though. 
341 */ 342 343 if (!retaddr) { 344 return r; 345 } 346 347 tb_lock(); 348 tb = tb_find_pc(retaddr); 349 if (tb) { 350 cpu_restore_state_from_tb(cpu, tb, retaddr); 351 if (tb->cflags & CF_NOCACHE) { 352 /* one-shot translation, invalidate it immediately */ 353 tb_phys_invalidate(tb, -1); 354 tb_free(tb); 355 } 356 r = true; 357 } 358 tb_unlock(); 359 360 return r; 361 } 362 363 static void page_init(void) 364 { 365 page_size_init(); 366 page_table_config_init(); 367 368 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY) 369 { 370 #ifdef HAVE_KINFO_GETVMMAP 371 struct kinfo_vmentry *freep; 372 int i, cnt; 373 374 freep = kinfo_getvmmap(getpid(), &cnt); 375 if (freep) { 376 mmap_lock(); 377 for (i = 0; i < cnt; i++) { 378 unsigned long startaddr, endaddr; 379 380 startaddr = freep[i].kve_start; 381 endaddr = freep[i].kve_end; 382 if (h2g_valid(startaddr)) { 383 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 384 385 if (h2g_valid(endaddr)) { 386 endaddr = h2g(endaddr); 387 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 388 } else { 389 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS 390 endaddr = ~0ul; 391 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 392 #endif 393 } 394 } 395 } 396 free(freep); 397 mmap_unlock(); 398 } 399 #else 400 FILE *f; 401 402 last_brk = (unsigned long)sbrk(0); 403 404 f = fopen("/compat/linux/proc/self/maps", "r"); 405 if (f) { 406 mmap_lock(); 407 408 do { 409 unsigned long startaddr, endaddr; 410 int n; 411 412 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr); 413 414 if (n == 2 && h2g_valid(startaddr)) { 415 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 416 417 if (h2g_valid(endaddr)) { 418 endaddr = h2g(endaddr); 419 } else { 420 endaddr = ~0ul; 421 } 422 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 423 } 424 } while (!feof(f)); 425 426 fclose(f); 427 mmap_unlock(); 428 } 429 #endif 430 } 431 #endif 432 } 433 434 /* If alloc=1: 435 * Called with tb_lock held for system emulation. 436 * Called with mmap_lock held for user-mode emulation. 437 */ 438 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc) 439 { 440 PageDesc *pd; 441 void **lp; 442 int i; 443 444 if (alloc) { 445 assert_memory_lock(); 446 } 447 448 /* Level 1. Always allocated. */ 449 lp = l1_map + ((index >> v_l1_shift) & (v_l1_size - 1)); 450 451 /* Level 2..N-1. */ 452 for (i = v_l2_levels; i > 0; i--) { 453 void **p = atomic_rcu_read(lp); 454 455 if (p == NULL) { 456 if (!alloc) { 457 return NULL; 458 } 459 p = g_new0(void *, V_L2_SIZE); 460 atomic_rcu_set(lp, p); 461 } 462 463 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1)); 464 } 465 466 pd = atomic_rcu_read(lp); 467 if (pd == NULL) { 468 if (!alloc) { 469 return NULL; 470 } 471 pd = g_new0(PageDesc, V_L2_SIZE); 472 atomic_rcu_set(lp, pd); 473 } 474 475 return pd + (index & (V_L2_SIZE - 1)); 476 } 477 478 static inline PageDesc *page_find(tb_page_addr_t index) 479 { 480 return page_find_alloc(index, 0); 481 } 482 483 #if defined(CONFIG_USER_ONLY) 484 /* Currently it is not recommended to allocate big chunks of data in 485 user mode. It will change when a dedicated libc will be used. */ 486 /* ??? 64-bit hosts ought to have no problem mmaping data outside the 487 region in which the guest needs to run. Revisit this. */ 488 #define USE_STATIC_CODE_GEN_BUFFER 489 #endif 490 491 /* Minimum size of the code gen buffer. This number is randomly chosen, 492 but not so small that we can't have a fair number of TB's live. 
*/ 493 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024) 494 495 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise 496 indicated, this is constrained by the range of direct branches on the 497 host cpu, as used by the TCG implementation of goto_tb. */ 498 #if defined(__x86_64__) 499 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 500 #elif defined(__sparc__) 501 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 502 #elif defined(__powerpc64__) 503 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 504 #elif defined(__powerpc__) 505 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024) 506 #elif defined(__aarch64__) 507 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024) 508 #elif defined(__s390x__) 509 /* We have a +- 4GB range on the branches; leave some slop. */ 510 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024) 511 #elif defined(__mips__) 512 /* We have a 256MB branch region, but leave room to make sure the 513 main executable is also within that region. */ 514 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024) 515 #else 516 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1) 517 #endif 518 519 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024) 520 521 #define DEFAULT_CODE_GEN_BUFFER_SIZE \ 522 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \ 523 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE) 524 525 static inline size_t size_code_gen_buffer(size_t tb_size) 526 { 527 /* Size the buffer. */ 528 if (tb_size == 0) { 529 #ifdef USE_STATIC_CODE_GEN_BUFFER 530 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE; 531 #else 532 /* ??? Needs adjustments. */ 533 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the 534 static buffer, we could size this on RESERVED_VA, on the text 535 segment size of the executable, or continue to use the default. */ 536 tb_size = (unsigned long)(ram_size / 4); 537 #endif 538 } 539 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) { 540 tb_size = MIN_CODE_GEN_BUFFER_SIZE; 541 } 542 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) { 543 tb_size = MAX_CODE_GEN_BUFFER_SIZE; 544 } 545 return tb_size; 546 } 547 548 #ifdef __mips__ 549 /* In order to use J and JAL within the code_gen_buffer, we require 550 that the buffer not cross a 256MB boundary. */ 551 static inline bool cross_256mb(void *addr, size_t size) 552 { 553 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful; 554 } 555 556 /* We weren't able to allocate a buffer without crossing that boundary, 557 so make do with the larger portion of the buffer that doesn't cross. 558 Returns the new base of the buffer, and adjusts code_gen_buffer_size. 
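As an illustration (assumed numbers, not a case the code special-cases): a 64MB buffer that starts 16MB below a 256MB boundary splits into a 16MB piece below the boundary and a 48MB piece above it; the larger 48MB piece is kept and code_gen_buffer_size is reduced to match.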
*/ 559 static inline void *split_cross_256mb(void *buf1, size_t size1) 560 { 561 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful); 562 size_t size2 = buf1 + size1 - buf2; 563 564 size1 = buf2 - buf1; 565 if (size1 < size2) { 566 size1 = size2; 567 buf1 = buf2; 568 } 569 570 tcg_ctx.code_gen_buffer_size = size1; 571 return buf1; 572 } 573 #endif 574 575 #ifdef USE_STATIC_CODE_GEN_BUFFER 576 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE] 577 __attribute__((aligned(CODE_GEN_ALIGN))); 578 579 # ifdef _WIN32 580 static inline void do_protect(void *addr, long size, int prot) 581 { 582 DWORD old_protect; 583 VirtualProtect(addr, size, prot, &old_protect); 584 } 585 586 static inline void map_exec(void *addr, long size) 587 { 588 do_protect(addr, size, PAGE_EXECUTE_READWRITE); 589 } 590 591 static inline void map_none(void *addr, long size) 592 { 593 do_protect(addr, size, PAGE_NOACCESS); 594 } 595 # else 596 static inline void do_protect(void *addr, long size, int prot) 597 { 598 uintptr_t start, end; 599 600 start = (uintptr_t)addr; 601 start &= qemu_real_host_page_mask; 602 603 end = (uintptr_t)addr + size; 604 end = ROUND_UP(end, qemu_real_host_page_size); 605 606 mprotect((void *)start, end - start, prot); 607 } 608 609 static inline void map_exec(void *addr, long size) 610 { 611 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC); 612 } 613 614 static inline void map_none(void *addr, long size) 615 { 616 do_protect(addr, size, PROT_NONE); 617 } 618 # endif /* WIN32 */ 619 620 static inline void *alloc_code_gen_buffer(void) 621 { 622 void *buf = static_code_gen_buffer; 623 size_t full_size, size; 624 625 /* The size of the buffer, rounded down to end on a page boundary. */ 626 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer)) 627 & qemu_real_host_page_mask) - (uintptr_t)buf; 628 629 /* Reserve a guard page. */ 630 size = full_size - qemu_real_host_page_size; 631 632 /* Honor a command-line option limiting the size of the buffer. */ 633 if (size > tcg_ctx.code_gen_buffer_size) { 634 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size) 635 & qemu_real_host_page_mask) - (uintptr_t)buf; 636 } 637 tcg_ctx.code_gen_buffer_size = size; 638 639 #ifdef __mips__ 640 if (cross_256mb(buf, size)) { 641 buf = split_cross_256mb(buf, size); 642 size = tcg_ctx.code_gen_buffer_size; 643 } 644 #endif 645 646 map_exec(buf, size); 647 map_none(buf + size, qemu_real_host_page_size); 648 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 649 650 return buf; 651 } 652 #elif defined(_WIN32) 653 static inline void *alloc_code_gen_buffer(void) 654 { 655 size_t size = tcg_ctx.code_gen_buffer_size; 656 void *buf1, *buf2; 657 658 /* Perform the allocation in two steps, so that the guard page 659 is reserved but uncommitted. */ 660 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size, 661 MEM_RESERVE, PAGE_NOACCESS); 662 if (buf1 != NULL) { 663 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 664 assert(buf1 == buf2); 665 } 666 667 return buf1; 668 } 669 #else 670 static inline void *alloc_code_gen_buffer(void) 671 { 672 int flags = MAP_PRIVATE | MAP_ANONYMOUS; 673 uintptr_t start = 0; 674 size_t size = tcg_ctx.code_gen_buffer_size; 675 void *buf; 676 677 /* Constrain the position of the buffer based on the host cpu. 678 Note that these addresses are chosen in concert with the 679 addresses assigned in the relevant linker script file. 
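The placements below are best-effort: they aim to keep code_gen_buffer within the direct-branch range documented above for MAX_CODE_GEN_BUFFER_SIZE, and close to the main executable where that matters.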
*/ 680 # if defined(__PIE__) || defined(__PIC__) 681 /* Don't bother setting a preferred location if we're building 682 a position-independent executable. We're more likely to get 683 an address near the main executable if we let the kernel 684 choose the address. */ 685 # elif defined(__x86_64__) && defined(MAP_32BIT) 686 /* Force the memory down into low memory with the executable. 687 Leave the choice of exact location with the kernel. */ 688 flags |= MAP_32BIT; 689 /* Cannot expect to map more than 800MB in low memory. */ 690 if (size > 800u * 1024 * 1024) { 691 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024; 692 } 693 # elif defined(__sparc__) 694 start = 0x40000000ul; 695 # elif defined(__s390x__) 696 start = 0x90000000ul; 697 # elif defined(__mips__) 698 # if _MIPS_SIM == _ABI64 699 start = 0x128000000ul; 700 # else 701 start = 0x08000000ul; 702 # endif 703 # endif 704 705 buf = mmap((void *)start, size + qemu_real_host_page_size, 706 PROT_NONE, flags, -1, 0); 707 if (buf == MAP_FAILED) { 708 return NULL; 709 } 710 711 #ifdef __mips__ 712 if (cross_256mb(buf, size)) { 713 /* Try again, with the original still mapped, to avoid re-acquiring 714 that 256mb crossing. This time don't specify an address. */ 715 size_t size2; 716 void *buf2 = mmap(NULL, size + qemu_real_host_page_size, 717 PROT_NONE, flags, -1, 0); 718 switch ((int)(buf2 != MAP_FAILED)) { 719 case 1: 720 if (!cross_256mb(buf2, size)) { 721 /* Success! Use the new buffer. */ 722 munmap(buf, size + qemu_real_host_page_size); 723 break; 724 } 725 /* Failure. Work with what we had. */ 726 munmap(buf2, size + qemu_real_host_page_size); 727 /* fallthru */ 728 default: 729 /* Split the original buffer. Free the smaller half. */ 730 buf2 = split_cross_256mb(buf, size); 731 size2 = tcg_ctx.code_gen_buffer_size; 732 if (buf == buf2) { 733 munmap(buf + size2 + qemu_real_host_page_size, size - size2); 734 } else { 735 munmap(buf, size - size2); 736 } 737 size = size2; 738 break; 739 } 740 buf = buf2; 741 } 742 #endif 743 744 /* Make the final buffer accessible. The guard page at the end 745 will remain inaccessible with PROT_NONE. */ 746 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC); 747 748 /* Request large pages for the buffer. */ 749 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 750 751 return buf; 752 } 753 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */ 754 755 static inline void code_gen_alloc(size_t tb_size) 756 { 757 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size); 758 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer(); 759 if (tcg_ctx.code_gen_buffer == NULL) { 760 fprintf(stderr, "Could not allocate dynamic translator buffer\n"); 761 exit(1); 762 } 763 764 /* size this conservatively -- realloc later if needed */ 765 tcg_ctx.tb_ctx.tbs_size = 766 tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE / 8; 767 if (unlikely(!tcg_ctx.tb_ctx.tbs_size)) { 768 tcg_ctx.tb_ctx.tbs_size = 64 * 1024; 769 } 770 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock *, tcg_ctx.tb_ctx.tbs_size); 771 772 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock); 773 } 774 775 static void tb_htable_init(void) 776 { 777 unsigned int mode = QHT_MODE_AUTO_RESIZE; 778 779 qht_init(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode); 780 } 781 782 /* Must be called before using the QEMU cpus. 'tb_size' is the size 783 (in bytes) allocated to the translation buffer. Zero means default 784 size. 
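Whatever value is passed here ends up in size_code_gen_buffer() (via code_gen_alloc()), which clamps it to the [MIN_CODE_GEN_BUFFER_SIZE, MAX_CODE_GEN_BUFFER_SIZE] range before the buffer is allocated.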
*/ 785 void tcg_exec_init(unsigned long tb_size) 786 { 787 cpu_gen_init(); 788 page_init(); 789 tb_htable_init(); 790 code_gen_alloc(tb_size); 791 #if defined(CONFIG_SOFTMMU) 792 /* There's no guest base to take into account, so go ahead and 793 initialize the prologue now. */ 794 tcg_prologue_init(&tcg_ctx); 795 #endif 796 } 797 798 bool tcg_enabled(void) 799 { 800 return tcg_ctx.code_gen_buffer != NULL; 801 } 802 803 /* 804 * Allocate a new translation block. Flush the translation buffer if 805 * too many translation blocks or too much generated code. 806 * 807 * Called with tb_lock held. 808 */ 809 static TranslationBlock *tb_alloc(target_ulong pc) 810 { 811 TranslationBlock *tb; 812 TBContext *ctx; 813 814 assert_tb_locked(); 815 816 tb = tcg_tb_alloc(&tcg_ctx); 817 if (unlikely(tb == NULL)) { 818 return NULL; 819 } 820 ctx = &tcg_ctx.tb_ctx; 821 if (unlikely(ctx->nb_tbs == ctx->tbs_size)) { 822 ctx->tbs_size *= 2; 823 ctx->tbs = g_renew(TranslationBlock *, ctx->tbs, ctx->tbs_size); 824 } 825 ctx->tbs[ctx->nb_tbs++] = tb; 826 return tb; 827 } 828 829 /* Called with tb_lock held. */ 830 void tb_free(TranslationBlock *tb) 831 { 832 assert_tb_locked(); 833 834 /* In practice this is mostly used for single use temporary TB 835 Ignore the hard cases and just back up if this TB happens to 836 be the last one generated. */ 837 if (tcg_ctx.tb_ctx.nb_tbs > 0 && 838 tb == tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) { 839 size_t struct_size = ROUND_UP(sizeof(*tb), qemu_icache_linesize); 840 841 tcg_ctx.code_gen_ptr = tb->tc_ptr - struct_size; 842 tcg_ctx.tb_ctx.nb_tbs--; 843 } 844 } 845 846 static inline void invalidate_page_bitmap(PageDesc *p) 847 { 848 #ifdef CONFIG_SOFTMMU 849 g_free(p->code_bitmap); 850 p->code_bitmap = NULL; 851 p->code_write_count = 0; 852 #endif 853 } 854 855 /* Set to NULL all the 'first_tb' fields in all PageDescs. */ 856 static void page_flush_tb_1(int level, void **lp) 857 { 858 int i; 859 860 if (*lp == NULL) { 861 return; 862 } 863 if (level == 0) { 864 PageDesc *pd = *lp; 865 866 for (i = 0; i < V_L2_SIZE; ++i) { 867 pd[i].first_tb = NULL; 868 invalidate_page_bitmap(pd + i); 869 } 870 } else { 871 void **pp = *lp; 872 873 for (i = 0; i < V_L2_SIZE; ++i) { 874 page_flush_tb_1(level - 1, pp + i); 875 } 876 } 877 } 878 879 static void page_flush_tb(void) 880 { 881 int i, l1_sz = v_l1_size; 882 883 for (i = 0; i < l1_sz; i++) { 884 page_flush_tb_1(v_l2_levels, l1_map + i); 885 } 886 } 887 888 /* flush all the translation blocks */ 889 static void do_tb_flush(CPUState *cpu, run_on_cpu_data tb_flush_count) 890 { 891 tb_lock(); 892 893 /* If it is already been done on request of another CPU, 894 * just retry. 895 */ 896 if (tcg_ctx.tb_ctx.tb_flush_count != tb_flush_count.host_int) { 897 goto done; 898 } 899 900 #if defined(DEBUG_TB_FLUSH) 901 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n", 902 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer), 903 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ? 
904 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) / 905 tcg_ctx.tb_ctx.nb_tbs : 0); 906 #endif 907 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer) 908 > tcg_ctx.code_gen_buffer_size) { 909 cpu_abort(cpu, "Internal error: code buffer overflow\n"); 910 } 911 912 CPU_FOREACH(cpu) { 913 cpu_tb_jmp_cache_clear(cpu); 914 } 915 916 tcg_ctx.tb_ctx.nb_tbs = 0; 917 qht_reset_size(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE); 918 page_flush_tb(); 919 920 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer; 921 /* XXX: flush processor icache at this point if cache flush is 922 expensive */ 923 atomic_mb_set(&tcg_ctx.tb_ctx.tb_flush_count, 924 tcg_ctx.tb_ctx.tb_flush_count + 1); 925 926 done: 927 tb_unlock(); 928 } 929 930 void tb_flush(CPUState *cpu) 931 { 932 if (tcg_enabled()) { 933 unsigned tb_flush_count = atomic_mb_read(&tcg_ctx.tb_ctx.tb_flush_count); 934 async_safe_run_on_cpu(cpu, do_tb_flush, 935 RUN_ON_CPU_HOST_INT(tb_flush_count)); 936 } 937 } 938 939 #ifdef DEBUG_TB_CHECK 940 941 static void 942 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp) 943 { 944 TranslationBlock *tb = p; 945 target_ulong addr = *(target_ulong *)userp; 946 947 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) { 948 printf("ERROR invalidate: address=" TARGET_FMT_lx 949 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size); 950 } 951 } 952 953 /* verify that all the pages have correct rights for code 954 * 955 * Called with tb_lock held. 956 */ 957 static void tb_invalidate_check(target_ulong address) 958 { 959 address &= TARGET_PAGE_MASK; 960 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_invalidate_check, &address); 961 } 962 963 static void 964 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp) 965 { 966 TranslationBlock *tb = p; 967 int flags1, flags2; 968 969 flags1 = page_get_flags(tb->pc); 970 flags2 = page_get_flags(tb->pc + tb->size - 1); 971 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) { 972 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n", 973 (long)tb->pc, tb->size, flags1, flags2); 974 } 975 } 976 977 /* verify that all the pages have correct rights for code */ 978 static void tb_page_check(void) 979 { 980 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_page_check, NULL); 981 } 982 983 #endif 984 985 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb) 986 { 987 TranslationBlock *tb1; 988 unsigned int n1; 989 990 for (;;) { 991 tb1 = *ptb; 992 n1 = (uintptr_t)tb1 & 3; 993 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3); 994 if (tb1 == tb) { 995 *ptb = tb1->page_next[n1]; 996 break; 997 } 998 ptb = &tb1->page_next[n1]; 999 } 1000 } 1001 1002 /* remove the TB from a list of TBs jumping to the n-th jump target of the TB */ 1003 static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n) 1004 { 1005 TranslationBlock *tb1; 1006 uintptr_t *ptb, ntb; 1007 unsigned int n1; 1008 1009 ptb = &tb->jmp_list_next[n]; 1010 if (*ptb) { 1011 /* find tb(n) in circular list */ 1012 for (;;) { 1013 ntb = *ptb; 1014 n1 = ntb & 3; 1015 tb1 = (TranslationBlock *)(ntb & ~3); 1016 if (n1 == n && tb1 == tb) { 1017 break; 1018 } 1019 if (n1 == 2) { 1020 ptb = &tb1->jmp_list_first; 1021 } else { 1022 ptb = &tb1->jmp_list_next[n1]; 1023 } 1024 } 1025 /* now we can suppress tb(n) from the list */ 1026 *ptb = tb->jmp_list_next[n]; 1027 1028 tb->jmp_list_next[n] = (uintptr_t)NULL; 1029 } 1030 } 1031 1032 /* reset the jump entry 'n' of a TB so that it is not chained to 1033 another TB */ 1034 
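/* A note on the tagged pointers used by the jump-list helpers below (as can be seen from tb_gen_code() and the walkers in this file): each entry in the circular list of a TB's incoming jumps stores a TB pointer with a tag in its low two bits. A tag of 0 or 1 names a TB that jumps here through that jump slot, and the chain continues through that TB's jmp_list_next[tag]; a tag of 2 names the destination TB itself (its jmp_list_first is initialised to (uintptr_t)tb | 2) and closes the circle, which is how tb_remove_from_jmp_list() and tb_jmp_unlink() recognise the end of the list. */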
static inline void tb_reset_jump(TranslationBlock *tb, int n) 1035 { 1036 uintptr_t addr = (uintptr_t)(tb->tc_ptr + tb->jmp_reset_offset[n]); 1037 tb_set_jmp_target(tb, n, addr); 1038 } 1039 1040 /* remove any jumps to the TB */ 1041 static inline void tb_jmp_unlink(TranslationBlock *tb) 1042 { 1043 TranslationBlock *tb1; 1044 uintptr_t *ptb, ntb; 1045 unsigned int n1; 1046 1047 ptb = &tb->jmp_list_first; 1048 for (;;) { 1049 ntb = *ptb; 1050 n1 = ntb & 3; 1051 tb1 = (TranslationBlock *)(ntb & ~3); 1052 if (n1 == 2) { 1053 break; 1054 } 1055 tb_reset_jump(tb1, n1); 1056 *ptb = tb1->jmp_list_next[n1]; 1057 tb1->jmp_list_next[n1] = (uintptr_t)NULL; 1058 } 1059 } 1060 1061 /* invalidate one TB 1062 * 1063 * Called with tb_lock held. 1064 */ 1065 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr) 1066 { 1067 CPUState *cpu; 1068 PageDesc *p; 1069 uint32_t h; 1070 tb_page_addr_t phys_pc; 1071 1072 assert_tb_locked(); 1073 1074 atomic_set(&tb->invalid, true); 1075 1076 /* remove the TB from the hash list */ 1077 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1078 h = tb_hash_func(phys_pc, tb->pc, tb->flags); 1079 qht_remove(&tcg_ctx.tb_ctx.htable, tb, h); 1080 1081 /* remove the TB from the page list */ 1082 if (tb->page_addr[0] != page_addr) { 1083 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS); 1084 tb_page_remove(&p->first_tb, tb); 1085 invalidate_page_bitmap(p); 1086 } 1087 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) { 1088 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS); 1089 tb_page_remove(&p->first_tb, tb); 1090 invalidate_page_bitmap(p); 1091 } 1092 1093 /* remove the TB from the hash list */ 1094 h = tb_jmp_cache_hash_func(tb->pc); 1095 CPU_FOREACH(cpu) { 1096 if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) { 1097 atomic_set(&cpu->tb_jmp_cache[h], NULL); 1098 } 1099 } 1100 1101 /* suppress this TB from the two jump lists */ 1102 tb_remove_from_jmp_list(tb, 0); 1103 tb_remove_from_jmp_list(tb, 1); 1104 1105 /* suppress any remaining jumps to this TB */ 1106 tb_jmp_unlink(tb); 1107 1108 tcg_ctx.tb_ctx.tb_phys_invalidate_count++; 1109 } 1110 1111 #ifdef CONFIG_SOFTMMU 1112 static void build_page_bitmap(PageDesc *p) 1113 { 1114 int n, tb_start, tb_end; 1115 TranslationBlock *tb; 1116 1117 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE); 1118 1119 tb = p->first_tb; 1120 while (tb != NULL) { 1121 n = (uintptr_t)tb & 3; 1122 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1123 /* NOTE: this is subtle as a TB may span two physical pages */ 1124 if (n == 0) { 1125 /* NOTE: tb_end may be after the end of the page, but 1126 it is not a problem */ 1127 tb_start = tb->pc & ~TARGET_PAGE_MASK; 1128 tb_end = tb_start + tb->size; 1129 if (tb_end > TARGET_PAGE_SIZE) { 1130 tb_end = TARGET_PAGE_SIZE; 1131 } 1132 } else { 1133 tb_start = 0; 1134 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1135 } 1136 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start); 1137 tb = tb->page_next[n]; 1138 } 1139 } 1140 #endif 1141 1142 /* add the tb in the target page and protect it if necessary 1143 * 1144 * Called with mmap_lock held for user-mode emulation. 
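Here "protect" means: for user-mode emulation, mprotect()ing the containing host page read-only, so a later guest write faults and is handled through page_unprotect(); for softmmu, tlb_protect_code(), so writes to the page are trapped and reach tb_invalidate_phys_page_fast().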
1145 */ 1146 static inline void tb_alloc_page(TranslationBlock *tb, 1147 unsigned int n, tb_page_addr_t page_addr) 1148 { 1149 PageDesc *p; 1150 #ifndef CONFIG_USER_ONLY 1151 bool page_already_protected; 1152 #endif 1153 1154 assert_memory_lock(); 1155 1156 tb->page_addr[n] = page_addr; 1157 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1); 1158 tb->page_next[n] = p->first_tb; 1159 #ifndef CONFIG_USER_ONLY 1160 page_already_protected = p->first_tb != NULL; 1161 #endif 1162 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n); 1163 invalidate_page_bitmap(p); 1164 1165 #if defined(CONFIG_USER_ONLY) 1166 if (p->flags & PAGE_WRITE) { 1167 target_ulong addr; 1168 PageDesc *p2; 1169 int prot; 1170 1171 /* force the host page as non writable (writes will have a 1172 page fault + mprotect overhead) */ 1173 page_addr &= qemu_host_page_mask; 1174 prot = 0; 1175 for (addr = page_addr; addr < page_addr + qemu_host_page_size; 1176 addr += TARGET_PAGE_SIZE) { 1177 1178 p2 = page_find(addr >> TARGET_PAGE_BITS); 1179 if (!p2) { 1180 continue; 1181 } 1182 prot |= p2->flags; 1183 p2->flags &= ~PAGE_WRITE; 1184 } 1185 mprotect(g2h(page_addr), qemu_host_page_size, 1186 (prot & PAGE_BITS) & ~PAGE_WRITE); 1187 #ifdef DEBUG_TB_INVALIDATE 1188 printf("protecting code page: 0x" TARGET_FMT_lx "\n", 1189 page_addr); 1190 #endif 1191 } 1192 #else 1193 /* if some code is already present, then the pages are already 1194 protected. So we handle the case where only the first TB is 1195 allocated in a physical page */ 1196 if (!page_already_protected) { 1197 tlb_protect_code(page_addr); 1198 } 1199 #endif 1200 } 1201 1202 /* add a new TB and link it to the physical page tables. phys_page2 is 1203 * (-1) to indicate that only one page contains the TB. 1204 * 1205 * Called with mmap_lock held for user-mode emulation. 1206 */ 1207 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc, 1208 tb_page_addr_t phys_page2) 1209 { 1210 uint32_t h; 1211 1212 assert_memory_lock(); 1213 1214 /* add in the page list */ 1215 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK); 1216 if (phys_page2 != -1) { 1217 tb_alloc_page(tb, 1, phys_page2); 1218 } else { 1219 tb->page_addr[1] = -1; 1220 } 1221 1222 /* add in the hash table */ 1223 h = tb_hash_func(phys_pc, tb->pc, tb->flags); 1224 qht_insert(&tcg_ctx.tb_ctx.htable, tb, h); 1225 1226 #ifdef DEBUG_TB_CHECK 1227 tb_page_check(); 1228 #endif 1229 } 1230 1231 /* Called with mmap_lock held for user mode emulation. */ 1232 TranslationBlock *tb_gen_code(CPUState *cpu, 1233 target_ulong pc, target_ulong cs_base, 1234 uint32_t flags, int cflags) 1235 { 1236 CPUArchState *env = cpu->env_ptr; 1237 TranslationBlock *tb; 1238 tb_page_addr_t phys_pc, phys_page2; 1239 target_ulong virt_page2; 1240 tcg_insn_unit *gen_code_buf; 1241 int gen_code_size, search_size; 1242 #ifdef CONFIG_PROFILER 1243 int64_t ti; 1244 #endif 1245 assert_memory_lock(); 1246 1247 phys_pc = get_page_addr_code(env, pc); 1248 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) { 1249 cflags |= CF_USE_ICOUNT; 1250 } 1251 1252 tb = tb_alloc(pc); 1253 if (unlikely(!tb)) { 1254 buffer_overflow: 1255 /* flush must be done */ 1256 tb_flush(cpu); 1257 mmap_unlock(); 1258 /* Make the execution loop process the flush as soon as possible. 
*/ 1259 cpu->exception_index = EXCP_INTERRUPT; 1260 cpu_loop_exit(cpu); 1261 } 1262 1263 gen_code_buf = tcg_ctx.code_gen_ptr; 1264 tb->tc_ptr = gen_code_buf; 1265 tb->pc = pc; 1266 tb->cs_base = cs_base; 1267 tb->flags = flags; 1268 tb->cflags = cflags; 1269 tb->invalid = false; 1270 1271 #ifdef CONFIG_PROFILER 1272 tcg_ctx.tb_count1++; /* includes aborted translations because of 1273 exceptions */ 1274 ti = profile_getclock(); 1275 #endif 1276 1277 tcg_func_start(&tcg_ctx); 1278 1279 tcg_ctx.cpu = ENV_GET_CPU(env); 1280 gen_intermediate_code(env, tb); 1281 tcg_ctx.cpu = NULL; 1282 1283 trace_translate_block(tb, tb->pc, tb->tc_ptr); 1284 1285 /* generate machine code */ 1286 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID; 1287 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID; 1288 tcg_ctx.tb_jmp_reset_offset = tb->jmp_reset_offset; 1289 #ifdef USE_DIRECT_JUMP 1290 tcg_ctx.tb_jmp_insn_offset = tb->jmp_insn_offset; 1291 tcg_ctx.tb_jmp_target_addr = NULL; 1292 #else 1293 tcg_ctx.tb_jmp_insn_offset = NULL; 1294 tcg_ctx.tb_jmp_target_addr = tb->jmp_target_addr; 1295 #endif 1296 1297 #ifdef CONFIG_PROFILER 1298 tcg_ctx.tb_count++; 1299 tcg_ctx.interm_time += profile_getclock() - ti; 1300 tcg_ctx.code_time -= profile_getclock(); 1301 #endif 1302 1303 /* ??? Overflow could be handled better here. In particular, we 1304 don't need to re-do gen_intermediate_code, nor should we re-do 1305 the tcg optimization currently hidden inside tcg_gen_code. All 1306 that should be required is to flush the TBs, allocate a new TB, 1307 re-initialize it per above, and re-do the actual code generation. */ 1308 gen_code_size = tcg_gen_code(&tcg_ctx, tb); 1309 if (unlikely(gen_code_size < 0)) { 1310 goto buffer_overflow; 1311 } 1312 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size); 1313 if (unlikely(search_size < 0)) { 1314 goto buffer_overflow; 1315 } 1316 1317 #ifdef CONFIG_PROFILER 1318 tcg_ctx.code_time += profile_getclock(); 1319 tcg_ctx.code_in_len += tb->size; 1320 tcg_ctx.code_out_len += gen_code_size; 1321 tcg_ctx.search_out_len += search_size; 1322 #endif 1323 1324 #ifdef DEBUG_DISAS 1325 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) && 1326 qemu_log_in_addr_range(tb->pc)) { 1327 qemu_log_lock(); 1328 qemu_log("OUT: [size=%d]\n", gen_code_size); 1329 log_disas(tb->tc_ptr, gen_code_size); 1330 qemu_log("\n"); 1331 qemu_log_flush(); 1332 qemu_log_unlock(); 1333 } 1334 #endif 1335 1336 tcg_ctx.code_gen_ptr = (void *) 1337 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size, 1338 CODE_GEN_ALIGN); 1339 1340 /* init jump list */ 1341 assert(((uintptr_t)tb & 3) == 0); 1342 tb->jmp_list_first = (uintptr_t)tb | 2; 1343 tb->jmp_list_next[0] = (uintptr_t)NULL; 1344 tb->jmp_list_next[1] = (uintptr_t)NULL; 1345 1346 /* init original jump addresses which have been set during tcg_gen_code() */ 1347 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 1348 tb_reset_jump(tb, 0); 1349 } 1350 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 1351 tb_reset_jump(tb, 1); 1352 } 1353 1354 /* check next page if needed */ 1355 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK; 1356 phys_page2 = -1; 1357 if ((pc & TARGET_PAGE_MASK) != virt_page2) { 1358 phys_page2 = get_page_addr_code(env, virt_page2); 1359 } 1360 /* As long as consistency of the TB stuff is provided by tb_lock in user 1361 * mode and is implicit in single-threaded softmmu emulation, no explicit 1362 * memory barrier is required before tb_link_page() makes the TB visible 1363 * through the physical hash
table and physical page list. 1364 */ 1365 tb_link_page(tb, phys_pc, phys_page2); 1366 return tb; 1367 } 1368 1369 /* 1370 * Invalidate all TBs which intersect with the target physical address range 1371 * [start;end[. NOTE: start and end may refer to *different* physical pages. 1372 * 'is_cpu_write_access' should be true if called from a real cpu write 1373 * access: the virtual CPU will exit the current TB if code is modified inside 1374 * this TB. 1375 * 1376 * Called with mmap_lock held for user-mode emulation, grabs tb_lock 1377 * Called with tb_lock held for system-mode emulation 1378 */ 1379 static void tb_invalidate_phys_range_1(tb_page_addr_t start, tb_page_addr_t end) 1380 { 1381 while (start < end) { 1382 tb_invalidate_phys_page_range(start, end, 0); 1383 start &= TARGET_PAGE_MASK; 1384 start += TARGET_PAGE_SIZE; 1385 } 1386 } 1387 1388 #ifdef CONFIG_SOFTMMU 1389 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1390 { 1391 assert_tb_locked(); 1392 tb_invalidate_phys_range_1(start, end); 1393 } 1394 #else 1395 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1396 { 1397 assert_memory_lock(); 1398 tb_lock(); 1399 tb_invalidate_phys_range_1(start, end); 1400 tb_unlock(); 1401 } 1402 #endif 1403 /* 1404 * Invalidate all TBs which intersect with the target physical address range 1405 * [start;end[. NOTE: start and end must refer to the *same* physical page. 1406 * 'is_cpu_write_access' should be true if called from a real cpu write 1407 * access: the virtual CPU will exit the current TB if code is modified inside 1408 * this TB. 1409 * 1410 * Called with tb_lock/mmap_lock held for user-mode emulation 1411 * Called with tb_lock held for system-mode emulation 1412 */ 1413 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end, 1414 int is_cpu_write_access) 1415 { 1416 TranslationBlock *tb, *tb_next; 1417 #if defined(TARGET_HAS_PRECISE_SMC) 1418 CPUState *cpu = current_cpu; 1419 CPUArchState *env = NULL; 1420 #endif 1421 tb_page_addr_t tb_start, tb_end; 1422 PageDesc *p; 1423 int n; 1424 #ifdef TARGET_HAS_PRECISE_SMC 1425 int current_tb_not_found = is_cpu_write_access; 1426 TranslationBlock *current_tb = NULL; 1427 int current_tb_modified = 0; 1428 target_ulong current_pc = 0; 1429 target_ulong current_cs_base = 0; 1430 uint32_t current_flags = 0; 1431 #endif /* TARGET_HAS_PRECISE_SMC */ 1432 1433 assert_memory_lock(); 1434 assert_tb_locked(); 1435 1436 p = page_find(start >> TARGET_PAGE_BITS); 1437 if (!p) { 1438 return; 1439 } 1440 #if defined(TARGET_HAS_PRECISE_SMC) 1441 if (cpu != NULL) { 1442 env = cpu->env_ptr; 1443 } 1444 #endif 1445 1446 /* we remove all the TBs in the range [start, end[ */ 1447 /* XXX: see if in some cases it could be faster to invalidate all 1448 the code */ 1449 tb = p->first_tb; 1450 while (tb != NULL) { 1451 n = (uintptr_t)tb & 3; 1452 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1453 tb_next = tb->page_next[n]; 1454 /* NOTE: this is subtle as a TB may span two physical pages */ 1455 if (n == 0) { 1456 /* NOTE: tb_end may be after the end of the page, but 1457 it is not a problem */ 1458 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1459 tb_end = tb_start + tb->size; 1460 } else { 1461 tb_start = tb->page_addr[1]; 1462 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1463 } 1464 if (!(tb_end <= start || tb_start >= end)) { 1465 #ifdef TARGET_HAS_PRECISE_SMC 1466 if (current_tb_not_found) { 1467 current_tb_not_found = 0; 1468 current_tb = NULL; 1469 if 
(cpu->mem_io_pc) { 1470 /* now we have a real cpu fault */ 1471 current_tb = tb_find_pc(cpu->mem_io_pc); 1472 } 1473 } 1474 if (current_tb == tb && 1475 (current_tb->cflags & CF_COUNT_MASK) != 1) { 1476 /* If we are modifying the current TB, we must stop 1477 its execution. We could be more precise by checking 1478 that the modification is after the current PC, but it 1479 would require a specialized function to partially 1480 restore the CPU state */ 1481 1482 current_tb_modified = 1; 1483 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc); 1484 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base, 1485 &current_flags); 1486 } 1487 #endif /* TARGET_HAS_PRECISE_SMC */ 1488 tb_phys_invalidate(tb, -1); 1489 } 1490 tb = tb_next; 1491 } 1492 #if !defined(CONFIG_USER_ONLY) 1493 /* if no code remaining, no need to continue to use slow writes */ 1494 if (!p->first_tb) { 1495 invalidate_page_bitmap(p); 1496 tlb_unprotect_code(start); 1497 } 1498 #endif 1499 #ifdef TARGET_HAS_PRECISE_SMC 1500 if (current_tb_modified) { 1501 /* we generate a block containing just the instruction 1502 modifying the memory. It will ensure that it cannot modify 1503 itself */ 1504 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1); 1505 cpu_loop_exit_noexc(cpu); 1506 } 1507 #endif 1508 } 1509 1510 #ifdef CONFIG_SOFTMMU 1511 /* len must be <= 8 and start must be a multiple of len. 1512 * Called via softmmu_template.h when code areas are written to with 1513 * iothread mutex not held. 1514 */ 1515 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len) 1516 { 1517 PageDesc *p; 1518 1519 #if 0 1520 if (1) { 1521 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n", 1522 cpu_single_env->mem_io_vaddr, len, 1523 cpu_single_env->eip, 1524 cpu_single_env->eip + 1525 (intptr_t)cpu_single_env->segs[R_CS].base); 1526 } 1527 #endif 1528 assert_memory_lock(); 1529 1530 p = page_find(start >> TARGET_PAGE_BITS); 1531 if (!p) { 1532 return; 1533 } 1534 if (!p->code_bitmap && 1535 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) { 1536 /* build code bitmap. FIXME: writes should be protected by 1537 * tb_lock, reads by tb_lock or RCU. 1538 */ 1539 build_page_bitmap(p); 1540 } 1541 if (p->code_bitmap) { 1542 unsigned int nr; 1543 unsigned long b; 1544 1545 nr = start & ~TARGET_PAGE_MASK; 1546 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1)); 1547 if (b & ((1 << len) - 1)) { 1548 goto do_invalidate; 1549 } 1550 } else { 1551 do_invalidate: 1552 tb_invalidate_phys_page_range(start, start + len, 1); 1553 } 1554 } 1555 #else 1556 /* Called with mmap_lock held. If pc is not 0 then it indicates the 1557 * host PC of the faulting store instruction that caused this invalidate. 1558 * Returns true if the caller needs to abort execution of the current 1559 * TB (because it was modified by this store and the guest CPU has 1560 * precise-SMC semantics).
1561 */ 1562 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc) 1563 { 1564 TranslationBlock *tb; 1565 PageDesc *p; 1566 int n; 1567 #ifdef TARGET_HAS_PRECISE_SMC 1568 TranslationBlock *current_tb = NULL; 1569 CPUState *cpu = current_cpu; 1570 CPUArchState *env = NULL; 1571 int current_tb_modified = 0; 1572 target_ulong current_pc = 0; 1573 target_ulong current_cs_base = 0; 1574 uint32_t current_flags = 0; 1575 #endif 1576 1577 assert_memory_lock(); 1578 1579 addr &= TARGET_PAGE_MASK; 1580 p = page_find(addr >> TARGET_PAGE_BITS); 1581 if (!p) { 1582 return false; 1583 } 1584 1585 tb_lock(); 1586 tb = p->first_tb; 1587 #ifdef TARGET_HAS_PRECISE_SMC 1588 if (tb && pc != 0) { 1589 current_tb = tb_find_pc(pc); 1590 } 1591 if (cpu != NULL) { 1592 env = cpu->env_ptr; 1593 } 1594 #endif 1595 while (tb != NULL) { 1596 n = (uintptr_t)tb & 3; 1597 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1598 #ifdef TARGET_HAS_PRECISE_SMC 1599 if (current_tb == tb && 1600 (current_tb->cflags & CF_COUNT_MASK) != 1) { 1601 /* If we are modifying the current TB, we must stop 1602 its execution. We could be more precise by checking 1603 that the modification is after the current PC, but it 1604 would require a specialized function to partially 1605 restore the CPU state */ 1606 1607 current_tb_modified = 1; 1608 cpu_restore_state_from_tb(cpu, current_tb, pc); 1609 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base, 1610 &current_flags); 1611 } 1612 #endif /* TARGET_HAS_PRECISE_SMC */ 1613 tb_phys_invalidate(tb, addr); 1614 tb = tb->page_next[n]; 1615 } 1616 p->first_tb = NULL; 1617 #ifdef TARGET_HAS_PRECISE_SMC 1618 if (current_tb_modified) { 1619 /* we generate a block containing just the instruction 1620 modifying the memory. It will ensure that it cannot modify 1621 itself */ 1622 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1); 1623 /* tb_lock will be reset after cpu_loop_exit_noexc longjmps 1624 * back into the cpu_exec loop. */ 1625 return true; 1626 } 1627 #endif 1628 tb_unlock(); 1629 1630 return false; 1631 } 1632 #endif 1633 1634 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr < 1635 tb[1].tc_ptr.
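(The binary search below is valid because tb_alloc() appends TBs in the order their code is placed in code_gen_buffer, so tbs[] stays sorted by tc_ptr.)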
Return NULL if not found */ 1636 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr) 1637 { 1638 int m_min, m_max, m; 1639 uintptr_t v; 1640 TranslationBlock *tb; 1641 1642 if (tcg_ctx.tb_ctx.nb_tbs <= 0) { 1643 return NULL; 1644 } 1645 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer || 1646 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) { 1647 return NULL; 1648 } 1649 /* binary search (cf Knuth) */ 1650 m_min = 0; 1651 m_max = tcg_ctx.tb_ctx.nb_tbs - 1; 1652 while (m_min <= m_max) { 1653 m = (m_min + m_max) >> 1; 1654 tb = tcg_ctx.tb_ctx.tbs[m]; 1655 v = (uintptr_t)tb->tc_ptr; 1656 if (v == tc_ptr) { 1657 return tb; 1658 } else if (tc_ptr < v) { 1659 m_max = m - 1; 1660 } else { 1661 m_min = m + 1; 1662 } 1663 } 1664 return tcg_ctx.tb_ctx.tbs[m_max]; 1665 } 1666 1667 #if !defined(CONFIG_USER_ONLY) 1668 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr) 1669 { 1670 ram_addr_t ram_addr; 1671 MemoryRegion *mr; 1672 hwaddr l = 1; 1673 1674 rcu_read_lock(); 1675 mr = address_space_translate(as, addr, &addr, &l, false); 1676 if (!(memory_region_is_ram(mr) 1677 || memory_region_is_romd(mr))) { 1678 rcu_read_unlock(); 1679 return; 1680 } 1681 ram_addr = memory_region_get_ram_addr(mr) + addr; 1682 tb_lock(); 1683 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0); 1684 tb_unlock(); 1685 rcu_read_unlock(); 1686 } 1687 #endif /* !defined(CONFIG_USER_ONLY) */ 1688 1689 /* Called with tb_lock held. */ 1690 void tb_check_watchpoint(CPUState *cpu) 1691 { 1692 TranslationBlock *tb; 1693 1694 tb = tb_find_pc(cpu->mem_io_pc); 1695 if (tb) { 1696 /* We can use retranslation to find the PC. */ 1697 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc); 1698 tb_phys_invalidate(tb, -1); 1699 } else { 1700 /* The exception probably happened in a helper. The CPU state should 1701 have been saved before calling it. Fetch the PC from there. */ 1702 CPUArchState *env = cpu->env_ptr; 1703 target_ulong pc, cs_base; 1704 tb_page_addr_t addr; 1705 uint32_t flags; 1706 1707 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags); 1708 addr = get_page_addr_code(env, pc); 1709 tb_invalidate_phys_range(addr, addr + 1); 1710 } 1711 } 1712 1713 #ifndef CONFIG_USER_ONLY 1714 /* in deterministic execution mode, instructions doing device I/Os 1715 * must be at the end of the TB. 1716 * 1717 * Called by softmmu_template.h, with iothread mutex not held. 1718 */ 1719 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr) 1720 { 1721 #if defined(TARGET_MIPS) || defined(TARGET_SH4) 1722 CPUArchState *env = cpu->env_ptr; 1723 #endif 1724 TranslationBlock *tb; 1725 uint32_t n, cflags; 1726 target_ulong pc, cs_base; 1727 uint32_t flags; 1728 1729 tb_lock(); 1730 tb = tb_find_pc(retaddr); 1731 if (!tb) { 1732 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p", 1733 (void *)retaddr); 1734 } 1735 n = cpu->icount_decr.u16.low + tb->icount; 1736 cpu_restore_state_from_tb(cpu, tb, retaddr); 1737 /* Calculate how many instructions had been executed before the fault 1738 occurred. */ 1739 n = n - cpu->icount_decr.u16.low; 1740 /* Generate a new TB ending on the I/O insn. */ 1741 n++; 1742 /* On MIPS and SH, delay slot instructions can only be restarted if 1743 they were already the first instruction in the TB. If this is not 1744 the first instruction in a TB then re-execute the preceding 1745 branch. */ 1746 #if defined(TARGET_MIPS) 1747 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) { 1748 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 
2 : 4); 1749 cpu->icount_decr.u16.low++; 1750 env->hflags &= ~MIPS_HFLAG_BMASK; 1751 } 1752 #elif defined(TARGET_SH4) 1753 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0 1754 && n > 1) { 1755 env->pc -= 2; 1756 cpu->icount_decr.u16.low++; 1757 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL); 1758 } 1759 #endif 1760 /* This should never happen. */ 1761 if (n > CF_COUNT_MASK) { 1762 cpu_abort(cpu, "TB too big during recompile"); 1763 } 1764 1765 cflags = n | CF_LAST_IO; 1766 pc = tb->pc; 1767 cs_base = tb->cs_base; 1768 flags = tb->flags; 1769 tb_phys_invalidate(tb, -1); 1770 if (tb->cflags & CF_NOCACHE) { 1771 if (tb->orig_tb) { 1772 /* Invalidate original TB if this TB was generated in 1773 * cpu_exec_nocache() */ 1774 tb_phys_invalidate(tb->orig_tb, -1); 1775 } 1776 tb_free(tb); 1777 } 1778 /* FIXME: In theory this could raise an exception. In practice 1779 we have already translated the block once so it's probably ok. */ 1780 tb_gen_code(cpu, pc, cs_base, flags, cflags); 1781 1782 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not 1783 * the first in the TB) then we end up generating a whole new TB and 1784 * repeating the fault, which is horribly inefficient. 1785 * Better would be to execute just this insn uncached, or generate a 1786 * second new TB. 1787 * 1788 * cpu_loop_exit_noexc will longjmp back to cpu_exec where the 1789 * tb_lock gets reset. 1790 */ 1791 cpu_loop_exit_noexc(cpu); 1792 } 1793 1794 static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr) 1795 { 1796 unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr); 1797 1798 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) { 1799 atomic_set(&cpu->tb_jmp_cache[i0 + i], NULL); 1800 } 1801 } 1802 1803 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr) 1804 { 1805 /* Discard jump cache entries for any tb which might potentially 1806 overlap the flushed page. */ 1807 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE); 1808 tb_jmp_cache_clear_page(cpu, addr); 1809 } 1810 1811 static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf, 1812 struct qht_stats hst) 1813 { 1814 uint32_t hgram_opts; 1815 size_t hgram_bins; 1816 char *hgram; 1817 1818 if (!hst.head_buckets) { 1819 return; 1820 } 1821 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n", 1822 hst.used_head_buckets, hst.head_buckets, 1823 (double)hst.used_head_buckets / hst.head_buckets * 100); 1824 1825 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 1826 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT; 1827 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) { 1828 hgram_opts |= QDIST_PR_NODECIMAL; 1829 } 1830 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts); 1831 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n", 1832 qdist_avg(&hst.occupancy) * 100, hgram); 1833 g_free(hgram); 1834 1835 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 1836 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain); 1837 if (hgram_bins > 10) { 1838 hgram_bins = 10; 1839 } else { 1840 hgram_bins = 0; 1841 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE; 1842 } 1843 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts); 1844 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. 
Histogram: %s\n", 1845 qdist_avg(&hst.chain), hgram); 1846 g_free(hgram); 1847 } 1848 1849 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf) 1850 { 1851 int i, target_code_size, max_target_code_size; 1852 int direct_jmp_count, direct_jmp2_count, cross_page; 1853 TranslationBlock *tb; 1854 struct qht_stats hst; 1855 1856 tb_lock(); 1857 1858 target_code_size = 0; 1859 max_target_code_size = 0; 1860 cross_page = 0; 1861 direct_jmp_count = 0; 1862 direct_jmp2_count = 0; 1863 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) { 1864 tb = tcg_ctx.tb_ctx.tbs[i]; 1865 target_code_size += tb->size; 1866 if (tb->size > max_target_code_size) { 1867 max_target_code_size = tb->size; 1868 } 1869 if (tb->page_addr[1] != -1) { 1870 cross_page++; 1871 } 1872 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 1873 direct_jmp_count++; 1874 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 1875 direct_jmp2_count++; 1876 } 1877 } 1878 } 1879 /* XXX: avoid using doubles ? */ 1880 cpu_fprintf(f, "Translation buffer state:\n"); 1881 cpu_fprintf(f, "gen code size %td/%zd\n", 1882 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer, 1883 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer); 1884 cpu_fprintf(f, "TB count %d\n", tcg_ctx.tb_ctx.nb_tbs); 1885 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n", 1886 tcg_ctx.tb_ctx.nb_tbs ? target_code_size / 1887 tcg_ctx.tb_ctx.nb_tbs : 0, 1888 max_target_code_size); 1889 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n", 1890 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr - 1891 tcg_ctx.code_gen_buffer) / 1892 tcg_ctx.tb_ctx.nb_tbs : 0, 1893 target_code_size ? (double) (tcg_ctx.code_gen_ptr - 1894 tcg_ctx.code_gen_buffer) / 1895 target_code_size : 0); 1896 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page, 1897 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) / 1898 tcg_ctx.tb_ctx.nb_tbs : 0); 1899 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n", 1900 direct_jmp_count, 1901 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) / 1902 tcg_ctx.tb_ctx.nb_tbs : 0, 1903 direct_jmp2_count, 1904 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) / 1905 tcg_ctx.tb_ctx.nb_tbs : 0); 1906 1907 qht_statistics_init(&tcg_ctx.tb_ctx.htable, &hst); 1908 print_qht_statistics(f, cpu_fprintf, hst); 1909 qht_statistics_destroy(&hst); 1910 1911 cpu_fprintf(f, "\nStatistics:\n"); 1912 cpu_fprintf(f, "TB flush count %u\n", 1913 atomic_read(&tcg_ctx.tb_ctx.tb_flush_count)); 1914 cpu_fprintf(f, "TB invalidate count %d\n", 1915 tcg_ctx.tb_ctx.tb_phys_invalidate_count); 1916 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count); 1917 tcg_dump_info(f, cpu_fprintf); 1918 1919 tb_unlock(); 1920 } 1921 1922 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf) 1923 { 1924 tcg_dump_op_count(f, cpu_fprintf); 1925 } 1926 1927 #else /* CONFIG_USER_ONLY */ 1928 1929 void cpu_interrupt(CPUState *cpu, int mask) 1930 { 1931 g_assert(qemu_mutex_iothread_locked()); 1932 cpu->interrupt_request |= mask; 1933 cpu->icount_decr.u16.high = -1; 1934 } 1935 1936 /* 1937 * Walks guest process memory "regions" one by one 1938 * and calls callback function 'fn' for each region. 
static int dump_region(void *priv, target_ulong start,
                       target_ulong end, unsigned long prot)
{
    FILE *f = (FILE *)priv;

    (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx
                   " "TARGET_FMT_lx" %c%c%c\n",
                   start, end, end - start,
                   ((prot & PAGE_READ) ? 'r' : '-'),
                   ((prot & PAGE_WRITE) ? 'w' : '-'),
                   ((prot & PAGE_EXEC) ? 'x' : '-'));

    return 0;
}

/* dump memory mappings */
void page_dump(FILE *f)
{
    const int length = sizeof(target_ulong) * 2;
    (void) fprintf(f, "%-*s %-*s %-*s %s\n",
                   length, "start", length, "end", length, "size", "prot");
    walk_memory_regions(f, dump_region);
}

int page_get_flags(target_ulong address)
{
    PageDesc *p;

    p = page_find(address >> TARGET_PAGE_BITS);
    if (!p) {
        return 0;
    }
    return p->flags;
}
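
/* Illustrative sketch: a hypothetical helper (kept out of the build with
 * #if 0) showing the usual way page_get_flags() above is consumed.  Unmapped
 * pages report a flags value of 0, so checking PAGE_VALID and PAGE_READ
 * together covers both "not mapped" and "mapped but unreadable".
 */
#if 0
static bool guest_page_is_readable(target_ulong addr)
{
    int flags = page_get_flags(addr);

    return (flags & PAGE_VALID) && (flags & PAGE_READ);
}
#endif
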
/* Modify the flags of a page and invalidate the code if necessary.
   The flag PAGE_WRITE_ORG is positioned automatically depending
   on PAGE_WRITE.  The mmap_lock should already be held. */
void page_set_flags(target_ulong start, target_ulong end, int flags)
{
    target_ulong addr, len;

    /* This function should never be called with addresses outside the
       guest address space.  If this assert fires, it probably indicates
       a missing call to h2g_valid.
     */
#if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
    assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
#endif
    assert(start < end);
    assert_memory_lock();

    start = start & TARGET_PAGE_MASK;
    end = TARGET_PAGE_ALIGN(end);

    if (flags & PAGE_WRITE) {
        flags |= PAGE_WRITE_ORG;
    }

    for (addr = start, len = end - start;
         len != 0;
         len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
        PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1);

        /* If a read-only page is about to become writable, invalidate any
           translated code it contains. */
        if (!(p->flags & PAGE_WRITE) &&
            (flags & PAGE_WRITE) &&
            p->first_tb) {
            tb_invalidate_phys_page(addr, 0);
        }
        p->flags = flags;
    }
}

int page_check_range(target_ulong start, target_ulong len, int flags)
{
    PageDesc *p;
    target_ulong end;
    target_ulong addr;

    /* This function should never be called with addresses outside the
       guest address space.  If this assert fires, it probably indicates
       a missing call to h2g_valid. */
#if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS
    assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS));
#endif

    if (len == 0) {
        return 0;
    }
    if (start + len - 1 < start) {
        /* We've wrapped around. */
        return -1;
    }

    /* must do this before we lose bits in the next step */
    end = TARGET_PAGE_ALIGN(start + len);
    start = start & TARGET_PAGE_MASK;

    for (addr = start, len = end - start;
         len != 0;
         len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) {
        p = page_find(addr >> TARGET_PAGE_BITS);
        if (!p) {
            return -1;
        }
        if (!(p->flags & PAGE_VALID)) {
            return -1;
        }

        if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) {
            return -1;
        }
        if (flags & PAGE_WRITE) {
            if (!(p->flags & PAGE_WRITE_ORG)) {
                return -1;
            }
            /* unprotect the page if it was put read-only because it
               contains translated code */
            if (!(p->flags & PAGE_WRITE)) {
                if (!page_unprotect(addr, 0)) {
                    return -1;
                }
            }
        }
    }
    return 0;
}

/* called from signal handler: invalidate the code and unprotect the
 * page.  Return 0 if the fault was not handled, 1 if it was handled,
 * and 2 if it was handled but the caller must cause the TB to be
 * immediately exited.  (We can only return 2 if the 'pc' argument is
 * non-zero.)
 */
int page_unprotect(target_ulong address, uintptr_t pc)
{
    unsigned int prot;
    bool current_tb_invalidated;
    PageDesc *p;
    target_ulong host_start, host_end, addr;

    /* Technically this isn't safe inside a signal handler.  However we
       know this only ever happens in a synchronous SEGV handler, so in
       practice it seems to be ok.
     */
    mmap_lock();

    p = page_find(address >> TARGET_PAGE_BITS);
    if (!p) {
        mmap_unlock();
        return 0;
    }

    /* if the page was really writable, then we change its
       protection back to writable */
    if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) {
        host_start = address & qemu_host_page_mask;
        host_end = host_start + qemu_host_page_size;

        prot = 0;
        current_tb_invalidated = false;
        for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) {
            p = page_find(addr >> TARGET_PAGE_BITS);
            p->flags |= PAGE_WRITE;
            prot |= p->flags;

            /* and since the content will be modified, we must invalidate
               the corresponding translated code. */
            current_tb_invalidated |= tb_invalidate_phys_page(addr, pc);
#ifdef DEBUG_TB_CHECK
            tb_invalidate_check(addr);
#endif
        }
        mprotect((void *)g2h(host_start), qemu_host_page_size,
                 prot & PAGE_BITS);

        mmap_unlock();
        /* If the current TB was invalidated, return to the main loop */
        return current_tb_invalidated ? 2 : 1;
    }
    mmap_unlock();
    return 0;
}
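
/* Illustrative sketch: a hypothetical fragment (kept out of the build with
 * #if 0) showing how a synchronous SEGV handler would consume the three
 * return values documented above.  0 means the fault was not caused by our
 * write protection and must be delivered to the guest; 1 means it was
 * handled and the faulting access can simply be restarted; 2 means the
 * current TB was invalidated, so execution has to leave it via
 * cpu_loop_exit_noexc(), which does not return.
 */
#if 0
static bool handle_write_fault(CPUState *cpu, target_ulong addr, uintptr_t pc)
{
    switch (page_unprotect(addr, pc)) {
    case 2:
        cpu_loop_exit_noexc(cpu);   /* longjmps back to cpu_exec() */
    case 1:
        return true;                /* retry the faulting access */
    default:
        return false;               /* deliver the signal to the guest */
    }
}
#endif
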
#endif /* CONFIG_USER_ONLY */

/* This is a wrapper for common code that cannot use CONFIG_SOFTMMU */
void tcg_flush_softmmu_tlb(CPUState *cs)
{
#ifdef CONFIG_SOFTMMU
    tlb_flush(cs);
#endif
}
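
/* Illustrative sketch: a hypothetical caller (kept out of the build with
 * #if 0) of the wrapper above.  Code that is compiled for both user-mode
 * and system-mode configurations can flush the softmmu TLB through
 * tcg_flush_softmmu_tlb() without an #ifdef of its own, because the call
 * compiles to a no-op when CONFIG_SOFTMMU is not defined.
 */
#if 0
static void example_flush_cpu_state(CPUState *cs)
{
    tcg_flush_softmmu_tlb(cs);   /* no-op in user-mode builds */
}
#endif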