1 /* 2 * Host code generation 3 * 4 * Copyright (c) 2003 Fabrice Bellard 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 */ 19 #ifdef _WIN32 20 #include <windows.h> 21 #endif 22 #include "qemu/osdep.h" 23 24 25 #include "qemu-common.h" 26 #define NO_CPU_IO_DEFS 27 #include "cpu.h" 28 #include "trace.h" 29 #include "disas/disas.h" 30 #include "exec/exec-all.h" 31 #include "tcg.h" 32 #if defined(CONFIG_USER_ONLY) 33 #include "qemu.h" 34 #include "exec/exec-all.h" 35 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__) 36 #include <sys/param.h> 37 #if __FreeBSD_version >= 700104 38 #define HAVE_KINFO_GETVMMAP 39 #define sigqueue sigqueue_freebsd /* avoid redefinition */ 40 #include <sys/proc.h> 41 #include <machine/profile.h> 42 #define _KERNEL 43 #include <sys/user.h> 44 #undef _KERNEL 45 #undef sigqueue 46 #include <libutil.h> 47 #endif 48 #endif 49 #else 50 #include "exec/address-spaces.h" 51 #endif 52 53 #include "exec/cputlb.h" 54 #include "exec/tb-hash.h" 55 #include "translate-all.h" 56 #include "qemu/bitmap.h" 57 #include "qemu/timer.h" 58 #include "qemu/main-loop.h" 59 #include "exec/log.h" 60 #include "sysemu/cpus.h" 61 62 /* #define DEBUG_TB_INVALIDATE */ 63 /* #define DEBUG_TB_FLUSH */ 64 /* make various TB consistency checks */ 65 /* #define DEBUG_TB_CHECK */ 66 67 #if !defined(CONFIG_USER_ONLY) 68 /* TB consistency checks only implemented for usermode emulation. */ 69 #undef DEBUG_TB_CHECK 70 #endif 71 72 /* Access to the various translations structures need to be serialised via locks 73 * for consistency. This is automatic for SoftMMU based system 74 * emulation due to its single threaded nature. In user-mode emulation 75 * access to the memory related structures are protected with the 76 * mmap_lock. 77 */ 78 #ifdef CONFIG_SOFTMMU 79 #define assert_memory_lock() tcg_debug_assert(have_tb_lock) 80 #else 81 #define assert_memory_lock() tcg_debug_assert(have_mmap_lock()) 82 #endif 83 84 #define SMC_BITMAP_USE_THRESHOLD 10 85 86 typedef struct PageDesc { 87 /* list of TBs intersecting this ram page */ 88 TranslationBlock *first_tb; 89 #ifdef CONFIG_SOFTMMU 90 /* in order to optimize self modifying code, we count the number 91 of lookups we do to a given page to use a bitmap */ 92 unsigned int code_write_count; 93 unsigned long *code_bitmap; 94 #else 95 unsigned long flags; 96 #endif 97 } PageDesc; 98 99 /* In system mode we want L1_MAP to be based on ram offsets, 100 while in user mode we want it to be based on virtual addresses. */ 101 #if !defined(CONFIG_USER_ONLY) 102 #if HOST_LONG_BITS < TARGET_PHYS_ADDR_SPACE_BITS 103 # define L1_MAP_ADDR_SPACE_BITS HOST_LONG_BITS 104 #else 105 # define L1_MAP_ADDR_SPACE_BITS TARGET_PHYS_ADDR_SPACE_BITS 106 #endif 107 #else 108 # define L1_MAP_ADDR_SPACE_BITS TARGET_VIRT_ADDR_SPACE_BITS 109 #endif 110 111 /* Size of the L2 (and L3, etc) page tables. */ 112 #define V_L2_BITS 10 113 #define V_L2_SIZE (1 << V_L2_BITS) 114 115 /* 116 * L1 Mapping properties 117 */ 118 static int v_l1_size; 119 static int v_l1_shift; 120 static int v_l2_levels; 121 122 /* The bottom level has pointers to PageDesc, and is indexed by 123 * anything from 4 to (V_L2_BITS + 3) bits, depending on target page size. 124 */ 125 #define V_L1_MIN_BITS 4 126 #define V_L1_MAX_BITS (V_L2_BITS + 3) 127 #define V_L1_MAX_SIZE (1 << V_L1_MAX_BITS) 128 129 static void *l1_map[V_L1_MAX_SIZE]; 130 131 /* code generation context */ 132 TCGContext tcg_ctx; 133 bool parallel_cpus; 134 135 /* translation block context */ 136 __thread int have_tb_lock; 137 138 static void page_table_config_init(void) 139 { 140 uint32_t v_l1_bits; 141 142 assert(TARGET_PAGE_BITS); 143 /* The bits remaining after N lower levels of page tables. */ 144 v_l1_bits = (L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS) % V_L2_BITS; 145 if (v_l1_bits < V_L1_MIN_BITS) { 146 v_l1_bits += V_L2_BITS; 147 } 148 149 v_l1_size = 1 << v_l1_bits; 150 v_l1_shift = L1_MAP_ADDR_SPACE_BITS - TARGET_PAGE_BITS - v_l1_bits; 151 v_l2_levels = v_l1_shift / V_L2_BITS - 1; 152 153 assert(v_l1_bits <= V_L1_MAX_BITS); 154 assert(v_l1_shift % V_L2_BITS == 0); 155 assert(v_l2_levels >= 0); 156 } 157 158 #define assert_tb_locked() tcg_debug_assert(have_tb_lock) 159 #define assert_tb_unlocked() tcg_debug_assert(!have_tb_lock) 160 161 void tb_lock(void) 162 { 163 assert_tb_unlocked(); 164 qemu_mutex_lock(&tcg_ctx.tb_ctx.tb_lock); 165 have_tb_lock++; 166 } 167 168 void tb_unlock(void) 169 { 170 assert_tb_locked(); 171 have_tb_lock--; 172 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock); 173 } 174 175 void tb_lock_reset(void) 176 { 177 if (have_tb_lock) { 178 qemu_mutex_unlock(&tcg_ctx.tb_ctx.tb_lock); 179 have_tb_lock = 0; 180 } 181 } 182 183 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr); 184 185 void cpu_gen_init(void) 186 { 187 tcg_context_init(&tcg_ctx); 188 } 189 190 /* Encode VAL as a signed leb128 sequence at P. 191 Return P incremented past the encoded value. */ 192 static uint8_t *encode_sleb128(uint8_t *p, target_long val) 193 { 194 int more, byte; 195 196 do { 197 byte = val & 0x7f; 198 val >>= 7; 199 more = !((val == 0 && (byte & 0x40) == 0) 200 || (val == -1 && (byte & 0x40) != 0)); 201 if (more) { 202 byte |= 0x80; 203 } 204 *p++ = byte; 205 } while (more); 206 207 return p; 208 } 209 210 /* Decode a signed leb128 sequence at *PP; increment *PP past the 211 decoded value. Return the decoded value. */ 212 static target_long decode_sleb128(uint8_t **pp) 213 { 214 uint8_t *p = *pp; 215 target_long val = 0; 216 int byte, shift = 0; 217 218 do { 219 byte = *p++; 220 val |= (target_ulong)(byte & 0x7f) << shift; 221 shift += 7; 222 } while (byte & 0x80); 223 if (shift < TARGET_LONG_BITS && (byte & 0x40)) { 224 val |= -(target_ulong)1 << shift; 225 } 226 227 *pp = p; 228 return val; 229 } 230 231 /* Encode the data collected about the instructions while compiling TB. 232 Place the data at BLOCK, and return the number of bytes consumed. 233 234 The logical table consisits of TARGET_INSN_START_WORDS target_ulong's, 235 which come from the target's insn_start data, followed by a uintptr_t 236 which comes from the host pc of the end of the code implementing the insn. 237 238 Each line of the table is encoded as sleb128 deltas from the previous 239 line. The seed for the first line is { tb->pc, 0..., tb->tc_ptr }. 240 That is, the first column is seeded with the guest pc, the last column 241 with the host pc, and the middle columns with zeros. */ 242 243 static int encode_search(TranslationBlock *tb, uint8_t *block) 244 { 245 uint8_t *highwater = tcg_ctx.code_gen_highwater; 246 uint8_t *p = block; 247 int i, j, n; 248 249 tb->tc_search = block; 250 251 for (i = 0, n = tb->icount; i < n; ++i) { 252 target_ulong prev; 253 254 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 255 if (i == 0) { 256 prev = (j == 0 ? tb->pc : 0); 257 } else { 258 prev = tcg_ctx.gen_insn_data[i - 1][j]; 259 } 260 p = encode_sleb128(p, tcg_ctx.gen_insn_data[i][j] - prev); 261 } 262 prev = (i == 0 ? 0 : tcg_ctx.gen_insn_end_off[i - 1]); 263 p = encode_sleb128(p, tcg_ctx.gen_insn_end_off[i] - prev); 264 265 /* Test for (pending) buffer overflow. The assumption is that any 266 one row beginning below the high water mark cannot overrun 267 the buffer completely. Thus we can test for overflow after 268 encoding a row without having to check during encoding. */ 269 if (unlikely(p > highwater)) { 270 return -1; 271 } 272 } 273 274 return p - block; 275 } 276 277 /* The cpu state corresponding to 'searched_pc' is restored. 278 * Called with tb_lock held. 279 */ 280 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb, 281 uintptr_t searched_pc) 282 { 283 target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc }; 284 uintptr_t host_pc = (uintptr_t)tb->tc_ptr; 285 CPUArchState *env = cpu->env_ptr; 286 uint8_t *p = tb->tc_search; 287 int i, j, num_insns = tb->icount; 288 #ifdef CONFIG_PROFILER 289 int64_t ti = profile_getclock(); 290 #endif 291 292 searched_pc -= GETPC_ADJ; 293 294 if (searched_pc < host_pc) { 295 return -1; 296 } 297 298 /* Reconstruct the stored insn data while looking for the point at 299 which the end of the insn exceeds the searched_pc. */ 300 for (i = 0; i < num_insns; ++i) { 301 for (j = 0; j < TARGET_INSN_START_WORDS; ++j) { 302 data[j] += decode_sleb128(&p); 303 } 304 host_pc += decode_sleb128(&p); 305 if (host_pc > searched_pc) { 306 goto found; 307 } 308 } 309 return -1; 310 311 found: 312 if (tb->cflags & CF_USE_ICOUNT) { 313 assert(use_icount); 314 /* Reset the cycle counter to the start of the block. */ 315 cpu->icount_decr.u16.low += num_insns; 316 /* Clear the IO flag. */ 317 cpu->can_do_io = 0; 318 } 319 cpu->icount_decr.u16.low -= i; 320 restore_state_to_opc(env, tb, data); 321 322 #ifdef CONFIG_PROFILER 323 tcg_ctx.restore_time += profile_getclock() - ti; 324 tcg_ctx.restore_count++; 325 #endif 326 return 0; 327 } 328 329 bool cpu_restore_state(CPUState *cpu, uintptr_t retaddr) 330 { 331 TranslationBlock *tb; 332 bool r = false; 333 334 /* A retaddr of zero is invalid so we really shouldn't have ended 335 * up here. The target code has likely forgotten to check retaddr 336 * != 0 before attempting to restore state. We return early to 337 * avoid blowing up on a recursive tb_lock(). The target must have 338 * previously survived a failed cpu_restore_state because 339 * tb_find_pc(0) would have failed anyway. It still should be 340 * fixed though. 341 */ 342 343 if (!retaddr) { 344 return r; 345 } 346 347 tb_lock(); 348 tb = tb_find_pc(retaddr); 349 if (tb) { 350 cpu_restore_state_from_tb(cpu, tb, retaddr); 351 if (tb->cflags & CF_NOCACHE) { 352 /* one-shot translation, invalidate it immediately */ 353 tb_phys_invalidate(tb, -1); 354 tb_free(tb); 355 } 356 r = true; 357 } 358 tb_unlock(); 359 360 return r; 361 } 362 363 static void page_init(void) 364 { 365 page_size_init(); 366 page_table_config_init(); 367 368 #if defined(CONFIG_BSD) && defined(CONFIG_USER_ONLY) 369 { 370 #ifdef HAVE_KINFO_GETVMMAP 371 struct kinfo_vmentry *freep; 372 int i, cnt; 373 374 freep = kinfo_getvmmap(getpid(), &cnt); 375 if (freep) { 376 mmap_lock(); 377 for (i = 0; i < cnt; i++) { 378 unsigned long startaddr, endaddr; 379 380 startaddr = freep[i].kve_start; 381 endaddr = freep[i].kve_end; 382 if (h2g_valid(startaddr)) { 383 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 384 385 if (h2g_valid(endaddr)) { 386 endaddr = h2g(endaddr); 387 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 388 } else { 389 #if TARGET_ABI_BITS <= L1_MAP_ADDR_SPACE_BITS 390 endaddr = ~0ul; 391 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 392 #endif 393 } 394 } 395 } 396 free(freep); 397 mmap_unlock(); 398 } 399 #else 400 FILE *f; 401 402 last_brk = (unsigned long)sbrk(0); 403 404 f = fopen("/compat/linux/proc/self/maps", "r"); 405 if (f) { 406 mmap_lock(); 407 408 do { 409 unsigned long startaddr, endaddr; 410 int n; 411 412 n = fscanf(f, "%lx-%lx %*[^\n]\n", &startaddr, &endaddr); 413 414 if (n == 2 && h2g_valid(startaddr)) { 415 startaddr = h2g(startaddr) & TARGET_PAGE_MASK; 416 417 if (h2g_valid(endaddr)) { 418 endaddr = h2g(endaddr); 419 } else { 420 endaddr = ~0ul; 421 } 422 page_set_flags(startaddr, endaddr, PAGE_RESERVED); 423 } 424 } while (!feof(f)); 425 426 fclose(f); 427 mmap_unlock(); 428 } 429 #endif 430 } 431 #endif 432 } 433 434 /* If alloc=1: 435 * Called with tb_lock held for system emulation. 436 * Called with mmap_lock held for user-mode emulation. 437 */ 438 static PageDesc *page_find_alloc(tb_page_addr_t index, int alloc) 439 { 440 PageDesc *pd; 441 void **lp; 442 int i; 443 444 if (alloc) { 445 assert_memory_lock(); 446 } 447 448 /* Level 1. Always allocated. */ 449 lp = l1_map + ((index >> v_l1_shift) & (v_l1_size - 1)); 450 451 /* Level 2..N-1. */ 452 for (i = v_l2_levels; i > 0; i--) { 453 void **p = atomic_rcu_read(lp); 454 455 if (p == NULL) { 456 if (!alloc) { 457 return NULL; 458 } 459 p = g_new0(void *, V_L2_SIZE); 460 atomic_rcu_set(lp, p); 461 } 462 463 lp = p + ((index >> (i * V_L2_BITS)) & (V_L2_SIZE - 1)); 464 } 465 466 pd = atomic_rcu_read(lp); 467 if (pd == NULL) { 468 if (!alloc) { 469 return NULL; 470 } 471 pd = g_new0(PageDesc, V_L2_SIZE); 472 atomic_rcu_set(lp, pd); 473 } 474 475 return pd + (index & (V_L2_SIZE - 1)); 476 } 477 478 static inline PageDesc *page_find(tb_page_addr_t index) 479 { 480 return page_find_alloc(index, 0); 481 } 482 483 #if defined(CONFIG_USER_ONLY) 484 /* Currently it is not recommended to allocate big chunks of data in 485 user mode. It will change when a dedicated libc will be used. */ 486 /* ??? 64-bit hosts ought to have no problem mmaping data outside the 487 region in which the guest needs to run. Revisit this. */ 488 #define USE_STATIC_CODE_GEN_BUFFER 489 #endif 490 491 /* Minimum size of the code gen buffer. This number is randomly chosen, 492 but not so small that we can't have a fair number of TB's live. */ 493 #define MIN_CODE_GEN_BUFFER_SIZE (1024u * 1024) 494 495 /* Maximum size of the code gen buffer we'd like to use. Unless otherwise 496 indicated, this is constrained by the range of direct branches on the 497 host cpu, as used by the TCG implementation of goto_tb. */ 498 #if defined(__x86_64__) 499 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 500 #elif defined(__sparc__) 501 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 502 #elif defined(__powerpc64__) 503 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 504 #elif defined(__powerpc__) 505 # define MAX_CODE_GEN_BUFFER_SIZE (32u * 1024 * 1024) 506 #elif defined(__aarch64__) 507 # define MAX_CODE_GEN_BUFFER_SIZE (2ul * 1024 * 1024 * 1024) 508 #elif defined(__s390x__) 509 /* We have a +- 4GB range on the branches; leave some slop. */ 510 # define MAX_CODE_GEN_BUFFER_SIZE (3ul * 1024 * 1024 * 1024) 511 #elif defined(__mips__) 512 /* We have a 256MB branch region, but leave room to make sure the 513 main executable is also within that region. */ 514 # define MAX_CODE_GEN_BUFFER_SIZE (128ul * 1024 * 1024) 515 #else 516 # define MAX_CODE_GEN_BUFFER_SIZE ((size_t)-1) 517 #endif 518 519 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32u * 1024 * 1024) 520 521 #define DEFAULT_CODE_GEN_BUFFER_SIZE \ 522 (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \ 523 ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE) 524 525 static inline size_t size_code_gen_buffer(size_t tb_size) 526 { 527 /* Size the buffer. */ 528 if (tb_size == 0) { 529 #ifdef USE_STATIC_CODE_GEN_BUFFER 530 tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE; 531 #else 532 /* ??? Needs adjustments. */ 533 /* ??? If we relax the requirement that CONFIG_USER_ONLY use the 534 static buffer, we could size this on RESERVED_VA, on the text 535 segment size of the executable, or continue to use the default. */ 536 tb_size = (unsigned long)(ram_size / 4); 537 #endif 538 } 539 if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) { 540 tb_size = MIN_CODE_GEN_BUFFER_SIZE; 541 } 542 if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) { 543 tb_size = MAX_CODE_GEN_BUFFER_SIZE; 544 } 545 return tb_size; 546 } 547 548 #ifdef __mips__ 549 /* In order to use J and JAL within the code_gen_buffer, we require 550 that the buffer not cross a 256MB boundary. */ 551 static inline bool cross_256mb(void *addr, size_t size) 552 { 553 return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful; 554 } 555 556 /* We weren't able to allocate a buffer without crossing that boundary, 557 so make do with the larger portion of the buffer that doesn't cross. 558 Returns the new base of the buffer, and adjusts code_gen_buffer_size. */ 559 static inline void *split_cross_256mb(void *buf1, size_t size1) 560 { 561 void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful); 562 size_t size2 = buf1 + size1 - buf2; 563 564 size1 = buf2 - buf1; 565 if (size1 < size2) { 566 size1 = size2; 567 buf1 = buf2; 568 } 569 570 tcg_ctx.code_gen_buffer_size = size1; 571 return buf1; 572 } 573 #endif 574 575 #ifdef USE_STATIC_CODE_GEN_BUFFER 576 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE] 577 __attribute__((aligned(CODE_GEN_ALIGN))); 578 579 # ifdef _WIN32 580 static inline void do_protect(void *addr, long size, int prot) 581 { 582 DWORD old_protect; 583 VirtualProtect(addr, size, prot, &old_protect); 584 } 585 586 static inline void map_exec(void *addr, long size) 587 { 588 do_protect(addr, size, PAGE_EXECUTE_READWRITE); 589 } 590 591 static inline void map_none(void *addr, long size) 592 { 593 do_protect(addr, size, PAGE_NOACCESS); 594 } 595 # else 596 static inline void do_protect(void *addr, long size, int prot) 597 { 598 uintptr_t start, end; 599 600 start = (uintptr_t)addr; 601 start &= qemu_real_host_page_mask; 602 603 end = (uintptr_t)addr + size; 604 end = ROUND_UP(end, qemu_real_host_page_size); 605 606 mprotect((void *)start, end - start, prot); 607 } 608 609 static inline void map_exec(void *addr, long size) 610 { 611 do_protect(addr, size, PROT_READ | PROT_WRITE | PROT_EXEC); 612 } 613 614 static inline void map_none(void *addr, long size) 615 { 616 do_protect(addr, size, PROT_NONE); 617 } 618 # endif /* WIN32 */ 619 620 static inline void *alloc_code_gen_buffer(void) 621 { 622 void *buf = static_code_gen_buffer; 623 size_t full_size, size; 624 625 /* The size of the buffer, rounded down to end on a page boundary. */ 626 full_size = (((uintptr_t)buf + sizeof(static_code_gen_buffer)) 627 & qemu_real_host_page_mask) - (uintptr_t)buf; 628 629 /* Reserve a guard page. */ 630 size = full_size - qemu_real_host_page_size; 631 632 /* Honor a command-line option limiting the size of the buffer. */ 633 if (size > tcg_ctx.code_gen_buffer_size) { 634 size = (((uintptr_t)buf + tcg_ctx.code_gen_buffer_size) 635 & qemu_real_host_page_mask) - (uintptr_t)buf; 636 } 637 tcg_ctx.code_gen_buffer_size = size; 638 639 #ifdef __mips__ 640 if (cross_256mb(buf, size)) { 641 buf = split_cross_256mb(buf, size); 642 size = tcg_ctx.code_gen_buffer_size; 643 } 644 #endif 645 646 map_exec(buf, size); 647 map_none(buf + size, qemu_real_host_page_size); 648 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 649 650 return buf; 651 } 652 #elif defined(_WIN32) 653 static inline void *alloc_code_gen_buffer(void) 654 { 655 size_t size = tcg_ctx.code_gen_buffer_size; 656 void *buf1, *buf2; 657 658 /* Perform the allocation in two steps, so that the guard page 659 is reserved but uncommitted. */ 660 buf1 = VirtualAlloc(NULL, size + qemu_real_host_page_size, 661 MEM_RESERVE, PAGE_NOACCESS); 662 if (buf1 != NULL) { 663 buf2 = VirtualAlloc(buf1, size, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 664 assert(buf1 == buf2); 665 } 666 667 return buf1; 668 } 669 #else 670 static inline void *alloc_code_gen_buffer(void) 671 { 672 int flags = MAP_PRIVATE | MAP_ANONYMOUS; 673 uintptr_t start = 0; 674 size_t size = tcg_ctx.code_gen_buffer_size; 675 void *buf; 676 677 /* Constrain the position of the buffer based on the host cpu. 678 Note that these addresses are chosen in concert with the 679 addresses assigned in the relevant linker script file. */ 680 # if defined(__PIE__) || defined(__PIC__) 681 /* Don't bother setting a preferred location if we're building 682 a position-independent executable. We're more likely to get 683 an address near the main executable if we let the kernel 684 choose the address. */ 685 # elif defined(__x86_64__) && defined(MAP_32BIT) 686 /* Force the memory down into low memory with the executable. 687 Leave the choice of exact location with the kernel. */ 688 flags |= MAP_32BIT; 689 /* Cannot expect to map more than 800MB in low memory. */ 690 if (size > 800u * 1024 * 1024) { 691 tcg_ctx.code_gen_buffer_size = size = 800u * 1024 * 1024; 692 } 693 # elif defined(__sparc__) 694 start = 0x40000000ul; 695 # elif defined(__s390x__) 696 start = 0x90000000ul; 697 # elif defined(__mips__) 698 # if _MIPS_SIM == _ABI64 699 start = 0x128000000ul; 700 # else 701 start = 0x08000000ul; 702 # endif 703 # endif 704 705 buf = mmap((void *)start, size + qemu_real_host_page_size, 706 PROT_NONE, flags, -1, 0); 707 if (buf == MAP_FAILED) { 708 return NULL; 709 } 710 711 #ifdef __mips__ 712 if (cross_256mb(buf, size)) { 713 /* Try again, with the original still mapped, to avoid re-acquiring 714 that 256mb crossing. This time don't specify an address. */ 715 size_t size2; 716 void *buf2 = mmap(NULL, size + qemu_real_host_page_size, 717 PROT_NONE, flags, -1, 0); 718 switch ((int)(buf2 != MAP_FAILED)) { 719 case 1: 720 if (!cross_256mb(buf2, size)) { 721 /* Success! Use the new buffer. */ 722 munmap(buf, size + qemu_real_host_page_size); 723 break; 724 } 725 /* Failure. Work with what we had. */ 726 munmap(buf2, size + qemu_real_host_page_size); 727 /* fallthru */ 728 default: 729 /* Split the original buffer. Free the smaller half. */ 730 buf2 = split_cross_256mb(buf, size); 731 size2 = tcg_ctx.code_gen_buffer_size; 732 if (buf == buf2) { 733 munmap(buf + size2 + qemu_real_host_page_size, size - size2); 734 } else { 735 munmap(buf, size - size2); 736 } 737 size = size2; 738 break; 739 } 740 buf = buf2; 741 } 742 #endif 743 744 /* Make the final buffer accessible. The guard page at the end 745 will remain inaccessible with PROT_NONE. */ 746 mprotect(buf, size, PROT_WRITE | PROT_READ | PROT_EXEC); 747 748 /* Request large pages for the buffer. */ 749 qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE); 750 751 return buf; 752 } 753 #endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */ 754 755 static inline void code_gen_alloc(size_t tb_size) 756 { 757 tcg_ctx.code_gen_buffer_size = size_code_gen_buffer(tb_size); 758 tcg_ctx.code_gen_buffer = alloc_code_gen_buffer(); 759 if (tcg_ctx.code_gen_buffer == NULL) { 760 fprintf(stderr, "Could not allocate dynamic translator buffer\n"); 761 exit(1); 762 } 763 764 /* size this conservatively -- realloc later if needed */ 765 tcg_ctx.tb_ctx.tbs_size = 766 tcg_ctx.code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE / 8; 767 if (unlikely(!tcg_ctx.tb_ctx.tbs_size)) { 768 tcg_ctx.tb_ctx.tbs_size = 64 * 1024; 769 } 770 tcg_ctx.tb_ctx.tbs = g_new(TranslationBlock *, tcg_ctx.tb_ctx.tbs_size); 771 772 qemu_mutex_init(&tcg_ctx.tb_ctx.tb_lock); 773 } 774 775 static void tb_htable_init(void) 776 { 777 unsigned int mode = QHT_MODE_AUTO_RESIZE; 778 779 qht_init(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE, mode); 780 } 781 782 /* Must be called before using the QEMU cpus. 'tb_size' is the size 783 (in bytes) allocated to the translation buffer. Zero means default 784 size. */ 785 void tcg_exec_init(unsigned long tb_size) 786 { 787 tcg_allowed = true; 788 cpu_gen_init(); 789 page_init(); 790 tb_htable_init(); 791 code_gen_alloc(tb_size); 792 #if defined(CONFIG_SOFTMMU) 793 /* There's no guest base to take into account, so go ahead and 794 initialize the prologue now. */ 795 tcg_prologue_init(&tcg_ctx); 796 #endif 797 } 798 799 /* 800 * Allocate a new translation block. Flush the translation buffer if 801 * too many translation blocks or too much generated code. 802 * 803 * Called with tb_lock held. 804 */ 805 static TranslationBlock *tb_alloc(target_ulong pc) 806 { 807 TranslationBlock *tb; 808 TBContext *ctx; 809 810 assert_tb_locked(); 811 812 tb = tcg_tb_alloc(&tcg_ctx); 813 if (unlikely(tb == NULL)) { 814 return NULL; 815 } 816 ctx = &tcg_ctx.tb_ctx; 817 if (unlikely(ctx->nb_tbs == ctx->tbs_size)) { 818 ctx->tbs_size *= 2; 819 ctx->tbs = g_renew(TranslationBlock *, ctx->tbs, ctx->tbs_size); 820 } 821 ctx->tbs[ctx->nb_tbs++] = tb; 822 return tb; 823 } 824 825 /* Called with tb_lock held. */ 826 void tb_free(TranslationBlock *tb) 827 { 828 assert_tb_locked(); 829 830 /* In practice this is mostly used for single use temporary TB 831 Ignore the hard cases and just back up if this TB happens to 832 be the last one generated. */ 833 if (tcg_ctx.tb_ctx.nb_tbs > 0 && 834 tb == tcg_ctx.tb_ctx.tbs[tcg_ctx.tb_ctx.nb_tbs - 1]) { 835 size_t struct_size = ROUND_UP(sizeof(*tb), qemu_icache_linesize); 836 837 tcg_ctx.code_gen_ptr = tb->tc_ptr - struct_size; 838 tcg_ctx.tb_ctx.nb_tbs--; 839 } 840 } 841 842 static inline void invalidate_page_bitmap(PageDesc *p) 843 { 844 #ifdef CONFIG_SOFTMMU 845 g_free(p->code_bitmap); 846 p->code_bitmap = NULL; 847 p->code_write_count = 0; 848 #endif 849 } 850 851 /* Set to NULL all the 'first_tb' fields in all PageDescs. */ 852 static void page_flush_tb_1(int level, void **lp) 853 { 854 int i; 855 856 if (*lp == NULL) { 857 return; 858 } 859 if (level == 0) { 860 PageDesc *pd = *lp; 861 862 for (i = 0; i < V_L2_SIZE; ++i) { 863 pd[i].first_tb = NULL; 864 invalidate_page_bitmap(pd + i); 865 } 866 } else { 867 void **pp = *lp; 868 869 for (i = 0; i < V_L2_SIZE; ++i) { 870 page_flush_tb_1(level - 1, pp + i); 871 } 872 } 873 } 874 875 static void page_flush_tb(void) 876 { 877 int i, l1_sz = v_l1_size; 878 879 for (i = 0; i < l1_sz; i++) { 880 page_flush_tb_1(v_l2_levels, l1_map + i); 881 } 882 } 883 884 /* flush all the translation blocks */ 885 static void do_tb_flush(CPUState *cpu, run_on_cpu_data tb_flush_count) 886 { 887 tb_lock(); 888 889 /* If it is already been done on request of another CPU, 890 * just retry. 891 */ 892 if (tcg_ctx.tb_ctx.tb_flush_count != tb_flush_count.host_int) { 893 goto done; 894 } 895 896 #if defined(DEBUG_TB_FLUSH) 897 printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n", 898 (unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer), 899 tcg_ctx.tb_ctx.nb_tbs, tcg_ctx.tb_ctx.nb_tbs > 0 ? 900 ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer)) / 901 tcg_ctx.tb_ctx.nb_tbs : 0); 902 #endif 903 if ((unsigned long)(tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer) 904 > tcg_ctx.code_gen_buffer_size) { 905 cpu_abort(cpu, "Internal error: code buffer overflow\n"); 906 } 907 908 CPU_FOREACH(cpu) { 909 cpu_tb_jmp_cache_clear(cpu); 910 } 911 912 tcg_ctx.tb_ctx.nb_tbs = 0; 913 qht_reset_size(&tcg_ctx.tb_ctx.htable, CODE_GEN_HTABLE_SIZE); 914 page_flush_tb(); 915 916 tcg_ctx.code_gen_ptr = tcg_ctx.code_gen_buffer; 917 /* XXX: flush processor icache at this point if cache flush is 918 expensive */ 919 atomic_mb_set(&tcg_ctx.tb_ctx.tb_flush_count, 920 tcg_ctx.tb_ctx.tb_flush_count + 1); 921 922 done: 923 tb_unlock(); 924 } 925 926 void tb_flush(CPUState *cpu) 927 { 928 if (tcg_enabled()) { 929 unsigned tb_flush_count = atomic_mb_read(&tcg_ctx.tb_ctx.tb_flush_count); 930 async_safe_run_on_cpu(cpu, do_tb_flush, 931 RUN_ON_CPU_HOST_INT(tb_flush_count)); 932 } 933 } 934 935 #ifdef DEBUG_TB_CHECK 936 937 static void 938 do_tb_invalidate_check(struct qht *ht, void *p, uint32_t hash, void *userp) 939 { 940 TranslationBlock *tb = p; 941 target_ulong addr = *(target_ulong *)userp; 942 943 if (!(addr + TARGET_PAGE_SIZE <= tb->pc || addr >= tb->pc + tb->size)) { 944 printf("ERROR invalidate: address=" TARGET_FMT_lx 945 " PC=%08lx size=%04x\n", addr, (long)tb->pc, tb->size); 946 } 947 } 948 949 /* verify that all the pages have correct rights for code 950 * 951 * Called with tb_lock held. 952 */ 953 static void tb_invalidate_check(target_ulong address) 954 { 955 address &= TARGET_PAGE_MASK; 956 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_invalidate_check, &address); 957 } 958 959 static void 960 do_tb_page_check(struct qht *ht, void *p, uint32_t hash, void *userp) 961 { 962 TranslationBlock *tb = p; 963 int flags1, flags2; 964 965 flags1 = page_get_flags(tb->pc); 966 flags2 = page_get_flags(tb->pc + tb->size - 1); 967 if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) { 968 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n", 969 (long)tb->pc, tb->size, flags1, flags2); 970 } 971 } 972 973 /* verify that all the pages have correct rights for code */ 974 static void tb_page_check(void) 975 { 976 qht_iter(&tcg_ctx.tb_ctx.htable, do_tb_page_check, NULL); 977 } 978 979 #endif 980 981 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb) 982 { 983 TranslationBlock *tb1; 984 unsigned int n1; 985 986 for (;;) { 987 tb1 = *ptb; 988 n1 = (uintptr_t)tb1 & 3; 989 tb1 = (TranslationBlock *)((uintptr_t)tb1 & ~3); 990 if (tb1 == tb) { 991 *ptb = tb1->page_next[n1]; 992 break; 993 } 994 ptb = &tb1->page_next[n1]; 995 } 996 } 997 998 /* remove the TB from a list of TBs jumping to the n-th jump target of the TB */ 999 static inline void tb_remove_from_jmp_list(TranslationBlock *tb, int n) 1000 { 1001 TranslationBlock *tb1; 1002 uintptr_t *ptb, ntb; 1003 unsigned int n1; 1004 1005 ptb = &tb->jmp_list_next[n]; 1006 if (*ptb) { 1007 /* find tb(n) in circular list */ 1008 for (;;) { 1009 ntb = *ptb; 1010 n1 = ntb & 3; 1011 tb1 = (TranslationBlock *)(ntb & ~3); 1012 if (n1 == n && tb1 == tb) { 1013 break; 1014 } 1015 if (n1 == 2) { 1016 ptb = &tb1->jmp_list_first; 1017 } else { 1018 ptb = &tb1->jmp_list_next[n1]; 1019 } 1020 } 1021 /* now we can suppress tb(n) from the list */ 1022 *ptb = tb->jmp_list_next[n]; 1023 1024 tb->jmp_list_next[n] = (uintptr_t)NULL; 1025 } 1026 } 1027 1028 /* reset the jump entry 'n' of a TB so that it is not chained to 1029 another TB */ 1030 static inline void tb_reset_jump(TranslationBlock *tb, int n) 1031 { 1032 uintptr_t addr = (uintptr_t)(tb->tc_ptr + tb->jmp_reset_offset[n]); 1033 tb_set_jmp_target(tb, n, addr); 1034 } 1035 1036 /* remove any jumps to the TB */ 1037 static inline void tb_jmp_unlink(TranslationBlock *tb) 1038 { 1039 TranslationBlock *tb1; 1040 uintptr_t *ptb, ntb; 1041 unsigned int n1; 1042 1043 ptb = &tb->jmp_list_first; 1044 for (;;) { 1045 ntb = *ptb; 1046 n1 = ntb & 3; 1047 tb1 = (TranslationBlock *)(ntb & ~3); 1048 if (n1 == 2) { 1049 break; 1050 } 1051 tb_reset_jump(tb1, n1); 1052 *ptb = tb1->jmp_list_next[n1]; 1053 tb1->jmp_list_next[n1] = (uintptr_t)NULL; 1054 } 1055 } 1056 1057 /* invalidate one TB 1058 * 1059 * Called with tb_lock held. 1060 */ 1061 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr) 1062 { 1063 CPUState *cpu; 1064 PageDesc *p; 1065 uint32_t h; 1066 tb_page_addr_t phys_pc; 1067 1068 assert_tb_locked(); 1069 1070 atomic_set(&tb->invalid, true); 1071 1072 /* remove the TB from the hash list */ 1073 phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1074 h = tb_hash_func(phys_pc, tb->pc, tb->flags); 1075 qht_remove(&tcg_ctx.tb_ctx.htable, tb, h); 1076 1077 /* remove the TB from the page list */ 1078 if (tb->page_addr[0] != page_addr) { 1079 p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS); 1080 tb_page_remove(&p->first_tb, tb); 1081 invalidate_page_bitmap(p); 1082 } 1083 if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) { 1084 p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS); 1085 tb_page_remove(&p->first_tb, tb); 1086 invalidate_page_bitmap(p); 1087 } 1088 1089 /* remove the TB from the hash list */ 1090 h = tb_jmp_cache_hash_func(tb->pc); 1091 CPU_FOREACH(cpu) { 1092 if (atomic_read(&cpu->tb_jmp_cache[h]) == tb) { 1093 atomic_set(&cpu->tb_jmp_cache[h], NULL); 1094 } 1095 } 1096 1097 /* suppress this TB from the two jump lists */ 1098 tb_remove_from_jmp_list(tb, 0); 1099 tb_remove_from_jmp_list(tb, 1); 1100 1101 /* suppress any remaining jumps to this TB */ 1102 tb_jmp_unlink(tb); 1103 1104 tcg_ctx.tb_ctx.tb_phys_invalidate_count++; 1105 } 1106 1107 #ifdef CONFIG_SOFTMMU 1108 static void build_page_bitmap(PageDesc *p) 1109 { 1110 int n, tb_start, tb_end; 1111 TranslationBlock *tb; 1112 1113 p->code_bitmap = bitmap_new(TARGET_PAGE_SIZE); 1114 1115 tb = p->first_tb; 1116 while (tb != NULL) { 1117 n = (uintptr_t)tb & 3; 1118 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1119 /* NOTE: this is subtle as a TB may span two physical pages */ 1120 if (n == 0) { 1121 /* NOTE: tb_end may be after the end of the page, but 1122 it is not a problem */ 1123 tb_start = tb->pc & ~TARGET_PAGE_MASK; 1124 tb_end = tb_start + tb->size; 1125 if (tb_end > TARGET_PAGE_SIZE) { 1126 tb_end = TARGET_PAGE_SIZE; 1127 } 1128 } else { 1129 tb_start = 0; 1130 tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1131 } 1132 bitmap_set(p->code_bitmap, tb_start, tb_end - tb_start); 1133 tb = tb->page_next[n]; 1134 } 1135 } 1136 #endif 1137 1138 /* add the tb in the target page and protect it if necessary 1139 * 1140 * Called with mmap_lock held for user-mode emulation. 1141 */ 1142 static inline void tb_alloc_page(TranslationBlock *tb, 1143 unsigned int n, tb_page_addr_t page_addr) 1144 { 1145 PageDesc *p; 1146 #ifndef CONFIG_USER_ONLY 1147 bool page_already_protected; 1148 #endif 1149 1150 assert_memory_lock(); 1151 1152 tb->page_addr[n] = page_addr; 1153 p = page_find_alloc(page_addr >> TARGET_PAGE_BITS, 1); 1154 tb->page_next[n] = p->first_tb; 1155 #ifndef CONFIG_USER_ONLY 1156 page_already_protected = p->first_tb != NULL; 1157 #endif 1158 p->first_tb = (TranslationBlock *)((uintptr_t)tb | n); 1159 invalidate_page_bitmap(p); 1160 1161 #if defined(CONFIG_USER_ONLY) 1162 if (p->flags & PAGE_WRITE) { 1163 target_ulong addr; 1164 PageDesc *p2; 1165 int prot; 1166 1167 /* force the host page as non writable (writes will have a 1168 page fault + mprotect overhead) */ 1169 page_addr &= qemu_host_page_mask; 1170 prot = 0; 1171 for (addr = page_addr; addr < page_addr + qemu_host_page_size; 1172 addr += TARGET_PAGE_SIZE) { 1173 1174 p2 = page_find(addr >> TARGET_PAGE_BITS); 1175 if (!p2) { 1176 continue; 1177 } 1178 prot |= p2->flags; 1179 p2->flags &= ~PAGE_WRITE; 1180 } 1181 mprotect(g2h(page_addr), qemu_host_page_size, 1182 (prot & PAGE_BITS) & ~PAGE_WRITE); 1183 #ifdef DEBUG_TB_INVALIDATE 1184 printf("protecting code page: 0x" TARGET_FMT_lx "\n", 1185 page_addr); 1186 #endif 1187 } 1188 #else 1189 /* if some code is already present, then the pages are already 1190 protected. So we handle the case where only the first TB is 1191 allocated in a physical page */ 1192 if (!page_already_protected) { 1193 tlb_protect_code(page_addr); 1194 } 1195 #endif 1196 } 1197 1198 /* add a new TB and link it to the physical page tables. phys_page2 is 1199 * (-1) to indicate that only one page contains the TB. 1200 * 1201 * Called with mmap_lock held for user-mode emulation. 1202 */ 1203 static void tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc, 1204 tb_page_addr_t phys_page2) 1205 { 1206 uint32_t h; 1207 1208 assert_memory_lock(); 1209 1210 /* add in the page list */ 1211 tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK); 1212 if (phys_page2 != -1) { 1213 tb_alloc_page(tb, 1, phys_page2); 1214 } else { 1215 tb->page_addr[1] = -1; 1216 } 1217 1218 /* add in the hash table */ 1219 h = tb_hash_func(phys_pc, tb->pc, tb->flags); 1220 qht_insert(&tcg_ctx.tb_ctx.htable, tb, h); 1221 1222 #ifdef DEBUG_TB_CHECK 1223 tb_page_check(); 1224 #endif 1225 } 1226 1227 /* Called with mmap_lock held for user mode emulation. */ 1228 TranslationBlock *tb_gen_code(CPUState *cpu, 1229 target_ulong pc, target_ulong cs_base, 1230 uint32_t flags, int cflags) 1231 { 1232 CPUArchState *env = cpu->env_ptr; 1233 TranslationBlock *tb; 1234 tb_page_addr_t phys_pc, phys_page2; 1235 target_ulong virt_page2; 1236 tcg_insn_unit *gen_code_buf; 1237 int gen_code_size, search_size; 1238 #ifdef CONFIG_PROFILER 1239 int64_t ti; 1240 #endif 1241 assert_memory_lock(); 1242 1243 phys_pc = get_page_addr_code(env, pc); 1244 if (use_icount && !(cflags & CF_IGNORE_ICOUNT)) { 1245 cflags |= CF_USE_ICOUNT; 1246 } 1247 1248 tb = tb_alloc(pc); 1249 if (unlikely(!tb)) { 1250 buffer_overflow: 1251 /* flush must be done */ 1252 tb_flush(cpu); 1253 mmap_unlock(); 1254 /* Make the execution loop process the flush as soon as possible. */ 1255 cpu->exception_index = EXCP_INTERRUPT; 1256 cpu_loop_exit(cpu); 1257 } 1258 1259 gen_code_buf = tcg_ctx.code_gen_ptr; 1260 tb->tc_ptr = gen_code_buf; 1261 tb->pc = pc; 1262 tb->cs_base = cs_base; 1263 tb->flags = flags; 1264 tb->cflags = cflags; 1265 tb->invalid = false; 1266 1267 #ifdef CONFIG_PROFILER 1268 tcg_ctx.tb_count1++; /* includes aborted translations because of 1269 exceptions */ 1270 ti = profile_getclock(); 1271 #endif 1272 1273 tcg_func_start(&tcg_ctx); 1274 1275 tcg_ctx.cpu = ENV_GET_CPU(env); 1276 gen_intermediate_code(env, tb); 1277 tcg_ctx.cpu = NULL; 1278 1279 trace_translate_block(tb, tb->pc, tb->tc_ptr); 1280 1281 /* generate machine code */ 1282 tb->jmp_reset_offset[0] = TB_JMP_RESET_OFFSET_INVALID; 1283 tb->jmp_reset_offset[1] = TB_JMP_RESET_OFFSET_INVALID; 1284 tcg_ctx.tb_jmp_reset_offset = tb->jmp_reset_offset; 1285 #ifdef USE_DIRECT_JUMP 1286 tcg_ctx.tb_jmp_insn_offset = tb->jmp_insn_offset; 1287 tcg_ctx.tb_jmp_target_addr = NULL; 1288 #else 1289 tcg_ctx.tb_jmp_insn_offset = NULL; 1290 tcg_ctx.tb_jmp_target_addr = tb->jmp_target_addr; 1291 #endif 1292 1293 #ifdef CONFIG_PROFILER 1294 tcg_ctx.tb_count++; 1295 tcg_ctx.interm_time += profile_getclock() - ti; 1296 tcg_ctx.code_time -= profile_getclock(); 1297 #endif 1298 1299 /* ??? Overflow could be handled better here. In particular, we 1300 don't need to re-do gen_intermediate_code, nor should we re-do 1301 the tcg optimization currently hidden inside tcg_gen_code. All 1302 that should be required is to flush the TBs, allocate a new TB, 1303 re-initialize it per above, and re-do the actual code generation. */ 1304 gen_code_size = tcg_gen_code(&tcg_ctx, tb); 1305 if (unlikely(gen_code_size < 0)) { 1306 goto buffer_overflow; 1307 } 1308 search_size = encode_search(tb, (void *)gen_code_buf + gen_code_size); 1309 if (unlikely(search_size < 0)) { 1310 goto buffer_overflow; 1311 } 1312 1313 #ifdef CONFIG_PROFILER 1314 tcg_ctx.code_time += profile_getclock(); 1315 tcg_ctx.code_in_len += tb->size; 1316 tcg_ctx.code_out_len += gen_code_size; 1317 tcg_ctx.search_out_len += search_size; 1318 #endif 1319 1320 #ifdef DEBUG_DISAS 1321 if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM) && 1322 qemu_log_in_addr_range(tb->pc)) { 1323 qemu_log_lock(); 1324 qemu_log("OUT: [size=%d]\n", gen_code_size); 1325 log_disas(tb->tc_ptr, gen_code_size); 1326 qemu_log("\n"); 1327 qemu_log_flush(); 1328 qemu_log_unlock(); 1329 } 1330 #endif 1331 1332 tcg_ctx.code_gen_ptr = (void *) 1333 ROUND_UP((uintptr_t)gen_code_buf + gen_code_size + search_size, 1334 CODE_GEN_ALIGN); 1335 1336 /* init jump list */ 1337 assert(((uintptr_t)tb & 3) == 0); 1338 tb->jmp_list_first = (uintptr_t)tb | 2; 1339 tb->jmp_list_next[0] = (uintptr_t)NULL; 1340 tb->jmp_list_next[1] = (uintptr_t)NULL; 1341 1342 /* init original jump addresses wich has been set during tcg_gen_code() */ 1343 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 1344 tb_reset_jump(tb, 0); 1345 } 1346 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 1347 tb_reset_jump(tb, 1); 1348 } 1349 1350 /* check next page if needed */ 1351 virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK; 1352 phys_page2 = -1; 1353 if ((pc & TARGET_PAGE_MASK) != virt_page2) { 1354 phys_page2 = get_page_addr_code(env, virt_page2); 1355 } 1356 /* As long as consistency of the TB stuff is provided by tb_lock in user 1357 * mode and is implicit in single-threaded softmmu emulation, no explicit 1358 * memory barrier is required before tb_link_page() makes the TB visible 1359 * through the physical hash table and physical page list. 1360 */ 1361 tb_link_page(tb, phys_pc, phys_page2); 1362 return tb; 1363 } 1364 1365 /* 1366 * Invalidate all TBs which intersect with the target physical address range 1367 * [start;end[. NOTE: start and end may refer to *different* physical pages. 1368 * 'is_cpu_write_access' should be true if called from a real cpu write 1369 * access: the virtual CPU will exit the current TB if code is modified inside 1370 * this TB. 1371 * 1372 * Called with mmap_lock held for user-mode emulation, grabs tb_lock 1373 * Called with tb_lock held for system-mode emulation 1374 */ 1375 static void tb_invalidate_phys_range_1(tb_page_addr_t start, tb_page_addr_t end) 1376 { 1377 while (start < end) { 1378 tb_invalidate_phys_page_range(start, end, 0); 1379 start &= TARGET_PAGE_MASK; 1380 start += TARGET_PAGE_SIZE; 1381 } 1382 } 1383 1384 #ifdef CONFIG_SOFTMMU 1385 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1386 { 1387 assert_tb_locked(); 1388 tb_invalidate_phys_range_1(start, end); 1389 } 1390 #else 1391 void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end) 1392 { 1393 assert_memory_lock(); 1394 tb_lock(); 1395 tb_invalidate_phys_range_1(start, end); 1396 tb_unlock(); 1397 } 1398 #endif 1399 /* 1400 * Invalidate all TBs which intersect with the target physical address range 1401 * [start;end[. NOTE: start and end must refer to the *same* physical page. 1402 * 'is_cpu_write_access' should be true if called from a real cpu write 1403 * access: the virtual CPU will exit the current TB if code is modified inside 1404 * this TB. 1405 * 1406 * Called with tb_lock/mmap_lock held for user-mode emulation 1407 * Called with tb_lock held for system-mode emulation 1408 */ 1409 void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end, 1410 int is_cpu_write_access) 1411 { 1412 TranslationBlock *tb, *tb_next; 1413 #if defined(TARGET_HAS_PRECISE_SMC) 1414 CPUState *cpu = current_cpu; 1415 CPUArchState *env = NULL; 1416 #endif 1417 tb_page_addr_t tb_start, tb_end; 1418 PageDesc *p; 1419 int n; 1420 #ifdef TARGET_HAS_PRECISE_SMC 1421 int current_tb_not_found = is_cpu_write_access; 1422 TranslationBlock *current_tb = NULL; 1423 int current_tb_modified = 0; 1424 target_ulong current_pc = 0; 1425 target_ulong current_cs_base = 0; 1426 uint32_t current_flags = 0; 1427 #endif /* TARGET_HAS_PRECISE_SMC */ 1428 1429 assert_memory_lock(); 1430 assert_tb_locked(); 1431 1432 p = page_find(start >> TARGET_PAGE_BITS); 1433 if (!p) { 1434 return; 1435 } 1436 #if defined(TARGET_HAS_PRECISE_SMC) 1437 if (cpu != NULL) { 1438 env = cpu->env_ptr; 1439 } 1440 #endif 1441 1442 /* we remove all the TBs in the range [start, end[ */ 1443 /* XXX: see if in some cases it could be faster to invalidate all 1444 the code */ 1445 tb = p->first_tb; 1446 while (tb != NULL) { 1447 n = (uintptr_t)tb & 3; 1448 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1449 tb_next = tb->page_next[n]; 1450 /* NOTE: this is subtle as a TB may span two physical pages */ 1451 if (n == 0) { 1452 /* NOTE: tb_end may be after the end of the page, but 1453 it is not a problem */ 1454 tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK); 1455 tb_end = tb_start + tb->size; 1456 } else { 1457 tb_start = tb->page_addr[1]; 1458 tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK); 1459 } 1460 if (!(tb_end <= start || tb_start >= end)) { 1461 #ifdef TARGET_HAS_PRECISE_SMC 1462 if (current_tb_not_found) { 1463 current_tb_not_found = 0; 1464 current_tb = NULL; 1465 if (cpu->mem_io_pc) { 1466 /* now we have a real cpu fault */ 1467 current_tb = tb_find_pc(cpu->mem_io_pc); 1468 } 1469 } 1470 if (current_tb == tb && 1471 (current_tb->cflags & CF_COUNT_MASK) != 1) { 1472 /* If we are modifying the current TB, we must stop 1473 its execution. We could be more precise by checking 1474 that the modification is after the current PC, but it 1475 would require a specialized function to partially 1476 restore the CPU state */ 1477 1478 current_tb_modified = 1; 1479 cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc); 1480 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base, 1481 ¤t_flags); 1482 } 1483 #endif /* TARGET_HAS_PRECISE_SMC */ 1484 tb_phys_invalidate(tb, -1); 1485 } 1486 tb = tb_next; 1487 } 1488 #if !defined(CONFIG_USER_ONLY) 1489 /* if no code remaining, no need to continue to use slow writes */ 1490 if (!p->first_tb) { 1491 invalidate_page_bitmap(p); 1492 tlb_unprotect_code(start); 1493 } 1494 #endif 1495 #ifdef TARGET_HAS_PRECISE_SMC 1496 if (current_tb_modified) { 1497 /* we generate a block containing just the instruction 1498 modifying the memory. It will ensure that it cannot modify 1499 itself */ 1500 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1); 1501 cpu_loop_exit_noexc(cpu); 1502 } 1503 #endif 1504 } 1505 1506 #ifdef CONFIG_SOFTMMU 1507 /* len must be <= 8 and start must be a multiple of len. 1508 * Called via softmmu_template.h when code areas are written to with 1509 * iothread mutex not held. 1510 */ 1511 void tb_invalidate_phys_page_fast(tb_page_addr_t start, int len) 1512 { 1513 PageDesc *p; 1514 1515 #if 0 1516 if (1) { 1517 qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n", 1518 cpu_single_env->mem_io_vaddr, len, 1519 cpu_single_env->eip, 1520 cpu_single_env->eip + 1521 (intptr_t)cpu_single_env->segs[R_CS].base); 1522 } 1523 #endif 1524 assert_memory_lock(); 1525 1526 p = page_find(start >> TARGET_PAGE_BITS); 1527 if (!p) { 1528 return; 1529 } 1530 if (!p->code_bitmap && 1531 ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD) { 1532 /* build code bitmap. FIXME: writes should be protected by 1533 * tb_lock, reads by tb_lock or RCU. 1534 */ 1535 build_page_bitmap(p); 1536 } 1537 if (p->code_bitmap) { 1538 unsigned int nr; 1539 unsigned long b; 1540 1541 nr = start & ~TARGET_PAGE_MASK; 1542 b = p->code_bitmap[BIT_WORD(nr)] >> (nr & (BITS_PER_LONG - 1)); 1543 if (b & ((1 << len) - 1)) { 1544 goto do_invalidate; 1545 } 1546 } else { 1547 do_invalidate: 1548 tb_invalidate_phys_page_range(start, start + len, 1); 1549 } 1550 } 1551 #else 1552 /* Called with mmap_lock held. If pc is not 0 then it indicates the 1553 * host PC of the faulting store instruction that caused this invalidate. 1554 * Returns true if the caller needs to abort execution of the current 1555 * TB (because it was modified by this store and the guest CPU has 1556 * precise-SMC semantics). 1557 */ 1558 static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc) 1559 { 1560 TranslationBlock *tb; 1561 PageDesc *p; 1562 int n; 1563 #ifdef TARGET_HAS_PRECISE_SMC 1564 TranslationBlock *current_tb = NULL; 1565 CPUState *cpu = current_cpu; 1566 CPUArchState *env = NULL; 1567 int current_tb_modified = 0; 1568 target_ulong current_pc = 0; 1569 target_ulong current_cs_base = 0; 1570 uint32_t current_flags = 0; 1571 #endif 1572 1573 assert_memory_lock(); 1574 1575 addr &= TARGET_PAGE_MASK; 1576 p = page_find(addr >> TARGET_PAGE_BITS); 1577 if (!p) { 1578 return false; 1579 } 1580 1581 tb_lock(); 1582 tb = p->first_tb; 1583 #ifdef TARGET_HAS_PRECISE_SMC 1584 if (tb && pc != 0) { 1585 current_tb = tb_find_pc(pc); 1586 } 1587 if (cpu != NULL) { 1588 env = cpu->env_ptr; 1589 } 1590 #endif 1591 while (tb != NULL) { 1592 n = (uintptr_t)tb & 3; 1593 tb = (TranslationBlock *)((uintptr_t)tb & ~3); 1594 #ifdef TARGET_HAS_PRECISE_SMC 1595 if (current_tb == tb && 1596 (current_tb->cflags & CF_COUNT_MASK) != 1) { 1597 /* If we are modifying the current TB, we must stop 1598 its execution. We could be more precise by checking 1599 that the modification is after the current PC, but it 1600 would require a specialized function to partially 1601 restore the CPU state */ 1602 1603 current_tb_modified = 1; 1604 cpu_restore_state_from_tb(cpu, current_tb, pc); 1605 cpu_get_tb_cpu_state(env, ¤t_pc, ¤t_cs_base, 1606 ¤t_flags); 1607 } 1608 #endif /* TARGET_HAS_PRECISE_SMC */ 1609 tb_phys_invalidate(tb, addr); 1610 tb = tb->page_next[n]; 1611 } 1612 p->first_tb = NULL; 1613 #ifdef TARGET_HAS_PRECISE_SMC 1614 if (current_tb_modified) { 1615 /* we generate a block containing just the instruction 1616 modifying the memory. It will ensure that it cannot modify 1617 itself */ 1618 tb_gen_code(cpu, current_pc, current_cs_base, current_flags, 1); 1619 /* tb_lock will be reset after cpu_loop_exit_noexc longjmps 1620 * back into the cpu_exec loop. */ 1621 return true; 1622 } 1623 #endif 1624 tb_unlock(); 1625 1626 return false; 1627 } 1628 #endif 1629 1630 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr < 1631 tb[1].tc_ptr. Return NULL if not found */ 1632 static TranslationBlock *tb_find_pc(uintptr_t tc_ptr) 1633 { 1634 int m_min, m_max, m; 1635 uintptr_t v; 1636 TranslationBlock *tb; 1637 1638 if (tcg_ctx.tb_ctx.nb_tbs <= 0) { 1639 return NULL; 1640 } 1641 if (tc_ptr < (uintptr_t)tcg_ctx.code_gen_buffer || 1642 tc_ptr >= (uintptr_t)tcg_ctx.code_gen_ptr) { 1643 return NULL; 1644 } 1645 /* binary search (cf Knuth) */ 1646 m_min = 0; 1647 m_max = tcg_ctx.tb_ctx.nb_tbs - 1; 1648 while (m_min <= m_max) { 1649 m = (m_min + m_max) >> 1; 1650 tb = tcg_ctx.tb_ctx.tbs[m]; 1651 v = (uintptr_t)tb->tc_ptr; 1652 if (v == tc_ptr) { 1653 return tb; 1654 } else if (tc_ptr < v) { 1655 m_max = m - 1; 1656 } else { 1657 m_min = m + 1; 1658 } 1659 } 1660 return tcg_ctx.tb_ctx.tbs[m_max]; 1661 } 1662 1663 #if !defined(CONFIG_USER_ONLY) 1664 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr) 1665 { 1666 ram_addr_t ram_addr; 1667 MemoryRegion *mr; 1668 hwaddr l = 1; 1669 1670 rcu_read_lock(); 1671 mr = address_space_translate(as, addr, &addr, &l, false); 1672 if (!(memory_region_is_ram(mr) 1673 || memory_region_is_romd(mr))) { 1674 rcu_read_unlock(); 1675 return; 1676 } 1677 ram_addr = memory_region_get_ram_addr(mr) + addr; 1678 tb_lock(); 1679 tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0); 1680 tb_unlock(); 1681 rcu_read_unlock(); 1682 } 1683 #endif /* !defined(CONFIG_USER_ONLY) */ 1684 1685 /* Called with tb_lock held. */ 1686 void tb_check_watchpoint(CPUState *cpu) 1687 { 1688 TranslationBlock *tb; 1689 1690 tb = tb_find_pc(cpu->mem_io_pc); 1691 if (tb) { 1692 /* We can use retranslation to find the PC. */ 1693 cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc); 1694 tb_phys_invalidate(tb, -1); 1695 } else { 1696 /* The exception probably happened in a helper. The CPU state should 1697 have been saved before calling it. Fetch the PC from there. */ 1698 CPUArchState *env = cpu->env_ptr; 1699 target_ulong pc, cs_base; 1700 tb_page_addr_t addr; 1701 uint32_t flags; 1702 1703 cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags); 1704 addr = get_page_addr_code(env, pc); 1705 tb_invalidate_phys_range(addr, addr + 1); 1706 } 1707 } 1708 1709 #ifndef CONFIG_USER_ONLY 1710 /* in deterministic execution mode, instructions doing device I/Os 1711 * must be at the end of the TB. 1712 * 1713 * Called by softmmu_template.h, with iothread mutex not held. 1714 */ 1715 void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr) 1716 { 1717 #if defined(TARGET_MIPS) || defined(TARGET_SH4) 1718 CPUArchState *env = cpu->env_ptr; 1719 #endif 1720 TranslationBlock *tb; 1721 uint32_t n, cflags; 1722 target_ulong pc, cs_base; 1723 uint32_t flags; 1724 1725 tb_lock(); 1726 tb = tb_find_pc(retaddr); 1727 if (!tb) { 1728 cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p", 1729 (void *)retaddr); 1730 } 1731 n = cpu->icount_decr.u16.low + tb->icount; 1732 cpu_restore_state_from_tb(cpu, tb, retaddr); 1733 /* Calculate how many instructions had been executed before the fault 1734 occurred. */ 1735 n = n - cpu->icount_decr.u16.low; 1736 /* Generate a new TB ending on the I/O insn. */ 1737 n++; 1738 /* On MIPS and SH, delay slot instructions can only be restarted if 1739 they were already the first instruction in the TB. If this is not 1740 the first instruction in a TB then re-execute the preceding 1741 branch. */ 1742 #if defined(TARGET_MIPS) 1743 if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) { 1744 env->active_tc.PC -= (env->hflags & MIPS_HFLAG_B16 ? 2 : 4); 1745 cpu->icount_decr.u16.low++; 1746 env->hflags &= ~MIPS_HFLAG_BMASK; 1747 } 1748 #elif defined(TARGET_SH4) 1749 if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0 1750 && n > 1) { 1751 env->pc -= 2; 1752 cpu->icount_decr.u16.low++; 1753 env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL); 1754 } 1755 #endif 1756 /* This should never happen. */ 1757 if (n > CF_COUNT_MASK) { 1758 cpu_abort(cpu, "TB too big during recompile"); 1759 } 1760 1761 cflags = n | CF_LAST_IO; 1762 pc = tb->pc; 1763 cs_base = tb->cs_base; 1764 flags = tb->flags; 1765 tb_phys_invalidate(tb, -1); 1766 if (tb->cflags & CF_NOCACHE) { 1767 if (tb->orig_tb) { 1768 /* Invalidate original TB if this TB was generated in 1769 * cpu_exec_nocache() */ 1770 tb_phys_invalidate(tb->orig_tb, -1); 1771 } 1772 tb_free(tb); 1773 } 1774 /* FIXME: In theory this could raise an exception. In practice 1775 we have already translated the block once so it's probably ok. */ 1776 tb_gen_code(cpu, pc, cs_base, flags, cflags); 1777 1778 /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not 1779 * the first in the TB) then we end up generating a whole new TB and 1780 * repeating the fault, which is horribly inefficient. 1781 * Better would be to execute just this insn uncached, or generate a 1782 * second new TB. 1783 * 1784 * cpu_loop_exit_noexc will longjmp back to cpu_exec where the 1785 * tb_lock gets reset. 1786 */ 1787 cpu_loop_exit_noexc(cpu); 1788 } 1789 1790 static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr) 1791 { 1792 unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr); 1793 1794 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) { 1795 atomic_set(&cpu->tb_jmp_cache[i0 + i], NULL); 1796 } 1797 } 1798 1799 void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr) 1800 { 1801 /* Discard jump cache entries for any tb which might potentially 1802 overlap the flushed page. */ 1803 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE); 1804 tb_jmp_cache_clear_page(cpu, addr); 1805 } 1806 1807 static void print_qht_statistics(FILE *f, fprintf_function cpu_fprintf, 1808 struct qht_stats hst) 1809 { 1810 uint32_t hgram_opts; 1811 size_t hgram_bins; 1812 char *hgram; 1813 1814 if (!hst.head_buckets) { 1815 return; 1816 } 1817 cpu_fprintf(f, "TB hash buckets %zu/%zu (%0.2f%% head buckets used)\n", 1818 hst.used_head_buckets, hst.head_buckets, 1819 (double)hst.used_head_buckets / hst.head_buckets * 100); 1820 1821 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 1822 hgram_opts |= QDIST_PR_100X | QDIST_PR_PERCENT; 1823 if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) { 1824 hgram_opts |= QDIST_PR_NODECIMAL; 1825 } 1826 hgram = qdist_pr(&hst.occupancy, 10, hgram_opts); 1827 cpu_fprintf(f, "TB hash occupancy %0.2f%% avg chain occ. Histogram: %s\n", 1828 qdist_avg(&hst.occupancy) * 100, hgram); 1829 g_free(hgram); 1830 1831 hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS; 1832 hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain); 1833 if (hgram_bins > 10) { 1834 hgram_bins = 10; 1835 } else { 1836 hgram_bins = 0; 1837 hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE; 1838 } 1839 hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts); 1840 cpu_fprintf(f, "TB hash avg chain %0.3f buckets. Histogram: %s\n", 1841 qdist_avg(&hst.chain), hgram); 1842 g_free(hgram); 1843 } 1844 1845 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf) 1846 { 1847 int i, target_code_size, max_target_code_size; 1848 int direct_jmp_count, direct_jmp2_count, cross_page; 1849 TranslationBlock *tb; 1850 struct qht_stats hst; 1851 1852 tb_lock(); 1853 1854 target_code_size = 0; 1855 max_target_code_size = 0; 1856 cross_page = 0; 1857 direct_jmp_count = 0; 1858 direct_jmp2_count = 0; 1859 for (i = 0; i < tcg_ctx.tb_ctx.nb_tbs; i++) { 1860 tb = tcg_ctx.tb_ctx.tbs[i]; 1861 target_code_size += tb->size; 1862 if (tb->size > max_target_code_size) { 1863 max_target_code_size = tb->size; 1864 } 1865 if (tb->page_addr[1] != -1) { 1866 cross_page++; 1867 } 1868 if (tb->jmp_reset_offset[0] != TB_JMP_RESET_OFFSET_INVALID) { 1869 direct_jmp_count++; 1870 if (tb->jmp_reset_offset[1] != TB_JMP_RESET_OFFSET_INVALID) { 1871 direct_jmp2_count++; 1872 } 1873 } 1874 } 1875 /* XXX: avoid using doubles ? */ 1876 cpu_fprintf(f, "Translation buffer state:\n"); 1877 cpu_fprintf(f, "gen code size %td/%zd\n", 1878 tcg_ctx.code_gen_ptr - tcg_ctx.code_gen_buffer, 1879 tcg_ctx.code_gen_highwater - tcg_ctx.code_gen_buffer); 1880 cpu_fprintf(f, "TB count %d\n", tcg_ctx.tb_ctx.nb_tbs); 1881 cpu_fprintf(f, "TB avg target size %d max=%d bytes\n", 1882 tcg_ctx.tb_ctx.nb_tbs ? target_code_size / 1883 tcg_ctx.tb_ctx.nb_tbs : 0, 1884 max_target_code_size); 1885 cpu_fprintf(f, "TB avg host size %td bytes (expansion ratio: %0.1f)\n", 1886 tcg_ctx.tb_ctx.nb_tbs ? (tcg_ctx.code_gen_ptr - 1887 tcg_ctx.code_gen_buffer) / 1888 tcg_ctx.tb_ctx.nb_tbs : 0, 1889 target_code_size ? (double) (tcg_ctx.code_gen_ptr - 1890 tcg_ctx.code_gen_buffer) / 1891 target_code_size : 0); 1892 cpu_fprintf(f, "cross page TB count %d (%d%%)\n", cross_page, 1893 tcg_ctx.tb_ctx.nb_tbs ? (cross_page * 100) / 1894 tcg_ctx.tb_ctx.nb_tbs : 0); 1895 cpu_fprintf(f, "direct jump count %d (%d%%) (2 jumps=%d %d%%)\n", 1896 direct_jmp_count, 1897 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp_count * 100) / 1898 tcg_ctx.tb_ctx.nb_tbs : 0, 1899 direct_jmp2_count, 1900 tcg_ctx.tb_ctx.nb_tbs ? (direct_jmp2_count * 100) / 1901 tcg_ctx.tb_ctx.nb_tbs : 0); 1902 1903 qht_statistics_init(&tcg_ctx.tb_ctx.htable, &hst); 1904 print_qht_statistics(f, cpu_fprintf, hst); 1905 qht_statistics_destroy(&hst); 1906 1907 cpu_fprintf(f, "\nStatistics:\n"); 1908 cpu_fprintf(f, "TB flush count %u\n", 1909 atomic_read(&tcg_ctx.tb_ctx.tb_flush_count)); 1910 cpu_fprintf(f, "TB invalidate count %d\n", 1911 tcg_ctx.tb_ctx.tb_phys_invalidate_count); 1912 cpu_fprintf(f, "TLB flush count %d\n", tlb_flush_count); 1913 tcg_dump_info(f, cpu_fprintf); 1914 1915 tb_unlock(); 1916 } 1917 1918 void dump_opcount_info(FILE *f, fprintf_function cpu_fprintf) 1919 { 1920 tcg_dump_op_count(f, cpu_fprintf); 1921 } 1922 1923 #else /* CONFIG_USER_ONLY */ 1924 1925 void cpu_interrupt(CPUState *cpu, int mask) 1926 { 1927 g_assert(qemu_mutex_iothread_locked()); 1928 cpu->interrupt_request |= mask; 1929 cpu->icount_decr.u16.high = -1; 1930 } 1931 1932 /* 1933 * Walks guest process memory "regions" one by one 1934 * and calls callback function 'fn' for each region. 1935 */ 1936 struct walk_memory_regions_data { 1937 walk_memory_regions_fn fn; 1938 void *priv; 1939 target_ulong start; 1940 int prot; 1941 }; 1942 1943 static int walk_memory_regions_end(struct walk_memory_regions_data *data, 1944 target_ulong end, int new_prot) 1945 { 1946 if (data->start != -1u) { 1947 int rc = data->fn(data->priv, data->start, end, data->prot); 1948 if (rc != 0) { 1949 return rc; 1950 } 1951 } 1952 1953 data->start = (new_prot ? end : -1u); 1954 data->prot = new_prot; 1955 1956 return 0; 1957 } 1958 1959 static int walk_memory_regions_1(struct walk_memory_regions_data *data, 1960 target_ulong base, int level, void **lp) 1961 { 1962 target_ulong pa; 1963 int i, rc; 1964 1965 if (*lp == NULL) { 1966 return walk_memory_regions_end(data, base, 0); 1967 } 1968 1969 if (level == 0) { 1970 PageDesc *pd = *lp; 1971 1972 for (i = 0; i < V_L2_SIZE; ++i) { 1973 int prot = pd[i].flags; 1974 1975 pa = base | (i << TARGET_PAGE_BITS); 1976 if (prot != data->prot) { 1977 rc = walk_memory_regions_end(data, pa, prot); 1978 if (rc != 0) { 1979 return rc; 1980 } 1981 } 1982 } 1983 } else { 1984 void **pp = *lp; 1985 1986 for (i = 0; i < V_L2_SIZE; ++i) { 1987 pa = base | ((target_ulong)i << 1988 (TARGET_PAGE_BITS + V_L2_BITS * level)); 1989 rc = walk_memory_regions_1(data, pa, level - 1, pp + i); 1990 if (rc != 0) { 1991 return rc; 1992 } 1993 } 1994 } 1995 1996 return 0; 1997 } 1998 1999 int walk_memory_regions(void *priv, walk_memory_regions_fn fn) 2000 { 2001 struct walk_memory_regions_data data; 2002 uintptr_t i, l1_sz = v_l1_size; 2003 2004 data.fn = fn; 2005 data.priv = priv; 2006 data.start = -1u; 2007 data.prot = 0; 2008 2009 for (i = 0; i < l1_sz; i++) { 2010 target_ulong base = i << (v_l1_shift + TARGET_PAGE_BITS); 2011 int rc = walk_memory_regions_1(&data, base, v_l2_levels, l1_map + i); 2012 if (rc != 0) { 2013 return rc; 2014 } 2015 } 2016 2017 return walk_memory_regions_end(&data, 0, 0); 2018 } 2019 2020 static int dump_region(void *priv, target_ulong start, 2021 target_ulong end, unsigned long prot) 2022 { 2023 FILE *f = (FILE *)priv; 2024 2025 (void) fprintf(f, TARGET_FMT_lx"-"TARGET_FMT_lx 2026 " "TARGET_FMT_lx" %c%c%c\n", 2027 start, end, end - start, 2028 ((prot & PAGE_READ) ? 'r' : '-'), 2029 ((prot & PAGE_WRITE) ? 'w' : '-'), 2030 ((prot & PAGE_EXEC) ? 'x' : '-')); 2031 2032 return 0; 2033 } 2034 2035 /* dump memory mappings */ 2036 void page_dump(FILE *f) 2037 { 2038 const int length = sizeof(target_ulong) * 2; 2039 (void) fprintf(f, "%-*s %-*s %-*s %s\n", 2040 length, "start", length, "end", length, "size", "prot"); 2041 walk_memory_regions(f, dump_region); 2042 } 2043 2044 int page_get_flags(target_ulong address) 2045 { 2046 PageDesc *p; 2047 2048 p = page_find(address >> TARGET_PAGE_BITS); 2049 if (!p) { 2050 return 0; 2051 } 2052 return p->flags; 2053 } 2054 2055 /* Modify the flags of a page and invalidate the code if necessary. 2056 The flag PAGE_WRITE_ORG is positioned automatically depending 2057 on PAGE_WRITE. The mmap_lock should already be held. */ 2058 void page_set_flags(target_ulong start, target_ulong end, int flags) 2059 { 2060 target_ulong addr, len; 2061 2062 /* This function should never be called with addresses outside the 2063 guest address space. If this assert fires, it probably indicates 2064 a missing call to h2g_valid. */ 2065 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS 2066 assert(end < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)); 2067 #endif 2068 assert(start < end); 2069 assert_memory_lock(); 2070 2071 start = start & TARGET_PAGE_MASK; 2072 end = TARGET_PAGE_ALIGN(end); 2073 2074 if (flags & PAGE_WRITE) { 2075 flags |= PAGE_WRITE_ORG; 2076 } 2077 2078 for (addr = start, len = end - start; 2079 len != 0; 2080 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) { 2081 PageDesc *p = page_find_alloc(addr >> TARGET_PAGE_BITS, 1); 2082 2083 /* If the write protection bit is set, then we invalidate 2084 the code inside. */ 2085 if (!(p->flags & PAGE_WRITE) && 2086 (flags & PAGE_WRITE) && 2087 p->first_tb) { 2088 tb_invalidate_phys_page(addr, 0); 2089 } 2090 p->flags = flags; 2091 } 2092 } 2093 2094 int page_check_range(target_ulong start, target_ulong len, int flags) 2095 { 2096 PageDesc *p; 2097 target_ulong end; 2098 target_ulong addr; 2099 2100 /* This function should never be called with addresses outside the 2101 guest address space. If this assert fires, it probably indicates 2102 a missing call to h2g_valid. */ 2103 #if TARGET_ABI_BITS > L1_MAP_ADDR_SPACE_BITS 2104 assert(start < ((target_ulong)1 << L1_MAP_ADDR_SPACE_BITS)); 2105 #endif 2106 2107 if (len == 0) { 2108 return 0; 2109 } 2110 if (start + len - 1 < start) { 2111 /* We've wrapped around. */ 2112 return -1; 2113 } 2114 2115 /* must do before we loose bits in the next step */ 2116 end = TARGET_PAGE_ALIGN(start + len); 2117 start = start & TARGET_PAGE_MASK; 2118 2119 for (addr = start, len = end - start; 2120 len != 0; 2121 len -= TARGET_PAGE_SIZE, addr += TARGET_PAGE_SIZE) { 2122 p = page_find(addr >> TARGET_PAGE_BITS); 2123 if (!p) { 2124 return -1; 2125 } 2126 if (!(p->flags & PAGE_VALID)) { 2127 return -1; 2128 } 2129 2130 if ((flags & PAGE_READ) && !(p->flags & PAGE_READ)) { 2131 return -1; 2132 } 2133 if (flags & PAGE_WRITE) { 2134 if (!(p->flags & PAGE_WRITE_ORG)) { 2135 return -1; 2136 } 2137 /* unprotect the page if it was put read-only because it 2138 contains translated code */ 2139 if (!(p->flags & PAGE_WRITE)) { 2140 if (!page_unprotect(addr, 0)) { 2141 return -1; 2142 } 2143 } 2144 } 2145 } 2146 return 0; 2147 } 2148 2149 /* called from signal handler: invalidate the code and unprotect the 2150 * page. Return 0 if the fault was not handled, 1 if it was handled, 2151 * and 2 if it was handled but the caller must cause the TB to be 2152 * immediately exited. (We can only return 2 if the 'pc' argument is 2153 * non-zero.) 2154 */ 2155 int page_unprotect(target_ulong address, uintptr_t pc) 2156 { 2157 unsigned int prot; 2158 bool current_tb_invalidated; 2159 PageDesc *p; 2160 target_ulong host_start, host_end, addr; 2161 2162 /* Technically this isn't safe inside a signal handler. However we 2163 know this only ever happens in a synchronous SEGV handler, so in 2164 practice it seems to be ok. */ 2165 mmap_lock(); 2166 2167 p = page_find(address >> TARGET_PAGE_BITS); 2168 if (!p) { 2169 mmap_unlock(); 2170 return 0; 2171 } 2172 2173 /* if the page was really writable, then we change its 2174 protection back to writable */ 2175 if ((p->flags & PAGE_WRITE_ORG) && !(p->flags & PAGE_WRITE)) { 2176 host_start = address & qemu_host_page_mask; 2177 host_end = host_start + qemu_host_page_size; 2178 2179 prot = 0; 2180 current_tb_invalidated = false; 2181 for (addr = host_start ; addr < host_end ; addr += TARGET_PAGE_SIZE) { 2182 p = page_find(addr >> TARGET_PAGE_BITS); 2183 p->flags |= PAGE_WRITE; 2184 prot |= p->flags; 2185 2186 /* and since the content will be modified, we must invalidate 2187 the corresponding translated code. */ 2188 current_tb_invalidated |= tb_invalidate_phys_page(addr, pc); 2189 #ifdef DEBUG_TB_CHECK 2190 tb_invalidate_check(addr); 2191 #endif 2192 } 2193 mprotect((void *)g2h(host_start), qemu_host_page_size, 2194 prot & PAGE_BITS); 2195 2196 mmap_unlock(); 2197 /* If current TB was invalidated return to main loop */ 2198 return current_tb_invalidated ? 2 : 1; 2199 } 2200 mmap_unlock(); 2201 return 0; 2202 } 2203 #endif /* CONFIG_USER_ONLY */ 2204 2205 /* This is a wrapper for common code that can not use CONFIG_SOFTMMU */ 2206 void tcg_flush_softmmu_tlb(CPUState *cs) 2207 { 2208 #ifdef CONFIG_SOFTMMU 2209 tlb_flush(cs); 2210 #endif 2211 } 2212