1.. 2 Copyright (c) 2015-2020 Linaro Ltd. 3 4 This work is licensed under the terms of the GNU GPL, version 2 or 5 later. See the COPYING file in the top-level directory. 6 7Introduction 8============ 9 10This document outlines the design for multi-threaded TCG (a.k.a MTTCG) 11system-mode emulation. user-mode emulation has always mirrored the 12thread structure of the translated executable although some of the 13changes done for MTTCG system emulation have improved the stability of 14linux-user emulation. 15 16The original system-mode TCG implementation was single threaded and 17dealt with multiple CPUs with simple round-robin scheduling. This 18simplified a lot of things but became increasingly limited as systems 19being emulated gained additional cores and per-core performance gains 20for host systems started to level off. 21 22vCPU Scheduling 23=============== 24 25We introduce a new running mode where each vCPU will run on its own 26user-space thread. This is enabled by default for all FE/BE 27combinations where the host memory model is able to accommodate the 28guest (TCG_GUEST_DEFAULT_MO & ~TCG_TARGET_DEFAULT_MO is zero) and the 29guest has had the required work done to support this safely 30(TARGET_SUPPORTS_MTTCG). 31 32System emulation will fall back to the original round robin approach 33if: 34 35* forced by --accel tcg,thread=single 36* enabling --icount mode 37* 64 bit guests on 32 bit hosts (TCG_OVERSIZED_GUEST) 38 39In the general case of running translated code there should be no 40inter-vCPU dependencies and all vCPUs should be able to run at full 41speed. Synchronisation will only be required while accessing internal 42shared data structures or when the emulated architecture requires a 43coherent representation of the emulated machine state. 44 45Shared Data Structures 46====================== 47 48Main Run Loop 49------------- 50 51Even when there is no code being generated there are a number of 52structures associated with the hot-path through the main run-loop. 53These are associated with looking up the next translation block to 54execute. These include: 55 56 tb_jmp_cache (per-vCPU, cache of recent jumps) 57 tb_ctx.htable (global hash table, phys address->tb lookup) 58 59As TB linking only occurs when blocks are in the same page this code 60is critical to performance as looking up the next TB to execute is the 61most common reason to exit the generated code. 62 63DESIGN REQUIREMENT: Make access to lookup structures safe with 64multiple reader/writer threads. Minimise any lock contention to do it. 65 66The hot-path avoids using locks where possible. The tb_jmp_cache is 67updated with atomic accesses to ensure consistent results. The fall 68back QHT based hash table is also designed for lockless lookups. Locks 69are only taken when code generation is required or TranslationBlocks 70have their block-to-block jumps patched. 71 72Global TCG State 73---------------- 74 75User-mode emulation 76~~~~~~~~~~~~~~~~~~~ 77 78We need to protect the entire code generation cycle including any post 79generation patching of the translated code. This also implies a shared 80translation buffer which contains code running on all cores. Any 81execution path that comes to the main run loop will need to hold a 82mutex for code generation. This also includes times when we need flush 83code or entries from any shared lookups/caches. Structures held on a 84per-vCPU basis won't need locking unless other vCPUs will need to 85modify them. 86 87DESIGN REQUIREMENT: Add locking around all code generation and TB 88patching. 89 90(Current solution) 91 92Code generation is serialised with mmap_lock(). 93 94!User-mode emulation 95~~~~~~~~~~~~~~~~~~~~ 96 97Each vCPU has its own TCG context and associated TCG region, thereby 98requiring no locking during translation. 99 100Translation Blocks 101------------------ 102 103Currently the whole system shares a single code generation buffer 104which when full will force a flush of all translations and start from 105scratch again. Some operations also force a full flush of translations 106including: 107 108 - debugging operations (breakpoint insertion/removal) 109 - some CPU helper functions 110 - linux-user spawning it's first thread 111 112This is done with the async_safe_run_on_cpu() mechanism to ensure all 113vCPUs are quiescent when changes are being made to shared global 114structures. 115 116More granular translation invalidation events are typically due 117to a change of the state of a physical page: 118 119 - code modification (self modify code, patching code) 120 - page changes (new page mapping in linux-user mode) 121 122While setting the invalid flag in a TranslationBlock will stop it 123being used when looked up in the hot-path there are a number of other 124book-keeping structures that need to be safely cleared. 125 126Any TranslationBlocks which have been patched to jump directly to the 127now invalid blocks need the jump patches reversing so they will return 128to the C code. 129 130There are a number of look-up caches that need to be properly updated 131including the: 132 133 - jump lookup cache 134 - the physical-to-tb lookup hash table 135 - the global page table 136 137The global page table (l1_map) which provides a multi-level look-up 138for PageDesc structures which contain pointers to the start of a 139linked list of all Translation Blocks in that page (see page_next). 140 141Both the jump patching and the page cache involve linked lists that 142the invalidated TranslationBlock needs to be removed from. 143 144DESIGN REQUIREMENT: Safely handle invalidation of TBs 145 - safely patch/revert direct jumps 146 - remove central PageDesc lookup entries 147 - ensure lookup caches/hashes are safely updated 148 149(Current solution) 150 151The direct jump themselves are updated atomically by the TCG 152tb_set_jmp_target() code. Modification to the linked lists that allow 153searching for linked pages are done under the protection of tb->jmp_lock, 154where tb is the destination block of a jump. Each origin block keeps a 155pointer to its destinations so that the appropriate lock can be acquired before 156iterating over a jump list. 157 158The global page table is a lockless radix tree; cmpxchg is used 159to atomically insert new elements. 160 161The lookup caches are updated atomically and the lookup hash uses QHT 162which is designed for concurrent safe lookup. 163 164Parallel code generation is supported. QHT is used at insertion time 165as the synchronization point across threads, thereby ensuring that we only 166keep track of a single TranslationBlock for each guest code block. 167 168Memory maps and TLBs 169-------------------- 170 171The memory handling code is fairly critical to the speed of memory 172access in the emulated system. The SoftMMU code is designed so the 173hot-path can be handled entirely within translated code. This is 174handled with a per-vCPU TLB structure which once populated will allow 175a series of accesses to the page to occur without exiting the 176translated code. It is possible to set flags in the TLB address which 177will ensure the slow-path is taken for each access. This can be done 178to support: 179 180 - Memory regions (dividing up access to PIO, MMIO and RAM) 181 - Dirty page tracking (for code gen, SMC detection, migration and display) 182 - Virtual TLB (for translating guest address->real address) 183 184When the TLB tables are updated by a vCPU thread other than their own 185we need to ensure it is done in a safe way so no inconsistent state is 186seen by the vCPU thread. 187 188Some operations require updating a number of vCPUs TLBs at the same 189time in a synchronised manner. 190 191DESIGN REQUIREMENTS: 192 193 - TLB Flush All/Page 194 - can be across-vCPUs 195 - cross vCPU TLB flush may need other vCPU brought to halt 196 - change may need to be visible to the calling vCPU immediately 197 - TLB Flag Update 198 - usually cross-vCPU 199 - want change to be visible as soon as possible 200 - TLB Update (update a CPUTLBEntry, via tlb_set_page_with_attrs) 201 - This is a per-vCPU table - by definition can't race 202 - updated by its own thread when the slow-path is forced 203 204(Current solution) 205 206We have updated cputlb.c to defer operations when a cross-vCPU 207operation with async_run_on_cpu() which ensures each vCPU sees a 208coherent state when it next runs its work (in a few instructions 209time). 210 211A new set up operations (tlb_flush_*_all_cpus) take an additional flag 212which when set will force synchronisation by setting the source vCPUs 213work as "safe work" and exiting the cpu run loop. This ensure by the 214time execution restarts all flush operations have completed. 215 216TLB flag updates are all done atomically and are also protected by the 217corresponding page lock. 218 219(Known limitation) 220 221Not really a limitation but the wait mechanism is overly strict for 222some architectures which only need flushes completed by a barrier 223instruction. This could be a future optimisation. 224 225Emulated hardware state 226----------------------- 227 228Currently thanks to KVM work any access to IO memory is automatically 229protected by the global iothread mutex, also known as the BQL (Big 230Qemu Lock). Any IO region that doesn't use global mutex is expected to 231do its own locking. 232 233However IO memory isn't the only way emulated hardware state can be 234modified. Some architectures have model specific registers that 235trigger hardware emulation features. Generally any translation helper 236that needs to update more than a single vCPUs of state should take the 237BQL. 238 239As the BQL, or global iothread mutex is shared across the system we 240push the use of the lock as far down into the TCG code as possible to 241minimise contention. 242 243(Current solution) 244 245MMIO access automatically serialises hardware emulation by way of the 246BQL. Currently Arm targets serialise all ARM_CP_IO register accesses 247and also defer the reset/startup of vCPUs to the vCPU context by way 248of async_run_on_cpu(). 249 250Updates to interrupt state are also protected by the BQL as they can 251often be cross vCPU. 252 253Memory Consistency 254================== 255 256Between emulated guests and host systems there are a range of memory 257consistency models. Even emulating weakly ordered systems on strongly 258ordered hosts needs to ensure things like store-after-load re-ordering 259can be prevented when the guest wants to. 260 261Memory Barriers 262--------------- 263 264Barriers (sometimes known as fences) provide a mechanism for software 265to enforce a particular ordering of memory operations from the point 266of view of external observers (e.g. another processor core). They can 267apply to any memory operations as well as just loads or stores. 268 269The Linux kernel has an excellent `write-up 270<https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/plain/Documentation/memory-barriers.txt>` 271on the various forms of memory barrier and the guarantees they can 272provide. 273 274Barriers are often wrapped around synchronisation primitives to 275provide explicit memory ordering semantics. However they can be used 276by themselves to provide safe lockless access by ensuring for example 277a change to a signal flag will only be visible once the changes to 278payload are. 279 280DESIGN REQUIREMENT: Add a new tcg_memory_barrier op 281 282This would enforce a strong load/store ordering so all loads/stores 283complete at the memory barrier. On single-core non-SMP strongly 284ordered backends this could become a NOP. 285 286Aside from explicit standalone memory barrier instructions there are 287also implicit memory ordering semantics which comes with each guest 288memory access instruction. For example all x86 load/stores come with 289fairly strong guarantees of sequential consistency whereas Arm has 290special variants of load/store instructions that imply acquire/release 291semantics. 292 293In the case of a strongly ordered guest architecture being emulated on 294a weakly ordered host the scope for a heavy performance impact is 295quite high. 296 297DESIGN REQUIREMENTS: Be efficient with use of memory barriers 298 - host systems with stronger implied guarantees can skip some barriers 299 - merge consecutive barriers to the strongest one 300 301(Current solution) 302 303The system currently has a tcg_gen_mb() which will add memory barrier 304operations if code generation is being done in a parallel context. The 305tcg_optimize() function attempts to merge barriers up to their 306strongest form before any load/store operations. The solution was 307originally developed and tested for linux-user based systems. All 308backends have been converted to emit fences when required. So far the 309following front-ends have been updated to emit fences when required: 310 311 - target-i386 312 - target-arm 313 - target-aarch64 314 - target-alpha 315 - target-mips 316 317Memory Control and Maintenance 318------------------------------ 319 320This includes a class of instructions for controlling system cache 321behaviour. While QEMU doesn't model cache behaviour these instructions 322are often seen when code modification has taken place to ensure the 323changes take effect. 324 325Synchronisation Primitives 326-------------------------- 327 328There are two broad types of synchronisation primitives found in 329modern ISAs: atomic instructions and exclusive regions. 330 331The first type offer a simple atomic instruction which will guarantee 332some sort of test and conditional store will be truly atomic w.r.t. 333other cores sharing access to the memory. The classic example is the 334x86 cmpxchg instruction. 335 336The second type offer a pair of load/store instructions which offer a 337guarantee that a region of memory has not been touched between the 338load and store instructions. An example of this is Arm's ldrex/strex 339pair where the strex instruction will return a flag indicating a 340successful store only if no other CPU has accessed the memory region 341since the ldrex. 342 343Traditionally TCG has generated a series of operations that work 344because they are within the context of a single translation block so 345will have completed before another CPU is scheduled. However with 346the ability to have multiple threads running to emulate multiple CPUs 347we will need to explicitly expose these semantics. 348 349DESIGN REQUIREMENTS: 350 - Support classic atomic instructions 351 - Support load/store exclusive (or load link/store conditional) pairs 352 - Generic enough infrastructure to support all guest architectures 353CURRENT OPEN QUESTIONS: 354 - How problematic is the ABA problem in general? 355 356(Current solution) 357 358The TCG provides a number of atomic helpers (tcg_gen_atomic_*) which 359can be used directly or combined to emulate other instructions like 360Arm's ldrex/strex instructions. While they are susceptible to the ABA 361problem so far common guests have not implemented patterns where 362this may be a problem - typically presenting a locking ABI which 363assumes cmpxchg like semantics. 364 365The code also includes a fall-back for cases where multi-threaded TCG 366ops can't work (e.g. guest atomic width > host atomic width). In this 367case an EXCP_ATOMIC exit occurs and the instruction is emulated with 368an exclusive lock which ensures all emulation is serialised. 369 370While the atomic helpers look good enough for now there may be a need 371to look at solutions that can more closely model the guest 372architectures semantics. 373