]> git.proxmox.com Git - mirror_qemu.git/blob - accel/tcg/cputlb.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cputlb: Split large page tracking per mmu_idx
[mirror_qemu.git] / accel / tcg / cputlb.c
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/address-spaces.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/cputlb.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35 #include "qemu/atomic128.h"
36
37 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
38 /* #define DEBUG_TLB */
39 /* #define DEBUG_TLB_LOG */
40
41 #ifdef DEBUG_TLB
42 # define DEBUG_TLB_GATE 1
43 # ifdef DEBUG_TLB_LOG
44 # define DEBUG_TLB_LOG_GATE 1
45 # else
46 # define DEBUG_TLB_LOG_GATE 0
47 # endif
48 #else
49 # define DEBUG_TLB_GATE 0
50 # define DEBUG_TLB_LOG_GATE 0
51 #endif
52
53 #define tlb_debug(fmt, ...) do { \
54 if (DEBUG_TLB_LOG_GATE) { \
55 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
56 ## __VA_ARGS__); \
57 } else if (DEBUG_TLB_GATE) { \
58 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
59 } \
60 } while (0)
61
62 #define assert_cpu_is_self(cpu) do { \
63 if (DEBUG_TLB_GATE) { \
64 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
65 } \
66 } while (0)
67
68 /* run_on_cpu_data.target_ptr should always be big enough for a
69 * target_ulong even on 32 bit builds */
70 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
71
72 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
73 */
74 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
75 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
76
77 void tlb_init(CPUState *cpu)
78 {
79 CPUArchState *env = cpu->env_ptr;
80
81 qemu_spin_init(&env->tlb_c.lock);
82 }
83
84 /* flush_all_helper: run fn across all cpus
85 *
86 * If the wait flag is set then the src cpu's helper will be queued as
87 * "safe" work and the loop exited creating a synchronisation point
88 * where all queued work will be finished before execution starts
89 * again.
90 */
91 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
92 run_on_cpu_data d)
93 {
94 CPUState *cpu;
95
96 CPU_FOREACH(cpu) {
97 if (cpu != src) {
98 async_run_on_cpu(cpu, fn, d);
99 }
100 }
101 }
102
103 size_t tlb_flush_count(void)
104 {
105 CPUState *cpu;
106 size_t count = 0;
107
108 CPU_FOREACH(cpu) {
109 CPUArchState *env = cpu->env_ptr;
110
111 count += atomic_read(&env->tlb_flush_count);
112 }
113 return count;
114 }
115
116 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
117 {
118 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
119 memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
120 env->tlb_d[mmu_idx].large_page_addr = -1;
121 env->tlb_d[mmu_idx].large_page_mask = -1;
122 }
123
124 /* This is OK because CPU architectures generally permit an
125 * implementation to drop entries from the TLB at any time, so
126 * flushing more entries than required is only an efficiency issue,
127 * not a correctness issue.
128 */
129 static void tlb_flush_nocheck(CPUState *cpu)
130 {
131 CPUArchState *env = cpu->env_ptr;
132 int mmu_idx;
133
134 assert_cpu_is_self(cpu);
135 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1);
136 tlb_debug("(count: %zu)\n", tlb_flush_count());
137
138 /*
139 * tlb_table/tlb_v_table updates from any thread must hold tlb_c.lock.
140 * However, updates from the owner thread (as is the case here; see the
141 * above assert_cpu_is_self) do not need atomic_set because all reads
142 * that do not hold the lock are performed by the same owner thread.
143 */
144 qemu_spin_lock(&env->tlb_c.lock);
145 env->tlb_c.pending_flush = 0;
146 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
147 tlb_flush_one_mmuidx_locked(env, mmu_idx);
148 }
149 qemu_spin_unlock(&env->tlb_c.lock);
150
151 cpu_tb_jmp_cache_clear(cpu);
152
153 env->vtlb_index = 0;
154 }
155
156 static void tlb_flush_global_async_work(CPUState *cpu, run_on_cpu_data data)
157 {
158 tlb_flush_nocheck(cpu);
159 }
160
161 void tlb_flush(CPUState *cpu)
162 {
163 if (cpu->created && !qemu_cpu_is_self(cpu)) {
164 CPUArchState *env = cpu->env_ptr;
165 uint16_t pending;
166
167 qemu_spin_lock(&env->tlb_c.lock);
168 pending = env->tlb_c.pending_flush;
169 env->tlb_c.pending_flush = ALL_MMUIDX_BITS;
170 qemu_spin_unlock(&env->tlb_c.lock);
171
172 if (pending != ALL_MMUIDX_BITS) {
173 async_run_on_cpu(cpu, tlb_flush_global_async_work,
174 RUN_ON_CPU_NULL);
175 }
176 } else {
177 tlb_flush_nocheck(cpu);
178 }
179 }
180
181 void tlb_flush_all_cpus(CPUState *src_cpu)
182 {
183 const run_on_cpu_func fn = tlb_flush_global_async_work;
184 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL);
185 fn(src_cpu, RUN_ON_CPU_NULL);
186 }
187
188 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
189 {
190 const run_on_cpu_func fn = tlb_flush_global_async_work;
191 flush_all_helper(src_cpu, fn, RUN_ON_CPU_NULL);
192 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_NULL);
193 }
194
195 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
196 {
197 CPUArchState *env = cpu->env_ptr;
198 unsigned long mmu_idx_bitmask = data.host_int;
199 int mmu_idx;
200
201 assert_cpu_is_self(cpu);
202
203 tlb_debug("mmu_idx:0x%04lx\n", mmu_idx_bitmask);
204
205 qemu_spin_lock(&env->tlb_c.lock);
206 env->tlb_c.pending_flush &= ~mmu_idx_bitmask;
207
208 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
209 if (test_bit(mmu_idx, &mmu_idx_bitmask)) {
210 tlb_flush_one_mmuidx_locked(env, mmu_idx);
211 }
212 }
213 qemu_spin_unlock(&env->tlb_c.lock);
214
215 cpu_tb_jmp_cache_clear(cpu);
216 }
217
218 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
219 {
220 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
221
222 if (!qemu_cpu_is_self(cpu)) {
223 CPUArchState *env = cpu->env_ptr;
224 uint16_t pending, to_clean;
225
226 qemu_spin_lock(&env->tlb_c.lock);
227 pending = env->tlb_c.pending_flush;
228 to_clean = idxmap & ~pending;
229 env->tlb_c.pending_flush = pending | idxmap;
230 qemu_spin_unlock(&env->tlb_c.lock);
231
232 if (to_clean) {
233 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", to_clean);
234 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
235 RUN_ON_CPU_HOST_INT(to_clean));
236 }
237 } else {
238 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
239 }
240 }
241
242 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
243 {
244 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
245
246 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
247
248 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
249 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
250 }
251
252 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
253 uint16_t idxmap)
254 {
255 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
256
257 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
258
259 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
260 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
261 }
262
263 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
264 target_ulong page)
265 {
266 return tlb_hit_page(tlb_entry->addr_read, page) ||
267 tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
268 tlb_hit_page(tlb_entry->addr_code, page);
269 }
270
271 /* Called with tlb_c.lock held */
272 static inline void tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
273 target_ulong page)
274 {
275 if (tlb_hit_page_anyprot(tlb_entry, page)) {
276 memset(tlb_entry, -1, sizeof(*tlb_entry));
277 }
278 }
279
280 /* Called with tlb_c.lock held */
281 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
282 target_ulong page)
283 {
284 int k;
285
286 assert_cpu_is_self(ENV_GET_CPU(env));
287 for (k = 0; k < CPU_VTLB_SIZE; k++) {
288 tlb_flush_entry_locked(&env->tlb_v_table[mmu_idx][k], page);
289 }
290 }
291
292 static void tlb_flush_page_locked(CPUArchState *env, int midx,
293 target_ulong page)
294 {
295 target_ulong lp_addr = env->tlb_d[midx].large_page_addr;
296 target_ulong lp_mask = env->tlb_d[midx].large_page_mask;
297
298 /* Check if we need to flush due to large pages. */
299 if ((page & lp_mask) == lp_addr) {
300 tlb_debug("forcing full flush midx %d ("
301 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
302 midx, lp_addr, lp_mask);
303 tlb_flush_one_mmuidx_locked(env, midx);
304 } else {
305 tlb_flush_entry_locked(tlb_entry(env, midx, page), page);
306 tlb_flush_vtlb_page_locked(env, midx, page);
307 }
308 }
309
310 static void tlb_flush_page_async_work(CPUState *cpu, run_on_cpu_data data)
311 {
312 CPUArchState *env = cpu->env_ptr;
313 target_ulong addr = (target_ulong) data.target_ptr;
314 int mmu_idx;
315
316 assert_cpu_is_self(cpu);
317
318 tlb_debug("page addr:" TARGET_FMT_lx "\n", addr);
319
320 addr &= TARGET_PAGE_MASK;
321 qemu_spin_lock(&env->tlb_c.lock);
322 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
323 tlb_flush_page_locked(env, mmu_idx, addr);
324 }
325 qemu_spin_unlock(&env->tlb_c.lock);
326
327 tb_flush_jmp_cache(cpu, addr);
328 }
329
330 void tlb_flush_page(CPUState *cpu, target_ulong addr)
331 {
332 tlb_debug("page :" TARGET_FMT_lx "\n", addr);
333
334 if (!qemu_cpu_is_self(cpu)) {
335 async_run_on_cpu(cpu, tlb_flush_page_async_work,
336 RUN_ON_CPU_TARGET_PTR(addr));
337 } else {
338 tlb_flush_page_async_work(cpu, RUN_ON_CPU_TARGET_PTR(addr));
339 }
340 }
341
342 /* As we are going to hijack the bottom bits of the page address for a
343 * mmuidx bit mask we need to fail to build if we can't do that
344 */
345 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
346
347 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
348 run_on_cpu_data data)
349 {
350 CPUArchState *env = cpu->env_ptr;
351 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
352 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
353 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
354 int mmu_idx;
355
356 assert_cpu_is_self(cpu);
357
358 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
359 addr, mmu_idx_bitmap);
360
361 qemu_spin_lock(&env->tlb_c.lock);
362 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
363 if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
364 tlb_flush_page_locked(env, mmu_idx, addr);
365 }
366 }
367 qemu_spin_unlock(&env->tlb_c.lock);
368
369 tb_flush_jmp_cache(cpu, addr);
370 }
371
372 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
373 {
374 target_ulong addr_and_mmu_idx;
375
376 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
377
378 /* This should already be page aligned */
379 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
380 addr_and_mmu_idx |= idxmap;
381
382 if (!qemu_cpu_is_self(cpu)) {
383 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
384 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
385 } else {
386 tlb_flush_page_by_mmuidx_async_work(
387 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
388 }
389 }
390
391 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
392 uint16_t idxmap)
393 {
394 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
395 target_ulong addr_and_mmu_idx;
396
397 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
398
399 /* This should already be page aligned */
400 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
401 addr_and_mmu_idx |= idxmap;
402
403 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
404 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
405 }
406
407 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
408 target_ulong addr,
409 uint16_t idxmap)
410 {
411 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
412 target_ulong addr_and_mmu_idx;
413
414 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
415
416 /* This should already be page aligned */
417 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
418 addr_and_mmu_idx |= idxmap;
419
420 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
421 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
422 }
423
424 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
425 {
426 const run_on_cpu_func fn = tlb_flush_page_async_work;
427
428 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
429 fn(src, RUN_ON_CPU_TARGET_PTR(addr));
430 }
431
432 void tlb_flush_page_all_cpus_synced(CPUState *src,
433 target_ulong addr)
434 {
435 const run_on_cpu_func fn = tlb_flush_page_async_work;
436
437 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
438 async_safe_run_on_cpu(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
439 }
440
441 /* update the TLBs so that writes to code in the virtual page 'addr'
442 can be detected */
443 void tlb_protect_code(ram_addr_t ram_addr)
444 {
445 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
446 DIRTY_MEMORY_CODE);
447 }
448
449 /* update the TLB so that writes in physical page 'phys_addr' are no longer
450 tested for self modifying code */
451 void tlb_unprotect_code(ram_addr_t ram_addr)
452 {
453 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
454 }
455
456
457 /*
458 * Dirty write flag handling
459 *
460 * When the TCG code writes to a location it looks up the address in
461 * the TLB and uses that data to compute the final address. If any of
462 * the lower bits of the address are set then the slow path is forced.
463 * There are a number of reasons to do this but for normal RAM the
464 * most usual is detecting writes to code regions which may invalidate
465 * generated code.
466 *
467 * Other vCPUs might be reading their TLBs during guest execution, so we update
468 * te->addr_write with atomic_set. We don't need to worry about this for
469 * oversized guests as MTTCG is disabled for them.
470 *
471 * Called with tlb_c.lock held.
472 */
473 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
474 uintptr_t start, uintptr_t length)
475 {
476 uintptr_t addr = tlb_entry->addr_write;
477
478 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
479 addr &= TARGET_PAGE_MASK;
480 addr += tlb_entry->addend;
481 if ((addr - start) < length) {
482 #if TCG_OVERSIZED_GUEST
483 tlb_entry->addr_write |= TLB_NOTDIRTY;
484 #else
485 atomic_set(&tlb_entry->addr_write,
486 tlb_entry->addr_write | TLB_NOTDIRTY);
487 #endif
488 }
489 }
490 }
491
492 /*
493 * Called with tlb_c.lock held.
494 * Called only from the vCPU context, i.e. the TLB's owner thread.
495 */
496 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
497 {
498 *d = *s;
499 }
500
501 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
502 * the target vCPU).
503 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
504 * thing actually updated is the target TLB entry ->addr_write flags.
505 */
506 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
507 {
508 CPUArchState *env;
509
510 int mmu_idx;
511
512 env = cpu->env_ptr;
513 qemu_spin_lock(&env->tlb_c.lock);
514 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
515 unsigned int i;
516
517 for (i = 0; i < CPU_TLB_SIZE; i++) {
518 tlb_reset_dirty_range_locked(&env->tlb_table[mmu_idx][i], start1,
519 length);
520 }
521
522 for (i = 0; i < CPU_VTLB_SIZE; i++) {
523 tlb_reset_dirty_range_locked(&env->tlb_v_table[mmu_idx][i], start1,
524 length);
525 }
526 }
527 qemu_spin_unlock(&env->tlb_c.lock);
528 }
529
530 /* Called with tlb_c.lock held */
531 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
532 target_ulong vaddr)
533 {
534 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
535 tlb_entry->addr_write = vaddr;
536 }
537 }
538
539 /* update the TLB corresponding to virtual page vaddr
540 so that it is no longer dirty */
541 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
542 {
543 CPUArchState *env = cpu->env_ptr;
544 int mmu_idx;
545
546 assert_cpu_is_self(cpu);
547
548 vaddr &= TARGET_PAGE_MASK;
549 qemu_spin_lock(&env->tlb_c.lock);
550 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
551 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
552 }
553
554 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
555 int k;
556 for (k = 0; k < CPU_VTLB_SIZE; k++) {
557 tlb_set_dirty1_locked(&env->tlb_v_table[mmu_idx][k], vaddr);
558 }
559 }
560 qemu_spin_unlock(&env->tlb_c.lock);
561 }
562
563 /* Our TLB does not support large pages, so remember the area covered by
564 large pages and trigger a full TLB flush if these are invalidated. */
565 static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
566 target_ulong vaddr, target_ulong size)
567 {
568 target_ulong lp_addr = env->tlb_d[mmu_idx].large_page_addr;
569 target_ulong lp_mask = ~(size - 1);
570
571 if (lp_addr == (target_ulong)-1) {
572 /* No previous large page. */
573 lp_addr = vaddr;
574 } else {
575 /* Extend the existing region to include the new page.
576 This is a compromise between unnecessary flushes and
577 the cost of maintaining a full variable size TLB. */
578 lp_mask &= env->tlb_d[mmu_idx].large_page_mask;
579 while (((lp_addr ^ vaddr) & lp_mask) != 0) {
580 lp_mask <<= 1;
581 }
582 }
583 env->tlb_d[mmu_idx].large_page_addr = lp_addr & lp_mask;
584 env->tlb_d[mmu_idx].large_page_mask = lp_mask;
585 }
586
587 /* Add a new TLB entry. At most one entry for a given virtual address
588 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
589 * supplied size is only used by tlb_flush_page.
590 *
591 * Called from TCG-generated code, which is under an RCU read-side
592 * critical section.
593 */
594 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
595 hwaddr paddr, MemTxAttrs attrs, int prot,
596 int mmu_idx, target_ulong size)
597 {
598 CPUArchState *env = cpu->env_ptr;
599 MemoryRegionSection *section;
600 unsigned int index;
601 target_ulong address;
602 target_ulong code_address;
603 uintptr_t addend;
604 CPUTLBEntry *te, tn;
605 hwaddr iotlb, xlat, sz, paddr_page;
606 target_ulong vaddr_page;
607 int asidx = cpu_asidx_from_attrs(cpu, attrs);
608
609 assert_cpu_is_self(cpu);
610
611 if (size <= TARGET_PAGE_SIZE) {
612 sz = TARGET_PAGE_SIZE;
613 } else {
614 tlb_add_large_page(env, mmu_idx, vaddr, size);
615 sz = size;
616 }
617 vaddr_page = vaddr & TARGET_PAGE_MASK;
618 paddr_page = paddr & TARGET_PAGE_MASK;
619
620 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
621 &xlat, &sz, attrs, &prot);
622 assert(sz >= TARGET_PAGE_SIZE);
623
624 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
625 " prot=%x idx=%d\n",
626 vaddr, paddr, prot, mmu_idx);
627
628 address = vaddr_page;
629 if (size < TARGET_PAGE_SIZE) {
630 /*
631 * Slow-path the TLB entries; we will repeat the MMU check and TLB
632 * fill on every access.
633 */
634 address |= TLB_RECHECK;
635 }
636 if (!memory_region_is_ram(section->mr) &&
637 !memory_region_is_romd(section->mr)) {
638 /* IO memory case */
639 address |= TLB_MMIO;
640 addend = 0;
641 } else {
642 /* TLB_MMIO for rom/romd handled below */
643 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
644 }
645
646 code_address = address;
647 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
648 paddr_page, xlat, prot, &address);
649
650 index = tlb_index(env, mmu_idx, vaddr_page);
651 te = tlb_entry(env, mmu_idx, vaddr_page);
652
653 /*
654 * Hold the TLB lock for the rest of the function. We could acquire/release
655 * the lock several times in the function, but it is faster to amortize the
656 * acquisition cost by acquiring it just once. Note that this leads to
657 * a longer critical section, but this is not a concern since the TLB lock
658 * is unlikely to be contended.
659 */
660 qemu_spin_lock(&env->tlb_c.lock);
661
662 /* Make sure there's no cached translation for the new page. */
663 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);
664
665 /*
666 * Only evict the old entry to the victim tlb if it's for a
667 * different page; otherwise just overwrite the stale data.
668 */
669 if (!tlb_hit_page_anyprot(te, vaddr_page)) {
670 unsigned vidx = env->vtlb_index++ % CPU_VTLB_SIZE;
671 CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];
672
673 /* Evict the old entry into the victim tlb. */
674 copy_tlb_helper_locked(tv, te);
675 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
676 }
677
678 /* refill the tlb */
679 /*
680 * At this point iotlb contains a physical section number in the lower
681 * TARGET_PAGE_BITS, and either
682 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
683 * + the offset within section->mr of the page base (otherwise)
684 * We subtract the vaddr_page (which is page aligned and thus won't
685 * disturb the low bits) to give an offset which can be added to the
686 * (non-page-aligned) vaddr of the eventual memory access to get
687 * the MemoryRegion offset for the access. Note that the vaddr we
688 * subtract here is that of the page base, and not the same as the
689 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
690 */
691 env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
692 env->iotlb[mmu_idx][index].attrs = attrs;
693
694 /* Now calculate the new entry */
695 tn.addend = addend - vaddr_page;
696 if (prot & PAGE_READ) {
697 tn.addr_read = address;
698 } else {
699 tn.addr_read = -1;
700 }
701
702 if (prot & PAGE_EXEC) {
703 tn.addr_code = code_address;
704 } else {
705 tn.addr_code = -1;
706 }
707
708 tn.addr_write = -1;
709 if (prot & PAGE_WRITE) {
710 if ((memory_region_is_ram(section->mr) && section->readonly)
711 || memory_region_is_romd(section->mr)) {
712 /* Write access calls the I/O callback. */
713 tn.addr_write = address | TLB_MMIO;
714 } else if (memory_region_is_ram(section->mr)
715 && cpu_physical_memory_is_clean(
716 memory_region_get_ram_addr(section->mr) + xlat)) {
717 tn.addr_write = address | TLB_NOTDIRTY;
718 } else {
719 tn.addr_write = address;
720 }
721 if (prot & PAGE_WRITE_INV) {
722 tn.addr_write |= TLB_INVALID_MASK;
723 }
724 }
725
726 copy_tlb_helper_locked(te, &tn);
727 qemu_spin_unlock(&env->tlb_c.lock);
728 }
729
730 /* Add a new TLB entry, but without specifying the memory
731 * transaction attributes to be used.
732 */
733 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
734 hwaddr paddr, int prot,
735 int mmu_idx, target_ulong size)
736 {
737 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
738 prot, mmu_idx, size);
739 }
740
741 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
742 {
743 ram_addr_t ram_addr;
744
745 ram_addr = qemu_ram_addr_from_host(ptr);
746 if (ram_addr == RAM_ADDR_INVALID) {
747 error_report("Bad ram pointer %p", ptr);
748 abort();
749 }
750 return ram_addr;
751 }
752
753 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
754 int mmu_idx,
755 target_ulong addr, uintptr_t retaddr,
756 bool recheck, MMUAccessType access_type, int size)
757 {
758 CPUState *cpu = ENV_GET_CPU(env);
759 hwaddr mr_offset;
760 MemoryRegionSection *section;
761 MemoryRegion *mr;
762 uint64_t val;
763 bool locked = false;
764 MemTxResult r;
765
766 if (recheck) {
767 /*
768 * This is a TLB_RECHECK access, where the MMU protection
769 * covers a smaller range than a target page, and we must
770 * repeat the MMU check here. This tlb_fill() call might
771 * longjump out if this access should cause a guest exception.
772 */
773 CPUTLBEntry *entry;
774 target_ulong tlb_addr;
775
776 tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
777
778 entry = tlb_entry(env, mmu_idx, addr);
779 tlb_addr = entry->addr_read;
780 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
781 /* RAM access */
782 uintptr_t haddr = addr + entry->addend;
783
784 return ldn_p((void *)haddr, size);
785 }
786 /* Fall through for handling IO accesses */
787 }
788
789 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
790 mr = section->mr;
791 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
792 cpu->mem_io_pc = retaddr;
793 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
794 cpu_io_recompile(cpu, retaddr);
795 }
796
797 cpu->mem_io_vaddr = addr;
798 cpu->mem_io_access_type = access_type;
799
800 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
801 qemu_mutex_lock_iothread();
802 locked = true;
803 }
804 r = memory_region_dispatch_read(mr, mr_offset,
805 &val, size, iotlbentry->attrs);
806 if (r != MEMTX_OK) {
807 hwaddr physaddr = mr_offset +
808 section->offset_within_address_space -
809 section->offset_within_region;
810
811 cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
812 mmu_idx, iotlbentry->attrs, r, retaddr);
813 }
814 if (locked) {
815 qemu_mutex_unlock_iothread();
816 }
817
818 return val;
819 }
820
821 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
822 int mmu_idx,
823 uint64_t val, target_ulong addr,
824 uintptr_t retaddr, bool recheck, int size)
825 {
826 CPUState *cpu = ENV_GET_CPU(env);
827 hwaddr mr_offset;
828 MemoryRegionSection *section;
829 MemoryRegion *mr;
830 bool locked = false;
831 MemTxResult r;
832
833 if (recheck) {
834 /*
835 * This is a TLB_RECHECK access, where the MMU protection
836 * covers a smaller range than a target page, and we must
837 * repeat the MMU check here. This tlb_fill() call might
838 * longjump out if this access should cause a guest exception.
839 */
840 CPUTLBEntry *entry;
841 target_ulong tlb_addr;
842
843 tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
844
845 entry = tlb_entry(env, mmu_idx, addr);
846 tlb_addr = tlb_addr_write(entry);
847 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
848 /* RAM access */
849 uintptr_t haddr = addr + entry->addend;
850
851 stn_p((void *)haddr, size, val);
852 return;
853 }
854 /* Fall through for handling IO accesses */
855 }
856
857 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
858 mr = section->mr;
859 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
860 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
861 cpu_io_recompile(cpu, retaddr);
862 }
863 cpu->mem_io_vaddr = addr;
864 cpu->mem_io_pc = retaddr;
865
866 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
867 qemu_mutex_lock_iothread();
868 locked = true;
869 }
870 r = memory_region_dispatch_write(mr, mr_offset,
871 val, size, iotlbentry->attrs);
872 if (r != MEMTX_OK) {
873 hwaddr physaddr = mr_offset +
874 section->offset_within_address_space -
875 section->offset_within_region;
876
877 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
878 mmu_idx, iotlbentry->attrs, r, retaddr);
879 }
880 if (locked) {
881 qemu_mutex_unlock_iothread();
882 }
883 }
884
885 /* Return true if ADDR is present in the victim tlb, and has been copied
886 back to the main tlb. */
887 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
888 size_t elt_ofs, target_ulong page)
889 {
890 size_t vidx;
891
892 assert_cpu_is_self(ENV_GET_CPU(env));
893 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
894 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
895 target_ulong cmp;
896
897 /* elt_ofs might correspond to .addr_write, so use atomic_read */
898 #if TCG_OVERSIZED_GUEST
899 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
900 #else
901 cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
902 #endif
903
904 if (cmp == page) {
905 /* Found entry in victim tlb, swap tlb and iotlb. */
906 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];
907
908 qemu_spin_lock(&env->tlb_c.lock);
909 copy_tlb_helper_locked(&tmptlb, tlb);
910 copy_tlb_helper_locked(tlb, vtlb);
911 copy_tlb_helper_locked(vtlb, &tmptlb);
912 qemu_spin_unlock(&env->tlb_c.lock);
913
914 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
915 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
916 tmpio = *io; *io = *vio; *vio = tmpio;
917 return true;
918 }
919 }
920 return false;
921 }
922
923 /* Macro to call the above, with local variables from the use context. */
924 #define VICTIM_TLB_HIT(TY, ADDR) \
925 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
926 (ADDR) & TARGET_PAGE_MASK)
927
928 /* NOTE: this function can trigger an exception */
929 /* NOTE2: the returned address is not exactly the physical address: it
930 * is actually a ram_addr_t (in system mode; the user mode emulation
931 * version of this function returns a guest virtual address).
932 */
933 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
934 {
935 uintptr_t mmu_idx = cpu_mmu_index(env, true);
936 uintptr_t index = tlb_index(env, mmu_idx, addr);
937 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
938 void *p;
939
940 if (unlikely(!tlb_hit(entry->addr_code, addr))) {
941 if (!VICTIM_TLB_HIT(addr_code, addr)) {
942 tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
943 }
944 assert(tlb_hit(entry->addr_code, addr));
945 }
946
947 if (unlikely(entry->addr_code & (TLB_RECHECK | TLB_MMIO))) {
948 /*
949 * Return -1 if we can't translate and execute from an entire
950 * page of RAM here, which will cause us to execute by loading
951 * and translating one insn at a time, without caching:
952 * - TLB_RECHECK: means the MMU protection covers a smaller range
953 * than a target page, so we must redo the MMU check every insn
954 * - TLB_MMIO: region is not backed by RAM
955 */
956 return -1;
957 }
958
959 p = (void *)((uintptr_t)addr + entry->addend);
960 return qemu_ram_addr_from_host_nofail(p);
961 }
962
963 /* Probe for whether the specified guest write access is permitted.
964 * If it is not permitted then an exception will be taken in the same
965 * way as if this were a real write access (and we will not return).
966 * Otherwise the function will return, and there will be a valid
967 * entry in the TLB for this access.
968 */
969 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
970 uintptr_t retaddr)
971 {
972 uintptr_t index = tlb_index(env, mmu_idx, addr);
973 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
974
975 if (!tlb_hit(tlb_addr_write(entry), addr)) {
976 /* TLB entry is for a different page */
977 if (!VICTIM_TLB_HIT(addr_write, addr)) {
978 tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
979 mmu_idx, retaddr);
980 }
981 }
982 }
983
984 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
985 * operations, or io operations to proceed. Return the host address. */
986 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
987 TCGMemOpIdx oi, uintptr_t retaddr,
988 NotDirtyInfo *ndi)
989 {
990 size_t mmu_idx = get_mmuidx(oi);
991 uintptr_t index = tlb_index(env, mmu_idx, addr);
992 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
993 target_ulong tlb_addr = tlb_addr_write(tlbe);
994 TCGMemOp mop = get_memop(oi);
995 int a_bits = get_alignment_bits(mop);
996 int s_bits = mop & MO_SIZE;
997 void *hostaddr;
998
999 /* Adjust the given return address. */
1000 retaddr -= GETPC_ADJ;
1001
1002 /* Enforce guest required alignment. */
1003 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
1004 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
1005 cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
1006 mmu_idx, retaddr);
1007 }
1008
1009 /* Enforce qemu required alignment. */
1010 if (unlikely(addr & ((1 << s_bits) - 1))) {
1011 /* We get here if guest alignment was not requested,
1012 or was not enforced by cpu_unaligned_access above.
1013 We might widen the access and emulate, but for now
1014 mark an exception and exit the cpu loop. */
1015 goto stop_the_world;
1016 }
1017
1018 /* Check TLB entry and enforce page permissions. */
1019 if (!tlb_hit(tlb_addr, addr)) {
1020 if (!VICTIM_TLB_HIT(addr_write, addr)) {
1021 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
1022 mmu_idx, retaddr);
1023 }
1024 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
1025 }
1026
1027 /* Notice an IO access or a needs-MMU-lookup access */
1028 if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
1029 /* There's really nothing that can be done to
1030 support this apart from stop-the-world. */
1031 goto stop_the_world;
1032 }
1033
1034 /* Let the guest notice RMW on a write-only page. */
1035 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
1036 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
1037 mmu_idx, retaddr);
1038 /* Since we don't support reads and writes to different addresses,
1039 and we do have the proper page loaded for write, this shouldn't
1040 ever return. But just in case, handle via stop-the-world. */
1041 goto stop_the_world;
1042 }
1043
1044 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
1045
1046 ndi->active = false;
1047 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
1048 ndi->active = true;
1049 memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
1050 qemu_ram_addr_from_host_nofail(hostaddr),
1051 1 << s_bits);
1052 }
1053
1054 return hostaddr;
1055
1056 stop_the_world:
1057 cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
1058 }
1059
1060 #ifdef TARGET_WORDS_BIGENDIAN
1061 # define TGT_BE(X) (X)
1062 # define TGT_LE(X) BSWAP(X)
1063 #else
1064 # define TGT_BE(X) BSWAP(X)
1065 # define TGT_LE(X) (X)
1066 #endif
1067
1068 #define MMUSUFFIX _mmu
1069
1070 #define DATA_SIZE 1
1071 #include "softmmu_template.h"
1072
1073 #define DATA_SIZE 2
1074 #include "softmmu_template.h"
1075
1076 #define DATA_SIZE 4
1077 #include "softmmu_template.h"
1078
1079 #define DATA_SIZE 8
1080 #include "softmmu_template.h"
1081
1082 /* First set of helpers allows passing in of OI and RETADDR. This makes
1083 them callable from other helpers. */
1084
1085 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1086 #define ATOMIC_NAME(X) \
1087 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1088 #define ATOMIC_MMU_DECLS NotDirtyInfo ndi
1089 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
1090 #define ATOMIC_MMU_CLEANUP \
1091 do { \
1092 if (unlikely(ndi.active)) { \
1093 memory_notdirty_write_complete(&ndi); \
1094 } \
1095 } while (0)
1096
1097 #define DATA_SIZE 1
1098 #include "atomic_template.h"
1099
1100 #define DATA_SIZE 2
1101 #include "atomic_template.h"
1102
1103 #define DATA_SIZE 4
1104 #include "atomic_template.h"
1105
1106 #ifdef CONFIG_ATOMIC64
1107 #define DATA_SIZE 8
1108 #include "atomic_template.h"
1109 #endif
1110
1111 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
1112 #define DATA_SIZE 16
1113 #include "atomic_template.h"
1114 #endif
1115
1116 /* Second set of helpers are directly callable from TCG as helpers. */
1117
1118 #undef EXTRA_ARGS
1119 #undef ATOMIC_NAME
1120 #undef ATOMIC_MMU_LOOKUP
1121 #define EXTRA_ARGS , TCGMemOpIdx oi
1122 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1123 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)
1124
1125 #define DATA_SIZE 1
1126 #include "atomic_template.h"
1127
1128 #define DATA_SIZE 2
1129 #include "atomic_template.h"
1130
1131 #define DATA_SIZE 4
1132 #include "atomic_template.h"
1133
1134 #ifdef CONFIG_ATOMIC64
1135 #define DATA_SIZE 8
1136 #include "atomic_template.h"
1137 #endif
1138
1139 /* Code access functions. */
1140
1141 #undef MMUSUFFIX
1142 #define MMUSUFFIX _cmmu
1143 #undef GETPC
1144 #define GETPC() ((uintptr_t)0)
1145 #define SOFTMMU_CODE_ACCESS
1146
1147 #define DATA_SIZE 1
1148 #include "softmmu_template.h"
1149
1150 #define DATA_SIZE 2
1151 #include "softmmu_template.h"
1152
1153 #define DATA_SIZE 4
1154 #include "softmmu_template.h"
1155
1156 #define DATA_SIZE 8
1157 #include "softmmu_template.h"
QEMU mirror