]> git.proxmox.com Git - mirror_qemu.git/blob - accel/tcg/cputlb.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge remote-tracking branch 'remotes/bonzini-gitlab/tags/for-upstream' into staging
[mirror_qemu.git] / accel / tcg / cputlb.c
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "hw/core/tcg-cpu-ops.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/cpu_ldst.h"
26 #include "exec/cputlb.h"
27 #include "exec/tb-hash.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35 #include "qemu/atomic128.h"
36 #include "exec/translate-all.h"
37 #include "trace/trace-root.h"
38 #include "trace/mem.h"
39 #include "internal.h"
40 #ifdef CONFIG_PLUGIN
41 #include "qemu/plugin-memory.h"
42 #endif
43
44 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
45 /* #define DEBUG_TLB */
46 /* #define DEBUG_TLB_LOG */
47
48 #ifdef DEBUG_TLB
49 # define DEBUG_TLB_GATE 1
50 # ifdef DEBUG_TLB_LOG
51 # define DEBUG_TLB_LOG_GATE 1
52 # else
53 # define DEBUG_TLB_LOG_GATE 0
54 # endif
55 #else
56 # define DEBUG_TLB_GATE 0
57 # define DEBUG_TLB_LOG_GATE 0
58 #endif
59
60 #define tlb_debug(fmt, ...) do { \
61 if (DEBUG_TLB_LOG_GATE) { \
62 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
63 ## __VA_ARGS__); \
64 } else if (DEBUG_TLB_GATE) { \
65 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
66 } \
67 } while (0)
68
69 #define assert_cpu_is_self(cpu) do { \
70 if (DEBUG_TLB_GATE) { \
71 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
72 } \
73 } while (0)
74
75 /* run_on_cpu_data.target_ptr should always be big enough for a
76 * target_ulong even on 32 bit builds */
77 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
78
79 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
80 */
81 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
82 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
83
84 static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
85 {
86 return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
87 }
88
89 static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
90 {
91 return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
92 }
93
94 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
95 size_t max_entries)
96 {
97 desc->window_begin_ns = ns;
98 desc->window_max_entries = max_entries;
99 }
100
101 static void tb_jmp_cache_clear_page(CPUState *cpu, target_ulong page_addr)
102 {
103 unsigned int i, i0 = tb_jmp_cache_hash_page(page_addr);
104
105 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) {
106 qatomic_set(&cpu->tb_jmp_cache[i0 + i], NULL);
107 }
108 }
109
110 static void tb_flush_jmp_cache(CPUState *cpu, target_ulong addr)
111 {
112 /* Discard jump cache entries for any tb which might potentially
113 overlap the flushed page. */
114 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE);
115 tb_jmp_cache_clear_page(cpu, addr);
116 }
117
118 /**
119 * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
120 * @desc: The CPUTLBDesc portion of the TLB
121 * @fast: The CPUTLBDescFast portion of the same TLB
122 *
123 * Called with tlb_lock_held.
124 *
125 * We have two main constraints when resizing a TLB: (1) we only resize it
126 * on a TLB flush (otherwise we'd have to take a perf hit by either rehashing
127 * the array or unnecessarily flushing it), which means we do not control how
128 * frequently the resizing can occur; (2) we don't have access to the guest's
129 * future scheduling decisions, and therefore have to decide the magnitude of
130 * the resize based on past observations.
131 *
132 * In general, a memory-hungry process can benefit greatly from an appropriately
133 * sized TLB, since a guest TLB miss is very expensive. This doesn't mean that
134 * we just have to make the TLB as large as possible; while an oversized TLB
135 * results in minimal TLB miss rates, it also takes longer to be flushed
136 * (flushes can be _very_ frequent), and the reduced locality can also hurt
137 * performance.
138 *
139 * To achieve near-optimal performance for all kinds of workloads, we:
140 *
141 * 1. Aggressively increase the size of the TLB when the use rate of the
142 * TLB being flushed is high, since it is likely that in the near future this
143 * memory-hungry process will execute again, and its memory hungriness will
144 * probably be similar.
145 *
146 * 2. Slowly reduce the size of the TLB as the use rate declines over a
147 * reasonably large time window. The rationale is that if in such a time window
148 * we have not observed a high TLB use rate, it is likely that we won't observe
149 * it in the near future. In that case, once a time window expires we downsize
150 * the TLB to match the maximum use rate observed in the window.
151 *
152 * 3. Try to keep the maximum use rate in a time window in the 30-70% range,
153 * since in that range performance is likely near-optimal. Recall that the TLB
154 * is direct mapped, so we want the use rate to be low (or at least not too
155 * high), since otherwise we are likely to have a significant amount of
156 * conflict misses.
157 */
158 static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
159 int64_t now)
160 {
161 size_t old_size = tlb_n_entries(fast);
162 size_t rate;
163 size_t new_size = old_size;
164 int64_t window_len_ms = 100;
165 int64_t window_len_ns = window_len_ms * 1000 * 1000;
166 bool window_expired = now > desc->window_begin_ns + window_len_ns;
167
168 if (desc->n_used_entries > desc->window_max_entries) {
169 desc->window_max_entries = desc->n_used_entries;
170 }
171 rate = desc->window_max_entries * 100 / old_size;
172
173 if (rate > 70) {
174 new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS);
175 } else if (rate < 30 && window_expired) {
176 size_t ceil = pow2ceil(desc->window_max_entries);
177 size_t expected_rate = desc->window_max_entries * 100 / ceil;
178
179 /*
180 * Avoid undersizing when the max number of entries seen is just below
181 * a pow2. For instance, if max_entries == 1025, the expected use rate
182 * would be 1025/2048==50%. However, if max_entries == 1023, we'd get
183 * 1023/1024==99.9% use rate, so we'd likely end up doubling the size
184 * later. Thus, make sure that the expected use rate remains below 70%.
185 * (and since we double the size, that means the lowest rate we'd
186 * expect to get is 35%, which is still in the 30-70% range where
187 * we consider that the size is appropriate.)
188 */
189 if (expected_rate > 70) {
190 ceil *= 2;
191 }
192 new_size = MAX(ceil, 1 << CPU_TLB_DYN_MIN_BITS);
193 }
194
195 if (new_size == old_size) {
196 if (window_expired) {
197 tlb_window_reset(desc, now, desc->n_used_entries);
198 }
199 return;
200 }
201
202 g_free(fast->table);
203 g_free(desc->iotlb);
204
205 tlb_window_reset(desc, now, 0);
206 /* desc->n_used_entries is cleared by the caller */
207 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
208 fast->table = g_try_new(CPUTLBEntry, new_size);
209 desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
210
211 /*
212 * If the allocations fail, try smaller sizes. We just freed some
213 * memory, so going back to half of new_size has a good chance of working.
214 * Increased memory pressure elsewhere in the system might cause the
215 * allocations to fail though, so we progressively reduce the allocation
216 * size, aborting if we cannot even allocate the smallest TLB we support.
217 */
218 while (fast->table == NULL || desc->iotlb == NULL) {
219 if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
220 error_report("%s: %s", __func__, strerror(errno));
221 abort();
222 }
223 new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
224 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
225
226 g_free(fast->table);
227 g_free(desc->iotlb);
228 fast->table = g_try_new(CPUTLBEntry, new_size);
229 desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
230 }
231 }
232
233 static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
234 {
235 desc->n_used_entries = 0;
236 desc->large_page_addr = -1;
237 desc->large_page_mask = -1;
238 desc->vindex = 0;
239 memset(fast->table, -1, sizeof_tlb(fast));
240 memset(desc->vtable, -1, sizeof(desc->vtable));
241 }
242
243 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
244 int64_t now)
245 {
246 CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
247 CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
248
249 tlb_mmu_resize_locked(desc, fast, now);
250 tlb_mmu_flush_locked(desc, fast);
251 }
252
253 static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
254 {
255 size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
256
257 tlb_window_reset(desc, now, 0);
258 desc->n_used_entries = 0;
259 fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
260 fast->table = g_new(CPUTLBEntry, n_entries);
261 desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
262 tlb_mmu_flush_locked(desc, fast);
263 }
264
265 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
266 {
267 env_tlb(env)->d[mmu_idx].n_used_entries++;
268 }
269
270 static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
271 {
272 env_tlb(env)->d[mmu_idx].n_used_entries--;
273 }
274
275 void tlb_init(CPUState *cpu)
276 {
277 CPUArchState *env = cpu->env_ptr;
278 int64_t now = get_clock_realtime();
279 int i;
280
281 qemu_spin_init(&env_tlb(env)->c.lock);
282
283 /* All tlbs are initialized flushed. */
284 env_tlb(env)->c.dirty = 0;
285
286 for (i = 0; i < NB_MMU_MODES; i++) {
287 tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
288 }
289 }
290
291 void tlb_destroy(CPUState *cpu)
292 {
293 CPUArchState *env = cpu->env_ptr;
294 int i;
295
296 qemu_spin_destroy(&env_tlb(env)->c.lock);
297 for (i = 0; i < NB_MMU_MODES; i++) {
298 CPUTLBDesc *desc = &env_tlb(env)->d[i];
299 CPUTLBDescFast *fast = &env_tlb(env)->f[i];
300
301 g_free(fast->table);
302 g_free(desc->iotlb);
303 }
304 }
305
306 /* flush_all_helper: run fn across all cpus
307 *
308 * If the wait flag is set then the src cpu's helper will be queued as
309 * "safe" work and the loop exited creating a synchronisation point
310 * where all queued work will be finished before execution starts
311 * again.
312 */
313 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
314 run_on_cpu_data d)
315 {
316 CPUState *cpu;
317
318 CPU_FOREACH(cpu) {
319 if (cpu != src) {
320 async_run_on_cpu(cpu, fn, d);
321 }
322 }
323 }
324
325 void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
326 {
327 CPUState *cpu;
328 size_t full = 0, part = 0, elide = 0;
329
330 CPU_FOREACH(cpu) {
331 CPUArchState *env = cpu->env_ptr;
332
333 full += qatomic_read(&env_tlb(env)->c.full_flush_count);
334 part += qatomic_read(&env_tlb(env)->c.part_flush_count);
335 elide += qatomic_read(&env_tlb(env)->c.elide_flush_count);
336 }
337 *pfull = full;
338 *ppart = part;
339 *pelide = elide;
340 }
341
342 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
343 {
344 CPUArchState *env = cpu->env_ptr;
345 uint16_t asked = data.host_int;
346 uint16_t all_dirty, work, to_clean;
347 int64_t now = get_clock_realtime();
348
349 assert_cpu_is_self(cpu);
350
351 tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked);
352
353 qemu_spin_lock(&env_tlb(env)->c.lock);
354
355 all_dirty = env_tlb(env)->c.dirty;
356 to_clean = asked & all_dirty;
357 all_dirty &= ~to_clean;
358 env_tlb(env)->c.dirty = all_dirty;
359
360 for (work = to_clean; work != 0; work &= work - 1) {
361 int mmu_idx = ctz32(work);
362 tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
363 }
364
365 qemu_spin_unlock(&env_tlb(env)->c.lock);
366
367 cpu_tb_jmp_cache_clear(cpu);
368
369 if (to_clean == ALL_MMUIDX_BITS) {
370 qatomic_set(&env_tlb(env)->c.full_flush_count,
371 env_tlb(env)->c.full_flush_count + 1);
372 } else {
373 qatomic_set(&env_tlb(env)->c.part_flush_count,
374 env_tlb(env)->c.part_flush_count + ctpop16(to_clean));
375 if (to_clean != asked) {
376 qatomic_set(&env_tlb(env)->c.elide_flush_count,
377 env_tlb(env)->c.elide_flush_count +
378 ctpop16(asked & ~to_clean));
379 }
380 }
381 }
382
383 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
384 {
385 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
386
387 if (cpu->created && !qemu_cpu_is_self(cpu)) {
388 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
389 RUN_ON_CPU_HOST_INT(idxmap));
390 } else {
391 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
392 }
393 }
394
395 void tlb_flush(CPUState *cpu)
396 {
397 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
398 }
399
400 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
401 {
402 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
403
404 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
405
406 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
407 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
408 }
409
410 void tlb_flush_all_cpus(CPUState *src_cpu)
411 {
412 tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
413 }
414
415 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
416 {
417 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
418
419 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
420
421 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
422 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
423 }
424
425 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
426 {
427 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
428 }
429
430 static bool tlb_hit_page_mask_anyprot(CPUTLBEntry *tlb_entry,
431 target_ulong page, target_ulong mask)
432 {
433 page &= mask;
434 mask &= TARGET_PAGE_MASK | TLB_INVALID_MASK;
435
436 return (page == (tlb_entry->addr_read & mask) ||
437 page == (tlb_addr_write(tlb_entry) & mask) ||
438 page == (tlb_entry->addr_code & mask));
439 }
440
441 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
442 target_ulong page)
443 {
444 return tlb_hit_page_mask_anyprot(tlb_entry, page, -1);
445 }
446
447 /**
448 * tlb_entry_is_empty - return true if the entry is not in use
449 * @te: pointer to CPUTLBEntry
450 */
451 static inline bool tlb_entry_is_empty(const CPUTLBEntry *te)
452 {
453 return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1;
454 }
455
456 /* Called with tlb_c.lock held */
457 static bool tlb_flush_entry_mask_locked(CPUTLBEntry *tlb_entry,
458 target_ulong page,
459 target_ulong mask)
460 {
461 if (tlb_hit_page_mask_anyprot(tlb_entry, page, mask)) {
462 memset(tlb_entry, -1, sizeof(*tlb_entry));
463 return true;
464 }
465 return false;
466 }
467
468 static inline bool tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
469 target_ulong page)
470 {
471 return tlb_flush_entry_mask_locked(tlb_entry, page, -1);
472 }
473
474 /* Called with tlb_c.lock held */
475 static void tlb_flush_vtlb_page_mask_locked(CPUArchState *env, int mmu_idx,
476 target_ulong page,
477 target_ulong mask)
478 {
479 CPUTLBDesc *d = &env_tlb(env)->d[mmu_idx];
480 int k;
481
482 assert_cpu_is_self(env_cpu(env));
483 for (k = 0; k < CPU_VTLB_SIZE; k++) {
484 if (tlb_flush_entry_mask_locked(&d->vtable[k], page, mask)) {
485 tlb_n_used_entries_dec(env, mmu_idx);
486 }
487 }
488 }
489
490 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
491 target_ulong page)
492 {
493 tlb_flush_vtlb_page_mask_locked(env, mmu_idx, page, -1);
494 }
495
496 static void tlb_flush_page_locked(CPUArchState *env, int midx,
497 target_ulong page)
498 {
499 target_ulong lp_addr = env_tlb(env)->d[midx].large_page_addr;
500 target_ulong lp_mask = env_tlb(env)->d[midx].large_page_mask;
501
502 /* Check if we need to flush due to large pages. */
503 if ((page & lp_mask) == lp_addr) {
504 tlb_debug("forcing full flush midx %d ("
505 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
506 midx, lp_addr, lp_mask);
507 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
508 } else {
509 if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
510 tlb_n_used_entries_dec(env, midx);
511 }
512 tlb_flush_vtlb_page_locked(env, midx, page);
513 }
514 }
515
516 /**
517 * tlb_flush_page_by_mmuidx_async_0:
518 * @cpu: cpu on which to flush
519 * @addr: page of virtual address to flush
520 * @idxmap: set of mmu_idx to flush
521 *
522 * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
523 * at @addr from the tlbs indicated by @idxmap from @cpu.
524 */
525 static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
526 target_ulong addr,
527 uint16_t idxmap)
528 {
529 CPUArchState *env = cpu->env_ptr;
530 int mmu_idx;
531
532 assert_cpu_is_self(cpu);
533
534 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
535
536 qemu_spin_lock(&env_tlb(env)->c.lock);
537 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
538 if ((idxmap >> mmu_idx) & 1) {
539 tlb_flush_page_locked(env, mmu_idx, addr);
540 }
541 }
542 qemu_spin_unlock(&env_tlb(env)->c.lock);
543
544 tb_flush_jmp_cache(cpu, addr);
545 }
546
547 /**
548 * tlb_flush_page_by_mmuidx_async_1:
549 * @cpu: cpu on which to flush
550 * @data: encoded addr + idxmap
551 *
552 * Helper for tlb_flush_page_by_mmuidx and friends, called through
553 * async_run_on_cpu. The idxmap parameter is encoded in the page
554 * offset of the target_ptr field. This limits the set of mmu_idx
555 * that can be passed via this method.
556 */
557 static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
558 run_on_cpu_data data)
559 {
560 target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
561 target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
562 uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
563
564 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
565 }
566
567 typedef struct {
568 target_ulong addr;
569 uint16_t idxmap;
570 } TLBFlushPageByMMUIdxData;
571
572 /**
573 * tlb_flush_page_by_mmuidx_async_2:
574 * @cpu: cpu on which to flush
575 * @data: allocated addr + idxmap
576 *
577 * Helper for tlb_flush_page_by_mmuidx and friends, called through
578 * async_run_on_cpu. The addr+idxmap parameters are stored in a
579 * TLBFlushPageByMMUIdxData structure that has been allocated
580 * specifically for this helper. Free the structure when done.
581 */
582 static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
583 run_on_cpu_data data)
584 {
585 TLBFlushPageByMMUIdxData *d = data.host_ptr;
586
587 tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
588 g_free(d);
589 }
590
591 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
592 {
593 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
594
595 /* This should already be page aligned */
596 addr &= TARGET_PAGE_MASK;
597
598 if (qemu_cpu_is_self(cpu)) {
599 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
600 } else if (idxmap < TARGET_PAGE_SIZE) {
601 /*
602 * Most targets have only a few mmu_idx. In the case where
603 * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
604 * allocating memory for this operation.
605 */
606 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
607 RUN_ON_CPU_TARGET_PTR(addr | idxmap));
608 } else {
609 TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
610
611 /* Otherwise allocate a structure, freed by the worker. */
612 d->addr = addr;
613 d->idxmap = idxmap;
614 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
615 RUN_ON_CPU_HOST_PTR(d));
616 }
617 }
618
619 void tlb_flush_page(CPUState *cpu, target_ulong addr)
620 {
621 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
622 }
623
624 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
625 uint16_t idxmap)
626 {
627 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
628
629 /* This should already be page aligned */
630 addr &= TARGET_PAGE_MASK;
631
632 /*
633 * Allocate memory to hold addr+idxmap only when needed.
634 * See tlb_flush_page_by_mmuidx for details.
635 */
636 if (idxmap < TARGET_PAGE_SIZE) {
637 flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
638 RUN_ON_CPU_TARGET_PTR(addr | idxmap));
639 } else {
640 CPUState *dst_cpu;
641
642 /* Allocate a separate data block for each destination cpu. */
643 CPU_FOREACH(dst_cpu) {
644 if (dst_cpu != src_cpu) {
645 TLBFlushPageByMMUIdxData *d
646 = g_new(TLBFlushPageByMMUIdxData, 1);
647
648 d->addr = addr;
649 d->idxmap = idxmap;
650 async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
651 RUN_ON_CPU_HOST_PTR(d));
652 }
653 }
654 }
655
656 tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
657 }
658
659 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
660 {
661 tlb_flush_page_by_mmuidx_all_cpus(src, addr, ALL_MMUIDX_BITS);
662 }
663
664 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
665 target_ulong addr,
666 uint16_t idxmap)
667 {
668 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
669
670 /* This should already be page aligned */
671 addr &= TARGET_PAGE_MASK;
672
673 /*
674 * Allocate memory to hold addr+idxmap only when needed.
675 * See tlb_flush_page_by_mmuidx for details.
676 */
677 if (idxmap < TARGET_PAGE_SIZE) {
678 flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
679 RUN_ON_CPU_TARGET_PTR(addr | idxmap));
680 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
681 RUN_ON_CPU_TARGET_PTR(addr | idxmap));
682 } else {
683 CPUState *dst_cpu;
684 TLBFlushPageByMMUIdxData *d;
685
686 /* Allocate a separate data block for each destination cpu. */
687 CPU_FOREACH(dst_cpu) {
688 if (dst_cpu != src_cpu) {
689 d = g_new(TLBFlushPageByMMUIdxData, 1);
690 d->addr = addr;
691 d->idxmap = idxmap;
692 async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
693 RUN_ON_CPU_HOST_PTR(d));
694 }
695 }
696
697 d = g_new(TLBFlushPageByMMUIdxData, 1);
698 d->addr = addr;
699 d->idxmap = idxmap;
700 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
701 RUN_ON_CPU_HOST_PTR(d));
702 }
703 }
704
705 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
706 {
707 tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
708 }
709
710 static void tlb_flush_page_bits_locked(CPUArchState *env, int midx,
711 target_ulong page, unsigned bits)
712 {
713 CPUTLBDesc *d = &env_tlb(env)->d[midx];
714 CPUTLBDescFast *f = &env_tlb(env)->f[midx];
715 target_ulong mask = MAKE_64BIT_MASK(0, bits);
716
717 /*
718 * If @bits is smaller than the tlb size, there may be multiple entries
719 * within the TLB; otherwise all addresses that match under @mask hit
720 * the same TLB entry.
721 *
722 * TODO: Perhaps allow bits to be a few bits less than the size.
723 * For now, just flush the entire TLB.
724 */
725 if (mask < f->mask) {
726 tlb_debug("forcing full flush midx %d ("
727 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
728 midx, page, mask);
729 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
730 return;
731 }
732
733 /* Check if we need to flush due to large pages. */
734 if ((page & d->large_page_mask) == d->large_page_addr) {
735 tlb_debug("forcing full flush midx %d ("
736 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
737 midx, d->large_page_addr, d->large_page_mask);
738 tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
739 return;
740 }
741
742 if (tlb_flush_entry_mask_locked(tlb_entry(env, midx, page), page, mask)) {
743 tlb_n_used_entries_dec(env, midx);
744 }
745 tlb_flush_vtlb_page_mask_locked(env, midx, page, mask);
746 }
747
748 typedef struct {
749 target_ulong addr;
750 uint16_t idxmap;
751 uint16_t bits;
752 } TLBFlushPageBitsByMMUIdxData;
753
754 static void
755 tlb_flush_page_bits_by_mmuidx_async_0(CPUState *cpu,
756 TLBFlushPageBitsByMMUIdxData d)
757 {
758 CPUArchState *env = cpu->env_ptr;
759 int mmu_idx;
760
761 assert_cpu_is_self(cpu);
762
763 tlb_debug("page addr:" TARGET_FMT_lx "/%u mmu_map:0x%x\n",
764 d.addr, d.bits, d.idxmap);
765
766 qemu_spin_lock(&env_tlb(env)->c.lock);
767 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
768 if ((d.idxmap >> mmu_idx) & 1) {
769 tlb_flush_page_bits_locked(env, mmu_idx, d.addr, d.bits);
770 }
771 }
772 qemu_spin_unlock(&env_tlb(env)->c.lock);
773
774 tb_flush_jmp_cache(cpu, d.addr);
775 }
776
777 static bool encode_pbm_to_runon(run_on_cpu_data *out,
778 TLBFlushPageBitsByMMUIdxData d)
779 {
780 /* We need 6 bits to hold to hold @bits up to 63. */
781 if (d.idxmap <= MAKE_64BIT_MASK(0, TARGET_PAGE_BITS - 6)) {
782 *out = RUN_ON_CPU_TARGET_PTR(d.addr | (d.idxmap << 6) | d.bits);
783 return true;
784 }
785 return false;
786 }
787
788 static TLBFlushPageBitsByMMUIdxData
789 decode_runon_to_pbm(run_on_cpu_data data)
790 {
791 target_ulong addr_map_bits = (target_ulong) data.target_ptr;
792 return (TLBFlushPageBitsByMMUIdxData){
793 .addr = addr_map_bits & TARGET_PAGE_MASK,
794 .idxmap = (addr_map_bits & ~TARGET_PAGE_MASK) >> 6,
795 .bits = addr_map_bits & 0x3f
796 };
797 }
798
799 static void tlb_flush_page_bits_by_mmuidx_async_1(CPUState *cpu,
800 run_on_cpu_data runon)
801 {
802 tlb_flush_page_bits_by_mmuidx_async_0(cpu, decode_runon_to_pbm(runon));
803 }
804
805 static void tlb_flush_page_bits_by_mmuidx_async_2(CPUState *cpu,
806 run_on_cpu_data data)
807 {
808 TLBFlushPageBitsByMMUIdxData *d = data.host_ptr;
809 tlb_flush_page_bits_by_mmuidx_async_0(cpu, *d);
810 g_free(d);
811 }
812
813 void tlb_flush_page_bits_by_mmuidx(CPUState *cpu, target_ulong addr,
814 uint16_t idxmap, unsigned bits)
815 {
816 TLBFlushPageBitsByMMUIdxData d;
817 run_on_cpu_data runon;
818
819 /* If all bits are significant, this devolves to tlb_flush_page. */
820 if (bits >= TARGET_LONG_BITS) {
821 tlb_flush_page_by_mmuidx(cpu, addr, idxmap);
822 return;
823 }
824 /* If no page bits are significant, this devolves to tlb_flush. */
825 if (bits < TARGET_PAGE_BITS) {
826 tlb_flush_by_mmuidx(cpu, idxmap);
827 return;
828 }
829
830 /* This should already be page aligned */
831 d.addr = addr & TARGET_PAGE_MASK;
832 d.idxmap = idxmap;
833 d.bits = bits;
834
835 if (qemu_cpu_is_self(cpu)) {
836 tlb_flush_page_bits_by_mmuidx_async_0(cpu, d);
837 } else if (encode_pbm_to_runon(&runon, d)) {
838 async_run_on_cpu(cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon);
839 } else {
840 TLBFlushPageBitsByMMUIdxData *p
841 = g_new(TLBFlushPageBitsByMMUIdxData, 1);
842
843 /* Otherwise allocate a structure, freed by the worker. */
844 *p = d;
845 async_run_on_cpu(cpu, tlb_flush_page_bits_by_mmuidx_async_2,
846 RUN_ON_CPU_HOST_PTR(p));
847 }
848 }
849
850 void tlb_flush_page_bits_by_mmuidx_all_cpus(CPUState *src_cpu,
851 target_ulong addr,
852 uint16_t idxmap,
853 unsigned bits)
854 {
855 TLBFlushPageBitsByMMUIdxData d;
856 run_on_cpu_data runon;
857
858 /* If all bits are significant, this devolves to tlb_flush_page. */
859 if (bits >= TARGET_LONG_BITS) {
860 tlb_flush_page_by_mmuidx_all_cpus(src_cpu, addr, idxmap);
861 return;
862 }
863 /* If no page bits are significant, this devolves to tlb_flush. */
864 if (bits < TARGET_PAGE_BITS) {
865 tlb_flush_by_mmuidx_all_cpus(src_cpu, idxmap);
866 return;
867 }
868
869 /* This should already be page aligned */
870 d.addr = addr & TARGET_PAGE_MASK;
871 d.idxmap = idxmap;
872 d.bits = bits;
873
874 if (encode_pbm_to_runon(&runon, d)) {
875 flush_all_helper(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon);
876 } else {
877 CPUState *dst_cpu;
878 TLBFlushPageBitsByMMUIdxData *p;
879
880 /* Allocate a separate data block for each destination cpu. */
881 CPU_FOREACH(dst_cpu) {
882 if (dst_cpu != src_cpu) {
883 p = g_new(TLBFlushPageBitsByMMUIdxData, 1);
884 *p = d;
885 async_run_on_cpu(dst_cpu,
886 tlb_flush_page_bits_by_mmuidx_async_2,
887 RUN_ON_CPU_HOST_PTR(p));
888 }
889 }
890 }
891
892 tlb_flush_page_bits_by_mmuidx_async_0(src_cpu, d);
893 }
894
895 void tlb_flush_page_bits_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
896 target_ulong addr,
897 uint16_t idxmap,
898 unsigned bits)
899 {
900 TLBFlushPageBitsByMMUIdxData d;
901 run_on_cpu_data runon;
902
903 /* If all bits are significant, this devolves to tlb_flush_page. */
904 if (bits >= TARGET_LONG_BITS) {
905 tlb_flush_page_by_mmuidx_all_cpus_synced(src_cpu, addr, idxmap);
906 return;
907 }
908 /* If no page bits are significant, this devolves to tlb_flush. */
909 if (bits < TARGET_PAGE_BITS) {
910 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, idxmap);
911 return;
912 }
913
914 /* This should already be page aligned */
915 d.addr = addr & TARGET_PAGE_MASK;
916 d.idxmap = idxmap;
917 d.bits = bits;
918
919 if (encode_pbm_to_runon(&runon, d)) {
920 flush_all_helper(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1, runon);
921 async_safe_run_on_cpu(src_cpu, tlb_flush_page_bits_by_mmuidx_async_1,
922 runon);
923 } else {
924 CPUState *dst_cpu;
925 TLBFlushPageBitsByMMUIdxData *p;
926
927 /* Allocate a separate data block for each destination cpu. */
928 CPU_FOREACH(dst_cpu) {
929 if (dst_cpu != src_cpu) {
930 p = g_new(TLBFlushPageBitsByMMUIdxData, 1);
931 *p = d;
932 async_run_on_cpu(dst_cpu, tlb_flush_page_bits_by_mmuidx_async_2,
933 RUN_ON_CPU_HOST_PTR(p));
934 }
935 }
936
937 p = g_new(TLBFlushPageBitsByMMUIdxData, 1);
938 *p = d;
939 async_safe_run_on_cpu(src_cpu, tlb_flush_page_bits_by_mmuidx_async_2,
940 RUN_ON_CPU_HOST_PTR(p));
941 }
942 }
943
944 /* update the TLBs so that writes to code in the virtual page 'addr'
945 can be detected */
946 void tlb_protect_code(ram_addr_t ram_addr)
947 {
948 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
949 DIRTY_MEMORY_CODE);
950 }
951
952 /* update the TLB so that writes in physical page 'phys_addr' are no longer
953 tested for self modifying code */
954 void tlb_unprotect_code(ram_addr_t ram_addr)
955 {
956 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
957 }
958
959
960 /*
961 * Dirty write flag handling
962 *
963 * When the TCG code writes to a location it looks up the address in
964 * the TLB and uses that data to compute the final address. If any of
965 * the lower bits of the address are set then the slow path is forced.
966 * There are a number of reasons to do this but for normal RAM the
967 * most usual is detecting writes to code regions which may invalidate
968 * generated code.
969 *
970 * Other vCPUs might be reading their TLBs during guest execution, so we update
971 * te->addr_write with qatomic_set. We don't need to worry about this for
972 * oversized guests as MTTCG is disabled for them.
973 *
974 * Called with tlb_c.lock held.
975 */
976 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
977 uintptr_t start, uintptr_t length)
978 {
979 uintptr_t addr = tlb_entry->addr_write;
980
981 if ((addr & (TLB_INVALID_MASK | TLB_MMIO |
982 TLB_DISCARD_WRITE | TLB_NOTDIRTY)) == 0) {
983 addr &= TARGET_PAGE_MASK;
984 addr += tlb_entry->addend;
985 if ((addr - start) < length) {
986 #if TCG_OVERSIZED_GUEST
987 tlb_entry->addr_write |= TLB_NOTDIRTY;
988 #else
989 qatomic_set(&tlb_entry->addr_write,
990 tlb_entry->addr_write | TLB_NOTDIRTY);
991 #endif
992 }
993 }
994 }
995
996 /*
997 * Called with tlb_c.lock held.
998 * Called only from the vCPU context, i.e. the TLB's owner thread.
999 */
1000 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
1001 {
1002 *d = *s;
1003 }
1004
1005 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
1006 * the target vCPU).
1007 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
1008 * thing actually updated is the target TLB entry ->addr_write flags.
1009 */
1010 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
1011 {
1012 CPUArchState *env;
1013
1014 int mmu_idx;
1015
1016 env = cpu->env_ptr;
1017 qemu_spin_lock(&env_tlb(env)->c.lock);
1018 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1019 unsigned int i;
1020 unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
1021
1022 for (i = 0; i < n; i++) {
1023 tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
1024 start1, length);
1025 }
1026
1027 for (i = 0; i < CPU_VTLB_SIZE; i++) {
1028 tlb_reset_dirty_range_locked(&env_tlb(env)->d[mmu_idx].vtable[i],
1029 start1, length);
1030 }
1031 }
1032 qemu_spin_unlock(&env_tlb(env)->c.lock);
1033 }
1034
1035 /* Called with tlb_c.lock held */
1036 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
1037 target_ulong vaddr)
1038 {
1039 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
1040 tlb_entry->addr_write = vaddr;
1041 }
1042 }
1043
1044 /* update the TLB corresponding to virtual page vaddr
1045 so that it is no longer dirty */
1046 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
1047 {
1048 CPUArchState *env = cpu->env_ptr;
1049 int mmu_idx;
1050
1051 assert_cpu_is_self(cpu);
1052
1053 vaddr &= TARGET_PAGE_MASK;
1054 qemu_spin_lock(&env_tlb(env)->c.lock);
1055 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1056 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
1057 }
1058
1059 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1060 int k;
1061 for (k = 0; k < CPU_VTLB_SIZE; k++) {
1062 tlb_set_dirty1_locked(&env_tlb(env)->d[mmu_idx].vtable[k], vaddr);
1063 }
1064 }
1065 qemu_spin_unlock(&env_tlb(env)->c.lock);
1066 }
1067
1068 /* Our TLB does not support large pages, so remember the area covered by
1069 large pages and trigger a full TLB flush if these are invalidated. */
1070 static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
1071 target_ulong vaddr, target_ulong size)
1072 {
1073 target_ulong lp_addr = env_tlb(env)->d[mmu_idx].large_page_addr;
1074 target_ulong lp_mask = ~(size - 1);
1075
1076 if (lp_addr == (target_ulong)-1) {
1077 /* No previous large page. */
1078 lp_addr = vaddr;
1079 } else {
1080 /* Extend the existing region to include the new page.
1081 This is a compromise between unnecessary flushes and
1082 the cost of maintaining a full variable size TLB. */
1083 lp_mask &= env_tlb(env)->d[mmu_idx].large_page_mask;
1084 while (((lp_addr ^ vaddr) & lp_mask) != 0) {
1085 lp_mask <<= 1;
1086 }
1087 }
1088 env_tlb(env)->d[mmu_idx].large_page_addr = lp_addr & lp_mask;
1089 env_tlb(env)->d[mmu_idx].large_page_mask = lp_mask;
1090 }
1091
1092 /* Add a new TLB entry. At most one entry for a given virtual address
1093 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
1094 * supplied size is only used by tlb_flush_page.
1095 *
1096 * Called from TCG-generated code, which is under an RCU read-side
1097 * critical section.
1098 */
1099 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
1100 hwaddr paddr, MemTxAttrs attrs, int prot,
1101 int mmu_idx, target_ulong size)
1102 {
1103 CPUArchState *env = cpu->env_ptr;
1104 CPUTLB *tlb = env_tlb(env);
1105 CPUTLBDesc *desc = &tlb->d[mmu_idx];
1106 MemoryRegionSection *section;
1107 unsigned int index;
1108 target_ulong address;
1109 target_ulong write_address;
1110 uintptr_t addend;
1111 CPUTLBEntry *te, tn;
1112 hwaddr iotlb, xlat, sz, paddr_page;
1113 target_ulong vaddr_page;
1114 int asidx = cpu_asidx_from_attrs(cpu, attrs);
1115 int wp_flags;
1116 bool is_ram, is_romd;
1117
1118 assert_cpu_is_self(cpu);
1119
1120 if (size <= TARGET_PAGE_SIZE) {
1121 sz = TARGET_PAGE_SIZE;
1122 } else {
1123 tlb_add_large_page(env, mmu_idx, vaddr, size);
1124 sz = size;
1125 }
1126 vaddr_page = vaddr & TARGET_PAGE_MASK;
1127 paddr_page = paddr & TARGET_PAGE_MASK;
1128
1129 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
1130 &xlat, &sz, attrs, &prot);
1131 assert(sz >= TARGET_PAGE_SIZE);
1132
1133 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
1134 " prot=%x idx=%d\n",
1135 vaddr, paddr, prot, mmu_idx);
1136
1137 address = vaddr_page;
1138 if (size < TARGET_PAGE_SIZE) {
1139 /* Repeat the MMU check and TLB fill on every access. */
1140 address |= TLB_INVALID_MASK;
1141 }
1142 if (attrs.byte_swap) {
1143 address |= TLB_BSWAP;
1144 }
1145
1146 is_ram = memory_region_is_ram(section->mr);
1147 is_romd = memory_region_is_romd(section->mr);
1148
1149 if (is_ram || is_romd) {
1150 /* RAM and ROMD both have associated host memory. */
1151 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
1152 } else {
1153 /* I/O does not; force the host address to NULL. */
1154 addend = 0;
1155 }
1156
1157 write_address = address;
1158 if (is_ram) {
1159 iotlb = memory_region_get_ram_addr(section->mr) + xlat;
1160 /*
1161 * Computing is_clean is expensive; avoid all that unless
1162 * the page is actually writable.
1163 */
1164 if (prot & PAGE_WRITE) {
1165 if (section->readonly) {
1166 write_address |= TLB_DISCARD_WRITE;
1167 } else if (cpu_physical_memory_is_clean(iotlb)) {
1168 write_address |= TLB_NOTDIRTY;
1169 }
1170 }
1171 } else {
1172 /* I/O or ROMD */
1173 iotlb = memory_region_section_get_iotlb(cpu, section) + xlat;
1174 /*
1175 * Writes to romd devices must go through MMIO to enable write.
1176 * Reads to romd devices go through the ram_ptr found above,
1177 * but of course reads to I/O must go through MMIO.
1178 */
1179 write_address |= TLB_MMIO;
1180 if (!is_romd) {
1181 address = write_address;
1182 }
1183 }
1184
1185 wp_flags = cpu_watchpoint_address_matches(cpu, vaddr_page,
1186 TARGET_PAGE_SIZE);
1187
1188 index = tlb_index(env, mmu_idx, vaddr_page);
1189 te = tlb_entry(env, mmu_idx, vaddr_page);
1190
1191 /*
1192 * Hold the TLB lock for the rest of the function. We could acquire/release
1193 * the lock several times in the function, but it is faster to amortize the
1194 * acquisition cost by acquiring it just once. Note that this leads to
1195 * a longer critical section, but this is not a concern since the TLB lock
1196 * is unlikely to be contended.
1197 */
1198 qemu_spin_lock(&tlb->c.lock);
1199
1200 /* Note that the tlb is no longer clean. */
1201 tlb->c.dirty |= 1 << mmu_idx;
1202
1203 /* Make sure there's no cached translation for the new page. */
1204 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);
1205
1206 /*
1207 * Only evict the old entry to the victim tlb if it's for a
1208 * different page; otherwise just overwrite the stale data.
1209 */
1210 if (!tlb_hit_page_anyprot(te, vaddr_page) && !tlb_entry_is_empty(te)) {
1211 unsigned vidx = desc->vindex++ % CPU_VTLB_SIZE;
1212 CPUTLBEntry *tv = &desc->vtable[vidx];
1213
1214 /* Evict the old entry into the victim tlb. */
1215 copy_tlb_helper_locked(tv, te);
1216 desc->viotlb[vidx] = desc->iotlb[index];
1217 tlb_n_used_entries_dec(env, mmu_idx);
1218 }
1219
1220 /* refill the tlb */
1221 /*
1222 * At this point iotlb contains a physical section number in the lower
1223 * TARGET_PAGE_BITS, and either
1224 * + the ram_addr_t of the page base of the target RAM (RAM)
1225 * + the offset within section->mr of the page base (I/O, ROMD)
1226 * We subtract the vaddr_page (which is page aligned and thus won't
1227 * disturb the low bits) to give an offset which can be added to the
1228 * (non-page-aligned) vaddr of the eventual memory access to get
1229 * the MemoryRegion offset for the access. Note that the vaddr we
1230 * subtract here is that of the page base, and not the same as the
1231 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
1232 */
1233 desc->iotlb[index].addr = iotlb - vaddr_page;
1234 desc->iotlb[index].attrs = attrs;
1235
1236 /* Now calculate the new entry */
1237 tn.addend = addend - vaddr_page;
1238 if (prot & PAGE_READ) {
1239 tn.addr_read = address;
1240 if (wp_flags & BP_MEM_READ) {
1241 tn.addr_read |= TLB_WATCHPOINT;
1242 }
1243 } else {
1244 tn.addr_read = -1;
1245 }
1246
1247 if (prot & PAGE_EXEC) {
1248 tn.addr_code = address;
1249 } else {
1250 tn.addr_code = -1;
1251 }
1252
1253 tn.addr_write = -1;
1254 if (prot & PAGE_WRITE) {
1255 tn.addr_write = write_address;
1256 if (prot & PAGE_WRITE_INV) {
1257 tn.addr_write |= TLB_INVALID_MASK;
1258 }
1259 if (wp_flags & BP_MEM_WRITE) {
1260 tn.addr_write |= TLB_WATCHPOINT;
1261 }
1262 }
1263
1264 copy_tlb_helper_locked(te, &tn);
1265 tlb_n_used_entries_inc(env, mmu_idx);
1266 qemu_spin_unlock(&tlb->c.lock);
1267 }
1268
1269 /* Add a new TLB entry, but without specifying the memory
1270 * transaction attributes to be used.
1271 */
1272 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
1273 hwaddr paddr, int prot,
1274 int mmu_idx, target_ulong size)
1275 {
1276 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
1277 prot, mmu_idx, size);
1278 }
1279
1280 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
1281 {
1282 ram_addr_t ram_addr;
1283
1284 ram_addr = qemu_ram_addr_from_host(ptr);
1285 if (ram_addr == RAM_ADDR_INVALID) {
1286 error_report("Bad ram pointer %p", ptr);
1287 abort();
1288 }
1289 return ram_addr;
1290 }
1291
1292 /*
1293 * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
1294 * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
1295 * be discarded and looked up again (e.g. via tlb_entry()).
1296 */
1297 static void tlb_fill(CPUState *cpu, target_ulong addr, int size,
1298 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
1299 {
1300 CPUClass *cc = CPU_GET_CLASS(cpu);
1301 bool ok;
1302
1303 /*
1304 * This is not a probe, so only valid return is success; failure
1305 * should result in exception + longjmp to the cpu loop.
1306 */
1307 ok = cc->tcg_ops->tlb_fill(cpu, addr, size,
1308 access_type, mmu_idx, false, retaddr);
1309 assert(ok);
1310 }
1311
1312 static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,
1313 MMUAccessType access_type,
1314 int mmu_idx, uintptr_t retaddr)
1315 {
1316 CPUClass *cc = CPU_GET_CLASS(cpu);
1317
1318 cc->tcg_ops->do_unaligned_access(cpu, addr, access_type, mmu_idx, retaddr);
1319 }
1320
1321 static inline void cpu_transaction_failed(CPUState *cpu, hwaddr physaddr,
1322 vaddr addr, unsigned size,
1323 MMUAccessType access_type,
1324 int mmu_idx, MemTxAttrs attrs,
1325 MemTxResult response,
1326 uintptr_t retaddr)
1327 {
1328 CPUClass *cc = CPU_GET_CLASS(cpu);
1329
1330 if (!cpu->ignore_memory_transaction_failures &&
1331 cc->tcg_ops->do_transaction_failed) {
1332 cc->tcg_ops->do_transaction_failed(cpu, physaddr, addr, size,
1333 access_type, mmu_idx, attrs,
1334 response, retaddr);
1335 }
1336 }
1337
1338 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
1339 int mmu_idx, target_ulong addr, uintptr_t retaddr,
1340 MMUAccessType access_type, MemOp op)
1341 {
1342 CPUState *cpu = env_cpu(env);
1343 hwaddr mr_offset;
1344 MemoryRegionSection *section;
1345 MemoryRegion *mr;
1346 uint64_t val;
1347 bool locked = false;
1348 MemTxResult r;
1349
1350 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
1351 mr = section->mr;
1352 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
1353 cpu->mem_io_pc = retaddr;
1354 if (!cpu->can_do_io) {
1355 cpu_io_recompile(cpu, retaddr);
1356 }
1357
1358 if (!qemu_mutex_iothread_locked()) {
1359 qemu_mutex_lock_iothread();
1360 locked = true;
1361 }
1362 r = memory_region_dispatch_read(mr, mr_offset, &val, op, iotlbentry->attrs);
1363 if (r != MEMTX_OK) {
1364 hwaddr physaddr = mr_offset +
1365 section->offset_within_address_space -
1366 section->offset_within_region;
1367
1368 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op), access_type,
1369 mmu_idx, iotlbentry->attrs, r, retaddr);
1370 }
1371 if (locked) {
1372 qemu_mutex_unlock_iothread();
1373 }
1374
1375 return val;
1376 }
1377
1378 /*
1379 * Save a potentially trashed IOTLB entry for later lookup by plugin.
1380 * This is read by tlb_plugin_lookup if the iotlb entry doesn't match
1381 * because of the side effect of io_writex changing memory layout.
1382 */
1383 static void save_iotlb_data(CPUState *cs, hwaddr addr,
1384 MemoryRegionSection *section, hwaddr mr_offset)
1385 {
1386 #ifdef CONFIG_PLUGIN
1387 SavedIOTLB *saved = &cs->saved_iotlb;
1388 saved->addr = addr;
1389 saved->section = section;
1390 saved->mr_offset = mr_offset;
1391 #endif
1392 }
1393
1394 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
1395 int mmu_idx, uint64_t val, target_ulong addr,
1396 uintptr_t retaddr, MemOp op)
1397 {
1398 CPUState *cpu = env_cpu(env);
1399 hwaddr mr_offset;
1400 MemoryRegionSection *section;
1401 MemoryRegion *mr;
1402 bool locked = false;
1403 MemTxResult r;
1404
1405 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
1406 mr = section->mr;
1407 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
1408 if (!cpu->can_do_io) {
1409 cpu_io_recompile(cpu, retaddr);
1410 }
1411 cpu->mem_io_pc = retaddr;
1412
1413 /*
1414 * The memory_region_dispatch may trigger a flush/resize
1415 * so for plugins we save the iotlb_data just in case.
1416 */
1417 save_iotlb_data(cpu, iotlbentry->addr, section, mr_offset);
1418
1419 if (!qemu_mutex_iothread_locked()) {
1420 qemu_mutex_lock_iothread();
1421 locked = true;
1422 }
1423 r = memory_region_dispatch_write(mr, mr_offset, val, op, iotlbentry->attrs);
1424 if (r != MEMTX_OK) {
1425 hwaddr physaddr = mr_offset +
1426 section->offset_within_address_space -
1427 section->offset_within_region;
1428
1429 cpu_transaction_failed(cpu, physaddr, addr, memop_size(op),
1430 MMU_DATA_STORE, mmu_idx, iotlbentry->attrs, r,
1431 retaddr);
1432 }
1433 if (locked) {
1434 qemu_mutex_unlock_iothread();
1435 }
1436 }
1437
1438 static inline target_ulong tlb_read_ofs(CPUTLBEntry *entry, size_t ofs)
1439 {
1440 #if TCG_OVERSIZED_GUEST
1441 return *(target_ulong *)((uintptr_t)entry + ofs);
1442 #else
1443 /* ofs might correspond to .addr_write, so use qatomic_read */
1444 return qatomic_read((target_ulong *)((uintptr_t)entry + ofs));
1445 #endif
1446 }
1447
1448 /* Return true if ADDR is present in the victim tlb, and has been copied
1449 back to the main tlb. */
1450 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
1451 size_t elt_ofs, target_ulong page)
1452 {
1453 size_t vidx;
1454
1455 assert_cpu_is_self(env_cpu(env));
1456 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
1457 CPUTLBEntry *vtlb = &env_tlb(env)->d[mmu_idx].vtable[vidx];
1458 target_ulong cmp;
1459
1460 /* elt_ofs might correspond to .addr_write, so use qatomic_read */
1461 #if TCG_OVERSIZED_GUEST
1462 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
1463 #else
1464 cmp = qatomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
1465 #endif
1466
1467 if (cmp == page) {
1468 /* Found entry in victim tlb, swap tlb and iotlb. */
1469 CPUTLBEntry tmptlb, *tlb = &env_tlb(env)->f[mmu_idx].table[index];
1470
1471 qemu_spin_lock(&env_tlb(env)->c.lock);
1472 copy_tlb_helper_locked(&tmptlb, tlb);
1473 copy_tlb_helper_locked(tlb, vtlb);
1474 copy_tlb_helper_locked(vtlb, &tmptlb);
1475 qemu_spin_unlock(&env_tlb(env)->c.lock);
1476
1477 CPUIOTLBEntry tmpio, *io = &env_tlb(env)->d[mmu_idx].iotlb[index];
1478 CPUIOTLBEntry *vio = &env_tlb(env)->d[mmu_idx].viotlb[vidx];
1479 tmpio = *io; *io = *vio; *vio = tmpio;
1480 return true;
1481 }
1482 }
1483 return false;
1484 }
1485
1486 /* Macro to call the above, with local variables from the use context. */
1487 #define VICTIM_TLB_HIT(TY, ADDR) \
1488 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
1489 (ADDR) & TARGET_PAGE_MASK)
1490
1491 /*
1492 * Return a ram_addr_t for the virtual address for execution.
1493 *
1494 * Return -1 if we can't translate and execute from an entire page
1495 * of RAM. This will force us to execute by loading and translating
1496 * one insn at a time, without caching.
1497 *
1498 * NOTE: This function will trigger an exception if the page is
1499 * not executable.
1500 */
1501 tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
1502 void **hostp)
1503 {
1504 uintptr_t mmu_idx = cpu_mmu_index(env, true);
1505 uintptr_t index = tlb_index(env, mmu_idx, addr);
1506 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1507 void *p;
1508
1509 if (unlikely(!tlb_hit(entry->addr_code, addr))) {
1510 if (!VICTIM_TLB_HIT(addr_code, addr)) {
1511 tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
1512 index = tlb_index(env, mmu_idx, addr);
1513 entry = tlb_entry(env, mmu_idx, addr);
1514
1515 if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
1516 /*
1517 * The MMU protection covers a smaller range than a target
1518 * page, so we must redo the MMU check for every insn.
1519 */
1520 return -1;
1521 }
1522 }
1523 assert(tlb_hit(entry->addr_code, addr));
1524 }
1525
1526 if (unlikely(entry->addr_code & TLB_MMIO)) {
1527 /* The region is not backed by RAM. */
1528 if (hostp) {
1529 *hostp = NULL;
1530 }
1531 return -1;
1532 }
1533
1534 p = (void *)((uintptr_t)addr + entry->addend);
1535 if (hostp) {
1536 *hostp = p;
1537 }
1538 return qemu_ram_addr_from_host_nofail(p);
1539 }
1540
1541 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
1542 {
1543 return get_page_addr_code_hostp(env, addr, NULL);
1544 }
1545
1546 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
1547 CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
1548 {
1549 ram_addr_t ram_addr = mem_vaddr + iotlbentry->addr;
1550
1551 trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size);
1552
1553 if (!cpu_physical_memory_get_dirty_flag(ram_addr, DIRTY_MEMORY_CODE)) {
1554 struct page_collection *pages
1555 = page_collection_lock(ram_addr, ram_addr + size);
1556 tb_invalidate_phys_page_fast(pages, ram_addr, size, retaddr);
1557 page_collection_unlock(pages);
1558 }
1559
1560 /*
1561 * Set both VGA and migration bits for simplicity and to remove
1562 * the notdirty callback faster.
1563 */
1564 cpu_physical_memory_set_dirty_range(ram_addr, size, DIRTY_CLIENTS_NOCODE);
1565
1566 /* We remove the notdirty callback only if the code has been flushed. */
1567 if (!cpu_physical_memory_is_clean(ram_addr)) {
1568 trace_memory_notdirty_set_dirty(mem_vaddr);
1569 tlb_set_dirty(cpu, mem_vaddr);
1570 }
1571 }
1572
1573 static int probe_access_internal(CPUArchState *env, target_ulong addr,
1574 int fault_size, MMUAccessType access_type,
1575 int mmu_idx, bool nonfault,
1576 void **phost, uintptr_t retaddr)
1577 {
1578 uintptr_t index = tlb_index(env, mmu_idx, addr);
1579 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1580 target_ulong tlb_addr, page_addr;
1581 size_t elt_ofs;
1582 int flags;
1583
1584 switch (access_type) {
1585 case MMU_DATA_LOAD:
1586 elt_ofs = offsetof(CPUTLBEntry, addr_read);
1587 break;
1588 case MMU_DATA_STORE:
1589 elt_ofs = offsetof(CPUTLBEntry, addr_write);
1590 break;
1591 case MMU_INST_FETCH:
1592 elt_ofs = offsetof(CPUTLBEntry, addr_code);
1593 break;
1594 default:
1595 g_assert_not_reached();
1596 }
1597 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1598
1599 page_addr = addr & TARGET_PAGE_MASK;
1600 if (!tlb_hit_page(tlb_addr, page_addr)) {
1601 if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) {
1602 CPUState *cs = env_cpu(env);
1603 CPUClass *cc = CPU_GET_CLASS(cs);
1604
1605 if (!cc->tcg_ops->tlb_fill(cs, addr, fault_size, access_type,
1606 mmu_idx, nonfault, retaddr)) {
1607 /* Non-faulting page table read failed. */
1608 *phost = NULL;
1609 return TLB_INVALID_MASK;
1610 }
1611
1612 /* TLB resize via tlb_fill may have moved the entry. */
1613 entry = tlb_entry(env, mmu_idx, addr);
1614 }
1615 tlb_addr = tlb_read_ofs(entry, elt_ofs);
1616 }
1617 flags = tlb_addr & TLB_FLAGS_MASK;
1618
1619 /* Fold all "mmio-like" bits into TLB_MMIO. This is not RAM. */
1620 if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY))) {
1621 *phost = NULL;
1622 return TLB_MMIO;
1623 }
1624
1625 /* Everything else is RAM. */
1626 *phost = (void *)((uintptr_t)addr + entry->addend);
1627 return flags;
1628 }
1629
1630 int probe_access_flags(CPUArchState *env, target_ulong addr,
1631 MMUAccessType access_type, int mmu_idx,
1632 bool nonfault, void **phost, uintptr_t retaddr)
1633 {
1634 int flags;
1635
1636 flags = probe_access_internal(env, addr, 0, access_type, mmu_idx,
1637 nonfault, phost, retaddr);
1638
1639 /* Handle clean RAM pages. */
1640 if (unlikely(flags & TLB_NOTDIRTY)) {
1641 uintptr_t index = tlb_index(env, mmu_idx, addr);
1642 CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1643
1644 notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
1645 flags &= ~TLB_NOTDIRTY;
1646 }
1647
1648 return flags;
1649 }
1650
1651 void *probe_access(CPUArchState *env, target_ulong addr, int size,
1652 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
1653 {
1654 void *host;
1655 int flags;
1656
1657 g_assert(-(addr | TARGET_PAGE_MASK) >= size);
1658
1659 flags = probe_access_internal(env, addr, size, access_type, mmu_idx,
1660 false, &host, retaddr);
1661
1662 /* Per the interface, size == 0 merely faults the access. */
1663 if (size == 0) {
1664 return NULL;
1665 }
1666
1667 if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) {
1668 uintptr_t index = tlb_index(env, mmu_idx, addr);
1669 CPUIOTLBEntry *iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1670
1671 /* Handle watchpoints. */
1672 if (flags & TLB_WATCHPOINT) {
1673 int wp_access = (access_type == MMU_DATA_STORE
1674 ? BP_MEM_WRITE : BP_MEM_READ);
1675 cpu_check_watchpoint(env_cpu(env), addr, size,
1676 iotlbentry->attrs, wp_access, retaddr);
1677 }
1678
1679 /* Handle clean RAM pages. */
1680 if (flags & TLB_NOTDIRTY) {
1681 notdirty_write(env_cpu(env), addr, 1, iotlbentry, retaddr);
1682 }
1683 }
1684
1685 return host;
1686 }
1687
1688 void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
1689 MMUAccessType access_type, int mmu_idx)
1690 {
1691 void *host;
1692 int flags;
1693
1694 flags = probe_access_internal(env, addr, 0, access_type,
1695 mmu_idx, true, &host, 0);
1696
1697 /* No combination of flags are expected by the caller. */
1698 return flags ? NULL : host;
1699 }
1700
1701 #ifdef CONFIG_PLUGIN
1702 /*
1703 * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
1704 * This should be a hot path as we will have just looked this path up
1705 * in the softmmu lookup code (or helper). We don't handle re-fills or
1706 * checking the victim table. This is purely informational.
1707 *
1708 * This almost never fails as the memory access being instrumented
1709 * should have just filled the TLB. The one corner case is io_writex
1710 * which can cause TLB flushes and potential resizing of the TLBs
1711 * losing the information we need. In those cases we need to recover
1712 * data from a copy of the iotlbentry. As long as this always occurs
1713 * from the same thread (which a mem callback will be) this is safe.
1714 */
1715
1716 bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx,
1717 bool is_store, struct qemu_plugin_hwaddr *data)
1718 {
1719 CPUArchState *env = cpu->env_ptr;
1720 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
1721 uintptr_t index = tlb_index(env, mmu_idx, addr);
1722 target_ulong tlb_addr = is_store ? tlb_addr_write(tlbe) : tlbe->addr_read;
1723
1724 if (likely(tlb_hit(tlb_addr, addr))) {
1725 /* We must have an iotlb entry for MMIO */
1726 if (tlb_addr & TLB_MMIO) {
1727 CPUIOTLBEntry *iotlbentry;
1728 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1729 data->is_io = true;
1730 data->v.io.section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
1731 data->v.io.offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
1732 } else {
1733 data->is_io = false;
1734 data->v.ram.hostaddr = addr + tlbe->addend;
1735 }
1736 return true;
1737 } else {
1738 SavedIOTLB *saved = &cpu->saved_iotlb;
1739 data->is_io = true;
1740 data->v.io.section = saved->section;
1741 data->v.io.offset = saved->mr_offset;
1742 return true;
1743 }
1744 }
1745
1746 #endif
1747
1748 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
1749 * operations, or io operations to proceed. Return the host address. */
1750 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
1751 TCGMemOpIdx oi, uintptr_t retaddr)
1752 {
1753 size_t mmu_idx = get_mmuidx(oi);
1754 uintptr_t index = tlb_index(env, mmu_idx, addr);
1755 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
1756 target_ulong tlb_addr = tlb_addr_write(tlbe);
1757 MemOp mop = get_memop(oi);
1758 int a_bits = get_alignment_bits(mop);
1759 int s_bits = mop & MO_SIZE;
1760 void *hostaddr;
1761
1762 /* Adjust the given return address. */
1763 retaddr -= GETPC_ADJ;
1764
1765 /* Enforce guest required alignment. */
1766 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
1767 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
1768 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
1769 mmu_idx, retaddr);
1770 }
1771
1772 /* Enforce qemu required alignment. */
1773 if (unlikely(addr & ((1 << s_bits) - 1))) {
1774 /* We get here if guest alignment was not requested,
1775 or was not enforced by cpu_unaligned_access above.
1776 We might widen the access and emulate, but for now
1777 mark an exception and exit the cpu loop. */
1778 goto stop_the_world;
1779 }
1780
1781 /* Check TLB entry and enforce page permissions. */
1782 if (!tlb_hit(tlb_addr, addr)) {
1783 if (!VICTIM_TLB_HIT(addr_write, addr)) {
1784 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_STORE,
1785 mmu_idx, retaddr);
1786 index = tlb_index(env, mmu_idx, addr);
1787 tlbe = tlb_entry(env, mmu_idx, addr);
1788 }
1789 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
1790 }
1791
1792 /* Notice an IO access or a needs-MMU-lookup access */
1793 if (unlikely(tlb_addr & TLB_MMIO)) {
1794 /* There's really nothing that can be done to
1795 support this apart from stop-the-world. */
1796 goto stop_the_world;
1797 }
1798
1799 /* Let the guest notice RMW on a write-only page. */
1800 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
1801 tlb_fill(env_cpu(env), addr, 1 << s_bits, MMU_DATA_LOAD,
1802 mmu_idx, retaddr);
1803 /* Since we don't support reads and writes to different addresses,
1804 and we do have the proper page loaded for write, this shouldn't
1805 ever return. But just in case, handle via stop-the-world. */
1806 goto stop_the_world;
1807 }
1808
1809 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
1810
1811 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
1812 notdirty_write(env_cpu(env), addr, 1 << s_bits,
1813 &env_tlb(env)->d[mmu_idx].iotlb[index], retaddr);
1814 }
1815
1816 return hostaddr;
1817
1818 stop_the_world:
1819 cpu_loop_exit_atomic(env_cpu(env), retaddr);
1820 }
1821
1822 /*
1823 * Load Helpers
1824 *
1825 * We support two different access types. SOFTMMU_CODE_ACCESS is
1826 * specifically for reading instructions from system memory. It is
1827 * called by the translation loop and in some helpers where the code
1828 * is disassembled. It shouldn't be called directly by guest code.
1829 */
1830
1831 typedef uint64_t FullLoadHelper(CPUArchState *env, target_ulong addr,
1832 TCGMemOpIdx oi, uintptr_t retaddr);
1833
1834 static inline uint64_t QEMU_ALWAYS_INLINE
1835 load_memop(const void *haddr, MemOp op)
1836 {
1837 switch (op) {
1838 case MO_UB:
1839 return ldub_p(haddr);
1840 case MO_BEUW:
1841 return lduw_be_p(haddr);
1842 case MO_LEUW:
1843 return lduw_le_p(haddr);
1844 case MO_BEUL:
1845 return (uint32_t)ldl_be_p(haddr);
1846 case MO_LEUL:
1847 return (uint32_t)ldl_le_p(haddr);
1848 case MO_BEQ:
1849 return ldq_be_p(haddr);
1850 case MO_LEQ:
1851 return ldq_le_p(haddr);
1852 default:
1853 qemu_build_not_reached();
1854 }
1855 }
1856
1857 static inline uint64_t QEMU_ALWAYS_INLINE
1858 load_helper(CPUArchState *env, target_ulong addr, TCGMemOpIdx oi,
1859 uintptr_t retaddr, MemOp op, bool code_read,
1860 FullLoadHelper *full_load)
1861 {
1862 uintptr_t mmu_idx = get_mmuidx(oi);
1863 uintptr_t index = tlb_index(env, mmu_idx, addr);
1864 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
1865 target_ulong tlb_addr = code_read ? entry->addr_code : entry->addr_read;
1866 const size_t tlb_off = code_read ?
1867 offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read);
1868 const MMUAccessType access_type =
1869 code_read ? MMU_INST_FETCH : MMU_DATA_LOAD;
1870 unsigned a_bits = get_alignment_bits(get_memop(oi));
1871 void *haddr;
1872 uint64_t res;
1873 size_t size = memop_size(op);
1874
1875 /* Handle CPU specific unaligned behaviour */
1876 if (addr & ((1 << a_bits) - 1)) {
1877 cpu_unaligned_access(env_cpu(env), addr, access_type,
1878 mmu_idx, retaddr);
1879 }
1880
1881 /* If the TLB entry is for a different page, reload and try again. */
1882 if (!tlb_hit(tlb_addr, addr)) {
1883 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
1884 addr & TARGET_PAGE_MASK)) {
1885 tlb_fill(env_cpu(env), addr, size,
1886 access_type, mmu_idx, retaddr);
1887 index = tlb_index(env, mmu_idx, addr);
1888 entry = tlb_entry(env, mmu_idx, addr);
1889 }
1890 tlb_addr = code_read ? entry->addr_code : entry->addr_read;
1891 tlb_addr &= ~TLB_INVALID_MASK;
1892 }
1893
1894 /* Handle anything that isn't just a straight memory access. */
1895 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
1896 CPUIOTLBEntry *iotlbentry;
1897 bool need_swap;
1898
1899 /* For anything that is unaligned, recurse through full_load. */
1900 if ((addr & (size - 1)) != 0) {
1901 goto do_unaligned_access;
1902 }
1903
1904 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
1905
1906 /* Handle watchpoints. */
1907 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
1908 /* On watchpoint hit, this will longjmp out. */
1909 cpu_check_watchpoint(env_cpu(env), addr, size,
1910 iotlbentry->attrs, BP_MEM_READ, retaddr);
1911 }
1912
1913 need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
1914
1915 /* Handle I/O access. */
1916 if (likely(tlb_addr & TLB_MMIO)) {
1917 return io_readx(env, iotlbentry, mmu_idx, addr, retaddr,
1918 access_type, op ^ (need_swap * MO_BSWAP));
1919 }
1920
1921 haddr = (void *)((uintptr_t)addr + entry->addend);
1922
1923 /*
1924 * Keep these two load_memop separate to ensure that the compiler
1925 * is able to fold the entire function to a single instruction.
1926 * There is a build-time assert inside to remind you of this. ;-)
1927 */
1928 if (unlikely(need_swap)) {
1929 return load_memop(haddr, op ^ MO_BSWAP);
1930 }
1931 return load_memop(haddr, op);
1932 }
1933
1934 /* Handle slow unaligned access (it spans two pages or IO). */
1935 if (size > 1
1936 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
1937 >= TARGET_PAGE_SIZE)) {
1938 target_ulong addr1, addr2;
1939 uint64_t r1, r2;
1940 unsigned shift;
1941 do_unaligned_access:
1942 addr1 = addr & ~((target_ulong)size - 1);
1943 addr2 = addr1 + size;
1944 r1 = full_load(env, addr1, oi, retaddr);
1945 r2 = full_load(env, addr2, oi, retaddr);
1946 shift = (addr & (size - 1)) * 8;
1947
1948 if (memop_big_endian(op)) {
1949 /* Big-endian combine. */
1950 res = (r1 << shift) | (r2 >> ((size * 8) - shift));
1951 } else {
1952 /* Little-endian combine. */
1953 res = (r1 >> shift) | (r2 << ((size * 8) - shift));
1954 }
1955 return res & MAKE_64BIT_MASK(0, size * 8);
1956 }
1957
1958 haddr = (void *)((uintptr_t)addr + entry->addend);
1959 return load_memop(haddr, op);
1960 }
1961
1962 /*
1963 * For the benefit of TCG generated code, we want to avoid the
1964 * complication of ABI-specific return type promotion and always
1965 * return a value extended to the register size of the host. This is
1966 * tcg_target_long, except in the case of a 32-bit host and 64-bit
1967 * data, and for that we always have uint64_t.
1968 *
1969 * We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
1970 */
1971
1972 static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
1973 TCGMemOpIdx oi, uintptr_t retaddr)
1974 {
1975 return load_helper(env, addr, oi, retaddr, MO_UB, false, full_ldub_mmu);
1976 }
1977
1978 tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
1979 TCGMemOpIdx oi, uintptr_t retaddr)
1980 {
1981 return full_ldub_mmu(env, addr, oi, retaddr);
1982 }
1983
1984 static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
1985 TCGMemOpIdx oi, uintptr_t retaddr)
1986 {
1987 return load_helper(env, addr, oi, retaddr, MO_LEUW, false,
1988 full_le_lduw_mmu);
1989 }
1990
1991 tcg_target_ulong helper_le_lduw_mmu(CPUArchState *env, target_ulong addr,
1992 TCGMemOpIdx oi, uintptr_t retaddr)
1993 {
1994 return full_le_lduw_mmu(env, addr, oi, retaddr);
1995 }
1996
1997 static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
1998 TCGMemOpIdx oi, uintptr_t retaddr)
1999 {
2000 return load_helper(env, addr, oi, retaddr, MO_BEUW, false,
2001 full_be_lduw_mmu);
2002 }
2003
2004 tcg_target_ulong helper_be_lduw_mmu(CPUArchState *env, target_ulong addr,
2005 TCGMemOpIdx oi, uintptr_t retaddr)
2006 {
2007 return full_be_lduw_mmu(env, addr, oi, retaddr);
2008 }
2009
2010 static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
2011 TCGMemOpIdx oi, uintptr_t retaddr)
2012 {
2013 return load_helper(env, addr, oi, retaddr, MO_LEUL, false,
2014 full_le_ldul_mmu);
2015 }
2016
2017 tcg_target_ulong helper_le_ldul_mmu(CPUArchState *env, target_ulong addr,
2018 TCGMemOpIdx oi, uintptr_t retaddr)
2019 {
2020 return full_le_ldul_mmu(env, addr, oi, retaddr);
2021 }
2022
2023 static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
2024 TCGMemOpIdx oi, uintptr_t retaddr)
2025 {
2026 return load_helper(env, addr, oi, retaddr, MO_BEUL, false,
2027 full_be_ldul_mmu);
2028 }
2029
2030 tcg_target_ulong helper_be_ldul_mmu(CPUArchState *env, target_ulong addr,
2031 TCGMemOpIdx oi, uintptr_t retaddr)
2032 {
2033 return full_be_ldul_mmu(env, addr, oi, retaddr);
2034 }
2035
2036 uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
2037 TCGMemOpIdx oi, uintptr_t retaddr)
2038 {
2039 return load_helper(env, addr, oi, retaddr, MO_LEQ, false,
2040 helper_le_ldq_mmu);
2041 }
2042
2043 uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
2044 TCGMemOpIdx oi, uintptr_t retaddr)
2045 {
2046 return load_helper(env, addr, oi, retaddr, MO_BEQ, false,
2047 helper_be_ldq_mmu);
2048 }
2049
2050 /*
2051 * Provide signed versions of the load routines as well. We can of course
2052 * avoid this for 64-bit data, or for 32-bit data on 32-bit host.
2053 */
2054
2055
2056 tcg_target_ulong helper_ret_ldsb_mmu(CPUArchState *env, target_ulong addr,
2057 TCGMemOpIdx oi, uintptr_t retaddr)
2058 {
2059 return (int8_t)helper_ret_ldub_mmu(env, addr, oi, retaddr);
2060 }
2061
2062 tcg_target_ulong helper_le_ldsw_mmu(CPUArchState *env, target_ulong addr,
2063 TCGMemOpIdx oi, uintptr_t retaddr)
2064 {
2065 return (int16_t)helper_le_lduw_mmu(env, addr, oi, retaddr);
2066 }
2067
2068 tcg_target_ulong helper_be_ldsw_mmu(CPUArchState *env, target_ulong addr,
2069 TCGMemOpIdx oi, uintptr_t retaddr)
2070 {
2071 return (int16_t)helper_be_lduw_mmu(env, addr, oi, retaddr);
2072 }
2073
2074 tcg_target_ulong helper_le_ldsl_mmu(CPUArchState *env, target_ulong addr,
2075 TCGMemOpIdx oi, uintptr_t retaddr)
2076 {
2077 return (int32_t)helper_le_ldul_mmu(env, addr, oi, retaddr);
2078 }
2079
2080 tcg_target_ulong helper_be_ldsl_mmu(CPUArchState *env, target_ulong addr,
2081 TCGMemOpIdx oi, uintptr_t retaddr)
2082 {
2083 return (int32_t)helper_be_ldul_mmu(env, addr, oi, retaddr);
2084 }
2085
2086 /*
2087 * Load helpers for cpu_ldst.h.
2088 */
2089
2090 static inline uint64_t cpu_load_helper(CPUArchState *env, abi_ptr addr,
2091 int mmu_idx, uintptr_t retaddr,
2092 MemOp op, FullLoadHelper *full_load)
2093 {
2094 uint16_t meminfo;
2095 TCGMemOpIdx oi;
2096 uint64_t ret;
2097
2098 meminfo = trace_mem_get_info(op, mmu_idx, false);
2099 trace_guest_mem_before_exec(env_cpu(env), addr, meminfo);
2100
2101 op &= ~MO_SIGN;
2102 oi = make_memop_idx(op, mmu_idx);
2103 ret = full_load(env, addr, oi, retaddr);
2104
2105 qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, meminfo);
2106
2107 return ret;
2108 }
2109
2110 uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2111 int mmu_idx, uintptr_t ra)
2112 {
2113 return cpu_load_helper(env, addr, mmu_idx, ra, MO_UB, full_ldub_mmu);
2114 }
2115
2116 int cpu_ldsb_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2117 int mmu_idx, uintptr_t ra)
2118 {
2119 return (int8_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_SB,
2120 full_ldub_mmu);
2121 }
2122
2123 uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2124 int mmu_idx, uintptr_t ra)
2125 {
2126 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUW, full_be_lduw_mmu);
2127 }
2128
2129 int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2130 int mmu_idx, uintptr_t ra)
2131 {
2132 return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_BESW,
2133 full_be_lduw_mmu);
2134 }
2135
2136 uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2137 int mmu_idx, uintptr_t ra)
2138 {
2139 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEUL, full_be_ldul_mmu);
2140 }
2141
2142 uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2143 int mmu_idx, uintptr_t ra)
2144 {
2145 return cpu_load_helper(env, addr, mmu_idx, ra, MO_BEQ, helper_be_ldq_mmu);
2146 }
2147
2148 uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2149 int mmu_idx, uintptr_t ra)
2150 {
2151 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUW, full_le_lduw_mmu);
2152 }
2153
2154 int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2155 int mmu_idx, uintptr_t ra)
2156 {
2157 return (int16_t)cpu_load_helper(env, addr, mmu_idx, ra, MO_LESW,
2158 full_le_lduw_mmu);
2159 }
2160
2161 uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2162 int mmu_idx, uintptr_t ra)
2163 {
2164 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEUL, full_le_ldul_mmu);
2165 }
2166
2167 uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
2168 int mmu_idx, uintptr_t ra)
2169 {
2170 return cpu_load_helper(env, addr, mmu_idx, ra, MO_LEQ, helper_le_ldq_mmu);
2171 }
2172
2173 uint32_t cpu_ldub_data_ra(CPUArchState *env, target_ulong ptr,
2174 uintptr_t retaddr)
2175 {
2176 return cpu_ldub_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2177 }
2178
2179 int cpu_ldsb_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
2180 {
2181 return cpu_ldsb_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2182 }
2183
2184 uint32_t cpu_lduw_be_data_ra(CPUArchState *env, target_ulong ptr,
2185 uintptr_t retaddr)
2186 {
2187 return cpu_lduw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2188 }
2189
2190 int cpu_ldsw_be_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
2191 {
2192 return cpu_ldsw_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2193 }
2194
2195 uint32_t cpu_ldl_be_data_ra(CPUArchState *env, target_ulong ptr,
2196 uintptr_t retaddr)
2197 {
2198 return cpu_ldl_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2199 }
2200
2201 uint64_t cpu_ldq_be_data_ra(CPUArchState *env, target_ulong ptr,
2202 uintptr_t retaddr)
2203 {
2204 return cpu_ldq_be_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2205 }
2206
2207 uint32_t cpu_lduw_le_data_ra(CPUArchState *env, target_ulong ptr,
2208 uintptr_t retaddr)
2209 {
2210 return cpu_lduw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2211 }
2212
2213 int cpu_ldsw_le_data_ra(CPUArchState *env, target_ulong ptr, uintptr_t retaddr)
2214 {
2215 return cpu_ldsw_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2216 }
2217
2218 uint32_t cpu_ldl_le_data_ra(CPUArchState *env, target_ulong ptr,
2219 uintptr_t retaddr)
2220 {
2221 return cpu_ldl_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2222 }
2223
2224 uint64_t cpu_ldq_le_data_ra(CPUArchState *env, target_ulong ptr,
2225 uintptr_t retaddr)
2226 {
2227 return cpu_ldq_le_mmuidx_ra(env, ptr, cpu_mmu_index(env, false), retaddr);
2228 }
2229
2230 uint32_t cpu_ldub_data(CPUArchState *env, target_ulong ptr)
2231 {
2232 return cpu_ldub_data_ra(env, ptr, 0);
2233 }
2234
2235 int cpu_ldsb_data(CPUArchState *env, target_ulong ptr)
2236 {
2237 return cpu_ldsb_data_ra(env, ptr, 0);
2238 }
2239
2240 uint32_t cpu_lduw_be_data(CPUArchState *env, target_ulong ptr)
2241 {
2242 return cpu_lduw_be_data_ra(env, ptr, 0);
2243 }
2244
2245 int cpu_ldsw_be_data(CPUArchState *env, target_ulong ptr)
2246 {
2247 return cpu_ldsw_be_data_ra(env, ptr, 0);
2248 }
2249
2250 uint32_t cpu_ldl_be_data(CPUArchState *env, target_ulong ptr)
2251 {
2252 return cpu_ldl_be_data_ra(env, ptr, 0);
2253 }
2254
2255 uint64_t cpu_ldq_be_data(CPUArchState *env, target_ulong ptr)
2256 {
2257 return cpu_ldq_be_data_ra(env, ptr, 0);
2258 }
2259
2260 uint32_t cpu_lduw_le_data(CPUArchState *env, target_ulong ptr)
2261 {
2262 return cpu_lduw_le_data_ra(env, ptr, 0);
2263 }
2264
2265 int cpu_ldsw_le_data(CPUArchState *env, target_ulong ptr)
2266 {
2267 return cpu_ldsw_le_data_ra(env, ptr, 0);
2268 }
2269
2270 uint32_t cpu_ldl_le_data(CPUArchState *env, target_ulong ptr)
2271 {
2272 return cpu_ldl_le_data_ra(env, ptr, 0);
2273 }
2274
2275 uint64_t cpu_ldq_le_data(CPUArchState *env, target_ulong ptr)
2276 {
2277 return cpu_ldq_le_data_ra(env, ptr, 0);
2278 }
2279
2280 /*
2281 * Store Helpers
2282 */
2283
2284 static inline void QEMU_ALWAYS_INLINE
2285 store_memop(void *haddr, uint64_t val, MemOp op)
2286 {
2287 switch (op) {
2288 case MO_UB:
2289 stb_p(haddr, val);
2290 break;
2291 case MO_BEUW:
2292 stw_be_p(haddr, val);
2293 break;
2294 case MO_LEUW:
2295 stw_le_p(haddr, val);
2296 break;
2297 case MO_BEUL:
2298 stl_be_p(haddr, val);
2299 break;
2300 case MO_LEUL:
2301 stl_le_p(haddr, val);
2302 break;
2303 case MO_BEQ:
2304 stq_be_p(haddr, val);
2305 break;
2306 case MO_LEQ:
2307 stq_le_p(haddr, val);
2308 break;
2309 default:
2310 qemu_build_not_reached();
2311 }
2312 }
2313
2314 static void __attribute__((noinline))
2315 store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
2316 uintptr_t retaddr, size_t size, uintptr_t mmu_idx,
2317 bool big_endian)
2318 {
2319 const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
2320 uintptr_t index, index2;
2321 CPUTLBEntry *entry, *entry2;
2322 target_ulong page2, tlb_addr, tlb_addr2;
2323 TCGMemOpIdx oi;
2324 size_t size2;
2325 int i;
2326
2327 /*
2328 * Ensure the second page is in the TLB. Note that the first page
2329 * is already guaranteed to be filled, and that the second page
2330 * cannot evict the first.
2331 */
2332 page2 = (addr + size) & TARGET_PAGE_MASK;
2333 size2 = (addr + size) & ~TARGET_PAGE_MASK;
2334 index2 = tlb_index(env, mmu_idx, page2);
2335 entry2 = tlb_entry(env, mmu_idx, page2);
2336
2337 tlb_addr2 = tlb_addr_write(entry2);
2338 if (!tlb_hit_page(tlb_addr2, page2)) {
2339 if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) {
2340 tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
2341 mmu_idx, retaddr);
2342 index2 = tlb_index(env, mmu_idx, page2);
2343 entry2 = tlb_entry(env, mmu_idx, page2);
2344 }
2345 tlb_addr2 = tlb_addr_write(entry2);
2346 }
2347
2348 index = tlb_index(env, mmu_idx, addr);
2349 entry = tlb_entry(env, mmu_idx, addr);
2350 tlb_addr = tlb_addr_write(entry);
2351
2352 /*
2353 * Handle watchpoints. Since this may trap, all checks
2354 * must happen before any store.
2355 */
2356 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
2357 cpu_check_watchpoint(env_cpu(env), addr, size - size2,
2358 env_tlb(env)->d[mmu_idx].iotlb[index].attrs,
2359 BP_MEM_WRITE, retaddr);
2360 }
2361 if (unlikely(tlb_addr2 & TLB_WATCHPOINT)) {
2362 cpu_check_watchpoint(env_cpu(env), page2, size2,
2363 env_tlb(env)->d[mmu_idx].iotlb[index2].attrs,
2364 BP_MEM_WRITE, retaddr);
2365 }
2366
2367 /*
2368 * XXX: not efficient, but simple.
2369 * This loop must go in the forward direction to avoid issues
2370 * with self-modifying code in Windows 64-bit.
2371 */
2372 oi = make_memop_idx(MO_UB, mmu_idx);
2373 if (big_endian) {
2374 for (i = 0; i < size; ++i) {
2375 /* Big-endian extract. */
2376 uint8_t val8 = val >> (((size - 1) * 8) - (i * 8));
2377 helper_ret_stb_mmu(env, addr + i, val8, oi, retaddr);
2378 }
2379 } else {
2380 for (i = 0; i < size; ++i) {
2381 /* Little-endian extract. */
2382 uint8_t val8 = val >> (i * 8);
2383 helper_ret_stb_mmu(env, addr + i, val8, oi, retaddr);
2384 }
2385 }
2386 }
2387
2388 static inline void QEMU_ALWAYS_INLINE
2389 store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
2390 TCGMemOpIdx oi, uintptr_t retaddr, MemOp op)
2391 {
2392 uintptr_t mmu_idx = get_mmuidx(oi);
2393 uintptr_t index = tlb_index(env, mmu_idx, addr);
2394 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
2395 target_ulong tlb_addr = tlb_addr_write(entry);
2396 const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
2397 unsigned a_bits = get_alignment_bits(get_memop(oi));
2398 void *haddr;
2399 size_t size = memop_size(op);
2400
2401 /* Handle CPU specific unaligned behaviour */
2402 if (addr & ((1 << a_bits) - 1)) {
2403 cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
2404 mmu_idx, retaddr);
2405 }
2406
2407 /* If the TLB entry is for a different page, reload and try again. */
2408 if (!tlb_hit(tlb_addr, addr)) {
2409 if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
2410 addr & TARGET_PAGE_MASK)) {
2411 tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
2412 mmu_idx, retaddr);
2413 index = tlb_index(env, mmu_idx, addr);
2414 entry = tlb_entry(env, mmu_idx, addr);
2415 }
2416 tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK;
2417 }
2418
2419 /* Handle anything that isn't just a straight memory access. */
2420 if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
2421 CPUIOTLBEntry *iotlbentry;
2422 bool need_swap;
2423
2424 /* For anything that is unaligned, recurse through byte stores. */
2425 if ((addr & (size - 1)) != 0) {
2426 goto do_unaligned_access;
2427 }
2428
2429 iotlbentry = &env_tlb(env)->d[mmu_idx].iotlb[index];
2430
2431 /* Handle watchpoints. */
2432 if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
2433 /* On watchpoint hit, this will longjmp out. */
2434 cpu_check_watchpoint(env_cpu(env), addr, size,
2435 iotlbentry->attrs, BP_MEM_WRITE, retaddr);
2436 }
2437
2438 need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
2439
2440 /* Handle I/O access. */
2441 if (tlb_addr & TLB_MMIO) {
2442 io_writex(env, iotlbentry, mmu_idx, val, addr, retaddr,
2443 op ^ (need_swap * MO_BSWAP));
2444 return;
2445 }
2446
2447 /* Ignore writes to ROM. */
2448 if (unlikely(tlb_addr & TLB_DISCARD_WRITE)) {
2449 return;
2450 }
2451
2452 /* Handle clean RAM pages. */
2453 if (tlb_addr & TLB_NOTDIRTY) {
2454 notdirty_write(env_cpu(env), addr, size, iotlbentry, retaddr);
2455 }
2456
2457 haddr = (void *)((uintptr_t)addr + entry->addend);
2458
2459 /*
2460 * Keep these two store_memop separate to ensure that the compiler
2461 * is able to fold the entire function to a single instruction.
2462 * There is a build-time assert inside to remind you of this. ;-)
2463 */
2464 if (unlikely(need_swap)) {
2465 store_memop(haddr, val, op ^ MO_BSWAP);
2466 } else {
2467 store_memop(haddr, val, op);
2468 }
2469 return;
2470 }
2471
2472 /* Handle slow unaligned access (it spans two pages or IO). */
2473 if (size > 1
2474 && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
2475 >= TARGET_PAGE_SIZE)) {
2476 do_unaligned_access:
2477 store_helper_unaligned(env, addr, val, retaddr, size,
2478 mmu_idx, memop_big_endian(op));
2479 return;
2480 }
2481
2482 haddr = (void *)((uintptr_t)addr + entry->addend);
2483 store_memop(haddr, val, op);
2484 }
2485
2486 void __attribute__((noinline))
2487 helper_ret_stb_mmu(CPUArchState *env, target_ulong addr, uint8_t val,
2488 TCGMemOpIdx oi, uintptr_t retaddr)
2489 {
2490 store_helper(env, addr, val, oi, retaddr, MO_UB);
2491 }
2492
2493 void helper_le_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
2494 TCGMemOpIdx oi, uintptr_t retaddr)
2495 {
2496 store_helper(env, addr, val, oi, retaddr, MO_LEUW);
2497 }
2498
2499 void helper_be_stw_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
2500 TCGMemOpIdx oi, uintptr_t retaddr)
2501 {
2502 store_helper(env, addr, val, oi, retaddr, MO_BEUW);
2503 }
2504
2505 void helper_le_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
2506 TCGMemOpIdx oi, uintptr_t retaddr)
2507 {
2508 store_helper(env, addr, val, oi, retaddr, MO_LEUL);
2509 }
2510
2511 void helper_be_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
2512 TCGMemOpIdx oi, uintptr_t retaddr)
2513 {
2514 store_helper(env, addr, val, oi, retaddr, MO_BEUL);
2515 }
2516
2517 void helper_le_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
2518 TCGMemOpIdx oi, uintptr_t retaddr)
2519 {
2520 store_helper(env, addr, val, oi, retaddr, MO_LEQ);
2521 }
2522
2523 void helper_be_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
2524 TCGMemOpIdx oi, uintptr_t retaddr)
2525 {
2526 store_helper(env, addr, val, oi, retaddr, MO_BEQ);
2527 }
2528
2529 /*
2530 * Store Helpers for cpu_ldst.h
2531 */
2532
2533 static inline void QEMU_ALWAYS_INLINE
2534 cpu_store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
2535 int mmu_idx, uintptr_t retaddr, MemOp op)
2536 {
2537 TCGMemOpIdx oi;
2538 uint16_t meminfo;
2539
2540 meminfo = trace_mem_get_info(op, mmu_idx, true);
2541 trace_guest_mem_before_exec(env_cpu(env), addr, meminfo);
2542
2543 oi = make_memop_idx(op, mmu_idx);
2544 store_helper(env, addr, val, oi, retaddr, op);
2545
2546 qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, meminfo);
2547 }
2548
2549 void cpu_stb_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
2550 int mmu_idx, uintptr_t retaddr)
2551 {
2552 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_UB);
2553 }
2554
2555 void cpu_stw_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
2556 int mmu_idx, uintptr_t retaddr)
2557 {
2558 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUW);
2559 }
2560
2561 void cpu_stl_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
2562 int mmu_idx, uintptr_t retaddr)
2563 {
2564 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEUL);
2565 }
2566
2567 void cpu_stq_be_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
2568 int mmu_idx, uintptr_t retaddr)
2569 {
2570 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_BEQ);
2571 }
2572
2573 void cpu_stw_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
2574 int mmu_idx, uintptr_t retaddr)
2575 {
2576 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUW);
2577 }
2578
2579 void cpu_stl_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint32_t val,
2580 int mmu_idx, uintptr_t retaddr)
2581 {
2582 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEUL);
2583 }
2584
2585 void cpu_stq_le_mmuidx_ra(CPUArchState *env, target_ulong addr, uint64_t val,
2586 int mmu_idx, uintptr_t retaddr)
2587 {
2588 cpu_store_helper(env, addr, val, mmu_idx, retaddr, MO_LEQ);
2589 }
2590
2591 void cpu_stb_data_ra(CPUArchState *env, target_ulong ptr,
2592 uint32_t val, uintptr_t retaddr)
2593 {
2594 cpu_stb_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2595 }
2596
2597 void cpu_stw_be_data_ra(CPUArchState *env, target_ulong ptr,
2598 uint32_t val, uintptr_t retaddr)
2599 {
2600 cpu_stw_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2601 }
2602
2603 void cpu_stl_be_data_ra(CPUArchState *env, target_ulong ptr,
2604 uint32_t val, uintptr_t retaddr)
2605 {
2606 cpu_stl_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2607 }
2608
2609 void cpu_stq_be_data_ra(CPUArchState *env, target_ulong ptr,
2610 uint64_t val, uintptr_t retaddr)
2611 {
2612 cpu_stq_be_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2613 }
2614
2615 void cpu_stw_le_data_ra(CPUArchState *env, target_ulong ptr,
2616 uint32_t val, uintptr_t retaddr)
2617 {
2618 cpu_stw_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2619 }
2620
2621 void cpu_stl_le_data_ra(CPUArchState *env, target_ulong ptr,
2622 uint32_t val, uintptr_t retaddr)
2623 {
2624 cpu_stl_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2625 }
2626
2627 void cpu_stq_le_data_ra(CPUArchState *env, target_ulong ptr,
2628 uint64_t val, uintptr_t retaddr)
2629 {
2630 cpu_stq_le_mmuidx_ra(env, ptr, val, cpu_mmu_index(env, false), retaddr);
2631 }
2632
2633 void cpu_stb_data(CPUArchState *env, target_ulong ptr, uint32_t val)
2634 {
2635 cpu_stb_data_ra(env, ptr, val, 0);
2636 }
2637
2638 void cpu_stw_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
2639 {
2640 cpu_stw_be_data_ra(env, ptr, val, 0);
2641 }
2642
2643 void cpu_stl_be_data(CPUArchState *env, target_ulong ptr, uint32_t val)
2644 {
2645 cpu_stl_be_data_ra(env, ptr, val, 0);
2646 }
2647
2648 void cpu_stq_be_data(CPUArchState *env, target_ulong ptr, uint64_t val)
2649 {
2650 cpu_stq_be_data_ra(env, ptr, val, 0);
2651 }
2652
2653 void cpu_stw_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
2654 {
2655 cpu_stw_le_data_ra(env, ptr, val, 0);
2656 }
2657
2658 void cpu_stl_le_data(CPUArchState *env, target_ulong ptr, uint32_t val)
2659 {
2660 cpu_stl_le_data_ra(env, ptr, val, 0);
2661 }
2662
2663 void cpu_stq_le_data(CPUArchState *env, target_ulong ptr, uint64_t val)
2664 {
2665 cpu_stq_le_data_ra(env, ptr, val, 0);
2666 }
2667
2668 /* First set of helpers allows passing in of OI and RETADDR. This makes
2669 them callable from other helpers. */
2670
2671 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
2672 #define ATOMIC_NAME(X) \
2673 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
2674 #define ATOMIC_MMU_DECLS
2675 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr)
2676 #define ATOMIC_MMU_CLEANUP
2677 #define ATOMIC_MMU_IDX get_mmuidx(oi)
2678
2679 #include "atomic_common.c.inc"
2680
2681 #define DATA_SIZE 1
2682 #include "atomic_template.h"
2683
2684 #define DATA_SIZE 2
2685 #include "atomic_template.h"
2686
2687 #define DATA_SIZE 4
2688 #include "atomic_template.h"
2689
2690 #ifdef CONFIG_ATOMIC64
2691 #define DATA_SIZE 8
2692 #include "atomic_template.h"
2693 #endif
2694
2695 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
2696 #define DATA_SIZE 16
2697 #include "atomic_template.h"
2698 #endif
2699
2700 /* Second set of helpers are directly callable from TCG as helpers. */
2701
2702 #undef EXTRA_ARGS
2703 #undef ATOMIC_NAME
2704 #undef ATOMIC_MMU_LOOKUP
2705 #define EXTRA_ARGS , TCGMemOpIdx oi
2706 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
2707 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC())
2708
2709 #define DATA_SIZE 1
2710 #include "atomic_template.h"
2711
2712 #define DATA_SIZE 2
2713 #include "atomic_template.h"
2714
2715 #define DATA_SIZE 4
2716 #include "atomic_template.h"
2717
2718 #ifdef CONFIG_ATOMIC64
2719 #define DATA_SIZE 8
2720 #include "atomic_template.h"
2721 #endif
2722 #undef ATOMIC_MMU_IDX
2723
2724 /* Code access functions. */
2725
2726 static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr,
2727 TCGMemOpIdx oi, uintptr_t retaddr)
2728 {
2729 return load_helper(env, addr, oi, retaddr, MO_8, true, full_ldub_code);
2730 }
2731
2732 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
2733 {
2734 TCGMemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(env, true));
2735 return full_ldub_code(env, addr, oi, 0);
2736 }
2737
2738 static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr,
2739 TCGMemOpIdx oi, uintptr_t retaddr)
2740 {
2741 return load_helper(env, addr, oi, retaddr, MO_TEUW, true, full_lduw_code);
2742 }
2743
2744 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
2745 {
2746 TCGMemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(env, true));
2747 return full_lduw_code(env, addr, oi, 0);
2748 }
2749
2750 static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr,
2751 TCGMemOpIdx oi, uintptr_t retaddr)
2752 {
2753 return load_helper(env, addr, oi, retaddr, MO_TEUL, true, full_ldl_code);
2754 }
2755
2756 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
2757 {
2758 TCGMemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(env, true));
2759 return full_ldl_code(env, addr, oi, 0);
2760 }
2761
2762 static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr,
2763 TCGMemOpIdx oi, uintptr_t retaddr)
2764 {
2765 return load_helper(env, addr, oi, retaddr, MO_TEQ, true, full_ldq_code);
2766 }
2767
2768 uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
2769 {
2770 TCGMemOpIdx oi = make_memop_idx(MO_TEQ, cpu_mmu_index(env, true));
2771 return full_ldq_code(env, addr, oi, 0);
2772 }
QEMU mirror