]> git.proxmox.com Git - mirror_qemu.git/blob - accel/tcg/cputlb.c
projects / mirror_qemu.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
cputlb: Merge tlb_flush_nocheck into tlb_flush_by_mmuidx_async_work
[mirror_qemu.git] / accel / tcg / cputlb.c
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "qemu/osdep.h"
21 #include "qemu/main-loop.h"
22 #include "cpu.h"
23 #include "exec/exec-all.h"
24 #include "exec/memory.h"
25 #include "exec/address-spaces.h"
26 #include "exec/cpu_ldst.h"
27 #include "exec/cputlb.h"
28 #include "exec/memory-internal.h"
29 #include "exec/ram_addr.h"
30 #include "tcg/tcg.h"
31 #include "qemu/error-report.h"
32 #include "exec/log.h"
33 #include "exec/helper-proto.h"
34 #include "qemu/atomic.h"
35 #include "qemu/atomic128.h"
36
37 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
38 /* #define DEBUG_TLB */
39 /* #define DEBUG_TLB_LOG */
40
41 #ifdef DEBUG_TLB
42 # define DEBUG_TLB_GATE 1
43 # ifdef DEBUG_TLB_LOG
44 # define DEBUG_TLB_LOG_GATE 1
45 # else
46 # define DEBUG_TLB_LOG_GATE 0
47 # endif
48 #else
49 # define DEBUG_TLB_GATE 0
50 # define DEBUG_TLB_LOG_GATE 0
51 #endif
52
53 #define tlb_debug(fmt, ...) do { \
54 if (DEBUG_TLB_LOG_GATE) { \
55 qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
56 ## __VA_ARGS__); \
57 } else if (DEBUG_TLB_GATE) { \
58 fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
59 } \
60 } while (0)
61
62 #define assert_cpu_is_self(cpu) do { \
63 if (DEBUG_TLB_GATE) { \
64 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
65 } \
66 } while (0)
67
68 /* run_on_cpu_data.target_ptr should always be big enough for a
69 * target_ulong even on 32 bit builds */
70 QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
71
72 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
73 */
74 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
75 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
76
77 void tlb_init(CPUState *cpu)
78 {
79 CPUArchState *env = cpu->env_ptr;
80
81 qemu_spin_init(&env->tlb_c.lock);
82 }
83
84 /* flush_all_helper: run fn across all cpus
85 *
86 * If the wait flag is set then the src cpu's helper will be queued as
87 * "safe" work and the loop exited creating a synchronisation point
88 * where all queued work will be finished before execution starts
89 * again.
90 */
91 static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
92 run_on_cpu_data d)
93 {
94 CPUState *cpu;
95
96 CPU_FOREACH(cpu) {
97 if (cpu != src) {
98 async_run_on_cpu(cpu, fn, d);
99 }
100 }
101 }
102
103 size_t tlb_flush_count(void)
104 {
105 CPUState *cpu;
106 size_t count = 0;
107
108 CPU_FOREACH(cpu) {
109 CPUArchState *env = cpu->env_ptr;
110
111 count += atomic_read(&env->tlb_flush_count);
112 }
113 return count;
114 }
115
116 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
117 {
118 memset(env->tlb_table[mmu_idx], -1, sizeof(env->tlb_table[0]));
119 memset(env->tlb_v_table[mmu_idx], -1, sizeof(env->tlb_v_table[0]));
120 env->tlb_d[mmu_idx].large_page_addr = -1;
121 env->tlb_d[mmu_idx].large_page_mask = -1;
122 env->tlb_d[mmu_idx].vindex = 0;
123 }
124
125 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
126 {
127 CPUArchState *env = cpu->env_ptr;
128 unsigned long mmu_idx_bitmask = data.host_int;
129 int mmu_idx;
130
131 assert_cpu_is_self(cpu);
132
133 tlb_debug("mmu_idx:0x%04lx\n", mmu_idx_bitmask);
134
135 qemu_spin_lock(&env->tlb_c.lock);
136 env->tlb_c.pending_flush &= ~mmu_idx_bitmask;
137
138 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
139 if (test_bit(mmu_idx, &mmu_idx_bitmask)) {
140 tlb_flush_one_mmuidx_locked(env, mmu_idx);
141 }
142 }
143 qemu_spin_unlock(&env->tlb_c.lock);
144
145 cpu_tb_jmp_cache_clear(cpu);
146
147 if (mmu_idx_bitmask == ALL_MMUIDX_BITS) {
148 atomic_set(&env->tlb_flush_count, env->tlb_flush_count + 1);
149 }
150 }
151
152 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
153 {
154 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
155
156 if (cpu->created && !qemu_cpu_is_self(cpu)) {
157 CPUArchState *env = cpu->env_ptr;
158 uint16_t pending, to_clean;
159
160 qemu_spin_lock(&env->tlb_c.lock);
161 pending = env->tlb_c.pending_flush;
162 to_clean = idxmap & ~pending;
163 env->tlb_c.pending_flush = pending | idxmap;
164 qemu_spin_unlock(&env->tlb_c.lock);
165
166 if (to_clean) {
167 tlb_debug("reduced mmu_idx: 0x%" PRIx16 "\n", to_clean);
168 async_run_on_cpu(cpu, tlb_flush_by_mmuidx_async_work,
169 RUN_ON_CPU_HOST_INT(to_clean));
170 }
171 } else {
172 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
173 }
174 }
175
176 void tlb_flush(CPUState *cpu)
177 {
178 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
179 }
180
181 void tlb_flush_by_mmuidx_all_cpus(CPUState *src_cpu, uint16_t idxmap)
182 {
183 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
184
185 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
186
187 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
188 fn(src_cpu, RUN_ON_CPU_HOST_INT(idxmap));
189 }
190
191 void tlb_flush_all_cpus(CPUState *src_cpu)
192 {
193 tlb_flush_by_mmuidx_all_cpus(src_cpu, ALL_MMUIDX_BITS);
194 }
195
196 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
197 {
198 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
199
200 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
201
202 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
203 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
204 }
205
206 void tlb_flush_all_cpus_synced(CPUState *src_cpu)
207 {
208 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
209 }
210
211 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry,
212 target_ulong page)
213 {
214 return tlb_hit_page(tlb_entry->addr_read, page) ||
215 tlb_hit_page(tlb_addr_write(tlb_entry), page) ||
216 tlb_hit_page(tlb_entry->addr_code, page);
217 }
218
219 /* Called with tlb_c.lock held */
220 static inline void tlb_flush_entry_locked(CPUTLBEntry *tlb_entry,
221 target_ulong page)
222 {
223 if (tlb_hit_page_anyprot(tlb_entry, page)) {
224 memset(tlb_entry, -1, sizeof(*tlb_entry));
225 }
226 }
227
228 /* Called with tlb_c.lock held */
229 static inline void tlb_flush_vtlb_page_locked(CPUArchState *env, int mmu_idx,
230 target_ulong page)
231 {
232 int k;
233
234 assert_cpu_is_self(ENV_GET_CPU(env));
235 for (k = 0; k < CPU_VTLB_SIZE; k++) {
236 tlb_flush_entry_locked(&env->tlb_v_table[mmu_idx][k], page);
237 }
238 }
239
240 static void tlb_flush_page_locked(CPUArchState *env, int midx,
241 target_ulong page)
242 {
243 target_ulong lp_addr = env->tlb_d[midx].large_page_addr;
244 target_ulong lp_mask = env->tlb_d[midx].large_page_mask;
245
246 /* Check if we need to flush due to large pages. */
247 if ((page & lp_mask) == lp_addr) {
248 tlb_debug("forcing full flush midx %d ("
249 TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
250 midx, lp_addr, lp_mask);
251 tlb_flush_one_mmuidx_locked(env, midx);
252 } else {
253 tlb_flush_entry_locked(tlb_entry(env, midx, page), page);
254 tlb_flush_vtlb_page_locked(env, midx, page);
255 }
256 }
257
258 static void tlb_flush_page_async_work(CPUState *cpu, run_on_cpu_data data)
259 {
260 CPUArchState *env = cpu->env_ptr;
261 target_ulong addr = (target_ulong) data.target_ptr;
262 int mmu_idx;
263
264 assert_cpu_is_self(cpu);
265
266 tlb_debug("page addr:" TARGET_FMT_lx "\n", addr);
267
268 addr &= TARGET_PAGE_MASK;
269 qemu_spin_lock(&env->tlb_c.lock);
270 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
271 tlb_flush_page_locked(env, mmu_idx, addr);
272 }
273 qemu_spin_unlock(&env->tlb_c.lock);
274
275 tb_flush_jmp_cache(cpu, addr);
276 }
277
278 void tlb_flush_page(CPUState *cpu, target_ulong addr)
279 {
280 tlb_debug("page :" TARGET_FMT_lx "\n", addr);
281
282 if (!qemu_cpu_is_self(cpu)) {
283 async_run_on_cpu(cpu, tlb_flush_page_async_work,
284 RUN_ON_CPU_TARGET_PTR(addr));
285 } else {
286 tlb_flush_page_async_work(cpu, RUN_ON_CPU_TARGET_PTR(addr));
287 }
288 }
289
290 /* As we are going to hijack the bottom bits of the page address for a
291 * mmuidx bit mask we need to fail to build if we can't do that
292 */
293 QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
294
295 static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
296 run_on_cpu_data data)
297 {
298 CPUArchState *env = cpu->env_ptr;
299 target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
300 target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
301 unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
302 int mmu_idx;
303
304 assert_cpu_is_self(cpu);
305
306 tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
307 addr, mmu_idx_bitmap);
308
309 qemu_spin_lock(&env->tlb_c.lock);
310 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
311 if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
312 tlb_flush_page_locked(env, mmu_idx, addr);
313 }
314 }
315 qemu_spin_unlock(&env->tlb_c.lock);
316
317 tb_flush_jmp_cache(cpu, addr);
318 }
319
320 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
321 {
322 target_ulong addr_and_mmu_idx;
323
324 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
325
326 /* This should already be page aligned */
327 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
328 addr_and_mmu_idx |= idxmap;
329
330 if (!qemu_cpu_is_self(cpu)) {
331 async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
332 RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
333 } else {
334 tlb_flush_page_by_mmuidx_async_work(
335 cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
336 }
337 }
338
339 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
340 uint16_t idxmap)
341 {
342 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
343 target_ulong addr_and_mmu_idx;
344
345 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
346
347 /* This should already be page aligned */
348 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
349 addr_and_mmu_idx |= idxmap;
350
351 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
352 fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
353 }
354
355 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
356 target_ulong addr,
357 uint16_t idxmap)
358 {
359 const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
360 target_ulong addr_and_mmu_idx;
361
362 tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
363
364 /* This should already be page aligned */
365 addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
366 addr_and_mmu_idx |= idxmap;
367
368 flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
369 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
370 }
371
372 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
373 {
374 const run_on_cpu_func fn = tlb_flush_page_async_work;
375
376 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
377 fn(src, RUN_ON_CPU_TARGET_PTR(addr));
378 }
379
380 void tlb_flush_page_all_cpus_synced(CPUState *src,
381 target_ulong addr)
382 {
383 const run_on_cpu_func fn = tlb_flush_page_async_work;
384
385 flush_all_helper(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
386 async_safe_run_on_cpu(src, fn, RUN_ON_CPU_TARGET_PTR(addr));
387 }
388
389 /* update the TLBs so that writes to code in the virtual page 'addr'
390 can be detected */
391 void tlb_protect_code(ram_addr_t ram_addr)
392 {
393 cpu_physical_memory_test_and_clear_dirty(ram_addr, TARGET_PAGE_SIZE,
394 DIRTY_MEMORY_CODE);
395 }
396
397 /* update the TLB so that writes in physical page 'phys_addr' are no longer
398 tested for self modifying code */
399 void tlb_unprotect_code(ram_addr_t ram_addr)
400 {
401 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
402 }
403
404
405 /*
406 * Dirty write flag handling
407 *
408 * When the TCG code writes to a location it looks up the address in
409 * the TLB and uses that data to compute the final address. If any of
410 * the lower bits of the address are set then the slow path is forced.
411 * There are a number of reasons to do this but for normal RAM the
412 * most usual is detecting writes to code regions which may invalidate
413 * generated code.
414 *
415 * Other vCPUs might be reading their TLBs during guest execution, so we update
416 * te->addr_write with atomic_set. We don't need to worry about this for
417 * oversized guests as MTTCG is disabled for them.
418 *
419 * Called with tlb_c.lock held.
420 */
421 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
422 uintptr_t start, uintptr_t length)
423 {
424 uintptr_t addr = tlb_entry->addr_write;
425
426 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | TLB_NOTDIRTY)) == 0) {
427 addr &= TARGET_PAGE_MASK;
428 addr += tlb_entry->addend;
429 if ((addr - start) < length) {
430 #if TCG_OVERSIZED_GUEST
431 tlb_entry->addr_write |= TLB_NOTDIRTY;
432 #else
433 atomic_set(&tlb_entry->addr_write,
434 tlb_entry->addr_write | TLB_NOTDIRTY);
435 #endif
436 }
437 }
438 }
439
440 /*
441 * Called with tlb_c.lock held.
442 * Called only from the vCPU context, i.e. the TLB's owner thread.
443 */
444 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
445 {
446 *d = *s;
447 }
448
449 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
450 * the target vCPU).
451 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
452 * thing actually updated is the target TLB entry ->addr_write flags.
453 */
454 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
455 {
456 CPUArchState *env;
457
458 int mmu_idx;
459
460 env = cpu->env_ptr;
461 qemu_spin_lock(&env->tlb_c.lock);
462 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
463 unsigned int i;
464
465 for (i = 0; i < CPU_TLB_SIZE; i++) {
466 tlb_reset_dirty_range_locked(&env->tlb_table[mmu_idx][i], start1,
467 length);
468 }
469
470 for (i = 0; i < CPU_VTLB_SIZE; i++) {
471 tlb_reset_dirty_range_locked(&env->tlb_v_table[mmu_idx][i], start1,
472 length);
473 }
474 }
475 qemu_spin_unlock(&env->tlb_c.lock);
476 }
477
478 /* Called with tlb_c.lock held */
479 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
480 target_ulong vaddr)
481 {
482 if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY)) {
483 tlb_entry->addr_write = vaddr;
484 }
485 }
486
487 /* update the TLB corresponding to virtual page vaddr
488 so that it is no longer dirty */
489 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
490 {
491 CPUArchState *env = cpu->env_ptr;
492 int mmu_idx;
493
494 assert_cpu_is_self(cpu);
495
496 vaddr &= TARGET_PAGE_MASK;
497 qemu_spin_lock(&env->tlb_c.lock);
498 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
499 tlb_set_dirty1_locked(tlb_entry(env, mmu_idx, vaddr), vaddr);
500 }
501
502 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
503 int k;
504 for (k = 0; k < CPU_VTLB_SIZE; k++) {
505 tlb_set_dirty1_locked(&env->tlb_v_table[mmu_idx][k], vaddr);
506 }
507 }
508 qemu_spin_unlock(&env->tlb_c.lock);
509 }
510
511 /* Our TLB does not support large pages, so remember the area covered by
512 large pages and trigger a full TLB flush if these are invalidated. */
513 static void tlb_add_large_page(CPUArchState *env, int mmu_idx,
514 target_ulong vaddr, target_ulong size)
515 {
516 target_ulong lp_addr = env->tlb_d[mmu_idx].large_page_addr;
517 target_ulong lp_mask = ~(size - 1);
518
519 if (lp_addr == (target_ulong)-1) {
520 /* No previous large page. */
521 lp_addr = vaddr;
522 } else {
523 /* Extend the existing region to include the new page.
524 This is a compromise between unnecessary flushes and
525 the cost of maintaining a full variable size TLB. */
526 lp_mask &= env->tlb_d[mmu_idx].large_page_mask;
527 while (((lp_addr ^ vaddr) & lp_mask) != 0) {
528 lp_mask <<= 1;
529 }
530 }
531 env->tlb_d[mmu_idx].large_page_addr = lp_addr & lp_mask;
532 env->tlb_d[mmu_idx].large_page_mask = lp_mask;
533 }
534
535 /* Add a new TLB entry. At most one entry for a given virtual address
536 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
537 * supplied size is only used by tlb_flush_page.
538 *
539 * Called from TCG-generated code, which is under an RCU read-side
540 * critical section.
541 */
542 void tlb_set_page_with_attrs(CPUState *cpu, target_ulong vaddr,
543 hwaddr paddr, MemTxAttrs attrs, int prot,
544 int mmu_idx, target_ulong size)
545 {
546 CPUArchState *env = cpu->env_ptr;
547 MemoryRegionSection *section;
548 unsigned int index;
549 target_ulong address;
550 target_ulong code_address;
551 uintptr_t addend;
552 CPUTLBEntry *te, tn;
553 hwaddr iotlb, xlat, sz, paddr_page;
554 target_ulong vaddr_page;
555 int asidx = cpu_asidx_from_attrs(cpu, attrs);
556
557 assert_cpu_is_self(cpu);
558
559 if (size <= TARGET_PAGE_SIZE) {
560 sz = TARGET_PAGE_SIZE;
561 } else {
562 tlb_add_large_page(env, mmu_idx, vaddr, size);
563 sz = size;
564 }
565 vaddr_page = vaddr & TARGET_PAGE_MASK;
566 paddr_page = paddr & TARGET_PAGE_MASK;
567
568 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
569 &xlat, &sz, attrs, &prot);
570 assert(sz >= TARGET_PAGE_SIZE);
571
572 tlb_debug("vaddr=" TARGET_FMT_lx " paddr=0x" TARGET_FMT_plx
573 " prot=%x idx=%d\n",
574 vaddr, paddr, prot, mmu_idx);
575
576 address = vaddr_page;
577 if (size < TARGET_PAGE_SIZE) {
578 /*
579 * Slow-path the TLB entries; we will repeat the MMU check and TLB
580 * fill on every access.
581 */
582 address |= TLB_RECHECK;
583 }
584 if (!memory_region_is_ram(section->mr) &&
585 !memory_region_is_romd(section->mr)) {
586 /* IO memory case */
587 address |= TLB_MMIO;
588 addend = 0;
589 } else {
590 /* TLB_MMIO for rom/romd handled below */
591 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
592 }
593
594 code_address = address;
595 iotlb = memory_region_section_get_iotlb(cpu, section, vaddr_page,
596 paddr_page, xlat, prot, &address);
597
598 index = tlb_index(env, mmu_idx, vaddr_page);
599 te = tlb_entry(env, mmu_idx, vaddr_page);
600
601 /*
602 * Hold the TLB lock for the rest of the function. We could acquire/release
603 * the lock several times in the function, but it is faster to amortize the
604 * acquisition cost by acquiring it just once. Note that this leads to
605 * a longer critical section, but this is not a concern since the TLB lock
606 * is unlikely to be contended.
607 */
608 qemu_spin_lock(&env->tlb_c.lock);
609
610 /* Make sure there's no cached translation for the new page. */
611 tlb_flush_vtlb_page_locked(env, mmu_idx, vaddr_page);
612
613 /*
614 * Only evict the old entry to the victim tlb if it's for a
615 * different page; otherwise just overwrite the stale data.
616 */
617 if (!tlb_hit_page_anyprot(te, vaddr_page)) {
618 unsigned vidx = env->tlb_d[mmu_idx].vindex++ % CPU_VTLB_SIZE;
619 CPUTLBEntry *tv = &env->tlb_v_table[mmu_idx][vidx];
620
621 /* Evict the old entry into the victim tlb. */
622 copy_tlb_helper_locked(tv, te);
623 env->iotlb_v[mmu_idx][vidx] = env->iotlb[mmu_idx][index];
624 }
625
626 /* refill the tlb */
627 /*
628 * At this point iotlb contains a physical section number in the lower
629 * TARGET_PAGE_BITS, and either
630 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
631 * + the offset within section->mr of the page base (otherwise)
632 * We subtract the vaddr_page (which is page aligned and thus won't
633 * disturb the low bits) to give an offset which can be added to the
634 * (non-page-aligned) vaddr of the eventual memory access to get
635 * the MemoryRegion offset for the access. Note that the vaddr we
636 * subtract here is that of the page base, and not the same as the
637 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
638 */
639 env->iotlb[mmu_idx][index].addr = iotlb - vaddr_page;
640 env->iotlb[mmu_idx][index].attrs = attrs;
641
642 /* Now calculate the new entry */
643 tn.addend = addend - vaddr_page;
644 if (prot & PAGE_READ) {
645 tn.addr_read = address;
646 } else {
647 tn.addr_read = -1;
648 }
649
650 if (prot & PAGE_EXEC) {
651 tn.addr_code = code_address;
652 } else {
653 tn.addr_code = -1;
654 }
655
656 tn.addr_write = -1;
657 if (prot & PAGE_WRITE) {
658 if ((memory_region_is_ram(section->mr) && section->readonly)
659 || memory_region_is_romd(section->mr)) {
660 /* Write access calls the I/O callback. */
661 tn.addr_write = address | TLB_MMIO;
662 } else if (memory_region_is_ram(section->mr)
663 && cpu_physical_memory_is_clean(
664 memory_region_get_ram_addr(section->mr) + xlat)) {
665 tn.addr_write = address | TLB_NOTDIRTY;
666 } else {
667 tn.addr_write = address;
668 }
669 if (prot & PAGE_WRITE_INV) {
670 tn.addr_write |= TLB_INVALID_MASK;
671 }
672 }
673
674 copy_tlb_helper_locked(te, &tn);
675 qemu_spin_unlock(&env->tlb_c.lock);
676 }
677
678 /* Add a new TLB entry, but without specifying the memory
679 * transaction attributes to be used.
680 */
681 void tlb_set_page(CPUState *cpu, target_ulong vaddr,
682 hwaddr paddr, int prot,
683 int mmu_idx, target_ulong size)
684 {
685 tlb_set_page_with_attrs(cpu, vaddr, paddr, MEMTXATTRS_UNSPECIFIED,
686 prot, mmu_idx, size);
687 }
688
689 static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
690 {
691 ram_addr_t ram_addr;
692
693 ram_addr = qemu_ram_addr_from_host(ptr);
694 if (ram_addr == RAM_ADDR_INVALID) {
695 error_report("Bad ram pointer %p", ptr);
696 abort();
697 }
698 return ram_addr;
699 }
700
701 static uint64_t io_readx(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
702 int mmu_idx,
703 target_ulong addr, uintptr_t retaddr,
704 bool recheck, MMUAccessType access_type, int size)
705 {
706 CPUState *cpu = ENV_GET_CPU(env);
707 hwaddr mr_offset;
708 MemoryRegionSection *section;
709 MemoryRegion *mr;
710 uint64_t val;
711 bool locked = false;
712 MemTxResult r;
713
714 if (recheck) {
715 /*
716 * This is a TLB_RECHECK access, where the MMU protection
717 * covers a smaller range than a target page, and we must
718 * repeat the MMU check here. This tlb_fill() call might
719 * longjump out if this access should cause a guest exception.
720 */
721 CPUTLBEntry *entry;
722 target_ulong tlb_addr;
723
724 tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
725
726 entry = tlb_entry(env, mmu_idx, addr);
727 tlb_addr = entry->addr_read;
728 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
729 /* RAM access */
730 uintptr_t haddr = addr + entry->addend;
731
732 return ldn_p((void *)haddr, size);
733 }
734 /* Fall through for handling IO accesses */
735 }
736
737 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
738 mr = section->mr;
739 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
740 cpu->mem_io_pc = retaddr;
741 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
742 cpu_io_recompile(cpu, retaddr);
743 }
744
745 cpu->mem_io_vaddr = addr;
746 cpu->mem_io_access_type = access_type;
747
748 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
749 qemu_mutex_lock_iothread();
750 locked = true;
751 }
752 r = memory_region_dispatch_read(mr, mr_offset,
753 &val, size, iotlbentry->attrs);
754 if (r != MEMTX_OK) {
755 hwaddr physaddr = mr_offset +
756 section->offset_within_address_space -
757 section->offset_within_region;
758
759 cpu_transaction_failed(cpu, physaddr, addr, size, access_type,
760 mmu_idx, iotlbentry->attrs, r, retaddr);
761 }
762 if (locked) {
763 qemu_mutex_unlock_iothread();
764 }
765
766 return val;
767 }
768
769 static void io_writex(CPUArchState *env, CPUIOTLBEntry *iotlbentry,
770 int mmu_idx,
771 uint64_t val, target_ulong addr,
772 uintptr_t retaddr, bool recheck, int size)
773 {
774 CPUState *cpu = ENV_GET_CPU(env);
775 hwaddr mr_offset;
776 MemoryRegionSection *section;
777 MemoryRegion *mr;
778 bool locked = false;
779 MemTxResult r;
780
781 if (recheck) {
782 /*
783 * This is a TLB_RECHECK access, where the MMU protection
784 * covers a smaller range than a target page, and we must
785 * repeat the MMU check here. This tlb_fill() call might
786 * longjump out if this access should cause a guest exception.
787 */
788 CPUTLBEntry *entry;
789 target_ulong tlb_addr;
790
791 tlb_fill(cpu, addr, size, MMU_DATA_STORE, mmu_idx, retaddr);
792
793 entry = tlb_entry(env, mmu_idx, addr);
794 tlb_addr = tlb_addr_write(entry);
795 if (!(tlb_addr & ~(TARGET_PAGE_MASK | TLB_RECHECK))) {
796 /* RAM access */
797 uintptr_t haddr = addr + entry->addend;
798
799 stn_p((void *)haddr, size, val);
800 return;
801 }
802 /* Fall through for handling IO accesses */
803 }
804
805 section = iotlb_to_section(cpu, iotlbentry->addr, iotlbentry->attrs);
806 mr = section->mr;
807 mr_offset = (iotlbentry->addr & TARGET_PAGE_MASK) + addr;
808 if (mr != &io_mem_rom && mr != &io_mem_notdirty && !cpu->can_do_io) {
809 cpu_io_recompile(cpu, retaddr);
810 }
811 cpu->mem_io_vaddr = addr;
812 cpu->mem_io_pc = retaddr;
813
814 if (mr->global_locking && !qemu_mutex_iothread_locked()) {
815 qemu_mutex_lock_iothread();
816 locked = true;
817 }
818 r = memory_region_dispatch_write(mr, mr_offset,
819 val, size, iotlbentry->attrs);
820 if (r != MEMTX_OK) {
821 hwaddr physaddr = mr_offset +
822 section->offset_within_address_space -
823 section->offset_within_region;
824
825 cpu_transaction_failed(cpu, physaddr, addr, size, MMU_DATA_STORE,
826 mmu_idx, iotlbentry->attrs, r, retaddr);
827 }
828 if (locked) {
829 qemu_mutex_unlock_iothread();
830 }
831 }
832
833 /* Return true if ADDR is present in the victim tlb, and has been copied
834 back to the main tlb. */
835 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
836 size_t elt_ofs, target_ulong page)
837 {
838 size_t vidx;
839
840 assert_cpu_is_self(ENV_GET_CPU(env));
841 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
842 CPUTLBEntry *vtlb = &env->tlb_v_table[mmu_idx][vidx];
843 target_ulong cmp;
844
845 /* elt_ofs might correspond to .addr_write, so use atomic_read */
846 #if TCG_OVERSIZED_GUEST
847 cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
848 #else
849 cmp = atomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
850 #endif
851
852 if (cmp == page) {
853 /* Found entry in victim tlb, swap tlb and iotlb. */
854 CPUTLBEntry tmptlb, *tlb = &env->tlb_table[mmu_idx][index];
855
856 qemu_spin_lock(&env->tlb_c.lock);
857 copy_tlb_helper_locked(&tmptlb, tlb);
858 copy_tlb_helper_locked(tlb, vtlb);
859 copy_tlb_helper_locked(vtlb, &tmptlb);
860 qemu_spin_unlock(&env->tlb_c.lock);
861
862 CPUIOTLBEntry tmpio, *io = &env->iotlb[mmu_idx][index];
863 CPUIOTLBEntry *vio = &env->iotlb_v[mmu_idx][vidx];
864 tmpio = *io; *io = *vio; *vio = tmpio;
865 return true;
866 }
867 }
868 return false;
869 }
870
871 /* Macro to call the above, with local variables from the use context. */
872 #define VICTIM_TLB_HIT(TY, ADDR) \
873 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
874 (ADDR) & TARGET_PAGE_MASK)
875
876 /* NOTE: this function can trigger an exception */
877 /* NOTE2: the returned address is not exactly the physical address: it
878 * is actually a ram_addr_t (in system mode; the user mode emulation
879 * version of this function returns a guest virtual address).
880 */
881 tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
882 {
883 uintptr_t mmu_idx = cpu_mmu_index(env, true);
884 uintptr_t index = tlb_index(env, mmu_idx, addr);
885 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
886 void *p;
887
888 if (unlikely(!tlb_hit(entry->addr_code, addr))) {
889 if (!VICTIM_TLB_HIT(addr_code, addr)) {
890 tlb_fill(ENV_GET_CPU(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
891 }
892 assert(tlb_hit(entry->addr_code, addr));
893 }
894
895 if (unlikely(entry->addr_code & (TLB_RECHECK | TLB_MMIO))) {
896 /*
897 * Return -1 if we can't translate and execute from an entire
898 * page of RAM here, which will cause us to execute by loading
899 * and translating one insn at a time, without caching:
900 * - TLB_RECHECK: means the MMU protection covers a smaller range
901 * than a target page, so we must redo the MMU check every insn
902 * - TLB_MMIO: region is not backed by RAM
903 */
904 return -1;
905 }
906
907 p = (void *)((uintptr_t)addr + entry->addend);
908 return qemu_ram_addr_from_host_nofail(p);
909 }
910
911 /* Probe for whether the specified guest write access is permitted.
912 * If it is not permitted then an exception will be taken in the same
913 * way as if this were a real write access (and we will not return).
914 * Otherwise the function will return, and there will be a valid
915 * entry in the TLB for this access.
916 */
917 void probe_write(CPUArchState *env, target_ulong addr, int size, int mmu_idx,
918 uintptr_t retaddr)
919 {
920 uintptr_t index = tlb_index(env, mmu_idx, addr);
921 CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
922
923 if (!tlb_hit(tlb_addr_write(entry), addr)) {
924 /* TLB entry is for a different page */
925 if (!VICTIM_TLB_HIT(addr_write, addr)) {
926 tlb_fill(ENV_GET_CPU(env), addr, size, MMU_DATA_STORE,
927 mmu_idx, retaddr);
928 }
929 }
930 }
931
932 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
933 * operations, or io operations to proceed. Return the host address. */
934 static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
935 TCGMemOpIdx oi, uintptr_t retaddr,
936 NotDirtyInfo *ndi)
937 {
938 size_t mmu_idx = get_mmuidx(oi);
939 uintptr_t index = tlb_index(env, mmu_idx, addr);
940 CPUTLBEntry *tlbe = tlb_entry(env, mmu_idx, addr);
941 target_ulong tlb_addr = tlb_addr_write(tlbe);
942 TCGMemOp mop = get_memop(oi);
943 int a_bits = get_alignment_bits(mop);
944 int s_bits = mop & MO_SIZE;
945 void *hostaddr;
946
947 /* Adjust the given return address. */
948 retaddr -= GETPC_ADJ;
949
950 /* Enforce guest required alignment. */
951 if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
952 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
953 cpu_unaligned_access(ENV_GET_CPU(env), addr, MMU_DATA_STORE,
954 mmu_idx, retaddr);
955 }
956
957 /* Enforce qemu required alignment. */
958 if (unlikely(addr & ((1 << s_bits) - 1))) {
959 /* We get here if guest alignment was not requested,
960 or was not enforced by cpu_unaligned_access above.
961 We might widen the access and emulate, but for now
962 mark an exception and exit the cpu loop. */
963 goto stop_the_world;
964 }
965
966 /* Check TLB entry and enforce page permissions. */
967 if (!tlb_hit(tlb_addr, addr)) {
968 if (!VICTIM_TLB_HIT(addr_write, addr)) {
969 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_STORE,
970 mmu_idx, retaddr);
971 }
972 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
973 }
974
975 /* Notice an IO access or a needs-MMU-lookup access */
976 if (unlikely(tlb_addr & (TLB_MMIO | TLB_RECHECK))) {
977 /* There's really nothing that can be done to
978 support this apart from stop-the-world. */
979 goto stop_the_world;
980 }
981
982 /* Let the guest notice RMW on a write-only page. */
983 if (unlikely(tlbe->addr_read != (tlb_addr & ~TLB_NOTDIRTY))) {
984 tlb_fill(ENV_GET_CPU(env), addr, 1 << s_bits, MMU_DATA_LOAD,
985 mmu_idx, retaddr);
986 /* Since we don't support reads and writes to different addresses,
987 and we do have the proper page loaded for write, this shouldn't
988 ever return. But just in case, handle via stop-the-world. */
989 goto stop_the_world;
990 }
991
992 hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
993
994 ndi->active = false;
995 if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
996 ndi->active = true;
997 memory_notdirty_write_prepare(ndi, ENV_GET_CPU(env), addr,
998 qemu_ram_addr_from_host_nofail(hostaddr),
999 1 << s_bits);
1000 }
1001
1002 return hostaddr;
1003
1004 stop_the_world:
1005 cpu_loop_exit_atomic(ENV_GET_CPU(env), retaddr);
1006 }
1007
1008 #ifdef TARGET_WORDS_BIGENDIAN
1009 # define TGT_BE(X) (X)
1010 # define TGT_LE(X) BSWAP(X)
1011 #else
1012 # define TGT_BE(X) BSWAP(X)
1013 # define TGT_LE(X) (X)
1014 #endif
1015
1016 #define MMUSUFFIX _mmu
1017
1018 #define DATA_SIZE 1
1019 #include "softmmu_template.h"
1020
1021 #define DATA_SIZE 2
1022 #include "softmmu_template.h"
1023
1024 #define DATA_SIZE 4
1025 #include "softmmu_template.h"
1026
1027 #define DATA_SIZE 8
1028 #include "softmmu_template.h"
1029
1030 /* First set of helpers allows passing in of OI and RETADDR. This makes
1031 them callable from other helpers. */
1032
1033 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1034 #define ATOMIC_NAME(X) \
1035 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1036 #define ATOMIC_MMU_DECLS NotDirtyInfo ndi
1037 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
1038 #define ATOMIC_MMU_CLEANUP \
1039 do { \
1040 if (unlikely(ndi.active)) { \
1041 memory_notdirty_write_complete(&ndi); \
1042 } \
1043 } while (0)
1044
1045 #define DATA_SIZE 1
1046 #include "atomic_template.h"
1047
1048 #define DATA_SIZE 2
1049 #include "atomic_template.h"
1050
1051 #define DATA_SIZE 4
1052 #include "atomic_template.h"
1053
1054 #ifdef CONFIG_ATOMIC64
1055 #define DATA_SIZE 8
1056 #include "atomic_template.h"
1057 #endif
1058
1059 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
1060 #define DATA_SIZE 16
1061 #include "atomic_template.h"
1062 #endif
1063
1064 /* Second set of helpers are directly callable from TCG as helpers. */
1065
1066 #undef EXTRA_ARGS
1067 #undef ATOMIC_NAME
1068 #undef ATOMIC_MMU_LOOKUP
1069 #define EXTRA_ARGS , TCGMemOpIdx oi
1070 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1071 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)
1072
1073 #define DATA_SIZE 1
1074 #include "atomic_template.h"
1075
1076 #define DATA_SIZE 2
1077 #include "atomic_template.h"
1078
1079 #define DATA_SIZE 4
1080 #include "atomic_template.h"
1081
1082 #ifdef CONFIG_ATOMIC64
1083 #define DATA_SIZE 8
1084 #include "atomic_template.h"
1085 #endif
1086
1087 /* Code access functions. */
1088
1089 #undef MMUSUFFIX
1090 #define MMUSUFFIX _cmmu
1091 #undef GETPC
1092 #define GETPC() ((uintptr_t)0)
1093 #define SOFTMMU_CODE_ACCESS
1094
1095 #define DATA_SIZE 1
1096 #include "softmmu_template.h"
1097
1098 #define DATA_SIZE 2
1099 #include "softmmu_template.h"
1100
1101 #define DATA_SIZE 4
1102 #include "softmmu_template.h"
1103
1104 #define DATA_SIZE 8
1105 #include "softmmu_template.h"
QEMU mirror