1 /*
2  *  virtual page mapping and translated block handling
3  *
4  *  Copyright (c) 2003 Fabrice Bellard
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  */
19 #include "config.h"
20 #ifdef _WIN32
21 #define WIN32_LEAN_AND_MEAN
22 #include <windows.h>
23 #else
24 #include <sys/types.h>
25 #include <sys/mman.h>
26 #endif
27 #include <stdlib.h>
28 #include <stdio.h>
29 #include <stdarg.h>
30 #include <string.h>
31 #include <errno.h>
32 #include <unistd.h>
33 #include <inttypes.h>
34 
35 #include "cpu.h"
36 #include "exec-all.h"
37 #include "qemu-common.h"
38 #include "tcg.h"
39 #include "hw/hw.h"
40 #include "osdep.h"
41 #include "kvm.h"
42 #include "hax.h"
43 #include "qemu-timer.h"
44 #if defined(CONFIG_USER_ONLY)
45 #include <qemu.h>
46 #endif
47 #ifdef CONFIG_MEMCHECK
48 #include "memcheck/memcheck_api.h"
49 #endif  // CONFIG_MEMCHECK
50 
51 //#define DEBUG_TB_INVALIDATE
52 //#define DEBUG_FLUSH
53 //#define DEBUG_TLB
54 //#define DEBUG_UNASSIGNED
55 
56 /* make various TB consistency checks */
57 //#define DEBUG_TB_CHECK
58 //#define DEBUG_TLB_CHECK
59 
60 //#define DEBUG_IOPORT
61 //#define DEBUG_SUBPAGE
62 
63 #if !defined(CONFIG_USER_ONLY)
64 /* TB consistency checks only implemented for usermode emulation.  */
65 #undef DEBUG_TB_CHECK
66 #endif
67 
68 #define SMC_BITMAP_USE_THRESHOLD 10
69 
70 #if defined(TARGET_SPARC64)
71 #define TARGET_PHYS_ADDR_SPACE_BITS 41
72 #elif defined(TARGET_SPARC)
73 #define TARGET_PHYS_ADDR_SPACE_BITS 36
74 #elif defined(TARGET_ALPHA)
75 #define TARGET_PHYS_ADDR_SPACE_BITS 42
76 #define TARGET_VIRT_ADDR_SPACE_BITS 42
77 #elif defined(TARGET_PPC64)
78 #define TARGET_PHYS_ADDR_SPACE_BITS 42
79 #elif defined(TARGET_X86_64)
80 #define TARGET_PHYS_ADDR_SPACE_BITS 42
81 #elif defined(TARGET_I386)
82 #define TARGET_PHYS_ADDR_SPACE_BITS 36
83 #else
84 #define TARGET_PHYS_ADDR_SPACE_BITS 32
85 #endif
86 
87 static TranslationBlock *tbs;
88 int code_gen_max_blocks;
89 TranslationBlock *tb_phys_hash[CODE_GEN_PHYS_HASH_SIZE];
90 static int nb_tbs;
91 /* any access to the tbs or the page table must use this lock */
92 spinlock_t tb_lock = SPIN_LOCK_UNLOCKED;
93 
94 #if defined(__arm__) || defined(__sparc_v9__)
95 /* The prologue must be reachable with a direct jump. ARM and Sparc64
 96  have limited branch ranges (possibly also PPC), so place it in a
 97  section close to the code segment. */
98 #define code_gen_section                                \
99     __attribute__((__section__(".gen_code")))           \
100     __attribute__((aligned (32)))
101 #elif defined(_WIN32)
102 /* Maximum alignment for Win32 is 16. */
103 #define code_gen_section                                \
104     __attribute__((aligned (16)))
105 #else
106 #define code_gen_section                                \
107     __attribute__((aligned (32)))
108 #endif
109 
110 uint8_t code_gen_prologue[1024] code_gen_section;
111 static uint8_t *code_gen_buffer;
112 static unsigned long code_gen_buffer_size;
113 /* threshold to flush the translated code buffer */
114 static unsigned long code_gen_buffer_max_size;
115 uint8_t *code_gen_ptr;
116 
117 #if !defined(CONFIG_USER_ONLY)
118 int phys_ram_fd;
119 static int in_migration;
120 
121 RAMList ram_list = { .blocks = QLIST_HEAD_INITIALIZER(ram_list) };
122 #endif
123 
124 CPUState *first_cpu;
125 /* current CPU in the current thread. It is only valid inside
126    cpu_exec() */
127 CPUState *cpu_single_env;
128 /* 0 = Do not count executed instructions.
129    1 = Precise instruction counting.
130    2 = Adaptive rate instruction counting.  */
131 int use_icount = 0;
132 /* Current instruction counter.  While executing translated code this may
133    include some instructions that have not yet been executed.  */
134 int64_t qemu_icount;
135 
136 typedef struct PageDesc {
137     /* list of TBs intersecting this ram page */
138     TranslationBlock *first_tb;
139     /* in order to optimize self modifying code, we count the number
140        of lookups we do to a given page to use a bitmap */
141     unsigned int code_write_count;
142     uint8_t *code_bitmap;
143 #if defined(CONFIG_USER_ONLY)
144     unsigned long flags;
145 #endif
146 } PageDesc;
147 
148 typedef struct PhysPageDesc {
149     /* offset in host memory of the page + io_index in the low bits */
150     ram_addr_t phys_offset;
151     ram_addr_t region_offset;
152 } PhysPageDesc;
153 
154 #define L2_BITS 10
155 #if defined(CONFIG_USER_ONLY) && defined(TARGET_VIRT_ADDR_SPACE_BITS)
156 /* XXX: this is a temporary hack for alpha target.
157  *      In the future, this is to be replaced by a multi-level table
158  *      to actually be able to handle the complete 64 bits address space.
159  */
160 #define L1_BITS (TARGET_VIRT_ADDR_SPACE_BITS - L2_BITS - TARGET_PAGE_BITS)
161 #else
162 #define L1_BITS (32 - L2_BITS - TARGET_PAGE_BITS)
163 #endif
164 
165 #define L1_SIZE (1 << L1_BITS)
166 #define L2_SIZE (1 << L2_BITS)
167 
168 unsigned long qemu_real_host_page_size;
169 unsigned long qemu_host_page_bits;
170 unsigned long qemu_host_page_size;
171 unsigned long qemu_host_page_mask;
172 
173 /* XXX: for system emulation, it could just be an array */
174 static PageDesc *l1_map[L1_SIZE];
175 static PhysPageDesc **l1_phys_map;
176 
177 #if !defined(CONFIG_USER_ONLY)
178 static void io_mem_init(void);
179 
180 /* io memory support */
181 CPUWriteMemoryFunc *io_mem_write[IO_MEM_NB_ENTRIES][4];
182 CPUReadMemoryFunc *io_mem_read[IO_MEM_NB_ENTRIES][4];
183 void *io_mem_opaque[IO_MEM_NB_ENTRIES];
184 static char io_mem_used[IO_MEM_NB_ENTRIES];
185 static int io_mem_watch;
186 #endif
187 
188 /* log support */
189 #ifdef WIN32
190 static const char *logfilename = "qemu.log";
191 #else
192 static const char *logfilename = "/tmp/qemu.log";
193 #endif
194 FILE *logfile;
195 int loglevel;
196 static int log_append = 0;
197 
198 /* statistics */
199 static int tlb_flush_count;
200 static int tb_flush_count;
201 static int tb_phys_invalidate_count;
202 
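/* Sub-page support: a subpage_t splits one target page into per-offset
   read/write handler tables and region offsets, so accesses to a page
   backed by more than one memory region can be dispatched correctly. */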
203 #define SUBPAGE_IDX(addr) ((addr) & ~TARGET_PAGE_MASK)
204 typedef struct subpage_t {
205     target_phys_addr_t base;
206     CPUReadMemoryFunc **mem_read[TARGET_PAGE_SIZE][4];
207     CPUWriteMemoryFunc **mem_write[TARGET_PAGE_SIZE][4];
208     void *opaque[TARGET_PAGE_SIZE][2][4];
209     ram_addr_t region_offset[TARGET_PAGE_SIZE][2][4];
210 } subpage_t;
211 
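/* map_exec(): make a range of host memory executable.  The Win32 variant
   uses VirtualProtect(); the POSIX variant rounds the range out to host
   page boundaries and calls mprotect() with RWX permissions. */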
212 #ifdef _WIN32
213 static void map_exec(void *addr, long size)
214 {
215     DWORD old_protect;
216     VirtualProtect(addr, size,
217                    PAGE_EXECUTE_READWRITE, &old_protect);
218 
219 }
220 #else
221 static void map_exec(void *addr, long size)
222 {
223     unsigned long start, end, page_size;
224 
225     page_size = getpagesize();
226     start = (unsigned long)addr;
227     start &= ~(page_size - 1);
228 
229     end = (unsigned long)addr + size;
230     end += page_size - 1;
231     end &= ~(page_size - 1);
232 
233     mprotect((void *)start, end - start,
234              PROT_READ | PROT_WRITE | PROT_EXEC);
235 }
236 #endif
237 
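/* page_init(): query the real host page size, derive qemu_host_page_size/
   bits/mask (never smaller than TARGET_PAGE_SIZE), allocate the first level
   of the physical page map and, for user-mode emulation, mark the host
   mappings listed in /proc/self/maps as PAGE_RESERVED. */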
238 static void page_init(void)
239 {
240     /* NOTE: we can always suppose that qemu_host_page_size >=
241        TARGET_PAGE_SIZE */
242 #ifdef _WIN32
243     {
244         SYSTEM_INFO system_info;
245 
246         GetSystemInfo(&system_info);
247         qemu_real_host_page_size = system_info.dwPageSize;
248     }
249 #else
250     qemu_real_host_page_size = getpagesize();
251 #endif
252     if (qemu_host_page_size == 0)
253         qemu_host_page_size = qemu_real_host_page_size;
254     if (qemu_host_page_size < TARGET_PAGE_SIZE)
255         qemu_host_page_size = TARGET_PAGE_SIZE;
256     qemu_host_page_bits = 0;
257     while ((1 << qemu_host_page_bits) < qemu_host_page_size)
258         qemu_host_page_bits++;
259     qemu_host_page_mask = ~(qemu_host_page_size - 1);
260     l1_phys_map = qemu_vmalloc(L1_SIZE * sizeof(void *));
261     memset(l1_phys_map, 0, L1_SIZE * sizeof(void *));
262 
263 #if !defined(_WIN32) && defined(CONFIG_USER_ONLY)
264     {
265         long long startaddr, endaddr;
266         FILE *f;
267         int n;
268 
269         mmap_lock();
270         last_brk = (unsigned long)sbrk(0);
271         f = fopen("/proc/self/maps", "r");
272         if (f) {
273             do {
274                 n = fscanf (f, "%llx-%llx %*[^\n]\n", &startaddr, &endaddr);
275                 if (n == 2) {
276                     startaddr = MIN(startaddr,
277                                     (1ULL << TARGET_PHYS_ADDR_SPACE_BITS) - 1);
278                     endaddr = MIN(endaddr,
279                                     (1ULL << TARGET_PHYS_ADDR_SPACE_BITS) - 1);
280                     page_set_flags(startaddr & TARGET_PAGE_MASK,
281                                    TARGET_PAGE_ALIGN(endaddr),
282                                    PAGE_RESERVED);
283                 }
284             } while (!feof(f));
285             fclose(f);
286         }
287         mmap_unlock();
288     }
289 #endif
290 }
291 
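/* Virtual page descriptors live in a two-level table: l1_map[] holds
   pointers to L2_SIZE-entry PageDesc arrays.  page_l1_map() returns the
   L1 slot, page_find_alloc() allocates the L2 array on demand, and
   page_find() is the lookup-only variant. */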
292 static inline PageDesc **page_l1_map(target_ulong index)
293 {
294 #if TARGET_LONG_BITS > 32
295     /* Host memory outside guest VM.  For 32-bit targets we have already
296        excluded high addresses.  */
297     if (index > ((target_ulong)L2_SIZE * L1_SIZE))
298         return NULL;
299 #endif
300     return &l1_map[index >> L2_BITS];
301 }
302 
303 static inline PageDesc *page_find_alloc(target_ulong index)
304 {
305     PageDesc **lp, *p;
306     lp = page_l1_map(index);
307     if (!lp)
308         return NULL;
309 
310     p = *lp;
311     if (!p) {
312         /* allocate if not found */
313 #if defined(CONFIG_USER_ONLY)
314         size_t len = sizeof(PageDesc) * L2_SIZE;
315         /* Don't use qemu_malloc because it may recurse.  */
316         p = mmap(NULL, len, PROT_READ | PROT_WRITE,
317                  MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
318         *lp = p;
319         if (h2g_valid(p)) {
320             unsigned long addr = h2g(p);
321             page_set_flags(addr & TARGET_PAGE_MASK,
322                            TARGET_PAGE_ALIGN(addr + len),
323                            PAGE_RESERVED);
324         }
325 #else
326         p = qemu_mallocz(sizeof(PageDesc) * L2_SIZE);
327         *lp = p;
328 #endif
329     }
330     return p + (index & (L2_SIZE - 1));
331 }
332 
333 static inline PageDesc *page_find(target_ulong index)
334 {
335     PageDesc **lp, *p;
336     lp = page_l1_map(index);
337     if (!lp)
338         return NULL;
339 
340     p = *lp;
341     if (!p) {
342         return NULL;
343     }
344     return p + (index & (L2_SIZE - 1));
345 }
346 
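/* Physical page descriptors use the same scheme, rooted at l1_phys_map.
   When the physical address space is wider than 32 bits an extra level of
   indirection is inserted; freshly allocated entries start out as
   IO_MEM_UNASSIGNED. */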
347 static PhysPageDesc *phys_page_find_alloc(target_phys_addr_t index, int alloc)
348 {
349     void **lp, **p;
350     PhysPageDesc *pd;
351 
352     p = (void **)l1_phys_map;
353 #if TARGET_PHYS_ADDR_SPACE_BITS > 32
354 
355 #if TARGET_PHYS_ADDR_SPACE_BITS > (32 + L1_BITS)
356 #error unsupported TARGET_PHYS_ADDR_SPACE_BITS
357 #endif
358     lp = p + ((index >> (L1_BITS + L2_BITS)) & (L1_SIZE - 1));
359     p = *lp;
360     if (!p) {
361         /* allocate if not found */
362         if (!alloc)
363             return NULL;
364         p = qemu_vmalloc(sizeof(void *) * L1_SIZE);
365         memset(p, 0, sizeof(void *) * L1_SIZE);
366         *lp = p;
367     }
368 #endif
369     lp = p + ((index >> L2_BITS) & (L1_SIZE - 1));
370     pd = *lp;
371     if (!pd) {
372         int i;
373         /* allocate if not found */
374         if (!alloc)
375             return NULL;
376         pd = qemu_vmalloc(sizeof(PhysPageDesc) * L2_SIZE);
377         *lp = pd;
378         for (i = 0; i < L2_SIZE; i++) {
379           pd[i].phys_offset = IO_MEM_UNASSIGNED;
380           pd[i].region_offset = (index + i) << TARGET_PAGE_BITS;
381         }
382     }
383     return ((PhysPageDesc *)pd) + (index & (L2_SIZE - 1));
384 }
385 
386 static inline PhysPageDesc *phys_page_find(target_phys_addr_t index)
387 {
388     return phys_page_find_alloc(index, 0);
389 }
390 
391 #if !defined(CONFIG_USER_ONLY)
392 static void tlb_protect_code(ram_addr_t ram_addr);
393 static void tlb_unprotect_code_phys(CPUState *env, ram_addr_t ram_addr,
394                                     target_ulong vaddr);
395 #define mmap_lock() do { } while(0)
396 #define mmap_unlock() do { } while(0)
397 #endif
398 
399 #define DEFAULT_CODE_GEN_BUFFER_SIZE (32 * 1024 * 1024)
400 
401 #if defined(CONFIG_USER_ONLY)
402 /* Currently it is not recommended to allocate big chunks of data in
403    user mode. This will change once a dedicated libc is used. */
404 #define USE_STATIC_CODE_GEN_BUFFER
405 #endif
406 
407 #ifdef USE_STATIC_CODE_GEN_BUFFER
408 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE];
409 #endif
410 
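/* code_gen_alloc(): set up the buffer that receives translated host code.
   User-mode builds use a static buffer; otherwise the buffer is mmap'ed
   (placed low enough for direct calls/branches on hosts that need it) or
   heap-allocated and then marked executable.  Also sizes the TB array. */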
411 static void code_gen_alloc(unsigned long tb_size)
412 {
413 #ifdef USE_STATIC_CODE_GEN_BUFFER
414     code_gen_buffer = static_code_gen_buffer;
415     code_gen_buffer_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
416     map_exec(code_gen_buffer, code_gen_buffer_size);
417 #else
418     code_gen_buffer_size = tb_size;
419     if (code_gen_buffer_size == 0) {
420 #if defined(CONFIG_USER_ONLY)
421         /* in user mode, phys_ram_size is not meaningful */
422         code_gen_buffer_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
423 #else
424         /* XXX: needs adjustments */
425         code_gen_buffer_size = (unsigned long)(ram_size / 4);
426 #endif
427     }
428     if (code_gen_buffer_size < MIN_CODE_GEN_BUFFER_SIZE)
429         code_gen_buffer_size = MIN_CODE_GEN_BUFFER_SIZE;
430     /* The code gen buffer location may have constraints depending on
431        the host cpu and OS */
432 #if defined(__linux__)
433     {
434         int flags;
435         void *start = NULL;
436 
437         flags = MAP_PRIVATE | MAP_ANONYMOUS;
438 #if defined(__x86_64__)
439         flags |= MAP_32BIT;
440         /* Cannot map more than that */
441         if (code_gen_buffer_size > (800 * 1024 * 1024))
442             code_gen_buffer_size = (800 * 1024 * 1024);
443 #elif defined(__sparc_v9__)
444         // Map the buffer below 2G, so we can use direct calls and branches
445         flags |= MAP_FIXED;
446         start = (void *) 0x60000000UL;
447         if (code_gen_buffer_size > (512 * 1024 * 1024))
448             code_gen_buffer_size = (512 * 1024 * 1024);
449 #elif defined(__arm__)
450         /* Map the buffer below 32M, so we can use direct calls and branches */
451         flags |= MAP_FIXED;
452         start = (void *) 0x01000000UL;
453         if (code_gen_buffer_size > 16 * 1024 * 1024)
454             code_gen_buffer_size = 16 * 1024 * 1024;
455 #elif defined(__s390x__)
456         /* Map the buffer so that we can use direct calls and branches.  */
457         /* We have a +- 4GB range on the branches; leave some slop.  */
458         if (code_gen_buffer_size > (3ul * 1024 * 1024 * 1024)) {
459             code_gen_buffer_size = 3ul * 1024 * 1024 * 1024;
460         }
461         start = (void *)0x90000000UL;
462 #endif
463         code_gen_buffer = mmap(start, code_gen_buffer_size,
464                                PROT_WRITE | PROT_READ | PROT_EXEC,
465                                flags, -1, 0);
466         if (code_gen_buffer == MAP_FAILED) {
467             fprintf(stderr, "Could not allocate dynamic translator buffer\n");
468             exit(1);
469         }
470     }
471 #elif defined(__FreeBSD__) || defined(__FreeBSD_kernel__) \
472     || defined(__DragonFly__) || defined(__OpenBSD__)
473     {
474         int flags;
475         void *addr = NULL;
476         flags = MAP_PRIVATE | MAP_ANONYMOUS;
477 #if defined(__x86_64__)
478         /* FreeBSD doesn't have MAP_32BIT, use MAP_FIXED and assume
479          * 0x40000000 is free */
480         flags |= MAP_FIXED;
481         addr = (void *)0x40000000;
482         /* Cannot map more than that */
483         if (code_gen_buffer_size > (800 * 1024 * 1024))
484             code_gen_buffer_size = (800 * 1024 * 1024);
485 #elif defined(__sparc_v9__)
486         // Map the buffer below 2G, so we can use direct calls and branches
487         flags |= MAP_FIXED;
488         addr = (void *) 0x60000000UL;
489         if (code_gen_buffer_size > (512 * 1024 * 1024)) {
490             code_gen_buffer_size = (512 * 1024 * 1024);
491         }
492 #endif
493         code_gen_buffer = mmap(addr, code_gen_buffer_size,
494                                PROT_WRITE | PROT_READ | PROT_EXEC,
495                                flags, -1, 0);
496         if (code_gen_buffer == MAP_FAILED) {
497             fprintf(stderr, "Could not allocate dynamic translator buffer\n");
498             exit(1);
499         }
500     }
501 #else
502     code_gen_buffer = qemu_malloc(code_gen_buffer_size);
503     map_exec(code_gen_buffer, code_gen_buffer_size);
504 #endif
505 #endif /* !USE_STATIC_CODE_GEN_BUFFER */
506     map_exec(code_gen_prologue, sizeof(code_gen_prologue));
507     code_gen_buffer_max_size = code_gen_buffer_size -
508         code_gen_max_block_size();
509     code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
510     tbs = qemu_malloc(code_gen_max_blocks * sizeof(TranslationBlock));
511 }
512 
513 /* Must be called before using the QEMU cpus. 'tb_size' is the size
514    (in bytes) allocated to the translation buffer. Zero means default
515    size. */
516 void cpu_exec_init_all(unsigned long tb_size)
517 {
518     cpu_gen_init();
519     code_gen_alloc(tb_size);
520     code_gen_ptr = code_gen_buffer;
521     page_init();
522 #if !defined(CONFIG_USER_ONLY)
523     io_mem_init();
524 #endif
525 #if !defined(CONFIG_USER_ONLY) || !defined(CONFIG_USE_GUEST_BASE)
526     /* There's no guest base to take into account, so go ahead and
527        initialize the prologue now.  */
528     tcg_prologue_init(&tcg_ctx);
529 #endif
530 }
531 
532 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
533 
534 #define CPU_COMMON_SAVE_VERSION 1
535 
536 static void cpu_common_save(QEMUFile *f, void *opaque)
537 {
538     CPUState *env = opaque;
539 
540     cpu_synchronize_state(env, 0);
541 
542     qemu_put_be32s(f, &env->halted);
543     qemu_put_be32s(f, &env->interrupt_request);
544 }
545 
546 static int cpu_common_load(QEMUFile *f, void *opaque, int version_id)
547 {
548     CPUState *env = opaque;
549 
550     if (version_id != CPU_COMMON_SAVE_VERSION)
551         return -EINVAL;
552 
553     qemu_get_be32s(f, &env->halted);
554     qemu_get_be32s(f, &env->interrupt_request);
555     /* 0x01 was CPU_INTERRUPT_EXIT. This line can be removed when the
556        version_id is increased. */
557     env->interrupt_request &= ~0x01;
558     tlb_flush(env, 1);
559     cpu_synchronize_state(env, 1);
560 
561     return 0;
562 }
563 #endif
564 
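/* Return the CPUState whose cpu_index matches 'cpu', or NULL if no such
   CPU is registered. */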
565 CPUState *qemu_get_cpu(int cpu)
566 {
567     CPUState *env = first_cpu;
568 
569     while (env) {
570         if (env->cpu_index == cpu)
571             break;
572         env = env->next_cpu;
573     }
574 
575     return env;
576 }
577 
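/* Register a newly created virtual CPU: append it to the global CPU list,
   give it the next free cpu_index, initialize its breakpoint/watchpoint
   queues and, for system emulation, register its savevm handlers. */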
578 void cpu_exec_init(CPUState *env)
579 {
580     CPUState **penv;
581     int cpu_index;
582 
583 #if defined(CONFIG_USER_ONLY)
584     cpu_list_lock();
585 #endif
586     env->next_cpu = NULL;
587     penv = &first_cpu;
588     cpu_index = 0;
589     while (*penv != NULL) {
590         penv = &(*penv)->next_cpu;
591         cpu_index++;
592     }
593     env->cpu_index = cpu_index;
594     env->numa_node = 0;
595     QTAILQ_INIT(&env->breakpoints);
596     QTAILQ_INIT(&env->watchpoints);
597     *penv = env;
598 #if defined(CONFIG_USER_ONLY)
599     cpu_list_unlock();
600 #endif
601 #if defined(CPU_SAVE_VERSION) && !defined(CONFIG_USER_ONLY)
602     register_savevm("cpu_common", cpu_index, CPU_COMMON_SAVE_VERSION,
603                     cpu_common_save, cpu_common_load, env);
604     register_savevm("cpu", cpu_index, CPU_SAVE_VERSION,
605                     cpu_save, cpu_load, env);
606 #endif
607 }
608 
609 static inline void invalidate_page_bitmap(PageDesc *p)
610 {
611     if (p->code_bitmap) {
612         qemu_free(p->code_bitmap);
613         p->code_bitmap = NULL;
614     }
615     p->code_write_count = 0;
616 }
617 
618 /* set to NULL all the 'first_tb' fields in all PageDescs */
619 static void page_flush_tb(void)
620 {
621     int i, j;
622     PageDesc *p;
623 
624     for(i = 0; i < L1_SIZE; i++) {
625         p = l1_map[i];
626         if (p) {
627             for(j = 0; j < L2_SIZE; j++) {
628                 p->first_tb = NULL;
629                 invalidate_page_bitmap(p);
630                 p++;
631             }
632         }
633     }
634 }
635 
636 /* flush all the translation blocks */
637 /* XXX: tb_flush is currently not thread safe */
638 void tb_flush(CPUState *env1)
639 {
640     CPUState *env;
641 #if defined(DEBUG_FLUSH)
642     printf("qemu: flush code_size=%ld nb_tbs=%d avg_tb_size=%ld\n",
643            (unsigned long)(code_gen_ptr - code_gen_buffer),
644            nb_tbs, nb_tbs > 0 ?
645            ((unsigned long)(code_gen_ptr - code_gen_buffer)) / nb_tbs : 0);
646 #endif
647     if ((unsigned long)(code_gen_ptr - code_gen_buffer) > code_gen_buffer_size)
648         cpu_abort(env1, "Internal error: code buffer overflow\n");
649 
650     nb_tbs = 0;
651 
652     for(env = first_cpu; env != NULL; env = env->next_cpu) {
653 #ifdef CONFIG_MEMCHECK
654         int tb_to_clean;
655         for (tb_to_clean = 0; tb_to_clean < TB_JMP_CACHE_SIZE; tb_to_clean++) {
656             if (env->tb_jmp_cache[tb_to_clean] != NULL &&
657                 env->tb_jmp_cache[tb_to_clean]->tpc2gpc != NULL) {
658                 qemu_free(env->tb_jmp_cache[tb_to_clean]->tpc2gpc);
659                 env->tb_jmp_cache[tb_to_clean]->tpc2gpc = NULL;
660                 env->tb_jmp_cache[tb_to_clean]->tpc2gpc_pairs = 0;
661             }
662         }
663 #endif  // CONFIG_MEMCHECK
664         memset (env->tb_jmp_cache, 0, TB_JMP_CACHE_SIZE * sizeof (void *));
665     }
666 
667     memset (tb_phys_hash, 0, CODE_GEN_PHYS_HASH_SIZE * sizeof (void *));
668     page_flush_tb();
669 
670     code_gen_ptr = code_gen_buffer;
671     /* XXX: flush processor icache at this point if cache flush is
672        expensive */
673     tb_flush_count++;
674 }
675 
676 #ifdef DEBUG_TB_CHECK
677 
678 static void tb_invalidate_check(target_ulong address)
679 {
680     TranslationBlock *tb;
681     int i;
682     address &= TARGET_PAGE_MASK;
683     for(i = 0;i < CODE_GEN_PHYS_HASH_SIZE; i++) {
684         for(tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
685             if (!(address + TARGET_PAGE_SIZE <= tb->pc ||
686                   address >= tb->pc + tb->size)) {
687                 printf("ERROR invalidate: address=" TARGET_FMT_lx
688                        " PC=%08lx size=%04x\n",
689                        address, (long)tb->pc, tb->size);
690             }
691         }
692     }
693 }
694 
695 /* verify that all the pages have correct rights for code */
696 static void tb_page_check(void)
697 {
698     TranslationBlock *tb;
699     int i, flags1, flags2;
700 
701     for(i = 0;i < CODE_GEN_PHYS_HASH_SIZE; i++) {
702         for(tb = tb_phys_hash[i]; tb != NULL; tb = tb->phys_hash_next) {
703             flags1 = page_get_flags(tb->pc);
704             flags2 = page_get_flags(tb->pc + tb->size - 1);
705             if ((flags1 & PAGE_WRITE) || (flags2 & PAGE_WRITE)) {
706                 printf("ERROR page flags: PC=%08lx size=%04x f1=%x f2=%x\n",
707                        (long)tb->pc, tb->size, flags1, flags2);
708             }
709         }
710     }
711 }
712 
713 #endif
714 
715 /* invalidate one TB */
716 static inline void tb_remove(TranslationBlock **ptb, TranslationBlock *tb,
717                              int next_offset)
718 {
719     TranslationBlock *tb1;
720     for(;;) {
721         tb1 = *ptb;
722         if (tb1 == tb) {
723             *ptb = *(TranslationBlock **)((char *)tb1 + next_offset);
724             break;
725         }
726         ptb = (TranslationBlock **)((char *)tb1 + next_offset);
727     }
728 }
729 
730 static inline void tb_page_remove(TranslationBlock **ptb, TranslationBlock *tb)
731 {
732     TranslationBlock *tb1;
733     unsigned int n1;
734 
735     for(;;) {
736         tb1 = *ptb;
737         n1 = (long)tb1 & 3;
738         tb1 = (TranslationBlock *)((long)tb1 & ~3);
739         if (tb1 == tb) {
740             *ptb = tb1->page_next[n1];
741             break;
742         }
743         ptb = &tb1->page_next[n1];
744     }
745 }
746 
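/* Unlink jump slot 'n' of 'tb' from the circular list of TBs that chain
   into the same destination TB. */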
747 static inline void tb_jmp_remove(TranslationBlock *tb, int n)
748 {
749     TranslationBlock *tb1, **ptb;
750     unsigned int n1;
751 
752     ptb = &tb->jmp_next[n];
753     tb1 = *ptb;
754     if (tb1) {
755         /* find tb(n) in circular list */
756         for(;;) {
757             tb1 = *ptb;
758             n1 = (long)tb1 & 3;
759             tb1 = (TranslationBlock *)((long)tb1 & ~3);
760             if (n1 == n && tb1 == tb)
761                 break;
762             if (n1 == 2) {
763                 ptb = &tb1->jmp_first;
764             } else {
765                 ptb = &tb1->jmp_next[n1];
766             }
767         }
768         /* now we can suppress tb(n) from the list */
769         *ptb = tb->jmp_next[n];
770 
771         tb->jmp_next[n] = NULL;
772     }
773 }
774 
775 /* reset the jump entry 'n' of a TB so that it is not chained to
776    another TB */
777 static inline void tb_reset_jump(TranslationBlock *tb, int n)
778 {
779     tb_set_jmp_target(tb, n, (unsigned long)(tb->tc_ptr + tb->tb_next_offset[n]));
780 }
781 
782 void tb_phys_invalidate(TranslationBlock *tb, target_ulong page_addr)
783 {
784     CPUState *env;
785     PageDesc *p;
786     unsigned int h, n1;
787     target_phys_addr_t phys_pc;
788     TranslationBlock *tb1, *tb2;
789 
790     /* remove the TB from the hash list */
791     phys_pc = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
792     h = tb_phys_hash_func(phys_pc);
793     tb_remove(&tb_phys_hash[h], tb,
794               offsetof(TranslationBlock, phys_hash_next));
795 
796     /* remove the TB from the page list */
797     if (tb->page_addr[0] != page_addr) {
798         p = page_find(tb->page_addr[0] >> TARGET_PAGE_BITS);
799         tb_page_remove(&p->first_tb, tb);
800         invalidate_page_bitmap(p);
801     }
802     if (tb->page_addr[1] != -1 && tb->page_addr[1] != page_addr) {
803         p = page_find(tb->page_addr[1] >> TARGET_PAGE_BITS);
804         tb_page_remove(&p->first_tb, tb);
805         invalidate_page_bitmap(p);
806     }
807 
808     tb_invalidated_flag = 1;
809 
810     /* remove the TB from the hash list */
811     h = tb_jmp_cache_hash_func(tb->pc);
812     for(env = first_cpu; env != NULL; env = env->next_cpu) {
813         if (env->tb_jmp_cache[h] == tb)
814             env->tb_jmp_cache[h] = NULL;
815     }
816 
817     /* suppress this TB from the two jump lists */
818     tb_jmp_remove(tb, 0);
819     tb_jmp_remove(tb, 1);
820 
821     /* suppress any remaining jumps to this TB */
822     tb1 = tb->jmp_first;
823     for(;;) {
824         n1 = (long)tb1 & 3;
825         if (n1 == 2)
826             break;
827         tb1 = (TranslationBlock *)((long)tb1 & ~3);
828         tb2 = tb1->jmp_next[n1];
829         tb_reset_jump(tb1, n1);
830         tb1->jmp_next[n1] = NULL;
831         tb1 = tb2;
832     }
833     tb->jmp_first = (TranslationBlock *)((long)tb | 2); /* fail safe */
834 
835 #ifdef CONFIG_MEMCHECK
836     if (tb->tpc2gpc != NULL) {
837         qemu_free(tb->tpc2gpc);
838         tb->tpc2gpc = NULL;
839         tb->tpc2gpc_pairs = 0;
840     }
841 #endif  // CONFIG_MEMCHECK
842 
843     tb_phys_invalidate_count++;
844 }
845 
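/* Set 'len' consecutive bits starting at bit index 'start' in the byte
   array 'tab' (helper for the per-page code bitmap). */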
846 static inline void set_bits(uint8_t *tab, int start, int len)
847 {
848     int end, mask, end1;
849 
850     end = start + len;
851     tab += start >> 3;
852     mask = 0xff << (start & 7);
853     if ((start & ~7) == (end & ~7)) {
854         if (start < end) {
855             mask &= ~(0xff << (end & 7));
856             *tab |= mask;
857         }
858     } else {
859         *tab++ |= mask;
860         start = (start + 8) & ~7;
861         end1 = end & ~7;
862         while (start < end1) {
863             *tab++ = 0xff;
864             start += 8;
865         }
866         if (start < end) {
867             mask = ~(0xff << (end & 7));
868             *tab |= mask;
869         }
870     }
871 }
872 
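/* Build p->code_bitmap, marking which bytes of the page are covered by
   translated code, so that writes outside translated regions can avoid a
   full invalidation (see tb_invalidate_phys_page_fast). */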
873 static void build_page_bitmap(PageDesc *p)
874 {
875     int n, tb_start, tb_end;
876     TranslationBlock *tb;
877 
878     p->code_bitmap = qemu_mallocz(TARGET_PAGE_SIZE / 8);
879 
880     tb = p->first_tb;
881     while (tb != NULL) {
882         n = (long)tb & 3;
883         tb = (TranslationBlock *)((long)tb & ~3);
884         /* NOTE: this is subtle as a TB may span two physical pages */
885         if (n == 0) {
886             /* NOTE: tb_end may be after the end of the page, but
887                it is not a problem */
888             tb_start = tb->pc & ~TARGET_PAGE_MASK;
889             tb_end = tb_start + tb->size;
890             if (tb_end > TARGET_PAGE_SIZE)
891                 tb_end = TARGET_PAGE_SIZE;
892         } else {
893             tb_start = 0;
894             tb_end = ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
895         }
896         set_bits(p->code_bitmap, tb_start, tb_end - tb_start);
897         tb = tb->page_next[n];
898     }
899 }
900 
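/* Translate the guest code at (pc, cs_base, flags) into a fresh TB.  If the
   TB pool or code buffer is exhausted, everything is flushed and translation
   is retried; the result is linked into the physical page tables, spanning a
   second page when the block crosses a page boundary. */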
901 TranslationBlock *tb_gen_code(CPUState *env,
902                               target_ulong pc, target_ulong cs_base,
903                               int flags, int cflags)
904 {
905     TranslationBlock *tb;
906     uint8_t *tc_ptr;
907     target_ulong phys_pc, phys_page2, virt_page2;
908     int code_gen_size;
909 
910     phys_pc = get_phys_addr_code(env, pc);
911     tb = tb_alloc(pc);
912     if (!tb) {
913         /* flush must be done */
914         tb_flush(env);
915         /* cannot fail at this point */
916         tb = tb_alloc(pc);
917         /* Don't forget to invalidate previous TB info.  */
918         tb_invalidated_flag = 1;
919     }
920     tc_ptr = code_gen_ptr;
921     tb->tc_ptr = tc_ptr;
922     tb->cs_base = cs_base;
923     tb->flags = flags;
924     tb->cflags = cflags;
925 #ifdef CONFIG_TRACE
926     tb->bb_rec = NULL;
927     tb->prev_time = 0;
928 #endif
929     cpu_gen_code(env, tb, &code_gen_size);
930     code_gen_ptr = (void *)(((unsigned long)code_gen_ptr + code_gen_size + CODE_GEN_ALIGN - 1) & ~(CODE_GEN_ALIGN - 1));
931 
932     /* check next page if needed */
933     virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
934     phys_page2 = -1;
935     if ((pc & TARGET_PAGE_MASK) != virt_page2) {
936         phys_page2 = get_phys_addr_code(env, virt_page2);
937     }
938     tb_link_phys(tb, phys_pc, phys_page2);
939     return tb;
940 }
941 
942 /* invalidate all TBs which intersect with the target physical page
943    starting in range [start;end[. NOTE: start and end must refer to
944    the same physical page. 'is_cpu_write_access' should be true if called
945    from a real cpu write access: the virtual CPU will exit the current
946    TB if code is modified inside this TB. */
947 void tb_invalidate_phys_page_range(target_phys_addr_t start, target_phys_addr_t end,
948                                    int is_cpu_write_access)
949 {
950     TranslationBlock *tb, *tb_next, *saved_tb;
951     CPUState *env = cpu_single_env;
952     target_ulong tb_start, tb_end;
953     PageDesc *p;
954     int n;
955 #ifdef TARGET_HAS_PRECISE_SMC
956     int current_tb_not_found = is_cpu_write_access;
957     TranslationBlock *current_tb = NULL;
958     int current_tb_modified = 0;
959     target_ulong current_pc = 0;
960     target_ulong current_cs_base = 0;
961     int current_flags = 0;
962 #endif /* TARGET_HAS_PRECISE_SMC */
963 
964     p = page_find(start >> TARGET_PAGE_BITS);
965     if (!p)
966         return;
967     if (!p->code_bitmap &&
968         ++p->code_write_count >= SMC_BITMAP_USE_THRESHOLD &&
969         is_cpu_write_access) {
970         /* build code bitmap */
971         build_page_bitmap(p);
972     }
973 
974     /* we remove all the TBs in the range [start, end[ */
975     /* XXX: see if in some cases it could be faster to invalidate all the code */
976     tb = p->first_tb;
977     while (tb != NULL) {
978         n = (long)tb & 3;
979         tb = (TranslationBlock *)((long)tb & ~3);
980         tb_next = tb->page_next[n];
981         /* NOTE: this is subtle as a TB may span two physical pages */
982         if (n == 0) {
983             /* NOTE: tb_end may be after the end of the page, but
984                it is not a problem */
985             tb_start = tb->page_addr[0] + (tb->pc & ~TARGET_PAGE_MASK);
986             tb_end = tb_start + tb->size;
987         } else {
988             tb_start = tb->page_addr[1];
989             tb_end = tb_start + ((tb->pc + tb->size) & ~TARGET_PAGE_MASK);
990         }
991         if (!(tb_end <= start || tb_start >= end)) {
992 #ifdef TARGET_HAS_PRECISE_SMC
993             if (current_tb_not_found) {
994                 current_tb_not_found = 0;
995                 current_tb = NULL;
996                 if (env->mem_io_pc) {
997                     /* now we have a real cpu fault */
998                     current_tb = tb_find_pc(env->mem_io_pc);
999                 }
1000             }
1001             if (current_tb == tb &&
1002                 (current_tb->cflags & CF_COUNT_MASK) != 1) {
1003                 /* If we are modifying the current TB, we must stop
1004                 its execution. We could be more precise by checking
1005                 that the modification is after the current PC, but it
1006                 would require a specialized function to partially
1007                 restore the CPU state */
1008 
1009                 current_tb_modified = 1;
1010                 cpu_restore_state(current_tb, env,  env->mem_io_pc);
1011                 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
1012                                      &current_flags);
1013             }
1014 #endif /* TARGET_HAS_PRECISE_SMC */
1015             /* we need to do that to handle the case where a signal
1016                occurs while doing tb_phys_invalidate() */
1017             saved_tb = NULL;
1018             if (env) {
1019                 saved_tb = env->current_tb;
1020                 env->current_tb = NULL;
1021             }
1022             tb_phys_invalidate(tb, -1);
1023             if (env) {
1024                 env->current_tb = saved_tb;
1025                 if (env->interrupt_request && env->current_tb)
1026                     cpu_interrupt(env, env->interrupt_request);
1027             }
1028         }
1029         tb = tb_next;
1030     }
1031 #if !defined(CONFIG_USER_ONLY)
1032     /* if no code remaining, no need to continue to use slow writes */
1033     if (!p->first_tb) {
1034         invalidate_page_bitmap(p);
1035         if (is_cpu_write_access) {
1036             tlb_unprotect_code_phys(env, start, env->mem_io_vaddr);
1037         }
1038     }
1039 #endif
1040 #ifdef TARGET_HAS_PRECISE_SMC
1041     if (current_tb_modified) {
1042         /* we generate a block containing just the instruction
1043            modifying the memory. It will ensure that it cannot modify
1044            itself */
1045         env->current_tb = NULL;
1046         tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1047         cpu_resume_from_signal(env, NULL);
1048     }
1049 #endif
1050 }
1051 
1052 /* len must be <= 8 and start must be a multiple of len */
1053 static inline void tb_invalidate_phys_page_fast(target_phys_addr_t start, int len)
1054 {
1055     PageDesc *p;
1056     int offset, b;
1057 #if 0
1058     if (1) {
1059         qemu_log("modifying code at 0x%x size=%d EIP=%x PC=%08x\n",
1060                   cpu_single_env->mem_io_vaddr, len,
1061                   cpu_single_env->eip,
1062                   cpu_single_env->eip + (long)cpu_single_env->segs[R_CS].base);
1063     }
1064 #endif
1065     p = page_find(start >> TARGET_PAGE_BITS);
1066     if (!p)
1067         return;
1068     if (p->code_bitmap) {
1069         offset = start & ~TARGET_PAGE_MASK;
1070         b = p->code_bitmap[offset >> 3] >> (offset & 7);
1071         if (b & ((1 << len) - 1))
1072             goto do_invalidate;
1073     } else {
1074     do_invalidate:
1075         tb_invalidate_phys_page_range(start, start + len, 1);
1076     }
1077 }
1078 
1079 #if !defined(CONFIG_SOFTMMU)
1080 static void tb_invalidate_phys_page(target_phys_addr_t addr,
1081                                     unsigned long pc, void *puc)
1082 {
1083     TranslationBlock *tb;
1084     PageDesc *p;
1085     int n;
1086 #ifdef TARGET_HAS_PRECISE_SMC
1087     TranslationBlock *current_tb = NULL;
1088     CPUState *env = cpu_single_env;
1089     int current_tb_modified = 0;
1090     target_ulong current_pc = 0;
1091     target_ulong current_cs_base = 0;
1092     int current_flags = 0;
1093 #endif
1094 
1095     addr &= TARGET_PAGE_MASK;
1096     p = page_find(addr >> TARGET_PAGE_BITS);
1097     if (!p)
1098         return;
1099     tb = p->first_tb;
1100 #ifdef TARGET_HAS_PRECISE_SMC
1101     if (tb && pc != 0) {
1102         current_tb = tb_find_pc(pc);
1103     }
1104 #endif
1105     while (tb != NULL) {
1106         n = (long)tb & 3;
1107         tb = (TranslationBlock *)((long)tb & ~3);
1108 #ifdef TARGET_HAS_PRECISE_SMC
1109         if (current_tb == tb &&
1110             (current_tb->cflags & CF_COUNT_MASK) != 1) {
1111                 /* If we are modifying the current TB, we must stop
1112                    its execution. We could be more precise by checking
1113                    that the modification is after the current PC, but it
1114                    would require a specialized function to partially
1115                    restore the CPU state */
1116 
1117             current_tb_modified = 1;
1118             cpu_restore_state(current_tb, env, pc);
1119             cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
1120                                  &current_flags);
1121         }
1122 #endif /* TARGET_HAS_PRECISE_SMC */
1123         tb_phys_invalidate(tb, addr);
1124         tb = tb->page_next[n];
1125     }
1126     p->first_tb = NULL;
1127 #ifdef TARGET_HAS_PRECISE_SMC
1128     if (current_tb_modified) {
1129         /* we generate a block containing just the instruction
1130            modifying the memory. It will ensure that it cannot modify
1131            itself */
1132         env->current_tb = NULL;
1133         tb_gen_code(env, current_pc, current_cs_base, current_flags, 1);
1134         cpu_resume_from_signal(env, puc);
1135     }
1136 #endif
1137 }
1138 #endif
1139 
1140 /* add the tb in the target page and protect it if necessary */
1141 static inline void tb_alloc_page(TranslationBlock *tb,
1142                                  unsigned int n, target_ulong page_addr)
1143 {
1144     PageDesc *p;
1145     TranslationBlock *last_first_tb;
1146 
1147     tb->page_addr[n] = page_addr;
1148     p = page_find_alloc(page_addr >> TARGET_PAGE_BITS);
1149     tb->page_next[n] = p->first_tb;
1150     last_first_tb = p->first_tb;
1151     p->first_tb = (TranslationBlock *)((long)tb | n);
1152     invalidate_page_bitmap(p);
1153 
1154 #if defined(TARGET_HAS_SMC) || 1
1155 
1156 #if defined(CONFIG_USER_ONLY)
1157     if (p->flags & PAGE_WRITE) {
1158         target_ulong addr;
1159         PageDesc *p2;
1160         int prot;
1161 
1162         /* force the host page as non writable (writes will have a
1163            page fault + mprotect overhead) */
1164         page_addr &= qemu_host_page_mask;
1165         prot = 0;
1166         for(addr = page_addr; addr < page_addr + qemu_host_page_size;
1167             addr += TARGET_PAGE_SIZE) {
1168 
1169             p2 = page_find (addr >> TARGET_PAGE_BITS);
1170             if (!p2)
1171                 continue;
1172             prot |= p2->flags;
1173             p2->flags &= ~PAGE_WRITE;
1174             page_get_flags(addr);
1175         }
1176         mprotect(g2h(page_addr), qemu_host_page_size,
1177                  (prot & PAGE_BITS) & ~PAGE_WRITE);
1178 #ifdef DEBUG_TB_INVALIDATE
1179         printf("protecting code page: 0x" TARGET_FMT_lx "\n",
1180                page_addr);
1181 #endif
1182     }
1183 #else
1184     /* if some code is already present, then the pages are already
1185        protected. So we handle the case where only the first TB is
1186        allocated in a physical page */
1187     if (!last_first_tb) {
1188         tlb_protect_code(page_addr);
1189     }
1190 #endif
1191 
1192 #endif /* TARGET_HAS_SMC */
1193 }
1194 
1195 /* Allocate a new translation block. Flush the translation buffer if
1196    too many translation blocks or too much generated code. */
1197 TranslationBlock *tb_alloc(target_ulong pc)
1198 {
1199     TranslationBlock *tb;
1200 
1201     if (nb_tbs >= code_gen_max_blocks ||
1202         (code_gen_ptr - code_gen_buffer) >= code_gen_buffer_max_size)
1203         return NULL;
1204     tb = &tbs[nb_tbs++];
1205     tb->pc = pc;
1206     tb->cflags = 0;
1207 #ifdef CONFIG_MEMCHECK
1208     tb->tpc2gpc = NULL;
1209     tb->tpc2gpc_pairs = 0;
1210 #endif  // CONFIG_MEMCHECK
1211     return tb;
1212 }
1213 
1214 void tb_free(TranslationBlock *tb)
1215 {
1216     /* In practice this is mostly used for single-use temporary TBs.
1217        Ignore the hard cases and just back up if this TB happens to
1218        be the last one generated.  */
1219     if (nb_tbs > 0 && tb == &tbs[nb_tbs - 1]) {
1220         code_gen_ptr = tb->tc_ptr;
1221         nb_tbs--;
1222     }
1223 }
1224 
1225 /* add a new TB and link it to the physical page tables. phys_page2 is
1226    (-1) to indicate that only one page contains the TB. */
1227 void tb_link_phys(TranslationBlock *tb,
1228                   target_ulong phys_pc, target_ulong phys_page2)
1229 {
1230     unsigned int h;
1231     TranslationBlock **ptb;
1232 
1233     /* Grab the mmap lock to stop another thread invalidating this TB
1234        before we are done.  */
1235     mmap_lock();
1236     /* add in the physical hash table */
1237     h = tb_phys_hash_func(phys_pc);
1238     ptb = &tb_phys_hash[h];
1239     tb->phys_hash_next = *ptb;
1240     *ptb = tb;
1241 
1242     /* add in the page list */
1243     tb_alloc_page(tb, 0, phys_pc & TARGET_PAGE_MASK);
1244     if (phys_page2 != -1)
1245         tb_alloc_page(tb, 1, phys_page2);
1246     else
1247         tb->page_addr[1] = -1;
1248 
1249     tb->jmp_first = (TranslationBlock *)((long)tb | 2);
1250     tb->jmp_next[0] = NULL;
1251     tb->jmp_next[1] = NULL;
1252 
1253     /* init original jump addresses */
1254     if (tb->tb_next_offset[0] != 0xffff)
1255         tb_reset_jump(tb, 0);
1256     if (tb->tb_next_offset[1] != 0xffff)
1257         tb_reset_jump(tb, 1);
1258 
1259 #ifdef DEBUG_TB_CHECK
1260     tb_page_check();
1261 #endif
1262     mmap_unlock();
1263 }
1264 
1265 /* find the TB 'tb' such that tb[0].tc_ptr <= tc_ptr <
1266    tb[1].tc_ptr. Return NULL if not found */
1267 TranslationBlock *tb_find_pc(unsigned long tc_ptr)
1268 {
1269     int m_min, m_max, m;
1270     unsigned long v;
1271     TranslationBlock *tb;
1272 
1273     if (nb_tbs <= 0)
1274         return NULL;
1275     if (tc_ptr < (unsigned long)code_gen_buffer ||
1276         tc_ptr >= (unsigned long)code_gen_ptr)
1277         return NULL;
1278     /* binary search (cf Knuth) */
1279     m_min = 0;
1280     m_max = nb_tbs - 1;
1281     while (m_min <= m_max) {
1282         m = (m_min + m_max) >> 1;
1283         tb = &tbs[m];
1284         v = (unsigned long)tb->tc_ptr;
1285         if (v == tc_ptr)
1286             return tb;
1287         else if (tc_ptr < v) {
1288             m_max = m - 1;
1289         } else {
1290             m_min = m + 1;
1291         }
1292     }
1293     return &tbs[m_max];
1294 }
1295 
1296 static void tb_reset_jump_recursive(TranslationBlock *tb);
1297 
1298 static inline void tb_reset_jump_recursive2(TranslationBlock *tb, int n)
1299 {
1300     TranslationBlock *tb1, *tb_next, **ptb;
1301     unsigned int n1;
1302 
1303     tb1 = tb->jmp_next[n];
1304     if (tb1 != NULL) {
1305         /* find head of list */
1306         for(;;) {
1307             n1 = (long)tb1 & 3;
1308             tb1 = (TranslationBlock *)((long)tb1 & ~3);
1309             if (n1 == 2)
1310                 break;
1311             tb1 = tb1->jmp_next[n1];
1312         }
1313         /* we are now sure that tb jumps to tb1 */
1314         tb_next = tb1;
1315 
1316         /* remove tb from the jmp_first list */
1317         ptb = &tb_next->jmp_first;
1318         for(;;) {
1319             tb1 = *ptb;
1320             n1 = (long)tb1 & 3;
1321             tb1 = (TranslationBlock *)((long)tb1 & ~3);
1322             if (n1 == n && tb1 == tb)
1323                 break;
1324             ptb = &tb1->jmp_next[n1];
1325         }
1326         *ptb = tb->jmp_next[n];
1327         tb->jmp_next[n] = NULL;
1328 
1329         /* suppress the jump to next tb in generated code */
1330         tb_reset_jump(tb, n);
1331 
1332         /* suppress jumps in the tb on which we could have jumped */
1333         tb_reset_jump_recursive(tb_next);
1334     }
1335 }
1336 
1337 static void tb_reset_jump_recursive(TranslationBlock *tb)
1338 {
1339     tb_reset_jump_recursive2(tb, 0);
1340     tb_reset_jump_recursive2(tb, 1);
1341 }
1342 
1343 #if defined(TARGET_HAS_ICE)
1344 static void breakpoint_invalidate(CPUState *env, target_ulong pc)
1345 {
1346     target_phys_addr_t addr;
1347     target_ulong pd;
1348     ram_addr_t ram_addr;
1349     PhysPageDesc *p;
1350 
1351     addr = cpu_get_phys_page_debug(env, pc);
1352     p = phys_page_find(addr >> TARGET_PAGE_BITS);
1353     if (!p) {
1354         pd = IO_MEM_UNASSIGNED;
1355     } else {
1356         pd = p->phys_offset;
1357     }
1358     ram_addr = (pd & TARGET_PAGE_MASK) | (pc & ~TARGET_PAGE_MASK);
1359     tb_invalidate_phys_page_range(ram_addr, ram_addr + 1, 0);
1360 }
1361 #endif
1362 
1363 /* Add a watchpoint.  */
1364 int cpu_watchpoint_insert(CPUState *env, target_ulong addr, target_ulong len,
1365                           int flags, CPUWatchpoint **watchpoint)
1366 {
1367     target_ulong len_mask = ~(len - 1);
1368     CPUWatchpoint *wp;
1369 
1370     /* sanity checks: allow power-of-2 lengths, deny unaligned watchpoints */
1371     if ((len != 1 && len != 2 && len != 4 && len != 8) || (addr & ~len_mask)) {
1372         fprintf(stderr, "qemu: tried to set invalid watchpoint at "
1373                 TARGET_FMT_lx ", len=" TARGET_FMT_lu "\n", addr, len);
1374         return -EINVAL;
1375     }
1376     wp = qemu_malloc(sizeof(*wp));
1377 
1378     wp->vaddr = addr;
1379     wp->len_mask = len_mask;
1380     wp->flags = flags;
1381 
1382     /* keep all GDB-injected watchpoints in front */
1383     if (flags & BP_GDB)
1384         QTAILQ_INSERT_HEAD(&env->watchpoints, wp, entry);
1385     else
1386         QTAILQ_INSERT_TAIL(&env->watchpoints, wp, entry);
1387 
1388     tlb_flush_page(env, addr);
1389 
1390     if (watchpoint)
1391         *watchpoint = wp;
1392     return 0;
1393 }
1394 
1395 /* Remove a specific watchpoint.  */
1396 int cpu_watchpoint_remove(CPUState *env, target_ulong addr, target_ulong len,
1397                           int flags)
1398 {
1399     target_ulong len_mask = ~(len - 1);
1400     CPUWatchpoint *wp;
1401 
1402     QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1403         if (addr == wp->vaddr && len_mask == wp->len_mask
1404                 && flags == (wp->flags & ~BP_WATCHPOINT_HIT)) {
1405             cpu_watchpoint_remove_by_ref(env, wp);
1406             return 0;
1407         }
1408     }
1409     return -ENOENT;
1410 }
1411 
1412 /* Remove a specific watchpoint by reference.  */
1413 void cpu_watchpoint_remove_by_ref(CPUState *env, CPUWatchpoint *watchpoint)
1414 {
1415     QTAILQ_REMOVE(&env->watchpoints, watchpoint, entry);
1416 
1417     tlb_flush_page(env, watchpoint->vaddr);
1418 
1419     qemu_free(watchpoint);
1420 }
1421 
1422 /* Remove all matching watchpoints.  */
1423 void cpu_watchpoint_remove_all(CPUState *env, int mask)
1424 {
1425     CPUWatchpoint *wp, *next;
1426 
1427     QTAILQ_FOREACH_SAFE(wp, &env->watchpoints, entry, next) {
1428         if (wp->flags & mask)
1429             cpu_watchpoint_remove_by_ref(env, wp);
1430     }
1431 }
1432 
1433 /* Add a breakpoint.  */
1434 int cpu_breakpoint_insert(CPUState *env, target_ulong pc, int flags,
1435                           CPUBreakpoint **breakpoint)
1436 {
1437 #if defined(TARGET_HAS_ICE)
1438     CPUBreakpoint *bp;
1439 
1440     bp = qemu_malloc(sizeof(*bp));
1441 
1442     bp->pc = pc;
1443     bp->flags = flags;
1444 
1445     /* keep all GDB-injected breakpoints in front */
1446     if (flags & BP_GDB)
1447         QTAILQ_INSERT_HEAD(&env->breakpoints, bp, entry);
1448     else
1449         QTAILQ_INSERT_TAIL(&env->breakpoints, bp, entry);
1450 
1451     breakpoint_invalidate(env, pc);
1452 
1453     if (breakpoint)
1454         *breakpoint = bp;
1455     return 0;
1456 #else
1457     return -ENOSYS;
1458 #endif
1459 }
1460 
1461 /* Remove a specific breakpoint.  */
1462 int cpu_breakpoint_remove(CPUState *env, target_ulong pc, int flags)
1463 {
1464 #if defined(TARGET_HAS_ICE)
1465     CPUBreakpoint *bp;
1466 
1467     QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1468         if (bp->pc == pc && bp->flags == flags) {
1469             cpu_breakpoint_remove_by_ref(env, bp);
1470             return 0;
1471         }
1472     }
1473     return -ENOENT;
1474 #else
1475     return -ENOSYS;
1476 #endif
1477 }
1478 
1479 /* Remove a specific breakpoint by reference.  */
1480 void cpu_breakpoint_remove_by_ref(CPUState *env, CPUBreakpoint *breakpoint)
1481 {
1482 #if defined(TARGET_HAS_ICE)
1483     QTAILQ_REMOVE(&env->breakpoints, breakpoint, entry);
1484 
1485     breakpoint_invalidate(env, breakpoint->pc);
1486 
1487     qemu_free(breakpoint);
1488 #endif
1489 }
1490 
1491 /* Remove all matching breakpoints. */
1492 void cpu_breakpoint_remove_all(CPUState *env, int mask)
1493 {
1494 #if defined(TARGET_HAS_ICE)
1495     CPUBreakpoint *bp, *next;
1496 
1497     QTAILQ_FOREACH_SAFE(bp, &env->breakpoints, entry, next) {
1498         if (bp->flags & mask)
1499             cpu_breakpoint_remove_by_ref(env, bp);
1500     }
1501 #endif
1502 }
1503 
1504 /* enable or disable single step mode. EXCP_DEBUG is returned by the
1505    CPU loop after each instruction */
1506 void cpu_single_step(CPUState *env, int enabled)
1507 {
1508 #if defined(TARGET_HAS_ICE)
1509     if (env->singlestep_enabled != enabled) {
1510         env->singlestep_enabled = enabled;
1511         if (kvm_enabled())
1512             kvm_update_guest_debug(env, 0);
1513         else {
1514             /* must flush all the translated code to avoid inconsistencies */
1515             /* XXX: only flush what is necessary */
1516             tb_flush(env);
1517         }
1518     }
1519 #endif
1520 }
1521 
1522 /* enable or disable low levels log */
1523 void cpu_set_log(int log_flags)
1524 {
1525     loglevel = log_flags;
1526     if (loglevel && !logfile) {
1527         logfile = fopen(logfilename, log_append ? "a" : "w");
1528         if (!logfile) {
1529             perror(logfilename);
1530             exit(1);
1531         }
1532 #if !defined(CONFIG_SOFTMMU)
1533         /* must avoid mmap() usage of glibc by setting a buffer "by hand" */
1534         {
1535             static char logfile_buf[4096];
1536             setvbuf(logfile, logfile_buf, _IOLBF, sizeof(logfile_buf));
1537         }
1538 #elif !defined(_WIN32)
1539         /* Win32 doesn't support line-buffering and requires size >= 2 */
1540         setvbuf(logfile, NULL, _IOLBF, 0);
1541 #endif
1542         log_append = 1;
1543     }
1544     if (!loglevel && logfile) {
1545         fclose(logfile);
1546         logfile = NULL;
1547     }
1548 }
1549 
1550 void cpu_set_log_filename(const char *filename)
1551 {
1552     logfilename = strdup(filename);
1553     if (logfile) {
1554         fclose(logfile);
1555         logfile = NULL;
1556     }
1557     cpu_set_log(loglevel);
1558 }
1559 
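/* Force the CPU out of chained TB execution: reset the jump chains of the
   TB it is currently running so control returns to the main loop. */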
1560 static void cpu_unlink_tb(CPUState *env)
1561 {
1562     /* FIXME: TB unchaining isn't SMP safe.  For now just ignore the
1563        problem and hope the cpu will stop of its own accord.  For userspace
1564        emulation this often isn't actually as bad as it sounds.  Often
1565        signals are used primarily to interrupt blocking syscalls.  */
1566     TranslationBlock *tb;
1567     static spinlock_t interrupt_lock = SPIN_LOCK_UNLOCKED;
1568 
1569     spin_lock(&interrupt_lock);
1570     tb = env->current_tb;
1571     /* if the cpu is currently executing code, we must unlink it and
1572        all the potentially executing TB */
1573     if (tb) {
1574         env->current_tb = NULL;
1575         tb_reset_jump_recursive(tb);
1576     }
1577     spin_unlock(&interrupt_lock);
1578 }
1579 
1580 /* mask must never be zero, except for A20 change call */
1581 void cpu_interrupt(CPUState *env, int mask)
1582 {
1583     int old_mask;
1584 
1585     old_mask = env->interrupt_request;
1586     env->interrupt_request |= mask;
1587 
1588 #ifndef CONFIG_USER_ONLY
1589     /*
1590      * If called from iothread context, wake the target cpu in
1591      * case it's halted.
1592      */
1593     if (!qemu_cpu_self(env)) {
1594         qemu_cpu_kick(env);
1595         return;
1596     }
1597 #endif
1598 
1599     if (use_icount) {
1600         env->icount_decr.u16.high = 0xffff;
1601 #ifndef CONFIG_USER_ONLY
1602         if (!can_do_io(env)
1603             && (mask & ~old_mask) != 0) {
1604             cpu_abort(env, "Raised interrupt while not in I/O function");
1605         }
1606 #endif
1607     } else {
1608         cpu_unlink_tb(env);
1609     }
1610 }
1611 
1612 void cpu_reset_interrupt(CPUState *env, int mask)
1613 {
1614     env->interrupt_request &= ~mask;
1615 }
1616 
1617 void cpu_exit(CPUState *env)
1618 {
1619     env->exit_request = 1;
1620     cpu_unlink_tb(env);
1621 }
1622 
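/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * how a device model typically drives a level-triggered interrupt line with
 * cpu_interrupt()/cpu_reset_interrupt() above.  The function name and the
 * "level" parameter are assumptions; CPU_INTERRUPT_HARD is the conventional
 * mask for external interrupts. */
#if 0
static void example_set_irq_level(CPUState *env, int level)
{
    if (level) {
        cpu_interrupt(env, CPU_INTERRUPT_HARD);       /* assert the line */
    } else {
        cpu_reset_interrupt(env, CPU_INTERRUPT_HARD); /* de-assert it */
    }
}
#endif
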
1623 const CPULogItem cpu_log_items[] = {
1624     { CPU_LOG_TB_OUT_ASM, "out_asm",
1625       "show generated host assembly code for each compiled TB" },
1626     { CPU_LOG_TB_IN_ASM, "in_asm",
1627       "show target assembly code for each compiled TB" },
1628     { CPU_LOG_TB_OP, "op",
1629       "show micro ops for each compiled TB" },
1630     { CPU_LOG_TB_OP_OPT, "op_opt",
1631       "show micro ops "
1632 #ifdef TARGET_I386
1633       "before eflags optimization and "
1634 #endif
1635       "after liveness analysis" },
1636     { CPU_LOG_INT, "int",
1637       "show interrupts/exceptions in short format" },
1638     { CPU_LOG_EXEC, "exec",
1639       "show trace before each executed TB (lots of logs)" },
1640     { CPU_LOG_TB_CPU, "cpu",
1641       "show CPU state before block translation" },
1642 #ifdef TARGET_I386
1643     { CPU_LOG_PCALL, "pcall",
1644       "show protected mode far calls/returns/exceptions" },
1645     { CPU_LOG_RESET, "cpu_reset",
1646       "show CPU state before CPU resets" },
1647 #endif
1648 #ifdef DEBUG_IOPORT
1649     { CPU_LOG_IOPORT, "ioport",
1650       "show all i/o ports accesses" },
1651 #endif
1652     { 0, NULL, NULL },
1653 };
1654 
1655 static int cmp1(const char *s1, int n, const char *s2)
1656 {
1657     if (strlen(s2) != n)
1658         return 0;
1659     return memcmp(s1, s2, n) == 0;
1660 }
1661 
1662 /* takes a comma separated list of log masks. Return 0 if error. */
1663 int cpu_str_to_log_mask(const char *str)
1664 {
1665     const CPULogItem *item;
1666     int mask;
1667     const char *p, *p1;
1668 
1669     p = str;
1670     mask = 0;
1671     for(;;) {
1672         p1 = strchr(p, ',');
1673         if (!p1)
1674             p1 = p + strlen(p);
1675         if (cmp1(p, p1 - p, "all")) {
1676             for(item = cpu_log_items; item->mask != 0; item++) {
1677                 mask |= item->mask;
1678             }
1679         } else {
1680             for(item = cpu_log_items; item->mask != 0; item++) {
1681                 if (cmp1(p, p1 - p, item->name))
1682                     goto found;
1683             }
1684             return 0;
1685         }
1686     found:
1687         mask |= item->mask;
1688         if (*p1 != ',')
1689             break;
1690         p = p1 + 1;
1691     }
1692     return mask;
1693 }
1694 
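/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * how the logging helpers above are typically combined, e.g. when handling
 * a "-d in_asm,cpu" style option.  The function name and the log file path
 * are assumptions for illustration only. */
#if 0
static void example_enable_logging(const char *items)
{
    int mask = cpu_str_to_log_mask(items);   /* e.g. items = "in_asm,cpu" */

    if (!mask) {
        fprintf(stderr, "unknown log item in '%s'\n", items);
        return;
    }
    cpu_set_log_filename("/tmp/qemu.log");   /* reopen the log file */
    cpu_set_log(mask);                       /* activate the selected items */
}
#endif
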
1695 void cpu_abort(CPUState *env, const char *fmt, ...)
1696 {
1697     va_list ap;
1698     va_list ap2;
1699 
1700     va_start(ap, fmt);
1701     va_copy(ap2, ap);
1702     fprintf(stderr, "qemu: fatal: ");
1703     vfprintf(stderr, fmt, ap);
1704     fprintf(stderr, "\n");
1705 #ifdef TARGET_I386
1706     cpu_dump_state(env, stderr, fprintf, X86_DUMP_FPU | X86_DUMP_CCOP);
1707 #else
1708     cpu_dump_state(env, stderr, fprintf, 0);
1709 #endif
1710     if (qemu_log_enabled()) {
1711         qemu_log("qemu: fatal: ");
1712         qemu_log_vprintf(fmt, ap2);
1713         qemu_log("\n");
1714 #ifdef TARGET_I386
1715         log_cpu_state(env, X86_DUMP_FPU | X86_DUMP_CCOP);
1716 #else
1717         log_cpu_state(env, 0);
1718 #endif
1719         qemu_log_flush();
1720         qemu_log_close();
1721     }
1722     va_end(ap2);
1723     va_end(ap);
1724 #if defined(CONFIG_USER_ONLY)
1725     {
1726         struct sigaction act;
1727         sigfillset(&act.sa_mask);
1728         act.sa_handler = SIG_DFL;
1729         sigaction(SIGABRT, &act, NULL);
1730     }
1731 #endif
1732     abort();
1733 }
1734 
1735 CPUState *cpu_copy(CPUState *env)
1736 {
1737     CPUState *new_env = cpu_init(env->cpu_model_str);
1738     CPUState *next_cpu = new_env->next_cpu;
1739     int cpu_index = new_env->cpu_index;
1740 #if defined(TARGET_HAS_ICE)
1741     CPUBreakpoint *bp;
1742     CPUWatchpoint *wp;
1743 #endif
1744 
1745     memcpy(new_env, env, sizeof(CPUState));
1746 
1747     /* Preserve chaining and index. */
1748     new_env->next_cpu = next_cpu;
1749     new_env->cpu_index = cpu_index;
1750 
1751     /* Clone all break/watchpoints.
1752        Note: Once we support ptrace with hw-debug register access, make sure
1753        BP_CPU break/watchpoints are handled correctly on clone. */
1754     QTAILQ_INIT(&new_env->breakpoints);
1755     QTAILQ_INIT(&new_env->watchpoints);
1756 #if defined(TARGET_HAS_ICE)
1757     QTAILQ_FOREACH(bp, &env->breakpoints, entry) {
1758         cpu_breakpoint_insert(new_env, bp->pc, bp->flags, NULL);
1759     }
1760     QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
1761         cpu_watchpoint_insert(new_env, wp->vaddr, (~wp->len_mask) + 1,
1762                               wp->flags, NULL);
1763     }
1764 #endif
1765 
1766     return new_env;
1767 }
1768 
1769 #if !defined(CONFIG_USER_ONLY)
1770 
1771 static inline void tlb_flush_jmp_cache(CPUState *env, target_ulong addr)
1772 {
1773     unsigned int i;
1774 
1775     /* Discard jump cache entries for any tb which might potentially
1776        overlap the flushed page.  */
1777     i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
1778     memset (&env->tb_jmp_cache[i], 0,
1779             TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1780 
1781     i = tb_jmp_cache_hash_page(addr);
1782     memset (&env->tb_jmp_cache[i], 0,
1783             TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
1784 }
1785 
1786 /* NOTE: if flush_global is true, also flush global entries (not
1787    implemented yet) */
1788 void tlb_flush(CPUState *env, int flush_global)
1789 {
1790     int i;
1791 
1792 #if defined(DEBUG_TLB)
1793     printf("tlb_flush:\n");
1794 #endif
1795     /* must reset current TB so that interrupts cannot modify the
1796        links while we are modifying them */
1797     env->current_tb = NULL;
1798 
1799     for(i = 0; i < CPU_TLB_SIZE; i++) {
1800         int mmu_idx;
1801         for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1802             env->tlb_table[mmu_idx][i].addr_read = -1;
1803             env->tlb_table[mmu_idx][i].addr_write = -1;
1804             env->tlb_table[mmu_idx][i].addr_code = -1;
1805         }
1806     }
1807 
1808     memset (env->tb_jmp_cache, 0, TB_JMP_CACHE_SIZE * sizeof (void *));
1809 
1810 #ifdef CONFIG_KQEMU
1811     if (env->kqemu_enabled) {
1812         kqemu_flush(env, flush_global);
1813     }
1814 #endif
1815     tlb_flush_count++;
1816 }
1817 
1818 static inline void tlb_flush_entry(CPUTLBEntry *tlb_entry, target_ulong addr)
1819 {
1820     if (addr == (tlb_entry->addr_read &
1821                  (TARGET_PAGE_MASK | TLB_INVALID_MASK)) ||
1822         addr == (tlb_entry->addr_write &
1823                  (TARGET_PAGE_MASK | TLB_INVALID_MASK)) ||
1824         addr == (tlb_entry->addr_code &
1825                  (TARGET_PAGE_MASK | TLB_INVALID_MASK))) {
1826         tlb_entry->addr_read = -1;
1827         tlb_entry->addr_write = -1;
1828         tlb_entry->addr_code = -1;
1829     }
1830 }
1831 
1832 void tlb_flush_page(CPUState *env, target_ulong addr)
1833 {
1834     int i;
1835     int mmu_idx;
1836 
1837 #if defined(DEBUG_TLB)
1838     printf("tlb_flush_page: " TARGET_FMT_lx "\n", addr);
1839 #endif
1840     /* must reset current TB so that interrupts cannot modify the
1841        links while we are modifying them */
1842     env->current_tb = NULL;
1843 
1844     addr &= TARGET_PAGE_MASK;
1845     i = (addr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
1846     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++)
1847         tlb_flush_entry(&env->tlb_table[mmu_idx][i], addr);
1848 
1849     tlb_flush_jmp_cache(env, addr);
1850 }
1851 
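/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * when a target MMU helper would pick tlb_flush_page() over a full
 * tlb_flush().  The function name and parameters are assumptions. */
#if 0
static void example_invalidate_mapping(CPUState *env, target_ulong va,
                                       int whole_address_space)
{
    if (whole_address_space) {
        /* e.g. the guest switched page tables: drop everything. */
        tlb_flush(env, 1);
    } else {
        /* e.g. the guest changed a single PTE: drop just that page. */
        tlb_flush_page(env, va);
    }
}
#endif
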
1852 /* update the TLBs so that writes to code in the virtual page 'addr'
1853    can be detected */
1854 static void tlb_protect_code(ram_addr_t ram_addr)
1855 {
1856     cpu_physical_memory_reset_dirty(ram_addr,
1857                                     ram_addr + TARGET_PAGE_SIZE,
1858                                     CODE_DIRTY_FLAG);
1859 }
1860 
1861 /* update the TLB so that writes in physical page 'phys_addr' are no longer
1862    tested for self modifying code */
1863 static void tlb_unprotect_code_phys(CPUState *env, ram_addr_t ram_addr,
1864                                     target_ulong vaddr)
1865 {
1866     cpu_physical_memory_set_dirty_flags(ram_addr, CODE_DIRTY_FLAG);
1867 }
1868 
1869 static inline void tlb_reset_dirty_range(CPUTLBEntry *tlb_entry,
1870                                          unsigned long start, unsigned long length)
1871 {
1872     unsigned long addr;
1873     if ((tlb_entry->addr_write & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
1874         addr = (tlb_entry->addr_write & TARGET_PAGE_MASK) + tlb_entry->addend;
1875         if ((addr - start) < length) {
1876             tlb_entry->addr_write = (tlb_entry->addr_write & TARGET_PAGE_MASK) | TLB_NOTDIRTY;
1877         }
1878     }
1879 }
1880 
1881 /* Note: start and end must be within the same ram block.  */
1882 void cpu_physical_memory_reset_dirty(ram_addr_t start, ram_addr_t end,
1883                                      int dirty_flags)
1884 {
1885     CPUState *env;
1886     unsigned long length, start1;
1887     int i;
1888 
1889     start &= TARGET_PAGE_MASK;
1890     end = TARGET_PAGE_ALIGN(end);
1891 
1892     length = end - start;
1893     if (length == 0)
1894         return;
1895     cpu_physical_memory_mask_dirty_range(start, length, dirty_flags);
1896 
1897     /* we modify the TLB cache so that the dirty bit will be set again
1898        when accessing the range */
1899     start1 = (unsigned long)qemu_safe_ram_ptr(start);
1900     /* Check that we don't span multiple blocks - this breaks the
1901        address comparisons below.  */
1902     if ((unsigned long)qemu_safe_ram_ptr(end - 1) - start1
1903             != (end - 1) - start) {
1904         abort();
1905     }
1906 
1907     for(env = first_cpu; env != NULL; env = env->next_cpu) {
1908         int mmu_idx;
1909         for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1910             for(i = 0; i < CPU_TLB_SIZE; i++)
1911                 tlb_reset_dirty_range(&env->tlb_table[mmu_idx][i],
1912                                       start1, length);
1913         }
1914     }
1915 }
1916 
1917 int cpu_physical_memory_set_dirty_tracking(int enable)
1918 {
1919     in_migration = enable;
1920     if (kvm_enabled()) {
1921         return kvm_set_migration_log(enable);
1922     }
1923     return 0;
1924 }
1925 
1926 int cpu_physical_memory_get_dirty_tracking(void)
1927 {
1928     return in_migration;
1929 }
1930 
1931 int cpu_physical_sync_dirty_bitmap(target_phys_addr_t start_addr,
1932                                    target_phys_addr_t end_addr)
1933 {
1934     int ret = 0;
1935 
1936     if (kvm_enabled())
1937         ret = kvm_physical_sync_dirty_bitmap(start_addr, end_addr);
1938     return ret;
1939 }
1940 
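/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * a migration-style dirty page scan built on the helpers above.  The
 * function name is an assumption; cpu_physical_memory_get_dirty() and
 * MIGRATION_DIRTY_FLAG are assumed to be the usual cpu-all.h definitions. */
#if 0
static void example_scan_dirty_pages(ram_addr_t start, ram_addr_t size)
{
    ram_addr_t addr;

    /* Pull the latest dirty information from the hypervisor, if any. */
    cpu_physical_sync_dirty_bitmap(start, start + size);

    for (addr = start; addr < start + size; addr += TARGET_PAGE_SIZE) {
        if (cpu_physical_memory_get_dirty(addr, MIGRATION_DIRTY_FLAG)) {
            /* ... send or copy the page here ... */
        }
    }
    /* Re-arm dirty logging for the range that was just processed. */
    cpu_physical_memory_reset_dirty(start, start + size, MIGRATION_DIRTY_FLAG);
}
#endif
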
1941 static inline void tlb_update_dirty(CPUTLBEntry *tlb_entry)
1942 {
1943     ram_addr_t ram_addr;
1944     void *p;
1945 
1946     if ((tlb_entry->addr_write & ~TARGET_PAGE_MASK) == IO_MEM_RAM) {
1947         p = (void *)(unsigned long)((tlb_entry->addr_write & TARGET_PAGE_MASK)
1948             + tlb_entry->addend);
1949         ram_addr = qemu_ram_addr_from_host_nofail(p);
1950         if (!cpu_physical_memory_is_dirty(ram_addr)) {
1951             tlb_entry->addr_write |= TLB_NOTDIRTY;
1952         }
1953     }
1954 }
1955 
1956 /* update the TLB according to the current state of the dirty bits */
1957 void cpu_tlb_update_dirty(CPUState *env)
1958 {
1959     int i;
1960     int mmu_idx;
1961     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
1962         for(i = 0; i < CPU_TLB_SIZE; i++)
1963             tlb_update_dirty(&env->tlb_table[mmu_idx][i]);
1964     }
1965 }
1966 
1967 static inline void tlb_set_dirty1(CPUTLBEntry *tlb_entry, target_ulong vaddr)
1968 {
1969     if (tlb_entry->addr_write == (vaddr | TLB_NOTDIRTY))
1970         tlb_entry->addr_write = vaddr;
1971 }
1972 
1973 /* update the TLB corresponding to virtual page vaddr
1974    so that it is no longer dirty */
1975 static inline void tlb_set_dirty(CPUState *env, target_ulong vaddr)
1976 {
1977     int i;
1978     int mmu_idx;
1979 
1980     vaddr &= TARGET_PAGE_MASK;
1981     i = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
1982     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++)
1983         tlb_set_dirty1(&env->tlb_table[mmu_idx][i], vaddr);
1984 }
1985 
1986 /* add a new TLB entry. At most one entry for a given virtual address
1987    is permitted. Return 0 if OK or 2 if the page could not be mapped
1988    (can only happen in non SOFTMMU mode for I/O pages or pages
1989    conflicting with the host address space). */
1990 int tlb_set_page_exec(CPUState *env, target_ulong vaddr,
1991                       target_phys_addr_t paddr, int prot,
1992                       int mmu_idx, int is_softmmu)
1993 {
1994     PhysPageDesc *p;
1995     unsigned long pd;
1996     unsigned int index;
1997     target_ulong address;
1998     target_ulong code_address;
1999     ptrdiff_t addend;
2000     int ret;
2001     CPUTLBEntry *te;
2002     CPUWatchpoint *wp;
2003     target_phys_addr_t iotlb;
2004 
2005     p = phys_page_find(paddr >> TARGET_PAGE_BITS);
2006     if (!p) {
2007         pd = IO_MEM_UNASSIGNED;
2008     } else {
2009         pd = p->phys_offset;
2010     }
2011 #if defined(DEBUG_TLB)
2012     printf("tlb_set_page: vaddr=" TARGET_FMT_lx " paddr=0x%08x prot=%x idx=%d smmu=%d pd=0x%08lx\n",
2013            vaddr, (int)paddr, prot, mmu_idx, is_softmmu, pd);
2014 #endif
2015 
2016     ret = 0;
2017     address = vaddr;
2018     if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM && !(pd & IO_MEM_ROMD)) {
2019         /* IO memory case (romd handled later) */
2020         address |= TLB_MMIO;
2021     }
2022     addend = (ptrdiff_t)qemu_get_ram_ptr(pd & TARGET_PAGE_MASK);
2023     if ((pd & ~TARGET_PAGE_MASK) <= IO_MEM_ROM) {
2024         /* Normal RAM.  */
2025         iotlb = pd & TARGET_PAGE_MASK;
2026         if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM)
2027             iotlb |= IO_MEM_NOTDIRTY;
2028         else
2029             iotlb |= IO_MEM_ROM;
2030     } else {
2031         /* IO handlers are currently passed a physical address.
2032            It would be nice to pass an offset from the base address
2033            of that region.  This would avoid having to special case RAM,
2034            and avoid full address decoding in every device.
2035            We can't use the high bits of pd for this because
2036            IO_MEM_ROMD uses these as a ram address.  */
2037         iotlb = (pd & ~TARGET_PAGE_MASK);
2038         if (p) {
2039             iotlb += p->region_offset;
2040         } else {
2041             iotlb += paddr;
2042         }
2043     }
2044 
2045     code_address = address;
2046     /* Make accesses to pages with watchpoints go via the
2047        watchpoint trap routines.  */
2048     QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
2049         if (vaddr == (wp->vaddr & TARGET_PAGE_MASK)) {
2050             iotlb = io_mem_watch + paddr;
2051             /* TODO: The memory case can be optimized by not trapping
2052                reads of pages with a write breakpoint.  */
2053             address |= TLB_MMIO;
2054         }
2055     }
2056 
2057     index = (vaddr >> TARGET_PAGE_BITS) & (CPU_TLB_SIZE - 1);
2058     env->iotlb[mmu_idx][index] = iotlb - vaddr;
2059     te = &env->tlb_table[mmu_idx][index];
2060     te->addend = addend - vaddr;
2061     if (prot & PAGE_READ) {
2062         te->addr_read = address;
2063     } else {
2064         te->addr_read = -1;
2065     }
2066 
2067     if (prot & PAGE_EXEC) {
2068         te->addr_code = code_address;
2069     } else {
2070         te->addr_code = -1;
2071     }
2072     if (prot & PAGE_WRITE) {
2073         if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_ROM ||
2074             (pd & IO_MEM_ROMD)) {
2075             /* Write access calls the I/O callback.  */
2076             te->addr_write = address | TLB_MMIO;
2077         } else if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM &&
2078                    !cpu_physical_memory_is_dirty(pd)) {
2079             te->addr_write = address | TLB_NOTDIRTY;
2080         } else {
2081             te->addr_write = address;
2082         }
2083     } else {
2084         te->addr_write = -1;
2085     }
2086 
2087 #ifdef CONFIG_MEMCHECK
2088     /*
2089      * If the memory checker is running, we must make sure that the page
2090      * cached into the TLB by this operation complies with our requirement
2091      * that __ld/__stx_mmu be called for accesses to pages containing
2092      * memory blocks that require access-violation checks.
2093      *
2094      * We check with the memory checker whether this page should be
2095      * invalidated only if:
2096      *  - Memchecking is enabled.
2097      *  - The cached page belongs to user space.
2098      *  - The request to cache this page didn't come from softmmu. We're
2099      *    covered there, because after the page is cached here we will
2100      *    invalidate it in the __ld/__stx_mmu wrapper.
2101      *  - The cached page belongs to RAM, not an I/O area.
2102      *  - The page is cached for read or write access.
2103      */
2104     if (memcheck_instrument_mmu && mmu_idx == 1 && !is_softmmu &&
2105         (pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM &&
2106         (prot & (PAGE_READ | PAGE_WRITE)) &&
2107         memcheck_is_checked(vaddr & TARGET_PAGE_MASK, TARGET_PAGE_SIZE)) {
2108         if (prot & PAGE_READ) {
2109             te->addr_read ^= TARGET_PAGE_MASK;
2110         }
2111         if (prot & PAGE_WRITE) {
2112             te->addr_write ^= TARGET_PAGE_MASK;
2113         }
2114     }
2115 #endif  // CONFIG_MEMCHECK
2116 
2117     return ret;
2118 }
2119 
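/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * how a target's tlb_fill() path would install a translation after walking
 * the guest page tables.  The function name and the "guest_va", "guest_pa"
 * and "page_prot" parameters are assumptions for illustration only. */
#if 0
static void example_install_translation(CPUState *env, target_ulong guest_va,
                                        target_phys_addr_t guest_pa,
                                        int page_prot, int mmu_idx)
{
    /* Only one TLB entry may exist per virtual page; an older entry for
       the same page is simply overwritten. */
    tlb_set_page_exec(env, guest_va & TARGET_PAGE_MASK,
                      guest_pa & TARGET_PAGE_MASK,
                      page_prot, mmu_idx, 1);
}
#endif
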
2120 #else
2121 
2122 void tlb_flush(CPUState *env, int flush_global)
2123 {
2124 }
2125 
2126 void tlb_flush_page(CPUState *env, target_ulong addr)
2127 {
2128 }
2129 
2130 int tlb_set_page_exec(CPUState *env, target_ulong vaddr,
2131                       target_phys_addr_t paddr, int prot,
2132                       int mmu_idx, int is_softmmu)
2133 {
2134     return 0;
2135 }
2136 
2137 /*
2138  * Walks guest process memory "regions" one by one
2139  * and calls callback function 'fn' for each region.
2140  */
2141 int walk_memory_regions(void *priv,
2142     int (*fn)(void *, unsigned long, unsigned long, unsigned long))
2143 {
2144     unsigned long start, end;
2145     PageDesc *p = NULL;
2146     int i, j, prot, prot1;
2147     int rc = 0;
2148 
2149     start = end = -1;
2150     prot = 0;
2151 
2152     for (i = 0; i <= L1_SIZE; i++) {
2153         p = (i < L1_SIZE) ? l1_map[i] : NULL;
2154         for (j = 0; j < L2_SIZE; j++) {
2155             prot1 = (p == NULL) ? 0 : p[j].flags;
2156             /*
2157              * "region" is one continuous chunk of memory
2158              * that has the same protection flags set.
2159              */
2160             if (prot1 != prot) {
2161                 end = (i << (32 - L1_BITS)) | (j << TARGET_PAGE_BITS);
2162                 if (start != -1) {
2163                     rc = (*fn)(priv, start, end, prot);
2164                     /* callback can stop iteration by returning != 0 */
2165                     if (rc != 0)
2166                         return (rc);
2167                 }
2168                 if (prot1 != 0)
2169                     start = end;
2170                 else
2171                     start = -1;
2172                 prot = prot1;
2173             }
2174             if (p == NULL)
2175                 break;
2176         }
2177     }
2178     return (rc);
2179 }
2180 
2181 static int dump_region(void *priv, unsigned long start,
2182     unsigned long end, unsigned long prot)
2183 {
2184     FILE *f = (FILE *)priv;
2185 
2186     (void) fprintf(f, "%08lx-%08lx %08lx %c%c%c\n",
2187         start, end, end - start,
2188         ((prot & PAGE_READ) ? 'r' : '-'),
2189         ((prot & PAGE_WRITE) ? 'w' : '-'),
2190         ((prot & PAGE_EXEC) ? 'x' : '-'));
2191 
2192     return (0);
2193 }
2194 
2195 /* dump memory mappings */
2196 void page_dump(FILE *f)
2197 {
2198     (void) fprintf(f, "%-8s %-8s %-8s %s\n",
2199             "start", "end", "size", "prot");
2200     walk_memory_regions(f, dump_region);
2201 }
2202 
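/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * page_dump() above shows one walk_memory_regions() callback; this sketch
 * shows another, accumulating the total size of executable regions.  The
 * function names are assumptions for illustration only. */
#if 0
static int example_count_exec(void *priv, unsigned long start,
                              unsigned long end, unsigned long prot)
{
    unsigned long *total = priv;

    if (prot & PAGE_EXEC)
        *total += end - start;
    return 0;                      /* returning non-zero would stop the walk */
}

static unsigned long example_executable_bytes(void)
{
    unsigned long total = 0;

    walk_memory_regions(&total, example_count_exec);
    return total;
}
#endif
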
2203 int page_get_flags(target_ulong address)
2204 {
2205     PageDesc *p;
2206 
2207     p = page_find(address >> TARGET_PAGE_BITS);
2208     if (!p)
2209         return 0;
2210     return p->flags;
2211 }
2212 
2213 /* Modify the flags of a page and invalidate the code if necessary.
2214    The flag PAGE_WRITE_ORG is positioned automatically depending
2215    on PAGE_WRITE.  The mmap_lock should already be held.  */
2216 void page_set_flags(target_ulong start, target_ulong end, int flags)
2217 {
2218     PageDesc *p;
2219     target_ulong addr;
2220 
2221     /* mmap_lock should already be held.  */
2222     start = start & TARGET_PAGE_MASK;
2223     end = TARGET_PAGE_ALIGN(end);
2224     if (flags & PAGE_WRITE)
2225         flags |= PAGE_WRITE_ORG;
2226     for(addr = start; addr < end; addr += TARGET_PAGE_SIZE) {
2227         p = page_find_alloc(addr >> TARGET_PAGE_BITS);
2228         /* We may be called for host regions that are outside guest
2229            address space.  */
2230         if (!p)
2231             return;
2232         /* if the write protection is set, then we invalidate the code
2233            inside */
2234         if (!(p->flags & PAGE_WRITE) &&
2235             (flags & PAGE_WRITE) &&
2236             p->first_tb) {
2237             tb_invalidate_phys_page(addr, 0, NULL);
2238         }
2239         p->flags = flags;
2240     }
2241 }
2242 
2243 int page_check_range(target_ulong start, target_ulong len, int flags)
2244 {
2245     PageDesc *p;
2246     target_ulong end;
2247     target_ulong addr;
2248 
2249     if (start + len < start)
2250         /* we've wrapped around */
2251         return -1;
2252 
2253     end = TARGET_PAGE_ALIGN(start + len); /* must do this before we lose bits in the next step */
2254     start = start & TARGET_PAGE_MASK;
2255 
2256     for(addr = start; addr < end; addr += TARGET_PAGE_SIZE) {
2257         p = page_find(addr >> TARGET_PAGE_BITS);
2258         if (!p)
2259             return -1;
2260         if (!(p->flags & PAGE_VALID))
2261             return -1;
2262 
2263         if ((flags & PAGE_READ) && !(p->flags & PAGE_READ))
2264             return -1;
2265         if (flags & PAGE_WRITE) {
2266             if (!(p->flags & PAGE_WRITE_ORG))
2267                 return -1;
2268             /* unprotect the page if it was put read-only because it
2269                contains translated code */
2270             if (!(p->flags & PAGE_WRITE)) {
2271                 if (!page_unprotect(addr, 0, NULL))
2272                     return -1;
2273             }
2274             return 0;
2275         }
2276     }
2277     return 0;
2278 }
2279 
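/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * the usual pairing of page_set_flags() and page_check_range() in user-mode
 * emulation.  The function name is an assumption; as noted above, the caller
 * is expected to hold mmap_lock when setting flags. */
#if 0
static int example_publish_guest_buffer(target_ulong guest_addr,
                                        target_ulong len)
{
    /* Record a freshly mapped guest range as valid, readable and writable. */
    page_set_flags(guest_addr, guest_addr + len,
                   PAGE_VALID | PAGE_READ | PAGE_WRITE);

    /* Later, verify a guest pointer before writing through it:
       returns 0 on success, -1 if any page in the range is not writable. */
    return page_check_range(guest_addr, len, PAGE_WRITE);
}
#endif
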
2280 /* called from signal handler: invalidate the code and unprotect the
2281    page. Return TRUE if the fault was successfully handled. */
2282 int page_unprotect(target_ulong address, unsigned long pc, void *puc)
2283 {
2284     unsigned int page_index, prot, pindex;
2285     PageDesc *p, *p1;
2286     target_ulong host_start, host_end, addr;
2287 
2288     /* Technically this isn't safe inside a signal handler.  However we
2289        know this only ever happens in a synchronous SEGV handler, so in
2290        practice it seems to be ok.  */
2291     mmap_lock();
2292 
2293     host_start = address & qemu_host_page_mask;
2294     page_index = host_start >> TARGET_PAGE_BITS;
2295     p1 = page_find(page_index);
2296     if (!p1) {
2297         mmap_unlock();
2298         return 0;
2299     }
2300     host_end = host_start + qemu_host_page_size;
2301     p = p1;
2302     prot = 0;
2303     for(addr = host_start;addr < host_end; addr += TARGET_PAGE_SIZE) {
2304         prot |= p->flags;
2305         p++;
2306     }
2307     /* if the page was really writable, then we change its
2308        protection back to writable */
2309     if (prot & PAGE_WRITE_ORG) {
2310         pindex = (address - host_start) >> TARGET_PAGE_BITS;
2311         if (!(p1[pindex].flags & PAGE_WRITE)) {
2312             mprotect((void *)g2h(host_start), qemu_host_page_size,
2313                      (prot & PAGE_BITS) | PAGE_WRITE);
2314             p1[pindex].flags |= PAGE_WRITE;
2315             /* and since the content will be modified, we must invalidate
2316                the corresponding translated code. */
2317             tb_invalidate_phys_page(address, pc, puc);
2318 #ifdef DEBUG_TB_CHECK
2319             tb_invalidate_check(address);
2320 #endif
2321             mmap_unlock();
2322             return 1;
2323         }
2324     }
2325     mmap_unlock();
2326     return 0;
2327 }
2328 
2329 static inline void tlb_set_dirty(CPUState *env,
2330                                  unsigned long addr, target_ulong vaddr)
2331 {
2332 }
2333 #endif /* defined(CONFIG_USER_ONLY) */
2334 
2335 #if !defined(CONFIG_USER_ONLY)
2336 
2337 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
2338                              ram_addr_t memory, ram_addr_t region_offset);
2339 static void *subpage_init (target_phys_addr_t base, ram_addr_t *phys,
2340                            ram_addr_t orig_memory, ram_addr_t region_offset);
2341 #define CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr, end_addr2, \
2342                       need_subpage)                                     \
2343     do {                                                                \
2344         if (addr > start_addr)                                          \
2345             start_addr2 = 0;                                            \
2346         else {                                                          \
2347             start_addr2 = start_addr & ~TARGET_PAGE_MASK;               \
2348             if (start_addr2 > 0)                                        \
2349                 need_subpage = 1;                                       \
2350         }                                                               \
2351                                                                         \
2352         if ((start_addr + orig_size) - addr >= TARGET_PAGE_SIZE)        \
2353             end_addr2 = TARGET_PAGE_SIZE - 1;                           \
2354         else {                                                          \
2355             end_addr2 = (start_addr + orig_size - 1) & ~TARGET_PAGE_MASK; \
2356             if (end_addr2 < TARGET_PAGE_SIZE - 1)                       \
2357                 need_subpage = 1;                                       \
2358         }                                                               \
2359     } while (0)
2360 
2361 /* register physical memory.
2362    For RAM, 'size' must be a multiple of the target page size.
2363    If (phys_offset & ~TARGET_PAGE_MASK) != 0, then it is an
2364    io memory page.  The address used when calling the IO function is
2365    the offset from the start of the region, plus region_offset.  Both
2366    start_addr and region_offset are rounded down to a page boundary
2367    before calculating this offset.  This should not be a problem unless
2368    the low bits of start_addr and region_offset differ.  */
2369 void cpu_register_physical_memory_log(target_phys_addr_t start_addr,
2370                                          ram_addr_t size,
2371                                          ram_addr_t phys_offset,
2372                                          ram_addr_t region_offset,
2373                                          bool log_dirty)
2374 {
2375     target_phys_addr_t addr, end_addr;
2376     PhysPageDesc *p;
2377     CPUState *env;
2378     ram_addr_t orig_size = size;
2379     subpage_t *subpage;
2380 
2381     if (kvm_enabled())
2382         kvm_set_phys_mem(start_addr, size, phys_offset);
2383 #ifdef CONFIG_HAX
2384     if (hax_enabled())
2385         hax_set_phys_mem(start_addr, size, phys_offset);
2386 #endif
2387 
2388     if (phys_offset == IO_MEM_UNASSIGNED) {
2389         region_offset = start_addr;
2390     }
2391     region_offset &= TARGET_PAGE_MASK;
2392     size = (size + TARGET_PAGE_SIZE - 1) & TARGET_PAGE_MASK;
2393     end_addr = start_addr + (target_phys_addr_t)size;
2394 
2395     addr = start_addr;
2396     do {
2397         p = phys_page_find(addr >> TARGET_PAGE_BITS);
2398         if (p && p->phys_offset != IO_MEM_UNASSIGNED) {
2399             ram_addr_t orig_memory = p->phys_offset;
2400             target_phys_addr_t start_addr2, end_addr2;
2401             int need_subpage = 0;
2402 
2403             CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr, end_addr2,
2404                           need_subpage);
2405             if (need_subpage) {
2406                 if (!(orig_memory & IO_MEM_SUBPAGE)) {
2407                     subpage = subpage_init((addr & TARGET_PAGE_MASK),
2408                                            &p->phys_offset, orig_memory,
2409                                            p->region_offset);
2410                 } else {
2411                     subpage = io_mem_opaque[(orig_memory & ~TARGET_PAGE_MASK)
2412                                             >> IO_MEM_SHIFT];
2413                 }
2414                 subpage_register(subpage, start_addr2, end_addr2, phys_offset,
2415                                  region_offset);
2416                 p->region_offset = 0;
2417             } else {
2418                 p->phys_offset = phys_offset;
2419                 if ((phys_offset & ~TARGET_PAGE_MASK) <= IO_MEM_ROM ||
2420                     (phys_offset & IO_MEM_ROMD))
2421                     phys_offset += TARGET_PAGE_SIZE;
2422             }
2423         } else {
2424             p = phys_page_find_alloc(addr >> TARGET_PAGE_BITS, 1);
2425             p->phys_offset = phys_offset;
2426             p->region_offset = region_offset;
2427             if ((phys_offset & ~TARGET_PAGE_MASK) <= IO_MEM_ROM ||
2428                 (phys_offset & IO_MEM_ROMD)) {
2429                 phys_offset += TARGET_PAGE_SIZE;
2430             } else {
2431                 target_phys_addr_t start_addr2, end_addr2;
2432                 int need_subpage = 0;
2433 
2434                 CHECK_SUBPAGE(addr, start_addr, start_addr2, end_addr,
2435                               end_addr2, need_subpage);
2436 
2437                 if (need_subpage) {
2438                     subpage = subpage_init((addr & TARGET_PAGE_MASK),
2439                                            &p->phys_offset, IO_MEM_UNASSIGNED,
2440                                            addr & TARGET_PAGE_MASK);
2441                     subpage_register(subpage, start_addr2, end_addr2,
2442                                      phys_offset, region_offset);
2443                     p->region_offset = 0;
2444                 }
2445             }
2446         }
2447         region_offset += TARGET_PAGE_SIZE;
2448         addr += TARGET_PAGE_SIZE;
2449     } while (addr != end_addr);
2450 
2451     /* since each CPU stores ram addresses in its TLB cache, we must
2452        reset the modified entries */
2453     /* XXX: slow ! */
2454     for(env = first_cpu; env != NULL; env = env->next_cpu) {
2455         tlb_flush(env, 1);
2456     }
2457 }
2458 
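/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * how a board model would register plain RAM with the function above.  The
 * function name, the "example.ram" block name and the choice of guest
 * physical address 0 are assumptions; qemu_ram_alloc() is defined later in
 * this file. */
#if 0
static void example_register_board_ram(ram_addr_t ram_size)
{
    /* Allocate host backing storage, then map it at guest physical 0.
       IO_MEM_RAM marks the range as ordinary RAM; region_offset is unused
       for RAM and dirty logging is left disabled. */
    ram_addr_t ram_offset = qemu_ram_alloc(NULL, "example.ram", ram_size);

    cpu_register_physical_memory_log(0, ram_size, ram_offset | IO_MEM_RAM,
                                     0, 0);
}
#endif
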
2459 /* XXX: temporary until new memory mapping API */
2460 ram_addr_t cpu_get_physical_page_desc(target_phys_addr_t addr)
2461 {
2462     PhysPageDesc *p;
2463 
2464     p = phys_page_find(addr >> TARGET_PAGE_BITS);
2465     if (!p)
2466         return IO_MEM_UNASSIGNED;
2467     return p->phys_offset;
2468 }
2469 
2470 void qemu_register_coalesced_mmio(target_phys_addr_t addr, ram_addr_t size)
2471 {
2472     if (kvm_enabled())
2473         kvm_coalesce_mmio_region(addr, size);
2474 }
2475 
2476 void qemu_unregister_coalesced_mmio(target_phys_addr_t addr, ram_addr_t size)
2477 {
2478     if (kvm_enabled())
2479         kvm_uncoalesce_mmio_region(addr, size);
2480 }
2481 
2482 static ram_addr_t find_ram_offset(ram_addr_t size)
2483 {
2484     RAMBlock *block, *next_block;
2485     ram_addr_t offset = 0, mingap = ULONG_MAX;
2486 
2487     if (QLIST_EMPTY(&ram_list.blocks))
2488         return 0;
2489 
2490     QLIST_FOREACH(block, &ram_list.blocks, next) {
2491         ram_addr_t end, next = ULONG_MAX;
2492 
2493         end = block->offset + block->length;
2494 
2495         QLIST_FOREACH(next_block, &ram_list.blocks, next) {
2496             if (next_block->offset >= end) {
2497                 next = MIN(next, next_block->offset);
2498             }
2499         }
2500         if (next - end >= size && next - end < mingap) {
2501             offset =  end;
2502             mingap = next - end;
2503         }
2504     }
2505     return offset;
2506 }
2507 
2508 static ram_addr_t last_ram_offset(void)
2509 {
2510     RAMBlock *block;
2511     ram_addr_t last = 0;
2512 
2513     QLIST_FOREACH(block, &ram_list.blocks, next)
2514         last = MAX(last, block->offset + block->length);
2515 
2516     return last;
2517 }
2518 
2519 ram_addr_t qemu_ram_alloc_from_ptr(DeviceState *dev, const char *name,
2520                                    ram_addr_t size, void *host)
2521 {
2522     RAMBlock *new_block, *block;
2523 
2524     size = TARGET_PAGE_ALIGN(size);
2525     new_block = qemu_mallocz(sizeof(*new_block));
2526 
2527 #if 0
2528     if (dev && dev->parent_bus && dev->parent_bus->info->get_dev_path) {
2529         char *id = dev->parent_bus->info->get_dev_path(dev);
2530         if (id) {
2531             snprintf(new_block->idstr, sizeof(new_block->idstr), "%s/", id);
2532             qemu_free(id);
2533         }
2534     }
2535 #endif
2536     pstrcat(new_block->idstr, sizeof(new_block->idstr), name);
2537 
2538     QLIST_FOREACH(block, &ram_list.blocks, next) {
2539         if (!strcmp(block->idstr, new_block->idstr)) {
2540             fprintf(stderr, "RAMBlock \"%s\" already registered, abort!\n",
2541                     new_block->idstr);
2542             abort();
2543         }
2544     }
2545 
2546     if (host) {
2547         new_block->host = host;
2548         new_block->flags |= RAM_PREALLOC_MASK;
2549     } else {
2550         if (mem_path) {
2551 #if 0 && defined (__linux__) && !defined(TARGET_S390X)
2552             new_block->host = file_ram_alloc(new_block, size, mem_path);
2553             if (!new_block->host) {
2554                 new_block->host = qemu_vmalloc(size);
2555                 qemu_madvise(new_block->host, size, QEMU_MADV_MERGEABLE);
2556             }
2557 #else
2558             fprintf(stderr, "-mem-path option unsupported\n");
2559             exit(1);
2560 #endif
2561         } else {
2562 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2563             /* XXX S390 KVM requires the topmost vma of the RAM to be < 256GB */
2564             new_block->host = mmap((void*)0x1000000, size,
2565                                    PROT_EXEC|PROT_READ|PROT_WRITE,
2566                                    MAP_SHARED | MAP_ANONYMOUS, -1, 0);
2567 #else
2568             new_block->host = qemu_vmalloc(size);
2569 
2570 #ifdef CONFIG_HAX
2571         /*
2572          * In HAX, qemu allocates the virtual address space, and the HAX
2573          * kernel module populates the region with physical memory. Since
2574          * we don't currently populate guest memory on demand, we must
2575          * make sure that a sufficient amount of memory is available in
2576          * advance.
2577          */
2578         if (hax_enabled())
2579         {
2580             int ret;
2581             ret = hax_populate_ram((uint64_t)new_block->host, size);
2582             if (ret < 0)
2583             {
2584                 fprintf(stderr, "Hax failed to populate ram\n");
2585                 exit(-1);
2586             }
2587         }
2588 #endif
2589 
2590 #endif
2591 #ifdef MADV_MERGEABLE
2592             madvise(new_block->host, size, MADV_MERGEABLE);
2593 #endif
2594         }
2595     }
2596 
2597     new_block->offset = find_ram_offset(size);
2598     new_block->length = size;
2599 
2600     QLIST_INSERT_HEAD(&ram_list.blocks, new_block, next);
2601 
2602     ram_list.phys_dirty = qemu_realloc(ram_list.phys_dirty,
2603                                        last_ram_offset() >> TARGET_PAGE_BITS);
2604     memset(ram_list.phys_dirty + (new_block->offset >> TARGET_PAGE_BITS),
2605            0xff, size >> TARGET_PAGE_BITS);
2606 
2607     if (kvm_enabled())
2608         kvm_setup_guest_memory(new_block->host, size);
2609 
2610     return new_block->offset;
2611 }
2612 
2613 ram_addr_t qemu_ram_alloc(DeviceState *dev, const char *name, ram_addr_t size)
2614 {
2615     return qemu_ram_alloc_from_ptr(dev, name, size, NULL);
2616 }
2617 
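/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * the intended use of qemu_ram_alloc() for device-local memory such as
 * video RAM.  The function name and the "example.vram" block name are
 * assumptions; qemu_get_ram_ptr() is defined later in this file and, per
 * its comment, is only meant for memory the device itself owns. */
#if 0
static ram_addr_t example_alloc_vram(ram_addr_t vram_size)
{
    ram_addr_t vram_offset = qemu_ram_alloc(NULL, "example.vram", vram_size);
    uint8_t *vram = qemu_get_ram_ptr(vram_offset);

    memset(vram, 0, vram_size);    /* the device may touch its own RAM */
    return vram_offset;
}
#endif
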
2618 void qemu_ram_free(ram_addr_t addr)
2619 {
2620     RAMBlock *block;
2621 
2622     QLIST_FOREACH(block, &ram_list.blocks, next) {
2623         if (addr == block->offset) {
2624             QLIST_REMOVE(block, next);
2625             if (block->flags & RAM_PREALLOC_MASK) {
2626                 ;
2627             } else if (mem_path) {
2628 #if defined (__linux__) && !defined(TARGET_S390X)
2629                 if (block->fd) {
2630                     munmap(block->host, block->length);
2631                     close(block->fd);
2632                 } else {
2633                     qemu_vfree(block->host);
2634                 }
2635 #else
2636                 abort();
2637 #endif
2638             } else {
2639 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2640                 munmap(block->host, block->length);
2641 #else
2642                 qemu_vfree(block->host);
2643 #endif
2644             }
2645             qemu_free(block);
2646             return;
2647         }
2648     }
2649 
2650 }
2651 
2652 #ifndef _WIN32
2653 void qemu_ram_remap(ram_addr_t addr, ram_addr_t length)
2654 {
2655 #ifndef CONFIG_ANDROID
2656     RAMBlock *block;
2657     ram_addr_t offset;
2658     int flags;
2659     void *area, *vaddr;
2660 
2661     QLIST_FOREACH(block, &ram_list.blocks, next) {
2662         offset = addr - block->offset;
2663         if (offset < block->length) {
2664             vaddr = block->host + offset;
2665             if (block->flags & RAM_PREALLOC_MASK) {
2666                 ;
2667             } else {
2668                 flags = MAP_FIXED;
2669                 munmap(vaddr, length);
2670                 if (mem_path) {
2671 #if defined(__linux__) && !defined(TARGET_S390X)
2672                     if (block->fd) {
2673 #ifdef MAP_POPULATE
2674                         flags |= mem_prealloc ? MAP_POPULATE | MAP_SHARED :
2675                             MAP_PRIVATE;
2676 #else
2677                         flags |= MAP_PRIVATE;
2678 #endif
2679                         area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2680                                     flags, block->fd, offset);
2681                     } else {
2682                         flags |= MAP_PRIVATE | MAP_ANONYMOUS;
2683                         area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2684                                     flags, -1, 0);
2685                     }
2686 #else
2687                     abort();
2688 #endif
2689                 } else {
2690 #if defined(TARGET_S390X) && defined(CONFIG_KVM)
2691                     flags |= MAP_SHARED | MAP_ANONYMOUS;
2692                     area = mmap(vaddr, length, PROT_EXEC|PROT_READ|PROT_WRITE,
2693                                 flags, -1, 0);
2694 #else
2695                     flags |= MAP_PRIVATE | MAP_ANONYMOUS;
2696                     area = mmap(vaddr, length, PROT_READ | PROT_WRITE,
2697                                 flags, -1, 0);
2698 #endif
2699                 }
2700                 if (area != vaddr) {
2701                     fprintf(stderr, "Could not remap addr: %lx@%lx\n",
2702                             length, addr);
2703                     exit(1);
2704                 }
2705                 qemu_madvise(vaddr, length, QEMU_MADV_MERGEABLE);
2706             }
2707             return;
2708         }
2709     }
2710 #endif /* !CONFIG_ANDROID */
2711 }
2712 #endif /* !_WIN32 */
2713 
2714 /* Return a host pointer to ram allocated with qemu_ram_alloc.
2715    With the exception of the softmmu code in this file, this should
2716    only be used for local memory (e.g. video ram) that the device owns,
2717    and knows it isn't going to access beyond the end of the block.
2718 
2719    It should not be used for general purpose DMA.
2720    Use cpu_physical_memory_map/cpu_physical_memory_rw instead.
2721  */
2722 void *qemu_get_ram_ptr(ram_addr_t addr)
2723 {
2724     RAMBlock *block;
2725 
2726     QLIST_FOREACH(block, &ram_list.blocks, next) {
2727         if (addr - block->offset < block->length) {
2728             /* Move this entry to the start of the list.  */
2729             if (block != QLIST_FIRST(&ram_list.blocks)) {
2730                 QLIST_REMOVE(block, next);
2731                 QLIST_INSERT_HEAD(&ram_list.blocks, block, next);
2732             }
2733             return block->host + (addr - block->offset);
2734         }
2735     }
2736 
2737     fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2738     abort();
2739 
2740     return NULL;
2741 }
2742 
2743 /* Return a host pointer to ram allocated with qemu_ram_alloc.
2744  * Same as qemu_get_ram_ptr but avoid reordering ramblocks.
2745  */
2746 void *qemu_safe_ram_ptr(ram_addr_t addr)
2747 {
2748     RAMBlock *block;
2749 
2750     QLIST_FOREACH(block, &ram_list.blocks, next) {
2751         if (addr - block->offset < block->length) {
2752             return block->host + (addr - block->offset);
2753         }
2754     }
2755 
2756     fprintf(stderr, "Bad ram offset %" PRIx64 "\n", (uint64_t)addr);
2757     abort();
2758 
2759     return NULL;
2760 }
2761 
2762 int qemu_ram_addr_from_host(void *ptr, ram_addr_t *ram_addr)
2763 {
2764     RAMBlock *block;
2765     uint8_t *host = ptr;
2766 
2767     QLIST_FOREACH(block, &ram_list.blocks, next) {
2768         if (host - block->host < block->length) {
2769             *ram_addr = block->offset + (host - block->host);
2770             return 0;
2771         }
2772     }
2773     return -1;
2774 }
2775 
2776 /* Some of the softmmu routines need to translate from a host pointer
2777    (typically a TLB entry) back to a ram offset.  */
2778 ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
2779 {
2780     ram_addr_t ram_addr;
2781 
2782     if (qemu_ram_addr_from_host(ptr, &ram_addr)) {
2783         fprintf(stderr, "Bad ram pointer %p\n", ptr);
2784         abort();
2785     }
2786     return ram_addr;
2787 }
2788 
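/* Illustrative sketch (not part of the original code; guarded by #if 0):
 * the difference between the two reverse-lookup helpers above.  The function
 * name is an assumption. */
#if 0
static ram_addr_t example_host_ptr_to_ram_addr(void *host_ptr)
{
    ram_addr_t ram_addr;

    if (qemu_ram_addr_from_host(host_ptr, &ram_addr)) {
        /* Pointer is not inside any registered RAM block; unlike the
           _nofail variant, this path lets the caller recover. */
        return (ram_addr_t)-1;
    }
    return ram_addr;
}
#endif
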
2789 static uint32_t unassigned_mem_readb(void *opaque, target_phys_addr_t addr)
2790 {
2791 #ifdef DEBUG_UNASSIGNED
2792     printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2793 #endif
2794 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2795     do_unassigned_access(addr, 0, 0, 0, 1);
2796 #endif
2797     return 0;
2798 }
2799 
2800 static uint32_t unassigned_mem_readw(void *opaque, target_phys_addr_t addr)
2801 {
2802 #ifdef DEBUG_UNASSIGNED
2803     printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2804 #endif
2805 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2806     do_unassigned_access(addr, 0, 0, 0, 2);
2807 #endif
2808     return 0;
2809 }
2810 
2811 static uint32_t unassigned_mem_readl(void *opaque, target_phys_addr_t addr)
2812 {
2813 #ifdef DEBUG_UNASSIGNED
2814     printf("Unassigned mem read " TARGET_FMT_plx "\n", addr);
2815 #endif
2816 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2817     do_unassigned_access(addr, 0, 0, 0, 4);
2818 #endif
2819     return 0;
2820 }
2821 
2822 static void unassigned_mem_writeb(void *opaque, target_phys_addr_t addr, uint32_t val)
2823 {
2824 #ifdef DEBUG_UNASSIGNED
2825     printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2826 #endif
2827 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2828     do_unassigned_access(addr, 1, 0, 0, 1);
2829 #endif
2830 }
2831 
2832 static void unassigned_mem_writew(void *opaque, target_phys_addr_t addr, uint32_t val)
2833 {
2834 #ifdef DEBUG_UNASSIGNED
2835     printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2836 #endif
2837 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2838     do_unassigned_access(addr, 1, 0, 0, 2);
2839 #endif
2840 }
2841 
2842 static void unassigned_mem_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
2843 {
2844 #ifdef DEBUG_UNASSIGNED
2845     printf("Unassigned mem write " TARGET_FMT_plx " = 0x%x\n", addr, val);
2846 #endif
2847 #if defined(TARGET_SPARC) || defined(TARGET_MICROBLAZE)
2848     do_unassigned_access(addr, 1, 0, 0, 4);
2849 #endif
2850 }
2851 
2852 static CPUReadMemoryFunc * const unassigned_mem_read[3] = {
2853     unassigned_mem_readb,
2854     unassigned_mem_readw,
2855     unassigned_mem_readl,
2856 };
2857 
2858 static CPUWriteMemoryFunc * const unassigned_mem_write[3] = {
2859     unassigned_mem_writeb,
2860     unassigned_mem_writew,
2861     unassigned_mem_writel,
2862 };
2863 
2864 static void notdirty_mem_writeb(void *opaque, target_phys_addr_t ram_addr,
2865                                 uint32_t val)
2866 {
2867     int dirty_flags;
2868     dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2869     if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2870 #if !defined(CONFIG_USER_ONLY)
2871         tb_invalidate_phys_page_fast(ram_addr, 1);
2872         dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2873 #endif
2874     }
2875     stb_p(qemu_get_ram_ptr(ram_addr), val);
2876     dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2877     cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2878     /* we remove the notdirty callback only if the code has been
2879        flushed */
2880     if (dirty_flags == 0xff)
2881         tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2882 }
2883 
2884 static void notdirty_mem_writew(void *opaque, target_phys_addr_t ram_addr,
2885                                 uint32_t val)
2886 {
2887     int dirty_flags;
2888     dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2889     if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2890 #if !defined(CONFIG_USER_ONLY)
2891         tb_invalidate_phys_page_fast(ram_addr, 2);
2892         dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2893 #endif
2894     }
2895     stw_p(qemu_get_ram_ptr(ram_addr), val);
2896     dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2897     cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2898     /* we remove the notdirty callback only if the code has been
2899        flushed */
2900     if (dirty_flags == 0xff)
2901         tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2902 }
2903 
2904 static void notdirty_mem_writel(void *opaque, target_phys_addr_t ram_addr,
2905                                 uint32_t val)
2906 {
2907     int dirty_flags;
2908     dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2909     if (!(dirty_flags & CODE_DIRTY_FLAG)) {
2910 #if !defined(CONFIG_USER_ONLY)
2911         tb_invalidate_phys_page_fast(ram_addr, 4);
2912         dirty_flags = cpu_physical_memory_get_dirty_flags(ram_addr);
2913 #endif
2914     }
2915     stl_p(qemu_get_ram_ptr(ram_addr), val);
2916     dirty_flags |= (0xff & ~CODE_DIRTY_FLAG);
2917     cpu_physical_memory_set_dirty_flags(ram_addr, dirty_flags);
2918     /* we remove the notdirty callback only if the code has been
2919        flushed */
2920     if (dirty_flags == 0xff)
2921         tlb_set_dirty(cpu_single_env, cpu_single_env->mem_io_vaddr);
2922 }
2923 
2924 static CPUReadMemoryFunc * const error_mem_read[3] = {
2925     NULL, /* never used */
2926     NULL, /* never used */
2927     NULL, /* never used */
2928 };
2929 
2930 static CPUWriteMemoryFunc * const notdirty_mem_write[3] = {
2931     notdirty_mem_writeb,
2932     notdirty_mem_writew,
2933     notdirty_mem_writel,
2934 };
2935 
2936 /* Generate a debug exception if a watchpoint has been hit.  */
2937 static void check_watchpoint(int offset, int len_mask, int flags)
2938 {
2939     CPUState *env = cpu_single_env;
2940     target_ulong pc, cs_base;
2941     TranslationBlock *tb;
2942     target_ulong vaddr;
2943     CPUWatchpoint *wp;
2944     int cpu_flags;
2945 
2946     if (env->watchpoint_hit) {
2947         /* We re-entered the check after replacing the TB. Now raise
2948          * the debug interrupt so that it will trigger after the
2949          * current instruction. */
2950         cpu_interrupt(env, CPU_INTERRUPT_DEBUG);
2951         return;
2952     }
2953     vaddr = (env->mem_io_vaddr & TARGET_PAGE_MASK) + offset;
2954     QTAILQ_FOREACH(wp, &env->watchpoints, entry) {
2955         if ((vaddr == (wp->vaddr & len_mask) ||
2956              (vaddr & wp->len_mask) == wp->vaddr) && (wp->flags & flags)) {
2957             wp->flags |= BP_WATCHPOINT_HIT;
2958             if (!env->watchpoint_hit) {
2959                 env->watchpoint_hit = wp;
2960                 tb = tb_find_pc(env->mem_io_pc);
2961                 if (!tb) {
2962                     cpu_abort(env, "check_watchpoint: could not find TB for "
2963                               "pc=%p", (void *)env->mem_io_pc);
2964                 }
2965                 cpu_restore_state(tb, env, env->mem_io_pc);
2966                 tb_phys_invalidate(tb, -1);
2967                 if (wp->flags & BP_STOP_BEFORE_ACCESS) {
2968                     env->exception_index = EXCP_DEBUG;
2969                 } else {
2970                     cpu_get_tb_cpu_state(env, &pc, &cs_base, &cpu_flags);
2971                     tb_gen_code(env, pc, cs_base, cpu_flags, 1);
2972                 }
2973                 cpu_resume_from_signal(env, NULL);
2974             }
2975         } else {
2976             wp->flags &= ~BP_WATCHPOINT_HIT;
2977         }
2978     }
2979 }
2980 
2981 /* Watchpoint access routines.  Watchpoints are inserted using TLB tricks,
2982    so these check for a hit then pass through to the normal out-of-line
2983    phys routines.  */
2984 static uint32_t watch_mem_readb(void *opaque, target_phys_addr_t addr)
2985 {
2986     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x0, BP_MEM_READ);
2987     return ldub_phys(addr);
2988 }
2989 
2990 static uint32_t watch_mem_readw(void *opaque, target_phys_addr_t addr)
2991 {
2992     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x1, BP_MEM_READ);
2993     return lduw_phys(addr);
2994 }
2995 
2996 static uint32_t watch_mem_readl(void *opaque, target_phys_addr_t addr)
2997 {
2998     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x3, BP_MEM_READ);
2999     return ldl_phys(addr);
3000 }
3001 
3002 static void watch_mem_writeb(void *opaque, target_phys_addr_t addr,
3003                              uint32_t val)
3004 {
3005     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x0, BP_MEM_WRITE);
3006     stb_phys(addr, val);
3007 }
3008 
3009 static void watch_mem_writew(void *opaque, target_phys_addr_t addr,
3010                              uint32_t val)
3011 {
3012     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x1, BP_MEM_WRITE);
3013     stw_phys(addr, val);
3014 }
3015 
3016 static void watch_mem_writel(void *opaque, target_phys_addr_t addr,
3017                              uint32_t val)
3018 {
3019     check_watchpoint(addr & ~TARGET_PAGE_MASK, ~0x3, BP_MEM_WRITE);
3020     stl_phys(addr, val);
3021 }
3022 
3023 static CPUReadMemoryFunc * const watch_mem_read[3] = {
3024     watch_mem_readb,
3025     watch_mem_readw,
3026     watch_mem_readl,
3027 };
3028 
3029 static CPUWriteMemoryFunc * const watch_mem_write[3] = {
3030     watch_mem_writeb,
3031     watch_mem_writew,
3032     watch_mem_writel,
3033 };
3034 
3035 static inline uint32_t subpage_readlen (subpage_t *mmio, target_phys_addr_t addr,
3036                                  unsigned int len)
3037 {
3038     uint32_t ret;
3039     unsigned int idx;
3040 
3041     idx = SUBPAGE_IDX(addr);
3042 #if defined(DEBUG_SUBPAGE)
3043     printf("%s: subpage %p len %d addr " TARGET_FMT_plx " idx %d\n", __func__,
3044            mmio, len, addr, idx);
3045 #endif
3046     ret = (**mmio->mem_read[idx][len])(mmio->opaque[idx][0][len],
3047                                        addr + mmio->region_offset[idx][0][len]);
3048 
3049     return ret;
3050 }
3051 
3052 static inline void subpage_writelen (subpage_t *mmio, target_phys_addr_t addr,
3053                               uint32_t value, unsigned int len)
3054 {
3055     unsigned int idx;
3056 
3057     idx = SUBPAGE_IDX(addr);
3058 #if defined(DEBUG_SUBPAGE)
3059     printf("%s: subpage %p len %d addr " TARGET_FMT_plx " idx %d value %08x\n", __func__,
3060            mmio, len, addr, idx, value);
3061 #endif
3062     (**mmio->mem_write[idx][len])(mmio->opaque[idx][1][len],
3063                                   addr + mmio->region_offset[idx][1][len],
3064                                   value);
3065 }
3066 
3067 static uint32_t subpage_readb (void *opaque, target_phys_addr_t addr)
3068 {
3069 #if defined(DEBUG_SUBPAGE)
3070     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
3071 #endif
3072 
3073     return subpage_readlen(opaque, addr, 0);
3074 }
3075 
3076 static void subpage_writeb (void *opaque, target_phys_addr_t addr,
3077                             uint32_t value)
3078 {
3079 #if defined(DEBUG_SUBPAGE)
3080     printf("%s: addr " TARGET_FMT_plx " val %08x\n", __func__, addr, value);
3081 #endif
3082     subpage_writelen(opaque, addr, value, 0);
3083 }
3084 
3085 static uint32_t subpage_readw (void *opaque, target_phys_addr_t addr)
3086 {
3087 #if defined(DEBUG_SUBPAGE)
3088     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
3089 #endif
3090 
3091     return subpage_readlen(opaque, addr, 1);
3092 }
3093 
3094 static void subpage_writew (void *opaque, target_phys_addr_t addr,
3095                             uint32_t value)
3096 {
3097 #if defined(DEBUG_SUBPAGE)
3098     printf("%s: addr " TARGET_FMT_plx " val %08x\n", __func__, addr, value);
3099 #endif
3100     subpage_writelen(opaque, addr, value, 1);
3101 }
3102 
3103 static uint32_t subpage_readl (void *opaque, target_phys_addr_t addr)
3104 {
3105 #if defined(DEBUG_SUBPAGE)
3106     printf("%s: addr " TARGET_FMT_plx "\n", __func__, addr);
3107 #endif
3108 
3109     return subpage_readlen(opaque, addr, 2);
3110 }
3111 
3112 static void subpage_writel (void *opaque,
3113                          target_phys_addr_t addr, uint32_t value)
3114 {
3115 #if defined(DEBUG_SUBPAGE)
3116     printf("%s: addr " TARGET_FMT_plx " val %08x\n", __func__, addr, value);
3117 #endif
3118     subpage_writelen(opaque, addr, value, 2);
3119 }
3120 
3121 static CPUReadMemoryFunc * const subpage_read[] = {
3122     &subpage_readb,
3123     &subpage_readw,
3124     &subpage_readl,
3125 };
3126 
3127 static CPUWriteMemoryFunc * const subpage_write[] = {
3128     &subpage_writeb,
3129     &subpage_writew,
3130     &subpage_writel,
3131 };
3132 
3133 static int subpage_register (subpage_t *mmio, uint32_t start, uint32_t end,
3134                              ram_addr_t memory, ram_addr_t region_offset)
3135 {
3136     int idx, eidx;
3137     unsigned int i;
3138 
3139     if (start >= TARGET_PAGE_SIZE || end >= TARGET_PAGE_SIZE)
3140         return -1;
3141     idx = SUBPAGE_IDX(start);
3142     eidx = SUBPAGE_IDX(end);
3143 #if defined(DEBUG_SUBPAGE)
3144     printf("%s: %p start %08x end %08x idx %08x eidx %08x mem %ld\n", __func__,
3145            mmio, start, end, idx, eidx, memory);
3146 #endif
3147     memory >>= IO_MEM_SHIFT;
3148     for (; idx <= eidx; idx++) {
3149         for (i = 0; i < 4; i++) {
3150             if (io_mem_read[memory][i]) {
3151                 mmio->mem_read[idx][i] = &io_mem_read[memory][i];
3152                 mmio->opaque[idx][0][i] = io_mem_opaque[memory];
3153                 mmio->region_offset[idx][0][i] = region_offset;
3154             }
3155             if (io_mem_write[memory][i]) {
3156                 mmio->mem_write[idx][i] = &io_mem_write[memory][i];
3157                 mmio->opaque[idx][1][i] = io_mem_opaque[memory];
3158                 mmio->region_offset[idx][1][i] = region_offset;
3159             }
3160         }
3161     }
3162 
3163     return 0;
3164 }
3165 
3166 static void *subpage_init (target_phys_addr_t base, ram_addr_t *phys,
3167                            ram_addr_t orig_memory, ram_addr_t region_offset)
3168 {
3169     subpage_t *mmio;
3170     int subpage_memory;
3171 
3172     mmio = qemu_mallocz(sizeof(subpage_t));
3173 
3174     mmio->base = base;
3175     subpage_memory = cpu_register_io_memory(subpage_read, subpage_write, mmio);
3176 #if defined(DEBUG_SUBPAGE)
3177     printf("%s: %p base " TARGET_FMT_plx " len %08x %d\n", __func__,
3178            mmio, base, TARGET_PAGE_SIZE, subpage_memory);
3179 #endif
3180     *phys = subpage_memory | IO_MEM_SUBPAGE;
3181     subpage_register(mmio, 0, TARGET_PAGE_SIZE - 1, orig_memory,
3182                          region_offset);
3183 
3184     return mmio;
3185 }
3186 
3187 static int get_free_io_mem_idx(void)
3188 {
3189     int i;
3190 
3191     for (i = 0; i<IO_MEM_NB_ENTRIES; i++)
3192         if (!io_mem_used[i]) {
3193             io_mem_used[i] = 1;
3194             return i;
3195         }
3196     fprintf(stderr, "Ran out of io_mem_idx, max %d!\n", IO_MEM_NB_ENTRIES);
3197     return -1;
3198 }
3199 
3200 /* mem_read and mem_write are arrays of functions used to access the
3201    region as bytes (index 0), words (index 1) and dwords (index 2).
3202    Entries may be omitted by passing a NULL function pointer.
3203    If io_index is non-zero, the corresponding io zone is
3204    modified. If it is zero, a new io zone is allocated. The return
3205    value can be used with cpu_register_physical_memory(); -1 is
3206    returned on error. */
3207 static int cpu_register_io_memory_fixed(int io_index,
3208                                         CPUReadMemoryFunc * const *mem_read,
3209                                         CPUWriteMemoryFunc * const *mem_write,
3210                                         void *opaque)
3211 {
3212     int i, subwidth = 0;
3213 
3214     if (io_index <= 0) {
3215         io_index = get_free_io_mem_idx();
3216         if (io_index == -1)
3217             return io_index;
3218     } else {
3219         io_index >>= IO_MEM_SHIFT;
3220         if (io_index >= IO_MEM_NB_ENTRIES)
3221             return -1;
3222     }
3223 
3224     for(i = 0;i < 3; i++) {
3225         if (!mem_read[i] || !mem_write[i])
3226             subwidth = IO_MEM_SUBWIDTH;
3227         io_mem_read[io_index][i] = mem_read[i];
3228         io_mem_write[io_index][i] = mem_write[i];
3229     }
3230     io_mem_opaque[io_index] = opaque;
3231     return (io_index << IO_MEM_SHIFT) | subwidth;
3232 }
3233 
3234 int cpu_register_io_memory(CPUReadMemoryFunc * const *mem_read,
3235                            CPUWriteMemoryFunc * const *mem_write,
3236                            void *opaque)
3237 {
3238     return cpu_register_io_memory_fixed(0, mem_read, mem_write, opaque);
3239 }
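
/* Hypothetical usage sketch: how a device model might plug into
 * cpu_register_io_memory() above.  MyDevState and the my_dev_* callbacks are
 * invented for illustration; only the registration API and the
 * CPUReadMemoryFunc/CPUWriteMemoryFunc conventions come from this file. */
#if 0   /* example only, not compiled */
typedef struct MyDevState {
    uint32_t reg;                       /* a single 32-bit register */
} MyDevState;

static uint32_t my_dev_readl(void *opaque, target_phys_addr_t addr)
{
    MyDevState *s = opaque;
    return s->reg;                      /* ignore the offset for brevity */
}

static void my_dev_writel(void *opaque, target_phys_addr_t addr, uint32_t val)
{
    MyDevState *s = opaque;
    s->reg = val;
}

/* Byte and word handlers are omitted (NULL), so the returned index carries
   IO_MEM_SUBWIDTH, as cpu_register_io_memory_fixed() arranges above. */
static CPUReadMemoryFunc * const my_dev_read[3] = {
    NULL, NULL, my_dev_readl,
};
static CPUWriteMemoryFunc * const my_dev_write[3] = {
    NULL, NULL, my_dev_writel,
};

static void my_dev_map(MyDevState *s, target_phys_addr_t base)
{
    int io = cpu_register_io_memory(my_dev_read, my_dev_write, s);
    cpu_register_physical_memory(base, TARGET_PAGE_SIZE, io);
}
#endif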
3240 
3241 void cpu_unregister_io_memory(int io_table_address)
3242 {
3243     int i;
3244     int io_index = io_table_address >> IO_MEM_SHIFT;
3245 
3246     for (i=0;i < 3; i++) {
3247         io_mem_read[io_index][i] = unassigned_mem_read[i];
3248         io_mem_write[io_index][i] = unassigned_mem_write[i];
3249     }
3250     io_mem_opaque[io_index] = NULL;
3251     io_mem_used[io_index] = 0;
3252 }
3253 
3254 static void io_mem_init(void)
3255 {
3256     int i;
3257 
3258     cpu_register_io_memory_fixed(IO_MEM_ROM, error_mem_read, unassigned_mem_write, NULL);
3259     cpu_register_io_memory_fixed(IO_MEM_UNASSIGNED, unassigned_mem_read, unassigned_mem_write, NULL);
3260     cpu_register_io_memory_fixed(IO_MEM_NOTDIRTY, error_mem_read, notdirty_mem_write, NULL);
3261     for (i=0; i<5; i++)
3262         io_mem_used[i] = 1;
3263 
3264     io_mem_watch = cpu_register_io_memory(watch_mem_read,
3265                                           watch_mem_write, NULL);
3266 }
3267 
3268 #endif /* !defined(CONFIG_USER_ONLY) */
3269 
3270 /* physical memory access (slow version, mainly for debug) */
3271 #if defined(CONFIG_USER_ONLY)
3272 void cpu_physical_memory_rw(target_phys_addr_t addr, uint8_t *buf,
3273                             int len, int is_write)
3274 {
3275     int l, flags;
3276     target_ulong page;
3277     void * p;
3278 
3279     while (len > 0) {
3280         page = addr & TARGET_PAGE_MASK;
3281         l = (page + TARGET_PAGE_SIZE) - addr;
3282         if (l > len)
3283             l = len;
3284         flags = page_get_flags(page);
3285         if (!(flags & PAGE_VALID))
3286             return;
3287         if (is_write) {
3288             if (!(flags & PAGE_WRITE))
3289                 return;
3290             /* XXX: this code should not depend on lock_user */
3291             if (!(p = lock_user(VERIFY_WRITE, addr, l, 0)))
3292                 /* FIXME - should this return an error rather than just fail? */
3293                 return;
3294             memcpy(p, buf, l);
3295             unlock_user(p, addr, l);
3296         } else {
3297             if (!(flags & PAGE_READ))
3298                 return;
3299             /* XXX: this code should not depend on lock_user */
3300             if (!(p = lock_user(VERIFY_READ, addr, l, 1)))
3301                 /* FIXME - should this return an error rather than just fail? */
3302                 return;
3303             memcpy(buf, p, l);
3304             unlock_user(p, addr, 0);
3305         }
3306         len -= l;
3307         buf += l;
3308         addr += l;
3309     }
3310 }
3311 
3312 #else
3313 void cpu_physical_memory_rw(target_phys_addr_t addr, uint8_t *buf,
3314                             int len, int is_write)
3315 {
3316     int l, io_index;
3317     uint8_t *ptr;
3318     uint32_t val;
3319     target_phys_addr_t page;
3320     unsigned long pd;
3321     PhysPageDesc *p;
3322 
3323     while (len > 0) {
3324         page = addr & TARGET_PAGE_MASK;
3325         l = (page + TARGET_PAGE_SIZE) - addr;
3326         if (l > len)
3327             l = len;
3328         p = phys_page_find(page >> TARGET_PAGE_BITS);
3329         if (!p) {
3330             pd = IO_MEM_UNASSIGNED;
3331         } else {
3332             pd = p->phys_offset;
3333         }
3334 
3335         if (is_write) {
3336             if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3337                 target_phys_addr_t addr1 = addr;
3338                 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3339                 if (p)
3340                     addr1 = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3341                 /* XXX: could force cpu_single_env to NULL to avoid
3342                    potential bugs */
3343                 if (l >= 4 && ((addr1 & 3) == 0)) {
3344                     /* 32 bit write access */
3345                     val = ldl_p(buf);
3346                     io_mem_write[io_index][2](io_mem_opaque[io_index], addr1, val);
3347                     l = 4;
3348                 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3349                     /* 16 bit write access */
3350                     val = lduw_p(buf);
3351                     io_mem_write[io_index][1](io_mem_opaque[io_index], addr1, val);
3352                     l = 2;
3353                 } else {
3354                     /* 8 bit write access */
3355                     val = ldub_p(buf);
3356                     io_mem_write[io_index][0](io_mem_opaque[io_index], addr1, val);
3357                     l = 1;
3358                 }
3359             } else {
3360                 unsigned long addr1;
3361                 addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3362                 /* RAM case */
3363                 ptr = qemu_get_ram_ptr(addr1);
3364                 memcpy(ptr, buf, l);
3365                 if (!cpu_physical_memory_is_dirty(addr1)) {
3366                     /* invalidate code */
3367                     tb_invalidate_phys_page_range(addr1, addr1 + l, 0);
3368                     /* set dirty bit */
3369                     cpu_physical_memory_set_dirty_flags(
3370                         addr1, (0xff & ~CODE_DIRTY_FLAG));
3371                 }
3372             }
3373         } else {
3374             if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3375                 !(pd & IO_MEM_ROMD)) {
3376                 target_phys_addr_t addr1 = addr;
3377                 /* I/O case */
3378                 io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3379                 if (p)
3380                     addr1 = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3381                 if (l >= 4 && ((addr1 & 3) == 0)) {
3382                     /* 32 bit read access */
3383                     val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr1);
3384                     stl_p(buf, val);
3385                     l = 4;
3386                 } else if (l >= 2 && ((addr1 & 1) == 0)) {
3387                     /* 16 bit read access */
3388                     val = io_mem_read[io_index][1](io_mem_opaque[io_index], addr1);
3389                     stw_p(buf, val);
3390                     l = 2;
3391                 } else {
3392                     /* 8 bit read access */
3393                     val = io_mem_read[io_index][0](io_mem_opaque[io_index], addr1);
3394                     stb_p(buf, val);
3395                     l = 1;
3396                 }
3397             } else {
3398                 /* RAM case */
3399                 ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3400                     (addr & ~TARGET_PAGE_MASK);
3401                 memcpy(buf, ptr, l);
3402             }
3403         }
3404         len -= l;
3405         buf += l;
3406         addr += l;
3407     }
3408 }
3409 
3410 /* used for ROM loading : can write in RAM and ROM */
3411 void cpu_physical_memory_write_rom(target_phys_addr_t addr,
3412                                    const uint8_t *buf, int len)
3413 {
3414     int l;
3415     uint8_t *ptr;
3416     target_phys_addr_t page;
3417     unsigned long pd;
3418     PhysPageDesc *p;
3419 
3420     while (len > 0) {
3421         page = addr & TARGET_PAGE_MASK;
3422         l = (page + TARGET_PAGE_SIZE) - addr;
3423         if (l > len)
3424             l = len;
3425         p = phys_page_find(page >> TARGET_PAGE_BITS);
3426         if (!p) {
3427             pd = IO_MEM_UNASSIGNED;
3428         } else {
3429             pd = p->phys_offset;
3430         }
3431 
3432         if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM &&
3433             (pd & ~TARGET_PAGE_MASK) != IO_MEM_ROM &&
3434             !(pd & IO_MEM_ROMD)) {
3435             /* do nothing */
3436         } else {
3437             unsigned long addr1;
3438             addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3439             /* ROM/RAM case */
3440             ptr = qemu_get_ram_ptr(addr1);
3441             memcpy(ptr, buf, l);
3442         }
3443         len -= l;
3444         buf += l;
3445         addr += l;
3446     }
3447 }
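
/* Hypothetical usage sketch: a minimal firmware-loading helper built on
 * cpu_physical_memory_write_rom() above.  example_load_firmware and its
 * arguments are invented for illustration. */
#if 0   /* example only, not compiled */
static void example_load_firmware(target_phys_addr_t load_addr,
                                  const uint8_t *image, int size)
{
    /* Unlike cpu_physical_memory_rw(), this also writes into pages that
       were registered as ROM, which is what a machine init routine needs
       when placing a boot ROM image. */
    cpu_physical_memory_write_rom(load_addr, image, size);
}
#endif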
3448 
3449 typedef struct {
3450     void *buffer;
3451     target_phys_addr_t addr;
3452     target_phys_addr_t len;
3453 } BounceBuffer;
3454 
3455 static BounceBuffer bounce;
3456 
3457 typedef struct MapClient {
3458     void *opaque;
3459     void (*callback)(void *opaque);
3460     QLIST_ENTRY(MapClient) link;
3461 } MapClient;
3462 
3463 static QLIST_HEAD(map_client_list, MapClient) map_client_list
3464     = QLIST_HEAD_INITIALIZER(map_client_list);
3465 
3466 void *cpu_register_map_client(void *opaque, void (*callback)(void *opaque))
3467 {
3468     MapClient *client = qemu_malloc(sizeof(*client));
3469 
3470     client->opaque = opaque;
3471     client->callback = callback;
3472     QLIST_INSERT_HEAD(&map_client_list, client, link);
3473     return client;
3474 }
3475 
3476 void cpu_unregister_map_client(void *_client)
3477 {
3478     MapClient *client = (MapClient *)_client;
3479 
3480     QLIST_REMOVE(client, link);
3481     qemu_free(client);
3482 }
3483 
3484 static void cpu_notify_map_clients(void)
3485 {
3486     MapClient *client;
3487 
3488     while (!QLIST_EMPTY(&map_client_list)) {
3489         client = QLIST_FIRST(&map_client_list);
3490         client->callback(client->opaque);
3491         QLIST_REMOVE(client, link);
3492     }
3493 }
3494 
3495 /* Map a physical memory region into a host virtual address.
3496  * May map a subset of the requested range, given by and returned in *plen.
3497  * May return NULL if resources needed to perform the mapping are exhausted.
3498  * Use only for reads OR writes - not for read-modify-write operations.
3499  * Use cpu_register_map_client() to know when retrying the map operation is
3500  * likely to succeed.
3501  */
3502 void *cpu_physical_memory_map(target_phys_addr_t addr,
3503                               target_phys_addr_t *plen,
3504                               int is_write)
3505 {
3506     target_phys_addr_t len = *plen;
3507     target_phys_addr_t done = 0;
3508     int l;
3509     uint8_t *ret = NULL;
3510     uint8_t *ptr;
3511     target_phys_addr_t page;
3512     unsigned long pd;
3513     PhysPageDesc *p;
3514     unsigned long addr1;
3515 
3516     while (len > 0) {
3517         page = addr & TARGET_PAGE_MASK;
3518         l = (page + TARGET_PAGE_SIZE) - addr;
3519         if (l > len)
3520             l = len;
3521         p = phys_page_find(page >> TARGET_PAGE_BITS);
3522         if (!p) {
3523             pd = IO_MEM_UNASSIGNED;
3524         } else {
3525             pd = p->phys_offset;
3526         }
3527 
3528         if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3529             if (done || bounce.buffer) {
3530                 break;
3531             }
3532             bounce.buffer = qemu_memalign(TARGET_PAGE_SIZE, TARGET_PAGE_SIZE);
3533             bounce.addr = addr;
3534             bounce.len = l;
3535             if (!is_write) {
3536                 cpu_physical_memory_rw(addr, bounce.buffer, l, 0);
3537             }
3538             ptr = bounce.buffer;
3539         } else {
3540             addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3541             ptr = qemu_get_ram_ptr(addr1);
3542         }
3543         if (!done) {
3544             ret = ptr;
3545         } else if (ret + done != ptr) {
3546             break;
3547         }
3548 
3549         len -= l;
3550         addr += l;
3551         done += l;
3552     }
3553     *plen = done;
3554     return ret;
3555 }
3556 
3557 /* Unmaps a memory region previously mapped by cpu_physical_memory_map().
3558  * Will also mark the memory as dirty if is_write == 1.  access_len gives
3559  * the amount of memory that was actually read or written by the caller.
3560  */
3561 void cpu_physical_memory_unmap(void *buffer, target_phys_addr_t len,
3562                                int is_write, target_phys_addr_t access_len)
3563 {
3564     if (buffer != bounce.buffer) {
3565         if (is_write) {
3566             ram_addr_t addr1 = qemu_ram_addr_from_host_nofail(buffer);
3567             while (access_len) {
3568                 unsigned l;
3569                 l = TARGET_PAGE_SIZE;
3570                 if (l > access_len)
3571                     l = access_len;
3572                 if (!cpu_physical_memory_is_dirty(addr1)) {
3573                     /* invalidate code */
3574                     tb_invalidate_phys_page_range(addr1, addr1 + l, 0);
3575                     /* set dirty bit */
3576                     cpu_physical_memory_set_dirty_flags(
3577                         addr1, (0xff & ~CODE_DIRTY_FLAG));
3578                 }
3579                 addr1 += l;
3580                 access_len -= l;
3581             }
3582         }
3583         return;
3584     }
3585     if (is_write) {
3586         cpu_physical_memory_write(bounce.addr, bounce.buffer, access_len);
3587     }
3588     qemu_vfree(bounce.buffer);
3589     bounce.buffer = NULL;
3590     cpu_notify_map_clients();
3591 }
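
/* Hypothetical usage sketch: the map / access / unmap pattern documented
 * above, with a slow-path fallback.  example_dma_write is invented for
 * illustration; the cpu_physical_memory_* functions it calls are the ones
 * defined in this file. */
#if 0   /* example only, not compiled */
static void example_dma_write(target_phys_addr_t gpa,
                              const uint8_t *data, target_phys_addr_t len)
{
    target_phys_addr_t plen = len;
    void *host = cpu_physical_memory_map(gpa, &plen, 1 /* is_write */);

    if (host) {
        memcpy(host, data, plen);
        /* Passing access_len == plen marks the written pages dirty and
           invalidates any translated code they contain. */
        cpu_physical_memory_unmap(host, plen, 1, plen);
    }
    if (plen < len) {
        /* The mapping came back short (MMIO page, or the bounce buffer was
           busy), so finish with the slow path.  A caller that must not block
           could instead register a callback with cpu_register_map_client()
           and retry the map from there. */
        cpu_physical_memory_rw(gpa + plen, (uint8_t *)data + plen,
                               len - plen, 1);
    }
}
#endif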
3592 
3593 /* warning: addr must be aligned */
3594 uint32_t ldl_phys(target_phys_addr_t addr)
3595 {
3596     int io_index;
3597     uint8_t *ptr;
3598     uint32_t val;
3599     unsigned long pd;
3600     PhysPageDesc *p;
3601 
3602     p = phys_page_find(addr >> TARGET_PAGE_BITS);
3603     if (!p) {
3604         pd = IO_MEM_UNASSIGNED;
3605     } else {
3606         pd = p->phys_offset;
3607     }
3608 
3609     if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3610         !(pd & IO_MEM_ROMD)) {
3611         /* I/O case */
3612         io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3613         if (p)
3614             addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3615         val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr);
3616     } else {
3617         /* RAM case */
3618         ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3619             (addr & ~TARGET_PAGE_MASK);
3620         val = ldl_p(ptr);
3621     }
3622     return val;
3623 }
3624 
3625 /* warning: addr must be aligned */
3626 uint64_t ldq_phys(target_phys_addr_t addr)
3627 {
3628     int io_index;
3629     uint8_t *ptr;
3630     uint64_t val;
3631     unsigned long pd;
3632     PhysPageDesc *p;
3633 
3634     p = phys_page_find(addr >> TARGET_PAGE_BITS);
3635     if (!p) {
3636         pd = IO_MEM_UNASSIGNED;
3637     } else {
3638         pd = p->phys_offset;
3639     }
3640 
3641     if ((pd & ~TARGET_PAGE_MASK) > IO_MEM_ROM &&
3642         !(pd & IO_MEM_ROMD)) {
3643         /* I/O case */
3644         io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3645         if (p)
3646             addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3647 #ifdef TARGET_WORDS_BIGENDIAN
3648         val = (uint64_t)io_mem_read[io_index][2](io_mem_opaque[io_index], addr) << 32;
3649         val |= io_mem_read[io_index][2](io_mem_opaque[io_index], addr + 4);
3650 #else
3651         val = io_mem_read[io_index][2](io_mem_opaque[io_index], addr);
3652         val |= (uint64_t)io_mem_read[io_index][2](io_mem_opaque[io_index], addr + 4) << 32;
3653 #endif
3654     } else {
3655         /* RAM case */
3656         ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3657             (addr & ~TARGET_PAGE_MASK);
3658         val = ldq_p(ptr);
3659     }
3660     return val;
3661 }
3662 
3663 /* XXX: optimize */
3664 uint32_t ldub_phys(target_phys_addr_t addr)
3665 {
3666     uint8_t val;
3667     cpu_physical_memory_read(addr, &val, 1);
3668     return val;
3669 }
3670 
3671 /* XXX: optimize */
3672 uint32_t lduw_phys(target_phys_addr_t addr)
3673 {
3674     uint16_t val;
3675     cpu_physical_memory_read(addr, (uint8_t *)&val, 2);
3676     return tswap16(val);
3677 }
3678 
3679 /* warning: addr must be aligned. The RAM page is not marked as dirty
3680    and the code inside is not invalidated. This is useful when the dirty
3681    bits are used to track modified PTEs. */
3682 void stl_phys_notdirty(target_phys_addr_t addr, uint32_t val)
3683 {
3684     int io_index;
3685     uint8_t *ptr;
3686     unsigned long pd;
3687     PhysPageDesc *p;
3688 
3689     p = phys_page_find(addr >> TARGET_PAGE_BITS);
3690     if (!p) {
3691         pd = IO_MEM_UNASSIGNED;
3692     } else {
3693         pd = p->phys_offset;
3694     }
3695 
3696     if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3697         io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3698         if (p)
3699             addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3700         io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3701     } else {
3702         unsigned long addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3703         ptr = qemu_get_ram_ptr(addr1);
3704         stl_p(ptr, val);
3705 
3706         if (unlikely(in_migration)) {
3707             if (!cpu_physical_memory_is_dirty(addr1)) {
3708                 /* invalidate code */
3709                 tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
3710                 /* set dirty bit */
3711                 cpu_physical_memory_set_dirty_flags(
3712                     addr1, (0xff & ~CODE_DIRTY_FLAG));
3713             }
3714         }
3715     }
3716 }
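
/* Hypothetical usage sketch: the kind of page-table update the comment above
 * has in mind.  The helper name and the 0x20 "accessed" bit are invented
 * stand-ins for a target MMU's real definitions. */
#if 0   /* example only, not compiled */
static void example_set_pte_accessed(target_phys_addr_t pte_addr)
{
    uint32_t pte = ldl_phys(pte_addr);

    /* Rewrite the PTE without setting the page's dirty flag, so the dirty
       bitmap can still be used to notice when the guest itself modifies
       the page table. */
    stl_phys_notdirty(pte_addr, pte | 0x20);
}
#endif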
3717 
3718 void stq_phys_notdirty(target_phys_addr_t addr, uint64_t val)
3719 {
3720     int io_index;
3721     uint8_t *ptr;
3722     unsigned long pd;
3723     PhysPageDesc *p;
3724 
3725     p = phys_page_find(addr >> TARGET_PAGE_BITS);
3726     if (!p) {
3727         pd = IO_MEM_UNASSIGNED;
3728     } else {
3729         pd = p->phys_offset;
3730     }
3731 
3732     if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3733         io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3734         if (p)
3735             addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3736 #ifdef TARGET_WORDS_BIGENDIAN
3737         io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val >> 32);
3738         io_mem_write[io_index][2](io_mem_opaque[io_index], addr + 4, val);
3739 #else
3740         io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3741         io_mem_write[io_index][2](io_mem_opaque[io_index], addr + 4, val >> 32);
3742 #endif
3743     } else {
3744         ptr = qemu_get_ram_ptr(pd & TARGET_PAGE_MASK) +
3745             (addr & ~TARGET_PAGE_MASK);
3746         stq_p(ptr, val);
3747     }
3748 }
3749 
3750 /* warning: addr must be aligned */
3751 void stl_phys(target_phys_addr_t addr, uint32_t val)
3752 {
3753     int io_index;
3754     uint8_t *ptr;
3755     unsigned long pd;
3756     PhysPageDesc *p;
3757 
3758     p = phys_page_find(addr >> TARGET_PAGE_BITS);
3759     if (!p) {
3760         pd = IO_MEM_UNASSIGNED;
3761     } else {
3762         pd = p->phys_offset;
3763     }
3764 
3765     if ((pd & ~TARGET_PAGE_MASK) != IO_MEM_RAM) {
3766         io_index = (pd >> IO_MEM_SHIFT) & (IO_MEM_NB_ENTRIES - 1);
3767         if (p)
3768             addr = (addr & ~TARGET_PAGE_MASK) + p->region_offset;
3769         io_mem_write[io_index][2](io_mem_opaque[io_index], addr, val);
3770     } else {
3771         unsigned long addr1;
3772         addr1 = (pd & TARGET_PAGE_MASK) + (addr & ~TARGET_PAGE_MASK);
3773         /* RAM case */
3774         ptr = qemu_get_ram_ptr(addr1);
3775         stl_p(ptr, val);
3776         if (!cpu_physical_memory_is_dirty(addr1)) {
3777             /* invalidate code */
3778             tb_invalidate_phys_page_range(addr1, addr1 + 4, 0);
3779             /* set dirty bit */
3780             cpu_physical_memory_set_dirty_flags(addr1,
3781                 (0xff & ~CODE_DIRTY_FLAG));
3782         }
3783     }
3784 }
3785 
3786 /* XXX: optimize */
3787 void stb_phys(target_phys_addr_t addr, uint32_t val)
3788 {
3789     uint8_t v = val;
3790     cpu_physical_memory_write(addr, &v, 1);
3791 }
3792 
3793 /* XXX: optimize */
3794 void stw_phys(target_phys_addr_t addr, uint32_t val)
3795 {
3796     uint16_t v = tswap16(val);
3797     cpu_physical_memory_write(addr, (const uint8_t *)&v, 2);
3798 }
3799 
3800 /* XXX: optimize */
3801 void stq_phys(target_phys_addr_t addr, uint64_t val)
3802 {
3803     val = tswap64(val);
3804     cpu_physical_memory_write(addr, (const uint8_t *)&val, 8);
3805 }
3806 
3807 #endif
3808 
3809 /* virtual memory access for debug (includes writing to ROM) */
3810 int cpu_memory_rw_debug(CPUState *env, target_ulong addr,
3811                         uint8_t *buf, int len, int is_write)
3812 {
3813     int l;
3814     target_phys_addr_t phys_addr;
3815     target_ulong page;
3816 
3817     while (len > 0) {
3818         page = addr & TARGET_PAGE_MASK;
3819         phys_addr = cpu_get_phys_page_debug(env, page);
3820         /* if no physical page mapped, return an error */
3821         if (phys_addr == -1)
3822             return -1;
3823         l = (page + TARGET_PAGE_SIZE) - addr;
3824         if (l > len)
3825             l = len;
3826         phys_addr += (addr & ~TARGET_PAGE_MASK);
3827 #if !defined(CONFIG_USER_ONLY)
3828         if (is_write)
3829             cpu_physical_memory_write_rom(phys_addr, buf, l);
3830         else
3831 #endif
3832             cpu_physical_memory_rw(phys_addr, buf, l, is_write);
3833         len -= l;
3834         buf += l;
3835         addr += l;
3836     }
3837     return 0;
3838 }
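
/* Hypothetical usage sketch: how a debugger front end (e.g. a gdb stub)
 * might read guest virtual memory through cpu_memory_rw_debug() above.
 * example_peek_code is invented for illustration. */
#if 0   /* example only, not compiled */
static int example_peek_code(CPUState *env, target_ulong pc, uint8_t *buf)
{
    /* is_write == 0: read 16 bytes at guest virtual address pc; returns -1
       if any page in the range has no physical mapping. */
    return cpu_memory_rw_debug(env, pc, buf, 16, 0);
}
#endif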
3839 
3840 /* in deterministic execution mode, instructions doing device I/Os
3841    must be at the end of the TB */
3842 void cpu_io_recompile(CPUState *env, void *retaddr)
3843 {
3844     TranslationBlock *tb;
3845     uint32_t n, cflags;
3846     target_ulong pc, cs_base;
3847     uint64_t flags;
3848 
3849     tb = tb_find_pc((unsigned long)retaddr);
3850     if (!tb) {
3851         cpu_abort(env, "cpu_io_recompile: could not find TB for pc=%p",
3852                   retaddr);
3853     }
3854     n = env->icount_decr.u16.low + tb->icount;
3855     cpu_restore_state(tb, env, (unsigned long)retaddr);
3856     /* Calculate how many instructions had been executed before the fault
3857        occurred.  */
3858     n = n - env->icount_decr.u16.low;
3859     /* Generate a new TB ending on the I/O insn.  */
3860     n++;
3861     /* On MIPS and SH, delay slot instructions can only be restarted if
3862        they were already the first instruction in the TB.  If this is not
3863        the first instruction in a TB then re-execute the preceding
3864        branch.  */
3865 #if defined(TARGET_MIPS)
3866     if ((env->hflags & MIPS_HFLAG_BMASK) != 0 && n > 1) {
3867         env->active_tc.PC -= 4;
3868         env->icount_decr.u16.low++;
3869         env->hflags &= ~MIPS_HFLAG_BMASK;
3870     }
3871 #elif defined(TARGET_SH4)
3872     if ((env->flags & ((DELAY_SLOT | DELAY_SLOT_CONDITIONAL))) != 0
3873             && n > 1) {
3874         env->pc -= 2;
3875         env->icount_decr.u16.low++;
3876         env->flags &= ~(DELAY_SLOT | DELAY_SLOT_CONDITIONAL);
3877     }
3878 #endif
3879     /* This should never happen.  */
3880     if (n > CF_COUNT_MASK)
3881         cpu_abort(env, "TB too big during recompile");
3882 
3883     cflags = n | CF_LAST_IO;
3884     pc = tb->pc;
3885     cs_base = tb->cs_base;
3886     flags = tb->flags;
3887     tb_phys_invalidate(tb, -1);
3888     /* FIXME: In theory this could raise an exception.  In practice
3889        we have already translated the block once so it's probably ok.  */
3890     tb_gen_code(env, pc, cs_base, flags, cflags);
3891     /* TODO: If env->pc != tb->pc (i.e. the faulting instruction was not
3892        the first in the TB) then we end up generating a whole new TB and
3893        repeating the fault, which is horribly inefficient.
3894        Better would be to execute just this insn uncached, or generate a
3895        second new TB.  */
3896     cpu_resume_from_signal(env, NULL);
3897 }
3898 
3899 #if !defined(CONFIG_USER_ONLY)
3900 
3901 void dump_exec_info(FILE *f, fprintf_function cpu_fprintf)
3902 {
3903     int i, target_code_size, max_target_code_size;
3904     int direct_jmp_count, direct_jmp2_count, cross_page;
3905     TranslationBlock *tb;
3906 
3907     target_code_size = 0;
3908     max_target_code_size = 0;
3909     cross_page = 0;
3910     direct_jmp_count = 0;
3911     direct_jmp2_count = 0;
3912     for(i = 0; i < nb_tbs; i++) {
3913         tb = &tbs[i];
3914         target_code_size += tb->size;
3915         if (tb->size > max_target_code_size)
3916             max_target_code_size = tb->size;
3917         if (tb->page_addr[1] != -1)
3918             cross_page++;
3919         if (tb->tb_next_offset[0] != 0xffff) {
3920             direct_jmp_count++;
3921             if (tb->tb_next_offset[1] != 0xffff) {
3922                 direct_jmp2_count++;
3923             }
3924         }
3925     }
3926     /* XXX: avoid using doubles ? */
3927     cpu_fprintf(f, "Translation buffer state:\n");
3928     cpu_fprintf(f, "gen code size       %td/%ld\n",
3929                 code_gen_ptr - code_gen_buffer, code_gen_buffer_max_size);
3930     cpu_fprintf(f, "TB count            %d/%d\n",
3931                 nb_tbs, code_gen_max_blocks);
3932     cpu_fprintf(f, "TB avg target size  %d max=%d bytes\n",
3933                 nb_tbs ? target_code_size / nb_tbs : 0,
3934                 max_target_code_size);
3935     cpu_fprintf(f, "TB avg host size    %td bytes (expansion ratio: %0.1f)\n",
3936                 nb_tbs ? (code_gen_ptr - code_gen_buffer) / nb_tbs : 0,
3937                 target_code_size ? (double) (code_gen_ptr - code_gen_buffer) / target_code_size : 0);
3938     cpu_fprintf(f, "cross page TB count %d (%d%%)\n",
3939             cross_page,
3940             nb_tbs ? (cross_page * 100) / nb_tbs : 0);
3941     cpu_fprintf(f, "direct jump count   %d (%d%%) (2 jumps=%d %d%%)\n",
3942                 direct_jmp_count,
3943                 nb_tbs ? (direct_jmp_count * 100) / nb_tbs : 0,
3944                 direct_jmp2_count,
3945                 nb_tbs ? (direct_jmp2_count * 100) / nb_tbs : 0);
3946     cpu_fprintf(f, "\nStatistics:\n");
3947     cpu_fprintf(f, "TB flush count      %d\n", tb_flush_count);
3948     cpu_fprintf(f, "TB invalidate count %d\n", tb_phys_invalidate_count);
3949     cpu_fprintf(f, "TLB flush count     %d\n", tlb_flush_count);
3950     tcg_dump_info(f, cpu_fprintf);
3951 }
3952 
3953 #define MMUSUFFIX _cmmu
3954 #define GETPC() NULL
3955 #define env cpu_single_env
3956 #define SOFTMMU_CODE_ACCESS
3957 
3958 #define SHIFT 0
3959 #include "softmmu_template.h"
3960 
3961 #define SHIFT 1
3962 #include "softmmu_template.h"
3963 
3964 #define SHIFT 2
3965 #include "softmmu_template.h"
3966 
3967 #define SHIFT 3
3968 #include "softmmu_template.h"
3969 
3970 #undef env
3971 
3972 #endif
3973