/*
 * Common CPU TLB handling
 *
 * Copyright (c) 2003 Fabrice Bellard
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 */

#include "qemu/osdep.h"
#include "qemu/main-loop.h"
#include "hw/core/tcg-cpu-ops.h"
#include "exec/exec-all.h"
#include "exec/page-protection.h"
#include "exec/memory.h"
#include "exec/cpu_ldst.h"
#include "exec/cputlb.h"
#include "exec/tb-flush.h"
#include "exec/memory-internal.h"
#include "exec/ram_addr.h"
#include "exec/mmu-access-type.h"
#include "exec/tlb-common.h"
#include "exec/vaddr.h"
#include "tcg/tcg.h"
#include "qemu/error-report.h"
#include "exec/log.h"
#include "exec/helper-proto-common.h"
#include "qemu/atomic.h"
#include "qemu/atomic128.h"
#include "tb-internal.h"
#include "trace.h"
#include "tb-hash.h"
#include "internal-common.h"
#include "internal-target.h"
#ifdef CONFIG_PLUGIN
#include "qemu/plugin-memory.h"
#endif
#include "tcg/tcg-ldst.h"
#include "tcg/oversized-guest.h"

/* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
/* #define DEBUG_TLB */
/* #define DEBUG_TLB_LOG */

#ifdef DEBUG_TLB
# define DEBUG_TLB_GATE 1
# ifdef DEBUG_TLB_LOG
#  define DEBUG_TLB_LOG_GATE 1
# else
#  define DEBUG_TLB_LOG_GATE 0
# endif
#else
# define DEBUG_TLB_GATE 0
# define DEBUG_TLB_LOG_GATE 0
#endif

#define tlb_debug(fmt, ...) do { \
    if (DEBUG_TLB_LOG_GATE) { \
        qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
                      ## __VA_ARGS__); \
    } else if (DEBUG_TLB_GATE) { \
        fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
    } \
} while (0)

#define assert_cpu_is_self(cpu) do {                              \
        if (DEBUG_TLB_GATE) {                                     \
            g_assert(!(cpu)->created || qemu_cpu_is_self(cpu));   \
        }                                                         \
    } while (0)

/* run_on_cpu_data.target_ptr should always be big enough for a
 * vaddr even on 32 bit builds
 */
QEMU_BUILD_BUG_ON(sizeof(vaddr) > sizeof(run_on_cpu_data));

/* We currently can't handle more than 16 bits in the MMUIDX bitmask.
 */
QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
#define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)

static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
{
    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
}

static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
{
    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
}

static inline uint64_t tlb_read_idx(const CPUTLBEntry *entry,
                                    MMUAccessType access_type)
{
    /* Do not rearrange the CPUTLBEntry structure members.
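     * tlb_read_idx() indexes entry->addr_idx[] directly by MMUAccessType,
     * so the QEMU_BUILD_BUG_ON checks below pin addr_read, addr_write and
     * addr_code to the MMU_DATA_LOAD, MMU_DATA_STORE and MMU_INST_FETCH
     * slots respectively.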
*/ 107 QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) != 108 MMU_DATA_LOAD * sizeof(uint64_t)); 109 QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) != 110 MMU_DATA_STORE * sizeof(uint64_t)); 111 QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) != 112 MMU_INST_FETCH * sizeof(uint64_t)); 113 114 #if TARGET_LONG_BITS == 32 115 /* Use qatomic_read, in case of addr_write; only care about low bits. */ 116 const uint32_t *ptr = (uint32_t *)&entry->addr_idx[access_type]; 117 ptr += HOST_BIG_ENDIAN; 118 return qatomic_read(ptr); 119 #else 120 const uint64_t *ptr = &entry->addr_idx[access_type]; 121 # if TCG_OVERSIZED_GUEST 122 return *ptr; 123 # else 124 /* ofs might correspond to .addr_write, so use qatomic_read */ 125 return qatomic_read(ptr); 126 # endif 127 #endif 128 } 129 130 static inline uint64_t tlb_addr_write(const CPUTLBEntry *entry) 131 { 132 return tlb_read_idx(entry, MMU_DATA_STORE); 133 } 134 135 /* Find the TLB index corresponding to the mmu_idx + address pair. */ 136 static inline uintptr_t tlb_index(CPUState *cpu, uintptr_t mmu_idx, 137 vaddr addr) 138 { 139 uintptr_t size_mask = cpu->neg.tlb.f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS; 140 141 return (addr >> TARGET_PAGE_BITS) & size_mask; 142 } 143 144 /* Find the TLB entry corresponding to the mmu_idx + address pair. */ 145 static inline CPUTLBEntry *tlb_entry(CPUState *cpu, uintptr_t mmu_idx, 146 vaddr addr) 147 { 148 return &cpu->neg.tlb.f[mmu_idx].table[tlb_index(cpu, mmu_idx, addr)]; 149 } 150 151 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns, 152 size_t max_entries) 153 { 154 desc->window_begin_ns = ns; 155 desc->window_max_entries = max_entries; 156 } 157 158 static void tb_jmp_cache_clear_page(CPUState *cpu, vaddr page_addr) 159 { 160 CPUJumpCache *jc = cpu->tb_jmp_cache; 161 int i, i0; 162 163 if (unlikely(!jc)) { 164 return; 165 } 166 167 i0 = tb_jmp_cache_hash_page(page_addr); 168 for (i = 0; i < TB_JMP_PAGE_SIZE; i++) { 169 qatomic_set(&jc->array[i0 + i].tb, NULL); 170 } 171 } 172 173 /** 174 * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary 175 * @desc: The CPUTLBDesc portion of the TLB 176 * @fast: The CPUTLBDescFast portion of the same TLB 177 * 178 * Called with tlb_lock_held. 179 * 180 * We have two main constraints when resizing a TLB: (1) we only resize it 181 * on a TLB flush (otherwise we'd have to take a perf hit by either rehashing 182 * the array or unnecessarily flushing it), which means we do not control how 183 * frequently the resizing can occur; (2) we don't have access to the guest's 184 * future scheduling decisions, and therefore have to decide the magnitude of 185 * the resize based on past observations. 186 * 187 * In general, a memory-hungry process can benefit greatly from an appropriately 188 * sized TLB, since a guest TLB miss is very expensive. This doesn't mean that 189 * we just have to make the TLB as large as possible; while an oversized TLB 190 * results in minimal TLB miss rates, it also takes longer to be flushed 191 * (flushes can be _very_ frequent), and the reduced locality can also hurt 192 * performance. 193 * 194 * To achieve near-optimal performance for all kinds of workloads, we: 195 * 196 * 1. Aggressively increase the size of the TLB when the use rate of the 197 * TLB being flushed is high, since it is likely that in the near future this 198 * memory-hungry process will execute again, and its memory hungriness will 199 * probably be similar. 200 * 201 * 2. 
Slowly reduce the size of the TLB as the use rate declines over a 202 * reasonably large time window. The rationale is that if in such a time window 203 * we have not observed a high TLB use rate, it is likely that we won't observe 204 * it in the near future. In that case, once a time window expires we downsize 205 * the TLB to match the maximum use rate observed in the window. 206 * 207 * 3. Try to keep the maximum use rate in a time window in the 30-70% range, 208 * since in that range performance is likely near-optimal. Recall that the TLB 209 * is direct mapped, so we want the use rate to be low (or at least not too 210 * high), since otherwise we are likely to have a significant amount of 211 * conflict misses. 212 */ 213 static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast, 214 int64_t now) 215 { 216 size_t old_size = tlb_n_entries(fast); 217 size_t rate; 218 size_t new_size = old_size; 219 int64_t window_len_ms = 100; 220 int64_t window_len_ns = window_len_ms * 1000 * 1000; 221 bool window_expired = now > desc->window_begin_ns + window_len_ns; 222 223 if (desc->n_used_entries > desc->window_max_entries) { 224 desc->window_max_entries = desc->n_used_entries; 225 } 226 rate = desc->window_max_entries * 100 / old_size; 227 228 if (rate > 70) { 229 new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS); 230 } else if (rate < 30 && window_expired) { 231 size_t ceil = pow2ceil(desc->window_max_entries); 232 size_t expected_rate = desc->window_max_entries * 100 / ceil; 233 234 /* 235 * Avoid undersizing when the max number of entries seen is just below 236 * a pow2. For instance, if max_entries == 1025, the expected use rate 237 * would be 1025/2048==50%. However, if max_entries == 1023, we'd get 238 * 1023/1024==99.9% use rate, so we'd likely end up doubling the size 239 * later. Thus, make sure that the expected use rate remains below 70%. 240 * (and since we double the size, that means the lowest rate we'd 241 * expect to get is 35%, which is still in the 30-70% range where 242 * we consider that the size is appropriate.) 243 */ 244 if (expected_rate > 70) { 245 ceil *= 2; 246 } 247 new_size = MAX(ceil, 1 << CPU_TLB_DYN_MIN_BITS); 248 } 249 250 if (new_size == old_size) { 251 if (window_expired) { 252 tlb_window_reset(desc, now, desc->n_used_entries); 253 } 254 return; 255 } 256 257 g_free(fast->table); 258 g_free(desc->fulltlb); 259 260 tlb_window_reset(desc, now, 0); 261 /* desc->n_used_entries is cleared by the caller */ 262 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS; 263 fast->table = g_try_new(CPUTLBEntry, new_size); 264 desc->fulltlb = g_try_new(CPUTLBEntryFull, new_size); 265 266 /* 267 * If the allocations fail, try smaller sizes. We just freed some 268 * memory, so going back to half of new_size has a good chance of working. 269 * Increased memory pressure elsewhere in the system might cause the 270 * allocations to fail though, so we progressively reduce the allocation 271 * size, aborting if we cannot even allocate the smallest TLB we support. 
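     * For example, if the allocation that failed was for 1 << 16 entries,
     * the loop below retries with 1 << 15, 1 << 14, ... down to
     * 1 << CPU_TLB_DYN_MIN_BITS, and only aborts if even that minimal
     * size cannot be allocated.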
272 */ 273 while (fast->table == NULL || desc->fulltlb == NULL) { 274 if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) { 275 error_report("%s: %s", __func__, strerror(errno)); 276 abort(); 277 } 278 new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS); 279 fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS; 280 281 g_free(fast->table); 282 g_free(desc->fulltlb); 283 fast->table = g_try_new(CPUTLBEntry, new_size); 284 desc->fulltlb = g_try_new(CPUTLBEntryFull, new_size); 285 } 286 } 287 288 static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast) 289 { 290 desc->n_used_entries = 0; 291 desc->large_page_addr = -1; 292 desc->large_page_mask = -1; 293 desc->vindex = 0; 294 memset(fast->table, -1, sizeof_tlb(fast)); 295 memset(desc->vtable, -1, sizeof(desc->vtable)); 296 } 297 298 static void tlb_flush_one_mmuidx_locked(CPUState *cpu, int mmu_idx, 299 int64_t now) 300 { 301 CPUTLBDesc *desc = &cpu->neg.tlb.d[mmu_idx]; 302 CPUTLBDescFast *fast = &cpu->neg.tlb.f[mmu_idx]; 303 304 tlb_mmu_resize_locked(desc, fast, now); 305 tlb_mmu_flush_locked(desc, fast); 306 } 307 308 static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now) 309 { 310 size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS; 311 312 tlb_window_reset(desc, now, 0); 313 desc->n_used_entries = 0; 314 fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS; 315 fast->table = g_new(CPUTLBEntry, n_entries); 316 desc->fulltlb = g_new(CPUTLBEntryFull, n_entries); 317 tlb_mmu_flush_locked(desc, fast); 318 } 319 320 static inline void tlb_n_used_entries_inc(CPUState *cpu, uintptr_t mmu_idx) 321 { 322 cpu->neg.tlb.d[mmu_idx].n_used_entries++; 323 } 324 325 static inline void tlb_n_used_entries_dec(CPUState *cpu, uintptr_t mmu_idx) 326 { 327 cpu->neg.tlb.d[mmu_idx].n_used_entries--; 328 } 329 330 void tlb_init(CPUState *cpu) 331 { 332 int64_t now = get_clock_realtime(); 333 int i; 334 335 qemu_spin_init(&cpu->neg.tlb.c.lock); 336 337 /* All tlbs are initialized flushed. */ 338 cpu->neg.tlb.c.dirty = 0; 339 340 for (i = 0; i < NB_MMU_MODES; i++) { 341 tlb_mmu_init(&cpu->neg.tlb.d[i], &cpu->neg.tlb.f[i], now); 342 } 343 } 344 345 void tlb_destroy(CPUState *cpu) 346 { 347 int i; 348 349 qemu_spin_destroy(&cpu->neg.tlb.c.lock); 350 for (i = 0; i < NB_MMU_MODES; i++) { 351 CPUTLBDesc *desc = &cpu->neg.tlb.d[i]; 352 CPUTLBDescFast *fast = &cpu->neg.tlb.f[i]; 353 354 g_free(fast->table); 355 g_free(desc->fulltlb); 356 } 357 } 358 359 /* flush_all_helper: run fn across all cpus 360 * 361 * If the wait flag is set then the src cpu's helper will be queued as 362 * "safe" work and the loop exited creating a synchronisation point 363 * where all queued work will be finished before execution starts 364 * again. 
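 * (Note: the current implementation takes no wait flag; callers that need a
 * synchronisation point additionally queue the source cpu's own flush with
 * async_safe_run_on_cpu, as tlb_flush_by_mmuidx_all_cpus_synced does below.)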
365 */ 366 static void flush_all_helper(CPUState *src, run_on_cpu_func fn, 367 run_on_cpu_data d) 368 { 369 CPUState *cpu; 370 371 CPU_FOREACH(cpu) { 372 if (cpu != src) { 373 async_run_on_cpu(cpu, fn, d); 374 } 375 } 376 } 377 378 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data) 379 { 380 uint16_t asked = data.host_int; 381 uint16_t all_dirty, work, to_clean; 382 int64_t now = get_clock_realtime(); 383 384 assert_cpu_is_self(cpu); 385 386 tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked); 387 388 qemu_spin_lock(&cpu->neg.tlb.c.lock); 389 390 all_dirty = cpu->neg.tlb.c.dirty; 391 to_clean = asked & all_dirty; 392 all_dirty &= ~to_clean; 393 cpu->neg.tlb.c.dirty = all_dirty; 394 395 for (work = to_clean; work != 0; work &= work - 1) { 396 int mmu_idx = ctz32(work); 397 tlb_flush_one_mmuidx_locked(cpu, mmu_idx, now); 398 } 399 400 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 401 402 tcg_flush_jmp_cache(cpu); 403 404 if (to_clean == ALL_MMUIDX_BITS) { 405 qatomic_set(&cpu->neg.tlb.c.full_flush_count, 406 cpu->neg.tlb.c.full_flush_count + 1); 407 } else { 408 qatomic_set(&cpu->neg.tlb.c.part_flush_count, 409 cpu->neg.tlb.c.part_flush_count + ctpop16(to_clean)); 410 if (to_clean != asked) { 411 qatomic_set(&cpu->neg.tlb.c.elide_flush_count, 412 cpu->neg.tlb.c.elide_flush_count + 413 ctpop16(asked & ~to_clean)); 414 } 415 } 416 } 417 418 void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap) 419 { 420 tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap); 421 422 assert_cpu_is_self(cpu); 423 424 tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap)); 425 } 426 427 void tlb_flush(CPUState *cpu) 428 { 429 tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS); 430 } 431 432 void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap) 433 { 434 const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work; 435 436 tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap); 437 438 flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 439 async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap)); 440 } 441 442 void tlb_flush_all_cpus_synced(CPUState *src_cpu) 443 { 444 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS); 445 } 446 447 static bool tlb_hit_page_mask_anyprot(CPUTLBEntry *tlb_entry, 448 vaddr page, vaddr mask) 449 { 450 page &= mask; 451 mask &= TARGET_PAGE_MASK | TLB_INVALID_MASK; 452 453 return (page == (tlb_entry->addr_read & mask) || 454 page == (tlb_addr_write(tlb_entry) & mask) || 455 page == (tlb_entry->addr_code & mask)); 456 } 457 458 static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry, vaddr page) 459 { 460 return tlb_hit_page_mask_anyprot(tlb_entry, page, -1); 461 } 462 463 /** 464 * tlb_entry_is_empty - return true if the entry is not in use 465 * @te: pointer to CPUTLBEntry 466 */ 467 static inline bool tlb_entry_is_empty(const CPUTLBEntry *te) 468 { 469 return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1; 470 } 471 472 /* Called with tlb_c.lock held */ 473 static bool tlb_flush_entry_mask_locked(CPUTLBEntry *tlb_entry, 474 vaddr page, 475 vaddr mask) 476 { 477 if (tlb_hit_page_mask_anyprot(tlb_entry, page, mask)) { 478 memset(tlb_entry, -1, sizeof(*tlb_entry)); 479 return true; 480 } 481 return false; 482 } 483 484 static inline bool tlb_flush_entry_locked(CPUTLBEntry *tlb_entry, vaddr page) 485 { 486 return tlb_flush_entry_mask_locked(tlb_entry, page, -1); 487 } 488 489 /* Called with tlb_c.lock held */ 490 static void tlb_flush_vtlb_page_mask_locked(CPUState *cpu, int mmu_idx, 491 vaddr page, 492 vaddr 
mask) 493 { 494 CPUTLBDesc *d = &cpu->neg.tlb.d[mmu_idx]; 495 int k; 496 497 assert_cpu_is_self(cpu); 498 for (k = 0; k < CPU_VTLB_SIZE; k++) { 499 if (tlb_flush_entry_mask_locked(&d->vtable[k], page, mask)) { 500 tlb_n_used_entries_dec(cpu, mmu_idx); 501 } 502 } 503 } 504 505 static inline void tlb_flush_vtlb_page_locked(CPUState *cpu, int mmu_idx, 506 vaddr page) 507 { 508 tlb_flush_vtlb_page_mask_locked(cpu, mmu_idx, page, -1); 509 } 510 511 static void tlb_flush_page_locked(CPUState *cpu, int midx, vaddr page) 512 { 513 vaddr lp_addr = cpu->neg.tlb.d[midx].large_page_addr; 514 vaddr lp_mask = cpu->neg.tlb.d[midx].large_page_mask; 515 516 /* Check if we need to flush due to large pages. */ 517 if ((page & lp_mask) == lp_addr) { 518 tlb_debug("forcing full flush midx %d (%016" 519 VADDR_PRIx "/%016" VADDR_PRIx ")\n", 520 midx, lp_addr, lp_mask); 521 tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime()); 522 } else { 523 if (tlb_flush_entry_locked(tlb_entry(cpu, midx, page), page)) { 524 tlb_n_used_entries_dec(cpu, midx); 525 } 526 tlb_flush_vtlb_page_locked(cpu, midx, page); 527 } 528 } 529 530 /** 531 * tlb_flush_page_by_mmuidx_async_0: 532 * @cpu: cpu on which to flush 533 * @addr: page of virtual address to flush 534 * @idxmap: set of mmu_idx to flush 535 * 536 * Helper for tlb_flush_page_by_mmuidx and friends, flush one page 537 * at @addr from the tlbs indicated by @idxmap from @cpu. 538 */ 539 static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu, 540 vaddr addr, 541 uint16_t idxmap) 542 { 543 int mmu_idx; 544 545 assert_cpu_is_self(cpu); 546 547 tlb_debug("page addr: %016" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap); 548 549 qemu_spin_lock(&cpu->neg.tlb.c.lock); 550 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 551 if ((idxmap >> mmu_idx) & 1) { 552 tlb_flush_page_locked(cpu, mmu_idx, addr); 553 } 554 } 555 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 556 557 /* 558 * Discard jump cache entries for any tb which might potentially 559 * overlap the flushed page, which includes the previous. 560 */ 561 tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE); 562 tb_jmp_cache_clear_page(cpu, addr); 563 } 564 565 /** 566 * tlb_flush_page_by_mmuidx_async_1: 567 * @cpu: cpu on which to flush 568 * @data: encoded addr + idxmap 569 * 570 * Helper for tlb_flush_page_by_mmuidx and friends, called through 571 * async_run_on_cpu. The idxmap parameter is encoded in the page 572 * offset of the target_ptr field. This limits the set of mmu_idx 573 * that can be passed via this method. 574 */ 575 static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu, 576 run_on_cpu_data data) 577 { 578 vaddr addr_and_idxmap = data.target_ptr; 579 vaddr addr = addr_and_idxmap & TARGET_PAGE_MASK; 580 uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK; 581 582 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap); 583 } 584 585 typedef struct { 586 vaddr addr; 587 uint16_t idxmap; 588 } TLBFlushPageByMMUIdxData; 589 590 /** 591 * tlb_flush_page_by_mmuidx_async_2: 592 * @cpu: cpu on which to flush 593 * @data: allocated addr + idxmap 594 * 595 * Helper for tlb_flush_page_by_mmuidx and friends, called through 596 * async_run_on_cpu. The addr+idxmap parameters are stored in a 597 * TLBFlushPageByMMUIdxData structure that has been allocated 598 * specifically for this helper. Free the structure when done. 
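 * This variant is used when the idxmap cannot be encoded in the page offset
 * of a target_ptr, i.e. when idxmap >= TARGET_PAGE_SIZE; see
 * tlb_flush_page_by_mmuidx_all_cpus_synced.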
599 */ 600 static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu, 601 run_on_cpu_data data) 602 { 603 TLBFlushPageByMMUIdxData *d = data.host_ptr; 604 605 tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap); 606 g_free(d); 607 } 608 609 void tlb_flush_page_by_mmuidx(CPUState *cpu, vaddr addr, uint16_t idxmap) 610 { 611 tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap); 612 613 assert_cpu_is_self(cpu); 614 615 /* This should already be page aligned */ 616 addr &= TARGET_PAGE_MASK; 617 618 tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap); 619 } 620 621 void tlb_flush_page(CPUState *cpu, vaddr addr) 622 { 623 tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS); 624 } 625 626 void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 627 vaddr addr, 628 uint16_t idxmap) 629 { 630 tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap); 631 632 /* This should already be page aligned */ 633 addr &= TARGET_PAGE_MASK; 634 635 /* 636 * Allocate memory to hold addr+idxmap only when needed. 637 * See tlb_flush_page_by_mmuidx for details. 638 */ 639 if (idxmap < TARGET_PAGE_SIZE) { 640 flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1, 641 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 642 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1, 643 RUN_ON_CPU_TARGET_PTR(addr | idxmap)); 644 } else { 645 CPUState *dst_cpu; 646 TLBFlushPageByMMUIdxData *d; 647 648 /* Allocate a separate data block for each destination cpu. */ 649 CPU_FOREACH(dst_cpu) { 650 if (dst_cpu != src_cpu) { 651 d = g_new(TLBFlushPageByMMUIdxData, 1); 652 d->addr = addr; 653 d->idxmap = idxmap; 654 async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2, 655 RUN_ON_CPU_HOST_PTR(d)); 656 } 657 } 658 659 d = g_new(TLBFlushPageByMMUIdxData, 1); 660 d->addr = addr; 661 d->idxmap = idxmap; 662 async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2, 663 RUN_ON_CPU_HOST_PTR(d)); 664 } 665 } 666 667 void tlb_flush_page_all_cpus_synced(CPUState *src, vaddr addr) 668 { 669 tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS); 670 } 671 672 static void tlb_flush_range_locked(CPUState *cpu, int midx, 673 vaddr addr, vaddr len, 674 unsigned bits) 675 { 676 CPUTLBDesc *d = &cpu->neg.tlb.d[midx]; 677 CPUTLBDescFast *f = &cpu->neg.tlb.f[midx]; 678 vaddr mask = MAKE_64BIT_MASK(0, bits); 679 680 /* 681 * If @bits is smaller than the tlb size, there may be multiple entries 682 * within the TLB; otherwise all addresses that match under @mask hit 683 * the same TLB entry. 684 * TODO: Perhaps allow bits to be a few bits less than the size. 685 * For now, just flush the entire TLB. 686 * 687 * If @len is larger than the tlb size, then it will take longer to 688 * test all of the entries in the TLB than it will to flush it all. 689 */ 690 if (mask < f->mask || len > f->mask) { 691 tlb_debug("forcing full flush midx %d (" 692 "%016" VADDR_PRIx "/%016" VADDR_PRIx "+%016" VADDR_PRIx ")\n", 693 midx, addr, mask, len); 694 tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime()); 695 return; 696 } 697 698 /* 699 * Check if we need to flush due to large pages. 700 * Because large_page_mask contains all 1's from the msb, 701 * we only need to test the end of the range. 
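     * For example, if a 2MB large page has been recorded, large_page_mask is
     * ~0x1fffff and the check below fires whenever the last byte of the
     * range falls inside that 2MB window.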
702 */ 703 if (((addr + len - 1) & d->large_page_mask) == d->large_page_addr) { 704 tlb_debug("forcing full flush midx %d (" 705 "%016" VADDR_PRIx "/%016" VADDR_PRIx ")\n", 706 midx, d->large_page_addr, d->large_page_mask); 707 tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime()); 708 return; 709 } 710 711 for (vaddr i = 0; i < len; i += TARGET_PAGE_SIZE) { 712 vaddr page = addr + i; 713 CPUTLBEntry *entry = tlb_entry(cpu, midx, page); 714 715 if (tlb_flush_entry_mask_locked(entry, page, mask)) { 716 tlb_n_used_entries_dec(cpu, midx); 717 } 718 tlb_flush_vtlb_page_mask_locked(cpu, midx, page, mask); 719 } 720 } 721 722 typedef struct { 723 vaddr addr; 724 vaddr len; 725 uint16_t idxmap; 726 uint16_t bits; 727 } TLBFlushRangeData; 728 729 static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu, 730 TLBFlushRangeData d) 731 { 732 int mmu_idx; 733 734 assert_cpu_is_self(cpu); 735 736 tlb_debug("range: %016" VADDR_PRIx "/%u+%016" VADDR_PRIx " mmu_map:0x%x\n", 737 d.addr, d.bits, d.len, d.idxmap); 738 739 qemu_spin_lock(&cpu->neg.tlb.c.lock); 740 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 741 if ((d.idxmap >> mmu_idx) & 1) { 742 tlb_flush_range_locked(cpu, mmu_idx, d.addr, d.len, d.bits); 743 } 744 } 745 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 746 747 /* 748 * If the length is larger than the jump cache size, then it will take 749 * longer to clear each entry individually than it will to clear it all. 750 */ 751 if (d.len >= (TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE)) { 752 tcg_flush_jmp_cache(cpu); 753 return; 754 } 755 756 /* 757 * Discard jump cache entries for any tb which might potentially 758 * overlap the flushed pages, which includes the previous. 759 */ 760 d.addr -= TARGET_PAGE_SIZE; 761 for (vaddr i = 0, n = d.len / TARGET_PAGE_SIZE + 1; i < n; i++) { 762 tb_jmp_cache_clear_page(cpu, d.addr); 763 d.addr += TARGET_PAGE_SIZE; 764 } 765 } 766 767 static void tlb_flush_range_by_mmuidx_async_1(CPUState *cpu, 768 run_on_cpu_data data) 769 { 770 TLBFlushRangeData *d = data.host_ptr; 771 tlb_flush_range_by_mmuidx_async_0(cpu, *d); 772 g_free(d); 773 } 774 775 void tlb_flush_range_by_mmuidx(CPUState *cpu, vaddr addr, 776 vaddr len, uint16_t idxmap, 777 unsigned bits) 778 { 779 TLBFlushRangeData d; 780 781 assert_cpu_is_self(cpu); 782 783 /* 784 * If all bits are significant, and len is small, 785 * this devolves to tlb_flush_page. 786 */ 787 if (bits >= TARGET_LONG_BITS && len <= TARGET_PAGE_SIZE) { 788 tlb_flush_page_by_mmuidx(cpu, addr, idxmap); 789 return; 790 } 791 /* If no page bits are significant, this devolves to tlb_flush. */ 792 if (bits < TARGET_PAGE_BITS) { 793 tlb_flush_by_mmuidx(cpu, idxmap); 794 return; 795 } 796 797 /* This should already be page aligned */ 798 d.addr = addr & TARGET_PAGE_MASK; 799 d.len = len; 800 d.idxmap = idxmap; 801 d.bits = bits; 802 803 tlb_flush_range_by_mmuidx_async_0(cpu, d); 804 } 805 806 void tlb_flush_page_bits_by_mmuidx(CPUState *cpu, vaddr addr, 807 uint16_t idxmap, unsigned bits) 808 { 809 tlb_flush_range_by_mmuidx(cpu, addr, TARGET_PAGE_SIZE, idxmap, bits); 810 } 811 812 void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 813 vaddr addr, 814 vaddr len, 815 uint16_t idxmap, 816 unsigned bits) 817 { 818 TLBFlushRangeData d, *p; 819 CPUState *dst_cpu; 820 821 /* 822 * If all bits are significant, and len is small, 823 * this devolves to tlb_flush_page. 
824 */ 825 if (bits >= TARGET_LONG_BITS && len <= TARGET_PAGE_SIZE) { 826 tlb_flush_page_by_mmuidx_all_cpus_synced(src_cpu, addr, idxmap); 827 return; 828 } 829 /* If no page bits are significant, this devolves to tlb_flush. */ 830 if (bits < TARGET_PAGE_BITS) { 831 tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, idxmap); 832 return; 833 } 834 835 /* This should already be page aligned */ 836 d.addr = addr & TARGET_PAGE_MASK; 837 d.len = len; 838 d.idxmap = idxmap; 839 d.bits = bits; 840 841 /* Allocate a separate data block for each destination cpu. */ 842 CPU_FOREACH(dst_cpu) { 843 if (dst_cpu != src_cpu) { 844 p = g_memdup(&d, sizeof(d)); 845 async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1, 846 RUN_ON_CPU_HOST_PTR(p)); 847 } 848 } 849 850 p = g_memdup(&d, sizeof(d)); 851 async_safe_run_on_cpu(src_cpu, tlb_flush_range_by_mmuidx_async_1, 852 RUN_ON_CPU_HOST_PTR(p)); 853 } 854 855 void tlb_flush_page_bits_by_mmuidx_all_cpus_synced(CPUState *src_cpu, 856 vaddr addr, 857 uint16_t idxmap, 858 unsigned bits) 859 { 860 tlb_flush_range_by_mmuidx_all_cpus_synced(src_cpu, addr, TARGET_PAGE_SIZE, 861 idxmap, bits); 862 } 863 864 /* update the TLBs so that writes to code in the virtual page 'addr' 865 can be detected */ 866 void tlb_protect_code(ram_addr_t ram_addr) 867 { 868 cpu_physical_memory_test_and_clear_dirty(ram_addr & TARGET_PAGE_MASK, 869 TARGET_PAGE_SIZE, 870 DIRTY_MEMORY_CODE); 871 } 872 873 /* update the TLB so that writes in physical page 'phys_addr' are no longer 874 tested for self modifying code */ 875 void tlb_unprotect_code(ram_addr_t ram_addr) 876 { 877 cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE); 878 } 879 880 881 /* 882 * Dirty write flag handling 883 * 884 * When the TCG code writes to a location it looks up the address in 885 * the TLB and uses that data to compute the final address. If any of 886 * the lower bits of the address are set then the slow path is forced. 887 * There are a number of reasons to do this but for normal RAM the 888 * most usual is detecting writes to code regions which may invalidate 889 * generated code. 890 * 891 * Other vCPUs might be reading their TLBs during guest execution, so we update 892 * te->addr_write with qatomic_set. We don't need to worry about this for 893 * oversized guests as MTTCG is disabled for them. 894 * 895 * Called with tlb_c.lock held. 896 */ 897 static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry, 898 uintptr_t start, uintptr_t length) 899 { 900 uintptr_t addr = tlb_entry->addr_write; 901 902 if ((addr & (TLB_INVALID_MASK | TLB_MMIO | 903 TLB_DISCARD_WRITE | TLB_NOTDIRTY)) == 0) { 904 addr &= TARGET_PAGE_MASK; 905 addr += tlb_entry->addend; 906 if ((addr - start) < length) { 907 #if TARGET_LONG_BITS == 32 908 uint32_t *ptr_write = (uint32_t *)&tlb_entry->addr_write; 909 ptr_write += HOST_BIG_ENDIAN; 910 qatomic_set(ptr_write, *ptr_write | TLB_NOTDIRTY); 911 #elif TCG_OVERSIZED_GUEST 912 tlb_entry->addr_write |= TLB_NOTDIRTY; 913 #else 914 qatomic_set(&tlb_entry->addr_write, 915 tlb_entry->addr_write | TLB_NOTDIRTY); 916 #endif 917 } 918 } 919 } 920 921 /* 922 * Called with tlb_c.lock held. 923 * Called only from the vCPU context, i.e. the TLB's owner thread. 924 */ 925 static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s) 926 { 927 *d = *s; 928 } 929 930 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of 931 * the target vCPU). 932 * We must take tlb_c.lock to avoid racing with another vCPU update. 
The only 933 * thing actually updated is the target TLB entry ->addr_write flags. 934 */ 935 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length) 936 { 937 int mmu_idx; 938 939 qemu_spin_lock(&cpu->neg.tlb.c.lock); 940 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 941 unsigned int i; 942 unsigned int n = tlb_n_entries(&cpu->neg.tlb.f[mmu_idx]); 943 944 for (i = 0; i < n; i++) { 945 tlb_reset_dirty_range_locked(&cpu->neg.tlb.f[mmu_idx].table[i], 946 start1, length); 947 } 948 949 for (i = 0; i < CPU_VTLB_SIZE; i++) { 950 tlb_reset_dirty_range_locked(&cpu->neg.tlb.d[mmu_idx].vtable[i], 951 start1, length); 952 } 953 } 954 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 955 } 956 957 /* Called with tlb_c.lock held */ 958 static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry, 959 vaddr addr) 960 { 961 if (tlb_entry->addr_write == (addr | TLB_NOTDIRTY)) { 962 tlb_entry->addr_write = addr; 963 } 964 } 965 966 /* update the TLB corresponding to virtual page vaddr 967 so that it is no longer dirty */ 968 static void tlb_set_dirty(CPUState *cpu, vaddr addr) 969 { 970 int mmu_idx; 971 972 assert_cpu_is_self(cpu); 973 974 addr &= TARGET_PAGE_MASK; 975 qemu_spin_lock(&cpu->neg.tlb.c.lock); 976 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 977 tlb_set_dirty1_locked(tlb_entry(cpu, mmu_idx, addr), addr); 978 } 979 980 for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) { 981 int k; 982 for (k = 0; k < CPU_VTLB_SIZE; k++) { 983 tlb_set_dirty1_locked(&cpu->neg.tlb.d[mmu_idx].vtable[k], addr); 984 } 985 } 986 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 987 } 988 989 /* Our TLB does not support large pages, so remember the area covered by 990 large pages and trigger a full TLB flush if these are invalidated. */ 991 static void tlb_add_large_page(CPUState *cpu, int mmu_idx, 992 vaddr addr, uint64_t size) 993 { 994 vaddr lp_addr = cpu->neg.tlb.d[mmu_idx].large_page_addr; 995 vaddr lp_mask = ~(size - 1); 996 997 if (lp_addr == (vaddr)-1) { 998 /* No previous large page. */ 999 lp_addr = addr; 1000 } else { 1001 /* Extend the existing region to include the new page. 1002 This is a compromise between unnecessary flushes and 1003 the cost of maintaining a full variable size TLB. */ 1004 lp_mask &= cpu->neg.tlb.d[mmu_idx].large_page_mask; 1005 while (((lp_addr ^ addr) & lp_mask) != 0) { 1006 lp_mask <<= 1; 1007 } 1008 } 1009 cpu->neg.tlb.d[mmu_idx].large_page_addr = lp_addr & lp_mask; 1010 cpu->neg.tlb.d[mmu_idx].large_page_mask = lp_mask; 1011 } 1012 1013 static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent, 1014 vaddr address, int flags, 1015 MMUAccessType access_type, bool enable) 1016 { 1017 if (enable) { 1018 address |= flags & TLB_FLAGS_MASK; 1019 flags &= TLB_SLOW_FLAGS_MASK; 1020 if (flags) { 1021 address |= TLB_FORCE_SLOW; 1022 } 1023 } else { 1024 address = -1; 1025 flags = 0; 1026 } 1027 ent->addr_idx[access_type] = address; 1028 full->slow_flags[access_type] = flags; 1029 } 1030 1031 /* 1032 * Add a new TLB entry. At most one entry for a given virtual address 1033 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the 1034 * supplied size is only used by tlb_flush_page. 1035 * 1036 * Called from TCG-generated code, which is under an RCU read-side 1037 * critical section. 
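 * The caller does not hold the TLB lock; tlb_set_page_full takes
 * tlb->c.lock itself for the duration of the update.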
1038 */ 1039 void tlb_set_page_full(CPUState *cpu, int mmu_idx, 1040 vaddr addr, CPUTLBEntryFull *full) 1041 { 1042 CPUTLB *tlb = &cpu->neg.tlb; 1043 CPUTLBDesc *desc = &tlb->d[mmu_idx]; 1044 MemoryRegionSection *section; 1045 unsigned int index, read_flags, write_flags; 1046 uintptr_t addend; 1047 CPUTLBEntry *te, tn; 1048 hwaddr iotlb, xlat, sz, paddr_page; 1049 vaddr addr_page; 1050 int asidx, wp_flags, prot; 1051 bool is_ram, is_romd; 1052 1053 assert_cpu_is_self(cpu); 1054 1055 if (full->lg_page_size <= TARGET_PAGE_BITS) { 1056 sz = TARGET_PAGE_SIZE; 1057 } else { 1058 sz = (hwaddr)1 << full->lg_page_size; 1059 tlb_add_large_page(cpu, mmu_idx, addr, sz); 1060 } 1061 addr_page = addr & TARGET_PAGE_MASK; 1062 paddr_page = full->phys_addr & TARGET_PAGE_MASK; 1063 1064 prot = full->prot; 1065 asidx = cpu_asidx_from_attrs(cpu, full->attrs); 1066 section = address_space_translate_for_iotlb(cpu, asidx, paddr_page, 1067 &xlat, &sz, full->attrs, &prot); 1068 assert(sz >= TARGET_PAGE_SIZE); 1069 1070 tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx 1071 " prot=%x idx=%d\n", 1072 addr, full->phys_addr, prot, mmu_idx); 1073 1074 read_flags = full->tlb_fill_flags; 1075 if (full->lg_page_size < TARGET_PAGE_BITS) { 1076 /* Repeat the MMU check and TLB fill on every access. */ 1077 read_flags |= TLB_INVALID_MASK; 1078 } 1079 1080 is_ram = memory_region_is_ram(section->mr); 1081 is_romd = memory_region_is_romd(section->mr); 1082 1083 if (is_ram || is_romd) { 1084 /* RAM and ROMD both have associated host memory. */ 1085 addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat; 1086 } else { 1087 /* I/O does not; force the host address to NULL. */ 1088 addend = 0; 1089 } 1090 1091 write_flags = read_flags; 1092 if (is_ram) { 1093 iotlb = memory_region_get_ram_addr(section->mr) + xlat; 1094 assert(!(iotlb & ~TARGET_PAGE_MASK)); 1095 /* 1096 * Computing is_clean is expensive; avoid all that unless 1097 * the page is actually writable. 1098 */ 1099 if (prot & PAGE_WRITE) { 1100 if (section->readonly) { 1101 write_flags |= TLB_DISCARD_WRITE; 1102 } else if (cpu_physical_memory_is_clean(iotlb)) { 1103 write_flags |= TLB_NOTDIRTY; 1104 } 1105 } 1106 } else { 1107 /* I/O or ROMD */ 1108 iotlb = memory_region_section_get_iotlb(cpu, section) + xlat; 1109 /* 1110 * Writes to romd devices must go through MMIO to enable write. 1111 * Reads to romd devices go through the ram_ptr found above, 1112 * but of course reads to I/O must go through MMIO. 1113 */ 1114 write_flags |= TLB_MMIO; 1115 if (!is_romd) { 1116 read_flags = write_flags; 1117 } 1118 } 1119 1120 wp_flags = cpu_watchpoint_address_matches(cpu, addr_page, 1121 TARGET_PAGE_SIZE); 1122 1123 index = tlb_index(cpu, mmu_idx, addr_page); 1124 te = tlb_entry(cpu, mmu_idx, addr_page); 1125 1126 /* 1127 * Hold the TLB lock for the rest of the function. We could acquire/release 1128 * the lock several times in the function, but it is faster to amortize the 1129 * acquisition cost by acquiring it just once. Note that this leads to 1130 * a longer critical section, but this is not a concern since the TLB lock 1131 * is unlikely to be contended. 1132 */ 1133 qemu_spin_lock(&tlb->c.lock); 1134 1135 /* Note that the tlb is no longer clean. */ 1136 tlb->c.dirty |= 1 << mmu_idx; 1137 1138 /* Make sure there's no cached translation for the new page. */ 1139 tlb_flush_vtlb_page_locked(cpu, mmu_idx, addr_page); 1140 1141 /* 1142 * Only evict the old entry to the victim tlb if it's for a 1143 * different page; otherwise just overwrite the stale data. 
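     * The victim TLB is a small CPU_VTLB_SIZE-entry buffer filled round-robin
     * through desc->vindex; victim_tlb_hit() consults it on a main-TLB miss
     * before resorting to tlb_fill_align.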
1144 */ 1145 if (!tlb_hit_page_anyprot(te, addr_page) && !tlb_entry_is_empty(te)) { 1146 unsigned vidx = desc->vindex++ % CPU_VTLB_SIZE; 1147 CPUTLBEntry *tv = &desc->vtable[vidx]; 1148 1149 /* Evict the old entry into the victim tlb. */ 1150 copy_tlb_helper_locked(tv, te); 1151 desc->vfulltlb[vidx] = desc->fulltlb[index]; 1152 tlb_n_used_entries_dec(cpu, mmu_idx); 1153 } 1154 1155 /* refill the tlb */ 1156 /* 1157 * When memory region is ram, iotlb contains a TARGET_PAGE_BITS 1158 * aligned ram_addr_t of the page base of the target RAM. 1159 * Otherwise, iotlb contains 1160 * - a physical section number in the lower TARGET_PAGE_BITS 1161 * - the offset within section->mr of the page base (I/O, ROMD) with the 1162 * TARGET_PAGE_BITS masked off. 1163 * We subtract addr_page (which is page aligned and thus won't 1164 * disturb the low bits) to give an offset which can be added to the 1165 * (non-page-aligned) vaddr of the eventual memory access to get 1166 * the MemoryRegion offset for the access. Note that the vaddr we 1167 * subtract here is that of the page base, and not the same as the 1168 * vaddr we add back in io_prepare()/get_page_addr_code(). 1169 */ 1170 desc->fulltlb[index] = *full; 1171 full = &desc->fulltlb[index]; 1172 full->xlat_section = iotlb - addr_page; 1173 full->phys_addr = paddr_page; 1174 1175 /* Now calculate the new entry */ 1176 tn.addend = addend - addr_page; 1177 1178 tlb_set_compare(full, &tn, addr_page, read_flags, 1179 MMU_INST_FETCH, prot & PAGE_EXEC); 1180 1181 if (wp_flags & BP_MEM_READ) { 1182 read_flags |= TLB_WATCHPOINT; 1183 } 1184 tlb_set_compare(full, &tn, addr_page, read_flags, 1185 MMU_DATA_LOAD, prot & PAGE_READ); 1186 1187 if (prot & PAGE_WRITE_INV) { 1188 write_flags |= TLB_INVALID_MASK; 1189 } 1190 if (wp_flags & BP_MEM_WRITE) { 1191 write_flags |= TLB_WATCHPOINT; 1192 } 1193 tlb_set_compare(full, &tn, addr_page, write_flags, 1194 MMU_DATA_STORE, prot & PAGE_WRITE); 1195 1196 copy_tlb_helper_locked(te, &tn); 1197 tlb_n_used_entries_inc(cpu, mmu_idx); 1198 qemu_spin_unlock(&tlb->c.lock); 1199 } 1200 1201 void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr, 1202 hwaddr paddr, MemTxAttrs attrs, int prot, 1203 int mmu_idx, uint64_t size) 1204 { 1205 CPUTLBEntryFull full = { 1206 .phys_addr = paddr, 1207 .attrs = attrs, 1208 .prot = prot, 1209 .lg_page_size = ctz64(size) 1210 }; 1211 1212 assert(is_power_of_2(size)); 1213 tlb_set_page_full(cpu, mmu_idx, addr, &full); 1214 } 1215 1216 void tlb_set_page(CPUState *cpu, vaddr addr, 1217 hwaddr paddr, int prot, 1218 int mmu_idx, uint64_t size) 1219 { 1220 tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED, 1221 prot, mmu_idx, size); 1222 } 1223 1224 /* 1225 * Note: tlb_fill_align() can trigger a resize of the TLB. 1226 * This means that all of the caller's prior references to the TLB table 1227 * (e.g. CPUTLBEntry pointers) must be discarded and looked up again 1228 * (e.g. via tlb_entry()). 1229 */ 1230 static bool tlb_fill_align(CPUState *cpu, vaddr addr, MMUAccessType type, 1231 int mmu_idx, MemOp memop, int size, 1232 bool probe, uintptr_t ra) 1233 { 1234 const TCGCPUOps *ops = cpu->cc->tcg_ops; 1235 CPUTLBEntryFull full; 1236 1237 if (ops->tlb_fill_align) { 1238 if (ops->tlb_fill_align(cpu, &full, addr, type, mmu_idx, 1239 memop, size, probe, ra)) { 1240 tlb_set_page_full(cpu, mmu_idx, addr, &full); 1241 return true; 1242 } 1243 } else { 1244 /* Legacy behaviour is alignment before paging. 
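         * i.e. when the target provides no tlb_fill_align hook, an unaligned
         * address reports the fault via do_unaligned_access before tlb_fill
         * is asked to translate the page.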
*/ 1245 if (addr & ((1u << memop_alignment_bits(memop)) - 1)) { 1246 ops->do_unaligned_access(cpu, addr, type, mmu_idx, ra); 1247 } 1248 if (ops->tlb_fill(cpu, addr, size, type, mmu_idx, probe, ra)) { 1249 return true; 1250 } 1251 } 1252 assert(probe); 1253 return false; 1254 } 1255 1256 static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr, 1257 MMUAccessType access_type, 1258 int mmu_idx, uintptr_t retaddr) 1259 { 1260 cpu->cc->tcg_ops->do_unaligned_access(cpu, addr, access_type, 1261 mmu_idx, retaddr); 1262 } 1263 1264 static MemoryRegionSection * 1265 io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat, 1266 MemTxAttrs attrs, vaddr addr, uintptr_t retaddr) 1267 { 1268 MemoryRegionSection *section; 1269 hwaddr mr_offset; 1270 1271 section = iotlb_to_section(cpu, xlat, attrs); 1272 mr_offset = (xlat & TARGET_PAGE_MASK) + addr; 1273 cpu->mem_io_pc = retaddr; 1274 if (!cpu->neg.can_do_io) { 1275 cpu_io_recompile(cpu, retaddr); 1276 } 1277 1278 *out_offset = mr_offset; 1279 return section; 1280 } 1281 1282 static void io_failed(CPUState *cpu, CPUTLBEntryFull *full, vaddr addr, 1283 unsigned size, MMUAccessType access_type, int mmu_idx, 1284 MemTxResult response, uintptr_t retaddr) 1285 { 1286 if (!cpu->ignore_memory_transaction_failures 1287 && cpu->cc->tcg_ops->do_transaction_failed) { 1288 hwaddr physaddr = full->phys_addr | (addr & ~TARGET_PAGE_MASK); 1289 1290 cpu->cc->tcg_ops->do_transaction_failed(cpu, physaddr, addr, size, 1291 access_type, mmu_idx, 1292 full->attrs, response, retaddr); 1293 } 1294 } 1295 1296 /* Return true if ADDR is present in the victim tlb, and has been copied 1297 back to the main tlb. */ 1298 static bool victim_tlb_hit(CPUState *cpu, size_t mmu_idx, size_t index, 1299 MMUAccessType access_type, vaddr page) 1300 { 1301 size_t vidx; 1302 1303 assert_cpu_is_self(cpu); 1304 for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) { 1305 CPUTLBEntry *vtlb = &cpu->neg.tlb.d[mmu_idx].vtable[vidx]; 1306 uint64_t cmp = tlb_read_idx(vtlb, access_type); 1307 1308 if (cmp == page) { 1309 /* Found entry in victim tlb, swap tlb and iotlb. */ 1310 CPUTLBEntry tmptlb, *tlb = &cpu->neg.tlb.f[mmu_idx].table[index]; 1311 1312 qemu_spin_lock(&cpu->neg.tlb.c.lock); 1313 copy_tlb_helper_locked(&tmptlb, tlb); 1314 copy_tlb_helper_locked(tlb, vtlb); 1315 copy_tlb_helper_locked(vtlb, &tmptlb); 1316 qemu_spin_unlock(&cpu->neg.tlb.c.lock); 1317 1318 CPUTLBEntryFull *f1 = &cpu->neg.tlb.d[mmu_idx].fulltlb[index]; 1319 CPUTLBEntryFull *f2 = &cpu->neg.tlb.d[mmu_idx].vfulltlb[vidx]; 1320 CPUTLBEntryFull tmpf; 1321 tmpf = *f1; *f1 = *f2; *f2 = tmpf; 1322 return true; 1323 } 1324 } 1325 return false; 1326 } 1327 1328 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size, 1329 CPUTLBEntryFull *full, uintptr_t retaddr) 1330 { 1331 ram_addr_t ram_addr = mem_vaddr + full->xlat_section; 1332 1333 trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size); 1334 1335 if (!cpu_physical_memory_get_dirty_flag(ram_addr, DIRTY_MEMORY_CODE)) { 1336 tb_invalidate_phys_range_fast(ram_addr, size, retaddr); 1337 } 1338 1339 /* 1340 * Set both VGA and migration bits for simplicity and to remove 1341 * the notdirty callback faster. 1342 */ 1343 cpu_physical_memory_set_dirty_range(ram_addr, size, DIRTY_CLIENTS_NOCODE); 1344 1345 /* We remove the notdirty callback only if the code has been flushed. 
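     * i.e. only once the page is no longer clean for any dirty-memory client
     * do we clear TLB_NOTDIRTY again (via tlb_set_dirty below), so that later
     * writes can take the fast path.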
*/ 1346 if (!cpu_physical_memory_is_clean(ram_addr)) { 1347 trace_memory_notdirty_set_dirty(mem_vaddr); 1348 tlb_set_dirty(cpu, mem_vaddr); 1349 } 1350 } 1351 1352 static int probe_access_internal(CPUState *cpu, vaddr addr, 1353 int fault_size, MMUAccessType access_type, 1354 int mmu_idx, bool nonfault, 1355 void **phost, CPUTLBEntryFull **pfull, 1356 uintptr_t retaddr, bool check_mem_cbs) 1357 { 1358 uintptr_t index = tlb_index(cpu, mmu_idx, addr); 1359 CPUTLBEntry *entry = tlb_entry(cpu, mmu_idx, addr); 1360 uint64_t tlb_addr = tlb_read_idx(entry, access_type); 1361 vaddr page_addr = addr & TARGET_PAGE_MASK; 1362 int flags = TLB_FLAGS_MASK & ~TLB_FORCE_SLOW; 1363 bool force_mmio = check_mem_cbs && cpu_plugin_mem_cbs_enabled(cpu); 1364 CPUTLBEntryFull *full; 1365 1366 if (!tlb_hit_page(tlb_addr, page_addr)) { 1367 if (!victim_tlb_hit(cpu, mmu_idx, index, access_type, page_addr)) { 1368 if (!tlb_fill_align(cpu, addr, access_type, mmu_idx, 1369 0, fault_size, nonfault, retaddr)) { 1370 /* Non-faulting page table read failed. */ 1371 *phost = NULL; 1372 *pfull = NULL; 1373 return TLB_INVALID_MASK; 1374 } 1375 1376 /* TLB resize via tlb_fill_align may have moved the entry. */ 1377 index = tlb_index(cpu, mmu_idx, addr); 1378 entry = tlb_entry(cpu, mmu_idx, addr); 1379 1380 /* 1381 * With PAGE_WRITE_INV, we set TLB_INVALID_MASK immediately, 1382 * to force the next access through tlb_fill_align. We've just 1383 * called tlb_fill_align, so we know that this entry *is* valid. 1384 */ 1385 flags &= ~TLB_INVALID_MASK; 1386 } 1387 tlb_addr = tlb_read_idx(entry, access_type); 1388 } 1389 flags &= tlb_addr; 1390 1391 *pfull = full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index]; 1392 flags |= full->slow_flags[access_type]; 1393 1394 /* Fold all "mmio-like" bits into TLB_MMIO. This is not RAM. */ 1395 if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY | TLB_CHECK_ALIGNED)) 1396 || (access_type != MMU_INST_FETCH && force_mmio)) { 1397 *phost = NULL; 1398 return TLB_MMIO; 1399 } 1400 1401 /* Everything else is RAM. */ 1402 *phost = (void *)((uintptr_t)addr + entry->addend); 1403 return flags; 1404 } 1405 1406 int probe_access_full(CPUArchState *env, vaddr addr, int size, 1407 MMUAccessType access_type, int mmu_idx, 1408 bool nonfault, void **phost, CPUTLBEntryFull **pfull, 1409 uintptr_t retaddr) 1410 { 1411 int flags = probe_access_internal(env_cpu(env), addr, size, access_type, 1412 mmu_idx, nonfault, phost, pfull, retaddr, 1413 true); 1414 1415 /* Handle clean RAM pages. */ 1416 if (unlikely(flags & TLB_NOTDIRTY)) { 1417 int dirtysize = size == 0 ? 1 : size; 1418 notdirty_write(env_cpu(env), addr, dirtysize, *pfull, retaddr); 1419 flags &= ~TLB_NOTDIRTY; 1420 } 1421 1422 return flags; 1423 } 1424 1425 int probe_access_full_mmu(CPUArchState *env, vaddr addr, int size, 1426 MMUAccessType access_type, int mmu_idx, 1427 void **phost, CPUTLBEntryFull **pfull) 1428 { 1429 void *discard_phost; 1430 CPUTLBEntryFull *discard_tlb; 1431 1432 /* privately handle users that don't need full results */ 1433 phost = phost ? phost : &discard_phost; 1434 pfull = pfull ? pfull : &discard_tlb; 1435 1436 int flags = probe_access_internal(env_cpu(env), addr, size, access_type, 1437 mmu_idx, true, phost, pfull, 0, false); 1438 1439 /* Handle clean RAM pages. */ 1440 if (unlikely(flags & TLB_NOTDIRTY)) { 1441 int dirtysize = size == 0 ? 
1 : size; 1442 notdirty_write(env_cpu(env), addr, dirtysize, *pfull, 0); 1443 flags &= ~TLB_NOTDIRTY; 1444 } 1445 1446 return flags; 1447 } 1448 1449 int probe_access_flags(CPUArchState *env, vaddr addr, int size, 1450 MMUAccessType access_type, int mmu_idx, 1451 bool nonfault, void **phost, uintptr_t retaddr) 1452 { 1453 CPUTLBEntryFull *full; 1454 int flags; 1455 1456 g_assert(-(addr | TARGET_PAGE_MASK) >= size); 1457 1458 flags = probe_access_internal(env_cpu(env), addr, size, access_type, 1459 mmu_idx, nonfault, phost, &full, retaddr, 1460 true); 1461 1462 /* Handle clean RAM pages. */ 1463 if (unlikely(flags & TLB_NOTDIRTY)) { 1464 int dirtysize = size == 0 ? 1 : size; 1465 notdirty_write(env_cpu(env), addr, dirtysize, full, retaddr); 1466 flags &= ~TLB_NOTDIRTY; 1467 } 1468 1469 return flags; 1470 } 1471 1472 void *probe_access(CPUArchState *env, vaddr addr, int size, 1473 MMUAccessType access_type, int mmu_idx, uintptr_t retaddr) 1474 { 1475 CPUTLBEntryFull *full; 1476 void *host; 1477 int flags; 1478 1479 g_assert(-(addr | TARGET_PAGE_MASK) >= size); 1480 1481 flags = probe_access_internal(env_cpu(env), addr, size, access_type, 1482 mmu_idx, false, &host, &full, retaddr, 1483 true); 1484 1485 /* Per the interface, size == 0 merely faults the access. */ 1486 if (size == 0) { 1487 return NULL; 1488 } 1489 1490 if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) { 1491 /* Handle watchpoints. */ 1492 if (flags & TLB_WATCHPOINT) { 1493 int wp_access = (access_type == MMU_DATA_STORE 1494 ? BP_MEM_WRITE : BP_MEM_READ); 1495 cpu_check_watchpoint(env_cpu(env), addr, size, 1496 full->attrs, wp_access, retaddr); 1497 } 1498 1499 /* Handle clean RAM pages. */ 1500 if (flags & TLB_NOTDIRTY) { 1501 notdirty_write(env_cpu(env), addr, size, full, retaddr); 1502 } 1503 } 1504 1505 return host; 1506 } 1507 1508 void *tlb_vaddr_to_host(CPUArchState *env, vaddr addr, 1509 MMUAccessType access_type, int mmu_idx) 1510 { 1511 CPUTLBEntryFull *full; 1512 void *host; 1513 int flags; 1514 1515 flags = probe_access_internal(env_cpu(env), addr, 0, access_type, 1516 mmu_idx, true, &host, &full, 0, false); 1517 1518 /* No combination of flags are expected by the caller. */ 1519 return flags ? NULL : host; 1520 } 1521 1522 /* 1523 * Return a ram_addr_t for the virtual address for execution. 1524 * 1525 * Return -1 if we can't translate and execute from an entire page 1526 * of RAM. This will force us to execute by loading and translating 1527 * one insn at a time, without caching. 1528 * 1529 * NOTE: This function will trigger an exception if the page is 1530 * not executable. 1531 */ 1532 tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr, 1533 void **hostp) 1534 { 1535 CPUTLBEntryFull *full; 1536 void *p; 1537 1538 (void)probe_access_internal(env_cpu(env), addr, 1, MMU_INST_FETCH, 1539 cpu_mmu_index(env_cpu(env), true), false, 1540 &p, &full, 0, false); 1541 if (p == NULL) { 1542 return -1; 1543 } 1544 1545 if (full->lg_page_size < TARGET_PAGE_BITS) { 1546 return -1; 1547 } 1548 1549 if (hostp) { 1550 *hostp = p; 1551 } 1552 return qemu_ram_addr_from_host_nofail(p); 1553 } 1554 1555 /* Load/store with atomicity primitives. */ 1556 #include "ldst_atomicity.c.inc" 1557 1558 #ifdef CONFIG_PLUGIN 1559 /* 1560 * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure. 1561 * This should be a hot path as we will have just looked this path up 1562 * in the softmmu lookup code (or helper). We don't handle re-fills or 1563 * checking the victim table. This is purely informational. 
1564 * 1565 * The one corner case is i/o write, which can cause changes to the 1566 * address space. Those changes, and the corresponding tlb flush, 1567 * should be delayed until the next TB, so even then this ought not fail. 1568 * But check, Just in Case. 1569 */ 1570 bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx, 1571 bool is_store, struct qemu_plugin_hwaddr *data) 1572 { 1573 CPUTLBEntry *tlbe = tlb_entry(cpu, mmu_idx, addr); 1574 uintptr_t index = tlb_index(cpu, mmu_idx, addr); 1575 MMUAccessType access_type = is_store ? MMU_DATA_STORE : MMU_DATA_LOAD; 1576 uint64_t tlb_addr = tlb_read_idx(tlbe, access_type); 1577 CPUTLBEntryFull *full; 1578 1579 if (unlikely(!tlb_hit(tlb_addr, addr))) { 1580 return false; 1581 } 1582 1583 full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index]; 1584 data->phys_addr = full->phys_addr | (addr & ~TARGET_PAGE_MASK); 1585 1586 /* We must have an iotlb entry for MMIO */ 1587 if (tlb_addr & TLB_MMIO) { 1588 MemoryRegionSection *section = 1589 iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK, 1590 full->attrs); 1591 data->is_io = true; 1592 data->mr = section->mr; 1593 } else { 1594 data->is_io = false; 1595 data->mr = NULL; 1596 } 1597 return true; 1598 } 1599 #endif 1600 1601 /* 1602 * Probe for a load/store operation. 1603 * Return the host address and into @flags. 1604 */ 1605 1606 typedef struct MMULookupPageData { 1607 CPUTLBEntryFull *full; 1608 void *haddr; 1609 vaddr addr; 1610 int flags; 1611 int size; 1612 } MMULookupPageData; 1613 1614 typedef struct MMULookupLocals { 1615 MMULookupPageData page[2]; 1616 MemOp memop; 1617 int mmu_idx; 1618 } MMULookupLocals; 1619 1620 /** 1621 * mmu_lookup1: translate one page 1622 * @cpu: generic cpu state 1623 * @data: lookup parameters 1624 * @memop: memory operation for the access, or 0 1625 * @mmu_idx: virtual address context 1626 * @access_type: load/store/code 1627 * @ra: return address into tcg generated code, or 0 1628 * 1629 * Resolve the translation for the one page at @data.addr, filling in 1630 * the rest of @data with the results. If the translation fails, 1631 * tlb_fill_align will longjmp out. Return true if the softmmu tlb for 1632 * @mmu_idx may have resized. 1633 */ 1634 static bool mmu_lookup1(CPUState *cpu, MMULookupPageData *data, MemOp memop, 1635 int mmu_idx, MMUAccessType access_type, uintptr_t ra) 1636 { 1637 vaddr addr = data->addr; 1638 uintptr_t index = tlb_index(cpu, mmu_idx, addr); 1639 CPUTLBEntry *entry = tlb_entry(cpu, mmu_idx, addr); 1640 uint64_t tlb_addr = tlb_read_idx(entry, access_type); 1641 bool maybe_resized = false; 1642 CPUTLBEntryFull *full; 1643 int flags; 1644 1645 /* If the TLB entry is for a different page, reload and try again. */ 1646 if (!tlb_hit(tlb_addr, addr)) { 1647 if (!victim_tlb_hit(cpu, mmu_idx, index, access_type, 1648 addr & TARGET_PAGE_MASK)) { 1649 tlb_fill_align(cpu, addr, access_type, mmu_idx, 1650 memop, data->size, false, ra); 1651 maybe_resized = true; 1652 index = tlb_index(cpu, mmu_idx, addr); 1653 entry = tlb_entry(cpu, mmu_idx, addr); 1654 } 1655 tlb_addr = tlb_read_idx(entry, access_type) & ~TLB_INVALID_MASK; 1656 } 1657 1658 full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index]; 1659 flags = tlb_addr & (TLB_FLAGS_MASK & ~TLB_FORCE_SLOW); 1660 flags |= full->slow_flags[access_type]; 1661 1662 if (likely(!maybe_resized)) { 1663 /* Alignment has not been checked by tlb_fill_align. 
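         * tlb_fill_align only runs on a TLB miss; on a hit the MemOp
         * alignment requirement still has to be enforced here.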
*/ 1664 int a_bits = memop_alignment_bits(memop); 1665 1666 /* 1667 * This alignment check differs from the one above, in that this is 1668 * based on the atomicity of the operation. The intended use case is 1669 * the ARM memory type field of each PTE, where access to pages with 1670 * Device memory type require alignment. 1671 */ 1672 if (unlikely(flags & TLB_CHECK_ALIGNED)) { 1673 int at_bits = memop_atomicity_bits(memop); 1674 a_bits = MAX(a_bits, at_bits); 1675 } 1676 if (unlikely(addr & ((1 << a_bits) - 1))) { 1677 cpu_unaligned_access(cpu, addr, access_type, mmu_idx, ra); 1678 } 1679 } 1680 1681 data->full = full; 1682 data->flags = flags; 1683 /* Compute haddr speculatively; depending on flags it might be invalid. */ 1684 data->haddr = (void *)((uintptr_t)addr + entry->addend); 1685 1686 return maybe_resized; 1687 } 1688 1689 /** 1690 * mmu_watch_or_dirty 1691 * @cpu: generic cpu state 1692 * @data: lookup parameters 1693 * @access_type: load/store/code 1694 * @ra: return address into tcg generated code, or 0 1695 * 1696 * Trigger watchpoints for @data.addr:@data.size; 1697 * record writes to protected clean pages. 1698 */ 1699 static void mmu_watch_or_dirty(CPUState *cpu, MMULookupPageData *data, 1700 MMUAccessType access_type, uintptr_t ra) 1701 { 1702 CPUTLBEntryFull *full = data->full; 1703 vaddr addr = data->addr; 1704 int flags = data->flags; 1705 int size = data->size; 1706 1707 /* On watchpoint hit, this will longjmp out. */ 1708 if (flags & TLB_WATCHPOINT) { 1709 int wp = access_type == MMU_DATA_STORE ? BP_MEM_WRITE : BP_MEM_READ; 1710 cpu_check_watchpoint(cpu, addr, size, full->attrs, wp, ra); 1711 flags &= ~TLB_WATCHPOINT; 1712 } 1713 1714 /* Note that notdirty is only set for writes. */ 1715 if (flags & TLB_NOTDIRTY) { 1716 notdirty_write(cpu, addr, size, full, ra); 1717 flags &= ~TLB_NOTDIRTY; 1718 } 1719 data->flags = flags; 1720 } 1721 1722 /** 1723 * mmu_lookup: translate page(s) 1724 * @cpu: generic cpu state 1725 * @addr: virtual address 1726 * @oi: combined mmu_idx and MemOp 1727 * @ra: return address into tcg generated code, or 0 1728 * @access_type: load/store/code 1729 * @l: output result 1730 * 1731 * Resolve the translation for the page(s) beginning at @addr, for MemOp.size 1732 * bytes. Return true if the lookup crosses a page boundary. 1733 */ 1734 static bool mmu_lookup(CPUState *cpu, vaddr addr, MemOpIdx oi, 1735 uintptr_t ra, MMUAccessType type, MMULookupLocals *l) 1736 { 1737 bool crosspage; 1738 int flags; 1739 1740 l->memop = get_memop(oi); 1741 l->mmu_idx = get_mmuidx(oi); 1742 1743 tcg_debug_assert(l->mmu_idx < NB_MMU_MODES); 1744 1745 l->page[0].addr = addr; 1746 l->page[0].size = memop_size(l->memop); 1747 l->page[1].addr = (addr + l->page[0].size - 1) & TARGET_PAGE_MASK; 1748 l->page[1].size = 0; 1749 crosspage = (addr ^ l->page[1].addr) & TARGET_PAGE_MASK; 1750 1751 if (likely(!crosspage)) { 1752 mmu_lookup1(cpu, &l->page[0], l->memop, l->mmu_idx, type, ra); 1753 1754 flags = l->page[0].flags; 1755 if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) { 1756 mmu_watch_or_dirty(cpu, &l->page[0], type, ra); 1757 } 1758 if (unlikely(flags & TLB_BSWAP)) { 1759 l->memop ^= MO_BSWAP; 1760 } 1761 } else { 1762 /* Finish compute of page crossing. */ 1763 int size0 = l->page[1].addr - addr; 1764 l->page[1].size = l->page[0].size - size0; 1765 l->page[0].size = size0; 1766 1767 /* 1768 * Lookup both pages, recognizing exceptions from either. If the 1769 * second lookup potentially resized, refresh first CPUTLBEntryFull. 
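         * A resize reallocates desc->fulltlb, so the page[0].full pointer
         * computed by the first lookup may be stale; recompute it from the
         * new table.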
1770 */ 1771 mmu_lookup1(cpu, &l->page[0], l->memop, l->mmu_idx, type, ra); 1772 if (mmu_lookup1(cpu, &l->page[1], 0, l->mmu_idx, type, ra)) { 1773 uintptr_t index = tlb_index(cpu, l->mmu_idx, addr); 1774 l->page[0].full = &cpu->neg.tlb.d[l->mmu_idx].fulltlb[index]; 1775 } 1776 1777 flags = l->page[0].flags | l->page[1].flags; 1778 if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) { 1779 mmu_watch_or_dirty(cpu, &l->page[0], type, ra); 1780 mmu_watch_or_dirty(cpu, &l->page[1], type, ra); 1781 } 1782 1783 /* 1784 * Since target/sparc is the only user of TLB_BSWAP, and all 1785 * Sparc accesses are aligned, any treatment across two pages 1786 * would be arbitrary. Refuse it until there's a use. 1787 */ 1788 tcg_debug_assert((flags & TLB_BSWAP) == 0); 1789 } 1790 1791 return crosspage; 1792 } 1793 1794 /* 1795 * Probe for an atomic operation. Do not allow unaligned operations, 1796 * or io operations to proceed. Return the host address. 1797 */ 1798 static void *atomic_mmu_lookup(CPUState *cpu, vaddr addr, MemOpIdx oi, 1799 int size, uintptr_t retaddr) 1800 { 1801 uintptr_t mmu_idx = get_mmuidx(oi); 1802 MemOp mop = get_memop(oi); 1803 uintptr_t index; 1804 CPUTLBEntry *tlbe; 1805 vaddr tlb_addr; 1806 void *hostaddr; 1807 CPUTLBEntryFull *full; 1808 bool did_tlb_fill = false; 1809 1810 tcg_debug_assert(mmu_idx < NB_MMU_MODES); 1811 1812 /* Adjust the given return address. */ 1813 retaddr -= GETPC_ADJ; 1814 1815 index = tlb_index(cpu, mmu_idx, addr); 1816 tlbe = tlb_entry(cpu, mmu_idx, addr); 1817 1818 /* Check TLB entry and enforce page permissions. */ 1819 tlb_addr = tlb_addr_write(tlbe); 1820 if (!tlb_hit(tlb_addr, addr)) { 1821 if (!victim_tlb_hit(cpu, mmu_idx, index, MMU_DATA_STORE, 1822 addr & TARGET_PAGE_MASK)) { 1823 tlb_fill_align(cpu, addr, MMU_DATA_STORE, mmu_idx, 1824 mop, size, false, retaddr); 1825 did_tlb_fill = true; 1826 index = tlb_index(cpu, mmu_idx, addr); 1827 tlbe = tlb_entry(cpu, mmu_idx, addr); 1828 } 1829 tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK; 1830 } 1831 1832 /* 1833 * Let the guest notice RMW on a write-only page. 1834 * We have just verified that the page is writable. 1835 * Subpage lookups may have left TLB_INVALID_MASK set, 1836 * but addr_read will only be -1 if PAGE_READ was unset. 1837 */ 1838 if (unlikely(tlbe->addr_read == -1)) { 1839 tlb_fill_align(cpu, addr, MMU_DATA_LOAD, mmu_idx, 1840 0, size, false, retaddr); 1841 /* 1842 * Since we don't support reads and writes to different 1843 * addresses, and we do have the proper page loaded for 1844 * write, this shouldn't ever return. 1845 */ 1846 g_assert_not_reached(); 1847 } 1848 1849 /* Enforce guest required alignment, if not handled by tlb_fill_align. */ 1850 if (!did_tlb_fill && (addr & ((1 << memop_alignment_bits(mop)) - 1))) { 1851 cpu_unaligned_access(cpu, addr, MMU_DATA_STORE, mmu_idx, retaddr); 1852 } 1853 1854 /* Enforce qemu required alignment. */ 1855 if (unlikely(addr & (size - 1))) { 1856 /* 1857 * We get here if guest alignment was not requested, or was not 1858 * enforced by cpu_unaligned_access or tlb_fill_align above. 1859 * We might widen the access and emulate, but for now 1860 * mark an exception and exit the cpu loop. 1861 */ 1862 goto stop_the_world; 1863 } 1864 1865 /* Collect tlb flags for read. */ 1866 tlb_addr |= tlbe->addr_read; 1867 1868 /* Notice an IO access or a needs-MMU-lookup access */ 1869 if (unlikely(tlb_addr & (TLB_MMIO | TLB_DISCARD_WRITE))) { 1870 /* There's really nothing that can be done to 1871 support this apart from stop-the-world. 
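   cpu_loop_exit_atomic() raises EXCP_ATOMIC, so the operation is
   retried under the exclusive (stop-the-world) loop, where MMIO and
   discarded writes can be handled without racing other vCPUs.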
*/ 1872 goto stop_the_world; 1873 } 1874 1875 hostaddr = (void *)((uintptr_t)addr + tlbe->addend); 1876 full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index]; 1877 1878 if (unlikely(tlb_addr & TLB_NOTDIRTY)) { 1879 notdirty_write(cpu, addr, size, full, retaddr); 1880 } 1881 1882 if (unlikely(tlb_addr & TLB_FORCE_SLOW)) { 1883 int wp_flags = 0; 1884 1885 if (full->slow_flags[MMU_DATA_STORE] & TLB_WATCHPOINT) { 1886 wp_flags |= BP_MEM_WRITE; 1887 } 1888 if (full->slow_flags[MMU_DATA_LOAD] & TLB_WATCHPOINT) { 1889 wp_flags |= BP_MEM_READ; 1890 } 1891 if (wp_flags) { 1892 cpu_check_watchpoint(cpu, addr, size, 1893 full->attrs, wp_flags, retaddr); 1894 } 1895 } 1896 1897 return hostaddr; 1898 1899 stop_the_world: 1900 cpu_loop_exit_atomic(cpu, retaddr); 1901 } 1902 1903 /* 1904 * Load Helpers 1905 * 1906 * We support two different access types. SOFTMMU_CODE_ACCESS is 1907 * specifically for reading instructions from system memory. It is 1908 * called by the translation loop and in some helpers where the code 1909 * is disassembled. It shouldn't be called directly by guest code. 1910 * 1911 * For the benefit of TCG generated code, we want to avoid the 1912 * complication of ABI-specific return type promotion and always 1913 * return a value extended to the register size of the host. This is 1914 * tcg_target_long, except in the case of a 32-bit host and 64-bit 1915 * data, and for that we always have uint64_t. 1916 * 1917 * We don't bother with this widened value for SOFTMMU_CODE_ACCESS. 1918 */ 1919 1920 /** 1921 * do_ld_mmio_beN: 1922 * @cpu: generic cpu state 1923 * @full: page parameters 1924 * @ret_be: accumulated data 1925 * @addr: virtual address 1926 * @size: number of bytes 1927 * @mmu_idx: virtual address context 1928 * @ra: return address into tcg generated code, or 0 1929 * Context: BQL held 1930 * 1931 * Load @size bytes from @addr, which is memory-mapped i/o. 1932 * The bytes are concatenated in big-endian order with @ret_be. 1933 */ 1934 static uint64_t int_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, 1935 uint64_t ret_be, vaddr addr, int size, 1936 int mmu_idx, MMUAccessType type, uintptr_t ra, 1937 MemoryRegion *mr, hwaddr mr_offset) 1938 { 1939 do { 1940 MemOp this_mop; 1941 unsigned this_size; 1942 uint64_t val; 1943 MemTxResult r; 1944 1945 /* Read aligned pieces up to 8 bytes. 
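 * ctz32(size | addr | 8) selects the largest power-of-two chunk that is
 * both naturally aligned and no larger than what remains, capped at 8
 * bytes.  E.g. an address ending in ...3 with size 5 issues a 1-byte
 * read followed by a 4-byte read.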
*/ 1946 this_mop = ctz32(size | (int)addr | 8); 1947 this_size = 1 << this_mop; 1948 this_mop |= MO_BE; 1949 1950 r = memory_region_dispatch_read(mr, mr_offset, &val, 1951 this_mop, full->attrs); 1952 if (unlikely(r != MEMTX_OK)) { 1953 io_failed(cpu, full, addr, this_size, type, mmu_idx, r, ra); 1954 } 1955 if (this_size == 8) { 1956 return val; 1957 } 1958 1959 ret_be = (ret_be << (this_size * 8)) | val; 1960 addr += this_size; 1961 mr_offset += this_size; 1962 size -= this_size; 1963 } while (size); 1964 1965 return ret_be; 1966 } 1967 1968 static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, 1969 uint64_t ret_be, vaddr addr, int size, 1970 int mmu_idx, MMUAccessType type, uintptr_t ra) 1971 { 1972 MemoryRegionSection *section; 1973 MemoryRegion *mr; 1974 hwaddr mr_offset; 1975 MemTxAttrs attrs; 1976 1977 tcg_debug_assert(size > 0 && size <= 8); 1978 1979 attrs = full->attrs; 1980 section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); 1981 mr = section->mr; 1982 1983 BQL_LOCK_GUARD(); 1984 return int_ld_mmio_beN(cpu, full, ret_be, addr, size, mmu_idx, 1985 type, ra, mr, mr_offset); 1986 } 1987 1988 static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full, 1989 uint64_t ret_be, vaddr addr, int size, 1990 int mmu_idx, uintptr_t ra) 1991 { 1992 MemoryRegionSection *section; 1993 MemoryRegion *mr; 1994 hwaddr mr_offset; 1995 MemTxAttrs attrs; 1996 uint64_t a, b; 1997 1998 tcg_debug_assert(size > 8 && size <= 16); 1999 2000 attrs = full->attrs; 2001 section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); 2002 mr = section->mr; 2003 2004 BQL_LOCK_GUARD(); 2005 a = int_ld_mmio_beN(cpu, full, ret_be, addr, size - 8, mmu_idx, 2006 MMU_DATA_LOAD, ra, mr, mr_offset); 2007 b = int_ld_mmio_beN(cpu, full, ret_be, addr + size - 8, 8, mmu_idx, 2008 MMU_DATA_LOAD, ra, mr, mr_offset + size - 8); 2009 return int128_make128(b, a); 2010 } 2011 2012 /** 2013 * do_ld_bytes_beN 2014 * @p: translation parameters 2015 * @ret_be: accumulated data 2016 * 2017 * Load @p->size bytes from @p->haddr, which is RAM. 2018 * The bytes are concatenated in big-endian order with @ret_be. 2019 */ 2020 static uint64_t do_ld_bytes_beN(MMULookupPageData *p, uint64_t ret_be) 2021 { 2022 uint8_t *haddr = p->haddr; 2023 int i, size = p->size; 2024 2025 for (i = 0; i < size; i++) { 2026 ret_be = (ret_be << 8) | haddr[i]; 2027 } 2028 return ret_be; 2029 } 2030 2031 /** 2032 * do_ld_parts_beN 2033 * @p: translation parameters 2034 * @ret_be: accumulated data 2035 * 2036 * As do_ld_bytes_beN, but atomically on each aligned part. 2037 */ 2038 static uint64_t do_ld_parts_beN(MMULookupPageData *p, uint64_t ret_be) 2039 { 2040 void *haddr = p->haddr; 2041 int size = p->size; 2042 2043 do { 2044 uint64_t x; 2045 int n; 2046 2047 /* 2048 * Find minimum of alignment and size. 2049 * This is slightly stronger than required by MO_ATOM_SUBALIGN, which 2050 * would have only checked the low bits of addr|size once at the start, 2051 * but is just as easy.
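 * E.g. haddr ending in ...2 with size 6: (2 | 6) & 7 == 6 selects the
 * 2-byte case, then (4 | 4) & 7 == 4 selects the 4-byte case, so the
 * value is assembled from one 2-byte and one 4-byte atomic load.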
2052 */ 2053 switch (((uintptr_t)haddr | size) & 7) { 2054 case 4: 2055 x = cpu_to_be32(load_atomic4(haddr)); 2056 ret_be = (ret_be << 32) | x; 2057 n = 4; 2058 break; 2059 case 2: 2060 case 6: 2061 x = cpu_to_be16(load_atomic2(haddr)); 2062 ret_be = (ret_be << 16) | x; 2063 n = 2; 2064 break; 2065 default: 2066 x = *(uint8_t *)haddr; 2067 ret_be = (ret_be << 8) | x; 2068 n = 1; 2069 break; 2070 case 0: 2071 g_assert_not_reached(); 2072 } 2073 haddr += n; 2074 size -= n; 2075 } while (size != 0); 2076 return ret_be; 2077 } 2078 2079 /** 2080 * do_ld_whole_be4 2081 * @p: translation parameters 2082 * @ret_be: accumulated data 2083 * 2084 * As do_ld_bytes_beN, but with one atomic load. 2085 * Four aligned bytes are guaranteed to cover the load. 2086 */ 2087 static uint64_t do_ld_whole_be4(MMULookupPageData *p, uint64_t ret_be) 2088 { 2089 int o = p->addr & 3; 2090 uint32_t x = load_atomic4(p->haddr - o); 2091 2092 x = cpu_to_be32(x); 2093 x <<= o * 8; 2094 x >>= (4 - p->size) * 8; 2095 return (ret_be << (p->size * 8)) | x; 2096 } 2097 2098 /** 2099 * do_ld_whole_be8 2100 * @p: translation parameters 2101 * @ret_be: accumulated data 2102 * 2103 * As do_ld_bytes_beN, but with one atomic load. 2104 * Eight aligned bytes are guaranteed to cover the load. 2105 */ 2106 static uint64_t do_ld_whole_be8(CPUState *cpu, uintptr_t ra, 2107 MMULookupPageData *p, uint64_t ret_be) 2108 { 2109 int o = p->addr & 7; 2110 uint64_t x = load_atomic8_or_exit(cpu, ra, p->haddr - o); 2111 2112 x = cpu_to_be64(x); 2113 x <<= o * 8; 2114 x >>= (8 - p->size) * 8; 2115 return (ret_be << (p->size * 8)) | x; 2116 } 2117 2118 /** 2119 * do_ld_whole_be16 2120 * @p: translation parameters 2121 * @ret_be: accumulated data 2122 * 2123 * As do_ld_bytes_beN, but with one atomic load. 2124 * 16 aligned bytes are guaranteed to cover the load. 2125 */ 2126 static Int128 do_ld_whole_be16(CPUState *cpu, uintptr_t ra, 2127 MMULookupPageData *p, uint64_t ret_be) 2128 { 2129 int o = p->addr & 15; 2130 Int128 x, y = load_atomic16_or_exit(cpu, ra, p->haddr - o); 2131 int size = p->size; 2132 2133 if (!HOST_BIG_ENDIAN) { 2134 y = bswap128(y); 2135 } 2136 y = int128_lshift(y, o * 8); 2137 y = int128_urshift(y, (16 - size) * 8); 2138 x = int128_make64(ret_be); 2139 x = int128_lshift(x, size * 8); 2140 return int128_or(x, y); 2141 } 2142 2143 /* 2144 * Wrapper for the above. 2145 */ 2146 static uint64_t do_ld_beN(CPUState *cpu, MMULookupPageData *p, 2147 uint64_t ret_be, int mmu_idx, MMUAccessType type, 2148 MemOp mop, uintptr_t ra) 2149 { 2150 MemOp atom; 2151 unsigned tmp, half_size; 2152 2153 if (unlikely(p->flags & TLB_MMIO)) { 2154 return do_ld_mmio_beN(cpu, p->full, ret_be, p->addr, p->size, 2155 mmu_idx, type, ra); 2156 } 2157 2158 /* 2159 * It is a given that we cross a page and therefore there is no 2160 * atomicity for the load as a whole, but subobjects may need attention. 2161 */ 2162 atom = mop & MO_ATOM_MASK; 2163 switch (atom) { 2164 case MO_ATOM_SUBALIGN: 2165 return do_ld_parts_beN(p, ret_be); 2166 2167 case MO_ATOM_IFALIGN_PAIR: 2168 case MO_ATOM_WITHIN16_PAIR: 2169 tmp = mop & MO_SIZE; 2170 tmp = tmp ? tmp - 1 : 0; 2171 half_size = 1 << tmp; 2172 if (atom == MO_ATOM_IFALIGN_PAIR 2173 ?
p->size == half_size 2174 : p->size >= half_size) { 2175 if (!HAVE_al8_fast && p->size < 4) { 2176 return do_ld_whole_be4(p, ret_be); 2177 } else { 2178 return do_ld_whole_be8(cpu, ra, p, ret_be); 2179 } 2180 } 2181 /* fall through */ 2182 2183 case MO_ATOM_IFALIGN: 2184 case MO_ATOM_WITHIN16: 2185 case MO_ATOM_NONE: 2186 return do_ld_bytes_beN(p, ret_be); 2187 2188 default: 2189 g_assert_not_reached(); 2190 } 2191 } 2192 2193 /* 2194 * Wrapper for the above, for 8 < size < 16. 2195 */ 2196 static Int128 do_ld16_beN(CPUState *cpu, MMULookupPageData *p, 2197 uint64_t a, int mmu_idx, MemOp mop, uintptr_t ra) 2198 { 2199 int size = p->size; 2200 uint64_t b; 2201 MemOp atom; 2202 2203 if (unlikely(p->flags & TLB_MMIO)) { 2204 return do_ld16_mmio_beN(cpu, p->full, a, p->addr, size, mmu_idx, ra); 2205 } 2206 2207 /* 2208 * It is a given that we cross a page and therefore there is no 2209 * atomicity for the load as a whole, but subobjects may need attention. 2210 */ 2211 atom = mop & MO_ATOM_MASK; 2212 switch (atom) { 2213 case MO_ATOM_SUBALIGN: 2214 p->size = size - 8; 2215 a = do_ld_parts_beN(p, a); 2216 p->haddr += size - 8; 2217 p->size = 8; 2218 b = do_ld_parts_beN(p, 0); 2219 break; 2220 2221 case MO_ATOM_WITHIN16_PAIR: 2222 /* Since size > 8, this is the half that must be atomic. */ 2223 return do_ld_whole_be16(cpu, ra, p, a); 2224 2225 case MO_ATOM_IFALIGN_PAIR: 2226 /* 2227 * Since size > 8, both halves are misaligned, 2228 * and so neither is atomic. 2229 */ 2230 case MO_ATOM_IFALIGN: 2231 case MO_ATOM_WITHIN16: 2232 case MO_ATOM_NONE: 2233 p->size = size - 8; 2234 a = do_ld_bytes_beN(p, a); 2235 b = ldq_be_p(p->haddr + size - 8); 2236 break; 2237 2238 default: 2239 g_assert_not_reached(); 2240 } 2241 2242 return int128_make128(b, a); 2243 } 2244 2245 static uint8_t do_ld_1(CPUState *cpu, MMULookupPageData *p, int mmu_idx, 2246 MMUAccessType type, uintptr_t ra) 2247 { 2248 if (unlikely(p->flags & TLB_MMIO)) { 2249 return do_ld_mmio_beN(cpu, p->full, 0, p->addr, 1, mmu_idx, type, ra); 2250 } else { 2251 return *(uint8_t *)p->haddr; 2252 } 2253 } 2254 2255 static uint16_t do_ld_2(CPUState *cpu, MMULookupPageData *p, int mmu_idx, 2256 MMUAccessType type, MemOp memop, uintptr_t ra) 2257 { 2258 uint16_t ret; 2259 2260 if (unlikely(p->flags & TLB_MMIO)) { 2261 ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 2, mmu_idx, type, ra); 2262 if ((memop & MO_BSWAP) == MO_LE) { 2263 ret = bswap16(ret); 2264 } 2265 } else { 2266 /* Perform the load host endian, then swap if necessary. */ 2267 ret = load_atom_2(cpu, ra, p->haddr, memop); 2268 if (memop & MO_BSWAP) { 2269 ret = bswap16(ret); 2270 } 2271 } 2272 return ret; 2273 } 2274 2275 static uint32_t do_ld_4(CPUState *cpu, MMULookupPageData *p, int mmu_idx, 2276 MMUAccessType type, MemOp memop, uintptr_t ra) 2277 { 2278 uint32_t ret; 2279 2280 if (unlikely(p->flags & TLB_MMIO)) { 2281 ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 4, mmu_idx, type, ra); 2282 if ((memop & MO_BSWAP) == MO_LE) { 2283 ret = bswap32(ret); 2284 } 2285 } else { 2286 /* Perform the load host endian. 
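 * load_atom_4() honours the MO_ATOM_* atomicity constraints encoded in
 * memop; the result is then swapped to guest endianness when MO_BSWAP
 * is set, matching the do_ld_2 path above.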
*/ 2287 ret = load_atom_4(cpu, ra, p->haddr, memop); 2288 if (memop & MO_BSWAP) { 2289 ret = bswap32(ret); 2290 } 2291 } 2292 return ret; 2293 } 2294 2295 static uint64_t do_ld_8(CPUState *cpu, MMULookupPageData *p, int mmu_idx, 2296 MMUAccessType type, MemOp memop, uintptr_t ra) 2297 { 2298 uint64_t ret; 2299 2300 if (unlikely(p->flags & TLB_MMIO)) { 2301 ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 8, mmu_idx, type, ra); 2302 if ((memop & MO_BSWAP) == MO_LE) { 2303 ret = bswap64(ret); 2304 } 2305 } else { 2306 /* Perform the load host endian. */ 2307 ret = load_atom_8(cpu, ra, p->haddr, memop); 2308 if (memop & MO_BSWAP) { 2309 ret = bswap64(ret); 2310 } 2311 } 2312 return ret; 2313 } 2314 2315 static uint8_t do_ld1_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi, 2316 uintptr_t ra, MMUAccessType access_type) 2317 { 2318 MMULookupLocals l; 2319 bool crosspage; 2320 2321 cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD); 2322 crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l); 2323 tcg_debug_assert(!crosspage); 2324 2325 return do_ld_1(cpu, &l.page[0], l.mmu_idx, access_type, ra); 2326 } 2327 2328 static uint16_t do_ld2_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi, 2329 uintptr_t ra, MMUAccessType access_type) 2330 { 2331 MMULookupLocals l; 2332 bool crosspage; 2333 uint16_t ret; 2334 uint8_t a, b; 2335 2336 cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD); 2337 crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l); 2338 if (likely(!crosspage)) { 2339 return do_ld_2(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra); 2340 } 2341 2342 a = do_ld_1(cpu, &l.page[0], l.mmu_idx, access_type, ra); 2343 b = do_ld_1(cpu, &l.page[1], l.mmu_idx, access_type, ra); 2344 2345 if ((l.memop & MO_BSWAP) == MO_LE) { 2346 ret = a | (b << 8); 2347 } else { 2348 ret = b | (a << 8); 2349 } 2350 return ret; 2351 } 2352 2353 static uint32_t do_ld4_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi, 2354 uintptr_t ra, MMUAccessType access_type) 2355 { 2356 MMULookupLocals l; 2357 bool crosspage; 2358 uint32_t ret; 2359 2360 cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD); 2361 crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l); 2362 if (likely(!crosspage)) { 2363 return do_ld_4(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra); 2364 } 2365 2366 ret = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx, access_type, l.memop, ra); 2367 ret = do_ld_beN(cpu, &l.page[1], ret, l.mmu_idx, access_type, l.memop, ra); 2368 if ((l.memop & MO_BSWAP) == MO_LE) { 2369 ret = bswap32(ret); 2370 } 2371 return ret; 2372 } 2373 2374 static uint64_t do_ld8_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi, 2375 uintptr_t ra, MMUAccessType access_type) 2376 { 2377 MMULookupLocals l; 2378 bool crosspage; 2379 uint64_t ret; 2380 2381 cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD); 2382 crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l); 2383 if (likely(!crosspage)) { 2384 return do_ld_8(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra); 2385 } 2386 2387 ret = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx, access_type, l.memop, ra); 2388 ret = do_ld_beN(cpu, &l.page[1], ret, l.mmu_idx, access_type, l.memop, ra); 2389 if ((l.memop & MO_BSWAP) == MO_LE) { 2390 ret = bswap64(ret); 2391 } 2392 return ret; 2393 } 2394 2395 static Int128 do_ld16_mmu(CPUState *cpu, vaddr addr, 2396 MemOpIdx oi, uintptr_t ra) 2397 { 2398 MMULookupLocals l; 2399 bool crosspage; 2400 uint64_t a, b; 2401 Int128 ret; 2402 int first; 2403 2404 cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD); 2405 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_LOAD, &l); 2406 if (likely(!crosspage)) { 2407 if 
(unlikely(l.page[0].flags & TLB_MMIO)) { 2408 ret = do_ld16_mmio_beN(cpu, l.page[0].full, 0, addr, 16, 2409 l.mmu_idx, ra); 2410 if ((l.memop & MO_BSWAP) == MO_LE) { 2411 ret = bswap128(ret); 2412 } 2413 } else { 2414 /* Perform the load host endian. */ 2415 ret = load_atom_16(cpu, ra, l.page[0].haddr, l.memop); 2416 if (l.memop & MO_BSWAP) { 2417 ret = bswap128(ret); 2418 } 2419 } 2420 return ret; 2421 } 2422 2423 first = l.page[0].size; 2424 if (first == 8) { 2425 MemOp mop8 = (l.memop & ~MO_SIZE) | MO_64; 2426 2427 a = do_ld_8(cpu, &l.page[0], l.mmu_idx, MMU_DATA_LOAD, mop8, ra); 2428 b = do_ld_8(cpu, &l.page[1], l.mmu_idx, MMU_DATA_LOAD, mop8, ra); 2429 if ((mop8 & MO_BSWAP) == MO_LE) { 2430 ret = int128_make128(a, b); 2431 } else { 2432 ret = int128_make128(b, a); 2433 } 2434 return ret; 2435 } 2436 2437 if (first < 8) { 2438 a = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx, 2439 MMU_DATA_LOAD, l.memop, ra); 2440 ret = do_ld16_beN(cpu, &l.page[1], a, l.mmu_idx, l.memop, ra); 2441 } else { 2442 ret = do_ld16_beN(cpu, &l.page[0], 0, l.mmu_idx, l.memop, ra); 2443 b = int128_getlo(ret); 2444 ret = int128_lshift(ret, l.page[1].size * 8); 2445 a = int128_gethi(ret); 2446 b = do_ld_beN(cpu, &l.page[1], b, l.mmu_idx, 2447 MMU_DATA_LOAD, l.memop, ra); 2448 ret = int128_make128(b, a); 2449 } 2450 if ((l.memop & MO_BSWAP) == MO_LE) { 2451 ret = bswap128(ret); 2452 } 2453 return ret; 2454 } 2455 2456 /* 2457 * Store Helpers 2458 */ 2459 2460 /** 2461 * do_st_mmio_leN: 2462 * @cpu: generic cpu state 2463 * @full: page parameters 2464 * @val_le: data to store 2465 * @addr: virtual address 2466 * @size: number of bytes 2467 * @mmu_idx: virtual address context 2468 * @ra: return address into tcg generated code, or 0 2469 * Context: BQL held 2470 * 2471 * Store @size bytes at @addr, which is memory-mapped i/o. 2472 * The bytes to store are extracted in little-endian order from @val_le; 2473 * return the bytes of @val_le beyond @p->size that have not been stored. 2474 */ 2475 static uint64_t int_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, 2476 uint64_t val_le, vaddr addr, int size, 2477 int mmu_idx, uintptr_t ra, 2478 MemoryRegion *mr, hwaddr mr_offset) 2479 { 2480 do { 2481 MemOp this_mop; 2482 unsigned this_size; 2483 MemTxResult r; 2484 2485 /* Store aligned pieces up to 8 bytes. 
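 * Mirrors the read loop above: ctz32(size | addr | 8) picks the widest
 * naturally aligned chunk, the low bytes of val_le are written first,
 * and val_le is shifted right as each chunk is consumed.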
*/ 2486 this_mop = ctz32(size | (int)addr | 8); 2487 this_size = 1 << this_mop; 2488 this_mop |= MO_LE; 2489 2490 r = memory_region_dispatch_write(mr, mr_offset, val_le, 2491 this_mop, full->attrs); 2492 if (unlikely(r != MEMTX_OK)) { 2493 io_failed(cpu, full, addr, this_size, MMU_DATA_STORE, 2494 mmu_idx, r, ra); 2495 } 2496 if (this_size == 8) { 2497 return 0; 2498 } 2499 2500 val_le >>= this_size * 8; 2501 addr += this_size; 2502 mr_offset += this_size; 2503 size -= this_size; 2504 } while (size); 2505 2506 return val_le; 2507 } 2508 2509 static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, 2510 uint64_t val_le, vaddr addr, int size, 2511 int mmu_idx, uintptr_t ra) 2512 { 2513 MemoryRegionSection *section; 2514 hwaddr mr_offset; 2515 MemoryRegion *mr; 2516 MemTxAttrs attrs; 2517 2518 tcg_debug_assert(size > 0 && size <= 8); 2519 2520 attrs = full->attrs; 2521 section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); 2522 mr = section->mr; 2523 2524 BQL_LOCK_GUARD(); 2525 return int_st_mmio_leN(cpu, full, val_le, addr, size, mmu_idx, 2526 ra, mr, mr_offset); 2527 } 2528 2529 static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full, 2530 Int128 val_le, vaddr addr, int size, 2531 int mmu_idx, uintptr_t ra) 2532 { 2533 MemoryRegionSection *section; 2534 MemoryRegion *mr; 2535 hwaddr mr_offset; 2536 MemTxAttrs attrs; 2537 2538 tcg_debug_assert(size > 8 && size <= 16); 2539 2540 attrs = full->attrs; 2541 section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra); 2542 mr = section->mr; 2543 2544 BQL_LOCK_GUARD(); 2545 int_st_mmio_leN(cpu, full, int128_getlo(val_le), addr, 8, 2546 mmu_idx, ra, mr, mr_offset); 2547 return int_st_mmio_leN(cpu, full, int128_gethi(val_le), addr + 8, 2548 size - 8, mmu_idx, ra, mr, mr_offset + 8); 2549 } 2550 2551 /* 2552 * Wrapper for the above. 2553 */ 2554 static uint64_t do_st_leN(CPUState *cpu, MMULookupPageData *p, 2555 uint64_t val_le, int mmu_idx, 2556 MemOp mop, uintptr_t ra) 2557 { 2558 MemOp atom; 2559 unsigned tmp, half_size; 2560 2561 if (unlikely(p->flags & TLB_MMIO)) { 2562 return do_st_mmio_leN(cpu, p->full, val_le, p->addr, 2563 p->size, mmu_idx, ra); 2564 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2565 return val_le >> (p->size * 8); 2566 } 2567 2568 /* 2569 * It is a given that we cross a page and therefore there is no atomicity 2570 * for the store as a whole, but subobjects may need attention. 2571 */ 2572 atom = mop & MO_ATOM_MASK; 2573 switch (atom) { 2574 case MO_ATOM_SUBALIGN: 2575 return store_parts_leN(p->haddr, p->size, val_le); 2576 2577 case MO_ATOM_IFALIGN_PAIR: 2578 case MO_ATOM_WITHIN16_PAIR: 2579 tmp = mop & MO_SIZE; 2580 tmp = tmp ? tmp - 1 : 0; 2581 half_size = 1 << tmp; 2582 if (atom == MO_ATOM_IFALIGN_PAIR 2583 ? p->size == half_size 2584 : p->size >= half_size) { 2585 if (!HAVE_al8_fast && p->size <= 4) { 2586 return store_whole_le4(p->haddr, p->size, val_le); 2587 } else if (HAVE_al8) { 2588 return store_whole_le8(p->haddr, p->size, val_le); 2589 } else { 2590 cpu_loop_exit_atomic(cpu, ra); 2591 } 2592 } 2593 /* fall through */ 2594 2595 case MO_ATOM_IFALIGN: 2596 case MO_ATOM_WITHIN16: 2597 case MO_ATOM_NONE: 2598 return store_bytes_leN(p->haddr, p->size, val_le); 2599 2600 default: 2601 g_assert_not_reached(); 2602 } 2603 } 2604 2605 /* 2606 * Wrapper for the above, for 8 < size < 16. 
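 * This stores the low 8 bytes plus (size - 8) bytes of the high half,
 * returning the unstored remainder of the high half for the caller to
 * forward to the other page when needed.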
2607 */ 2608 static uint64_t do_st16_leN(CPUState *cpu, MMULookupPageData *p, 2609 Int128 val_le, int mmu_idx, 2610 MemOp mop, uintptr_t ra) 2611 { 2612 int size = p->size; 2613 MemOp atom; 2614 2615 if (unlikely(p->flags & TLB_MMIO)) { 2616 return do_st16_mmio_leN(cpu, p->full, val_le, p->addr, 2617 size, mmu_idx, ra); 2618 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2619 return int128_gethi(val_le) >> ((size - 8) * 8); 2620 } 2621 2622 /* 2623 * It is a given that we cross a page and therefore there is no atomicity 2624 * for the store as a whole, but subobjects may need attention. 2625 */ 2626 atom = mop & MO_ATOM_MASK; 2627 switch (atom) { 2628 case MO_ATOM_SUBALIGN: 2629 store_parts_leN(p->haddr, 8, int128_getlo(val_le)); 2630 return store_parts_leN(p->haddr + 8, p->size - 8, 2631 int128_gethi(val_le)); 2632 2633 case MO_ATOM_WITHIN16_PAIR: 2634 /* Since size > 8, this is the half that must be atomic. */ 2635 if (!HAVE_CMPXCHG128) { 2636 cpu_loop_exit_atomic(cpu, ra); 2637 } 2638 return store_whole_le16(p->haddr, p->size, val_le); 2639 2640 case MO_ATOM_IFALIGN_PAIR: 2641 /* 2642 * Since size > 8, both halves are misaligned, 2643 * and so neither is atomic. 2644 */ 2645 case MO_ATOM_IFALIGN: 2646 case MO_ATOM_WITHIN16: 2647 case MO_ATOM_NONE: 2648 stq_le_p(p->haddr, int128_getlo(val_le)); 2649 return store_bytes_leN(p->haddr + 8, p->size - 8, 2650 int128_gethi(val_le)); 2651 2652 default: 2653 g_assert_not_reached(); 2654 } 2655 } 2656 2657 static void do_st_1(CPUState *cpu, MMULookupPageData *p, uint8_t val, 2658 int mmu_idx, uintptr_t ra) 2659 { 2660 if (unlikely(p->flags & TLB_MMIO)) { 2661 do_st_mmio_leN(cpu, p->full, val, p->addr, 1, mmu_idx, ra); 2662 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2663 /* nothing */ 2664 } else { 2665 *(uint8_t *)p->haddr = val; 2666 } 2667 } 2668 2669 static void do_st_2(CPUState *cpu, MMULookupPageData *p, uint16_t val, 2670 int mmu_idx, MemOp memop, uintptr_t ra) 2671 { 2672 if (unlikely(p->flags & TLB_MMIO)) { 2673 if ((memop & MO_BSWAP) != MO_LE) { 2674 val = bswap16(val); 2675 } 2676 do_st_mmio_leN(cpu, p->full, val, p->addr, 2, mmu_idx, ra); 2677 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2678 /* nothing */ 2679 } else { 2680 /* Swap to host endian if necessary, then store. */ 2681 if (memop & MO_BSWAP) { 2682 val = bswap16(val); 2683 } 2684 store_atom_2(cpu, ra, p->haddr, memop, val); 2685 } 2686 } 2687 2688 static void do_st_4(CPUState *cpu, MMULookupPageData *p, uint32_t val, 2689 int mmu_idx, MemOp memop, uintptr_t ra) 2690 { 2691 if (unlikely(p->flags & TLB_MMIO)) { 2692 if ((memop & MO_BSWAP) != MO_LE) { 2693 val = bswap32(val); 2694 } 2695 do_st_mmio_leN(cpu, p->full, val, p->addr, 4, mmu_idx, ra); 2696 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2697 /* nothing */ 2698 } else { 2699 /* Swap to host endian if necessary, then store. */ 2700 if (memop & MO_BSWAP) { 2701 val = bswap32(val); 2702 } 2703 store_atom_4(cpu, ra, p->haddr, memop, val); 2704 } 2705 } 2706 2707 static void do_st_8(CPUState *cpu, MMULookupPageData *p, uint64_t val, 2708 int mmu_idx, MemOp memop, uintptr_t ra) 2709 { 2710 if (unlikely(p->flags & TLB_MMIO)) { 2711 if ((memop & MO_BSWAP) != MO_LE) { 2712 val = bswap64(val); 2713 } 2714 do_st_mmio_leN(cpu, p->full, val, p->addr, 8, mmu_idx, ra); 2715 } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) { 2716 /* nothing */ 2717 } else { 2718 /* Swap to host endian if necessary, then store. 
*/ 2719 if (memop & MO_BSWAP) { 2720 val = bswap64(val); 2721 } 2722 store_atom_8(cpu, ra, p->haddr, memop, val); 2723 } 2724 } 2725 2726 static void do_st1_mmu(CPUState *cpu, vaddr addr, uint8_t val, 2727 MemOpIdx oi, uintptr_t ra) 2728 { 2729 MMULookupLocals l; 2730 bool crosspage; 2731 2732 cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST); 2733 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l); 2734 tcg_debug_assert(!crosspage); 2735 2736 do_st_1(cpu, &l.page[0], val, l.mmu_idx, ra); 2737 } 2738 2739 static void do_st2_mmu(CPUState *cpu, vaddr addr, uint16_t val, 2740 MemOpIdx oi, uintptr_t ra) 2741 { 2742 MMULookupLocals l; 2743 bool crosspage; 2744 uint8_t a, b; 2745 2746 cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST); 2747 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l); 2748 if (likely(!crosspage)) { 2749 do_st_2(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2750 return; 2751 } 2752 2753 if ((l.memop & MO_BSWAP) == MO_LE) { 2754 a = val, b = val >> 8; 2755 } else { 2756 b = val, a = val >> 8; 2757 } 2758 do_st_1(cpu, &l.page[0], a, l.mmu_idx, ra); 2759 do_st_1(cpu, &l.page[1], b, l.mmu_idx, ra); 2760 } 2761 2762 static void do_st4_mmu(CPUState *cpu, vaddr addr, uint32_t val, 2763 MemOpIdx oi, uintptr_t ra) 2764 { 2765 MMULookupLocals l; 2766 bool crosspage; 2767 2768 cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST); 2769 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l); 2770 if (likely(!crosspage)) { 2771 do_st_4(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2772 return; 2773 } 2774 2775 /* Swap to little endian for simplicity, then store by bytes. */ 2776 if ((l.memop & MO_BSWAP) != MO_LE) { 2777 val = bswap32(val); 2778 } 2779 val = do_st_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2780 (void) do_st_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra); 2781 } 2782 2783 static void do_st8_mmu(CPUState *cpu, vaddr addr, uint64_t val, 2784 MemOpIdx oi, uintptr_t ra) 2785 { 2786 MMULookupLocals l; 2787 bool crosspage; 2788 2789 cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST); 2790 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l); 2791 if (likely(!crosspage)) { 2792 do_st_8(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2793 return; 2794 } 2795 2796 /* Swap to little endian for simplicity, then store by bytes. */ 2797 if ((l.memop & MO_BSWAP) != MO_LE) { 2798 val = bswap64(val); 2799 } 2800 val = do_st_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2801 (void) do_st_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra); 2802 } 2803 2804 static void do_st16_mmu(CPUState *cpu, vaddr addr, Int128 val, 2805 MemOpIdx oi, uintptr_t ra) 2806 { 2807 MMULookupLocals l; 2808 bool crosspage; 2809 uint64_t a, b; 2810 int first; 2811 2812 cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST); 2813 crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l); 2814 if (likely(!crosspage)) { 2815 if (unlikely(l.page[0].flags & TLB_MMIO)) { 2816 if ((l.memop & MO_BSWAP) != MO_LE) { 2817 val = bswap128(val); 2818 } 2819 do_st16_mmio_leN(cpu, l.page[0].full, val, addr, 16, l.mmu_idx, ra); 2820 } else if (unlikely(l.page[0].flags & TLB_DISCARD_WRITE)) { 2821 /* nothing */ 2822 } else { 2823 /* Swap to host endian if necessary, then store. 
*/ 2824 if (l.memop & MO_BSWAP) { 2825 val = bswap128(val); 2826 } 2827 store_atom_16(cpu, ra, l.page[0].haddr, l.memop, val); 2828 } 2829 return; 2830 } 2831 2832 first = l.page[0].size; 2833 if (first == 8) { 2834 MemOp mop8 = (l.memop & ~(MO_SIZE | MO_BSWAP)) | MO_64; 2835 2836 if (l.memop & MO_BSWAP) { 2837 val = bswap128(val); 2838 } 2839 if (HOST_BIG_ENDIAN) { 2840 b = int128_getlo(val), a = int128_gethi(val); 2841 } else { 2842 a = int128_getlo(val), b = int128_gethi(val); 2843 } 2844 do_st_8(cpu, &l.page[0], a, l.mmu_idx, mop8, ra); 2845 do_st_8(cpu, &l.page[1], b, l.mmu_idx, mop8, ra); 2846 return; 2847 } 2848 2849 if ((l.memop & MO_BSWAP) != MO_LE) { 2850 val = bswap128(val); 2851 } 2852 if (first < 8) { 2853 do_st_leN(cpu, &l.page[0], int128_getlo(val), l.mmu_idx, l.memop, ra); 2854 val = int128_urshift(val, first * 8); 2855 do_st16_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra); 2856 } else { 2857 b = do_st16_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra); 2858 do_st_leN(cpu, &l.page[1], b, l.mmu_idx, l.memop, ra); 2859 } 2860 } 2861 2862 #include "ldst_common.c.inc" 2863 2864 /* 2865 * First set of functions passes in OI and RETADDR. 2866 * This makes them callable from other helpers. 2867 */ 2868 2869 #define ATOMIC_NAME(X) \ 2870 glue(glue(glue(cpu_atomic_ ## X, SUFFIX), END), _mmu) 2871 2872 #define ATOMIC_MMU_CLEANUP 2873 2874 #include "atomic_common.c.inc" 2875 2876 #define DATA_SIZE 1 2877 #include "atomic_template.h" 2878 2879 #define DATA_SIZE 2 2880 #include "atomic_template.h" 2881 2882 #define DATA_SIZE 4 2883 #include "atomic_template.h" 2884 2885 #ifdef CONFIG_ATOMIC64 2886 #define DATA_SIZE 8 2887 #include "atomic_template.h" 2888 #endif 2889 2890 #if defined(CONFIG_ATOMIC128) || HAVE_CMPXCHG128 2891 #define DATA_SIZE 16 2892 #include "atomic_template.h" 2893 #endif 2894 2895 /* Code access functions. 
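 * These fetch through the softmmu path with MMU_INST_FETCH and the
 * ifetch mmu_idx from cpu_mmu_index(cs, true), so it is execute
 * permission, not read permission, that is checked and faulted on.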
*/ 2896 2897 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr) 2898 { 2899 CPUState *cs = env_cpu(env); 2900 MemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(cs, true)); 2901 return do_ld1_mmu(cs, addr, oi, 0, MMU_INST_FETCH); 2902 } 2903 2904 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr) 2905 { 2906 CPUState *cs = env_cpu(env); 2907 MemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(cs, true)); 2908 return do_ld2_mmu(cs, addr, oi, 0, MMU_INST_FETCH); 2909 } 2910 2911 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr) 2912 { 2913 CPUState *cs = env_cpu(env); 2914 MemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(cs, true)); 2915 return do_ld4_mmu(cs, addr, oi, 0, MMU_INST_FETCH); 2916 } 2917 2918 uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr) 2919 { 2920 CPUState *cs = env_cpu(env); 2921 MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(cs, true)); 2922 return do_ld8_mmu(cs, addr, oi, 0, MMU_INST_FETCH); 2923 } 2924 2925 uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr, 2926 MemOpIdx oi, uintptr_t retaddr) 2927 { 2928 return do_ld1_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH); 2929 } 2930 2931 uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr, 2932 MemOpIdx oi, uintptr_t retaddr) 2933 { 2934 return do_ld2_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH); 2935 } 2936 2937 uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr, 2938 MemOpIdx oi, uintptr_t retaddr) 2939 { 2940 return do_ld4_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH); 2941 } 2942 2943 uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr, 2944 MemOpIdx oi, uintptr_t retaddr) 2945 { 2946 return do_ld8_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH); 2947 } 2948
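/*
 * Illustrative sketch only (not part of the build): how a target front
 * end might use the code access helpers above while translating.  The
 * names env, pc, mmu_idx and retaddr below are hypothetical
 * placeholders, not identifiers defined in this file.
 *
 *     uint32_t insn = cpu_ldl_code(env, pc);      4-byte ifetch
 *     uint64_t pair = cpu_ldq_code(env, pc);      8-byte ifetch
 *
 * The _mmu variants take an explicit MemOpIdx and return address:
 *
 *     MemOpIdx oi = make_memop_idx(MO_TEUL, mmu_idx);
 *     uint32_t insn2 = cpu_ldl_code_mmu(env, pc, oi, retaddr);
 */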