2012-04-09 20:50:52 +04:00
|
|
|
/*
|
|
|
|
* Common CPU TLB handling
|
|
|
|
*
|
|
|
|
* Copyright (c) 2003 Fabrice Bellard
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
2019-01-23 17:08:56 +03:00
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
2012-04-09 20:50:52 +04:00
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
2016-01-26 21:16:56 +03:00
|
|
|
#include "qemu/osdep.h"
|
tcg: drop global lock during TCG code execution
This finally allows TCG to benefit from the iothread introduction: Drop
the global mutex while running pure TCG CPU code. Reacquire the lock
when entering MMIO or PIO emulation, or when leaving the TCG loop.
We have to revert a few optimization for the current TCG threading
model, namely kicking the TCG thread in qemu_mutex_lock_iothread and not
kicking it in qemu_cpu_kick. We also need to disable RAM block
reordering until we have a more efficient locking mechanism at hand.
Still, a Linux x86 UP guest and my Musicpal ARM model boot fine here.
These numbers demonstrate where we gain something:
20338 jan 20 0 331m 75m 6904 R 99 0.9 0:50.95 qemu-system-arm
20337 jan 20 0 331m 75m 6904 S 20 0.9 0:26.50 qemu-system-arm
The guest CPU was fully loaded, but the iothread could still run mostly
independent on a second core. Without the patch we don't get beyond
32206 jan 20 0 330m 73m 7036 R 82 0.9 1:06.00 qemu-system-arm
32204 jan 20 0 330m 73m 7036 S 21 0.9 0:17.03 qemu-system-arm
We don't benefit significantly, though, when the guest is not fully
loading a host CPU.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Message-Id: <1439220437-23957-10-git-send-email-fred.konrad@greensocs.com>
[FK: Rebase, fix qemu_devices_reset deadlock, rm address_space_* mutex]
Signed-off-by: KONRAD Frederic <fred.konrad@greensocs.com>
[EGC: fixed iothread lock for cpu-exec IRQ handling]
Signed-off-by: Emilio G. Cota <cota@braap.org>
[AJB: -smp single-threaded fix, clean commit msg, BQL fixes]
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Reviewed-by: Pranith Kumar <bobby.prani@gmail.com>
[PM: target-arm changes]
Acked-by: Peter Maydell <peter.maydell@linaro.org>
2017-02-23 21:29:11 +03:00
|
|
|
#include "qemu/main-loop.h"
|
2021-02-04 19:39:23 +03:00
|
|
|
#include "hw/core/tcg-cpu-ops.h"
|
2012-12-17 21:19:49 +04:00
|
|
|
#include "exec/exec-all.h"
|
2023-12-06 22:27:32 +03:00
|
|
|
#include "exec/page-protection.h"
|
2012-12-17 21:19:49 +04:00
|
|
|
#include "exec/memory.h"
|
2014-03-28 22:42:10 +04:00
|
|
|
#include "exec/cpu_ldst.h"
|
2012-12-17 21:19:49 +04:00
|
|
|
#include "exec/cputlb.h"
|
2023-09-18 10:56:14 +03:00
|
|
|
#include "exec/tb-flush.h"
|
2012-12-17 21:19:49 +04:00
|
|
|
#include "exec/memory-internal.h"
|
2013-10-14 19:13:59 +04:00
|
|
|
#include "exec/ram_addr.h"
|
2024-04-03 15:13:18 +03:00
|
|
|
#include "exec/mmu-access-type.h"
|
|
|
|
#include "exec/tlb-common.h"
|
|
|
|
#include "exec/vaddr.h"
|
2014-03-28 20:55:24 +04:00
|
|
|
#include "tcg/tcg.h"
|
cputlb: don't cpu_abort() if guest tries to execute outside RAM or RAM
In get_page_addr_code(), if the guest program counter turns out not to
be in ROM or RAM, we can't handle executing from it, and we call
cpu_abort(). This results in the message
qemu: fatal: Trying to execute code outside RAM or ROM at 0x08000000
followed by a guest register dump, and then QEMU dumps core.
This situation happens in one of two cases:
(1) a guest kernel bug, where it jumped off into nowhere
(2) a user command line mistake, where they tried to run an image for
board A on a QEMU model of board B, or where they didn't provide
an image at all, and QEMU executed through a ROM or RAM full of
NOP instructions and then fell off the end
In either case, a core dump of QEMU itself is entirely useless, and
only confuses users into thinking that this is a bug in QEMU rather
than a bug in the guest or a problem with their command line. (This
is a variation on the general idea that we shouldn't assert() on
something the user can accidentally provoke.)
Replace the cpu_abort() with something that explains the situation
a bit better and exits QEMU without dumping core.
(See LP:1062220 for several examples of confused users.)
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Richard Henderson <rth@twiddle.net>
Message-id: 1466442425-11885-1-git-send-email-peter.maydell@linaro.org
2016-06-20 20:07:05 +03:00
|
|
|
#include "qemu/error-report.h"
|
|
|
|
#include "exec/log.h"
|
2023-04-01 06:13:36 +03:00
|
|
|
#include "exec/helper-proto-common.h"
|
2016-06-28 21:37:27 +03:00
|
|
|
#include "qemu/atomic.h"
|
2018-08-16 02:31:47 +03:00
|
|
|
#include "qemu/atomic128.h"
|
2020-12-16 15:27:58 +03:00
|
|
|
#include "exec/translate-all.h"
|
2022-12-09 12:36:46 +03:00
|
|
|
#include "trace.h"
|
2021-05-24 20:04:53 +03:00
|
|
|
#include "tb-hash.h"
|
2023-09-14 21:57:17 +03:00
|
|
|
#include "internal-common.h"
|
2023-09-14 21:57:14 +03:00
|
|
|
#include "internal-target.h"
|
2019-06-19 22:20:08 +03:00
|
|
|
#ifdef CONFIG_PLUGIN
|
|
|
|
#include "qemu/plugin-memory.h"
|
|
|
|
#endif
|
2021-07-28 00:10:22 +03:00
|
|
|
#include "tcg/tcg-ldst.h"
|
2023-03-28 04:32:36 +03:00
|
|
|
#include "tcg/oversized-guest.h"
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2016-03-15 17:30:24 +03:00
|
|
|
/* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
|
|
|
|
/* #define DEBUG_TLB */
|
|
|
|
/* #define DEBUG_TLB_LOG */
|
|
|
|
|
|
|
|
#ifdef DEBUG_TLB
|
|
|
|
# define DEBUG_TLB_GATE 1
|
|
|
|
# ifdef DEBUG_TLB_LOG
|
|
|
|
# define DEBUG_TLB_LOG_GATE 1
|
|
|
|
# else
|
|
|
|
# define DEBUG_TLB_LOG_GATE 0
|
|
|
|
# endif
|
|
|
|
#else
|
|
|
|
# define DEBUG_TLB_GATE 0
|
|
|
|
# define DEBUG_TLB_LOG_GATE 0
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#define tlb_debug(fmt, ...) do { \
|
|
|
|
if (DEBUG_TLB_LOG_GATE) { \
|
|
|
|
qemu_log_mask(CPU_LOG_MMU, "%s: " fmt, __func__, \
|
|
|
|
## __VA_ARGS__); \
|
|
|
|
} else if (DEBUG_TLB_GATE) { \
|
|
|
|
fprintf(stderr, "%s: " fmt, __func__, ## __VA_ARGS__); \
|
|
|
|
} \
|
|
|
|
} while (0)
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2018-10-09 20:45:55 +03:00
|
|
|
#define assert_cpu_is_self(cpu) do { \
|
2017-02-23 21:29:16 +03:00
|
|
|
if (DEBUG_TLB_GATE) { \
|
2018-10-09 20:45:55 +03:00
|
|
|
g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
|
2017-02-23 21:29:16 +03:00
|
|
|
} \
|
|
|
|
} while (0)
|
|
|
|
|
2017-02-23 21:29:18 +03:00
|
|
|
/* run_on_cpu_data.target_ptr should always be big enough for a
|
2023-08-07 18:57:06 +03:00
|
|
|
* vaddr even on 32 bit builds
|
|
|
|
*/
|
|
|
|
QEMU_BUILD_BUG_ON(sizeof(vaddr) > sizeof(run_on_cpu_data));
|
2017-02-23 21:29:18 +03:00
|
|
|
|
2017-02-23 21:29:20 +03:00
|
|
|
/* We currently can't handle more than 16 bits in the MMUIDX bitmask.
|
|
|
|
*/
|
|
|
|
QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
|
|
|
|
#define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
|
|
|
|
|
2019-12-07 22:47:41 +03:00
|
|
|
static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
|
2019-12-07 22:37:57 +03:00
|
|
|
{
|
2019-12-07 22:47:41 +03:00
|
|
|
return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
|
2019-12-07 22:37:57 +03:00
|
|
|
}
|
|
|
|
|
2019-12-07 22:47:41 +03:00
|
|
|
static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
|
2019-01-16 20:01:13 +03:00
|
|
|
{
|
2019-12-07 22:47:41 +03:00
|
|
|
return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
|
2024-04-03 15:13:18 +03:00
|
|
|
static inline uint64_t tlb_read_idx(const CPUTLBEntry *entry,
|
|
|
|
MMUAccessType access_type)
|
|
|
|
{
|
|
|
|
/* Do not rearrange the CPUTLBEntry structure members. */
|
|
|
|
QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) !=
|
|
|
|
MMU_DATA_LOAD * sizeof(uint64_t));
|
|
|
|
QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) !=
|
|
|
|
MMU_DATA_STORE * sizeof(uint64_t));
|
|
|
|
QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) !=
|
|
|
|
MMU_INST_FETCH * sizeof(uint64_t));
|
|
|
|
|
|
|
|
#if TARGET_LONG_BITS == 32
|
|
|
|
/* Use qatomic_read, in case of addr_write; only care about low bits. */
|
|
|
|
const uint32_t *ptr = (uint32_t *)&entry->addr_idx[access_type];
|
|
|
|
ptr += HOST_BIG_ENDIAN;
|
|
|
|
return qatomic_read(ptr);
|
|
|
|
#else
|
|
|
|
const uint64_t *ptr = &entry->addr_idx[access_type];
|
|
|
|
# if TCG_OVERSIZED_GUEST
|
|
|
|
return *ptr;
|
|
|
|
# else
|
|
|
|
/* ofs might correspond to .addr_write, so use qatomic_read */
|
|
|
|
return qatomic_read(ptr);
|
|
|
|
# endif
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline uint64_t tlb_addr_write(const CPUTLBEntry *entry)
|
|
|
|
{
|
|
|
|
return tlb_read_idx(entry, MMU_DATA_STORE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Find the TLB index corresponding to the mmu_idx + address pair. */
|
|
|
|
static inline uintptr_t tlb_index(CPUState *cpu, uintptr_t mmu_idx,
|
|
|
|
vaddr addr)
|
|
|
|
{
|
|
|
|
uintptr_t size_mask = cpu->neg.tlb.f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS;
|
|
|
|
|
|
|
|
return (addr >> TARGET_PAGE_BITS) & size_mask;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Find the TLB entry corresponding to the mmu_idx + address pair. */
|
|
|
|
static inline CPUTLBEntry *tlb_entry(CPUState *cpu, uintptr_t mmu_idx,
|
|
|
|
vaddr addr)
|
|
|
|
{
|
|
|
|
return &cpu->neg.tlb.f[mmu_idx].table[tlb_index(cpu, mmu_idx, addr)];
|
|
|
|
}
|
|
|
|
|
2019-03-22 18:36:40 +03:00
|
|
|
static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
|
2019-01-16 20:01:13 +03:00
|
|
|
size_t max_entries)
|
|
|
|
{
|
2019-03-22 18:36:40 +03:00
|
|
|
desc->window_begin_ns = ns;
|
|
|
|
desc->window_max_entries = max_entries;
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:28 +03:00
|
|
|
static void tb_jmp_cache_clear_page(CPUState *cpu, vaddr page_addr)
|
2021-01-21 08:53:20 +03:00
|
|
|
{
|
2022-08-15 23:13:05 +03:00
|
|
|
CPUJumpCache *jc = cpu->tb_jmp_cache;
|
2023-02-03 20:15:10 +03:00
|
|
|
int i, i0;
|
2021-01-21 08:53:20 +03:00
|
|
|
|
2023-02-03 20:15:10 +03:00
|
|
|
if (unlikely(!jc)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
i0 = tb_jmp_cache_hash_page(page_addr);
|
2021-01-21 08:53:20 +03:00
|
|
|
for (i = 0; i < TB_JMP_PAGE_SIZE; i++) {
|
2022-08-15 23:13:05 +03:00
|
|
|
qatomic_set(&jc->array[i0 + i].tb, NULL);
|
2021-01-21 08:53:20 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-16 20:01:13 +03:00
|
|
|
/**
|
|
|
|
* tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
|
2019-12-07 22:58:50 +03:00
|
|
|
* @desc: The CPUTLBDesc portion of the TLB
|
|
|
|
* @fast: The CPUTLBDescFast portion of the same TLB
|
2019-01-16 20:01:13 +03:00
|
|
|
*
|
|
|
|
* Called with tlb_lock_held.
|
|
|
|
*
|
|
|
|
* We have two main constraints when resizing a TLB: (1) we only resize it
|
|
|
|
* on a TLB flush (otherwise we'd have to take a perf hit by either rehashing
|
|
|
|
* the array or unnecessarily flushing it), which means we do not control how
|
|
|
|
* frequently the resizing can occur; (2) we don't have access to the guest's
|
|
|
|
* future scheduling decisions, and therefore have to decide the magnitude of
|
|
|
|
* the resize based on past observations.
|
|
|
|
*
|
|
|
|
* In general, a memory-hungry process can benefit greatly from an appropriately
|
|
|
|
* sized TLB, since a guest TLB miss is very expensive. This doesn't mean that
|
|
|
|
* we just have to make the TLB as large as possible; while an oversized TLB
|
|
|
|
* results in minimal TLB miss rates, it also takes longer to be flushed
|
|
|
|
* (flushes can be _very_ frequent), and the reduced locality can also hurt
|
|
|
|
* performance.
|
|
|
|
*
|
|
|
|
* To achieve near-optimal performance for all kinds of workloads, we:
|
|
|
|
*
|
|
|
|
* 1. Aggressively increase the size of the TLB when the use rate of the
|
|
|
|
* TLB being flushed is high, since it is likely that in the near future this
|
|
|
|
* memory-hungry process will execute again, and its memory hungriness will
|
|
|
|
* probably be similar.
|
|
|
|
*
|
|
|
|
* 2. Slowly reduce the size of the TLB as the use rate declines over a
|
|
|
|
* reasonably large time window. The rationale is that if in such a time window
|
|
|
|
* we have not observed a high TLB use rate, it is likely that we won't observe
|
|
|
|
* it in the near future. In that case, once a time window expires we downsize
|
|
|
|
* the TLB to match the maximum use rate observed in the window.
|
|
|
|
*
|
|
|
|
* 3. Try to keep the maximum use rate in a time window in the 30-70% range,
|
|
|
|
* since in that range performance is likely near-optimal. Recall that the TLB
|
|
|
|
* is direct mapped, so we want the use rate to be low (or at least not too
|
|
|
|
* high), since otherwise we are likely to have a significant amount of
|
|
|
|
* conflict misses.
|
|
|
|
*/
|
2019-12-08 01:36:01 +03:00
|
|
|
static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
|
|
|
|
int64_t now)
|
2019-01-16 20:01:13 +03:00
|
|
|
{
|
2019-12-07 22:58:50 +03:00
|
|
|
size_t old_size = tlb_n_entries(fast);
|
2019-01-16 20:01:13 +03:00
|
|
|
size_t rate;
|
|
|
|
size_t new_size = old_size;
|
|
|
|
int64_t window_len_ms = 100;
|
|
|
|
int64_t window_len_ns = window_len_ms * 1000 * 1000;
|
2019-03-22 18:36:40 +03:00
|
|
|
bool window_expired = now > desc->window_begin_ns + window_len_ns;
|
2019-01-16 20:01:13 +03:00
|
|
|
|
2019-03-22 18:36:40 +03:00
|
|
|
if (desc->n_used_entries > desc->window_max_entries) {
|
|
|
|
desc->window_max_entries = desc->n_used_entries;
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
2019-03-22 18:36:40 +03:00
|
|
|
rate = desc->window_max_entries * 100 / old_size;
|
2019-01-16 20:01:13 +03:00
|
|
|
|
|
|
|
if (rate > 70) {
|
|
|
|
new_size = MIN(old_size << 1, 1 << CPU_TLB_DYN_MAX_BITS);
|
|
|
|
} else if (rate < 30 && window_expired) {
|
2019-03-22 18:36:40 +03:00
|
|
|
size_t ceil = pow2ceil(desc->window_max_entries);
|
|
|
|
size_t expected_rate = desc->window_max_entries * 100 / ceil;
|
2019-01-16 20:01:13 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Avoid undersizing when the max number of entries seen is just below
|
|
|
|
* a pow2. For instance, if max_entries == 1025, the expected use rate
|
|
|
|
* would be 1025/2048==50%. However, if max_entries == 1023, we'd get
|
|
|
|
* 1023/1024==99.9% use rate, so we'd likely end up doubling the size
|
|
|
|
* later. Thus, make sure that the expected use rate remains below 70%.
|
|
|
|
* (and since we double the size, that means the lowest rate we'd
|
|
|
|
* expect to get is 35%, which is still in the 30-70% range where
|
|
|
|
* we consider that the size is appropriate.)
|
|
|
|
*/
|
|
|
|
if (expected_rate > 70) {
|
|
|
|
ceil *= 2;
|
|
|
|
}
|
|
|
|
new_size = MAX(ceil, 1 << CPU_TLB_DYN_MIN_BITS);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (new_size == old_size) {
|
|
|
|
if (window_expired) {
|
2019-03-22 18:36:40 +03:00
|
|
|
tlb_window_reset(desc, now, desc->n_used_entries);
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-12-07 22:58:50 +03:00
|
|
|
g_free(fast->table);
|
2022-08-20 00:20:37 +03:00
|
|
|
g_free(desc->fulltlb);
|
2019-01-16 20:01:13 +03:00
|
|
|
|
2019-03-22 18:36:40 +03:00
|
|
|
tlb_window_reset(desc, now, 0);
|
2019-01-16 20:01:13 +03:00
|
|
|
/* desc->n_used_entries is cleared by the caller */
|
2019-12-07 22:58:50 +03:00
|
|
|
fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
|
|
|
|
fast->table = g_try_new(CPUTLBEntry, new_size);
|
2022-08-20 00:20:37 +03:00
|
|
|
desc->fulltlb = g_try_new(CPUTLBEntryFull, new_size);
|
2019-12-07 22:58:50 +03:00
|
|
|
|
2019-01-16 20:01:13 +03:00
|
|
|
/*
|
|
|
|
* If the allocations fail, try smaller sizes. We just freed some
|
|
|
|
* memory, so going back to half of new_size has a good chance of working.
|
|
|
|
* Increased memory pressure elsewhere in the system might cause the
|
|
|
|
* allocations to fail though, so we progressively reduce the allocation
|
|
|
|
* size, aborting if we cannot even allocate the smallest TLB we support.
|
|
|
|
*/
|
2022-08-20 00:20:37 +03:00
|
|
|
while (fast->table == NULL || desc->fulltlb == NULL) {
|
2019-01-16 20:01:13 +03:00
|
|
|
if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
|
|
|
|
error_report("%s: %s", __func__, strerror(errno));
|
|
|
|
abort();
|
|
|
|
}
|
|
|
|
new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
|
2019-12-07 22:58:50 +03:00
|
|
|
fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
|
2019-01-16 20:01:13 +03:00
|
|
|
|
2019-12-07 22:58:50 +03:00
|
|
|
g_free(fast->table);
|
2022-08-20 00:20:37 +03:00
|
|
|
g_free(desc->fulltlb);
|
2019-12-07 22:58:50 +03:00
|
|
|
fast->table = g_try_new(CPUTLBEntry, new_size);
|
2022-08-20 00:20:37 +03:00
|
|
|
desc->fulltlb = g_try_new(CPUTLBEntryFull, new_size);
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-12-07 23:08:04 +03:00
|
|
|
static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
|
2019-01-16 20:01:13 +03:00
|
|
|
{
|
2019-12-07 23:00:56 +03:00
|
|
|
desc->n_used_entries = 0;
|
|
|
|
desc->large_page_addr = -1;
|
|
|
|
desc->large_page_mask = -1;
|
|
|
|
desc->vindex = 0;
|
|
|
|
memset(fast->table, -1, sizeof_tlb(fast));
|
|
|
|
memset(desc->vtable, -1, sizeof(desc->vtable));
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static void tlb_flush_one_mmuidx_locked(CPUState *cpu, int mmu_idx,
|
2019-12-08 01:36:01 +03:00
|
|
|
int64_t now)
|
2019-12-07 23:08:04 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBDesc *desc = &cpu->neg.tlb.d[mmu_idx];
|
|
|
|
CPUTLBDescFast *fast = &cpu->neg.tlb.f[mmu_idx];
|
2019-12-07 23:08:04 +03:00
|
|
|
|
2019-12-08 01:36:01 +03:00
|
|
|
tlb_mmu_resize_locked(desc, fast, now);
|
2019-12-07 23:08:04 +03:00
|
|
|
tlb_mmu_flush_locked(desc, fast);
|
|
|
|
}
|
|
|
|
|
2019-12-08 00:22:19 +03:00
|
|
|
static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
|
|
|
|
{
|
|
|
|
size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
|
|
|
|
|
|
|
|
tlb_window_reset(desc, now, 0);
|
|
|
|
desc->n_used_entries = 0;
|
|
|
|
fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
|
|
|
|
fast->table = g_new(CPUTLBEntry, n_entries);
|
2022-08-20 00:20:37 +03:00
|
|
|
desc->fulltlb = g_new(CPUTLBEntryFull, n_entries);
|
2020-01-09 03:23:56 +03:00
|
|
|
tlb_mmu_flush_locked(desc, fast);
|
2019-12-08 00:22:19 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static inline void tlb_n_used_entries_inc(CPUState *cpu, uintptr_t mmu_idx)
|
2019-01-16 20:01:13 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
cpu->neg.tlb.d[mmu_idx].n_used_entries++;
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static inline void tlb_n_used_entries_dec(CPUState *cpu, uintptr_t mmu_idx)
|
2019-01-16 20:01:13 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
cpu->neg.tlb.d[mmu_idx].n_used_entries--;
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
|
|
|
|
2018-10-09 20:45:54 +03:00
|
|
|
void tlb_init(CPUState *cpu)
|
|
|
|
{
|
2019-12-08 00:22:19 +03:00
|
|
|
int64_t now = get_clock_realtime();
|
|
|
|
int i;
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_init(&cpu->neg.tlb.c.lock);
|
2018-10-20 22:04:57 +03:00
|
|
|
|
2020-01-09 03:23:56 +03:00
|
|
|
/* All tlbs are initialized flushed. */
|
2023-09-12 18:34:20 +03:00
|
|
|
cpu->neg.tlb.c.dirty = 0;
|
2019-01-16 20:01:13 +03:00
|
|
|
|
2019-12-08 00:22:19 +03:00
|
|
|
for (i = 0; i < NB_MMU_MODES; i++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_mmu_init(&cpu->neg.tlb.d[i], &cpu->neg.tlb.f[i], now);
|
2019-12-08 00:22:19 +03:00
|
|
|
}
|
2018-10-09 20:45:54 +03:00
|
|
|
}
|
|
|
|
|
2020-06-12 22:02:26 +03:00
|
|
|
void tlb_destroy(CPUState *cpu)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_destroy(&cpu->neg.tlb.c.lock);
|
2020-06-12 22:02:26 +03:00
|
|
|
for (i = 0; i < NB_MMU_MODES; i++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBDesc *desc = &cpu->neg.tlb.d[i];
|
|
|
|
CPUTLBDescFast *fast = &cpu->neg.tlb.f[i];
|
2020-06-12 22:02:26 +03:00
|
|
|
|
|
|
|
g_free(fast->table);
|
2022-08-20 00:20:37 +03:00
|
|
|
g_free(desc->fulltlb);
|
2020-06-12 22:02:26 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-02-23 21:29:22 +03:00
|
|
|
/* flush_all_helper: run fn across all cpus
|
|
|
|
*
|
|
|
|
* If the wait flag is set then the src cpu's helper will be queued as
|
|
|
|
* "safe" work and the loop exited creating a synchronisation point
|
|
|
|
* where all queued work will be finished before execution starts
|
|
|
|
* again.
|
|
|
|
*/
|
|
|
|
static void flush_all_helper(CPUState *src, run_on_cpu_func fn,
|
|
|
|
run_on_cpu_data d)
|
|
|
|
{
|
|
|
|
CPUState *cpu;
|
|
|
|
|
|
|
|
CPU_FOREACH(cpu) {
|
|
|
|
if (cpu != src) {
|
|
|
|
async_run_on_cpu(cpu, fn, d);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-02-23 21:29:20 +03:00
|
|
|
static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
|
2015-08-25 17:45:09 +03:00
|
|
|
{
|
2018-10-20 22:04:57 +03:00
|
|
|
uint16_t asked = data.host_int;
|
|
|
|
uint16_t all_dirty, work, to_clean;
|
2019-12-08 01:36:01 +03:00
|
|
|
int64_t now = get_clock_realtime();
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2017-02-23 21:29:16 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2018-10-20 22:04:57 +03:00
|
|
|
tlb_debug("mmu_idx:0x%04" PRIx16 "\n", asked);
|
2017-02-23 21:29:20 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
2018-10-20 23:54:46 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
all_dirty = cpu->neg.tlb.c.dirty;
|
2018-10-20 22:04:57 +03:00
|
|
|
to_clean = asked & all_dirty;
|
|
|
|
all_dirty &= ~to_clean;
|
2023-09-12 18:34:20 +03:00
|
|
|
cpu->neg.tlb.c.dirty = all_dirty;
|
2018-10-20 22:04:57 +03:00
|
|
|
|
|
|
|
for (work = to_clean; work != 0; work &= work - 1) {
|
|
|
|
int mmu_idx = ctz32(work);
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_one_mmuidx_locked(cpu, mmu_idx, now);
|
2015-08-25 17:45:09 +03:00
|
|
|
}
|
2018-10-20 22:04:57 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2022-08-15 23:13:05 +03:00
|
|
|
tcg_flush_jmp_cache(cpu);
|
2018-10-23 08:01:01 +03:00
|
|
|
|
2018-10-20 22:04:57 +03:00
|
|
|
if (to_clean == ALL_MMUIDX_BITS) {
|
2023-09-12 18:34:20 +03:00
|
|
|
qatomic_set(&cpu->neg.tlb.c.full_flush_count,
|
|
|
|
cpu->neg.tlb.c.full_flush_count + 1);
|
2018-10-20 00:36:43 +03:00
|
|
|
} else {
|
2023-09-12 18:34:20 +03:00
|
|
|
qatomic_set(&cpu->neg.tlb.c.part_flush_count,
|
|
|
|
cpu->neg.tlb.c.part_flush_count + ctpop16(to_clean));
|
2018-10-20 22:04:57 +03:00
|
|
|
if (to_clean != asked) {
|
2023-09-12 18:34:20 +03:00
|
|
|
qatomic_set(&cpu->neg.tlb.c.elide_flush_count,
|
|
|
|
cpu->neg.tlb.c.elide_flush_count +
|
|
|
|
ctpop16(asked & ~to_clean));
|
2018-10-20 22:04:57 +03:00
|
|
|
}
|
2018-10-23 08:01:01 +03:00
|
|
|
}
|
2015-08-25 17:45:09 +03:00
|
|
|
}
|
|
|
|
|
2017-02-23 21:29:19 +03:00
|
|
|
void tlb_flush_by_mmuidx(CPUState *cpu, uint16_t idxmap)
|
2015-08-25 17:45:09 +03:00
|
|
|
{
|
2017-02-23 21:29:20 +03:00
|
|
|
tlb_debug("mmu_idx: 0x%" PRIx16 "\n", idxmap);
|
|
|
|
|
2024-03-26 17:18:14 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
|
|
|
|
|
|
|
tlb_flush_by_mmuidx_async_work(cpu, RUN_ON_CPU_HOST_INT(idxmap));
|
2015-08-25 17:45:09 +03:00
|
|
|
}
|
|
|
|
|
2018-10-23 08:01:01 +03:00
|
|
|
void tlb_flush(CPUState *cpu)
|
|
|
|
{
|
|
|
|
tlb_flush_by_mmuidx(cpu, ALL_MMUIDX_BITS);
|
|
|
|
}
|
|
|
|
|
|
|
|
void tlb_flush_by_mmuidx_all_cpus_synced(CPUState *src_cpu, uint16_t idxmap)
|
2017-02-23 21:29:22 +03:00
|
|
|
{
|
|
|
|
const run_on_cpu_func fn = tlb_flush_by_mmuidx_async_work;
|
|
|
|
|
|
|
|
tlb_debug("mmu_idx: 0x%"PRIx16"\n", idxmap);
|
|
|
|
|
|
|
|
flush_all_helper(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
|
|
|
|
async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_HOST_INT(idxmap));
|
|
|
|
}
|
|
|
|
|
2018-10-23 08:01:01 +03:00
|
|
|
void tlb_flush_all_cpus_synced(CPUState *src_cpu)
|
|
|
|
{
|
|
|
|
tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, ALL_MMUIDX_BITS);
|
|
|
|
}
|
|
|
|
|
2020-10-17 00:07:53 +03:00
|
|
|
static bool tlb_hit_page_mask_anyprot(CPUTLBEntry *tlb_entry,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr page, vaddr mask)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
|
|
|
page &= mask;
|
|
|
|
mask &= TARGET_PAGE_MASK | TLB_INVALID_MASK;
|
|
|
|
|
|
|
|
return (page == (tlb_entry->addr_read & mask) ||
|
|
|
|
page == (tlb_addr_write(tlb_entry) & mask) ||
|
|
|
|
page == (tlb_entry->addr_code & mask));
|
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
static inline bool tlb_hit_page_anyprot(CPUTLBEntry *tlb_entry, vaddr page)
|
2018-06-29 23:07:08 +03:00
|
|
|
{
|
2020-10-17 00:07:53 +03:00
|
|
|
return tlb_hit_page_mask_anyprot(tlb_entry, page, -1);
|
2018-06-29 23:07:08 +03:00
|
|
|
}
|
2017-02-23 21:29:22 +03:00
|
|
|
|
2019-01-16 20:01:12 +03:00
|
|
|
/**
|
|
|
|
* tlb_entry_is_empty - return true if the entry is not in use
|
|
|
|
* @te: pointer to CPUTLBEntry
|
|
|
|
*/
|
|
|
|
static inline bool tlb_entry_is_empty(const CPUTLBEntry *te)
|
|
|
|
{
|
|
|
|
return te->addr_read == -1 && te->addr_write == -1 && te->addr_code == -1;
|
|
|
|
}
|
|
|
|
|
2018-10-23 05:57:11 +03:00
|
|
|
/* Called with tlb_c.lock held */
|
2020-10-17 00:07:53 +03:00
|
|
|
static bool tlb_flush_entry_mask_locked(CPUTLBEntry *tlb_entry,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr page,
|
|
|
|
vaddr mask)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2020-10-17 00:07:53 +03:00
|
|
|
if (tlb_hit_page_mask_anyprot(tlb_entry, page, mask)) {
|
2013-12-07 01:44:51 +04:00
|
|
|
memset(tlb_entry, -1, sizeof(*tlb_entry));
|
2019-01-16 20:01:13 +03:00
|
|
|
return true;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
2019-01-16 20:01:13 +03:00
|
|
|
return false;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
static inline bool tlb_flush_entry_locked(CPUTLBEntry *tlb_entry, vaddr page)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
|
|
|
return tlb_flush_entry_mask_locked(tlb_entry, page, -1);
|
|
|
|
}
|
|
|
|
|
2018-10-23 05:57:11 +03:00
|
|
|
/* Called with tlb_c.lock held */
|
2023-09-12 18:34:20 +03:00
|
|
|
static void tlb_flush_vtlb_page_mask_locked(CPUState *cpu, int mmu_idx,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr page,
|
|
|
|
vaddr mask)
|
2018-06-29 23:07:08 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBDesc *d = &cpu->neg.tlb.d[mmu_idx];
|
2018-06-29 23:07:08 +03:00
|
|
|
int k;
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
2018-06-29 23:07:08 +03:00
|
|
|
for (k = 0; k < CPU_VTLB_SIZE; k++) {
|
2020-10-17 00:07:53 +03:00
|
|
|
if (tlb_flush_entry_mask_locked(&d->vtable[k], page, mask)) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_n_used_entries_dec(cpu, mmu_idx);
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
2018-06-29 23:07:08 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static inline void tlb_flush_vtlb_page_locked(CPUState *cpu, int mmu_idx,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr page)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_vtlb_page_mask_locked(cpu, mmu_idx, page, -1);
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static void tlb_flush_page_locked(CPUState *cpu, int midx, vaddr page)
|
2018-10-17 21:48:40 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
vaddr lp_addr = cpu->neg.tlb.d[midx].large_page_addr;
|
|
|
|
vaddr lp_mask = cpu->neg.tlb.d[midx].large_page_mask;
|
2018-10-17 21:48:40 +03:00
|
|
|
|
|
|
|
/* Check if we need to flush due to large pages. */
|
|
|
|
if ((page & lp_mask) == lp_addr) {
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("forcing full flush midx %d (%016"
|
|
|
|
VADDR_PRIx "/%016" VADDR_PRIx ")\n",
|
2018-10-17 21:48:40 +03:00
|
|
|
midx, lp_addr, lp_mask);
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime());
|
2018-10-17 21:48:40 +03:00
|
|
|
} else {
|
2023-09-12 18:34:20 +03:00
|
|
|
if (tlb_flush_entry_locked(tlb_entry(cpu, midx, page), page)) {
|
|
|
|
tlb_n_used_entries_dec(cpu, midx);
|
2019-01-16 20:01:13 +03:00
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_vtlb_page_locked(cpu, midx, page);
|
2018-10-17 21:48:40 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-11-11 16:53:30 +03:00
|
|
|
/**
|
|
|
|
* tlb_flush_page_by_mmuidx_async_0:
|
|
|
|
* @cpu: cpu on which to flush
|
|
|
|
* @addr: page of virtual address to flush
|
|
|
|
* @idxmap: set of mmu_idx to flush
|
|
|
|
*
|
|
|
|
* Helper for tlb_flush_page_by_mmuidx and friends, flush one page
|
|
|
|
* at @addr from the tlbs indicated by @idxmap from @cpu.
|
2017-02-23 21:29:20 +03:00
|
|
|
*/
|
2019-11-11 16:53:30 +03:00
|
|
|
static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr,
|
2019-11-11 16:53:30 +03:00
|
|
|
uint16_t idxmap)
|
2015-08-25 17:45:09 +03:00
|
|
|
{
|
2017-02-23 21:29:20 +03:00
|
|
|
int mmu_idx;
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2017-02-23 21:29:16 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("page addr: %016" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap);
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
2017-02-23 21:29:19 +03:00
|
|
|
for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
|
2019-11-11 16:53:30 +03:00
|
|
|
if ((idxmap >> mmu_idx) & 1) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_page_locked(cpu, mmu_idx, addr);
|
2015-08-25 17:45:09 +03:00
|
|
|
}
|
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2015-08-25 17:45:09 +03:00
|
|
|
|
2022-09-29 20:51:21 +03:00
|
|
|
/*
|
|
|
|
* Discard jump cache entries for any tb which might potentially
|
|
|
|
* overlap the flushed page, which includes the previous.
|
|
|
|
*/
|
|
|
|
tb_jmp_cache_clear_page(cpu, addr - TARGET_PAGE_SIZE);
|
|
|
|
tb_jmp_cache_clear_page(cpu, addr);
|
2015-08-25 17:45:09 +03:00
|
|
|
}
|
|
|
|
|
2019-11-11 16:53:30 +03:00
|
|
|
/**
|
|
|
|
* tlb_flush_page_by_mmuidx_async_1:
|
|
|
|
* @cpu: cpu on which to flush
|
|
|
|
* @data: encoded addr + idxmap
|
|
|
|
*
|
|
|
|
* Helper for tlb_flush_page_by_mmuidx and friends, called through
|
|
|
|
* async_run_on_cpu. The idxmap parameter is encoded in the page
|
|
|
|
* offset of the target_ptr field. This limits the set of mmu_idx
|
|
|
|
* that can be passed via this method.
|
|
|
|
*/
|
|
|
|
static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
|
|
|
|
run_on_cpu_data data)
|
|
|
|
{
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr_and_idxmap = data.target_ptr;
|
|
|
|
vaddr addr = addr_and_idxmap & TARGET_PAGE_MASK;
|
2019-11-11 16:53:30 +03:00
|
|
|
uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
|
|
|
|
|
|
|
|
tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
|
|
|
|
}
|
|
|
|
|
|
|
|
typedef struct {
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr;
|
2019-11-11 16:53:30 +03:00
|
|
|
uint16_t idxmap;
|
|
|
|
} TLBFlushPageByMMUIdxData;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* tlb_flush_page_by_mmuidx_async_2:
|
|
|
|
* @cpu: cpu on which to flush
|
|
|
|
* @data: allocated addr + idxmap
|
|
|
|
*
|
|
|
|
* Helper for tlb_flush_page_by_mmuidx and friends, called through
|
|
|
|
* async_run_on_cpu. The addr+idxmap parameters are stored in a
|
|
|
|
* TLBFlushPageByMMUIdxData structure that has been allocated
|
|
|
|
* specifically for this helper. Free the structure when done.
|
|
|
|
*/
|
|
|
|
static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
|
|
|
|
run_on_cpu_data data)
|
2017-02-23 21:29:20 +03:00
|
|
|
{
|
2019-11-11 16:53:30 +03:00
|
|
|
TLBFlushPageByMMUIdxData *d = data.host_ptr;
|
|
|
|
|
|
|
|
tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
|
|
|
|
g_free(d);
|
|
|
|
}
|
2017-02-23 21:29:20 +03:00
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_flush_page_by_mmuidx(CPUState *cpu, vaddr addr, uint16_t idxmap)
|
2019-11-11 16:53:30 +03:00
|
|
|
{
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap);
|
2017-02-23 21:29:20 +03:00
|
|
|
|
2024-03-26 17:18:14 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
|
|
|
|
2017-02-23 21:29:20 +03:00
|
|
|
/* This should already be page aligned */
|
2019-11-11 16:53:30 +03:00
|
|
|
addr &= TARGET_PAGE_MASK;
|
2017-02-23 21:29:20 +03:00
|
|
|
|
2024-03-26 17:18:14 +03:00
|
|
|
tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
|
2017-02-23 21:29:20 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_flush_page(CPUState *cpu, vaddr addr)
|
2018-10-20 00:25:09 +03:00
|
|
|
{
|
|
|
|
tlb_flush_page_by_mmuidx(cpu, addr, ALL_MMUIDX_BITS);
|
|
|
|
}
|
|
|
|
|
2017-02-23 21:29:22 +03:00
|
|
|
void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr,
|
2018-10-17 21:48:40 +03:00
|
|
|
uint16_t idxmap)
|
2017-02-23 21:29:22 +03:00
|
|
|
{
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
|
2017-02-23 21:29:22 +03:00
|
|
|
|
|
|
|
/* This should already be page aligned */
|
2019-11-11 16:53:30 +03:00
|
|
|
addr &= TARGET_PAGE_MASK;
|
2017-02-23 21:29:22 +03:00
|
|
|
|
2019-11-11 16:53:30 +03:00
|
|
|
/*
|
|
|
|
* Allocate memory to hold addr+idxmap only when needed.
|
|
|
|
* See tlb_flush_page_by_mmuidx for details.
|
|
|
|
*/
|
|
|
|
if (idxmap < TARGET_PAGE_SIZE) {
|
|
|
|
flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
|
|
|
|
RUN_ON_CPU_TARGET_PTR(addr | idxmap));
|
|
|
|
async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
|
|
|
|
RUN_ON_CPU_TARGET_PTR(addr | idxmap));
|
|
|
|
} else {
|
|
|
|
CPUState *dst_cpu;
|
|
|
|
TLBFlushPageByMMUIdxData *d;
|
|
|
|
|
|
|
|
/* Allocate a separate data block for each destination cpu. */
|
|
|
|
CPU_FOREACH(dst_cpu) {
|
|
|
|
if (dst_cpu != src_cpu) {
|
|
|
|
d = g_new(TLBFlushPageByMMUIdxData, 1);
|
|
|
|
d->addr = addr;
|
|
|
|
d->idxmap = idxmap;
|
|
|
|
async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
|
|
|
|
RUN_ON_CPU_HOST_PTR(d));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
d = g_new(TLBFlushPageByMMUIdxData, 1);
|
|
|
|
d->addr = addr;
|
|
|
|
d->idxmap = idxmap;
|
|
|
|
async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
|
|
|
|
RUN_ON_CPU_HOST_PTR(d));
|
|
|
|
}
|
2017-02-23 21:29:22 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_flush_page_all_cpus_synced(CPUState *src, vaddr addr)
|
2017-02-23 21:29:22 +03:00
|
|
|
{
|
2018-10-20 00:25:09 +03:00
|
|
|
tlb_flush_page_by_mmuidx_all_cpus_synced(src, addr, ALL_MMUIDX_BITS);
|
2017-02-23 21:29:18 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
static void tlb_flush_range_locked(CPUState *cpu, int midx,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr, vaddr len,
|
2021-05-09 18:16:11 +03:00
|
|
|
unsigned bits)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBDesc *d = &cpu->neg.tlb.d[midx];
|
|
|
|
CPUTLBDescFast *f = &cpu->neg.tlb.f[midx];
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr mask = MAKE_64BIT_MASK(0, bits);
|
2020-10-17 00:07:53 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If @bits is smaller than the tlb size, there may be multiple entries
|
|
|
|
* within the TLB; otherwise all addresses that match under @mask hit
|
|
|
|
* the same TLB entry.
|
|
|
|
* TODO: Perhaps allow bits to be a few bits less than the size.
|
|
|
|
* For now, just flush the entire TLB.
|
2021-05-09 18:16:11 +03:00
|
|
|
*
|
|
|
|
* If @len is larger than the tlb size, then it will take longer to
|
|
|
|
* test all of the entries in the TLB than it will to flush it all.
|
2020-10-17 00:07:53 +03:00
|
|
|
*/
|
2021-05-09 18:16:11 +03:00
|
|
|
if (mask < f->mask || len > f->mask) {
|
2020-10-17 00:07:53 +03:00
|
|
|
tlb_debug("forcing full flush midx %d ("
|
2023-07-13 15:07:46 +03:00
|
|
|
"%016" VADDR_PRIx "/%016" VADDR_PRIx "+%016" VADDR_PRIx ")\n",
|
2021-05-09 18:16:11 +03:00
|
|
|
midx, addr, mask, len);
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime());
|
2020-10-17 00:07:53 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2021-05-09 18:16:11 +03:00
|
|
|
/*
|
|
|
|
* Check if we need to flush due to large pages.
|
|
|
|
* Because large_page_mask contains all 1's from the msb,
|
|
|
|
* we only need to test the end of the range.
|
|
|
|
*/
|
|
|
|
if (((addr + len - 1) & d->large_page_mask) == d->large_page_addr) {
|
2020-10-17 00:07:53 +03:00
|
|
|
tlb_debug("forcing full flush midx %d ("
|
2023-07-13 15:07:46 +03:00
|
|
|
"%016" VADDR_PRIx "/%016" VADDR_PRIx ")\n",
|
2020-10-17 00:07:53 +03:00
|
|
|
midx, d->large_page_addr, d->large_page_mask);
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_one_mmuidx_locked(cpu, midx, get_clock_realtime());
|
2020-10-17 00:07:53 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
for (vaddr i = 0; i < len; i += TARGET_PAGE_SIZE) {
|
|
|
|
vaddr page = addr + i;
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBEntry *entry = tlb_entry(cpu, midx, page);
|
2021-05-09 18:16:11 +03:00
|
|
|
|
|
|
|
if (tlb_flush_entry_mask_locked(entry, page, mask)) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_n_used_entries_dec(cpu, midx);
|
2021-05-09 18:16:11 +03:00
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_vtlb_page_mask_locked(cpu, midx, page, mask);
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
typedef struct {
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr;
|
|
|
|
vaddr len;
|
2020-10-17 00:07:53 +03:00
|
|
|
uint16_t idxmap;
|
|
|
|
uint16_t bits;
|
2021-05-09 18:16:12 +03:00
|
|
|
} TLBFlushRangeData;
|
2020-10-17 00:07:53 +03:00
|
|
|
|
2021-05-09 18:16:16 +03:00
|
|
|
static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu,
|
|
|
|
TLBFlushRangeData d)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
|
|
|
int mmu_idx;
|
|
|
|
|
|
|
|
assert_cpu_is_self(cpu);
|
|
|
|
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("range: %016" VADDR_PRIx "/%u+%016" VADDR_PRIx " mmu_map:0x%x\n",
|
2021-05-09 18:16:11 +03:00
|
|
|
d.addr, d.bits, d.len, d.idxmap);
|
2020-10-17 00:07:53 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
2020-10-17 00:07:53 +03:00
|
|
|
for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
|
|
|
|
if ((d.idxmap >> mmu_idx) & 1) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_range_locked(cpu, mmu_idx, d.addr, d.len, d.bits);
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2020-10-17 00:07:53 +03:00
|
|
|
|
2022-01-10 19:47:53 +03:00
|
|
|
/*
|
|
|
|
* If the length is larger than the jump cache size, then it will take
|
|
|
|
* longer to clear each entry individually than it will to clear it all.
|
|
|
|
*/
|
|
|
|
if (d.len >= (TARGET_PAGE_SIZE * TB_JMP_CACHE_SIZE)) {
|
2022-08-15 23:13:05 +03:00
|
|
|
tcg_flush_jmp_cache(cpu);
|
2022-01-10 19:47:53 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2022-09-29 20:51:21 +03:00
|
|
|
/*
|
|
|
|
* Discard jump cache entries for any tb which might potentially
|
|
|
|
* overlap the flushed pages, which includes the previous.
|
|
|
|
*/
|
|
|
|
d.addr -= TARGET_PAGE_SIZE;
|
2023-06-21 16:56:22 +03:00
|
|
|
for (vaddr i = 0, n = d.len / TARGET_PAGE_SIZE + 1; i < n; i++) {
|
2022-09-29 20:51:21 +03:00
|
|
|
tb_jmp_cache_clear_page(cpu, d.addr);
|
|
|
|
d.addr += TARGET_PAGE_SIZE;
|
2021-05-09 18:16:11 +03:00
|
|
|
}
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
|
2021-05-09 18:16:17 +03:00
|
|
|
static void tlb_flush_range_by_mmuidx_async_1(CPUState *cpu,
|
|
|
|
run_on_cpu_data data)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
2021-05-09 18:16:12 +03:00
|
|
|
TLBFlushRangeData *d = data.host_ptr;
|
2021-05-09 18:16:16 +03:00
|
|
|
tlb_flush_range_by_mmuidx_async_0(cpu, *d);
|
2020-10-17 00:07:53 +03:00
|
|
|
g_free(d);
|
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_flush_range_by_mmuidx(CPUState *cpu, vaddr addr,
|
|
|
|
vaddr len, uint16_t idxmap,
|
2021-05-09 18:16:13 +03:00
|
|
|
unsigned bits)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
2021-05-09 18:16:12 +03:00
|
|
|
TLBFlushRangeData d;
|
2020-10-17 00:07:53 +03:00
|
|
|
|
2024-03-26 17:18:14 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
|
|
|
|
2021-05-09 18:16:13 +03:00
|
|
|
/*
|
|
|
|
* If all bits are significant, and len is small,
|
|
|
|
* this devolves to tlb_flush_page.
|
|
|
|
*/
|
|
|
|
if (bits >= TARGET_LONG_BITS && len <= TARGET_PAGE_SIZE) {
|
2020-10-17 00:07:53 +03:00
|
|
|
tlb_flush_page_by_mmuidx(cpu, addr, idxmap);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* If no page bits are significant, this devolves to tlb_flush. */
|
|
|
|
if (bits < TARGET_PAGE_BITS) {
|
|
|
|
tlb_flush_by_mmuidx(cpu, idxmap);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This should already be page aligned */
|
|
|
|
d.addr = addr & TARGET_PAGE_MASK;
|
2021-05-09 18:16:13 +03:00
|
|
|
d.len = len;
|
2020-10-17 00:07:53 +03:00
|
|
|
d.idxmap = idxmap;
|
|
|
|
d.bits = bits;
|
|
|
|
|
2024-03-26 17:18:14 +03:00
|
|
|
tlb_flush_range_by_mmuidx_async_0(cpu, d);
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_flush_page_bits_by_mmuidx(CPUState *cpu, vaddr addr,
|
2021-05-09 18:16:13 +03:00
|
|
|
uint16_t idxmap, unsigned bits)
|
|
|
|
{
|
|
|
|
tlb_flush_range_by_mmuidx(cpu, addr, TARGET_PAGE_SIZE, idxmap, bits);
|
|
|
|
}
|
|
|
|
|
2021-05-09 18:16:15 +03:00
|
|
|
void tlb_flush_range_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr,
|
|
|
|
vaddr len,
|
2021-05-09 18:16:15 +03:00
|
|
|
uint16_t idxmap,
|
|
|
|
unsigned bits)
|
2020-10-17 00:07:53 +03:00
|
|
|
{
|
2021-05-09 18:16:18 +03:00
|
|
|
TLBFlushRangeData d, *p;
|
|
|
|
CPUState *dst_cpu;
|
2020-10-17 00:07:53 +03:00
|
|
|
|
2021-05-09 18:16:15 +03:00
|
|
|
/*
|
|
|
|
* If all bits are significant, and len is small,
|
|
|
|
* this devolves to tlb_flush_page.
|
|
|
|
*/
|
|
|
|
if (bits >= TARGET_LONG_BITS && len <= TARGET_PAGE_SIZE) {
|
2020-10-17 00:07:53 +03:00
|
|
|
tlb_flush_page_by_mmuidx_all_cpus_synced(src_cpu, addr, idxmap);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
/* If no page bits are significant, this devolves to tlb_flush. */
|
|
|
|
if (bits < TARGET_PAGE_BITS) {
|
|
|
|
tlb_flush_by_mmuidx_all_cpus_synced(src_cpu, idxmap);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* This should already be page aligned */
|
|
|
|
d.addr = addr & TARGET_PAGE_MASK;
|
2021-05-09 18:16:15 +03:00
|
|
|
d.len = len;
|
2020-10-17 00:07:53 +03:00
|
|
|
d.idxmap = idxmap;
|
|
|
|
d.bits = bits;
|
|
|
|
|
2021-05-09 18:16:18 +03:00
|
|
|
/* Allocate a separate data block for each destination cpu. */
|
|
|
|
CPU_FOREACH(dst_cpu) {
|
|
|
|
if (dst_cpu != src_cpu) {
|
|
|
|
p = g_memdup(&d, sizeof(d));
|
2021-05-09 18:16:17 +03:00
|
|
|
async_run_on_cpu(dst_cpu, tlb_flush_range_by_mmuidx_async_1,
|
2021-05-09 18:16:18 +03:00
|
|
|
RUN_ON_CPU_HOST_PTR(p));
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
}
|
2021-05-09 18:16:18 +03:00
|
|
|
|
|
|
|
p = g_memdup(&d, sizeof(d));
|
2021-05-09 18:16:17 +03:00
|
|
|
async_safe_run_on_cpu(src_cpu, tlb_flush_range_by_mmuidx_async_1,
|
2021-05-09 18:16:18 +03:00
|
|
|
RUN_ON_CPU_HOST_PTR(p));
|
2020-10-17 00:07:53 +03:00
|
|
|
}
|
|
|
|
|
2021-05-09 18:16:15 +03:00
|
|
|
void tlb_flush_page_bits_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr,
|
2021-05-09 18:16:15 +03:00
|
|
|
uint16_t idxmap,
|
|
|
|
unsigned bits)
|
|
|
|
{
|
|
|
|
tlb_flush_range_by_mmuidx_all_cpus_synced(src_cpu, addr, TARGET_PAGE_SIZE,
|
|
|
|
idxmap, bits);
|
|
|
|
}
|
|
|
|
|
2012-04-09 20:50:52 +04:00
|
|
|
/* update the TLBs so that writes to code in the virtual page 'addr'
|
|
|
|
can be detected */
|
|
|
|
void tlb_protect_code(ram_addr_t ram_addr)
|
|
|
|
{
|
2022-08-15 23:00:57 +03:00
|
|
|
cpu_physical_memory_test_and_clear_dirty(ram_addr & TARGET_PAGE_MASK,
|
|
|
|
TARGET_PAGE_SIZE,
|
2014-12-02 14:23:18 +03:00
|
|
|
DIRTY_MEMORY_CODE);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* update the TLB so that writes in physical page 'phys_addr' are no longer
|
|
|
|
tested for self modifying code */
|
2015-04-22 15:24:54 +03:00
|
|
|
void tlb_unprotect_code(ram_addr_t ram_addr)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2013-10-08 14:44:04 +04:00
|
|
|
cpu_physical_memory_set_dirty_flag(ram_addr, DIRTY_MEMORY_CODE);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-02-23 21:29:21 +03:00
|
|
|
/*
|
|
|
|
* Dirty write flag handling
|
|
|
|
*
|
|
|
|
* When the TCG code writes to a location it looks up the address in
|
|
|
|
* the TLB and uses that data to compute the final address. If any of
|
|
|
|
* the lower bits of the address are set then the slow path is forced.
|
|
|
|
* There are a number of reasons to do this but for normal RAM the
|
|
|
|
* most usual is detecting writes to code regions which may invalidate
|
|
|
|
* generated code.
|
|
|
|
*
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
* Other vCPUs might be reading their TLBs during guest execution, so we update
|
2020-09-23 13:56:46 +03:00
|
|
|
* te->addr_write with qatomic_set. We don't need to worry about this for
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
* oversized guests as MTTCG is disabled for them.
|
2017-02-23 21:29:21 +03:00
|
|
|
*
|
2018-10-23 05:57:11 +03:00
|
|
|
* Called with tlb_c.lock held.
|
2017-02-23 21:29:21 +03:00
|
|
|
*/
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
static void tlb_reset_dirty_range_locked(CPUTLBEntry *tlb_entry,
|
|
|
|
uintptr_t start, uintptr_t length)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2017-02-23 21:29:21 +03:00
|
|
|
uintptr_t addr = tlb_entry->addr_write;
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2019-09-20 03:54:10 +03:00
|
|
|
if ((addr & (TLB_INVALID_MASK | TLB_MMIO |
|
|
|
|
TLB_DISCARD_WRITE | TLB_NOTDIRTY)) == 0) {
|
2017-02-23 21:29:21 +03:00
|
|
|
addr &= TARGET_PAGE_MASK;
|
|
|
|
addr += tlb_entry->addend;
|
2012-04-09 20:50:52 +04:00
|
|
|
if ((addr - start) < length) {
|
tcg: Widen CPUTLBEntry comparators to 64-bits
This makes CPUTLBEntry agnostic to the address size of the guest.
When 32-bit addresses are in effect, we can simply read the low
32 bits of the 64-bit field. Similarly when we need to update
the field for setting TLB_NOTDIRTY.
For TCG backends that could in theory be big-endian, but in
practice are not (arm, loongarch, riscv), use QEMU_BUILD_BUG_ON
to document and ensure this is not accidentally missed.
For s390x, which is always big-endian, use HOST_BIG_ENDIAN anyway,
to document the reason for the adjustment.
For sparc64 and ppc64, always perform a 64-bit load, and rely on
the following 32-bit comparison to ignore the high bits.
Rearrange mips and ppc if ladders for clarity.
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-03-24 23:02:59 +03:00
|
|
|
#if TARGET_LONG_BITS == 32
|
|
|
|
uint32_t *ptr_write = (uint32_t *)&tlb_entry->addr_write;
|
|
|
|
ptr_write += HOST_BIG_ENDIAN;
|
|
|
|
qatomic_set(ptr_write, *ptr_write | TLB_NOTDIRTY);
|
|
|
|
#elif TCG_OVERSIZED_GUEST
|
2012-04-09 20:50:52 +04:00
|
|
|
tlb_entry->addr_write |= TLB_NOTDIRTY;
|
2017-02-23 21:29:21 +03:00
|
|
|
#else
|
2020-09-23 13:56:46 +03:00
|
|
|
qatomic_set(&tlb_entry->addr_write,
|
tcg: Widen CPUTLBEntry comparators to 64-bits
This makes CPUTLBEntry agnostic to the address size of the guest.
When 32-bit addresses are in effect, we can simply read the low
32 bits of the 64-bit field. Similarly when we need to update
the field for setting TLB_NOTDIRTY.
For TCG backends that could in theory be big-endian, but in
practice are not (arm, loongarch, riscv), use QEMU_BUILD_BUG_ON
to document and ensure this is not accidentally missed.
For s390x, which is always big-endian, use HOST_BIG_ENDIAN anyway,
to document the reason for the adjustment.
For sparc64 and ppc64, always perform a 64-bit load, and rely on
the following 32-bit comparison to ignore the high bits.
Rearrange mips and ppc if ladders for clarity.
Reviewed-by: Anton Johansson <anjo@rev.ng>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-03-24 23:02:59 +03:00
|
|
|
tlb_entry->addr_write | TLB_NOTDIRTY);
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
#endif
|
2017-02-23 21:29:21 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
/*
|
2018-10-23 05:57:11 +03:00
|
|
|
* Called with tlb_c.lock held.
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
* Called only from the vCPU context, i.e. the TLB's owner thread.
|
|
|
|
*/
|
|
|
|
static inline void copy_tlb_helper_locked(CPUTLBEntry *d, const CPUTLBEntry *s)
|
2017-02-23 21:29:21 +03:00
|
|
|
{
|
|
|
|
*d = *s;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2017-02-23 21:29:21 +03:00
|
|
|
/* This is a cross vCPU call (i.e. another vCPU resetting the flags of
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
* the target vCPU).
|
2018-10-23 05:57:11 +03:00
|
|
|
* We must take tlb_c.lock to avoid racing with another vCPU update. The only
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
* thing actually updated is the target TLB entry ->addr_write flags.
|
2017-02-23 21:29:21 +03:00
|
|
|
*/
|
2015-09-11 08:39:41 +03:00
|
|
|
void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2015-09-11 08:39:41 +03:00
|
|
|
int mmu_idx;
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
2015-09-11 08:39:41 +03:00
|
|
|
for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
|
|
|
|
unsigned int i;
|
2023-09-12 18:34:20 +03:00
|
|
|
unsigned int n = tlb_n_entries(&cpu->neg.tlb.f[mmu_idx]);
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2019-01-16 20:01:13 +03:00
|
|
|
for (i = 0; i < n; i++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_reset_dirty_range_locked(&cpu->neg.tlb.f[mmu_idx].table[i],
|
2019-03-22 23:52:09 +03:00
|
|
|
start1, length);
|
2015-09-11 08:39:41 +03:00
|
|
|
}
|
implementing victim TLB for QEMU system emulated TLB
QEMU system mode page table walks are expensive. Taken by running QEMU
qemu-system-x86_64 system mode on Intel PIN , a TLB miss and walking a
4-level page tables in guest Linux OS takes ~450 X86 instructions on
average.
QEMU system mode TLB is implemented using a directly-mapped hashtable.
This structure suffers from conflict misses. Increasing the
associativity of the TLB may not be the solution to conflict misses as
all the ways may have to be walked in serial.
A victim TLB is a TLB used to hold translations evicted from the
primary TLB upon replacement. The victim TLB lies between the main TLB
and its refill path. Victim TLB is of greater associativity (fully
associative in this patch). It takes longer to lookup the victim TLB,
but its likely better than a full page table walk. The memory
translation path is changed as follows :
Before Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. TLB refill.
5. Do the memory access.
6. Return to code cache.
After Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. Victim TLB lookup.
5. If victim TLB misses, TLB refill
6. Do the memory access.
7. Return to code cache
The advantage is that victim TLB can offer more associativity to a
directly mapped TLB and thus potentially fewer page table walks while
still keeping the time taken to flush within reasonable limits.
However, placing a victim TLB before the refill path increase TLB
refill path as the victim TLB is consulted before the TLB refill. The
performance results demonstrate that the pros outweigh the cons.
some performance results taken on SPECINT2006 train
datasets and kernel boot and qemu configure script on an
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz Linux machine are shown in the
Google Doc link below.
https://docs.google.com/spreadsheets/d/1eiItzekZwNQOal_h-5iJmC4tMDi051m9qidi5_nwvH4/edit?usp=sharing
In summary, victim TLB improves the performance of qemu-system-x86_64 by
11% on average on SPECINT2006, kernelboot and qemu configscript and with
highest improvement of in 26% in 456.hmmer. And victim TLB does not result
in any performance degradation in any of the measured benchmarks. Furthermore,
the implemented victim TLB is architecture independent and is expected to
benefit other architectures in QEMU as well.
Although there are measurement fluctuations, the performance
improvement is very significant and by no means in the range of
noises.
Signed-off-by: Xin Tong <trent.tong@gmail.com>
Message-id: 1407202523-23553-1-git-send-email-trent.tong@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-05 05:35:23 +04:00
|
|
|
|
2015-09-11 08:39:41 +03:00
|
|
|
for (i = 0; i < CPU_VTLB_SIZE; i++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_reset_dirty_range_locked(&cpu->neg.tlb.d[mmu_idx].vtable[i],
|
2019-03-22 23:52:09 +03:00
|
|
|
start1, length);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2018-10-23 05:57:11 +03:00
|
|
|
/* Called with tlb_c.lock held */
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
static inline void tlb_set_dirty1_locked(CPUTLBEntry *tlb_entry,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2023-06-21 16:56:22 +03:00
|
|
|
if (tlb_entry->addr_write == (addr | TLB_NOTDIRTY)) {
|
|
|
|
tlb_entry->addr_write = addr;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* update the TLB corresponding to virtual page vaddr
|
|
|
|
so that it is no longer dirty */
|
2023-09-14 22:40:07 +03:00
|
|
|
static void tlb_set_dirty(CPUState *cpu, vaddr addr)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
|
|
|
int mmu_idx;
|
|
|
|
|
2017-02-23 21:29:16 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
addr &= TARGET_PAGE_MASK;
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
2012-04-09 20:50:52 +04:00
|
|
|
for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_set_dirty1_locked(tlb_entry(cpu, mmu_idx, addr), addr);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
implementing victim TLB for QEMU system emulated TLB
QEMU system mode page table walks are expensive. Taken by running QEMU
qemu-system-x86_64 system mode on Intel PIN , a TLB miss and walking a
4-level page tables in guest Linux OS takes ~450 X86 instructions on
average.
QEMU system mode TLB is implemented using a directly-mapped hashtable.
This structure suffers from conflict misses. Increasing the
associativity of the TLB may not be the solution to conflict misses as
all the ways may have to be walked in serial.
A victim TLB is a TLB used to hold translations evicted from the
primary TLB upon replacement. The victim TLB lies between the main TLB
and its refill path. Victim TLB is of greater associativity (fully
associative in this patch). It takes longer to lookup the victim TLB,
but its likely better than a full page table walk. The memory
translation path is changed as follows :
Before Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. TLB refill.
5. Do the memory access.
6. Return to code cache.
After Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. Victim TLB lookup.
5. If victim TLB misses, TLB refill
6. Do the memory access.
7. Return to code cache
The advantage is that victim TLB can offer more associativity to a
directly mapped TLB and thus potentially fewer page table walks while
still keeping the time taken to flush within reasonable limits.
However, placing a victim TLB before the refill path increase TLB
refill path as the victim TLB is consulted before the TLB refill. The
performance results demonstrate that the pros outweigh the cons.
some performance results taken on SPECINT2006 train
datasets and kernel boot and qemu configure script on an
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz Linux machine are shown in the
Google Doc link below.
https://docs.google.com/spreadsheets/d/1eiItzekZwNQOal_h-5iJmC4tMDi051m9qidi5_nwvH4/edit?usp=sharing
In summary, victim TLB improves the performance of qemu-system-x86_64 by
11% on average on SPECINT2006, kernelboot and qemu configscript and with
highest improvement of in 26% in 456.hmmer. And victim TLB does not result
in any performance degradation in any of the measured benchmarks. Furthermore,
the implemented victim TLB is architecture independent and is expected to
benefit other architectures in QEMU as well.
Although there are measurement fluctuations, the performance
improvement is very significant and by no means in the range of
noises.
Signed-off-by: Xin Tong <trent.tong@gmail.com>
Message-id: 1407202523-23553-1-git-send-email-trent.tong@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-05 05:35:23 +04:00
|
|
|
|
|
|
|
for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
|
|
|
|
int k;
|
|
|
|
for (k = 0; k < CPU_VTLB_SIZE; k++) {
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_set_dirty1_locked(&cpu->neg.tlb.d[mmu_idx].vtable[k], addr);
|
implementing victim TLB for QEMU system emulated TLB
QEMU system mode page table walks are expensive. Taken by running QEMU
qemu-system-x86_64 system mode on Intel PIN , a TLB miss and walking a
4-level page tables in guest Linux OS takes ~450 X86 instructions on
average.
QEMU system mode TLB is implemented using a directly-mapped hashtable.
This structure suffers from conflict misses. Increasing the
associativity of the TLB may not be the solution to conflict misses as
all the ways may have to be walked in serial.
A victim TLB is a TLB used to hold translations evicted from the
primary TLB upon replacement. The victim TLB lies between the main TLB
and its refill path. Victim TLB is of greater associativity (fully
associative in this patch). It takes longer to lookup the victim TLB,
but its likely better than a full page table walk. The memory
translation path is changed as follows :
Before Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. TLB refill.
5. Do the memory access.
6. Return to code cache.
After Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. Victim TLB lookup.
5. If victim TLB misses, TLB refill
6. Do the memory access.
7. Return to code cache
The advantage is that victim TLB can offer more associativity to a
directly mapped TLB and thus potentially fewer page table walks while
still keeping the time taken to flush within reasonable limits.
However, placing a victim TLB before the refill path increase TLB
refill path as the victim TLB is consulted before the TLB refill. The
performance results demonstrate that the pros outweigh the cons.
some performance results taken on SPECINT2006 train
datasets and kernel boot and qemu configure script on an
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz Linux machine are shown in the
Google Doc link below.
https://docs.google.com/spreadsheets/d/1eiItzekZwNQOal_h-5iJmC4tMDi051m9qidi5_nwvH4/edit?usp=sharing
In summary, victim TLB improves the performance of qemu-system-x86_64 by
11% on average on SPECINT2006, kernelboot and qemu configscript and with
highest improvement of in 26% in 456.hmmer. And victim TLB does not result
in any performance degradation in any of the measured benchmarks. Furthermore,
the implemented victim TLB is architecture independent and is expected to
benefit other architectures in QEMU as well.
Although there are measurement fluctuations, the performance
improvement is very significant and by no means in the range of
noises.
Signed-off-by: Xin Tong <trent.tong@gmail.com>
Message-id: 1407202523-23553-1-git-send-email-trent.tong@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-05 05:35:23 +04:00
|
|
|
}
|
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Our TLB does not support large pages, so remember the area covered by
|
|
|
|
large pages and trigger a full TLB flush if these are invalidated. */
|
2023-09-12 18:34:20 +03:00
|
|
|
static void tlb_add_large_page(CPUState *cpu, int mmu_idx,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr, uint64_t size)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
vaddr lp_addr = cpu->neg.tlb.d[mmu_idx].large_page_addr;
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr lp_mask = ~(size - 1);
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
if (lp_addr == (vaddr)-1) {
|
2018-10-17 21:48:40 +03:00
|
|
|
/* No previous large page. */
|
2023-06-21 16:56:22 +03:00
|
|
|
lp_addr = addr;
|
2018-10-17 21:48:40 +03:00
|
|
|
} else {
|
|
|
|
/* Extend the existing region to include the new page.
|
|
|
|
This is a compromise between unnecessary flushes and
|
|
|
|
the cost of maintaining a full variable size TLB. */
|
2023-09-12 18:34:20 +03:00
|
|
|
lp_mask &= cpu->neg.tlb.d[mmu_idx].large_page_mask;
|
2023-06-21 16:56:22 +03:00
|
|
|
while (((lp_addr ^ addr) & lp_mask) != 0) {
|
2018-10-17 21:48:40 +03:00
|
|
|
lp_mask <<= 1;
|
|
|
|
}
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
2023-09-12 18:34:20 +03:00
|
|
|
cpu->neg.tlb.d[mmu_idx].large_page_addr = lp_addr & lp_mask;
|
|
|
|
cpu->neg.tlb.d[mmu_idx].large_page_mask = lp_mask;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2023-02-23 08:17:52 +03:00
|
|
|
static inline void tlb_set_compare(CPUTLBEntryFull *full, CPUTLBEntry *ent,
|
2023-08-07 18:57:05 +03:00
|
|
|
vaddr address, int flags,
|
2023-02-23 08:17:52 +03:00
|
|
|
MMUAccessType access_type, bool enable)
|
|
|
|
{
|
|
|
|
if (enable) {
|
|
|
|
address |= flags & TLB_FLAGS_MASK;
|
|
|
|
flags &= TLB_SLOW_FLAGS_MASK;
|
|
|
|
if (flags) {
|
|
|
|
address |= TLB_FORCE_SLOW;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
address = -1;
|
|
|
|
flags = 0;
|
|
|
|
}
|
|
|
|
ent->addr_idx[access_type] = address;
|
|
|
|
full->slow_flags[access_type] = flags;
|
|
|
|
}
|
|
|
|
|
2022-08-20 02:33:23 +03:00
|
|
|
/*
|
|
|
|
* Add a new TLB entry. At most one entry for a given virtual address
|
2015-01-21 14:09:14 +03:00
|
|
|
* is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
|
|
|
|
* supplied size is only used by tlb_flush_page.
|
|
|
|
*
|
|
|
|
* Called from TCG-generated code, which is under an RCU read-side
|
|
|
|
* critical section.
|
|
|
|
*/
|
2022-08-20 02:33:23 +03:00
|
|
|
void tlb_set_page_full(CPUState *cpu, int mmu_idx,
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr, CPUTLBEntryFull *full)
|
2012-04-09 20:50:52 +04:00
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLB *tlb = &cpu->neg.tlb;
|
2019-03-22 23:52:09 +03:00
|
|
|
CPUTLBDesc *desc = &tlb->d[mmu_idx];
|
2012-04-09 20:50:52 +04:00
|
|
|
MemoryRegionSection *section;
|
2023-02-23 08:17:52 +03:00
|
|
|
unsigned int index, read_flags, write_flags;
|
2012-04-09 20:50:52 +04:00
|
|
|
uintptr_t addend;
|
2018-06-29 23:07:08 +03:00
|
|
|
CPUTLBEntry *te, tn;
|
2018-06-26 19:50:41 +03:00
|
|
|
hwaddr iotlb, xlat, sz, paddr_page;
|
2023-06-21 16:56:22 +03:00
|
|
|
vaddr addr_page;
|
2022-08-20 02:33:23 +03:00
|
|
|
int asidx, wp_flags, prot;
|
2019-09-20 07:09:58 +03:00
|
|
|
bool is_ram, is_romd;
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2017-02-23 21:29:16 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
2018-06-26 19:50:41 +03:00
|
|
|
|
2022-08-20 02:33:23 +03:00
|
|
|
if (full->lg_page_size <= TARGET_PAGE_BITS) {
|
2018-06-26 19:50:41 +03:00
|
|
|
sz = TARGET_PAGE_SIZE;
|
|
|
|
} else {
|
2022-08-20 02:33:23 +03:00
|
|
|
sz = (hwaddr)1 << full->lg_page_size;
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_add_large_page(cpu, mmu_idx, addr, sz);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
2023-06-21 16:56:22 +03:00
|
|
|
addr_page = addr & TARGET_PAGE_MASK;
|
2022-08-20 02:33:23 +03:00
|
|
|
paddr_page = full->phys_addr & TARGET_PAGE_MASK;
|
2013-05-24 14:59:37 +04:00
|
|
|
|
2022-08-20 02:33:23 +03:00
|
|
|
prot = full->prot;
|
|
|
|
asidx = cpu_asidx_from_attrs(cpu, full->attrs);
|
2018-06-26 19:50:41 +03:00
|
|
|
section = address_space_translate_for_iotlb(cpu, asidx, paddr_page,
|
2022-08-20 02:33:23 +03:00
|
|
|
&xlat, &sz, full->attrs, &prot);
|
2013-05-24 14:59:37 +04:00
|
|
|
assert(sz >= TARGET_PAGE_SIZE);
|
|
|
|
|
2023-07-13 15:07:46 +03:00
|
|
|
tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
|
2016-03-15 17:30:24 +03:00
|
|
|
" prot=%x idx=%d\n",
|
2023-06-21 16:56:22 +03:00
|
|
|
addr, full->phys_addr, prot, mmu_idx);
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2024-03-01 23:41:07 +03:00
|
|
|
read_flags = full->tlb_fill_flags;
|
2022-08-20 02:33:23 +03:00
|
|
|
if (full->lg_page_size < TARGET_PAGE_BITS) {
|
2019-08-24 01:12:32 +03:00
|
|
|
/* Repeat the MMU check and TLB fill on every access. */
|
2023-02-23 08:17:52 +03:00
|
|
|
read_flags |= TLB_INVALID_MASK;
|
2018-06-26 19:50:41 +03:00
|
|
|
}
|
2019-09-20 07:09:58 +03:00
|
|
|
|
|
|
|
is_ram = memory_region_is_ram(section->mr);
|
|
|
|
is_romd = memory_region_is_romd(section->mr);
|
|
|
|
|
|
|
|
if (is_ram || is_romd) {
|
|
|
|
/* RAM and ROMD both have associated host memory. */
|
|
|
|
addend = (uintptr_t)memory_region_get_ram_ptr(section->mr) + xlat;
|
|
|
|
} else {
|
|
|
|
/* I/O does not; force the host address to NULL. */
|
2013-05-24 18:45:30 +04:00
|
|
|
addend = 0;
|
2019-09-20 07:09:58 +03:00
|
|
|
}
|
|
|
|
|
2023-02-23 08:17:52 +03:00
|
|
|
write_flags = read_flags;
|
2019-09-20 07:09:58 +03:00
|
|
|
if (is_ram) {
|
|
|
|
iotlb = memory_region_get_ram_addr(section->mr) + xlat;
|
2023-09-01 09:01:18 +03:00
|
|
|
assert(!(iotlb & ~TARGET_PAGE_MASK));
|
2019-09-20 07:09:58 +03:00
|
|
|
/*
|
|
|
|
* Computing is_clean is expensive; avoid all that unless
|
|
|
|
* the page is actually writable.
|
|
|
|
*/
|
|
|
|
if (prot & PAGE_WRITE) {
|
|
|
|
if (section->readonly) {
|
2023-02-23 08:17:52 +03:00
|
|
|
write_flags |= TLB_DISCARD_WRITE;
|
2019-09-20 07:09:58 +03:00
|
|
|
} else if (cpu_physical_memory_is_clean(iotlb)) {
|
2023-02-23 08:17:52 +03:00
|
|
|
write_flags |= TLB_NOTDIRTY;
|
2019-09-20 07:09:58 +03:00
|
|
|
}
|
|
|
|
}
|
2013-05-24 18:45:30 +04:00
|
|
|
} else {
|
2019-09-20 07:09:58 +03:00
|
|
|
/* I/O or ROMD */
|
|
|
|
iotlb = memory_region_section_get_iotlb(cpu, section) + xlat;
|
|
|
|
/*
|
|
|
|
* Writes to romd devices must go through MMIO to enable write.
|
|
|
|
* Reads to romd devices go through the ram_ptr found above,
|
|
|
|
* but of course reads to I/O must go through MMIO.
|
|
|
|
*/
|
2023-02-23 08:17:52 +03:00
|
|
|
write_flags |= TLB_MMIO;
|
2019-09-20 07:09:58 +03:00
|
|
|
if (!is_romd) {
|
2023-02-23 08:17:52 +03:00
|
|
|
read_flags = write_flags;
|
2019-09-20 07:09:58 +03:00
|
|
|
}
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
wp_flags = cpu_watchpoint_address_matches(cpu, addr_page,
|
2019-08-24 19:51:09 +03:00
|
|
|
TARGET_PAGE_SIZE);
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
index = tlb_index(cpu, mmu_idx, addr_page);
|
|
|
|
te = tlb_entry(cpu, mmu_idx, addr_page);
|
2017-02-23 21:29:21 +03:00
|
|
|
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
/*
|
|
|
|
* Hold the TLB lock for the rest of the function. We could acquire/release
|
|
|
|
* the lock several times in the function, but it is faster to amortize the
|
|
|
|
* acquisition cost by acquiring it just once. Note that this leads to
|
|
|
|
* a longer critical section, but this is not a concern since the TLB lock
|
|
|
|
* is unlikely to be contended.
|
|
|
|
*/
|
2019-03-22 23:52:09 +03:00
|
|
|
qemu_spin_lock(&tlb->c.lock);
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
|
2018-10-20 22:04:57 +03:00
|
|
|
/* Note that the tlb is no longer clean. */
|
2019-03-22 23:52:09 +03:00
|
|
|
tlb->c.dirty |= 1 << mmu_idx;
|
2018-10-20 22:04:57 +03:00
|
|
|
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
/* Make sure there's no cached translation for the new page. */
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_flush_vtlb_page_locked(cpu, mmu_idx, addr_page);
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
|
2018-06-29 23:07:08 +03:00
|
|
|
/*
|
|
|
|
* Only evict the old entry to the victim tlb if it's for a
|
|
|
|
* different page; otherwise just overwrite the stale data.
|
|
|
|
*/
|
2023-06-21 16:56:22 +03:00
|
|
|
if (!tlb_hit_page_anyprot(te, addr_page) && !tlb_entry_is_empty(te)) {
|
2019-03-22 23:52:09 +03:00
|
|
|
unsigned vidx = desc->vindex++ % CPU_VTLB_SIZE;
|
|
|
|
CPUTLBEntry *tv = &desc->vtable[vidx];
|
2017-02-23 21:29:21 +03:00
|
|
|
|
2018-06-29 23:07:08 +03:00
|
|
|
/* Evict the old entry into the victim tlb. */
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
copy_tlb_helper_locked(tv, te);
|
2022-08-20 00:20:37 +03:00
|
|
|
desc->vfulltlb[vidx] = desc->fulltlb[index];
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_n_used_entries_dec(cpu, mmu_idx);
|
2018-06-29 23:07:08 +03:00
|
|
|
}
|
implementing victim TLB for QEMU system emulated TLB
QEMU system mode page table walks are expensive. Taken by running QEMU
qemu-system-x86_64 system mode on Intel PIN , a TLB miss and walking a
4-level page tables in guest Linux OS takes ~450 X86 instructions on
average.
QEMU system mode TLB is implemented using a directly-mapped hashtable.
This structure suffers from conflict misses. Increasing the
associativity of the TLB may not be the solution to conflict misses as
all the ways may have to be walked in serial.
A victim TLB is a TLB used to hold translations evicted from the
primary TLB upon replacement. The victim TLB lies between the main TLB
and its refill path. Victim TLB is of greater associativity (fully
associative in this patch). It takes longer to lookup the victim TLB,
but its likely better than a full page table walk. The memory
translation path is changed as follows :
Before Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. TLB refill.
5. Do the memory access.
6. Return to code cache.
After Victim TLB:
1. Inline TLB lookup
2. Exit code cache on TLB miss.
3. Check for unaligned, IO accesses
4. Victim TLB lookup.
5. If victim TLB misses, TLB refill
6. Do the memory access.
7. Return to code cache
The advantage is that victim TLB can offer more associativity to a
directly mapped TLB and thus potentially fewer page table walks while
still keeping the time taken to flush within reasonable limits.
However, placing a victim TLB before the refill path increase TLB
refill path as the victim TLB is consulted before the TLB refill. The
performance results demonstrate that the pros outweigh the cons.
some performance results taken on SPECINT2006 train
datasets and kernel boot and qemu configure script on an
Intel(R) Xeon(R) CPU E5620 @ 2.40GHz Linux machine are shown in the
Google Doc link below.
https://docs.google.com/spreadsheets/d/1eiItzekZwNQOal_h-5iJmC4tMDi051m9qidi5_nwvH4/edit?usp=sharing
In summary, victim TLB improves the performance of qemu-system-x86_64 by
11% on average on SPECINT2006, kernelboot and qemu configscript and with
highest improvement of in 26% in 456.hmmer. And victim TLB does not result
in any performance degradation in any of the measured benchmarks. Furthermore,
the implemented victim TLB is architecture independent and is expected to
benefit other architectures in QEMU as well.
Although there are measurement fluctuations, the performance
improvement is very significant and by no means in the range of
noises.
Signed-off-by: Xin Tong <trent.tong@gmail.com>
Message-id: 1407202523-23553-1-git-send-email-trent.tong@gmail.com
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
2014-08-05 05:35:23 +04:00
|
|
|
|
|
|
|
/* refill the tlb */
|
2018-06-15 16:57:14 +03:00
|
|
|
/*
|
2023-09-01 09:01:18 +03:00
|
|
|
* When memory region is ram, iotlb contains a TARGET_PAGE_BITS
|
|
|
|
* aligned ram_addr_t of the page base of the target RAM.
|
|
|
|
* Otherwise, iotlb contains
|
|
|
|
* - a physical section number in the lower TARGET_PAGE_BITS
|
|
|
|
* - the offset within section->mr of the page base (I/O, ROMD) with the
|
|
|
|
* TARGET_PAGE_BITS masked off.
|
2023-02-23 08:17:52 +03:00
|
|
|
* We subtract addr_page (which is page aligned and thus won't
|
2018-06-15 16:57:14 +03:00
|
|
|
* disturb the low bits) to give an offset which can be added to the
|
|
|
|
* (non-page-aligned) vaddr of the eventual memory access to get
|
|
|
|
* the MemoryRegion offset for the access. Note that the vaddr we
|
|
|
|
* subtract here is that of the page base, and not the same as the
|
2023-08-28 03:31:27 +03:00
|
|
|
* vaddr we add back in io_prepare()/get_page_addr_code().
|
2018-06-15 16:57:14 +03:00
|
|
|
*/
|
2022-08-20 02:33:23 +03:00
|
|
|
desc->fulltlb[index] = *full;
|
2023-02-23 08:17:52 +03:00
|
|
|
full = &desc->fulltlb[index];
|
|
|
|
full->xlat_section = iotlb - addr_page;
|
|
|
|
full->phys_addr = paddr_page;
|
2017-02-23 21:29:21 +03:00
|
|
|
|
|
|
|
/* Now calculate the new entry */
|
2023-06-21 16:56:22 +03:00
|
|
|
tn.addend = addend - addr_page;
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2023-02-23 08:17:52 +03:00
|
|
|
tlb_set_compare(full, &tn, addr_page, read_flags,
|
|
|
|
MMU_INST_FETCH, prot & PAGE_EXEC);
|
|
|
|
|
|
|
|
if (wp_flags & BP_MEM_READ) {
|
|
|
|
read_flags |= TLB_WATCHPOINT;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
2023-02-23 08:17:52 +03:00
|
|
|
tlb_set_compare(full, &tn, addr_page, read_flags,
|
|
|
|
MMU_DATA_LOAD, prot & PAGE_READ);
|
2017-02-23 21:29:21 +03:00
|
|
|
|
2023-02-23 08:17:52 +03:00
|
|
|
if (prot & PAGE_WRITE_INV) {
|
|
|
|
write_flags |= TLB_INVALID_MASK;
|
|
|
|
}
|
|
|
|
if (wp_flags & BP_MEM_WRITE) {
|
|
|
|
write_flags |= TLB_WATCHPOINT;
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
2023-02-23 08:17:52 +03:00
|
|
|
tlb_set_compare(full, &tn, addr_page, write_flags,
|
|
|
|
MMU_DATA_STORE, prot & PAGE_WRITE);
|
2017-02-23 21:29:21 +03:00
|
|
|
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
copy_tlb_helper_locked(te, &tn);
|
2023-09-12 18:34:20 +03:00
|
|
|
tlb_n_used_entries_inc(cpu, mmu_idx);
|
2019-03-22 23:52:09 +03:00
|
|
|
qemu_spin_unlock(&tlb->c.lock);
|
2012-04-09 20:50:52 +04:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_set_page_with_attrs(CPUState *cpu, vaddr addr,
|
2022-08-20 02:33:23 +03:00
|
|
|
hwaddr paddr, MemTxAttrs attrs, int prot,
|
2023-06-21 16:56:22 +03:00
|
|
|
int mmu_idx, uint64_t size)
|
2022-08-20 02:33:23 +03:00
|
|
|
{
|
|
|
|
CPUTLBEntryFull full = {
|
|
|
|
.phys_addr = paddr,
|
|
|
|
.attrs = attrs,
|
|
|
|
.prot = prot,
|
|
|
|
.lg_page_size = ctz64(size)
|
|
|
|
};
|
|
|
|
|
|
|
|
assert(is_power_of_2(size));
|
2023-06-21 16:56:22 +03:00
|
|
|
tlb_set_page_full(cpu, mmu_idx, addr, &full);
|
2022-08-20 02:33:23 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:22 +03:00
|
|
|
void tlb_set_page(CPUState *cpu, vaddr addr,
|
2015-04-26 18:49:24 +03:00
|
|
|
hwaddr paddr, int prot,
|
2023-06-21 16:56:22 +03:00
|
|
|
int mmu_idx, uint64_t size)
|
2015-04-26 18:49:24 +03:00
|
|
|
{
|
2023-06-21 16:56:22 +03:00
|
|
|
tlb_set_page_with_attrs(cpu, addr, paddr, MEMTXATTRS_UNSPECIFIED,
|
2015-04-26 18:49:24 +03:00
|
|
|
prot, mmu_idx, size);
|
|
|
|
}
|
|
|
|
|
2019-04-03 05:07:11 +03:00
|
|
|
/*
|
|
|
|
* Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
|
|
|
|
* caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
|
|
|
|
* be discarded and looked up again (e.g. via tlb_entry()).
|
|
|
|
*/
|
2023-06-21 16:56:22 +03:00
|
|
|
static void tlb_fill(CPUState *cpu, vaddr addr, int size,
|
2019-04-03 05:07:11 +03:00
|
|
|
MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
|
|
|
|
{
|
|
|
|
bool ok;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is not a probe, so only valid return is success; failure
|
|
|
|
* should result in exception + longjmp to the cpu loop.
|
|
|
|
*/
|
2022-09-23 11:48:01 +03:00
|
|
|
ok = cpu->cc->tcg_ops->tlb_fill(cpu, addr, size,
|
|
|
|
access_type, mmu_idx, false, retaddr);
|
2019-04-03 05:07:11 +03:00
|
|
|
assert(ok);
|
|
|
|
}
|
|
|
|
|
2021-02-04 19:39:23 +03:00
|
|
|
static inline void cpu_unaligned_access(CPUState *cpu, vaddr addr,
|
|
|
|
MMUAccessType access_type,
|
|
|
|
int mmu_idx, uintptr_t retaddr)
|
|
|
|
{
|
2022-09-23 11:48:01 +03:00
|
|
|
cpu->cc->tcg_ops->do_unaligned_access(cpu, addr, access_type,
|
|
|
|
mmu_idx, retaddr);
|
2021-02-04 19:39:23 +03:00
|
|
|
}
|
|
|
|
|
2023-08-28 03:31:27 +03:00
|
|
|
static MemoryRegionSection *
|
2023-09-12 18:34:22 +03:00
|
|
|
io_prepare(hwaddr *out_offset, CPUState *cpu, hwaddr xlat,
|
2023-08-28 03:31:27 +03:00
|
|
|
MemTxAttrs attrs, vaddr addr, uintptr_t retaddr)
|
|
|
|
{
|
|
|
|
MemoryRegionSection *section;
|
|
|
|
hwaddr mr_offset;
|
|
|
|
|
|
|
|
section = iotlb_to_section(cpu, xlat, attrs);
|
|
|
|
mr_offset = (xlat & TARGET_PAGE_MASK) + addr;
|
|
|
|
cpu->mem_io_pc = retaddr;
|
2023-09-16 01:41:39 +03:00
|
|
|
if (!cpu->neg.can_do_io) {
|
2023-08-28 03:31:27 +03:00
|
|
|
cpu_io_recompile(cpu, retaddr);
|
|
|
|
}
|
|
|
|
|
|
|
|
*out_offset = mr_offset;
|
|
|
|
return section;
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void io_failed(CPUState *cpu, CPUTLBEntryFull *full, vaddr addr,
|
2023-08-28 03:31:27 +03:00
|
|
|
unsigned size, MMUAccessType access_type, int mmu_idx,
|
2023-08-28 04:22:41 +03:00
|
|
|
MemTxResult response, uintptr_t retaddr)
|
2023-08-28 03:31:27 +03:00
|
|
|
{
|
2023-09-12 18:34:22 +03:00
|
|
|
if (!cpu->ignore_memory_transaction_failures
|
|
|
|
&& cpu->cc->tcg_ops->do_transaction_failed) {
|
|
|
|
hwaddr physaddr = full->phys_addr | (addr & ~TARGET_PAGE_MASK);
|
2023-08-27 18:54:50 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
cpu->cc->tcg_ops->do_transaction_failed(cpu, physaddr, addr, size,
|
|
|
|
access_type, mmu_idx,
|
|
|
|
full->attrs, response, retaddr);
|
2023-08-27 18:54:50 +03:00
|
|
|
}
|
2023-08-28 03:31:27 +03:00
|
|
|
}
|
|
|
|
|
2016-07-08 22:19:32 +03:00
|
|
|
/* Return true if ADDR is present in the victim tlb, and has been copied
|
|
|
|
back to the main tlb. */
|
2023-09-12 18:34:20 +03:00
|
|
|
static bool victim_tlb_hit(CPUState *cpu, size_t mmu_idx, size_t index,
|
2023-06-21 16:56:22 +03:00
|
|
|
MMUAccessType access_type, vaddr page)
|
2016-07-08 22:19:32 +03:00
|
|
|
{
|
|
|
|
size_t vidx;
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
assert_cpu_is_self(cpu);
|
2016-07-08 22:19:32 +03:00
|
|
|
for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBEntry *vtlb = &cpu->neg.tlb.d[mmu_idx].vtable[vidx];
|
2023-06-21 16:56:25 +03:00
|
|
|
uint64_t cmp = tlb_read_idx(vtlb, access_type);
|
2016-07-08 22:19:32 +03:00
|
|
|
|
|
|
|
if (cmp == page) {
|
|
|
|
/* Found entry in victim tlb, swap tlb and iotlb. */
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBEntry tmptlb, *tlb = &cpu->neg.tlb.f[mmu_idx].table[index];
|
2017-02-23 21:29:21 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_lock(&cpu->neg.tlb.c.lock);
|
cputlb: serialize tlb updates with env->tlb_lock
Currently we rely on atomic operations for cross-CPU invalidations.
There are two cases that these atomics miss: cross-CPU invalidations
can race with either (1) vCPU threads flushing their TLB, which
happens via memset, or (2) vCPUs calling tlb_reset_dirty on their TLB,
which updates .addr_write with a regular store. This results in
undefined behaviour, since we're mixing regular and atomic ops
on concurrent accesses.
Fix it by using tlb_lock, a per-vCPU lock. All updaters of tlb_table
and the corresponding victim cache now hold the lock.
The readers that do not hold tlb_lock must use atomic reads when
reading .addr_write, since this field can be updated by other threads;
the conversion to atomic reads is done in the next patch.
Note that an alternative fix would be to expand the use of atomic ops.
However, in the case of TLB flushes this would have a huge performance
impact, since (1) TLB flushes can happen very frequently and (2) we
currently use a full memory barrier to flush each TLB entry, and a TLB
has many entries. Instead, acquiring the lock is barely slower than a
full memory barrier since it is uncontended, and with a single lock
acquisition we can flush the entire TLB.
Tested-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Emilio G. Cota <cota@braap.org>
Message-Id: <20181009174557.16125-6-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2018-10-09 20:45:56 +03:00
|
|
|
copy_tlb_helper_locked(&tmptlb, tlb);
|
|
|
|
copy_tlb_helper_locked(tlb, vtlb);
|
|
|
|
copy_tlb_helper_locked(vtlb, &tmptlb);
|
2023-09-12 18:34:20 +03:00
|
|
|
qemu_spin_unlock(&cpu->neg.tlb.c.lock);
|
2017-02-23 21:29:21 +03:00
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBEntryFull *f1 = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
|
|
|
|
CPUTLBEntryFull *f2 = &cpu->neg.tlb.d[mmu_idx].vfulltlb[vidx];
|
2022-08-20 00:20:37 +03:00
|
|
|
CPUTLBEntryFull tmpf;
|
|
|
|
tmpf = *f1; *f1 = *f2; *f2 = tmpf;
|
2016-07-08 22:19:32 +03:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2019-09-22 04:47:59 +03:00
|
|
|
static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
|
2022-08-20 00:20:37 +03:00
|
|
|
CPUTLBEntryFull *full, uintptr_t retaddr)
|
2019-09-22 04:47:59 +03:00
|
|
|
{
|
2022-08-20 00:20:37 +03:00
|
|
|
ram_addr_t ram_addr = mem_vaddr + full->xlat_section;
|
2019-09-22 04:47:59 +03:00
|
|
|
|
|
|
|
trace_memory_notdirty_write_access(mem_vaddr, ram_addr, size);
|
|
|
|
|
|
|
|
if (!cpu_physical_memory_get_dirty_flag(ram_addr, DIRTY_MEMORY_CODE)) {
|
2022-12-09 12:36:48 +03:00
|
|
|
tb_invalidate_phys_range_fast(ram_addr, size, retaddr);
|
2019-09-22 04:47:59 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Set both VGA and migration bits for simplicity and to remove
|
|
|
|
* the notdirty callback faster.
|
|
|
|
*/
|
|
|
|
cpu_physical_memory_set_dirty_range(ram_addr, size, DIRTY_CLIENTS_NOCODE);
|
|
|
|
|
|
|
|
/* We remove the notdirty callback only if the code has been flushed. */
|
|
|
|
if (!cpu_physical_memory_is_clean(ram_addr)) {
|
|
|
|
trace_memory_notdirty_set_dirty(mem_vaddr);
|
|
|
|
tlb_set_dirty(cpu, mem_vaddr);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
static int probe_access_internal(CPUState *cpu, vaddr addr,
|
2020-05-08 18:43:45 +03:00
|
|
|
int fault_size, MMUAccessType access_type,
|
|
|
|
int mmu_idx, bool nonfault,
|
2022-08-20 01:49:41 +03:00
|
|
|
void **phost, CPUTLBEntryFull **pfull,
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
uintptr_t retaddr, bool check_mem_cbs)
|
2016-07-09 04:22:26 +03:00
|
|
|
{
|
2023-09-12 18:34:21 +03:00
|
|
|
uintptr_t index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
CPUTLBEntry *entry = tlb_entry(cpu, mmu_idx, addr);
|
2023-06-21 16:56:25 +03:00
|
|
|
uint64_t tlb_addr = tlb_read_idx(entry, access_type);
|
2023-06-21 16:56:29 +03:00
|
|
|
vaddr page_addr = addr & TARGET_PAGE_MASK;
|
2023-02-23 08:17:52 +03:00
|
|
|
int flags = TLB_FLAGS_MASK & ~TLB_FORCE_SLOW;
|
2023-09-12 18:34:21 +03:00
|
|
|
bool force_mmio = check_mem_cbs && cpu_plugin_mem_cbs_enabled(cpu);
|
2023-02-23 08:17:52 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2019-08-30 13:09:59 +03:00
|
|
|
|
2020-05-08 18:43:45 +03:00
|
|
|
if (!tlb_hit_page(tlb_addr, page_addr)) {
|
2023-09-12 18:34:21 +03:00
|
|
|
if (!victim_tlb_hit(cpu, mmu_idx, index, access_type, page_addr)) {
|
|
|
|
if (!cpu->cc->tcg_ops->tlb_fill(cpu, addr, fault_size, access_type,
|
|
|
|
mmu_idx, nonfault, retaddr)) {
|
2020-05-08 18:43:45 +03:00
|
|
|
/* Non-faulting page table read failed. */
|
|
|
|
*phost = NULL;
|
2022-08-20 01:49:41 +03:00
|
|
|
*pfull = NULL;
|
2020-05-08 18:43:45 +03:00
|
|
|
return TLB_INVALID_MASK;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* TLB resize via tlb_fill may have moved the entry. */
|
2023-09-12 18:34:21 +03:00
|
|
|
index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
entry = tlb_entry(cpu, mmu_idx, addr);
|
2022-08-20 01:28:05 +03:00
|
|
|
|
|
|
|
/*
|
|
|
|
* With PAGE_WRITE_INV, we set TLB_INVALID_MASK immediately,
|
|
|
|
* to force the next access through tlb_fill. We've just
|
|
|
|
* called tlb_fill, so we know that this entry *is* valid.
|
|
|
|
*/
|
|
|
|
flags &= ~TLB_INVALID_MASK;
|
2016-07-09 04:22:26 +03:00
|
|
|
}
|
2023-05-05 23:55:01 +03:00
|
|
|
tlb_addr = tlb_read_idx(entry, access_type);
|
2019-08-23 13:07:41 +03:00
|
|
|
}
|
2022-08-20 01:28:05 +03:00
|
|
|
flags &= tlb_addr;
|
2019-08-23 13:07:41 +03:00
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
*pfull = full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
|
2023-02-23 08:17:52 +03:00
|
|
|
flags |= full->slow_flags[access_type];
|
2022-08-20 01:49:41 +03:00
|
|
|
|
2020-05-08 18:43:45 +03:00
|
|
|
/* Fold all "mmio-like" bits into TLB_MMIO. This is not RAM. */
|
2024-03-01 23:41:08 +03:00
|
|
|
if (unlikely(flags & ~(TLB_WATCHPOINT | TLB_NOTDIRTY | TLB_CHECK_ALIGNED))
|
|
|
|
|| (access_type != MMU_INST_FETCH && force_mmio)) {
|
2020-05-08 18:43:45 +03:00
|
|
|
*phost = NULL;
|
|
|
|
return TLB_MMIO;
|
2019-08-30 13:09:58 +03:00
|
|
|
}
|
|
|
|
|
2020-05-08 18:43:45 +03:00
|
|
|
/* Everything else is RAM. */
|
|
|
|
*phost = (void *)((uintptr_t)addr + entry->addend);
|
|
|
|
return flags;
|
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:29 +03:00
|
|
|
int probe_access_full(CPUArchState *env, vaddr addr, int size,
|
2022-08-20 01:49:41 +03:00
|
|
|
MMUAccessType access_type, int mmu_idx,
|
|
|
|
bool nonfault, void **phost, CPUTLBEntryFull **pfull,
|
|
|
|
uintptr_t retaddr)
|
2020-05-08 18:43:45 +03:00
|
|
|
{
|
2023-09-12 18:34:21 +03:00
|
|
|
int flags = probe_access_internal(env_cpu(env), addr, size, access_type,
|
|
|
|
mmu_idx, nonfault, phost, pfull, retaddr,
|
|
|
|
true);
|
2020-05-08 18:43:45 +03:00
|
|
|
|
|
|
|
/* Handle clean RAM pages. */
|
|
|
|
if (unlikely(flags & TLB_NOTDIRTY)) {
|
accel/tcg: Forward probe size on to notdirty_write
Without this, we just dirty a single byte, and so if the caller writes
more than one byte to the host memory then we won't have invalidated any
translation blocks that start after the first byte and overlap those
writes. In particular, AArch64's DC ZVA implementation uses probe_access
(via probe_write), and so we don't invalidate the entire block, only the
TB overlapping the first byte (and, in the unusual case an unaligned VA
is given to the instruction, we also probe that specific address in
order to get the right VA reported on an exception, so will invalidate a
TB overlapping that address too). Since our IC IVAU implementation is a
no-op for system emulation that relies on the softmmu already having
detected self-modifying code via this mechanism, this means we have
observably wrong behaviour when jumping to code that has been DC ZVA'ed.
In practice this is an unusual thing for software to do, as in reality
the OS will DC ZVA the page and the application will go and write actual
instructions to it that aren't UDF #0, but you can write a test that
clearly shows the faulty behaviour.
For functions other than probe_access it's not clear what size to use
when 0 is passed in. Arguably a size of 0 shouldn't dirty at all, since
if you want to actually write then you should pass in a real size, but I
have conservatively kept the implementation as dirtying the first byte
in that case so as to avoid breaking any assumptions about that
behaviour.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Message-Id: <20231104031232.3246614-1-jrtc27@jrtc27.com>
[rth: Move the dirtysize computation next to notdirty_write.]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-11 08:43:03 +03:00
|
|
|
int dirtysize = size == 0 ? 1 : size;
|
|
|
|
notdirty_write(env_cpu(env), addr, dirtysize, *pfull, retaddr);
|
2020-05-08 18:43:45 +03:00
|
|
|
flags &= ~TLB_NOTDIRTY;
|
|
|
|
}
|
|
|
|
|
|
|
|
return flags;
|
|
|
|
}
|
|
|
|
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
int probe_access_full_mmu(CPUArchState *env, vaddr addr, int size,
|
|
|
|
MMUAccessType access_type, int mmu_idx,
|
|
|
|
void **phost, CPUTLBEntryFull **pfull)
|
|
|
|
{
|
|
|
|
void *discard_phost;
|
|
|
|
CPUTLBEntryFull *discard_tlb;
|
|
|
|
|
|
|
|
/* privately handle users that don't need full results */
|
|
|
|
phost = phost ? phost : &discard_phost;
|
|
|
|
pfull = pfull ? pfull : &discard_tlb;
|
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
int flags = probe_access_internal(env_cpu(env), addr, size, access_type,
|
|
|
|
mmu_idx, true, phost, pfull, 0, false);
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
|
|
|
|
/* Handle clean RAM pages. */
|
|
|
|
if (unlikely(flags & TLB_NOTDIRTY)) {
|
accel/tcg: Forward probe size on to notdirty_write
Without this, we just dirty a single byte, and so if the caller writes
more than one byte to the host memory then we won't have invalidated any
translation blocks that start after the first byte and overlap those
writes. In particular, AArch64's DC ZVA implementation uses probe_access
(via probe_write), and so we don't invalidate the entire block, only the
TB overlapping the first byte (and, in the unusual case an unaligned VA
is given to the instruction, we also probe that specific address in
order to get the right VA reported on an exception, so will invalidate a
TB overlapping that address too). Since our IC IVAU implementation is a
no-op for system emulation that relies on the softmmu already having
detected self-modifying code via this mechanism, this means we have
observably wrong behaviour when jumping to code that has been DC ZVA'ed.
In practice this is an unusual thing for software to do, as in reality
the OS will DC ZVA the page and the application will go and write actual
instructions to it that aren't UDF #0, but you can write a test that
clearly shows the faulty behaviour.
For functions other than probe_access it's not clear what size to use
when 0 is passed in. Arguably a size of 0 shouldn't dirty at all, since
if you want to actually write then you should pass in a real size, but I
have conservatively kept the implementation as dirtying the first byte
in that case so as to avoid breaking any assumptions about that
behaviour.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Message-Id: <20231104031232.3246614-1-jrtc27@jrtc27.com>
[rth: Move the dirtysize computation next to notdirty_write.]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-11 08:43:03 +03:00
|
|
|
int dirtysize = size == 0 ? 1 : size;
|
|
|
|
notdirty_write(env_cpu(env), addr, dirtysize, *pfull, 0);
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
flags &= ~TLB_NOTDIRTY;
|
|
|
|
}
|
|
|
|
|
|
|
|
return flags;
|
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:29 +03:00
|
|
|
int probe_access_flags(CPUArchState *env, vaddr addr, int size,
|
2022-08-20 01:49:41 +03:00
|
|
|
MMUAccessType access_type, int mmu_idx,
|
|
|
|
bool nonfault, void **phost, uintptr_t retaddr)
|
|
|
|
{
|
|
|
|
CPUTLBEntryFull *full;
|
2023-02-24 02:44:24 +03:00
|
|
|
int flags;
|
|
|
|
|
|
|
|
g_assert(-(addr | TARGET_PAGE_MASK) >= size);
|
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
flags = probe_access_internal(env_cpu(env), addr, size, access_type,
|
|
|
|
mmu_idx, nonfault, phost, &full, retaddr,
|
|
|
|
true);
|
2022-08-20 01:49:41 +03:00
|
|
|
|
2023-02-24 02:44:24 +03:00
|
|
|
/* Handle clean RAM pages. */
|
|
|
|
if (unlikely(flags & TLB_NOTDIRTY)) {
|
accel/tcg: Forward probe size on to notdirty_write
Without this, we just dirty a single byte, and so if the caller writes
more than one byte to the host memory then we won't have invalidated any
translation blocks that start after the first byte and overlap those
writes. In particular, AArch64's DC ZVA implementation uses probe_access
(via probe_write), and so we don't invalidate the entire block, only the
TB overlapping the first byte (and, in the unusual case an unaligned VA
is given to the instruction, we also probe that specific address in
order to get the right VA reported on an exception, so will invalidate a
TB overlapping that address too). Since our IC IVAU implementation is a
no-op for system emulation that relies on the softmmu already having
detected self-modifying code via this mechanism, this means we have
observably wrong behaviour when jumping to code that has been DC ZVA'ed.
In practice this is an unusual thing for software to do, as in reality
the OS will DC ZVA the page and the application will go and write actual
instructions to it that aren't UDF #0, but you can write a test that
clearly shows the faulty behaviour.
For functions other than probe_access it's not clear what size to use
when 0 is passed in. Arguably a size of 0 shouldn't dirty at all, since
if you want to actually write then you should pass in a real size, but I
have conservatively kept the implementation as dirtying the first byte
in that case so as to avoid breaking any assumptions about that
behaviour.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Message-Id: <20231104031232.3246614-1-jrtc27@jrtc27.com>
[rth: Move the dirtysize computation next to notdirty_write.]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-11 08:43:03 +03:00
|
|
|
int dirtysize = size == 0 ? 1 : size;
|
|
|
|
notdirty_write(env_cpu(env), addr, dirtysize, full, retaddr);
|
2023-02-24 02:44:24 +03:00
|
|
|
flags &= ~TLB_NOTDIRTY;
|
|
|
|
}
|
|
|
|
|
|
|
|
return flags;
|
2022-08-20 01:49:41 +03:00
|
|
|
}
|
|
|
|
|
2023-06-21 16:56:29 +03:00
|
|
|
void *probe_access(CPUArchState *env, vaddr addr, int size,
|
2020-05-08 18:43:45 +03:00
|
|
|
MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
|
|
|
|
{
|
2022-08-20 01:49:41 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2020-05-08 18:43:45 +03:00
|
|
|
void *host;
|
|
|
|
int flags;
|
|
|
|
|
|
|
|
g_assert(-(addr | TARGET_PAGE_MASK) >= size);
|
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
flags = probe_access_internal(env_cpu(env), addr, size, access_type,
|
|
|
|
mmu_idx, false, &host, &full, retaddr,
|
|
|
|
true);
|
2020-05-08 18:43:45 +03:00
|
|
|
|
|
|
|
/* Per the interface, size == 0 merely faults the access. */
|
|
|
|
if (size == 0) {
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (unlikely(flags & (TLB_NOTDIRTY | TLB_WATCHPOINT))) {
|
2019-09-22 05:28:48 +03:00
|
|
|
/* Handle watchpoints. */
|
2020-05-08 18:43:45 +03:00
|
|
|
if (flags & TLB_WATCHPOINT) {
|
|
|
|
int wp_access = (access_type == MMU_DATA_STORE
|
|
|
|
? BP_MEM_WRITE : BP_MEM_READ);
|
2019-09-22 05:28:48 +03:00
|
|
|
cpu_check_watchpoint(env_cpu(env), addr, size,
|
2022-08-20 00:20:37 +03:00
|
|
|
full->attrs, wp_access, retaddr);
|
2019-09-22 05:28:48 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/* Handle clean RAM pages. */
|
2020-05-08 18:43:45 +03:00
|
|
|
if (flags & TLB_NOTDIRTY) {
|
accel/tcg: Forward probe size on to notdirty_write
Without this, we just dirty a single byte, and so if the caller writes
more than one byte to the host memory then we won't have invalidated any
translation blocks that start after the first byte and overlap those
writes. In particular, AArch64's DC ZVA implementation uses probe_access
(via probe_write), and so we don't invalidate the entire block, only the
TB overlapping the first byte (and, in the unusual case an unaligned VA
is given to the instruction, we also probe that specific address in
order to get the right VA reported on an exception, so will invalidate a
TB overlapping that address too). Since our IC IVAU implementation is a
no-op for system emulation that relies on the softmmu already having
detected self-modifying code via this mechanism, this means we have
observably wrong behaviour when jumping to code that has been DC ZVA'ed.
In practice this is an unusual thing for software to do, as in reality
the OS will DC ZVA the page and the application will go and write actual
instructions to it that aren't UDF #0, but you can write a test that
clearly shows the faulty behaviour.
For functions other than probe_access it's not clear what size to use
when 0 is passed in. Arguably a size of 0 shouldn't dirty at all, since
if you want to actually write then you should pass in a real size, but I
have conservatively kept the implementation as dirtying the first byte
in that case so as to avoid breaking any assumptions about that
behaviour.
Signed-off-by: Jessica Clarke <jrtc27@jrtc27.com>
Message-Id: <20231104031232.3246614-1-jrtc27@jrtc27.com>
[rth: Move the dirtysize computation next to notdirty_write.]
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2023-11-11 08:43:03 +03:00
|
|
|
notdirty_write(env_cpu(env), addr, size, full, retaddr);
|
2019-09-22 05:28:48 +03:00
|
|
|
}
|
2019-08-30 13:09:58 +03:00
|
|
|
}
|
|
|
|
|
2020-05-08 18:43:45 +03:00
|
|
|
return host;
|
2016-07-09 04:22:26 +03:00
|
|
|
}
|
|
|
|
|
2019-04-03 06:16:56 +03:00
|
|
|
void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
|
|
|
|
MMUAccessType access_type, int mmu_idx)
|
|
|
|
{
|
2022-08-20 01:49:41 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2020-05-08 18:43:45 +03:00
|
|
|
void *host;
|
|
|
|
int flags;
|
2019-04-03 06:16:56 +03:00
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
flags = probe_access_internal(env_cpu(env), addr, 0, access_type,
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
mmu_idx, true, &host, &full, 0, false);
|
2019-04-03 06:16:56 +03:00
|
|
|
|
2020-05-08 18:43:45 +03:00
|
|
|
/* No combination of flags are expected by the caller. */
|
|
|
|
return flags ? NULL : host;
|
2019-04-03 06:16:56 +03:00
|
|
|
}
|
|
|
|
|
2022-08-11 00:13:30 +03:00
|
|
|
/*
|
|
|
|
* Return a ram_addr_t for the virtual address for execution.
|
|
|
|
*
|
|
|
|
* Return -1 if we can't translate and execute from an entire page
|
|
|
|
* of RAM. This will force us to execute by loading and translating
|
|
|
|
* one insn at a time, without caching.
|
|
|
|
*
|
|
|
|
* NOTE: This function will trigger an exception if the page is
|
|
|
|
* not executable.
|
|
|
|
*/
|
2023-06-21 16:56:29 +03:00
|
|
|
tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, vaddr addr,
|
2022-08-11 00:13:30 +03:00
|
|
|
void **hostp)
|
|
|
|
{
|
2022-08-20 01:49:41 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2022-08-11 00:13:30 +03:00
|
|
|
void *p;
|
|
|
|
|
2023-09-12 18:34:21 +03:00
|
|
|
(void)probe_access_internal(env_cpu(env), addr, 1, MMU_INST_FETCH,
|
2024-01-29 13:35:06 +03:00
|
|
|
cpu_mmu_index(env_cpu(env), true), false,
|
plugins: force slow path when plugins instrument memory ops
The lack of SVE memory instrumentation has been an omission in plugin
handling since it was introduced. Fortunately we can utilise the
probe_* functions to force all all memory access to follow the slow
path. We do this by checking the access type and presence of plugin
memory callbacks and if set return the TLB_MMIO flag.
We have to jump through a few hoops in user mode to re-use the flag
but it was the desired effect:
./qemu-system-aarch64 -display none -serial mon:stdio \
-M virt -cpu max -semihosting-config enable=on \
-kernel ./tests/tcg/aarch64-softmmu/memory-sve \
-plugin ./contrib/plugins/libexeclog.so,ifilter=st1w,afilter=0x40001808 -d plugin
gives (disas doesn't currently understand st1w):
0, 0x40001808, 0xe54342a0, ".byte 0xa0, 0x42, 0x43, 0xe5", store, 0x40213010, RAM, store, 0x40213014, RAM, store, 0x40213018, RAM
And for user-mode:
./qemu-aarch64 \
-plugin contrib/plugins/libexeclog.so,afilter=0x4007c0 \
-d plugin \
./tests/tcg/aarch64-linux-user/sha512-sve
gives:
1..10
ok 1 - do_test(&tests[i])
0, 0x4007c0, 0xa4004b80, ".byte 0x80, 0x4b, 0x00, 0xa4", load, 0x5500800370, load, 0x5500800371, load, 0x5500800372, load, 0x5500800373, load, 0x5500800374, load, 0x5500800375, load, 0x5500800376, load, 0x5500800377, load, 0x5500800378, load, 0x5500800379, load, 0x550080037a, load, 0x550080037b, load, 0x550080037c, load, 0x550080037d, load, 0x550080037e, load, 0x550080037f, load, 0x5500800380, load, 0x5500800381, load, 0x5500800382, load, 0x5500800383, load, 0x5500800384, load, 0x5500800385, load, 0x5500800386, lo
ad, 0x5500800387, load, 0x5500800388, load, 0x5500800389, load, 0x550080038a, load, 0x550080038b, load, 0x550080038c, load, 0x550080038d, load, 0x550080038e, load, 0x550080038f, load, 0x5500800390, load, 0x5500800391, load, 0x5500800392, load, 0x5500800393, load, 0x5500800394, load, 0x5500800395, load, 0x5500800396, load, 0x5500800397, load, 0x5500800398, load, 0x5500800399, load, 0x550080039a, load, 0x550080039b, load, 0x550080039c, load, 0x550080039d, load, 0x550080039e, load, 0x550080039f, load, 0x55008003a0, load, 0x55008003a1, load, 0x55008003a2, load, 0x55008003a3, load, 0x55008003a4, load, 0x55008003a5, load, 0x55008003a6, load, 0x55008003a7, load, 0x55008003a8, load, 0x55008003a9, load, 0x55008003aa, load, 0x55008003ab, load, 0x55008003ac, load, 0x55008003ad, load, 0x55008003ae, load, 0x55008003af
(4007c0 is the ld1b in the sha512-sve)
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Cc: Robert Henry <robhenry@microsoft.com>
Cc: Aaron Lindsay <aaron@os.amperecomputing.com>
Signed-off-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230630180423.558337-20-alex.bennee@linaro.org>
2023-06-30 21:04:04 +03:00
|
|
|
&p, &full, 0, false);
|
2022-08-11 00:13:30 +03:00
|
|
|
if (p == NULL) {
|
|
|
|
return -1;
|
|
|
|
}
|
2023-04-22 16:03:27 +03:00
|
|
|
|
|
|
|
if (full->lg_page_size < TARGET_PAGE_BITS) {
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2022-08-11 00:13:30 +03:00
|
|
|
if (hostp) {
|
|
|
|
*hostp = p;
|
|
|
|
}
|
|
|
|
return qemu_ram_addr_from_host_nofail(p);
|
|
|
|
}
|
|
|
|
|
2022-10-29 08:01:04 +03:00
|
|
|
/* Load/store with atomicity primitives. */
|
|
|
|
#include "ldst_atomicity.c.inc"
|
|
|
|
|
2019-06-19 22:20:08 +03:00
|
|
|
#ifdef CONFIG_PLUGIN
|
|
|
|
/*
|
|
|
|
* Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
|
|
|
|
* This should be a hot path as we will have just looked this path up
|
|
|
|
* in the softmmu lookup code (or helper). We don't handle re-fills or
|
|
|
|
* checking the victim table. This is purely informational.
|
|
|
|
*
|
2023-08-28 03:28:16 +03:00
|
|
|
* The one corner case is i/o write, which can cause changes to the
|
|
|
|
* address space. Those changes, and the corresponding tlb flush,
|
|
|
|
* should be delayed until the next TB, so even then this ought not fail.
|
|
|
|
* But check, Just in Case.
|
2019-06-19 22:20:08 +03:00
|
|
|
*/
|
2023-06-21 16:56:22 +03:00
|
|
|
bool tlb_plugin_lookup(CPUState *cpu, vaddr addr, int mmu_idx,
|
2019-06-19 22:20:08 +03:00
|
|
|
bool is_store, struct qemu_plugin_hwaddr *data)
|
|
|
|
{
|
2023-09-12 18:34:20 +03:00
|
|
|
CPUTLBEntry *tlbe = tlb_entry(cpu, mmu_idx, addr);
|
|
|
|
uintptr_t index = tlb_index(cpu, mmu_idx, addr);
|
2023-08-28 03:28:16 +03:00
|
|
|
MMUAccessType access_type = is_store ? MMU_DATA_STORE : MMU_DATA_LOAD;
|
|
|
|
uint64_t tlb_addr = tlb_read_idx(tlbe, access_type);
|
2023-08-28 04:58:15 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2023-08-28 03:28:16 +03:00
|
|
|
|
|
|
|
if (unlikely(!tlb_hit(tlb_addr, addr))) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:20 +03:00
|
|
|
full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
|
2023-08-28 04:58:15 +03:00
|
|
|
data->phys_addr = full->phys_addr | (addr & ~TARGET_PAGE_MASK);
|
|
|
|
|
2023-08-28 03:28:16 +03:00
|
|
|
/* We must have an iotlb entry for MMIO */
|
|
|
|
if (tlb_addr & TLB_MMIO) {
|
2023-08-28 04:58:15 +03:00
|
|
|
MemoryRegionSection *section =
|
|
|
|
iotlb_to_section(cpu, full->xlat_section & ~TARGET_PAGE_MASK,
|
|
|
|
full->attrs);
|
2020-07-13 23:04:10 +03:00
|
|
|
data->is_io = true;
|
2023-08-28 04:58:15 +03:00
|
|
|
data->mr = section->mr;
|
2023-08-28 03:28:16 +03:00
|
|
|
} else {
|
|
|
|
data->is_io = false;
|
2023-08-28 04:58:15 +03:00
|
|
|
data->mr = NULL;
|
2019-06-19 22:20:08 +03:00
|
|
|
}
|
2023-08-28 03:28:16 +03:00
|
|
|
return true;
|
2019-06-19 22:20:08 +03:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
/*
|
|
|
|
* Probe for a load/store operation.
|
|
|
|
* Return the host address and into @flags.
|
|
|
|
*/
|
|
|
|
|
|
|
|
typedef struct MMULookupPageData {
|
|
|
|
CPUTLBEntryFull *full;
|
|
|
|
void *haddr;
|
2023-06-21 16:56:26 +03:00
|
|
|
vaddr addr;
|
2022-10-29 00:40:51 +03:00
|
|
|
int flags;
|
|
|
|
int size;
|
|
|
|
} MMULookupPageData;
|
|
|
|
|
|
|
|
typedef struct MMULookupLocals {
|
|
|
|
MMULookupPageData page[2];
|
|
|
|
MemOp memop;
|
|
|
|
int mmu_idx;
|
|
|
|
} MMULookupLocals;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* mmu_lookup1: translate one page
|
2023-09-12 18:34:22 +03:00
|
|
|
* @cpu: generic cpu state
|
2022-10-29 00:40:51 +03:00
|
|
|
* @data: lookup parameters
|
|
|
|
* @mmu_idx: virtual address context
|
|
|
|
* @access_type: load/store/code
|
|
|
|
* @ra: return address into tcg generated code, or 0
|
|
|
|
*
|
|
|
|
* Resolve the translation for the one page at @data.addr, filling in
|
|
|
|
* the rest of @data with the results. If the translation fails,
|
|
|
|
* tlb_fill will longjmp out. Return true if the softmmu tlb for
|
|
|
|
* @mmu_idx may have resized.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static bool mmu_lookup1(CPUState *cpu, MMULookupPageData *data,
|
2022-10-29 00:40:51 +03:00
|
|
|
int mmu_idx, MMUAccessType access_type, uintptr_t ra)
|
|
|
|
{
|
2023-06-21 16:56:26 +03:00
|
|
|
vaddr addr = data->addr;
|
2023-09-12 18:34:22 +03:00
|
|
|
uintptr_t index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
CPUTLBEntry *entry = tlb_entry(cpu, mmu_idx, addr);
|
2023-06-21 16:56:25 +03:00
|
|
|
uint64_t tlb_addr = tlb_read_idx(entry, access_type);
|
2022-10-29 00:40:51 +03:00
|
|
|
bool maybe_resized = false;
|
2023-02-23 08:17:52 +03:00
|
|
|
CPUTLBEntryFull *full;
|
|
|
|
int flags;
|
2022-10-29 00:40:51 +03:00
|
|
|
|
|
|
|
/* If the TLB entry is for a different page, reload and try again. */
|
|
|
|
if (!tlb_hit(tlb_addr, addr)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
if (!victim_tlb_hit(cpu, mmu_idx, index, access_type,
|
2022-10-29 00:40:51 +03:00
|
|
|
addr & TARGET_PAGE_MASK)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
tlb_fill(cpu, addr, data->size, access_type, mmu_idx, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
maybe_resized = true;
|
2023-09-12 18:34:22 +03:00
|
|
|
index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
entry = tlb_entry(cpu, mmu_idx, addr);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
tlb_addr = tlb_read_idx(entry, access_type) & ~TLB_INVALID_MASK;
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
|
2023-02-23 08:17:52 +03:00
|
|
|
flags = tlb_addr & (TLB_FLAGS_MASK & ~TLB_FORCE_SLOW);
|
|
|
|
flags |= full->slow_flags[access_type];
|
|
|
|
|
|
|
|
data->full = full;
|
|
|
|
data->flags = flags;
|
2022-10-29 00:40:51 +03:00
|
|
|
/* Compute haddr speculatively; depending on flags it might be invalid. */
|
|
|
|
data->haddr = (void *)((uintptr_t)addr + entry->addend);
|
|
|
|
|
|
|
|
return maybe_resized;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* mmu_watch_or_dirty
|
2023-09-12 18:34:22 +03:00
|
|
|
* @cpu: generic cpu state
|
2022-10-29 00:40:51 +03:00
|
|
|
* @data: lookup parameters
|
|
|
|
* @access_type: load/store/code
|
|
|
|
* @ra: return address into tcg generated code, or 0
|
|
|
|
*
|
|
|
|
* Trigger watchpoints for @data.addr:@data.size;
|
|
|
|
* record writes to protected clean pages.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static void mmu_watch_or_dirty(CPUState *cpu, MMULookupPageData *data,
|
2022-10-29 00:40:51 +03:00
|
|
|
MMUAccessType access_type, uintptr_t ra)
|
|
|
|
{
|
|
|
|
CPUTLBEntryFull *full = data->full;
|
2023-06-21 16:56:26 +03:00
|
|
|
vaddr addr = data->addr;
|
2022-10-29 00:40:51 +03:00
|
|
|
int flags = data->flags;
|
|
|
|
int size = data->size;
|
|
|
|
|
|
|
|
/* On watchpoint hit, this will longjmp out. */
|
|
|
|
if (flags & TLB_WATCHPOINT) {
|
|
|
|
int wp = access_type == MMU_DATA_STORE ? BP_MEM_WRITE : BP_MEM_READ;
|
2023-09-12 18:34:22 +03:00
|
|
|
cpu_check_watchpoint(cpu, addr, size, full->attrs, wp, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
flags &= ~TLB_WATCHPOINT;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Note that notdirty is only set for writes. */
|
|
|
|
if (flags & TLB_NOTDIRTY) {
|
2023-09-12 18:34:22 +03:00
|
|
|
notdirty_write(cpu, addr, size, full, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
flags &= ~TLB_NOTDIRTY;
|
|
|
|
}
|
|
|
|
data->flags = flags;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* mmu_lookup: translate page(s)
|
2023-09-12 18:34:22 +03:00
|
|
|
* @cpu: generic cpu state
|
2022-10-29 00:40:51 +03:00
|
|
|
* @addr: virtual address
|
|
|
|
* @oi: combined mmu_idx and MemOp
|
|
|
|
* @ra: return address into tcg generated code, or 0
|
|
|
|
* @access_type: load/store/code
|
|
|
|
* @l: output result
|
|
|
|
*
|
|
|
|
* Resolve the translation for the page(s) beginning at @addr, for MemOp.size
|
|
|
|
* bytes. Return true if the lookup crosses a page boundary.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static bool mmu_lookup(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2022-10-29 00:40:51 +03:00
|
|
|
uintptr_t ra, MMUAccessType type, MMULookupLocals *l)
|
|
|
|
{
|
|
|
|
unsigned a_bits;
|
|
|
|
bool crosspage;
|
|
|
|
int flags;
|
|
|
|
|
|
|
|
l->memop = get_memop(oi);
|
|
|
|
l->mmu_idx = get_mmuidx(oi);
|
|
|
|
|
|
|
|
tcg_debug_assert(l->mmu_idx < NB_MMU_MODES);
|
|
|
|
|
|
|
|
/* Handle CPU specific unaligned behaviour */
|
|
|
|
a_bits = get_alignment_bits(l->memop);
|
|
|
|
if (addr & ((1 << a_bits) - 1)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
cpu_unaligned_access(cpu, addr, type, l->mmu_idx, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
l->page[0].addr = addr;
|
|
|
|
l->page[0].size = memop_size(l->memop);
|
|
|
|
l->page[1].addr = (addr + l->page[0].size - 1) & TARGET_PAGE_MASK;
|
|
|
|
l->page[1].size = 0;
|
|
|
|
crosspage = (addr ^ l->page[1].addr) & TARGET_PAGE_MASK;
|
|
|
|
|
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
mmu_lookup1(cpu, &l->page[0], l->mmu_idx, type, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
|
|
|
|
flags = l->page[0].flags;
|
|
|
|
if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
|
2023-09-12 18:34:22 +03:00
|
|
|
mmu_watch_or_dirty(cpu, &l->page[0], type, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
if (unlikely(flags & TLB_BSWAP)) {
|
|
|
|
l->memop ^= MO_BSWAP;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* Finish compute of page crossing. */
|
|
|
|
int size0 = l->page[1].addr - addr;
|
|
|
|
l->page[1].size = l->page[0].size - size0;
|
|
|
|
l->page[0].size = size0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Lookup both pages, recognizing exceptions from either. If the
|
|
|
|
* second lookup potentially resized, refresh first CPUTLBEntryFull.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
mmu_lookup1(cpu, &l->page[0], l->mmu_idx, type, ra);
|
|
|
|
if (mmu_lookup1(cpu, &l->page[1], l->mmu_idx, type, ra)) {
|
|
|
|
uintptr_t index = tlb_index(cpu, l->mmu_idx, addr);
|
|
|
|
l->page[0].full = &cpu->neg.tlb.d[l->mmu_idx].fulltlb[index];
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
flags = l->page[0].flags | l->page[1].flags;
|
|
|
|
if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
|
2023-09-12 18:34:22 +03:00
|
|
|
mmu_watch_or_dirty(cpu, &l->page[0], type, ra);
|
|
|
|
mmu_watch_or_dirty(cpu, &l->page[1], type, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Since target/sparc is the only user of TLB_BSWAP, and all
|
|
|
|
* Sparc accesses are aligned, any treatment across two pages
|
|
|
|
* would be arbitrary. Refuse it until there's a use.
|
|
|
|
*/
|
|
|
|
tcg_debug_assert((flags & TLB_BSWAP) == 0);
|
|
|
|
}
|
|
|
|
|
2024-03-01 23:41:08 +03:00
|
|
|
/*
|
|
|
|
* This alignment check differs from the one above, in that this is
|
|
|
|
* based on the atomicity of the operation. The intended use case is
|
|
|
|
* the ARM memory type field of each PTE, where access to pages with
|
|
|
|
* Device memory type require alignment.
|
|
|
|
*/
|
|
|
|
if (unlikely(flags & TLB_CHECK_ALIGNED)) {
|
|
|
|
MemOp size = l->memop & MO_SIZE;
|
|
|
|
|
|
|
|
switch (l->memop & MO_ATOM_MASK) {
|
|
|
|
case MO_ATOM_NONE:
|
|
|
|
size = MO_8;
|
|
|
|
break;
|
|
|
|
case MO_ATOM_IFALIGN_PAIR:
|
|
|
|
case MO_ATOM_WITHIN16_PAIR:
|
|
|
|
size = size ? size - 1 : 0;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (addr & ((1 << size) - 1)) {
|
|
|
|
cpu_unaligned_access(cpu, addr, type, l->mmu_idx, ra);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
return crosspage;
|
|
|
|
}
|
|
|
|
|
2021-06-13 03:21:06 +03:00
|
|
|
/*
|
|
|
|
* Probe for an atomic operation. Do not allow unaligned operations,
|
|
|
|
* or io operations to proceed. Return the host address.
|
|
|
|
*/
|
2023-09-12 18:34:23 +03:00
|
|
|
static void *atomic_mmu_lookup(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2023-06-21 16:56:30 +03:00
|
|
|
int size, uintptr_t retaddr)
|
2016-06-28 21:37:27 +03:00
|
|
|
{
|
2022-04-01 20:08:13 +03:00
|
|
|
uintptr_t mmu_idx = get_mmuidx(oi);
|
2019-08-23 21:10:58 +03:00
|
|
|
MemOp mop = get_memop(oi);
|
2016-06-28 21:37:27 +03:00
|
|
|
int a_bits = get_alignment_bits(mop);
|
2021-06-13 03:21:06 +03:00
|
|
|
uintptr_t index;
|
|
|
|
CPUTLBEntry *tlbe;
|
2023-06-21 16:56:30 +03:00
|
|
|
vaddr tlb_addr;
|
2017-11-20 21:08:28 +03:00
|
|
|
void *hostaddr;
|
2023-02-23 11:41:01 +03:00
|
|
|
CPUTLBEntryFull *full;
|
2016-06-28 21:37:27 +03:00
|
|
|
|
2022-04-01 20:08:13 +03:00
|
|
|
tcg_debug_assert(mmu_idx < NB_MMU_MODES);
|
|
|
|
|
2016-06-28 21:37:27 +03:00
|
|
|
/* Adjust the given return address. */
|
|
|
|
retaddr -= GETPC_ADJ;
|
|
|
|
|
|
|
|
/* Enforce guest required alignment. */
|
|
|
|
if (unlikely(a_bits > 0 && (addr & ((1 << a_bits) - 1)))) {
|
|
|
|
/* ??? Maybe indicate atomic op to cpu_unaligned_access */
|
2023-09-12 18:34:23 +03:00
|
|
|
cpu_unaligned_access(cpu, addr, MMU_DATA_STORE,
|
2016-06-28 21:37:27 +03:00
|
|
|
mmu_idx, retaddr);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Enforce qemu required alignment. */
|
2021-06-13 03:21:06 +03:00
|
|
|
if (unlikely(addr & (size - 1))) {
|
2016-06-28 21:37:27 +03:00
|
|
|
/* We get here if guest alignment was not requested,
|
|
|
|
or was not enforced by cpu_unaligned_access above.
|
|
|
|
We might widen the access and emulate, but for now
|
|
|
|
mark an exception and exit the cpu loop. */
|
|
|
|
goto stop_the_world;
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:23 +03:00
|
|
|
index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
tlbe = tlb_entry(cpu, mmu_idx, addr);
|
2021-06-13 03:21:06 +03:00
|
|
|
|
2016-06-28 21:37:27 +03:00
|
|
|
/* Check TLB entry and enforce page permissions. */
|
2023-05-20 03:54:18 +03:00
|
|
|
tlb_addr = tlb_addr_write(tlbe);
|
|
|
|
if (!tlb_hit(tlb_addr, addr)) {
|
2023-09-12 18:34:23 +03:00
|
|
|
if (!victim_tlb_hit(cpu, mmu_idx, index, MMU_DATA_STORE,
|
2023-05-20 03:54:18 +03:00
|
|
|
addr & TARGET_PAGE_MASK)) {
|
2023-09-12 18:34:23 +03:00
|
|
|
tlb_fill(cpu, addr, size,
|
2023-05-20 03:54:18 +03:00
|
|
|
MMU_DATA_STORE, mmu_idx, retaddr);
|
2023-09-12 18:34:23 +03:00
|
|
|
index = tlb_index(cpu, mmu_idx, addr);
|
|
|
|
tlbe = tlb_entry(cpu, mmu_idx, addr);
|
2021-06-13 03:21:06 +03:00
|
|
|
}
|
2023-05-20 03:54:18 +03:00
|
|
|
tlb_addr = tlb_addr_write(tlbe) & ~TLB_INVALID_MASK;
|
|
|
|
}
|
2021-06-13 03:21:06 +03:00
|
|
|
|
2023-05-20 03:54:18 +03:00
|
|
|
/*
|
|
|
|
* Let the guest notice RMW on a write-only page.
|
|
|
|
* We have just verified that the page is writable.
|
|
|
|
* Subpage lookups may have left TLB_INVALID_MASK set,
|
|
|
|
* but addr_read will only be -1 if PAGE_READ was unset.
|
|
|
|
*/
|
|
|
|
if (unlikely(tlbe->addr_read == -1)) {
|
2023-09-12 18:34:23 +03:00
|
|
|
tlb_fill(cpu, addr, size, MMU_DATA_LOAD, mmu_idx, retaddr);
|
2023-05-20 03:54:18 +03:00
|
|
|
/*
|
|
|
|
* Since we don't support reads and writes to different
|
|
|
|
* addresses, and we do have the proper page loaded for
|
|
|
|
* write, this shouldn't ever return. But just in case,
|
|
|
|
* handle via stop-the-world.
|
|
|
|
*/
|
|
|
|
goto stop_the_world;
|
2016-06-28 21:37:27 +03:00
|
|
|
}
|
2023-02-23 12:09:43 +03:00
|
|
|
/* Collect tlb flags for read. */
|
2023-05-20 03:54:18 +03:00
|
|
|
tlb_addr |= tlbe->addr_read;
|
2016-06-28 21:37:27 +03:00
|
|
|
|
2018-06-26 19:50:41 +03:00
|
|
|
/* Notice an IO access or a needs-MMU-lookup access */
|
2023-02-23 12:05:01 +03:00
|
|
|
if (unlikely(tlb_addr & (TLB_MMIO | TLB_DISCARD_WRITE))) {
|
2016-06-28 21:37:27 +03:00
|
|
|
/* There's really nothing that can be done to
|
|
|
|
support this apart from stop-the-world. */
|
|
|
|
goto stop_the_world;
|
|
|
|
}
|
|
|
|
|
2017-11-20 21:08:28 +03:00
|
|
|
hostaddr = (void *)((uintptr_t)addr + tlbe->addend);
|
2023-09-12 18:34:23 +03:00
|
|
|
full = &cpu->neg.tlb.d[mmu_idx].fulltlb[index];
|
2017-11-20 21:08:28 +03:00
|
|
|
|
|
|
|
if (unlikely(tlb_addr & TLB_NOTDIRTY)) {
|
2023-09-12 18:34:23 +03:00
|
|
|
notdirty_write(cpu, addr, size, full, retaddr);
|
2023-02-23 11:41:01 +03:00
|
|
|
}
|
|
|
|
|
2023-02-23 12:09:43 +03:00
|
|
|
if (unlikely(tlb_addr & TLB_FORCE_SLOW)) {
|
|
|
|
int wp_flags = 0;
|
|
|
|
|
|
|
|
if (full->slow_flags[MMU_DATA_STORE] & TLB_WATCHPOINT) {
|
|
|
|
wp_flags |= BP_MEM_WRITE;
|
|
|
|
}
|
|
|
|
if (full->slow_flags[MMU_DATA_LOAD] & TLB_WATCHPOINT) {
|
|
|
|
wp_flags |= BP_MEM_READ;
|
|
|
|
}
|
|
|
|
if (wp_flags) {
|
2023-09-12 18:34:23 +03:00
|
|
|
cpu_check_watchpoint(cpu, addr, size,
|
2023-02-23 12:09:43 +03:00
|
|
|
full->attrs, wp_flags, retaddr);
|
|
|
|
}
|
2017-11-20 21:08:28 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return hostaddr;
|
2016-06-28 21:37:27 +03:00
|
|
|
|
|
|
|
stop_the_world:
|
2023-09-12 18:34:23 +03:00
|
|
|
cpu_loop_exit_atomic(cpu, retaddr);
|
2016-06-28 21:37:27 +03:00
|
|
|
}
|
|
|
|
|
2019-02-15 17:31:13 +03:00
|
|
|
/*
|
|
|
|
* Load Helpers
|
|
|
|
*
|
|
|
|
* We support two different access types. SOFTMMU_CODE_ACCESS is
|
|
|
|
* specifically for reading instructions from system memory. It is
|
|
|
|
* called by the translation loop and in some helpers where the code
|
|
|
|
* is disassembled. It shouldn't be called directly by guest code.
|
2022-10-29 08:01:04 +03:00
|
|
|
*
|
2022-10-29 00:40:51 +03:00
|
|
|
* For the benefit of TCG generated code, we want to avoid the
|
|
|
|
* complication of ABI-specific return type promotion and always
|
|
|
|
* return a value extended to the register size of the host. This is
|
|
|
|
* tcg_target_long, except in the case of a 32-bit host and 64-bit
|
|
|
|
* data, and for that we always have uint64_t.
|
|
|
|
*
|
|
|
|
* We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
|
|
|
|
*/
|
2022-04-01 20:08:13 +03:00
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
/**
|
|
|
|
* do_ld_mmio_beN:
|
2023-09-12 18:34:22 +03:00
|
|
|
* @cpu: generic cpu state
|
2023-08-01 17:55:38 +03:00
|
|
|
* @full: page parameters
|
2022-10-29 00:40:51 +03:00
|
|
|
* @ret_be: accumulated data
|
2023-08-01 17:55:38 +03:00
|
|
|
* @addr: virtual address
|
|
|
|
* @size: number of bytes
|
2022-10-29 00:40:51 +03:00
|
|
|
* @mmu_idx: virtual address context
|
|
|
|
* @ra: return address into tcg generated code, or 0
|
2024-01-02 18:35:28 +03:00
|
|
|
* Context: BQL held
|
2022-10-29 00:40:51 +03:00
|
|
|
*
|
2023-08-01 17:55:38 +03:00
|
|
|
* Load @size bytes from @addr, which is memory-mapped i/o.
|
2022-10-29 00:40:51 +03:00
|
|
|
* The bytes are concatenated in big-endian order with @ret_be.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t int_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 05:54:54 +03:00
|
|
|
uint64_t ret_be, vaddr addr, int size,
|
|
|
|
int mmu_idx, MMUAccessType type, uintptr_t ra,
|
|
|
|
MemoryRegion *mr, hwaddr mr_offset)
|
2022-10-29 00:40:51 +03:00
|
|
|
{
|
2023-08-01 20:10:45 +03:00
|
|
|
do {
|
2023-08-27 19:50:41 +03:00
|
|
|
MemOp this_mop;
|
|
|
|
unsigned this_size;
|
|
|
|
uint64_t val;
|
|
|
|
MemTxResult r;
|
|
|
|
|
2023-08-01 20:10:45 +03:00
|
|
|
/* Read aligned pieces up to 8 bytes. */
|
2023-08-27 19:50:41 +03:00
|
|
|
this_mop = ctz32(size | (int)addr | 8);
|
|
|
|
this_size = 1 << this_mop;
|
|
|
|
this_mop |= MO_BE;
|
|
|
|
|
2023-08-28 05:54:54 +03:00
|
|
|
r = memory_region_dispatch_read(mr, mr_offset, &val,
|
|
|
|
this_mop, full->attrs);
|
2023-08-27 19:50:41 +03:00
|
|
|
if (unlikely(r != MEMTX_OK)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
io_failed(cpu, full, addr, this_size, type, mmu_idx, r, ra);
|
2023-08-01 20:10:45 +03:00
|
|
|
}
|
2023-08-27 19:50:41 +03:00
|
|
|
if (this_size == 8) {
|
|
|
|
return val;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret_be = (ret_be << (this_size * 8)) | val;
|
|
|
|
addr += this_size;
|
|
|
|
mr_offset += this_size;
|
|
|
|
size -= this_size;
|
2023-08-01 20:10:45 +03:00
|
|
|
} while (size);
|
2023-08-27 19:50:41 +03:00
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
return ret_be;
|
|
|
|
}
|
2014-03-28 20:55:24 +04:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_ld_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 05:54:54 +03:00
|
|
|
uint64_t ret_be, vaddr addr, int size,
|
|
|
|
int mmu_idx, MMUAccessType type, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MemoryRegionSection *section;
|
|
|
|
MemoryRegion *mr;
|
|
|
|
hwaddr mr_offset;
|
|
|
|
MemTxAttrs attrs;
|
|
|
|
|
|
|
|
tcg_debug_assert(size > 0 && size <= 8);
|
|
|
|
|
|
|
|
attrs = full->attrs;
|
2023-09-12 18:34:22 +03:00
|
|
|
section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
|
2023-08-28 05:54:54 +03:00
|
|
|
mr = section->mr;
|
|
|
|
|
tcg: Avoid double lock if page tables happen to be in mmio memory.
On i386, after fixing the page walking code to work with pages in
MMIO memory (specifically CXL emulated interleaved memory),
a crash was seen in an interrupt handling path.
Useful part of backtrace
7 0x0000555555ab1929 in bql_lock_impl (file=0x555556049122 "../../accel/tcg/cputlb.c", line=2033) at ../../system/cpus.c:524
8 bql_lock_impl (file=file@entry=0x555556049122 "../../accel/tcg/cputlb.c", line=line@entry=2033) at ../../system/cpus.c:520
9 0x0000555555c9f7d6 in do_ld_mmio_beN (cpu=0x5555578e0cb0, full=0x7ffe88012950, ret_be=ret_be@entry=0, addr=19595792376, size=size@entry=8, mmu_idx=4, type=MMU_DATA_LOAD, ra=0) at ../../accel/tcg/cputlb.c:2033
10 0x0000555555ca0fbd in do_ld_8 (cpu=cpu@entry=0x5555578e0cb0, p=p@entry=0x7ffff4efd1d0, mmu_idx=<optimized out>, type=type@entry=MMU_DATA_LOAD, memop=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:2356
11 0x0000555555ca341f in do_ld8_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=19595792376, oi=oi@entry=52, ra=0, ra@entry=52, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2439
12 0x0000555555ca5f59 in cpu_ldq_mmu (ra=52, oi=52, addr=19595792376, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:169
13 cpu_ldq_le_mmuidx_ra (env=0x5555578e3470, addr=19595792376, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:301
14 0x0000555555b4b5fc in ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:98
15 ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:93
16 mmu_translate (env=env@entry=0x5555578e3470, in=0x7ffff4efd3e0, out=0x7ffff4efd3b0, err=err@entry=0x7ffff4efd3c0, ra=ra@entry=0) at ../../target/i386/tcg/sysemu/excp_helper.c:174
17 0x0000555555b4c4b3 in get_physical_address (ra=0, err=0x7ffff4efd3c0, out=0x7ffff4efd3b0, mmu_idx=0, access_type=MMU_DATA_LOAD, addr=18446741874686299840, env=0x5555578e3470) at ../../target/i386/tcg/sysemu/excp_helper.c:580
18 x86_cpu_tlb_fill (cs=0x5555578e0cb0, addr=18446741874686299840, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0) at ../../target/i386/tcg/sysemu/excp_helper.c:606
19 0x0000555555ca0ee9 in tlb_fill (retaddr=0, mmu_idx=0, access_type=MMU_DATA_LOAD, size=<optimized out>, addr=18446741874686299840, cpu=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1315
20 mmu_lookup1 (cpu=cpu@entry=0x5555578e0cb0, data=data@entry=0x7ffff4efd540, mmu_idx=0, access_type=access_type@entry=MMU_DATA_LOAD, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:1713
21 0x0000555555ca2c61 in mmu_lookup (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, type=type@entry=MMU_DATA_LOAD, l=l@entry=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1803
22 0x0000555555ca3165 in do_ld4_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2416
23 0x0000555555ca5ef9 in cpu_ldl_mmu (ra=0, oi=32, addr=18446741874686299840, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:158
24 cpu_ldl_le_mmuidx_ra (env=env@entry=0x5555578e3470, addr=addr@entry=18446741874686299840, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:294
25 0x0000555555bb6cdd in do_interrupt64 (is_hw=1, next_eip=18446744072399775809, error_code=0, is_int=0, intno=236, env=0x5555578e3470) at ../../target/i386/tcg/seg_helper.c:889
26 do_interrupt_all (cpu=cpu@entry=0x5555578e0cb0, intno=236, is_int=is_int@entry=0, error_code=error_code@entry=0, next_eip=next_eip@entry=0, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1130
27 0x0000555555bb87da in do_interrupt_x86_hardirq (env=env@entry=0x5555578e3470, intno=<optimized out>, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1162
28 0x0000555555b5039c in x86_cpu_exec_interrupt (cs=0x5555578e0cb0, interrupt_request=<optimized out>) at ../../target/i386/tcg/sysemu/seg_helper.c:197
29 0x0000555555c94480 in cpu_handle_interrupt (last_tb=<synthetic pointer>, cpu=0x5555578e0cb0) at ../../accel/tcg/cpu-exec.c:844
Peter identified this as being due to the BQL already being
held when the page table walker encounters MMIO memory and attempts
to take the lock again. There are other examples of similar paths
TCG, so this follows the approach taken in those of simply checking
if the lock is already held and if it is, don't take it again.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240219173153.12114-4-Jonathan.Cameron@huawei.com>
[rth: Use BQL_LOCK_GUARD]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-02-19 20:31:53 +03:00
|
|
|
BQL_LOCK_GUARD();
|
|
|
|
return int_ld_mmio_beN(cpu, full, ret_be, addr, size, mmu_idx,
|
|
|
|
type, ra, mr, mr_offset);
|
2023-08-28 05:54:54 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static Int128 do_ld16_mmio_beN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 05:54:54 +03:00
|
|
|
uint64_t ret_be, vaddr addr, int size,
|
|
|
|
int mmu_idx, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MemoryRegionSection *section;
|
|
|
|
MemoryRegion *mr;
|
|
|
|
hwaddr mr_offset;
|
|
|
|
MemTxAttrs attrs;
|
|
|
|
uint64_t a, b;
|
|
|
|
|
|
|
|
tcg_debug_assert(size > 8 && size <= 16);
|
|
|
|
|
|
|
|
attrs = full->attrs;
|
2023-09-12 18:34:22 +03:00
|
|
|
section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
|
2023-08-28 05:54:54 +03:00
|
|
|
mr = section->mr;
|
|
|
|
|
tcg: Avoid double lock if page tables happen to be in mmio memory.
On i386, after fixing the page walking code to work with pages in
MMIO memory (specifically CXL emulated interleaved memory),
a crash was seen in an interrupt handling path.
Useful part of backtrace
7 0x0000555555ab1929 in bql_lock_impl (file=0x555556049122 "../../accel/tcg/cputlb.c", line=2033) at ../../system/cpus.c:524
8 bql_lock_impl (file=file@entry=0x555556049122 "../../accel/tcg/cputlb.c", line=line@entry=2033) at ../../system/cpus.c:520
9 0x0000555555c9f7d6 in do_ld_mmio_beN (cpu=0x5555578e0cb0, full=0x7ffe88012950, ret_be=ret_be@entry=0, addr=19595792376, size=size@entry=8, mmu_idx=4, type=MMU_DATA_LOAD, ra=0) at ../../accel/tcg/cputlb.c:2033
10 0x0000555555ca0fbd in do_ld_8 (cpu=cpu@entry=0x5555578e0cb0, p=p@entry=0x7ffff4efd1d0, mmu_idx=<optimized out>, type=type@entry=MMU_DATA_LOAD, memop=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:2356
11 0x0000555555ca341f in do_ld8_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=19595792376, oi=oi@entry=52, ra=0, ra@entry=52, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2439
12 0x0000555555ca5f59 in cpu_ldq_mmu (ra=52, oi=52, addr=19595792376, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:169
13 cpu_ldq_le_mmuidx_ra (env=0x5555578e3470, addr=19595792376, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:301
14 0x0000555555b4b5fc in ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:98
15 ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:93
16 mmu_translate (env=env@entry=0x5555578e3470, in=0x7ffff4efd3e0, out=0x7ffff4efd3b0, err=err@entry=0x7ffff4efd3c0, ra=ra@entry=0) at ../../target/i386/tcg/sysemu/excp_helper.c:174
17 0x0000555555b4c4b3 in get_physical_address (ra=0, err=0x7ffff4efd3c0, out=0x7ffff4efd3b0, mmu_idx=0, access_type=MMU_DATA_LOAD, addr=18446741874686299840, env=0x5555578e3470) at ../../target/i386/tcg/sysemu/excp_helper.c:580
18 x86_cpu_tlb_fill (cs=0x5555578e0cb0, addr=18446741874686299840, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0) at ../../target/i386/tcg/sysemu/excp_helper.c:606
19 0x0000555555ca0ee9 in tlb_fill (retaddr=0, mmu_idx=0, access_type=MMU_DATA_LOAD, size=<optimized out>, addr=18446741874686299840, cpu=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1315
20 mmu_lookup1 (cpu=cpu@entry=0x5555578e0cb0, data=data@entry=0x7ffff4efd540, mmu_idx=0, access_type=access_type@entry=MMU_DATA_LOAD, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:1713
21 0x0000555555ca2c61 in mmu_lookup (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, type=type@entry=MMU_DATA_LOAD, l=l@entry=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1803
22 0x0000555555ca3165 in do_ld4_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2416
23 0x0000555555ca5ef9 in cpu_ldl_mmu (ra=0, oi=32, addr=18446741874686299840, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:158
24 cpu_ldl_le_mmuidx_ra (env=env@entry=0x5555578e3470, addr=addr@entry=18446741874686299840, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:294
25 0x0000555555bb6cdd in do_interrupt64 (is_hw=1, next_eip=18446744072399775809, error_code=0, is_int=0, intno=236, env=0x5555578e3470) at ../../target/i386/tcg/seg_helper.c:889
26 do_interrupt_all (cpu=cpu@entry=0x5555578e0cb0, intno=236, is_int=is_int@entry=0, error_code=error_code@entry=0, next_eip=next_eip@entry=0, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1130
27 0x0000555555bb87da in do_interrupt_x86_hardirq (env=env@entry=0x5555578e3470, intno=<optimized out>, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1162
28 0x0000555555b5039c in x86_cpu_exec_interrupt (cs=0x5555578e0cb0, interrupt_request=<optimized out>) at ../../target/i386/tcg/sysemu/seg_helper.c:197
29 0x0000555555c94480 in cpu_handle_interrupt (last_tb=<synthetic pointer>, cpu=0x5555578e0cb0) at ../../accel/tcg/cpu-exec.c:844
Peter identified this as being due to the BQL already being
held when the page table walker encounters MMIO memory and attempts
to take the lock again. There are other examples of similar paths
TCG, so this follows the approach taken in those of simply checking
if the lock is already held and if it is, don't take it again.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240219173153.12114-4-Jonathan.Cameron@huawei.com>
[rth: Use BQL_LOCK_GUARD]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-02-19 20:31:53 +03:00
|
|
|
BQL_LOCK_GUARD();
|
2023-09-12 18:34:22 +03:00
|
|
|
a = int_ld_mmio_beN(cpu, full, ret_be, addr, size - 8, mmu_idx,
|
2023-08-28 05:54:54 +03:00
|
|
|
MMU_DATA_LOAD, ra, mr, mr_offset);
|
2023-09-12 18:34:22 +03:00
|
|
|
b = int_ld_mmio_beN(cpu, full, ret_be, addr + size - 8, 8, mmu_idx,
|
2023-08-28 05:54:54 +03:00
|
|
|
MMU_DATA_LOAD, ra, mr, mr_offset + size - 8);
|
|
|
|
return int128_make128(b, a);
|
|
|
|
}
|
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
/**
|
|
|
|
* do_ld_bytes_beN
|
|
|
|
* @p: translation parameters
|
|
|
|
* @ret_be: accumulated data
|
|
|
|
*
|
|
|
|
* Load @p->size bytes from @p->haddr, which is RAM.
|
|
|
|
* The bytes to concatenated in big-endian order with @ret_be.
|
|
|
|
*/
|
|
|
|
static uint64_t do_ld_bytes_beN(MMULookupPageData *p, uint64_t ret_be)
|
|
|
|
{
|
|
|
|
uint8_t *haddr = p->haddr;
|
|
|
|
int i, size = p->size;
|
2022-04-01 20:08:13 +03:00
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
for (i = 0; i < size; i++) {
|
|
|
|
ret_be = (ret_be << 8) | haddr[i];
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2022-10-29 00:40:51 +03:00
|
|
|
return ret_be;
|
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
|
2022-10-29 08:01:04 +03:00
|
|
|
/**
|
|
|
|
* do_ld_parts_beN
|
|
|
|
* @p: translation parameters
|
|
|
|
* @ret_be: accumulated data
|
|
|
|
*
|
|
|
|
* As do_ld_bytes_beN, but atomically on each aligned part.
|
|
|
|
*/
|
|
|
|
static uint64_t do_ld_parts_beN(MMULookupPageData *p, uint64_t ret_be)
|
|
|
|
{
|
|
|
|
void *haddr = p->haddr;
|
|
|
|
int size = p->size;
|
|
|
|
|
|
|
|
do {
|
|
|
|
uint64_t x;
|
|
|
|
int n;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Find minimum of alignment and size.
|
|
|
|
* This is slightly stronger than required by MO_ATOM_SUBALIGN, which
|
|
|
|
* would have only checked the low bits of addr|size once at the start,
|
|
|
|
* but is just as easy.
|
|
|
|
*/
|
|
|
|
switch (((uintptr_t)haddr | size) & 7) {
|
|
|
|
case 4:
|
|
|
|
x = cpu_to_be32(load_atomic4(haddr));
|
|
|
|
ret_be = (ret_be << 32) | x;
|
|
|
|
n = 4;
|
|
|
|
break;
|
|
|
|
case 2:
|
|
|
|
case 6:
|
|
|
|
x = cpu_to_be16(load_atomic2(haddr));
|
|
|
|
ret_be = (ret_be << 16) | x;
|
|
|
|
n = 2;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
x = *(uint8_t *)haddr;
|
|
|
|
ret_be = (ret_be << 8) | x;
|
|
|
|
n = 1;
|
|
|
|
break;
|
|
|
|
case 0:
|
|
|
|
g_assert_not_reached();
|
|
|
|
}
|
|
|
|
haddr += n;
|
|
|
|
size -= n;
|
|
|
|
} while (size != 0);
|
|
|
|
return ret_be;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* do_ld_parts_be4
|
|
|
|
* @p: translation parameters
|
|
|
|
* @ret_be: accumulated data
|
|
|
|
*
|
|
|
|
* As do_ld_bytes_beN, but with one atomic load.
|
|
|
|
* Four aligned bytes are guaranteed to cover the load.
|
|
|
|
*/
|
|
|
|
static uint64_t do_ld_whole_be4(MMULookupPageData *p, uint64_t ret_be)
|
|
|
|
{
|
|
|
|
int o = p->addr & 3;
|
|
|
|
uint32_t x = load_atomic4(p->haddr - o);
|
|
|
|
|
|
|
|
x = cpu_to_be32(x);
|
|
|
|
x <<= o * 8;
|
|
|
|
x >>= (4 - p->size) * 8;
|
|
|
|
return (ret_be << (p->size * 8)) | x;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* do_ld_parts_be8
|
|
|
|
* @p: translation parameters
|
|
|
|
* @ret_be: accumulated data
|
|
|
|
*
|
|
|
|
* As do_ld_bytes_beN, but with one atomic load.
|
|
|
|
* Eight aligned bytes are guaranteed to cover the load.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_ld_whole_be8(CPUState *cpu, uintptr_t ra,
|
2022-10-29 08:01:04 +03:00
|
|
|
MMULookupPageData *p, uint64_t ret_be)
|
|
|
|
{
|
|
|
|
int o = p->addr & 7;
|
2023-09-12 18:34:24 +03:00
|
|
|
uint64_t x = load_atomic8_or_exit(cpu, ra, p->haddr - o);
|
2022-10-29 08:01:04 +03:00
|
|
|
|
|
|
|
x = cpu_to_be64(x);
|
|
|
|
x <<= o * 8;
|
|
|
|
x >>= (8 - p->size) * 8;
|
|
|
|
return (ret_be << (p->size * 8)) | x;
|
|
|
|
}
|
|
|
|
|
2023-02-15 11:16:17 +03:00
|
|
|
/**
|
|
|
|
* do_ld_parts_be16
|
|
|
|
* @p: translation parameters
|
|
|
|
* @ret_be: accumulated data
|
|
|
|
*
|
|
|
|
* As do_ld_bytes_beN, but with one atomic load.
|
|
|
|
* 16 aligned bytes are guaranteed to cover the load.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static Int128 do_ld_whole_be16(CPUState *cpu, uintptr_t ra,
|
2023-02-15 11:16:17 +03:00
|
|
|
MMULookupPageData *p, uint64_t ret_be)
|
|
|
|
{
|
|
|
|
int o = p->addr & 15;
|
2023-09-12 18:34:24 +03:00
|
|
|
Int128 x, y = load_atomic16_or_exit(cpu, ra, p->haddr - o);
|
2023-02-15 11:16:17 +03:00
|
|
|
int size = p->size;
|
|
|
|
|
|
|
|
if (!HOST_BIG_ENDIAN) {
|
|
|
|
y = bswap128(y);
|
|
|
|
}
|
|
|
|
y = int128_lshift(y, o * 8);
|
|
|
|
y = int128_urshift(y, (16 - size) * 8);
|
|
|
|
x = int128_make64(ret_be);
|
|
|
|
x = int128_lshift(x, size * 8);
|
|
|
|
return int128_or(x, y);
|
|
|
|
}
|
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
/*
|
|
|
|
* Wrapper for the above.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_ld_beN(CPUState *cpu, MMULookupPageData *p,
|
2022-10-29 08:01:04 +03:00
|
|
|
uint64_t ret_be, int mmu_idx, MMUAccessType type,
|
|
|
|
MemOp mop, uintptr_t ra)
|
2022-10-29 00:40:51 +03:00
|
|
|
{
|
2022-10-29 08:01:04 +03:00
|
|
|
MemOp atom;
|
|
|
|
unsigned tmp, half_size;
|
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_mmio_beN(cpu, p->full, ret_be, p->addr, p->size,
|
2023-08-01 17:55:38 +03:00
|
|
|
mmu_idx, type, ra);
|
2022-10-29 08:01:04 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* It is a given that we cross a page and therefore there is no
|
|
|
|
* atomicity for the load as a whole, but subobjects may need attention.
|
|
|
|
*/
|
|
|
|
atom = mop & MO_ATOM_MASK;
|
|
|
|
switch (atom) {
|
|
|
|
case MO_ATOM_SUBALIGN:
|
|
|
|
return do_ld_parts_beN(p, ret_be);
|
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN_PAIR:
|
|
|
|
case MO_ATOM_WITHIN16_PAIR:
|
|
|
|
tmp = mop & MO_SIZE;
|
|
|
|
tmp = tmp ? tmp - 1 : 0;
|
|
|
|
half_size = 1 << tmp;
|
|
|
|
if (atom == MO_ATOM_IFALIGN_PAIR
|
|
|
|
? p->size == half_size
|
|
|
|
: p->size >= half_size) {
|
|
|
|
if (!HAVE_al8_fast && p->size < 4) {
|
|
|
|
return do_ld_whole_be4(p, ret_be);
|
|
|
|
} else {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_whole_be8(cpu, ra, p, ret_be);
|
2022-10-29 08:01:04 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
/* fall through */
|
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN:
|
|
|
|
case MO_ATOM_WITHIN16:
|
|
|
|
case MO_ATOM_NONE:
|
2022-10-29 00:40:51 +03:00
|
|
|
return do_ld_bytes_beN(p, ret_be);
|
2022-10-29 08:01:04 +03:00
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
}
|
2019-08-24 19:51:09 +03:00
|
|
|
|
2023-02-15 11:16:17 +03:00
|
|
|
/*
|
|
|
|
* Wrapper for the above, for 8 < size < 16.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static Int128 do_ld16_beN(CPUState *cpu, MMULookupPageData *p,
|
2023-02-15 11:16:17 +03:00
|
|
|
uint64_t a, int mmu_idx, MemOp mop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
int size = p->size;
|
|
|
|
uint64_t b;
|
|
|
|
MemOp atom;
|
|
|
|
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld16_mmio_beN(cpu, p->full, a, p->addr, size, mmu_idx, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* It is a given that we cross a page and therefore there is no
|
|
|
|
* atomicity for the load as a whole, but subobjects may need attention.
|
|
|
|
*/
|
|
|
|
atom = mop & MO_ATOM_MASK;
|
|
|
|
switch (atom) {
|
|
|
|
case MO_ATOM_SUBALIGN:
|
|
|
|
p->size = size - 8;
|
|
|
|
a = do_ld_parts_beN(p, a);
|
|
|
|
p->haddr += size - 8;
|
|
|
|
p->size = 8;
|
|
|
|
b = do_ld_parts_beN(p, 0);
|
|
|
|
break;
|
|
|
|
|
|
|
|
case MO_ATOM_WITHIN16_PAIR:
|
|
|
|
/* Since size > 8, this is the half that must be atomic. */
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_whole_be16(cpu, ra, p, a);
|
2023-02-15 11:16:17 +03:00
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN_PAIR:
|
|
|
|
/*
|
|
|
|
* Since size > 8, both halves are misaligned,
|
|
|
|
* and so neither is atomic.
|
|
|
|
*/
|
|
|
|
case MO_ATOM_IFALIGN:
|
|
|
|
case MO_ATOM_WITHIN16:
|
|
|
|
case MO_ATOM_NONE:
|
|
|
|
p->size = size - 8;
|
|
|
|
a = do_ld_bytes_beN(p, a);
|
|
|
|
b = ldq_be_p(p->haddr + size - 8);
|
|
|
|
break;
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
|
|
|
}
|
|
|
|
|
|
|
|
return int128_make128(b, a);
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint8_t do_ld_1(CPUState *cpu, MMULookupPageData *p, int mmu_idx,
|
2022-10-29 00:40:51 +03:00
|
|
|
MMUAccessType type, uintptr_t ra)
|
|
|
|
{
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_mmio_beN(cpu, p->full, 0, p->addr, 1, mmu_idx, type, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
} else {
|
|
|
|
return *(uint8_t *)p->haddr;
|
|
|
|
}
|
|
|
|
}
|
2019-08-24 19:51:09 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint16_t do_ld_2(CPUState *cpu, MMULookupPageData *p, int mmu_idx,
|
2022-10-29 00:40:51 +03:00
|
|
|
MMUAccessType type, MemOp memop, uintptr_t ra)
|
|
|
|
{
|
2023-08-01 20:46:03 +03:00
|
|
|
uint16_t ret;
|
2019-08-24 19:51:09 +03:00
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 2, mmu_idx, type, ra);
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap16(ret);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* Perform the load host endian, then swap if necessary. */
|
2023-09-12 18:34:24 +03:00
|
|
|
ret = load_atom_2(cpu, ra, p->haddr, memop);
|
2023-08-01 20:46:03 +03:00
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
ret = bswap16(ret);
|
|
|
|
}
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
2019-09-10 22:47:39 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint32_t do_ld_4(CPUState *cpu, MMULookupPageData *p, int mmu_idx,
|
2022-10-29 00:40:51 +03:00
|
|
|
MMUAccessType type, MemOp memop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
uint32_t ret;
|
2019-09-10 22:47:39 +03:00
|
|
|
|
2022-10-29 00:40:51 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 4, mmu_idx, type, ra);
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap32(ret);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* Perform the load host endian. */
|
2023-09-12 18:34:24 +03:00
|
|
|
ret = load_atom_4(cpu, ra, p->haddr, memop);
|
2023-08-01 20:46:03 +03:00
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
ret = bswap32(ret);
|
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2022-10-29 00:40:51 +03:00
|
|
|
return ret;
|
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_ld_8(CPUState *cpu, MMULookupPageData *p, int mmu_idx,
|
2022-10-29 00:40:51 +03:00
|
|
|
MMUAccessType type, MemOp memop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
uint64_t ret;
|
|
|
|
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld_mmio_beN(cpu, p->full, 0, p->addr, 8, mmu_idx, type, ra);
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap64(ret);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* Perform the load host endian. */
|
2023-09-12 18:34:24 +03:00
|
|
|
ret = load_atom_8(cpu, ra, p->haddr, memop);
|
2023-08-01 20:46:03 +03:00
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
ret = bswap64(ret);
|
|
|
|
}
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
return ret;
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint8_t do_ld1_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2022-10-29 00:40:51 +03:00
|
|
|
uintptr_t ra, MMUAccessType access_type)
|
2019-04-26 06:48:57 +03:00
|
|
|
{
|
2022-10-29 00:40:51 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l);
|
2022-10-29 00:40:51 +03:00
|
|
|
tcg_debug_assert(!crosspage);
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_1(cpu, &l.page[0], l.mmu_idx, access_type, ra);
|
2019-04-26 06:48:57 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint16_t do_ld2_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2022-10-29 00:40:51 +03:00
|
|
|
uintptr_t ra, MMUAccessType access_type)
|
2019-04-26 06:48:57 +03:00
|
|
|
{
|
2022-10-29 00:40:51 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint16_t ret;
|
|
|
|
uint8_t a, b;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l);
|
2022-10-29 00:40:51 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_2(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
a = do_ld_1(cpu, &l.page[0], l.mmu_idx, access_type, ra);
|
|
|
|
b = do_ld_1(cpu, &l.page[1], l.mmu_idx, access_type, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
|
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = a | (b << 8);
|
|
|
|
} else {
|
|
|
|
ret = b | (a << 8);
|
|
|
|
}
|
|
|
|
return ret;
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint32_t do_ld4_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2022-10-29 00:40:51 +03:00
|
|
|
uintptr_t ra, MMUAccessType access_type)
|
2019-04-26 06:48:57 +03:00
|
|
|
{
|
2022-10-29 00:40:51 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint32_t ret;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l);
|
2022-10-29 00:40:51 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_4(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx, access_type, l.memop, ra);
|
|
|
|
ret = do_ld_beN(cpu, &l.page[1], ret, l.mmu_idx, access_type, l.memop, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap32(ret);
|
|
|
|
}
|
|
|
|
return ret;
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_ld8_mmu(CPUState *cpu, vaddr addr, MemOpIdx oi,
|
2022-10-29 00:40:51 +03:00
|
|
|
uintptr_t ra, MMUAccessType access_type)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2022-10-29 00:40:51 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint64_t ret;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, access_type, &l);
|
2022-10-29 00:40:51 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld_8(cpu, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx, access_type, l.memop, ra);
|
|
|
|
ret = do_ld_beN(cpu, &l.page[1], ret, l.mmu_idx, access_type, l.memop, ra);
|
2022-10-29 00:40:51 +03:00
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap64(ret);
|
|
|
|
}
|
|
|
|
return ret;
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static Int128 do_ld16_mmu(CPUState *cpu, vaddr addr,
|
2023-02-15 11:16:17 +03:00
|
|
|
MemOpIdx oi, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint64_t a, b;
|
|
|
|
Int128 ret;
|
|
|
|
int first;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_LD | TCG_MO_ST_LD);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_LOAD, &l);
|
2023-02-15 11:16:17 +03:00
|
|
|
if (likely(!crosspage)) {
|
|
|
|
if (unlikely(l.page[0].flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld16_mmio_beN(cpu, l.page[0].full, 0, addr, 16,
|
2023-08-28 05:54:54 +03:00
|
|
|
l.mmu_idx, ra);
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap128(ret);
|
|
|
|
}
|
2023-02-15 11:16:17 +03:00
|
|
|
} else {
|
2023-08-01 20:46:03 +03:00
|
|
|
/* Perform the load host endian. */
|
2023-09-12 18:34:24 +03:00
|
|
|
ret = load_atom_16(cpu, ra, l.page[0].haddr, l.memop);
|
2023-08-01 20:46:03 +03:00
|
|
|
if (l.memop & MO_BSWAP) {
|
|
|
|
ret = bswap128(ret);
|
|
|
|
}
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
first = l.page[0].size;
|
|
|
|
if (first == 8) {
|
|
|
|
MemOp mop8 = (l.memop & ~MO_SIZE) | MO_64;
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
a = do_ld_8(cpu, &l.page[0], l.mmu_idx, MMU_DATA_LOAD, mop8, ra);
|
|
|
|
b = do_ld_8(cpu, &l.page[1], l.mmu_idx, MMU_DATA_LOAD, mop8, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
if ((mop8 & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = int128_make128(a, b);
|
|
|
|
} else {
|
|
|
|
ret = int128_make128(b, a);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (first < 8) {
|
2023-09-12 18:34:22 +03:00
|
|
|
a = do_ld_beN(cpu, &l.page[0], 0, l.mmu_idx,
|
2023-02-15 11:16:17 +03:00
|
|
|
MMU_DATA_LOAD, l.memop, ra);
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld16_beN(cpu, &l.page[1], a, l.mmu_idx, l.memop, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
} else {
|
2023-09-12 18:34:22 +03:00
|
|
|
ret = do_ld16_beN(cpu, &l.page[0], 0, l.mmu_idx, l.memop, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
b = int128_getlo(ret);
|
|
|
|
ret = int128_lshift(ret, l.page[1].size * 8);
|
|
|
|
a = int128_gethi(ret);
|
2023-09-12 18:34:22 +03:00
|
|
|
b = do_ld_beN(cpu, &l.page[1], b, l.mmu_idx,
|
2023-02-15 11:16:17 +03:00
|
|
|
MMU_DATA_LOAD, l.memop, ra);
|
|
|
|
ret = int128_make128(b, a);
|
|
|
|
}
|
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
ret = bswap128(ret);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2019-02-15 17:31:13 +03:00
|
|
|
/*
|
|
|
|
* Store Helpers
|
|
|
|
*/
|
|
|
|
|
2022-10-30 04:07:32 +03:00
|
|
|
/**
|
|
|
|
* do_st_mmio_leN:
|
2023-09-12 18:34:22 +03:00
|
|
|
* @cpu: generic cpu state
|
2023-08-01 17:55:38 +03:00
|
|
|
* @full: page parameters
|
2022-10-30 04:07:32 +03:00
|
|
|
* @val_le: data to store
|
2023-08-01 17:55:38 +03:00
|
|
|
* @addr: virtual address
|
|
|
|
* @size: number of bytes
|
2022-10-30 04:07:32 +03:00
|
|
|
* @mmu_idx: virtual address context
|
|
|
|
* @ra: return address into tcg generated code, or 0
|
2024-01-02 18:35:28 +03:00
|
|
|
* Context: BQL held
|
2022-10-30 04:07:32 +03:00
|
|
|
*
|
2023-08-01 17:55:38 +03:00
|
|
|
* Store @size bytes at @addr, which is memory-mapped i/o.
|
2022-10-30 04:07:32 +03:00
|
|
|
* The bytes to store are extracted in little-endian order from @val_le;
|
|
|
|
* return the bytes of @val_le beyond @p->size that have not been stored.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t int_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 06:09:58 +03:00
|
|
|
uint64_t val_le, vaddr addr, int size,
|
|
|
|
int mmu_idx, uintptr_t ra,
|
|
|
|
MemoryRegion *mr, hwaddr mr_offset)
|
2022-10-30 04:07:32 +03:00
|
|
|
{
|
2023-08-01 20:10:45 +03:00
|
|
|
do {
|
2023-08-27 21:25:25 +03:00
|
|
|
MemOp this_mop;
|
|
|
|
unsigned this_size;
|
|
|
|
MemTxResult r;
|
|
|
|
|
2023-08-01 20:10:45 +03:00
|
|
|
/* Store aligned pieces up to 8 bytes. */
|
2023-08-27 21:25:25 +03:00
|
|
|
this_mop = ctz32(size | (int)addr | 8);
|
|
|
|
this_size = 1 << this_mop;
|
|
|
|
this_mop |= MO_LE;
|
|
|
|
|
|
|
|
r = memory_region_dispatch_write(mr, mr_offset, val_le,
|
2023-08-28 06:09:58 +03:00
|
|
|
this_mop, full->attrs);
|
2023-08-27 21:25:25 +03:00
|
|
|
if (unlikely(r != MEMTX_OK)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
io_failed(cpu, full, addr, this_size, MMU_DATA_STORE,
|
2023-08-27 21:25:25 +03:00
|
|
|
mmu_idx, r, ra);
|
|
|
|
}
|
|
|
|
if (this_size == 8) {
|
2023-08-01 20:10:45 +03:00
|
|
|
return 0;
|
|
|
|
}
|
2023-08-27 21:25:25 +03:00
|
|
|
|
|
|
|
val_le >>= this_size * 8;
|
|
|
|
addr += this_size;
|
|
|
|
mr_offset += this_size;
|
|
|
|
size -= this_size;
|
2023-08-01 20:10:45 +03:00
|
|
|
} while (size);
|
|
|
|
|
2022-10-30 04:07:32 +03:00
|
|
|
return val_le;
|
|
|
|
}
|
2020-07-27 01:39:53 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_st_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 06:09:58 +03:00
|
|
|
uint64_t val_le, vaddr addr, int size,
|
|
|
|
int mmu_idx, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MemoryRegionSection *section;
|
|
|
|
hwaddr mr_offset;
|
|
|
|
MemoryRegion *mr;
|
|
|
|
MemTxAttrs attrs;
|
|
|
|
|
|
|
|
tcg_debug_assert(size > 0 && size <= 8);
|
|
|
|
|
|
|
|
attrs = full->attrs;
|
2023-09-12 18:34:22 +03:00
|
|
|
section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
|
2023-08-28 06:09:58 +03:00
|
|
|
mr = section->mr;
|
|
|
|
|
tcg: Avoid double lock if page tables happen to be in mmio memory.
On i386, after fixing the page walking code to work with pages in
MMIO memory (specifically CXL emulated interleaved memory),
a crash was seen in an interrupt handling path.
Useful part of backtrace
7 0x0000555555ab1929 in bql_lock_impl (file=0x555556049122 "../../accel/tcg/cputlb.c", line=2033) at ../../system/cpus.c:524
8 bql_lock_impl (file=file@entry=0x555556049122 "../../accel/tcg/cputlb.c", line=line@entry=2033) at ../../system/cpus.c:520
9 0x0000555555c9f7d6 in do_ld_mmio_beN (cpu=0x5555578e0cb0, full=0x7ffe88012950, ret_be=ret_be@entry=0, addr=19595792376, size=size@entry=8, mmu_idx=4, type=MMU_DATA_LOAD, ra=0) at ../../accel/tcg/cputlb.c:2033
10 0x0000555555ca0fbd in do_ld_8 (cpu=cpu@entry=0x5555578e0cb0, p=p@entry=0x7ffff4efd1d0, mmu_idx=<optimized out>, type=type@entry=MMU_DATA_LOAD, memop=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:2356
11 0x0000555555ca341f in do_ld8_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=19595792376, oi=oi@entry=52, ra=0, ra@entry=52, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2439
12 0x0000555555ca5f59 in cpu_ldq_mmu (ra=52, oi=52, addr=19595792376, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:169
13 cpu_ldq_le_mmuidx_ra (env=0x5555578e3470, addr=19595792376, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:301
14 0x0000555555b4b5fc in ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:98
15 ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:93
16 mmu_translate (env=env@entry=0x5555578e3470, in=0x7ffff4efd3e0, out=0x7ffff4efd3b0, err=err@entry=0x7ffff4efd3c0, ra=ra@entry=0) at ../../target/i386/tcg/sysemu/excp_helper.c:174
17 0x0000555555b4c4b3 in get_physical_address (ra=0, err=0x7ffff4efd3c0, out=0x7ffff4efd3b0, mmu_idx=0, access_type=MMU_DATA_LOAD, addr=18446741874686299840, env=0x5555578e3470) at ../../target/i386/tcg/sysemu/excp_helper.c:580
18 x86_cpu_tlb_fill (cs=0x5555578e0cb0, addr=18446741874686299840, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0) at ../../target/i386/tcg/sysemu/excp_helper.c:606
19 0x0000555555ca0ee9 in tlb_fill (retaddr=0, mmu_idx=0, access_type=MMU_DATA_LOAD, size=<optimized out>, addr=18446741874686299840, cpu=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1315
20 mmu_lookup1 (cpu=cpu@entry=0x5555578e0cb0, data=data@entry=0x7ffff4efd540, mmu_idx=0, access_type=access_type@entry=MMU_DATA_LOAD, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:1713
21 0x0000555555ca2c61 in mmu_lookup (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, type=type@entry=MMU_DATA_LOAD, l=l@entry=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1803
22 0x0000555555ca3165 in do_ld4_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2416
23 0x0000555555ca5ef9 in cpu_ldl_mmu (ra=0, oi=32, addr=18446741874686299840, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:158
24 cpu_ldl_le_mmuidx_ra (env=env@entry=0x5555578e3470, addr=addr@entry=18446741874686299840, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:294
25 0x0000555555bb6cdd in do_interrupt64 (is_hw=1, next_eip=18446744072399775809, error_code=0, is_int=0, intno=236, env=0x5555578e3470) at ../../target/i386/tcg/seg_helper.c:889
26 do_interrupt_all (cpu=cpu@entry=0x5555578e0cb0, intno=236, is_int=is_int@entry=0, error_code=error_code@entry=0, next_eip=next_eip@entry=0, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1130
27 0x0000555555bb87da in do_interrupt_x86_hardirq (env=env@entry=0x5555578e3470, intno=<optimized out>, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1162
28 0x0000555555b5039c in x86_cpu_exec_interrupt (cs=0x5555578e0cb0, interrupt_request=<optimized out>) at ../../target/i386/tcg/sysemu/seg_helper.c:197
29 0x0000555555c94480 in cpu_handle_interrupt (last_tb=<synthetic pointer>, cpu=0x5555578e0cb0) at ../../accel/tcg/cpu-exec.c:844
Peter identified this as being due to the BQL already being
held when the page table walker encounters MMIO memory and attempts
to take the lock again. There are other examples of similar paths
TCG, so this follows the approach taken in those of simply checking
if the lock is already held and if it is, don't take it again.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240219173153.12114-4-Jonathan.Cameron@huawei.com>
[rth: Use BQL_LOCK_GUARD]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-02-19 20:31:53 +03:00
|
|
|
BQL_LOCK_GUARD();
|
|
|
|
return int_st_mmio_leN(cpu, full, val_le, addr, size, mmu_idx,
|
|
|
|
ra, mr, mr_offset);
|
2023-08-28 06:09:58 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_st16_mmio_leN(CPUState *cpu, CPUTLBEntryFull *full,
|
2023-08-28 06:09:58 +03:00
|
|
|
Int128 val_le, vaddr addr, int size,
|
|
|
|
int mmu_idx, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MemoryRegionSection *section;
|
|
|
|
MemoryRegion *mr;
|
|
|
|
hwaddr mr_offset;
|
|
|
|
MemTxAttrs attrs;
|
|
|
|
|
|
|
|
tcg_debug_assert(size > 8 && size <= 16);
|
|
|
|
|
|
|
|
attrs = full->attrs;
|
2023-09-12 18:34:22 +03:00
|
|
|
section = io_prepare(&mr_offset, cpu, full->xlat_section, attrs, addr, ra);
|
2023-08-28 06:09:58 +03:00
|
|
|
mr = section->mr;
|
|
|
|
|
tcg: Avoid double lock if page tables happen to be in mmio memory.
On i386, after fixing the page walking code to work with pages in
MMIO memory (specifically CXL emulated interleaved memory),
a crash was seen in an interrupt handling path.
Useful part of backtrace
7 0x0000555555ab1929 in bql_lock_impl (file=0x555556049122 "../../accel/tcg/cputlb.c", line=2033) at ../../system/cpus.c:524
8 bql_lock_impl (file=file@entry=0x555556049122 "../../accel/tcg/cputlb.c", line=line@entry=2033) at ../../system/cpus.c:520
9 0x0000555555c9f7d6 in do_ld_mmio_beN (cpu=0x5555578e0cb0, full=0x7ffe88012950, ret_be=ret_be@entry=0, addr=19595792376, size=size@entry=8, mmu_idx=4, type=MMU_DATA_LOAD, ra=0) at ../../accel/tcg/cputlb.c:2033
10 0x0000555555ca0fbd in do_ld_8 (cpu=cpu@entry=0x5555578e0cb0, p=p@entry=0x7ffff4efd1d0, mmu_idx=<optimized out>, type=type@entry=MMU_DATA_LOAD, memop=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:2356
11 0x0000555555ca341f in do_ld8_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=19595792376, oi=oi@entry=52, ra=0, ra@entry=52, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2439
12 0x0000555555ca5f59 in cpu_ldq_mmu (ra=52, oi=52, addr=19595792376, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:169
13 cpu_ldq_le_mmuidx_ra (env=0x5555578e3470, addr=19595792376, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:301
14 0x0000555555b4b5fc in ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:98
15 ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:93
16 mmu_translate (env=env@entry=0x5555578e3470, in=0x7ffff4efd3e0, out=0x7ffff4efd3b0, err=err@entry=0x7ffff4efd3c0, ra=ra@entry=0) at ../../target/i386/tcg/sysemu/excp_helper.c:174
17 0x0000555555b4c4b3 in get_physical_address (ra=0, err=0x7ffff4efd3c0, out=0x7ffff4efd3b0, mmu_idx=0, access_type=MMU_DATA_LOAD, addr=18446741874686299840, env=0x5555578e3470) at ../../target/i386/tcg/sysemu/excp_helper.c:580
18 x86_cpu_tlb_fill (cs=0x5555578e0cb0, addr=18446741874686299840, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0) at ../../target/i386/tcg/sysemu/excp_helper.c:606
19 0x0000555555ca0ee9 in tlb_fill (retaddr=0, mmu_idx=0, access_type=MMU_DATA_LOAD, size=<optimized out>, addr=18446741874686299840, cpu=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1315
20 mmu_lookup1 (cpu=cpu@entry=0x5555578e0cb0, data=data@entry=0x7ffff4efd540, mmu_idx=0, access_type=access_type@entry=MMU_DATA_LOAD, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:1713
21 0x0000555555ca2c61 in mmu_lookup (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, type=type@entry=MMU_DATA_LOAD, l=l@entry=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1803
22 0x0000555555ca3165 in do_ld4_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2416
23 0x0000555555ca5ef9 in cpu_ldl_mmu (ra=0, oi=32, addr=18446741874686299840, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:158
24 cpu_ldl_le_mmuidx_ra (env=env@entry=0x5555578e3470, addr=addr@entry=18446741874686299840, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:294
25 0x0000555555bb6cdd in do_interrupt64 (is_hw=1, next_eip=18446744072399775809, error_code=0, is_int=0, intno=236, env=0x5555578e3470) at ../../target/i386/tcg/seg_helper.c:889
26 do_interrupt_all (cpu=cpu@entry=0x5555578e0cb0, intno=236, is_int=is_int@entry=0, error_code=error_code@entry=0, next_eip=next_eip@entry=0, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1130
27 0x0000555555bb87da in do_interrupt_x86_hardirq (env=env@entry=0x5555578e3470, intno=<optimized out>, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1162
28 0x0000555555b5039c in x86_cpu_exec_interrupt (cs=0x5555578e0cb0, interrupt_request=<optimized out>) at ../../target/i386/tcg/sysemu/seg_helper.c:197
29 0x0000555555c94480 in cpu_handle_interrupt (last_tb=<synthetic pointer>, cpu=0x5555578e0cb0) at ../../accel/tcg/cpu-exec.c:844
Peter identified this as being due to the BQL already being
held when the page table walker encounters MMIO memory and attempts
to take the lock again. There are other examples of similar paths
TCG, so this follows the approach taken in those of simply checking
if the lock is already held and if it is, don't take it again.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240219173153.12114-4-Jonathan.Cameron@huawei.com>
[rth: Use BQL_LOCK_GUARD]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-02-19 20:31:53 +03:00
|
|
|
BQL_LOCK_GUARD();
|
2023-09-12 18:34:22 +03:00
|
|
|
int_st_mmio_leN(cpu, full, int128_getlo(val_le), addr, 8,
|
2023-08-28 06:09:58 +03:00
|
|
|
mmu_idx, ra, mr, mr_offset);
|
tcg: Avoid double lock if page tables happen to be in mmio memory.
On i386, after fixing the page walking code to work with pages in
MMIO memory (specifically CXL emulated interleaved memory),
a crash was seen in an interrupt handling path.
Useful part of backtrace
7 0x0000555555ab1929 in bql_lock_impl (file=0x555556049122 "../../accel/tcg/cputlb.c", line=2033) at ../../system/cpus.c:524
8 bql_lock_impl (file=file@entry=0x555556049122 "../../accel/tcg/cputlb.c", line=line@entry=2033) at ../../system/cpus.c:520
9 0x0000555555c9f7d6 in do_ld_mmio_beN (cpu=0x5555578e0cb0, full=0x7ffe88012950, ret_be=ret_be@entry=0, addr=19595792376, size=size@entry=8, mmu_idx=4, type=MMU_DATA_LOAD, ra=0) at ../../accel/tcg/cputlb.c:2033
10 0x0000555555ca0fbd in do_ld_8 (cpu=cpu@entry=0x5555578e0cb0, p=p@entry=0x7ffff4efd1d0, mmu_idx=<optimized out>, type=type@entry=MMU_DATA_LOAD, memop=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:2356
11 0x0000555555ca341f in do_ld8_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=19595792376, oi=oi@entry=52, ra=0, ra@entry=52, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2439
12 0x0000555555ca5f59 in cpu_ldq_mmu (ra=52, oi=52, addr=19595792376, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:169
13 cpu_ldq_le_mmuidx_ra (env=0x5555578e3470, addr=19595792376, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:301
14 0x0000555555b4b5fc in ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:98
15 ptw_ldq (ra=0, in=0x7ffff4efd320) at ../../target/i386/tcg/sysemu/excp_helper.c:93
16 mmu_translate (env=env@entry=0x5555578e3470, in=0x7ffff4efd3e0, out=0x7ffff4efd3b0, err=err@entry=0x7ffff4efd3c0, ra=ra@entry=0) at ../../target/i386/tcg/sysemu/excp_helper.c:174
17 0x0000555555b4c4b3 in get_physical_address (ra=0, err=0x7ffff4efd3c0, out=0x7ffff4efd3b0, mmu_idx=0, access_type=MMU_DATA_LOAD, addr=18446741874686299840, env=0x5555578e3470) at ../../target/i386/tcg/sysemu/excp_helper.c:580
18 x86_cpu_tlb_fill (cs=0x5555578e0cb0, addr=18446741874686299840, size=<optimized out>, access_type=MMU_DATA_LOAD, mmu_idx=0, probe=<optimized out>, retaddr=0) at ../../target/i386/tcg/sysemu/excp_helper.c:606
19 0x0000555555ca0ee9 in tlb_fill (retaddr=0, mmu_idx=0, access_type=MMU_DATA_LOAD, size=<optimized out>, addr=18446741874686299840, cpu=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1315
20 mmu_lookup1 (cpu=cpu@entry=0x5555578e0cb0, data=data@entry=0x7ffff4efd540, mmu_idx=0, access_type=access_type@entry=MMU_DATA_LOAD, ra=ra@entry=0) at ../../accel/tcg/cputlb.c:1713
21 0x0000555555ca2c61 in mmu_lookup (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, type=type@entry=MMU_DATA_LOAD, l=l@entry=0x7ffff4efd540) at ../../accel/tcg/cputlb.c:1803
22 0x0000555555ca3165 in do_ld4_mmu (cpu=cpu@entry=0x5555578e0cb0, addr=addr@entry=18446741874686299840, oi=oi@entry=32, ra=ra@entry=0, access_type=access_type@entry=MMU_DATA_LOAD) at ../../accel/tcg/cputlb.c:2416
23 0x0000555555ca5ef9 in cpu_ldl_mmu (ra=0, oi=32, addr=18446741874686299840, env=0x5555578e3470) at ../../accel/tcg/ldst_common.c.inc:158
24 cpu_ldl_le_mmuidx_ra (env=env@entry=0x5555578e3470, addr=addr@entry=18446741874686299840, mmu_idx=<optimized out>, ra=ra@entry=0) at ../../accel/tcg/ldst_common.c.inc:294
25 0x0000555555bb6cdd in do_interrupt64 (is_hw=1, next_eip=18446744072399775809, error_code=0, is_int=0, intno=236, env=0x5555578e3470) at ../../target/i386/tcg/seg_helper.c:889
26 do_interrupt_all (cpu=cpu@entry=0x5555578e0cb0, intno=236, is_int=is_int@entry=0, error_code=error_code@entry=0, next_eip=next_eip@entry=0, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1130
27 0x0000555555bb87da in do_interrupt_x86_hardirq (env=env@entry=0x5555578e3470, intno=<optimized out>, is_hw=is_hw@entry=1) at ../../target/i386/tcg/seg_helper.c:1162
28 0x0000555555b5039c in x86_cpu_exec_interrupt (cs=0x5555578e0cb0, interrupt_request=<optimized out>) at ../../target/i386/tcg/sysemu/seg_helper.c:197
29 0x0000555555c94480 in cpu_handle_interrupt (last_tb=<synthetic pointer>, cpu=0x5555578e0cb0) at ../../accel/tcg/cpu-exec.c:844
Peter identified this as being due to the BQL already being
held when the page table walker encounters MMIO memory and attempts
to take the lock again. There are other examples of similar paths
TCG, so this follows the approach taken in those of simply checking
if the lock is already held and if it is, don't take it again.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Message-Id: <20240219173153.12114-4-Jonathan.Cameron@huawei.com>
[rth: Use BQL_LOCK_GUARD]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
2024-02-19 20:31:53 +03:00
|
|
|
return int_st_mmio_leN(cpu, full, int128_gethi(val_le), addr + 8,
|
|
|
|
size - 8, mmu_idx, ra, mr, mr_offset + 8);
|
2023-08-28 06:09:58 +03:00
|
|
|
}
|
|
|
|
|
2022-10-30 04:07:32 +03:00
|
|
|
/*
|
|
|
|
* Wrapper for the above.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_st_leN(CPUState *cpu, MMULookupPageData *p,
|
2022-10-30 02:46:12 +03:00
|
|
|
uint64_t val_le, int mmu_idx,
|
|
|
|
MemOp mop, uintptr_t ra)
|
2022-10-30 04:07:32 +03:00
|
|
|
{
|
2022-10-30 02:46:12 +03:00
|
|
|
MemOp atom;
|
|
|
|
unsigned tmp, half_size;
|
|
|
|
|
2022-10-30 04:07:32 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_st_mmio_leN(cpu, p->full, val_le, p->addr,
|
2023-08-01 17:55:38 +03:00
|
|
|
p->size, mmu_idx, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
return val_le >> (p->size * 8);
|
2022-10-30 02:46:12 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* It is a given that we cross a page and therefore there is no atomicity
|
|
|
|
* for the store as a whole, but subobjects may need attention.
|
|
|
|
*/
|
|
|
|
atom = mop & MO_ATOM_MASK;
|
|
|
|
switch (atom) {
|
|
|
|
case MO_ATOM_SUBALIGN:
|
|
|
|
return store_parts_leN(p->haddr, p->size, val_le);
|
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN_PAIR:
|
|
|
|
case MO_ATOM_WITHIN16_PAIR:
|
|
|
|
tmp = mop & MO_SIZE;
|
|
|
|
tmp = tmp ? tmp - 1 : 0;
|
|
|
|
half_size = 1 << tmp;
|
|
|
|
if (atom == MO_ATOM_IFALIGN_PAIR
|
|
|
|
? p->size == half_size
|
|
|
|
: p->size >= half_size) {
|
|
|
|
if (!HAVE_al8_fast && p->size <= 4) {
|
|
|
|
return store_whole_le4(p->haddr, p->size, val_le);
|
|
|
|
} else if (HAVE_al8) {
|
|
|
|
return store_whole_le8(p->haddr, p->size, val_le);
|
|
|
|
} else {
|
2023-09-12 18:34:22 +03:00
|
|
|
cpu_loop_exit_atomic(cpu, ra);
|
2022-10-30 02:46:12 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
/* fall through */
|
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN:
|
|
|
|
case MO_ATOM_WITHIN16:
|
|
|
|
case MO_ATOM_NONE:
|
|
|
|
return store_bytes_leN(p->haddr, p->size, val_le);
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
2020-07-27 01:39:53 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-02-15 11:16:17 +03:00
|
|
|
/*
|
|
|
|
* Wrapper for the above, for 8 < size < 16.
|
|
|
|
*/
|
2023-09-12 18:34:22 +03:00
|
|
|
static uint64_t do_st16_leN(CPUState *cpu, MMULookupPageData *p,
|
2023-02-15 11:16:17 +03:00
|
|
|
Int128 val_le, int mmu_idx,
|
|
|
|
MemOp mop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
int size = p->size;
|
|
|
|
MemOp atom;
|
|
|
|
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_st16_mmio_leN(cpu, p->full, val_le, p->addr,
|
2023-08-28 06:09:58 +03:00
|
|
|
size, mmu_idx, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
return int128_gethi(val_le) >> ((size - 8) * 8);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* It is a given that we cross a page and therefore there is no atomicity
|
|
|
|
* for the store as a whole, but subobjects may need attention.
|
|
|
|
*/
|
|
|
|
atom = mop & MO_ATOM_MASK;
|
|
|
|
switch (atom) {
|
|
|
|
case MO_ATOM_SUBALIGN:
|
|
|
|
store_parts_leN(p->haddr, 8, int128_getlo(val_le));
|
|
|
|
return store_parts_leN(p->haddr + 8, p->size - 8,
|
|
|
|
int128_gethi(val_le));
|
|
|
|
|
|
|
|
case MO_ATOM_WITHIN16_PAIR:
|
|
|
|
/* Since size > 8, this is the half that must be atomic. */
|
2023-09-17 01:01:51 +03:00
|
|
|
if (!HAVE_CMPXCHG128) {
|
2023-09-12 18:34:22 +03:00
|
|
|
cpu_loop_exit_atomic(cpu, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
|
|
|
return store_whole_le16(p->haddr, p->size, val_le);
|
|
|
|
|
|
|
|
case MO_ATOM_IFALIGN_PAIR:
|
|
|
|
/*
|
|
|
|
* Since size > 8, both halves are misaligned,
|
|
|
|
* and so neither is atomic.
|
|
|
|
*/
|
|
|
|
case MO_ATOM_IFALIGN:
|
2023-06-19 16:23:14 +03:00
|
|
|
case MO_ATOM_WITHIN16:
|
2023-02-15 11:16:17 +03:00
|
|
|
case MO_ATOM_NONE:
|
|
|
|
stq_le_p(p->haddr, int128_getlo(val_le));
|
|
|
|
return store_bytes_leN(p->haddr + 8, p->size - 8,
|
|
|
|
int128_gethi(val_le));
|
|
|
|
|
|
|
|
default:
|
|
|
|
g_assert_not_reached();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st_1(CPUState *cpu, MMULookupPageData *p, uint8_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
int mmu_idx, uintptr_t ra)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_mmio_leN(cpu, p->full, val, p->addr, 1, mmu_idx, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
/* nothing */
|
|
|
|
} else {
|
|
|
|
*(uint8_t *)p->haddr = val;
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2022-10-30 04:07:32 +03:00
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st_2(CPUState *cpu, MMULookupPageData *p, uint16_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
int mmu_idx, MemOp memop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap16(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_mmio_leN(cpu, p->full, val, p->addr, 2, mmu_idx, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
/* nothing */
|
|
|
|
} else {
|
|
|
|
/* Swap to host endian if necessary, then store. */
|
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
val = bswap16(val);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2023-09-12 18:34:24 +03:00
|
|
|
store_atom_2(cpu, ra, p->haddr, memop, val);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2022-10-30 04:07:32 +03:00
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st_4(CPUState *cpu, MMULookupPageData *p, uint32_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
int mmu_idx, MemOp memop, uintptr_t ra)
|
|
|
|
{
|
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap32(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_mmio_leN(cpu, p->full, val, p->addr, 4, mmu_idx, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
/* nothing */
|
|
|
|
} else {
|
|
|
|
/* Swap to host endian if necessary, then store. */
|
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
val = bswap32(val);
|
2019-09-10 22:47:39 +03:00
|
|
|
}
|
2023-09-12 18:34:24 +03:00
|
|
|
store_atom_4(cpu, ra, p->haddr, memop, val);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st_8(CPUState *cpu, MMULookupPageData *p, uint64_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
int mmu_idx, MemOp memop, uintptr_t ra)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
if (unlikely(p->flags & TLB_MMIO)) {
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap64(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_mmio_leN(cpu, p->full, val, p->addr, 8, mmu_idx, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
} else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
|
|
|
|
/* nothing */
|
|
|
|
} else {
|
|
|
|
/* Swap to host endian if necessary, then store. */
|
|
|
|
if (memop & MO_BSWAP) {
|
|
|
|
val = bswap64(val);
|
|
|
|
}
|
2023-09-12 18:34:24 +03:00
|
|
|
store_atom_8(cpu, ra, p->haddr, memop, val);
|
2022-10-30 04:07:32 +03:00
|
|
|
}
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:27 +03:00
|
|
|
static void do_st1_mmu(CPUState *cpu, vaddr addr, uint8_t val,
|
|
|
|
MemOpIdx oi, uintptr_t ra)
|
2021-07-27 20:48:55 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST);
|
2023-09-12 18:34:27 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l);
|
2022-10-30 04:07:32 +03:00
|
|
|
tcg_debug_assert(!crosspage);
|
|
|
|
|
2023-09-12 18:34:27 +03:00
|
|
|
do_st_1(cpu, &l.page[0], val, l.mmu_idx, ra);
|
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st2_mmu(CPUState *cpu, vaddr addr, uint16_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
MemOpIdx oi, uintptr_t ra)
|
2021-07-27 20:48:55 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint8_t a, b;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l);
|
2022-10-30 04:07:32 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_2(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((l.memop & MO_BSWAP) == MO_LE) {
|
|
|
|
a = val, b = val >> 8;
|
|
|
|
} else {
|
|
|
|
b = val, a = val >> 8;
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_1(cpu, &l.page[0], a, l.mmu_idx, ra);
|
|
|
|
do_st_1(cpu, &l.page[1], b, l.mmu_idx, ra);
|
2021-07-27 20:48:55 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st4_mmu(CPUState *cpu, vaddr addr, uint32_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
MemOpIdx oi, uintptr_t ra)
|
2021-07-27 20:48:55 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l);
|
2022-10-30 04:07:32 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_4(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Swap to little endian for simplicity, then store by bytes. */
|
|
|
|
if ((l.memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap32(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
val = do_st_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
|
|
|
(void) do_st_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st8_mmu(CPUState *cpu, vaddr addr, uint64_t val,
|
2022-10-30 04:07:32 +03:00
|
|
|
MemOpIdx oi, uintptr_t ra)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2022-10-30 04:07:32 +03:00
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l);
|
2022-10-30 04:07:32 +03:00
|
|
|
if (likely(!crosspage)) {
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_8(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
2022-10-30 04:07:32 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Swap to little endian for simplicity, then store by bytes. */
|
|
|
|
if ((l.memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap64(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
val = do_st_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
|
|
|
(void) do_st_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2023-09-12 18:34:22 +03:00
|
|
|
static void do_st16_mmu(CPUState *cpu, vaddr addr, Int128 val,
|
2023-02-15 11:16:17 +03:00
|
|
|
MemOpIdx oi, uintptr_t ra)
|
|
|
|
{
|
|
|
|
MMULookupLocals l;
|
|
|
|
bool crosspage;
|
|
|
|
uint64_t a, b;
|
|
|
|
int first;
|
|
|
|
|
2022-03-03 18:57:10 +03:00
|
|
|
cpu_req_mo(TCG_MO_LD_ST | TCG_MO_ST_ST);
|
2023-09-12 18:34:22 +03:00
|
|
|
crosspage = mmu_lookup(cpu, addr, oi, ra, MMU_DATA_STORE, &l);
|
2023-02-15 11:16:17 +03:00
|
|
|
if (likely(!crosspage)) {
|
|
|
|
if (unlikely(l.page[0].flags & TLB_MMIO)) {
|
2023-08-01 20:46:03 +03:00
|
|
|
if ((l.memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap128(val);
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st16_mmio_leN(cpu, l.page[0].full, val, addr, 16, l.mmu_idx, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
} else if (unlikely(l.page[0].flags & TLB_DISCARD_WRITE)) {
|
|
|
|
/* nothing */
|
|
|
|
} else {
|
2023-08-01 20:46:03 +03:00
|
|
|
/* Swap to host endian if necessary, then store. */
|
|
|
|
if (l.memop & MO_BSWAP) {
|
|
|
|
val = bswap128(val);
|
|
|
|
}
|
2023-09-12 18:34:24 +03:00
|
|
|
store_atom_16(cpu, ra, l.page[0].haddr, l.memop, val);
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
first = l.page[0].size;
|
|
|
|
if (first == 8) {
|
|
|
|
MemOp mop8 = (l.memop & ~(MO_SIZE | MO_BSWAP)) | MO_64;
|
|
|
|
|
|
|
|
if (l.memop & MO_BSWAP) {
|
|
|
|
val = bswap128(val);
|
|
|
|
}
|
|
|
|
if (HOST_BIG_ENDIAN) {
|
|
|
|
b = int128_getlo(val), a = int128_gethi(val);
|
|
|
|
} else {
|
|
|
|
a = int128_getlo(val), b = int128_gethi(val);
|
|
|
|
}
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_8(cpu, &l.page[0], a, l.mmu_idx, mop8, ra);
|
|
|
|
do_st_8(cpu, &l.page[1], b, l.mmu_idx, mop8, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((l.memop & MO_BSWAP) != MO_LE) {
|
|
|
|
val = bswap128(val);
|
|
|
|
}
|
|
|
|
if (first < 8) {
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st_leN(cpu, &l.page[0], int128_getlo(val), l.mmu_idx, l.memop, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
val = int128_urshift(val, first * 8);
|
2023-09-12 18:34:22 +03:00
|
|
|
do_st16_leN(cpu, &l.page[1], val, l.mmu_idx, l.memop, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
} else {
|
2023-09-12 18:34:22 +03:00
|
|
|
b = do_st16_leN(cpu, &l.page[0], val, l.mmu_idx, l.memop, ra);
|
|
|
|
do_st_leN(cpu, &l.page[1], b, l.mmu_idx, l.memop, ra);
|
2023-02-15 11:16:17 +03:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-07-27 20:48:55 +03:00
|
|
|
#include "ldst_common.c.inc"
|
2019-12-11 21:33:26 +03:00
|
|
|
|
2021-07-17 00:20:49 +03:00
|
|
|
/*
|
|
|
|
* First set of functions passes in OI and RETADDR.
|
|
|
|
* This makes them callable from other helpers.
|
|
|
|
*/
|
2016-06-28 21:37:27 +03:00
|
|
|
|
|
|
|
#define ATOMIC_NAME(X) \
|
2021-07-17 00:20:49 +03:00
|
|
|
glue(glue(glue(cpu_atomic_ ## X, SUFFIX), END), _mmu)
|
2021-07-17 03:49:09 +03:00
|
|
|
|
2019-09-22 04:47:59 +03:00
|
|
|
#define ATOMIC_MMU_CLEANUP
|
2016-06-28 21:37:27 +03:00
|
|
|
|
2020-02-04 14:41:01 +03:00
|
|
|
#include "atomic_common.c.inc"
|
2016-06-28 21:37:27 +03:00
|
|
|
|
|
|
|
#define DATA_SIZE 1
|
|
|
|
#include "atomic_template.h"
|
|
|
|
|
|
|
|
#define DATA_SIZE 2
|
|
|
|
#include "atomic_template.h"
|
|
|
|
|
|
|
|
#define DATA_SIZE 4
|
|
|
|
#include "atomic_template.h"
|
|
|
|
|
2016-09-02 22:23:57 +03:00
|
|
|
#ifdef CONFIG_ATOMIC64
|
2016-06-28 21:37:27 +03:00
|
|
|
#define DATA_SIZE 8
|
|
|
|
#include "atomic_template.h"
|
2016-09-02 22:23:57 +03:00
|
|
|
#endif
|
2016-06-28 21:37:27 +03:00
|
|
|
|
2023-07-13 23:06:15 +03:00
|
|
|
#if defined(CONFIG_ATOMIC128) || HAVE_CMPXCHG128
|
2016-06-30 07:10:59 +03:00
|
|
|
#define DATA_SIZE 16
|
|
|
|
#include "atomic_template.h"
|
|
|
|
#endif
|
|
|
|
|
2016-06-28 21:37:27 +03:00
|
|
|
/* Code access functions. */
|
|
|
|
|
2019-12-11 22:25:10 +03:00
|
|
|
uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2024-01-29 13:35:06 +03:00
|
|
|
CPUState *cs = env_cpu(env);
|
|
|
|
MemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(cs, true));
|
|
|
|
return do_ld1_mmu(cs, addr, oi, 0, MMU_INST_FETCH);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2019-12-11 22:25:10 +03:00
|
|
|
uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2024-01-29 13:35:06 +03:00
|
|
|
CPUState *cs = env_cpu(env);
|
|
|
|
MemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(cs, true));
|
|
|
|
return do_ld2_mmu(cs, addr, oi, 0, MMU_INST_FETCH);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2012-04-09 20:50:52 +04:00
|
|
|
|
2019-12-11 22:25:10 +03:00
|
|
|
uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2024-01-29 13:35:06 +03:00
|
|
|
CPUState *cs = env_cpu(env);
|
|
|
|
MemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(cs, true));
|
|
|
|
return do_ld4_mmu(cs, addr, oi, 0, MMU_INST_FETCH);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
|
|
|
|
2019-12-11 22:25:10 +03:00
|
|
|
uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
|
2019-02-15 17:31:13 +03:00
|
|
|
{
|
2024-01-29 13:35:06 +03:00
|
|
|
CPUState *cs = env_cpu(env);
|
|
|
|
MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(cs, true));
|
|
|
|
return do_ld8_mmu(cs, addr, oi, 0, MMU_INST_FETCH);
|
2019-02-15 17:31:13 +03:00
|
|
|
}
|
2023-04-12 14:43:16 +03:00
|
|
|
|
|
|
|
uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
|
|
|
|
MemOpIdx oi, uintptr_t retaddr)
|
|
|
|
{
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld1_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH);
|
2023-04-12 14:43:16 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
|
|
|
|
MemOpIdx oi, uintptr_t retaddr)
|
|
|
|
{
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld2_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH);
|
2023-04-12 14:43:16 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
|
|
|
|
MemOpIdx oi, uintptr_t retaddr)
|
|
|
|
{
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld4_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH);
|
2023-04-12 14:43:16 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
|
|
|
|
MemOpIdx oi, uintptr_t retaddr)
|
|
|
|
{
|
2023-09-12 18:34:22 +03:00
|
|
|
return do_ld8_mmu(env_cpu(env), addr, oi, retaddr, MMU_INST_FETCH);
|
2023-04-12 14:43:16 +03:00
|
|
|
}
|