| blob | bb9897b25a3ae2088748b845a0e83e30f6b78241 |
1 /*
2 * Common CPU TLB handling
3 *
4 * Copyright (c) 2003 Fabrice Bellard
5 *
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation; either
9 * version 2.1 of the License, or (at your option) any later version.
10 *
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
15 *
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18 */
37 /* DEBUG defines, enable DEBUG_TLB_LOG to log to the CPU_LOG_MMU target */
38 /* #define DEBUG_TLB */
39 /* #define DEBUG_TLB_LOG */
41 #ifdef DEBUG_TLB
42 # define DEBUG_TLB_GATE 1
43 # ifdef DEBUG_TLB_LOG
44 # define DEBUG_TLB_LOG_GATE 1
45 # else
46 # define DEBUG_TLB_LOG_GATE 0
47 # endif
48 #else
49 # define DEBUG_TLB_GATE 0
50 # define DEBUG_TLB_LOG_GATE 0
51 #endif
53 #define tlb_debug(fmt, ...) do { \
54 if (DEBUG_TLB_LOG_GATE) { \
56 ## __VA_ARGS__); \
57 } else if (DEBUG_TLB_GATE) { \
59 } \
60 } while (0)
62 #define assert_cpu_is_self(cpu) do { \
63 if (DEBUG_TLB_GATE) { \
64 g_assert(!(cpu)->created || qemu_cpu_is_self(cpu)); \
65 } \
66 } while (0)
68 /* run_on_cpu_data.target_ptr should always be big enough for a
69 * target_ulong even on 32 bit builds */
72 /* We currently can't handle more than 16 bits in the MMUIDX bitmask.
73 */
75 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
78 {
80 }
84 {
87 }
90 {
102 }
103 }
105 /**
106 * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
107 * @env: CPU that owns the TLB
108 * @mmu_idx: MMU index of the TLB
109 *
110 * Called with tlb_lock_held.
111 *
112 * We have two main constraints when resizing a TLB: (1) we only resize it
113 * on a TLB flush (otherwise we'd have to take a perf hit by either rehashing
114 * the array or unnecessarily flushing it), which means we do not control how
115 * frequently the resizing can occur; (2) we don't have access to the guest's
116 * future scheduling decisions, and therefore have to decide the magnitude of
117 * the resize based on past observations.
118 *
119 * In general, a memory-hungry process can benefit greatly from an appropriately
120 * sized TLB, since a guest TLB miss is very expensive. This doesn't mean that
121 * we just have to make the TLB as large as possible; while an oversized TLB
122 * results in minimal TLB miss rates, it also takes longer to be flushed
123 * (flushes can be _very_ frequent), and the reduced locality can also hurt
124 * performance.
125 *
126 * To achieve near-optimal performance for all kinds of workloads, we:
127 *
128 * 1. Aggressively increase the size of the TLB when the use rate of the
129 * TLB being flushed is high, since it is likely that in the near future this
130 * memory-hungry process will execute again, and its memory hungriness will
131 * probably be similar.
132 *
133 * 2. Slowly reduce the size of the TLB as the use rate declines over a
134 * reasonably large time window. The rationale is that if in such a time window
135 * we have not observed a high TLB use rate, it is likely that we won't observe
136 * it in the near future. In that case, once a time window expires we downsize
137 * the TLB to match the maximum use rate observed in the window.
138 *
139 * 3. Try to keep the maximum use rate in a time window in the 30-70% range,
140 * since in that range performance is likely near-optimal. Recall that the TLB
141 * is direct mapped, so we want the use rate to be low (or at least not too
142 * high), since otherwise we are likely to have a significant amount of
143 * conflict misses.
144 */
146 {
158 }
167 /*
168 * Avoid undersizing when the max number of entries seen is just below
169 * a pow2. For instance, if max_entries == 1025, the expected use rate
170 * would be 1025/2048==50%. However, if max_entries == 1023, we'd get
171 * 1023/1024==99.9% use rate, so we'd likely end up doubling the size
172 * later. Thus, make sure that the expected use rate remains below 70%.
173 * (and since we double the size, that means the lowest rate we'd
174 * expect to get is 35%, which is still in the 30-70% range where
175 * we consider that the size is appropriate.)
176 */
179 }
181 }
186 }
188 }
194 /* desc->n_used_entries is cleared by the caller */
198 /*
199 * If the allocations fail, try smaller sizes. We just freed some
200 * memory, so going back to half of new_size has a good chance of working.
201 * Increased memory pressure elsewhere in the system might cause the
202 * allocations to fail though, so we progressively reduce the allocation
203 * size, aborting if we cannot even allocate the smallest TLB we support.
204 */
210 }
218 }
219 }
222 {
226 }
229 {
231 }
234 {
236 }
239 {
244 /* Ensure that cpu_reset performs a full flush. */
248 }
250 /* flush_all_helper: run fn across all cpus
251 *
252 * If the wait flag is set then the src cpu's helper will be queued as
253 * "safe" work and the loop exited creating a synchronisation point
254 * where all queued work will be finished before execution starts
255 * again.
256 */
258 run_on_cpu_data d)
259 {
265 }
266 }
267 }
270 {
280 }
284 }
287 {
294 }
297 {
316 }
332 }
333 }
334 }
337 {
345 }
346 }
349 {
351 }
354 {
361 }
364 {
366 }
369 {
376 }
379 {
381 }
384 target_ulong page)
385 {
389 }
391 /**
392 * tlb_entry_is_empty - return true if the entry is not in use
393 * @te: pointer to CPUTLBEntry
394 */
396 {
398 }
400 /* Called with tlb_c.lock held */
402 target_ulong page)
403 {
407 }
409 }
411 /* Called with tlb_c.lock held */
413 target_ulong page)
414 {
422 }
423 }
424 }
427 target_ulong page)
428 {
432 /* Check if we need to flush due to large pages. */
441 }
443 }
444 }
446 /* As we are going to hijack the bottom bits of the page address for a
447 * mmuidx bit mask we need to fail to build if we can't do that
448 */
452 run_on_cpu_data data)
453 {
469 }
470 }
474 }
477 {
478 target_ulong addr_and_mmu_idx;
482 /* This should already be page aligned */
492 }
493 }
496 {
498 }
502 {
504 target_ulong addr_and_mmu_idx;
508 /* This should already be page aligned */
514 }
517 {
519 }
522 target_ulong addr,
524 {
526 target_ulong addr_and_mmu_idx;
530 /* This should already be page aligned */
536 }
539 {
541 }
543 /* update the TLBs so that writes to code in the virtual page 'addr'
544 can be detected */
546 {
548 DIRTY_MEMORY_CODE);
549 }
551 /* update the TLB so that writes in physical page 'phys_addr' are no longer
552 tested for self modifying code */
554 {
556 }
559 /*
560 * Dirty write flag handling
561 *
562 * When the TCG code writes to a location it looks up the address in
563 * the TLB and uses that data to compute the final address. If any of
564 * the lower bits of the address are set then the slow path is forced.
565 * There are a number of reasons to do this but for normal RAM the
566 * most usual is detecting writes to code regions which may invalidate
567 * generated code.
568 *
569 * Other vCPUs might be reading their TLBs during guest execution, so we update
570 * te->addr_write with atomic_set. We don't need to worry about this for
571 * oversized guests as MTTCG is disabled for them.
572 *
573 * Called with tlb_c.lock held.
574 */
577 {
584 #if TCG_OVERSIZED_GUEST
586 #else
589 #endif
590 }
591 }
592 }
594 /*
595 * Called with tlb_c.lock held.
596 * Called only from the vCPU context, i.e. the TLB's owner thread.
597 */
599 {
601 }
603 /* This is a cross vCPU call (i.e. another vCPU resetting the flags of
604 * the target vCPU).
605 * We must take tlb_c.lock to avoid racing with another vCPU update. The only
606 * thing actually updated is the target TLB entry ->addr_write flags.
607 */
609 {
623 }
628 }
629 }
631 }
633 /* Called with tlb_c.lock held */
635 target_ulong vaddr)
636 {
639 }
640 }
642 /* update the TLB corresponding to virtual page vaddr
643 so that it is no longer dirty */
645 {
655 }
661 }
662 }
664 }
666 /* Our TLB does not support large pages, so remember the area covered by
667 large pages and trigger a full TLB flush if these are invalidated. */
670 {
675 /* No previous large page. */
678 /* Extend the existing region to include the new page.
679 This is a compromise between unnecessary flushes and
680 the cost of maintaining a full variable size TLB. */
684 }
685 }
688 }
690 /* Add a new TLB entry. At most one entry for a given virtual address
691 * is permitted. Only a single TARGET_PAGE_SIZE region is mapped, the
692 * supplied size is only used by tlb_flush_page.
693 *
694 * Called from TCG-generated code, which is under an RCU read-side
695 * critical section.
696 */
700 {
706 target_ulong address;
707 target_ulong code_address;
711 target_ulong vaddr_page;
721 }
735 /*
736 * Slow-path the TLB entries; we will repeat the MMU check and TLB
737 * fill on every access.
738 */
740 }
743 /* IO memory case */
747 /* TLB_MMIO for rom/romd handled below */
749 }
758 /*
759 * Hold the TLB lock for the rest of the function. We could acquire/release
760 * the lock several times in the function, but it is faster to amortize the
761 * acquisition cost by acquiring it just once. Note that this leads to
762 * a longer critical section, but this is not a concern since the TLB lock
763 * is unlikely to be contended.
764 */
767 /* Note that the tlb is no longer clean. */
770 /* Make sure there's no cached translation for the new page. */
773 /*
774 * Only evict the old entry to the victim tlb if it's for a
775 * different page; otherwise just overwrite the stale data.
776 */
781 /* Evict the old entry into the victim tlb. */
785 }
787 /* refill the tlb */
788 /*
789 * At this point iotlb contains a physical section number in the lower
790 * TARGET_PAGE_BITS, and either
791 * + the ram_addr_t of the page base of the target RAM (if NOTDIRTY or ROM)
792 * + the offset within section->mr of the page base (otherwise)
793 * We subtract the vaddr_page (which is page aligned and thus won't
794 * disturb the low bits) to give an offset which can be added to the
795 * (non-page-aligned) vaddr of the eventual memory access to get
796 * the MemoryRegion offset for the access. Note that the vaddr we
797 * subtract here is that of the page base, and not the same as the
798 * vaddr we add back in io_readx()/io_writex()/get_page_addr_code().
799 */
803 /* Now calculate the new entry */
809 }
815 }
821 /* Write access calls the I/O callback. */
829 }
832 }
833 }
838 }
840 /* Add a new TLB entry, but without specifying the memory
841 * transaction attributes to be used.
842 */
846 {
849 }
852 {
853 ram_addr_t ram_addr;
859 }
861 }
863 /*
864 * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
865 * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
866 * be discarded and looked up again (e.g. via tlb_entry()).
867 */
870 {
874 /*
875 * This is not a probe, so only valid return is success; failure
876 * should result in exception + longjmp to the cpu loop.
877 */
880 }
885 {
887 hwaddr mr_offset;
892 MemTxResult r;
900 }
908 }
918 }
921 }
924 }
929 {
931 hwaddr mr_offset;
935 MemTxResult r;
942 }
949 }
959 }
962 }
963 }
966 {
967 #if TCG_OVERSIZED_GUEST
969 #else
970 /* ofs might correspond to .addr_write, so use atomic_read */
972 #endif
973 }
975 /* Return true if ADDR is present in the victim tlb, and has been copied
976 back to the main tlb. */
979 {
985 target_ulong cmp;
987 /* elt_ofs might correspond to .addr_write, so use atomic_read */
988 #if TCG_OVERSIZED_GUEST
990 #else
992 #endif
995 /* Found entry in victim tlb, swap tlb and iotlb. */
1008 }
1009 }
1011 }
1013 /* Macro to call the above, with local variables from the use context. */
1014 #define VICTIM_TLB_HIT(TY, ADDR) \
1015 victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
1016 (ADDR) & TARGET_PAGE_MASK)
1018 /* NOTE: this function can trigger an exception */
1019 /* NOTE2: the returned address is not exactly the physical address: it
1020 * is actually a ram_addr_t (in system mode; the user mode emulation
1021 * version of this function returns a guest virtual address).
1022 */
1024 {
1035 }
1037 }
1040 /*
1041 * Return -1 if we can't translate and execute from an entire
1042 * page of RAM here, which will cause us to execute by loading
1043 * and translating one insn at a time, without caching:
1044 * - TLB_RECHECK: means the MMU protection covers a smaller range
1045 * than a target page, so we must redo the MMU check every insn
1046 * - TLB_MMIO: region is not backed by RAM
1047 */
1049 }
1053 }
1055 /* Probe for whether the specified guest write access is permitted.
1056 * If it is not permitted then an exception will be taken in the same
1057 * way as if this were a real write access (and we will not return).
1058 * Otherwise the function will return, and there will be a valid
1059 * entry in the TLB for this access.
1060 */
1063 {
1068 /* TLB entry is for a different page */
1072 }
1073 }
1074 }
1078 {
1095 }
1108 /* Non-faulting page table read failed. */
1110 }
1112 /* TLB resize via tlb_fill may have moved the entry. */
1114 }
1116 }
1119 /* IO access */
1121 }
1124 }
1126 /* Probe for a read-modify-write atomic operation. Do not allow unaligned
1127 * operations, or io operations to proceed. Return the host address. */
1131 {
1141 /* Adjust the given return address. */
1144 /* Enforce guest required alignment. */
1146 /* ??? Maybe indicate atomic op to cpu_unaligned_access */
1149 }
1151 /* Enforce qemu required alignment. */
1153 /* We get here if guest alignment was not requested,
1154 or was not enforced by cpu_unaligned_access above.
1155 We might widen the access and emulate, but for now
1156 mark an exception and exit the cpu loop. */
1158 }
1160 /* Check TLB entry and enforce page permissions. */
1167 }
1169 }
1171 /* Notice an IO access or a needs-MMU-lookup access */
1173 /* There's really nothing that can be done to
1174 support this apart from stop-the-world. */
1176 }
1178 /* Let the guest notice RMW on a write-only page. */
1182 /* Since we don't support reads and writes to different addresses,
1183 and we do have the proper page loaded for write, this shouldn't
1184 ever return. But just in case, handle via stop-the-world. */
1186 }
1196 }
1200 stop_the_world:
1202 }
1204 #ifdef TARGET_WORDS_BIGENDIAN
1205 #define NEED_BE_BSWAP 0
1206 #define NEED_LE_BSWAP 1
1207 #else
1208 #define NEED_BE_BSWAP 1
1209 #define NEED_LE_BSWAP 0
1210 #endif
1212 /*
1213 * Byte Swap Helper
1214 *
1215 * This should all dead code away depending on the build host and
1216 * access type.
1217 */
1220 {
1229 }
1232 }
1233 }
1235 /*
1236 * Load Helpers
1237 *
1238 * We support two different access types. SOFTMMU_CODE_ACCESS is
1239 * specifically for reading instructions from system memory. It is
1240 * called by the translation loop and in some helpers where the code
1241 * is disassembled. It shouldn't be called directly by guest code.
1242 */
1251 {
1264 /* Handle CPU specific unaligned behaviour */
1268 }
1270 /* If the TLB entry is for a different page, reload and try again. */
1278 }
1280 }
1282 /* Handle an IO access. */
1286 }
1289 /*
1290 * This is a TLB_RECHECK access, where the MMU protection
1291 * covers a smaller range than a target page, and we must
1292 * repeat the MMU check here. This tlb_fill() call might
1293 * longjump out if this access should cause a guest exception.
1294 */
1303 /* RAM access */
1305 }
1306 }
1311 }
1313 /* Handle slow unaligned access (it spans two pages or IO). */
1320 do_unaligned_access:
1328 /* Big-endian combine. */
1331 /* Little-endian combine. */
1333 }
1335 }
1337 do_aligned_access:
1348 }
1355 }
1362 }
1366 }
1369 }
1371 /*
1372 * For the benefit of TCG generated code, we want to avoid the
1373 * complication of ABI-specific return type promotion and always
1374 * return a value extended to the register size of the host. This is
1375 * tcg_target_long, except in the case of a 32-bit host and 64-bit
1376 * data, and for that we always have uint64_t.
1377 *
1378 * We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
1379 */
1383 {
1385 full_ldub_mmu);
1386 }
1390 {
1392 }
1396 {
1398 full_le_lduw_mmu);
1399 }
1403 {
1405 }
1409 {
1411 full_be_lduw_mmu);
1412 }
1416 {
1418 }
1422 {
1424 full_le_ldul_mmu);
1425 }
1429 {
1431 }
1435 {
1437 full_be_ldul_mmu);
1438 }
1442 {
1444 }
1448 {
1450 helper_le_ldq_mmu);
1451 }
1455 {
1457 helper_be_ldq_mmu);
1458 }
1460 /*
1461 * Provide signed versions of the load routines as well. We can of course
1462 * avoid this for 64-bit data, or for 32-bit data on 32-bit host.
1463 */
1468 {
1470 }
1474 {
1476 }
1480 {
1482 }
1486 {
1488 }
1492 {
1494 }
1496 /*
1497 * Store Helpers
1498 */
1503 {
1512 /* Handle CPU specific unaligned behaviour */
1516 }
1518 /* If the TLB entry is for a different page, reload and try again. */
1526 }
1528 }
1530 /* Handle an IO access. */
1534 }
1537 /*
1538 * This is a TLB_RECHECK access, where the MMU protection
1539 * covers a smaller range than a target page, and we must
1540 * repeat the MMU check here. This tlb_fill() call might
1541 * longjump out if this access should cause a guest exception.
1542 */
1551 /* RAM access */
1553 }
1554 }
1560 }
1562 /* Handle slow unaligned access (it spans two pages or IO). */
1570 do_unaligned_access:
1571 /*
1572 * Ensure the second page is in the TLB. Note that the first page
1573 * is already guaranteed to be filled, and that the second page
1574 * cannot evict the first.
1575 */
1585 }
1587 /*
1588 * XXX: not efficient, but simple.
1589 * This loop must go in the forward direction to avoid issues
1590 * with self-modifying code in Windows 64-bit.
1591 */
1595 /* Big-endian extract. */
1598 /* Little-endian extract. */
1600 }
1602 }
1604 }
1606 do_aligned_access:
1617 }
1624 }
1631 }
1636 }
1637 }
1641 {
1643 }
1647 {
1649 }
1653 {
1655 }
1659 {
1661 }
1665 {
1667 }
1671 {
1673 }
1677 {
1679 }
1681 /* First set of helpers allows passing in of OI and RETADDR. This makes
1682 them callable from other helpers. */
1684 #define EXTRA_ARGS , TCGMemOpIdx oi, uintptr_t retaddr
1685 #define ATOMIC_NAME(X) \
1686 HELPER(glue(glue(glue(atomic_ ## X, SUFFIX), END), _mmu))
1687 #define ATOMIC_MMU_DECLS NotDirtyInfo ndi
1688 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, retaddr, &ndi)
1689 #define ATOMIC_MMU_CLEANUP \
1690 do { \
1691 if (unlikely(ndi.active)) { \
1692 memory_notdirty_write_complete(&ndi); \
1693 } \
1694 } while (0)
1696 #define DATA_SIZE 1
1699 #define DATA_SIZE 2
1702 #define DATA_SIZE 4
1705 #ifdef CONFIG_ATOMIC64
1706 #define DATA_SIZE 8
1708 #endif
1710 #if HAVE_CMPXCHG128 || HAVE_ATOMIC128
1711 #define DATA_SIZE 16
1713 #endif
1715 /* Second set of helpers are directly callable from TCG as helpers. */
1717 #undef EXTRA_ARGS
1718 #undef ATOMIC_NAME
1719 #undef ATOMIC_MMU_LOOKUP
1720 #define EXTRA_ARGS , TCGMemOpIdx oi
1721 #define ATOMIC_NAME(X) HELPER(glue(glue(atomic_ ## X, SUFFIX), END))
1722 #define ATOMIC_MMU_LOOKUP atomic_mmu_lookup(env, addr, oi, GETPC(), &ndi)
1724 #define DATA_SIZE 1
1727 #define DATA_SIZE 2
1730 #define DATA_SIZE 4
1733 #ifdef CONFIG_ATOMIC64
1734 #define DATA_SIZE 8
1736 #endif
1738 /* Code access functions. */
1742 {
1744 full_ldub_cmmu);
1745 }
1749 {
1751 }
1755 {
1757 full_le_lduw_cmmu);
1758 }
1762 {
1764 }
1768 {
1770 full_be_lduw_cmmu);
1771 }
1775 {
1777 }
1781 {
1783 full_le_ldul_cmmu);
1784 }
1788 {
1790 }
1794 {
1796 full_be_ldul_cmmu);
1797 }
1801 {
1803 }
1807 {
1809 helper_le_ldq_cmmu);
1810 }
1814 {
1816 helper_be_ldq_cmmu);
1817 }