cachepc-qemu

Fork of AMDESE/qemu with changes for cachepc side-channel attack



      1/*
      2 *  emulator main execution loop
      3 *
      4 *  Copyright (c) 2003-2005 Fabrice Bellard
      5 *
      6 * This library is free software; you can redistribute it and/or
      7 * modify it under the terms of the GNU Lesser General Public
      8 * License as published by the Free Software Foundation; either
      9 * version 2.1 of the License, or (at your option) any later version.
     10 *
     11 * This library is distributed in the hope that it will be useful,
     12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
     13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
     14 * Lesser General Public License for more details.
     15 *
     16 * You should have received a copy of the GNU Lesser General Public
     17 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
     18 */
     19
     20#include "qemu/osdep.h"
     21#include "qemu-common.h"
     22#include "qemu/qemu-print.h"
     23#include "hw/core/tcg-cpu-ops.h"
     24#include "trace.h"
     25#include "disas/disas.h"
     26#include "exec/exec-all.h"
     27#include "tcg/tcg.h"
     28#include "qemu/atomic.h"
     29#include "qemu/compiler.h"
     30#include "qemu/timer.h"
     31#include "qemu/rcu.h"
     32#include "exec/log.h"
     33#include "qemu/main-loop.h"
     34#if defined(TARGET_I386) && !defined(CONFIG_USER_ONLY)
     35#include "hw/i386/apic.h"
     36#endif
     37#include "sysemu/cpus.h"
     38#include "exec/cpu-all.h"
     39#include "sysemu/cpu-timers.h"
     40#include "sysemu/replay.h"
     41#include "exec/helper-proto.h"
     42#include "tb-hash.h"
     43#include "tb-context.h"
     44#include "internal.h"
     45
     46/* -icount align implementation. */
     47
/*
 * Per-cpu_exec() bookkeeping for the -icount align logic: how far the guest
 * clock has drifted from the host clock, and where icount stood when the
 * drift was last accounted for.
 */
typedef struct SyncClocks {
    int64_t diff_clk;          /* QEMU_CLOCK_VIRTUAL minus realtime_clock, in ns */
    int64_t last_cpu_icount;   /* icount seen at the previous align_clocks() call */
    int64_t realtime_clock;    /* QEMU_CLOCK_VIRTUAL_RT sampled by init_delay_params() */
} SyncClocks;
     53
     54#if !defined(CONFIG_USER_ONLY)
     55/* Allow the guest to have a max 3ms advance.
     56 * The difference between the 2 clocks could therefore
     57 * oscillate around 0.
     58 */
#define VM_CLOCK_ADVANCE 3000000          /* ns the guest may run ahead before we sleep */
#define THRESHOLD_REDUCE 1.5              /* seconds of hysteresis before re-warning in print_delay() */
#define MAX_DELAY_PRINT_RATE 2000000000LL /* ns: at most one warning every 2s */
#define MAX_NB_PRINTS 100                 /* hard cap on the number of warnings printed */

static int64_t max_delay;    /* most negative diff_clk observed (guest furthest behind) */
static int64_t max_advance;  /* most positive diff_clk observed (guest furthest ahead) */
     66
/*
 * Keep the host from running ahead of the icount guest clock.
 *
 * Account the icount consumed since the last call into sc->diff_clk and,
 * if the guest is now more than VM_CLOCK_ADVANCE ahead of the host, sleep
 * for the difference.  A nanosleep interrupted early leaves the remainder
 * in sc->diff_clk so it is slept off on a later call.  No-op unless
 * -icount align is in effect.
 */
static void align_clocks(SyncClocks *sc, CPUState *cpu)
{
    int64_t now_icount;

    if (!icount_align_option) {
        return;
    }

    now_icount = cpu->icount_extra + cpu_neg(cpu)->icount_decr.u16.low;
    sc->diff_clk += icount_to_ns(sc->last_cpu_icount - now_icount);
    sc->last_cpu_icount = now_icount;

    if (sc->diff_clk <= VM_CLOCK_ADVANCE) {
        return;
    }

#ifndef _WIN32
    {
        struct timespec want = {
            .tv_sec = sc->diff_clk / 1000000000LL,
            .tv_nsec = sc->diff_clk % 1000000000LL,
        };
        struct timespec left;

        if (nanosleep(&want, &left) < 0) {
            /* Interrupted: carry the unslept remainder forward. */
            sc->diff_clk = left.tv_sec * 1000000000LL + left.tv_nsec;
        } else {
            sc->diff_clk = 0;
        }
    }
#else
    Sleep(sc->diff_clk / SCALE_MS);
    sc->diff_clk = 0;
#endif
}
     95
/*
 * Rate-limited warning when the guest clock falls behind the host.
 *
 * A warning is printed at most every MAX_DELAY_PRINT_RATE ns and at most
 * MAX_NB_PRINTS times in total, and only when the lateness has moved out of
 * the [threshold - THRESHOLD_REDUCE, threshold] band reported last time.
 * No-op unless -icount align is in effect.
 */
static void print_delay(const SyncClocks *sc)
{
    static float threshold_delay;
    static int64_t last_realtime_clock;
    static int nb_prints;

    if (!icount_align_option) {
        return;
    }
    if (sc->realtime_clock - last_realtime_clock < MAX_DELAY_PRINT_RATE) {
        return;
    }
    if (nb_prints >= MAX_NB_PRINTS) {
        return;
    }

    if (-sc->diff_clk / (float)1000000000LL > threshold_delay ||
        -sc->diff_clk / (float)1000000000LL < threshold_delay - THRESHOLD_REDUCE) {
        /* Round the lateness up to the next whole second for the report. */
        threshold_delay = (-sc->diff_clk / 1000000000LL) + 1;
        qemu_printf("Warning: The guest is now late by %.1f to %.1f seconds\n",
                    threshold_delay - 1,
                    threshold_delay);
        nb_prints++;
        last_realtime_clock = sc->realtime_clock;
    }
}
    117
/*
 * Initialise the clock-alignment state at the start of a cpu_exec() run.
 *
 * Samples the host (VIRTUAL_RT) and guest (VIRTUAL) clocks, records their
 * difference and the current icount, tracks the extreme values seen in
 * max_delay/max_advance, and gives print_delay() a chance to warn if the
 * guest is late.  No-op unless -icount align is in effect.
 */
static void init_delay_params(SyncClocks *sc, CPUState *cpu)
{
    int64_t host_now;

    if (!icount_align_option) {
        return;
    }

    host_now = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL_RT);
    sc->realtime_clock = host_now;
    sc->diff_clk = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - host_now;
    sc->last_cpu_icount = cpu->icount_extra + cpu_neg(cpu)->icount_decr.u16.low;

    max_delay = MIN(max_delay, sc->diff_clk);
    max_advance = MAX(max_advance, sc->diff_clk);

    /* Print every 2s max if the guest is late; capped at MAX_NB_PRINTS. */
    print_delay(sc);
}
    138#else
/* User-only build: there is no icount alignment, so nothing to do. */
static void align_clocks(SyncClocks *sc, const CPUState *cpu)
{
}
    142
/* User-only build: there is no icount alignment, so nothing to initialise. */
static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
{
}
    146#endif /* CONFIG USER ONLY */
    147
/*
 * Compute the compile flags for the next TB of @cpu.
 *
 * Starts from cpu->tcg_cflags and layers on the single-step / no-chain
 * restrictions: gdb single-step disables goto_tb and goto_ptr and limits the
 * TB to one insn; -singlestep disables goto_tb and limits to one insn;
 * -d nochain only disables goto_tb.
 */
uint32_t curr_cflags(CPUState *cpu)
{
    uint32_t restrict_bits = 0;

    if (unlikely(cpu->singlestep_enabled)) {
        restrict_bits = CF_NO_GOTO_TB | CF_NO_GOTO_PTR | CF_SINGLE_STEP | 1;
    } else if (singlestep) {
        restrict_bits = CF_NO_GOTO_TB | 1;
    } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
        restrict_bits = CF_NO_GOTO_TB;
    }

    return cpu->tcg_cflags | restrict_bits;
}
    169
    170/* Might cause an exception, so have a longjmp destination ready */
/*
 * Find an existing TB for (pc, cs_base, flags, cflags) on @cpu.
 *
 * Tries the per-cpu jump cache first; on a miss consults the global hash
 * table and refreshes the cache slot with the result.  Returns NULL when
 * no matching TB exists.  Might cause an exception, so the caller must
 * have a longjmp destination ready.
 */
static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                          target_ulong cs_base,
                                          uint32_t flags, uint32_t cflags)
{
    TranslationBlock *cached;
    TranslationBlock *found;
    uint32_t slot;

    /* we should never be trying to look up an INVALID tb */
    tcg_debug_assert(!(cflags & CF_INVALID));

    slot = tb_jmp_cache_hash_func(pc);
    cached = qatomic_rcu_read(&cpu->tb_jmp_cache[slot]);

    if (likely(cached != NULL
               && cached->pc == pc
               && cached->cs_base == cs_base
               && cached->flags == flags
               && cached->trace_vcpu_dstate == *cpu->trace_dstate
               && tb_cflags(cached) == cflags)) {
        return cached;
    }

    found = tb_htable_lookup(cpu, pc, cs_base, flags, cflags);
    if (found != NULL) {
        qatomic_set(&cpu->tb_jmp_cache[slot], found);
    }
    return found;
}
    199
/*
 * Emit the -d exec trace line for @tb about to run at @pc and, when
 * DEBUG_DISAS is built in and -d cpu is set, a CPU state dump.  Both are
 * gated on the log mask and on the log address-range filter, so the common
 * case costs a single test.
 */
static inline void log_cpu_exec(target_ulong pc, CPUState *cpu,
                                const TranslationBlock *tb)
{
    if (unlikely(qemu_loglevel_mask(CPU_LOG_TB_CPU | CPU_LOG_EXEC))
        && qemu_log_in_addr_range(pc)) {

        qemu_log_mask(CPU_LOG_EXEC,
                      "Trace %d: %p [" TARGET_FMT_lx
                      "/" TARGET_FMT_lx "/%08x/%08x] %s\n",
                      cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc,
                      tb->flags, tb->cflags, lookup_symbol(pc));

#if defined(DEBUG_DISAS)
        if (qemu_loglevel_mask(CPU_LOG_TB_CPU)) {
            /* Hold the log lock so the multi-line dump is not interleaved. */
            FILE *logfile = qemu_log_lock();
            int flags = 0;

            if (qemu_loglevel_mask(CPU_LOG_TB_FPU)) {
                flags |= CPU_DUMP_FPU;
            }
#if defined(TARGET_I386)
            flags |= CPU_DUMP_CCOP;
#endif
            log_cpu_state(cpu, flags);
            qemu_log_unlock(logfile);
        }
#endif /* DEBUG_DISAS */
    }
}
    229
/*
 * Decide whether execution at @pc must stop for a breakpoint.
 *
 * Returns true, with cpu->exception_index set to EXCP_DEBUG, when a gdb
 * breakpoint or a CPU (architectural) breakpoint that the target confirms
 * sits exactly at @pc.  Otherwise returns false; if some breakpoint lives
 * on the same page as @pc, *cflags is rewritten so the next TB is a single
 * unchained insn, letting the exact-match check run again at each pc.
 */
static bool check_for_breakpoints(CPUState *cpu, target_ulong pc,
                                  uint32_t *cflags)
{
    CPUBreakpoint *bp;
    bool same_page = false;

    if (likely(QTAILQ_EMPTY(&cpu->breakpoints))) {
        return false;
    }

    /*
     * Singlestep overrides breakpoints.
     * This requirement is visible in the record-replay tests, where
     * we would fail to make forward progress in reverse-continue.
     *
     * TODO: gdb singlestep should only override gdb breakpoints,
     * so that one could (gdb) singlestep into the guest kernel's
     * architectural breakpoint handler.
     */
    if (cpu->singlestep_enabled) {
        return false;
    }

    QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
        if (pc != bp->pc) {
            /* Not an exact hit: remember whether it shares our page. */
            if (((pc ^ bp->pc) & TARGET_PAGE_MASK) == 0) {
                same_page = true;
            }
            continue;
        }

        /* Exact pc match: a gdb breakpoint always triggers. */
        if (bp->flags & BP_GDB) {
            cpu->exception_index = EXCP_DEBUG;
            return true;
        }
        /* A CPU breakpoint triggers only if the target agrees. */
        if (bp->flags & BP_CPU) {
#ifdef CONFIG_USER_ONLY
            g_assert_not_reached();
#else
            CPUClass *cc = CPU_GET_CLASS(cpu);
            assert(cc->tcg_ops->debug_check_breakpoint);
            if (cc->tcg_ops->debug_check_breakpoint(cpu)) {
                cpu->exception_index = EXCP_DEBUG;
                return true;
            }
#endif
        }
    }

    /*
     * Within the same page as a breakpoint, single-step,
     * returning to helper_lookup_tb_ptr after each insn looking
     * for the actual breakpoint.
     *
     * TODO: Perhaps better to record all of the TBs associated
     * with a given virtual page that contains a breakpoint, and
     * then invalidate them when a new overlapping breakpoint is
     * set on the page.  Non-overlapping TBs would not be
     * invalidated, nor would any TB need to be invalidated as
     * breakpoints are removed.
     */
    if (same_page) {
        *cflags = (*cflags & ~CF_COUNT_MASK) | CF_NO_GOTO_TB | 1;
    }
    return false;
}
    299
    300/**
    301 * helper_lookup_tb_ptr: quick check for next tb
    302 * @env: current cpu state
    303 *
    304 * Look for an existing TB matching the current cpu state.
    305 * If found, return the code pointer.  If not found, return
    306 * the tcg epilogue so that we return into cpu_tb_exec.
    307 */
/*
 * Fast path used by generated code (goto_ptr) to find the next TB.
 *
 * Reads the current cpu state, honours breakpoints (exiting the loop via
 * cpu_loop_exit when one fires) and looks the TB up without generating
 * code.  Returns the TB's code pointer, or the TCG epilogue so that
 * control returns into cpu_tb_exec when no TB is available.
 */
const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
{
    CPUState *cpu = env_cpu(env);
    target_ulong pc, cs_base;
    uint32_t flags, cflags;
    TranslationBlock *next;

    cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
    cflags = curr_cflags(cpu);

    if (check_for_breakpoints(cpu, pc, &cflags)) {
        cpu_loop_exit(cpu);
    }

    next = tb_lookup(cpu, pc, cs_base, flags, cflags);
    if (next == NULL) {
        /* Nothing translated yet: bounce back to cpu_tb_exec. */
        return tcg_code_gen_epilogue;
    }

    log_cpu_exec(pc, cpu, next);
    return next->tc.ptr;
}
    331
    332/* Execute a TB, and fix up the CPU state afterwards if necessary */
    333/*
    334 * Disable CFI checks.
    335 * TCG creates binary blobs at runtime, with the transformed code.
    336 * A TB is a blob of binary code, created at runtime and called with an
    337 * indirect function call. Since such function did not exist at compile time,
    338 * the CFI runtime has no way to verify its signature and would fail.
    339 * TCG is not considered a security-sensitive part of QEMU so this does not
    340 * affect the impact of CFI in environment with high security requirements
    341 */
/*
 * Run the generated code of @itb on @cpu.
 *
 * Returns the last TB executed in the chain (as a writable pointer) and
 * stores the exit code (low TB_EXIT_MASK bits of the return value) in
 * *tb_exit.  If execution stopped before the last TB started, the guest PC
 * is put back to the start of that TB so the loop can resume there.
 */
static inline TranslationBlock * QEMU_DISABLE_CFI
cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
{
    CPUArchState *env = cpu->env_ptr;
    uintptr_t ret;
    TranslationBlock *last_tb;
    const void *tb_ptr = itb->tc.ptr;

    log_cpu_exec(itb->pc, cpu, itb);

    qemu_thread_jit_execute();
    ret = tcg_qemu_tb_exec(env, tb_ptr);
    /* Back in C: re-assert can_do_io now that generated code has returned. */
    cpu->can_do_io = 1;
    /*
     * TODO: Delay swapping back to the read-write region of the TB
     * until we actually need to modify the TB.  The read-only copy,
     * coming from the rx region, shares the same host TLB entry as
     * the code that executed the exit_tb opcode that arrived here.
     * If we insist on touching both the RX and the RW pages, we
     * double the host TLB pressure.
     */
    /* The return value packs the exit reason into its low bits. */
    last_tb = tcg_splitwx_to_rw((void *)(ret & ~TB_EXIT_MASK));
    *tb_exit = ret & TB_EXIT_MASK;

    trace_exec_tb_exit(last_tb, *tb_exit);

    if (*tb_exit > TB_EXIT_IDX1) {
        /* We didn't start executing this TB (eg because the instruction
         * counter hit zero); we must restore the guest PC to the address
         * of the start of the TB.
         */
        CPUClass *cc = CPU_GET_CLASS(cpu);
        qemu_log_mask_and_addr(CPU_LOG_EXEC, last_tb->pc,
                               "Stopped execution of TB chain before %p ["
                               TARGET_FMT_lx "] %s\n",
                               last_tb->tc.ptr, last_tb->pc,
                               lookup_symbol(last_tb->pc));
        /* Prefer the target's TB-aware sync hook; fall back to a plain set_pc. */
        if (cc->tcg_ops->synchronize_from_tb) {
            cc->tcg_ops->synchronize_from_tb(cpu, last_tb);
        } else {
            assert(cc->set_pc);
            cc->set_pc(cpu, last_tb->pc);
        }
    }
    return last_tb;
}
    388
    389
/* Invoke the target's optional hook on entry to the execution loop. */
static void cpu_exec_enter(CPUState *cpu)
{
    const struct TCGCPUOps *ops = CPU_GET_CLASS(cpu)->tcg_ops;

    if (ops->cpu_exec_enter != NULL) {
        ops->cpu_exec_enter(cpu);
    }
}
    398
/* Invoke the target's optional hook on exit from the execution loop. */
static void cpu_exec_exit(CPUState *cpu)
{
    const struct TCGCPUOps *ops = CPU_GET_CLASS(cpu)->tcg_ops;

    if (ops->cpu_exec_exit != NULL) {
        ops->cpu_exec_exit(cpu);
    }
}
    407
/*
 * Execute a single insn of @cpu inside the exclusive region.
 *
 * Used when an atomic operation cannot be emulated in parallel: the TB is
 * (re)generated with CF_PARALLEL cleared and limited to one insn, run, and
 * the exclusive lock released.  A longjmp out of codegen or execution lands
 * in the else branch, which drops any locks still held before the common
 * tail releases the exclusive region.
 */
void cpu_exec_step_atomic(CPUState *cpu)
{
    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
    TranslationBlock *tb;
    target_ulong cs_base, pc;
    uint32_t flags, cflags;
    int tb_exit;

    if (sigsetjmp(cpu->jmp_env, 0) == 0) {
        start_exclusive();
        g_assert(cpu == current_cpu);
        g_assert(!cpu->running);
        cpu->running = true;

        cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);

        cflags = curr_cflags(cpu);
        /* Execute in a serial context. */
        cflags &= ~CF_PARALLEL;
        /* After 1 insn, return and release the exclusive lock. */
        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | 1;
        /*
         * No need to check_for_breakpoints here.
         * We only arrive in cpu_exec_step_atomic after beginning execution
         * of an insn that includes an atomic operation we can't handle.
         * Any breakpoint for this insn will have been recognized earlier.
         */

        tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
        if (tb == NULL) {
            /* Codegen needs the mmap lock; tb_gen_code may longjmp out. */
            mmap_lock();
            tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
            mmap_unlock();
        }

        cpu_exec_enter(cpu);
        /* execute the generated code */
        trace_exec_tb(tb, pc);
        cpu_tb_exec(cpu, tb, &tb_exit);
        cpu_exec_exit(cpu);
    } else {
        /*
         * The mmap_lock is dropped by tb_gen_code if it runs out of
         * memory.
         */
#ifndef CONFIG_SOFTMMU
        tcg_debug_assert(!have_mmap_lock());
#endif
        if (qemu_mutex_iothread_locked()) {
            qemu_mutex_unlock_iothread();
        }
        assert_no_pages_locked();
        qemu_plugin_disable_mem_helpers(cpu);
    }


    /*
     * As we start the exclusive region before codegen we must still
     * be in the region if we longjump out of either the codegen or
     * the execution.
     */
    g_assert(cpu_in_exclusive_context(cpu));
    cpu->running = false;
    end_exclusive();
}
    473
/* Search key handed to qht_lookup_custom() by tb_htable_lookup(). */
struct tb_desc {
    target_ulong pc;
    target_ulong cs_base;
    CPUArchState *env;          /* needed to resolve the TB's second page */
    tb_page_addr_t phys_page1;  /* physical page containing pc */
    uint32_t flags;
    uint32_t cflags;
    uint32_t trace_vcpu_dstate;
};
    483
/*
 * qht comparison callback: does TB @p match the search key @d?
 *
 * All of pc, first physical page, cs_base, flags, trace state and cflags
 * must agree.  A TB spanning two pages additionally requires the physical
 * address of the page after the key's pc to match its second page.
 */
static bool tb_lookup_cmp(const void *p, const void *d)
{
    const TranslationBlock *tb = p;
    const struct tb_desc *desc = d;
    target_ulong virt_page2;

    if (tb->pc != desc->pc
        || tb->page_addr[0] != desc->phys_page1
        || tb->cs_base != desc->cs_base
        || tb->flags != desc->flags
        || tb->trace_vcpu_dstate != desc->trace_vcpu_dstate
        || tb_cflags(tb) != desc->cflags) {
        return false;
    }

    /* Single-page TB: nothing more to check. */
    if (tb->page_addr[1] == -1) {
        return true;
    }

    virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
    return tb->page_addr[1] == get_page_addr_code(desc->env, virt_page2);
}
    511
/*
 * Look up a TB in the global hash table.
 *
 * Returns NULL when pc has no physical code address or when no TB matches
 * (pc, cs_base, flags, cflags, trace state).  Does not generate code.
 */
TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
                                   target_ulong cs_base, uint32_t flags,
                                   uint32_t cflags)
{
    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
    uint32_t dstate = *cpu->trace_dstate;
    tb_page_addr_t phys_pc = get_page_addr_code(env, pc);
    struct tb_desc key;
    uint32_t hash;

    if (phys_pc == -1) {
        return NULL;
    }

    key = (struct tb_desc) {
        .pc = pc,
        .cs_base = cs_base,
        .env = env,
        .phys_page1 = phys_pc & TARGET_PAGE_MASK,
        .flags = flags,
        .cflags = cflags,
        .trace_vcpu_dstate = dstate,
    };
    hash = tb_hash_func(phys_pc, pc, flags, cflags, dstate);
    return qht_lookup_custom(&tb_ctx.htable, &key, hash, tb_lookup_cmp);
}
    534
/*
 * Point jump slot @n of @tb at host address @addr.
 *
 * On backends with direct jumps the jump instruction inside the TB's code
 * is patched in place (via its RX and RW aliases); otherwise the target
 * is stored in jmp_target_arg for the indirect jump to load.
 */
void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
{
    uintptr_t tc_ptr, jmp_rx;

    if (!TCG_TARGET_HAS_direct_jump) {
        tb->jmp_target_arg[n] = addr;
        return;
    }

    tc_ptr = (uintptr_t)tb->tc.ptr;
    jmp_rx = tc_ptr + tb->jmp_target_arg[n];
    tb_target_set_jmp_target(tc_ptr, jmp_rx, jmp_rx - tcg_splitwx_diff, addr);
}
    547
/*
 * Chain jump slot @n of @tb to @tb_next.
 *
 * The slot is claimed with a cmpxchg so that concurrent vCPUs racing on
 * the same TB link it only once; the native jump is then patched and @tb
 * is recorded in @tb_next's jump list under tb_next->jmp_lock.  Nothing
 * is done if @tb_next has already been invalidated or the slot is taken.
 */
static inline void tb_add_jump(TranslationBlock *tb, int n,
                               TranslationBlock *tb_next)
{
    uintptr_t old;

    qemu_thread_jit_write();
    /* n indexes a fixed-size per-TB array; reject an out-of-range slot. */
    assert(n < ARRAY_SIZE(tb->jmp_list_next));
    qemu_spin_lock(&tb_next->jmp_lock);

    /* make sure the destination TB is valid */
    if (tb_next->cflags & CF_INVALID) {
        goto out_unlock_next;
    }
    /* Atomically claim the jump destination slot only if it was NULL */
    old = qatomic_cmpxchg(&tb->jmp_dest[n], (uintptr_t)NULL,
                          (uintptr_t)tb_next);
    if (old) {
        goto out_unlock_next;
    }

    /* patch the native jump address */
    tb_set_jmp_target(tb, n, (uintptr_t)tb_next->tc.ptr);

    /* add in TB jmp list */
    tb->jmp_list_next[n] = tb_next->jmp_list_head;
    /* The low bits of the list entry carry the slot index alongside the TB pointer. */
    tb_next->jmp_list_head = (uintptr_t)tb | n;

    qemu_spin_unlock(&tb_next->jmp_lock);

    qemu_log_mask_and_addr(CPU_LOG_EXEC, tb->pc,
                           "Linking TBs %p [" TARGET_FMT_lx
                           "] index %d -> %p [" TARGET_FMT_lx "]\n",
                           tb->tc.ptr, tb->pc, n,
                           tb_next->tc.ptr, tb_next->pc);
    return;

 out_unlock_next:
    qemu_spin_unlock(&tb_next->jmp_lock);
    return;
}
    588
/*
 * Handle a halted vCPU at the top of cpu_exec().
 *
 * Returns true when @cpu is halted and has no pending work, in which case
 * the caller returns EXCP_HALTED.  On i386 a pending CPU_INTERRUPT_POLL is
 * first delivered to the APIC (under the BQL) so that it can create work.
 * If work exists the halt is cleared and false is returned.  Always false
 * in user-only builds, where there is no halt state.
 */
static inline bool cpu_handle_halt(CPUState *cpu)
{
#ifdef CONFIG_USER_ONLY
    return false;
#else
    if (!cpu->halted) {
        return false;
    }

#if defined(TARGET_I386)
    if (cpu->interrupt_request & CPU_INTERRUPT_POLL) {
        X86CPU *x86_cpu = X86_CPU(cpu);

        qemu_mutex_lock_iothread();
        apic_poll_irq(x86_cpu->apic_state);
        cpu_reset_interrupt(cpu, CPU_INTERRUPT_POLL);
        qemu_mutex_unlock_iothread();
    }
#endif /* TARGET_I386 */

    if (!cpu_has_work(cpu)) {
        return true;
    }

    cpu->halted = 0;
    return false;
#endif /* CONFIG_USER_ONLY */
}
    612
/*
 * Post-process an EXCP_DEBUG before returning to the caller.
 *
 * If no watchpoint caused the stop, stale BP_WATCHPOINT_HIT flags are
 * cleared on every watchpoint; the target's debug_excp_handler hook, if
 * any, then runs.
 */
static inline void cpu_handle_debug_exception(CPUState *cpu)
{
    const struct TCGCPUOps *ops = CPU_GET_CLASS(cpu)->tcg_ops;

    if (!cpu->watchpoint_hit) {
        CPUWatchpoint *wp;

        QTAILQ_FOREACH(wp, &cpu->watchpoints, entry) {
            wp->flags &= ~BP_WATCHPOINT_HIT;
        }
    }

    if (ops->debug_excp_handler != NULL) {
        ops->debug_excp_handler(cpu);
    }
}
    628
/*
 * Dispatch a pending cpu->exception_index.
 *
 * Returns true when the execution loop must be left, with the value to
 * return from cpu_exec() stored in *ret; returns false when execution can
 * continue (no exception pending, or a guest exception that was delivered
 * to the guest via do_interrupt).  exception_index is reset to -1 whenever
 * the exception has been consumed here.
 */
static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
{
    if (cpu->exception_index < 0) {
#ifndef CONFIG_USER_ONLY
        if (replay_has_exception()
            && cpu_neg(cpu)->icount_decr.u16.low + cpu->icount_extra == 0) {
            /* Execute just one insn to trigger exception pending in the log */
            cpu->cflags_next_tb = (curr_cflags(cpu) & ~CF_USE_ICOUNT) | 1;
        }
#endif
        return false;
    }
    if (cpu->exception_index >= EXCP_INTERRUPT) {
        /* exit request from the cpu execution loop */
        *ret = cpu->exception_index;
        if (*ret == EXCP_DEBUG) {
            cpu_handle_debug_exception(cpu);
        }
        cpu->exception_index = -1;
        return true;
    } else {
#if defined(CONFIG_USER_ONLY)
        /* if user mode only, we simulate a fake exception
           which will be handled outside the cpu execution
           loop */
#if defined(TARGET_I386)
        CPUClass *cc = CPU_GET_CLASS(cpu);
        cc->tcg_ops->fake_user_interrupt(cpu);
#endif /* TARGET_I386 */
        *ret = cpu->exception_index;
        cpu->exception_index = -1;
        return true;
#else
        /* In record/replay, only deliver the exception when the log allows it. */
        if (replay_exception()) {
            CPUClass *cc = CPU_GET_CLASS(cpu);
            /* do_interrupt may touch device state, so take the BQL around it. */
            qemu_mutex_lock_iothread();
            cc->tcg_ops->do_interrupt(cpu);
            qemu_mutex_unlock_iothread();
            cpu->exception_index = -1;

            if (unlikely(cpu->singlestep_enabled)) {
                /*
                 * After processing the exception, ensure an EXCP_DEBUG is
                 * raised when single-stepping so that GDB doesn't miss the
                 * next instruction.
                 */
                *ret = EXCP_DEBUG;
                cpu_handle_debug_exception(cpu);
                return true;
            }
        } else if (!replay_has_interrupt()) {
            /* give a chance to iothread in replay mode */
            *ret = EXCP_INTERRUPT;
            return true;
        }
#endif
    }

    return false;
}
    689
    690#ifndef CONFIG_USER_ONLY
/*
 * Should this interrupt be recorded in the replay log?
 *
 * CPU_INTERRUPT_POLL is a virtual event which gets converted into a
 * "real" interrupt event later, so on i386 it is not recorded; every
 * other request, and every request on other targets, is.
 */
static inline bool need_replay_interrupt(int interrupt_request)
{
    bool virtual_only = false;

#if defined(TARGET_I386)
    virtual_only = (interrupt_request & CPU_INTERRUPT_POLL) != 0;
#endif
    return !virtual_only;
}
    704#endif /* !CONFIG_USER_ONLY */
    705
/*
 * Service cpu->interrupt_request and cpu->exit_request between TBs.
 *
 * Returns true when the execution loop must restart on a new TB (an
 * exception_index such as EXCP_DEBUG, EXCP_HLT, EXCP_HALTED or
 * EXCP_INTERRUPT has been set), false when the current chain may go on.
 * *last_tb is cleared whenever control flow changed so the previous TB is
 * not chained to the next one.  The BQL is held while interrupt_request is
 * examined and while target hooks run.
 */
static inline bool cpu_handle_interrupt(CPUState *cpu,
                                        TranslationBlock **last_tb)
{
    /* Clear the interrupt flag now since we're processing
     * cpu->interrupt_request and cpu->exit_request.
     * Ensure zeroing happens before reading cpu->exit_request or
     * cpu->interrupt_request (see also smp_wmb in cpu_exit())
     */
    qatomic_mb_set(&cpu_neg(cpu)->icount_decr.u16.high, 0);

    if (unlikely(qatomic_read(&cpu->interrupt_request))) {
        int interrupt_request;
        qemu_mutex_lock_iothread();
        interrupt_request = cpu->interrupt_request;
        if (unlikely(cpu->singlestep_enabled & SSTEP_NOIRQ)) {
            /* Mask out external interrupts for this step. */
            interrupt_request &= ~CPU_INTERRUPT_SSTEP_MASK;
        }
        if (interrupt_request & CPU_INTERRUPT_DEBUG) {
            cpu->interrupt_request &= ~CPU_INTERRUPT_DEBUG;
            cpu->exception_index = EXCP_DEBUG;
            qemu_mutex_unlock_iothread();
            return true;
        }
#if !defined(CONFIG_USER_ONLY)
        /* In replay mode interrupts are delivered only when the log says so. */
        if (replay_mode == REPLAY_MODE_PLAY && !replay_has_interrupt()) {
            /* Do nothing */
        } else if (interrupt_request & CPU_INTERRUPT_HALT) {
            replay_interrupt();
            cpu->interrupt_request &= ~CPU_INTERRUPT_HALT;
            cpu->halted = 1;
            cpu->exception_index = EXCP_HLT;
            qemu_mutex_unlock_iothread();
            return true;
        }
#if defined(TARGET_I386)
        else if (interrupt_request & CPU_INTERRUPT_INIT) {
            X86CPU *x86_cpu = X86_CPU(cpu);
            CPUArchState *env = &x86_cpu->env;
            replay_interrupt();
            /* INIT is interceptable under SVM; check before resetting the vCPU. */
            cpu_svm_check_intercept_param(env, SVM_EXIT_INIT, 0, 0);
            do_cpu_init(x86_cpu);
            cpu->exception_index = EXCP_HALTED;
            qemu_mutex_unlock_iothread();
            return true;
        }
#else
        else if (interrupt_request & CPU_INTERRUPT_RESET) {
            replay_interrupt();
            cpu_reset(cpu);
            qemu_mutex_unlock_iothread();
            return true;
        }
#endif /* !TARGET_I386 */
        /* The target hook has 3 exit conditions:
           False when the interrupt isn't processed,
           True when it is, and we should restart on a new TB,
           and via longjmp via cpu_loop_exit.  */
        else {
            CPUClass *cc = CPU_GET_CLASS(cpu);

            if (cc->tcg_ops->cpu_exec_interrupt &&
                cc->tcg_ops->cpu_exec_interrupt(cpu, interrupt_request)) {
                if (need_replay_interrupt(interrupt_request)) {
                    replay_interrupt();
                }
                /*
                 * After processing the interrupt, ensure an EXCP_DEBUG is
                 * raised when single-stepping so that GDB doesn't miss the
                 * next instruction.
                 */
                cpu->exception_index =
                    (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
                *last_tb = NULL;
            }
            /* The target hook may have updated the 'cpu->interrupt_request';
             * reload the 'interrupt_request' value */
            interrupt_request = cpu->interrupt_request;
        }
#endif /* !CONFIG_USER_ONLY */
        if (interrupt_request & CPU_INTERRUPT_EXITTB) {
            cpu->interrupt_request &= ~CPU_INTERRUPT_EXITTB;
            /* ensure that no TB jump will be modified as
               the program flow was changed */
            *last_tb = NULL;
        }

        /* If we exit via cpu_loop_exit/longjmp it is reset in cpu_exec */
        qemu_mutex_unlock_iothread();
    }

    /* Finally, check if we need to exit to the main loop.  */
    /* With icount, also exit when the instruction budget is exhausted. */
    if (unlikely(qatomic_read(&cpu->exit_request))
        || (icount_enabled()
            && (cpu->cflags_next_tb == -1 || cpu->cflags_next_tb & CF_USE_ICOUNT)
            && cpu_neg(cpu)->icount_decr.u16.low + cpu->icount_extra == 0)) {
        qatomic_set(&cpu->exit_request, 0);
        if (cpu->exception_index == -1) {
            cpu->exception_index = EXCP_INTERRUPT;
        }
        return true;
    }

    return false;
}
    811
/*
 * Execute @tb and update the chaining / icount state for the next iteration.
 *
 * On a normal exit *last_tb is set to the TB that ran last so the loop can
 * chain it to the next TB.  On TB_EXIT_REQUESTED, chaining is suppressed and
 * the exit is either an external request (negative icount_decr, handled by
 * cpu_handle_interrupt) or an expired instruction counter, in which case
 * the decrementer is refilled from cpu->icount_budget and, if fewer insns
 * remain than @tb contains, cflags_next_tb is set so the next TB is cut to
 * exactly that many.
 */
static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
                                    TranslationBlock **last_tb, int *tb_exit)
{
    int32_t insns_left;

    trace_exec_tb(tb, tb->pc);
    tb = cpu_tb_exec(cpu, tb, tb_exit);
    if (*tb_exit != TB_EXIT_REQUESTED) {
        *last_tb = tb;
        return;
    }

    *last_tb = NULL;
    insns_left = qatomic_read(&cpu_neg(cpu)->icount_decr.u32);
    if (insns_left < 0) {
        /* Something asked us to stop executing chained TBs; just
         * continue round the main loop. Whatever requested the exit
         * will also have set something else (eg exit_request or
         * interrupt_request) which will be handled by
         * cpu_handle_interrupt.  cpu_handle_interrupt will also
         * clear cpu->icount_decr.u16.high.
         */
        return;
    }

    /* Instruction counter expired.  */
    assert(icount_enabled());
#ifndef CONFIG_USER_ONLY
    /* Ensure global icount has gone forward */
    icount_update(cpu);
    /* Refill decrementer and continue execution.  */
    /* The 16-bit decrementer holds at most 0xffff; the rest goes to icount_extra. */
    insns_left = MIN(0xffff, cpu->icount_budget);
    cpu_neg(cpu)->icount_decr.u16.low = insns_left;
    cpu->icount_extra = cpu->icount_budget - insns_left;

    /*
     * If the next tb has more instructions than we have left to
     * execute we need to ensure we find/generate a TB with exactly
     * insns_left instructions in it.
     */
    if (insns_left > 0 && insns_left < tb->icount)  {
        assert(insns_left <= CF_COUNT_MASK);
        assert(cpu->icount_extra == 0);
        cpu->cflags_next_tb = (tb->cflags & ~CF_COUNT_MASK) | insns_left;
    }
#endif
}
    859
/*
 * main execution loop
 *
 * Run guest code on @cpu until cpu_handle_exception() decides the loop must
 * return (it then stores the return value in 'ret'), or report EXCP_HALTED
 * straight away when the vCPU is halted.
 *
 * Control flow is non-local: helpers that abort a translation block
 * (e.g. cpu_loop_exit) siglongjmp back to the sigsetjmp below, so the code
 * after that point may run more than once per call.  The RCU read lock is
 * taken before the sigsetjmp and released only at the normal exit, which is
 * correct because the longjmp always lands inside this function, after the
 * lock was acquired.
 */

int cpu_exec(CPUState *cpu)
{
    /* Set only by cpu_handle_exception() on the iteration that ends the
     * outer loop, which is the only way to reach the final return. */
    int ret;
    SyncClocks sc = { 0 };

    /* replay_interrupt may need current_cpu */
    current_cpu = cpu;

    /* A halted vCPU has nothing to run: leave before taking any locks. */
    if (cpu_handle_halt(cpu)) {
        return EXCP_HALTED;
    }

    rcu_read_lock();

    cpu_exec_enter(cpu);

    /* Calculate difference between guest clock and host clock.
     * This delay includes the delay of the last cycle, so
     * what we have to do is sleep until it is 0. As for the
     * advance/delay we gain here, we try to fix it next time.
     */
    init_delay_params(&sc, cpu);

    /*
     * prepare setjmp context for exception handling.  The savemask argument
     * is 0, so the signal mask is neither saved here nor restored on the
     * longjmp path.  The body of this 'if' runs only when something
     * longjmp'ed back here and re-establishes the invariants the normal
     * path maintains (no mmap lock, no iothread lock, no locked pages).
     */
    if (sigsetjmp(cpu->jmp_env, 0) != 0) {
#if defined(__clang__)
        /*
         * Some compilers wrongly smash all local variables after
         * siglongjmp (the spec requires that only non-volatile locals
         * which are changed between the sigsetjmp and siglongjmp are
         * permitted to be trashed). There were bug reports for gcc
         * 4.5.0 and clang.  The bug is fixed in all versions of gcc
         * that we support, but is still unfixed in clang:
         *   https://bugs.llvm.org/show_bug.cgi?id=21183
         *
         * Reload an essential local variable here for those compilers.
         * Newer versions of gcc would complain about this code (-Wclobbered),
         * so we only perform the workaround for clang.
         *
         * This is sound because current_cpu was assigned from 'cpu' above,
         * before the sigsetjmp.
         */
        cpu = current_cpu;
#else
        /* Non-buggy compilers preserve this; assert the correct value. */
        g_assert(cpu == current_cpu);
#endif

#ifndef CONFIG_SOFTMMU
        /* User-mode only: nobody may longjmp out while holding the mmap lock. */
        tcg_debug_assert(!have_mmap_lock());
#endif
        /*
         * The longjmp may originate from code that took the iothread lock
         * (cpu_handle_interrupt drops it itself on its normal path and
         * relies on this for the longjmp path); release it so the loop
         * restarts without the lock held.
         */
        if (qemu_mutex_iothread_locked()) {
            qemu_mutex_unlock_iothread();
        }
        qemu_plugin_disable_mem_helpers(cpu);

        assert_no_pages_locked();
    }

    /*
     * if an exception is pending, we execute it here.
     *
     * Outer loop: one pass per pending exception; exits when
     * cpu_handle_exception() returns true and has set 'ret'.
     * Inner loop: service interrupts, then locate or translate the block for
     * the current guest state and run it.  last_tb/tb_exit carry the
     * chaining state from one block to the next and start fresh after every
     * exception.
     */
    while (!cpu_handle_exception(cpu, &ret)) {
        TranslationBlock *last_tb = NULL;
        int tb_exit = 0;

        while (!cpu_handle_interrupt(cpu, &last_tb)) {
            TranslationBlock *tb;
            target_ulong cs_base, pc;
            uint32_t flags, cflags;

            /* Snapshot the guest state that keys the translation lookup. */
            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);

            /*
             * When requested, use an exact setting for cflags for the next
             * execution.  This is used for icount, precise smc, and stop-
             * after-access watchpoints.  Since this request should never
             * have CF_INVALID set, -1 is a convenient invalid value that
             * does not require tcg headers for cpu_common_reset.
             * (cflags is uint32_t, so the comparison with -1 is against the
             * all-ones pattern the field is reset to.)  The request is
             * one-shot: it is consumed as soon as it is read.
             */
            cflags = cpu->cflags_next_tb;
            if (cflags == -1) {
                cflags = curr_cflags(cpu);
            } else {
                cpu->cflags_next_tb = -1;
            }

            /*
             * A breakpoint at pc leaves the inner loop so the outer loop's
             * exception check runs next (presumably with an EXCP_DEBUG
             * already raised by the helper -- not visible here).
             */
            if (check_for_breakpoints(cpu, pc, &cflags)) {
                break;
            }

            tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
            if (tb == NULL) {
                /* Translation reads guest memory and must not race with
                 * changes to its layout: hold the mmap lock around it. */
                mmap_lock();
                tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
                mmap_unlock();
                /*
                 * We add the TB in the virtual pc hash table
                 * for the fast lookup.  The slot is chosen from the guest pc
                 * alone, so a later hit may carry a different
                 * cs_base/flags/cflags -- tb_lookup is expected to re-check
                 * those before trusting the cached entry (TODO confirm).
                 */
                qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
            }

#ifndef CONFIG_USER_ONLY
            /*
             * We don't take care of direct jumps when address mapping
             * changes in system emulation.  So it's not safe to make a
             * direct jump to a TB spanning two pages because the mapping
             * for the second page can change.  Dropping last_tb here is
             * what keeps such a block reachable only through the checked
             * lookup above.
             */
            if (tb->page_addr[1] != -1) {
                last_tb = NULL;
            }
#endif
            /* See if we can patch the calling TB: chain exit 'tb_exit' of
             * last_tb straight to tb so the next pass skips the lookup. */
            if (last_tb) {
                tb_add_jump(last_tb, tb_exit, tb);
            }

            cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);

            /* Try to align the host and virtual clocks
               if the guest is in advance */
            align_clocks(&sc, cpu);
        }
    }

    cpu_exec_exit(cpu);
    rcu_read_unlock();

    return ret;
}
    989
/*
 * Bring up the TCG execution state for one vCPU.
 *
 * The target's TCG hooks are initialised exactly once per process, on the
 * first call.  The guard is a plain function-local static with no
 * synchronisation, so this presumably relies on vCPUs being realized from a
 * single thread (TODO confirm).  The per-vCPU parts -- TLB, plugin hook and
 * (system mode only) the IOMMU notifier list -- run on every call.
 *
 * @errp is accepted for interface symmetry; nothing here reports an error.
 */
void tcg_exec_realizefn(CPUState *cpu, Error **errp)
{
    static bool target_hooks_ready;
    CPUClass *klass = CPU_GET_CLASS(cpu);

    if (!target_hooks_ready) {
        klass->tcg_ops->initialize();
        target_hooks_ready = true;
    }

    tlb_init(cpu);
    qemu_plugin_vcpu_init_hook(cpu);
#ifndef CONFIG_USER_ONLY
    tcg_iommu_init_notifier_list(cpu);
#endif
}
   1006
/*
 * Tear down what tcg_exec_realizefn() set up for @cpu, in reverse order:
 * IOMMU notifier list (system mode only), plugin hook, then the TLB.
 * The once-per-process target initialisation is not undone here.
 */
void tcg_exec_unrealizefn(CPUState *cpu)
{
#ifndef CONFIG_USER_ONLY
    tcg_iommu_free_notifier_list(cpu);
#endif
    qemu_plugin_vcpu_exit_hook(cpu);
    tlb_destroy(cpu);
}
   1017
   1018#ifndef CONFIG_USER_ONLY
   1019
/*
 * Print the host/guest clock drift for the icount clock, and -- when
 * -icount align is in effect -- the largest delay and advance observed so
 * far.  Prints nothing unless icount is enabled.  All values are reported
 * in milliseconds.
 */
void dump_drift_info(void)
{
    int64_t drift_ms;

    if (!icount_enabled()) {
        return;
    }

    drift_ms = (cpu_get_clock() - icount_get()) / SCALE_MS;
    qemu_printf("Host - Guest clock  %"PRIi64" ms\n", drift_ms);

    /* Without clock alignment the min/max are never tracked. */
    if (!icount_align_option) {
        qemu_printf("Max guest delay     NA\n");
        qemu_printf("Max guest advance   NA\n");
        return;
    }

    /* max_delay is kept as a negative number; negate it for display. */
    qemu_printf("Max guest delay     %"PRIi64" ms\n", -max_delay / SCALE_MS);
    qemu_printf("Max guest advance   %"PRIi64" ms\n", max_advance / SCALE_MS);
}
   1038
   1039#endif /* !CONFIG_USER_ONLY */