2015-08-21 07:04:50 +00:00
|
|
|
/*
|
|
|
|
* emulator main execution loop
|
|
|
|
*
|
|
|
|
* Copyright (c) 2003-2005 Fabrice Bellard
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
|
|
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
|
|
|
*/
|
|
|
|
|
|
|
|
/* Modified for Unicorn Engine by Nguyen Anh Quynh, 2015 */
|
|
|
|
|
2018-02-19 05:49:52 +00:00
|
|
|
#include "qemu/osdep.h"
|
2018-02-24 07:26:26 +00:00
|
|
|
#include "cpu.h"
|
|
|
|
#include "exec/exec-all.h"
|
2015-08-21 07:04:50 +00:00
|
|
|
#include "tcg.h"
|
2018-02-27 16:12:36 +00:00
|
|
|
#include "qemu/atomic.h"
|
|
|
|
#include "qemu/timer.h"
|
2015-08-21 07:04:50 +00:00
|
|
|
#include "sysemu/sysemu.h"
|
2018-02-12 20:20:15 +00:00
|
|
|
#include "exec/address-spaces.h"
|
2018-02-14 13:12:24 +00:00
|
|
|
#include "exec/tb-hash.h"
|
tcg: consolidate TB lookups in tb_lookup__cpu_state
This avoids duplicating code. cpu_exec_step will also use the
new common function once we integrate parallel_cpus into tb->cflags.
Note that in this commit we also fix a race, described by Richard Henderson
during review. Think of this scenario with threads A and B:
(A) Lookup succeeds for TB in hash without tb_lock
(B) Sets the TB's tb->invalid flag
(B) Removes the TB from tb_htable
(B) Clears all CPU's tb_jmp_cache
(A) Store TB into local tb_jmp_cache
Given that order of events, (A) will keep executing that invalid TB until
another flush of its tb_jmp_cache happens, which in theory might never happen.
We can fix this by checking the tb->invalid flag every time we look up a TB
from tb_jmp_cache, so that in the above scenario, next time we try to find
that TB in tb_jmp_cache, we won't, and will therefore be forced to look it
up in tb_htable.
Performance-wise, I measured a small improvement when booting debian-arm.
Note that inlining pays off:
Performance counter stats for 'taskset -c 0 qemu-system-arm \
-machine type=virt -nographic -smp 1 -m 4096 \
-netdev user,id=unet,hostfwd=tcp::2222-:22 \
-device virtio-net-device,netdev=unet \
-drive file=jessie.qcow2,id=myblock,index=0,if=none \
-device virtio-blk-device,drive=myblock \
-kernel kernel.img -append console=ttyAMA0 root=/dev/vda1 \
-name arm,debug-threads=on -smp 1' (10 runs):
Before:
18714.917392 task-clock # 0.952 CPUs utilized ( +- 0.95% )
23,142 context-switches # 0.001 M/sec ( +- 0.50% )
1 CPU-migrations # 0.000 M/sec
10,558 page-faults # 0.001 M/sec ( +- 0.95% )
53,957,727,252 cycles # 2.883 GHz ( +- 0.91% ) [83.33%]
24,440,599,852 stalled-cycles-frontend # 45.30% frontend cycles idle ( +- 1.20% ) [83.33%]
16,495,714,424 stalled-cycles-backend # 30.57% backend cycles idle ( +- 0.95% ) [66.66%]
76,267,572,582 instructions # 1.41 insns per cycle
12,692,186,323 branches # 678.186 M/sec ( +- 0.92% ) [83.35%]
263,486,879 branch-misses # 2.08% of all branches ( +- 0.73% ) [83.34%]
19.648474449 seconds time elapsed ( +- 0.82% )
After, w/ inline (this patch):
18471.376627 task-clock # 0.955 CPUs utilized ( +- 0.96% )
23,048 context-switches # 0.001 M/sec ( +- 0.48% )
1 CPU-migrations # 0.000 M/sec
10,708 page-faults # 0.001 M/sec ( +- 0.81% )
53,208,990,796 cycles # 2.881 GHz ( +- 0.98% ) [83.34%]
23,941,071,673 stalled-cycles-frontend # 44.99% frontend cycles idle ( +- 0.95% ) [83.34%]
16,161,773,848 stalled-cycles-backend # 30.37% backend cycles idle ( +- 0.76% ) [66.67%]
75,786,269,766 instructions # 1.42 insns per cycle
12,573,617,143 branches # 680.708 M/sec ( +- 1.34% ) [83.33%]
260,235,550 branch-misses # 2.07% of all branches ( +- 0.66% ) [83.33%]
19.340502161 seconds time elapsed ( +- 0.56% )
After, w/o inline:
18791.253967 task-clock # 0.954 CPUs utilized ( +- 0.78% )
23,230 context-switches # 0.001 M/sec ( +- 0.42% )
1 CPU-migrations # 0.000 M/sec
10,563 page-faults # 0.001 M/sec ( +- 1.27% )
54,168,674,622 cycles # 2.883 GHz ( +- 0.80% ) [83.34%]
24,244,712,629 stalled-cycles-frontend # 44.76% frontend cycles idle ( +- 1.37% ) [83.33%]
16,288,648,572 stalled-cycles-backend # 30.07% backend cycles idle ( +- 0.95% ) [66.66%]
77,659,755,503 instructions # 1.43 insns per cycle
12,922,780,045 branches # 687.702 M/sec ( +- 1.06% ) [83.34%]
261,962,386 branch-misses # 2.03% of all branches ( +- 0.71% ) [83.35%]
19.700174670 seconds time elapsed ( +- 0.56% )
Backports commit f6bb84d53110398f4899c19dab4e0fe9908ec060 from qemu
2018-03-05 07:41:31 +00:00
|
|
|
#include "exec/tb-lookup.h"
|
2015-08-21 07:04:50 +00:00
|
|
|
|
|
|
|
#include "uc_priv.h"
|
|
|
|
|
2018-02-24 04:50:26 +00:00
|
|
|
/* Execute a TB, and fix up the CPU state afterwards if necessary */
|
|
|
|
static inline tcg_target_ulong cpu_tb_exec(CPUState *cpu, TranslationBlock *itb)
|
|
|
|
{
|
|
|
|
CPUArchState *env = cpu->env_ptr;
|
|
|
|
TCGContext *tcg_ctx = env->uc->tcg_ctx;
|
|
|
|
uintptr_t ret;
|
|
|
|
TranslationBlock *last_tb;
|
|
|
|
int tb_exit;
|
2018-03-05 07:57:19 +00:00
|
|
|
uint8_t *tb_ptr = itb->tc.ptr;
|
2018-02-24 04:50:26 +00:00
|
|
|
|
|
|
|
// Unicorn: commented out
|
|
|
|
//qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
|
|
|
|
// "Trace %p [" TARGET_FMT_lx "] %s\n",
|
2018-03-05 07:57:19 +00:00
|
|
|
// itb->tc.ptr, itb->pc, lookup_symbol(itb->pc));
|
2018-02-24 04:50:26 +00:00
|
|
|
ret = tcg_qemu_tb_exec(env, tb_ptr);
|
|
|
|
last_tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
|
|
|
|
tb_exit = ret & TB_EXIT_MASK;
|
|
|
|
//trace_exec_tb_exit(last_tb, tb_exit);
|
|
|
|
|
|
|
|
if (tb_exit > TB_EXIT_IDX1) {
|
|
|
|
/* We didn't start executing this TB (eg because the instruction
|
|
|
|
* counter hit zero); we must restore the guest PC to the address
|
|
|
|
* of the start of the TB.
|
|
|
|
*/
|
|
|
|
CPUClass *cc = CPU_GET_CLASS(env->uc, cpu);
|
|
|
|
// Unicorn: commented out
|
|
|
|
//qemu_log_mask_and_addr(CPU_LOG_EXEC, last_tb->pc,
|
|
|
|
// "Stopped execution of TB chain before %p ["
|
|
|
|
// TARGET_FMT_lx "] %s\n",
|
2018-03-05 07:57:19 +00:00
|
|
|
// last_tb->tc.ptr, last_tb->pc,
|
2018-02-24 04:50:26 +00:00
|
|
|
// lookup_symbol(last_tb->pc));
|
|
|
|
if (cc->synchronize_from_tb) {
|
|
|
|
// avoid sync twice when helper_uc_tracecode() already did this.
|
|
|
|
if (env->uc->emu_counter <= env->uc->emu_count &&
|
|
|
|
!env->uc->stop_request && !env->uc->quit_request) {
|
|
|
|
cc->synchronize_from_tb(cpu, last_tb);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
assert(cc->set_pc);
|
|
|
|
// avoid sync twice when helper_uc_tracecode() already did this.
|
|
|
|
if (env->uc->emu_counter <= env->uc->emu_count && !env->uc->quit_request) {
|
|
|
|
cc->set_pc(cpu, last_tb->pc);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (tb_exit == TB_EXIT_REQUESTED) {
|
|
|
|
/* We were asked to stop executing TBs (probably a pending
|
|
|
|
* interrupt. We've now stopped, so clear the flag.
|
|
|
|
*/
|
2018-02-26 10:11:14 +00:00
|
|
|
atomic_set(&cpu->tcg_exit_req, 0);
|
2018-02-24 04:50:26 +00:00
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2018-02-27 16:12:36 +00:00
|
|
|
/* Execute the code without caching the generated code. An interpreter
|
|
|
|
could be used if available. */
|
|
|
|
static void cpu_exec_nocache(CPUState *cpu, int max_cycles,
|
|
|
|
TranslationBlock *orig_tb, bool ignore_icount)
|
|
|
|
{
|
|
|
|
TranslationBlock *tb;
|
|
|
|
CPUArchState *env = (CPUArchState *)cpu->env_ptr;
|
|
|
|
|
|
|
|
/* Should never happen.
|
|
|
|
We only end up here when an existing TB is too long. */
|
|
|
|
if (max_cycles > CF_COUNT_MASK) {
|
|
|
|
max_cycles = CF_COUNT_MASK;
|
|
|
|
}
|
|
|
|
|
|
|
|
tb = tb_gen_code(cpu, orig_tb->pc, orig_tb->cs_base, orig_tb->flags,
|
|
|
|
max_cycles | CF_NOCACHE);
|
|
|
|
tb->orig_tb = orig_tb;
|
|
|
|
/* execute the generated code */
|
|
|
|
// Unicorn: commented out
|
|
|
|
//trace_exec_tb_nocache(tb, tb->pc);
|
|
|
|
cpu_tb_exec(cpu, tb);
|
|
|
|
tb_phys_invalidate(env->uc, tb, -1);
|
|
|
|
tb_free(env->uc, tb);
|
|
|
|
}
|
|
|
|
|
tb hash: track translated blocks with qht
Having a fixed-size hash table for keeping track of all translation blocks
is suboptimal: some workloads are just too big or too small to get maximum
performance from the hash table. The MRU promotion policy helps improve
performance when the hash table is a little undersized, but it cannot
make up for severely undersized hash tables.
Furthermore, frequent MRU promotions result in writes that are a scalability
bottleneck. For scalability, lookups should only perform reads, not writes.
This is not a big deal for now, but it will become one once MTTCG matures.
The appended fixes these issues by using qht as the implementation of
the TB hash table. This solution is superior to other alternatives considered,
namely:
- master: implementation in QEMU before this patchset
- xxhash: before this patch, i.e. fixed buckets + xxhash hashing + MRU.
- xxhash-rcu: fixed buckets + xxhash + RCU list + MRU.
MRU is implemented here by adding an intermediate struct
that contains the u32 hash and a pointer to the TB; this
allows us, on an MRU promotion, to copy said struct (that is not
at the head), and put this new copy at the head. After a grace
period, the original non-head struct can be eliminated, and
after another grace period, freed.
- qht-fixed-nomru: fixed buckets + xxhash + qht without auto-resize +
no MRU for lookups; MRU for inserts.
The appended solution is the following:
- qht-dyn-nomru: dynamic number of buckets + xxhash + qht w/ auto-resize +
no MRU for lookups; MRU for inserts.
The plots below compare the considered solutions. The Y axis shows the
boot time (in seconds) of a debian jessie image with arm-softmmu; the X axis
sweeps the number of buckets (or initial number of buckets for qht-autoresize).
The plots in PNG format (and with errorbars) can be seen here:
http://imgur.com/a/Awgnq
Each test runs 5 times, and the entire QEMU process is pinned to a
single core for repeatability of results.
Host: Intel Xeon E5-2690
28 ++------------+-------------+-------------+-------------+------------++
A***** + + + master **A*** +
27 ++ * xxhash ##B###++
| A******A****** xxhash-rcu $$C$$$ |
26 C$$ A******A****** qht-fixed-nomru*%%D%%%++
D%%$$ A******A******A*qht-dyn-mru A*E****A
25 ++ %%$$ qht-dyn-nomru &&F&&&++
B#####% |
24 ++ #C$$$$$ ++
| B### $ |
| ## C$$$$$$ |
23 ++ # C$$$$$$ ++
| B###### C$$$$$$ %%%D
22 ++ %B###### C$$$$$$C$$$$$$C$$$$$$C$$$$$$C$$$$$$C
| D%%%%%%B###### @E@@@@@@ %%%D%%%@@@E@@@@@@E
21 E@@@@@@E@@@@@@F&&&@@@E@@@&&&D%%%%%%B######B######B######B######B######B
+ E@@@ F&&& + E@ + F&&& + +
20 ++------------+-------------+-------------+-------------+------------++
14 16 18 20 22 24
log2 number of buckets
Host: Intel i7-4790K
14.5 ++------------+------------+-------------+------------+------------++
A** + + + master **A*** +
14 ++ ** xxhash ##B###++
13.5 ++ ** xxhash-rcu $$C$$$++
| qht-fixed-nomru %%D%%% |
13 ++ A****** qht-dyn-mru @@E@@@++
| A*****A******A****** qht-dyn-nomru &&F&&& |
12.5 C$$ A******A******A*****A****** ***A
12 ++ $$ A*** ++
D%%% $$ |
11.5 ++ %% ++
B### %C$$$$$$ |
11 ++ ## D%%%%% C$$$$$ ++
| # % C$$$$$$ |
10.5 F&&&&&&B######D%%%%% C$$$$$$C$$$$$$C$$$$$$C$$$$$C$$$$$$ $$$C
10 E@@@@@@E@@@@@@B#####B######B######E@@@@@@E@@@%%%D%%%%%D%%%###B######B
+ F&& D%%%%%%B######B######B#####B###@@@D%%% +
9.5 ++------------+------------+-------------+------------+------------++
14 16 18 20 22 24
log2 number of buckets
Note that the original point before this patch series is X=15 for "master";
the little sensitivity to the increased number of buckets is due to the
poor hashing function in master.
xxhash-rcu has significant overhead due to the constant churn of allocating
and deallocating intermediate structs for implementing MRU. An alternative
would be do consider failed lookups as "maybe not there", and then
acquire the external lock (tb_lock in this case) to really confirm that
there was indeed a failed lookup. This, however, would not be enough
to implement dynamic resizing--this is more complex: see
"Resizable, Scalable, Concurrent Hash Tables via Relativistic
Programming" by Triplett, McKenney and Walpole. This solution was
discarded due to the very coarse RCU read critical sections that we have
in MTTCG; resizing requires waiting for readers after every pointer update,
and resizes require many pointer updates, so this would quickly become
prohibitive.
qht-fixed-nomru shows that MRU promotion is advisable for undersized
hash tables.
However, qht-dyn-mru shows that MRU promotion is not important if the
hash table is properly sized: there is virtually no difference in
performance between qht-dyn-nomru and qht-dyn-mru.
Before this patch, we're at X=15 on "xxhash"; after this patch, we're at
X=15 @ qht-dyn-nomru. This patch thus matches the best performance that we
can achieve with optimum sizing of the hash table, while keeping the hash
table scalable for readers.
The improvement we get before and after this patch for booting debian jessie
with arm-softmmu is:
- Intel Xeon E5-2690: 10.5% less time
- Intel i7-4790K: 5.2% less time
We could get this same improvement _for this particular workload_ by
statically increasing the size of the hash table. But this would hurt
workloads that do not need a large hash table. The dynamic (upward)
resizing allows us to start small and enlarge the hash table as needed.
A quick note on downsizing: the table is resized back to 2**15 buckets
on every tb_flush; this makes sense because it is not guaranteed that the
table will reach the same number of TBs later on (e.g. most bootup code is
thrown away after boot); it makes sense to grow the hash table as
more code blocks are translated. This also avoids the complication of
having to build downsizing hysteresis logic into qht.
Backports commit 909eaac9bbc2ed4f3a82ce38e905b87d478a3e00 from qemu
2018-03-13 17:59:38 +00:00
|
|
|
struct tb_desc {
|
|
|
|
target_ulong pc;
|
|
|
|
target_ulong cs_base;
|
|
|
|
CPUArchState *env;
|
|
|
|
tb_page_addr_t phys_page1;
|
|
|
|
uint32_t flags;
|
|
|
|
};
|
|
|
|
|
|
|
|
static bool tb_cmp(const void *p, const void *d)
|
|
|
|
{
|
|
|
|
const TranslationBlock *tb = p;
|
|
|
|
const struct tb_desc *desc = d;
|
|
|
|
|
|
|
|
if (tb->pc == desc->pc &&
|
|
|
|
tb->page_addr[0] == desc->phys_page1 &&
|
|
|
|
tb->cs_base == desc->cs_base &&
|
|
|
|
tb->flags == desc->flags) {
|
|
|
|
/* check next page if needed */
|
|
|
|
if (tb->page_addr[1] == -1) {
|
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
tb_page_addr_t phys_page2;
|
|
|
|
target_ulong virt_page2;
|
|
|
|
|
|
|
|
virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
|
|
|
|
phys_page2 = get_page_addr_code(desc->env, virt_page2);
|
|
|
|
if (tb->page_addr[1] == phys_page2) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-03-03 01:56:29 +00:00
|
|
|
TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
|
|
|
|
target_ulong cs_base, uint32_t flags)
|
2018-02-24 04:50:26 +00:00
|
|
|
{
|
tb hash: hash phys_pc, pc, and flags with xxhash
For some workloads such as arm bootup, tb_phys_hash is performance-critical.
The is due to the high frequency of accesses to the hash table, originated
by (frequent) TLB flushes that wipe out the cpu-private tb_jmp_cache's.
More info:
https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg05098.html
To dig further into this I modified an arm image booting debian jessie to
immediately shut down after boot. Analysis revealed that quite a bit of time
is unnecessarily spent in tb_phys_hash: the cause is poor hashing that
results in very uneven loading of chains in the hash table's buckets;
the longest observed chain had ~550 elements.
The appended addresses this with two changes:
1) Use xxhash as the hash table's hash function. xxhash is a fast,
high-quality hashing function.
2) Feed the hashing function with not just tb_phys, but also pc and flags.
This improves performance over using just tb_phys for hashing, since that
resulted in some hash buckets having many TB's, while others getting very few;
with these changes, the longest observed chain on a single hash bucket is
brought down from ~550 to ~40.
Tests show that the other element checked for in tb_find_physical,
cs_base, is always a match when tb_phys+pc+flags are a match,
so hashing cs_base is wasteful. It could be that this is an ARM-only
thing, though. UPDATE:
On Tue, Apr 05, 2016 at 08:41:43 -0700, Richard Henderson wrote:
> The cs_base field is only used by i386 (in 16-bit modes), and sparc (for a TB
> consisting of only a delay slot).
> It may well still turn out to be reasonable to ignore cs_base for hashing.
BTW, after this change the hash table should not be called "tb_hash_phys"
anymore; this is addressed later in this series.
This change gives consistent bootup time improvements. I tested two
host machines:
- Intel Xeon E5-2690: 11.6% less time
- Intel i7-4790K: 19.2% less time
Increasing the number of hash buckets yields further improvements. However,
using a larger, fixed number of buckets can degrade performance for other
workloads that do not translate as many blocks (600K+ for debian-jessie arm
bootup). This is dealt with later in this series.
Backports commit 42bd32287f3a18d823f2258b813824a39ed7c6d9 from qemu
2018-02-24 22:45:39 +00:00
|
|
|
TCGContext *tcg_ctx = cpu->uc->tcg_ctx;
|
tb hash: track translated blocks with qht
Having a fixed-size hash table for keeping track of all translation blocks
is suboptimal: some workloads are just too big or too small to get maximum
performance from the hash table. The MRU promotion policy helps improve
performance when the hash table is a little undersized, but it cannot
make up for severely undersized hash tables.
Furthermore, frequent MRU promotions result in writes that are a scalability
bottleneck. For scalability, lookups should only perform reads, not writes.
This is not a big deal for now, but it will become one once MTTCG matures.
The appended fixes these issues by using qht as the implementation of
the TB hash table. This solution is superior to other alternatives considered,
namely:
- master: implementation in QEMU before this patchset
- xxhash: before this patch, i.e. fixed buckets + xxhash hashing + MRU.
- xxhash-rcu: fixed buckets + xxhash + RCU list + MRU.
MRU is implemented here by adding an intermediate struct
that contains the u32 hash and a pointer to the TB; this
allows us, on an MRU promotion, to copy said struct (that is not
at the head), and put this new copy at the head. After a grace
period, the original non-head struct can be eliminated, and
after another grace period, freed.
- qht-fixed-nomru: fixed buckets + xxhash + qht without auto-resize +
no MRU for lookups; MRU for inserts.
The appended solution is the following:
- qht-dyn-nomru: dynamic number of buckets + xxhash + qht w/ auto-resize +
no MRU for lookups; MRU for inserts.
The plots below compare the considered solutions. The Y axis shows the
boot time (in seconds) of a debian jessie image with arm-softmmu; the X axis
sweeps the number of buckets (or initial number of buckets for qht-autoresize).
The plots in PNG format (and with errorbars) can be seen here:
http://imgur.com/a/Awgnq
Each test runs 5 times, and the entire QEMU process is pinned to a
single core for repeatability of results.
Host: Intel Xeon E5-2690
28 ++------------+-------------+-------------+-------------+------------++
A***** + + + master **A*** +
27 ++ * xxhash ##B###++
| A******A****** xxhash-rcu $$C$$$ |
26 C$$ A******A****** qht-fixed-nomru*%%D%%%++
D%%$$ A******A******A*qht-dyn-mru A*E****A
25 ++ %%$$ qht-dyn-nomru &&F&&&++
B#####% |
24 ++ #C$$$$$ ++
| B### $ |
| ## C$$$$$$ |
23 ++ # C$$$$$$ ++
| B###### C$$$$$$ %%%D
22 ++ %B###### C$$$$$$C$$$$$$C$$$$$$C$$$$$$C$$$$$$C
| D%%%%%%B###### @E@@@@@@ %%%D%%%@@@E@@@@@@E
21 E@@@@@@E@@@@@@F&&&@@@E@@@&&&D%%%%%%B######B######B######B######B######B
+ E@@@ F&&& + E@ + F&&& + +
20 ++------------+-------------+-------------+-------------+------------++
14 16 18 20 22 24
log2 number of buckets
Host: Intel i7-4790K
14.5 ++------------+------------+-------------+------------+------------++
A** + + + master **A*** +
14 ++ ** xxhash ##B###++
13.5 ++ ** xxhash-rcu $$C$$$++
| qht-fixed-nomru %%D%%% |
13 ++ A****** qht-dyn-mru @@E@@@++
| A*****A******A****** qht-dyn-nomru &&F&&& |
12.5 C$$ A******A******A*****A****** ***A
12 ++ $$ A*** ++
D%%% $$ |
11.5 ++ %% ++
B### %C$$$$$$ |
11 ++ ## D%%%%% C$$$$$ ++
| # % C$$$$$$ |
10.5 F&&&&&&B######D%%%%% C$$$$$$C$$$$$$C$$$$$$C$$$$$C$$$$$$ $$$C
10 E@@@@@@E@@@@@@B#####B######B######E@@@@@@E@@@%%%D%%%%%D%%%###B######B
+ F&& D%%%%%%B######B######B#####B###@@@D%%% +
9.5 ++------------+------------+-------------+------------+------------++
14 16 18 20 22 24
log2 number of buckets
Note that the original point before this patch series is X=15 for "master";
the little sensitivity to the increased number of buckets is due to the
poor hashing function in master.
xxhash-rcu has significant overhead due to the constant churn of allocating
and deallocating intermediate structs for implementing MRU. An alternative
would be do consider failed lookups as "maybe not there", and then
acquire the external lock (tb_lock in this case) to really confirm that
there was indeed a failed lookup. This, however, would not be enough
to implement dynamic resizing--this is more complex: see
"Resizable, Scalable, Concurrent Hash Tables via Relativistic
Programming" by Triplett, McKenney and Walpole. This solution was
discarded due to the very coarse RCU read critical sections that we have
in MTTCG; resizing requires waiting for readers after every pointer update,
and resizes require many pointer updates, so this would quickly become
prohibitive.
qht-fixed-nomru shows that MRU promotion is advisable for undersized
hash tables.
However, qht-dyn-mru shows that MRU promotion is not important if the
hash table is properly sized: there is virtually no difference in
performance between qht-dyn-nomru and qht-dyn-mru.
Before this patch, we're at X=15 on "xxhash"; after this patch, we're at
X=15 @ qht-dyn-nomru. This patch thus matches the best performance that we
can achieve with optimum sizing of the hash table, while keeping the hash
table scalable for readers.
The improvement we get before and after this patch for booting debian jessie
with arm-softmmu is:
- Intel Xeon E5-2690: 10.5% less time
- Intel i7-4790K: 5.2% less time
We could get this same improvement _for this particular workload_ by
statically increasing the size of the hash table. But this would hurt
workloads that do not need a large hash table. The dynamic (upward)
resizing allows us to start small and enlarge the hash table as needed.
A quick note on downsizing: the table is resized back to 2**15 buckets
on every tb_flush; this makes sense because it is not guaranteed that the
table will reach the same number of TBs later on (e.g. most bootup code is
thrown away after boot); it makes sense to grow the hash table as
more code blocks are translated. This also avoids the complication of
having to build downsizing hysteresis logic into qht.
Backports commit 909eaac9bbc2ed4f3a82ce38e905b87d478a3e00 from qemu
2018-03-13 17:59:38 +00:00
|
|
|
tb_page_addr_t phys_pc;
|
|
|
|
struct tb_desc desc;
|
tb hash: hash phys_pc, pc, and flags with xxhash
For some workloads such as arm bootup, tb_phys_hash is performance-critical.
The is due to the high frequency of accesses to the hash table, originated
by (frequent) TLB flushes that wipe out the cpu-private tb_jmp_cache's.
More info:
https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg05098.html
To dig further into this I modified an arm image booting debian jessie to
immediately shut down after boot. Analysis revealed that quite a bit of time
is unnecessarily spent in tb_phys_hash: the cause is poor hashing that
results in very uneven loading of chains in the hash table's buckets;
the longest observed chain had ~550 elements.
The appended addresses this with two changes:
1) Use xxhash as the hash table's hash function. xxhash is a fast,
high-quality hashing function.
2) Feed the hashing function with not just tb_phys, but also pc and flags.
This improves performance over using just tb_phys for hashing, since that
resulted in some hash buckets having many TB's, while others getting very few;
with these changes, the longest observed chain on a single hash bucket is
brought down from ~550 to ~40.
Tests show that the other element checked for in tb_find_physical,
cs_base, is always a match when tb_phys+pc+flags are a match,
so hashing cs_base is wasteful. It could be that this is an ARM-only
thing, though. UPDATE:
On Tue, Apr 05, 2016 at 08:41:43 -0700, Richard Henderson wrote:
> The cs_base field is only used by i386 (in 16-bit modes), and sparc (for a TB
> consisting of only a delay slot).
> It may well still turn out to be reasonable to ignore cs_base for hashing.
BTW, after this change the hash table should not be called "tb_hash_phys"
anymore; this is addressed later in this series.
This change gives consistent bootup time improvements. I tested two
host machines:
- Intel Xeon E5-2690: 11.6% less time
- Intel i7-4790K: 19.2% less time
Increasing the number of hash buckets yields further improvements. However,
using a larger, fixed number of buckets can degrade performance for other
workloads that do not translate as many blocks (600K+ for debian-jessie arm
bootup). This is dealt with later in this series.
Backports commit 42bd32287f3a18d823f2258b813824a39ed7c6d9 from qemu
2018-02-24 22:45:39 +00:00
|
|
|
uint32_t h;
|
2018-02-24 04:50:26 +00:00
|
|
|
|
|
|
|
/* find translated block using physical mappings */
|
tb hash: track translated blocks with qht
Having a fixed-size hash table for keeping track of all translation blocks
is suboptimal: some workloads are just too big or too small to get maximum
performance from the hash table. The MRU promotion policy helps improve
performance when the hash table is a little undersized, but it cannot
make up for severely undersized hash tables.
Furthermore, frequent MRU promotions result in writes that are a scalability
bottleneck. For scalability, lookups should only perform reads, not writes.
This is not a big deal for now, but it will become one once MTTCG matures.
The appended fixes these issues by using qht as the implementation of
the TB hash table. This solution is superior to other alternatives considered,
namely:
- master: implementation in QEMU before this patchset
- xxhash: before this patch, i.e. fixed buckets + xxhash hashing + MRU.
- xxhash-rcu: fixed buckets + xxhash + RCU list + MRU.
MRU is implemented here by adding an intermediate struct
that contains the u32 hash and a pointer to the TB; this
allows us, on an MRU promotion, to copy said struct (that is not
at the head), and put this new copy at the head. After a grace
period, the original non-head struct can be eliminated, and
after another grace period, freed.
- qht-fixed-nomru: fixed buckets + xxhash + qht without auto-resize +
no MRU for lookups; MRU for inserts.
The appended solution is the following:
- qht-dyn-nomru: dynamic number of buckets + xxhash + qht w/ auto-resize +
no MRU for lookups; MRU for inserts.
The plots below compare the considered solutions. The Y axis shows the
boot time (in seconds) of a debian jessie image with arm-softmmu; the X axis
sweeps the number of buckets (or initial number of buckets for qht-autoresize).
The plots in PNG format (and with errorbars) can be seen here:
http://imgur.com/a/Awgnq
Each test runs 5 times, and the entire QEMU process is pinned to a
single core for repeatability of results.
Host: Intel Xeon E5-2690
28 ++------------+-------------+-------------+-------------+------------++
A***** + + + master **A*** +
27 ++ * xxhash ##B###++
| A******A****** xxhash-rcu $$C$$$ |
26 C$$ A******A****** qht-fixed-nomru*%%D%%%++
D%%$$ A******A******A*qht-dyn-mru A*E****A
25 ++ %%$$ qht-dyn-nomru &&F&&&++
B#####% |
24 ++ #C$$$$$ ++
| B### $ |
| ## C$$$$$$ |
23 ++ # C$$$$$$ ++
| B###### C$$$$$$ %%%D
22 ++ %B###### C$$$$$$C$$$$$$C$$$$$$C$$$$$$C$$$$$$C
| D%%%%%%B###### @E@@@@@@ %%%D%%%@@@E@@@@@@E
21 E@@@@@@E@@@@@@F&&&@@@E@@@&&&D%%%%%%B######B######B######B######B######B
+ E@@@ F&&& + E@ + F&&& + +
20 ++------------+-------------+-------------+-------------+------------++
14 16 18 20 22 24
log2 number of buckets
Host: Intel i7-4790K
14.5 ++------------+------------+-------------+------------+------------++
A** + + + master **A*** +
14 ++ ** xxhash ##B###++
13.5 ++ ** xxhash-rcu $$C$$$++
| qht-fixed-nomru %%D%%% |
13 ++ A****** qht-dyn-mru @@E@@@++
| A*****A******A****** qht-dyn-nomru &&F&&& |
12.5 C$$ A******A******A*****A****** ***A
12 ++ $$ A*** ++
D%%% $$ |
11.5 ++ %% ++
B### %C$$$$$$ |
11 ++ ## D%%%%% C$$$$$ ++
| # % C$$$$$$ |
10.5 F&&&&&&B######D%%%%% C$$$$$$C$$$$$$C$$$$$$C$$$$$C$$$$$$ $$$C
10 E@@@@@@E@@@@@@B#####B######B######E@@@@@@E@@@%%%D%%%%%D%%%###B######B
+ F&& D%%%%%%B######B######B#####B###@@@D%%% +
9.5 ++------------+------------+-------------+------------+------------++
14 16 18 20 22 24
log2 number of buckets
Note that the original point before this patch series is X=15 for "master";
the little sensitivity to the increased number of buckets is due to the
poor hashing function in master.
xxhash-rcu has significant overhead due to the constant churn of allocating
and deallocating intermediate structs for implementing MRU. An alternative
would be do consider failed lookups as "maybe not there", and then
acquire the external lock (tb_lock in this case) to really confirm that
there was indeed a failed lookup. This, however, would not be enough
to implement dynamic resizing--this is more complex: see
"Resizable, Scalable, Concurrent Hash Tables via Relativistic
Programming" by Triplett, McKenney and Walpole. This solution was
discarded due to the very coarse RCU read critical sections that we have
in MTTCG; resizing requires waiting for readers after every pointer update,
and resizes require many pointer updates, so this would quickly become
prohibitive.
qht-fixed-nomru shows that MRU promotion is advisable for undersized
hash tables.
However, qht-dyn-mru shows that MRU promotion is not important if the
hash table is properly sized: there is virtually no difference in
performance between qht-dyn-nomru and qht-dyn-mru.
Before this patch, we're at X=15 on "xxhash"; after this patch, we're at
X=15 @ qht-dyn-nomru. This patch thus matches the best performance that we
can achieve with optimum sizing of the hash table, while keeping the hash
table scalable for readers.
The improvement we get before and after this patch for booting debian jessie
with arm-softmmu is:
- Intel Xeon E5-2690: 10.5% less time
- Intel i7-4790K: 5.2% less time
We could get this same improvement _for this particular workload_ by
statically increasing the size of the hash table. But this would hurt
workloads that do not need a large hash table. The dynamic (upward)
resizing allows us to start small and enlarge the hash table as needed.
A quick note on downsizing: the table is resized back to 2**15 buckets
on every tb_flush; this makes sense because it is not guaranteed that the
table will reach the same number of TBs later on (e.g. most bootup code is
thrown away after boot); it makes sense to grow the hash table as
more code blocks are translated. This also avoids the complication of
having to build downsizing hysteresis logic into qht.
Backports commit 909eaac9bbc2ed4f3a82ce38e905b87d478a3e00 from qemu
2018-03-13 17:59:38 +00:00
|
|
|
desc.env = (CPUArchState *)cpu->env_ptr;
|
|
|
|
desc.cs_base = cs_base;
|
|
|
|
desc.flags = flags;
|
|
|
|
desc.pc = pc;
|
|
|
|
phys_pc = get_page_addr_code(desc.env, pc);
|
|
|
|
desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
|
tb hash: hash phys_pc, pc, and flags with xxhash
For some workloads such as arm bootup, tb_phys_hash is performance-critical.
The is due to the high frequency of accesses to the hash table, originated
by (frequent) TLB flushes that wipe out the cpu-private tb_jmp_cache's.
More info:
https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg05098.html
To dig further into this I modified an arm image booting debian jessie to
immediately shut down after boot. Analysis revealed that quite a bit of time
is unnecessarily spent in tb_phys_hash: the cause is poor hashing that
results in very uneven loading of chains in the hash table's buckets;
the longest observed chain had ~550 elements.
The appended addresses this with two changes:
1) Use xxhash as the hash table's hash function. xxhash is a fast,
high-quality hashing function.
2) Feed the hashing function with not just tb_phys, but also pc and flags.
This improves performance over using just tb_phys for hashing, since that
resulted in some hash buckets having many TB's, while others getting very few;
with these changes, the longest observed chain on a single hash bucket is
brought down from ~550 to ~40.
Tests show that the other element checked for in tb_find_physical,
cs_base, is always a match when tb_phys+pc+flags are a match,
so hashing cs_base is wasteful. It could be that this is an ARM-only
thing, though. UPDATE:
On Tue, Apr 05, 2016 at 08:41:43 -0700, Richard Henderson wrote:
> The cs_base field is only used by i386 (in 16-bit modes), and sparc (for a TB
> consisting of only a delay slot).
> It may well still turn out to be reasonable to ignore cs_base for hashing.
BTW, after this change the hash table should not be called "tb_hash_phys"
anymore; this is addressed later in this series.
This change gives consistent bootup time improvements. I tested two
host machines:
- Intel Xeon E5-2690: 11.6% less time
- Intel i7-4790K: 19.2% less time
Increasing the number of hash buckets yields further improvements. However,
using a larger, fixed number of buckets can degrade performance for other
workloads that do not translate as many blocks (600K+ for debian-jessie arm
bootup). This is dealt with later in this series.
Backports commit 42bd32287f3a18d823f2258b813824a39ed7c6d9 from qemu
2018-02-24 22:45:39 +00:00
|
|
|
h = tb_hash_func(phys_pc, pc, flags);
|
|
|
|
|
tb hash: track translated blocks with qht
Having a fixed-size hash table for keeping track of all translation blocks
is suboptimal: some workloads are just too big or too small to get maximum
performance from the hash table. The MRU promotion policy helps improve
performance when the hash table is a little undersized, but it cannot
make up for severely undersized hash tables.
Furthermore, frequent MRU promotions result in writes that are a scalability
bottleneck. For scalability, lookups should only perform reads, not writes.
This is not a big deal for now, but it will become one once MTTCG matures.
The appended fixes these issues by using qht as the implementation of
the TB hash table. This solution is superior to other alternatives considered,
namely:
- master: implementation in QEMU before this patchset
- xxhash: before this patch, i.e. fixed buckets + xxhash hashing + MRU.
- xxhash-rcu: fixed buckets + xxhash + RCU list + MRU.
MRU is implemented here by adding an intermediate struct
that contains the u32 hash and a pointer to the TB; this
allows us, on an MRU promotion, to copy said struct (that is not
at the head), and put this new copy at the head. After a grace
period, the original non-head struct can be eliminated, and
after another grace period, freed.
- qht-fixed-nomru: fixed buckets + xxhash + qht without auto-resize +
no MRU for lookups; MRU for inserts.
The appended solution is the following:
- qht-dyn-nomru: dynamic number of buckets + xxhash + qht w/ auto-resize +
no MRU for lookups; MRU for inserts.
The plots below compare the considered solutions. The Y axis shows the
boot time (in seconds) of a debian jessie image with arm-softmmu; the X axis
sweeps the number of buckets (or initial number of buckets for qht-autoresize).
The plots in PNG format (and with errorbars) can be seen here:
http://imgur.com/a/Awgnq
Each test runs 5 times, and the entire QEMU process is pinned to a
single core for repeatability of results.
Host: Intel Xeon E5-2690
28 ++------------+-------------+-------------+-------------+------------++
A***** + + + master **A*** +
27 ++ * xxhash ##B###++
| A******A****** xxhash-rcu $$C$$$ |
26 C$$ A******A****** qht-fixed-nomru*%%D%%%++
D%%$$ A******A******A*qht-dyn-mru A*E****A
25 ++ %%$$ qht-dyn-nomru &&F&&&++
B#####% |
24 ++ #C$$$$$ ++
| B### $ |
| ## C$$$$$$ |
23 ++ # C$$$$$$ ++
| B###### C$$$$$$ %%%D
22 ++ %B###### C$$$$$$C$$$$$$C$$$$$$C$$$$$$C$$$$$$C
| D%%%%%%B###### @E@@@@@@ %%%D%%%@@@E@@@@@@E
21 E@@@@@@E@@@@@@F&&&@@@E@@@&&&D%%%%%%B######B######B######B######B######B
+ E@@@ F&&& + E@ + F&&& + +
20 ++------------+-------------+-------------+-------------+------------++
14 16 18 20 22 24
log2 number of buckets
Host: Intel i7-4790K
14.5 ++------------+------------+-------------+------------+------------++
A** + + + master **A*** +
14 ++ ** xxhash ##B###++
13.5 ++ ** xxhash-rcu $$C$$$++
| qht-fixed-nomru %%D%%% |
13 ++ A****** qht-dyn-mru @@E@@@++
| A*****A******A****** qht-dyn-nomru &&F&&& |
12.5 C$$ A******A******A*****A****** ***A
12 ++ $$ A*** ++
D%%% $$ |
11.5 ++ %% ++
B### %C$$$$$$ |
11 ++ ## D%%%%% C$$$$$ ++
| # % C$$$$$$ |
10.5 F&&&&&&B######D%%%%% C$$$$$$C$$$$$$C$$$$$$C$$$$$C$$$$$$ $$$C
10 E@@@@@@E@@@@@@B#####B######B######E@@@@@@E@@@%%%D%%%%%D%%%###B######B
+ F&& D%%%%%%B######B######B#####B###@@@D%%% +
9.5 ++------------+------------+-------------+------------+------------++
14 16 18 20 22 24
log2 number of buckets
Note that the original point before this patch series is X=15 for "master";
the little sensitivity to the increased number of buckets is due to the
poor hashing function in master.
xxhash-rcu has significant overhead due to the constant churn of allocating
and deallocating intermediate structs for implementing MRU. An alternative
would be do consider failed lookups as "maybe not there", and then
acquire the external lock (tb_lock in this case) to really confirm that
there was indeed a failed lookup. This, however, would not be enough
to implement dynamic resizing--this is more complex: see
"Resizable, Scalable, Concurrent Hash Tables via Relativistic
Programming" by Triplett, McKenney and Walpole. This solution was
discarded due to the very coarse RCU read critical sections that we have
in MTTCG; resizing requires waiting for readers after every pointer update,
and resizes require many pointer updates, so this would quickly become
prohibitive.
qht-fixed-nomru shows that MRU promotion is advisable for undersized
hash tables.
However, qht-dyn-mru shows that MRU promotion is not important if the
hash table is properly sized: there is virtually no difference in
performance between qht-dyn-nomru and qht-dyn-mru.
Before this patch, we're at X=15 on "xxhash"; after this patch, we're at
X=15 @ qht-dyn-nomru. This patch thus matches the best performance that we
can achieve with optimum sizing of the hash table, while keeping the hash
table scalable for readers.
The improvement we get before and after this patch for booting debian jessie
with arm-softmmu is:
- Intel Xeon E5-2690: 10.5% less time
- Intel i7-4790K: 5.2% less time
We could get this same improvement _for this particular workload_ by
statically increasing the size of the hash table. But this would hurt
workloads that do not need a large hash table. The dynamic (upward)
resizing allows us to start small and enlarge the hash table as needed.
A quick note on downsizing: the table is resized back to 2**15 buckets
on every tb_flush; this makes sense because it is not guaranteed that the
table will reach the same number of TBs later on (e.g. most bootup code is
thrown away after boot); it makes sense to grow the hash table as
more code blocks are translated. This also avoids the complication of
having to build downsizing hysteresis logic into qht.
Backports commit 909eaac9bbc2ed4f3a82ce38e905b87d478a3e00 from qemu
2018-03-13 17:59:38 +00:00
|
|
|
return qht_lookup(&tcg_ctx->tb_ctx.htable, tb_cmp, &desc, h);
|
tb hash: hash phys_pc, pc, and flags with xxhash
For some workloads such as arm bootup, tb_phys_hash is performance-critical.
The is due to the high frequency of accesses to the hash table, originated
by (frequent) TLB flushes that wipe out the cpu-private tb_jmp_cache's.
More info:
https://lists.nongnu.org/archive/html/qemu-devel/2016-03/msg05098.html
To dig further into this I modified an arm image booting debian jessie to
immediately shut down after boot. Analysis revealed that quite a bit of time
is unnecessarily spent in tb_phys_hash: the cause is poor hashing that
results in very uneven loading of chains in the hash table's buckets;
the longest observed chain had ~550 elements.
The appended addresses this with two changes:
1) Use xxhash as the hash table's hash function. xxhash is a fast,
high-quality hashing function.
2) Feed the hashing function with not just tb_phys, but also pc and flags.
This improves performance over using just tb_phys for hashing, since that
resulted in some hash buckets having many TB's, while others getting very few;
with these changes, the longest observed chain on a single hash bucket is
brought down from ~550 to ~40.
Tests show that the other element checked for in tb_find_physical,
cs_base, is always a match when tb_phys+pc+flags are a match,
so hashing cs_base is wasteful. It could be that this is an ARM-only
thing, though. UPDATE:
On Tue, Apr 05, 2016 at 08:41:43 -0700, Richard Henderson wrote:
> The cs_base field is only used by i386 (in 16-bit modes), and sparc (for a TB
> consisting of only a delay slot).
> It may well still turn out to be reasonable to ignore cs_base for hashing.
BTW, after this change the hash table should not be called "tb_hash_phys"
anymore; this is addressed later in this series.
This change gives consistent bootup time improvements. I tested two
host machines:
- Intel Xeon E5-2690: 11.6% less time
- Intel i7-4790K: 19.2% less time
Increasing the number of hash buckets yields further improvements. However,
using a larger, fixed number of buckets can degrade performance for other
workloads that do not translate as many blocks (600K+ for debian-jessie arm
bootup). This is dealt with later in this series.
Backports commit 42bd32287f3a18d823f2258b813824a39ed7c6d9 from qemu
2018-02-24 22:45:39 +00:00
|
|
|
}
|
|
|
|
|
2018-03-05 02:47:57 +00:00
|
|
|
void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
|
|
|
|
{
|
|
|
|
if (TCG_TARGET_HAS_direct_jump) {
|
|
|
|
uintptr_t offset = tb->jmp_target_arg[n];
|
2018-03-05 07:57:19 +00:00
|
|
|
uintptr_t tc_ptr = (uintptr_t)tb->tc.ptr;
|
2018-03-05 02:47:57 +00:00
|
|
|
tb_target_set_jmp_target(tc_ptr, tc_ptr + offset, addr);
|
|
|
|
} else {
|
|
|
|
tb->jmp_target_arg[n] = addr;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Called with tb_lock held. */
|
|
|
|
static inline void tb_add_jump(TranslationBlock *tb, int n,
|
|
|
|
TranslationBlock *tb_next)
|
|
|
|
{
|
|
|
|
assert(n < ARRAY_SIZE(tb->jmp_list_next));
|
|
|
|
if (tb->jmp_list_next[n]) {
|
|
|
|
/* Another thread has already done this while we were
|
|
|
|
* outside of the lock; nothing to do in this case */
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
qemu_log_mask_and_addr(CPU_LOG_EXEC, tb->pc,
|
|
|
|
"Linking TBs %p [" TARGET_FMT_lx
|
|
|
|
"] index %d -> %p [" TARGET_FMT_lx "]\n",
|
2018-03-05 07:57:19 +00:00
|
|
|
tb->tc.ptr, tb->pc, n,
|
|
|
|
tb_next->tc.ptr, tb_next->pc);
|
2018-03-05 02:47:57 +00:00
|
|
|
|
|
|
|
/* patch the native jump address */
|
2018-03-05 07:57:19 +00:00
|
|
|
tb_set_jmp_target(tb, n, (uintptr_t)tb_next->tc.ptr);
|
2018-03-05 02:47:57 +00:00
|
|
|
|
|
|
|
/* add in TB jmp circular list */
|
|
|
|
tb->jmp_list_next[n] = tb_next->jmp_list_first;
|
|
|
|
tb_next->jmp_list_first = (uintptr_t)tb | n;
|
|
|
|
}
|
|
|
|
|
2018-02-26 07:05:14 +00:00
|
|
|
static inline TranslationBlock *tb_find(CPUState *cpu,
|
|
|
|
TranslationBlock *last_tb,
|
|
|
|
int tb_exit)
|
2018-02-24 04:50:26 +00:00
|
|
|
{
|
|
|
|
TranslationBlock *tb;
|
|
|
|
target_ulong cs_base, pc;
|
|
|
|
uint32_t flags;
|
2018-03-05 07:09:40 +00:00
|
|
|
bool acquired_tb_lock = false;
|
2018-02-24 04:50:26 +00:00
|
|
|
|
tcg: consolidate TB lookups in tb_lookup__cpu_state
This avoids duplicating code. cpu_exec_step will also use the
new common function once we integrate parallel_cpus into tb->cflags.
Note that in this commit we also fix a race, described by Richard Henderson
during review. Think of this scenario with threads A and B:
(A) Lookup succeeds for TB in hash without tb_lock
(B) Sets the TB's tb->invalid flag
(B) Removes the TB from tb_htable
(B) Clears all CPU's tb_jmp_cache
(A) Store TB into local tb_jmp_cache
Given that order of events, (A) will keep executing that invalid TB until
another flush of its tb_jmp_cache happens, which in theory might never happen.
We can fix this by checking the tb->invalid flag every time we look up a TB
from tb_jmp_cache, so that in the above scenario, next time we try to find
that TB in tb_jmp_cache, we won't, and will therefore be forced to look it
up in tb_htable.
Performance-wise, I measured a small improvement when booting debian-arm.
Note that inlining pays off:
Performance counter stats for 'taskset -c 0 qemu-system-arm \
-machine type=virt -nographic -smp 1 -m 4096 \
-netdev user,id=unet,hostfwd=tcp::2222-:22 \
-device virtio-net-device,netdev=unet \
-drive file=jessie.qcow2,id=myblock,index=0,if=none \
-device virtio-blk-device,drive=myblock \
-kernel kernel.img -append console=ttyAMA0 root=/dev/vda1 \
-name arm,debug-threads=on -smp 1' (10 runs):
Before:
18714.917392 task-clock # 0.952 CPUs utilized ( +- 0.95% )
23,142 context-switches # 0.001 M/sec ( +- 0.50% )
1 CPU-migrations # 0.000 M/sec
10,558 page-faults # 0.001 M/sec ( +- 0.95% )
53,957,727,252 cycles # 2.883 GHz ( +- 0.91% ) [83.33%]
24,440,599,852 stalled-cycles-frontend # 45.30% frontend cycles idle ( +- 1.20% ) [83.33%]
16,495,714,424 stalled-cycles-backend # 30.57% backend cycles idle ( +- 0.95% ) [66.66%]
76,267,572,582 instructions # 1.41 insns per cycle
12,692,186,323 branches # 678.186 M/sec ( +- 0.92% ) [83.35%]
263,486,879 branch-misses # 2.08% of all branches ( +- 0.73% ) [83.34%]
19.648474449 seconds time elapsed ( +- 0.82% )
After, w/ inline (this patch):
18471.376627 task-clock # 0.955 CPUs utilized ( +- 0.96% )
23,048 context-switches # 0.001 M/sec ( +- 0.48% )
1 CPU-migrations # 0.000 M/sec
10,708 page-faults # 0.001 M/sec ( +- 0.81% )
53,208,990,796 cycles # 2.881 GHz ( +- 0.98% ) [83.34%]
23,941,071,673 stalled-cycles-frontend # 44.99% frontend cycles idle ( +- 0.95% ) [83.34%]
16,161,773,848 stalled-cycles-backend # 30.37% backend cycles idle ( +- 0.76% ) [66.67%]
75,786,269,766 instructions # 1.42 insns per cycle
12,573,617,143 branches # 680.708 M/sec ( +- 1.34% ) [83.33%]
260,235,550 branch-misses # 2.07% of all branches ( +- 0.66% ) [83.33%]
19.340502161 seconds time elapsed ( +- 0.56% )
After, w/o inline:
18791.253967 task-clock # 0.954 CPUs utilized ( +- 0.78% )
23,230 context-switches # 0.001 M/sec ( +- 0.42% )
1 CPU-migrations # 0.000 M/sec
10,563 page-faults # 0.001 M/sec ( +- 1.27% )
54,168,674,622 cycles # 2.883 GHz ( +- 0.80% ) [83.34%]
24,244,712,629 stalled-cycles-frontend # 44.76% frontend cycles idle ( +- 1.37% ) [83.33%]
16,288,648,572 stalled-cycles-backend # 30.07% backend cycles idle ( +- 0.95% ) [66.66%]
77,659,755,503 instructions # 1.43 insns per cycle
12,922,780,045 branches # 687.702 M/sec ( +- 1.06% ) [83.34%]
261,962,386 branch-misses # 2.03% of all branches ( +- 0.71% ) [83.35%]
19.700174670 seconds time elapsed ( +- 0.56% )
Backports commit f6bb84d53110398f4899c19dab4e0fe9908ec060 from qemu
2018-03-05 07:41:31 +00:00
|
|
|
tb = tb_lookup__cpu_state(cpu, &pc, &cs_base, &flags);
|
|
|
|
if (tb == NULL) {
|
|
|
|
/* mmap_lock is needed by tb_gen_code, and mmap_lock must be
|
|
|
|
* taken outside tb_lock. As system emulation is currently
|
|
|
|
* single threaded the locks are NOPs.
|
|
|
|
*/
|
|
|
|
mmap_lock();
|
|
|
|
//tb_lock();
|
|
|
|
acquired_tb_lock = true;
|
2018-02-26 07:05:14 +00:00
|
|
|
|
tcg: consolidate TB lookups in tb_lookup__cpu_state
This avoids duplicating code. cpu_exec_step will also use the
new common function once we integrate parallel_cpus into tb->cflags.
Note that in this commit we also fix a race, described by Richard Henderson
during review. Think of this scenario with threads A and B:
(A) Lookup succeeds for TB in hash without tb_lock
(B) Sets the TB's tb->invalid flag
(B) Removes the TB from tb_htable
(B) Clears all CPU's tb_jmp_cache
(A) Store TB into local tb_jmp_cache
Given that order of events, (A) will keep executing that invalid TB until
another flush of its tb_jmp_cache happens, which in theory might never happen.
We can fix this by checking the tb->invalid flag every time we look up a TB
from tb_jmp_cache, so that in the above scenario, next time we try to find
that TB in tb_jmp_cache, we won't, and will therefore be forced to look it
up in tb_htable.
Performance-wise, I measured a small improvement when booting debian-arm.
Note that inlining pays off:
Performance counter stats for 'taskset -c 0 qemu-system-arm \
-machine type=virt -nographic -smp 1 -m 4096 \
-netdev user,id=unet,hostfwd=tcp::2222-:22 \
-device virtio-net-device,netdev=unet \
-drive file=jessie.qcow2,id=myblock,index=0,if=none \
-device virtio-blk-device,drive=myblock \
-kernel kernel.img -append console=ttyAMA0 root=/dev/vda1 \
-name arm,debug-threads=on -smp 1' (10 runs):
Before:
18714.917392 task-clock # 0.952 CPUs utilized ( +- 0.95% )
23,142 context-switches # 0.001 M/sec ( +- 0.50% )
1 CPU-migrations # 0.000 M/sec
10,558 page-faults # 0.001 M/sec ( +- 0.95% )
53,957,727,252 cycles # 2.883 GHz ( +- 0.91% ) [83.33%]
24,440,599,852 stalled-cycles-frontend # 45.30% frontend cycles idle ( +- 1.20% ) [83.33%]
16,495,714,424 stalled-cycles-backend # 30.57% backend cycles idle ( +- 0.95% ) [66.66%]
76,267,572,582 instructions # 1.41 insns per cycle
12,692,186,323 branches # 678.186 M/sec ( +- 0.92% ) [83.35%]
263,486,879 branch-misses # 2.08% of all branches ( +- 0.73% ) [83.34%]
19.648474449 seconds time elapsed ( +- 0.82% )
After, w/ inline (this patch):
18471.376627 task-clock # 0.955 CPUs utilized ( +- 0.96% )
23,048 context-switches # 0.001 M/sec ( +- 0.48% )
1 CPU-migrations # 0.000 M/sec
10,708 page-faults # 0.001 M/sec ( +- 0.81% )
53,208,990,796 cycles # 2.881 GHz ( +- 0.98% ) [83.34%]
23,941,071,673 stalled-cycles-frontend # 44.99% frontend cycles idle ( +- 0.95% ) [83.34%]
16,161,773,848 stalled-cycles-backend # 30.37% backend cycles idle ( +- 0.76% ) [66.67%]
75,786,269,766 instructions # 1.42 insns per cycle
12,573,617,143 branches # 680.708 M/sec ( +- 1.34% ) [83.33%]
260,235,550 branch-misses # 2.07% of all branches ( +- 0.66% ) [83.33%]
19.340502161 seconds time elapsed ( +- 0.56% )
After, w/o inline:
18791.253967 task-clock # 0.954 CPUs utilized ( +- 0.78% )
23,230 context-switches # 0.001 M/sec ( +- 0.42% )
1 CPU-migrations # 0.000 M/sec
10,563 page-faults # 0.001 M/sec ( +- 1.27% )
54,168,674,622 cycles # 2.883 GHz ( +- 0.80% ) [83.34%]
24,244,712,629 stalled-cycles-frontend # 44.76% frontend cycles idle ( +- 1.37% ) [83.33%]
16,288,648,572 stalled-cycles-backend # 30.07% backend cycles idle ( +- 0.95% ) [66.66%]
77,659,755,503 instructions # 1.43 insns per cycle
12,922,780,045 branches # 687.702 M/sec ( +- 1.06% ) [83.34%]
261,962,386 branch-misses # 2.03% of all branches ( +- 0.71% ) [83.35%]
19.700174670 seconds time elapsed ( +- 0.56% )
Backports commit f6bb84d53110398f4899c19dab4e0fe9908ec060 from qemu
2018-03-05 07:41:31 +00:00
|
|
|
/* There's a chance that our desired tb has been translated while
|
|
|
|
* taking the locks so we check again inside the lock.
|
|
|
|
*/
|
|
|
|
tb = tb_htable_lookup(cpu, pc, cs_base, flags);
|
|
|
|
if (likely(tb == NULL)) {
|
|
|
|
/* if no translated code available, then translate it now */
|
|
|
|
tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
|
2018-02-26 07:05:14 +00:00
|
|
|
}
|
|
|
|
|
tcg: consolidate TB lookups in tb_lookup__cpu_state
This avoids duplicating code. cpu_exec_step will also use the
new common function once we integrate parallel_cpus into tb->cflags.
Note that in this commit we also fix a race, described by Richard Henderson
during review. Think of this scenario with threads A and B:
(A) Lookup succeeds for TB in hash without tb_lock
(B) Sets the TB's tb->invalid flag
(B) Removes the TB from tb_htable
(B) Clears all CPU's tb_jmp_cache
(A) Store TB into local tb_jmp_cache
Given that order of events, (A) will keep executing that invalid TB until
another flush of its tb_jmp_cache happens, which in theory might never happen.
We can fix this by checking the tb->invalid flag every time we look up a TB
from tb_jmp_cache, so that in the above scenario, next time we try to find
that TB in tb_jmp_cache, we won't, and will therefore be forced to look it
up in tb_htable.
Performance-wise, I measured a small improvement when booting debian-arm.
Note that inlining pays off:
Performance counter stats for 'taskset -c 0 qemu-system-arm \
-machine type=virt -nographic -smp 1 -m 4096 \
-netdev user,id=unet,hostfwd=tcp::2222-:22 \
-device virtio-net-device,netdev=unet \
-drive file=jessie.qcow2,id=myblock,index=0,if=none \
-device virtio-blk-device,drive=myblock \
-kernel kernel.img -append console=ttyAMA0 root=/dev/vda1 \
-name arm,debug-threads=on -smp 1' (10 runs):
Before:
18714.917392 task-clock # 0.952 CPUs utilized ( +- 0.95% )
23,142 context-switches # 0.001 M/sec ( +- 0.50% )
1 CPU-migrations # 0.000 M/sec
10,558 page-faults # 0.001 M/sec ( +- 0.95% )
53,957,727,252 cycles # 2.883 GHz ( +- 0.91% ) [83.33%]
24,440,599,852 stalled-cycles-frontend # 45.30% frontend cycles idle ( +- 1.20% ) [83.33%]
16,495,714,424 stalled-cycles-backend # 30.57% backend cycles idle ( +- 0.95% ) [66.66%]
76,267,572,582 instructions # 1.41 insns per cycle
12,692,186,323 branches # 678.186 M/sec ( +- 0.92% ) [83.35%]
263,486,879 branch-misses # 2.08% of all branches ( +- 0.73% ) [83.34%]
19.648474449 seconds time elapsed ( +- 0.82% )
After, w/ inline (this patch):
18471.376627 task-clock # 0.955 CPUs utilized ( +- 0.96% )
23,048 context-switches # 0.001 M/sec ( +- 0.48% )
1 CPU-migrations # 0.000 M/sec
10,708 page-faults # 0.001 M/sec ( +- 0.81% )
53,208,990,796 cycles # 2.881 GHz ( +- 0.98% ) [83.34%]
23,941,071,673 stalled-cycles-frontend # 44.99% frontend cycles idle ( +- 0.95% ) [83.34%]
16,161,773,848 stalled-cycles-backend # 30.37% backend cycles idle ( +- 0.76% ) [66.67%]
75,786,269,766 instructions # 1.42 insns per cycle
12,573,617,143 branches # 680.708 M/sec ( +- 1.34% ) [83.33%]
260,235,550 branch-misses # 2.07% of all branches ( +- 0.66% ) [83.33%]
19.340502161 seconds time elapsed ( +- 0.56% )
After, w/o inline:
18791.253967 task-clock # 0.954 CPUs utilized ( +- 0.78% )
23,230 context-switches # 0.001 M/sec ( +- 0.42% )
1 CPU-migrations # 0.000 M/sec
10,563 page-faults # 0.001 M/sec ( +- 1.27% )
54,168,674,622 cycles # 2.883 GHz ( +- 0.80% ) [83.34%]
24,244,712,629 stalled-cycles-frontend # 44.76% frontend cycles idle ( +- 1.37% ) [83.33%]
16,288,648,572 stalled-cycles-backend # 30.07% backend cycles idle ( +- 0.95% ) [66.66%]
77,659,755,503 instructions # 1.43 insns per cycle
12,922,780,045 branches # 687.702 M/sec ( +- 1.06% ) [83.34%]
261,962,386 branch-misses # 2.03% of all branches ( +- 0.71% ) [83.35%]
19.700174670 seconds time elapsed ( +- 0.56% )
Backports commit f6bb84d53110398f4899c19dab4e0fe9908ec060 from qemu
2018-03-05 07:41:31 +00:00
|
|
|
mmap_unlock();
|
|
|
|
|
2018-02-26 07:05:14 +00:00
|
|
|
/* We add the TB in the virtual pc hash table for the fast lookup */
|
|
|
|
atomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
|
2018-02-24 04:50:26 +00:00
|
|
|
}
|
2018-02-24 08:24:40 +00:00
|
|
|
#ifndef CONFIG_USER_ONLY
|
|
|
|
/* We don't take care of direct jumps when address mapping changes in
|
|
|
|
* system emulation. So it's not safe to make a direct jump to a TB
|
|
|
|
* spanning two pages because the mapping for the second page can change.
|
|
|
|
*/
|
|
|
|
if (tb->page_addr[1] != -1) {
|
2018-02-26 04:23:14 +00:00
|
|
|
last_tb = NULL;
|
2018-02-24 08:24:40 +00:00
|
|
|
}
|
|
|
|
#endif
|
2018-02-24 04:50:26 +00:00
|
|
|
/* See if we can patch the calling TB. */
|
2018-02-26 04:23:14 +00:00
|
|
|
if (last_tb && !qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
|
2018-03-05 07:09:40 +00:00
|
|
|
if (!acquired_tb_lock) {
|
2018-02-26 07:01:33 +00:00
|
|
|
// Unicorn: commented out
|
|
|
|
//tb_lock();
|
2018-03-05 07:09:40 +00:00
|
|
|
acquired_tb_lock = true;
|
2018-02-26 07:01:33 +00:00
|
|
|
}
|
2018-02-26 04:33:51 +00:00
|
|
|
/* Check if translation buffer has been flushed */
|
|
|
|
if (cpu->tb_flushed) {
|
|
|
|
cpu->tb_flushed = false;
|
2018-03-05 07:46:17 +00:00
|
|
|
} else if (!(tb->cflags & CF_INVALID)) {
|
2018-02-26 04:33:51 +00:00
|
|
|
tb_add_jump(last_tb, tb_exit, tb);
|
|
|
|
}
|
2018-02-26 07:01:33 +00:00
|
|
|
}
|
2018-03-05 07:09:40 +00:00
|
|
|
if (acquired_tb_lock) {
|
2018-02-26 06:58:27 +00:00
|
|
|
// Unicorn: commented out
|
|
|
|
//tb_unlock();
|
2018-02-24 04:50:26 +00:00
|
|
|
}
|
|
|
|
return tb;
|
|
|
|
}
|
|
|
|
|
2018-02-24 04:53:15 +00:00
|
|
|
static inline bool cpu_handle_halt(CPUState *cpu)
|
|
|
|
{
|
|
|
|
if (cpu->halted) {
|
|
|
|
if (!cpu_has_work(cpu)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
cpu->halted = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-02-24 05:02:28 +00:00
|
|
|
static inline void cpu_handle_debug_exception(CPUState *cpu)
|
2018-02-24 04:50:26 +00:00
|
|
|
{
|
|
|
|
CPUClass *cc = CPU_GET_CLASS(cpu->uc, cpu);
|
|
|
|
CPUWatchpoint *wp;
|
|
|
|
|
|
|
|
if (!cpu->watchpoint_hit) {
|
|
|
|
QTAILQ_FOREACH(wp, &cpu->watchpoints, entry) {
|
|
|
|
wp->flags &= ~BP_WATCHPOINT_HIT;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
cc->debug_excp_handler(cpu);
|
|
|
|
}
|
2015-08-21 07:04:50 +00:00
|
|
|
|
2018-02-24 05:02:28 +00:00
|
|
|
static inline bool cpu_handle_exception(struct uc_struct *uc, CPUState *cpu, int *ret)
|
|
|
|
{
|
|
|
|
struct hook *hook;
|
|
|
|
|
|
|
|
if (cpu->exception_index >= 0) {
|
|
|
|
if (uc->stop_interrupt && uc->stop_interrupt(cpu->exception_index)) {
|
|
|
|
cpu->halted = 1;
|
|
|
|
uc->invalid_error = UC_ERR_INSN_INVALID;
|
|
|
|
*ret = EXCP_HLT;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cpu->exception_index >= EXCP_INTERRUPT) {
|
|
|
|
/* exit request from the cpu execution loop */
|
|
|
|
*ret = cpu->exception_index;
|
|
|
|
if (*ret == EXCP_DEBUG) {
|
|
|
|
cpu_handle_debug_exception(cpu);
|
|
|
|
}
|
|
|
|
cpu->exception_index = -1;
|
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
#if defined(CONFIG_USER_ONLY)
|
|
|
|
/* if user mode only, we simulate a fake exception
|
|
|
|
which will be handled outside the cpu execution
|
|
|
|
loop */
|
|
|
|
#if defined(TARGET_I386)
|
2018-03-12 18:58:03 +00:00
|
|
|
CPUClass *cc = CPU_GET_CLASS(uc, cpu);
|
2018-02-24 05:02:28 +00:00
|
|
|
cc->do_interrupt(cpu);
|
|
|
|
#endif
|
|
|
|
*ret = cpu->exception_index;
|
|
|
|
cpu->exception_index = -1;
|
|
|
|
return true;
|
|
|
|
#else
|
|
|
|
bool catched = false;
|
|
|
|
// Unicorn: call registered interrupt callbacks
|
|
|
|
HOOK_FOREACH_VAR_DECLARE;
|
|
|
|
HOOK_FOREACH(uc, hook, UC_HOOK_INTR) {
|
|
|
|
((uc_cb_hookintr_t)hook->callback)(uc, cpu->exception_index, hook->user_data);
|
|
|
|
catched = true;
|
|
|
|
}
|
|
|
|
// Unicorn: If un-catched interrupt, stop executions.
|
|
|
|
if (!catched) {
|
|
|
|
cpu->halted = 1;
|
|
|
|
uc->invalid_error = UC_ERR_EXCEPTION;
|
|
|
|
*ret = EXCP_HLT;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
cpu->exception_index = -1;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2018-03-02 13:03:17 +00:00
|
|
|
static inline bool cpu_handle_interrupt(CPUState *cpu,
|
2018-02-24 05:08:24 +00:00
|
|
|
TranslationBlock **last_tb)
|
|
|
|
{
|
|
|
|
CPUClass *cc = CPU_GET_CLASS(cpu->uc, cpu);
|
|
|
|
int interrupt_request = cpu->interrupt_request;
|
|
|
|
|
|
|
|
if (unlikely(interrupt_request)) {
|
|
|
|
if (unlikely(cpu->singlestep_enabled & SSTEP_NOIRQ)) {
|
|
|
|
/* Mask out external interrupts for this step. */
|
|
|
|
interrupt_request &= ~CPU_INTERRUPT_SSTEP_MASK;
|
|
|
|
}
|
|
|
|
if (interrupt_request & CPU_INTERRUPT_DEBUG) {
|
|
|
|
cpu->interrupt_request &= ~CPU_INTERRUPT_DEBUG;
|
|
|
|
cpu->exception_index = EXCP_DEBUG;
|
2018-03-02 13:03:17 +00:00
|
|
|
return true;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
|
|
|
if (interrupt_request & CPU_INTERRUPT_HALT) {
|
|
|
|
cpu->interrupt_request &= ~CPU_INTERRUPT_HALT;
|
|
|
|
cpu->halted = 1;
|
|
|
|
cpu->exception_index = EXCP_HLT;
|
2018-03-02 13:03:17 +00:00
|
|
|
return true;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
|
|
|
#if defined(TARGET_I386)
|
2018-02-24 05:26:59 +00:00
|
|
|
else if (interrupt_request & CPU_INTERRUPT_INIT) {
|
2018-02-24 05:52:51 +00:00
|
|
|
X86CPU *x86_cpu = X86_CPU(cpu->uc, cpu);
|
|
|
|
CPUArchState *env = &x86_cpu->env;
|
2018-03-01 14:31:08 +00:00
|
|
|
cpu_svm_check_intercept_param(env, SVM_EXIT_INIT, 0, 0);
|
2018-02-24 05:08:24 +00:00
|
|
|
do_cpu_init(x86_cpu);
|
|
|
|
cpu->exception_index = EXCP_HALTED;
|
2018-03-02 13:03:17 +00:00
|
|
|
return true;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
|
|
|
#else
|
2018-02-24 05:26:59 +00:00
|
|
|
else if (interrupt_request & CPU_INTERRUPT_RESET) {
|
2018-02-24 05:08:24 +00:00
|
|
|
cpu_reset(cpu);
|
|
|
|
}
|
|
|
|
#endif
|
2018-02-24 05:26:59 +00:00
|
|
|
else {
|
|
|
|
/* The target hook has 3 exit conditions:
|
|
|
|
False when the interrupt isn't processed,
|
|
|
|
True when it is, and we should restart on a new TB,
|
|
|
|
and via longjmp via cpu_loop_exit. */
|
|
|
|
if (cc->cpu_exec_interrupt(cpu, interrupt_request)) {
|
|
|
|
*last_tb = NULL;
|
|
|
|
}
|
|
|
|
/* The target hook may have updated the 'cpu->interrupt_request';
|
|
|
|
* reload the 'interrupt_request' value */
|
|
|
|
interrupt_request = cpu->interrupt_request;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
2018-02-24 05:26:59 +00:00
|
|
|
|
|
|
|
if (interrupt_request & CPU_INTERRUPT_EXITTB) {
|
2018-02-24 05:08:24 +00:00
|
|
|
cpu->interrupt_request &= ~CPU_INTERRUPT_EXITTB;
|
|
|
|
/* ensure that no TB jump will be modified as
|
|
|
|
the program flow was changed */
|
|
|
|
*last_tb = NULL;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (unlikely(cpu->exit_request)) {
|
|
|
|
cpu->exit_request = 0;
|
|
|
|
cpu->exception_index = EXCP_INTERRUPT;
|
2018-03-02 13:03:17 +00:00
|
|
|
return true;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
2018-03-02 13:03:17 +00:00
|
|
|
return false;
|
2018-02-24 05:08:24 +00:00
|
|
|
}
|
|
|
|
|
2018-02-24 05:14:29 +00:00
|
|
|
static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
|
|
|
|
TranslationBlock **last_tb, int *tb_exit)
|
|
|
|
{
|
|
|
|
uintptr_t ret;
|
|
|
|
|
|
|
|
/* execute the generated code */
|
|
|
|
ret = cpu_tb_exec(cpu, tb);
|
2018-03-01 14:16:51 +00:00
|
|
|
tb = (TranslationBlock *)(ret & ~TB_EXIT_MASK);
|
2018-02-24 05:14:29 +00:00
|
|
|
*tb_exit = ret & TB_EXIT_MASK;
|
|
|
|
switch (*tb_exit) {
|
|
|
|
case TB_EXIT_REQUESTED:
|
2018-03-02 14:36:41 +00:00
|
|
|
/* Something asked us to stop executing chained TBs; just
|
|
|
|
* continue round the main loop. Whatever requested the exit
|
|
|
|
* will also have set something else (eg interrupt_request)
|
|
|
|
* which we will handle next time around the loop. But we
|
|
|
|
* need to ensure the tcg_exit_req read in generated code
|
|
|
|
* comes before the next read of cpu->exit_request or
|
|
|
|
* cpu->interrupt_request.
|
2018-02-24 05:14:29 +00:00
|
|
|
*/
|
2018-03-02 13:01:00 +00:00
|
|
|
smp_mb();
|
2018-02-24 05:14:29 +00:00
|
|
|
*last_tb = NULL;
|
|
|
|
break;
|
2018-02-27 16:12:36 +00:00
|
|
|
case TB_EXIT_ICOUNT_EXPIRED:
|
|
|
|
{
|
|
|
|
/* Instruction counter expired. */
|
|
|
|
#ifdef CONFIG_USER_ONLY
|
|
|
|
abort();
|
|
|
|
#else
|
|
|
|
int insns_left = cpu->icount_decr.u32;
|
2018-03-01 14:16:51 +00:00
|
|
|
*last_tb = NULL;
|
2018-02-27 16:12:36 +00:00
|
|
|
if (cpu->icount_extra && insns_left >= 0) {
|
|
|
|
/* Refill decrementer and continue execution. */
|
|
|
|
cpu->icount_extra += insns_left;
|
|
|
|
insns_left = MIN(0xffff, cpu->icount_extra);
|
|
|
|
cpu->icount_extra -= insns_left;
|
|
|
|
cpu->icount_decr.u16.low = insns_left;
|
|
|
|
} else {
|
|
|
|
if (insns_left > 0) {
|
|
|
|
/* Execute remaining instructions. */
|
2018-03-01 14:16:51 +00:00
|
|
|
cpu_exec_nocache(cpu, insns_left, tb, false);
|
2018-02-27 16:12:36 +00:00
|
|
|
// Unicorn: commented out
|
|
|
|
//align_clocks(sc, cpu);
|
|
|
|
}
|
|
|
|
cpu->exception_index = EXCP_INTERRUPT;
|
|
|
|
cpu_loop_exit(cpu);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
#endif
|
|
|
|
}
|
2018-02-24 05:14:29 +00:00
|
|
|
default:
|
2018-03-01 14:16:51 +00:00
|
|
|
*last_tb = tb;
|
2018-02-24 05:14:29 +00:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2018-02-27 16:12:36 +00:00
|
|
|
static void cpu_exec_step(struct uc_struct *uc, CPUState *cpu)
|
|
|
|
{
|
|
|
|
CPUArchState *env = (CPUArchState *)cpu->env_ptr;
|
|
|
|
TranslationBlock *tb;
|
|
|
|
target_ulong cs_base, pc;
|
|
|
|
uint32_t flags;
|
|
|
|
|
|
|
|
cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
|
2018-03-02 14:56:35 +00:00
|
|
|
|
|
|
|
if (sigsetjmp(cpu->jmp_env, 0) == 0) {
|
|
|
|
mmap_lock();
|
|
|
|
tb = tb_gen_code(cpu, pc, cs_base, flags,
|
|
|
|
1 | CF_NOCACHE | CF_IGNORE_ICOUNT);
|
|
|
|
tb->orig_tb = NULL;
|
|
|
|
mmap_unlock();
|
|
|
|
|
|
|
|
/* execute the generated code */
|
|
|
|
cpu_tb_exec(cpu, tb);
|
|
|
|
tb_phys_invalidate(uc, tb, -1);
|
|
|
|
tb_free(uc, tb);
|
|
|
|
} else {
|
|
|
|
/* We may have exited due to another problem here, so we need
|
|
|
|
* to reset any tb_locks we may have taken but didn't release.
|
|
|
|
* The mmap_lock is dropped by tb_gen_code if it runs out of
|
|
|
|
* memory.
|
|
|
|
*/
|
|
|
|
#ifndef CONFIG_SOFTMMU
|
|
|
|
// Unicorn: Commented out
|
|
|
|
//tcg_debug_assert(!have_mmap_lock());
|
|
|
|
#endif
|
|
|
|
// Unicorn: commented out
|
|
|
|
//tb_lock_reset();
|
|
|
|
}
|
2018-02-27 16:12:36 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
void cpu_exec_step_atomic(struct uc_struct *uc, CPUState *cpu)
|
|
|
|
{
|
|
|
|
// Unicorn: commented out
|
|
|
|
//start_exclusive();
|
|
|
|
|
|
|
|
/* Since we got here, we know that parallel_cpus must be true. */
|
|
|
|
uc->parallel_cpus = false;
|
|
|
|
cpu_exec_step(uc, cpu);
|
|
|
|
uc->parallel_cpus = true;
|
|
|
|
|
|
|
|
// Unicorn: commented out
|
|
|
|
//end_exclusive();
|
|
|
|
}
|
|
|
|
|
2015-08-21 07:04:50 +00:00
|
|
|
/* main execution loop */
|
|
|
|
|
2018-02-14 19:59:56 +00:00
|
|
|
int cpu_exec(struct uc_struct *uc, CPUState *cpu)
|
2015-08-21 07:04:50 +00:00
|
|
|
{
|
2018-02-14 19:59:56 +00:00
|
|
|
CPUArchState *env = cpu->env_ptr;
|
2015-08-21 07:04:50 +00:00
|
|
|
CPUClass *cc = CPU_GET_CLASS(uc, cpu);
|
2018-02-24 05:08:24 +00:00
|
|
|
int ret;
|
2015-08-21 07:04:50 +00:00
|
|
|
|
2018-02-24 04:53:15 +00:00
|
|
|
if (cpu_handle_halt(cpu)) {
|
|
|
|
return EXCP_HALTED;
|
2015-08-21 07:04:50 +00:00
|
|
|
}
|
|
|
|
|
2018-03-02 14:26:31 +00:00
|
|
|
atomic_mb_set(&uc->current_cpu, cpu);
|
|
|
|
atomic_mb_set(&uc->tcg_current_rr_cpu, cpu);
|
2015-08-21 07:04:50 +00:00
|
|
|
|
|
|
|
cc->cpu_exec_enter(cpu);
|
|
|
|
cpu->exception_index = -1;
|
2016-01-11 16:11:31 +00:00
|
|
|
env->invalid_error = UC_ERR_OK;
|
2015-08-21 07:04:50 +00:00
|
|
|
|
2018-03-02 13:13:38 +00:00
|
|
|
/* prepare setjmp context for exception handling */
|
|
|
|
if (sigsetjmp(cpu->jmp_env, 0) != 0) {
|
2018-02-17 20:07:38 +00:00
|
|
|
#if defined(__clang__) || !QEMU_GNUC_PREREQ(4, 6)
|
2018-03-02 13:13:38 +00:00
|
|
|
/* Some compilers wrongly smash all local variables after
|
|
|
|
* siglongjmp. There were bug reports for gcc 4.5.0 and clang.
|
|
|
|
* Reload essential local variables here for those compilers.
|
|
|
|
* Newer versions of gcc would complain about this code (-Wclobbered). */
|
|
|
|
cpu = uc->current_cpu;
|
|
|
|
env = cpu->env_ptr;
|
|
|
|
cc = CPU_GET_CLASS(uc, cpu);
|
2018-02-17 20:07:38 +00:00
|
|
|
#else /* buggy compiler */
|
2018-03-02 13:13:38 +00:00
|
|
|
/* Assert that the compiler does not smash local variables. */
|
2018-03-12 18:58:03 +00:00
|
|
|
g_assert(cpu == uc->current_cpu);
|
|
|
|
g_assert(cc == CPU_GET_CLASS(uc, cpu));
|
2018-02-17 20:07:38 +00:00
|
|
|
#endif /* buggy compiler */
|
2018-03-02 13:13:38 +00:00
|
|
|
cpu->can_do_io = 1;
|
|
|
|
// Unicorn: commented out
|
|
|
|
//tb_lock_reset();
|
|
|
|
}
|
|
|
|
|
|
|
|
/* if an exception is pending, we execute it here */
|
|
|
|
while (!cpu_handle_exception(uc, cpu, &ret)) {
|
|
|
|
TranslationBlock *last_tb = NULL;
|
|
|
|
int tb_exit = 0;
|
|
|
|
|
|
|
|
while (!cpu_handle_interrupt(cpu, &last_tb)) {
|
|
|
|
TranslationBlock *tb = tb_find(cpu, last_tb, tb_exit);
|
|
|
|
if (!tb) { // invalid TB due to invalid code?
|
|
|
|
uc->invalid_error = UC_ERR_FETCH_UNMAPPED;
|
|
|
|
ret = EXCP_HLT;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);
|
2015-08-21 07:04:50 +00:00
|
|
|
}
|
2018-03-02 13:13:38 +00:00
|
|
|
}
|
2015-08-21 07:04:50 +00:00
|
|
|
|
|
|
|
cc->cpu_exec_exit(cpu);
|
|
|
|
|
2015-11-13 15:57:03 +00:00
|
|
|
// Unicorn: flush JIT cache to because emulation might stop in
|
|
|
|
// the middle of translation, thus generate incomplete code.
|
|
|
|
// TODO: optimize this for better performance
|
2018-02-14 18:56:00 +00:00
|
|
|
tb_flush(cpu);
|
2015-11-13 15:57:03 +00:00
|
|
|
|
2015-08-21 07:04:50 +00:00
|
|
|
return ret;
|
|
|
|
}
|