Series comparison

-[Qemu-devel] [PULL for-2.12 0/1] tcg patch queue
+[PULL 00/24] tcg patch queue
-The following changes since commit 26d6a7c87b05017ffabffb5e16837a0fccf67e90:
+The following changes since commit 6587b0c1331d427b0939c37e763842550ed581db:
-  Merge remote-tracking branch 'remotes/ericb/tags/pull-qapi-2018-04-10' into staging (2018-04-10 22:16:19 +0100)
+  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-10-15' into staging (2021-10-15 14:16:28 -0700)
 are available in the Git repository at:
-  git://github.com/rth7680/qemu.git tags/pull-tcg-20180411
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20211016
-for you to fetch changes up to afd46fcad2dceffda35c0586f5723c127b6e09d8:
+for you to fetch changes up to 995b87dedc78b0467f5f18bbc3546072ba97516a:
-  icount: fix cpu_restore_state_from_tb for non-tb-exit cases (2018-04-11 09:05:22 +1000)
+  Revert "cpu: Move cpu_common_props to hw/core/cpu.c" (2021-10-15 16:39:15 -0700)
 ----------------------------------------------------------------
-Handle read-modify-write i/o with icount
+Move gdb singlestep to generic code
 Fix cpu_common_props
 ----------------------------------------------------------------
-Pavel Dovgalyuk (1):
+Richard Henderson (24):
-      icount: fix cpu_restore_state_from_tb for non-tb-exit cases
+      accel/tcg: Handle gdb singlestep in cpu_tb_exec
       target/alpha: Drop checks for singlestep_enabled
       target/avr: Drop checks for singlestep_enabled
       target/cris: Drop checks for singlestep_enabled
       target/hexagon: Drop checks for singlestep_enabled
       target/arm: Drop checks for singlestep_enabled
       target/hppa: Drop checks for singlestep_enabled
       target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
       target/i386: Drop check for singlestep_enabled
       target/m68k: Drop checks for singlestep_enabled
       target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
       target/microblaze: Drop checks for singlestep_enabled
       target/mips: Fix single stepping
       target/mips: Drop exit checks for singlestep_enabled
       target/openrisc: Drop checks for singlestep_enabled
       target/ppc: Drop exit checks for singlestep_enabled
       target/riscv: Remove dead code after exception
       target/riscv: Remove exit_tb and lookup_and_goto_ptr
       target/rx: Drop checks for singlestep_enabled
       target/s390x: Drop check for singlestep_enabled
       target/sh4: Drop check for singlestep_enabled
       target/tricore: Drop check for singlestep_enabled
       target/xtensa: Drop check for singlestep_enabled
       Revert "cpu: Move cpu_common_props to hw/core/cpu.c"
- include/exec/exec-all.h      |  5 ++++-
+ include/hw/core/cpu.h                          |  1 +
- accel/tcg/cpu-exec-common.c  | 10 +++++-----
+ target/i386/helper.h                           |  1 -
- accel/tcg/cpu-exec.c         |  1 -
+ target/rx/helper.h                             |  1 -
- accel/tcg/translate-all.c    | 27 ++++++++++++++-------------
+ target/sh4/helper.h                            |  1 -
- accel/tcg/user-exec.c        |  2 +-
+ target/tricore/helper.h                        |  1 -
- hw/misc/mips_itu.c           |  3 +--
+ accel/tcg/cpu-exec.c                           | 11 ++++
- target/alpha/helper.c        |  2 +-
+ cpu.c                                          | 21 ++++++++
- target/alpha/mem_helper.c    |  6 ++----
+ hw/core/cpu-common.c                           | 17 +-----
- target/arm/op_helper.c       |  6 +++---
+ target/alpha/translate.c                       | 13 ++---
- target/cris/op_helper.c      |  4 ++--
+ target/arm/translate-a64.c                     | 10 +---
- target/i386/helper.c         |  2 +-
+ target/arm/translate.c                         | 36 +++----------
- target/i386/svm_helper.c     |  2 +-
+ target/avr/translate.c                         | 19 ++-----
- target/m68k/op_helper.c      |  4 ++--
+ target/cris/translate.c                        | 16 ------
- target/moxie/helper.c        |  2 +-
+ target/hexagon/translate.c                     | 12 +----
- target/openrisc/sys_helper.c |  8 ++++----
+ target/hppa/translate.c                        | 17 ++----
- target/tricore/op_helper.c   |  2 +-
+ target/i386/tcg/misc_helper.c                  |  8 ---
- target/xtensa/op_helper.c    |  4 ++--
+ target/i386/tcg/translate.c                    |  9 ++--
-files changed, 45 insertions(+), 45 deletions(-)
+ target/m68k/translate.c                        | 44 ++++-----------
  target/microblaze/translate.c                  | 18 ++-----
  target/mips/tcg/translate.c                    | 75 ++++++++++++--------------
  target/openrisc/translate.c                    | 18 ++-----
  target/ppc/translate.c                         | 38 +++----------
  target/riscv/translate.c                       | 27 +---------
  target/rx/op_helper.c                          |  8 ---
  target/rx/translate.c                          | 12 +----
  target/s390x/tcg/translate.c                   |  8 +--
  target/sh4/op_helper.c                         |  5 --
  target/sh4/translate.c                         | 14 ++---
  target/tricore/op_helper.c                     |  7 ---
  target/tricore/translate.c                     | 14 +----
  target/xtensa/translate.c                      | 25 +++------
  target/riscv/insn_trans/trans_privileged.c.inc | 10 ++--
  target/riscv/insn_trans/trans_rvi.c.inc        |  8 ++-
  target/riscv/insn_trans/trans_rvv.c.inc        |  2 +-
 files changed, 141 insertions(+), 386 deletions(-)

-New patch
+[PULL 01/24] accel/tcg: Handle gdb singlestep in cpu_tb_exec
+Currently the change in cpu_tb_exec is masked by the debug exception
+being raised by the translators.  But this allows us to remove that code.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/cpu-exec.c | 11 +++++++++++
+file changed, 11 insertions(+)
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -XXX,XX +XXX,XX @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
+             cc->set_pc(cpu, last_tb->pc);
+         }
+     }
++
++    /*
++     * If gdb single-step, and we haven't raised another exception,
++     * raise a debug exception.  Single-step with another exception
++     * is handled in cpu_handle_exception.
++     */
++    if (unlikely(cpu->singlestep_enabled) && cpu->exception_index == -1) {
++        cpu->exception_index = EXCP_DEBUG;
++        cpu_loop_exit(cpu);
++    }
++
+     return last_tb;
+ }
+--
+.25.1

-New patch
+[PULL 02/24] target/alpha: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/alpha/translate.c | 13 +++----------
+file changed, 3 insertions(+), 10 deletions(-)
+diff --git a/target/alpha/translate.c b/target/alpha/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/alpha/translate.c
++++ b/target/alpha/translate.c
+@@ -XXX,XX +XXX,XX @@ static void alpha_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         tcg_gen_movi_i64(cpu_pc, ctx->base.pc_next);
+         /* FALLTHRU */
+     case DISAS_PC_UPDATED:
+-        if (!ctx->base.singlestep_enabled) {
+-            tcg_gen_lookup_and_goto_ptr();
+-            break;
+-        }
+-        /* FALLTHRU */
++        tcg_gen_lookup_and_goto_ptr();
++        break;
+     case DISAS_PC_UPDATED_NOCHAIN:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG, 0);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 03/24] target/avr: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Tested-by: Michael Rolnik <mrolnik@gmail.com>
+Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/avr/translate.c | 19 ++++---------------
+file changed, 4 insertions(+), 15 deletions(-)
+diff --git a/target/avr/translate.c b/target/avr/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/avr/translate.c
++++ b/target/avr/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
+         tcg_gen_exit_tb(tb, n);
+     } else {
+         tcg_gen_movi_i32(cpu_pc, dest);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         tcg_gen_movi_tl(cpu_pc, ctx->npc);
+         /* fall through */
+     case DISAS_LOOKUP:
+-        if (!ctx->base.singlestep_enabled) {
+-            tcg_gen_lookup_and_goto_ptr();
+-            break;
+-        }
+-        /* fall through */
++        tcg_gen_lookup_and_goto_ptr();
++        break;
+     case DISAS_EXIT:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 04/24] target/cris: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/cris/translate.c | 16 ----------------
+file changed, 16 deletions(-)
+diff --git a/target/cris/translate.c b/target/cris/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/cris/translate.c
++++ b/target/cris/translate.c
+@@ -XXX,XX +XXX,XX @@ static void cris_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         }
+     }
+-    if (unlikely(dc->base.singlestep_enabled)) {
+-        switch (is_jmp) {
+-        case DISAS_TOO_MANY:
+-        case DISAS_UPDATE_NEXT:
+-            tcg_gen_movi_tl(env_pc, npc);
+-            /* fall through */
+-        case DISAS_JUMP:
+-        case DISAS_UPDATE:
+-            t_gen_raise_exception(EXCP_DEBUG);
+-            return;
+-        default:
+-            break;
+-        }
+-        g_assert_not_reached();
+-    }
+-
+     switch (is_jmp) {
+     case DISAS_TOO_MANY:
+         gen_goto_tb(dc, 0, npc);
+--
+.25.1

-New patch
+[PULL 05/24] target/hexagon: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/hexagon/translate.c | 12 ++----------
+file changed, 2 insertions(+), 10 deletions(-)
+diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hexagon/translate.c
++++ b/target/hexagon/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_end_tb(DisasContext *ctx)
+ {
+     gen_exec_counters(ctx);
+     tcg_gen_mov_tl(hex_gpr[HEX_REG_PC], hex_next_PC);
+-    if (ctx->base.singlestep_enabled) {
+-        gen_exception_raw(EXCP_DEBUG);
+-    } else {
+-        tcg_gen_exit_tb(NULL, 0);
+-    }
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+     case DISAS_TOO_MANY:
+         gen_exec_counters(ctx);
+         tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], ctx->base.pc_next);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_exception_raw(EXCP_DEBUG);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     case DISAS_NORETURN:
+         break;
+--
+.25.1

-New patch
+[PULL 06/24] target/arm: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/arm/translate-a64.c | 10 ++--------
+ target/arm/translate.c     | 36 ++++++------------------------------
+files changed, 8 insertions(+), 38 deletions(-)
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
+         gen_a64_set_pc_im(dest);
+         if (s->ss_active) {
+             gen_step_complete_exception(s);
+-        } else if (s->base.singlestep_enabled) {
+-            gen_exception_internal(EXCP_DEBUG);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+             s->base.is_jmp = DISAS_NORETURN;
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    if (unlikely(dc->base.singlestep_enabled || dc->ss_active)) {
++    if (unlikely(dc->ss_active)) {
+         /* Note that this means single stepping WFI doesn't halt the CPU.
+          * For conditional branch insns this is harmless unreachable code as
+          * gen_goto_tb() has already handled emitting the debug exception
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+             /* fall through */
+         case DISAS_EXIT:
+         case DISAS_JUMP:
+-            if (dc->base.singlestep_enabled) {
+-                gen_exception_internal(EXCP_DEBUG);
+-            } else {
+-                gen_step_complete_exception(dc);
+-            }
++            gen_step_complete_exception(dc);
+             break;
+         case DISAS_NORETURN:
+             break;
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
+     tcg_temp_free_i32(tcg_excp);
+ }
+-static void gen_step_complete_exception(DisasContext *s)
++static void gen_singlestep_exception(DisasContext *s)
+ {
+     /* We just completed step of an insn. Move from Active-not-pending
+      * to Active-pending, and then also take the swstep exception.
+@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
+     s->base.is_jmp = DISAS_NORETURN;
+ }
+-static void gen_singlestep_exception(DisasContext *s)
+-{
+-    /* Generate the right kind of exception for singlestep, which is
+-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
+-     * gdb singlestepping.
+-     */
+-    if (s->ss_active) {
+-        gen_step_complete_exception(s);
+-    } else {
+-        gen_exception_internal(EXCP_DEBUG);
+-    }
+-}
+-
+-static inline bool is_singlestepping(DisasContext *s)
+-{
+-    /* Return true if we are singlestepping either because of
+-     * architectural singlestep or QEMU gdbstub singlestep. This does
+-     * not include the command line '-singlestep' mode which is rather
+-     * misnamed as it only means "one instruction per TB" and doesn't
+-     * affect the code we generate.
+-     */
+-    return s->base.singlestep_enabled || s->ss_active;
+-}
+-
+ void clear_eci_state(DisasContext *s)
+ {
+     /*
+@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
+     /* Is the new PC value in the magic range indicating exception return? */
+     tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
+     /* No: end the TB as we would for a DISAS_JMP */
+-    if (is_singlestepping(s)) {
++    if (s->ss_active) {
+         gen_singlestep_exception(s);
+     } else {
+         tcg_gen_exit_tb(NULL, 0);
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
+ /* Jump, specifying which TB number to use if we gen_goto_tb() */
+ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
+ {
+-    if (unlikely(is_singlestepping(s))) {
++    if (unlikely(s->ss_active)) {
+         /* An indirect jump so that we still trigger the debug exception.  */
+         gen_set_pc_im(s, dest);
+         s->base.is_jmp = DISAS_JUMP;
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
+     /* If architectural single step active, limit to 1.  */
+-    if (is_singlestepping(dc)) {
++    if (dc->ss_active) {
+         dc->base.max_insns = 1;
+     }
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+          * insn codepath itself.
+          */
+         gen_bx_excret_final_code(dc);
+-    } else if (unlikely(is_singlestepping(dc))) {
++    } else if (unlikely(dc->ss_active)) {
+         /* Unconditional and "condition passed" instruction codepath. */
+         switch (dc->base.is_jmp) {
+         case DISAS_SWI:
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         /* "Condition failed" instruction codepath for the branch/trap insn */
+         gen_set_label(dc->condlabel);
+         gen_set_condexec(dc);
+-        if (unlikely(is_singlestepping(dc))) {
++        if (unlikely(dc->ss_active)) {
+             gen_set_pc_im(dc, dc->base.pc_next);
+             gen_singlestep_exception(dc);
+         } else {
+--
+.25.1

-New patch
+[PULL 07/24] target/hppa: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/hppa/translate.c | 17 ++++-------------
+file changed, 4 insertions(+), 13 deletions(-)
+diff --git a/target/hppa/translate.c b/target/hppa/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hppa/translate.c
++++ b/target/hppa/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int which,
+     } else {
+         copy_iaoq_entry(cpu_iaoq_f, f, cpu_iaoq_b);
+         copy_iaoq_entry(cpu_iaoq_b, b, ctx->iaoq_n_var);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static bool do_rfi(DisasContext *ctx, bool rfi_r)
+         gen_helper_rfi(cpu_env);
+     }
+     /* Exit the TB to recognize new interrupts.  */
+-    if (ctx->base.singlestep_enabled) {
+-        gen_excp_1(EXCP_DEBUG);
+-    } else {
+-        tcg_gen_exit_tb(NULL, 0);
+-    }
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return nullify_end(ctx);
+@@ -XXX,XX +XXX,XX @@ static void hppa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         nullify_save(ctx);
+         /* FALLTHRU */
+     case DISAS_IAQ_N_UPDATED:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG);
+-        } else if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
++        if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
+             tcg_gen_lookup_and_goto_ptr();
++            break;
+         }
+         /* FALLTHRU */
+     case DISAS_EXIT:
+--
+.25.1

-New patch
+[PULL 08/24] target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
+We were using singlestep_enabled as a proxy for whether
+translator_use_goto_tb would always return false.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/tcg/translate.c | 5 +++--
+file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+     CPUX86State *env = cpu->env_ptr;
+     uint32_t flags = dc->base.tb->flags;
++    uint32_t cflags = tb_cflags(dc->base.tb);
+     int cpl = (flags >> HF_CPL_SHIFT) & 3;
+     int iopl = (flags >> IOPL_SHIFT) & 3;
+@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
+     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
+     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+-    dc->jmp_opt = !(dc->base.singlestep_enabled ||
++    dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+     /*
+      * If jmp_opt, we want to handle each string instruction individually.
+      * For icount also disable repz optimization so that each iteration
+      * is accounted separately.
+      */
+-    dc->repz_opt = !dc->jmp_opt && !(tb_cflags(dc->base.tb) & CF_USE_ICOUNT);
++    dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
+     dc->T0 = tcg_temp_new();
+     dc->T1 = tcg_temp_new();
+--
+.25.1

-New patch
+[PULL 09/24] target/i386: Drop check for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/helper.h          | 1 -
+ target/i386/tcg/misc_helper.c | 8 --------
+ target/i386/tcg/translate.c   | 4 +---
+files changed, 1 insertion(+), 12 deletions(-)
+diff --git a/target/i386/helper.h b/target/i386/helper.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/helper.h
++++ b/target/i386/helper.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(syscall, void, env, int)
+ DEF_HELPER_2(sysret, void, env, int)
+ #endif
+ DEF_HELPER_FLAGS_2(pause, TCG_CALL_NO_WG, noreturn, env, int)
+-DEF_HELPER_FLAGS_1(debug, TCG_CALL_NO_WG, noreturn, env)
+ DEF_HELPER_1(reset_rf, void, env)
+ DEF_HELPER_FLAGS_3(raise_interrupt, TCG_CALL_NO_WG, noreturn, env, int, int)
+ DEF_HELPER_FLAGS_2(raise_exception, TCG_CALL_NO_WG, noreturn, env, int)
+diff --git a/target/i386/tcg/misc_helper.c b/target/i386/tcg/misc_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/misc_helper.c
++++ b/target/i386/tcg/misc_helper.c
+@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_pause(CPUX86State *env, int next_eip_addend)
+     do_pause(env);
+ }
+-void QEMU_NORETURN helper_debug(CPUX86State *env)
+-{
+-    CPUState *cs = env_cpu(env);
+-
+-    cs->exception_index = EXCP_DEBUG;
+-    cpu_loop_exit(cs);
+-}
+-
+ uint64_t helper_rdpkru(CPUX86State *env, uint32_t ecx)
+ {
+     if ((env->cr[4] & CR4_PKE_MASK) == 0) {
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
+     if (s->base.tb->flags & HF_RF_MASK) {
+         gen_helper_reset_rf(cpu_env);
+     }
+-    if (s->base.singlestep_enabled) {
+-        gen_helper_debug(cpu_env);
+-    } else if (recheck_tf) {
++    if (recheck_tf) {
+         gen_helper_rechecking_single_step(cpu_env);
+         tcg_gen_exit_tb(NULL, 0);
+     } else if (s->flags & HF_TF_MASK) {
+--
+.25.1

-New patch
+[PULL 10/24] target/m68k: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Acked-by: Laurent Vivier <laurent@vivier.eu>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/m68k/translate.c | 44 +++++++++--------------------------------
+file changed, 9 insertions(+), 35 deletions(-)
+diff --git a/target/m68k/translate.c b/target/m68k/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/m68k/translate.c
++++ b/target/m68k/translate.c
+@@ -XXX,XX +XXX,XX @@ static void do_writebacks(DisasContext *s)
+     }
+ }
+-static bool is_singlestepping(DisasContext *s)
+-{
+-    /*
+-     * Return true if we are singlestepping either because of
+-     * architectural singlestep or QEMU gdbstub singlestep. This does
+-     * not include the command line '-singlestep' mode which is rather
+-     * misnamed as it only means "one instruction per TB" and doesn't
+-     * affect the code we generate.
+-     */
+-    return s->base.singlestep_enabled || s->ss_active;
+-}
+-
+ /* is_jmp field values */
+ #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
+ #define DISAS_EXIT      DISAS_TARGET_1 /* cpu state was modified dynamically */
+@@ -XXX,XX +XXX,XX @@ static void gen_exception(DisasContext *s, uint32_t dest, int nr)
+     s->base.is_jmp = DISAS_NORETURN;
+ }
+-static void gen_singlestep_exception(DisasContext *s)
+-{
+-    /*
+-     * Generate the right kind of exception for singlestep, which is
+-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
+-     * gdb singlestepping.
+-     */
+-    if (s->ss_active) {
+-        gen_raise_exception(EXCP_TRACE);
+-    } else {
+-        gen_raise_exception(EXCP_DEBUG);
+-    }
+-}
+-
+ static inline void gen_addr_fault(DisasContext *s)
+ {
+     gen_exception(s, s->base.pc_next, EXCP_ADDRESS);
+@@ -XXX,XX +XXX,XX @@ static void gen_exit_tb(DisasContext *s)
+ /* Generate a jump to an immediate address.  */
+ static void gen_jmp_tb(DisasContext *s, int n, uint32_t dest)
+ {
+-    if (unlikely(is_singlestepping(s))) {
++    if (unlikely(s->ss_active)) {
+         update_cc_op(s);
+         tcg_gen_movi_i32(QREG_PC, dest);
+-        gen_singlestep_exception(s);
++        gen_raise_exception(EXCP_TRACE);
+     } else if (translator_use_goto_tb(&s->base, dest)) {
+         tcg_gen_goto_tb(n);
+         tcg_gen_movi_i32(QREG_PC, dest);
+@@ -XXX,XX +XXX,XX @@ static void m68k_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     dc->ss_active = (M68K_SR_TRACE(env->sr) == M68K_SR_TRACE_ANY_INS);
+     /* If architectural single step active, limit to 1 */
+-    if (is_singlestepping(dc)) {
++    if (dc->ss_active) {
+         dc->base.max_insns = 1;
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         break;
+     case DISAS_TOO_MANY:
+         update_cc_op(dc);
+-        if (is_singlestepping(dc)) {
++        if (dc->ss_active) {
+             tcg_gen_movi_i32(QREG_PC, dc->pc);
+-            gen_singlestep_exception(dc);
++            gen_raise_exception(EXCP_TRACE);
+         } else {
+             gen_jmp_tb(dc, 0, dc->pc);
+         }
+         break;
+     case DISAS_JUMP:
+         /* We updated CC_OP and PC in gen_jmp/gen_jmp_im.  */
+-        if (is_singlestepping(dc)) {
+-            gen_singlestep_exception(dc);
++        if (dc->ss_active) {
++            gen_raise_exception(EXCP_TRACE);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+         }
+@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+          * We updated CC_OP and PC in gen_exit_tb, but also modified
+          * other state that may require returning to the main loop.
+          */
+-        if (is_singlestepping(dc)) {
+-            gen_singlestep_exception(dc);
++        if (dc->ss_active) {
++            gen_raise_exception(EXCP_TRACE);
+         } else {
+             tcg_gen_exit_tb(NULL, 0);
+         }
+--
+.25.1

-New patch
+[PULL 11/24] target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
+We were using singlestep_enabled as a proxy for whether
+translator_use_goto_tb would always return false.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/microblaze/translate.c | 4 ++--
+file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/microblaze/translate.c
++++ b/target/microblaze/translate.c
+@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
+         break;
+     case DISAS_JUMP:
+-        if (dc->jmp_dest != -1 && !cs->singlestep_enabled) {
++        if (dc->jmp_dest != -1 && !(tb_cflags(dc->base.tb) & CF_NO_GOTO_TB)) {
+             /* Direct jump. */
+             tcg_gen_discard_i32(cpu_btarget);
+@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
+             return;
+         }
+-        /* Indirect jump (or direct jump w/ singlestep) */
++        /* Indirect jump (or direct jump w/ goto_tb disabled) */
+         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
+         tcg_gen_discard_i32(cpu_btarget);
+--
+.25.1

-New patch
+[PULL 12/24] target/microblaze: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/microblaze/translate.c | 14 ++------------
+file changed, 2 insertions(+), 12 deletions(-)
+diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/microblaze/translate.c
++++ b/target/microblaze/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_raise_hw_excp(DisasContext *dc, uint32_t esr_ec)
+ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
+ {
+-    if (dc->base.singlestep_enabled) {
+-        TCGv_i32 tmp = tcg_const_i32(EXCP_DEBUG);
+-        tcg_gen_movi_i32(cpu_pc, dest);
+-        gen_helper_raise_exception(cpu_env, tmp);
+-        tcg_temp_free_i32(tmp);
+-    } else if (translator_use_goto_tb(&dc->base, dest)) {
++    if (translator_use_goto_tb(&dc->base, dest)) {
+         tcg_gen_goto_tb(n);
+         tcg_gen_movi_i32(cpu_pc, dest);
+         tcg_gen_exit_tb(dc->base.tb, n);
+@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
+         /* Indirect jump (or direct jump w/ goto_tb disabled) */
+         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
+         tcg_gen_discard_i32(cpu_btarget);
+-
+-        if (unlikely(cs->singlestep_enabled)) {
+-            gen_raise_exception(dc, EXCP_DEBUG);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+         return;
+     default:
+--
+.25.1

-New patch
+[PULL 13/24] target/mips: Fix single stepping
+As per an ancient comment in mips_tr_translate_insn about the
+expectations of gdb, when restarting the insn in a delay slot
+we also re-execute the branch.  Which means that we are
+expected to execute two insns in this case.
+This has been broken since 8b86d6d2580, where we forced max_insns
+to 1 while single-stepping.  This resulted in an exit from the
+translator loop after the branch but before the delay slot is
+translated.
+Increase the max_insns to 2 for this case.  In addition, bypass
+the end-of-page check, for when the branch itself ends the page.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/mips/tcg/translate.c | 25 ++++++++++++++++---------
+file changed, 16 insertions(+), 9 deletions(-)
+diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/mips/tcg/translate.c
++++ b/target/mips/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     ctx->default_tcg_memop_mask = (ctx->insn_flags & (ISA_MIPS_R6 |
+                                   INSN_LOONGSON3A)) ? MO_UNALN : MO_ALIGN;
++    /*
++     * Execute a branch and its delay slot as a single instruction.
++     * This is what GDB expects and is consistent with what the
++     * hardware does (e.g. if a delay slot instruction faults, the
++     * reported PC is the PC of the branch).
++     */
++    if (ctx->base.singlestep_enabled && (ctx->hflags & MIPS_HFLAG_BMASK)) {
++        ctx->base.max_insns = 2;
++    }
++
+     LOG_DISAS("\ntb %p idx %d hflags %04x\n", ctx->base.tb, ctx->mem_idx,
+               ctx->hflags);
+ }
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+     if (ctx->base.is_jmp != DISAS_NEXT) {
+         return;
+     }
++
+     /*
+-     * Execute a branch and its delay slot as a single instruction.
+-     * This is what GDB expects and is consistent with what the
+-     * hardware does (e.g. if a delay slot instruction faults, the
+-     * reported PC is the PC of the branch).
++     * End the TB on (most) page crossings.
++     * See mips_tr_init_disas_context about single-stepping a branch
++     * together with its delay slot.
+      */
+-    if (ctx->base.singlestep_enabled &&
+-        (ctx->hflags & MIPS_HFLAG_BMASK) == 0) {
+-        ctx->base.is_jmp = DISAS_TOO_MANY;
+-    }
+-    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE) {
++    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE
++        && !ctx->base.singlestep_enabled) {
+         ctx->base.is_jmp = DISAS_TOO_MANY;
+     }
+ }
+--
+.25.1

-New patch
+[PULL 14/24] target/mips: Drop exit checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/mips/tcg/translate.c | 50 +++++++++++++------------------------
+file changed, 18 insertions(+), 32 deletions(-)
+diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/mips/tcg/translate.c
++++ b/target/mips/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
+         tcg_gen_exit_tb(ctx->base.tb, n);
+     } else {
+         gen_save_pc(dest);
+-        if (ctx->base.singlestep_enabled) {
+-            save_cpu_state(ctx, 0);
+-            gen_helper_raise_exception_debug(cpu_env);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static void gen_branch(DisasContext *ctx, int insn_bytes)
+             } else {
+                 tcg_gen_mov_tl(cpu_PC, btarget);
+             }
+-            if (ctx->base.singlestep_enabled) {
+-                save_cpu_state(ctx, 0);
+-                gen_helper_raise_exception_debug(cpu_env);
+-            }
+             tcg_gen_lookup_and_goto_ptr();
+             break;
+         default:
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+ {
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    if (ctx->base.singlestep_enabled && ctx->base.is_jmp != DISAS_NORETURN) {
+-        save_cpu_state(ctx, ctx->base.is_jmp != DISAS_EXIT);
+-        gen_helper_raise_exception_debug(cpu_env);
+-    } else {
+-        switch (ctx->base.is_jmp) {
+-        case DISAS_STOP:
+-            gen_save_pc(ctx->base.pc_next);
+-            tcg_gen_lookup_and_goto_ptr();
+-            break;
+-        case DISAS_NEXT:
+-        case DISAS_TOO_MANY:
+-            save_cpu_state(ctx, 0);
+-            gen_goto_tb(ctx, 0, ctx->base.pc_next);
+-            break;
+-        case DISAS_EXIT:
+-            tcg_gen_exit_tb(NULL, 0);
+-            break;
+-        case DISAS_NORETURN:
+-            break;
+-        default:
+-            g_assert_not_reached();
+-        }
++    switch (ctx->base.is_jmp) {
++    case DISAS_STOP:
++        gen_save_pc(ctx->base.pc_next);
++        tcg_gen_lookup_and_goto_ptr();
++        break;
++    case DISAS_NEXT:
++    case DISAS_TOO_MANY:
++        save_cpu_state(ctx, 0);
++        gen_goto_tb(ctx, 0, ctx->base.pc_next);
++        break;
++    case DISAS_EXIT:
++        tcg_gen_exit_tb(NULL, 0);
++        break;
++    case DISAS_NORETURN:
++        break;
++    default:
++        g_assert_not_reached();
+     }
+ }
+--
+.25.1

-New patch
+[PULL 15/24] target/openrisc: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/openrisc/translate.c | 18 +++---------------
+file changed, 3 insertions(+), 15 deletions(-)
+diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/openrisc/translate.c
++++ b/target/openrisc/translate.c
+@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+             /* The jump destination is indirect/computed; use jmp_pc.  */
+             tcg_gen_mov_tl(cpu_pc, jmp_pc);
+             tcg_gen_discard_tl(jmp_pc);
+-            if (unlikely(dc->base.singlestep_enabled)) {
+-                gen_exception(dc, EXCP_DEBUG);
+-            } else {
+-                tcg_gen_lookup_and_goto_ptr();
+-            }
++            tcg_gen_lookup_and_goto_ptr();
+             break;
+         }
+         /* The jump destination is direct; use jmp_pc_imm.
+@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+             break;
+         }
+         tcg_gen_movi_tl(cpu_pc, jmp_dest);
+-        if (unlikely(dc->base.singlestep_enabled)) {
+-            gen_exception(dc, EXCP_DEBUG);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+         break;
+     case DISAS_EXIT:
+-        if (unlikely(dc->base.singlestep_enabled)) {
+-            gen_exception(dc, EXCP_DEBUG);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 16/24] target/ppc: Drop exit checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reuse gen_debug_exception to handle architectural debug exceptions.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/ppc/translate.c | 38 ++++++++------------------------------
+file changed, 8 insertions(+), 30 deletions(-)
+diff --git a/target/ppc/translate.c b/target/ppc/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/ppc/translate.c
++++ b/target/ppc/translate.c
+@@ -XXX,XX +XXX,XX @@
+ #define CPU_SINGLE_STEP 0x1
+ #define CPU_BRANCH_STEP 0x2
+-#define GDBSTUB_SINGLE_STEP 0x4
+ /* Include definitions for instructions classes and implementations flags */
+ /* #define PPC_DEBUG_DISAS */
+@@ -XXX,XX +XXX,XX @@ static uint32_t gen_prep_dbgex(DisasContext *ctx)
+ static void gen_debug_exception(DisasContext *ctx)
+ {
+-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
++    gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *ctx, target_ulong dest)
+ static void gen_lookup_and_goto_ptr(DisasContext *ctx)
+ {
+-    int sse = ctx->singlestep_enabled;
+-    if (unlikely(sse)) {
+-        if (sse & GDBSTUB_SINGLE_STEP) {
+-            gen_debug_exception(ctx);
+-        } else if (sse & (CPU_SINGLE_STEP | CPU_BRANCH_STEP)) {
+-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++    if (unlikely(ctx->singlestep_enabled)) {
++        gen_debug_exception(ctx);
+     } else {
+         tcg_gen_lookup_and_goto_ptr();
+     }
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     ctx->singlestep_enabled = 0;
+     if ((hflags >> HFLAGS_SE) & 1) {
+         ctx->singlestep_enabled |= CPU_SINGLE_STEP;
++        ctx->base.max_insns = 1;
+     }
+     if ((hflags >> HFLAGS_BE) & 1) {
+         ctx->singlestep_enabled |= CPU_BRANCH_STEP;
+     }
+-    if (unlikely(ctx->base.singlestep_enabled)) {
+-        ctx->singlestep_enabled |= GDBSTUB_SINGLE_STEP;
+-    }
+-
+-    if (ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP)) {
+-        ctx->base.max_insns = 1;
+-    }
+ }
+ static void ppc_tr_tb_start(DisasContextBase *db, CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+     DisasJumpType is_jmp = ctx->base.is_jmp;
+     target_ulong nip = ctx->base.pc_next;
+-    int sse;
+     if (is_jmp == DISAS_NORETURN) {
+         /* We have already exited the TB. */
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     }
+     /* Honor single stepping. */
+-    sse = ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP);
+-    if (unlikely(sse)) {
++    if (unlikely(ctx->singlestep_enabled & CPU_SINGLE_STEP)
++        && (nip <= 0x100 || nip > 0xf00)) {
+         switch (is_jmp) {
+         case DISAS_TOO_MANY:
+         case DISAS_EXIT_UPDATE:
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+             g_assert_not_reached();
+         }
+-        if (sse & GDBSTUB_SINGLE_STEP) {
+-            gen_debug_exception(ctx);
+-            return;
+-        }
+-        /* else CPU_SINGLE_STEP... */
+-        if (nip <= 0x100 || nip > 0xf00) {
+-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
+-            return;
+-        }
++        gen_debug_exception(ctx);
++        return;
+     }
+     switch (is_jmp) {
+--
+.25.1

-New patch
+[PULL 17/24] target/riscv: Remove dead code after exception
+We have already set DISAS_NORETURN in generate_exception,
+which makes the exit_tb unreachable.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/riscv/insn_trans/trans_privileged.c.inc | 6 +-----
+file changed, 1 insertion(+), 5 deletions(-)
+diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/insn_trans/trans_privileged.c.inc
++++ b/target/riscv/insn_trans/trans_privileged.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_ecall(DisasContext *ctx, arg_ecall *a)
+ {
+     /* always generates U-level ECALL, fixed in do_interrupt handler */
+     generate_exception(ctx, RISCV_EXCP_U_ECALL);
+-    exit_tb(ctx); /* no chaining */
+-    ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool trans_ebreak(DisasContext *ctx, arg_ebreak *a)
+         post   = opcode_at(&ctx->base, post_addr);
+     }
+-    if  (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
++    if (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
+         generate_exception(ctx, RISCV_EXCP_SEMIHOST);
+     } else {
+         generate_exception(ctx, RISCV_EXCP_BREAKPOINT);
+     }
+-    exit_tb(ctx); /* no chaining */
+-    ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ }
+--
+.25.1

-New patch
+[PULL 18/24] target/riscv: Remove exit_tb and lookup_and_goto_ptr
+GDB single-stepping is now handled generically, which means
+we don't need to do anything in the wrappers.
+Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/riscv/translate.c                      | 27 +------------------
+ .../riscv/insn_trans/trans_privileged.c.inc   |  4 +--
+ target/riscv/insn_trans/trans_rvi.c.inc       |  8 +++---
+ target/riscv/insn_trans/trans_rvv.c.inc       |  2 +-
+files changed, 7 insertions(+), 34 deletions(-)
+diff --git a/target/riscv/translate.c b/target/riscv/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/translate.c
++++ b/target/riscv/translate.c
+@@ -XXX,XX +XXX,XX @@ static void generate_exception_mtval(DisasContext *ctx, int excp)
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+-static void gen_exception_debug(void)
+-{
+-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
+-}
+-
+-/* Wrapper around tcg_gen_exit_tb that handles single stepping */
+-static void exit_tb(DisasContext *ctx)
+-{
+-    if (ctx->base.singlestep_enabled) {
+-        gen_exception_debug();
+-    } else {
+-        tcg_gen_exit_tb(NULL, 0);
+-    }
+-}
+-
+-/* Wrapper around tcg_gen_lookup_and_goto_ptr that handles single stepping */
+-static void lookup_and_goto_ptr(DisasContext *ctx)
+-{
+-    if (ctx->base.singlestep_enabled) {
+-        gen_exception_debug();
+-    } else {
+-        tcg_gen_lookup_and_goto_ptr();
+-    }
+-}
+-
+ static void gen_exception_illegal(DisasContext *ctx)
+ {
+     generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
+         tcg_gen_exit_tb(ctx->base.tb, n);
+     } else {
+         tcg_gen_movi_tl(cpu_pc, dest);
+-        lookup_and_goto_ptr(ctx);
++        tcg_gen_lookup_and_goto_ptr();
+     }
+ }
+diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/insn_trans/trans_privileged.c.inc
++++ b/target/riscv/insn_trans/trans_privileged.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_sret(DisasContext *ctx, arg_sret *a)
+     if (has_ext(ctx, RVS)) {
+         gen_helper_sret(cpu_pc, cpu_env, cpu_pc);
+-        exit_tb(ctx); /* no chaining */
++        tcg_gen_exit_tb(NULL, 0); /* no chaining */
+         ctx->base.is_jmp = DISAS_NORETURN;
+     } else {
+         return false;
+@@ -XXX,XX +XXX,XX @@ static bool trans_mret(DisasContext *ctx, arg_mret *a)
+ #ifndef CONFIG_USER_ONLY
+     tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
+     gen_helper_mret(cpu_pc, cpu_env, cpu_pc);
+-    exit_tb(ctx); /* no chaining */
++    tcg_gen_exit_tb(NULL, 0); /* no chaining */
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ #else
+diff --git a/target/riscv/insn_trans/trans_rvi.c.inc b/target/riscv/insn_trans/trans_rvi.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/insn_trans/trans_rvi.c.inc
++++ b/target/riscv/insn_trans/trans_rvi.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
+     if (a->rd != 0) {
+         tcg_gen_movi_tl(cpu_gpr[a->rd], ctx->pc_succ_insn);
+     }
+-
+-    /* No chaining with JALR. */
+-    lookup_and_goto_ptr(ctx);
++    tcg_gen_lookup_and_goto_ptr();
+     if (misaligned) {
+         gen_set_label(misaligned);
+@@ -XXX,XX +XXX,XX @@ static bool trans_fence_i(DisasContext *ctx, arg_fence_i *a)
+      * however we need to end the translation block
+      */
+     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
+-    exit_tb(ctx);
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ }
+@@ -XXX,XX +XXX,XX @@ static bool do_csr_post(DisasContext *ctx)
+ {
+     /* We may have changed important cpu state -- exit to main loop. */
+     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
+-    exit_tb(ctx);
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ }
+diff --git a/target/riscv/insn_trans/trans_rvv.c.inc b/target/riscv/insn_trans/trans_rvv.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/riscv/insn_trans/trans_rvv.c.inc
++++ b/target/riscv/insn_trans/trans_rvv.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool trans_vsetvl(DisasContext *ctx, arg_vsetvl *a)
+     gen_set_gpr(ctx, a->rd, dst);
+     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
+-    lookup_and_goto_ptr(ctx);
++    tcg_gen_lookup_and_goto_ptr();
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return true;
+ }
+--
+.25.1

-New patch
+[PULL 19/24] target/rx: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/rx/helper.h    |  1 -
+ target/rx/op_helper.c |  8 --------
+ target/rx/translate.c | 12 ++----------
+files changed, 2 insertions(+), 19 deletions(-)
+diff --git a/target/rx/helper.h b/target/rx/helper.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/rx/helper.h
++++ b/target/rx/helper.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
+ DEF_HELPER_1(raise_access_fault, noreturn, env)
+ DEF_HELPER_1(raise_privilege_violation, noreturn, env)
+ DEF_HELPER_1(wait, noreturn, env)
+-DEF_HELPER_1(debug, noreturn, env)
+ DEF_HELPER_2(rxint, noreturn, env, i32)
+ DEF_HELPER_1(rxbrk, noreturn, env)
+ DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
+diff --git a/target/rx/op_helper.c b/target/rx/op_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/rx/op_helper.c
++++ b/target/rx/op_helper.c
+@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_wait(CPURXState *env)
+     raise_exception(env, EXCP_HLT, 0);
+ }
+-void QEMU_NORETURN helper_debug(CPURXState *env)
+-{
+-    CPUState *cs = env_cpu(env);
+-
+-    cs->exception_index = EXCP_DEBUG;
+-    cpu_loop_exit(cs);
+-}
+-
+ void QEMU_NORETURN helper_rxint(CPURXState *env, uint32_t vec)
+ {
+     raise_exception(env, 0x100 + vec, 0);
+diff --git a/target/rx/translate.c b/target/rx/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/rx/translate.c
++++ b/target/rx/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
+         tcg_gen_exit_tb(dc->base.tb, n);
+     } else {
+         tcg_gen_movi_i32(cpu_pc, dest);
+-        if (dc->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+     dc->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void rx_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         gen_goto_tb(ctx, 0, dcbase->pc_next);
+         break;
+     case DISAS_JUMP:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+         break;
+     case DISAS_UPDATE:
+         tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
+--
+.25.1

-New patch
+[PULL 20/24] target/s390x: Drop check for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/s390x/tcg/translate.c | 8 ++------
+file changed, 2 insertions(+), 6 deletions(-)
+diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/s390x/tcg/translate.c
++++ b/target/s390x/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ struct DisasContext {
+     uint64_t pc_tmp;
+     uint32_t ilen;
+     enum cc_op cc_op;
+-    bool do_debug;
+ };
+ /* Information carried about a condition to be evaluated.  */
+@@ -XXX,XX +XXX,XX @@ static void s390x_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     dc->cc_op = CC_OP_DYNAMIC;
+     dc->ex_value = dc->base.tb->cs_base;
+-    dc->do_debug = dc->base.singlestep_enabled;
+ }
+ static void s390x_tr_tb_start(DisasContextBase *db, CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ static void s390x_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         /* FALLTHRU */
+     case DISAS_PC_CC_UPDATED:
+         /* Exit the TB, either by raising a debug exception or by return.  */
+-        if (dc->do_debug) {
+-            gen_exception(EXCP_DEBUG);
+-        } else if ((dc->base.tb->flags & FLAG_MASK_PER) ||
+-                   dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
++        if ((dc->base.tb->flags & FLAG_MASK_PER) ||
++             dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
+             tcg_gen_exit_tb(NULL, 0);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+--
+.25.1

-New patch
+[PULL 21/24] target/sh4: Drop check for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/sh4/helper.h    |  1 -
+ target/sh4/op_helper.c |  5 -----
+ target/sh4/translate.c | 14 +++-----------
+files changed, 3 insertions(+), 17 deletions(-)
+diff --git a/target/sh4/helper.h b/target/sh4/helper.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/sh4/helper.h
++++ b/target/sh4/helper.h
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
+ DEF_HELPER_1(raise_slot_illegal_instruction, noreturn, env)
+ DEF_HELPER_1(raise_fpu_disable, noreturn, env)
+ DEF_HELPER_1(raise_slot_fpu_disable, noreturn, env)
+-DEF_HELPER_1(debug, noreturn, env)
+ DEF_HELPER_1(sleep, noreturn, env)
+ DEF_HELPER_2(trapa, noreturn, env, i32)
+ DEF_HELPER_1(exclusive, noreturn, env)
+diff --git a/target/sh4/op_helper.c b/target/sh4/op_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/sh4/op_helper.c
++++ b/target/sh4/op_helper.c
+@@ -XXX,XX +XXX,XX @@ void helper_raise_slot_fpu_disable(CPUSH4State *env)
+     raise_exception(env, 0x820, 0);
+ }
+-void helper_debug(CPUSH4State *env)
+-{
+-    raise_exception(env, EXCP_DEBUG, 0);
+-}
+-
+ void helper_sleep(CPUSH4State *env)
+ {
+     CPUState *cs = env_cpu(env);
+diff --git a/target/sh4/translate.c b/target/sh4/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/sh4/translate.c
++++ b/target/sh4/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
+         tcg_gen_exit_tb(ctx->base.tb, n);
+     } else {
+         tcg_gen_movi_i32(cpu_pc, dest);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else if (use_exit_tb(ctx)) {
++        if (use_exit_tb(ctx)) {
+             tcg_gen_exit_tb(NULL, 0);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+@@ -XXX,XX +XXX,XX @@ static void gen_jump(DisasContext * ctx)
+        delayed jump as immediate jump are conditinal jumps */
+     tcg_gen_mov_i32(cpu_pc, cpu_delayed_pc);
+         tcg_gen_discard_i32(cpu_delayed_pc);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else if (use_exit_tb(ctx)) {
++        if (use_exit_tb(ctx)) {
+             tcg_gen_exit_tb(NULL, 0);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+@@ -XXX,XX +XXX,XX @@ static void sh4_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     switch (ctx->base.is_jmp) {
+     case DISAS_STOP:
+         gen_save_cpu_state(ctx, true);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     case DISAS_NEXT:
+     case DISAS_TOO_MANY:
+--
+.25.1

-[Qemu-devel] [PULL for-2.12 1/1] icount: fix cpu_restore_state_from_tb for non-tb-exit cases
+[PULL 22/24] target/tricore: Drop check for singlestep_enabled
-From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
+GDB single-stepping is now handled generically.
-In icount mode, instructions that access io memory spaces in the middle
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 of the translation block invoke TB recompilation.  After recompilation,
 such instructions become last in the TB and are allowed to access io
 memory spaces.
 When the code includes instruction like i386 'xchg eax, 0xffffd080'
 which accesses APIC, QEMU goes into an infinite loop of the recompilation.
 This instruction includes two memory accesses - one read and one write.
 After the first access, APIC calls cpu_report_tpr_access, which restores
 the CPU state to get the current eip.  But cpu_restore_state_from_tb
 resets the cpu->can_do_io flag which makes the second memory access invalid.
 Therefore the second memory access causes a recompilation of the block.
 Then these operations repeat again and again.
 This patch moves resetting cpu->can_do_io flag from
 cpu_restore_state_from_tb to cpu_loop_exit* functions.
 It also adds a parameter for cpu_restore_state which controls restoring
 icount.  There is no need to restore icount when we only query CPU state
 without breaking the TB.  Restoring it in such cases leads to the
 incorrect flow of the virtual time.
 In most cases new parameter is true (icount should be recalculated).
 But there are two cases in i386 and openrisc when the CPU state is only
 queried without the need to break the TB.  This patch fixes both of
 these cases.
 Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
 Message-Id: <20180409091320.12504.35329.stgit@pasha-VirtualBox>
 [rth: Make can_do_io setting unconditional; move from cpu_exec;
 make cpu_loop_exit_{noexc,restore} call cpu_loop_exit.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/exec-all.h      |  5 ++++-
+ target/tricore/helper.h    |  1 -
- accel/tcg/cpu-exec-common.c  | 10 +++++-----
+ target/tricore/op_helper.c |  7 -------
- accel/tcg/cpu-exec.c         |  1 -
+ target/tricore/translate.c | 14 +-------------
- accel/tcg/translate-all.c    | 27 ++++++++++++++-------------
+files changed, 1 insertion(+), 21 deletions(-)
  accel/tcg/user-exec.c        |  2 +-
  hw/misc/mips_itu.c           |  3 +--
  target/alpha/helper.c        |  2 +-
  target/alpha/mem_helper.c    |  6 ++----
  target/arm/op_helper.c       |  6 +++---
  target/cris/op_helper.c      |  4 ++--
  target/i386/helper.c         |  2 +-
  target/i386/svm_helper.c     |  2 +-
  target/m68k/op_helper.c      |  4 ++--
  target/moxie/helper.c        |  2 +-
  target/openrisc/sys_helper.c |  8 ++++----
  target/tricore/op_helper.c   |  2 +-
  target/xtensa/op_helper.c    |  4 ++--
 files changed, 45 insertions(+), 45 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/target/tricore/helper.h b/target/tricore/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/target/tricore/helper.h
-+++ b/include/exec/exec-all.h
++++ b/target/tricore/helper.h
-@@ -XXX,XX +XXX,XX @@ void cpu_gen_init(void);
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(psw_write, void, env, i32)
-  * cpu_restore_state:
+ DEF_HELPER_1(psw_read, i32, env)
-  * @cpu: the vCPU state is to be restore to
+ /* Exceptions */
-  * @searched_pc: the host PC the fault occurred at
+ DEF_HELPER_3(raise_exception_sync, noreturn, env, i32, i32)
-+ * @will_exit: true if the TB executed will be interrupted after some
+-DEF_HELPER_2(qemu_excp, noreturn, env, i32)
 +               cpu adjustments. Required for maintaining the correct
 +               icount valus
   * @return: true if state was restored, false otherwise
   *
   * Attempt to restore the state for a fault occurring in translated
   * code. If the searched_pc is not in translated code no state is
   * restored and the function returns false.
   */
 -bool cpu_restore_state(CPUState *cpu, uintptr_t searched_pc);
 +bool cpu_restore_state(CPUState *cpu, uintptr_t searched_pc, bool will_exit);
  void QEMU_NORETURN cpu_loop_exit_noexc(CPUState *cpu);
  void QEMU_NORETURN cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
 diff --git a/accel/tcg/cpu-exec-common.c b/accel/tcg/cpu-exec-common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec-common.c
 +++ b/accel/tcg/cpu-exec-common.c
@@ -XXX,XX +XXX,XX @@ bool tcg_allowed;
  /* exit the current TB, but without causing any exception to be raised */
  void cpu_loop_exit_noexc(CPUState *cpu)
  {
 -    /* XXX: restore cpu registers saved in host registers */
 -
      cpu->exception_index = -1;
 -    siglongjmp(cpu->jmp_env, 1);
 +    cpu_loop_exit(cpu);
  }
  #if defined(CONFIG_SOFTMMU)
@@ -XXX,XX +XXX,XX @@ void cpu_reloading_memory_map(void)
  void cpu_loop_exit(CPUState *cpu)
  {
 +    /* Undo the setting in cpu_tb_exec.  */
 +    cpu->can_do_io = 1;
      siglongjmp(cpu->jmp_env, 1);
  }
  void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
  {
      if (pc) {
 -        cpu_restore_state(cpu, pc);
 +        cpu_restore_state(cpu, pc, true);
      }
 -    siglongjmp(cpu->jmp_env, 1);
 +    cpu_loop_exit(cpu);
  }
  void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
          g_assert(cpu == current_cpu);
          g_assert(cc == CPU_GET_CLASS(cpu));
  #endif /* buggy compiler */
 -        cpu->can_do_io = 1;
          tb_lock_reset();
          if (qemu_mutex_iothread_locked()) {
              qemu_mutex_unlock_iothread();
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static int encode_search(TranslationBlock *tb, uint8_t *block)
  /* The cpu state corresponding to 'searched_pc' is restored.
   * Called with tb_lock held.
 + * When reset_icount is true, current TB will be interrupted and
 + * icount should be recalculated.
   */
  static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
 -                                     uintptr_t searched_pc)
 +                                     uintptr_t searched_pc, bool reset_icount)
  {
      target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
      uintptr_t host_pc = (uintptr_t)tb->tc.ptr;
@@ -XXX,XX +XXX,XX @@ static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
      return -1;
   found:
 -    if (tb->cflags & CF_USE_ICOUNT) {
 +    if (reset_icount && (tb->cflags & CF_USE_ICOUNT)) {
          assert(use_icount);
 -        /* Reset the cycle counter to the start of the block.  */
 -        cpu->icount_decr.u16.low += num_insns;
 -        /* Clear the IO flag.  */
 -        cpu->can_do_io = 0;
 +        /* Reset the cycle counter to the start of the block
 +           and shift if to the number of actually executed instructions */
 +        cpu->icount_decr.u16.low += num_insns - i;
      }
 -    cpu->icount_decr.u16.low -= i;
      restore_state_to_opc(env, tb, data);
  #ifdef CONFIG_PROFILER
@@ -XXX,XX +XXX,XX @@ static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
      return 0;
  }
 -bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc)
 +bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc, bool will_exit)
  {
      TranslationBlock *tb;
      bool r = false;
@@ -XXX,XX +XXX,XX @@ bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc)
          tb_lock();
          tb = tb_find_pc(host_pc);
          if (tb) {
 -            cpu_restore_state_from_tb(cpu, tb, host_pc);
 +            cpu_restore_state_from_tb(cpu, tb, host_pc, will_exit);
              if (tb->cflags & CF_NOCACHE) {
                  /* one-shot translation, invalidate it immediately */
                  tb_phys_invalidate(tb, -1);
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
                  restore the CPU state */
                  current_tb_modified = 1;
 -                cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
 +                cpu_restore_state_from_tb(cpu, current_tb,
 +                                          cpu->mem_io_pc, true);
                  cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                       &current_flags);
              }
@@ -XXX,XX +XXX,XX @@ static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
                     restore the CPU state */
              current_tb_modified = 1;
 -            cpu_restore_state_from_tb(cpu, current_tb, pc);
 +            cpu_restore_state_from_tb(cpu, current_tb, pc, true);
              cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                   &current_flags);
          }
@@ -XXX,XX +XXX,XX @@ void tb_check_watchpoint(CPUState *cpu)
      tb = tb_find_pc(cpu->mem_io_pc);
      if (tb) {
          /* We can use retranslation to find the PC.  */
 -        cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
 +        cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc, true);
          tb_phys_invalidate(tb, -1);
      } else {
          /* The exception probably happened in a helper.  The CPU state should
@@ -XXX,XX +XXX,XX @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
          cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
                    (void *)retaddr);
      }
 -    cpu_restore_state_from_tb(cpu, tb, retaddr);
 +    cpu_restore_state_from_tb(cpu, tb, retaddr, true);
      /* On MIPS and SH, delay slot instructions can only be restarted if
         they were already the first instruction in the TB.  If this is not
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
      }
      /* Now we have a real cpu fault.  */
 -    cpu_restore_state(cpu, pc);
 +    cpu_restore_state(cpu, pc, true);
      sigprocmask(SIG_SETMASK, old_set, NULL);
      cpu_loop_exit(cpu);
 diff --git a/hw/misc/mips_itu.c b/hw/misc/mips_itu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/misc/mips_itu.c
 +++ b/hw/misc/mips_itu.c
@@ -XXX,XX +XXX,XX @@ static void wake_blocked_threads(ITCStorageCell *c)
  static void QEMU_NORETURN block_thread_and_exit(ITCStorageCell *c)
  {
      c->blocked_threads |= 1ULL << current_cpu->cpu_index;
 -    cpu_restore_state(current_cpu, current_cpu->mem_io_pc);
      current_cpu->halted = 1;
      current_cpu->exception_index = EXCP_HLT;
 -    cpu_loop_exit(current_cpu);
 +    cpu_loop_exit_restore(current_cpu, current_cpu->mem_io_pc);
  }
  /* ITC Bypass View */
 diff --git a/target/alpha/helper.c b/target/alpha/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/alpha/helper.c
 +++ b/target/alpha/helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN dynamic_excp(CPUAlphaState *env, uintptr_t retaddr,
      cs->exception_index = excp;
      env->error_code = error;
      if (retaddr) {
 -        cpu_restore_state(cs, retaddr);
 +        cpu_restore_state(cs, retaddr, true);
          /* Floating-point exceptions (our only users) point to the next PC.  */
          env->pc += 4;
      }
 diff --git a/target/alpha/mem_helper.c b/target/alpha/mem_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/alpha/mem_helper.c
 +++ b/target/alpha/mem_helper.c
@@ -XXX,XX +XXX,XX @@ void alpha_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
      uint64_t pc;
      uint32_t insn;
 -    cpu_restore_state(cs, retaddr);
 +    cpu_restore_state(cs, retaddr, true);
      pc = env->pc;
      insn = cpu_ldl_code(env, pc);
@@ -XXX,XX +XXX,XX @@ void alpha_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
      AlphaCPU *cpu = ALPHA_CPU(cs);
      CPUAlphaState *env = &cpu->env;
 -    cpu_restore_state(cs, retaddr);
 -
      env->trap_arg0 = addr;
      env->trap_arg1 = access_type == MMU_DATA_STORE ? 1 : 0;
      cs->exception_index = EXCP_MCHK;
      env->error_code = 0;
 -    cpu_loop_exit(cs);
 +    cpu_loop_exit_restore(cs, retaddr);
  }
  /* try to fill the TLB and return an exception if error. If retaddr is
 diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/op_helper.c
 +++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
          ARMCPU *cpu = ARM_CPU(cs);
          /* now we have a real cpu fault */
 -        cpu_restore_state(cs, retaddr);
 +        cpu_restore_state(cs, retaddr, true);
          deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
      }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
      ARMMMUFaultInfo fi = {};
      /* now we have a real cpu fault */
 -    cpu_restore_state(cs, retaddr);
 +    cpu_restore_state(cs, retaddr, true);
      fi.type = ARMFault_Alignment;
      deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
      ARMMMUFaultInfo fi = {};
      /* now we have a real cpu fault */
 -    cpu_restore_state(cs, retaddr);
 +    cpu_restore_state(cs, retaddr, true);
      fi.ea = arm_extabort_type(response);
      fi.type = ARMFault_SyncExternal;
 diff --git a/target/cris/op_helper.c b/target/cris/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/cris/op_helper.c
 +++ b/target/cris/op_helper.c
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
      if (unlikely(ret)) {
          if (retaddr) {
              /* now we have a real cpu fault */
 -            if (cpu_restore_state(cs, retaddr)) {
 -        /* Evaluate flags after retranslation.  */
 +            if (cpu_restore_state(cs, retaddr, true)) {
 +                /* Evaluate flags after retranslation. */
                  helper_top_evaluate_flags(env);
              }
          }
 diff --git a/target/i386/helper.c b/target/i386/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/helper.c
 +++ b/target/i386/helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_report_tpr_access(CPUX86State *env, TPRAccess access)
          cpu_interrupt(cs, CPU_INTERRUPT_TPR);
      } else if (tcg_enabled()) {
 -        cpu_restore_state(cs, cs->mem_io_pc);
 +        cpu_restore_state(cs, cs->mem_io_pc, false);
          apic_handle_tpr_access_report(cpu->apic_state, env->eip, access);
      }
 diff --git a/target/i386/svm_helper.c b/target/i386/svm_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/svm_helper.c
 +++ b/target/i386/svm_helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_vmexit(CPUX86State *env, uint32_t exit_code, uint64_t exit_info_1,
  {
      CPUState *cs = CPU(x86_env_get_cpu(env));
 -    cpu_restore_state(cs, retaddr);
 +    cpu_restore_state(cs, retaddr, true);
      qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmexit(%08x, %016" PRIx64 ", %016"
                    PRIx64 ", " TARGET_FMT_lx ")!\n",
 diff --git a/target/m68k/op_helper.c b/target/m68k/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/m68k/op_helper.c
 +++ b/target/m68k/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(chk)(CPUM68KState *env, int32_t val, int32_t ub)
          CPUState *cs = CPU(m68k_env_get_cpu(env));
          /* Recover PC and CC_OP for the beginning of the insn.  */
 -        cpu_restore_state(cs, GETPC());
 +        cpu_restore_state(cs, GETPC(), true);
          /* flags have been modified by gen_flush_flags() */
          env->cc_op = CC_OP_FLAGS;
@@ -XXX,XX +XXX,XX @@ void HELPER(chk2)(CPUM68KState *env, int32_t val, int32_t lb, int32_t ub)
          CPUState *cs = CPU(m68k_env_get_cpu(env));
          /* Recover PC and CC_OP for the beginning of the insn.  */
 -        cpu_restore_state(cs, GETPC());
 +        cpu_restore_state(cs, GETPC(), true);
          /* flags have been modified by gen_flush_flags() */
          env->cc_op = CC_OP_FLAGS;
 diff --git a/target/moxie/helper.c b/target/moxie/helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/moxie/helper.c
 +++ b/target/moxie/helper.c
@@ -XXX,XX +XXX,XX @@ void helper_raise_exception(CPUMoxieState *env, int ex)
      /* Stash the exception type.  */
      env->sregs[2] = ex;
      /* Stash the address where the exception occurred.  */
 -    cpu_restore_state(cs, GETPC());
 +    cpu_restore_state(cs, GETPC(), true);
      env->sregs[5] = env->pc;
      /* Jump to the exception handline routine.  */
      env->pc = env->sregs[1];
 diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/openrisc/sys_helper.c
 +++ b/target/openrisc/sys_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env,
          break;
      case TO_SPR(0, 16): /* NPC */
 -        cpu_restore_state(cs, GETPC());
 +        cpu_restore_state(cs, GETPC(), true);
          /* ??? Mirror or1ksim in not trashing delayed branch state
             when "jumping" to the current instruction.  */
          if (env->pc != rb) {
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env,
      case TO_SPR(8, 0):  /* PMR */
          env->pmr = rb;
          if (env->pmr & PMR_DME || env->pmr & PMR_SME) {
 -            cpu_restore_state(cs, GETPC());
 +            cpu_restore_state(cs, GETPC(), true);
              env->pc += 4;
              cs->halted = 1;
              raise_exception(cpu, EXCP_HALTED);
@@ -XXX,XX +XXX,XX @@ target_ulong HELPER(mfspr)(CPUOpenRISCState *env,
          return env->evbar;
      case TO_SPR(0, 16): /* NPC (equals PC) */
 -        cpu_restore_state(cs, GETPC());
 +        cpu_restore_state(cs, GETPC(), false);
          return env->pc;
      case TO_SPR(0, 17): /* SR */
          return cpu_get_sr(env);
      case TO_SPR(0, 18): /* PPC */
 -        cpu_restore_state(cs, GETPC());
 +        cpu_restore_state(cs, GETPC(), false);
          return env->ppc;
      case TO_SPR(0, 32): /* EPCR */
 diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/op_helper.c
 +++ b/target/tricore/op_helper.c
-@@ -XXX,XX +XXX,XX @@ raise_exception_sync_internal(CPUTriCoreState *env, uint32_t class, int tin,
+@@ -XXX,XX +XXX,XX @@ static void raise_exception_sync_helper(CPUTriCoreState *env, uint32_t class,
      raise_exception_sync_internal(env, class, tin, pc, 0);
  }
 -void helper_qemu_excp(CPUTriCoreState *env, uint32_t excp)
 -{
 -    CPUState *cs = env_cpu(env);
 -    cs->exception_index = excp;
 -    cpu_loop_exit(cs);
 -}
 -
  /* Addressing mode helper */
  static uint16_t reverse16(uint16_t val)
 diff --git a/target/tricore/translate.c b/target/tricore/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/translate.c
 +++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_save_pc(target_ulong pc)
      tcg_gen_movi_tl(cpu_PC, pc);
  }
 -static void generate_qemu_excp(DisasContext *ctx, int excp)
 -{
 -    TCGv_i32 tmp = tcg_const_i32(excp);
 -    gen_helper_qemu_excp(cpu_env, tmp);
 -    ctx->base.is_jmp = DISAS_NORETURN;
 -    tcg_temp_free(tmp);
 -}
 -
  static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
  {
-     CPUState *cs = CPU(tricore_env_get_cpu(env));
+     if (translator_use_goto_tb(&ctx->base, dest)) {
-     /* in case we come from a helper-call we need to restore the PC */
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
--    cpu_restore_state(cs, pc);
+         tcg_gen_exit_tb(ctx->base.tb, n);
 +    cpu_restore_state(cs, pc, true);
      /* Tin is loaded into d[15] */
      env->gpr_d[15] = tin;
 diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/xtensa/op_helper.c
 +++ b/target/xtensa/op_helper.c
@@ -XXX,XX +XXX,XX @@ void xtensa_cpu_do_unaligned_access(CPUState *cs,
      if (xtensa_option_enabled(env->config, XTENSA_OPTION_UNALIGNED_EXCEPTION) &&
              !xtensa_option_enabled(env->config, XTENSA_OPTION_HW_ALIGNMENT)) {
 -        cpu_restore_state(CPU(cpu), retaddr);
 +        cpu_restore_state(CPU(cpu), retaddr, true);
          HELPER(exception_cause_vaddr)(env,
                  env->pc, LOAD_STORE_ALIGNMENT_CAUSE, addr);
      }
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong vaddr, int size,
                       paddr & TARGET_PAGE_MASK,
                       access, mmu_idx, page_size);
      } else {
--        cpu_restore_state(cs, retaddr);
+         gen_save_pc(dest);
-+        cpu_restore_state(cs, retaddr, true);
+-        if (ctx->base.singlestep_enabled) {
-         HELPER(exception_cause_vaddr)(env, env->pc, ret, vaddr);
+-            generate_qemu_excp(ctx, EXCP_DEBUG);
 -        } else {
 -            tcg_gen_lookup_and_goto_ptr();
 -        }
 +        tcg_gen_lookup_and_goto_ptr();
      }
  }
 --
-.14.3
+.25.1

-New patch
+[PULL 23/24] target/xtensa: Drop check for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/xtensa/translate.c | 25 ++++++++-----------------
+file changed, 8 insertions(+), 17 deletions(-)
+diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/xtensa/translate.c
++++ b/target/xtensa/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_jump_slot(DisasContext *dc, TCGv dest, int slot)
+     if (dc->icount) {
+         tcg_gen_mov_i32(cpu_SR[ICOUNT], dc->next_icount);
+     }
+-    if (dc->base.singlestep_enabled) {
+-        gen_exception(dc, EXCP_DEBUG);
++    if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
++        slot = gen_postprocess(dc, slot);
++    }
++    if (slot >= 0) {
++        tcg_gen_goto_tb(slot);
++        tcg_gen_exit_tb(dc->base.tb, slot);
+     } else {
+-        if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
+-            slot = gen_postprocess(dc, slot);
+-        }
+-        if (slot >= 0) {
+-            tcg_gen_goto_tb(slot);
+-            tcg_gen_exit_tb(dc->base.tb, slot);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+     }
+     dc->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+     case DISAS_NORETURN:
+         break;
+     case DISAS_TOO_MANY:
+-        if (dc->base.singlestep_enabled) {
+-            tcg_gen_movi_i32(cpu_pc, dc->pc);
+-            gen_exception(dc, EXCP_DEBUG);
+-        } else {
+-            gen_jumpi(dc, dc->pc, 0);
+-        }
++        gen_jumpi(dc, dc->pc, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 24/24] Revert "cpu: Move cpu_common_props to hw/core/cpu.c"
+This reverts commit 1b36e4f5a5de585210ea95f2257839c2312be28f.
+Despite a comment saying why cpu_common_props cannot be placed in
+a file that is compiled once, it was moved anyway.  Revert that.
+Since then, Property is not defined in hw/core/cpu.h, so it is now
+easier to declare a function to install the properties rather than
+the Property array itself.
+Cc: Eduardo Habkost <ehabkost@redhat.com>
+Suggested-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ include/hw/core/cpu.h |  1 +
+ cpu.c                 | 21 +++++++++++++++++++++
+ hw/core/cpu-common.c  | 17 +----------------
+files changed, 23 insertions(+), 16 deletions(-)
+diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/core/cpu.h
++++ b/include/hw/core/cpu.h
+@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN cpu_abort(CPUState *cpu, const char *fmt, ...)
+     GCC_FMT_ATTR(2, 3);
+ /* $(top_srcdir)/cpu.c */
++void cpu_class_init_props(DeviceClass *dc);
+ void cpu_exec_initfn(CPUState *cpu);
+ void cpu_exec_realizefn(CPUState *cpu, Error **errp);
+ void cpu_exec_unrealizefn(CPUState *cpu);
+diff --git a/cpu.c b/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/cpu.c
++++ b/cpu.c
+@@ -XXX,XX +XXX,XX @@ void cpu_exec_unrealizefn(CPUState *cpu)
+     cpu_list_remove(cpu);
+ }
++static Property cpu_common_props[] = {
++#ifndef CONFIG_USER_ONLY
++    /*
++     * Create a memory property for softmmu CPU object,
++     * so users can wire up its memory. (This can't go in hw/core/cpu.c
++     * because that file is compiled only once for both user-mode
++     * and system builds.) The default if no link is set up is to use
++     * the system address space.
++     */
++    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
++                     MemoryRegion *),
++#endif
++    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
++    DEFINE_PROP_END_OF_LIST(),
++};
++
++void cpu_class_init_props(DeviceClass *dc)
++{
++    device_class_set_props(dc, cpu_common_props);
++}
++
+ void cpu_exec_initfn(CPUState *cpu)
+ {
+     cpu->as = NULL;
+diff --git a/hw/core/cpu-common.c b/hw/core/cpu-common.c
+index XXXXXXX..XXXXXXX 100644
+--- a/hw/core/cpu-common.c
++++ b/hw/core/cpu-common.c
+@@ -XXX,XX +XXX,XX @@ static int64_t cpu_common_get_arch_id(CPUState *cpu)
+     return cpu->cpu_index;
+ }
+-static Property cpu_common_props[] = {
+-#ifndef CONFIG_USER_ONLY
+-    /* Create a memory property for softmmu CPU object,
+-     * so users can wire up its memory. (This can't go in hw/core/cpu.c
+-     * because that file is compiled only once for both user-mode
+-     * and system builds.) The default if no link is set up is to use
+-     * the system address space.
+-     */
+-    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
+-                     MemoryRegion *),
+-#endif
+-    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
+-    DEFINE_PROP_END_OF_LIST(),
+-};
+-
+ static void cpu_class_init(ObjectClass *klass, void *data)
+ {
+     DeviceClass *dc = DEVICE_CLASS(klass);
+@@ -XXX,XX +XXX,XX @@ static void cpu_class_init(ObjectClass *klass, void *data)
+     dc->realize = cpu_common_realizefn;
+     dc->unrealize = cpu_common_unrealizefn;
+     dc->reset = cpu_common_reset;
+-    device_class_set_props(dc, cpu_common_props);
++    cpu_class_init_props(dc);
+     /*
+      * Reason: CPUs still need special care by board code: wiring up
+      * IRQs, adding reset handlers, halting non-first CPUs, ...
+--
+.25.1

The following changes since commit 26d6a7c87b05017ffabffb5e16837a0fccf67e90:

Merge remote-tracking branch 'remotes/ericb/tags/pull-qapi-2018-04-10' into staging (2018-04-10 22:16:19 +0100)

are available in the Git repository at:

git://github.com/rth7680/qemu.git tags/pull-tcg-20180411

for you to fetch changes up to afd46fcad2dceffda35c0586f5723c127b6e09d8:

icount: fix cpu_restore_state_from_tb for non-tb-exit cases (2018-04-11 09:05:22 +1000)

----------------------------------------------------------------
Handle read-modify-write i/o with icount

----------------------------------------------------------------
Pavel Dovgalyuk (1):
      icount: fix cpu_restore_state_from_tb for non-tb-exit cases

From: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>

In icount mode, instructions that access io memory spaces in the middle
of the translation block invoke TB recompilation.  After recompilation,
such instructions become last in the TB and are allowed to access io
memory spaces.

When the code includes instruction like i386 'xchg eax, 0xffffd080'
which accesses APIC, QEMU goes into an infinite loop of the recompilation.

This instruction includes two memory accesses - one read and one write.
After the first access, APIC calls cpu_report_tpr_access, which restores
the CPU state to get the current eip.  But cpu_restore_state_from_tb
resets the cpu->can_do_io flag which makes the second memory access invalid.
Therefore the second memory access causes a recompilation of the block.
Then these operations repeat again and again.

This patch moves resetting cpu->can_do_io flag from
cpu_restore_state_from_tb to cpu_loop_exit* functions.

It also adds a parameter for cpu_restore_state which controls restoring
icount.  There is no need to restore icount when we only query CPU state
without breaking the TB.  Restoring it in such cases leads to the
incorrect flow of the virtual time.

In most cases new parameter is true (icount should be recalculated).
But there are two cases in i386 and openrisc when the CPU state is only
queried without the need to break the TB.  This patch fixes both of
these cases.

Signed-off-by: Pavel Dovgalyuk <Pavel.Dovgaluk@ispras.ru>
Message-Id: <20180409091320.12504.35329.stgit@pasha-VirtualBox>
[rth: Make can_do_io setting unconditional; move from cpu_exec;
make cpu_loop_exit_{noexc,restore} call cpu_loop_exit.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h      |  5 ++++-
 accel/tcg/cpu-exec-common.c  | 10 +++++-----
 accel/tcg/cpu-exec.c         |  1 -
 accel/tcg/translate-all.c    | 27 ++++++++++++++-------------
 accel/tcg/user-exec.c        |  2 +-
 hw/misc/mips_itu.c           |  3 +--
 target/alpha/helper.c        |  2 +-
 target/alpha/mem_helper.c    |  6 ++----
 target/arm/op_helper.c       |  6 +++---
 target/cris/op_helper.c      |  4 ++--
 target/i386/helper.c         |  2 +-
 target/i386/svm_helper.c     |  2 +-
 target/m68k/op_helper.c      |  4 ++--
 target/moxie/helper.c        |  2 +-
 target/openrisc/sys_helper.c |  8 ++++----
 target/tricore/op_helper.c   |  2 +-
 target/xtensa/op_helper.c    |  4 ++--
 17 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void cpu_gen_init(void);
  * cpu_restore_state:
  * @cpu: the vCPU state is to be restore to
  * @searched_pc: the host PC the fault occurred at
+ * @will_exit: true if the TB executed will be interrupted after some
+               cpu adjustments. Required for maintaining the correct
+               icount valus
  * @return: true if state was restored, false otherwise
  *
  * Attempt to restore the state for a fault occurring in translated
  * code. If the searched_pc is not in translated code no state is
  * restored and the function returns false.
  */
-bool cpu_restore_state(CPUState *cpu, uintptr_t searched_pc);
+bool cpu_restore_state(CPUState *cpu, uintptr_t searched_pc, bool will_exit);
 
 void QEMU_NORETURN cpu_loop_exit_noexc(CPUState *cpu);
 void QEMU_NORETURN cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
diff --git a/accel/tcg/cpu-exec-common.c b/accel/tcg/cpu-exec-common.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec-common.c
+++ b/accel/tcg/cpu-exec-common.c
@@ -XXX,XX +XXX,XX @@ bool tcg_allowed;
 /* exit the current TB, but without causing any exception to be raised */
 void cpu_loop_exit_noexc(CPUState *cpu)
 {
-    /* XXX: restore cpu registers saved in host registers */
-
     cpu->exception_index = -1;
-    siglongjmp(cpu->jmp_env, 1);
+    cpu_loop_exit(cpu);
 }
 
 #if defined(CONFIG_SOFTMMU)
@@ -XXX,XX +XXX,XX @@ void cpu_reloading_memory_map(void)
 
 void cpu_loop_exit(CPUState *cpu)
 {
+    /* Undo the setting in cpu_tb_exec.  */
+    cpu->can_do_io = 1;
     siglongjmp(cpu->jmp_env, 1);
 }
 
 void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
 {
     if (pc) {
-        cpu_restore_state(cpu, pc);
+        cpu_restore_state(cpu, pc, true);
     }
-    siglongjmp(cpu->jmp_env, 1);
+    cpu_loop_exit(cpu);
 }
 
 void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc)
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
         g_assert(cpu == current_cpu);
         g_assert(cc == CPU_GET_CLASS(cpu));
 #endif /* buggy compiler */
-        cpu->can_do_io = 1;
         tb_lock_reset();
         if (qemu_mutex_iothread_locked()) {
             qemu_mutex_unlock_iothread();
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static int encode_search(TranslationBlock *tb, uint8_t *block)
 
 /* The cpu state corresponding to 'searched_pc' is restored.
  * Called with tb_lock held.
+ * When reset_icount is true, current TB will be interrupted and
+ * icount should be recalculated.
  */
 static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
-                                     uintptr_t searched_pc)
+                                     uintptr_t searched_pc, bool reset_icount)
 {
     target_ulong data[TARGET_INSN_START_WORDS] = { tb->pc };
     uintptr_t host_pc = (uintptr_t)tb->tc.ptr;
@@ -XXX,XX +XXX,XX @@ static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
     return -1;
 
  found:
-    if (tb->cflags & CF_USE_ICOUNT) {
+    if (reset_icount && (tb->cflags & CF_USE_ICOUNT)) {
         assert(use_icount);
-        /* Reset the cycle counter to the start of the block.  */
-        cpu->icount_decr.u16.low += num_insns;
-        /* Clear the IO flag.  */
-        cpu->can_do_io = 0;
+        /* Reset the cycle counter to the start of the block
+           and shift if to the number of actually executed instructions */
+        cpu->icount_decr.u16.low += num_insns - i;
     }
-    cpu->icount_decr.u16.low -= i;
     restore_state_to_opc(env, tb, data);
 
 #ifdef CONFIG_PROFILER
@@ -XXX,XX +XXX,XX @@ static int cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
     return 0;
 }
 
-bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc)
+bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc, bool will_exit)
 {
     TranslationBlock *tb;
     bool r = false;
@@ -XXX,XX +XXX,XX @@ bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc)
         tb_lock();
         tb = tb_find_pc(host_pc);
         if (tb) {
-            cpu_restore_state_from_tb(cpu, tb, host_pc);
+            cpu_restore_state_from_tb(cpu, tb, host_pc, will_exit);
             if (tb->cflags & CF_NOCACHE) {
                 /* one-shot translation, invalidate it immediately */
                 tb_phys_invalidate(tb, -1);
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_page_range(tb_page_addr_t start, tb_page_addr_t end,
                 restore the CPU state */
 
                 current_tb_modified = 1;
-                cpu_restore_state_from_tb(cpu, current_tb, cpu->mem_io_pc);
+                cpu_restore_state_from_tb(cpu, current_tb,
+                                          cpu->mem_io_pc, true);
                 cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                      &current_flags);
             }
@@ -XXX,XX +XXX,XX @@ static bool tb_invalidate_phys_page(tb_page_addr_t addr, uintptr_t pc)
                    restore the CPU state */
 
             current_tb_modified = 1;
-            cpu_restore_state_from_tb(cpu, current_tb, pc);
+            cpu_restore_state_from_tb(cpu, current_tb, pc, true);
             cpu_get_tb_cpu_state(env, &current_pc, &current_cs_base,
                                  &current_flags);
         }
@@ -XXX,XX +XXX,XX @@ void tb_check_watchpoint(CPUState *cpu)
     tb = tb_find_pc(cpu->mem_io_pc);
     if (tb) {
         /* We can use retranslation to find the PC.  */
-        cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc);
+        cpu_restore_state_from_tb(cpu, tb, cpu->mem_io_pc, true);
         tb_phys_invalidate(tb, -1);
     } else {
         /* The exception probably happened in a helper.  The CPU state should
@@ -XXX,XX +XXX,XX @@ void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr)
         cpu_abort(cpu, "cpu_io_recompile: could not find TB for pc=%p",
                   (void *)retaddr);
     }
-    cpu_restore_state_from_tb(cpu, tb, retaddr);
+    cpu_restore_state_from_tb(cpu, tb, retaddr, true);
 
     /* On MIPS and SH, delay slot instructions can only be restarted if
        they were already the first instruction in the TB.  If this is not
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static inline int handle_cpu_signal(uintptr_t pc, siginfo_t *info,
     }
 
     /* Now we have a real cpu fault.  */
-    cpu_restore_state(cpu, pc);
+    cpu_restore_state(cpu, pc, true);
 
     sigprocmask(SIG_SETMASK, old_set, NULL);
     cpu_loop_exit(cpu);
diff --git a/hw/misc/mips_itu.c b/hw/misc/mips_itu.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/misc/mips_itu.c
+++ b/hw/misc/mips_itu.c
@@ -XXX,XX +XXX,XX @@ static void wake_blocked_threads(ITCStorageCell *c)
 static void QEMU_NORETURN block_thread_and_exit(ITCStorageCell *c)
 {
     c->blocked_threads |= 1ULL << current_cpu->cpu_index;
-    cpu_restore_state(current_cpu, current_cpu->mem_io_pc);
     current_cpu->halted = 1;
     current_cpu->exception_index = EXCP_HLT;
-    cpu_loop_exit(current_cpu);
+    cpu_loop_exit_restore(current_cpu, current_cpu->mem_io_pc);
 }
 
 /* ITC Bypass View */
diff --git a/target/alpha/helper.c b/target/alpha/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/helper.c
+++ b/target/alpha/helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN dynamic_excp(CPUAlphaState *env, uintptr_t retaddr,
     cs->exception_index = excp;
     env->error_code = error;
     if (retaddr) {
-        cpu_restore_state(cs, retaddr);
+        cpu_restore_state(cs, retaddr, true);
         /* Floating-point exceptions (our only users) point to the next PC.  */
         env->pc += 4;
     }
diff --git a/target/alpha/mem_helper.c b/target/alpha/mem_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/mem_helper.c
+++ b/target/alpha/mem_helper.c
@@ -XXX,XX +XXX,XX @@ void alpha_cpu_do_unaligned_access(CPUState *cs, vaddr addr,
     uint64_t pc;
     uint32_t insn;
 
-    cpu_restore_state(cs, retaddr);
+    cpu_restore_state(cs, retaddr, true);
 
     pc = env->pc;
     insn = cpu_ldl_code(env, pc);
@@ -XXX,XX +XXX,XX @@ void alpha_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
     AlphaCPU *cpu = ALPHA_CPU(cs);
     CPUAlphaState *env = &cpu->env;
 
-    cpu_restore_state(cs, retaddr);
-
     env->trap_arg0 = addr;
     env->trap_arg1 = access_type == MMU_DATA_STORE ? 1 : 0;
     cs->exception_index = EXCP_MCHK;
     env->error_code = 0;
-    cpu_loop_exit(cs);
+    cpu_loop_exit_restore(cs, retaddr);
 }
 
 /* try to fill the TLB and return an exception if error. If retaddr is
diff --git a/target/arm/op_helper.c b/target/arm/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/op_helper.c
+++ b/target/arm/op_helper.c
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
         ARMCPU *cpu = ARM_CPU(cs);
 
         /* now we have a real cpu fault */
-        cpu_restore_state(cs, retaddr);
+        cpu_restore_state(cs, retaddr, true);
 
         deliver_fault(cpu, addr, access_type, mmu_idx, &fi);
     }
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_unaligned_access(CPUState *cs, vaddr vaddr,
     ARMMMUFaultInfo fi = {};
 
     /* now we have a real cpu fault */
-    cpu_restore_state(cs, retaddr);
+    cpu_restore_state(cs, retaddr, true);
 
     fi.type = ARMFault_Alignment;
     deliver_fault(cpu, vaddr, access_type, mmu_idx, &fi);
@@ -XXX,XX +XXX,XX @@ void arm_cpu_do_transaction_failed(CPUState *cs, hwaddr physaddr,
     ARMMMUFaultInfo fi = {};
 
     /* now we have a real cpu fault */
-    cpu_restore_state(cs, retaddr);
+    cpu_restore_state(cs, retaddr, true);
 
     fi.ea = arm_extabort_type(response);
     fi.type = ARMFault_SyncExternal;
diff --git a/target/cris/op_helper.c b/target/cris/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/cris/op_helper.c
+++ b/target/cris/op_helper.c
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong addr, int size,
     if (unlikely(ret)) {
         if (retaddr) {
             /* now we have a real cpu fault */
-            if (cpu_restore_state(cs, retaddr)) {
-		/* Evaluate flags after retranslation.  */
+            if (cpu_restore_state(cs, retaddr, true)) {
+                /* Evaluate flags after retranslation. */
                 helper_top_evaluate_flags(env);
             }
         }
diff --git a/target/i386/helper.c b/target/i386/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/helper.c
+++ b/target/i386/helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_report_tpr_access(CPUX86State *env, TPRAccess access)
 
         cpu_interrupt(cs, CPU_INTERRUPT_TPR);
     } else if (tcg_enabled()) {
-        cpu_restore_state(cs, cs->mem_io_pc);
+        cpu_restore_state(cs, cs->mem_io_pc, false);
 
         apic_handle_tpr_access_report(cpu->apic_state, env->eip, access);
     }
diff --git a/target/i386/svm_helper.c b/target/i386/svm_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/svm_helper.c
+++ b/target/i386/svm_helper.c
@@ -XXX,XX +XXX,XX @@ void cpu_vmexit(CPUX86State *env, uint32_t exit_code, uint64_t exit_info_1,
 {
     CPUState *cs = CPU(x86_env_get_cpu(env));
 
-    cpu_restore_state(cs, retaddr);
+    cpu_restore_state(cs, retaddr, true);
 
     qemu_log_mask(CPU_LOG_TB_IN_ASM, "vmexit(%08x, %016" PRIx64 ", %016"
                   PRIx64 ", " TARGET_FMT_lx ")!\n",
diff --git a/target/m68k/op_helper.c b/target/m68k/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/op_helper.c
+++ b/target/m68k/op_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(chk)(CPUM68KState *env, int32_t val, int32_t ub)
         CPUState *cs = CPU(m68k_env_get_cpu(env));
 
         /* Recover PC and CC_OP for the beginning of the insn.  */
-        cpu_restore_state(cs, GETPC());
+        cpu_restore_state(cs, GETPC(), true);
 
         /* flags have been modified by gen_flush_flags() */
         env->cc_op = CC_OP_FLAGS;
@@ -XXX,XX +XXX,XX @@ void HELPER(chk2)(CPUM68KState *env, int32_t val, int32_t lb, int32_t ub)
         CPUState *cs = CPU(m68k_env_get_cpu(env));
 
         /* Recover PC and CC_OP for the beginning of the insn.  */
-        cpu_restore_state(cs, GETPC());
+        cpu_restore_state(cs, GETPC(), true);
 
         /* flags have been modified by gen_flush_flags() */
         env->cc_op = CC_OP_FLAGS;
diff --git a/target/moxie/helper.c b/target/moxie/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/moxie/helper.c
+++ b/target/moxie/helper.c
@@ -XXX,XX +XXX,XX @@ void helper_raise_exception(CPUMoxieState *env, int ex)
     /* Stash the exception type.  */
     env->sregs[2] = ex;
     /* Stash the address where the exception occurred.  */
-    cpu_restore_state(cs, GETPC());
+    cpu_restore_state(cs, GETPC(), true);
     env->sregs[5] = env->pc;
     /* Jump to the exception handline routine.  */
     env->pc = env->sregs[1];
diff --git a/target/openrisc/sys_helper.c b/target/openrisc/sys_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/sys_helper.c
+++ b/target/openrisc/sys_helper.c
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env,
         break;
 
     case TO_SPR(0, 16): /* NPC */
-        cpu_restore_state(cs, GETPC());
+        cpu_restore_state(cs, GETPC(), true);
         /* ??? Mirror or1ksim in not trashing delayed branch state
            when "jumping" to the current instruction.  */
         if (env->pc != rb) {
@@ -XXX,XX +XXX,XX @@ void HELPER(mtspr)(CPUOpenRISCState *env,
     case TO_SPR(8, 0):  /* PMR */
         env->pmr = rb;
         if (env->pmr & PMR_DME || env->pmr & PMR_SME) {
-            cpu_restore_state(cs, GETPC());
+            cpu_restore_state(cs, GETPC(), true);
             env->pc += 4;
             cs->halted = 1;
             raise_exception(cpu, EXCP_HALTED);
@@ -XXX,XX +XXX,XX @@ target_ulong HELPER(mfspr)(CPUOpenRISCState *env,
         return env->evbar;
 
     case TO_SPR(0, 16): /* NPC (equals PC) */
-        cpu_restore_state(cs, GETPC());
+        cpu_restore_state(cs, GETPC(), false);
         return env->pc;
 
     case TO_SPR(0, 17): /* SR */
         return cpu_get_sr(env);
 
     case TO_SPR(0, 18): /* PPC */
-        cpu_restore_state(cs, GETPC());
+        cpu_restore_state(cs, GETPC(), false);
         return env->ppc;
 
     case TO_SPR(0, 32): /* EPCR */
diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/op_helper.c
+++ b/target/tricore/op_helper.c
@@ -XXX,XX +XXX,XX @@ raise_exception_sync_internal(CPUTriCoreState *env, uint32_t class, int tin,
 {
     CPUState *cs = CPU(tricore_env_get_cpu(env));
     /* in case we come from a helper-call we need to restore the PC */
-    cpu_restore_state(cs, pc);
+    cpu_restore_state(cs, pc, true);
 
     /* Tin is loaded into d[15] */
     env->gpr_d[15] = tin;
diff --git a/target/xtensa/op_helper.c b/target/xtensa/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/op_helper.c
+++ b/target/xtensa/op_helper.c
@@ -XXX,XX +XXX,XX @@ void xtensa_cpu_do_unaligned_access(CPUState *cs,
 
     if (xtensa_option_enabled(env->config, XTENSA_OPTION_UNALIGNED_EXCEPTION) &&
             !xtensa_option_enabled(env->config, XTENSA_OPTION_HW_ALIGNMENT)) {
-        cpu_restore_state(CPU(cpu), retaddr);
+        cpu_restore_state(CPU(cpu), retaddr, true);
         HELPER(exception_cause_vaddr)(env,
                 env->pc, LOAD_STORE_ALIGNMENT_CAUSE, addr);
     }
@@ -XXX,XX +XXX,XX @@ void tlb_fill(CPUState *cs, target_ulong vaddr, int size,
                      paddr & TARGET_PAGE_MASK,
                      access, mmu_idx, page_size);
     } else {
-        cpu_restore_state(cs, retaddr);
+        cpu_restore_state(cs, retaddr, true);
         HELPER(exception_cause_vaddr)(env, env->pc, ret, vaddr);
     }
 }
-- 
2.14.3

The following changes since commit 6587b0c1331d427b0939c37e763842550ed581db:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-10-15' into staging (2021-10-15 14:16:28 -0700)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20211016

for you to fetch changes up to 995b87dedc78b0467f5f18bbc3546072ba97516a:

Revert "cpu: Move cpu_common_props to hw/core/cpu.c" (2021-10-15 16:39:15 -0700)

----------------------------------------------------------------
Move gdb singlestep to generic code
Fix cpu_common_props

----------------------------------------------------------------
Richard Henderson (24):
      accel/tcg: Handle gdb singlestep in cpu_tb_exec
      target/alpha: Drop checks for singlestep_enabled
      target/avr: Drop checks for singlestep_enabled
      target/cris: Drop checks for singlestep_enabled
      target/hexagon: Drop checks for singlestep_enabled
      target/arm: Drop checks for singlestep_enabled
      target/hppa: Drop checks for singlestep_enabled
      target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
      target/i386: Drop check for singlestep_enabled
      target/m68k: Drop checks for singlestep_enabled
      target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
      target/microblaze: Drop checks for singlestep_enabled
      target/mips: Fix single stepping
      target/mips: Drop exit checks for singlestep_enabled
      target/openrisc: Drop checks for singlestep_enabled
      target/ppc: Drop exit checks for singlestep_enabled
      target/riscv: Remove dead code after exception
      target/riscv: Remove exit_tb and lookup_and_goto_ptr
      target/rx: Drop checks for singlestep_enabled
      target/s390x: Drop check for singlestep_enabled
      target/sh4: Drop check for singlestep_enabled
      target/tricore: Drop check for singlestep_enabled
      target/xtensa: Drop check for singlestep_enabled
      Revert "cpu: Move cpu_common_props to hw/core/cpu.c"

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/alpha/translate.c | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static void alpha_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         tcg_gen_movi_i64(cpu_pc, ctx->base.pc_next);
         /* FALLTHRU */
     case DISAS_PC_UPDATED:
-        if (!ctx->base.singlestep_enabled) {
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        }
-        /* FALLTHRU */
+        tcg_gen_lookup_and_goto_ptr();
+        break;
     case DISAS_PC_UPDATED_NOCHAIN:
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG, 0);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.

Tested-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/translate.c | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
     ctx->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         tcg_gen_movi_tl(cpu_pc, ctx->npc);
         /* fall through */
     case DISAS_LOOKUP:
-        if (!ctx->base.singlestep_enabled) {
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        }
-        /* fall through */
+        tcg_gen_lookup_and_goto_ptr();
+        break;
     case DISAS_EXIT:
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/hexagon/translate.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_end_tb(DisasContext *ctx)
 {
     gen_exec_counters(ctx);
     tcg_gen_mov_tl(hex_gpr[HEX_REG_PC], hex_next_PC);
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_raw(EXCP_DEBUG);
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
     case DISAS_TOO_MANY:
         gen_exec_counters(ctx);
         tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], ctx->base.pc_next);
-        if (ctx->base.singlestep_enabled) {
-            gen_exception_raw(EXCP_DEBUG);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     case DISAS_NORETURN:
         break;
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/translate-a64.c | 10 ++--------
 target/arm/translate.c     | 36 ++++++------------------------------
 2 files changed, 8 insertions(+), 38 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
         gen_a64_set_pc_im(dest);
         if (s->ss_active) {
             gen_step_complete_exception(s);
-        } else if (s->base.singlestep_enabled) {
-            gen_exception_internal(EXCP_DEBUG);
         } else {
             tcg_gen_lookup_and_goto_ptr();
             s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    if (unlikely(dc->base.singlestep_enabled || dc->ss_active)) {
+    if (unlikely(dc->ss_active)) {
         /* Note that this means single stepping WFI doesn't halt the CPU.
          * For conditional branch insns this is harmless unreachable code as
          * gen_goto_tb() has already handled emitting the debug exception
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             /* fall through */
         case DISAS_EXIT:
         case DISAS_JUMP:
-            if (dc->base.singlestep_enabled) {
-                gen_exception_internal(EXCP_DEBUG);
-            } else {
-                gen_step_complete_exception(dc);
-            }
+            gen_step_complete_exception(dc);
             break;
         case DISAS_NORETURN:
             break;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_step_complete_exception(DisasContext *s)
+static void gen_singlestep_exception(DisasContext *s)
 {
     /* We just completed step of an insn. Move from Active-not-pending
      * to Active-pending, and then also take the swstep exception.
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_singlestep_exception(DisasContext *s)
-{
-    /* Generate the right kind of exception for singlestep, which is
-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
-     * gdb singlestepping.
-     */
-    if (s->ss_active) {
-        gen_step_complete_exception(s);
-    } else {
-        gen_exception_internal(EXCP_DEBUG);
-    }
-}
-
-static inline bool is_singlestepping(DisasContext *s)
-{
-    /* Return true if we are singlestepping either because of
-     * architectural singlestep or QEMU gdbstub singlestep. This does
-     * not include the command line '-singlestep' mode which is rather
-     * misnamed as it only means "one instruction per TB" and doesn't
-     * affect the code we generate.
-     */
-    return s->base.singlestep_enabled || s->ss_active;
-}
-
 void clear_eci_state(DisasContext *s)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
     /* Is the new PC value in the magic range indicating exception return? */
     tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
     /* No: end the TB as we would for a DISAS_JMP */
-    if (is_singlestepping(s)) {
+    if (s->ss_active) {
         gen_singlestep_exception(s);
     } else {
         tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
 /* Jump, specifying which TB number to use if we gen_goto_tb() */
 static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
 {
-    if (unlikely(is_singlestepping(s))) {
+    if (unlikely(s->ss_active)) {
         /* An indirect jump so that we still trigger the debug exception.  */
         gen_set_pc_im(s, dest);
         s->base.is_jmp = DISAS_JUMP;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 
     /* If architectural single step active, limit to 1.  */
-    if (is_singlestepping(dc)) {
+    if (dc->ss_active) {
         dc->base.max_insns = 1;
     }
 
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          * insn codepath itself.
          */
         gen_bx_excret_final_code(dc);
-    } else if (unlikely(is_singlestepping(dc))) {
+    } else if (unlikely(dc->ss_active)) {
         /* Unconditional and "condition passed" instruction codepath. */
         switch (dc->base.is_jmp) {
         case DISAS_SWI:
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         /* "Condition failed" instruction codepath for the branch/trap insn */
         gen_set_label(dc->condlabel);
         gen_set_condexec(dc);
-        if (unlikely(is_singlestepping(dc))) {
+        if (unlikely(dc->ss_active)) {
             gen_set_pc_im(dc, dc->base.pc_next);
             gen_singlestep_exception(dc);
         } else {
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/hppa/translate.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int which,
     } else {
         copy_iaoq_entry(cpu_iaoq_f, f, cpu_iaoq_b);
         copy_iaoq_entry(cpu_iaoq_b, b, ctx->iaoq_n_var);
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static bool do_rfi(DisasContext *ctx, bool rfi_r)
         gen_helper_rfi(cpu_env);
     }
     /* Exit the TB to recognize new interrupts.  */
-    if (ctx->base.singlestep_enabled) {
-        gen_excp_1(EXCP_DEBUG);
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
 
     return nullify_end(ctx);
@@ -XXX,XX +XXX,XX @@ static void hppa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         nullify_save(ctx);
         /* FALLTHRU */
     case DISAS_IAQ_N_UPDATED:
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG);
-        } else if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
+        if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
             tcg_gen_lookup_and_goto_ptr();
+            break;
         }
         /* FALLTHRU */
     case DISAS_EXIT:
-- 
2.25.1

We were using singlestep_enabled as a proxy for whether
translator_use_goto_tb would always return false.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUX86State *env = cpu->env_ptr;
     uint32_t flags = dc->base.tb->flags;
+    uint32_t cflags = tb_cflags(dc->base.tb);
     int cpl = (flags >> HF_CPL_SHIFT) & 3;
     int iopl = (flags >> IOPL_SHIFT) & 3;
 
@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
-    dc->jmp_opt = !(dc->base.singlestep_enabled ||
+    dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
     /*
      * If jmp_opt, we want to handle each string instruction individually.
      * For icount also disable repz optimization so that each iteration
      * is accounted separately.
      */
-    dc->repz_opt = !dc->jmp_opt && !(tb_cflags(dc->base.tb) & CF_USE_ICOUNT);
+    dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
 
     dc->T0 = tcg_temp_new();
     dc->T1 = tcg_temp_new();
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/helper.h          | 1 -
 target/i386/tcg/misc_helper.c | 8 --------
 target/i386/tcg/translate.c   | 4 +---
 3 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/target/i386/helper.h b/target/i386/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/helper.h
+++ b/target/i386/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(syscall, void, env, int)
 DEF_HELPER_2(sysret, void, env, int)
 #endif
 DEF_HELPER_FLAGS_2(pause, TCG_CALL_NO_WG, noreturn, env, int)
-DEF_HELPER_FLAGS_1(debug, TCG_CALL_NO_WG, noreturn, env)
 DEF_HELPER_1(reset_rf, void, env)
 DEF_HELPER_FLAGS_3(raise_interrupt, TCG_CALL_NO_WG, noreturn, env, int, int)
 DEF_HELPER_FLAGS_2(raise_exception, TCG_CALL_NO_WG, noreturn, env, int)
diff --git a/target/i386/tcg/misc_helper.c b/target/i386/tcg/misc_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/misc_helper.c
+++ b/target/i386/tcg/misc_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_pause(CPUX86State *env, int next_eip_addend)
     do_pause(env);
 }
 
-void QEMU_NORETURN helper_debug(CPUX86State *env)
-{
-    CPUState *cs = env_cpu(env);
-
-    cs->exception_index = EXCP_DEBUG;
-    cpu_loop_exit(cs);
-}
-
 uint64_t helper_rdpkru(CPUX86State *env, uint32_t ecx)
 {
     if ((env->cr[4] & CR4_PKE_MASK) == 0) {
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
     if (s->base.tb->flags & HF_RF_MASK) {
         gen_helper_reset_rf(cpu_env);
     }
-    if (s->base.singlestep_enabled) {
-        gen_helper_debug(cpu_env);
-    } else if (recheck_tf) {
+    if (recheck_tf) {
         gen_helper_rechecking_single_step(cpu_env);
         tcg_gen_exit_tb(NULL, 0);
     } else if (s->flags & HF_TF_MASK) {
-- 
2.25.1

GDB single-stepping is now handled generically.

Acked-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/m68k/translate.c | 44 +++++++++--------------------------------
 1 file changed, 9 insertions(+), 35 deletions(-)

diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static void do_writebacks(DisasContext *s)
     }
 }
 
-static bool is_singlestepping(DisasContext *s)
-{
-    /*
-     * Return true if we are singlestepping either because of
-     * architectural singlestep or QEMU gdbstub singlestep. This does
-     * not include the command line '-singlestep' mode which is rather
-     * misnamed as it only means "one instruction per TB" and doesn't
-     * affect the code we generate.
-     */
-    return s->base.singlestep_enabled || s->ss_active;
-}
-
 /* is_jmp field values */
 #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
 #define DISAS_EXIT      DISAS_TARGET_1 /* cpu state was modified dynamically */
@@ -XXX,XX +XXX,XX @@ static void gen_exception(DisasContext *s, uint32_t dest, int nr)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_singlestep_exception(DisasContext *s)
-{
-    /*
-     * Generate the right kind of exception for singlestep, which is
-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
-     * gdb singlestepping.
-     */
-    if (s->ss_active) {
-        gen_raise_exception(EXCP_TRACE);
-    } else {
-        gen_raise_exception(EXCP_DEBUG);
-    }
-}
-
 static inline void gen_addr_fault(DisasContext *s)
 {
     gen_exception(s, s->base.pc_next, EXCP_ADDRESS);
@@ -XXX,XX +XXX,XX @@ static void gen_exit_tb(DisasContext *s)
 /* Generate a jump to an immediate address.  */
 static void gen_jmp_tb(DisasContext *s, int n, uint32_t dest)
 {
-    if (unlikely(is_singlestepping(s))) {
+    if (unlikely(s->ss_active)) {
         update_cc_op(s);
         tcg_gen_movi_i32(QREG_PC, dest);
-        gen_singlestep_exception(s);
+        gen_raise_exception(EXCP_TRACE);
     } else if (translator_use_goto_tb(&s->base, dest)) {
         tcg_gen_goto_tb(n);
         tcg_gen_movi_i32(QREG_PC, dest);
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
 
     dc->ss_active = (M68K_SR_TRACE(env->sr) == M68K_SR_TRACE_ANY_INS);
     /* If architectural single step active, limit to 1 */
-    if (is_singlestepping(dc)) {
+    if (dc->ss_active) {
         dc->base.max_insns = 1;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         break;
     case DISAS_TOO_MANY:
         update_cc_op(dc);
-        if (is_singlestepping(dc)) {
+        if (dc->ss_active) {
             tcg_gen_movi_i32(QREG_PC, dc->pc);
-            gen_singlestep_exception(dc);
+            gen_raise_exception(EXCP_TRACE);
         } else {
             gen_jmp_tb(dc, 0, dc->pc);
         }
         break;
     case DISAS_JUMP:
         /* We updated CC_OP and PC in gen_jmp/gen_jmp_im.  */
-        if (is_singlestepping(dc)) {
-            gen_singlestep_exception(dc);
+        if (dc->ss_active) {
+            gen_raise_exception(EXCP_TRACE);
         } else {
             tcg_gen_lookup_and_goto_ptr();
         }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          * We updated CC_OP and PC in gen_exit_tb, but also modified
          * other state that may require returning to the main loop.
          */
-        if (is_singlestepping(dc)) {
-            gen_singlestep_exception(dc);
+        if (dc->ss_active) {
+            gen_raise_exception(EXCP_TRACE);
         } else {
             tcg_gen_exit_tb(NULL, 0);
         }
-- 
2.25.1

We were using singlestep_enabled as a proxy for whether
translator_use_goto_tb would always return false.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/microblaze/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
         break;
 
     case DISAS_JUMP:
-        if (dc->jmp_dest != -1 && !cs->singlestep_enabled) {
+        if (dc->jmp_dest != -1 && !(tb_cflags(dc->base.tb) & CF_NO_GOTO_TB)) {
             /* Direct jump. */
             tcg_gen_discard_i32(cpu_btarget);
 
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
             return;
         }
 
-        /* Indirect jump (or direct jump w/ singlestep) */
+        /* Indirect jump (or direct jump w/ goto_tb disabled) */
         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
         tcg_gen_discard_i32(cpu_btarget);
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/microblaze/translate.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_raise_hw_excp(DisasContext *dc, uint32_t esr_ec)
 
 static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
 {
-    if (dc->base.singlestep_enabled) {
-        TCGv_i32 tmp = tcg_const_i32(EXCP_DEBUG);
-        tcg_gen_movi_i32(cpu_pc, dest);
-        gen_helper_raise_exception(cpu_env, tmp);
-        tcg_temp_free_i32(tmp);
-    } else if (translator_use_goto_tb(&dc->base, dest)) {
+    if (translator_use_goto_tb(&dc->base, dest)) {
         tcg_gen_goto_tb(n);
         tcg_gen_movi_i32(cpu_pc, dest);
         tcg_gen_exit_tb(dc->base.tb, n);
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
         /* Indirect jump (or direct jump w/ goto_tb disabled) */
         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
         tcg_gen_discard_i32(cpu_btarget);
-
-        if (unlikely(cs->singlestep_enabled)) {
-            gen_raise_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         return;
 
     default:
-- 
2.25.1

As per an ancient comment in mips_tr_translate_insn about the
expectations of gdb, when restarting the insn in a delay slot
we also re-execute the branch.  Which means that we are
expected to execute two insns in this case.

This has been broken since 8b86d6d2580, where we forced max_insns
to 1 while single-stepping.  This resulted in an exit from the
translator loop after the branch but before the delay slot is
translated.

Increase the max_insns to 2 for this case.  In addition, bypass
the end-of-page check, for when the branch itself ends the page.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/translate.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void mips_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     ctx->default_tcg_memop_mask = (ctx->insn_flags & (ISA_MIPS_R6 |
                                   INSN_LOONGSON3A)) ? MO_UNALN : MO_ALIGN;
 
+    /*
+     * Execute a branch and its delay slot as a single instruction.
+     * This is what GDB expects and is consistent with what the
+     * hardware does (e.g. if a delay slot instruction faults, the
+     * reported PC is the PC of the branch).
+     */
+    if (ctx->base.singlestep_enabled && (ctx->hflags & MIPS_HFLAG_BMASK)) {
+        ctx->base.max_insns = 2;
+    }
+
     LOG_DISAS("\ntb %p idx %d hflags %04x\n", ctx->base.tb, ctx->mem_idx,
               ctx->hflags);
 }
@@ -XXX,XX +XXX,XX @@ static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
     if (ctx->base.is_jmp != DISAS_NEXT) {
         return;
     }
+
     /*
-     * Execute a branch and its delay slot as a single instruction.
-     * This is what GDB expects and is consistent with what the
-     * hardware does (e.g. if a delay slot instruction faults, the
-     * reported PC is the PC of the branch).
+     * End the TB on (most) page crossings.
+     * See mips_tr_init_disas_context about single-stepping a branch
+     * together with its delay slot.
      */
-    if (ctx->base.singlestep_enabled &&
-        (ctx->hflags & MIPS_HFLAG_BMASK) == 0) {
-        ctx->base.is_jmp = DISAS_TOO_MANY;
-    }
-    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE) {
+    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE
+        && !ctx->base.singlestep_enabled) {
         ctx->base.is_jmp = DISAS_TOO_MANY;
     }
 }
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/translate.c | 50 +++++++++++++------------------------
 1 file changed, 18 insertions(+), 32 deletions(-)

diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         gen_save_pc(dest);
-        if (ctx->base.singlestep_enabled) {
-            save_cpu_state(ctx, 0);
-            gen_helper_raise_exception_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void gen_branch(DisasContext *ctx, int insn_bytes)
             } else {
                 tcg_gen_mov_tl(cpu_PC, btarget);
             }
-            if (ctx->base.singlestep_enabled) {
-                save_cpu_state(ctx, 0);
-                gen_helper_raise_exception_debug(cpu_env);
-            }
             tcg_gen_lookup_and_goto_ptr();
             break;
         default:
@@ -XXX,XX +XXX,XX @@ static void mips_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
-    if (ctx->base.singlestep_enabled && ctx->base.is_jmp != DISAS_NORETURN) {
-        save_cpu_state(ctx, ctx->base.is_jmp != DISAS_EXIT);
-        gen_helper_raise_exception_debug(cpu_env);
-    } else {
-        switch (ctx->base.is_jmp) {
-        case DISAS_STOP:
-            gen_save_pc(ctx->base.pc_next);
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        case DISAS_NEXT:
-        case DISAS_TOO_MANY:
-            save_cpu_state(ctx, 0);
-            gen_goto_tb(ctx, 0, ctx->base.pc_next);
-            break;
-        case DISAS_EXIT:
-            tcg_gen_exit_tb(NULL, 0);
-            break;
-        case DISAS_NORETURN:
-            break;
-        default:
-            g_assert_not_reached();
-        }
+    switch (ctx->base.is_jmp) {
+    case DISAS_STOP:
+        gen_save_pc(ctx->base.pc_next);
+        tcg_gen_lookup_and_goto_ptr();
+        break;
+    case DISAS_NEXT:
+    case DISAS_TOO_MANY:
+        save_cpu_state(ctx, 0);
+        gen_goto_tb(ctx, 0, ctx->base.pc_next);
+        break;
+    case DISAS_EXIT:
+        tcg_gen_exit_tb(NULL, 0);
+        break;
+    case DISAS_NORETURN:
+        break;
+    default:
+        g_assert_not_reached();
     }
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/openrisc/translate.c | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             /* The jump destination is indirect/computed; use jmp_pc.  */
             tcg_gen_mov_tl(cpu_pc, jmp_pc);
             tcg_gen_discard_tl(jmp_pc);
-            if (unlikely(dc->base.singlestep_enabled)) {
-                gen_exception(dc, EXCP_DEBUG);
-            } else {
-                tcg_gen_lookup_and_goto_ptr();
-            }
+            tcg_gen_lookup_and_goto_ptr();
             break;
         }
         /* The jump destination is direct; use jmp_pc_imm.
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             break;
         }
         tcg_gen_movi_tl(cpu_pc, jmp_dest);
-        if (unlikely(dc->base.singlestep_enabled)) {
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         break;
 
     case DISAS_EXIT:
-        if (unlikely(dc->base.singlestep_enabled)) {
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.
Reuse gen_debug_exception to handle architectural debug exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/ppc/translate.c | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@
 
 #define CPU_SINGLE_STEP 0x1
 #define CPU_BRANCH_STEP 0x2
-#define GDBSTUB_SINGLE_STEP 0x4
 
 /* Include definitions for instructions classes and implementations flags */
 /* #define PPC_DEBUG_DISAS */
@@ -XXX,XX +XXX,XX @@ static uint32_t gen_prep_dbgex(DisasContext *ctx)
 
 static void gen_debug_exception(DisasContext *ctx)
 {
-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
+    gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *ctx, target_ulong dest)
 
 static void gen_lookup_and_goto_ptr(DisasContext *ctx)
 {
-    int sse = ctx->singlestep_enabled;
-    if (unlikely(sse)) {
-        if (sse & GDBSTUB_SINGLE_STEP) {
-            gen_debug_exception(ctx);
-        } else if (sse & (CPU_SINGLE_STEP | CPU_BRANCH_STEP)) {
-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+    if (unlikely(ctx->singlestep_enabled)) {
+        gen_debug_exception(ctx);
     } else {
         tcg_gen_lookup_and_goto_ptr();
     }
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     ctx->singlestep_enabled = 0;
     if ((hflags >> HFLAGS_SE) & 1) {
         ctx->singlestep_enabled |= CPU_SINGLE_STEP;
+        ctx->base.max_insns = 1;
     }
     if ((hflags >> HFLAGS_BE) & 1) {
         ctx->singlestep_enabled |= CPU_BRANCH_STEP;
     }
-    if (unlikely(ctx->base.singlestep_enabled)) {
-        ctx->singlestep_enabled |= GDBSTUB_SINGLE_STEP;
-    }
-
-    if (ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP)) {
-        ctx->base.max_insns = 1;
-    }
 }
 
 static void ppc_tr_tb_start(DisasContextBase *db, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     DisasJumpType is_jmp = ctx->base.is_jmp;
     target_ulong nip = ctx->base.pc_next;
-    int sse;
 
     if (is_jmp == DISAS_NORETURN) {
         /* We have already exited the TB. */
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     }
 
     /* Honor single stepping. */
-    sse = ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP);
-    if (unlikely(sse)) {
+    if (unlikely(ctx->singlestep_enabled & CPU_SINGLE_STEP)
+        && (nip <= 0x100 || nip > 0xf00)) {
         switch (is_jmp) {
         case DISAS_TOO_MANY:
         case DISAS_EXIT_UPDATE:
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             g_assert_not_reached();
         }
 
-        if (sse & GDBSTUB_SINGLE_STEP) {
-            gen_debug_exception(ctx);
-            return;
-        }
-        /* else CPU_SINGLE_STEP... */
-        if (nip <= 0x100 || nip > 0xf00) {
-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
-            return;
-        }
+        gen_debug_exception(ctx);
+        return;
     }
 
     switch (is_jmp) {
-- 
2.25.1

We have already set DISAS_NORETURN in generate_exception,
which makes the exit_tb unreachable.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/insn_trans/trans_privileged.c.inc | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_privileged.c.inc
+++ b/target/riscv/insn_trans/trans_privileged.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_ecall(DisasContext *ctx, arg_ecall *a)
 {
     /* always generates U-level ECALL, fixed in do_interrupt handler */
     generate_exception(ctx, RISCV_EXCP_U_ECALL);
-    exit_tb(ctx); /* no chaining */
-    ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_ebreak(DisasContext *ctx, arg_ebreak *a)
         post   = opcode_at(&ctx->base, post_addr);
     }
 
-    if  (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
+    if (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
         generate_exception(ctx, RISCV_EXCP_SEMIHOST);
     } else {
         generate_exception(ctx, RISCV_EXCP_BREAKPOINT);
     }
-    exit_tb(ctx); /* no chaining */
-    ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically, which means
we don't need to do anything in the wrappers.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c                      | 27 +------------------
 .../riscv/insn_trans/trans_privileged.c.inc   |  4 +--
 target/riscv/insn_trans/trans_rvi.c.inc       |  8 +++---
 target/riscv/insn_trans/trans_rvv.c.inc       |  2 +-
 4 files changed, 7 insertions(+), 34 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void generate_exception_mtval(DisasContext *ctx, int excp)
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_debug(void)
-{
-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
-}
-
-/* Wrapper around tcg_gen_exit_tb that handles single stepping */
-static void exit_tb(DisasContext *ctx)
-{
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_debug();
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
-}
-
-/* Wrapper around tcg_gen_lookup_and_goto_ptr that handles single stepping */
-static void lookup_and_goto_ptr(DisasContext *ctx)
-{
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_debug();
-    } else {
-        tcg_gen_lookup_and_goto_ptr();
-    }
-}
-
 static void gen_exception_illegal(DisasContext *ctx)
 {
     generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         tcg_gen_movi_tl(cpu_pc, dest);
-        lookup_and_goto_ptr(ctx);
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_privileged.c.inc
+++ b/target/riscv/insn_trans/trans_privileged.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_sret(DisasContext *ctx, arg_sret *a)
 
     if (has_ext(ctx, RVS)) {
         gen_helper_sret(cpu_pc, cpu_env, cpu_pc);
-        exit_tb(ctx); /* no chaining */
+        tcg_gen_exit_tb(NULL, 0); /* no chaining */
         ctx->base.is_jmp = DISAS_NORETURN;
     } else {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_mret(DisasContext *ctx, arg_mret *a)
 #ifndef CONFIG_USER_ONLY
     tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
     gen_helper_mret(cpu_pc, cpu_env, cpu_pc);
-    exit_tb(ctx); /* no chaining */
+    tcg_gen_exit_tb(NULL, 0); /* no chaining */
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 #else
diff --git a/target/riscv/insn_trans/trans_rvi.c.inc b/target/riscv/insn_trans/trans_rvi.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
     if (a->rd != 0) {
         tcg_gen_movi_tl(cpu_gpr[a->rd], ctx->pc_succ_insn);
     }
-
-    /* No chaining with JALR. */
-    lookup_and_goto_ptr(ctx);
+    tcg_gen_lookup_and_goto_ptr();
 
     if (misaligned) {
         gen_set_label(misaligned);
@@ -XXX,XX +XXX,XX @@ static bool trans_fence_i(DisasContext *ctx, arg_fence_i *a)
      * however we need to end the translation block
      */
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    exit_tb(ctx);
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool do_csr_post(DisasContext *ctx)
 {
     /* We may have changed important cpu state -- exit to main loop. */
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    exit_tb(ctx);
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
diff --git a/target/riscv/insn_trans/trans_rvv.c.inc b/target/riscv/insn_trans/trans_rvv.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvv.c.inc
+++ b/target/riscv/insn_trans/trans_rvv.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_vsetvl(DisasContext *ctx, arg_vsetvl *a)
     gen_set_gpr(ctx, a->rd, dst);
 
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    lookup_and_goto_ptr(ctx);
+    tcg_gen_lookup_and_goto_ptr();
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/rx/helper.h    |  1 -
 target/rx/op_helper.c |  8 --------
 target/rx/translate.c | 12 ++----------
 3 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/target/rx/helper.h b/target/rx/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/helper.h
+++ b/target/rx/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_access_fault, noreturn, env)
 DEF_HELPER_1(raise_privilege_violation, noreturn, env)
 DEF_HELPER_1(wait, noreturn, env)
-DEF_HELPER_1(debug, noreturn, env)
 DEF_HELPER_2(rxint, noreturn, env, i32)
 DEF_HELPER_1(rxbrk, noreturn, env)
 DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
diff --git a/target/rx/op_helper.c b/target/rx/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/op_helper.c
+++ b/target/rx/op_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_wait(CPURXState *env)
     raise_exception(env, EXCP_HLT, 0);
 }
 
-void QEMU_NORETURN helper_debug(CPURXState *env)
-{
-    CPUState *cs = env_cpu(env);
-
-    cs->exception_index = EXCP_DEBUG;
-    cpu_loop_exit(cs);
-}
-
 void QEMU_NORETURN helper_rxint(CPURXState *env, uint32_t vec)
 {
     raise_exception(env, 0x100 + vec, 0);
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
         tcg_gen_exit_tb(dc->base.tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (dc->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
     dc->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void rx_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         gen_goto_tb(ctx, 0, dcbase->pc_next);
         break;
     case DISAS_JUMP:
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         break;
     case DISAS_UPDATE:
         tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/s390x/tcg/translate.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ struct DisasContext {
     uint64_t pc_tmp;
     uint32_t ilen;
     enum cc_op cc_op;
-    bool do_debug;
 };
 
 /* Information carried about a condition to be evaluated.  */
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
 
     dc->cc_op = CC_OP_DYNAMIC;
     dc->ex_value = dc->base.tb->cs_base;
-    dc->do_debug = dc->base.singlestep_enabled;
 }
 
 static void s390x_tr_tb_start(DisasContextBase *db, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         /* FALLTHRU */
     case DISAS_PC_CC_UPDATED:
         /* Exit the TB, either by raising a debug exception or by return.  */
-        if (dc->do_debug) {
-            gen_exception(EXCP_DEBUG);
-        } else if ((dc->base.tb->flags & FLAG_MASK_PER) ||
-                   dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
+        if ((dc->base.tb->flags & FLAG_MASK_PER) ||
+             dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/sh4/helper.h    |  1 -
 target/sh4/op_helper.c |  5 -----
 target/sh4/translate.c | 14 +++-----------
 3 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/target/sh4/helper.h b/target/sh4/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/helper.h
+++ b/target/sh4/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_slot_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_fpu_disable, noreturn, env)
 DEF_HELPER_1(raise_slot_fpu_disable, noreturn, env)
-DEF_HELPER_1(debug, noreturn, env)
 DEF_HELPER_1(sleep, noreturn, env)
 DEF_HELPER_2(trapa, noreturn, env, i32)
 DEF_HELPER_1(exclusive, noreturn, env)
diff --git a/target/sh4/op_helper.c b/target/sh4/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/op_helper.c
+++ b/target/sh4/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_raise_slot_fpu_disable(CPUSH4State *env)
     raise_exception(env, 0x820, 0);
 }
 
-void helper_debug(CPUSH4State *env)
-{
-    raise_exception(env, EXCP_DEBUG, 0);
-}
-
 void helper_sleep(CPUSH4State *env)
 {
     CPUState *cs = env_cpu(env);
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else if (use_exit_tb(ctx)) {
+        if (use_exit_tb(ctx)) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void gen_jump(DisasContext * ctx)
 	   delayed jump as immediate jump are conditinal jumps */
 	tcg_gen_mov_i32(cpu_pc, cpu_delayed_pc);
         tcg_gen_discard_i32(cpu_delayed_pc);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else if (use_exit_tb(ctx)) {
+        if (use_exit_tb(ctx)) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void sh4_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     switch (ctx->base.is_jmp) {
     case DISAS_STOP:
         gen_save_cpu_state(ctx, true);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     case DISAS_NEXT:
     case DISAS_TOO_MANY:
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/tricore/helper.h    |  1 -
 target/tricore/op_helper.c |  7 -------
 target/tricore/translate.c | 14 +-------------
 3 files changed, 1 insertion(+), 21 deletions(-)

diff --git a/target/tricore/helper.h b/target/tricore/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/helper.h
+++ b/target/tricore/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(psw_write, void, env, i32)
 DEF_HELPER_1(psw_read, i32, env)
 /* Exceptions */
 DEF_HELPER_3(raise_exception_sync, noreturn, env, i32, i32)
-DEF_HELPER_2(qemu_excp, noreturn, env, i32)
diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/op_helper.c
+++ b/target/tricore/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void raise_exception_sync_helper(CPUTriCoreState *env, uint32_t class,
     raise_exception_sync_internal(env, class, tin, pc, 0);
 }
 
-void helper_qemu_excp(CPUTriCoreState *env, uint32_t excp)
-{
-    CPUState *cs = env_cpu(env);
-    cs->exception_index = excp;
-    cpu_loop_exit(cs);
-}
-
 /* Addressing mode helper */
 
 static uint16_t reverse16(uint16_t val)
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_save_pc(target_ulong pc)
     tcg_gen_movi_tl(cpu_PC, pc);
 }
 
-static void generate_qemu_excp(DisasContext *ctx, int excp)
-{
-    TCGv_i32 tmp = tcg_const_i32(excp);
-    gen_helper_qemu_excp(cpu_env, tmp);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    tcg_temp_free(tmp);
-}
-
 static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
 {
     if (translator_use_goto_tb(&ctx->base, dest)) {
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         gen_save_pc(dest);
-        if (ctx->base.singlestep_enabled) {
-            generate_qemu_excp(ctx, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/xtensa/translate.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_jump_slot(DisasContext *dc, TCGv dest, int slot)
     if (dc->icount) {
         tcg_gen_mov_i32(cpu_SR[ICOUNT], dc->next_icount);
     }
-    if (dc->base.singlestep_enabled) {
-        gen_exception(dc, EXCP_DEBUG);
+    if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
+        slot = gen_postprocess(dc, slot);
+    }
+    if (slot >= 0) {
+        tcg_gen_goto_tb(slot);
+        tcg_gen_exit_tb(dc->base.tb, slot);
     } else {
-        if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
-            slot = gen_postprocess(dc, slot);
-        }
-        if (slot >= 0) {
-            tcg_gen_goto_tb(slot);
-            tcg_gen_exit_tb(dc->base.tb, slot);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
     }
     dc->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
     case DISAS_NORETURN:
         break;
     case DISAS_TOO_MANY:
-        if (dc->base.singlestep_enabled) {
-            tcg_gen_movi_i32(cpu_pc, dc->pc);
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            gen_jumpi(dc, dc->pc, 0);
-        }
+        gen_jumpi(dc, dc->pc, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

This reverts commit 1b36e4f5a5de585210ea95f2257839c2312be28f.

Despite a comment saying why cpu_common_props cannot be placed in
a file that is compiled once, it was moved anyway.  Revert that.

Since then, Property is not defined in hw/core/cpu.h, so it is now
easier to declare a function to install the properties rather than
the Property array itself.

Cc: Eduardo Habkost <ehabkost@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/hw/core/cpu.h |  1 +
 cpu.c                 | 21 +++++++++++++++++++++
 hw/core/cpu-common.c  | 17 +----------------
 3 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN cpu_abort(CPUState *cpu, const char *fmt, ...)
     GCC_FMT_ATTR(2, 3);
 
 /* $(top_srcdir)/cpu.c */
+void cpu_class_init_props(DeviceClass *dc);
 void cpu_exec_initfn(CPUState *cpu);
 void cpu_exec_realizefn(CPUState *cpu, Error **errp);
 void cpu_exec_unrealizefn(CPUState *cpu);
diff --git a/cpu.c b/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/cpu.c
+++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_unrealizefn(CPUState *cpu)
     cpu_list_remove(cpu);
 }
 
+static Property cpu_common_props[] = {
+#ifndef CONFIG_USER_ONLY
+    /*
+     * Create a memory property for softmmu CPU object,
+     * so users can wire up its memory. (This can't go in hw/core/cpu.c
+     * because that file is compiled only once for both user-mode
+     * and system builds.) The default if no link is set up is to use
+     * the system address space.
+     */
+    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
+                     MemoryRegion *),
+#endif
+    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+void cpu_class_init_props(DeviceClass *dc)
+{
+    device_class_set_props(dc, cpu_common_props);
+}
+
 void cpu_exec_initfn(CPUState *cpu)
 {
     cpu->as = NULL;
diff --git a/hw/core/cpu-common.c b/hw/core/cpu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/cpu-common.c
+++ b/hw/core/cpu-common.c
@@ -XXX,XX +XXX,XX @@ static int64_t cpu_common_get_arch_id(CPUState *cpu)
     return cpu->cpu_index;
 }
 
-static Property cpu_common_props[] = {
-#ifndef CONFIG_USER_ONLY
-    /* Create a memory property for softmmu CPU object,
-     * so users can wire up its memory. (This can't go in hw/core/cpu.c
-     * because that file is compiled only once for both user-mode
-     * and system builds.) The default if no link is set up is to use
-     * the system address space.
-     */
-    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
-                     MemoryRegion *),
-#endif
-    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
-    DEFINE_PROP_END_OF_LIST(),
-};
-
 static void cpu_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
@@ -XXX,XX +XXX,XX @@ static void cpu_class_init(ObjectClass *klass, void *data)
     dc->realize = cpu_common_realizefn;
     dc->unrealize = cpu_common_unrealizefn;
     dc->reset = cpu_common_reset;
-    device_class_set_props(dc, cpu_common_props);
+    cpu_class_init_props(dc);
     /*
      * Reason: CPUs still need special care by board code: wiring up
      * IRQs, adding reset handlers, halting non-first CPUs, ...
-- 
2.25.1