Series comparison

-[PULL 00/16] tcg patch queue
+[PULL 00/34] tcg patch queue
-The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:
+This is mostly my code_gen_buffer cleanup, plus a few other random
 changes thrown in.  Including a fix for a recent float32_exp2 bug.
-  Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)
 r~
 The following changes since commit 894fc4fd670aaf04a67dc7507739f914ff4bacf2:
   Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-06-11 09:21:48 +0100)
 are available in the Git repository at:
-  https://github.com/rth7680/qemu.git tags/pull-tcg-20200121
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20210611
-for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:
+for you to fetch changes up to 60afaddc208d34f6dc86dd974f6e02724fba6eb6:
-  scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)
+  docs/devel: Explain in more detail the TB chaining mechanisms (2021-06-11 09:41:25 -0700)
 ----------------------------------------------------------------
-Remove another limit to NB_MMU_MODES.
+Clean up code_gen_buffer allocation.
-Fix compilation using uclibc.
+Add tcg_remove_ops_after.
-Fix defaulting of -accel parameters.
+Fix tcg_constant_* documentation.
-Tidy cputlb basic routines.
+Improve TB chaining documentation.
-Adjust git.orderfile for decodetree.
+Fix float32_exp2.
 ----------------------------------------------------------------
-Carlos Santos (1):
+Jose R. Ziviani (1):
-      util/cacheinfo: fix crash when compiling with uClibc
+      tcg/arm: Fix tcg_out_op function signature
-Philippe Mathieu-Daudé (1):
+Luis Pires (1):
-      scripts/git.orderfile: Display decodetree before C source
+      docs/devel: Explain in more detail the TB chaining mechanisms
-Richard Henderson (14):
+Richard Henderson (32):
-      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
+      meson: Split out tcg/meson.build
-      vl: Remove unused variable in configure_accelerators
+      meson: Split out fpu/meson.build
-      vl: Reduce scope of variables in configure_accelerators
+      tcg: Re-order tcg_region_init vs tcg_prologue_init
-      vl: Remove useless test in configure_accelerators
+      tcg: Remove error return from tcg_region_initial_alloc__locked
-      vl: Only choose enabled accelerators in configure_accelerators
+      tcg: Split out tcg_region_initial_alloc
-      cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
+      tcg: Split out tcg_region_prologue_set
-      cputlb: Make tlb_n_entries private to cputlb.c
+      tcg: Split out region.c
-      cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
+      accel/tcg: Inline cpu_gen_init
-      cputlb: Hoist tlb portions in tlb_mmu_resize_locked
+      accel/tcg: Move alloc_code_gen_buffer to tcg/region.c
-      cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
+      accel/tcg: Rename tcg_init to tcg_init_machine
-      cputlb: Split out tlb_mmu_flush_locked
+      tcg: Create tcg_init
-      cputlb: Partially merge tlb_dyn_init into tlb_init
+      accel/tcg: Merge tcg_exec_init into tcg_init_machine
-      cputlb: Initialize tlbs as flushed
+      accel/tcg: Use MiB in tcg_init_machine
-      cputlb: Hoist timestamp outside of loops over tlbs
+      accel/tcg: Pass down max_cpus to tcg_init
       tcg: Introduce tcg_max_ctxs
       tcg: Move MAX_CODE_GEN_BUFFER_SIZE to tcg-target.h
       tcg: Replace region.end with region.total_size
       tcg: Rename region.start to region.after_prologue
       tcg: Tidy tcg_n_regions
       tcg: Tidy split_cross_256mb
       tcg: Move in_code_gen_buffer and tests to region.c
       tcg: Allocate code_gen_buffer into struct tcg_region_state
       tcg: Return the map protection from alloc_code_gen_buffer
       tcg: Sink qemu_madvise call to common code
       util/osdep: Add qemu_mprotect_rw
       tcg: Round the tb_size default from qemu_get_host_physmem
       tcg: Merge buffer protection and guard page protection
       tcg: When allocating for !splitwx, begin with PROT_NONE
       tcg: Move tcg_init_ctx and tcg_ctx from accel/tcg/
       tcg: Introduce tcg_remove_ops_after
       tcg: Fix documentation for tcg_constant_* vs tcg_temp_free_*
       softfloat: Fix tp init in float32_exp2
- include/exec/cpu_ldst.h |   5 -
+ docs/devel/tcg.rst        | 101 ++++-
- accel/tcg/cputlb.c      | 287 +++++++++++++++++++++++++++++++++---------------
+ meson.build               |  12 +-
- util/cacheinfo.c        |  10 +-
+ accel/tcg/internal.h      |   2 +
- vl.c                    |  27 +++--
+ include/qemu/osdep.h      |   1 +
- scripts/git.orderfile   |   3 +
+ include/sysemu/tcg.h      |   2 -
-files changed, 223 insertions(+), 109 deletions(-)
+ include/tcg/tcg.h         |  28 +-
  tcg/aarch64/tcg-target.h  |   1 +
  tcg/arm/tcg-target.h      |   1 +
  tcg/i386/tcg-target.h     |   2 +
  tcg/mips/tcg-target.h     |   6 +
  tcg/ppc/tcg-target.h      |   2 +
  tcg/riscv/tcg-target.h    |   1 +
  tcg/s390/tcg-target.h     |   3 +
  tcg/sparc/tcg-target.h    |   1 +
  tcg/tcg-internal.h        |  40 ++
  tcg/tci/tcg-target.h      |   1 +
  accel/tcg/tcg-all.c       |  32 +-
  accel/tcg/translate-all.c | 439 +-------------------
  bsd-user/main.c           |   3 +-
  fpu/softfloat.c           |   2 +-
  linux-user/main.c         |   1 -
  tcg/region.c              | 999 ++++++++++++++++++++++++++++++++++++++++++++++
  tcg/tcg.c                 | 649 +++---------------------------
  util/osdep.c              |   9 +
  tcg/arm/tcg-target.c.inc  |   3 +-
  fpu/meson.build           |   1 +
  tcg/meson.build           |  14 +
 files changed, 1266 insertions(+), 1090 deletions(-)
  create mode 100644 tcg/tcg-internal.h
  create mode 100644 tcg/region.c
  create mode 100644 fpu/meson.build
  create mode 100644 tcg/meson.build

-New patch
+[PULL 01/34] meson: Split out tcg/meson.build
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ meson.build     |  8 +-------
+ tcg/meson.build | 13 +++++++++++++
+files changed, 14 insertions(+), 7 deletions(-)
+ create mode 100644 tcg/meson.build
+diff --git a/meson.build b/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/meson.build
++++ b/meson.build
+@@ -XXX,XX +XXX,XX @@ common_ss.add(capstone)
+ specific_ss.add(files('cpu.c', 'disas.c', 'gdbstub.c'), capstone)
+ specific_ss.add(when: 'CONFIG_TCG', if_true: files(
+   'fpu/softfloat.c',
+-  'tcg/optimize.c',
+-  'tcg/tcg-common.c',
+-  'tcg/tcg-op-gvec.c',
+-  'tcg/tcg-op-vec.c',
+-  'tcg/tcg-op.c',
+-  'tcg/tcg.c',
+ ))
+-specific_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('tcg/tci.c'))
+ # Work around a gcc bug/misfeature wherein constant propagation looks
+ # through an alias:
+@@ -XXX,XX +XXX,XX @@ subdir('net')
+ subdir('replay')
+ subdir('semihosting')
+ subdir('hw')
++subdir('tcg')
+ subdir('accel')
+ subdir('plugins')
+ subdir('bsd-user')
+diff --git a/tcg/meson.build b/tcg/meson.build
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tcg/meson.build
+@@ -XXX,XX +XXX,XX @@
++tcg_ss = ss.source_set()
++
++tcg_ss.add(files(
++  'optimize.c',
++  'tcg.c',
++  'tcg-common.c',
++  'tcg-op.c',
++  'tcg-op-gvec.c',
++  'tcg-op-vec.c',
++))
++tcg_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('tci.c'))
++
++specific_ss.add_all(when: 'CONFIG_TCG', if_true: tcg_ss)
+--
+.25.1

-New patch
+[PULL 02/34] meson: Split out fpu/meson.build
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ meson.build     | 4 +---
+ fpu/meson.build | 1 +
+files changed, 2 insertions(+), 3 deletions(-)
+ create mode 100644 fpu/meson.build
+diff --git a/meson.build b/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/meson.build
++++ b/meson.build
+@@ -XXX,XX +XXX,XX @@ subdir('softmmu')
+ common_ss.add(capstone)
+ specific_ss.add(files('cpu.c', 'disas.c', 'gdbstub.c'), capstone)
+-specific_ss.add(when: 'CONFIG_TCG', if_true: files(
+-  'fpu/softfloat.c',
+-))
+ # Work around a gcc bug/misfeature wherein constant propagation looks
+ # through an alias:
+@@ -XXX,XX +XXX,XX @@ subdir('replay')
+ subdir('semihosting')
+ subdir('hw')
+ subdir('tcg')
++subdir('fpu')
+ subdir('accel')
+ subdir('plugins')
+ subdir('bsd-user')
+diff --git a/fpu/meson.build b/fpu/meson.build
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/fpu/meson.build
+@@ -0,0 +1 @@
++specific_ss.add(when: 'CONFIG_TCG', if_true: files('softfloat.c'))
+--
+.25.1

-New patch
+[PULL 03/34] tcg: Re-order tcg_region_init vs tcg_prologue_init
+Instead of delaying tcg_region_init until after tcg_prologue_init
+is complete, do tcg_region_init first and let tcg_prologue_init
+shrink the first region by the size of the generated prologue.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/tcg-all.c       | 11 ---------
+ accel/tcg/translate-all.c |  3 +++
+ bsd-user/main.c           |  1 -
+ linux-user/main.c         |  1 -
+ tcg/tcg.c                 | 52 ++++++++++++++-------------------------
+files changed, 22 insertions(+), 46 deletions(-)
+diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/tcg-all.c
++++ b/accel/tcg/tcg-all.c
+@@ -XXX,XX +XXX,XX @@ static int tcg_init(MachineState *ms)
+     tcg_exec_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
+     mttcg_enabled = s->mttcg_enabled;
+-
+-    /*
+-     * Initialize TCG regions only for softmmu.
+-     *
+-     * This needs to be done later for user mode, because the prologue
+-     * generation needs to be delayed so that GUEST_BASE is already set.
+-     */
+-#ifndef CONFIG_USER_ONLY
+-    tcg_region_init();
+-#endif /* !CONFIG_USER_ONLY */
+-
+     return 0;
+ }
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/translate-all.c
++++ b/accel/tcg/translate-all.c
+@@ -XXX,XX +XXX,XX @@ void tcg_exec_init(unsigned long tb_size, int splitwx)
+                                splitwx, &error_fatal);
+     assert(ok);
++    /* TODO: allocating regions is hand-in-glove with code_gen_buffer. */
++    tcg_region_init();
++
+ #if defined(CONFIG_SOFTMMU)
+     /* There's no guest base to take into account, so go ahead and
+        initialize the prologue now.  */
+diff --git a/bsd-user/main.c b/bsd-user/main.c
+index XXXXXXX..XXXXXXX 100644
+--- a/bsd-user/main.c
++++ b/bsd-user/main.c
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
+      * the real value of GUEST_BASE into account.
+      */
+     tcg_prologue_init(tcg_ctx);
+-    tcg_region_init();
+     /* build Task State */
+     memset(ts, 0, sizeof(TaskState));
+diff --git a/linux-user/main.c b/linux-user/main.c
+index XXXXXXX..XXXXXXX 100644
+--- a/linux-user/main.c
++++ b/linux-user/main.c
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
+        generating the prologue until now so that the prologue can take
+        the real value of GUEST_BASE into account.  */
+     tcg_prologue_init(tcg_ctx);
+-    tcg_region_init();
+     target_cpu_copy_regs(env, regs);
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@ TranslationBlock *tcg_tb_alloc(TCGContext *s)
+ void tcg_prologue_init(TCGContext *s)
+ {
+-    size_t prologue_size, total_size;
+-    void *buf0, *buf1;
++    size_t prologue_size;
+     /* Put the prologue at the beginning of code_gen_buffer.  */
+-    buf0 = s->code_gen_buffer;
+-    total_size = s->code_gen_buffer_size;
+-    s->code_ptr = buf0;
+-    s->code_buf = buf0;
++    tcg_region_assign(s, 0);
++    s->code_ptr = s->code_gen_ptr;
++    s->code_buf = s->code_gen_ptr;
+     s->data_gen_ptr = NULL;
+-    /*
+-     * The region trees are not yet configured, but tcg_splitwx_to_rx
+-     * needs the bounds for an assert.
+-     */
+-    region.start = buf0;
+-    region.end = buf0 + total_size;
+-
+ #ifndef CONFIG_TCG_INTERPRETER
+-    tcg_qemu_tb_exec = (tcg_prologue_fn *)tcg_splitwx_to_rx(buf0);
++    tcg_qemu_tb_exec = (tcg_prologue_fn *)tcg_splitwx_to_rx(s->code_ptr);
+ #endif
+-    /* Compute a high-water mark, at which we voluntarily flush the buffer
+-       and start over.  The size here is arbitrary, significantly larger
+-       than we expect the code generation for any one opcode to require.  */
+-    s->code_gen_highwater = s->code_gen_buffer + (total_size - TCG_HIGHWATER);
+-
+ #ifdef TCG_TARGET_NEED_POOL_LABELS
+     s->pool_labels = NULL;
+ #endif
+@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
+     }
+ #endif
+-    buf1 = s->code_ptr;
++    prologue_size = tcg_current_code_size(s);
++
+ #ifndef CONFIG_TCG_INTERPRETER
+-    flush_idcache_range((uintptr_t)tcg_splitwx_to_rx(buf0), (uintptr_t)buf0,
+-                        tcg_ptr_byte_diff(buf1, buf0));
++    flush_idcache_range((uintptr_t)tcg_splitwx_to_rx(s->code_buf),
++                        (uintptr_t)s->code_buf, prologue_size);
+ #endif
+-    /* Deduct the prologue from the buffer.  */
+-    prologue_size = tcg_current_code_size(s);
+-    s->code_gen_ptr = buf1;
+-    s->code_gen_buffer = buf1;
+-    s->code_buf = buf1;
+-    total_size -= prologue_size;
+-    s->code_gen_buffer_size = total_size;
++    /* Deduct the prologue from the first region.  */
++    region.start = s->code_ptr;
+-    tcg_register_jit(tcg_splitwx_to_rx(s->code_gen_buffer), total_size);
++    /* Recompute boundaries of the first region. */
++    tcg_region_assign(s, 0);
++
++    tcg_register_jit(tcg_splitwx_to_rx(region.start),
++                     region.end - region.start);
+ #ifdef DEBUG_DISAS
+     if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
+         FILE *logfile = qemu_log_lock();
+         qemu_log("PROLOGUE: [size=%zu]\n", prologue_size);
+         if (s->data_gen_ptr) {
+-            size_t code_size = s->data_gen_ptr - buf0;
++            size_t code_size = s->data_gen_ptr - s->code_gen_ptr;
+             size_t data_size = prologue_size - code_size;
+             size_t i;
+-            log_disas(buf0, code_size);
++            log_disas(s->code_gen_ptr, code_size);
+             for (i = 0; i < data_size; i += sizeof(tcg_target_ulong)) {
+                 if (sizeof(tcg_target_ulong) == 8) {
+@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
+                 }
+             }
+         } else {
+-            log_disas(buf0, prologue_size);
++            log_disas(s->code_gen_ptr, prologue_size);
+         }
+         qemu_log("\n");
+         qemu_log_flush();
+--
+.25.1

-New patch
+[PULL 04/34] tcg: Remove error return from tcg_region_initial_alloc__locked
+All callers immediately assert on error, so move the assert
+into the function itself.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg.c | 19 ++++++-------------
+file changed, 6 insertions(+), 13 deletions(-)
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@ static bool tcg_region_alloc(TCGContext *s)
+  * Perform a context's first region allocation.
+  * This function does _not_ increment region.agg_size_full.
+  */
+-static inline bool tcg_region_initial_alloc__locked(TCGContext *s)
++static void tcg_region_initial_alloc__locked(TCGContext *s)
+ {
+-    return tcg_region_alloc__locked(s);
++    bool err = tcg_region_alloc__locked(s);
++    g_assert(!err);
+ }
+ /* Call from a safe-work context */
+@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
+     for (i = 0; i < n_ctxs; i++) {
+         TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+-        bool err = tcg_region_initial_alloc__locked(s);
+-
+-        g_assert(!err);
++        tcg_region_initial_alloc__locked(s);
+     }
+     qemu_mutex_unlock(&region.lock);
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(void)
+     /* In user-mode we support only one ctx, so do the initial allocation now */
+ #ifdef CONFIG_USER_ONLY
+-    {
+-        bool err = tcg_region_initial_alloc__locked(tcg_ctx);
+-
+-        g_assert(!err);
+-    }
++    tcg_region_initial_alloc__locked(tcg_ctx);
+ #endif
+ }
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+     MachineState *ms = MACHINE(qdev_get_machine());
+     TCGContext *s = g_malloc(sizeof(*s));
+     unsigned int i, n;
+-    bool err;
+     *s = tcg_init_ctx;
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+     tcg_ctx = s;
+     qemu_mutex_lock(&region.lock);
+-    err = tcg_region_initial_alloc__locked(tcg_ctx);
+-    g_assert(!err);
++    tcg_region_initial_alloc__locked(s);
+     qemu_mutex_unlock(&region.lock);
+ }
+ #endif /* !CONFIG_USER_ONLY */
+--
+.25.1

-New patch
+[PULL 05/34] tcg: Split out tcg_region_initial_alloc
+This has only one user, and currently needs an ifdef,
+but will make more sense after some code motion.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg.c | 13 ++++++++++---
+file changed, 10 insertions(+), 3 deletions(-)
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@ static void tcg_region_initial_alloc__locked(TCGContext *s)
+     g_assert(!err);
+ }
++#ifndef CONFIG_USER_ONLY
++static void tcg_region_initial_alloc(TCGContext *s)
++{
++    qemu_mutex_lock(&region.lock);
++    tcg_region_initial_alloc__locked(s);
++    qemu_mutex_unlock(&region.lock);
++}
++#endif
++
+ /* Call from a safe-work context */
+ void tcg_region_reset_all(void)
+ {
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+     }
+     tcg_ctx = s;
+-    qemu_mutex_lock(&region.lock);
+-    tcg_region_initial_alloc__locked(s);
+-    qemu_mutex_unlock(&region.lock);
++    tcg_region_initial_alloc(s);
+ }
+ #endif /* !CONFIG_USER_ONLY */
+--
+.25.1

-New patch
+[PULL 06/34] tcg: Split out tcg_region_prologue_set
+This has only one user, but will make more sense after some
+code motion.
+Always leave the tcg_init_ctx initialized to the first region,
+in preparation for tcg_prologue_init().  This also requires
+that we don't re-allocate the region for the first cpu, lest
+we hit the assertion for total number of regions allocated .
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg.c | 37 ++++++++++++++++++++++---------------
+file changed, 22 insertions(+), 15 deletions(-)
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(void)
+     tcg_region_trees_init();
+-    /* In user-mode we support only one ctx, so do the initial allocation now */
+-#ifdef CONFIG_USER_ONLY
+-    tcg_region_initial_alloc__locked(tcg_ctx);
+-#endif
++    /*
++     * Leave the initial context initialized to the first region.
++     * This will be the context into which we generate the prologue.
++     * It is also the only context for CONFIG_USER_ONLY.
++     */
++    tcg_region_initial_alloc__locked(&tcg_init_ctx);
++}
++
++static void tcg_region_prologue_set(TCGContext *s)
++{
++    /* Deduct the prologue from the first region.  */
++    g_assert(region.start == s->code_gen_buffer);
++    region.start = s->code_ptr;
++
++    /* Recompute boundaries of the first region. */
++    tcg_region_assign(s, 0);
++
++    /* Register the balance of the buffer with gdb. */
++    tcg_register_jit(tcg_splitwx_to_rx(region.start),
++                     region.end - region.start);
+ }
+ #ifdef CONFIG_DEBUG_TCG
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+     if (n > 0) {
+         alloc_tcg_plugin_context(s);
++        tcg_region_initial_alloc(s);
+     }
+     tcg_ctx = s;
+-    tcg_region_initial_alloc(s);
+ }
+ #endif /* !CONFIG_USER_ONLY */
+@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
+ {
+     size_t prologue_size;
+-    /* Put the prologue at the beginning of code_gen_buffer.  */
+-    tcg_region_assign(s, 0);
+     s->code_ptr = s->code_gen_ptr;
+     s->code_buf = s->code_gen_ptr;
+     s->data_gen_ptr = NULL;
+@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
+                         (uintptr_t)s->code_buf, prologue_size);
+ #endif
+-    /* Deduct the prologue from the first region.  */
+-    region.start = s->code_ptr;
+-
+-    /* Recompute boundaries of the first region. */
+-    tcg_region_assign(s, 0);
+-
+-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+-                     region.end - region.start);
++    tcg_region_prologue_set(s);
+ #ifdef DEBUG_DISAS
+     if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
+--
+.25.1

-New patch
+[PULL 07/34] tcg: Split out region.c
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg-internal.h |  37 +++
+ tcg/region.c       | 572 +++++++++++++++++++++++++++++++++++++++++++++
+ tcg/tcg.c          | 547 +------------------------------------------
+ tcg/meson.build    |   1 +
+files changed, 613 insertions(+), 544 deletions(-)
+ create mode 100644 tcg/tcg-internal.h
+ create mode 100644 tcg/region.c
+diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tcg/tcg-internal.h
+@@ -XXX,XX +XXX,XX @@
++/*
++ * Internal declarations for Tiny Code Generator for QEMU
++ *
++ * Copyright (c) 2008 Fabrice Bellard
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#ifndef TCG_INTERNAL_H
++#define TCG_INTERNAL_H 1
++
++#define TCG_HIGHWATER 1024
++
++extern TCGContext **tcg_ctxs;
++extern unsigned int n_tcg_ctxs;
++
++bool tcg_region_alloc(TCGContext *s);
++void tcg_region_initial_alloc(TCGContext *s);
++void tcg_region_prologue_set(TCGContext *s);
++
++#endif /* TCG_INTERNAL_H */
+diff --git a/tcg/region.c b/tcg/region.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@
++/*
++ * Memory region management for Tiny Code Generator for QEMU
++ *
++ * Copyright (c) 2008 Fabrice Bellard
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a copy
++ * of this software and associated documentation files (the "Software"), to deal
++ * in the Software without restriction, including without limitation the rights
++ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
++ * copies of the Software, and to permit persons to whom the Software is
++ * furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice shall be included in
++ * all copies or substantial portions of the Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
++ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
++ * THE SOFTWARE.
++ */
++
++#include "qemu/osdep.h"
++#include "exec/exec-all.h"
++#include "tcg/tcg.h"
++#if !defined(CONFIG_USER_ONLY)
++#include "hw/boards.h"
++#endif
++#include "tcg-internal.h"
++
++
++struct tcg_region_tree {
++    QemuMutex lock;
++    GTree *tree;
++    /* padding to avoid false sharing is computed at run-time */
++};
++
++/*
++ * We divide code_gen_buffer into equally-sized "regions" that TCG threads
++ * dynamically allocate from as demand dictates. Given appropriate region
++ * sizing, this minimizes flushes even when some TCG threads generate a lot
++ * more code than others.
++ */
++struct tcg_region_state {
++    QemuMutex lock;
++
++    /* fields set at init time */
++    void *start;
++    void *start_aligned;
++    void *end;
++    size_t n;
++    size_t size; /* size of one region */
++    size_t stride; /* .size + guard size */
++
++    /* fields protected by the lock */
++    size_t current; /* current region index */
++    size_t agg_size_full; /* aggregate size of full regions */
++};
++
++static struct tcg_region_state region;
++
++/*
++ * This is an array of struct tcg_region_tree's, with padding.
++ * We use void * to simplify the computation of region_trees[i]; each
++ * struct is found every tree_size bytes.
++ */
++static void *region_trees;
++static size_t tree_size;
++
++/* compare a pointer @ptr and a tb_tc @s */
++static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
++{
++    if (ptr >= s->ptr + s->size) {
++        return 1;
++    } else if (ptr < s->ptr) {
++        return -1;
++    }
++    return 0;
++}
++
++static gint tb_tc_cmp(gconstpointer ap, gconstpointer bp)
++{
++    const struct tb_tc *a = ap;
++    const struct tb_tc *b = bp;
++
++    /*
++     * When both sizes are set, we know this isn't a lookup.
++     * This is the most likely case: every TB must be inserted; lookups
++     * are a lot less frequent.
++     */
++    if (likely(a->size && b->size)) {
++        if (a->ptr > b->ptr) {
++            return 1;
++        } else if (a->ptr < b->ptr) {
++            return -1;
++        }
++        /* a->ptr == b->ptr should happen only on deletions */
++        g_assert(a->size == b->size);
++        return 0;
++    }
++    /*
++     * All lookups have either .size field set to 0.
++     * From the glib sources we see that @ap is always the lookup key. However
++     * the docs provide no guarantee, so we just mark this case as likely.
++     */
++    if (likely(a->size == 0)) {
++        return ptr_cmp_tb_tc(a->ptr, b);
++    }
++    return ptr_cmp_tb_tc(b->ptr, a);
++}
++
++static void tcg_region_trees_init(void)
++{
++    size_t i;
++
++    tree_size = ROUND_UP(sizeof(struct tcg_region_tree), qemu_dcache_linesize);
++    region_trees = qemu_memalign(qemu_dcache_linesize, region.n * tree_size);
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        qemu_mutex_init(&rt->lock);
++        rt->tree = g_tree_new(tb_tc_cmp);
++    }
++}
++
++static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p)
++{
++    size_t region_idx;
++
++    /*
++     * Like tcg_splitwx_to_rw, with no assert.  The pc may come from
++     * a signal handler over which the caller has no control.
++     */
++    if (!in_code_gen_buffer(p)) {
++        p -= tcg_splitwx_diff;
++        if (!in_code_gen_buffer(p)) {
++            return NULL;
++        }
++    }
++
++    if (p < region.start_aligned) {
++        region_idx = 0;
++    } else {
++        ptrdiff_t offset = p - region.start_aligned;
++
++        if (offset > region.stride * (region.n - 1)) {
++            region_idx = region.n - 1;
++        } else {
++            region_idx = offset / region.stride;
++        }
++    }
++    return region_trees + region_idx * tree_size;
++}
++
++void tcg_tb_insert(TranslationBlock *tb)
++{
++    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
++
++    g_assert(rt != NULL);
++    qemu_mutex_lock(&rt->lock);
++    g_tree_insert(rt->tree, &tb->tc, tb);
++    qemu_mutex_unlock(&rt->lock);
++}
++
++void tcg_tb_remove(TranslationBlock *tb)
++{
++    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
++
++    g_assert(rt != NULL);
++    qemu_mutex_lock(&rt->lock);
++    g_tree_remove(rt->tree, &tb->tc);
++    qemu_mutex_unlock(&rt->lock);
++}
++
++/*
++ * Find the TB 'tb' such that
++ * tb->tc.ptr <= tc_ptr < tb->tc.ptr + tb->tc.size
++ * Return NULL if not found.
++ */
++TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
++{
++    struct tcg_region_tree *rt = tc_ptr_to_region_tree((void *)tc_ptr);
++    TranslationBlock *tb;
++    struct tb_tc s = { .ptr = (void *)tc_ptr };
++
++    if (rt == NULL) {
++        return NULL;
++    }
++
++    qemu_mutex_lock(&rt->lock);
++    tb = g_tree_lookup(rt->tree, &s);
++    qemu_mutex_unlock(&rt->lock);
++    return tb;
++}
++
++static void tcg_region_tree_lock_all(void)
++{
++    size_t i;
++
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        qemu_mutex_lock(&rt->lock);
++    }
++}
++
++static void tcg_region_tree_unlock_all(void)
++{
++    size_t i;
++
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        qemu_mutex_unlock(&rt->lock);
++    }
++}
++
++void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
++{
++    size_t i;
++
++    tcg_region_tree_lock_all();
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        g_tree_foreach(rt->tree, func, user_data);
++    }
++    tcg_region_tree_unlock_all();
++}
++
++size_t tcg_nb_tbs(void)
++{
++    size_t nb_tbs = 0;
++    size_t i;
++
++    tcg_region_tree_lock_all();
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        nb_tbs += g_tree_nnodes(rt->tree);
++    }
++    tcg_region_tree_unlock_all();
++    return nb_tbs;
++}
++
++static gboolean tcg_region_tree_traverse(gpointer k, gpointer v, gpointer data)
++{
++    TranslationBlock *tb = v;
++
++    tb_destroy(tb);
++    return FALSE;
++}
++
++static void tcg_region_tree_reset_all(void)
++{
++    size_t i;
++
++    tcg_region_tree_lock_all();
++    for (i = 0; i < region.n; i++) {
++        struct tcg_region_tree *rt = region_trees + i * tree_size;
++
++        g_tree_foreach(rt->tree, tcg_region_tree_traverse, NULL);
++        /* Increment the refcount first so that destroy acts as a reset */
++        g_tree_ref(rt->tree);
++        g_tree_destroy(rt->tree);
++    }
++    tcg_region_tree_unlock_all();
++}
++
++static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
++{
++    void *start, *end;
++
++    start = region.start_aligned + curr_region * region.stride;
++    end = start + region.size;
++
++    if (curr_region == 0) {
++        start = region.start;
++    }
++    if (curr_region == region.n - 1) {
++        end = region.end;
++    }
++
++    *pstart = start;
++    *pend = end;
++}
++
++static void tcg_region_assign(TCGContext *s, size_t curr_region)
++{
++    void *start, *end;
++
++    tcg_region_bounds(curr_region, &start, &end);
++
++    s->code_gen_buffer = start;
++    s->code_gen_ptr = start;
++    s->code_gen_buffer_size = end - start;
++    s->code_gen_highwater = end - TCG_HIGHWATER;
++}
++
++static bool tcg_region_alloc__locked(TCGContext *s)
++{
++    if (region.current == region.n) {
++        return true;
++    }
++    tcg_region_assign(s, region.current);
++    region.current++;
++    return false;
++}
++
++/*
++ * Request a new region once the one in use has filled up.
++ * Returns true on error.
++ */
++bool tcg_region_alloc(TCGContext *s)
++{
++    bool err;
++    /* read the region size now; alloc__locked will overwrite it on success */
++    size_t size_full = s->code_gen_buffer_size;
++
++    qemu_mutex_lock(&region.lock);
++    err = tcg_region_alloc__locked(s);
++    if (!err) {
++        region.agg_size_full += size_full - TCG_HIGHWATER;
++    }
++    qemu_mutex_unlock(&region.lock);
++    return err;
++}
++
++/*
++ * Perform a context's first region allocation.
++ * This function does _not_ increment region.agg_size_full.
++ */
++static void tcg_region_initial_alloc__locked(TCGContext *s)
++{
++    bool err = tcg_region_alloc__locked(s);
++    g_assert(!err);
++}
++
++void tcg_region_initial_alloc(TCGContext *s)
++{
++    qemu_mutex_lock(&region.lock);
++    tcg_region_initial_alloc__locked(s);
++    qemu_mutex_unlock(&region.lock);
++}
++
++/* Call from a safe-work context */
++void tcg_region_reset_all(void)
++{
++    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int i;
++
++    qemu_mutex_lock(&region.lock);
++    region.current = 0;
++    region.agg_size_full = 0;
++
++    for (i = 0; i < n_ctxs; i++) {
++        TCGContext *s = qatomic_read(&tcg_ctxs[i]);
++        tcg_region_initial_alloc__locked(s);
++    }
++    qemu_mutex_unlock(&region.lock);
++
++    tcg_region_tree_reset_all();
++}
++
++#ifdef CONFIG_USER_ONLY
++static size_t tcg_n_regions(void)
++{
++    return 1;
++}
++#else
++/*
++ * It is likely that some vCPUs will translate more code than others, so we
++ * first try to set more regions than max_cpus, with those regions being of
++ * reasonable size. If that's not possible we make do by evenly dividing
++ * the code_gen_buffer among the vCPUs.
++ */
++static size_t tcg_n_regions(void)
++{
++    size_t i;
++
++    /* Use a single region if all we have is one vCPU thread */
++#if !defined(CONFIG_USER_ONLY)
++    MachineState *ms = MACHINE(qdev_get_machine());
++    unsigned int max_cpus = ms->smp.max_cpus;
++#endif
++    if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
++        return 1;
++    }
++
++    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
++    for (i = 8; i > 0; i--) {
++        size_t regions_per_thread = i;
++        size_t region_size;
++
++        region_size = tcg_init_ctx.code_gen_buffer_size;
++        region_size /= max_cpus * regions_per_thread;
++
++        if (region_size >= 2 * 1024u * 1024) {
++            return max_cpus * regions_per_thread;
++        }
++    }
++    /* If we can't, then just allocate one region per vCPU thread */
++    return max_cpus;
++}
++#endif
++
++/*
++ * Initializes region partitioning.
++ *
++ * Called at init time from the parent thread (i.e. the one calling
++ * tcg_context_init), after the target's TCG globals have been set.
++ *
++ * Region partitioning works by splitting code_gen_buffer into separate regions,
++ * and then assigning regions to TCG threads so that the threads can translate
++ * code in parallel without synchronization.
++ *
++ * In softmmu the number of TCG threads is bounded by max_cpus, so we use at
++ * least max_cpus regions in MTTCG. In !MTTCG we use a single region.
++ * Note that the TCG options from the command-line (i.e. -accel accel=tcg,[...])
++ * must have been parsed before calling this function, since it calls
++ * qemu_tcg_mttcg_enabled().
++ *
++ * In user-mode we use a single region.  Having multiple regions in user-mode
++ * is not supported, because the number of vCPU threads (recall that each thread
++ * spawned by the guest corresponds to a vCPU thread) is only bounded by the
++ * OS, and usually this number is huge (tens of thousands is not uncommon).
++ * Thus, given this large bound on the number of vCPU threads and the fact
++ * that code_gen_buffer is allocated at compile-time, we cannot guarantee
++ * that the availability of at least one region per vCPU thread.
++ *
++ * However, this user-mode limitation is unlikely to be a significant problem
++ * in practice. Multi-threaded guests share most if not all of their translated
++ * code, which makes parallel code generation less appealing than in softmmu.
++ */
++void tcg_region_init(void)
++{
++    void *buf = tcg_init_ctx.code_gen_buffer;
++    void *aligned;
++    size_t size = tcg_init_ctx.code_gen_buffer_size;
++    size_t page_size = qemu_real_host_page_size;
++    size_t region_size;
++    size_t n_regions;
++    size_t i;
++
++    n_regions = tcg_n_regions();
++
++    /* The first region will be 'aligned - buf' bytes larger than the others */
++    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
++    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
++    /*
++     * Make region_size a multiple of page_size, using aligned as the start.
++     * As a result of this we might end up with a few extra pages at the end of
++     * the buffer; we will assign those to the last region.
++     */
++    region_size = (size - (aligned - buf)) / n_regions;
++    region_size = QEMU_ALIGN_DOWN(region_size, page_size);
++
++    /* A region must have at least 2 pages; one code, one guard */
++    g_assert(region_size >= 2 * page_size);
++
++    /* init the region struct */
++    qemu_mutex_init(&region.lock);
++    region.n = n_regions;
++    region.size = region_size - page_size;
++    region.stride = region_size;
++    region.start = buf;
++    region.start_aligned = aligned;
++    /* page-align the end, since its last page will be a guard page */
++    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
++    /* account for that last guard page */
++    region.end -= page_size;
++
++    /*
++     * Set guard pages in the rw buffer, as that's the one into which
++     * buffer overruns could occur.  Do not set guard pages in the rx
++     * buffer -- let that one use hugepages throughout.
++     */
++    for (i = 0; i < region.n; i++) {
++        void *start, *end;
++
++        tcg_region_bounds(i, &start, &end);
++
++        /*
++         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
++         * rejects a permission change from RWX -> NONE.  Guard pages are
++         * nice for bug detection but are not essential; ignore any failure.
++         */
++        (void)qemu_mprotect_none(end, page_size);
++    }
++
++    tcg_region_trees_init();
++
++    /*
++     * Leave the initial context initialized to the first region.
++     * This will be the context into which we generate the prologue.
++     * It is also the only context for CONFIG_USER_ONLY.
++     */
++    tcg_region_initial_alloc__locked(&tcg_init_ctx);
++}
++
++void tcg_region_prologue_set(TCGContext *s)
++{
++    /* Deduct the prologue from the first region.  */
++    g_assert(region.start == s->code_gen_buffer);
++    region.start = s->code_ptr;
++
++    /* Recompute boundaries of the first region. */
++    tcg_region_assign(s, 0);
++
++    /* Register the balance of the buffer with gdb. */
++    tcg_register_jit(tcg_splitwx_to_rx(region.start),
++                     region.end - region.start);
++}
++
++/*
++ * Returns the size (in bytes) of all translated code (i.e. from all regions)
++ * currently in the cache.
++ * See also: tcg_code_capacity()
++ * Do not confuse with tcg_current_code_size(); that one applies to a single
++ * TCG context.
++ */
++size_t tcg_code_size(void)
++{
++    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int i;
++    size_t total;
++
++    qemu_mutex_lock(&region.lock);
++    total = region.agg_size_full;
++    for (i = 0; i < n_ctxs; i++) {
++        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
++        size_t size;
++
++        size = qatomic_read(&s->code_gen_ptr) - s->code_gen_buffer;
++        g_assert(size <= s->code_gen_buffer_size);
++        total += size;
++    }
++    qemu_mutex_unlock(&region.lock);
++    return total;
++}
++
++/*
++ * Returns the code capacity (in bytes) of the entire cache, i.e. including all
++ * regions.
++ * See also: tcg_code_size()
++ */
++size_t tcg_code_capacity(void)
++{
++    size_t guard_size, capacity;
++
++    /* no need for synchronization; these variables are set at init time */
++    guard_size = region.stride - region.size;
++    capacity = region.end + guard_size - region.start;
++    capacity -= region.n * (guard_size + TCG_HIGHWATER);
++    return capacity;
++}
++
++size_t tcg_tb_phys_invalidate_count(void)
++{
++    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int i;
++    size_t total = 0;
++
++    for (i = 0; i < n_ctxs; i++) {
++        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
++
++        total += qatomic_read(&s->tb_phys_invalidate_count);
++    }
++    return total;
++}
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@
+ #include "elf.h"
+ #include "exec/log.h"
++#include "tcg-internal.h"
+ /* Forward declarations for functions declared in tcg-target.c.inc and
+    used here. */
+@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
+ static int tcg_out_ldst_finalize(TCGContext *s);
+ #endif
+-#define TCG_HIGHWATER 1024
+-
+-static TCGContext **tcg_ctxs;
+-static unsigned int n_tcg_ctxs;
++TCGContext **tcg_ctxs;
++unsigned int n_tcg_ctxs;
+ TCGv_env cpu_env = 0;
+ const void *tcg_code_gen_epilogue;
+ uintptr_t tcg_splitwx_diff;
+@@ -XXX,XX +XXX,XX @@ uintptr_t tcg_splitwx_diff;
+ tcg_prologue_fn *tcg_qemu_tb_exec;
+ #endif
+-struct tcg_region_tree {
+-    QemuMutex lock;
+-    GTree *tree;
+-    /* padding to avoid false sharing is computed at run-time */
+-};
+-
+-/*
+- * We divide code_gen_buffer into equally-sized "regions" that TCG threads
+- * dynamically allocate from as demand dictates. Given appropriate region
+- * sizing, this minimizes flushes even when some TCG threads generate a lot
+- * more code than others.
+- */
+-struct tcg_region_state {
+-    QemuMutex lock;
+-
+-    /* fields set at init time */
+-    void *start;
+-    void *start_aligned;
+-    void *end;
+-    size_t n;
+-    size_t size; /* size of one region */
+-    size_t stride; /* .size + guard size */
+-
+-    /* fields protected by the lock */
+-    size_t current; /* current region index */
+-    size_t agg_size_full; /* aggregate size of full regions */
+-};
+-
+-static struct tcg_region_state region;
+-/*
+- * This is an array of struct tcg_region_tree's, with padding.
+- * We use void * to simplify the computation of region_trees[i]; each
+- * struct is found every tree_size bytes.
+- */
+-static void *region_trees;
+-static size_t tree_size;
+ static TCGRegSet tcg_target_available_regs[TCG_TYPE_COUNT];
+ static TCGRegSet tcg_target_call_clobber_regs;
+@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
+ #include "tcg-target.c.inc"
+-/* compare a pointer @ptr and a tb_tc @s */
+-static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
+-{
+-    if (ptr >= s->ptr + s->size) {
+-        return 1;
+-    } else if (ptr < s->ptr) {
+-        return -1;
+-    }
+-    return 0;
+-}
+-
+-static gint tb_tc_cmp(gconstpointer ap, gconstpointer bp)
+-{
+-    const struct tb_tc *a = ap;
+-    const struct tb_tc *b = bp;
+-
+-    /*
+-     * When both sizes are set, we know this isn't a lookup.
+-     * This is the most likely case: every TB must be inserted; lookups
+-     * are a lot less frequent.
+-     */
+-    if (likely(a->size && b->size)) {
+-        if (a->ptr > b->ptr) {
+-            return 1;
+-        } else if (a->ptr < b->ptr) {
+-            return -1;
+-        }
+-        /* a->ptr == b->ptr should happen only on deletions */
+-        g_assert(a->size == b->size);
+-        return 0;
+-    }
+-    /*
+-     * All lookups have either .size field set to 0.
+-     * From the glib sources we see that @ap is always the lookup key. However
+-     * the docs provide no guarantee, so we just mark this case as likely.
+-     */
+-    if (likely(a->size == 0)) {
+-        return ptr_cmp_tb_tc(a->ptr, b);
+-    }
+-    return ptr_cmp_tb_tc(b->ptr, a);
+-}
+-
+-static void tcg_region_trees_init(void)
+-{
+-    size_t i;
+-
+-    tree_size = ROUND_UP(sizeof(struct tcg_region_tree), qemu_dcache_linesize);
+-    region_trees = qemu_memalign(qemu_dcache_linesize, region.n * tree_size);
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        qemu_mutex_init(&rt->lock);
+-        rt->tree = g_tree_new(tb_tc_cmp);
+-    }
+-}
+-
+-static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p)
+-{
+-    size_t region_idx;
+-
+-    /*
+-     * Like tcg_splitwx_to_rw, with no assert.  The pc may come from
+-     * a signal handler over which the caller has no control.
+-     */
+-    if (!in_code_gen_buffer(p)) {
+-        p -= tcg_splitwx_diff;
+-        if (!in_code_gen_buffer(p)) {
+-            return NULL;
+-        }
+-    }
+-
+-    if (p < region.start_aligned) {
+-        region_idx = 0;
+-    } else {
+-        ptrdiff_t offset = p - region.start_aligned;
+-
+-        if (offset > region.stride * (region.n - 1)) {
+-            region_idx = region.n - 1;
+-        } else {
+-            region_idx = offset / region.stride;
+-        }
+-    }
+-    return region_trees + region_idx * tree_size;
+-}
+-
+-void tcg_tb_insert(TranslationBlock *tb)
+-{
+-    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
+-
+-    g_assert(rt != NULL);
+-    qemu_mutex_lock(&rt->lock);
+-    g_tree_insert(rt->tree, &tb->tc, tb);
+-    qemu_mutex_unlock(&rt->lock);
+-}
+-
+-void tcg_tb_remove(TranslationBlock *tb)
+-{
+-    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
+-
+-    g_assert(rt != NULL);
+-    qemu_mutex_lock(&rt->lock);
+-    g_tree_remove(rt->tree, &tb->tc);
+-    qemu_mutex_unlock(&rt->lock);
+-}
+-
+-/*
+- * Find the TB 'tb' such that
+- * tb->tc.ptr <= tc_ptr < tb->tc.ptr + tb->tc.size
+- * Return NULL if not found.
+- */
+-TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
+-{
+-    struct tcg_region_tree *rt = tc_ptr_to_region_tree((void *)tc_ptr);
+-    TranslationBlock *tb;
+-    struct tb_tc s = { .ptr = (void *)tc_ptr };
+-
+-    if (rt == NULL) {
+-        return NULL;
+-    }
+-
+-    qemu_mutex_lock(&rt->lock);
+-    tb = g_tree_lookup(rt->tree, &s);
+-    qemu_mutex_unlock(&rt->lock);
+-    return tb;
+-}
+-
+-static void tcg_region_tree_lock_all(void)
+-{
+-    size_t i;
+-
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        qemu_mutex_lock(&rt->lock);
+-    }
+-}
+-
+-static void tcg_region_tree_unlock_all(void)
+-{
+-    size_t i;
+-
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        qemu_mutex_unlock(&rt->lock);
+-    }
+-}
+-
+-void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
+-{
+-    size_t i;
+-
+-    tcg_region_tree_lock_all();
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        g_tree_foreach(rt->tree, func, user_data);
+-    }
+-    tcg_region_tree_unlock_all();
+-}
+-
+-size_t tcg_nb_tbs(void)
+-{
+-    size_t nb_tbs = 0;
+-    size_t i;
+-
+-    tcg_region_tree_lock_all();
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        nb_tbs += g_tree_nnodes(rt->tree);
+-    }
+-    tcg_region_tree_unlock_all();
+-    return nb_tbs;
+-}
+-
+-static gboolean tcg_region_tree_traverse(gpointer k, gpointer v, gpointer data)
+-{
+-    TranslationBlock *tb = v;
+-
+-    tb_destroy(tb);
+-    return FALSE;
+-}
+-
+-static void tcg_region_tree_reset_all(void)
+-{
+-    size_t i;
+-
+-    tcg_region_tree_lock_all();
+-    for (i = 0; i < region.n; i++) {
+-        struct tcg_region_tree *rt = region_trees + i * tree_size;
+-
+-        g_tree_foreach(rt->tree, tcg_region_tree_traverse, NULL);
+-        /* Increment the refcount first so that destroy acts as a reset */
+-        g_tree_ref(rt->tree);
+-        g_tree_destroy(rt->tree);
+-    }
+-    tcg_region_tree_unlock_all();
+-}
+-
+-static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
+-{
+-    void *start, *end;
+-
+-    start = region.start_aligned + curr_region * region.stride;
+-    end = start + region.size;
+-
+-    if (curr_region == 0) {
+-        start = region.start;
+-    }
+-    if (curr_region == region.n - 1) {
+-        end = region.end;
+-    }
+-
+-    *pstart = start;
+-    *pend = end;
+-}
+-
+-static void tcg_region_assign(TCGContext *s, size_t curr_region)
+-{
+-    void *start, *end;
+-
+-    tcg_region_bounds(curr_region, &start, &end);
+-
+-    s->code_gen_buffer = start;
+-    s->code_gen_ptr = start;
+-    s->code_gen_buffer_size = end - start;
+-    s->code_gen_highwater = end - TCG_HIGHWATER;
+-}
+-
+-static bool tcg_region_alloc__locked(TCGContext *s)
+-{
+-    if (region.current == region.n) {
+-        return true;
+-    }
+-    tcg_region_assign(s, region.current);
+-    region.current++;
+-    return false;
+-}
+-
+-/*
+- * Request a new region once the one in use has filled up.
+- * Returns true on error.
+- */
+-static bool tcg_region_alloc(TCGContext *s)
+-{
+-    bool err;
+-    /* read the region size now; alloc__locked will overwrite it on success */
+-    size_t size_full = s->code_gen_buffer_size;
+-
+-    qemu_mutex_lock(&region.lock);
+-    err = tcg_region_alloc__locked(s);
+-    if (!err) {
+-        region.agg_size_full += size_full - TCG_HIGHWATER;
+-    }
+-    qemu_mutex_unlock(&region.lock);
+-    return err;
+-}
+-
+-/*
+- * Perform a context's first region allocation.
+- * This function does _not_ increment region.agg_size_full.
+- */
+-static void tcg_region_initial_alloc__locked(TCGContext *s)
+-{
+-    bool err = tcg_region_alloc__locked(s);
+-    g_assert(!err);
+-}
+-
+-#ifndef CONFIG_USER_ONLY
+-static void tcg_region_initial_alloc(TCGContext *s)
+-{
+-    qemu_mutex_lock(&region.lock);
+-    tcg_region_initial_alloc__locked(s);
+-    qemu_mutex_unlock(&region.lock);
+-}
+-#endif
+-
+-/* Call from a safe-work context */
+-void tcg_region_reset_all(void)
+-{
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+-    unsigned int i;
+-
+-    qemu_mutex_lock(&region.lock);
+-    region.current = 0;
+-    region.agg_size_full = 0;
+-
+-    for (i = 0; i < n_ctxs; i++) {
+-        TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+-        tcg_region_initial_alloc__locked(s);
+-    }
+-    qemu_mutex_unlock(&region.lock);
+-
+-    tcg_region_tree_reset_all();
+-}
+-
+-#ifdef CONFIG_USER_ONLY
+-static size_t tcg_n_regions(void)
+-{
+-    return 1;
+-}
+-#else
+-/*
+- * It is likely that some vCPUs will translate more code than others, so we
+- * first try to set more regions than max_cpus, with those regions being of
+- * reasonable size. If that's not possible we make do by evenly dividing
+- * the code_gen_buffer among the vCPUs.
+- */
+-static size_t tcg_n_regions(void)
+-{
+-    size_t i;
+-
+-    /* Use a single region if all we have is one vCPU thread */
+-#if !defined(CONFIG_USER_ONLY)
+-    MachineState *ms = MACHINE(qdev_get_machine());
+-    unsigned int max_cpus = ms->smp.max_cpus;
+-#endif
+-    if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
+-        return 1;
+-    }
+-
+-    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
+-    for (i = 8; i > 0; i--) {
+-        size_t regions_per_thread = i;
+-        size_t region_size;
+-
+-        region_size = tcg_init_ctx.code_gen_buffer_size;
+-        region_size /= max_cpus * regions_per_thread;
+-
+-        if (region_size >= 2 * 1024u * 1024) {
+-            return max_cpus * regions_per_thread;
+-        }
+-    }
+-    /* If we can't, then just allocate one region per vCPU thread */
+-    return max_cpus;
+-}
+-#endif
+-
+-/*
+- * Initializes region partitioning.
+- *
+- * Called at init time from the parent thread (i.e. the one calling
+- * tcg_context_init), after the target's TCG globals have been set.
+- *
+- * Region partitioning works by splitting code_gen_buffer into separate regions,
+- * and then assigning regions to TCG threads so that the threads can translate
+- * code in parallel without synchronization.
+- *
+- * In softmmu the number of TCG threads is bounded by max_cpus, so we use at
+- * least max_cpus regions in MTTCG. In !MTTCG we use a single region.
+- * Note that the TCG options from the command-line (i.e. -accel accel=tcg,[...])
+- * must have been parsed before calling this function, since it calls
+- * qemu_tcg_mttcg_enabled().
+- *
+- * In user-mode we use a single region.  Having multiple regions in user-mode
+- * is not supported, because the number of vCPU threads (recall that each thread
+- * spawned by the guest corresponds to a vCPU thread) is only bounded by the
+- * OS, and usually this number is huge (tens of thousands is not uncommon).
+- * Thus, given this large bound on the number of vCPU threads and the fact
+- * that code_gen_buffer is allocated at compile-time, we cannot guarantee
+- * that the availability of at least one region per vCPU thread.
+- *
+- * However, this user-mode limitation is unlikely to be a significant problem
+- * in practice. Multi-threaded guests share most if not all of their translated
+- * code, which makes parallel code generation less appealing than in softmmu.
+- */
+-void tcg_region_init(void)
+-{
+-    void *buf = tcg_init_ctx.code_gen_buffer;
+-    void *aligned;
+-    size_t size = tcg_init_ctx.code_gen_buffer_size;
+-    size_t page_size = qemu_real_host_page_size;
+-    size_t region_size;
+-    size_t n_regions;
+-    size_t i;
+-
+-    n_regions = tcg_n_regions();
+-
+-    /* The first region will be 'aligned - buf' bytes larger than the others */
+-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
+-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
+-    /*
+-     * Make region_size a multiple of page_size, using aligned as the start.
+-     * As a result of this we might end up with a few extra pages at the end of
+-     * the buffer; we will assign those to the last region.
+-     */
+-    region_size = (size - (aligned - buf)) / n_regions;
+-    region_size = QEMU_ALIGN_DOWN(region_size, page_size);
+-
+-    /* A region must have at least 2 pages; one code, one guard */
+-    g_assert(region_size >= 2 * page_size);
+-
+-    /* init the region struct */
+-    qemu_mutex_init(&region.lock);
+-    region.n = n_regions;
+-    region.size = region_size - page_size;
+-    region.stride = region_size;
+-    region.start = buf;
+-    region.start_aligned = aligned;
+-    /* page-align the end, since its last page will be a guard page */
+-    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
+-    /* account for that last guard page */
+-    region.end -= page_size;
+-
+-    /*
+-     * Set guard pages in the rw buffer, as that's the one into which
+-     * buffer overruns could occur.  Do not set guard pages in the rx
+-     * buffer -- let that one use hugepages throughout.
+-     */
+-    for (i = 0; i < region.n; i++) {
+-        void *start, *end;
+-
+-        tcg_region_bounds(i, &start, &end);
+-
+-        /*
+-         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
+-         * rejects a permission change from RWX -> NONE.  Guard pages are
+-         * nice for bug detection but are not essential; ignore any failure.
+-         */
+-        (void)qemu_mprotect_none(end, page_size);
+-    }
+-
+-    tcg_region_trees_init();
+-
+-    /*
+-     * Leave the initial context initialized to the first region.
+-     * This will be the context into which we generate the prologue.
+-     * It is also the only context for CONFIG_USER_ONLY.
+-     */
+-    tcg_region_initial_alloc__locked(&tcg_init_ctx);
+-}
+-
+-static void tcg_region_prologue_set(TCGContext *s)
+-{
+-    /* Deduct the prologue from the first region.  */
+-    g_assert(region.start == s->code_gen_buffer);
+-    region.start = s->code_ptr;
+-
+-    /* Recompute boundaries of the first region. */
+-    tcg_region_assign(s, 0);
+-
+-    /* Register the balance of the buffer with gdb. */
+-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+-                     region.end - region.start);
+-}
+-
+ #ifdef CONFIG_DEBUG_TCG
+ const void *tcg_splitwx_to_rx(void *rw)
+ {
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+ }
+ #endif /* !CONFIG_USER_ONLY */
+-/*
+- * Returns the size (in bytes) of all translated code (i.e. from all regions)
+- * currently in the cache.
+- * See also: tcg_code_capacity()
+- * Do not confuse with tcg_current_code_size(); that one applies to a single
+- * TCG context.
+- */
+-size_t tcg_code_size(void)
+-{
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+-    unsigned int i;
+-    size_t total;
+-
+-    qemu_mutex_lock(&region.lock);
+-    total = region.agg_size_full;
+-    for (i = 0; i < n_ctxs; i++) {
+-        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+-        size_t size;
+-
+-        size = qatomic_read(&s->code_gen_ptr) - s->code_gen_buffer;
+-        g_assert(size <= s->code_gen_buffer_size);
+-        total += size;
+-    }
+-    qemu_mutex_unlock(&region.lock);
+-    return total;
+-}
+-
+-/*
+- * Returns the code capacity (in bytes) of the entire cache, i.e. including all
+- * regions.
+- * See also: tcg_code_size()
+- */
+-size_t tcg_code_capacity(void)
+-{
+-    size_t guard_size, capacity;
+-
+-    /* no need for synchronization; these variables are set at init time */
+-    guard_size = region.stride - region.size;
+-    capacity = region.end + guard_size - region.start;
+-    capacity -= region.n * (guard_size + TCG_HIGHWATER);
+-    return capacity;
+-}
+-
+-size_t tcg_tb_phys_invalidate_count(void)
+-{
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+-    unsigned int i;
+-    size_t total = 0;
+-
+-    for (i = 0; i < n_ctxs; i++) {
+-        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+-
+-        total += qatomic_read(&s->tb_phys_invalidate_count);
+-    }
+-    return total;
+-}
+-
+ /* pool based memory allocation */
+ void *tcg_malloc_internal(TCGContext *s, int size)
+ {
+diff --git a/tcg/meson.build b/tcg/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/meson.build
++++ b/tcg/meson.build
+@@ -XXX,XX +XXX,XX @@ tcg_ss = ss.source_set()
+ tcg_ss.add(files(
+   'optimize.c',
++  'region.c',
+   'tcg.c',
+   'tcg-common.c',
+   'tcg-op.c',
+--
+.25.1

-New patch
+[PULL 08/34] accel/tcg: Inline cpu_gen_init
+It consists of one function call and has only one caller.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/translate-all.c | 7 +------
+file changed, 1 insertion(+), 6 deletions(-)
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/translate-all.c
++++ b/accel/tcg/translate-all.c
+@@ -XXX,XX +XXX,XX @@ static void page_table_config_init(void)
+     assert(v_l2_levels >= 0);
+ }
+-static void cpu_gen_init(void)
+-{
+-    tcg_context_init(&tcg_init_ctx);
+-}
+-
+ /* Encode VAL as a signed leb128 sequence at P.
+    Return P incremented past the encoded value.  */
+ static uint8_t *encode_sleb128(uint8_t *p, target_long val)
+@@ -XXX,XX +XXX,XX @@ void tcg_exec_init(unsigned long tb_size, int splitwx)
+     bool ok;
+     tcg_allowed = true;
+-    cpu_gen_init();
++    tcg_context_init(&tcg_init_ctx);
+     page_init();
+     tb_htable_init();
+--
+.25.1

-New patch
+[PULL 09/34] accel/tcg: Move alloc_code_gen_buffer to tcg/region.c
+Buffer management is integral to tcg.  Do not leave the allocation
+to code outside of tcg/.  This is code movement, with further
+cleanups to follow.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ include/tcg/tcg.h         |   2 +-
+ accel/tcg/translate-all.c | 414 +-----------------------------------
+ tcg/region.c              | 431 +++++++++++++++++++++++++++++++++++++-
+files changed, 428 insertions(+), 419 deletions(-)
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/tcg/tcg.h
++++ b/include/tcg/tcg.h
+@@ -XXX,XX +XXX,XX @@ void *tcg_malloc_internal(TCGContext *s, int size);
+ void tcg_pool_reset(TCGContext *s);
+ TranslationBlock *tcg_tb_alloc(TCGContext *s);
+-void tcg_region_init(void);
++void tcg_region_init(size_t tb_size, int splitwx);
+ void tb_destroy(TranslationBlock *tb);
+ void tcg_region_reset_all(void);
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/translate-all.c
++++ b/accel/tcg/translate-all.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
+-#include "qemu/units.h"
+ #include "qemu-common.h"
+ #define NO_CPU_IO_DEFS
+@@ -XXX,XX +XXX,XX @@
+ #include "exec/cputlb.h"
+ #include "exec/translate-all.h"
+ #include "qemu/bitmap.h"
+-#include "qemu/error-report.h"
+ #include "qemu/qemu-print.h"
+ #include "qemu/timer.h"
+ #include "qemu/main-loop.h"
+@@ -XXX,XX +XXX,XX @@ static void page_lock_pair(PageDesc **ret_p1, tb_page_addr_t phys1,
+     }
+ }
+-/* Minimum size of the code gen buffer.  This number is randomly chosen,
+-   but not so small that we can't have a fair number of TB's live.  */
+-#define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
+-
+-/* Maximum size of the code gen buffer we'd like to use.  Unless otherwise
+-   indicated, this is constrained by the range of direct branches on the
+-   host cpu, as used by the TCG implementation of goto_tb.  */
+-#if defined(__x86_64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__sparc__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__powerpc64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__powerpc__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
+-#elif defined(__aarch64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__s390x__)
+-  /* We have a +- 4GB range on the branches; leave some slop.  */
+-# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
+-#elif defined(__mips__)
+-  /* We have a 256MB branch region, but leave room to make sure the
+-     main executable is also within that region.  */
+-# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
+-#else
+-# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
+-#endif
+-
+-#if TCG_TARGET_REG_BITS == 32
+-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
+-#ifdef CONFIG_USER_ONLY
+-/*
+- * For user mode on smaller 32 bit systems we may run into trouble
+- * allocating big chunks of data in the right place. On these systems
+- * we utilise a static code generation buffer directly in the binary.
+- */
+-#define USE_STATIC_CODE_GEN_BUFFER
+-#endif
+-#else /* TCG_TARGET_REG_BITS == 64 */
+-#ifdef CONFIG_USER_ONLY
+-/*
+- * As user-mode emulation typically means running multiple instances
+- * of the translator don't go too nuts with our default code gen
+- * buffer lest we make things too hard for the OS.
+- */
+-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (128 * MiB)
+-#else
+-/*
+- * We expect most system emulation to run one or two guests per host.
+- * Users running large scale system emulation may want to tweak their
+- * runtime setup via the tb-size control on the command line.
+- */
+-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (1 * GiB)
+-#endif
+-#endif
+-
+-#define DEFAULT_CODE_GEN_BUFFER_SIZE \
+-  (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
+-   ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
+-
+-static size_t size_code_gen_buffer(size_t tb_size)
+-{
+-    /* Size the buffer.  */
+-    if (tb_size == 0) {
+-        size_t phys_mem = qemu_get_host_physmem();
+-        if (phys_mem == 0) {
+-            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
+-        } else {
+-            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
+-        }
+-    }
+-    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
+-        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
+-    }
+-    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
+-        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
+-    }
+-    return tb_size;
+-}
+-
+-#ifdef __mips__
+-/* In order to use J and JAL within the code_gen_buffer, we require
+-   that the buffer not cross a 256MB boundary.  */
+-static inline bool cross_256mb(void *addr, size_t size)
+-{
+-    return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
+-}
+-
+-/* We weren't able to allocate a buffer without crossing that boundary,
+-   so make do with the larger portion of the buffer that doesn't cross.
+-   Returns the new base of the buffer, and adjusts code_gen_buffer_size.  */
+-static inline void *split_cross_256mb(void *buf1, size_t size1)
+-{
+-    void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
+-    size_t size2 = buf1 + size1 - buf2;
+-
+-    size1 = buf2 - buf1;
+-    if (size1 < size2) {
+-        size1 = size2;
+-        buf1 = buf2;
+-    }
+-
+-    tcg_ctx->code_gen_buffer_size = size1;
+-    return buf1;
+-}
+-#endif
+-
+-#ifdef USE_STATIC_CODE_GEN_BUFFER
+-static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
+-    __attribute__((aligned(CODE_GEN_ALIGN)));
+-
+-static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+-{
+-    void *buf, *end;
+-    size_t size;
+-
+-    if (splitwx > 0) {
+-        error_setg(errp, "jit split-wx not supported");
+-        return false;
+-    }
+-
+-    /* page-align the beginning and end of the buffer */
+-    buf = static_code_gen_buffer;
+-    end = static_code_gen_buffer + sizeof(static_code_gen_buffer);
+-    buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size);
+-    end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size);
+-
+-    size = end - buf;
+-
+-    /* Honor a command-line option limiting the size of the buffer.  */
+-    if (size > tb_size) {
+-        size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
+-    }
+-    tcg_ctx->code_gen_buffer_size = size;
+-
+-#ifdef __mips__
+-    if (cross_256mb(buf, size)) {
+-        buf = split_cross_256mb(buf, size);
+-        size = tcg_ctx->code_gen_buffer_size;
+-    }
+-#endif
+-
+-    if (qemu_mprotect_rwx(buf, size)) {
+-        error_setg_errno(errp, errno, "mprotect of jit buffer");
+-        return false;
+-    }
+-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+-
+-    tcg_ctx->code_gen_buffer = buf;
+-    return true;
+-}
+-#elif defined(_WIN32)
+-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+-{
+-    void *buf;
+-
+-    if (splitwx > 0) {
+-        error_setg(errp, "jit split-wx not supported");
+-        return false;
+-    }
+-
+-    buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
+-                             PAGE_EXECUTE_READWRITE);
+-    if (buf == NULL) {
+-        error_setg_win32(errp, GetLastError(),
+-                         "allocate %zu bytes for jit buffer", size);
+-        return false;
+-    }
+-
+-    tcg_ctx->code_gen_buffer = buf;
+-    tcg_ctx->code_gen_buffer_size = size;
+-    return true;
+-}
+-#else
+-static bool alloc_code_gen_buffer_anon(size_t size, int prot,
+-                                       int flags, Error **errp)
+-{
+-    void *buf;
+-
+-    buf = mmap(NULL, size, prot, flags, -1, 0);
+-    if (buf == MAP_FAILED) {
+-        error_setg_errno(errp, errno,
+-                         "allocate %zu bytes for jit buffer", size);
+-        return false;
+-    }
+-    tcg_ctx->code_gen_buffer_size = size;
+-
+-#ifdef __mips__
+-    if (cross_256mb(buf, size)) {
+-        /*
+-         * Try again, with the original still mapped, to avoid re-acquiring
+-         * the same 256mb crossing.
+-         */
+-        size_t size2;
+-        void *buf2 = mmap(NULL, size, prot, flags, -1, 0);
+-        switch ((int)(buf2 != MAP_FAILED)) {
+-        case 1:
+-            if (!cross_256mb(buf2, size)) {
+-                /* Success!  Use the new buffer.  */
+-                munmap(buf, size);
+-                break;
+-            }
+-            /* Failure.  Work with what we had.  */
+-            munmap(buf2, size);
+-            /* fallthru */
+-        default:
+-            /* Split the original buffer.  Free the smaller half.  */
+-            buf2 = split_cross_256mb(buf, size);
+-            size2 = tcg_ctx->code_gen_buffer_size;
+-            if (buf == buf2) {
+-                munmap(buf + size2, size - size2);
+-            } else {
+-                munmap(buf, size - size2);
+-            }
+-            size = size2;
+-            break;
+-        }
+-        buf = buf2;
+-    }
+-#endif
+-
+-    /* Request large pages for the buffer.  */
+-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+-
+-    tcg_ctx->code_gen_buffer = buf;
+-    return true;
+-}
+-
+-#ifndef CONFIG_TCG_INTERPRETER
+-#ifdef CONFIG_POSIX
+-#include "qemu/memfd.h"
+-
+-static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
+-{
+-    void *buf_rw = NULL, *buf_rx = MAP_FAILED;
+-    int fd = -1;
+-
+-#ifdef __mips__
+-    /* Find space for the RX mapping, vs the 256MiB regions. */
+-    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
+-                                    MAP_PRIVATE | MAP_ANONYMOUS |
+-                                    MAP_NORESERVE, errp)) {
+-        return false;
+-    }
+-    /* The size of the mapping may have been adjusted. */
+-    size = tcg_ctx->code_gen_buffer_size;
+-    buf_rx = tcg_ctx->code_gen_buffer;
+-#endif
+-
+-    buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
+-    if (buf_rw == NULL) {
+-        goto fail;
+-    }
+-
+-#ifdef __mips__
+-    void *tmp = mmap(buf_rx, size, PROT_READ | PROT_EXEC,
+-                     MAP_SHARED | MAP_FIXED, fd, 0);
+-    if (tmp != buf_rx) {
+-        goto fail_rx;
+-    }
+-#else
+-    buf_rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
+-    if (buf_rx == MAP_FAILED) {
+-        goto fail_rx;
+-    }
+-#endif
+-
+-    close(fd);
+-    tcg_ctx->code_gen_buffer = buf_rw;
+-    tcg_ctx->code_gen_buffer_size = size;
+-    tcg_splitwx_diff = buf_rx - buf_rw;
+-
+-    /* Request large pages for the buffer and the splitwx.  */
+-    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
+-    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
+-    return true;
+-
+- fail_rx:
+-    error_setg_errno(errp, errno, "failed to map shared memory for execute");
+- fail:
+-    if (buf_rx != MAP_FAILED) {
+-        munmap(buf_rx, size);
+-    }
+-    if (buf_rw) {
+-        munmap(buf_rw, size);
+-    }
+-    if (fd >= 0) {
+-        close(fd);
+-    }
+-    return false;
+-}
+-#endif /* CONFIG_POSIX */
+-
+-#ifdef CONFIG_DARWIN
+-#include <mach/mach.h>
+-
+-extern kern_return_t mach_vm_remap(vm_map_t target_task,
+-                                   mach_vm_address_t *target_address,
+-                                   mach_vm_size_t size,
+-                                   mach_vm_offset_t mask,
+-                                   int flags,
+-                                   vm_map_t src_task,
+-                                   mach_vm_address_t src_address,
+-                                   boolean_t copy,
+-                                   vm_prot_t *cur_protection,
+-                                   vm_prot_t *max_protection,
+-                                   vm_inherit_t inheritance);
+-
+-static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
+-{
+-    kern_return_t ret;
+-    mach_vm_address_t buf_rw, buf_rx;
+-    vm_prot_t cur_prot, max_prot;
+-
+-    /* Map the read-write portion via normal anon memory. */
+-    if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
+-                                    MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
+-        return false;
+-    }
+-
+-    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
+-    buf_rx = 0;
+-    ret = mach_vm_remap(mach_task_self(),
+-                        &buf_rx,
+-                        size,
+-                        0,
+-                        VM_FLAGS_ANYWHERE,
+-                        mach_task_self(),
+-                        buf_rw,
+-                        false,
+-                        &cur_prot,
+-                        &max_prot,
+-                        VM_INHERIT_NONE);
+-    if (ret != KERN_SUCCESS) {
+-        /* TODO: Convert "ret" to a human readable error message. */
+-        error_setg(errp, "vm_remap for jit splitwx failed");
+-        munmap((void *)buf_rw, size);
+-        return false;
+-    }
+-
+-    if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
+-        error_setg_errno(errp, errno, "mprotect for jit splitwx");
+-        munmap((void *)buf_rx, size);
+-        munmap((void *)buf_rw, size);
+-        return false;
+-    }
+-
+-    tcg_splitwx_diff = buf_rx - buf_rw;
+-    return true;
+-}
+-#endif /* CONFIG_DARWIN */
+-#endif /* CONFIG_TCG_INTERPRETER */
+-
+-static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
+-{
+-#ifndef CONFIG_TCG_INTERPRETER
+-# ifdef CONFIG_DARWIN
+-    return alloc_code_gen_buffer_splitwx_vmremap(size, errp);
+-# endif
+-# ifdef CONFIG_POSIX
+-    return alloc_code_gen_buffer_splitwx_memfd(size, errp);
+-# endif
+-#endif
+-    error_setg(errp, "jit split-wx not supported");
+-    return false;
+-}
+-
+-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+-{
+-    ERRP_GUARD();
+-    int prot, flags;
+-
+-    if (splitwx) {
+-        if (alloc_code_gen_buffer_splitwx(size, errp)) {
+-            return true;
+-        }
+-        /*
+-         * If splitwx force-on (1), fail;
+-         * if splitwx default-on (-1), fall through to splitwx off.
+-         */
+-        if (splitwx > 0) {
+-            return false;
+-        }
+-        error_free_or_abort(errp);
+-    }
+-
+-    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
+-    flags = MAP_PRIVATE | MAP_ANONYMOUS;
+-#ifdef CONFIG_TCG_INTERPRETER
+-    /* The tcg interpreter does not need execute permission. */
+-    prot = PROT_READ | PROT_WRITE;
+-#elif defined(CONFIG_DARWIN)
+-    /* Applicable to both iOS and macOS (Apple Silicon). */
+-    if (!splitwx) {
+-        flags |= MAP_JIT;
+-    }
+-#endif
+-
+-    return alloc_code_gen_buffer_anon(size, prot, flags, errp);
+-}
+-#endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
+-
+ static bool tb_cmp(const void *ap, const void *bp)
+ {
+     const TranslationBlock *a = ap;
+@@ -XXX,XX +XXX,XX @@ static void tb_htable_init(void)
+    size. */
+ void tcg_exec_init(unsigned long tb_size, int splitwx)
+ {
+-    bool ok;
+-
+     tcg_allowed = true;
+     tcg_context_init(&tcg_init_ctx);
+     page_init();
+     tb_htable_init();
+-
+-    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
+-                               splitwx, &error_fatal);
+-    assert(ok);
+-
+-    /* TODO: allocating regions is hand-in-glove with code_gen_buffer. */
+-    tcg_region_init();
++    tcg_region_init(tb_size, splitwx);
+ #if defined(CONFIG_SOFTMMU)
+     /* There's no guest base to take into account, so go ahead and
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@
+  */
+ #include "qemu/osdep.h"
++#include "qemu/units.h"
++#include "qapi/error.h"
+ #include "exec/exec-all.h"
+ #include "tcg/tcg.h"
+ #if !defined(CONFIG_USER_ONLY)
+@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
+ }
+ #endif
++/*
++ * Minimum size of the code gen buffer.  This number is randomly chosen,
++ * but not so small that we can't have a fair number of TB's live.
++ */
++#define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
++
++/*
++ * Maximum size of the code gen buffer we'd like to use.  Unless otherwise
++ * indicated, this is constrained by the range of direct branches on the
++ * host cpu, as used by the TCG implementation of goto_tb.
++ */
++#if defined(__x86_64__)
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
++#elif defined(__sparc__)
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
++#elif defined(__powerpc64__)
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
++#elif defined(__powerpc__)
++# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
++#elif defined(__aarch64__)
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
++#elif defined(__s390x__)
++  /* We have a +- 4GB range on the branches; leave some slop.  */
++# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
++#elif defined(__mips__)
++  /*
++   * We have a 256MB branch region, but leave room to make sure the
++   * main executable is also within that region.
++   */
++# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
++#else
++# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
++#endif
++
++#if TCG_TARGET_REG_BITS == 32
++#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
++#ifdef CONFIG_USER_ONLY
++/*
++ * For user mode on smaller 32 bit systems we may run into trouble
++ * allocating big chunks of data in the right place. On these systems
++ * we utilise a static code generation buffer directly in the binary.
++ */
++#define USE_STATIC_CODE_GEN_BUFFER
++#endif
++#else /* TCG_TARGET_REG_BITS == 64 */
++#ifdef CONFIG_USER_ONLY
++/*
++ * As user-mode emulation typically means running multiple instances
++ * of the translator don't go too nuts with our default code gen
++ * buffer lest we make things too hard for the OS.
++ */
++#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (128 * MiB)
++#else
++/*
++ * We expect most system emulation to run one or two guests per host.
++ * Users running large scale system emulation may want to tweak their
++ * runtime setup via the tb-size control on the command line.
++ */
++#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (1 * GiB)
++#endif
++#endif
++
++#define DEFAULT_CODE_GEN_BUFFER_SIZE \
++  (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
++   ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
++
++static size_t size_code_gen_buffer(size_t tb_size)
++{
++    /* Size the buffer.  */
++    if (tb_size == 0) {
++        size_t phys_mem = qemu_get_host_physmem();
++        if (phys_mem == 0) {
++            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
++        } else {
++            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
++        }
++    }
++    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
++        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
++    }
++    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
++        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
++    }
++    return tb_size;
++}
++
++#ifdef __mips__
++/*
++ * In order to use J and JAL within the code_gen_buffer, we require
++ * that the buffer not cross a 256MB boundary.
++ */
++static inline bool cross_256mb(void *addr, size_t size)
++{
++    return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
++}
++
++/*
++ * We weren't able to allocate a buffer without crossing that boundary,
++ * so make do with the larger portion of the buffer that doesn't cross.
++ * Returns the new base of the buffer, and adjusts code_gen_buffer_size.
++ */
++static inline void *split_cross_256mb(void *buf1, size_t size1)
++{
++    void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
++    size_t size2 = buf1 + size1 - buf2;
++
++    size1 = buf2 - buf1;
++    if (size1 < size2) {
++        size1 = size2;
++        buf1 = buf2;
++    }
++
++    tcg_ctx->code_gen_buffer_size = size1;
++    return buf1;
++}
++#endif
++
++#ifdef USE_STATIC_CODE_GEN_BUFFER
++static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
++    __attribute__((aligned(CODE_GEN_ALIGN)));
++
++static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
++{
++    void *buf, *end;
++    size_t size;
++
++    if (splitwx > 0) {
++        error_setg(errp, "jit split-wx not supported");
++        return false;
++    }
++
++    /* page-align the beginning and end of the buffer */
++    buf = static_code_gen_buffer;
++    end = static_code_gen_buffer + sizeof(static_code_gen_buffer);
++    buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size);
++    end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size);
++
++    size = end - buf;
++
++    /* Honor a command-line option limiting the size of the buffer.  */
++    if (size > tb_size) {
++        size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
++    }
++    tcg_ctx->code_gen_buffer_size = size;
++
++#ifdef __mips__
++    if (cross_256mb(buf, size)) {
++        buf = split_cross_256mb(buf, size);
++        size = tcg_ctx->code_gen_buffer_size;
++    }
++#endif
++
++    if (qemu_mprotect_rwx(buf, size)) {
++        error_setg_errno(errp, errno, "mprotect of jit buffer");
++        return false;
++    }
++    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
++
++    tcg_ctx->code_gen_buffer = buf;
++    return true;
++}
++#elif defined(_WIN32)
++static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
++{
++    void *buf;
++
++    if (splitwx > 0) {
++        error_setg(errp, "jit split-wx not supported");
++        return false;
++    }
++
++    buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
++                             PAGE_EXECUTE_READWRITE);
++    if (buf == NULL) {
++        error_setg_win32(errp, GetLastError(),
++                         "allocate %zu bytes for jit buffer", size);
++        return false;
++    }
++
++    tcg_ctx->code_gen_buffer = buf;
++    tcg_ctx->code_gen_buffer_size = size;
++    return true;
++}
++#else
++static bool alloc_code_gen_buffer_anon(size_t size, int prot,
++                                       int flags, Error **errp)
++{
++    void *buf;
++
++    buf = mmap(NULL, size, prot, flags, -1, 0);
++    if (buf == MAP_FAILED) {
++        error_setg_errno(errp, errno,
++                         "allocate %zu bytes for jit buffer", size);
++        return false;
++    }
++    tcg_ctx->code_gen_buffer_size = size;
++
++#ifdef __mips__
++    if (cross_256mb(buf, size)) {
++        /*
++         * Try again, with the original still mapped, to avoid re-acquiring
++         * the same 256mb crossing.
++         */
++        size_t size2;
++        void *buf2 = mmap(NULL, size, prot, flags, -1, 0);
++        switch ((int)(buf2 != MAP_FAILED)) {
++        case 1:
++            if (!cross_256mb(buf2, size)) {
++                /* Success!  Use the new buffer.  */
++                munmap(buf, size);
++                break;
++            }
++            /* Failure.  Work with what we had.  */
++            munmap(buf2, size);
++            /* fallthru */
++        default:
++            /* Split the original buffer.  Free the smaller half.  */
++            buf2 = split_cross_256mb(buf, size);
++            size2 = tcg_ctx->code_gen_buffer_size;
++            if (buf == buf2) {
++                munmap(buf + size2, size - size2);
++            } else {
++                munmap(buf, size - size2);
++            }
++            size = size2;
++            break;
++        }
++        buf = buf2;
++    }
++#endif
++
++    /* Request large pages for the buffer.  */
++    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
++
++    tcg_ctx->code_gen_buffer = buf;
++    return true;
++}
++
++#ifndef CONFIG_TCG_INTERPRETER
++#ifdef CONFIG_POSIX
++#include "qemu/memfd.h"
++
++static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
++{
++    void *buf_rw = NULL, *buf_rx = MAP_FAILED;
++    int fd = -1;
++
++#ifdef __mips__
++    /* Find space for the RX mapping, vs the 256MiB regions. */
++    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
++                                    MAP_PRIVATE | MAP_ANONYMOUS |
++                                    MAP_NORESERVE, errp)) {
++        return false;
++    }
++    /* The size of the mapping may have been adjusted. */
++    size = tcg_ctx->code_gen_buffer_size;
++    buf_rx = tcg_ctx->code_gen_buffer;
++#endif
++
++    buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
++    if (buf_rw == NULL) {
++        goto fail;
++    }
++
++#ifdef __mips__
++    void *tmp = mmap(buf_rx, size, PROT_READ | PROT_EXEC,
++                     MAP_SHARED | MAP_FIXED, fd, 0);
++    if (tmp != buf_rx) {
++        goto fail_rx;
++    }
++#else
++    buf_rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
++    if (buf_rx == MAP_FAILED) {
++        goto fail_rx;
++    }
++#endif
++
++    close(fd);
++    tcg_ctx->code_gen_buffer = buf_rw;
++    tcg_ctx->code_gen_buffer_size = size;
++    tcg_splitwx_diff = buf_rx - buf_rw;
++
++    /* Request large pages for the buffer and the splitwx.  */
++    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
++    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
++    return true;
++
++ fail_rx:
++    error_setg_errno(errp, errno, "failed to map shared memory for execute");
++ fail:
++    if (buf_rx != MAP_FAILED) {
++        munmap(buf_rx, size);
++    }
++    if (buf_rw) {
++        munmap(buf_rw, size);
++    }
++    if (fd >= 0) {
++        close(fd);
++    }
++    return false;
++}
++#endif /* CONFIG_POSIX */
++
++#ifdef CONFIG_DARWIN
++#include <mach/mach.h>
++
++extern kern_return_t mach_vm_remap(vm_map_t target_task,
++                                   mach_vm_address_t *target_address,
++                                   mach_vm_size_t size,
++                                   mach_vm_offset_t mask,
++                                   int flags,
++                                   vm_map_t src_task,
++                                   mach_vm_address_t src_address,
++                                   boolean_t copy,
++                                   vm_prot_t *cur_protection,
++                                   vm_prot_t *max_protection,
++                                   vm_inherit_t inheritance);
++
++static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
++{
++    kern_return_t ret;
++    mach_vm_address_t buf_rw, buf_rx;
++    vm_prot_t cur_prot, max_prot;
++
++    /* Map the read-write portion via normal anon memory. */
++    if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
++                                    MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
++        return false;
++    }
++
++    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
++    buf_rx = 0;
++    ret = mach_vm_remap(mach_task_self(),
++                        &buf_rx,
++                        size,
++                        0,
++                        VM_FLAGS_ANYWHERE,
++                        mach_task_self(),
++                        buf_rw,
++                        false,
++                        &cur_prot,
++                        &max_prot,
++                        VM_INHERIT_NONE);
++    if (ret != KERN_SUCCESS) {
++        /* TODO: Convert "ret" to a human readable error message. */
++        error_setg(errp, "vm_remap for jit splitwx failed");
++        munmap((void *)buf_rw, size);
++        return false;
++    }
++
++    if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
++        error_setg_errno(errp, errno, "mprotect for jit splitwx");
++        munmap((void *)buf_rx, size);
++        munmap((void *)buf_rw, size);
++        return false;
++    }
++
++    tcg_splitwx_diff = buf_rx - buf_rw;
++    return true;
++}
++#endif /* CONFIG_DARWIN */
++#endif /* CONFIG_TCG_INTERPRETER */
++
++static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
++{
++#ifndef CONFIG_TCG_INTERPRETER
++# ifdef CONFIG_DARWIN
++    return alloc_code_gen_buffer_splitwx_vmremap(size, errp);
++# endif
++# ifdef CONFIG_POSIX
++    return alloc_code_gen_buffer_splitwx_memfd(size, errp);
++# endif
++#endif
++    error_setg(errp, "jit split-wx not supported");
++    return false;
++}
++
++static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
++{
++    ERRP_GUARD();
++    int prot, flags;
++
++    if (splitwx) {
++        if (alloc_code_gen_buffer_splitwx(size, errp)) {
++            return true;
++        }
++        /*
++         * If splitwx force-on (1), fail;
++         * if splitwx default-on (-1), fall through to splitwx off.
++         */
++        if (splitwx > 0) {
++            return false;
++        }
++        error_free_or_abort(errp);
++    }
++
++    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
++    flags = MAP_PRIVATE | MAP_ANONYMOUS;
++#ifdef CONFIG_TCG_INTERPRETER
++    /* The tcg interpreter does not need execute permission. */
++    prot = PROT_READ | PROT_WRITE;
++#elif defined(CONFIG_DARWIN)
++    /* Applicable to both iOS and macOS (Apple Silicon). */
++    if (!splitwx) {
++        flags |= MAP_JIT;
++    }
++#endif
++
++    return alloc_code_gen_buffer_anon(size, prot, flags, errp);
++}
++#endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
++
+ /*
+  * Initializes region partitioning.
+  *
+@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
+  * in practice. Multi-threaded guests share most if not all of their translated
+  * code, which makes parallel code generation less appealing than in softmmu.
+  */
+-void tcg_region_init(void)
++void tcg_region_init(size_t tb_size, int splitwx)
+ {
+-    void *buf = tcg_init_ctx.code_gen_buffer;
+-    void *aligned;
+-    size_t size = tcg_init_ctx.code_gen_buffer_size;
+-    size_t page_size = qemu_real_host_page_size;
++    void *buf, *aligned;
++    size_t size;
++    size_t page_size;
+     size_t region_size;
+     size_t n_regions;
+     size_t i;
++    bool ok;
++    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
++                               splitwx, &error_fatal);
++    assert(ok);
++
++    buf = tcg_init_ctx.code_gen_buffer;
++    size = tcg_init_ctx.code_gen_buffer_size;
++    page_size = qemu_real_host_page_size;
+     n_regions = tcg_n_regions();
+     /* The first region will be 'aligned - buf' bytes larger than the others */
+--
+.25.1

-New patch
+[PULL 10/34] accel/tcg: Rename tcg_init to tcg_init_machine
+We shortly want to use tcg_init for something else.
+Since the hook is called init_machine, match that.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/tcg-all.c | 4 ++--
+file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/tcg-all.c
++++ b/accel/tcg/tcg-all.c
+@@ -XXX,XX +XXX,XX @@ static void tcg_accel_instance_init(Object *obj)
+ bool mttcg_enabled;
+-static int tcg_init(MachineState *ms)
++static int tcg_init_machine(MachineState *ms)
+ {
+     TCGState *s = TCG_STATE(current_accel());
+@@ -XXX,XX +XXX,XX @@ static void tcg_accel_class_init(ObjectClass *oc, void *data)
+ {
+     AccelClass *ac = ACCEL_CLASS(oc);
+     ac->name = "tcg";
+-    ac->init_machine = tcg_init;
++    ac->init_machine = tcg_init_machine;
+     ac->allowed = &tcg_allowed;
+     object_class_property_add_str(oc, "thread",
+--
+.25.1

-[PULL 12/16] cputlb: Split out tlb_mmu_flush_locked
+[PULL 11/34] tcg: Create tcg_init
-We will want to be able to flush a tlb without resizing.
+Perform both tcg_context_init and tcg_region_init.
 Do not leave this split to the caller.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++++-----
+ include/tcg/tcg.h         | 3 +--
-file changed, 10 insertions(+), 5 deletions(-)
+ tcg/tcg-internal.h        | 1 +
  accel/tcg/translate-all.c | 3 +--
  tcg/tcg.c                 | 9 ++++++++-
 files changed, 11 insertions(+), 5 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/tcg/tcg.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ void *tcg_malloc_internal(TCGContext *s, int size);
  void tcg_pool_reset(TCGContext *s);
  TranslationBlock *tcg_tb_alloc(TCGContext *s);
 -void tcg_region_init(size_t tb_size, int splitwx);
  void tb_destroy(TranslationBlock *tb);
  void tcg_region_reset_all(void);
@@ -XXX,XX +XXX,XX @@ static inline void *tcg_malloc(int size)
      }
  }
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+-void tcg_context_init(TCGContext *s);
-+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
++void tcg_init(size_t tb_size, int splitwx);
  void tcg_register_thread(void);
  void tcg_prologue_init(TCGContext *s);
  void tcg_func_start(TCGContext *s);
 diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg-internal.h
 +++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
  extern TCGContext **tcg_ctxs;
  extern unsigned int n_tcg_ctxs;
 +void tcg_region_init(size_t tb_size, int splitwx);
  bool tcg_region_alloc(TCGContext *s);
  void tcg_region_initial_alloc(TCGContext *s);
  void tcg_region_prologue_set(TCGContext *s);
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static void tb_htable_init(void)
  void tcg_exec_init(unsigned long tb_size, int splitwx)
  {
--    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+     tcg_allowed = true;
--    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+-    tcg_context_init(&tcg_init_ctx);
--
+     page_init();
--    tlb_mmu_resize_locked(desc, fast);
+     tb_htable_init();
-     desc->n_used_entries = 0;
+-    tcg_region_init(tb_size, splitwx);
-     desc->large_page_addr = -1;
++    tcg_init(tb_size, splitwx);
-     desc->large_page_mask = -1;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+ #if defined(CONFIG_SOFTMMU)
-     memset(desc->vtable, -1, sizeof(desc->vtable));
+     /* There's no guest base to take into account, so go ahead and
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void process_op_defs(TCGContext *s);
  static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type,
                                              TCGReg reg, const char *name);
 -void tcg_context_init(TCGContext *s)
 +static void tcg_context_init(void)
  {
 +    TCGContext *s = &tcg_init_ctx;
      int op, total_args, n, i;
      TCGOpDef *def;
      TCGArgConstraint *args_ct;
@@ -XXX,XX +XXX,XX @@ void tcg_context_init(TCGContext *s)
      cpu_env = temp_tcgv_ptr(ts);
  }
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++void tcg_init(size_t tb_size, int splitwx)
 +{
-+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++    tcg_context_init();
-+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
++    tcg_region_init(tb_size, splitwx);
 +
 +    tlb_mmu_resize_locked(desc, fast);
 +    tlb_mmu_flush_locked(desc, fast);
 +}
 +
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+ /*
- {
+  * Allocate TBs right before their corresponding translated code, making
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+  * sure that TBs and code are on different cache lines.
 --
-.20.1
+.25.1

-[PULL 07/16] cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
+[PULL 12/34] accel/tcg: Merge tcg_exec_init into tcg_init_machine
-There is only one caller for tlb_table_flush_by_mmuidx.  Place
+There is only one caller, and shortly we will need access
-the result at the earlier line number, due to an expected user
+to the MachineState, which tcg_init_machine already has.
 in the near future.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 +++++++------------
+ accel/tcg/internal.h      |  2 ++
-file changed, 7 insertions(+), 12 deletions(-)
+ include/sysemu/tcg.h      |  2 --
  accel/tcg/tcg-all.c       | 16 +++++++++++++++-
  accel/tcg/translate-all.c | 21 ++-------------------
  bsd-user/main.c           |  2 +-
 files changed, 20 insertions(+), 23 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/accel/tcg/internal.h b/accel/tcg/internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/accel/tcg/internal.h
-+++ b/accel/tcg/cputlb.c
++++ b/accel/tcg/internal.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu, target_ulong pc,
-     }
+                               int cflags);
  void QEMU_NORETURN cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
 +void page_init(void);
 +void tb_htable_init(void);
  #endif /* ACCEL_TCG_INTERNAL_H */
 diff --git a/include/sysemu/tcg.h b/include/sysemu/tcg.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/sysemu/tcg.h
 +++ b/include/sysemu/tcg.h
@@ -XXX,XX +XXX,XX @@
  #ifndef SYSEMU_TCG_H
  #define SYSEMU_TCG_H
 -void tcg_exec_init(unsigned long tb_size, int splitwx);
 -
  #ifdef CONFIG_TCG
  extern bool tcg_allowed;
  #define tcg_enabled() (tcg_allowed)
 diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tcg-all.c
 +++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/error-report.h"
  #include "qemu/accel.h"
  #include "qapi/qapi-builtin-visit.h"
 +#include "internal.h"
  struct TCGState {
      AccelState parent_obj;
@@ -XXX,XX +XXX,XX @@ static int tcg_init_machine(MachineState *ms)
  {
      TCGState *s = TCG_STATE(current_accel());
 -    tcg_exec_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
 +    tcg_allowed = true;
      mttcg_enabled = s->mttcg_enabled;
 +
 +    page_init();
 +    tb_htable_init();
 +    tcg_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
 +
 +#if defined(CONFIG_SOFTMMU)
 +    /*
 +     * There's no guest base to take into account, so go ahead and
 +     * initialize the prologue now.
 +     */
 +    tcg_prologue_init(tcg_ctx);
 +#endif
 +
      return 0;
  }
--static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc, bool will_exit)
      return false;
  }
 -static void page_init(void)
 +void page_init(void)
  {
-     tlb_mmu_resize_locked(env, mmu_idx);
+     page_size_init();
--    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+     page_table_config_init();
-     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+@@ -XXX,XX +XXX,XX @@ static bool tb_cmp(const void *ap, const void *bp)
-+    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+         a->page_addr[1] == b->page_addr[1];
 +    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
 +    env_tlb(env)->d[mmu_idx].vindex = 0;
 +    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
 +    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
 +           sizeof(env_tlb(env)->d[0].vtable));
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+-static void tb_htable_init(void)
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
++void tb_htable_init(void)
-     *pelide = elide;
+ {
      unsigned int mode = QHT_MODE_AUTO_RESIZE;
      qht_init(&tb_ctx.htable, tb_cmp, CODE_GEN_HTABLE_SIZE, mode);
  }
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+-/* Must be called before using the QEMU cpus. 'tb_size' is the size
 -   (in bytes) allocated to the translation buffer. Zero means default
 -   size. */
 -void tcg_exec_init(unsigned long tb_size, int splitwx)
 -{
--    tlb_table_flush_by_mmuidx(env, mmu_idx);
+-    tcg_allowed = true;
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+-    page_init();
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+-    tb_htable_init();
--    env_tlb(env)->d[mmu_idx].vindex = 0;
+-    tcg_init(tb_size, splitwx);
--    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+-
--           sizeof(env_tlb(env)->d[0].vtable));
+-#if defined(CONFIG_SOFTMMU)
 -    /* There's no guest base to take into account, so go ahead and
 -       initialize the prologue now.  */
 -    tcg_prologue_init(tcg_ctx);
 -#endif
 -}
 -
- static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
+ /* call with @p->lock held */
  static inline void invalidate_page_bitmap(PageDesc *p)
  {
-     CPUArchState *env = cpu->env_ptr;
+diff --git a/bsd-user/main.c b/bsd-user/main.c
 index XXXXXXX..XXXXXXX 100644
 --- a/bsd-user/main.c
 +++ b/bsd-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      envlist_free(envlist);
      /*
 -     * Now that page sizes are configured in tcg_exec_init() we can do
 +     * Now that page sizes are configured we can do
       * proper page alignment for guest_base.
       */
      guest_base = HOST_PAGE_ALIGN(guest_base);
 --
-.20.1
+.25.1

-New patch
+[PULL 13/34] accel/tcg: Use MiB in tcg_init_machine
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/tcg-all.c | 3 ++-
+file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/tcg-all.c
++++ b/accel/tcg/tcg-all.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/error-report.h"
+ #include "qemu/accel.h"
+ #include "qapi/qapi-builtin-visit.h"
++#include "qemu/units.h"
+ #include "internal.h"
+ struct TCGState {
+@@ -XXX,XX +XXX,XX @@ static int tcg_init_machine(MachineState *ms)
+     page_init();
+     tb_htable_init();
+-    tcg_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
++    tcg_init(s->tb_size * MiB, s->splitwx_enabled);
+ #if defined(CONFIG_SOFTMMU)
+     /*
+--
+.25.1

-[PULL 13/16] cputlb: Partially merge tlb_dyn_init into tlb_init
+[PULL 14/34] accel/tcg: Pass down max_cpus to tcg_init
-Merge into the only caller, but at the same time split
+Start removing the include of hw/boards.h from tcg/.
-out tlb_mmu_init to initialize a single tlb entry.
+Pass down the max_cpus value from tcg_init_machine,
 where we have the MachineState already.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
+ include/tcg/tcg.h   |  2 +-
-file changed, 16 insertions(+), 17 deletions(-)
+ tcg/tcg-internal.h  |  2 +-
  accel/tcg/tcg-all.c | 10 +++++++++-
  tcg/region.c        | 32 +++++++++++---------------------
  tcg/tcg.c           | 10 ++++------
 files changed, 26 insertions(+), 30 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/tcg/tcg.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@ static inline void *tcg_malloc(int size)
-     desc->window_max_entries = max_entries;
+     }
  }
--static void tlb_dyn_init(CPUArchState *env)
+-void tcg_init(size_t tb_size, int splitwx);
 +void tcg_init(size_t tb_size, int splitwx, unsigned max_cpus);
  void tcg_register_thread(void);
  void tcg_prologue_init(TCGContext *s);
  void tcg_func_start(TCGContext *s);
 diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg-internal.h
 +++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
  extern TCGContext **tcg_ctxs;
  extern unsigned int n_tcg_ctxs;
 -void tcg_region_init(size_t tb_size, int splitwx);
 +void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus);
  bool tcg_region_alloc(TCGContext *s);
  void tcg_region_initial_alloc(TCGContext *s);
  void tcg_region_prologue_set(TCGContext *s);
 diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tcg-all.c
 +++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/accel.h"
  #include "qapi/qapi-builtin-visit.h"
  #include "qemu/units.h"
 +#if !defined(CONFIG_USER_ONLY)
 +#include "hw/boards.h"
 +#endif
  #include "internal.h"
  struct TCGState {
@@ -XXX,XX +XXX,XX @@ bool mttcg_enabled;
  static int tcg_init_machine(MachineState *ms)
  {
      TCGState *s = TCG_STATE(current_accel());
 +#ifdef CONFIG_USER_ONLY
 +    unsigned max_cpus = 1;
 +#else
 +    unsigned max_cpus = ms->smp.max_cpus;
 +#endif
      tcg_allowed = true;
      mttcg_enabled = s->mttcg_enabled;
      page_init();
      tb_htable_init();
 -    tcg_init(s->tb_size * MiB, s->splitwx_enabled);
 +    tcg_init(s->tb_size * MiB, s->splitwx_enabled, max_cpus);
  #if defined(CONFIG_SOFTMMU)
      /*
 diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/region.c
 +++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
  #include "qapi/error.h"
  #include "exec/exec-all.h"
  #include "tcg/tcg.h"
 -#if !defined(CONFIG_USER_ONLY)
 -#include "hw/boards.h"
 -#endif
  #include "tcg-internal.h"
@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
      tcg_region_tree_reset_all();
  }
 +static size_t tcg_n_regions(unsigned max_cpus)
 +{
  #ifdef CONFIG_USER_ONLY
 -static size_t tcg_n_regions(void)
 -{
--    int i;
+     return 1;
 -
 -    for (i = 0; i < NB_MMU_MODES; i++) {
 -        CPUTLBDesc *desc = &env_tlb(env)->d[i];
 -        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 -
 -        tlb_window_reset(desc, get_clock_realtime(), 0);
 -        desc->n_used_entries = 0;
 -        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 -        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
 -        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
 -    }
 -}
--
+ #else
- /**
+-/*
-  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
+- * It is likely that some vCPUs will translate more code than others, so we
-  * @desc: The CPUTLBDesc portion of the TLB
+- * first try to set more regions than max_cpus, with those regions being of
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+- * reasonable size. If that's not possible we make do by evenly dividing
-     tlb_mmu_flush_locked(desc, fast);
+- * the code_gen_buffer among the vCPUs.
 - */
 -static size_t tcg_n_regions(void)
 -{
 +    /*
 +     * It is likely that some vCPUs will translate more code than others,
 +     * so we first try to set more regions than max_cpus, with those regions
 +     * being of reasonable size. If that's not possible we make do by evenly
 +     * dividing the code_gen_buffer among the vCPUs.
 +     */
      size_t i;
      /* Use a single region if all we have is one vCPU thread */
 -#if !defined(CONFIG_USER_ONLY)
 -    MachineState *ms = MACHINE(qdev_get_machine());
 -    unsigned int max_cpus = ms->smp.max_cpus;
 -#endif
      if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
          return 1;
      }
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
      }
      /* If we can't, then just allocate one region per vCPU thread */
      return max_cpus;
 -}
  #endif
 +}
  /*
   * Minimum size of the code gen buffer.  This number is randomly chosen,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
   * in practice. Multi-threaded guests share most if not all of their translated
   * code, which makes parallel code generation less appealing than in softmmu.
   */
 -void tcg_region_init(size_t tb_size, int splitwx)
 +void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
  {
      void *buf, *aligned;
      size_t size;
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx)
      buf = tcg_init_ctx.code_gen_buffer;
      size = tcg_init_ctx.code_gen_buffer_size;
      page_size = qemu_real_host_page_size;
 -    n_regions = tcg_n_regions();
 +    n_regions = tcg_n_regions(max_cpus);
      /* The first region will be 'aligned - buf' bytes larger than the others */
      aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void process_op_defs(TCGContext *s);
  static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type,
                                              TCGReg reg, const char *name);
 -static void tcg_context_init(void)
 +static void tcg_context_init(unsigned max_cpus)
  {
      TCGContext *s = &tcg_init_ctx;
      int op, total_args, n, i;
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(void)
      tcg_ctxs = &tcg_ctx;
      n_tcg_ctxs = 1;
  #else
 -    MachineState *ms = MACHINE(qdev_get_machine());
 -    unsigned int max_cpus = ms->smp.max_cpus;
      tcg_ctxs = g_new(TCGContext *, max_cpus);
  #endif
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(void)
      cpu_env = temp_tcgv_ptr(ts);
  }
-+static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+-void tcg_init(size_t tb_size, int splitwx)
-+{
++void tcg_init(size_t tb_size, int splitwx, unsigned max_cpus)
 +    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 +
 +    tlb_window_reset(desc, now, 0);
 +    desc->n_used_entries = 0;
 +    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 +    fast->table = g_new(CPUTLBEntry, n_entries);
 +    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
 +}
 +
  static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
  {
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+-    tcg_context_init();
-@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
+-    tcg_region_init(tb_size, splitwx);
- void tlb_init(CPUState *cpu)
++    tcg_context_init(max_cpus);
- {
++    tcg_region_init(tb_size, splitwx, max_cpus);
      CPUArchState *env = cpu->env_ptr;
 +    int64_t now = get_clock_realtime();
 +    int i;
      qemu_spin_init(&env_tlb(env)->c.lock);
      /* Ensure that cpu_reset performs a full flush.  */
      env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
 -    tlb_dyn_init(env);
 +    for (i = 0; i < NB_MMU_MODES; i++) {
 +        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
 +    }
  }
- /* flush_all_helper: run fn across all cpus
+ /*
 --
-.20.1
+.25.1

-New patch
+[PULL 15/34] tcg: Introduce tcg_max_ctxs
+Finish the divorce of tcg/ from hw/, and do not take
+the max cpu value from MachineState; just remember what
+we were passed in tcg_init.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg-internal.h |  3 ++-
+ tcg/region.c       |  6 +++---
+ tcg/tcg.c          | 23 ++++++++++-------------
+files changed, 15 insertions(+), 17 deletions(-)
+diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg-internal.h
++++ b/tcg/tcg-internal.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_HIGHWATER 1024
+ extern TCGContext **tcg_ctxs;
+-extern unsigned int n_tcg_ctxs;
++extern unsigned int tcg_cur_ctxs;
++extern unsigned int tcg_max_ctxs;
+ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus);
+ bool tcg_region_alloc(TCGContext *s);
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ void tcg_region_initial_alloc(TCGContext *s)
+ /* Call from a safe-work context */
+ void tcg_region_reset_all(void)
+ {
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
+     unsigned int i;
+     qemu_mutex_lock(&region.lock);
+@@ -XXX,XX +XXX,XX @@ void tcg_region_prologue_set(TCGContext *s)
+  */
+ size_t tcg_code_size(void)
+ {
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
+     unsigned int i;
+     size_t total;
+@@ -XXX,XX +XXX,XX @@ size_t tcg_code_capacity(void)
+ size_t tcg_tb_phys_invalidate_count(void)
+ {
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
+     unsigned int i;
+     size_t total = 0;
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@
+ #define NO_CPU_IO_DEFS
+ #include "exec/exec-all.h"
+-
+-#if !defined(CONFIG_USER_ONLY)
+-#include "hw/boards.h"
+-#endif
+-
+ #include "tcg/tcg-op.h"
+ #if UINTPTR_MAX == UINT32_MAX
+@@ -XXX,XX +XXX,XX @@ static int tcg_out_ldst_finalize(TCGContext *s);
+ #endif
+ TCGContext **tcg_ctxs;
+-unsigned int n_tcg_ctxs;
++unsigned int tcg_cur_ctxs;
++unsigned int tcg_max_ctxs;
+ TCGv_env cpu_env = 0;
+ const void *tcg_code_gen_epilogue;
+ uintptr_t tcg_splitwx_diff;
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+ #else
+ void tcg_register_thread(void)
+ {
+-    MachineState *ms = MACHINE(qdev_get_machine());
+     TCGContext *s = g_malloc(sizeof(*s));
+     unsigned int i, n;
+@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
+     }
+     /* Claim an entry in tcg_ctxs */
+-    n = qatomic_fetch_inc(&n_tcg_ctxs);
+-    g_assert(n < ms->smp.max_cpus);
++    n = qatomic_fetch_inc(&tcg_cur_ctxs);
++    g_assert(n < tcg_max_ctxs);
+     qatomic_set(&tcg_ctxs[n], s);
+     if (n > 0) {
+@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(unsigned max_cpus)
+      */
+ #ifdef CONFIG_USER_ONLY
+     tcg_ctxs = &tcg_ctx;
+-    n_tcg_ctxs = 1;
++    tcg_cur_ctxs = 1;
++    tcg_max_ctxs = 1;
+ #else
+-    tcg_ctxs = g_new(TCGContext *, max_cpus);
++    tcg_max_ctxs = max_cpus;
++    tcg_ctxs = g_new0(TCGContext *, max_cpus);
+ #endif
+     tcg_debug_assert(!tcg_regset_test_reg(s->reserved_regs, TCG_AREG0));
+@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_call(TCGContext *s, TCGOp *op)
+ static inline
+ void tcg_profile_snapshot(TCGProfile *prof, bool counters, bool table)
+ {
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
+     unsigned int i;
+     for (i = 0; i < n_ctxs; i++) {
+@@ -XXX,XX +XXX,XX @@ void tcg_dump_op_count(void)
+ int64_t tcg_cpu_exec_time(void)
+ {
+-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
++    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
+     unsigned int i;
+     int64_t ret = 0;
+--
+.25.1

-New patch
+[PULL 16/34] tcg: Move MAX_CODE_GEN_BUFFER_SIZE to tcg-target.h
+Remove the ifdef ladder and move each define into the
+appropriate header file.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/aarch64/tcg-target.h |  1 +
+ tcg/arm/tcg-target.h     |  1 +
+ tcg/i386/tcg-target.h    |  2 ++
+ tcg/mips/tcg-target.h    |  6 ++++++
+ tcg/ppc/tcg-target.h     |  2 ++
+ tcg/riscv/tcg-target.h   |  1 +
+ tcg/s390/tcg-target.h    |  3 +++
+ tcg/sparc/tcg-target.h   |  1 +
+ tcg/tci/tcg-target.h     |  1 +
+ tcg/region.c             | 33 +++++----------------------------
+files changed, 23 insertions(+), 28 deletions(-)
+diff --git a/tcg/aarch64/tcg-target.h b/tcg/aarch64/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/aarch64/tcg-target.h
++++ b/tcg/aarch64/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_INSN_UNIT_SIZE  4
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 24
++#define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+ #undef TCG_TARGET_STACK_GROWSUP
+ typedef enum {
+diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/arm/tcg-target.h
++++ b/tcg/arm/tcg-target.h
+@@ -XXX,XX +XXX,XX @@ extern int arm_arch;
+ #undef TCG_TARGET_STACK_GROWSUP
+ #define TCG_TARGET_INSN_UNIT_SIZE 4
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 16
++#define MAX_CODE_GEN_BUFFER_SIZE  UINT32_MAX
+ typedef enum {
+     TCG_REG_R0 = 0,
+diff --git a/tcg/i386/tcg-target.h b/tcg/i386/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/i386/tcg-target.h
++++ b/tcg/i386/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #ifdef __x86_64__
+ # define TCG_TARGET_REG_BITS  64
+ # define TCG_TARGET_NB_REGS   32
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+ #else
+ # define TCG_TARGET_REG_BITS  32
+ # define TCG_TARGET_NB_REGS   24
++# define MAX_CODE_GEN_BUFFER_SIZE  UINT32_MAX
+ #endif
+ typedef enum {
+diff --git a/tcg/mips/tcg-target.h b/tcg/mips/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target.h
++++ b/tcg/mips/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 16
+ #define TCG_TARGET_NB_REGS 32
++/*
++ * We have a 256MB branch region, but leave room to make sure the
++ * main executable is also within that region.
++ */
++#define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
++
+ typedef enum {
+     TCG_REG_ZERO = 0,
+     TCG_REG_AT,
+diff --git a/tcg/ppc/tcg-target.h b/tcg/ppc/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target.h
++++ b/tcg/ppc/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #ifdef _ARCH_PPC64
+ # define TCG_TARGET_REG_BITS  64
++# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+ #else
+ # define TCG_TARGET_REG_BITS  32
++# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
+ #endif
+ #define TCG_TARGET_NB_REGS 64
+diff --git a/tcg/riscv/tcg-target.h b/tcg/riscv/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/riscv/tcg-target.h
++++ b/tcg/riscv/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_INSN_UNIT_SIZE 4
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 20
+ #define TCG_TARGET_NB_REGS 32
++#define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
+ typedef enum {
+     TCG_REG_ZERO,
+diff --git a/tcg/s390/tcg-target.h b/tcg/s390/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/s390/tcg-target.h
++++ b/tcg/s390/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_INSN_UNIT_SIZE 2
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 19
++/* We have a +- 4GB range on the branches; leave some slop.  */
++#define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
++
+ typedef enum TCGReg {
+     TCG_REG_R0 = 0,
+     TCG_REG_R1,
+diff --git a/tcg/sparc/tcg-target.h b/tcg/sparc/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/sparc/tcg-target.h
++++ b/tcg/sparc/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_INSN_UNIT_SIZE 4
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 32
+ #define TCG_TARGET_NB_REGS 32
++#define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+ typedef enum {
+     TCG_REG_G0 = 0,
+diff --git a/tcg/tci/tcg-target.h b/tcg/tci/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tci/tcg-target.h
++++ b/tcg/tci/tcg-target.h
+@@ -XXX,XX +XXX,XX @@
+ #define TCG_TARGET_INTERPRETER 1
+ #define TCG_TARGET_INSN_UNIT_SIZE 1
+ #define TCG_TARGET_TLB_DISPLACEMENT_BITS 32
++#define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
+ #if UINTPTR_MAX == UINT32_MAX
+ # define TCG_TARGET_REG_BITS 32
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(unsigned max_cpus)
+ /*
+  * Minimum size of the code gen buffer.  This number is randomly chosen,
+  * but not so small that we can't have a fair number of TB's live.
++ *
++ * Maximum size, MAX_CODE_GEN_BUFFER_SIZE, is defined in tcg-target.h.
++ * Unless otherwise indicated, this is constrained by the range of
++ * direct branches on the host cpu, as used by the TCG implementation
++ * of goto_tb.
+  */
+ #define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
+-/*
+- * Maximum size of the code gen buffer we'd like to use.  Unless otherwise
+- * indicated, this is constrained by the range of direct branches on the
+- * host cpu, as used by the TCG implementation of goto_tb.
+- */
+-#if defined(__x86_64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__sparc__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__powerpc64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__powerpc__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
+-#elif defined(__aarch64__)
+-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+-#elif defined(__s390x__)
+-  /* We have a +- 4GB range on the branches; leave some slop.  */
+-# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
+-#elif defined(__mips__)
+-  /*
+-   * We have a 256MB branch region, but leave room to make sure the
+-   * main executable is also within that region.
+-   */
+-# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
+-#else
+-# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
+-#endif
+-
+ #if TCG_TARGET_REG_BITS == 32
+ #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
+ #ifdef CONFIG_USER_ONLY
+--
+.25.1

-New patch
+[PULL 17/34] tcg: Replace region.end with region.total_size
+A size is easier to work with than an end point,
+particularly during initial buffer allocation.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/region.c | 30 ++++++++++++++++++------------
+file changed, 18 insertions(+), 12 deletions(-)
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ struct tcg_region_state {
+     /* fields set at init time */
+     void *start;
+     void *start_aligned;
+-    void *end;
+     size_t n;
+     size_t size; /* size of one region */
+     size_t stride; /* .size + guard size */
++    size_t total_size; /* size of entire buffer, >= n * stride */
+     /* fields protected by the lock */
+     size_t current; /* current region index */
+@@ -XXX,XX +XXX,XX @@ static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
+     if (curr_region == 0) {
+         start = region.start;
+     }
++    /* The final region may have a few extra pages due to earlier rounding. */
+     if (curr_region == region.n - 1) {
+-        end = region.end;
++        end = region.start_aligned + region.total_size;
+     }
+     *pstart = start;
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+  */
+ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+ {
+-    void *buf, *aligned;
+-    size_t size;
++    void *buf, *aligned, *end;
++    size_t total_size;
+     size_t page_size;
+     size_t region_size;
+     size_t n_regions;
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+     assert(ok);
+     buf = tcg_init_ctx.code_gen_buffer;
+-    size = tcg_init_ctx.code_gen_buffer_size;
++    total_size = tcg_init_ctx.code_gen_buffer_size;
+     page_size = qemu_real_host_page_size;
+     n_regions = tcg_n_regions(max_cpus);
+     /* The first region will be 'aligned - buf' bytes larger than the others */
+     aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
+-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
++    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
++
+     /*
+      * Make region_size a multiple of page_size, using aligned as the start.
+      * As a result of this we might end up with a few extra pages at the end of
+      * the buffer; we will assign those to the last region.
+      */
+-    region_size = (size - (aligned - buf)) / n_regions;
++    region_size = (total_size - (aligned - buf)) / n_regions;
+     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
+     /* A region must have at least 2 pages; one code, one guard */
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+     region.start = buf;
+     region.start_aligned = aligned;
+     /* page-align the end, since its last page will be a guard page */
+-    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
++    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
+     /* account for that last guard page */
+-    region.end -= page_size;
++    end -= page_size;
++    total_size = end - aligned;
++    region.total_size = total_size;
+     /*
+      * Set guard pages in the rw buffer, as that's the one into which
+@@ -XXX,XX +XXX,XX @@ void tcg_region_prologue_set(TCGContext *s)
+     /* Register the balance of the buffer with gdb. */
+     tcg_register_jit(tcg_splitwx_to_rx(region.start),
+-                     region.end - region.start);
++                     region.start_aligned + region.total_size - region.start);
+ }
+ /*
+@@ -XXX,XX +XXX,XX @@ size_t tcg_code_capacity(void)
+     /* no need for synchronization; these variables are set at init time */
+     guard_size = region.stride - region.size;
+-    capacity = region.end + guard_size - region.start;
+-    capacity -= region.n * (guard_size + TCG_HIGHWATER);
++    capacity = region.total_size;
++    capacity -= (region.n - 1) * guard_size;
++    capacity -= region.n * TCG_HIGHWATER;
++
+     return capacity;
+ }
+--
+.25.1

-New patch
+[PULL 18/34] tcg: Rename region.start to region.after_prologue
+Give the field a name reflecting its actual meaning.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/region.c | 15 ++++++++-------
+file changed, 8 insertions(+), 7 deletions(-)
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ struct tcg_region_state {
+     QemuMutex lock;
+     /* fields set at init time */
+-    void *start;
+     void *start_aligned;
++    void *after_prologue;
+     size_t n;
+     size_t size; /* size of one region */
+     size_t stride; /* .size + guard size */
+@@ -XXX,XX +XXX,XX @@ static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
+     end = start + region.size;
+     if (curr_region == 0) {
+-        start = region.start;
++        start = region.after_prologue;
+     }
+     /* The final region may have a few extra pages due to earlier rounding. */
+     if (curr_region == region.n - 1) {
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+     region.n = n_regions;
+     region.size = region_size - page_size;
+     region.stride = region_size;
+-    region.start = buf;
++    region.after_prologue = buf;
+     region.start_aligned = aligned;
+     /* page-align the end, since its last page will be a guard page */
+     end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+ void tcg_region_prologue_set(TCGContext *s)
+ {
+     /* Deduct the prologue from the first region.  */
+-    g_assert(region.start == s->code_gen_buffer);
+-    region.start = s->code_ptr;
++    g_assert(region.start_aligned == s->code_gen_buffer);
++    region.after_prologue = s->code_ptr;
+     /* Recompute boundaries of the first region. */
+     tcg_region_assign(s, 0);
+     /* Register the balance of the buffer with gdb. */
+-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+-                     region.start_aligned + region.total_size - region.start);
++    tcg_register_jit(tcg_splitwx_to_rx(region.after_prologue),
++                     region.start_aligned + region.total_size -
++                     region.after_prologue);
+ }
+ /*
+--
+.25.1

-New patch
+[PULL 19/34] tcg: Tidy tcg_n_regions
+Compute the value using straight division and bounds,
+rather than a loop.  Pass in tb_size rather than reading
+from tcg_init_ctx.code_gen_buffer_size,
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/region.c | 29 ++++++++++++-----------------
+file changed, 12 insertions(+), 17 deletions(-)
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
+     tcg_region_tree_reset_all();
+ }
+-static size_t tcg_n_regions(unsigned max_cpus)
++static size_t tcg_n_regions(size_t tb_size, unsigned max_cpus)
+ {
+ #ifdef CONFIG_USER_ONLY
+     return 1;
+ #else
++    size_t n_regions;
++
+     /*
+      * It is likely that some vCPUs will translate more code than others,
+      * so we first try to set more regions than max_cpus, with those regions
+      * being of reasonable size. If that's not possible we make do by evenly
+      * dividing the code_gen_buffer among the vCPUs.
+      */
+-    size_t i;
+-
+     /* Use a single region if all we have is one vCPU thread */
+     if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
+         return 1;
+     }
+-    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
+-    for (i = 8; i > 0; i--) {
+-        size_t regions_per_thread = i;
+-        size_t region_size;
+-
+-        region_size = tcg_init_ctx.code_gen_buffer_size;
+-        region_size /= max_cpus * regions_per_thread;
+-
+-        if (region_size >= 2 * 1024u * 1024) {
+-            return max_cpus * regions_per_thread;
+-        }
++    /*
++     * Try to have more regions than max_cpus, with each region being >= 2 MB.
++     * If we can't, then just allocate one region per vCPU thread.
++     */
++    n_regions = tb_size / (2 * MiB);
++    if (n_regions <= max_cpus) {
++        return max_cpus;
+     }
+-    /* If we can't, then just allocate one region per vCPU thread */
+-    return max_cpus;
++    return MIN(n_regions, max_cpus * 8);
+ #endif
+ }
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
+     buf = tcg_init_ctx.code_gen_buffer;
+     total_size = tcg_init_ctx.code_gen_buffer_size;
+     page_size = qemu_real_host_page_size;
+-    n_regions = tcg_n_regions(max_cpus);
++    n_regions = tcg_n_regions(total_size, max_cpus);
+     /* The first region will be 'aligned - buf' bytes larger than the others */
+     aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
+--
+.25.1

-New patch
+[PULL 20/34] tcg: Tidy split_cross_256mb
+Return output buffer and size via output pointer arguments,
+rather than returning size via tcg_ctx->code_gen_buffer_size.
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/region.c | 19 +++++++++----------
+file changed, 9 insertions(+), 10 deletions(-)
+diff --git a/tcg/region.c b/tcg/region.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/region.c
++++ b/tcg/region.c
+@@ -XXX,XX +XXX,XX @@ static inline bool cross_256mb(void *addr, size_t size)
+ /*
+  * We weren't able to allocate a buffer without crossing that boundary,
+  * so make do with the larger portion of the buffer that doesn't cross.
+- * Returns the new base of the buffer, and adjusts code_gen_buffer_size.
++ * Returns the new base and size of the buffer in *obuf and *osize.
+  */
+-static inline void *split_cross_256mb(void *buf1, size_t size1)
++static inline void split_cross_256mb(void **obuf, size_t *osize,
++                                     void *buf1, size_t size1)
+ {
+     void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
+     size_t size2 = buf1 + size1 - buf2;
+@@ -XXX,XX +XXX,XX @@ static inline void *split_cross_256mb(void *buf1, size_t size1)
+         buf1 = buf2;
+     }
+-    tcg_ctx->code_gen_buffer_size = size1;
+-    return buf1;
++    *obuf = buf1;
++    *osize = size1;
+ }
+ #endif
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+     if (size > tb_size) {
+         size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
+     }
+-    tcg_ctx->code_gen_buffer_size = size;
+ #ifdef __mips__
+     if (cross_256mb(buf, size)) {
+-        buf = split_cross_256mb(buf, size);
+-        size = tcg_ctx->code_gen_buffer_size;
++        split_cross_256mb(&buf, &size, buf, size);
+     }
+ #endif
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+     tcg_ctx->code_gen_buffer = buf;
++    tcg_ctx->code_gen_buffer_size = size;
+     return true;
+ }
+ #elif defined(_WIN32)
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
+                          "allocate %zu bytes for jit buffer", size);
+         return false;
+     }
+-    tcg_ctx->code_gen_buffer_size = size;
+ #ifdef __mips__
+     if (cross_256mb(buf, size)) {
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
+             /* fallthru */
+         default:
+             /* Split the original buffer.  Free the smaller half.  */
+-            buf2 = split_cross_256mb(buf, size);
+-            size2 = tcg_ctx->code_gen_buffer_size;
++            split_cross_256mb(&buf2, &size2, buf, size);
+             if (buf == buf2) {
+                 munmap(buf + size2, size - size2);
+             } else {
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
+     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+     tcg_ctx->code_gen_buffer = buf;
++    tcg_ctx->code_gen_buffer_size = size;
+     return true;
+ }
+--
+.25.1

-[PULL 16/16] scripts/git.orderfile: Display decodetree before C source
+[PULL 21/34] tcg: Move in_code_gen_buffer and tests to region.c
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+Shortly, the full code_gen_buffer will only be visible
 to region.c, so move in_code_gen_buffer out-of-line.
-To avoid scrolling each instruction when reviewing tcg
+Move the debugging versions of tcg_splitwx_to_{rx,rw}
-helpers written for the decodetree script, display the
+to region.c as well, so that the compiler gets to see
-.decode files (similar to header declarations) before
+the implementation of in_code_gen_buffer.
 the C source (implementation of previous declarations).
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+This leaves exactly one use of in_code_gen_buffer outside
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+of region.c, in cpu_restore_state.  Which, being on the
 exception path, is not performance critical.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-Id: <20191230082856.30556-1-philmd@redhat.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- scripts/git.orderfile | 3 +++
+ include/tcg/tcg.h | 11 +----------
-file changed, 3 insertions(+)
+ tcg/region.c      | 34 ++++++++++++++++++++++++++++++++++
  tcg/tcg.c         | 23 -----------------------
 files changed, 35 insertions(+), 33 deletions(-)
-diff --git a/scripts/git.orderfile b/scripts/git.orderfile
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/scripts/git.orderfile
+--- a/include/tcg/tcg.h
-+++ b/scripts/git.orderfile
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ qga/*.json
+@@ -XXX,XX +XXX,XX @@ extern const void *tcg_code_gen_epilogue;
- # headers
+ extern uintptr_t tcg_splitwx_diff;
- *.h
+ extern TCGv_env cpu_env;
-+# decoding tree specification
+-static inline bool in_code_gen_buffer(const void *p)
-+*.decode
+-{
 -    const TCGContext *s = &tcg_init_ctx;
 -    /*
 -     * Much like it is valid to have a pointer to the byte past the
 -     * end of an array (so long as you don't dereference it), allow
 -     * a pointer to the byte past the end of the code gen buffer.
 -     */
 -    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
 -}
 +bool in_code_gen_buffer(const void *p);
  #ifdef CONFIG_DEBUG_TCG
  const void *tcg_splitwx_to_rx(void *rw);
 diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/region.c
 +++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static struct tcg_region_state region;
  static void *region_trees;
  static size_t tree_size;
 +bool in_code_gen_buffer(const void *p)
 +{
 +    const TCGContext *s = &tcg_init_ctx;
 +    /*
 +     * Much like it is valid to have a pointer to the byte past the
 +     * end of an array (so long as you don't dereference it), allow
 +     * a pointer to the byte past the end of the code gen buffer.
 +     */
 +    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
 +}
 +
- # code
++#ifdef CONFIG_DEBUG_TCG
- *.c
++const void *tcg_splitwx_to_rx(void *rw)
 +{
 +    /* Pass NULL pointers unchanged. */
 +    if (rw) {
 +        g_assert(in_code_gen_buffer(rw));
 +        rw += tcg_splitwx_diff;
 +    }
 +    return rw;
 +}
 +
 +void *tcg_splitwx_to_rw(const void *rx)
 +{
 +    /* Pass NULL pointers unchanged. */
 +    if (rx) {
 +        rx -= tcg_splitwx_diff;
 +        /* Assert that we end with a pointer in the rw region. */
 +        g_assert(in_code_gen_buffer(rx));
 +    }
 +    return (void *)rx;
 +}
 +#endif /* CONFIG_DEBUG_TCG */
 +
  /* compare a pointer @ptr and a tb_tc @s */
  static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
  {
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
  #include "tcg-target.c.inc"
 -#ifdef CONFIG_DEBUG_TCG
 -const void *tcg_splitwx_to_rx(void *rw)
 -{
 -    /* Pass NULL pointers unchanged. */
 -    if (rw) {
 -        g_assert(in_code_gen_buffer(rw));
 -        rw += tcg_splitwx_diff;
 -    }
 -    return rw;
 -}
 -
 -void *tcg_splitwx_to_rw(const void *rx)
 -{
 -    /* Pass NULL pointers unchanged. */
 -    if (rx) {
 -        rx -= tcg_splitwx_diff;
 -        /* Assert that we end with a pointer in the rw region. */
 -        g_assert(in_code_gen_buffer(rx));
 -    }
 -    return (void *)rx;
 -}
 -#endif /* CONFIG_DEBUG_TCG */
 -
  static void alloc_tcg_plugin_context(TCGContext *s)
  {
  #ifdef CONFIG_PLUGIN
 --
-.20.1
+.25.1

-[PULL 09/16] cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
+[PULL 22/34] tcg: Allocate code_gen_buffer into struct tcg_region_state
-We do not need the entire CPUArchState to compute these values.
+Do not mess around with setting values within tcg_init_ctx.
 Put the values into 'region' directly, which is where they
 will live for the lifetime of the program.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++-------
+ tcg/region.c | 64 ++++++++++++++++++++++------------------------------
-file changed, 8 insertions(+), 7 deletions(-)
+file changed, 27 insertions(+), 37 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/region.c
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
+@@ -XXX,XX +XXX,XX @@ static size_t tree_size;
- QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
- #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
+ bool in_code_gen_buffer(const void *p)
 -static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
 +static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
  {
--    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+-    const TCGContext *s = &tcg_init_ctx;
-+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
+     /*
       * Much like it is valid to have a pointer to the byte past the
       * end of an array (so long as you don't dereference it), allow
       * a pointer to the byte past the end of the code gen buffer.
       */
 -    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
 +    return (size_t)(p - region.start_aligned) <= region.total_size;
  }
--static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+ #ifdef CONFIG_DEBUG_TCG
-+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
      }
      qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
  #elif defined(_WIN32)
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
          return false;
      }
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
  #else
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
      /* Request large pages for the buffer.  */
      qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 -    tcg_ctx->code_gen_buffer = buf;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf;
 +    region.total_size = size;
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
          return false;
      }
      /* The size of the mapping may have been adjusted. */
 -    size = tcg_ctx->code_gen_buffer_size;
 -    buf_rx = tcg_ctx->code_gen_buffer;
 +    buf_rx = region.start_aligned;
 +    size = region.total_size;
  #endif
      buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
  #endif
      close(fd);
 -    tcg_ctx->code_gen_buffer = buf_rw;
 -    tcg_ctx->code_gen_buffer_size = size;
 +    region.start_aligned = buf_rw;
 +    region.total_size = size;
      tcg_splitwx_diff = buf_rx - buf_rw;
      /* Request large pages for the buffer and the splitwx.  */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
          return false;
      }
 -    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
 +    buf_rw = region.start_aligned;
      buf_rx = 0;
      ret = mach_vm_remap(mach_task_self(),
                          &buf_rx,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
   */
  void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
  {
--    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+-    void *buf, *aligned, *end;
-+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
+-    size_t total_size;
- }
+     size_t page_size;
+     size_t region_size;
- static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+-    size_t n_regions;
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
+     size_t i;
- static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+     bool ok;
- {
-     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
--    size_t old_size = tlb_n_entries(env, mmu_idx);
+                                splitwx, &error_fatal);
-+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+     assert(ok);
-     size_t rate;
-     size_t new_size = old_size;
+-    buf = tcg_init_ctx.code_gen_buffer;
-     int64_t now = get_clock_realtime();
+-    total_size = tcg_init_ctx.code_gen_buffer_size;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+-    page_size = qemu_real_host_page_size;
-     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+-    n_regions = tcg_n_regions(total_size, max_cpus);
-     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+-
-     env_tlb(env)->d[mmu_idx].vindex = 0;
+-    /* The first region will be 'aligned - buf' bytes larger than the others */
--    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-+    memset(env_tlb(env)->f[mmu_idx].table, -1,
+-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
-+           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
+-
-     memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+     /*
-            sizeof(env_tlb(env)->d[0].vtable));
+      * Make region_size a multiple of page_size, using aligned as the start.
- }
+      * As a result of this we might end up with a few extra pages at the end of
-@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
+      * the buffer; we will assign those to the last region.
-     qemu_spin_lock(&env_tlb(env)->c.lock);
+      */
-     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
+-    region_size = (total_size - (aligned - buf)) / n_regions;
-         unsigned int i;
++    region.n = tcg_n_regions(region.total_size, max_cpus);
--        unsigned int n = tlb_n_entries(env, mmu_idx);
++    page_size = qemu_real_host_page_size;
-+        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
++    region_size = region.total_size / region.n;
+     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
-         for (i = 0; i < n; i++) {
-             tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
+     /* A region must have at least 2 pages; one code, one guard */
      g_assert(region_size >= 2 * page_size);
 +    region.stride = region_size;
 +
 +    /* Reserve space for guard pages. */
 +    region.size = region_size - page_size;
 +    region.total_size -= page_size;
 +
 +    /*
 +     * The first region will be smaller than the others, via the prologue,
 +     * which has yet to be allocated.  For now, the first region begins at
 +     * the page boundary.
 +     */
 +    region.after_prologue = region.start_aligned;
      /* init the region struct */
      qemu_mutex_init(&region.lock);
 -    region.n = n_regions;
 -    region.size = region_size - page_size;
 -    region.stride = region_size;
 -    region.after_prologue = buf;
 -    region.start_aligned = aligned;
 -    /* page-align the end, since its last page will be a guard page */
 -    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
 -    /* account for that last guard page */
 -    end -= page_size;
 -    total_size = end - aligned;
 -    region.total_size = total_size;
      /*
       * Set guard pages in the rw buffer, as that's the one into which
 --
-.20.1
+.25.1

-New patch
+[PULL 23/34] tcg: Return the map protection from alloc_code_gen_buffer
+Change the interface from a boolean error indication to a
 negative error vs a non-negative protection.  For the moment
 this is only interface change, not making use of the new data.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  tcg/region.c | 63 +++++++++++++++++++++++++++-------------------------
 file changed, 33 insertions(+), 30 deletions(-)
 diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/region.c
 +++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static inline void split_cross_256mb(void **obuf, size_t *osize,
  static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
      __attribute__((aligned(CODE_GEN_ALIGN)));
 -static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
 +static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
  {
      void *buf, *end;
      size_t size;
      if (splitwx > 0) {
          error_setg(errp, "jit split-wx not supported");
 -        return false;
 +        return -1;
      }
      /* page-align the beginning and end of the buffer */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
      region.start_aligned = buf;
      region.total_size = size;
 -    return true;
 +
 +    return PROT_READ | PROT_WRITE;
  }
  #elif defined(_WIN32)
 -static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
 +static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  {
      void *buf;
      if (splitwx > 0) {
          error_setg(errp, "jit split-wx not supported");
 -        return false;
 +        return -1;
      }
      buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
      region.start_aligned = buf;
      region.total_size = size;
 -    return true;
 +
 +    return PAGE_READ | PAGE_WRITE | PAGE_EXEC;
  }
  #else
 -static bool alloc_code_gen_buffer_anon(size_t size, int prot,
 -                                       int flags, Error **errp)
 +static int alloc_code_gen_buffer_anon(size_t size, int prot,
 +                                      int flags, Error **errp)
  {
      void *buf;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
      if (buf == MAP_FAILED) {
          error_setg_errno(errp, errno,
                           "allocate %zu bytes for jit buffer", size);
 -        return false;
 +        return -1;
      }
  #ifdef __mips__
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
      region.start_aligned = buf;
      region.total_size = size;
 -    return true;
 +    return prot;
  }
  #ifndef CONFIG_TCG_INTERPRETER
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
  #ifdef __mips__
      /* Find space for the RX mapping, vs the 256MiB regions. */
 -    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
 -                                    MAP_PRIVATE | MAP_ANONYMOUS |
 -                                    MAP_NORESERVE, errp)) {
 +    if (alloc_code_gen_buffer_anon(size, PROT_NONE,
 +                                   MAP_PRIVATE | MAP_ANONYMOUS |
 +                                   MAP_NORESERVE, errp) < 0) {
          return false;
      }
      /* The size of the mapping may have been adjusted. */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
      /* Request large pages for the buffer and the splitwx.  */
      qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
      qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
 -    return true;
 +    return PROT_READ | PROT_WRITE;
   fail_rx:
      error_setg_errno(errp, errno, "failed to map shared memory for execute");
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
      if (fd >= 0) {
          close(fd);
      }
 -    return false;
 +    return -1;
  }
  #endif /* CONFIG_POSIX */
@@ -XXX,XX +XXX,XX @@ extern kern_return_t mach_vm_remap(vm_map_t target_task,
                                     vm_prot_t *max_protection,
                                     vm_inherit_t inheritance);
 -static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
 +static int alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
  {
      kern_return_t ret;
      mach_vm_address_t buf_rw, buf_rx;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
      /* Map the read-write portion via normal anon memory. */
      if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
                                      MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
 -        return false;
 +        return -1;
      }
      buf_rw = region.start_aligned;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
          /* TODO: Convert "ret" to a human readable error message. */
          error_setg(errp, "vm_remap for jit splitwx failed");
          munmap((void *)buf_rw, size);
 -        return false;
 +        return -1;
      }
      if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
          error_setg_errno(errp, errno, "mprotect for jit splitwx");
          munmap((void *)buf_rx, size);
          munmap((void *)buf_rw, size);
 -        return false;
 +        return -1;
      }
      tcg_splitwx_diff = buf_rx - buf_rw;
 -    return true;
 +    return PROT_READ | PROT_WRITE;
  }
  #endif /* CONFIG_DARWIN */
  #endif /* CONFIG_TCG_INTERPRETER */
 -static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
 +static int alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
  {
  #ifndef CONFIG_TCG_INTERPRETER
  # ifdef CONFIG_DARWIN
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
  # endif
  #endif
      error_setg(errp, "jit split-wx not supported");
 -    return false;
 +    return -1;
  }
 -static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
 +static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  {
      ERRP_GUARD();
      int prot, flags;
      if (splitwx) {
 -        if (alloc_code_gen_buffer_splitwx(size, errp)) {
 -            return true;
 +        prot = alloc_code_gen_buffer_splitwx(size, errp);
 +        if (prot >= 0) {
 +            return prot;
          }
          /*
           * If splitwx force-on (1), fail;
           * if splitwx default-on (-1), fall through to splitwx off.
           */
          if (splitwx > 0) {
 -            return false;
 +            return -1;
          }
          error_free_or_abort(errp);
      }
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
      size_t page_size;
      size_t region_size;
      size_t i;
 -    bool ok;
 +    int have_prot;
 -    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
 -                               splitwx, &error_fatal);
 -    assert(ok);
 +    have_prot = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
 +                                      splitwx, &error_fatal);
 +    assert(have_prot >= 0);
      /*
       * Make region_size a multiple of page_size, using aligned as the start.
 --
 .25.1

-[PULL 10/16] cputlb: Hoist tlb portions in tlb_mmu_resize_locked
+[PULL 24/34] tcg: Sink qemu_madvise call to common code
-No functional change, but the smaller expressions make
+Move the call out of the N versions of alloc_code_gen_buffer
-the code easier to read.
+and into tcg_region_init.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
+ tcg/region.c | 14 +++++++-------
-file changed, 17 insertions(+), 18 deletions(-)
+file changed, 7 insertions(+), 7 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/region.c
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
+@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+         error_setg_errno(errp, errno, "mprotect of jit buffer");
- /**
+         return false;
   * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
 - * @env: CPU that owns the TLB
 - * @mmu_idx: MMU index of the TLB
 + * @desc: The CPUTLBDesc portion of the TLB
 + * @fast: The CPUTLBDescFast portion of the same TLB
   *
   * Called with tlb_lock_held.
   *
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
   * high), since otherwise we are likely to have a significant amount of
   * conflict misses.
   */
 -static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
 +static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
  {
 -    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
 -    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
 +    size_t old_size = tlb_n_entries(fast);
      size_t rate;
      size_t new_size = old_size;
      int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
          return;
      }
+-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
--    g_free(env_tlb(env)->f[mmu_idx].table);
--    g_free(env_tlb(env)->d[mmu_idx].iotlb);
+     region.start_aligned = buf;
-+    g_free(fast->table);
+     region.total_size = size;
-+    g_free(desc->iotlb);
+@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer_anon(size_t size, int prot,
+     }
-     tlb_window_reset(desc, now, 0);
+ #endif
-     /* desc->n_used_entries is cleared by the caller */
--    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+-    /* Request large pages for the buffer.  */
--    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
+-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
--    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+-
-+    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+     region.start_aligned = buf;
-+    fast->table = g_try_new(CPUTLBEntry, new_size);
+     region.total_size = size;
-+    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
+     return prot;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
      region.total_size = size;
      tcg_splitwx_diff = buf_rx - buf_rw;
 -    /* Request large pages for the buffer and the splitwx.  */
 -    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
 -    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
      return PROT_READ | PROT_WRITE;
   fail_rx:
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
                                        splitwx, &error_fatal);
      assert(have_prot >= 0);
 +    /* Request large pages for the buffer and the splitwx.  */
 +    qemu_madvise(region.start_aligned, region.total_size, QEMU_MADV_HUGEPAGE);
 +    if (tcg_splitwx_diff) {
 +        qemu_madvise(region.start_aligned + tcg_splitwx_diff,
 +                     region.total_size, QEMU_MADV_HUGEPAGE);
 +    }
 +
      /*
-      * If the allocations fail, try smaller sizes. We just freed some
+      * Make region_size a multiple of page_size, using aligned as the start.
-      * memory, so going back to half of new_size has a good chance of working.
+      * As a result of this we might end up with a few extra pages at the end of
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
       * allocations to fail though, so we progressively reduce the allocation
       * size, aborting if we cannot even allocate the smallest TLB we support.
       */
 -    while (env_tlb(env)->f[mmu_idx].table == NULL ||
 -           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
 +    while (fast->table == NULL || desc->iotlb == NULL) {
          if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
              error_report("%s: %s", __func__, strerror(errno));
              abort();
          }
          new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
 -        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 +        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 -        g_free(env_tlb(env)->f[mmu_idx].table);
 -        g_free(env_tlb(env)->d[mmu_idx].iotlb);
 -        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
 -        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +        g_free(fast->table);
 +        g_free(desc->iotlb);
 +        fast->table = g_try_new(CPUTLBEntry, new_size);
 +        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
      }
  }
  static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
  {
 -    tlb_mmu_resize_locked(env, mmu_idx);
 +    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
      env_tlb(env)->d[mmu_idx].n_used_entries = 0;
      env_tlb(env)->d[mmu_idx].large_page_addr = -1;
      env_tlb(env)->d[mmu_idx].large_page_mask = -1;
 --
-.20.1
+.25.1

-[PULL 08/16] cputlb: Make tlb_n_entries private to cputlb.c
+[PULL 25/34] util/osdep: Add qemu_mprotect_rw
-There are no users of this function outside cputlb.c,
+For --enable-tcg-interpreter on Windows, we will need this.
 and its interface will change in the next patch.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst.h | 5 -----
+ include/qemu/osdep.h | 1 +
- accel/tcg/cputlb.c      | 5 +++++
+ util/osdep.c         | 9 +++++++++
-files changed, 5 insertions(+), 5 deletions(-)
+files changed, 10 insertions(+)
-diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
+diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst.h
+--- a/include/qemu/osdep.h
-+++ b/include/exec/cpu_ldst.h
++++ b/include/qemu/osdep.h
-@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
+@@ -XXX,XX +XXX,XX @@ void sigaction_invoke(struct sigaction *action,
-     return (addr >> TARGET_PAGE_BITS) & size_mask;
+ #endif
  int qemu_madvise(void *addr, size_t len, int advice);
 +int qemu_mprotect_rw(void *addr, size_t size);
  int qemu_mprotect_rwx(void *addr, size_t size);
  int qemu_mprotect_none(void *addr, size_t size);
 diff --git a/util/osdep.c b/util/osdep.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/osdep.c
 +++ b/util/osdep.c
@@ -XXX,XX +XXX,XX @@ static int qemu_mprotect__osdep(void *addr, size_t size, int prot)
  #endif
  }
--static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
++int qemu_mprotect_rw(void *addr, size_t size)
 -{
 -    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
 -}
 -
  /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
  static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
                                       target_ulong addr)
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
  QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
  #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 +static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
 +{
-+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
++#ifdef _WIN32
 +    return qemu_mprotect__osdep(addr, size, PAGE_READWRITE);
 +#else
 +    return qemu_mprotect__osdep(addr, size, PROT_READ | PROT_WRITE);
 +#endif
 +}
 +
- static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+ int qemu_mprotect_rwx(void *addr, size_t size)
  {
-     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+ #ifdef _WIN32
 --
-.20.1
+.25.1

-[PULL 11/16] cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
+[PULL 26/34] tcg: Round the tb_size default from qemu_get_host_physmem
-No functional change, but the smaller expressions make
+If qemu_get_host_physmem returns an odd number of pages,
-the code easier to read.
+then physmem / 8 will not be a multiple of the page size.
 The following was observed on a gitlab runner:
 ERROR qtest-arm/boot-serial-test - Bail out!
 ERROR:../util/osdep.c:80:qemu_mprotect__osdep: \
   assertion failed: (!(size & ~qemu_real_host_page_mask))
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 ++++++++++---------
+ tcg/region.c | 47 +++++++++++++++++++++--------------------------
-file changed, 10 insertions(+), 9 deletions(-)
+file changed, 21 insertions(+), 26 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/region.c
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(size_t tb_size, unsigned max_cpus)
+   (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
- static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+    ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
 -static size_t size_code_gen_buffer(size_t tb_size)
 -{
 -    /* Size the buffer.  */
 -    if (tb_size == 0) {
 -        size_t phys_mem = qemu_get_host_physmem();
 -        if (phys_mem == 0) {
 -            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
 -        } else {
 -            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
 -        }
 -    }
 -    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
 -        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
 -    }
 -    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
 -        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
 -    }
 -    return tb_size;
 -}
 -
  #ifdef __mips__
  /*
   * In order to use J and JAL within the code_gen_buffer, we require
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
   */
  void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
  {
--    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
+-    size_t page_size;
--    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
++    const size_t page_size = qemu_real_host_page_size;
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+     size_t region_size;
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+     size_t i;
--    env_tlb(env)->d[mmu_idx].vindex = 0;
+     int have_prot;
--    memset(env_tlb(env)->f[mmu_idx].table, -1,
--           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
+-    have_prot = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
--    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+-                                      splitwx, &error_fatal);
--           sizeof(env_tlb(env)->d[0].vtable));
++    /* Size the buffer.  */
-+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++    if (tb_size == 0) {
-+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
++        size_t phys_mem = qemu_get_host_physmem();
 +        if (phys_mem == 0) {
 +            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
 +        } else {
 +            tb_size = QEMU_ALIGN_DOWN(phys_mem / 8, page_size);
 +            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, tb_size);
 +        }
 +    }
 +    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
 +        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
 +    }
 +    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
 +        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
 +    }
 +
-+    tlb_mmu_resize_locked(desc, fast);
++    have_prot = alloc_code_gen_buffer(tb_size, splitwx, &error_fatal);
-+    desc->n_used_entries = 0;
+     assert(have_prot >= 0);
-+    desc->large_page_addr = -1;
-+    desc->large_page_mask = -1;
+     /* Request large pages for the buffer and the splitwx.  */
-+    desc->vindex = 0;
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
-+    memset(fast->table, -1, sizeof_tlb(fast));
+      * As a result of this we might end up with a few extra pages at the end of
-+    memset(desc->vtable, -1, sizeof(desc->vtable));
+      * the buffer; we will assign those to the last region.
- }
+      */
+-    region.n = tcg_n_regions(region.total_size, max_cpus);
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+-    page_size = qemu_real_host_page_size;
 -    region_size = region.total_size / region.n;
 +    region.n = tcg_n_regions(tb_size, max_cpus);
 +    region_size = tb_size / region.n;
      region_size = QEMU_ALIGN_DOWN(region_size, page_size);
      /* A region must have at least 2 pages; one code, one guard */
 --
-.20.1
+.25.1

-[PULL 15/16] cputlb: Hoist timestamp outside of loops over tlbs
+[PULL 27/34] tcg: Merge buffer protection and guard page protection
-Do not call get_clock_realtime() in tlb_mmu_resize_locked,
+Do not handle protections on a case-by-case basis in the
-but hoist outside of any loop over a set of tlbs.  This is
+various alloc_code_gen_buffer instances; do it within a
-only two (indirect) callers, tlb_flush_by_mmuidx_async_work
+single loop in tcg_region_init.
 and tlb_flush_page_locked, so not onerous.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 14 ++++++++------
+ tcg/region.c | 45 +++++++++++++++++++++++++++++++--------------
-file changed, 8 insertions(+), 6 deletions(-)
+file changed, 31 insertions(+), 14 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/region.c
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
-  * high), since otherwise we are likely to have a significant amount of
+     }
-  * conflict misses.
+ #endif
-  */
--static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+-    if (qemu_mprotect_rwx(buf, size)) {
-+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
+-        error_setg_errno(errp, errno, "mprotect of jit buffer");
-+                                  int64_t now)
+-        return false;
 -    }
 -
      region.start_aligned = buf;
      region.total_size = size;
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
  {
-     size_t old_size = tlb_n_entries(fast);
+     const size_t page_size = qemu_real_host_page_size;
-     size_t rate;
+     size_t region_size;
-     size_t new_size = old_size;
+-    size_t i;
--    int64_t now = get_clock_realtime();
+-    int have_prot;
-     int64_t window_len_ms = 100;
++    int have_prot, need_prot;
-     int64_t window_len_ns = window_len_ms * 1000 * 1000;
-     bool window_expired = now > desc->window_begin_ns + window_len_ns;
+     /* Size the buffer.  */
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+     if (tb_size == 0) {
-     memset(desc->vtable, -1, sizeof(desc->vtable));
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
- }
+      * Set guard pages in the rw buffer, as that's the one into which
+      * buffer overruns could occur.  Do not set guard pages in the rx
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+      * buffer -- let that one use hugepages throughout.
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
++     * Work with the page protections set up with the initial mapping.
-+                                        int64_t now)
+      */
- {
+-    for (i = 0; i < region.n; i++) {
-     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++    need_prot = PAGE_READ | PAGE_WRITE;
-     CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
++#ifndef CONFIG_TCG_INTERPRETER
++    if (tcg_splitwx_diff == 0) {
--    tlb_mmu_resize_locked(desc, fast);
++        need_prot |= PAGE_EXEC;
-+    tlb_mmu_resize_locked(desc, fast, now);
++    }
-     tlb_mmu_flush_locked(desc, fast);
++#endif
- }
++    for (size_t i = 0, n = region.n; i < n; i++) {
+         void *start, *end;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
-     CPUArchState *env = cpu->env_ptr;
+         tcg_region_bounds(i, &start, &end);
-     uint16_t asked = data.host_int;
++        if (have_prot != need_prot) {
-     uint16_t all_dirty, work, to_clean;
++            int rc;
-+    int64_t now = get_clock_realtime();
+-        /*
-     assert_cpu_is_self(cpu);
+-         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
+-         * rejects a permission change from RWX -> NONE.  Guard pages are
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
+-         * nice for bug detection but are not essential; ignore any failure.
+-         */
-     for (work = to_clean; work != 0; work &= work - 1) {
+-        (void)qemu_mprotect_none(end, page_size);
-         int mmu_idx = ctz32(work);
++            if (need_prot == (PAGE_READ | PAGE_WRITE | PAGE_EXEC)) {
--        tlb_flush_one_mmuidx_locked(env, mmu_idx);
++                rc = qemu_mprotect_rwx(start, end - start);
-+        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
++            } else if (need_prot == (PAGE_READ | PAGE_WRITE)) {
 +                rc = qemu_mprotect_rw(start, end - start);
 +            } else {
 +                g_assert_not_reached();
 +            }
 +            if (rc) {
 +                error_setg_errno(&error_fatal, errno,
 +                                 "mprotect of jit buffer");
 +            }
 +        }
 +        if (have_prot != 0) {
 +            /*
 +             * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
 +             * rejects a permission change from RWX -> NONE.  Guard pages are
 +             * nice for bug detection but are not essential; ignore any failure.
 +             */
 +            (void)qemu_mprotect_none(end, page_size);
 +        }
      }
-     qemu_spin_unlock(&env_tlb(env)->c.lock);
+     tcg_region_trees_init();
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
          tlb_debug("forcing full flush midx %d ("
                    TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                    midx, lp_addr, lp_mask);
 -        tlb_flush_one_mmuidx_locked(env, midx);
 +        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
      } else {
          if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
              tlb_n_used_entries_dec(env, midx);
 --
-.20.1
+.25.1

-[PULL 06/16] vl: Only choose enabled accelerators in configure_accelerators
+[PULL 28/34] tcg: When allocating for !splitwx, begin with PROT_NONE
-By choosing "tcg:kvm" when kvm is not enabled, we generate
+There's a change in mprotect() behaviour [1] in the latest macOS
-an incorrect warning: "invalid accelerator kvm".
+on M1 and it's not yet clear if it's going to be fixed by Apple.
-At the same time, use g_str_has_suffix rather than open-coding
+In this case, instead of changing permissions of N guard pages,
-the same operation.
+we change permissions of N rwx regions.  The same number of
 syscalls are required either way.
-Presumably the inverse is also true with --disable-tcg.
+[1] https://gist.github.com/hikalium/75ae822466ee4da13cbbe486498a191f
-Fixes: 28a0961757fc
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 21 +++++++++++++--------
+ tcg/region.c | 19 +++++++++----------
-file changed, 13 insertions(+), 8 deletions(-)
+file changed, 9 insertions(+), 10 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/tcg/region.c
-+++ b/vl.c
++++ b/tcg/region.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+         error_free_or_abort(errp);
-         if (accel == NULL) {
+     }
-             /* Select the default accelerator */
--            if (!accel_find("tcg") && !accel_find("kvm")) {
+-    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
--                error_report("No accelerator selected and"
++    /*
--                             " no default accelerator available");
++     * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
--                exit(1);
++     * rejects a permission change from RWX -> NONE when reserving the
--            } else {
++     * guard pages later.  We can go the other way with the same number
--                int pnlen = strlen(progname);
++     * of syscalls, so always begin with PROT_NONE.
--                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
++     */
-+            bool have_tcg = accel_find("tcg");
++    prot = PROT_NONE;
-+            bool have_kvm = accel_find("kvm");
+     flags = MAP_PRIVATE | MAP_ANONYMOUS;
-+
+-#ifdef CONFIG_TCG_INTERPRETER
-+            if (have_tcg && have_kvm) {
+-    /* The tcg interpreter does not need execute permission. */
-+                if (g_str_has_suffix(progname, "kvm")) {
+-    prot = PROT_READ | PROT_WRITE;
-                     /* If the program name ends with "kvm", we prefer KVM */
+-#elif defined(CONFIG_DARWIN)
-                     accel = "kvm:tcg";
++#ifdef CONFIG_DARWIN
-                 } else {
+     /* Applicable to both iOS and macOS (Apple Silicon). */
-                     accel = "tcg:kvm";
+     if (!splitwx) {
-                 }
+         flags |= MAP_JIT;
-+            } else if (have_kvm) {
+@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 +                accel = "kvm";
 +            } else if (have_tcg) {
 +                accel = "tcg";
 +            } else {
 +                error_report("No accelerator selected and"
 +                             " no default accelerator available");
 +                exit(1);
              }
          }
--
+         if (have_prot != 0) {
-         accel_list = g_strsplit(accel, ":", 0);
+-            /*
+-             * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
-         for (tmp = accel_list; *tmp; tmp++) {
+-             * rejects a permission change from RWX -> NONE.  Guard pages are
 -             * nice for bug detection but are not essential; ignore any failure.
 -             */
 +            /* Guard pages are nice for bug detection but are not essential. */
              (void)qemu_mprotect_none(end, page_size);
          }
      }
 --
-.20.1
+.25.1

-[PULL 14/16] cputlb: Initialize tlbs as flushed
+[PULL 29/34] tcg: Move tcg_init_ctx and tcg_ctx from accel/tcg/
-There's little point in leaving these data structures half initialized,
+These variables belong to the jit side, not the user side.
-and relying on a flush to be done during reset.
 Since tcg_init_ctx is no longer used outside of tcg/, move
 the declaration to tcg-internal.h.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 5 +++--
+ include/tcg/tcg.h         | 1 -
-file changed, 3 insertions(+), 2 deletions(-)
+ tcg/tcg-internal.h        | 1 +
  accel/tcg/translate-all.c | 3 ---
  tcg/tcg.c                 | 3 +++
 files changed, 4 insertions(+), 4 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/tcg/tcg.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+@@ -XXX,XX +XXX,XX @@ static inline bool temp_readonly(TCGTemp *ts)
-     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+     return ts->kind >= TEMP_FIXED;
      fast->table = g_new(CPUTLBEntry, n_entries);
      desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
 +    tlb_mmu_flush_locked(desc, fast);
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+-extern TCGContext tcg_init_ctx;
-@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
+ extern __thread TCGContext *tcg_ctx;
+ extern const void *tcg_code_gen_epilogue;
-     qemu_spin_init(&env_tlb(env)->c.lock);
+ extern uintptr_t tcg_splitwx_diff;
+diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
--    /* Ensure that cpu_reset performs a full flush.  */
+index XXXXXXX..XXXXXXX 100644
--    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+--- a/tcg/tcg-internal.h
-+    /* All tlbs are initialized flushed. */
++++ b/tcg/tcg-internal.h
-+    env_tlb(env)->c.dirty = 0;
+@@ -XXX,XX +XXX,XX @@
-     for (i = 0; i < NB_MMU_MODES; i++) {
+ #define TCG_HIGHWATER 1024
-         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
 +extern TCGContext tcg_init_ctx;
  extern TCGContext **tcg_ctxs;
  extern unsigned int tcg_cur_ctxs;
  extern unsigned int tcg_max_ctxs;
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static int v_l2_levels;
  static void *l1_map[V_L1_MAX_SIZE];
 -/* code generation context */
 -TCGContext tcg_init_ctx;
 -__thread TCGContext *tcg_ctx;
  TBContext tb_ctx;
  static void page_table_config_init(void)
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
  static int tcg_out_ldst_finalize(TCGContext *s);
  #endif
 +TCGContext tcg_init_ctx;
 +__thread TCGContext *tcg_ctx;
 +
  TCGContext **tcg_ctxs;
  unsigned int tcg_cur_ctxs;
  unsigned int tcg_max_ctxs;
 --
-.20.1
+.25.1

-[PULL 01/16] cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
+[PULL 30/34] tcg: Introduce tcg_remove_ops_after
-In target/arm we will shortly have "too many" mmu_idx.
+Introduce a function to remove everything emitted
-The current minimum barrier is caused by the way in which
+since a given point.
 tlb_flush_page_by_mmuidx is coded.
 We can remove this limitation by allocating memory for
 consumption by the worker.  Let us assume that this is
 the unlikely case, as will be the case for the majority
 of targets which have so far satisfied the BUILD_BUG_ON,
 and only allocate memory when necessary.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
+ include/tcg/tcg.h | 10 ++++++++++
-file changed, 132 insertions(+), 35 deletions(-)
+ tcg/tcg.c         | 13 +++++++++++++
 files changed, 23 insertions(+)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/tcg/tcg.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
+@@ -XXX,XX +XXX,XX @@ void tcg_op_remove(TCGContext *s, TCGOp *op);
-     }
+ TCGOp *tcg_op_insert_before(TCGContext *s, TCGOp *op, TCGOpcode opc);
  TCGOp *tcg_op_insert_after(TCGContext *s, TCGOp *op, TCGOpcode opc);
 +/**
 + * tcg_remove_ops_after:
 + * @op: target operation
 + *
 + * Discard any opcodes emitted since @op.  Expected usage is to save
 + * a starting point with tcg_last_op(), speculatively emit opcodes,
 + * then decide whether or not to keep those opcodes after the fact.
 + */
 +void tcg_remove_ops_after(TCGOp *op);
 +
  void tcg_optimize(TCGContext *s);
  /* Allocate a new temporary and initialize it with a constant. */
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ void tcg_op_remove(TCGContext *s, TCGOp *op)
  #endif
  }
--/* As we are going to hijack the bottom bits of the page address for a
++void tcg_remove_ops_after(TCGOp *op)
 - * mmuidx bit mask we need to fail to build if we can't do that
 +/**
 + * tlb_flush_page_by_mmuidx_async_0:
 + * @cpu: cpu on which to flush
 + * @addr: page of virtual address to flush
 + * @idxmap: set of mmu_idx to flush
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
 + * at @addr from the tlbs indicated by @idxmap from @cpu.
   */
 -QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
 -
 -static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
 -                                                run_on_cpu_data data)
 +static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
 +                                             target_ulong addr,
 +                                             uint16_t idxmap)
  {
      CPUArchState *env = cpu->env_ptr;
 -    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
 -    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
 -    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
      int mmu_idx;
      assert_cpu_is_self(cpu);
 -    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
 -              addr, mmu_idx_bitmap);
 +    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
      qemu_spin_lock(&env_tlb(env)->c.lock);
      for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
 -        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
 +        if ((idxmap >> mmu_idx) & 1) {
              tlb_flush_page_locked(env, mmu_idx, addr);
          }
      }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
      tb_flush_jmp_cache(cpu, addr);
  }
 +/**
 + * tlb_flush_page_by_mmuidx_async_1:
 + * @cpu: cpu on which to flush
 + * @data: encoded addr + idxmap
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, called through
 + * async_run_on_cpu.  The idxmap parameter is encoded in the page
 + * offset of the target_ptr field.  This limits the set of mmu_idx
 + * that can be passed via this method.
 + */
 +static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
 +                                             run_on_cpu_data data)
 +{
-+    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
++    TCGContext *s = tcg_ctx;
 +    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
 +    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
 +
-+    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
++    while (true) {
 +        TCGOp *last = tcg_last_op();
 +        if (last == op) {
 +            return;
 +        }
 +        tcg_op_remove(s, last);
 +    }
 +}
 +
-+typedef struct {
+ static TCGOp *tcg_op_alloc(TCGOpcode opc)
 +    target_ulong addr;
 +    uint16_t idxmap;
 +} TLBFlushPageByMMUIdxData;
 +
 +/**
 + * tlb_flush_page_by_mmuidx_async_2:
 + * @cpu: cpu on which to flush
 + * @data: allocated addr + idxmap
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, called through
 + * async_run_on_cpu.  The addr+idxmap parameters are stored in a
 + * TLBFlushPageByMMUIdxData structure that has been allocated
 + * specifically for this helper.  Free the structure when done.
 + */
 +static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
 +                                             run_on_cpu_data data)
 +{
 +    TLBFlushPageByMMUIdxData *d = data.host_ptr;
 +
 +    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
 +    g_free(d);
 +}
 +
  void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
  {
--    target_ulong addr_and_mmu_idx;
+     TCGContext *s = tcg_ctx;
 -
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    if (!qemu_cpu_is_self(cpu)) {
 -        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
 -                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    if (qemu_cpu_is_self(cpu)) {
 +        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
 +    } else if (idxmap < TARGET_PAGE_SIZE) {
 +        /*
 +         * Most targets have only a few mmu_idx.  In the case where
 +         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
 +         * allocating memory for this operation.
 +         */
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
      } else {
 -        tlb_flush_page_by_mmuidx_async_work(
 -            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
 +
 +        /* Otherwise allocate a structure, freed by the worker.  */
 +        d->addr = addr;
 +        d->idxmap = idxmap;
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
 +                         RUN_ON_CPU_HOST_PTR(d));
      }
  }
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
  void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                         uint16_t idxmap)
  {
 -    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
 -    target_ulong addr_and_mmu_idx;
 -
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 -    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    /*
 +     * Allocate memory to hold addr+idxmap only when needed.
 +     * See tlb_flush_page_by_mmuidx for details.
 +     */
 +    if (idxmap < TARGET_PAGE_SIZE) {
 +        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +    } else {
 +        CPUState *dst_cpu;
 +
 +        /* Allocate a separate data block for each destination cpu.  */
 +        CPU_FOREACH(dst_cpu) {
 +            if (dst_cpu != src_cpu) {
 +                TLBFlushPageByMMUIdxData *d
 +                    = g_new(TLBFlushPageByMMUIdxData, 1);
 +
 +                d->addr = addr;
 +                d->idxmap = idxmap;
 +                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                                 RUN_ON_CPU_HOST_PTR(d));
 +            }
 +        }
 +    }
 +
 +    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
  }
  void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                                target_ulong addr,
                                                uint16_t idxmap)
  {
 -    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
 -    target_ulong addr_and_mmu_idx;
 -
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 -    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    /*
 +     * Allocate memory to hold addr+idxmap only when needed.
 +     * See tlb_flush_page_by_mmuidx for details.
 +     */
 +    if (idxmap < TARGET_PAGE_SIZE) {
 +        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +    } else {
 +        CPUState *dst_cpu;
 +        TLBFlushPageByMMUIdxData *d;
 +
 +        /* Allocate a separate data block for each destination cpu.  */
 +        CPU_FOREACH(dst_cpu) {
 +            if (dst_cpu != src_cpu) {
 +                d = g_new(TLBFlushPageByMMUIdxData, 1);
 +                d->addr = addr;
 +                d->idxmap = idxmap;
 +                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                                 RUN_ON_CPU_HOST_PTR(d));
 +            }
 +        }
 +
 +        d = g_new(TLBFlushPageByMMUIdxData, 1);
 +        d->addr = addr;
 +        d->idxmap = idxmap;
 +        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                              RUN_ON_CPU_HOST_PTR(d));
 +    }
  }
  void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
 --
-.20.1
+.25.1

-[PULL 03/16] vl: Remove unused variable in configure_accelerators
+[PULL 31/34] tcg: Fix documentation for tcg_constant_* vs tcg_temp_free_*
-The accel_initialised variable no longer has any setters.
+At some point during the development of tcg_constant_*, I changed
 my mind about whether such temps should be able to be passed to
 tcg_temp_free_*.  The final version committed allows this, but the
 commentary was not updated to match.
-Fixes: 6f6e1698a68c
+Fixes: c0522136adf
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
 Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 3 +--
+ include/tcg/tcg.h | 3 ++-
-file changed, 1 insertion(+), 2 deletions(-)
+file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/vl.c b/vl.c
+diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/include/tcg/tcg.h
-+++ b/vl.c
++++ b/include/tcg/tcg.h
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ TCGv_vec tcg_const_ones_vec_matching(TCGv_vec);
- {
-     const char *accel;
+ /*
-     char **accel_list, **tmp;
+  * Locate or create a read-only temporary that is a constant.
--    bool accel_initialised = false;
+- * This kind of temporary need not and should not be freed.
-     bool init_failed = false;
++ * This kind of temporary need not be freed, but for convenience
++ * will be silently ignored by tcg_temp_free_*.
-     qemu_opts_foreach(qemu_find_opts("icount"),
+  */
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+ TCGTemp *tcg_constant_internal(TCGType type, int64_t val);
          accel_list = g_strsplit(accel, ":", 0);
 -        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
 +        for (tmp = accel_list; tmp && *tmp; tmp++) {
              /*
               * Filter invalid accelerators here, to prevent obscenities
               * such as "-machine accel=tcg,,thread=single".
 --
-.20.1
+.25.1

-[PULL 04/16] vl: Reduce scope of variables in configure_accelerators
+[PULL 32/34] tcg/arm: Fix tcg_out_op function signature
-The accel_list and tmp variables are only used when manufacturing
+From: "Jose R. Ziviani" <jziviani@suse.de>
 -machine accel, options based on -accel.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Commit 5e8892db93 fixed several function signatures but tcg_out_op for
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+arm is missing. This patch fixes it as well.
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
 Message-Id: <20210610224450.23425-1-jziviani@suse.de>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 3 ++-
+ tcg/arm/tcg-target.c.inc | 3 ++-
 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/vl.c b/vl.c
+diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/tcg/arm/tcg-target.c.inc
-+++ b/vl.c
++++ b/tcg/arm/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is64)
- static void configure_accelerators(const char *progname)
+ static void tcg_out_epilogue(TCGContext *s);
  static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
 -                const TCGArg *args, const int *const_args)
 +                const TCGArg args[TCG_MAX_OP_ARGS],
 +                const int const_args[TCG_MAX_OP_ARGS])
  {
-     const char *accel;
+     TCGArg a0, a1, a2, a3, a4, a5;
--    char **accel_list, **tmp;
+     int c;
      bool init_failed = false;
      qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
      accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
      if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
 +        char **accel_list, **tmp;
 +
          if (accel == NULL) {
              /* Select the default accelerator */
              if (!accel_find("tcg") && !accel_find("kvm")) {
 --
-.20.1
+.25.1

-[PULL 05/16] vl: Remove useless test in configure_accelerators
+[PULL 33/34] softfloat: Fix tp init in float32_exp2
-The result of g_strsplit is never NULL.
+Typo in the conversion to FloatParts64.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Fixes: 572c4d862ff2
 Fixes: Coverity CID 1457457
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Message-Id: <20210607223812.110596-1-richard.henderson@linaro.org>
 Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 2 +-
+ fpu/softfloat.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/vl.c b/vl.c
+diff --git a/fpu/softfloat.c b/fpu/softfloat.c
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/fpu/softfloat.c
-+++ b/vl.c
++++ b/fpu/softfloat.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ float32 float32_exp2(float32 a, float_status *status)
-         accel_list = g_strsplit(accel, ":", 0);
+     float_raise(float_flag_inexact, status);
--        for (tmp = accel_list; tmp && *tmp; tmp++) {
+-    float64_unpack_canonical(&xnp, float64_ln2, status);
-+        for (tmp = accel_list; *tmp; tmp++) {
++    float64_unpack_canonical(&tp, float64_ln2, status);
-             /*
+     xp = *parts_mul(&xp, &tp, status);
-              * Filter invalid accelerators here, to prevent obscenities
+     xnp = xp;
-              * such as "-machine accel=tcg,,thread=single".
 --
-.20.1
+.25.1

-[PULL 02/16] util/cacheinfo: fix crash when compiling with uClibc
+[PULL 34/34] docs/devel: Explain in more detail the TB chaining mechanisms
-From: Carlos Santos <casantos@redhat.com>
+From: Luis Pires <luis.pires@eldorado.org.br>
-uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
+Signed-off-by: Luis Pires <luis.pires@eldorado.org.br>
-but the corresponding sysconf calls returns -1, which is a valid result,
+Message-Id: <20210601125143.191165-1-luis.pires@eldorado.org.br>
 meaning that the limit is indeterminate.
 Handle this situation using the fallback values instead of crashing due
 to an assertion failure.
 Signed-off-by: Carlos Santos <casantos@redhat.com>
 Message-Id: <20191017123713.30192-1-casantos@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- util/cacheinfo.c | 10 ++++++++--
+ docs/devel/tcg.rst | 101 ++++++++++++++++++++++++++++++++++++++++-----
-file changed, 8 insertions(+), 2 deletions(-)
+file changed, 90 insertions(+), 11 deletions(-)
-diff --git a/util/cacheinfo.c b/util/cacheinfo.c
+diff --git a/docs/devel/tcg.rst b/docs/devel/tcg.rst
 index XXXXXXX..XXXXXXX 100644
---- a/util/cacheinfo.c
+--- a/docs/devel/tcg.rst
-+++ b/util/cacheinfo.c
++++ b/docs/devel/tcg.rst
-@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
+@@ -XXX,XX +XXX,XX @@ performances.
- static void sys_cache_info(int *isize, int *dsize)
+ QEMU's dynamic translation backend is called TCG, for "Tiny Code
- {
+ Generator". For more information, please take a look at ``tcg/README``.
- # ifdef _SC_LEVEL1_ICACHE_LINESIZE
--    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+-Some notable features of QEMU's dynamic translator are:
-+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
++The following sections outline some notable features and implementation
-+    if (tmp_isize > 0) {
++details of QEMU's dynamic translator.
-+        *isize = tmp_isize;
-+    }
+ CPU state optimisations
- # endif
+ -----------------------
- # ifdef _SC_LEVEL1_DCACHE_LINESIZE
--    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+-The target CPUs have many internal states which change the way it
-+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+-evaluates instructions. In order to achieve a good speed, the
-+    if (tmp_dsize > 0) {
++The target CPUs have many internal states which change the way they
-+        *dsize = tmp_dsize;
++evaluate instructions. In order to achieve a good speed, the
-+    }
+ translation phase considers that some state information of the virtual
- # endif
+ CPU cannot change in it. The state is recorded in the Translation
- }
+ Block (TB). If the state changes (e.g. privilege level), a new TB will
- #endif /* sys_cache_info */
+@@ -XXX,XX +XXX,XX @@ Direct block chaining
  ---------------------
  After each translated basic block is executed, QEMU uses the simulated
 -Program Counter (PC) and other cpu state information (such as the CS
 +Program Counter (PC) and other CPU state information (such as the CS
  segment base value) to find the next basic block.
 -In order to accelerate the most common cases where the new simulated PC
 -is known, QEMU can patch a basic block so that it jumps directly to the
 -next one.
 +In its simplest, less optimized form, this is done by exiting from the
 +current TB, going through the TB epilogue, and then back to the
 +main loop. That’s where QEMU looks for the next TB to execute,
 +translating it from the guest architecture if it isn’t already available
 +in memory. Then QEMU proceeds to execute this next TB, starting at the
 +prologue and then moving on to the translated instructions.
 -The most portable code uses an indirect jump. An indirect jump makes
 -it easier to make the jump target modification atomic. On some host
 -architectures (such as x86 or PowerPC), the ``JUMP`` opcode is
 -directly patched so that the block chaining has no overhead.
 +Exiting from the TB this way will cause the ``cpu_exec_interrupt()``
 +callback to be re-evaluated before executing additional instructions.
 +It is mandatory to exit this way after any CPU state changes that may
 +unmask interrupts.
 +
 +In order to accelerate the cases where the TB for the new
 +simulated PC is already available, QEMU has mechanisms that allow
 +multiple TBs to be chained directly, without having to go back to the
 +main loop as described above. These mechanisms are:
 +
 +``lookup_and_goto_ptr``
 +^^^^^^^^^^^^^^^^^^^^^^^
 +
 +Calling ``tcg_gen_lookup_and_goto_ptr()`` will emit a call to
 +``helper_lookup_tb_ptr``. This helper will look for an existing TB that
 +matches the current CPU state. If the destination TB is available its
 +code address is returned, otherwise the address of the JIT epilogue is
 +returned. The call to the helper is always followed by the tcg ``goto_ptr``
 +opcode, which branches to the returned address. In this way, we either
 +branch to the next TB or return to the main loop.
 +
 +``goto_tb + exit_tb``
 +^^^^^^^^^^^^^^^^^^^^^
 +
 +The translation code usually implements branching by performing the
 +following steps:
 +
 +1. Call ``tcg_gen_goto_tb()`` passing a jump slot index (either 0 or 1)
 +   as a parameter.
 +
 +2. Emit TCG instructions to update the CPU state with any information
 +   that has been assumed constant and is required by the main loop to
 +   correctly locate and execute the next TB. For most guests, this is
 +   just the PC of the branch destination, but others may store additional
 +   data. The information updated in this step must be inferable from both
 +   ``cpu_get_tb_cpu_state()`` and ``cpu_restore_state()``.
 +
 +3. Call ``tcg_gen_exit_tb()`` passing the address of the current TB and
 +   the jump slot index again.
 +
 +Step 1, ``tcg_gen_goto_tb()``, will emit a ``goto_tb`` TCG
 +instruction that later on gets translated to a jump to an address
 +associated with the specified jump slot. Initially, this is the address
 +of step 2's instructions, which update the CPU state information. Step 3,
 +``tcg_gen_exit_tb()``, exits from the current TB returning a tagged
 +pointer composed of the last executed TB’s address and the jump slot
 +index.
 +
 +The first time this whole sequence is executed, step 1 simply jumps
 +to step 2. Then the CPU state information gets updated and we exit from
 +the current TB. As a result, the behavior is very similar to the less
 +optimized form described earlier in this section.
 +
 +Next, the main loop looks for the next TB to execute using the
 +current CPU state information (creating the TB if it wasn’t already
 +available) and, before starting to execute the new TB’s instructions,
 +patches the previously executed TB by associating one of its jump
 +slots (the one specified in the call to ``tcg_gen_exit_tb()``) with the
 +address of the new TB.
 +
 +The next time this previous TB is executed and we get to that same
 +``goto_tb`` step, it will already be patched (assuming the destination TB
 +is still in memory) and will jump directly to the first instruction of
 +the destination TB, without going back to the main loop.
 +
 +For the ``goto_tb + exit_tb`` mechanism to be used, the following
 +conditions need to be satisfied:
 +
 +* The change in CPU state must be constant, e.g., a direct branch and
 +  not an indirect branch.
 +
 +* The direct branch cannot cross a page boundary. Memory mappings
 +  may change, causing the code at the destination address to change.
 +
 +Note that, on step 3 (``tcg_gen_exit_tb()``), in addition to the
 +jump slot index, the address of the TB just executed is also returned.
 +This address corresponds to the TB that will be patched; it may be
 +different than the one that was directly executed from the main loop
 +if the latter had already been chained to other TBs.
  Self-modifying code and translated code invalidation
  ----------------------------------------------------
 --
-.20.1
+.25.1

The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:

Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)

are available in the Git repository at:

https://github.com/rth7680/qemu.git tags/pull-tcg-20200121

for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:

scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)

----------------------------------------------------------------
Remove another limit to NB_MMU_MODES.
Fix compilation using uclibc.
Fix defaulting of -accel parameters.
Tidy cputlb basic routines.
Adjust git.orderfile for decodetree.

----------------------------------------------------------------
Carlos Santos (1):
      util/cacheinfo: fix crash when compiling with uClibc

Philippe Mathieu-Daudé (1):
      scripts/git.orderfile: Display decodetree before C source

Richard Henderson (14):
      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
      vl: Remove unused variable in configure_accelerators
      vl: Reduce scope of variables in configure_accelerators
      vl: Remove useless test in configure_accelerators
      vl: Only choose enabled accelerators in configure_accelerators
      cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
      cputlb: Make tlb_n_entries private to cputlb.c
      cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
      cputlb: Hoist tlb portions in tlb_mmu_resize_locked
      cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
      cputlb: Split out tlb_mmu_flush_locked
      cputlb: Partially merge tlb_dyn_init into tlb_init
      cputlb: Initialize tlbs as flushed
      cputlb: Hoist timestamp outside of loops over tlbs

In target/arm we will shortly have "too many" mmu_idx.
The current minimum barrier is caused by the way in which
tlb_flush_page_by_mmuidx is coded.

We can remove this limitation by allocating memory for
consumption by the worker.  Let us assume that this is
the unlikely case, as will be the case for the majority
of targets which have so far satisfied the BUILD_BUG_ON,
and only allocate memory when necessary.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 132 insertions(+), 35 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
     }
 }
 
-/* As we are going to hijack the bottom bits of the page address for a
- * mmuidx bit mask we need to fail to build if we can't do that
+/**
+ * tlb_flush_page_by_mmuidx_async_0:
+ * @cpu: cpu on which to flush
+ * @addr: page of virtual address to flush
+ * @idxmap: set of mmu_idx to flush
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
+ * at @addr from the tlbs indicated by @idxmap from @cpu.
  */
-QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
-
-static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
-                                                run_on_cpu_data data)
+static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
+                                             target_ulong addr,
+                                             uint16_t idxmap)
 {
     CPUArchState *env = cpu->env_ptr;
-    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
-    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
-    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
     int mmu_idx;
 
     assert_cpu_is_self(cpu);
 
-    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
-              addr, mmu_idx_bitmap);
+    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
 
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
-        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
+        if ((idxmap >> mmu_idx) & 1) {
             tlb_flush_page_locked(env, mmu_idx, addr);
         }
     }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
     tb_flush_jmp_cache(cpu, addr);
 }
 
+/**
+ * tlb_flush_page_by_mmuidx_async_1:
+ * @cpu: cpu on which to flush
+ * @data: encoded addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The idxmap parameter is encoded in the page
+ * offset of the target_ptr field.  This limits the set of mmu_idx
+ * that can be passed via this method.
+ */
+static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
+    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
+    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+}
+
+typedef struct {
+    target_ulong addr;
+    uint16_t idxmap;
+} TLBFlushPageByMMUIdxData;
+
+/**
+ * tlb_flush_page_by_mmuidx_async_2:
+ * @cpu: cpu on which to flush
+ * @data: allocated addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The addr+idxmap parameters are stored in a
+ * TLBFlushPageByMMUIdxData structure that has been allocated
+ * specifically for this helper.  Free the structure when done.
+ */
+static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    TLBFlushPageByMMUIdxData *d = data.host_ptr;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
+    g_free(d);
+}
+
 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
 {
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    if (!qemu_cpu_is_self(cpu)) {
-        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
-                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    if (qemu_cpu_is_self(cpu)) {
+        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+    } else if (idxmap < TARGET_PAGE_SIZE) {
+        /*
+         * Most targets have only a few mmu_idx.  In the case where
+         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
+         * allocating memory for this operation.
+         */
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
     } else {
-        tlb_flush_page_by_mmuidx_async_work(
-            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
+
+        /* Otherwise allocate a structure, freed by the worker.  */
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
+                         RUN_ON_CPU_HOST_PTR(d));
     }
 }
 
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                        uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                TLBFlushPageByMMUIdxData *d
+                    = g_new(TLBFlushPageByMMUIdxData, 1);
+
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+    }
+
+    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
 }
 
 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                               target_ulong addr,
                                               uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+        TLBFlushPageByMMUIdxData *d;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                d = g_new(TLBFlushPageByMMUIdxData, 1);
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+
+        d = g_new(TLBFlushPageByMMUIdxData, 1);
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
+                              RUN_ON_CPU_HOST_PTR(d));
+    }
 }
 
 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
-- 
2.20.1

From: Carlos Santos <casantos@redhat.com>

uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
but the corresponding sysconf calls returns -1, which is a valid result,
meaning that the limit is indeterminate.

Handle this situation using the fallback values instead of crashing due
to an assertion failure.

Signed-off-by: Carlos Santos <casantos@redhat.com>
Message-Id: <20191017123713.30192-1-casantos@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 util/cacheinfo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/util/cacheinfo.c b/util/cacheinfo.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cacheinfo.c
+++ b/util/cacheinfo.c
@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
 static void sys_cache_info(int *isize, int *dsize)
 {
 # ifdef _SC_LEVEL1_ICACHE_LINESIZE
-    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    if (tmp_isize > 0) {
+        *isize = tmp_isize;
+    }
 # endif
 # ifdef _SC_LEVEL1_DCACHE_LINESIZE
-    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    if (tmp_dsize > 0) {
+        *dsize = tmp_dsize;
+    }
 # endif
 }
 #endif /* sys_cache_info */
-- 
2.20.1

The accel_initialised variable no longer has any setters.

Fixes: 6f6e1698a68c
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 {
     const char *accel;
     char **accel_list, **tmp;
-    bool accel_initialised = false;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         accel_list = g_strsplit(accel, ":", 0);
 
-        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
+        for (tmp = accel_list; tmp && *tmp; tmp++) {
             /*
              * Filter invalid accelerators here, to prevent obscenities
              * such as "-machine accel=tcg,,thread=single".
-- 
2.20.1

The accel_list and tmp variables are only used when manufacturing
-machine accel, options based on -accel.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
 static void configure_accelerators(const char *progname)
 {
     const char *accel;
-    char **accel_list, **tmp;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
     accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
     if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
+        char **accel_list, **tmp;
+
         if (accel == NULL) {
             /* Select the default accelerator */
             if (!accel_find("tcg") && !accel_find("kvm")) {
-- 
2.20.1

By choosing "tcg:kvm" when kvm is not enabled, we generate
an incorrect warning: "invalid accelerator kvm".

At the same time, use g_str_has_suffix rather than open-coding
the same operation.

Presumably the inverse is also true with --disable-tcg.

Fixes: 28a0961757fc
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         if (accel == NULL) {
             /* Select the default accelerator */
-            if (!accel_find("tcg") && !accel_find("kvm")) {
-                error_report("No accelerator selected and"
-                             " no default accelerator available");
-                exit(1);
-            } else {
-                int pnlen = strlen(progname);
-                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
+            bool have_tcg = accel_find("tcg");
+            bool have_kvm = accel_find("kvm");
+
+            if (have_tcg && have_kvm) {
+                if (g_str_has_suffix(progname, "kvm")) {
                     /* If the program name ends with "kvm", we prefer KVM */
                     accel = "kvm:tcg";
                 } else {
                     accel = "tcg:kvm";
                 }
+            } else if (have_kvm) {
+                accel = "kvm";
+            } else if (have_tcg) {
+                accel = "tcg";
+            } else {
+                error_report("No accelerator selected and"
+                             " no default accelerator available");
+                exit(1);
             }
         }
-
         accel_list = g_strsplit(accel, ":", 0);
 
         for (tmp = accel_list; *tmp; tmp++) {
-- 
2.20.1

There is only one caller for tlb_table_flush_by_mmuidx.  Place
the result at the earlier line number, due to an expected user
in the near future.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
     }
 }
 
-static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
     tlb_mmu_resize_locked(env, mmu_idx);
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+    env_tlb(env)->d[mmu_idx].vindex = 0;
+    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+           sizeof(env_tlb(env)->d[0].vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
     *pelide = elide;
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
-{
-    tlb_table_flush_by_mmuidx(env, mmu_idx);
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
-}
-
 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 {
     CPUArchState *env = cpu->env_ptr;
-- 
2.20.1

There are no users of this function outside cputlb.c,
and its interface will change in the next patch.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst.h | 5 -----
 accel/tcg/cputlb.c      | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
     return (addr >> TARGET_PAGE_BITS) & size_mask;
 }
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
-{
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
-}
-
 /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
 static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
                                      target_ulong addr)
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
+static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+{
+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+}
+
 static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
 {
     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
-- 
2.20.1

We do not need the entire CPUArchState to compute these values.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
 {
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
 }
 
-static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
 {
-    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
 }
 
 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(env, mmu_idx);
+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
     env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->f[mmu_idx].table, -1,
+           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
     memset(env_tlb(env)->d[mmu_idx].vtable, -1,
            sizeof(env_tlb(env)->d[0].vtable));
 }
@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
         unsigned int i;
-        unsigned int n = tlb_n_entries(env, mmu_idx);
+        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
 
         for (i = 0; i < n; i++) {
             tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
- * @env: CPU that owns the TLB
- * @mmu_idx: MMU index of the TLB
+ * @desc: The CPUTLBDesc portion of the TLB
+ * @fast: The CPUTLBDescFast portion of the same TLB
  *
  * Called with tlb_lock_held.
  *
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+    size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
         return;
     }
 
-    g_free(env_tlb(env)->f[mmu_idx].table);
-    g_free(env_tlb(env)->d[mmu_idx].iotlb);
+    g_free(fast->table);
+    g_free(desc->iotlb);
 
     tlb_window_reset(desc, now, 0);
     /* desc->n_used_entries is cleared by the caller */
-    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
-    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_try_new(CPUTLBEntry, new_size);
+    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
+
     /*
      * If the allocations fail, try smaller sizes. We just freed some
      * memory, so going back to half of new_size has a good chance of working.
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
      * allocations to fail though, so we progressively reduce the allocation
      * size, aborting if we cannot even allocate the smallest TLB we support.
      */
-    while (env_tlb(env)->f[mmu_idx].table == NULL ||
-           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
+    while (fast->table == NULL || desc->iotlb == NULL) {
         if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
             error_report("%s: %s", __func__, strerror(errno));
             abort();
         }
         new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
-        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 
-        g_free(env_tlb(env)->f[mmu_idx].table);
-        g_free(env_tlb(env)->d[mmu_idx].iotlb);
-        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+        g_free(fast->table);
+        g_free(desc->iotlb);
+        fast->table = g_try_new(CPUTLBEntry, new_size);
+        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
     }
 }
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(env, mmu_idx);
+    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
-    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1,
-           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    desc->n_used_entries = 0;
+    desc->large_page_addr = -1;
+    desc->large_page_mask = -1;
+    desc->vindex = 0;
+    memset(fast->table, -1, sizeof_tlb(fast));
+    memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
-- 
2.20.1

We will want to be able to flush a tlb without resizing.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     }
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
-
-    tlb_mmu_resize_locked(desc, fast);
     desc->n_used_entries = 0;
     desc->large_page_addr = -1;
     desc->large_page_mask = -1;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+{
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_flush_locked(desc, fast);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
-- 
2.20.1

Merge into the only caller, but at the same time split
out tlb_mmu_init to initialize a single tlb entry.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
     desc->window_max_entries = max_entries;
 }
 
-static void tlb_dyn_init(CPUArchState *env)
-{
-    int i;
-
-    for (i = 0; i < NB_MMU_MODES; i++) {
-        CPUTLBDesc *desc = &env_tlb(env)->d[i];
-        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
-
-        tlb_window_reset(desc, get_clock_realtime(), 0);
-        desc->n_used_entries = 0;
-        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
-        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
-        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
-    }
-}
-
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
  * @desc: The CPUTLBDesc portion of the TLB
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     tlb_mmu_flush_locked(desc, fast);
 }
 
+static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+{
+    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
+
+    tlb_window_reset(desc, now, 0);
+    desc->n_used_entries = 0;
+    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_new(CPUTLBEntry, n_entries);
+    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
 void tlb_init(CPUState *cpu)
 {
     CPUArchState *env = cpu->env_ptr;
+    int64_t now = get_clock_realtime();
+    int i;
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
     /* Ensure that cpu_reset performs a full flush.  */
     env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
 
-    tlb_dyn_init(env);
+    for (i = 0; i < NB_MMU_MODES; i++) {
+        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
+    }
 }
 
 /* flush_all_helper: run fn across all cpus
-- 
2.20.1

There's little point in leaving these data structures half initialized,
and relying on a flush to be done during reset.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
     fast->table = g_new(CPUTLBEntry, n_entries);
     desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+    tlb_mmu_flush_locked(desc, fast);
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
-    /* Ensure that cpu_reset performs a full flush.  */
-    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+    /* All tlbs are initialized flushed. */
+    env_tlb(env)->c.dirty = 0;
 
     for (i = 0; i < NB_MMU_MODES; i++) {
         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
-- 
2.20.1

Do not call get_clock_realtime() in tlb_mmu_resize_locked,
but hoist outside of any loop over a set of tlbs.  This is
only two (indirect) callers, tlb_flush_by_mmuidx_async_work
and tlb_flush_page_locked, so not onerous.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
+                                  int64_t now)
 {
     size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
-    int64_t now = get_clock_realtime();
     int64_t window_len_ms = 100;
     int64_t window_len_ns = window_len_ms * 1000 * 1000;
     bool window_expired = now > desc->window_begin_ns + window_len_ns;
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
+                                        int64_t now)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
     CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 
-    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_resize_locked(desc, fast, now);
     tlb_mmu_flush_locked(desc, fast);
 }
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
     CPUArchState *env = cpu->env_ptr;
     uint16_t asked = data.host_int;
     uint16_t all_dirty, work, to_clean;
+    int64_t now = get_clock_realtime();
 
     assert_cpu_is_self(cpu);
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 
     for (work = to_clean; work != 0; work &= work - 1) {
         int mmu_idx = ctz32(work);
-        tlb_flush_one_mmuidx_locked(env, mmu_idx);
+        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
     }
 
     qemu_spin_unlock(&env_tlb(env)->c.lock);
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
         tlb_debug("forcing full flush midx %d ("
                   TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                   midx, lp_addr, lp_mask);
-        tlb_flush_one_mmuidx_locked(env, midx);
+        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
     } else {
         if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
             tlb_n_used_entries_dec(env, midx);
-- 
2.20.1

This is mostly my code_gen_buffer cleanup, plus a few other random
changes thrown in.  Including a fix for a recent float32_exp2 bug.

The following changes since commit 894fc4fd670aaf04a67dc7507739f914ff4bacf2:

Merge remote-tracking branch 'remotes/jasowang/tags/net-pull-request' into staging (2021-06-11 09:21:48 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20210611

for you to fetch changes up to 60afaddc208d34f6dc86dd974f6e02724fba6eb6:

docs/devel: Explain in more detail the TB chaining mechanisms (2021-06-11 09:41:25 -0700)

----------------------------------------------------------------
Clean up code_gen_buffer allocation.
Add tcg_remove_ops_after.
Fix tcg_constant_* documentation.
Improve TB chaining documentation.
Fix float32_exp2.

----------------------------------------------------------------
Jose R. Ziviani (1):
      tcg/arm: Fix tcg_out_op function signature

Luis Pires (1):
      docs/devel: Explain in more detail the TB chaining mechanisms

Richard Henderson (32):
      meson: Split out tcg/meson.build
      meson: Split out fpu/meson.build
      tcg: Re-order tcg_region_init vs tcg_prologue_init
      tcg: Remove error return from tcg_region_initial_alloc__locked
      tcg: Split out tcg_region_initial_alloc
      tcg: Split out tcg_region_prologue_set
      tcg: Split out region.c
      accel/tcg: Inline cpu_gen_init
      accel/tcg: Move alloc_code_gen_buffer to tcg/region.c
      accel/tcg: Rename tcg_init to tcg_init_machine
      tcg: Create tcg_init
      accel/tcg: Merge tcg_exec_init into tcg_init_machine
      accel/tcg: Use MiB in tcg_init_machine
      accel/tcg: Pass down max_cpus to tcg_init
      tcg: Introduce tcg_max_ctxs
      tcg: Move MAX_CODE_GEN_BUFFER_SIZE to tcg-target.h
      tcg: Replace region.end with region.total_size
      tcg: Rename region.start to region.after_prologue
      tcg: Tidy tcg_n_regions
      tcg: Tidy split_cross_256mb
      tcg: Move in_code_gen_buffer and tests to region.c
      tcg: Allocate code_gen_buffer into struct tcg_region_state
      tcg: Return the map protection from alloc_code_gen_buffer
      tcg: Sink qemu_madvise call to common code
      util/osdep: Add qemu_mprotect_rw
      tcg: Round the tb_size default from qemu_get_host_physmem
      tcg: Merge buffer protection and guard page protection
      tcg: When allocating for !splitwx, begin with PROT_NONE
      tcg: Move tcg_init_ctx and tcg_ctx from accel/tcg/
      tcg: Introduce tcg_remove_ops_after
      tcg: Fix documentation for tcg_constant_* vs tcg_temp_free_*
      softfloat: Fix tp init in float32_exp2

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 meson.build     |  8 +-------
 tcg/meson.build | 13 +++++++++++++
 2 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 tcg/meson.build

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ common_ss.add(capstone)
 specific_ss.add(files('cpu.c', 'disas.c', 'gdbstub.c'), capstone)
 specific_ss.add(when: 'CONFIG_TCG', if_true: files(
   'fpu/softfloat.c',
-  'tcg/optimize.c',
-  'tcg/tcg-common.c',
-  'tcg/tcg-op-gvec.c',
-  'tcg/tcg-op-vec.c',
-  'tcg/tcg-op.c',
-  'tcg/tcg.c',
 ))
-specific_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('tcg/tci.c'))
 
 # Work around a gcc bug/misfeature wherein constant propagation looks
 # through an alias:
@@ -XXX,XX +XXX,XX @@ subdir('net')
 subdir('replay')
 subdir('semihosting')
 subdir('hw')
+subdir('tcg')
 subdir('accel')
 subdir('plugins')
 subdir('bsd-user')
diff --git a/tcg/meson.build b/tcg/meson.build
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tcg/meson.build
@@ -XXX,XX +XXX,XX @@
+tcg_ss = ss.source_set()
+
+tcg_ss.add(files(
+  'optimize.c',
+  'tcg.c',
+  'tcg-common.c',
+  'tcg-op.c',
+  'tcg-op-gvec.c',
+  'tcg-op-vec.c',
+))
+tcg_ss.add(when: 'CONFIG_TCG_INTERPRETER', if_true: files('tci.c'))
+
+specific_ss.add_all(when: 'CONFIG_TCG', if_true: tcg_ss)
-- 
2.25.1

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 meson.build     | 4 +---
 fpu/meson.build | 1 +
 2 files changed, 2 insertions(+), 3 deletions(-)
 create mode 100644 fpu/meson.build

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ subdir('softmmu')
 
 common_ss.add(capstone)
 specific_ss.add(files('cpu.c', 'disas.c', 'gdbstub.c'), capstone)
-specific_ss.add(when: 'CONFIG_TCG', if_true: files(
-  'fpu/softfloat.c',
-))
 
 # Work around a gcc bug/misfeature wherein constant propagation looks
 # through an alias:
@@ -XXX,XX +XXX,XX @@ subdir('replay')
 subdir('semihosting')
 subdir('hw')
 subdir('tcg')
+subdir('fpu')
 subdir('accel')
 subdir('plugins')
 subdir('bsd-user')
diff --git a/fpu/meson.build b/fpu/meson.build
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/fpu/meson.build
@@ -0,0 +1 @@
+specific_ss.add(when: 'CONFIG_TCG', if_true: files('softfloat.c'))
-- 
2.25.1

Instead of delaying tcg_region_init until after tcg_prologue_init
is complete, do tcg_region_init first and let tcg_prologue_init
shrink the first region by the size of the generated prologue.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/tcg-all.c       | 11 ---------
 accel/tcg/translate-all.c |  3 +++
 bsd-user/main.c           |  1 -
 linux-user/main.c         |  1 -
 tcg/tcg.c                 | 52 ++++++++++++++-------------------------
 5 files changed, 22 insertions(+), 46 deletions(-)

diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@ static int tcg_init(MachineState *ms)
 
     tcg_exec_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
     mttcg_enabled = s->mttcg_enabled;
-
-    /*
-     * Initialize TCG regions only for softmmu.
-     *
-     * This needs to be done later for user mode, because the prologue
-     * generation needs to be delayed so that GUEST_BASE is already set.
-     */
-#ifndef CONFIG_USER_ONLY
-    tcg_region_init();
-#endif /* !CONFIG_USER_ONLY */
-
     return 0;
 }
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void tcg_exec_init(unsigned long tb_size, int splitwx)
                                splitwx, &error_fatal);
     assert(ok);
 
+    /* TODO: allocating regions is hand-in-glove with code_gen_buffer. */
+    tcg_region_init();
+
 #if defined(CONFIG_SOFTMMU)
     /* There's no guest base to take into account, so go ahead and
        initialize the prologue now.  */
diff --git a/bsd-user/main.c b/bsd-user/main.c
index XXXXXXX..XXXXXXX 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      * the real value of GUEST_BASE into account.
      */
     tcg_prologue_init(tcg_ctx);
-    tcg_region_init();
 
     /* build Task State */
     memset(ts, 0, sizeof(TaskState));
diff --git a/linux-user/main.c b/linux-user/main.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
        generating the prologue until now so that the prologue can take
        the real value of GUEST_BASE into account.  */
     tcg_prologue_init(tcg_ctx);
-    tcg_region_init();
 
     target_cpu_copy_regs(env, regs);
 
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tcg_tb_alloc(TCGContext *s)
 
 void tcg_prologue_init(TCGContext *s)
 {
-    size_t prologue_size, total_size;
-    void *buf0, *buf1;
+    size_t prologue_size;
 
     /* Put the prologue at the beginning of code_gen_buffer.  */
-    buf0 = s->code_gen_buffer;
-    total_size = s->code_gen_buffer_size;
-    s->code_ptr = buf0;
-    s->code_buf = buf0;
+    tcg_region_assign(s, 0);
+    s->code_ptr = s->code_gen_ptr;
+    s->code_buf = s->code_gen_ptr;
     s->data_gen_ptr = NULL;
 
-    /*
-     * The region trees are not yet configured, but tcg_splitwx_to_rx
-     * needs the bounds for an assert.
-     */
-    region.start = buf0;
-    region.end = buf0 + total_size;
-
 #ifndef CONFIG_TCG_INTERPRETER
-    tcg_qemu_tb_exec = (tcg_prologue_fn *)tcg_splitwx_to_rx(buf0);
+    tcg_qemu_tb_exec = (tcg_prologue_fn *)tcg_splitwx_to_rx(s->code_ptr);
 #endif
 
-    /* Compute a high-water mark, at which we voluntarily flush the buffer
-       and start over.  The size here is arbitrary, significantly larger
-       than we expect the code generation for any one opcode to require.  */
-    s->code_gen_highwater = s->code_gen_buffer + (total_size - TCG_HIGHWATER);
-
 #ifdef TCG_TARGET_NEED_POOL_LABELS
     s->pool_labels = NULL;
 #endif
@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
     }
 #endif
 
-    buf1 = s->code_ptr;
+    prologue_size = tcg_current_code_size(s);
+
 #ifndef CONFIG_TCG_INTERPRETER
-    flush_idcache_range((uintptr_t)tcg_splitwx_to_rx(buf0), (uintptr_t)buf0,
-                        tcg_ptr_byte_diff(buf1, buf0));
+    flush_idcache_range((uintptr_t)tcg_splitwx_to_rx(s->code_buf),
+                        (uintptr_t)s->code_buf, prologue_size);
 #endif
 
-    /* Deduct the prologue from the buffer.  */
-    prologue_size = tcg_current_code_size(s);
-    s->code_gen_ptr = buf1;
-    s->code_gen_buffer = buf1;
-    s->code_buf = buf1;
-    total_size -= prologue_size;
-    s->code_gen_buffer_size = total_size;
+    /* Deduct the prologue from the first region.  */
+    region.start = s->code_ptr;
 
-    tcg_register_jit(tcg_splitwx_to_rx(s->code_gen_buffer), total_size);
+    /* Recompute boundaries of the first region. */
+    tcg_region_assign(s, 0);
+
+    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+                     region.end - region.start);
 
 #ifdef DEBUG_DISAS
     if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
         FILE *logfile = qemu_log_lock();
         qemu_log("PROLOGUE: [size=%zu]\n", prologue_size);
         if (s->data_gen_ptr) {
-            size_t code_size = s->data_gen_ptr - buf0;
+            size_t code_size = s->data_gen_ptr - s->code_gen_ptr;
             size_t data_size = prologue_size - code_size;
             size_t i;
 
-            log_disas(buf0, code_size);
+            log_disas(s->code_gen_ptr, code_size);
 
             for (i = 0; i < data_size; i += sizeof(tcg_target_ulong)) {
                 if (sizeof(tcg_target_ulong) == 8) {
@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
                 }
             }
         } else {
-            log_disas(buf0, prologue_size);
+            log_disas(s->code_gen_ptr, prologue_size);
         }
         qemu_log("\n");
         qemu_log_flush();
-- 
2.25.1

All callers immediately assert on error, so move the assert
into the function itself.

diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static bool tcg_region_alloc(TCGContext *s)
  * Perform a context's first region allocation.
  * This function does _not_ increment region.agg_size_full.
  */
-static inline bool tcg_region_initial_alloc__locked(TCGContext *s)
+static void tcg_region_initial_alloc__locked(TCGContext *s)
 {
-    return tcg_region_alloc__locked(s);
+    bool err = tcg_region_alloc__locked(s);
+    g_assert(!err);
 }
 
 /* Call from a safe-work context */
@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
 
     for (i = 0; i < n_ctxs; i++) {
         TCGContext *s = qatomic_read(&tcg_ctxs[i]);
-        bool err = tcg_region_initial_alloc__locked(s);
-
-        g_assert(!err);
+        tcg_region_initial_alloc__locked(s);
     }
     qemu_mutex_unlock(&region.lock);
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(void)
 
     /* In user-mode we support only one ctx, so do the initial allocation now */
 #ifdef CONFIG_USER_ONLY
-    {
-        bool err = tcg_region_initial_alloc__locked(tcg_ctx);
-
-        g_assert(!err);
-    }
+    tcg_region_initial_alloc__locked(tcg_ctx);
 #endif
 }
 
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
     MachineState *ms = MACHINE(qdev_get_machine());
     TCGContext *s = g_malloc(sizeof(*s));
     unsigned int i, n;
-    bool err;
 
     *s = tcg_init_ctx;
 
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
 
     tcg_ctx = s;
     qemu_mutex_lock(&region.lock);
-    err = tcg_region_initial_alloc__locked(tcg_ctx);
-    g_assert(!err);
+    tcg_region_initial_alloc__locked(s);
     qemu_mutex_unlock(&region.lock);
 }
 #endif /* !CONFIG_USER_ONLY */
-- 
2.25.1

This has only one user, and currently needs an ifdef,
but will make more sense after some code motion.

diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void tcg_region_initial_alloc__locked(TCGContext *s)
     g_assert(!err);
 }
 
+#ifndef CONFIG_USER_ONLY
+static void tcg_region_initial_alloc(TCGContext *s)
+{
+    qemu_mutex_lock(&region.lock);
+    tcg_region_initial_alloc__locked(s);
+    qemu_mutex_unlock(&region.lock);
+}
+#endif
+
 /* Call from a safe-work context */
 void tcg_region_reset_all(void)
 {
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
     }
 
     tcg_ctx = s;
-    qemu_mutex_lock(&region.lock);
-    tcg_region_initial_alloc__locked(s);
-    qemu_mutex_unlock(&region.lock);
+    tcg_region_initial_alloc(s);
 }
 #endif /* !CONFIG_USER_ONLY */
 
-- 
2.25.1

This has only one user, but will make more sense after some
code motion.

Always leave the tcg_init_ctx initialized to the first region,
in preparation for tcg_prologue_init().  This also requires
that we don't re-allocate the region for the first cpu, lest
we hit the assertion for total number of regions allocated .

diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(void)
 
     tcg_region_trees_init();
 
-    /* In user-mode we support only one ctx, so do the initial allocation now */
-#ifdef CONFIG_USER_ONLY
-    tcg_region_initial_alloc__locked(tcg_ctx);
-#endif
+    /*
+     * Leave the initial context initialized to the first region.
+     * This will be the context into which we generate the prologue.
+     * It is also the only context for CONFIG_USER_ONLY.
+     */
+    tcg_region_initial_alloc__locked(&tcg_init_ctx);
+}
+
+static void tcg_region_prologue_set(TCGContext *s)
+{
+    /* Deduct the prologue from the first region.  */
+    g_assert(region.start == s->code_gen_buffer);
+    region.start = s->code_ptr;
+
+    /* Recompute boundaries of the first region. */
+    tcg_region_assign(s, 0);
+
+    /* Register the balance of the buffer with gdb. */
+    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+                     region.end - region.start);
 }
 
 #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
 
     if (n > 0) {
         alloc_tcg_plugin_context(s);
+        tcg_region_initial_alloc(s);
     }
 
     tcg_ctx = s;
-    tcg_region_initial_alloc(s);
 }
 #endif /* !CONFIG_USER_ONLY */
 
@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
 {
     size_t prologue_size;
 
-    /* Put the prologue at the beginning of code_gen_buffer.  */
-    tcg_region_assign(s, 0);
     s->code_ptr = s->code_gen_ptr;
     s->code_buf = s->code_gen_ptr;
     s->data_gen_ptr = NULL;
@@ -XXX,XX +XXX,XX @@ void tcg_prologue_init(TCGContext *s)
                         (uintptr_t)s->code_buf, prologue_size);
 #endif
 
-    /* Deduct the prologue from the first region.  */
-    region.start = s->code_ptr;
-
-    /* Recompute boundaries of the first region. */
-    tcg_region_assign(s, 0);
-
-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
-                     region.end - region.start);
+    tcg_region_prologue_set(s);
 
 #ifdef DEBUG_DISAS
     if (qemu_loglevel_mask(CPU_LOG_TB_OUT_ASM)) {
-- 
2.25.1

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg-internal.h |  37 +++
 tcg/region.c       | 572 +++++++++++++++++++++++++++++++++++++++++++++
 tcg/tcg.c          | 547 +------------------------------------------
 tcg/meson.build    |   1 +
 4 files changed, 613 insertions(+), 544 deletions(-)
 create mode 100644 tcg/tcg-internal.h
 create mode 100644 tcg/region.c

diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Internal declarations for Tiny Code Generator for QEMU
+ *
+ * Copyright (c) 2008 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#ifndef TCG_INTERNAL_H
+#define TCG_INTERNAL_H 1
+
+#define TCG_HIGHWATER 1024
+
+extern TCGContext **tcg_ctxs;
+extern unsigned int n_tcg_ctxs;
+
+bool tcg_region_alloc(TCGContext *s);
+void tcg_region_initial_alloc(TCGContext *s);
+void tcg_region_prologue_set(TCGContext *s);
+
+#endif /* TCG_INTERNAL_H */
diff --git a/tcg/region.c b/tcg/region.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Memory region management for Tiny Code Generator for QEMU
+ *
+ * Copyright (c) 2008 Fabrice Bellard
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "qemu/osdep.h"
+#include "exec/exec-all.h"
+#include "tcg/tcg.h"
+#if !defined(CONFIG_USER_ONLY)
+#include "hw/boards.h"
+#endif
+#include "tcg-internal.h"
+
+
+struct tcg_region_tree {
+    QemuMutex lock;
+    GTree *tree;
+    /* padding to avoid false sharing is computed at run-time */
+};
+
+/*
+ * We divide code_gen_buffer into equally-sized "regions" that TCG threads
+ * dynamically allocate from as demand dictates. Given appropriate region
+ * sizing, this minimizes flushes even when some TCG threads generate a lot
+ * more code than others.
+ */
+struct tcg_region_state {
+    QemuMutex lock;
+
+    /* fields set at init time */
+    void *start;
+    void *start_aligned;
+    void *end;
+    size_t n;
+    size_t size; /* size of one region */
+    size_t stride; /* .size + guard size */
+
+    /* fields protected by the lock */
+    size_t current; /* current region index */
+    size_t agg_size_full; /* aggregate size of full regions */
+};
+
+static struct tcg_region_state region;
+
+/*
+ * This is an array of struct tcg_region_tree's, with padding.
+ * We use void * to simplify the computation of region_trees[i]; each
+ * struct is found every tree_size bytes.
+ */
+static void *region_trees;
+static size_t tree_size;
+
+/* compare a pointer @ptr and a tb_tc @s */
+static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
+{
+    if (ptr >= s->ptr + s->size) {
+        return 1;
+    } else if (ptr < s->ptr) {
+        return -1;
+    }
+    return 0;
+}
+
+static gint tb_tc_cmp(gconstpointer ap, gconstpointer bp)
+{
+    const struct tb_tc *a = ap;
+    const struct tb_tc *b = bp;
+
+    /*
+     * When both sizes are set, we know this isn't a lookup.
+     * This is the most likely case: every TB must be inserted; lookups
+     * are a lot less frequent.
+     */
+    if (likely(a->size && b->size)) {
+        if (a->ptr > b->ptr) {
+            return 1;
+        } else if (a->ptr < b->ptr) {
+            return -1;
+        }
+        /* a->ptr == b->ptr should happen only on deletions */
+        g_assert(a->size == b->size);
+        return 0;
+    }
+    /*
+     * All lookups have either .size field set to 0.
+     * From the glib sources we see that @ap is always the lookup key. However
+     * the docs provide no guarantee, so we just mark this case as likely.
+     */
+    if (likely(a->size == 0)) {
+        return ptr_cmp_tb_tc(a->ptr, b);
+    }
+    return ptr_cmp_tb_tc(b->ptr, a);
+}
+
+static void tcg_region_trees_init(void)
+{
+    size_t i;
+
+    tree_size = ROUND_UP(sizeof(struct tcg_region_tree), qemu_dcache_linesize);
+    region_trees = qemu_memalign(qemu_dcache_linesize, region.n * tree_size);
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        qemu_mutex_init(&rt->lock);
+        rt->tree = g_tree_new(tb_tc_cmp);
+    }
+}
+
+static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p)
+{
+    size_t region_idx;
+
+    /*
+     * Like tcg_splitwx_to_rw, with no assert.  The pc may come from
+     * a signal handler over which the caller has no control.
+     */
+    if (!in_code_gen_buffer(p)) {
+        p -= tcg_splitwx_diff;
+        if (!in_code_gen_buffer(p)) {
+            return NULL;
+        }
+    }
+
+    if (p < region.start_aligned) {
+        region_idx = 0;
+    } else {
+        ptrdiff_t offset = p - region.start_aligned;
+
+        if (offset > region.stride * (region.n - 1)) {
+            region_idx = region.n - 1;
+        } else {
+            region_idx = offset / region.stride;
+        }
+    }
+    return region_trees + region_idx * tree_size;
+}
+
+void tcg_tb_insert(TranslationBlock *tb)
+{
+    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
+
+    g_assert(rt != NULL);
+    qemu_mutex_lock(&rt->lock);
+    g_tree_insert(rt->tree, &tb->tc, tb);
+    qemu_mutex_unlock(&rt->lock);
+}
+
+void tcg_tb_remove(TranslationBlock *tb)
+{
+    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
+
+    g_assert(rt != NULL);
+    qemu_mutex_lock(&rt->lock);
+    g_tree_remove(rt->tree, &tb->tc);
+    qemu_mutex_unlock(&rt->lock);
+}
+
+/*
+ * Find the TB 'tb' such that
+ * tb->tc.ptr <= tc_ptr < tb->tc.ptr + tb->tc.size
+ * Return NULL if not found.
+ */
+TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
+{
+    struct tcg_region_tree *rt = tc_ptr_to_region_tree((void *)tc_ptr);
+    TranslationBlock *tb;
+    struct tb_tc s = { .ptr = (void *)tc_ptr };
+
+    if (rt == NULL) {
+        return NULL;
+    }
+
+    qemu_mutex_lock(&rt->lock);
+    tb = g_tree_lookup(rt->tree, &s);
+    qemu_mutex_unlock(&rt->lock);
+    return tb;
+}
+
+static void tcg_region_tree_lock_all(void)
+{
+    size_t i;
+
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        qemu_mutex_lock(&rt->lock);
+    }
+}
+
+static void tcg_region_tree_unlock_all(void)
+{
+    size_t i;
+
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        qemu_mutex_unlock(&rt->lock);
+    }
+}
+
+void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
+{
+    size_t i;
+
+    tcg_region_tree_lock_all();
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        g_tree_foreach(rt->tree, func, user_data);
+    }
+    tcg_region_tree_unlock_all();
+}
+
+size_t tcg_nb_tbs(void)
+{
+    size_t nb_tbs = 0;
+    size_t i;
+
+    tcg_region_tree_lock_all();
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        nb_tbs += g_tree_nnodes(rt->tree);
+    }
+    tcg_region_tree_unlock_all();
+    return nb_tbs;
+}
+
+static gboolean tcg_region_tree_traverse(gpointer k, gpointer v, gpointer data)
+{
+    TranslationBlock *tb = v;
+
+    tb_destroy(tb);
+    return FALSE;
+}
+
+static void tcg_region_tree_reset_all(void)
+{
+    size_t i;
+
+    tcg_region_tree_lock_all();
+    for (i = 0; i < region.n; i++) {
+        struct tcg_region_tree *rt = region_trees + i * tree_size;
+
+        g_tree_foreach(rt->tree, tcg_region_tree_traverse, NULL);
+        /* Increment the refcount first so that destroy acts as a reset */
+        g_tree_ref(rt->tree);
+        g_tree_destroy(rt->tree);
+    }
+    tcg_region_tree_unlock_all();
+}
+
+static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
+{
+    void *start, *end;
+
+    start = region.start_aligned + curr_region * region.stride;
+    end = start + region.size;
+
+    if (curr_region == 0) {
+        start = region.start;
+    }
+    if (curr_region == region.n - 1) {
+        end = region.end;
+    }
+
+    *pstart = start;
+    *pend = end;
+}
+
+static void tcg_region_assign(TCGContext *s, size_t curr_region)
+{
+    void *start, *end;
+
+    tcg_region_bounds(curr_region, &start, &end);
+
+    s->code_gen_buffer = start;
+    s->code_gen_ptr = start;
+    s->code_gen_buffer_size = end - start;
+    s->code_gen_highwater = end - TCG_HIGHWATER;
+}
+
+static bool tcg_region_alloc__locked(TCGContext *s)
+{
+    if (region.current == region.n) {
+        return true;
+    }
+    tcg_region_assign(s, region.current);
+    region.current++;
+    return false;
+}
+
+/*
+ * Request a new region once the one in use has filled up.
+ * Returns true on error.
+ */
+bool tcg_region_alloc(TCGContext *s)
+{
+    bool err;
+    /* read the region size now; alloc__locked will overwrite it on success */
+    size_t size_full = s->code_gen_buffer_size;
+
+    qemu_mutex_lock(&region.lock);
+    err = tcg_region_alloc__locked(s);
+    if (!err) {
+        region.agg_size_full += size_full - TCG_HIGHWATER;
+    }
+    qemu_mutex_unlock(&region.lock);
+    return err;
+}
+
+/*
+ * Perform a context's first region allocation.
+ * This function does _not_ increment region.agg_size_full.
+ */
+static void tcg_region_initial_alloc__locked(TCGContext *s)
+{
+    bool err = tcg_region_alloc__locked(s);
+    g_assert(!err);
+}
+
+void tcg_region_initial_alloc(TCGContext *s)
+{
+    qemu_mutex_lock(&region.lock);
+    tcg_region_initial_alloc__locked(s);
+    qemu_mutex_unlock(&region.lock);
+}
+
+/* Call from a safe-work context */
+void tcg_region_reset_all(void)
+{
+    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int i;
+
+    qemu_mutex_lock(&region.lock);
+    region.current = 0;
+    region.agg_size_full = 0;
+
+    for (i = 0; i < n_ctxs; i++) {
+        TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+        tcg_region_initial_alloc__locked(s);
+    }
+    qemu_mutex_unlock(&region.lock);
+
+    tcg_region_tree_reset_all();
+}
+
+#ifdef CONFIG_USER_ONLY
+static size_t tcg_n_regions(void)
+{
+    return 1;
+}
+#else
+/*
+ * It is likely that some vCPUs will translate more code than others, so we
+ * first try to set more regions than max_cpus, with those regions being of
+ * reasonable size. If that's not possible we make do by evenly dividing
+ * the code_gen_buffer among the vCPUs.
+ */
+static size_t tcg_n_regions(void)
+{
+    size_t i;
+
+    /* Use a single region if all we have is one vCPU thread */
+#if !defined(CONFIG_USER_ONLY)
+    MachineState *ms = MACHINE(qdev_get_machine());
+    unsigned int max_cpus = ms->smp.max_cpus;
+#endif
+    if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
+        return 1;
+    }
+
+    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
+    for (i = 8; i > 0; i--) {
+        size_t regions_per_thread = i;
+        size_t region_size;
+
+        region_size = tcg_init_ctx.code_gen_buffer_size;
+        region_size /= max_cpus * regions_per_thread;
+
+        if (region_size >= 2 * 1024u * 1024) {
+            return max_cpus * regions_per_thread;
+        }
+    }
+    /* If we can't, then just allocate one region per vCPU thread */
+    return max_cpus;
+}
+#endif
+
+/*
+ * Initializes region partitioning.
+ *
+ * Called at init time from the parent thread (i.e. the one calling
+ * tcg_context_init), after the target's TCG globals have been set.
+ *
+ * Region partitioning works by splitting code_gen_buffer into separate regions,
+ * and then assigning regions to TCG threads so that the threads can translate
+ * code in parallel without synchronization.
+ *
+ * In softmmu the number of TCG threads is bounded by max_cpus, so we use at
+ * least max_cpus regions in MTTCG. In !MTTCG we use a single region.
+ * Note that the TCG options from the command-line (i.e. -accel accel=tcg,[...])
+ * must have been parsed before calling this function, since it calls
+ * qemu_tcg_mttcg_enabled().
+ *
+ * In user-mode we use a single region.  Having multiple regions in user-mode
+ * is not supported, because the number of vCPU threads (recall that each thread
+ * spawned by the guest corresponds to a vCPU thread) is only bounded by the
+ * OS, and usually this number is huge (tens of thousands is not uncommon).
+ * Thus, given this large bound on the number of vCPU threads and the fact
+ * that code_gen_buffer is allocated at compile-time, we cannot guarantee
+ * that the availability of at least one region per vCPU thread.
+ *
+ * However, this user-mode limitation is unlikely to be a significant problem
+ * in practice. Multi-threaded guests share most if not all of their translated
+ * code, which makes parallel code generation less appealing than in softmmu.
+ */
+void tcg_region_init(void)
+{
+    void *buf = tcg_init_ctx.code_gen_buffer;
+    void *aligned;
+    size_t size = tcg_init_ctx.code_gen_buffer_size;
+    size_t page_size = qemu_real_host_page_size;
+    size_t region_size;
+    size_t n_regions;
+    size_t i;
+
+    n_regions = tcg_n_regions();
+
+    /* The first region will be 'aligned - buf' bytes larger than the others */
+    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
+    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
+    /*
+     * Make region_size a multiple of page_size, using aligned as the start.
+     * As a result of this we might end up with a few extra pages at the end of
+     * the buffer; we will assign those to the last region.
+     */
+    region_size = (size - (aligned - buf)) / n_regions;
+    region_size = QEMU_ALIGN_DOWN(region_size, page_size);
+
+    /* A region must have at least 2 pages; one code, one guard */
+    g_assert(region_size >= 2 * page_size);
+
+    /* init the region struct */
+    qemu_mutex_init(&region.lock);
+    region.n = n_regions;
+    region.size = region_size - page_size;
+    region.stride = region_size;
+    region.start = buf;
+    region.start_aligned = aligned;
+    /* page-align the end, since its last page will be a guard page */
+    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
+    /* account for that last guard page */
+    region.end -= page_size;
+
+    /*
+     * Set guard pages in the rw buffer, as that's the one into which
+     * buffer overruns could occur.  Do not set guard pages in the rx
+     * buffer -- let that one use hugepages throughout.
+     */
+    for (i = 0; i < region.n; i++) {
+        void *start, *end;
+
+        tcg_region_bounds(i, &start, &end);
+
+        /*
+         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
+         * rejects a permission change from RWX -> NONE.  Guard pages are
+         * nice for bug detection but are not essential; ignore any failure.
+         */
+        (void)qemu_mprotect_none(end, page_size);
+    }
+
+    tcg_region_trees_init();
+
+    /*
+     * Leave the initial context initialized to the first region.
+     * This will be the context into which we generate the prologue.
+     * It is also the only context for CONFIG_USER_ONLY.
+     */
+    tcg_region_initial_alloc__locked(&tcg_init_ctx);
+}
+
+void tcg_region_prologue_set(TCGContext *s)
+{
+    /* Deduct the prologue from the first region.  */
+    g_assert(region.start == s->code_gen_buffer);
+    region.start = s->code_ptr;
+
+    /* Recompute boundaries of the first region. */
+    tcg_region_assign(s, 0);
+
+    /* Register the balance of the buffer with gdb. */
+    tcg_register_jit(tcg_splitwx_to_rx(region.start),
+                     region.end - region.start);
+}
+
+/*
+ * Returns the size (in bytes) of all translated code (i.e. from all regions)
+ * currently in the cache.
+ * See also: tcg_code_capacity()
+ * Do not confuse with tcg_current_code_size(); that one applies to a single
+ * TCG context.
+ */
+size_t tcg_code_size(void)
+{
+    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int i;
+    size_t total;
+
+    qemu_mutex_lock(&region.lock);
+    total = region.agg_size_full;
+    for (i = 0; i < n_ctxs; i++) {
+        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+        size_t size;
+
+        size = qatomic_read(&s->code_gen_ptr) - s->code_gen_buffer;
+        g_assert(size <= s->code_gen_buffer_size);
+        total += size;
+    }
+    qemu_mutex_unlock(&region.lock);
+    return total;
+}
+
+/*
+ * Returns the code capacity (in bytes) of the entire cache, i.e. including all
+ * regions.
+ * See also: tcg_code_size()
+ */
+size_t tcg_code_capacity(void)
+{
+    size_t guard_size, capacity;
+
+    /* no need for synchronization; these variables are set at init time */
+    guard_size = region.stride - region.size;
+    capacity = region.end + guard_size - region.start;
+    capacity -= region.n * (guard_size + TCG_HIGHWATER);
+    return capacity;
+}
+
+size_t tcg_tb_phys_invalidate_count(void)
+{
+    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int i;
+    size_t total = 0;
+
+    for (i = 0; i < n_ctxs; i++) {
+        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
+
+        total += qatomic_read(&s->tb_phys_invalidate_count);
+    }
+    return total;
+}
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@
 
 #include "elf.h"
 #include "exec/log.h"
+#include "tcg-internal.h"
 
 /* Forward declarations for functions declared in tcg-target.c.inc and
    used here. */
@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
 static int tcg_out_ldst_finalize(TCGContext *s);
 #endif
 
-#define TCG_HIGHWATER 1024
-
-static TCGContext **tcg_ctxs;
-static unsigned int n_tcg_ctxs;
+TCGContext **tcg_ctxs;
+unsigned int n_tcg_ctxs;
 TCGv_env cpu_env = 0;
 const void *tcg_code_gen_epilogue;
 uintptr_t tcg_splitwx_diff;
@@ -XXX,XX +XXX,XX @@ uintptr_t tcg_splitwx_diff;
 tcg_prologue_fn *tcg_qemu_tb_exec;
 #endif
 
-struct tcg_region_tree {
-    QemuMutex lock;
-    GTree *tree;
-    /* padding to avoid false sharing is computed at run-time */
-};
-
-/*
- * We divide code_gen_buffer into equally-sized "regions" that TCG threads
- * dynamically allocate from as demand dictates. Given appropriate region
- * sizing, this minimizes flushes even when some TCG threads generate a lot
- * more code than others.
- */
-struct tcg_region_state {
-    QemuMutex lock;
-
-    /* fields set at init time */
-    void *start;
-    void *start_aligned;
-    void *end;
-    size_t n;
-    size_t size; /* size of one region */
-    size_t stride; /* .size + guard size */
-
-    /* fields protected by the lock */
-    size_t current; /* current region index */
-    size_t agg_size_full; /* aggregate size of full regions */
-};
-
-static struct tcg_region_state region;
-/*
- * This is an array of struct tcg_region_tree's, with padding.
- * We use void * to simplify the computation of region_trees[i]; each
- * struct is found every tree_size bytes.
- */
-static void *region_trees;
-static size_t tree_size;
 static TCGRegSet tcg_target_available_regs[TCG_TYPE_COUNT];
 static TCGRegSet tcg_target_call_clobber_regs;
 
@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
 
 #include "tcg-target.c.inc"
 
-/* compare a pointer @ptr and a tb_tc @s */
-static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
-{
-    if (ptr >= s->ptr + s->size) {
-        return 1;
-    } else if (ptr < s->ptr) {
-        return -1;
-    }
-    return 0;
-}
-
-static gint tb_tc_cmp(gconstpointer ap, gconstpointer bp)
-{
-    const struct tb_tc *a = ap;
-    const struct tb_tc *b = bp;
-
-    /*
-     * When both sizes are set, we know this isn't a lookup.
-     * This is the most likely case: every TB must be inserted; lookups
-     * are a lot less frequent.
-     */
-    if (likely(a->size && b->size)) {
-        if (a->ptr > b->ptr) {
-            return 1;
-        } else if (a->ptr < b->ptr) {
-            return -1;
-        }
-        /* a->ptr == b->ptr should happen only on deletions */
-        g_assert(a->size == b->size);
-        return 0;
-    }
-    /*
-     * All lookups have either .size field set to 0.
-     * From the glib sources we see that @ap is always the lookup key. However
-     * the docs provide no guarantee, so we just mark this case as likely.
-     */
-    if (likely(a->size == 0)) {
-        return ptr_cmp_tb_tc(a->ptr, b);
-    }
-    return ptr_cmp_tb_tc(b->ptr, a);
-}
-
-static void tcg_region_trees_init(void)
-{
-    size_t i;
-
-    tree_size = ROUND_UP(sizeof(struct tcg_region_tree), qemu_dcache_linesize);
-    region_trees = qemu_memalign(qemu_dcache_linesize, region.n * tree_size);
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        qemu_mutex_init(&rt->lock);
-        rt->tree = g_tree_new(tb_tc_cmp);
-    }
-}
-
-static struct tcg_region_tree *tc_ptr_to_region_tree(const void *p)
-{
-    size_t region_idx;
-
-    /*
-     * Like tcg_splitwx_to_rw, with no assert.  The pc may come from
-     * a signal handler over which the caller has no control.
-     */
-    if (!in_code_gen_buffer(p)) {
-        p -= tcg_splitwx_diff;
-        if (!in_code_gen_buffer(p)) {
-            return NULL;
-        }
-    }
-
-    if (p < region.start_aligned) {
-        region_idx = 0;
-    } else {
-        ptrdiff_t offset = p - region.start_aligned;
-
-        if (offset > region.stride * (region.n - 1)) {
-            region_idx = region.n - 1;
-        } else {
-            region_idx = offset / region.stride;
-        }
-    }
-    return region_trees + region_idx * tree_size;
-}
-
-void tcg_tb_insert(TranslationBlock *tb)
-{
-    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
-
-    g_assert(rt != NULL);
-    qemu_mutex_lock(&rt->lock);
-    g_tree_insert(rt->tree, &tb->tc, tb);
-    qemu_mutex_unlock(&rt->lock);
-}
-
-void tcg_tb_remove(TranslationBlock *tb)
-{
-    struct tcg_region_tree *rt = tc_ptr_to_region_tree(tb->tc.ptr);
-
-    g_assert(rt != NULL);
-    qemu_mutex_lock(&rt->lock);
-    g_tree_remove(rt->tree, &tb->tc);
-    qemu_mutex_unlock(&rt->lock);
-}
-
-/*
- * Find the TB 'tb' such that
- * tb->tc.ptr <= tc_ptr < tb->tc.ptr + tb->tc.size
- * Return NULL if not found.
- */
-TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
-{
-    struct tcg_region_tree *rt = tc_ptr_to_region_tree((void *)tc_ptr);
-    TranslationBlock *tb;
-    struct tb_tc s = { .ptr = (void *)tc_ptr };
-
-    if (rt == NULL) {
-        return NULL;
-    }
-
-    qemu_mutex_lock(&rt->lock);
-    tb = g_tree_lookup(rt->tree, &s);
-    qemu_mutex_unlock(&rt->lock);
-    return tb;
-}
-
-static void tcg_region_tree_lock_all(void)
-{
-    size_t i;
-
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        qemu_mutex_lock(&rt->lock);
-    }
-}
-
-static void tcg_region_tree_unlock_all(void)
-{
-    size_t i;
-
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        qemu_mutex_unlock(&rt->lock);
-    }
-}
-
-void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
-{
-    size_t i;
-
-    tcg_region_tree_lock_all();
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        g_tree_foreach(rt->tree, func, user_data);
-    }
-    tcg_region_tree_unlock_all();
-}
-
-size_t tcg_nb_tbs(void)
-{
-    size_t nb_tbs = 0;
-    size_t i;
-
-    tcg_region_tree_lock_all();
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        nb_tbs += g_tree_nnodes(rt->tree);
-    }
-    tcg_region_tree_unlock_all();
-    return nb_tbs;
-}
-
-static gboolean tcg_region_tree_traverse(gpointer k, gpointer v, gpointer data)
-{
-    TranslationBlock *tb = v;
-
-    tb_destroy(tb);
-    return FALSE;
-}
-
-static void tcg_region_tree_reset_all(void)
-{
-    size_t i;
-
-    tcg_region_tree_lock_all();
-    for (i = 0; i < region.n; i++) {
-        struct tcg_region_tree *rt = region_trees + i * tree_size;
-
-        g_tree_foreach(rt->tree, tcg_region_tree_traverse, NULL);
-        /* Increment the refcount first so that destroy acts as a reset */
-        g_tree_ref(rt->tree);
-        g_tree_destroy(rt->tree);
-    }
-    tcg_region_tree_unlock_all();
-}
-
-static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
-{
-    void *start, *end;
-
-    start = region.start_aligned + curr_region * region.stride;
-    end = start + region.size;
-
-    if (curr_region == 0) {
-        start = region.start;
-    }
-    if (curr_region == region.n - 1) {
-        end = region.end;
-    }
-
-    *pstart = start;
-    *pend = end;
-}
-
-static void tcg_region_assign(TCGContext *s, size_t curr_region)
-{
-    void *start, *end;
-
-    tcg_region_bounds(curr_region, &start, &end);
-
-    s->code_gen_buffer = start;
-    s->code_gen_ptr = start;
-    s->code_gen_buffer_size = end - start;
-    s->code_gen_highwater = end - TCG_HIGHWATER;
-}
-
-static bool tcg_region_alloc__locked(TCGContext *s)
-{
-    if (region.current == region.n) {
-        return true;
-    }
-    tcg_region_assign(s, region.current);
-    region.current++;
-    return false;
-}
-
-/*
- * Request a new region once the one in use has filled up.
- * Returns true on error.
- */
-static bool tcg_region_alloc(TCGContext *s)
-{
-    bool err;
-    /* read the region size now; alloc__locked will overwrite it on success */
-    size_t size_full = s->code_gen_buffer_size;
-
-    qemu_mutex_lock(&region.lock);
-    err = tcg_region_alloc__locked(s);
-    if (!err) {
-        region.agg_size_full += size_full - TCG_HIGHWATER;
-    }
-    qemu_mutex_unlock(&region.lock);
-    return err;
-}
-
-/*
- * Perform a context's first region allocation.
- * This function does _not_ increment region.agg_size_full.
- */
-static void tcg_region_initial_alloc__locked(TCGContext *s)
-{
-    bool err = tcg_region_alloc__locked(s);
-    g_assert(!err);
-}
-
-#ifndef CONFIG_USER_ONLY
-static void tcg_region_initial_alloc(TCGContext *s)
-{
-    qemu_mutex_lock(&region.lock);
-    tcg_region_initial_alloc__locked(s);
-    qemu_mutex_unlock(&region.lock);
-}
-#endif
-
-/* Call from a safe-work context */
-void tcg_region_reset_all(void)
-{
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
-    unsigned int i;
-
-    qemu_mutex_lock(&region.lock);
-    region.current = 0;
-    region.agg_size_full = 0;
-
-    for (i = 0; i < n_ctxs; i++) {
-        TCGContext *s = qatomic_read(&tcg_ctxs[i]);
-        tcg_region_initial_alloc__locked(s);
-    }
-    qemu_mutex_unlock(&region.lock);
-
-    tcg_region_tree_reset_all();
-}
-
-#ifdef CONFIG_USER_ONLY
-static size_t tcg_n_regions(void)
-{
-    return 1;
-}
-#else
-/*
- * It is likely that some vCPUs will translate more code than others, so we
- * first try to set more regions than max_cpus, with those regions being of
- * reasonable size. If that's not possible we make do by evenly dividing
- * the code_gen_buffer among the vCPUs.
- */
-static size_t tcg_n_regions(void)
-{
-    size_t i;
-
-    /* Use a single region if all we have is one vCPU thread */
-#if !defined(CONFIG_USER_ONLY)
-    MachineState *ms = MACHINE(qdev_get_machine());
-    unsigned int max_cpus = ms->smp.max_cpus;
-#endif
-    if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
-        return 1;
-    }
-
-    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
-    for (i = 8; i > 0; i--) {
-        size_t regions_per_thread = i;
-        size_t region_size;
-
-        region_size = tcg_init_ctx.code_gen_buffer_size;
-        region_size /= max_cpus * regions_per_thread;
-
-        if (region_size >= 2 * 1024u * 1024) {
-            return max_cpus * regions_per_thread;
-        }
-    }
-    /* If we can't, then just allocate one region per vCPU thread */
-    return max_cpus;
-}
-#endif
-
-/*
- * Initializes region partitioning.
- *
- * Called at init time from the parent thread (i.e. the one calling
- * tcg_context_init), after the target's TCG globals have been set.
- *
- * Region partitioning works by splitting code_gen_buffer into separate regions,
- * and then assigning regions to TCG threads so that the threads can translate
- * code in parallel without synchronization.
- *
- * In softmmu the number of TCG threads is bounded by max_cpus, so we use at
- * least max_cpus regions in MTTCG. In !MTTCG we use a single region.
- * Note that the TCG options from the command-line (i.e. -accel accel=tcg,[...])
- * must have been parsed before calling this function, since it calls
- * qemu_tcg_mttcg_enabled().
- *
- * In user-mode we use a single region.  Having multiple regions in user-mode
- * is not supported, because the number of vCPU threads (recall that each thread
- * spawned by the guest corresponds to a vCPU thread) is only bounded by the
- * OS, and usually this number is huge (tens of thousands is not uncommon).
- * Thus, given this large bound on the number of vCPU threads and the fact
- * that code_gen_buffer is allocated at compile-time, we cannot guarantee
- * that the availability of at least one region per vCPU thread.
- *
- * However, this user-mode limitation is unlikely to be a significant problem
- * in practice. Multi-threaded guests share most if not all of their translated
- * code, which makes parallel code generation less appealing than in softmmu.
- */
-void tcg_region_init(void)
-{
-    void *buf = tcg_init_ctx.code_gen_buffer;
-    void *aligned;
-    size_t size = tcg_init_ctx.code_gen_buffer_size;
-    size_t page_size = qemu_real_host_page_size;
-    size_t region_size;
-    size_t n_regions;
-    size_t i;
-
-    n_regions = tcg_n_regions();
-
-    /* The first region will be 'aligned - buf' bytes larger than the others */
-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
-    /*
-     * Make region_size a multiple of page_size, using aligned as the start.
-     * As a result of this we might end up with a few extra pages at the end of
-     * the buffer; we will assign those to the last region.
-     */
-    region_size = (size - (aligned - buf)) / n_regions;
-    region_size = QEMU_ALIGN_DOWN(region_size, page_size);
-
-    /* A region must have at least 2 pages; one code, one guard */
-    g_assert(region_size >= 2 * page_size);
-
-    /* init the region struct */
-    qemu_mutex_init(&region.lock);
-    region.n = n_regions;
-    region.size = region_size - page_size;
-    region.stride = region_size;
-    region.start = buf;
-    region.start_aligned = aligned;
-    /* page-align the end, since its last page will be a guard page */
-    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
-    /* account for that last guard page */
-    region.end -= page_size;
-
-    /*
-     * Set guard pages in the rw buffer, as that's the one into which
-     * buffer overruns could occur.  Do not set guard pages in the rx
-     * buffer -- let that one use hugepages throughout.
-     */
-    for (i = 0; i < region.n; i++) {
-        void *start, *end;
-
-        tcg_region_bounds(i, &start, &end);
-
-        /*
-         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
-         * rejects a permission change from RWX -> NONE.  Guard pages are
-         * nice for bug detection but are not essential; ignore any failure.
-         */
-        (void)qemu_mprotect_none(end, page_size);
-    }
-
-    tcg_region_trees_init();
-
-    /*
-     * Leave the initial context initialized to the first region.
-     * This will be the context into which we generate the prologue.
-     * It is also the only context for CONFIG_USER_ONLY.
-     */
-    tcg_region_initial_alloc__locked(&tcg_init_ctx);
-}
-
-static void tcg_region_prologue_set(TCGContext *s)
-{
-    /* Deduct the prologue from the first region.  */
-    g_assert(region.start == s->code_gen_buffer);
-    region.start = s->code_ptr;
-
-    /* Recompute boundaries of the first region. */
-    tcg_region_assign(s, 0);
-
-    /* Register the balance of the buffer with gdb. */
-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
-                     region.end - region.start);
-}
-
 #ifdef CONFIG_DEBUG_TCG
 const void *tcg_splitwx_to_rx(void *rw)
 {
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
 }
 #endif /* !CONFIG_USER_ONLY */
 
-/*
- * Returns the size (in bytes) of all translated code (i.e. from all regions)
- * currently in the cache.
- * See also: tcg_code_capacity()
- * Do not confuse with tcg_current_code_size(); that one applies to a single
- * TCG context.
- */
-size_t tcg_code_size(void)
-{
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
-    unsigned int i;
-    size_t total;
-
-    qemu_mutex_lock(&region.lock);
-    total = region.agg_size_full;
-    for (i = 0; i < n_ctxs; i++) {
-        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
-        size_t size;
-
-        size = qatomic_read(&s->code_gen_ptr) - s->code_gen_buffer;
-        g_assert(size <= s->code_gen_buffer_size);
-        total += size;
-    }
-    qemu_mutex_unlock(&region.lock);
-    return total;
-}
-
-/*
- * Returns the code capacity (in bytes) of the entire cache, i.e. including all
- * regions.
- * See also: tcg_code_size()
- */
-size_t tcg_code_capacity(void)
-{
-    size_t guard_size, capacity;
-
-    /* no need for synchronization; these variables are set at init time */
-    guard_size = region.stride - region.size;
-    capacity = region.end + guard_size - region.start;
-    capacity -= region.n * (guard_size + TCG_HIGHWATER);
-    return capacity;
-}
-
-size_t tcg_tb_phys_invalidate_count(void)
-{
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
-    unsigned int i;
-    size_t total = 0;
-
-    for (i = 0; i < n_ctxs; i++) {
-        const TCGContext *s = qatomic_read(&tcg_ctxs[i]);
-
-        total += qatomic_read(&s->tb_phys_invalidate_count);
-    }
-    return total;
-}
-
 /* pool based memory allocation */
 void *tcg_malloc_internal(TCGContext *s, int size)
 {
diff --git a/tcg/meson.build b/tcg/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tcg/meson.build
+++ b/tcg/meson.build
@@ -XXX,XX +XXX,XX @@ tcg_ss = ss.source_set()
 
 tcg_ss.add(files(
   'optimize.c',
+  'region.c',
   'tcg.c',
   'tcg-common.c',
   'tcg-op.c',
-- 
2.25.1

It consists of one function call and has only one caller.

diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static void page_table_config_init(void)
     assert(v_l2_levels >= 0);
 }
 
-static void cpu_gen_init(void)
-{
-    tcg_context_init(&tcg_init_ctx);
-}
-
 /* Encode VAL as a signed leb128 sequence at P.
    Return P incremented past the encoded value.  */
 static uint8_t *encode_sleb128(uint8_t *p, target_long val)
@@ -XXX,XX +XXX,XX @@ void tcg_exec_init(unsigned long tb_size, int splitwx)
     bool ok;
 
     tcg_allowed = true;
-    cpu_gen_init();
+    tcg_context_init(&tcg_init_ctx);
     page_init();
     tb_htable_init();
 
-- 
2.25.1

Buffer management is integral to tcg.  Do not leave the allocation
to code outside of tcg/.  This is code movement, with further
cleanups to follow.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h         |   2 +-
 accel/tcg/translate-all.c | 414 +-----------------------------------
 tcg/region.c              | 431 +++++++++++++++++++++++++++++++++++++-
 3 files changed, 428 insertions(+), 419 deletions(-)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ void *tcg_malloc_internal(TCGContext *s, int size);
 void tcg_pool_reset(TCGContext *s);
 TranslationBlock *tcg_tb_alloc(TCGContext *s);
 
-void tcg_region_init(void);
+void tcg_region_init(size_t tb_size, int splitwx);
 void tb_destroy(TranslationBlock *tb);
 void tcg_region_reset_all(void);
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
-#include "qemu/units.h"
 #include "qemu-common.h"
 
 #define NO_CPU_IO_DEFS
@@ -XXX,XX +XXX,XX @@
 #include "exec/cputlb.h"
 #include "exec/translate-all.h"
 #include "qemu/bitmap.h"
-#include "qemu/error-report.h"
 #include "qemu/qemu-print.h"
 #include "qemu/timer.h"
 #include "qemu/main-loop.h"
@@ -XXX,XX +XXX,XX @@ static void page_lock_pair(PageDesc **ret_p1, tb_page_addr_t phys1,
     }
 }
 
-/* Minimum size of the code gen buffer.  This number is randomly chosen,
-   but not so small that we can't have a fair number of TB's live.  */
-#define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
-
-/* Maximum size of the code gen buffer we'd like to use.  Unless otherwise
-   indicated, this is constrained by the range of direct branches on the
-   host cpu, as used by the TCG implementation of goto_tb.  */
-#if defined(__x86_64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__sparc__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__powerpc64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__powerpc__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
-#elif defined(__aarch64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__s390x__)
-  /* We have a +- 4GB range on the branches; leave some slop.  */
-# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
-#elif defined(__mips__)
-  /* We have a 256MB branch region, but leave room to make sure the
-     main executable is also within that region.  */
-# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
-#else
-# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
-#endif
-
-#if TCG_TARGET_REG_BITS == 32
-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
-#ifdef CONFIG_USER_ONLY
-/*
- * For user mode on smaller 32 bit systems we may run into trouble
- * allocating big chunks of data in the right place. On these systems
- * we utilise a static code generation buffer directly in the binary.
- */
-#define USE_STATIC_CODE_GEN_BUFFER
-#endif
-#else /* TCG_TARGET_REG_BITS == 64 */
-#ifdef CONFIG_USER_ONLY
-/*
- * As user-mode emulation typically means running multiple instances
- * of the translator don't go too nuts with our default code gen
- * buffer lest we make things too hard for the OS.
- */
-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (128 * MiB)
-#else
-/*
- * We expect most system emulation to run one or two guests per host.
- * Users running large scale system emulation may want to tweak their
- * runtime setup via the tb-size control on the command line.
- */
-#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (1 * GiB)
-#endif
-#endif
-
-#define DEFAULT_CODE_GEN_BUFFER_SIZE \
-  (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
-   ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
-
-static size_t size_code_gen_buffer(size_t tb_size)
-{
-    /* Size the buffer.  */
-    if (tb_size == 0) {
-        size_t phys_mem = qemu_get_host_physmem();
-        if (phys_mem == 0) {
-            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
-        } else {
-            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
-        }
-    }
-    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
-        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
-    }
-    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
-        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
-    }
-    return tb_size;
-}
-
-#ifdef __mips__
-/* In order to use J and JAL within the code_gen_buffer, we require
-   that the buffer not cross a 256MB boundary.  */
-static inline bool cross_256mb(void *addr, size_t size)
-{
-    return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
-}
-
-/* We weren't able to allocate a buffer without crossing that boundary,
-   so make do with the larger portion of the buffer that doesn't cross.
-   Returns the new base of the buffer, and adjusts code_gen_buffer_size.  */
-static inline void *split_cross_256mb(void *buf1, size_t size1)
-{
-    void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
-    size_t size2 = buf1 + size1 - buf2;
-
-    size1 = buf2 - buf1;
-    if (size1 < size2) {
-        size1 = size2;
-        buf1 = buf2;
-    }
-
-    tcg_ctx->code_gen_buffer_size = size1;
-    return buf1;
-}
-#endif
-
-#ifdef USE_STATIC_CODE_GEN_BUFFER
-static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
-    __attribute__((aligned(CODE_GEN_ALIGN)));
-
-static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
-{
-    void *buf, *end;
-    size_t size;
-
-    if (splitwx > 0) {
-        error_setg(errp, "jit split-wx not supported");
-        return false;
-    }
-
-    /* page-align the beginning and end of the buffer */
-    buf = static_code_gen_buffer;
-    end = static_code_gen_buffer + sizeof(static_code_gen_buffer);
-    buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size);
-    end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size);
-
-    size = end - buf;
-
-    /* Honor a command-line option limiting the size of the buffer.  */
-    if (size > tb_size) {
-        size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
-    }
-    tcg_ctx->code_gen_buffer_size = size;
-
-#ifdef __mips__
-    if (cross_256mb(buf, size)) {
-        buf = split_cross_256mb(buf, size);
-        size = tcg_ctx->code_gen_buffer_size;
-    }
-#endif
-
-    if (qemu_mprotect_rwx(buf, size)) {
-        error_setg_errno(errp, errno, "mprotect of jit buffer");
-        return false;
-    }
-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
-
-    tcg_ctx->code_gen_buffer = buf;
-    return true;
-}
-#elif defined(_WIN32)
-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
-{
-    void *buf;
-
-    if (splitwx > 0) {
-        error_setg(errp, "jit split-wx not supported");
-        return false;
-    }
-
-    buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
-                             PAGE_EXECUTE_READWRITE);
-    if (buf == NULL) {
-        error_setg_win32(errp, GetLastError(),
-                         "allocate %zu bytes for jit buffer", size);
-        return false;
-    }
-
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
-    return true;
-}
-#else
-static bool alloc_code_gen_buffer_anon(size_t size, int prot,
-                                       int flags, Error **errp)
-{
-    void *buf;
-
-    buf = mmap(NULL, size, prot, flags, -1, 0);
-    if (buf == MAP_FAILED) {
-        error_setg_errno(errp, errno,
-                         "allocate %zu bytes for jit buffer", size);
-        return false;
-    }
-    tcg_ctx->code_gen_buffer_size = size;
-
-#ifdef __mips__
-    if (cross_256mb(buf, size)) {
-        /*
-         * Try again, with the original still mapped, to avoid re-acquiring
-         * the same 256mb crossing.
-         */
-        size_t size2;
-        void *buf2 = mmap(NULL, size, prot, flags, -1, 0);
-        switch ((int)(buf2 != MAP_FAILED)) {
-        case 1:
-            if (!cross_256mb(buf2, size)) {
-                /* Success!  Use the new buffer.  */
-                munmap(buf, size);
-                break;
-            }
-            /* Failure.  Work with what we had.  */
-            munmap(buf2, size);
-            /* fallthru */
-        default:
-            /* Split the original buffer.  Free the smaller half.  */
-            buf2 = split_cross_256mb(buf, size);
-            size2 = tcg_ctx->code_gen_buffer_size;
-            if (buf == buf2) {
-                munmap(buf + size2, size - size2);
-            } else {
-                munmap(buf, size - size2);
-            }
-            size = size2;
-            break;
-        }
-        buf = buf2;
-    }
-#endif
-
-    /* Request large pages for the buffer.  */
-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
-
-    tcg_ctx->code_gen_buffer = buf;
-    return true;
-}
-
-#ifndef CONFIG_TCG_INTERPRETER
-#ifdef CONFIG_POSIX
-#include "qemu/memfd.h"
-
-static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
-{
-    void *buf_rw = NULL, *buf_rx = MAP_FAILED;
-    int fd = -1;
-
-#ifdef __mips__
-    /* Find space for the RX mapping, vs the 256MiB regions. */
-    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
-                                    MAP_PRIVATE | MAP_ANONYMOUS |
-                                    MAP_NORESERVE, errp)) {
-        return false;
-    }
-    /* The size of the mapping may have been adjusted. */
-    size = tcg_ctx->code_gen_buffer_size;
-    buf_rx = tcg_ctx->code_gen_buffer;
-#endif
-
-    buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
-    if (buf_rw == NULL) {
-        goto fail;
-    }
-
-#ifdef __mips__
-    void *tmp = mmap(buf_rx, size, PROT_READ | PROT_EXEC,
-                     MAP_SHARED | MAP_FIXED, fd, 0);
-    if (tmp != buf_rx) {
-        goto fail_rx;
-    }
-#else
-    buf_rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
-    if (buf_rx == MAP_FAILED) {
-        goto fail_rx;
-    }
-#endif
-
-    close(fd);
-    tcg_ctx->code_gen_buffer = buf_rw;
-    tcg_ctx->code_gen_buffer_size = size;
-    tcg_splitwx_diff = buf_rx - buf_rw;
-
-    /* Request large pages for the buffer and the splitwx.  */
-    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
-    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
-    return true;
-
- fail_rx:
-    error_setg_errno(errp, errno, "failed to map shared memory for execute");
- fail:
-    if (buf_rx != MAP_FAILED) {
-        munmap(buf_rx, size);
-    }
-    if (buf_rw) {
-        munmap(buf_rw, size);
-    }
-    if (fd >= 0) {
-        close(fd);
-    }
-    return false;
-}
-#endif /* CONFIG_POSIX */
-
-#ifdef CONFIG_DARWIN
-#include <mach/mach.h>
-
-extern kern_return_t mach_vm_remap(vm_map_t target_task,
-                                   mach_vm_address_t *target_address,
-                                   mach_vm_size_t size,
-                                   mach_vm_offset_t mask,
-                                   int flags,
-                                   vm_map_t src_task,
-                                   mach_vm_address_t src_address,
-                                   boolean_t copy,
-                                   vm_prot_t *cur_protection,
-                                   vm_prot_t *max_protection,
-                                   vm_inherit_t inheritance);
-
-static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
-{
-    kern_return_t ret;
-    mach_vm_address_t buf_rw, buf_rx;
-    vm_prot_t cur_prot, max_prot;
-
-    /* Map the read-write portion via normal anon memory. */
-    if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
-                                    MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
-        return false;
-    }
-
-    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
-    buf_rx = 0;
-    ret = mach_vm_remap(mach_task_self(),
-                        &buf_rx,
-                        size,
-                        0,
-                        VM_FLAGS_ANYWHERE,
-                        mach_task_self(),
-                        buf_rw,
-                        false,
-                        &cur_prot,
-                        &max_prot,
-                        VM_INHERIT_NONE);
-    if (ret != KERN_SUCCESS) {
-        /* TODO: Convert "ret" to a human readable error message. */
-        error_setg(errp, "vm_remap for jit splitwx failed");
-        munmap((void *)buf_rw, size);
-        return false;
-    }
-
-    if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
-        error_setg_errno(errp, errno, "mprotect for jit splitwx");
-        munmap((void *)buf_rx, size);
-        munmap((void *)buf_rw, size);
-        return false;
-    }
-
-    tcg_splitwx_diff = buf_rx - buf_rw;
-    return true;
-}
-#endif /* CONFIG_DARWIN */
-#endif /* CONFIG_TCG_INTERPRETER */
-
-static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
-{
-#ifndef CONFIG_TCG_INTERPRETER
-# ifdef CONFIG_DARWIN
-    return alloc_code_gen_buffer_splitwx_vmremap(size, errp);
-# endif
-# ifdef CONFIG_POSIX
-    return alloc_code_gen_buffer_splitwx_memfd(size, errp);
-# endif
-#endif
-    error_setg(errp, "jit split-wx not supported");
-    return false;
-}
-
-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
-{
-    ERRP_GUARD();
-    int prot, flags;
-
-    if (splitwx) {
-        if (alloc_code_gen_buffer_splitwx(size, errp)) {
-            return true;
-        }
-        /*
-         * If splitwx force-on (1), fail;
-         * if splitwx default-on (-1), fall through to splitwx off.
-         */
-        if (splitwx > 0) {
-            return false;
-        }
-        error_free_or_abort(errp);
-    }
-
-    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
-    flags = MAP_PRIVATE | MAP_ANONYMOUS;
-#ifdef CONFIG_TCG_INTERPRETER
-    /* The tcg interpreter does not need execute permission. */
-    prot = PROT_READ | PROT_WRITE;
-#elif defined(CONFIG_DARWIN)
-    /* Applicable to both iOS and macOS (Apple Silicon). */
-    if (!splitwx) {
-        flags |= MAP_JIT;
-    }
-#endif
-
-    return alloc_code_gen_buffer_anon(size, prot, flags, errp);
-}
-#endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
-
 static bool tb_cmp(const void *ap, const void *bp)
 {
     const TranslationBlock *a = ap;
@@ -XXX,XX +XXX,XX @@ static void tb_htable_init(void)
    size. */
 void tcg_exec_init(unsigned long tb_size, int splitwx)
 {
-    bool ok;
-
     tcg_allowed = true;
     tcg_context_init(&tcg_init_ctx);
     page_init();
     tb_htable_init();
-
-    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
-                               splitwx, &error_fatal);
-    assert(ok);
-
-    /* TODO: allocating regions is hand-in-glove with code_gen_buffer. */
-    tcg_region_init();
+    tcg_region_init(tb_size, splitwx);
 
 #if defined(CONFIG_SOFTMMU)
     /* There's no guest base to take into account, so go ahead and
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/units.h"
+#include "qapi/error.h"
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
 #if !defined(CONFIG_USER_ONLY)
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
 }
 #endif
 
+/*
+ * Minimum size of the code gen buffer.  This number is randomly chosen,
+ * but not so small that we can't have a fair number of TB's live.
+ */
+#define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
+
+/*
+ * Maximum size of the code gen buffer we'd like to use.  Unless otherwise
+ * indicated, this is constrained by the range of direct branches on the
+ * host cpu, as used by the TCG implementation of goto_tb.
+ */
+#if defined(__x86_64__)
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+#elif defined(__sparc__)
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+#elif defined(__powerpc64__)
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+#elif defined(__powerpc__)
+# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
+#elif defined(__aarch64__)
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
+#elif defined(__s390x__)
+  /* We have a +- 4GB range on the branches; leave some slop.  */
+# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
+#elif defined(__mips__)
+  /*
+   * We have a 256MB branch region, but leave room to make sure the
+   * main executable is also within that region.
+   */
+# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
+#else
+# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
+#endif
+
+#if TCG_TARGET_REG_BITS == 32
+#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
+#ifdef CONFIG_USER_ONLY
+/*
+ * For user mode on smaller 32 bit systems we may run into trouble
+ * allocating big chunks of data in the right place. On these systems
+ * we utilise a static code generation buffer directly in the binary.
+ */
+#define USE_STATIC_CODE_GEN_BUFFER
+#endif
+#else /* TCG_TARGET_REG_BITS == 64 */
+#ifdef CONFIG_USER_ONLY
+/*
+ * As user-mode emulation typically means running multiple instances
+ * of the translator don't go too nuts with our default code gen
+ * buffer lest we make things too hard for the OS.
+ */
+#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (128 * MiB)
+#else
+/*
+ * We expect most system emulation to run one or two guests per host.
+ * Users running large scale system emulation may want to tweak their
+ * runtime setup via the tb-size control on the command line.
+ */
+#define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (1 * GiB)
+#endif
+#endif
+
+#define DEFAULT_CODE_GEN_BUFFER_SIZE \
+  (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
+   ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
+
+static size_t size_code_gen_buffer(size_t tb_size)
+{
+    /* Size the buffer.  */
+    if (tb_size == 0) {
+        size_t phys_mem = qemu_get_host_physmem();
+        if (phys_mem == 0) {
+            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
+        } else {
+            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
+        }
+    }
+    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
+        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
+    }
+    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
+        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
+    }
+    return tb_size;
+}
+
+#ifdef __mips__
+/*
+ * In order to use J and JAL within the code_gen_buffer, we require
+ * that the buffer not cross a 256MB boundary.
+ */
+static inline bool cross_256mb(void *addr, size_t size)
+{
+    return ((uintptr_t)addr ^ ((uintptr_t)addr + size)) & ~0x0ffffffful;
+}
+
+/*
+ * We weren't able to allocate a buffer without crossing that boundary,
+ * so make do with the larger portion of the buffer that doesn't cross.
+ * Returns the new base of the buffer, and adjusts code_gen_buffer_size.
+ */
+static inline void *split_cross_256mb(void *buf1, size_t size1)
+{
+    void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
+    size_t size2 = buf1 + size1 - buf2;
+
+    size1 = buf2 - buf1;
+    if (size1 < size2) {
+        size1 = size2;
+        buf1 = buf2;
+    }
+
+    tcg_ctx->code_gen_buffer_size = size1;
+    return buf1;
+}
+#endif
+
+#ifdef USE_STATIC_CODE_GEN_BUFFER
+static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
+    __attribute__((aligned(CODE_GEN_ALIGN)));
+
+static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+{
+    void *buf, *end;
+    size_t size;
+
+    if (splitwx > 0) {
+        error_setg(errp, "jit split-wx not supported");
+        return false;
+    }
+
+    /* page-align the beginning and end of the buffer */
+    buf = static_code_gen_buffer;
+    end = static_code_gen_buffer + sizeof(static_code_gen_buffer);
+    buf = QEMU_ALIGN_PTR_UP(buf, qemu_real_host_page_size);
+    end = QEMU_ALIGN_PTR_DOWN(end, qemu_real_host_page_size);
+
+    size = end - buf;
+
+    /* Honor a command-line option limiting the size of the buffer.  */
+    if (size > tb_size) {
+        size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
+    }
+    tcg_ctx->code_gen_buffer_size = size;
+
+#ifdef __mips__
+    if (cross_256mb(buf, size)) {
+        buf = split_cross_256mb(buf, size);
+        size = tcg_ctx->code_gen_buffer_size;
+    }
+#endif
+
+    if (qemu_mprotect_rwx(buf, size)) {
+        error_setg_errno(errp, errno, "mprotect of jit buffer");
+        return false;
+    }
+    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+
+    tcg_ctx->code_gen_buffer = buf;
+    return true;
+}
+#elif defined(_WIN32)
+static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+{
+    void *buf;
+
+    if (splitwx > 0) {
+        error_setg(errp, "jit split-wx not supported");
+        return false;
+    }
+
+    buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
+                             PAGE_EXECUTE_READWRITE);
+    if (buf == NULL) {
+        error_setg_win32(errp, GetLastError(),
+                         "allocate %zu bytes for jit buffer", size);
+        return false;
+    }
+
+    tcg_ctx->code_gen_buffer = buf;
+    tcg_ctx->code_gen_buffer_size = size;
+    return true;
+}
+#else
+static bool alloc_code_gen_buffer_anon(size_t size, int prot,
+                                       int flags, Error **errp)
+{
+    void *buf;
+
+    buf = mmap(NULL, size, prot, flags, -1, 0);
+    if (buf == MAP_FAILED) {
+        error_setg_errno(errp, errno,
+                         "allocate %zu bytes for jit buffer", size);
+        return false;
+    }
+    tcg_ctx->code_gen_buffer_size = size;
+
+#ifdef __mips__
+    if (cross_256mb(buf, size)) {
+        /*
+         * Try again, with the original still mapped, to avoid re-acquiring
+         * the same 256mb crossing.
+         */
+        size_t size2;
+        void *buf2 = mmap(NULL, size, prot, flags, -1, 0);
+        switch ((int)(buf2 != MAP_FAILED)) {
+        case 1:
+            if (!cross_256mb(buf2, size)) {
+                /* Success!  Use the new buffer.  */
+                munmap(buf, size);
+                break;
+            }
+            /* Failure.  Work with what we had.  */
+            munmap(buf2, size);
+            /* fallthru */
+        default:
+            /* Split the original buffer.  Free the smaller half.  */
+            buf2 = split_cross_256mb(buf, size);
+            size2 = tcg_ctx->code_gen_buffer_size;
+            if (buf == buf2) {
+                munmap(buf + size2, size - size2);
+            } else {
+                munmap(buf, size - size2);
+            }
+            size = size2;
+            break;
+        }
+        buf = buf2;
+    }
+#endif
+
+    /* Request large pages for the buffer.  */
+    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
+
+    tcg_ctx->code_gen_buffer = buf;
+    return true;
+}
+
+#ifndef CONFIG_TCG_INTERPRETER
+#ifdef CONFIG_POSIX
+#include "qemu/memfd.h"
+
+static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
+{
+    void *buf_rw = NULL, *buf_rx = MAP_FAILED;
+    int fd = -1;
+
+#ifdef __mips__
+    /* Find space for the RX mapping, vs the 256MiB regions. */
+    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
+                                    MAP_PRIVATE | MAP_ANONYMOUS |
+                                    MAP_NORESERVE, errp)) {
+        return false;
+    }
+    /* The size of the mapping may have been adjusted. */
+    size = tcg_ctx->code_gen_buffer_size;
+    buf_rx = tcg_ctx->code_gen_buffer;
+#endif
+
+    buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
+    if (buf_rw == NULL) {
+        goto fail;
+    }
+
+#ifdef __mips__
+    void *tmp = mmap(buf_rx, size, PROT_READ | PROT_EXEC,
+                     MAP_SHARED | MAP_FIXED, fd, 0);
+    if (tmp != buf_rx) {
+        goto fail_rx;
+    }
+#else
+    buf_rx = mmap(NULL, size, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
+    if (buf_rx == MAP_FAILED) {
+        goto fail_rx;
+    }
+#endif
+
+    close(fd);
+    tcg_ctx->code_gen_buffer = buf_rw;
+    tcg_ctx->code_gen_buffer_size = size;
+    tcg_splitwx_diff = buf_rx - buf_rw;
+
+    /* Request large pages for the buffer and the splitwx.  */
+    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
+    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
+    return true;
+
+ fail_rx:
+    error_setg_errno(errp, errno, "failed to map shared memory for execute");
+ fail:
+    if (buf_rx != MAP_FAILED) {
+        munmap(buf_rx, size);
+    }
+    if (buf_rw) {
+        munmap(buf_rw, size);
+    }
+    if (fd >= 0) {
+        close(fd);
+    }
+    return false;
+}
+#endif /* CONFIG_POSIX */
+
+#ifdef CONFIG_DARWIN
+#include <mach/mach.h>
+
+extern kern_return_t mach_vm_remap(vm_map_t target_task,
+                                   mach_vm_address_t *target_address,
+                                   mach_vm_size_t size,
+                                   mach_vm_offset_t mask,
+                                   int flags,
+                                   vm_map_t src_task,
+                                   mach_vm_address_t src_address,
+                                   boolean_t copy,
+                                   vm_prot_t *cur_protection,
+                                   vm_prot_t *max_protection,
+                                   vm_inherit_t inheritance);
+
+static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
+{
+    kern_return_t ret;
+    mach_vm_address_t buf_rw, buf_rx;
+    vm_prot_t cur_prot, max_prot;
+
+    /* Map the read-write portion via normal anon memory. */
+    if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
+                                    MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
+        return false;
+    }
+
+    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
+    buf_rx = 0;
+    ret = mach_vm_remap(mach_task_self(),
+                        &buf_rx,
+                        size,
+                        0,
+                        VM_FLAGS_ANYWHERE,
+                        mach_task_self(),
+                        buf_rw,
+                        false,
+                        &cur_prot,
+                        &max_prot,
+                        VM_INHERIT_NONE);
+    if (ret != KERN_SUCCESS) {
+        /* TODO: Convert "ret" to a human readable error message. */
+        error_setg(errp, "vm_remap for jit splitwx failed");
+        munmap((void *)buf_rw, size);
+        return false;
+    }
+
+    if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
+        error_setg_errno(errp, errno, "mprotect for jit splitwx");
+        munmap((void *)buf_rx, size);
+        munmap((void *)buf_rw, size);
+        return false;
+    }
+
+    tcg_splitwx_diff = buf_rx - buf_rw;
+    return true;
+}
+#endif /* CONFIG_DARWIN */
+#endif /* CONFIG_TCG_INTERPRETER */
+
+static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
+{
+#ifndef CONFIG_TCG_INTERPRETER
+# ifdef CONFIG_DARWIN
+    return alloc_code_gen_buffer_splitwx_vmremap(size, errp);
+# endif
+# ifdef CONFIG_POSIX
+    return alloc_code_gen_buffer_splitwx_memfd(size, errp);
+# endif
+#endif
+    error_setg(errp, "jit split-wx not supported");
+    return false;
+}
+
+static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+{
+    ERRP_GUARD();
+    int prot, flags;
+
+    if (splitwx) {
+        if (alloc_code_gen_buffer_splitwx(size, errp)) {
+            return true;
+        }
+        /*
+         * If splitwx force-on (1), fail;
+         * if splitwx default-on (-1), fall through to splitwx off.
+         */
+        if (splitwx > 0) {
+            return false;
+        }
+        error_free_or_abort(errp);
+    }
+
+    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
+    flags = MAP_PRIVATE | MAP_ANONYMOUS;
+#ifdef CONFIG_TCG_INTERPRETER
+    /* The tcg interpreter does not need execute permission. */
+    prot = PROT_READ | PROT_WRITE;
+#elif defined(CONFIG_DARWIN)
+    /* Applicable to both iOS and macOS (Apple Silicon). */
+    if (!splitwx) {
+        flags |= MAP_JIT;
+    }
+#endif
+
+    return alloc_code_gen_buffer_anon(size, prot, flags, errp);
+}
+#endif /* USE_STATIC_CODE_GEN_BUFFER, WIN32, POSIX */
+
 /*
  * Initializes region partitioning.
  *
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
  * in practice. Multi-threaded guests share most if not all of their translated
  * code, which makes parallel code generation less appealing than in softmmu.
  */
-void tcg_region_init(void)
+void tcg_region_init(size_t tb_size, int splitwx)
 {
-    void *buf = tcg_init_ctx.code_gen_buffer;
-    void *aligned;
-    size_t size = tcg_init_ctx.code_gen_buffer_size;
-    size_t page_size = qemu_real_host_page_size;
+    void *buf, *aligned;
+    size_t size;
+    size_t page_size;
     size_t region_size;
     size_t n_regions;
     size_t i;
+    bool ok;
 
+    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
+                               splitwx, &error_fatal);
+    assert(ok);
+
+    buf = tcg_init_ctx.code_gen_buffer;
+    size = tcg_init_ctx.code_gen_buffer_size;
+    page_size = qemu_real_host_page_size;
     n_regions = tcg_n_regions();
 
     /* The first region will be 'aligned - buf' bytes larger than the others */
-- 
2.25.1

We shortly want to use tcg_init for something else.
Since the hook is called init_machine, match that.

diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@ static void tcg_accel_instance_init(Object *obj)
 
 bool mttcg_enabled;
 
-static int tcg_init(MachineState *ms)
+static int tcg_init_machine(MachineState *ms)
 {
     TCGState *s = TCG_STATE(current_accel());
 
@@ -XXX,XX +XXX,XX @@ static void tcg_accel_class_init(ObjectClass *oc, void *data)
 {
     AccelClass *ac = ACCEL_CLASS(oc);
     ac->name = "tcg";
-    ac->init_machine = tcg_init;
+    ac->init_machine = tcg_init_machine;
     ac->allowed = &tcg_allowed;
 
     object_class_property_add_str(oc, "thread",
-- 
2.25.1

Perform both tcg_context_init and tcg_region_init.
Do not leave this split to the caller.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h         | 3 +--
 tcg/tcg-internal.h        | 1 +
 accel/tcg/translate-all.c | 3 +--
 tcg/tcg.c                 | 9 ++++++++-
 4 files changed, 11 insertions(+), 5 deletions(-)

There is only one caller, and shortly we will need access
to the MachineState, which tcg_init_machine already has.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/internal.h      |  2 ++
 include/sysemu/tcg.h      |  2 --
 accel/tcg/tcg-all.c       | 16 +++++++++++++++-
 accel/tcg/translate-all.c | 21 ++-------------------
 bsd-user/main.c           |  2 +-
 5 files changed, 20 insertions(+), 23 deletions(-)

diff --git a/accel/tcg/internal.h b/accel/tcg/internal.h
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/internal.h
+++ b/accel/tcg/internal.h
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu, target_ulong pc,
                               int cflags);
 
 void QEMU_NORETURN cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
+void page_init(void);
+void tb_htable_init(void);
 
 #endif /* ACCEL_TCG_INTERNAL_H */
diff --git a/include/sysemu/tcg.h b/include/sysemu/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/sysemu/tcg.h
+++ b/include/sysemu/tcg.h
@@ -XXX,XX +XXX,XX @@
 #ifndef SYSEMU_TCG_H
 #define SYSEMU_TCG_H
 
-void tcg_exec_init(unsigned long tb_size, int splitwx);
-
 #ifdef CONFIG_TCG
 extern bool tcg_allowed;
 #define tcg_enabled() (tcg_allowed)
diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/error-report.h"
 #include "qemu/accel.h"
 #include "qapi/qapi-builtin-visit.h"
+#include "internal.h"
 
 struct TCGState {
     AccelState parent_obj;
@@ -XXX,XX +XXX,XX @@ static int tcg_init_machine(MachineState *ms)
 {
     TCGState *s = TCG_STATE(current_accel());
 
-    tcg_exec_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
+    tcg_allowed = true;
     mttcg_enabled = s->mttcg_enabled;
+
+    page_init();
+    tb_htable_init();
+    tcg_init(s->tb_size * 1024 * 1024, s->splitwx_enabled);
+
+#if defined(CONFIG_SOFTMMU)
+    /*
+     * There's no guest base to take into account, so go ahead and
+     * initialize the prologue now.
+     */
+    tcg_prologue_init(tcg_ctx);
+#endif
+
     return 0;
 }
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ bool cpu_restore_state(CPUState *cpu, uintptr_t host_pc, bool will_exit)
     return false;
 }
 
-static void page_init(void)
+void page_init(void)
 {
     page_size_init();
     page_table_config_init();
@@ -XXX,XX +XXX,XX @@ static bool tb_cmp(const void *ap, const void *bp)
         a->page_addr[1] == b->page_addr[1];
 }
 
-static void tb_htable_init(void)
+void tb_htable_init(void)
 {
     unsigned int mode = QHT_MODE_AUTO_RESIZE;
 
     qht_init(&tb_ctx.htable, tb_cmp, CODE_GEN_HTABLE_SIZE, mode);
 }
 
-/* Must be called before using the QEMU cpus. 'tb_size' is the size
-   (in bytes) allocated to the translation buffer. Zero means default
-   size. */
-void tcg_exec_init(unsigned long tb_size, int splitwx)
-{
-    tcg_allowed = true;
-    page_init();
-    tb_htable_init();
-    tcg_init(tb_size, splitwx);
-
-#if defined(CONFIG_SOFTMMU)
-    /* There's no guest base to take into account, so go ahead and
-       initialize the prologue now.  */
-    tcg_prologue_init(tcg_ctx);
-#endif
-}
-
 /* call with @p->lock held */
 static inline void invalidate_page_bitmap(PageDesc *p)
 {
diff --git a/bsd-user/main.c b/bsd-user/main.c
index XXXXXXX..XXXXXXX 100644
--- a/bsd-user/main.c
+++ b/bsd-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
     envlist_free(envlist);
 
     /*
-     * Now that page sizes are configured in tcg_exec_init() we can do
+     * Now that page sizes are configured we can do
      * proper page alignment for guest_base.
      */
     guest_base = HOST_PAGE_ALIGN(guest_base);
-- 
2.25.1

Start removing the include of hw/boards.h from tcg/.
Pass down the max_cpus value from tcg_init_machine,
where we have the MachineState already.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h   |  2 +-
 tcg/tcg-internal.h  |  2 +-
 accel/tcg/tcg-all.c | 10 +++++++++-
 tcg/region.c        | 32 +++++++++++---------------------
 tcg/tcg.c           | 10 ++++------
 5 files changed, 26 insertions(+), 30 deletions(-)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ static inline void *tcg_malloc(int size)
     }
 }
 
-void tcg_init(size_t tb_size, int splitwx);
+void tcg_init(size_t tb_size, int splitwx, unsigned max_cpus);
 void tcg_register_thread(void);
 void tcg_prologue_init(TCGContext *s);
 void tcg_func_start(TCGContext *s);
diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-internal.h
+++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
 extern TCGContext **tcg_ctxs;
 extern unsigned int n_tcg_ctxs;
 
-void tcg_region_init(size_t tb_size, int splitwx);
+void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus);
 bool tcg_region_alloc(TCGContext *s);
 void tcg_region_initial_alloc(TCGContext *s);
 void tcg_region_prologue_set(TCGContext *s);
diff --git a/accel/tcg/tcg-all.c b/accel/tcg/tcg-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/accel.h"
 #include "qapi/qapi-builtin-visit.h"
 #include "qemu/units.h"
+#if !defined(CONFIG_USER_ONLY)
+#include "hw/boards.h"
+#endif
 #include "internal.h"
 
 struct TCGState {
@@ -XXX,XX +XXX,XX @@ bool mttcg_enabled;
 static int tcg_init_machine(MachineState *ms)
 {
     TCGState *s = TCG_STATE(current_accel());
+#ifdef CONFIG_USER_ONLY
+    unsigned max_cpus = 1;
+#else
+    unsigned max_cpus = ms->smp.max_cpus;
+#endif
 
     tcg_allowed = true;
     mttcg_enabled = s->mttcg_enabled;
 
     page_init();
     tb_htable_init();
-    tcg_init(s->tb_size * MiB, s->splitwx_enabled);
+    tcg_init(s->tb_size * MiB, s->splitwx_enabled, max_cpus);
 
 #if defined(CONFIG_SOFTMMU)
     /*
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
 #include "qapi/error.h"
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
-#if !defined(CONFIG_USER_ONLY)
-#include "hw/boards.h"
-#endif
 #include "tcg-internal.h"
 
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
     tcg_region_tree_reset_all();
 }
 
+static size_t tcg_n_regions(unsigned max_cpus)
+{
 #ifdef CONFIG_USER_ONLY
-static size_t tcg_n_regions(void)
-{
     return 1;
-}
 #else
-/*
- * It is likely that some vCPUs will translate more code than others, so we
- * first try to set more regions than max_cpus, with those regions being of
- * reasonable size. If that's not possible we make do by evenly dividing
- * the code_gen_buffer among the vCPUs.
- */
-static size_t tcg_n_regions(void)
-{
+    /*
+     * It is likely that some vCPUs will translate more code than others,
+     * so we first try to set more regions than max_cpus, with those regions
+     * being of reasonable size. If that's not possible we make do by evenly
+     * dividing the code_gen_buffer among the vCPUs.
+     */
     size_t i;
 
     /* Use a single region if all we have is one vCPU thread */
-#if !defined(CONFIG_USER_ONLY)
-    MachineState *ms = MACHINE(qdev_get_machine());
-    unsigned int max_cpus = ms->smp.max_cpus;
-#endif
     if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
         return 1;
     }
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(void)
     }
     /* If we can't, then just allocate one region per vCPU thread */
     return max_cpus;
-}
 #endif
+}
 
 /*
  * Minimum size of the code gen buffer.  This number is randomly chosen,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  * in practice. Multi-threaded guests share most if not all of their translated
  * code, which makes parallel code generation less appealing than in softmmu.
  */
-void tcg_region_init(size_t tb_size, int splitwx)
+void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
     void *buf, *aligned;
     size_t size;
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx)
     buf = tcg_init_ctx.code_gen_buffer;
     size = tcg_init_ctx.code_gen_buffer_size;
     page_size = qemu_real_host_page_size;
-    n_regions = tcg_n_regions();
+    n_regions = tcg_n_regions(max_cpus);
 
     /* The first region will be 'aligned - buf' bytes larger than the others */
     aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void process_op_defs(TCGContext *s);
 static TCGTemp *tcg_global_reg_new_internal(TCGContext *s, TCGType type,
                                             TCGReg reg, const char *name);
 
-static void tcg_context_init(void)
+static void tcg_context_init(unsigned max_cpus)
 {
     TCGContext *s = &tcg_init_ctx;
     int op, total_args, n, i;
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(void)
     tcg_ctxs = &tcg_ctx;
     n_tcg_ctxs = 1;
 #else
-    MachineState *ms = MACHINE(qdev_get_machine());
-    unsigned int max_cpus = ms->smp.max_cpus;
     tcg_ctxs = g_new(TCGContext *, max_cpus);
 #endif
 
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(void)
     cpu_env = temp_tcgv_ptr(ts);
 }
 
-void tcg_init(size_t tb_size, int splitwx)
+void tcg_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
-    tcg_context_init();
-    tcg_region_init(tb_size, splitwx);
+    tcg_context_init(max_cpus);
+    tcg_region_init(tb_size, splitwx, max_cpus);
 }
 
 /*
-- 
2.25.1

Finish the divorce of tcg/ from hw/, and do not take
the max cpu value from MachineState; just remember what
we were passed in tcg_init.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg-internal.h |  3 ++-
 tcg/region.c       |  6 +++---
 tcg/tcg.c          | 23 ++++++++++-------------
 3 files changed, 15 insertions(+), 17 deletions(-)

diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-internal.h
+++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_HIGHWATER 1024
 
 extern TCGContext **tcg_ctxs;
-extern unsigned int n_tcg_ctxs;
+extern unsigned int tcg_cur_ctxs;
+extern unsigned int tcg_max_ctxs;
 
 void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus);
 bool tcg_region_alloc(TCGContext *s);
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ void tcg_region_initial_alloc(TCGContext *s)
 /* Call from a safe-work context */
 void tcg_region_reset_all(void)
 {
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
     unsigned int i;
 
     qemu_mutex_lock(&region.lock);
@@ -XXX,XX +XXX,XX @@ void tcg_region_prologue_set(TCGContext *s)
  */
 size_t tcg_code_size(void)
 {
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
     unsigned int i;
     size_t total;
 
@@ -XXX,XX +XXX,XX @@ size_t tcg_code_capacity(void)
 
 size_t tcg_tb_phys_invalidate_count(void)
 {
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
     unsigned int i;
     size_t total = 0;
 
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@
 #define NO_CPU_IO_DEFS
 
 #include "exec/exec-all.h"
-
-#if !defined(CONFIG_USER_ONLY)
-#include "hw/boards.h"
-#endif
-
 #include "tcg/tcg-op.h"
 
 #if UINTPTR_MAX == UINT32_MAX
@@ -XXX,XX +XXX,XX @@ static int tcg_out_ldst_finalize(TCGContext *s);
 #endif
 
 TCGContext **tcg_ctxs;
-unsigned int n_tcg_ctxs;
+unsigned int tcg_cur_ctxs;
+unsigned int tcg_max_ctxs;
 TCGv_env cpu_env = 0;
 const void *tcg_code_gen_epilogue;
 uintptr_t tcg_splitwx_diff;
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
 #else
 void tcg_register_thread(void)
 {
-    MachineState *ms = MACHINE(qdev_get_machine());
     TCGContext *s = g_malloc(sizeof(*s));
     unsigned int i, n;
 
@@ -XXX,XX +XXX,XX @@ void tcg_register_thread(void)
     }
 
     /* Claim an entry in tcg_ctxs */
-    n = qatomic_fetch_inc(&n_tcg_ctxs);
-    g_assert(n < ms->smp.max_cpus);
+    n = qatomic_fetch_inc(&tcg_cur_ctxs);
+    g_assert(n < tcg_max_ctxs);
     qatomic_set(&tcg_ctxs[n], s);
 
     if (n > 0) {
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(unsigned max_cpus)
      */
 #ifdef CONFIG_USER_ONLY
     tcg_ctxs = &tcg_ctx;
-    n_tcg_ctxs = 1;
+    tcg_cur_ctxs = 1;
+    tcg_max_ctxs = 1;
 #else
-    tcg_ctxs = g_new(TCGContext *, max_cpus);
+    tcg_max_ctxs = max_cpus;
+    tcg_ctxs = g_new0(TCGContext *, max_cpus);
 #endif
 
     tcg_debug_assert(!tcg_regset_test_reg(s->reserved_regs, TCG_AREG0));
@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_call(TCGContext *s, TCGOp *op)
 static inline
 void tcg_profile_snapshot(TCGProfile *prof, bool counters, bool table)
 {
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
     unsigned int i;
 
     for (i = 0; i < n_ctxs; i++) {
@@ -XXX,XX +XXX,XX @@ void tcg_dump_op_count(void)
 
 int64_t tcg_cpu_exec_time(void)
 {
-    unsigned int n_ctxs = qatomic_read(&n_tcg_ctxs);
+    unsigned int n_ctxs = qatomic_read(&tcg_cur_ctxs);
     unsigned int i;
     int64_t ret = 0;
 
-- 
2.25.1

Remove the ifdef ladder and move each define into the
appropriate header file.

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/aarch64/tcg-target.h |  1 +
 tcg/arm/tcg-target.h     |  1 +
 tcg/i386/tcg-target.h    |  2 ++
 tcg/mips/tcg-target.h    |  6 ++++++
 tcg/ppc/tcg-target.h     |  2 ++
 tcg/riscv/tcg-target.h   |  1 +
 tcg/s390/tcg-target.h    |  3 +++
 tcg/sparc/tcg-target.h   |  1 +
 tcg/tci/tcg-target.h     |  1 +
 tcg/region.c             | 33 +++++----------------------------
 10 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/tcg/aarch64/tcg-target.h b/tcg/aarch64/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/aarch64/tcg-target.h
+++ b/tcg/aarch64/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 
 #define TCG_TARGET_INSN_UNIT_SIZE  4
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 24
+#define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
 #undef TCG_TARGET_STACK_GROWSUP
 
 typedef enum {
diff --git a/tcg/arm/tcg-target.h b/tcg/arm/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/arm/tcg-target.h
+++ b/tcg/arm/tcg-target.h
@@ -XXX,XX +XXX,XX @@ extern int arm_arch;
 #undef TCG_TARGET_STACK_GROWSUP
 #define TCG_TARGET_INSN_UNIT_SIZE 4
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 16
+#define MAX_CODE_GEN_BUFFER_SIZE  UINT32_MAX
 
 typedef enum {
     TCG_REG_R0 = 0,
diff --git a/tcg/i386/tcg-target.h b/tcg/i386/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.h
+++ b/tcg/i386/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #ifdef __x86_64__
 # define TCG_TARGET_REG_BITS  64
 # define TCG_TARGET_NB_REGS   32
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
 #else
 # define TCG_TARGET_REG_BITS  32
 # define TCG_TARGET_NB_REGS   24
+# define MAX_CODE_GEN_BUFFER_SIZE  UINT32_MAX
 #endif
 
 typedef enum {
diff --git a/tcg/mips/tcg-target.h b/tcg/mips/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.h
+++ b/tcg/mips/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 16
 #define TCG_TARGET_NB_REGS 32
 
+/*
+ * We have a 256MB branch region, but leave room to make sure the
+ * main executable is also within that region.
+ */
+#define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
+
 typedef enum {
     TCG_REG_ZERO = 0,
     TCG_REG_AT,
diff --git a/tcg/ppc/tcg-target.h b/tcg/ppc/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.h
+++ b/tcg/ppc/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 
 #ifdef _ARCH_PPC64
 # define TCG_TARGET_REG_BITS  64
+# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
 #else
 # define TCG_TARGET_REG_BITS  32
+# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
 #endif
 
 #define TCG_TARGET_NB_REGS 64
diff --git a/tcg/riscv/tcg-target.h b/tcg/riscv/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target.h
+++ b/tcg/riscv/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_TARGET_INSN_UNIT_SIZE 4
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 20
 #define TCG_TARGET_NB_REGS 32
+#define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
 
 typedef enum {
     TCG_REG_ZERO,
diff --git a/tcg/s390/tcg-target.h b/tcg/s390/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390/tcg-target.h
+++ b/tcg/s390/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_TARGET_INSN_UNIT_SIZE 2
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 19
 
+/* We have a +- 4GB range on the branches; leave some slop.  */
+#define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
+
 typedef enum TCGReg {
     TCG_REG_R0 = 0,
     TCG_REG_R1,
diff --git a/tcg/sparc/tcg-target.h b/tcg/sparc/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/sparc/tcg-target.h
+++ b/tcg/sparc/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_TARGET_INSN_UNIT_SIZE 4
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 32
 #define TCG_TARGET_NB_REGS 32
+#define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
 
 typedef enum {
     TCG_REG_G0 = 0,
diff --git a/tcg/tci/tcg-target.h b/tcg/tci/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tci/tcg-target.h
+++ b/tcg/tci/tcg-target.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_TARGET_INTERPRETER 1
 #define TCG_TARGET_INSN_UNIT_SIZE 1
 #define TCG_TARGET_TLB_DISPLACEMENT_BITS 32
+#define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
 
 #if UINTPTR_MAX == UINT32_MAX
 # define TCG_TARGET_REG_BITS 32
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(unsigned max_cpus)
 /*
  * Minimum size of the code gen buffer.  This number is randomly chosen,
  * but not so small that we can't have a fair number of TB's live.
+ *
+ * Maximum size, MAX_CODE_GEN_BUFFER_SIZE, is defined in tcg-target.h.
+ * Unless otherwise indicated, this is constrained by the range of
+ * direct branches on the host cpu, as used by the TCG implementation
+ * of goto_tb.
  */
 #define MIN_CODE_GEN_BUFFER_SIZE     (1 * MiB)
 
-/*
- * Maximum size of the code gen buffer we'd like to use.  Unless otherwise
- * indicated, this is constrained by the range of direct branches on the
- * host cpu, as used by the TCG implementation of goto_tb.
- */
-#if defined(__x86_64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__sparc__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__powerpc64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__powerpc__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (32 * MiB)
-#elif defined(__aarch64__)
-# define MAX_CODE_GEN_BUFFER_SIZE  (2 * GiB)
-#elif defined(__s390x__)
-  /* We have a +- 4GB range on the branches; leave some slop.  */
-# define MAX_CODE_GEN_BUFFER_SIZE  (3 * GiB)
-#elif defined(__mips__)
-  /*
-   * We have a 256MB branch region, but leave room to make sure the
-   * main executable is also within that region.
-   */
-# define MAX_CODE_GEN_BUFFER_SIZE  (128 * MiB)
-#else
-# define MAX_CODE_GEN_BUFFER_SIZE  ((size_t)-1)
-#endif
-
 #if TCG_TARGET_REG_BITS == 32
 #define DEFAULT_CODE_GEN_BUFFER_SIZE_1 (32 * MiB)
 #ifdef CONFIG_USER_ONLY
-- 
2.25.1

A size is easier to work with than an end point,
particularly during initial buffer allocation.

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ struct tcg_region_state {
     /* fields set at init time */
     void *start;
     void *start_aligned;
-    void *end;
     size_t n;
     size_t size; /* size of one region */
     size_t stride; /* .size + guard size */
+    size_t total_size; /* size of entire buffer, >= n * stride */
 
     /* fields protected by the lock */
     size_t current; /* current region index */
@@ -XXX,XX +XXX,XX @@ static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
     if (curr_region == 0) {
         start = region.start;
     }
+    /* The final region may have a few extra pages due to earlier rounding. */
     if (curr_region == region.n - 1) {
-        end = region.end;
+        end = region.start_aligned + region.total_size;
     }
 
     *pstart = start;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  */
 void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
-    void *buf, *aligned;
-    size_t size;
+    void *buf, *aligned, *end;
+    size_t total_size;
     size_t page_size;
     size_t region_size;
     size_t n_regions;
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
     assert(ok);
 
     buf = tcg_init_ctx.code_gen_buffer;
-    size = tcg_init_ctx.code_gen_buffer_size;
+    total_size = tcg_init_ctx.code_gen_buffer_size;
     page_size = qemu_real_host_page_size;
     n_regions = tcg_n_regions(max_cpus);
 
     /* The first region will be 'aligned - buf' bytes larger than the others */
     aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + size);
+    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
+
     /*
      * Make region_size a multiple of page_size, using aligned as the start.
      * As a result of this we might end up with a few extra pages at the end of
      * the buffer; we will assign those to the last region.
      */
-    region_size = (size - (aligned - buf)) / n_regions;
+    region_size = (total_size - (aligned - buf)) / n_regions;
     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
 
     /* A region must have at least 2 pages; one code, one guard */
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
     region.start = buf;
     region.start_aligned = aligned;
     /* page-align the end, since its last page will be a guard page */
-    region.end = QEMU_ALIGN_PTR_DOWN(buf + size, page_size);
+    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
     /* account for that last guard page */
-    region.end -= page_size;
+    end -= page_size;
+    total_size = end - aligned;
+    region.total_size = total_size;
 
     /*
      * Set guard pages in the rw buffer, as that's the one into which
@@ -XXX,XX +XXX,XX @@ void tcg_region_prologue_set(TCGContext *s)
 
     /* Register the balance of the buffer with gdb. */
     tcg_register_jit(tcg_splitwx_to_rx(region.start),
-                     region.end - region.start);
+                     region.start_aligned + region.total_size - region.start);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ size_t tcg_code_capacity(void)
 
     /* no need for synchronization; these variables are set at init time */
     guard_size = region.stride - region.size;
-    capacity = region.end + guard_size - region.start;
-    capacity -= region.n * (guard_size + TCG_HIGHWATER);
+    capacity = region.total_size;
+    capacity -= (region.n - 1) * guard_size;
+    capacity -= region.n * TCG_HIGHWATER;
+
     return capacity;
 }
 
-- 
2.25.1

Give the field a name reflecting its actual meaning.

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ struct tcg_region_state {
     QemuMutex lock;
 
     /* fields set at init time */
-    void *start;
     void *start_aligned;
+    void *after_prologue;
     size_t n;
     size_t size; /* size of one region */
     size_t stride; /* .size + guard size */
@@ -XXX,XX +XXX,XX @@ static void tcg_region_bounds(size_t curr_region, void **pstart, void **pend)
     end = start + region.size;
 
     if (curr_region == 0) {
-        start = region.start;
+        start = region.after_prologue;
     }
     /* The final region may have a few extra pages due to earlier rounding. */
     if (curr_region == region.n - 1) {
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
     region.n = n_regions;
     region.size = region_size - page_size;
     region.stride = region_size;
-    region.start = buf;
+    region.after_prologue = buf;
     region.start_aligned = aligned;
     /* page-align the end, since its last page will be a guard page */
     end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 void tcg_region_prologue_set(TCGContext *s)
 {
     /* Deduct the prologue from the first region.  */
-    g_assert(region.start == s->code_gen_buffer);
-    region.start = s->code_ptr;
+    g_assert(region.start_aligned == s->code_gen_buffer);
+    region.after_prologue = s->code_ptr;
 
     /* Recompute boundaries of the first region. */
     tcg_region_assign(s, 0);
 
     /* Register the balance of the buffer with gdb. */
-    tcg_register_jit(tcg_splitwx_to_rx(region.start),
-                     region.start_aligned + region.total_size - region.start);
+    tcg_register_jit(tcg_splitwx_to_rx(region.after_prologue),
+                     region.start_aligned + region.total_size -
+                     region.after_prologue);
 }
 
 /*
-- 
2.25.1

Compute the value using straight division and bounds,
rather than a loop.  Pass in tb_size rather than reading
from tcg_init_ctx.code_gen_buffer_size,

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ void tcg_region_reset_all(void)
     tcg_region_tree_reset_all();
 }
 
-static size_t tcg_n_regions(unsigned max_cpus)
+static size_t tcg_n_regions(size_t tb_size, unsigned max_cpus)
 {
 #ifdef CONFIG_USER_ONLY
     return 1;
 #else
+    size_t n_regions;
+
     /*
      * It is likely that some vCPUs will translate more code than others,
      * so we first try to set more regions than max_cpus, with those regions
      * being of reasonable size. If that's not possible we make do by evenly
      * dividing the code_gen_buffer among the vCPUs.
      */
-    size_t i;
-
     /* Use a single region if all we have is one vCPU thread */
     if (max_cpus == 1 || !qemu_tcg_mttcg_enabled()) {
         return 1;
     }
 
-    /* Try to have more regions than max_cpus, with each region being >= 2 MB */
-    for (i = 8; i > 0; i--) {
-        size_t regions_per_thread = i;
-        size_t region_size;
-
-        region_size = tcg_init_ctx.code_gen_buffer_size;
-        region_size /= max_cpus * regions_per_thread;
-
-        if (region_size >= 2 * 1024u * 1024) {
-            return max_cpus * regions_per_thread;
-        }
+    /*
+     * Try to have more regions than max_cpus, with each region being >= 2 MB.
+     * If we can't, then just allocate one region per vCPU thread.
+     */
+    n_regions = tb_size / (2 * MiB);
+    if (n_regions <= max_cpus) {
+        return max_cpus;
     }
-    /* If we can't, then just allocate one region per vCPU thread */
-    return max_cpus;
+    return MIN(n_regions, max_cpus * 8);
 #endif
 }
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
     buf = tcg_init_ctx.code_gen_buffer;
     total_size = tcg_init_ctx.code_gen_buffer_size;
     page_size = qemu_real_host_page_size;
-    n_regions = tcg_n_regions(max_cpus);
+    n_regions = tcg_n_regions(total_size, max_cpus);
 
     /* The first region will be 'aligned - buf' bytes larger than the others */
     aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-- 
2.25.1

Return output buffer and size via output pointer arguments,
rather than returning size via tcg_ctx->code_gen_buffer_size.

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static inline bool cross_256mb(void *addr, size_t size)
 /*
  * We weren't able to allocate a buffer without crossing that boundary,
  * so make do with the larger portion of the buffer that doesn't cross.
- * Returns the new base of the buffer, and adjusts code_gen_buffer_size.
+ * Returns the new base and size of the buffer in *obuf and *osize.
  */
-static inline void *split_cross_256mb(void *buf1, size_t size1)
+static inline void split_cross_256mb(void **obuf, size_t *osize,
+                                     void *buf1, size_t size1)
 {
     void *buf2 = (void *)(((uintptr_t)buf1 + size1) & ~0x0ffffffful);
     size_t size2 = buf1 + size1 - buf2;
@@ -XXX,XX +XXX,XX @@ static inline void *split_cross_256mb(void *buf1, size_t size1)
         buf1 = buf2;
     }
 
-    tcg_ctx->code_gen_buffer_size = size1;
-    return buf1;
+    *obuf = buf1;
+    *osize = size1;
 }
 #endif
 
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
     if (size > tb_size) {
         size = QEMU_ALIGN_DOWN(tb_size, qemu_real_host_page_size);
     }
-    tcg_ctx->code_gen_buffer_size = size;
 
 #ifdef __mips__
     if (cross_256mb(buf, size)) {
-        buf = split_cross_256mb(buf, size);
-        size = tcg_ctx->code_gen_buffer_size;
+        split_cross_256mb(&buf, &size, buf, size);
     }
 #endif
 
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
     tcg_ctx->code_gen_buffer = buf;
+    tcg_ctx->code_gen_buffer_size = size;
     return true;
 }
 #elif defined(_WIN32)
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
                          "allocate %zu bytes for jit buffer", size);
         return false;
     }
-    tcg_ctx->code_gen_buffer_size = size;
 
 #ifdef __mips__
     if (cross_256mb(buf, size)) {
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
             /* fallthru */
         default:
             /* Split the original buffer.  Free the smaller half.  */
-            buf2 = split_cross_256mb(buf, size);
-            size2 = tcg_ctx->code_gen_buffer_size;
+            split_cross_256mb(&buf2, &size2, buf, size);
             if (buf == buf2) {
                 munmap(buf + size2, size - size2);
             } else {
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
     tcg_ctx->code_gen_buffer = buf;
+    tcg_ctx->code_gen_buffer_size = size;
     return true;
 }
 
-- 
2.25.1

Shortly, the full code_gen_buffer will only be visible
to region.c, so move in_code_gen_buffer out-of-line.

Move the debugging versions of tcg_splitwx_to_{rx,rw}
to region.c as well, so that the compiler gets to see
the implementation of in_code_gen_buffer.

This leaves exactly one use of in_code_gen_buffer outside
of region.c, in cpu_restore_state.  Which, being on the
exception path, is not performance critical.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h | 11 +----------
 tcg/region.c      | 34 ++++++++++++++++++++++++++++++++++
 tcg/tcg.c         | 23 -----------------------
 3 files changed, 35 insertions(+), 33 deletions(-)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ extern const void *tcg_code_gen_epilogue;
 extern uintptr_t tcg_splitwx_diff;
 extern TCGv_env cpu_env;
 
-static inline bool in_code_gen_buffer(const void *p)
-{
-    const TCGContext *s = &tcg_init_ctx;
-    /*
-     * Much like it is valid to have a pointer to the byte past the
-     * end of an array (so long as you don't dereference it), allow
-     * a pointer to the byte past the end of the code gen buffer.
-     */
-    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
-}
+bool in_code_gen_buffer(const void *p);
 
 #ifdef CONFIG_DEBUG_TCG
 const void *tcg_splitwx_to_rx(void *rw);
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static struct tcg_region_state region;
 static void *region_trees;
 static size_t tree_size;
 
+bool in_code_gen_buffer(const void *p)
+{
+    const TCGContext *s = &tcg_init_ctx;
+    /*
+     * Much like it is valid to have a pointer to the byte past the
+     * end of an array (so long as you don't dereference it), allow
+     * a pointer to the byte past the end of the code gen buffer.
+     */
+    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
+}
+
+#ifdef CONFIG_DEBUG_TCG
+const void *tcg_splitwx_to_rx(void *rw)
+{
+    /* Pass NULL pointers unchanged. */
+    if (rw) {
+        g_assert(in_code_gen_buffer(rw));
+        rw += tcg_splitwx_diff;
+    }
+    return rw;
+}
+
+void *tcg_splitwx_to_rw(const void *rx)
+{
+    /* Pass NULL pointers unchanged. */
+    if (rx) {
+        rx -= tcg_splitwx_diff;
+        /* Assert that we end with a pointer in the rw region. */
+        g_assert(in_code_gen_buffer(rx));
+    }
+    return (void *)rx;
+}
+#endif /* CONFIG_DEBUG_TCG */
+
 /* compare a pointer @ptr and a tb_tc @s */
 static int ptr_cmp_tb_tc(const void *ptr, const struct tb_tc *s)
 {
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
 
 #include "tcg-target.c.inc"
 
-#ifdef CONFIG_DEBUG_TCG
-const void *tcg_splitwx_to_rx(void *rw)
-{
-    /* Pass NULL pointers unchanged. */
-    if (rw) {
-        g_assert(in_code_gen_buffer(rw));
-        rw += tcg_splitwx_diff;
-    }
-    return rw;
-}
-
-void *tcg_splitwx_to_rw(const void *rx)
-{
-    /* Pass NULL pointers unchanged. */
-    if (rx) {
-        rx -= tcg_splitwx_diff;
-        /* Assert that we end with a pointer in the rw region. */
-        g_assert(in_code_gen_buffer(rx));
-    }
-    return (void *)rx;
-}
-#endif /* CONFIG_DEBUG_TCG */
-
 static void alloc_tcg_plugin_context(TCGContext *s)
 {
 #ifdef CONFIG_PLUGIN
-- 
2.25.1

Do not mess around with setting values within tcg_init_ctx.
Put the values into 'region' directly, which is where they
will live for the lifetime of the program.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 64 ++++++++++++++++++++++------------------------------
 1 file changed, 27 insertions(+), 37 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static size_t tree_size;
 
 bool in_code_gen_buffer(const void *p)
 {
-    const TCGContext *s = &tcg_init_ctx;
     /*
      * Much like it is valid to have a pointer to the byte past the
      * end of an array (so long as you don't dereference it), allow
      * a pointer to the byte past the end of the code gen buffer.
      */
-    return (size_t)(p - s->code_gen_buffer) <= s->code_gen_buffer_size;
+    return (size_t)(p - region.start_aligned) <= region.total_size;
 }
 
 #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
     }
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 #elif defined(_WIN32)
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
         return false;
     }
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 #else
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
     /* Request large pages for the buffer.  */
     qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
-    tcg_ctx->code_gen_buffer = buf;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf;
+    region.total_size = size;
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
         return false;
     }
     /* The size of the mapping may have been adjusted. */
-    size = tcg_ctx->code_gen_buffer_size;
-    buf_rx = tcg_ctx->code_gen_buffer;
+    buf_rx = region.start_aligned;
+    size = region.total_size;
 #endif
 
     buf_rw = qemu_memfd_alloc("tcg-jit", size, 0, &fd, errp);
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
 #endif
 
     close(fd);
-    tcg_ctx->code_gen_buffer = buf_rw;
-    tcg_ctx->code_gen_buffer_size = size;
+    region.start_aligned = buf_rw;
+    region.total_size = size;
     tcg_splitwx_diff = buf_rx - buf_rw;
 
     /* Request large pages for the buffer and the splitwx.  */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
         return false;
     }
 
-    buf_rw = (mach_vm_address_t)tcg_ctx->code_gen_buffer;
+    buf_rw = region.start_aligned;
     buf_rx = 0;
     ret = mach_vm_remap(mach_task_self(),
                         &buf_rx,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  */
 void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
-    void *buf, *aligned, *end;
-    size_t total_size;
     size_t page_size;
     size_t region_size;
-    size_t n_regions;
     size_t i;
     bool ok;
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
                                splitwx, &error_fatal);
     assert(ok);
 
-    buf = tcg_init_ctx.code_gen_buffer;
-    total_size = tcg_init_ctx.code_gen_buffer_size;
-    page_size = qemu_real_host_page_size;
-    n_regions = tcg_n_regions(total_size, max_cpus);
-
-    /* The first region will be 'aligned - buf' bytes larger than the others */
-    aligned = QEMU_ALIGN_PTR_UP(buf, page_size);
-    g_assert(aligned < tcg_init_ctx.code_gen_buffer + total_size);
-
     /*
      * Make region_size a multiple of page_size, using aligned as the start.
      * As a result of this we might end up with a few extra pages at the end of
      * the buffer; we will assign those to the last region.
      */
-    region_size = (total_size - (aligned - buf)) / n_regions;
+    region.n = tcg_n_regions(region.total_size, max_cpus);
+    page_size = qemu_real_host_page_size;
+    region_size = region.total_size / region.n;
     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
 
     /* A region must have at least 2 pages; one code, one guard */
     g_assert(region_size >= 2 * page_size);
+    region.stride = region_size;
+
+    /* Reserve space for guard pages. */
+    region.size = region_size - page_size;
+    region.total_size -= page_size;
+
+    /*
+     * The first region will be smaller than the others, via the prologue,
+     * which has yet to be allocated.  For now, the first region begins at
+     * the page boundary.
+     */
+    region.after_prologue = region.start_aligned;
 
     /* init the region struct */
     qemu_mutex_init(&region.lock);
-    region.n = n_regions;
-    region.size = region_size - page_size;
-    region.stride = region_size;
-    region.after_prologue = buf;
-    region.start_aligned = aligned;
-    /* page-align the end, since its last page will be a guard page */
-    end = QEMU_ALIGN_PTR_DOWN(buf + total_size, page_size);
-    /* account for that last guard page */
-    end -= page_size;
-    total_size = end - aligned;
-    region.total_size = total_size;
 
     /*
      * Set guard pages in the rw buffer, as that's the one into which
-- 
2.25.1

Change the interface from a boolean error indication to a
negative error vs a non-negative protection.  For the moment
this is only interface change, not making use of the new data.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 63 +++++++++++++++++++++++++++-------------------------
 1 file changed, 33 insertions(+), 30 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static inline void split_cross_256mb(void **obuf, size_t *osize,
 static uint8_t static_code_gen_buffer[DEFAULT_CODE_GEN_BUFFER_SIZE]
     __attribute__((aligned(CODE_GEN_ALIGN)));
 
-static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
+static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
 {
     void *buf, *end;
     size_t size;
 
     if (splitwx > 0) {
         error_setg(errp, "jit split-wx not supported");
-        return false;
+        return -1;
     }
 
     /* page-align the beginning and end of the buffer */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
 
     region.start_aligned = buf;
     region.total_size = size;
-    return true;
+
+    return PROT_READ | PROT_WRITE;
 }
 #elif defined(_WIN32)
-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
 {
     void *buf;
 
     if (splitwx > 0) {
         error_setg(errp, "jit split-wx not supported");
-        return false;
+        return -1;
     }
 
     buf = VirtualAlloc(NULL, size, MEM_RESERVE | MEM_COMMIT,
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
 
     region.start_aligned = buf;
     region.total_size = size;
-    return true;
+
+    return PAGE_READ | PAGE_WRITE | PAGE_EXEC;
 }
 #else
-static bool alloc_code_gen_buffer_anon(size_t size, int prot,
-                                       int flags, Error **errp)
+static int alloc_code_gen_buffer_anon(size_t size, int prot,
+                                      int flags, Error **errp)
 {
     void *buf;
 
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
     if (buf == MAP_FAILED) {
         error_setg_errno(errp, errno,
                          "allocate %zu bytes for jit buffer", size);
-        return false;
+        return -1;
     }
 
 #ifdef __mips__
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_anon(size_t size, int prot,
 
     region.start_aligned = buf;
     region.total_size = size;
-    return true;
+    return prot;
 }
 
 #ifndef CONFIG_TCG_INTERPRETER
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
 
 #ifdef __mips__
     /* Find space for the RX mapping, vs the 256MiB regions. */
-    if (!alloc_code_gen_buffer_anon(size, PROT_NONE,
-                                    MAP_PRIVATE | MAP_ANONYMOUS |
-                                    MAP_NORESERVE, errp)) {
+    if (alloc_code_gen_buffer_anon(size, PROT_NONE,
+                                   MAP_PRIVATE | MAP_ANONYMOUS |
+                                   MAP_NORESERVE, errp) < 0) {
         return false;
     }
     /* The size of the mapping may have been adjusted. */
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
     /* Request large pages for the buffer and the splitwx.  */
     qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
     qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
-    return true;
+    return PROT_READ | PROT_WRITE;
 
  fail_rx:
     error_setg_errno(errp, errno, "failed to map shared memory for execute");
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
     if (fd >= 0) {
         close(fd);
     }
-    return false;
+    return -1;
 }
 #endif /* CONFIG_POSIX */
 
@@ -XXX,XX +XXX,XX @@ extern kern_return_t mach_vm_remap(vm_map_t target_task,
                                    vm_prot_t *max_protection,
                                    vm_inherit_t inheritance);
 
-static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
+static int alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
 {
     kern_return_t ret;
     mach_vm_address_t buf_rw, buf_rx;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
     /* Map the read-write portion via normal anon memory. */
     if (!alloc_code_gen_buffer_anon(size, PROT_READ | PROT_WRITE,
                                     MAP_PRIVATE | MAP_ANONYMOUS, errp)) {
-        return false;
+        return -1;
     }
 
     buf_rw = region.start_aligned;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_vmremap(size_t size, Error **errp)
         /* TODO: Convert "ret" to a human readable error message. */
         error_setg(errp, "vm_remap for jit splitwx failed");
         munmap((void *)buf_rw, size);
-        return false;
+        return -1;
     }
 
     if (mprotect((void *)buf_rx, size, PROT_READ | PROT_EXEC) != 0) {
         error_setg_errno(errp, errno, "mprotect for jit splitwx");
         munmap((void *)buf_rx, size);
         munmap((void *)buf_rw, size);
-        return false;
+        return -1;
     }
 
     tcg_splitwx_diff = buf_rx - buf_rw;
-    return true;
+    return PROT_READ | PROT_WRITE;
 }
 #endif /* CONFIG_DARWIN */
 #endif /* CONFIG_TCG_INTERPRETER */
 
-static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
+static int alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
 {
 #ifndef CONFIG_TCG_INTERPRETER
 # ifdef CONFIG_DARWIN
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx(size_t size, Error **errp)
 # endif
 #endif
     error_setg(errp, "jit split-wx not supported");
-    return false;
+    return -1;
 }
 
-static bool alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
+static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
 {
     ERRP_GUARD();
     int prot, flags;
 
     if (splitwx) {
-        if (alloc_code_gen_buffer_splitwx(size, errp)) {
-            return true;
+        prot = alloc_code_gen_buffer_splitwx(size, errp);
+        if (prot >= 0) {
+            return prot;
         }
         /*
          * If splitwx force-on (1), fail;
          * if splitwx default-on (-1), fall through to splitwx off.
          */
         if (splitwx > 0) {
-            return false;
+            return -1;
         }
         error_free_or_abort(errp);
     }
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
     size_t page_size;
     size_t region_size;
     size_t i;
-    bool ok;
+    int have_prot;
 
-    ok = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
-                               splitwx, &error_fatal);
-    assert(ok);
+    have_prot = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
+                                      splitwx, &error_fatal);
+    assert(have_prot >= 0);
 
     /*
      * Make region_size a multiple of page_size, using aligned as the start.
-- 
2.25.1

Move the call out of the N versions of alloc_code_gen_buffer
and into tcg_region_init.

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
         error_setg_errno(errp, errno, "mprotect of jit buffer");
         return false;
     }
-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
 
     region.start_aligned = buf;
     region.total_size = size;
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer_anon(size_t size, int prot,
     }
 #endif
 
-    /* Request large pages for the buffer.  */
-    qemu_madvise(buf, size, QEMU_MADV_HUGEPAGE);
-
     region.start_aligned = buf;
     region.total_size = size;
     return prot;
@@ -XXX,XX +XXX,XX @@ static bool alloc_code_gen_buffer_splitwx_memfd(size_t size, Error **errp)
     region.total_size = size;
     tcg_splitwx_diff = buf_rx - buf_rw;
 
-    /* Request large pages for the buffer and the splitwx.  */
-    qemu_madvise(buf_rw, size, QEMU_MADV_HUGEPAGE);
-    qemu_madvise(buf_rx, size, QEMU_MADV_HUGEPAGE);
     return PROT_READ | PROT_WRITE;
 
  fail_rx:
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
                                       splitwx, &error_fatal);
     assert(have_prot >= 0);
 
+    /* Request large pages for the buffer and the splitwx.  */
+    qemu_madvise(region.start_aligned, region.total_size, QEMU_MADV_HUGEPAGE);
+    if (tcg_splitwx_diff) {
+        qemu_madvise(region.start_aligned + tcg_splitwx_diff,
+                     region.total_size, QEMU_MADV_HUGEPAGE);
+    }
+
     /*
      * Make region_size a multiple of page_size, using aligned as the start.
      * As a result of this we might end up with a few extra pages at the end of
-- 
2.25.1

For --enable-tcg-interpreter on Windows, we will need this.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/qemu/osdep.h | 1 +
 util/osdep.c         | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/include/qemu/osdep.h b/include/qemu/osdep.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/osdep.h
+++ b/include/qemu/osdep.h
@@ -XXX,XX +XXX,XX @@ void sigaction_invoke(struct sigaction *action,
 #endif
 
 int qemu_madvise(void *addr, size_t len, int advice);
+int qemu_mprotect_rw(void *addr, size_t size);
 int qemu_mprotect_rwx(void *addr, size_t size);
 int qemu_mprotect_none(void *addr, size_t size);
 
diff --git a/util/osdep.c b/util/osdep.c
index XXXXXXX..XXXXXXX 100644
--- a/util/osdep.c
+++ b/util/osdep.c
@@ -XXX,XX +XXX,XX @@ static int qemu_mprotect__osdep(void *addr, size_t size, int prot)
 #endif
 }
 
+int qemu_mprotect_rw(void *addr, size_t size)
+{
+#ifdef _WIN32
+    return qemu_mprotect__osdep(addr, size, PAGE_READWRITE);
+#else
+    return qemu_mprotect__osdep(addr, size, PROT_READ | PROT_WRITE);
+#endif
+}
+
 int qemu_mprotect_rwx(void *addr, size_t size)
 {
 #ifdef _WIN32
-- 
2.25.1

If qemu_get_host_physmem returns an odd number of pages,
then physmem / 8 will not be a multiple of the page size.

The following was observed on a gitlab runner:

ERROR qtest-arm/boot-serial-test - Bail out!
ERROR:../util/osdep.c:80:qemu_mprotect__osdep: \
  assertion failed: (!(size & ~qemu_real_host_page_mask))

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 47 +++++++++++++++++++++--------------------------
 1 file changed, 21 insertions(+), 26 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static size_t tcg_n_regions(size_t tb_size, unsigned max_cpus)
   (DEFAULT_CODE_GEN_BUFFER_SIZE_1 < MAX_CODE_GEN_BUFFER_SIZE \
    ? DEFAULT_CODE_GEN_BUFFER_SIZE_1 : MAX_CODE_GEN_BUFFER_SIZE)
 
-static size_t size_code_gen_buffer(size_t tb_size)
-{
-    /* Size the buffer.  */
-    if (tb_size == 0) {
-        size_t phys_mem = qemu_get_host_physmem();
-        if (phys_mem == 0) {
-            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
-        } else {
-            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, phys_mem / 8);
-        }
-    }
-    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
-        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
-    }
-    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
-        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
-    }
-    return tb_size;
-}
-
 #ifdef __mips__
 /*
  * In order to use J and JAL within the code_gen_buffer, we require
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
  */
 void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
-    size_t page_size;
+    const size_t page_size = qemu_real_host_page_size;
     size_t region_size;
     size_t i;
     int have_prot;
 
-    have_prot = alloc_code_gen_buffer(size_code_gen_buffer(tb_size),
-                                      splitwx, &error_fatal);
+    /* Size the buffer.  */
+    if (tb_size == 0) {
+        size_t phys_mem = qemu_get_host_physmem();
+        if (phys_mem == 0) {
+            tb_size = DEFAULT_CODE_GEN_BUFFER_SIZE;
+        } else {
+            tb_size = QEMU_ALIGN_DOWN(phys_mem / 8, page_size);
+            tb_size = MIN(DEFAULT_CODE_GEN_BUFFER_SIZE, tb_size);
+        }
+    }
+    if (tb_size < MIN_CODE_GEN_BUFFER_SIZE) {
+        tb_size = MIN_CODE_GEN_BUFFER_SIZE;
+    }
+    if (tb_size > MAX_CODE_GEN_BUFFER_SIZE) {
+        tb_size = MAX_CODE_GEN_BUFFER_SIZE;
+    }
+
+    have_prot = alloc_code_gen_buffer(tb_size, splitwx, &error_fatal);
     assert(have_prot >= 0);
 
     /* Request large pages for the buffer and the splitwx.  */
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
      * As a result of this we might end up with a few extra pages at the end of
      * the buffer; we will assign those to the last region.
      */
-    region.n = tcg_n_regions(region.total_size, max_cpus);
-    page_size = qemu_real_host_page_size;
-    region_size = region.total_size / region.n;
+    region.n = tcg_n_regions(tb_size, max_cpus);
+    region_size = tb_size / region.n;
     region_size = QEMU_ALIGN_DOWN(region_size, page_size);
 
     /* A region must have at least 2 pages; one code, one guard */
-- 
2.25.1

Do not handle protections on a case-by-case basis in the
various alloc_code_gen_buffer instances; do it within a
single loop in tcg_region_init.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 45 +++++++++++++++++++++++++++++++--------------
 1 file changed, 31 insertions(+), 14 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t tb_size, int splitwx, Error **errp)
     }
 #endif
 
-    if (qemu_mprotect_rwx(buf, size)) {
-        error_setg_errno(errp, errno, "mprotect of jit buffer");
-        return false;
-    }
-
     region.start_aligned = buf;
     region.total_size = size;
 
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
 {
     const size_t page_size = qemu_real_host_page_size;
     size_t region_size;
-    size_t i;
-    int have_prot;
+    int have_prot, need_prot;
 
     /* Size the buffer.  */
     if (tb_size == 0) {
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
      * Set guard pages in the rw buffer, as that's the one into which
      * buffer overruns could occur.  Do not set guard pages in the rx
      * buffer -- let that one use hugepages throughout.
+     * Work with the page protections set up with the initial mapping.
      */
-    for (i = 0; i < region.n; i++) {
+    need_prot = PAGE_READ | PAGE_WRITE;
+#ifndef CONFIG_TCG_INTERPRETER
+    if (tcg_splitwx_diff == 0) {
+        need_prot |= PAGE_EXEC;
+    }
+#endif
+    for (size_t i = 0, n = region.n; i < n; i++) {
         void *start, *end;
 
         tcg_region_bounds(i, &start, &end);
+        if (have_prot != need_prot) {
+            int rc;
 
-        /*
-         * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
-         * rejects a permission change from RWX -> NONE.  Guard pages are
-         * nice for bug detection but are not essential; ignore any failure.
-         */
-        (void)qemu_mprotect_none(end, page_size);
+            if (need_prot == (PAGE_READ | PAGE_WRITE | PAGE_EXEC)) {
+                rc = qemu_mprotect_rwx(start, end - start);
+            } else if (need_prot == (PAGE_READ | PAGE_WRITE)) {
+                rc = qemu_mprotect_rw(start, end - start);
+            } else {
+                g_assert_not_reached();
+            }
+            if (rc) {
+                error_setg_errno(&error_fatal, errno,
+                                 "mprotect of jit buffer");
+            }
+        }
+        if (have_prot != 0) {
+            /*
+             * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
+             * rejects a permission change from RWX -> NONE.  Guard pages are
+             * nice for bug detection but are not essential; ignore any failure.
+             */
+            (void)qemu_mprotect_none(end, page_size);
+        }
     }
 
     tcg_region_trees_init();
-- 
2.25.1

There's a change in mprotect() behaviour [1] in the latest macOS
on M1 and it's not yet clear if it's going to be fixed by Apple.

In this case, instead of changing permissions of N guard pages,
we change permissions of N rwx regions.  The same number of
syscalls are required either way.

[1] https://gist.github.com/hikalium/75ae822466ee4da13cbbe486498a191f

Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/region.c | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@ static int alloc_code_gen_buffer(size_t size, int splitwx, Error **errp)
         error_free_or_abort(errp);
     }
 
-    prot = PROT_READ | PROT_WRITE | PROT_EXEC;
+    /*
+     * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
+     * rejects a permission change from RWX -> NONE when reserving the
+     * guard pages later.  We can go the other way with the same number
+     * of syscalls, so always begin with PROT_NONE.
+     */
+    prot = PROT_NONE;
     flags = MAP_PRIVATE | MAP_ANONYMOUS;
-#ifdef CONFIG_TCG_INTERPRETER
-    /* The tcg interpreter does not need execute permission. */
-    prot = PROT_READ | PROT_WRITE;
-#elif defined(CONFIG_DARWIN)
+#ifdef CONFIG_DARWIN
     /* Applicable to both iOS and macOS (Apple Silicon). */
     if (!splitwx) {
         flags |= MAP_JIT;
@@ -XXX,XX +XXX,XX @@ void tcg_region_init(size_t tb_size, int splitwx, unsigned max_cpus)
             }
         }
         if (have_prot != 0) {
-            /*
-             * macOS 11.2 has a bug (Apple Feedback FB8994773) in which mprotect
-             * rejects a permission change from RWX -> NONE.  Guard pages are
-             * nice for bug detection but are not essential; ignore any failure.
-             */
+            /* Guard pages are nice for bug detection but are not essential. */
             (void)qemu_mprotect_none(end, page_size);
         }
     }
-- 
2.25.1

These variables belong to the jit side, not the user side.

Since tcg_init_ctx is no longer used outside of tcg/, move
the declaration to tcg-internal.h.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Suggested-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h         | 1 -
 tcg/tcg-internal.h        | 1 +
 accel/tcg/translate-all.c | 3 ---
 tcg/tcg.c                 | 3 +++
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ static inline bool temp_readonly(TCGTemp *ts)
     return ts->kind >= TEMP_FIXED;
 }
 
-extern TCGContext tcg_init_ctx;
 extern __thread TCGContext *tcg_ctx;
 extern const void *tcg_code_gen_epilogue;
 extern uintptr_t tcg_splitwx_diff;
diff --git a/tcg/tcg-internal.h b/tcg/tcg-internal.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-internal.h
+++ b/tcg/tcg-internal.h
@@ -XXX,XX +XXX,XX @@
 
 #define TCG_HIGHWATER 1024
 
+extern TCGContext tcg_init_ctx;
 extern TCGContext **tcg_ctxs;
 extern unsigned int tcg_cur_ctxs;
 extern unsigned int tcg_max_ctxs;
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ static int v_l2_levels;
 
 static void *l1_map[V_L1_MAX_SIZE];
 
-/* code generation context */
-TCGContext tcg_init_ctx;
-__thread TCGContext *tcg_ctx;
 TBContext tb_ctx;
 
 static void page_table_config_init(void)
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
 static int tcg_out_ldst_finalize(TCGContext *s);
 #endif
 
+TCGContext tcg_init_ctx;
+__thread TCGContext *tcg_ctx;
+
 TCGContext **tcg_ctxs;
 unsigned int tcg_cur_ctxs;
 unsigned int tcg_max_ctxs;
-- 
2.25.1

Introduce a function to remove everything emitted
since a given point.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h | 10 ++++++++++
 tcg/tcg.c         | 13 +++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ void tcg_op_remove(TCGContext *s, TCGOp *op);
 TCGOp *tcg_op_insert_before(TCGContext *s, TCGOp *op, TCGOpcode opc);
 TCGOp *tcg_op_insert_after(TCGContext *s, TCGOp *op, TCGOpcode opc);
 
+/**
+ * tcg_remove_ops_after:
+ * @op: target operation
+ *
+ * Discard any opcodes emitted since @op.  Expected usage is to save
+ * a starting point with tcg_last_op(), speculatively emit opcodes,
+ * then decide whether or not to keep those opcodes after the fact.
+ */
+void tcg_remove_ops_after(TCGOp *op);
+
 void tcg_optimize(TCGContext *s);
 
 /* Allocate a new temporary and initialize it with a constant. */
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ void tcg_op_remove(TCGContext *s, TCGOp *op)
 #endif
 }
 
+void tcg_remove_ops_after(TCGOp *op)
+{
+    TCGContext *s = tcg_ctx;
+
+    while (true) {
+        TCGOp *last = tcg_last_op();
+        if (last == op) {
+            return;
+        }
+        tcg_op_remove(s, last);
+    }
+}
+
 static TCGOp *tcg_op_alloc(TCGOpcode opc)
 {
     TCGContext *s = tcg_ctx;
-- 
2.25.1

At some point during the development of tcg_constant_*, I changed
my mind about whether such temps should be able to be passed to
tcg_temp_free_*.  The final version committed allows this, but the
commentary was not updated to match.

Fixes: c0522136adf
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Luis Pires <luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -XXX,XX +XXX,XX @@ TCGv_vec tcg_const_ones_vec_matching(TCGv_vec);
 
 /*
  * Locate or create a read-only temporary that is a constant.
- * This kind of temporary need not and should not be freed.
+ * This kind of temporary need not be freed, but for convenience
+ * will be silently ignored by tcg_temp_free_*.
  */
 TCGTemp *tcg_constant_internal(TCGType type, int64_t val);
 
-- 
2.25.1

From: "Jose R. Ziviani" <jziviani@suse.de>

Commit 5e8892db93 fixed several function signatures but tcg_out_op for
arm is missing. This patch fixes it as well.

Signed-off-by: Jose R. Ziviani <jziviani@suse.de>
Message-Id: <20210610224450.23425-1-jziviani@suse.de>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/arm/tcg-target.c.inc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/arm/tcg-target.c.inc
+++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, const TCGArg *args, bool is64)
 static void tcg_out_epilogue(TCGContext *s);
 
 static inline void tcg_out_op(TCGContext *s, TCGOpcode opc,
-                const TCGArg *args, const int *const_args)
+                const TCGArg args[TCG_MAX_OP_ARGS],
+                const int const_args[TCG_MAX_OP_ARGS])
 {
     TCGArg a0, a1, a2, a3, a4, a5;
     int c;
-- 
2.25.1

From: Luis Pires <luis.pires@eldorado.org.br>

Signed-off-by: Luis Pires <luis.pires@eldorado.org.br>
Message-Id: <20210601125143.191165-1-luis.pires@eldorado.org.br>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 docs/devel/tcg.rst | 101 ++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 90 insertions(+), 11 deletions(-)

diff --git a/docs/devel/tcg.rst b/docs/devel/tcg.rst
index XXXXXXX..XXXXXXX 100644
--- a/docs/devel/tcg.rst
+++ b/docs/devel/tcg.rst
@@ -XXX,XX +XXX,XX @@ performances.
 QEMU's dynamic translation backend is called TCG, for "Tiny Code
 Generator". For more information, please take a look at ``tcg/README``.
 
-Some notable features of QEMU's dynamic translator are:
+The following sections outline some notable features and implementation
+details of QEMU's dynamic translator.
 
 CPU state optimisations
 -----------------------
 
-The target CPUs have many internal states which change the way it
-evaluates instructions. In order to achieve a good speed, the
+The target CPUs have many internal states which change the way they
+evaluate instructions. In order to achieve a good speed, the
 translation phase considers that some state information of the virtual
 CPU cannot change in it. The state is recorded in the Translation
 Block (TB). If the state changes (e.g. privilege level), a new TB will
@@ -XXX,XX +XXX,XX @@ Direct block chaining
 ---------------------
 
 After each translated basic block is executed, QEMU uses the simulated
-Program Counter (PC) and other cpu state information (such as the CS
+Program Counter (PC) and other CPU state information (such as the CS
 segment base value) to find the next basic block.
 
-In order to accelerate the most common cases where the new simulated PC
-is known, QEMU can patch a basic block so that it jumps directly to the
-next one.
+In its simplest, less optimized form, this is done by exiting from the
+current TB, going through the TB epilogue, and then back to the
+main loop. That’s where QEMU looks for the next TB to execute,
+translating it from the guest architecture if it isn’t already available
+in memory. Then QEMU proceeds to execute this next TB, starting at the
+prologue and then moving on to the translated instructions.
 
-The most portable code uses an indirect jump. An indirect jump makes
-it easier to make the jump target modification atomic. On some host
-architectures (such as x86 or PowerPC), the ``JUMP`` opcode is
-directly patched so that the block chaining has no overhead.
+Exiting from the TB this way will cause the ``cpu_exec_interrupt()``
+callback to be re-evaluated before executing additional instructions.
+It is mandatory to exit this way after any CPU state changes that may
+unmask interrupts.
+
+In order to accelerate the cases where the TB for the new
+simulated PC is already available, QEMU has mechanisms that allow
+multiple TBs to be chained directly, without having to go back to the
+main loop as described above. These mechanisms are:
+
+``lookup_and_goto_ptr``
+^^^^^^^^^^^^^^^^^^^^^^^
+
+Calling ``tcg_gen_lookup_and_goto_ptr()`` will emit a call to
+``helper_lookup_tb_ptr``. This helper will look for an existing TB that
+matches the current CPU state. If the destination TB is available its
+code address is returned, otherwise the address of the JIT epilogue is
+returned. The call to the helper is always followed by the tcg ``goto_ptr``
+opcode, which branches to the returned address. In this way, we either
+branch to the next TB or return to the main loop.
+
+``goto_tb + exit_tb``
+^^^^^^^^^^^^^^^^^^^^^
+
+The translation code usually implements branching by performing the
+following steps:
+
+1. Call ``tcg_gen_goto_tb()`` passing a jump slot index (either 0 or 1)
+   as a parameter.
+
+2. Emit TCG instructions to update the CPU state with any information
+   that has been assumed constant and is required by the main loop to
+   correctly locate and execute the next TB. For most guests, this is
+   just the PC of the branch destination, but others may store additional
+   data. The information updated in this step must be inferable from both
+   ``cpu_get_tb_cpu_state()`` and ``cpu_restore_state()``.
+
+3. Call ``tcg_gen_exit_tb()`` passing the address of the current TB and
+   the jump slot index again.
+
+Step 1, ``tcg_gen_goto_tb()``, will emit a ``goto_tb`` TCG
+instruction that later on gets translated to a jump to an address
+associated with the specified jump slot. Initially, this is the address
+of step 2's instructions, which update the CPU state information. Step 3,
+``tcg_gen_exit_tb()``, exits from the current TB returning a tagged
+pointer composed of the last executed TB’s address and the jump slot
+index.
+
+The first time this whole sequence is executed, step 1 simply jumps
+to step 2. Then the CPU state information gets updated and we exit from
+the current TB. As a result, the behavior is very similar to the less
+optimized form described earlier in this section.
+
+Next, the main loop looks for the next TB to execute using the
+current CPU state information (creating the TB if it wasn’t already
+available) and, before starting to execute the new TB’s instructions,
+patches the previously executed TB by associating one of its jump
+slots (the one specified in the call to ``tcg_gen_exit_tb()``) with the
+address of the new TB.
+
+The next time this previous TB is executed and we get to that same
+``goto_tb`` step, it will already be patched (assuming the destination TB
+is still in memory) and will jump directly to the first instruction of
+the destination TB, without going back to the main loop.
+
+For the ``goto_tb + exit_tb`` mechanism to be used, the following
+conditions need to be satisfied:
+
+* The change in CPU state must be constant, e.g., a direct branch and
+  not an indirect branch.
+
+* The direct branch cannot cross a page boundary. Memory mappings
+  may change, causing the code at the destination address to change.
+
+Note that, on step 3 (``tcg_gen_exit_tb()``), in addition to the
+jump slot index, the address of the TB just executed is also returned.
+This address corresponds to the TB that will be patched; it may be
+different than the one that was directly executed from the main loop
+if the latter had already been chained to other TBs.
 
 Self-modifying code and translated code invalidation
 ----------------------------------------------------
-- 
2.25.1