Series comparison

-[PULL 00/16] tcg patch queue
+[PULL 00/24] tcg patch queue
-The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:
+The following changes since commit 6587b0c1331d427b0939c37e763842550ed581db:
-  Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)
+  Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-10-15' into staging (2021-10-15 14:16:28 -0700)
 are available in the Git repository at:
-  https://github.com/rth7680/qemu.git tags/pull-tcg-20200121
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20211016
-for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:
+for you to fetch changes up to 995b87dedc78b0467f5f18bbc3546072ba97516a:
-  scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)
+  Revert "cpu: Move cpu_common_props to hw/core/cpu.c" (2021-10-15 16:39:15 -0700)
 ----------------------------------------------------------------
-Remove another limit to NB_MMU_MODES.
+Move gdb singlestep to generic code
-Fix compilation using uclibc.
+Fix cpu_common_props
 Fix defaulting of -accel parameters.
 Tidy cputlb basic routines.
 Adjust git.orderfile for decodetree.
 ----------------------------------------------------------------
-Carlos Santos (1):
+Richard Henderson (24):
-      util/cacheinfo: fix crash when compiling with uClibc
+      accel/tcg: Handle gdb singlestep in cpu_tb_exec
       target/alpha: Drop checks for singlestep_enabled
       target/avr: Drop checks for singlestep_enabled
       target/cris: Drop checks for singlestep_enabled
       target/hexagon: Drop checks for singlestep_enabled
       target/arm: Drop checks for singlestep_enabled
       target/hppa: Drop checks for singlestep_enabled
       target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
       target/i386: Drop check for singlestep_enabled
       target/m68k: Drop checks for singlestep_enabled
       target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
       target/microblaze: Drop checks for singlestep_enabled
       target/mips: Fix single stepping
       target/mips: Drop exit checks for singlestep_enabled
       target/openrisc: Drop checks for singlestep_enabled
       target/ppc: Drop exit checks for singlestep_enabled
       target/riscv: Remove dead code after exception
       target/riscv: Remove exit_tb and lookup_and_goto_ptr
       target/rx: Drop checks for singlestep_enabled
       target/s390x: Drop check for singlestep_enabled
       target/sh4: Drop check for singlestep_enabled
       target/tricore: Drop check for singlestep_enabled
       target/xtensa: Drop check for singlestep_enabled
       Revert "cpu: Move cpu_common_props to hw/core/cpu.c"
-Philippe Mathieu-Daudé (1):
+ include/hw/core/cpu.h                          |  1 +
-      scripts/git.orderfile: Display decodetree before C source
+ target/i386/helper.h                           |  1 -
  target/rx/helper.h                             |  1 -
  target/sh4/helper.h                            |  1 -
  target/tricore/helper.h                        |  1 -
  accel/tcg/cpu-exec.c                           | 11 ++++
  cpu.c                                          | 21 ++++++++
  hw/core/cpu-common.c                           | 17 +-----
  target/alpha/translate.c                       | 13 ++---
  target/arm/translate-a64.c                     | 10 +---
  target/arm/translate.c                         | 36 +++----------
  target/avr/translate.c                         | 19 ++-----
  target/cris/translate.c                        | 16 ------
  target/hexagon/translate.c                     | 12 +----
  target/hppa/translate.c                        | 17 ++----
  target/i386/tcg/misc_helper.c                  |  8 ---
  target/i386/tcg/translate.c                    |  9 ++--
  target/m68k/translate.c                        | 44 ++++-----------
  target/microblaze/translate.c                  | 18 ++-----
  target/mips/tcg/translate.c                    | 75 ++++++++++++--------------
  target/openrisc/translate.c                    | 18 ++-----
  target/ppc/translate.c                         | 38 +++----------
  target/riscv/translate.c                       | 27 +---------
  target/rx/op_helper.c                          |  8 ---
  target/rx/translate.c                          | 12 +----
  target/s390x/tcg/translate.c                   |  8 +--
  target/sh4/op_helper.c                         |  5 --
  target/sh4/translate.c                         | 14 ++---
  target/tricore/op_helper.c                     |  7 ---
  target/tricore/translate.c                     | 14 +----
  target/xtensa/translate.c                      | 25 +++------
  target/riscv/insn_trans/trans_privileged.c.inc | 10 ++--
  target/riscv/insn_trans/trans_rvi.c.inc        |  8 ++-
  target/riscv/insn_trans/trans_rvv.c.inc        |  2 +-
 files changed, 141 insertions(+), 386 deletions(-)
-Richard Henderson (14):
-      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
-      vl: Remove unused variable in configure_accelerators
-      vl: Reduce scope of variables in configure_accelerators
-      vl: Remove useless test in configure_accelerators
-      vl: Only choose enabled accelerators in configure_accelerators
-      cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
-      cputlb: Make tlb_n_entries private to cputlb.c
-      cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
-      cputlb: Hoist tlb portions in tlb_mmu_resize_locked
-      cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
-      cputlb: Split out tlb_mmu_flush_locked
-      cputlb: Partially merge tlb_dyn_init into tlb_init
-      cputlb: Initialize tlbs as flushed
-      cputlb: Hoist timestamp outside of loops over tlbs
- include/exec/cpu_ldst.h |   5 -
- accel/tcg/cputlb.c      | 287 +++++++++++++++++++++++++++++++++---------------
- util/cacheinfo.c        |  10 +-
- vl.c                    |  27 +++--
- scripts/git.orderfile   |   3 +
-files changed, 223 insertions(+), 109 deletions(-)

-New patch
+[PULL 01/24] accel/tcg: Handle gdb singlestep in cpu_tb_exec
+Currently the change in cpu_tb_exec is masked by the debug exception
+being raised by the translators.  But this allows us to remove that code.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ accel/tcg/cpu-exec.c | 11 +++++++++++
+file changed, 11 insertions(+)
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -XXX,XX +XXX,XX @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
+             cc->set_pc(cpu, last_tb->pc);
+         }
+     }
++
++    /*
++     * If gdb single-step, and we haven't raised another exception,
++     * raise a debug exception.  Single-step with another exception
++     * is handled in cpu_handle_exception.
++     */
++    if (unlikely(cpu->singlestep_enabled) && cpu->exception_index == -1) {
++        cpu->exception_index = EXCP_DEBUG;
++        cpu_loop_exit(cpu);
++    }
++
+     return last_tb;
+ }
+--
+.25.1

-New patch
+[PULL 02/24] target/alpha: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/alpha/translate.c | 13 +++----------
+file changed, 3 insertions(+), 10 deletions(-)
+diff --git a/target/alpha/translate.c b/target/alpha/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/alpha/translate.c
++++ b/target/alpha/translate.c
+@@ -XXX,XX +XXX,XX @@ static void alpha_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         tcg_gen_movi_i64(cpu_pc, ctx->base.pc_next);
+         /* FALLTHRU */
+     case DISAS_PC_UPDATED:
+-        if (!ctx->base.singlestep_enabled) {
+-            tcg_gen_lookup_and_goto_ptr();
+-            break;
+-        }
+-        /* FALLTHRU */
++        tcg_gen_lookup_and_goto_ptr();
++        break;
+     case DISAS_PC_UPDATED_NOCHAIN:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG, 0);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 03/24] target/avr: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Tested-by: Michael Rolnik <mrolnik@gmail.com>
+Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/avr/translate.c | 19 ++++---------------
+file changed, 4 insertions(+), 15 deletions(-)
+diff --git a/target/avr/translate.c b/target/avr/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/avr/translate.c
++++ b/target/avr/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
+         tcg_gen_exit_tb(tb, n);
+     } else {
+         tcg_gen_movi_i32(cpu_pc, dest);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         tcg_gen_movi_tl(cpu_pc, ctx->npc);
+         /* fall through */
+     case DISAS_LOOKUP:
+-        if (!ctx->base.singlestep_enabled) {
+-            tcg_gen_lookup_and_goto_ptr();
+-            break;
+-        }
+-        /* fall through */
++        tcg_gen_lookup_and_goto_ptr();
++        break;
+     case DISAS_EXIT:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_helper_debug(cpu_env);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     default:
+         g_assert_not_reached();
+--
+.25.1

-New patch
+[PULL 04/24] target/cris: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/cris/translate.c | 16 ----------------
+file changed, 16 deletions(-)
+diff --git a/target/cris/translate.c b/target/cris/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/cris/translate.c
++++ b/target/cris/translate.c
+@@ -XXX,XX +XXX,XX @@ static void cris_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         }
+     }
+-    if (unlikely(dc->base.singlestep_enabled)) {
+-        switch (is_jmp) {
+-        case DISAS_TOO_MANY:
+-        case DISAS_UPDATE_NEXT:
+-            tcg_gen_movi_tl(env_pc, npc);
+-            /* fall through */
+-        case DISAS_JUMP:
+-        case DISAS_UPDATE:
+-            t_gen_raise_exception(EXCP_DEBUG);
+-            return;
+-        default:
+-            break;
+-        }
+-        g_assert_not_reached();
+-    }
+-
+     switch (is_jmp) {
+     case DISAS_TOO_MANY:
+         gen_goto_tb(dc, 0, npc);
+--
+.25.1

-New patch
+[PULL 05/24] target/hexagon: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/hexagon/translate.c | 12 ++----------
+file changed, 2 insertions(+), 10 deletions(-)
+diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hexagon/translate.c
++++ b/target/hexagon/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_end_tb(DisasContext *ctx)
+ {
+     gen_exec_counters(ctx);
+     tcg_gen_mov_tl(hex_gpr[HEX_REG_PC], hex_next_PC);
+-    if (ctx->base.singlestep_enabled) {
+-        gen_exception_raw(EXCP_DEBUG);
+-    } else {
+-        tcg_gen_exit_tb(NULL, 0);
+-    }
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+ }
+@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+     case DISAS_TOO_MANY:
+         gen_exec_counters(ctx);
+         tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], ctx->base.pc_next);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_exception_raw(EXCP_DEBUG);
+-        } else {
+-            tcg_gen_exit_tb(NULL, 0);
+-        }
++        tcg_gen_exit_tb(NULL, 0);
+         break;
+     case DISAS_NORETURN:
+         break;
+--
+.25.1

-New patch
+[PULL 06/24] target/arm: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/arm/translate-a64.c | 10 ++--------
+ target/arm/translate.c     | 36 ++++++------------------------------
+files changed, 8 insertions(+), 38 deletions(-)
+diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate-a64.c
++++ b/target/arm/translate-a64.c
+@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
+         gen_a64_set_pc_im(dest);
+         if (s->ss_active) {
+             gen_step_complete_exception(s);
+-        } else if (s->base.singlestep_enabled) {
+-            gen_exception_internal(EXCP_DEBUG);
+         } else {
+             tcg_gen_lookup_and_goto_ptr();
+             s->base.is_jmp = DISAS_NORETURN;
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    if (unlikely(dc->base.singlestep_enabled || dc->ss_active)) {
++    if (unlikely(dc->ss_active)) {
+         /* Note that this means single stepping WFI doesn't halt the CPU.
+          * For conditional branch insns this is harmless unreachable code as
+          * gen_goto_tb() has already handled emitting the debug exception
+@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+             /* fall through */
+         case DISAS_EXIT:
+         case DISAS_JUMP:
+-            if (dc->base.singlestep_enabled) {
+-                gen_exception_internal(EXCP_DEBUG);
+-            } else {
+-                gen_step_complete_exception(dc);
+-            }
++            gen_step_complete_exception(dc);
+             break;
+         case DISAS_NORETURN:
+             break;
+diff --git a/target/arm/translate.c b/target/arm/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/translate.c
++++ b/target/arm/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
+     tcg_temp_free_i32(tcg_excp);
+ }
+-static void gen_step_complete_exception(DisasContext *s)
++static void gen_singlestep_exception(DisasContext *s)
+ {
+     /* We just completed step of an insn. Move from Active-not-pending
+      * to Active-pending, and then also take the swstep exception.
+@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
+     s->base.is_jmp = DISAS_NORETURN;
+ }
+-static void gen_singlestep_exception(DisasContext *s)
+-{
+-    /* Generate the right kind of exception for singlestep, which is
+-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
+-     * gdb singlestepping.
+-     */
+-    if (s->ss_active) {
+-        gen_step_complete_exception(s);
+-    } else {
+-        gen_exception_internal(EXCP_DEBUG);
+-    }
+-}
+-
+-static inline bool is_singlestepping(DisasContext *s)
+-{
+-    /* Return true if we are singlestepping either because of
+-     * architectural singlestep or QEMU gdbstub singlestep. This does
+-     * not include the command line '-singlestep' mode which is rather
+-     * misnamed as it only means "one instruction per TB" and doesn't
+-     * affect the code we generate.
+-     */
+-    return s->base.singlestep_enabled || s->ss_active;
+-}
+-
+ void clear_eci_state(DisasContext *s)
+ {
+     /*
+@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
+     /* Is the new PC value in the magic range indicating exception return? */
+     tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
+     /* No: end the TB as we would for a DISAS_JMP */
+-    if (is_singlestepping(s)) {
++    if (s->ss_active) {
+         gen_singlestep_exception(s);
+     } else {
+         tcg_gen_exit_tb(NULL, 0);
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
+ /* Jump, specifying which TB number to use if we gen_goto_tb() */
+ static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
+ {
+-    if (unlikely(is_singlestepping(s))) {
++    if (unlikely(s->ss_active)) {
+         /* An indirect jump so that we still trigger the debug exception.  */
+         gen_set_pc_im(s, dest);
+         s->base.is_jmp = DISAS_JUMP;
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
+     /* If architectural single step active, limit to 1.  */
+-    if (is_singlestepping(dc)) {
++    if (dc->ss_active) {
+         dc->base.max_insns = 1;
+     }
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+          * insn codepath itself.
+          */
+         gen_bx_excret_final_code(dc);
+-    } else if (unlikely(is_singlestepping(dc))) {
++    } else if (unlikely(dc->ss_active)) {
+         /* Unconditional and "condition passed" instruction codepath. */
+         switch (dc->base.is_jmp) {
+         case DISAS_SWI:
+@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
+         /* "Condition failed" instruction codepath for the branch/trap insn */
+         gen_set_label(dc->condlabel);
+         gen_set_condexec(dc);
+-        if (unlikely(is_singlestepping(dc))) {
++        if (unlikely(dc->ss_active)) {
+             gen_set_pc_im(dc, dc->base.pc_next);
+             gen_singlestep_exception(dc);
+         } else {
+--
+.25.1

-New patch
+[PULL 07/24] target/hppa: Drop checks for singlestep_enabled
+GDB single-stepping is now handled generically.
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/hppa/translate.c | 17 ++++-------------
+file changed, 4 insertions(+), 13 deletions(-)
+diff --git a/target/hppa/translate.c b/target/hppa/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/hppa/translate.c
++++ b/target/hppa/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int which,
+     } else {
+         copy_iaoq_entry(cpu_iaoq_f, f, cpu_iaoq_b);
+         copy_iaoq_entry(cpu_iaoq_b, b, ctx->iaoq_n_var);
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG);
+-        } else {
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
++        tcg_gen_lookup_and_goto_ptr();
+     }
+ }
+@@ -XXX,XX +XXX,XX @@ static bool do_rfi(DisasContext *ctx, bool rfi_r)
+         gen_helper_rfi(cpu_env);
+     }
+     /* Exit the TB to recognize new interrupts.  */
+-    if (ctx->base.singlestep_enabled) {
+-        gen_excp_1(EXCP_DEBUG);
+-    } else {
+-        tcg_gen_exit_tb(NULL, 0);
+-    }
++    tcg_gen_exit_tb(NULL, 0);
+     ctx->base.is_jmp = DISAS_NORETURN;
+     return nullify_end(ctx);
+@@ -XXX,XX +XXX,XX @@ static void hppa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+         nullify_save(ctx);
+         /* FALLTHRU */
+     case DISAS_IAQ_N_UPDATED:
+-        if (ctx->base.singlestep_enabled) {
+-            gen_excp_1(EXCP_DEBUG);
+-        } else if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
++        if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
+             tcg_gen_lookup_and_goto_ptr();
++            break;
+         }
+         /* FALLTHRU */
+     case DISAS_EXIT:
+--
+.25.1

-New patch
+[PULL 08/24] target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
+We were using singlestep_enabled as a proxy for whether
+translator_use_goto_tb would always return false.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/tcg/translate.c | 5 +++--
+file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/translate.c
++++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+     CPUX86State *env = cpu->env_ptr;
+     uint32_t flags = dc->base.tb->flags;
++    uint32_t cflags = tb_cflags(dc->base.tb);
+     int cpl = (flags >> HF_CPL_SHIFT) & 3;
+     int iopl = (flags >> IOPL_SHIFT) & 3;
+@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
+     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
+     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
+     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
+-    dc->jmp_opt = !(dc->base.singlestep_enabled ||
++    dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
+                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
+     /*
+      * If jmp_opt, we want to handle each string instruction individually.
+      * For icount also disable repz optimization so that each iteration
+      * is accounted separately.
+      */
+-    dc->repz_opt = !dc->jmp_opt && !(tb_cflags(dc->base.tb) & CF_USE_ICOUNT);
++    dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
+     dc->T0 = tcg_temp_new();
+     dc->T1 = tcg_temp_new();
+--
+.25.1

-[PULL 16/16] scripts/git.orderfile: Display decodetree before C source
+[PULL 09/24] target/i386: Drop check for singlestep_enabled
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+GDB single-stepping is now handled generically.
-To avoid scrolling each instruction when reviewing tcg
-helpers written for the decodetree script, display the
-.decode files (similar to header declarations) before
-the C source (implementation of previous declarations).
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Message-Id: <20191230082856.30556-1-philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- scripts/git.orderfile | 3 +++
+ target/i386/helper.h          | 1 -
-file changed, 3 insertions(+)
+ target/i386/tcg/misc_helper.c | 8 --------
  target/i386/tcg/translate.c   | 4 +---
 files changed, 1 insertion(+), 12 deletions(-)
-diff --git a/scripts/git.orderfile b/scripts/git.orderfile
+diff --git a/target/i386/helper.h b/target/i386/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/scripts/git.orderfile
+--- a/target/i386/helper.h
-+++ b/scripts/git.orderfile
++++ b/target/i386/helper.h
-@@ -XXX,XX +XXX,XX @@ qga/*.json
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(syscall, void, env, int)
- # headers
+ DEF_HELPER_2(sysret, void, env, int)
- *.h
+ #endif
+ DEF_HELPER_FLAGS_2(pause, TCG_CALL_NO_WG, noreturn, env, int)
-+# decoding tree specification
+-DEF_HELPER_FLAGS_1(debug, TCG_CALL_NO_WG, noreturn, env)
-+*.decode
+ DEF_HELPER_1(reset_rf, void, env)
-+
+ DEF_HELPER_FLAGS_3(raise_interrupt, TCG_CALL_NO_WG, noreturn, env, int, int)
- # code
+ DEF_HELPER_FLAGS_2(raise_exception, TCG_CALL_NO_WG, noreturn, env, int)
- *.c
+diff --git a/target/i386/tcg/misc_helper.c b/target/i386/tcg/misc_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/misc_helper.c
 +++ b/target/i386/tcg/misc_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_pause(CPUX86State *env, int next_eip_addend)
      do_pause(env);
  }
 -void QEMU_NORETURN helper_debug(CPUX86State *env)
 -{
 -    CPUState *cs = env_cpu(env);
 -
 -    cs->exception_index = EXCP_DEBUG;
 -    cpu_loop_exit(cs);
 -}
 -
  uint64_t helper_rdpkru(CPUX86State *env, uint32_t ecx)
  {
      if ((env->cr[4] & CR4_PKE_MASK) == 0) {
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
      if (s->base.tb->flags & HF_RF_MASK) {
          gen_helper_reset_rf(cpu_env);
      }
 -    if (s->base.singlestep_enabled) {
 -        gen_helper_debug(cpu_env);
 -    } else if (recheck_tf) {
 +    if (recheck_tf) {
          gen_helper_rechecking_single_step(cpu_env);
          tcg_gen_exit_tb(NULL, 0);
      } else if (s->flags & HF_TF_MASK) {
 --
-.20.1
+.25.1

-[PULL 07/16] cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
+[PULL 10/24] target/m68k: Drop checks for singlestep_enabled
-There is only one caller for tlb_table_flush_by_mmuidx.  Place
+GDB single-stepping is now handled generically.
 the result at the earlier line number, due to an expected user
 in the near future.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Acked-by: Laurent Vivier <laurent@vivier.eu>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 +++++++------------
+ target/m68k/translate.c | 44 +++++++++--------------------------------
-file changed, 7 insertions(+), 12 deletions(-)
+file changed, 9 insertions(+), 35 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/m68k/translate.c b/target/m68k/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/m68k/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/m68k/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static void do_writebacks(DisasContext *s)
      }
  }
--static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
+-static bool is_singlestepping(DisasContext *s)
 +static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
  {
      tlb_mmu_resize_locked(env, mmu_idx);
 -    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
      env_tlb(env)->d[mmu_idx].n_used_entries = 0;
 +    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
 +    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
 +    env_tlb(env)->d[mmu_idx].vindex = 0;
 +    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
 +    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
 +           sizeof(env_tlb(env)->d[0].vtable));
  }
  static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
      *pelide = elide;
  }
 -static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 -{
--    tlb_table_flush_by_mmuidx(env, mmu_idx);
+-    /*
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+-     * Return true if we are singlestepping either because of
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+-     * architectural singlestep or QEMU gdbstub singlestep. This does
--    env_tlb(env)->d[mmu_idx].vindex = 0;
+-     * not include the command line '-singlestep' mode which is rather
--    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+-     * misnamed as it only means "one instruction per TB" and doesn't
--           sizeof(env_tlb(env)->d[0].vtable));
+-     * affect the code we generate.
 -     */
 -    return s->base.singlestep_enabled || s->ss_active;
 -}
 -
- static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
+ /* is_jmp field values */
  #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
  #define DISAS_EXIT      DISAS_TARGET_1 /* cpu state was modified dynamically */
@@ -XXX,XX +XXX,XX @@ static void gen_exception(DisasContext *s, uint32_t dest, int nr)
      s->base.is_jmp = DISAS_NORETURN;
  }
 -static void gen_singlestep_exception(DisasContext *s)
 -{
 -    /*
 -     * Generate the right kind of exception for singlestep, which is
 -     * either the architectural singlestep or EXCP_DEBUG for QEMU's
 -     * gdb singlestepping.
 -     */
 -    if (s->ss_active) {
 -        gen_raise_exception(EXCP_TRACE);
 -    } else {
 -        gen_raise_exception(EXCP_DEBUG);
 -    }
 -}
 -
  static inline void gen_addr_fault(DisasContext *s)
  {
-     CPUArchState *env = cpu->env_ptr;
+     gen_exception(s, s->base.pc_next, EXCP_ADDRESS);
@@ -XXX,XX +XXX,XX @@ static void gen_exit_tb(DisasContext *s)
  /* Generate a jump to an immediate address.  */
  static void gen_jmp_tb(DisasContext *s, int n, uint32_t dest)
  {
 -    if (unlikely(is_singlestepping(s))) {
 +    if (unlikely(s->ss_active)) {
          update_cc_op(s);
          tcg_gen_movi_i32(QREG_PC, dest);
 -        gen_singlestep_exception(s);
 +        gen_raise_exception(EXCP_TRACE);
      } else if (translator_use_goto_tb(&s->base, dest)) {
          tcg_gen_goto_tb(n);
          tcg_gen_movi_i32(QREG_PC, dest);
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
      dc->ss_active = (M68K_SR_TRACE(env->sr) == M68K_SR_TRACE_ANY_INS);
      /* If architectural single step active, limit to 1 */
 -    if (is_singlestepping(dc)) {
 +    if (dc->ss_active) {
          dc->base.max_insns = 1;
      }
  }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          break;
      case DISAS_TOO_MANY:
          update_cc_op(dc);
 -        if (is_singlestepping(dc)) {
 +        if (dc->ss_active) {
              tcg_gen_movi_i32(QREG_PC, dc->pc);
 -            gen_singlestep_exception(dc);
 +            gen_raise_exception(EXCP_TRACE);
          } else {
              gen_jmp_tb(dc, 0, dc->pc);
          }
          break;
      case DISAS_JUMP:
          /* We updated CC_OP and PC in gen_jmp/gen_jmp_im.  */
 -        if (is_singlestepping(dc)) {
 -            gen_singlestep_exception(dc);
 +        if (dc->ss_active) {
 +            gen_raise_exception(EXCP_TRACE);
          } else {
              tcg_gen_lookup_and_goto_ptr();
          }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
           * We updated CC_OP and PC in gen_exit_tb, but also modified
           * other state that may require returning to the main loop.
           */
 -        if (is_singlestepping(dc)) {
 -            gen_singlestep_exception(dc);
 +        if (dc->ss_active) {
 +            gen_raise_exception(EXCP_TRACE);
          } else {
              tcg_gen_exit_tb(NULL, 0);
          }
 --
-.20.1
+.25.1

-[PULL 06/16] vl: Only choose enabled accelerators in configure_accelerators
+[PULL 11/24] target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
-By choosing "tcg:kvm" when kvm is not enabled, we generate
+We were using singlestep_enabled as a proxy for whether
-an incorrect warning: "invalid accelerator kvm".
+translator_use_goto_tb would always return false.
-At the same time, use g_str_has_suffix rather than open-coding
-the same operation.
-Presumably the inverse is also true with --disable-tcg.
-Fixes: 28a0961757fc
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 21 +++++++++++++--------
+ target/microblaze/translate.c | 4 ++--
-file changed, 13 insertions(+), 8 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/target/microblaze/translate.c
-+++ b/vl.c
++++ b/target/microblaze/translate.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
+         break;
-         if (accel == NULL) {
-             /* Select the default accelerator */
+     case DISAS_JUMP:
--            if (!accel_find("tcg") && !accel_find("kvm")) {
+-        if (dc->jmp_dest != -1 && !cs->singlestep_enabled) {
--                error_report("No accelerator selected and"
++        if (dc->jmp_dest != -1 && !(tb_cflags(dc->base.tb) & CF_NO_GOTO_TB)) {
--                             " no default accelerator available");
+             /* Direct jump. */
--                exit(1);
+             tcg_gen_discard_i32(cpu_btarget);
--            } else {
--                int pnlen = strlen(progname);
+@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
--                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
+             return;
 +            bool have_tcg = accel_find("tcg");
 +            bool have_kvm = accel_find("kvm");
 +
 +            if (have_tcg && have_kvm) {
 +                if (g_str_has_suffix(progname, "kvm")) {
                      /* If the program name ends with "kvm", we prefer KVM */
                      accel = "kvm:tcg";
                  } else {
                      accel = "tcg:kvm";
                  }
 +            } else if (have_kvm) {
 +                accel = "kvm";
 +            } else if (have_tcg) {
 +                accel = "tcg";
 +            } else {
 +                error_report("No accelerator selected and"
 +                             " no default accelerator available");
 +                exit(1);
              }
          }
--
-         accel_list = g_strsplit(accel, ":", 0);
+-        /* Indirect jump (or direct jump w/ singlestep) */
++        /* Indirect jump (or direct jump w/ goto_tb disabled) */
-         for (tmp = accel_list; *tmp; tmp++) {
+         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
          tcg_gen_discard_i32(cpu_btarget);
 --
-.20.1
+.25.1

-[PULL 05/16] vl: Remove useless test in configure_accelerators
+[PULL 12/24] target/microblaze: Drop checks for singlestep_enabled
-The result of g_strsplit is never NULL.
+GDB single-stepping is now handled generically.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 2 +-
+ target/microblaze/translate.c | 14 ++------------
-file changed, 1 insertion(+), 1 deletion(-)
+file changed, 2 insertions(+), 12 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/target/microblaze/translate.c
-+++ b/vl.c
++++ b/target/microblaze/translate.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ static void gen_raise_hw_excp(DisasContext *dc, uint32_t esr_ec)
-         accel_list = g_strsplit(accel, ":", 0);
+ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
+ {
--        for (tmp = accel_list; tmp && *tmp; tmp++) {
+-    if (dc->base.singlestep_enabled) {
-+        for (tmp = accel_list; *tmp; tmp++) {
+-        TCGv_i32 tmp = tcg_const_i32(EXCP_DEBUG);
-             /*
+-        tcg_gen_movi_i32(cpu_pc, dest);
-              * Filter invalid accelerators here, to prevent obscenities
+-        gen_helper_raise_exception(cpu_env, tmp);
-              * such as "-machine accel=tcg,,thread=single".
+-        tcg_temp_free_i32(tmp);
 -    } else if (translator_use_goto_tb(&dc->base, dest)) {
 +    if (translator_use_goto_tb(&dc->base, dest)) {
          tcg_gen_goto_tb(n);
          tcg_gen_movi_i32(cpu_pc, dest);
          tcg_gen_exit_tb(dc->base.tb, n);
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
          /* Indirect jump (or direct jump w/ goto_tb disabled) */
          tcg_gen_mov_i32(cpu_pc, cpu_btarget);
          tcg_gen_discard_i32(cpu_btarget);
 -
 -        if (unlikely(cs->singlestep_enabled)) {
 -            gen_raise_exception(dc, EXCP_DEBUG);
 -        } else {
 -            tcg_gen_lookup_and_goto_ptr();
 -        }
 +        tcg_gen_lookup_and_goto_ptr();
          return;
      default:
 --
-.20.1
+.25.1

-[PULL 10/16] cputlb: Hoist tlb portions in tlb_mmu_resize_locked
+[PULL 13/24] target/mips: Fix single stepping
-No functional change, but the smaller expressions make
+As per an ancient comment in mips_tr_translate_insn about the
-the code easier to read.
+expectations of gdb, when restarting the insn in a delay slot
 we also re-execute the branch.  Which means that we are
 expected to execute two insns in this case.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+This has been broken since 8b86d6d2580, where we forced max_insns
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+to 1 while single-stepping.  This resulted in an exit from the
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+translator loop after the branch but before the delay slot is
 translated.
 Increase the max_insns to 2 for this case.  In addition, bypass
 the end-of-page check, for when the branch itself ends the page.
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
+ target/mips/tcg/translate.c | 25 ++++++++++++++++---------
-file changed, 17 insertions(+), 18 deletions(-)
+file changed, 16 insertions(+), 9 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/mips/tcg/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/mips/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+     ctx->default_tcg_memop_mask = (ctx->insn_flags & (ISA_MIPS_R6 |
- /**
+                                   INSN_LOONGSON3A)) ? MO_UNALN : MO_ALIGN;
-  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
-- * @env: CPU that owns the TLB
++    /*
-- * @mmu_idx: MMU index of the TLB
++     * Execute a branch and its delay slot as a single instruction.
-+ * @desc: The CPUTLBDesc portion of the TLB
++     * This is what GDB expects and is consistent with what the
-+ * @fast: The CPUTLBDescFast portion of the same TLB
++     * hardware does (e.g. if a delay slot instruction faults, the
-  *
++     * reported PC is the PC of the branch).
-  * Called with tlb_lock_held.
++     */
-  *
++    if (ctx->base.singlestep_enabled && (ctx->hflags & MIPS_HFLAG_BMASK)) {
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
++        ctx->base.max_insns = 2;
-  * high), since otherwise we are likely to have a significant amount of
++    }
-  * conflict misses.
++
-  */
+     LOG_DISAS("\ntb %p idx %d hflags %04x\n", ctx->base.tb, ctx->mem_idx,
--static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+               ctx->hflags);
-+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+ }
- {
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
--    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+     if (ctx->base.is_jmp != DISAS_NEXT) {
 -    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
 +    size_t old_size = tlb_n_entries(fast);
      size_t rate;
      size_t new_size = old_size;
      int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
          return;
      }
--    g_free(env_tlb(env)->f[mmu_idx].table);
--    g_free(env_tlb(env)->d[mmu_idx].iotlb);
-+    g_free(fast->table);
-+    g_free(desc->iotlb);
-     tlb_window_reset(desc, now, 0);
-     /* desc->n_used_entries is cleared by the caller */
--    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
--    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
--    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
-+    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
-+    fast->table = g_try_new(CPUTLBEntry, new_size);
-+    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +
      /*
-      * If the allocations fail, try smaller sizes. We just freed some
+-     * Execute a branch and its delay slot as a single instruction.
-      * memory, so going back to half of new_size has a good chance of working.
+-     * This is what GDB expects and is consistent with what the
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+-     * hardware does (e.g. if a delay slot instruction faults, the
-      * allocations to fail though, so we progressively reduce the allocation
+-     * reported PC is the PC of the branch).
-      * size, aborting if we cannot even allocate the smallest TLB we support.
++     * End the TB on (most) page crossings.
 +     * See mips_tr_init_disas_context about single-stepping a branch
 +     * together with its delay slot.
       */
--    while (env_tlb(env)->f[mmu_idx].table == NULL ||
+-    if (ctx->base.singlestep_enabled &&
--           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
+-        (ctx->hflags & MIPS_HFLAG_BMASK) == 0) {
-+    while (fast->table == NULL || desc->iotlb == NULL) {
+-        ctx->base.is_jmp = DISAS_TOO_MANY;
-         if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
+-    }
-             error_report("%s: %s", __func__, strerror(errno));
+-    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE) {
-             abort();
++    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE
-         }
++        && !ctx->base.singlestep_enabled) {
-         new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
+         ctx->base.is_jmp = DISAS_TOO_MANY;
 -        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 +        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 -        g_free(env_tlb(env)->f[mmu_idx].table);
 -        g_free(env_tlb(env)->d[mmu_idx].iotlb);
 -        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
 -        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +        g_free(fast->table);
 +        g_free(desc->iotlb);
 +        fast->table = g_try_new(CPUTLBEntry, new_size);
 +        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
      }
  }
- static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
- {
--    tlb_mmu_resize_locked(env, mmu_idx);
-+    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
-     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
-     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
 --
-.20.1
+.25.1

-[PULL 01/16] cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
+[PULL 14/24] target/mips: Drop exit checks for singlestep_enabled
-In target/arm we will shortly have "too many" mmu_idx.
+GDB single-stepping is now handled generically.
 The current minimum barrier is caused by the way in which
 tlb_flush_page_by_mmuidx is coded.
-We can remove this limitation by allocating memory for
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 consumption by the worker.  Let us assume that this is
 the unlikely case, as will be the case for the majority
 of targets which have so far satisfied the BUILD_BUG_ON,
 and only allocate memory when necessary.
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
+ target/mips/tcg/translate.c | 50 +++++++++++++------------------------
-file changed, 132 insertions(+), 35 deletions(-)
+file changed, 18 insertions(+), 32 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/mips/tcg/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/mips/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
          tcg_gen_exit_tb(ctx->base.tb, n);
      } else {
          gen_save_pc(dest);
 -        if (ctx->base.singlestep_enabled) {
 -            save_cpu_state(ctx, 0);
 -            gen_helper_raise_exception_debug(cpu_env);
 -        } else {
 -            tcg_gen_lookup_and_goto_ptr();
 -        }
 +        tcg_gen_lookup_and_goto_ptr();
      }
  }
--/* As we are going to hijack the bottom bits of the page address for a
+@@ -XXX,XX +XXX,XX @@ static void gen_branch(DisasContext *ctx, int insn_bytes)
-- * mmuidx bit mask we need to fail to build if we can't do that
+             } else {
-+/**
+                 tcg_gen_mov_tl(cpu_PC, btarget);
-+ * tlb_flush_page_by_mmuidx_async_0:
+             }
-+ * @cpu: cpu on which to flush
+-            if (ctx->base.singlestep_enabled) {
-+ * @addr: page of virtual address to flush
+-                save_cpu_state(ctx, 0);
-+ * @idxmap: set of mmu_idx to flush
+-                gen_helper_raise_exception_debug(cpu_env);
-+ *
+-            }
-+ * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
+             tcg_gen_lookup_and_goto_ptr();
-+ * at @addr from the tlbs indicated by @idxmap from @cpu.
+             break;
-  */
+         default:
--QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
+@@ -XXX,XX +XXX,XX @@ static void mips_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
 -
 -static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
 -                                                run_on_cpu_data data)
 +static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
 +                                             target_ulong addr,
 +                                             uint16_t idxmap)
  {
-     CPUArchState *env = cpu->env_ptr;
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
--    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
--    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
+-    if (ctx->base.singlestep_enabled && ctx->base.is_jmp != DISAS_NORETURN) {
--    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
+-        save_cpu_state(ctx, ctx->base.is_jmp != DISAS_EXIT);
-     int mmu_idx;
+-        gen_helper_raise_exception_debug(cpu_env);
+-    } else {
-     assert_cpu_is_self(cpu);
+-        switch (ctx->base.is_jmp) {
+-        case DISAS_STOP:
--    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
+-            gen_save_pc(ctx->base.pc_next);
--              addr, mmu_idx_bitmap);
+-            tcg_gen_lookup_and_goto_ptr();
-+    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
+-            break;
+-        case DISAS_NEXT:
-     qemu_spin_lock(&env_tlb(env)->c.lock);
+-        case DISAS_TOO_MANY:
-     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
+-            save_cpu_state(ctx, 0);
--        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
+-            gen_goto_tb(ctx, 0, ctx->base.pc_next);
-+        if ((idxmap >> mmu_idx) & 1) {
+-            break;
-             tlb_flush_page_locked(env, mmu_idx, addr);
+-        case DISAS_EXIT:
-         }
+-            tcg_gen_exit_tb(NULL, 0);
-     }
+-            break;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
+-        case DISAS_NORETURN:
-     tb_flush_jmp_cache(cpu, addr);
+-            break;
- }
+-        default:
+-            g_assert_not_reached();
-+/**
+-        }
-+ * tlb_flush_page_by_mmuidx_async_1:
++    switch (ctx->base.is_jmp) {
-+ * @cpu: cpu on which to flush
++    case DISAS_STOP:
-+ * @data: encoded addr + idxmap
++        gen_save_pc(ctx->base.pc_next);
-+ *
++        tcg_gen_lookup_and_goto_ptr();
-+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
++        break;
-+ * async_run_on_cpu.  The idxmap parameter is encoded in the page
++    case DISAS_NEXT:
-+ * offset of the target_ptr field.  This limits the set of mmu_idx
++    case DISAS_TOO_MANY:
-+ * that can be passed via this method.
++        save_cpu_state(ctx, 0);
-+ */
++        gen_goto_tb(ctx, 0, ctx->base.pc_next);
-+static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
++        break;
-+                                             run_on_cpu_data data)
++    case DISAS_EXIT:
-+{
++        tcg_gen_exit_tb(NULL, 0);
-+    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
++        break;
-+    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
++    case DISAS_NORETURN:
-+    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
++        break;
-+
++    default:
-+    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
++        g_assert_not_reached();
 +}
 +
 +typedef struct {
 +    target_ulong addr;
 +    uint16_t idxmap;
 +} TLBFlushPageByMMUIdxData;
 +
 +/**
 + * tlb_flush_page_by_mmuidx_async_2:
 + * @cpu: cpu on which to flush
 + * @data: allocated addr + idxmap
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, called through
 + * async_run_on_cpu.  The addr+idxmap parameters are stored in a
 + * TLBFlushPageByMMUIdxData structure that has been allocated
 + * specifically for this helper.  Free the structure when done.
 + */
 +static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
 +                                             run_on_cpu_data data)
 +{
 +    TLBFlushPageByMMUIdxData *d = data.host_ptr;
 +
 +    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
 +    g_free(d);
 +}
 +
  void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
  {
 -    target_ulong addr_and_mmu_idx;
 -
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    if (!qemu_cpu_is_self(cpu)) {
 -        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
 -                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    if (qemu_cpu_is_self(cpu)) {
 +        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
 +    } else if (idxmap < TARGET_PAGE_SIZE) {
 +        /*
 +         * Most targets have only a few mmu_idx.  In the case where
 +         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
 +         * allocating memory for this operation.
 +         */
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
      } else {
 -        tlb_flush_page_by_mmuidx_async_work(
 -            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
 +
 +        /* Otherwise allocate a structure, freed by the worker.  */
 +        d->addr = addr;
 +        d->idxmap = idxmap;
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
 +                         RUN_ON_CPU_HOST_PTR(d));
      }
  }
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
- void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
-                                        uint16_t idxmap)
- {
--    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
--    target_ulong addr_and_mmu_idx;
--
-     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
-     /* This should already be page aligned */
--    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
--    addr_and_mmu_idx |= idxmap;
-+    addr &= TARGET_PAGE_MASK;
--    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
--    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-+    /*
-+     * Allocate memory to hold addr+idxmap only when needed.
-+     * See tlb_flush_page_by_mmuidx for details.
-+     */
-+    if (idxmap < TARGET_PAGE_SIZE) {
-+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
-+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
-+    } else {
-+        CPUState *dst_cpu;
-+
-+        /* Allocate a separate data block for each destination cpu.  */
-+        CPU_FOREACH(dst_cpu) {
-+            if (dst_cpu != src_cpu) {
-+                TLBFlushPageByMMUIdxData *d
-+                    = g_new(TLBFlushPageByMMUIdxData, 1);
-+
-+                d->addr = addr;
-+                d->idxmap = idxmap;
-+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
-+                                 RUN_ON_CPU_HOST_PTR(d));
-+            }
-+        }
-+    }
-+
-+    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
- }
- void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
-                                               target_ulong addr,
-                                               uint16_t idxmap)
- {
--    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
--    target_ulong addr_and_mmu_idx;
--
-     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
-     /* This should already be page aligned */
--    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
--    addr_and_mmu_idx |= idxmap;
-+    addr &= TARGET_PAGE_MASK;
--    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
--    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-+    /*
-+     * Allocate memory to hold addr+idxmap only when needed.
-+     * See tlb_flush_page_by_mmuidx for details.
-+     */
-+    if (idxmap < TARGET_PAGE_SIZE) {
-+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
-+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
-+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
-+                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
-+    } else {
-+        CPUState *dst_cpu;
-+        TLBFlushPageByMMUIdxData *d;
-+
-+        /* Allocate a separate data block for each destination cpu.  */
-+        CPU_FOREACH(dst_cpu) {
-+            if (dst_cpu != src_cpu) {
-+                d = g_new(TLBFlushPageByMMUIdxData, 1);
-+                d->addr = addr;
-+                d->idxmap = idxmap;
-+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
-+                                 RUN_ON_CPU_HOST_PTR(d));
-+            }
-+        }
-+
-+        d = g_new(TLBFlushPageByMMUIdxData, 1);
-+        d->addr = addr;
-+        d->idxmap = idxmap;
-+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
-+                              RUN_ON_CPU_HOST_PTR(d));
-+    }
- }
- void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
 --
-.20.1
+.25.1

-[PULL 04/16] vl: Reduce scope of variables in configure_accelerators
+[PULL 15/24] target/openrisc: Drop checks for singlestep_enabled
-The accel_list and tmp variables are only used when manufacturing
+GDB single-stepping is now handled generically.
 -machine accel, options based on -accel.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 3 ++-
+ target/openrisc/translate.c | 18 +++---------------
-file changed, 2 insertions(+), 1 deletion(-)
+file changed, 3 insertions(+), 15 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/target/openrisc/translate.c
-+++ b/vl.c
++++ b/target/openrisc/translate.c
-@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
+@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
- static void configure_accelerators(const char *progname)
+             /* The jump destination is indirect/computed; use jmp_pc.  */
- {
+             tcg_gen_mov_tl(cpu_pc, jmp_pc);
-     const char *accel;
+             tcg_gen_discard_tl(jmp_pc);
--    char **accel_list, **tmp;
+-            if (unlikely(dc->base.singlestep_enabled)) {
-     bool init_failed = false;
+-                gen_exception(dc, EXCP_DEBUG);
+-            } else {
-     qemu_opts_foreach(qemu_find_opts("icount"),
+-                tcg_gen_lookup_and_goto_ptr();
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+-            }
++            tcg_gen_lookup_and_goto_ptr();
-     accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
+             break;
-     if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
+         }
-+        char **accel_list, **tmp;
+         /* The jump destination is direct; use jmp_pc_imm.
-+
+@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
-         if (accel == NULL) {
+             break;
-             /* Select the default accelerator */
+         }
-             if (!accel_find("tcg") && !accel_find("kvm")) {
+         tcg_gen_movi_tl(cpu_pc, jmp_dest);
 -        if (unlikely(dc->base.singlestep_enabled)) {
 -            gen_exception(dc, EXCP_DEBUG);
 -        } else {
 -            tcg_gen_lookup_and_goto_ptr();
 -        }
 +        tcg_gen_lookup_and_goto_ptr();
          break;
      case DISAS_EXIT:
 -        if (unlikely(dc->base.singlestep_enabled)) {
 -            gen_exception(dc, EXCP_DEBUG);
 -        } else {
 -            tcg_gen_exit_tb(NULL, 0);
 -        }
 +        tcg_gen_exit_tb(NULL, 0);
          break;
      default:
          g_assert_not_reached();
 --
-.20.1
+.25.1

-[PULL 15/16] cputlb: Hoist timestamp outside of loops over tlbs
+[PULL 16/24] target/ppc: Drop exit checks for singlestep_enabled
-Do not call get_clock_realtime() in tlb_mmu_resize_locked,
+GDB single-stepping is now handled generically.
-but hoist outside of any loop over a set of tlbs.  This is
+Reuse gen_debug_exception to handle architectural debug exceptions.
 only two (indirect) callers, tlb_flush_by_mmuidx_async_work
 and tlb_flush_page_locked, so not onerous.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 14 ++++++++------
+ target/ppc/translate.c | 38 ++++++++------------------------------
-file changed, 8 insertions(+), 6 deletions(-)
+file changed, 8 insertions(+), 30 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/ppc/translate.c b/target/ppc/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/ppc/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/ppc/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@
-  * high), since otherwise we are likely to have a significant amount of
-  * conflict misses.
+ #define CPU_SINGLE_STEP 0x1
-  */
+ #define CPU_BRANCH_STEP 0x2
--static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+-#define GDBSTUB_SINGLE_STEP 0x4
-+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
-+                                  int64_t now)
+ /* Include definitions for instructions classes and implementations flags */
  /* #define PPC_DEBUG_DISAS */
@@ -XXX,XX +XXX,XX @@ static uint32_t gen_prep_dbgex(DisasContext *ctx)
  static void gen_debug_exception(DisasContext *ctx)
  {
-     size_t old_size = tlb_n_entries(fast);
+-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
-     size_t rate;
++    gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
-     size_t new_size = old_size;
+     ctx->base.is_jmp = DISAS_NORETURN;
 -    int64_t now = get_clock_realtime();
      int64_t window_len_ms = 100;
      int64_t window_len_ns = window_len_ms * 1000 * 1000;
      bool window_expired = now > desc->window_begin_ns + window_len_ns;
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
      memset(desc->vtable, -1, sizeof(desc->vtable));
  }
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *ctx, target_ulong dest)
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
-+                                        int64_t now)
+ static void gen_lookup_and_goto_ptr(DisasContext *ctx)
  {
-     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+-    int sse = ctx->singlestep_enabled;
-     CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+-    if (unlikely(sse)) {
+-        if (sse & GDBSTUB_SINGLE_STEP) {
--    tlb_mmu_resize_locked(desc, fast);
+-            gen_debug_exception(ctx);
-+    tlb_mmu_resize_locked(desc, fast, now);
+-        } else if (sse & (CPU_SINGLE_STEP | CPU_BRANCH_STEP)) {
-     tlb_mmu_flush_locked(desc, fast);
+-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
 -        } else {
 -            tcg_gen_exit_tb(NULL, 0);
 -        }
 +    if (unlikely(ctx->singlestep_enabled)) {
 +        gen_debug_exception(ctx);
      } else {
          tcg_gen_lookup_and_goto_ptr();
      }
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
      ctx->singlestep_enabled = 0;
      if ((hflags >> HFLAGS_SE) & 1) {
          ctx->singlestep_enabled |= CPU_SINGLE_STEP;
 +        ctx->base.max_insns = 1;
      }
      if ((hflags >> HFLAGS_BE) & 1) {
          ctx->singlestep_enabled |= CPU_BRANCH_STEP;
      }
 -    if (unlikely(ctx->base.singlestep_enabled)) {
 -        ctx->singlestep_enabled |= GDBSTUB_SINGLE_STEP;
 -    }
 -
 -    if (ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP)) {
 -        ctx->base.max_insns = 1;
 -    }
  }
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
+ static void ppc_tr_tb_start(DisasContextBase *db, CPUState *cs)
-     CPUArchState *env = cpu->env_ptr;
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
-     uint16_t asked = data.host_int;
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
-     uint16_t all_dirty, work, to_clean;
+     DisasJumpType is_jmp = ctx->base.is_jmp;
-+    int64_t now = get_clock_realtime();
+     target_ulong nip = ctx->base.pc_next;
+-    int sse;
-     assert_cpu_is_self(cpu);
+     if (is_jmp == DISAS_NORETURN) {
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
+         /* We have already exited the TB. */
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
      for (work = to_clean; work != 0; work &= work - 1) {
          int mmu_idx = ctz32(work);
 -        tlb_flush_one_mmuidx_locked(env, mmu_idx);
 +        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
      }
-     qemu_spin_unlock(&env_tlb(env)->c.lock);
+     /* Honor single stepping. */
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
+-    sse = ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP);
-         tlb_debug("forcing full flush midx %d ("
+-    if (unlikely(sse)) {
-                   TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
++    if (unlikely(ctx->singlestep_enabled & CPU_SINGLE_STEP)
-                   midx, lp_addr, lp_mask);
++        && (nip <= 0x100 || nip > 0xf00)) {
--        tlb_flush_one_mmuidx_locked(env, midx);
+         switch (is_jmp) {
-+        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
+         case DISAS_TOO_MANY:
-     } else {
+         case DISAS_EXIT_UPDATE:
-         if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
+@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
-             tlb_n_used_entries_dec(env, midx);
+             g_assert_not_reached();
          }
 -        if (sse & GDBSTUB_SINGLE_STEP) {
 -            gen_debug_exception(ctx);
 -            return;
 -        }
 -        /* else CPU_SINGLE_STEP... */
 -        if (nip <= 0x100 || nip > 0xf00) {
 -            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
 -            return;
 -        }
 +        gen_debug_exception(ctx);
 +        return;
      }
      switch (is_jmp) {
 --
-.20.1
+.25.1

-[PULL 09/16] cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
+[PULL 17/24] target/riscv: Remove dead code after exception
-We do not need the entire CPUArchState to compute these values.
+We have already set DISAS_NORETURN in generate_exception,
 which makes the exit_tb unreachable.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++-------
+ target/riscv/insn_trans/trans_privileged.c.inc | 6 +-----
-file changed, 8 insertions(+), 7 deletions(-)
+file changed, 1 insertion(+), 5 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/riscv/insn_trans/trans_privileged.c.inc
-+++ b/accel/tcg/cputlb.c
++++ b/target/riscv/insn_trans/trans_privileged.c.inc
-@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
+@@ -XXX,XX +XXX,XX @@ static bool trans_ecall(DisasContext *ctx, arg_ecall *a)
  QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
  #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 -static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
 +static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
  {
--    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+     /* always generates U-level ECALL, fixed in do_interrupt handler */
-+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
+     generate_exception(ctx, RISCV_EXCP_U_ECALL);
 -    exit_tb(ctx); /* no chaining */
 -    ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  }
--static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static bool trans_ebreak(DisasContext *ctx, arg_ebreak *a)
-+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
+         post   = opcode_at(&ctx->base, post_addr);
- {
+     }
--    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
-+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
+-    if  (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
 +    if (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
          generate_exception(ctx, RISCV_EXCP_SEMIHOST);
      } else {
          generate_exception(ctx, RISCV_EXCP_BREAKPOINT);
      }
 -    exit_tb(ctx); /* no chaining */
 -    ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  }
- static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
- static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
- {
-     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
--    size_t old_size = tlb_n_entries(env, mmu_idx);
-+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
-     size_t rate;
-     size_t new_size = old_size;
-     int64_t now = get_clock_realtime();
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
-     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-     env_tlb(env)->d[mmu_idx].vindex = 0;
--    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
-+    memset(env_tlb(env)->f[mmu_idx].table, -1,
-+           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
-     memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-            sizeof(env_tlb(env)->d[0].vtable));
- }
-@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
-     qemu_spin_lock(&env_tlb(env)->c.lock);
-     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
-         unsigned int i;
--        unsigned int n = tlb_n_entries(env, mmu_idx);
-+        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
-         for (i = 0; i < n; i++) {
-             tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
 --
-.20.1
+.25.1

-[PULL 14/16] cputlb: Initialize tlbs as flushed
+[PULL 18/24] target/riscv: Remove exit_tb and lookup_and_goto_ptr
-There's little point in leaving these data structures half initialized,
+GDB single-stepping is now handled generically, which means
-and relying on a flush to be done during reset.
+we don't need to do anything in the wrappers.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 5 +++--
+ target/riscv/translate.c                      | 27 +------------------
-file changed, 3 insertions(+), 2 deletions(-)
+ .../riscv/insn_trans/trans_privileged.c.inc   |  4 +--
  target/riscv/insn_trans/trans_rvi.c.inc       |  8 +++---
  target/riscv/insn_trans/trans_rvv.c.inc       |  2 +-
 files changed, 7 insertions(+), 34 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/riscv/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/riscv/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+@@ -XXX,XX +XXX,XX @@ static void generate_exception_mtval(DisasContext *ctx, int excp)
-     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+     ctx->base.is_jmp = DISAS_NORETURN;
      fast->table = g_new(CPUTLBEntry, n_entries);
      desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
 +    tlb_mmu_flush_locked(desc, fast);
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+-static void gen_exception_debug(void)
-@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
+-{
+-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
-     qemu_spin_init(&env_tlb(env)->c.lock);
+-}
+-
--    /* Ensure that cpu_reset performs a full flush.  */
+-/* Wrapper around tcg_gen_exit_tb that handles single stepping */
--    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+-static void exit_tb(DisasContext *ctx)
-+    /* All tlbs are initialized flushed. */
+-{
-+    env_tlb(env)->c.dirty = 0;
+-    if (ctx->base.singlestep_enabled) {
+-        gen_exception_debug();
-     for (i = 0; i < NB_MMU_MODES; i++) {
+-    } else {
-         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
+-        tcg_gen_exit_tb(NULL, 0);
 -    }
 -}
 -
 -/* Wrapper around tcg_gen_lookup_and_goto_ptr that handles single stepping */
 -static void lookup_and_goto_ptr(DisasContext *ctx)
 -{
 -    if (ctx->base.singlestep_enabled) {
 -        gen_exception_debug();
 -    } else {
 -        tcg_gen_lookup_and_goto_ptr();
 -    }
 -}
 -
  static void gen_exception_illegal(DisasContext *ctx)
  {
      generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
          tcg_gen_exit_tb(ctx->base.tb, n);
      } else {
          tcg_gen_movi_tl(cpu_pc, dest);
 -        lookup_and_goto_ptr(ctx);
 +        tcg_gen_lookup_and_goto_ptr();
      }
  }
 diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/insn_trans/trans_privileged.c.inc
 +++ b/target/riscv/insn_trans/trans_privileged.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_sret(DisasContext *ctx, arg_sret *a)
      if (has_ext(ctx, RVS)) {
          gen_helper_sret(cpu_pc, cpu_env, cpu_pc);
 -        exit_tb(ctx); /* no chaining */
 +        tcg_gen_exit_tb(NULL, 0); /* no chaining */
          ctx->base.is_jmp = DISAS_NORETURN;
      } else {
          return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_mret(DisasContext *ctx, arg_mret *a)
  #ifndef CONFIG_USER_ONLY
      tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
      gen_helper_mret(cpu_pc, cpu_env, cpu_pc);
 -    exit_tb(ctx); /* no chaining */
 +    tcg_gen_exit_tb(NULL, 0); /* no chaining */
      ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  #else
 diff --git a/target/riscv/insn_trans/trans_rvi.c.inc b/target/riscv/insn_trans/trans_rvi.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/insn_trans/trans_rvi.c.inc
 +++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
      if (a->rd != 0) {
          tcg_gen_movi_tl(cpu_gpr[a->rd], ctx->pc_succ_insn);
      }
 -
 -    /* No chaining with JALR. */
 -    lookup_and_goto_ptr(ctx);
 +    tcg_gen_lookup_and_goto_ptr();
      if (misaligned) {
          gen_set_label(misaligned);
@@ -XXX,XX +XXX,XX @@ static bool trans_fence_i(DisasContext *ctx, arg_fence_i *a)
       * however we need to end the translation block
       */
      tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
 -    exit_tb(ctx);
 +    tcg_gen_exit_tb(NULL, 0);
      ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool do_csr_post(DisasContext *ctx)
  {
      /* We may have changed important cpu state -- exit to main loop. */
      tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
 -    exit_tb(ctx);
 +    tcg_gen_exit_tb(NULL, 0);
      ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  }
 diff --git a/target/riscv/insn_trans/trans_rvv.c.inc b/target/riscv/insn_trans/trans_rvv.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/insn_trans/trans_rvv.c.inc
 +++ b/target/riscv/insn_trans/trans_rvv.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_vsetvl(DisasContext *ctx, arg_vsetvl *a)
      gen_set_gpr(ctx, a->rd, dst);
      tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
 -    lookup_and_goto_ptr(ctx);
 +    tcg_gen_lookup_and_goto_ptr();
      ctx->base.is_jmp = DISAS_NORETURN;
      return true;
  }
 --
-.20.1
+.25.1

-[PULL 08/16] cputlb: Make tlb_n_entries private to cputlb.c
+[PULL 19/24] target/rx: Drop checks for singlestep_enabled
-There are no users of this function outside cputlb.c,
+GDB single-stepping is now handled generically.
 and its interface will change in the next patch.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst.h | 5 -----
+ target/rx/helper.h    |  1 -
- accel/tcg/cputlb.c      | 5 +++++
+ target/rx/op_helper.c |  8 --------
-files changed, 5 insertions(+), 5 deletions(-)
+ target/rx/translate.c | 12 ++----------
 files changed, 2 insertions(+), 19 deletions(-)
-diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
+diff --git a/target/rx/helper.h b/target/rx/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/cpu_ldst.h
+--- a/target/rx/helper.h
-+++ b/include/exec/cpu_ldst.h
++++ b/target/rx/helper.h
-@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
-     return (addr >> TARGET_PAGE_BITS) & size_mask;
+ DEF_HELPER_1(raise_access_fault, noreturn, env)
  DEF_HELPER_1(raise_privilege_violation, noreturn, env)
  DEF_HELPER_1(wait, noreturn, env)
 -DEF_HELPER_1(debug, noreturn, env)
  DEF_HELPER_2(rxint, noreturn, env, i32)
  DEF_HELPER_1(rxbrk, noreturn, env)
  DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
 diff --git a/target/rx/op_helper.c b/target/rx/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/rx/op_helper.c
 +++ b/target/rx/op_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_wait(CPURXState *env)
      raise_exception(env, EXCP_HLT, 0);
  }
--static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+-void QEMU_NORETURN helper_debug(CPURXState *env)
 -{
--    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+-    CPUState *cs = env_cpu(env);
 -
 -    cs->exception_index = EXCP_DEBUG;
 -    cpu_loop_exit(cs);
 -}
 -
- /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
+ void QEMU_NORETURN helper_rxint(CPURXState *env, uint32_t vec)
- static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
+ {
-                                      target_ulong addr)
+     raise_exception(env, 0x100 + vec, 0);
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/rx/translate.c b/target/rx/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/rx/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/rx/translate.c
-@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
- QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
+         tcg_gen_exit_tb(dc->base.tb, n);
- #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
+     } else {
+         tcg_gen_movi_i32(cpu_pc, dest);
-+static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+-        if (dc->base.singlestep_enabled) {
-+{
+-            gen_helper_debug(cpu_env);
-+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+-        } else {
-+}
+-            tcg_gen_lookup_and_goto_ptr();
-+
+-        }
- static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
++        tcg_gen_lookup_and_goto_ptr();
- {
+     }
-     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+     dc->base.is_jmp = DISAS_NORETURN;
  }
@@ -XXX,XX +XXX,XX @@ static void rx_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
          gen_goto_tb(ctx, 0, dcbase->pc_next);
          break;
      case DISAS_JUMP:
 -        if (ctx->base.singlestep_enabled) {
 -            gen_helper_debug(cpu_env);
 -        } else {
 -            tcg_gen_lookup_and_goto_ptr();
 -        }
 +        tcg_gen_lookup_and_goto_ptr();
          break;
      case DISAS_UPDATE:
          tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
 --
-.20.1
+.25.1

-[PULL 11/16] cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
+[PULL 20/24] target/s390x: Drop check for singlestep_enabled
-No functional change, but the smaller expressions make
+GDB single-stepping is now handled generically.
 the code easier to read.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 ++++++++++---------
+ target/s390x/tcg/translate.c | 8 ++------
-file changed, 10 insertions(+), 9 deletions(-)
+file changed, 2 insertions(+), 6 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/s390x/tcg/translate.c
-+++ b/accel/tcg/cputlb.c
++++ b/target/s390x/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ struct DisasContext {
+     uint64_t pc_tmp;
- static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+     uint32_t ilen;
- {
+     enum cc_op cc_op;
--    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
+-    bool do_debug;
--    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+ };
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+ /* Information carried about a condition to be evaluated.  */
--    env_tlb(env)->d[mmu_idx].vindex = 0;
+@@ -XXX,XX +XXX,XX @@ static void s390x_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
--    memset(env_tlb(env)->f[mmu_idx].table, -1,
--           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
+     dc->cc_op = CC_OP_DYNAMIC;
--    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+     dc->ex_value = dc->base.tb->cs_base;
--           sizeof(env_tlb(env)->d[0].vtable));
+-    dc->do_debug = dc->base.singlestep_enabled;
 +    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
 +    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 +
 +    tlb_mmu_resize_locked(desc, fast);
 +    desc->n_used_entries = 0;
 +    desc->large_page_addr = -1;
 +    desc->large_page_mask = -1;
 +    desc->vindex = 0;
 +    memset(fast->table, -1, sizeof_tlb(fast));
 +    memset(desc->vtable, -1, sizeof(desc->vtable));
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+ static void s390x_tr_tb_start(DisasContextBase *db, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
          /* FALLTHRU */
      case DISAS_PC_CC_UPDATED:
          /* Exit the TB, either by raising a debug exception or by return.  */
 -        if (dc->do_debug) {
 -            gen_exception(EXCP_DEBUG);
 -        } else if ((dc->base.tb->flags & FLAG_MASK_PER) ||
 -                   dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
 +        if ((dc->base.tb->flags & FLAG_MASK_PER) ||
 +             dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
              tcg_gen_exit_tb(NULL, 0);
          } else {
              tcg_gen_lookup_and_goto_ptr();
 --
-.20.1
+.25.1

-[PULL 03/16] vl: Remove unused variable in configure_accelerators
+[PULL 21/24] target/sh4: Drop check for singlestep_enabled
-The accel_initialised variable no longer has any setters.
+GDB single-stepping is now handled generically.
-Fixes: 6f6e1698a68c
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 3 +--
+ target/sh4/helper.h    |  1 -
-file changed, 1 insertion(+), 2 deletions(-)
+ target/sh4/op_helper.c |  5 -----
  target/sh4/translate.c | 14 +++-----------
 files changed, 3 insertions(+), 17 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/target/sh4/helper.h b/target/sh4/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/target/sh4/helper.h
-+++ b/vl.c
++++ b/target/sh4/helper.h
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
  DEF_HELPER_1(raise_slot_illegal_instruction, noreturn, env)
  DEF_HELPER_1(raise_fpu_disable, noreturn, env)
  DEF_HELPER_1(raise_slot_fpu_disable, noreturn, env)
 -DEF_HELPER_1(debug, noreturn, env)
  DEF_HELPER_1(sleep, noreturn, env)
  DEF_HELPER_2(trapa, noreturn, env, i32)
  DEF_HELPER_1(exclusive, noreturn, env)
 diff --git a/target/sh4/op_helper.c b/target/sh4/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/sh4/op_helper.c
 +++ b/target/sh4/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_raise_slot_fpu_disable(CPUSH4State *env)
      raise_exception(env, 0x820, 0);
  }
 -void helper_debug(CPUSH4State *env)
 -{
 -    raise_exception(env, EXCP_DEBUG, 0);
 -}
 -
  void helper_sleep(CPUSH4State *env)
  {
-     const char *accel;
+     CPUState *cs = env_cpu(env);
-     char **accel_list, **tmp;
+diff --git a/target/sh4/translate.c b/target/sh4/translate.c
--    bool accel_initialised = false;
+index XXXXXXX..XXXXXXX 100644
-     bool init_failed = false;
+--- a/target/sh4/translate.c
++++ b/target/sh4/translate.c
-     qemu_opts_foreach(qemu_find_opts("icount"),
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+         tcg_gen_exit_tb(ctx->base.tb, n);
+     } else {
-         accel_list = g_strsplit(accel, ":", 0);
+         tcg_gen_movi_i32(cpu_pc, dest);
+-        if (ctx->base.singlestep_enabled) {
--        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
+-            gen_helper_debug(cpu_env);
-+        for (tmp = accel_list; tmp && *tmp; tmp++) {
+-        } else if (use_exit_tb(ctx)) {
-             /*
++        if (use_exit_tb(ctx)) {
-              * Filter invalid accelerators here, to prevent obscenities
+             tcg_gen_exit_tb(NULL, 0);
-              * such as "-machine accel=tcg,,thread=single".
+         } else {
              tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void gen_jump(DisasContext * ctx)
         delayed jump as immediate jump are conditinal jumps */
      tcg_gen_mov_i32(cpu_pc, cpu_delayed_pc);
          tcg_gen_discard_i32(cpu_delayed_pc);
 -        if (ctx->base.singlestep_enabled) {
 -            gen_helper_debug(cpu_env);
 -        } else if (use_exit_tb(ctx)) {
 +        if (use_exit_tb(ctx)) {
              tcg_gen_exit_tb(NULL, 0);
          } else {
              tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void sh4_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
      switch (ctx->base.is_jmp) {
      case DISAS_STOP:
          gen_save_cpu_state(ctx, true);
 -        if (ctx->base.singlestep_enabled) {
 -            gen_helper_debug(cpu_env);
 -        } else {
 -            tcg_gen_exit_tb(NULL, 0);
 -        }
 +        tcg_gen_exit_tb(NULL, 0);
          break;
      case DISAS_NEXT:
      case DISAS_TOO_MANY:
 --
-.20.1
+.25.1

-[PULL 13/16] cputlb: Partially merge tlb_dyn_init into tlb_init
+[PULL 22/24] target/tricore: Drop check for singlestep_enabled
-Merge into the only caller, but at the same time split
+GDB single-stepping is now handled generically.
 out tlb_mmu_init to initialize a single tlb entry.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
+ target/tricore/helper.h    |  1 -
-file changed, 16 insertions(+), 17 deletions(-)
+ target/tricore/op_helper.c |  7 -------
  target/tricore/translate.c | 14 +-------------
 files changed, 1 insertion(+), 21 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/target/tricore/helper.h b/target/tricore/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/target/tricore/helper.h
-+++ b/accel/tcg/cputlb.c
++++ b/target/tricore/helper.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(psw_write, void, env, i32)
-     desc->window_max_entries = max_entries;
+ DEF_HELPER_1(psw_read, i32, env)
  /* Exceptions */
  DEF_HELPER_3(raise_exception_sync, noreturn, env, i32, i32)
 -DEF_HELPER_2(qemu_excp, noreturn, env, i32)
 diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/op_helper.c
 +++ b/target/tricore/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void raise_exception_sync_helper(CPUTriCoreState *env, uint32_t class,
      raise_exception_sync_internal(env, class, tin, pc, 0);
  }
--static void tlb_dyn_init(CPUArchState *env)
+-void helper_qemu_excp(CPUTriCoreState *env, uint32_t excp)
 -{
--    int i;
+-    CPUState *cs = env_cpu(env);
--
+-    cs->exception_index = excp;
--    for (i = 0; i < NB_MMU_MODES; i++) {
+-    cpu_loop_exit(cs);
 -        CPUTLBDesc *desc = &env_tlb(env)->d[i];
 -        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 -
 -        tlb_window_reset(desc, get_clock_realtime(), 0);
 -        desc->n_used_entries = 0;
 -        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 -        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
 -        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
 -    }
 -}
 -
- /**
+ /* Addressing mode helper */
-  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
-  * @desc: The CPUTLBDesc portion of the TLB
+ static uint16_t reverse16(uint16_t val)
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+diff --git a/target/tricore/translate.c b/target/tricore/translate.c
-     tlb_mmu_flush_locked(desc, fast);
+index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/translate.c
 +++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_save_pc(target_ulong pc)
      tcg_gen_movi_tl(cpu_PC, pc);
  }
-+static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+-static void generate_qemu_excp(DisasContext *ctx, int excp)
-+{
+-{
-+    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
+-    TCGv_i32 tmp = tcg_const_i32(excp);
-+
+-    gen_helper_qemu_excp(cpu_env, tmp);
-+    tlb_window_reset(desc, now, 0);
+-    ctx->base.is_jmp = DISAS_NORETURN;
-+    desc->n_used_entries = 0;
+-    tcg_temp_free(tmp);
-+    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+-}
-+    fast->table = g_new(CPUTLBEntry, n_entries);
+-
-+    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
 +}
 +
  static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
  {
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+     if (translator_use_goto_tb(&ctx->base, dest)) {
-@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
+@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
- void tlb_init(CPUState *cpu)
+         tcg_gen_exit_tb(ctx->base.tb, n);
- {
+     } else {
-     CPUArchState *env = cpu->env_ptr;
+         gen_save_pc(dest);
-+    int64_t now = get_clock_realtime();
+-        if (ctx->base.singlestep_enabled) {
-+    int i;
+-            generate_qemu_excp(ctx, EXCP_DEBUG);
+-        } else {
-     qemu_spin_init(&env_tlb(env)->c.lock);
+-            tcg_gen_lookup_and_goto_ptr();
+-        }
-     /* Ensure that cpu_reset performs a full flush.  */
++        tcg_gen_lookup_and_goto_ptr();
-     env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+     }
 -    tlb_dyn_init(env);
 +    for (i = 0; i < NB_MMU_MODES; i++) {
 +        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
 +    }
  }
- /* flush_all_helper: run fn across all cpus
 --
-.20.1
+.25.1

-[PULL 02/16] util/cacheinfo: fix crash when compiling with uClibc
+[PULL 23/24] target/xtensa: Drop check for singlestep_enabled
-From: Carlos Santos <casantos@redhat.com>
+GDB single-stepping is now handled generically.
-uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
-but the corresponding sysconf calls returns -1, which is a valid result,
-meaning that the limit is indeterminate.
-Handle this situation using the fallback values instead of crashing due
-to an assertion failure.
-Signed-off-by: Carlos Santos <casantos@redhat.com>
-Message-Id: <20191017123713.30192-1-casantos@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- util/cacheinfo.c | 10 ++++++++--
+ target/xtensa/translate.c | 25 ++++++++-----------------
-file changed, 8 insertions(+), 2 deletions(-)
+file changed, 8 insertions(+), 17 deletions(-)
-diff --git a/util/cacheinfo.c b/util/cacheinfo.c
+diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/util/cacheinfo.c
+--- a/target/xtensa/translate.c
-+++ b/util/cacheinfo.c
++++ b/target/xtensa/translate.c
-@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
+@@ -XXX,XX +XXX,XX @@ static void gen_jump_slot(DisasContext *dc, TCGv dest, int slot)
- static void sys_cache_info(int *isize, int *dsize)
+     if (dc->icount) {
- {
+         tcg_gen_mov_i32(cpu_SR[ICOUNT], dc->next_icount);
- # ifdef _SC_LEVEL1_ICACHE_LINESIZE
+     }
--    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+-    if (dc->base.singlestep_enabled) {
-+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+-        gen_exception(dc, EXCP_DEBUG);
-+    if (tmp_isize > 0) {
++    if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
-+        *isize = tmp_isize;
++        slot = gen_postprocess(dc, slot);
 +    }
- # endif
++    if (slot >= 0) {
- # ifdef _SC_LEVEL1_DCACHE_LINESIZE
++        tcg_gen_goto_tb(slot);
--    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
++        tcg_gen_exit_tb(dc->base.tb, slot);
-+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+     } else {
-+    if (tmp_dsize > 0) {
+-        if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
-+        *dsize = tmp_dsize;
+-            slot = gen_postprocess(dc, slot);
-+    }
+-        }
- # endif
+-        if (slot >= 0) {
 -            tcg_gen_goto_tb(slot);
 -            tcg_gen_exit_tb(dc->base.tb, slot);
 -        } else {
 -            tcg_gen_exit_tb(NULL, 0);
 -        }
 +        tcg_gen_exit_tb(NULL, 0);
      }
      dc->base.is_jmp = DISAS_NORETURN;
  }
- #endif /* sys_cache_info */
+@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
      case DISAS_NORETURN:
          break;
      case DISAS_TOO_MANY:
 -        if (dc->base.singlestep_enabled) {
 -            tcg_gen_movi_i32(cpu_pc, dc->pc);
 -            gen_exception(dc, EXCP_DEBUG);
 -        } else {
 -            gen_jumpi(dc, dc->pc, 0);
 -        }
 +        gen_jumpi(dc, dc->pc, 0);
          break;
      default:
          g_assert_not_reached();
 --
-.20.1
+.25.1

-[PULL 12/16] cputlb: Split out tlb_mmu_flush_locked
+[PULL 24/24] Revert "cpu: Move cpu_common_props to hw/core/cpu.c"
-We will want to be able to flush a tlb without resizing.
+This reverts commit 1b36e4f5a5de585210ea95f2257839c2312be28f.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Despite a comment saying why cpu_common_props cannot be placed in
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+a file that is compiled once, it was moved anyway.  Revert that.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Since then, Property is not defined in hw/core/cpu.h, so it is now
 easier to declare a function to install the properties rather than
 the Property array itself.
 Cc: Eduardo Habkost <ehabkost@redhat.com>
 Suggested-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++++-----
+ include/hw/core/cpu.h |  1 +
-file changed, 10 insertions(+), 5 deletions(-)
+ cpu.c                 | 21 +++++++++++++++++++++
  hw/core/cpu-common.c  | 17 +----------------
 files changed, 23 insertions(+), 16 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/hw/core/cpu.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/hw/core/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN cpu_abort(CPUState *cpu, const char *fmt, ...)
-     }
+     GCC_FMT_ATTR(2, 3);
  /* $(top_srcdir)/cpu.c */
 +void cpu_class_init_props(DeviceClass *dc);
  void cpu_exec_initfn(CPUState *cpu);
  void cpu_exec_realizefn(CPUState *cpu, Error **errp);
  void cpu_exec_unrealizefn(CPUState *cpu);
 diff --git a/cpu.c b/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/cpu.c
 +++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_unrealizefn(CPUState *cpu)
      cpu_list_remove(cpu);
  }
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++static Property cpu_common_props[] = {
-+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
++#ifndef CONFIG_USER_ONLY
- {
++    /*
--    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++     * Create a memory property for softmmu CPU object,
--    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
++     * so users can wire up its memory. (This can't go in hw/core/cpu.c
--
++     * because that file is compiled only once for both user-mode
--    tlb_mmu_resize_locked(desc, fast);
++     * and system builds.) The default if no link is set up is to use
-     desc->n_used_entries = 0;
++     * the system address space.
-     desc->large_page_addr = -1;
++     */
-     desc->large_page_mask = -1;
++    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++                     MemoryRegion *),
-     memset(desc->vtable, -1, sizeof(desc->vtable));
++#endif
- }
++    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
++    DEFINE_PROP_END_OF_LIST(),
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++};
 +
 +void cpu_class_init_props(DeviceClass *dc)
 +{
-+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++    device_class_set_props(dc, cpu_common_props);
 +    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 +
 +    tlb_mmu_resize_locked(desc, fast);
 +    tlb_mmu_flush_locked(desc, fast);
 +}
 +
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+ void cpu_exec_initfn(CPUState *cpu)
  {
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+     cpu->as = NULL;
 diff --git a/hw/core/cpu-common.c b/hw/core/cpu-common.c
 index XXXXXXX..XXXXXXX 100644
 --- a/hw/core/cpu-common.c
 +++ b/hw/core/cpu-common.c
@@ -XXX,XX +XXX,XX @@ static int64_t cpu_common_get_arch_id(CPUState *cpu)
      return cpu->cpu_index;
  }
 -static Property cpu_common_props[] = {
 -#ifndef CONFIG_USER_ONLY
 -    /* Create a memory property for softmmu CPU object,
 -     * so users can wire up its memory. (This can't go in hw/core/cpu.c
 -     * because that file is compiled only once for both user-mode
 -     * and system builds.) The default if no link is set up is to use
 -     * the system address space.
 -     */
 -    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
 -                     MemoryRegion *),
 -#endif
 -    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
 -    DEFINE_PROP_END_OF_LIST(),
 -};
 -
  static void cpu_class_init(ObjectClass *klass, void *data)
  {
      DeviceClass *dc = DEVICE_CLASS(klass);
@@ -XXX,XX +XXX,XX @@ static void cpu_class_init(ObjectClass *klass, void *data)
      dc->realize = cpu_common_realizefn;
      dc->unrealize = cpu_common_unrealizefn;
      dc->reset = cpu_common_reset;
 -    device_class_set_props(dc, cpu_common_props);
 +    cpu_class_init_props(dc);
      /*
       * Reason: CPUs still need special care by board code: wiring up
       * IRQs, adding reset handlers, halting non-first CPUs, ...
 --
-.20.1
+.25.1

The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:

Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)

are available in the Git repository at:

https://github.com/rth7680/qemu.git tags/pull-tcg-20200121

for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:

scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)

----------------------------------------------------------------
Remove another limit to NB_MMU_MODES.
Fix compilation using uclibc.
Fix defaulting of -accel parameters.
Tidy cputlb basic routines.
Adjust git.orderfile for decodetree.

----------------------------------------------------------------
Carlos Santos (1):
      util/cacheinfo: fix crash when compiling with uClibc

Philippe Mathieu-Daudé (1):
      scripts/git.orderfile: Display decodetree before C source

Richard Henderson (14):
      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
      vl: Remove unused variable in configure_accelerators
      vl: Reduce scope of variables in configure_accelerators
      vl: Remove useless test in configure_accelerators
      vl: Only choose enabled accelerators in configure_accelerators
      cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
      cputlb: Make tlb_n_entries private to cputlb.c
      cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
      cputlb: Hoist tlb portions in tlb_mmu_resize_locked
      cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
      cputlb: Split out tlb_mmu_flush_locked
      cputlb: Partially merge tlb_dyn_init into tlb_init
      cputlb: Initialize tlbs as flushed
      cputlb: Hoist timestamp outside of loops over tlbs

In target/arm we will shortly have "too many" mmu_idx.
The current minimum barrier is caused by the way in which
tlb_flush_page_by_mmuidx is coded.

We can remove this limitation by allocating memory for
consumption by the worker.  Let us assume that this is
the unlikely case, as will be the case for the majority
of targets which have so far satisfied the BUILD_BUG_ON,
and only allocate memory when necessary.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 132 insertions(+), 35 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
     }
 }
 
-/* As we are going to hijack the bottom bits of the page address for a
- * mmuidx bit mask we need to fail to build if we can't do that
+/**
+ * tlb_flush_page_by_mmuidx_async_0:
+ * @cpu: cpu on which to flush
+ * @addr: page of virtual address to flush
+ * @idxmap: set of mmu_idx to flush
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
+ * at @addr from the tlbs indicated by @idxmap from @cpu.
  */
-QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
-
-static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
-                                                run_on_cpu_data data)
+static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
+                                             target_ulong addr,
+                                             uint16_t idxmap)
 {
     CPUArchState *env = cpu->env_ptr;
-    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
-    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
-    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
     int mmu_idx;
 
     assert_cpu_is_self(cpu);
 
-    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
-              addr, mmu_idx_bitmap);
+    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
 
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
-        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
+        if ((idxmap >> mmu_idx) & 1) {
             tlb_flush_page_locked(env, mmu_idx, addr);
         }
     }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
     tb_flush_jmp_cache(cpu, addr);
 }
 
+/**
+ * tlb_flush_page_by_mmuidx_async_1:
+ * @cpu: cpu on which to flush
+ * @data: encoded addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The idxmap parameter is encoded in the page
+ * offset of the target_ptr field.  This limits the set of mmu_idx
+ * that can be passed via this method.
+ */
+static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
+    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
+    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+}
+
+typedef struct {
+    target_ulong addr;
+    uint16_t idxmap;
+} TLBFlushPageByMMUIdxData;
+
+/**
+ * tlb_flush_page_by_mmuidx_async_2:
+ * @cpu: cpu on which to flush
+ * @data: allocated addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The addr+idxmap parameters are stored in a
+ * TLBFlushPageByMMUIdxData structure that has been allocated
+ * specifically for this helper.  Free the structure when done.
+ */
+static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    TLBFlushPageByMMUIdxData *d = data.host_ptr;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
+    g_free(d);
+}
+
 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
 {
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    if (!qemu_cpu_is_self(cpu)) {
-        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
-                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    if (qemu_cpu_is_self(cpu)) {
+        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+    } else if (idxmap < TARGET_PAGE_SIZE) {
+        /*
+         * Most targets have only a few mmu_idx.  In the case where
+         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
+         * allocating memory for this operation.
+         */
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
     } else {
-        tlb_flush_page_by_mmuidx_async_work(
-            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
+
+        /* Otherwise allocate a structure, freed by the worker.  */
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
+                         RUN_ON_CPU_HOST_PTR(d));
     }
 }
 
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                        uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                TLBFlushPageByMMUIdxData *d
+                    = g_new(TLBFlushPageByMMUIdxData, 1);
+
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+    }
+
+    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
 }
 
 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                               target_ulong addr,
                                               uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+        TLBFlushPageByMMUIdxData *d;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                d = g_new(TLBFlushPageByMMUIdxData, 1);
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+
+        d = g_new(TLBFlushPageByMMUIdxData, 1);
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
+                              RUN_ON_CPU_HOST_PTR(d));
+    }
 }
 
 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
-- 
2.20.1

From: Carlos Santos <casantos@redhat.com>

uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
but the corresponding sysconf calls returns -1, which is a valid result,
meaning that the limit is indeterminate.

Handle this situation using the fallback values instead of crashing due
to an assertion failure.

Signed-off-by: Carlos Santos <casantos@redhat.com>
Message-Id: <20191017123713.30192-1-casantos@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 util/cacheinfo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/util/cacheinfo.c b/util/cacheinfo.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cacheinfo.c
+++ b/util/cacheinfo.c
@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
 static void sys_cache_info(int *isize, int *dsize)
 {
 # ifdef _SC_LEVEL1_ICACHE_LINESIZE
-    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    if (tmp_isize > 0) {
+        *isize = tmp_isize;
+    }
 # endif
 # ifdef _SC_LEVEL1_DCACHE_LINESIZE
-    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    if (tmp_dsize > 0) {
+        *dsize = tmp_dsize;
+    }
 # endif
 }
 #endif /* sys_cache_info */
-- 
2.20.1

The accel_initialised variable no longer has any setters.

Fixes: 6f6e1698a68c
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 {
     const char *accel;
     char **accel_list, **tmp;
-    bool accel_initialised = false;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         accel_list = g_strsplit(accel, ":", 0);
 
-        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
+        for (tmp = accel_list; tmp && *tmp; tmp++) {
             /*
              * Filter invalid accelerators here, to prevent obscenities
              * such as "-machine accel=tcg,,thread=single".
-- 
2.20.1

The accel_list and tmp variables are only used when manufacturing
-machine accel, options based on -accel.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
 static void configure_accelerators(const char *progname)
 {
     const char *accel;
-    char **accel_list, **tmp;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
     accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
     if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
+        char **accel_list, **tmp;
+
         if (accel == NULL) {
             /* Select the default accelerator */
             if (!accel_find("tcg") && !accel_find("kvm")) {
-- 
2.20.1

By choosing "tcg:kvm" when kvm is not enabled, we generate
an incorrect warning: "invalid accelerator kvm".

At the same time, use g_str_has_suffix rather than open-coding
the same operation.

Presumably the inverse is also true with --disable-tcg.

Fixes: 28a0961757fc
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         if (accel == NULL) {
             /* Select the default accelerator */
-            if (!accel_find("tcg") && !accel_find("kvm")) {
-                error_report("No accelerator selected and"
-                             " no default accelerator available");
-                exit(1);
-            } else {
-                int pnlen = strlen(progname);
-                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
+            bool have_tcg = accel_find("tcg");
+            bool have_kvm = accel_find("kvm");
+
+            if (have_tcg && have_kvm) {
+                if (g_str_has_suffix(progname, "kvm")) {
                     /* If the program name ends with "kvm", we prefer KVM */
                     accel = "kvm:tcg";
                 } else {
                     accel = "tcg:kvm";
                 }
+            } else if (have_kvm) {
+                accel = "kvm";
+            } else if (have_tcg) {
+                accel = "tcg";
+            } else {
+                error_report("No accelerator selected and"
+                             " no default accelerator available");
+                exit(1);
             }
         }
-
         accel_list = g_strsplit(accel, ":", 0);
 
         for (tmp = accel_list; *tmp; tmp++) {
-- 
2.20.1

There is only one caller for tlb_table_flush_by_mmuidx.  Place
the result at the earlier line number, due to an expected user
in the near future.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
     }
 }
 
-static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
     tlb_mmu_resize_locked(env, mmu_idx);
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+    env_tlb(env)->d[mmu_idx].vindex = 0;
+    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+           sizeof(env_tlb(env)->d[0].vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
     *pelide = elide;
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
-{
-    tlb_table_flush_by_mmuidx(env, mmu_idx);
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
-}
-
 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 {
     CPUArchState *env = cpu->env_ptr;
-- 
2.20.1

There are no users of this function outside cputlb.c,
and its interface will change in the next patch.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst.h | 5 -----
 accel/tcg/cputlb.c      | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
     return (addr >> TARGET_PAGE_BITS) & size_mask;
 }
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
-{
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
-}
-
 /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
 static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
                                      target_ulong addr)
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
+static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+{
+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+}
+
 static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
 {
     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
-- 
2.20.1

We do not need the entire CPUArchState to compute these values.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
 {
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
 }
 
-static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
 {
-    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
 }
 
 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(env, mmu_idx);
+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
     env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->f[mmu_idx].table, -1,
+           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
     memset(env_tlb(env)->d[mmu_idx].vtable, -1,
            sizeof(env_tlb(env)->d[0].vtable));
 }
@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
         unsigned int i;
-        unsigned int n = tlb_n_entries(env, mmu_idx);
+        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
 
         for (i = 0; i < n; i++) {
             tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
- * @env: CPU that owns the TLB
- * @mmu_idx: MMU index of the TLB
+ * @desc: The CPUTLBDesc portion of the TLB
+ * @fast: The CPUTLBDescFast portion of the same TLB
  *
  * Called with tlb_lock_held.
  *
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+    size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
         return;
     }
 
-    g_free(env_tlb(env)->f[mmu_idx].table);
-    g_free(env_tlb(env)->d[mmu_idx].iotlb);
+    g_free(fast->table);
+    g_free(desc->iotlb);
 
     tlb_window_reset(desc, now, 0);
     /* desc->n_used_entries is cleared by the caller */
-    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
-    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_try_new(CPUTLBEntry, new_size);
+    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
+
     /*
      * If the allocations fail, try smaller sizes. We just freed some
      * memory, so going back to half of new_size has a good chance of working.
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
      * allocations to fail though, so we progressively reduce the allocation
      * size, aborting if we cannot even allocate the smallest TLB we support.
      */
-    while (env_tlb(env)->f[mmu_idx].table == NULL ||
-           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
+    while (fast->table == NULL || desc->iotlb == NULL) {
         if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
             error_report("%s: %s", __func__, strerror(errno));
             abort();
         }
         new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
-        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 
-        g_free(env_tlb(env)->f[mmu_idx].table);
-        g_free(env_tlb(env)->d[mmu_idx].iotlb);
-        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+        g_free(fast->table);
+        g_free(desc->iotlb);
+        fast->table = g_try_new(CPUTLBEntry, new_size);
+        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
     }
 }
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(env, mmu_idx);
+    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
-    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1,
-           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    desc->n_used_entries = 0;
+    desc->large_page_addr = -1;
+    desc->large_page_mask = -1;
+    desc->vindex = 0;
+    memset(fast->table, -1, sizeof_tlb(fast));
+    memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
-- 
2.20.1

We will want to be able to flush a tlb without resizing.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     }
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
-
-    tlb_mmu_resize_locked(desc, fast);
     desc->n_used_entries = 0;
     desc->large_page_addr = -1;
     desc->large_page_mask = -1;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+{
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_flush_locked(desc, fast);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
-- 
2.20.1

Merge into the only caller, but at the same time split
out tlb_mmu_init to initialize a single tlb entry.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
     desc->window_max_entries = max_entries;
 }
 
-static void tlb_dyn_init(CPUArchState *env)
-{
-    int i;
-
-    for (i = 0; i < NB_MMU_MODES; i++) {
-        CPUTLBDesc *desc = &env_tlb(env)->d[i];
-        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
-
-        tlb_window_reset(desc, get_clock_realtime(), 0);
-        desc->n_used_entries = 0;
-        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
-        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
-        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
-    }
-}
-
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
  * @desc: The CPUTLBDesc portion of the TLB
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     tlb_mmu_flush_locked(desc, fast);
 }
 
+static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+{
+    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
+
+    tlb_window_reset(desc, now, 0);
+    desc->n_used_entries = 0;
+    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_new(CPUTLBEntry, n_entries);
+    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
 void tlb_init(CPUState *cpu)
 {
     CPUArchState *env = cpu->env_ptr;
+    int64_t now = get_clock_realtime();
+    int i;
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
     /* Ensure that cpu_reset performs a full flush.  */
     env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
 
-    tlb_dyn_init(env);
+    for (i = 0; i < NB_MMU_MODES; i++) {
+        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
+    }
 }
 
 /* flush_all_helper: run fn across all cpus
-- 
2.20.1

There's little point in leaving these data structures half initialized,
and relying on a flush to be done during reset.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
     fast->table = g_new(CPUTLBEntry, n_entries);
     desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+    tlb_mmu_flush_locked(desc, fast);
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
-    /* Ensure that cpu_reset performs a full flush.  */
-    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+    /* All tlbs are initialized flushed. */
+    env_tlb(env)->c.dirty = 0;
 
     for (i = 0; i < NB_MMU_MODES; i++) {
         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
-- 
2.20.1

Do not call get_clock_realtime() in tlb_mmu_resize_locked,
but hoist outside of any loop over a set of tlbs.  This is
only two (indirect) callers, tlb_flush_by_mmuidx_async_work
and tlb_flush_page_locked, so not onerous.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
+                                  int64_t now)
 {
     size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
-    int64_t now = get_clock_realtime();
     int64_t window_len_ms = 100;
     int64_t window_len_ns = window_len_ms * 1000 * 1000;
     bool window_expired = now > desc->window_begin_ns + window_len_ns;
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
+                                        int64_t now)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
     CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 
-    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_resize_locked(desc, fast, now);
     tlb_mmu_flush_locked(desc, fast);
 }
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
     CPUArchState *env = cpu->env_ptr;
     uint16_t asked = data.host_int;
     uint16_t all_dirty, work, to_clean;
+    int64_t now = get_clock_realtime();
 
     assert_cpu_is_self(cpu);
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 
     for (work = to_clean; work != 0; work &= work - 1) {
         int mmu_idx = ctz32(work);
-        tlb_flush_one_mmuidx_locked(env, mmu_idx);
+        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
     }
 
     qemu_spin_unlock(&env_tlb(env)->c.lock);
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
         tlb_debug("forcing full flush midx %d ("
                   TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                   midx, lp_addr, lp_mask);
-        tlb_flush_one_mmuidx_locked(env, midx);
+        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
     } else {
         if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
             tlb_n_used_entries_dec(env, midx);
-- 
2.20.1

The following changes since commit 6587b0c1331d427b0939c37e763842550ed581db:

Merge remote-tracking branch 'remotes/ericb/tags/pull-nbd-2021-10-15' into staging (2021-10-15 14:16:28 -0700)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20211016

for you to fetch changes up to 995b87dedc78b0467f5f18bbc3546072ba97516a:

Revert "cpu: Move cpu_common_props to hw/core/cpu.c" (2021-10-15 16:39:15 -0700)

----------------------------------------------------------------
Move gdb singlestep to generic code
Fix cpu_common_props

----------------------------------------------------------------
Richard Henderson (24):
      accel/tcg: Handle gdb singlestep in cpu_tb_exec
      target/alpha: Drop checks for singlestep_enabled
      target/avr: Drop checks for singlestep_enabled
      target/cris: Drop checks for singlestep_enabled
      target/hexagon: Drop checks for singlestep_enabled
      target/arm: Drop checks for singlestep_enabled
      target/hppa: Drop checks for singlestep_enabled
      target/i386: Check CF_NO_GOTO_TB for dc->jmp_opt
      target/i386: Drop check for singlestep_enabled
      target/m68k: Drop checks for singlestep_enabled
      target/microblaze: Check CF_NO_GOTO_TB for DISAS_JUMP
      target/microblaze: Drop checks for singlestep_enabled
      target/mips: Fix single stepping
      target/mips: Drop exit checks for singlestep_enabled
      target/openrisc: Drop checks for singlestep_enabled
      target/ppc: Drop exit checks for singlestep_enabled
      target/riscv: Remove dead code after exception
      target/riscv: Remove exit_tb and lookup_and_goto_ptr
      target/rx: Drop checks for singlestep_enabled
      target/s390x: Drop check for singlestep_enabled
      target/sh4: Drop check for singlestep_enabled
      target/tricore: Drop check for singlestep_enabled
      target/xtensa: Drop check for singlestep_enabled
      Revert "cpu: Move cpu_common_props to hw/core/cpu.c"

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/alpha/translate.c | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static void alpha_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         tcg_gen_movi_i64(cpu_pc, ctx->base.pc_next);
         /* FALLTHRU */
     case DISAS_PC_UPDATED:
-        if (!ctx->base.singlestep_enabled) {
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        }
-        /* FALLTHRU */
+        tcg_gen_lookup_and_goto_ptr();
+        break;
     case DISAS_PC_UPDATED_NOCHAIN:
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG, 0);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.

Tested-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/translate.c | 19 ++++---------------
 1 file changed, 4 insertions(+), 15 deletions(-)

diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
     ctx->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         tcg_gen_movi_tl(cpu_pc, ctx->npc);
         /* fall through */
     case DISAS_LOOKUP:
-        if (!ctx->base.singlestep_enabled) {
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        }
-        /* fall through */
+        tcg_gen_lookup_and_goto_ptr();
+        break;
     case DISAS_EXIT:
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/hexagon/translate.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_end_tb(DisasContext *ctx)
 {
     gen_exec_counters(ctx);
     tcg_gen_mov_tl(hex_gpr[HEX_REG_PC], hex_next_PC);
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_raw(EXCP_DEBUG);
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
     case DISAS_TOO_MANY:
         gen_exec_counters(ctx);
         tcg_gen_movi_tl(hex_gpr[HEX_REG_PC], ctx->base.pc_next);
-        if (ctx->base.singlestep_enabled) {
-            gen_exception_raw(EXCP_DEBUG);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     case DISAS_NORETURN:
         break;
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/translate-a64.c | 10 ++--------
 target/arm/translate.c     | 36 ++++++------------------------------
 2 files changed, 8 insertions(+), 38 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_goto_tb(DisasContext *s, int n, uint64_t dest)
         gen_a64_set_pc_im(dest);
         if (s->ss_active) {
             gen_step_complete_exception(s);
-        } else if (s->base.singlestep_enabled) {
-            gen_exception_internal(EXCP_DEBUG);
         } else {
             tcg_gen_lookup_and_goto_ptr();
             s->base.is_jmp = DISAS_NORETURN;
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    if (unlikely(dc->base.singlestep_enabled || dc->ss_active)) {
+    if (unlikely(dc->ss_active)) {
         /* Note that this means single stepping WFI doesn't halt the CPU.
          * For conditional branch insns this is harmless unreachable code as
          * gen_goto_tb() has already handled emitting the debug exception
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
             /* fall through */
         case DISAS_EXIT:
         case DISAS_JUMP:
-            if (dc->base.singlestep_enabled) {
-                gen_exception_internal(EXCP_DEBUG);
-            } else {
-                gen_step_complete_exception(dc);
-            }
+            gen_step_complete_exception(dc);
             break;
         case DISAS_NORETURN:
             break;
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_exception_internal(int excp)
     tcg_temp_free_i32(tcg_excp);
 }
 
-static void gen_step_complete_exception(DisasContext *s)
+static void gen_singlestep_exception(DisasContext *s)
 {
     /* We just completed step of an insn. Move from Active-not-pending
      * to Active-pending, and then also take the swstep exception.
@@ -XXX,XX +XXX,XX @@ static void gen_step_complete_exception(DisasContext *s)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_singlestep_exception(DisasContext *s)
-{
-    /* Generate the right kind of exception for singlestep, which is
-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
-     * gdb singlestepping.
-     */
-    if (s->ss_active) {
-        gen_step_complete_exception(s);
-    } else {
-        gen_exception_internal(EXCP_DEBUG);
-    }
-}
-
-static inline bool is_singlestepping(DisasContext *s)
-{
-    /* Return true if we are singlestepping either because of
-     * architectural singlestep or QEMU gdbstub singlestep. This does
-     * not include the command line '-singlestep' mode which is rather
-     * misnamed as it only means "one instruction per TB" and doesn't
-     * affect the code we generate.
-     */
-    return s->base.singlestep_enabled || s->ss_active;
-}
-
 void clear_eci_state(DisasContext *s)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static inline void gen_bx_excret_final_code(DisasContext *s)
     /* Is the new PC value in the magic range indicating exception return? */
     tcg_gen_brcondi_i32(TCG_COND_GEU, cpu_R[15], min_magic, excret_label);
     /* No: end the TB as we would for a DISAS_JMP */
-    if (is_singlestepping(s)) {
+    if (s->ss_active) {
         gen_singlestep_exception(s);
     } else {
         tcg_gen_exit_tb(NULL, 0);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *s, int n, target_ulong dest)
 /* Jump, specifying which TB number to use if we gen_goto_tb() */
 static inline void gen_jmp_tb(DisasContext *s, uint32_t dest, int tbno)
 {
-    if (unlikely(is_singlestepping(s))) {
+    if (unlikely(s->ss_active)) {
         /* An indirect jump so that we still trigger the debug exception.  */
         gen_set_pc_im(s, dest);
         s->base.is_jmp = DISAS_JUMP;
@@ -XXX,XX +XXX,XX @@ static void arm_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     dc->page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 
     /* If architectural single step active, limit to 1.  */
-    if (is_singlestepping(dc)) {
+    if (dc->ss_active) {
         dc->base.max_insns = 1;
     }
 
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          * insn codepath itself.
          */
         gen_bx_excret_final_code(dc);
-    } else if (unlikely(is_singlestepping(dc))) {
+    } else if (unlikely(dc->ss_active)) {
         /* Unconditional and "condition passed" instruction codepath. */
         switch (dc->base.is_jmp) {
         case DISAS_SWI:
@@ -XXX,XX +XXX,XX @@ static void arm_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         /* "Condition failed" instruction codepath for the branch/trap insn */
         gen_set_label(dc->condlabel);
         gen_set_condexec(dc);
-        if (unlikely(is_singlestepping(dc))) {
+        if (unlikely(dc->ss_active)) {
             gen_set_pc_im(dc, dc->base.pc_next);
             gen_singlestep_exception(dc);
         } else {
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/hppa/translate.c | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int which,
     } else {
         copy_iaoq_entry(cpu_iaoq_f, f, cpu_iaoq_b);
         copy_iaoq_entry(cpu_iaoq_b, b, ctx->iaoq_n_var);
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static bool do_rfi(DisasContext *ctx, bool rfi_r)
         gen_helper_rfi(cpu_env);
     }
     /* Exit the TB to recognize new interrupts.  */
-    if (ctx->base.singlestep_enabled) {
-        gen_excp_1(EXCP_DEBUG);
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
 
     return nullify_end(ctx);
@@ -XXX,XX +XXX,XX @@ static void hppa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         nullify_save(ctx);
         /* FALLTHRU */
     case DISAS_IAQ_N_UPDATED:
-        if (ctx->base.singlestep_enabled) {
-            gen_excp_1(EXCP_DEBUG);
-        } else if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
+        if (is_jmp != DISAS_IAQ_N_STALE_EXIT) {
             tcg_gen_lookup_and_goto_ptr();
+            break;
         }
         /* FALLTHRU */
     case DISAS_EXIT:
-- 
2.25.1

We were using singlestep_enabled as a proxy for whether
translator_use_goto_tb would always return false.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     CPUX86State *env = cpu->env_ptr;
     uint32_t flags = dc->base.tb->flags;
+    uint32_t cflags = tb_cflags(dc->base.tb);
     int cpl = (flags >> HF_CPL_SHIFT) & 3;
     int iopl = (flags >> IOPL_SHIFT) & 3;
 
@@ -XXX,XX +XXX,XX @@ static void i386_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
     dc->cpuid_ext3_features = env->features[FEAT_8000_0001_ECX];
     dc->cpuid_7_0_ebx_features = env->features[FEAT_7_0_EBX];
     dc->cpuid_xsave_features = env->features[FEAT_XSAVE];
-    dc->jmp_opt = !(dc->base.singlestep_enabled ||
+    dc->jmp_opt = !((cflags & CF_NO_GOTO_TB) ||
                     (flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)));
     /*
      * If jmp_opt, we want to handle each string instruction individually.
      * For icount also disable repz optimization so that each iteration
      * is accounted separately.
      */
-    dc->repz_opt = !dc->jmp_opt && !(tb_cflags(dc->base.tb) & CF_USE_ICOUNT);
+    dc->repz_opt = !dc->jmp_opt && !(cflags & CF_USE_ICOUNT);
 
     dc->T0 = tcg_temp_new();
     dc->T1 = tcg_temp_new();
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/helper.h          | 1 -
 target/i386/tcg/misc_helper.c | 8 --------
 target/i386/tcg/translate.c   | 4 +---
 3 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/target/i386/helper.h b/target/i386/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/helper.h
+++ b/target/i386/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(syscall, void, env, int)
 DEF_HELPER_2(sysret, void, env, int)
 #endif
 DEF_HELPER_FLAGS_2(pause, TCG_CALL_NO_WG, noreturn, env, int)
-DEF_HELPER_FLAGS_1(debug, TCG_CALL_NO_WG, noreturn, env)
 DEF_HELPER_1(reset_rf, void, env)
 DEF_HELPER_FLAGS_3(raise_interrupt, TCG_CALL_NO_WG, noreturn, env, int, int)
 DEF_HELPER_FLAGS_2(raise_exception, TCG_CALL_NO_WG, noreturn, env, int)
diff --git a/target/i386/tcg/misc_helper.c b/target/i386/tcg/misc_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/misc_helper.c
+++ b/target/i386/tcg/misc_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_pause(CPUX86State *env, int next_eip_addend)
     do_pause(env);
 }
 
-void QEMU_NORETURN helper_debug(CPUX86State *env)
-{
-    CPUState *cs = env_cpu(env);
-
-    cs->exception_index = EXCP_DEBUG;
-    cpu_loop_exit(cs);
-}
-
 uint64_t helper_rdpkru(CPUX86State *env, uint32_t ecx)
 {
     if ((env->cr[4] & CR4_PKE_MASK) == 0) {
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ do_gen_eob_worker(DisasContext *s, bool inhibit, bool recheck_tf, bool jr)
     if (s->base.tb->flags & HF_RF_MASK) {
         gen_helper_reset_rf(cpu_env);
     }
-    if (s->base.singlestep_enabled) {
-        gen_helper_debug(cpu_env);
-    } else if (recheck_tf) {
+    if (recheck_tf) {
         gen_helper_rechecking_single_step(cpu_env);
         tcg_gen_exit_tb(NULL, 0);
     } else if (s->flags & HF_TF_MASK) {
-- 
2.25.1

GDB single-stepping is now handled generically.

Acked-by: Laurent Vivier <laurent@vivier.eu>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/m68k/translate.c | 44 +++++++++--------------------------------
 1 file changed, 9 insertions(+), 35 deletions(-)

diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static void do_writebacks(DisasContext *s)
     }
 }
 
-static bool is_singlestepping(DisasContext *s)
-{
-    /*
-     * Return true if we are singlestepping either because of
-     * architectural singlestep or QEMU gdbstub singlestep. This does
-     * not include the command line '-singlestep' mode which is rather
-     * misnamed as it only means "one instruction per TB" and doesn't
-     * affect the code we generate.
-     */
-    return s->base.singlestep_enabled || s->ss_active;
-}
-
 /* is_jmp field values */
 #define DISAS_JUMP      DISAS_TARGET_0 /* only pc was modified dynamically */
 #define DISAS_EXIT      DISAS_TARGET_1 /* cpu state was modified dynamically */
@@ -XXX,XX +XXX,XX @@ static void gen_exception(DisasContext *s, uint32_t dest, int nr)
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_singlestep_exception(DisasContext *s)
-{
-    /*
-     * Generate the right kind of exception for singlestep, which is
-     * either the architectural singlestep or EXCP_DEBUG for QEMU's
-     * gdb singlestepping.
-     */
-    if (s->ss_active) {
-        gen_raise_exception(EXCP_TRACE);
-    } else {
-        gen_raise_exception(EXCP_DEBUG);
-    }
-}
-
 static inline void gen_addr_fault(DisasContext *s)
 {
     gen_exception(s, s->base.pc_next, EXCP_ADDRESS);
@@ -XXX,XX +XXX,XX @@ static void gen_exit_tb(DisasContext *s)
 /* Generate a jump to an immediate address.  */
 static void gen_jmp_tb(DisasContext *s, int n, uint32_t dest)
 {
-    if (unlikely(is_singlestepping(s))) {
+    if (unlikely(s->ss_active)) {
         update_cc_op(s);
         tcg_gen_movi_i32(QREG_PC, dest);
-        gen_singlestep_exception(s);
+        gen_raise_exception(EXCP_TRACE);
     } else if (translator_use_goto_tb(&s->base, dest)) {
         tcg_gen_goto_tb(n);
         tcg_gen_movi_i32(QREG_PC, dest);
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cpu)
 
     dc->ss_active = (M68K_SR_TRACE(env->sr) == M68K_SR_TRACE_ANY_INS);
     /* If architectural single step active, limit to 1 */
-    if (is_singlestepping(dc)) {
+    if (dc->ss_active) {
         dc->base.max_insns = 1;
     }
 }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
         break;
     case DISAS_TOO_MANY:
         update_cc_op(dc);
-        if (is_singlestepping(dc)) {
+        if (dc->ss_active) {
             tcg_gen_movi_i32(QREG_PC, dc->pc);
-            gen_singlestep_exception(dc);
+            gen_raise_exception(EXCP_TRACE);
         } else {
             gen_jmp_tb(dc, 0, dc->pc);
         }
         break;
     case DISAS_JUMP:
         /* We updated CC_OP and PC in gen_jmp/gen_jmp_im.  */
-        if (is_singlestepping(dc)) {
-            gen_singlestep_exception(dc);
+        if (dc->ss_active) {
+            gen_raise_exception(EXCP_TRACE);
         } else {
             tcg_gen_lookup_and_goto_ptr();
         }
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
          * We updated CC_OP and PC in gen_exit_tb, but also modified
          * other state that may require returning to the main loop.
          */
-        if (is_singlestepping(dc)) {
-            gen_singlestep_exception(dc);
+        if (dc->ss_active) {
+            gen_raise_exception(EXCP_TRACE);
         } else {
             tcg_gen_exit_tb(NULL, 0);
         }
-- 
2.25.1

We were using singlestep_enabled as a proxy for whether
translator_use_goto_tb would always return false.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/microblaze/translate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
         break;
 
     case DISAS_JUMP:
-        if (dc->jmp_dest != -1 && !cs->singlestep_enabled) {
+        if (dc->jmp_dest != -1 && !(tb_cflags(dc->base.tb) & CF_NO_GOTO_TB)) {
             /* Direct jump. */
             tcg_gen_discard_i32(cpu_btarget);
 
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
             return;
         }
 
-        /* Indirect jump (or direct jump w/ singlestep) */
+        /* Indirect jump (or direct jump w/ goto_tb disabled) */
         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
         tcg_gen_discard_i32(cpu_btarget);
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/microblaze/translate.c | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_raise_hw_excp(DisasContext *dc, uint32_t esr_ec)
 
 static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
 {
-    if (dc->base.singlestep_enabled) {
-        TCGv_i32 tmp = tcg_const_i32(EXCP_DEBUG);
-        tcg_gen_movi_i32(cpu_pc, dest);
-        gen_helper_raise_exception(cpu_env, tmp);
-        tcg_temp_free_i32(tmp);
-    } else if (translator_use_goto_tb(&dc->base, dest)) {
+    if (translator_use_goto_tb(&dc->base, dest)) {
         tcg_gen_goto_tb(n);
         tcg_gen_movi_i32(cpu_pc, dest);
         tcg_gen_exit_tb(dc->base.tb, n);
@@ -XXX,XX +XXX,XX @@ static void mb_tr_tb_stop(DisasContextBase *dcb, CPUState *cs)
         /* Indirect jump (or direct jump w/ goto_tb disabled) */
         tcg_gen_mov_i32(cpu_pc, cpu_btarget);
         tcg_gen_discard_i32(cpu_btarget);
-
-        if (unlikely(cs->singlestep_enabled)) {
-            gen_raise_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         return;
 
     default:
-- 
2.25.1

As per an ancient comment in mips_tr_translate_insn about the
expectations of gdb, when restarting the insn in a delay slot
we also re-execute the branch.  Which means that we are
expected to execute two insns in this case.

This has been broken since 8b86d6d2580, where we forced max_insns
to 1 while single-stepping.  This resulted in an exit from the
translator loop after the branch but before the delay slot is
translated.

Increase the max_insns to 2 for this case.  In addition, bypass
the end-of-page check, for when the branch itself ends the page.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/translate.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void mips_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     ctx->default_tcg_memop_mask = (ctx->insn_flags & (ISA_MIPS_R6 |
                                   INSN_LOONGSON3A)) ? MO_UNALN : MO_ALIGN;
 
+    /*
+     * Execute a branch and its delay slot as a single instruction.
+     * This is what GDB expects and is consistent with what the
+     * hardware does (e.g. if a delay slot instruction faults, the
+     * reported PC is the PC of the branch).
+     */
+    if (ctx->base.singlestep_enabled && (ctx->hflags & MIPS_HFLAG_BMASK)) {
+        ctx->base.max_insns = 2;
+    }
+
     LOG_DISAS("\ntb %p idx %d hflags %04x\n", ctx->base.tb, ctx->mem_idx,
               ctx->hflags);
 }
@@ -XXX,XX +XXX,XX @@ static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
     if (ctx->base.is_jmp != DISAS_NEXT) {
         return;
     }
+
     /*
-     * Execute a branch and its delay slot as a single instruction.
-     * This is what GDB expects and is consistent with what the
-     * hardware does (e.g. if a delay slot instruction faults, the
-     * reported PC is the PC of the branch).
+     * End the TB on (most) page crossings.
+     * See mips_tr_init_disas_context about single-stepping a branch
+     * together with its delay slot.
      */
-    if (ctx->base.singlestep_enabled &&
-        (ctx->hflags & MIPS_HFLAG_BMASK) == 0) {
-        ctx->base.is_jmp = DISAS_TOO_MANY;
-    }
-    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE) {
+    if (ctx->base.pc_next - ctx->page_start >= TARGET_PAGE_SIZE
+        && !ctx->base.singlestep_enabled) {
         ctx->base.is_jmp = DISAS_TOO_MANY;
     }
 }
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/translate.c | 50 +++++++++++++------------------------
 1 file changed, 18 insertions(+), 32 deletions(-)

diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         gen_save_pc(dest);
-        if (ctx->base.singlestep_enabled) {
-            save_cpu_state(ctx, 0);
-            gen_helper_raise_exception_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void gen_branch(DisasContext *ctx, int insn_bytes)
             } else {
                 tcg_gen_mov_tl(cpu_PC, btarget);
             }
-            if (ctx->base.singlestep_enabled) {
-                save_cpu_state(ctx, 0);
-                gen_helper_raise_exception_debug(cpu_env);
-            }
             tcg_gen_lookup_and_goto_ptr();
             break;
         default:
@@ -XXX,XX +XXX,XX @@ static void mips_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
-    if (ctx->base.singlestep_enabled && ctx->base.is_jmp != DISAS_NORETURN) {
-        save_cpu_state(ctx, ctx->base.is_jmp != DISAS_EXIT);
-        gen_helper_raise_exception_debug(cpu_env);
-    } else {
-        switch (ctx->base.is_jmp) {
-        case DISAS_STOP:
-            gen_save_pc(ctx->base.pc_next);
-            tcg_gen_lookup_and_goto_ptr();
-            break;
-        case DISAS_NEXT:
-        case DISAS_TOO_MANY:
-            save_cpu_state(ctx, 0);
-            gen_goto_tb(ctx, 0, ctx->base.pc_next);
-            break;
-        case DISAS_EXIT:
-            tcg_gen_exit_tb(NULL, 0);
-            break;
-        case DISAS_NORETURN:
-            break;
-        default:
-            g_assert_not_reached();
-        }
+    switch (ctx->base.is_jmp) {
+    case DISAS_STOP:
+        gen_save_pc(ctx->base.pc_next);
+        tcg_gen_lookup_and_goto_ptr();
+        break;
+    case DISAS_NEXT:
+    case DISAS_TOO_MANY:
+        save_cpu_state(ctx, 0);
+        gen_goto_tb(ctx, 0, ctx->base.pc_next);
+        break;
+    case DISAS_EXIT:
+        tcg_gen_exit_tb(NULL, 0);
+        break;
+    case DISAS_NORETURN:
+        break;
+    default:
+        g_assert_not_reached();
     }
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/openrisc/translate.c | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             /* The jump destination is indirect/computed; use jmp_pc.  */
             tcg_gen_mov_tl(cpu_pc, jmp_pc);
             tcg_gen_discard_tl(jmp_pc);
-            if (unlikely(dc->base.singlestep_enabled)) {
-                gen_exception(dc, EXCP_DEBUG);
-            } else {
-                tcg_gen_lookup_and_goto_ptr();
-            }
+            tcg_gen_lookup_and_goto_ptr();
             break;
         }
         /* The jump destination is direct; use jmp_pc_imm.
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             break;
         }
         tcg_gen_movi_tl(cpu_pc, jmp_dest);
-        if (unlikely(dc->base.singlestep_enabled)) {
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         break;
 
     case DISAS_EXIT:
-        if (unlikely(dc->base.singlestep_enabled)) {
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

GDB single-stepping is now handled generically.
Reuse gen_debug_exception to handle architectural debug exceptions.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/ppc/translate.c | 38 ++++++++------------------------------
 1 file changed, 8 insertions(+), 30 deletions(-)

diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@
 
 #define CPU_SINGLE_STEP 0x1
 #define CPU_BRANCH_STEP 0x2
-#define GDBSTUB_SINGLE_STEP 0x4
 
 /* Include definitions for instructions classes and implementations flags */
 /* #define PPC_DEBUG_DISAS */
@@ -XXX,XX +XXX,XX @@ static uint32_t gen_prep_dbgex(DisasContext *ctx)
 
 static void gen_debug_exception(DisasContext *ctx)
 {
-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
+    gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
@@ -XXX,XX +XXX,XX @@ static inline bool use_goto_tb(DisasContext *ctx, target_ulong dest)
 
 static void gen_lookup_and_goto_ptr(DisasContext *ctx)
 {
-    int sse = ctx->singlestep_enabled;
-    if (unlikely(sse)) {
-        if (sse & GDBSTUB_SINGLE_STEP) {
-            gen_debug_exception(ctx);
-        } else if (sse & (CPU_SINGLE_STEP | CPU_BRANCH_STEP)) {
-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+    if (unlikely(ctx->singlestep_enabled)) {
+        gen_debug_exception(ctx);
     } else {
         tcg_gen_lookup_and_goto_ptr();
     }
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
     ctx->singlestep_enabled = 0;
     if ((hflags >> HFLAGS_SE) & 1) {
         ctx->singlestep_enabled |= CPU_SINGLE_STEP;
+        ctx->base.max_insns = 1;
     }
     if ((hflags >> HFLAGS_BE) & 1) {
         ctx->singlestep_enabled |= CPU_BRANCH_STEP;
     }
-    if (unlikely(ctx->base.singlestep_enabled)) {
-        ctx->singlestep_enabled |= GDBSTUB_SINGLE_STEP;
-    }
-
-    if (ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP)) {
-        ctx->base.max_insns = 1;
-    }
 }
 
 static void ppc_tr_tb_start(DisasContextBase *db, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     DisasJumpType is_jmp = ctx->base.is_jmp;
     target_ulong nip = ctx->base.pc_next;
-    int sse;
 
     if (is_jmp == DISAS_NORETURN) {
         /* We have already exited the TB. */
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     }
 
     /* Honor single stepping. */
-    sse = ctx->singlestep_enabled & (CPU_SINGLE_STEP | GDBSTUB_SINGLE_STEP);
-    if (unlikely(sse)) {
+    if (unlikely(ctx->singlestep_enabled & CPU_SINGLE_STEP)
+        && (nip <= 0x100 || nip > 0xf00)) {
         switch (is_jmp) {
         case DISAS_TOO_MANY:
         case DISAS_EXIT_UPDATE:
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
             g_assert_not_reached();
         }
 
-        if (sse & GDBSTUB_SINGLE_STEP) {
-            gen_debug_exception(ctx);
-            return;
-        }
-        /* else CPU_SINGLE_STEP... */
-        if (nip <= 0x100 || nip > 0xf00) {
-            gen_helper_raise_exception(cpu_env, tcg_constant_i32(gen_prep_dbgex(ctx)));
-            return;
-        }
+        gen_debug_exception(ctx);
+        return;
     }
 
     switch (is_jmp) {
-- 
2.25.1

We have already set DISAS_NORETURN in generate_exception,
which makes the exit_tb unreachable.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/insn_trans/trans_privileged.c.inc | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_privileged.c.inc
+++ b/target/riscv/insn_trans/trans_privileged.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_ecall(DisasContext *ctx, arg_ecall *a)
 {
     /* always generates U-level ECALL, fixed in do_interrupt handler */
     generate_exception(ctx, RISCV_EXCP_U_ECALL);
-    exit_tb(ctx); /* no chaining */
-    ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
 
@@ -XXX,XX +XXX,XX @@ static bool trans_ebreak(DisasContext *ctx, arg_ebreak *a)
         post   = opcode_at(&ctx->base, post_addr);
     }
 
-    if  (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
+    if (pre == 0x01f01013 && ebreak == 0x00100073 && post == 0x40705013) {
         generate_exception(ctx, RISCV_EXCP_SEMIHOST);
     } else {
         generate_exception(ctx, RISCV_EXCP_BREAKPOINT);
     }
-    exit_tb(ctx); /* no chaining */
-    ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically, which means
we don't need to do anything in the wrappers.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c                      | 27 +------------------
 .../riscv/insn_trans/trans_privileged.c.inc   |  4 +--
 target/riscv/insn_trans/trans_rvi.c.inc       |  8 +++---
 target/riscv/insn_trans/trans_rvv.c.inc       |  2 +-
 4 files changed, 7 insertions(+), 34 deletions(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void generate_exception_mtval(DisasContext *ctx, int excp)
     ctx->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_exception_debug(void)
-{
-    gen_helper_raise_exception(cpu_env, tcg_constant_i32(EXCP_DEBUG));
-}
-
-/* Wrapper around tcg_gen_exit_tb that handles single stepping */
-static void exit_tb(DisasContext *ctx)
-{
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_debug();
-    } else {
-        tcg_gen_exit_tb(NULL, 0);
-    }
-}
-
-/* Wrapper around tcg_gen_lookup_and_goto_ptr that handles single stepping */
-static void lookup_and_goto_ptr(DisasContext *ctx)
-{
-    if (ctx->base.singlestep_enabled) {
-        gen_exception_debug();
-    } else {
-        tcg_gen_lookup_and_goto_ptr();
-    }
-}
-
 static void gen_exception_illegal(DisasContext *ctx)
 {
     generate_exception(ctx, RISCV_EXCP_ILLEGAL_INST);
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         tcg_gen_movi_tl(cpu_pc, dest);
-        lookup_and_goto_ptr(ctx);
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
diff --git a/target/riscv/insn_trans/trans_privileged.c.inc b/target/riscv/insn_trans/trans_privileged.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_privileged.c.inc
+++ b/target/riscv/insn_trans/trans_privileged.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_sret(DisasContext *ctx, arg_sret *a)
 
     if (has_ext(ctx, RVS)) {
         gen_helper_sret(cpu_pc, cpu_env, cpu_pc);
-        exit_tb(ctx); /* no chaining */
+        tcg_gen_exit_tb(NULL, 0); /* no chaining */
         ctx->base.is_jmp = DISAS_NORETURN;
     } else {
         return false;
@@ -XXX,XX +XXX,XX @@ static bool trans_mret(DisasContext *ctx, arg_mret *a)
 #ifndef CONFIG_USER_ONLY
     tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
     gen_helper_mret(cpu_pc, cpu_env, cpu_pc);
-    exit_tb(ctx); /* no chaining */
+    tcg_gen_exit_tb(NULL, 0); /* no chaining */
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 #else
diff --git a/target/riscv/insn_trans/trans_rvi.c.inc b/target/riscv/insn_trans/trans_rvi.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvi.c.inc
+++ b/target/riscv/insn_trans/trans_rvi.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_jalr(DisasContext *ctx, arg_jalr *a)
     if (a->rd != 0) {
         tcg_gen_movi_tl(cpu_gpr[a->rd], ctx->pc_succ_insn);
     }
-
-    /* No chaining with JALR. */
-    lookup_and_goto_ptr(ctx);
+    tcg_gen_lookup_and_goto_ptr();
 
     if (misaligned) {
         gen_set_label(misaligned);
@@ -XXX,XX +XXX,XX @@ static bool trans_fence_i(DisasContext *ctx, arg_fence_i *a)
      * however we need to end the translation block
      */
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    exit_tb(ctx);
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool do_csr_post(DisasContext *ctx)
 {
     /* We may have changed important cpu state -- exit to main loop. */
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    exit_tb(ctx);
+    tcg_gen_exit_tb(NULL, 0);
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
diff --git a/target/riscv/insn_trans/trans_rvv.c.inc b/target/riscv/insn_trans/trans_rvv.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/insn_trans/trans_rvv.c.inc
+++ b/target/riscv/insn_trans/trans_rvv.c.inc
@@ -XXX,XX +XXX,XX @@ static bool trans_vsetvl(DisasContext *ctx, arg_vsetvl *a)
     gen_set_gpr(ctx, a->rd, dst);
 
     tcg_gen_movi_tl(cpu_pc, ctx->pc_succ_insn);
-    lookup_and_goto_ptr(ctx);
+    tcg_gen_lookup_and_goto_ptr();
     ctx->base.is_jmp = DISAS_NORETURN;
     return true;
 }
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/rx/helper.h    |  1 -
 target/rx/op_helper.c |  8 --------
 target/rx/translate.c | 12 ++----------
 3 files changed, 2 insertions(+), 19 deletions(-)

diff --git a/target/rx/helper.h b/target/rx/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/helper.h
+++ b/target/rx/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_access_fault, noreturn, env)
 DEF_HELPER_1(raise_privilege_violation, noreturn, env)
 DEF_HELPER_1(wait, noreturn, env)
-DEF_HELPER_1(debug, noreturn, env)
 DEF_HELPER_2(rxint, noreturn, env, i32)
 DEF_HELPER_1(rxbrk, noreturn, env)
 DEF_HELPER_FLAGS_3(fadd, TCG_CALL_NO_WG, f32, env, f32, f32)
diff --git a/target/rx/op_helper.c b/target/rx/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/op_helper.c
+++ b/target/rx/op_helper.c
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN helper_wait(CPURXState *env)
     raise_exception(env, EXCP_HLT, 0);
 }
 
-void QEMU_NORETURN helper_debug(CPURXState *env)
-{
-    CPUState *cs = env_cpu(env);
-
-    cs->exception_index = EXCP_DEBUG;
-    cpu_loop_exit(cs);
-}
-
 void QEMU_NORETURN helper_rxint(CPURXState *env, uint32_t vec)
 {
     raise_exception(env, 0x100 + vec, 0);
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *dc, int n, target_ulong dest)
         tcg_gen_exit_tb(dc->base.tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (dc->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
     dc->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void rx_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         gen_goto_tb(ctx, 0, dcbase->pc_next);
         break;
     case DISAS_JUMP:
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
         break;
     case DISAS_UPDATE:
         tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/s390x/tcg/translate.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ struct DisasContext {
     uint64_t pc_tmp;
     uint32_t ilen;
     enum cc_op cc_op;
-    bool do_debug;
 };
 
 /* Information carried about a condition to be evaluated.  */
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
 
     dc->cc_op = CC_OP_DYNAMIC;
     dc->ex_value = dc->base.tb->cs_base;
-    dc->do_debug = dc->base.singlestep_enabled;
 }
 
 static void s390x_tr_tb_start(DisasContextBase *db, CPUState *cs)
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         /* FALLTHRU */
     case DISAS_PC_CC_UPDATED:
         /* Exit the TB, either by raising a debug exception or by return.  */
-        if (dc->do_debug) {
-            gen_exception(EXCP_DEBUG);
-        } else if ((dc->base.tb->flags & FLAG_MASK_PER) ||
-                   dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
+        if ((dc->base.tb->flags & FLAG_MASK_PER) ||
+             dc->base.is_jmp == DISAS_PC_STALE_NOCHAIN) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/sh4/helper.h    |  1 -
 target/sh4/op_helper.c |  5 -----
 target/sh4/translate.c | 14 +++-----------
 3 files changed, 3 insertions(+), 17 deletions(-)

diff --git a/target/sh4/helper.h b/target/sh4/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/helper.h
+++ b/target/sh4/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(raise_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_slot_illegal_instruction, noreturn, env)
 DEF_HELPER_1(raise_fpu_disable, noreturn, env)
 DEF_HELPER_1(raise_slot_fpu_disable, noreturn, env)
-DEF_HELPER_1(debug, noreturn, env)
 DEF_HELPER_1(sleep, noreturn, env)
 DEF_HELPER_2(trapa, noreturn, env, i32)
 DEF_HELPER_1(exclusive, noreturn, env)
diff --git a/target/sh4/op_helper.c b/target/sh4/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/op_helper.c
+++ b/target/sh4/op_helper.c
@@ -XXX,XX +XXX,XX @@ void helper_raise_slot_fpu_disable(CPUSH4State *env)
     raise_exception(env, 0x820, 0);
 }
 
-void helper_debug(CPUSH4State *env)
-{
-    raise_exception(env, EXCP_DEBUG, 0);
-}
-
 void helper_sleep(CPUSH4State *env)
 {
     CPUState *cs = env_cpu(env);
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         tcg_gen_movi_i32(cpu_pc, dest);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else if (use_exit_tb(ctx)) {
+        if (use_exit_tb(ctx)) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void gen_jump(DisasContext * ctx)
 	   delayed jump as immediate jump are conditinal jumps */
 	tcg_gen_mov_i32(cpu_pc, cpu_delayed_pc);
         tcg_gen_discard_i32(cpu_delayed_pc);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else if (use_exit_tb(ctx)) {
+        if (use_exit_tb(ctx)) {
             tcg_gen_exit_tb(NULL, 0);
         } else {
             tcg_gen_lookup_and_goto_ptr();
@@ -XXX,XX +XXX,XX @@ static void sh4_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     switch (ctx->base.is_jmp) {
     case DISAS_STOP:
         gen_save_cpu_state(ctx, true);
-        if (ctx->base.singlestep_enabled) {
-            gen_helper_debug(cpu_env);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
         break;
     case DISAS_NEXT:
     case DISAS_TOO_MANY:
-- 
2.25.1

GDB single-stepping is now handled generically.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/tricore/helper.h    |  1 -
 target/tricore/op_helper.c |  7 -------
 target/tricore/translate.c | 14 +-------------
 3 files changed, 1 insertion(+), 21 deletions(-)

diff --git a/target/tricore/helper.h b/target/tricore/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/helper.h
+++ b/target/tricore/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_2(psw_write, void, env, i32)
 DEF_HELPER_1(psw_read, i32, env)
 /* Exceptions */
 DEF_HELPER_3(raise_exception_sync, noreturn, env, i32, i32)
-DEF_HELPER_2(qemu_excp, noreturn, env, i32)
diff --git a/target/tricore/op_helper.c b/target/tricore/op_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/op_helper.c
+++ b/target/tricore/op_helper.c
@@ -XXX,XX +XXX,XX @@ static void raise_exception_sync_helper(CPUTriCoreState *env, uint32_t class,
     raise_exception_sync_internal(env, class, tin, pc, 0);
 }
 
-void helper_qemu_excp(CPUTriCoreState *env, uint32_t excp)
-{
-    CPUState *cs = env_cpu(env);
-    cs->exception_index = excp;
-    cpu_loop_exit(cs);
-}
-
 /* Addressing mode helper */
 
 static uint16_t reverse16(uint16_t val)
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static inline void gen_save_pc(target_ulong pc)
     tcg_gen_movi_tl(cpu_PC, pc);
 }
 
-static void generate_qemu_excp(DisasContext *ctx, int excp)
-{
-    TCGv_i32 tmp = tcg_const_i32(excp);
-    gen_helper_qemu_excp(cpu_env, tmp);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    tcg_temp_free(tmp);
-}
-
 static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
 {
     if (translator_use_goto_tb(&ctx->base, dest)) {
@@ -XXX,XX +XXX,XX @@ static void gen_goto_tb(DisasContext *ctx, int n, target_ulong dest)
         tcg_gen_exit_tb(ctx->base.tb, n);
     } else {
         gen_save_pc(dest);
-        if (ctx->base.singlestep_enabled) {
-            generate_qemu_excp(ctx, EXCP_DEBUG);
-        } else {
-            tcg_gen_lookup_and_goto_ptr();
-        }
+        tcg_gen_lookup_and_goto_ptr();
     }
 }
 
-- 
2.25.1

GDB single-stepping is now handled generically.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/xtensa/translate.c | 25 ++++++++-----------------
 1 file changed, 8 insertions(+), 17 deletions(-)

diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_jump_slot(DisasContext *dc, TCGv dest, int slot)
     if (dc->icount) {
         tcg_gen_mov_i32(cpu_SR[ICOUNT], dc->next_icount);
     }
-    if (dc->base.singlestep_enabled) {
-        gen_exception(dc, EXCP_DEBUG);
+    if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
+        slot = gen_postprocess(dc, slot);
+    }
+    if (slot >= 0) {
+        tcg_gen_goto_tb(slot);
+        tcg_gen_exit_tb(dc->base.tb, slot);
     } else {
-        if (dc->op_flags & XTENSA_OP_POSTPROCESS) {
-            slot = gen_postprocess(dc, slot);
-        }
-        if (slot >= 0) {
-            tcg_gen_goto_tb(slot);
-            tcg_gen_exit_tb(dc->base.tb, slot);
-        } else {
-            tcg_gen_exit_tb(NULL, 0);
-        }
+        tcg_gen_exit_tb(NULL, 0);
     }
     dc->base.is_jmp = DISAS_NORETURN;
 }
@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
     case DISAS_NORETURN:
         break;
     case DISAS_TOO_MANY:
-        if (dc->base.singlestep_enabled) {
-            tcg_gen_movi_i32(cpu_pc, dc->pc);
-            gen_exception(dc, EXCP_DEBUG);
-        } else {
-            gen_jumpi(dc, dc->pc, 0);
-        }
+        gen_jumpi(dc, dc->pc, 0);
         break;
     default:
         g_assert_not_reached();
-- 
2.25.1

This reverts commit 1b36e4f5a5de585210ea95f2257839c2312be28f.

Despite a comment saying why cpu_common_props cannot be placed in
a file that is compiled once, it was moved anyway.  Revert that.

Since then, Property is not defined in hw/core/cpu.h, so it is now
easier to declare a function to install the properties rather than
the Property array itself.

Cc: Eduardo Habkost <ehabkost@redhat.com>
Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/hw/core/cpu.h |  1 +
 cpu.c                 | 21 +++++++++++++++++++++
 hw/core/cpu-common.c  | 17 +----------------
 3 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/include/hw/core/cpu.h
+++ b/include/hw/core/cpu.h
@@ -XXX,XX +XXX,XX @@ void QEMU_NORETURN cpu_abort(CPUState *cpu, const char *fmt, ...)
     GCC_FMT_ATTR(2, 3);
 
 /* $(top_srcdir)/cpu.c */
+void cpu_class_init_props(DeviceClass *dc);
 void cpu_exec_initfn(CPUState *cpu);
 void cpu_exec_realizefn(CPUState *cpu, Error **errp);
 void cpu_exec_unrealizefn(CPUState *cpu);
diff --git a/cpu.c b/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/cpu.c
+++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_unrealizefn(CPUState *cpu)
     cpu_list_remove(cpu);
 }
 
+static Property cpu_common_props[] = {
+#ifndef CONFIG_USER_ONLY
+    /*
+     * Create a memory property for softmmu CPU object,
+     * so users can wire up its memory. (This can't go in hw/core/cpu.c
+     * because that file is compiled only once for both user-mode
+     * and system builds.) The default if no link is set up is to use
+     * the system address space.
+     */
+    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
+                     MemoryRegion *),
+#endif
+    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
+    DEFINE_PROP_END_OF_LIST(),
+};
+
+void cpu_class_init_props(DeviceClass *dc)
+{
+    device_class_set_props(dc, cpu_common_props);
+}
+
 void cpu_exec_initfn(CPUState *cpu)
 {
     cpu->as = NULL;
diff --git a/hw/core/cpu-common.c b/hw/core/cpu-common.c
index XXXXXXX..XXXXXXX 100644
--- a/hw/core/cpu-common.c
+++ b/hw/core/cpu-common.c
@@ -XXX,XX +XXX,XX @@ static int64_t cpu_common_get_arch_id(CPUState *cpu)
     return cpu->cpu_index;
 }
 
-static Property cpu_common_props[] = {
-#ifndef CONFIG_USER_ONLY
-    /* Create a memory property for softmmu CPU object,
-     * so users can wire up its memory. (This can't go in hw/core/cpu.c
-     * because that file is compiled only once for both user-mode
-     * and system builds.) The default if no link is set up is to use
-     * the system address space.
-     */
-    DEFINE_PROP_LINK("memory", CPUState, memory, TYPE_MEMORY_REGION,
-                     MemoryRegion *),
-#endif
-    DEFINE_PROP_BOOL("start-powered-off", CPUState, start_powered_off, false),
-    DEFINE_PROP_END_OF_LIST(),
-};
-
 static void cpu_class_init(ObjectClass *klass, void *data)
 {
     DeviceClass *dc = DEVICE_CLASS(klass);
@@ -XXX,XX +XXX,XX @@ static void cpu_class_init(ObjectClass *klass, void *data)
     dc->realize = cpu_common_realizefn;
     dc->unrealize = cpu_common_unrealizefn;
     dc->reset = cpu_common_reset;
-    device_class_set_props(dc, cpu_common_props);
+    cpu_class_init_props(dc);
     /*
      * Reason: CPUs still need special care by board code: wiring up
      * IRQs, adding reset handlers, halting non-first CPUs, ...
-- 
2.25.1