Series comparison

-[PULL 00/16] tcg patch queue
+[PULL 00/12] tcg patch queue
-The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:
+The following changes since commit 7c18f2d663521f1b31b821a13358ce38075eaf7d:
-  Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)
+  Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2023-04-29 23:07:17 +0100)
 are available in the Git repository at:
-  https://github.com/rth7680/qemu.git tags/pull-tcg-20200121
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230502
-for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:
+for you to fetch changes up to bdc7fba1c5a29ae218b45353daac9308fe1aae82:
-  scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)
+  tcg: Introduce tcg_out_movext2 (2023-05-02 12:15:41 +0100)
 ----------------------------------------------------------------
-Remove another limit to NB_MMU_MODES.
+Misc tcg-related patch queue.
 Fix compilation using uclibc.
 Fix defaulting of -accel parameters.
 Tidy cputlb basic routines.
 Adjust git.orderfile for decodetree.
 ----------------------------------------------------------------
-Carlos Santos (1):
+Dickon Hood (1):
-      util/cacheinfo: fix crash when compiling with uClibc
+      qemu/bitops.h: Limit rotate amounts
-Philippe Mathieu-Daudé (1):
+Kiran Ostrolenk (1):
-      scripts/git.orderfile: Display decodetree before C source
+      qemu/host-utils.h: Add clz and ctz functions for lower-bit integers
-Richard Henderson (14):
+Nazar Kazakov (2):
-      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
+      tcg: Add tcg_gen_gvec_andcs
-      vl: Remove unused variable in configure_accelerators
+      tcg: Add tcg_gen_gvec_rotrs
       vl: Reduce scope of variables in configure_accelerators
       vl: Remove useless test in configure_accelerators
       vl: Only choose enabled accelerators in configure_accelerators
       cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
       cputlb: Make tlb_n_entries private to cputlb.c
       cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
       cputlb: Hoist tlb portions in tlb_mmu_resize_locked
       cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
       cputlb: Split out tlb_mmu_flush_locked
       cputlb: Partially merge tlb_dyn_init into tlb_init
       cputlb: Initialize tlbs as flushed
       cputlb: Hoist timestamp outside of loops over tlbs
- include/exec/cpu_ldst.h |   5 -
+Richard Henderson (7):
- accel/tcg/cputlb.c      | 287 +++++++++++++++++++++++++++++++++---------------
+      softmmu: Tidy dirtylimit_dirty_ring_full_time
- util/cacheinfo.c        |  10 +-
+      qemu/int128: Re-shuffle Int128Alias members
- vl.c                    |  27 +++--
+      migration/xbzrle: Use __attribute__((target)) for avx512
- scripts/git.orderfile   |   3 +
+      accel/tcg: Add cpu_ld*_code_mmu
-files changed, 223 insertions(+), 109 deletions(-)
+      tcg/loongarch64: Conditionalize tcg_out_exts_i32_i64
       tcg/mips: Conditionalize tcg_out_exts_i32_i64
       tcg: Introduce tcg_out_movext2
+Weiwei Li (1):
+      accel/tcg: Uncache the host address for instruction fetch when tlb size < 1
+ meson.build                      |  5 +--
+ accel/tcg/tcg-runtime.h          |  1 +
+ include/exec/cpu_ldst.h          |  9 ++++++
+ include/qemu/bitops.h            | 24 +++++++++-----
+ include/qemu/host-utils.h        | 54 +++++++++++++++++++++++++++++++
+ include/qemu/int128.h            |  4 +--
+ include/tcg/tcg-op-gvec.h        |  4 +++
+ accel/tcg/cputlb.c               | 53 ++++++++++++++++++++++++++++++
+ accel/tcg/tcg-runtime-gvec.c     | 11 +++++++
+ accel/tcg/user-exec.c            | 58 +++++++++++++++++++++++++++++++++
+ migration/xbzrle.c               |  9 +++---
+ softmmu/dirtylimit.c             | 15 ++++++---
+ tcg/tcg-op-gvec.c                | 28 ++++++++++++++++
+ tcg/tcg.c                        | 69 +++++++++++++++++++++++++++++++++++++---
+ tcg/arm/tcg-target.c.inc         | 44 +++++++++++--------------
+ tcg/i386/tcg-target.c.inc        | 19 +++++------
+ tcg/loongarch64/tcg-target.c.inc |  4 ++-
+ tcg/mips/tcg-target.c.inc        |  4 ++-
+files changed, 347 insertions(+), 68 deletions(-)

-[PULL 10/16] cputlb: Hoist tlb portions in tlb_mmu_resize_locked
+[PULL 01/12] softmmu: Tidy dirtylimit_dirty_ring_full_time
-No functional change, but the smaller expressions make
+Drop inline marker: let compiler decide.
 the code easier to read.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Change return type to uint64_t: this matches the computation in the
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+return statement and the local variable assignment in the caller.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Rename local to dirty_ring_size_MB to fix typo.
 Simplify conversion to MiB via qemu_target_page_bits and right shift.
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Thomas Huth <thuth@redhat.com>
 Reviewed-by: Juan Quintela <quintela@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
+ softmmu/dirtylimit.c | 15 ++++++++++-----
-file changed, 17 insertions(+), 18 deletions(-)
+file changed, 10 insertions(+), 5 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/softmmu/dirtylimit.c
-+++ b/accel/tcg/cputlb.c
++++ b/softmmu/dirtylimit.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
+@@ -XXX,XX +XXX,XX @@ bool dirtylimit_vcpu_index_valid(int cpu_index)
+              cpu_index >= ms->smp.max_cpus);
- /**
+ }
-  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
-- * @env: CPU that owns the TLB
+-static inline int64_t dirtylimit_dirty_ring_full_time(uint64_t dirtyrate)
-- * @mmu_idx: MMU index of the TLB
++static uint64_t dirtylimit_dirty_ring_full_time(uint64_t dirtyrate)
 + * @desc: The CPUTLBDesc portion of the TLB
 + * @fast: The CPUTLBDescFast portion of the same TLB
   *
   * Called with tlb_lock_held.
   *
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
   * high), since otherwise we are likely to have a significant amount of
   * conflict misses.
   */
 -static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
 +static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
  {
--    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+     static uint64_t max_dirtyrate;
--    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+-    uint32_t dirty_ring_size = kvm_dirty_ring_size();
-+    size_t old_size = tlb_n_entries(fast);
+-    uint64_t dirty_ring_size_meory_MB =
-     size_t rate;
+-        dirty_ring_size * qemu_target_page_size() >> 20;
-     size_t new_size = old_size;
++    unsigned target_page_bits = qemu_target_page_bits();
-     int64_t now = get_clock_realtime();
++    uint64_t dirty_ring_size_MB;
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
++
-         return;
++    /* So far, the largest (non-huge) page size is 64k, i.e. 16 bits. */
 +    assert(target_page_bits < 20);
 +
 +    /* Convert ring size (pages) to MiB (2**20). */
 +    dirty_ring_size_MB = kvm_dirty_ring_size() >> (20 - target_page_bits);
      if (max_dirtyrate < dirtyrate) {
          max_dirtyrate = dirtyrate;
      }
--    g_free(env_tlb(env)->f[mmu_idx].table);
+-    return dirty_ring_size_meory_MB * 1000000 / max_dirtyrate;
--    g_free(env_tlb(env)->d[mmu_idx].iotlb);
++    return dirty_ring_size_MB * 1000000 / max_dirtyrate;
 +    g_free(fast->table);
 +    g_free(desc->iotlb);
      tlb_window_reset(desc, now, 0);
      /* desc->n_used_entries is cleared by the caller */
 -    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 -    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
 -    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 +    fast->table = g_try_new(CPUTLBEntry, new_size);
 +    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +
      /*
       * If the allocations fail, try smaller sizes. We just freed some
       * memory, so going back to half of new_size has a good chance of working.
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
       * allocations to fail though, so we progressively reduce the allocation
       * size, aborting if we cannot even allocate the smallest TLB we support.
       */
 -    while (env_tlb(env)->f[mmu_idx].table == NULL ||
 -           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
 +    while (fast->table == NULL || desc->iotlb == NULL) {
          if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
              error_report("%s: %s", __func__, strerror(errno));
              abort();
          }
          new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
 -        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 +        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 -        g_free(env_tlb(env)->f[mmu_idx].table);
 -        g_free(env_tlb(env)->d[mmu_idx].iotlb);
 -        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
 -        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
 +        g_free(fast->table);
 +        g_free(desc->iotlb);
 +        fast->table = g_try_new(CPUTLBEntry, new_size);
 +        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
      }
  }
- static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+ static inline bool dirtylimit_done(uint64_t quota,
  {
 -    tlb_mmu_resize_locked(env, mmu_idx);
 +    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
      env_tlb(env)->d[mmu_idx].n_used_entries = 0;
      env_tlb(env)->d[mmu_idx].large_page_addr = -1;
      env_tlb(env)->d[mmu_idx].large_page_mask = -1;
 --
-.20.1
+.34.1

-[PULL 15/16] cputlb: Hoist timestamp outside of loops over tlbs
+[PULL 02/12] accel/tcg: Uncache the host address for instruction fetch when tlb size < 1
-Do not call get_clock_realtime() in tlb_mmu_resize_locked,
+From: Weiwei Li <liweiwei@iscas.ac.cn>
 but hoist outside of any loop over a set of tlbs.  This is
 only two (indirect) callers, tlb_flush_by_mmuidx_async_work
 and tlb_flush_page_locked, so not onerous.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+When PMP entry overlap part of the page, we'll set the tlb_size to 1, which
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+will make the address in tlb entry set with TLB_INVALID_MASK, and the next
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+access will again go through tlb_fill.However, this way will not work in
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+tb_gen_code() => get_page_addr_code_hostp(): the TLB host address will be
 cached, and the following instructions can use this host address directly
 which may lead to the bypass of PMP related check.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1542.
 Signed-off-by: Weiwei Li <liweiwei@iscas.ac.cn>
 Signed-off-by: Junqiang Wang <wangjunqiang@iscas.ac.cn>
 Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20230422130329.23555-6-liweiwei@iscas.ac.cn>
 ---
- accel/tcg/cputlb.c | 14 ++++++++------
+ accel/tcg/cputlb.c | 5 +++++
-file changed, 8 insertions(+), 6 deletions(-)
+file changed, 5 insertions(+)
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-  * high), since otherwise we are likely to have a significant amount of
+     if (p == NULL) {
-  * conflict misses.
+         return -1;
   */
 -static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 +static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
 +                                  int64_t now)
  {
      size_t old_size = tlb_n_entries(fast);
      size_t rate;
      size_t new_size = old_size;
 -    int64_t now = get_clock_realtime();
      int64_t window_len_ms = 100;
      int64_t window_len_ns = window_len_ms * 1000 * 1000;
      bool window_expired = now > desc->window_begin_ns + window_len_ns;
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
      memset(desc->vtable, -1, sizeof(desc->vtable));
  }
 -static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 +static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
 +                                        int64_t now)
  {
      CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
      CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 -    tlb_mmu_resize_locked(desc, fast);
 +    tlb_mmu_resize_locked(desc, fast, now);
      tlb_mmu_flush_locked(desc, fast);
  }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
      CPUArchState *env = cpu->env_ptr;
      uint16_t asked = data.host_int;
      uint16_t all_dirty, work, to_clean;
 +    int64_t now = get_clock_realtime();
      assert_cpu_is_self(cpu);
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
      for (work = to_clean; work != 0; work &= work - 1) {
          int mmu_idx = ctz32(work);
 -        tlb_flush_one_mmuidx_locked(env, mmu_idx);
 +        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
      }
++
-     qemu_spin_unlock(&env_tlb(env)->c.lock);
++    if (full->lg_page_size < TARGET_PAGE_BITS) {
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
++        return -1;
-         tlb_debug("forcing full flush midx %d ("
++    }
-                   TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
++
-                   midx, lp_addr, lp_mask);
+     if (hostp) {
--        tlb_flush_one_mmuidx_locked(env, midx);
+         *hostp = p;
-+        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
+     }
      } else {
          if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
              tlb_n_used_entries_dec(env, midx);
 --
-.20.1
+.34.1

-[PULL 01/16] cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
+[PULL 03/12] qemu/bitops.h: Limit rotate amounts
-In target/arm we will shortly have "too many" mmu_idx.
+From: Dickon Hood <dickon.hood@codethink.co.uk>
 The current minimum barrier is caused by the way in which
 tlb_flush_page_by_mmuidx is coded.
-We can remove this limitation by allocating memory for
+Rotates have been fixed up to only allow for reasonable rotate amounts
-consumption by the worker.  Let us assume that this is
+(ie, no rotates >7 on an 8b value etc.)  This fixes a problem with riscv
-the unlikely case, as will be the case for the majority
+vector rotate instructions.
 of targets which have so far satisfied the BUILD_BUG_ON,
 and only allocate memory when necessary.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Dickon Hood <dickon.hood@codethink.co.uk>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20230428144757.57530-9-lawrence.hunter@codethink.co.uk>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
+ include/qemu/bitops.h | 24 ++++++++++++++++--------
-file changed, 132 insertions(+), 35 deletions(-)
+file changed, 16 insertions(+), 8 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/qemu/bitops.h b/include/qemu/bitops.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/qemu/bitops.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/qemu/bitops.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
+@@ -XXX,XX +XXX,XX @@ static inline unsigned long find_first_zero_bit(const unsigned long *addr,
-     }
+  */
  static inline uint8_t rol8(uint8_t word, unsigned int shift)
  {
 -    return (word << shift) | (word >> ((8 - shift) & 7));
 +    shift &= 7;
 +    return (word << shift) | (word >> (8 - shift));
  }
--/* As we are going to hijack the bottom bits of the page address for a
+ /**
-- * mmuidx bit mask we need to fail to build if we can't do that
+@@ -XXX,XX +XXX,XX @@ static inline uint8_t rol8(uint8_t word, unsigned int shift)
 +/**
 + * tlb_flush_page_by_mmuidx_async_0:
 + * @cpu: cpu on which to flush
 + * @addr: page of virtual address to flush
 + * @idxmap: set of mmu_idx to flush
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
 + * at @addr from the tlbs indicated by @idxmap from @cpu.
   */
--QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
+ static inline uint8_t ror8(uint8_t word, unsigned int shift)
 -
 -static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
 -                                                run_on_cpu_data data)
 +static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
 +                                             target_ulong addr,
 +                                             uint16_t idxmap)
  {
-     CPUArchState *env = cpu->env_ptr;
+-    return (word >> shift) | (word << ((8 - shift) & 7));
--    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
++    shift &= 7;
--    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
++    return (word >> shift) | (word << (8 - shift));
 -    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
      int mmu_idx;
      assert_cpu_is_self(cpu);
 -    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
 -              addr, mmu_idx_bitmap);
 +    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
      qemu_spin_lock(&env_tlb(env)->c.lock);
      for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
 -        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
 +        if ((idxmap >> mmu_idx) & 1) {
              tlb_flush_page_locked(env, mmu_idx, addr);
          }
      }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
      tb_flush_jmp_cache(cpu, addr);
  }
-+/**
+ /**
-+ * tlb_flush_page_by_mmuidx_async_1:
+@@ -XXX,XX +XXX,XX @@ static inline uint8_t ror8(uint8_t word, unsigned int shift)
-+ * @cpu: cpu on which to flush
+  */
-+ * @data: encoded addr + idxmap
+ static inline uint16_t rol16(uint16_t word, unsigned int shift)
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, called through
 + * async_run_on_cpu.  The idxmap parameter is encoded in the page
 + * offset of the target_ptr field.  This limits the set of mmu_idx
 + * that can be passed via this method.
 + */
 +static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
 +                                             run_on_cpu_data data)
 +{
 +    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
 +    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
 +    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
 +
 +    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
 +}
 +
 +typedef struct {
 +    target_ulong addr;
 +    uint16_t idxmap;
 +} TLBFlushPageByMMUIdxData;
 +
 +/**
 + * tlb_flush_page_by_mmuidx_async_2:
 + * @cpu: cpu on which to flush
 + * @data: allocated addr + idxmap
 + *
 + * Helper for tlb_flush_page_by_mmuidx and friends, called through
 + * async_run_on_cpu.  The addr+idxmap parameters are stored in a
 + * TLBFlushPageByMMUIdxData structure that has been allocated
 + * specifically for this helper.  Free the structure when done.
 + */
 +static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
 +                                             run_on_cpu_data data)
 +{
 +    TLBFlushPageByMMUIdxData *d = data.host_ptr;
 +
 +    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
 +    g_free(d);
 +}
 +
  void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
  {
--    target_ulong addr_and_mmu_idx;
+-    return (word << shift) | (word >> ((16 - shift) & 15));
--
++    shift &= 15;
-     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
++    return (word << shift) | (word >> (16 - shift));
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    if (!qemu_cpu_is_self(cpu)) {
 -        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
 -                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    if (qemu_cpu_is_self(cpu)) {
 +        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
 +    } else if (idxmap < TARGET_PAGE_SIZE) {
 +        /*
 +         * Most targets have only a few mmu_idx.  In the case where
 +         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
 +         * allocating memory for this operation.
 +         */
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
      } else {
 -        tlb_flush_page_by_mmuidx_async_work(
 -            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
 +
 +        /* Otherwise allocate a structure, freed by the worker.  */
 +        d->addr = addr;
 +        d->idxmap = idxmap;
 +        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
 +                         RUN_ON_CPU_HOST_PTR(d));
      }
  }
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
+ /**
- void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
+@@ -XXX,XX +XXX,XX @@ static inline uint16_t rol16(uint16_t word, unsigned int shift)
-                                        uint16_t idxmap)
+  */
  static inline uint16_t ror16(uint16_t word, unsigned int shift)
  {
--    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
+-    return (word >> shift) | (word << ((16 - shift) & 15));
--    target_ulong addr_and_mmu_idx;
++    shift &= 15;
--
++    return (word >> shift) | (word << (16 - shift));
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 -    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    /*
 +     * Allocate memory to hold addr+idxmap only when needed.
 +     * See tlb_flush_page_by_mmuidx for details.
 +     */
 +    if (idxmap < TARGET_PAGE_SIZE) {
 +        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +    } else {
 +        CPUState *dst_cpu;
 +
 +        /* Allocate a separate data block for each destination cpu.  */
 +        CPU_FOREACH(dst_cpu) {
 +            if (dst_cpu != src_cpu) {
 +                TLBFlushPageByMMUIdxData *d
 +                    = g_new(TLBFlushPageByMMUIdxData, 1);
 +
 +                d->addr = addr;
 +                d->idxmap = idxmap;
 +                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                                 RUN_ON_CPU_HOST_PTR(d));
 +            }
 +        }
 +    }
 +
 +    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
  }
- void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
+ /**
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
+@@ -XXX,XX +XXX,XX @@ static inline uint16_t ror16(uint16_t word, unsigned int shift)
-                                               target_ulong addr,
+  */
-                                               uint16_t idxmap)
+ static inline uint32_t rol32(uint32_t word, unsigned int shift)
  {
--    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
+-    return (word << shift) | (word >> ((32 - shift) & 31));
--    target_ulong addr_and_mmu_idx;
++    shift &= 31;
--
++    return (word << shift) | (word >> (32 - shift));
      tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
      /* This should already be page aligned */
 -    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
 -    addr_and_mmu_idx |= idxmap;
 +    addr &= TARGET_PAGE_MASK;
 -    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 -    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
 +    /*
 +     * Allocate memory to hold addr+idxmap only when needed.
 +     * See tlb_flush_page_by_mmuidx for details.
 +     */
 +    if (idxmap < TARGET_PAGE_SIZE) {
 +        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
 +                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
 +    } else {
 +        CPUState *dst_cpu;
 +        TLBFlushPageByMMUIdxData *d;
 +
 +        /* Allocate a separate data block for each destination cpu.  */
 +        CPU_FOREACH(dst_cpu) {
 +            if (dst_cpu != src_cpu) {
 +                d = g_new(TLBFlushPageByMMUIdxData, 1);
 +                d->addr = addr;
 +                d->idxmap = idxmap;
 +                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                                 RUN_ON_CPU_HOST_PTR(d));
 +            }
 +        }
 +
 +        d = g_new(TLBFlushPageByMMUIdxData, 1);
 +        d->addr = addr;
 +        d->idxmap = idxmap;
 +        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
 +                              RUN_ON_CPU_HOST_PTR(d));
 +    }
  }
- void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
+ /**
@@ -XXX,XX +XXX,XX @@ static inline uint32_t rol32(uint32_t word, unsigned int shift)
   */
  static inline uint32_t ror32(uint32_t word, unsigned int shift)
  {
 -    return (word >> shift) | (word << ((32 - shift) & 31));
 +    shift &= 31;
 +    return (word >> shift) | (word << (32 - shift));
  }
  /**
@@ -XXX,XX +XXX,XX @@ static inline uint32_t ror32(uint32_t word, unsigned int shift)
   */
  static inline uint64_t rol64(uint64_t word, unsigned int shift)
  {
 -    return (word << shift) | (word >> ((64 - shift) & 63));
 +    shift &= 63;
 +    return (word << shift) | (word >> (64 - shift));
  }
  /**
@@ -XXX,XX +XXX,XX @@ static inline uint64_t rol64(uint64_t word, unsigned int shift)
   */
  static inline uint64_t ror64(uint64_t word, unsigned int shift)
  {
 -    return (word >> shift) | (word << ((64 - shift) & 63));
 +    shift &= 63;
 +    return (word >> shift) | (word << (64 - shift));
  }
  /**
 --
-.20.1
+.34.1

-[PULL 02/16] util/cacheinfo: fix crash when compiling with uClibc
+Deleted patch
-From: Carlos Santos <casantos@redhat.com>
-uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
-but the corresponding sysconf calls returns -1, which is a valid result,
-meaning that the limit is indeterminate.
-Handle this situation using the fallback values instead of crashing due
-to an assertion failure.
-Signed-off-by: Carlos Santos <casantos@redhat.com>
-Message-Id: <20191017123713.30192-1-casantos@redhat.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- util/cacheinfo.c | 10 ++++++++--
-file changed, 8 insertions(+), 2 deletions(-)
-diff --git a/util/cacheinfo.c b/util/cacheinfo.c
-index XXXXXXX..XXXXXXX 100644
---- a/util/cacheinfo.c
-+++ b/util/cacheinfo.c
-@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
- static void sys_cache_info(int *isize, int *dsize)
- {
- # ifdef _SC_LEVEL1_ICACHE_LINESIZE
--    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
-+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
-+    if (tmp_isize > 0) {
-+        *isize = tmp_isize;
-+    }
- # endif
- # ifdef _SC_LEVEL1_DCACHE_LINESIZE
--    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
-+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
-+    if (tmp_dsize > 0) {
-+        *dsize = tmp_dsize;
-+    }
- # endif
- }
- #endif /* sys_cache_info */
---
-.20.1

-[PULL 03/16] vl: Remove unused variable in configure_accelerators
+Deleted patch
-The accel_initialised variable no longer has any setters.
-Fixes: 6f6e1698a68c
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- vl.c | 3 +--
-file changed, 1 insertion(+), 2 deletions(-)
-diff --git a/vl.c b/vl.c
-index XXXXXXX..XXXXXXX 100644
---- a/vl.c
-+++ b/vl.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
- {
-     const char *accel;
-     char **accel_list, **tmp;
--    bool accel_initialised = false;
-     bool init_failed = false;
-     qemu_opts_foreach(qemu_find_opts("icount"),
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
-         accel_list = g_strsplit(accel, ":", 0);
--        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
-+        for (tmp = accel_list; tmp && *tmp; tmp++) {
-             /*
-              * Filter invalid accelerators here, to prevent obscenities
-              * such as "-machine accel=tcg,,thread=single".
---
-.20.1

-[PULL 04/16] vl: Reduce scope of variables in configure_accelerators
+Deleted patch
-The accel_list and tmp variables are only used when manufacturing
--machine accel, options based on -accel.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- vl.c | 3 ++-
-file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/vl.c b/vl.c
-index XXXXXXX..XXXXXXX 100644
---- a/vl.c
-+++ b/vl.c
-@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
- static void configure_accelerators(const char *progname)
- {
-     const char *accel;
--    char **accel_list, **tmp;
-     bool init_failed = false;
-     qemu_opts_foreach(qemu_find_opts("icount"),
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
-     accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
-     if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
-+        char **accel_list, **tmp;
-+
-         if (accel == NULL) {
-             /* Select the default accelerator */
-             if (!accel_find("tcg") && !accel_find("kvm")) {
---
-.20.1

-[PULL 05/16] vl: Remove useless test in configure_accelerators
+Deleted patch
-The result of g_strsplit is never NULL.
-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- vl.c | 2 +-
-file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/vl.c b/vl.c
-index XXXXXXX..XXXXXXX 100644
---- a/vl.c
-+++ b/vl.c
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
-         accel_list = g_strsplit(accel, ":", 0);
--        for (tmp = accel_list; tmp && *tmp; tmp++) {
-+        for (tmp = accel_list; *tmp; tmp++) {
-             /*
-              * Filter invalid accelerators here, to prevent obscenities
-              * such as "-machine accel=tcg,,thread=single".
---
-.20.1

-[PULL 16/16] scripts/git.orderfile: Display decodetree before C source
+[PULL 04/12] qemu/host-utils.h: Add clz and ctz functions for lower-bit integers
-From: Philippe Mathieu-Daudé <philmd@redhat.com>
+From: Kiran Ostrolenk <kiran.ostrolenk@codethink.co.uk>
-To avoid scrolling each instruction when reviewing tcg
+This is for use in the RISC-V vclz and vctz instructions (implemented in
-helpers written for the decodetree script, display the
+proceeding commit).
 .decode files (similar to header declarations) before
 the C source (implementation of previous declarations).
-Signed-off-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+Signed-off-by: Kiran Ostrolenk <kiran.ostrolenk@codethink.co.uk>
-Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20230428144757.57530-11-lawrence.hunter@codethink.co.uk>
 Message-Id: <20191230082856.30556-1-philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- scripts/git.orderfile | 3 +++
+ include/qemu/host-utils.h | 54 +++++++++++++++++++++++++++++++++++++++
-file changed, 3 insertions(+)
+file changed, 54 insertions(+)
-diff --git a/scripts/git.orderfile b/scripts/git.orderfile
+diff --git a/include/qemu/host-utils.h b/include/qemu/host-utils.h
 index XXXXXXX..XXXXXXX 100644
---- a/scripts/git.orderfile
+--- a/include/qemu/host-utils.h
-+++ b/scripts/git.orderfile
++++ b/include/qemu/host-utils.h
-@@ -XXX,XX +XXX,XX @@ qga/*.json
+@@ -XXX,XX +XXX,XX @@ static inline uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
- # headers
+ }
- *.h
+ #endif
-+# decoding tree specification
++/**
-+*.decode
++ * clz8 - count leading zeros in a 8-bit value.
 + * @val: The value to search
 + *
 + * Returns 8 if the value is zero.  Note that the GCC builtin is
 + * undefined if the value is zero.
 + *
 + * Note that the GCC builtin will upcast its argument to an `unsigned int`
 + * so this function subtracts off the number of prepended zeroes.
 + */
 +static inline int clz8(uint8_t val)
 +{
 +    return val ? __builtin_clz(val) - 24 : 8;
 +}
 +
- # code
++/**
- *.c
++ * clz16 - count leading zeros in a 16-bit value.
 + * @val: The value to search
 + *
 + * Returns 16 if the value is zero.  Note that the GCC builtin is
 + * undefined if the value is zero.
 + *
 + * Note that the GCC builtin will upcast its argument to an `unsigned int`
 + * so this function subtracts off the number of prepended zeroes.
 + */
 +static inline int clz16(uint16_t val)
 +{
 +    return val ? __builtin_clz(val) - 16 : 16;
 +}
 +
  /**
   * clz32 - count leading zeros in a 32-bit value.
   * @val: The value to search
@@ -XXX,XX +XXX,XX @@ static inline int clo64(uint64_t val)
      return clz64(~val);
  }
 +/**
 + * ctz8 - count trailing zeros in a 8-bit value.
 + * @val: The value to search
 + *
 + * Returns 8 if the value is zero.  Note that the GCC builtin is
 + * undefined if the value is zero.
 + */
 +static inline int ctz8(uint8_t val)
 +{
 +    return val ? __builtin_ctz(val) : 8;
 +}
 +
 +/**
 + * ctz16 - count trailing zeros in a 16-bit value.
 + * @val: The value to search
 + *
 + * Returns 16 if the value is zero.  Note that the GCC builtin is
 + * undefined if the value is zero.
 + */
 +static inline int ctz16(uint16_t val)
 +{
 +    return val ? __builtin_ctz(val) : 16;
 +}
 +
  /**
   * ctz32 - count trailing zeros in a 32-bit value.
   * @val: The value to search
 --
-.20.1
+.34.1

-[PULL 07/16] cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
+[PULL 05/12] tcg: Add tcg_gen_gvec_andcs
-There is only one caller for tlb_table_flush_by_mmuidx.  Place
+From: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
 the result at the earlier line number, due to an expected user
 in the near future.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Add tcg expander and helper functions for and-compliment
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+vector with scalar operand.
 Signed-off-by: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
 Message-Id: <20230428144757.57530-10-lawrence.hunter@codethink.co.uk>
 [rth: Split out of larger patch.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 +++++++------------
+ accel/tcg/tcg-runtime.h      |  1 +
-file changed, 7 insertions(+), 12 deletions(-)
+ include/tcg/tcg-op-gvec.h    |  2 ++
  accel/tcg/tcg-runtime-gvec.c | 11 +++++++++++
  tcg/tcg-op-gvec.c            | 17 +++++++++++++++++
 files changed, 31 insertions(+)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/accel/tcg/tcg-runtime.h
-+++ b/accel/tcg/cputlb.c
++++ b/accel/tcg/tcg-runtime.h
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_nor, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
-     }
+ DEF_HELPER_FLAGS_4(gvec_eqv, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
  DEF_HELPER_FLAGS_4(gvec_ands, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 +DEF_HELPER_FLAGS_4(gvec_andcs, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
  DEF_HELPER_FLAGS_4(gvec_xors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
  DEF_HELPER_FLAGS_4(gvec_ors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/tcg/tcg-op-gvec.h
 +++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_ori(unsigned vece, uint32_t dofs, uint32_t aofs,
  void tcg_gen_gvec_ands(unsigned vece, uint32_t dofs, uint32_t aofs,
                         TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
 +void tcg_gen_gvec_andcs(unsigned vece, uint32_t dofs, uint32_t aofs,
 +                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
  void tcg_gen_gvec_xors(unsigned vece, uint32_t dofs, uint32_t aofs,
                         TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
  void tcg_gen_gvec_ors(unsigned vece, uint32_t dofs, uint32_t aofs,
 diff --git a/accel/tcg/tcg-runtime-gvec.c b/accel/tcg/tcg-runtime-gvec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tcg-runtime-gvec.c
 +++ b/accel/tcg/tcg-runtime-gvec.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_ands)(void *d, void *a, uint64_t b, uint32_t desc)
      clear_high(d, oprsz, desc);
  }
--static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
++void HELPER(gvec_andcs)(void *d, void *a, uint64_t b, uint32_t desc)
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++{
 +    intptr_t oprsz = simd_oprsz(desc);
 +    intptr_t i;
 +
 +    for (i = 0; i < oprsz; i += sizeof(uint64_t)) {
 +        *(uint64_t *)(d + i) = *(uint64_t *)(a + i) & ~b;
 +    }
 +    clear_high(d, oprsz, desc);
 +}
 +
  void HELPER(gvec_xors)(void *d, void *a, uint64_t b, uint32_t desc)
  {
-     tlb_mmu_resize_locked(env, mmu_idx);
+     intptr_t oprsz = simd_oprsz(desc);
--    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
-     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+index XXXXXXX..XXXXXXX 100644
-+    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+--- a/tcg/tcg-op-gvec.c
-+    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
++++ b/tcg/tcg-op-gvec.c
-+    env_tlb(env)->d[mmu_idx].vindex = 0;
+@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_andi(unsigned vece, uint32_t dofs, uint32_t aofs,
-+    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+     tcg_gen_gvec_2s(dofs, aofs, oprsz, maxsz, tmp, &gop_ands);
 +    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
 +           sizeof(env_tlb(env)->d[0].vtable));
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
++void tcg_gen_gvec_andcs(unsigned vece, uint32_t dofs, uint32_t aofs,
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
++                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz)
-     *pelide = elide;
++{
- }
++    static GVecGen2s g = {
++        .fni8 = tcg_gen_andc_i64,
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++        .fniv = tcg_gen_andc_vec,
--{
++        .fno = gen_helper_gvec_andcs,
--    tlb_table_flush_by_mmuidx(env, mmu_idx);
++        .prefer_i64 = TCG_TARGET_REG_BITS == 64,
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
++        .vece = MO_64
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
++    };
--    env_tlb(env)->d[mmu_idx].vindex = 0;
++
--    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
++    TCGv_i64 tmp = tcg_temp_ebb_new_i64();
--           sizeof(env_tlb(env)->d[0].vtable));
++    tcg_gen_dup_i64(vece, tmp, c);
--}
++    tcg_gen_gvec_2s(dofs, aofs, oprsz, maxsz, c, &g);
--
++    tcg_temp_free_i64(tmp);
- static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
++}
- {
++
-     CPUArchState *env = cpu->env_ptr;
+ static const GVecGen2s gop_xors = {
      .fni8 = tcg_gen_xor_i64,
      .fniv = tcg_gen_xor_vec,
 --
-.20.1
+.34.1

-[PULL 09/16] cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
+[PULL 06/12] tcg: Add tcg_gen_gvec_rotrs
-We do not need the entire CPUArchState to compute these values.
+From: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Add tcg expander and helper functions for rotate right
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+vector with scalar operand.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
 Message-Id: <20230428144757.57530-10-lawrence.hunter@codethink.co.uk>
 [rth: Split out of larger patch; mask rotation count.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++-------
+ include/tcg/tcg-op-gvec.h |  2 ++
-file changed, 8 insertions(+), 7 deletions(-)
+ tcg/tcg-op-gvec.c         | 11 +++++++++++
 files changed, 13 insertions(+)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/include/tcg/tcg-op-gvec.h
-+++ b/accel/tcg/cputlb.c
++++ b/include/tcg/tcg-op-gvec.h
-@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
+@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_sars(unsigned vece, uint32_t dofs, uint32_t aofs,
- QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
+                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
- #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
+ void tcg_gen_gvec_rotls(unsigned vece, uint32_t dofs, uint32_t aofs,
+                         TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
--static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
++void tcg_gen_gvec_rotrs(unsigned vece, uint32_t dofs, uint32_t aofs,
-+static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
++                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
- {
--    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+ /*
-+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
+  * Perform vector shift by vector element, modulo the element size.
 diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg-op-gvec.c
 +++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_rotls(unsigned vece, uint32_t dofs, uint32_t aofs,
      do_gvec_shifts(vece, dofs, aofs, shift, oprsz, maxsz, &g);
  }
--static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
++void tcg_gen_gvec_rotrs(unsigned vece, uint32_t dofs, uint32_t aofs,
-+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
++                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz)
- {
++{
--    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
++    TCGv_i32 tmp = tcg_temp_ebb_new_i32();
-+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
++
- }
++    tcg_gen_neg_i32(tmp, shift);
++    tcg_gen_andi_i32(tmp, tmp, (8 << vece) - 1);
- static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
++    tcg_gen_gvec_rotls(vece, dofs, aofs, tmp, oprsz, maxsz);
-@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
++    tcg_temp_free_i32(tmp);
- static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
++}
- {
++
-     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+ /*
--    size_t old_size = tlb_n_entries(env, mmu_idx);
+  * Expand D = A << (B % element bits)
-+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+  *
      size_t rate;
      size_t new_size = old_size;
      int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
      env_tlb(env)->d[mmu_idx].large_page_addr = -1;
      env_tlb(env)->d[mmu_idx].large_page_mask = -1;
      env_tlb(env)->d[mmu_idx].vindex = 0;
 -    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
 +    memset(env_tlb(env)->f[mmu_idx].table, -1,
 +           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
      memset(env_tlb(env)->d[mmu_idx].vtable, -1,
             sizeof(env_tlb(env)->d[0].vtable));
  }
@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
      qemu_spin_lock(&env_tlb(env)->c.lock);
      for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
          unsigned int i;
 -        unsigned int n = tlb_n_entries(env, mmu_idx);
 +        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
          for (i = 0; i < n; i++) {
              tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
 --
-.20.1
+.34.1

-[PULL 06/16] vl: Only choose enabled accelerators in configure_accelerators
+[PULL 07/12] qemu/int128: Re-shuffle Int128Alias members
-By choosing "tcg:kvm" when kvm is not enabled, we generate
+Clang 14, with --enable-tcg-interpreter errors with
 an incorrect warning: "invalid accelerator kvm".
-At the same time, use g_str_has_suffix rather than open-coding
+include/qemu/int128.h:487:16: error: alignment of field 'i' (128 bits)
-the same operation.
+  does not match the alignment of the first field in transparent union;
   transparent_union attribute ignored [-Werror,-Wignored-attributes]
     __int128_t i;
                ^
 include/qemu/int128.h:486:12: note: alignment of first field is 64 bits
     Int128 s;
            ^
 error generated.
-Presumably the inverse is also true with --disable-tcg.
+By placing the __uint128_t member first, this is avoided.
-Fixes: 28a0961757fc
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 Acked-by: Paolo Bonzini <pbonzini@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
+Message-Id: <20230501204625.277361-1-richard.henderson@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- vl.c | 21 +++++++++++++--------
+ include/qemu/int128.h | 4 ++--
-file changed, 13 insertions(+), 8 deletions(-)
+file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/vl.c b/vl.c
+diff --git a/include/qemu/int128.h b/include/qemu/int128.h
 index XXXXXXX..XXXXXXX 100644
---- a/vl.c
+--- a/include/qemu/int128.h
-+++ b/vl.c
++++ b/include/qemu/int128.h
-@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
+@@ -XXX,XX +XXX,XX @@ static inline void bswap128s(Int128 *s)
+  */
-         if (accel == NULL) {
+ #ifdef CONFIG_INT128
-             /* Select the default accelerator */
+ typedef union {
--            if (!accel_find("tcg") && !accel_find("kvm")) {
+-    Int128 s;
--                error_report("No accelerator selected and"
+-    __int128_t i;
--                             " no default accelerator available");
+     __uint128_t u;
--                exit(1);
++    __int128_t i;
--            } else {
++    Int128 s;
--                int pnlen = strlen(progname);
+ } Int128Alias __attribute__((transparent_union));
--                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
+ #else
-+            bool have_tcg = accel_find("tcg");
+ typedef Int128 Int128Alias;
 +            bool have_kvm = accel_find("kvm");
 +
 +            if (have_tcg && have_kvm) {
 +                if (g_str_has_suffix(progname, "kvm")) {
                      /* If the program name ends with "kvm", we prefer KVM */
                      accel = "kvm:tcg";
                  } else {
                      accel = "tcg:kvm";
                  }
 +            } else if (have_kvm) {
 +                accel = "kvm";
 +            } else if (have_tcg) {
 +                accel = "tcg";
 +            } else {
 +                error_report("No accelerator selected and"
 +                             " no default accelerator available");
 +                exit(1);
              }
          }
 -
          accel_list = g_strsplit(accel, ":", 0);
          for (tmp = accel_list; *tmp; tmp++) {
 --
-.20.1
+.34.1

-[PULL 14/16] cputlb: Initialize tlbs as flushed
+[PULL 08/12] migration/xbzrle: Use __attribute__((target)) for avx512
-There's little point in leaving these data structures half initialized,
+Use the attribute, which is supported by clang, instead of
-and relying on a flush to be done during reset.
+the #pragma, which is not supported and, for some reason,
 also not detected by the meson probe, so we fail by -Werror.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Juan Quintela <quintela@redhat.com>
+Message-Id: <20230501210555.289806-1-richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 5 +++--
+ meson.build        | 5 +----
-file changed, 3 insertions(+), 2 deletions(-)
+ migration/xbzrle.c | 9 ++++-----
 files changed, 5 insertions(+), 9 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/meson.build b/meson.build
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/meson.build
-+++ b/accel/tcg/cputlb.c
++++ b/meson.build
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+@@ -XXX,XX +XXX,XX @@ config_host_data.set('CONFIG_AVX512F_OPT', get_option('avx512f') \
-     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+ config_host_data.set('CONFIG_AVX512BW_OPT', get_option('avx512bw') \
-     fast->table = g_new(CPUTLBEntry, n_entries);
+   .require(have_cpuid_h, error_message: 'cpuid.h not available, cannot enable AVX512BW') \
-     desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+   .require(cc.links('''
-+    tlb_mmu_flush_locked(desc, fast);
+-    #pragma GCC push_options
 -    #pragma GCC target("avx512bw")
      #include <cpuid.h>
      #include <immintrin.h>
 -    static int bar(void *a) {
 -
 +    static int __attribute__((target("avx512bw"))) bar(void *a) {
        __m512i *x = a;
        __m512i res= _mm512_abs_epi8(*x);
        return res[1];
 diff --git a/migration/xbzrle.c b/migration/xbzrle.c
 index XXXXXXX..XXXXXXX 100644
 --- a/migration/xbzrle.c
 +++ b/migration/xbzrle.c
@@ -XXX,XX +XXX,XX @@ int xbzrle_decode_buffer(uint8_t *src, int slen, uint8_t *dst, int dlen)
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+ #if defined(CONFIG_AVX512BW_OPT)
-@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
+-#pragma GCC push_options
+-#pragma GCC target("avx512bw")
-     qemu_spin_init(&env_tlb(env)->c.lock);
+ #include <immintrin.h>
+-int xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
--    /* Ensure that cpu_reset performs a full flush.  */
+-                             uint8_t *dst, int dlen)
--    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
++
-+    /* All tlbs are initialized flushed. */
++int __attribute__((target("avx512bw")))
-+    env_tlb(env)->c.dirty = 0;
++xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
++                            uint8_t *dst, int dlen)
-     for (i = 0; i < NB_MMU_MODES; i++) {
+ {
-         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
+     uint32_t zrun_len = 0, nzrun_len = 0;
      int d = 0, i = 0, num = 0;
@@ -XXX,XX +XXX,XX @@ int xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
      }
      return d;
  }
 -#pragma GCC pop_options
  #endif
 --
-.20.1
+.34.1

-[PULL 08/16] cputlb: Make tlb_n_entries private to cputlb.c
+[PULL 09/12] accel/tcg: Add cpu_ld*_code_mmu
-There are no users of this function outside cputlb.c,
+At least RISC-V has the need to be able to perform a read
-and its interface will change in the next patch.
+using execute permissions, outside of translation.
 Add helpers to facilitate this.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Weiwei Li <liweiwei@iscas.ac.cn>
+Tested-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Message-Id: <20230325105429.1142530-9-richard.henderson@linaro.org>
+Message-Id: <20230412114333.118895-9-richard.henderson@linaro.org>
 ---
- include/exec/cpu_ldst.h | 5 -----
+ include/exec/cpu_ldst.h |  9 +++++++
- accel/tcg/cputlb.c      | 5 +++++
+ accel/tcg/cputlb.c      | 48 ++++++++++++++++++++++++++++++++++
-files changed, 5 insertions(+), 5 deletions(-)
+ accel/tcg/user-exec.c   | 58 +++++++++++++++++++++++++++++++++++++++++
 files changed, 115 insertions(+)
 diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu_ldst.h
 +++ b/include/exec/cpu_ldst.h
-@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
+@@ -XXX,XX +XXX,XX @@ static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
-     return (addr >> TARGET_PAGE_BITS) & size_mask;
+ # define cpu_stq_mmu          cpu_stq_le_mmu
- }
+ #endif
--static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
++uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
--{
++                         MemOpIdx oi, uintptr_t ra);
--    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
++uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
--}
++                          MemOpIdx oi, uintptr_t ra);
--
++uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
- /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
++                          MemOpIdx oi, uintptr_t ra);
- static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
++uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
-                                      target_ulong addr)
++                          MemOpIdx oi, uintptr_t ra);
 +
  uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr);
  uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr);
  uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr);
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
+@@ -XXX,XX +XXX,XX @@ uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
- QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
+     MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(env, true));
- #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
+     return full_ldq_code(env, addr, oi, 0);
+ }
-+static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
++
 +uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
 +                         MemOpIdx oi, uintptr_t retaddr)
 +{
-+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
++    return full_ldub_code(env, addr, oi, retaddr);
 +}
 +
- static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
++uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
- {
++                          MemOpIdx oi, uintptr_t retaddr)
-     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
++{
 +    MemOp mop = get_memop(oi);
 +    int idx = get_mmuidx(oi);
 +    uint16_t ret;
 +
 +    ret = full_lduw_code(env, addr, make_memop_idx(MO_TEUW, idx), retaddr);
 +    if ((mop & MO_BSWAP) != MO_TE) {
 +        ret = bswap16(ret);
 +    }
 +    return ret;
 +}
 +
 +uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
 +                          MemOpIdx oi, uintptr_t retaddr)
 +{
 +    MemOp mop = get_memop(oi);
 +    int idx = get_mmuidx(oi);
 +    uint32_t ret;
 +
 +    ret = full_ldl_code(env, addr, make_memop_idx(MO_TEUL, idx), retaddr);
 +    if ((mop & MO_BSWAP) != MO_TE) {
 +        ret = bswap32(ret);
 +    }
 +    return ret;
 +}
 +
 +uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
 +                          MemOpIdx oi, uintptr_t retaddr)
 +{
 +    MemOp mop = get_memop(oi);
 +    int idx = get_mmuidx(oi);
 +    uint64_t ret;
 +
 +    ret = full_ldq_code(env, addr, make_memop_idx(MO_TEUQ, idx), retaddr);
 +    if ((mop & MO_BSWAP) != MO_TE) {
 +        ret = bswap64(ret);
 +    }
 +    return ret;
 +}
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr ptr)
      return ret;
  }
 +uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
 +                         MemOpIdx oi, uintptr_t ra)
 +{
 +    void *haddr;
 +    uint8_t ret;
 +
 +    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
 +    ret = ldub_p(haddr);
 +    clear_helper_retaddr();
 +    return ret;
 +}
 +
 +uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
 +                          MemOpIdx oi, uintptr_t ra)
 +{
 +    void *haddr;
 +    uint16_t ret;
 +
 +    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
 +    ret = lduw_p(haddr);
 +    clear_helper_retaddr();
 +    if (get_memop(oi) & MO_BSWAP) {
 +        ret = bswap16(ret);
 +    }
 +    return ret;
 +}
 +
 +uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
 +                          MemOpIdx oi, uintptr_t ra)
 +{
 +    void *haddr;
 +    uint32_t ret;
 +
 +    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
 +    ret = ldl_p(haddr);
 +    clear_helper_retaddr();
 +    if (get_memop(oi) & MO_BSWAP) {
 +        ret = bswap32(ret);
 +    }
 +    return ret;
 +}
 +
 +uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
 +                          MemOpIdx oi, uintptr_t ra)
 +{
 +    void *haddr;
 +    uint64_t ret;
 +
 +    validate_memop(oi, MO_BEUQ);
 +    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_DATA_LOAD);
 +    ret = ldq_p(haddr);
 +    clear_helper_retaddr();
 +    if (get_memop(oi) & MO_BSWAP) {
 +        ret = bswap64(ret);
 +    }
 +    return ret;
 +}
 +
  #include "ldst_common.c.inc"
  /*
 --
-.20.1
+.34.1

-[PULL 13/16] cputlb: Partially merge tlb_dyn_init into tlb_init
+[PULL 10/12] tcg/loongarch64: Conditionalize tcg_out_exts_i32_i64
-Merge into the only caller, but at the same time split
+Since TCG_TYPE_I32 values are kept sign-extended in registers,
-out tlb_mmu_init to initialize a single tlb entry.
+via ".w" instructions, we need not extend if the register matches.
 This is already relied upon by comparisons.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
+ tcg/loongarch64/tcg-target.c.inc | 4 +++-
-file changed, 16 insertions(+), 17 deletions(-)
+file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/loongarch64/tcg-target.c.inc
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/loongarch64/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_ext32s(TCGContext *s, TCGReg ret, TCGReg arg)
-     desc->window_max_entries = max_entries;
- }
+ static void tcg_out_exts_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg)
 -static void tlb_dyn_init(CPUArchState *env)
 -{
 -    int i;
 -
 -    for (i = 0; i < NB_MMU_MODES; i++) {
 -        CPUTLBDesc *desc = &env_tlb(env)->d[i];
 -        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 -
 -        tlb_window_reset(desc, get_clock_realtime(), 0);
 -        desc->n_used_entries = 0;
 -        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 -        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
 -        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
 -    }
 -}
 -
  /**
   * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
   * @desc: The CPUTLBDesc portion of the TLB
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
      tlb_mmu_flush_locked(desc, fast);
  }
 +static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
 +{
 +    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
 +
 +    tlb_window_reset(desc, now, 0);
 +    desc->n_used_entries = 0;
 +    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
 +    fast->table = g_new(CPUTLBEntry, n_entries);
 +    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
 +}
 +
  static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
  {
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+-    tcg_out_ext32s(s, ret, arg);
-@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
++    if (ret != arg) {
- void tlb_init(CPUState *cpu)
++        tcg_out_ext32s(s, ret, arg);
  {
      CPUArchState *env = cpu->env_ptr;
 +    int64_t now = get_clock_realtime();
 +    int i;
      qemu_spin_init(&env_tlb(env)->c.lock);
      /* Ensure that cpu_reset performs a full flush.  */
      env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
 -    tlb_dyn_init(env);
 +    for (i = 0; i < NB_MMU_MODES; i++) {
 +        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
 +    }
  }
- /* flush_all_helper: run fn across all cpus
+ static void tcg_out_extu_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg)
 --
-.20.1
+.34.1

-[PULL 11/16] cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
+[PULL 11/12] tcg/mips: Conditionalize tcg_out_exts_i32_i64
-No functional change, but the smaller expressions make
+Since TCG_TYPE_I32 values are kept sign-extended in registers, we need not
-the code easier to read.
+extend if the register matches.  This is already relied upon by comparisons.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 19 ++++++++++---------
+ tcg/mips/tcg-target.c.inc | 4 +++-
-file changed, 10 insertions(+), 9 deletions(-)
+file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/mips/tcg-target.c.inc
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/mips/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_ext32s(TCGContext *s, TCGReg rd, TCGReg rs)
- static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+ static void tcg_out_exts_i32_i64(TCGContext *s, TCGReg rd, TCGReg rs)
  {
--    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
+-    tcg_out_ext32s(s, rd, rs);
--    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
++    if (rd != rs) {
--    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
++        tcg_out_ext32s(s, rd, rs);
--    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
++    }
 -    env_tlb(env)->d[mmu_idx].vindex = 0;
 -    memset(env_tlb(env)->f[mmu_idx].table, -1,
 -           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
 -    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
 -           sizeof(env_tlb(env)->d[0].vtable));
 +    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
 +    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 +
 +    tlb_mmu_resize_locked(desc, fast);
 +    desc->n_used_entries = 0;
 +    desc->large_page_addr = -1;
 +    desc->large_page_mask = -1;
 +    desc->vindex = 0;
 +    memset(fast->table, -1, sizeof_tlb(fast));
 +    memset(desc->vtable, -1, sizeof(desc->vtable));
  }
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
+ static void tcg_out_extu_i32_i64(TCGContext *s, TCGReg rd, TCGReg rs)
 --
-.20.1
+.34.1

-[PULL 12/16] cputlb: Split out tlb_mmu_flush_locked
+[PULL 12/12] tcg: Introduce tcg_out_movext2
-We will want to be able to flush a tlb without resizing.
+This is common code in most qemu_{ld,st} slow paths, moving two
+registers when there may be overlap between sources and destinations.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+At present, this is only used by 32-bit hosts for 64-bit data,
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+but will shortly be used for more than that.
-Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 15 ++++++++++-----
+ tcg/tcg.c                 | 69 ++++++++++++++++++++++++++++++++++++---
-file changed, 10 insertions(+), 5 deletions(-)
+ tcg/arm/tcg-target.c.inc  | 44 ++++++++++---------------
+ tcg/i386/tcg-target.c.inc | 19 +++++------
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+files changed, 90 insertions(+), 42 deletions(-)
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/tcg/tcg.c
-+++ b/accel/tcg/cputlb.c
++++ b/tcg/tcg.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_exts_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg);
-     }
+ static void tcg_out_extu_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg);
  static void tcg_out_extrl_i64_i32(TCGContext *s, TCGReg ret, TCGReg arg);
  static void tcg_out_addi_ptr(TCGContext *s, TCGReg, TCGReg, tcg_target_long);
 -static bool tcg_out_xchg(TCGContext *s, TCGType type, TCGReg r1, TCGReg r2)
 -    __attribute__((unused));
 +static bool tcg_out_xchg(TCGContext *s, TCGType type, TCGReg r1, TCGReg r2);
  static void tcg_out_exit_tb(TCGContext *s, uintptr_t arg);
  static void tcg_out_goto_tb(TCGContext *s, int which);
  static void tcg_out_op(TCGContext *s, TCGOpcode opc,
@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
      siglongjmp(s->jmp_trans, -2);
  }
--static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++typedef struct TCGMovExtend {
-+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
++    TCGReg dst;
 +    TCGReg src;
 +    TCGType dst_type;
 +    TCGType src_type;
 +    MemOp src_ext;
 +} TCGMovExtend;
 +
  /**
   * tcg_out_movext -- move and extend
   * @s: tcg context
@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
   *
   * Move or extend @src into @dst, depending on @src_ext and the types.
   */
 -static void __attribute__((unused))
 -tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
 -               TCGType src_type, MemOp src_ext, TCGReg src)
 +static void tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
 +                           TCGType src_type, MemOp src_ext, TCGReg src)
  {
--    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+     switch (src_ext) {
--    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+     case MO_UB:
--
+@@ -XXX,XX +XXX,XX @@ tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
--    tlb_mmu_resize_locked(desc, fast);
+     }
      desc->n_used_entries = 0;
      desc->large_page_addr = -1;
      desc->large_page_mask = -1;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
      memset(desc->vtable, -1, sizeof(desc->vtable));
  }
-+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
++/* Minor variations on a theme, using a structure. */
 +static void tcg_out_movext1_new_src(TCGContext *s, const TCGMovExtend *i,
 +                                    TCGReg src)
 +{
-+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
++    tcg_out_movext(s, i->dst_type, i->dst, i->src_type, i->src_ext, src);
 +    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 +
 +    tlb_mmu_resize_locked(desc, fast);
 +    tlb_mmu_flush_locked(desc, fast);
 +}
 +
- static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
++static void tcg_out_movext1(TCGContext *s, const TCGMovExtend *i)
 +{
 +    tcg_out_movext1_new_src(s, i, i->src);
 +}
 +
 +/**
 + * tcg_out_movext2 -- move and extend two pair
 + * @s: tcg context
 + * @i1: first move description
 + * @i2: second move description
 + * @scratch: temporary register, or -1 for none
 + *
 + * As tcg_out_movext, for both @i1 and @i2, caring for overlap
 + * between the sources and destinations.
 + */
 +
 +static void __attribute__((unused))
 +tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
 +                const TCGMovExtend *i2, int scratch)
 +{
 +    TCGReg src1 = i1->src;
 +    TCGReg src2 = i2->src;
 +
 +    if (i1->dst != src2) {
 +        tcg_out_movext1(s, i1);
 +        tcg_out_movext1(s, i2);
 +        return;
 +    }
 +    if (i2->dst == src1) {
 +        TCGType src1_type = i1->src_type;
 +        TCGType src2_type = i2->src_type;
 +
 +        if (tcg_out_xchg(s, MAX(src1_type, src2_type), src1, src2)) {
 +            /* The data is now in the correct registers, now extend. */
 +            src1 = i2->src;
 +            src2 = i1->src;
 +        } else {
 +            tcg_debug_assert(scratch >= 0);
 +            tcg_out_mov(s, src1_type, scratch, src1);
 +            src1 = scratch;
 +        }
 +    }
 +    tcg_out_movext1_new_src(s, i2, src2);
 +    tcg_out_movext1_new_src(s, i1, src1);
 +}
 +
  #define C_PFX1(P, A)                    P##A
  #define C_PFX2(P, A, B)                 P##A##_##B
  #define C_PFX3(P, A, B, C)              P##A##_##B##_##C
 diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/arm/tcg-target.c.inc
 +++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
  {
-     env_tlb(env)->d[mmu_idx].n_used_entries++;
+-    TCGReg argreg, datalo, datahi;
 +    TCGReg argreg;
      MemOpIdx oi = lb->oi;
      MemOp opc = get_memop(oi);
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
      /* Use the canonical unsigned helpers and minimize icache usage. */
      tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
 -    datalo = lb->datalo_reg;
 -    datahi = lb->datahi_reg;
      if ((opc & MO_SIZE) == MO_64) {
 -        if (datalo != TCG_REG_R1) {
 -            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_R0);
 -            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
 -        } else if (datahi != TCG_REG_R0) {
 -            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
 -            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_R0);
 -        } else {
 -            tcg_out_mov_reg(s, COND_AL, TCG_REG_TMP, TCG_REG_R0);
 -            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
 -            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_TMP);
 -        }
 +        TCGMovExtend ext[2] = {
 +            { .dst = lb->datalo_reg, .dst_type = TCG_TYPE_I32,
 +              .src = TCG_REG_R0, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +            { .dst = lb->datahi_reg, .dst_type = TCG_TYPE_I32,
 +              .src = TCG_REG_R1, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +        };
 +        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
      } else {
 -        tcg_out_movext(s, TCG_TYPE_I32, datalo,
 +        tcg_out_movext(s, TCG_TYPE_I32, lb->datalo_reg,
                         TCG_TYPE_I32, opc & MO_SSIZE, TCG_REG_R0);
      }
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
      if (TARGET_LONG_BITS == 64) {
          /* 64-bit target address is aligned into R2:R3. */
 -        if (l->addrhi_reg != TCG_REG_R2) {
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, l->addrlo_reg);
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, l->addrhi_reg);
 -        } else if (l->addrlo_reg != TCG_REG_R3) {
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, l->addrhi_reg);
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, l->addrlo_reg);
 -        } else {
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R1, TCG_REG_R2);
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, TCG_REG_R3);
 -            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, TCG_REG_R1);
 -        }
 +        TCGMovExtend ext[2] = {
 +            { .dst = TCG_REG_R2, .dst_type = TCG_TYPE_I32,
 +              .src = l->addrlo_reg,
 +              .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +            { .dst = TCG_REG_R3, .dst_type = TCG_TYPE_I32,
 +              .src = l->addrhi_reg,
 +              .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +        };
 +        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
      } else {
          tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R1, l->addrlo_reg);
      }
 diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/i386/tcg-target.c.inc
 +++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
      MemOpIdx oi = l->oi;
      MemOp opc = get_memop(oi);
 -    TCGReg data_reg;
      tcg_insn_unit **label_ptr = &l->label_ptr[0];
      /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
      tcg_out_branch(s, 1, qemu_ld_helpers[opc & (MO_BSWAP | MO_SIZE)]);
 -    data_reg = l->datalo_reg;
      if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
 -        if (data_reg == TCG_REG_EDX) {
 -            /* xchg %edx, %eax */
 -            tcg_out_opc(s, OPC_XCHG_ax_r32 + TCG_REG_EDX, 0, 0, 0);
 -            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_EAX);
 -        } else {
 -            tcg_out_mov(s, TCG_TYPE_I32, data_reg, TCG_REG_EAX);
 -            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_EDX);
 -        }
 +        TCGMovExtend ext[2] = {
 +            { .dst = l->datalo_reg, .dst_type = TCG_TYPE_I32,
 +              .src = TCG_REG_EAX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +            { .dst = l->datahi_reg, .dst_type = TCG_TYPE_I32,
 +              .src = TCG_REG_EDX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 +        };
 +        tcg_out_movext2(s, &ext[0], &ext[1], -1);
      } else {
 -        tcg_out_movext(s, l->type, data_reg,
 +        tcg_out_movext(s, l->type, l->datalo_reg,
                         TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_EAX);
      }
 --
-.20.1
+.34.1

The following changes since commit 3e08b2b9cb64bff2b73fa9128c0e49bfcde0dd40:

Merge remote-tracking branch 'remotes/philmd-gitlab/tags/edk2-next-20200121' into staging (2020-01-21 15:29:25 +0000)

are available in the Git repository at:

https://github.com/rth7680/qemu.git tags/pull-tcg-20200121

for you to fetch changes up to 75fa376cdab5e5db2c7fdd107358e16f95503ac6:

scripts/git.orderfile: Display decodetree before C source (2020-01-21 15:26:09 -1000)

----------------------------------------------------------------
Remove another limit to NB_MMU_MODES.
Fix compilation using uclibc.
Fix defaulting of -accel parameters.
Tidy cputlb basic routines.
Adjust git.orderfile for decodetree.

----------------------------------------------------------------
Carlos Santos (1):
      util/cacheinfo: fix crash when compiling with uClibc

Philippe Mathieu-Daudé (1):
      scripts/git.orderfile: Display decodetree before C source

Richard Henderson (14):
      cputlb: Handle NB_MMU_MODES > TARGET_PAGE_BITS_MIN
      vl: Remove unused variable in configure_accelerators
      vl: Reduce scope of variables in configure_accelerators
      vl: Remove useless test in configure_accelerators
      vl: Only choose enabled accelerators in configure_accelerators
      cputlb: Merge tlb_table_flush_by_mmuidx into tlb_flush_one_mmuidx_locked
      cputlb: Make tlb_n_entries private to cputlb.c
      cputlb: Pass CPUTLBDescFast to tlb_n_entries and sizeof_tlb
      cputlb: Hoist tlb portions in tlb_mmu_resize_locked
      cputlb: Hoist tlb portions in tlb_flush_one_mmuidx_locked
      cputlb: Split out tlb_mmu_flush_locked
      cputlb: Partially merge tlb_dyn_init into tlb_init
      cputlb: Initialize tlbs as flushed
      cputlb: Hoist timestamp outside of loops over tlbs

In target/arm we will shortly have "too many" mmu_idx.
The current minimum barrier is caused by the way in which
tlb_flush_page_by_mmuidx is coded.

We can remove this limitation by allocating memory for
consumption by the worker.  Let us assume that this is
the unlikely case, as will be the case for the majority
of targets which have so far satisfied the BUILD_BUG_ON,
and only allocate memory when necessary.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 167 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 132 insertions(+), 35 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
     }
 }
 
-/* As we are going to hijack the bottom bits of the page address for a
- * mmuidx bit mask we need to fail to build if we can't do that
+/**
+ * tlb_flush_page_by_mmuidx_async_0:
+ * @cpu: cpu on which to flush
+ * @addr: page of virtual address to flush
+ * @idxmap: set of mmu_idx to flush
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, flush one page
+ * at @addr from the tlbs indicated by @idxmap from @cpu.
  */
-QEMU_BUILD_BUG_ON(NB_MMU_MODES > TARGET_PAGE_BITS_MIN);
-
-static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
-                                                run_on_cpu_data data)
+static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
+                                             target_ulong addr,
+                                             uint16_t idxmap)
 {
     CPUArchState *env = cpu->env_ptr;
-    target_ulong addr_and_mmuidx = (target_ulong) data.target_ptr;
-    target_ulong addr = addr_and_mmuidx & TARGET_PAGE_MASK;
-    unsigned long mmu_idx_bitmap = addr_and_mmuidx & ALL_MMUIDX_BITS;
     int mmu_idx;
 
     assert_cpu_is_self(cpu);
 
-    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%lx\n",
-              addr, mmu_idx_bitmap);
+    tlb_debug("page addr:" TARGET_FMT_lx " mmu_map:0x%x\n", addr, idxmap);
 
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
-        if (test_bit(mmu_idx, &mmu_idx_bitmap)) {
+        if ((idxmap >> mmu_idx) & 1) {
             tlb_flush_page_locked(env, mmu_idx, addr);
         }
     }
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_work(CPUState *cpu,
     tb_flush_jmp_cache(cpu, addr);
 }
 
+/**
+ * tlb_flush_page_by_mmuidx_async_1:
+ * @cpu: cpu on which to flush
+ * @data: encoded addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The idxmap parameter is encoded in the page
+ * offset of the target_ptr field.  This limits the set of mmu_idx
+ * that can be passed via this method.
+ */
+static void tlb_flush_page_by_mmuidx_async_1(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    target_ulong addr_and_idxmap = (target_ulong) data.target_ptr;
+    target_ulong addr = addr_and_idxmap & TARGET_PAGE_MASK;
+    uint16_t idxmap = addr_and_idxmap & ~TARGET_PAGE_MASK;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+}
+
+typedef struct {
+    target_ulong addr;
+    uint16_t idxmap;
+} TLBFlushPageByMMUIdxData;
+
+/**
+ * tlb_flush_page_by_mmuidx_async_2:
+ * @cpu: cpu on which to flush
+ * @data: allocated addr + idxmap
+ *
+ * Helper for tlb_flush_page_by_mmuidx and friends, called through
+ * async_run_on_cpu.  The addr+idxmap parameters are stored in a
+ * TLBFlushPageByMMUIdxData structure that has been allocated
+ * specifically for this helper.  Free the structure when done.
+ */
+static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
+                                             run_on_cpu_data data)
+{
+    TLBFlushPageByMMUIdxData *d = data.host_ptr;
+
+    tlb_flush_page_by_mmuidx_async_0(cpu, d->addr, d->idxmap);
+    g_free(d);
+}
+
 void tlb_flush_page_by_mmuidx(CPUState *cpu, target_ulong addr, uint16_t idxmap)
 {
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%" PRIx16 "\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    if (!qemu_cpu_is_self(cpu)) {
-        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_work,
-                         RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    if (qemu_cpu_is_self(cpu)) {
+        tlb_flush_page_by_mmuidx_async_0(cpu, addr, idxmap);
+    } else if (idxmap < TARGET_PAGE_SIZE) {
+        /*
+         * Most targets have only a few mmu_idx.  In the case where
+         * we can stuff idxmap into the low TARGET_PAGE_BITS, avoid
+         * allocating memory for this operation.
+         */
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
     } else {
-        tlb_flush_page_by_mmuidx_async_work(
-            cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+        TLBFlushPageByMMUIdxData *d = g_new(TLBFlushPageByMMUIdxData, 1);
+
+        /* Otherwise allocate a structure, freed by the worker.  */
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_run_on_cpu(cpu, tlb_flush_page_by_mmuidx_async_2,
+                         RUN_ON_CPU_HOST_PTR(d));
     }
 }
 
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, target_ulong addr)
 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, target_ulong addr,
                                        uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    fn(src_cpu, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                TLBFlushPageByMMUIdxData *d
+                    = g_new(TLBFlushPageByMMUIdxData, 1);
+
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+    }
+
+    tlb_flush_page_by_mmuidx_async_0(src_cpu, addr, idxmap);
 }
 
 void tlb_flush_page_all_cpus(CPUState *src, target_ulong addr)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                               target_ulong addr,
                                               uint16_t idxmap)
 {
-    const run_on_cpu_func fn = tlb_flush_page_by_mmuidx_async_work;
-    target_ulong addr_and_mmu_idx;
-
     tlb_debug("addr: "TARGET_FMT_lx" mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
-    addr_and_mmu_idx = addr & TARGET_PAGE_MASK;
-    addr_and_mmu_idx |= idxmap;
+    addr &= TARGET_PAGE_MASK;
 
-    flush_all_helper(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
-    async_safe_run_on_cpu(src_cpu, fn, RUN_ON_CPU_TARGET_PTR(addr_and_mmu_idx));
+    /*
+     * Allocate memory to hold addr+idxmap only when needed.
+     * See tlb_flush_page_by_mmuidx for details.
+     */
+    if (idxmap < TARGET_PAGE_SIZE) {
+        flush_all_helper(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                         RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_1,
+                              RUN_ON_CPU_TARGET_PTR(addr | idxmap));
+    } else {
+        CPUState *dst_cpu;
+        TLBFlushPageByMMUIdxData *d;
+
+        /* Allocate a separate data block for each destination cpu.  */
+        CPU_FOREACH(dst_cpu) {
+            if (dst_cpu != src_cpu) {
+                d = g_new(TLBFlushPageByMMUIdxData, 1);
+                d->addr = addr;
+                d->idxmap = idxmap;
+                async_run_on_cpu(dst_cpu, tlb_flush_page_by_mmuidx_async_2,
+                                 RUN_ON_CPU_HOST_PTR(d));
+            }
+        }
+
+        d = g_new(TLBFlushPageByMMUIdxData, 1);
+        d->addr = addr;
+        d->idxmap = idxmap;
+        async_safe_run_on_cpu(src_cpu, tlb_flush_page_by_mmuidx_async_2,
+                              RUN_ON_CPU_HOST_PTR(d));
+    }
 }
 
 void tlb_flush_page_all_cpus_synced(CPUState *src, target_ulong addr)
-- 
2.20.1

From: Carlos Santos <casantos@redhat.com>

uClibc defines _SC_LEVEL1_ICACHE_LINESIZE and _SC_LEVEL1_DCACHE_LINESIZE
but the corresponding sysconf calls returns -1, which is a valid result,
meaning that the limit is indeterminate.

Handle this situation using the fallback values instead of crashing due
to an assertion failure.

Signed-off-by: Carlos Santos <casantos@redhat.com>
Message-Id: <20191017123713.30192-1-casantos@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 util/cacheinfo.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/util/cacheinfo.c b/util/cacheinfo.c
index XXXXXXX..XXXXXXX 100644
--- a/util/cacheinfo.c
+++ b/util/cacheinfo.c
@@ -XXX,XX +XXX,XX @@ static void sys_cache_info(int *isize, int *dsize)
 static void sys_cache_info(int *isize, int *dsize)
 {
 # ifdef _SC_LEVEL1_ICACHE_LINESIZE
-    *isize = sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    int tmp_isize = (int) sysconf(_SC_LEVEL1_ICACHE_LINESIZE);
+    if (tmp_isize > 0) {
+        *isize = tmp_isize;
+    }
 # endif
 # ifdef _SC_LEVEL1_DCACHE_LINESIZE
-    *dsize = sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    int tmp_dsize = (int) sysconf(_SC_LEVEL1_DCACHE_LINESIZE);
+    if (tmp_dsize > 0) {
+        *dsize = tmp_dsize;
+    }
 # endif
 }
 #endif /* sys_cache_info */
-- 
2.20.1

The accel_initialised variable no longer has any setters.

Fixes: 6f6e1698a68c
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 {
     const char *accel;
     char **accel_list, **tmp;
-    bool accel_initialised = false;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         accel_list = g_strsplit(accel, ":", 0);
 
-        for (tmp = accel_list; !accel_initialised && tmp && *tmp; tmp++) {
+        for (tmp = accel_list; tmp && *tmp; tmp++) {
             /*
              * Filter invalid accelerators here, to prevent obscenities
              * such as "-machine accel=tcg,,thread=single".
-- 
2.20.1

The accel_list and tmp variables are only used when manufacturing
-machine accel, options based on -accel.

Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static int do_configure_accelerator(void *opaque, QemuOpts *opts, Error **errp)
 static void configure_accelerators(const char *progname)
 {
     const char *accel;
-    char **accel_list, **tmp;
     bool init_failed = false;
 
     qemu_opts_foreach(qemu_find_opts("icount"),
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
     accel = qemu_opt_get(qemu_get_machine_opts(), "accel");
     if (QTAILQ_EMPTY(&qemu_accel_opts.head)) {
+        char **accel_list, **tmp;
+
         if (accel == NULL) {
             /* Select the default accelerator */
             if (!accel_find("tcg") && !accel_find("kvm")) {
-- 
2.20.1

By choosing "tcg:kvm" when kvm is not enabled, we generate
an incorrect warning: "invalid accelerator kvm".

At the same time, use g_str_has_suffix rather than open-coding
the same operation.

Presumably the inverse is also true with --disable-tcg.

Fixes: 28a0961757fc
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed by: Aleksandar Markovic <amarkovic@wavecomp.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 vl.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/vl.c b/vl.c
index XXXXXXX..XXXXXXX 100644
--- a/vl.c
+++ b/vl.c
@@ -XXX,XX +XXX,XX @@ static void configure_accelerators(const char *progname)
 
         if (accel == NULL) {
             /* Select the default accelerator */
-            if (!accel_find("tcg") && !accel_find("kvm")) {
-                error_report("No accelerator selected and"
-                             " no default accelerator available");
-                exit(1);
-            } else {
-                int pnlen = strlen(progname);
-                if (pnlen >= 3 && g_str_equal(&progname[pnlen - 3], "kvm")) {
+            bool have_tcg = accel_find("tcg");
+            bool have_kvm = accel_find("kvm");
+
+            if (have_tcg && have_kvm) {
+                if (g_str_has_suffix(progname, "kvm")) {
                     /* If the program name ends with "kvm", we prefer KVM */
                     accel = "kvm:tcg";
                 } else {
                     accel = "tcg:kvm";
                 }
+            } else if (have_kvm) {
+                accel = "kvm";
+            } else if (have_tcg) {
+                accel = "tcg";
+            } else {
+                error_report("No accelerator selected and"
+                             " no default accelerator available");
+                exit(1);
             }
         }
-
         accel_list = g_strsplit(accel, ":", 0);
 
         for (tmp = accel_list; *tmp; tmp++) {
-- 
2.20.1

There is only one caller for tlb_table_flush_by_mmuidx.  Place
the result at the earlier line number, due to an expected user
in the near future.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
     }
 }
 
-static inline void tlb_table_flush_by_mmuidx(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
     tlb_mmu_resize_locked(env, mmu_idx);
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
+    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
+    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
+    env_tlb(env)->d[mmu_idx].vindex = 0;
+    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
+           sizeof(env_tlb(env)->d[0].vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
     *pelide = elide;
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
-{
-    tlb_table_flush_by_mmuidx(env, mmu_idx);
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
-}
-
 static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 {
     CPUArchState *env = cpu->env_ptr;
-- 
2.20.1

There are no users of this function outside cputlb.c,
and its interface will change in the next patch.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu_ldst.h | 5 -----
 accel/tcg/cputlb.c      | 5 +++++
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline uintptr_t tlb_index(CPUArchState *env, uintptr_t mmu_idx,
     return (addr >> TARGET_PAGE_BITS) & size_mask;
 }
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
-{
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
-}
-
 /* Find the TLB entry corresponding to the mmu_idx + address pair.  */
 static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
                                      target_ulong addr)
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
+static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+{
+    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+}
+
 static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
 {
     return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
-- 
2.20.1

We do not need the entire CPUArchState to compute these values.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ QEMU_BUILD_BUG_ON(sizeof(target_ulong) > sizeof(run_on_cpu_data));
 QEMU_BUILD_BUG_ON(NB_MMU_MODES > 16);
 #define ALL_MMUIDX_BITS ((1 << NB_MMU_MODES) - 1)
 
-static inline size_t tlb_n_entries(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t tlb_n_entries(CPUTLBDescFast *fast)
 {
-    return (env_tlb(env)->f[mmu_idx].mask >> CPU_TLB_ENTRY_BITS) + 1;
+    return (fast->mask >> CPU_TLB_ENTRY_BITS) + 1;
 }
 
-static inline size_t sizeof_tlb(CPUArchState *env, uintptr_t mmu_idx)
+static inline size_t sizeof_tlb(CPUTLBDescFast *fast)
 {
-    return env_tlb(env)->f[mmu_idx].mask + (1 << CPU_TLB_ENTRY_BITS);
+    return fast->mask + (1 << CPU_TLB_ENTRY_BITS);
 }
 
 static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(env, mmu_idx);
+    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
     env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1, sizeof_tlb(env, mmu_idx));
+    memset(env_tlb(env)->f[mmu_idx].table, -1,
+           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
     memset(env_tlb(env)->d[mmu_idx].vtable, -1,
            sizeof(env_tlb(env)->d[0].vtable));
 }
@@ -XXX,XX +XXX,XX @@ void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length)
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
         unsigned int i;
-        unsigned int n = tlb_n_entries(env, mmu_idx);
+        unsigned int n = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
 
         for (i = 0; i < n; i++) {
             tlb_reset_dirty_range_locked(&env_tlb(env)->f[mmu_idx].table[i],
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
 
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
- * @env: CPU that owns the TLB
- * @mmu_idx: MMU index of the TLB
+ * @desc: The CPUTLBDesc portion of the TLB
+ * @fast: The CPUTLBDescFast portion of the same TLB
  *
  * Called with tlb_lock_held.
  *
@@ -XXX,XX +XXX,XX @@ static void tlb_dyn_init(CPUArchState *env)
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    size_t old_size = tlb_n_entries(&env_tlb(env)->f[mmu_idx]);
+    size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
     int64_t now = get_clock_realtime();
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
         return;
     }
 
-    g_free(env_tlb(env)->f[mmu_idx].table);
-    g_free(env_tlb(env)->d[mmu_idx].iotlb);
+    g_free(fast->table);
+    g_free(desc->iotlb);
 
     tlb_window_reset(desc, now, 0);
     /* desc->n_used_entries is cleared by the caller */
-    env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
-    env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-    env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+    fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_try_new(CPUTLBEntry, new_size);
+    desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
+
     /*
      * If the allocations fail, try smaller sizes. We just freed some
      * memory, so going back to half of new_size has a good chance of working.
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUArchState *env, int mmu_idx)
      * allocations to fail though, so we progressively reduce the allocation
      * size, aborting if we cannot even allocate the smallest TLB we support.
      */
-    while (env_tlb(env)->f[mmu_idx].table == NULL ||
-           env_tlb(env)->d[mmu_idx].iotlb == NULL) {
+    while (fast->table == NULL || desc->iotlb == NULL) {
         if (new_size == (1 << CPU_TLB_DYN_MIN_BITS)) {
             error_report("%s: %s", __func__, strerror(errno));
             abort();
         }
         new_size = MAX(new_size >> 1, 1 << CPU_TLB_DYN_MIN_BITS);
-        env_tlb(env)->f[mmu_idx].mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
+        fast->mask = (new_size - 1) << CPU_TLB_ENTRY_BITS;
 
-        g_free(env_tlb(env)->f[mmu_idx].table);
-        g_free(env_tlb(env)->d[mmu_idx].iotlb);
-        env_tlb(env)->f[mmu_idx].table = g_try_new(CPUTLBEntry, new_size);
-        env_tlb(env)->d[mmu_idx].iotlb = g_try_new(CPUIOTLBEntry, new_size);
+        g_free(fast->table);
+        g_free(desc->iotlb);
+        fast->table = g_try_new(CPUTLBEntry, new_size);
+        desc->iotlb = g_try_new(CPUIOTLBEntry, new_size);
     }
 }
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(env, mmu_idx);
+    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
     env_tlb(env)->d[mmu_idx].n_used_entries = 0;
     env_tlb(env)->d[mmu_idx].large_page_addr = -1;
     env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-- 
2.20.1

No functional change, but the smaller expressions make
the code easier to read.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 
 static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
 {
-    tlb_mmu_resize_locked(&env_tlb(env)->d[mmu_idx], &env_tlb(env)->f[mmu_idx]);
-    env_tlb(env)->d[mmu_idx].n_used_entries = 0;
-    env_tlb(env)->d[mmu_idx].large_page_addr = -1;
-    env_tlb(env)->d[mmu_idx].large_page_mask = -1;
-    env_tlb(env)->d[mmu_idx].vindex = 0;
-    memset(env_tlb(env)->f[mmu_idx].table, -1,
-           sizeof_tlb(&env_tlb(env)->f[mmu_idx]));
-    memset(env_tlb(env)->d[mmu_idx].vtable, -1,
-           sizeof(env_tlb(env)->d[0].vtable));
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    desc->n_used_entries = 0;
+    desc->large_page_addr = -1;
+    desc->large_page_mask = -1;
+    desc->vindex = 0;
+    memset(fast->table, -1, sizeof_tlb(fast));
+    memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
-- 
2.20.1

We will want to be able to flush a tlb without resizing.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     }
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
 {
-    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
-    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
-
-    tlb_mmu_resize_locked(desc, fast);
     desc->n_used_entries = 0;
     desc->large_page_addr = -1;
     desc->large_page_mask = -1;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+{
+    CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
+    CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
+
+    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_flush_locked(desc, fast);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
-- 
2.20.1

Merge into the only caller, but at the same time split
out tlb_mmu_init to initialize a single tlb entry.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
     desc->window_max_entries = max_entries;
 }
 
-static void tlb_dyn_init(CPUArchState *env)
-{
-    int i;
-
-    for (i = 0; i < NB_MMU_MODES; i++) {
-        CPUTLBDesc *desc = &env_tlb(env)->d[i];
-        size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
-
-        tlb_window_reset(desc, get_clock_realtime(), 0);
-        desc->n_used_entries = 0;
-        env_tlb(env)->f[i].mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
-        env_tlb(env)->f[i].table = g_new(CPUTLBEntry, n_entries);
-        env_tlb(env)->d[i].iotlb = g_new(CPUIOTLBEntry, n_entries);
-    }
-}
-
 /**
  * tlb_mmu_resize_locked() - perform TLB resize bookkeeping; resize if necessary
  * @desc: The CPUTLBDesc portion of the TLB
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
     tlb_mmu_flush_locked(desc, fast);
 }
 
+static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
+{
+    size_t n_entries = 1 << CPU_TLB_DYN_DEFAULT_BITS;
+
+    tlb_window_reset(desc, now, 0);
+    desc->n_used_entries = 0;
+    fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
+    fast->table = g_new(CPUTLBEntry, n_entries);
+    desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+}
+
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
 {
     env_tlb(env)->d[mmu_idx].n_used_entries++;
@@ -XXX,XX +XXX,XX @@ static inline void tlb_n_used_entries_dec(CPUArchState *env, uintptr_t mmu_idx)
 void tlb_init(CPUState *cpu)
 {
     CPUArchState *env = cpu->env_ptr;
+    int64_t now = get_clock_realtime();
+    int i;
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
     /* Ensure that cpu_reset performs a full flush.  */
     env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
 
-    tlb_dyn_init(env);
+    for (i = 0; i < NB_MMU_MODES; i++) {
+        tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
+    }
 }
 
 /* flush_all_helper: run fn across all cpus
-- 
2.20.1

There's little point in leaving these data structures half initialized,
and relying on a flush to be done during reset.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_init(CPUTLBDesc *desc, CPUTLBDescFast *fast, int64_t now)
     fast->mask = (n_entries - 1) << CPU_TLB_ENTRY_BITS;
     fast->table = g_new(CPUTLBEntry, n_entries);
     desc->iotlb = g_new(CPUIOTLBEntry, n_entries);
+    tlb_mmu_flush_locked(desc, fast);
 }
 
 static inline void tlb_n_used_entries_inc(CPUArchState *env, uintptr_t mmu_idx)
@@ -XXX,XX +XXX,XX @@ void tlb_init(CPUState *cpu)
 
     qemu_spin_init(&env_tlb(env)->c.lock);
 
-    /* Ensure that cpu_reset performs a full flush.  */
-    env_tlb(env)->c.dirty = ALL_MMUIDX_BITS;
+    /* All tlbs are initialized flushed. */
+    env_tlb(env)->c.dirty = 0;
 
     for (i = 0; i < NB_MMU_MODES; i++) {
         tlb_mmu_init(&env_tlb(env)->d[i], &env_tlb(env)->f[i], now);
-- 
2.20.1

Do not call get_clock_realtime() in tlb_mmu_resize_locked,
but hoist outside of any loop over a set of tlbs.  This is
only two (indirect) callers, tlb_flush_by_mmuidx_async_work
and tlb_flush_page_locked, so not onerous.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_window_reset(CPUTLBDesc *desc, int64_t ns,
  * high), since otherwise we are likely to have a significant amount of
  * conflict misses.
  */
-static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
+static void tlb_mmu_resize_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast,
+                                  int64_t now)
 {
     size_t old_size = tlb_n_entries(fast);
     size_t rate;
     size_t new_size = old_size;
-    int64_t now = get_clock_realtime();
     int64_t window_len_ms = 100;
     int64_t window_len_ns = window_len_ms * 1000 * 1000;
     bool window_expired = now > desc->window_begin_ns + window_len_ns;
@@ -XXX,XX +XXX,XX @@ static void tlb_mmu_flush_locked(CPUTLBDesc *desc, CPUTLBDescFast *fast)
     memset(desc->vtable, -1, sizeof(desc->vtable));
 }
 
-static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx)
+static void tlb_flush_one_mmuidx_locked(CPUArchState *env, int mmu_idx,
+                                        int64_t now)
 {
     CPUTLBDesc *desc = &env_tlb(env)->d[mmu_idx];
     CPUTLBDescFast *fast = &env_tlb(env)->f[mmu_idx];
 
-    tlb_mmu_resize_locked(desc, fast);
+    tlb_mmu_resize_locked(desc, fast, now);
     tlb_mmu_flush_locked(desc, fast);
 }
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
     CPUArchState *env = cpu->env_ptr;
     uint16_t asked = data.host_int;
     uint16_t all_dirty, work, to_clean;
+    int64_t now = get_clock_realtime();
 
     assert_cpu_is_self(cpu);
 
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_by_mmuidx_async_work(CPUState *cpu, run_on_cpu_data data)
 
     for (work = to_clean; work != 0; work &= work - 1) {
         int mmu_idx = ctz32(work);
-        tlb_flush_one_mmuidx_locked(env, mmu_idx);
+        tlb_flush_one_mmuidx_locked(env, mmu_idx, now);
     }
 
     qemu_spin_unlock(&env_tlb(env)->c.lock);
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx,
         tlb_debug("forcing full flush midx %d ("
                   TARGET_FMT_lx "/" TARGET_FMT_lx ")\n",
                   midx, lp_addr, lp_mask);
-        tlb_flush_one_mmuidx_locked(env, midx);
+        tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
     } else {
         if (tlb_flush_entry_locked(tlb_entry(env, midx, page), page)) {
             tlb_n_used_entries_dec(env, midx);
-- 
2.20.1

The following changes since commit 7c18f2d663521f1b31b821a13358ce38075eaf7d:

Merge tag 'for-upstream' of https://gitlab.com/bonzini/qemu into staging (2023-04-29 23:07:17 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230502

for you to fetch changes up to bdc7fba1c5a29ae218b45353daac9308fe1aae82:

tcg: Introduce tcg_out_movext2 (2023-05-02 12:15:41 +0100)

----------------------------------------------------------------
Misc tcg-related patch queue.

----------------------------------------------------------------
Dickon Hood (1):
      qemu/bitops.h: Limit rotate amounts

Kiran Ostrolenk (1):
      qemu/host-utils.h: Add clz and ctz functions for lower-bit integers

Nazar Kazakov (2):
      tcg: Add tcg_gen_gvec_andcs
      tcg: Add tcg_gen_gvec_rotrs

Richard Henderson (7):
      softmmu: Tidy dirtylimit_dirty_ring_full_time
      qemu/int128: Re-shuffle Int128Alias members
      migration/xbzrle: Use __attribute__((target)) for avx512
      accel/tcg: Add cpu_ld*_code_mmu
      tcg/loongarch64: Conditionalize tcg_out_exts_i32_i64
      tcg/mips: Conditionalize tcg_out_exts_i32_i64
      tcg: Introduce tcg_out_movext2

Weiwei Li (1):
      accel/tcg: Uncache the host address for instruction fetch when tlb size < 1

Drop inline marker: let compiler decide.

Change return type to uint64_t: this matches the computation in the
return statement and the local variable assignment in the caller.

Rename local to dirty_ring_size_MB to fix typo.
Simplify conversion to MiB via qemu_target_page_bits and right shift.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 softmmu/dirtylimit.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/softmmu/dirtylimit.c b/softmmu/dirtylimit.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/dirtylimit.c
+++ b/softmmu/dirtylimit.c
@@ -XXX,XX +XXX,XX @@ bool dirtylimit_vcpu_index_valid(int cpu_index)
              cpu_index >= ms->smp.max_cpus);
 }
 
-static inline int64_t dirtylimit_dirty_ring_full_time(uint64_t dirtyrate)
+static uint64_t dirtylimit_dirty_ring_full_time(uint64_t dirtyrate)
 {
     static uint64_t max_dirtyrate;
-    uint32_t dirty_ring_size = kvm_dirty_ring_size();
-    uint64_t dirty_ring_size_meory_MB =
-        dirty_ring_size * qemu_target_page_size() >> 20;
+    unsigned target_page_bits = qemu_target_page_bits();
+    uint64_t dirty_ring_size_MB;
+
+    /* So far, the largest (non-huge) page size is 64k, i.e. 16 bits. */
+    assert(target_page_bits < 20);
+
+    /* Convert ring size (pages) to MiB (2**20). */
+    dirty_ring_size_MB = kvm_dirty_ring_size() >> (20 - target_page_bits);
 
     if (max_dirtyrate < dirtyrate) {
         max_dirtyrate = dirtyrate;
     }
 
-    return dirty_ring_size_meory_MB * 1000000 / max_dirtyrate;
+    return dirty_ring_size_MB * 1000000 / max_dirtyrate;
 }
 
 static inline bool dirtylimit_done(uint64_t quota,
-- 
2.34.1

From: Weiwei Li <liweiwei@iscas.ac.cn>

When PMP entry overlap part of the page, we'll set the tlb_size to 1, which
will make the address in tlb entry set with TLB_INVALID_MASK, and the next
access will again go through tlb_fill.However, this way will not work in
tb_gen_code() => get_page_addr_code_hostp(): the TLB host address will be
cached, and the following instructions can use this host address directly
which may lead to the bypass of PMP related check.
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1542.

Signed-off-by: Weiwei Li <liweiwei@iscas.ac.cn>
Signed-off-by: Junqiang Wang <wangjunqiang@iscas.ac.cn>
Reviewed-by: LIU Zhiwei <zhiwei_liu@linux.alibaba.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230422130329.23555-6-liweiwei@iscas.ac.cn>
---
 accel/tcg/cputlb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
     if (p == NULL) {
         return -1;
     }
+
+    if (full->lg_page_size < TARGET_PAGE_BITS) {
+        return -1;
+    }
+
     if (hostp) {
         *hostp = p;
     }
-- 
2.34.1

From: Dickon Hood <dickon.hood@codethink.co.uk>

Rotates have been fixed up to only allow for reasonable rotate amounts
(ie, no rotates >7 on an 8b value etc.)  This fixes a problem with riscv
vector rotate instructions.

Signed-off-by: Dickon Hood <dickon.hood@codethink.co.uk>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230428144757.57530-9-lawrence.hunter@codethink.co.uk>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/qemu/bitops.h | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/include/qemu/bitops.h b/include/qemu/bitops.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/bitops.h
+++ b/include/qemu/bitops.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned long find_first_zero_bit(const unsigned long *addr,
  */
 static inline uint8_t rol8(uint8_t word, unsigned int shift)
 {
-    return (word << shift) | (word >> ((8 - shift) & 7));
+    shift &= 7;
+    return (word << shift) | (word >> (8 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint8_t rol8(uint8_t word, unsigned int shift)
  */
 static inline uint8_t ror8(uint8_t word, unsigned int shift)
 {
-    return (word >> shift) | (word << ((8 - shift) & 7));
+    shift &= 7;
+    return (word >> shift) | (word << (8 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint8_t ror8(uint8_t word, unsigned int shift)
  */
 static inline uint16_t rol16(uint16_t word, unsigned int shift)
 {
-    return (word << shift) | (word >> ((16 - shift) & 15));
+    shift &= 15;
+    return (word << shift) | (word >> (16 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint16_t rol16(uint16_t word, unsigned int shift)
  */
 static inline uint16_t ror16(uint16_t word, unsigned int shift)
 {
-    return (word >> shift) | (word << ((16 - shift) & 15));
+    shift &= 15;
+    return (word >> shift) | (word << (16 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint16_t ror16(uint16_t word, unsigned int shift)
  */
 static inline uint32_t rol32(uint32_t word, unsigned int shift)
 {
-    return (word << shift) | (word >> ((32 - shift) & 31));
+    shift &= 31;
+    return (word << shift) | (word >> (32 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint32_t rol32(uint32_t word, unsigned int shift)
  */
 static inline uint32_t ror32(uint32_t word, unsigned int shift)
 {
-    return (word >> shift) | (word << ((32 - shift) & 31));
+    shift &= 31;
+    return (word >> shift) | (word << (32 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint32_t ror32(uint32_t word, unsigned int shift)
  */
 static inline uint64_t rol64(uint64_t word, unsigned int shift)
 {
-    return (word << shift) | (word >> ((64 - shift) & 63));
+    shift &= 63;
+    return (word << shift) | (word >> (64 - shift));
 }
 
 /**
@@ -XXX,XX +XXX,XX @@ static inline uint64_t rol64(uint64_t word, unsigned int shift)
  */
 static inline uint64_t ror64(uint64_t word, unsigned int shift)
 {
-    return (word >> shift) | (word << ((64 - shift) & 63));
+    shift &= 63;
+    return (word >> shift) | (word << (64 - shift));
 }
 
 /**
-- 
2.34.1

From: Kiran Ostrolenk <kiran.ostrolenk@codethink.co.uk>

This is for use in the RISC-V vclz and vctz instructions (implemented in
proceeding commit).

Signed-off-by: Kiran Ostrolenk <kiran.ostrolenk@codethink.co.uk>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230428144757.57530-11-lawrence.hunter@codethink.co.uk>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/qemu/host-utils.h | 54 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/include/qemu/host-utils.h b/include/qemu/host-utils.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/host-utils.h
+++ b/include/qemu/host-utils.h
@@ -XXX,XX +XXX,XX @@ static inline uint64_t muldiv64(uint64_t a, uint32_t b, uint32_t c)
 }
 #endif
 
+/**
+ * clz8 - count leading zeros in a 8-bit value.
+ * @val: The value to search
+ *
+ * Returns 8 if the value is zero.  Note that the GCC builtin is
+ * undefined if the value is zero.
+ *
+ * Note that the GCC builtin will upcast its argument to an `unsigned int`
+ * so this function subtracts off the number of prepended zeroes.
+ */
+static inline int clz8(uint8_t val)
+{
+    return val ? __builtin_clz(val) - 24 : 8;
+}
+
+/**
+ * clz16 - count leading zeros in a 16-bit value.
+ * @val: The value to search
+ *
+ * Returns 16 if the value is zero.  Note that the GCC builtin is
+ * undefined if the value is zero.
+ *
+ * Note that the GCC builtin will upcast its argument to an `unsigned int`
+ * so this function subtracts off the number of prepended zeroes.
+ */
+static inline int clz16(uint16_t val)
+{
+    return val ? __builtin_clz(val) - 16 : 16;
+}
+
 /**
  * clz32 - count leading zeros in a 32-bit value.
  * @val: The value to search
@@ -XXX,XX +XXX,XX @@ static inline int clo64(uint64_t val)
     return clz64(~val);
 }
 
+/**
+ * ctz8 - count trailing zeros in a 8-bit value.
+ * @val: The value to search
+ *
+ * Returns 8 if the value is zero.  Note that the GCC builtin is
+ * undefined if the value is zero.
+ */
+static inline int ctz8(uint8_t val)
+{
+    return val ? __builtin_ctz(val) : 8;
+}
+
+/**
+ * ctz16 - count trailing zeros in a 16-bit value.
+ * @val: The value to search
+ *
+ * Returns 16 if the value is zero.  Note that the GCC builtin is
+ * undefined if the value is zero.
+ */
+static inline int ctz16(uint16_t val)
+{
+    return val ? __builtin_ctz(val) : 16;
+}
+
 /**
  * ctz32 - count trailing zeros in a 32-bit value.
  * @val: The value to search
-- 
2.34.1

From: Nazar Kazakov <nazar.kazakov@codethink.co.uk>

Add tcg expander and helper functions for and-compliment
vector with scalar operand.

Signed-off-by: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
Message-Id: <20230428144757.57530-10-lawrence.hunter@codethink.co.uk>
[rth: Split out of larger patch.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/tcg-runtime.h      |  1 +
 include/tcg/tcg-op-gvec.h    |  2 ++
 accel/tcg/tcg-runtime-gvec.c | 11 +++++++++++
 tcg/tcg-op-gvec.c            | 17 +++++++++++++++++
 4 files changed, 31 insertions(+)

diff --git a/accel/tcg/tcg-runtime.h b/accel/tcg/tcg-runtime.h
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-runtime.h
+++ b/accel/tcg/tcg-runtime.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_FLAGS_4(gvec_nor, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_eqv, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 
 DEF_HELPER_FLAGS_4(gvec_ands, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
+DEF_HELPER_FLAGS_4(gvec_andcs, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_4(gvec_xors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_4(gvec_ors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 
diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_ori(unsigned vece, uint32_t dofs, uint32_t aofs,
 
 void tcg_gen_gvec_ands(unsigned vece, uint32_t dofs, uint32_t aofs,
                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
+void tcg_gen_gvec_andcs(unsigned vece, uint32_t dofs, uint32_t aofs,
+                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
 void tcg_gen_gvec_xors(unsigned vece, uint32_t dofs, uint32_t aofs,
                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz);
 void tcg_gen_gvec_ors(unsigned vece, uint32_t dofs, uint32_t aofs,
diff --git a/accel/tcg/tcg-runtime-gvec.c b/accel/tcg/tcg-runtime-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-runtime-gvec.c
+++ b/accel/tcg/tcg-runtime-gvec.c
@@ -XXX,XX +XXX,XX @@ void HELPER(gvec_ands)(void *d, void *a, uint64_t b, uint32_t desc)
     clear_high(d, oprsz, desc);
 }
 
+void HELPER(gvec_andcs)(void *d, void *a, uint64_t b, uint32_t desc)
+{
+    intptr_t oprsz = simd_oprsz(desc);
+    intptr_t i;
+
+    for (i = 0; i < oprsz; i += sizeof(uint64_t)) {
+        *(uint64_t *)(d + i) = *(uint64_t *)(a + i) & ~b;
+    }
+    clear_high(d, oprsz, desc);
+}
+
 void HELPER(gvec_xors)(void *d, void *a, uint64_t b, uint32_t desc)
 {
     intptr_t oprsz = simd_oprsz(desc);
diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_andi(unsigned vece, uint32_t dofs, uint32_t aofs,
     tcg_gen_gvec_2s(dofs, aofs, oprsz, maxsz, tmp, &gop_ands);
 }
 
+void tcg_gen_gvec_andcs(unsigned vece, uint32_t dofs, uint32_t aofs,
+                        TCGv_i64 c, uint32_t oprsz, uint32_t maxsz)
+{
+    static GVecGen2s g = {
+        .fni8 = tcg_gen_andc_i64,
+        .fniv = tcg_gen_andc_vec,
+        .fno = gen_helper_gvec_andcs,
+        .prefer_i64 = TCG_TARGET_REG_BITS == 64,
+        .vece = MO_64
+    };
+
+    TCGv_i64 tmp = tcg_temp_ebb_new_i64();
+    tcg_gen_dup_i64(vece, tmp, c);
+    tcg_gen_gvec_2s(dofs, aofs, oprsz, maxsz, c, &g);
+    tcg_temp_free_i64(tmp);
+}
+
 static const GVecGen2s gop_xors = {
     .fni8 = tcg_gen_xor_i64,
     .fniv = tcg_gen_xor_vec,
-- 
2.34.1

From: Nazar Kazakov <nazar.kazakov@codethink.co.uk>

Add tcg expander and helper functions for rotate right
vector with scalar operand.

Signed-off-by: Nazar Kazakov <nazar.kazakov@codethink.co.uk>
Message-Id: <20230428144757.57530-10-lawrence.hunter@codethink.co.uk>
[rth: Split out of larger patch; mask rotation count.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg-op-gvec.h |  2 ++
 tcg/tcg-op-gvec.c         | 11 +++++++++++
 2 files changed, 13 insertions(+)

diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_sars(unsigned vece, uint32_t dofs, uint32_t aofs,
                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
 void tcg_gen_gvec_rotls(unsigned vece, uint32_t dofs, uint32_t aofs,
                         TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
+void tcg_gen_gvec_rotrs(unsigned vece, uint32_t dofs, uint32_t aofs,
+                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz);
 
 /*
  * Perform vector shift by vector element, modulo the element size.
diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_rotls(unsigned vece, uint32_t dofs, uint32_t aofs,
     do_gvec_shifts(vece, dofs, aofs, shift, oprsz, maxsz, &g);
 }
 
+void tcg_gen_gvec_rotrs(unsigned vece, uint32_t dofs, uint32_t aofs,
+                        TCGv_i32 shift, uint32_t oprsz, uint32_t maxsz)
+{
+    TCGv_i32 tmp = tcg_temp_ebb_new_i32();
+
+    tcg_gen_neg_i32(tmp, shift);
+    tcg_gen_andi_i32(tmp, tmp, (8 << vece) - 1);
+    tcg_gen_gvec_rotls(vece, dofs, aofs, tmp, oprsz, maxsz);
+    tcg_temp_free_i32(tmp);
+}
+
 /*
  * Expand D = A << (B % element bits)
  *
-- 
2.34.1

Clang 14, with --enable-tcg-interpreter errors with

include/qemu/int128.h:487:16: error: alignment of field 'i' (128 bits)
  does not match the alignment of the first field in transparent union;
  transparent_union attribute ignored [-Werror,-Wignored-attributes]
    __int128_t i;
               ^
include/qemu/int128.h:486:12: note: alignment of first field is 64 bits
    Int128 s;
           ^
1 error generated.

By placing the __uint128_t member first, this is avoided.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20230501204625.277361-1-richard.henderson@linaro.org>
---
 include/qemu/int128.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/qemu/int128.h b/include/qemu/int128.h
index XXXXXXX..XXXXXXX 100644
--- a/include/qemu/int128.h
+++ b/include/qemu/int128.h
@@ -XXX,XX +XXX,XX @@ static inline void bswap128s(Int128 *s)
  */
 #ifdef CONFIG_INT128
 typedef union {
-    Int128 s;
-    __int128_t i;
     __uint128_t u;
+    __int128_t i;
+    Int128 s;
 } Int128Alias __attribute__((transparent_union));
 #else
 typedef Int128 Int128Alias;
-- 
2.34.1

Use the attribute, which is supported by clang, instead of
the #pragma, which is not supported and, for some reason,
also not detected by the meson probe, so we fail by -Werror.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Juan Quintela <quintela@redhat.com>
Message-Id: <20230501210555.289806-1-richard.henderson@linaro.org>
---
 meson.build        | 5 +----
 migration/xbzrle.c | 9 ++++-----
 2 files changed, 5 insertions(+), 9 deletions(-)

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ config_host_data.set('CONFIG_AVX512F_OPT', get_option('avx512f') \
 config_host_data.set('CONFIG_AVX512BW_OPT', get_option('avx512bw') \
   .require(have_cpuid_h, error_message: 'cpuid.h not available, cannot enable AVX512BW') \
   .require(cc.links('''
-    #pragma GCC push_options
-    #pragma GCC target("avx512bw")
     #include <cpuid.h>
     #include <immintrin.h>
-    static int bar(void *a) {
-
+    static int __attribute__((target("avx512bw"))) bar(void *a) {
       __m512i *x = a;
       __m512i res= _mm512_abs_epi8(*x);
       return res[1];
diff --git a/migration/xbzrle.c b/migration/xbzrle.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/xbzrle.c
+++ b/migration/xbzrle.c
@@ -XXX,XX +XXX,XX @@ int xbzrle_decode_buffer(uint8_t *src, int slen, uint8_t *dst, int dlen)
 }
 
 #if defined(CONFIG_AVX512BW_OPT)
-#pragma GCC push_options
-#pragma GCC target("avx512bw")
 #include <immintrin.h>
-int xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
-                             uint8_t *dst, int dlen)
+
+int __attribute__((target("avx512bw")))
+xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
+                            uint8_t *dst, int dlen)
 {
     uint32_t zrun_len = 0, nzrun_len = 0;
     int d = 0, i = 0, num = 0;
@@ -XXX,XX +XXX,XX @@ int xbzrle_encode_buffer_avx512(uint8_t *old_buf, uint8_t *new_buf, int slen,
     }
     return d;
 }
-#pragma GCC pop_options
 #endif
-- 
2.34.1

At least RISC-V has the need to be able to perform a read
using execute permissions, outside of translation.
Add helpers to facilitate this.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Reviewed-by: Weiwei Li <liweiwei@iscas.ac.cn>
Tested-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Message-Id: <20230325105429.1142530-9-richard.henderson@linaro.org>
Message-Id: <20230412114333.118895-9-richard.henderson@linaro.org>
---
 include/exec/cpu_ldst.h |  9 +++++++
 accel/tcg/cputlb.c      | 48 ++++++++++++++++++++++++++++++++++
 accel/tcg/user-exec.c   | 58 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 115 insertions(+)

diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline CPUTLBEntry *tlb_entry(CPUArchState *env, uintptr_t mmu_idx,
 # define cpu_stq_mmu          cpu_stq_le_mmu
 #endif
 
+uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
+                         MemOpIdx oi, uintptr_t ra);
+uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra);
+uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra);
+uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra);
+
 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr);
 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr);
 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
     MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(env, true));
     return full_ldq_code(env, addr, oi, 0);
 }
+
+uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
+                         MemOpIdx oi, uintptr_t retaddr)
+{
+    return full_ldub_code(env, addr, oi, retaddr);
+}
+
+uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t retaddr)
+{
+    MemOp mop = get_memop(oi);
+    int idx = get_mmuidx(oi);
+    uint16_t ret;
+
+    ret = full_lduw_code(env, addr, make_memop_idx(MO_TEUW, idx), retaddr);
+    if ((mop & MO_BSWAP) != MO_TE) {
+        ret = bswap16(ret);
+    }
+    return ret;
+}
+
+uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t retaddr)
+{
+    MemOp mop = get_memop(oi);
+    int idx = get_mmuidx(oi);
+    uint32_t ret;
+
+    ret = full_ldl_code(env, addr, make_memop_idx(MO_TEUL, idx), retaddr);
+    if ((mop & MO_BSWAP) != MO_TE) {
+        ret = bswap32(ret);
+    }
+    return ret;
+}
+
+uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t retaddr)
+{
+    MemOp mop = get_memop(oi);
+    int idx = get_mmuidx(oi);
+    uint64_t ret;
+
+    ret = full_ldq_code(env, addr, make_memop_idx(MO_TEUQ, idx), retaddr);
+    if ((mop & MO_BSWAP) != MO_TE) {
+        ret = bswap64(ret);
+    }
+    return ret;
+}
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr ptr)
     return ret;
 }
 
+uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
+                         MemOpIdx oi, uintptr_t ra)
+{
+    void *haddr;
+    uint8_t ret;
+
+    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
+    ret = ldub_p(haddr);
+    clear_helper_retaddr();
+    return ret;
+}
+
+uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra)
+{
+    void *haddr;
+    uint16_t ret;
+
+    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
+    ret = lduw_p(haddr);
+    clear_helper_retaddr();
+    if (get_memop(oi) & MO_BSWAP) {
+        ret = bswap16(ret);
+    }
+    return ret;
+}
+
+uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra)
+{
+    void *haddr;
+    uint32_t ret;
+
+    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_INST_FETCH);
+    ret = ldl_p(haddr);
+    clear_helper_retaddr();
+    if (get_memop(oi) & MO_BSWAP) {
+        ret = bswap32(ret);
+    }
+    return ret;
+}
+
+uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
+                          MemOpIdx oi, uintptr_t ra)
+{
+    void *haddr;
+    uint64_t ret;
+
+    validate_memop(oi, MO_BEUQ);
+    haddr = cpu_mmu_lookup(env, addr, oi, ra, MMU_DATA_LOAD);
+    ret = ldq_p(haddr);
+    clear_helper_retaddr();
+    if (get_memop(oi) & MO_BSWAP) {
+        ret = bswap64(ret);
+    }
+    return ret;
+}
+
 #include "ldst_common.c.inc"
 
 /*
-- 
2.34.1

This is common code in most qemu_{ld,st} slow paths, moving two
registers when there may be overlap between sources and destinations.
At present, this is only used by 32-bit hosts for 64-bit data,
but will shortly be used for more than that.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg.c                 | 69 ++++++++++++++++++++++++++++++++++++---
 tcg/arm/tcg-target.c.inc  | 44 ++++++++++---------------
 tcg/i386/tcg-target.c.inc | 19 +++++------
 3 files changed, 90 insertions(+), 42 deletions(-)

diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void tcg_out_exts_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg);
 static void tcg_out_extu_i32_i64(TCGContext *s, TCGReg ret, TCGReg arg);
 static void tcg_out_extrl_i64_i32(TCGContext *s, TCGReg ret, TCGReg arg);
 static void tcg_out_addi_ptr(TCGContext *s, TCGReg, TCGReg, tcg_target_long);
-static bool tcg_out_xchg(TCGContext *s, TCGType type, TCGReg r1, TCGReg r2)
-    __attribute__((unused));
+static bool tcg_out_xchg(TCGContext *s, TCGType type, TCGReg r1, TCGReg r2);
 static void tcg_out_exit_tb(TCGContext *s, uintptr_t arg);
 static void tcg_out_goto_tb(TCGContext *s, int which);
 static void tcg_out_op(TCGContext *s, TCGOpcode opc,
@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
     siglongjmp(s->jmp_trans, -2);
 }
 
+typedef struct TCGMovExtend {
+    TCGReg dst;
+    TCGReg src;
+    TCGType dst_type;
+    TCGType src_type;
+    MemOp src_ext;
+} TCGMovExtend;
+
 /**
  * tcg_out_movext -- move and extend
  * @s: tcg context
@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
  *
  * Move or extend @src into @dst, depending on @src_ext and the types.
  */
-static void __attribute__((unused))
-tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
-               TCGType src_type, MemOp src_ext, TCGReg src)
+static void tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
+                           TCGType src_type, MemOp src_ext, TCGReg src)
 {
     switch (src_ext) {
     case MO_UB:
@@ -XXX,XX +XXX,XX @@ tcg_out_movext(TCGContext *s, TCGType dst_type, TCGReg dst,
     }
 }
 
+/* Minor variations on a theme, using a structure. */
+static void tcg_out_movext1_new_src(TCGContext *s, const TCGMovExtend *i,
+                                    TCGReg src)
+{
+    tcg_out_movext(s, i->dst_type, i->dst, i->src_type, i->src_ext, src);
+}
+
+static void tcg_out_movext1(TCGContext *s, const TCGMovExtend *i)
+{
+    tcg_out_movext1_new_src(s, i, i->src);
+}
+
+/**
+ * tcg_out_movext2 -- move and extend two pair
+ * @s: tcg context
+ * @i1: first move description
+ * @i2: second move description
+ * @scratch: temporary register, or -1 for none
+ *
+ * As tcg_out_movext, for both @i1 and @i2, caring for overlap
+ * between the sources and destinations.
+ */
+
+static void __attribute__((unused))
+tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
+                const TCGMovExtend *i2, int scratch)
+{
+    TCGReg src1 = i1->src;
+    TCGReg src2 = i2->src;
+
+    if (i1->dst != src2) {
+        tcg_out_movext1(s, i1);
+        tcg_out_movext1(s, i2);
+        return;
+    }
+    if (i2->dst == src1) {
+        TCGType src1_type = i1->src_type;
+        TCGType src2_type = i2->src_type;
+
+        if (tcg_out_xchg(s, MAX(src1_type, src2_type), src1, src2)) {
+            /* The data is now in the correct registers, now extend. */
+            src1 = i2->src;
+            src2 = i1->src;
+        } else {
+            tcg_debug_assert(scratch >= 0);
+            tcg_out_mov(s, src1_type, scratch, src1);
+            src1 = scratch;
+        }
+    }
+    tcg_out_movext1_new_src(s, i2, src2);
+    tcg_out_movext1_new_src(s, i1, src1);
+}
+
 #define C_PFX1(P, A)                    P##A
 #define C_PFX2(P, A, B)                 P##A##_##B
 #define C_PFX3(P, A, B, C)              P##A##_##B##_##C
diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/arm/tcg-target.c.inc
+++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
 
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
-    TCGReg argreg, datalo, datahi;
+    TCGReg argreg;
     MemOpIdx oi = lb->oi;
     MemOp opc = get_memop(oi);
 
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     /* Use the canonical unsigned helpers and minimize icache usage. */
     tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
 
-    datalo = lb->datalo_reg;
-    datahi = lb->datahi_reg;
     if ((opc & MO_SIZE) == MO_64) {
-        if (datalo != TCG_REG_R1) {
-            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_R0);
-            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
-        } else if (datahi != TCG_REG_R0) {
-            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
-            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_R0);
-        } else {
-            tcg_out_mov_reg(s, COND_AL, TCG_REG_TMP, TCG_REG_R0);
-            tcg_out_mov_reg(s, COND_AL, datahi, TCG_REG_R1);
-            tcg_out_mov_reg(s, COND_AL, datalo, TCG_REG_TMP);
-        }
+        TCGMovExtend ext[2] = {
+            { .dst = lb->datalo_reg, .dst_type = TCG_TYPE_I32,
+              .src = TCG_REG_R0, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+            { .dst = lb->datahi_reg, .dst_type = TCG_TYPE_I32,
+              .src = TCG_REG_R1, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+        };
+        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
     } else {
-        tcg_out_movext(s, TCG_TYPE_I32, datalo,
+        tcg_out_movext(s, TCG_TYPE_I32, lb->datalo_reg,
                        TCG_TYPE_I32, opc & MO_SSIZE, TCG_REG_R0);
     }
 
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 
     if (TARGET_LONG_BITS == 64) {
         /* 64-bit target address is aligned into R2:R3. */
-        if (l->addrhi_reg != TCG_REG_R2) {
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, l->addrlo_reg);
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, l->addrhi_reg);
-        } else if (l->addrlo_reg != TCG_REG_R3) {
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, l->addrhi_reg);
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, l->addrlo_reg);
-        } else {
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R1, TCG_REG_R2);
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R2, TCG_REG_R3);
-            tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R3, TCG_REG_R1);
-        }
+        TCGMovExtend ext[2] = {
+            { .dst = TCG_REG_R2, .dst_type = TCG_TYPE_I32,
+              .src = l->addrlo_reg,
+              .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+            { .dst = TCG_REG_R3, .dst_type = TCG_TYPE_I32,
+              .src = l->addrhi_reg,
+              .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+        };
+        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
     } else {
         tcg_out_mov(s, TCG_TYPE_I32, TCG_REG_R1, l->addrlo_reg);
     }
diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     MemOpIdx oi = l->oi;
     MemOp opc = get_memop(oi);
-    TCGReg data_reg;
     tcg_insn_unit **label_ptr = &l->label_ptr[0];
 
     /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 
     tcg_out_branch(s, 1, qemu_ld_helpers[opc & (MO_BSWAP | MO_SIZE)]);
 
-    data_reg = l->datalo_reg;
     if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
-        if (data_reg == TCG_REG_EDX) {
-            /* xchg %edx, %eax */
-            tcg_out_opc(s, OPC_XCHG_ax_r32 + TCG_REG_EDX, 0, 0, 0);
-            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_EAX);
-        } else {
-            tcg_out_mov(s, TCG_TYPE_I32, data_reg, TCG_REG_EAX);
-            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_EDX);
-        }
+        TCGMovExtend ext[2] = {
+            { .dst = l->datalo_reg, .dst_type = TCG_TYPE_I32,
+              .src = TCG_REG_EAX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+            { .dst = l->datahi_reg, .dst_type = TCG_TYPE_I32,
+              .src = TCG_REG_EDX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+        };
+        tcg_out_movext2(s, &ext[0], &ext[1], -1);
     } else {
-        tcg_out_movext(s, l->type, data_reg,
+        tcg_out_movext(s, l->type, l->datalo_reg,
                        TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_EAX);
     }
 
-- 
2.34.1