Series comparison

-[PULL 00/10] tcg patch queue
+[PULL 00/15] tcg patch queue
-The following changes since commit a36d64f43325fa503075cc9408ddabb69b32f829:
+The following changes since commit d37158bb2425e7ebffb167d611be01f1e9e6c86f:
-  Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-and-gdbstub-060520-1' into staging (2020-05-06 14:06:00 +0100)
+  Update version for v8.0.0-rc2 release (2023-03-28 20:43:21 +0100)
 are available in the Git repository at:
-  https://github.com/rth7680/qemu.git tags/pull-tcg-20200506
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230328
-for you to fetch changes up to 07dada0336a83002dfa8673a9220a88e13d9a45c:
+for you to fetch changes up to 87e303de70f93bf700f58412fb9b2c3ec918c4b5:
-  tcg: Fix integral argument type to tcg_gen_rot[rl]i_i{32,64} (2020-05-06 09:25:10 -0700)
+  softmmu: Restore use of CPU watchpoint for all accelerators (2023-03-28 15:24:06 -0700)
 ----------------------------------------------------------------
-Add tcg_gen_gvec_dup_imm
+Use a local version of GTree [#285]
-Misc tcg patches
+Fix page_set_flags vs the last page of the address space [#1528]
 Re-enable gdbstub breakpoints under KVM
 ----------------------------------------------------------------
+Emilio Cota (2):
+      util: import GTree as QTree
+      tcg: use QTree instead of GTree
+Philippe Mathieu-Daudé (3):
+      softmmu: Restrict cpu_check_watchpoint / address_matches to TCG accel
+      softmmu/watchpoint: Add missing 'qemu/error-report.h' include
+      softmmu: Restore use of CPU watchpoint for all accelerators
 Richard Henderson (10):
-      tcg: Add tcg_gen_gvec_dup_imm
+      linux-user: Diagnose misaligned -R size
-      target/s390x: Use tcg_gen_gvec_dup_imm
+      accel/tcg: Pass last not end to page_set_flags
-      target/ppc: Use tcg_gen_gvec_dup_imm
+      accel/tcg: Pass last not end to page_reset_target_data
-      target/arm: Use tcg_gen_gvec_dup_imm
+      accel/tcg: Pass last not end to PAGE_FOR_EACH_TB
-      tcg: Use tcg_gen_gvec_dup_imm in logical simplifications
+      accel/tcg: Pass last not end to page_collection_lock
-      tcg: Remove tcg_gen_gvec_dup{8,16,32,64}i
+      accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
-      tcg: Add tcg_gen_gvec_dup_tl
+      accel/tcg: Pass last not end to tb_invalidate_phys_range
-      tcg: Improve vector tail clearing
+      linux-user: Pass last not end to probe_guest_base
-      tcg: Add load_dest parameter to GVecGen2
+      include/exec: Change reserved_va semantics to last byte
-      tcg: Fix integral argument type to tcg_gen_rot[rl]i_i{32,64}
+      linux-user/arm: Take more care allocating commpage
- include/tcg/tcg-op-gvec.h           |  13 ++-
+ configure                     |   15 +
- include/tcg/tcg-op.h                |   8 +-
+ meson.build                   |    4 +
- target/arm/translate-a64.c          |  10 +--
+ include/exec/cpu-all.h        |   15 +-
- target/arm/translate-sve.c          |  12 ++-
+ include/exec/exec-all.h       |    2 +-
- target/arm/translate.c              |   9 +-
+ include/hw/core/cpu.h         |   39 +-
- target/ppc/translate/vmx-impl.inc.c |  32 +++----
+ include/hw/core/tcg-cpu-ops.h |   43 ++
- target/ppc/translate/vsx-impl.inc.c |   2 +-
+ include/qemu/qtree.h          |  201 ++++++
- target/s390x/translate_vx.inc.c     |  41 ++-------
+ linux-user/arm/target_cpu.h   |    2 +-
- tcg/tcg-op-gvec.c                   | 162 +++++++++++++++++++++++-------------
+ linux-user/user-internals.h   |   12 +-
- tcg/tcg-op.c                        |  16 ++--
+ accel/tcg/tb-maint.c          |  112 ++--
-files changed, 166 insertions(+), 139 deletions(-)
+ accel/tcg/translate-all.c     |    2 +-
  accel/tcg/user-exec.c         |   25 +-
  bsd-user/main.c               |   10 +-
  bsd-user/mmap.c               |   10 +-
  linux-user/elfload.c          |   72 ++-
  linux-user/flatload.c         |    2 +-
  linux-user/main.c             |   31 +-
  linux-user/mmap.c             |   22 +-
  linux-user/syscall.c          |    4 +-
  softmmu/physmem.c             |    2 +-
  softmmu/watchpoint.c          |    5 +
  target/arm/tcg/mte_helper.c   |    1 +
  target/arm/tcg/sve_helper.c   |    1 +
  target/s390x/tcg/mem_helper.c |    1 +
  tcg/region.c                  |   19 +-
  tests/bench/qtree-bench.c     |  286 +++++++++
  tests/unit/test-qtree.c       |  333 ++++++++++
  util/qtree.c                  | 1390 +++++++++++++++++++++++++++++++++++++++++
  softmmu/meson.build           |    2 +-
  tests/bench/meson.build       |    4 +
  tests/unit/meson.build        |    1 +
  util/meson.build              |    1 +
 files changed, 2474 insertions(+), 195 deletions(-)
  create mode 100644 include/qemu/qtree.h
  create mode 100644 tests/bench/qtree-bench.c
  create mode 100644 tests/unit/test-qtree.c
  create mode 100644 util/qtree.c

-New patch
+[PULL 01/15] util: import GTree as QTree
+From: Emilio Cota <cota@braap.org>
+The only reason to add this implementation is to control the memory allocator
+used. Some users (e.g. TCG) cannot work reliably in multi-threaded
+environments (e.g. forking in user-mode) with GTree's allocator, GSlice.
+See https://gitlab.com/qemu-project/qemu/-/issues/285 for details.
+Importing GTree is a temporary workaround until GTree migrates away
+from GSlice.
+This implementation is identical to that in glib v2.75.0, except that
+we don't import recent additions to the API nor deprecated API calls,
+none of which are used in QEMU.
+I've imported tests from glib and added a benchmark just to
+make sure that performance is similar. Note: it cannot be identical
+because (1) we are not using GSlice, (2) we use different compilation flags
+(e.g. -fPIC) and (3) we're linking statically.
+$ cat /proc/cpuinfo| grep 'model name' | head -1
+model name      : AMD Ryzen 7 PRO 5850U with Radeon Graphics
+$ echo '0' | sudo tee /sys/devices/system/cpu/cpufreq/boost
+$ tests/bench/qtree-bench
+ Tree         Op      32            1024            4096          131072         1048576
+------------------------------------------------------------------------------------------------
+GTree     Lookup   83.23           43.08           25.31           19.40           16.22
+QTree     Lookup  113.42 (1.36x)   53.83 (1.25x)   28.38 (1.12x)   17.64 (0.91x)   13.04 (0.80x)
+GTree     Insert   44.23           29.37           25.83           19.49           17.03
+QTree     Insert   46.87 (1.06x)   25.62 (0.87x)   24.29 (0.94x)   16.83 (0.86x)   12.97 (0.76x)
+GTree     Remove   53.27           35.15           31.43           24.64           16.70
+QTree     Remove   57.32 (1.08x)   41.76 (1.19x)   38.37 (1.22x)   29.30 (1.19x)   15.07 (0.90x)
+GTree  RemoveAll  135.44          127.52          126.72          120.11           64.34
+QTree  RemoveAll  127.15 (0.94x)  110.37 (0.87x)  107.97 (0.85x)   97.13 (0.81x)   55.10 (0.86x)
+GTree   Traverse  277.71          276.09          272.78          246.72           98.47
+QTree   Traverse  370.33 (1.33x)  411.97 (1.49x)  400.23 (1.47x)  262.82 (1.07x)   78.52 (0.80x)
+------------------------------------------------------------------------------------------------
+As a sanity check, the same benchmark when Glib's version
+is >= $glib_dropped_gslice_version (i.e. QTree == GTree):
+ Tree         Op      32            1024            4096          131072         1048576
+------------------------------------------------------------------------------------------------
+GTree     Lookup   82.72           43.09           24.18           19.73           16.09
+QTree     Lookup   81.82 (0.99x)   43.10 (1.00x)   24.20 (1.00x)   19.76 (1.00x)   16.26 (1.01x)
+GTree     Insert   45.07           29.62           26.34           19.90           17.18
+QTree     Insert   45.72 (1.01x)   29.60 (1.00x)   26.38 (1.00x)   19.71 (0.99x)   17.20 (1.00x)
+GTree     Remove   54.48           35.36           31.77           24.97           16.95
+QTree     Remove   54.46 (1.00x)   35.32 (1.00x)   31.77 (1.00x)   24.91 (1.00x)   17.15 (1.01x)
+GTree  RemoveAll  140.68          127.36          125.43          121.45           68.20
+QTree  RemoveAll  140.65 (1.00x)  127.64 (1.00x)  125.01 (1.00x)  121.73 (1.00x)   67.06 (0.98x)
+GTree   Traverse  278.68          276.05          266.75          251.65          104.93
+QTree   Traverse  278.31 (1.00x)  275.78 (1.00x)  266.42 (1.00x)  247.89 (0.99x)  104.58 (1.00x)
+------------------------------------------------------------------------------------------------
+Signed-off-by: Emilio Cota <cota@braap.org>
+Message-Id: <20230205163758.416992-2-cota@braap.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ configure                 |   15 +
+ meson.build               |    4 +
+ include/qemu/qtree.h      |  201 ++++++
+ tests/bench/qtree-bench.c |  286 ++++++++
+ tests/unit/test-qtree.c   |  333 +++++++++
+ util/qtree.c              | 1390 +++++++++++++++++++++++++++++++++++++
+ tests/bench/meson.build   |    4 +
+ tests/unit/meson.build    |    1 +
+ util/meson.build          |    1 +
+files changed, 2235 insertions(+)
+ create mode 100644 include/qemu/qtree.h
+ create mode 100644 tests/bench/qtree-bench.c
+ create mode 100644 tests/unit/test-qtree.c
+ create mode 100644 util/qtree.c
+diff --git a/configure b/configure
+index XXXXXXX..XXXXXXX 100755
+--- a/configure
++++ b/configure
+@@ -XXX,XX +XXX,XX @@ safe_stack=""
+ use_containers="yes"
+ gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
+ gdb_arches=""
++glib_has_gslice="no"
+ if test -e "$source_path/.git"
+ then
+@@ -XXX,XX +XXX,XX @@ for i in $glib_modules; do
+     fi
+ done
++# Check whether glib has gslice, which we have to avoid for correctness.
++# TODO: remove this check and the corresponding workaround (qtree) when
++# the minimum supported glib is >= $glib_dropped_gslice_version.
++glib_dropped_gslice_version=2.75.3
++for i in $glib_modules; do
++    if ! $pkg_config --atleast-version=$glib_dropped_gslice_version $i; then
++        glib_has_gslice="yes"
++    break
++    fi
++done
++
+ glib_bindir="$($pkg_config --variable=bindir glib-2.0)"
+ if test -z "$glib_bindir" ; then
+     glib_bindir="$($pkg_config --variable=prefix glib-2.0)"/bin
+@@ -XXX,XX +XXX,XX @@ echo "GLIB_CFLAGS=$glib_cflags" >> $config_host_mak
+ echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
+ echo "GLIB_BINDIR=$glib_bindir" >> $config_host_mak
+ echo "GLIB_VERSION=$($pkg_config --modversion glib-2.0)" >> $config_host_mak
++if test "$glib_has_gslice" = "yes" ; then
++    echo "HAVE_GLIB_WITH_SLICE_ALLOCATOR=y" >> $config_host_mak
++fi
+ echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
+ echo "EXESUF=$EXESUF" >> $config_host_mak
+diff --git a/meson.build b/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/meson.build
++++ b/meson.build
+@@ -XXX,XX +XXX,XX @@ glib = declare_dependency(compile_args: config_host['GLIB_CFLAGS'].split(),
+                           })
+ # override glib dep with the configure results (for subprojects)
+ meson.override_dependency('glib-2.0', glib)
++# pass down whether Glib has the slice allocator
++if config_host.has_key('HAVE_GLIB_WITH_SLICE_ALLOCATOR')
++  config_host_data.set('HAVE_GLIB_WITH_SLICE_ALLOCATOR', true)
++endif
+ gio = not_found
+ gdbus_codegen = not_found
+diff --git a/include/qemu/qtree.h b/include/qemu/qtree.h
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/include/qemu/qtree.h
+@@ -XXX,XX +XXX,XX @@
++/*
++ * GLIB - Library of useful routines for C programming
++ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
++ *
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++/*
++ * Modified by the GLib Team and others 1997-2000.  See the AUTHORS
++ * file for a list of people on the GLib Team.  See the ChangeLog
++ * files for a list of changes.  These files are distributed with
++ * GLib at ftp://ftp.gtk.org/pub/gtk/.
++ */
++
++/*
++ * QTree is a partial import of Glib's GTree. The parts excluded correspond
++ * to API calls either deprecated (e.g. g_tree_traverse) or recently added
++ * (e.g. g_tree_search_node, added in 2.68); neither have callers in QEMU.
++ *
++ * The reason for this import is to allow us to control the memory allocator
++ * used by the tree implementation. Until Glib 2.75.3, GTree uses Glib's
++ * slice allocator, which causes problems when forking in user-mode;
++ * see https://gitlab.com/qemu-project/qemu/-/issues/285 and glib's
++ * "45b5a6c1e gslice: Remove slice allocator and use malloc() instead".
++ *
++ * TODO: remove QTree when QEMU's minimum Glib version is >= 2.75.3.
++ */
++
++#ifndef QEMU_QTREE_H
++#define QEMU_QTREE_H
++
++#include "qemu/osdep.h"
++
++#ifdef HAVE_GLIB_WITH_SLICE_ALLOCATOR
++
++typedef struct _QTree  QTree;
++
++typedef struct _QTreeNode QTreeNode;
++
++typedef gboolean (*QTraverseNodeFunc)(QTreeNode *node,
++                                      gpointer user_data);
++
++/*
++ * Balanced binary trees
++ */
++QTree *q_tree_new(GCompareFunc key_compare_func);
++QTree *q_tree_new_with_data(GCompareDataFunc key_compare_func,
++                            gpointer key_compare_data);
++QTree *q_tree_new_full(GCompareDataFunc key_compare_func,
++                       gpointer key_compare_data,
++                       GDestroyNotify key_destroy_func,
++                       GDestroyNotify value_destroy_func);
++QTree *q_tree_ref(QTree *tree);
++void q_tree_unref(QTree *tree);
++void q_tree_destroy(QTree *tree);
++void q_tree_insert(QTree *tree,
++                   gpointer key,
++                   gpointer value);
++void q_tree_replace(QTree *tree,
++                    gpointer key,
++                    gpointer value);
++gboolean q_tree_remove(QTree *tree,
++                       gconstpointer key);
++gboolean q_tree_steal(QTree *tree,
++                      gconstpointer key);
++gpointer q_tree_lookup(QTree *tree,
++                       gconstpointer key);
++gboolean q_tree_lookup_extended(QTree *tree,
++                                gconstpointer lookup_key,
++                                gpointer *orig_key,
++                                gpointer *value);
++void q_tree_foreach(QTree *tree,
++                    GTraverseFunc func,
++                    gpointer user_data);
++gpointer q_tree_search(QTree *tree,
++                       GCompareFunc search_func,
++                       gconstpointer user_data);
++gint q_tree_height(QTree *tree);
++gint q_tree_nnodes(QTree *tree);
++
++#else /* !HAVE_GLIB_WITH_SLICE_ALLOCATOR */
++
++typedef GTree QTree;
++typedef GTreeNode QTreeNode;
++typedef GTraverseNodeFunc QTraverseNodeFunc;
++
++static inline QTree *q_tree_new(GCompareFunc key_compare_func)
++{
++    return g_tree_new(key_compare_func);
++}
++
++static inline QTree *q_tree_new_with_data(GCompareDataFunc key_compare_func,
++                                          gpointer key_compare_data)
++{
++    return g_tree_new_with_data(key_compare_func, key_compare_data);
++}
++
++static inline QTree *q_tree_new_full(GCompareDataFunc key_compare_func,
++                                     gpointer key_compare_data,
++                                     GDestroyNotify key_destroy_func,
++                                     GDestroyNotify value_destroy_func)
++{
++    return g_tree_new_full(key_compare_func, key_compare_data,
++                           key_destroy_func, value_destroy_func);
++}
++
++static inline QTree *q_tree_ref(QTree *tree)
++{
++    return g_tree_ref(tree);
++}
++
++static inline void q_tree_unref(QTree *tree)
++{
++    g_tree_unref(tree);
++}
++
++static inline void q_tree_destroy(QTree *tree)
++{
++    g_tree_destroy(tree);
++}
++
++static inline void q_tree_insert(QTree *tree,
++                                 gpointer key,
++                                 gpointer value)
++{
++    g_tree_insert(tree, key, value);
++}
++
++static inline void q_tree_replace(QTree *tree,
++                                  gpointer key,
++                                  gpointer value)
++{
++    g_tree_replace(tree, key, value);
++}
++
++static inline gboolean q_tree_remove(QTree *tree,
++                                     gconstpointer key)
++{
++    return g_tree_remove(tree, key);
++}
++
++static inline gboolean q_tree_steal(QTree *tree,
++                                    gconstpointer key)
++{
++    return g_tree_steal(tree, key);
++}
++
++static inline gpointer q_tree_lookup(QTree *tree,
++                                     gconstpointer key)
++{
++    return g_tree_lookup(tree, key);
++}
++
++static inline gboolean q_tree_lookup_extended(QTree *tree,
++                                              gconstpointer lookup_key,
++                                              gpointer *orig_key,
++                                              gpointer *value)
++{
++    return g_tree_lookup_extended(tree, lookup_key, orig_key, value);
++}
++
++static inline void q_tree_foreach(QTree *tree,
++                                  GTraverseFunc func,
++                                  gpointer user_data)
++{
++    return g_tree_foreach(tree, func, user_data);
++}
++
++static inline gpointer q_tree_search(QTree *tree,
++                                     GCompareFunc search_func,
++                                     gconstpointer user_data)
++{
++    return g_tree_search(tree, search_func, user_data);
++}
++
++static inline gint q_tree_height(QTree *tree)
++{
++    return g_tree_height(tree);
++}
++
++static inline gint q_tree_nnodes(QTree *tree)
++{
++    return g_tree_nnodes(tree);
++}
++
++#endif /* HAVE_GLIB_WITH_SLICE_ALLOCATOR */
++
++#endif /* QEMU_QTREE_H */
+diff --git a/tests/bench/qtree-bench.c b/tests/bench/qtree-bench.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/bench/qtree-bench.c
+@@ -XXX,XX +XXX,XX @@
++/* SPDX-License-Identifier: GPL-2.0-or-later */
++#include "qemu/osdep.h"
++#include "qemu/qtree.h"
++#include "qemu/timer.h"
++
++enum tree_op {
++    OP_LOOKUP,
++    OP_INSERT,
++    OP_REMOVE,
++    OP_REMOVE_ALL,
++    OP_TRAVERSE,
++};
++
++struct benchmark {
++    const char * const name;
++    enum tree_op op;
++    bool fill_on_init;
++};
++
++enum impl_type {
++    IMPL_GTREE,
++    IMPL_QTREE,
++};
++
++struct tree_implementation {
++    const char * const name;
++    enum impl_type type;
++};
++
++static const struct benchmark benchmarks[] = {
++    {
++        .name = "Lookup",
++        .op = OP_LOOKUP,
++        .fill_on_init = true,
++    },
++    {
++        .name = "Insert",
++        .op = OP_INSERT,
++        .fill_on_init = false,
++    },
++    {
++        .name = "Remove",
++        .op = OP_REMOVE,
++        .fill_on_init = true,
++    },
++    {
++        .name = "RemoveAll",
++        .op = OP_REMOVE_ALL,
++        .fill_on_init = true,
++    },
++    {
++        .name = "Traverse",
++        .op = OP_TRAVERSE,
++        .fill_on_init = true,
++    },
++};
++
++static const struct tree_implementation impls[] = {
++    {
++        .name = "GTree",
++        .type = IMPL_GTREE,
++    },
++    {
++        .name = "QTree",
++        .type = IMPL_QTREE,
++    },
++};
++
++static int compare_func(const void *ap, const void *bp)
++{
++    const size_t *a = ap;
++    const size_t *b = bp;
++
++    return *a - *b;
++}
++
++static void init_empty_tree_and_keys(enum impl_type impl,
++                                     void **ret_tree, size_t **ret_keys,
++                                     size_t n_elems)
++{
++    size_t *keys = g_malloc_n(n_elems, sizeof(*keys));
++    for (size_t i = 0; i < n_elems; i++) {
++        keys[i] = i;
++    }
++
++    void *tree;
++    switch (impl) {
++    case IMPL_GTREE:
++        tree = g_tree_new(compare_func);
++        break;
++    case IMPL_QTREE:
++        tree = q_tree_new(compare_func);
++        break;
++    default:
++        g_assert_not_reached();
++    }
++
++    *ret_tree = tree;
++    *ret_keys = keys;
++}
++
++static gboolean traverse_func(gpointer key, gpointer value, gpointer data)
++{
++    return FALSE;
++}
++
++static inline void remove_all(void *tree, enum impl_type impl)
++{
++    switch (impl) {
++    case IMPL_GTREE:
++        g_tree_destroy(tree);
++        break;
++    case IMPL_QTREE:
++        q_tree_destroy(tree);
++        break;
++    default:
++        g_assert_not_reached();
++    }
++}
++
++static int64_t run_benchmark(const struct benchmark *bench,
++                             enum impl_type impl,
++                             size_t n_elems)
++{
++    void *tree;
++    size_t *keys;
++
++    init_empty_tree_and_keys(impl, &tree, &keys, n_elems);
++    if (bench->fill_on_init) {
++        for (size_t i = 0; i < n_elems; i++) {
++            switch (impl) {
++            case IMPL_GTREE:
++                g_tree_insert(tree, &keys[i], &keys[i]);
++                break;
++            case IMPL_QTREE:
++                q_tree_insert(tree, &keys[i], &keys[i]);
++                break;
++            default:
++                g_assert_not_reached();
++            }
++        }
++    }
++
++    int64_t start_ns = get_clock();
++    switch (bench->op) {
++    case OP_LOOKUP:
++        for (size_t i = 0; i < n_elems; i++) {
++            void *value;
++            switch (impl) {
++            case IMPL_GTREE:
++                value = g_tree_lookup(tree, &keys[i]);
++                break;
++            case IMPL_QTREE:
++                value = q_tree_lookup(tree, &keys[i]);
++                break;
++            default:
++                g_assert_not_reached();
++            }
++            (void)value;
++        }
++        break;
++    case OP_INSERT:
++        for (size_t i = 0; i < n_elems; i++) {
++            switch (impl) {
++            case IMPL_GTREE:
++                g_tree_insert(tree, &keys[i], &keys[i]);
++                break;
++            case IMPL_QTREE:
++                q_tree_insert(tree, &keys[i], &keys[i]);
++                break;
++            default:
++                g_assert_not_reached();
++            }
++        }
++        break;
++    case OP_REMOVE:
++        for (size_t i = 0; i < n_elems; i++) {
++            switch (impl) {
++            case IMPL_GTREE:
++                g_tree_remove(tree, &keys[i]);
++                break;
++            case IMPL_QTREE:
++                q_tree_remove(tree, &keys[i]);
++                break;
++            default:
++                g_assert_not_reached();
++            }
++        }
++        break;
++    case OP_REMOVE_ALL:
++        remove_all(tree, impl);
++        break;
++    case OP_TRAVERSE:
++        switch (impl) {
++        case IMPL_GTREE:
++            g_tree_foreach(tree, traverse_func, NULL);
++            break;
++        case IMPL_QTREE:
++            q_tree_foreach(tree, traverse_func, NULL);
++            break;
++        default:
++            g_assert_not_reached();
++        }
++        break;
++    default:
++        g_assert_not_reached();
++    }
++    int64_t ns = get_clock() - start_ns;
++
++    if (bench->op != OP_REMOVE_ALL) {
++        remove_all(tree, impl);
++    }
++    g_free(keys);
++
++    return ns;
++}
++
++int main(int argc, char *argv[])
++{
++    size_t sizes[] = {
++        32,
++        1024,
++        1024 * 4,
++        1024 * 128,
++        1024 * 1024,
++    };
++
++    double res[ARRAY_SIZE(benchmarks)][ARRAY_SIZE(impls)][ARRAY_SIZE(sizes)];
++    for (int i = 0; i < ARRAY_SIZE(sizes); i++) {
++        size_t size = sizes[i];
++        for (int j = 0; j < ARRAY_SIZE(impls); j++) {
++            const struct tree_implementation *impl = &impls[j];
++            for (int k = 0; k < ARRAY_SIZE(benchmarks); k++) {
++                const struct benchmark *bench = &benchmarks[k];
++
++                /* warm-up run */
++                run_benchmark(bench, impl->type, size);
++
++                int64_t total_ns = 0;
++                int64_t n_runs = 0;
++                while (total_ns < 2e8 || n_runs < 5) {
++                    total_ns += run_benchmark(bench, impl->type, size);
++                    n_runs++;
++                }
++                double ns_per_run = (double)total_ns / n_runs;
++
++                /* Throughput, in Mops/s */
++                res[k][j][i] = size / ns_per_run * 1e3;
++            }
++        }
++    }
++
++    printf("# Results' breakdown: Tree, Op and #Elements. Units: Mops/s\n");
++    printf("%5s %10s ", "Tree", "Op");
++    for (int i = 0; i < ARRAY_SIZE(sizes); i++) {
++        printf("%7zu         ", sizes[i]);
++    }
++    printf("\n");
++    char separator[97];
++    for (int i = 0; i < ARRAY_SIZE(separator) - 1; i++) {
++        separator[i] = '-';
++    }
++    separator[ARRAY_SIZE(separator) - 1] = '\0';
++    printf("%s\n", separator);
++    for (int i = 0; i < ARRAY_SIZE(benchmarks); i++) {
++        for (int j = 0; j < ARRAY_SIZE(impls); j++) {
++            printf("%5s %10s ", impls[j].name, benchmarks[i].name);
++            for (int k = 0; k < ARRAY_SIZE(sizes); k++) {
++                printf("%7.2f ", res[i][j][k]);
++                if (j == 0) {
++                    printf("        ");
++                } else {
++                    if (res[i][0][k] != 0) {
++                        double speedup = res[i][j][k] / res[i][0][k];
++                        printf("(%4.2fx) ", speedup);
++                    } else {
++                        printf("(     ) ");
++                    }
++                }
++            }
++            printf("\n");
++        }
++    }
++    printf("%s\n", separator);
++    return 0;
++}
+diff --git a/tests/unit/test-qtree.c b/tests/unit/test-qtree.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/tests/unit/test-qtree.c
+@@ -XXX,XX +XXX,XX @@
++/*
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * Tests for QTree.
++ * Original source: glib
++ *   https://gitlab.gnome.org/GNOME/glib/-/blob/main/glib/tests/tree.c
++ *   LGPL license.
++ *   Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
++ */
++
++#include "qemu/osdep.h"
++#include "qemu/qtree.h"
++
++static gint my_compare(gconstpointer a, gconstpointer b)
++{
++    const char *cha = a;
++    const char *chb = b;
++
++    return *cha - *chb;
++}
++
++static gint my_compare_with_data(gconstpointer a,
++                                 gconstpointer b,
++                                 gpointer user_data)
++{
++    const char *cha = a;
++    const char *chb = b;
++
++    /* just check that we got the right data */
++    g_assert(GPOINTER_TO_INT(user_data) == 123);
++
++    return *cha - *chb;
++}
++
++static gint my_search(gconstpointer a, gconstpointer b)
++{
++    return my_compare(b, a);
++}
++
++static gpointer destroyed_key;
++static gpointer destroyed_value;
++static guint destroyed_key_count;
++static guint destroyed_value_count;
++
++static void my_key_destroy(gpointer key)
++{
++    destroyed_key = key;
++    destroyed_key_count++;
++}
++
++static void my_value_destroy(gpointer value)
++{
++    destroyed_value = value;
++    destroyed_value_count++;
++}
++
++static gint my_traverse(gpointer key, gpointer value, gpointer data)
++{
++    char *ch = key;
++
++    g_assert((*ch) > 0);
++
++    if (*ch == 'd') {
++        return TRUE;
++    }
++
++    return FALSE;
++}
++
++char chars[] =
++    "0123456789"
++    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
++    "abcdefghijklmnopqrstuvwxyz";
++
++char chars2[] =
++    "0123456789"
++    "abcdefghijklmnopqrstuvwxyz";
++
++static gint check_order(gpointer key, gpointer value, gpointer data)
++{
++    char **p = data;
++    char *ch = key;
++
++    g_assert(**p == *ch);
++
++    (*p)++;
++
++    return FALSE;
++}
++
++static void test_tree_search(void)
++{
++    gint i;
++    QTree *tree;
++    gboolean removed;
++    gchar c;
++    gchar *p, *d;
++
++    tree = q_tree_new_with_data(my_compare_with_data, GINT_TO_POINTER(123));
++
++    for (i = 0; chars[i]; i++) {
++        q_tree_insert(tree, &chars[i], &chars[i]);
++    }
++
++    q_tree_foreach(tree, my_traverse, NULL);
++
++    g_assert(q_tree_nnodes(tree) == strlen(chars));
++    g_assert(q_tree_height(tree) == 6);
++
++    p = chars;
++    q_tree_foreach(tree, check_order, &p);
++
++    for (i = 0; i < 26; i++) {
++        removed = q_tree_remove(tree, &chars[i + 10]);
++        g_assert(removed);
++    }
++
++    c = '\0';
++    removed = q_tree_remove(tree, &c);
++    g_assert(!removed);
++
++    q_tree_foreach(tree, my_traverse, NULL);
++
++    g_assert(q_tree_nnodes(tree) == strlen(chars2));
++    g_assert(q_tree_height(tree) == 6);
++
++    p = chars2;
++    q_tree_foreach(tree, check_order, &p);
++
++    for (i = 25; i >= 0; i--) {
++        q_tree_insert(tree, &chars[i + 10], &chars[i + 10]);
++    }
++
++    p = chars;
++    q_tree_foreach(tree, check_order, &p);
++
++    c = '0';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p && *p == c);
++    g_assert(q_tree_lookup_extended(tree, &c, (gpointer *)&d, (gpointer *)&p));
++    g_assert(c == *d && c == *p);
++
++    c = 'A';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p && *p == c);
++
++    c = 'a';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p && *p == c);
++
++    c = 'z';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p && *p == c);
++
++    c = '!';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p == NULL);
++
++    c = '=';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p == NULL);
++
++    c = '|';
++    p = q_tree_lookup(tree, &c);
++    g_assert(p == NULL);
++
++    c = '0';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p && *p == c);
++
++    c = 'A';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p && *p == c);
++
++    c = 'a';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p && *p == c);
++
++    c = 'z';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p && *p == c);
++
++    c = '!';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p == NULL);
++
++    c = '=';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p == NULL);
++
++    c = '|';
++    p = q_tree_search(tree, my_search, &c);
++    g_assert(p == NULL);
++
++    q_tree_destroy(tree);
++}
++
++static void test_tree_remove(void)
++{
++    QTree *tree;
++    char c, d;
++    gint i;
++    gboolean removed;
++
++    tree = q_tree_new_full((GCompareDataFunc)my_compare, NULL,
++                           my_key_destroy,
++                           my_value_destroy);
++
++    for (i = 0; chars[i]; i++) {
++        q_tree_insert(tree, &chars[i], &chars[i]);
++    }
++
++    c = '0';
++    q_tree_insert(tree, &c, &c);
++    g_assert(destroyed_key == &c);
++    g_assert(destroyed_value == &chars[0]);
++    destroyed_key = NULL;
++    destroyed_value = NULL;
++
++    d = '1';
++    q_tree_replace(tree, &d, &d);
++    g_assert(destroyed_key == &chars[1]);
++    g_assert(destroyed_value == &chars[1]);
++    destroyed_key = NULL;
++    destroyed_value = NULL;
++
++    c = '2';
++    removed = q_tree_remove(tree, &c);
++    g_assert(removed);
++    g_assert(destroyed_key == &chars[2]);
++    g_assert(destroyed_value == &chars[2]);
++    destroyed_key = NULL;
++    destroyed_value = NULL;
++
++    c = '3';
++    removed = q_tree_steal(tree, &c);
++    g_assert(removed);
++    g_assert(destroyed_key == NULL);
++    g_assert(destroyed_value == NULL);
++
++    const gchar *remove = "omkjigfedba";
++    for (i = 0; remove[i]; i++) {
++        removed = q_tree_remove(tree, &remove[i]);
++        g_assert(removed);
++    }
++
++    q_tree_destroy(tree);
++}
++
++static void test_tree_destroy(void)
++{
++    QTree *tree;
++    gint i;
++
++    tree = q_tree_new(my_compare);
++
++    for (i = 0; chars[i]; i++) {
++        q_tree_insert(tree, &chars[i], &chars[i]);
++    }
++
++    g_assert(q_tree_nnodes(tree) == strlen(chars));
++
++    g_test_message("nnodes: %d", q_tree_nnodes(tree));
++    q_tree_ref(tree);
++    q_tree_destroy(tree);
++
++    g_test_message("nnodes: %d", q_tree_nnodes(tree));
++    g_assert(q_tree_nnodes(tree) == 0);
++
++    q_tree_unref(tree);
++}
++
++static void test_tree_insert(void)
++{
++    QTree *tree;
++    gchar *p;
++    gint i;
++    gchar *scrambled;
++
++    tree = q_tree_new(my_compare);
++
++    for (i = 0; chars[i]; i++) {
++        q_tree_insert(tree, &chars[i], &chars[i]);
++    }
++    p = chars;
++    q_tree_foreach(tree, check_order, &p);
++
++    q_tree_unref(tree);
++    tree = q_tree_new(my_compare);
++
++    for (i = strlen(chars) - 1; i >= 0; i--) {
++        q_tree_insert(tree, &chars[i], &chars[i]);
++    }
++    p = chars;
++    q_tree_foreach(tree, check_order, &p);
++
++    q_tree_unref(tree);
++    tree = q_tree_new(my_compare);
++
++    scrambled = g_strdup(chars);
++
++    for (i = 0; i < 30; i++) {
++        gchar tmp;
++        gint a, b;
++
++        a = g_random_int_range(0, strlen(scrambled));
++        b = g_random_int_range(0, strlen(scrambled));
++        tmp = scrambled[a];
++        scrambled[a] = scrambled[b];
++        scrambled[b] = tmp;
++    }
++
++    for (i = 0; scrambled[i]; i++) {
++        q_tree_insert(tree, &scrambled[i], &scrambled[i]);
++    }
++    p = chars;
++    q_tree_foreach(tree, check_order, &p);
++
++    g_free(scrambled);
++    q_tree_unref(tree);
++}
++
++int main(int argc, char *argv[])
++{
++    g_test_init(&argc, &argv, NULL);
++
++    g_test_add_func("/qtree/search", test_tree_search);
++    g_test_add_func("/qtree/remove", test_tree_remove);
++    g_test_add_func("/qtree/destroy", test_tree_destroy);
++    g_test_add_func("/qtree/insert", test_tree_insert);
++
++    return g_test_run();
++}
+diff --git a/util/qtree.c b/util/qtree.c
+new file mode 100644
+index XXXXXXX..XXXXXXX
+--- /dev/null
++++ b/util/qtree.c
+@@ -XXX,XX +XXX,XX @@
++/*
++ * GLIB - Library of useful routines for C programming
++ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
++ *
++ * SPDX-License-Identifier: LGPL-2.1-or-later
++ *
++ * This library is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU Lesser General Public
++ * License as published by the Free Software Foundation; either
++ * version 2.1 of the License, or (at your option) any later version.
++ *
++ * This library is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++ * Lesser General Public License for more details.
++ *
++ * You should have received a copy of the GNU Lesser General Public
++ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
++ */
++
++/*
++ * Modified by the GLib Team and others 1997-2000.  See the AUTHORS
++ * file for a list of people on the GLib Team.  See the ChangeLog
++ * files for a list of changes.  These files are distributed with
++ * GLib at ftp://ftp.gtk.org/pub/gtk/.
++ */
++
++/*
++ * MT safe
++ */
++
++#include "qemu/osdep.h"
++#include "qemu/qtree.h"
++
++/**
++ * SECTION:trees-binary
++ * @title: Balanced Binary Trees
++ * @short_description: a sorted collection of key/value pairs optimized
++ *                     for searching and traversing in order
++ *
++ * The #QTree structure and its associated functions provide a sorted
++ * collection of key/value pairs optimized for searching and traversing
++ * in order. This means that most of the operations  (access, search,
++ * insertion, deletion, ...) on #QTree are O(log(n)) in average and O(n)
++ * in worst case for time complexity. But, note that maintaining a
++ * balanced sorted #QTree of n elements is done in time O(n log(n)).
++ *
++ * To create a new #QTree use q_tree_new().
++ *
++ * To insert a key/value pair into a #QTree use q_tree_insert()
++ * (O(n log(n))).
++ *
++ * To remove a key/value pair use q_tree_remove() (O(n log(n))).
++ *
++ * To look up the value corresponding to a given key, use
++ * q_tree_lookup() and q_tree_lookup_extended().
++ *
++ * To find out the number of nodes in a #QTree, use q_tree_nnodes(). To
++ * get the height of a #QTree, use q_tree_height().
++ *
++ * To traverse a #QTree, calling a function for each node visited in
++ * the traversal, use q_tree_foreach().
++ *
++ * To destroy a #QTree, use q_tree_destroy().
++ **/
++
++#define MAX_GTREE_HEIGHT 40
++
++/**
++ * QTree:
++ *
++ * The QTree struct is an opaque data structure representing a
++ * [balanced binary tree][glib-Balanced-Binary-Trees]. It should be
++ * accessed only by using the following functions.
++ */
++struct _QTree {
++    QTreeNode        *root;
++    GCompareDataFunc  key_compare;
++    GDestroyNotify    key_destroy_func;
++    GDestroyNotify    value_destroy_func;
++    gpointer          key_compare_data;
++    guint             nnodes;
++    gint              ref_count;
++};
++
++struct _QTreeNode {
++    gpointer   key;         /* key for this node */
++    gpointer   value;       /* value stored at this node */
++    QTreeNode *left;        /* left subtree */
++    QTreeNode *right;       /* right subtree */
++    gint8      balance;     /* height (right) - height (left) */
++    guint8     left_child;
++    guint8     right_child;
++};
++
++
++static QTreeNode *q_tree_node_new(gpointer       key,
++                                  gpointer       value);
++static QTreeNode *q_tree_insert_internal(QTree *tree,
++                                         gpointer key,
++                                         gpointer value,
++                                         gboolean replace);
++static gboolean   q_tree_remove_internal(QTree         *tree,
++                                         gconstpointer  key,
++                                         gboolean       steal);
++static QTreeNode *q_tree_node_balance(QTreeNode     *node);
++static QTreeNode *q_tree_find_node(QTree         *tree,
++                                   gconstpointer  key);
++static QTreeNode *q_tree_node_search(QTreeNode *node,
++                                     GCompareFunc search_func,
++                                     gconstpointer data);
++static QTreeNode *q_tree_node_rotate_left(QTreeNode     *node);
++static QTreeNode *q_tree_node_rotate_right(QTreeNode     *node);
++#ifdef Q_TREE_DEBUG
++static void       q_tree_node_check(QTreeNode     *node);
++#endif
++
++static QTreeNode*
++q_tree_node_new(gpointer key,
++                gpointer value)
++{
++    QTreeNode *node = g_new(QTreeNode, 1);
++
++    node->balance = 0;
++    node->left = NULL;
++    node->right = NULL;
++    node->left_child = FALSE;
++    node->right_child = FALSE;
++    node->key = key;
++    node->value = value;
++
++    return node;
++}
++
++/**
++ * q_tree_new:
++ * @key_compare_func: the function used to order the nodes in the #QTree.
++ *   It should return values similar to the standard strcmp() function -
++ *   0 if the two arguments are equal, a negative value if the first argument
++ *   comes before the second, or a positive value if the first argument comes
++ *   after the second.
++ *
++ * Creates a new #QTree.
++ *
++ * Returns: a newly allocated #QTree
++ */
++QTree *
++q_tree_new(GCompareFunc key_compare_func)
++{
++    g_return_val_if_fail(key_compare_func != NULL, NULL);
++
++    return q_tree_new_full((GCompareDataFunc) key_compare_func, NULL,
++                           NULL, NULL);
++}
++
++/**
++ * q_tree_new_with_data:
++ * @key_compare_func: qsort()-style comparison function
++ * @key_compare_data: data to pass to comparison function
++ *
++ * Creates a new #QTree with a comparison function that accepts user data.
++ * See q_tree_new() for more details.
++ *
++ * Returns: a newly allocated #QTree
++ */
++QTree *
++q_tree_new_with_data(GCompareDataFunc key_compare_func,
++                     gpointer         key_compare_data)
++{
++    g_return_val_if_fail(key_compare_func != NULL, NULL);
++
++    return q_tree_new_full(key_compare_func, key_compare_data,
++                           NULL, NULL);
++}
++
++/**
++ * q_tree_new_full:
++ * @key_compare_func: qsort()-style comparison function
++ * @key_compare_data: data to pass to comparison function
++ * @key_destroy_func: a function to free the memory allocated for the key
++ *   used when removing the entry from the #QTree or %NULL if you don't
++ *   want to supply such a function
++ * @value_destroy_func: a function to free the memory allocated for the
++ *   value used when removing the entry from the #QTree or %NULL if you
++ *   don't want to supply such a function
++ *
++ * Creates a new #QTree like q_tree_new() and allows to specify functions
++ * to free the memory allocated for the key and value that get called when
++ * removing the entry from the #QTree.
++ *
++ * Returns: a newly allocated #QTree
++ */
++QTree *
++q_tree_new_full(GCompareDataFunc key_compare_func,
++                gpointer         key_compare_data,
++                GDestroyNotify   key_destroy_func,
++                GDestroyNotify   value_destroy_func)
++{
++    QTree *tree;
++
++    g_return_val_if_fail(key_compare_func != NULL, NULL);
++
++    tree = g_new(QTree, 1);
++    tree->root               = NULL;
++    tree->key_compare        = key_compare_func;
++    tree->key_destroy_func   = key_destroy_func;
++    tree->value_destroy_func = value_destroy_func;
++    tree->key_compare_data   = key_compare_data;
++    tree->nnodes             = 0;
++    tree->ref_count          = 1;
++
++    return tree;
++}
++
++/**
++ * q_tree_node_first:
++ * @tree: a #QTree
++ *
++ * Returns the first in-order node of the tree, or %NULL
++ * for an empty tree.
++ *
++ * Returns: (nullable) (transfer none): the first node in the tree
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_node_first(QTree *tree)
++{
++    QTreeNode *tmp;
++
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    if (!tree->root) {
++        return NULL;
++    }
++
++    tmp = tree->root;
++
++    while (tmp->left_child) {
++        tmp = tmp->left;
++    }
++
++    return tmp;
++}
++
++/**
++ * q_tree_node_previous
++ * @node: a #QTree node
++ *
++ * Returns the previous in-order node of the tree, or %NULL
++ * if the passed node was already the first one.
++ *
++ * Returns: (nullable) (transfer none): the previous node in the tree
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_node_previous(QTreeNode *node)
++{
++    QTreeNode *tmp;
++
++    g_return_val_if_fail(node != NULL, NULL);
++
++    tmp = node->left;
++
++    if (node->left_child) {
++        while (tmp->right_child) {
++            tmp = tmp->right;
++        }
++    }
++
++    return tmp;
++}
++
++/**
++ * q_tree_node_next
++ * @node: a #QTree node
++ *
++ * Returns the next in-order node of the tree, or %NULL
++ * if the passed node was already the last one.
++ *
++ * Returns: (nullable) (transfer none): the next node in the tree
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_node_next(QTreeNode *node)
++{
++    QTreeNode *tmp;
++
++    g_return_val_if_fail(node != NULL, NULL);
++
++    tmp = node->right;
++
++    if (node->right_child) {
++        while (tmp->left_child) {
++            tmp = tmp->left;
++        }
++    }
++
++    return tmp;
++}
++
++/**
++ * q_tree_remove_all:
++ * @tree: a #QTree
++ *
++ * Removes all nodes from a #QTree and destroys their keys and values,
++ * then resets the #QTree’s root to %NULL.
++ *
++ * Since: 2.70 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static void
++q_tree_remove_all(QTree *tree)
++{
++    QTreeNode *node;
++    QTreeNode *next;
++
++    g_return_if_fail(tree != NULL);
++
++    node = q_tree_node_first(tree);
++
++    while (node) {
++        next = q_tree_node_next(node);
++
++        if (tree->key_destroy_func) {
++            tree->key_destroy_func(node->key);
++        }
++        if (tree->value_destroy_func) {
++            tree->value_destroy_func(node->value);
++        }
++        g_free(node);
++
++#ifdef Q_TREE_DEBUG
++        g_assert(tree->nnodes > 0);
++        tree->nnodes--;
++#endif
++
++        node = next;
++    }
++
++#ifdef Q_TREE_DEBUG
++    g_assert(tree->nnodes == 0);
++#endif
++
++    tree->root = NULL;
++#ifndef Q_TREE_DEBUG
++    tree->nnodes = 0;
++#endif
++}
++
++/**
++ * q_tree_ref:
++ * @tree: a #QTree
++ *
++ * Increments the reference count of @tree by one.
++ *
++ * It is safe to call this function from any thread.
++ *
++ * Returns: the passed in #QTree
++ *
++ * Since: 2.22
++ */
++QTree *
++q_tree_ref(QTree *tree)
++{
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    g_atomic_int_inc(&tree->ref_count);
++
++    return tree;
++}
++
++/**
++ * q_tree_unref:
++ * @tree: a #QTree
++ *
++ * Decrements the reference count of @tree by one.
++ * If the reference count drops to 0, all keys and values will
++ * be destroyed (if destroy functions were specified) and all
++ * memory allocated by @tree will be released.
++ *
++ * It is safe to call this function from any thread.
++ *
++ * Since: 2.22
++ */
++void
++q_tree_unref(QTree *tree)
++{
++    g_return_if_fail(tree != NULL);
++
++    if (g_atomic_int_dec_and_test(&tree->ref_count)) {
++        q_tree_remove_all(tree);
++        g_free(tree);
++    }
++}
++
++/**
++ * q_tree_destroy:
++ * @tree: a #QTree
++ *
++ * Removes all keys and values from the #QTree and decreases its
++ * reference count by one. If keys and/or values are dynamically
++ * allocated, you should either free them first or create the #QTree
++ * using q_tree_new_full(). In the latter case the destroy functions
++ * you supplied will be called on all keys and values before destroying
++ * the #QTree.
++ */
++void
++q_tree_destroy(QTree *tree)
++{
++    g_return_if_fail(tree != NULL);
++
++    q_tree_remove_all(tree);
++    q_tree_unref(tree);
++}
++
++/**
++ * q_tree_insert_node:
++ * @tree: a #QTree
++ * @key: the key to insert
++ * @value: the value corresponding to the key
++ *
++ * Inserts a key/value pair into a #QTree.
++ *
++ * If the given key already exists in the #QTree its corresponding value
++ * is set to the new value. If you supplied a @value_destroy_func when
++ * creating the #QTree, the old value is freed using that function. If
++ * you supplied a @key_destroy_func when creating the #QTree, the passed
++ * key is freed using that function.
++ *
++ * The tree is automatically 'balanced' as new key/value pairs are added,
++ * so that the distance from the root to every leaf is as small as possible.
++ * The cost of maintaining a balanced tree while inserting new key/value
++ * result in a O(n log(n)) operation where most of the other operations
++ * are O(log(n)).
++ *
++ * Returns: (transfer none): the inserted (or set) node.
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_insert_node(QTree    *tree,
++                   gpointer  key,
++                   gpointer  value)
++{
++    QTreeNode *node;
++
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    node = q_tree_insert_internal(tree, key, value, FALSE);
++
++#ifdef Q_TREE_DEBUG
++    q_tree_node_check(tree->root);
++#endif
++
++    return node;
++}
++
++/**
++ * q_tree_insert:
++ * @tree: a #QTree
++ * @key: the key to insert
++ * @value: the value corresponding to the key
++ *
++ * Inserts a key/value pair into a #QTree.
++ *
++ * Inserts a new key and value into a #QTree as q_tree_insert_node() does,
++ * only this function does not return the inserted or set node.
++ */
++void
++q_tree_insert(QTree    *tree,
++              gpointer  key,
++              gpointer  value)
++{
++    q_tree_insert_node(tree, key, value);
++}
++
++/**
++ * q_tree_replace_node:
++ * @tree: a #QTree
++ * @key: the key to insert
++ * @value: the value corresponding to the key
++ *
++ * Inserts a new key and value into a #QTree similar to q_tree_insert_node().
++ * The difference is that if the key already exists in the #QTree, it gets
++ * replaced by the new key. If you supplied a @value_destroy_func when
++ * creating the #QTree, the old value is freed using that function. If you
++ * supplied a @key_destroy_func when creating the #QTree, the old key is
++ * freed using that function.
++ *
++ * The tree is automatically 'balanced' as new key/value pairs are added,
++ * so that the distance from the root to every leaf is as small as possible.
++ *
++ * Returns: (transfer none): the inserted (or set) node.
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_replace_node(QTree    *tree,
++                    gpointer  key,
++                    gpointer  value)
++{
++    QTreeNode *node;
++
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    node = q_tree_insert_internal(tree, key, value, TRUE);
++
++#ifdef Q_TREE_DEBUG
++    q_tree_node_check(tree->root);
++#endif
++
++    return node;
++}
++
++/**
++ * q_tree_replace:
++ * @tree: a #QTree
++ * @key: the key to insert
++ * @value: the value corresponding to the key
++ *
++ * Inserts a new key and value into a #QTree as q_tree_replace_node() does,
++ * only this function does not return the inserted or set node.
++ */
++void
++q_tree_replace(QTree    *tree,
++               gpointer  key,
++               gpointer  value)
++{
++    q_tree_replace_node(tree, key, value);
++}
++
++/* internal insert routine */
++static QTreeNode *
++q_tree_insert_internal(QTree    *tree,
++                       gpointer  key,
++                       gpointer  value,
++                       gboolean  replace)
++{
++    QTreeNode *node, *retnode;
++    QTreeNode *path[MAX_GTREE_HEIGHT];
++    int idx;
++
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    if (!tree->root) {
++        tree->root = q_tree_node_new(key, value);
++        tree->nnodes++;
++        return tree->root;
++    }
++
++    idx = 0;
++    path[idx++] = NULL;
++    node = tree->root;
++
++    while (1) {
++        int cmp = tree->key_compare(key, node->key, tree->key_compare_data);
++
++        if (cmp == 0) {
++            if (tree->value_destroy_func) {
++                tree->value_destroy_func(node->value);
++            }
++
++            node->value = value;
++
++            if (replace) {
++                if (tree->key_destroy_func) {
++                    tree->key_destroy_func(node->key);
++                }
++
++                node->key = key;
++            } else {
++                /* free the passed key */
++                if (tree->key_destroy_func) {
++                    tree->key_destroy_func(key);
++                }
++            }
++
++            return node;
++        } else if (cmp < 0) {
++            if (node->left_child) {
++                path[idx++] = node;
++                node = node->left;
++            } else {
++                QTreeNode *child = q_tree_node_new(key, value);
++
++                child->left = node->left;
++                child->right = node;
++                node->left = child;
++                node->left_child = TRUE;
++                node->balance -= 1;
++
++                tree->nnodes++;
++
++                retnode = child;
++                break;
++            }
++        } else {
++            if (node->right_child) {
++                path[idx++] = node;
++                node = node->right;
++            } else {
++                QTreeNode *child = q_tree_node_new(key, value);
++
++                child->right = node->right;
++                child->left = node;
++                node->right = child;
++                node->right_child = TRUE;
++                node->balance += 1;
++
++                tree->nnodes++;
++
++                retnode = child;
++                break;
++            }
++        }
++    }
++
++    /*
++     * Restore balance. This is the goodness of a non-recursive
++     * implementation, when we are done with balancing we 'break'
++     * the loop and we are done.
++     */
++    while (1) {
++        QTreeNode *bparent = path[--idx];
++        gboolean left_node = (bparent && node == bparent->left);
++        g_assert(!bparent || bparent->left == node || bparent->right == node);
++
++        if (node->balance < -1 || node->balance > 1) {
++            node = q_tree_node_balance(node);
++            if (bparent == NULL) {
++                tree->root = node;
++            } else if (left_node) {
++                bparent->left = node;
++            } else {
++                bparent->right = node;
++            }
++        }
++
++        if (node->balance == 0 || bparent == NULL) {
++            break;
++        }
++
++        if (left_node) {
++            bparent->balance -= 1;
++        } else {
++            bparent->balance += 1;
++        }
++
++        node = bparent;
++    }
++
++    return retnode;
++}
++
++/**
++ * q_tree_remove:
++ * @tree: a #QTree
++ * @key: the key to remove
++ *
++ * Removes a key/value pair from a #QTree.
++ *
++ * If the #QTree was created using q_tree_new_full(), the key and value
++ * are freed using the supplied destroy functions, otherwise you have to
++ * make sure that any dynamically allocated values are freed yourself.
++ * If the key does not exist in the #QTree, the function does nothing.
++ *
++ * The cost of maintaining a balanced tree while removing a key/value
++ * result in a O(n log(n)) operation where most of the other operations
++ * are O(log(n)).
++ *
++ * Returns: %TRUE if the key was found (prior to 2.8, this function
++ *     returned nothing)
++ */
++gboolean
++q_tree_remove(QTree         *tree,
++              gconstpointer  key)
++{
++    gboolean removed;
++
++    g_return_val_if_fail(tree != NULL, FALSE);
++
++    removed = q_tree_remove_internal(tree, key, FALSE);
++
++#ifdef Q_TREE_DEBUG
++    q_tree_node_check(tree->root);
++#endif
++
++    return removed;
++}
++
++/**
++ * q_tree_steal:
++ * @tree: a #QTree
++ * @key: the key to remove
++ *
++ * Removes a key and its associated value from a #QTree without calling
++ * the key and value destroy functions.
++ *
++ * If the key does not exist in the #QTree, the function does nothing.
++ *
++ * Returns: %TRUE if the key was found (prior to 2.8, this function
++ *     returned nothing)
++ */
++gboolean
++q_tree_steal(QTree         *tree,
++             gconstpointer  key)
++{
++    gboolean removed;
++
++    g_return_val_if_fail(tree != NULL, FALSE);
++
++    removed = q_tree_remove_internal(tree, key, TRUE);
++
++#ifdef Q_TREE_DEBUG
++    q_tree_node_check(tree->root);
++#endif
++
++    return removed;
++}
++
++/* internal remove routine */
++static gboolean
++q_tree_remove_internal(QTree         *tree,
++                       gconstpointer  key,
++                       gboolean       steal)
++{
++    QTreeNode *node, *parent, *balance;
++    QTreeNode *path[MAX_GTREE_HEIGHT];
++    int idx;
++    gboolean left_node;
++
++    g_return_val_if_fail(tree != NULL, FALSE);
++
++    if (!tree->root) {
++        return FALSE;
++    }
++
++    idx = 0;
++    path[idx++] = NULL;
++    node = tree->root;
++
++    while (1) {
++        int cmp = tree->key_compare(key, node->key, tree->key_compare_data);
++
++        if (cmp == 0) {
++            break;
++        } else if (cmp < 0) {
++            if (!node->left_child) {
++                return FALSE;
++            }
++
++            path[idx++] = node;
++            node = node->left;
++        } else {
++            if (!node->right_child) {
++                return FALSE;
++            }
++
++            path[idx++] = node;
++            node = node->right;
++        }
++    }
++
++    /*
++     * The following code is almost equal to q_tree_remove_node,
++     * except that we do not have to call q_tree_node_parent.
++     */
++    balance = parent = path[--idx];
++    g_assert(!parent || parent->left == node || parent->right == node);
++    left_node = (parent && node == parent->left);
++
++    if (!node->left_child) {
++        if (!node->right_child) {
++            if (!parent) {
++                tree->root = NULL;
++            } else if (left_node) {
++                parent->left_child = FALSE;
++                parent->left = node->left;
++                parent->balance += 1;
++            } else {
++                parent->right_child = FALSE;
++                parent->right = node->right;
++                parent->balance -= 1;
++            }
++        } else {
++            /* node has a right child */
++            QTreeNode *tmp = q_tree_node_next(node);
++            tmp->left = node->left;
++
++            if (!parent) {
++                tree->root = node->right;
++            } else if (left_node) {
++                parent->left = node->right;
++                parent->balance += 1;
++            } else {
++                parent->right = node->right;
++                parent->balance -= 1;
++            }
++        }
++    } else {
++        /* node has a left child */
++        if (!node->right_child) {
++            QTreeNode *tmp = q_tree_node_previous(node);
++            tmp->right = node->right;
++
++            if (parent == NULL) {
++                tree->root = node->left;
++            } else if (left_node) {
++                parent->left = node->left;
++                parent->balance += 1;
++            } else {
++                parent->right = node->left;
++                parent->balance -= 1;
++            }
++        } else {
++            /* node has a both children (pant, pant!) */
++            QTreeNode *prev = node->left;
++            QTreeNode *next = node->right;
++            QTreeNode *nextp = node;
++            int old_idx = idx + 1;
++            idx++;
++
++            /* path[idx] == parent */
++            /* find the immediately next node (and its parent) */
++            while (next->left_child) {
++                path[++idx] = nextp = next;
++                next = next->left;
++            }
++
++            path[old_idx] = next;
++            balance = path[idx];
++
++            /* remove 'next' from the tree */
++            if (nextp != node) {
++                if (next->right_child) {
++                    nextp->left = next->right;
++                } else {
++                    nextp->left_child = FALSE;
++                }
++                nextp->balance += 1;
++
++                next->right_child = TRUE;
++                next->right = node->right;
++            } else {
++                node->balance -= 1;
++            }
++
++            /* set the prev to point to the right place */
++            while (prev->right_child) {
++                prev = prev->right;
++            }
++            prev->right = next;
++
++            /* prepare 'next' to replace 'node' */
++            next->left_child = TRUE;
++            next->left = node->left;
++            next->balance = node->balance;
++
++            if (!parent) {
++                tree->root = next;
++            } else if (left_node) {
++                parent->left = next;
++            } else {
++                parent->right = next;
++            }
++        }
++    }
++
++    /* restore balance */
++    if (balance) {
++        while (1) {
++            QTreeNode *bparent = path[--idx];
++            g_assert(!bparent ||
++                     bparent->left == balance ||
++                     bparent->right == balance);
++            left_node = (bparent && balance == bparent->left);
++
++            if (balance->balance < -1 || balance->balance > 1) {
++                balance = q_tree_node_balance(balance);
++                if (!bparent) {
++                    tree->root = balance;
++                } else if (left_node) {
++                    bparent->left = balance;
++                } else {
++                    bparent->right = balance;
++                }
++            }
++
++            if (balance->balance != 0 || !bparent) {
++                break;
++            }
++
++            if (left_node) {
++                bparent->balance += 1;
++            } else {
++                bparent->balance -= 1;
++            }
++
++            balance = bparent;
++        }
++    }
++
++    if (!steal) {
++        if (tree->key_destroy_func) {
++            tree->key_destroy_func(node->key);
++        }
++        if (tree->value_destroy_func) {
++            tree->value_destroy_func(node->value);
++        }
++    }
++
++    g_free(node);
++
++    tree->nnodes--;
++
++    return TRUE;
++}
++
++/**
++ * q_tree_lookup_node:
++ * @tree: a #QTree
++ * @key: the key to look up
++ *
++ * Gets the tree node corresponding to the given key. Since a #QTree is
++ * automatically balanced as key/value pairs are added, key lookup
++ * is O(log n) (where n is the number of key/value pairs in the tree).
++ *
++ * Returns: (nullable) (transfer none): the tree node corresponding to
++ *          the key, or %NULL if the key was not found
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_lookup_node(QTree         *tree,
++                   gconstpointer  key)
++{
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    return q_tree_find_node(tree, key);
++}
++
++/**
++ * q_tree_lookup:
++ * @tree: a #QTree
++ * @key: the key to look up
++ *
++ * Gets the value corresponding to the given key. Since a #QTree is
++ * automatically balanced as key/value pairs are added, key lookup
++ * is O(log n) (where n is the number of key/value pairs in the tree).
++ *
++ * Returns: the value corresponding to the key, or %NULL
++ *     if the key was not found
++ */
++gpointer
++q_tree_lookup(QTree         *tree,
++              gconstpointer  key)
++{
++    QTreeNode *node;
++
++    node = q_tree_lookup_node(tree, key);
++
++    return node ? node->value : NULL;
++}
++
++/**
++ * q_tree_lookup_extended:
++ * @tree: a #QTree
++ * @lookup_key: the key to look up
++ * @orig_key: (out) (optional) (nullable): returns the original key
++ * @value: (out) (optional) (nullable): returns the value associated with
++ *         the key
++ *
++ * Looks up a key in the #QTree, returning the original key and the
++ * associated value. This is useful if you need to free the memory
++ * allocated for the original key, for example before calling
++ * q_tree_remove().
++ *
++ * Returns: %TRUE if the key was found in the #QTree
++ */
++gboolean
++q_tree_lookup_extended(QTree         *tree,
++                       gconstpointer  lookup_key,
++                       gpointer      *orig_key,
++                       gpointer      *value)
++{
++    QTreeNode *node;
++
++    g_return_val_if_fail(tree != NULL, FALSE);
++
++    node = q_tree_find_node(tree, lookup_key);
++
++    if (node) {
++        if (orig_key) {
++            *orig_key = node->key;
++        }
++        if (value) {
++            *value = node->value;
++        }
++        return TRUE;
++    } else {
++        return FALSE;
++    }
++}
++
++/**
++ * q_tree_foreach:
++ * @tree: a #QTree
++ * @func: the function to call for each node visited.
++ *     If this function returns %TRUE, the traversal is stopped.
++ * @user_data: user data to pass to the function
++ *
++ * Calls the given function for each of the key/value pairs in the #QTree.
++ * The function is passed the key and value of each pair, and the given
++ * @data parameter. The tree is traversed in sorted order.
++ *
++ * The tree may not be modified while iterating over it (you can't
++ * add/remove items). To remove all items matching a predicate, you need
++ * to add each item to a list in your #GTraverseFunc as you walk over
++ * the tree, then walk the list and remove each item.
++ */
++void
++q_tree_foreach(QTree         *tree,
++               GTraverseFunc  func,
++               gpointer       user_data)
++{
++    QTreeNode *node;
++
++    g_return_if_fail(tree != NULL);
++
++    if (!tree->root) {
++        return;
++    }
++
++    node = q_tree_node_first(tree);
++
++    while (node) {
++        if ((*func)(node->key, node->value, user_data)) {
++            break;
++        }
++
++        node = q_tree_node_next(node);
++    }
++}
++
++/**
++ * q_tree_search_node:
++ * @tree: a #QTree
++ * @search_func: a function used to search the #QTree
++ * @user_data: the data passed as the second argument to @search_func
++ *
++ * Searches a #QTree using @search_func.
++ *
++ * The @search_func is called with a pointer to the key of a key/value
++ * pair in the tree, and the passed in @user_data. If @search_func returns
++ * 0 for a key/value pair, then the corresponding node is returned as
++ * the result of q_tree_search(). If @search_func returns -1, searching
++ * will proceed among the key/value pairs that have a smaller key; if
++ * @search_func returns 1, searching will proceed among the key/value
++ * pairs that have a larger key.
++ *
++ * Returns: (nullable) (transfer none): the node corresponding to the
++ *          found key, or %NULL if the key was not found
++ *
++ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
++ */
++static QTreeNode *
++q_tree_search_node(QTree         *tree,
++                   GCompareFunc   search_func,
++                   gconstpointer  user_data)
++{
++    g_return_val_if_fail(tree != NULL, NULL);
++
++    if (!tree->root) {
++        return NULL;
++    }
++
++    return q_tree_node_search(tree->root, search_func, user_data);
++}
++
++/**
++ * q_tree_search:
++ * @tree: a #QTree
++ * @search_func: a function used to search the #QTree
++ * @user_data: the data passed as the second argument to @search_func
++ *
++ * Searches a #QTree using @search_func.
++ *
++ * The @search_func is called with a pointer to the key of a key/value
++ * pair in the tree, and the passed in @user_data. If @search_func returns
++ * 0 for a key/value pair, then the corresponding value is returned as
++ * the result of q_tree_search(). If @search_func returns -1, searching
++ * will proceed among the key/value pairs that have a smaller key; if
++ * @search_func returns 1, searching will proceed among the key/value
++ * pairs that have a larger key.
++ *
++ * Returns: the value corresponding to the found key, or %NULL
++ *     if the key was not found
++ */
++gpointer
++q_tree_search(QTree         *tree,
++              GCompareFunc   search_func,
++              gconstpointer  user_data)
++{
++    QTreeNode *node;
++
++    node = q_tree_search_node(tree, search_func, user_data);
++
++    return node ? node->value : NULL;
++}
++
++/**
++ * q_tree_height:
++ * @tree: a #QTree
++ *
++ * Gets the height of a #QTree.
++ *
++ * If the #QTree contains no nodes, the height is 0.
++ * If the #QTree contains only one root node the height is 1.
++ * If the root node has children the height is 2, etc.
++ *
++ * Returns: the height of @tree
++ */
++gint
++q_tree_height(QTree *tree)
++{
++    QTreeNode *node;
++    gint height;
++
++    g_return_val_if_fail(tree != NULL, 0);
++
++    if (!tree->root) {
++        return 0;
++    }
++
++    height = 0;
++    node = tree->root;
++
++    while (1) {
++        height += 1 + MAX(node->balance, 0);
++
++        if (!node->left_child) {
++            return height;
++        }
++
++        node = node->left;
++    }
++}
++
++/**
++ * q_tree_nnodes:
++ * @tree: a #QTree
++ *
++ * Gets the number of nodes in a #QTree.
++ *
++ * Returns: the number of nodes in @tree
++ */
++gint
++q_tree_nnodes(QTree *tree)
++{
++    g_return_val_if_fail(tree != NULL, 0);
++
++    return tree->nnodes;
++}
++
++static QTreeNode *
++q_tree_node_balance(QTreeNode *node)
++{
++    if (node->balance < -1) {
++        if (node->left->balance > 0) {
++            node->left = q_tree_node_rotate_left(node->left);
++        }
++        node = q_tree_node_rotate_right(node);
++    } else if (node->balance > 1) {
++        if (node->right->balance < 0) {
++            node->right = q_tree_node_rotate_right(node->right);
++        }
++        node = q_tree_node_rotate_left(node);
++    }
++
++    return node;
++}
++
++static QTreeNode *
++q_tree_find_node(QTree        *tree,
++                 gconstpointer key)
++{
++    QTreeNode *node;
++    gint cmp;
++
++    node = tree->root;
++    if (!node) {
++        return NULL;
++    }
++
++    while (1) {
++        cmp = tree->key_compare(key, node->key, tree->key_compare_data);
++        if (cmp == 0) {
++            return node;
++        } else if (cmp < 0) {
++            if (!node->left_child) {
++                return NULL;
++            }
++
++            node = node->left;
++        } else {
++            if (!node->right_child) {
++                return NULL;
++            }
++
++            node = node->right;
++        }
++    }
++}
++
++static QTreeNode *
++q_tree_node_search(QTreeNode     *node,
++                   GCompareFunc   search_func,
++                   gconstpointer  data)
++{
++    gint dir;
++
++    if (!node) {
++        return NULL;
++    }
++
++    while (1) {
++        dir = (*search_func)(node->key, data);
++        if (dir == 0) {
++            return node;
++        } else if (dir < 0) {
++            if (!node->left_child) {
++                return NULL;
++            }
++
++            node = node->left;
++        } else {
++            if (!node->right_child) {
++                return NULL;
++            }
++
++            node = node->right;
++        }
++    }
++}
++
++static QTreeNode *
++q_tree_node_rotate_left(QTreeNode *node)
++{
++    QTreeNode *right;
++    gint a_bal;
++    gint b_bal;
++
++    right = node->right;
++
++    if (right->left_child) {
++        node->right = right->left;
++    } else {
++        node->right_child = FALSE;
++        right->left_child = TRUE;
++    }
++    right->left = node;
++
++    a_bal = node->balance;
++    b_bal = right->balance;
++
++    if (b_bal <= 0) {
++        if (a_bal >= 1) {
++            right->balance = b_bal - 1;
++        } else {
++            right->balance = a_bal + b_bal - 2;
++        }
++        node->balance = a_bal - 1;
++    } else {
++        if (a_bal <= b_bal) {
++            right->balance = a_bal - 2;
++        } else {
++            right->balance = b_bal - 1;
++        }
++        node->balance = a_bal - b_bal - 1;
++    }
++
++    return right;
++}
++
++static QTreeNode *
++q_tree_node_rotate_right(QTreeNode *node)
++{
++    QTreeNode *left;
++    gint a_bal;
++    gint b_bal;
++
++    left = node->left;
++
++    if (left->right_child) {
++        node->left = left->right;
++    } else {
++        node->left_child = FALSE;
++        left->right_child = TRUE;
++    }
++    left->right = node;
++
++    a_bal = node->balance;
++    b_bal = left->balance;
++
++    if (b_bal <= 0) {
++        if (b_bal > a_bal) {
++            left->balance = b_bal + 1;
++        } else {
++            left->balance = a_bal + 2;
++        }
++        node->balance = a_bal - b_bal + 1;
++    } else {
++        if (a_bal <= -1) {
++            left->balance = b_bal + 1;
++        } else {
++            left->balance = a_bal + b_bal + 2;
++        }
++        node->balance = a_bal + 1;
++    }
++
++    return left;
++}
++
++#ifdef Q_TREE_DEBUG
++static gint
++q_tree_node_height(QTreeNode *node)
++{
++    gint left_height;
++    gint right_height;
++
++    if (node) {
++        left_height = 0;
++        right_height = 0;
++
++        if (node->left_child) {
++            left_height = q_tree_node_height(node->left);
++        }
++
++        if (node->right_child) {
++            right_height = q_tree_node_height(node->right);
++        }
++
++        return MAX(left_height, right_height) + 1;
++    }
++
++    return 0;
++}
++
++static void q_tree_node_check(QTreeNode *node)
++{
++    gint left_height;
++    gint right_height;
++    gint balance;
++    QTreeNode *tmp;
++
++    if (node) {
++        if (node->left_child) {
++            tmp = q_tree_node_previous(node);
++            g_assert(tmp->right == node);
++        }
++
++        if (node->right_child) {
++            tmp = q_tree_node_next(node);
++            g_assert(tmp->left == node);
++        }
++
++        left_height = 0;
++        right_height = 0;
++
++        if (node->left_child) {
++            left_height = q_tree_node_height(node->left);
++        }
++        if (node->right_child) {
++            right_height = q_tree_node_height(node->right);
++        }
++
++        balance = right_height - left_height;
++        g_assert(balance == node->balance);
++
++        if (node->left_child) {
++            q_tree_node_check(node->left);
++        }
++        if (node->right_child) {
++            q_tree_node_check(node->right);
++        }
++    }
++}
++#endif
+diff --git a/tests/bench/meson.build b/tests/bench/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/bench/meson.build
++++ b/tests/bench/meson.build
+@@ -XXX,XX +XXX,XX @@ xbzrle_bench = executable('xbzrle-bench',
+                        dependencies: [qemuutil,migration])
+ endif
++qtree_bench = executable('qtree-bench',
++                         sources: 'qtree-bench.c',
++                         dependencies: [qemuutil])
++
+ executable('atomic_add-bench',
+            sources: files('atomic_add-bench.c'),
+            dependencies: [qemuutil],
+diff --git a/tests/unit/meson.build b/tests/unit/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/tests/unit/meson.build
++++ b/tests/unit/meson.build
+@@ -XXX,XX +XXX,XX @@ tests = {
+   'test-rcu-slist': [],
+   'test-qdist': [],
+   'test-qht': [],
++  'test-qtree': [],
+   'test-bitops': [],
+   'test-bitcnt': [],
+   'test-qgraph': ['../qtest/libqos/qgraph.c'],
+diff --git a/util/meson.build b/util/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/util/meson.build
++++ b/util/meson.build
+@@ -XXX,XX +XXX,XX @@ util_ss.add(when: 'CONFIG_WIN32', if_true: files('oslib-win32.c'))
+ util_ss.add(when: 'CONFIG_WIN32', if_true: files('qemu-thread-win32.c'))
+ util_ss.add(when: 'CONFIG_WIN32', if_true: winmm)
+ util_ss.add(when: 'CONFIG_WIN32', if_true: pathcch)
++util_ss.add(when: 'HAVE_GLIB_WITH_SLICE_ALLOCATOR', if_true: files('qtree.c'))
+ util_ss.add(files('envlist.c', 'path.c', 'module.c'))
+ util_ss.add(files('host-utils.c'))
+ util_ss.add(files('bitmap.c', 'bitops.c'))
+--
+.34.1

-New patch
+[PULL 02/15] tcg: use QTree instead of GTree
+From: Emilio Cota <cota@braap.org>
 qemu-user can hang in a multi-threaded fork. One common
 reason is that when creating a TB, between fork and exec
 we manipulate a GTree whose memory allocator (GSlice) is
 not fork-safe.
 Although POSIX does not mandate it, the system's allocator
 (e.g. tcmalloc, libc malloc) is probably fork-safe.
 Fix some of these hangs by using QTree, which uses the system's
 allocator regardless of the Glib version that we used at
 configuration time.
 Tested with the test program in the original bug report, i.e.:
 ```
 void garble() {
   int pid = fork();
   if (pid == 0) {
     exit(0);
   } else {
     int wstatus;
     waitpid(pid, &wstatus, 0);
   }
 }
 void supragarble(unsigned depth) {
   if (depth == 0)
     return ;
   std::thread a(supragarble, depth-1);
   std::thread b(supragarble, depth-1);
   garble();
   a.join();
   b.join();
 }
 int main() {
   supragarble(10);
 }
 ```
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/285
 Reported-by: Valentin David <me@valentindavid.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Emilio Cota <cota@braap.org>
 Message-Id: <20230205163758.416992-3-cota@braap.org>
 [rth: Add QEMU_DISABLE_CFI for all callback using functions.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  accel/tcg/tb-maint.c | 17 +++++++++--------
  tcg/region.c         | 19 ++++++++++---------
  util/qtree.c         |  8 ++++----
 files changed, 23 insertions(+), 21 deletions(-)
 diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tb-maint.c
 +++ b/accel/tcg/tb-maint.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/osdep.h"
  #include "qemu/interval-tree.h"
 +#include "qemu/qtree.h"
  #include "exec/cputlb.h"
  #include "exec/log.h"
  #include "exec/exec-all.h"
@@ -XXX,XX +XXX,XX @@ struct page_entry {
   * See also: page_collection_lock().
   */
  struct page_collection {
 -    GTree *tree;
 +    QTree *tree;
      struct page_entry *max;
  };
@@ -XXX,XX +XXX,XX @@ static bool page_trylock_add(struct page_collection *set, tb_page_addr_t addr)
      struct page_entry *pe;
      PageDesc *pd;
 -    pe = g_tree_lookup(set->tree, &index);
 +    pe = q_tree_lookup(set->tree, &index);
      if (pe) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ static bool page_trylock_add(struct page_collection *set, tb_page_addr_t addr)
      }
      pe = page_entry_new(pd, index);
 -    g_tree_insert(set->tree, &pe->index, pe);
 +    q_tree_insert(set->tree, &pe->index, pe);
      /*
       * If this is either (1) the first insertion or (2) a page whose index
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
      end   >>= TARGET_PAGE_BITS;
      g_assert(start <= end);
 -    set->tree = g_tree_new_full(tb_page_addr_cmp, NULL, NULL,
 +    set->tree = q_tree_new_full(tb_page_addr_cmp, NULL, NULL,
                                  page_entry_destroy);
      set->max = NULL;
      assert_no_pages_locked();
   retry:
 -    g_tree_foreach(set->tree, page_entry_lock, NULL);
 +    q_tree_foreach(set->tree, page_entry_lock, NULL);
      for (index = start; index <= end; index++) {
          TranslationBlock *tb;
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
              continue;
          }
          if (page_trylock_add(set, index << TARGET_PAGE_BITS)) {
 -            g_tree_foreach(set->tree, page_entry_unlock, NULL);
 +            q_tree_foreach(set->tree, page_entry_unlock, NULL);
              goto retry;
          }
          assert_page_locked(pd);
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
                  (tb_page_addr1(tb) != -1 &&
                   page_trylock_add(set, tb_page_addr1(tb)))) {
                  /* drop all locks, and reacquire in order */
 -                g_tree_foreach(set->tree, page_entry_unlock, NULL);
 +                q_tree_foreach(set->tree, page_entry_unlock, NULL);
                  goto retry;
              }
          }
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
  static void page_collection_unlock(struct page_collection *set)
  {
      /* entries are unlocked and freed via page_entry_destroy */
 -    g_tree_destroy(set->tree);
 +    q_tree_destroy(set->tree);
      g_free(set);
  }
 diff --git a/tcg/region.c b/tcg/region.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/region.c
 +++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/mprotect.h"
  #include "qemu/memalign.h"
  #include "qemu/cacheinfo.h"
 +#include "qemu/qtree.h"
  #include "qapi/error.h"
  #include "exec/exec-all.h"
  #include "tcg/tcg.h"
@@ -XXX,XX +XXX,XX @@
  struct tcg_region_tree {
      QemuMutex lock;
 -    GTree *tree;
 +    QTree *tree;
      /* padding to avoid false sharing is computed at run-time */
  };
@@ -XXX,XX +XXX,XX @@ static void tcg_region_trees_init(void)
          struct tcg_region_tree *rt = region_trees + i * tree_size;
          qemu_mutex_init(&rt->lock);
 -        rt->tree = g_tree_new_full(tb_tc_cmp, NULL, NULL, tb_destroy);
 +        rt->tree = q_tree_new_full(tb_tc_cmp, NULL, NULL, tb_destroy);
      }
  }
@@ -XXX,XX +XXX,XX @@ void tcg_tb_insert(TranslationBlock *tb)
      g_assert(rt != NULL);
      qemu_mutex_lock(&rt->lock);
 -    g_tree_insert(rt->tree, &tb->tc, tb);
 +    q_tree_insert(rt->tree, &tb->tc, tb);
      qemu_mutex_unlock(&rt->lock);
  }
@@ -XXX,XX +XXX,XX @@ void tcg_tb_remove(TranslationBlock *tb)
      g_assert(rt != NULL);
      qemu_mutex_lock(&rt->lock);
 -    g_tree_remove(rt->tree, &tb->tc);
 +    q_tree_remove(rt->tree, &tb->tc);
      qemu_mutex_unlock(&rt->lock);
  }
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
      }
      qemu_mutex_lock(&rt->lock);
 -    tb = g_tree_lookup(rt->tree, &s);
 +    tb = q_tree_lookup(rt->tree, &s);
      qemu_mutex_unlock(&rt->lock);
      return tb;
  }
@@ -XXX,XX +XXX,XX @@ void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
      for (i = 0; i < region.n; i++) {
          struct tcg_region_tree *rt = region_trees + i * tree_size;
 -        g_tree_foreach(rt->tree, func, user_data);
 +        q_tree_foreach(rt->tree, func, user_data);
      }
      tcg_region_tree_unlock_all();
  }
@@ -XXX,XX +XXX,XX @@ size_t tcg_nb_tbs(void)
      for (i = 0; i < region.n; i++) {
          struct tcg_region_tree *rt = region_trees + i * tree_size;
 -        nb_tbs += g_tree_nnodes(rt->tree);
 +        nb_tbs += q_tree_nnodes(rt->tree);
      }
      tcg_region_tree_unlock_all();
      return nb_tbs;
@@ -XXX,XX +XXX,XX @@ static void tcg_region_tree_reset_all(void)
          struct tcg_region_tree *rt = region_trees + i * tree_size;
          /* Increment the refcount first so that destroy acts as a reset */
 -        g_tree_ref(rt->tree);
 -        g_tree_destroy(rt->tree);
 +        q_tree_ref(rt->tree);
 +        q_tree_destroy(rt->tree);
      }
      tcg_region_tree_unlock_all();
  }
 diff --git a/util/qtree.c b/util/qtree.c
 index XXXXXXX..XXXXXXX 100644
 --- a/util/qtree.c
 +++ b/util/qtree.c
@@ -XXX,XX +XXX,XX @@ q_tree_node_next(QTreeNode *node)
   *
   * Since: 2.70 in GLib. Internal in Qtree, i.e. not in the public API.
   */
 -static void
 +static void QEMU_DISABLE_CFI
  q_tree_remove_all(QTree *tree)
  {
      QTreeNode *node;
@@ -XXX,XX +XXX,XX @@ q_tree_replace(QTree    *tree,
  }
  /* internal insert routine */
 -static QTreeNode *
 +static QTreeNode * QEMU_DISABLE_CFI
  q_tree_insert_internal(QTree    *tree,
                         gpointer  key,
                         gpointer  value,
@@ -XXX,XX +XXX,XX @@ q_tree_steal(QTree         *tree,
  }
  /* internal remove routine */
 -static gboolean
 +static gboolean QEMU_DISABLE_CFI
  q_tree_remove_internal(QTree         *tree,
                         gconstpointer  key,
                         gboolean       steal)
@@ -XXX,XX +XXX,XX @@ q_tree_node_balance(QTreeNode *node)
      return node;
  }
 -static QTreeNode *
 +static QTreeNode * QEMU_DISABLE_CFI
  q_tree_find_node(QTree        *tree,
                   gconstpointer key)
  {
 --
 .34.1

-[PULL 07/10] tcg: Add tcg_gen_gvec_dup_tl
+[PULL 03/15] linux-user: Diagnose misaligned -R size
-For use when a target needs to pass a configure-specific
+We have been enforcing host page alignment for the non-R
-target_ulong value to duplicate.
+fallback of MAX_RESERVED_VA, but failing to enforce for -R.
-Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: David Hildenbrand <david@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/tcg/tcg-op-gvec.h | 6 ++++++
+ linux-user/main.c | 6 ++++++
 file changed, 6 insertions(+)
-diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
+diff --git a/linux-user/main.c b/linux-user/main.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/tcg/tcg-op-gvec.h
+--- a/linux-user/main.c
-+++ b/include/tcg/tcg-op-gvec.h
++++ b/linux-user/main.c
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
+@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
- void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
+      */
-                           uint32_t m, TCGv_i64);
+     max_reserved_va = MAX_RESERVED_VA(cpu);
+     if (reserved_va != 0) {
-+#if TARGET_LONG_BITS == 64
++        if (reserved_va % qemu_host_page_size) {
-+# define tcg_gen_gvec_dup_tl  tcg_gen_gvec_dup_i64
++            char *s = size_to_str(qemu_host_page_size);
-+#else
++            fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
-+# define tcg_gen_gvec_dup_tl  tcg_gen_gvec_dup_i32
++            g_free(s);
-+#endif
++            exit(EXIT_FAILURE);
-+
++        }
- void tcg_gen_gvec_shli(unsigned vece, uint32_t dofs, uint32_t aofs,
+         if (max_reserved_va && reserved_va > max_reserved_va) {
-                        int64_t shift, uint32_t oprsz, uint32_t maxsz);
+             fprintf(stderr, "Reserved virtual address too big\n");
- void tcg_gen_gvec_shri(unsigned vece, uint32_t dofs, uint32_t aofs,
+             exit(EXIT_FAILURE);
 --
-.20.1
+.34.1

-New patch
+[PULL 04/15] accel/tcg: Pass last not end to page_set_flags
+Pass the address of the last byte to be changed, rather than
 the first address past the last byte.  This avoids overflow
 when the last page of the address space is involved.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1528
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/cpu-all.h |  2 +-
  accel/tcg/user-exec.c  | 16 +++++++---------
  bsd-user/mmap.c        |  6 +++---
  linux-user/elfload.c   | 11 ++++++-----
  linux-user/mmap.c      | 16 ++++++++--------
  linux-user/syscall.c   |  4 ++--
 files changed, 27 insertions(+), 28 deletions(-)
 diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu-all.h
 +++ b/include/exec/cpu-all.h
@@ -XXX,XX +XXX,XX @@ typedef int (*walk_memory_regions_fn)(void *, target_ulong,
  int walk_memory_regions(void *, walk_memory_regions_fn);
  int page_get_flags(target_ulong address);
 -void page_set_flags(target_ulong start, target_ulong end, int flags);
 +void page_set_flags(target_ulong start, target_ulong last, int flags);
  void page_reset_target_data(target_ulong start, target_ulong end);
  int page_check_range(target_ulong start, target_ulong len, int flags);
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ static bool pageflags_set_clear(target_ulong start, target_ulong last,
   * The flag PAGE_WRITE_ORG is positioned automatically depending
   * on PAGE_WRITE.  The mmap_lock should already be held.
   */
 -void page_set_flags(target_ulong start, target_ulong end, int flags)
 +void page_set_flags(target_ulong start, target_ulong last, int flags)
  {
 -    target_ulong last;
      bool reset = false;
      bool inval_tb = false;
      /* This function should never be called with addresses outside the
         guest address space.  If this assert fires, it probably indicates
         a missing call to h2g_valid.  */
 -    assert(start < end);
 -    assert(end - 1 <= GUEST_ADDR_MAX);
 +    assert(start <= last);
 +    assert(last <= GUEST_ADDR_MAX);
      /* Only set PAGE_ANON with new mappings. */
      assert(!(flags & PAGE_ANON) || (flags & PAGE_RESET));
      assert_memory_lock();
 -    start = start & TARGET_PAGE_MASK;
 -    end = TARGET_PAGE_ALIGN(end);
 -    last = end - 1;
 +    start &= TARGET_PAGE_MASK;
 +    last |= ~TARGET_PAGE_MASK;
      if (!(flags & PAGE_VALID)) {
          flags = 0;
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
      }
      if (!flags || reset) {
 -        page_reset_target_data(start, end);
 +        page_reset_target_data(start, last + 1);
          inval_tb |= pageflags_unset(start, last);
      }
      if (flags) {
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong end, int flags)
                                          ~(reset ? 0 : PAGE_STICKY));
      }
      if (inval_tb) {
 -        tb_invalidate_phys_range(start, end);
 +        tb_invalidate_phys_range(start, last + 1);
      }
  }
 diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/bsd-user/mmap.c
 +++ b/bsd-user/mmap.c
@@ -XXX,XX +XXX,XX @@ int target_mprotect(abi_ulong start, abi_ulong len, int prot)
          if (ret != 0)
              goto error;
      }
 -    page_set_flags(start, start + len, prot | PAGE_VALID);
 +    page_set_flags(start, start + len - 1, prot | PAGE_VALID);
      mmap_unlock();
      return 0;
  error:
@@ -XXX,XX +XXX,XX @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int prot,
          }
      }
   the_end1:
 -    page_set_flags(start, start + len, prot | PAGE_VALID);
 +    page_set_flags(start, start + len - 1, prot | PAGE_VALID);
   the_end:
  #ifdef DEBUG_MMAP
      printf("ret=0x" TARGET_ABI_FMT_lx "\n", start);
@@ -XXX,XX +XXX,XX @@ int target_munmap(abi_ulong start, abi_ulong len)
      }
      if (ret == 0) {
 -        page_set_flags(start, start + len, 0);
 +        page_set_flags(start, start + len - 1, 0);
      }
      mmap_unlock();
      return ret;
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
          exit(EXIT_FAILURE);
      }
      page_set_flags(TARGET_VSYSCALL_PAGE,
 -                   TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
 +                   TARGET_VSYSCALL_PAGE | ~TARGET_PAGE_MASK,
                     PAGE_EXEC | PAGE_VALID);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
          exit(EXIT_FAILURE);
      }
 -    page_set_flags(commpage, commpage + qemu_host_page_size,
 +    page_set_flags(commpage, commpage | ~qemu_host_page_mask,
                     PAGE_READ | PAGE_EXEC | PAGE_VALID);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
          exit(EXIT_FAILURE);
      }
 -    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
 +    page_set_flags(LO_COMMPAGE, LO_COMMPAGE | ~TARGET_PAGE_MASK,
                     PAGE_READ | PAGE_EXEC | PAGE_VALID);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
       * and implement syscalls.  Here, simply mark the page executable.
       * Special case the entry points during translation (see do_page_zero).
       */
 -    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
 +    page_set_flags(LO_COMMPAGE, LO_COMMPAGE | ~TARGET_PAGE_MASK,
                     PAGE_EXEC | PAGE_VALID);
      return true;
  }
@@ -XXX,XX +XXX,XX @@ static void zero_bss(abi_ulong elf_bss, abi_ulong last_bss, int prot)
      /* Ensure that the bss page(s) are valid */
      if ((page_get_flags(last_bss-1) & prot) != prot) {
 -        page_set_flags(elf_bss & TARGET_PAGE_MASK, last_bss, prot | PAGE_VALID);
 +        page_set_flags(elf_bss & TARGET_PAGE_MASK, last_bss - 1,
 +                       prot | PAGE_VALID);
      }
      if (host_start < host_map_start) {
 diff --git a/linux-user/mmap.c b/linux-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/mmap.c
 +++ b/linux-user/mmap.c
@@ -XXX,XX +XXX,XX @@ int target_mprotect(abi_ulong start, abi_ulong len, int target_prot)
          }
      }
 -    page_set_flags(start, start + len, page_flags);
 +    page_set_flags(start, start + len - 1, page_flags);
      ret = 0;
  error:
@@ -XXX,XX +XXX,XX @@ abi_long target_mmap(abi_ulong start, abi_ulong len, int target_prot,
      }
      page_flags |= PAGE_RESET;
      if (passthrough_start == passthrough_end) {
 -        page_set_flags(start, start + len, page_flags);
 +        page_set_flags(start, start + len - 1, page_flags);
      } else {
          if (start < passthrough_start) {
 -            page_set_flags(start, passthrough_start, page_flags);
 +            page_set_flags(start, passthrough_start - 1, page_flags);
          }
 -        page_set_flags(passthrough_start, passthrough_end,
 +        page_set_flags(passthrough_start, passthrough_end - 1,
                         page_flags | PAGE_PASSTHROUGH);
          if (passthrough_end < start + len) {
 -            page_set_flags(passthrough_end, start + len, page_flags);
 +            page_set_flags(passthrough_end, start + len - 1, page_flags);
          }
      }
   the_end:
@@ -XXX,XX +XXX,XX @@ int target_munmap(abi_ulong start, abi_ulong len)
      }
      if (ret == 0) {
 -        page_set_flags(start, start + len, 0);
 +        page_set_flags(start, start + len - 1, 0);
      }
      mmap_unlock();
      return ret;
@@ -XXX,XX +XXX,XX @@ abi_long target_mremap(abi_ulong old_addr, abi_ulong old_size,
      } else {
          new_addr = h2g(host_addr);
          prot = page_get_flags(old_addr);
 -        page_set_flags(old_addr, old_addr + old_size, 0);
 -        page_set_flags(new_addr, new_addr + new_size,
 +        page_set_flags(old_addr, old_addr + old_size - 1, 0);
 +        page_set_flags(new_addr, new_addr + new_size - 1,
                         prot | PAGE_VALID | PAGE_RESET);
      }
      mmap_unlock();
 diff --git a/linux-user/syscall.c b/linux-user/syscall.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/syscall.c
 +++ b/linux-user/syscall.c
@@ -XXX,XX +XXX,XX @@ static inline abi_ulong do_shmat(CPUArchState *cpu_env,
      }
      raddr=h2g((unsigned long)host_raddr);
 -    page_set_flags(raddr, raddr + shm_info.shm_segsz,
 +    page_set_flags(raddr, raddr + shm_info.shm_segsz - 1,
                     PAGE_VALID | PAGE_RESET | PAGE_READ |
                     (shmflg & SHM_RDONLY ? 0 : PAGE_WRITE));
@@ -XXX,XX +XXX,XX @@ static inline abi_long do_shmdt(abi_ulong shmaddr)
      for (i = 0; i < N_SHM_REGIONS; ++i) {
          if (shm_regions[i].in_use && shm_regions[i].start == shmaddr) {
              shm_regions[i].in_use = false;
 -            page_set_flags(shmaddr, shmaddr + shm_regions[i].size, 0);
 +            page_set_flags(shmaddr, shmaddr + shm_regions[i].size - 1, 0);
              break;
          }
      }
 --
 .34.1

-[PULL 05/10] tcg: Use tcg_gen_gvec_dup_imm in logical simplifications
+[PULL 05/15] accel/tcg: Pass last not end to page_reset_target_data
-Replace the outgoing interface.
+Pass the address of the last byte to be changed, rather than
 the first address past the last byte.  This avoids overflow
 when the last page of the address space is involved.
-Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- tcg/tcg-op-gvec.c | 8 ++++----
+ include/exec/cpu-all.h |  2 +-
-file changed, 4 insertions(+), 4 deletions(-)
+ accel/tcg/user-exec.c  | 11 +++++------
  linux-user/mmap.c      |  2 +-
 files changed, 7 insertions(+), 8 deletions(-)
-diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
+diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
 index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg-op-gvec.c
+--- a/include/exec/cpu-all.h
-+++ b/tcg/tcg-op-gvec.c
++++ b/include/exec/cpu-all.h
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_xor(unsigned vece, uint32_t dofs, uint32_t aofs,
+@@ -XXX,XX +XXX,XX @@ int walk_memory_regions(void *, walk_memory_regions_fn);
-     };
+ int page_get_flags(target_ulong address);
-     if (aofs == bofs) {
+ void page_set_flags(target_ulong start, target_ulong last, int flags);
--        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, 0);
+-void page_reset_target_data(target_ulong start, target_ulong end);
-+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, 0);
++void page_reset_target_data(target_ulong start, target_ulong last);
-     } else {
+ int page_check_range(target_ulong start, target_ulong len, int flags);
-         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
  /**
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong last, int flags)
      }
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_andc(unsigned vece, uint32_t dofs, uint32_t aofs,
-     };
+     if (!flags || reset) {
+-        page_reset_target_data(start, last + 1);
-     if (aofs == bofs) {
++        page_reset_target_data(start, last);
--        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, 0);
+         inval_tb |= pageflags_unset(start, last);
 +        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, 0);
      } else {
          tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
      }
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_orc(unsigned vece, uint32_t dofs, uint32_t aofs,
+     if (flags) {
-     };
+@@ -XXX,XX +XXX,XX @@ typedef struct TargetPageDataNode {
-     if (aofs == bofs) {
+ static IntervalTreeRoot targetdata_root;
--        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, -1);
-+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, -1);
+-void page_reset_target_data(target_ulong start, target_ulong end)
-     } else {
++void page_reset_target_data(target_ulong start, target_ulong last)
-         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
+ {
-     }
+     IntervalTreeNode *n, *next;
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_eqv(unsigned vece, uint32_t dofs, uint32_t aofs,
+-    target_ulong last;
-     };
+     assert_memory_lock();
-     if (aofs == bofs) {
--        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, -1);
+-    start = start & TARGET_PAGE_MASK;
-+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, -1);
+-    last = TARGET_PAGE_ALIGN(end) - 1;
-     } else {
++    start &= TARGET_PAGE_MASK;
-         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
++    last |= ~TARGET_PAGE_MASK;
      for (n = interval_tree_iter_first(&targetdata_root, start, last),
           next = n ? interval_tree_iter_next(n, start, last) : NULL;
@@ -XXX,XX +XXX,XX @@ void *page_get_target_data(target_ulong address)
      return t->data[(page - region) >> TARGET_PAGE_BITS];
  }
  #else
 -void page_reset_target_data(target_ulong start, target_ulong end) { }
 +void page_reset_target_data(target_ulong start, target_ulong last) { }
  #endif /* TARGET_PAGE_DATA_SIZE */
  /* The softmmu versions of these helpers are in cputlb.c.  */
 diff --git a/linux-user/mmap.c b/linux-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/mmap.c
 +++ b/linux-user/mmap.c
@@ -XXX,XX +XXX,XX @@ abi_long target_madvise(abi_ulong start, abi_ulong len_in, int advice)
          if (can_passthrough_madvise(start, end)) {
              ret = get_errno(madvise(g2h_untagged(start), len, advice));
              if ((advice == MADV_DONTNEED) && (ret == 0)) {
 -                page_reset_target_data(start, start + len);
 +                page_reset_target_data(start, start + len - 1);
              }
          }
      }
 --
-.20.1
+.34.1

-[PULL 06/10] tcg: Remove tcg_gen_gvec_dup{8,16,32,64}i
+[PULL 06/15] accel/tcg: Pass last not end to PAGE_FOR_EACH_TB
-These interfaces are now unused.
+Pass the address of the last byte to be changed, rather than
 the first address past the last byte.  This avoids overflow
 when the last page of the address space is involved.
-Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: David Hildenbrand <david@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/tcg/tcg-op-gvec.h |  5 -----
+ accel/tcg/tb-maint.c | 28 ++++++++++++++++------------
- tcg/tcg-op-gvec.c         | 28 ----------------------------
+file changed, 16 insertions(+), 12 deletions(-)
 files changed, 33 deletions(-)
-diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
+diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/tcg/tcg-op-gvec.h
+--- a/accel/tcg/tb-maint.c
-+++ b/include/tcg/tcg-op-gvec.h
++++ b/accel/tcg/tb-maint.c
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
+@@ -XXX,XX +XXX,XX @@ static void tb_remove(TranslationBlock *tb)
- void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
+ }
-                           uint32_t m, TCGv_i64);
+ /* TODO: For now, still shared with translate-all.c for system mode. */
--void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t s, uint32_t m, uint8_t x);
+-#define PAGE_FOR_EACH_TB(start, end, pagedesc, T, N)    \
--void tcg_gen_gvec_dup16i(uint32_t dofs, uint32_t s, uint32_t m, uint16_t x);
+-    for (T = foreach_tb_first(start, end),              \
--void tcg_gen_gvec_dup32i(uint32_t dofs, uint32_t s, uint32_t m, uint32_t x);
+-         N = foreach_tb_next(T, start, end);            \
--void tcg_gen_gvec_dup64i(uint32_t dofs, uint32_t s, uint32_t m, uint64_t x);
++#define PAGE_FOR_EACH_TB(start, last, pagedesc, T, N)   \
--
++    for (T = foreach_tb_first(start, last),             \
- void tcg_gen_gvec_shli(unsigned vece, uint32_t dofs, uint32_t aofs,
++         N = foreach_tb_next(T, start, last);           \
-                        int64_t shift, uint32_t oprsz, uint32_t maxsz);
+          T != NULL;                                     \
- void tcg_gen_gvec_shri(unsigned vece, uint32_t dofs, uint32_t aofs,
+-         T = N, N = foreach_tb_next(N, start, end))
-diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
++         T = N, N = foreach_tb_next(N, start, last))
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg-op-gvec.c
+ typedef TranslationBlock *PageForEachNext;
-+++ b/tcg/tcg-op-gvec.c
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_mem(unsigned vece, uint32_t dofs, uint32_t aofs,
+ static PageForEachNext foreach_tb_first(tb_page_addr_t start,
 -                                        tb_page_addr_t end)
 +                                        tb_page_addr_t last)
  {
 -    IntervalTreeNode *n = interval_tree_iter_first(&tb_root, start, end - 1);
 +    IntervalTreeNode *n = interval_tree_iter_first(&tb_root, start, last);
      return n ? container_of(n, TranslationBlock, itree) : NULL;
  }
  static PageForEachNext foreach_tb_next(PageForEachNext tb,
                                         tb_page_addr_t start,
 -                                       tb_page_addr_t end)
 +                                       tb_page_addr_t last)
  {
      IntervalTreeNode *n;
      if (tb) {
 -        n = interval_tree_iter_next(&tb->itree, start, end - 1);
 +        n = interval_tree_iter_next(&tb->itree, start, last);
          if (n) {
              return container_of(n, TranslationBlock, itree);
          }
@@ -XXX,XX +XXX,XX @@ struct page_collection {
  };
  typedef int PageForEachNext;
 -#define PAGE_FOR_EACH_TB(start, end, pagedesc, tb, n) \
 +#define PAGE_FOR_EACH_TB(start, last, pagedesc, tb, n) \
      TB_FOR_EACH_TAGGED((pagedesc)->first_tb, tb, n, page_next)
  #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
  {
      TranslationBlock *tb;
      PageForEachNext n;
 +    tb_page_addr_t last = end - 1;
      assert_memory_lock();
 -    PAGE_FOR_EACH_TB(start, end, unused, tb, n) {
 +    PAGE_FOR_EACH_TB(start, last, unused, tb, n) {
          tb_phys_invalidate__locked(tb);
      }
  }
+@@ -XXX,XX +XXX,XX @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
--void tcg_gen_gvec_dup64i(uint32_t dofs, uint32_t oprsz,
+     bool current_tb_modified;
--                         uint32_t maxsz, uint64_t x)
+     TranslationBlock *tb;
--{
+     PageForEachNext n;
--    check_size_align(oprsz, maxsz, dofs);
++    tb_page_addr_t last;
--    do_dup(MO_64, dofs, oprsz, maxsz, NULL, NULL, x);
--}
+     /*
--
+      * Without precise smc semantics, or when outside of a TB,
--void tcg_gen_gvec_dup32i(uint32_t dofs, uint32_t oprsz,
+@@ -XXX,XX +XXX,XX @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
--                         uint32_t maxsz, uint32_t x)
+     assert_memory_lock();
--{
+     current_tb = tcg_tb_lookup(pc);
--    check_size_align(oprsz, maxsz, dofs);
--    do_dup(MO_32, dofs, oprsz, maxsz, NULL, NULL, x);
++    last = addr | ~TARGET_PAGE_MASK;
--}
+     addr &= TARGET_PAGE_MASK;
--
+     current_tb_modified = false;
--void tcg_gen_gvec_dup16i(uint32_t dofs, uint32_t oprsz,
--                         uint32_t maxsz, uint16_t x)
+-    PAGE_FOR_EACH_TB(addr, addr + TARGET_PAGE_SIZE, unused, tb, n) {
--{
++    PAGE_FOR_EACH_TB(addr, last, unused, tb, n) {
--    check_size_align(oprsz, maxsz, dofs);
+         if (current_tb == tb &&
--    do_dup(MO_16, dofs, oprsz, maxsz, NULL, NULL, x);
+             (tb_cflags(current_tb) & CF_COUNT_MASK) != 1) {
--}
+             /*
--
+@@ -XXX,XX +XXX,XX @@ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
--void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t oprsz,
+     bool current_tb_modified = false;
--                         uint32_t maxsz, uint8_t x)
+     TranslationBlock *current_tb = retaddr ? tcg_tb_lookup(retaddr) : NULL;
--{
+ #endif /* TARGET_HAS_PRECISE_SMC */
--    check_size_align(oprsz, maxsz, dofs);
++    tb_page_addr_t last G_GNUC_UNUSED = end - 1;
--    do_dup(MO_8, dofs, oprsz, maxsz, NULL, NULL, x);
--}
+     /*
--
+      * We remove all the TBs in the range [start, end[.
- void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t oprsz,
+      * XXX: see if in some cases it could be faster to invalidate all the code
-                           uint32_t maxsz, uint64_t x)
+      */
- {
+-    PAGE_FOR_EACH_TB(start, end, p, tb, n) {
 +    PAGE_FOR_EACH_TB(start, last, p, tb, n) {
          /* NOTE: this is subtle as a TB may span two physical pages */
          if (n == 0) {
              /* NOTE: tb_end may be after the end of the page, but
 --
-.20.1
+.34.1

-[PULL 03/10] target/ppc: Use tcg_gen_gvec_dup_imm
+[PULL 07/15] accel/tcg: Pass last not end to page_collection_lock
-We can now unify the implementation of the 3 VSPLTI instructions.
+Pass the address of the last byte to be changed, rather than
 the first address past the last byte.  This avoids overflow
 when the last page of the address space is involved.
-Acked-by: David Gibson <david@gibson.dropbear.id.au>
+Fixes a bug in the loop comparision where "<= end" would lock
 one more page than required.
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/ppc/translate/vmx-impl.inc.c | 32 ++++++++++++++++-------------
+ accel/tcg/tb-maint.c | 22 +++++++++++-----------
- target/ppc/translate/vsx-impl.inc.c |  2 +-
+file changed, 11 insertions(+), 11 deletions(-)
 files changed, 19 insertions(+), 15 deletions(-)
-diff --git a/target/ppc/translate/vmx-impl.inc.c b/target/ppc/translate/vmx-impl.inc.c
+diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/ppc/translate/vmx-impl.inc.c
+--- a/accel/tcg/tb-maint.c
-+++ b/target/ppc/translate/vmx-impl.inc.c
++++ b/accel/tcg/tb-maint.c
-@@ -XXX,XX +XXX,XX @@ GEN_VXRFORM_DUAL(vcmpbfp, PPC_ALTIVEC, PPC_NONE, \
+@@ -XXX,XX +XXX,XX @@ static gint tb_page_addr_cmp(gconstpointer ap, gconstpointer bp, gpointer udata)
- GEN_VXRFORM_DUAL(vcmpgtfp, PPC_ALTIVEC, PPC_NONE, \
+ }
-                  vcmpgtud, PPC_NONE, PPC2_ALTIVEC_207)
+ /*
--#define GEN_VXFORM_DUPI(name, tcg_op, opc2, opc3)                       \
+- * Lock a range of pages ([@start,@end[) as well as the pages of all
--static void glue(gen_, name)(DisasContext *ctx)                         \
++ * Lock a range of pages ([@start,@last]) as well as the pages of all
--    {                                                                   \
+  * intersecting TBs.
--        int simm;                                                       \
+  * Locking order: acquire locks in ascending order of page index.
--        if (unlikely(!ctx->altivec_enabled)) {                          \
+  */
--            gen_exception(ctx, POWERPC_EXCP_VPU);                       \
+ static struct page_collection *page_collection_lock(tb_page_addr_t start,
--            return;                                                     \
+-                                                    tb_page_addr_t end)
--        }                                                               \
++                                                    tb_page_addr_t last)
--        simm = SIMM5(ctx->opcode);                                      \
+ {
--        tcg_op(avr_full_offset(rD(ctx->opcode)), 16, 16, simm);         \
+     struct page_collection *set = g_malloc(sizeof(*set));
-+static void gen_vsplti(DisasContext *ctx, int vece)
+     tb_page_addr_t index;
-+{
+     PageDesc *pd;
-+    int simm;
-+
+     start >>= TARGET_PAGE_BITS;
-+    if (unlikely(!ctx->altivec_enabled)) {
+-    end   >>= TARGET_PAGE_BITS;
-+        gen_exception(ctx, POWERPC_EXCP_VPU);
+-    g_assert(start <= end);
-+        return;
++    last >>= TARGET_PAGE_BITS;
 +    g_assert(start <= last);
      set->tree = q_tree_new_full(tb_page_addr_cmp, NULL, NULL,
                                  page_entry_destroy);
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
   retry:
      q_tree_foreach(set->tree, page_entry_lock, NULL);
 -    for (index = start; index <= end; index++) {
 +    for (index = start; index <= last; index++) {
          TranslationBlock *tb;
          PageForEachNext n;
@@ -XXX,XX +XXX,XX @@ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
  void tb_invalidate_phys_page(tb_page_addr_t addr)
  {
      struct page_collection *pages;
 -    tb_page_addr_t start, end;
 +    tb_page_addr_t start, last;
      PageDesc *p;
      p = page_find(addr >> TARGET_PAGE_BITS);
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
      }
--GEN_VXFORM_DUPI(vspltisb, tcg_gen_gvec_dup8i, 6, 12);
+     start = addr & TARGET_PAGE_MASK;
--GEN_VXFORM_DUPI(vspltish, tcg_gen_gvec_dup16i, 6, 13);
+-    end = start + TARGET_PAGE_SIZE;
--GEN_VXFORM_DUPI(vspltisw, tcg_gen_gvec_dup32i, 6, 14);
+-    pages = page_collection_lock(start, end);
-+    simm = SIMM5(ctx->opcode);
+-    tb_invalidate_phys_page_range__locked(pages, p, start, end, 0);
-+    tcg_gen_gvec_dup_imm(vece, avr_full_offset(rD(ctx->opcode)), 16, 16, simm);
++    last = addr | ~TARGET_PAGE_MASK;
-+}
++    pages = page_collection_lock(start, last);
-+
++    tb_invalidate_phys_page_range__locked(pages, p, start, last + 1, 0);
-+#define GEN_VXFORM_VSPLTI(name, vece, opc2, opc3) \
+     page_collection_unlock(pages);
 +static void glue(gen_, name)(DisasContext *ctx) { gen_vsplti(ctx, vece); }
 +
 +GEN_VXFORM_VSPLTI(vspltisb, MO_8, 6, 12);
 +GEN_VXFORM_VSPLTI(vspltish, MO_16, 6, 13);
 +GEN_VXFORM_VSPLTI(vspltisw, MO_32, 6, 14);
  #define GEN_VXFORM_NOA(name, opc2, opc3)                                \
  static void glue(gen_, name)(DisasContext *ctx)                         \
@@ -XXX,XX +XXX,XX @@ GEN_VXFORM_DUAL(vsldoi, PPC_ALTIVEC, PPC_NONE,
  #undef GEN_VXRFORM_DUAL
  #undef GEN_VXRFORM1
  #undef GEN_VXRFORM
 -#undef GEN_VXFORM_DUPI
 +#undef GEN_VXFORM_VSPLTI
  #undef GEN_VXFORM_NOA
  #undef GEN_VXFORM_UIMM
  #undef GEN_VAFORM_PAIRED
 diff --git a/target/ppc/translate/vsx-impl.inc.c b/target/ppc/translate/vsx-impl.inc.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/ppc/translate/vsx-impl.inc.c
 +++ b/target/ppc/translate/vsx-impl.inc.c
@@ -XXX,XX +XXX,XX @@ static void gen_xxspltib(DisasContext *ctx)
              return;
          }
      }
 -    tcg_gen_gvec_dup8i(vsr_full_offset(rt), 16, 16, uim8);
 +    tcg_gen_gvec_dup_imm(MO_8, vsr_full_offset(rt), 16, 16, uim8);
  }
- static void gen_xxsldwi(DisasContext *ctx)
+@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
      struct page_collection *pages;
      tb_page_addr_t next;
 -    pages = page_collection_lock(start, end);
 +    pages = page_collection_lock(start, end - 1);
      for (next = (start & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
           start < end;
           start = next, next += TARGET_PAGE_SIZE) {
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_range_fast(ram_addr_t ram_addr,
  {
      struct page_collection *pages;
 -    pages = page_collection_lock(ram_addr, ram_addr + size);
 +    pages = page_collection_lock(ram_addr, ram_addr + size - 1);
      tb_invalidate_phys_page_fast__locked(pages, ram_addr, size, retaddr);
      page_collection_unlock(pages);
  }
 --
-.20.1
+.34.1

-[PULL 09/10] tcg: Add load_dest parameter to GVecGen2
+[PULL 08/15] accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
-We have this same parameter for GVecGen2i, GVecGen3,
+Pass the address of the last byte to be changed, rather than
-and GVecGen3i.  This will make some SVE2 insns easier
+the first address past the last byte.  This avoids overflow
-to parameterize.
+when the last page of the address space is involved.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Properly truncate tb_last to the end of the page; the comment about
 tb_end being past the end of the page being ok is not correct,
 considering overflow.
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/tcg/tcg-op-gvec.h |  2 ++
+ accel/tcg/tb-maint.c | 26 ++++++++++++--------------
- tcg/tcg-op-gvec.c         | 45 ++++++++++++++++++++++++++++-----------
+file changed, 12 insertions(+), 14 deletions(-)
 files changed, 34 insertions(+), 13 deletions(-)
-diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
+diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/tcg/tcg-op-gvec.h
+--- a/accel/tcg/tb-maint.c
-+++ b/include/tcg/tcg-op-gvec.h
++++ b/accel/tcg/tb-maint.c
-@@ -XXX,XX +XXX,XX @@ typedef struct {
+@@ -XXX,XX +XXX,XX @@ bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc)
-     uint8_t vece;
+ static void
-     /* Prefer i64 to v64.  */
+ tb_invalidate_phys_page_range__locked(struct page_collection *pages,
-     bool prefer_i64;
+                                       PageDesc *p, tb_page_addr_t start,
-+    /* Load dest as a 2nd source operand.  */
+-                                      tb_page_addr_t end,
-+    bool load_dest;
++                                      tb_page_addr_t last,
- } GVecGen2;
+                                       uintptr_t retaddr)
  typedef struct {
 diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg-op-gvec.c
 +++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ static void expand_clr(uint32_t dofs, uint32_t maxsz)
  /* Expand OPSZ bytes worth of two-operand operations using i32 elements.  */
  static void expand_2_i32(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
 -                         void (*fni)(TCGv_i32, TCGv_i32))
 +                         bool load_dest, void (*fni)(TCGv_i32, TCGv_i32))
  {
-     TCGv_i32 t0 = tcg_temp_new_i32();
+     TranslationBlock *tb;
-+    TCGv_i32 t1 = tcg_temp_new_i32();
+-    tb_page_addr_t tb_start, tb_end;
-     uint32_t i;
+     PageForEachNext n;
+ #ifdef TARGET_HAS_PRECISE_SMC
-     for (i = 0; i < oprsz; i += 4) {
+     bool current_tb_modified = false;
-         tcg_gen_ld_i32(t0, cpu_env, aofs + i);
+     TranslationBlock *current_tb = retaddr ? tcg_tb_lookup(retaddr) : NULL;
--        fni(t0, t0);
+ #endif /* TARGET_HAS_PRECISE_SMC */
--        tcg_gen_st_i32(t0, cpu_env, dofs + i);
+-    tb_page_addr_t last G_GNUC_UNUSED = end - 1;
-+        if (load_dest) {
-+            tcg_gen_ld_i32(t1, cpu_env, dofs + i);
+     /*
-+        }
+-     * We remove all the TBs in the range [start, end[.
-+        fni(t1, t0);
++     * We remove all the TBs in the range [start, last].
-+        tcg_gen_st_i32(t1, cpu_env, dofs + i);
+      * XXX: see if in some cases it could be faster to invalidate all the code
       */
      PAGE_FOR_EACH_TB(start, last, p, tb, n) {
 +        tb_page_addr_t tb_start, tb_last;
 +
          /* NOTE: this is subtle as a TB may span two physical pages */
 +        tb_start = tb_page_addr0(tb);
 +        tb_last = tb_start + tb->size - 1;
          if (n == 0) {
 -            /* NOTE: tb_end may be after the end of the page, but
 -               it is not a problem */
 -            tb_start = tb_page_addr0(tb);
 -            tb_end = tb_start + tb->size;
 +            tb_last = MIN(tb_last, tb_start | ~TARGET_PAGE_MASK);
          } else {
              tb_start = tb_page_addr1(tb);
 -            tb_end = tb_start + ((tb_page_addr0(tb) + tb->size)
 -                                 & ~TARGET_PAGE_MASK);
 +            tb_last = tb_start + (tb_last & ~TARGET_PAGE_MASK);
          }
 -        if (!(tb_end <= start || tb_start >= end)) {
 +        if (!(tb_last < start || tb_start > last)) {
  #ifdef TARGET_HAS_PRECISE_SMC
              if (current_tb == tb &&
                  (tb_cflags(current_tb) & CF_COUNT_MASK) != 1) {
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
      start = addr & TARGET_PAGE_MASK;
      last = addr | ~TARGET_PAGE_MASK;
      pages = page_collection_lock(start, last);
 -    tb_invalidate_phys_page_range__locked(pages, p, start, last + 1, 0);
 +    tb_invalidate_phys_page_range__locked(pages, p, start, last, 0);
      page_collection_unlock(pages);
  }
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
              continue;
          }
          assert_page_locked(pd);
 -        tb_invalidate_phys_page_range__locked(pages, pd, start, bound, 0);
 +        tb_invalidate_phys_page_range__locked(pages, pd, start, bound - 1, 0);
      }
-     tcg_temp_free_i32(t0);
+     page_collection_unlock(pages);
 +    tcg_temp_free_i32(t1);
  }
+@@ -XXX,XX +XXX,XX @@ static void tb_invalidate_phys_page_fast__locked(struct page_collection *pages,
  static void expand_2i_i32(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
@@ -XXX,XX +XXX,XX @@ static void expand_4_i32(uint32_t dofs, uint32_t aofs, uint32_t bofs,
  /* Expand OPSZ bytes worth of two-operand operations using i64 elements.  */
  static void expand_2_i64(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
 -                         void (*fni)(TCGv_i64, TCGv_i64))
 +                         bool load_dest, void (*fni)(TCGv_i64, TCGv_i64))
  {
      TCGv_i64 t0 = tcg_temp_new_i64();
 +    TCGv_i64 t1 = tcg_temp_new_i64();
      uint32_t i;
      for (i = 0; i < oprsz; i += 8) {
          tcg_gen_ld_i64(t0, cpu_env, aofs + i);
 -        fni(t0, t0);
 -        tcg_gen_st_i64(t0, cpu_env, dofs + i);
 +        if (load_dest) {
 +            tcg_gen_ld_i64(t1, cpu_env, dofs + i);
 +        }
 +        fni(t1, t0);
 +        tcg_gen_st_i64(t1, cpu_env, dofs + i);
      }
-     tcg_temp_free_i64(t0);
-+    tcg_temp_free_i64(t1);
+     assert_page_locked(p);
 -    tb_invalidate_phys_page_range__locked(pages, p, start, start + len, ra);
 +    tb_invalidate_phys_page_range__locked(pages, p, start, start + len - 1, ra);
  }
- static void expand_2i_i64(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
+ /*
@@ -XXX,XX +XXX,XX @@ static void expand_4_i64(uint32_t dofs, uint32_t aofs, uint32_t bofs,
  /* Expand OPSZ bytes worth of two-operand operations using host vectors.  */
  static void expand_2_vec(unsigned vece, uint32_t dofs, uint32_t aofs,
                           uint32_t oprsz, uint32_t tysz, TCGType type,
 +                         bool load_dest,
                           void (*fni)(unsigned, TCGv_vec, TCGv_vec))
  {
      TCGv_vec t0 = tcg_temp_new_vec(type);
 +    TCGv_vec t1 = tcg_temp_new_vec(type);
      uint32_t i;
      for (i = 0; i < oprsz; i += tysz) {
          tcg_gen_ld_vec(t0, cpu_env, aofs + i);
 -        fni(vece, t0, t0);
 -        tcg_gen_st_vec(t0, cpu_env, dofs + i);
 +        if (load_dest) {
 +            tcg_gen_ld_vec(t1, cpu_env, dofs + i);
 +        }
 +        fni(vece, t1, t0);
 +        tcg_gen_st_vec(t1, cpu_env, dofs + i);
      }
      tcg_temp_free_vec(t0);
 +    tcg_temp_free_vec(t1);
  }
  /* Expand OPSZ bytes worth of two-vector operands and an immediate operand
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_2(uint32_t dofs, uint32_t aofs,
           * that e.g. size == 80 would be expanded with 2x32 + 1x16.
           */
          some = QEMU_ALIGN_DOWN(oprsz, 32);
 -        expand_2_vec(g->vece, dofs, aofs, some, 32, TCG_TYPE_V256, g->fniv);
 +        expand_2_vec(g->vece, dofs, aofs, some, 32, TCG_TYPE_V256,
 +                     g->load_dest, g->fniv);
          if (some == oprsz) {
              break;
          }
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_2(uint32_t dofs, uint32_t aofs,
          maxsz -= some;
          /* fallthru */
      case TCG_TYPE_V128:
 -        expand_2_vec(g->vece, dofs, aofs, oprsz, 16, TCG_TYPE_V128, g->fniv);
 +        expand_2_vec(g->vece, dofs, aofs, oprsz, 16, TCG_TYPE_V128,
 +                     g->load_dest, g->fniv);
          break;
      case TCG_TYPE_V64:
 -        expand_2_vec(g->vece, dofs, aofs, oprsz, 8, TCG_TYPE_V64, g->fniv);
 +        expand_2_vec(g->vece, dofs, aofs, oprsz, 8, TCG_TYPE_V64,
 +                     g->load_dest, g->fniv);
          break;
      case 0:
          if (g->fni8 && check_size_impl(oprsz, 8)) {
 -            expand_2_i64(dofs, aofs, oprsz, g->fni8);
 +            expand_2_i64(dofs, aofs, oprsz, g->load_dest, g->fni8);
          } else if (g->fni4 && check_size_impl(oprsz, 4)) {
 -            expand_2_i32(dofs, aofs, oprsz, g->fni4);
 +            expand_2_i32(dofs, aofs, oprsz, g->load_dest, g->fni4);
          } else {
              assert(g->fno != NULL);
              tcg_gen_gvec_2_ool(dofs, aofs, oprsz, maxsz, g->data, g->fno);
 --
-.20.1
+.34.1

-[PULL 10/10] tcg: Fix integral argument type to tcg_gen_rot[rl]i_i{32, 64}
+[PULL 09/15] accel/tcg: Pass last not end to tb_invalidate_phys_range
-For the benefit of compatibility of function pointer types,
+Pass the address of the last byte to be changed, rather than
-we have standardized on int32_t and int64_t as the integral
+the first address past the last byte.  This avoids overflow
-argument to tcg expanders.
+when the last page of the address space is involved.
-We converted most of them in 474b2e8f0f7, but missed the rotates.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/tcg/tcg-op.h |  8 ++++----
+ include/exec/exec-all.h   |  2 +-
- tcg/tcg-op.c         | 16 ++++++++--------
+ accel/tcg/tb-maint.c      | 31 ++++++++++++++++---------------
-files changed, 12 insertions(+), 12 deletions(-)
+ accel/tcg/translate-all.c |  2 +-
  accel/tcg/user-exec.c     |  2 +-
  softmmu/physmem.c         |  2 +-
 files changed, 20 insertions(+), 19 deletions(-)
-diff --git a/include/tcg/tcg-op.h b/include/tcg/tcg-op.h
+diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/tcg/tcg-op.h
+--- a/include/exec/exec-all.h
-+++ b/include/tcg/tcg-op.h
++++ b/include/exec/exec-all.h
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_ctzi_i32(TCGv_i32 ret, TCGv_i32 arg1, uint32_t arg2);
+@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(target_ulong addr);
- void tcg_gen_clrsb_i32(TCGv_i32 ret, TCGv_i32 arg);
+ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
- void tcg_gen_ctpop_i32(TCGv_i32 a1, TCGv_i32 a2);
+ #endif
- void tcg_gen_rotl_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2);
+ void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
--void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2);
+-void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end);
-+void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2);
++void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last);
- void tcg_gen_rotr_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2);
+ void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
--void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2);
-+void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2);
+ /* GETPC is the true target of the return instruction that we'll execute.  */
- void tcg_gen_deposit_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2,
+diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
                           unsigned int ofs, unsigned int len);
  void tcg_gen_deposit_z_i32(TCGv_i32 ret, TCGv_i32 arg,
@@ -XXX,XX +XXX,XX @@ void tcg_gen_ctzi_i64(TCGv_i64 ret, TCGv_i64 arg1, uint64_t arg2);
  void tcg_gen_clrsb_i64(TCGv_i64 ret, TCGv_i64 arg);
  void tcg_gen_ctpop_i64(TCGv_i64 a1, TCGv_i64 a2);
  void tcg_gen_rotl_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2);
 -void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2);
 +void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2);
  void tcg_gen_rotr_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2);
 -void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2);
 +void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2);
  void tcg_gen_deposit_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2,
                           unsigned int ofs, unsigned int len);
  void tcg_gen_deposit_z_i64(TCGv_i64 ret, TCGv_i64 arg,
 diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
 index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg-op.c
+--- a/accel/tcg/tb-maint.c
-+++ b/tcg/tcg-op.c
++++ b/accel/tcg/tb-maint.c
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotl_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
+@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_link_page(TranslationBlock *tb, tb_page_addr_t phys_pc,
   * Called with mmap_lock held for user-mode emulation.
   * NOTE: this function must not be called while a TB is running.
   */
 -void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
 +void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last)
  {
      TranslationBlock *tb;
      PageForEachNext n;
 -    tb_page_addr_t last = end - 1;
      assert_memory_lock();
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
   */
  void tb_invalidate_phys_page(tb_page_addr_t addr)
  {
 -    tb_page_addr_t start, end;
 +    tb_page_addr_t start, last;
      start = addr & TARGET_PAGE_MASK;
 -    end = start + TARGET_PAGE_SIZE;
 -    tb_invalidate_phys_range(start, end);
 +    last = addr | ~TARGET_PAGE_MASK;
 +    tb_invalidate_phys_range(start, last);
  }
  /*
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_page(tb_page_addr_t addr)
  /*
   * Invalidate all TBs which intersect with the target physical address range
 - * [start;end[. NOTE: start and end may refer to *different* physical pages.
 + * [start;last]. NOTE: start and end may refer to *different* physical pages.
   * 'is_cpu_write_access' should be true if called from a real cpu write
   * access: the virtual CPU will exit the current TB if code is modified inside
   * this TB.
   */
 -void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t end)
 +void tb_invalidate_phys_range(tb_page_addr_t start, tb_page_addr_t last)
  {
      struct page_collection *pages;
 -    tb_page_addr_t next;
 +    tb_page_addr_t index, index_last;
 -    pages = page_collection_lock(start, end - 1);
 -    for (next = (start & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
 -         start < end;
 -         start = next, next += TARGET_PAGE_SIZE) {
 -        PageDesc *pd = page_find(start >> TARGET_PAGE_BITS);
 -        tb_page_addr_t bound = MIN(next, end);
 +    pages = page_collection_lock(start, last);
 +
 +    index_last = last >> TARGET_PAGE_BITS;
 +    for (index = start >> TARGET_PAGE_BITS; index <= index_last; index++) {
 +        PageDesc *pd = page_find(index);
 +        tb_page_addr_t bound;
          if (pd == NULL) {
              continue;
          }
          assert_page_locked(pd);
 -        tb_invalidate_phys_page_range__locked(pages, pd, start, bound - 1, 0);
 +        bound = (index << TARGET_PAGE_BITS) | ~TARGET_PAGE_MASK;
 +        bound = MIN(bound, last);
 +        tb_invalidate_phys_page_range__locked(pages, pd, start, bound, 0);
      }
      page_collection_unlock(pages);
  }
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ void tb_check_watchpoint(CPUState *cpu, uintptr_t retaddr)
          cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
          addr = get_page_addr_code(env, pc);
          if (addr != -1) {
 -            tb_invalidate_phys_range(addr, addr + 1);
 +            tb_invalidate_phys_range(addr, addr);
          }
      }
  }
+diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
--void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2)
+index XXXXXXX..XXXXXXX 100644
-+void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2)
+--- a/accel/tcg/user-exec.c
- {
++++ b/accel/tcg/user-exec.c
--    tcg_debug_assert(arg2 < 32);
+@@ -XXX,XX +XXX,XX @@ void page_set_flags(target_ulong start, target_ulong last, int flags)
-+    tcg_debug_assert(arg2 >= 0 && arg2 < 32);
+                                         ~(reset ? 0 : PAGE_STICKY));
-     /* some cases can be optimized here */
+     }
-     if (arg2 == 0) {
+     if (inval_tb) {
-         tcg_gen_mov_i32(ret, arg1);
+-        tb_invalidate_phys_range(start, last + 1);
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotr_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
++        tb_invalidate_phys_range(start, last);
      }
  }
--void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2)
+diff --git a/softmmu/physmem.c b/softmmu/physmem.c
-+void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2)
+index XXXXXXX..XXXXXXX 100644
- {
+--- a/softmmu/physmem.c
--    tcg_debug_assert(arg2 < 32);
++++ b/softmmu/physmem.c
-+    tcg_debug_assert(arg2 >= 0 && arg2 < 32);
+@@ -XXX,XX +XXX,XX @@ static void invalidate_and_set_dirty(MemoryRegion *mr, hwaddr addr,
      /* some cases can be optimized here */
      if (arg2 == 0) {
          tcg_gen_mov_i32(ret, arg1);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotl_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2)
      }
- }
+     if (dirty_log_mask & (1 << DIRTY_MEMORY_CODE)) {
+         assert(tcg_enabled());
--void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2)
+-        tb_invalidate_phys_range(addr, addr + length);
-+void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2)
++        tb_invalidate_phys_range(addr, addr + length - 1);
- {
+         dirty_log_mask &= ~(1 << DIRTY_MEMORY_CODE);
 -    tcg_debug_assert(arg2 < 64);
 +    tcg_debug_assert(arg2 >= 0 && arg2 < 64);
      /* some cases can be optimized here */
      if (arg2 == 0) {
          tcg_gen_mov_i64(ret, arg1);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotr_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2)
      }
- }
+     cpu_physical_memory_set_dirty_range(addr, length, dirty_log_mask);
 -void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2)
 +void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2)
  {
 -    tcg_debug_assert(arg2 < 64);
 +    tcg_debug_assert(arg2 >= 0 && arg2 < 64);
      /* some cases can be optimized here */
      if (arg2 == 0) {
          tcg_gen_mov_i64(ret, arg1);
 --
-.20.1
+.34.1

-[PULL 02/10] target/s390x: Use tcg_gen_gvec_dup_imm
+[PULL 10/15] linux-user: Pass last not end to probe_guest_base
-The gen_gvec_dupi switch is unnecessary with the new function.
+Pass the address of the last byte of the image, rather than
-Replace it with a local gen_gvec_dup_imm that takes care of the
+the first address past the last byte.  This avoids overflow
-register to offset conversion and length arguments.
+when the last page of the address space is involved.
-Drop zero_vec and use use gen_gvec_dup_imm with 0.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: David Hildenbrand <david@redhat.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/s390x/translate_vx.inc.c | 41 +++++++--------------------------
+ linux-user/user-internals.h | 12 ++++++------
-file changed, 8 insertions(+), 33 deletions(-)
+ linux-user/elfload.c        | 24 ++++++++++++------------
  linux-user/flatload.c       |  2 +-
 files changed, 19 insertions(+), 19 deletions(-)
-diff --git a/target/s390x/translate_vx.inc.c b/target/s390x/translate_vx.inc.c
+diff --git a/linux-user/user-internals.h b/linux-user/user-internals.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/translate_vx.inc.c
+--- a/linux-user/user-internals.h
-+++ b/target/s390x/translate_vx.inc.c
++++ b/linux-user/user-internals.h
-@@ -XXX,XX +XXX,XX @@ static void get_vec_element_ptr_i64(TCGv_ptr ptr, uint8_t reg, TCGv_i64 enr,
+@@ -XXX,XX +XXX,XX @@ void fork_end(int child);
- #define gen_gvec_mov(v1, v2) \
+ /**
-     tcg_gen_gvec_mov(0, vec_full_reg_offset(v1), vec_full_reg_offset(v2), 16, \
+  * probe_guest_base:
-)
+  * @image_name: the executable being loaded
--#define gen_gvec_dup64i(v1, c) \
+- * @loaddr: the lowest fixed address in the executable
--    tcg_gen_gvec_dup64i(vec_full_reg_offset(v1), 16, 16, c)
+- * @hiaddr: the highest fixed address in the executable
-+#define gen_gvec_dup_imm(es, v1, c) \
++ * @loaddr: the lowest fixed address within the executable
-+    tcg_gen_gvec_dup_imm(es, vec_full_reg_offset(v1), 16, 16, c);
++ * @hiaddr: the highest fixed address within the executable
- #define gen_gvec_fn_2(fn, es, v1, v2) \
+  *
-     tcg_gen_gvec_##fn(es, vec_full_reg_offset(v1), vec_full_reg_offset(v2), \
+  * Creates the initial guest address space in the host memory space.
-, 16)
+  *
-@@ -XXX,XX +XXX,XX @@ static void gen_gvec128_4_i64(gen_gvec128_4_i64_fn fn, uint8_t d, uint8_t a,
+- * If @loaddr == 0, then no address in the executable is fixed,
-         tcg_temp_free_i64(cl);
+- * i.e. it is fully relocatable.  In that case @hiaddr is the size
 - * of the executable.
 + * If @loaddr == 0, then no address in the executable is fixed, i.e.
 + * it is fully relocatable.  In that case @hiaddr is the size of the
 + * executable minus one.
   *
   * This function will not return if a valid value for guest_base
   * cannot be chosen.  On return, the executable loader can expect
   *
 - *    target_mmap(loaddr, hiaddr - loaddr, ...)
 + *    target_mmap(loaddr, hiaddr - loaddr + 1, ...)
   *
   * to succeed.
   */
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
          if (guest_hiaddr > reserved_va) {
              error_report("%s: requires more than reserved virtual "
                           "address space (0x%" PRIx64 " > 0x%lx)",
 -                         image_name, (uint64_t)guest_hiaddr, reserved_va);
 +                         image_name, (uint64_t)guest_hiaddr + 1, reserved_va);
              exit(EXIT_FAILURE);
          }
      } else {
@@ -XXX,XX +XXX,XX @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
          if ((guest_hiaddr - guest_base) > ~(uintptr_t)0) {
              error_report("%s: requires more virtual address space "
                           "than the host can provide (0x%" PRIx64 ")",
 -                         image_name, (uint64_t)guest_hiaddr - guest_base);
 +                         image_name, (uint64_t)guest_hiaddr + 1 - guest_base);
              exit(EXIT_FAILURE);
          }
  #endif
@@ -XXX,XX +XXX,XX @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
      if (reserved_va) {
          guest_loaddr = (guest_base >= mmap_min_addr ? 0
                          : mmap_min_addr - guest_base);
 -        guest_hiaddr = reserved_va;
 +        guest_hiaddr = reserved_va - 1;
      }
      /* Reserve the address space for the binary, or reserved_va. */
      test = g2h_untagged(guest_loaddr);
 -    addr = mmap(test, guest_hiaddr - guest_loaddr, PROT_NONE, flags, -1, 0);
 +    addr = mmap(test, guest_hiaddr - guest_loaddr + 1, PROT_NONE, flags, -1, 0);
      if (test != addr) {
          pgb_fail_in_use(image_name);
      }
      qemu_log_mask(CPU_LOG_PAGE,
 -                  "%s: base @ %p for " TARGET_ABI_FMT_ld " bytes\n",
 -                  __func__, addr, guest_hiaddr - guest_loaddr);
 +                  "%s: base @ %p for %" PRIu64 " bytes\n",
 +                  __func__, addr, (uint64_t)guest_hiaddr - guest_loaddr + 1);
  }
--static void gen_gvec_dupi(uint8_t es, uint8_t reg, uint64_t c)
+ /**
--{
+@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
--    switch (es) {
+     if (hiaddr != orig_hiaddr) {
--    case ES_8:
+         error_report("%s: requires virtual address space that the "
--        tcg_gen_gvec_dup8i(vec_full_reg_offset(reg), 16, 16, c);
+                      "host cannot provide (0x%" PRIx64 ")",
--        break;
+-                     image_name, (uint64_t)orig_hiaddr);
--    case ES_16:
++                     image_name, (uint64_t)orig_hiaddr + 1);
--        tcg_gen_gvec_dup16i(vec_full_reg_offset(reg), 16, 16, c);
+         exit(EXIT_FAILURE);
--        break;
+     }
--    case ES_32:
--        tcg_gen_gvec_dup32i(vec_full_reg_offset(reg), 16, 16, c);
+@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
--        break;
+          * arithmetic wraps around.
 -    case ES_64:
 -        gen_gvec_dup64i(reg, c);
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 -}
 -
 -static void zero_vec(uint8_t reg)
 -{
 -    tcg_gen_gvec_dup8i(vec_full_reg_offset(reg), 16, 16, 0);
 -}
 -
  static void gen_addi2_i64(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 al, TCGv_i64 ah,
                            uint64_t b)
  {
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vgbm(DisasContext *s, DisasOps *o)
           * Masks for both 64 bit elements of the vector are the same.
           * Trust tcg to produce a good constant loading.
           */
--        gen_gvec_dup64i(get_field(s, v1),
+         if (sizeof(uintptr_t) == 8 || loaddr >= 0x80000000u) {
--                        generate_byte_mask(i2 & 0xff));
+-            hiaddr = (uintptr_t) 4 << 30;
-+        gen_gvec_dup_imm(ES_64, get_field(s, v1),
++            hiaddr = UINT32_MAX;
-+                         generate_byte_mask(i2 & 0xff));
+         } else {
-     } else {
+             offset = -(HI_COMMPAGE & -align);
          TCGv_i64 t = tcg_temp_new_i64();
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vgm(DisasContext *s, DisasOps *o)
          }
+@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
+         loaddr = MIN(loaddr, LO_COMMPAGE & -align);
      }
--    gen_gvec_dupi(es, get_field(s, v1), mask);
+-    addr = pgb_find_hole(loaddr, hiaddr - loaddr, align, offset);
-+    gen_gvec_dup_imm(es, get_field(s, v1), mask);
++    addr = pgb_find_hole(loaddr, hiaddr - loaddr + 1, align, offset);
-     return DISAS_NEXT;
+     if (addr == -1) {
- }
+         /*
+          * If HI_COMMPAGE, there *might* be a non-consecutive allocation
-@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vllez(DisasContext *s, DisasOps *o)
+@@ -XXX,XX +XXX,XX @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
+     if (guest_hiaddr > reserved_va) {
-     t = tcg_temp_new_i64();
+         error_report("%s: requires more than reserved virtual "
-     tcg_gen_qemu_ld_i64(t, o->addr1, get_mem_index(s), MO_TE | es);
+                      "address space (0x%" PRIx64 " > 0x%lx)",
--    zero_vec(get_field(s, v1));
+-                     image_name, (uint64_t)guest_hiaddr, reserved_va);
-+    gen_gvec_dup_imm(es, get_field(s, v1), 0);
++                     image_name, (uint64_t)guest_hiaddr + 1, reserved_va);
-     write_vec_element_i64(t, get_field(s, v1), enr, es);
+         exit(EXIT_FAILURE);
      tcg_temp_free_i64(t);
      return DISAS_NEXT;
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vrepi(DisasContext *s, DisasOps *o)
          return DISAS_NORETURN;
      }
--    gen_gvec_dupi(es, get_field(s, v1), data);
+@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
-+    gen_gvec_dup_imm(es, get_field(s, v1), data);
+             if (a < loaddr) {
-     return DISAS_NEXT;
+                 loaddr = a;
- }
+             }
+-            a = eppnt->p_vaddr + eppnt->p_memsz;
-@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vcksm(DisasContext *s, DisasOps *o)
++            a = eppnt->p_vaddr + eppnt->p_memsz - 1;
-         read_vec_element_i32(tmp, get_field(s, v2), i, ES_32);
+             if (a > hiaddr) {
-         tcg_gen_add2_i32(tmp, sum, sum, sum, tmp, tmp);
+                 hiaddr = a;
-     }
+             }
--    zero_vec(get_field(s, v1));
+@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
-+    gen_gvec_dup_imm(ES_32, get_field(s, v1), 0);
+      * In both cases, we will overwrite pages in this range with mappings
-     write_vec_element_i32(sum, get_field(s, v1), 1, ES_32);
+      * from the executable.
+      */
-     tcg_temp_free_i32(tmp);
+-    load_addr = target_mmap(loaddr, hiaddr - loaddr, PROT_NONE,
 +    load_addr = target_mmap(loaddr, (size_t)hiaddr - loaddr + 1, PROT_NONE,
                              MAP_PRIVATE | MAP_ANON | MAP_NORESERVE |
                              (ehdr->e_type == ET_EXEC ? MAP_FIXED : 0),
                              -1, 0);
 diff --git a/linux-user/flatload.c b/linux-user/flatload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/flatload.c
 +++ b/linux-user/flatload.c
@@ -XXX,XX +XXX,XX @@ static int load_flat_file(struct linux_binprm * bprm,
       * Allocate the address space.
       */
      probe_guest_base(bprm->filename, 0,
 -                     text_len + data_len + extra + indx_len);
 +                     text_len + data_len + extra + indx_len - 1);
      /*
       * there are a couple of cases here,  the separate code/data
 --
-.20.1
+.34.1

-New patch
+[PULL 11/15] include/exec: Change reserved_va semantics to last byte
+Change the semantics to be the last byte of the guest va, rather
 than the following byte.  This avoids some overflow conditions.
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/cpu-all.h      | 11 ++++++++++-
  linux-user/arm/target_cpu.h |  2 +-
  bsd-user/main.c             | 10 +++-------
  bsd-user/mmap.c             |  4 ++--
  linux-user/elfload.c        | 14 +++++++-------
  linux-user/main.c           | 27 +++++++++++++--------------
  linux-user/mmap.c           |  4 ++--
 files changed, 38 insertions(+), 34 deletions(-)
 diff --git a/include/exec/cpu-all.h b/include/exec/cpu-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu-all.h
 +++ b/include/exec/cpu-all.h
@@ -XXX,XX +XXX,XX @@ static inline void tswap64s(uint64_t *s)
   */
  extern uintptr_t guest_base;
  extern bool have_guest_base;
 +
 +/*
 + * If non-zero, the guest virtual address space is a contiguous subset
 + * of the host virtual address space, i.e. '-R reserved_va' is in effect
 + * either from the command-line or by default.  The value is the last
 + * byte of the guest address space e.g. UINT32_MAX.
 + *
 + * If zero, the host and guest virtual address spaces are intermingled.
 + */
  extern unsigned long reserved_va;
  /*
@@ -XXX,XX +XXX,XX @@ extern unsigned long reserved_va;
  #define GUEST_ADDR_MAX_                                                 \
      ((MIN_CONST(TARGET_VIRT_ADDR_SPACE_BITS, TARGET_ABI_BITS) <= 32) ?  \
       UINT32_MAX : ~0ul)
 -#define GUEST_ADDR_MAX    (reserved_va ? reserved_va - 1 : GUEST_ADDR_MAX_)
 +#define GUEST_ADDR_MAX    (reserved_va ? : GUEST_ADDR_MAX_)
  #else
 diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/arm/target_cpu.h
 +++ b/linux-user/arm/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
           * the high addresses.  Restrict linux-user to the
           * cached write-back RAM in the system map.
           */
 -        return 0x80000000ul;
 +        return 0x7ffffffful;
      } else {
          /*
           * We need to be able to map the commpage.
 diff --git a/bsd-user/main.c b/bsd-user/main.c
 index XXXXXXX..XXXXXXX 100644
 --- a/bsd-user/main.c
 +++ b/bsd-user/main.c
@@ -XXX,XX +XXX,XX @@ bool have_guest_base;
  # if HOST_LONG_BITS > TARGET_VIRT_ADDR_SPACE_BITS
  #  if TARGET_VIRT_ADDR_SPACE_BITS == 32 && \
        (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
 -/*
 - * There are a number of places where we assign reserved_va to a variable
 - * of type abi_ulong and expect it to fit.  Avoid the last page.
 - */
 -#   define MAX_RESERVED_VA  (0xfffffffful & TARGET_PAGE_MASK)
 +#   define MAX_RESERVED_VA  0xfffffffful
  #  else
 -#   define MAX_RESERVED_VA  (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
 +#   define MAX_RESERVED_VA  ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
  #  endif
  # else
  #  define MAX_RESERVED_VA  0
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv)
      envlist_free(envlist);
      if (reserved_va) {
 -            mmap_next_start = reserved_va;
 +        mmap_next_start = reserved_va + 1;
      }
      {
 diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/bsd-user/mmap.c
 +++ b/bsd-user/mmap.c
@@ -XXX,XX +XXX,XX @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
      size = HOST_PAGE_ALIGN(size) + alignment;
      end_addr = start + size;
      if (end_addr > reserved_va) {
 -        end_addr = reserved_va;
 +        end_addr = reserved_va + 1;
      }
      addr = end_addr - qemu_host_page_size;
@@ -XXX,XX +XXX,XX @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
              if (looped) {
                  return (abi_ulong)-1;
              }
 -            end_addr = reserved_va;
 +            end_addr = reserved_va + 1;
              addr = end_addr - qemu_host_page_size;
              looped = 1;
              continue;
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
       * has specified -R reserved_va, which would trigger an assert().
       */
      if (reserved_va != 0 &&
 -        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
 +        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE - 1 > reserved_va) {
          error_report("Cannot allocate vsyscall page");
          exit(EXIT_FAILURE);
      }
@@ -XXX,XX +XXX,XX @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
          if (guest_hiaddr > reserved_va) {
              error_report("%s: requires more than reserved virtual "
                           "address space (0x%" PRIx64 " > 0x%lx)",
 -                         image_name, (uint64_t)guest_hiaddr + 1, reserved_va);
 +                         image_name, (uint64_t)guest_hiaddr, reserved_va);
              exit(EXIT_FAILURE);
          }
      } else {
@@ -XXX,XX +XXX,XX @@ static void pgb_have_guest_base(const char *image_name, abi_ulong guest_loaddr,
      if (reserved_va) {
          guest_loaddr = (guest_base >= mmap_min_addr ? 0
                          : mmap_min_addr - guest_base);
 -        guest_hiaddr = reserved_va - 1;
 +        guest_hiaddr = reserved_va;
      }
      /* Reserve the address space for the binary, or reserved_va. */
@@ -XXX,XX +XXX,XX @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
      if (guest_hiaddr > reserved_va) {
          error_report("%s: requires more than reserved virtual "
                       "address space (0x%" PRIx64 " > 0x%lx)",
 -                     image_name, (uint64_t)guest_hiaddr + 1, reserved_va);
 +                     image_name, (uint64_t)guest_hiaddr, reserved_va);
          exit(EXIT_FAILURE);
      }
@@ -XXX,XX +XXX,XX @@ static void pgb_reserved_va(const char *image_name, abi_ulong guest_loaddr,
      /* Reserve the memory on the host. */
      assert(guest_base != 0);
      test = g2h_untagged(0);
 -    addr = mmap(test, reserved_va, PROT_NONE, flags, -1, 0);
 +    addr = mmap(test, reserved_va + 1, PROT_NONE, flags, -1, 0);
      if (addr == MAP_FAILED || addr != test) {
          error_report("Unable to reserve 0x%lx bytes of virtual address "
                       "space at %p (%s) for use as guest address space (check your "
                       "virtual memory ulimit setting, min_mmap_addr or reserve less "
 -                     "using -R option)", reserved_va, test, strerror(errno));
 +                     "using -R option)", reserved_va + 1, test, strerror(errno));
          exit(EXIT_FAILURE);
      }
      qemu_log_mask(CPU_LOG_PAGE, "%s: base @ %p for %lu bytes\n",
 -                  __func__, addr, reserved_va);
 +                  __func__, addr, reserved_va + 1);
  }
  void probe_guest_base(const char *image_name, abi_ulong guest_loaddr,
 diff --git a/linux-user/main.c b/linux-user/main.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/main.c
 +++ b/linux-user/main.c
@@ -XXX,XX +XXX,XX @@ static const char *last_log_filename;
  # if HOST_LONG_BITS > TARGET_VIRT_ADDR_SPACE_BITS
  #  if TARGET_VIRT_ADDR_SPACE_BITS == 32 && \
        (TARGET_LONG_BITS == 32 || defined(TARGET_ABI32))
 -/* There are a number of places where we assign reserved_va to a variable
 -   of type abi_ulong and expect it to fit.  Avoid the last page.  */
 -#   define MAX_RESERVED_VA(CPU)  (0xfffffffful & TARGET_PAGE_MASK)
 +#   define MAX_RESERVED_VA(CPU)  0xfffffffful
  #  else
 -#   define MAX_RESERVED_VA(CPU)  (1ul << TARGET_VIRT_ADDR_SPACE_BITS)
 +#   define MAX_RESERVED_VA(CPU)  ((1ul << TARGET_VIRT_ADDR_SPACE_BITS) - 1)
  #  endif
  # else
  #  define MAX_RESERVED_VA(CPU)  0
@@ -XXX,XX +XXX,XX @@ static void handle_arg_reserved_va(const char *arg)
  {
      char *p;
      int shift = 0;
 -    reserved_va = strtoul(arg, &p, 0);
 +    unsigned long val;
 +
 +    val = strtoul(arg, &p, 0);
      switch (*p) {
      case 'k':
      case 'K':
@@ -XXX,XX +XXX,XX @@ static void handle_arg_reserved_va(const char *arg)
          break;
      }
      if (shift) {
 -        unsigned long unshifted = reserved_va;
 +        unsigned long unshifted = val;
          p++;
 -        reserved_va <<= shift;
 -        if (reserved_va >> shift != unshifted) {
 +        val <<= shift;
 +        if (val >> shift != unshifted) {
              fprintf(stderr, "Reserved virtual address too big\n");
              exit(EXIT_FAILURE);
          }
@@ -XXX,XX +XXX,XX @@ static void handle_arg_reserved_va(const char *arg)
          fprintf(stderr, "Unrecognised -R size suffix '%s'\n", p);
          exit(EXIT_FAILURE);
      }
 +    /* The representation is size - 1, with 0 remaining "default". */
 +    reserved_va = val ? val - 1 : 0;
  }
  static void handle_arg_singlestep(const char *arg)
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
       */
      max_reserved_va = MAX_RESERVED_VA(cpu);
      if (reserved_va != 0) {
 -        if (reserved_va % qemu_host_page_size) {
 +        if ((reserved_va + 1) % qemu_host_page_size) {
              char *s = size_to_str(qemu_host_page_size);
              fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
              g_free(s);
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
              exit(EXIT_FAILURE);
          }
      } else if (HOST_LONG_BITS == 64 && TARGET_VIRT_ADDR_SPACE_BITS <= 32) {
 -        /*
 -         * reserved_va must be aligned with the host page size
 -         * as it is used with mmap()
 -         */
 -        reserved_va = max_reserved_va & qemu_host_page_mask;
 +        /* MAX_RESERVED_VA + 1 is a large power of 2, so is aligned. */
 +        reserved_va = max_reserved_va;
      }
      {
 diff --git a/linux-user/mmap.c b/linux-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/mmap.c
 +++ b/linux-user/mmap.c
@@ -XXX,XX +XXX,XX @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
      end_addr = start + size;
      if (start > reserved_va - size) {
          /* Start at the top of the address space.  */
 -        end_addr = ((reserved_va - size) & -align) + size;
 +        end_addr = ((reserved_va + 1 - size) & -align) + size;
          looped = true;
      }
@@ -XXX,XX +XXX,XX @@ static abi_ulong mmap_find_vma_reserved(abi_ulong start, abi_ulong size,
                  return (abi_ulong)-1;
              }
              /* Re-start at the top of the address space.  */
 -            addr = end_addr = ((reserved_va - size) & -align) + size;
 +            addr = end_addr = ((reserved_va + 1 - size) & -align) + size;
              looped = true;
          } else {
              prot = page_get_flags(addr);
 --
 .34.1

-[PULL 08/10] tcg: Improve vector tail clearing
+[PULL 12/15] linux-user/arm: Take more care allocating commpage
-Better handling of non-power-of-2 tails as seen with Arm 8-byte
+User setting of -R reserved_va can lead to an assertion
-vector operations.
+failure in page_set_flags.  Sanity check the value of
 reserved_va and print an error message instead.  Do not
 allocate a commpage at all for m-profile cpus.
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- tcg/tcg-op-gvec.c | 82 ++++++++++++++++++++++++++++++++++++-----------
+ linux-user/elfload.c | 37 +++++++++++++++++++++++++++----------
-file changed, 63 insertions(+), 19 deletions(-)
+file changed, 27 insertions(+), 10 deletions(-)
-diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
+diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg-op-gvec.c
+--- a/linux-user/elfload.c
-+++ b/tcg/tcg-op-gvec.c
++++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_5_ptr(uint32_t dofs, uint32_t aofs, uint32_t bofs,
+@@ -XXX,XX +XXX,XX @@ enum {
-    in units of LNSZ.  This limits the expansion of inline code.  */
- static inline bool check_size_impl(uint32_t oprsz, uint32_t lnsz)
+ static bool init_guest_commpage(void)
  {
--    if (oprsz % lnsz == 0) {
+-    abi_ptr commpage = HI_COMMPAGE & -qemu_host_page_size;
--        uint32_t lnct = oprsz / lnsz;
+-    void *want = g2h_untagged(commpage);
--        return lnct >= 1 && lnct <= MAX_UNROLL;
+-    void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
-+    uint32_t q, r;
+-                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
-+
++    ARMCPU *cpu = ARM_CPU(thread_cpu);
-+    if (oprsz < lnsz) {
++    abi_ptr want = HI_COMMPAGE & TARGET_PAGE_MASK;
-+        return false;
++    abi_ptr addr;
-     }
--    return false;
+-    if (addr == MAP_FAILED) {
-+
++    /*
-+    q = oprsz / lnsz;
++     * M-profile allocates maximum of 2GB address space, so can never
-+    r = oprsz % lnsz;
++     * allocate the commpage.  Skip it.
-+    tcg_debug_assert((r & 7) == 0);
++     */
-+
++    if (arm_feature(&cpu->env, ARM_FEATURE_M)) {
-+    if (lnsz < 16) {
++        return true;
 +        /* For sizes below 16, accept no remainder. */
 +        if (r != 0) {
 +            return false;
 +        }
 +    } else {
 +        /*
 +         * Recall that ARM SVE allows vector sizes that are not a
 +         * power of 2, but always a multiple of 16.  The intent is
 +         * that e.g. size == 80 would be expanded with 2x32 + 1x16.
 +         * In addition, expand_clr needs to handle a multiple of 8.
 +         * Thus we can handle the tail with one more operation per
 +         * diminishing power of 2.
 +         */
 +        q += ctpop32(r);
 +    }
 +
-+    return q <= MAX_UNROLL;
- }
- static void expand_clr(uint32_t dofs, uint32_t maxsz);
-@@ -XXX,XX +XXX,XX @@ static void gen_dup_i64(unsigned vece, TCGv_i64 out, TCGv_i64 in)
- static TCGType choose_vector_type(const TCGOpcode *list, unsigned vece,
-                                   uint32_t size, bool prefer_i64)
- {
--    if (TCG_TARGET_HAS_v256 && check_size_impl(size, 32)) {
--        /*
--         * Recall that ARM SVE allows vector sizes that are not a
--         * power of 2, but always a multiple of 16.  The intent is
--         * that e.g. size == 80 would be expanded with 2x32 + 1x16.
--         * It is hard to imagine a case in which v256 is supported
--         * but v128 is not, but check anyway.
--         */
--        if (tcg_can_emit_vecop_list(list, TCG_TYPE_V256, vece)
--            && (size % 32 == 0
--                || tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece))) {
--            return TCG_TYPE_V256;
--        }
 +    /*
-+     * Recall that ARM SVE allows vector sizes that are not a
++     * If reserved_va does not cover the commpage, we get an assert
-+     * power of 2, but always a multiple of 16.  The intent is
++     * in page_set_flags.  Produce an intelligent error instead.
 +     * that e.g. size == 80 would be expanded with 2x32 + 1x16.
 +     * It is hard to imagine a case in which v256 is supported
 +     * but v128 is not, but check anyway.
 +     * In addition, expand_clr needs to handle a multiple of 8.
 +     */
-+    if (TCG_TARGET_HAS_v256 &&
++    if (reserved_va != 0 && want + TARGET_PAGE_SIZE - 1 > reserved_va) {
-+        check_size_impl(size, 32) &&
++        error_report("Allocating guest commpage: -R 0x%" PRIx64 " too small",
-+        tcg_can_emit_vecop_list(list, TCG_TYPE_V256, vece) &&
++                     (uint64_t)reserved_va + 1);
-+        (!(size & 16) ||
++        exit(EXIT_FAILURE);
 +         (TCG_TARGET_HAS_v128 &&
 +          tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece))) &&
 +        (!(size & 8) ||
 +         (TCG_TARGET_HAS_v64 &&
 +          tcg_can_emit_vecop_list(list, TCG_TYPE_V64, vece)))) {
 +        return TCG_TYPE_V256;
      }
 -    if (TCG_TARGET_HAS_v128 && check_size_impl(size, 16)
 -        && tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece)) {
 +    if (TCG_TARGET_HAS_v128 &&
 +        check_size_impl(size, 16) &&
 +        tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece) &&
 +        (!(size & 8) ||
 +         (TCG_TARGET_HAS_v64 &&
 +          tcg_can_emit_vecop_list(list, TCG_TYPE_V64, vece)))) {
          return TCG_TYPE_V128;
      }
      if (TCG_TARGET_HAS_v64 && !prefer_i64 && check_size_impl(size, 8)
@@ -XXX,XX +XXX,XX @@ static void do_dup_store(TCGType type, uint32_t dofs, uint32_t oprsz,
  {
      uint32_t i = 0;
 +    tcg_debug_assert(oprsz >= 8);
 +
 +    /*
 +     * This may be expand_clr for the tail of an operation, e.g.
 +     * oprsz == 8 && maxsz == 64.  The first 8 bytes of this store
 +     * are misaligned wrt the maximum vector size, so do that first.
 +     */
 +    if (dofs & 8) {
 +        tcg_gen_stl_vec(t_vec, cpu_env, dofs + i, TCG_TYPE_V64);
 +        i += 8;
 +    }
 +
-     switch (type) {
++    addr = target_mmap(want, TARGET_PAGE_SIZE, PROT_READ | PROT_WRITE,
-     case TCG_TYPE_V256:
++                       MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
-         /*
++
 +    if (addr == -1) {
          perror("Allocating guest commpage");
          exit(EXIT_FAILURE);
      }
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
      }
      /* Set kernel helper versions; rest of page is 0.  */
 -    __put_user(5, (uint32_t *)g2h_untagged(0xffff0ffcu));
 +    put_user_u32(5, 0xffff0ffcu);
 -    if (mprotect(addr, qemu_host_page_size, PROT_READ)) {
 +    if (target_mprotect(addr, qemu_host_page_size, PROT_READ | PROT_EXEC)) {
          perror("Protecting guest commpage");
          exit(EXIT_FAILURE);
      }
 -
 -    page_set_flags(commpage, commpage | ~qemu_host_page_mask,
 -                   PAGE_READ | PAGE_EXEC | PAGE_VALID);
      return true;
  }
 --
-.20.1
+.34.1

-[PULL 01/10] tcg: Add tcg_gen_gvec_dup_imm
+[PULL 13/15] softmmu: Restrict cpu_check_watchpoint / address_matches to TCG accel
-Add a version of tcg_gen_dup_* that takes both immediate and
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
 a vector element size operand.  This will replace the set of
 tcg_gen_gvec_dup{8,16,32,64}i functions that encode the element
 size within the function name.
-Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
+Both cpu_check_watchpoint() and cpu_watchpoint_address_matches()
-Reviewed-by: David Hildenbrand <david@redhat.com>
+are specific to TCG system emulation. Declare them in "tcg-cpu-ops.h"
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+to be sure accessing them from non-TCG code is a compilation error.
 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-Id: <20230328173117.15226-2-philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/tcg/tcg-op-gvec.h | 2 ++
+ include/hw/core/cpu.h         | 37 ------------------------------
- tcg/tcg-op-gvec.c         | 7 +++++++
+ include/hw/core/tcg-cpu-ops.h | 43 +++++++++++++++++++++++++++++++++++
-files changed, 9 insertions(+)
+ target/arm/tcg/mte_helper.c   |  1 +
  target/arm/tcg/sve_helper.c   |  1 +
  target/s390x/tcg/mem_helper.c |  1 +
 files changed, 46 insertions(+), 37 deletions(-)
-diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
+diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/include/tcg/tcg-op-gvec.h
+--- a/include/hw/core/cpu.h
-+++ b/include/tcg/tcg-op-gvec.h
++++ b/include/hw/core/cpu.h
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_ors(unsigned vece, uint32_t dofs, uint32_t aofs,
+@@ -XXX,XX +XXX,XX @@ static inline void cpu_watchpoint_remove_by_ref(CPUState *cpu,
+ static inline void cpu_watchpoint_remove_all(CPUState *cpu, int mask)
- void tcg_gen_gvec_dup_mem(unsigned vece, uint32_t dofs, uint32_t aofs,
+ {
-                           uint32_t s, uint32_t m);
+ }
-+void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t s,
+-
-+                          uint32_t m, uint64_t imm);
+-static inline void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
- void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
+-                                        MemTxAttrs atr, int fl, uintptr_t ra)
-                           uint32_t m, TCGv_i32);
+-{
- void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
+-}
-diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
+-
 -static inline int cpu_watchpoint_address_matches(CPUState *cpu,
 -                                                 vaddr addr, vaddr len)
 -{
 -    return 0;
 -}
  #else
  int cpu_watchpoint_insert(CPUState *cpu, vaddr addr, vaddr len,
                            int flags, CPUWatchpoint **watchpoint);
@@ -XXX,XX +XXX,XX @@ int cpu_watchpoint_remove(CPUState *cpu, vaddr addr,
                            vaddr len, int flags);
  void cpu_watchpoint_remove_by_ref(CPUState *cpu, CPUWatchpoint *watchpoint);
  void cpu_watchpoint_remove_all(CPUState *cpu, int mask);
 -
 -/**
 - * cpu_check_watchpoint:
 - * @cpu: cpu context
 - * @addr: guest virtual address
 - * @len: access length
 - * @attrs: memory access attributes
 - * @flags: watchpoint access type
 - * @ra: unwind return address
 - *
 - * Check for a watchpoint hit in [addr, addr+len) of the type
 - * specified by @flags.  Exit via exception with a hit.
 - */
 -void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
 -                          MemTxAttrs attrs, int flags, uintptr_t ra);
 -
 -/**
 - * cpu_watchpoint_address_matches:
 - * @cpu: cpu context
 - * @addr: guest virtual address
 - * @len: access length
 - *
 - * Return the watchpoint flags that apply to [addr, addr+len).
 - * If no watchpoint is registered for the range, the result is 0.
 - */
 -int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len);
  #endif
  /**
 diff --git a/include/hw/core/tcg-cpu-ops.h b/include/hw/core/tcg-cpu-ops.h
 index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg-op-gvec.c
+--- a/include/hw/core/tcg-cpu-ops.h
-+++ b/tcg/tcg-op-gvec.c
++++ b/include/hw/core/tcg-cpu-ops.h
-@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t oprsz,
+@@ -XXX,XX +XXX,XX @@ struct TCGCPUOps {
-     do_dup(MO_8, dofs, oprsz, maxsz, NULL, NULL, x);
- }
+ };
-+void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t oprsz,
++#if defined(CONFIG_USER_ONLY)
-+                          uint32_t maxsz, uint64_t x)
++
 +static inline void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
 +                                        MemTxAttrs atr, int fl, uintptr_t ra)
 +{
-+    check_size_align(oprsz, maxsz, dofs);
-+    do_dup(vece, dofs, oprsz, maxsz, NULL, NULL, x);
 +}
 +
- void tcg_gen_gvec_not(unsigned vece, uint32_t dofs, uint32_t aofs,
++static inline int cpu_watchpoint_address_matches(CPUState *cpu,
-                       uint32_t oprsz, uint32_t maxsz)
++                                                 vaddr addr, vaddr len)
- {
++{
 +    return 0;
 +}
 +
 +#else
 +
 +/**
 + * cpu_check_watchpoint:
 + * @cpu: cpu context
 + * @addr: guest virtual address
 + * @len: access length
 + * @attrs: memory access attributes
 + * @flags: watchpoint access type
 + * @ra: unwind return address
 + *
 + * Check for a watchpoint hit in [addr, addr+len) of the type
 + * specified by @flags.  Exit via exception with a hit.
 + */
 +void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
 +                          MemTxAttrs attrs, int flags, uintptr_t ra);
 +
 +/**
 + * cpu_watchpoint_address_matches:
 + * @cpu: cpu context
 + * @addr: guest virtual address
 + * @len: access length
 + *
 + * Return the watchpoint flags that apply to [addr, addr+len).
 + * If no watchpoint is registered for the range, the result is 0.
 + */
 +int cpu_watchpoint_address_matches(CPUState *cpu, vaddr addr, vaddr len);
 +
 +#endif
 +
  #endif /* TCG_CPU_OPS_H */
 diff --git a/target/arm/tcg/mte_helper.c b/target/arm/tcg/mte_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/mte_helper.c
 +++ b/target/arm/tcg/mte_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/ram_addr.h"
  #include "exec/cpu_ldst.h"
  #include "exec/helper-proto.h"
 +#include "hw/core/tcg-cpu-ops.h"
  #include "qapi/error.h"
  #include "qemu/guest-random.h"
 diff --git a/target/arm/tcg/sve_helper.c b/target/arm/tcg/sve_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/tcg/sve_helper.c
 +++ b/target/arm/tcg/sve_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "tcg/tcg.h"
  #include "vec_internal.h"
  #include "sve_ldst_internal.h"
 +#include "hw/core/tcg-cpu-ops.h"
  /* Return a value for NZCV as per the ARM PredTest pseudofunction.
 diff --git a/target/s390x/tcg/mem_helper.c b/target/s390x/tcg/mem_helper.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/tcg/mem_helper.c
 +++ b/target/s390x/tcg/mem_helper.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/helper-proto.h"
  #include "exec/exec-all.h"
  #include "exec/cpu_ldst.h"
 +#include "hw/core/tcg-cpu-ops.h"
  #include "qemu/int128.h"
  #include "qemu/atomic128.h"
  #include "trace.h"
 --
-.20.1
+.34.1

-New patch
+[PULL 14/15] softmmu/watchpoint: Add missing 'qemu/error-report.h' include
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
+cpu_watchpoint_insert() calls error_report() which is declared
+in "qemu/error-report.h". When moving this code in commit 2609ec2868
+("softmmu: Extract watchpoint API from physmem.c") we neglected to
+include this header. This works so far because it is indirectly
+included by TCG headers -> "qemu/plugin.h" -> "qemu/error-report.h".
+Currently cpu_watchpoint_insert() is only built with the TCG
+accelerator. When building it with other ones (or without TCG)
+we get:
+  softmmu/watchpoint.c:38:9: error: implicit declaration of function 'error_report' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
+        error_report("tried to set invalid watchpoint at %"
+        ^
+Include "qemu/error-report.h" in order to fix this for non-TCG
+builds.
+Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Message-Id: <20230328173117.15226-3-philmd@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ softmmu/watchpoint.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/softmmu/watchpoint.c b/softmmu/watchpoint.c
+index XXXXXXX..XXXXXXX 100644
+--- a/softmmu/watchpoint.c
++++ b/softmmu/watchpoint.c
+@@ -XXX,XX +XXX,XX @@
+ #include "qemu/osdep.h"
+ #include "qemu/main-loop.h"
++#include "qemu/error-report.h"
+ #include "exec/exec-all.h"
+ #include "exec/translate-all.h"
+ #include "sysemu/tcg.h"
+--
+.34.1

-[PULL 04/10] target/arm: Use tcg_gen_gvec_dup_imm
+[PULL 15/15] softmmu: Restore use of CPU watchpoint for all accelerators
-In a few cases, we're able to remove some manual replication.
+From: Philippe Mathieu-Daudé <philmd@linaro.org>
-Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+CPU watchpoints can be use by non-TCG accelerators.
 KVM uses them:
   $ git grep CPUWatchpoint|fgrep kvm
   target/arm/kvm64.c:1558:        CPUWatchpoint *wp = find_hw_watchpoint(cs, debug_exit->far);
   target/i386/kvm/kvm.c:5216:static CPUWatchpoint hw_watchpoint;
   target/ppc/kvm.c:443:static CPUWatchpoint hw_watchpoint;
   target/s390x/kvm/kvm.c:139:static CPUWatchpoint hw_watchpoint;
 See for example commit e4482ab7e3 ("target-arm: kvm - add support
 for HW assisted debug"):
      This adds basic support for HW assisted debug. The ioctl interface
      to KVM allows us to pass an implementation defined number of break
      and watch point registers. [...]
 This partially reverts commit 2609ec2868e6c286e755a73b4504714a0296a.
 Fixes: 2609ec2868 ("softmmu: Extract watchpoint API from physmem.c")
 Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Message-Id: <20230328173117.15226-4-philmd@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/arm/translate-a64.c | 10 +++++-----
+ include/hw/core/cpu.h | 2 +-
- target/arm/translate-sve.c | 12 +++++-------
+ softmmu/watchpoint.c  | 4 ++++
- target/arm/translate.c     |  9 ++++++---
+ softmmu/meson.build   | 2 +-
-files changed, 16 insertions(+), 15 deletions(-)
+files changed, 6 insertions(+), 2 deletions(-)
-diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
+diff --git a/include/hw/core/cpu.h b/include/hw/core/cpu.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate-a64.c
+--- a/include/hw/core/cpu.h
-+++ b/target/arm/translate-a64.c
++++ b/include/hw/core/cpu.h
-@@ -XXX,XX +XXX,XX @@ static void clear_vec_high(DisasContext *s, bool is_q, int rd)
+@@ -XXX,XX +XXX,XX @@ static inline bool cpu_breakpoint_test(CPUState *cpu, vaddr pc, int mask)
-         tcg_temp_free_i64(tcg_zero);
+     return false;
-     }
+ }
-     if (vsz > 16) {
--        tcg_gen_gvec_dup8i(ofs + 16, vsz - 16, vsz - 16, 0);
+-#if !defined(CONFIG_TCG) || defined(CONFIG_USER_ONLY)
-+        tcg_gen_gvec_dup_imm(MO_64, ofs + 16, vsz - 16, vsz - 16, 0);
++#if defined(CONFIG_USER_ONLY)
  static inline int cpu_watchpoint_insert(CPUState *cpu, vaddr addr, vaddr len,
                                          int flags, CPUWatchpoint **watchpoint)
  {
 diff --git a/softmmu/watchpoint.c b/softmmu/watchpoint.c
 index XXXXXXX..XXXXXXX 100644
 --- a/softmmu/watchpoint.c
 +++ b/softmmu/watchpoint.c
@@ -XXX,XX +XXX,XX @@ void cpu_watchpoint_remove_all(CPUState *cpu, int mask)
      }
  }
-@@ -XXX,XX +XXX,XX @@ static void disas_simd_mod_imm(DisasContext *s, uint32_t insn)
++#ifdef CONFIG_TCG
++
-     if (!((cmode & 0x9) == 0x1 || (cmode & 0xd) == 0x9)) {
+ /*
-         /* MOVI or MVNI, with MVNI negation handled above.  */
+  * Return true if this watchpoint address matches the specified
--        tcg_gen_gvec_dup64i(vec_full_reg_offset(s, rd), is_q ? 16 : 8,
+  * access (ie the address range covered by the watchpoint overlaps
--                            vec_full_reg_size(s), imm);
+@@ -XXX,XX +XXX,XX @@ void cpu_check_watchpoint(CPUState *cpu, vaddr addr, vaddr len,
 +        tcg_gen_gvec_dup_imm(MO_64, vec_full_reg_offset(s, rd), is_q ? 16 : 8,
 +                             vec_full_reg_size(s), imm);
      } else {
          /* ORR or BIC, with BIC negation to AND handled above.  */
          if (is_neg) {
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
          if (is_u) {
              if (shift == 8 << size) {
                  /* Shift count the same size as element size produces zero.  */
 -                tcg_gen_gvec_dup8i(vec_full_reg_offset(s, rd),
 -                                   is_q ? 16 : 8, vec_full_reg_size(s), 0);
 +                tcg_gen_gvec_dup_imm(size, vec_full_reg_offset(s, rd),
 +                                     is_q ? 16 : 8, vec_full_reg_size(s), 0);
              } else {
                  gen_gvec_fn2i(s, is_q, rd, rn, shift, tcg_gen_gvec_shri, size);
              }
 diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-sve.c
 +++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_mov_z(DisasContext *s, int rd, int rn)
  static void do_dupi_z(DisasContext *s, int rd, uint64_t word)
  {
      unsigned vsz = vec_full_reg_size(s);
 -    tcg_gen_gvec_dup64i(vec_full_reg_offset(s, rd), vsz, vsz, word);
 +    tcg_gen_gvec_dup_imm(MO_64, vec_full_reg_offset(s, rd), vsz, vsz, word);
  }
  /* Invoke a vector expander on two Pregs.  */
@@ -XXX,XX +XXX,XX @@ static bool do_predset(DisasContext *s, int esz, int rd, int pat, bool setflag)
          unsigned oprsz = size_for_gvec(setsz / 8);
          if (oprsz * 8 == setsz) {
 -            tcg_gen_gvec_dup64i(ofs, oprsz, maxsz, word);
 +            tcg_gen_gvec_dup_imm(MO_64, ofs, oprsz, maxsz, word);
              goto done;
          }
      }
-@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_x(DisasContext *s, arg_DUP_x *a)
-             unsigned nofs = vec_reg_offset(s, a->rn, index, esz);
-             tcg_gen_gvec_dup_mem(esz, dofs, nofs, vsz, vsz);
-         } else {
--            tcg_gen_gvec_dup64i(dofs, vsz, vsz, 0);
-+            tcg_gen_gvec_dup_imm(esz, dofs, vsz, vsz, 0);
-         }
-     }
-     return true;
-@@ -XXX,XX +XXX,XX @@ static bool trans_FDUP(DisasContext *s, arg_FDUP *a)
-         /* Decode the VFP immediate.  */
-         imm = vfp_expand_imm(a->esz, a->imm);
--        imm = dup_const(a->esz, imm);
--
--        tcg_gen_gvec_dup64i(dofs, vsz, vsz, imm);
-+        tcg_gen_gvec_dup_imm(a->esz, dofs, vsz, vsz, imm);
-     }
-     return true;
  }
-@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_i(DisasContext *s, arg_DUP_i *a)
++
-         unsigned vsz = vec_full_reg_size(s);
++#endif /* CONFIG_TCG */
-         int dofs = vec_full_reg_offset(s, a->rd);
+diff --git a/softmmu/meson.build b/softmmu/meson.build
 -        tcg_gen_gvec_dup64i(dofs, vsz, vsz, dup_const(a->esz, a->imm));
 +        tcg_gen_gvec_dup_imm(a->esz, dofs, vsz, vsz, a->imm);
      }
      return true;
  }
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/arm/translate.c
+--- a/softmmu/meson.build
-+++ b/target/arm/translate.c
++++ b/softmmu/meson.build
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+@@ -XXX,XX +XXX,XX @@ specific_ss.add(when: 'CONFIG_SOFTMMU', if_true: [files(
-                                           MIN(shift, (8 << size) - 1),
+   'physmem.c',
-                                           vec_size, vec_size);
+   'qtest.c',
-                     } else if (shift >= 8 << size) {
+   'dirtylimit.c',
--                        tcg_gen_gvec_dup8i(rd_ofs, vec_size, vec_size, 0);
++  'watchpoint.c',
-+                        tcg_gen_gvec_dup_imm(MO_8, rd_ofs, vec_size,
+ )])
-+                                             vec_size, 0);
-                     } else {
+ specific_ss.add(when: ['CONFIG_SOFTMMU', 'CONFIG_TCG'], if_true: [files(
-                         tcg_gen_gvec_shri(size, rd_ofs, rm_ofs, shift,
+   'icount.c',
-                                           vec_size, vec_size);
+-  'watchpoint.c',
-@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
+ )])
-                          * architecturally valid and results in zero.
-                          */
+ softmmu_ss.add(files(
                          if (shift >= 8 << size) {
 -                            tcg_gen_gvec_dup8i(rd_ofs, vec_size, vec_size, 0);
 +                            tcg_gen_gvec_dup_imm(size, rd_ofs,
 +                                                 vec_size, vec_size, 0);
                          } else {
                              tcg_gen_gvec_shli(size, rd_ofs, rm_ofs, shift,
                                                vec_size, vec_size);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                      }
                      tcg_temp_free_i64(t64);
                  } else {
 -                    tcg_gen_gvec_dup32i(reg_ofs, vec_size, vec_size, imm);
 +                    tcg_gen_gvec_dup_imm(MO_32, reg_ofs, vec_size,
 +                                         vec_size, imm);
                  }
              }
          }
 --
-.20.1
+.34.1

The following changes since commit a36d64f43325fa503075cc9408ddabb69b32f829:

Merge remote-tracking branch 'remotes/stsquad/tags/pull-testing-and-gdbstub-060520-1' into staging (2020-05-06 14:06:00 +0100)

are available in the Git repository at:

https://github.com/rth7680/qemu.git tags/pull-tcg-20200506

for you to fetch changes up to 07dada0336a83002dfa8673a9220a88e13d9a45c:

tcg: Fix integral argument type to tcg_gen_rot[rl]i_i{32,64} (2020-05-06 09:25:10 -0700)

----------------------------------------------------------------
Add tcg_gen_gvec_dup_imm
Misc tcg patches

----------------------------------------------------------------
Richard Henderson (10):
      tcg: Add tcg_gen_gvec_dup_imm
      target/s390x: Use tcg_gen_gvec_dup_imm
      target/ppc: Use tcg_gen_gvec_dup_imm
      target/arm: Use tcg_gen_gvec_dup_imm
      tcg: Use tcg_gen_gvec_dup_imm in logical simplifications
      tcg: Remove tcg_gen_gvec_dup{8,16,32,64}i
      tcg: Add tcg_gen_gvec_dup_tl
      tcg: Improve vector tail clearing
      tcg: Add load_dest parameter to GVecGen2
      tcg: Fix integral argument type to tcg_gen_rot[rl]i_i{32,64}

Add a version of tcg_gen_dup_* that takes both immediate and
a vector element size operand.  This will replace the set of
tcg_gen_gvec_dup{8,16,32,64}i functions that encode the element
size within the function name.

Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg-op-gvec.h | 2 ++
 tcg/tcg-op-gvec.c         | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_ors(unsigned vece, uint32_t dofs, uint32_t aofs,
 
 void tcg_gen_gvec_dup_mem(unsigned vece, uint32_t dofs, uint32_t aofs,
                           uint32_t s, uint32_t m);
+void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t s,
+                          uint32_t m, uint64_t imm);
 void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
                           uint32_t m, TCGv_i32);
 void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t oprsz,
     do_dup(MO_8, dofs, oprsz, maxsz, NULL, NULL, x);
 }
 
+void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t oprsz,
+                          uint32_t maxsz, uint64_t x)
+{
+    check_size_align(oprsz, maxsz, dofs);
+    do_dup(vece, dofs, oprsz, maxsz, NULL, NULL, x);
+}
+
 void tcg_gen_gvec_not(unsigned vece, uint32_t dofs, uint32_t aofs,
                       uint32_t oprsz, uint32_t maxsz)
 {
-- 
2.20.1

The gen_gvec_dupi switch is unnecessary with the new function.
Replace it with a local gen_gvec_dup_imm that takes care of the
register to offset conversion and length arguments.

Drop zero_vec and use use gen_gvec_dup_imm with 0.

Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/s390x/translate_vx.inc.c | 41 +++++++--------------------------
 1 file changed, 8 insertions(+), 33 deletions(-)

diff --git a/target/s390x/translate_vx.inc.c b/target/s390x/translate_vx.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/translate_vx.inc.c
+++ b/target/s390x/translate_vx.inc.c
@@ -XXX,XX +XXX,XX @@ static void get_vec_element_ptr_i64(TCGv_ptr ptr, uint8_t reg, TCGv_i64 enr,
 #define gen_gvec_mov(v1, v2) \
     tcg_gen_gvec_mov(0, vec_full_reg_offset(v1), vec_full_reg_offset(v2), 16, \
                      16)
-#define gen_gvec_dup64i(v1, c) \
-    tcg_gen_gvec_dup64i(vec_full_reg_offset(v1), 16, 16, c)
+#define gen_gvec_dup_imm(es, v1, c) \
+    tcg_gen_gvec_dup_imm(es, vec_full_reg_offset(v1), 16, 16, c);
 #define gen_gvec_fn_2(fn, es, v1, v2) \
     tcg_gen_gvec_##fn(es, vec_full_reg_offset(v1), vec_full_reg_offset(v2), \
                       16, 16)
@@ -XXX,XX +XXX,XX @@ static void gen_gvec128_4_i64(gen_gvec128_4_i64_fn fn, uint8_t d, uint8_t a,
         tcg_temp_free_i64(cl);
 }
 
-static void gen_gvec_dupi(uint8_t es, uint8_t reg, uint64_t c)
-{
-    switch (es) {
-    case ES_8:
-        tcg_gen_gvec_dup8i(vec_full_reg_offset(reg), 16, 16, c);
-        break;
-    case ES_16:
-        tcg_gen_gvec_dup16i(vec_full_reg_offset(reg), 16, 16, c);
-        break;
-    case ES_32:
-        tcg_gen_gvec_dup32i(vec_full_reg_offset(reg), 16, 16, c);
-        break;
-    case ES_64:
-        gen_gvec_dup64i(reg, c);
-        break;
-    default:
-        g_assert_not_reached();
-    }
-}
-
-static void zero_vec(uint8_t reg)
-{
-    tcg_gen_gvec_dup8i(vec_full_reg_offset(reg), 16, 16, 0);
-}
-
 static void gen_addi2_i64(TCGv_i64 dl, TCGv_i64 dh, TCGv_i64 al, TCGv_i64 ah,
                           uint64_t b)
 {
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vgbm(DisasContext *s, DisasOps *o)
          * Masks for both 64 bit elements of the vector are the same.
          * Trust tcg to produce a good constant loading.
          */
-        gen_gvec_dup64i(get_field(s, v1),
-                        generate_byte_mask(i2 & 0xff));
+        gen_gvec_dup_imm(ES_64, get_field(s, v1),
+                         generate_byte_mask(i2 & 0xff));
     } else {
         TCGv_i64 t = tcg_temp_new_i64();
 
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vgm(DisasContext *s, DisasOps *o)
         }
     }
 
-    gen_gvec_dupi(es, get_field(s, v1), mask);
+    gen_gvec_dup_imm(es, get_field(s, v1), mask);
     return DISAS_NEXT;
 }
 
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vllez(DisasContext *s, DisasOps *o)
 
     t = tcg_temp_new_i64();
     tcg_gen_qemu_ld_i64(t, o->addr1, get_mem_index(s), MO_TE | es);
-    zero_vec(get_field(s, v1));
+    gen_gvec_dup_imm(es, get_field(s, v1), 0);
     write_vec_element_i64(t, get_field(s, v1), enr, es);
     tcg_temp_free_i64(t);
     return DISAS_NEXT;
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vrepi(DisasContext *s, DisasOps *o)
         return DISAS_NORETURN;
     }
 
-    gen_gvec_dupi(es, get_field(s, v1), data);
+    gen_gvec_dup_imm(es, get_field(s, v1), data);
     return DISAS_NEXT;
 }
 
@@ -XXX,XX +XXX,XX @@ static DisasJumpType op_vcksm(DisasContext *s, DisasOps *o)
         read_vec_element_i32(tmp, get_field(s, v2), i, ES_32);
         tcg_gen_add2_i32(tmp, sum, sum, sum, tmp, tmp);
     }
-    zero_vec(get_field(s, v1));
+    gen_gvec_dup_imm(ES_32, get_field(s, v1), 0);
     write_vec_element_i32(sum, get_field(s, v1), 1, ES_32);
 
     tcg_temp_free_i32(tmp);
-- 
2.20.1

We can now unify the implementation of the 3 VSPLTI instructions.

Acked-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/ppc/translate/vmx-impl.inc.c | 32 ++++++++++++++++-------------
 target/ppc/translate/vsx-impl.inc.c |  2 +-
 2 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/target/ppc/translate/vmx-impl.inc.c b/target/ppc/translate/vmx-impl.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate/vmx-impl.inc.c
+++ b/target/ppc/translate/vmx-impl.inc.c
@@ -XXX,XX +XXX,XX @@ GEN_VXRFORM_DUAL(vcmpbfp, PPC_ALTIVEC, PPC_NONE, \
 GEN_VXRFORM_DUAL(vcmpgtfp, PPC_ALTIVEC, PPC_NONE, \
                  vcmpgtud, PPC_NONE, PPC2_ALTIVEC_207)
 
-#define GEN_VXFORM_DUPI(name, tcg_op, opc2, opc3)                       \
-static void glue(gen_, name)(DisasContext *ctx)                         \
-    {                                                                   \
-        int simm;                                                       \
-        if (unlikely(!ctx->altivec_enabled)) {                          \
-            gen_exception(ctx, POWERPC_EXCP_VPU);                       \
-            return;                                                     \
-        }                                                               \
-        simm = SIMM5(ctx->opcode);                                      \
-        tcg_op(avr_full_offset(rD(ctx->opcode)), 16, 16, simm);         \
+static void gen_vsplti(DisasContext *ctx, int vece)
+{
+    int simm;
+
+    if (unlikely(!ctx->altivec_enabled)) {
+        gen_exception(ctx, POWERPC_EXCP_VPU);
+        return;
     }
 
-GEN_VXFORM_DUPI(vspltisb, tcg_gen_gvec_dup8i, 6, 12);
-GEN_VXFORM_DUPI(vspltish, tcg_gen_gvec_dup16i, 6, 13);
-GEN_VXFORM_DUPI(vspltisw, tcg_gen_gvec_dup32i, 6, 14);
+    simm = SIMM5(ctx->opcode);
+    tcg_gen_gvec_dup_imm(vece, avr_full_offset(rD(ctx->opcode)), 16, 16, simm);
+}
+
+#define GEN_VXFORM_VSPLTI(name, vece, opc2, opc3) \
+static void glue(gen_, name)(DisasContext *ctx) { gen_vsplti(ctx, vece); }
+
+GEN_VXFORM_VSPLTI(vspltisb, MO_8, 6, 12);
+GEN_VXFORM_VSPLTI(vspltish, MO_16, 6, 13);
+GEN_VXFORM_VSPLTI(vspltisw, MO_32, 6, 14);
 
 #define GEN_VXFORM_NOA(name, opc2, opc3)                                \
 static void glue(gen_, name)(DisasContext *ctx)                         \
@@ -XXX,XX +XXX,XX @@ GEN_VXFORM_DUAL(vsldoi, PPC_ALTIVEC, PPC_NONE,
 #undef GEN_VXRFORM_DUAL
 #undef GEN_VXRFORM1
 #undef GEN_VXRFORM
-#undef GEN_VXFORM_DUPI
+#undef GEN_VXFORM_VSPLTI
 #undef GEN_VXFORM_NOA
 #undef GEN_VXFORM_UIMM
 #undef GEN_VAFORM_PAIRED
diff --git a/target/ppc/translate/vsx-impl.inc.c b/target/ppc/translate/vsx-impl.inc.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate/vsx-impl.inc.c
+++ b/target/ppc/translate/vsx-impl.inc.c
@@ -XXX,XX +XXX,XX @@ static void gen_xxspltib(DisasContext *ctx)
             return;
         }
     }
-    tcg_gen_gvec_dup8i(vsr_full_offset(rt), 16, 16, uim8);
+    tcg_gen_gvec_dup_imm(MO_8, vsr_full_offset(rt), 16, 16, uim8);
 }
 
 static void gen_xxsldwi(DisasContext *ctx)
-- 
2.20.1

In a few cases, we're able to remove some manual replication.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/translate-a64.c | 10 +++++-----
 target/arm/translate-sve.c | 12 +++++-------
 target/arm/translate.c     |  9 ++++++---
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void clear_vec_high(DisasContext *s, bool is_q, int rd)
         tcg_temp_free_i64(tcg_zero);
     }
     if (vsz > 16) {
-        tcg_gen_gvec_dup8i(ofs + 16, vsz - 16, vsz - 16, 0);
+        tcg_gen_gvec_dup_imm(MO_64, ofs + 16, vsz - 16, vsz - 16, 0);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ static void disas_simd_mod_imm(DisasContext *s, uint32_t insn)
 
     if (!((cmode & 0x9) == 0x1 || (cmode & 0xd) == 0x9)) {
         /* MOVI or MVNI, with MVNI negation handled above.  */
-        tcg_gen_gvec_dup64i(vec_full_reg_offset(s, rd), is_q ? 16 : 8,
-                            vec_full_reg_size(s), imm);
+        tcg_gen_gvec_dup_imm(MO_64, vec_full_reg_offset(s, rd), is_q ? 16 : 8,
+                             vec_full_reg_size(s), imm);
     } else {
         /* ORR or BIC, with BIC negation to AND handled above.  */
         if (is_neg) {
@@ -XXX,XX +XXX,XX @@ static void handle_vec_simd_shri(DisasContext *s, bool is_q, bool is_u,
         if (is_u) {
             if (shift == 8 << size) {
                 /* Shift count the same size as element size produces zero.  */
-                tcg_gen_gvec_dup8i(vec_full_reg_offset(s, rd),
-                                   is_q ? 16 : 8, vec_full_reg_size(s), 0);
+                tcg_gen_gvec_dup_imm(size, vec_full_reg_offset(s, rd),
+                                     is_q ? 16 : 8, vec_full_reg_size(s), 0);
             } else {
                 gen_gvec_fn2i(s, is_q, rd, rn, shift, tcg_gen_gvec_shri, size);
             }
diff --git a/target/arm/translate-sve.c b/target/arm/translate-sve.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-sve.c
+++ b/target/arm/translate-sve.c
@@ -XXX,XX +XXX,XX @@ static bool do_mov_z(DisasContext *s, int rd, int rn)
 static void do_dupi_z(DisasContext *s, int rd, uint64_t word)
 {
     unsigned vsz = vec_full_reg_size(s);
-    tcg_gen_gvec_dup64i(vec_full_reg_offset(s, rd), vsz, vsz, word);
+    tcg_gen_gvec_dup_imm(MO_64, vec_full_reg_offset(s, rd), vsz, vsz, word);
 }
 
 /* Invoke a vector expander on two Pregs.  */
@@ -XXX,XX +XXX,XX @@ static bool do_predset(DisasContext *s, int esz, int rd, int pat, bool setflag)
         unsigned oprsz = size_for_gvec(setsz / 8);
 
         if (oprsz * 8 == setsz) {
-            tcg_gen_gvec_dup64i(ofs, oprsz, maxsz, word);
+            tcg_gen_gvec_dup_imm(MO_64, ofs, oprsz, maxsz, word);
             goto done;
         }
     }
@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_x(DisasContext *s, arg_DUP_x *a)
             unsigned nofs = vec_reg_offset(s, a->rn, index, esz);
             tcg_gen_gvec_dup_mem(esz, dofs, nofs, vsz, vsz);
         } else {
-            tcg_gen_gvec_dup64i(dofs, vsz, vsz, 0);
+            tcg_gen_gvec_dup_imm(esz, dofs, vsz, vsz, 0);
         }
     }
     return true;
@@ -XXX,XX +XXX,XX @@ static bool trans_FDUP(DisasContext *s, arg_FDUP *a)
 
         /* Decode the VFP immediate.  */
         imm = vfp_expand_imm(a->esz, a->imm);
-        imm = dup_const(a->esz, imm);
-
-        tcg_gen_gvec_dup64i(dofs, vsz, vsz, imm);
+        tcg_gen_gvec_dup_imm(a->esz, dofs, vsz, vsz, imm);
     }
     return true;
 }
@@ -XXX,XX +XXX,XX @@ static bool trans_DUP_i(DisasContext *s, arg_DUP_i *a)
         unsigned vsz = vec_full_reg_size(s);
         int dofs = vec_full_reg_offset(s, a->rd);
 
-        tcg_gen_gvec_dup64i(dofs, vsz, vsz, dup_const(a->esz, a->imm));
+        tcg_gen_gvec_dup_imm(a->esz, dofs, vsz, vsz, a->imm);
     }
     return true;
 }
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                                           MIN(shift, (8 << size) - 1),
                                           vec_size, vec_size);
                     } else if (shift >= 8 << size) {
-                        tcg_gen_gvec_dup8i(rd_ofs, vec_size, vec_size, 0);
+                        tcg_gen_gvec_dup_imm(MO_8, rd_ofs, vec_size,
+                                             vec_size, 0);
                     } else {
                         tcg_gen_gvec_shri(size, rd_ofs, rm_ofs, shift,
                                           vec_size, vec_size);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                          * architecturally valid and results in zero.
                          */
                         if (shift >= 8 << size) {
-                            tcg_gen_gvec_dup8i(rd_ofs, vec_size, vec_size, 0);
+                            tcg_gen_gvec_dup_imm(size, rd_ofs,
+                                                 vec_size, vec_size, 0);
                         } else {
                             tcg_gen_gvec_shli(size, rd_ofs, rm_ofs, shift,
                                               vec_size, vec_size);
@@ -XXX,XX +XXX,XX @@ static int disas_neon_data_insn(DisasContext *s, uint32_t insn)
                     }
                     tcg_temp_free_i64(t64);
                 } else {
-                    tcg_gen_gvec_dup32i(reg_ofs, vec_size, vec_size, imm);
+                    tcg_gen_gvec_dup_imm(MO_32, reg_ofs, vec_size,
+                                         vec_size, imm);
                 }
             }
         }
-- 
2.20.1

Replace the outgoing interface.

Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg-op-gvec.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_xor(unsigned vece, uint32_t dofs, uint32_t aofs,
     };
 
     if (aofs == bofs) {
-        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, 0);
+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, 0);
     } else {
         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
     }
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_andc(unsigned vece, uint32_t dofs, uint32_t aofs,
     };
 
     if (aofs == bofs) {
-        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, 0);
+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, 0);
     } else {
         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
     }
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_orc(unsigned vece, uint32_t dofs, uint32_t aofs,
     };
 
     if (aofs == bofs) {
-        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, -1);
+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, -1);
     } else {
         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
     }
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_eqv(unsigned vece, uint32_t dofs, uint32_t aofs,
     };
 
     if (aofs == bofs) {
-        tcg_gen_gvec_dup8i(dofs, oprsz, maxsz, -1);
+        tcg_gen_gvec_dup_imm(MO_64, dofs, oprsz, maxsz, -1);
     } else {
         tcg_gen_gvec_3(dofs, aofs, bofs, oprsz, maxsz, &g);
     }
-- 
2.20.1

These interfaces are now unused.

Reviewed-by: LIU Zhiwei <zhiwei_liu@c-sky.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg-op-gvec.h |  5 -----
 tcg/tcg-op-gvec.c         | 28 ----------------------------
 2 files changed, 33 deletions(-)

diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
 void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
                           uint32_t m, TCGv_i64);
 
-void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t s, uint32_t m, uint8_t x);
-void tcg_gen_gvec_dup16i(uint32_t dofs, uint32_t s, uint32_t m, uint16_t x);
-void tcg_gen_gvec_dup32i(uint32_t dofs, uint32_t s, uint32_t m, uint32_t x);
-void tcg_gen_gvec_dup64i(uint32_t dofs, uint32_t s, uint32_t m, uint64_t x);
-
 void tcg_gen_gvec_shli(unsigned vece, uint32_t dofs, uint32_t aofs,
                        int64_t shift, uint32_t oprsz, uint32_t maxsz);
 void tcg_gen_gvec_shri(unsigned vece, uint32_t dofs, uint32_t aofs,
diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_mem(unsigned vece, uint32_t dofs, uint32_t aofs,
     }
 }
 
-void tcg_gen_gvec_dup64i(uint32_t dofs, uint32_t oprsz,
-                         uint32_t maxsz, uint64_t x)
-{
-    check_size_align(oprsz, maxsz, dofs);
-    do_dup(MO_64, dofs, oprsz, maxsz, NULL, NULL, x);
-}
-
-void tcg_gen_gvec_dup32i(uint32_t dofs, uint32_t oprsz,
-                         uint32_t maxsz, uint32_t x)
-{
-    check_size_align(oprsz, maxsz, dofs);
-    do_dup(MO_32, dofs, oprsz, maxsz, NULL, NULL, x);
-}
-
-void tcg_gen_gvec_dup16i(uint32_t dofs, uint32_t oprsz,
-                         uint32_t maxsz, uint16_t x)
-{
-    check_size_align(oprsz, maxsz, dofs);
-    do_dup(MO_16, dofs, oprsz, maxsz, NULL, NULL, x);
-}
-
-void tcg_gen_gvec_dup8i(uint32_t dofs, uint32_t oprsz,
-                         uint32_t maxsz, uint8_t x)
-{
-    check_size_align(oprsz, maxsz, dofs);
-    do_dup(MO_8, dofs, oprsz, maxsz, NULL, NULL, x);
-}
-
 void tcg_gen_gvec_dup_imm(unsigned vece, uint32_t dofs, uint32_t oprsz,
                           uint32_t maxsz, uint64_t x)
 {
-- 
2.20.1

For use when a target needs to pass a configure-specific
target_ulong value to duplicate.

diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_dup_i32(unsigned vece, uint32_t dofs, uint32_t s,
 void tcg_gen_gvec_dup_i64(unsigned vece, uint32_t dofs, uint32_t s,
                           uint32_t m, TCGv_i64);
 
+#if TARGET_LONG_BITS == 64
+# define tcg_gen_gvec_dup_tl  tcg_gen_gvec_dup_i64
+#else
+# define tcg_gen_gvec_dup_tl  tcg_gen_gvec_dup_i32
+#endif
+
 void tcg_gen_gvec_shli(unsigned vece, uint32_t dofs, uint32_t aofs,
                        int64_t shift, uint32_t oprsz, uint32_t maxsz);
 void tcg_gen_gvec_shri(unsigned vece, uint32_t dofs, uint32_t aofs,
-- 
2.20.1

Better handling of non-power-of-2 tails as seen with Arm 8-byte
vector operations.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg-op-gvec.c | 82 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 63 insertions(+), 19 deletions(-)

diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_5_ptr(uint32_t dofs, uint32_t aofs, uint32_t bofs,
    in units of LNSZ.  This limits the expansion of inline code.  */
 static inline bool check_size_impl(uint32_t oprsz, uint32_t lnsz)
 {
-    if (oprsz % lnsz == 0) {
-        uint32_t lnct = oprsz / lnsz;
-        return lnct >= 1 && lnct <= MAX_UNROLL;
+    uint32_t q, r;
+
+    if (oprsz < lnsz) {
+        return false;
     }
-    return false;
+
+    q = oprsz / lnsz;
+    r = oprsz % lnsz;
+    tcg_debug_assert((r & 7) == 0);
+
+    if (lnsz < 16) {
+        /* For sizes below 16, accept no remainder. */
+        if (r != 0) {
+            return false;
+        }
+    } else {
+        /*
+         * Recall that ARM SVE allows vector sizes that are not a
+         * power of 2, but always a multiple of 16.  The intent is
+         * that e.g. size == 80 would be expanded with 2x32 + 1x16.
+         * In addition, expand_clr needs to handle a multiple of 8.
+         * Thus we can handle the tail with one more operation per
+         * diminishing power of 2.
+         */
+        q += ctpop32(r);
+    }
+
+    return q <= MAX_UNROLL;
 }
 
 static void expand_clr(uint32_t dofs, uint32_t maxsz);
@@ -XXX,XX +XXX,XX @@ static void gen_dup_i64(unsigned vece, TCGv_i64 out, TCGv_i64 in)
 static TCGType choose_vector_type(const TCGOpcode *list, unsigned vece,
                                   uint32_t size, bool prefer_i64)
 {
-    if (TCG_TARGET_HAS_v256 && check_size_impl(size, 32)) {
-        /*
-         * Recall that ARM SVE allows vector sizes that are not a
-         * power of 2, but always a multiple of 16.  The intent is
-         * that e.g. size == 80 would be expanded with 2x32 + 1x16.
-         * It is hard to imagine a case in which v256 is supported
-         * but v128 is not, but check anyway.
-         */
-        if (tcg_can_emit_vecop_list(list, TCG_TYPE_V256, vece)
-            && (size % 32 == 0
-                || tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece))) {
-            return TCG_TYPE_V256;
-        }
+    /*
+     * Recall that ARM SVE allows vector sizes that are not a
+     * power of 2, but always a multiple of 16.  The intent is
+     * that e.g. size == 80 would be expanded with 2x32 + 1x16.
+     * It is hard to imagine a case in which v256 is supported
+     * but v128 is not, but check anyway.
+     * In addition, expand_clr needs to handle a multiple of 8.
+     */
+    if (TCG_TARGET_HAS_v256 &&
+        check_size_impl(size, 32) &&
+        tcg_can_emit_vecop_list(list, TCG_TYPE_V256, vece) &&
+        (!(size & 16) ||
+         (TCG_TARGET_HAS_v128 &&
+          tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece))) &&
+        (!(size & 8) ||
+         (TCG_TARGET_HAS_v64 &&
+          tcg_can_emit_vecop_list(list, TCG_TYPE_V64, vece)))) {
+        return TCG_TYPE_V256;
     }
-    if (TCG_TARGET_HAS_v128 && check_size_impl(size, 16)
-        && tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece)) {
+    if (TCG_TARGET_HAS_v128 &&
+        check_size_impl(size, 16) &&
+        tcg_can_emit_vecop_list(list, TCG_TYPE_V128, vece) &&
+        (!(size & 8) ||
+         (TCG_TARGET_HAS_v64 &&
+          tcg_can_emit_vecop_list(list, TCG_TYPE_V64, vece)))) {
         return TCG_TYPE_V128;
     }
     if (TCG_TARGET_HAS_v64 && !prefer_i64 && check_size_impl(size, 8)
@@ -XXX,XX +XXX,XX @@ static void do_dup_store(TCGType type, uint32_t dofs, uint32_t oprsz,
 {
     uint32_t i = 0;
 
+    tcg_debug_assert(oprsz >= 8);
+
+    /*
+     * This may be expand_clr for the tail of an operation, e.g.
+     * oprsz == 8 && maxsz == 64.  The first 8 bytes of this store
+     * are misaligned wrt the maximum vector size, so do that first.
+     */
+    if (dofs & 8) {
+        tcg_gen_stl_vec(t_vec, cpu_env, dofs + i, TCG_TYPE_V64);
+        i += 8;
+    }
+
     switch (type) {
     case TCG_TYPE_V256:
         /*
-- 
2.20.1

We have this same parameter for GVecGen2i, GVecGen3,
and GVecGen3i.  This will make some SVE2 insns easier
to parameterize.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg-op-gvec.h |  2 ++
 tcg/tcg-op-gvec.c         | 45 ++++++++++++++++++++++++++++-----------
 2 files changed, 34 insertions(+), 13 deletions(-)

diff --git a/include/tcg/tcg-op-gvec.h b/include/tcg/tcg-op-gvec.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op-gvec.h
+++ b/include/tcg/tcg-op-gvec.h
@@ -XXX,XX +XXX,XX @@ typedef struct {
     uint8_t vece;
     /* Prefer i64 to v64.  */
     bool prefer_i64;
+    /* Load dest as a 2nd source operand.  */
+    bool load_dest;
 } GVecGen2;
 
 typedef struct {
diff --git a/tcg/tcg-op-gvec.c b/tcg/tcg-op-gvec.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op-gvec.c
+++ b/tcg/tcg-op-gvec.c
@@ -XXX,XX +XXX,XX @@ static void expand_clr(uint32_t dofs, uint32_t maxsz)
 
 /* Expand OPSZ bytes worth of two-operand operations using i32 elements.  */
 static void expand_2_i32(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
-                         void (*fni)(TCGv_i32, TCGv_i32))
+                         bool load_dest, void (*fni)(TCGv_i32, TCGv_i32))
 {
     TCGv_i32 t0 = tcg_temp_new_i32();
+    TCGv_i32 t1 = tcg_temp_new_i32();
     uint32_t i;
 
     for (i = 0; i < oprsz; i += 4) {
         tcg_gen_ld_i32(t0, cpu_env, aofs + i);
-        fni(t0, t0);
-        tcg_gen_st_i32(t0, cpu_env, dofs + i);
+        if (load_dest) {
+            tcg_gen_ld_i32(t1, cpu_env, dofs + i);
+        }
+        fni(t1, t0);
+        tcg_gen_st_i32(t1, cpu_env, dofs + i);
     }
     tcg_temp_free_i32(t0);
+    tcg_temp_free_i32(t1);
 }
 
 static void expand_2i_i32(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
@@ -XXX,XX +XXX,XX @@ static void expand_4_i32(uint32_t dofs, uint32_t aofs, uint32_t bofs,
 
 /* Expand OPSZ bytes worth of two-operand operations using i64 elements.  */
 static void expand_2_i64(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
-                         void (*fni)(TCGv_i64, TCGv_i64))
+                         bool load_dest, void (*fni)(TCGv_i64, TCGv_i64))
 {
     TCGv_i64 t0 = tcg_temp_new_i64();
+    TCGv_i64 t1 = tcg_temp_new_i64();
     uint32_t i;
 
     for (i = 0; i < oprsz; i += 8) {
         tcg_gen_ld_i64(t0, cpu_env, aofs + i);
-        fni(t0, t0);
-        tcg_gen_st_i64(t0, cpu_env, dofs + i);
+        if (load_dest) {
+            tcg_gen_ld_i64(t1, cpu_env, dofs + i);
+        }
+        fni(t1, t0);
+        tcg_gen_st_i64(t1, cpu_env, dofs + i);
     }
     tcg_temp_free_i64(t0);
+    tcg_temp_free_i64(t1);
 }
 
 static void expand_2i_i64(uint32_t dofs, uint32_t aofs, uint32_t oprsz,
@@ -XXX,XX +XXX,XX @@ static void expand_4_i64(uint32_t dofs, uint32_t aofs, uint32_t bofs,
 /* Expand OPSZ bytes worth of two-operand operations using host vectors.  */
 static void expand_2_vec(unsigned vece, uint32_t dofs, uint32_t aofs,
                          uint32_t oprsz, uint32_t tysz, TCGType type,
+                         bool load_dest,
                          void (*fni)(unsigned, TCGv_vec, TCGv_vec))
 {
     TCGv_vec t0 = tcg_temp_new_vec(type);
+    TCGv_vec t1 = tcg_temp_new_vec(type);
     uint32_t i;
 
     for (i = 0; i < oprsz; i += tysz) {
         tcg_gen_ld_vec(t0, cpu_env, aofs + i);
-        fni(vece, t0, t0);
-        tcg_gen_st_vec(t0, cpu_env, dofs + i);
+        if (load_dest) {
+            tcg_gen_ld_vec(t1, cpu_env, dofs + i);
+        }
+        fni(vece, t1, t0);
+        tcg_gen_st_vec(t1, cpu_env, dofs + i);
     }
     tcg_temp_free_vec(t0);
+    tcg_temp_free_vec(t1);
 }
 
 /* Expand OPSZ bytes worth of two-vector operands and an immediate operand
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_2(uint32_t dofs, uint32_t aofs,
          * that e.g. size == 80 would be expanded with 2x32 + 1x16.
          */
         some = QEMU_ALIGN_DOWN(oprsz, 32);
-        expand_2_vec(g->vece, dofs, aofs, some, 32, TCG_TYPE_V256, g->fniv);
+        expand_2_vec(g->vece, dofs, aofs, some, 32, TCG_TYPE_V256,
+                     g->load_dest, g->fniv);
         if (some == oprsz) {
             break;
         }
@@ -XXX,XX +XXX,XX @@ void tcg_gen_gvec_2(uint32_t dofs, uint32_t aofs,
         maxsz -= some;
         /* fallthru */
     case TCG_TYPE_V128:
-        expand_2_vec(g->vece, dofs, aofs, oprsz, 16, TCG_TYPE_V128, g->fniv);
+        expand_2_vec(g->vece, dofs, aofs, oprsz, 16, TCG_TYPE_V128,
+                     g->load_dest, g->fniv);
         break;
     case TCG_TYPE_V64:
-        expand_2_vec(g->vece, dofs, aofs, oprsz, 8, TCG_TYPE_V64, g->fniv);
+        expand_2_vec(g->vece, dofs, aofs, oprsz, 8, TCG_TYPE_V64,
+                     g->load_dest, g->fniv);
         break;
 
     case 0:
         if (g->fni8 && check_size_impl(oprsz, 8)) {
-            expand_2_i64(dofs, aofs, oprsz, g->fni8);
+            expand_2_i64(dofs, aofs, oprsz, g->load_dest, g->fni8);
         } else if (g->fni4 && check_size_impl(oprsz, 4)) {
-            expand_2_i32(dofs, aofs, oprsz, g->fni4);
+            expand_2_i32(dofs, aofs, oprsz, g->load_dest, g->fni4);
         } else {
             assert(g->fno != NULL);
             tcg_gen_gvec_2_ool(dofs, aofs, oprsz, maxsz, g->data, g->fno);
-- 
2.20.1

For the benefit of compatibility of function pointer types,
we have standardized on int32_t and int64_t as the integral
argument to tcg expanders.

We converted most of them in 474b2e8f0f7, but missed the rotates.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/tcg/tcg-op.h |  8 ++++----
 tcg/tcg-op.c         | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/include/tcg/tcg-op.h b/include/tcg/tcg-op.h
index XXXXXXX..XXXXXXX 100644
--- a/include/tcg/tcg-op.h
+++ b/include/tcg/tcg-op.h
@@ -XXX,XX +XXX,XX @@ void tcg_gen_ctzi_i32(TCGv_i32 ret, TCGv_i32 arg1, uint32_t arg2);
 void tcg_gen_clrsb_i32(TCGv_i32 ret, TCGv_i32 arg);
 void tcg_gen_ctpop_i32(TCGv_i32 a1, TCGv_i32 a2);
 void tcg_gen_rotl_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2);
-void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2);
+void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2);
 void tcg_gen_rotr_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2);
-void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2);
+void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2);
 void tcg_gen_deposit_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2,
                          unsigned int ofs, unsigned int len);
 void tcg_gen_deposit_z_i32(TCGv_i32 ret, TCGv_i32 arg,
@@ -XXX,XX +XXX,XX @@ void tcg_gen_ctzi_i64(TCGv_i64 ret, TCGv_i64 arg1, uint64_t arg2);
 void tcg_gen_clrsb_i64(TCGv_i64 ret, TCGv_i64 arg);
 void tcg_gen_ctpop_i64(TCGv_i64 a1, TCGv_i64 a2);
 void tcg_gen_rotl_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2);
-void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2);
+void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2);
 void tcg_gen_rotr_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2);
-void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2);
+void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2);
 void tcg_gen_deposit_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2,
                          unsigned int ofs, unsigned int len);
 void tcg_gen_deposit_z_i64(TCGv_i64 ret, TCGv_i64 arg,
diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op.c
+++ b/tcg/tcg-op.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotl_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
     }
 }
 
-void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2)
+void tcg_gen_rotli_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2)
 {
-    tcg_debug_assert(arg2 < 32);
+    tcg_debug_assert(arg2 >= 0 && arg2 < 32);
     /* some cases can be optimized here */
     if (arg2 == 0) {
         tcg_gen_mov_i32(ret, arg1);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotr_i32(TCGv_i32 ret, TCGv_i32 arg1, TCGv_i32 arg2)
     }
 }
 
-void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, unsigned arg2)
+void tcg_gen_rotri_i32(TCGv_i32 ret, TCGv_i32 arg1, int32_t arg2)
 {
-    tcg_debug_assert(arg2 < 32);
+    tcg_debug_assert(arg2 >= 0 && arg2 < 32);
     /* some cases can be optimized here */
     if (arg2 == 0) {
         tcg_gen_mov_i32(ret, arg1);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotl_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2)
     }
 }
 
-void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2)
+void tcg_gen_rotli_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2)
 {
-    tcg_debug_assert(arg2 < 64);
+    tcg_debug_assert(arg2 >= 0 && arg2 < 64);
     /* some cases can be optimized here */
     if (arg2 == 0) {
         tcg_gen_mov_i64(ret, arg1);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_rotr_i64(TCGv_i64 ret, TCGv_i64 arg1, TCGv_i64 arg2)
     }
 }
 
-void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, unsigned arg2)
+void tcg_gen_rotri_i64(TCGv_i64 ret, TCGv_i64 arg1, int64_t arg2)
 {
-    tcg_debug_assert(arg2 < 64);
+    tcg_debug_assert(arg2 >= 0 && arg2 < 64);
     /* some cases can be optimized here */
     if (arg2 == 0) {
         tcg_gen_mov_i64(ret, arg1);
-- 
2.20.1

The following changes since commit d37158bb2425e7ebffb167d611be01f1e9e6c86f:

Update version for v8.0.0-rc2 release (2023-03-28 20:43:21 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230328

for you to fetch changes up to 87e303de70f93bf700f58412fb9b2c3ec918c4b5:

softmmu: Restore use of CPU watchpoint for all accelerators (2023-03-28 15:24:06 -0700)

----------------------------------------------------------------
Use a local version of GTree [#285]
Fix page_set_flags vs the last page of the address space [#1528]
Re-enable gdbstub breakpoints under KVM

----------------------------------------------------------------
Emilio Cota (2):
      util: import GTree as QTree
      tcg: use QTree instead of GTree

Philippe Mathieu-Daudé (3):
      softmmu: Restrict cpu_check_watchpoint / address_matches to TCG accel
      softmmu/watchpoint: Add missing 'qemu/error-report.h' include
      softmmu: Restore use of CPU watchpoint for all accelerators

Richard Henderson (10):
      linux-user: Diagnose misaligned -R size
      accel/tcg: Pass last not end to page_set_flags
      accel/tcg: Pass last not end to page_reset_target_data
      accel/tcg: Pass last not end to PAGE_FOR_EACH_TB
      accel/tcg: Pass last not end to page_collection_lock
      accel/tcg: Pass last not end to tb_invalidate_phys_page_range__locked
      accel/tcg: Pass last not end to tb_invalidate_phys_range
      linux-user: Pass last not end to probe_guest_base
      include/exec: Change reserved_va semantics to last byte
      linux-user/arm: Take more care allocating commpage

From: Emilio Cota <cota@braap.org>

The only reason to add this implementation is to control the memory allocator
used. Some users (e.g. TCG) cannot work reliably in multi-threaded
environments (e.g. forking in user-mode) with GTree's allocator, GSlice.
See https://gitlab.com/qemu-project/qemu/-/issues/285 for details.

Importing GTree is a temporary workaround until GTree migrates away
from GSlice.

This implementation is identical to that in glib v2.75.0, except that
we don't import recent additions to the API nor deprecated API calls,
none of which are used in QEMU.

I've imported tests from glib and added a benchmark just to
make sure that performance is similar. Note: it cannot be identical
because (1) we are not using GSlice, (2) we use different compilation flags
(e.g. -fPIC) and (3) we're linking statically.

$ cat /proc/cpuinfo| grep 'model name' | head -1
model name      : AMD Ryzen 7 PRO 5850U with Radeon Graphics
$ echo '0' | sudo tee /sys/devices/system/cpu/cpufreq/boost
$ tests/bench/qtree-bench

Tree         Op      32            1024            4096          131072         1048576
------------------------------------------------------------------------------------------------
GTree     Lookup   83.23           43.08           25.31           19.40           16.22
QTree     Lookup  113.42 (1.36x)   53.83 (1.25x)   28.38 (1.12x)   17.64 (0.91x)   13.04 (0.80x)
GTree     Insert   44.23           29.37           25.83           19.49           17.03
QTree     Insert   46.87 (1.06x)   25.62 (0.87x)   24.29 (0.94x)   16.83 (0.86x)   12.97 (0.76x)
GTree     Remove   53.27           35.15           31.43           24.64           16.70
QTree     Remove   57.32 (1.08x)   41.76 (1.19x)   38.37 (1.22x)   29.30 (1.19x)   15.07 (0.90x)
GTree  RemoveAll  135.44          127.52          126.72          120.11           64.34
QTree  RemoveAll  127.15 (0.94x)  110.37 (0.87x)  107.97 (0.85x)   97.13 (0.81x)   55.10 (0.86x)
GTree   Traverse  277.71          276.09          272.78          246.72           98.47
QTree   Traverse  370.33 (1.33x)  411.97 (1.49x)  400.23 (1.47x)  262.82 (1.07x)   78.52 (0.80x)
------------------------------------------------------------------------------------------------

As a sanity check, the same benchmark when Glib's version
is >= $glib_dropped_gslice_version (i.e. QTree == GTree):

Tree         Op      32            1024            4096          131072         1048576
------------------------------------------------------------------------------------------------
GTree     Lookup   82.72           43.09           24.18           19.73           16.09
QTree     Lookup   81.82 (0.99x)   43.10 (1.00x)   24.20 (1.00x)   19.76 (1.00x)   16.26 (1.01x)
GTree     Insert   45.07           29.62           26.34           19.90           17.18
QTree     Insert   45.72 (1.01x)   29.60 (1.00x)   26.38 (1.00x)   19.71 (0.99x)   17.20 (1.00x)
GTree     Remove   54.48           35.36           31.77           24.97           16.95
QTree     Remove   54.46 (1.00x)   35.32 (1.00x)   31.77 (1.00x)   24.91 (1.00x)   17.15 (1.01x)
GTree  RemoveAll  140.68          127.36          125.43          121.45           68.20
QTree  RemoveAll  140.65 (1.00x)  127.64 (1.00x)  125.01 (1.00x)  121.73 (1.00x)   67.06 (0.98x)
GTree   Traverse  278.68          276.05          266.75          251.65          104.93
QTree   Traverse  278.31 (1.00x)  275.78 (1.00x)  266.42 (1.00x)  247.89 (0.99x)  104.58 (1.00x)
------------------------------------------------------------------------------------------------

Signed-off-by: Emilio Cota <cota@braap.org>
Message-Id: <20230205163758.416992-2-cota@braap.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 configure                 |   15 +
 meson.build               |    4 +
 include/qemu/qtree.h      |  201 ++++++
 tests/bench/qtree-bench.c |  286 ++++++++
 tests/unit/test-qtree.c   |  333 +++++++++
 util/qtree.c              | 1390 +++++++++++++++++++++++++++++++++++++
 tests/bench/meson.build   |    4 +
 tests/unit/meson.build    |    1 +
 util/meson.build          |    1 +
 9 files changed, 2235 insertions(+)
 create mode 100644 include/qemu/qtree.h
 create mode 100644 tests/bench/qtree-bench.c
 create mode 100644 tests/unit/test-qtree.c
 create mode 100644 util/qtree.c

diff --git a/configure b/configure
index XXXXXXX..XXXXXXX 100755
--- a/configure
+++ b/configure
@@ -XXX,XX +XXX,XX @@ safe_stack=""
 use_containers="yes"
 gdb_bin=$(command -v "gdb-multiarch" || command -v "gdb")
 gdb_arches=""
+glib_has_gslice="no"
 
 if test -e "$source_path/.git"
 then
@@ -XXX,XX +XXX,XX @@ for i in $glib_modules; do
     fi
 done
 
+# Check whether glib has gslice, which we have to avoid for correctness.
+# TODO: remove this check and the corresponding workaround (qtree) when
+# the minimum supported glib is >= $glib_dropped_gslice_version.
+glib_dropped_gslice_version=2.75.3
+for i in $glib_modules; do
+    if ! $pkg_config --atleast-version=$glib_dropped_gslice_version $i; then
+        glib_has_gslice="yes"
+	break
+    fi
+done
+
 glib_bindir="$($pkg_config --variable=bindir glib-2.0)"
 if test -z "$glib_bindir" ; then
 	glib_bindir="$($pkg_config --variable=prefix glib-2.0)"/bin
@@ -XXX,XX +XXX,XX @@ echo "GLIB_CFLAGS=$glib_cflags" >> $config_host_mak
 echo "GLIB_LIBS=$glib_libs" >> $config_host_mak
 echo "GLIB_BINDIR=$glib_bindir" >> $config_host_mak
 echo "GLIB_VERSION=$($pkg_config --modversion glib-2.0)" >> $config_host_mak
+if test "$glib_has_gslice" = "yes" ; then
+    echo "HAVE_GLIB_WITH_SLICE_ALLOCATOR=y" >> $config_host_mak
+fi
 echo "QEMU_LDFLAGS=$QEMU_LDFLAGS" >> $config_host_mak
 echo "EXESUF=$EXESUF" >> $config_host_mak
 
diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ glib = declare_dependency(compile_args: config_host['GLIB_CFLAGS'].split(),
                           })
 # override glib dep with the configure results (for subprojects)
 meson.override_dependency('glib-2.0', glib)
+# pass down whether Glib has the slice allocator
+if config_host.has_key('HAVE_GLIB_WITH_SLICE_ALLOCATOR')
+  config_host_data.set('HAVE_GLIB_WITH_SLICE_ALLOCATOR', true)
+endif
 
 gio = not_found
 gdbus_codegen = not_found
diff --git a/include/qemu/qtree.h b/include/qemu/qtree.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/include/qemu/qtree.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * GLIB - Library of useful routines for C programming
+ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Modified by the GLib Team and others 1997-2000.  See the AUTHORS
+ * file for a list of people on the GLib Team.  See the ChangeLog
+ * files for a list of changes.  These files are distributed with
+ * GLib at ftp://ftp.gtk.org/pub/gtk/.
+ */
+
+/*
+ * QTree is a partial import of Glib's GTree. The parts excluded correspond
+ * to API calls either deprecated (e.g. g_tree_traverse) or recently added
+ * (e.g. g_tree_search_node, added in 2.68); neither have callers in QEMU.
+ *
+ * The reason for this import is to allow us to control the memory allocator
+ * used by the tree implementation. Until Glib 2.75.3, GTree uses Glib's
+ * slice allocator, which causes problems when forking in user-mode;
+ * see https://gitlab.com/qemu-project/qemu/-/issues/285 and glib's
+ * "45b5a6c1e gslice: Remove slice allocator and use malloc() instead".
+ *
+ * TODO: remove QTree when QEMU's minimum Glib version is >= 2.75.3.
+ */
+
+#ifndef QEMU_QTREE_H
+#define QEMU_QTREE_H
+
+#include "qemu/osdep.h"
+
+#ifdef HAVE_GLIB_WITH_SLICE_ALLOCATOR
+
+typedef struct _QTree  QTree;
+
+typedef struct _QTreeNode QTreeNode;
+
+typedef gboolean (*QTraverseNodeFunc)(QTreeNode *node,
+                                      gpointer user_data);
+
+/*
+ * Balanced binary trees
+ */
+QTree *q_tree_new(GCompareFunc key_compare_func);
+QTree *q_tree_new_with_data(GCompareDataFunc key_compare_func,
+                            gpointer key_compare_data);
+QTree *q_tree_new_full(GCompareDataFunc key_compare_func,
+                       gpointer key_compare_data,
+                       GDestroyNotify key_destroy_func,
+                       GDestroyNotify value_destroy_func);
+QTree *q_tree_ref(QTree *tree);
+void q_tree_unref(QTree *tree);
+void q_tree_destroy(QTree *tree);
+void q_tree_insert(QTree *tree,
+                   gpointer key,
+                   gpointer value);
+void q_tree_replace(QTree *tree,
+                    gpointer key,
+                    gpointer value);
+gboolean q_tree_remove(QTree *tree,
+                       gconstpointer key);
+gboolean q_tree_steal(QTree *tree,
+                      gconstpointer key);
+gpointer q_tree_lookup(QTree *tree,
+                       gconstpointer key);
+gboolean q_tree_lookup_extended(QTree *tree,
+                                gconstpointer lookup_key,
+                                gpointer *orig_key,
+                                gpointer *value);
+void q_tree_foreach(QTree *tree,
+                    GTraverseFunc func,
+                    gpointer user_data);
+gpointer q_tree_search(QTree *tree,
+                       GCompareFunc search_func,
+                       gconstpointer user_data);
+gint q_tree_height(QTree *tree);
+gint q_tree_nnodes(QTree *tree);
+
+#else /* !HAVE_GLIB_WITH_SLICE_ALLOCATOR */
+
+typedef GTree QTree;
+typedef GTreeNode QTreeNode;
+typedef GTraverseNodeFunc QTraverseNodeFunc;
+
+static inline QTree *q_tree_new(GCompareFunc key_compare_func)
+{
+    return g_tree_new(key_compare_func);
+}
+
+static inline QTree *q_tree_new_with_data(GCompareDataFunc key_compare_func,
+                                          gpointer key_compare_data)
+{
+    return g_tree_new_with_data(key_compare_func, key_compare_data);
+}
+
+static inline QTree *q_tree_new_full(GCompareDataFunc key_compare_func,
+                                     gpointer key_compare_data,
+                                     GDestroyNotify key_destroy_func,
+                                     GDestroyNotify value_destroy_func)
+{
+    return g_tree_new_full(key_compare_func, key_compare_data,
+                           key_destroy_func, value_destroy_func);
+}
+
+static inline QTree *q_tree_ref(QTree *tree)
+{
+    return g_tree_ref(tree);
+}
+
+static inline void q_tree_unref(QTree *tree)
+{
+    g_tree_unref(tree);
+}
+
+static inline void q_tree_destroy(QTree *tree)
+{
+    g_tree_destroy(tree);
+}
+
+static inline void q_tree_insert(QTree *tree,
+                                 gpointer key,
+                                 gpointer value)
+{
+    g_tree_insert(tree, key, value);
+}
+
+static inline void q_tree_replace(QTree *tree,
+                                  gpointer key,
+                                  gpointer value)
+{
+    g_tree_replace(tree, key, value);
+}
+
+static inline gboolean q_tree_remove(QTree *tree,
+                                     gconstpointer key)
+{
+    return g_tree_remove(tree, key);
+}
+
+static inline gboolean q_tree_steal(QTree *tree,
+                                    gconstpointer key)
+{
+    return g_tree_steal(tree, key);
+}
+
+static inline gpointer q_tree_lookup(QTree *tree,
+                                     gconstpointer key)
+{
+    return g_tree_lookup(tree, key);
+}
+
+static inline gboolean q_tree_lookup_extended(QTree *tree,
+                                              gconstpointer lookup_key,
+                                              gpointer *orig_key,
+                                              gpointer *value)
+{
+    return g_tree_lookup_extended(tree, lookup_key, orig_key, value);
+}
+
+static inline void q_tree_foreach(QTree *tree,
+                                  GTraverseFunc func,
+                                  gpointer user_data)
+{
+    return g_tree_foreach(tree, func, user_data);
+}
+
+static inline gpointer q_tree_search(QTree *tree,
+                                     GCompareFunc search_func,
+                                     gconstpointer user_data)
+{
+    return g_tree_search(tree, search_func, user_data);
+}
+
+static inline gint q_tree_height(QTree *tree)
+{
+    return g_tree_height(tree);
+}
+
+static inline gint q_tree_nnodes(QTree *tree)
+{
+    return g_tree_nnodes(tree);
+}
+
+#endif /* HAVE_GLIB_WITH_SLICE_ALLOCATOR */
+
+#endif /* QEMU_QTREE_H */
diff --git a/tests/bench/qtree-bench.c b/tests/bench/qtree-bench.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/bench/qtree-bench.c
@@ -XXX,XX +XXX,XX @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+#include "qemu/osdep.h"
+#include "qemu/qtree.h"
+#include "qemu/timer.h"
+
+enum tree_op {
+    OP_LOOKUP,
+    OP_INSERT,
+    OP_REMOVE,
+    OP_REMOVE_ALL,
+    OP_TRAVERSE,
+};
+
+struct benchmark {
+    const char * const name;
+    enum tree_op op;
+    bool fill_on_init;
+};
+
+enum impl_type {
+    IMPL_GTREE,
+    IMPL_QTREE,
+};
+
+struct tree_implementation {
+    const char * const name;
+    enum impl_type type;
+};
+
+static const struct benchmark benchmarks[] = {
+    {
+        .name = "Lookup",
+        .op = OP_LOOKUP,
+        .fill_on_init = true,
+    },
+    {
+        .name = "Insert",
+        .op = OP_INSERT,
+        .fill_on_init = false,
+    },
+    {
+        .name = "Remove",
+        .op = OP_REMOVE,
+        .fill_on_init = true,
+    },
+    {
+        .name = "RemoveAll",
+        .op = OP_REMOVE_ALL,
+        .fill_on_init = true,
+    },
+    {
+        .name = "Traverse",
+        .op = OP_TRAVERSE,
+        .fill_on_init = true,
+    },
+};
+
+static const struct tree_implementation impls[] = {
+    {
+        .name = "GTree",
+        .type = IMPL_GTREE,
+    },
+    {
+        .name = "QTree",
+        .type = IMPL_QTREE,
+    },
+};
+
+static int compare_func(const void *ap, const void *bp)
+{
+    const size_t *a = ap;
+    const size_t *b = bp;
+
+    return *a - *b;
+}
+
+static void init_empty_tree_and_keys(enum impl_type impl,
+                                     void **ret_tree, size_t **ret_keys,
+                                     size_t n_elems)
+{
+    size_t *keys = g_malloc_n(n_elems, sizeof(*keys));
+    for (size_t i = 0; i < n_elems; i++) {
+        keys[i] = i;
+    }
+
+    void *tree;
+    switch (impl) {
+    case IMPL_GTREE:
+        tree = g_tree_new(compare_func);
+        break;
+    case IMPL_QTREE:
+        tree = q_tree_new(compare_func);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    *ret_tree = tree;
+    *ret_keys = keys;
+}
+
+static gboolean traverse_func(gpointer key, gpointer value, gpointer data)
+{
+    return FALSE;
+}
+
+static inline void remove_all(void *tree, enum impl_type impl)
+{
+    switch (impl) {
+    case IMPL_GTREE:
+        g_tree_destroy(tree);
+        break;
+    case IMPL_QTREE:
+        q_tree_destroy(tree);
+        break;
+    default:
+        g_assert_not_reached();
+    }
+}
+
+static int64_t run_benchmark(const struct benchmark *bench,
+                             enum impl_type impl,
+                             size_t n_elems)
+{
+    void *tree;
+    size_t *keys;
+
+    init_empty_tree_and_keys(impl, &tree, &keys, n_elems);
+    if (bench->fill_on_init) {
+        for (size_t i = 0; i < n_elems; i++) {
+            switch (impl) {
+            case IMPL_GTREE:
+                g_tree_insert(tree, &keys[i], &keys[i]);
+                break;
+            case IMPL_QTREE:
+                q_tree_insert(tree, &keys[i], &keys[i]);
+                break;
+            default:
+                g_assert_not_reached();
+            }
+        }
+    }
+
+    int64_t start_ns = get_clock();
+    switch (bench->op) {
+    case OP_LOOKUP:
+        for (size_t i = 0; i < n_elems; i++) {
+            void *value;
+            switch (impl) {
+            case IMPL_GTREE:
+                value = g_tree_lookup(tree, &keys[i]);
+                break;
+            case IMPL_QTREE:
+                value = q_tree_lookup(tree, &keys[i]);
+                break;
+            default:
+                g_assert_not_reached();
+            }
+            (void)value;
+        }
+        break;
+    case OP_INSERT:
+        for (size_t i = 0; i < n_elems; i++) {
+            switch (impl) {
+            case IMPL_GTREE:
+                g_tree_insert(tree, &keys[i], &keys[i]);
+                break;
+            case IMPL_QTREE:
+                q_tree_insert(tree, &keys[i], &keys[i]);
+                break;
+            default:
+                g_assert_not_reached();
+            }
+        }
+        break;
+    case OP_REMOVE:
+        for (size_t i = 0; i < n_elems; i++) {
+            switch (impl) {
+            case IMPL_GTREE:
+                g_tree_remove(tree, &keys[i]);
+                break;
+            case IMPL_QTREE:
+                q_tree_remove(tree, &keys[i]);
+                break;
+            default:
+                g_assert_not_reached();
+            }
+        }
+        break;
+    case OP_REMOVE_ALL:
+        remove_all(tree, impl);
+        break;
+    case OP_TRAVERSE:
+        switch (impl) {
+        case IMPL_GTREE:
+            g_tree_foreach(tree, traverse_func, NULL);
+            break;
+        case IMPL_QTREE:
+            q_tree_foreach(tree, traverse_func, NULL);
+            break;
+        default:
+            g_assert_not_reached();
+        }
+        break;
+    default:
+        g_assert_not_reached();
+    }
+    int64_t ns = get_clock() - start_ns;
+
+    if (bench->op != OP_REMOVE_ALL) {
+        remove_all(tree, impl);
+    }
+    g_free(keys);
+
+    return ns;
+}
+
+int main(int argc, char *argv[])
+{
+    size_t sizes[] = {
+        32,
+        1024,
+        1024 * 4,
+        1024 * 128,
+        1024 * 1024,
+    };
+
+    double res[ARRAY_SIZE(benchmarks)][ARRAY_SIZE(impls)][ARRAY_SIZE(sizes)];
+    for (int i = 0; i < ARRAY_SIZE(sizes); i++) {
+        size_t size = sizes[i];
+        for (int j = 0; j < ARRAY_SIZE(impls); j++) {
+            const struct tree_implementation *impl = &impls[j];
+            for (int k = 0; k < ARRAY_SIZE(benchmarks); k++) {
+                const struct benchmark *bench = &benchmarks[k];
+
+                /* warm-up run */
+                run_benchmark(bench, impl->type, size);
+
+                int64_t total_ns = 0;
+                int64_t n_runs = 0;
+                while (total_ns < 2e8 || n_runs < 5) {
+                    total_ns += run_benchmark(bench, impl->type, size);
+                    n_runs++;
+                }
+                double ns_per_run = (double)total_ns / n_runs;
+
+                /* Throughput, in Mops/s */
+                res[k][j][i] = size / ns_per_run * 1e3;
+            }
+        }
+    }
+
+    printf("# Results' breakdown: Tree, Op and #Elements. Units: Mops/s\n");
+    printf("%5s %10s ", "Tree", "Op");
+    for (int i = 0; i < ARRAY_SIZE(sizes); i++) {
+        printf("%7zu         ", sizes[i]);
+    }
+    printf("\n");
+    char separator[97];
+    for (int i = 0; i < ARRAY_SIZE(separator) - 1; i++) {
+        separator[i] = '-';
+    }
+    separator[ARRAY_SIZE(separator) - 1] = '\0';
+    printf("%s\n", separator);
+    for (int i = 0; i < ARRAY_SIZE(benchmarks); i++) {
+        for (int j = 0; j < ARRAY_SIZE(impls); j++) {
+            printf("%5s %10s ", impls[j].name, benchmarks[i].name);
+            for (int k = 0; k < ARRAY_SIZE(sizes); k++) {
+                printf("%7.2f ", res[i][j][k]);
+                if (j == 0) {
+                    printf("        ");
+                } else {
+                    if (res[i][0][k] != 0) {
+                        double speedup = res[i][j][k] / res[i][0][k];
+                        printf("(%4.2fx) ", speedup);
+                    } else {
+                        printf("(     ) ");
+                    }
+                }
+            }
+            printf("\n");
+        }
+    }
+    printf("%s\n", separator);
+    return 0;
+}
diff --git a/tests/unit/test-qtree.c b/tests/unit/test-qtree.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/unit/test-qtree.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * Tests for QTree.
+ * Original source: glib
+ *   https://gitlab.gnome.org/GNOME/glib/-/blob/main/glib/tests/tree.c
+ *   LGPL license.
+ *   Copyright (C) 1995-1997 Peter Mattis, Spencer Kimball and Josh MacDonald
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/qtree.h"
+
+static gint my_compare(gconstpointer a, gconstpointer b)
+{
+    const char *cha = a;
+    const char *chb = b;
+
+    return *cha - *chb;
+}
+
+static gint my_compare_with_data(gconstpointer a,
+                                 gconstpointer b,
+                                 gpointer user_data)
+{
+    const char *cha = a;
+    const char *chb = b;
+
+    /* just check that we got the right data */
+    g_assert(GPOINTER_TO_INT(user_data) == 123);
+
+    return *cha - *chb;
+}
+
+static gint my_search(gconstpointer a, gconstpointer b)
+{
+    return my_compare(b, a);
+}
+
+static gpointer destroyed_key;
+static gpointer destroyed_value;
+static guint destroyed_key_count;
+static guint destroyed_value_count;
+
+static void my_key_destroy(gpointer key)
+{
+    destroyed_key = key;
+    destroyed_key_count++;
+}
+
+static void my_value_destroy(gpointer value)
+{
+    destroyed_value = value;
+    destroyed_value_count++;
+}
+
+static gint my_traverse(gpointer key, gpointer value, gpointer data)
+{
+    char *ch = key;
+
+    g_assert((*ch) > 0);
+
+    if (*ch == 'd') {
+        return TRUE;
+    }
+
+    return FALSE;
+}
+
+char chars[] =
+    "0123456789"
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+    "abcdefghijklmnopqrstuvwxyz";
+
+char chars2[] =
+    "0123456789"
+    "abcdefghijklmnopqrstuvwxyz";
+
+static gint check_order(gpointer key, gpointer value, gpointer data)
+{
+    char **p = data;
+    char *ch = key;
+
+    g_assert(**p == *ch);
+
+    (*p)++;
+
+    return FALSE;
+}
+
+static void test_tree_search(void)
+{
+    gint i;
+    QTree *tree;
+    gboolean removed;
+    gchar c;
+    gchar *p, *d;
+
+    tree = q_tree_new_with_data(my_compare_with_data, GINT_TO_POINTER(123));
+
+    for (i = 0; chars[i]; i++) {
+        q_tree_insert(tree, &chars[i], &chars[i]);
+    }
+
+    q_tree_foreach(tree, my_traverse, NULL);
+
+    g_assert(q_tree_nnodes(tree) == strlen(chars));
+    g_assert(q_tree_height(tree) == 6);
+
+    p = chars;
+    q_tree_foreach(tree, check_order, &p);
+
+    for (i = 0; i < 26; i++) {
+        removed = q_tree_remove(tree, &chars[i + 10]);
+        g_assert(removed);
+    }
+
+    c = '\0';
+    removed = q_tree_remove(tree, &c);
+    g_assert(!removed);
+
+    q_tree_foreach(tree, my_traverse, NULL);
+
+    g_assert(q_tree_nnodes(tree) == strlen(chars2));
+    g_assert(q_tree_height(tree) == 6);
+
+    p = chars2;
+    q_tree_foreach(tree, check_order, &p);
+
+    for (i = 25; i >= 0; i--) {
+        q_tree_insert(tree, &chars[i + 10], &chars[i + 10]);
+    }
+
+    p = chars;
+    q_tree_foreach(tree, check_order, &p);
+
+    c = '0';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p && *p == c);
+    g_assert(q_tree_lookup_extended(tree, &c, (gpointer *)&d, (gpointer *)&p));
+    g_assert(c == *d && c == *p);
+
+    c = 'A';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p && *p == c);
+
+    c = 'a';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p && *p == c);
+
+    c = 'z';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p && *p == c);
+
+    c = '!';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p == NULL);
+
+    c = '=';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p == NULL);
+
+    c = '|';
+    p = q_tree_lookup(tree, &c);
+    g_assert(p == NULL);
+
+    c = '0';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p && *p == c);
+
+    c = 'A';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p && *p == c);
+
+    c = 'a';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p && *p == c);
+
+    c = 'z';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p && *p == c);
+
+    c = '!';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p == NULL);
+
+    c = '=';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p == NULL);
+
+    c = '|';
+    p = q_tree_search(tree, my_search, &c);
+    g_assert(p == NULL);
+
+    q_tree_destroy(tree);
+}
+
+static void test_tree_remove(void)
+{
+    QTree *tree;
+    char c, d;
+    gint i;
+    gboolean removed;
+
+    tree = q_tree_new_full((GCompareDataFunc)my_compare, NULL,
+                           my_key_destroy,
+                           my_value_destroy);
+
+    for (i = 0; chars[i]; i++) {
+        q_tree_insert(tree, &chars[i], &chars[i]);
+    }
+
+    c = '0';
+    q_tree_insert(tree, &c, &c);
+    g_assert(destroyed_key == &c);
+    g_assert(destroyed_value == &chars[0]);
+    destroyed_key = NULL;
+    destroyed_value = NULL;
+
+    d = '1';
+    q_tree_replace(tree, &d, &d);
+    g_assert(destroyed_key == &chars[1]);
+    g_assert(destroyed_value == &chars[1]);
+    destroyed_key = NULL;
+    destroyed_value = NULL;
+
+    c = '2';
+    removed = q_tree_remove(tree, &c);
+    g_assert(removed);
+    g_assert(destroyed_key == &chars[2]);
+    g_assert(destroyed_value == &chars[2]);
+    destroyed_key = NULL;
+    destroyed_value = NULL;
+
+    c = '3';
+    removed = q_tree_steal(tree, &c);
+    g_assert(removed);
+    g_assert(destroyed_key == NULL);
+    g_assert(destroyed_value == NULL);
+
+    const gchar *remove = "omkjigfedba";
+    for (i = 0; remove[i]; i++) {
+        removed = q_tree_remove(tree, &remove[i]);
+        g_assert(removed);
+    }
+
+    q_tree_destroy(tree);
+}
+
+static void test_tree_destroy(void)
+{
+    QTree *tree;
+    gint i;
+
+    tree = q_tree_new(my_compare);
+
+    for (i = 0; chars[i]; i++) {
+        q_tree_insert(tree, &chars[i], &chars[i]);
+    }
+
+    g_assert(q_tree_nnodes(tree) == strlen(chars));
+
+    g_test_message("nnodes: %d", q_tree_nnodes(tree));
+    q_tree_ref(tree);
+    q_tree_destroy(tree);
+
+    g_test_message("nnodes: %d", q_tree_nnodes(tree));
+    g_assert(q_tree_nnodes(tree) == 0);
+
+    q_tree_unref(tree);
+}
+
+static void test_tree_insert(void)
+{
+    QTree *tree;
+    gchar *p;
+    gint i;
+    gchar *scrambled;
+
+    tree = q_tree_new(my_compare);
+
+    for (i = 0; chars[i]; i++) {
+        q_tree_insert(tree, &chars[i], &chars[i]);
+    }
+    p = chars;
+    q_tree_foreach(tree, check_order, &p);
+
+    q_tree_unref(tree);
+    tree = q_tree_new(my_compare);
+
+    for (i = strlen(chars) - 1; i >= 0; i--) {
+        q_tree_insert(tree, &chars[i], &chars[i]);
+    }
+    p = chars;
+    q_tree_foreach(tree, check_order, &p);
+
+    q_tree_unref(tree);
+    tree = q_tree_new(my_compare);
+
+    scrambled = g_strdup(chars);
+
+    for (i = 0; i < 30; i++) {
+        gchar tmp;
+        gint a, b;
+
+        a = g_random_int_range(0, strlen(scrambled));
+        b = g_random_int_range(0, strlen(scrambled));
+        tmp = scrambled[a];
+        scrambled[a] = scrambled[b];
+        scrambled[b] = tmp;
+    }
+
+    for (i = 0; scrambled[i]; i++) {
+        q_tree_insert(tree, &scrambled[i], &scrambled[i]);
+    }
+    p = chars;
+    q_tree_foreach(tree, check_order, &p);
+
+    g_free(scrambled);
+    q_tree_unref(tree);
+}
+
+int main(int argc, char *argv[])
+{
+    g_test_init(&argc, &argv, NULL);
+
+    g_test_add_func("/qtree/search", test_tree_search);
+    g_test_add_func("/qtree/remove", test_tree_remove);
+    g_test_add_func("/qtree/destroy", test_tree_destroy);
+    g_test_add_func("/qtree/insert", test_tree_insert);
+
+    return g_test_run();
+}
diff --git a/util/qtree.c b/util/qtree.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/util/qtree.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * GLIB - Library of useful routines for C programming
+ * Copyright (C) 1995-1997  Peter Mattis, Spencer Kimball and Josh MacDonald
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/*
+ * Modified by the GLib Team and others 1997-2000.  See the AUTHORS
+ * file for a list of people on the GLib Team.  See the ChangeLog
+ * files for a list of changes.  These files are distributed with
+ * GLib at ftp://ftp.gtk.org/pub/gtk/.
+ */
+
+/*
+ * MT safe
+ */
+
+#include "qemu/osdep.h"
+#include "qemu/qtree.h"
+
+/**
+ * SECTION:trees-binary
+ * @title: Balanced Binary Trees
+ * @short_description: a sorted collection of key/value pairs optimized
+ *                     for searching and traversing in order
+ *
+ * The #QTree structure and its associated functions provide a sorted
+ * collection of key/value pairs optimized for searching and traversing
+ * in order. This means that most of the operations  (access, search,
+ * insertion, deletion, ...) on #QTree are O(log(n)) in average and O(n)
+ * in worst case for time complexity. But, note that maintaining a
+ * balanced sorted #QTree of n elements is done in time O(n log(n)).
+ *
+ * To create a new #QTree use q_tree_new().
+ *
+ * To insert a key/value pair into a #QTree use q_tree_insert()
+ * (O(n log(n))).
+ *
+ * To remove a key/value pair use q_tree_remove() (O(n log(n))).
+ *
+ * To look up the value corresponding to a given key, use
+ * q_tree_lookup() and q_tree_lookup_extended().
+ *
+ * To find out the number of nodes in a #QTree, use q_tree_nnodes(). To
+ * get the height of a #QTree, use q_tree_height().
+ *
+ * To traverse a #QTree, calling a function for each node visited in
+ * the traversal, use q_tree_foreach().
+ *
+ * To destroy a #QTree, use q_tree_destroy().
+ **/
+
+#define MAX_GTREE_HEIGHT 40
+
+/**
+ * QTree:
+ *
+ * The QTree struct is an opaque data structure representing a
+ * [balanced binary tree][glib-Balanced-Binary-Trees]. It should be
+ * accessed only by using the following functions.
+ */
+struct _QTree {
+    QTreeNode        *root;
+    GCompareDataFunc  key_compare;
+    GDestroyNotify    key_destroy_func;
+    GDestroyNotify    value_destroy_func;
+    gpointer          key_compare_data;
+    guint             nnodes;
+    gint              ref_count;
+};
+
+struct _QTreeNode {
+    gpointer   key;         /* key for this node */
+    gpointer   value;       /* value stored at this node */
+    QTreeNode *left;        /* left subtree */
+    QTreeNode *right;       /* right subtree */
+    gint8      balance;     /* height (right) - height (left) */
+    guint8     left_child;
+    guint8     right_child;
+};
+
+
+static QTreeNode *q_tree_node_new(gpointer       key,
+                                  gpointer       value);
+static QTreeNode *q_tree_insert_internal(QTree *tree,
+                                         gpointer key,
+                                         gpointer value,
+                                         gboolean replace);
+static gboolean   q_tree_remove_internal(QTree         *tree,
+                                         gconstpointer  key,
+                                         gboolean       steal);
+static QTreeNode *q_tree_node_balance(QTreeNode     *node);
+static QTreeNode *q_tree_find_node(QTree         *tree,
+                                   gconstpointer  key);
+static QTreeNode *q_tree_node_search(QTreeNode *node,
+                                     GCompareFunc search_func,
+                                     gconstpointer data);
+static QTreeNode *q_tree_node_rotate_left(QTreeNode     *node);
+static QTreeNode *q_tree_node_rotate_right(QTreeNode     *node);
+#ifdef Q_TREE_DEBUG
+static void       q_tree_node_check(QTreeNode     *node);
+#endif
+
+static QTreeNode*
+q_tree_node_new(gpointer key,
+                gpointer value)
+{
+    QTreeNode *node = g_new(QTreeNode, 1);
+
+    node->balance = 0;
+    node->left = NULL;
+    node->right = NULL;
+    node->left_child = FALSE;
+    node->right_child = FALSE;
+    node->key = key;
+    node->value = value;
+
+    return node;
+}
+
+/**
+ * q_tree_new:
+ * @key_compare_func: the function used to order the nodes in the #QTree.
+ *   It should return values similar to the standard strcmp() function -
+ *   0 if the two arguments are equal, a negative value if the first argument
+ *   comes before the second, or a positive value if the first argument comes
+ *   after the second.
+ *
+ * Creates a new #QTree.
+ *
+ * Returns: a newly allocated #QTree
+ */
+QTree *
+q_tree_new(GCompareFunc key_compare_func)
+{
+    g_return_val_if_fail(key_compare_func != NULL, NULL);
+
+    return q_tree_new_full((GCompareDataFunc) key_compare_func, NULL,
+                           NULL, NULL);
+}
+
+/**
+ * q_tree_new_with_data:
+ * @key_compare_func: qsort()-style comparison function
+ * @key_compare_data: data to pass to comparison function
+ *
+ * Creates a new #QTree with a comparison function that accepts user data.
+ * See q_tree_new() for more details.
+ *
+ * Returns: a newly allocated #QTree
+ */
+QTree *
+q_tree_new_with_data(GCompareDataFunc key_compare_func,
+                     gpointer         key_compare_data)
+{
+    g_return_val_if_fail(key_compare_func != NULL, NULL);
+
+    return q_tree_new_full(key_compare_func, key_compare_data,
+                           NULL, NULL);
+}
+
+/**
+ * q_tree_new_full:
+ * @key_compare_func: qsort()-style comparison function
+ * @key_compare_data: data to pass to comparison function
+ * @key_destroy_func: a function to free the memory allocated for the key
+ *   used when removing the entry from the #QTree or %NULL if you don't
+ *   want to supply such a function
+ * @value_destroy_func: a function to free the memory allocated for the
+ *   value used when removing the entry from the #QTree or %NULL if you
+ *   don't want to supply such a function
+ *
+ * Creates a new #QTree like q_tree_new() and allows to specify functions
+ * to free the memory allocated for the key and value that get called when
+ * removing the entry from the #QTree.
+ *
+ * Returns: a newly allocated #QTree
+ */
+QTree *
+q_tree_new_full(GCompareDataFunc key_compare_func,
+                gpointer         key_compare_data,
+                GDestroyNotify   key_destroy_func,
+                GDestroyNotify   value_destroy_func)
+{
+    QTree *tree;
+
+    g_return_val_if_fail(key_compare_func != NULL, NULL);
+
+    tree = g_new(QTree, 1);
+    tree->root               = NULL;
+    tree->key_compare        = key_compare_func;
+    tree->key_destroy_func   = key_destroy_func;
+    tree->value_destroy_func = value_destroy_func;
+    tree->key_compare_data   = key_compare_data;
+    tree->nnodes             = 0;
+    tree->ref_count          = 1;
+
+    return tree;
+}
+
+/**
+ * q_tree_node_first:
+ * @tree: a #QTree
+ *
+ * Returns the first in-order node of the tree, or %NULL
+ * for an empty tree.
+ *
+ * Returns: (nullable) (transfer none): the first node in the tree
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_node_first(QTree *tree)
+{
+    QTreeNode *tmp;
+
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    if (!tree->root) {
+        return NULL;
+    }
+
+    tmp = tree->root;
+
+    while (tmp->left_child) {
+        tmp = tmp->left;
+    }
+
+    return tmp;
+}
+
+/**
+ * q_tree_node_previous
+ * @node: a #QTree node
+ *
+ * Returns the previous in-order node of the tree, or %NULL
+ * if the passed node was already the first one.
+ *
+ * Returns: (nullable) (transfer none): the previous node in the tree
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_node_previous(QTreeNode *node)
+{
+    QTreeNode *tmp;
+
+    g_return_val_if_fail(node != NULL, NULL);
+
+    tmp = node->left;
+
+    if (node->left_child) {
+        while (tmp->right_child) {
+            tmp = tmp->right;
+        }
+    }
+
+    return tmp;
+}
+
+/**
+ * q_tree_node_next
+ * @node: a #QTree node
+ *
+ * Returns the next in-order node of the tree, or %NULL
+ * if the passed node was already the last one.
+ *
+ * Returns: (nullable) (transfer none): the next node in the tree
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_node_next(QTreeNode *node)
+{
+    QTreeNode *tmp;
+
+    g_return_val_if_fail(node != NULL, NULL);
+
+    tmp = node->right;
+
+    if (node->right_child) {
+        while (tmp->left_child) {
+            tmp = tmp->left;
+        }
+    }
+
+    return tmp;
+}
+
+/**
+ * q_tree_remove_all:
+ * @tree: a #QTree
+ *
+ * Removes all nodes from a #QTree and destroys their keys and values,
+ * then resets the #QTree’s root to %NULL.
+ *
+ * Since: 2.70 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static void
+q_tree_remove_all(QTree *tree)
+{
+    QTreeNode *node;
+    QTreeNode *next;
+
+    g_return_if_fail(tree != NULL);
+
+    node = q_tree_node_first(tree);
+
+    while (node) {
+        next = q_tree_node_next(node);
+
+        if (tree->key_destroy_func) {
+            tree->key_destroy_func(node->key);
+        }
+        if (tree->value_destroy_func) {
+            tree->value_destroy_func(node->value);
+        }
+        g_free(node);
+
+#ifdef Q_TREE_DEBUG
+        g_assert(tree->nnodes > 0);
+        tree->nnodes--;
+#endif
+
+        node = next;
+    }
+
+#ifdef Q_TREE_DEBUG
+    g_assert(tree->nnodes == 0);
+#endif
+
+    tree->root = NULL;
+#ifndef Q_TREE_DEBUG
+    tree->nnodes = 0;
+#endif
+}
+
+/**
+ * q_tree_ref:
+ * @tree: a #QTree
+ *
+ * Increments the reference count of @tree by one.
+ *
+ * It is safe to call this function from any thread.
+ *
+ * Returns: the passed in #QTree
+ *
+ * Since: 2.22
+ */
+QTree *
+q_tree_ref(QTree *tree)
+{
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    g_atomic_int_inc(&tree->ref_count);
+
+    return tree;
+}
+
+/**
+ * q_tree_unref:
+ * @tree: a #QTree
+ *
+ * Decrements the reference count of @tree by one.
+ * If the reference count drops to 0, all keys and values will
+ * be destroyed (if destroy functions were specified) and all
+ * memory allocated by @tree will be released.
+ *
+ * It is safe to call this function from any thread.
+ *
+ * Since: 2.22
+ */
+void
+q_tree_unref(QTree *tree)
+{
+    g_return_if_fail(tree != NULL);
+
+    if (g_atomic_int_dec_and_test(&tree->ref_count)) {
+        q_tree_remove_all(tree);
+        g_free(tree);
+    }
+}
+
+/**
+ * q_tree_destroy:
+ * @tree: a #QTree
+ *
+ * Removes all keys and values from the #QTree and decreases its
+ * reference count by one. If keys and/or values are dynamically
+ * allocated, you should either free them first or create the #QTree
+ * using q_tree_new_full(). In the latter case the destroy functions
+ * you supplied will be called on all keys and values before destroying
+ * the #QTree.
+ */
+void
+q_tree_destroy(QTree *tree)
+{
+    g_return_if_fail(tree != NULL);
+
+    q_tree_remove_all(tree);
+    q_tree_unref(tree);
+}
+
+/**
+ * q_tree_insert_node:
+ * @tree: a #QTree
+ * @key: the key to insert
+ * @value: the value corresponding to the key
+ *
+ * Inserts a key/value pair into a #QTree.
+ *
+ * If the given key already exists in the #QTree its corresponding value
+ * is set to the new value. If you supplied a @value_destroy_func when
+ * creating the #QTree, the old value is freed using that function. If
+ * you supplied a @key_destroy_func when creating the #QTree, the passed
+ * key is freed using that function.
+ *
+ * The tree is automatically 'balanced' as new key/value pairs are added,
+ * so that the distance from the root to every leaf is as small as possible.
+ * The cost of maintaining a balanced tree while inserting new key/value
+ * result in a O(n log(n)) operation where most of the other operations
+ * are O(log(n)).
+ *
+ * Returns: (transfer none): the inserted (or set) node.
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_insert_node(QTree    *tree,
+                   gpointer  key,
+                   gpointer  value)
+{
+    QTreeNode *node;
+
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    node = q_tree_insert_internal(tree, key, value, FALSE);
+
+#ifdef Q_TREE_DEBUG
+    q_tree_node_check(tree->root);
+#endif
+
+    return node;
+}
+
+/**
+ * q_tree_insert:
+ * @tree: a #QTree
+ * @key: the key to insert
+ * @value: the value corresponding to the key
+ *
+ * Inserts a key/value pair into a #QTree.
+ *
+ * Inserts a new key and value into a #QTree as q_tree_insert_node() does,
+ * only this function does not return the inserted or set node.
+ */
+void
+q_tree_insert(QTree    *tree,
+              gpointer  key,
+              gpointer  value)
+{
+    q_tree_insert_node(tree, key, value);
+}
+
+/**
+ * q_tree_replace_node:
+ * @tree: a #QTree
+ * @key: the key to insert
+ * @value: the value corresponding to the key
+ *
+ * Inserts a new key and value into a #QTree similar to q_tree_insert_node().
+ * The difference is that if the key already exists in the #QTree, it gets
+ * replaced by the new key. If you supplied a @value_destroy_func when
+ * creating the #QTree, the old value is freed using that function. If you
+ * supplied a @key_destroy_func when creating the #QTree, the old key is
+ * freed using that function.
+ *
+ * The tree is automatically 'balanced' as new key/value pairs are added,
+ * so that the distance from the root to every leaf is as small as possible.
+ *
+ * Returns: (transfer none): the inserted (or set) node.
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_replace_node(QTree    *tree,
+                    gpointer  key,
+                    gpointer  value)
+{
+    QTreeNode *node;
+
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    node = q_tree_insert_internal(tree, key, value, TRUE);
+
+#ifdef Q_TREE_DEBUG
+    q_tree_node_check(tree->root);
+#endif
+
+    return node;
+}
+
+/**
+ * q_tree_replace:
+ * @tree: a #QTree
+ * @key: the key to insert
+ * @value: the value corresponding to the key
+ *
+ * Inserts a new key and value into a #QTree as q_tree_replace_node() does,
+ * only this function does not return the inserted or set node.
+ */
+void
+q_tree_replace(QTree    *tree,
+               gpointer  key,
+               gpointer  value)
+{
+    q_tree_replace_node(tree, key, value);
+}
+
+/* internal insert routine */
+static QTreeNode *
+q_tree_insert_internal(QTree    *tree,
+                       gpointer  key,
+                       gpointer  value,
+                       gboolean  replace)
+{
+    QTreeNode *node, *retnode;
+    QTreeNode *path[MAX_GTREE_HEIGHT];
+    int idx;
+
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    if (!tree->root) {
+        tree->root = q_tree_node_new(key, value);
+        tree->nnodes++;
+        return tree->root;
+    }
+
+    idx = 0;
+    path[idx++] = NULL;
+    node = tree->root;
+
+    while (1) {
+        int cmp = tree->key_compare(key, node->key, tree->key_compare_data);
+
+        if (cmp == 0) {
+            if (tree->value_destroy_func) {
+                tree->value_destroy_func(node->value);
+            }
+
+            node->value = value;
+
+            if (replace) {
+                if (tree->key_destroy_func) {
+                    tree->key_destroy_func(node->key);
+                }
+
+                node->key = key;
+            } else {
+                /* free the passed key */
+                if (tree->key_destroy_func) {
+                    tree->key_destroy_func(key);
+                }
+            }
+
+            return node;
+        } else if (cmp < 0) {
+            if (node->left_child) {
+                path[idx++] = node;
+                node = node->left;
+            } else {
+                QTreeNode *child = q_tree_node_new(key, value);
+
+                child->left = node->left;
+                child->right = node;
+                node->left = child;
+                node->left_child = TRUE;
+                node->balance -= 1;
+
+                tree->nnodes++;
+
+                retnode = child;
+                break;
+            }
+        } else {
+            if (node->right_child) {
+                path[idx++] = node;
+                node = node->right;
+            } else {
+                QTreeNode *child = q_tree_node_new(key, value);
+
+                child->right = node->right;
+                child->left = node;
+                node->right = child;
+                node->right_child = TRUE;
+                node->balance += 1;
+
+                tree->nnodes++;
+
+                retnode = child;
+                break;
+            }
+        }
+    }
+
+    /*
+     * Restore balance. This is the goodness of a non-recursive
+     * implementation, when we are done with balancing we 'break'
+     * the loop and we are done.
+     */
+    while (1) {
+        QTreeNode *bparent = path[--idx];
+        gboolean left_node = (bparent && node == bparent->left);
+        g_assert(!bparent || bparent->left == node || bparent->right == node);
+
+        if (node->balance < -1 || node->balance > 1) {
+            node = q_tree_node_balance(node);
+            if (bparent == NULL) {
+                tree->root = node;
+            } else if (left_node) {
+                bparent->left = node;
+            } else {
+                bparent->right = node;
+            }
+        }
+
+        if (node->balance == 0 || bparent == NULL) {
+            break;
+        }
+
+        if (left_node) {
+            bparent->balance -= 1;
+        } else {
+            bparent->balance += 1;
+        }
+
+        node = bparent;
+    }
+
+    return retnode;
+}
+
+/**
+ * q_tree_remove:
+ * @tree: a #QTree
+ * @key: the key to remove
+ *
+ * Removes a key/value pair from a #QTree.
+ *
+ * If the #QTree was created using q_tree_new_full(), the key and value
+ * are freed using the supplied destroy functions, otherwise you have to
+ * make sure that any dynamically allocated values are freed yourself.
+ * If the key does not exist in the #QTree, the function does nothing.
+ *
+ * The cost of maintaining a balanced tree while removing a key/value
+ * result in a O(n log(n)) operation where most of the other operations
+ * are O(log(n)).
+ *
+ * Returns: %TRUE if the key was found (prior to 2.8, this function
+ *     returned nothing)
+ */
+gboolean
+q_tree_remove(QTree         *tree,
+              gconstpointer  key)
+{
+    gboolean removed;
+
+    g_return_val_if_fail(tree != NULL, FALSE);
+
+    removed = q_tree_remove_internal(tree, key, FALSE);
+
+#ifdef Q_TREE_DEBUG
+    q_tree_node_check(tree->root);
+#endif
+
+    return removed;
+}
+
+/**
+ * q_tree_steal:
+ * @tree: a #QTree
+ * @key: the key to remove
+ *
+ * Removes a key and its associated value from a #QTree without calling
+ * the key and value destroy functions.
+ *
+ * If the key does not exist in the #QTree, the function does nothing.
+ *
+ * Returns: %TRUE if the key was found (prior to 2.8, this function
+ *     returned nothing)
+ */
+gboolean
+q_tree_steal(QTree         *tree,
+             gconstpointer  key)
+{
+    gboolean removed;
+
+    g_return_val_if_fail(tree != NULL, FALSE);
+
+    removed = q_tree_remove_internal(tree, key, TRUE);
+
+#ifdef Q_TREE_DEBUG
+    q_tree_node_check(tree->root);
+#endif
+
+    return removed;
+}
+
+/* internal remove routine */
+static gboolean
+q_tree_remove_internal(QTree         *tree,
+                       gconstpointer  key,
+                       gboolean       steal)
+{
+    QTreeNode *node, *parent, *balance;
+    QTreeNode *path[MAX_GTREE_HEIGHT];
+    int idx;
+    gboolean left_node;
+
+    g_return_val_if_fail(tree != NULL, FALSE);
+
+    if (!tree->root) {
+        return FALSE;
+    }
+
+    idx = 0;
+    path[idx++] = NULL;
+    node = tree->root;
+
+    while (1) {
+        int cmp = tree->key_compare(key, node->key, tree->key_compare_data);
+
+        if (cmp == 0) {
+            break;
+        } else if (cmp < 0) {
+            if (!node->left_child) {
+                return FALSE;
+            }
+
+            path[idx++] = node;
+            node = node->left;
+        } else {
+            if (!node->right_child) {
+                return FALSE;
+            }
+
+            path[idx++] = node;
+            node = node->right;
+        }
+    }
+
+    /*
+     * The following code is almost equal to q_tree_remove_node,
+     * except that we do not have to call q_tree_node_parent.
+     */
+    balance = parent = path[--idx];
+    g_assert(!parent || parent->left == node || parent->right == node);
+    left_node = (parent && node == parent->left);
+
+    if (!node->left_child) {
+        if (!node->right_child) {
+            if (!parent) {
+                tree->root = NULL;
+            } else if (left_node) {
+                parent->left_child = FALSE;
+                parent->left = node->left;
+                parent->balance += 1;
+            } else {
+                parent->right_child = FALSE;
+                parent->right = node->right;
+                parent->balance -= 1;
+            }
+        } else {
+            /* node has a right child */
+            QTreeNode *tmp = q_tree_node_next(node);
+            tmp->left = node->left;
+
+            if (!parent) {
+                tree->root = node->right;
+            } else if (left_node) {
+                parent->left = node->right;
+                parent->balance += 1;
+            } else {
+                parent->right = node->right;
+                parent->balance -= 1;
+            }
+        }
+    } else {
+        /* node has a left child */
+        if (!node->right_child) {
+            QTreeNode *tmp = q_tree_node_previous(node);
+            tmp->right = node->right;
+
+            if (parent == NULL) {
+                tree->root = node->left;
+            } else if (left_node) {
+                parent->left = node->left;
+                parent->balance += 1;
+            } else {
+                parent->right = node->left;
+                parent->balance -= 1;
+            }
+        } else {
+            /* node has a both children (pant, pant!) */
+            QTreeNode *prev = node->left;
+            QTreeNode *next = node->right;
+            QTreeNode *nextp = node;
+            int old_idx = idx + 1;
+            idx++;
+
+            /* path[idx] == parent */
+            /* find the immediately next node (and its parent) */
+            while (next->left_child) {
+                path[++idx] = nextp = next;
+                next = next->left;
+            }
+
+            path[old_idx] = next;
+            balance = path[idx];
+
+            /* remove 'next' from the tree */
+            if (nextp != node) {
+                if (next->right_child) {
+                    nextp->left = next->right;
+                } else {
+                    nextp->left_child = FALSE;
+                }
+                nextp->balance += 1;
+
+                next->right_child = TRUE;
+                next->right = node->right;
+            } else {
+                node->balance -= 1;
+            }
+
+            /* set the prev to point to the right place */
+            while (prev->right_child) {
+                prev = prev->right;
+            }
+            prev->right = next;
+
+            /* prepare 'next' to replace 'node' */
+            next->left_child = TRUE;
+            next->left = node->left;
+            next->balance = node->balance;
+
+            if (!parent) {
+                tree->root = next;
+            } else if (left_node) {
+                parent->left = next;
+            } else {
+                parent->right = next;
+            }
+        }
+    }
+
+    /* restore balance */
+    if (balance) {
+        while (1) {
+            QTreeNode *bparent = path[--idx];
+            g_assert(!bparent ||
+                     bparent->left == balance ||
+                     bparent->right == balance);
+            left_node = (bparent && balance == bparent->left);
+
+            if (balance->balance < -1 || balance->balance > 1) {
+                balance = q_tree_node_balance(balance);
+                if (!bparent) {
+                    tree->root = balance;
+                } else if (left_node) {
+                    bparent->left = balance;
+                } else {
+                    bparent->right = balance;
+                }
+            }
+
+            if (balance->balance != 0 || !bparent) {
+                break;
+            }
+
+            if (left_node) {
+                bparent->balance += 1;
+            } else {
+                bparent->balance -= 1;
+            }
+
+            balance = bparent;
+        }
+    }
+
+    if (!steal) {
+        if (tree->key_destroy_func) {
+            tree->key_destroy_func(node->key);
+        }
+        if (tree->value_destroy_func) {
+            tree->value_destroy_func(node->value);
+        }
+    }
+
+    g_free(node);
+
+    tree->nnodes--;
+
+    return TRUE;
+}
+
+/**
+ * q_tree_lookup_node:
+ * @tree: a #QTree
+ * @key: the key to look up
+ *
+ * Gets the tree node corresponding to the given key. Since a #QTree is
+ * automatically balanced as key/value pairs are added, key lookup
+ * is O(log n) (where n is the number of key/value pairs in the tree).
+ *
+ * Returns: (nullable) (transfer none): the tree node corresponding to
+ *          the key, or %NULL if the key was not found
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_lookup_node(QTree         *tree,
+                   gconstpointer  key)
+{
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    return q_tree_find_node(tree, key);
+}
+
+/**
+ * q_tree_lookup:
+ * @tree: a #QTree
+ * @key: the key to look up
+ *
+ * Gets the value corresponding to the given key. Since a #QTree is
+ * automatically balanced as key/value pairs are added, key lookup
+ * is O(log n) (where n is the number of key/value pairs in the tree).
+ *
+ * Returns: the value corresponding to the key, or %NULL
+ *     if the key was not found
+ */
+gpointer
+q_tree_lookup(QTree         *tree,
+              gconstpointer  key)
+{
+    QTreeNode *node;
+
+    node = q_tree_lookup_node(tree, key);
+
+    return node ? node->value : NULL;
+}
+
+/**
+ * q_tree_lookup_extended:
+ * @tree: a #QTree
+ * @lookup_key: the key to look up
+ * @orig_key: (out) (optional) (nullable): returns the original key
+ * @value: (out) (optional) (nullable): returns the value associated with
+ *         the key
+ *
+ * Looks up a key in the #QTree, returning the original key and the
+ * associated value. This is useful if you need to free the memory
+ * allocated for the original key, for example before calling
+ * q_tree_remove().
+ *
+ * Returns: %TRUE if the key was found in the #QTree
+ */
+gboolean
+q_tree_lookup_extended(QTree         *tree,
+                       gconstpointer  lookup_key,
+                       gpointer      *orig_key,
+                       gpointer      *value)
+{
+    QTreeNode *node;
+
+    g_return_val_if_fail(tree != NULL, FALSE);
+
+    node = q_tree_find_node(tree, lookup_key);
+
+    if (node) {
+        if (orig_key) {
+            *orig_key = node->key;
+        }
+        if (value) {
+            *value = node->value;
+        }
+        return TRUE;
+    } else {
+        return FALSE;
+    }
+}
+
+/**
+ * q_tree_foreach:
+ * @tree: a #QTree
+ * @func: the function to call for each node visited.
+ *     If this function returns %TRUE, the traversal is stopped.
+ * @user_data: user data to pass to the function
+ *
+ * Calls the given function for each of the key/value pairs in the #QTree.
+ * The function is passed the key and value of each pair, and the given
+ * @data parameter. The tree is traversed in sorted order.
+ *
+ * The tree may not be modified while iterating over it (you can't
+ * add/remove items). To remove all items matching a predicate, you need
+ * to add each item to a list in your #GTraverseFunc as you walk over
+ * the tree, then walk the list and remove each item.
+ */
+void
+q_tree_foreach(QTree         *tree,
+               GTraverseFunc  func,
+               gpointer       user_data)
+{
+    QTreeNode *node;
+
+    g_return_if_fail(tree != NULL);
+
+    if (!tree->root) {
+        return;
+    }
+
+    node = q_tree_node_first(tree);
+
+    while (node) {
+        if ((*func)(node->key, node->value, user_data)) {
+            break;
+        }
+
+        node = q_tree_node_next(node);
+    }
+}
+
+/**
+ * q_tree_search_node:
+ * @tree: a #QTree
+ * @search_func: a function used to search the #QTree
+ * @user_data: the data passed as the second argument to @search_func
+ *
+ * Searches a #QTree using @search_func.
+ *
+ * The @search_func is called with a pointer to the key of a key/value
+ * pair in the tree, and the passed in @user_data. If @search_func returns
+ * 0 for a key/value pair, then the corresponding node is returned as
+ * the result of q_tree_search(). If @search_func returns -1, searching
+ * will proceed among the key/value pairs that have a smaller key; if
+ * @search_func returns 1, searching will proceed among the key/value
+ * pairs that have a larger key.
+ *
+ * Returns: (nullable) (transfer none): the node corresponding to the
+ *          found key, or %NULL if the key was not found
+ *
+ * Since: 2.68 in GLib. Internal in Qtree, i.e. not in the public API.
+ */
+static QTreeNode *
+q_tree_search_node(QTree         *tree,
+                   GCompareFunc   search_func,
+                   gconstpointer  user_data)
+{
+    g_return_val_if_fail(tree != NULL, NULL);
+
+    if (!tree->root) {
+        return NULL;
+    }
+
+    return q_tree_node_search(tree->root, search_func, user_data);
+}
+
+/**
+ * q_tree_search:
+ * @tree: a #QTree
+ * @search_func: a function used to search the #QTree
+ * @user_data: the data passed as the second argument to @search_func
+ *
+ * Searches a #QTree using @search_func.
+ *
+ * The @search_func is called with a pointer to the key of a key/value
+ * pair in the tree, and the passed in @user_data. If @search_func returns
+ * 0 for a key/value pair, then the corresponding value is returned as
+ * the result of q_tree_search(). If @search_func returns -1, searching
+ * will proceed among the key/value pairs that have a smaller key; if
+ * @search_func returns 1, searching will proceed among the key/value
+ * pairs that have a larger key.
+ *
+ * Returns: the value corresponding to the found key, or %NULL
+ *     if the key was not found
+ */
+gpointer
+q_tree_search(QTree         *tree,
+              GCompareFunc   search_func,
+              gconstpointer  user_data)
+{
+    QTreeNode *node;
+
+    node = q_tree_search_node(tree, search_func, user_data);
+
+    return node ? node->value : NULL;
+}
+
+/**
+ * q_tree_height:
+ * @tree: a #QTree
+ *
+ * Gets the height of a #QTree.
+ *
+ * If the #QTree contains no nodes, the height is 0.
+ * If the #QTree contains only one root node the height is 1.
+ * If the root node has children the height is 2, etc.
+ *
+ * Returns: the height of @tree
+ */
+gint
+q_tree_height(QTree *tree)
+{
+    QTreeNode *node;
+    gint height;
+
+    g_return_val_if_fail(tree != NULL, 0);
+
+    if (!tree->root) {
+        return 0;
+    }
+
+    height = 0;
+    node = tree->root;
+
+    while (1) {
+        height += 1 + MAX(node->balance, 0);
+
+        if (!node->left_child) {
+            return height;
+        }
+
+        node = node->left;
+    }
+}
+
+/**
+ * q_tree_nnodes:
+ * @tree: a #QTree
+ *
+ * Gets the number of nodes in a #QTree.
+ *
+ * Returns: the number of nodes in @tree
+ */
+gint
+q_tree_nnodes(QTree *tree)
+{
+    g_return_val_if_fail(tree != NULL, 0);
+
+    return tree->nnodes;
+}
+
+static QTreeNode *
+q_tree_node_balance(QTreeNode *node)
+{
+    if (node->balance < -1) {
+        if (node->left->balance > 0) {
+            node->left = q_tree_node_rotate_left(node->left);
+        }
+        node = q_tree_node_rotate_right(node);
+    } else if (node->balance > 1) {
+        if (node->right->balance < 0) {
+            node->right = q_tree_node_rotate_right(node->right);
+        }
+        node = q_tree_node_rotate_left(node);
+    }
+
+    return node;
+}
+
+static QTreeNode *
+q_tree_find_node(QTree        *tree,
+                 gconstpointer key)
+{
+    QTreeNode *node;
+    gint cmp;
+
+    node = tree->root;
+    if (!node) {
+        return NULL;
+    }
+
+    while (1) {
+        cmp = tree->key_compare(key, node->key, tree->key_compare_data);
+        if (cmp == 0) {
+            return node;
+        } else if (cmp < 0) {
+            if (!node->left_child) {
+                return NULL;
+            }
+
+            node = node->left;
+        } else {
+            if (!node->right_child) {
+                return NULL;
+            }
+
+            node = node->right;
+        }
+    }
+}
+
+static QTreeNode *
+q_tree_node_search(QTreeNode     *node,
+                   GCompareFunc   search_func,
+                   gconstpointer  data)
+{
+    gint dir;
+
+    if (!node) {
+        return NULL;
+    }
+
+    while (1) {
+        dir = (*search_func)(node->key, data);
+        if (dir == 0) {
+            return node;
+        } else if (dir < 0) {
+            if (!node->left_child) {
+                return NULL;
+            }
+
+            node = node->left;
+        } else {
+            if (!node->right_child) {
+                return NULL;
+            }
+
+            node = node->right;
+        }
+    }
+}
+
+static QTreeNode *
+q_tree_node_rotate_left(QTreeNode *node)
+{
+    QTreeNode *right;
+    gint a_bal;
+    gint b_bal;
+
+    right = node->right;
+
+    if (right->left_child) {
+        node->right = right->left;
+    } else {
+        node->right_child = FALSE;
+        right->left_child = TRUE;
+    }
+    right->left = node;
+
+    a_bal = node->balance;
+    b_bal = right->balance;
+
+    if (b_bal <= 0) {
+        if (a_bal >= 1) {
+            right->balance = b_bal - 1;
+        } else {
+            right->balance = a_bal + b_bal - 2;
+        }
+        node->balance = a_bal - 1;
+    } else {
+        if (a_bal <= b_bal) {
+            right->balance = a_bal - 2;
+        } else {
+            right->balance = b_bal - 1;
+        }
+        node->balance = a_bal - b_bal - 1;
+    }
+
+    return right;
+}
+
+static QTreeNode *
+q_tree_node_rotate_right(QTreeNode *node)
+{
+    QTreeNode *left;
+    gint a_bal;
+    gint b_bal;
+
+    left = node->left;
+
+    if (left->right_child) {
+        node->left = left->right;
+    } else {
+        node->left_child = FALSE;
+        left->right_child = TRUE;
+    }
+    left->right = node;
+
+    a_bal = node->balance;
+    b_bal = left->balance;
+
+    if (b_bal <= 0) {
+        if (b_bal > a_bal) {
+            left->balance = b_bal + 1;
+        } else {
+            left->balance = a_bal + 2;
+        }
+        node->balance = a_bal - b_bal + 1;
+    } else {
+        if (a_bal <= -1) {
+            left->balance = b_bal + 1;
+        } else {
+            left->balance = a_bal + b_bal + 2;
+        }
+        node->balance = a_bal + 1;
+    }
+
+    return left;
+}
+
+#ifdef Q_TREE_DEBUG
+static gint
+q_tree_node_height(QTreeNode *node)
+{
+    gint left_height;
+    gint right_height;
+
+    if (node) {
+        left_height = 0;
+        right_height = 0;
+
+        if (node->left_child) {
+            left_height = q_tree_node_height(node->left);
+        }
+
+        if (node->right_child) {
+            right_height = q_tree_node_height(node->right);
+        }
+
+        return MAX(left_height, right_height) + 1;
+    }
+
+    return 0;
+}
+
+static void q_tree_node_check(QTreeNode *node)
+{
+    gint left_height;
+    gint right_height;
+    gint balance;
+    QTreeNode *tmp;
+
+    if (node) {
+        if (node->left_child) {
+            tmp = q_tree_node_previous(node);
+            g_assert(tmp->right == node);
+        }
+
+        if (node->right_child) {
+            tmp = q_tree_node_next(node);
+            g_assert(tmp->left == node);
+        }
+
+        left_height = 0;
+        right_height = 0;
+
+        if (node->left_child) {
+            left_height = q_tree_node_height(node->left);
+        }
+        if (node->right_child) {
+            right_height = q_tree_node_height(node->right);
+        }
+
+        balance = right_height - left_height;
+        g_assert(balance == node->balance);
+
+        if (node->left_child) {
+            q_tree_node_check(node->left);
+        }
+        if (node->right_child) {
+            q_tree_node_check(node->right);
+        }
+    }
+}
+#endif
diff --git a/tests/bench/meson.build b/tests/bench/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/bench/meson.build
+++ b/tests/bench/meson.build
@@ -XXX,XX +XXX,XX @@ xbzrle_bench = executable('xbzrle-bench',
                        dependencies: [qemuutil,migration])
 endif
 
+qtree_bench = executable('qtree-bench',
+                         sources: 'qtree-bench.c',
+                         dependencies: [qemuutil])
+
 executable('atomic_add-bench',
            sources: files('atomic_add-bench.c'),
            dependencies: [qemuutil],
diff --git a/tests/unit/meson.build b/tests/unit/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/tests/unit/meson.build
+++ b/tests/unit/meson.build
@@ -XXX,XX +XXX,XX @@ tests = {
   'test-rcu-slist': [],
   'test-qdist': [],
   'test-qht': [],
+  'test-qtree': [],
   'test-bitops': [],
   'test-bitcnt': [],
   'test-qgraph': ['../qtest/libqos/qgraph.c'],
diff --git a/util/meson.build b/util/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/util/meson.build
+++ b/util/meson.build
@@ -XXX,XX +XXX,XX @@ util_ss.add(when: 'CONFIG_WIN32', if_true: files('oslib-win32.c'))
 util_ss.add(when: 'CONFIG_WIN32', if_true: files('qemu-thread-win32.c'))
 util_ss.add(when: 'CONFIG_WIN32', if_true: winmm)
 util_ss.add(when: 'CONFIG_WIN32', if_true: pathcch)
+util_ss.add(when: 'HAVE_GLIB_WITH_SLICE_ALLOCATOR', if_true: files('qtree.c'))
 util_ss.add(files('envlist.c', 'path.c', 'module.c'))
 util_ss.add(files('host-utils.c'))
 util_ss.add(files('bitmap.c', 'bitops.c'))
-- 
2.34.1

From: Emilio Cota <cota@braap.org>

qemu-user can hang in a multi-threaded fork. One common
reason is that when creating a TB, between fork and exec
we manipulate a GTree whose memory allocator (GSlice) is
not fork-safe.

Although POSIX does not mandate it, the system's allocator
(e.g. tcmalloc, libc malloc) is probably fork-safe.

Fix some of these hangs by using QTree, which uses the system's
allocator regardless of the Glib version that we used at
configuration time.

Tested with the test program in the original bug report, i.e.:
```

void garble() {
  int pid = fork();
  if (pid == 0) {
    exit(0);
  } else {
    int wstatus;
    waitpid(pid, &wstatus, 0);
  }
}

void supragarble(unsigned depth) {
  if (depth == 0)
    return ;

std::thread a(supragarble, depth-1);
  std::thread b(supragarble, depth-1);
  garble();
  a.join();
  b.join();
}

int main() {
  supragarble(10);
}
```

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/285
Reported-by: Valentin David <me@valentindavid.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Emilio Cota <cota@braap.org>
Message-Id: <20230205163758.416992-3-cota@braap.org>
[rth: Add QEMU_DISABLE_CFI for all callback using functions.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/tb-maint.c | 17 +++++++++--------
 tcg/region.c         | 19 ++++++++++---------
 util/qtree.c         |  8 ++++----
 3 files changed, 23 insertions(+), 21 deletions(-)

diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -XXX,XX +XXX,XX @@
 
 #include "qemu/osdep.h"
 #include "qemu/interval-tree.h"
+#include "qemu/qtree.h"
 #include "exec/cputlb.h"
 #include "exec/log.h"
 #include "exec/exec-all.h"
@@ -XXX,XX +XXX,XX @@ struct page_entry {
  * See also: page_collection_lock().
  */
 struct page_collection {
-    GTree *tree;
+    QTree *tree;
     struct page_entry *max;
 };
 
@@ -XXX,XX +XXX,XX @@ static bool page_trylock_add(struct page_collection *set, tb_page_addr_t addr)
     struct page_entry *pe;
     PageDesc *pd;
 
-    pe = g_tree_lookup(set->tree, &index);
+    pe = q_tree_lookup(set->tree, &index);
     if (pe) {
         return false;
     }
@@ -XXX,XX +XXX,XX @@ static bool page_trylock_add(struct page_collection *set, tb_page_addr_t addr)
     }
 
     pe = page_entry_new(pd, index);
-    g_tree_insert(set->tree, &pe->index, pe);
+    q_tree_insert(set->tree, &pe->index, pe);
 
     /*
      * If this is either (1) the first insertion or (2) a page whose index
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
     end   >>= TARGET_PAGE_BITS;
     g_assert(start <= end);
 
-    set->tree = g_tree_new_full(tb_page_addr_cmp, NULL, NULL,
+    set->tree = q_tree_new_full(tb_page_addr_cmp, NULL, NULL,
                                 page_entry_destroy);
     set->max = NULL;
     assert_no_pages_locked();
 
  retry:
-    g_tree_foreach(set->tree, page_entry_lock, NULL);
+    q_tree_foreach(set->tree, page_entry_lock, NULL);
 
     for (index = start; index <= end; index++) {
         TranslationBlock *tb;
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
             continue;
         }
         if (page_trylock_add(set, index << TARGET_PAGE_BITS)) {
-            g_tree_foreach(set->tree, page_entry_unlock, NULL);
+            q_tree_foreach(set->tree, page_entry_unlock, NULL);
             goto retry;
         }
         assert_page_locked(pd);
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
                 (tb_page_addr1(tb) != -1 &&
                  page_trylock_add(set, tb_page_addr1(tb)))) {
                 /* drop all locks, and reacquire in order */
-                g_tree_foreach(set->tree, page_entry_unlock, NULL);
+                q_tree_foreach(set->tree, page_entry_unlock, NULL);
                 goto retry;
             }
         }
@@ -XXX,XX +XXX,XX @@ static struct page_collection *page_collection_lock(tb_page_addr_t start,
 static void page_collection_unlock(struct page_collection *set)
 {
     /* entries are unlocked and freed via page_entry_destroy */
-    g_tree_destroy(set->tree);
+    q_tree_destroy(set->tree);
     g_free(set);
 }
 
diff --git a/tcg/region.c b/tcg/region.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/region.c
+++ b/tcg/region.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/mprotect.h"
 #include "qemu/memalign.h"
 #include "qemu/cacheinfo.h"
+#include "qemu/qtree.h"
 #include "qapi/error.h"
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
@@ -XXX,XX +XXX,XX @@
 
 struct tcg_region_tree {
     QemuMutex lock;
-    GTree *tree;
+    QTree *tree;
     /* padding to avoid false sharing is computed at run-time */
 };
 
@@ -XXX,XX +XXX,XX @@ static void tcg_region_trees_init(void)
         struct tcg_region_tree *rt = region_trees + i * tree_size;
 
         qemu_mutex_init(&rt->lock);
-        rt->tree = g_tree_new_full(tb_tc_cmp, NULL, NULL, tb_destroy);
+        rt->tree = q_tree_new_full(tb_tc_cmp, NULL, NULL, tb_destroy);
     }
 }
 
@@ -XXX,XX +XXX,XX @@ void tcg_tb_insert(TranslationBlock *tb)
 
     g_assert(rt != NULL);
     qemu_mutex_lock(&rt->lock);
-    g_tree_insert(rt->tree, &tb->tc, tb);
+    q_tree_insert(rt->tree, &tb->tc, tb);
     qemu_mutex_unlock(&rt->lock);
 }
 
@@ -XXX,XX +XXX,XX @@ void tcg_tb_remove(TranslationBlock *tb)
 
     g_assert(rt != NULL);
     qemu_mutex_lock(&rt->lock);
-    g_tree_remove(rt->tree, &tb->tc);
+    q_tree_remove(rt->tree, &tb->tc);
     qemu_mutex_unlock(&rt->lock);
 }
 
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tcg_tb_lookup(uintptr_t tc_ptr)
     }
 
     qemu_mutex_lock(&rt->lock);
-    tb = g_tree_lookup(rt->tree, &s);
+    tb = q_tree_lookup(rt->tree, &s);
     qemu_mutex_unlock(&rt->lock);
     return tb;
 }
@@ -XXX,XX +XXX,XX @@ void tcg_tb_foreach(GTraverseFunc func, gpointer user_data)
     for (i = 0; i < region.n; i++) {
         struct tcg_region_tree *rt = region_trees + i * tree_size;
 
-        g_tree_foreach(rt->tree, func, user_data);
+        q_tree_foreach(rt->tree, func, user_data);
     }
     tcg_region_tree_unlock_all();
 }
@@ -XXX,XX +XXX,XX @@ size_t tcg_nb_tbs(void)
     for (i = 0; i < region.n; i++) {
         struct tcg_region_tree *rt = region_trees + i * tree_size;
 
-        nb_tbs += g_tree_nnodes(rt->tree);
+        nb_tbs += q_tree_nnodes(rt->tree);
     }
     tcg_region_tree_unlock_all();
     return nb_tbs;
@@ -XXX,XX +XXX,XX @@ static void tcg_region_tree_reset_all(void)
         struct tcg_region_tree *rt = region_trees + i * tree_size;
 
         /* Increment the refcount first so that destroy acts as a reset */
-        g_tree_ref(rt->tree);
-        g_tree_destroy(rt->tree);
+        q_tree_ref(rt->tree);
+        q_tree_destroy(rt->tree);
     }
     tcg_region_tree_unlock_all();
 }
diff --git a/util/qtree.c b/util/qtree.c
index XXXXXXX..XXXXXXX 100644
--- a/util/qtree.c
+++ b/util/qtree.c
@@ -XXX,XX +XXX,XX @@ q_tree_node_next(QTreeNode *node)
  *
  * Since: 2.70 in GLib. Internal in Qtree, i.e. not in the public API.
  */
-static void
+static void QEMU_DISABLE_CFI
 q_tree_remove_all(QTree *tree)
 {
     QTreeNode *node;
@@ -XXX,XX +XXX,XX @@ q_tree_replace(QTree    *tree,
 }
 
 /* internal insert routine */
-static QTreeNode *
+static QTreeNode * QEMU_DISABLE_CFI
 q_tree_insert_internal(QTree    *tree,
                        gpointer  key,
                        gpointer  value,
@@ -XXX,XX +XXX,XX @@ q_tree_steal(QTree         *tree,
 }
 
 /* internal remove routine */
-static gboolean
+static gboolean QEMU_DISABLE_CFI
 q_tree_remove_internal(QTree         *tree,
                        gconstpointer  key,
                        gboolean       steal)
@@ -XXX,XX +XXX,XX @@ q_tree_node_balance(QTreeNode *node)
     return node;
 }
 
-static QTreeNode *
+static QTreeNode * QEMU_DISABLE_CFI
 q_tree_find_node(QTree        *tree,
                  gconstpointer key)
 {
-- 
2.34.1

We have been enforcing host page alignment for the non-R
fallback of MAX_RESERVED_VA, but failing to enforce for -R.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/main.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/linux-user/main.c b/linux-user/main.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/main.c
+++ b/linux-user/main.c
@@ -XXX,XX +XXX,XX @@ int main(int argc, char **argv, char **envp)
      */
     max_reserved_va = MAX_RESERVED_VA(cpu);
     if (reserved_va != 0) {
+        if (reserved_va % qemu_host_page_size) {
+            char *s = size_to_str(qemu_host_page_size);
+            fprintf(stderr, "Reserved virtual address not aligned mod %s\n", s);
+            g_free(s);
+            exit(EXIT_FAILURE);
+        }
         if (max_reserved_va && reserved_va > max_reserved_va) {
             fprintf(stderr, "Reserved virtual address too big\n");
             exit(EXIT_FAILURE);
-- 
2.34.1