Series comparison

-[PATCH v2 00/10] tcg: breakpoint reorg
+[PATCH for-6.1 v5 00/15] tcg: breakpoint reorg
 This is fixing #404 ("windows xp boot takes much longer...")
 and several other similar reports.
-For v2, all prerequisites and 7 of the patches from v1 with
+Changes for v5:
-reviews are now upstream.
+  * Include missing hunk in tb_gen_code, as noted in reply to v4.
   * Remove helper_check_breakpoints from target/arm/.
   * Reorg cflags_for_breakpoints into check_for_breakpoints;
     reorg cpu_exec to use a break instead of a longjmp.
   * Move singlestep_enabled check from cflags_for_breakpoints
     to curr_cflags, which makes cpu_exec_step_atomic cleaner.
-Mark Cave-Ayland reported success with WinXP with v1, with
+Changes for v4:
-this patch set being even faster than b55f54bc~1.  Which was
+  * Issue breakpoints directly from cflags_for_breakpoints.
-a bit of a surprise, but I'll take it.  It means that it's
+    Do not generate code for a TB beginning with a BP at all.
-probably not worth making the breakpoint detection scheme
+  * Drop the problematic TranslatorOps.breakpoint_check hook entirely.
 any more complicated.
-I'd still like some more feedback.  Given this is fixing a
+Changes for v3:
-regression from qemu 5.2 I feel comfortable delaying this
+  * Map CF_COUNT_MASK == 0 -> TCG_MAX_INSNS.
-past soft freeze, but not past hard freeze on the 20th.
+  * Split out *_breakpoint_check fixes for avr, mips, riscv.
 Changes for v2:
   * All prerequisites and 7 of the patches from v1 with are merged.
 Patches lacking review are all new:
 -target-alpha-Drop-goto_tb-path-in-gen_call_pal.patch
 -hw-core-Introduce-TCGCPUOps.debug_check_breakpoin.patch
 -target-arm-Implement-debug_check_breakpoint.patch
 -target-i386-Implement-debug_check_breakpoint.patch
 -accel-tcg-Merge-tb_find-into-its-only-caller.patch
 -accel-tcg-Move-breakpoint-recognition-outside-tra.patch
 -accel-tcg-Remove-TranslatorOps.breakpoint_check.patch
 -accel-tcg-Record-singlestep_enabled-in-tb-cflags.patch
 r~
-Richard Henderson (10):
+Richard Henderson (15):
   accel/tcg: Reduce CF_COUNT_MASK to match TCG_MAX_INSNS
   accel/tcg: Move curr_cflags into cpu-exec.c
+  target/alpha: Drop goto_tb path in gen_call_pal
   accel/tcg: Add CF_NO_GOTO_TB and CF_NO_GOTO_PTR
   accel/tcg: Drop CF_NO_GOTO_PTR from -d nochain
   accel/tcg: Handle -singlestep in curr_cflags
-  accel/tcg: Use CF_NO_GOTO_{TB,PTR} in cpu_exec_step_atomic
+  accel/tcg: Use CF_NO_GOTO_{TB, PTR} in cpu_exec_step_atomic
-  accel/tcg: Move cflags lookup into tb_find
+  hw/core: Introduce TCGCPUOps.debug_check_breakpoint
-  accel/tcg: Adjust interface of TranslatorOps.breakpoint_check
+  target/arm: Implement debug_check_breakpoint
   target/i386: Implement debug_check_breakpoint
   accel/tcg: Merge tb_find into its only caller
   accel/tcg: Move breakpoint recognition outside translation
   accel/tcg: Remove TranslatorOps.breakpoint_check
   accel/tcg: Hoist tb_cflags to a local in translator_loop
-  accel/tcg: Encode breakpoint info into tb->cflags
+  accel/tcg: Record singlestep_enabled in tb->cflags
- include/exec/exec-all.h       |  30 +++++---
+ include/exec/exec-all.h       |  24 +++--
- include/exec/translator.h     |  17 +++--
+ include/exec/translator.h     |  11 --
- accel/tcg/cpu-exec.c          | 130 ++++++++++++++++++++++++++++------
+ include/hw/core/tcg-cpu-ops.h |   6 ++
  target/arm/helper.h           |   2 -
  target/arm/internals.h        |   3 +
  accel/tcg/cpu-exec.c          | 192 +++++++++++++++++++++++++---------
  accel/tcg/translate-all.c     |   7 +-
- accel/tcg/translator.c        |  79 ++++++++++++++-------
+ accel/tcg/translator.c        |  39 ++-----
- cpu.c                         |  24 -------
+ cpu.c                         |  24 -----
- target/alpha/translate.c      |  12 +---
+ target/alpha/translate.c      |  31 +-----
- target/arm/translate-a64.c    |  14 ++--
+ target/arm/cpu.c              |   1 +
- target/arm/translate.c        |  20 +++---
+ target/arm/cpu_tcg.c          |   1 +
- target/avr/translate.c        |   6 +-
+ target/arm/debug_helper.c     |  12 +--
- target/cris/translate.c       |  14 ++--
+ target/arm/translate-a64.c    |  25 -----
- target/hexagon/translate.c    |  13 +---
+ target/arm/translate.c        |  29 -----
- target/hppa/translate.c       |   7 +-
+ target/avr/translate.c        |  10 --
- target/i386/tcg/translate.c   |  15 ++--
+ target/cris/translate.c       |  20 ----
- target/m68k/translate.c       |  14 +---
+ target/hexagon/translate.c    |  17 ---
- target/microblaze/translate.c |  14 +---
+ target/hppa/translate.c       |  11 --
- target/mips/tcg/translate.c   |  14 ++--
+ target/i386/tcg/tcg-cpu.c     |  12 +++
- target/nios2/translate.c      |  13 +---
+ target/i386/tcg/translate.c   |  28 -----
- target/openrisc/translate.c   |  11 +--
+ target/m68k/translate.c       |  18 ----
- target/ppc/translate.c        |  13 +---
+ target/microblaze/translate.c |  18 ----
- target/riscv/translate.c      |  11 +--
+ target/mips/tcg/translate.c   |  19 ----
- target/rx/translate.c         |   8 +--
+ target/nios2/translate.c      |  27 -----
- target/s390x/translate.c      |  12 ++--
+ target/openrisc/translate.c   |  17 ---
- target/sh4/translate.c        |  12 ++--
+ target/ppc/translate.c        |  18 ----
- target/sparc/translate.c      |   9 ++-
+ target/riscv/translate.c      |  17 ---
- target/tricore/translate.c    |  13 +---
+ target/rx/translate.c         |  14 ---
- target/xtensa/translate.c     |  12 ++--
+ target/s390x/tcg/translate.c  |  24 -----
- tcg/tcg-op.c                  |  28 ++++----
+ target/sh4/translate.c        |  18 ----
-files changed, 280 insertions(+), 292 deletions(-)
+ target/sparc/translate.c      |  17 ---
  target/tricore/translate.c    |  16 ---
  target/xtensa/translate.c     |  17 ---
  tcg/tcg-op.c                  |  28 +++--
 files changed, 206 insertions(+), 567 deletions(-)
 --
 .25.1

-[PATCH v2 01/10] accel/tcg: Reduce CF_COUNT_MASK to match TCG_MAX_INSNS
+[PATCH for-6.1 v5 01/15] accel/tcg: Reduce CF_COUNT_MASK to match TCG_MAX_INSNS
 The space reserved for CF_COUNT_MASK was overly large.
 Reduce to free up cflags bits and eliminate an extra test.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20210717221851.2124573-2-richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h   | 4 +++-
  accel/tcg/translate-all.c | 5 ++---
 files changed, 5 insertions(+), 4 deletions(-)
 ...
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
 @@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
+     max_insns = cflags & CF_COUNT_MASK;
      if (max_insns == 0) {
-         max_insns = CF_COUNT_MASK;
+-        max_insns = CF_COUNT_MASK;
 -    }
 -    if (max_insns > TCG_MAX_INSNS) {
          max_insns = TCG_MAX_INSNS;
      }
--    if (max_insns > TCG_MAX_INSNS) {
--        max_insns = TCG_MAX_INSNS;
--    }
 +    QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
 +
      if (cpu->singlestep_enabled || singlestep) {
          max_insns = 1;
      }
 --
 .25.1

-[PATCH v2 02/10] accel/tcg: Move curr_cflags into cpu-exec.c
+[PATCH for-6.1 v5 02/15] accel/tcg: Move curr_cflags into cpu-exec.c
 We will shortly have more than a simple member read here,
 with stuff not necessarily exposed to exec/exec-all.h.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Message-Id: <20210717221851.2124573-3-richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h | 5 +----
  accel/tcg/cpu-exec.c    | 5 +++++
 files changed, 6 insertions(+), 4 deletions(-)
 ...

-New patch
+[PATCH for-6.1 v5 03/15] target/alpha: Drop goto_tb path in gen_call_pal
+We are certain of a page crossing here, entering the
+PALcode image, so the call to use_goto_tb that should
+have been here will never succeed.
+We are shortly going to add an assert to tcg_gen_goto_tb
+that would trigger for this case.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/alpha/translate.c | 15 ++-------------
+file changed, 2 insertions(+), 13 deletions(-)
+diff --git a/target/alpha/translate.c b/target/alpha/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/alpha/translate.c
++++ b/target/alpha/translate.c
+@@ -XXX,XX +XXX,XX @@ static DisasJumpType gen_call_pal(DisasContext *ctx, int palcode)
+                   ? 0x2000 + (palcode - 0x80) * 64
+                   : 0x1000 + palcode * 64);
+-        /* Since the destination is running in PALmode, we don't really
+-           need the page permissions check.  We'll see the existence of
+-           the page when we create the TB, and we'll flush all TBs if
+-           we change the PAL base register.  */
+-        if (!ctx->base.singlestep_enabled) {
+-            tcg_gen_goto_tb(0);
+-            tcg_gen_movi_i64(cpu_pc, entry);
+-            tcg_gen_exit_tb(ctx->base.tb, 0);
+-            return DISAS_NORETURN;
+-        } else {
+-            tcg_gen_movi_i64(cpu_pc, entry);
+-            return DISAS_PC_UPDATED;
+-        }
++        tcg_gen_movi_i64(cpu_pc, entry);
++        return DISAS_PC_UPDATED;
+     }
+ #endif
+ }
+--
+.25.1

-[PATCH v2 03/10] accel/tcg: Add CF_NO_GOTO_TB and CF_NO_GOTO_PTR
+[PATCH for-6.1 v5 04/15] accel/tcg: Add CF_NO_GOTO_TB and CF_NO_GOTO_PTR
 ...
 Set bits during curr_cflags, test them in translator_use_goto_tb,
 assert we're not doing anything odd in tcg_gen_goto_tb.  The test
 in tcg_gen_exit_tb is redundant with the assert for goto_tb_issue_mask.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20210717221851.2124573-4-richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h | 16 +++++++++-------
  accel/tcg/cpu-exec.c    |  8 +++++++-
  accel/tcg/translator.c  |  5 +++++
  tcg/tcg-op.c            | 28 ++++++++++++----------------
 ...

-[PATCH v2 04/10] accel/tcg: Drop CF_NO_GOTO_PTR from -d nochain
+[PATCH for-6.1 v5 05/15] accel/tcg: Drop CF_NO_GOTO_PTR from -d nochain
 The purpose of suppressing goto_ptr from -d nochain had been
 to return to the main loop so that -d cpu would be recognized.
 But we now include -d cpu logging in helper_lookup_tb_ptr so
 there is no need to exclude goto_ptr.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20210717221851.2124573-5-richard.henderson@linaro.org>
 ---
  accel/tcg/cpu-exec.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 ...

-[PATCH v2 05/10] accel/tcg: Handle -singlestep in curr_cflags
+[PATCH for-6.1 v5 06/15] accel/tcg: Handle -singlestep in curr_cflags
 Exchange the test in translator_use_goto_tb for CF_NO_GOTO_TB,
 and the test in tb_gen_code for setting CF_COUNT_MASK to 1.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20210717221851.2124573-6-richard.henderson@linaro.org>
 ---
  accel/tcg/cpu-exec.c      | 8 +++++++-
  accel/tcg/translate-all.c | 2 +-
  accel/tcg/translator.c    | 2 +-
 files changed, 9 insertions(+), 3 deletions(-)
 ...

-[PATCH v2 06/10] accel/tcg: Use CF_NO_GOTO_{TB, PTR} in cpu_exec_step_atomic
+[PATCH for-6.1 v5 07/15] accel/tcg: Use CF_NO_GOTO_{TB, PTR} in cpu_exec_step_atomic
 Request that the one TB returns immediately, so that
 we release the exclusive lock as soon as possible.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Message-Id: <20210717221851.2124573-7-richard.henderson@linaro.org>
 ---
  accel/tcg/cpu-exec.c | 11 ++++++++---
 file changed, 8 insertions(+), 3 deletions(-)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 ...

-New patch
+[PATCH for-6.1 v5 08/15] hw/core: Introduce TCGCPUOps.debug_check_breakpoint
+New hook to return true when an architectural breakpoint is
+to be recognized and false when it should be suppressed.
+First use must wait until other pieces are in place.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ include/hw/core/tcg-cpu-ops.h | 6 ++++++
+file changed, 6 insertions(+)
+diff --git a/include/hw/core/tcg-cpu-ops.h b/include/hw/core/tcg-cpu-ops.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/hw/core/tcg-cpu-ops.h
++++ b/include/hw/core/tcg-cpu-ops.h
+@@ -XXX,XX +XXX,XX @@ struct TCGCPUOps {
+      */
+     bool (*debug_check_watchpoint)(CPUState *cpu, CPUWatchpoint *wp);
++    /**
++     * @debug_check_breakpoint: return true if the architectural
++     * breakpoint whose PC has matched should really fire.
++     */
++    bool (*debug_check_breakpoint)(CPUState *cpu);
++
+     /**
+      * @io_recompile_replay_branch: Callback for cpu_io_recompile.
+      *
+--
+.25.1

-New patch
+[PATCH for-6.1 v5 09/15] target/arm: Implement debug_check_breakpoint
+Reuse the code at the bottom of helper_check_breakpoints,
+which is what we currently call from *_tr_breakpoint_check.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/arm/internals.h    | 3 +++
+ target/arm/cpu.c          | 1 +
+ target/arm/cpu_tcg.c      | 1 +
+ target/arm/debug_helper.c | 7 +++----
+files changed, 8 insertions(+), 4 deletions(-)
+diff --git a/target/arm/internals.h b/target/arm/internals.h
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/internals.h
++++ b/target/arm/internals.h
+@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n);
+  */
+ void hw_breakpoint_update_all(ARMCPU *cpu);
++/* Callback function for checking if a breakpoint should trigger. */
++bool arm_debug_check_breakpoint(CPUState *cs);
++
+ /* Callback function for checking if a watchpoint should trigger. */
+ bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp);
+diff --git a/target/arm/cpu.c b/target/arm/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu.c
++++ b/target/arm/cpu.c
+@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps arm_tcg_ops = {
+     .do_unaligned_access = arm_cpu_do_unaligned_access,
+     .adjust_watchpoint_address = arm_adjust_watchpoint_address,
+     .debug_check_watchpoint = arm_debug_check_watchpoint,
++    .debug_check_breakpoint = arm_debug_check_breakpoint,
+ #endif /* !CONFIG_USER_ONLY */
+ };
+ #endif /* CONFIG_TCG */
+diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/cpu_tcg.c
++++ b/target/arm/cpu_tcg.c
+@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps arm_v7m_tcg_ops = {
+     .do_unaligned_access = arm_cpu_do_unaligned_access,
+     .adjust_watchpoint_address = arm_adjust_watchpoint_address,
+     .debug_check_watchpoint = arm_debug_check_watchpoint,
++    .debug_check_breakpoint = arm_debug_check_breakpoint,
+ #endif /* !CONFIG_USER_ONLY */
+ };
+ #endif /* CONFIG_TCG */
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/debug_helper.c
++++ b/target/arm/debug_helper.c
+@@ -XXX,XX +XXX,XX @@ static bool check_watchpoints(ARMCPU *cpu)
+     return false;
+ }
+-static bool check_breakpoints(ARMCPU *cpu)
++bool arm_debug_check_breakpoint(CPUState *cs)
+ {
++    ARMCPU *cpu = ARM_CPU(cs);
+     CPUARMState *env = &cpu->env;
+     int n;
+@@ -XXX,XX +XXX,XX @@ static bool check_breakpoints(ARMCPU *cpu)
+ void HELPER(check_breakpoints)(CPUARMState *env)
+ {
+-    ARMCPU *cpu = env_archcpu(env);
+-
+-    if (check_breakpoints(cpu)) {
++    if (arm_debug_check_breakpoint(env_cpu(env))) {
+         HELPER(exception_internal(env, EXCP_DEBUG));
+     }
+ }
+--
+.25.1

-New patch
+[PATCH for-6.1 v5 10/15] target/i386: Implement debug_check_breakpoint
+Return false for RF set, as we do in i386_tr_breakpoint_check.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/i386/tcg/tcg-cpu.c | 12 ++++++++++++
+file changed, 12 insertions(+)
+diff --git a/target/i386/tcg/tcg-cpu.c b/target/i386/tcg/tcg-cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/i386/tcg/tcg-cpu.c
++++ b/target/i386/tcg/tcg-cpu.c
+@@ -XXX,XX +XXX,XX @@ static void x86_cpu_synchronize_from_tb(CPUState *cs,
+     cpu->env.eip = tb->pc - tb->cs_base;
+ }
++#ifndef CONFIG_USER_ONLY
++static bool x86_debug_check_breakpoint(CPUState *cs)
++{
++    X86CPU *cpu = X86_CPU(cs);
++    CPUX86State *env = &cpu->env;
++
++    /* RF disables all architectural breakpoints. */
++    return !(env->eflags & RF_MASK);
++}
++#endif
++
+ #include "hw/core/tcg-cpu-ops.h"
+ static const struct TCGCPUOps x86_tcg_ops = {
+@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps x86_tcg_ops = {
+     .tlb_fill = x86_cpu_tlb_fill,
+ #ifndef CONFIG_USER_ONLY
+     .debug_excp_handler = breakpoint_handler,
++    .debug_check_breakpoint = x86_debug_check_breakpoint,
+ #endif /* !CONFIG_USER_ONLY */
+ };
+--
+.25.1

-[PATCH v2 07/10] accel/tcg: Move cflags lookup into tb_find
+[PATCH for-6.1 v5 11/15] accel/tcg: Merge tb_find into its only caller
-We will shortly require the guest pc for computing cflags,
+We are going to want two things:
-so move the choice just after cpu_get_tb_cpu_state.
+(1) check for breakpoints will want to break out of the loop here,
 (2) cflags can only be calculated with pc in hand.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cpu-exec.c | 34 +++++++++++++++++-----------------
+ accel/tcg/cpu-exec.c | 83 ++++++++++++++++++++++----------------------
-file changed, 17 insertions(+), 17 deletions(-)
+file changed, 41 insertions(+), 42 deletions(-)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
 @@ -XXX,XX +XXX,XX @@ static inline void tb_add_jump(TranslationBlock *tb, int n,
+     return;
- static inline TranslationBlock *tb_find(CPUState *cpu,
+ }
-                                         TranslationBlock *last_tb,
 -static inline TranslationBlock *tb_find(CPUState *cpu,
 -                                        TranslationBlock *last_tb,
 -                                        int tb_exit, uint32_t cflags)
-+                                        int tb_exit)
+-{
 -    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
 -    TranslationBlock *tb;
 -    target_ulong cs_base, pc;
 -    uint32_t flags;
 -
 -    cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 -
 -    tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
 -    if (tb == NULL) {
 -        mmap_lock();
 -        tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
 -        mmap_unlock();
 -        /* We add the TB in the virtual pc hash table for the fast lookup */
 -        qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
 -    }
 -#ifndef CONFIG_USER_ONLY
 -    /* We don't take care of direct jumps when address mapping changes in
 -     * system emulation. So it's not safe to make a direct jump to a TB
 -     * spanning two pages because the mapping for the second page can change.
 -     */
 -    if (tb->page_addr[1] != -1) {
 -        last_tb = NULL;
 -    }
 -#endif
 -    /* See if we can patch the calling TB. */
 -    if (last_tb) {
 -        tb_add_jump(last_tb, tb_exit, tb);
 -    }
 -    return tb;
 -}
 -
  static inline bool cpu_handle_halt(CPUState *cpu)
  {
-     CPUArchState *env = (CPUArchState *)cpu->env_ptr;
+     if (cpu->halted) {
      TranslationBlock *tb;
      target_ulong cs_base, pc;
 -    uint32_t flags;
 +    uint32_t flags, cflags;
      cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 +    /*
 +     * When requested, use an exact setting for cflags for the next
 +     * execution.  This is used for icount, precise smc, and stop-
 +     * after-access watchpoints.  Since this request should never
 +     * have CF_INVALID set, -1 is a convenient invalid value that
 +     * does not require tcg headers for cpu_common_reset.
 +     */
 +    cflags = cpu->cflags_next_tb;
 +    if (cflags == -1) {
 +        cflags = curr_cflags(cpu);
 +    } else {
 +        cpu->cflags_next_tb = -1;
 +    }
 +
      tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
      if (tb == NULL) {
          mmap_lock();
 @@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
          int tb_exit = 0;
          while (!cpu_handle_interrupt(cpu, &last_tb)) {
 -            uint32_t cflags = cpu->cflags_next_tb;
--            TranslationBlock *tb;
+             TranslationBlock *tb;
--
++            target_ulong cs_base, pc;
 +            uint32_t flags, cflags;
 -            /* When requested, use an exact setting for cflags for the next
 -               execution.  This is used for icount, precise smc, and stop-
 -               after-access watchpoints.  Since this request should never
 -               have CF_INVALID set, -1 is a convenient invalid value that
 -               does not require tcg headers for cpu_common_reset.  */
--            if (cflags == -1) {
++            /*
--                cflags = curr_cflags(cpu);
++             * When requested, use an exact setting for cflags for the next
--            } else {
++             * execution.  This is used for icount, precise smc, and stop-
--                cpu->cflags_next_tb = -1;
++             * after-access watchpoints.  Since this request should never
--            }
++             * have CF_INVALID set, -1 is a convenient invalid value that
--
++             * does not require tcg headers for cpu_common_reset.
 +             */
 +            cflags = cpu->cflags_next_tb;
              if (cflags == -1) {
                  cflags = curr_cflags(cpu);
              } else {
                  cpu->cflags_next_tb = -1;
              }
 -            tb = tb_find(cpu, last_tb, tb_exit, cflags);
-+            TranslationBlock *tb = tb_find(cpu, last_tb, tb_exit);
++            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
 +
 +            tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
 +            if (tb == NULL) {
 +                mmap_lock();
 +                tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
 +                mmap_unlock();
 +                /*
 +                 * We add the TB in the virtual pc hash table
 +                 * for the fast lookup
 +                 */
 +                qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
 +            }
 +
 +#ifndef CONFIG_USER_ONLY
 +            /*
 +             * We don't take care of direct jumps when address mapping
 +             * changes in system emulation.  So it's not safe to make a
 +             * direct jump to a TB spanning two pages because the mapping
 +             * for the second page can change.
 +             */
 +            if (tb->page_addr[1] != -1) {
 +                last_tb = NULL;
 +            }
 +#endif
 +            /* See if we can patch the calling TB. */
 +            if (last_tb) {
 +                tb_add_jump(last_tb, tb_exit, tb);
 +            }
 +
              cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);
++
              /* Try to align the host and virtual clocks
                 if the guest is in advance */
+             align_clocks(&sc, cpu);
 --
 .25.1

-[PATCH v2 10/10] accel/tcg: Encode breakpoint info into tb->cflags
+[PATCH for-6.1 v5 12/15] accel/tcg: Move breakpoint recognition outside translation
-Having this data in cflags means that hashing takes care
+Trigger breakpoints before beginning translation of a TB
-of selecting a TB with or without exceptions built in.
+that would begin with a BP.  Thus we never generate code
-Which means that we no longer need to flush all TBs.
+for the BP at all.
-This does require that we single-step while we're within a page
+Single-step instructions within a page containing a BP so
-that contains a breakpoint, so it's not yet ideal, but should be
+that we are sure to check each insn for the BP as above.
-an improvement over some corner-case slowdowns.
+We no longer need to flush any TBs when changing BPs.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/286
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/404
+Resolves: https://gitlab.com/qemu-project/qemu/-/issues/489
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/exec-all.h   |  7 ++++
+ accel/tcg/cpu-exec.c   | 78 ++++++++++++++++++++++++++++++++++++++++--
- accel/tcg/cpu-exec.c      | 68 ++++++++++++++++++++++++++++++-
+ accel/tcg/translator.c | 24 +------------
- accel/tcg/translate-all.c |  4 --
+ cpu.c                  | 20 -----------
- accel/tcg/translator.c    | 85 +++++++++++++++++++++------------------
+files changed, 76 insertions(+), 46 deletions(-)
- cpu.c                     | 24 -----------
 files changed, 119 insertions(+), 69 deletions(-)
 diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/exec-all.h
 +++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
  #define CF_USE_ICOUNT    0x00020000
  #define CF_INVALID       0x00040000 /* TB is stale. Set with @jmp_lock held */
  #define CF_PARALLEL      0x00080000 /* Generate code for a parallel context */
 +#define CF_BP_MASK       0x00300000 /* See below */
 +#define CF_BP_SHIFT      20
  #define CF_CLUSTER_MASK  0xff000000 /* Top 8 bits are cluster ID */
  #define CF_CLUSTER_SHIFT 24
 +#define CF_BP_NONE       (0 << CF_BP_SHIFT) /* TB does not interact with BPs */
 +#define CF_BP_SSTEP      (1 << CF_BP_SHIFT) /* gdbstub single-step in effect */
 +#define CF_BP_GDB        (2 << CF_BP_SHIFT) /* gdbstub breakpoint at tb->pc */
 +#define CF_BP_CPU        (3 << CF_BP_SHIFT) /* arch breakpoint at tb->pc */
 +
      /* Per-vCPU dynamic tracing state used to generate this TB */
      uint32_t trace_vcpu_dstate;
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
 @@ -XXX,XX +XXX,XX @@ static inline void log_cpu_exec(target_ulong pc, CPUState *cpu,
      }
  }
-+static uint32_t cflags_for_breakpoints(CPUState *cpu, target_ulong pc,
++static bool check_for_breakpoints(CPUState *cpu, target_ulong pc,
-+                                       uint32_t cflags)
++                                  uint32_t *cflags)
 +{
-+    uint32_t bflags = 0;
++    CPUBreakpoint *bp;
-+
++    bool match_page = false;
-+    if (unlikely(cpu->singlestep_enabled)) {
++
-+        bflags = CF_BP_SSTEP;
++    if (likely(QTAILQ_EMPTY(&cpu->breakpoints))) {
-+    } else {
++        return false;
-+        bool match_page = false;
++    }
-+        CPUBreakpoint *bp;
++
-+
++    QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
-+        QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
++        /*
-+            /* Note exact pc matches */
++         * If we have an exact pc match, trigger the breakpoint.
-+            if (pc == bp->pc) {
++         * Otherwise, note matches within the page.
-+                if (bp->flags & BP_GDB) {
++         */
-+                    bflags = CF_BP_GDB;
++        if (pc == bp->pc) {
-+                    break;
++            bool match_bp = false;
-+                }
++
-+                if (bp->flags & BP_CPU) {
++            if (bp->flags & BP_GDB) {
-+                    bflags = CF_BP_CPU;
++                match_bp = true;
-+                    break;
++            } else if (bp->flags & BP_CPU) {
-+                }
++#ifdef CONFIG_USER_ONLY
 +                g_assert_not_reached();
 +#else
 +                CPUClass *cc = CPU_GET_CLASS(cpu);
 +                assert(cc->tcg_ops->debug_check_breakpoint);
 +                match_bp = cc->tcg_ops->debug_check_breakpoint(cpu);
 +#endif
 +            }
-+            /* Note page matches */
++
-+            if (((pc ^ bp->pc) & TARGET_PAGE_MASK) == 0) {
++            if (match_bp) {
-+                match_page = true;
++                cpu->exception_index = EXCP_DEBUG;
 +                return true;
 +            }
++        } else if (((pc ^ bp->pc) & TARGET_PAGE_MASK) == 0) {
++            match_page = true;
 +        }
-+
-+        if (likely(!bflags)) {
-+            if (likely(!match_page)) {
-+                return cflags;
-+            }
-+
-+            /*
-+             * Within the same page as a breakpoint, single-step,
-+             * returning to helper_lookup_tb_ptr after each looking
-+             * for the actual breakpoint.
-+             *
-+             * TODO: Perhaps better to record all of the TBs associated
-+             * with a given virtual page that contains a breakpoint, and
-+             * then invalidate them when a new overlapping breakpoint is
-+             * set on the page.  Non-overlapping TBs would not be
-+             * invalidated, nor would any TB need to be invalidated as
-+             * breakpoints are removed.
-+             */
-+            bflags = CF_NO_GOTO_TB;
-+        }
 +    }
 +
 +    /*
-+     * Reduce the TB to one insn.
++     * Within the same page as a breakpoint, single-step,
-+     * In the case of a BP hit, we will be raising an exception anyway.
++     * returning to helper_lookup_tb_ptr after each looking
-+     * In the case of a page hit, return to helper_lookup_tb_ptr after
++     * for the actual breakpoint.
-+     * every insn to look for the breakpoint.
++     *
 +     * TODO: Perhaps better to record all of the TBs associated
 +     * with a given virtual page that contains a breakpoint, and
 +     * then invalidate them when a new overlapping breakpoint is
 +     * set on the page.  Non-overlapping TBs would not be
 +     * invalidated, nor would any TB need to be invalidated as
 +     * breakpoints are removed.
 +     */
-+    return (cflags & ~CF_COUNT_MASK) | 1 | bflags;
++    if (match_page) {
 +        *cflags = (*cflags & ~CF_COUNT_MASK) | CF_NO_GOTO_TB | 1;
 +    }
 +    return false;
 +}
 +
  /**
   * helper_lookup_tb_ptr: quick check for next tb
   * @env: current cpu state
 ...
 +    uint32_t flags, cflags;
      cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 -    tb = tb_lookup(cpu, pc, cs_base, flags, curr_cflags(cpu));
-+    cflags = cflags_for_breakpoints(cpu, pc, curr_cflags(cpu));
++    cflags = curr_cflags(cpu);
 +    if (check_for_breakpoints(cpu, pc, &cflags)) {
 +        cpu_loop_exit(cpu);
 +    }
 +
 +    tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
      if (tb == NULL) {
          return tcg_code_gen_epilogue;
      }
 @@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
          cflags &= ~CF_PARALLEL;
          /* After 1 insn, return and release the exclusive lock. */
          cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | 1;
-+        /* Raise any post-instruction debug exceptions. */
++        /*
-+        cflags = cflags_for_breakpoints(cpu, pc, cflags);
++         * No need to check_for_breakpoints here.
 +         * We only arrive in cpu_exec_step_atomic after beginning execution
 +         * of an insn that includes an atomic operation we can't handle.
 +         * Any breakpoint for this insn will have been recognized earlier.
 +         */
          tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
          if (tb == NULL) {
-@@ -XXX,XX +XXX,XX @@ static inline TranslationBlock *tb_find(CPUState *cpu,
+@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
-     } else {
+             target_ulong cs_base, pc;
-         cpu->cflags_next_tb = -1;
+             uint32_t flags, cflags;
-     }
-+    cflags = cflags_for_breakpoints(cpu, pc, cflags);
++            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
++
-     tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
+             /*
-     if (tb == NULL) {
+              * When requested, use an exact setting for cflags for the next
-diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
+              * execution.  This is used for icount, precise smc, and stop-
-index XXXXXXX..XXXXXXX 100644
+@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
---- a/accel/tcg/translate-all.c
+                 cpu->cflags_next_tb = -1;
-+++ b/accel/tcg/translate-all.c
+             }
-@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
-     }
+-            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
-     QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
++            if (check_for_breakpoints(cpu, pc, &cflags)) {
++                break;
--    if (cpu->singlestep_enabled) {
++            }
--        max_insns = 1;
--    }
+             tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
--
+             if (tb == NULL) {
   buffer_overflow:
      tb = tcg_tb_alloc(tcg_ctx);
      if (unlikely(!tb)) {
 diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translator.c
 +++ b/accel/tcg/translator.c
-@@ -XXX,XX +XXX,XX @@ void translator_loop_temp_check(DisasContextBase *db)
+@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
+ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
  bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
  {
 -    /* Suppress goto_tb if requested. */
 -    if (tb_cflags(db->tb) & CF_NO_GOTO_TB) {
 -        return false;
 -    }
 -
 -    /* Suppress goto_tb in the case of single-steping.  */
 -    if (db->singlestep_enabled) {
 +    /* Suppress goto_tb if requested, or required by breakpoints. */
 +    if (tb_cflags(db->tb) & (CF_NO_GOTO_TB | CF_BP_MASK)) {
          return false;
      }
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
                       CPUState *cpu, TranslationBlock *tb, int max_insns)
  {
-     uint32_t cflags = tb_cflags(tb);
+-    int bp_insn = 0;
 +    int bp_flags = 0;
      bool plugin_enabled;
      /* Initialize DisasContext */
 @@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
-     db->is_jmp = DISAS_NEXT;
+             plugin_gen_insn_start(cpu, db);
      db->num_insns = 0;
      db->max_insns = max_insns;
 -    db->singlestep_enabled = cpu->singlestep_enabled;
 +    db->singlestep_enabled = false;
 +
 +    switch (cflags & CF_BP_MASK) {
 +    case CF_BP_NONE:
 +        break;
 +    case CF_BP_SSTEP:
 +        db->singlestep_enabled = true;
 +        break;
 +    case CF_BP_GDB:
 +        bp_flags = BP_GDB;
 +        break;
 +    case CF_BP_CPU:
 +        bp_flags = BP_CPU;
 +        break;
 +    default:
 +        g_assert_not_reached();
 +    }
      ops->init_disas_context(db, cpu);
      tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
          }
-         /* Pass breakpoint hits to target for further processing */
+-        /* Pass breakpoint hits to target for further processing */
 -        if (!db->singlestep_enabled
 -            && unlikely(!QTAILQ_EMPTY(&cpu->breakpoints))) {
 -            CPUBreakpoint *bp;
 -            QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
 -                if (bp->pc == db->pc_next) {
--                    int len = ops->breakpoint_check(db, cpu, bp->flags);
+-                    if (ops->breakpoint_check(db, cpu, bp)) {
-+        if (unlikely(bp_flags)) {
+-                        bp_insn = 1;
-+            int len = ops->breakpoint_check(db, cpu, bp_flags);
+-                        break;
 -                    /*
 -                     * The breakpoint_check hook may use DISAS_TOO_MANY
 -                     * to indicate that only one more instruction is to
 -                     * be executed.  Otherwise it should use DISAS_NORETURN
 -                     * when generating an exception, but may use a
 -                     * DISAS_TARGET_* value for Something Else.
 -                     */
 -                    if (db->is_jmp > DISAS_TOO_MANY) {
 -                        /*
 -                         * The address covered by the breakpoint must be
 -                         * included in [tb->pc, tb->pc + tb->size) in order
 -                         * to for it to be properly cleared.  Thus we
 -                         * increment the PC here so that the logic setting
 -                         * tb->size below does the right thing.
 -                         */
 -                        tcg_debug_assert(len > 0);
 -                        db->pc_next += len;
 +            /*
 +             * When there is a bp hit, we're going to execute a maximum
 +             * of one instruction.  The breakpoint_check hook may use
 +             * DISAS_NEXT or DISAS_TOO_MANY to indicate that the current
 +             * instruction should be translated.  Anything else is taken
 +             * to mean that an exception has been raised and that zero
 +             * instructions will be executed.
 +             */
 +            if (db->is_jmp > DISAS_TOO_MANY) {
 +                /*
 +                 * The address covered by the breakpoint must be
 +                 * included in [tb->pc, tb->pc + tb->size) in order
 +                 * to for it to be properly cleared.  Thus we
 +                 * increment the PC here so that the logic setting
 +                 * tb->size below does the right thing.
 +                 */
 +                tcg_debug_assert(len > 0);
 +                db->pc_next += len;
 -                        /*
 -                         * The breakpoint definitely hit, so decrement the
 -                         * number of instructions completed for icount.
 -                         */
 -                        db->num_insns--;
 -                        goto done;
 -                    }
 -                }
-+                /*
+-            }
-+                 * The breakpoint definitely hit, so decrement the
+-            /* The breakpoint_check hook may use DISAS_TOO_MANY to indicate
-+                 * number of instructions completed for icount.
+-               that only one more instruction is to be executed.  Otherwise
-+                 */
+-               it should use DISAS_NORETURN when generating an exception,
-+                db->num_insns--;
+-               but may use a DISAS_TARGET_* value for Something Else.  */
-+                goto done;
+-            if (db->is_jmp > DISAS_TOO_MANY) {
-             }
+-                break;
-         }
+-            }
+-        }
 -
          /* Disassemble one instruction.  The translate_insn hook should
             update db->pc_next and db->is_jmp to indicate what should be
             done next -- either exiting this loop or locate the start of
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
      /* Emit code to exit the TB, as indicated by db->is_jmp.  */
      ops->tb_stop(db, cpu);
 -    gen_tb_end(db->tb, db->num_insns - bp_insn);
 +    gen_tb_end(db->tb, db->num_insns);
      if (plugin_enabled) {
          plugin_gen_tb_end(cpu);
 diff --git a/cpu.c b/cpu.c
 index XXXXXXX..XXXXXXX 100644
 --- a/cpu.c
 +++ b/cpu.c
 @@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(target_ulong addr)
 ...
 -    breakpoint_invalidate(cpu, bp->pc);
 -
      trace_breakpoint_remove(cpu->cpu_index, bp->pc, bp->flags);
      g_free(bp);
  }
-@@ -XXX,XX +XXX,XX @@ void cpu_single_step(CPUState *cpu, int enabled)
-         cpu->singlestep_enabled = enabled;
-         if (kvm_enabled()) {
-             kvm_update_guest_debug(cpu, 0);
--        } else {
--            /* must flush all the translated code to avoid inconsistencies */
--            /* XXX: only flush what is necessary */
--            tb_flush(cpu);
-         }
-         trace_breakpoint_singlestep(cpu->cpu_index, enabled);
-     }
 --
 .25.1

-[PATCH v2 08/10] accel/tcg: Adjust interface of TranslatorOps.breakpoint_check
+[PATCH for-6.1 v5 13/15] accel/tcg: Remove TranslatorOps.breakpoint_check
-We don't need the whole CPUBreakpoint structure in the check,
+The hook is now unused, with breakpoints checked outside translation.
 only the flags.  Return the instruction length to consolidate
 the adjustment of db->pc_next.
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/translator.h     | 17 +++++++++------
+ include/exec/translator.h     | 11 -----------
- accel/tcg/translator.c        | 40 ++++++++++++++++++++++++-----------
+ target/arm/helper.h           |  2 --
- target/alpha/translate.c      | 12 +++--------
+ target/alpha/translate.c      | 16 ----------------
- target/arm/translate-a64.c    | 14 ++++--------
+ target/arm/debug_helper.c     |  7 -------
- target/arm/translate.c        | 20 +++++++-----------
+ target/arm/translate-a64.c    | 25 -------------------------
- target/avr/translate.c        |  6 +++---
+ target/arm/translate.c        | 29 -----------------------------
- target/cris/translate.c       | 14 ++++--------
+ target/avr/translate.c        | 10 ----------
- target/hexagon/translate.c    | 13 +++---------
+ target/cris/translate.c       | 20 --------------------
- target/hppa/translate.c       |  7 +++---
+ target/hexagon/translate.c    | 17 -----------------
- target/i386/tcg/translate.c   | 15 ++++---------
+ target/hppa/translate.c       | 11 -----------
- target/m68k/translate.c       | 14 +++---------
+ target/i386/tcg/translate.c   | 28 ----------------------------
- target/microblaze/translate.c | 14 +++---------
+ target/m68k/translate.c       | 18 ------------------
- target/mips/tcg/translate.c   | 14 ++++--------
+ target/microblaze/translate.c | 18 ------------------
- target/nios2/translate.c      | 13 +++---------
+ target/mips/tcg/translate.c   | 19 -------------------
- target/openrisc/translate.c   | 11 +++-------
+ target/nios2/translate.c      | 27 ---------------------------
- target/ppc/translate.c        | 13 +++---------
+ target/openrisc/translate.c   | 17 -----------------
- target/riscv/translate.c      | 11 +++-------
+ target/ppc/translate.c        | 18 ------------------
- target/rx/translate.c         |  8 +++----
+ target/riscv/translate.c      | 17 -----------------
- target/s390x/translate.c      | 12 ++++-------
+ target/rx/translate.c         | 14 --------------
- target/sh4/translate.c        | 12 ++++-------
+ target/s390x/tcg/translate.c  | 24 ------------------------
- target/sparc/translate.c      |  9 ++++----
+ target/sh4/translate.c        | 18 ------------------
- target/tricore/translate.c    | 13 +++---------
+ target/sparc/translate.c      | 17 -----------------
- target/xtensa/translate.c     | 12 ++++-------
+ target/tricore/translate.c    | 16 ----------------
-files changed, 115 insertions(+), 199 deletions(-)
+ target/xtensa/translate.c     | 17 -----------------
 files changed, 416 deletions(-)
 diff --git a/include/exec/translator.h b/include/exec/translator.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/translator.h
 +++ b/include/exec/translator.h
 @@ -XXX,XX +XXX,XX @@ typedef struct DisasContextBase {
-  * @breakpoint_check:
+  * @insn_start:
-  *      When called, the breakpoint has already been checked to match the PC,
+  *      Emit the tcg_gen_insn_start opcode.
-  *      but the target may decide the breakpoint missed the address
+  *
 - * @breakpoint_check:
 - *      When called, the breakpoint has already been checked to match the PC,
 - *      but the target may decide the breakpoint missed the address
 - *      (e.g., due to conditions encoded in their flags).  Return true to
 - *      indicate that the breakpoint did hit, in which case no more breakpoints
 - *      are checked.  If the breakpoint did hit, emit any code required to
 - *      signal the exception, and set db->is_jmp as necessary to terminate
 - *      the main loop.
-+ *      (e.g., due to conditions encoded in their flags), in which case
+- *
 + *      db->is_jmp may be left as DISAS_NEXT or DISAS_TOO_MANY to indicate
 + *      that the insn should be translated.  Anything other than those two
 + *      will be taken to indicate an exception has been raised, but in most
 + *      cases db->is_jmp should be set to DISAS_NORETURN.
 + *
 + *      Return the minimum instruction size that should be applied to the TB.
 + *      The size of any TB cannot be zero, as that breaks the math used to
 + *      invalidate TBs.
   *
   * @translate_insn:
   *      Disassemble one instruction and set db->pc_next for the start
+  *      of the following instruction.  Set db->is_jmp as necessary to
 @@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
      void (*init_disas_context)(DisasContextBase *db, CPUState *cpu);
      void (*tb_start)(DisasContextBase *db, CPUState *cpu);
      void (*insn_start)(DisasContextBase *db, CPUState *cpu);
 -    bool (*breakpoint_check)(DisasContextBase *db, CPUState *cpu,
 -                             const CPUBreakpoint *bp);
-+    int (*breakpoint_check)(DisasContextBase *db, CPUState *cpu, int flags);
      void (*translate_insn)(DisasContextBase *db, CPUState *cpu);
      void (*tb_stop)(DisasContextBase *db, CPUState *cpu);
      void (*disas_log)(const DisasContextBase *db, CPUState *cpu);
-diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
+diff --git a/target/arm/helper.h b/target/arm/helper.h
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/translator.c
+--- a/target/arm/helper.h
-+++ b/accel/tcg/translator.c
++++ b/target/arm/helper.h
-@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
+@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(yield, void, env)
- void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
+ DEF_HELPER_1(pre_hvc, void, env)
-                      CPUState *cpu, TranslationBlock *tb, int max_insns)
+ DEF_HELPER_2(pre_smc, void, env, i32)
- {
--    int bp_insn = 0;
+-DEF_HELPER_1(check_breakpoints, void, env)
-     bool plugin_enabled;
+-
+ DEF_HELPER_3(cpsr_write, void, env, i32, i32)
-     /* Initialize DisasContext */
+ DEF_HELPER_2(cpsr_write_eret, void, env, i32)
-@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
+ DEF_HELPER_1(cpsr_read, i32, env)
              CPUBreakpoint *bp;
              QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
                  if (bp->pc == db->pc_next) {
 -                    if (ops->breakpoint_check(db, cpu, bp)) {
 -                        bp_insn = 1;
 -                        break;
 +                    int len = ops->breakpoint_check(db, cpu, bp->flags);
 +
 +                    /*
 +                     * The breakpoint_check hook may use DISAS_TOO_MANY
 +                     * to indicate that only one more instruction is to
 +                     * be executed.  Otherwise it should use DISAS_NORETURN
 +                     * when generating an exception, but may use a
 +                     * DISAS_TARGET_* value for Something Else.
 +                     */
 +                    if (db->is_jmp > DISAS_TOO_MANY) {
 +                        /*
 +                         * The address covered by the breakpoint must be
 +                         * included in [tb->pc, tb->pc + tb->size) in order
 +                         * to for it to be properly cleared.  Thus we
 +                         * increment the PC here so that the logic setting
 +                         * tb->size below does the right thing.
 +                         */
 +                        tcg_debug_assert(len > 0);
 +                        db->pc_next += len;
 +
 +                        /*
 +                         * The breakpoint definitely hit, so decrement the
 +                         * number of instructions completed for icount.
 +                         */
 +                        db->num_insns--;
 +                        goto done;
                      }
                  }
              }
 -            /* The breakpoint_check hook may use DISAS_TOO_MANY to indicate
 -               that only one more instruction is to be executed.  Otherwise
 -               it should use DISAS_NORETURN when generating an exception,
 -               but may use a DISAS_TARGET_* value for Something Else.  */
 -            if (db->is_jmp > DISAS_TOO_MANY) {
 -                break;
 -            }
          }
          /* Disassemble one instruction.  The translate_insn hook should
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
          }
      }
 + done:
      /* Emit code to exit the TB, as indicated by db->is_jmp.  */
      ops->tb_stop(db, cpu);
 -    gen_tb_end(db->tb, db->num_insns - bp_insn);
 +    gen_tb_end(db->tb, db->num_insns);
      if (plugin_enabled) {
          plugin_gen_tb_end(cpu);
 diff --git a/target/alpha/translate.c b/target/alpha/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/alpha/translate.c
 +++ b/target/alpha/translate.c
 @@ -XXX,XX +XXX,XX @@ static void alpha_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(dcbase->pc_next);
  }
 -static bool alpha_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                      const CPUBreakpoint *bp)
-+static int alpha_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                     int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    ctx->base.is_jmp = gen_excp(ctx, EXCP_DEBUG, 0);
      ctx->base.is_jmp = gen_excp(ctx, EXCP_DEBUG, 0);
 -
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size below does the right thing.  */
 -    ctx->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static void alpha_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
+     .init_disas_context = alpha_tr_init_disas_context,
+     .tb_start           = alpha_tr_tb_start,
+     .insn_start         = alpha_tr_insn_start,
+-    .breakpoint_check   = alpha_tr_breakpoint_check,
+     .translate_insn     = alpha_tr_translate_insn,
+     .tb_stop            = alpha_tr_tb_stop,
+     .disas_log          = alpha_tr_disas_log,
+diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/arm/debug_helper.c
++++ b/target/arm/debug_helper.c
+@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
+     return false;
+ }
+-void HELPER(check_breakpoints)(CPUARMState *env)
+-{
+-    if (arm_debug_check_breakpoint(env_cpu(env))) {
+-        HELPER(exception_internal(env, EXCP_DEBUG));
+-    }
+-}
+-
+ bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
+ {
+     /*
 diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate-a64.c
 +++ b/target/arm/translate-a64.c
 @@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      dc->insn_start = tcg_last_op();
  }
 -static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                        const CPUBreakpoint *bp)
-+static int aarch64_tr_breakpoint_check(DisasContextBase *dcbase,
+-{
-+                                       CPUState *cpu, int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    if (bp->flags & BP_CPU) {
-+    if (bp_flags & BP_CPU) {
+-        gen_a64_set_pc_im(dc->base.pc_next);
-         gen_a64_set_pc_im(dc->base.pc_next);
+-        gen_helper_check_breakpoints(cpu_env);
-         gen_helper_check_breakpoints(cpu_env);
+-        /* End the TB early; it likely won't be executed */
-         /* End the TB early; it likely won't be executed */
+-        dc->base.is_jmp = DISAS_TOO_MANY;
-         dc->base.is_jmp = DISAS_TOO_MANY;
+-    } else {
-     } else {
+-        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
 -        /* The address covered by the breakpoint must be
 -           included in [tb->pc, tb->pc + tb->size) in order
 -           to for it to be properly cleared -- thus we
 -           increment the PC here so that the logic setting
 -           tb->size below does the right thing.  */
 -        dc->base.pc_next += 4;
-         dc->base.is_jmp = DISAS_NORETURN;
+-        dc->base.is_jmp = DISAS_NORETURN;
-     }
+-    }
+-
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ const TranslatorOps aarch64_translator_ops = {
+     .init_disas_context = aarch64_tr_init_disas_context,
+     .tb_start           = aarch64_tr_tb_start,
+     .insn_start         = aarch64_tr_insn_start,
+-    .breakpoint_check   = aarch64_tr_breakpoint_check,
+     .translate_insn     = aarch64_tr_translate_insn,
+     .tb_stop            = aarch64_tr_tb_stop,
+     .disas_log          = aarch64_tr_disas_log,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
 @@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      dc->insn_start = tcg_last_op();
  }
 -static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                    const CPUBreakpoint *bp)
-+static int arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                   int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 -    if (bp->flags & BP_CPU) {
-+    if (bp_flags & BP_CPU) {
+-        gen_set_condexec(dc);
-         gen_set_condexec(dc);
+-        gen_set_pc_im(dc, dc->base.pc_next);
-         gen_set_pc_im(dc, dc->base.pc_next);
+-        gen_helper_check_breakpoints(cpu_env);
-         gen_helper_check_breakpoints(cpu_env);
+-        /* End the TB early; it's likely not going to be executed */
-@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-        dc->base.is_jmp = DISAS_TOO_MANY;
-         dc->base.is_jmp = DISAS_TOO_MANY;
+-    } else {
-     } else {
+-        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
          gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
 -        /* The address covered by the breakpoint must be
 -           included in [tb->pc, tb->pc + tb->size) in order
 -           to for it to be properly cleared -- thus we
 -           increment the PC here so that the logic setting
 -           tb->size below does the right thing.  */
 -        /* TODO: Advance PC by correct instruction length to
 -         * avoid disassembler error messages */
 -        dc->base.pc_next += 2;
-         dc->base.is_jmp = DISAS_NORETURN;
+-        dc->base.is_jmp = DISAS_NORETURN;
-     }
+-    }
+-
 -    return true;
-+    /*
+-}
-+     * TODO: Advance PC by correct instruction length to avoid disassembler
+-
 +     * error messages.  In the meantime, minimum instruction length.
 +     */
 +    return 2;
  }
  static bool arm_pre_translate_insn(DisasContext *dc)
+ {
+ #ifdef CONFIG_USER_ONLY
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps arm_translator_ops = {
+     .init_disas_context = arm_tr_init_disas_context,
+     .tb_start           = arm_tr_tb_start,
+     .insn_start         = arm_tr_insn_start,
+-    .breakpoint_check   = arm_tr_breakpoint_check,
+     .translate_insn     = arm_tr_translate_insn,
+     .tb_stop            = arm_tr_tb_stop,
+     .disas_log          = arm_tr_disas_log,
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
+     .init_disas_context = arm_tr_init_disas_context,
+     .tb_start           = arm_tr_tb_start,
+     .insn_start         = arm_tr_insn_start,
+-    .breakpoint_check   = arm_tr_breakpoint_check,
+     .translate_insn     = thumb_tr_translate_insn,
+     .tb_stop            = arm_tr_tb_stop,
+     .disas_log          = arm_tr_disas_log,
 diff --git a/target/avr/translate.c b/target/avr/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/avr/translate.c
 +++ b/target/avr/translate.c
 @@ -XXX,XX +XXX,XX @@ static void avr_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(ctx->npc);
  }
 -static bool avr_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                    const CPUBreakpoint *bp)
-+static int avr_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                   int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
 -
 -    gen_breakpoint(ctx);
 -    return true;
 -}
 -
  static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
  {
      DisasContext *ctx = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
-     gen_breakpoint(ctx);
+     .init_disas_context = avr_tr_init_disas_context,
--    return true;
+     .tb_start           = avr_tr_tb_start,
-+    return 2; /* minimum instruction length */
+     .insn_start         = avr_tr_insn_start,
- }
+-    .breakpoint_check   = avr_tr_breakpoint_check,
+     .translate_insn     = avr_tr_translate_insn,
- static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+     .tb_stop            = avr_tr_tb_stop,
      .disas_log          = avr_tr_disas_log,
 diff --git a/target/cris/translate.c b/target/cris/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/cris/translate.c
 +++ b/target/cris/translate.c
 @@ -XXX,XX +XXX,XX @@ static void cris_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(dc->delayed_branch == 1 ? dc->ppc | 1 : dc->pc);
  }
 -static bool cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                     const CPUBreakpoint *bp)
-+static int cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                    int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    cris_evaluate_flags(dc);
+-    tcg_gen_movi_tl(env_pc, dc->pc);
-@@ -XXX,XX +XXX,XX @@ static bool cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-    t_gen_raise_exception(EXCP_DEBUG);
-     tcg_gen_movi_tl(env_pc, dc->pc);
+-    dc->base.is_jmp = DISAS_NORETURN;
      t_gen_raise_exception(EXCP_DEBUG);
      dc->base.is_jmp = DISAS_NORETURN;
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    dc->pc += 2;
 -    return true;
-+
+-}
-+    return 2; /* minimum instruction length */
+-
  }
  static void cris_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
+     .init_disas_context = cris_tr_init_disas_context,
+     .tb_start           = cris_tr_tb_start,
+     .insn_start         = cris_tr_insn_start,
+-    .breakpoint_check   = cris_tr_breakpoint_check,
+     .translate_insn     = cris_tr_translate_insn,
+     .tb_stop            = cris_tr_tb_stop,
+     .disas_log          = cris_tr_disas_log,
 diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hexagon/translate.c
 +++ b/target/hexagon/translate.c
 @@ -XXX,XX +XXX,XX @@ static void hexagon_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(ctx->base.pc_next);
  }
 -static bool hexagon_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                        const CPUBreakpoint *bp)
-+static int hexagon_tr_breakpoint_check(DisasContextBase *dcbase,
+-{
-+                                       CPUState *cpu, int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    gen_exception_end_tb(ctx, EXCP_DEBUG);
      gen_exception_end_tb(ctx, EXCP_DEBUG);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    ctx->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum packet length */
+-}
- }
+-
  static bool pkt_crosses_page(CPUHexagonState *env, DisasContext *ctx)
+ {
+     target_ulong page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
+     .init_disas_context = hexagon_tr_init_disas_context,
+     .tb_start           = hexagon_tr_tb_start,
+     .insn_start         = hexagon_tr_insn_start,
+-    .breakpoint_check   = hexagon_tr_breakpoint_check,
+     .translate_insn     = hexagon_tr_translate_packet,
+     .tb_stop            = hexagon_tr_tb_stop,
+     .disas_log          = hexagon_tr_disas_log,
 diff --git a/target/hppa/translate.c b/target/hppa/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hppa/translate.c
 +++ b/target/hppa/translate.c
 @@ -XXX,XX +XXX,XX @@ static void hppa_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(ctx->iaoq_f, ctx->iaoq_b);
  }
 -static bool hppa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                      const CPUBreakpoint *bp)
-+static int hppa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                    int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
 -
 -    gen_excp(ctx, EXCP_DEBUG);
 -    ctx->base.pc_next += 4;
 -    return true;
 -}
 -
  static void hppa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
  {
      DisasContext *ctx = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
-     gen_excp(ctx, EXCP_DEBUG);
+     .init_disas_context = hppa_tr_init_disas_context,
--    ctx->base.pc_next += 4;
+     .tb_start           = hppa_tr_tb_start,
--    return true;
+     .insn_start         = hppa_tr_insn_start,
-+    return 4; /* minimum instruction length */
+-    .breakpoint_check   = hppa_tr_breakpoint_check,
- }
+     .translate_insn     = hppa_tr_translate_insn,
+     .tb_stop            = hppa_tr_tb_stop,
- static void hppa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+     .disas_log          = hppa_tr_disas_log,
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_interrupt(DisasContext *s, int intno,
+     s->base.is_jmp = DISAS_NORETURN;
+ }
+-static void gen_debug(DisasContext *s)
+-{
+-    gen_update_cc_op(s);
+-    gen_jmp_im(s, s->base.pc_next - s->cs_base);
+-    gen_helper_debug(cpu_env);
+-    s->base.is_jmp = DISAS_NORETURN;
+-}
+-
+ static void gen_set_hflag(DisasContext *s, uint32_t mask)
+ {
+     if ((s->flags & mask) == 0) {
 @@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
  }
 -static bool i386_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                     const CPUBreakpoint *bp)
-+static int i386_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                    int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-    /* If RF is set, suppress an internally generated breakpoint.  */
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    int flags = dc->base.tb->flags & HF_RF_MASK ? BP_GDB : BP_ANY;
      /* If RF is set, suppress an internally generated breakpoint.  */
      int flags = dc->base.tb->flags & HF_RF_MASK ? BP_GDB : BP_ANY;
 -    if (bp->flags & flags) {
-+    if (bp_flags & flags) {
+-        gen_debug(dc);
          gen_debug(dc);
 -        /* The address covered by the breakpoint must be included in
 -           [tb->pc, tb->pc + tb->size) in order to for it to be
 -           properly cleared -- thus we increment the PC here so that
 -           the generic logic setting tb->size later does the right thing.  */
 -        dc->base.pc_next += 1;
 -        return true;
 -    } else {
 -        return false;
-     }
+-    }
-+    return 1; /* minimum instruction length */
+-}
- }
+-
  static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
+     .init_disas_context = i386_tr_init_disas_context,
+     .tb_start           = i386_tr_tb_start,
+     .insn_start         = i386_tr_insn_start,
+-    .breakpoint_check   = i386_tr_breakpoint_check,
+     .translate_insn     = i386_tr_translate_insn,
+     .tb_stop            = i386_tr_tb_stop,
+     .disas_log          = i386_tr_disas_log,
 diff --git a/target/m68k/translate.c b/target/m68k/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/m68k/translate.c
 +++ b/target/m68k/translate.c
 @@ -XXX,XX +XXX,XX @@ static void m68k_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
  }
 -static bool m68k_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                     const CPUBreakpoint *bp)
-+static int m68k_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                    int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    gen_exception(dc, dc->base.pc_next, EXCP_DEBUG);
      gen_exception(dc, dc->base.pc_next, EXCP_DEBUG);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    dc->base.pc_next += 2;
 -
 -    return true;
-+    return 2; /* minimum instruction length */
+-}
- }
+-
  static void m68k_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
+     .init_disas_context = m68k_tr_init_disas_context,
+     .tb_start           = m68k_tr_tb_start,
+     .insn_start         = m68k_tr_insn_start,
+-    .breakpoint_check   = m68k_tr_breakpoint_check,
+     .translate_insn     = m68k_tr_translate_insn,
+     .tb_stop            = m68k_tr_tb_stop,
+     .disas_log          = m68k_tr_disas_log,
 diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/microblaze/translate.c
 +++ b/target/microblaze/translate.c
 @@ -XXX,XX +XXX,XX @@ static void mb_tr_insn_start(DisasContextBase *dcb, CPUState *cs)
      dc->insn_start = tcg_last_op();
  }
 -static bool mb_tr_breakpoint_check(DisasContextBase *dcb, CPUState *cs,
 -                                   const CPUBreakpoint *bp)
-+static int mb_tr_breakpoint_check(DisasContextBase *dcb, CPUState *cs,
+-{
-+                                  int bp_flags)
+-    DisasContext *dc = container_of(dcb, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcb, DisasContext, base);
+-    gen_raise_exception_sync(dc, EXCP_DEBUG);
      gen_raise_exception_sync(dc, EXCP_DEBUG);
 -
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    dc->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static void mb_tr_translate_insn(DisasContextBase *dcb, CPUState *cs)
+ {
+     DisasContext *dc = container_of(dcb, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
+     .init_disas_context = mb_tr_init_disas_context,
+     .tb_start           = mb_tr_tb_start,
+     .insn_start         = mb_tr_insn_start,
+-    .breakpoint_check   = mb_tr_breakpoint_check,
+     .translate_insn     = mb_tr_translate_insn,
+     .tb_stop            = mb_tr_tb_stop,
+     .disas_log          = mb_tr_disas_log,
 diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/translate.c
 +++ b/target/mips/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static void mips_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                         ctx->btarget);
  }
 -static bool mips_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                     const CPUBreakpoint *bp)
-+static int mips_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                    int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    save_cpu_state(ctx, 1);
+-    ctx->base.is_jmp = DISAS_NORETURN;
-     save_cpu_state(ctx, 1);
+-    gen_helper_raise_exception_debug(cpu_env);
      ctx->base.is_jmp = DISAS_NORETURN;
      gen_helper_raise_exception_debug(cpu_env);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    ctx->base.pc_next += 4;
 -    return true;
-+
+-}
-+    return 2; /* minimum instruction length */
+-
  }
  static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     CPUMIPSState *env = cs->env_ptr;
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
+     .init_disas_context = mips_tr_init_disas_context,
+     .tb_start           = mips_tr_tb_start,
+     .insn_start         = mips_tr_insn_start,
+-    .breakpoint_check   = mips_tr_breakpoint_check,
+     .translate_insn     = mips_tr_translate_insn,
+     .tb_stop            = mips_tr_tb_stop,
+     .disas_log          = mips_tr_disas_log,
 diff --git a/target/nios2/translate.c b/target/nios2/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/nios2/translate.c
 +++ b/target/nios2/translate.c
+@@ -XXX,XX +XXX,XX @@ static const char * const regnames[] = {
+ #include "exec/gen-icount.h"
+-static void gen_exception(DisasContext *dc, uint32_t excp)
+-{
+-    TCGv_i32 tmp = tcg_const_i32(excp);
+-
+-    tcg_gen_movi_tl(cpu_R[R_PC], dc->pc);
+-    gen_helper_raise_exception(cpu_env, tmp);
+-    tcg_temp_free_i32(tmp);
+-    dc->base.is_jmp = DISAS_NORETURN;
+-}
+-
+ /* generate intermediate code for basic block 'tb'.  */
+ static void nios2_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
+ {
 @@ -XXX,XX +XXX,XX @@ static void nios2_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(dcbase->pc_next);
  }
 -static bool nios2_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                      const CPUBreakpoint *bp)
-+static int nios2_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                     int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    gen_exception(dc, EXCP_DEBUG);
      gen_exception(dc, EXCP_DEBUG);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    dc->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static void nios2_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
+     .init_disas_context = nios2_tr_init_disas_context,
+     .tb_start           = nios2_tr_tb_start,
+     .insn_start         = nios2_tr_insn_start,
+-    .breakpoint_check   = nios2_tr_breakpoint_check,
+     .translate_insn     = nios2_tr_translate_insn,
+     .tb_stop            = nios2_tr_tb_stop,
+     .disas_log          = nios2_tr_disas_log,
 diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/openrisc/translate.c
 +++ b/target/openrisc/translate.c
 @@ -XXX,XX +XXX,XX @@ static void openrisc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                         | (dc->base.num_insns > 1 ? 2 : 0));
  }
 -static bool openrisc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                         const CPUBreakpoint *bp)
-+static int openrisc_tr_breakpoint_check(DisasContextBase *dcbase,
+-{
-+                                        CPUState *cs, int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    tcg_gen_movi_tl(cpu_pc, dc->base.pc_next);
+-    gen_exception(dc, EXCP_DEBUG);
-     tcg_gen_movi_tl(cpu_pc, dc->base.pc_next);
+-    dc->base.is_jmp = DISAS_NORETURN;
      gen_exception(dc, EXCP_DEBUG);
      dc->base.is_jmp = DISAS_NORETURN;
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size below does the right thing.  */
 -    dc->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static void openrisc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
+     .init_disas_context = openrisc_tr_init_disas_context,
+     .tb_start           = openrisc_tr_tb_start,
+     .insn_start         = openrisc_tr_insn_start,
+-    .breakpoint_check   = openrisc_tr_breakpoint_check,
+     .translate_insn     = openrisc_tr_translate_insn,
+     .tb_stop            = openrisc_tr_tb_stop,
+     .disas_log          = openrisc_tr_disas_log,
 diff --git a/target/ppc/translate.c b/target/ppc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/ppc/translate.c
 +++ b/target/ppc/translate.c
 @@ -XXX,XX +XXX,XX @@ static void ppc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(dcbase->pc_next);
  }
 -static bool ppc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                    const CPUBreakpoint *bp)
-+static int ppc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                   int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    gen_update_nip(ctx, ctx->base.pc_next);
+-    gen_debug_exception(ctx);
      gen_update_nip(ctx, ctx->base.pc_next);
      gen_debug_exception(ctx);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be properly
 -     * cleared -- thus we increment the PC here so that the logic
 -     * setting tb->size below does the right thing.
 -     */
 -    ctx->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static bool is_prefix_insn(DisasContext *ctx, uint32_t insn)
+ {
+     REQUIRE_INSNS_FLAGS2(ctx, ISA310);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
+     .init_disas_context = ppc_tr_init_disas_context,
+     .tb_start           = ppc_tr_tb_start,
+     .insn_start         = ppc_tr_insn_start,
+-    .breakpoint_check   = ppc_tr_breakpoint_check,
+     .translate_insn     = ppc_tr_translate_insn,
+     .tb_stop            = ppc_tr_tb_stop,
+     .disas_log          = ppc_tr_disas_log,
 diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
 @@ -XXX,XX +XXX,XX @@ static void riscv_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(ctx->base.pc_next);
  }
 -static bool riscv_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                      const CPUBreakpoint *bp)
-+static int riscv_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                     int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
+-    ctx->base.is_jmp = DISAS_NORETURN;
-     tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
+-    gen_exception_debug();
      ctx->base.is_jmp = DISAS_NORETURN;
      gen_exception_debug();
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size below does the right thing.  */
 -    ctx->base.pc_next += 4;
 -    return true;
-+    return 2; /* minimum instruction length */
+-}
- }
+-
  static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
+     .init_disas_context = riscv_tr_init_disas_context,
+     .tb_start           = riscv_tr_tb_start,
+     .insn_start         = riscv_tr_insn_start,
+-    .breakpoint_check   = riscv_tr_breakpoint_check,
+     .translate_insn     = riscv_tr_translate_insn,
+     .tb_stop            = riscv_tr_tb_stop,
+     .disas_log          = riscv_tr_disas_log,
 diff --git a/target/rx/translate.c b/target/rx/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/rx/translate.c
 +++ b/target/rx/translate.c
 @@ -XXX,XX +XXX,XX @@ static void rx_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(ctx->base.pc_next);
  }
 -static bool rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                    const CPUBreakpoint *bp)
-+static int rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                  int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
 -
 -    /* We have hit a breakpoint - make sure PC is up-to-date */
 -    tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
 -    gen_helper_debug(cpu_env);
 -    ctx->base.is_jmp = DISAS_NORETURN;
 -    ctx->base.pc_next += 1;
 -    return true;
 -}
 -
  static void rx_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
  {
      DisasContext *ctx = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
-@@ -XXX,XX +XXX,XX @@ static bool rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+     .init_disas_context = rx_tr_init_disas_context,
-     tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
+     .tb_start           = rx_tr_tb_start,
-     gen_helper_debug(cpu_env);
+     .insn_start         = rx_tr_insn_start,
-     ctx->base.is_jmp = DISAS_NORETURN;
+-    .breakpoint_check   = rx_tr_breakpoint_check,
--    ctx->base.pc_next += 1;
+     .translate_insn     = rx_tr_translate_insn,
--    return true;
+     .tb_stop            = rx_tr_tb_stop,
-+
+     .disas_log          = rx_tr_disas_log,
-+    return 1; /* minimum instruction length */
+diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
- }
+index XXXXXXX..XXXXXXX 100644
+--- a/target/s390x/tcg/translate.c
- static void rx_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
++++ b/target/s390x/tcg/translate.c
 diff --git a/target/s390x/translate.c b/target/s390x/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/translate.c
 +++ b/target/s390x/translate.c
 @@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
  {
  }
 -static bool s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                      const CPUBreakpoint *bp)
-+static int s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                     int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    /*
+-     * Emit an insn_start to accompany the breakpoint exception.
-@@ -XXX,XX +XXX,XX @@ static bool s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-     * The ILEN value is a dummy, since this does not result in
+-     * an s390x exception, but an internal qemu exception which
-     dc->base.is_jmp = DISAS_PC_STALE;
+-     * brings us back to interact with the gdbstub.
-     dc->do_debug = true;
+-     */
 -    tcg_gen_insn_start(dc->base.pc_next, dc->cc_op, 2);
 -
 -    dc->base.is_jmp = DISAS_PC_STALE;
 -    dc->do_debug = true;
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size does the right thing.  */
 -    dc->base.pc_next += 2;
 -    return true;
-+
+-}
-+    return 2; /* minimum instruction length */
+-
  }
  static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     CPUS390XState *env = cs->env_ptr;
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
+     .init_disas_context = s390x_tr_init_disas_context,
+     .tb_start           = s390x_tr_tb_start,
+     .insn_start         = s390x_tr_insn_start,
+-    .breakpoint_check   = s390x_tr_breakpoint_check,
+     .translate_insn     = s390x_tr_translate_insn,
+     .tb_stop            = s390x_tr_tb_stop,
+     .disas_log          = s390x_tr_disas_log,
 diff --git a/target/sh4/translate.c b/target/sh4/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/sh4/translate.c
 +++ b/target/sh4/translate.c
 @@ -XXX,XX +XXX,XX @@ static void sh4_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      tcg_gen_insn_start(ctx->base.pc_next, ctx->envflags);
  }
 -static bool sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                    const CPUBreakpoint *bp)
-+static int sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                   int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+-    /* We have hit a breakpoint - make sure PC is up-to-date */
+-    gen_save_cpu_state(ctx, true);
-@@ -XXX,XX +XXX,XX @@ static bool sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-    gen_helper_debug(cpu_env);
-     gen_save_cpu_state(ctx, true);
+-    ctx->base.is_jmp = DISAS_NORETURN;
      gen_helper_debug(cpu_env);
      ctx->base.is_jmp = DISAS_NORETURN;
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size below does the right thing.  */
 -    ctx->base.pc_next += 2;
 -    return true;
-+
+-}
-+    return 2; /* minimum instruction length */
+-
  }
  static void sh4_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     CPUSH4State *env = cs->env_ptr;
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
+     .init_disas_context = sh4_tr_init_disas_context,
+     .tb_start           = sh4_tr_tb_start,
+     .insn_start         = sh4_tr_insn_start,
+-    .breakpoint_check   = sh4_tr_breakpoint_check,
+     .translate_insn     = sh4_tr_translate_insn,
+     .tb_stop            = sh4_tr_tb_stop,
+     .disas_log          = sh4_tr_disas_log,
 diff --git a/target/sparc/translate.c b/target/sparc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/sparc/translate.c
 +++ b/target/sparc/translate.c
 @@ -XXX,XX +XXX,XX @@ static void sparc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      }
  }
 -static bool sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 -                                      const CPUBreakpoint *bp)
-+static int sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-{
-+                                     int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    if (dc->pc != dc->base.pc_first) {
+-        save_state(dc);
-@@ -XXX,XX +XXX,XX @@ static bool sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+-    }
-     gen_helper_debug(cpu_env);
+-    gen_helper_debug(cpu_env);
-     tcg_gen_exit_tb(NULL, 0);
+-    tcg_gen_exit_tb(NULL, 0);
-     dc->base.is_jmp = DISAS_NORETURN;
+-    dc->base.is_jmp = DISAS_NORETURN;
 -    /* update pc_next so that the current instruction is included in tb->size */
 -    dc->base.pc_next += 4;
 -    return true;
-+
+-}
-+    return 4; /* minimum instruction length */
+-
  }
  static void sparc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
+     .init_disas_context = sparc_tr_init_disas_context,
+     .tb_start           = sparc_tr_tb_start,
+     .insn_start         = sparc_tr_insn_start,
+-    .breakpoint_check   = sparc_tr_breakpoint_check,
+     .translate_insn     = sparc_tr_translate_insn,
+     .tb_stop            = sparc_tr_tb_stop,
+     .disas_log          = sparc_tr_disas_log,
 diff --git a/target/tricore/translate.c b/target/tricore/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/translate.c
 +++ b/target/tricore/translate.c
 @@ -XXX,XX +XXX,XX @@ static void tricore_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(ctx->base.pc_next);
  }
 -static bool tricore_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                      const CPUBreakpoint *bp)
-+static int tricore_tr_breakpoint_check(DisasContextBase *dcbase,
+-{
-+                                       CPUState *cpu, int bp_flags)
+-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
- {
+-    generate_qemu_excp(ctx, EXCP_DEBUG);
      DisasContext *ctx = container_of(dcbase, DisasContext, base);
      generate_qemu_excp(ctx, EXCP_DEBUG);
 -    /*
 -     * The address covered by the breakpoint must be included in
 -     * [tb->pc, tb->pc + tb->size) in order to for it to be
 -     * properly cleared -- thus we increment the PC here so that
 -     * the logic setting tb->size below does the right thing.
 -     */
 -    ctx->base.pc_next += 4;
 -    return true;
-+    return 4; /* minimum instruction length */
+-}
- }
+-
  static bool insn_crosses_page(CPUTriCoreState *env, DisasContext *ctx)
+ {
+     /*
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
+     .init_disas_context = tricore_tr_init_disas_context,
+     .tb_start           = tricore_tr_tb_start,
+     .insn_start         = tricore_tr_insn_start,
+-    .breakpoint_check   = tricore_tr_breakpoint_check,
+     .translate_insn     = tricore_tr_translate_insn,
+     .tb_stop            = tricore_tr_tb_stop,
+     .disas_log          = tricore_tr_disas_log,
 diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/xtensa/translate.c
 +++ b/target/xtensa/translate.c
 @@ -XXX,XX +XXX,XX @@ static void xtensa_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
      tcg_gen_insn_start(dcbase->pc_next);
  }
 -static bool xtensa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
 -                                       const CPUBreakpoint *bp)
-+static int xtensa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+-{
-+                                      int bp_flags)
+-    DisasContext *dc = container_of(dcbase, DisasContext, base);
- {
+-
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-    tcg_gen_movi_i32(cpu_pc, dc->base.pc_next);
+-    gen_exception(dc, EXCP_DEBUG);
-     tcg_gen_movi_i32(cpu_pc, dc->base.pc_next);
+-    dc->base.is_jmp = DISAS_NORETURN;
      gen_exception(dc, EXCP_DEBUG);
      dc->base.is_jmp = DISAS_NORETURN;
 -    /* The address covered by the breakpoint must be included in
 -       [tb->pc, tb->pc + tb->size) in order to for it to be
 -       properly cleared -- thus we increment the PC here so that
 -       the logic setting tb->size below does the right thing.  */
 -    dc->base.pc_next += 2;
 -    return true;
-+
+-}
-+    return 2; /* minimum instruction length */
+-
  }
  static void xtensa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+ {
+     DisasContext *dc = container_of(dcbase, DisasContext, base);
+@@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
+     .init_disas_context = xtensa_tr_init_disas_context,
+     .tb_start           = xtensa_tr_tb_start,
+     .insn_start         = xtensa_tr_insn_start,
+-    .breakpoint_check   = xtensa_tr_breakpoint_check,
+     .translate_insn     = xtensa_tr_translate_insn,
+     .tb_stop            = xtensa_tr_tb_stop,
+     .disas_log          = xtensa_tr_disas_log,
 --
 .25.1

-[PATCH v2 09/10] accel/tcg: Hoist tb_cflags to a local in translator_loop
+[PATCH for-6.1 v5 14/15] accel/tcg: Hoist tb_cflags to a local in translator_loop
 The access internal to tb_cflags() is atomic.
 Avoid re-reading it as such for the multiple uses.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  accel/tcg/translator.c | 9 ++++-----
 file changed, 4 insertions(+), 5 deletions(-)
 ...

-New patch
+[PATCH for-6.1 v5 15/15] accel/tcg: Record singlestep_enabled in tb->cflags
+Set CF_SINGLE_STEP when single-stepping is enabled.
+This avoids the need to flush all tb's when turning
+single-stepping on or off.
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ include/exec/exec-all.h   | 1 +
+ accel/tcg/cpu-exec.c      | 7 ++++++-
+ accel/tcg/translate-all.c | 4 ----
+ accel/tcg/translator.c    | 7 +------
+ cpu.c                     | 4 ----
+files changed, 8 insertions(+), 15 deletions(-)
+diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/exec/exec-all.h
++++ b/include/exec/exec-all.h
+@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
+ #define CF_COUNT_MASK    0x000001ff
+ #define CF_NO_GOTO_TB    0x00000200 /* Do not chain with goto_tb */
+ #define CF_NO_GOTO_PTR   0x00000400 /* Do not chain with goto_ptr */
++#define CF_SINGLE_STEP   0x00000800 /* gdbstub single-step in effect */
+ #define CF_LAST_IO       0x00008000 /* Last insn may be an IO access.  */
+ #define CF_MEMI_ONLY     0x00010000 /* Only instrument memory ops */
+ #define CF_USE_ICOUNT    0x00020000
+diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/cpu-exec.c
++++ b/accel/tcg/cpu-exec.c
+@@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
+     uint32_t cflags = cpu->tcg_cflags;
+     /*
++     * Record gdb single-step.  We should be exiting the TB by raising
++     * EXCP_DEBUG, but to simplify other tests, disable chaining too.
++     *
+      * For singlestep and -d nochain, suppress goto_tb so that
+      * we can log -d cpu,exec after every TB.
+      */
+-    if (singlestep) {
++    if (unlikely(cpu->singlestep_enabled)) {
++        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | CF_SINGLE_STEP | 1;
++    } else if (singlestep) {
+         cflags |= CF_NO_GOTO_TB | 1;
+     } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
+         cflags |= CF_NO_GOTO_TB;
+diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/translate-all.c
++++ b/accel/tcg/translate-all.c
+@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
+     }
+     QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
+-    if (cpu->singlestep_enabled) {
+-        max_insns = 1;
+-    }
+-
+  buffer_overflow:
+     tb = tcg_tb_alloc(tcg_ctx);
+     if (unlikely(!tb)) {
+diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/translator.c
++++ b/accel/tcg/translator.c
+@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
+         return false;
+     }
+-    /* Suppress goto_tb in the case of single-steping.  */
+-    if (db->singlestep_enabled) {
+-        return false;
+-    }
+-
+     /* Check for the dest on the same page as the start of the TB.  */
+     return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
+ }
+@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
+     db->is_jmp = DISAS_NEXT;
+     db->num_insns = 0;
+     db->max_insns = max_insns;
+-    db->singlestep_enabled = cpu->singlestep_enabled;
++    db->singlestep_enabled = cflags & CF_SINGLE_STEP;
+     ops->init_disas_context(db, cpu);
+     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
+diff --git a/cpu.c b/cpu.c
+index XXXXXXX..XXXXXXX 100644
+--- a/cpu.c
++++ b/cpu.c
+@@ -XXX,XX +XXX,XX @@ void cpu_single_step(CPUState *cpu, int enabled)
+         cpu->singlestep_enabled = enabled;
+         if (kvm_enabled()) {
+             kvm_update_guest_debug(cpu, 0);
+-        } else {
+-            /* must flush all the translated code to avoid inconsistencies */
+-            /* XXX: only flush what is necessary */
+-            tb_flush(cpu);
+         }
+         trace_breakpoint_singlestep(cpu->cpu_index, enabled);
+     }
+--
+.25.1

This is fixing #404 ("windows xp boot takes much longer...")
and several other similar reports.

For v2, all prerequisites and 7 of the patches from v1 with
reviews are now upstream.

Mark Cave-Ayland reported success with WinXP with v1, with
this patch set being even faster than b55f54bc~1.  Which was
a bit of a surprise, but I'll take it.  It means that it's
probably not worth making the breakpoint detection scheme
any more complicated.

I'd still like some more feedback.  Given this is fixing a
regression from qemu 5.2 I feel comfortable delaying this
past soft freeze, but not past hard freeze on the 20th.

Richard Henderson (10):
  accel/tcg: Reduce CF_COUNT_MASK to match TCG_MAX_INSNS
  accel/tcg: Move curr_cflags into cpu-exec.c
  accel/tcg: Add CF_NO_GOTO_TB and CF_NO_GOTO_PTR
  accel/tcg: Drop CF_NO_GOTO_PTR from -d nochain
  accel/tcg: Handle -singlestep in curr_cflags
  accel/tcg: Use CF_NO_GOTO_{TB,PTR} in cpu_exec_step_atomic
  accel/tcg: Move cflags lookup into tb_find
  accel/tcg: Adjust interface of TranslatorOps.breakpoint_check
  accel/tcg: Hoist tb_cflags to a local in translator_loop
  accel/tcg: Encode breakpoint info into tb->cflags

-- 
2.25.1

The space reserved for CF_COUNT_MASK was overly large.
Reduce to free up cflags bits and eliminate an extra test.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h   | 4 +++-
 accel/tcg/translate-all.c | 5 ++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
     target_ulong cs_base; /* CS base for this block */
     uint32_t flags; /* flags defining in which context the code was generated */
     uint32_t cflags;    /* compile flags */
-#define CF_COUNT_MASK  0x00007fff
+
+/* Note that TCG_MAX_INSNS is 512; we validate this match elsewhere. */
+#define CF_COUNT_MASK  0x000001ff
 #define CF_LAST_IO     0x00008000 /* Last insn may be an IO access.  */
 #define CF_MEMI_ONLY   0x00010000 /* Only instrument memory ops */
 #define CF_USE_ICOUNT  0x00020000
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     if (max_insns == 0) {
         max_insns = CF_COUNT_MASK;
     }
-    if (max_insns > TCG_MAX_INSNS) {
-        max_insns = TCG_MAX_INSNS;
-    }
+    QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
+
     if (cpu->singlestep_enabled || singlestep) {
         max_insns = 1;
     }
-- 
2.25.1

We will shortly have more than a simple member read here,
with stuff not necessarily exposed to exec/exec-all.h.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 5 +----
 accel/tcg/cpu-exec.c    | 5 +++++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t tb_cflags(const TranslationBlock *tb)
 }
 
 /* current cflags for hashing/comparison */
-static inline uint32_t curr_cflags(CPUState *cpu)
-{
-    return cpu->tcg_cflags;
-}
+uint32_t curr_cflags(CPUState *cpu);
 
 /* TranslationBlock invalidate API */
 #if defined(CONFIG_USER_ONLY)
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
 }
 #endif /* CONFIG USER ONLY */
 
+uint32_t curr_cflags(CPUState *cpu)
+{
+    return cpu->tcg_cflags;
+}
+
 /* Might cause an exception, so have a longjmp destination ready */
 static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                           target_ulong cs_base,
-- 
2.25.1

Move the -d nochain check to bits on tb->cflags.
These will be used for more than -d nochain shortly.

Set bits during curr_cflags, test them in translator_use_goto_tb,
assert we're not doing anything odd in tcg_gen_goto_tb.  The test
in tcg_gen_exit_tb is redundant with the assert for goto_tb_issue_mask.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 16 +++++++++-------
 accel/tcg/cpu-exec.c    |  8 +++++++-
 accel/tcg/translator.c  |  5 +++++
 tcg/tcg-op.c            | 28 ++++++++++++----------------
 4 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
     uint32_t cflags;    /* compile flags */
 
 /* Note that TCG_MAX_INSNS is 512; we validate this match elsewhere. */
-#define CF_COUNT_MASK  0x000001ff
-#define CF_LAST_IO     0x00008000 /* Last insn may be an IO access.  */
-#define CF_MEMI_ONLY   0x00010000 /* Only instrument memory ops */
-#define CF_USE_ICOUNT  0x00020000
-#define CF_INVALID     0x00040000 /* TB is stale. Set with @jmp_lock held */
-#define CF_PARALLEL    0x00080000 /* Generate code for a parallel context */
-#define CF_CLUSTER_MASK 0xff000000 /* Top 8 bits are cluster ID */
+#define CF_COUNT_MASK    0x000001ff
+#define CF_NO_GOTO_TB    0x00000200 /* Do not chain with goto_tb */
+#define CF_NO_GOTO_PTR   0x00000400 /* Do not chain with goto_ptr */
+#define CF_LAST_IO       0x00008000 /* Last insn may be an IO access.  */
+#define CF_MEMI_ONLY     0x00010000 /* Only instrument memory ops */
+#define CF_USE_ICOUNT    0x00020000
+#define CF_INVALID       0x00040000 /* TB is stale. Set with @jmp_lock held */
+#define CF_PARALLEL      0x00080000 /* Generate code for a parallel context */
+#define CF_CLUSTER_MASK  0xff000000 /* Top 8 bits are cluster ID */
 #define CF_CLUSTER_SHIFT 24
 
     /* Per-vCPU dynamic tracing state used to generate this TB */
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
 
 uint32_t curr_cflags(CPUState *cpu)
 {
-    return cpu->tcg_cflags;
+    uint32_t cflags = cpu->tcg_cflags;
+
+    if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
+        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR;
+    }
+
+    return cflags;
 }
 
 /* Might cause an exception, so have a longjmp destination ready */
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ void translator_loop_temp_check(DisasContextBase *db)
 
 bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 {
+    /* Suppress goto_tb if requested. */
+    if (tb_cflags(db->tb) & CF_NO_GOTO_TB) {
+        return false;
+    }
+
     /* Suppress goto_tb in the case of single-steping.  */
     if (db->singlestep_enabled || singlestep) {
         return false;
diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op.c
+++ b/tcg/tcg-op.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_exit_tb(const TranslationBlock *tb, unsigned idx)
            seen this numbered exit before, via tcg_gen_goto_tb.  */
         tcg_debug_assert(tcg_ctx->goto_tb_issue_mask & (1 << idx));
 #endif
-        /* When not chaining, exit without indicating a link.  */
-        if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-            val = 0;
-        }
     } else {
         /* This is an exit via the exitreq label.  */
         tcg_debug_assert(idx == TB_EXIT_REQUESTED);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_exit_tb(const TranslationBlock *tb, unsigned idx)
 
 void tcg_gen_goto_tb(unsigned idx)
 {
+    /* We tested CF_NO_GOTO_TB in translator_use_goto_tb. */
+    tcg_debug_assert(!(tcg_ctx->tb_cflags & CF_NO_GOTO_TB));
     /* We only support two chained exits.  */
     tcg_debug_assert(idx <= TB_EXIT_IDXMAX);
 #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ void tcg_gen_goto_tb(unsigned idx)
     tcg_ctx->goto_tb_issue_mask |= 1 << idx;
 #endif
     plugin_gen_disable_mem_helpers();
-    /* When not chaining, we simply fall through to the "fallback" exit.  */
-    if (!qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-        tcg_gen_op1i(INDEX_op_goto_tb, idx);
-    }
+    tcg_gen_op1i(INDEX_op_goto_tb, idx);
 }
 
 void tcg_gen_lookup_and_goto_ptr(void)
 {
-    if (!qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-        TCGv_ptr ptr;
+    TCGv_ptr ptr;
 
-        plugin_gen_disable_mem_helpers();
-        ptr = tcg_temp_new_ptr();
-        gen_helper_lookup_tb_ptr(ptr, cpu_env);
-        tcg_gen_op1i(INDEX_op_goto_ptr, tcgv_ptr_arg(ptr));
-        tcg_temp_free_ptr(ptr);
-    } else {
+    if (tcg_ctx->tb_cflags & CF_NO_GOTO_PTR) {
         tcg_gen_exit_tb(NULL, 0);
+        return;
     }
+
+    plugin_gen_disable_mem_helpers();
+    ptr = tcg_temp_new_ptr();
+    gen_helper_lookup_tb_ptr(ptr, cpu_env);
+    tcg_gen_op1i(INDEX_op_goto_ptr, tcgv_ptr_arg(ptr));
+    tcg_temp_free_ptr(ptr);
 }
 
 static inline MemOp tcg_canonicalize_memop(MemOp op, bool is64, bool st)
-- 
2.25.1

Exchange the test in translator_use_goto_tb for CF_NO_GOTO_TB,
and the test in tb_gen_code for setting CF_COUNT_MASK to 1.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c      | 8 +++++++-
 accel/tcg/translate-all.c | 2 +-
 accel/tcg/translator.c    | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
 {
     uint32_t cflags = cpu->tcg_cflags;
 
-    if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
+    /*
+     * For singlestep and -d nochain, suppress goto_tb so that
+     * we can log -d cpu,exec after every TB.
+     */
+    if (singlestep) {
+        cflags |= CF_NO_GOTO_TB | 1;
+    } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
         cflags |= CF_NO_GOTO_TB;
     }
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     }
     QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
 
-    if (cpu->singlestep_enabled || singlestep) {
+    if (cpu->singlestep_enabled) {
         max_insns = 1;
     }
 
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
     }
 
     /* Suppress goto_tb in the case of single-steping.  */
-    if (db->singlestep_enabled || singlestep) {
+    if (db->singlestep_enabled) {
         return false;
     }
 
-- 
2.25.1

Request that the one TB returns immediately, so that
we release the exclusive lock as soon as possible.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
     CPUArchState *env = (CPUArchState *)cpu->env_ptr;
     TranslationBlock *tb;
     target_ulong cs_base, pc;
-    uint32_t flags;
-    uint32_t cflags = (curr_cflags(cpu) & ~CF_PARALLEL) | 1;
+    uint32_t flags, cflags;
     int tb_exit;
 
     if (sigsetjmp(cpu->jmp_env, 0) == 0) {
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
         cpu->running = true;
 
         cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
-        tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
 
+        cflags = curr_cflags(cpu);
+        /* Execute in a serial context. */
+        cflags &= ~CF_PARALLEL;
+        /* After 1 insn, return and release the exclusive lock. */
+        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | 1;
+
+        tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
         if (tb == NULL) {
             mmap_lock();
             tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
-- 
2.25.1

We will shortly require the guest pc for computing cflags,
so move the choice just after cpu_get_tb_cpu_state.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 34 +++++++++++++++++-----------------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline void tb_add_jump(TranslationBlock *tb, int n,
 
 static inline TranslationBlock *tb_find(CPUState *cpu,
                                         TranslationBlock *last_tb,
-                                        int tb_exit, uint32_t cflags)
+                                        int tb_exit)
 {
     CPUArchState *env = (CPUArchState *)cpu->env_ptr;
     TranslationBlock *tb;
     target_ulong cs_base, pc;
-    uint32_t flags;
+    uint32_t flags, cflags;
 
     cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 
+    /*
+     * When requested, use an exact setting for cflags for the next
+     * execution.  This is used for icount, precise smc, and stop-
+     * after-access watchpoints.  Since this request should never
+     * have CF_INVALID set, -1 is a convenient invalid value that
+     * does not require tcg headers for cpu_common_reset.
+     */
+    cflags = cpu->cflags_next_tb;
+    if (cflags == -1) {
+        cflags = curr_cflags(cpu);
+    } else {
+        cpu->cflags_next_tb = -1;
+    }
+
     tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
     if (tb == NULL) {
         mmap_lock();
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
         int tb_exit = 0;
 
         while (!cpu_handle_interrupt(cpu, &last_tb)) {
-            uint32_t cflags = cpu->cflags_next_tb;
-            TranslationBlock *tb;
-
-            /* When requested, use an exact setting for cflags for the next
-               execution.  This is used for icount, precise smc, and stop-
-               after-access watchpoints.  Since this request should never
-               have CF_INVALID set, -1 is a convenient invalid value that
-               does not require tcg headers for cpu_common_reset.  */
-            if (cflags == -1) {
-                cflags = curr_cflags(cpu);
-            } else {
-                cpu->cflags_next_tb = -1;
-            }
-
-            tb = tb_find(cpu, last_tb, tb_exit, cflags);
+            TranslationBlock *tb = tb_find(cpu, last_tb, tb_exit);
             cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);
             /* Try to align the host and virtual clocks
                if the guest is in advance */
-- 
2.25.1

We don't need the whole CPUBreakpoint structure in the check,
only the flags.  Return the instruction length to consolidate
the adjustment of db->pc_next.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h     | 17 +++++++++------
 accel/tcg/translator.c        | 40 ++++++++++++++++++++++++-----------
 target/alpha/translate.c      | 12 +++--------
 target/arm/translate-a64.c    | 14 ++++--------
 target/arm/translate.c        | 20 +++++++-----------
 target/avr/translate.c        |  6 +++---
 target/cris/translate.c       | 14 ++++--------
 target/hexagon/translate.c    | 13 +++---------
 target/hppa/translate.c       |  7 +++---
 target/i386/tcg/translate.c   | 15 ++++---------
 target/m68k/translate.c       | 14 +++---------
 target/microblaze/translate.c | 14 +++---------
 target/mips/tcg/translate.c   | 14 ++++--------
 target/nios2/translate.c      | 13 +++---------
 target/openrisc/translate.c   | 11 +++-------
 target/ppc/translate.c        | 13 +++---------
 target/riscv/translate.c      | 11 +++-------
 target/rx/translate.c         |  8 +++----
 target/s390x/translate.c      | 12 ++++-------
 target/sh4/translate.c        | 12 ++++-------
 target/sparc/translate.c      |  9 ++++----
 target/tricore/translate.c    | 13 +++---------
 target/xtensa/translate.c     | 12 ++++-------
 23 files changed, 115 insertions(+), 199 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContextBase {
  * @breakpoint_check:
  *      When called, the breakpoint has already been checked to match the PC,
  *      but the target may decide the breakpoint missed the address
- *      (e.g., due to conditions encoded in their flags).  Return true to
- *      indicate that the breakpoint did hit, in which case no more breakpoints
- *      are checked.  If the breakpoint did hit, emit any code required to
- *      signal the exception, and set db->is_jmp as necessary to terminate
- *      the main loop.
+ *      (e.g., due to conditions encoded in their flags), in which case
+ *      db->is_jmp may be left as DISAS_NEXT or DISAS_TOO_MANY to indicate
+ *      that the insn should be translated.  Anything other than those two
+ *      will be taken to indicate an exception has been raised, but in most
+ *      cases db->is_jmp should be set to DISAS_NORETURN.
+ *
+ *      Return the minimum instruction size that should be applied to the TB.
+ *      The size of any TB cannot be zero, as that breaks the math used to
+ *      invalidate TBs.
  *
  * @translate_insn:
  *      Disassemble one instruction and set db->pc_next for the start
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
     void (*init_disas_context)(DisasContextBase *db, CPUState *cpu);
     void (*tb_start)(DisasContextBase *db, CPUState *cpu);
     void (*insn_start)(DisasContextBase *db, CPUState *cpu);
-    bool (*breakpoint_check)(DisasContextBase *db, CPUState *cpu,
-                             const CPUBreakpoint *bp);
+    int (*breakpoint_check)(DisasContextBase *db, CPUState *cpu, int flags);
     void (*translate_insn)(DisasContextBase *db, CPUState *cpu);
     void (*tb_stop)(DisasContextBase *db, CPUState *cpu);
     void (*disas_log)(const DisasContextBase *db, CPUState *cpu);
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
                      CPUState *cpu, TranslationBlock *tb, int max_insns)
 {
-    int bp_insn = 0;
     bool plugin_enabled;
 
     /* Initialize DisasContext */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
             CPUBreakpoint *bp;
             QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
                 if (bp->pc == db->pc_next) {
-                    if (ops->breakpoint_check(db, cpu, bp)) {
-                        bp_insn = 1;
-                        break;
+                    int len = ops->breakpoint_check(db, cpu, bp->flags);
+
+                    /*
+                     * The breakpoint_check hook may use DISAS_TOO_MANY
+                     * to indicate that only one more instruction is to
+                     * be executed.  Otherwise it should use DISAS_NORETURN
+                     * when generating an exception, but may use a
+                     * DISAS_TARGET_* value for Something Else.
+                     */
+                    if (db->is_jmp > DISAS_TOO_MANY) {
+                        /*
+                         * The address covered by the breakpoint must be
+                         * included in [tb->pc, tb->pc + tb->size) in order
+                         * to for it to be properly cleared.  Thus we
+                         * increment the PC here so that the logic setting
+                         * tb->size below does the right thing.
+                         */
+                        tcg_debug_assert(len > 0);
+                        db->pc_next += len;
+
+                        /*
+                         * The breakpoint definitely hit, so decrement the
+                         * number of instructions completed for icount.
+                         */
+                        db->num_insns--;
+                        goto done;
                     }
                 }
             }
-            /* The breakpoint_check hook may use DISAS_TOO_MANY to indicate
-               that only one more instruction is to be executed.  Otherwise
-               it should use DISAS_NORETURN when generating an exception,
-               but may use a DISAS_TARGET_* value for Something Else.  */
-            if (db->is_jmp > DISAS_TOO_MANY) {
-                break;
-            }
         }
 
         /* Disassemble one instruction.  The translate_insn hook should
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
         }
     }
 
+ done:
     /* Emit code to exit the TB, as indicated by db->is_jmp.  */
     ops->tb_stop(db, cpu);
-    gen_tb_end(db->tb, db->num_insns - bp_insn);
+    gen_tb_end(db->tb, db->num_insns);
 
     if (plugin_enabled) {
         plugin_gen_tb_end(cpu);
diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static void alpha_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool alpha_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
+static int alpha_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                     int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     ctx->base.is_jmp = gen_excp(ctx, EXCP_DEBUG, 0);
-
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void alpha_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                        const CPUBreakpoint *bp)
+static int aarch64_tr_breakpoint_check(DisasContextBase *dcbase,
+                                       CPUState *cpu, int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    if (bp->flags & BP_CPU) {
+    if (bp_flags & BP_CPU) {
         gen_a64_set_pc_im(dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
         /* End the TB early; it likely won't be executed */
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
         gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
-        /* The address covered by the breakpoint must be
-           included in [tb->pc, tb->pc + tb->size) in order
-           to for it to be properly cleared -- thus we
-           increment the PC here so that the logic setting
-           tb->size below does the right thing.  */
-        dc->base.pc_next += 4;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                    const CPUBreakpoint *bp)
+static int arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                   int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
-    if (bp->flags & BP_CPU) {
+    if (bp_flags & BP_CPU) {
         gen_set_condexec(dc);
         gen_set_pc_im(dc, dc->base.pc_next);
         gen_helper_check_breakpoints(cpu_env);
@@ -XXX,XX +XXX,XX @@ static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
         dc->base.is_jmp = DISAS_TOO_MANY;
     } else {
         gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
-        /* The address covered by the breakpoint must be
-           included in [tb->pc, tb->pc + tb->size) in order
-           to for it to be properly cleared -- thus we
-           increment the PC here so that the logic setting
-           tb->size below does the right thing.  */
-        /* TODO: Advance PC by correct instruction length to
-         * avoid disassembler error messages */
-        dc->base.pc_next += 2;
         dc->base.is_jmp = DISAS_NORETURN;
     }
 
-    return true;
+    /*
+     * TODO: Advance PC by correct instruction length to avoid disassembler
+     * error messages.  In the meantime, minimum instruction length.
+     */
+    return 2;
 }
 
 static bool arm_pre_translate_insn(DisasContext *dc)
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void avr_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->npc);
 }
 
-static bool avr_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
+static int avr_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                   int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     gen_breakpoint(ctx);
-    return true;
+    return 2; /* minimum instruction length */
 }
 
 static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/cris/translate.c b/target/cris/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/cris/translate.c
+++ b/target/cris/translate.c
@@ -XXX,XX +XXX,XX @@ static void cris_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->delayed_branch == 1 ? dc->ppc | 1 : dc->pc);
 }
 
-static bool cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
+static int cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                    int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
@@ -XXX,XX +XXX,XX @@ static bool cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
     tcg_gen_movi_tl(env_pc, dc->pc);
     t_gen_raise_exception(EXCP_DEBUG);
     dc->base.is_jmp = DISAS_NORETURN;
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->pc += 2;
-    return true;
+
+    return 2; /* minimum instruction length */
 }
 
 static void cris_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool hexagon_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                        const CPUBreakpoint *bp)
+static int hexagon_tr_breakpoint_check(DisasContextBase *dcbase,
+                                       CPUState *cpu, int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     gen_exception_end_tb(ctx, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
+    return 4; /* minimum packet length */
 }
 
 static bool pkt_crosses_page(CPUHexagonState *env, DisasContext *ctx)
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static void hppa_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->iaoq_f, ctx->iaoq_b);
 }
 
-static bool hppa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
+static int hppa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                    int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     gen_excp(ctx, EXCP_DEBUG);
-    ctx->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void hppa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
-static bool i386_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
+static int i386_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                    int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
     /* If RF is set, suppress an internally generated breakpoint.  */
     int flags = dc->base.tb->flags & HF_RF_MASK ? BP_GDB : BP_ANY;
-    if (bp->flags & flags) {
+    if (bp_flags & flags) {
         gen_debug(dc);
-        /* The address covered by the breakpoint must be included in
-           [tb->pc, tb->pc + tb->size) in order to for it to be
-           properly cleared -- thus we increment the PC here so that
-           the generic logic setting tb->size later does the right thing.  */
-        dc->base.pc_next += 1;
-        return true;
-    } else {
-        return false;
     }
+    return 1; /* minimum instruction length */
 }
 
 static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
-static bool m68k_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
+static int m68k_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                    int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     gen_exception(dc, dc->base.pc_next, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 2;
-
-    return true;
+    return 2; /* minimum instruction length */
 }
 
 static void m68k_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void mb_tr_insn_start(DisasContextBase *dcb, CPUState *cs)
     dc->insn_start = tcg_last_op();
 }
 
-static bool mb_tr_breakpoint_check(DisasContextBase *dcb, CPUState *cs,
-                                   const CPUBreakpoint *bp)
+static int mb_tr_breakpoint_check(DisasContextBase *dcb, CPUState *cs,
+                                  int bp_flags)
 {
     DisasContext *dc = container_of(dcb, DisasContext, base);
 
     gen_raise_exception_sync(dc, EXCP_DEBUG);
-
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void mb_tr_translate_insn(DisasContextBase *dcb, CPUState *cs)
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void mips_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                        ctx->btarget);
 }
 
-static bool mips_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                     const CPUBreakpoint *bp)
+static int mips_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                    int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     save_cpu_state(ctx, 1);
     ctx->base.is_jmp = DISAS_NORETURN;
     gen_helper_raise_exception_debug(cpu_env);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
+
+    return 2; /* minimum instruction length */
 }
 
 static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/nios2/translate.c b/target/nios2/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/translate.c
+++ b/target/nios2/translate.c
@@ -XXX,XX +XXX,XX @@ static void nios2_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool nios2_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
+static int nios2_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                     int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     gen_exception(dc, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void nios2_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                        | (dc->base.num_insns > 1 ? 2 : 0));
 }
 
-static bool openrisc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                         const CPUBreakpoint *bp)
+static int openrisc_tr_breakpoint_check(DisasContextBase *dcbase,
+                                        CPUState *cs, int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     tcg_gen_movi_tl(cpu_pc, dc->base.pc_next);
     gen_exception(dc, EXCP_DEBUG);
     dc->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    dc->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static void openrisc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool ppc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
+static int ppc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                   int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     gen_update_nip(ctx, ctx->base.pc_next);
     gen_debug_exception(ctx);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be properly
-     * cleared -- thus we increment the PC here so that the logic
-     * setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static bool is_prefix_insn(DisasContext *ctx, uint32_t insn)
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool riscv_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
+static int riscv_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                     int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
     tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
     ctx->base.is_jmp = DISAS_NORETURN;
     gen_exception_debug();
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 4;
-    return true;
+    return 2; /* minimum instruction length */
 }
 
 static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static void rx_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
+static int rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                  int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
@@ -XXX,XX +XXX,XX @@ static bool rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
     tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
     gen_helper_debug(cpu_env);
     ctx->base.is_jmp = DISAS_NORETURN;
-    ctx->base.pc_next += 1;
-    return true;
+
+    return 1; /* minimum instruction length */
 }
 
 static void rx_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/s390x/translate.c b/target/s390x/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/translate.c
+++ b/target/s390x/translate.c
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
 {
 }
 
-static bool s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
+static int s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                     int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
@@ -XXX,XX +XXX,XX @@ static bool s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
 
     dc->base.is_jmp = DISAS_PC_STALE;
     dc->do_debug = true;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size does the right thing.  */
-    dc->base.pc_next += 2;
-    return true;
+
+    return 2; /* minimum instruction length */
 }
 
 static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static void sh4_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->base.pc_next, ctx->envflags);
 }
 
-static bool sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
+static int sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                   int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
 
@@ -XXX,XX +XXX,XX @@ static bool sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
     gen_save_cpu_state(ctx, true);
     gen_helper_debug(cpu_env);
     ctx->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 2;
-    return true;
+
+    return 2; /* minimum instruction length */
 }
 
 static void sh4_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/sparc/translate.c b/target/sparc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sparc/translate.c
+++ b/target/sparc/translate.c
@@ -XXX,XX +XXX,XX @@ static void sparc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     }
 }
 
-static bool sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
+static int sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
+                                     int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
@@ -XXX,XX +XXX,XX @@ static bool sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
     gen_helper_debug(cpu_env);
     tcg_gen_exit_tb(NULL, 0);
     dc->base.is_jmp = DISAS_NORETURN;
-    /* update pc_next so that the current instruction is included in tb->size */
-    dc->base.pc_next += 4;
-    return true;
+
+    return 4; /* minimum instruction length */
 }
 
 static void sparc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static void tricore_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool tricore_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
+static int tricore_tr_breakpoint_check(DisasContextBase *dcbase,
+                                       CPUState *cpu, int bp_flags)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     generate_qemu_excp(ctx, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
+    return 4; /* minimum instruction length */
 }
 
 static bool insn_crosses_page(CPUTriCoreState *env, DisasContext *ctx)
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool xtensa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                       const CPUBreakpoint *bp)
+static int xtensa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
+                                      int bp_flags)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
     tcg_gen_movi_i32(cpu_pc, dc->base.pc_next);
     gen_exception(dc, EXCP_DEBUG);
     dc->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    dc->base.pc_next += 2;
-    return true;
+
+    return 2; /* minimum instruction length */
 }
 
 static void xtensa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
-- 
2.25.1

The access internal to tb_cflags() is atomic.
Avoid re-reading it as such for the multiple uses.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/translator.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
                      CPUState *cpu, TranslationBlock *tb, int max_insns)
 {
+    uint32_t cflags = tb_cflags(tb);
     bool plugin_enabled;
 
     /* Initialize DisasContext */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
     ops->tb_start(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
 
-    plugin_enabled = plugin_gen_tb_start(cpu, tb,
-                                         tb_cflags(db->tb) & CF_MEMI_ONLY);
+    plugin_enabled = plugin_gen_tb_start(cpu, tb, cflags & CF_MEMI_ONLY);
 
     while (true) {
         db->num_insns++;
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
            update db->pc_next and db->is_jmp to indicate what should be
            done next -- either exiting this loop or locate the start of
            the next instruction.  */
-        if (db->num_insns == db->max_insns
-            && (tb_cflags(db->tb) & CF_LAST_IO)) {
+        if (db->num_insns == db->max_insns && (cflags & CF_LAST_IO)) {
             /* Accept I/O on the last instruction.  */
             gen_io_start();
             ops->translate_insn(db, cpu);
         } else {
             /* we should only see CF_MEMI_ONLY for io_recompile */
-            tcg_debug_assert(!(tb_cflags(db->tb) & CF_MEMI_ONLY));
+            tcg_debug_assert(!(cflags & CF_MEMI_ONLY));
             ops->translate_insn(db, cpu);
         }
 
-- 
2.25.1

Having this data in cflags means that hashing takes care
of selecting a TB with or without exceptions built in.
Which means that we no longer need to flush all TBs.

This does require that we single-step while we're within a page
that contains a breakpoint, so it's not yet ideal, but should be
an improvement over some corner-case slowdowns.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/404
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h   |  7 ++++
 accel/tcg/cpu-exec.c      | 68 ++++++++++++++++++++++++++++++-
 accel/tcg/translate-all.c |  4 --
 accel/tcg/translator.c    | 85 +++++++++++++++++++++------------------
 cpu.c                     | 24 -----------
 5 files changed, 119 insertions(+), 69 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
 #define CF_USE_ICOUNT    0x00020000
 #define CF_INVALID       0x00040000 /* TB is stale. Set with @jmp_lock held */
 #define CF_PARALLEL      0x00080000 /* Generate code for a parallel context */
+#define CF_BP_MASK       0x00300000 /* See below */
+#define CF_BP_SHIFT      20
 #define CF_CLUSTER_MASK  0xff000000 /* Top 8 bits are cluster ID */
 #define CF_CLUSTER_SHIFT 24
 
+#define CF_BP_NONE       (0 << CF_BP_SHIFT) /* TB does not interact with BPs */
+#define CF_BP_SSTEP      (1 << CF_BP_SHIFT) /* gdbstub single-step in effect */
+#define CF_BP_GDB        (2 << CF_BP_SHIFT) /* gdbstub breakpoint at tb->pc */
+#define CF_BP_CPU        (3 << CF_BP_SHIFT) /* arch breakpoint at tb->pc */
+
     /* Per-vCPU dynamic tracing state used to generate this TB */
     uint32_t trace_vcpu_dstate;
 
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline void log_cpu_exec(target_ulong pc, CPUState *cpu,
     }
 }
 
+static uint32_t cflags_for_breakpoints(CPUState *cpu, target_ulong pc,
+                                       uint32_t cflags)
+{
+    uint32_t bflags = 0;
+
+    if (unlikely(cpu->singlestep_enabled)) {
+        bflags = CF_BP_SSTEP;
+    } else {
+        bool match_page = false;
+        CPUBreakpoint *bp;
+
+        QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
+            /* Note exact pc matches */
+            if (pc == bp->pc) {
+                if (bp->flags & BP_GDB) {
+                    bflags = CF_BP_GDB;
+                    break;
+                }
+                if (bp->flags & BP_CPU) {
+                    bflags = CF_BP_CPU;
+                    break;
+                }
+            }
+            /* Note page matches */
+            if (((pc ^ bp->pc) & TARGET_PAGE_MASK) == 0) {
+                match_page = true;
+            }
+        }
+
+        if (likely(!bflags)) {
+            if (likely(!match_page)) {
+                return cflags;
+            }
+
+            /*
+             * Within the same page as a breakpoint, single-step,
+             * returning to helper_lookup_tb_ptr after each looking
+             * for the actual breakpoint.
+             *
+             * TODO: Perhaps better to record all of the TBs associated
+             * with a given virtual page that contains a breakpoint, and
+             * then invalidate them when a new overlapping breakpoint is
+             * set on the page.  Non-overlapping TBs would not be
+             * invalidated, nor would any TB need to be invalidated as
+             * breakpoints are removed.
+             */
+            bflags = CF_NO_GOTO_TB;
+        }
+    }
+
+    /*
+     * Reduce the TB to one insn.
+     * In the case of a BP hit, we will be raising an exception anyway.
+     * In the case of a page hit, return to helper_lookup_tb_ptr after
+     * every insn to look for the breakpoint.
+     */
+    return (cflags & ~CF_COUNT_MASK) | 1 | bflags;
+}
+
 /**
  * helper_lookup_tb_ptr: quick check for next tb
  * @env: current cpu state
@@ -XXX,XX +XXX,XX @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
     CPUState *cpu = env_cpu(env);
     TranslationBlock *tb;
     target_ulong cs_base, pc;
-    uint32_t flags;
+    uint32_t flags, cflags;
 
     cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 
-    tb = tb_lookup(cpu, pc, cs_base, flags, curr_cflags(cpu));
+    cflags = cflags_for_breakpoints(cpu, pc, curr_cflags(cpu));
+
+    tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
     if (tb == NULL) {
         return tcg_code_gen_epilogue;
     }
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
         cflags &= ~CF_PARALLEL;
         /* After 1 insn, return and release the exclusive lock. */
         cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | 1;
+        /* Raise any post-instruction debug exceptions. */
+        cflags = cflags_for_breakpoints(cpu, pc, cflags);
 
         tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
         if (tb == NULL) {
@@ -XXX,XX +XXX,XX @@ static inline TranslationBlock *tb_find(CPUState *cpu,
     } else {
         cpu->cflags_next_tb = -1;
     }
+    cflags = cflags_for_breakpoints(cpu, pc, cflags);
 
     tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
     if (tb == NULL) {
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     }
     QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
 
-    if (cpu->singlestep_enabled) {
-        max_insns = 1;
-    }
-
  buffer_overflow:
     tb = tcg_tb_alloc(tcg_ctx);
     if (unlikely(!tb)) {
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ void translator_loop_temp_check(DisasContextBase *db)
 
 bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 {
-    /* Suppress goto_tb if requested. */
-    if (tb_cflags(db->tb) & CF_NO_GOTO_TB) {
-        return false;
-    }
-
-    /* Suppress goto_tb in the case of single-steping.  */
-    if (db->singlestep_enabled) {
+    /* Suppress goto_tb if requested, or required by breakpoints. */
+    if (tb_cflags(db->tb) & (CF_NO_GOTO_TB | CF_BP_MASK)) {
         return false;
     }
 
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
                      CPUState *cpu, TranslationBlock *tb, int max_insns)
 {
     uint32_t cflags = tb_cflags(tb);
+    int bp_flags = 0;
     bool plugin_enabled;
 
     /* Initialize DisasContext */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
     db->is_jmp = DISAS_NEXT;
     db->num_insns = 0;
     db->max_insns = max_insns;
-    db->singlestep_enabled = cpu->singlestep_enabled;
+    db->singlestep_enabled = false;
+
+    switch (cflags & CF_BP_MASK) {
+    case CF_BP_NONE:
+        break;
+    case CF_BP_SSTEP:
+        db->singlestep_enabled = true;
+        break;
+    case CF_BP_GDB:
+        bp_flags = BP_GDB;
+        break;
+    case CF_BP_CPU:
+        bp_flags = BP_CPU;
+        break;
+    default:
+        g_assert_not_reached();
+    }
 
     ops->init_disas_context(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
         }
 
         /* Pass breakpoint hits to target for further processing */
-        if (!db->singlestep_enabled
-            && unlikely(!QTAILQ_EMPTY(&cpu->breakpoints))) {
-            CPUBreakpoint *bp;
-            QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
-                if (bp->pc == db->pc_next) {
-                    int len = ops->breakpoint_check(db, cpu, bp->flags);
+        if (unlikely(bp_flags)) {
+            int len = ops->breakpoint_check(db, cpu, bp_flags);
 
-                    /*
-                     * The breakpoint_check hook may use DISAS_TOO_MANY
-                     * to indicate that only one more instruction is to
-                     * be executed.  Otherwise it should use DISAS_NORETURN
-                     * when generating an exception, but may use a
-                     * DISAS_TARGET_* value for Something Else.
-                     */
-                    if (db->is_jmp > DISAS_TOO_MANY) {
-                        /*
-                         * The address covered by the breakpoint must be
-                         * included in [tb->pc, tb->pc + tb->size) in order
-                         * to for it to be properly cleared.  Thus we
-                         * increment the PC here so that the logic setting
-                         * tb->size below does the right thing.
-                         */
-                        tcg_debug_assert(len > 0);
-                        db->pc_next += len;
+            /*
+             * When there is a bp hit, we're going to execute a maximum
+             * of one instruction.  The breakpoint_check hook may use
+             * DISAS_NEXT or DISAS_TOO_MANY to indicate that the current
+             * instruction should be translated.  Anything else is taken
+             * to mean that an exception has been raised and that zero
+             * instructions will be executed.
+             */
+            if (db->is_jmp > DISAS_TOO_MANY) {
+                /*
+                 * The address covered by the breakpoint must be
+                 * included in [tb->pc, tb->pc + tb->size) in order
+                 * to for it to be properly cleared.  Thus we
+                 * increment the PC here so that the logic setting
+                 * tb->size below does the right thing.
+                 */
+                tcg_debug_assert(len > 0);
+                db->pc_next += len;
 
-                        /*
-                         * The breakpoint definitely hit, so decrement the
-                         * number of instructions completed for icount.
-                         */
-                        db->num_insns--;
-                        goto done;
-                    }
-                }
+                /*
+                 * The breakpoint definitely hit, so decrement the
+                 * number of instructions completed for icount.
+                 */
+                db->num_insns--;
+                goto done;
             }
         }
 
diff --git a/cpu.c b/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/cpu.c
+++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(target_ulong addr)
     tb_invalidate_phys_page_range(addr, addr + 1);
     mmap_unlock();
 }
-
-static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
-{
-    tb_invalidate_phys_addr(pc);
-}
 #else
 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
 {
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
     ram_addr = memory_region_get_ram_addr(mr) + addr;
     tb_invalidate_phys_page_range(ram_addr, ram_addr + 1);
 }
-
-static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
-{
-    /*
-     * There may not be a virtual to physical translation for the pc
-     * right now, but there may exist cached TB for this pc.
-     * Flush the whole TB cache to force re-translation of such TBs.
-     * This is heavyweight, but we're debugging anyway.
-     */
-    tb_flush(cpu);
-}
 #endif
 
 /* Add a breakpoint.  */
@@ -XXX,XX +XXX,XX @@ int cpu_breakpoint_insert(CPUState *cpu, vaddr pc, int flags,
         QTAILQ_INSERT_TAIL(&cpu->breakpoints, bp, entry);
     }
 
-    breakpoint_invalidate(cpu, pc);
-
     if (breakpoint) {
         *breakpoint = bp;
     }
@@ -XXX,XX +XXX,XX @@ void cpu_breakpoint_remove_by_ref(CPUState *cpu, CPUBreakpoint *bp)
 {
     QTAILQ_REMOVE(&cpu->breakpoints, bp, entry);
 
-    breakpoint_invalidate(cpu, bp->pc);
-
     trace_breakpoint_remove(cpu->cpu_index, bp->pc, bp->flags);
     g_free(bp);
 }
@@ -XXX,XX +XXX,XX @@ void cpu_single_step(CPUState *cpu, int enabled)
         cpu->singlestep_enabled = enabled;
         if (kvm_enabled()) {
             kvm_update_guest_debug(cpu, 0);
-        } else {
-            /* must flush all the translated code to avoid inconsistencies */
-            /* XXX: only flush what is necessary */
-            tb_flush(cpu);
         }
         trace_breakpoint_singlestep(cpu->cpu_index, enabled);
     }
-- 
2.25.1

This is fixing #404 ("windows xp boot takes much longer...")
and several other similar reports.

Changes for v5:
  * Include missing hunk in tb_gen_code, as noted in reply to v4.
  * Remove helper_check_breakpoints from target/arm/.
  * Reorg cflags_for_breakpoints into check_for_breakpoints;
    reorg cpu_exec to use a break instead of a longjmp.
  * Move singlestep_enabled check from cflags_for_breakpoints
    to curr_cflags, which makes cpu_exec_step_atomic cleaner.

Changes for v4:
  * Issue breakpoints directly from cflags_for_breakpoints.
    Do not generate code for a TB beginning with a BP at all.
  * Drop the problematic TranslatorOps.breakpoint_check hook entirely.

Changes for v3:
  * Map CF_COUNT_MASK == 0 -> TCG_MAX_INSNS.
  * Split out *_breakpoint_check fixes for avr, mips, riscv.

Changes for v2:
  * All prerequisites and 7 of the patches from v1 with are merged.

Patches lacking review are all new:
  03-target-alpha-Drop-goto_tb-path-in-gen_call_pal.patch
  08-hw-core-Introduce-TCGCPUOps.debug_check_breakpoin.patch
  09-target-arm-Implement-debug_check_breakpoint.patch
  10-target-i386-Implement-debug_check_breakpoint.patch
  11-accel-tcg-Merge-tb_find-into-its-only-caller.patch
  12-accel-tcg-Move-breakpoint-recognition-outside-tra.patch
  13-accel-tcg-Remove-TranslatorOps.breakpoint_check.patch
  15-accel-tcg-Record-singlestep_enabled-in-tb-cflags.patch

Richard Henderson (15):
  accel/tcg: Reduce CF_COUNT_MASK to match TCG_MAX_INSNS
  accel/tcg: Move curr_cflags into cpu-exec.c
  target/alpha: Drop goto_tb path in gen_call_pal
  accel/tcg: Add CF_NO_GOTO_TB and CF_NO_GOTO_PTR
  accel/tcg: Drop CF_NO_GOTO_PTR from -d nochain
  accel/tcg: Handle -singlestep in curr_cflags
  accel/tcg: Use CF_NO_GOTO_{TB, PTR} in cpu_exec_step_atomic
  hw/core: Introduce TCGCPUOps.debug_check_breakpoint
  target/arm: Implement debug_check_breakpoint
  target/i386: Implement debug_check_breakpoint
  accel/tcg: Merge tb_find into its only caller
  accel/tcg: Move breakpoint recognition outside translation
  accel/tcg: Remove TranslatorOps.breakpoint_check
  accel/tcg: Hoist tb_cflags to a local in translator_loop
  accel/tcg: Record singlestep_enabled in tb->cflags

-- 
2.25.1

The space reserved for CF_COUNT_MASK was overly large.
Reduce to free up cflags bits and eliminate an extra test.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210717221851.2124573-2-richard.henderson@linaro.org>
---
 include/exec/exec-all.h   | 4 +++-
 accel/tcg/translate-all.c | 5 ++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
     target_ulong cs_base; /* CS base for this block */
     uint32_t flags; /* flags defining in which context the code was generated */
     uint32_t cflags;    /* compile flags */
-#define CF_COUNT_MASK  0x00007fff
+
+/* Note that TCG_MAX_INSNS is 512; we validate this match elsewhere. */
+#define CF_COUNT_MASK  0x000001ff
 #define CF_LAST_IO     0x00008000 /* Last insn may be an IO access.  */
 #define CF_MEMI_ONLY   0x00010000 /* Only instrument memory ops */
 #define CF_USE_ICOUNT  0x00020000
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
 
     max_insns = cflags & CF_COUNT_MASK;
     if (max_insns == 0) {
-        max_insns = CF_COUNT_MASK;
-    }
-    if (max_insns > TCG_MAX_INSNS) {
         max_insns = TCG_MAX_INSNS;
     }
+    QEMU_BUILD_BUG_ON(CF_COUNT_MASK + 1 != TCG_MAX_INSNS);
+
     if (cpu->singlestep_enabled || singlestep) {
         max_insns = 1;
     }
-- 
2.25.1

We will shortly have more than a simple member read here,
with stuff not necessarily exposed to exec/exec-all.h.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Message-Id: <20210717221851.2124573-3-richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 5 +----
 accel/tcg/cpu-exec.c    | 5 +++++
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ static inline uint32_t tb_cflags(const TranslationBlock *tb)
 }
 
 /* current cflags for hashing/comparison */
-static inline uint32_t curr_cflags(CPUState *cpu)
-{
-    return cpu->tcg_cflags;
-}
+uint32_t curr_cflags(CPUState *cpu);
 
 /* TranslationBlock invalidate API */
 #if defined(CONFIG_USER_ONLY)
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
 }
 #endif /* CONFIG USER ONLY */
 
+uint32_t curr_cflags(CPUState *cpu)
+{
+    return cpu->tcg_cflags;
+}
+
 /* Might cause an exception, so have a longjmp destination ready */
 static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                           target_ulong cs_base,
-- 
2.25.1

We are certain of a page crossing here, entering the
PALcode image, so the call to use_goto_tb that should
have been here will never succeed.

We are shortly going to add an assert to tcg_gen_goto_tb
that would trigger for this case.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/alpha/translate.c | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static DisasJumpType gen_call_pal(DisasContext *ctx, int palcode)
                   ? 0x2000 + (palcode - 0x80) * 64
                   : 0x1000 + palcode * 64);
 
-        /* Since the destination is running in PALmode, we don't really
-           need the page permissions check.  We'll see the existence of
-           the page when we create the TB, and we'll flush all TBs if
-           we change the PAL base register.  */
-        if (!ctx->base.singlestep_enabled) {
-            tcg_gen_goto_tb(0);
-            tcg_gen_movi_i64(cpu_pc, entry);
-            tcg_gen_exit_tb(ctx->base.tb, 0);
-            return DISAS_NORETURN;
-        } else {
-            tcg_gen_movi_i64(cpu_pc, entry);
-            return DISAS_PC_UPDATED;
-        }
+        tcg_gen_movi_i64(cpu_pc, entry);
+        return DISAS_PC_UPDATED;
     }
 #endif
 }
-- 
2.25.1

Move the -d nochain check to bits on tb->cflags.
These will be used for more than -d nochain shortly.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210717221851.2124573-4-richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 16 +++++++++-------
 accel/tcg/cpu-exec.c    |  8 +++++++-
 accel/tcg/translator.c  |  5 +++++
 tcg/tcg-op.c            | 28 ++++++++++++----------------
 4 files changed, 33 insertions(+), 24 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct TranslationBlock {
     uint32_t cflags;    /* compile flags */
 
 /* Note that TCG_MAX_INSNS is 512; we validate this match elsewhere. */
-#define CF_COUNT_MASK  0x000001ff
-#define CF_LAST_IO     0x00008000 /* Last insn may be an IO access.  */
-#define CF_MEMI_ONLY   0x00010000 /* Only instrument memory ops */
-#define CF_USE_ICOUNT  0x00020000
-#define CF_INVALID     0x00040000 /* TB is stale. Set with @jmp_lock held */
-#define CF_PARALLEL    0x00080000 /* Generate code for a parallel context */
-#define CF_CLUSTER_MASK 0xff000000 /* Top 8 bits are cluster ID */
+#define CF_COUNT_MASK    0x000001ff
+#define CF_NO_GOTO_TB    0x00000200 /* Do not chain with goto_tb */
+#define CF_NO_GOTO_PTR   0x00000400 /* Do not chain with goto_ptr */
+#define CF_LAST_IO       0x00008000 /* Last insn may be an IO access.  */
+#define CF_MEMI_ONLY     0x00010000 /* Only instrument memory ops */
+#define CF_USE_ICOUNT    0x00020000
+#define CF_INVALID       0x00040000 /* TB is stale. Set with @jmp_lock held */
+#define CF_PARALLEL      0x00080000 /* Generate code for a parallel context */
+#define CF_CLUSTER_MASK  0xff000000 /* Top 8 bits are cluster ID */
 #define CF_CLUSTER_SHIFT 24
 
     /* Per-vCPU dynamic tracing state used to generate this TB */
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static void init_delay_params(SyncClocks *sc, const CPUState *cpu)
 
 uint32_t curr_cflags(CPUState *cpu)
 {
-    return cpu->tcg_cflags;
+    uint32_t cflags = cpu->tcg_cflags;
+
+    if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
+        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR;
+    }
+
+    return cflags;
 }
 
 /* Might cause an exception, so have a longjmp destination ready */
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ void translator_loop_temp_check(DisasContextBase *db)
 
 bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 {
+    /* Suppress goto_tb if requested. */
+    if (tb_cflags(db->tb) & CF_NO_GOTO_TB) {
+        return false;
+    }
+
     /* Suppress goto_tb in the case of single-steping.  */
     if (db->singlestep_enabled || singlestep) {
         return false;
diff --git a/tcg/tcg-op.c b/tcg/tcg-op.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg-op.c
+++ b/tcg/tcg-op.c
@@ -XXX,XX +XXX,XX @@ void tcg_gen_exit_tb(const TranslationBlock *tb, unsigned idx)
            seen this numbered exit before, via tcg_gen_goto_tb.  */
         tcg_debug_assert(tcg_ctx->goto_tb_issue_mask & (1 << idx));
 #endif
-        /* When not chaining, exit without indicating a link.  */
-        if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-            val = 0;
-        }
     } else {
         /* This is an exit via the exitreq label.  */
         tcg_debug_assert(idx == TB_EXIT_REQUESTED);
@@ -XXX,XX +XXX,XX @@ void tcg_gen_exit_tb(const TranslationBlock *tb, unsigned idx)
 
 void tcg_gen_goto_tb(unsigned idx)
 {
+    /* We tested CF_NO_GOTO_TB in translator_use_goto_tb. */
+    tcg_debug_assert(!(tcg_ctx->tb_cflags & CF_NO_GOTO_TB));
     /* We only support two chained exits.  */
     tcg_debug_assert(idx <= TB_EXIT_IDXMAX);
 #ifdef CONFIG_DEBUG_TCG
@@ -XXX,XX +XXX,XX @@ void tcg_gen_goto_tb(unsigned idx)
     tcg_ctx->goto_tb_issue_mask |= 1 << idx;
 #endif
     plugin_gen_disable_mem_helpers();
-    /* When not chaining, we simply fall through to the "fallback" exit.  */
-    if (!qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-        tcg_gen_op1i(INDEX_op_goto_tb, idx);
-    }
+    tcg_gen_op1i(INDEX_op_goto_tb, idx);
 }
 
 void tcg_gen_lookup_and_goto_ptr(void)
 {
-    if (!qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
-        TCGv_ptr ptr;
+    TCGv_ptr ptr;
 
-        plugin_gen_disable_mem_helpers();
-        ptr = tcg_temp_new_ptr();
-        gen_helper_lookup_tb_ptr(ptr, cpu_env);
-        tcg_gen_op1i(INDEX_op_goto_ptr, tcgv_ptr_arg(ptr));
-        tcg_temp_free_ptr(ptr);
-    } else {
+    if (tcg_ctx->tb_cflags & CF_NO_GOTO_PTR) {
         tcg_gen_exit_tb(NULL, 0);
+        return;
     }
+
+    plugin_gen_disable_mem_helpers();
+    ptr = tcg_temp_new_ptr();
+    gen_helper_lookup_tb_ptr(ptr, cpu_env);
+    tcg_gen_op1i(INDEX_op_goto_ptr, tcgv_ptr_arg(ptr));
+    tcg_temp_free_ptr(ptr);
 }
 
 static inline MemOp tcg_canonicalize_memop(MemOp op, bool is64, bool st)
-- 
2.25.1

Exchange the test in translator_use_goto_tb for CF_NO_GOTO_TB,
and the test in tb_gen_code for setting CF_COUNT_MASK to 1.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20210717221851.2124573-6-richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c      | 8 +++++++-
 accel/tcg/translate-all.c | 2 +-
 accel/tcg/translator.c    | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)

Request that the one TB returns immediately, so that
we release the exclusive lock as soon as possible.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-Id: <20210717221851.2124573-7-richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

Reuse the code at the bottom of helper_check_breakpoints,
which is what we currently call from *_tr_breakpoint_check.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/arm/internals.h    | 3 +++
 target/arm/cpu.c          | 1 +
 target/arm/cpu_tcg.c      | 1 +
 target/arm/debug_helper.c | 7 +++----
 4 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/target/arm/internals.h b/target/arm/internals.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/internals.h
+++ b/target/arm/internals.h
@@ -XXX,XX +XXX,XX @@ void hw_breakpoint_update(ARMCPU *cpu, int n);
  */
 void hw_breakpoint_update_all(ARMCPU *cpu);
 
+/* Callback function for checking if a breakpoint should trigger. */
+bool arm_debug_check_breakpoint(CPUState *cs);
+
 /* Callback function for checking if a watchpoint should trigger. */
 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp);
 
diff --git a/target/arm/cpu.c b/target/arm/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu.c
+++ b/target/arm/cpu.c
@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps arm_tcg_ops = {
     .do_unaligned_access = arm_cpu_do_unaligned_access,
     .adjust_watchpoint_address = arm_adjust_watchpoint_address,
     .debug_check_watchpoint = arm_debug_check_watchpoint,
+    .debug_check_breakpoint = arm_debug_check_breakpoint,
 #endif /* !CONFIG_USER_ONLY */
 };
 #endif /* CONFIG_TCG */
diff --git a/target/arm/cpu_tcg.c b/target/arm/cpu_tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/cpu_tcg.c
+++ b/target/arm/cpu_tcg.c
@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps arm_v7m_tcg_ops = {
     .do_unaligned_access = arm_cpu_do_unaligned_access,
     .adjust_watchpoint_address = arm_adjust_watchpoint_address,
     .debug_check_watchpoint = arm_debug_check_watchpoint,
+    .debug_check_breakpoint = arm_debug_check_breakpoint,
 #endif /* !CONFIG_USER_ONLY */
 };
 #endif /* CONFIG_TCG */
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ static bool check_watchpoints(ARMCPU *cpu)
     return false;
 }
 
-static bool check_breakpoints(ARMCPU *cpu)
+bool arm_debug_check_breakpoint(CPUState *cs)
 {
+    ARMCPU *cpu = ARM_CPU(cs);
     CPUARMState *env = &cpu->env;
     int n;
 
@@ -XXX,XX +XXX,XX @@ static bool check_breakpoints(ARMCPU *cpu)
 
 void HELPER(check_breakpoints)(CPUARMState *env)
 {
-    ARMCPU *cpu = env_archcpu(env);
-
-    if (check_breakpoints(cpu)) {
+    if (arm_debug_check_breakpoint(env_cpu(env))) {
         HELPER(exception_internal(env, EXCP_DEBUG));
     }
 }
-- 
2.25.1

Return false for RF set, as we do in i386_tr_breakpoint_check.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/tcg-cpu.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/target/i386/tcg/tcg-cpu.c b/target/i386/tcg/tcg-cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/tcg-cpu.c
+++ b/target/i386/tcg/tcg-cpu.c
@@ -XXX,XX +XXX,XX @@ static void x86_cpu_synchronize_from_tb(CPUState *cs,
     cpu->env.eip = tb->pc - tb->cs_base;
 }
 
+#ifndef CONFIG_USER_ONLY
+static bool x86_debug_check_breakpoint(CPUState *cs)
+{
+    X86CPU *cpu = X86_CPU(cs);
+    CPUX86State *env = &cpu->env;
+
+    /* RF disables all architectural breakpoints. */
+    return !(env->eflags & RF_MASK);
+}
+#endif
+
 #include "hw/core/tcg-cpu-ops.h"
 
 static const struct TCGCPUOps x86_tcg_ops = {
@@ -XXX,XX +XXX,XX @@ static const struct TCGCPUOps x86_tcg_ops = {
     .tlb_fill = x86_cpu_tlb_fill,
 #ifndef CONFIG_USER_ONLY
     .debug_excp_handler = breakpoint_handler,
+    .debug_check_breakpoint = x86_debug_check_breakpoint,
 #endif /* !CONFIG_USER_ONLY */
 };
 
-- 
2.25.1

We are going to want two things:
(1) check for breakpoints will want to break out of the loop here,
(2) cflags can only be calculated with pc in hand.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 83 ++++++++++++++++++++++----------------------
 1 file changed, 41 insertions(+), 42 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline void tb_add_jump(TranslationBlock *tb, int n,
     return;
 }
 
-static inline TranslationBlock *tb_find(CPUState *cpu,
-                                        TranslationBlock *last_tb,
-                                        int tb_exit, uint32_t cflags)
-{
-    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
-    TranslationBlock *tb;
-    target_ulong cs_base, pc;
-    uint32_t flags;
-
-    cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
-
-    tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
-    if (tb == NULL) {
-        mmap_lock();
-        tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
-        mmap_unlock();
-        /* We add the TB in the virtual pc hash table for the fast lookup */
-        qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
-    }
-#ifndef CONFIG_USER_ONLY
-    /* We don't take care of direct jumps when address mapping changes in
-     * system emulation. So it's not safe to make a direct jump to a TB
-     * spanning two pages because the mapping for the second page can change.
-     */
-    if (tb->page_addr[1] != -1) {
-        last_tb = NULL;
-    }
-#endif
-    /* See if we can patch the calling TB. */
-    if (last_tb) {
-        tb_add_jump(last_tb, tb_exit, tb);
-    }
-    return tb;
-}
-
 static inline bool cpu_handle_halt(CPUState *cpu)
 {
     if (cpu->halted) {
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
         int tb_exit = 0;
 
         while (!cpu_handle_interrupt(cpu, &last_tb)) {
-            uint32_t cflags = cpu->cflags_next_tb;
             TranslationBlock *tb;
+            target_ulong cs_base, pc;
+            uint32_t flags, cflags;
 
-            /* When requested, use an exact setting for cflags for the next
-               execution.  This is used for icount, precise smc, and stop-
-               after-access watchpoints.  Since this request should never
-               have CF_INVALID set, -1 is a convenient invalid value that
-               does not require tcg headers for cpu_common_reset.  */
+            /*
+             * When requested, use an exact setting for cflags for the next
+             * execution.  This is used for icount, precise smc, and stop-
+             * after-access watchpoints.  Since this request should never
+             * have CF_INVALID set, -1 is a convenient invalid value that
+             * does not require tcg headers for cpu_common_reset.
+             */
+            cflags = cpu->cflags_next_tb;
             if (cflags == -1) {
                 cflags = curr_cflags(cpu);
             } else {
                 cpu->cflags_next_tb = -1;
             }
 
-            tb = tb_find(cpu, last_tb, tb_exit, cflags);
+            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
+
+            tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
+            if (tb == NULL) {
+                mmap_lock();
+                tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
+                mmap_unlock();
+                /*
+                 * We add the TB in the virtual pc hash table
+                 * for the fast lookup
+                 */
+                qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
+            }
+
+#ifndef CONFIG_USER_ONLY
+            /*
+             * We don't take care of direct jumps when address mapping
+             * changes in system emulation.  So it's not safe to make a
+             * direct jump to a TB spanning two pages because the mapping
+             * for the second page can change.
+             */
+            if (tb->page_addr[1] != -1) {
+                last_tb = NULL;
+            }
+#endif
+            /* See if we can patch the calling TB. */
+            if (last_tb) {
+                tb_add_jump(last_tb, tb_exit, tb);
+            }
+
             cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);
+
             /* Try to align the host and virtual clocks
                if the guest is in advance */
             align_clocks(&sc, cpu);
-- 
2.25.1

Trigger breakpoints before beginning translation of a TB
that would begin with a BP.  Thus we never generate code
for the BP at all.

Single-step instructions within a page containing a BP so
that we are sure to check each insn for the BP as above.

We no longer need to flush any TBs when changing BPs.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/286
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/404
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/489
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c   | 78 ++++++++++++++++++++++++++++++++++++++++--
 accel/tcg/translator.c | 24 +------------
 cpu.c                  | 20 -----------
 3 files changed, 76 insertions(+), 46 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static inline void log_cpu_exec(target_ulong pc, CPUState *cpu,
     }
 }
 
+static bool check_for_breakpoints(CPUState *cpu, target_ulong pc,
+                                  uint32_t *cflags)
+{
+    CPUBreakpoint *bp;
+    bool match_page = false;
+
+    if (likely(QTAILQ_EMPTY(&cpu->breakpoints))) {
+        return false;
+    }
+
+    QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
+        /*
+         * If we have an exact pc match, trigger the breakpoint.
+         * Otherwise, note matches within the page.
+         */
+        if (pc == bp->pc) {
+            bool match_bp = false;
+
+            if (bp->flags & BP_GDB) {
+                match_bp = true;
+            } else if (bp->flags & BP_CPU) {
+#ifdef CONFIG_USER_ONLY
+                g_assert_not_reached();
+#else
+                CPUClass *cc = CPU_GET_CLASS(cpu);
+                assert(cc->tcg_ops->debug_check_breakpoint);
+                match_bp = cc->tcg_ops->debug_check_breakpoint(cpu);
+#endif
+            }
+
+            if (match_bp) {
+                cpu->exception_index = EXCP_DEBUG;
+                return true;
+            }
+        } else if (((pc ^ bp->pc) & TARGET_PAGE_MASK) == 0) {
+            match_page = true;
+        }
+    }
+
+    /*
+     * Within the same page as a breakpoint, single-step,
+     * returning to helper_lookup_tb_ptr after each looking
+     * for the actual breakpoint.
+     *
+     * TODO: Perhaps better to record all of the TBs associated
+     * with a given virtual page that contains a breakpoint, and
+     * then invalidate them when a new overlapping breakpoint is
+     * set on the page.  Non-overlapping TBs would not be
+     * invalidated, nor would any TB need to be invalidated as
+     * breakpoints are removed.
+     */
+    if (match_page) {
+        *cflags = (*cflags & ~CF_COUNT_MASK) | CF_NO_GOTO_TB | 1;
+    }
+    return false;
+}
+
 /**
  * helper_lookup_tb_ptr: quick check for next tb
  * @env: current cpu state
@@ -XXX,XX +XXX,XX @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
     CPUState *cpu = env_cpu(env);
     TranslationBlock *tb;
     target_ulong cs_base, pc;
-    uint32_t flags;
+    uint32_t flags, cflags;
 
     cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
 
-    tb = tb_lookup(cpu, pc, cs_base, flags, curr_cflags(cpu));
+    cflags = curr_cflags(cpu);
+    if (check_for_breakpoints(cpu, pc, &cflags)) {
+        cpu_loop_exit(cpu);
+    }
+
+    tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
     if (tb == NULL) {
         return tcg_code_gen_epilogue;
     }
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
         cflags &= ~CF_PARALLEL;
         /* After 1 insn, return and release the exclusive lock. */
         cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | 1;
+        /*
+         * No need to check_for_breakpoints here.
+         * We only arrive in cpu_exec_step_atomic after beginning execution
+         * of an insn that includes an atomic operation we can't handle.
+         * Any breakpoint for this insn will have been recognized earlier.
+         */
 
         tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
         if (tb == NULL) {
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
             target_ulong cs_base, pc;
             uint32_t flags, cflags;
 
+            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
+
             /*
              * When requested, use an exact setting for cflags for the next
              * execution.  This is used for icount, precise smc, and stop-
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
                 cpu->cflags_next_tb = -1;
             }
 
-            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);
+            if (check_for_breakpoints(cpu, pc, &cflags)) {
+                break;
+            }
 
             tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
             if (tb == NULL) {
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
                      CPUState *cpu, TranslationBlock *tb, int max_insns)
 {
-    int bp_insn = 0;
     bool plugin_enabled;
 
     /* Initialize DisasContext */
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
             plugin_gen_insn_start(cpu, db);
         }
 
-        /* Pass breakpoint hits to target for further processing */
-        if (!db->singlestep_enabled
-            && unlikely(!QTAILQ_EMPTY(&cpu->breakpoints))) {
-            CPUBreakpoint *bp;
-            QTAILQ_FOREACH(bp, &cpu->breakpoints, entry) {
-                if (bp->pc == db->pc_next) {
-                    if (ops->breakpoint_check(db, cpu, bp)) {
-                        bp_insn = 1;
-                        break;
-                    }
-                }
-            }
-            /* The breakpoint_check hook may use DISAS_TOO_MANY to indicate
-               that only one more instruction is to be executed.  Otherwise
-               it should use DISAS_NORETURN when generating an exception,
-               but may use a DISAS_TARGET_* value for Something Else.  */
-            if (db->is_jmp > DISAS_TOO_MANY) {
-                break;
-            }
-        }
-
         /* Disassemble one instruction.  The translate_insn hook should
            update db->pc_next and db->is_jmp to indicate what should be
            done next -- either exiting this loop or locate the start of
@@ -XXX,XX +XXX,XX @@ void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
 
     /* Emit code to exit the TB, as indicated by db->is_jmp.  */
     ops->tb_stop(db, cpu);
-    gen_tb_end(db->tb, db->num_insns - bp_insn);
+    gen_tb_end(db->tb, db->num_insns);
 
     if (plugin_enabled) {
         plugin_gen_tb_end(cpu);
diff --git a/cpu.c b/cpu.c
index XXXXXXX..XXXXXXX 100644
--- a/cpu.c
+++ b/cpu.c
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(target_ulong addr)
     tb_invalidate_phys_page_range(addr, addr + 1);
     mmap_unlock();
 }
-
-static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
-{
-    tb_invalidate_phys_addr(pc);
-}
 #else
 void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
 {
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs)
     ram_addr = memory_region_get_ram_addr(mr) + addr;
     tb_invalidate_phys_page_range(ram_addr, ram_addr + 1);
 }
-
-static void breakpoint_invalidate(CPUState *cpu, target_ulong pc)
-{
-    /*
-     * There may not be a virtual to physical translation for the pc
-     * right now, but there may exist cached TB for this pc.
-     * Flush the whole TB cache to force re-translation of such TBs.
-     * This is heavyweight, but we're debugging anyway.
-     */
-    tb_flush(cpu);
-}
 #endif
 
 /* Add a breakpoint.  */
@@ -XXX,XX +XXX,XX @@ int cpu_breakpoint_insert(CPUState *cpu, vaddr pc, int flags,
         QTAILQ_INSERT_TAIL(&cpu->breakpoints, bp, entry);
     }
 
-    breakpoint_invalidate(cpu, pc);
-
     if (breakpoint) {
         *breakpoint = bp;
     }
@@ -XXX,XX +XXX,XX @@ void cpu_breakpoint_remove_by_ref(CPUState *cpu, CPUBreakpoint *bp)
 {
     QTAILQ_REMOVE(&cpu->breakpoints, bp, entry);
 
-    breakpoint_invalidate(cpu, bp->pc);
-
     trace_breakpoint_remove(cpu->cpu_index, bp->pc, bp->flags);
     g_free(bp);
 }
-- 
2.25.1

The hook is now unused, with breakpoints checked outside translation.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h     | 11 -----------
 target/arm/helper.h           |  2 --
 target/alpha/translate.c      | 16 ----------------
 target/arm/debug_helper.c     |  7 -------
 target/arm/translate-a64.c    | 25 -------------------------
 target/arm/translate.c        | 29 -----------------------------
 target/avr/translate.c        | 10 ----------
 target/cris/translate.c       | 20 --------------------
 target/hexagon/translate.c    | 17 -----------------
 target/hppa/translate.c       | 11 -----------
 target/i386/tcg/translate.c   | 28 ----------------------------
 target/m68k/translate.c       | 18 ------------------
 target/microblaze/translate.c | 18 ------------------
 target/mips/tcg/translate.c   | 19 -------------------
 target/nios2/translate.c      | 27 ---------------------------
 target/openrisc/translate.c   | 17 -----------------
 target/ppc/translate.c        | 18 ------------------
 target/riscv/translate.c      | 17 -----------------
 target/rx/translate.c         | 14 --------------
 target/s390x/tcg/translate.c  | 24 ------------------------
 target/sh4/translate.c        | 18 ------------------
 target/sparc/translate.c      | 17 -----------------
 target/tricore/translate.c    | 16 ----------------
 target/xtensa/translate.c     | 17 -----------------
 24 files changed, 416 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContextBase {
  * @insn_start:
  *      Emit the tcg_gen_insn_start opcode.
  *
- * @breakpoint_check:
- *      When called, the breakpoint has already been checked to match the PC,
- *      but the target may decide the breakpoint missed the address
- *      (e.g., due to conditions encoded in their flags).  Return true to
- *      indicate that the breakpoint did hit, in which case no more breakpoints
- *      are checked.  If the breakpoint did hit, emit any code required to
- *      signal the exception, and set db->is_jmp as necessary to terminate
- *      the main loop.
- *
  * @translate_insn:
  *      Disassemble one instruction and set db->pc_next for the start
  *      of the following instruction.  Set db->is_jmp as necessary to
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
     void (*init_disas_context)(DisasContextBase *db, CPUState *cpu);
     void (*tb_start)(DisasContextBase *db, CPUState *cpu);
     void (*insn_start)(DisasContextBase *db, CPUState *cpu);
-    bool (*breakpoint_check)(DisasContextBase *db, CPUState *cpu,
-                             const CPUBreakpoint *bp);
     void (*translate_insn)(DisasContextBase *db, CPUState *cpu);
     void (*tb_stop)(DisasContextBase *db, CPUState *cpu);
     void (*disas_log)(const DisasContextBase *db, CPUState *cpu);
diff --git a/target/arm/helper.h b/target/arm/helper.h
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -XXX,XX +XXX,XX @@ DEF_HELPER_1(yield, void, env)
 DEF_HELPER_1(pre_hvc, void, env)
 DEF_HELPER_2(pre_smc, void, env, i32)
 
-DEF_HELPER_1(check_breakpoints, void, env)
-
 DEF_HELPER_3(cpsr_write, void, env, i32, i32)
 DEF_HELPER_2(cpsr_write_eret, void, env, i32)
 DEF_HELPER_1(cpsr_read, i32, env)
diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static void alpha_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool alpha_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    ctx->base.is_jmp = gen_excp(ctx, EXCP_DEBUG, 0);
-
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static void alpha_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
     .init_disas_context = alpha_tr_init_disas_context,
     .tb_start           = alpha_tr_tb_start,
     .insn_start         = alpha_tr_insn_start,
-    .breakpoint_check   = alpha_tr_breakpoint_check,
     .translate_insn     = alpha_tr_translate_insn,
     .tb_stop            = alpha_tr_tb_stop,
     .disas_log          = alpha_tr_disas_log,
diff --git a/target/arm/debug_helper.c b/target/arm/debug_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/debug_helper.c
+++ b/target/arm/debug_helper.c
@@ -XXX,XX +XXX,XX @@ bool arm_debug_check_breakpoint(CPUState *cs)
     return false;
 }
 
-void HELPER(check_breakpoints)(CPUARMState *env)
-{
-    if (arm_debug_check_breakpoint(env_cpu(env))) {
-        HELPER(exception_internal(env, EXCP_DEBUG));
-    }
-}
-
 bool arm_debug_check_watchpoint(CPUState *cs, CPUWatchpoint *wp)
 {
     /*
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -XXX,XX +XXX,XX @@ static void aarch64_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool aarch64_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                        const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    if (bp->flags & BP_CPU) {
-        gen_a64_set_pc_im(dc->base.pc_next);
-        gen_helper_check_breakpoints(cpu_env);
-        /* End the TB early; it likely won't be executed */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else {
-        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
-        /* The address covered by the breakpoint must be
-           included in [tb->pc, tb->pc + tb->size) in order
-           to for it to be properly cleared -- thus we
-           increment the PC here so that the logic setting
-           tb->size below does the right thing.  */
-        dc->base.pc_next += 4;
-        dc->base.is_jmp = DISAS_NORETURN;
-    }
-
-    return true;
-}
-
 static void aarch64_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ const TranslatorOps aarch64_translator_ops = {
     .init_disas_context = aarch64_tr_init_disas_context,
     .tb_start           = aarch64_tr_tb_start,
     .insn_start         = aarch64_tr_insn_start,
-    .breakpoint_check   = aarch64_tr_breakpoint_check,
     .translate_insn     = aarch64_tr_translate_insn,
     .tb_stop            = aarch64_tr_tb_stop,
     .disas_log          = aarch64_tr_disas_log,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static void arm_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     dc->insn_start = tcg_last_op();
 }
 
-static bool arm_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                    const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    if (bp->flags & BP_CPU) {
-        gen_set_condexec(dc);
-        gen_set_pc_im(dc, dc->base.pc_next);
-        gen_helper_check_breakpoints(cpu_env);
-        /* End the TB early; it's likely not going to be executed */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else {
-        gen_exception_internal_insn(dc, dc->base.pc_next, EXCP_DEBUG);
-        /* The address covered by the breakpoint must be
-           included in [tb->pc, tb->pc + tb->size) in order
-           to for it to be properly cleared -- thus we
-           increment the PC here so that the logic setting
-           tb->size below does the right thing.  */
-        /* TODO: Advance PC by correct instruction length to
-         * avoid disassembler error messages */
-        dc->base.pc_next += 2;
-        dc->base.is_jmp = DISAS_NORETURN;
-    }
-
-    return true;
-}
-
 static bool arm_pre_translate_insn(DisasContext *dc)
 {
 #ifdef CONFIG_USER_ONLY
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps arm_translator_ops = {
     .init_disas_context = arm_tr_init_disas_context,
     .tb_start           = arm_tr_tb_start,
     .insn_start         = arm_tr_insn_start,
-    .breakpoint_check   = arm_tr_breakpoint_check,
     .translate_insn     = arm_tr_translate_insn,
     .tb_stop            = arm_tr_tb_stop,
     .disas_log          = arm_tr_disas_log,
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
     .init_disas_context = arm_tr_init_disas_context,
     .tb_start           = arm_tr_tb_start,
     .insn_start         = arm_tr_insn_start,
-    .breakpoint_check   = arm_tr_breakpoint_check,
     .translate_insn     = thumb_tr_translate_insn,
     .tb_stop            = arm_tr_tb_stop,
     .disas_log          = arm_tr_disas_log,
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void avr_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->npc);
 }
 
-static bool avr_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    gen_breakpoint(ctx);
-    return true;
-}
-
 static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
     .init_disas_context = avr_tr_init_disas_context,
     .tb_start           = avr_tr_tb_start,
     .insn_start         = avr_tr_insn_start,
-    .breakpoint_check   = avr_tr_breakpoint_check,
     .translate_insn     = avr_tr_translate_insn,
     .tb_stop            = avr_tr_tb_stop,
     .disas_log          = avr_tr_disas_log,
diff --git a/target/cris/translate.c b/target/cris/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/cris/translate.c
+++ b/target/cris/translate.c
@@ -XXX,XX +XXX,XX @@ static void cris_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->delayed_branch == 1 ? dc->ppc | 1 : dc->pc);
 }
 
-static bool cris_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    cris_evaluate_flags(dc);
-    tcg_gen_movi_tl(env_pc, dc->pc);
-    t_gen_raise_exception(EXCP_DEBUG);
-    dc->base.is_jmp = DISAS_NORETURN;
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->pc += 2;
-    return true;
-}
-
 static void cris_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
     .init_disas_context = cris_tr_init_disas_context,
     .tb_start           = cris_tr_tb_start,
     .insn_start         = cris_tr_insn_start,
-    .breakpoint_check   = cris_tr_breakpoint_check,
     .translate_insn     = cris_tr_translate_insn,
     .tb_stop            = cris_tr_tb_stop,
     .disas_log          = cris_tr_disas_log,
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static void hexagon_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool hexagon_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                        const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    gen_exception_end_tb(ctx, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static bool pkt_crosses_page(CPUHexagonState *env, DisasContext *ctx)
 {
     target_ulong page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
     .init_disas_context = hexagon_tr_init_disas_context,
     .tb_start           = hexagon_tr_tb_start,
     .insn_start         = hexagon_tr_insn_start,
-    .breakpoint_check   = hexagon_tr_breakpoint_check,
     .translate_insn     = hexagon_tr_translate_packet,
     .tb_stop            = hexagon_tr_tb_stop,
     .disas_log          = hexagon_tr_disas_log,
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static void hppa_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->iaoq_f, ctx->iaoq_b);
 }
 
-static bool hppa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    gen_excp(ctx, EXCP_DEBUG);
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static void hppa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
     .init_disas_context = hppa_tr_init_disas_context,
     .tb_start           = hppa_tr_tb_start,
     .insn_start         = hppa_tr_insn_start,
-    .breakpoint_check   = hppa_tr_breakpoint_check,
     .translate_insn     = hppa_tr_translate_insn,
     .tb_stop            = hppa_tr_tb_stop,
     .disas_log          = hppa_tr_disas_log,
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_interrupt(DisasContext *s, int intno,
     s->base.is_jmp = DISAS_NORETURN;
 }
 
-static void gen_debug(DisasContext *s)
-{
-    gen_update_cc_op(s);
-    gen_jmp_im(s, s->base.pc_next - s->cs_base);
-    gen_helper_debug(cpu_env);
-    s->base.is_jmp = DISAS_NORETURN;
-}
-
 static void gen_set_hflag(DisasContext *s, uint32_t mask)
 {
     if ((s->flags & mask) == 0) {
@@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
-static bool i386_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-    /* If RF is set, suppress an internally generated breakpoint.  */
-    int flags = dc->base.tb->flags & HF_RF_MASK ? BP_GDB : BP_ANY;
-    if (bp->flags & flags) {
-        gen_debug(dc);
-        /* The address covered by the breakpoint must be included in
-           [tb->pc, tb->pc + tb->size) in order to for it to be
-           properly cleared -- thus we increment the PC here so that
-           the generic logic setting tb->size later does the right thing.  */
-        dc->base.pc_next += 1;
-        return true;
-    } else {
-        return false;
-    }
-}
-
 static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
     .init_disas_context = i386_tr_init_disas_context,
     .tb_start           = i386_tr_tb_start,
     .insn_start         = i386_tr_insn_start,
-    .breakpoint_check   = i386_tr_breakpoint_check,
     .translate_insn     = i386_tr_translate_insn,
     .tb_stop            = i386_tr_tb_stop,
     .disas_log          = i386_tr_disas_log,
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static void m68k_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
-static bool m68k_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                     const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    gen_exception(dc, dc->base.pc_next, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 2;
-
-    return true;
-}
-
 static void m68k_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
     .init_disas_context = m68k_tr_init_disas_context,
     .tb_start           = m68k_tr_tb_start,
     .insn_start         = m68k_tr_insn_start,
-    .breakpoint_check   = m68k_tr_breakpoint_check,
     .translate_insn     = m68k_tr_translate_insn,
     .tb_stop            = m68k_tr_tb_stop,
     .disas_log          = m68k_tr_disas_log,
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static void mb_tr_insn_start(DisasContextBase *dcb, CPUState *cs)
     dc->insn_start = tcg_last_op();
 }
 
-static bool mb_tr_breakpoint_check(DisasContextBase *dcb, CPUState *cs,
-                                   const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcb, DisasContext, base);
-
-    gen_raise_exception_sync(dc, EXCP_DEBUG);
-
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 4;
-    return true;
-}
-
 static void mb_tr_translate_insn(DisasContextBase *dcb, CPUState *cs)
 {
     DisasContext *dc = container_of(dcb, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
     .init_disas_context = mb_tr_init_disas_context,
     .tb_start           = mb_tr_tb_start,
     .insn_start         = mb_tr_insn_start,
-    .breakpoint_check   = mb_tr_breakpoint_check,
     .translate_insn     = mb_tr_translate_insn,
     .tb_stop            = mb_tr_tb_stop,
     .disas_log          = mb_tr_disas_log,
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void mips_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                        ctx->btarget);
 }
 
-static bool mips_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                     const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    save_cpu_state(ctx, 1);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    gen_helper_raise_exception_debug(cpu_env);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static void mips_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     CPUMIPSState *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
     .init_disas_context = mips_tr_init_disas_context,
     .tb_start           = mips_tr_tb_start,
     .insn_start         = mips_tr_insn_start,
-    .breakpoint_check   = mips_tr_breakpoint_check,
     .translate_insn     = mips_tr_translate_insn,
     .tb_stop            = mips_tr_tb_stop,
     .disas_log          = mips_tr_disas_log,
diff --git a/target/nios2/translate.c b/target/nios2/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/translate.c
+++ b/target/nios2/translate.c
@@ -XXX,XX +XXX,XX @@ static const char * const regnames[] = {
 
 #include "exec/gen-icount.h"
 
-static void gen_exception(DisasContext *dc, uint32_t excp)
-{
-    TCGv_i32 tmp = tcg_const_i32(excp);
-
-    tcg_gen_movi_tl(cpu_R[R_PC], dc->pc);
-    gen_helper_raise_exception(cpu_env, tmp);
-    tcg_temp_free_i32(tmp);
-    dc->base.is_jmp = DISAS_NORETURN;
-}
-
 /* generate intermediate code for basic block 'tb'.  */
 static void nios2_tr_init_disas_context(DisasContextBase *dcbase, CPUState *cs)
 {
@@ -XXX,XX +XXX,XX @@ static void nios2_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool nios2_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    gen_exception(dc, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    dc->base.pc_next += 4;
-    return true;
-}
-
 static void nios2_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
     .init_disas_context = nios2_tr_init_disas_context,
     .tb_start           = nios2_tr_tb_start,
     .insn_start         = nios2_tr_insn_start,
-    .breakpoint_check   = nios2_tr_breakpoint_check,
     .translate_insn     = nios2_tr_translate_insn,
     .tb_stop            = nios2_tr_tb_stop,
     .disas_log          = nios2_tr_disas_log,
diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static void openrisc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
                        | (dc->base.num_insns > 1 ? 2 : 0));
 }
 
-static bool openrisc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                         const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    tcg_gen_movi_tl(cpu_pc, dc->base.pc_next);
-    gen_exception(dc, EXCP_DEBUG);
-    dc->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    dc->base.pc_next += 4;
-    return true;
-}
-
 static void openrisc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
     .init_disas_context = openrisc_tr_init_disas_context,
     .tb_start           = openrisc_tr_tb_start,
     .insn_start         = openrisc_tr_insn_start,
-    .breakpoint_check   = openrisc_tr_breakpoint_check,
     .translate_insn     = openrisc_tr_translate_insn,
     .tb_stop            = openrisc_tr_tb_stop,
     .disas_log          = openrisc_tr_disas_log,
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@ static void ppc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool ppc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    gen_update_nip(ctx, ctx->base.pc_next);
-    gen_debug_exception(ctx);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be properly
-     * cleared -- thus we increment the PC here so that the logic
-     * setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static bool is_prefix_insn(DisasContext *ctx, uint32_t insn)
 {
     REQUIRE_INSNS_FLAGS2(ctx, ISA310);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
     .init_disas_context = ppc_tr_init_disas_context,
     .tb_start           = ppc_tr_tb_start,
     .insn_start         = ppc_tr_insn_start,
-    .breakpoint_check   = ppc_tr_breakpoint_check,
     .translate_insn     = ppc_tr_translate_insn,
     .tb_stop            = ppc_tr_tb_stop,
     .disas_log          = ppc_tr_disas_log,
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool riscv_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    tcg_gen_movi_tl(cpu_pc, ctx->base.pc_next);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    gen_exception_debug();
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
     .init_disas_context = riscv_tr_init_disas_context,
     .tb_start           = riscv_tr_tb_start,
     .insn_start         = riscv_tr_insn_start,
-    .breakpoint_check   = riscv_tr_breakpoint_check,
     .translate_insn     = riscv_tr_translate_insn,
     .tb_stop            = riscv_tr_tb_stop,
     .disas_log          = riscv_tr_disas_log,
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static void rx_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool rx_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    /* We have hit a breakpoint - make sure PC is up-to-date */
-    tcg_gen_movi_i32(cpu_pc, ctx->base.pc_next);
-    gen_helper_debug(cpu_env);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    ctx->base.pc_next += 1;
-    return true;
-}
-
 static void rx_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
     .init_disas_context = rx_tr_init_disas_context,
     .tb_start           = rx_tr_tb_start,
     .insn_start         = rx_tr_insn_start,
-    .breakpoint_check   = rx_tr_breakpoint_check,
     .translate_insn     = rx_tr_translate_insn,
     .tb_stop            = rx_tr_tb_stop,
     .disas_log          = rx_tr_disas_log,
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
 {
 }
 
-static bool s390x_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    /*
-     * Emit an insn_start to accompany the breakpoint exception.
-     * The ILEN value is a dummy, since this does not result in
-     * an s390x exception, but an internal qemu exception which
-     * brings us back to interact with the gdbstub.
-     */
-    tcg_gen_insn_start(dc->base.pc_next, dc->cc_op, 2);
-
-    dc->base.is_jmp = DISAS_PC_STALE;
-    dc->do_debug = true;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size does the right thing.  */
-    dc->base.pc_next += 2;
-    return true;
-}
-
 static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     CPUS390XState *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
     .init_disas_context = s390x_tr_init_disas_context,
     .tb_start           = s390x_tr_tb_start,
     .insn_start         = s390x_tr_insn_start,
-    .breakpoint_check   = s390x_tr_breakpoint_check,
     .translate_insn     = s390x_tr_translate_insn,
     .tb_stop            = s390x_tr_tb_stop,
     .disas_log          = s390x_tr_disas_log,
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static void sh4_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     tcg_gen_insn_start(ctx->base.pc_next, ctx->envflags);
 }
 
-static bool sh4_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                    const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-
-    /* We have hit a breakpoint - make sure PC is up-to-date */
-    gen_save_cpu_state(ctx, true);
-    gen_helper_debug(cpu_env);
-    ctx->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    ctx->base.pc_next += 2;
-    return true;
-}
-
 static void sh4_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     CPUSH4State *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
     .init_disas_context = sh4_tr_init_disas_context,
     .tb_start           = sh4_tr_tb_start,
     .insn_start         = sh4_tr_insn_start,
-    .breakpoint_check   = sh4_tr_breakpoint_check,
     .translate_insn     = sh4_tr_translate_insn,
     .tb_stop            = sh4_tr_tb_stop,
     .disas_log          = sh4_tr_disas_log,
diff --git a/target/sparc/translate.c b/target/sparc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sparc/translate.c
+++ b/target/sparc/translate.c
@@ -XXX,XX +XXX,XX @@ static void sparc_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     }
 }
 
-static bool sparc_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cs,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    if (dc->pc != dc->base.pc_first) {
-        save_state(dc);
-    }
-    gen_helper_debug(cpu_env);
-    tcg_gen_exit_tb(NULL, 0);
-    dc->base.is_jmp = DISAS_NORETURN;
-    /* update pc_next so that the current instruction is included in tb->size */
-    dc->base.pc_next += 4;
-    return true;
-}
-
 static void sparc_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
     .init_disas_context = sparc_tr_init_disas_context,
     .tb_start           = sparc_tr_tb_start,
     .insn_start         = sparc_tr_insn_start,
-    .breakpoint_check   = sparc_tr_breakpoint_check,
     .translate_insn     = sparc_tr_translate_insn,
     .tb_stop            = sparc_tr_tb_stop,
     .disas_log          = sparc_tr_disas_log,
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static void tricore_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(ctx->base.pc_next);
 }
 
-static bool tricore_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                      const CPUBreakpoint *bp)
-{
-    DisasContext *ctx = container_of(dcbase, DisasContext, base);
-    generate_qemu_excp(ctx, EXCP_DEBUG);
-    /*
-     * The address covered by the breakpoint must be included in
-     * [tb->pc, tb->pc + tb->size) in order to for it to be
-     * properly cleared -- thus we increment the PC here so that
-     * the logic setting tb->size below does the right thing.
-     */
-    ctx->base.pc_next += 4;
-    return true;
-}
-
 static bool insn_crosses_page(CPUTriCoreState *env, DisasContext *ctx)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
     .init_disas_context = tricore_tr_init_disas_context,
     .tb_start           = tricore_tr_tb_start,
     .insn_start         = tricore_tr_insn_start,
-    .breakpoint_check   = tricore_tr_breakpoint_check,
     .translate_insn     = tricore_tr_translate_insn,
     .tb_stop            = tricore_tr_tb_stop,
     .disas_log          = tricore_tr_disas_log,
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static void xtensa_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
     tcg_gen_insn_start(dcbase->pc_next);
 }
 
-static bool xtensa_tr_breakpoint_check(DisasContextBase *dcbase, CPUState *cpu,
-                                       const CPUBreakpoint *bp)
-{
-    DisasContext *dc = container_of(dcbase, DisasContext, base);
-
-    tcg_gen_movi_i32(cpu_pc, dc->base.pc_next);
-    gen_exception(dc, EXCP_DEBUG);
-    dc->base.is_jmp = DISAS_NORETURN;
-    /* The address covered by the breakpoint must be included in
-       [tb->pc, tb->pc + tb->size) in order to for it to be
-       properly cleared -- thus we increment the PC here so that
-       the logic setting tb->size below does the right thing.  */
-    dc->base.pc_next += 2;
-    return true;
-}
-
 static void xtensa_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
     .init_disas_context = xtensa_tr_init_disas_context,
     .tb_start           = xtensa_tr_tb_start,
     .insn_start         = xtensa_tr_insn_start,
-    .breakpoint_check   = xtensa_tr_breakpoint_check,
     .translate_insn     = xtensa_tr_translate_insn,
     .tb_stop            = xtensa_tr_tb_stop,
     .disas_log          = xtensa_tr_disas_log,
-- 
2.25.1

The access internal to tb_cflags() is atomic.
Avoid re-reading it as such for the multiple uses.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/translator.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

Set CF_SINGLE_STEP when single-stepping is enabled.
This avoids the need to flush all tb's when turning
single-stepping on or off.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h   | 1 +
 accel/tcg/cpu-exec.c      | 7 ++++++-
 accel/tcg/translate-all.c | 4 ----
 accel/tcg/translator.c    | 7 +------
 cpu.c                     | 4 ----
 5 files changed, 8 insertions(+), 15 deletions(-)