Series comparison

-[PULL 00/20] tcg patch queue
+[PULL v3 00/20] tcg patch queue
-The following changes since commit e93ded1bf6c94ab95015b33e188bc8b0b0c32670:
+v2: Fix incorretly resolved rebase conflict in patch 16.
 v3: Work around clang preprocessor bug in patch 3.
-  Merge tag 'testing-pull-request-2022-08-30' of https://gitlab.com/thuth/qemu into staging (2022-08-31 18:19:03 -0400)
 r~
 The following changes since commit fd28528ece590dc709d1a893fce2ff2f68ddca70:
   Merge tag 'pull-or1k-20220904' of https://github.com/stffrdhrn/qemu into staging (2022-09-05 18:01:02 -0400)
 are available in the Git repository at:
-  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220901
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220906
-for you to fetch changes up to 20011be2e30b8aa8ef1fc258485f00c688703deb:
+for you to fetch changes up to 00c07344fa245b22e895b363320ba4cd0ec1088a:
-  target/riscv: Make translator stop before the end of a page (2022-09-01 07:43:08 +0100)
+  target/riscv: Make translator stop before the end of a page (2022-09-06 08:04:26 +0100)
 ----------------------------------------------------------------
 Respect PROT_EXEC in user-only mode.
 Fix s390x, i386 and riscv for translations crossing a page.
 ...

-[PULL 01/20] linux-user/arm: Mark the commpage executable
+[PULL v3 01/20] linux-user/arm: Mark the commpage executable
 We're about to start validating PAGE_EXEC, which means
 that we've got to mark the commpage executable.  We had
 been placing the commpage outside of reserved_va, which
 was incorrect and lead to an abort.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  linux-user/arm/target_cpu.h | 4 ++--
  linux-user/elfload.c        | 6 +++++-
 files changed, 7 insertions(+), 3 deletions(-)
 diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/arm/target_cpu.h
 +++ b/linux-user/arm/target_cpu.h
 @@ -XXX,XX +XXX,XX @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
      } else {
          /*
           * We need to be able to map the commpage.
 -         * See validate_guest_space in linux-user/elfload.c.
 +         * See init_guest_commpage in linux-user/elfload.c.
           */
 -        return 0xffff0000ul;
 +        return 0xfffffffful;
      }
  }
  #define MAX_RESERVED_VA  arm_max_reserved_va
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
 @@ -XXX,XX +XXX,XX @@ enum {
  static bool init_guest_commpage(void)
  {
 -    void *want = g2h_untagged(HI_COMMPAGE & -qemu_host_page_size);
 +    abi_ptr commpage = HI_COMMPAGE & -qemu_host_page_size;
 +    void *want = g2h_untagged(commpage);
      void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
                        MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
 @@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
          perror("Protecting guest commpage");
          exit(EXIT_FAILURE);
      }
 +
 +    page_set_flags(commpage, commpage + qemu_host_page_size,
 +                   PAGE_READ | PAGE_EXEC | PAGE_VALID);
      return true;
  }
 --
 .34.1

-[PULL 1/4] target/avr: Support probe argument to tlb_fill
+Deleted patch
-While there are no target-specific nonfaulting probes,
-generic code may grow some uses at some point.
-Note that the attrs argument was incorrect -- it should have
-been MEMTXATTRS_UNSPECIFIED. Just use the simpler interface.
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- target/avr/helper.c | 46 ++++++++++++++++++++++++++++-----------------
-file changed, 29 insertions(+), 17 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
-+++ b/target/avr/helper.c
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
-                       MMUAccessType access_type, int mmu_idx,
-                       bool probe, uintptr_t retaddr)
- {
--    int prot = 0;
--    MemTxAttrs attrs = {};
-+    int prot, page_size = TARGET_PAGE_SIZE;
-     uint32_t paddr;
-     address &= TARGET_PAGE_MASK;
-     if (mmu_idx == MMU_CODE_IDX) {
--        /* access to code in flash */
-+        /* Access to code in flash. */
-         paddr = OFFSET_CODE + address;
-         prot = PAGE_READ | PAGE_EXEC;
--        if (paddr + TARGET_PAGE_SIZE > OFFSET_DATA) {
-+        if (paddr >= OFFSET_DATA) {
-+            /*
-+             * This should not be possible via any architectural operations.
-+             * There is certainly not an exception that we can deliver.
-+             * Accept probing that might come from generic code.
-+             */
-+            if (probe) {
-+                return false;
-+            }
-             error_report("execution left flash memory");
-             abort();
-         }
--    } else if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
--        /*
--         * access to CPU registers, exit and rebuilt this TB to use full access
--         * incase it touches specially handled registers like SREG or SP
--         */
--        AVRCPU *cpu = AVR_CPU(cs);
--        CPUAVRState *env = &cpu->env;
--        env->fullacc = 1;
--        cpu_loop_exit_restore(cs, retaddr);
-     } else {
--        /* access to memory. nothing special */
-+        /* Access to memory. */
-         paddr = OFFSET_DATA + address;
-         prot = PAGE_READ | PAGE_WRITE;
-+        if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
-+            /*
-+             * Access to CPU registers, exit and rebuilt this TB to use
-+             * full access in case it touches specially handled registers
-+             * like SREG or SP.  For probing, set page_size = 1, in order
-+             * to force tlb_fill to be called for the next access.
-+             */
-+            if (probe) {
-+                page_size = 1;
-+            } else {
-+                AVRCPU *cpu = AVR_CPU(cs);
-+                CPUAVRState *env = &cpu->env;
-+                env->fullacc = 1;
-+                cpu_loop_exit_restore(cs, retaddr);
-+            }
-+        }
-     }
--    tlb_set_page_with_attrs(cs, address, paddr, attrs, prot,
--                            mmu_idx, TARGET_PAGE_SIZE);
--
-+    tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size);
-     return true;
- }
---
-.34.1

-[PULL 2/4] target/avr: Call avr_cpu_do_interrupt directly
+Deleted patch
-There is no need to go through cc->tcg_ops when
-we know what value that must have.
-Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- target/avr/helper.c | 5 ++---
-file changed, 2 insertions(+), 3 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
-+++ b/target/avr/helper.c
-@@ -XXX,XX +XXX,XX @@
- bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
- {
-     bool ret = false;
--    CPUClass *cc = CPU_GET_CLASS(cs);
-     AVRCPU *cpu = AVR_CPU(cs);
-     CPUAVRState *env = &cpu->env;
-     if (interrupt_request & CPU_INTERRUPT_RESET) {
-         if (cpu_interrupts_enabled(env)) {
-             cs->exception_index = EXCP_RESET;
--            cc->tcg_ops->do_interrupt(cs);
-+            avr_cpu_do_interrupt(cs);
-             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-         if (cpu_interrupts_enabled(env) && env->intsrc != 0) {
-             int index = ctz32(env->intsrc);
-             cs->exception_index = EXCP_INT(index);
--            cc->tcg_ops->do_interrupt(cs);
-+            avr_cpu_do_interrupt(cs);
-             env->intsrc &= env->intsrc - 1; /* clear the interrupt */
-             if (!env->intsrc) {
---
-.34.1

-[PULL 02/20] linux-user/hppa: Allocate page zero as a commpage
+[PULL v3 02/20] linux-user/hppa: Allocate page zero as a commpage
 We're about to start validating PAGE_EXEC, which means that we've
 got to mark page zero executable.  We had been special casing this
 entirely within translate.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  linux-user/elfload.c | 34 +++++++++++++++++++++++++++++++---
 file changed, 31 insertions(+), 3 deletions(-)
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
 @@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
      regs->gr[31] = infop->entry;
  }
 +#define LO_COMMPAGE  0
 +
 +static bool init_guest_commpage(void)
 +{
 +    void *want = g2h_untagged(LO_COMMPAGE);
 +    void *addr = mmap(want, qemu_host_page_size, PROT_NONE,
 +                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
 +
 +    if (addr == MAP_FAILED) {
 +        perror("Allocating guest commpage");
 +        exit(EXIT_FAILURE);
 +    }
 +    if (addr != want) {
 +        return false;
 +    }
 +
 +    /*
 +     * On Linux, page zero is normally marked execute only + gateway.
 +     * Normal read or write is supposed to fail (thus PROT_NONE above),
 +     * but specific offsets have kernel code mapped to raise permissions
 +     * and implement syscalls.  Here, simply mark the page executable.
 +     * Special case the entry points during translation (see do_page_zero).
 +     */
 +    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
 +                   PAGE_EXEC | PAGE_VALID);
 +    return true;
 +}
 +
  #endif /* TARGET_HPPA */
  #ifdef TARGET_XTENSA
 @@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
  }
  #if defined(HI_COMMPAGE)
 -#define LO_COMMPAGE 0
 +#define LO_COMMPAGE -1
  #elif defined(LO_COMMPAGE)
  #define HI_COMMPAGE 0
  #else
  #define HI_COMMPAGE 0
 -#define LO_COMMPAGE 0
 +#define LO_COMMPAGE -1
  #define init_guest_commpage() true
  #endif
 @@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
          } else {
              offset = -(HI_COMMPAGE & -align);
          }
 -    } else if (LO_COMMPAGE != 0) {
 +    } else if (LO_COMMPAGE != -1) {
          loaddr = MIN(loaddr, LO_COMMPAGE & -align);
      }
 --
 .34.1

-[PULL 03/20] linux-user/x86_64: Allocate vsyscall page as a commpage
+[PULL v3 03/20] linux-user/x86_64: Allocate vsyscall page as a commpage
 ...
 +++ b/linux-user/elfload.c
 @@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
      (*regs)[26] = tswapreg(env->segs[R_GS].selector & 0xffff);
  }
-+#if ULONG_MAX >= TARGET_VSYSCALL_PAGE
++#if ULONG_MAX > UINT32_MAX
 +#define INIT_GUEST_COMMPAGE
 +static bool init_guest_commpage(void)
 +{
 +    /*
 +     * The vsyscall page is at a high negative address aka kernel space,
 ...

-[PULL 3/4] target/avr: Only execute one interrupt at a time
+Deleted patch
-We cannot deliver two interrupts simultaneously;
-the first interrupt handler must execute first.
-Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- target/avr/helper.c | 9 +++------
-file changed, 3 insertions(+), 6 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
-+++ b/target/avr/helper.c
-@@ -XXX,XX +XXX,XX @@
- bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
- {
--    bool ret = false;
-     AVRCPU *cpu = AVR_CPU(cs);
-     CPUAVRState *env = &cpu->env;
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-             avr_cpu_do_interrupt(cs);
-             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
--
--            ret = true;
-+            return true;
-         }
-     }
-     if (interrupt_request & CPU_INTERRUPT_HARD) {
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-             if (!env->intsrc) {
-                 cs->interrupt_request &= ~CPU_INTERRUPT_HARD;
-             }
--
--            ret = true;
-+            return true;
-         }
-     }
--    return ret;
-+    return false;
- }
- void avr_cpu_do_interrupt(CPUState *cs)
---
-.34.1

-[PULL 4/4] target/avr: Disable interrupts when env->skip set
+Deleted patch
-This bit is not saved across interrupts, so we must
-delay delivering the interrupt until the skip has
-been processed.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1118
-Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- target/avr/helper.c    |  9 +++++++++
- target/avr/translate.c | 26 ++++++++++++++++++++++----
-files changed, 31 insertions(+), 4 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
-+++ b/target/avr/helper.c
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
-     AVRCPU *cpu = AVR_CPU(cs);
-     CPUAVRState *env = &cpu->env;
-+    /*
-+     * We cannot separate a skip from the next instruction,
-+     * as the skip would not be preserved across the interrupt.
-+     * Separating the two insn normally only happens at page boundaries.
-+     */
-+    if (env->skip) {
-+        return false;
-+    }
-+
-     if (interrupt_request & CPU_INTERRUPT_RESET) {
-         if (cpu_interrupts_enabled(env)) {
-             cs->exception_index = EXCP_RESET;
-diff --git a/target/avr/translate.c b/target/avr/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/avr/translate.c
-+++ b/target/avr/translate.c
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
-     if (skip_label) {
-         canonicalize_skip(ctx);
-         gen_set_label(skip_label);
--        if (ctx->base.is_jmp == DISAS_NORETURN) {
-+
-+        switch (ctx->base.is_jmp) {
-+        case DISAS_NORETURN:
-             ctx->base.is_jmp = DISAS_CHAIN;
-+            break;
-+        case DISAS_NEXT:
-+            if (ctx->base.tb->flags & TB_FLAGS_SKIP) {
-+                ctx->base.is_jmp = DISAS_TOO_MANY;
-+            }
-+            break;
-+        default:
-+            break;
-         }
-     }
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
- {
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
-     bool nonconst_skip = canonicalize_skip(ctx);
-+    /*
-+     * Because we disable interrupts while env->skip is set,
-+     * we must return to the main loop to re-evaluate afterward.
-+     */
-+    bool force_exit = ctx->base.tb->flags & TB_FLAGS_SKIP;
-     switch (ctx->base.is_jmp) {
-     case DISAS_NORETURN:
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
-     case DISAS_NEXT:
-     case DISAS_TOO_MANY:
-     case DISAS_CHAIN:
--        if (!nonconst_skip) {
-+        if (!nonconst_skip && !force_exit) {
-             /* Note gen_goto_tb checks singlestep.  */
-             gen_goto_tb(ctx, 1, ctx->npc);
-             break;
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
-         tcg_gen_movi_tl(cpu_pc, ctx->npc);
-         /* fall through */
-     case DISAS_LOOKUP:
--        tcg_gen_lookup_and_goto_ptr();
--        break;
-+        if (!force_exit) {
-+            tcg_gen_lookup_and_goto_ptr();
-+            break;
-+        }
-+        /* fall through */
-     case DISAS_EXIT:
-         tcg_gen_exit_tb(NULL, 0);
-         break;
---
-.34.1

-[PULL 04/20] linux-user: Honor PT_GNU_STACK
+[PULL v3 04/20] linux-user: Honor PT_GNU_STACK
 Map the stack executable if required by default or on demand.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/elf.h        |  1 +
  linux-user/qemu.h    |  1 +
  linux-user/elfload.c | 19 ++++++++++++++++++-
 files changed, 20 insertions(+), 1 deletion(-)
 diff --git a/include/elf.h b/include/elf.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/elf.h
 +++ b/include/elf.h
 @@ -XXX,XX +XXX,XX @@ typedef int64_t  Elf64_Sxword;
  #define PT_LOPROC  0x70000000
  #define PT_HIPROC  0x7fffffff
 +#define PT_GNU_STACK      (PT_LOOS + 0x474e551)
  #define PT_GNU_PROPERTY   (PT_LOOS + 0x474e553)
  #define PT_MIPS_REGINFO   0x70000000
 diff --git a/linux-user/qemu.h b/linux-user/qemu.h
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/qemu.h
 +++ b/linux-user/qemu.h
 @@ -XXX,XX +XXX,XX @@ struct image_info {
          uint32_t        elf_flags;
          int             personality;
          abi_ulong       alignment;
 +        bool            exec_stack;
          /* Generic semihosting knows about these pointers. */
          abi_ulong       arg_strings;   /* strings for argv */
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
 @@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
  #define ELF_ARCH        EM_386
  #define ELF_PLATFORM get_elf_platform()
 +#define EXSTACK_DEFAULT true
  static const char *get_elf_platform(void)
  {
 @@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
  #define ELF_ARCH        EM_ARM
  #define ELF_CLASS       ELFCLASS32
 +#define EXSTACK_DEFAULT true
  static inline void init_thread(struct target_pt_regs *regs,
                                 struct image_info *infop)
 @@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
  #else
  #define ELF_CLASS       ELFCLASS32
 +#define EXSTACK_DEFAULT true
  #endif
 @@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUPPCState *en
  #define ELF_CLASS   ELFCLASS64
  #define ELF_ARCH    EM_LOONGARCH
 +#define EXSTACK_DEFAULT true
  #define elf_check_arch(x) ((x) == EM_LOONGARCH)
 @@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
  #define ELF_CLASS   ELFCLASS32
  #endif
  #define ELF_ARCH    EM_MIPS
 +#define EXSTACK_DEFAULT true
  #ifdef TARGET_ABI_MIPSN32
  #define elf_check_abi(x) ((x) & EF_MIPS_ABI2)
 @@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
  #define bswaptls(ptr) bswap32s(ptr)
  #endif
 +#ifndef EXSTACK_DEFAULT
 +#define EXSTACK_DEFAULT false
 +#endif
 +
  #include "elf.h"
  /* We must delay the following stanzas until after "elf.h". */
 @@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
                                   struct image_info *info)
  {
      abi_ulong size, error, guard;
 +    int prot;
      size = guest_stack_size;
      if (size < STACK_LOWER_LIMIT) {
 @@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
          guard = qemu_real_host_page_size();
      }
 -    error = target_mmap(0, size + guard, PROT_READ | PROT_WRITE,
 +    prot = PROT_READ | PROT_WRITE;
 +    if (info->exec_stack) {
 +        prot |= PROT_EXEC;
 +    }
 +    error = target_mmap(0, size + guard, prot,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
      if (error == -1) {
          perror("mmap stack");
 @@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
       */
      loaddr = -1, hiaddr = 0;
      info->alignment = 0;
 +    info->exec_stack = EXSTACK_DEFAULT;
      for (i = 0; i < ehdr->e_phnum; ++i) {
          struct elf_phdr *eppnt = phdr + i;
          if (eppnt->p_type == PT_LOAD) {
 @@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
              if (!parse_elf_properties(image_fd, info, eppnt, bprm_buf, &err)) {
                  goto exit_errmsg;
              }
 +        } else if (eppnt->p_type == PT_GNU_STACK) {
 +            info->exec_stack = eppnt->p_flags & PF_X;
          }
      }
 --
 .34.1

-[PULL 05/20] linux-user: Clear translations on mprotect()
+[PULL v3 05/20] linux-user: Clear translations on mprotect()
 From: Ilya Leoshkevich <iii@linux.ibm.com>
 Currently it's possible to execute pages that do not have PAGE_EXEC
 if there is an existing translation block. Fix by invalidating TBs
 that touch the affected pages.
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Message-Id: <20220817150506.592862-2-iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  linux-user/mmap.c | 6 ++++--
 file changed, 4 insertions(+), 2 deletions(-)
 diff --git a/linux-user/mmap.c b/linux-user/mmap.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/mmap.c
 +++ b/linux-user/mmap.c
 @@ -XXX,XX +XXX,XX @@ int target_mprotect(abi_ulong start, abi_ulong len, int target_prot)
              goto error;
          }
      }
 +
      page_set_flags(start, start + len, page_flags);
 -    mmap_unlock();
 -    return 0;
 +    tb_invalidate_phys_range(start, start + len);
 +    ret = 0;
 +
  error:
      mmap_unlock();
      return ret;
 --
 .34.1

-[PULL 06/20] tests/tcg/i386: Move smc_code2 to an executable section
+[PULL v3 06/20] tests/tcg/i386: Move smc_code2 to an executable section
 We're about to start validating PAGE_EXEC, which means
 that we've got to put this code into a section that is
 both writable and executable.
 Note that this test did not run on hardware beforehand either.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  tests/tcg/i386/test-i386.c | 2 +-
 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tests/tcg/i386/test-i386.c b/tests/tcg/i386/test-i386.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/i386/test-i386.c
 +++ b/tests/tcg/i386/test-i386.c
 @@ -XXX,XX +XXX,XX @@ uint8_t code[] = {
 xc3, /* ret */
  };
 -asm(".section \".data\"\n"
 +asm(".section \".data_x\",\"awx\"\n"
      "smc_code2:\n"
      "movl 4(%esp), %eax\n"
      "movl %eax, smc_patch_addr2 + 1\n"
 --
 .34.1

-[PULL 07/20] accel/tcg: Introduce is_same_page()
+[PULL v3 07/20] accel/tcg: Introduce is_same_page()
 From: Ilya Leoshkevich <iii@linux.ibm.com>
 Introduce a function that checks whether a given address is on the same
 page as where disassembly started. Having it improves readability of
 the following patches.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Message-Id: <20220811095534.241224-3-iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 [rth: Make the DisasContextBase parameter const.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/translator.h | 10 ++++++++++
 file changed, 10 insertions(+)
 diff --git a/include/exec/translator.h b/include/exec/translator.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/translator.h
 +++ b/include/exec/translator.h
 @@ -XXX,XX +XXX,XX @@ FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
  #undef GEN_TRANSLATOR_LD
 +/*
 + * Return whether addr is on the same page as where disassembly started.
 + * Translators can use this to enforce the rule that only single-insn
 + * translation blocks are allowed to cross page boundaries.
 + */
 +static inline bool is_same_page(const DisasContextBase *db, target_ulong addr)
 +{
 +    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
 +}
 +
  #endif /* EXEC__TRANSLATOR_H */
 --
 .34.1

-[PULL 08/20] accel/tcg: Properly implement get_page_addr_code for user-only
+[PULL v3 08/20] accel/tcg: Properly implement get_page_addr_code for user-only
 The current implementation is a no-op, simply returning addr.
 This is incorrect, because we ought to be checking the page
 permissions for execution.
 Make get_page_addr_code inline for both implementations.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Acked-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h | 85 ++++++++++++++---------------------------
  accel/tcg/cputlb.c      |  5 ---
  accel/tcg/user-exec.c   | 14 +++++++
 files changed, 42 insertions(+), 62 deletions(-)
 diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/exec-all.h
 +++ b/include/exec/exec-all.h
 @@ -XXX,XX +XXX,XX @@ struct MemoryRegionSection *iotlb_to_section(CPUState *cpu,
                                               hwaddr index, MemTxAttrs attrs);
  #endif
 -#if defined(CONFIG_USER_ONLY)
 -void mmap_lock(void);
 -void mmap_unlock(void);
 -bool have_mmap_lock(void);
 -
  /**
 - * get_page_addr_code() - user-mode version
 + * get_page_addr_code_hostp()
   * @env: CPUArchState
   * @addr: guest virtual address of guest code
   *
 - * Returns @addr.
 + * See get_page_addr_code() (full-system version) for documentation on the
 + * return value.
 + *
 + * Sets *@hostp (when @hostp is non-NULL) as follows.
 + * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
 + * to the host address where @addr's content is kept.
 + *
 + * Note: this function can trigger an exception.
 + */
 +tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 +                                        void **hostp);
 +
 +/**
 + * get_page_addr_code()
 + * @env: CPUArchState
 + * @addr: guest virtual address of guest code
 + *
 + * If we cannot translate and execute from the entire RAM page, or if
 + * the region is not backed by RAM, returns -1. Otherwise, returns the
 + * ram_addr_t corresponding to the guest code at @addr.
 + *
 + * Note: this function can trigger an exception.
   */
  static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
                                                  target_ulong addr)
  {
 -    return addr;
 +    return get_page_addr_code_hostp(env, addr, NULL);
  }
 -/**
 - * get_page_addr_code_hostp() - user-mode version
 - * @env: CPUArchState
 - * @addr: guest virtual address of guest code
 - *
 - * Returns @addr.
 - *
 - * If @hostp is non-NULL, sets *@hostp to the host address where @addr's content
 - * is kept.
 - */
 -static inline tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env,
 -                                                      target_ulong addr,
 -                                                      void **hostp)
 -{
 -    if (hostp) {
 -        *hostp = g2h_untagged(addr);
 -    }
 -    return addr;
 -}
 +#if defined(CONFIG_USER_ONLY)
 +void mmap_lock(void);
 +void mmap_unlock(void);
 +bool have_mmap_lock(void);
  /**
   * adjust_signal_pc:
 @@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
  static inline void mmap_lock(void) {}
  static inline void mmap_unlock(void) {}
 -/**
 - * get_page_addr_code() - full-system version
 - * @env: CPUArchState
 - * @addr: guest virtual address of guest code
 - *
 - * If we cannot translate and execute from the entire RAM page, or if
 - * the region is not backed by RAM, returns -1. Otherwise, returns the
 - * ram_addr_t corresponding to the guest code at @addr.
 - *
 - * Note: this function can trigger an exception.
 - */
 -tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr);
 -
 -/**
 - * get_page_addr_code_hostp() - full-system version
 - * @env: CPUArchState
 - * @addr: guest virtual address of guest code
 - *
 - * See get_page_addr_code() (full-system version) for documentation on the
 - * return value.
 - *
 - * Sets *@hostp (when @hostp is non-NULL) as follows.
 - * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
 - * to the host address where @addr's content is kept.
 - *
 - * Note: this function can trigger an exception.
 - */
 -tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 -                                        void **hostp);
 -
  void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
  void tlb_set_dirty(CPUState *cpu, target_ulong vaddr);
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
 @@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
      return qemu_ram_addr_from_host_nofail(p);
  }
 -tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
 -{
 -    return get_page_addr_code_hostp(env, addr, NULL);
 -}
 -
  static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                             CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
  {
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
 @@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
      return size ? g2h(env_cpu(env), addr) : NULL;
  }
 +tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 +                                        void **hostp)
 +{
 +    int flags;
 +
 +    flags = probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0);
 +    g_assert(flags == 0);
 +
 +    if (hostp) {
 +        *hostp = g2h_untagged(addr);
 +    }
 +    return addr;
 +}
 +
  /* The softmmu versions of these helpers are in cputlb.c.  */
  /*
 --
 .34.1

-[PULL 09/20] accel/tcg: Unlock mmap_lock after longjmp
+[PULL v3 09/20] accel/tcg: Unlock mmap_lock after longjmp
 The mmap_lock is held around tb_gen_code.  While the comment
 is correct that the lock is dropped when tb_gen_code runs out
 of memory, the lock is *not* dropped when an exception is
 raised reading code for translation.
 Acked-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  accel/tcg/cpu-exec.c  | 12 ++++++------
  accel/tcg/user-exec.c |  3 ---
 files changed, 6 insertions(+), 9 deletions(-)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
 @@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
          cpu_tb_exec(cpu, tb, &tb_exit);
          cpu_exec_exit(cpu);
      } else {
 -        /*
 -         * The mmap_lock is dropped by tb_gen_code if it runs out of
 -         * memory.
 -         */
  #ifndef CONFIG_SOFTMMU
          clear_helper_retaddr();
 -        tcg_debug_assert(!have_mmap_lock());
 +        if (have_mmap_lock()) {
 +            mmap_unlock();
 +        }
  #endif
          if (qemu_mutex_iothread_locked()) {
              qemu_mutex_unlock_iothread();
 @@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
  #ifndef CONFIG_SOFTMMU
          clear_helper_retaddr();
 -        tcg_debug_assert(!have_mmap_lock());
 +        if (have_mmap_lock()) {
 +            mmap_unlock();
 +        }
  #endif
          if (qemu_mutex_iothread_locked()) {
              qemu_mutex_unlock_iothread();
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
 @@ -XXX,XX +XXX,XX @@ MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write)
           * (and if the translator doesn't handle page boundaries correctly
           * there's little we can do about that here).  Therefore, do not
           * trigger the unwinder.
 -         *
 -         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
           */
 -        mmap_unlock();
          *pc = 0;
          return MMU_INST_FETCH;
      }
 --
 .34.1

-[PULL 10/20] accel/tcg: Make tb_htable_lookup static
+[PULL v3 10/20] accel/tcg: Make tb_htable_lookup static
 The function is not used outside of cpu-exec.c.  Move it and
 its subroutines up in the file, before the first use.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h |   3 -
  accel/tcg/cpu-exec.c    | 122 ++++++++++++++++++++--------------------
 files changed, 61 insertions(+), 64 deletions(-)
 diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/exec-all.h
 +++ b/include/exec/exec-all.h
 @@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
  #endif
  void tb_flush(CPUState *cpu);
  void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
 -TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
 -                                   target_ulong cs_base, uint32_t flags,
 -                                   uint32_t cflags);
  void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
  /* GETPC is the true target of the return instruction that we'll execute.  */
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
 @@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
      return cflags;
  }
 +struct tb_desc {
 +    target_ulong pc;
 +    target_ulong cs_base;
 +    CPUArchState *env;
 +    tb_page_addr_t phys_page1;
 +    uint32_t flags;
 +    uint32_t cflags;
 +    uint32_t trace_vcpu_dstate;
 +};
 +
 +static bool tb_lookup_cmp(const void *p, const void *d)
 +{
 +    const TranslationBlock *tb = p;
 +    const struct tb_desc *desc = d;
 +
 +    if (tb->pc == desc->pc &&
 +        tb->page_addr[0] == desc->phys_page1 &&
 +        tb->cs_base == desc->cs_base &&
 +        tb->flags == desc->flags &&
 +        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
 +        tb_cflags(tb) == desc->cflags) {
 +        /* check next page if needed */
 +        if (tb->page_addr[1] == -1) {
 +            return true;
 +        } else {
 +            tb_page_addr_t phys_page2;
 +            target_ulong virt_page2;
 +
 +            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
 +            phys_page2 = get_page_addr_code(desc->env, virt_page2);
 +            if (tb->page_addr[1] == phys_page2) {
 +                return true;
 +            }
 +        }
 +    }
 +    return false;
 +}
 +
 +static TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
 +                                          target_ulong cs_base, uint32_t flags,
 +                                          uint32_t cflags)
 +{
 +    tb_page_addr_t phys_pc;
 +    struct tb_desc desc;
 +    uint32_t h;
 +
 +    desc.env = cpu->env_ptr;
 +    desc.cs_base = cs_base;
 +    desc.flags = flags;
 +    desc.cflags = cflags;
 +    desc.trace_vcpu_dstate = *cpu->trace_dstate;
 +    desc.pc = pc;
 +    phys_pc = get_page_addr_code(desc.env, pc);
 +    if (phys_pc == -1) {
 +        return NULL;
 +    }
 +    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
 +    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
 +    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
 +}
 +
  /* Might cause an exception, so have a longjmp destination ready */
  static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                            target_ulong cs_base,
 @@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
      end_exclusive();
  }
 -struct tb_desc {
 -    target_ulong pc;
 -    target_ulong cs_base;
 -    CPUArchState *env;
 -    tb_page_addr_t phys_page1;
 -    uint32_t flags;
 -    uint32_t cflags;
 -    uint32_t trace_vcpu_dstate;
 -};
 -
 -static bool tb_lookup_cmp(const void *p, const void *d)
 -{
 -    const TranslationBlock *tb = p;
 -    const struct tb_desc *desc = d;
 -
 -    if (tb->pc == desc->pc &&
 -        tb->page_addr[0] == desc->phys_page1 &&
 -        tb->cs_base == desc->cs_base &&
 -        tb->flags == desc->flags &&
 -        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
 -        tb_cflags(tb) == desc->cflags) {
 -        /* check next page if needed */
 -        if (tb->page_addr[1] == -1) {
 -            return true;
 -        } else {
 -            tb_page_addr_t phys_page2;
 -            target_ulong virt_page2;
 -
 -            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
 -            phys_page2 = get_page_addr_code(desc->env, virt_page2);
 -            if (tb->page_addr[1] == phys_page2) {
 -                return true;
 -            }
 -        }
 -    }
 -    return false;
 -}
 -
 -TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
 -                                   target_ulong cs_base, uint32_t flags,
 -                                   uint32_t cflags)
 -{
 -    tb_page_addr_t phys_pc;
 -    struct tb_desc desc;
 -    uint32_t h;
 -
 -    desc.env = cpu->env_ptr;
 -    desc.cs_base = cs_base;
 -    desc.flags = flags;
 -    desc.cflags = cflags;
 -    desc.trace_vcpu_dstate = *cpu->trace_dstate;
 -    desc.pc = pc;
 -    phys_pc = get_page_addr_code(desc.env, pc);
 -    if (phys_pc == -1) {
 -        return NULL;
 -    }
 -    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
 -    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
 -    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
 -}
 -
  void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
  {
      if (TCG_TARGET_HAS_direct_jump) {
 --
 .34.1

-[PULL 11/20] accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
+[PULL v3 11/20] accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
 The base qemu_ram_addr_from_host function is already in
 softmmu/physmem.c; move the nofail version to be adjacent.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/cpu-common.h |  1 +
  accel/tcg/cputlb.c        | 12 ------------
  softmmu/physmem.c         | 12 ++++++++++++
 files changed, 13 insertions(+), 12 deletions(-)
 diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu-common.h
 +++ b/include/exec/cpu-common.h
 @@ -XXX,XX +XXX,XX @@ typedef uintptr_t ram_addr_t;
  void qemu_ram_remap(ram_addr_t addr, ram_addr_t length);
  /* This should not be used by devices.  */
  ram_addr_t qemu_ram_addr_from_host(void *ptr);
 +ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
  RAMBlock *qemu_ram_block_by_name(const char *name);
  RAMBlock *qemu_ram_block_from_host(void *ptr, bool round_offset,
                                     ram_addr_t *offset);
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
 @@ -XXX,XX +XXX,XX @@ void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                              prot, mmu_idx, size);
  }
 -static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
 -{
 -    ram_addr_t ram_addr;
 -
 -    ram_addr = qemu_ram_addr_from_host(ptr);
 -    if (ram_addr == RAM_ADDR_INVALID) {
 -        error_report("Bad ram pointer %p", ptr);
 -        abort();
 -    }
 -    return ram_addr;
 -}
 -
  /*
   * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
   * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
 diff --git a/softmmu/physmem.c b/softmmu/physmem.c
 index XXXXXXX..XXXXXXX 100644
 --- a/softmmu/physmem.c
 +++ b/softmmu/physmem.c
 @@ -XXX,XX +XXX,XX @@ ram_addr_t qemu_ram_addr_from_host(void *ptr)
      return block->offset + offset;
  }
 +ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
 +{
 +    ram_addr_t ram_addr;
 +
 +    ram_addr = qemu_ram_addr_from_host(ptr);
 +    if (ram_addr == RAM_ADDR_INVALID) {
 +        error_report("Bad ram pointer %p", ptr);
 +        abort();
 +    }
 +    return ram_addr;
 +}
 +
  static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
                                   MemTxAttrs attrs, void *buf, hwaddr len);
  static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
 --
 .34.1

-[PULL 12/20] accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
+[PULL v3 12/20] accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
 Simplify the implementation of get_page_addr_code_hostp
 by reusing the existing probe_access infrastructure.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  accel/tcg/cputlb.c | 76 ++++++++++++++++------------------------------
 file changed, 26 insertions(+), 50 deletions(-)
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
 @@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
    victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
                   (ADDR) & TARGET_PAGE_MASK)
 -/*
 - * Return a ram_addr_t for the virtual address for execution.
 - *
 - * Return -1 if we can't translate and execute from an entire page
 - * of RAM.  This will force us to execute by loading and translating
 - * one insn at a time, without caching.
 - *
 - * NOTE: This function will trigger an exception if the page is
 - * not executable.
 - */
 -tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 -                                        void **hostp)
 -{
 -    uintptr_t mmu_idx = cpu_mmu_index(env, true);
 -    uintptr_t index = tlb_index(env, mmu_idx, addr);
 -    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 -    void *p;
 -
 -    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
 -        if (!VICTIM_TLB_HIT(addr_code, addr)) {
 -            tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
 -            index = tlb_index(env, mmu_idx, addr);
 -            entry = tlb_entry(env, mmu_idx, addr);
 -
 -            if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
 -                /*
 -                 * The MMU protection covers a smaller range than a target
 -                 * page, so we must redo the MMU check for every insn.
 -                 */
 -                return -1;
 -            }
 -        }
 -        assert(tlb_hit(entry->addr_code, addr));
 -    }
 -
 -    if (unlikely(entry->addr_code & TLB_MMIO)) {
 -        /* The region is not backed by RAM.  */
 -        if (hostp) {
 -            *hostp = NULL;
 -        }
 -        return -1;
 -    }
 -
 -    p = (void *)((uintptr_t)addr + entry->addend);
 -    if (hostp) {
 -        *hostp = p;
 -    }
 -    return qemu_ram_addr_from_host_nofail(p);
 -}
 -
  static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                             CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
  {
 @@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
      return flags ? NULL : host;
  }
 +/*
 + * Return a ram_addr_t for the virtual address for execution.
 + *
 + * Return -1 if we can't translate and execute from an entire page
 + * of RAM.  This will force us to execute by loading and translating
 + * one insn at a time, without caching.
 + *
 + * NOTE: This function will trigger an exception if the page is
 + * not executable.
 + */
 +tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 +                                        void **hostp)
 +{
 +    void *p;
 +
 +    (void)probe_access_internal(env, addr, 1, MMU_INST_FETCH,
 +                                cpu_mmu_index(env, true), false, &p, 0);
 +    if (p == NULL) {
 +        return -1;
 +    }
 +    if (hostp) {
 +        *hostp = p;
 +    }
 +    return qemu_ram_addr_from_host_nofail(p);
 +}
 +
  #ifdef CONFIG_PLUGIN
  /*
   * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
 --
 .34.1

-[PULL 13/20] accel/tcg: Document the faulting lookup in tb_lookup_cmp
+[PULL v3 13/20] accel/tcg: Document the faulting lookup in tb_lookup_cmp
 It was non-obvious to me why we can raise an exception in
 the middle of a comparison function, but it works.
 While nearby, use TARGET_PAGE_ALIGN instead of open-coding.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  accel/tcg/cpu-exec.c | 11 ++++++++++-
 file changed, 10 insertions(+), 1 deletion(-)
 diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cpu-exec.c
 +++ b/accel/tcg/cpu-exec.c
 @@ -XXX,XX +XXX,XX @@ static bool tb_lookup_cmp(const void *p, const void *d)
              tb_page_addr_t phys_page2;
              target_ulong virt_page2;
 -            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
 +            /*
 +             * We know that the first page matched, and an otherwise valid TB
 +             * encountered an incomplete instruction at the end of that page,
 +             * therefore we know that generating a new TB from the current PC
 +             * must also require reading from the next page -- even if the
 +             * second pages do not match, and therefore the resulting insn
 +             * is different for the new TB.  Therefore any exception raised
 +             * here by the faulting lookup is not premature.
 +             */
 +            virt_page2 = TARGET_PAGE_ALIGN(desc->pc);
              phys_page2 = get_page_addr_code(desc->env, virt_page2);
              if (tb->page_addr[1] == phys_page2) {
                  return true;
 --
 .34.1

-[PULL 14/20] accel/tcg: Remove translator_ldsw
+[PULL v3 14/20] accel/tcg: Remove translator_ldsw
 The only user can easily use translator_lduw and
 adjust the type to signed during the return.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/translator.h   | 1 -
  target/i386/tcg/translate.c | 2 +-
 files changed, 1 insertion(+), 2 deletions(-)
 diff --git a/include/exec/translator.h b/include/exec/translator.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/translator.h
 +++ b/include/exec/translator.h
 @@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
  #define FOR_EACH_TRANSLATOR_LD(F)                                       \
      F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
 -    F(translator_ldsw, int16_t, cpu_ldsw_code, bswap16)                 \
      F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
      F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
      F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
  static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
  {
 -    return translator_ldsw(env, &s->base, advance_pc(env, s, 2));
 +    return translator_lduw(env, &s->base, advance_pc(env, s, 2));
  }
  static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
 --
 .34.1

-[PULL 15/20] accel/tcg: Add pc and host_pc params to gen_intermediate_code
+[PULL v3 15/20] accel/tcg: Add pc and host_pc params to gen_intermediate_code
 Pass these along to translator_loop -- pc may be used instead
 of tb->pc, and host_pc is currently unused.  Adjust all targets
 at one time.
 Acked-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/exec-all.h       |  1 -
  include/exec/translator.h     | 24 ++++++++++++++++++++----
  accel/tcg/translate-all.c     |  6 ++++--
  accel/tcg/translator.c        |  9 +++++----
  target/alpha/translate.c      |  5 +++--
  target/arm/translate.c        |  5 +++--
  target/avr/translate.c        |  5 +++--
  target/cris/translate.c       |  5 +++--
  target/hexagon/translate.c    |  6 ++++--
  target/hppa/translate.c       |  5 +++--
  target/i386/tcg/translate.c   |  5 +++--
  target/loongarch/translate.c  |  6 ++++--
  target/m68k/translate.c       |  5 +++--
  target/microblaze/translate.c |  5 +++--
  target/mips/tcg/translate.c   |  5 +++--
  target/nios2/translate.c      |  5 +++--
  target/openrisc/translate.c   |  6 ++++--
  target/ppc/translate.c        |  5 +++--
  target/riscv/translate.c      |  5 +++--
  target/rx/translate.c         |  5 +++--
  target/s390x/tcg/translate.c  |  5 +++--
  target/sh4/translate.c        |  5 +++--
  target/sparc/translate.c      |  5 +++--
  target/tricore/translate.c    |  6 ++++--
  target/xtensa/translate.c     |  6 ++++--
 files changed, 97 insertions(+), 53 deletions(-)
 diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/exec-all.h
 +++ b/include/exec/exec-all.h
 @@ -XXX,XX +XXX,XX @@ typedef ram_addr_t tb_page_addr_t;
  #define TB_PAGE_ADDR_FMT RAM_ADDR_FMT
  #endif
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns);
  void restore_state_to_opc(CPUArchState *env, TranslationBlock *tb,
                            target_ulong *data);
 diff --git a/include/exec/translator.h b/include/exec/translator.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/translator.h
 +++ b/include/exec/translator.h
 @@ -XXX,XX +XXX,XX @@
  #include "exec/translate-all.h"
  #include "tcg/tcg.h"
 +/**
 + * gen_intermediate_code
 + * @cpu: cpu context
 + * @tb: translation block
 + * @max_insns: max number of instructions to translate
 + * @pc: guest virtual program counter address
 + * @host_pc: host physical program counter address
 + *
 + * This function must be provided by the target, which should create
 + * the target-specific DisasContext, and then invoke translator_loop.
 + */
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc);
  /**
   * DisasJumpType:
 @@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
  /**
   * translator_loop:
 - * @ops: Target-specific operations.
 - * @db: Disassembly context.
   * @cpu: Target vCPU.
   * @tb: Translation block.
   * @max_insns: Maximum number of insns to translate.
 + * @pc: guest virtual program counter address
 + * @host_pc: host physical program counter address
 + * @ops: Target-specific operations.
 + * @db: Disassembly context.
   *
   * Generic translator loop.
   *
 @@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
   * - When single-stepping is enabled (system-wide or on the current vCPU).
   * - When too many instructions have been translated.
   */
 -void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
 -                     CPUState *cpu, TranslationBlock *tb, int max_insns);
 +void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                     target_ulong pc, void *host_pc,
 +                     const TranslatorOps *ops, DisasContextBase *db);
  void translator_loop_temp_check(DisasContextBase *db);
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
 @@ -XXX,XX +XXX,XX @@
  #include "exec/cputlb.h"
  #include "exec/translate-all.h"
 +#include "exec/translator.h"
  #include "qemu/bitmap.h"
  #include "qemu/qemu-print.h"
  #include "qemu/timer.h"
 @@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      TCGProfile *prof = &tcg_ctx->prof;
      int64_t ti;
  #endif
 +    void *host_pc;
      assert_memory_lock();
      qemu_thread_jit_write();
 -    phys_pc = get_page_addr_code(env, pc);
 +    phys_pc = get_page_addr_code_hostp(env, pc, &host_pc);
      if (phys_pc == -1) {
          /* Generate a one-shot TB with 1 insn in it */
 @@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      tcg_func_start(tcg_ctx);
      tcg_ctx->cpu = env_cpu(env);
 -    gen_intermediate_code(cpu, tb, max_insns);
 +    gen_intermediate_code(cpu, tb, max_insns, pc, host_pc);
      assert(tb->size != 0);
      tcg_ctx->cpu = NULL;
      max_insns = tb->icount;
 diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translator.c
 +++ b/accel/tcg/translator.c
 @@ -XXX,XX +XXX,XX @@ static inline void translator_page_protect(DisasContextBase *dcbase,
  #endif
  }
 -void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
 -                     CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                     target_ulong pc, void *host_pc,
 +                     const TranslatorOps *ops, DisasContextBase *db)
  {
      uint32_t cflags = tb_cflags(tb);
      bool plugin_enabled;
      /* Initialize DisasContext */
      db->tb = tb;
 -    db->pc_first = tb->pc;
 -    db->pc_next = db->pc_first;
 +    db->pc_first = pc;
 +    db->pc_next = pc;
      db->is_jmp = DISAS_NEXT;
      db->num_insns = 0;
      db->max_insns = max_insns;
 diff --git a/target/alpha/translate.c b/target/alpha/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/alpha/translate.c
 +++ b/target/alpha/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
      .disas_log          = alpha_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&alpha_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &alpha_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUAlphaState *env, TranslationBlock *tb,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
  };
  /* generate intermediate code for basic block 'tb'.  */
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = { };
      const TranslatorOps *ops = &arm_translator_ops;
 @@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
      }
  #endif
 -    translator_loop(ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, ops, &dc.base);
  }
  void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
 diff --git a/target/avr/translate.c b/target/avr/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/avr/translate.c
 +++ b/target/avr/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
      .disas_log          = avr_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = { };
 -    translator_loop(&avr_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &avr_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUAVRState *env, TranslationBlock *tb,
 diff --git a/target/cris/translate.c b/target/cris/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/cris/translate.c
 +++ b/target/cris/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
      .disas_log          = cris_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&cris_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &cris_tr_ops, &dc.base);
  }
  void cris_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hexagon/translate.c
 +++ b/target/hexagon/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
      .disas_log          = hexagon_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&hexagon_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &hexagon_tr_ops, &ctx.base);
  }
  #define NAME_LEN               64
 diff --git a/target/hppa/translate.c b/target/hppa/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hppa/translate.c
 +++ b/target/hppa/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
      .disas_log          = hppa_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&hppa_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &hppa_tr_ops, &ctx.base);
  }
  void restore_state_to_opc(CPUHPPAState *env, TranslationBlock *tb,
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
  };
  /* generate intermediate code for basic block 'tb'.  */
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&i386_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUX86State *env, TranslationBlock *tb,
 diff --git a/target/loongarch/translate.c b/target/loongarch/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/loongarch/translate.c
 +++ b/target/loongarch/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps loongarch_tr_ops = {
      .disas_log          = loongarch_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&loongarch_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &loongarch_tr_ops, &ctx.base);
  }
  void loongarch_translate_init(void)
 diff --git a/target/m68k/translate.c b/target/m68k/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/m68k/translate.c
 +++ b/target/m68k/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
      .disas_log          = m68k_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&m68k_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &m68k_tr_ops, &dc.base);
  }
  static double floatx80_to_double(CPUM68KState *env, uint16_t high, uint64_t low)
 diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/microblaze/translate.c
 +++ b/target/microblaze/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
      .disas_log          = mb_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&mb_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &mb_tr_ops, &dc.base);
  }
  void mb_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/translate.c
 +++ b/target/mips/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
      .disas_log          = mips_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&mips_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &mips_tr_ops, &ctx.base);
  }
  void mips_tcg_init(void)
 diff --git a/target/nios2/translate.c b/target/nios2/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/nios2/translate.c
 +++ b/target/nios2/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
      .disas_log          = nios2_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&nios2_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &nios2_tr_ops, &dc.base);
  }
  void nios2_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/openrisc/translate.c
 +++ b/target/openrisc/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
      .disas_log          = openrisc_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&openrisc_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &openrisc_tr_ops, &ctx.base);
  }
  void openrisc_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/ppc/translate.c b/target/ppc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/ppc/translate.c
 +++ b/target/ppc/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
      .disas_log          = ppc_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&ppc_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &ppc_tr_ops, &ctx.base);
  }
  void restore_state_to_opc(CPUPPCState *env, TranslationBlock *tb,
 diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
      .disas_log          = riscv_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&riscv_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &riscv_tr_ops, &ctx.base);
  }
  void riscv_translate_init(void)
 diff --git a/target/rx/translate.c b/target/rx/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/rx/translate.c
 +++ b/target/rx/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
      .disas_log          = rx_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&rx_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &rx_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPURXState *env, TranslationBlock *tb,
 diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/tcg/translate.c
 +++ b/target/s390x/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
      .disas_log          = s390x_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&s390x_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &s390x_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUS390XState *env, TranslationBlock *tb,
 diff --git a/target/sh4/translate.c b/target/sh4/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/sh4/translate.c
 +++ b/target/sh4/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
      .disas_log          = sh4_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&sh4_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &sh4_tr_ops, &ctx.base);
  }
  void restore_state_to_opc(CPUSH4State *env, TranslationBlock *tb,
 diff --git a/target/sparc/translate.c b/target/sparc/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/sparc/translate.c
 +++ b/target/sparc/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
      .disas_log          = sparc_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = {};
 -    translator_loop(&sparc_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &sparc_tr_ops, &dc.base);
  }
  void sparc_tcg_init(void)
 diff --git a/target/tricore/translate.c b/target/tricore/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/tricore/translate.c
 +++ b/target/tricore/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&tricore_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &tricore_tr_ops, &ctx.base);
  }
  void
 diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/xtensa/translate.c
 +++ b/target/xtensa/translate.c
 @@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
      .disas_log          = xtensa_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = {};
 -    translator_loop(&xtensa_translator_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc,
 +                    &xtensa_translator_ops, &dc.base);
  }
  void xtensa_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 --
 .34.1

-[PULL 16/20] accel/tcg: Add fast path for translator_ld*
+[PULL v3 16/20] accel/tcg: Add fast path for translator_ld*
 ...
 -#undef GEN_TRANSLATOR_LD
 +static inline uint64_t
 +translator_ldq_swap(CPUArchState *env, DisasContextBase *db,
 +                    abi_ptr pc, bool do_swap)
 +{
-+    uint64_t ret = translator_ldq_swap(env, db, pc, false);
++    uint64_t ret = translator_ldq(env, db, pc);
 +    if (do_swap) {
 +        ret = bswap64(ret);
 +    }
 +    return ret;
 +}
 ...

-[PULL 17/20] target/s390x: Make translator stop before the end of a page
+[PULL v3 17/20] target/s390x: Make translator stop before the end of a page
 From: Ilya Leoshkevich <iii@linux.ibm.com>
 Right now translator stops right *after* the end of a page, which
 breaks reporting of fault locations when the last instruction of a
 multi-insn translation block crosses a page boundary.
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20220817150506.592862-3-iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  target/s390x/tcg/translate.c     |  15 +++-
  tests/tcg/s390x/noexec.c         | 106 +++++++++++++++++++++++
  tests/tcg/multiarch/noexec.c.inc | 139 +++++++++++++++++++++++++++++++
  tests/tcg/s390x/Makefile.target  |   1 +
 files changed, 257 insertions(+), 4 deletions(-)
  create mode 100644 tests/tcg/s390x/noexec.c
  create mode 100644 tests/tcg/multiarch/noexec.c.inc
 diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/tcg/translate.c
 +++ b/target/s390x/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      dc->insn_start = tcg_last_op();
  }
 +static target_ulong get_next_pc(CPUS390XState *env, DisasContext *s,
 +                                uint64_t pc)
 +{
 +    uint64_t insn = ld_code2(env, s, pc);
 +
 +    return pc + get_ilen((insn >> 8) & 0xff);
 +}
 +
  static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
  {
      CPUS390XState *env = cs->env_ptr;
 @@ -XXX,XX +XXX,XX @@ static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
      dc->base.is_jmp = translate_one(env, dc);
      if (dc->base.is_jmp == DISAS_NEXT) {
 -        uint64_t page_start;
 -
 -        page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 -        if (dc->base.pc_next - page_start >= TARGET_PAGE_SIZE || dc->ex_value) {
 +        if (!is_same_page(dcbase, dc->base.pc_next) ||
 +            !is_same_page(dcbase, get_next_pc(env, dc, dc->base.pc_next)) ||
 +            dc->ex_value) {
              dc->base.is_jmp = DISAS_TOO_MANY;
          }
      }
 diff --git a/tests/tcg/s390x/noexec.c b/tests/tcg/s390x/noexec.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/s390x/noexec.c
 @@ -XXX,XX +XXX,XX @@
 +#include "../multiarch/noexec.c.inc"
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx)
 +{
 +    return (void *)ctx->psw.addr;
 +}
 +
 +static int arch_mcontext_arg(const mcontext_t *ctx)
 +{
 +    return ctx->gregs[2];
 +}
 +
 +static void arch_flush(void *p, int len)
 +{
 +}
 +
 +extern char noexec_1[];
 +extern char noexec_2[];
 +extern char noexec_end[];
 +
 +asm("noexec_1:\n"
 +    "   lgfi %r2,1\n"       /* %r2 is 0 on entry, set 1. */
 +    "noexec_2:\n"
 +    "   lgfi %r2,2\n"       /* %r2 is 0/1; set 2. */
 +    "   br %r14\n"          /* return */
 +    "noexec_end:");
 +
 +extern char exrl_1[];
 +extern char exrl_2[];
 +extern char exrl_end[];
 +
 +asm("exrl_1:\n"
 +    "   exrl %r0, exrl_2\n"
 +    "   br %r14\n"
 +    "exrl_2:\n"
 +    "   lgfi %r2,2\n"
 +    "exrl_end:");
 +
 +int main(void)
 +{
 +    struct noexec_test noexec_tests[] = {
 +        {
 +            .name = "fallthrough",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = noexec_1 - noexec_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = 0,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "exrl",
 +            .test_code = exrl_1,
 +            .test_len = exrl_end - exrl_1,
 +            .page_ofs = exrl_1 - exrl_2,
 +            .entry_ofs = exrl_1 - exrl_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = exrl_1 - exrl_2,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "fallthrough [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = noexec_1 - noexec_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = -2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "exrl [cross]",
 +            .test_code = exrl_1,
 +            .test_len = exrl_end - exrl_1,
 +            .page_ofs = exrl_1 - exrl_2 - 2,
 +            .entry_ofs = exrl_1 - exrl_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = exrl_1 - exrl_2 - 2,
 +            .expected_arg = 0,
 +        },
 +    };
 +
 +    return test_noexec(noexec_tests,
 +                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
 +}
 diff --git a/tests/tcg/multiarch/noexec.c.inc b/tests/tcg/multiarch/noexec.c.inc
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/multiarch/noexec.c.inc
 @@ -XXX,XX +XXX,XX @@
 +/*
 + * Common code for arch-specific MMU_INST_FETCH fault testing.
 + */
 +
 +#define _GNU_SOURCE
 +
 +#include <assert.h>
 +#include <signal.h>
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +#include <errno.h>
 +#include <unistd.h>
 +#include <sys/mman.h>
 +#include <sys/ucontext.h>
 +
 +/* Forward declarations. */
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx);
 +static int arch_mcontext_arg(const mcontext_t *ctx);
 +static void arch_flush(void *p, int len);
 +
 +/* Testing infrastructure. */
 +
 +struct noexec_test {
 +    const char *name;
 +    const char *test_code;
 +    int test_len;
 +    int page_ofs;
 +    int entry_ofs;
 +    int expected_si_ofs;
 +    int expected_pc_ofs;
 +    int expected_arg;
 +};
 +
 +static void *page_base;
 +static int page_size;
 +static const struct noexec_test *current_noexec_test;
 +
 +static void handle_err(const char *syscall)
 +{
 +    printf("[  FAILED  ] %s: %s\n", syscall, strerror(errno));
 +    exit(EXIT_FAILURE);
 +}
 +
 +static void handle_segv(int sig, siginfo_t *info, void *ucontext)
 +{
 +    const struct noexec_test *test = current_noexec_test;
 +    const mcontext_t *mc = &((ucontext_t *)ucontext)->uc_mcontext;
 +    void *expected_si;
 +    void *expected_pc;
 +    void *pc;
 +    int arg;
 +
 +    if (test == NULL) {
 +        printf("[  FAILED  ] unexpected SEGV\n");
 +        exit(EXIT_FAILURE);
 +    }
 +    current_noexec_test = NULL;
 +
 +    expected_si = page_base + test->expected_si_ofs;
 +    if (info->si_addr != expected_si) {
 +        printf("[  FAILED  ] wrong si_addr (%p != %p)\n",
 +               info->si_addr, expected_si);
 +        exit(EXIT_FAILURE);
 +    }
 +
 +    pc = arch_mcontext_pc(mc);
 +    expected_pc = page_base + test->expected_pc_ofs;
 +    if (pc != expected_pc) {
 +        printf("[  FAILED  ] wrong pc (%p != %p)\n", pc, expected_pc);
 +        exit(EXIT_FAILURE);
 +    }
 +
 +    arg = arch_mcontext_arg(mc);
 +    if (arg != test->expected_arg) {
 +        printf("[  FAILED  ] wrong arg (%d != %d)\n", arg, test->expected_arg);
 +        exit(EXIT_FAILURE);
 +    }
 +
 +    if (mprotect(page_base, page_size,
 +                 PROT_READ | PROT_WRITE | PROT_EXEC) < 0) {
 +        handle_err("mprotect");
 +    }
 +}
 +
 +static void test_noexec_1(const struct noexec_test *test)
 +{
 +    void *start = page_base + test->page_ofs;
 +    void (*fn)(int arg) = page_base + test->entry_ofs;
 +
 +    memcpy(start, test->test_code, test->test_len);
 +    arch_flush(start, test->test_len);
 +
 +    /* Trigger TB creation in order to test invalidation. */
 +    fn(0);
 +
 +    if (mprotect(page_base, page_size, PROT_NONE) < 0) {
 +        handle_err("mprotect");
 +    }
 +
 +    /* Trigger SEGV and check that handle_segv() ran. */
 +    current_noexec_test = test;
 +    fn(0);
 +    assert(current_noexec_test == NULL);
 +}
 +
 +static int test_noexec(struct noexec_test *tests, size_t n_tests)
 +{
 +    struct sigaction act;
 +    size_t i;
 +
 +    memset(&act, 0, sizeof(act));
 +    act.sa_sigaction = handle_segv;
 +    act.sa_flags = SA_SIGINFO;
 +    if (sigaction(SIGSEGV, &act, NULL) < 0) {
 +        handle_err("sigaction");
 +    }
 +
 +    page_size = getpagesize();
 +    page_base = mmap(NULL, 2 * page_size,
 +                     PROT_READ | PROT_WRITE | PROT_EXEC,
 +                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
 +    if (page_base == MAP_FAILED) {
 +        handle_err("mmap");
 +    }
 +    page_base += page_size;
 +
 +    for (i = 0; i < n_tests; i++) {
 +        struct noexec_test *test = &tests[i];
 +
 +        printf("[ RUN      ] %s\n", test->name);
 +        test_noexec_1(test);
 +        printf("[       OK ]\n");
 +    }
 +
 +    printf("[  PASSED  ]\n");
 +    return EXIT_SUCCESS;
 +}
 diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/s390x/Makefile.target
 +++ b/tests/tcg/s390x/Makefile.target
 @@ -XXX,XX +XXX,XX @@ TESTS+=shift
  TESTS+=trap
  TESTS+=signals-s390x
  TESTS+=branch-relative-long
 +TESTS+=noexec
  Z14_TESTS=vfminmax
  vfminmax: LDFLAGS+=-lm
 --
 .34.1

-[PULL 18/20] target/i386: Make translator stop before the end of a page
+[PULL v3 18/20] target/i386: Make translator stop before the end of a page
 From: Ilya Leoshkevich <iii@linux.ibm.com>
 Right now translator stops right *after* the end of a page, which
 breaks reporting of fault locations when the last instruction of a
 multi-insn translation block crosses a page boundary.
 An implementation, like the one arm and s390x have, would require an
 i386 length disassembler, which is burdensome to maintain. Another
 alternative would be to single-step at the end of a guest page, but
 this may come with a performance impact.
 Fix by snapshotting disassembly state and restoring it after we figure
 out we crossed a page boundary. This includes rolling back cc_op
 updates and emitted ops.
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1143
 Message-Id: <20220817150506.592862-4-iii@linux.ibm.com>
 [rth: Simplify end-of-insn cross-page checks.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  target/i386/tcg/translate.c      | 64 ++++++++++++++++-----------
  tests/tcg/x86_64/noexec.c        | 75 ++++++++++++++++++++++++++++++++
  tests/tcg/x86_64/Makefile.target |  3 +-
 files changed, 116 insertions(+), 26 deletions(-)
  create mode 100644 tests/tcg/x86_64/noexec.c
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
 @@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
      TCGv_i64 tmp1_i64;
      sigjmp_buf jmpbuf;
 +    TCGOp *prev_insn_end;
  } DisasContext;
  /* The environment in which user-only runs is constrained. */
 @@ -XXX,XX +XXX,XX @@ static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
  {
      uint64_t pc = s->pc;
 +    /* This is a subsequent insn that crosses a page boundary.  */
 +    if (s->base.num_insns > 1 &&
 +        !is_same_page(&s->base, s->pc + num_bytes - 1)) {
 +        siglongjmp(s->jmpbuf, 2);
 +    }
 +
      s->pc += num_bytes;
      if (unlikely(s->pc - s->pc_start > X86_MAX_INSN_LENGTH)) {
          /* If the instruction's 16th byte is on a different page than the 1st, a
 @@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
      int modrm, reg, rm, mod, op, opreg, val;
      target_ulong next_eip, tval;
      target_ulong pc_start = s->base.pc_next;
 +    bool orig_cc_op_dirty = s->cc_op_dirty;
 +    CCOp orig_cc_op = s->cc_op;
      s->pc_start = s->pc = pc_start;
      s->override = -1;
 @@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
      s->rip_offset = 0; /* for relative ip address */
      s->vex_l = 0;
      s->vex_v = 0;
 -    if (sigsetjmp(s->jmpbuf, 0) != 0) {
 +    switch (sigsetjmp(s->jmpbuf, 0)) {
 +    case 0:
 +        break;
 +    case 1:
          gen_exception_gpf(s);
          return s->pc;
 +    case 2:
 +        /* Restore state that may affect the next instruction. */
 +        s->cc_op_dirty = orig_cc_op_dirty;
 +        s->cc_op = orig_cc_op;
 +        s->base.num_insns--;
 +        tcg_remove_ops_after(s->prev_insn_end);
 +        s->base.is_jmp = DISAS_TOO_MANY;
 +        return pc_start;
 +    default:
 +        g_assert_not_reached();
      }
      prefixes = 0;
 @@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
  {
      DisasContext *dc = container_of(dcbase, DisasContext, base);
 +    dc->prev_insn_end = tcg_last_op();
      tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
  }
 @@ -XXX,XX +XXX,XX @@ static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
  #endif
      pc_next = disas_insn(dc, cpu);
 -
 -    if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
 -        /* if single step mode, we generate only one instruction and
 -           generate an exception */
 -        /* if irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
 -           the flag and abort the translation to give the irqs a
 -           chance to happen */
 -        dc->base.is_jmp = DISAS_TOO_MANY;
 -    } else if ((tb_cflags(dc->base.tb) & CF_USE_ICOUNT)
 -               && ((pc_next & TARGET_PAGE_MASK)
 -                   != ((pc_next + TARGET_MAX_INSN_SIZE - 1)
 -                       & TARGET_PAGE_MASK)
 -                   || (pc_next & ~TARGET_PAGE_MASK) == 0)) {
 -        /* Do not cross the boundary of the pages in icount mode,
 -           it can cause an exception. Do it only when boundary is
 -           crossed by the first instruction in the block.
 -           If current instruction already crossed the bound - it's ok,
 -           because an exception hasn't stopped this code.
 -         */
 -        dc->base.is_jmp = DISAS_TOO_MANY;
 -    } else if ((pc_next - dc->base.pc_first) >= (TARGET_PAGE_SIZE - 32)) {
 -        dc->base.is_jmp = DISAS_TOO_MANY;
 -    }
 -
      dc->base.pc_next = pc_next;
 +
 +    if (dc->base.is_jmp == DISAS_NEXT) {
 +        if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
 +            /*
 +             * If single step mode, we generate only one instruction and
 +             * generate an exception.
 +             * If irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
 +             * the flag and abort the translation to give the irqs a
 +             * chance to happen.
 +             */
 +            dc->base.is_jmp = DISAS_TOO_MANY;
 +        } else if (!is_same_page(&dc->base, pc_next)) {
 +            dc->base.is_jmp = DISAS_TOO_MANY;
 +        }
 +    }
  }
  static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
 diff --git a/tests/tcg/x86_64/noexec.c b/tests/tcg/x86_64/noexec.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/x86_64/noexec.c
 @@ -XXX,XX +XXX,XX @@
 +#include "../multiarch/noexec.c.inc"
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx)
 +{
 +    return (void *)ctx->gregs[REG_RIP];
 +}
 +
 +int arch_mcontext_arg(const mcontext_t *ctx)
 +{
 +    return ctx->gregs[REG_RDI];
 +}
 +
 +static void arch_flush(void *p, int len)
 +{
 +}
 +
 +extern char noexec_1[];
 +extern char noexec_2[];
 +extern char noexec_end[];
 +
 +asm("noexec_1:\n"
 +    "    movq $1,%rdi\n"    /* %rdi is 0 on entry, set 1. */
 +    "noexec_2:\n"
 +    "    movq $2,%rdi\n"    /* %rdi is 0/1; set 2. */
 +    "    ret\n"
 +    "noexec_end:");
 +
 +int main(void)
 +{
 +    struct noexec_test noexec_tests[] = {
 +        {
 +            .name = "fallthrough",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = noexec_1 - noexec_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = 0,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "fallthrough [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = noexec_1 - noexec_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = -2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 0,
 +        },
 +    };
 +
 +    return test_noexec(noexec_tests,
 +                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
 +}
 diff --git a/tests/tcg/x86_64/Makefile.target b/tests/tcg/x86_64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/x86_64/Makefile.target
 +++ b/tests/tcg/x86_64/Makefile.target
 @@ -XXX,XX +XXX,XX @@ include $(SRC_PATH)/tests/tcg/i386/Makefile.target
  ifeq ($(filter %-linux-user, $(TARGET)),$(TARGET))
  X86_64_TESTS += vsyscall
 +X86_64_TESTS += noexec
  TESTS=$(MULTIARCH_TESTS) $(X86_64_TESTS) test-x86_64
  else
  TESTS=$(MULTIARCH_TESTS)
 @@ -XXX,XX +XXX,XX @@ test-x86_64: LDFLAGS+=-lm -lc
  test-x86_64: test-i386.c test-i386.h test-i386-shift.h test-i386-muldiv.h
      $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 -vsyscall: $(SRC_PATH)/tests/tcg/x86_64/vsyscall.c
 +%: $(SRC_PATH)/tests/tcg/x86_64/%.c
      $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 --
 .34.1

-[PULL 19/20] target/riscv: Add MAX_INSN_LEN and insn_len
+[PULL v3 19/20] target/riscv: Add MAX_INSN_LEN and insn_len
 These will be useful in properly ending the TB.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  target/riscv/translate.c | 10 +++++++++-
 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
 @@ -XXX,XX +XXX,XX @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
  /* Include decoders for factored-out extensions */
  #include "decode-XVentanaCondOps.c.inc"
 +/* The specification allows for longer insns, but not supported by qemu. */
 +#define MAX_INSN_LEN  4
 +
 +static inline int insn_len(uint16_t first_word)
 +{
 +    return (first_word & 3) == 3 ? 4 : 2;
 +}
 +
  static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
  {
      /*
 @@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
      };
      /* Check for compressed insn */
 -    if (extract16(opcode, 0, 2) != 3) {
 +    if (insn_len(opcode) == 2) {
          if (!has_ext(ctx, RVC)) {
              gen_exception_illegal(ctx);
          } else {
 --
 .34.1

-[PULL 20/20] target/riscv: Make translator stop before the end of a page
+[PULL v3 20/20] target/riscv: Make translator stop before the end of a page
 Right now the translator stops right *after* the end of a page, which
 breaks reporting of fault locations when the last instruction of a
 multi-insn translation block crosses a page boundary.
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1155
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  target/riscv/translate.c          | 17 +++++--
  tests/tcg/riscv64/noexec.c        | 79 +++++++++++++++++++++++++++++++
  tests/tcg/riscv64/Makefile.target |  1 +
 files changed, 93 insertions(+), 4 deletions(-)
  create mode 100644 tests/tcg/riscv64/noexec.c
 diff --git a/target/riscv/translate.c b/target/riscv/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/riscv/translate.c
 +++ b/target/riscv/translate.c
 @@ -XXX,XX +XXX,XX @@ static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
      }
      ctx->nftemp = 0;
 +    /* Only the first insn within a TB is allowed to cross a page boundary. */
      if (ctx->base.is_jmp == DISAS_NEXT) {
 -        target_ulong page_start;
 -
 -        page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
 -        if (ctx->base.pc_next - page_start >= TARGET_PAGE_SIZE) {
 +        if (!is_same_page(&ctx->base, ctx->base.pc_next)) {
              ctx->base.is_jmp = DISAS_TOO_MANY;
 +        } else {
 +            unsigned page_ofs = ctx->base.pc_next & ~TARGET_PAGE_MASK;
 +
 +            if (page_ofs > TARGET_PAGE_SIZE - MAX_INSN_LEN) {
 +                uint16_t next_insn = cpu_lduw_code(env, ctx->base.pc_next);
 +                int len = insn_len(next_insn);
 +
 +                if (!is_same_page(&ctx->base, ctx->base.pc_next + len)) {
 +                    ctx->base.is_jmp = DISAS_TOO_MANY;
 +                }
 +            }
          }
      }
  }
 diff --git a/tests/tcg/riscv64/noexec.c b/tests/tcg/riscv64/noexec.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/riscv64/noexec.c
 @@ -XXX,XX +XXX,XX @@
 +#include "../multiarch/noexec.c.inc"
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx)
 +{
 +    return (void *)ctx->__gregs[REG_PC];
 +}
 +
 +static int arch_mcontext_arg(const mcontext_t *ctx)
 +{
 +    return ctx->__gregs[REG_A0];
 +}
 +
 +static void arch_flush(void *p, int len)
 +{
 +    __builtin___clear_cache(p, p + len);
 +}
 +
 +extern char noexec_1[];
 +extern char noexec_2[];
 +extern char noexec_end[];
 +
 +asm(".option push\n"
 +    ".option norvc\n"
 +    "noexec_1:\n"
 +    "   li a0,1\n"       /* a0 is 0 on entry, set 1. */
 +    "noexec_2:\n"
 +    "   li a0,2\n"      /* a0 is 0/1; set 2. */
 +    "   ret\n"
 +    "noexec_end:\n"
 +    ".option pop");
 +
 +int main(void)
 +{
 +    struct noexec_test noexec_tests[] = {
 +        {
 +            .name = "fallthrough",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = noexec_1 - noexec_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = 0,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "fallthrough [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = noexec_1 - noexec_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = -2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 0,
 +        },
 +    };
 +
 +    return test_noexec(noexec_tests,
 +                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
 +}
 diff --git a/tests/tcg/riscv64/Makefile.target b/tests/tcg/riscv64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
 --- a/tests/tcg/riscv64/Makefile.target
 +++ b/tests/tcg/riscv64/Makefile.target
 @@ -XXX,XX +XXX,XX @@
  VPATH += $(SRC_PATH)/tests/tcg/riscv64
  TESTS += test-div
 +TESTS += noexec
 --
 .34.1

The following changes since commit e93ded1bf6c94ab95015b33e188bc8b0b0c32670:

Merge tag 'testing-pull-request-2022-08-30' of https://gitlab.com/thuth/qemu into staging (2022-08-31 18:19:03 -0400)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220901

for you to fetch changes up to 20011be2e30b8aa8ef1fc258485f00c688703deb:

target/riscv: Make translator stop before the end of a page (2022-09-01 07:43:08 +0100)

----------------------------------------------------------------
Respect PROT_EXEC in user-only mode.
Fix s390x, i386 and riscv for translations crossing a page.

----------------------------------------------------------------
Ilya Leoshkevich (4):
      linux-user: Clear translations on mprotect()
      accel/tcg: Introduce is_same_page()
      target/s390x: Make translator stop before the end of a page
      target/i386: Make translator stop before the end of a page

Richard Henderson (16):
      linux-user/arm: Mark the commpage executable
      linux-user/hppa: Allocate page zero as a commpage
      linux-user/x86_64: Allocate vsyscall page as a commpage
      linux-user: Honor PT_GNU_STACK
      tests/tcg/i386: Move smc_code2 to an executable section
      accel/tcg: Properly implement get_page_addr_code for user-only
      accel/tcg: Unlock mmap_lock after longjmp
      accel/tcg: Make tb_htable_lookup static
      accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
      accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
      accel/tcg: Document the faulting lookup in tb_lookup_cmp
      accel/tcg: Remove translator_ldsw
      accel/tcg: Add pc and host_pc params to gen_intermediate_code
      accel/tcg: Add fast path for translator_ld*
      target/riscv: Add MAX_INSN_LEN and insn_len
      target/riscv: Make translator stop before the end of a page

include/elf.h                     |   1 +
 include/exec/cpu-common.h         |   1 +
 include/exec/exec-all.h           |  89 ++++++++----------------
 include/exec/translator.h         |  96 ++++++++++++++++---------
 linux-user/arm/target_cpu.h       |   4 +-
 linux-user/qemu.h                 |   1 +
 accel/tcg/cpu-exec.c              | 143 ++++++++++++++++++++------------------
 accel/tcg/cputlb.c                |  93 +++++++------------------
 accel/tcg/translate-all.c         |  29 ++++----
 accel/tcg/translator.c            | 135 ++++++++++++++++++++++++++---------
 accel/tcg/user-exec.c             |  17 ++++-
 linux-user/elfload.c              |  82 ++++++++++++++++++++--
 linux-user/mmap.c                 |   6 +-
 softmmu/physmem.c                 |  12 ++++
 target/alpha/translate.c          |   5 +-
 target/arm/translate.c            |   5 +-
 target/avr/translate.c            |   5 +-
 target/cris/translate.c           |   5 +-
 target/hexagon/translate.c        |   6 +-
 target/hppa/translate.c           |   5 +-
 target/i386/tcg/translate.c       |  71 +++++++++++--------
 target/loongarch/translate.c      |   6 +-
 target/m68k/translate.c           |   5 +-
 target/microblaze/translate.c     |   5 +-
 target/mips/tcg/translate.c       |   5 +-
 target/nios2/translate.c          |   5 +-
 target/openrisc/translate.c       |   6 +-
 target/ppc/translate.c            |   5 +-
 target/riscv/translate.c          |  32 +++++++--
 target/rx/translate.c             |   5 +-
 target/s390x/tcg/translate.c      |  20 ++++--
 target/sh4/translate.c            |   5 +-
 target/sparc/translate.c          |   5 +-
 target/tricore/translate.c        |   6 +-
 target/xtensa/translate.c         |   6 +-
 tests/tcg/i386/test-i386.c        |   2 +-
 tests/tcg/riscv64/noexec.c        |  79 +++++++++++++++++++++
 tests/tcg/s390x/noexec.c          | 106 ++++++++++++++++++++++++++++
 tests/tcg/x86_64/noexec.c         |  75 ++++++++++++++++++++
 tests/tcg/multiarch/noexec.c.inc  | 139 ++++++++++++++++++++++++++++++++++++
 tests/tcg/riscv64/Makefile.target |   1 +
 tests/tcg/s390x/Makefile.target   |   1 +
 tests/tcg/x86_64/Makefile.target  |   3 +-
 43 files changed, 966 insertions(+), 367 deletions(-)
 create mode 100644 tests/tcg/riscv64/noexec.c
 create mode 100644 tests/tcg/s390x/noexec.c
 create mode 100644 tests/tcg/x86_64/noexec.c
 create mode 100644 tests/tcg/multiarch/noexec.c.inc

We're about to start validating PAGE_EXEC, which means
that we've got to mark the commpage executable.  We had
been placing the commpage outside of reserved_va, which
was incorrect and lead to an abort.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/arm/target_cpu.h | 4 ++--
 linux-user/elfload.c        | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/arm/target_cpu.h
+++ b/linux-user/arm/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
     } else {
         /*
          * We need to be able to map the commpage.
-         * See validate_guest_space in linux-user/elfload.c.
+         * See init_guest_commpage in linux-user/elfload.c.
          */
-        return 0xffff0000ul;
+        return 0xfffffffful;
     }
 }
 #define MAX_RESERVED_VA  arm_max_reserved_va
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum {
 
 static bool init_guest_commpage(void)
 {
-    void *want = g2h_untagged(HI_COMMPAGE & -qemu_host_page_size);
+    abi_ptr commpage = HI_COMMPAGE & -qemu_host_page_size;
+    void *want = g2h_untagged(commpage);
     void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
                       MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
 
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
         perror("Protecting guest commpage");
         exit(EXIT_FAILURE);
     }
+
+    page_set_flags(commpage, commpage + qemu_host_page_size,
+                   PAGE_READ | PAGE_EXEC | PAGE_VALID);
     return true;
 }
 
-- 
2.34.1

While there are no target-specific nonfaulting probes,
generic code may grow some uses at some point.

Note that the attrs argument was incorrect -- it should have
been MEMTXATTRS_UNSPECIFIED. Just use the simpler interface.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 46 ++++++++++++++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 17 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       MMUAccessType access_type, int mmu_idx,
                       bool probe, uintptr_t retaddr)
 {
-    int prot = 0;
-    MemTxAttrs attrs = {};
+    int prot, page_size = TARGET_PAGE_SIZE;
     uint32_t paddr;
 
     address &= TARGET_PAGE_MASK;
 
     if (mmu_idx == MMU_CODE_IDX) {
-        /* access to code in flash */
+        /* Access to code in flash. */
         paddr = OFFSET_CODE + address;
         prot = PAGE_READ | PAGE_EXEC;
-        if (paddr + TARGET_PAGE_SIZE > OFFSET_DATA) {
+        if (paddr >= OFFSET_DATA) {
+            /*
+             * This should not be possible via any architectural operations.
+             * There is certainly not an exception that we can deliver.
+             * Accept probing that might come from generic code.
+             */
+            if (probe) {
+                return false;
+            }
             error_report("execution left flash memory");
             abort();
         }
-    } else if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
-        /*
-         * access to CPU registers, exit and rebuilt this TB to use full access
-         * incase it touches specially handled registers like SREG or SP
-         */
-        AVRCPU *cpu = AVR_CPU(cs);
-        CPUAVRState *env = &cpu->env;
-        env->fullacc = 1;
-        cpu_loop_exit_restore(cs, retaddr);
     } else {
-        /* access to memory. nothing special */
+        /* Access to memory. */
         paddr = OFFSET_DATA + address;
         prot = PAGE_READ | PAGE_WRITE;
+        if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
+            /*
+             * Access to CPU registers, exit and rebuilt this TB to use
+             * full access in case it touches specially handled registers
+             * like SREG or SP.  For probing, set page_size = 1, in order
+             * to force tlb_fill to be called for the next access.
+             */
+            if (probe) {
+                page_size = 1;
+            } else {
+                AVRCPU *cpu = AVR_CPU(cs);
+                CPUAVRState *env = &cpu->env;
+                env->fullacc = 1;
+                cpu_loop_exit_restore(cs, retaddr);
+            }
+        }
     }
 
-    tlb_set_page_with_attrs(cs, address, paddr, attrs, prot,
-                            mmu_idx, TARGET_PAGE_SIZE);
-
+    tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size);
     return true;
 }
 
-- 
2.34.1

There is no need to go through cc->tcg_ops when
we know what value that must have.

Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@
 bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
     bool ret = false;
-    CPUClass *cc = CPU_GET_CLASS(cs);
     AVRCPU *cpu = AVR_CPU(cs);
     CPUAVRState *env = &cpu->env;
 
     if (interrupt_request & CPU_INTERRUPT_RESET) {
         if (cpu_interrupts_enabled(env)) {
             cs->exception_index = EXCP_RESET;
-            cc->tcg_ops->do_interrupt(cs);
+            avr_cpu_do_interrupt(cs);
 
             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
 
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
         if (cpu_interrupts_enabled(env) && env->intsrc != 0) {
             int index = ctz32(env->intsrc);
             cs->exception_index = EXCP_INT(index);
-            cc->tcg_ops->do_interrupt(cs);
+            avr_cpu_do_interrupt(cs);
 
             env->intsrc &= env->intsrc - 1; /* clear the interrupt */
             if (!env->intsrc) {
-- 
2.34.1

We're about to start validating PAGE_EXEC, which means that we've
got to mark page zero executable.  We had been special casing this
entirely within translate.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/elfload.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
     regs->gr[31] = infop->entry;
 }
 
+#define LO_COMMPAGE  0
+
+static bool init_guest_commpage(void)
+{
+    void *want = g2h_untagged(LO_COMMPAGE);
+    void *addr = mmap(want, qemu_host_page_size, PROT_NONE,
+                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+
+    if (addr == MAP_FAILED) {
+        perror("Allocating guest commpage");
+        exit(EXIT_FAILURE);
+    }
+    if (addr != want) {
+        return false;
+    }
+
+    /*
+     * On Linux, page zero is normally marked execute only + gateway.
+     * Normal read or write is supposed to fail (thus PROT_NONE above),
+     * but specific offsets have kernel code mapped to raise permissions
+     * and implement syscalls.  Here, simply mark the page executable.
+     * Special case the entry points during translation (see do_page_zero).
+     */
+    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
+                   PAGE_EXEC | PAGE_VALID);
+    return true;
+}
+
 #endif /* TARGET_HPPA */
 
 #ifdef TARGET_XTENSA
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 }
 
 #if defined(HI_COMMPAGE)
-#define LO_COMMPAGE 0
+#define LO_COMMPAGE -1
 #elif defined(LO_COMMPAGE)
 #define HI_COMMPAGE 0
 #else
 #define HI_COMMPAGE 0
-#define LO_COMMPAGE 0
+#define LO_COMMPAGE -1
 #define init_guest_commpage() true
 #endif
 
@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
         } else {
             offset = -(HI_COMMPAGE & -align);
         }
-    } else if (LO_COMMPAGE != 0) {
+    } else if (LO_COMMPAGE != -1) {
         loaddr = MIN(loaddr, LO_COMMPAGE & -align);
     }
 
-- 
2.34.1

We're about to start validating PAGE_EXEC, which means that we've
got to mark the vsyscall page executable.  We had been special
casing this entirely within translate.

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
     (*regs)[26] = tswapreg(env->segs[R_GS].selector & 0xffff);
 }
 
+#if ULONG_MAX >= TARGET_VSYSCALL_PAGE
+#define INIT_GUEST_COMMPAGE
+static bool init_guest_commpage(void)
+{
+    /*
+     * The vsyscall page is at a high negative address aka kernel space,
+     * which means that we cannot actually allocate it with target_mmap.
+     * We still should be able to use page_set_flags, unless the user
+     * has specified -R reserved_va, which would trigger an assert().
+     */
+    if (reserved_va != 0 &&
+        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
+        error_report("Cannot allocate vsyscall page");
+        exit(EXIT_FAILURE);
+    }
+    page_set_flags(TARGET_VSYSCALL_PAGE,
+                   TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
+                   PAGE_EXEC | PAGE_VALID);
+    return true;
+}
+#endif
 #else
 
 #define ELF_START_MMAP 0x80000000
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 #else
 #define HI_COMMPAGE 0
 #define LO_COMMPAGE -1
+#ifndef INIT_GUEST_COMMPAGE
 #define init_guest_commpage() true
 #endif
+#endif
 
 static void pgb_fail_in_use(const char *image_name)
 {
-- 
2.34.1

We cannot deliver two interrupts simultaneously;
the first interrupt handler must execute first.

Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

This bit is not saved across interrupts, so we must
delay delivering the interrupt until the skip has
been processed.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1118
Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c    |  9 +++++++++
 target/avr/translate.c | 26 ++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
     AVRCPU *cpu = AVR_CPU(cs);
     CPUAVRState *env = &cpu->env;
 
+    /*
+     * We cannot separate a skip from the next instruction,
+     * as the skip would not be preserved across the interrupt.
+     * Separating the two insn normally only happens at page boundaries.
+     */
+    if (env->skip) {
+        return false;
+    }
+
     if (interrupt_request & CPU_INTERRUPT_RESET) {
         if (cpu_interrupts_enabled(env)) {
             cs->exception_index = EXCP_RESET;
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
     if (skip_label) {
         canonicalize_skip(ctx);
         gen_set_label(skip_label);
-        if (ctx->base.is_jmp == DISAS_NORETURN) {
+
+        switch (ctx->base.is_jmp) {
+        case DISAS_NORETURN:
             ctx->base.is_jmp = DISAS_CHAIN;
+            break;
+        case DISAS_NEXT:
+            if (ctx->base.tb->flags & TB_FLAGS_SKIP) {
+                ctx->base.is_jmp = DISAS_TOO_MANY;
+            }
+            break;
+        default:
+            break;
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     bool nonconst_skip = canonicalize_skip(ctx);
+    /*
+     * Because we disable interrupts while env->skip is set,
+     * we must return to the main loop to re-evaluate afterward.
+     */
+    bool force_exit = ctx->base.tb->flags & TB_FLAGS_SKIP;
 
     switch (ctx->base.is_jmp) {
     case DISAS_NORETURN:
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     case DISAS_NEXT:
     case DISAS_TOO_MANY:
     case DISAS_CHAIN:
-        if (!nonconst_skip) {
+        if (!nonconst_skip && !force_exit) {
             /* Note gen_goto_tb checks singlestep.  */
             gen_goto_tb(ctx, 1, ctx->npc);
             break;
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         tcg_gen_movi_tl(cpu_pc, ctx->npc);
         /* fall through */
     case DISAS_LOOKUP:
-        tcg_gen_lookup_and_goto_ptr();
-        break;
+        if (!force_exit) {
+            tcg_gen_lookup_and_goto_ptr();
+            break;
+        }
+        /* fall through */
     case DISAS_EXIT:
         tcg_gen_exit_tb(NULL, 0);
         break;
-- 
2.34.1

Map the stack executable if required by default or on demand.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/elf.h        |  1 +
 linux-user/qemu.h    |  1 +
 linux-user/elfload.c | 19 ++++++++++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/include/elf.h b/include/elf.h
index XXXXXXX..XXXXXXX 100644
--- a/include/elf.h
+++ b/include/elf.h
@@ -XXX,XX +XXX,XX @@ typedef int64_t  Elf64_Sxword;
 #define PT_LOPROC  0x70000000
 #define PT_HIPROC  0x7fffffff
 
+#define PT_GNU_STACK      (PT_LOOS + 0x474e551)
 #define PT_GNU_PROPERTY   (PT_LOOS + 0x474e553)
 
 #define PT_MIPS_REGINFO   0x70000000
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -XXX,XX +XXX,XX @@ struct image_info {
         uint32_t        elf_flags;
         int             personality;
         abi_ulong       alignment;
+        bool            exec_stack;
 
         /* Generic semihosting knows about these pointers. */
         abi_ulong       arg_strings;   /* strings for argv */
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
 #define ELF_ARCH        EM_386
 
 #define ELF_PLATFORM get_elf_platform()
+#define EXSTACK_DEFAULT true
 
 static const char *get_elf_platform(void)
 {
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
 
 #define ELF_ARCH        EM_ARM
 #define ELF_CLASS       ELFCLASS32
+#define EXSTACK_DEFAULT true
 
 static inline void init_thread(struct target_pt_regs *regs,
                                struct image_info *infop)
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
 #else
 
 #define ELF_CLASS       ELFCLASS32
+#define EXSTACK_DEFAULT true
 
 #endif
 
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUPPCState *en
 
 #define ELF_CLASS   ELFCLASS64
 #define ELF_ARCH    EM_LOONGARCH
+#define EXSTACK_DEFAULT true
 
 #define elf_check_arch(x) ((x) == EM_LOONGARCH)
 
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
 #define ELF_CLASS   ELFCLASS32
 #endif
 #define ELF_ARCH    EM_MIPS
+#define EXSTACK_DEFAULT true
 
 #ifdef TARGET_ABI_MIPSN32
 #define elf_check_abi(x) ((x) & EF_MIPS_ABI2)
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
 #define bswaptls(ptr) bswap32s(ptr)
 #endif
 
+#ifndef EXSTACK_DEFAULT
+#define EXSTACK_DEFAULT false
+#endif
+
 #include "elf.h"
 
 /* We must delay the following stanzas until after "elf.h". */
@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
                                  struct image_info *info)
 {
     abi_ulong size, error, guard;
+    int prot;
 
     size = guest_stack_size;
     if (size < STACK_LOWER_LIMIT) {
@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
         guard = qemu_real_host_page_size();
     }
 
-    error = target_mmap(0, size + guard, PROT_READ | PROT_WRITE,
+    prot = PROT_READ | PROT_WRITE;
+    if (info->exec_stack) {
+        prot |= PROT_EXEC;
+    }
+    error = target_mmap(0, size + guard, prot,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
     if (error == -1) {
         perror("mmap stack");
@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
      */
     loaddr = -1, hiaddr = 0;
     info->alignment = 0;
+    info->exec_stack = EXSTACK_DEFAULT;
     for (i = 0; i < ehdr->e_phnum; ++i) {
         struct elf_phdr *eppnt = phdr + i;
         if (eppnt->p_type == PT_LOAD) {
@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
             if (!parse_elf_properties(image_fd, info, eppnt, bprm_buf, &err)) {
                 goto exit_errmsg;
             }
+        } else if (eppnt->p_type == PT_GNU_STACK) {
+            info->exec_stack = eppnt->p_flags & PF_X;
         }
     }
 
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Introduce a function that checks whether a given address is on the same
page as where disassembly started. Having it improves readability of
the following patches.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20220811095534.241224-3-iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
[rth: Make the DisasContextBase parameter const.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
 
 #undef GEN_TRANSLATOR_LD
 
+/*
+ * Return whether addr is on the same page as where disassembly started.
+ * Translators can use this to enforce the rule that only single-insn
+ * translation blocks are allowed to cross page boundaries.
+ */
+static inline bool is_same_page(const DisasContextBase *db, target_ulong addr)
+{
+    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
+}
+
 #endif /* EXEC__TRANSLATOR_H */
-- 
2.34.1

The current implementation is a no-op, simply returning addr.
This is incorrect, because we ought to be checking the page
permissions for execution.

Make get_page_addr_code inline for both implementations.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 85 ++++++++++++++---------------------------
 accel/tcg/cputlb.c      |  5 ---
 accel/tcg/user-exec.c   | 14 +++++++
 3 files changed, 42 insertions(+), 62 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct MemoryRegionSection *iotlb_to_section(CPUState *cpu,
                                              hwaddr index, MemTxAttrs attrs);
 #endif
 
-#if defined(CONFIG_USER_ONLY)
-void mmap_lock(void);
-void mmap_unlock(void);
-bool have_mmap_lock(void);
-
 /**
- * get_page_addr_code() - user-mode version
+ * get_page_addr_code_hostp()
  * @env: CPUArchState
  * @addr: guest virtual address of guest code
  *
- * Returns @addr.
+ * See get_page_addr_code() (full-system version) for documentation on the
+ * return value.
+ *
+ * Sets *@hostp (when @hostp is non-NULL) as follows.
+ * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
+ * to the host address where @addr's content is kept.
+ *
+ * Note: this function can trigger an exception.
+ */
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp);
+
+/**
+ * get_page_addr_code()
+ * @env: CPUArchState
+ * @addr: guest virtual address of guest code
+ *
+ * If we cannot translate and execute from the entire RAM page, or if
+ * the region is not backed by RAM, returns -1. Otherwise, returns the
+ * ram_addr_t corresponding to the guest code at @addr.
+ *
+ * Note: this function can trigger an exception.
  */
 static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
                                                 target_ulong addr)
 {
-    return addr;
+    return get_page_addr_code_hostp(env, addr, NULL);
 }
 
-/**
- * get_page_addr_code_hostp() - user-mode version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * Returns @addr.
- *
- * If @hostp is non-NULL, sets *@hostp to the host address where @addr's content
- * is kept.
- */
-static inline tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env,
-                                                      target_ulong addr,
-                                                      void **hostp)
-{
-    if (hostp) {
-        *hostp = g2h_untagged(addr);
-    }
-    return addr;
-}
+#if defined(CONFIG_USER_ONLY)
+void mmap_lock(void);
+void mmap_unlock(void);
+bool have_mmap_lock(void);
 
 /**
  * adjust_signal_pc:
@@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
 static inline void mmap_lock(void) {}
 static inline void mmap_unlock(void) {}
 
-/**
- * get_page_addr_code() - full-system version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * If we cannot translate and execute from the entire RAM page, or if
- * the region is not backed by RAM, returns -1. Otherwise, returns the
- * ram_addr_t corresponding to the guest code at @addr.
- *
- * Note: this function can trigger an exception.
- */
-tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr);
-
-/**
- * get_page_addr_code_hostp() - full-system version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * See get_page_addr_code() (full-system version) for documentation on the
- * return value.
- *
- * Sets *@hostp (when @hostp is non-NULL) as follows.
- * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
- * to the host address where @addr's content is kept.
- *
- * Note: this function can trigger an exception.
- */
-tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-                                        void **hostp);
-
 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr);
 
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
     return qemu_ram_addr_from_host_nofail(p);
 }
 
-tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
-{
-    return get_page_addr_code_hostp(env, addr, NULL);
-}
-
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
 {
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
     return size ? g2h(env_cpu(env), addr) : NULL;
 }
 
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp)
+{
+    int flags;
+
+    flags = probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0);
+    g_assert(flags == 0);
+
+    if (hostp) {
+        *hostp = g2h_untagged(addr);
+    }
+    return addr;
+}
+
 /* The softmmu versions of these helpers are in cputlb.c.  */
 
 /*
-- 
2.34.1

The mmap_lock is held around tb_gen_code.  While the comment
is correct that the lock is dropped when tb_gen_code runs out
of memory, the lock is *not* dropped when an exception is
raised reading code for translation.

Acked-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c  | 12 ++++++------
 accel/tcg/user-exec.c |  3 ---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
         cpu_tb_exec(cpu, tb, &tb_exit);
         cpu_exec_exit(cpu);
     } else {
-        /*
-         * The mmap_lock is dropped by tb_gen_code if it runs out of
-         * memory.
-         */
 #ifndef CONFIG_SOFTMMU
         clear_helper_retaddr();
-        tcg_debug_assert(!have_mmap_lock());
+        if (have_mmap_lock()) {
+            mmap_unlock();
+        }
 #endif
         if (qemu_mutex_iothread_locked()) {
             qemu_mutex_unlock_iothread();
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
 
 #ifndef CONFIG_SOFTMMU
         clear_helper_retaddr();
-        tcg_debug_assert(!have_mmap_lock());
+        if (have_mmap_lock()) {
+            mmap_unlock();
+        }
 #endif
         if (qemu_mutex_iothread_locked()) {
             qemu_mutex_unlock_iothread();
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write)
          * (and if the translator doesn't handle page boundaries correctly
          * there's little we can do about that here).  Therefore, do not
          * trigger the unwinder.
-         *
-         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
          */
-        mmap_unlock();
         *pc = 0;
         return MMU_INST_FETCH;
     }
-- 
2.34.1

The function is not used outside of cpu-exec.c.  Move it and
its subroutines up in the file, before the first use.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h |   3 -
 accel/tcg/cpu-exec.c    | 122 ++++++++++++++++++++--------------------
 2 files changed, 61 insertions(+), 64 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
 #endif
 void tb_flush(CPUState *cpu);
 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
-TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
-                                   target_ulong cs_base, uint32_t flags,
-                                   uint32_t cflags);
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
 
 /* GETPC is the true target of the return instruction that we'll execute.  */
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
     return cflags;
 }
 
+struct tb_desc {
+    target_ulong pc;
+    target_ulong cs_base;
+    CPUArchState *env;
+    tb_page_addr_t phys_page1;
+    uint32_t flags;
+    uint32_t cflags;
+    uint32_t trace_vcpu_dstate;
+};
+
+static bool tb_lookup_cmp(const void *p, const void *d)
+{
+    const TranslationBlock *tb = p;
+    const struct tb_desc *desc = d;
+
+    if (tb->pc == desc->pc &&
+        tb->page_addr[0] == desc->phys_page1 &&
+        tb->cs_base == desc->cs_base &&
+        tb->flags == desc->flags &&
+        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
+        tb_cflags(tb) == desc->cflags) {
+        /* check next page if needed */
+        if (tb->page_addr[1] == -1) {
+            return true;
+        } else {
+            tb_page_addr_t phys_page2;
+            target_ulong virt_page2;
+
+            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+            phys_page2 = get_page_addr_code(desc->env, virt_page2);
+            if (tb->page_addr[1] == phys_page2) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+static TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
+                                          target_ulong cs_base, uint32_t flags,
+                                          uint32_t cflags)
+{
+    tb_page_addr_t phys_pc;
+    struct tb_desc desc;
+    uint32_t h;
+
+    desc.env = cpu->env_ptr;
+    desc.cs_base = cs_base;
+    desc.flags = flags;
+    desc.cflags = cflags;
+    desc.trace_vcpu_dstate = *cpu->trace_dstate;
+    desc.pc = pc;
+    phys_pc = get_page_addr_code(desc.env, pc);
+    if (phys_pc == -1) {
+        return NULL;
+    }
+    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
+    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
+    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
+}
+
 /* Might cause an exception, so have a longjmp destination ready */
 static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                           target_ulong cs_base,
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
     end_exclusive();
 }
 
-struct tb_desc {
-    target_ulong pc;
-    target_ulong cs_base;
-    CPUArchState *env;
-    tb_page_addr_t phys_page1;
-    uint32_t flags;
-    uint32_t cflags;
-    uint32_t trace_vcpu_dstate;
-};
-
-static bool tb_lookup_cmp(const void *p, const void *d)
-{
-    const TranslationBlock *tb = p;
-    const struct tb_desc *desc = d;
-
-    if (tb->pc == desc->pc &&
-        tb->page_addr[0] == desc->phys_page1 &&
-        tb->cs_base == desc->cs_base &&
-        tb->flags == desc->flags &&
-        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
-        tb_cflags(tb) == desc->cflags) {
-        /* check next page if needed */
-        if (tb->page_addr[1] == -1) {
-            return true;
-        } else {
-            tb_page_addr_t phys_page2;
-            target_ulong virt_page2;
-
-            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
-            phys_page2 = get_page_addr_code(desc->env, virt_page2);
-            if (tb->page_addr[1] == phys_page2) {
-                return true;
-            }
-        }
-    }
-    return false;
-}
-
-TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
-                                   target_ulong cs_base, uint32_t flags,
-                                   uint32_t cflags)
-{
-    tb_page_addr_t phys_pc;
-    struct tb_desc desc;
-    uint32_t h;
-
-    desc.env = cpu->env_ptr;
-    desc.cs_base = cs_base;
-    desc.flags = flags;
-    desc.cflags = cflags;
-    desc.trace_vcpu_dstate = *cpu->trace_dstate;
-    desc.pc = pc;
-    phys_pc = get_page_addr_code(desc.env, pc);
-    if (phys_pc == -1) {
-        return NULL;
-    }
-    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
-    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
-    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
-}
-
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
 {
     if (TCG_TARGET_HAS_direct_jump) {
-- 
2.34.1

The base qemu_ram_addr_from_host function is already in
softmmu/physmem.c; move the nofail version to be adjacent.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu-common.h |  1 +
 accel/tcg/cputlb.c        | 12 ------------
 softmmu/physmem.c         | 12 ++++++++++++
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -XXX,XX +XXX,XX @@ typedef uintptr_t ram_addr_t;
 void qemu_ram_remap(ram_addr_t addr, ram_addr_t length);
 /* This should not be used by devices.  */
 ram_addr_t qemu_ram_addr_from_host(void *ptr);
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
 RAMBlock *qemu_ram_block_by_name(const char *name);
 RAMBlock *qemu_ram_block_from_host(void *ptr, bool round_offset,
                                    ram_addr_t *offset);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                             prot, mmu_idx, size);
 }
 
-static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
-{
-    ram_addr_t ram_addr;
-
-    ram_addr = qemu_ram_addr_from_host(ptr);
-    if (ram_addr == RAM_ADDR_INVALID) {
-        error_report("Bad ram pointer %p", ptr);
-        abort();
-    }
-    return ram_addr;
-}
-
 /*
  * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
  * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -XXX,XX +XXX,XX @@ ram_addr_t qemu_ram_addr_from_host(void *ptr)
     return block->offset + offset;
 }
 
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
+{
+    ram_addr_t ram_addr;
+
+    ram_addr = qemu_ram_addr_from_host(ptr);
+    if (ram_addr == RAM_ADDR_INVALID) {
+        error_report("Bad ram pointer %p", ptr);
+        abort();
+    }
+    return ram_addr;
+}
+
 static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
                                  MemTxAttrs attrs, void *buf, hwaddr len);
 static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
-- 
2.34.1

Simplify the implementation of get_page_addr_code_hostp
by reusing the existing probe_access infrastructure.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 76 ++++++++++++++++------------------------------
 1 file changed, 26 insertions(+), 50 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
   victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
                  (ADDR) & TARGET_PAGE_MASK)
 
-/*
- * Return a ram_addr_t for the virtual address for execution.
- *
- * Return -1 if we can't translate and execute from an entire page
- * of RAM.  This will force us to execute by loading and translating
- * one insn at a time, without caching.
- *
- * NOTE: This function will trigger an exception if the page is
- * not executable.
- */
-tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-                                        void **hostp)
-{
-    uintptr_t mmu_idx = cpu_mmu_index(env, true);
-    uintptr_t index = tlb_index(env, mmu_idx, addr);
-    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    void *p;
-
-    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
-        if (!VICTIM_TLB_HIT(addr_code, addr)) {
-            tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
-            index = tlb_index(env, mmu_idx, addr);
-            entry = tlb_entry(env, mmu_idx, addr);
-
-            if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
-                /*
-                 * The MMU protection covers a smaller range than a target
-                 * page, so we must redo the MMU check for every insn.
-                 */
-                return -1;
-            }
-        }
-        assert(tlb_hit(entry->addr_code, addr));
-    }
-
-    if (unlikely(entry->addr_code & TLB_MMIO)) {
-        /* The region is not backed by RAM.  */
-        if (hostp) {
-            *hostp = NULL;
-        }
-        return -1;
-    }
-
-    p = (void *)((uintptr_t)addr + entry->addend);
-    if (hostp) {
-        *hostp = p;
-    }
-    return qemu_ram_addr_from_host_nofail(p);
-}
-
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
 {
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
     return flags ? NULL : host;
 }
 
+/*
+ * Return a ram_addr_t for the virtual address for execution.
+ *
+ * Return -1 if we can't translate and execute from an entire page
+ * of RAM.  This will force us to execute by loading and translating
+ * one insn at a time, without caching.
+ *
+ * NOTE: This function will trigger an exception if the page is
+ * not executable.
+ */
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp)
+{
+    void *p;
+
+    (void)probe_access_internal(env, addr, 1, MMU_INST_FETCH,
+                                cpu_mmu_index(env, true), false, &p, 0);
+    if (p == NULL) {
+        return -1;
+    }
+    if (hostp) {
+        *hostp = p;
+    }
+    return qemu_ram_addr_from_host_nofail(p);
+}
+
 #ifdef CONFIG_PLUGIN
 /*
  * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
-- 
2.34.1

It was non-obvious to me why we can raise an exception in
the middle of a comparison function, but it works.
While nearby, use TARGET_PAGE_ALIGN instead of open-coding.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static bool tb_lookup_cmp(const void *p, const void *d)
             tb_page_addr_t phys_page2;
             target_ulong virt_page2;
 
-            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+            /*
+             * We know that the first page matched, and an otherwise valid TB
+             * encountered an incomplete instruction at the end of that page,
+             * therefore we know that generating a new TB from the current PC
+             * must also require reading from the next page -- even if the
+             * second pages do not match, and therefore the resulting insn
+             * is different for the new TB.  Therefore any exception raised
+             * here by the faulting lookup is not premature.
+             */
+            virt_page2 = TARGET_PAGE_ALIGN(desc->pc);
             phys_page2 = get_page_addr_code(desc->env, virt_page2);
             if (tb->page_addr[1] == phys_page2) {
                 return true;
-- 
2.34.1

The only user can easily use translator_lduw and
adjust the type to signed during the return.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h   | 1 -
 target/i386/tcg/translate.c | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
 
 #define FOR_EACH_TRANSLATOR_LD(F)                                       \
     F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
-    F(translator_ldsw, int16_t, cpu_ldsw_code, bswap16)                 \
     F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
     F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
     F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
 
 static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
 {
-    return translator_ldsw(env, &s->base, advance_pc(env, s, 2));
+    return translator_lduw(env, &s->base, advance_pc(env, s, 2));
 }
 
 static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
-- 
2.34.1

Pass these along to translator_loop -- pc may be used instead
of tb->pc, and host_pc is currently unused.  Adjust all targets
at one time.

Acked-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h       |  1 -
 include/exec/translator.h     | 24 ++++++++++++++++++++----
 accel/tcg/translate-all.c     |  6 ++++--
 accel/tcg/translator.c        |  9 +++++----
 target/alpha/translate.c      |  5 +++--
 target/arm/translate.c        |  5 +++--
 target/avr/translate.c        |  5 +++--
 target/cris/translate.c       |  5 +++--
 target/hexagon/translate.c    |  6 ++++--
 target/hppa/translate.c       |  5 +++--
 target/i386/tcg/translate.c   |  5 +++--
 target/loongarch/translate.c  |  6 ++++--
 target/m68k/translate.c       |  5 +++--
 target/microblaze/translate.c |  5 +++--
 target/mips/tcg/translate.c   |  5 +++--
 target/nios2/translate.c      |  5 +++--
 target/openrisc/translate.c   |  6 ++++--
 target/ppc/translate.c        |  5 +++--
 target/riscv/translate.c      |  5 +++--
 target/rx/translate.c         |  5 +++--
 target/s390x/tcg/translate.c  |  5 +++--
 target/sh4/translate.c        |  5 +++--
 target/sparc/translate.c      |  5 +++--
 target/tricore/translate.c    |  6 ++++--
 target/xtensa/translate.c     |  6 ++++--
 25 files changed, 97 insertions(+), 53 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ typedef ram_addr_t tb_page_addr_t;
 #define TB_PAGE_ADDR_FMT RAM_ADDR_FMT
 #endif
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns);
 void restore_state_to_opc(CPUArchState *env, TranslationBlock *tb,
                           target_ulong *data);
 
diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@
 #include "exec/translate-all.h"
 #include "tcg/tcg.h"
 
+/**
+ * gen_intermediate_code
+ * @cpu: cpu context
+ * @tb: translation block
+ * @max_insns: max number of instructions to translate
+ * @pc: guest virtual program counter address
+ * @host_pc: host physical program counter address
+ *
+ * This function must be provided by the target, which should create
+ * the target-specific DisasContext, and then invoke translator_loop.
+ */
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc);
 
 /**
  * DisasJumpType:
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
 
 /**
  * translator_loop:
- * @ops: Target-specific operations.
- * @db: Disassembly context.
  * @cpu: Target vCPU.
  * @tb: Translation block.
  * @max_insns: Maximum number of insns to translate.
+ * @pc: guest virtual program counter address
+ * @host_pc: host physical program counter address
+ * @ops: Target-specific operations.
+ * @db: Disassembly context.
  *
  * Generic translator loop.
  *
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
  * - When single-stepping is enabled (system-wide or on the current vCPU).
  * - When too many instructions have been translated.
  */
-void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
-                     CPUState *cpu, TranslationBlock *tb, int max_insns);
+void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                     target_ulong pc, void *host_pc,
+                     const TranslatorOps *ops, DisasContextBase *db);
 
 void translator_loop_temp_check(DisasContextBase *db);
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@
 
 #include "exec/cputlb.h"
 #include "exec/translate-all.h"
+#include "exec/translator.h"
 #include "qemu/bitmap.h"
 #include "qemu/qemu-print.h"
 #include "qemu/timer.h"
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     TCGProfile *prof = &tcg_ctx->prof;
     int64_t ti;
 #endif
+    void *host_pc;
 
     assert_memory_lock();
     qemu_thread_jit_write();
 
-    phys_pc = get_page_addr_code(env, pc);
+    phys_pc = get_page_addr_code_hostp(env, pc, &host_pc);
 
     if (phys_pc == -1) {
         /* Generate a one-shot TB with 1 insn in it */
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     tcg_func_start(tcg_ctx);
 
     tcg_ctx->cpu = env_cpu(env);
-    gen_intermediate_code(cpu, tb, max_insns);
+    gen_intermediate_code(cpu, tb, max_insns, pc, host_pc);
     assert(tb->size != 0);
     tcg_ctx->cpu = NULL;
     max_insns = tb->icount;
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ static inline void translator_page_protect(DisasContextBase *dcbase,
 #endif
 }
 
-void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
-                     CPUState *cpu, TranslationBlock *tb, int max_insns)
+void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                     target_ulong pc, void *host_pc,
+                     const TranslatorOps *ops, DisasContextBase *db)
 {
     uint32_t cflags = tb_cflags(tb);
     bool plugin_enabled;
 
     /* Initialize DisasContext */
     db->tb = tb;
-    db->pc_first = tb->pc;
-    db->pc_next = db->pc_first;
+    db->pc_first = pc;
+    db->pc_next = pc;
     db->is_jmp = DISAS_NEXT;
     db->num_insns = 0;
     db->max_insns = max_insns;
diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
     .disas_log          = alpha_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&alpha_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &alpha_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUAlphaState *env, TranslationBlock *tb,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
 };
 
 /* generate intermediate code for basic block 'tb'.  */
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = { };
     const TranslatorOps *ops = &arm_translator_ops;
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
     }
 #endif
 
-    translator_loop(ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
     .disas_log          = avr_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = { };
-    translator_loop(&avr_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &avr_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUAVRState *env, TranslationBlock *tb,
diff --git a/target/cris/translate.c b/target/cris/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/cris/translate.c
+++ b/target/cris/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
     .disas_log          = cris_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&cris_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &cris_tr_ops, &dc.base);
 }
 
 void cris_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
     .disas_log          = hexagon_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&hexagon_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &hexagon_tr_ops, &ctx.base);
 }
 
 #define NAME_LEN               64
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
     .disas_log          = hppa_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
-    translator_loop(&hppa_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &hppa_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUHPPAState *env, TranslationBlock *tb,
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
 };
 
 /* generate intermediate code for basic block 'tb'.  */
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&i386_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUX86State *env, TranslationBlock *tb,
diff --git a/target/loongarch/translate.c b/target/loongarch/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/loongarch/translate.c
+++ b/target/loongarch/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps loongarch_tr_ops = {
     .disas_log          = loongarch_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&loongarch_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &loongarch_tr_ops, &ctx.base);
 }
 
 void loongarch_translate_init(void)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
     .disas_log          = m68k_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&m68k_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &m68k_tr_ops, &dc.base);
 }
 
 static double floatx80_to_double(CPUM68KState *env, uint16_t high, uint64_t low)
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
     .disas_log          = mb_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&mb_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &mb_tr_ops, &dc.base);
 }
 
 void mb_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
     .disas_log          = mips_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&mips_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &mips_tr_ops, &ctx.base);
 }
 
 void mips_tcg_init(void)
diff --git a/target/nios2/translate.c b/target/nios2/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/translate.c
+++ b/target/nios2/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
     .disas_log          = nios2_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&nios2_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &nios2_tr_ops, &dc.base);
 }
 
 void nios2_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
     .disas_log          = openrisc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&openrisc_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &openrisc_tr_ops, &ctx.base);
 }
 
 void openrisc_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
     .disas_log          = ppc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&ppc_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &ppc_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUPPCState *env, TranslationBlock *tb,
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
     .disas_log          = riscv_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&riscv_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &riscv_tr_ops, &ctx.base);
 }
 
 void riscv_translate_init(void)
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
     .disas_log          = rx_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&rx_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &rx_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPURXState *env, TranslationBlock *tb,
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
     .disas_log          = s390x_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&s390x_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &s390x_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUS390XState *env, TranslationBlock *tb,
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
     .disas_log          = sh4_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&sh4_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &sh4_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUSH4State *env, TranslationBlock *tb,
diff --git a/target/sparc/translate.c b/target/sparc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sparc/translate.c
+++ b/target/sparc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
     .disas_log          = sparc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = {};
 
-    translator_loop(&sparc_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &sparc_tr_ops, &dc.base);
 }
 
 void sparc_tcg_init(void)
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
 };
 
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
-    translator_loop(&tricore_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &tricore_tr_ops, &ctx.base);
 }
 
 void
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
     .disas_log          = xtensa_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = {};
-    translator_loop(&xtensa_translator_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc,
+                    &xtensa_translator_ops, &dc.base);
 }
 
 void xtensa_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-- 
2.34.1

Cache the translation from guest to host address, so we may
use direct loads when we hit on the primary translation page.

Look up the second translation page only once, during translation.
This obviates another lookup of the second page within tb_gen_code
after translation.

Fixes a bug in that plugin_insn_append should be passed the bytes
in the original memory order, not bswapped by pieces.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h |  63 +++++++++++--------
 accel/tcg/translate-all.c |  23 +++----
 accel/tcg/translator.c    | 126 +++++++++++++++++++++++++++++---------
 3 files changed, 141 insertions(+), 71 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ typedef enum DisasJumpType {
  * Architecture-agnostic disassembly context.
  */
 typedef struct DisasContextBase {
-    const TranslationBlock *tb;
+    TranslationBlock *tb;
     target_ulong pc_first;
     target_ulong pc_next;
     DisasJumpType is_jmp;
     int num_insns;
     int max_insns;
     bool singlestep_enabled;
-#ifdef CONFIG_USER_ONLY
-    /*
-     * Guest address of the last byte of the last protected page.
-     *
-     * Pages containing the translated instructions are made non-writable in
-     * order to achieve consistency in case another thread is modifying the
-     * code while translate_insn() fetches the instruction bytes piecemeal.
-     * Such writer threads are blocked on mmap_lock() in page_unprotect().
-     */
-    target_ulong page_protect_end;
-#endif
+    void *host_addr[2];
 } DisasContextBase;
 
 /**
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
  * the relevant information at translation time.
  */
 
-#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
-    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
-                           abi_ptr pc, bool do_swap);                   \
-    static inline type fullname(CPUArchState *env,                      \
-                                DisasContextBase *dcbase, abi_ptr pc)   \
-    {                                                                   \
-        return fullname ## _swap(env, dcbase, pc, false);               \
+uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+
+static inline uint16_t
+translator_lduw_swap(CPUArchState *env, DisasContextBase *db,
+                     abi_ptr pc, bool do_swap)
+{
+    uint16_t ret = translator_lduw(env, db, pc);
+    if (do_swap) {
+        ret = bswap16(ret);
     }
+    return ret;
+}
 
-#define FOR_EACH_TRANSLATOR_LD(F)                                       \
-    F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
-    F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
-    F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
-    F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
+static inline uint32_t
+translator_ldl_swap(CPUArchState *env, DisasContextBase *db,
+                    abi_ptr pc, bool do_swap)
+{
+    uint32_t ret = translator_ldl(env, db, pc);
+    if (do_swap) {
+        ret = bswap32(ret);
+    }
+    return ret;
+}
 
-FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
-
-#undef GEN_TRANSLATOR_LD
+static inline uint64_t
+translator_ldq_swap(CPUArchState *env, DisasContextBase *db,
+                    abi_ptr pc, bool do_swap)
+{
+    uint64_t ret = translator_ldq_swap(env, db, pc, false);
+    if (do_swap) {
+        ret = bswap64(ret);
+    }
+    return ret;
+}
 
 /*
  * Return whether addr is on the same page as where disassembly started.
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
 {
     CPUArchState *env = cpu->env_ptr;
     TranslationBlock *tb, *existing_tb;
-    tb_page_addr_t phys_pc, phys_page2;
-    target_ulong virt_page2;
+    tb_page_addr_t phys_pc;
     tcg_insn_unit *gen_code_buf;
     int gen_code_size, search_size, max_insns;
 #ifdef CONFIG_PROFILER
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     tb->flags = flags;
     tb->cflags = cflags;
     tb->trace_vcpu_dstate = *cpu->trace_dstate;
+    tb->page_addr[0] = phys_pc;
+    tb->page_addr[1] = -1;
     tcg_ctx->tb_cflags = cflags;
  tb_overflow:
 
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     }
 
     /*
-     * If the TB is not associated with a physical RAM page then
-     * it must be a temporary one-insn TB, and we have nothing to do
-     * except fill in the page_addr[] fields. Return early before
-     * attempting to link to other TBs or add to the lookup table.
+     * If the TB is not associated with a physical RAM page then it must be
+     * a temporary one-insn TB, and we have nothing left to do. Return early
+     * before attempting to link to other TBs or add to the lookup table.
      */
-    if (phys_pc == -1) {
-        tb->page_addr[0] = tb->page_addr[1] = -1;
+    if (tb->page_addr[0] == -1) {
         return tb;
     }
 
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      */
     tcg_tb_insert(tb);
 
-    /* check next page if needed */
-    virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
-    phys_page2 = -1;
-    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
-        phys_page2 = get_page_addr_code(env, virt_page2);
-    }
     /*
      * No explicit memory barrier is required -- tb_link_page() makes the
      * TB visible in a consistent state.
      */
-    existing_tb = tb_link_page(tb, phys_pc, phys_page2);
+    existing_tb = tb_link_page(tb, tb->page_addr[0], tb->page_addr[1]);
     /* if the TB already exists, discard what we just translated */
     if (unlikely(existing_tb != tb)) {
         uintptr_t orig_aligned = (uintptr_t)gen_code_buf;
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
     return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
 }
 
-static inline void translator_page_protect(DisasContextBase *dcbase,
-                                           target_ulong pc)
-{
-#ifdef CONFIG_USER_ONLY
-    dcbase->page_protect_end = pc | ~TARGET_PAGE_MASK;
-    page_protect(pc);
-#endif
-}
-
 void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
                      target_ulong pc, void *host_pc,
                      const TranslatorOps *ops, DisasContextBase *db)
@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
     db->num_insns = 0;
     db->max_insns = max_insns;
     db->singlestep_enabled = cflags & CF_SINGLE_STEP;
-    translator_page_protect(db, db->pc_next);
+    db->host_addr[0] = host_pc;
+    db->host_addr[1] = NULL;
+
+#ifdef CONFIG_USER_ONLY
+    page_protect(pc);
+#endif
 
     ops->init_disas_context(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 #endif
 }
 
-static inline void translator_maybe_page_protect(DisasContextBase *dcbase,
-                                                 target_ulong pc, size_t len)
+static void *translator_access(CPUArchState *env, DisasContextBase *db,
+                               target_ulong pc, size_t len)
 {
-#ifdef CONFIG_USER_ONLY
-    target_ulong end = pc + len - 1;
+    void *host;
+    target_ulong base, end;
+    TranslationBlock *tb;
 
-    if (end > dcbase->page_protect_end) {
-        translator_page_protect(dcbase, end);
+    tb = db->tb;
+
+    /* Use slow path if first page is MMIO. */
+    if (unlikely(tb->page_addr[0] == -1)) {
+        return NULL;
     }
+
+    end = pc + len - 1;
+    if (likely(is_same_page(db, end))) {
+        host = db->host_addr[0];
+        base = db->pc_first;
+    } else {
+        host = db->host_addr[1];
+        base = TARGET_PAGE_ALIGN(db->pc_first);
+        if (host == NULL) {
+            tb->page_addr[1] =
+                get_page_addr_code_hostp(env, base, &db->host_addr[1]);
+#ifdef CONFIG_USER_ONLY
+            page_protect(end);
 #endif
+            /* We cannot handle MMIO as second page. */
+            assert(tb->page_addr[1] != -1);
+            host = db->host_addr[1];
+        }
+
+        /* Use slow path when crossing pages. */
+        if (is_same_page(db, pc)) {
+            return NULL;
+        }
+    }
+
+    tcg_debug_assert(pc >= base);
+    return host + (pc - base);
 }
 
-#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
-    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
-                           abi_ptr pc, bool do_swap)                    \
-    {                                                                   \
-        translator_maybe_page_protect(dcbase, pc, sizeof(type));        \
-        type ret = load_fn(env, pc);                                    \
-        if (do_swap) {                                                  \
-            ret = swap_fn(ret);                                         \
-        }                                                               \
-        plugin_insn_append(pc, &ret, sizeof(ret));                      \
-        return ret;                                                     \
+uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint8_t ret;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldub_p(p);
     }
+    ret = cpu_ldub_code(env, pc);
+    plugin_insn_append(pc, &ret, sizeof(ret));
+    return ret;
+}
 
-FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
+uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint16_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
 
-#undef GEN_TRANSLATOR_LD
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return lduw_p(p);
+    }
+    ret = cpu_lduw_code(env, pc);
+    plug = tswap16(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
+
+uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint32_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldl_p(p);
+    }
+    ret = cpu_ldl_code(env, pc);
+    plug = tswap32(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
+
+uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint64_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldq_p(p);
+    }
+    ret = cpu_ldq_code(env, pc);
+    plug = tswap64(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Right now translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220817150506.592862-3-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/s390x/tcg/translate.c     |  15 +++-
 tests/tcg/s390x/noexec.c         | 106 +++++++++++++++++++++++
 tests/tcg/multiarch/noexec.c.inc | 139 +++++++++++++++++++++++++++++++
 tests/tcg/s390x/Makefile.target  |   1 +
 4 files changed, 257 insertions(+), 4 deletions(-)
 create mode 100644 tests/tcg/s390x/noexec.c
 create mode 100644 tests/tcg/multiarch/noexec.c.inc

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     dc->insn_start = tcg_last_op();
 }
 
+static target_ulong get_next_pc(CPUS390XState *env, DisasContext *s,
+                                uint64_t pc)
+{
+    uint64_t insn = ld_code2(env, s, pc);
+
+    return pc + get_ilen((insn >> 8) & 0xff);
+}
+
 static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     CPUS390XState *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 
     dc->base.is_jmp = translate_one(env, dc);
     if (dc->base.is_jmp == DISAS_NEXT) {
-        uint64_t page_start;
-
-        page_start = dc->base.pc_first & TARGET_PAGE_MASK;
-        if (dc->base.pc_next - page_start >= TARGET_PAGE_SIZE || dc->ex_value) {
+        if (!is_same_page(dcbase, dc->base.pc_next) ||
+            !is_same_page(dcbase, get_next_pc(env, dc, dc->base.pc_next)) ||
+            dc->ex_value) {
             dc->base.is_jmp = DISAS_TOO_MANY;
         }
     }
diff --git a/tests/tcg/s390x/noexec.c b/tests/tcg/s390x/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/s390x/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->psw.addr;
+}
+
+static int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->gregs[2];
+}
+
+static void arch_flush(void *p, int len)
+{
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm("noexec_1:\n"
+    "   lgfi %r2,1\n"       /* %r2 is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "   lgfi %r2,2\n"       /* %r2 is 0/1; set 2. */
+    "   br %r14\n"          /* return */
+    "noexec_end:");
+
+extern char exrl_1[];
+extern char exrl_2[];
+extern char exrl_end[];
+
+asm("exrl_1:\n"
+    "   exrl %r0, exrl_2\n"
+    "   br %r14\n"
+    "exrl_2:\n"
+    "   lgfi %r2,2\n"
+    "exrl_end:");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "exrl",
+            .test_code = exrl_1,
+            .test_len = exrl_end - exrl_1,
+            .page_ofs = exrl_1 - exrl_2,
+            .entry_ofs = exrl_1 - exrl_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = exrl_1 - exrl_2,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+        {
+            .name = "exrl [cross]",
+            .test_code = exrl_1,
+            .test_len = exrl_end - exrl_1,
+            .page_ofs = exrl_1 - exrl_2 - 2,
+            .entry_ofs = exrl_1 - exrl_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = exrl_1 - exrl_2 - 2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/multiarch/noexec.c.inc b/tests/tcg/multiarch/noexec.c.inc
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/multiarch/noexec.c.inc
@@ -XXX,XX +XXX,XX @@
+/*
+ * Common code for arch-specific MMU_INST_FETCH fault testing.
+ */
+
+#define _GNU_SOURCE
+
+#include <assert.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/ucontext.h>
+
+/* Forward declarations. */
+
+static void *arch_mcontext_pc(const mcontext_t *ctx);
+static int arch_mcontext_arg(const mcontext_t *ctx);
+static void arch_flush(void *p, int len);
+
+/* Testing infrastructure. */
+
+struct noexec_test {
+    const char *name;
+    const char *test_code;
+    int test_len;
+    int page_ofs;
+    int entry_ofs;
+    int expected_si_ofs;
+    int expected_pc_ofs;
+    int expected_arg;
+};
+
+static void *page_base;
+static int page_size;
+static const struct noexec_test *current_noexec_test;
+
+static void handle_err(const char *syscall)
+{
+    printf("[  FAILED  ] %s: %s\n", syscall, strerror(errno));
+    exit(EXIT_FAILURE);
+}
+
+static void handle_segv(int sig, siginfo_t *info, void *ucontext)
+{
+    const struct noexec_test *test = current_noexec_test;
+    const mcontext_t *mc = &((ucontext_t *)ucontext)->uc_mcontext;
+    void *expected_si;
+    void *expected_pc;
+    void *pc;
+    int arg;
+
+    if (test == NULL) {
+        printf("[  FAILED  ] unexpected SEGV\n");
+        exit(EXIT_FAILURE);
+    }
+    current_noexec_test = NULL;
+
+    expected_si = page_base + test->expected_si_ofs;
+    if (info->si_addr != expected_si) {
+        printf("[  FAILED  ] wrong si_addr (%p != %p)\n",
+               info->si_addr, expected_si);
+        exit(EXIT_FAILURE);
+    }
+
+    pc = arch_mcontext_pc(mc);
+    expected_pc = page_base + test->expected_pc_ofs;
+    if (pc != expected_pc) {
+        printf("[  FAILED  ] wrong pc (%p != %p)\n", pc, expected_pc);
+        exit(EXIT_FAILURE);
+    }
+
+    arg = arch_mcontext_arg(mc);
+    if (arg != test->expected_arg) {
+        printf("[  FAILED  ] wrong arg (%d != %d)\n", arg, test->expected_arg);
+        exit(EXIT_FAILURE);
+    }
+
+    if (mprotect(page_base, page_size,
+                 PROT_READ | PROT_WRITE | PROT_EXEC) < 0) {
+        handle_err("mprotect");
+    }
+}
+
+static void test_noexec_1(const struct noexec_test *test)
+{
+    void *start = page_base + test->page_ofs;
+    void (*fn)(int arg) = page_base + test->entry_ofs;
+
+    memcpy(start, test->test_code, test->test_len);
+    arch_flush(start, test->test_len);
+
+    /* Trigger TB creation in order to test invalidation. */
+    fn(0);
+
+    if (mprotect(page_base, page_size, PROT_NONE) < 0) {
+        handle_err("mprotect");
+    }
+
+    /* Trigger SEGV and check that handle_segv() ran. */
+    current_noexec_test = test;
+    fn(0);
+    assert(current_noexec_test == NULL);
+}
+
+static int test_noexec(struct noexec_test *tests, size_t n_tests)
+{
+    struct sigaction act;
+    size_t i;
+
+    memset(&act, 0, sizeof(act));
+    act.sa_sigaction = handle_segv;
+    act.sa_flags = SA_SIGINFO;
+    if (sigaction(SIGSEGV, &act, NULL) < 0) {
+        handle_err("sigaction");
+    }
+
+    page_size = getpagesize();
+    page_base = mmap(NULL, 2 * page_size,
+                     PROT_READ | PROT_WRITE | PROT_EXEC,
+                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+    if (page_base == MAP_FAILED) {
+        handle_err("mmap");
+    }
+    page_base += page_size;
+
+    for (i = 0; i < n_tests; i++) {
+        struct noexec_test *test = &tests[i];
+
+        printf("[ RUN      ] %s\n", test->name);
+        test_noexec_1(test);
+        printf("[       OK ]\n");
+    }
+
+    printf("[  PASSED  ]\n");
+    return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -XXX,XX +XXX,XX @@ TESTS+=shift
 TESTS+=trap
 TESTS+=signals-s390x
 TESTS+=branch-relative-long
+TESTS+=noexec
 
 Z14_TESTS=vfminmax
 vfminmax: LDFLAGS+=-lm
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Right now translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

An implementation, like the one arm and s390x have, would require an
i386 length disassembler, which is burdensome to maintain. Another
alternative would be to single-step at the end of a guest page, but
this may come with a performance impact.

Fix by snapshotting disassembly state and restoring it after we figure
out we crossed a page boundary. This includes rolling back cc_op
updates and emitted ops.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1143
Message-Id: <20220817150506.592862-4-iii@linux.ibm.com>
[rth: Simplify end-of-insn cross-page checks.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c      | 64 ++++++++++++++++-----------
 tests/tcg/x86_64/noexec.c        | 75 ++++++++++++++++++++++++++++++++
 tests/tcg/x86_64/Makefile.target |  3 +-
 3 files changed, 116 insertions(+), 26 deletions(-)
 create mode 100644 tests/tcg/x86_64/noexec.c

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     TCGv_i64 tmp1_i64;
 
     sigjmp_buf jmpbuf;
+    TCGOp *prev_insn_end;
 } DisasContext;
 
 /* The environment in which user-only runs is constrained. */
@@ -XXX,XX +XXX,XX @@ static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
 {
     uint64_t pc = s->pc;
 
+    /* This is a subsequent insn that crosses a page boundary.  */
+    if (s->base.num_insns > 1 &&
+        !is_same_page(&s->base, s->pc + num_bytes - 1)) {
+        siglongjmp(s->jmpbuf, 2);
+    }
+
     s->pc += num_bytes;
     if (unlikely(s->pc - s->pc_start > X86_MAX_INSN_LENGTH)) {
         /* If the instruction's 16th byte is on a different page than the 1st, a
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
     int modrm, reg, rm, mod, op, opreg, val;
     target_ulong next_eip, tval;
     target_ulong pc_start = s->base.pc_next;
+    bool orig_cc_op_dirty = s->cc_op_dirty;
+    CCOp orig_cc_op = s->cc_op;
 
     s->pc_start = s->pc = pc_start;
     s->override = -1;
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
     s->rip_offset = 0; /* for relative ip address */
     s->vex_l = 0;
     s->vex_v = 0;
-    if (sigsetjmp(s->jmpbuf, 0) != 0) {
+    switch (sigsetjmp(s->jmpbuf, 0)) {
+    case 0:
+        break;
+    case 1:
         gen_exception_gpf(s);
         return s->pc;
+    case 2:
+        /* Restore state that may affect the next instruction. */
+        s->cc_op_dirty = orig_cc_op_dirty;
+        s->cc_op = orig_cc_op;
+        s->base.num_insns--;
+        tcg_remove_ops_after(s->prev_insn_end);
+        s->base.is_jmp = DISAS_TOO_MANY;
+        return pc_start;
+    default:
+        g_assert_not_reached();
     }
 
     prefixes = 0;
@@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
+    dc->prev_insn_end = tcg_last_op();
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
@@ -XXX,XX +XXX,XX @@ static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 #endif
 
     pc_next = disas_insn(dc, cpu);
-
-    if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
-        /* if single step mode, we generate only one instruction and
-           generate an exception */
-        /* if irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
-           the flag and abort the translation to give the irqs a
-           chance to happen */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else if ((tb_cflags(dc->base.tb) & CF_USE_ICOUNT)
-               && ((pc_next & TARGET_PAGE_MASK)
-                   != ((pc_next + TARGET_MAX_INSN_SIZE - 1)
-                       & TARGET_PAGE_MASK)
-                   || (pc_next & ~TARGET_PAGE_MASK) == 0)) {
-        /* Do not cross the boundary of the pages in icount mode,
-           it can cause an exception. Do it only when boundary is
-           crossed by the first instruction in the block.
-           If current instruction already crossed the bound - it's ok,
-           because an exception hasn't stopped this code.
-         */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else if ((pc_next - dc->base.pc_first) >= (TARGET_PAGE_SIZE - 32)) {
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    }
-
     dc->base.pc_next = pc_next;
+
+    if (dc->base.is_jmp == DISAS_NEXT) {
+        if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
+            /*
+             * If single step mode, we generate only one instruction and
+             * generate an exception.
+             * If irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
+             * the flag and abort the translation to give the irqs a
+             * chance to happen.
+             */
+            dc->base.is_jmp = DISAS_TOO_MANY;
+        } else if (!is_same_page(&dc->base, pc_next)) {
+            dc->base.is_jmp = DISAS_TOO_MANY;
+        }
+    }
 }
 
 static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/tests/tcg/x86_64/noexec.c b/tests/tcg/x86_64/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/x86_64/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->gregs[REG_RIP];
+}
+
+int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->gregs[REG_RDI];
+}
+
+static void arch_flush(void *p, int len)
+{
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm("noexec_1:\n"
+    "    movq $1,%rdi\n"    /* %rdi is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "    movq $2,%rdi\n"    /* %rdi is 0/1; set 2. */
+    "    ret\n"
+    "noexec_end:");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/x86_64/Makefile.target b/tests/tcg/x86_64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/x86_64/Makefile.target
+++ b/tests/tcg/x86_64/Makefile.target
@@ -XXX,XX +XXX,XX @@ include $(SRC_PATH)/tests/tcg/i386/Makefile.target
 
 ifeq ($(filter %-linux-user, $(TARGET)),$(TARGET))
 X86_64_TESTS += vsyscall
+X86_64_TESTS += noexec
 TESTS=$(MULTIARCH_TESTS) $(X86_64_TESTS) test-x86_64
 else
 TESTS=$(MULTIARCH_TESTS)
@@ -XXX,XX +XXX,XX @@ test-x86_64: LDFLAGS+=-lm -lc
 test-x86_64: test-i386.c test-i386.h test-i386-shift.h test-i386-muldiv.h
 	$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 
-vsyscall: $(SRC_PATH)/tests/tcg/x86_64/vsyscall.c
+%: $(SRC_PATH)/tests/tcg/x86_64/%.c
 	$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
-- 
2.34.1

These will be useful in properly ending the TB.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
 /* Include decoders for factored-out extensions */
 #include "decode-XVentanaCondOps.c.inc"
 
+/* The specification allows for longer insns, but not supported by qemu. */
+#define MAX_INSN_LEN  4
+
+static inline int insn_len(uint16_t first_word)
+{
+    return (first_word & 3) == 3 ? 4 : 2;
+}
+
 static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
     };
 
     /* Check for compressed insn */
-    if (extract16(opcode, 0, 2) != 3) {
+    if (insn_len(opcode) == 2) {
         if (!has_ext(ctx, RVC)) {
             gen_exception_illegal(ctx);
         } else {
-- 
2.34.1

Right now the translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1155
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c          | 17 +++++--
 tests/tcg/riscv64/noexec.c        | 79 +++++++++++++++++++++++++++++++
 tests/tcg/riscv64/Makefile.target |  1 +
 3 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 tests/tcg/riscv64/noexec.c

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
     ctx->nftemp = 0;
 
+    /* Only the first insn within a TB is allowed to cross a page boundary. */
     if (ctx->base.is_jmp == DISAS_NEXT) {
-        target_ulong page_start;
-
-        page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
-        if (ctx->base.pc_next - page_start >= TARGET_PAGE_SIZE) {
+        if (!is_same_page(&ctx->base, ctx->base.pc_next)) {
             ctx->base.is_jmp = DISAS_TOO_MANY;
+        } else {
+            unsigned page_ofs = ctx->base.pc_next & ~TARGET_PAGE_MASK;
+
+            if (page_ofs > TARGET_PAGE_SIZE - MAX_INSN_LEN) {
+                uint16_t next_insn = cpu_lduw_code(env, ctx->base.pc_next);
+                int len = insn_len(next_insn);
+
+                if (!is_same_page(&ctx->base, ctx->base.pc_next + len)) {
+                    ctx->base.is_jmp = DISAS_TOO_MANY;
+                }
+            }
         }
     }
 }
diff --git a/tests/tcg/riscv64/noexec.c b/tests/tcg/riscv64/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/riscv64/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->__gregs[REG_PC];
+}
+
+static int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->__gregs[REG_A0];
+}
+
+static void arch_flush(void *p, int len)
+{
+    __builtin___clear_cache(p, p + len);
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm(".option push\n"
+    ".option norvc\n"
+    "noexec_1:\n"
+    "   li a0,1\n"       /* a0 is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "   li a0,2\n"      /* a0 is 0/1; set 2. */
+    "   ret\n"
+    "noexec_end:\n"
+    ".option pop");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/riscv64/Makefile.target b/tests/tcg/riscv64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/riscv64/Makefile.target
+++ b/tests/tcg/riscv64/Makefile.target
@@ -XXX,XX +XXX,XX @@
 
 VPATH += $(SRC_PATH)/tests/tcg/riscv64
 TESTS += test-div
+TESTS += noexec
-- 
2.34.1

v2: Fix incorretly resolved rebase conflict in patch 16.
v3: Work around clang preprocessor bug in patch 3.

The following changes since commit fd28528ece590dc709d1a893fce2ff2f68ddca70:

Merge tag 'pull-or1k-20220904' of https://github.com/stffrdhrn/qemu into staging (2022-09-05 18:01:02 -0400)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220906

for you to fetch changes up to 00c07344fa245b22e895b363320ba4cd0ec1088a:

target/riscv: Make translator stop before the end of a page (2022-09-06 08:04:26 +0100)

----------------------------------------------------------------
Respect PROT_EXEC in user-only mode.
Fix s390x, i386 and riscv for translations crossing a page.

We're about to start validating PAGE_EXEC, which means that we've
got to mark page zero executable.  We had been special casing this
entirely within translate.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/elfload.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

We're about to start validating PAGE_EXEC, which means that we've
got to mark the vsyscall page executable.  We had been special
casing this entirely within translate.

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
     (*regs)[26] = tswapreg(env->segs[R_GS].selector & 0xffff);
 }
 
+#if ULONG_MAX > UINT32_MAX
+#define INIT_GUEST_COMMPAGE
+static bool init_guest_commpage(void)
+{
+    /*
+     * The vsyscall page is at a high negative address aka kernel space,
+     * which means that we cannot actually allocate it with target_mmap.
+     * We still should be able to use page_set_flags, unless the user
+     * has specified -R reserved_va, which would trigger an assert().
+     */
+    if (reserved_va != 0 &&
+        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
+        error_report("Cannot allocate vsyscall page");
+        exit(EXIT_FAILURE);
+    }
+    page_set_flags(TARGET_VSYSCALL_PAGE,
+                   TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
+                   PAGE_EXEC | PAGE_VALID);
+    return true;
+}
+#endif
 #else
 
 #define ELF_START_MMAP 0x80000000
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 #else
 #define HI_COMMPAGE 0
 #define LO_COMMPAGE -1
+#ifndef INIT_GUEST_COMMPAGE
 #define init_guest_commpage() true
 #endif
+#endif
 
 static void pgb_fail_in_use(const char *image_name)
 {
-- 
2.34.1