Series comparison

-[PULL 00/20] tcg patch queue
+[PULL 00/53] tcg patch queue
-The following changes since commit e93ded1bf6c94ab95015b33e188bc8b0b0c32670:
+The following changes since commit d530697ca20e19f7a626f4c1c8b26fccd0dc4470:
-  Merge tag 'testing-pull-request-2022-08-30' of https://gitlab.com/thuth/qemu into staging (2022-08-31 18:19:03 -0400)
+  Merge tag 'pull-testing-updates-100523-1' of https://gitlab.com/stsquad/qemu into staging (2023-05-10 16:43:01 +0100)
 are available in the Git repository at:
-  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220901
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230511
-for you to fetch changes up to 20011be2e30b8aa8ef1fc258485f00c688703deb:
+for you to fetch changes up to b2d4d6616c22325dff802e0a35092167f2dc2268:
-  target/riscv: Make translator stop before the end of a page (2022-09-01 07:43:08 +0100)
+  target/loongarch: Do not include tcg-ldst.h (2023-05-11 06:06:04 +0100)
 ----------------------------------------------------------------
-Respect PROT_EXEC in user-only mode.
+target/m68k: Fix gen_load_fp regression
-Fix s390x, i386 and riscv for translations crossing a page.
+accel/tcg: Ensure fairness with icount
 disas: Move disas.c into the target-independent source sets
 tcg: Use common routines for calling slow path helpers
 tcg/*: Cleanups to qemu_ld/st constraints
 tcg: Remove TARGET_ALIGNED_ONLY
 accel/tcg: Reorg system mode load/store helpers
 ----------------------------------------------------------------
-Ilya Leoshkevich (4):
+Jamie Iles (2):
-      linux-user: Clear translations on mprotect()
+      cpu: expose qemu_cpu_list_lock for lock-guard use
-      accel/tcg: Introduce is_same_page()
+      accel/tcg/tcg-accel-ops-rr: ensure fairness with icount
       target/s390x: Make translator stop before the end of a page
       target/i386: Make translator stop before the end of a page
-Richard Henderson (16):
+Richard Henderson (49):
-      linux-user/arm: Mark the commpage executable
+      target/m68k: Fix gen_load_fp for OS_LONG
-      linux-user/hppa: Allocate page zero as a commpage
+      accel/tcg: Fix atomic_mmu_lookup for reads
-      linux-user/x86_64: Allocate vsyscall page as a commpage
+      disas: Fix tabs and braces in disas.c
-      linux-user: Honor PT_GNU_STACK
+      disas: Move disas.c to disas/
-      tests/tcg/i386: Move smc_code2 to an executable section
+      disas: Remove target_ulong from the interface
-      accel/tcg: Properly implement get_page_addr_code for user-only
+      disas: Remove target-specific headers
-      accel/tcg: Unlock mmap_lock after longjmp
+      tcg/i386: Introduce prepare_host_addr
-      accel/tcg: Make tb_htable_lookup static
+      tcg/i386: Use indexed addressing for softmmu fast path
-      accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
+      tcg/aarch64: Introduce prepare_host_addr
-      accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
+      tcg/arm: Introduce prepare_host_addr
-      accel/tcg: Document the faulting lookup in tb_lookup_cmp
+      tcg/loongarch64: Introduce prepare_host_addr
-      accel/tcg: Remove translator_ldsw
+      tcg/mips: Introduce prepare_host_addr
-      accel/tcg: Add pc and host_pc params to gen_intermediate_code
+      tcg/ppc: Introduce prepare_host_addr
-      accel/tcg: Add fast path for translator_ld*
+      tcg/riscv: Introduce prepare_host_addr
-      target/riscv: Add MAX_INSN_LEN and insn_len
+      tcg/s390x: Introduce prepare_host_addr
-      target/riscv: Make translator stop before the end of a page
+      tcg: Add routines for calling slow-path helpers
       tcg/i386: Convert tcg_out_qemu_ld_slow_path
       tcg/i386: Convert tcg_out_qemu_st_slow_path
       tcg/aarch64: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/arm: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/loongarch64: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/mips: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/ppc: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/riscv: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/s390x: Convert tcg_out_qemu_{ld,st}_slow_path
       tcg/loongarch64: Simplify constraints on qemu_ld/st
       tcg/mips: Remove MO_BSWAP handling
       tcg/mips: Reorg tlb load within prepare_host_addr
       tcg/mips: Simplify constraints on qemu_ld/st
       tcg/ppc: Reorg tcg_out_tlb_read
       tcg/ppc: Adjust constraints on qemu_ld/st
       tcg/ppc: Remove unused constraints A, B, C, D
       tcg/ppc: Remove unused constraint J
       tcg/riscv: Simplify constraints on qemu_ld/st
       tcg/s390x: Use ALGFR in constructing softmmu host address
       tcg/s390x: Simplify constraints on qemu_ld/st
       target/mips: Add MO_ALIGN to gen_llwp, gen_scwp
       target/mips: Add missing default_tcg_memop_mask
       target/mips: Use MO_ALIGN instead of 0
       target/mips: Remove TARGET_ALIGNED_ONLY
       target/nios2: Remove TARGET_ALIGNED_ONLY
       target/sh4: Use MO_ALIGN where required
       target/sh4: Remove TARGET_ALIGNED_ONLY
       tcg: Remove TARGET_ALIGNED_ONLY
       accel/tcg: Add cpu_in_serial_context
       accel/tcg: Introduce tlb_read_idx
       accel/tcg: Reorg system mode load helpers
       accel/tcg: Reorg system mode store helpers
       target/loongarch: Do not include tcg-ldst.h
- include/elf.h                     |   1 +
+Thomas Huth (2):
- include/exec/cpu-common.h         |   1 +
+      disas: Move softmmu specific code to separate file
- include/exec/exec-all.h           |  89 ++++++++----------------
+      disas: Move disas.c into the target-independent source set
- include/exec/translator.h         |  96 ++++++++++++++++---------
- linux-user/arm/target_cpu.h       |   4 +-
+ configs/targets/mips-linux-user.mak       |    1 -
- linux-user/qemu.h                 |   1 +
+ configs/targets/mips-softmmu.mak          |    1 -
- accel/tcg/cpu-exec.c              | 143 ++++++++++++++++++++------------------
+ configs/targets/mips64-linux-user.mak     |    1 -
- accel/tcg/cputlb.c                |  93 +++++++------------------
+ configs/targets/mips64-softmmu.mak        |    1 -
- accel/tcg/translate-all.c         |  29 ++++----
+ configs/targets/mips64el-linux-user.mak   |    1 -
- accel/tcg/translator.c            | 135 ++++++++++++++++++++++++++---------
+ configs/targets/mips64el-softmmu.mak      |    1 -
- accel/tcg/user-exec.c             |  17 ++++-
+ configs/targets/mipsel-linux-user.mak     |    1 -
- linux-user/elfload.c              |  82 ++++++++++++++++++++--
+ configs/targets/mipsel-softmmu.mak        |    1 -
- linux-user/mmap.c                 |   6 +-
+ configs/targets/mipsn32-linux-user.mak    |    1 -
- softmmu/physmem.c                 |  12 ++++
+ configs/targets/mipsn32el-linux-user.mak  |    1 -
- target/alpha/translate.c          |   5 +-
+ configs/targets/nios2-softmmu.mak         |    1 -
- target/arm/translate.c            |   5 +-
+ configs/targets/sh4-linux-user.mak        |    1 -
- target/avr/translate.c            |   5 +-
+ configs/targets/sh4-softmmu.mak           |    1 -
- target/cris/translate.c           |   5 +-
+ configs/targets/sh4eb-linux-user.mak      |    1 -
- target/hexagon/translate.c        |   6 +-
+ configs/targets/sh4eb-softmmu.mak         |    1 -
- target/hppa/translate.c           |   5 +-
+ meson.build                               |    3 -
- target/i386/tcg/translate.c       |  71 +++++++++++--------
+ accel/tcg/internal.h                      |    9 +
- target/loongarch/translate.c      |   6 +-
+ accel/tcg/tcg-accel-ops-icount.h          |    3 +-
- target/m68k/translate.c           |   5 +-
+ disas/disas-internal.h                    |   21 +
- target/microblaze/translate.c     |   5 +-
+ include/disas/disas.h                     |   23 +-
- target/mips/tcg/translate.c       |   5 +-
+ include/exec/cpu-common.h                 |    1 +
- target/nios2/translate.c          |   5 +-
+ include/exec/cpu-defs.h                   |    7 +-
- target/openrisc/translate.c       |   6 +-
+ include/exec/cpu_ldst.h                   |   26 +-
- target/ppc/translate.c            |   5 +-
+ include/exec/memop.h                      |   13 +-
- target/riscv/translate.c          |  32 +++++++--
+ include/exec/poison.h                     |    1 -
- target/rx/translate.c             |   5 +-
+ tcg/loongarch64/tcg-target-con-set.h      |    2 -
- target/s390x/tcg/translate.c      |  20 ++++--
+ tcg/loongarch64/tcg-target-con-str.h      |    1 -
- target/sh4/translate.c            |   5 +-
+ tcg/mips/tcg-target-con-set.h             |   13 +-
- target/sparc/translate.c          |   5 +-
+ tcg/mips/tcg-target-con-str.h             |    2 -
- target/tricore/translate.c        |   6 +-
+ tcg/mips/tcg-target.h                     |    4 +-
- target/xtensa/translate.c         |   6 +-
+ tcg/ppc/tcg-target-con-set.h              |   11 +-
- tests/tcg/i386/test-i386.c        |   2 +-
+ tcg/ppc/tcg-target-con-str.h              |    7 -
- tests/tcg/riscv64/noexec.c        |  79 +++++++++++++++++++++
+ tcg/riscv/tcg-target-con-set.h            |    2 -
- tests/tcg/s390x/noexec.c          | 106 ++++++++++++++++++++++++++++
+ tcg/riscv/tcg-target-con-str.h            |    1 -
- tests/tcg/x86_64/noexec.c         |  75 ++++++++++++++++++++
+ tcg/s390x/tcg-target-con-set.h            |    2 -
- tests/tcg/multiarch/noexec.c.inc  | 139 ++++++++++++++++++++++++++++++++++++
+ tcg/s390x/tcg-target-con-str.h            |    1 -
- tests/tcg/riscv64/Makefile.target |   1 +
+ accel/tcg/cpu-exec-common.c               |    3 +
- tests/tcg/s390x/Makefile.target   |   1 +
+ accel/tcg/cputlb.c                        | 1113 ++++++++++++++++-------------
- tests/tcg/x86_64/Makefile.target  |   3 +-
+ accel/tcg/tb-maint.c                      |    2 +-
-files changed, 966 insertions(+), 367 deletions(-)
+ accel/tcg/tcg-accel-ops-icount.c          |   21 +-
- create mode 100644 tests/tcg/riscv64/noexec.c
+ accel/tcg/tcg-accel-ops-rr.c              |   37 +-
- create mode 100644 tests/tcg/s390x/noexec.c
+ bsd-user/elfload.c                        |    5 +-
- create mode 100644 tests/tcg/x86_64/noexec.c
+ cpus-common.c                             |    2 +-
- create mode 100644 tests/tcg/multiarch/noexec.c.inc
+ disas/disas-mon.c                         |   65 ++
  disas.c => disas/disas.c                  |  109 +--
  linux-user/elfload.c                      |   18 +-
  migration/dirtyrate.c                     |   26 +-
  replay/replay.c                           |    3 +-
  target/loongarch/csr_helper.c             |    1 -
  target/loongarch/iocsr_helper.c           |    1 -
  target/m68k/translate.c                   |    1 +
  target/mips/tcg/mxu_translate.c           |    3 +-
  target/nios2/translate.c                  |   10 +
  target/sh4/translate.c                    |  102 ++-
  tcg/tcg.c                                 |  480 ++++++++++++-
  trace/control-target.c                    |    9 +-
  target/mips/tcg/micromips_translate.c.inc |   24 +-
  target/mips/tcg/mips16e_translate.c.inc   |   18 +-
  target/mips/tcg/nanomips_translate.c.inc  |   32 +-
  tcg/aarch64/tcg-target.c.inc              |  347 ++++-----
  tcg/arm/tcg-target.c.inc                  |  455 +++++-------
  tcg/i386/tcg-target.c.inc                 |  453 +++++-------
  tcg/loongarch64/tcg-target.c.inc          |  313 +++-----
  tcg/mips/tcg-target.c.inc                 |  870 +++++++---------------
  tcg/ppc/tcg-target.c.inc                  |  512 ++++++-------
  tcg/riscv/tcg-target.c.inc                |  304 ++++----
  tcg/s390x/tcg-target.c.inc                |  314 ++++----
  disas/meson.build                         |    6 +-
 files changed, 2788 insertions(+), 3039 deletions(-)
  create mode 100644 disas/disas-internal.h
  create mode 100644 disas/disas-mon.c
  rename disas.c => disas/disas.c (79%)

-New patch
+[PULL 01/53] target/m68k: Fix gen_load_fp for OS_LONG
+Case was accidentally dropped in b7a94da9550b.
+Tested-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Laurent Vivier <laurent@vivier.eu>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/m68k/translate.c | 1 +
+file changed, 1 insertion(+)
+diff --git a/target/m68k/translate.c b/target/m68k/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/m68k/translate.c
++++ b/target/m68k/translate.c
+@@ -XXX,XX +XXX,XX @@ static void gen_load_fp(DisasContext *s, int opsize, TCGv addr, TCGv_ptr fp,
+     switch (opsize) {
+     case OS_BYTE:
+     case OS_WORD:
++    case OS_LONG:
+         tcg_gen_qemu_ld_tl(tmp, addr, index, opsize | MO_SIGN | MO_TE);
+         gen_helper_exts32(cpu_env, fp, tmp);
+         break;
+--
+.34.1

-New patch
+[PULL 02/53] accel/tcg: Fix atomic_mmu_lookup for reads
+A copy-paste bug had us looking at the victim cache for writes.
+Cc: qemu-stable@nongnu.org
+Reported-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Fixes: 08dff435e2 ("tcg: Probe the proper permissions for atomic ops")
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Message-Id: <20230505204049.352469-1-richard.henderson@linaro.org>
+---
+ accel/tcg/cputlb.c | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+index XXXXXXX..XXXXXXX 100644
+--- a/accel/tcg/cputlb.c
++++ b/accel/tcg/cputlb.c
+@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
+     } else /* if (prot & PAGE_READ) */ {
+         tlb_addr = tlbe->addr_read;
+         if (!tlb_hit(tlb_addr, addr)) {
+-            if (!VICTIM_TLB_HIT(addr_write, addr)) {
++            if (!VICTIM_TLB_HIT(addr_read, addr)) {
+                 tlb_fill(env_cpu(env), addr, size,
+                          MMU_DATA_LOAD, mmu_idx, retaddr);
+                 index = tlb_index(env, mmu_idx, addr);
+--
+.34.1

-New patch
+[PULL 03/53] disas: Fix tabs and braces in disas.c
+Fix these before moving the file, for checkpatch.pl.
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230510170812.663149-1-richard.henderson@linaro.org>
+---
+ disas.c | 11 ++++++-----
+file changed, 6 insertions(+), 5 deletions(-)
+diff --git a/disas.c b/disas.c
+index XXXXXXX..XXXXXXX 100644
+--- a/disas.c
++++ b/disas.c
+@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, target_ulong code,
+     }
+     for (pc = code; size > 0; pc += count, size -= count) {
+-    fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
+-    count = s.info.print_insn(pc, &s.info);
+-    fprintf(out, "\n");
+-    if (count < 0)
+-        break;
++        fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
++        count = s.info.print_insn(pc, &s.info);
++        fprintf(out, "\n");
++        if (count < 0) {
++            break;
++        }
+         if (size < count) {
+             fprintf(out,
+                     "Disassembler disagrees with translator over instruction "
+--
+.34.1

-New patch
+[PULL 04/53] disas: Move disas.c to disas/
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230503072331.1747057-80-richard.henderson@linaro.org>
+---
+ meson.build              | 3 ---
+ disas.c => disas/disas.c | 0
+ disas/meson.build        | 4 +++-
+files changed, 3 insertions(+), 4 deletions(-)
+ rename disas.c => disas/disas.c (100%)
+diff --git a/meson.build b/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/meson.build
++++ b/meson.build
+@@ -XXX,XX +XXX,XX @@ specific_ss.add(files('cpu.c'))
+ subdir('softmmu')
+-common_ss.add(capstone)
+-specific_ss.add(files('disas.c'), capstone)
+-
+ # Work around a gcc bug/misfeature wherein constant propagation looks
+ # through an alias:
+ #   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99696
+diff --git a/disas.c b/disas/disas.c
+similarity index 100%
+rename from disas.c
+rename to disas/disas.c
+diff --git a/disas/meson.build b/disas/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/disas/meson.build
++++ b/disas/meson.build
+@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_RISCV_DIS', if_true: files('riscv.c'))
+ common_ss.add(when: 'CONFIG_SH4_DIS', if_true: files('sh4.c'))
+ common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
+ common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
+-common_ss.add(when: capstone, if_true: files('capstone.c'))
++common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
++
++specific_ss.add(files('disas.c'), capstone)
+--
+.34.1

-[PULL 03/20] linux-user/x86_64: Allocate vsyscall page as a commpage
+[PULL 05/53] disas: Remove target_ulong from the interface
-We're about to start validating PAGE_EXEC, which means that we've
+Use uint64_t for the pc, and size_t for the size.
 got to mark the vsyscall page executable.  We had been special
 casing this entirely within translate.
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Thomas Huth <thuth@redhat.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230503072331.1747057-81-richard.henderson@linaro.org>
 ---
- linux-user/elfload.c | 23 +++++++++++++++++++++++
+ include/disas/disas.h | 17 ++++++-----------
-file changed, 23 insertions(+)
+ bsd-user/elfload.c    |  5 +++--
  disas/disas.c         | 19 +++++++++----------
  linux-user/elfload.c  |  5 +++--
 files changed, 21 insertions(+), 25 deletions(-)
+diff --git a/include/disas/disas.h b/include/disas/disas.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/disas/disas.h
++++ b/include/disas/disas.h
+@@ -XXX,XX +XXX,XX @@
+ #include "cpu.h"
+ /* Disassemble this for me please... (debugging). */
+-void disas(FILE *out, const void *code, unsigned long size);
+-void target_disas(FILE *out, CPUState *cpu, target_ulong code,
+-                  target_ulong size);
++void disas(FILE *out, const void *code, size_t size);
++void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size);
+-void monitor_disas(Monitor *mon, CPUState *cpu,
+-                   target_ulong pc, int nb_insn, int is_physical);
++void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
++                   int nb_insn, bool is_physical);
+ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size);
+ /* Look up symbol for debugging purpose.  Returns "" if unknown. */
+-const char *lookup_symbol(target_ulong orig_addr);
++const char *lookup_symbol(uint64_t orig_addr);
+ #endif
+ struct syminfo;
+ struct elf32_sym;
+ struct elf64_sym;
+-#if defined(CONFIG_USER_ONLY)
+-typedef const char *(*lookup_symbol_t)(struct syminfo *s, target_ulong orig_addr);
+-#else
+-typedef const char *(*lookup_symbol_t)(struct syminfo *s, hwaddr orig_addr);
+-#endif
++typedef const char *(*lookup_symbol_t)(struct syminfo *s, uint64_t orig_addr);
+ struct syminfo {
+     lookup_symbol_t lookup_symbol;
+diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c
+index XXXXXXX..XXXXXXX 100644
+--- a/bsd-user/elfload.c
++++ b/bsd-user/elfload.c
+@@ -XXX,XX +XXX,XX @@ static abi_ulong load_elf_interp(struct elfhdr *interp_elf_ex,
+ static int symfind(const void *s0, const void *s1)
+ {
+-    target_ulong addr = *(target_ulong *)s0;
++    __typeof(sym->st_value) addr = *(uint64_t *)s0;
+     struct elf_sym *sym = (struct elf_sym *)s1;
+     int result = 0;
++
+     if (addr < sym->st_value) {
+         result = -1;
+     } else if (addr >= sym->st_value + sym->st_size) {
+@@ -XXX,XX +XXX,XX @@ static int symfind(const void *s0, const void *s1)
+     return result;
+ }
+-static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
++static const char *lookup_symbolxx(struct syminfo *s, uint64_t orig_addr)
+ {
+ #if ELF_CLASS == ELFCLASS32
+     struct elf_sym *syms = s->disas_symtab.elf32;
+diff --git a/disas/disas.c b/disas/disas.c
+index XXXXXXX..XXXXXXX 100644
+--- a/disas/disas.c
++++ b/disas/disas.c
+@@ -XXX,XX +XXX,XX @@ static void initialize_debug_host(CPUDebug *s)
+ }
+ /* Disassemble this for me please... (debugging).  */
+-void target_disas(FILE *out, CPUState *cpu, target_ulong code,
+-                  target_ulong size)
++void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
+ {
+-    target_ulong pc;
++    uint64_t pc;
+     int count;
+     CPUDebug s;
+@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, target_ulong code,
+     }
+     for (pc = code; size > 0; pc += count, size -= count) {
+-        fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
++        fprintf(out, "0x%08" PRIx64 ":  ", pc);
+         count = s.info.print_insn(pc, &s.info);
+         fprintf(out, "\n");
+         if (count < 0) {
+@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size)
+ }
+ /* Disassemble this for me please... (debugging). */
+-void disas(FILE *out, const void *code, unsigned long size)
++void disas(FILE *out, const void *code, size_t size)
+ {
+     uintptr_t pc;
+     int count;
+@@ -XXX,XX +XXX,XX @@ void disas(FILE *out, const void *code, unsigned long size)
+ }
+ /* Look up symbol for debugging purpose.  Returns "" if unknown. */
+-const char *lookup_symbol(target_ulong orig_addr)
++const char *lookup_symbol(uint64_t orig_addr)
+ {
+     const char *symbol = "";
+     struct syminfo *s;
+@@ -XXX,XX +XXX,XX @@ physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
+ }
+ /* Disassembler for the monitor.  */
+-void monitor_disas(Monitor *mon, CPUState *cpu,
+-                   target_ulong pc, int nb_insn, int is_physical)
++void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
++                   int nb_insn, bool is_physical)
+ {
+     int count, i;
+     CPUDebug s;
+@@ -XXX,XX +XXX,XX @@ void monitor_disas(Monitor *mon, CPUState *cpu,
+     }
+     if (!s.info.print_insn) {
+-        monitor_printf(mon, "0x" TARGET_FMT_lx
++        monitor_printf(mon, "0x%08" PRIx64
+                        ": Asm output not supported on this arch\n", pc);
+         return;
+     }
+     for (i = 0; i < nb_insn; i++) {
+-        g_string_append_printf(ds, "0x" TARGET_FMT_lx ":  ", pc);
++        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
+         count = s.info.print_insn(pc, &s.info);
+         g_string_append_c(ds, '\n');
+         if (count < 0) {
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
-@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
+@@ -XXX,XX +XXX,XX @@ static void load_elf_interp(const char *filename, struct image_info *info,
-     (*regs)[26] = tswapreg(env->segs[R_GS].selector & 0xffff);
  static int symfind(const void *s0, const void *s1)
  {
 -    target_ulong addr = *(target_ulong *)s0;
      struct elf_sym *sym = (struct elf_sym *)s1;
 +    __typeof(sym->st_value) addr = *(uint64_t *)s0;
      int result = 0;
 +
      if (addr < sym->st_value) {
          result = -1;
      } else if (addr >= sym->st_value + sym->st_size) {
@@ -XXX,XX +XXX,XX @@ static int symfind(const void *s0, const void *s1)
      return result;
  }
-+#if ULONG_MAX >= TARGET_VSYSCALL_PAGE
+-static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
-+#define INIT_GUEST_COMMPAGE
++static const char *lookup_symbolxx(struct syminfo *s, uint64_t orig_addr)
 +static bool init_guest_commpage(void)
 +{
 +    /*
 +     * The vsyscall page is at a high negative address aka kernel space,
 +     * which means that we cannot actually allocate it with target_mmap.
 +     * We still should be able to use page_set_flags, unless the user
 +     * has specified -R reserved_va, which would trigger an assert().
 +     */
 +    if (reserved_va != 0 &&
 +        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
 +        error_report("Cannot allocate vsyscall page");
 +        exit(EXIT_FAILURE);
 +    }
 +    page_set_flags(TARGET_VSYSCALL_PAGE,
 +                   TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
 +                   PAGE_EXEC | PAGE_VALID);
 +    return true;
 +}
 +#endif
  #else
  #define ELF_START_MMAP 0x80000000
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
  #else
  #define HI_COMMPAGE 0
  #define LO_COMMPAGE -1
 +#ifndef INIT_GUEST_COMMPAGE
  #define init_guest_commpage() true
  #endif
 +#endif
  static void pgb_fail_in_use(const char *image_name)
  {
+ #if ELF_CLASS == ELFCLASS32
+     struct elf_sym *syms = s->disas_symtab.elf32;
 --
 .34.1

-New patch
+[PULL 06/53] disas: Remove target-specific headers
+Reviewed-by: Thomas Huth <thuth@redhat.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230503072331.1747057-83-richard.henderson@linaro.org>
+---
+ include/disas/disas.h | 6 ------
+ disas/disas.c         | 3 ++-
+files changed, 2 insertions(+), 7 deletions(-)
+diff --git a/include/disas/disas.h b/include/disas/disas.h
+index XXXXXXX..XXXXXXX 100644
+--- a/include/disas/disas.h
++++ b/include/disas/disas.h
+@@ -XXX,XX +XXX,XX @@
+ #ifndef QEMU_DISAS_H
+ #define QEMU_DISAS_H
+-#include "exec/hwaddr.h"
+-
+-#ifdef NEED_CPU_H
+-#include "cpu.h"
+-
+ /* Disassemble this for me please... (debugging). */
+ void disas(FILE *out, const void *code, size_t size);
+ void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size);
+@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size);
+ /* Look up symbol for debugging purpose.  Returns "" if unknown. */
+ const char *lookup_symbol(uint64_t orig_addr);
+-#endif
+ struct syminfo;
+ struct elf32_sym;
+diff --git a/disas/disas.c b/disas/disas.c
+index XXXXXXX..XXXXXXX 100644
+--- a/disas/disas.c
++++ b/disas/disas.c
+@@ -XXX,XX +XXX,XX @@
+ #include "disas/dis-asm.h"
+ #include "elf.h"
+ #include "qemu/qemu-print.h"
+-
+ #include "disas/disas.h"
+ #include "disas/capstone.h"
++#include "hw/core/cpu.h"
++#include "exec/memory.h"
+ typedef struct CPUDebug {
+     struct disassemble_info info;
+--
+.34.1

-[PULL 17/20] target/s390x: Make translator stop before the end of a page
+[PULL 07/53] disas: Move softmmu specific code to separate file
-From: Ilya Leoshkevich <iii@linux.ibm.com>
+From: Thomas Huth <thuth@redhat.com>
-Right now translator stops right *after* the end of a page, which
+We'd like to move disas.c into the common code source set, where
-breaks reporting of fault locations when the last instruction of a
+CONFIG_USER_ONLY is not available anymore. So we have to move
-multi-insn translation block crosses a page boundary.
+the related code into a separate file instead.
-Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Signed-off-by: Thomas Huth <thuth@redhat.com>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
+Message-Id: <20230508133745.109463-2-thuth@redhat.com>
-Message-Id: <20220817150506.592862-3-iii@linux.ibm.com>
+[rth: Type change done in a separate patch]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/s390x/tcg/translate.c     |  15 +++-
+ disas/disas-internal.h | 21 ++++++++++++
- tests/tcg/s390x/noexec.c         | 106 +++++++++++++++++++++++
+ disas/disas-mon.c      | 65 ++++++++++++++++++++++++++++++++++++
- tests/tcg/multiarch/noexec.c.inc | 139 +++++++++++++++++++++++++++++++
+ disas/disas.c          | 76 ++++--------------------------------------
- tests/tcg/s390x/Makefile.target  |   1 +
+ disas/meson.build      |  1 +
-files changed, 257 insertions(+), 4 deletions(-)
+files changed, 93 insertions(+), 70 deletions(-)
- create mode 100644 tests/tcg/s390x/noexec.c
+ create mode 100644 disas/disas-internal.h
- create mode 100644 tests/tcg/multiarch/noexec.c.inc
+ create mode 100644 disas/disas-mon.c
-diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
+diff --git a/disas/disas-internal.h b/disas/disas-internal.h
 index XXXXXXX..XXXXXXX 100644
 --- a/target/s390x/tcg/translate.c
 +++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
      dc->insn_start = tcg_last_op();
  }
 +static target_ulong get_next_pc(CPUS390XState *env, DisasContext *s,
 +                                uint64_t pc)
 +{
 +    uint64_t insn = ld_code2(env, s, pc);
 +
 +    return pc + get_ilen((insn >> 8) & 0xff);
 +}
 +
  static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
  {
      CPUS390XState *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
      dc->base.is_jmp = translate_one(env, dc);
      if (dc->base.is_jmp == DISAS_NEXT) {
 -        uint64_t page_start;
 -
 -        page_start = dc->base.pc_first & TARGET_PAGE_MASK;
 -        if (dc->base.pc_next - page_start >= TARGET_PAGE_SIZE || dc->ex_value) {
 +        if (!is_same_page(dcbase, dc->base.pc_next) ||
 +            !is_same_page(dcbase, get_next_pc(env, dc, dc->base.pc_next)) ||
 +            dc->ex_value) {
              dc->base.is_jmp = DISAS_TOO_MANY;
          }
      }
 diff --git a/tests/tcg/s390x/noexec.c b/tests/tcg/s390x/noexec.c
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/tcg/s390x/noexec.c
++++ b/disas/disas-internal.h
 @@ -XXX,XX +XXX,XX @@
-+#include "../multiarch/noexec.c.inc"
++/*
-+
++ * Definitions used internally in the disassembly code
-+static void *arch_mcontext_pc(const mcontext_t *ctx)
++ *
-+{
++ * SPDX-License-Identifier: GPL-2.0-or-later
-+    return (void *)ctx->psw.addr;
++ */
-+}
++
-+
++#ifndef DISAS_INTERNAL_H
-+static int arch_mcontext_arg(const mcontext_t *ctx)
++#define DISAS_INTERNAL_H
-+{
++
-+    return ctx->gregs[2];
++#include "disas/dis-asm.h"
-+}
++
-+
++typedef struct CPUDebug {
-+static void arch_flush(void *p, int len)
++    struct disassemble_info info;
-+{
++    CPUState *cpu;
-+}
++} CPUDebug;
 +
-+extern char noexec_1[];
++void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu);
-+extern char noexec_2[];
++int disas_gstring_printf(FILE *stream, const char *fmt, ...)
-+extern char noexec_end[];
++    G_GNUC_PRINTF(2, 3);
 +
-+asm("noexec_1:\n"
++#endif
-+    "   lgfi %r2,1\n"       /* %r2 is 0 on entry, set 1. */
+diff --git a/disas/disas-mon.c b/disas/disas-mon.c
 +    "noexec_2:\n"
 +    "   lgfi %r2,2\n"       /* %r2 is 0/1; set 2. */
 +    "   br %r14\n"          /* return */
 +    "noexec_end:");
 +
 +extern char exrl_1[];
 +extern char exrl_2[];
 +extern char exrl_end[];
 +
 +asm("exrl_1:\n"
 +    "   exrl %r0, exrl_2\n"
 +    "   br %r14\n"
 +    "exrl_2:\n"
 +    "   lgfi %r2,2\n"
 +    "exrl_end:");
 +
 +int main(void)
 +{
 +    struct noexec_test noexec_tests[] = {
 +        {
 +            .name = "fallthrough",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = noexec_1 - noexec_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = 0,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "exrl",
 +            .test_code = exrl_1,
 +            .test_len = exrl_end - exrl_1,
 +            .page_ofs = exrl_1 - exrl_2,
 +            .entry_ofs = exrl_1 - exrl_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = exrl_1 - exrl_2,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "fallthrough [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = noexec_1 - noexec_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = -2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "exrl [cross]",
 +            .test_code = exrl_1,
 +            .test_len = exrl_end - exrl_1,
 +            .page_ofs = exrl_1 - exrl_2 - 2,
 +            .entry_ofs = exrl_1 - exrl_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = exrl_1 - exrl_2 - 2,
 +            .expected_arg = 0,
 +        },
 +    };
 +
 +    return test_noexec(noexec_tests,
 +                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
 +}
 diff --git a/tests/tcg/multiarch/noexec.c.inc b/tests/tcg/multiarch/noexec.c.inc
 new file mode 100644
 index XXXXXXX..XXXXXXX
 --- /dev/null
-+++ b/tests/tcg/multiarch/noexec.c.inc
++++ b/disas/disas-mon.c
 @@ -XXX,XX +XXX,XX @@
 +/*
-+ * Common code for arch-specific MMU_INST_FETCH fault testing.
++ * Functions related to disassembly from the monitor
 + *
 + * SPDX-License-Identifier: GPL-2.0-or-later
 + */
 +
-+#define _GNU_SOURCE
++#include "qemu/osdep.h"
-+
++#include "disas-internal.h"
-+#include <assert.h>
++#include "disas/disas.h"
-+#include <signal.h>
++#include "exec/memory.h"
-+#include <stdio.h>
++#include "hw/core/cpu.h"
-+#include <stdlib.h>
++#include "monitor/monitor.h"
-+#include <string.h>
++
-+#include <errno.h>
++static int
-+#include <unistd.h>
++physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
-+#include <sys/mman.h>
++                     struct disassemble_info *info)
 +#include <sys/ucontext.h>
 +
 +/* Forward declarations. */
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx);
 +static int arch_mcontext_arg(const mcontext_t *ctx);
 +static void arch_flush(void *p, int len);
 +
 +/* Testing infrastructure. */
 +
 +struct noexec_test {
 +    const char *name;
 +    const char *test_code;
 +    int test_len;
 +    int page_ofs;
 +    int entry_ofs;
 +    int expected_si_ofs;
 +    int expected_pc_ofs;
 +    int expected_arg;
 +};
 +
 +static void *page_base;
 +static int page_size;
 +static const struct noexec_test *current_noexec_test;
 +
 +static void handle_err(const char *syscall)
 +{
-+    printf("[  FAILED  ] %s: %s\n", syscall, strerror(errno));
++    CPUDebug *s = container_of(info, CPUDebug, info);
-+    exit(EXIT_FAILURE);
++    MemTxResult res;
 +
 +    res = address_space_read(s->cpu->as, memaddr, MEMTXATTRS_UNSPECIFIED,
 +                             myaddr, length);
 +    return res == MEMTX_OK ? 0 : EIO;
 +}
 +
-+static void handle_segv(int sig, siginfo_t *info, void *ucontext)
++/* Disassembler for the monitor.  */
 +void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
 +                   int nb_insn, bool is_physical)
 +{
-+    const struct noexec_test *test = current_noexec_test;
++    int count, i;
-+    const mcontext_t *mc = &((ucontext_t *)ucontext)->uc_mcontext;
++    CPUDebug s;
-+    void *expected_si;
++    g_autoptr(GString) ds = g_string_new("");
-+    void *expected_pc;
++
-+    void *pc;
++    disas_initialize_debug_target(&s, cpu);
-+    int arg;
++    s.info.fprintf_func = disas_gstring_printf;
-+
++    s.info.stream = (FILE *)ds;  /* abuse this slot */
-+    if (test == NULL) {
++
-+        printf("[  FAILED  ] unexpected SEGV\n");
++    if (is_physical) {
-+        exit(EXIT_FAILURE);
++        s.info.read_memory_func = physical_read_memory;
 +    }
-+    current_noexec_test = NULL;
++    s.info.buffer_vma = pc;
 +
-+    expected_si = page_base + test->expected_si_ofs;
++    if (s.info.cap_arch >= 0 && cap_disas_monitor(&s.info, pc, nb_insn)) {
-+    if (info->si_addr != expected_si) {
++        monitor_puts(mon, ds->str);
-+        printf("[  FAILED  ] wrong si_addr (%p != %p)\n",
++        return;
-+               info->si_addr, expected_si);
++    }
-+        exit(EXIT_FAILURE);
++
-+    }
++    if (!s.info.print_insn) {
-+
++        monitor_printf(mon, "0x%08" PRIx64
-+    pc = arch_mcontext_pc(mc);
++                       ": Asm output not supported on this arch\n", pc);
-+    expected_pc = page_base + test->expected_pc_ofs;
++        return;
-+    if (pc != expected_pc) {
++    }
-+        printf("[  FAILED  ] wrong pc (%p != %p)\n", pc, expected_pc);
++
-+        exit(EXIT_FAILURE);
++    for (i = 0; i < nb_insn; i++) {
-+    }
++        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
-+
++        count = s.info.print_insn(pc, &s.info);
-+    arg = arch_mcontext_arg(mc);
++        g_string_append_c(ds, '\n');
-+    if (arg != test->expected_arg) {
++        if (count < 0) {
-+        printf("[  FAILED  ] wrong arg (%d != %d)\n", arg, test->expected_arg);
++            break;
-+        exit(EXIT_FAILURE);
++        }
-+    }
++        pc += count;
-+
++    }
-+    if (mprotect(page_base, page_size,
++
-+                 PROT_READ | PROT_WRITE | PROT_EXEC) < 0) {
++    monitor_puts(mon, ds->str);
 +        handle_err("mprotect");
 +    }
 +}
-+
+diff --git a/disas/disas.c b/disas/disas.c
 +static void test_noexec_1(const struct noexec_test *test)
 +{
 +    void *start = page_base + test->page_ofs;
 +    void (*fn)(int arg) = page_base + test->entry_ofs;
 +
 +    memcpy(start, test->test_code, test->test_len);
 +    arch_flush(start, test->test_len);
 +
 +    /* Trigger TB creation in order to test invalidation. */
 +    fn(0);
 +
 +    if (mprotect(page_base, page_size, PROT_NONE) < 0) {
 +        handle_err("mprotect");
 +    }
 +
 +    /* Trigger SEGV and check that handle_segv() ran. */
 +    current_noexec_test = test;
 +    fn(0);
 +    assert(current_noexec_test == NULL);
 +}
 +
 +static int test_noexec(struct noexec_test *tests, size_t n_tests)
 +{
 +    struct sigaction act;
 +    size_t i;
 +
 +    memset(&act, 0, sizeof(act));
 +    act.sa_sigaction = handle_segv;
 +    act.sa_flags = SA_SIGINFO;
 +    if (sigaction(SIGSEGV, &act, NULL) < 0) {
 +        handle_err("sigaction");
 +    }
 +
 +    page_size = getpagesize();
 +    page_base = mmap(NULL, 2 * page_size,
 +                     PROT_READ | PROT_WRITE | PROT_EXEC,
 +                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
 +    if (page_base == MAP_FAILED) {
 +        handle_err("mmap");
 +    }
 +    page_base += page_size;
 +
 +    for (i = 0; i < n_tests; i++) {
 +        struct noexec_test *test = &tests[i];
 +
 +        printf("[ RUN      ] %s\n", test->name);
 +        test_noexec_1(test);
 +        printf("[       OK ]\n");
 +    }
 +
 +    printf("[  PASSED  ]\n");
 +    return EXIT_SUCCESS;
 +}
 diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
 index XXXXXXX..XXXXXXX 100644
---- a/tests/tcg/s390x/Makefile.target
+--- a/disas/disas.c
-+++ b/tests/tcg/s390x/Makefile.target
++++ b/disas/disas.c
-@@ -XXX,XX +XXX,XX @@ TESTS+=shift
+@@ -XXX,XX +XXX,XX @@
- TESTS+=trap
+ /* General "disassemble this chunk" code.  Used for debugging. */
- TESTS+=signals-s390x
+ #include "qemu/osdep.h"
- TESTS+=branch-relative-long
+-#include "disas/dis-asm.h"
-+TESTS+=noexec
++#include "disas/disas-internal.h"
+ #include "elf.h"
- Z14_TESTS=vfminmax
+ #include "qemu/qemu-print.h"
- vfminmax: LDFLAGS+=-lm
+ #include "disas/disas.h"
@@ -XXX,XX +XXX,XX @@
  #include "hw/core/cpu.h"
  #include "exec/memory.h"
 -typedef struct CPUDebug {
 -    struct disassemble_info info;
 -    CPUState *cpu;
 -} CPUDebug;
 -
  /* Filled in by elfload.c.  Simplistic, but will do for now. */
  struct syminfo *syminfos = NULL;
@@ -XXX,XX +XXX,XX @@ static void initialize_debug(CPUDebug *s)
      s->info.symbol_at_address_func = symbol_at_address;
  }
 -static void initialize_debug_target(CPUDebug *s, CPUState *cpu)
 +void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu)
  {
      initialize_debug(s);
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
      int count;
      CPUDebug s;
 -    initialize_debug_target(&s, cpu);
 +    disas_initialize_debug_target(&s, cpu);
      s.info.fprintf_func = fprintf;
      s.info.stream = out;
      s.info.buffer_vma = code;
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
      }
  }
 -static int G_GNUC_PRINTF(2, 3)
 -gstring_printf(FILE *stream, const char *fmt, ...)
 +int disas_gstring_printf(FILE *stream, const char *fmt, ...)
  {
      /* We abuse the FILE parameter to pass a GString. */
      GString *s = (GString *)stream;
@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size)
      CPUDebug s;
      GString *ds = g_string_new(NULL);
 -    initialize_debug_target(&s, cpu);
 -    s.info.fprintf_func = gstring_printf;
 +    disas_initialize_debug_target(&s, cpu);
 +    s.info.fprintf_func = disas_gstring_printf;
      s.info.stream = (FILE *)ds;  /* abuse this slot */
      s.info.buffer_vma = addr;
      s.info.buffer_length = size;
@@ -XXX,XX +XXX,XX @@ const char *lookup_symbol(uint64_t orig_addr)
      return symbol;
  }
 -
 -#if !defined(CONFIG_USER_ONLY)
 -
 -#include "monitor/monitor.h"
 -
 -static int
 -physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
 -                     struct disassemble_info *info)
 -{
 -    CPUDebug *s = container_of(info, CPUDebug, info);
 -    MemTxResult res;
 -
 -    res = address_space_read(s->cpu->as, memaddr, MEMTXATTRS_UNSPECIFIED,
 -                             myaddr, length);
 -    return res == MEMTX_OK ? 0 : EIO;
 -}
 -
 -/* Disassembler for the monitor.  */
 -void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
 -                   int nb_insn, bool is_physical)
 -{
 -    int count, i;
 -    CPUDebug s;
 -    g_autoptr(GString) ds = g_string_new("");
 -
 -    initialize_debug_target(&s, cpu);
 -    s.info.fprintf_func = gstring_printf;
 -    s.info.stream = (FILE *)ds;  /* abuse this slot */
 -
 -    if (is_physical) {
 -        s.info.read_memory_func = physical_read_memory;
 -    }
 -    s.info.buffer_vma = pc;
 -
 -    if (s.info.cap_arch >= 0 && cap_disas_monitor(&s.info, pc, nb_insn)) {
 -        monitor_puts(mon, ds->str);
 -        return;
 -    }
 -
 -    if (!s.info.print_insn) {
 -        monitor_printf(mon, "0x%08" PRIx64
 -                       ": Asm output not supported on this arch\n", pc);
 -        return;
 -    }
 -
 -    for (i = 0; i < nb_insn; i++) {
 -        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
 -        count = s.info.print_insn(pc, &s.info);
 -        g_string_append_c(ds, '\n');
 -        if (count < 0) {
 -            break;
 -        }
 -        pc += count;
 -    }
 -
 -    monitor_puts(mon, ds->str);
 -}
 -#endif
 diff --git a/disas/meson.build b/disas/meson.build
 index XXXXXXX..XXXXXXX 100644
 --- a/disas/meson.build
 +++ b/disas/meson.build
@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
  common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
  common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
 +softmmu_ss.add(files('disas-mon.c'))
  specific_ss.add(files('disas.c'), capstone)
 --
 .34.1

-New patch
+[PULL 08/53] disas: Move disas.c into the target-independent source set
+From: Thomas Huth <thuth@redhat.com>
+By using target_words_bigendian() instead of an ifdef,
+we can build this code once.
+Signed-off-by: Thomas Huth <thuth@redhat.com>
+Message-Id: <20230508133745.109463-3-thuth@redhat.com>
+[rth: Type change done in a separate patch]
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ disas/disas.c     | 10 +++++-----
+ disas/meson.build |  3 ++-
+files changed, 7 insertions(+), 6 deletions(-)
+diff --git a/disas/disas.c b/disas/disas.c
+index XXXXXXX..XXXXXXX 100644
+--- a/disas/disas.c
++++ b/disas/disas.c
+@@ -XXX,XX +XXX,XX @@ void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu)
+     s->cpu = cpu;
+     s->info.read_memory_func = target_read_memory;
+     s->info.print_address_func = print_address;
+-#if TARGET_BIG_ENDIAN
+-    s->info.endian = BFD_ENDIAN_BIG;
+-#else
+-    s->info.endian = BFD_ENDIAN_LITTLE;
+-#endif
++    if (target_words_bigendian()) {
++        s->info.endian = BFD_ENDIAN_BIG;
++    } else {
++        s->info.endian =  BFD_ENDIAN_LITTLE;
++    }
+     CPUClass *cc = CPU_GET_CLASS(cpu);
+     if (cc->disas_set_info) {
+diff --git a/disas/meson.build b/disas/meson.build
+index XXXXXXX..XXXXXXX 100644
+--- a/disas/meson.build
++++ b/disas/meson.build
+@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_SH4_DIS', if_true: files('sh4.c'))
+ common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
+ common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
+ common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
++common_ss.add(files('disas.c'))
+ softmmu_ss.add(files('disas-mon.c'))
+-specific_ss.add(files('disas.c'), capstone)
++specific_ss.add(capstone)
+--
+.34.1

-[PULL 11/20] accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
+[PULL 09/53] cpu: expose qemu_cpu_list_lock for lock-guard use
-The base qemu_ram_addr_from_host function is already in
+From: Jamie Iles <quic_jiles@quicinc.com>
 softmmu/physmem.c; move the nofail version to be adjacent.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Expose qemu_cpu_list_lock globally so that we can use
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+WITH_QEMU_LOCK_GUARD and QEMU_LOCK_GUARD to simplify a few code paths
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+now and in future.
 Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20230427020925.51003-2-quic_jiles@quicinc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  include/exec/cpu-common.h |  1 +
- accel/tcg/cputlb.c        | 12 ------------
+ cpus-common.c             |  2 +-
- softmmu/physmem.c         | 12 ++++++++++++
+ linux-user/elfload.c      | 13 +++++++------
-files changed, 13 insertions(+), 12 deletions(-)
+ migration/dirtyrate.c     | 26 +++++++++++++-------------
  trace/control-target.c    |  9 ++++-----
 files changed, 26 insertions(+), 25 deletions(-)
 diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu-common.h
 +++ b/include/exec/cpu-common.h
-@@ -XXX,XX +XXX,XX @@ typedef uintptr_t ram_addr_t;
+@@ -XXX,XX +XXX,XX @@ extern intptr_t qemu_host_page_mask;
- void qemu_ram_remap(ram_addr_t addr, ram_addr_t length);
+ #define REAL_HOST_PAGE_ALIGN(addr) ROUND_UP((addr), qemu_real_host_page_size())
- /* This should not be used by devices.  */
- ram_addr_t qemu_ram_addr_from_host(void *ptr);
+ /* The CPU list lock nests outside page_(un)lock or mmap_(un)lock */
-+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
++extern QemuMutex qemu_cpu_list_lock;
- RAMBlock *qemu_ram_block_by_name(const char *name);
+ void qemu_init_cpu_list(void);
- RAMBlock *qemu_ram_block_from_host(void *ptr, bool round_offset,
+ void cpu_list_lock(void);
-                                    ram_addr_t *offset);
+ void cpu_list_unlock(void);
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
+diff --git a/cpus-common.c b/cpus-common.c
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
+--- a/cpus-common.c
-+++ b/accel/tcg/cputlb.c
++++ b/cpus-common.c
-@@ -XXX,XX +XXX,XX @@ void tlb_set_page(CPUState *cpu, target_ulong vaddr,
+@@ -XXX,XX +XXX,XX @@
-                             prot, mmu_idx, size);
+ #include "qemu/lockable.h"
  #include "trace/trace-root.h"
 -static QemuMutex qemu_cpu_list_lock;
 +QemuMutex qemu_cpu_list_lock;
  static QemuCond exclusive_cond;
  static QemuCond exclusive_resume;
  static QemuCond qemu_work_cond;
 diff --git a/linux-user/elfload.c b/linux-user/elfload.c
 index XXXXXXX..XXXXXXX 100644
 --- a/linux-user/elfload.c
 +++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@
  #include "qemu/guest-random.h"
  #include "qemu/units.h"
  #include "qemu/selfmap.h"
 +#include "qemu/lockable.h"
  #include "qapi/error.h"
  #include "qemu/error-report.h"
  #include "target_signal.h"
@@ -XXX,XX +XXX,XX @@ static int fill_note_info(struct elf_note_info *info,
          info->notes_size += note_size(&info->notes[i]);
      /* read and fill status of all threads */
 -    cpu_list_lock();
 -    CPU_FOREACH(cpu) {
 -        if (cpu == thread_cpu) {
 -            continue;
 +    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
 +        CPU_FOREACH(cpu) {
 +            if (cpu == thread_cpu) {
 +                continue;
 +            }
 +            fill_thread_info(info, cpu->env_ptr);
          }
 -        fill_thread_info(info, cpu->env_ptr);
      }
 -    cpu_list_unlock();
      return (0);
  }
+diff --git a/migration/dirtyrate.c b/migration/dirtyrate.c
 -static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
 -{
 -    ram_addr_t ram_addr;
 -
 -    ram_addr = qemu_ram_addr_from_host(ptr);
 -    if (ram_addr == RAM_ADDR_INVALID) {
 -        error_report("Bad ram pointer %p", ptr);
 -        abort();
 -    }
 -    return ram_addr;
 -}
 -
  /*
   * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
   * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
 diff --git a/softmmu/physmem.c b/softmmu/physmem.c
 index XXXXXXX..XXXXXXX 100644
---- a/softmmu/physmem.c
+--- a/migration/dirtyrate.c
-+++ b/softmmu/physmem.c
++++ b/migration/dirtyrate.c
-@@ -XXX,XX +XXX,XX @@ ram_addr_t qemu_ram_addr_from_host(void *ptr)
+@@ -XXX,XX +XXX,XX @@ int64_t vcpu_calculate_dirtyrate(int64_t calc_time_ms,
-     return block->offset + offset;
+ retry:
      init_time_ms = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
 -    cpu_list_lock();
 -    gen_id = cpu_list_generation_id_get();
 -    records = vcpu_dirty_stat_alloc(stat);
 -    vcpu_dirty_stat_collect(stat, records, true);
 -    cpu_list_unlock();
 +    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
 +        gen_id = cpu_list_generation_id_get();
 +        records = vcpu_dirty_stat_alloc(stat);
 +        vcpu_dirty_stat_collect(stat, records, true);
 +    }
      duration = dirty_stat_wait(calc_time_ms, init_time_ms);
      global_dirty_log_sync(flag, one_shot);
 -    cpu_list_lock();
 -    if (gen_id != cpu_list_generation_id_get()) {
 -        g_free(records);
 -        g_free(stat->rates);
 -        cpu_list_unlock();
 -        goto retry;
 +    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
 +        if (gen_id != cpu_list_generation_id_get()) {
 +            g_free(records);
 +            g_free(stat->rates);
 +            cpu_list_unlock();
 +            goto retry;
 +        }
 +        vcpu_dirty_stat_collect(stat, records, false);
      }
 -    vcpu_dirty_stat_collect(stat, records, false);
 -    cpu_list_unlock();
      for (i = 0; i < stat->nvcpu; i++) {
          dirtyrate = do_calculate_dirtyrate(records[i], duration);
 diff --git a/trace/control-target.c b/trace/control-target.c
 index XXXXXXX..XXXXXXX 100644
 --- a/trace/control-target.c
 +++ b/trace/control-target.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 +#include "qemu/lockable.h"
  #include "cpu.h"
  #include "trace/trace-root.h"
  #include "trace/control.h"
@@ -XXX,XX +XXX,XX @@ static bool adding_first_cpu1(void)
  static bool adding_first_cpu(void)
  {
 -    bool res;
 -    cpu_list_lock();
 -    res = adding_first_cpu1();
 -    cpu_list_unlock();
 -    return res;
 +    QEMU_LOCK_GUARD(&qemu_cpu_list_lock);
 +
 +    return adding_first_cpu1();
  }
-+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
+ void trace_init_vcpu(CPUState *vcpu)
 +{
 +    ram_addr_t ram_addr;
 +
 +    ram_addr = qemu_ram_addr_from_host(ptr);
 +    if (ram_addr == RAM_ADDR_INVALID) {
 +        error_report("Bad ram pointer %p", ptr);
 +        abort();
 +    }
 +    return ram_addr;
 +}
 +
  static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
                                   MemTxAttrs attrs, void *buf, hwaddr len);
  static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
 --
 .34.1

-[PULL 01/20] linux-user/arm: Mark the commpage executable
+[PULL 10/53] accel/tcg/tcg-accel-ops-rr: ensure fairness with icount
-We're about to start validating PAGE_EXEC, which means
+From: Jamie Iles <quic_jiles@quicinc.com>
-that we've got to mark the commpage executable.  We had
-been placing the commpage outside of reserved_va, which
+The round-robin scheduler will iterate over the CPU list with an
-was incorrect and lead to an abort.
+assigned budget until the next timer expiry and may exit early because
+of a TB exit.  This is fine under normal operation but with icount
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+enabled and SMP it is possible for a CPU to be starved of run time and
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+the system live-locks.
 For example, booting a riscv64 platform with '-icount
 shift=0,align=off,sleep=on -smp 2' we observe a livelock once the kernel
 has timers enabled and starts performing TLB shootdowns.  In this case
 we have CPU 0 in M-mode with interrupts disabled sending an IPI to CPU
 .  As we enter the TCG loop, we assign the icount budget to next timer
 interrupt to CPU 0 and begin executing where the guest is sat in a busy
 loop exhausting all of the budget before we try to execute CPU 1 which
 is the target of the IPI but CPU 1 is left with no budget with which to
 execute and the process repeats.
 We try here to add some fairness by splitting the budget across all of
 the CPUs on the thread fairly before entering each one.  The CPU count
 is cached on CPU list generation ID to avoid iterating the list on each
 loop iteration.  With this change it is possible to boot an SMP rv64
 guest with icount enabled and no hangs.
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Tested-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20230427020925.51003-3-quic_jiles@quicinc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- linux-user/arm/target_cpu.h | 4 ++--
+ accel/tcg/tcg-accel-ops-icount.h |  3 ++-
- linux-user/elfload.c        | 6 +++++-
+ accel/tcg/tcg-accel-ops-icount.c | 21 ++++++++++++++----
-files changed, 7 insertions(+), 3 deletions(-)
+ accel/tcg/tcg-accel-ops-rr.c     | 37 +++++++++++++++++++++++++++++++-
+ replay/replay.c                  |  3 +--
-diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
+files changed, 56 insertions(+), 8 deletions(-)
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/arm/target_cpu.h
+diff --git a/accel/tcg/tcg-accel-ops-icount.h b/accel/tcg/tcg-accel-ops-icount.h
-+++ b/linux-user/arm/target_cpu.h
+index XXXXXXX..XXXXXXX 100644
-@@ -XXX,XX +XXX,XX @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
+--- a/accel/tcg/tcg-accel-ops-icount.h
-     } else {
++++ b/accel/tcg/tcg-accel-ops-icount.h
-         /*
+@@ -XXX,XX +XXX,XX @@
-          * We need to be able to map the commpage.
+ #define TCG_ACCEL_OPS_ICOUNT_H
--         * See validate_guest_space in linux-user/elfload.c.
-+         * See init_guest_commpage in linux-user/elfload.c.
+ void icount_handle_deadline(void);
-          */
+-void icount_prepare_for_run(CPUState *cpu);
--        return 0xffff0000ul;
++void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget);
-+        return 0xfffffffful;
++int64_t icount_percpu_budget(int cpu_count);
  void icount_process_data(CPUState *cpu);
  void icount_handle_interrupt(CPUState *cpu, int mask);
 diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tcg-accel-ops-icount.c
 +++ b/accel/tcg/tcg-accel-ops-icount.c
@@ -XXX,XX +XXX,XX @@ void icount_handle_deadline(void)
      }
  }
- #define MAX_RESERVED_VA  arm_max_reserved_va
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+-void icount_prepare_for_run(CPUState *cpu)
-index XXXXXXX..XXXXXXX 100644
++/* Distribute the budget evenly across all CPUs */
---- a/linux-user/elfload.c
++int64_t icount_percpu_budget(int cpu_count)
-+++ b/linux-user/elfload.c
++{
-@@ -XXX,XX +XXX,XX @@ enum {
++    int64_t limit = icount_get_limit();
++    int64_t timeslice = limit / cpu_count;
- static bool init_guest_commpage(void)
++
 +    if (timeslice == 0) {
 +        timeslice = limit;
 +    }
 +
 +    return timeslice;
 +}
 +
 +void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget)
  {
--    void *want = g2h_untagged(HI_COMMPAGE & -qemu_host_page_size);
+     int insns_left;
-+    abi_ptr commpage = HI_COMMPAGE & -qemu_host_page_size;
-+    void *want = g2h_untagged(commpage);
+@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
-     void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
+     g_assert(cpu_neg(cpu)->icount_decr.u16.low == 0);
-                       MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+     g_assert(cpu->icount_extra == 0);
-@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
+-    cpu->icount_budget = icount_get_limit();
-         perror("Protecting guest commpage");
++    replay_mutex_lock();
-         exit(EXIT_FAILURE);
++
 +    cpu->icount_budget = MIN(icount_get_limit(), cpu_budget);
      insns_left = MIN(0xffff, cpu->icount_budget);
      cpu_neg(cpu)->icount_decr.u16.low = insns_left;
      cpu->icount_extra = cpu->icount_budget - insns_left;
 -    replay_mutex_lock();
 -
      if (cpu->icount_budget == 0) {
          /*
           * We're called without the iothread lock, so must take it while
 diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tcg-accel-ops-rr.c
 +++ b/accel/tcg/tcg-accel-ops-rr.c
@@ -XXX,XX +XXX,XX @@
   */
  #include "qemu/osdep.h"
 +#include "qemu/lockable.h"
  #include "sysemu/tcg.h"
  #include "sysemu/replay.h"
  #include "sysemu/cpu-timers.h"
@@ -XXX,XX +XXX,XX @@ static void rr_force_rcu(Notifier *notify, void *data)
      rr_kick_next_cpu();
  }
 +/*
 + * Calculate the number of CPUs that we will process in a single iteration of
 + * the main CPU thread loop so that we can fairly distribute the instruction
 + * count across CPUs.
 + *
 + * The CPU count is cached based on the CPU list generation ID to avoid
 + * iterating the list every time.
 + */
 +static int rr_cpu_count(void)
 +{
 +    static unsigned int last_gen_id = ~0;
 +    static int cpu_count;
 +    CPUState *cpu;
 +
 +    QEMU_LOCK_GUARD(&qemu_cpu_list_lock);
 +
 +    if (cpu_list_generation_id_get() != last_gen_id) {
 +        cpu_count = 0;
 +        CPU_FOREACH(cpu) {
 +            ++cpu_count;
 +        }
 +        last_gen_id = cpu_list_generation_id_get();
 +    }
 +
 +    return cpu_count;
 +}
 +
  /*
   * In the single-threaded case each vCPU is simulated in turn. If
   * there is more than a single vCPU we create a simple timer to kick
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
      cpu->exit_request = 1;
      while (1) {
 +        /* Only used for icount_enabled() */
 +        int64_t cpu_budget = 0;
 +
          qemu_mutex_unlock_iothread();
          replay_mutex_lock();
          qemu_mutex_lock_iothread();
          if (icount_enabled()) {
 +            int cpu_count = rr_cpu_count();
 +
              /* Account partial waits to QEMU_CLOCK_VIRTUAL.  */
              icount_account_warp_timer();
              /*
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
               * waking up the I/O thread and waiting for completion.
               */
              icount_handle_deadline();
 +
 +            cpu_budget = icount_percpu_budget(cpu_count);
          }
          replay_mutex_unlock();
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
                  qemu_mutex_unlock_iothread();
                  if (icount_enabled()) {
 -                    icount_prepare_for_run(cpu);
 +                    icount_prepare_for_run(cpu, cpu_budget);
                  }
                  r = tcg_cpus_exec(cpu);
                  if (icount_enabled()) {
 diff --git a/replay/replay.c b/replay/replay.c
 index XXXXXXX..XXXXXXX 100644
 --- a/replay/replay.c
 +++ b/replay/replay.c
@@ -XXX,XX +XXX,XX @@ uint64_t replay_get_current_icount(void)
  int replay_get_instructions(void)
  {
      int res = 0;
 -    replay_mutex_lock();
 +    g_assert(replay_mutex_locked());
      if (replay_next_event_is(EVENT_INSTRUCTION)) {
          res = replay_state.instruction_count;
          if (replay_break_icount != -1LL) {
@@ -XXX,XX +XXX,XX @@ int replay_get_instructions(void)
              }
          }
      }
-+
+-    replay_mutex_unlock();
-+    page_set_flags(commpage, commpage + qemu_host_page_size,
+     return res;
 +                   PAGE_READ | PAGE_EXEC | PAGE_VALID);
      return true;
  }
 --
 .34.1

-[PULL 10/20] accel/tcg: Make tb_htable_lookup static
+[PULL 11/53] tcg/i386: Introduce prepare_host_addr
-The function is not used outside of cpu-exec.c.  Move it and
+Merge tcg_out_tlb_load, add_qemu_ldst_label,
-its subroutines up in the file, before the first use.
+tcg_out_test_alignment, and some code that lived in both
 tcg_out_qemu_ld and tcg_out_qemu_st into one function
 that returns HostAddress and TCGLabelQemuLdst structures.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/exec-all.h |   3 -
+ tcg/i386/tcg-target.c.inc | 346 ++++++++++++++++----------------------
- accel/tcg/cpu-exec.c    | 122 ++++++++++++++++++++--------------------
+file changed, 145 insertions(+), 201 deletions(-)
 files changed, 61 insertions(+), 64 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/tcg/i386/tcg-target.c.inc
-+++ b/include/exec/exec-all.h
++++ b/tcg/i386/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
- #endif
+     [MO_BEUQ] = helper_be_stq_mmu,
- void tb_flush(CPUState *cpu);
+ };
- void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
--TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
+-/* Perform the TLB load and compare.
--                                   target_ulong cs_base, uint32_t flags,
+-
--                                   uint32_t cflags);
+-   Inputs:
- void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
+-   ADDRLO and ADDRHI contain the low and high part of the address.
+-
- /* GETPC is the true target of the return instruction that we'll execute.  */
+-   MEM_INDEX and S_BITS are the memory context and log2 size of the load.
-diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+-
-index XXXXXXX..XXXXXXX 100644
+-   WHICH is the offset into the CPUTLBEntry structure of the slot to read.
---- a/accel/tcg/cpu-exec.c
+-   This should be offsetof addr_read or addr_write.
-+++ b/accel/tcg/cpu-exec.c
+-
-@@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
+-   Outputs:
-     return cflags;
+-   LABEL_PTRS is filled with 1 (32-bit addresses) or 2 (64-bit addresses)
 -   positions of the displacements of forward jumps to the TLB miss case.
 -
 -   Second argument register is loaded with the low part of the address.
 -   In the TLB hit case, it has been adjusted as indicated by the TLB
 -   and so is a host address.  In the TLB miss case, it continues to
 -   hold a guest address.
 -
 -   First argument register is clobbered.  */
 -
 -static inline void tcg_out_tlb_load(TCGContext *s, TCGReg addrlo, TCGReg addrhi,
 -                                    int mem_index, MemOp opc,
 -                                    tcg_insn_unit **label_ptr, int which)
 -{
 -    TCGType ttype = TCG_TYPE_I32;
 -    TCGType tlbtype = TCG_TYPE_I32;
 -    int trexw = 0, hrexw = 0, tlbrexw = 0;
 -    unsigned a_bits = get_alignment_bits(opc);
 -    unsigned s_bits = opc & MO_SIZE;
 -    unsigned a_mask = (1 << a_bits) - 1;
 -    unsigned s_mask = (1 << s_bits) - 1;
 -    target_ulong tlb_mask;
 -
 -    if (TCG_TARGET_REG_BITS == 64) {
 -        if (TARGET_LONG_BITS == 64) {
 -            ttype = TCG_TYPE_I64;
 -            trexw = P_REXW;
 -        }
 -        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
 -            hrexw = P_REXW;
 -            if (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32) {
 -                tlbtype = TCG_TYPE_I64;
 -                tlbrexw = P_REXW;
 -            }
 -        }
 -    }
 -
 -    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
 -    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
 -                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -
 -    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
 -                         TLB_MASK_TABLE_OFS(mem_index) +
 -                         offsetof(CPUTLBDescFast, mask));
 -
 -    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
 -                         TLB_MASK_TABLE_OFS(mem_index) +
 -                         offsetof(CPUTLBDescFast, table));
 -
 -    /* If the required alignment is at least as large as the access, simply
 -       copy the address and mask.  For lesser alignments, check that we don't
 -       cross pages for the complete access.  */
 -    if (a_bits >= s_bits) {
 -        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
 -    } else {
 -        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
 -                             addrlo, s_mask - a_mask);
 -    }
 -    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
 -    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
 -
 -    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
 -    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
 -                         TCG_REG_L1, TCG_REG_L0, which);
 -
 -    /* Prepare for both the fast path add of the tlb addend, and the slow
 -       path function argument setup.  */
 -    tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
 -
 -    /* jne slow_path */
 -    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 -    label_ptr[0] = s->code_ptr;
 -    s->code_ptr += 4;
 -
 -    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
 -        /* cmp 4(TCG_REG_L0), addrhi */
 -        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, which + 4);
 -
 -        /* jne slow_path */
 -        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 -        label_ptr[1] = s->code_ptr;
 -        s->code_ptr += 4;
 -    }
 -
 -    /* TLB Hit.  */
 -
 -    /* add addend(TCG_REG_L0), TCG_REG_L1 */
 -    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L1, TCG_REG_L0,
 -                         offsetof(CPUTLBEntry, addend));
 -}
 -
 -/*
 - * Record the context of a call to the out of line helper code for the slow path
 - * for a load or store, so that we can later generate the correct helper code
 - */
 -static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
 -                                TCGType type, MemOpIdx oi,
 -                                TCGReg datalo, TCGReg datahi,
 -                                TCGReg addrlo, TCGReg addrhi,
 -                                tcg_insn_unit *raddr,
 -                                tcg_insn_unit **label_ptr)
 -{
 -    TCGLabelQemuLdst *label = new_ldst_label(s);
 -
 -    label->is_ld = is_ld;
 -    label->oi = oi;
 -    label->type = type;
 -    label->datalo_reg = datalo;
 -    label->datahi_reg = datahi;
 -    label->addrlo_reg = addrlo;
 -    label->addrhi_reg = addrhi;
 -    label->raddr = tcg_splitwx_to_rx(raddr);
 -    label->label_ptr[0] = label_ptr[0];
 -    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
 -        label->label_ptr[1] = label_ptr[1];
 -    }
 -}
 -
  /*
   * Generate code for the slow path for a load at the end of block
   */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
      return true;
  }
+ #else
-+struct tb_desc {
+-
-+    target_ulong pc;
+-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-+    target_ulong cs_base;
+-                                   TCGReg addrhi, unsigned a_bits)
-+    CPUArchState *env;
+-{
-+    tb_page_addr_t phys_page1;
+-    unsigned a_mask = (1 << a_bits) - 1;
-+    uint32_t flags;
+-    TCGLabelQemuLdst *label;
-+    uint32_t cflags;
+-
-+    uint32_t trace_vcpu_dstate;
+-    tcg_out_testi(s, addrlo, a_mask);
-+};
+-    /* jne slow_path */
-+
+-    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-+static bool tb_lookup_cmp(const void *p, const void *d)
+-
 -    label = new_ldst_label(s);
 -    label->is_ld = is_ld;
 -    label->addrlo_reg = addrlo;
 -    label->addrhi_reg = addrhi;
 -    label->raddr = tcg_splitwx_to_rx(s->code_ptr + 4);
 -    label->label_ptr[0] = s->code_ptr;
 -
 -    s->code_ptr += 4;
 -}
 -
  static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
  {
      /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
  #endif /* setup_guest_base_seg */
  #endif /* SOFTMMU */
 +/*
 + * For softmmu, perform the TLB load and compare.
 + * For useronly, perform any required alignment tests.
 + * In both cases, return a TCGLabelQemuLdst structure if the slow path
 + * is required and fill in @h with the host address for the fast path.
 + */
 +static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
 +                                           TCGReg addrlo, TCGReg addrhi,
 +                                           MemOpIdx oi, bool is_ld)
 +{
-+    const TranslationBlock *tb = p;
++    TCGLabelQemuLdst *ldst = NULL;
-+    const struct tb_desc *desc = d;
++    MemOp opc = get_memop(oi);
-+
++    unsigned a_bits = get_alignment_bits(opc);
-+    if (tb->pc == desc->pc &&
++    unsigned a_mask = (1 << a_bits) - 1;
-+        tb->page_addr[0] == desc->phys_page1 &&
++
-+        tb->cs_base == desc->cs_base &&
++#ifdef CONFIG_SOFTMMU
-+        tb->flags == desc->flags &&
++    int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
-+        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
++                        : offsetof(CPUTLBEntry, addr_write);
-+        tb_cflags(tb) == desc->cflags) {
++    TCGType ttype = TCG_TYPE_I32;
-+        /* check next page if needed */
++    TCGType tlbtype = TCG_TYPE_I32;
-+        if (tb->page_addr[1] == -1) {
++    int trexw = 0, hrexw = 0, tlbrexw = 0;
-+            return true;
++    unsigned mem_index = get_mmuidx(oi);
-+        } else {
++    unsigned s_bits = opc & MO_SIZE;
-+            tb_page_addr_t phys_page2;
++    unsigned s_mask = (1 << s_bits) - 1;
-+            target_ulong virt_page2;
++    target_ulong tlb_mask;
 +
-+            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
++    ldst = new_ldst_label(s);
-+            phys_page2 = get_page_addr_code(desc->env, virt_page2);
++    ldst->is_ld = is_ld;
-+            if (tb->page_addr[1] == phys_page2) {
++    ldst->oi = oi;
-+                return true;
++    ldst->addrlo_reg = addrlo;
 +    ldst->addrhi_reg = addrhi;
 +
 +    if (TCG_TARGET_REG_BITS == 64) {
 +        if (TARGET_LONG_BITS == 64) {
 +            ttype = TCG_TYPE_I64;
 +            trexw = P_REXW;
 +        }
 +        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
 +            hrexw = P_REXW;
 +            if (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32) {
 +                tlbtype = TCG_TYPE_I64;
 +                tlbrexw = P_REXW;
 +            }
 +        }
 +    }
-+    return false;
++
 +    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
 +    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
 +                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 +
 +    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
 +                         TLB_MASK_TABLE_OFS(mem_index) +
 +                         offsetof(CPUTLBDescFast, mask));
 +
 +    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
 +                         TLB_MASK_TABLE_OFS(mem_index) +
 +                         offsetof(CPUTLBDescFast, table));
 +
 +    /*
 +     * If the required alignment is at least as large as the access, simply
 +     * copy the address and mask.  For lesser alignments, check that we don't
 +     * cross pages for the complete access.
 +     */
 +    if (a_bits >= s_bits) {
 +        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
 +    } else {
 +        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
 +                             addrlo, s_mask - a_mask);
 +    }
 +    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
 +    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
 +
 +    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
 +    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
 +                         TCG_REG_L1, TCG_REG_L0, cmp_ofs);
 +
 +    /*
 +     * Prepare for both the fast path add of the tlb addend, and the slow
 +     * path function argument setup.
 +     */
 +    *h = (HostAddress) {
 +        .base = TCG_REG_L1,
 +        .index = -1
 +    };
 +    tcg_out_mov(s, ttype, h->base, addrlo);
 +
 +    /* jne slow_path */
 +    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 +    ldst->label_ptr[0] = s->code_ptr;
 +    s->code_ptr += 4;
 +
 +    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
 +        /* cmp 4(TCG_REG_L0), addrhi */
 +        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, cmp_ofs + 4);
 +
 +        /* jne slow_path */
 +        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 +        ldst->label_ptr[1] = s->code_ptr;
 +        s->code_ptr += 4;
 +    }
 +
 +    /* TLB Hit.  */
 +
 +    /* add addend(TCG_REG_L0), TCG_REG_L1 */
 +    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, h->base, TCG_REG_L0,
 +                         offsetof(CPUTLBEntry, addend));
 +#else
 +    if (a_bits) {
 +        ldst = new_ldst_label(s);
 +
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addrlo;
 +        ldst->addrhi_reg = addrhi;
 +
 +        tcg_out_testi(s, addrlo, a_mask);
 +        /* jne slow_path */
 +        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 +        ldst->label_ptr[0] = s->code_ptr;
 +        s->code_ptr += 4;
 +    }
 +
 +    *h = x86_guest_base;
 +    h->base = addrlo;
 +#endif
 +
 +    return ldst;
 +}
 +
-+static TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
+ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg datalo, TCGReg datahi,
-+                                          target_ulong cs_base, uint32_t flags,
+                                    HostAddress h, TCGType type, MemOp memop)
-+                                          uint32_t cflags)
+ {
-+{
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
-+    tb_page_addr_t phys_pc;
+                             TCGReg addrlo, TCGReg addrhi,
-+    struct tb_desc desc;
+                             MemOpIdx oi, TCGType data_type)
-+    uint32_t h;
+ {
-+
+-    MemOp opc = get_memop(oi);
-+    desc.env = cpu->env_ptr;
++    TCGLabelQemuLdst *ldst;
-+    desc.cs_base = cs_base;
+     HostAddress h;
-+    desc.flags = flags;
-+    desc.cflags = cflags;
+-#if defined(CONFIG_SOFTMMU)
-+    desc.trace_vcpu_dstate = *cpu->trace_dstate;
+-    tcg_insn_unit *label_ptr[2];
-+    desc.pc = pc;
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
-+    phys_pc = get_page_addr_code(desc.env, pc);
++    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, get_memop(oi));
-+    if (phys_pc == -1) {
-+        return NULL;
+-    tcg_out_tlb_load(s, addrlo, addrhi, get_mmuidx(oi), opc,
-+    }
+-                     label_ptr, offsetof(CPUTLBEntry, addr_read));
-+    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
+-
-+    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
+-    /* TLB Hit.  */
-+    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
+-    h.base = TCG_REG_L1;
-+}
+-    h.index = -1;
-+
+-    h.ofs = 0;
- /* Might cause an exception, so have a longjmp destination ready */
+-    h.seg = 0;
- static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
+-    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, opc);
-                                           target_ulong cs_base,
+-
-@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
+-    /* Record the current context of a load into ldst label */
-     end_exclusive();
+-    add_qemu_ldst_label(s, true, data_type, oi, datalo, datahi,
 -                        addrlo, addrhi, s->code_ptr, label_ptr);
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = datalo;
 +        ldst->datahi_reg = datahi;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -
 -    h = x86_guest_base;
 -    h.base = addrlo;
 -    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, opc);
 -#endif
  }
--struct tb_desc {
+ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg datalo, TCGReg datahi,
--    target_ulong pc;
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
--    target_ulong cs_base;
+                             TCGReg addrlo, TCGReg addrhi,
--    CPUArchState *env;
+                             MemOpIdx oi, TCGType data_type)
 -    tb_page_addr_t phys_page1;
 -    uint32_t flags;
 -    uint32_t cflags;
 -    uint32_t trace_vcpu_dstate;
 -};
 -
 -static bool tb_lookup_cmp(const void *p, const void *d)
 -{
 -    const TranslationBlock *tb = p;
 -    const struct tb_desc *desc = d;
 -
 -    if (tb->pc == desc->pc &&
 -        tb->page_addr[0] == desc->phys_page1 &&
 -        tb->cs_base == desc->cs_base &&
 -        tb->flags == desc->flags &&
 -        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
 -        tb_cflags(tb) == desc->cflags) {
 -        /* check next page if needed */
 -        if (tb->page_addr[1] == -1) {
 -            return true;
 -        } else {
 -            tb_page_addr_t phys_page2;
 -            target_ulong virt_page2;
 -
 -            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
 -            phys_page2 = get_page_addr_code(desc->env, virt_page2);
 -            if (tb->page_addr[1] == phys_page2) {
 -                return true;
 -            }
 -        }
 -    }
 -    return false;
 -}
 -
 -TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
 -                                   target_ulong cs_base, uint32_t flags,
 -                                   uint32_t cflags)
 -{
 -    tb_page_addr_t phys_pc;
 -    struct tb_desc desc;
 -    uint32_t h;
 -
 -    desc.env = cpu->env_ptr;
 -    desc.cs_base = cs_base;
 -    desc.flags = flags;
 -    desc.cflags = cflags;
 -    desc.trace_vcpu_dstate = *cpu->trace_dstate;
 -    desc.pc = pc;
 -    phys_pc = get_page_addr_code(desc.env, pc);
 -    if (phys_pc == -1) {
 -        return NULL;
 -    }
 -    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
 -    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
 -    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
 -}
 -
  void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
  {
-     if (TCG_TARGET_HAS_direct_jump) {
+-    MemOp opc = get_memop(oi);
 +    TCGLabelQemuLdst *ldst;
      HostAddress h;
 -#if defined(CONFIG_SOFTMMU)
 -    tcg_insn_unit *label_ptr[2];
 +    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
 +    tcg_out_qemu_st_direct(s, datalo, datahi, h, get_memop(oi));
 -    tcg_out_tlb_load(s, addrlo, addrhi, get_mmuidx(oi), opc,
 -                     label_ptr, offsetof(CPUTLBEntry, addr_write));
 -
 -    /* TLB Hit.  */
 -    h.base = TCG_REG_L1;
 -    h.index = -1;
 -    h.ofs = 0;
 -    h.seg = 0;
 -    tcg_out_qemu_st_direct(s, datalo, datahi, h, opc);
 -
 -    /* Record the current context of a store into ldst label */
 -    add_qemu_ldst_label(s, false, data_type, oi, datalo, datahi,
 -                        addrlo, addrhi, s->code_ptr, label_ptr);
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = datalo;
 +        ldst->datahi_reg = datahi;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -
 -    h = x86_guest_base;
 -    h.base = addrlo;
 -
 -    tcg_out_qemu_st_direct(s, datalo, datahi, h, opc);
 -#endif
  }
  static void tcg_out_exit_tb(TCGContext *s, uintptr_t a0)
 --
 .34.1

-New patch
+[PULL 12/53] tcg/i386: Use indexed addressing for softmmu fast path
+Since tcg_out_{ld,st}_helper_args, the slow path no longer requires
+the address argument to be set up by the tlb load sequence.  Use a
+plain load for the addend and indexed addressing with the original
+input address register.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/i386/tcg-target.c.inc | 25 ++++++++++---------------
+file changed, 10 insertions(+), 15 deletions(-)
+diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/i386/tcg-target.c.inc
++++ b/tcg/i386/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+         tcg_out_sti(s, TCG_TYPE_PTR, (uintptr_t)l->raddr, TCG_REG_ESP, ofs);
+     } else {
+         tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+-        /* The second argument is already loaded with addrlo.  */
++        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
++                    l->addrlo_reg);
+         tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[2], oi);
+         tcg_out_movi(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[3],
+                      (uintptr_t)l->raddr);
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+         tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP, ofs);
+     } else {
+         tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+-        /* The second argument is already loaded with addrlo.  */
++        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
++                    l->addrlo_reg);
+         tcg_out_mov(s, (s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32),
+                     tcg_target_call_iarg_regs[2], l->datalo_reg);
+         tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], oi);
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+     tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
+                          TCG_REG_L1, TCG_REG_L0, cmp_ofs);
+-    /*
+-     * Prepare for both the fast path add of the tlb addend, and the slow
+-     * path function argument setup.
+-     */
+-    *h = (HostAddress) {
+-        .base = TCG_REG_L1,
+-        .index = -1
+-    };
+-    tcg_out_mov(s, ttype, h->base, addrlo);
+-
+     /* jne slow_path */
+     tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
+     ldst->label_ptr[0] = s->code_ptr;
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+     }
+     /* TLB Hit.  */
++    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
++               offsetof(CPUTLBEntry, addend));
+-    /* add addend(TCG_REG_L0), TCG_REG_L1 */
+-    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, h->base, TCG_REG_L0,
+-                         offsetof(CPUTLBEntry, addend));
++    *h = (HostAddress) {
++        .base = addrlo,
++        .index = TCG_REG_L0,
++    };
+ #else
+     if (a_bits) {
+         ldst = new_ldst_label(s);
+--
+.34.1

-New patch
+[PULL 13/53] tcg/aarch64: Introduce prepare_host_addr
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
+and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
+into one function that returns HostAddress and TCGLabelQemuLdst structures.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/aarch64/tcg-target.c.inc | 313 +++++++++++++++--------------------
+file changed, 133 insertions(+), 180 deletions(-)
+diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/aarch64/tcg-target.c.inc
++++ b/tcg/aarch64/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+     tcg_out_goto(s, lb->raddr);
+     return true;
+ }
+-
+-static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
+-                                TCGType ext, TCGReg data_reg, TCGReg addr_reg,
+-                                tcg_insn_unit *raddr, tcg_insn_unit *label_ptr)
+-{
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
+-
+-    label->is_ld = is_ld;
+-    label->oi = oi;
+-    label->type = ext;
+-    label->datalo_reg = data_reg;
+-    label->addrlo_reg = addr_reg;
+-    label->raddr = tcg_splitwx_to_rx(raddr);
+-    label->label_ptr[0] = label_ptr;
+-}
+-
+-/* We expect to use a 7-bit scaled negative offset from ENV.  */
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -512);
+-
+-/* These offsets are built into the LDP below.  */
+-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
+-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 8);
+-
+-/* Load and compare a TLB entry, emitting the conditional jump to the
+-   slow path for the failure case, which will be patched later when finalizing
+-   the slow path. Generated code returns the host addend in X1,
+-   clobbers X0,X2,X3,TMP. */
+-static void tcg_out_tlb_read(TCGContext *s, TCGReg addr_reg, MemOp opc,
+-                             tcg_insn_unit **label_ptr, int mem_index,
+-                             bool is_read)
+-{
+-    unsigned a_bits = get_alignment_bits(opc);
+-    unsigned s_bits = opc & MO_SIZE;
+-    unsigned a_mask = (1u << a_bits) - 1;
+-    unsigned s_mask = (1u << s_bits) - 1;
+-    TCGReg x3;
+-    TCGType mask_type;
+-    uint64_t compare_mask;
+-
+-    mask_type = (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32
+-                 ? TCG_TYPE_I64 : TCG_TYPE_I32);
+-
+-    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {x0,x1}.  */
+-    tcg_out_insn(s, 3314, LDP, TCG_REG_X0, TCG_REG_X1, TCG_AREG0,
+-                 TLB_MASK_TABLE_OFS(mem_index), 1, 0);
+-
+-    /* Extract the TLB index from the address into X0.  */
+-    tcg_out_insn(s, 3502S, AND_LSR, mask_type == TCG_TYPE_I64,
+-                 TCG_REG_X0, TCG_REG_X0, addr_reg,
+-                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+-
+-    /* Add the tlb_table pointer, creating the CPUTLBEntry address into X1.  */
+-    tcg_out_insn(s, 3502, ADD, 1, TCG_REG_X1, TCG_REG_X1, TCG_REG_X0);
+-
+-    /* Load the tlb comparator into X0, and the fast path addend into X1.  */
+-    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_X0, TCG_REG_X1, is_read
+-               ? offsetof(CPUTLBEntry, addr_read)
+-               : offsetof(CPUTLBEntry, addr_write));
+-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_X1, TCG_REG_X1,
+-               offsetof(CPUTLBEntry, addend));
+-
+-    /* For aligned accesses, we check the first byte and include the alignment
+-       bits within the address.  For unaligned access, we check that we don't
+-       cross pages using the address of the last byte of the access.  */
+-    if (a_bits >= s_bits) {
+-        x3 = addr_reg;
+-    } else {
+-        tcg_out_insn(s, 3401, ADDI, TARGET_LONG_BITS == 64,
+-                     TCG_REG_X3, addr_reg, s_mask - a_mask);
+-        x3 = TCG_REG_X3;
+-    }
+-    compare_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
+-
+-    /* Store the page mask part of the address into X3.  */
+-    tcg_out_logicali(s, I3404_ANDI, TARGET_LONG_BITS == 64,
+-                     TCG_REG_X3, x3, compare_mask);
+-
+-    /* Perform the address comparison. */
+-    tcg_out_cmp(s, TARGET_LONG_BITS == 64, TCG_REG_X0, TCG_REG_X3, 0);
+-
+-    /* If not equal, we jump to the slow path. */
+-    *label_ptr = s->code_ptr;
+-    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+-}
+-
+ #else
+-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
+-                                   unsigned a_bits)
+-{
+-    unsigned a_mask = (1 << a_bits) - 1;
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
+-
+-    label->is_ld = is_ld;
+-    label->addrlo_reg = addr_reg;
+-
+-    /* tst addr, #mask */
+-    tcg_out_logicali(s, I3404_ANDSI, 0, TCG_REG_XZR, addr_reg, a_mask);
+-
+-    label->label_ptr[0] = s->code_ptr;
+-
+-    /* b.ne slow_path */
+-    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+-
+-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
+-}
+-
+ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+     if (!reloc_pc19(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ }
+ #endif /* CONFIG_SOFTMMU */
++/*
++ * For softmmu, perform the TLB load and compare.
++ * For useronly, perform any required alignment tests.
++ * In both cases, return a TCGLabelQemuLdst structure if the slow path
++ * is required and fill in @h with the host address for the fast path.
++ */
++static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
++                                           TCGReg addr_reg, MemOpIdx oi,
++                                           bool is_ld)
++{
++    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
++    TCGLabelQemuLdst *ldst = NULL;
++    MemOp opc = get_memop(oi);
++    unsigned a_bits = get_alignment_bits(opc);
++    unsigned a_mask = (1u << a_bits) - 1;
++
++#ifdef CONFIG_SOFTMMU
++    unsigned s_bits = opc & MO_SIZE;
++    unsigned s_mask = (1u << s_bits) - 1;
++    unsigned mem_index = get_mmuidx(oi);
++    TCGReg x3;
++    TCGType mask_type;
++    uint64_t compare_mask;
++
++    ldst = new_ldst_label(s);
++    ldst->is_ld = is_ld;
++    ldst->oi = oi;
++    ldst->addrlo_reg = addr_reg;
++
++    mask_type = (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32
++                 ? TCG_TYPE_I64 : TCG_TYPE_I32);
++
++    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {x0,x1}.  */
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -512);
++    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
++    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 8);
++    tcg_out_insn(s, 3314, LDP, TCG_REG_X0, TCG_REG_X1, TCG_AREG0,
++                 TLB_MASK_TABLE_OFS(mem_index), 1, 0);
++
++    /* Extract the TLB index from the address into X0.  */
++    tcg_out_insn(s, 3502S, AND_LSR, mask_type == TCG_TYPE_I64,
++                 TCG_REG_X0, TCG_REG_X0, addr_reg,
++                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
++
++    /* Add the tlb_table pointer, creating the CPUTLBEntry address into X1.  */
++    tcg_out_insn(s, 3502, ADD, 1, TCG_REG_X1, TCG_REG_X1, TCG_REG_X0);
++
++    /* Load the tlb comparator into X0, and the fast path addend into X1.  */
++    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_X0, TCG_REG_X1,
++               is_ld ? offsetof(CPUTLBEntry, addr_read)
++                     : offsetof(CPUTLBEntry, addr_write));
++    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_X1, TCG_REG_X1,
++               offsetof(CPUTLBEntry, addend));
++
++    /*
++     * For aligned accesses, we check the first byte and include the alignment
++     * bits within the address.  For unaligned access, we check that we don't
++     * cross pages using the address of the last byte of the access.
++     */
++    if (a_bits >= s_bits) {
++        x3 = addr_reg;
++    } else {
++        tcg_out_insn(s, 3401, ADDI, TARGET_LONG_BITS == 64,
++                     TCG_REG_X3, addr_reg, s_mask - a_mask);
++        x3 = TCG_REG_X3;
++    }
++    compare_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
++
++    /* Store the page mask part of the address into X3.  */
++    tcg_out_logicali(s, I3404_ANDI, TARGET_LONG_BITS == 64,
++                     TCG_REG_X3, x3, compare_mask);
++
++    /* Perform the address comparison. */
++    tcg_out_cmp(s, TARGET_LONG_BITS == 64, TCG_REG_X0, TCG_REG_X3, 0);
++
++    /* If not equal, we jump to the slow path. */
++    ldst->label_ptr[0] = s->code_ptr;
++    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
++
++    *h = (HostAddress){
++        .base = TCG_REG_X1,
++        .index = addr_reg,
++        .index_ext = addr_type
++    };
++#else
++    if (a_mask) {
++        ldst = new_ldst_label(s);
++
++        ldst->is_ld = is_ld;
++        ldst->oi = oi;
++        ldst->addrlo_reg = addr_reg;
++
++        /* tst addr, #mask */
++        tcg_out_logicali(s, I3404_ANDSI, 0, TCG_REG_XZR, addr_reg, a_mask);
++
++        /* b.ne slow_path */
++        ldst->label_ptr[0] = s->code_ptr;
++        tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
++    }
++
++    if (USE_GUEST_BASE) {
++        *h = (HostAddress){
++            .base = TCG_REG_GUEST_BASE,
++            .index = addr_reg,
++            .index_ext = addr_type
++        };
++    } else {
++        *h = (HostAddress){
++            .base = addr_reg,
++            .index = TCG_REG_XZR,
++            .index_ext = TCG_TYPE_I64
++        };
++    }
++#endif
++
++    return ldst;
++}
++
+ static void tcg_out_qemu_ld_direct(TCGContext *s, MemOp memop, TCGType ext,
+                                    TCGReg data_r, HostAddress h)
+ {
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp memop,
+ static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
+                             MemOpIdx oi, TCGType data_type)
+ {
+-    MemOp memop = get_memop(oi);
+-    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-    /* Byte swapping is left to middle-end expansion. */
+-    tcg_debug_assert((memop & MO_BSWAP) == 0);
++    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
++    tcg_out_qemu_ld_direct(s, get_memop(oi), data_type, data_reg, h);
+-#ifdef CONFIG_SOFTMMU
+-    tcg_insn_unit *label_ptr;
+-
+-    tcg_out_tlb_read(s, addr_reg, memop, &label_ptr, get_mmuidx(oi), 1);
+-
+-    h = (HostAddress){
+-        .base = TCG_REG_X1,
+-        .index = addr_reg,
+-        .index_ext = addr_type
+-    };
+-    tcg_out_qemu_ld_direct(s, memop, data_type, data_reg, h);
+-
+-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
+-                        s->code_ptr, label_ptr);
+-#else /* !CONFIG_SOFTMMU */
+-    unsigned a_bits = get_alignment_bits(memop);
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = data_reg;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+     }
+-    if (USE_GUEST_BASE) {
+-        h = (HostAddress){
+-            .base = TCG_REG_GUEST_BASE,
+-            .index = addr_reg,
+-            .index_ext = addr_type
+-        };
+-    } else {
+-        h = (HostAddress){
+-            .base = addr_reg,
+-            .index = TCG_REG_XZR,
+-            .index_ext = TCG_TYPE_I64
+-        };
+-    }
+-    tcg_out_qemu_ld_direct(s, memop, data_type, data_reg, h);
+-#endif /* CONFIG_SOFTMMU */
+ }
+ static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
+                             MemOpIdx oi, TCGType data_type)
+ {
+-    MemOp memop = get_memop(oi);
+-    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-    /* Byte swapping is left to middle-end expansion. */
+-    tcg_debug_assert((memop & MO_BSWAP) == 0);
++    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
++    tcg_out_qemu_st_direct(s, get_memop(oi), data_reg, h);
+-#ifdef CONFIG_SOFTMMU
+-    tcg_insn_unit *label_ptr;
+-
+-    tcg_out_tlb_read(s, addr_reg, memop, &label_ptr, get_mmuidx(oi), 0);
+-
+-    h = (HostAddress){
+-        .base = TCG_REG_X1,
+-        .index = addr_reg,
+-        .index_ext = addr_type
+-    };
+-    tcg_out_qemu_st_direct(s, memop, data_reg, h);
+-
+-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
+-                        s->code_ptr, label_ptr);
+-#else /* !CONFIG_SOFTMMU */
+-    unsigned a_bits = get_alignment_bits(memop);
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = data_reg;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+     }
+-    if (USE_GUEST_BASE) {
+-        h = (HostAddress){
+-            .base = TCG_REG_GUEST_BASE,
+-            .index = addr_reg,
+-            .index_ext = addr_type
+-        };
+-    } else {
+-        h = (HostAddress){
+-            .base = addr_reg,
+-            .index = TCG_REG_XZR,
+-            .index_ext = TCG_TYPE_I64
+-        };
+-    }
+-    tcg_out_qemu_st_direct(s, memop, data_reg, h);
+-#endif /* CONFIG_SOFTMMU */
+ }
+ static const tcg_insn_unit *tb_ret_addr;
+--
+.34.1

-New patch
+[PULL 14/53] tcg/arm: Introduce prepare_host_addr
+Merge tcg_out_tlb_load, add_qemu_ldst_label, and some code that lived
+in both tcg_out_qemu_ld and tcg_out_qemu_st into one function that
+returns HostAddress and TCGLabelQemuLdst structures.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/arm/tcg-target.c.inc | 351 ++++++++++++++++++---------------------
+file changed, 159 insertions(+), 192 deletions(-)
+diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/arm/tcg-target.c.inc
++++ b/tcg/arm/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg,
+     }
+ }
+-#define TLB_SHIFT    (CPU_TLB_ENTRY_BITS + CPU_TLB_BITS)
+-
+-/* We expect to use an 9-bit sign-magnitude negative offset from ENV.  */
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -256);
+-
+-/* These offsets are built into the LDRD below.  */
+-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
+-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 4);
+-
+-/* Load and compare a TLB entry, leaving the flags set.  Returns the register
+-   containing the addend of the tlb entry.  Clobbers R0, R1, R2, TMP.  */
+-
+-static TCGReg tcg_out_tlb_read(TCGContext *s, TCGReg addrlo, TCGReg addrhi,
+-                               MemOp opc, int mem_index, bool is_load)
+-{
+-    int cmp_off = (is_load ? offsetof(CPUTLBEntry, addr_read)
+-                   : offsetof(CPUTLBEntry, addr_write));
+-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+-    unsigned s_mask = (1 << (opc & MO_SIZE)) - 1;
+-    unsigned a_mask = (1 << get_alignment_bits(opc)) - 1;
+-    TCGReg t_addr;
+-
+-    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {r0,r1}.  */
+-    tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_AREG0, fast_off);
+-
+-    /* Extract the tlb index from the address into R0.  */
+-    tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_R0, addrlo,
+-                    SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
+-
+-    /*
+-     * Add the tlb_table pointer, creating the CPUTLBEntry address in R1.
+-     * Load the tlb comparator into R2/R3 and the fast path addend into R1.
+-     */
+-    if (cmp_off == 0) {
+-        if (TARGET_LONG_BITS == 64) {
+-            tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+-        } else {
+-            tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+-        }
+-    } else {
+-        tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
+-                        TCG_REG_R1, TCG_REG_R1, TCG_REG_R0, 0);
+-        if (TARGET_LONG_BITS == 64) {
+-            tcg_out_ldrd_8(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
+-        } else {
+-            tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
+-        }
+-    }
+-
+-    /* Load the tlb addend.  */
+-    tcg_out_ld32_12(s, COND_AL, TCG_REG_R1, TCG_REG_R1,
+-                    offsetof(CPUTLBEntry, addend));
+-
+-    /*
+-     * Check alignment, check comparators.
+-     * Do this in 2-4 insns.  Use MOVW for v7, if possible,
+-     * to reduce the number of sequential conditional instructions.
+-     * Almost all guests have at least 4k pages, which means that we need
+-     * to clear at least 9 bits even for an 8-byte memory, which means it
+-     * isn't worth checking for an immediate operand for BIC.
+-     *
+-     * For unaligned accesses, test the page of the last unit of alignment.
+-     * This leaves the least significant alignment bits unchanged, and of
+-     * course must be zero.
+-     */
+-    t_addr = addrlo;
+-    if (a_mask < s_mask) {
+-        t_addr = TCG_REG_R0;
+-        tcg_out_dat_imm(s, COND_AL, ARITH_ADD, t_addr,
+-                        addrlo, s_mask - a_mask);
+-    }
+-    if (use_armv7_instructions && TARGET_PAGE_BITS <= 16) {
+-        tcg_out_movi32(s, COND_AL, TCG_REG_TMP, ~(TARGET_PAGE_MASK | a_mask));
+-        tcg_out_dat_reg(s, COND_AL, ARITH_BIC, TCG_REG_TMP,
+-                        t_addr, TCG_REG_TMP, 0);
+-        tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R2, TCG_REG_TMP, 0);
+-    } else {
+-        if (a_mask) {
+-            tcg_debug_assert(a_mask <= 0xff);
+-            tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
+-        }
+-        tcg_out_dat_reg(s, COND_AL, ARITH_MOV, TCG_REG_TMP, 0, t_addr,
+-                        SHIFT_IMM_LSR(TARGET_PAGE_BITS));
+-        tcg_out_dat_reg(s, (a_mask ? COND_EQ : COND_AL), ARITH_CMP,
+-                        0, TCG_REG_R2, TCG_REG_TMP,
+-                        SHIFT_IMM_LSL(TARGET_PAGE_BITS));
+-    }
+-
+-    if (TARGET_LONG_BITS == 64) {
+-        tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, TCG_REG_R3, addrhi, 0);
+-    }
+-
+-    return TCG_REG_R1;
+-}
+-
+-/* Record the context of a call to the out of line helper code for the slow
+-   path for a load or store, so that we can later generate the correct
+-   helper code.  */
+-static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
+-                                MemOpIdx oi, TCGType type,
+-                                TCGReg datalo, TCGReg datahi,
+-                                TCGReg addrlo, TCGReg addrhi,
+-                                tcg_insn_unit *raddr,
+-                                tcg_insn_unit *label_ptr)
+-{
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
+-
+-    label->is_ld = is_ld;
+-    label->oi = oi;
+-    label->type = type;
+-    label->datalo_reg = datalo;
+-    label->datahi_reg = datahi;
+-    label->addrlo_reg = addrlo;
+-    label->addrhi_reg = addrhi;
+-    label->raddr = tcg_splitwx_to_rx(raddr);
+-    label->label_ptr[0] = label_ptr;
+-}
+-
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+     TCGReg argreg;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+     return true;
+ }
+ #else
+-
+-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
+-                                   TCGReg addrhi, unsigned a_bits)
+-{
+-    unsigned a_mask = (1 << a_bits) - 1;
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
+-
+-    label->is_ld = is_ld;
+-    label->addrlo_reg = addrlo;
+-    label->addrhi_reg = addrhi;
+-
+-    /* We are expecting a_bits to max out at 7, and can easily support 8. */
+-    tcg_debug_assert(a_mask <= 0xff);
+-    /* tst addr, #mask */
+-    tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
+-
+-    /* blne slow_path */
+-    label->label_ptr[0] = s->code_ptr;
+-    tcg_out_bl_imm(s, COND_NE, 0);
+-
+-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
+-}
+-
+ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+     if (!reloc_pc24(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ }
+ #endif /* SOFTMMU */
++static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
++                                           TCGReg addrlo, TCGReg addrhi,
++                                           MemOpIdx oi, bool is_ld)
++{
++    TCGLabelQemuLdst *ldst = NULL;
++    MemOp opc = get_memop(oi);
++    MemOp a_bits = get_alignment_bits(opc);
++    unsigned a_mask = (1 << a_bits) - 1;
++
++#ifdef CONFIG_SOFTMMU
++    int mem_index = get_mmuidx(oi);
++    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
++                        : offsetof(CPUTLBEntry, addr_write);
++    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
++    unsigned s_mask = (1 << (opc & MO_SIZE)) - 1;
++    TCGReg t_addr;
++
++    ldst = new_ldst_label(s);
++    ldst->is_ld = is_ld;
++    ldst->oi = oi;
++    ldst->addrlo_reg = addrlo;
++    ldst->addrhi_reg = addrhi;
++
++    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {r0,r1}.  */
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -256);
++    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
++    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 4);
++    tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_AREG0, fast_off);
++
++    /* Extract the tlb index from the address into R0.  */
++    tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_R0, addrlo,
++                    SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
++
++    /*
++     * Add the tlb_table pointer, creating the CPUTLBEntry address in R1.
++     * Load the tlb comparator into R2/R3 and the fast path addend into R1.
++     */
++    if (cmp_off == 0) {
++        if (TARGET_LONG_BITS == 64) {
++            tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
++        } else {
++            tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
++        }
++    } else {
++        tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
++                        TCG_REG_R1, TCG_REG_R1, TCG_REG_R0, 0);
++        if (TARGET_LONG_BITS == 64) {
++            tcg_out_ldrd_8(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
++        } else {
++            tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
++        }
++    }
++
++    /* Load the tlb addend.  */
++    tcg_out_ld32_12(s, COND_AL, TCG_REG_R1, TCG_REG_R1,
++                    offsetof(CPUTLBEntry, addend));
++
++    /*
++     * Check alignment, check comparators.
++     * Do this in 2-4 insns.  Use MOVW for v7, if possible,
++     * to reduce the number of sequential conditional instructions.
++     * Almost all guests have at least 4k pages, which means that we need
++     * to clear at least 9 bits even for an 8-byte memory, which means it
++     * isn't worth checking for an immediate operand for BIC.
++     *
++     * For unaligned accesses, test the page of the last unit of alignment.
++     * This leaves the least significant alignment bits unchanged, and of
++     * course must be zero.
++     */
++    t_addr = addrlo;
++    if (a_mask < s_mask) {
++        t_addr = TCG_REG_R0;
++        tcg_out_dat_imm(s, COND_AL, ARITH_ADD, t_addr,
++                        addrlo, s_mask - a_mask);
++    }
++    if (use_armv7_instructions && TARGET_PAGE_BITS <= 16) {
++        tcg_out_movi32(s, COND_AL, TCG_REG_TMP, ~(TARGET_PAGE_MASK | a_mask));
++        tcg_out_dat_reg(s, COND_AL, ARITH_BIC, TCG_REG_TMP,
++                        t_addr, TCG_REG_TMP, 0);
++        tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R2, TCG_REG_TMP, 0);
++    } else {
++        if (a_mask) {
++            tcg_debug_assert(a_mask <= 0xff);
++            tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
++        }
++        tcg_out_dat_reg(s, COND_AL, ARITH_MOV, TCG_REG_TMP, 0, t_addr,
++                        SHIFT_IMM_LSR(TARGET_PAGE_BITS));
++        tcg_out_dat_reg(s, (a_mask ? COND_EQ : COND_AL), ARITH_CMP,
++                        0, TCG_REG_R2, TCG_REG_TMP,
++                        SHIFT_IMM_LSL(TARGET_PAGE_BITS));
++    }
++
++    if (TARGET_LONG_BITS == 64) {
++        tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, TCG_REG_R3, addrhi, 0);
++    }
++
++    *h = (HostAddress){
++        .cond = COND_AL,
++        .base = addrlo,
++        .index = TCG_REG_R1,
++        .index_scratch = true,
++    };
++#else
++    if (a_mask) {
++        ldst = new_ldst_label(s);
++        ldst->is_ld = is_ld;
++        ldst->oi = oi;
++        ldst->addrlo_reg = addrlo;
++        ldst->addrhi_reg = addrhi;
++
++        /* We are expecting a_bits to max out at 7 */
++        tcg_debug_assert(a_mask <= 0xff);
++        /* tst addr, #mask */
++        tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
++    }
++
++    *h = (HostAddress){
++        .cond = COND_AL,
++        .base = addrlo,
++        .index = guest_base ? TCG_REG_GUEST_BASE : -1,
++        .index_scratch = false,
++    };
++#endif
++
++    return ldst;
++}
++
+ static void tcg_out_qemu_ld_direct(TCGContext *s, MemOp opc, TCGReg datalo,
+                                    TCGReg datahi, HostAddress h)
+ {
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
+                             MemOpIdx oi, TCGType data_type)
+ {
+     MemOp opc = get_memop(oi);
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-#ifdef CONFIG_SOFTMMU
+-    h.cond = COND_AL;
+-    h.base = addrlo;
+-    h.index_scratch = true;
+-    h.index = tcg_out_tlb_read(s, addrlo, addrhi, opc, get_mmuidx(oi), 1);
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = datalo;
++        ldst->datahi_reg = datahi;
+-    /*
+-     * This a conditional BL only to load a pointer within this opcode into
+-     * LR for the slow path.  We will not be using the value for a tail call.
+-     */
+-    tcg_insn_unit *label_ptr = s->code_ptr;
+-    tcg_out_bl_imm(s, COND_NE, 0);
++        /*
++         * This a conditional BL only to load a pointer within this
++         * opcode into LR for the slow path.  We will not be using
++         * the value for a tail call.
++         */
++        ldst->label_ptr[0] = s->code_ptr;
++        tcg_out_bl_imm(s, COND_NE, 0);
+-    tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
+-
+-    add_qemu_ldst_label(s, true, oi, data_type, datalo, datahi,
+-                        addrlo, addrhi, s->code_ptr, label_ptr);
+-#else
+-    unsigned a_bits = get_alignment_bits(opc);
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
++        tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
++    } else {
++        tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
+     }
+-
+-    h.cond = COND_AL;
+-    h.base = addrlo;
+-    h.index = guest_base ? TCG_REG_GUEST_BASE : -1;
+-    h.index_scratch = false;
+-    tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
+-#endif
+ }
+ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg datalo,
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
+                             MemOpIdx oi, TCGType data_type)
+ {
+     MemOp opc = get_memop(oi);
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-#ifdef CONFIG_SOFTMMU
+-    h.cond = COND_EQ;
+-    h.base = addrlo;
+-    h.index_scratch = true;
+-    h.index = tcg_out_tlb_read(s, addrlo, addrhi, opc, get_mmuidx(oi), 0);
+-    tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = datalo;
++        ldst->datahi_reg = datahi;
+-    /* The conditional call must come last, as we're going to return here.  */
+-    tcg_insn_unit *label_ptr = s->code_ptr;
+-    tcg_out_bl_imm(s, COND_NE, 0);
+-
+-    add_qemu_ldst_label(s, false, oi, data_type, datalo, datahi,
+-                        addrlo, addrhi, s->code_ptr, label_ptr);
+-#else
+-    unsigned a_bits = get_alignment_bits(opc);
+-
+-    h.cond = COND_AL;
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
+         h.cond = COND_EQ;
+-    }
++        tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
+-    h.base = addrlo;
+-    h.index = guest_base ? TCG_REG_GUEST_BASE : -1;
+-    h.index_scratch = false;
+-    tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
+-#endif
++        /* The conditional call is last, as we're going to return here. */
++        ldst->label_ptr[0] = s->code_ptr;
++        tcg_out_bl_imm(s, COND_NE, 0);
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
++    } else {
++        tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
++    }
+ }
+ static void tcg_out_epilogue(TCGContext *s);
+--
+.34.1

-[PULL 08/20] accel/tcg: Properly implement get_page_addr_code for user-only
+[PULL 15/53] tcg/loongarch64: Introduce prepare_host_addr
-The current implementation is a no-op, simply returning addr.
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
-This is incorrect, because we ought to be checking the page
+tcg_out_zext_addr_if_32_bit, and some code that lived in both
-permissions for execution.
+tcg_out_qemu_ld and tcg_out_qemu_st into one function that returns
 HostAddress and TCGLabelQemuLdst structures.
-Make get_page_addr_code inline for both implementations.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Acked-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/exec-all.h | 85 ++++++++++++++---------------------------
+ tcg/loongarch64/tcg-target.c.inc | 255 +++++++++++++------------------
- accel/tcg/cputlb.c      |  5 ---
+file changed, 105 insertions(+), 150 deletions(-)
  accel/tcg/user-exec.c   | 14 +++++++
 files changed, 42 insertions(+), 62 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/tcg/loongarch64/tcg-target.c.inc
-+++ b/include/exec/exec-all.h
++++ b/tcg/loongarch64/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ struct MemoryRegionSection *iotlb_to_section(CPUState *cpu,
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[4] = {
-                                              hwaddr index, MemTxAttrs attrs);
+     [MO_64] = helper_le_stq_mmu,
- #endif
+ };
--#if defined(CONFIG_USER_ONLY)
+-/* We expect to use a 12-bit negative offset from ENV.  */
--void mmap_lock(void);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
--void mmap_unlock(void);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
--bool have_mmap_lock(void);
+-
--
+ static bool tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
- /**
+ {
-- * get_page_addr_code() - user-mode version
+     tcg_out_opc_b(s, 0);
-+ * get_page_addr_code_hostp()
+     return reloc_br_sd10k16(s->code_ptr - 1, target);
   * @env: CPUArchState
   * @addr: guest virtual address of guest code
   *
 - * Returns @addr.
 + * See get_page_addr_code() (full-system version) for documentation on the
 + * return value.
 + *
 + * Sets *@hostp (when @hostp is non-NULL) as follows.
 + * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
 + * to the host address where @addr's content is kept.
 + *
 + * Note: this function can trigger an exception.
 + */
 +tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
 +                                        void **hostp);
 +
 +/**
 + * get_page_addr_code()
 + * @env: CPUArchState
 + * @addr: guest virtual address of guest code
 + *
 + * If we cannot translate and execute from the entire RAM page, or if
 + * the region is not backed by RAM, returns -1. Otherwise, returns the
 + * ram_addr_t corresponding to the guest code at @addr.
 + *
 + * Note: this function can trigger an exception.
   */
  static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
                                                  target_ulong addr)
  {
 -    return addr;
 +    return get_page_addr_code_hostp(env, addr, NULL);
  }
--/**
+-/*
-- * get_page_addr_code_hostp() - user-mode version
+- * Emits common code for TLB addend lookup, that eventually loads the
-- * @env: CPUArchState
+- * addend in TCG_REG_TMP2.
-- * @addr: guest virtual address of guest code
+- */
 -static void tcg_out_tlb_load(TCGContext *s, TCGReg addrl, MemOpIdx oi,
 -                             tcg_insn_unit **label_ptr, bool is_load)
 -{
 -    MemOp opc = get_memop(oi);
 -    unsigned s_bits = opc & MO_SIZE;
 -    unsigned a_bits = get_alignment_bits(opc);
 -    tcg_target_long compare_mask;
 -    int mem_index = get_mmuidx(oi);
 -    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
 -    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
 -    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
 -
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, TCG_AREG0, mask_ofs);
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, table_ofs);
 -
 -    tcg_out_opc_srli_d(s, TCG_REG_TMP2, addrl,
 -                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -    tcg_out_opc_and(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
 -    tcg_out_opc_add_d(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
 -
 -    /* Load the tlb comparator and the addend.  */
 -    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
 -               is_load ? offsetof(CPUTLBEntry, addr_read)
 -               : offsetof(CPUTLBEntry, addr_write));
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
 -               offsetof(CPUTLBEntry, addend));
 -
 -    /* We don't support unaligned accesses.  */
 -    if (a_bits < s_bits) {
 -        a_bits = s_bits;
 -    }
 -    /* Clear the non-page, non-alignment bits from the address.  */
 -    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
 -    tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
 -    tcg_out_opc_and(s, TCG_REG_TMP1, TCG_REG_TMP1, addrl);
 -
 -    /* Compare masked address with the TLB entry.  */
 -    label_ptr[0] = s->code_ptr;
 -    tcg_out_opc_bne(s, TCG_REG_TMP0, TCG_REG_TMP1, 0);
 -
 -    /* TLB Hit - addend in TCG_REG_TMP2, ready for use.  */
 -}
 -
 -static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
 -                                TCGType type,
 -                                TCGReg datalo, TCGReg addrlo,
 -                                void *raddr, tcg_insn_unit **label_ptr)
 -{
 -    TCGLabelQemuLdst *label = new_ldst_label(s);
 -
 -    label->is_ld = is_ld;
 -    label->oi = oi;
 -    label->type = type;
 -    label->datalo_reg = datalo;
 -    label->datahi_reg = 0; /* unused */
 -    label->addrlo_reg = addrlo;
 -    label->addrhi_reg = 0; /* unused */
 -    label->raddr = tcg_splitwx_to_rx(raddr);
 -    label->label_ptr[0] = label_ptr[0];
 -}
 -
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
      MemOpIdx oi = l->oi;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
      return tcg_out_goto(s, l->raddr);
  }
  #else
 -
 -/*
 - * Alignment helpers for user-mode emulation
 - */
 -
 -static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
 -                                   unsigned a_bits)
 -{
 -    TCGLabelQemuLdst *l = new_ldst_label(s);
 -
 -    l->is_ld = is_ld;
 -    l->addrlo_reg = addr_reg;
 -
 -    /*
 -     * Without micro-architecture details, we don't know which of bstrpick or
 -     * andi is faster, so use bstrpick as it's not constrained by imm field
 -     * width. (Not to say alignments >= 2^12 are going to happen any time
 -     * soon, though)
 -     */
 -    tcg_out_opc_bstrpick_d(s, TCG_REG_TMP1, addr_reg, 0, a_bits - 1);
 -
 -    l->label_ptr[0] = s->code_ptr;
 -    tcg_out_opc_bne(s, TCG_REG_TMP1, TCG_REG_ZERO, 0);
 -
 -    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
 -}
 -
  static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
  {
      /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  #endif /* CONFIG_SOFTMMU */
 -/*
 - * `ext32u` the address register into the temp register given,
 - * if target is 32-bit, no-op otherwise.
 - *
-- * Returns @addr.
+- * Returns the address register ready for use with TLB addend.
 - *
 - * If @hostp is non-NULL, sets *@hostp to the host address where @addr's content
 - * is kept.
 - */
--static inline tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env,
+-static TCGReg tcg_out_zext_addr_if_32_bit(TCGContext *s,
--                                                      target_ulong addr,
+-                                          TCGReg addr, TCGReg tmp)
 -                                                      void **hostp)
 -{
--    if (hostp) {
+-    if (TARGET_LONG_BITS == 32) {
--        *hostp = g2h_untagged(addr);
+-        tcg_out_ext32u(s, tmp, addr);
 -        return tmp;
 -    }
 -    return addr;
 -}
-+#if defined(CONFIG_USER_ONLY)
+-
-+void mmap_lock(void);
+ typedef struct {
-+void mmap_unlock(void);
+     TCGReg base;
-+bool have_mmap_lock(void);
+     TCGReg index;
+ } HostAddress;
- /**
-  * adjust_signal_pc:
++/*
-@@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
++ * For softmmu, perform the TLB load and compare.
- static inline void mmap_lock(void) {}
++ * For useronly, perform any required alignment tests.
- static inline void mmap_unlock(void) {}
++ * In both cases, return a TCGLabelQemuLdst structure if the slow path
++ * is required and fill in @h with the host address for the fast path.
--/**
++ */
-- * get_page_addr_code() - full-system version
++static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
-- * @env: CPUArchState
++                                           TCGReg addr_reg, MemOpIdx oi,
-- * @addr: guest virtual address of guest code
++                                           bool is_ld)
-- *
++{
-- * If we cannot translate and execute from the entire RAM page, or if
++    TCGLabelQemuLdst *ldst = NULL;
-- * the region is not backed by RAM, returns -1. Otherwise, returns the
++    MemOp opc = get_memop(oi);
-- * ram_addr_t corresponding to the guest code at @addr.
++    unsigned a_bits = get_alignment_bits(opc);
-- *
++
-- * Note: this function can trigger an exception.
++#ifdef CONFIG_SOFTMMU
-- */
++    unsigned s_bits = opc & MO_SIZE;
--tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr);
++    int mem_index = get_mmuidx(oi);
--
++    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
--/**
++    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
-- * get_page_addr_code_hostp() - full-system version
++    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
-- * @env: CPUArchState
++    tcg_target_long compare_mask;
-- * @addr: guest virtual address of guest code
++
-- *
++    ldst = new_ldst_label(s);
-- * See get_page_addr_code() (full-system version) for documentation on the
++    ldst->is_ld = is_ld;
-- * return value.
++    ldst->oi = oi;
-- *
++    ldst->addrlo_reg = addr_reg;
-- * Sets *@hostp (when @hostp is non-NULL) as follows.
++
-- * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-- * to the host address where @addr's content is kept.
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
-- *
++    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, TCG_AREG0, mask_ofs);
-- * Note: this function can trigger an exception.
++    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, table_ofs);
-- */
++
--tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
++    tcg_out_opc_srli_d(s, TCG_REG_TMP2, addr_reg,
--                                        void **hostp);
++                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
--
++    tcg_out_opc_and(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
- void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
++    tcg_out_opc_add_d(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
- void tlb_set_dirty(CPUState *cpu, target_ulong vaddr);
++
++    /* Load the tlb comparator and the addend.  */
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
++    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
-index XXXXXXX..XXXXXXX 100644
++               is_ld ? offsetof(CPUTLBEntry, addr_read)
---- a/accel/tcg/cputlb.c
++                     : offsetof(CPUTLBEntry, addr_write));
-+++ b/accel/tcg/cputlb.c
++    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
-@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
++               offsetof(CPUTLBEntry, addend));
-     return qemu_ram_addr_from_host_nofail(p);
++
 +    /* We don't support unaligned accesses.  */
 +    if (a_bits < s_bits) {
 +        a_bits = s_bits;
 +    }
 +    /* Clear the non-page, non-alignment bits from the address.  */
 +    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
 +    tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
 +    tcg_out_opc_and(s, TCG_REG_TMP1, TCG_REG_TMP1, addr_reg);
 +
 +    /* Compare masked address with the TLB entry.  */
 +    ldst->label_ptr[0] = s->code_ptr;
 +    tcg_out_opc_bne(s, TCG_REG_TMP0, TCG_REG_TMP1, 0);
 +
 +    h->index = TCG_REG_TMP2;
 +#else
 +    if (a_bits) {
 +        ldst = new_ldst_label(s);
 +
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addr_reg;
 +
 +        /*
 +         * Without micro-architecture details, we don't know which of
 +         * bstrpick or andi is faster, so use bstrpick as it's not
 +         * constrained by imm field width. Not to say alignments >= 2^12
 +         * are going to happen any time soon.
 +         */
 +        tcg_out_opc_bstrpick_d(s, TCG_REG_TMP1, addr_reg, 0, a_bits - 1);
 +
 +        ldst->label_ptr[0] = s->code_ptr;
 +        tcg_out_opc_bne(s, TCG_REG_TMP1, TCG_REG_ZERO, 0);
 +    }
 +
 +    h->index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
 +#endif
 +
 +    if (TARGET_LONG_BITS == 32) {
 +        h->base = TCG_REG_TMP0;
 +        tcg_out_ext32u(s, h->base, addr_reg);
 +    } else {
 +        h->base = addr_reg;
 +    }
 +
 +    return ldst;
 +}
 +
  static void tcg_out_qemu_ld_indexed(TCGContext *s, MemOp opc, TCGType type,
                                      TCGReg rd, HostAddress h)
  {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_indexed(TCGContext *s, MemOp opc, TCGType type,
  static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                              MemOpIdx oi, TCGType data_type)
  {
 -    MemOp opc = get_memop(oi);
 +    TCGLabelQemuLdst *ldst;
      HostAddress h;
 -#ifdef CONFIG_SOFTMMU
 -    tcg_insn_unit *label_ptr[1];
 +    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
 +    tcg_out_qemu_ld_indexed(s, get_memop(oi), data_type, data_reg, h);
 -    tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 1);
 -    h.index = TCG_REG_TMP2;
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, true, addr_reg, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = data_reg;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    h.index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
 -#endif
 -
 -    h.base = tcg_out_zext_addr_if_32_bit(s, addr_reg, TCG_REG_TMP0);
 -    tcg_out_qemu_ld_indexed(s, opc, data_type, data_reg, h);
 -
 -#ifdef CONFIG_SOFTMMU
 -    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
 -                        s->code_ptr, label_ptr);
 -#endif
  }
--tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
+ static void tcg_out_qemu_st_indexed(TCGContext *s, MemOp opc,
--{
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_indexed(TCGContext *s, MemOp opc,
--    return get_page_addr_code_hostp(env, addr, NULL);
+ static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
--}
+                             MemOpIdx oi, TCGType data_type)
--
+ {
- static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
+-    MemOp opc = get_memop(oi);
-                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
++    TCGLabelQemuLdst *ldst;
- {
+     HostAddress h;
-diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
-index XXXXXXX..XXXXXXX 100644
+-#ifdef CONFIG_SOFTMMU
---- a/accel/tcg/user-exec.c
+-    tcg_insn_unit *label_ptr[1];
-+++ b/accel/tcg/user-exec.c
++    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
-@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
++    tcg_out_qemu_st_indexed(s, get_memop(oi), data_reg, h);
-     return size ? g2h(env_cpu(env), addr) : NULL;
 -    tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 0);
 -    h.index = TCG_REG_TMP2;
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, false, addr_reg, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = data_reg;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    h.index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
 -#endif
 -
 -    h.base = tcg_out_zext_addr_if_32_bit(s, addr_reg, TCG_REG_TMP0);
 -    tcg_out_qemu_st_indexed(s, opc, data_reg, h);
 -
 -#ifdef CONFIG_SOFTMMU
 -    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
 -                        s->code_ptr, label_ptr);
 -#endif
  }
-+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-+                                        void **hostp)
-+{
-+    int flags;
-+
-+    flags = probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0);
-+    g_assert(flags == 0);
-+
-+    if (hostp) {
-+        *hostp = g2h_untagged(addr);
-+    }
-+    return addr;
-+}
-+
- /* The softmmu versions of these helpers are in cputlb.c.  */
  /*
 --
 .34.1

-[PULL 02/20] linux-user/hppa: Allocate page zero as a commpage
+[PULL 16/53] tcg/mips: Introduce prepare_host_addr
-We're about to start validating PAGE_EXEC, which means that we've
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
-got to mark page zero executable.  We had been special casing this
+and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
-entirely within translate.
+into one function that returns HostAddress and TCGLabelQemuLdst structures.
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- linux-user/elfload.c | 34 +++++++++++++++++++++++++++++++---
+ tcg/mips/tcg-target.c.inc | 404 ++++++++++++++++----------------------
-file changed, 31 insertions(+), 3 deletions(-)
+file changed, 172 insertions(+), 232 deletions(-)
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/elfload.c
+--- a/tcg/mips/tcg-target.c.inc
-+++ b/linux-user/elfload.c
++++ b/tcg/mips/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
+@@ -XXX,XX +XXX,XX @@ static int tcg_out_call_iarg_reg2(TCGContext *s, int i, TCGReg al, TCGReg ah)
-     regs->gr[31] = infop->entry;
+     return i;
  }
-+#define LO_COMMPAGE  0
+-/* We expect to use a 16-bit negative offset from ENV.  */
-+
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-+static bool init_guest_commpage(void)
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
 -
 -/*
 - * Perform the tlb comparison operation.
 - * The complete host address is placed in BASE.
 - * Clobbers TMP0, TMP1, TMP2, TMP3.
 - */
 -static void tcg_out_tlb_load(TCGContext *s, TCGReg base, TCGReg addrl,
 -                             TCGReg addrh, MemOpIdx oi,
 -                             tcg_insn_unit *label_ptr[2], bool is_load)
 -{
 -    MemOp opc = get_memop(oi);
 -    unsigned a_bits = get_alignment_bits(opc);
 -    unsigned s_bits = opc & MO_SIZE;
 -    unsigned a_mask = (1 << a_bits) - 1;
 -    unsigned s_mask = (1 << s_bits) - 1;
 -    int mem_index = get_mmuidx(oi);
 -    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
 -    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
 -    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
 -    int add_off = offsetof(CPUTLBEntry, addend);
 -    int cmp_off = (is_load ? offsetof(CPUTLBEntry, addr_read)
 -                   : offsetof(CPUTLBEntry, addr_write));
 -    target_ulong tlb_mask;
 -
 -    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP0, TCG_AREG0, mask_off);
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP1, TCG_AREG0, table_off);
 -
 -    /* Extract the TLB index from the address into TMP3.  */
 -    tcg_out_opc_sa(s, ALIAS_TSRL, TCG_TMP3, addrl,
 -                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -    tcg_out_opc_reg(s, OPC_AND, TCG_TMP3, TCG_TMP3, TCG_TMP0);
 -
 -    /* Add the tlb_table pointer, creating the CPUTLBEntry address in TMP3.  */
 -    tcg_out_opc_reg(s, ALIAS_PADD, TCG_TMP3, TCG_TMP3, TCG_TMP1);
 -
 -    /* Load the (low-half) tlb comparator.  */
 -    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
 -    } else {
 -        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
 -                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
 -                     TCG_TMP0, TCG_TMP3, cmp_off);
 -    }
 -
 -    /* Zero extend a 32-bit guest address for a 64-bit host. */
 -    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 -        tcg_out_ext32u(s, base, addrl);
 -        addrl = base;
 -    }
 -
 -    /*
 -     * Mask the page bits, keeping the alignment bits to compare against.
 -     * For unaligned accesses, compare against the end of the access to
 -     * verify that it does not cross a page boundary.
 -     */
 -    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
 -    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
 -    if (a_mask >= s_mask) {
 -        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrl);
 -    } else {
 -        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrl, s_mask - a_mask);
 -        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
 -    }
 -
 -    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
 -        /* Load the tlb addend for the fast path.  */
 -        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
 -    }
 -
 -    label_ptr[0] = s->code_ptr;
 -    tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
 -
 -    /* Load and test the high half tlb comparator.  */
 -    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -        /* delay slot */
 -        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
 -
 -        /* Load the tlb addend for the fast path.  */
 -        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
 -
 -        label_ptr[1] = s->code_ptr;
 -        tcg_out_opc_br(s, OPC_BNE, addrh, TCG_TMP0);
 -    }
 -
 -    /* delay slot */
 -    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrl);
 -}
 -
 -static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
 -                                TCGType ext,
 -                                TCGReg datalo, TCGReg datahi,
 -                                TCGReg addrlo, TCGReg addrhi,
 -                                void *raddr, tcg_insn_unit *label_ptr[2])
 -{
 -    TCGLabelQemuLdst *label = new_ldst_label(s);
 -
 -    label->is_ld = is_ld;
 -    label->oi = oi;
 -    label->type = ext;
 -    label->datalo_reg = datalo;
 -    label->datahi_reg = datahi;
 -    label->addrlo_reg = addrlo;
 -    label->addrhi_reg = addrhi;
 -    label->raddr = tcg_splitwx_to_rx(raddr);
 -    label->label_ptr[0] = label_ptr[0];
 -    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -        label->label_ptr[1] = label_ptr[1];
 -    }
 -}
 -
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
      const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  }
  #else
 -
 -static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
 -                                   TCGReg addrhi, unsigned a_bits)
 -{
 -    unsigned a_mask = (1 << a_bits) - 1;
 -    TCGLabelQemuLdst *l = new_ldst_label(s);
 -
 -    l->is_ld = is_ld;
 -    l->addrlo_reg = addrlo;
 -    l->addrhi_reg = addrhi;
 -
 -    /* We are expecting a_bits to max out at 7, much lower than ANDI. */
 -    tcg_debug_assert(a_bits < 16);
 -    tcg_out_opc_imm(s, OPC_ANDI, TCG_TMP0, addrlo, a_mask);
 -
 -    l->label_ptr[0] = s->code_ptr;
 -    if (use_mips32r6_instructions) {
 -        tcg_out_opc_br(s, OPC_BNEZALC_R6, TCG_REG_ZERO, TCG_TMP0);
 -    } else {
 -        tcg_out_opc_br(s, OPC_BNEL, TCG_TMP0, TCG_REG_ZERO);
 -        tcg_out_nop(s);
 -    }
 -
 -    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
 -}
 -
  static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
  {
      void *target;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  }
  #endif /* SOFTMMU */
 +typedef struct {
 +    TCGReg base;
 +    MemOp align;
 +} HostAddress;
 +
 +/*
 + * For softmmu, perform the TLB load and compare.
 + * For useronly, perform any required alignment tests.
 + * In both cases, return a TCGLabelQemuLdst structure if the slow path
 + * is required and fill in @h with the host address for the fast path.
 + */
 +static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
 +                                           TCGReg addrlo, TCGReg addrhi,
 +                                           MemOpIdx oi, bool is_ld)
 +{
-+    void *want = g2h_untagged(LO_COMMPAGE);
++    TCGLabelQemuLdst *ldst = NULL;
-+    void *addr = mmap(want, qemu_host_page_size, PROT_NONE,
++    MemOp opc = get_memop(oi);
-+                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
++    unsigned a_bits = get_alignment_bits(opc);
-+
++    unsigned s_bits = opc & MO_SIZE;
-+    if (addr == MAP_FAILED) {
++    unsigned a_mask = (1 << a_bits) - 1;
-+        perror("Allocating guest commpage");
++    TCGReg base;
-+        exit(EXIT_FAILURE);
++
-+    }
++#ifdef CONFIG_SOFTMMU
-+    if (addr != want) {
++    unsigned s_mask = (1 << s_bits) - 1;
-+        return false;
++    int mem_index = get_mmuidx(oi);
 +    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
 +    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
 +    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
 +    int add_off = offsetof(CPUTLBEntry, addend);
 +    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
 +                        : offsetof(CPUTLBEntry, addr_write);
 +    target_ulong tlb_mask;
 +
 +    ldst = new_ldst_label(s);
 +    ldst->is_ld = is_ld;
 +    ldst->oi = oi;
 +    ldst->addrlo_reg = addrlo;
 +    ldst->addrhi_reg = addrhi;
 +    base = TCG_REG_A0;
 +
 +    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP0, TCG_AREG0, mask_off);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP1, TCG_AREG0, table_off);
 +
 +    /* Extract the TLB index from the address into TMP3.  */
 +    tcg_out_opc_sa(s, ALIAS_TSRL, TCG_TMP3, addrlo,
 +                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 +    tcg_out_opc_reg(s, OPC_AND, TCG_TMP3, TCG_TMP3, TCG_TMP0);
 +
 +    /* Add the tlb_table pointer, creating the CPUTLBEntry address in TMP3.  */
 +    tcg_out_opc_reg(s, ALIAS_PADD, TCG_TMP3, TCG_TMP3, TCG_TMP1);
 +
 +    /* Load the (low-half) tlb comparator.  */
 +    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 +        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
 +    } else {
 +        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
 +                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
 +                     TCG_TMP0, TCG_TMP3, cmp_off);
 +    }
 +
 +    /* Zero extend a 32-bit guest address for a 64-bit host. */
 +    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 +        tcg_out_ext32u(s, base, addrlo);
 +        addrlo = base;
 +    }
 +
 +    /*
-+     * On Linux, page zero is normally marked execute only + gateway.
++     * Mask the page bits, keeping the alignment bits to compare against.
-+     * Normal read or write is supposed to fail (thus PROT_NONE above),
++     * For unaligned accesses, compare against the end of the access to
-+     * but specific offsets have kernel code mapped to raise permissions
++     * verify that it does not cross a page boundary.
 +     * and implement syscalls.  Here, simply mark the page executable.
 +     * Special case the entry points during translation (see do_page_zero).
 +     */
-+    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
++    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
-+                   PAGE_EXEC | PAGE_VALID);
++    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
-+    return true;
++    if (a_mask >= s_mask) {
 +        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
 +    } else {
 +        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrlo, s_mask - a_mask);
 +        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
 +    }
 +
 +    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
 +        /* Load the tlb addend for the fast path.  */
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
 +    }
 +
 +    ldst->label_ptr[0] = s->code_ptr;
 +    tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
 +
 +    /* Load and test the high half tlb comparator.  */
 +    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 +        /* delay slot */
 +        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
 +
 +        /* Load the tlb addend for the fast path.  */
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
 +
 +        ldst->label_ptr[1] = s->code_ptr;
 +        tcg_out_opc_br(s, OPC_BNE, addrhi, TCG_TMP0);
 +    }
 +
 +    /* delay slot */
 +    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrlo);
 +#else
 +    if (a_mask && (use_mips32r6_instructions || a_bits != s_bits)) {
 +        ldst = new_ldst_label(s);
 +
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addrlo;
 +        ldst->addrhi_reg = addrhi;
 +
 +        /* We are expecting a_bits to max out at 7, much lower than ANDI. */
 +        tcg_debug_assert(a_bits < 16);
 +        tcg_out_opc_imm(s, OPC_ANDI, TCG_TMP0, addrlo, a_mask);
 +
 +        ldst->label_ptr[0] = s->code_ptr;
 +        if (use_mips32r6_instructions) {
 +            tcg_out_opc_br(s, OPC_BNEZALC_R6, TCG_REG_ZERO, TCG_TMP0);
 +        } else {
 +            tcg_out_opc_br(s, OPC_BNEL, TCG_TMP0, TCG_REG_ZERO);
 +            tcg_out_nop(s);
 +        }
 +    }
 +
 +    base = addrlo;
 +    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 +        tcg_out_ext32u(s, TCG_REG_A0, base);
 +        base = TCG_REG_A0;
 +    }
 +    if (guest_base) {
 +        if (guest_base == (int16_t)guest_base) {
 +            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
 +        } else {
 +            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
 +                            TCG_GUEST_BASE_REG);
 +        }
 +        base = TCG_REG_A0;
 +    }
 +#endif
 +
 +    h->base = base;
 +    h->align = a_bits;
 +    return ldst;
 +}
 +
- #endif /* TARGET_HPPA */
+ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
+                                    TCGReg base, MemOp opc, TCGType type)
- #ifdef TARGET_XTENSA
+ {
-@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
                              MemOpIdx oi, TCGType data_type)
  {
      MemOp opc = get_memop(oi);
 -    unsigned a_bits = get_alignment_bits(opc);
 -    unsigned s_bits = opc & MO_SIZE;
 -    TCGReg base;
 +    TCGLabelQemuLdst *ldst;
 +    HostAddress h;
 -    /*
 -     * R6 removes the left/right instructions but requires the
 -     * system to support misaligned memory accesses.
 -     */
 -#if defined(CONFIG_SOFTMMU)
 -    tcg_insn_unit *label_ptr[2];
 +    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
 -    base = TCG_REG_A0;
 -    tcg_out_tlb_load(s, base, addrlo, addrhi, oi, label_ptr, 1);
 -    if (use_mips32r6_instructions || a_bits >= s_bits) {
 -        tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
 +    if (use_mips32r6_instructions || h.align >= (opc & MO_SIZE)) {
 +        tcg_out_qemu_ld_direct(s, datalo, datahi, h.base, opc, data_type);
      } else {
 -        tcg_out_qemu_ld_unalign(s, datalo, datahi, base, opc, data_type);
 +        tcg_out_qemu_ld_unalign(s, datalo, datahi, h.base, opc, data_type);
      }
 -    add_qemu_ldst_label(s, true, oi, data_type, datalo, datahi,
 -                        addrlo, addrhi, s->code_ptr, label_ptr);
 -#else
 -    base = addrlo;
 -    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 -        tcg_out_ext32u(s, TCG_REG_A0, base);
 -        base = TCG_REG_A0;
 +
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = datalo;
 +        ldst->datahi_reg = datahi;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    if (guest_base) {
 -        if (guest_base == (int16_t)guest_base) {
 -            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
 -        } else {
 -            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
 -                            TCG_GUEST_BASE_REG);
 -        }
 -        base = TCG_REG_A0;
 -    }
 -    if (use_mips32r6_instructions) {
 -        if (a_bits) {
 -            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
 -        }
 -        tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
 -    } else {
 -        if (a_bits && a_bits != s_bits) {
 -            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
 -        }
 -        if (a_bits >= s_bits) {
 -            tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
 -        } else {
 -            tcg_out_qemu_ld_unalign(s, datalo, datahi, base, opc, data_type);
 -        }
 -    }
 -#endif
  }
- #if defined(HI_COMMPAGE)
+ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
--#define LO_COMMPAGE 0
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
-+#define LO_COMMPAGE -1
+                             MemOpIdx oi, TCGType data_type)
- #elif defined(LO_COMMPAGE)
+ {
- #define HI_COMMPAGE 0
+     MemOp opc = get_memop(oi);
- #else
+-    unsigned a_bits = get_alignment_bits(opc);
- #define HI_COMMPAGE 0
+-    unsigned s_bits = opc & MO_SIZE;
--#define LO_COMMPAGE 0
+-    TCGReg base;
-+#define LO_COMMPAGE -1
++    TCGLabelQemuLdst *ldst;
- #define init_guest_commpage() true
++    HostAddress h;
- #endif
+-    /*
-@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
+-     * R6 removes the left/right instructions but requires the
-         } else {
+-     * system to support misaligned memory accesses.
-             offset = -(HI_COMMPAGE & -align);
+-     */
-         }
+-#if defined(CONFIG_SOFTMMU)
--    } else if (LO_COMMPAGE != 0) {
+-    tcg_insn_unit *label_ptr[2];
-+    } else if (LO_COMMPAGE != -1) {
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
-         loaddr = MIN(loaddr, LO_COMMPAGE & -align);
 -    base = TCG_REG_A0;
 -    tcg_out_tlb_load(s, base, addrlo, addrhi, oi, label_ptr, 0);
 -    if (use_mips32r6_instructions || a_bits >= s_bits) {
 -        tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
 +    if (use_mips32r6_instructions || h.align >= (opc & MO_SIZE)) {
 +        tcg_out_qemu_st_direct(s, datalo, datahi, h.base, opc);
      } else {
 -        tcg_out_qemu_st_unalign(s, datalo, datahi, base, opc);
 +        tcg_out_qemu_st_unalign(s, datalo, datahi, h.base, opc);
      }
+-    add_qemu_ldst_label(s, false, oi, data_type, datalo, datahi,
 -                        addrlo, addrhi, s->code_ptr, label_ptr);
 -#else
 -    base = addrlo;
 -    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 -        tcg_out_ext32u(s, TCG_REG_A0, base);
 -        base = TCG_REG_A0;
 +
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = datalo;
 +        ldst->datahi_reg = datahi;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    if (guest_base) {
 -        if (guest_base == (int16_t)guest_base) {
 -            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
 -        } else {
 -            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
 -                            TCG_GUEST_BASE_REG);
 -        }
 -        base = TCG_REG_A0;
 -    }
 -    if (use_mips32r6_instructions) {
 -        if (a_bits) {
 -            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
 -        }
 -        tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
 -    } else {
 -        if (a_bits && a_bits != s_bits) {
 -            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
 -        }
 -        if (a_bits >= s_bits) {
 -            tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
 -        } else {
 -            tcg_out_qemu_st_unalign(s, datalo, datahi, base, opc);
 -        }
 -    }
 -#endif
  }
  static void tcg_out_mb(TCGContext *s, TCGArg a0)
 --
 .34.1

-[PULL 04/20] linux-user: Honor PT_GNU_STACK
+[PULL 17/53] tcg/ppc: Introduce prepare_host_addr
-Map the stack executable if required by default or on demand.
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
 and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
 into one function that returns HostAddress and TCGLabelQemuLdst structures.
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/elf.h        |  1 +
+ tcg/ppc/tcg-target.c.inc | 381 ++++++++++++++++++---------------------
- linux-user/qemu.h    |  1 +
+file changed, 172 insertions(+), 209 deletions(-)
  linux-user/elfload.c | 19 ++++++++++++++++++-
 files changed, 20 insertions(+), 1 deletion(-)
-diff --git a/include/elf.h b/include/elf.h
+diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/include/elf.h
+--- a/tcg/ppc/tcg-target.c.inc
-+++ b/include/elf.h
++++ b/tcg/ppc/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ typedef int64_t  Elf64_Sxword;
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
- #define PT_LOPROC  0x70000000
+     [MO_BEUQ] = helper_be_stq_mmu,
- #define PT_HIPROC  0x7fffffff
+ };
-+#define PT_GNU_STACK      (PT_LOOS + 0x474e551)
+-/* We expect to use a 16-bit negative offset from ENV.  */
- #define PT_GNU_PROPERTY   (PT_LOOS + 0x474e553)
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
- #define PT_MIPS_REGINFO   0x70000000
+-
-diff --git a/linux-user/qemu.h b/linux-user/qemu.h
+-/* Perform the TLB load and compare.  Places the result of the comparison
-index XXXXXXX..XXXXXXX 100644
+-   in CR7, loads the addend of the TLB into R3, and returns the register
---- a/linux-user/qemu.h
+-   containing the guest address (zero-extended into R4).  Clobbers R0 and R2. */
-+++ b/linux-user/qemu.h
+-
-@@ -XXX,XX +XXX,XX @@ struct image_info {
+-static TCGReg tcg_out_tlb_read(TCGContext *s, MemOp opc,
-         uint32_t        elf_flags;
+-                               TCGReg addrlo, TCGReg addrhi,
-         int             personality;
+-                               int mem_index, bool is_read)
-         abi_ulong       alignment;
+-{
-+        bool            exec_stack;
+-    int cmp_off
+-        = (is_read
-         /* Generic semihosting knows about these pointers. */
+-           ? offsetof(CPUTLBEntry, addr_read)
-         abi_ulong       arg_strings;   /* strings for argv */
+-           : offsetof(CPUTLBEntry, addr_write));
-diff --git a/linux-user/elfload.c b/linux-user/elfload.c
+-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
-index XXXXXXX..XXXXXXX 100644
+-    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
---- a/linux-user/elfload.c
+-    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
-+++ b/linux-user/elfload.c
+-    unsigned s_bits = opc & MO_SIZE;
-@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
+-    unsigned a_bits = get_alignment_bits(opc);
- #define ELF_ARCH        EM_386
+-
+-    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
- #define ELF_PLATFORM get_elf_platform()
+-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
-+#define EXSTACK_DEFAULT true
+-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
+-
- static const char *get_elf_platform(void)
+-    /* Extract the page index, shifted into place for tlb index.  */
 -    if (TCG_TARGET_REG_BITS == 32) {
 -        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
 -                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -    } else {
 -        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
 -                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -    }
 -    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
 -
 -    /* Load the TLB comparator.  */
 -    if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
 -        uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
 -                        ? LWZUX : LDUX);
 -        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
 -    } else {
 -        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
 -        if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
 -            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
 -        } else {
 -            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
 -        }
 -    }
 -
 -    /* Load the TLB addend for use on the fast path.  Do this asap
 -       to minimize any load use delay.  */
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_REG_R3,
 -               offsetof(CPUTLBEntry, addend));
 -
 -    /* Clear the non-page, non-alignment bits from the address */
 -    if (TCG_TARGET_REG_BITS == 32) {
 -        /* We don't support unaligned accesses on 32-bits.
 -         * Preserve the bottom bits and thus trigger a comparison
 -         * failure on unaligned accesses.
 -         */
 -        if (a_bits < s_bits) {
 -            a_bits = s_bits;
 -        }
 -        tcg_out_rlw(s, RLWINM, TCG_REG_R0, addrlo, 0,
 -                    (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
 -    } else {
 -        TCGReg t = addrlo;
 -
 -        /* If the access is unaligned, we need to make sure we fail if we
 -         * cross a page boundary.  The trick is to add the access size-1
 -         * to the address before masking the low bits.  That will make the
 -         * address overflow to the next page if we cross a page boundary,
 -         * which will then force a mismatch of the TLB compare.
 -         */
 -        if (a_bits < s_bits) {
 -            unsigned a_mask = (1 << a_bits) - 1;
 -            unsigned s_mask = (1 << s_bits) - 1;
 -            tcg_out32(s, ADDI | TAI(TCG_REG_R0, t, s_mask - a_mask));
 -            t = TCG_REG_R0;
 -        }
 -
 -        /* Mask the address for the requested alignment.  */
 -        if (TARGET_LONG_BITS == 32) {
 -            tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
 -                        (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
 -            /* Zero-extend the address for use in the final address.  */
 -            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
 -            addrlo = TCG_REG_R4;
 -        } else if (a_bits == 0) {
 -            tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
 -        } else {
 -            tcg_out_rld(s, RLDICL, TCG_REG_R0, t,
 -                        64 - TARGET_PAGE_BITS, TARGET_PAGE_BITS - a_bits);
 -            tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
 -        }
 -    }
 -
 -    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 -                    0, 7, TCG_TYPE_I32);
 -        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
 -        tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
 -    } else {
 -        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 -                    0, 7, TCG_TYPE_TL);
 -    }
 -
 -    return addrlo;
 -}
 -
 -/* Record the context of a call to the out of line helper code for the slow
 -   path for a load or store, so that we can later generate the correct
 -   helper code.  */
 -static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
 -                                TCGType type, MemOpIdx oi,
 -                                TCGReg datalo_reg, TCGReg datahi_reg,
 -                                TCGReg addrlo_reg, TCGReg addrhi_reg,
 -                                tcg_insn_unit *raddr, tcg_insn_unit *lptr)
 -{
 -    TCGLabelQemuLdst *label = new_ldst_label(s);
 -
 -    label->is_ld = is_ld;
 -    label->type = type;
 -    label->oi = oi;
 -    label->datalo_reg = datalo_reg;
 -    label->datahi_reg = datahi_reg;
 -    label->addrlo_reg = addrlo_reg;
 -    label->addrhi_reg = addrhi_reg;
 -    label->raddr = tcg_splitwx_to_rx(raddr);
 -    label->label_ptr[0] = lptr;
 -}
 -
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
  {
-@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
+     MemOpIdx oi = lb->oi;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
- #define ELF_ARCH        EM_ARM
+     return true;
- #define ELF_CLASS       ELFCLASS32
+ }
 +#define EXSTACK_DEFAULT true
  static inline void init_thread(struct target_pt_regs *regs,
                                 struct image_info *infop)
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
  #else
+-
- #define ELF_CLASS       ELFCLASS32
+-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-+#define EXSTACK_DEFAULT true
+-                                   TCGReg addrhi, unsigned a_bits)
+-{
- #endif
+-    unsigned a_mask = (1 << a_bits) - 1;
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
-@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUPPCState *en
+-
+-    label->is_ld = is_ld;
- #define ELF_CLASS   ELFCLASS64
+-    label->addrlo_reg = addrlo;
- #define ELF_ARCH    EM_LOONGARCH
+-    label->addrhi_reg = addrhi;
-+#define EXSTACK_DEFAULT true
+-
+-    /* We are expecting a_bits to max out at 7, much lower than ANDI. */
- #define elf_check_arch(x) ((x) == EM_LOONGARCH)
+-    tcg_debug_assert(a_bits < 16);
+-    tcg_out32(s, ANDI | SAI(addrlo, TCG_REG_R0, a_mask));
-@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
+-
- #define ELF_CLASS   ELFCLASS32
+-    label->label_ptr[0] = s->code_ptr;
- #endif
+-    tcg_out32(s, BC | BI(0, CR_EQ) | BO_COND_FALSE | LK);
- #define ELF_ARCH    EM_MIPS
+-
-+#define EXSTACK_DEFAULT true
+-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
+-}
- #ifdef TARGET_ABI_MIPSN32
+-
- #define elf_check_abi(x) ((x) & EF_MIPS_ABI2)
+ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
-@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
+ {
- #define bswaptls(ptr) bswap32s(ptr)
+     if (!reloc_pc14(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
- #endif
+@@ -XXX,XX +XXX,XX @@ typedef struct {
+     TCGReg index;
-+#ifndef EXSTACK_DEFAULT
+ } HostAddress;
-+#define EXSTACK_DEFAULT false
 +/*
 + * For softmmu, perform the TLB load and compare.
 + * For useronly, perform any required alignment tests.
 + * In both cases, return a TCGLabelQemuLdst structure if the slow path
 + * is required and fill in @h with the host address for the fast path.
 + */
 +static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
 +                                           TCGReg addrlo, TCGReg addrhi,
 +                                           MemOpIdx oi, bool is_ld)
 +{
 +    TCGLabelQemuLdst *ldst = NULL;
 +    MemOp opc = get_memop(oi);
 +    unsigned a_bits = get_alignment_bits(opc);
 +
 +#ifdef CONFIG_SOFTMMU
 +    int mem_index = get_mmuidx(oi);
 +    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
 +                        : offsetof(CPUTLBEntry, addr_write);
 +    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
 +    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
 +    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
 +    unsigned s_bits = opc & MO_SIZE;
 +
 +    ldst = new_ldst_label(s);
 +    ldst->is_ld = is_ld;
 +    ldst->oi = oi;
 +    ldst->addrlo_reg = addrlo;
 +    ldst->addrhi_reg = addrhi;
 +
 +    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
 +
 +    /* Extract the page index, shifted into place for tlb index.  */
 +    if (TCG_TARGET_REG_BITS == 32) {
 +        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
 +                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 +    } else {
 +        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
 +                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 +    }
 +    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
 +
 +    /* Load the TLB comparator.  */
 +    if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
 +        uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
 +                        ? LWZUX : LDUX);
 +        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
 +    } else {
 +        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
 +        if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 +            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
 +            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
 +        } else {
 +            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
 +        }
 +    }
 +
 +    /*
 +     * Load the TLB addend for use on the fast path.
 +     * Do this asap to minimize any load use delay.
 +     */
 +    h->base = TCG_REG_R3;
 +    tcg_out_ld(s, TCG_TYPE_PTR, h->base, TCG_REG_R3,
 +               offsetof(CPUTLBEntry, addend));
 +
 +    /* Clear the non-page, non-alignment bits from the address */
 +    if (TCG_TARGET_REG_BITS == 32) {
 +        /*
 +         * We don't support unaligned accesses on 32-bits.
 +         * Preserve the bottom bits and thus trigger a comparison
 +         * failure on unaligned accesses.
 +         */
 +        if (a_bits < s_bits) {
 +            a_bits = s_bits;
 +        }
 +        tcg_out_rlw(s, RLWINM, TCG_REG_R0, addrlo, 0,
 +                    (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
 +    } else {
 +        TCGReg t = addrlo;
 +
 +        /*
 +         * If the access is unaligned, we need to make sure we fail if we
 +         * cross a page boundary.  The trick is to add the access size-1
 +         * to the address before masking the low bits.  That will make the
 +         * address overflow to the next page if we cross a page boundary,
 +         * which will then force a mismatch of the TLB compare.
 +         */
 +        if (a_bits < s_bits) {
 +            unsigned a_mask = (1 << a_bits) - 1;
 +            unsigned s_mask = (1 << s_bits) - 1;
 +            tcg_out32(s, ADDI | TAI(TCG_REG_R0, t, s_mask - a_mask));
 +            t = TCG_REG_R0;
 +        }
 +
 +        /* Mask the address for the requested alignment.  */
 +        if (TARGET_LONG_BITS == 32) {
 +            tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
 +                        (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
 +            /* Zero-extend the address for use in the final address.  */
 +            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
 +            addrlo = TCG_REG_R4;
 +        } else if (a_bits == 0) {
 +            tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
 +        } else {
 +            tcg_out_rld(s, RLDICL, TCG_REG_R0, t,
 +                        64 - TARGET_PAGE_BITS, TARGET_PAGE_BITS - a_bits);
 +            tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
 +        }
 +    }
 +    h->index = addrlo;
 +
 +    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 +        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 +                    0, 7, TCG_TYPE_I32);
 +        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
 +        tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
 +    } else {
 +        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 +                    0, 7, TCG_TYPE_TL);
 +    }
 +
 +    /* Load a pointer into the current opcode w/conditional branch-link. */
 +    ldst->label_ptr[0] = s->code_ptr;
 +    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
 +#else
 +    if (a_bits) {
 +        ldst = new_ldst_label(s);
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addrlo;
 +        ldst->addrhi_reg = addrhi;
 +
 +        /* We are expecting a_bits to max out at 7, much lower than ANDI. */
 +        tcg_debug_assert(a_bits < 16);
 +        tcg_out32(s, ANDI | SAI(addrlo, TCG_REG_R0, (1 << a_bits) - 1));
 +
 +        ldst->label_ptr[0] = s->code_ptr;
 +        tcg_out32(s, BC | BI(0, CR_EQ) | BO_COND_FALSE | LK);
 +    }
 +
 +    h->base = guest_base ? TCG_GUEST_BASE_REG : 0;
 +    h->index = addrlo;
 +    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 +        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
 +        h->index = TCG_REG_TMP1;
 +    }
 +#endif
 +
- #include "elf.h"
++    return ldst;
++}
- /* We must delay the following stanzas until after "elf.h". */
++
-@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
+ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
-                                  struct image_info *info)
+                             TCGReg addrlo, TCGReg addrhi,
                              MemOpIdx oi, TCGType data_type)
  {
-     abi_ulong size, error, guard;
+     MemOp opc = get_memop(oi);
-+    int prot;
+-    MemOp s_bits = opc & MO_SIZE;
++    TCGLabelQemuLdst *ldst;
-     size = guest_stack_size;
+     HostAddress h;
-     if (size < STACK_LOWER_LIMIT) {
-@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
+-#ifdef CONFIG_SOFTMMU
-         guard = qemu_real_host_page_size();
+-    tcg_insn_unit *label_ptr;
-     }
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
--    error = target_mmap(0, size + guard, PROT_READ | PROT_WRITE,
+-    h.index = tcg_out_tlb_read(s, opc, addrlo, addrhi, get_mmuidx(oi), true);
-+    prot = PROT_READ | PROT_WRITE;
+-    h.base = TCG_REG_R3;
-+    if (info->exec_stack) {
+-
-+        prot |= PROT_EXEC;
+-    /* Load a pointer into the current opcode w/conditional branch-link. */
-+    }
+-    label_ptr = s->code_ptr;
-+    error = target_mmap(0, size + guard, prot,
+-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
-                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+-#else  /* !CONFIG_SOFTMMU */
-     if (error == -1) {
+-    unsigned a_bits = get_alignment_bits(opc);
-         perror("mmap stack");
+-    if (a_bits) {
-@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
+-        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-      */
+-    }
-     loaddr = -1, hiaddr = 0;
+-    h.base = guest_base ? TCG_GUEST_BASE_REG : 0;
-     info->alignment = 0;
+-    h.index = addrlo;
-+    info->exec_stack = EXSTACK_DEFAULT;
+-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-     for (i = 0; i < ehdr->e_phnum; ++i) {
+-        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
-         struct elf_phdr *eppnt = phdr + i;
+-        h.index = TCG_REG_TMP1;
-         if (eppnt->p_type == PT_LOAD) {
+-    }
-@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
+-#endif
-             if (!parse_elf_properties(image_fd, info, eppnt, bprm_buf, &err)) {
+-
-                 goto exit_errmsg;
+-    if (TCG_TARGET_REG_BITS == 32 && s_bits == MO_64) {
-             }
++    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
-+        } else if (eppnt->p_type == PT_GNU_STACK) {
+         if (opc & MO_BSWAP) {
-+            info->exec_stack = eppnt->p_flags & PF_X;
+             tcg_out32(s, ADDI | TAI(TCG_REG_R0, h.index, 4));
              tcg_out32(s, LWBRX | TAB(datalo, h.base, h.index));
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
          }
      }
+-#ifdef CONFIG_SOFTMMU
+-    add_qemu_ldst_label(s, true, data_type, oi, datalo, datahi,
+-                        addrlo, addrhi, s->code_ptr, label_ptr);
+-#endif
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = datalo;
++        ldst->datahi_reg = datahi;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
++    }
+ }
+ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
+                             MemOpIdx oi, TCGType data_type)
+ {
+     MemOp opc = get_memop(oi);
+-    MemOp s_bits = opc & MO_SIZE;
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-#ifdef CONFIG_SOFTMMU
+-    tcg_insn_unit *label_ptr;
++    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
+-    h.index = tcg_out_tlb_read(s, opc, addrlo, addrhi, get_mmuidx(oi), false);
+-    h.base = TCG_REG_R3;
+-
+-    /* Load a pointer into the current opcode w/conditional branch-link. */
+-    label_ptr = s->code_ptr;
+-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+-#else  /* !CONFIG_SOFTMMU */
+-    unsigned a_bits = get_alignment_bits(opc);
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
+-    }
+-    h.base = guest_base ? TCG_GUEST_BASE_REG : 0;
+-    h.index = addrlo;
+-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+-        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
+-        h.index = TCG_REG_TMP1;
+-    }
+-#endif
+-
+-    if (TCG_TARGET_REG_BITS == 32 && s_bits == MO_64) {
++    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
+         if (opc & MO_BSWAP) {
+             tcg_out32(s, ADDI | TAI(TCG_REG_R0, h.index, 4));
+             tcg_out32(s, STWBRX | SAB(datalo, h.base, h.index));
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
+         }
+     }
+-#ifdef CONFIG_SOFTMMU
+-    add_qemu_ldst_label(s, false, data_type, oi, datalo, datahi,
+-                        addrlo, addrhi, s->code_ptr, label_ptr);
+-#endif
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = datalo;
++        ldst->datahi_reg = datahi;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
++    }
+ }
+ static void tcg_out_nop_fill(tcg_insn_unit *p, int count)
 --
 .34.1

-[PULL 07/20] accel/tcg: Introduce is_same_page()
+[PULL 18/53] tcg/riscv: Introduce prepare_host_addr
-From: Ilya Leoshkevich <iii@linux.ibm.com>
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
 and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
 into one function that returns TCGReg and TCGLabelQemuLdst.
-Introduce a function that checks whether a given address is on the same
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 page as where disassembly started. Having it improves readability of
 the following patches.
 Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Message-Id: <20220811095534.241224-3-iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 [rth: Make the DisasContextBase parameter const.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/translator.h | 10 ++++++++++
+ tcg/riscv/tcg-target.c.inc | 253 +++++++++++++++++--------------------
-file changed, 10 insertions(+)
+file changed, 114 insertions(+), 139 deletions(-)
-diff --git a/include/exec/translator.h b/include/exec/translator.h
+diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/translator.h
+--- a/tcg/riscv/tcg-target.c.inc
-+++ b/include/exec/translator.h
++++ b/tcg/riscv/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
+ #endif
- #undef GEN_TRANSLATOR_LD
+ };
 -/* We expect to use a 12-bit negative offset from ENV.  */
 -QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
 -QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
 -
  static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
  {
      tcg_out_opc_jump(s, OPC_JAL, TCG_REG_ZERO, 0);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
      tcg_debug_assert(ok);
  }
 -static TCGReg tcg_out_tlb_load(TCGContext *s, TCGReg addr, MemOpIdx oi,
 -                               tcg_insn_unit **label_ptr, bool is_load)
 -{
 -    MemOp opc = get_memop(oi);
 -    unsigned s_bits = opc & MO_SIZE;
 -    unsigned a_bits = get_alignment_bits(opc);
 -    tcg_target_long compare_mask;
 -    int mem_index = get_mmuidx(oi);
 -    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
 -    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
 -    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
 -    TCGReg mask_base = TCG_AREG0, table_base = TCG_AREG0;
 -
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, mask_base, mask_ofs);
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, table_base, table_ofs);
 -
 -    tcg_out_opc_imm(s, OPC_SRLI, TCG_REG_TMP2, addr,
 -                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 -    tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
 -    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
 -
 -    /* Load the tlb comparator and the addend.  */
 -    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
 -               is_load ? offsetof(CPUTLBEntry, addr_read)
 -               : offsetof(CPUTLBEntry, addr_write));
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
 -               offsetof(CPUTLBEntry, addend));
 -
 -    /* We don't support unaligned accesses. */
 -    if (a_bits < s_bits) {
 -        a_bits = s_bits;
 -    }
 -    /* Clear the non-page, non-alignment bits from the address.  */
 -    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
 -    if (compare_mask == sextreg(compare_mask, 0, 12)) {
 -        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr, compare_mask);
 -    } else {
 -        tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
 -        tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP1, TCG_REG_TMP1, addr);
 -    }
 -
 -    /* Compare masked address with the TLB entry. */
 -    label_ptr[0] = s->code_ptr;
 -    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP0, TCG_REG_TMP1, 0);
 -
 -    /* TLB Hit - translate address using addend.  */
 -    if (TARGET_LONG_BITS == 32) {
 -        tcg_out_ext32u(s, TCG_REG_TMP0, addr);
 -        addr = TCG_REG_TMP0;
 -    }
 -    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_REG_TMP2, addr);
 -    return TCG_REG_TMP0;
 -}
 -
 -static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
 -                                TCGType data_type, TCGReg data_reg,
 -                                TCGReg addr_reg, void *raddr,
 -                                tcg_insn_unit **label_ptr)
 -{
 -    TCGLabelQemuLdst *label = new_ldst_label(s);
 -
 -    label->is_ld = is_ld;
 -    label->oi = oi;
 -    label->type = data_type;
 -    label->datalo_reg = data_reg;
 -    label->addrlo_reg = addr_reg;
 -    label->raddr = tcg_splitwx_to_rx(raddr);
 -    label->label_ptr[0] = label_ptr[0];
 -}
 -
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
      MemOpIdx oi = l->oi;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
      return true;
  }
  #else
 -
 -static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
 -                                   unsigned a_bits)
 -{
 -    unsigned a_mask = (1 << a_bits) - 1;
 -    TCGLabelQemuLdst *l = new_ldst_label(s);
 -
 -    l->is_ld = is_ld;
 -    l->addrlo_reg = addr_reg;
 -
 -    /* We are expecting a_bits to max out at 7, so we can always use andi. */
 -    tcg_debug_assert(a_bits < 12);
 -    tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, a_mask);
 -
 -    l->label_ptr[0] = s->code_ptr;
 -    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP1, TCG_REG_ZERO, 0);
 -
 -    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
 -}
 -
  static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
  {
      /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
      return tcg_out_fail_alignment(s, l);
  }
 -
  #endif /* CONFIG_SOFTMMU */
 +/*
-+ * Return whether addr is on the same page as where disassembly started.
++ * For softmmu, perform the TLB load and compare.
-+ * Translators can use this to enforce the rule that only single-insn
++ * For useronly, perform any required alignment tests.
-+ * translation blocks are allowed to cross page boundaries.
++ * In both cases, return a TCGLabelQemuLdst structure if the slow path
 + * is required and fill in @h with the host address for the fast path.
 + */
-+static inline bool is_same_page(const DisasContextBase *db, target_ulong addr)
++static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, TCGReg *pbase,
 +                                           TCGReg addr_reg, MemOpIdx oi,
 +                                           bool is_ld)
 +{
-+    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
++    TCGLabelQemuLdst *ldst = NULL;
 +    MemOp opc = get_memop(oi);
 +    unsigned a_bits = get_alignment_bits(opc);
 +    unsigned a_mask = (1u << a_bits) - 1;
 +
 +#ifdef CONFIG_SOFTMMU
 +    unsigned s_bits = opc & MO_SIZE;
 +    int mem_index = get_mmuidx(oi);
 +    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
 +    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
 +    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
 +    TCGReg mask_base = TCG_AREG0, table_base = TCG_AREG0;
 +    tcg_target_long compare_mask;
 +
 +    ldst = new_ldst_label(s);
 +    ldst->is_ld = is_ld;
 +    ldst->oi = oi;
 +    ldst->addrlo_reg = addr_reg;
 +
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
 +    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, mask_base, mask_ofs);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, table_base, table_ofs);
 +
 +    tcg_out_opc_imm(s, OPC_SRLI, TCG_REG_TMP2, addr_reg,
 +                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 +    tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
 +    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
 +
 +    /* Load the tlb comparator and the addend.  */
 +    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
 +               is_ld ? offsetof(CPUTLBEntry, addr_read)
 +                     : offsetof(CPUTLBEntry, addr_write));
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
 +               offsetof(CPUTLBEntry, addend));
 +
 +    /* We don't support unaligned accesses. */
 +    if (a_bits < s_bits) {
 +        a_bits = s_bits;
 +    }
 +    /* Clear the non-page, non-alignment bits from the address.  */
 +    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | a_mask;
 +    if (compare_mask == sextreg(compare_mask, 0, 12)) {
 +        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, compare_mask);
 +    } else {
 +        tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
 +        tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP1, TCG_REG_TMP1, addr_reg);
 +    }
 +
 +    /* Compare masked address with the TLB entry. */
 +    ldst->label_ptr[0] = s->code_ptr;
 +    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP0, TCG_REG_TMP1, 0);
 +
 +    /* TLB Hit - translate address using addend.  */
 +    if (TARGET_LONG_BITS == 32) {
 +        tcg_out_ext32u(s, TCG_REG_TMP0, addr_reg);
 +        addr_reg = TCG_REG_TMP0;
 +    }
 +    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_REG_TMP2, addr_reg);
 +    *pbase = TCG_REG_TMP0;
 +#else
 +    if (a_mask) {
 +        ldst = new_ldst_label(s);
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addr_reg;
 +
 +        /* We are expecting a_bits max 7, so we can always use andi. */
 +        tcg_debug_assert(a_bits < 12);
 +        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, a_mask);
 +
 +        ldst->label_ptr[0] = s->code_ptr;
 +        tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP1, TCG_REG_ZERO, 0);
 +    }
 +
 +    TCGReg base = addr_reg;
 +    if (TARGET_LONG_BITS == 32) {
 +        tcg_out_ext32u(s, TCG_REG_TMP0, base);
 +        base = TCG_REG_TMP0;
 +    }
 +    if (guest_base != 0) {
 +        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
 +        base = TCG_REG_TMP0;
 +    }
 +    *pbase = base;
 +#endif
 +
 +    return ldst;
 +}
 +
- #endif /* EXEC__TRANSLATOR_H */
+ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg val,
                                     TCGReg base, MemOp opc, TCGType type)
  {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg val,
  static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                              MemOpIdx oi, TCGType data_type)
  {
 -    MemOp opc = get_memop(oi);
 +    TCGLabelQemuLdst *ldst;
      TCGReg base;
 -#if defined(CONFIG_SOFTMMU)
 -    tcg_insn_unit *label_ptr[1];
 +    ldst = prepare_host_addr(s, &base, addr_reg, oi, true);
 +    tcg_out_qemu_ld_direct(s, data_reg, base, get_memop(oi), data_type);
 -    base = tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 1);
 -    tcg_out_qemu_ld_direct(s, data_reg, base, opc, data_type);
 -    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
 -                        s->code_ptr, label_ptr);
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, true, addr_reg, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = data_reg;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    base = addr_reg;
 -    if (TARGET_LONG_BITS == 32) {
 -        tcg_out_ext32u(s, TCG_REG_TMP0, base);
 -        base = TCG_REG_TMP0;
 -    }
 -    if (guest_base != 0) {
 -        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
 -        base = TCG_REG_TMP0;
 -    }
 -    tcg_out_qemu_ld_direct(s, data_reg, base, opc, data_type);
 -#endif
  }
  static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg val,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg val,
  static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                              MemOpIdx oi, TCGType data_type)
  {
 -    MemOp opc = get_memop(oi);
 +    TCGLabelQemuLdst *ldst;
      TCGReg base;
 -#if defined(CONFIG_SOFTMMU)
 -    tcg_insn_unit *label_ptr[1];
 +    ldst = prepare_host_addr(s, &base, addr_reg, oi, false);
 +    tcg_out_qemu_st_direct(s, data_reg, base, get_memop(oi));
 -    base = tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 0);
 -    tcg_out_qemu_st_direct(s, data_reg, base, opc);
 -    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
 -                        s->code_ptr, label_ptr);
 -#else
 -    unsigned a_bits = get_alignment_bits(opc);
 -    if (a_bits) {
 -        tcg_out_test_alignment(s, false, addr_reg, a_bits);
 +    if (ldst) {
 +        ldst->type = data_type;
 +        ldst->datalo_reg = data_reg;
 +        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
      }
 -    base = addr_reg;
 -    if (TARGET_LONG_BITS == 32) {
 -        tcg_out_ext32u(s, TCG_REG_TMP0, base);
 -        base = TCG_REG_TMP0;
 -    }
 -    if (guest_base != 0) {
 -        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
 -        base = TCG_REG_TMP0;
 -    }
 -    tcg_out_qemu_st_direct(s, data_reg, base, opc);
 -#endif
  }
  static const tcg_insn_unit *tb_ret_addr;
 --
 .34.1

-New patch
+[PULL 19/53] tcg/s390x: Introduce prepare_host_addr
+Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
+tcg_prepare_user_ldst, and some code that lived in both tcg_out_qemu_ld
+and tcg_out_qemu_st into one function that returns HostAddress and
+TCGLabelQemuLdst structures.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/s390x/tcg-target.c.inc | 263 ++++++++++++++++---------------------
+file changed, 113 insertions(+), 150 deletions(-)
+diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/s390x/tcg-target.c.inc
++++ b/tcg/s390x/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg data,
+ }
+ #if defined(CONFIG_SOFTMMU)
+-/* We're expecting to use a 20-bit negative offset on the tlb memory ops.  */
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
+-
+-/* Load and compare a TLB entry, leaving the flags set.  Loads the TLB
+-   addend into R2.  Returns a register with the santitized guest address.  */
+-static TCGReg tcg_out_tlb_read(TCGContext *s, TCGReg addr_reg, MemOp opc,
+-                               int mem_index, bool is_ld)
+-{
+-    unsigned s_bits = opc & MO_SIZE;
+-    unsigned a_bits = get_alignment_bits(opc);
+-    unsigned s_mask = (1 << s_bits) - 1;
+-    unsigned a_mask = (1 << a_bits) - 1;
+-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+-    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
+-    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
+-    int ofs, a_off;
+-    uint64_t tlb_mask;
+-
+-    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
+-                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+-    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
+-    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
+-
+-    /* For aligned accesses, we check the first byte and include the alignment
+-       bits within the address.  For unaligned access, we check that we don't
+-       cross pages using the address of the last byte of the access.  */
+-    a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
+-    tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
+-    if (a_off == 0) {
+-        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
+-    } else {
+-        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
+-        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
+-    }
+-
+-    if (is_ld) {
+-        ofs = offsetof(CPUTLBEntry, addr_read);
+-    } else {
+-        ofs = offsetof(CPUTLBEntry, addr_write);
+-    }
+-    if (TARGET_LONG_BITS == 32) {
+-        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+-    } else {
+-        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+-    }
+-
+-    tcg_out_insn(s, RXY, LG, TCG_REG_R2, TCG_REG_R2, TCG_REG_NONE,
+-                 offsetof(CPUTLBEntry, addend));
+-
+-    if (TARGET_LONG_BITS == 32) {
+-        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
+-        return TCG_REG_R3;
+-    }
+-    return addr_reg;
+-}
+-
+-static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
+-                                TCGType type, TCGReg data, TCGReg addr,
+-                                tcg_insn_unit *raddr, tcg_insn_unit *label_ptr)
+-{
+-    TCGLabelQemuLdst *label = new_ldst_label(s);
+-
+-    label->is_ld = is_ld;
+-    label->oi = oi;
+-    label->type = type;
+-    label->datalo_reg = data;
+-    label->addrlo_reg = addr;
+-    label->raddr = tcg_splitwx_to_rx(raddr);
+-    label->label_ptr[0] = label_ptr;
+-}
+-
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+     TCGReg addr_reg = lb->addrlo_reg;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+     return true;
+ }
+ #else
+-static void tcg_out_test_alignment(TCGContext *s, bool is_ld,
+-                                   TCGReg addrlo, unsigned a_bits)
+-{
+-    unsigned a_mask = (1 << a_bits) - 1;
+-    TCGLabelQemuLdst *l = new_ldst_label(s);
+-
+-    l->is_ld = is_ld;
+-    l->addrlo_reg = addrlo;
+-
+-    /* We are expecting a_bits to max out at 7, much lower than TMLL. */
+-    tcg_debug_assert(a_bits < 16);
+-    tcg_out_insn(s, RI, TMLL, addrlo, a_mask);
+-
+-    tcg_out16(s, RI_BRC | (7 << 4)); /* CC in {1,2,3} */
+-    l->label_ptr[0] = s->code_ptr;
+-    s->code_ptr += 1;
+-
+-    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
+-}
+-
+ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+     if (!patch_reloc(l->label_ptr[0], R_390_PC16DBL,
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+     return tcg_out_fail_alignment(s, l);
+ }
++#endif /* CONFIG_SOFTMMU */
+-static HostAddress tcg_prepare_user_ldst(TCGContext *s, TCGReg addr_reg)
++/*
++ * For softmmu, perform the TLB load and compare.
++ * For useronly, perform any required alignment tests.
++ * In both cases, return a TCGLabelQemuLdst structure if the slow path
++ * is required and fill in @h with the host address for the fast path.
++ */
++static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
++                                           TCGReg addr_reg, MemOpIdx oi,
++                                           bool is_ld)
+ {
+-    TCGReg index;
+-    int disp;
++    TCGLabelQemuLdst *ldst = NULL;
++    MemOp opc = get_memop(oi);
++    unsigned a_bits = get_alignment_bits(opc);
++    unsigned a_mask = (1u << a_bits) - 1;
++#ifdef CONFIG_SOFTMMU
++    unsigned s_bits = opc & MO_SIZE;
++    unsigned s_mask = (1 << s_bits) - 1;
++    int mem_index = get_mmuidx(oi);
++    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
++    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
++    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
++    int ofs, a_off;
++    uint64_t tlb_mask;
++
++    ldst = new_ldst_label(s);
++    ldst->is_ld = is_ld;
++    ldst->oi = oi;
++    ldst->addrlo_reg = addr_reg;
++
++    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
++                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
++
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
++    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
++    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
++    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
++
++    /*
++     * For aligned accesses, we check the first byte and include the alignment
++     * bits within the address.  For unaligned access, we check that we don't
++     * cross pages using the address of the last byte of the access.
++     */
++    a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
++    tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
++    if (a_off == 0) {
++        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
++    } else {
++        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
++        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
++    }
++
++    if (is_ld) {
++        ofs = offsetof(CPUTLBEntry, addr_read);
++    } else {
++        ofs = offsetof(CPUTLBEntry, addr_write);
++    }
++    if (TARGET_LONG_BITS == 32) {
++        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
++    } else {
++        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
++    }
++
++    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
++    ldst->label_ptr[0] = s->code_ptr++;
++
++    h->index = TCG_REG_R2;
++    tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
++                 offsetof(CPUTLBEntry, addend));
++
++    h->base = addr_reg;
++    if (TARGET_LONG_BITS == 32) {
++        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
++        h->base = TCG_REG_R3;
++    }
++    h->disp = 0;
++#else
++    if (a_mask) {
++        ldst = new_ldst_label(s);
++        ldst->is_ld = is_ld;
++        ldst->oi = oi;
++        ldst->addrlo_reg = addr_reg;
++
++        /* We are expecting a_bits to max out at 7, much lower than TMLL. */
++        tcg_debug_assert(a_bits < 16);
++        tcg_out_insn(s, RI, TMLL, addr_reg, a_mask);
++
++        tcg_out16(s, RI_BRC | (7 << 4)); /* CC in {1,2,3} */
++        ldst->label_ptr[0] = s->code_ptr++;
++    }
++
++    h->base = addr_reg;
+     if (TARGET_LONG_BITS == 32) {
+         tcg_out_ext32u(s, TCG_TMP0, addr_reg);
+-        addr_reg = TCG_TMP0;
++        h->base = TCG_TMP0;
+     }
+     if (guest_base < 0x80000) {
+-        index = TCG_REG_NONE;
+-        disp = guest_base;
++        h->index = TCG_REG_NONE;
++        h->disp = guest_base;
+     } else {
+-        index = TCG_GUEST_BASE_REG;
+-        disp = 0;
++        h->index = TCG_GUEST_BASE_REG;
++        h->disp = 0;
+     }
+-    return (HostAddress){ .base = addr_reg, .index = index, .disp = disp };
++#endif
++
++    return ldst;
+ }
+-#endif /* CONFIG_SOFTMMU */
+ static void tcg_out_qemu_ld(TCGContext* s, TCGReg data_reg, TCGReg addr_reg,
+                             MemOpIdx oi, TCGType data_type)
+ {
+-    MemOp opc = get_memop(oi);
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-#ifdef CONFIG_SOFTMMU
+-    unsigned mem_index = get_mmuidx(oi);
+-    tcg_insn_unit *label_ptr;
++    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
++    tcg_out_qemu_ld_direct(s, get_memop(oi), data_reg, h);
+-    h.base = tcg_out_tlb_read(s, addr_reg, opc, mem_index, 1);
+-    h.index = TCG_REG_R2;
+-    h.disp = 0;
+-
+-    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
+-    label_ptr = s->code_ptr;
+-    s->code_ptr += 1;
+-
+-    tcg_out_qemu_ld_direct(s, opc, data_reg, h);
+-
+-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
+-                        s->code_ptr, label_ptr);
+-#else
+-    unsigned a_bits = get_alignment_bits(opc);
+-
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = data_reg;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+     }
+-    h = tcg_prepare_user_ldst(s, addr_reg);
+-    tcg_out_qemu_ld_direct(s, opc, data_reg, h);
+-#endif
+ }
+ static void tcg_out_qemu_st(TCGContext* s, TCGReg data_reg, TCGReg addr_reg,
+                             MemOpIdx oi, TCGType data_type)
+ {
+-    MemOp opc = get_memop(oi);
++    TCGLabelQemuLdst *ldst;
+     HostAddress h;
+-#ifdef CONFIG_SOFTMMU
+-    unsigned mem_index = get_mmuidx(oi);
+-    tcg_insn_unit *label_ptr;
++    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
++    tcg_out_qemu_st_direct(s, get_memop(oi), data_reg, h);
+-    h.base = tcg_out_tlb_read(s, addr_reg, opc, mem_index, 0);
+-    h.index = TCG_REG_R2;
+-    h.disp = 0;
+-
+-    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
+-    label_ptr = s->code_ptr;
+-    s->code_ptr += 1;
+-
+-    tcg_out_qemu_st_direct(s, opc, data_reg, h);
+-
+-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
+-                        s->code_ptr, label_ptr);
+-#else
+-    unsigned a_bits = get_alignment_bits(opc);
+-
+-    if (a_bits) {
+-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
++    if (ldst) {
++        ldst->type = data_type;
++        ldst->datalo_reg = data_reg;
++        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+     }
+-    h = tcg_prepare_user_ldst(s, addr_reg);
+-    tcg_out_qemu_st_direct(s, opc, data_reg, h);
+-#endif
+ }
+ static void tcg_out_exit_tb(TCGContext *s, uintptr_t a0)
+--
+.34.1

-New patch
+[PULL 20/53] tcg: Add routines for calling slow-path helpers
+Add tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
+and tcg_out_st_helper_args.  These and their subroutines
+use the existing knowledge of the host function call abi
+to load the function call arguments and return results.
+These will be used to simplify the backends in turn.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/tcg.c | 475 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
+file changed, 471 insertions(+), 4 deletions(-)
+diff --git a/tcg/tcg.c b/tcg/tcg.c
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/tcg.c
++++ b/tcg/tcg.c
+@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
+ static int tcg_out_ldst_finalize(TCGContext *s);
+ #endif
++typedef struct TCGLdstHelperParam {
++    TCGReg (*ra_gen)(TCGContext *s, const TCGLabelQemuLdst *l, int arg_reg);
++    unsigned ntmp;
++    int tmp[3];
++} TCGLdstHelperParam;
++
++static void tcg_out_ld_helper_args(TCGContext *s, const TCGLabelQemuLdst *l,
++                                   const TCGLdstHelperParam *p)
++    __attribute__((unused));
++static void tcg_out_ld_helper_ret(TCGContext *s, const TCGLabelQemuLdst *l,
++                                  bool load_sign, const TCGLdstHelperParam *p)
++    __attribute__((unused));
++static void tcg_out_st_helper_args(TCGContext *s, const TCGLabelQemuLdst *l,
++                                   const TCGLdstHelperParam *p)
++    __attribute__((unused));
++
+ TCGContext tcg_init_ctx;
+ __thread TCGContext *tcg_ctx;
+@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
+     siglongjmp(s->jmp_trans, -2);
+ }
++/*
++ * Used by tcg_out_movext{1,2} to hold the arguments for tcg_out_movext.
++ * By the time we arrive at tcg_out_movext1, @dst is always a TCGReg.
++ *
++ * However, tcg_out_helper_load_slots reuses this field to hold an
++ * argument slot number (which may designate a argument register or an
++ * argument stack slot), converting to TCGReg once all arguments that
++ * are destined for the stack are processed.
++ */
+ typedef struct TCGMovExtend {
+-    TCGReg dst;
++    unsigned dst;
+     TCGReg src;
+     TCGType dst_type;
+     TCGType src_type;
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_movext1(TCGContext *s, const TCGMovExtend *i)
+  * between the sources and destinations.
+  */
+-static void __attribute__((unused))
+-tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
+-                const TCGMovExtend *i2, int scratch)
++static void tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
++                            const TCGMovExtend *i2, int scratch)
+ {
+     TCGReg src1 = i1->src;
+     TCGReg src2 = i2->src;
+@@ -XXX,XX +XXX,XX @@ static TCGHelperInfo all_helpers[] = {
+ };
+ static GHashTable *helper_table;
++/*
++ * Create TCGHelperInfo structures for "tcg/tcg-ldst.h" functions,
++ * akin to what "exec/helper-tcg.h" does with DEF_HELPER_FLAGS_N.
++ * We only use these for layout in tcg_out_ld_helper_ret and
++ * tcg_out_st_helper_args, and share them between several of
++ * the helpers, with the end result that it's easier to build manually.
++ */
++
++#if TCG_TARGET_REG_BITS == 32
++# define dh_typecode_ttl  dh_typecode_i32
++#else
++# define dh_typecode_ttl  dh_typecode_i64
++#endif
++
++static TCGHelperInfo info_helper_ld32_mmu = {
++    .flags = TCG_CALL_NO_WG,
++    .typemask = dh_typemask(ttl, 0)  /* return tcg_target_ulong */
++              | dh_typemask(env, 1)
++              | dh_typemask(tl, 2)   /* target_ulong addr */
++              | dh_typemask(i32, 3)  /* unsigned oi */
++              | dh_typemask(ptr, 4)  /* uintptr_t ra */
++};
++
++static TCGHelperInfo info_helper_ld64_mmu = {
++    .flags = TCG_CALL_NO_WG,
++    .typemask = dh_typemask(i64, 0)  /* return uint64_t */
++              | dh_typemask(env, 1)
++              | dh_typemask(tl, 2)   /* target_ulong addr */
++              | dh_typemask(i32, 3)  /* unsigned oi */
++              | dh_typemask(ptr, 4)  /* uintptr_t ra */
++};
++
++static TCGHelperInfo info_helper_st32_mmu = {
++    .flags = TCG_CALL_NO_WG,
++    .typemask = dh_typemask(void, 0)
++              | dh_typemask(env, 1)
++              | dh_typemask(tl, 2)   /* target_ulong addr */
++              | dh_typemask(i32, 3)  /* uint32_t data */
++              | dh_typemask(i32, 4)  /* unsigned oi */
++              | dh_typemask(ptr, 5)  /* uintptr_t ra */
++};
++
++static TCGHelperInfo info_helper_st64_mmu = {
++    .flags = TCG_CALL_NO_WG,
++    .typemask = dh_typemask(void, 0)
++              | dh_typemask(env, 1)
++              | dh_typemask(tl, 2)   /* target_ulong addr */
++              | dh_typemask(i64, 3)  /* uint64_t data */
++              | dh_typemask(i32, 4)  /* unsigned oi */
++              | dh_typemask(ptr, 5)  /* uintptr_t ra */
++};
++
+ #ifdef CONFIG_TCG_INTERPRETER
+ static ffi_type *typecode_to_ffi(int argmask)
+ {
+@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(unsigned max_cpus)
+                             (gpointer)&all_helpers[i]);
+     }
++    init_call_layout(&info_helper_ld32_mmu);
++    init_call_layout(&info_helper_ld64_mmu);
++    init_call_layout(&info_helper_st32_mmu);
++    init_call_layout(&info_helper_st64_mmu);
++
+ #ifdef CONFIG_TCG_INTERPRETER
+     init_ffi_layouts();
+ #endif
+@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_call(TCGContext *s, TCGOp *op)
+     }
+ }
++/*
++ * Similarly for qemu_ld/st slow path helpers.
++ * We must re-implement tcg_gen_callN and tcg_reg_alloc_call simultaneously,
++ * using only the provided backend tcg_out_* functions.
++ */
++
++static int tcg_out_helper_stk_ofs(TCGType type, unsigned slot)
++{
++    int ofs = arg_slot_stk_ofs(slot);
++
++    /*
++     * Each stack slot is TCG_TARGET_LONG_BITS.  If the host does not
++     * require extension to uint64_t, adjust the address for uint32_t.
++     */
++    if (HOST_BIG_ENDIAN &&
++        TCG_TARGET_REG_BITS == 64 &&
++        type == TCG_TYPE_I32) {
++        ofs += 4;
++    }
++    return ofs;
++}
++
++static void tcg_out_helper_load_regs(TCGContext *s,
++                                     unsigned nmov, TCGMovExtend *mov,
++                                     unsigned ntmp, const int *tmp)
++{
++    switch (nmov) {
++    default:
++        /* The backend must have provided enough temps for the worst case. */
++        tcg_debug_assert(ntmp + 1 >= nmov);
++
++        for (unsigned i = nmov - 1; i >= 2; --i) {
++            TCGReg dst = mov[i].dst;
++
++            for (unsigned j = 0; j < i; ++j) {
++                if (dst == mov[j].src) {
++                    /*
++                     * Conflict.
++                     * Copy the source to a temporary, recurse for the
++                     * remaining moves, perform the extension from our
++                     * scratch on the way out.
++                     */
++                    TCGReg scratch = tmp[--ntmp];
++                    tcg_out_mov(s, mov[i].src_type, scratch, mov[i].src);
++                    mov[i].src = scratch;
++
++                    tcg_out_helper_load_regs(s, i, mov, ntmp, tmp);
++                    tcg_out_movext1(s, &mov[i]);
++                    return;
++                }
++            }
++
++            /* No conflicts: perform this move and continue. */
++            tcg_out_movext1(s, &mov[i]);
++        }
++        /* fall through for the final two moves */
++
++    case 2:
++        tcg_out_movext2(s, mov, mov + 1, ntmp ? tmp[0] : -1);
++        return;
++    case 1:
++        tcg_out_movext1(s, mov);
++        return;
++    case 0:
++        g_assert_not_reached();
++    }
++}
++
++static void tcg_out_helper_load_slots(TCGContext *s,
++                                      unsigned nmov, TCGMovExtend *mov,
++                                      const TCGLdstHelperParam *parm)
++{
++    unsigned i;
++
++    /*
++     * Start from the end, storing to the stack first.
++     * This frees those registers, so we need not consider overlap.
++     */
++    for (i = nmov; i-- > 0; ) {
++        unsigned slot = mov[i].dst;
++
++        if (arg_slot_reg_p(slot)) {
++            goto found_reg;
++        }
++
++        TCGReg src = mov[i].src;
++        TCGType dst_type = mov[i].dst_type;
++        MemOp dst_mo = dst_type == TCG_TYPE_I32 ? MO_32 : MO_64;
++
++        /* The argument is going onto the stack; extend into scratch. */
++        if ((mov[i].src_ext & MO_SIZE) != dst_mo) {
++            tcg_debug_assert(parm->ntmp != 0);
++            mov[i].dst = src = parm->tmp[0];
++            tcg_out_movext1(s, &mov[i]);
++        }
++
++        tcg_out_st(s, dst_type, src, TCG_REG_CALL_STACK,
++                   tcg_out_helper_stk_ofs(dst_type, slot));
++    }
++    return;
++
++ found_reg:
++    /*
++     * The remaining arguments are in registers.
++     * Convert slot numbers to argument registers.
++     */
++    nmov = i + 1;
++    for (i = 0; i < nmov; ++i) {
++        mov[i].dst = tcg_target_call_iarg_regs[mov[i].dst];
++    }
++    tcg_out_helper_load_regs(s, nmov, mov, parm->ntmp, parm->tmp);
++}
++
++static void tcg_out_helper_load_imm(TCGContext *s, unsigned slot,
++                                    TCGType type, tcg_target_long imm,
++                                    const TCGLdstHelperParam *parm)
++{
++    if (arg_slot_reg_p(slot)) {
++        tcg_out_movi(s, type, tcg_target_call_iarg_regs[slot], imm);
++    } else {
++        int ofs = tcg_out_helper_stk_ofs(type, slot);
++        if (!tcg_out_sti(s, type, imm, TCG_REG_CALL_STACK, ofs)) {
++            tcg_debug_assert(parm->ntmp != 0);
++            tcg_out_movi(s, type, parm->tmp[0], imm);
++            tcg_out_st(s, type, parm->tmp[0], TCG_REG_CALL_STACK, ofs);
++        }
++    }
++}
++
++static void tcg_out_helper_load_common_args(TCGContext *s,
++                                            const TCGLabelQemuLdst *ldst,
++                                            const TCGLdstHelperParam *parm,
++                                            const TCGHelperInfo *info,
++                                            unsigned next_arg)
++{
++    TCGMovExtend ptr_mov = {
++        .dst_type = TCG_TYPE_PTR,
++        .src_type = TCG_TYPE_PTR,
++        .src_ext = sizeof(void *) == 4 ? MO_32 : MO_64
++    };
++    const TCGCallArgumentLoc *loc = &info->in[0];
++    TCGType type;
++    unsigned slot;
++    tcg_target_ulong imm;
++
++    /*
++     * Handle env, which is always first.
++     */
++    ptr_mov.dst = loc->arg_slot;
++    ptr_mov.src = TCG_AREG0;
++    tcg_out_helper_load_slots(s, 1, &ptr_mov, parm);
++
++    /*
++     * Handle oi.
++     */
++    imm = ldst->oi;
++    loc = &info->in[next_arg];
++    type = TCG_TYPE_I32;
++    switch (loc->kind) {
++    case TCG_CALL_ARG_NORMAL:
++        break;
++    case TCG_CALL_ARG_EXTEND_U:
++    case TCG_CALL_ARG_EXTEND_S:
++        /* No extension required for MemOpIdx. */
++        tcg_debug_assert(imm <= INT32_MAX);
++        type = TCG_TYPE_REG;
++        break;
++    default:
++        g_assert_not_reached();
++    }
++    tcg_out_helper_load_imm(s, loc->arg_slot, type, imm, parm);
++    next_arg++;
++
++    /*
++     * Handle ra.
++     */
++    loc = &info->in[next_arg];
++    slot = loc->arg_slot;
++    if (parm->ra_gen) {
++        int arg_reg = -1;
++        TCGReg ra_reg;
++
++        if (arg_slot_reg_p(slot)) {
++            arg_reg = tcg_target_call_iarg_regs[slot];
++        }
++        ra_reg = parm->ra_gen(s, ldst, arg_reg);
++
++        ptr_mov.dst = slot;
++        ptr_mov.src = ra_reg;
++        tcg_out_helper_load_slots(s, 1, &ptr_mov, parm);
++    } else {
++        imm = (uintptr_t)ldst->raddr;
++        tcg_out_helper_load_imm(s, slot, TCG_TYPE_PTR, imm, parm);
++    }
++}
++
++static unsigned tcg_out_helper_add_mov(TCGMovExtend *mov,
++                                       const TCGCallArgumentLoc *loc,
++                                       TCGType dst_type, TCGType src_type,
++                                       TCGReg lo, TCGReg hi)
++{
++    if (dst_type <= TCG_TYPE_REG) {
++        MemOp src_ext;
++
++        switch (loc->kind) {
++        case TCG_CALL_ARG_NORMAL:
++            src_ext = src_type == TCG_TYPE_I32 ? MO_32 : MO_64;
++            break;
++        case TCG_CALL_ARG_EXTEND_U:
++            dst_type = TCG_TYPE_REG;
++            src_ext = MO_UL;
++            break;
++        case TCG_CALL_ARG_EXTEND_S:
++            dst_type = TCG_TYPE_REG;
++            src_ext = MO_SL;
++            break;
++        default:
++            g_assert_not_reached();
++        }
++
++        mov[0].dst = loc->arg_slot;
++        mov[0].dst_type = dst_type;
++        mov[0].src = lo;
++        mov[0].src_type = src_type;
++        mov[0].src_ext = src_ext;
++        return 1;
++    }
++
++    assert(TCG_TARGET_REG_BITS == 32);
++
++    mov[0].dst = loc[HOST_BIG_ENDIAN].arg_slot;
++    mov[0].src = lo;
++    mov[0].dst_type = TCG_TYPE_I32;
++    mov[0].src_type = TCG_TYPE_I32;
++    mov[0].src_ext = MO_32;
++
++    mov[1].dst = loc[!HOST_BIG_ENDIAN].arg_slot;
++    mov[1].src = hi;
++    mov[1].dst_type = TCG_TYPE_I32;
++    mov[1].src_type = TCG_TYPE_I32;
++    mov[1].src_ext = MO_32;
++
++    return 2;
++}
++
++static void tcg_out_ld_helper_args(TCGContext *s, const TCGLabelQemuLdst *ldst,
++                                   const TCGLdstHelperParam *parm)
++{
++    const TCGHelperInfo *info;
++    const TCGCallArgumentLoc *loc;
++    TCGMovExtend mov[2];
++    unsigned next_arg, nmov;
++    MemOp mop = get_memop(ldst->oi);
++
++    switch (mop & MO_SIZE) {
++    case MO_8:
++    case MO_16:
++    case MO_32:
++        info = &info_helper_ld32_mmu;
++        break;
++    case MO_64:
++        info = &info_helper_ld64_mmu;
++        break;
++    default:
++        g_assert_not_reached();
++    }
++
++    /* Defer env argument. */
++    next_arg = 1;
++
++    loc = &info->in[next_arg];
++    nmov = tcg_out_helper_add_mov(mov, loc, TCG_TYPE_TL, TCG_TYPE_TL,
++                                  ldst->addrlo_reg, ldst->addrhi_reg);
++    next_arg += nmov;
++
++    tcg_out_helper_load_slots(s, nmov, mov, parm);
++
++    /* No special attention for 32 and 64-bit return values. */
++    tcg_debug_assert(info->out_kind == TCG_CALL_RET_NORMAL);
++
++    tcg_out_helper_load_common_args(s, ldst, parm, info, next_arg);
++}
++
++static void tcg_out_ld_helper_ret(TCGContext *s, const TCGLabelQemuLdst *ldst,
++                                  bool load_sign,
++                                  const TCGLdstHelperParam *parm)
++{
++    TCGMovExtend mov[2];
++
++    if (ldst->type <= TCG_TYPE_REG) {
++        MemOp mop = get_memop(ldst->oi);
++
++        mov[0].dst = ldst->datalo_reg;
++        mov[0].src = tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, 0);
++        mov[0].dst_type = ldst->type;
++        mov[0].src_type = TCG_TYPE_REG;
++
++        /*
++         * If load_sign, then we allowed the helper to perform the
++         * appropriate sign extension to tcg_target_ulong, and all
++         * we need now is a plain move.
++         *
++         * If they do not, then we expect the relevant extension
++         * instruction to be no more expensive than a move, and
++         * we thus save the icache etc by only using one of two
++         * helper functions.
++         */
++        if (load_sign || !(mop & MO_SIGN)) {
++            if (TCG_TARGET_REG_BITS == 32 || ldst->type == TCG_TYPE_I32) {
++                mov[0].src_ext = MO_32;
++            } else {
++                mov[0].src_ext = MO_64;
++            }
++        } else {
++            mov[0].src_ext = mop & MO_SSIZE;
++        }
++        tcg_out_movext1(s, mov);
++    } else {
++        assert(TCG_TARGET_REG_BITS == 32);
++
++        mov[0].dst = ldst->datalo_reg;
++        mov[0].src =
++            tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, HOST_BIG_ENDIAN);
++        mov[0].dst_type = TCG_TYPE_I32;
++        mov[0].src_type = TCG_TYPE_I32;
++        mov[0].src_ext = MO_32;
++
++        mov[1].dst = ldst->datahi_reg;
++        mov[1].src =
++            tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, !HOST_BIG_ENDIAN);
++        mov[1].dst_type = TCG_TYPE_REG;
++        mov[1].src_type = TCG_TYPE_REG;
++        mov[1].src_ext = MO_32;
++
++        tcg_out_movext2(s, mov, mov + 1, parm->ntmp ? parm->tmp[0] : -1);
++    }
++}
++
++static void tcg_out_st_helper_args(TCGContext *s, const TCGLabelQemuLdst *ldst,
++                                   const TCGLdstHelperParam *parm)
++{
++    const TCGHelperInfo *info;
++    const TCGCallArgumentLoc *loc;
++    TCGMovExtend mov[4];
++    TCGType data_type;
++    unsigned next_arg, nmov, n;
++    MemOp mop = get_memop(ldst->oi);
++
++    switch (mop & MO_SIZE) {
++    case MO_8:
++    case MO_16:
++    case MO_32:
++        info = &info_helper_st32_mmu;
++        data_type = TCG_TYPE_I32;
++        break;
++    case MO_64:
++        info = &info_helper_st64_mmu;
++        data_type = TCG_TYPE_I64;
++        break;
++    default:
++        g_assert_not_reached();
++    }
++
++    /* Defer env argument. */
++    next_arg = 1;
++    nmov = 0;
++
++    /* Handle addr argument. */
++    loc = &info->in[next_arg];
++    n = tcg_out_helper_add_mov(mov, loc, TCG_TYPE_TL, TCG_TYPE_TL,
++                               ldst->addrlo_reg, ldst->addrhi_reg);
++    next_arg += n;
++    nmov += n;
++
++    /* Handle data argument. */
++    loc = &info->in[next_arg];
++    n = tcg_out_helper_add_mov(mov + nmov, loc, data_type, ldst->type,
++                               ldst->datalo_reg, ldst->datahi_reg);
++    next_arg += n;
++    nmov += n;
++    tcg_debug_assert(nmov <= ARRAY_SIZE(mov));
++
++    tcg_out_helper_load_slots(s, nmov, mov, parm);
++    tcg_out_helper_load_common_args(s, ldst, parm, info, next_arg);
++}
++
+ #ifdef CONFIG_PROFILER
+ /* avoid copy/paste errors */
+--
+.34.1

-New patch
+[PULL 21/53] tcg/i386: Convert tcg_out_qemu_ld_slow_path
+Use tcg_out_ld_helper_args and tcg_out_ld_helper_ret.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/i386/tcg-target.c.inc | 71 +++++++++++++++------------------------
+file changed, 28 insertions(+), 43 deletions(-)
+diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/i386/tcg-target.c.inc
++++ b/tcg/i386/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
+     [MO_BEUQ] = helper_be_stq_mmu,
+ };
++/*
++ * Because i686 has no register parameters and because x86_64 has xchg
++ * to handle addr/data register overlap, we have placed all input arguments
++ * before we need might need a scratch reg.
++ *
++ * Even then, a scratch is only needed for l->raddr.  Rather than expose
++ * a general-purpose scratch when we don't actually know it's available,
++ * use the ra_gen hook to load into RAX if needed.
++ */
++#if TCG_TARGET_REG_BITS == 64
++static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
++{
++    if (arg < 0) {
++        arg = TCG_REG_RAX;
++    }
++    tcg_out_movi(s, TCG_TYPE_PTR, arg, (uintptr_t)l->raddr);
++    return arg;
++}
++static const TCGLdstHelperParam ldst_helper_param = {
++    .ra_gen = ldst_ra_gen
++};
++#else
++static const TCGLdstHelperParam ldst_helper_param = { };
++#endif
++
+ /*
+  * Generate code for the slow path for a load at the end of block
+  */
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
++    MemOp opc = get_memop(l->oi);
+     tcg_insn_unit **label_ptr = &l->label_ptr[0];
+     /* resolve label address */
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+         tcg_patch32(label_ptr[1], s->code_ptr - label_ptr[1] - 4);
+     }
+-    if (TCG_TARGET_REG_BITS == 32) {
+-        int ofs = 0;
+-
+-        tcg_out_st(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        tcg_out_st(s, TCG_TYPE_I32, l->addrlo_reg, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        if (TARGET_LONG_BITS == 64) {
+-            tcg_out_st(s, TCG_TYPE_I32, l->addrhi_reg, TCG_REG_ESP, ofs);
+-            ofs += 4;
+-        }
+-
+-        tcg_out_sti(s, TCG_TYPE_I32, oi, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        tcg_out_sti(s, TCG_TYPE_PTR, (uintptr_t)l->raddr, TCG_REG_ESP, ofs);
+-    } else {
+-        tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+-        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
+-                    l->addrlo_reg);
+-        tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[2], oi);
+-        tcg_out_movi(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[3],
+-                     (uintptr_t)l->raddr);
+-    }
+-
++    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
+     tcg_out_branch(s, 1, qemu_ld_helpers[opc & (MO_BSWAP | MO_SIZE)]);
++    tcg_out_ld_helper_ret(s, l, false, &ldst_helper_param);
+-    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
+-        TCGMovExtend ext[2] = {
+-            { .dst = l->datalo_reg, .dst_type = TCG_TYPE_I32,
+-              .src = TCG_REG_EAX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+-            { .dst = l->datahi_reg, .dst_type = TCG_TYPE_I32,
+-              .src = TCG_REG_EDX, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
+-        };
+-        tcg_out_movext2(s, &ext[0], &ext[1], -1);
+-    } else {
+-        tcg_out_movext(s, l->type, l->datalo_reg,
+-                       TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_EAX);
+-    }
+-
+-    /* Jump to the code corresponding to next IR of qemu_st */
+     tcg_out_jmp(s, l->raddr);
+     return true;
+ }
+--
+.34.1

-New patch
+[PULL 22/53] tcg/i386: Convert tcg_out_qemu_st_slow_path
+Use tcg_out_st_helper_args.  This eliminates the use of a tail call to
+the store helper.  This may or may not be an improvement, depending on
+the call/return branch prediction of the host microarchitecture.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/i386/tcg-target.c.inc | 57 +++------------------------------------
+file changed, 4 insertions(+), 53 deletions(-)
+diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/i386/tcg-target.c.inc
++++ b/tcg/i386/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+  */
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp s_bits = opc & MO_SIZE;
++    MemOp opc = get_memop(l->oi);
+     tcg_insn_unit **label_ptr = &l->label_ptr[0];
+-    TCGReg retaddr;
+     /* resolve label address */
+     tcg_patch32(label_ptr[0], s->code_ptr - label_ptr[0] - 4);
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+         tcg_patch32(label_ptr[1], s->code_ptr - label_ptr[1] - 4);
+     }
+-    if (TCG_TARGET_REG_BITS == 32) {
+-        int ofs = 0;
++    tcg_out_st_helper_args(s, l, &ldst_helper_param);
++    tcg_out_branch(s, 1, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
+-        tcg_out_st(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        tcg_out_st(s, TCG_TYPE_I32, l->addrlo_reg, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        if (TARGET_LONG_BITS == 64) {
+-            tcg_out_st(s, TCG_TYPE_I32, l->addrhi_reg, TCG_REG_ESP, ofs);
+-            ofs += 4;
+-        }
+-
+-        tcg_out_st(s, TCG_TYPE_I32, l->datalo_reg, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        if (s_bits == MO_64) {
+-            tcg_out_st(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_ESP, ofs);
+-            ofs += 4;
+-        }
+-
+-        tcg_out_sti(s, TCG_TYPE_I32, oi, TCG_REG_ESP, ofs);
+-        ofs += 4;
+-
+-        retaddr = TCG_REG_EAX;
+-        tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
+-        tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP, ofs);
+-    } else {
+-        tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+-        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
+-                    l->addrlo_reg);
+-        tcg_out_mov(s, (s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32),
+-                    tcg_target_call_iarg_regs[2], l->datalo_reg);
+-        tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], oi);
+-
+-        if (ARRAY_SIZE(tcg_target_call_iarg_regs) > 4) {
+-            retaddr = tcg_target_call_iarg_regs[4];
+-            tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
+-        } else {
+-            retaddr = TCG_REG_RAX;
+-            tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
+-            tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP,
+-                       TCG_TARGET_CALL_STACK_OFFSET);
+-        }
+-    }
+-
+-    /* "Tail call" to the helper, with the return address back inline.  */
+-    tcg_out_push(s, retaddr);
+-    tcg_out_jmp(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
++    tcg_out_jmp(s, l->raddr);
+     return true;
+ }
+ #else
+--
+.34.1

-[PULL 16/20] accel/tcg: Add fast path for translator_ld*
+[PULL 23/53] tcg/aarch64: Convert tcg_out_qemu_{ld,st}_slow_path
-Cache the translation from guest to host address, so we may
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
-use direct loads when we hit on the primary translation page.
+and tcg_out_st_helper_args.
-Look up the second translation page only once, during translation.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 This obviates another lookup of the second page within tb_gen_code
 after translation.
 Fixes a bug in that plugin_insn_append should be passed the bytes
 in the original memory order, not bswapped by pieces.
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/translator.h |  63 +++++++++++--------
+ tcg/aarch64/tcg-target.c.inc | 40 +++++++++++++++---------------------
- accel/tcg/translate-all.c |  23 +++----
+file changed, 16 insertions(+), 24 deletions(-)
  accel/tcg/translator.c    | 126 +++++++++++++++++++++++++++++---------
 files changed, 141 insertions(+), 71 deletions(-)
-diff --git a/include/exec/translator.h b/include/exec/translator.h
+diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/translator.h
+--- a/tcg/aarch64/tcg-target.c.inc
-+++ b/include/exec/translator.h
++++ b/tcg/aarch64/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ typedef enum DisasJumpType {
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_cltz(TCGContext *s, TCGType ext, TCGReg d,
   * Architecture-agnostic disassembly context.
   */
  typedef struct DisasContextBase {
 -    const TranslationBlock *tb;
 +    TranslationBlock *tb;
      target_ulong pc_first;
      target_ulong pc_next;
      DisasJumpType is_jmp;
      int num_insns;
      int max_insns;
      bool singlestep_enabled;
 -#ifdef CONFIG_USER_ONLY
 -    /*
 -     * Guest address of the last byte of the last protected page.
 -     *
 -     * Pages containing the translated instructions are made non-writable in
 -     * order to achieve consistency in case another thread is modifying the
 -     * code while translate_insn() fetches the instruction bytes piecemeal.
 -     * Such writer threads are blocked on mmap_lock() in page_unprotect().
 -     */
 -    target_ulong page_protect_end;
 -#endif
 +    void *host_addr[2];
  } DisasContextBase;
  /**
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
   * the relevant information at translation time.
   */
 -#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
 -    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
 -                           abi_ptr pc, bool do_swap);                   \
 -    static inline type fullname(CPUArchState *env,                      \
 -                                DisasContextBase *dcbase, abi_ptr pc)   \
 -    {                                                                   \
 -        return fullname ## _swap(env, dcbase, pc, false);               \
 +uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
 +uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
 +uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
 +uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
 +
 +static inline uint16_t
 +translator_lduw_swap(CPUArchState *env, DisasContextBase *db,
 +                     abi_ptr pc, bool do_swap)
 +{
 +    uint16_t ret = translator_lduw(env, db, pc);
 +    if (do_swap) {
 +        ret = bswap16(ret);
      }
-+    return ret;
-+}
--#define FOR_EACH_TRANSLATOR_LD(F)                                       \
--    F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
--    F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
--    F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
--    F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
-+static inline uint32_t
-+translator_ldl_swap(CPUArchState *env, DisasContextBase *db,
-+                    abi_ptr pc, bool do_swap)
-+{
-+    uint32_t ret = translator_ldl(env, db, pc);
-+    if (do_swap) {
-+        ret = bswap32(ret);
-+    }
-+    return ret;
-+}
--FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
--
--#undef GEN_TRANSLATOR_LD
-+static inline uint64_t
-+translator_ldq_swap(CPUArchState *env, DisasContextBase *db,
-+                    abi_ptr pc, bool do_swap)
-+{
-+    uint64_t ret = translator_ldq_swap(env, db, pc, false);
-+    if (do_swap) {
-+        ret = bswap64(ret);
-+    }
-+    return ret;
-+}
- /*
-  * Return whether addr is on the same page as where disassembly started.
-diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/translate-all.c
-+++ b/accel/tcg/translate-all.c
-@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
- {
-     CPUArchState *env = cpu->env_ptr;
-     TranslationBlock *tb, *existing_tb;
--    tb_page_addr_t phys_pc, phys_page2;
--    target_ulong virt_page2;
-+    tb_page_addr_t phys_pc;
-     tcg_insn_unit *gen_code_buf;
-     int gen_code_size, search_size, max_insns;
- #ifdef CONFIG_PROFILER
-@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
-     tb->flags = flags;
-     tb->cflags = cflags;
-     tb->trace_vcpu_dstate = *cpu->trace_dstate;
-+    tb->page_addr[0] = phys_pc;
-+    tb->page_addr[1] = -1;
-     tcg_ctx->tb_cflags = cflags;
-  tb_overflow:
-@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
-     }
-     /*
--     * If the TB is not associated with a physical RAM page then
--     * it must be a temporary one-insn TB, and we have nothing to do
--     * except fill in the page_addr[] fields. Return early before
--     * attempting to link to other TBs or add to the lookup table.
-+     * If the TB is not associated with a physical RAM page then it must be
-+     * a temporary one-insn TB, and we have nothing left to do. Return early
-+     * before attempting to link to other TBs or add to the lookup table.
-      */
--    if (phys_pc == -1) {
--        tb->page_addr[0] = tb->page_addr[1] = -1;
-+    if (tb->page_addr[0] == -1) {
-         return tb;
-     }
-@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
-      */
-     tcg_tb_insert(tb);
--    /* check next page if needed */
--    virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
--    phys_page2 = -1;
--    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
--        phys_page2 = get_page_addr_code(env, virt_page2);
--    }
-     /*
-      * No explicit memory barrier is required -- tb_link_page() makes the
-      * TB visible in a consistent state.
-      */
--    existing_tb = tb_link_page(tb, phys_pc, phys_page2);
-+    existing_tb = tb_link_page(tb, tb->page_addr[0], tb->page_addr[1]);
-     /* if the TB already exists, discard what we just translated */
-     if (unlikely(existing_tb != tb)) {
-         uintptr_t orig_aligned = (uintptr_t)gen_code_buf;
-diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/translator.c
-+++ b/accel/tcg/translator.c
-@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
-     return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
  }
--static inline void translator_page_protect(DisasContextBase *dcbase,
+-static void tcg_out_adr(TCGContext *s, TCGReg rd, const void *target)
 -                                           target_ulong pc)
 -{
--#ifdef CONFIG_USER_ONLY
+-    ptrdiff_t offset = tcg_pcrel_diff(s, target);
--    dcbase->page_protect_end = pc | ~TARGET_PAGE_MASK;
+-    tcg_debug_assert(offset == sextract64(offset, 0, 21));
--    page_protect(pc);
+-    tcg_out_insn(s, 3406, ADR, rd, offset);
 -#endif
 -}
 -
- void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+ typedef struct {
-                      target_ulong pc, void *host_pc,
+     TCGReg base;
-                      const TranslatorOps *ops, DisasContextBase *db)
+     TCGReg index;
-@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
-     db->num_insns = 0;
+ #endif
-     db->max_insns = max_insns;
+ };
-     db->singlestep_enabled = cflags & CF_SINGLE_STEP;
--    translator_page_protect(db, db->pc_next);
++static const TCGLdstHelperParam ldst_helper_param = {
-+    db->host_addr[0] = host_pc;
++    .ntmp = 1, .tmp = { TCG_REG_TMP }
-+    db->host_addr[1] = NULL;
++};
 +
-+#ifdef CONFIG_USER_ONLY
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
-+    page_protect(pc);
+ {
-+#endif
+-    MemOpIdx oi = lb->oi;
+-    MemOp opc = get_memop(oi);
-     ops->init_disas_context(db, cpu);
++    MemOp opc = get_memop(lb->oi);
-     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
-@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+     if (!reloc_pc19(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
- #endif
+         return false;
      }
 -    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_X0, TCG_AREG0);
 -    tcg_out_mov(s, TARGET_LONG_BITS == 64, TCG_REG_X1, lb->addrlo_reg);
 -    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_X2, oi);
 -    tcg_out_adr(s, TCG_REG_X3, lb->raddr);
 +    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
      tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
 -
 -    tcg_out_movext(s, lb->type, lb->datalo_reg,
 -                   TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_X0);
 +    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
      tcg_out_goto(s, lb->raddr);
      return true;
  }
--static inline void translator_maybe_page_protect(DisasContextBase *dcbase,
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 -                                                 target_ulong pc, size_t len)
 +static void *translator_access(CPUArchState *env, DisasContextBase *db,
 +                               target_ulong pc, size_t len)
  {
--#ifdef CONFIG_USER_ONLY
+-    MemOpIdx oi = lb->oi;
--    target_ulong end = pc + len - 1;
+-    MemOp opc = get_memop(oi);
-+    void *host;
+-    MemOp size = opc & MO_SIZE;
-+    target_ulong base, end;
++    MemOp opc = get_memop(lb->oi);
-+    TranslationBlock *tb;
+     if (!reloc_pc19(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
--    if (end > dcbase->page_protect_end) {
+         return false;
 -        translator_page_protect(dcbase, end);
 +    tb = db->tb;
 +
 +    /* Use slow path if first page is MMIO. */
 +    if (unlikely(tb->page_addr[0] == -1)) {
 +        return NULL;
      }
-+
-+    end = pc + len - 1;
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_X0, TCG_AREG0);
-+    if (likely(is_same_page(db, end))) {
+-    tcg_out_mov(s, TARGET_LONG_BITS == 64, TCG_REG_X1, lb->addrlo_reg);
-+        host = db->host_addr[0];
+-    tcg_out_mov(s, size == MO_64, TCG_REG_X2, lb->datalo_reg);
-+        base = db->pc_first;
+-    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_X3, oi);
-+    } else {
+-    tcg_out_adr(s, TCG_REG_X4, lb->raddr);
-+        host = db->host_addr[1];
++    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
-+        base = TARGET_PAGE_ALIGN(db->pc_first);
+     tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE]);
-+        if (host == NULL) {
+     tcg_out_goto(s, lb->raddr);
-+            tb->page_addr[1] =
+     return true;
 +                get_page_addr_code_hostp(env, base, &db->host_addr[1]);
 +#ifdef CONFIG_USER_ONLY
 +            page_protect(end);
  #endif
 +            /* We cannot handle MMIO as second page. */
 +            assert(tb->page_addr[1] != -1);
 +            host = db->host_addr[1];
 +        }
 +
 +        /* Use slow path when crossing pages. */
 +        if (is_same_page(db, pc)) {
 +            return NULL;
 +        }
 +    }
 +
 +    tcg_debug_assert(pc >= base);
 +    return host + (pc - base);
  }
+ #else
--#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
++static void tcg_out_adr(TCGContext *s, TCGReg rd, const void *target)
 -    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
 -                           abi_ptr pc, bool do_swap)                    \
 -    {                                                                   \
 -        translator_maybe_page_protect(dcbase, pc, sizeof(type));        \
 -        type ret = load_fn(env, pc);                                    \
 -        if (do_swap) {                                                  \
 -            ret = swap_fn(ret);                                         \
 -        }                                                               \
 -        plugin_insn_append(pc, &ret, sizeof(ret));                      \
 -        return ret;                                                     \
 +uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
 +{
-+    uint8_t ret;
++    ptrdiff_t offset = tcg_pcrel_diff(s, target);
-+    void *p = translator_access(env, db, pc, sizeof(ret));
++    tcg_debug_assert(offset == sextract64(offset, 0, 21));
-+
++    tcg_out_insn(s, 3406, ADR, rd, offset);
 +    if (p) {
 +        plugin_insn_append(pc, p, sizeof(ret));
 +        return ldub_p(p);
      }
 +    ret = cpu_ldub_code(env, pc);
 +    plugin_insn_append(pc, &ret, sizeof(ret));
 +    return ret;
 +}
 -FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
 +uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
 +{
 +    uint16_t ret, plug;
 +    void *p = translator_access(env, db, pc, sizeof(ret));
 -#undef GEN_TRANSLATOR_LD
 +    if (p) {
 +        plugin_insn_append(pc, p, sizeof(ret));
 +        return lduw_p(p);
 +    }
 +    ret = cpu_lduw_code(env, pc);
 +    plug = tswap16(ret);
 +    plugin_insn_append(pc, &plug, sizeof(ret));
 +    return ret;
 +}
 +
-+uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+ static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
-+{
+ {
-+    uint32_t ret, plug;
+     if (!reloc_pc19(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
 +    void *p = translator_access(env, db, pc, sizeof(ret));
 +
 +    if (p) {
 +        plugin_insn_append(pc, p, sizeof(ret));
 +        return ldl_p(p);
 +    }
 +    ret = cpu_ldl_code(env, pc);
 +    plug = tswap32(ret);
 +    plugin_insn_append(pc, &plug, sizeof(ret));
 +    return ret;
 +}
 +
 +uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
 +{
 +    uint64_t ret, plug;
 +    void *p = translator_access(env, db, pc, sizeof(ret));
 +
 +    if (p) {
 +        plugin_insn_append(pc, p, sizeof(ret));
 +        return ldq_p(p);
 +    }
 +    ret = cpu_ldq_code(env, pc);
 +    plug = tswap64(ret);
 +    plugin_insn_append(pc, &plug, sizeof(ret));
 +    return ret;
 +}
 --
 .34.1

-New patch
+[PULL 24/53] tcg/arm: Convert tcg_out_qemu_{ld,st}_slow_path
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
 and tcg_out_st_helper_args.  This allows our local
 tcg_out_arg_* infrastructure to be removed.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
  tcg/arm/tcg-target.c.inc | 140 +++++----------------------------------
 file changed, 18 insertions(+), 122 deletions(-)
 diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/arm/tcg-target.c.inc
 +++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ tcg_out_ldrd_rwb(TCGContext *s, ARMCond cond, TCGReg rt, TCGReg rn, TCGReg rm)
      tcg_out_memop_r(s, cond, INSN_LDRD_REG, rt, rn, rm, 1, 1, 1);
  }
 -static void tcg_out_strd_8(TCGContext *s, ARMCond cond, TCGReg rt,
 -                           TCGReg rn, int imm8)
 +static void __attribute__((unused))
 +tcg_out_strd_8(TCGContext *s, ARMCond cond, TCGReg rt, TCGReg rn, int imm8)
  {
      tcg_out_memop_8(s, cond, INSN_STRD_IMM, rt, rn, imm8, 1, 0);
  }
@@ -XXX,XX +XXX,XX @@ static void tcg_out_ext8u(TCGContext *s, TCGReg rd, TCGReg rn)
      tcg_out_dat_imm(s, COND_AL, ARITH_AND, rd, rn, 0xff);
  }
 -static void __attribute__((unused))
 -tcg_out_ext8u_cond(TCGContext *s, ARMCond cond, TCGReg rd, TCGReg rn)
 -{
 -    tcg_out_dat_imm(s, cond, ARITH_AND, rd, rn, 0xff);
 -}
 -
  static void tcg_out_ext16s(TCGContext *s, TCGType t, TCGReg rd, TCGReg rn)
  {
      /* sxth */
      tcg_out32(s, 0x06bf0070 | (COND_AL << 28) | (rd << 12) | rn);
  }
 -static void tcg_out_ext16u_cond(TCGContext *s, ARMCond cond,
 -                                TCGReg rd, TCGReg rn)
 -{
 -    /* uxth */
 -    tcg_out32(s, 0x06ff0070 | (cond << 28) | (rd << 12) | rn);
 -}
 -
  static void tcg_out_ext16u(TCGContext *s, TCGReg rd, TCGReg rn)
  {
 -    tcg_out_ext16u_cond(s, COND_AL, rd, rn);
 +    /* uxth */
 +    tcg_out32(s, 0x06ff0070 | (COND_AL << 28) | (rd << 12) | rn);
  }
  static void tcg_out_ext32s(TCGContext *s, TCGReg rd, TCGReg rn)
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
  #endif
  };
 -/* Helper routines for marshalling helper function arguments into
 - * the correct registers and stack.
 - * argreg is where we want to put this argument, arg is the argument itself.
 - * Return value is the updated argreg ready for the next call.
 - * Note that argreg 0..3 is real registers, 4+ on stack.
 - *
 - * We provide routines for arguments which are: immediate, 32 bit
 - * value in register, 16 and 8 bit values in register (which must be zero
 - * extended before use) and 64 bit value in a lo:hi register pair.
 - */
 -#define DEFINE_TCG_OUT_ARG(NAME, ARGTYPE, MOV_ARG, EXT_ARG)                \
 -static TCGReg NAME(TCGContext *s, TCGReg argreg, ARGTYPE arg)              \
 -{                                                                          \
 -    if (argreg < 4) {                                                      \
 -        MOV_ARG(s, COND_AL, argreg, arg);                                  \
 -    } else {                                                               \
 -        int ofs = (argreg - 4) * 4;                                        \
 -        EXT_ARG;                                                           \
 -        tcg_debug_assert(ofs + 4 <= TCG_STATIC_CALL_ARGS_SIZE);            \
 -        tcg_out_st32_12(s, COND_AL, arg, TCG_REG_CALL_STACK, ofs);         \
 -    }                                                                      \
 -    return argreg + 1;                                                     \
 -}
 -
 -DEFINE_TCG_OUT_ARG(tcg_out_arg_imm32, uint32_t, tcg_out_movi32,
 -    (tcg_out_movi32(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
 -DEFINE_TCG_OUT_ARG(tcg_out_arg_reg8, TCGReg, tcg_out_ext8u_cond,
 -    (tcg_out_ext8u_cond(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
 -DEFINE_TCG_OUT_ARG(tcg_out_arg_reg16, TCGReg, tcg_out_ext16u_cond,
 -    (tcg_out_ext16u_cond(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
 -DEFINE_TCG_OUT_ARG(tcg_out_arg_reg32, TCGReg, tcg_out_mov_reg, )
 -
 -static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg,
 -                                TCGReg arglo, TCGReg arghi)
 +static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
  {
 -    /* 64 bit arguments must go in even/odd register pairs
 -     * and in 8-aligned stack slots.
 -     */
 -    if (argreg & 1) {
 -        argreg++;
 -    }
 -    if (argreg >= 4 && (arglo & 1) == 0 && arghi == arglo + 1) {
 -        tcg_out_strd_8(s, COND_AL, arglo,
 -                       TCG_REG_CALL_STACK, (argreg - 4) * 4);
 -        return argreg + 2;
 -    } else {
 -        argreg = tcg_out_arg_reg32(s, argreg, arglo);
 -        argreg = tcg_out_arg_reg32(s, argreg, arghi);
 -        return argreg;
 -    }
 +    /* We arrive at the slow path via "BLNE", so R14 contains l->raddr. */
 +    return TCG_REG_R14;
  }
 +static const TCGLdstHelperParam ldst_helper_param = {
 +    .ra_gen = ldst_ra_gen,
 +    .ntmp = 1,
 +    .tmp = { TCG_REG_TMP },
 +};
 +
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
  {
 -    TCGReg argreg;
 -    MemOpIdx oi = lb->oi;
 -    MemOp opc = get_memop(oi);
 +    MemOp opc = get_memop(lb->oi);
      if (!reloc_pc24(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
          return false;
      }
 -    argreg = tcg_out_arg_reg32(s, TCG_REG_R0, TCG_AREG0);
 -    if (TARGET_LONG_BITS == 64) {
 -        argreg = tcg_out_arg_reg64(s, argreg, lb->addrlo_reg, lb->addrhi_reg);
 -    } else {
 -        argreg = tcg_out_arg_reg32(s, argreg, lb->addrlo_reg);
 -    }
 -    argreg = tcg_out_arg_imm32(s, argreg, oi);
 -    argreg = tcg_out_arg_reg32(s, argreg, TCG_REG_R14);
 -
 -    /* Use the canonical unsigned helpers and minimize icache usage. */
 +    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
      tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
 -
 -    if ((opc & MO_SIZE) == MO_64) {
 -        TCGMovExtend ext[2] = {
 -            { .dst = lb->datalo_reg, .dst_type = TCG_TYPE_I32,
 -              .src = TCG_REG_R0, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 -            { .dst = lb->datahi_reg, .dst_type = TCG_TYPE_I32,
 -              .src = TCG_REG_R1, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
 -        };
 -        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
 -    } else {
 -        tcg_out_movext(s, TCG_TYPE_I32, lb->datalo_reg,
 -                       TCG_TYPE_I32, opc & MO_SSIZE, TCG_REG_R0);
 -    }
 +    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
      tcg_out_goto(s, COND_AL, lb->raddr);
      return true;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
  static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
  {
 -    TCGReg argreg, datalo, datahi;
 -    MemOpIdx oi = lb->oi;
 -    MemOp opc = get_memop(oi);
 +    MemOp opc = get_memop(lb->oi);
      if (!reloc_pc24(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
          return false;
      }
 -    argreg = TCG_REG_R0;
 -    argreg = tcg_out_arg_reg32(s, argreg, TCG_AREG0);
 -    if (TARGET_LONG_BITS == 64) {
 -        argreg = tcg_out_arg_reg64(s, argreg, lb->addrlo_reg, lb->addrhi_reg);
 -    } else {
 -        argreg = tcg_out_arg_reg32(s, argreg, lb->addrlo_reg);
 -    }
 -
 -    datalo = lb->datalo_reg;
 -    datahi = lb->datahi_reg;
 -    switch (opc & MO_SIZE) {
 -    case MO_8:
 -        argreg = tcg_out_arg_reg8(s, argreg, datalo);
 -        break;
 -    case MO_16:
 -        argreg = tcg_out_arg_reg16(s, argreg, datalo);
 -        break;
 -    case MO_32:
 -    default:
 -        argreg = tcg_out_arg_reg32(s, argreg, datalo);
 -        break;
 -    case MO_64:
 -        argreg = tcg_out_arg_reg64(s, argreg, datalo, datahi);
 -        break;
 -    }
 -
 -    argreg = tcg_out_arg_imm32(s, argreg, oi);
 -    argreg = tcg_out_arg_reg32(s, argreg, TCG_REG_R14);
 +    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
      /* Tail-call to the helper, which will return to the fast path.  */
      tcg_out_goto(s, COND_AL, qemu_st_helpers[opc & MO_SIZE]);
 --
 .34.1

-New patch
+[PULL 25/53] tcg/loongarch64: Convert tcg_out_qemu_{ld,st}_slow_path
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
+and tcg_out_st_helper_args.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/loongarch64/tcg-target.c.inc | 37 ++++++++++----------------------
+file changed, 11 insertions(+), 26 deletions(-)
+diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/loongarch64/tcg-target.c.inc
++++ b/tcg/loongarch64/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
+     return reloc_br_sd10k16(s->code_ptr - 1, target);
+ }
++static const TCGLdstHelperParam ldst_helper_param = {
++    .ntmp = 1, .tmp = { TCG_REG_TMP0 }
++};
++
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp size = opc & MO_SIZE;
++    MemOp opc = get_memop(l->oi);
+     /* resolve label address */
+     if (!reloc_br_sk16(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+         return false;
+     }
+-    /* call load helper */
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A0, TCG_AREG0);
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A1, l->addrlo_reg);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A2, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A3, (tcg_target_long)l->raddr);
+-
+-    tcg_out_call_int(s, qemu_ld_helpers[size], false);
+-
+-    tcg_out_movext(s, l->type, l->datalo_reg,
+-                   TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_A0);
++    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
++    tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE], false);
++    tcg_out_ld_helper_ret(s, l, false, &ldst_helper_param);
+     return tcg_out_goto(s, l->raddr);
+ }
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp size = opc & MO_SIZE;
++    MemOp opc = get_memop(l->oi);
+     /* resolve label address */
+     if (!reloc_br_sk16(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+         return false;
+     }
+-    /* call store helper */
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A0, TCG_AREG0);
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A1, l->addrlo_reg);
+-    tcg_out_movext(s, size == MO_64 ? TCG_TYPE_I32 : TCG_TYPE_I32, TCG_REG_A2,
+-                   l->type, size, l->datalo_reg);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A3, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A4, (tcg_target_long)l->raddr);
+-
+-    tcg_out_call_int(s, qemu_st_helpers[size], false);
+-
++    tcg_out_st_helper_args(s, l, &ldst_helper_param);
++    tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
+     return tcg_out_goto(s, l->raddr);
+ }
+ #else
+--
+.34.1

-[PULL 1/4] target/avr: Support probe argument to tlb_fill
+[PULL 26/53] tcg/mips: Convert tcg_out_qemu_{ld,st}_slow_path
-While there are no target-specific nonfaulting probes,
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
-generic code may grow some uses at some point.
+and tcg_out_st_helper_args.  This allows our local
+tcg_out_arg_* infrastructure to be removed.
-Note that the attrs argument was incorrect -- it should have
-been MEMTXATTRS_UNSPECIFIED. Just use the simpler interface.
+We are no longer filling the call or return branch
+delay slots, nor are we tail-calling for the store,
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+but this seems a small price to pay.
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/avr/helper.c | 46 ++++++++++++++++++++++++++++-----------------
+ tcg/mips/tcg-target.c.inc | 154 ++++++--------------------------------
-file changed, 29 insertions(+), 17 deletions(-)
+file changed, 22 insertions(+), 132 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
+--- a/tcg/mips/tcg-target.c.inc
-+++ b/target/avr/helper.c
++++ b/tcg/mips/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
-                       MMUAccessType access_type, int mmu_idx,
+     [MO_BEUQ] = helper_be_stq_mmu,
-                       bool probe, uintptr_t retaddr)
+ };
 -/* Helper routines for marshalling helper function arguments into
 - * the correct registers and stack.
 - * I is where we want to put this argument, and is updated and returned
 - * for the next call. ARG is the argument itself.
 - *
 - * We provide routines for arguments which are: immediate, 32 bit
 - * value in register, 16 and 8 bit values in register (which must be zero
 - * extended before use) and 64 bit value in a lo:hi register pair.
 - */
 -
 -static int tcg_out_call_iarg_reg(TCGContext *s, int i, TCGReg arg)
 -{
 -    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
 -        tcg_out_mov(s, TCG_TYPE_REG, tcg_target_call_iarg_regs[i], arg);
 -    } else {
 -        /* For N32 and N64, the initial offset is different.  But there
 -           we also have 8 argument register so we don't run out here.  */
 -        tcg_debug_assert(TCG_TARGET_REG_BITS == 32);
 -        tcg_out_st(s, TCG_TYPE_REG, arg, TCG_REG_SP, 4 * i);
 -    }
 -    return i + 1;
 -}
 -
 -static int tcg_out_call_iarg_reg8(TCGContext *s, int i, TCGReg arg)
 -{
 -    TCGReg tmp = TCG_TMP0;
 -    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
 -        tmp = tcg_target_call_iarg_regs[i];
 -    }
 -    tcg_out_ext8u(s, tmp, arg);
 -    return tcg_out_call_iarg_reg(s, i, tmp);
 -}
 -
 -static int tcg_out_call_iarg_reg16(TCGContext *s, int i, TCGReg arg)
 -{
 -    TCGReg tmp = TCG_TMP0;
 -    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
 -        tmp = tcg_target_call_iarg_regs[i];
 -    }
 -    tcg_out_opc_imm(s, OPC_ANDI, tmp, arg, 0xffff);
 -    return tcg_out_call_iarg_reg(s, i, tmp);
 -}
 -
 -static int tcg_out_call_iarg_imm(TCGContext *s, int i, TCGArg arg)
 -{
 -    TCGReg tmp = TCG_TMP0;
 -    if (arg == 0) {
 -        tmp = TCG_REG_ZERO;
 -    } else {
 -        if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
 -            tmp = tcg_target_call_iarg_regs[i];
 -        }
 -        tcg_out_movi(s, TCG_TYPE_REG, tmp, arg);
 -    }
 -    return tcg_out_call_iarg_reg(s, i, tmp);
 -}
 -
 -static int tcg_out_call_iarg_reg2(TCGContext *s, int i, TCGReg al, TCGReg ah)
 -{
 -    tcg_debug_assert(TCG_TARGET_REG_BITS == 32);
 -    i = (i + 1) & ~1;
 -    i = tcg_out_call_iarg_reg(s, i, (MIPS_BE ? ah : al));
 -    i = tcg_out_call_iarg_reg(s, i, (MIPS_BE ? al : ah));
 -    return i;
 -}
 +/* We have four temps, we might as well expose three of them. */
 +static const TCGLdstHelperParam ldst_helper_param = {
 +    .ntmp = 3, .tmp = { TCG_TMP0, TCG_TMP1, TCG_TMP2 }
 +};
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  {
--    int prot = 0;
+     const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
--    MemTxAttrs attrs = {};
+-    MemOpIdx oi = l->oi;
-+    int prot, page_size = TARGET_PAGE_SIZE;
+-    MemOp opc = get_memop(oi);
-     uint32_t paddr;
+-    TCGReg v0;
+-    int i;
-     address &= TARGET_PAGE_MASK;
++    MemOp opc = get_memop(l->oi);
-     if (mmu_idx == MMU_CODE_IDX) {
+     /* resolve label address */
--        /* access to code in flash */
+     if (!reloc_pc16(l->label_ptr[0], tgt_rx)
-+        /* Access to code in flash. */
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
-         paddr = OFFSET_CODE + address;
+         return false;
          prot = PAGE_READ | PAGE_EXEC;
 -        if (paddr + TARGET_PAGE_SIZE > OFFSET_DATA) {
 +        if (paddr >= OFFSET_DATA) {
 +            /*
 +             * This should not be possible via any architectural operations.
 +             * There is certainly not an exception that we can deliver.
 +             * Accept probing that might come from generic code.
 +             */
 +            if (probe) {
 +                return false;
 +            }
              error_report("execution left flash memory");
              abort();
          }
 -    } else if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
 -        /*
 -         * access to CPU registers, exit and rebuilt this TB to use full access
 -         * incase it touches specially handled registers like SREG or SP
 -         */
 -        AVRCPU *cpu = AVR_CPU(cs);
 -        CPUAVRState *env = &cpu->env;
 -        env->fullacc = 1;
 -        cpu_loop_exit_restore(cs, retaddr);
      } else {
 -        /* access to memory. nothing special */
 +        /* Access to memory. */
          paddr = OFFSET_DATA + address;
          prot = PAGE_READ | PAGE_WRITE;
 +        if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
 +            /*
 +             * Access to CPU registers, exit and rebuilt this TB to use
 +             * full access in case it touches specially handled registers
 +             * like SREG or SP.  For probing, set page_size = 1, in order
 +             * to force tlb_fill to be called for the next access.
 +             */
 +            if (probe) {
 +                page_size = 1;
 +            } else {
 +                AVRCPU *cpu = AVR_CPU(cs);
 +                CPUAVRState *env = &cpu->env;
 +                env->fullacc = 1;
 +                cpu_loop_exit_restore(cs, retaddr);
 +            }
 +        }
      }
--    tlb_set_page_with_attrs(cs, address, paddr, attrs, prot,
+-    i = 1;
--                            mmu_idx, TARGET_PAGE_SIZE);
+-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
--
+-        i = tcg_out_call_iarg_reg2(s, i, l->addrlo_reg, l->addrhi_reg);
-+    tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size);
+-    } else {
 -        i = tcg_out_call_iarg_reg(s, i, l->addrlo_reg);
 -    }
 -    i = tcg_out_call_iarg_imm(s, i, oi);
 -    i = tcg_out_call_iarg_imm(s, i, (intptr_t)l->raddr);
 +    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
 +
      tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SSIZE)], false);
      /* delay slot */
 -    tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
 +    tcg_out_nop(s);
 -    v0 = l->datalo_reg;
 -    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
 -        /* We eliminated V0 from the possible output registers, so it
 -           cannot be clobbered here.  So we must move V1 first.  */
 -        if (MIPS_BE) {
 -            tcg_out_mov(s, TCG_TYPE_I32, v0, TCG_REG_V1);
 -            v0 = l->datahi_reg;
 -        } else {
 -            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_V1);
 -        }
 -    }
 +    tcg_out_ld_helper_ret(s, l, true, &ldst_helper_param);
      tcg_out_opc_br(s, OPC_BEQ, TCG_REG_ZERO, TCG_REG_ZERO);
      if (!reloc_pc16(s->code_ptr - 1, l->raddr)) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
      }
      /* delay slot */
 -    if (TCG_TARGET_REG_BITS == 64 && l->type == TCG_TYPE_I32) {
 -        /* we always sign-extend 32-bit loads */
 -        tcg_out_ext32s(s, v0, TCG_REG_V0);
 -    } else {
 -        tcg_out_opc_reg(s, OPC_OR, v0, TCG_REG_V0, TCG_REG_ZERO);
 -    }
 +    tcg_out_nop(s);
      return true;
  }
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+     const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp s_bits = opc & MO_SIZE;
+-    int i;
++    MemOp opc = get_memop(l->oi);
+     /* resolve label address */
+     if (!reloc_pc16(l->label_ptr[0], tgt_rx)
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+         return false;
+     }
+-    i = 1;
+-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+-        i = tcg_out_call_iarg_reg2(s, i, l->addrlo_reg, l->addrhi_reg);
+-    } else {
+-        i = tcg_out_call_iarg_reg(s, i, l->addrlo_reg);
+-    }
+-    switch (s_bits) {
+-    case MO_8:
+-        i = tcg_out_call_iarg_reg8(s, i, l->datalo_reg);
+-        break;
+-    case MO_16:
+-        i = tcg_out_call_iarg_reg16(s, i, l->datalo_reg);
+-        break;
+-    case MO_32:
+-        i = tcg_out_call_iarg_reg(s, i, l->datalo_reg);
+-        break;
+-    case MO_64:
+-        if (TCG_TARGET_REG_BITS == 32) {
+-            i = tcg_out_call_iarg_reg2(s, i, l->datalo_reg, l->datahi_reg);
+-        } else {
+-            i = tcg_out_call_iarg_reg(s, i, l->datalo_reg);
+-        }
+-        break;
+-    default:
+-        g_assert_not_reached();
+-    }
+-    i = tcg_out_call_iarg_imm(s, i, oi);
++    tcg_out_st_helper_args(s, l, &ldst_helper_param);
+-    /* Tail call to the store helper.  Thus force the return address
+-       computation to take place in the return address register.  */
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_RA, (intptr_t)l->raddr);
+-    i = tcg_out_call_iarg_reg(s, i, TCG_REG_RA);
+-    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], true);
++    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], false);
+     /* delay slot */
+-    tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
++    tcg_out_nop(s);
++
++    tcg_out_opc_br(s, OPC_BEQ, TCG_REG_ZERO, TCG_REG_ZERO);
++    if (!reloc_pc16(s->code_ptr - 1, l->raddr)) {
++        return false;
++    }
++
++    /* delay slot */
++    tcg_out_nop(s);
+     return true;
+ }
 --
 .34.1

-New patch
+[PULL 27/53] tcg/ppc: Convert tcg_out_qemu_{ld,st}_slow_path
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
+and tcg_out_st_helper_args.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/ppc/tcg-target.c.inc | 88 ++++++++++++----------------------------
+file changed, 26 insertions(+), 62 deletions(-)
+diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target.c.inc
++++ b/tcg/ppc/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
+     [MO_BEUQ] = helper_be_stq_mmu,
+ };
++static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
++{
++    if (arg < 0) {
++        arg = TCG_REG_TMP1;
++    }
++    tcg_out32(s, MFSPR | RT(arg) | LR);
++    return arg;
++}
++
++/*
++ * For the purposes of ppc32 sorting 4 input registers into 4 argument
++ * registers, there is an outside chance we would require 3 temps.
++ * Because of constraints, no inputs are in r3, and env will not be
++ * placed into r3 until after the sorting is done, and is thus free.
++ */
++static const TCGLdstHelperParam ldst_helper_param = {
++    .ra_gen = ldst_ra_gen,
++    .ntmp = 3,
++    .tmp = { TCG_REG_TMP1, TCG_REG_R0, TCG_REG_R3 }
++};
++
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+-    MemOpIdx oi = lb->oi;
+-    MemOp opc = get_memop(oi);
+-    TCGReg hi, lo, arg = TCG_REG_R3;
++    MemOp opc = get_memop(lb->oi);
+     if (!reloc_pc14(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+         return false;
+     }
+-    tcg_out_mov(s, TCG_TYPE_PTR, arg++, TCG_AREG0);
+-
+-    lo = lb->addrlo_reg;
+-    hi = lb->addrhi_reg;
+-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+-        arg |= (TCG_TARGET_CALL_ARG_I64 == TCG_CALL_ARG_EVEN);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, hi);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, lo);
+-    } else {
+-        /* If the address needed to be zero-extended, we'll have already
+-           placed it in R4.  The only remaining case is 64-bit guest.  */
+-        tcg_out_mov(s, TCG_TYPE_TL, arg++, lo);
+-    }
+-
+-    tcg_out_movi(s, TCG_TYPE_I32, arg++, oi);
+-    tcg_out32(s, MFSPR | RT(arg) | LR);
+-
++    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
+     tcg_out_call_int(s, LK, qemu_ld_helpers[opc & (MO_BSWAP | MO_SIZE)]);
+-
+-    lo = lb->datalo_reg;
+-    hi = lb->datahi_reg;
+-    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
+-        tcg_out_mov(s, TCG_TYPE_I32, lo, TCG_REG_R4);
+-        tcg_out_mov(s, TCG_TYPE_I32, hi, TCG_REG_R3);
+-    } else {
+-        tcg_out_movext(s, lb->type, lo,
+-                       TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_R3);
+-    }
++    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
+     tcg_out_b(s, 0, lb->raddr);
+     return true;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+-    MemOpIdx oi = lb->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp s_bits = opc & MO_SIZE;
+-    TCGReg hi, lo, arg = TCG_REG_R3;
++    MemOp opc = get_memop(lb->oi);
+     if (!reloc_pc14(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+         return false;
+     }
+-    tcg_out_mov(s, TCG_TYPE_PTR, arg++, TCG_AREG0);
+-
+-    lo = lb->addrlo_reg;
+-    hi = lb->addrhi_reg;
+-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+-        arg |= (TCG_TARGET_CALL_ARG_I64 == TCG_CALL_ARG_EVEN);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, hi);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, lo);
+-    } else {
+-        /* If the address needed to be zero-extended, we'll have already
+-           placed it in R4.  The only remaining case is 64-bit guest.  */
+-        tcg_out_mov(s, TCG_TYPE_TL, arg++, lo);
+-    }
+-
+-    lo = lb->datalo_reg;
+-    hi = lb->datahi_reg;
+-    if (TCG_TARGET_REG_BITS == 32 && s_bits == MO_64) {
+-        arg |= (TCG_TARGET_CALL_ARG_I64 == TCG_CALL_ARG_EVEN);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, hi);
+-        tcg_out_mov(s, TCG_TYPE_I32, arg++, lo);
+-    } else {
+-        tcg_out_movext(s, s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32,
+-                       arg++, lb->type, s_bits, lo);
+-    }
+-
+-    tcg_out_movi(s, TCG_TYPE_I32, arg++, oi);
+-    tcg_out32(s, MFSPR | RT(arg) | LR);
+-
++    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
+     tcg_out_call_int(s, LK, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
+     tcg_out_b(s, 0, lb->raddr);
+--
+.34.1

-New patch
+[PULL 28/53] tcg/riscv: Convert tcg_out_qemu_{ld,st}_slow_path
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
+and tcg_out_st_helper_args.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/riscv/tcg-target.c.inc | 37 ++++++++++---------------------------
+file changed, 10 insertions(+), 27 deletions(-)
+diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/riscv/tcg-target.c.inc
++++ b/tcg/riscv/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
+     tcg_debug_assert(ok);
+ }
++/* We have three temps, we might as well expose them. */
++static const TCGLdstHelperParam ldst_helper_param = {
++    .ntmp = 3, .tmp = { TCG_REG_TMP0, TCG_REG_TMP1, TCG_REG_TMP2 }
++};
++
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    TCGReg a0 = tcg_target_call_iarg_regs[0];
+-    TCGReg a1 = tcg_target_call_iarg_regs[1];
+-    TCGReg a2 = tcg_target_call_iarg_regs[2];
+-    TCGReg a3 = tcg_target_call_iarg_regs[3];
++    MemOp opc = get_memop(l->oi);
+     /* resolve label address */
+     if (!reloc_sbimm12(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+     }
+     /* call load helper */
+-    tcg_out_mov(s, TCG_TYPE_PTR, a0, TCG_AREG0);
+-    tcg_out_mov(s, TCG_TYPE_PTR, a1, l->addrlo_reg);
+-    tcg_out_movi(s, TCG_TYPE_PTR, a2, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, a3, (tcg_target_long)l->raddr);
+-
++    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
+     tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SSIZE], false);
+-    tcg_out_mov(s, (opc & MO_SIZE) == MO_64, l->datalo_reg, a0);
++    tcg_out_ld_helper_ret(s, l, true, &ldst_helper_param);
+     tcg_out_goto(s, l->raddr);
+     return true;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+ {
+-    MemOpIdx oi = l->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp s_bits = opc & MO_SIZE;
+-    TCGReg a0 = tcg_target_call_iarg_regs[0];
+-    TCGReg a1 = tcg_target_call_iarg_regs[1];
+-    TCGReg a2 = tcg_target_call_iarg_regs[2];
+-    TCGReg a3 = tcg_target_call_iarg_regs[3];
+-    TCGReg a4 = tcg_target_call_iarg_regs[4];
++    MemOp opc = get_memop(l->oi);
+     /* resolve label address */
+     if (!reloc_sbimm12(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+     }
+     /* call store helper */
+-    tcg_out_mov(s, TCG_TYPE_PTR, a0, TCG_AREG0);
+-    tcg_out_mov(s, TCG_TYPE_PTR, a1, l->addrlo_reg);
+-    tcg_out_movext(s, s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32, a2,
+-                   l->type, s_bits, l->datalo_reg);
+-    tcg_out_movi(s, TCG_TYPE_PTR, a3, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, a4, (tcg_target_long)l->raddr);
+-
++    tcg_out_st_helper_args(s, l, &ldst_helper_param);
+     tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
+     tcg_out_goto(s, l->raddr);
+--
+.34.1

-New patch
+[PULL 29/53] tcg/s390x: Convert tcg_out_qemu_{ld,st}_slow_path
+Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
+and tcg_out_st_helper_args.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/s390x/tcg-target.c.inc | 35 ++++++++++-------------------------
+file changed, 10 insertions(+), 25 deletions(-)
+diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/s390x/tcg-target.c.inc
++++ b/tcg/s390x/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg data,
+ }
+ #if defined(CONFIG_SOFTMMU)
++static const TCGLdstHelperParam ldst_helper_param = {
++    .ntmp = 1, .tmp = { TCG_TMP0 }
++};
++
+ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+-    TCGReg addr_reg = lb->addrlo_reg;
+-    TCGReg data_reg = lb->datalo_reg;
+-    MemOpIdx oi = lb->oi;
+-    MemOp opc = get_memop(oi);
++    MemOp opc = get_memop(lb->oi);
+     if (!patch_reloc(lb->label_ptr[0], R_390_PC16DBL,
+                      (intptr_t)tcg_splitwx_to_rx(s->code_ptr), 2)) {
+         return false;
+     }
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_R2, TCG_AREG0);
+-    if (TARGET_LONG_BITS == 64) {
+-        tcg_out_mov(s, TCG_TYPE_I64, TCG_REG_R3, addr_reg);
+-    }
+-    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_R4, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R5, (uintptr_t)lb->raddr);
+-    tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SSIZE)]);
+-    tcg_out_mov(s, TCG_TYPE_I64, data_reg, TCG_REG_R2);
++    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
++    tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SIZE)]);
++    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
+     tgen_gotoi(s, S390_CC_ALWAYS, lb->raddr);
+     return true;
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
+ {
+-    TCGReg addr_reg = lb->addrlo_reg;
+-    TCGReg data_reg = lb->datalo_reg;
+-    MemOpIdx oi = lb->oi;
+-    MemOp opc = get_memop(oi);
+-    MemOp size = opc & MO_SIZE;
++    MemOp opc = get_memop(lb->oi);
+     if (!patch_reloc(lb->label_ptr[0], R_390_PC16DBL,
+                      (intptr_t)tcg_splitwx_to_rx(s->code_ptr), 2)) {
+         return false;
+     }
+-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_R2, TCG_AREG0);
+-    if (TARGET_LONG_BITS == 64) {
+-        tcg_out_mov(s, TCG_TYPE_I64, TCG_REG_R3, addr_reg);
+-    }
+-    tcg_out_movext(s, size == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32,
+-                   TCG_REG_R4, lb->type, size, data_reg);
+-    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_R5, oi);
+-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_R6, (uintptr_t)lb->raddr);
++    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
+     tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
+     tgen_gotoi(s, S390_CC_ALWAYS, lb->raddr);
+--
+.34.1

-New patch
+[PULL 30/53] tcg/loongarch64: Simplify constraints on qemu_ld/st
+The softmmu tlb uses TCG_REG_TMP[0-2], not any of the normally available
+registers.  Now that we handle overlap betwen inputs and helper arguments,
+we can allow any allocatable reg.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/loongarch64/tcg-target-con-set.h |  2 --
+ tcg/loongarch64/tcg-target-con-str.h |  1 -
+ tcg/loongarch64/tcg-target.c.inc     | 23 ++++-------------------
+files changed, 4 insertions(+), 22 deletions(-)
+diff --git a/tcg/loongarch64/tcg-target-con-set.h b/tcg/loongarch64/tcg-target-con-set.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/loongarch64/tcg-target-con-set.h
++++ b/tcg/loongarch64/tcg-target-con-set.h
+@@ -XXX,XX +XXX,XX @@
+ C_O0_I1(r)
+ C_O0_I2(rZ, r)
+ C_O0_I2(rZ, rZ)
+-C_O0_I2(LZ, L)
+ C_O1_I1(r, r)
+-C_O1_I1(r, L)
+ C_O1_I2(r, r, rC)
+ C_O1_I2(r, r, ri)
+ C_O1_I2(r, r, rI)
+diff --git a/tcg/loongarch64/tcg-target-con-str.h b/tcg/loongarch64/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/loongarch64/tcg-target-con-str.h
++++ b/tcg/loongarch64/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@
+  * REGS(letter, register_mask)
+  */
+ REGS('r', ALL_GENERAL_REGS)
+-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
+ /*
+  * Define constraint letters for constants:
+diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/loongarch64/tcg-target.c.inc
++++ b/tcg/loongarch64/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
+ #define TCG_CT_CONST_C12   0x1000
+ #define TCG_CT_CONST_WSZ   0x2000
+-#define ALL_GENERAL_REGS      MAKE_64BIT_MASK(0, 32)
+-/*
+- * For softmmu, we need to avoid conflicts with the first 5
+- * argument registers to call the helper.  Some of these are
+- * also used for the tlb lookup.
+- */
+-#ifdef CONFIG_SOFTMMU
+-#define SOFTMMU_RESERVE_REGS  MAKE_64BIT_MASK(TCG_REG_A0, 5)
+-#else
+-#define SOFTMMU_RESERVE_REGS  0
+-#endif
+-
++#define ALL_GENERAL_REGS   MAKE_64BIT_MASK(0, 32)
+ static inline tcg_target_long sextreg(tcg_target_long val, int pos, int len)
+ {
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+     case INDEX_op_st32_i64:
+     case INDEX_op_st_i32:
+     case INDEX_op_st_i64:
++    case INDEX_op_qemu_st_i32:
++    case INDEX_op_qemu_st_i64:
+         return C_O0_I2(rZ, r);
+     case INDEX_op_brcond_i32:
+     case INDEX_op_brcond_i64:
+         return C_O0_I2(rZ, rZ);
+-    case INDEX_op_qemu_st_i32:
+-    case INDEX_op_qemu_st_i64:
+-        return C_O0_I2(LZ, L);
+-
+     case INDEX_op_ext8s_i32:
+     case INDEX_op_ext8s_i64:
+     case INDEX_op_ext8u_i32:
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+     case INDEX_op_ld32u_i64:
+     case INDEX_op_ld_i32:
+     case INDEX_op_ld_i64:
+-        return C_O1_I1(r, r);
+-
+     case INDEX_op_qemu_ld_i32:
+     case INDEX_op_qemu_ld_i64:
+-        return C_O1_I1(r, L);
++        return C_O1_I1(r, r);
+     case INDEX_op_andc_i32:
+     case INDEX_op_andc_i64:
+--
+.34.1

-New patch
+[PULL 31/53] tcg/mips: Remove MO_BSWAP handling
+While performing the load in the delay slot of the call to the common
+bswap helper function is cute, it is not worth the added complexity.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/mips/tcg-target.h     |   4 +-
+ tcg/mips/tcg-target.c.inc | 284 ++++++--------------------------------
+files changed, 48 insertions(+), 240 deletions(-)
+diff --git a/tcg/mips/tcg-target.h b/tcg/mips/tcg-target.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target.h
++++ b/tcg/mips/tcg-target.h
+@@ -XXX,XX +XXX,XX @@ extern bool use_mips32r2_instructions;
+ #define TCG_TARGET_HAS_ext16u_i64       0 /* andi rt, rs, 0xffff */
+ #endif
+-#define TCG_TARGET_DEFAULT_MO (0)
+-#define TCG_TARGET_HAS_MEMORY_BSWAP     1
++#define TCG_TARGET_DEFAULT_MO           0
++#define TCG_TARGET_HAS_MEMORY_BSWAP     0
+ #define TCG_TARGET_NEED_LDST_LABELS
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target.c.inc
++++ b/tcg/mips/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_call(TCGContext *s, const tcg_insn_unit *arg,
+ }
+ #if defined(CONFIG_SOFTMMU)
+-static void * const qemu_ld_helpers[(MO_SSIZE | MO_BSWAP) + 1] = {
++static void * const qemu_ld_helpers[MO_SSIZE + 1] = {
+     [MO_UB]   = helper_ret_ldub_mmu,
+     [MO_SB]   = helper_ret_ldsb_mmu,
+-    [MO_LEUW] = helper_le_lduw_mmu,
+-    [MO_LESW] = helper_le_ldsw_mmu,
+-    [MO_LEUL] = helper_le_ldul_mmu,
+-    [MO_LEUQ] = helper_le_ldq_mmu,
+-    [MO_BEUW] = helper_be_lduw_mmu,
+-    [MO_BESW] = helper_be_ldsw_mmu,
+-    [MO_BEUL] = helper_be_ldul_mmu,
+-    [MO_BEUQ] = helper_be_ldq_mmu,
+-#if TCG_TARGET_REG_BITS == 64
+-    [MO_LESL] = helper_le_ldsl_mmu,
+-    [MO_BESL] = helper_be_ldsl_mmu,
++#if HOST_BIG_ENDIAN
++    [MO_UW] = helper_be_lduw_mmu,
++    [MO_SW] = helper_be_ldsw_mmu,
++    [MO_UL] = helper_be_ldul_mmu,
++    [MO_SL] = helper_be_ldsl_mmu,
++    [MO_UQ] = helper_be_ldq_mmu,
++#else
++    [MO_UW] = helper_le_lduw_mmu,
++    [MO_SW] = helper_le_ldsw_mmu,
++    [MO_UL] = helper_le_ldul_mmu,
++    [MO_UQ] = helper_le_ldq_mmu,
++    [MO_SL] = helper_le_ldsl_mmu,
+ #endif
+ };
+-static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
++static void * const qemu_st_helpers[MO_SIZE + 1] = {
+     [MO_UB]   = helper_ret_stb_mmu,
+-    [MO_LEUW] = helper_le_stw_mmu,
+-    [MO_LEUL] = helper_le_stl_mmu,
+-    [MO_LEUQ] = helper_le_stq_mmu,
+-    [MO_BEUW] = helper_be_stw_mmu,
+-    [MO_BEUL] = helper_be_stl_mmu,
+-    [MO_BEUQ] = helper_be_stq_mmu,
++#if HOST_BIG_ENDIAN
++    [MO_UW] = helper_be_stw_mmu,
++    [MO_UL] = helper_be_stl_mmu,
++    [MO_UQ] = helper_be_stq_mmu,
++#else
++    [MO_UW] = helper_le_stw_mmu,
++    [MO_UL] = helper_le_stl_mmu,
++    [MO_UQ] = helper_le_stq_mmu,
++#endif
+ };
+ /* We have four temps, we might as well expose three of them. */
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+     tcg_out_ld_helper_args(s, l, &ldst_helper_param);
+-    tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SSIZE)], false);
++    tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SSIZE], false);
+     /* delay slot */
+     tcg_out_nop(s);
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
+     tcg_out_st_helper_args(s, l, &ldst_helper_param);
+-    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], false);
++    tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
+     /* delay slot */
+     tcg_out_nop(s);
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
+                                    TCGReg base, MemOp opc, TCGType type)
+ {
+-    switch (opc & (MO_SSIZE | MO_BSWAP)) {
++    switch (opc & MO_SSIZE) {
+     case MO_UB:
+         tcg_out_opc_imm(s, OPC_LBU, lo, base, 0);
+         break;
+     case MO_SB:
+         tcg_out_opc_imm(s, OPC_LB, lo, base, 0);
+         break;
+-    case MO_UW | MO_BSWAP:
+-        tcg_out_opc_imm(s, OPC_LHU, TCG_TMP1, base, 0);
+-        tcg_out_bswap16(s, lo, TCG_TMP1, TCG_BSWAP_IZ | TCG_BSWAP_OZ);
+-        break;
+     case MO_UW:
+         tcg_out_opc_imm(s, OPC_LHU, lo, base, 0);
+         break;
+-    case MO_SW | MO_BSWAP:
+-        tcg_out_opc_imm(s, OPC_LHU, TCG_TMP1, base, 0);
+-        tcg_out_bswap16(s, lo, TCG_TMP1, TCG_BSWAP_IZ | TCG_BSWAP_OS);
+-        break;
+     case MO_SW:
+         tcg_out_opc_imm(s, OPC_LH, lo, base, 0);
+         break;
+-    case MO_UL | MO_BSWAP:
+-        if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64) {
+-            if (use_mips32r2_instructions) {
+-                tcg_out_opc_imm(s, OPC_LWU, lo, base, 0);
+-                tcg_out_bswap32(s, lo, lo, TCG_BSWAP_IZ | TCG_BSWAP_OZ);
+-            } else {
+-                tcg_out_bswap_subr(s, bswap32u_addr);
+-                /* delay slot */
+-                tcg_out_opc_imm(s, OPC_LWU, TCG_TMP0, base, 0);
+-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
+-            }
+-            break;
+-        }
+-        /* FALLTHRU */
+-    case MO_SL | MO_BSWAP:
+-        if (use_mips32r2_instructions) {
+-            tcg_out_opc_imm(s, OPC_LW, lo, base, 0);
+-            tcg_out_bswap32(s, lo, lo, 0);
+-        } else {
+-            tcg_out_bswap_subr(s, bswap32_addr);
+-            /* delay slot */
+-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
+-            tcg_out_mov(s, TCG_TYPE_I32, lo, TCG_TMP3);
+-        }
+-        break;
+     case MO_UL:
+         if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64) {
+             tcg_out_opc_imm(s, OPC_LWU, lo, base, 0);
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
+     case MO_SL:
+         tcg_out_opc_imm(s, OPC_LW, lo, base, 0);
+         break;
+-    case MO_UQ | MO_BSWAP:
+-        if (TCG_TARGET_REG_BITS == 64) {
+-            if (use_mips32r2_instructions) {
+-                tcg_out_opc_imm(s, OPC_LD, lo, base, 0);
+-                tcg_out_bswap64(s, lo, lo);
+-            } else {
+-                tcg_out_bswap_subr(s, bswap64_addr);
+-                /* delay slot */
+-                tcg_out_opc_imm(s, OPC_LD, TCG_TMP0, base, 0);
+-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
+-            }
+-        } else if (use_mips32r2_instructions) {
+-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
+-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP1, base, 4);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, TCG_TMP0);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, TCG_TMP1);
+-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? lo : hi, TCG_TMP0, 16);
+-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? hi : lo, TCG_TMP1, 16);
+-        } else {
+-            tcg_out_bswap_subr(s, bswap32_addr);
+-            /* delay slot */
+-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
+-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 4);
+-            tcg_out_bswap_subr(s, bswap32_addr);
+-            /* delay slot */
+-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? lo : hi, TCG_TMP3);
+-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? hi : lo, TCG_TMP3);
+-        }
+-        break;
+     case MO_UQ:
+         /* Prefer to load from offset 0 first, but allow for overlap.  */
+         if (TCG_TARGET_REG_BITS == 64) {
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
+     const MIPSInsn lw2 = MIPS_BE ? OPC_LWR : OPC_LWL;
+     const MIPSInsn ld1 = MIPS_BE ? OPC_LDL : OPC_LDR;
+     const MIPSInsn ld2 = MIPS_BE ? OPC_LDR : OPC_LDL;
++    bool sgn = opc & MO_SIGN;
+-    bool sgn = (opc & MO_SIGN);
+-
+-    switch (opc & (MO_SSIZE | MO_BSWAP)) {
+-    case MO_SW | MO_BE:
+-    case MO_UW | MO_BE:
+-        tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 0);
+-        tcg_out_opc_imm(s, OPC_LBU, lo, base, 1);
+-        if (use_mips32r2_instructions) {
+-            tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
+-        } else {
+-            tcg_out_opc_sa(s, OPC_SLL, TCG_TMP0, TCG_TMP0, 8);
+-            tcg_out_opc_reg(s, OPC_OR, lo, TCG_TMP0, TCG_TMP1);
+-        }
+-        break;
+-
+-    case MO_SW | MO_LE:
+-    case MO_UW | MO_LE:
+-        if (use_mips32r2_instructions && lo != base) {
++    switch (opc & MO_SIZE) {
++    case MO_16:
++        if (HOST_BIG_ENDIAN) {
++            tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 0);
++            tcg_out_opc_imm(s, OPC_LBU, lo, base, 1);
++            if (use_mips32r2_instructions) {
++                tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
++            } else {
++                tcg_out_opc_sa(s, OPC_SLL, TCG_TMP0, TCG_TMP0, 8);
++                tcg_out_opc_reg(s, OPC_OR, lo, lo, TCG_TMP0);
++            }
++        } else if (use_mips32r2_instructions && lo != base) {
+             tcg_out_opc_imm(s, OPC_LBU, lo, base, 0);
+             tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 1);
+             tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
+         }
+         break;
+-    case MO_SL:
+-    case MO_UL:
++    case MO_32:
+         tcg_out_opc_imm(s, lw1, lo, base, 0);
+         tcg_out_opc_imm(s, lw2, lo, base, 3);
+         if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64 && !sgn) {
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
+         }
+         break;
+-    case MO_UL | MO_BSWAP:
+-    case MO_SL | MO_BSWAP:
+-        if (use_mips32r2_instructions) {
+-            tcg_out_opc_imm(s, lw1, lo, base, 0);
+-            tcg_out_opc_imm(s, lw2, lo, base, 3);
+-            tcg_out_bswap32(s, lo, lo,
+-                            TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64
+-                            ? (sgn ? TCG_BSWAP_OS : TCG_BSWAP_OZ) : 0);
+-        } else {
+-            const tcg_insn_unit *subr =
+-                (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64 && !sgn
+-                 ? bswap32u_addr : bswap32_addr);
+-
+-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0);
+-            tcg_out_bswap_subr(s, subr);
+-            /* delay slot */
+-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 3);
+-            tcg_out_mov(s, type, lo, TCG_TMP3);
+-        }
+-        break;
+-
+-    case MO_UQ:
++    case MO_64:
+         if (TCG_TARGET_REG_BITS == 64) {
+             tcg_out_opc_imm(s, ld1, lo, base, 0);
+             tcg_out_opc_imm(s, ld2, lo, base, 7);
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
+         }
+         break;
+-    case MO_UQ | MO_BSWAP:
+-        if (TCG_TARGET_REG_BITS == 64) {
+-            if (use_mips32r2_instructions) {
+-                tcg_out_opc_imm(s, ld1, lo, base, 0);
+-                tcg_out_opc_imm(s, ld2, lo, base, 7);
+-                tcg_out_bswap64(s, lo, lo);
+-            } else {
+-                tcg_out_opc_imm(s, ld1, TCG_TMP0, base, 0);
+-                tcg_out_bswap_subr(s, bswap64_addr);
+-                /* delay slot */
+-                tcg_out_opc_imm(s, ld2, TCG_TMP0, base, 7);
+-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
+-            }
+-        } else if (use_mips32r2_instructions) {
+-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0 + 0);
+-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 0 + 3);
+-            tcg_out_opc_imm(s, lw1, TCG_TMP1, base, 4 + 0);
+-            tcg_out_opc_imm(s, lw2, TCG_TMP1, base, 4 + 3);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, TCG_TMP0);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, TCG_TMP1);
+-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? lo : hi, TCG_TMP0, 16);
+-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? hi : lo, TCG_TMP1, 16);
+-        } else {
+-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0 + 0);
+-            tcg_out_bswap_subr(s, bswap32_addr);
+-            /* delay slot */
+-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 0 + 3);
+-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 4 + 0);
+-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? lo : hi, TCG_TMP3);
+-            tcg_out_bswap_subr(s, bswap32_addr);
+-            /* delay slot */
+-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 4 + 3);
+-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? hi : lo, TCG_TMP3);
+-        }
+-        break;
+-
+     default:
+         g_assert_not_reached();
+     }
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
+ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
+                                    TCGReg base, MemOp opc)
+ {
+-    /* Don't clutter the code below with checks to avoid bswapping ZERO.  */
+-    if ((lo | hi) == 0) {
+-        opc &= ~MO_BSWAP;
+-    }
+-
+-    switch (opc & (MO_SIZE | MO_BSWAP)) {
++    switch (opc & MO_SIZE) {
+     case MO_8:
+         tcg_out_opc_imm(s, OPC_SB, lo, base, 0);
+         break;
+-
+-    case MO_16 | MO_BSWAP:
+-        tcg_out_bswap16(s, TCG_TMP1, lo, 0);
+-        lo = TCG_TMP1;
+-        /* FALLTHRU */
+     case MO_16:
+         tcg_out_opc_imm(s, OPC_SH, lo, base, 0);
+         break;
+-
+-    case MO_32 | MO_BSWAP:
+-        tcg_out_bswap32(s, TCG_TMP3, lo, 0);
+-        lo = TCG_TMP3;
+-        /* FALLTHRU */
+     case MO_32:
+         tcg_out_opc_imm(s, OPC_SW, lo, base, 0);
+         break;
+-
+-    case MO_64 | MO_BSWAP:
+-        if (TCG_TARGET_REG_BITS == 64) {
+-            tcg_out_bswap64(s, TCG_TMP3, lo);
+-            tcg_out_opc_imm(s, OPC_SD, TCG_TMP3, base, 0);
+-        } else if (use_mips32r2_instructions) {
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, MIPS_BE ? lo : hi);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, MIPS_BE ? hi : lo);
+-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP0, TCG_TMP0, 16);
+-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP1, TCG_TMP1, 16);
+-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP0, base, 0);
+-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP1, base, 4);
+-        } else {
+-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? lo : hi, 0);
+-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP3, base, 0);
+-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? hi : lo, 0);
+-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP3, base, 4);
+-        }
+-        break;
+     case MO_64:
+         if (TCG_TARGET_REG_BITS == 64) {
+             tcg_out_opc_imm(s, OPC_SD, lo, base, 0);
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
+             tcg_out_opc_imm(s, OPC_SW, MIPS_BE ? lo : hi, base, 4);
+         }
+         break;
+-
+     default:
+         g_assert_not_reached();
+     }
+@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
+     const MIPSInsn sd1 = MIPS_BE ? OPC_SDL : OPC_SDR;
+     const MIPSInsn sd2 = MIPS_BE ? OPC_SDR : OPC_SDL;
+-    /* Don't clutter the code below with checks to avoid bswapping ZERO.  */
+-    if ((lo | hi) == 0) {
+-        opc &= ~MO_BSWAP;
+-    }
+-
+-    switch (opc & (MO_SIZE | MO_BSWAP)) {
+-    case MO_16 | MO_BE:
++    switch (opc & MO_SIZE) {
++    case MO_16:
+         tcg_out_opc_sa(s, OPC_SRL, TCG_TMP0, lo, 8);
+-        tcg_out_opc_imm(s, OPC_SB, TCG_TMP0, base, 0);
+-        tcg_out_opc_imm(s, OPC_SB, lo, base, 1);
++        tcg_out_opc_imm(s, OPC_SB, HOST_BIG_ENDIAN ? TCG_TMP0 : lo, base, 0);
++        tcg_out_opc_imm(s, OPC_SB, HOST_BIG_ENDIAN ? lo : TCG_TMP0, base, 1);
+         break;
+-    case MO_16 | MO_LE:
+-        tcg_out_opc_sa(s, OPC_SRL, TCG_TMP0, lo, 8);
+-        tcg_out_opc_imm(s, OPC_SB, lo, base, 0);
+-        tcg_out_opc_imm(s, OPC_SB, TCG_TMP0, base, 1);
+-        break;
+-
+-    case MO_32 | MO_BSWAP:
+-        tcg_out_bswap32(s, TCG_TMP3, lo, 0);
+-        lo = TCG_TMP3;
+-        /* fall through */
+     case MO_32:
+         tcg_out_opc_imm(s, sw1, lo, base, 0);
+         tcg_out_opc_imm(s, sw2, lo, base, 3);
+         break;
+-    case MO_64 | MO_BSWAP:
+-        if (TCG_TARGET_REG_BITS == 64) {
+-            tcg_out_bswap64(s, TCG_TMP3, lo);
+-            lo = TCG_TMP3;
+-        } else if (use_mips32r2_instructions) {
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, MIPS_BE ? hi : lo);
+-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, MIPS_BE ? lo : hi);
+-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP0, TCG_TMP0, 16);
+-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP1, TCG_TMP1, 16);
+-            hi = MIPS_BE ? TCG_TMP0 : TCG_TMP1;
+-            lo = MIPS_BE ? TCG_TMP1 : TCG_TMP0;
+-        } else {
+-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? lo : hi, 0);
+-            tcg_out_opc_imm(s, sw1, TCG_TMP3, base, 0 + 0);
+-            tcg_out_opc_imm(s, sw2, TCG_TMP3, base, 0 + 3);
+-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? hi : lo, 0);
+-            tcg_out_opc_imm(s, sw1, TCG_TMP3, base, 4 + 0);
+-            tcg_out_opc_imm(s, sw2, TCG_TMP3, base, 4 + 3);
+-            break;
+-        }
+-        /* fall through */
+     case MO_64:
+         if (TCG_TARGET_REG_BITS == 64) {
+             tcg_out_opc_imm(s, sd1, lo, base, 0);
+--
+.34.1

-New patch
+[PULL 32/53] tcg/mips: Reorg tlb load within prepare_host_addr
+Compare the address vs the tlb entry with sign-extended values.
+This simplifies the page+alignment mask constant, and the
+generation of the last byte address for the misaligned test.
+Move the tlb addend load up, and the zero-extension down.
+This frees up a register, which allows us use TMP3 as the returned base
+address register instead of A0, which we were using as a 5th temporary.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/mips/tcg-target.c.inc | 38 ++++++++++++++++++--------------------
+file changed, 18 insertions(+), 20 deletions(-)
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target.c.inc
++++ b/tcg/mips/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ typedef enum {
+     ALIAS_PADDI    = sizeof(void *) == 4 ? OPC_ADDIU : OPC_DADDIU,
+     ALIAS_TSRL     = TARGET_LONG_BITS == 32 || TCG_TARGET_REG_BITS == 32
+                      ? OPC_SRL : OPC_DSRL,
++    ALIAS_TADDI    = TARGET_LONG_BITS == 32 || TCG_TARGET_REG_BITS == 32
++                     ? OPC_ADDIU : OPC_DADDIU,
+ } MIPSInsn;
+ /*
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+     int add_off = offsetof(CPUTLBEntry, addend);
+     int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                         : offsetof(CPUTLBEntry, addr_write);
+-    target_ulong tlb_mask;
+     ldst = new_ldst_label(s);
+     ldst->is_ld = is_ld;
+     ldst->oi = oi;
+     ldst->addrlo_reg = addrlo;
+     ldst->addrhi_reg = addrhi;
+-    base = TCG_REG_A0;
+     /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
+     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+     if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+         tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
+     } else {
+-        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
+-                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
+-                     TCG_TMP0, TCG_TMP3, cmp_off);
++        tcg_out_ld(s, TCG_TYPE_TL, TCG_TMP0, TCG_TMP3, cmp_off);
+     }
+-    /* Zero extend a 32-bit guest address for a 64-bit host. */
+-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+-        tcg_out_ext32u(s, base, addrlo);
+-        addrlo = base;
++    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
++        /* Load the tlb addend for the fast path.  */
++        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP3, TCG_TMP3, add_off);
+     }
+     /*
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+      * For unaligned accesses, compare against the end of the access to
+      * verify that it does not cross a page boundary.
+      */
+-    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
+-    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
+-    if (a_mask >= s_mask) {
+-        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
+-    } else {
+-        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrlo, s_mask - a_mask);
++    tcg_out_movi(s, TCG_TYPE_TL, TCG_TMP1, TARGET_PAGE_MASK | a_mask);
++    if (a_mask < s_mask) {
++        tcg_out_opc_imm(s, ALIAS_TADDI, TCG_TMP2, addrlo, s_mask - a_mask);
+         tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
++    } else {
++        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
+     }
+-    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
+-        /* Load the tlb addend for the fast path.  */
+-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
++    /* Zero extend a 32-bit guest address for a 64-bit host. */
++    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
++        tcg_out_ext32u(s, TCG_TMP2, addrlo);
++        addrlo = TCG_TMP2;
+     }
+     ldst->label_ptr[0] = s->code_ptr;
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+         tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
+         /* Load the tlb addend for the fast path.  */
+-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
++        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP3, TCG_TMP3, add_off);
+         ldst->label_ptr[1] = s->code_ptr;
+         tcg_out_opc_br(s, OPC_BNE, addrhi, TCG_TMP0);
+     }
+     /* delay slot */
+-    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrlo);
++    base = TCG_TMP3;
++    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP3, addrlo);
+ #else
+     if (a_mask && (use_mips32r6_instructions || a_bits != s_bits)) {
+         ldst = new_ldst_label(s);
+--
+.34.1

-New patch
+[PULL 33/53] tcg/mips: Simplify constraints on qemu_ld/st
+The softmmu tlb uses TCG_REG_TMP[0-3], not any of the normally available
+registers.  Now that we handle overlap betwen inputs and helper arguments,
+and have eliminated use of A0, we can allow any allocatable reg.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/mips/tcg-target-con-set.h | 13 +++++--------
+ tcg/mips/tcg-target-con-str.h |  2 --
+ tcg/mips/tcg-target.c.inc     | 30 ++++++++----------------------
+files changed, 13 insertions(+), 32 deletions(-)
+diff --git a/tcg/mips/tcg-target-con-set.h b/tcg/mips/tcg-target-con-set.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target-con-set.h
++++ b/tcg/mips/tcg-target-con-set.h
+@@ -XXX,XX +XXX,XX @@
+ C_O0_I1(r)
+ C_O0_I2(rZ, r)
+ C_O0_I2(rZ, rZ)
+-C_O0_I2(SZ, S)
+-C_O0_I3(SZ, S, S)
+-C_O0_I3(SZ, SZ, S)
++C_O0_I3(rZ, r, r)
++C_O0_I3(rZ, rZ, r)
+ C_O0_I4(rZ, rZ, rZ, rZ)
+-C_O0_I4(SZ, SZ, S, S)
+-C_O1_I1(r, L)
++C_O0_I4(rZ, rZ, r, r)
+ C_O1_I1(r, r)
+ C_O1_I2(r, 0, rZ)
+-C_O1_I2(r, L, L)
++C_O1_I2(r, r, r)
+ C_O1_I2(r, r, ri)
+ C_O1_I2(r, r, rI)
+ C_O1_I2(r, r, rIK)
+@@ -XXX,XX +XXX,XX @@ C_O1_I2(r, rZ, rN)
+ C_O1_I2(r, rZ, rZ)
+ C_O1_I4(r, rZ, rZ, rZ, 0)
+ C_O1_I4(r, rZ, rZ, rZ, rZ)
+-C_O2_I1(r, r, L)
+-C_O2_I2(r, r, L, L)
++C_O2_I1(r, r, r)
+ C_O2_I2(r, r, r, r)
+ C_O2_I4(r, r, rZ, rZ, rN, rN)
+diff --git a/tcg/mips/tcg-target-con-str.h b/tcg/mips/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target-con-str.h
++++ b/tcg/mips/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@
+  * REGS(letter, register_mask)
+  */
+ REGS('r', ALL_GENERAL_REGS)
+-REGS('L', ALL_QLOAD_REGS)
+-REGS('S', ALL_QSTORE_REGS)
+ /*
+  * Define constraint letters for constants:
+diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/mips/tcg-target.c.inc
++++ b/tcg/mips/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static bool patch_reloc(tcg_insn_unit *code_ptr, int type,
+ #define TCG_CT_CONST_WSZ  0x2000   /* word size */
+ #define ALL_GENERAL_REGS  0xffffffffu
+-#define NOA0_REGS         (ALL_GENERAL_REGS & ~(1 << TCG_REG_A0))
+-
+-#ifdef CONFIG_SOFTMMU
+-#define ALL_QLOAD_REGS \
+-    (NOA0_REGS & ~((TCG_TARGET_REG_BITS < TARGET_LONG_BITS) << TCG_REG_A2))
+-#define ALL_QSTORE_REGS \
+-    (NOA0_REGS & ~(TCG_TARGET_REG_BITS < TARGET_LONG_BITS   \
+-                   ? (1 << TCG_REG_A2) | (1 << TCG_REG_A3)  \
+-                   : (1 << TCG_REG_A1)))
+-#else
+-#define ALL_QLOAD_REGS   NOA0_REGS
+-#define ALL_QSTORE_REGS  NOA0_REGS
+-#endif
+-
+ static bool is_p2m1(tcg_target_long val)
+ {
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+     case INDEX_op_qemu_ld_i32:
+         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
+-                ? C_O1_I1(r, L) : C_O1_I2(r, L, L));
++                ? C_O1_I1(r, r) : C_O1_I2(r, r, r));
+     case INDEX_op_qemu_st_i32:
+         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
+-                ? C_O0_I2(SZ, S) : C_O0_I3(SZ, S, S));
++                ? C_O0_I2(rZ, r) : C_O0_I3(rZ, r, r));
+     case INDEX_op_qemu_ld_i64:
+-        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, L)
+-                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, L)
+-                : C_O2_I2(r, r, L, L));
++        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, r)
++                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, r)
++                : C_O2_I2(r, r, r, r));
+     case INDEX_op_qemu_st_i64:
+-        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(SZ, S)
+-                : TARGET_LONG_BITS == 32 ? C_O0_I3(SZ, SZ, S)
+-                : C_O0_I4(SZ, SZ, S, S));
++        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(rZ, r)
++                : TARGET_LONG_BITS == 32 ? C_O0_I3(rZ, rZ, r)
++                : C_O0_I4(rZ, rZ, r, r));
+     default:
+         g_assert_not_reached();
+--
+.34.1

-[PULL 3/4] target/avr: Only execute one interrupt at a time
+[PULL 34/53] tcg/ppc: Reorg tcg_out_tlb_read
-We cannot deliver two interrupts simultaneously;
+Allocate TCG_REG_TMP2.  Use R0, TMP1, TMP2 instead of any of
-the first interrupt handler must execute first.
+the normally allocated registers for the tlb load.
-Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
+Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/avr/helper.c | 9 +++------
+ tcg/ppc/tcg-target.c.inc | 78 ++++++++++++++++++++++++----------------
-file changed, 3 insertions(+), 6 deletions(-)
+file changed, 47 insertions(+), 31 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
+diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
+--- a/tcg/ppc/tcg-target.c.inc
-+++ b/target/avr/helper.c
++++ b/tcg/ppc/tcg-target.c.inc
 @@ -XXX,XX +XXX,XX @@
+ #else
- bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+ # define TCG_REG_TMP1   TCG_REG_R12
- {
+ #endif
--    bool ret = false;
++#define TCG_REG_TMP2    TCG_REG_R11
-     AVRCPU *cpu = AVR_CPU(cs);
-     CPUAVRState *env = &cpu->env;
+ #define TCG_VEC_TMP1    TCG_REG_V0
+ #define TCG_VEC_TMP2    TCG_REG_V1
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+@@ -XXX,XX +XXX,XX @@ static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
-             avr_cpu_do_interrupt(cs);
+ /*
+  * For the purposes of ppc32 sorting 4 input registers into 4 argument
-             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
+  * registers, there is an outside chance we would require 3 temps.
--
+- * Because of constraints, no inputs are in r3, and env will not be
--            ret = true;
+- * placed into r3 until after the sorting is done, and is thus free.
-+            return true;
+  */
  static const TCGLdstHelperParam ldst_helper_param = {
      .ra_gen = ldst_ra_gen,
      .ntmp = 3,
 -    .tmp = { TCG_REG_TMP1, TCG_REG_R0, TCG_REG_R3 }
 +    .tmp = { TCG_REG_TMP1, TCG_REG_TMP2, TCG_REG_R0 }
  };
  static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
      QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
      QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, mask_off);
 +    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_AREG0, table_off);
      /* Extract the page index, shifted into place for tlb index.  */
      if (TCG_TARGET_REG_BITS == 32) {
 -        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
 +        tcg_out_shri32(s, TCG_REG_R0, addrlo,
                         TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
      } else {
 -        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
 +        tcg_out_shri64(s, TCG_REG_R0, addrlo,
                         TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
      }
 -    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
 +    tcg_out32(s, AND | SAB(TCG_REG_TMP1, TCG_REG_TMP1, TCG_REG_R0));
 -    /* Load the TLB comparator.  */
 +    /* Load the (low part) TLB comparator into TMP2.  */
      if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
          uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
                          ? LWZUX : LDUX);
 -        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
 +        tcg_out32(s, lxu | TAB(TCG_REG_TMP2, TCG_REG_TMP1, TCG_REG_TMP2));
      } else {
 -        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
 +        tcg_out32(s, ADD | TAB(TCG_REG_TMP1, TCG_REG_TMP1, TCG_REG_TMP2));
          if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
 -            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
 +            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP2,
 +                       TCG_REG_TMP1, cmp_off + 4 * HOST_BIG_ENDIAN);
          } else {
 -            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
 +            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP2, TCG_REG_TMP1, cmp_off);
          }
      }
-     if (interrupt_request & CPU_INTERRUPT_HARD) {
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
-             if (!env->intsrc) {
+      * Load the TLB addend for use on the fast path.
-                 cs->interrupt_request &= ~CPU_INTERRUPT_HARD;
+      * Do this asap to minimize any load use delay.
-             }
+      */
--
+-    h->base = TCG_REG_R3;
--            ret = true;
+-    tcg_out_ld(s, TCG_TYPE_PTR, h->base, TCG_REG_R3,
-+            return true;
+-               offsetof(CPUTLBEntry, addend));
 +    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_REG_TMP1,
 +                   offsetof(CPUTLBEntry, addend));
 +    }
 -    /* Clear the non-page, non-alignment bits from the address */
 +    /* Clear the non-page, non-alignment bits from the address in R0. */
      if (TCG_TARGET_REG_BITS == 32) {
          /*
           * We don't support unaligned accesses on 32-bits.
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
          if (TARGET_LONG_BITS == 32) {
              tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
                          (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
 -            /* Zero-extend the address for use in the final address.  */
 -            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
 -            addrlo = TCG_REG_R4;
          } else if (a_bits == 0) {
              tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
          } else {
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
              tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
          }
      }
--    return ret;
+-    h->index = addrlo;
-+    return false;
      if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
 -        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 +        /* Low part comparison into cr7. */
 +        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP2,
 , 7, TCG_TYPE_I32);
 -        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
 +
 +        /* Load the high part TLB comparator into TMP2.  */
 +        tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP2, TCG_REG_TMP1,
 +                   cmp_off + 4 * !HOST_BIG_ENDIAN);
 +
 +        /* Load addend, deferred for this case. */
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_REG_TMP1,
 +                   offsetof(CPUTLBEntry, addend));
 +
 +        /* High part comparison into cr6. */
 +        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_TMP2, 0, 6, TCG_TYPE_I32);
 +
 +        /* Combine comparisons into cr7. */
          tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
      } else {
 -        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
 +        /* Full comparison into cr7. */
 +        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP2,
 , 7, TCG_TYPE_TL);
      }
      /* Load a pointer into the current opcode w/conditional branch-link. */
      ldst->label_ptr[0] = s->code_ptr;
      tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
 +
 +    h->base = TCG_REG_TMP1;
  #else
      if (a_bits) {
          ldst = new_ldst_label(s);
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      }
      h->base = guest_base ? TCG_GUEST_BASE_REG : 0;
 -    h->index = addrlo;
 -    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 -        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
 -        h->index = TCG_REG_TMP1;
 -    }
  #endif
 +    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
 +        /* Zero-extend the guest address for use in the host address. */
 +        tcg_out_ext32u(s, TCG_REG_R0, addrlo);
 +        h->index = TCG_REG_R0;
 +    } else {
 +        h->index = addrlo;
 +    }
 +
      return ldst;
  }
- void avr_cpu_do_interrupt(CPUState *cs)
+@@ -XXX,XX +XXX,XX @@ static void tcg_target_init(TCGContext *s)
  #if defined(_CALL_SYSV) || TCG_TARGET_REG_BITS == 64
      tcg_regset_set_reg(s->reserved_regs, TCG_REG_R13); /* thread pointer */
  #endif
 -    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP1); /* mem temp */
 +    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP1);
 +    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP2);
      tcg_regset_set_reg(s->reserved_regs, TCG_VEC_TMP1);
      tcg_regset_set_reg(s->reserved_regs, TCG_VEC_TMP2);
      if (USE_REG_TB) {
 --
 .34.1

-New patch
+[PULL 35/53] tcg/ppc: Adjust constraints on qemu_ld/st
+The softmmu tlb uses TCG_REG_{TMP1,TMP2,R0}, not any of the normally
+available registers.  Now that we handle overlap betwen inputs and
+helper arguments, we can allow any allocatable reg.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/ppc/tcg-target-con-set.h | 11 ++++-------
+ tcg/ppc/tcg-target-con-str.h |  2 --
+ tcg/ppc/tcg-target.c.inc     | 32 ++++++++++----------------------
+files changed, 14 insertions(+), 31 deletions(-)
+diff --git a/tcg/ppc/tcg-target-con-set.h b/tcg/ppc/tcg-target-con-set.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target-con-set.h
++++ b/tcg/ppc/tcg-target-con-set.h
+@@ -XXX,XX +XXX,XX @@
+ C_O0_I1(r)
+ C_O0_I2(r, r)
+ C_O0_I2(r, ri)
+-C_O0_I2(S, S)
+ C_O0_I2(v, r)
+-C_O0_I3(S, S, S)
++C_O0_I3(r, r, r)
+ C_O0_I4(r, r, ri, ri)
+-C_O0_I4(S, S, S, S)
+-C_O1_I1(r, L)
++C_O0_I4(r, r, r, r)
+ C_O1_I1(r, r)
+ C_O1_I1(v, r)
+ C_O1_I1(v, v)
+ C_O1_I1(v, vr)
+ C_O1_I2(r, 0, rZ)
+-C_O1_I2(r, L, L)
+ C_O1_I2(r, rI, ri)
+ C_O1_I2(r, rI, rT)
+ C_O1_I2(r, r, r)
+@@ -XXX,XX +XXX,XX @@ C_O1_I2(v, v, v)
+ C_O1_I3(v, v, v, v)
+ C_O1_I4(r, r, ri, rZ, rZ)
+ C_O1_I4(r, r, r, ri, ri)
+-C_O2_I1(L, L, L)
+-C_O2_I2(L, L, L, L)
++C_O2_I1(r, r, r)
++C_O2_I2(r, r, r, r)
+ C_O2_I4(r, r, rI, rZM, r, r)
+ C_O2_I4(r, r, r, r, rI, rZM)
+diff --git a/tcg/ppc/tcg-target-con-str.h b/tcg/ppc/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target-con-str.h
++++ b/tcg/ppc/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@ REGS('A', 1u << TCG_REG_R3)
+ REGS('B', 1u << TCG_REG_R4)
+ REGS('C', 1u << TCG_REG_R5)
+ REGS('D', 1u << TCG_REG_R6)
+-REGS('L', ALL_QLOAD_REGS)
+-REGS('S', ALL_QSTORE_REGS)
+ /*
+  * Define constraint letters for constants:
+diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target.c.inc
++++ b/tcg/ppc/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@
+ #define ALL_GENERAL_REGS  0xffffffffu
+ #define ALL_VECTOR_REGS   0xffffffff00000000ull
+-#ifdef CONFIG_SOFTMMU
+-#define ALL_QLOAD_REGS \
+-    (ALL_GENERAL_REGS & \
+-     ~((1 << TCG_REG_R3) | (1 << TCG_REG_R4) | (1 << TCG_REG_R5)))
+-#define ALL_QSTORE_REGS \
+-    (ALL_GENERAL_REGS & ~((1 << TCG_REG_R3) | (1 << TCG_REG_R4) | \
+-                          (1 << TCG_REG_R5) | (1 << TCG_REG_R6)))
+-#else
+-#define ALL_QLOAD_REGS  (ALL_GENERAL_REGS & ~(1 << TCG_REG_R3))
+-#define ALL_QSTORE_REGS ALL_QLOAD_REGS
+-#endif
+-
+ TCGPowerISA have_isa;
+ static bool have_isel;
+ bool have_altivec;
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+     case INDEX_op_qemu_ld_i32:
+         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
+-                ? C_O1_I1(r, L)
+-                : C_O1_I2(r, L, L));
++                ? C_O1_I1(r, r)
++                : C_O1_I2(r, r, r));
+     case INDEX_op_qemu_st_i32:
+         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
+-                ? C_O0_I2(S, S)
+-                : C_O0_I3(S, S, S));
++                ? C_O0_I2(r, r)
++                : C_O0_I3(r, r, r));
+     case INDEX_op_qemu_ld_i64:
+-        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, L)
+-                : TARGET_LONG_BITS == 32 ? C_O2_I1(L, L, L)
+-                : C_O2_I2(L, L, L, L));
++        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, r)
++                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, r)
++                : C_O2_I2(r, r, r, r));
+     case INDEX_op_qemu_st_i64:
+-        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(S, S)
+-                : TARGET_LONG_BITS == 32 ? C_O0_I3(S, S, S)
+-                : C_O0_I4(S, S, S, S));
++        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(r, r)
++                : TARGET_LONG_BITS == 32 ? C_O0_I3(r, r, r)
++                : C_O0_I4(r, r, r, r));
+     case INDEX_op_add_vec:
+     case INDEX_op_sub_vec:
+--
+.34.1

-New patch
+[PULL 36/53] tcg/ppc: Remove unused constraints A, B, C, D
+These constraints have not been used for quite some time.
+Fixes: 77b73de67632 ("Use rem/div[u]_i32 drop div[u]2_i32")
+Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/ppc/tcg-target-con-str.h | 4 ----
+file changed, 4 deletions(-)
+diff --git a/tcg/ppc/tcg-target-con-str.h b/tcg/ppc/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target-con-str.h
++++ b/tcg/ppc/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@
+  */
+ REGS('r', ALL_GENERAL_REGS)
+ REGS('v', ALL_VECTOR_REGS)
+-REGS('A', 1u << TCG_REG_R3)
+-REGS('B', 1u << TCG_REG_R4)
+-REGS('C', 1u << TCG_REG_R5)
+-REGS('D', 1u << TCG_REG_R6)
+ /*
+  * Define constraint letters for constants:
+--
+.34.1

-New patch
+[PULL 37/53] tcg/ppc: Remove unused constraint J
+Never used since its introduction.
+Fixes: 3d582c6179c ("tcg-ppc64: Rearrange integer constant constraints")
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/ppc/tcg-target-con-str.h | 1 -
+ tcg/ppc/tcg-target.c.inc     | 3 ---
+files changed, 4 deletions(-)
+diff --git a/tcg/ppc/tcg-target-con-str.h b/tcg/ppc/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target-con-str.h
++++ b/tcg/ppc/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@ REGS('v', ALL_VECTOR_REGS)
+  * CONST(letter, TCG_CT_CONST_* bit set)
+  */
+ CONST('I', TCG_CT_CONST_S16)
+-CONST('J', TCG_CT_CONST_U16)
+ CONST('M', TCG_CT_CONST_MONE)
+ CONST('T', TCG_CT_CONST_S32)
+ CONST('U', TCG_CT_CONST_U32)
+diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/ppc/tcg-target.c.inc
++++ b/tcg/ppc/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@
+ #define SZR  (TCG_TARGET_REG_BITS / 8)
+ #define TCG_CT_CONST_S16  0x100
+-#define TCG_CT_CONST_U16  0x200
+ #define TCG_CT_CONST_S32  0x400
+ #define TCG_CT_CONST_U32  0x800
+ #define TCG_CT_CONST_ZERO 0x1000
+@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct)
+     if ((ct & TCG_CT_CONST_S16) && val == (int16_t)val) {
+         return 1;
+-    } else if ((ct & TCG_CT_CONST_U16) && val == (uint16_t)val) {
+-        return 1;
+     } else if ((ct & TCG_CT_CONST_S32) && val == (int32_t)val) {
+         return 1;
+     } else if ((ct & TCG_CT_CONST_U32) && val == (uint32_t)val) {
+--
+.34.1

-New patch
+[PULL 38/53] tcg/riscv: Simplify constraints on qemu_ld/st
+The softmmu tlb uses TCG_REG_TMP[0-2], not any of the normally available
+registers.  Now that we handle overlap betwen inputs and helper arguments,
+we can allow any allocatable reg.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/riscv/tcg-target-con-set.h |  2 --
+ tcg/riscv/tcg-target-con-str.h |  1 -
+ tcg/riscv/tcg-target.c.inc     | 16 +++-------------
+files changed, 3 insertions(+), 16 deletions(-)
+diff --git a/tcg/riscv/tcg-target-con-set.h b/tcg/riscv/tcg-target-con-set.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/riscv/tcg-target-con-set.h
++++ b/tcg/riscv/tcg-target-con-set.h
+@@ -XXX,XX +XXX,XX @@
+  * tcg-target-con-str.h; the constraint combination is inclusive or.
+  */
+ C_O0_I1(r)
+-C_O0_I2(LZ, L)
+ C_O0_I2(rZ, r)
+ C_O0_I2(rZ, rZ)
+-C_O1_I1(r, L)
+ C_O1_I1(r, r)
+ C_O1_I2(r, r, ri)
+ C_O1_I2(r, r, rI)
+diff --git a/tcg/riscv/tcg-target-con-str.h b/tcg/riscv/tcg-target-con-str.h
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/riscv/tcg-target-con-str.h
++++ b/tcg/riscv/tcg-target-con-str.h
+@@ -XXX,XX +XXX,XX @@
+  * REGS(letter, register_mask)
+  */
+ REGS('r', ALL_GENERAL_REGS)
+-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
+ /*
+  * Define constraint letters for constants:
+diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/riscv/tcg-target.c.inc
++++ b/tcg/riscv/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
+ #define TCG_CT_CONST_N12   0x400
+ #define TCG_CT_CONST_M12   0x800
+-#define ALL_GENERAL_REGS      MAKE_64BIT_MASK(0, 32)
+-/*
+- * For softmmu, we need to avoid conflicts with the first 5
+- * argument registers to call the helper.  Some of these are
+- * also used for the tlb lookup.
+- */
+-#ifdef CONFIG_SOFTMMU
+-#define SOFTMMU_RESERVE_REGS  MAKE_64BIT_MASK(TCG_REG_A0, 5)
+-#else
+-#define SOFTMMU_RESERVE_REGS  0
+-#endif
++#define ALL_GENERAL_REGS   MAKE_64BIT_MASK(0, 32)
+ #define sextreg  sextract64
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+     case INDEX_op_qemu_ld_i32:
+     case INDEX_op_qemu_ld_i64:
+-        return C_O1_I1(r, L);
++        return C_O1_I1(r, r);
+     case INDEX_op_qemu_st_i32:
+     case INDEX_op_qemu_st_i64:
+-        return C_O0_I2(LZ, L);
++        return C_O0_I2(rZ, r);
+     default:
+         g_assert_not_reached();
+--
+.34.1

-New patch
+[PULL 39/53] tcg/s390x: Use ALGFR in constructing softmmu host address
+Rather than zero-extend the guest address into a register,
+use an add instruction which zero-extends the second input.
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ tcg/s390x/tcg-target.c.inc | 8 +++++---
+file changed, 5 insertions(+), 3 deletions(-)
+diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/tcg/s390x/tcg-target.c.inc
++++ b/tcg/s390x/tcg-target.c.inc
+@@ -XXX,XX +XXX,XX @@ typedef enum S390Opcode {
+     RRE_ALGR    = 0xb90a,
+     RRE_ALCR    = 0xb998,
+     RRE_ALCGR   = 0xb988,
++    RRE_ALGFR   = 0xb91a,
+     RRE_CGR     = 0xb920,
+     RRE_CLGR    = 0xb921,
+     RRE_DLGR    = 0xb987,
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+     tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
+                  offsetof(CPUTLBEntry, addend));
+-    h->base = addr_reg;
+     if (TARGET_LONG_BITS == 32) {
+-        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
+-        h->base = TCG_REG_R3;
++        tcg_out_insn(s, RRE, ALGFR, h->index, addr_reg);
++        h->base = TCG_REG_NONE;
++    } else {
++        h->base = addr_reg;
+     }
+     h->disp = 0;
+ #else
+--
+.34.1

-[PULL 4/4] target/avr: Disable interrupts when env->skip set
+[PULL 40/53] tcg/s390x: Simplify constraints on qemu_ld/st
-This bit is not saved across interrupts, so we must
+Adjust the softmmu tlb to use R0+R1, not any of the normally available
-delay delivering the interrupt until the skip has
+registers.  Since we handle overlap betwen inputs and helper arguments,
-been processed.
+we can allow any allocatable reg.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1118
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/avr/helper.c    |  9 +++++++++
+ tcg/s390x/tcg-target-con-set.h |  2 --
- target/avr/translate.c | 26 ++++++++++++++++++++++----
+ tcg/s390x/tcg-target-con-str.h |  1 -
-files changed, 31 insertions(+), 4 deletions(-)
+ tcg/s390x/tcg-target.c.inc     | 36 ++++++++++++----------------------
 files changed, 12 insertions(+), 27 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
+diff --git a/tcg/s390x/tcg-target-con-set.h b/tcg/s390x/tcg-target-con-set.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
+--- a/tcg/s390x/tcg-target-con-set.h
-+++ b/target/avr/helper.c
++++ b/tcg/s390x/tcg-target-con-set.h
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+@@ -XXX,XX +XXX,XX @@
-     AVRCPU *cpu = AVR_CPU(cs);
+  * tcg-target-con-str.h; the constraint combination is inclusive or.
-     CPUAVRState *env = &cpu->env;
+  */
+ C_O0_I1(r)
-+    /*
+-C_O0_I2(L, L)
-+     * We cannot separate a skip from the next instruction,
+ C_O0_I2(r, r)
-+     * as the skip would not be preserved across the interrupt.
+ C_O0_I2(r, ri)
-+     * Separating the two insn normally only happens at page boundaries.
+ C_O0_I2(r, rA)
-+     */
+ C_O0_I2(v, r)
-+    if (env->skip) {
+-C_O1_I1(r, L)
-+        return false;
+ C_O1_I1(r, r)
-+    }
+ C_O1_I1(v, r)
-+
+ C_O1_I1(v, v)
-     if (interrupt_request & CPU_INTERRUPT_RESET) {
+diff --git a/tcg/s390x/tcg-target-con-str.h b/tcg/s390x/tcg-target-con-str.h
          if (cpu_interrupts_enabled(env)) {
              cs->exception_index = EXCP_RESET;
 diff --git a/target/avr/translate.c b/target/avr/translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/avr/translate.c
+--- a/tcg/s390x/tcg-target-con-str.h
-+++ b/target/avr/translate.c
++++ b/tcg/s390x/tcg-target-con-str.h
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
+@@ -XXX,XX +XXX,XX @@
-     if (skip_label) {
+  * REGS(letter, register_mask)
-         canonicalize_skip(ctx);
+  */
-         gen_set_label(skip_label);
+ REGS('r', ALL_GENERAL_REGS)
--        if (ctx->base.is_jmp == DISAS_NORETURN) {
+-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
-+
+ REGS('v', ALL_VECTOR_REGS)
-+        switch (ctx->base.is_jmp) {
+ REGS('o', 0xaaaa) /* odd numbered general regs */
-+        case DISAS_NORETURN:
-             ctx->base.is_jmp = DISAS_CHAIN;
+diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
-+            break;
+index XXXXXXX..XXXXXXX 100644
-+        case DISAS_NEXT:
+--- a/tcg/s390x/tcg-target.c.inc
-+            if (ctx->base.tb->flags & TB_FLAGS_SKIP) {
++++ b/tcg/s390x/tcg-target.c.inc
-+                ctx->base.is_jmp = DISAS_TOO_MANY;
+@@ -XXX,XX +XXX,XX @@
-+            }
+ #define ALL_GENERAL_REGS     MAKE_64BIT_MASK(0, 16)
-+            break;
+ #define ALL_VECTOR_REGS      MAKE_64BIT_MASK(32, 32)
-+        default:
-+            break;
+-/*
-         }
+- * For softmmu, we need to avoid conflicts with the first 3
 - * argument registers to perform the tlb lookup, and to call
 - * the helper function.
 - */
 -#ifdef CONFIG_SOFTMMU
 -#define SOFTMMU_RESERVE_REGS MAKE_64BIT_MASK(TCG_REG_R2, 3)
 -#else
 -#define SOFTMMU_RESERVE_REGS 0
 -#endif
 -
 -
  /* Several places within the instruction set 0 means "no register"
     rather than TCG_REG_R0.  */
  #define TCG_REG_NONE    0
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      ldst->oi = oi;
      ldst->addrlo_reg = addr_reg;
 -    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
 +    tcg_out_sh64(s, RSY_SRLG, TCG_TMP0, addr_reg, TCG_REG_NONE,
                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
      QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
      QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
 -    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
 -    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
 +    tcg_out_insn(s, RXY, NG, TCG_TMP0, TCG_AREG0, TCG_REG_NONE, mask_off);
 +    tcg_out_insn(s, RXY, AG, TCG_TMP0, TCG_AREG0, TCG_REG_NONE, table_off);
      /*
       * For aligned accesses, we check the first byte and include the alignment
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
      tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
      if (a_off == 0) {
 -        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
 +        tgen_andi_risbg(s, TCG_REG_R0, addr_reg, tlb_mask);
      } else {
 -        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
 -        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
 +        tcg_out_insn(s, RX, LA, TCG_REG_R0, addr_reg, TCG_REG_NONE, a_off);
 +        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R0, tlb_mask);
      }
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     if (is_ld) {
- {
+@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
-     DisasContext *ctx = container_of(dcbase, DisasContext, base);
+         ofs = offsetof(CPUTLBEntry, addr_write);
-     bool nonconst_skip = canonicalize_skip(ctx);
+     }
-+    /*
+     if (TARGET_LONG_BITS == 32) {
-+     * Because we disable interrupts while env->skip is set,
+-        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
-+     * we must return to the main loop to re-evaluate afterward.
++        tcg_out_insn(s, RX, C, TCG_REG_R0, TCG_TMP0, TCG_REG_NONE, ofs);
-+     */
+     } else {
-+    bool force_exit = ctx->base.tb->flags & TB_FLAGS_SKIP;
+-        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
++        tcg_out_insn(s, RXY, CG, TCG_REG_R0, TCG_TMP0, TCG_REG_NONE, ofs);
-     switch (ctx->base.is_jmp) {
+     }
-     case DISAS_NORETURN:
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
-     case DISAS_NEXT:
+     ldst->label_ptr[0] = s->code_ptr++;
-     case DISAS_TOO_MANY:
-     case DISAS_CHAIN:
+-    h->index = TCG_REG_R2;
--        if (!nonconst_skip) {
+-    tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
-+        if (!nonconst_skip && !force_exit) {
++    h->index = TCG_TMP0;
-             /* Note gen_goto_tb checks singlestep.  */
++    tcg_out_insn(s, RXY, LG, h->index, TCG_TMP0, TCG_REG_NONE,
-             gen_goto_tb(ctx, 1, ctx->npc);
+                  offsetof(CPUTLBEntry, addend));
-             break;
-@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
+     if (TARGET_LONG_BITS == 32) {
-         tcg_gen_movi_tl(cpu_pc, ctx->npc);
+@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
-         /* fall through */
-     case DISAS_LOOKUP:
+     case INDEX_op_qemu_ld_i32:
--        tcg_gen_lookup_and_goto_ptr();
+     case INDEX_op_qemu_ld_i64:
--        break;
+-        return C_O1_I1(r, L);
-+        if (!force_exit) {
++        return C_O1_I1(r, r);
-+            tcg_gen_lookup_and_goto_ptr();
+     case INDEX_op_qemu_st_i64:
-+            break;
+     case INDEX_op_qemu_st_i32:
-+        }
+-        return C_O0_I2(L, L);
-+        /* fall through */
++        return C_O0_I2(r, r);
-     case DISAS_EXIT:
-         tcg_gen_exit_tb(NULL, 0);
+     case INDEX_op_deposit_i32:
-         break;
+     case INDEX_op_deposit_i64:
 --
 .34.1

-[PULL 09/20] accel/tcg: Unlock mmap_lock after longjmp
+[PULL 41/53] target/mips: Add MO_ALIGN to gen_llwp, gen_scwp
-The mmap_lock is held around tb_gen_code.  While the comment
+These are atomic operations, so mark as requiring alignment.
 is correct that the lock is dropped when tb_gen_code runs out
 of memory, the lock is *not* dropped when an exception is
 raised reading code for translation.
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cpu-exec.c  | 12 ++++++------
+ target/mips/tcg/nanomips_translate.c.inc | 5 +++--
- accel/tcg/user-exec.c |  3 ---
+file changed, 3 insertions(+), 2 deletions(-)
 files changed, 6 insertions(+), 9 deletions(-)
-diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+diff --git a/target/mips/tcg/nanomips_translate.c.inc b/target/mips/tcg/nanomips_translate.c.inc
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cpu-exec.c
+--- a/target/mips/tcg/nanomips_translate.c.inc
-+++ b/accel/tcg/cpu-exec.c
++++ b/target/mips/tcg/nanomips_translate.c.inc
-@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static void gen_llwp(DisasContext *ctx, uint32_t base, int16_t offset,
-         cpu_tb_exec(cpu, tb, &tb_exit);
+     TCGv tmp2 = tcg_temp_new();
-         cpu_exec_exit(cpu);
      gen_base_offset_addr(ctx, taddr, base, offset);
 -    tcg_gen_qemu_ld_i64(tval, taddr, ctx->mem_idx, MO_TEUQ);
 +    tcg_gen_qemu_ld_i64(tval, taddr, ctx->mem_idx, MO_TEUQ | MO_ALIGN);
      if (cpu_is_bigendian(ctx)) {
          tcg_gen_extr_i64_tl(tmp2, tmp1, tval);
      } else {
--        /*
+@@ -XXX,XX +XXX,XX @@ static void gen_scwp(DisasContext *ctx, uint32_t base, int16_t offset,
--         * The mmap_lock is dropped by tb_gen_code if it runs out of
--         * memory.
+     tcg_gen_ld_i64(llval, cpu_env, offsetof(CPUMIPSState, llval_wp));
--         */
+     tcg_gen_atomic_cmpxchg_i64(val, taddr, llval, tval,
- #ifndef CONFIG_SOFTMMU
+-                               eva ? MIPS_HFLAG_UM : ctx->mem_idx, MO_64);
-         clear_helper_retaddr();
++                               eva ? MIPS_HFLAG_UM : ctx->mem_idx,
--        tcg_debug_assert(!have_mmap_lock());
++                               MO_64 | MO_ALIGN);
-+        if (have_mmap_lock()) {
+     if (reg1 != 0) {
-+            mmap_unlock();
+         tcg_gen_movi_tl(cpu_gpr[reg1], 1);
 +        }
  #endif
          if (qemu_mutex_iothread_locked()) {
              qemu_mutex_unlock_iothread();
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
  #ifndef CONFIG_SOFTMMU
          clear_helper_retaddr();
 -        tcg_debug_assert(!have_mmap_lock());
 +        if (have_mmap_lock()) {
 +            mmap_unlock();
 +        }
  #endif
          if (qemu_mutex_iothread_locked()) {
              qemu_mutex_unlock_iothread();
 diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/user-exec.c
 +++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write)
           * (and if the translator doesn't handle page boundaries correctly
           * there's little we can do about that here).  Therefore, do not
           * trigger the unwinder.
 -         *
 -         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
           */
 -        mmap_unlock();
          *pc = 0;
          return MMU_INST_FETCH;
      }
 --
 .34.1

-[PULL 14/20] accel/tcg: Remove translator_ldsw
+[PULL 42/53] target/mips: Add missing default_tcg_memop_mask
-The only user can easily use translator_lduw and
+Memory operations that are not already aligned, or otherwise
-adjust the type to signed during the return.
+marked up, require addition of ctx->default_tcg_memop_mask.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/translator.h   | 1 -
+ target/mips/tcg/mxu_translate.c           |  3 ++-
- target/i386/tcg/translate.c | 2 +-
+ target/mips/tcg/micromips_translate.c.inc | 24 ++++++++++++++--------
-files changed, 1 insertion(+), 2 deletions(-)
+ target/mips/tcg/mips16e_translate.c.inc   | 18 ++++++++++------
  target/mips/tcg/nanomips_translate.c.inc  | 25 +++++++++++------------
 files changed, 42 insertions(+), 28 deletions(-)
-diff --git a/include/exec/translator.h b/include/exec/translator.h
+diff --git a/target/mips/tcg/mxu_translate.c b/target/mips/tcg/mxu_translate.c
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/translator.h
+--- a/target/mips/tcg/mxu_translate.c
-+++ b/include/exec/translator.h
++++ b/target/mips/tcg/mxu_translate.c
-@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
+@@ -XXX,XX +XXX,XX @@ static void gen_mxu_s32ldd_s32lddr(DisasContext *ctx)
+         tcg_gen_ori_tl(t1, t1, 0xFFFFF000);
- #define FOR_EACH_TRANSLATOR_LD(F)                                       \
+     }
-     F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
+     tcg_gen_add_tl(t1, t0, t1);
--    F(translator_ldsw, int16_t, cpu_ldsw_code, bswap16)                 \
+-    tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, MO_TESL ^ (sel * MO_BSWAP));
-     F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
++    tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, (MO_TESL ^ (sel * MO_BSWAP)) |
-     F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
++                       ctx->default_tcg_memop_mask);
-     F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+     gen_store_mxu_gpr(t1, XRa);
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
  static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
  {
 -    return translator_ldsw(env, &s->base, advance_pc(env, s, 2));
 +    return translator_lduw(env, &s->base, advance_pc(env, s, 2));
  }
+diff --git a/target/mips/tcg/micromips_translate.c.inc b/target/mips/tcg/micromips_translate.c.inc
- static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
+index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/micromips_translate.c.inc
 +++ b/target/mips/tcg/micromips_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_ldst_pair(DisasContext *ctx, uint32_t opc, int rd,
              gen_reserved_instruction(ctx);
              return;
          }
 -        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL);
 +        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL |
 +                           ctx->default_tcg_memop_mask);
          gen_store_gpr(t1, rd);
          tcg_gen_movi_tl(t1, 4);
          gen_op_addr_add(ctx, t0, t0, t1);
 -        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL);
 +        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL |
 +                           ctx->default_tcg_memop_mask);
          gen_store_gpr(t1, rd + 1);
          break;
      case SWP:
          gen_load_gpr(t1, rd);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
          tcg_gen_movi_tl(t1, 4);
          gen_op_addr_add(ctx, t0, t0, t1);
          gen_load_gpr(t1, rd + 1);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
          break;
  #ifdef TARGET_MIPS64
      case LDP:
@@ -XXX,XX +XXX,XX @@ static void gen_ldst_pair(DisasContext *ctx, uint32_t opc, int rd,
              gen_reserved_instruction(ctx);
              return;
          }
 -        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
 +        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
 +                           ctx->default_tcg_memop_mask);
          gen_store_gpr(t1, rd);
          tcg_gen_movi_tl(t1, 8);
          gen_op_addr_add(ctx, t0, t0, t1);
 -        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
 +        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
 +                           ctx->default_tcg_memop_mask);
          gen_store_gpr(t1, rd + 1);
          break;
      case SDP:
          gen_load_gpr(t1, rd);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
 +                           ctx->default_tcg_memop_mask);
          tcg_gen_movi_tl(t1, 8);
          gen_op_addr_add(ctx, t0, t0, t1);
          gen_load_gpr(t1, rd + 1);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
 +                           ctx->default_tcg_memop_mask);
          break;
  #endif
      }
 diff --git a/target/mips/tcg/mips16e_translate.c.inc b/target/mips/tcg/mips16e_translate.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/mips16e_translate.c.inc
 +++ b/target/mips/tcg/mips16e_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_save(DisasContext *ctx,
      case 4:
          gen_base_offset_addr(ctx, t0, 29, 12);
          gen_load_gpr(t1, 7);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
          /* Fall through */
      case 3:
          gen_base_offset_addr(ctx, t0, 29, 8);
          gen_load_gpr(t1, 6);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
          /* Fall through */
      case 2:
          gen_base_offset_addr(ctx, t0, 29, 4);
          gen_load_gpr(t1, 5);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
          /* Fall through */
      case 1:
          gen_base_offset_addr(ctx, t0, 29, 0);
          gen_load_gpr(t1, 4);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
 +                           ctx->default_tcg_memop_mask);
      }
      gen_load_gpr(t0, 29);
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_save(DisasContext *ctx,
          tcg_gen_movi_tl(t2, -4);                                 \
          gen_op_addr_add(ctx, t0, t0, t2);                        \
          gen_load_gpr(t1, reg);                                   \
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL); \
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |       \
 +                           ctx->default_tcg_memop_mask);         \
      } while (0)
      if (do_ra) {
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_restore(DisasContext *ctx,
  #define DECR_AND_LOAD(reg) do {                            \
          tcg_gen_movi_tl(t2, -4);                           \
          gen_op_addr_add(ctx, t0, t0, t2);                  \
 -        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL); \
 +        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL | \
 +                           ctx->default_tcg_memop_mask);   \
          gen_store_gpr(t1, reg);                            \
      } while (0)
 diff --git a/target/mips/tcg/nanomips_translate.c.inc b/target/mips/tcg/nanomips_translate.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/nanomips_translate.c.inc
 +++ b/target/mips/tcg/nanomips_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_p_lsx(DisasContext *ctx, int rd, int rs, int rt)
      switch (extract32(ctx->opcode, 7, 4)) {
      case NM_LBX:
 -        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
 -                           MO_SB);
 +        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx, MO_SB);
          gen_store_gpr(t0, rd);
          break;
      case NM_LHX:
      /*case NM_LHXS:*/
          tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
 -                           MO_TESW);
 +                           MO_TESW | ctx->default_tcg_memop_mask);
          gen_store_gpr(t0, rd);
          break;
      case NM_LWX:
      /*case NM_LWXS:*/
          tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
 -                           MO_TESL);
 +                           MO_TESL | ctx->default_tcg_memop_mask);
          gen_store_gpr(t0, rd);
          break;
      case NM_LBUX:
 -        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
 -                           MO_UB);
 +        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx, MO_UB);
          gen_store_gpr(t0, rd);
          break;
      case NM_LHUX:
      /*case NM_LHUXS:*/
          tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
 -                           MO_TEUW);
 +                           MO_TEUW | ctx->default_tcg_memop_mask);
          gen_store_gpr(t0, rd);
          break;
      case NM_SBX:
          check_nms(ctx);
          gen_load_gpr(t1, rd);
 -        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
 -                           MO_8);
 +        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_8);
          break;
      case NM_SHX:
      /*case NM_SHXS:*/
          check_nms(ctx);
          gen_load_gpr(t1, rd);
          tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
 -                           MO_TEUW);
 +                           MO_TEUW | ctx->default_tcg_memop_mask);
          break;
      case NM_SWX:
      /*case NM_SWXS:*/
          check_nms(ctx);
          gen_load_gpr(t1, rd);
          tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
 -                           MO_TEUL);
 +                           MO_TEUL | ctx->default_tcg_memop_mask);
          break;
      case NM_LWC1X:
      /*case NM_LWC1XS:*/
@@ -XXX,XX +XXX,XX @@ static int decode_nanomips_32_48_opc(CPUMIPSState *env, DisasContext *ctx)
                                                  addr_off);
                      tcg_gen_movi_tl(t0, addr);
 -                    tcg_gen_qemu_ld_tl(cpu_gpr[rt], t0, ctx->mem_idx, MO_TESL);
 +                    tcg_gen_qemu_ld_tl(cpu_gpr[rt], t0, ctx->mem_idx,
 +                                       MO_TESL | ctx->default_tcg_memop_mask);
                  }
                  break;
              case NM_SWPC48:
@@ -XXX,XX +XXX,XX @@ static int decode_nanomips_32_48_opc(CPUMIPSState *env, DisasContext *ctx)
                      tcg_gen_movi_tl(t0, addr);
                      gen_load_gpr(t1, rt);
 -                    tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
 +                    tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
 +                                       MO_TEUL | ctx->default_tcg_memop_mask);
                  }
                  break;
              default:
 --
 .34.1

-New patch
+[PULL 43/53] target/mips: Use MO_ALIGN instead of 0
+The opposite of MO_UNALN is MO_ALIGN.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/mips/tcg/nanomips_translate.c.inc | 2 +-
+file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/target/mips/tcg/nanomips_translate.c.inc b/target/mips/tcg/nanomips_translate.c.inc
+index XXXXXXX..XXXXXXX 100644
+--- a/target/mips/tcg/nanomips_translate.c.inc
++++ b/target/mips/tcg/nanomips_translate.c.inc
+@@ -XXX,XX +XXX,XX @@ static int decode_nanomips_32_48_opc(CPUMIPSState *env, DisasContext *ctx)
+                     TCGv va = tcg_temp_new();
+                     TCGv t1 = tcg_temp_new();
+                     MemOp memop = (extract32(ctx->opcode, 8, 3)) ==
+-                                      NM_P_LS_UAWM ? MO_UNALN : 0;
++                                      NM_P_LS_UAWM ? MO_UNALN : MO_ALIGN;
+                     count = (count == 0) ? 8 : count;
+                     while (counter != count) {
+--
+.34.1

-[PULL 13/20] accel/tcg: Document the faulting lookup in tb_lookup_cmp
+[PULL 44/53] target/mips: Remove TARGET_ALIGNED_ONLY
-It was non-obvious to me why we can raise an exception in
-the middle of a comparison function, but it works.
-While nearby, use TARGET_PAGE_ALIGN instead of open-coding.
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cpu-exec.c | 11 ++++++++++-
+ configs/targets/mips-linux-user.mak      | 1 -
-file changed, 10 insertions(+), 1 deletion(-)
+ configs/targets/mips-softmmu.mak         | 1 -
  configs/targets/mips64-linux-user.mak    | 1 -
  configs/targets/mips64-softmmu.mak       | 1 -
  configs/targets/mips64el-linux-user.mak  | 1 -
  configs/targets/mips64el-softmmu.mak     | 1 -
  configs/targets/mipsel-linux-user.mak    | 1 -
  configs/targets/mipsel-softmmu.mak       | 1 -
  configs/targets/mipsn32-linux-user.mak   | 1 -
  configs/targets/mipsn32el-linux-user.mak | 1 -
 files changed, 10 deletions(-)
-diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
+diff --git a/configs/targets/mips-linux-user.mak b/configs/targets/mips-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cpu-exec.c
+--- a/configs/targets/mips-linux-user.mak
-+++ b/accel/tcg/cpu-exec.c
++++ b/configs/targets/mips-linux-user.mak
-@@ -XXX,XX +XXX,XX @@ static bool tb_lookup_cmp(const void *p, const void *d)
+@@ -XXX,XX +XXX,XX @@ TARGET_ARCH=mips
-             tb_page_addr_t phys_page2;
+ TARGET_ABI_MIPSO32=y
-             target_ulong virt_page2;
+ TARGET_SYSTBL_ABI=o32
+ TARGET_SYSTBL=syscall_o32.tbl
--            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+-TARGET_ALIGNED_ONLY=y
-+            /*
+ TARGET_BIG_ENDIAN=y
-+             * We know that the first page matched, and an otherwise valid TB
+diff --git a/configs/targets/mips-softmmu.mak b/configs/targets/mips-softmmu.mak
-+             * encountered an incomplete instruction at the end of that page,
+index XXXXXXX..XXXXXXX 100644
-+             * therefore we know that generating a new TB from the current PC
+--- a/configs/targets/mips-softmmu.mak
-+             * must also require reading from the next page -- even if the
++++ b/configs/targets/mips-softmmu.mak
-+             * second pages do not match, and therefore the resulting insn
+@@ -XXX,XX +XXX,XX @@
-+             * is different for the new TB.  Therefore any exception raised
+ TARGET_ARCH=mips
-+             * here by the faulting lookup is not premature.
+-TARGET_ALIGNED_ONLY=y
-+             */
+ TARGET_BIG_ENDIAN=y
-+            virt_page2 = TARGET_PAGE_ALIGN(desc->pc);
+ TARGET_SUPPORTS_MTTCG=y
-             phys_page2 = get_page_addr_code(desc->env, virt_page2);
+diff --git a/configs/targets/mips64-linux-user.mak b/configs/targets/mips64-linux-user.mak
-             if (tb->page_addr[1] == phys_page2) {
+index XXXXXXX..XXXXXXX 100644
-                 return true;
+--- a/configs/targets/mips64-linux-user.mak
 +++ b/configs/targets/mips64-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI_MIPSN64=y
  TARGET_BASE_ARCH=mips
  TARGET_SYSTBL_ABI=n64
  TARGET_SYSTBL=syscall_n64.tbl
 -TARGET_ALIGNED_ONLY=y
  TARGET_BIG_ENDIAN=y
 diff --git a/configs/targets/mips64-softmmu.mak b/configs/targets/mips64-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mips64-softmmu.mak
 +++ b/configs/targets/mips64-softmmu.mak
@@ -XXX,XX +XXX,XX @@
  TARGET_ARCH=mips64
  TARGET_BASE_ARCH=mips
 -TARGET_ALIGNED_ONLY=y
  TARGET_BIG_ENDIAN=y
 diff --git a/configs/targets/mips64el-linux-user.mak b/configs/targets/mips64el-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mips64el-linux-user.mak
 +++ b/configs/targets/mips64el-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI_MIPSN64=y
  TARGET_BASE_ARCH=mips
  TARGET_SYSTBL_ABI=n64
  TARGET_SYSTBL=syscall_n64.tbl
 -TARGET_ALIGNED_ONLY=y
 diff --git a/configs/targets/mips64el-softmmu.mak b/configs/targets/mips64el-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mips64el-softmmu.mak
 +++ b/configs/targets/mips64el-softmmu.mak
@@ -XXX,XX +XXX,XX @@
  TARGET_ARCH=mips64
  TARGET_BASE_ARCH=mips
 -TARGET_ALIGNED_ONLY=y
  TARGET_NEED_FDT=y
 diff --git a/configs/targets/mipsel-linux-user.mak b/configs/targets/mipsel-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mipsel-linux-user.mak
 +++ b/configs/targets/mipsel-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ARCH=mips
  TARGET_ABI_MIPSO32=y
  TARGET_SYSTBL_ABI=o32
  TARGET_SYSTBL=syscall_o32.tbl
 -TARGET_ALIGNED_ONLY=y
 diff --git a/configs/targets/mipsel-softmmu.mak b/configs/targets/mipsel-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mipsel-softmmu.mak
 +++ b/configs/targets/mipsel-softmmu.mak
@@ -XXX,XX +XXX,XX @@
  TARGET_ARCH=mips
 -TARGET_ALIGNED_ONLY=y
  TARGET_SUPPORTS_MTTCG=y
 diff --git a/configs/targets/mipsn32-linux-user.mak b/configs/targets/mipsn32-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mipsn32-linux-user.mak
 +++ b/configs/targets/mipsn32-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI32=y
  TARGET_BASE_ARCH=mips
  TARGET_SYSTBL_ABI=n32
  TARGET_SYSTBL=syscall_n32.tbl
 -TARGET_ALIGNED_ONLY=y
  TARGET_BIG_ENDIAN=y
 diff --git a/configs/targets/mipsn32el-linux-user.mak b/configs/targets/mipsn32el-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/mipsn32el-linux-user.mak
 +++ b/configs/targets/mipsn32el-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI32=y
  TARGET_BASE_ARCH=mips
  TARGET_SYSTBL_ABI=n32
  TARGET_SYSTBL=syscall_n32.tbl
 -TARGET_ALIGNED_ONLY=y
 --
 .34.1

-[PULL 15/20] accel/tcg: Add pc and host_pc params to gen_intermediate_code
+[PULL 45/53] target/nios2: Remove TARGET_ALIGNED_ONLY
-Pass these along to translator_loop -- pc may be used instead
+In gen_ldx/gen_stx, the only two locations for memory operations,
-of tb->pc, and host_pc is currently unused.  Adjust all targets
+mark the operation as either aligned (softmmu) or unaligned
-at one time.
+(user-only, as if emulated by the kernel).
-Acked-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- include/exec/exec-all.h       |  1 -
+ configs/targets/nios2-softmmu.mak |  1 -
- include/exec/translator.h     | 24 ++++++++++++++++++++----
+ target/nios2/translate.c          | 10 ++++++++++
- accel/tcg/translate-all.c     |  6 ++++--
+files changed, 10 insertions(+), 1 deletion(-)
  accel/tcg/translator.c        |  9 +++++----
  target/alpha/translate.c      |  5 +++--
  target/arm/translate.c        |  5 +++--
  target/avr/translate.c        |  5 +++--
  target/cris/translate.c       |  5 +++--
  target/hexagon/translate.c    |  6 ++++--
  target/hppa/translate.c       |  5 +++--
  target/i386/tcg/translate.c   |  5 +++--
  target/loongarch/translate.c  |  6 ++++--
  target/m68k/translate.c       |  5 +++--
  target/microblaze/translate.c |  5 +++--
  target/mips/tcg/translate.c   |  5 +++--
  target/nios2/translate.c      |  5 +++--
  target/openrisc/translate.c   |  6 ++++--
  target/ppc/translate.c        |  5 +++--
  target/riscv/translate.c      |  5 +++--
  target/rx/translate.c         |  5 +++--
  target/s390x/tcg/translate.c  |  5 +++--
  target/sh4/translate.c        |  5 +++--
  target/sparc/translate.c      |  5 +++--
  target/tricore/translate.c    |  6 ++++--
  target/xtensa/translate.c     |  6 ++++--
 files changed, 97 insertions(+), 53 deletions(-)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
+diff --git a/configs/targets/nios2-softmmu.mak b/configs/targets/nios2-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
+--- a/configs/targets/nios2-softmmu.mak
-+++ b/include/exec/exec-all.h
++++ b/configs/targets/nios2-softmmu.mak
@@ -XXX,XX +XXX,XX @@ typedef ram_addr_t tb_page_addr_t;
  #define TB_PAGE_ADDR_FMT RAM_ADDR_FMT
  #endif
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns);
  void restore_state_to_opc(CPUArchState *env, TranslationBlock *tb,
                            target_ulong *data);
 diff --git a/include/exec/translator.h b/include/exec/translator.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/translator.h
 +++ b/include/exec/translator.h
 @@ -XXX,XX +XXX,XX @@
- #include "exec/translate-all.h"
+ TARGET_ARCH=nios2
- #include "tcg/tcg.h"
+-TARGET_ALIGNED_ONLY=y
+ TARGET_NEED_FDT=y
 +/**
 + * gen_intermediate_code
 + * @cpu: cpu context
 + * @tb: translation block
 + * @max_insns: max number of instructions to translate
 + * @pc: guest virtual program counter address
 + * @host_pc: host physical program counter address
 + *
 + * This function must be provided by the target, which should create
 + * the target-specific DisasContext, and then invoke translator_loop.
 + */
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc);
  /**
   * DisasJumpType:
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
  /**
   * translator_loop:
 - * @ops: Target-specific operations.
 - * @db: Disassembly context.
   * @cpu: Target vCPU.
   * @tb: Translation block.
   * @max_insns: Maximum number of insns to translate.
 + * @pc: guest virtual program counter address
 + * @host_pc: host physical program counter address
 + * @ops: Target-specific operations.
 + * @db: Disassembly context.
   *
   * Generic translator loop.
   *
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
   * - When single-stepping is enabled (system-wide or on the current vCPU).
   * - When too many instructions have been translated.
   */
 -void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
 -                     CPUState *cpu, TranslationBlock *tb, int max_insns);
 +void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                     target_ulong pc, void *host_pc,
 +                     const TranslatorOps *ops, DisasContextBase *db);
  void translator_loop_temp_check(DisasContextBase *db);
 diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translate-all.c
 +++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@
  #include "exec/cputlb.h"
  #include "exec/translate-all.h"
 +#include "exec/translator.h"
  #include "qemu/bitmap.h"
  #include "qemu/qemu-print.h"
  #include "qemu/timer.h"
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      TCGProfile *prof = &tcg_ctx->prof;
      int64_t ti;
  #endif
 +    void *host_pc;
      assert_memory_lock();
      qemu_thread_jit_write();
 -    phys_pc = get_page_addr_code(env, pc);
 +    phys_pc = get_page_addr_code_hostp(env, pc, &host_pc);
      if (phys_pc == -1) {
          /* Generate a one-shot TB with 1 insn in it */
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      tcg_func_start(tcg_ctx);
      tcg_ctx->cpu = env_cpu(env);
 -    gen_intermediate_code(cpu, tb, max_insns);
 +    gen_intermediate_code(cpu, tb, max_insns, pc, host_pc);
      assert(tb->size != 0);
      tcg_ctx->cpu = NULL;
      max_insns = tb->icount;
 diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/translator.c
 +++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ static inline void translator_page_protect(DisasContextBase *dcbase,
  #endif
  }
 -void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
 -                     CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                     target_ulong pc, void *host_pc,
 +                     const TranslatorOps *ops, DisasContextBase *db)
  {
      uint32_t cflags = tb_cflags(tb);
      bool plugin_enabled;
      /* Initialize DisasContext */
      db->tb = tb;
 -    db->pc_first = tb->pc;
 -    db->pc_next = db->pc_first;
 +    db->pc_first = pc;
 +    db->pc_next = pc;
      db->is_jmp = DISAS_NEXT;
      db->num_insns = 0;
      db->max_insns = max_insns;
 diff --git a/target/alpha/translate.c b/target/alpha/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/alpha/translate.c
 +++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
      .disas_log          = alpha_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&alpha_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &alpha_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUAlphaState *env, TranslationBlock *tb,
 diff --git a/target/arm/translate.c b/target/arm/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/arm/translate.c
 +++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
  };
  /* generate intermediate code for basic block 'tb'.  */
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = { };
      const TranslatorOps *ops = &arm_translator_ops;
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
      }
  #endif
 -    translator_loop(ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, ops, &dc.base);
  }
  void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
 diff --git a/target/avr/translate.c b/target/avr/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/avr/translate.c
 +++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
      .disas_log          = avr_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc = { };
 -    translator_loop(&avr_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &avr_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUAVRState *env, TranslationBlock *tb,
 diff --git a/target/cris/translate.c b/target/cris/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/cris/translate.c
 +++ b/target/cris/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
      .disas_log          = cris_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&cris_tr_ops, &dc.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &cris_tr_ops, &dc.base);
  }
  void cris_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hexagon/translate.c
 +++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
      .disas_log          = hexagon_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&hexagon_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &hexagon_tr_ops, &ctx.base);
  }
  #define NAME_LEN               64
 diff --git a/target/hppa/translate.c b/target/hppa/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/hppa/translate.c
 +++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
      .disas_log          = hppa_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&hppa_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &hppa_tr_ops, &ctx.base);
  }
  void restore_state_to_opc(CPUHPPAState *env, TranslationBlock *tb,
 diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/i386/tcg/translate.c
 +++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
  };
  /* generate intermediate code for basic block 'tb'.  */
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&i386_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
  }
  void restore_state_to_opc(CPUX86State *env, TranslationBlock *tb,
 diff --git a/target/loongarch/translate.c b/target/loongarch/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/loongarch/translate.c
 +++ b/target/loongarch/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps loongarch_tr_ops = {
      .disas_log          = loongarch_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&loongarch_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &loongarch_tr_ops, &ctx.base);
  }
  void loongarch_translate_init(void)
 diff --git a/target/m68k/translate.c b/target/m68k/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/m68k/translate.c
 +++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
      .disas_log          = m68k_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&m68k_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &m68k_tr_ops, &dc.base);
  }
  static double floatx80_to_double(CPUM68KState *env, uint16_t high, uint64_t low)
 diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/microblaze/translate.c
 +++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
      .disas_log          = mb_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext dc;
 -    translator_loop(&mb_tr_ops, &dc.base, cpu, tb, max_insns);
 +    translator_loop(cpu, tb, max_insns, pc, host_pc, &mb_tr_ops, &dc.base);
  }
  void mb_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/mips/tcg/translate.c
 +++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
      .disas_log          = mips_tr_disas_log,
  };
 -void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&mips_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &mips_tr_ops, &ctx.base);
  }
  void mips_tcg_init(void)
 diff --git a/target/nios2/translate.c b/target/nios2/translate.c
 index XXXXXXX..XXXXXXX 100644
 --- a/target/nios2/translate.c
 +++ b/target/nios2/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
+@@ -XXX,XX +XXX,XX @@ static void gen_ldx(DisasContext *dc, uint32_t code, uint32_t flags)
-     .disas_log          = nios2_tr_disas_log,
+     TCGv data = dest_gpr(dc, instr.b);
- };
+     tcg_gen_addi_tl(addr, load_gpr(dc, instr.a), instr.imm16.s);
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
++#ifdef CONFIG_USER_ONLY
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
++    flags |= MO_UNALN;
-+                           target_ulong pc, void *host_pc)
++#else
- {
++    flags |= MO_ALIGN;
-     DisasContext dc;
++#endif
--    translator_loop(&nios2_tr_ops, &dc.base, cs, tb, max_insns);
+     tcg_gen_qemu_ld_tl(data, addr, dc->mem_idx, flags);
 +    translator_loop(cs, tb, max_insns, pc, host_pc, &nios2_tr_ops, &dc.base);
  }
- void nios2_cpu_dump_state(CPUState *cs, FILE *f, int flags)
+@@ -XXX,XX +XXX,XX @@ static void gen_stx(DisasContext *dc, uint32_t code, uint32_t flags)
-diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
-index XXXXXXX..XXXXXXX 100644
+     TCGv addr = tcg_temp_new();
---- a/target/openrisc/translate.c
+     tcg_gen_addi_tl(addr, load_gpr(dc, instr.a), instr.imm16.s);
-+++ b/target/openrisc/translate.c
++#ifdef CONFIG_USER_ONLY
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
++    flags |= MO_UNALN;
-     .disas_log          = openrisc_tr_disas_log,
++#else
- };
++    flags |= MO_ALIGN;
++#endif
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+     tcg_gen_qemu_st_tl(val, addr, dc->mem_idx, flags);
 +void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
 +                           target_ulong pc, void *host_pc)
  {
      DisasContext ctx;
 -    translator_loop(&openrisc_tr_ops, &ctx.base, cs, tb, max_insns);
 +    translator_loop(cs, tb, max_insns, pc, host_pc,
 +                    &openrisc_tr_ops, &ctx.base);
  }
- void openrisc_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-diff --git a/target/ppc/translate.c b/target/ppc/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/ppc/translate.c
-+++ b/target/ppc/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
-     .disas_log          = ppc_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext ctx;
--    translator_loop(&ppc_tr_ops, &ctx.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &ppc_tr_ops, &ctx.base);
- }
- void restore_state_to_opc(CPUPPCState *env, TranslationBlock *tb,
-diff --git a/target/riscv/translate.c b/target/riscv/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/translate.c
-+++ b/target/riscv/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
-     .disas_log          = riscv_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext ctx;
--    translator_loop(&riscv_tr_ops, &ctx.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &riscv_tr_ops, &ctx.base);
- }
- void riscv_translate_init(void)
-diff --git a/target/rx/translate.c b/target/rx/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/rx/translate.c
-+++ b/target/rx/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
-     .disas_log          = rx_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext dc;
--    translator_loop(&rx_tr_ops, &dc.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &rx_tr_ops, &dc.base);
- }
- void restore_state_to_opc(CPURXState *env, TranslationBlock *tb,
-diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/s390x/tcg/translate.c
-+++ b/target/s390x/tcg/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
-     .disas_log          = s390x_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext dc;
--    translator_loop(&s390x_tr_ops, &dc.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &s390x_tr_ops, &dc.base);
- }
- void restore_state_to_opc(CPUS390XState *env, TranslationBlock *tb,
-diff --git a/target/sh4/translate.c b/target/sh4/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/sh4/translate.c
-+++ b/target/sh4/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
-     .disas_log          = sh4_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext ctx;
--    translator_loop(&sh4_tr_ops, &ctx.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &sh4_tr_ops, &ctx.base);
- }
- void restore_state_to_opc(CPUSH4State *env, TranslationBlock *tb,
-diff --git a/target/sparc/translate.c b/target/sparc/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/sparc/translate.c
-+++ b/target/sparc/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
-     .disas_log          = sparc_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext dc = {};
--    translator_loop(&sparc_tr_ops, &dc.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc, &sparc_tr_ops, &dc.base);
- }
- void sparc_tcg_init(void)
-diff --git a/target/tricore/translate.c b/target/tricore/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/tricore/translate.c
-+++ b/target/tricore/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
- };
--void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext ctx;
--    translator_loop(&tricore_tr_ops, &ctx.base, cs, tb, max_insns);
-+    translator_loop(cs, tb, max_insns, pc, host_pc,
-+                    &tricore_tr_ops, &ctx.base);
- }
- void
-diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
-index XXXXXXX..XXXXXXX 100644
---- a/target/xtensa/translate.c
-+++ b/target/xtensa/translate.c
-@@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
-     .disas_log          = xtensa_tr_disas_log,
- };
--void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
-+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
-+                           target_ulong pc, void *host_pc)
- {
-     DisasContext dc = {};
--    translator_loop(&xtensa_translator_ops, &dc.base, cpu, tb, max_insns);
-+    translator_loop(cpu, tb, max_insns, pc, host_pc,
-+                    &xtensa_translator_ops, &dc.base);
- }
- void xtensa_cpu_dump_state(CPUState *cs, FILE *f, int flags)
 --
 .34.1

-New patch
+[PULL 46/53] target/sh4: Use MO_ALIGN where required
+Mark all memory operations that are not already marked with UNALIGN.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
+Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
+---
+ target/sh4/translate.c | 102 ++++++++++++++++++++++++++---------------
+file changed, 66 insertions(+), 36 deletions(-)
+diff --git a/target/sh4/translate.c b/target/sh4/translate.c
+index XXXXXXX..XXXXXXX 100644
+--- a/target/sh4/translate.c
++++ b/target/sh4/translate.c
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     case 0x9000:        /* mov.w @(disp,PC),Rn */
+     {
+             TCGv addr = tcg_constant_i32(ctx->base.pc_next + 4 + B7_0 * 2);
+-            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESW);
++            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
++                                MO_TESW | MO_ALIGN);
+     }
+     return;
+     case 0xd000:        /* mov.l @(disp,PC),Rn */
+     {
+             TCGv addr = tcg_constant_i32((ctx->base.pc_next + 4 + B7_0 * 4) & ~3);
+-            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+     }
+     return;
+     case 0x7000:        /* add #imm,Rn */
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {
+         TCGv arg0, arg1;
+         arg0 = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+         arg1 = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+             gen_helper_macl(cpu_env, arg0, arg1);
+         tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 4);
+         tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {
+         TCGv arg0, arg1;
+         arg0 = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+         arg1 = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+             gen_helper_macw(cpu_env, arg0, arg1);
+         tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 2);
+         tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 2);
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+         if (ctx->tbflags & FPSCR_SZ) {
+             TCGv_i64 fp = tcg_temp_new_i64();
+             gen_load_fpr64(ctx, fp, XHACK(B7_4));
+-            tcg_gen_qemu_st_i64(fp, REG(B11_8), ctx->memidx, MO_TEUQ);
++            tcg_gen_qemu_st_i64(fp, REG(B11_8), ctx->memidx,
++                                MO_TEUQ | MO_ALIGN);
+     } else {
+-            tcg_gen_qemu_st_i32(FREG(B7_4), REG(B11_8), ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(FREG(B7_4), REG(B11_8), ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+     }
+     return;
+     case 0xf008: /* fmov @Rm,{F,D,X}Rn - FPSCR: Nothing */
+     CHECK_FPU_ENABLED
+         if (ctx->tbflags & FPSCR_SZ) {
+             TCGv_i64 fp = tcg_temp_new_i64();
+-            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx, MO_TEUQ);
++            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx,
++                                MO_TEUQ | MO_ALIGN);
+             gen_store_fpr64(ctx, fp, XHACK(B11_8));
+     } else {
+-            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+     }
+     return;
+     case 0xf009: /* fmov @Rm+,{F,D,X}Rn - FPSCR: Nothing */
+     CHECK_FPU_ENABLED
+         if (ctx->tbflags & FPSCR_SZ) {
+             TCGv_i64 fp = tcg_temp_new_i64();
+-            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx, MO_TEUQ);
++            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx,
++                                MO_TEUQ | MO_ALIGN);
+             gen_store_fpr64(ctx, fp, XHACK(B11_8));
+             tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 8);
+     } else {
+-            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+         tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 4);
+     }
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+                 TCGv_i64 fp = tcg_temp_new_i64();
+                 gen_load_fpr64(ctx, fp, XHACK(B7_4));
+                 tcg_gen_subi_i32(addr, REG(B11_8), 8);
+-                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx, MO_TEUQ);
++                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx,
++                                    MO_TEUQ | MO_ALIGN);
+             } else {
+                 tcg_gen_subi_i32(addr, REG(B11_8), 4);
+-                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx, MO_TEUL);
++                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx,
++                                    MO_TEUL | MO_ALIGN);
+             }
+             tcg_gen_mov_i32(REG(B11_8), addr);
+         }
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+         tcg_gen_add_i32(addr, REG(B7_4), REG(0));
+             if (ctx->tbflags & FPSCR_SZ) {
+                 TCGv_i64 fp = tcg_temp_new_i64();
+-                tcg_gen_qemu_ld_i64(fp, addr, ctx->memidx, MO_TEUQ);
++                tcg_gen_qemu_ld_i64(fp, addr, ctx->memidx,
++                                    MO_TEUQ | MO_ALIGN);
+                 gen_store_fpr64(ctx, fp, XHACK(B11_8));
+         } else {
+-                tcg_gen_qemu_ld_i32(FREG(B11_8), addr, ctx->memidx, MO_TEUL);
++                tcg_gen_qemu_ld_i32(FREG(B11_8), addr, ctx->memidx,
++                                    MO_TEUL | MO_ALIGN);
+         }
+     }
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+             if (ctx->tbflags & FPSCR_SZ) {
+                 TCGv_i64 fp = tcg_temp_new_i64();
+                 gen_load_fpr64(ctx, fp, XHACK(B7_4));
+-                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx, MO_TEUQ);
++                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx,
++                                    MO_TEUQ | MO_ALIGN);
+         } else {
+-                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx, MO_TEUL);
++                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx,
++                                    MO_TEUL | MO_ALIGN);
+         }
+     }
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {
+         TCGv addr = tcg_temp_new();
+         tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 2);
+-            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESW);
++            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESW | MO_ALIGN);
+     }
+     return;
+     case 0xc600:        /* mov.l @(disp,GBR),R0 */
+     {
+         TCGv addr = tcg_temp_new();
+         tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 4);
+-            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESL | MO_ALIGN);
+     }
+     return;
+     case 0xc000:        /* mov.b R0,@(disp,GBR) */
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {
+         TCGv addr = tcg_temp_new();
+         tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 2);
+-            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUW);
++            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUW | MO_ALIGN);
+     }
+     return;
+     case 0xc200:        /* mov.l R0,@(disp,GBR) */
+     {
+         TCGv addr = tcg_temp_new();
+         tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 4);
+-            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUL | MO_ALIGN);
+     }
+     return;
+     case 0x8000:        /* mov.b R0,@(disp,Rn) */
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     return;
+     case 0x4087:        /* ldc.l @Rm+,Rn_BANK */
+     CHECK_PRIVILEGED
+-        tcg_gen_qemu_ld_i32(ALTREG(B6_4), REG(B11_8), ctx->memidx, MO_TESL);
++        tcg_gen_qemu_ld_i32(ALTREG(B6_4), REG(B11_8), ctx->memidx,
++                            MO_TESL | MO_ALIGN);
+     tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
+     return;
+     case 0x0082:        /* stc Rm_BANK,Rn */
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {
+         TCGv addr = tcg_temp_new();
+         tcg_gen_subi_i32(addr, REG(B11_8), 4);
+-            tcg_gen_qemu_st_i32(ALTREG(B6_4), addr, ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(ALTREG(B6_4), addr, ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+         tcg_gen_mov_i32(REG(B11_8), addr);
+     }
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     CHECK_PRIVILEGED
+     {
+         TCGv val = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+             tcg_gen_andi_i32(val, val, 0x700083f3);
+             gen_write_sr(val);
+         tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+             TCGv val = tcg_temp_new();
+         tcg_gen_subi_i32(addr, REG(B11_8), 4);
+             gen_read_sr(val);
+-            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL | MO_ALIGN);
+         tcg_gen_mov_i32(REG(B11_8), addr);
+     }
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     return;                            \
+   case ldpnum:                            \
+     prechk                                \
+-    tcg_gen_qemu_ld_i32(cpu_##reg, REG(B11_8), ctx->memidx, MO_TESL); \
++    tcg_gen_qemu_ld_i32(cpu_##reg, REG(B11_8), ctx->memidx,     \
++                        MO_TESL | MO_ALIGN);                    \
+     tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);        \
+     return;
+ #define ST(reg,stnum,stpnum,prechk)        \
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     {                                \
+     TCGv addr = tcg_temp_new();                \
+     tcg_gen_subi_i32(addr, REG(B11_8), 4);            \
+-        tcg_gen_qemu_st_i32(cpu_##reg, addr, ctx->memidx, MO_TEUL); \
++        tcg_gen_qemu_st_i32(cpu_##reg, addr, ctx->memidx,       \
++                            MO_TEUL | MO_ALIGN);                \
+     tcg_gen_mov_i32(REG(B11_8), addr);            \
+     }                                \
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+     CHECK_FPU_ENABLED
+     {
+         TCGv addr = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(addr, REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(addr, REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+         tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
+             gen_helper_ld_fpscr(cpu_env, addr);
+             ctx->base.is_jmp = DISAS_STOP;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+         tcg_gen_andi_i32(val, cpu_fpscr, 0x003fffff);
+         addr = tcg_temp_new();
+         tcg_gen_subi_i32(addr, REG(B11_8), 4);
+-            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL | MO_ALIGN);
+         tcg_gen_mov_i32(REG(B11_8), addr);
+     }
+     return;
+     case 0x00c3:        /* movca.l R0,@Rm */
+         {
+             TCGv val = tcg_temp_new();
+-            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+             gen_helper_movcal(cpu_env, REG(B11_8), val);
+-            tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx, MO_TEUL);
++            tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx,
++                                MO_TEUL | MO_ALIGN);
+         }
+         ctx->has_movcal = 1;
+     return;
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+                                    cpu_lock_addr, fail);
+                 tmp = tcg_temp_new();
+                 tcg_gen_atomic_cmpxchg_i32(tmp, REG(B11_8), cpu_lock_value,
+-                                           REG(0), ctx->memidx, MO_TEUL);
++                                           REG(0), ctx->memidx,
++                                           MO_TEUL | MO_ALIGN);
+                 tcg_gen_setcond_i32(TCG_COND_EQ, cpu_sr_t, tmp, cpu_lock_value);
+             } else {
+                 tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_lock_addr, -1, fail);
+-                tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx, MO_TEUL);
++                tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx,
++                                    MO_TEUL | MO_ALIGN);
+                 tcg_gen_movi_i32(cpu_sr_t, 1);
+             }
+             tcg_gen_br(done);
+@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
+         if ((tb_cflags(ctx->base.tb) & CF_PARALLEL)) {
+             TCGv tmp = tcg_temp_new();
+             tcg_gen_mov_i32(tmp, REG(B11_8));
+-            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+             tcg_gen_mov_i32(cpu_lock_value, REG(0));
+             tcg_gen_mov_i32(cpu_lock_addr, tmp);
+         } else {
+-            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx, MO_TESL);
++            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx,
++                                MO_TESL | MO_ALIGN);
+             tcg_gen_movi_i32(cpu_lock_addr, 0);
+         }
+         return;
+--
+.34.1

-[PULL 2/4] target/avr: Call avr_cpu_do_interrupt directly
+[PULL 47/53] target/sh4: Remove TARGET_ALIGNED_ONLY
-There is no need to go through cc->tcg_ops when
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 we know what value that must have.
 Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
 Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/avr/helper.c | 5 ++---
+ configs/targets/sh4-linux-user.mak   | 1 -
-file changed, 2 insertions(+), 3 deletions(-)
+ configs/targets/sh4-softmmu.mak      | 1 -
  configs/targets/sh4eb-linux-user.mak | 1 -
  configs/targets/sh4eb-softmmu.mak    | 1 -
 files changed, 4 deletions(-)
-diff --git a/target/avr/helper.c b/target/avr/helper.c
+diff --git a/configs/targets/sh4-linux-user.mak b/configs/targets/sh4-linux-user.mak
 index XXXXXXX..XXXXXXX 100644
---- a/target/avr/helper.c
+--- a/configs/targets/sh4-linux-user.mak
-+++ b/target/avr/helper.c
++++ b/configs/targets/sh4-linux-user.mak
 @@ -XXX,XX +XXX,XX @@
- bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
+ TARGET_ARCH=sh4
- {
+ TARGET_SYSTBL_ABI=common
-     bool ret = false;
+ TARGET_SYSTBL=syscall.tbl
--    CPUClass *cc = CPU_GET_CLASS(cs);
+-TARGET_ALIGNED_ONLY=y
-     AVRCPU *cpu = AVR_CPU(cs);
+ TARGET_HAS_BFLT=y
-     CPUAVRState *env = &cpu->env;
+diff --git a/configs/targets/sh4-softmmu.mak b/configs/targets/sh4-softmmu.mak
+index XXXXXXX..XXXXXXX 100644
-     if (interrupt_request & CPU_INTERRUPT_RESET) {
+--- a/configs/targets/sh4-softmmu.mak
-         if (cpu_interrupts_enabled(env)) {
++++ b/configs/targets/sh4-softmmu.mak
-             cs->exception_index = EXCP_RESET;
+@@ -1,2 +1 @@
--            cc->tcg_ops->do_interrupt(cs);
+ TARGET_ARCH=sh4
-+            avr_cpu_do_interrupt(cs);
+-TARGET_ALIGNED_ONLY=y
+diff --git a/configs/targets/sh4eb-linux-user.mak b/configs/targets/sh4eb-linux-user.mak
-             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
+index XXXXXXX..XXXXXXX 100644
+--- a/configs/targets/sh4eb-linux-user.mak
-@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
++++ b/configs/targets/sh4eb-linux-user.mak
-         if (cpu_interrupts_enabled(env) && env->intsrc != 0) {
+@@ -XXX,XX +XXX,XX @@
-             int index = ctz32(env->intsrc);
+ TARGET_ARCH=sh4
-             cs->exception_index = EXCP_INT(index);
+ TARGET_SYSTBL_ABI=common
--            cc->tcg_ops->do_interrupt(cs);
+ TARGET_SYSTBL=syscall.tbl
-+            avr_cpu_do_interrupt(cs);
+-TARGET_ALIGNED_ONLY=y
+ TARGET_BIG_ENDIAN=y
-             env->intsrc &= env->intsrc - 1; /* clear the interrupt */
+ TARGET_HAS_BFLT=y
-             if (!env->intsrc) {
+diff --git a/configs/targets/sh4eb-softmmu.mak b/configs/targets/sh4eb-softmmu.mak
 index XXXXXXX..XXXXXXX 100644
 --- a/configs/targets/sh4eb-softmmu.mak
 +++ b/configs/targets/sh4eb-softmmu.mak
@@ -XXX,XX +XXX,XX @@
  TARGET_ARCH=sh4
 -TARGET_ALIGNED_ONLY=y
  TARGET_BIG_ENDIAN=y
 --
 .34.1

-[PULL 06/20] tests/tcg/i386: Move smc_code2 to an executable section
+[PULL 48/53] tcg: Remove TARGET_ALIGNED_ONLY
-We're about to start validating PAGE_EXEC, which means
+All uses have now been expunged.
 that we've got to put this code into a section that is
 both writable and executable.
-Note that this test did not run on hardware beforehand either.
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- tests/tcg/i386/test-i386.c | 2 +-
+ include/exec/memop.h  | 13 ++-----------
-file changed, 1 insertion(+), 1 deletion(-)
+ include/exec/poison.h |  1 -
  tcg/tcg.c             |  5 -----
 files changed, 2 insertions(+), 17 deletions(-)
-diff --git a/tests/tcg/i386/test-i386.c b/tests/tcg/i386/test-i386.c
+diff --git a/include/exec/memop.h b/include/exec/memop.h
 index XXXXXXX..XXXXXXX 100644
---- a/tests/tcg/i386/test-i386.c
+--- a/include/exec/memop.h
-+++ b/tests/tcg/i386/test-i386.c
++++ b/include/exec/memop.h
-@@ -XXX,XX +XXX,XX @@ uint8_t code[] = {
+@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
-xc3, /* ret */
+      * MO_UNALN accesses are never checked for alignment.
       * MO_ALIGN accesses will result in a call to the CPU's
       * do_unaligned_access hook if the guest address is not aligned.
 -     * The default depends on whether the target CPU defines
 -     * TARGET_ALIGNED_ONLY.
       *
       * Some architectures (e.g. ARMv8) need the address which is aligned
       * to a size more than the size of the memory access.
@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
       */
      MO_ASHIFT = 5,
      MO_AMASK = 0x7 << MO_ASHIFT,
 -#ifdef NEED_CPU_H
 -#ifdef TARGET_ALIGNED_ONLY
 -    MO_ALIGN = 0,
 -    MO_UNALN = MO_AMASK,
 -#else
 -    MO_ALIGN = MO_AMASK,
 -    MO_UNALN = 0,
 -#endif
 -#endif
 +    MO_UNALN    = 0,
      MO_ALIGN_2  = 1 << MO_ASHIFT,
      MO_ALIGN_4  = 2 << MO_ASHIFT,
      MO_ALIGN_8  = 3 << MO_ASHIFT,
      MO_ALIGN_16 = 4 << MO_ASHIFT,
      MO_ALIGN_32 = 5 << MO_ASHIFT,
      MO_ALIGN_64 = 6 << MO_ASHIFT,
 +    MO_ALIGN    = MO_AMASK,
      /* Combinations of the above, for ease of use.  */
      MO_UB    = MO_8,
 diff --git a/include/exec/poison.h b/include/exec/poison.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/poison.h
 +++ b/include/exec/poison.h
@@ -XXX,XX +XXX,XX @@
  #pragma GCC poison TARGET_TRICORE
  #pragma GCC poison TARGET_XTENSA
 -#pragma GCC poison TARGET_ALIGNED_ONLY
  #pragma GCC poison TARGET_HAS_BFLT
  #pragma GCC poison TARGET_NAME
  #pragma GCC poison TARGET_SUPPORTS_MTTCG
 diff --git a/tcg/tcg.c b/tcg/tcg.c
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/tcg.c
 +++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static const char * const ldst_name[] =
  };
--asm(".section \".data\"\n"
+ static const char * const alignment_name[(MO_AMASK >> MO_ASHIFT) + 1] = {
-+asm(".section \".data_x\",\"awx\"\n"
+-#ifdef TARGET_ALIGNED_ONLY
-     "smc_code2:\n"
+     [MO_UNALN >> MO_ASHIFT]    = "un+",
-     "movl 4(%esp), %eax\n"
+-    [MO_ALIGN >> MO_ASHIFT]    = "",
-     "movl %eax, smc_patch_addr2 + 1\n"
+-#else
 -    [MO_UNALN >> MO_ASHIFT]    = "",
      [MO_ALIGN >> MO_ASHIFT]    = "al+",
 -#endif
      [MO_ALIGN_2 >> MO_ASHIFT]  = "al2+",
      [MO_ALIGN_4 >> MO_ASHIFT]  = "al4+",
      [MO_ALIGN_8 >> MO_ASHIFT]  = "al8+",
 --
 .34.1

-[PULL 20/20] target/riscv: Make translator stop before the end of a page
+[PULL 49/53] accel/tcg: Add cpu_in_serial_context
-Right now the translator stops right *after* the end of a page, which
+Like cpu_in_exclusive_context, but also true if
-breaks reporting of fault locations when the last instruction of a
+there is no other cpu against which we could race.
 multi-insn translation block crosses a page boundary.
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1155
+Use it in tb_flush as a direct replacement.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Use it in cpu_loop_exit_atomic to ensure that there
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+is no loop against cpu_exec_step_atomic.
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
 Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/riscv/translate.c          | 17 +++++--
+ accel/tcg/internal.h        | 9 +++++++++
- tests/tcg/riscv64/noexec.c        | 79 +++++++++++++++++++++++++++++++
+ accel/tcg/cpu-exec-common.c | 3 +++
- tests/tcg/riscv64/Makefile.target |  1 +
+ accel/tcg/tb-maint.c        | 2 +-
-files changed, 93 insertions(+), 4 deletions(-)
+files changed, 13 insertions(+), 1 deletion(-)
  create mode 100644 tests/tcg/riscv64/noexec.c
-diff --git a/target/riscv/translate.c b/target/riscv/translate.c
+diff --git a/accel/tcg/internal.h b/accel/tcg/internal.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/translate.c
+--- a/accel/tcg/internal.h
-+++ b/target/riscv/translate.c
++++ b/accel/tcg/internal.h
-@@ -XXX,XX +XXX,XX @@ static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
+@@ -XXX,XX +XXX,XX @@ static inline target_ulong log_pc(CPUState *cpu, const TranslationBlock *tb)
      }
      ctx->nftemp = 0;
 +    /* Only the first insn within a TB is allowed to cross a page boundary. */
      if (ctx->base.is_jmp == DISAS_NEXT) {
 -        target_ulong page_start;
 -
 -        page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
 -        if (ctx->base.pc_next - page_start >= TARGET_PAGE_SIZE) {
 +        if (!is_same_page(&ctx->base, ctx->base.pc_next)) {
              ctx->base.is_jmp = DISAS_TOO_MANY;
 +        } else {
 +            unsigned page_ofs = ctx->base.pc_next & ~TARGET_PAGE_MASK;
 +
 +            if (page_ofs > TARGET_PAGE_SIZE - MAX_INSN_LEN) {
 +                uint16_t next_insn = cpu_lduw_code(env, ctx->base.pc_next);
 +                int len = insn_len(next_insn);
 +
 +                if (!is_same_page(&ctx->base, ctx->base.pc_next + len)) {
 +                    ctx->base.is_jmp = DISAS_TOO_MANY;
 +                }
 +            }
          }
      }
  }
-diff --git a/tests/tcg/riscv64/noexec.c b/tests/tcg/riscv64/noexec.c
-new file mode 100644
++/*
-index XXXXXXX..XXXXXXX
++ * Return true if CS is not running in parallel with other cpus, either
---- /dev/null
++ * because there are no other cpus or we are within an exclusive context.
-+++ b/tests/tcg/riscv64/noexec.c
++ */
-@@ -XXX,XX +XXX,XX @@
++static inline bool cpu_in_serial_context(CPUState *cs)
 +#include "../multiarch/noexec.c.inc"
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx)
 +{
-+    return (void *)ctx->__gregs[REG_PC];
++    return !(cs->tcg_cflags & CF_PARALLEL) || cpu_in_exclusive_context(cs);
 +}
 +
-+static int arch_mcontext_arg(const mcontext_t *ctx)
+ extern int64_t max_delay;
-+{
+ extern int64_t max_advance;
-+    return ctx->__gregs[REG_A0];
-+}
+diff --git a/accel/tcg/cpu-exec-common.c b/accel/tcg/cpu-exec-common.c
 +
 +static void arch_flush(void *p, int len)
 +{
 +    __builtin___clear_cache(p, p + len);
 +}
 +
 +extern char noexec_1[];
 +extern char noexec_2[];
 +extern char noexec_end[];
 +
 +asm(".option push\n"
 +    ".option norvc\n"
 +    "noexec_1:\n"
 +    "   li a0,1\n"       /* a0 is 0 on entry, set 1. */
 +    "noexec_2:\n"
 +    "   li a0,2\n"      /* a0 is 0/1; set 2. */
 +    "   ret\n"
 +    "noexec_end:\n"
 +    ".option pop");
 +
 +int main(void)
 +{
 +    struct noexec_test noexec_tests[] = {
 +        {
 +            .name = "fallthrough",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = noexec_1 - noexec_2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2,
 +            .entry_ofs = 0,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = 0,
 +            .expected_arg = 0,
 +        },
 +        {
 +            .name = "fallthrough [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = noexec_1 - noexec_2 - 2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 1,
 +        },
 +        {
 +            .name = "jump [cross]",
 +            .test_code = noexec_1,
 +            .test_len = noexec_end - noexec_1,
 +            .page_ofs = noexec_1 - noexec_2 - 2,
 +            .entry_ofs = -2,
 +            .expected_si_ofs = 0,
 +            .expected_pc_ofs = -2,
 +            .expected_arg = 0,
 +        },
 +    };
 +
 +    return test_noexec(noexec_tests,
 +                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
 +}
 diff --git a/tests/tcg/riscv64/Makefile.target b/tests/tcg/riscv64/Makefile.target
 index XXXXXXX..XXXXXXX 100644
---- a/tests/tcg/riscv64/Makefile.target
+--- a/accel/tcg/cpu-exec-common.c
-+++ b/tests/tcg/riscv64/Makefile.target
++++ b/accel/tcg/cpu-exec-common.c
 @@ -XXX,XX +XXX,XX @@
+ #include "sysemu/tcg.h"
- VPATH += $(SRC_PATH)/tests/tcg/riscv64
+ #include "exec/exec-all.h"
- TESTS += test-div
+ #include "qemu/plugin.h"
-+TESTS += noexec
++#include "internal.h"
  bool tcg_allowed;
@@ -XXX,XX +XXX,XX @@ void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
  void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc)
  {
 +    /* Prevent looping if already executing in a serial context. */
 +    g_assert(!cpu_in_serial_context(cpu));
      cpu->exception_index = EXCP_ATOMIC;
      cpu_loop_exit_restore(cpu, pc);
  }
 diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/tb-maint.c
 +++ b/accel/tcg/tb-maint.c
@@ -XXX,XX +XXX,XX @@ void tb_flush(CPUState *cpu)
      if (tcg_enabled()) {
          unsigned tb_flush_count = qatomic_read(&tb_ctx.tb_flush_count);
 -        if (cpu_in_exclusive_context(cpu)) {
 +        if (cpu_in_serial_context(cpu)) {
              do_tb_flush(cpu, RUN_ON_CPU_HOST_INT(tb_flush_count));
          } else {
              async_safe_run_on_cpu(cpu, do_tb_flush,
 --
 .34.1

-[PULL 19/20] target/riscv: Add MAX_INSN_LEN and insn_len
+[PULL 50/53] accel/tcg: Introduce tlb_read_idx
-These will be useful in properly ending the TB.
+Instead of playing with offsetof in various places, use
 MMUAccessType to index an array.  This is easily defined
 instead of the previous dummy padding array in the union.
-Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/riscv/translate.c | 10 +++++++++-
+ include/exec/cpu-defs.h |   7 ++-
-file changed, 9 insertions(+), 1 deletion(-)
+ include/exec/cpu_ldst.h |  26 ++++++++--
  accel/tcg/cputlb.c      | 104 +++++++++++++---------------------------
 files changed, 59 insertions(+), 78 deletions(-)
-diff --git a/target/riscv/translate.c b/target/riscv/translate.c
+diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
 index XXXXXXX..XXXXXXX 100644
---- a/target/riscv/translate.c
+--- a/include/exec/cpu-defs.h
-+++ b/target/riscv/translate.c
++++ b/include/exec/cpu-defs.h
-@@ -XXX,XX +XXX,XX @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
+@@ -XXX,XX +XXX,XX @@ typedef struct CPUTLBEntry {
- /* Include decoders for factored-out extensions */
+                use the corresponding iotlb value.  */
- #include "decode-XVentanaCondOps.c.inc"
+             uintptr_t addend;
+         };
-+/* The specification allows for longer insns, but not supported by qemu. */
+-        /* padding to get a power of two size */
-+#define MAX_INSN_LEN  4
+-        uint8_t dummy[1 << CPU_TLB_ENTRY_BITS];
 +        /*
 +         * Padding to get a power of two size, as well as index
 +         * access to addr_{read,write,code}.
 +         */
 +        target_ulong addr_idx[(1 << CPU_TLB_ENTRY_BITS) / TARGET_LONG_SIZE];
      };
  } CPUTLBEntry;
 diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
 index XXXXXXX..XXXXXXX 100644
 --- a/include/exec/cpu_ldst.h
 +++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline void clear_helper_retaddr(void)
  /* Needed for TCG_OVERSIZED_GUEST */
  #include "tcg/tcg.h"
 +static inline target_ulong tlb_read_idx(const CPUTLBEntry *entry,
 +                                        MMUAccessType access_type)
 +{
 +    /* Do not rearrange the CPUTLBEntry structure members. */
 +    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) !=
 +                      MMU_DATA_LOAD * TARGET_LONG_SIZE);
 +    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) !=
 +                      MMU_DATA_STORE * TARGET_LONG_SIZE);
 +    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) !=
 +                      MMU_INST_FETCH * TARGET_LONG_SIZE);
 +
-+static inline int insn_len(uint16_t first_word)
++    const target_ulong *ptr = &entry->addr_idx[access_type];
-+{
++#if TCG_OVERSIZED_GUEST
-+    return (first_word & 3) == 3 ? 4 : 2;
++    return *ptr;
 +#else
 +    /* ofs might correspond to .addr_write, so use qatomic_read */
 +    return qatomic_read(ptr);
 +#endif
 +}
 +
- static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
+ static inline target_ulong tlb_addr_write(const CPUTLBEntry *entry)
  {
-     /*
+-#if TCG_OVERSIZED_GUEST
-@@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
+-    return entry->addr_write;
-     };
+-#else
+-    return qatomic_read(&entry->addr_write);
-     /* Check for compressed insn */
+-#endif
--    if (extract16(opcode, 0, 2) != 3) {
++    return tlb_read_idx(entry, MMU_DATA_STORE);
-+    if (insn_len(opcode) == 2) {
+ }
-         if (!has_ext(ctx, RVC)) {
-             gen_exception_illegal(ctx);
+ /* Find the TLB index corresponding to the mmu_idx + address pair.  */
-         } else {
+diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void io_writex(CPUArchState *env, CPUTLBEntryFull *full,
      }
  }
 -static inline target_ulong tlb_read_ofs(CPUTLBEntry *entry, size_t ofs)
 -{
 -#if TCG_OVERSIZED_GUEST
 -    return *(target_ulong *)((uintptr_t)entry + ofs);
 -#else
 -    /* ofs might correspond to .addr_write, so use qatomic_read */
 -    return qatomic_read((target_ulong *)((uintptr_t)entry + ofs));
 -#endif
 -}
 -
  /* Return true if ADDR is present in the victim tlb, and has been copied
     back to the main tlb.  */
  static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
 -                           size_t elt_ofs, target_ulong page)
 +                           MMUAccessType access_type, target_ulong page)
  {
      size_t vidx;
      assert_cpu_is_self(env_cpu(env));
      for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
          CPUTLBEntry *vtlb = &env_tlb(env)->d[mmu_idx].vtable[vidx];
 -        target_ulong cmp;
 -
 -        /* elt_ofs might correspond to .addr_write, so use qatomic_read */
 -#if TCG_OVERSIZED_GUEST
 -        cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
 -#else
 -        cmp = qatomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
 -#endif
 +        target_ulong cmp = tlb_read_idx(vtlb, access_type);
          if (cmp == page) {
              /* Found entry in victim tlb, swap tlb and iotlb.  */
@@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
      return false;
  }
 -/* Macro to call the above, with local variables from the use context.  */
 -#define VICTIM_TLB_HIT(TY, ADDR) \
 -  victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
 -                 (ADDR) & TARGET_PAGE_MASK)
 -
  static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                             CPUTLBEntryFull *full, uintptr_t retaddr)
  {
@@ -XXX,XX +XXX,XX @@ static int probe_access_internal(CPUArchState *env, target_ulong addr,
  {
      uintptr_t index = tlb_index(env, mmu_idx, addr);
      CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 -    target_ulong tlb_addr, page_addr;
 -    size_t elt_ofs;
 -    int flags;
 +    target_ulong tlb_addr = tlb_read_idx(entry, access_type);
 +    target_ulong page_addr = addr & TARGET_PAGE_MASK;
 +    int flags = TLB_FLAGS_MASK;
 -    switch (access_type) {
 -    case MMU_DATA_LOAD:
 -        elt_ofs = offsetof(CPUTLBEntry, addr_read);
 -        break;
 -    case MMU_DATA_STORE:
 -        elt_ofs = offsetof(CPUTLBEntry, addr_write);
 -        break;
 -    case MMU_INST_FETCH:
 -        elt_ofs = offsetof(CPUTLBEntry, addr_code);
 -        break;
 -    default:
 -        g_assert_not_reached();
 -    }
 -    tlb_addr = tlb_read_ofs(entry, elt_ofs);
 -
 -    flags = TLB_FLAGS_MASK;
 -    page_addr = addr & TARGET_PAGE_MASK;
      if (!tlb_hit_page(tlb_addr, page_addr)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) {
 +        if (!victim_tlb_hit(env, mmu_idx, index, access_type, page_addr)) {
              CPUState *cs = env_cpu(env);
              if (!cs->cc->tcg_ops->tlb_fill(cs, addr, fault_size, access_type,
@@ -XXX,XX +XXX,XX @@ static int probe_access_internal(CPUArchState *env, target_ulong addr,
               */
              flags &= ~TLB_INVALID_MASK;
          }
 -        tlb_addr = tlb_read_ofs(entry, elt_ofs);
 +        tlb_addr = tlb_read_idx(entry, access_type);
      }
      flags &= tlb_addr;
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
      if (prot & PAGE_WRITE) {
          tlb_addr = tlb_addr_write(tlbe);
          if (!tlb_hit(tlb_addr, addr)) {
 -            if (!VICTIM_TLB_HIT(addr_write, addr)) {
 +            if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
 +                                addr & TARGET_PAGE_MASK)) {
                  tlb_fill(env_cpu(env), addr, size,
                           MMU_DATA_STORE, mmu_idx, retaddr);
                  index = tlb_index(env, mmu_idx, addr);
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
      } else /* if (prot & PAGE_READ) */ {
          tlb_addr = tlbe->addr_read;
          if (!tlb_hit(tlb_addr, addr)) {
 -            if (!VICTIM_TLB_HIT(addr_read, addr)) {
 +            if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_LOAD,
 +                                addr & TARGET_PAGE_MASK)) {
                  tlb_fill(env_cpu(env), addr, size,
                           MMU_DATA_LOAD, mmu_idx, retaddr);
                  index = tlb_index(env, mmu_idx, addr);
@@ -XXX,XX +XXX,XX @@ load_memop(const void *haddr, MemOp op)
  static inline uint64_t QEMU_ALWAYS_INLINE
  load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 -            uintptr_t retaddr, MemOp op, bool code_read,
 +            uintptr_t retaddr, MemOp op, MMUAccessType access_type,
              FullLoadHelper *full_load)
  {
 -    const size_t tlb_off = code_read ?
 -        offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read);
 -    const MMUAccessType access_type =
 -        code_read ? MMU_INST_FETCH : MMU_DATA_LOAD;
      const unsigned a_bits = get_alignment_bits(get_memop(oi));
      const size_t size = memop_size(op);
      uintptr_t mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
      index = tlb_index(env, mmu_idx, addr);
      entry = tlb_entry(env, mmu_idx, addr);
 -    tlb_addr = code_read ? entry->addr_code : entry->addr_read;
 +    tlb_addr = tlb_read_idx(entry, access_type);
      /* If the TLB entry is for a different page, reload and try again.  */
      if (!tlb_hit(tlb_addr, addr)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
 +        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
                              addr & TARGET_PAGE_MASK)) {
              tlb_fill(env_cpu(env), addr, size,
                       access_type, mmu_idx, retaddr);
              index = tlb_index(env, mmu_idx, addr);
              entry = tlb_entry(env, mmu_idx, addr);
          }
 -        tlb_addr = code_read ? entry->addr_code : entry->addr_read;
 +        tlb_addr = tlb_read_idx(entry, access_type);
          tlb_addr &= ~TLB_INVALID_MASK;
      }
@@ -XXX,XX +XXX,XX @@ static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
                                MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_UB);
 -    return load_helper(env, addr, oi, retaddr, MO_UB, false, full_ldub_mmu);
 +    return load_helper(env, addr, oi, retaddr, MO_UB, MMU_DATA_LOAD,
 +                       full_ldub_mmu);
  }
  tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
                                   MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_LEUW);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUW, false,
 +    return load_helper(env, addr, oi, retaddr, MO_LEUW, MMU_DATA_LOAD,
                         full_le_lduw_mmu);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
                                   MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_BEUW);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUW, false,
 +    return load_helper(env, addr, oi, retaddr, MO_BEUW, MMU_DATA_LOAD,
                         full_be_lduw_mmu);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
                                   MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_LEUL);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUL, false,
 +    return load_helper(env, addr, oi, retaddr, MO_LEUL, MMU_DATA_LOAD,
                         full_le_ldul_mmu);
  }
@@ -XXX,XX +XXX,XX @@ static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
                                   MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_BEUL);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUL, false,
 +    return load_helper(env, addr, oi, retaddr, MO_BEUL, MMU_DATA_LOAD,
                         full_be_ldul_mmu);
  }
@@ -XXX,XX +XXX,XX @@ uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
                             MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_LEUQ);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUQ, false,
 +    return load_helper(env, addr, oi, retaddr, MO_LEUQ, MMU_DATA_LOAD,
                         helper_le_ldq_mmu);
  }
@@ -XXX,XX +XXX,XX @@ uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
                             MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_BEUQ);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUQ, false,
 +    return load_helper(env, addr, oi, retaddr, MO_BEUQ, MMU_DATA_LOAD,
                         helper_be_ldq_mmu);
  }
@@ -XXX,XX +XXX,XX @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
                         uintptr_t retaddr, size_t size, uintptr_t mmu_idx,
                         bool big_endian)
  {
 -    const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
      uintptr_t index, index2;
      CPUTLBEntry *entry, *entry2;
      target_ulong page1, page2, tlb_addr, tlb_addr2;
@@ -XXX,XX +XXX,XX @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
      tlb_addr2 = tlb_addr_write(entry2);
      if (page1 != page2 && !tlb_hit_page(tlb_addr2, page2)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) {
 +        if (!victim_tlb_hit(env, mmu_idx, index2, MMU_DATA_STORE, page2)) {
              tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
                       mmu_idx, retaddr);
              index2 = tlb_index(env, mmu_idx, page2);
@@ -XXX,XX +XXX,XX @@ static inline void QEMU_ALWAYS_INLINE
  store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
               MemOpIdx oi, uintptr_t retaddr, MemOp op)
  {
 -    const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
      const unsigned a_bits = get_alignment_bits(get_memop(oi));
      const size_t size = memop_size(op);
      uintptr_t mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
      /* If the TLB entry is for a different page, reload and try again.  */
      if (!tlb_hit(tlb_addr, addr)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
 +        if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
              addr & TARGET_PAGE_MASK)) {
              tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
                       mmu_idx, retaddr);
@@ -XXX,XX +XXX,XX @@ void cpu_st16_le_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
  static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr,
                                 MemOpIdx oi, uintptr_t retaddr)
  {
 -    return load_helper(env, addr, oi, retaddr, MO_8, true, full_ldub_code);
 +    return load_helper(env, addr, oi, retaddr, MO_8,
 +                       MMU_INST_FETCH, full_ldub_code);
  }
  uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
  static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr,
                                 MemOpIdx oi, uintptr_t retaddr)
  {
 -    return load_helper(env, addr, oi, retaddr, MO_TEUW, true, full_lduw_code);
 +    return load_helper(env, addr, oi, retaddr, MO_TEUW,
 +                       MMU_INST_FETCH, full_lduw_code);
  }
  uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
  static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr,
                                MemOpIdx oi, uintptr_t retaddr)
  {
 -    return load_helper(env, addr, oi, retaddr, MO_TEUL, true, full_ldl_code);
 +    return load_helper(env, addr, oi, retaddr, MO_TEUL,
 +                       MMU_INST_FETCH, full_ldl_code);
  }
  uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
  static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr,
                                MemOpIdx oi, uintptr_t retaddr)
  {
 -    return load_helper(env, addr, oi, retaddr, MO_TEUQ, true, full_ldq_code);
 +    return load_helper(env, addr, oi, retaddr, MO_TEUQ,
 +                       MMU_INST_FETCH, full_ldq_code);
  }
  uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
 --
 .34.1

-[PULL 12/20] accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
+[PULL 51/53] accel/tcg: Reorg system mode load helpers
-Simplify the implementation of get_page_addr_code_hostp
+Instead of trying to unify all operations on uint64_t, pull out
-by reusing the existing probe_access infrastructure.
+mmu_lookup() to perform the basic tlb hit and resolution.
 Create individual functions to handle access by size.
-Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
-Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- accel/tcg/cputlb.c | 76 ++++++++++++++++------------------------------
+ accel/tcg/cputlb.c | 645 +++++++++++++++++++++++++++++----------------
-file changed, 26 insertions(+), 50 deletions(-)
+file changed, 424 insertions(+), 221 deletions(-)
 diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
 --- a/accel/tcg/cputlb.c
 +++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
+@@ -XXX,XX +XXX,XX @@ bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx,
-   victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
-                  (ADDR) & TARGET_PAGE_MASK)
+ #endif
--/*
++/*
-- * Return a ram_addr_t for the virtual address for execution.
++ * Probe for a load/store operation.
-- *
++ * Return the host address and into @flags.
-- * Return -1 if we can't translate and execute from an entire page
++ */
-- * of RAM.  This will force us to execute by loading and translating
++
-- * one insn at a time, without caching.
++typedef struct MMULookupPageData {
-- *
++    CPUTLBEntryFull *full;
-- * NOTE: This function will trigger an exception if the page is
++    void *haddr;
-- * not executable.
++    target_ulong addr;
-- */
++    int flags;
--tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
++    int size;
--                                        void **hostp)
++} MMULookupPageData;
 +
 +typedef struct MMULookupLocals {
 +    MMULookupPageData page[2];
 +    MemOp memop;
 +    int mmu_idx;
 +} MMULookupLocals;
 +
 +/**
 + * mmu_lookup1: translate one page
 + * @env: cpu context
 + * @data: lookup parameters
 + * @mmu_idx: virtual address context
 + * @access_type: load/store/code
 + * @ra: return address into tcg generated code, or 0
 + *
 + * Resolve the translation for the one page at @data.addr, filling in
 + * the rest of @data with the results.  If the translation fails,
 + * tlb_fill will longjmp out.  Return true if the softmmu tlb for
 + * @mmu_idx may have resized.
 + */
 +static bool mmu_lookup1(CPUArchState *env, MMULookupPageData *data,
 +                        int mmu_idx, MMUAccessType access_type, uintptr_t ra)
 +{
 +    target_ulong addr = data->addr;
 +    uintptr_t index = tlb_index(env, mmu_idx, addr);
 +    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
 +    target_ulong tlb_addr = tlb_read_idx(entry, access_type);
 +    bool maybe_resized = false;
 +
 +    /* If the TLB entry is for a different page, reload and try again.  */
 +    if (!tlb_hit(tlb_addr, addr)) {
 +        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
 +                            addr & TARGET_PAGE_MASK)) {
 +            tlb_fill(env_cpu(env), addr, data->size, access_type, mmu_idx, ra);
 +            maybe_resized = true;
 +            index = tlb_index(env, mmu_idx, addr);
 +            entry = tlb_entry(env, mmu_idx, addr);
 +        }
 +        tlb_addr = tlb_read_idx(entry, access_type) & ~TLB_INVALID_MASK;
 +    }
 +
 +    data->flags = tlb_addr & TLB_FLAGS_MASK;
 +    data->full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
 +    /* Compute haddr speculatively; depending on flags it might be invalid. */
 +    data->haddr = (void *)((uintptr_t)addr + entry->addend);
 +
 +    return maybe_resized;
 +}
 +
 +/**
 + * mmu_watch_or_dirty
 + * @env: cpu context
 + * @data: lookup parameters
 + * @access_type: load/store/code
 + * @ra: return address into tcg generated code, or 0
 + *
 + * Trigger watchpoints for @data.addr:@data.size;
 + * record writes to protected clean pages.
 + */
 +static void mmu_watch_or_dirty(CPUArchState *env, MMULookupPageData *data,
 +                               MMUAccessType access_type, uintptr_t ra)
 +{
 +    CPUTLBEntryFull *full = data->full;
 +    target_ulong addr = data->addr;
 +    int flags = data->flags;
 +    int size = data->size;
 +
 +    /* On watchpoint hit, this will longjmp out.  */
 +    if (flags & TLB_WATCHPOINT) {
 +        int wp = access_type == MMU_DATA_STORE ? BP_MEM_WRITE : BP_MEM_READ;
 +        cpu_check_watchpoint(env_cpu(env), addr, size, full->attrs, wp, ra);
 +        flags &= ~TLB_WATCHPOINT;
 +    }
 +
 +    /* Note that notdirty is only set for writes. */
 +    if (flags & TLB_NOTDIRTY) {
 +        notdirty_write(env_cpu(env), addr, size, full, ra);
 +        flags &= ~TLB_NOTDIRTY;
 +    }
 +    data->flags = flags;
 +}
 +
 +/**
 + * mmu_lookup: translate page(s)
 + * @env: cpu context
 + * @addr: virtual address
 + * @oi: combined mmu_idx and MemOp
 + * @ra: return address into tcg generated code, or 0
 + * @access_type: load/store/code
 + * @l: output result
 + *
 + * Resolve the translation for the page(s) beginning at @addr, for MemOp.size
 + * bytes.  Return true if the lookup crosses a page boundary.
 + */
 +static bool mmu_lookup(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 +                       uintptr_t ra, MMUAccessType type, MMULookupLocals *l)
 +{
 +    unsigned a_bits;
 +    bool crosspage;
 +    int flags;
 +
 +    l->memop = get_memop(oi);
 +    l->mmu_idx = get_mmuidx(oi);
 +
 +    tcg_debug_assert(l->mmu_idx < NB_MMU_MODES);
 +
 +    /* Handle CPU specific unaligned behaviour */
 +    a_bits = get_alignment_bits(l->memop);
 +    if (addr & ((1 << a_bits) - 1)) {
 +        cpu_unaligned_access(env_cpu(env), addr, type, l->mmu_idx, ra);
 +    }
 +
 +    l->page[0].addr = addr;
 +    l->page[0].size = memop_size(l->memop);
 +    l->page[1].addr = (addr + l->page[0].size - 1) & TARGET_PAGE_MASK;
 +    l->page[1].size = 0;
 +    crosspage = (addr ^ l->page[1].addr) & TARGET_PAGE_MASK;
 +
 +    if (likely(!crosspage)) {
 +        mmu_lookup1(env, &l->page[0], l->mmu_idx, type, ra);
 +
 +        flags = l->page[0].flags;
 +        if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
 +            mmu_watch_or_dirty(env, &l->page[0], type, ra);
 +        }
 +        if (unlikely(flags & TLB_BSWAP)) {
 +            l->memop ^= MO_BSWAP;
 +        }
 +    } else {
 +        /* Finish compute of page crossing. */
 +        int size0 = l->page[1].addr - addr;
 +        l->page[1].size = l->page[0].size - size0;
 +        l->page[0].size = size0;
 +
 +        /*
 +         * Lookup both pages, recognizing exceptions from either.  If the
 +         * second lookup potentially resized, refresh first CPUTLBEntryFull.
 +         */
 +        mmu_lookup1(env, &l->page[0], l->mmu_idx, type, ra);
 +        if (mmu_lookup1(env, &l->page[1], l->mmu_idx, type, ra)) {
 +            uintptr_t index = tlb_index(env, l->mmu_idx, addr);
 +            l->page[0].full = &env_tlb(env)->d[l->mmu_idx].fulltlb[index];
 +        }
 +
 +        flags = l->page[0].flags | l->page[1].flags;
 +        if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
 +            mmu_watch_or_dirty(env, &l->page[0], type, ra);
 +            mmu_watch_or_dirty(env, &l->page[1], type, ra);
 +        }
 +
 +        /*
 +         * Since target/sparc is the only user of TLB_BSWAP, and all
 +         * Sparc accesses are aligned, any treatment across two pages
 +         * would be arbitrary.  Refuse it until there's a use.
 +         */
 +        tcg_debug_assert((flags & TLB_BSWAP) == 0);
 +    }
 +
 +    return crosspage;
 +}
 +
  /*
   * Probe for an atomic operation.  Do not allow unaligned operations,
   * or io operations to proceed.  Return the host address.
@@ -XXX,XX +XXX,XX @@ load_memop(const void *haddr, MemOp op)
      }
  }
 -static inline uint64_t QEMU_ALWAYS_INLINE
 -load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 -            uintptr_t retaddr, MemOp op, MMUAccessType access_type,
 -            FullLoadHelper *full_load)
 -{
--    uintptr_t mmu_idx = cpu_mmu_index(env, true);
+-    const unsigned a_bits = get_alignment_bits(get_memop(oi));
--    uintptr_t index = tlb_index(env, mmu_idx, addr);
+-    const size_t size = memop_size(op);
--    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+-    uintptr_t mmu_idx = get_mmuidx(oi);
--    void *p;
+-    uintptr_t index;
--
+-    CPUTLBEntry *entry;
--    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
+-    target_ulong tlb_addr;
--        if (!VICTIM_TLB_HIT(addr_code, addr)) {
+-    void *haddr;
--            tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
+-    uint64_t res;
 -
 -    tcg_debug_assert(mmu_idx < NB_MMU_MODES);
 -
 -    /* Handle CPU specific unaligned behaviour */
 -    if (addr & ((1 << a_bits) - 1)) {
 -        cpu_unaligned_access(env_cpu(env), addr, access_type,
 -                             mmu_idx, retaddr);
 -    }
 -
 -    index = tlb_index(env, mmu_idx, addr);
 -    entry = tlb_entry(env, mmu_idx, addr);
 -    tlb_addr = tlb_read_idx(entry, access_type);
 -
 -    /* If the TLB entry is for a different page, reload and try again.  */
 -    if (!tlb_hit(tlb_addr, addr)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
 -                            addr & TARGET_PAGE_MASK)) {
 -            tlb_fill(env_cpu(env), addr, size,
 -                     access_type, mmu_idx, retaddr);
 -            index = tlb_index(env, mmu_idx, addr);
 -            entry = tlb_entry(env, mmu_idx, addr);
--
--            if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
--                /*
--                 * The MMU protection covers a smaller range than a target
--                 * page, so we must redo the MMU check for every insn.
--                 */
--                return -1;
--            }
 -        }
--        assert(tlb_hit(entry->addr_code, addr));
+-        tlb_addr = tlb_read_idx(entry, access_type);
 -        tlb_addr &= ~TLB_INVALID_MASK;
 -    }
 -
--    if (unlikely(entry->addr_code & TLB_MMIO)) {
+-    /* Handle anything that isn't just a straight memory access.  */
--        /* The region is not backed by RAM.  */
+-    if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
--        if (hostp) {
+-        CPUTLBEntryFull *full;
--            *hostp = NULL;
+-        bool need_swap;
 -
 -        /* For anything that is unaligned, recurse through full_load.  */
 -        if ((addr & (size - 1)) != 0) {
 -            goto do_unaligned_access;
 -        }
--        return -1;
+-
 -        full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
 -
 -        /* Handle watchpoints.  */
 -        if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
 -            /* On watchpoint hit, this will longjmp out.  */
 -            cpu_check_watchpoint(env_cpu(env), addr, size,
 -                                 full->attrs, BP_MEM_READ, retaddr);
 -        }
 -
 -        need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
 -
 -        /* Handle I/O access.  */
 -        if (likely(tlb_addr & TLB_MMIO)) {
 -            return io_readx(env, full, mmu_idx, addr, retaddr,
 -                            access_type, op ^ (need_swap * MO_BSWAP));
 -        }
 -
 -        haddr = (void *)((uintptr_t)addr + entry->addend);
 -
 -        /*
 -         * Keep these two load_memop separate to ensure that the compiler
 -         * is able to fold the entire function to a single instruction.
 -         * There is a build-time assert inside to remind you of this.  ;-)
 -         */
 -        if (unlikely(need_swap)) {
 -            return load_memop(haddr, op ^ MO_BSWAP);
 -        }
 -        return load_memop(haddr, op);
 -    }
 -
--    p = (void *)((uintptr_t)addr + entry->addend);
+-    /* Handle slow unaligned access (it spans two pages or IO).  */
--    if (hostp) {
+-    if (size > 1
--        *hostp = p;
+-        && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
 -                    >= TARGET_PAGE_SIZE)) {
 -        target_ulong addr1, addr2;
 -        uint64_t r1, r2;
 -        unsigned shift;
 -    do_unaligned_access:
 -        addr1 = addr & ~((target_ulong)size - 1);
 -        addr2 = addr1 + size;
 -        r1 = full_load(env, addr1, oi, retaddr);
 -        r2 = full_load(env, addr2, oi, retaddr);
 -        shift = (addr & (size - 1)) * 8;
 -
 -        if (memop_big_endian(op)) {
 -            /* Big-endian combine.  */
 -            res = (r1 << shift) | (r2 >> ((size * 8) - shift));
 -        } else {
 -            /* Little-endian combine.  */
 -            res = (r1 >> shift) | (r2 << ((size * 8) - shift));
 -        }
 -        return res & MAKE_64BIT_MASK(0, size * 8);
 -    }
--    return qemu_ram_addr_from_host_nofail(p);
+-
 -    haddr = (void *)((uintptr_t)addr + entry->addend);
 -    return load_memop(haddr, op);
 -}
 -
- static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
+ /*
-                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
+  * For the benefit of TCG generated code, we want to avoid the
- {
+  * complication of ABI-specific return type promotion and always
-@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
+@@ -XXX,XX +XXX,XX @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
-     return flags ? NULL : host;
+  * We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
- }
+  */
 -static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
 -                              MemOpIdx oi, uintptr_t retaddr)
 +/**
 + * do_ld_mmio_beN:
 + * @env: cpu context
 + * @p: translation parameters
 + * @ret_be: accumulated data
 + * @mmu_idx: virtual address context
 + * @ra: return address into tcg generated code, or 0
 + *
 + * Load @p->size bytes from @p->addr, which is memory-mapped i/o.
 + * The bytes are concatenated in big-endian order with @ret_be.
 + */
 +static uint64_t do_ld_mmio_beN(CPUArchState *env, MMULookupPageData *p,
 +                               uint64_t ret_be, int mmu_idx,
 +                               MMUAccessType type, uintptr_t ra)
  {
 -    validate_memop(oi, MO_UB);
 -    return load_helper(env, addr, oi, retaddr, MO_UB, MMU_DATA_LOAD,
 -                       full_ldub_mmu);
 +    CPUTLBEntryFull *full = p->full;
 +    target_ulong addr = p->addr;
 +    int i, size = p->size;
 +
 +    QEMU_IOTHREAD_LOCK_GUARD();
 +    for (i = 0; i < size; i++) {
 +        uint8_t x = io_readx(env, full, mmu_idx, addr + i, ra, type, MO_UB);
 +        ret_be = (ret_be << 8) | x;
 +    }
 +    return ret_be;
 +}
 +
 +/**
 + * do_ld_bytes_beN
 + * @p: translation parameters
 + * @ret_be: accumulated data
 + *
 + * Load @p->size bytes from @p->haddr, which is RAM.
 + * The bytes to concatenated in big-endian order with @ret_be.
 + */
 +static uint64_t do_ld_bytes_beN(MMULookupPageData *p, uint64_t ret_be)
 +{
 +    uint8_t *haddr = p->haddr;
 +    int i, size = p->size;
 +
 +    for (i = 0; i < size; i++) {
 +        ret_be = (ret_be << 8) | haddr[i];
 +    }
 +    return ret_be;
 +}
 +
 +/*
-+ * Return a ram_addr_t for the virtual address for execution.
++ * Wrapper for the above.
 + *
 + * Return -1 if we can't translate and execute from an entire page
 + * of RAM.  This will force us to execute by loading and translating
 + * one insn at a time, without caching.
 + *
 + * NOTE: This function will trigger an exception if the page is
 + * not executable.
 + */
-+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
++static uint64_t do_ld_beN(CPUArchState *env, MMULookupPageData *p,
-+                                        void **hostp)
++                          uint64_t ret_be, int mmu_idx,
-+{
++                          MMUAccessType type, uintptr_t ra)
-+    void *p;
++{
-+
++    if (unlikely(p->flags & TLB_MMIO)) {
-+    (void)probe_access_internal(env, addr, 1, MMU_INST_FETCH,
++        return do_ld_mmio_beN(env, p, ret_be, mmu_idx, type, ra);
-+                                cpu_mmu_index(env, true), false, &p, 0);
++    } else {
-+    if (p == NULL) {
++        return do_ld_bytes_beN(p, ret_be);
-+        return -1;
++    }
-+    }
++}
-+    if (hostp) {
++
-+        *hostp = p;
++static uint8_t do_ld_1(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
-+    }
++                       MMUAccessType type, uintptr_t ra)
-+    return qemu_ram_addr_from_host_nofail(p);
++{
-+}
++    if (unlikely(p->flags & TLB_MMIO)) {
-+
++        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, MO_UB);
- #ifdef CONFIG_PLUGIN
++    } else {
 +        return *(uint8_t *)p->haddr;
 +    }
 +}
 +
 +static uint16_t do_ld_2(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
 +                        MMUAccessType type, MemOp memop, uintptr_t ra)
 +{
 +    uint64_t ret;
 +
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
 +    }
 +
 +    /* Perform the load host endian, then swap if necessary. */
 +    ret = load_memop(p->haddr, MO_UW);
 +    if (memop & MO_BSWAP) {
 +        ret = bswap16(ret);
 +    }
 +    return ret;
 +}
 +
 +static uint32_t do_ld_4(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
 +                        MMUAccessType type, MemOp memop, uintptr_t ra)
 +{
 +    uint32_t ret;
 +
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
 +    }
 +
 +    /* Perform the load host endian. */
 +    ret = load_memop(p->haddr, MO_UL);
 +    if (memop & MO_BSWAP) {
 +        ret = bswap32(ret);
 +    }
 +    return ret;
 +}
 +
 +static uint64_t do_ld_8(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
 +                        MMUAccessType type, MemOp memop, uintptr_t ra)
 +{
 +    uint64_t ret;
 +
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
 +    }
 +
 +    /* Perform the load host endian. */
 +    ret = load_memop(p->haddr, MO_UQ);
 +    if (memop & MO_BSWAP) {
 +        ret = bswap64(ret);
 +    }
 +    return ret;
 +}
 +
 +static uint8_t do_ld1_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 +                          uintptr_t ra, MMUAccessType access_type)
 +{
 +    MMULookupLocals l;
 +    bool crosspage;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
 +    tcg_debug_assert(!crosspage);
 +
 +    return do_ld_1(env, &l.page[0], l.mmu_idx, access_type, ra);
  }
  tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
                                       MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_ldub_mmu(env, addr, oi, retaddr);
 +    validate_memop(oi, MO_UB);
 +    return do_ld1_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
 -static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
 -                                 MemOpIdx oi, uintptr_t retaddr)
 +static uint16_t do_ld2_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 +                           uintptr_t ra, MMUAccessType access_type)
  {
 -    validate_memop(oi, MO_LEUW);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUW, MMU_DATA_LOAD,
 -                       full_le_lduw_mmu);
 +    MMULookupLocals l;
 +    bool crosspage;
 +    uint16_t ret;
 +    uint8_t a, b;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
 +    if (likely(!crosspage)) {
 +        return do_ld_2(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
 +    }
 +
 +    a = do_ld_1(env, &l.page[0], l.mmu_idx, access_type, ra);
 +    b = do_ld_1(env, &l.page[1], l.mmu_idx, access_type, ra);
 +
 +    if ((l.memop & MO_BSWAP) == MO_LE) {
 +        ret = a | (b << 8);
 +    } else {
 +        ret = b | (a << 8);
 +    }
 +    return ret;
  }
  tcg_target_ulong helper_le_lduw_mmu(CPUArchState *env, target_ulong addr,
                                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_le_lduw_mmu(env, addr, oi, retaddr);
 -}
 -
 -static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
 -                                 MemOpIdx oi, uintptr_t retaddr)
 -{
 -    validate_memop(oi, MO_BEUW);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUW, MMU_DATA_LOAD,
 -                       full_be_lduw_mmu);
 +    validate_memop(oi, MO_LEUW);
 +    return do_ld2_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
  tcg_target_ulong helper_be_lduw_mmu(CPUArchState *env, target_ulong addr,
                                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_be_lduw_mmu(env, addr, oi, retaddr);
 +    validate_memop(oi, MO_BEUW);
 +    return do_ld2_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
 -static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
 -                                 MemOpIdx oi, uintptr_t retaddr)
 +static uint32_t do_ld4_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 +                           uintptr_t ra, MMUAccessType access_type)
  {
 -    validate_memop(oi, MO_LEUL);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUL, MMU_DATA_LOAD,
 -                       full_le_ldul_mmu);
 +    MMULookupLocals l;
 +    bool crosspage;
 +    uint32_t ret;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
 +    if (likely(!crosspage)) {
 +        return do_ld_4(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
 +    }
 +
 +    ret = do_ld_beN(env, &l.page[0], 0, l.mmu_idx, access_type, ra);
 +    ret = do_ld_beN(env, &l.page[1], ret, l.mmu_idx, access_type, ra);
 +    if ((l.memop & MO_BSWAP) == MO_LE) {
 +        ret = bswap32(ret);
 +    }
 +    return ret;
  }
  tcg_target_ulong helper_le_ldul_mmu(CPUArchState *env, target_ulong addr,
                                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_le_ldul_mmu(env, addr, oi, retaddr);
 -}
 -
 -static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
 -                                 MemOpIdx oi, uintptr_t retaddr)
 -{
 -    validate_memop(oi, MO_BEUL);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUL, MMU_DATA_LOAD,
 -                       full_be_ldul_mmu);
 +    validate_memop(oi, MO_LEUL);
 +    return do_ld4_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
  tcg_target_ulong helper_be_ldul_mmu(CPUArchState *env, target_ulong addr,
                                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_be_ldul_mmu(env, addr, oi, retaddr);
 +    validate_memop(oi, MO_BEUL);
 +    return do_ld4_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 +}
 +
 +static uint64_t do_ld8_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 +                           uintptr_t ra, MMUAccessType access_type)
 +{
 +    MMULookupLocals l;
 +    bool crosspage;
 +    uint64_t ret;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
 +    if (likely(!crosspage)) {
 +        return do_ld_8(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
 +    }
 +
 +    ret = do_ld_beN(env, &l.page[0], 0, l.mmu_idx, access_type, ra);
 +    ret = do_ld_beN(env, &l.page[1], ret, l.mmu_idx, access_type, ra);
 +    if ((l.memop & MO_BSWAP) == MO_LE) {
 +        ret = bswap64(ret);
 +    }
 +    return ret;
  }
  uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
                             MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_LEUQ);
 -    return load_helper(env, addr, oi, retaddr, MO_LEUQ, MMU_DATA_LOAD,
 -                       helper_le_ldq_mmu);
 +    return do_ld8_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
  uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
                             MemOpIdx oi, uintptr_t retaddr)
  {
      validate_memop(oi, MO_BEUQ);
 -    return load_helper(env, addr, oi, retaddr, MO_BEUQ, MMU_DATA_LOAD,
 -                       helper_be_ldq_mmu);
 +    return do_ld8_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
  }
  /*
-  * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
+@@ -XXX,XX +XXX,XX @@ tcg_target_ulong helper_be_ldsl_mmu(CPUArchState *env, target_ulong addr,
   * Load helpers for cpu_ldst.h.
   */
 -static inline uint64_t cpu_load_helper(CPUArchState *env, abi_ptr addr,
 -                                       MemOpIdx oi, uintptr_t retaddr,
 -                                       FullLoadHelper *full_load)
 +static void plugin_load_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
  {
 -    uint64_t ret;
 -
 -    ret = full_load(env, addr, oi, retaddr);
      qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_R);
 -    return ret;
  }
  uint8_t cpu_ldb_mmu(CPUArchState *env, abi_ptr addr, MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, full_ldub_mmu);
 +    uint8_t ret;
 +
 +    validate_memop(oi, MO_UB);
 +    ret = do_ld1_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint16_t cpu_ldw_be_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, full_be_lduw_mmu);
 +    uint16_t ret;
 +
 +    validate_memop(oi, MO_BEUW);
 +    ret = do_ld2_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint32_t cpu_ldl_be_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, full_be_ldul_mmu);
 +    uint32_t ret;
 +
 +    validate_memop(oi, MO_BEUL);
 +    ret = do_ld4_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint64_t cpu_ldq_be_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, helper_be_ldq_mmu);
 +    uint64_t ret;
 +
 +    validate_memop(oi, MO_BEUQ);
 +    ret = do_ld8_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint16_t cpu_ldw_le_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, full_le_lduw_mmu);
 +    uint16_t ret;
 +
 +    validate_memop(oi, MO_LEUW);
 +    ret = do_ld2_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint32_t cpu_ldl_le_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, full_le_ldul_mmu);
 +    uint32_t ret;
 +
 +    validate_memop(oi, MO_LEUL);
 +    ret = do_ld4_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  uint64_t cpu_ldq_le_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t ra)
  {
 -    return cpu_load_helper(env, addr, oi, ra, helper_le_ldq_mmu);
 +    uint64_t ret;
 +
 +    validate_memop(oi, MO_LEUQ);
 +    ret = do_ld8_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
 +    plugin_load_cb(env, addr, oi);
 +    return ret;
  }
  Int128 cpu_ld16_be_mmu(CPUArchState *env, abi_ptr addr,
@@ -XXX,XX +XXX,XX @@ void cpu_st16_le_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
  /* Code access functions.  */
 -static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr,
 -                               MemOpIdx oi, uintptr_t retaddr)
 -{
 -    return load_helper(env, addr, oi, retaddr, MO_8,
 -                       MMU_INST_FETCH, full_ldub_code);
 -}
 -
  uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
  {
      MemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(env, true));
 -    return full_ldub_code(env, addr, oi, 0);
 -}
 -
 -static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr,
 -                               MemOpIdx oi, uintptr_t retaddr)
 -{
 -    return load_helper(env, addr, oi, retaddr, MO_TEUW,
 -                       MMU_INST_FETCH, full_lduw_code);
 +    return do_ld1_mmu(env, addr, oi, 0, MMU_INST_FETCH);
  }
  uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
  {
      MemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(env, true));
 -    return full_lduw_code(env, addr, oi, 0);
 -}
 -
 -static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr,
 -                              MemOpIdx oi, uintptr_t retaddr)
 -{
 -    return load_helper(env, addr, oi, retaddr, MO_TEUL,
 -                       MMU_INST_FETCH, full_ldl_code);
 +    return do_ld2_mmu(env, addr, oi, 0, MMU_INST_FETCH);
  }
  uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
  {
      MemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(env, true));
 -    return full_ldl_code(env, addr, oi, 0);
 -}
 -
 -static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr,
 -                              MemOpIdx oi, uintptr_t retaddr)
 -{
 -    return load_helper(env, addr, oi, retaddr, MO_TEUQ,
 -                       MMU_INST_FETCH, full_ldq_code);
 +    return do_ld4_mmu(env, addr, oi, 0, MMU_INST_FETCH);
  }
  uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
  {
      MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(env, true));
 -    return full_ldq_code(env, addr, oi, 0);
 +    return do_ld8_mmu(env, addr, oi, 0, MMU_INST_FETCH);
  }
  uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
                           MemOpIdx oi, uintptr_t retaddr)
  {
 -    return full_ldub_code(env, addr, oi, retaddr);
 +    return do_ld1_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
  }
  uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
                            MemOpIdx oi, uintptr_t retaddr)
  {
 -    MemOp mop = get_memop(oi);
 -    int idx = get_mmuidx(oi);
 -    uint16_t ret;
 -
 -    ret = full_lduw_code(env, addr, make_memop_idx(MO_TEUW, idx), retaddr);
 -    if ((mop & MO_BSWAP) != MO_TE) {
 -        ret = bswap16(ret);
 -    }
 -    return ret;
 +    return do_ld2_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
  }
  uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
                            MemOpIdx oi, uintptr_t retaddr)
  {
 -    MemOp mop = get_memop(oi);
 -    int idx = get_mmuidx(oi);
 -    uint32_t ret;
 -
 -    ret = full_ldl_code(env, addr, make_memop_idx(MO_TEUL, idx), retaddr);
 -    if ((mop & MO_BSWAP) != MO_TE) {
 -        ret = bswap32(ret);
 -    }
 -    return ret;
 +    return do_ld4_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
  }
  uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
                            MemOpIdx oi, uintptr_t retaddr)
  {
 -    MemOp mop = get_memop(oi);
 -    int idx = get_mmuidx(oi);
 -    uint64_t ret;
 -
 -    ret = full_ldq_code(env, addr, make_memop_idx(MO_TEUQ, idx), retaddr);
 -    if ((mop & MO_BSWAP) != MO_TE) {
 -        ret = bswap64(ret);
 -    }
 -    return ret;
 +    return do_ld8_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
  }
 --
 .34.1

-[PULL 18/20] target/i386: Make translator stop before the end of a page
+[PULL 52/53] accel/tcg: Reorg system mode store helpers
-From: Ilya Leoshkevich <iii@linux.ibm.com>
+Instead of trying to unify all operations on uint64_t, use
 mmu_lookup() to perform the basic tlb hit and resolution.
 Create individual functions to handle access by size.
-Right now translator stops right *after* the end of a page, which
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 breaks reporting of fault locations when the last instruction of a
 multi-insn translation block crosses a page boundary.
 An implementation, like the one arm and s390x have, would require an
 i386 length disassembler, which is burdensome to maintain. Another
 alternative would be to single-step at the end of a guest page, but
 this may come with a performance impact.
 Fix by snapshotting disassembly state and restoring it after we figure
 out we crossed a page boundary. This includes rolling back cc_op
 updates and emitted ops.
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1143
 Message-Id: <20220817150506.592862-4-iii@linux.ibm.com>
 [rth: Simplify end-of-insn cross-page checks.]
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- target/i386/tcg/translate.c      | 64 ++++++++++++++++-----------
+ accel/tcg/cputlb.c | 408 +++++++++++++++++++++------------------------
- tests/tcg/x86_64/noexec.c        | 75 ++++++++++++++++++++++++++++++++
+file changed, 193 insertions(+), 215 deletions(-)
  tests/tcg/x86_64/Makefile.target |  3 +-
 files changed, 116 insertions(+), 26 deletions(-)
  create mode 100644 tests/tcg/x86_64/noexec.c
-diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
+diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
 index XXXXXXX..XXXXXXX 100644
---- a/target/i386/tcg/translate.c
+--- a/accel/tcg/cputlb.c
-+++ b/target/i386/tcg/translate.c
++++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
+@@ -XXX,XX +XXX,XX @@ store_memop(void *haddr, uint64_t val, MemOp op)
      TCGv_i64 tmp1_i64;
      sigjmp_buf jmpbuf;
 +    TCGOp *prev_insn_end;
  } DisasContext;
  /* The environment in which user-only runs is constrained. */
@@ -XXX,XX +XXX,XX @@ static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
  {
      uint64_t pc = s->pc;
 +    /* This is a subsequent insn that crosses a page boundary.  */
 +    if (s->base.num_insns > 1 &&
 +        !is_same_page(&s->base, s->pc + num_bytes - 1)) {
 +        siglongjmp(s->jmpbuf, 2);
 +    }
 +
      s->pc += num_bytes;
      if (unlikely(s->pc - s->pc_start > X86_MAX_INSN_LENGTH)) {
          /* If the instruction's 16th byte is on a different page than the 1st, a
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
      int modrm, reg, rm, mod, op, opreg, val;
      target_ulong next_eip, tval;
      target_ulong pc_start = s->base.pc_next;
 +    bool orig_cc_op_dirty = s->cc_op_dirty;
 +    CCOp orig_cc_op = s->cc_op;
      s->pc_start = s->pc = pc_start;
      s->override = -1;
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
      s->rip_offset = 0; /* for relative ip address */
      s->vex_l = 0;
      s->vex_v = 0;
 -    if (sigsetjmp(s->jmpbuf, 0) != 0) {
 +    switch (sigsetjmp(s->jmpbuf, 0)) {
 +    case 0:
 +        break;
 +    case 1:
          gen_exception_gpf(s);
          return s->pc;
 +    case 2:
 +        /* Restore state that may affect the next instruction. */
 +        s->cc_op_dirty = orig_cc_op_dirty;
 +        s->cc_op = orig_cc_op;
 +        s->base.num_insns--;
 +        tcg_remove_ops_after(s->prev_insn_end);
 +        s->base.is_jmp = DISAS_TOO_MANY;
 +        return pc_start;
 +    default:
 +        g_assert_not_reached();
      }
+ }
-     prefixes = 0;
-@@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
+-static void full_stb_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
- {
+-                         MemOpIdx oi, uintptr_t retaddr);
-     DisasContext *dc = container_of(dcbase, DisasContext, base);
+-
+-static void __attribute__((noinline))
-+    dc->prev_insn_end = tcg_last_op();
+-store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
-     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
+-                       uintptr_t retaddr, size_t size, uintptr_t mmu_idx,
- }
+-                       bool big_endian)
++/**
-@@ -XXX,XX +XXX,XX @@ static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
++ * do_st_mmio_leN:
- #endif
++ * @env: cpu context
++ * @p: translation parameters
-     pc_next = disas_insn(dc, cpu);
++ * @val_le: data to store
--
++ * @mmu_idx: virtual address context
--    if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
++ * @ra: return address into tcg generated code, or 0
--        /* if single step mode, we generate only one instruction and
++ *
--           generate an exception */
++ * Store @p->size bytes at @p->addr, which is memory-mapped i/o.
--        /* if irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
++ * The bytes to store are extracted in little-endian order from @val_le;
--           the flag and abort the translation to give the irqs a
++ * return the bytes of @val_le beyond @p->size that have not been stored.
--           chance to happen */
++ */
--        dc->base.is_jmp = DISAS_TOO_MANY;
++static uint64_t do_st_mmio_leN(CPUArchState *env, MMULookupPageData *p,
--    } else if ((tb_cflags(dc->base.tb) & CF_USE_ICOUNT)
++                               uint64_t val_le, int mmu_idx, uintptr_t ra)
--               && ((pc_next & TARGET_PAGE_MASK)
+ {
--                   != ((pc_next + TARGET_MAX_INSN_SIZE - 1)
+-    uintptr_t index, index2;
--                       & TARGET_PAGE_MASK)
+-    CPUTLBEntry *entry, *entry2;
--                   || (pc_next & ~TARGET_PAGE_MASK) == 0)) {
+-    target_ulong page1, page2, tlb_addr, tlb_addr2;
--        /* Do not cross the boundary of the pages in icount mode,
+-    MemOpIdx oi;
--           it can cause an exception. Do it only when boundary is
+-    size_t size2;
--           crossed by the first instruction in the block.
+-    int i;
--           If current instruction already crossed the bound - it's ok,
++    CPUTLBEntryFull *full = p->full;
--           because an exception hasn't stopped this code.
++    target_ulong addr = p->addr;
 +    int i, size = p->size;
 -    /*
 -     * Ensure the second page is in the TLB.  Note that the first page
 -     * is already guaranteed to be filled, and that the second page
 -     * cannot evict the first.  An exception to this rule is PAGE_WRITE_INV
 -     * handling: the first page could have evicted itself.
 -     */
 -    page1 = addr & TARGET_PAGE_MASK;
 -    page2 = (addr + size) & TARGET_PAGE_MASK;
 -    size2 = (addr + size) & ~TARGET_PAGE_MASK;
 -    index2 = tlb_index(env, mmu_idx, page2);
 -    entry2 = tlb_entry(env, mmu_idx, page2);
 -
 -    tlb_addr2 = tlb_addr_write(entry2);
 -    if (page1 != page2 && !tlb_hit_page(tlb_addr2, page2)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index2, MMU_DATA_STORE, page2)) {
 -            tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
 -                     mmu_idx, retaddr);
 -            index2 = tlb_index(env, mmu_idx, page2);
 -            entry2 = tlb_entry(env, mmu_idx, page2);
 -        }
 -        tlb_addr2 = tlb_addr_write(entry2);
 +    QEMU_IOTHREAD_LOCK_GUARD();
 +    for (i = 0; i < size; i++, val_le >>= 8) {
 +        io_writex(env, full, mmu_idx, val_le, addr + i, ra, MO_UB);
      }
 +    return val_le;
 +}
 -    index = tlb_index(env, mmu_idx, addr);
 -    entry = tlb_entry(env, mmu_idx, addr);
 -    tlb_addr = tlb_addr_write(entry);
 +/**
 + * do_st_bytes_leN:
 + * @p: translation parameters
 + * @val_le: data to store
 + *
 + * Store @p->size bytes at @p->haddr, which is RAM.
 + * The bytes to store are extracted in little-endian order from @val_le;
 + * return the bytes of @val_le beyond @p->size that have not been stored.
 + */
 +static uint64_t do_st_bytes_leN(MMULookupPageData *p, uint64_t val_le)
 +{
 +    uint8_t *haddr = p->haddr;
 +    int i, size = p->size;
 -    /*
 -     * Handle watchpoints.  Since this may trap, all checks
 -     * must happen before any store.
 -     */
 -    if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
 -        cpu_check_watchpoint(env_cpu(env), addr, size - size2,
 -                             env_tlb(env)->d[mmu_idx].fulltlb[index].attrs,
 -                             BP_MEM_WRITE, retaddr);
 -    }
 -    if (unlikely(tlb_addr2 & TLB_WATCHPOINT)) {
 -        cpu_check_watchpoint(env_cpu(env), page2, size2,
 -                             env_tlb(env)->d[mmu_idx].fulltlb[index2].attrs,
 -                             BP_MEM_WRITE, retaddr);
 +    for (i = 0; i < size; i++, val_le >>= 8) {
 +        haddr[i] = val_le;
      }
 +    return val_le;
 +}
 -    /*
 -     * XXX: not efficient, but simple.
 -     * This loop must go in the forward direction to avoid issues
 -     * with self-modifying code in Windows 64-bit.
 -     */
 -    oi = make_memop_idx(MO_UB, mmu_idx);
 -    if (big_endian) {
 -        for (i = 0; i < size; ++i) {
 -            /* Big-endian extract.  */
 -            uint8_t val8 = val >> (((size - 1) * 8) - (i * 8));
 -            full_stb_mmu(env, addr + i, val8, oi, retaddr);
 -        }
 +/*
 + * Wrapper for the above.
 + */
 +static uint64_t do_st_leN(CPUArchState *env, MMULookupPageData *p,
 +                          uint64_t val_le, int mmu_idx, uintptr_t ra)
 +{
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        return do_st_mmio_leN(env, p, val_le, mmu_idx, ra);
 +    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
 +        return val_le >> (p->size * 8);
      } else {
 -        for (i = 0; i < size; ++i) {
 -            /* Little-endian extract.  */
 -            uint8_t val8 = val >> (i * 8);
 -            full_stb_mmu(env, addr + i, val8, oi, retaddr);
 -        }
 +        return do_st_bytes_leN(p, val_le);
      }
  }
 -static inline void QEMU_ALWAYS_INLINE
 -store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
 -             MemOpIdx oi, uintptr_t retaddr, MemOp op)
 +static void do_st_1(CPUArchState *env, MMULookupPageData *p, uint8_t val,
 +                    int mmu_idx, uintptr_t ra)
  {
 -    const unsigned a_bits = get_alignment_bits(get_memop(oi));
 -    const size_t size = memop_size(op);
 -    uintptr_t mmu_idx = get_mmuidx(oi);
 -    uintptr_t index;
 -    CPUTLBEntry *entry;
 -    target_ulong tlb_addr;
 -    void *haddr;
 -
 -    tcg_debug_assert(mmu_idx < NB_MMU_MODES);
 -
 -    /* Handle CPU specific unaligned behaviour */
 -    if (addr & ((1 << a_bits) - 1)) {
 -        cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
 -                             mmu_idx, retaddr);
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        io_writex(env, p->full, mmu_idx, val, p->addr, ra, MO_UB);
 +    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
 +        /* nothing */
 +    } else {
 +        *(uint8_t *)p->haddr = val;
      }
 -
 -    index = tlb_index(env, mmu_idx, addr);
 -    entry = tlb_entry(env, mmu_idx, addr);
 -    tlb_addr = tlb_addr_write(entry);
 -
 -    /* If the TLB entry is for a different page, reload and try again.  */
 -    if (!tlb_hit(tlb_addr, addr)) {
 -        if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
 -            addr & TARGET_PAGE_MASK)) {
 -            tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
 -                     mmu_idx, retaddr);
 -            index = tlb_index(env, mmu_idx, addr);
 -            entry = tlb_entry(env, mmu_idx, addr);
 -        }
 -        tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK;
 -    }
 -
 -    /* Handle anything that isn't just a straight memory access.  */
 -    if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
 -        CPUTLBEntryFull *full;
 -        bool need_swap;
 -
 -        /* For anything that is unaligned, recurse through byte stores.  */
 -        if ((addr & (size - 1)) != 0) {
 -            goto do_unaligned_access;
 -        }
 -
 -        full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
 -
 -        /* Handle watchpoints.  */
 -        if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
 -            /* On watchpoint hit, this will longjmp out.  */
 -            cpu_check_watchpoint(env_cpu(env), addr, size,
 -                                 full->attrs, BP_MEM_WRITE, retaddr);
 -        }
 -
 -        need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
 -
 -        /* Handle I/O access.  */
 -        if (tlb_addr & TLB_MMIO) {
 -            io_writex(env, full, mmu_idx, val, addr, retaddr,
 -                      op ^ (need_swap * MO_BSWAP));
 -            return;
 -        }
 -
 -        /* Ignore writes to ROM.  */
 -        if (unlikely(tlb_addr & TLB_DISCARD_WRITE)) {
 -            return;
 -        }
 -
 -        /* Handle clean RAM pages.  */
 -        if (tlb_addr & TLB_NOTDIRTY) {
 -            notdirty_write(env_cpu(env), addr, size, full, retaddr);
 -        }
 -
 -        haddr = (void *)((uintptr_t)addr + entry->addend);
 -
 -        /*
 -         * Keep these two store_memop separate to ensure that the compiler
 -         * is able to fold the entire function to a single instruction.
 -         * There is a build-time assert inside to remind you of this.  ;-)
 -         */
--        dc->base.is_jmp = DISAS_TOO_MANY;
+-        if (unlikely(need_swap)) {
--    } else if ((pc_next - dc->base.pc_first) >= (TARGET_PAGE_SIZE - 32)) {
+-            store_memop(haddr, val, op ^ MO_BSWAP);
--        dc->base.is_jmp = DISAS_TOO_MANY;
+-        } else {
 -            store_memop(haddr, val, op);
 -        }
 -        return;
 -    }
 -
-     dc->base.pc_next = pc_next;
+-    /* Handle slow unaligned access (it spans two pages or IO).  */
-+
+-    if (size > 1
-+    if (dc->base.is_jmp == DISAS_NEXT) {
+-        && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
-+        if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
+-                     >= TARGET_PAGE_SIZE)) {
-+            /*
+-    do_unaligned_access:
-+             * If single step mode, we generate only one instruction and
+-        store_helper_unaligned(env, addr, val, retaddr, size,
-+             * generate an exception.
+-                               mmu_idx, memop_big_endian(op));
-+             * If irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
+-        return;
-+             * the flag and abort the translation to give the irqs a
+-    }
-+             * chance to happen.
+-
-+             */
+-    haddr = (void *)((uintptr_t)addr + entry->addend);
-+            dc->base.is_jmp = DISAS_TOO_MANY;
+-    store_memop(haddr, val, op);
-+        } else if (!is_same_page(&dc->base, pc_next)) {
+ }
-+            dc->base.is_jmp = DISAS_TOO_MANY;
 -static void __attribute__((noinline))
 -full_stb_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 -             MemOpIdx oi, uintptr_t retaddr)
 +static void do_st_2(CPUArchState *env, MMULookupPageData *p, uint16_t val,
 +                    int mmu_idx, MemOp memop, uintptr_t ra)
  {
 -    validate_memop(oi, MO_UB);
 -    store_helper(env, addr, val, oi, retaddr, MO_UB);
 +    if (unlikely(p->flags & TLB_MMIO)) {
 +        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
 +    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
 +        /* nothing */
 +    } else {
 +        /* Swap to host endian if necessary, then store. */
 +        if (memop & MO_BSWAP) {
 +            val = bswap16(val);
 +        }
-+    }
++        store_memop(p->haddr, val, MO_UW);
- }
++    }
++}
- static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
++
-diff --git a/tests/tcg/x86_64/noexec.c b/tests/tcg/x86_64/noexec.c
++static void do_st_4(CPUArchState *env, MMULookupPageData *p, uint32_t val,
-new file mode 100644
++                    int mmu_idx, MemOp memop, uintptr_t ra)
 index XXXXXXX..XXXXXXX
 --- /dev/null
 +++ b/tests/tcg/x86_64/noexec.c
@@ -XXX,XX +XXX,XX @@
 +#include "../multiarch/noexec.c.inc"
 +
 +static void *arch_mcontext_pc(const mcontext_t *ctx)
 +{
-+    return (void *)ctx->gregs[REG_RIP];
++    if (unlikely(p->flags & TLB_MMIO)) {
 +        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
 +    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
 +        /* nothing */
 +    } else {
 +        /* Swap to host endian if necessary, then store. */
 +        if (memop & MO_BSWAP) {
 +            val = bswap32(val);
 +        }
 +        store_memop(p->haddr, val, MO_UL);
 +    }
 +}
 +
-+int arch_mcontext_arg(const mcontext_t *ctx)
++static void do_st_8(CPUArchState *env, MMULookupPageData *p, uint64_t val,
 +                    int mmu_idx, MemOp memop, uintptr_t ra)
 +{
-+    return ctx->gregs[REG_RDI];
++    if (unlikely(p->flags & TLB_MMIO)) {
 +        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
 +    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
 +        /* nothing */
 +    } else {
 +        /* Swap to host endian if necessary, then store. */
 +        if (memop & MO_BSWAP) {
 +            val = bswap64(val);
 +        }
 +        store_memop(p->haddr, val, MO_UQ);
 +    }
  }
  void helper_ret_stb_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
 -                        MemOpIdx oi, uintptr_t retaddr)
 +                        MemOpIdx oi, uintptr_t ra)
  {
 -    full_stb_mmu(env, addr, val, oi, retaddr);
 +    MMULookupLocals l;
 +    bool crosspage;
 +
 +    validate_memop(oi, MO_UB);
 +    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
 +    tcg_debug_assert(!crosspage);
 +
 +    do_st_1(env, &l.page[0], val, l.mmu_idx, ra);
  }
 -static void full_le_stw_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 -                            MemOpIdx oi, uintptr_t retaddr)
 +static void do_st2_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
 +                       MemOpIdx oi, uintptr_t ra)
  {
 -    validate_memop(oi, MO_LEUW);
 -    store_helper(env, addr, val, oi, retaddr, MO_LEUW);
 +    MMULookupLocals l;
 +    bool crosspage;
 +    uint8_t a, b;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
 +    if (likely(!crosspage)) {
 +        do_st_2(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
 +        return;
 +    }
 +
 +    if ((l.memop & MO_BSWAP) == MO_LE) {
 +        a = val, b = val >> 8;
 +    } else {
 +        b = val, a = val >> 8;
 +    }
 +    do_st_1(env, &l.page[0], a, l.mmu_idx, ra);
 +    do_st_1(env, &l.page[1], b, l.mmu_idx, ra);
  }
  void helper_le_stw_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                         MemOpIdx oi, uintptr_t retaddr)
  {
 -    full_le_stw_mmu(env, addr, val, oi, retaddr);
 -}
 -
 -static void full_be_stw_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 -                            MemOpIdx oi, uintptr_t retaddr)
 -{
 -    validate_memop(oi, MO_BEUW);
 -    store_helper(env, addr, val, oi, retaddr, MO_BEUW);
 +    validate_memop(oi, MO_LEUW);
 +    do_st2_mmu(env, addr, val, oi, retaddr);
  }
  void helper_be_stw_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                         MemOpIdx oi, uintptr_t retaddr)
  {
 -    full_be_stw_mmu(env, addr, val, oi, retaddr);
 +    validate_memop(oi, MO_BEUW);
 +    do_st2_mmu(env, addr, val, oi, retaddr);
  }
 -static void full_le_stl_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 -                            MemOpIdx oi, uintptr_t retaddr)
 +static void do_st4_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
 +                       MemOpIdx oi, uintptr_t ra)
  {
 -    validate_memop(oi, MO_LEUL);
 -    store_helper(env, addr, val, oi, retaddr, MO_LEUL);
 +    MMULookupLocals l;
 +    bool crosspage;
 +
 +    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
 +    if (likely(!crosspage)) {
 +        do_st_4(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
 +        return;
 +    }
 +
 +    /* Swap to little endian for simplicity, then store by bytes. */
 +    if ((l.memop & MO_BSWAP) != MO_LE) {
 +        val = bswap32(val);
 +    }
 +    val = do_st_leN(env, &l.page[0], val, l.mmu_idx, ra);
 +    (void) do_st_leN(env, &l.page[1], val, l.mmu_idx, ra);
  }
  void helper_le_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                         MemOpIdx oi, uintptr_t retaddr)
  {
 -    full_le_stl_mmu(env, addr, val, oi, retaddr);
 -}
 -
 -static void full_be_stl_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 -                            MemOpIdx oi, uintptr_t retaddr)
 -{
 -    validate_memop(oi, MO_BEUL);
 -    store_helper(env, addr, val, oi, retaddr, MO_BEUL);
 +    validate_memop(oi, MO_LEUL);
 +    do_st4_mmu(env, addr, val, oi, retaddr);
  }
  void helper_be_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                         MemOpIdx oi, uintptr_t retaddr)
  {
 -    full_be_stl_mmu(env, addr, val, oi, retaddr);
 +    validate_memop(oi, MO_BEUL);
 +    do_st4_mmu(env, addr, val, oi, retaddr);
 +}
 +
-+static void arch_flush(void *p, int len)
++static void do_st8_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
 +                       MemOpIdx oi, uintptr_t ra)
 +{
-+}
++    MMULookupLocals l;
-+
++    bool crosspage;
-+extern char noexec_1[];
++
-+extern char noexec_2[];
++    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
-+extern char noexec_end[];
++    if (likely(!crosspage)) {
-+
++        do_st_8(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
-+asm("noexec_1:\n"
++        return;
-+    "    movq $1,%rdi\n"    /* %rdi is 0 on entry, set 1. */
++    }
-+    "noexec_2:\n"
++
-+    "    movq $2,%rdi\n"    /* %rdi is 0/1; set 2. */
++    /* Swap to little endian for simplicity, then store by bytes. */
-+    "    ret\n"
++    if ((l.memop & MO_BSWAP) != MO_LE) {
-+    "noexec_end:");
++        val = bswap64(val);
-+
++    }
-+int main(void)
++    val = do_st_leN(env, &l.page[0], val, l.mmu_idx, ra);
-+{
++    (void) do_st_leN(env, &l.page[1], val, l.mmu_idx, ra);
-+    struct noexec_test noexec_tests[] = {
+ }
-+        {
-+            .name = "fallthrough",
+ void helper_le_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-+            .test_code = noexec_1,
+                        MemOpIdx oi, uintptr_t retaddr)
-+            .test_len = noexec_end - noexec_1,
+ {
-+            .page_ofs = noexec_1 - noexec_2,
+     validate_memop(oi, MO_LEUQ);
-+            .entry_ofs = noexec_1 - noexec_2,
+-    store_helper(env, addr, val, oi, retaddr, MO_LEUQ);
-+            .expected_si_ofs = 0,
++    do_st8_mmu(env, addr, val, oi, retaddr);
-+            .expected_pc_ofs = 0,
+ }
-+            .expected_arg = 1,
-+        },
+ void helper_be_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-+        {
+                        MemOpIdx oi, uintptr_t retaddr)
-+            .name = "jump",
+ {
-+            .test_code = noexec_1,
+     validate_memop(oi, MO_BEUQ);
-+            .test_len = noexec_end - noexec_1,
+-    store_helper(env, addr, val, oi, retaddr, MO_BEUQ);
-+            .page_ofs = noexec_1 - noexec_2,
++    do_st8_mmu(env, addr, val, oi, retaddr);
-+            .entry_ofs = 0,
+ }
-+            .expected_si_ofs = 0,
-+            .expected_pc_ofs = 0,
+ /*
-+            .expected_arg = 0,
+  * Store Helpers for cpu_ldst.h
-+        },
+  */
-+        {
-+            .name = "fallthrough [cross]",
+-typedef void FullStoreHelper(CPUArchState *env, target_ulong addr,
-+            .test_code = noexec_1,
+-                             uint64_t val, MemOpIdx oi, uintptr_t retaddr);
-+            .test_len = noexec_end - noexec_1,
+-
-+            .page_ofs = noexec_1 - noexec_2 - 2,
+-static inline void cpu_store_helper(CPUArchState *env, target_ulong addr,
-+            .entry_ofs = noexec_1 - noexec_2 - 2,
+-                                    uint64_t val, MemOpIdx oi, uintptr_t ra,
-+            .expected_si_ofs = 0,
+-                                    FullStoreHelper *full_store)
-+            .expected_pc_ofs = -2,
++static void plugin_store_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
-+            .expected_arg = 1,
+ {
-+        },
+-    full_store(env, addr, val, oi, ra);
-+        {
+     qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_W);
-+            .name = "jump [cross]",
+ }
-+            .test_code = noexec_1,
-+            .test_len = noexec_end - noexec_1,
+ void cpu_stb_mmu(CPUArchState *env, target_ulong addr, uint8_t val,
-+            .page_ofs = noexec_1 - noexec_2 - 2,
+                  MemOpIdx oi, uintptr_t retaddr)
-+            .entry_ofs = -2,
+ {
-+            .expected_si_ofs = 0,
+-    cpu_store_helper(env, addr, val, oi, retaddr, full_stb_mmu);
-+            .expected_pc_ofs = -2,
++    helper_ret_stb_mmu(env, addr, val, oi, retaddr);
-+            .expected_arg = 0,
++    plugin_store_cb(env, addr, oi);
-+        },
+ }
-+    };
-+
+ void cpu_stw_be_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
-+    return test_noexec(noexec_tests,
+                     MemOpIdx oi, uintptr_t retaddr)
-+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+ {
-+}
+-    cpu_store_helper(env, addr, val, oi, retaddr, full_be_stw_mmu);
-diff --git a/tests/tcg/x86_64/Makefile.target b/tests/tcg/x86_64/Makefile.target
++    helper_be_stw_mmu(env, addr, val, oi, retaddr);
-index XXXXXXX..XXXXXXX 100644
++    plugin_store_cb(env, addr, oi);
---- a/tests/tcg/x86_64/Makefile.target
+ }
-+++ b/tests/tcg/x86_64/Makefile.target
-@@ -XXX,XX +XXX,XX @@ include $(SRC_PATH)/tests/tcg/i386/Makefile.target
+ void cpu_stl_be_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
+                     MemOpIdx oi, uintptr_t retaddr)
- ifeq ($(filter %-linux-user, $(TARGET)),$(TARGET))
+ {
- X86_64_TESTS += vsyscall
+-    cpu_store_helper(env, addr, val, oi, retaddr, full_be_stl_mmu);
-+X86_64_TESTS += noexec
++    helper_be_stl_mmu(env, addr, val, oi, retaddr);
- TESTS=$(MULTIARCH_TESTS) $(X86_64_TESTS) test-x86_64
++    plugin_store_cb(env, addr, oi);
- else
+ }
- TESTS=$(MULTIARCH_TESTS)
-@@ -XXX,XX +XXX,XX @@ test-x86_64: LDFLAGS+=-lm -lc
+ void cpu_stq_be_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
- test-x86_64: test-i386.c test-i386.h test-i386-shift.h test-i386-muldiv.h
+                     MemOpIdx oi, uintptr_t retaddr)
-     $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
+ {
+-    cpu_store_helper(env, addr, val, oi, retaddr, helper_be_stq_mmu);
--vsyscall: $(SRC_PATH)/tests/tcg/x86_64/vsyscall.c
++    helper_be_stq_mmu(env, addr, val, oi, retaddr);
-+%: $(SRC_PATH)/tests/tcg/x86_64/%.c
++    plugin_store_cb(env, addr, oi);
-     $(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
+ }
  void cpu_stw_le_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, oi, retaddr, full_le_stw_mmu);
 +    helper_le_stw_mmu(env, addr, val, oi, retaddr);
 +    plugin_store_cb(env, addr, oi);
  }
  void cpu_stl_le_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, oi, retaddr, full_le_stl_mmu);
 +    helper_le_stl_mmu(env, addr, val, oi, retaddr);
 +    plugin_store_cb(env, addr, oi);
  }
  void cpu_stq_le_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
                      MemOpIdx oi, uintptr_t retaddr)
  {
 -    cpu_store_helper(env, addr, val, oi, retaddr, helper_le_stq_mmu);
 +    helper_le_stq_mmu(env, addr, val, oi, retaddr);
 +    plugin_store_cb(env, addr, oi);
  }
  void cpu_st16_be_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
 --
 .34.1

-[PULL 05/20] linux-user: Clear translations on mprotect()
+[PULL 53/53] target/loongarch: Do not include tcg-ldst.h
-From: Ilya Leoshkevich <iii@linux.ibm.com>
+This header is supposed to be private to tcg and in fact
 does not need to be included here at all.
-Currently it's possible to execute pages that do not have PAGE_EXEC
+Reviewed-by: Song Gao <gaosong@loongson.cn>
-if there is an existing translation block. Fix by invalidating TBs
+Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
 that touch the affected pages.
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Message-Id: <20220817150506.592862-2-iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- linux-user/mmap.c | 6 ++++--
+ target/loongarch/csr_helper.c   | 1 -
-file changed, 4 insertions(+), 2 deletions(-)
+ target/loongarch/iocsr_helper.c | 1 -
 files changed, 2 deletions(-)
-diff --git a/linux-user/mmap.c b/linux-user/mmap.c
+diff --git a/target/loongarch/csr_helper.c b/target/loongarch/csr_helper.c
 index XXXXXXX..XXXXXXX 100644
---- a/linux-user/mmap.c
+--- a/target/loongarch/csr_helper.c
-+++ b/linux-user/mmap.c
++++ b/target/loongarch/csr_helper.c
-@@ -XXX,XX +XXX,XX @@ int target_mprotect(abi_ulong start, abi_ulong len, int target_prot)
+@@ -XXX,XX +XXX,XX @@
-             goto error;
+ #include "exec/cpu_ldst.h"
-         }
+ #include "hw/irq.h"
-     }
+ #include "cpu-csr.h"
-+
+-#include "tcg/tcg-ldst.h"
-     page_set_flags(start, start + len, page_flags);
--    mmap_unlock();
+ target_ulong helper_csrrd_pgd(CPULoongArchState *env)
--    return 0;
+ {
-+    tb_invalidate_phys_range(start, start + len);
+diff --git a/target/loongarch/iocsr_helper.c b/target/loongarch/iocsr_helper.c
-+    ret = 0;
+index XXXXXXX..XXXXXXX 100644
-+
+--- a/target/loongarch/iocsr_helper.c
- error:
++++ b/target/loongarch/iocsr_helper.c
-     mmap_unlock();
+@@ -XXX,XX +XXX,XX @@
-     return ret;
+ #include "exec/helper-proto.h"
  #include "exec/exec-all.h"
  #include "exec/cpu_ldst.h"
 -#include "tcg/tcg-ldst.h"
  #define GET_MEMTXATTRS(cas) \
          ((MemTxAttrs){.requester_id = env_cpu(cas)->cpu_index})
 --
 .34.1

The following changes since commit e93ded1bf6c94ab95015b33e188bc8b0b0c32670:

Merge tag 'testing-pull-request-2022-08-30' of https://gitlab.com/thuth/qemu into staging (2022-08-31 18:19:03 -0400)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20220901

for you to fetch changes up to 20011be2e30b8aa8ef1fc258485f00c688703deb:

target/riscv: Make translator stop before the end of a page (2022-09-01 07:43:08 +0100)

----------------------------------------------------------------
Respect PROT_EXEC in user-only mode.
Fix s390x, i386 and riscv for translations crossing a page.

----------------------------------------------------------------
Ilya Leoshkevich (4):
      linux-user: Clear translations on mprotect()
      accel/tcg: Introduce is_same_page()
      target/s390x: Make translator stop before the end of a page
      target/i386: Make translator stop before the end of a page

Richard Henderson (16):
      linux-user/arm: Mark the commpage executable
      linux-user/hppa: Allocate page zero as a commpage
      linux-user/x86_64: Allocate vsyscall page as a commpage
      linux-user: Honor PT_GNU_STACK
      tests/tcg/i386: Move smc_code2 to an executable section
      accel/tcg: Properly implement get_page_addr_code for user-only
      accel/tcg: Unlock mmap_lock after longjmp
      accel/tcg: Make tb_htable_lookup static
      accel/tcg: Move qemu_ram_addr_from_host_nofail to physmem.c
      accel/tcg: Use probe_access_internal for softmmu get_page_addr_code_hostp
      accel/tcg: Document the faulting lookup in tb_lookup_cmp
      accel/tcg: Remove translator_ldsw
      accel/tcg: Add pc and host_pc params to gen_intermediate_code
      accel/tcg: Add fast path for translator_ld*
      target/riscv: Add MAX_INSN_LEN and insn_len
      target/riscv: Make translator stop before the end of a page

include/elf.h                     |   1 +
 include/exec/cpu-common.h         |   1 +
 include/exec/exec-all.h           |  89 ++++++++----------------
 include/exec/translator.h         |  96 ++++++++++++++++---------
 linux-user/arm/target_cpu.h       |   4 +-
 linux-user/qemu.h                 |   1 +
 accel/tcg/cpu-exec.c              | 143 ++++++++++++++++++++------------------
 accel/tcg/cputlb.c                |  93 +++++++------------------
 accel/tcg/translate-all.c         |  29 ++++----
 accel/tcg/translator.c            | 135 ++++++++++++++++++++++++++---------
 accel/tcg/user-exec.c             |  17 ++++-
 linux-user/elfload.c              |  82 ++++++++++++++++++++--
 linux-user/mmap.c                 |   6 +-
 softmmu/physmem.c                 |  12 ++++
 target/alpha/translate.c          |   5 +-
 target/arm/translate.c            |   5 +-
 target/avr/translate.c            |   5 +-
 target/cris/translate.c           |   5 +-
 target/hexagon/translate.c        |   6 +-
 target/hppa/translate.c           |   5 +-
 target/i386/tcg/translate.c       |  71 +++++++++++--------
 target/loongarch/translate.c      |   6 +-
 target/m68k/translate.c           |   5 +-
 target/microblaze/translate.c     |   5 +-
 target/mips/tcg/translate.c       |   5 +-
 target/nios2/translate.c          |   5 +-
 target/openrisc/translate.c       |   6 +-
 target/ppc/translate.c            |   5 +-
 target/riscv/translate.c          |  32 +++++++--
 target/rx/translate.c             |   5 +-
 target/s390x/tcg/translate.c      |  20 ++++--
 target/sh4/translate.c            |   5 +-
 target/sparc/translate.c          |   5 +-
 target/tricore/translate.c        |   6 +-
 target/xtensa/translate.c         |   6 +-
 tests/tcg/i386/test-i386.c        |   2 +-
 tests/tcg/riscv64/noexec.c        |  79 +++++++++++++++++++++
 tests/tcg/s390x/noexec.c          | 106 ++++++++++++++++++++++++++++
 tests/tcg/x86_64/noexec.c         |  75 ++++++++++++++++++++
 tests/tcg/multiarch/noexec.c.inc  | 139 ++++++++++++++++++++++++++++++++++++
 tests/tcg/riscv64/Makefile.target |   1 +
 tests/tcg/s390x/Makefile.target   |   1 +
 tests/tcg/x86_64/Makefile.target  |   3 +-
 43 files changed, 966 insertions(+), 367 deletions(-)
 create mode 100644 tests/tcg/riscv64/noexec.c
 create mode 100644 tests/tcg/s390x/noexec.c
 create mode 100644 tests/tcg/x86_64/noexec.c
 create mode 100644 tests/tcg/multiarch/noexec.c.inc

We're about to start validating PAGE_EXEC, which means
that we've got to mark the commpage executable.  We had
been placing the commpage outside of reserved_va, which
was incorrect and lead to an abort.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/arm/target_cpu.h | 4 ++--
 linux-user/elfload.c        | 6 +++++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/linux-user/arm/target_cpu.h b/linux-user/arm/target_cpu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/arm/target_cpu.h
+++ b/linux-user/arm/target_cpu.h
@@ -XXX,XX +XXX,XX @@ static inline unsigned long arm_max_reserved_va(CPUState *cs)
     } else {
         /*
          * We need to be able to map the commpage.
-         * See validate_guest_space in linux-user/elfload.c.
+         * See init_guest_commpage in linux-user/elfload.c.
          */
-        return 0xffff0000ul;
+        return 0xfffffffful;
     }
 }
 #define MAX_RESERVED_VA  arm_max_reserved_va
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ enum {
 
 static bool init_guest_commpage(void)
 {
-    void *want = g2h_untagged(HI_COMMPAGE & -qemu_host_page_size);
+    abi_ptr commpage = HI_COMMPAGE & -qemu_host_page_size;
+    void *want = g2h_untagged(commpage);
     void *addr = mmap(want, qemu_host_page_size, PROT_READ | PROT_WRITE,
                       MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
 
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
         perror("Protecting guest commpage");
         exit(EXIT_FAILURE);
     }
+
+    page_set_flags(commpage, commpage + qemu_host_page_size,
+                   PAGE_READ | PAGE_EXEC | PAGE_VALID);
     return true;
 }
 
-- 
2.34.1

While there are no target-specific nonfaulting probes,
generic code may grow some uses at some point.

Note that the attrs argument was incorrect -- it should have
been MEMTXATTRS_UNSPECIFIED. Just use the simpler interface.

Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 46 ++++++++++++++++++++++++++++-----------------
 1 file changed, 29 insertions(+), 17 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_tlb_fill(CPUState *cs, vaddr address, int size,
                       MMUAccessType access_type, int mmu_idx,
                       bool probe, uintptr_t retaddr)
 {
-    int prot = 0;
-    MemTxAttrs attrs = {};
+    int prot, page_size = TARGET_PAGE_SIZE;
     uint32_t paddr;
 
     address &= TARGET_PAGE_MASK;
 
     if (mmu_idx == MMU_CODE_IDX) {
-        /* access to code in flash */
+        /* Access to code in flash. */
         paddr = OFFSET_CODE + address;
         prot = PAGE_READ | PAGE_EXEC;
-        if (paddr + TARGET_PAGE_SIZE > OFFSET_DATA) {
+        if (paddr >= OFFSET_DATA) {
+            /*
+             * This should not be possible via any architectural operations.
+             * There is certainly not an exception that we can deliver.
+             * Accept probing that might come from generic code.
+             */
+            if (probe) {
+                return false;
+            }
             error_report("execution left flash memory");
             abort();
         }
-    } else if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
-        /*
-         * access to CPU registers, exit and rebuilt this TB to use full access
-         * incase it touches specially handled registers like SREG or SP
-         */
-        AVRCPU *cpu = AVR_CPU(cs);
-        CPUAVRState *env = &cpu->env;
-        env->fullacc = 1;
-        cpu_loop_exit_restore(cs, retaddr);
     } else {
-        /* access to memory. nothing special */
+        /* Access to memory. */
         paddr = OFFSET_DATA + address;
         prot = PAGE_READ | PAGE_WRITE;
+        if (address < NUMBER_OF_CPU_REGISTERS + NUMBER_OF_IO_REGISTERS) {
+            /*
+             * Access to CPU registers, exit and rebuilt this TB to use
+             * full access in case it touches specially handled registers
+             * like SREG or SP.  For probing, set page_size = 1, in order
+             * to force tlb_fill to be called for the next access.
+             */
+            if (probe) {
+                page_size = 1;
+            } else {
+                AVRCPU *cpu = AVR_CPU(cs);
+                CPUAVRState *env = &cpu->env;
+                env->fullacc = 1;
+                cpu_loop_exit_restore(cs, retaddr);
+            }
+        }
     }
 
-    tlb_set_page_with_attrs(cs, address, paddr, attrs, prot,
-                            mmu_idx, TARGET_PAGE_SIZE);
-
+    tlb_set_page(cs, address, paddr, prot, mmu_idx, page_size);
     return true;
 }
 
-- 
2.34.1

There is no need to go through cc->tcg_ops when
we know what value that must have.

Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@
 bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
 {
     bool ret = false;
-    CPUClass *cc = CPU_GET_CLASS(cs);
     AVRCPU *cpu = AVR_CPU(cs);
     CPUAVRState *env = &cpu->env;
 
     if (interrupt_request & CPU_INTERRUPT_RESET) {
         if (cpu_interrupts_enabled(env)) {
             cs->exception_index = EXCP_RESET;
-            cc->tcg_ops->do_interrupt(cs);
+            avr_cpu_do_interrupt(cs);
 
             cs->interrupt_request &= ~CPU_INTERRUPT_RESET;
 
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
         if (cpu_interrupts_enabled(env) && env->intsrc != 0) {
             int index = ctz32(env->intsrc);
             cs->exception_index = EXCP_INT(index);
-            cc->tcg_ops->do_interrupt(cs);
+            avr_cpu_do_interrupt(cs);
 
             env->intsrc &= env->intsrc - 1; /* clear the interrupt */
             if (!env->intsrc) {
-- 
2.34.1

We're about to start validating PAGE_EXEC, which means that we've
got to mark page zero executable.  We had been special casing this
entirely within translate.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 linux-user/elfload.c | 34 +++++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
     regs->gr[31] = infop->entry;
 }
 
+#define LO_COMMPAGE  0
+
+static bool init_guest_commpage(void)
+{
+    void *want = g2h_untagged(LO_COMMPAGE);
+    void *addr = mmap(want, qemu_host_page_size, PROT_NONE,
+                      MAP_ANONYMOUS | MAP_PRIVATE | MAP_FIXED, -1, 0);
+
+    if (addr == MAP_FAILED) {
+        perror("Allocating guest commpage");
+        exit(EXIT_FAILURE);
+    }
+    if (addr != want) {
+        return false;
+    }
+
+    /*
+     * On Linux, page zero is normally marked execute only + gateway.
+     * Normal read or write is supposed to fail (thus PROT_NONE above),
+     * but specific offsets have kernel code mapped to raise permissions
+     * and implement syscalls.  Here, simply mark the page executable.
+     * Special case the entry points during translation (see do_page_zero).
+     */
+    page_set_flags(LO_COMMPAGE, LO_COMMPAGE + TARGET_PAGE_SIZE,
+                   PAGE_EXEC | PAGE_VALID);
+    return true;
+}
+
 #endif /* TARGET_HPPA */
 
 #ifdef TARGET_XTENSA
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 }
 
 #if defined(HI_COMMPAGE)
-#define LO_COMMPAGE 0
+#define LO_COMMPAGE -1
 #elif defined(LO_COMMPAGE)
 #define HI_COMMPAGE 0
 #else
 #define HI_COMMPAGE 0
-#define LO_COMMPAGE 0
+#define LO_COMMPAGE -1
 #define init_guest_commpage() true
 #endif
 
@@ -XXX,XX +XXX,XX @@ static void pgb_static(const char *image_name, abi_ulong orig_loaddr,
         } else {
             offset = -(HI_COMMPAGE & -align);
         }
-    } else if (LO_COMMPAGE != 0) {
+    } else if (LO_COMMPAGE != -1) {
         loaddr = MIN(loaddr, LO_COMMPAGE & -align);
     }
 
-- 
2.34.1

We're about to start validating PAGE_EXEC, which means that we've
got to mark the vsyscall page executable.  We had been special
casing this entirely within translate.

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
     (*regs)[26] = tswapreg(env->segs[R_GS].selector & 0xffff);
 }
 
+#if ULONG_MAX >= TARGET_VSYSCALL_PAGE
+#define INIT_GUEST_COMMPAGE
+static bool init_guest_commpage(void)
+{
+    /*
+     * The vsyscall page is at a high negative address aka kernel space,
+     * which means that we cannot actually allocate it with target_mmap.
+     * We still should be able to use page_set_flags, unless the user
+     * has specified -R reserved_va, which would trigger an assert().
+     */
+    if (reserved_va != 0 &&
+        TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE >= reserved_va) {
+        error_report("Cannot allocate vsyscall page");
+        exit(EXIT_FAILURE);
+    }
+    page_set_flags(TARGET_VSYSCALL_PAGE,
+                   TARGET_VSYSCALL_PAGE + TARGET_PAGE_SIZE,
+                   PAGE_EXEC | PAGE_VALID);
+    return true;
+}
+#endif
 #else
 
 #define ELF_START_MMAP 0x80000000
@@ -XXX,XX +XXX,XX @@ static abi_ulong create_elf_tables(abi_ulong p, int argc, int envc,
 #else
 #define HI_COMMPAGE 0
 #define LO_COMMPAGE -1
+#ifndef INIT_GUEST_COMMPAGE
 #define init_guest_commpage() true
 #endif
+#endif
 
 static void pgb_fail_in_use(const char *image_name)
 {
-- 
2.34.1

We cannot deliver two interrupts simultaneously;
the first interrupt handler must execute first.

Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

This bit is not saved across interrupts, so we must
delay delivering the interrupt until the skip has
been processed.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1118
Reviewed-by: Michael Rolnik <mrolnik@gmail.com>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/avr/helper.c    |  9 +++++++++
 target/avr/translate.c | 26 ++++++++++++++++++++++----
 2 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/target/avr/helper.c b/target/avr/helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/helper.c
+++ b/target/avr/helper.c
@@ -XXX,XX +XXX,XX @@ bool avr_cpu_exec_interrupt(CPUState *cs, int interrupt_request)
     AVRCPU *cpu = AVR_CPU(cs);
     CPUAVRState *env = &cpu->env;
 
+    /*
+     * We cannot separate a skip from the next instruction,
+     * as the skip would not be preserved across the interrupt.
+     * Separating the two insn normally only happens at page boundaries.
+     */
+    if (env->skip) {
+        return false;
+    }
+
     if (interrupt_request & CPU_INTERRUPT_RESET) {
         if (cpu_interrupts_enabled(env)) {
             cs->exception_index = EXCP_RESET;
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static void avr_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
     if (skip_label) {
         canonicalize_skip(ctx);
         gen_set_label(skip_label);
-        if (ctx->base.is_jmp == DISAS_NORETURN) {
+
+        switch (ctx->base.is_jmp) {
+        case DISAS_NORETURN:
             ctx->base.is_jmp = DISAS_CHAIN;
+            break;
+        case DISAS_NEXT:
+            if (ctx->base.tb->flags & TB_FLAGS_SKIP) {
+                ctx->base.is_jmp = DISAS_TOO_MANY;
+            }
+            break;
+        default:
+            break;
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
 {
     DisasContext *ctx = container_of(dcbase, DisasContext, base);
     bool nonconst_skip = canonicalize_skip(ctx);
+    /*
+     * Because we disable interrupts while env->skip is set,
+     * we must return to the main loop to re-evaluate afterward.
+     */
+    bool force_exit = ctx->base.tb->flags & TB_FLAGS_SKIP;
 
     switch (ctx->base.is_jmp) {
     case DISAS_NORETURN:
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
     case DISAS_NEXT:
     case DISAS_TOO_MANY:
     case DISAS_CHAIN:
-        if (!nonconst_skip) {
+        if (!nonconst_skip && !force_exit) {
             /* Note gen_goto_tb checks singlestep.  */
             gen_goto_tb(ctx, 1, ctx->npc);
             break;
@@ -XXX,XX +XXX,XX @@ static void avr_tr_tb_stop(DisasContextBase *dcbase, CPUState *cs)
         tcg_gen_movi_tl(cpu_pc, ctx->npc);
         /* fall through */
     case DISAS_LOOKUP:
-        tcg_gen_lookup_and_goto_ptr();
-        break;
+        if (!force_exit) {
+            tcg_gen_lookup_and_goto_ptr();
+            break;
+        }
+        /* fall through */
     case DISAS_EXIT:
         tcg_gen_exit_tb(NULL, 0);
         break;
-- 
2.34.1

Map the stack executable if required by default or on demand.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/elf.h        |  1 +
 linux-user/qemu.h    |  1 +
 linux-user/elfload.c | 19 ++++++++++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/include/elf.h b/include/elf.h
index XXXXXXX..XXXXXXX 100644
--- a/include/elf.h
+++ b/include/elf.h
@@ -XXX,XX +XXX,XX @@ typedef int64_t  Elf64_Sxword;
 #define PT_LOPROC  0x70000000
 #define PT_HIPROC  0x7fffffff
 
+#define PT_GNU_STACK      (PT_LOOS + 0x474e551)
 #define PT_GNU_PROPERTY   (PT_LOOS + 0x474e553)
 
 #define PT_MIPS_REGINFO   0x70000000
diff --git a/linux-user/qemu.h b/linux-user/qemu.h
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/qemu.h
+++ b/linux-user/qemu.h
@@ -XXX,XX +XXX,XX @@ struct image_info {
         uint32_t        elf_flags;
         int             personality;
         abi_ulong       alignment;
+        bool            exec_stack;
 
         /* Generic semihosting knows about these pointers. */
         abi_ulong       arg_strings;   /* strings for argv */
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static bool init_guest_commpage(void)
 #define ELF_ARCH        EM_386
 
 #define ELF_PLATFORM get_elf_platform()
+#define EXSTACK_DEFAULT true
 
 static const char *get_elf_platform(void)
 {
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUX86State *en
 
 #define ELF_ARCH        EM_ARM
 #define ELF_CLASS       ELFCLASS32
+#define EXSTACK_DEFAULT true
 
 static inline void init_thread(struct target_pt_regs *regs,
                                struct image_info *infop)
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
 #else
 
 #define ELF_CLASS       ELFCLASS32
+#define EXSTACK_DEFAULT true
 
 #endif
 
@@ -XXX,XX +XXX,XX @@ static void elf_core_copy_regs(target_elf_gregset_t *regs, const CPUPPCState *en
 
 #define ELF_CLASS   ELFCLASS64
 #define ELF_ARCH    EM_LOONGARCH
+#define EXSTACK_DEFAULT true
 
 #define elf_check_arch(x) ((x) == EM_LOONGARCH)
 
@@ -XXX,XX +XXX,XX @@ static uint32_t get_elf_hwcap(void)
 #define ELF_CLASS   ELFCLASS32
 #endif
 #define ELF_ARCH    EM_MIPS
+#define EXSTACK_DEFAULT true
 
 #ifdef TARGET_ABI_MIPSN32
 #define elf_check_abi(x) ((x) & EF_MIPS_ABI2)
@@ -XXX,XX +XXX,XX @@ static inline void init_thread(struct target_pt_regs *regs,
 #define bswaptls(ptr) bswap32s(ptr)
 #endif
 
+#ifndef EXSTACK_DEFAULT
+#define EXSTACK_DEFAULT false
+#endif
+
 #include "elf.h"
 
 /* We must delay the following stanzas until after "elf.h". */
@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
                                  struct image_info *info)
 {
     abi_ulong size, error, guard;
+    int prot;
 
     size = guest_stack_size;
     if (size < STACK_LOWER_LIMIT) {
@@ -XXX,XX +XXX,XX @@ static abi_ulong setup_arg_pages(struct linux_binprm *bprm,
         guard = qemu_real_host_page_size();
     }
 
-    error = target_mmap(0, size + guard, PROT_READ | PROT_WRITE,
+    prot = PROT_READ | PROT_WRITE;
+    if (info->exec_stack) {
+        prot |= PROT_EXEC;
+    }
+    error = target_mmap(0, size + guard, prot,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
     if (error == -1) {
         perror("mmap stack");
@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
      */
     loaddr = -1, hiaddr = 0;
     info->alignment = 0;
+    info->exec_stack = EXSTACK_DEFAULT;
     for (i = 0; i < ehdr->e_phnum; ++i) {
         struct elf_phdr *eppnt = phdr + i;
         if (eppnt->p_type == PT_LOAD) {
@@ -XXX,XX +XXX,XX @@ static void load_elf_image(const char *image_name, int image_fd,
             if (!parse_elf_properties(image_fd, info, eppnt, bprm_buf, &err)) {
                 goto exit_errmsg;
             }
+        } else if (eppnt->p_type == PT_GNU_STACK) {
+            info->exec_stack = eppnt->p_flags & PF_X;
         }
     }
 
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Introduce a function that checks whether a given address is on the same
page as where disassembly started. Having it improves readability of
the following patches.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Message-Id: <20220811095534.241224-3-iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
[rth: Make the DisasContextBase parameter const.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
 
 #undef GEN_TRANSLATOR_LD
 
+/*
+ * Return whether addr is on the same page as where disassembly started.
+ * Translators can use this to enforce the rule that only single-insn
+ * translation blocks are allowed to cross page boundaries.
+ */
+static inline bool is_same_page(const DisasContextBase *db, target_ulong addr)
+{
+    return ((addr ^ db->pc_first) & TARGET_PAGE_MASK) == 0;
+}
+
 #endif /* EXEC__TRANSLATOR_H */
-- 
2.34.1

The current implementation is a no-op, simply returning addr.
This is incorrect, because we ought to be checking the page
permissions for execution.

Make get_page_addr_code inline for both implementations.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Acked-by: Alistair Francis <alistair.francis@wdc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 85 ++++++++++++++---------------------------
 accel/tcg/cputlb.c      |  5 ---
 accel/tcg/user-exec.c   | 14 +++++++
 3 files changed, 42 insertions(+), 62 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ struct MemoryRegionSection *iotlb_to_section(CPUState *cpu,
                                              hwaddr index, MemTxAttrs attrs);
 #endif
 
-#if defined(CONFIG_USER_ONLY)
-void mmap_lock(void);
-void mmap_unlock(void);
-bool have_mmap_lock(void);
-
 /**
- * get_page_addr_code() - user-mode version
+ * get_page_addr_code_hostp()
  * @env: CPUArchState
  * @addr: guest virtual address of guest code
  *
- * Returns @addr.
+ * See get_page_addr_code() (full-system version) for documentation on the
+ * return value.
+ *
+ * Sets *@hostp (when @hostp is non-NULL) as follows.
+ * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
+ * to the host address where @addr's content is kept.
+ *
+ * Note: this function can trigger an exception.
+ */
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp);
+
+/**
+ * get_page_addr_code()
+ * @env: CPUArchState
+ * @addr: guest virtual address of guest code
+ *
+ * If we cannot translate and execute from the entire RAM page, or if
+ * the region is not backed by RAM, returns -1. Otherwise, returns the
+ * ram_addr_t corresponding to the guest code at @addr.
+ *
+ * Note: this function can trigger an exception.
  */
 static inline tb_page_addr_t get_page_addr_code(CPUArchState *env,
                                                 target_ulong addr)
 {
-    return addr;
+    return get_page_addr_code_hostp(env, addr, NULL);
 }
 
-/**
- * get_page_addr_code_hostp() - user-mode version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * Returns @addr.
- *
- * If @hostp is non-NULL, sets *@hostp to the host address where @addr's content
- * is kept.
- */
-static inline tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env,
-                                                      target_ulong addr,
-                                                      void **hostp)
-{
-    if (hostp) {
-        *hostp = g2h_untagged(addr);
-    }
-    return addr;
-}
+#if defined(CONFIG_USER_ONLY)
+void mmap_lock(void);
+void mmap_unlock(void);
+bool have_mmap_lock(void);
 
 /**
  * adjust_signal_pc:
@@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
 static inline void mmap_lock(void) {}
 static inline void mmap_unlock(void) {}
 
-/**
- * get_page_addr_code() - full-system version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * If we cannot translate and execute from the entire RAM page, or if
- * the region is not backed by RAM, returns -1. Otherwise, returns the
- * ram_addr_t corresponding to the guest code at @addr.
- *
- * Note: this function can trigger an exception.
- */
-tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr);
-
-/**
- * get_page_addr_code_hostp() - full-system version
- * @env: CPUArchState
- * @addr: guest virtual address of guest code
- *
- * See get_page_addr_code() (full-system version) for documentation on the
- * return value.
- *
- * Sets *@hostp (when @hostp is non-NULL) as follows.
- * If the return value is -1, sets *@hostp to NULL. Otherwise, sets *@hostp
- * to the host address where @addr's content is kept.
- *
- * Note: this function can trigger an exception.
- */
-tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-                                        void **hostp);
-
 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
 void tlb_set_dirty(CPUState *cpu, target_ulong vaddr);
 
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
     return qemu_ram_addr_from_host_nofail(p);
 }
 
-tb_page_addr_t get_page_addr_code(CPUArchState *env, target_ulong addr)
-{
-    return get_page_addr_code_hostp(env, addr, NULL);
-}
-
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
 {
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ void *probe_access(CPUArchState *env, target_ulong addr, int size,
     return size ? g2h(env_cpu(env), addr) : NULL;
 }
 
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp)
+{
+    int flags;
+
+    flags = probe_access_internal(env, addr, 1, MMU_INST_FETCH, false, 0);
+    g_assert(flags == 0);
+
+    if (hostp) {
+        *hostp = g2h_untagged(addr);
+    }
+    return addr;
+}
+
 /* The softmmu versions of these helpers are in cputlb.c.  */
 
 /*
-- 
2.34.1

The mmap_lock is held around tb_gen_code.  While the comment
is correct that the lock is dropped when tb_gen_code runs out
of memory, the lock is *not* dropped when an exception is
raised reading code for translation.

Acked-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c  | 12 ++++++------
 accel/tcg/user-exec.c |  3 ---
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
         cpu_tb_exec(cpu, tb, &tb_exit);
         cpu_exec_exit(cpu);
     } else {
-        /*
-         * The mmap_lock is dropped by tb_gen_code if it runs out of
-         * memory.
-         */
 #ifndef CONFIG_SOFTMMU
         clear_helper_retaddr();
-        tcg_debug_assert(!have_mmap_lock());
+        if (have_mmap_lock()) {
+            mmap_unlock();
+        }
 #endif
         if (qemu_mutex_iothread_locked()) {
             qemu_mutex_unlock_iothread();
@@ -XXX,XX +XXX,XX @@ int cpu_exec(CPUState *cpu)
 
 #ifndef CONFIG_SOFTMMU
         clear_helper_retaddr();
-        tcg_debug_assert(!have_mmap_lock());
+        if (have_mmap_lock()) {
+            mmap_unlock();
+        }
 #endif
         if (qemu_mutex_iothread_locked()) {
             qemu_mutex_unlock_iothread();
diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ MMUAccessType adjust_signal_pc(uintptr_t *pc, bool is_write)
          * (and if the translator doesn't handle page boundaries correctly
          * there's little we can do about that here).  Therefore, do not
          * trigger the unwinder.
-         *
-         * Like tb_gen_code, release the memory lock before cpu_loop_exit.
          */
-        mmap_unlock();
         *pc = 0;
         return MMU_INST_FETCH;
     }
-- 
2.34.1

The function is not used outside of cpu-exec.c.  Move it and
its subroutines up in the file, before the first use.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h |   3 -
 accel/tcg/cpu-exec.c    | 122 ++++++++++++++++++++--------------------
 2 files changed, 61 insertions(+), 64 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void tb_invalidate_phys_addr(AddressSpace *as, hwaddr addr, MemTxAttrs attrs);
 #endif
 void tb_flush(CPUState *cpu);
 void tb_phys_invalidate(TranslationBlock *tb, tb_page_addr_t page_addr);
-TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
-                                   target_ulong cs_base, uint32_t flags,
-                                   uint32_t cflags);
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr);
 
 /* GETPC is the true target of the return instruction that we'll execute.  */
diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ uint32_t curr_cflags(CPUState *cpu)
     return cflags;
 }
 
+struct tb_desc {
+    target_ulong pc;
+    target_ulong cs_base;
+    CPUArchState *env;
+    tb_page_addr_t phys_page1;
+    uint32_t flags;
+    uint32_t cflags;
+    uint32_t trace_vcpu_dstate;
+};
+
+static bool tb_lookup_cmp(const void *p, const void *d)
+{
+    const TranslationBlock *tb = p;
+    const struct tb_desc *desc = d;
+
+    if (tb->pc == desc->pc &&
+        tb->page_addr[0] == desc->phys_page1 &&
+        tb->cs_base == desc->cs_base &&
+        tb->flags == desc->flags &&
+        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
+        tb_cflags(tb) == desc->cflags) {
+        /* check next page if needed */
+        if (tb->page_addr[1] == -1) {
+            return true;
+        } else {
+            tb_page_addr_t phys_page2;
+            target_ulong virt_page2;
+
+            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+            phys_page2 = get_page_addr_code(desc->env, virt_page2);
+            if (tb->page_addr[1] == phys_page2) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+static TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
+                                          target_ulong cs_base, uint32_t flags,
+                                          uint32_t cflags)
+{
+    tb_page_addr_t phys_pc;
+    struct tb_desc desc;
+    uint32_t h;
+
+    desc.env = cpu->env_ptr;
+    desc.cs_base = cs_base;
+    desc.flags = flags;
+    desc.cflags = cflags;
+    desc.trace_vcpu_dstate = *cpu->trace_dstate;
+    desc.pc = pc;
+    phys_pc = get_page_addr_code(desc.env, pc);
+    if (phys_pc == -1) {
+        return NULL;
+    }
+    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
+    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
+    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
+}
+
 /* Might cause an exception, so have a longjmp destination ready */
 static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
                                           target_ulong cs_base,
@@ -XXX,XX +XXX,XX @@ void cpu_exec_step_atomic(CPUState *cpu)
     end_exclusive();
 }
 
-struct tb_desc {
-    target_ulong pc;
-    target_ulong cs_base;
-    CPUArchState *env;
-    tb_page_addr_t phys_page1;
-    uint32_t flags;
-    uint32_t cflags;
-    uint32_t trace_vcpu_dstate;
-};
-
-static bool tb_lookup_cmp(const void *p, const void *d)
-{
-    const TranslationBlock *tb = p;
-    const struct tb_desc *desc = d;
-
-    if (tb->pc == desc->pc &&
-        tb->page_addr[0] == desc->phys_page1 &&
-        tb->cs_base == desc->cs_base &&
-        tb->flags == desc->flags &&
-        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
-        tb_cflags(tb) == desc->cflags) {
-        /* check next page if needed */
-        if (tb->page_addr[1] == -1) {
-            return true;
-        } else {
-            tb_page_addr_t phys_page2;
-            target_ulong virt_page2;
-
-            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
-            phys_page2 = get_page_addr_code(desc->env, virt_page2);
-            if (tb->page_addr[1] == phys_page2) {
-                return true;
-            }
-        }
-    }
-    return false;
-}
-
-TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
-                                   target_ulong cs_base, uint32_t flags,
-                                   uint32_t cflags)
-{
-    tb_page_addr_t phys_pc;
-    struct tb_desc desc;
-    uint32_t h;
-
-    desc.env = cpu->env_ptr;
-    desc.cs_base = cs_base;
-    desc.flags = flags;
-    desc.cflags = cflags;
-    desc.trace_vcpu_dstate = *cpu->trace_dstate;
-    desc.pc = pc;
-    phys_pc = get_page_addr_code(desc.env, pc);
-    if (phys_pc == -1) {
-        return NULL;
-    }
-    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
-    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
-    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
-}
-
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
 {
     if (TCG_TARGET_HAS_direct_jump) {
-- 
2.34.1

The base qemu_ram_addr_from_host function is already in
softmmu/physmem.c; move the nofail version to be adjacent.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu-common.h |  1 +
 accel/tcg/cputlb.c        | 12 ------------
 softmmu/physmem.c         | 12 ++++++++++++
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -XXX,XX +XXX,XX @@ typedef uintptr_t ram_addr_t;
 void qemu_ram_remap(ram_addr_t addr, ram_addr_t length);
 /* This should not be used by devices.  */
 ram_addr_t qemu_ram_addr_from_host(void *ptr);
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr);
 RAMBlock *qemu_ram_block_by_name(const char *name);
 RAMBlock *qemu_ram_block_from_host(void *ptr, bool round_offset,
                                    ram_addr_t *offset);
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ void tlb_set_page(CPUState *cpu, target_ulong vaddr,
                             prot, mmu_idx, size);
 }
 
-static inline ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
-{
-    ram_addr_t ram_addr;
-
-    ram_addr = qemu_ram_addr_from_host(ptr);
-    if (ram_addr == RAM_ADDR_INVALID) {
-        error_report("Bad ram pointer %p", ptr);
-        abort();
-    }
-    return ram_addr;
-}
-
 /*
  * Note: tlb_fill() can trigger a resize of the TLB. This means that all of the
  * caller's prior references to the TLB table (e.g. CPUTLBEntry pointers) must
diff --git a/softmmu/physmem.c b/softmmu/physmem.c
index XXXXXXX..XXXXXXX 100644
--- a/softmmu/physmem.c
+++ b/softmmu/physmem.c
@@ -XXX,XX +XXX,XX @@ ram_addr_t qemu_ram_addr_from_host(void *ptr)
     return block->offset + offset;
 }
 
+ram_addr_t qemu_ram_addr_from_host_nofail(void *ptr)
+{
+    ram_addr_t ram_addr;
+
+    ram_addr = qemu_ram_addr_from_host(ptr);
+    if (ram_addr == RAM_ADDR_INVALID) {
+        error_report("Bad ram pointer %p", ptr);
+        abort();
+    }
+    return ram_addr;
+}
+
 static MemTxResult flatview_read(FlatView *fv, hwaddr addr,
                                  MemTxAttrs attrs, void *buf, hwaddr len);
 static MemTxResult flatview_write(FlatView *fv, hwaddr addr, MemTxAttrs attrs,
-- 
2.34.1

Simplify the implementation of get_page_addr_code_hostp
by reusing the existing probe_access infrastructure.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 76 ++++++++++++++++------------------------------
 1 file changed, 26 insertions(+), 50 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
   victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
                  (ADDR) & TARGET_PAGE_MASK)
 
-/*
- * Return a ram_addr_t for the virtual address for execution.
- *
- * Return -1 if we can't translate and execute from an entire page
- * of RAM.  This will force us to execute by loading and translating
- * one insn at a time, without caching.
- *
- * NOTE: This function will trigger an exception if the page is
- * not executable.
- */
-tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
-                                        void **hostp)
-{
-    uintptr_t mmu_idx = cpu_mmu_index(env, true);
-    uintptr_t index = tlb_index(env, mmu_idx, addr);
-    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    void *p;
-
-    if (unlikely(!tlb_hit(entry->addr_code, addr))) {
-        if (!VICTIM_TLB_HIT(addr_code, addr)) {
-            tlb_fill(env_cpu(env), addr, 0, MMU_INST_FETCH, mmu_idx, 0);
-            index = tlb_index(env, mmu_idx, addr);
-            entry = tlb_entry(env, mmu_idx, addr);
-
-            if (unlikely(entry->addr_code & TLB_INVALID_MASK)) {
-                /*
-                 * The MMU protection covers a smaller range than a target
-                 * page, so we must redo the MMU check for every insn.
-                 */
-                return -1;
-            }
-        }
-        assert(tlb_hit(entry->addr_code, addr));
-    }
-
-    if (unlikely(entry->addr_code & TLB_MMIO)) {
-        /* The region is not backed by RAM.  */
-        if (hostp) {
-            *hostp = NULL;
-        }
-        return -1;
-    }
-
-    p = (void *)((uintptr_t)addr + entry->addend);
-    if (hostp) {
-        *hostp = p;
-    }
-    return qemu_ram_addr_from_host_nofail(p);
-}
-
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUIOTLBEntry *iotlbentry, uintptr_t retaddr)
 {
@@ -XXX,XX +XXX,XX @@ void *tlb_vaddr_to_host(CPUArchState *env, abi_ptr addr,
     return flags ? NULL : host;
 }
 
+/*
+ * Return a ram_addr_t for the virtual address for execution.
+ *
+ * Return -1 if we can't translate and execute from an entire page
+ * of RAM.  This will force us to execute by loading and translating
+ * one insn at a time, without caching.
+ *
+ * NOTE: This function will trigger an exception if the page is
+ * not executable.
+ */
+tb_page_addr_t get_page_addr_code_hostp(CPUArchState *env, target_ulong addr,
+                                        void **hostp)
+{
+    void *p;
+
+    (void)probe_access_internal(env, addr, 1, MMU_INST_FETCH,
+                                cpu_mmu_index(env, true), false, &p, 0);
+    if (p == NULL) {
+        return -1;
+    }
+    if (hostp) {
+        *hostp = p;
+    }
+    return qemu_ram_addr_from_host_nofail(p);
+}
+
 #ifdef CONFIG_PLUGIN
 /*
  * Perform a TLB lookup and populate the qemu_plugin_hwaddr structure.
-- 
2.34.1

It was non-obvious to me why we can raise an exception in
the middle of a comparison function, but it works.
While nearby, use TARGET_PAGE_ALIGN instead of open-coding.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cpu-exec.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/accel/tcg/cpu-exec.c b/accel/tcg/cpu-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -XXX,XX +XXX,XX @@ static bool tb_lookup_cmp(const void *p, const void *d)
             tb_page_addr_t phys_page2;
             target_ulong virt_page2;
 
-            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+            /*
+             * We know that the first page matched, and an otherwise valid TB
+             * encountered an incomplete instruction at the end of that page,
+             * therefore we know that generating a new TB from the current PC
+             * must also require reading from the next page -- even if the
+             * second pages do not match, and therefore the resulting insn
+             * is different for the new TB.  Therefore any exception raised
+             * here by the faulting lookup is not premature.
+             */
+            virt_page2 = TARGET_PAGE_ALIGN(desc->pc);
             phys_page2 = get_page_addr_code(desc->env, virt_page2);
             if (tb->page_addr[1] == phys_page2) {
                 return true;
-- 
2.34.1

The only user can easily use translator_lduw and
adjust the type to signed during the return.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h   | 1 -
 target/i386/tcg/translate.c | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
 
 #define FOR_EACH_TRANSLATOR_LD(F)                                       \
     F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
-    F(translator_ldsw, int16_t, cpu_ldsw_code, bswap16)                 \
     F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
     F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
     F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static inline uint8_t x86_ldub_code(CPUX86State *env, DisasContext *s)
 
 static inline int16_t x86_ldsw_code(CPUX86State *env, DisasContext *s)
 {
-    return translator_ldsw(env, &s->base, advance_pc(env, s, 2));
+    return translator_lduw(env, &s->base, advance_pc(env, s, 2));
 }
 
 static inline uint16_t x86_lduw_code(CPUX86State *env, DisasContext *s)
-- 
2.34.1

Pass these along to translator_loop -- pc may be used instead
of tb->pc, and host_pc is currently unused.  Adjust all targets
at one time.

Acked-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h       |  1 -
 include/exec/translator.h     | 24 ++++++++++++++++++++----
 accel/tcg/translate-all.c     |  6 ++++--
 accel/tcg/translator.c        |  9 +++++----
 target/alpha/translate.c      |  5 +++--
 target/arm/translate.c        |  5 +++--
 target/avr/translate.c        |  5 +++--
 target/cris/translate.c       |  5 +++--
 target/hexagon/translate.c    |  6 ++++--
 target/hppa/translate.c       |  5 +++--
 target/i386/tcg/translate.c   |  5 +++--
 target/loongarch/translate.c  |  6 ++++--
 target/m68k/translate.c       |  5 +++--
 target/microblaze/translate.c |  5 +++--
 target/mips/tcg/translate.c   |  5 +++--
 target/nios2/translate.c      |  5 +++--
 target/openrisc/translate.c   |  6 ++++--
 target/ppc/translate.c        |  5 +++--
 target/riscv/translate.c      |  5 +++--
 target/rx/translate.c         |  5 +++--
 target/s390x/tcg/translate.c  |  5 +++--
 target/sh4/translate.c        |  5 +++--
 target/sparc/translate.c      |  5 +++--
 target/tricore/translate.c    |  6 ++++--
 target/xtensa/translate.c     |  6 ++++--
 25 files changed, 97 insertions(+), 53 deletions(-)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ typedef ram_addr_t tb_page_addr_t;
 #define TB_PAGE_ADDR_FMT RAM_ADDR_FMT
 #endif
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns);
 void restore_state_to_opc(CPUArchState *env, TranslationBlock *tb,
                           target_ulong *data);
 
diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@
 #include "exec/translate-all.h"
 #include "tcg/tcg.h"
 
+/**
+ * gen_intermediate_code
+ * @cpu: cpu context
+ * @tb: translation block
+ * @max_insns: max number of instructions to translate
+ * @pc: guest virtual program counter address
+ * @host_pc: host physical program counter address
+ *
+ * This function must be provided by the target, which should create
+ * the target-specific DisasContext, and then invoke translator_loop.
+ */
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc);
 
 /**
  * DisasJumpType:
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
 
 /**
  * translator_loop:
- * @ops: Target-specific operations.
- * @db: Disassembly context.
  * @cpu: Target vCPU.
  * @tb: Translation block.
  * @max_insns: Maximum number of insns to translate.
+ * @pc: guest virtual program counter address
+ * @host_pc: host physical program counter address
+ * @ops: Target-specific operations.
+ * @db: Disassembly context.
  *
  * Generic translator loop.
  *
@@ -XXX,XX +XXX,XX @@ typedef struct TranslatorOps {
  * - When single-stepping is enabled (system-wide or on the current vCPU).
  * - When too many instructions have been translated.
  */
-void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
-                     CPUState *cpu, TranslationBlock *tb, int max_insns);
+void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                     target_ulong pc, void *host_pc,
+                     const TranslatorOps *ops, DisasContextBase *db);
 
 void translator_loop_temp_check(DisasContextBase *db);
 
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@
 
 #include "exec/cputlb.h"
 #include "exec/translate-all.h"
+#include "exec/translator.h"
 #include "qemu/bitmap.h"
 #include "qemu/qemu-print.h"
 #include "qemu/timer.h"
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     TCGProfile *prof = &tcg_ctx->prof;
     int64_t ti;
 #endif
+    void *host_pc;
 
     assert_memory_lock();
     qemu_thread_jit_write();
 
-    phys_pc = get_page_addr_code(env, pc);
+    phys_pc = get_page_addr_code_hostp(env, pc, &host_pc);
 
     if (phys_pc == -1) {
         /* Generate a one-shot TB with 1 insn in it */
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     tcg_func_start(tcg_ctx);
 
     tcg_ctx->cpu = env_cpu(env);
-    gen_intermediate_code(cpu, tb, max_insns);
+    gen_intermediate_code(cpu, tb, max_insns, pc, host_pc);
     assert(tb->size != 0);
     tcg_ctx->cpu = NULL;
     max_insns = tb->icount;
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ static inline void translator_page_protect(DisasContextBase *dcbase,
 #endif
 }
 
-void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
-                     CPUState *cpu, TranslationBlock *tb, int max_insns)
+void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                     target_ulong pc, void *host_pc,
+                     const TranslatorOps *ops, DisasContextBase *db)
 {
     uint32_t cflags = tb_cflags(tb);
     bool plugin_enabled;
 
     /* Initialize DisasContext */
     db->tb = tb;
-    db->pc_first = tb->pc;
-    db->pc_next = db->pc_first;
+    db->pc_first = pc;
+    db->pc_next = pc;
     db->is_jmp = DISAS_NEXT;
     db->num_insns = 0;
     db->max_insns = max_insns;
diff --git a/target/alpha/translate.c b/target/alpha/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/alpha/translate.c
+++ b/target/alpha/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps alpha_tr_ops = {
     .disas_log          = alpha_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&alpha_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &alpha_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUAlphaState *env, TranslationBlock *tb,
diff --git a/target/arm/translate.c b/target/arm/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/arm/translate.c
+++ b/target/arm/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps thumb_translator_ops = {
 };
 
 /* generate intermediate code for basic block 'tb'.  */
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = { };
     const TranslatorOps *ops = &arm_translator_ops;
@@ -XXX,XX +XXX,XX @@ void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
     }
 #endif
 
-    translator_loop(ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUARMState *env, TranslationBlock *tb,
diff --git a/target/avr/translate.c b/target/avr/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/avr/translate.c
+++ b/target/avr/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps avr_tr_ops = {
     .disas_log          = avr_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = { };
-    translator_loop(&avr_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &avr_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUAVRState *env, TranslationBlock *tb,
diff --git a/target/cris/translate.c b/target/cris/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/cris/translate.c
+++ b/target/cris/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps cris_tr_ops = {
     .disas_log          = cris_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&cris_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &cris_tr_ops, &dc.base);
 }
 
 void cris_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/hexagon/translate.c b/target/hexagon/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hexagon/translate.c
+++ b/target/hexagon/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hexagon_tr_ops = {
     .disas_log          = hexagon_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&hexagon_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &hexagon_tr_ops, &ctx.base);
 }
 
 #define NAME_LEN               64
diff --git a/target/hppa/translate.c b/target/hppa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/hppa/translate.c
+++ b/target/hppa/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps hppa_tr_ops = {
     .disas_log          = hppa_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
-    translator_loop(&hppa_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &hppa_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUHPPAState *env, TranslationBlock *tb,
diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps i386_tr_ops = {
 };
 
 /* generate intermediate code for basic block 'tb'.  */
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&i386_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &i386_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUX86State *env, TranslationBlock *tb,
diff --git a/target/loongarch/translate.c b/target/loongarch/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/loongarch/translate.c
+++ b/target/loongarch/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps loongarch_tr_ops = {
     .disas_log          = loongarch_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&loongarch_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &loongarch_tr_ops, &ctx.base);
 }
 
 void loongarch_translate_init(void)
diff --git a/target/m68k/translate.c b/target/m68k/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/m68k/translate.c
+++ b/target/m68k/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps m68k_tr_ops = {
     .disas_log          = m68k_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&m68k_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &m68k_tr_ops, &dc.base);
 }
 
 static double floatx80_to_double(CPUM68KState *env, uint16_t high, uint64_t low)
diff --git a/target/microblaze/translate.c b/target/microblaze/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/microblaze/translate.c
+++ b/target/microblaze/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mb_tr_ops = {
     .disas_log          = mb_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&mb_tr_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc, &mb_tr_ops, &dc.base);
 }
 
 void mb_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/mips/tcg/translate.c b/target/mips/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/translate.c
+++ b/target/mips/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps mips_tr_ops = {
     .disas_log          = mips_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&mips_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &mips_tr_ops, &ctx.base);
 }
 
 void mips_tcg_init(void)
diff --git a/target/nios2/translate.c b/target/nios2/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/translate.c
+++ b/target/nios2/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps nios2_tr_ops = {
     .disas_log          = nios2_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
-    translator_loop(&nios2_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &nios2_tr_ops, &dc.base);
 }
 
 void nios2_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/openrisc/translate.c b/target/openrisc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/openrisc/translate.c
+++ b/target/openrisc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps openrisc_tr_ops = {
     .disas_log          = openrisc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&openrisc_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &openrisc_tr_ops, &ctx.base);
 }
 
 void openrisc_cpu_dump_state(CPUState *cs, FILE *f, int flags)
diff --git a/target/ppc/translate.c b/target/ppc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/ppc/translate.c
+++ b/target/ppc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps ppc_tr_ops = {
     .disas_log          = ppc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&ppc_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &ppc_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUPPCState *env, TranslationBlock *tb,
diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps riscv_tr_ops = {
     .disas_log          = riscv_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&riscv_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &riscv_tr_ops, &ctx.base);
 }
 
 void riscv_translate_init(void)
diff --git a/target/rx/translate.c b/target/rx/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/rx/translate.c
+++ b/target/rx/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps rx_tr_ops = {
     .disas_log          = rx_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&rx_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &rx_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPURXState *env, TranslationBlock *tb,
diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps s390x_tr_ops = {
     .disas_log          = s390x_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc;
 
-    translator_loop(&s390x_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &s390x_tr_ops, &dc.base);
 }
 
 void restore_state_to_opc(CPUS390XState *env, TranslationBlock *tb,
diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sh4_tr_ops = {
     .disas_log          = sh4_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
 
-    translator_loop(&sh4_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &sh4_tr_ops, &ctx.base);
 }
 
 void restore_state_to_opc(CPUSH4State *env, TranslationBlock *tb,
diff --git a/target/sparc/translate.c b/target/sparc/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sparc/translate.c
+++ b/target/sparc/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps sparc_tr_ops = {
     .disas_log          = sparc_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = {};
 
-    translator_loop(&sparc_tr_ops, &dc.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc, &sparc_tr_ops, &dc.base);
 }
 
 void sparc_tcg_init(void)
diff --git a/target/tricore/translate.c b/target/tricore/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/tricore/translate.c
+++ b/target/tricore/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps tricore_tr_ops = {
 };
 
 
-void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cs, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext ctx;
-    translator_loop(&tricore_tr_ops, &ctx.base, cs, tb, max_insns);
+    translator_loop(cs, tb, max_insns, pc, host_pc,
+                    &tricore_tr_ops, &ctx.base);
 }
 
 void
diff --git a/target/xtensa/translate.c b/target/xtensa/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/xtensa/translate.c
+++ b/target/xtensa/translate.c
@@ -XXX,XX +XXX,XX @@ static const TranslatorOps xtensa_translator_ops = {
     .disas_log          = xtensa_tr_disas_log,
 };
 
-void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns)
+void gen_intermediate_code(CPUState *cpu, TranslationBlock *tb, int max_insns,
+                           target_ulong pc, void *host_pc)
 {
     DisasContext dc = {};
-    translator_loop(&xtensa_translator_ops, &dc.base, cpu, tb, max_insns);
+    translator_loop(cpu, tb, max_insns, pc, host_pc,
+                    &xtensa_translator_ops, &dc.base);
 }
 
 void xtensa_cpu_dump_state(CPUState *cs, FILE *f, int flags)
-- 
2.34.1

Cache the translation from guest to host address, so we may
use direct loads when we hit on the primary translation page.

Look up the second translation page only once, during translation.
This obviates another lookup of the second page within tb_gen_code
after translation.

Fixes a bug in that plugin_insn_append should be passed the bytes
in the original memory order, not bswapped by pieces.

Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/translator.h |  63 +++++++++++--------
 accel/tcg/translate-all.c |  23 +++----
 accel/tcg/translator.c    | 126 +++++++++++++++++++++++++++++---------
 3 files changed, 141 insertions(+), 71 deletions(-)

diff --git a/include/exec/translator.h b/include/exec/translator.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/translator.h
+++ b/include/exec/translator.h
@@ -XXX,XX +XXX,XX @@ typedef enum DisasJumpType {
  * Architecture-agnostic disassembly context.
  */
 typedef struct DisasContextBase {
-    const TranslationBlock *tb;
+    TranslationBlock *tb;
     target_ulong pc_first;
     target_ulong pc_next;
     DisasJumpType is_jmp;
     int num_insns;
     int max_insns;
     bool singlestep_enabled;
-#ifdef CONFIG_USER_ONLY
-    /*
-     * Guest address of the last byte of the last protected page.
-     *
-     * Pages containing the translated instructions are made non-writable in
-     * order to achieve consistency in case another thread is modifying the
-     * code while translate_insn() fetches the instruction bytes piecemeal.
-     * Such writer threads are blocked on mmap_lock() in page_unprotect().
-     */
-    target_ulong page_protect_end;
-#endif
+    void *host_addr[2];
 } DisasContextBase;
 
 /**
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest);
  * the relevant information at translation time.
  */
 
-#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
-    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
-                           abi_ptr pc, bool do_swap);                   \
-    static inline type fullname(CPUArchState *env,                      \
-                                DisasContextBase *dcbase, abi_ptr pc)   \
-    {                                                                   \
-        return fullname ## _swap(env, dcbase, pc, false);               \
+uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc);
+
+static inline uint16_t
+translator_lduw_swap(CPUArchState *env, DisasContextBase *db,
+                     abi_ptr pc, bool do_swap)
+{
+    uint16_t ret = translator_lduw(env, db, pc);
+    if (do_swap) {
+        ret = bswap16(ret);
     }
+    return ret;
+}
 
-#define FOR_EACH_TRANSLATOR_LD(F)                                       \
-    F(translator_ldub, uint8_t, cpu_ldub_code, /* no swap */)           \
-    F(translator_lduw, uint16_t, cpu_lduw_code, bswap16)                \
-    F(translator_ldl, uint32_t, cpu_ldl_code, bswap32)                  \
-    F(translator_ldq, uint64_t, cpu_ldq_code, bswap64)
+static inline uint32_t
+translator_ldl_swap(CPUArchState *env, DisasContextBase *db,
+                    abi_ptr pc, bool do_swap)
+{
+    uint32_t ret = translator_ldl(env, db, pc);
+    if (do_swap) {
+        ret = bswap32(ret);
+    }
+    return ret;
+}
 
-FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
-
-#undef GEN_TRANSLATOR_LD
+static inline uint64_t
+translator_ldq_swap(CPUArchState *env, DisasContextBase *db,
+                    abi_ptr pc, bool do_swap)
+{
+    uint64_t ret = translator_ldq_swap(env, db, pc, false);
+    if (do_swap) {
+        ret = bswap64(ret);
+    }
+    return ret;
+}
 
 /*
  * Return whether addr is on the same page as where disassembly started.
diff --git a/accel/tcg/translate-all.c b/accel/tcg/translate-all.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
 {
     CPUArchState *env = cpu->env_ptr;
     TranslationBlock *tb, *existing_tb;
-    tb_page_addr_t phys_pc, phys_page2;
-    target_ulong virt_page2;
+    tb_page_addr_t phys_pc;
     tcg_insn_unit *gen_code_buf;
     int gen_code_size, search_size, max_insns;
 #ifdef CONFIG_PROFILER
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     tb->flags = flags;
     tb->cflags = cflags;
     tb->trace_vcpu_dstate = *cpu->trace_dstate;
+    tb->page_addr[0] = phys_pc;
+    tb->page_addr[1] = -1;
     tcg_ctx->tb_cflags = cflags;
  tb_overflow:
 
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
     }
 
     /*
-     * If the TB is not associated with a physical RAM page then
-     * it must be a temporary one-insn TB, and we have nothing to do
-     * except fill in the page_addr[] fields. Return early before
-     * attempting to link to other TBs or add to the lookup table.
+     * If the TB is not associated with a physical RAM page then it must be
+     * a temporary one-insn TB, and we have nothing left to do. Return early
+     * before attempting to link to other TBs or add to the lookup table.
      */
-    if (phys_pc == -1) {
-        tb->page_addr[0] = tb->page_addr[1] = -1;
+    if (tb->page_addr[0] == -1) {
         return tb;
     }
 
@@ -XXX,XX +XXX,XX @@ TranslationBlock *tb_gen_code(CPUState *cpu,
      */
     tcg_tb_insert(tb);
 
-    /* check next page if needed */
-    virt_page2 = (pc + tb->size - 1) & TARGET_PAGE_MASK;
-    phys_page2 = -1;
-    if ((pc & TARGET_PAGE_MASK) != virt_page2) {
-        phys_page2 = get_page_addr_code(env, virt_page2);
-    }
     /*
      * No explicit memory barrier is required -- tb_link_page() makes the
      * TB visible in a consistent state.
      */
-    existing_tb = tb_link_page(tb, phys_pc, phys_page2);
+    existing_tb = tb_link_page(tb, tb->page_addr[0], tb->page_addr[1]);
     /* if the TB already exists, discard what we just translated */
     if (unlikely(existing_tb != tb)) {
         uintptr_t orig_aligned = (uintptr_t)gen_code_buf;
diff --git a/accel/tcg/translator.c b/accel/tcg/translator.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -XXX,XX +XXX,XX @@ bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
     return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
 }
 
-static inline void translator_page_protect(DisasContextBase *dcbase,
-                                           target_ulong pc)
-{
-#ifdef CONFIG_USER_ONLY
-    dcbase->page_protect_end = pc | ~TARGET_PAGE_MASK;
-    page_protect(pc);
-#endif
-}
-
 void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
                      target_ulong pc, void *host_pc,
                      const TranslatorOps *ops, DisasContextBase *db)
@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
     db->num_insns = 0;
     db->max_insns = max_insns;
     db->singlestep_enabled = cflags & CF_SINGLE_STEP;
-    translator_page_protect(db, db->pc_next);
+    db->host_addr[0] = host_pc;
+    db->host_addr[1] = NULL;
+
+#ifdef CONFIG_USER_ONLY
+    page_protect(pc);
+#endif
 
     ops->init_disas_context(db, cpu);
     tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */
@@ -XXX,XX +XXX,XX @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int max_insns,
 #endif
 }
 
-static inline void translator_maybe_page_protect(DisasContextBase *dcbase,
-                                                 target_ulong pc, size_t len)
+static void *translator_access(CPUArchState *env, DisasContextBase *db,
+                               target_ulong pc, size_t len)
 {
-#ifdef CONFIG_USER_ONLY
-    target_ulong end = pc + len - 1;
+    void *host;
+    target_ulong base, end;
+    TranslationBlock *tb;
 
-    if (end > dcbase->page_protect_end) {
-        translator_page_protect(dcbase, end);
+    tb = db->tb;
+
+    /* Use slow path if first page is MMIO. */
+    if (unlikely(tb->page_addr[0] == -1)) {
+        return NULL;
     }
+
+    end = pc + len - 1;
+    if (likely(is_same_page(db, end))) {
+        host = db->host_addr[0];
+        base = db->pc_first;
+    } else {
+        host = db->host_addr[1];
+        base = TARGET_PAGE_ALIGN(db->pc_first);
+        if (host == NULL) {
+            tb->page_addr[1] =
+                get_page_addr_code_hostp(env, base, &db->host_addr[1]);
+#ifdef CONFIG_USER_ONLY
+            page_protect(end);
 #endif
+            /* We cannot handle MMIO as second page. */
+            assert(tb->page_addr[1] != -1);
+            host = db->host_addr[1];
+        }
+
+        /* Use slow path when crossing pages. */
+        if (is_same_page(db, pc)) {
+            return NULL;
+        }
+    }
+
+    tcg_debug_assert(pc >= base);
+    return host + (pc - base);
 }
 
-#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
-    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
-                           abi_ptr pc, bool do_swap)                    \
-    {                                                                   \
-        translator_maybe_page_protect(dcbase, pc, sizeof(type));        \
-        type ret = load_fn(env, pc);                                    \
-        if (do_swap) {                                                  \
-            ret = swap_fn(ret);                                         \
-        }                                                               \
-        plugin_insn_append(pc, &ret, sizeof(ret));                      \
-        return ret;                                                     \
+uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint8_t ret;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldub_p(p);
     }
+    ret = cpu_ldub_code(env, pc);
+    plugin_insn_append(pc, &ret, sizeof(ret));
+    return ret;
+}
 
-FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)
+uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint16_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
 
-#undef GEN_TRANSLATOR_LD
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return lduw_p(p);
+    }
+    ret = cpu_lduw_code(env, pc);
+    plug = tswap16(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
+
+uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint32_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldl_p(p);
+    }
+    ret = cpu_ldl_code(env, pc);
+    plug = tswap32(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
+
+uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+{
+    uint64_t ret, plug;
+    void *p = translator_access(env, db, pc, sizeof(ret));
+
+    if (p) {
+        plugin_insn_append(pc, p, sizeof(ret));
+        return ldq_p(p);
+    }
+    ret = cpu_ldq_code(env, pc);
+    plug = tswap64(ret);
+    plugin_insn_append(pc, &plug, sizeof(ret));
+    return ret;
+}
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Right now translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20220817150506.592862-3-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/s390x/tcg/translate.c     |  15 +++-
 tests/tcg/s390x/noexec.c         | 106 +++++++++++++++++++++++
 tests/tcg/multiarch/noexec.c.inc | 139 +++++++++++++++++++++++++++++++
 tests/tcg/s390x/Makefile.target  |   1 +
 4 files changed, 257 insertions(+), 4 deletions(-)
 create mode 100644 tests/tcg/s390x/noexec.c
 create mode 100644 tests/tcg/multiarch/noexec.c.inc

diff --git a/target/s390x/tcg/translate.c b/target/s390x/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/s390x/tcg/translate.c
+++ b/target/s390x/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_insn_start(DisasContextBase *dcbase, CPUState *cs)
     dc->insn_start = tcg_last_op();
 }
 
+static target_ulong get_next_pc(CPUS390XState *env, DisasContext *s,
+                                uint64_t pc)
+{
+    uint64_t insn = ld_code2(env, s, pc);
+
+    return pc + get_ilen((insn >> 8) & 0xff);
+}
+
 static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 {
     CPUS390XState *env = cs->env_ptr;
@@ -XXX,XX +XXX,XX @@ static void s390x_tr_translate_insn(DisasContextBase *dcbase, CPUState *cs)
 
     dc->base.is_jmp = translate_one(env, dc);
     if (dc->base.is_jmp == DISAS_NEXT) {
-        uint64_t page_start;
-
-        page_start = dc->base.pc_first & TARGET_PAGE_MASK;
-        if (dc->base.pc_next - page_start >= TARGET_PAGE_SIZE || dc->ex_value) {
+        if (!is_same_page(dcbase, dc->base.pc_next) ||
+            !is_same_page(dcbase, get_next_pc(env, dc, dc->base.pc_next)) ||
+            dc->ex_value) {
             dc->base.is_jmp = DISAS_TOO_MANY;
         }
     }
diff --git a/tests/tcg/s390x/noexec.c b/tests/tcg/s390x/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/s390x/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->psw.addr;
+}
+
+static int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->gregs[2];
+}
+
+static void arch_flush(void *p, int len)
+{
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm("noexec_1:\n"
+    "   lgfi %r2,1\n"       /* %r2 is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "   lgfi %r2,2\n"       /* %r2 is 0/1; set 2. */
+    "   br %r14\n"          /* return */
+    "noexec_end:");
+
+extern char exrl_1[];
+extern char exrl_2[];
+extern char exrl_end[];
+
+asm("exrl_1:\n"
+    "   exrl %r0, exrl_2\n"
+    "   br %r14\n"
+    "exrl_2:\n"
+    "   lgfi %r2,2\n"
+    "exrl_end:");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "exrl",
+            .test_code = exrl_1,
+            .test_len = exrl_end - exrl_1,
+            .page_ofs = exrl_1 - exrl_2,
+            .entry_ofs = exrl_1 - exrl_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = exrl_1 - exrl_2,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+        {
+            .name = "exrl [cross]",
+            .test_code = exrl_1,
+            .test_len = exrl_end - exrl_1,
+            .page_ofs = exrl_1 - exrl_2 - 2,
+            .entry_ofs = exrl_1 - exrl_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = exrl_1 - exrl_2 - 2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/multiarch/noexec.c.inc b/tests/tcg/multiarch/noexec.c.inc
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/multiarch/noexec.c.inc
@@ -XXX,XX +XXX,XX @@
+/*
+ * Common code for arch-specific MMU_INST_FETCH fault testing.
+ */
+
+#define _GNU_SOURCE
+
+#include <assert.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <sys/ucontext.h>
+
+/* Forward declarations. */
+
+static void *arch_mcontext_pc(const mcontext_t *ctx);
+static int arch_mcontext_arg(const mcontext_t *ctx);
+static void arch_flush(void *p, int len);
+
+/* Testing infrastructure. */
+
+struct noexec_test {
+    const char *name;
+    const char *test_code;
+    int test_len;
+    int page_ofs;
+    int entry_ofs;
+    int expected_si_ofs;
+    int expected_pc_ofs;
+    int expected_arg;
+};
+
+static void *page_base;
+static int page_size;
+static const struct noexec_test *current_noexec_test;
+
+static void handle_err(const char *syscall)
+{
+    printf("[  FAILED  ] %s: %s\n", syscall, strerror(errno));
+    exit(EXIT_FAILURE);
+}
+
+static void handle_segv(int sig, siginfo_t *info, void *ucontext)
+{
+    const struct noexec_test *test = current_noexec_test;
+    const mcontext_t *mc = &((ucontext_t *)ucontext)->uc_mcontext;
+    void *expected_si;
+    void *expected_pc;
+    void *pc;
+    int arg;
+
+    if (test == NULL) {
+        printf("[  FAILED  ] unexpected SEGV\n");
+        exit(EXIT_FAILURE);
+    }
+    current_noexec_test = NULL;
+
+    expected_si = page_base + test->expected_si_ofs;
+    if (info->si_addr != expected_si) {
+        printf("[  FAILED  ] wrong si_addr (%p != %p)\n",
+               info->si_addr, expected_si);
+        exit(EXIT_FAILURE);
+    }
+
+    pc = arch_mcontext_pc(mc);
+    expected_pc = page_base + test->expected_pc_ofs;
+    if (pc != expected_pc) {
+        printf("[  FAILED  ] wrong pc (%p != %p)\n", pc, expected_pc);
+        exit(EXIT_FAILURE);
+    }
+
+    arg = arch_mcontext_arg(mc);
+    if (arg != test->expected_arg) {
+        printf("[  FAILED  ] wrong arg (%d != %d)\n", arg, test->expected_arg);
+        exit(EXIT_FAILURE);
+    }
+
+    if (mprotect(page_base, page_size,
+                 PROT_READ | PROT_WRITE | PROT_EXEC) < 0) {
+        handle_err("mprotect");
+    }
+}
+
+static void test_noexec_1(const struct noexec_test *test)
+{
+    void *start = page_base + test->page_ofs;
+    void (*fn)(int arg) = page_base + test->entry_ofs;
+
+    memcpy(start, test->test_code, test->test_len);
+    arch_flush(start, test->test_len);
+
+    /* Trigger TB creation in order to test invalidation. */
+    fn(0);
+
+    if (mprotect(page_base, page_size, PROT_NONE) < 0) {
+        handle_err("mprotect");
+    }
+
+    /* Trigger SEGV and check that handle_segv() ran. */
+    current_noexec_test = test;
+    fn(0);
+    assert(current_noexec_test == NULL);
+}
+
+static int test_noexec(struct noexec_test *tests, size_t n_tests)
+{
+    struct sigaction act;
+    size_t i;
+
+    memset(&act, 0, sizeof(act));
+    act.sa_sigaction = handle_segv;
+    act.sa_flags = SA_SIGINFO;
+    if (sigaction(SIGSEGV, &act, NULL) < 0) {
+        handle_err("sigaction");
+    }
+
+    page_size = getpagesize();
+    page_base = mmap(NULL, 2 * page_size,
+                     PROT_READ | PROT_WRITE | PROT_EXEC,
+                     MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+    if (page_base == MAP_FAILED) {
+        handle_err("mmap");
+    }
+    page_base += page_size;
+
+    for (i = 0; i < n_tests; i++) {
+        struct noexec_test *test = &tests[i];
+
+        printf("[ RUN      ] %s\n", test->name);
+        test_noexec_1(test);
+        printf("[       OK ]\n");
+    }
+
+    printf("[  PASSED  ]\n");
+    return EXIT_SUCCESS;
+}
diff --git a/tests/tcg/s390x/Makefile.target b/tests/tcg/s390x/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/s390x/Makefile.target
+++ b/tests/tcg/s390x/Makefile.target
@@ -XXX,XX +XXX,XX @@ TESTS+=shift
 TESTS+=trap
 TESTS+=signals-s390x
 TESTS+=branch-relative-long
+TESTS+=noexec
 
 Z14_TESTS=vfminmax
 vfminmax: LDFLAGS+=-lm
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

Right now translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

An implementation, like the one arm and s390x have, would require an
i386 length disassembler, which is burdensome to maintain. Another
alternative would be to single-step at the end of a guest page, but
this may come with a performance impact.

Fix by snapshotting disassembly state and restoring it after we figure
out we crossed a page boundary. This includes rolling back cc_op
updates and emitted ops.

Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1143
Message-Id: <20220817150506.592862-4-iii@linux.ibm.com>
[rth: Simplify end-of-insn cross-page checks.]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/i386/tcg/translate.c      | 64 ++++++++++++++++-----------
 tests/tcg/x86_64/noexec.c        | 75 ++++++++++++++++++++++++++++++++
 tests/tcg/x86_64/Makefile.target |  3 +-
 3 files changed, 116 insertions(+), 26 deletions(-)
 create mode 100644 tests/tcg/x86_64/noexec.c

diff --git a/target/i386/tcg/translate.c b/target/i386/tcg/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/i386/tcg/translate.c
+++ b/target/i386/tcg/translate.c
@@ -XXX,XX +XXX,XX @@ typedef struct DisasContext {
     TCGv_i64 tmp1_i64;
 
     sigjmp_buf jmpbuf;
+    TCGOp *prev_insn_end;
 } DisasContext;
 
 /* The environment in which user-only runs is constrained. */
@@ -XXX,XX +XXX,XX @@ static uint64_t advance_pc(CPUX86State *env, DisasContext *s, int num_bytes)
 {
     uint64_t pc = s->pc;
 
+    /* This is a subsequent insn that crosses a page boundary.  */
+    if (s->base.num_insns > 1 &&
+        !is_same_page(&s->base, s->pc + num_bytes - 1)) {
+        siglongjmp(s->jmpbuf, 2);
+    }
+
     s->pc += num_bytes;
     if (unlikely(s->pc - s->pc_start > X86_MAX_INSN_LENGTH)) {
         /* If the instruction's 16th byte is on a different page than the 1st, a
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
     int modrm, reg, rm, mod, op, opreg, val;
     target_ulong next_eip, tval;
     target_ulong pc_start = s->base.pc_next;
+    bool orig_cc_op_dirty = s->cc_op_dirty;
+    CCOp orig_cc_op = s->cc_op;
 
     s->pc_start = s->pc = pc_start;
     s->override = -1;
@@ -XXX,XX +XXX,XX @@ static target_ulong disas_insn(DisasContext *s, CPUState *cpu)
     s->rip_offset = 0; /* for relative ip address */
     s->vex_l = 0;
     s->vex_v = 0;
-    if (sigsetjmp(s->jmpbuf, 0) != 0) {
+    switch (sigsetjmp(s->jmpbuf, 0)) {
+    case 0:
+        break;
+    case 1:
         gen_exception_gpf(s);
         return s->pc;
+    case 2:
+        /* Restore state that may affect the next instruction. */
+        s->cc_op_dirty = orig_cc_op_dirty;
+        s->cc_op = orig_cc_op;
+        s->base.num_insns--;
+        tcg_remove_ops_after(s->prev_insn_end);
+        s->base.is_jmp = DISAS_TOO_MANY;
+        return pc_start;
+    default:
+        g_assert_not_reached();
     }
 
     prefixes = 0;
@@ -XXX,XX +XXX,XX @@ static void i386_tr_insn_start(DisasContextBase *dcbase, CPUState *cpu)
 {
     DisasContext *dc = container_of(dcbase, DisasContext, base);
 
+    dc->prev_insn_end = tcg_last_op();
     tcg_gen_insn_start(dc->base.pc_next, dc->cc_op);
 }
 
@@ -XXX,XX +XXX,XX @@ static void i386_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
 #endif
 
     pc_next = disas_insn(dc, cpu);
-
-    if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
-        /* if single step mode, we generate only one instruction and
-           generate an exception */
-        /* if irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
-           the flag and abort the translation to give the irqs a
-           chance to happen */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else if ((tb_cflags(dc->base.tb) & CF_USE_ICOUNT)
-               && ((pc_next & TARGET_PAGE_MASK)
-                   != ((pc_next + TARGET_MAX_INSN_SIZE - 1)
-                       & TARGET_PAGE_MASK)
-                   || (pc_next & ~TARGET_PAGE_MASK) == 0)) {
-        /* Do not cross the boundary of the pages in icount mode,
-           it can cause an exception. Do it only when boundary is
-           crossed by the first instruction in the block.
-           If current instruction already crossed the bound - it's ok,
-           because an exception hasn't stopped this code.
-         */
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    } else if ((pc_next - dc->base.pc_first) >= (TARGET_PAGE_SIZE - 32)) {
-        dc->base.is_jmp = DISAS_TOO_MANY;
-    }
-
     dc->base.pc_next = pc_next;
+
+    if (dc->base.is_jmp == DISAS_NEXT) {
+        if (dc->flags & (HF_TF_MASK | HF_INHIBIT_IRQ_MASK)) {
+            /*
+             * If single step mode, we generate only one instruction and
+             * generate an exception.
+             * If irq were inhibited with HF_INHIBIT_IRQ_MASK, we clear
+             * the flag and abort the translation to give the irqs a
+             * chance to happen.
+             */
+            dc->base.is_jmp = DISAS_TOO_MANY;
+        } else if (!is_same_page(&dc->base, pc_next)) {
+            dc->base.is_jmp = DISAS_TOO_MANY;
+        }
+    }
 }
 
 static void i386_tr_tb_stop(DisasContextBase *dcbase, CPUState *cpu)
diff --git a/tests/tcg/x86_64/noexec.c b/tests/tcg/x86_64/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/x86_64/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->gregs[REG_RIP];
+}
+
+int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->gregs[REG_RDI];
+}
+
+static void arch_flush(void *p, int len)
+{
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm("noexec_1:\n"
+    "    movq $1,%rdi\n"    /* %rdi is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "    movq $2,%rdi\n"    /* %rdi is 0/1; set 2. */
+    "    ret\n"
+    "noexec_end:");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/x86_64/Makefile.target b/tests/tcg/x86_64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/x86_64/Makefile.target
+++ b/tests/tcg/x86_64/Makefile.target
@@ -XXX,XX +XXX,XX @@ include $(SRC_PATH)/tests/tcg/i386/Makefile.target
 
 ifeq ($(filter %-linux-user, $(TARGET)),$(TARGET))
 X86_64_TESTS += vsyscall
+X86_64_TESTS += noexec
 TESTS=$(MULTIARCH_TESTS) $(X86_64_TESTS) test-x86_64
 else
 TESTS=$(MULTIARCH_TESTS)
@@ -XXX,XX +XXX,XX @@ test-x86_64: LDFLAGS+=-lm -lc
 test-x86_64: test-i386.c test-i386.h test-i386-shift.h test-i386-muldiv.h
 	$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 
-vsyscall: $(SRC_PATH)/tests/tcg/x86_64/vsyscall.c
+%: $(SRC_PATH)/tests/tcg/x86_64/%.c
 	$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
-- 
2.34.1

These will be useful in properly ending the TB.

Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static uint32_t opcode_at(DisasContextBase *dcbase, target_ulong pc)
 /* Include decoders for factored-out extensions */
 #include "decode-XVentanaCondOps.c.inc"
 
+/* The specification allows for longer insns, but not supported by qemu. */
+#define MAX_INSN_LEN  4
+
+static inline int insn_len(uint16_t first_word)
+{
+    return (first_word & 3) == 3 ? 4 : 2;
+}
+
 static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
 {
     /*
@@ -XXX,XX +XXX,XX @@ static void decode_opc(CPURISCVState *env, DisasContext *ctx, uint16_t opcode)
     };
 
     /* Check for compressed insn */
-    if (extract16(opcode, 0, 2) != 3) {
+    if (insn_len(opcode) == 2) {
         if (!has_ext(ctx, RVC)) {
             gen_exception_illegal(ctx);
         } else {
-- 
2.34.1

Right now the translator stops right *after* the end of a page, which
breaks reporting of fault locations when the last instruction of a
multi-insn translation block crosses a page boundary.

Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1155
Reviewed-by: Alistair Francis <alistair.francis@wdc.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
Tested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/riscv/translate.c          | 17 +++++--
 tests/tcg/riscv64/noexec.c        | 79 +++++++++++++++++++++++++++++++
 tests/tcg/riscv64/Makefile.target |  1 +
 3 files changed, 93 insertions(+), 4 deletions(-)
 create mode 100644 tests/tcg/riscv64/noexec.c

diff --git a/target/riscv/translate.c b/target/riscv/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/riscv/translate.c
+++ b/target/riscv/translate.c
@@ -XXX,XX +XXX,XX @@ static void riscv_tr_translate_insn(DisasContextBase *dcbase, CPUState *cpu)
     }
     ctx->nftemp = 0;
 
+    /* Only the first insn within a TB is allowed to cross a page boundary. */
     if (ctx->base.is_jmp == DISAS_NEXT) {
-        target_ulong page_start;
-
-        page_start = ctx->base.pc_first & TARGET_PAGE_MASK;
-        if (ctx->base.pc_next - page_start >= TARGET_PAGE_SIZE) {
+        if (!is_same_page(&ctx->base, ctx->base.pc_next)) {
             ctx->base.is_jmp = DISAS_TOO_MANY;
+        } else {
+            unsigned page_ofs = ctx->base.pc_next & ~TARGET_PAGE_MASK;
+
+            if (page_ofs > TARGET_PAGE_SIZE - MAX_INSN_LEN) {
+                uint16_t next_insn = cpu_lduw_code(env, ctx->base.pc_next);
+                int len = insn_len(next_insn);
+
+                if (!is_same_page(&ctx->base, ctx->base.pc_next + len)) {
+                    ctx->base.is_jmp = DISAS_TOO_MANY;
+                }
+            }
         }
     }
 }
diff --git a/tests/tcg/riscv64/noexec.c b/tests/tcg/riscv64/noexec.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/tests/tcg/riscv64/noexec.c
@@ -XXX,XX +XXX,XX @@
+#include "../multiarch/noexec.c.inc"
+
+static void *arch_mcontext_pc(const mcontext_t *ctx)
+{
+    return (void *)ctx->__gregs[REG_PC];
+}
+
+static int arch_mcontext_arg(const mcontext_t *ctx)
+{
+    return ctx->__gregs[REG_A0];
+}
+
+static void arch_flush(void *p, int len)
+{
+    __builtin___clear_cache(p, p + len);
+}
+
+extern char noexec_1[];
+extern char noexec_2[];
+extern char noexec_end[];
+
+asm(".option push\n"
+    ".option norvc\n"
+    "noexec_1:\n"
+    "   li a0,1\n"       /* a0 is 0 on entry, set 1. */
+    "noexec_2:\n"
+    "   li a0,2\n"      /* a0 is 0/1; set 2. */
+    "   ret\n"
+    "noexec_end:\n"
+    ".option pop");
+
+int main(void)
+{
+    struct noexec_test noexec_tests[] = {
+        {
+            .name = "fallthrough",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = noexec_1 - noexec_2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2,
+            .entry_ofs = 0,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = 0,
+            .expected_arg = 0,
+        },
+        {
+            .name = "fallthrough [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = noexec_1 - noexec_2 - 2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 1,
+        },
+        {
+            .name = "jump [cross]",
+            .test_code = noexec_1,
+            .test_len = noexec_end - noexec_1,
+            .page_ofs = noexec_1 - noexec_2 - 2,
+            .entry_ofs = -2,
+            .expected_si_ofs = 0,
+            .expected_pc_ofs = -2,
+            .expected_arg = 0,
+        },
+    };
+
+    return test_noexec(noexec_tests,
+                       sizeof(noexec_tests) / sizeof(noexec_tests[0]));
+}
diff --git a/tests/tcg/riscv64/Makefile.target b/tests/tcg/riscv64/Makefile.target
index XXXXXXX..XXXXXXX 100644
--- a/tests/tcg/riscv64/Makefile.target
+++ b/tests/tcg/riscv64/Makefile.target
@@ -XXX,XX +XXX,XX @@
 
 VPATH += $(SRC_PATH)/tests/tcg/riscv64
 TESTS += test-div
+TESTS += noexec
-- 
2.34.1

The following changes since commit d530697ca20e19f7a626f4c1c8b26fccd0dc4470:

Merge tag 'pull-testing-updates-100523-1' of https://gitlab.com/stsquad/qemu into staging (2023-05-10 16:43:01 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230511

for you to fetch changes up to b2d4d6616c22325dff802e0a35092167f2dc2268:

target/loongarch: Do not include tcg-ldst.h (2023-05-11 06:06:04 +0100)

----------------------------------------------------------------
target/m68k: Fix gen_load_fp regression
accel/tcg: Ensure fairness with icount
disas: Move disas.c into the target-independent source sets
tcg: Use common routines for calling slow path helpers
tcg/*: Cleanups to qemu_ld/st constraints
tcg: Remove TARGET_ALIGNED_ONLY
accel/tcg: Reorg system mode load/store helpers

----------------------------------------------------------------
Jamie Iles (2):
      cpu: expose qemu_cpu_list_lock for lock-guard use
      accel/tcg/tcg-accel-ops-rr: ensure fairness with icount

Richard Henderson (49):
      target/m68k: Fix gen_load_fp for OS_LONG
      accel/tcg: Fix atomic_mmu_lookup for reads
      disas: Fix tabs and braces in disas.c
      disas: Move disas.c to disas/
      disas: Remove target_ulong from the interface
      disas: Remove target-specific headers
      tcg/i386: Introduce prepare_host_addr
      tcg/i386: Use indexed addressing for softmmu fast path
      tcg/aarch64: Introduce prepare_host_addr
      tcg/arm: Introduce prepare_host_addr
      tcg/loongarch64: Introduce prepare_host_addr
      tcg/mips: Introduce prepare_host_addr
      tcg/ppc: Introduce prepare_host_addr
      tcg/riscv: Introduce prepare_host_addr
      tcg/s390x: Introduce prepare_host_addr
      tcg: Add routines for calling slow-path helpers
      tcg/i386: Convert tcg_out_qemu_ld_slow_path
      tcg/i386: Convert tcg_out_qemu_st_slow_path
      tcg/aarch64: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/arm: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/loongarch64: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/mips: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/ppc: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/riscv: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/s390x: Convert tcg_out_qemu_{ld,st}_slow_path
      tcg/loongarch64: Simplify constraints on qemu_ld/st
      tcg/mips: Remove MO_BSWAP handling
      tcg/mips: Reorg tlb load within prepare_host_addr
      tcg/mips: Simplify constraints on qemu_ld/st
      tcg/ppc: Reorg tcg_out_tlb_read
      tcg/ppc: Adjust constraints on qemu_ld/st
      tcg/ppc: Remove unused constraints A, B, C, D
      tcg/ppc: Remove unused constraint J
      tcg/riscv: Simplify constraints on qemu_ld/st
      tcg/s390x: Use ALGFR in constructing softmmu host address
      tcg/s390x: Simplify constraints on qemu_ld/st
      target/mips: Add MO_ALIGN to gen_llwp, gen_scwp
      target/mips: Add missing default_tcg_memop_mask
      target/mips: Use MO_ALIGN instead of 0
      target/mips: Remove TARGET_ALIGNED_ONLY
      target/nios2: Remove TARGET_ALIGNED_ONLY
      target/sh4: Use MO_ALIGN where required
      target/sh4: Remove TARGET_ALIGNED_ONLY
      tcg: Remove TARGET_ALIGNED_ONLY
      accel/tcg: Add cpu_in_serial_context
      accel/tcg: Introduce tlb_read_idx
      accel/tcg: Reorg system mode load helpers
      accel/tcg: Reorg system mode store helpers
      target/loongarch: Do not include tcg-ldst.h

Thomas Huth (2):
      disas: Move softmmu specific code to separate file
      disas: Move disas.c into the target-independent source set

A copy-paste bug had us looking at the victim cache for writes.

Cc: qemu-stable@nongnu.org
Reported-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Fixes: 08dff435e2 ("tcg: Probe the proper permissions for atomic ops")
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-Id: <20230505204049.352469-1-richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
     } else /* if (prot & PAGE_READ) */ {
         tlb_addr = tlbe->addr_read;
         if (!tlb_hit(tlb_addr, addr)) {
-            if (!VICTIM_TLB_HIT(addr_write, addr)) {
+            if (!VICTIM_TLB_HIT(addr_read, addr)) {
                 tlb_fill(env_cpu(env), addr, size,
                          MMU_DATA_LOAD, mmu_idx, retaddr);
                 index = tlb_index(env, mmu_idx, addr);
-- 
2.34.1

Fix these before moving the file, for checkpatch.pl.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230510170812.663149-1-richard.henderson@linaro.org>
---
 disas.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/disas.c b/disas.c
index XXXXXXX..XXXXXXX 100644
--- a/disas.c
+++ b/disas.c
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, target_ulong code,
     }
 
     for (pc = code; size > 0; pc += count, size -= count) {
-	fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
-	count = s.info.print_insn(pc, &s.info);
-	fprintf(out, "\n");
-	if (count < 0)
-	    break;
+        fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
+        count = s.info.print_insn(pc, &s.info);
+        fprintf(out, "\n");
+        if (count < 0) {
+            break;
+        }
         if (size < count) {
             fprintf(out,
                     "Disassembler disagrees with translator over instruction "
-- 
2.34.1

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230503072331.1747057-80-richard.henderson@linaro.org>
---
 meson.build              | 3 ---
 disas.c => disas/disas.c | 0
 disas/meson.build        | 4 +++-
 3 files changed, 3 insertions(+), 4 deletions(-)
 rename disas.c => disas/disas.c (100%)

diff --git a/meson.build b/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/meson.build
+++ b/meson.build
@@ -XXX,XX +XXX,XX @@ specific_ss.add(files('cpu.c'))
 
 subdir('softmmu')
 
-common_ss.add(capstone)
-specific_ss.add(files('disas.c'), capstone)
-
 # Work around a gcc bug/misfeature wherein constant propagation looks
 # through an alias:
 #   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99696
diff --git a/disas.c b/disas/disas.c
similarity index 100%
rename from disas.c
rename to disas/disas.c
diff --git a/disas/meson.build b/disas/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/disas/meson.build
+++ b/disas/meson.build
@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_RISCV_DIS', if_true: files('riscv.c'))
 common_ss.add(when: 'CONFIG_SH4_DIS', if_true: files('sh4.c'))
 common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
 common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
-common_ss.add(when: capstone, if_true: files('capstone.c'))
+common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
+
+specific_ss.add(files('disas.c'), capstone)
-- 
2.34.1

Use uint64_t for the pc, and size_t for the size.

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230503072331.1747057-81-richard.henderson@linaro.org>
---
 include/disas/disas.h | 17 ++++++-----------
 bsd-user/elfload.c    |  5 +++--
 disas/disas.c         | 19 +++++++++----------
 linux-user/elfload.c  |  5 +++--
 4 files changed, 21 insertions(+), 25 deletions(-)

diff --git a/include/disas/disas.h b/include/disas/disas.h
index XXXXXXX..XXXXXXX 100644
--- a/include/disas/disas.h
+++ b/include/disas/disas.h
@@ -XXX,XX +XXX,XX @@
 #include "cpu.h"
 
 /* Disassemble this for me please... (debugging). */
-void disas(FILE *out, const void *code, unsigned long size);
-void target_disas(FILE *out, CPUState *cpu, target_ulong code,
-                  target_ulong size);
+void disas(FILE *out, const void *code, size_t size);
+void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size);
 
-void monitor_disas(Monitor *mon, CPUState *cpu,
-                   target_ulong pc, int nb_insn, int is_physical);
+void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
+                   int nb_insn, bool is_physical);
 
 char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size);
 
 /* Look up symbol for debugging purpose.  Returns "" if unknown. */
-const char *lookup_symbol(target_ulong orig_addr);
+const char *lookup_symbol(uint64_t orig_addr);
 #endif
 
 struct syminfo;
 struct elf32_sym;
 struct elf64_sym;
 
-#if defined(CONFIG_USER_ONLY)
-typedef const char *(*lookup_symbol_t)(struct syminfo *s, target_ulong orig_addr);
-#else
-typedef const char *(*lookup_symbol_t)(struct syminfo *s, hwaddr orig_addr);
-#endif
+typedef const char *(*lookup_symbol_t)(struct syminfo *s, uint64_t orig_addr);
 
 struct syminfo {
     lookup_symbol_t lookup_symbol;
diff --git a/bsd-user/elfload.c b/bsd-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/bsd-user/elfload.c
+++ b/bsd-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static abi_ulong load_elf_interp(struct elfhdr *interp_elf_ex,
 
 static int symfind(const void *s0, const void *s1)
 {
-    target_ulong addr = *(target_ulong *)s0;
+    __typeof(sym->st_value) addr = *(uint64_t *)s0;
     struct elf_sym *sym = (struct elf_sym *)s1;
     int result = 0;
+
     if (addr < sym->st_value) {
         result = -1;
     } else if (addr >= sym->st_value + sym->st_size) {
@@ -XXX,XX +XXX,XX @@ static int symfind(const void *s0, const void *s1)
     return result;
 }
 
-static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
+static const char *lookup_symbolxx(struct syminfo *s, uint64_t orig_addr)
 {
 #if ELF_CLASS == ELFCLASS32
     struct elf_sym *syms = s->disas_symtab.elf32;
diff --git a/disas/disas.c b/disas/disas.c
index XXXXXXX..XXXXXXX 100644
--- a/disas/disas.c
+++ b/disas/disas.c
@@ -XXX,XX +XXX,XX @@ static void initialize_debug_host(CPUDebug *s)
 }
 
 /* Disassemble this for me please... (debugging).  */
-void target_disas(FILE *out, CPUState *cpu, target_ulong code,
-                  target_ulong size)
+void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
 {
-    target_ulong pc;
+    uint64_t pc;
     int count;
     CPUDebug s;
 
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, target_ulong code,
     }
 
     for (pc = code; size > 0; pc += count, size -= count) {
-        fprintf(out, "0x" TARGET_FMT_lx ":  ", pc);
+        fprintf(out, "0x%08" PRIx64 ":  ", pc);
         count = s.info.print_insn(pc, &s.info);
         fprintf(out, "\n");
         if (count < 0) {
@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size)
 }
 
 /* Disassemble this for me please... (debugging). */
-void disas(FILE *out, const void *code, unsigned long size)
+void disas(FILE *out, const void *code, size_t size)
 {
     uintptr_t pc;
     int count;
@@ -XXX,XX +XXX,XX @@ void disas(FILE *out, const void *code, unsigned long size)
 }
 
 /* Look up symbol for debugging purpose.  Returns "" if unknown. */
-const char *lookup_symbol(target_ulong orig_addr)
+const char *lookup_symbol(uint64_t orig_addr)
 {
     const char *symbol = "";
     struct syminfo *s;
@@ -XXX,XX +XXX,XX @@ physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
 }
 
 /* Disassembler for the monitor.  */
-void monitor_disas(Monitor *mon, CPUState *cpu,
-                   target_ulong pc, int nb_insn, int is_physical)
+void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
+                   int nb_insn, bool is_physical)
 {
     int count, i;
     CPUDebug s;
@@ -XXX,XX +XXX,XX @@ void monitor_disas(Monitor *mon, CPUState *cpu,
     }
 
     if (!s.info.print_insn) {
-        monitor_printf(mon, "0x" TARGET_FMT_lx
+        monitor_printf(mon, "0x%08" PRIx64
                        ": Asm output not supported on this arch\n", pc);
         return;
     }
 
     for (i = 0; i < nb_insn; i++) {
-        g_string_append_printf(ds, "0x" TARGET_FMT_lx ":  ", pc);
+        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
         count = s.info.print_insn(pc, &s.info);
         g_string_append_c(ds, '\n');
         if (count < 0) {
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@ static void load_elf_interp(const char *filename, struct image_info *info,
 
 static int symfind(const void *s0, const void *s1)
 {
-    target_ulong addr = *(target_ulong *)s0;
     struct elf_sym *sym = (struct elf_sym *)s1;
+    __typeof(sym->st_value) addr = *(uint64_t *)s0;
     int result = 0;
+
     if (addr < sym->st_value) {
         result = -1;
     } else if (addr >= sym->st_value + sym->st_size) {
@@ -XXX,XX +XXX,XX @@ static int symfind(const void *s0, const void *s1)
     return result;
 }
 
-static const char *lookup_symbolxx(struct syminfo *s, target_ulong orig_addr)
+static const char *lookup_symbolxx(struct syminfo *s, uint64_t orig_addr)
 {
 #if ELF_CLASS == ELFCLASS32
     struct elf_sym *syms = s->disas_symtab.elf32;
-- 
2.34.1

Reviewed-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230503072331.1747057-83-richard.henderson@linaro.org>
---
 include/disas/disas.h | 6 ------
 disas/disas.c         | 3 ++-
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/include/disas/disas.h b/include/disas/disas.h
index XXXXXXX..XXXXXXX 100644
--- a/include/disas/disas.h
+++ b/include/disas/disas.h
@@ -XXX,XX +XXX,XX @@
 #ifndef QEMU_DISAS_H
 #define QEMU_DISAS_H
 
-#include "exec/hwaddr.h"
-
-#ifdef NEED_CPU_H
-#include "cpu.h"
-
 /* Disassemble this for me please... (debugging). */
 void disas(FILE *out, const void *code, size_t size);
 void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size);
@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size);
 
 /* Look up symbol for debugging purpose.  Returns "" if unknown. */
 const char *lookup_symbol(uint64_t orig_addr);
-#endif
 
 struct syminfo;
 struct elf32_sym;
diff --git a/disas/disas.c b/disas/disas.c
index XXXXXXX..XXXXXXX 100644
--- a/disas/disas.c
+++ b/disas/disas.c
@@ -XXX,XX +XXX,XX @@
 #include "disas/dis-asm.h"
 #include "elf.h"
 #include "qemu/qemu-print.h"
-
 #include "disas/disas.h"
 #include "disas/capstone.h"
+#include "hw/core/cpu.h"
+#include "exec/memory.h"
 
 typedef struct CPUDebug {
     struct disassemble_info info;
-- 
2.34.1

From: Thomas Huth <thuth@redhat.com>

We'd like to move disas.c into the common code source set, where
CONFIG_USER_ONLY is not available anymore. So we have to move
the related code into a separate file instead.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230508133745.109463-2-thuth@redhat.com>
[rth: Type change done in a separate patch]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 disas/disas-internal.h | 21 ++++++++++++
 disas/disas-mon.c      | 65 ++++++++++++++++++++++++++++++++++++
 disas/disas.c          | 76 ++++--------------------------------------
 disas/meson.build      |  1 +
 4 files changed, 93 insertions(+), 70 deletions(-)
 create mode 100644 disas/disas-internal.h
 create mode 100644 disas/disas-mon.c

diff --git a/disas/disas-internal.h b/disas/disas-internal.h
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/disas/disas-internal.h
@@ -XXX,XX +XXX,XX @@
+/*
+ * Definitions used internally in the disassembly code
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#ifndef DISAS_INTERNAL_H
+#define DISAS_INTERNAL_H
+
+#include "disas/dis-asm.h"
+
+typedef struct CPUDebug {
+    struct disassemble_info info;
+    CPUState *cpu;
+} CPUDebug;
+
+void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu);
+int disas_gstring_printf(FILE *stream, const char *fmt, ...)
+    G_GNUC_PRINTF(2, 3);
+
+#endif
diff --git a/disas/disas-mon.c b/disas/disas-mon.c
new file mode 100644
index XXXXXXX..XXXXXXX
--- /dev/null
+++ b/disas/disas-mon.c
@@ -XXX,XX +XXX,XX @@
+/*
+ * Functions related to disassembly from the monitor
+ *
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ */
+
+#include "qemu/osdep.h"
+#include "disas-internal.h"
+#include "disas/disas.h"
+#include "exec/memory.h"
+#include "hw/core/cpu.h"
+#include "monitor/monitor.h"
+
+static int
+physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
+                     struct disassemble_info *info)
+{
+    CPUDebug *s = container_of(info, CPUDebug, info);
+    MemTxResult res;
+
+    res = address_space_read(s->cpu->as, memaddr, MEMTXATTRS_UNSPECIFIED,
+                             myaddr, length);
+    return res == MEMTX_OK ? 0 : EIO;
+}
+
+/* Disassembler for the monitor.  */
+void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
+                   int nb_insn, bool is_physical)
+{
+    int count, i;
+    CPUDebug s;
+    g_autoptr(GString) ds = g_string_new("");
+
+    disas_initialize_debug_target(&s, cpu);
+    s.info.fprintf_func = disas_gstring_printf;
+    s.info.stream = (FILE *)ds;  /* abuse this slot */
+
+    if (is_physical) {
+        s.info.read_memory_func = physical_read_memory;
+    }
+    s.info.buffer_vma = pc;
+
+    if (s.info.cap_arch >= 0 && cap_disas_monitor(&s.info, pc, nb_insn)) {
+        monitor_puts(mon, ds->str);
+        return;
+    }
+
+    if (!s.info.print_insn) {
+        monitor_printf(mon, "0x%08" PRIx64
+                       ": Asm output not supported on this arch\n", pc);
+        return;
+    }
+
+    for (i = 0; i < nb_insn; i++) {
+        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
+        count = s.info.print_insn(pc, &s.info);
+        g_string_append_c(ds, '\n');
+        if (count < 0) {
+            break;
+        }
+        pc += count;
+    }
+
+    monitor_puts(mon, ds->str);
+}
diff --git a/disas/disas.c b/disas/disas.c
index XXXXXXX..XXXXXXX 100644
--- a/disas/disas.c
+++ b/disas/disas.c
@@ -XXX,XX +XXX,XX @@
 /* General "disassemble this chunk" code.  Used for debugging. */
 #include "qemu/osdep.h"
-#include "disas/dis-asm.h"
+#include "disas/disas-internal.h"
 #include "elf.h"
 #include "qemu/qemu-print.h"
 #include "disas/disas.h"
@@ -XXX,XX +XXX,XX @@
 #include "hw/core/cpu.h"
 #include "exec/memory.h"
 
-typedef struct CPUDebug {
-    struct disassemble_info info;
-    CPUState *cpu;
-} CPUDebug;
-
 /* Filled in by elfload.c.  Simplistic, but will do for now. */
 struct syminfo *syminfos = NULL;
 
@@ -XXX,XX +XXX,XX @@ static void initialize_debug(CPUDebug *s)
     s->info.symbol_at_address_func = symbol_at_address;
 }
 
-static void initialize_debug_target(CPUDebug *s, CPUState *cpu)
+void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu)
 {
     initialize_debug(s);
 
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
     int count;
     CPUDebug s;
 
-    initialize_debug_target(&s, cpu);
+    disas_initialize_debug_target(&s, cpu);
     s.info.fprintf_func = fprintf;
     s.info.stream = out;
     s.info.buffer_vma = code;
@@ -XXX,XX +XXX,XX @@ void target_disas(FILE *out, CPUState *cpu, uint64_t code, size_t size)
     }
 }
 
-static int G_GNUC_PRINTF(2, 3)
-gstring_printf(FILE *stream, const char *fmt, ...)
+int disas_gstring_printf(FILE *stream, const char *fmt, ...)
 {
     /* We abuse the FILE parameter to pass a GString. */
     GString *s = (GString *)stream;
@@ -XXX,XX +XXX,XX @@ char *plugin_disas(CPUState *cpu, uint64_t addr, size_t size)
     CPUDebug s;
     GString *ds = g_string_new(NULL);
 
-    initialize_debug_target(&s, cpu);
-    s.info.fprintf_func = gstring_printf;
+    disas_initialize_debug_target(&s, cpu);
+    s.info.fprintf_func = disas_gstring_printf;
     s.info.stream = (FILE *)ds;  /* abuse this slot */
     s.info.buffer_vma = addr;
     s.info.buffer_length = size;
@@ -XXX,XX +XXX,XX @@ const char *lookup_symbol(uint64_t orig_addr)
 
     return symbol;
 }
-
-#if !defined(CONFIG_USER_ONLY)
-
-#include "monitor/monitor.h"
-
-static int
-physical_read_memory(bfd_vma memaddr, bfd_byte *myaddr, int length,
-                     struct disassemble_info *info)
-{
-    CPUDebug *s = container_of(info, CPUDebug, info);
-    MemTxResult res;
-
-    res = address_space_read(s->cpu->as, memaddr, MEMTXATTRS_UNSPECIFIED,
-                             myaddr, length);
-    return res == MEMTX_OK ? 0 : EIO;
-}
-
-/* Disassembler for the monitor.  */
-void monitor_disas(Monitor *mon, CPUState *cpu, uint64_t pc,
-                   int nb_insn, bool is_physical)
-{
-    int count, i;
-    CPUDebug s;
-    g_autoptr(GString) ds = g_string_new("");
-
-    initialize_debug_target(&s, cpu);
-    s.info.fprintf_func = gstring_printf;
-    s.info.stream = (FILE *)ds;  /* abuse this slot */
-
-    if (is_physical) {
-        s.info.read_memory_func = physical_read_memory;
-    }
-    s.info.buffer_vma = pc;
-
-    if (s.info.cap_arch >= 0 && cap_disas_monitor(&s.info, pc, nb_insn)) {
-        monitor_puts(mon, ds->str);
-        return;
-    }
-
-    if (!s.info.print_insn) {
-        monitor_printf(mon, "0x%08" PRIx64
-                       ": Asm output not supported on this arch\n", pc);
-        return;
-    }
-
-    for (i = 0; i < nb_insn; i++) {
-        g_string_append_printf(ds, "0x%08" PRIx64 ":  ", pc);
-        count = s.info.print_insn(pc, &s.info);
-        g_string_append_c(ds, '\n');
-        if (count < 0) {
-            break;
-        }
-        pc += count;
-    }
-
-    monitor_puts(mon, ds->str);
-}
-#endif
diff --git a/disas/meson.build b/disas/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/disas/meson.build
+++ b/disas/meson.build
@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
 common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
 common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
 
+softmmu_ss.add(files('disas-mon.c'))
 specific_ss.add(files('disas.c'), capstone)
-- 
2.34.1

From: Thomas Huth <thuth@redhat.com>

By using target_words_bigendian() instead of an ifdef,
we can build this code once.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Message-Id: <20230508133745.109463-3-thuth@redhat.com>
[rth: Type change done in a separate patch]
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 disas/disas.c     | 10 +++++-----
 disas/meson.build |  3 ++-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/disas/disas.c b/disas/disas.c
index XXXXXXX..XXXXXXX 100644
--- a/disas/disas.c
+++ b/disas/disas.c
@@ -XXX,XX +XXX,XX @@ void disas_initialize_debug_target(CPUDebug *s, CPUState *cpu)
     s->cpu = cpu;
     s->info.read_memory_func = target_read_memory;
     s->info.print_address_func = print_address;
-#if TARGET_BIG_ENDIAN
-    s->info.endian = BFD_ENDIAN_BIG;
-#else
-    s->info.endian = BFD_ENDIAN_LITTLE;
-#endif
+    if (target_words_bigendian()) {
+        s->info.endian = BFD_ENDIAN_BIG;
+    } else {
+        s->info.endian =  BFD_ENDIAN_LITTLE;
+    }
 
     CPUClass *cc = CPU_GET_CLASS(cpu);
     if (cc->disas_set_info) {
diff --git a/disas/meson.build b/disas/meson.build
index XXXXXXX..XXXXXXX 100644
--- a/disas/meson.build
+++ b/disas/meson.build
@@ -XXX,XX +XXX,XX @@ common_ss.add(when: 'CONFIG_SH4_DIS', if_true: files('sh4.c'))
 common_ss.add(when: 'CONFIG_SPARC_DIS', if_true: files('sparc.c'))
 common_ss.add(when: 'CONFIG_XTENSA_DIS', if_true: files('xtensa.c'))
 common_ss.add(when: capstone, if_true: [files('capstone.c'), capstone])
+common_ss.add(files('disas.c'))
 
 softmmu_ss.add(files('disas-mon.c'))
-specific_ss.add(files('disas.c'), capstone)
+specific_ss.add(capstone)
-- 
2.34.1

From: Jamie Iles <quic_jiles@quicinc.com>

Expose qemu_cpu_list_lock globally so that we can use
WITH_QEMU_LOCK_GUARD and QEMU_LOCK_GUARD to simplify a few code paths
now and in future.

Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230427020925.51003-2-quic_jiles@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu-common.h |  1 +
 cpus-common.c             |  2 +-
 linux-user/elfload.c      | 13 +++++++------
 migration/dirtyrate.c     | 26 +++++++++++++-------------
 trace/control-target.c    |  9 ++++-----
 5 files changed, 26 insertions(+), 25 deletions(-)

diff --git a/include/exec/cpu-common.h b/include/exec/cpu-common.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-common.h
+++ b/include/exec/cpu-common.h
@@ -XXX,XX +XXX,XX @@ extern intptr_t qemu_host_page_mask;
 #define REAL_HOST_PAGE_ALIGN(addr) ROUND_UP((addr), qemu_real_host_page_size())
 
 /* The CPU list lock nests outside page_(un)lock or mmap_(un)lock */
+extern QemuMutex qemu_cpu_list_lock;
 void qemu_init_cpu_list(void);
 void cpu_list_lock(void);
 void cpu_list_unlock(void);
diff --git a/cpus-common.c b/cpus-common.c
index XXXXXXX..XXXXXXX 100644
--- a/cpus-common.c
+++ b/cpus-common.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/lockable.h"
 #include "trace/trace-root.h"
 
-static QemuMutex qemu_cpu_list_lock;
+QemuMutex qemu_cpu_list_lock;
 static QemuCond exclusive_cond;
 static QemuCond exclusive_resume;
 static QemuCond qemu_work_cond;
diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -XXX,XX +XXX,XX @@
 #include "qemu/guest-random.h"
 #include "qemu/units.h"
 #include "qemu/selfmap.h"
+#include "qemu/lockable.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "target_signal.h"
@@ -XXX,XX +XXX,XX @@ static int fill_note_info(struct elf_note_info *info,
         info->notes_size += note_size(&info->notes[i]);
 
     /* read and fill status of all threads */
-    cpu_list_lock();
-    CPU_FOREACH(cpu) {
-        if (cpu == thread_cpu) {
-            continue;
+    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
+        CPU_FOREACH(cpu) {
+            if (cpu == thread_cpu) {
+                continue;
+            }
+            fill_thread_info(info, cpu->env_ptr);
         }
-        fill_thread_info(info, cpu->env_ptr);
     }
-    cpu_list_unlock();
 
     return (0);
 }
diff --git a/migration/dirtyrate.c b/migration/dirtyrate.c
index XXXXXXX..XXXXXXX 100644
--- a/migration/dirtyrate.c
+++ b/migration/dirtyrate.c
@@ -XXX,XX +XXX,XX @@ int64_t vcpu_calculate_dirtyrate(int64_t calc_time_ms,
 retry:
     init_time_ms = qemu_clock_get_ms(QEMU_CLOCK_REALTIME);
 
-    cpu_list_lock();
-    gen_id = cpu_list_generation_id_get();
-    records = vcpu_dirty_stat_alloc(stat);
-    vcpu_dirty_stat_collect(stat, records, true);
-    cpu_list_unlock();
+    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
+        gen_id = cpu_list_generation_id_get();
+        records = vcpu_dirty_stat_alloc(stat);
+        vcpu_dirty_stat_collect(stat, records, true);
+    }
 
     duration = dirty_stat_wait(calc_time_ms, init_time_ms);
 
     global_dirty_log_sync(flag, one_shot);
 
-    cpu_list_lock();
-    if (gen_id != cpu_list_generation_id_get()) {
-        g_free(records);
-        g_free(stat->rates);
-        cpu_list_unlock();
-        goto retry;
+    WITH_QEMU_LOCK_GUARD(&qemu_cpu_list_lock) {
+        if (gen_id != cpu_list_generation_id_get()) {
+            g_free(records);
+            g_free(stat->rates);
+            cpu_list_unlock();
+            goto retry;
+        }
+        vcpu_dirty_stat_collect(stat, records, false);
     }
-    vcpu_dirty_stat_collect(stat, records, false);
-    cpu_list_unlock();
 
     for (i = 0; i < stat->nvcpu; i++) {
         dirtyrate = do_calculate_dirtyrate(records[i], duration);
diff --git a/trace/control-target.c b/trace/control-target.c
index XXXXXXX..XXXXXXX 100644
--- a/trace/control-target.c
+++ b/trace/control-target.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/lockable.h"
 #include "cpu.h"
 #include "trace/trace-root.h"
 #include "trace/control.h"
@@ -XXX,XX +XXX,XX @@ static bool adding_first_cpu1(void)
 
 static bool adding_first_cpu(void)
 {
-    bool res;
-    cpu_list_lock();
-    res = adding_first_cpu1();
-    cpu_list_unlock();
-    return res;
+    QEMU_LOCK_GUARD(&qemu_cpu_list_lock);
+
+    return adding_first_cpu1();
 }
 
 void trace_init_vcpu(CPUState *vcpu)
-- 
2.34.1

From: Jamie Iles <quic_jiles@quicinc.com>

The round-robin scheduler will iterate over the CPU list with an
assigned budget until the next timer expiry and may exit early because
of a TB exit.  This is fine under normal operation but with icount
enabled and SMP it is possible for a CPU to be starved of run time and
the system live-locks.

For example, booting a riscv64 platform with '-icount
shift=0,align=off,sleep=on -smp 2' we observe a livelock once the kernel
has timers enabled and starts performing TLB shootdowns.  In this case
we have CPU 0 in M-mode with interrupts disabled sending an IPI to CPU
1.  As we enter the TCG loop, we assign the icount budget to next timer
interrupt to CPU 0 and begin executing where the guest is sat in a busy
loop exhausting all of the budget before we try to execute CPU 1 which
is the target of the IPI but CPU 1 is left with no budget with which to
execute and the process repeats.

We try here to add some fairness by splitting the budget across all of
the CPUs on the thread fairly before entering each one.  The CPU count
is cached on CPU list generation ID to avoid iterating the list on each
loop iteration.  With this change it is possible to boot an SMP rv64
guest with icount enabled and no hangs.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Tested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230427020925.51003-3-quic_jiles@quicinc.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/tcg-accel-ops-icount.h |  3 ++-
 accel/tcg/tcg-accel-ops-icount.c | 21 ++++++++++++++----
 accel/tcg/tcg-accel-ops-rr.c     | 37 +++++++++++++++++++++++++++++++-
 replay/replay.c                  |  3 +--
 4 files changed, 56 insertions(+), 8 deletions(-)

diff --git a/accel/tcg/tcg-accel-ops-icount.h b/accel/tcg/tcg-accel-ops-icount.h
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-accel-ops-icount.h
+++ b/accel/tcg/tcg-accel-ops-icount.h
@@ -XXX,XX +XXX,XX @@
 #define TCG_ACCEL_OPS_ICOUNT_H
 
 void icount_handle_deadline(void);
-void icount_prepare_for_run(CPUState *cpu);
+void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget);
+int64_t icount_percpu_budget(int cpu_count);
 void icount_process_data(CPUState *cpu);
 
 void icount_handle_interrupt(CPUState *cpu, int mask);
diff --git a/accel/tcg/tcg-accel-ops-icount.c b/accel/tcg/tcg-accel-ops-icount.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-accel-ops-icount.c
+++ b/accel/tcg/tcg-accel-ops-icount.c
@@ -XXX,XX +XXX,XX @@ void icount_handle_deadline(void)
     }
 }
 
-void icount_prepare_for_run(CPUState *cpu)
+/* Distribute the budget evenly across all CPUs */
+int64_t icount_percpu_budget(int cpu_count)
+{
+    int64_t limit = icount_get_limit();
+    int64_t timeslice = limit / cpu_count;
+
+    if (timeslice == 0) {
+        timeslice = limit;
+    }
+
+    return timeslice;
+}
+
+void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget)
 {
     int insns_left;
 
@@ -XXX,XX +XXX,XX @@ void icount_prepare_for_run(CPUState *cpu)
     g_assert(cpu_neg(cpu)->icount_decr.u16.low == 0);
     g_assert(cpu->icount_extra == 0);
 
-    cpu->icount_budget = icount_get_limit();
+    replay_mutex_lock();
+
+    cpu->icount_budget = MIN(icount_get_limit(), cpu_budget);
     insns_left = MIN(0xffff, cpu->icount_budget);
     cpu_neg(cpu)->icount_decr.u16.low = insns_left;
     cpu->icount_extra = cpu->icount_budget - insns_left;
 
-    replay_mutex_lock();
-
     if (cpu->icount_budget == 0) {
         /*
          * We're called without the iothread lock, so must take it while
diff --git a/accel/tcg/tcg-accel-ops-rr.c b/accel/tcg/tcg-accel-ops-rr.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tcg-accel-ops-rr.c
+++ b/accel/tcg/tcg-accel-ops-rr.c
@@ -XXX,XX +XXX,XX @@
  */
 
 #include "qemu/osdep.h"
+#include "qemu/lockable.h"
 #include "sysemu/tcg.h"
 #include "sysemu/replay.h"
 #include "sysemu/cpu-timers.h"
@@ -XXX,XX +XXX,XX @@ static void rr_force_rcu(Notifier *notify, void *data)
     rr_kick_next_cpu();
 }
 
+/*
+ * Calculate the number of CPUs that we will process in a single iteration of
+ * the main CPU thread loop so that we can fairly distribute the instruction
+ * count across CPUs.
+ *
+ * The CPU count is cached based on the CPU list generation ID to avoid
+ * iterating the list every time.
+ */
+static int rr_cpu_count(void)
+{
+    static unsigned int last_gen_id = ~0;
+    static int cpu_count;
+    CPUState *cpu;
+
+    QEMU_LOCK_GUARD(&qemu_cpu_list_lock);
+
+    if (cpu_list_generation_id_get() != last_gen_id) {
+        cpu_count = 0;
+        CPU_FOREACH(cpu) {
+            ++cpu_count;
+        }
+        last_gen_id = cpu_list_generation_id_get();
+    }
+
+    return cpu_count;
+}
+
 /*
  * In the single-threaded case each vCPU is simulated in turn. If
  * there is more than a single vCPU we create a simple timer to kick
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
     cpu->exit_request = 1;
 
     while (1) {
+        /* Only used for icount_enabled() */
+        int64_t cpu_budget = 0;
+
         qemu_mutex_unlock_iothread();
         replay_mutex_lock();
         qemu_mutex_lock_iothread();
 
         if (icount_enabled()) {
+            int cpu_count = rr_cpu_count();
+
             /* Account partial waits to QEMU_CLOCK_VIRTUAL.  */
             icount_account_warp_timer();
             /*
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
              * waking up the I/O thread and waiting for completion.
              */
             icount_handle_deadline();
+
+            cpu_budget = icount_percpu_budget(cpu_count);
         }
 
         replay_mutex_unlock();
@@ -XXX,XX +XXX,XX @@ static void *rr_cpu_thread_fn(void *arg)
 
                 qemu_mutex_unlock_iothread();
                 if (icount_enabled()) {
-                    icount_prepare_for_run(cpu);
+                    icount_prepare_for_run(cpu, cpu_budget);
                 }
                 r = tcg_cpus_exec(cpu);
                 if (icount_enabled()) {
diff --git a/replay/replay.c b/replay/replay.c
index XXXXXXX..XXXXXXX 100644
--- a/replay/replay.c
+++ b/replay/replay.c
@@ -XXX,XX +XXX,XX @@ uint64_t replay_get_current_icount(void)
 int replay_get_instructions(void)
 {
     int res = 0;
-    replay_mutex_lock();
+    g_assert(replay_mutex_locked());
     if (replay_next_event_is(EVENT_INSTRUCTION)) {
         res = replay_state.instruction_count;
         if (replay_break_icount != -1LL) {
@@ -XXX,XX +XXX,XX @@ int replay_get_instructions(void)
             }
         }
     }
-    replay_mutex_unlock();
     return res;
 }
 
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label,
tcg_out_test_alignment, and some code that lived in both
tcg_out_qemu_ld and tcg_out_qemu_st into one function
that returns HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target.c.inc | 346 ++++++++++++++++----------------------
 1 file changed, 145 insertions(+), 201 deletions(-)

diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
     [MO_BEUQ] = helper_be_stq_mmu,
 };
 
-/* Perform the TLB load and compare.
-
-   Inputs:
-   ADDRLO and ADDRHI contain the low and high part of the address.
-
-   MEM_INDEX and S_BITS are the memory context and log2 size of the load.
-
-   WHICH is the offset into the CPUTLBEntry structure of the slot to read.
-   This should be offsetof addr_read or addr_write.
-
-   Outputs:
-   LABEL_PTRS is filled with 1 (32-bit addresses) or 2 (64-bit addresses)
-   positions of the displacements of forward jumps to the TLB miss case.
-
-   Second argument register is loaded with the low part of the address.
-   In the TLB hit case, it has been adjusted as indicated by the TLB
-   and so is a host address.  In the TLB miss case, it continues to
-   hold a guest address.
-
-   First argument register is clobbered.  */
-
-static inline void tcg_out_tlb_load(TCGContext *s, TCGReg addrlo, TCGReg addrhi,
-                                    int mem_index, MemOp opc,
-                                    tcg_insn_unit **label_ptr, int which)
-{
-    TCGType ttype = TCG_TYPE_I32;
-    TCGType tlbtype = TCG_TYPE_I32;
-    int trexw = 0, hrexw = 0, tlbrexw = 0;
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_mask = (1 << a_bits) - 1;
-    unsigned s_mask = (1 << s_bits) - 1;
-    target_ulong tlb_mask;
-
-    if (TCG_TARGET_REG_BITS == 64) {
-        if (TARGET_LONG_BITS == 64) {
-            ttype = TCG_TYPE_I64;
-            trexw = P_REXW;
-        }
-        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
-            hrexw = P_REXW;
-            if (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32) {
-                tlbtype = TCG_TYPE_I64;
-                tlbrexw = P_REXW;
-            }
-        }
-    }
-
-    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
-    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
-                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-
-    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
-                         TLB_MASK_TABLE_OFS(mem_index) +
-                         offsetof(CPUTLBDescFast, mask));
-
-    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
-                         TLB_MASK_TABLE_OFS(mem_index) +
-                         offsetof(CPUTLBDescFast, table));
-
-    /* If the required alignment is at least as large as the access, simply
-       copy the address and mask.  For lesser alignments, check that we don't
-       cross pages for the complete access.  */
-    if (a_bits >= s_bits) {
-        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
-    } else {
-        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
-                             addrlo, s_mask - a_mask);
-    }
-    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
-    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
-
-    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
-    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
-                         TCG_REG_L1, TCG_REG_L0, which);
-
-    /* Prepare for both the fast path add of the tlb addend, and the slow
-       path function argument setup.  */
-    tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
-
-    /* jne slow_path */
-    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-    label_ptr[0] = s->code_ptr;
-    s->code_ptr += 4;
-
-    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
-        /* cmp 4(TCG_REG_L0), addrhi */
-        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, which + 4);
-
-        /* jne slow_path */
-        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-        label_ptr[1] = s->code_ptr;
-        s->code_ptr += 4;
-    }
-
-    /* TLB Hit.  */
-
-    /* add addend(TCG_REG_L0), TCG_REG_L1 */
-    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L1, TCG_REG_L0,
-                         offsetof(CPUTLBEntry, addend));
-}
-
-/*
- * Record the context of a call to the out of line helper code for the slow path
- * for a load or store, so that we can later generate the correct helper code
- */
-static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
-                                TCGType type, MemOpIdx oi,
-                                TCGReg datalo, TCGReg datahi,
-                                TCGReg addrlo, TCGReg addrhi,
-                                tcg_insn_unit *raddr,
-                                tcg_insn_unit **label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = type;
-    label->datalo_reg = datalo;
-    label->datahi_reg = datahi;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr[0];
-    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
-        label->label_ptr[1] = label_ptr[1];
-    }
-}
-
 /*
  * Generate code for the slow path for a load at the end of block
  */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     return true;
 }
 #else
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-                                   TCGReg addrhi, unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *label;
-
-    tcg_out_testi(s, addrlo, a_mask);
-    /* jne slow_path */
-    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-
-    label = new_ldst_label(s);
-    label->is_ld = is_ld;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-    label->raddr = tcg_splitwx_to_rx(s->code_ptr + 4);
-    label->label_ptr[0] = s->code_ptr;
-
-    s->code_ptr += 4;
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
 #endif /* setup_guest_base_seg */
 #endif /* SOFTMMU */
 
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addrlo, TCGReg addrhi,
+                                           MemOpIdx oi, bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+    unsigned a_mask = (1 << a_bits) - 1;
+
+#ifdef CONFIG_SOFTMMU
+    int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                        : offsetof(CPUTLBEntry, addr_write);
+    TCGType ttype = TCG_TYPE_I32;
+    TCGType tlbtype = TCG_TYPE_I32;
+    int trexw = 0, hrexw = 0, tlbrexw = 0;
+    unsigned mem_index = get_mmuidx(oi);
+    unsigned s_bits = opc & MO_SIZE;
+    unsigned s_mask = (1 << s_bits) - 1;
+    target_ulong tlb_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addrlo;
+    ldst->addrhi_reg = addrhi;
+
+    if (TCG_TARGET_REG_BITS == 64) {
+        if (TARGET_LONG_BITS == 64) {
+            ttype = TCG_TYPE_I64;
+            trexw = P_REXW;
+        }
+        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
+            hrexw = P_REXW;
+            if (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32) {
+                tlbtype = TCG_TYPE_I64;
+                tlbrexw = P_REXW;
+            }
+        }
+    }
+
+    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
+    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
+                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+
+    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
+                         TLB_MASK_TABLE_OFS(mem_index) +
+                         offsetof(CPUTLBDescFast, mask));
+
+    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
+                         TLB_MASK_TABLE_OFS(mem_index) +
+                         offsetof(CPUTLBDescFast, table));
+
+    /*
+     * If the required alignment is at least as large as the access, simply
+     * copy the address and mask.  For lesser alignments, check that we don't
+     * cross pages for the complete access.
+     */
+    if (a_bits >= s_bits) {
+        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
+    } else {
+        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
+                             addrlo, s_mask - a_mask);
+    }
+    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
+    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
+
+    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
+    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
+                         TCG_REG_L1, TCG_REG_L0, cmp_ofs);
+
+    /*
+     * Prepare for both the fast path add of the tlb addend, and the slow
+     * path function argument setup.
+     */
+    *h = (HostAddress) {
+        .base = TCG_REG_L1,
+        .index = -1
+    };
+    tcg_out_mov(s, ttype, h->base, addrlo);
+
+    /* jne slow_path */
+    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
+    ldst->label_ptr[0] = s->code_ptr;
+    s->code_ptr += 4;
+
+    if (TARGET_LONG_BITS > TCG_TARGET_REG_BITS) {
+        /* cmp 4(TCG_REG_L0), addrhi */
+        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, cmp_ofs + 4);
+
+        /* jne slow_path */
+        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
+        ldst->label_ptr[1] = s->code_ptr;
+        s->code_ptr += 4;
+    }
+
+    /* TLB Hit.  */
+
+    /* add addend(TCG_REG_L0), TCG_REG_L1 */
+    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, h->base, TCG_REG_L0,
+                         offsetof(CPUTLBEntry, addend));
+#else
+    if (a_bits) {
+        ldst = new_ldst_label(s);
+
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addrlo;
+        ldst->addrhi_reg = addrhi;
+
+        tcg_out_testi(s, addrlo, a_mask);
+        /* jne slow_path */
+        tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
+        ldst->label_ptr[0] = s->code_ptr;
+        s->code_ptr += 4;
+    }
+
+    *h = x86_guest_base;
+    h->base = addrlo;
+#endif
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg datalo, TCGReg datahi,
                                    HostAddress h, TCGType type, MemOp memop)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             TCGReg addrlo, TCGReg addrhi,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[2];
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
+    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, get_memop(oi));
 
-    tcg_out_tlb_load(s, addrlo, addrhi, get_mmuidx(oi), opc,
-                     label_ptr, offsetof(CPUTLBEntry, addr_read));
-
-    /* TLB Hit.  */
-    h.base = TCG_REG_L1;
-    h.index = -1;
-    h.ofs = 0;
-    h.seg = 0;
-    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, opc);
-
-    /* Record the current context of a load into ldst label */
-    add_qemu_ldst_label(s, true, data_type, oi, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-
-    h = x86_guest_base;
-    h.base = addrlo;
-    tcg_out_qemu_ld_direct(s, datalo, datahi, h, data_type, opc);
-#endif
 }
 
 static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg datalo, TCGReg datahi,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             TCGReg addrlo, TCGReg addrhi,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[2];
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
+    tcg_out_qemu_st_direct(s, datalo, datahi, h, get_memop(oi));
 
-    tcg_out_tlb_load(s, addrlo, addrhi, get_mmuidx(oi), opc,
-                     label_ptr, offsetof(CPUTLBEntry, addr_write));
-
-    /* TLB Hit.  */
-    h.base = TCG_REG_L1;
-    h.index = -1;
-    h.ofs = 0;
-    h.seg = 0;
-    tcg_out_qemu_st_direct(s, datalo, datahi, h, opc);
-
-    /* Record the current context of a store into ldst label */
-    add_qemu_ldst_label(s, false, data_type, oi, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-
-    h = x86_guest_base;
-    h.base = addrlo;
-
-    tcg_out_qemu_st_direct(s, datalo, datahi, h, opc);
-#endif
 }
 
 static void tcg_out_exit_tb(TCGContext *s, uintptr_t a0)
-- 
2.34.1

Since tcg_out_{ld,st}_helper_args, the slow path no longer requires
the address argument to be set up by the tlb load sequence.  Use a
plain load for the addend and indexed addressing with the original
input address register.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target.c.inc | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         tcg_out_sti(s, TCG_TYPE_PTR, (uintptr_t)l->raddr, TCG_REG_ESP, ofs);
     } else {
         tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
-        /* The second argument is already loaded with addrlo.  */
+        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
+                    l->addrlo_reg);
         tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[2], oi);
         tcg_out_movi(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[3],
                      (uintptr_t)l->raddr);
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP, ofs);
     } else {
         tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
-        /* The second argument is already loaded with addrlo.  */
+        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
+                    l->addrlo_reg);
         tcg_out_mov(s, (s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32),
                     tcg_target_call_iarg_regs[2], l->datalo_reg);
         tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], oi);
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
                          TCG_REG_L1, TCG_REG_L0, cmp_ofs);
 
-    /*
-     * Prepare for both the fast path add of the tlb addend, and the slow
-     * path function argument setup.
-     */
-    *h = (HostAddress) {
-        .base = TCG_REG_L1,
-        .index = -1
-    };
-    tcg_out_mov(s, ttype, h->base, addrlo);
-
     /* jne slow_path */
     tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
     ldst->label_ptr[0] = s->code_ptr;
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     }
 
     /* TLB Hit.  */
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
+               offsetof(CPUTLBEntry, addend));
 
-    /* add addend(TCG_REG_L0), TCG_REG_L1 */
-    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, h->base, TCG_REG_L0,
-                         offsetof(CPUTLBEntry, addend));
+    *h = (HostAddress) {
+        .base = addrlo,
+        .index = TCG_REG_L0,
+    };
 #else
     if (a_bits) {
         ldst = new_ldst_label(s);
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
into one function that returns HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/aarch64/tcg-target.c.inc | 313 +++++++++++++++--------------------
 1 file changed, 133 insertions(+), 180 deletions(-)

diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/aarch64/tcg-target.c.inc
+++ b/tcg/aarch64/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     tcg_out_goto(s, lb->raddr);
     return true;
 }
-
-static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
-                                TCGType ext, TCGReg data_reg, TCGReg addr_reg,
-                                tcg_insn_unit *raddr, tcg_insn_unit *label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = ext;
-    label->datalo_reg = data_reg;
-    label->addrlo_reg = addr_reg;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr;
-}
-
-/* We expect to use a 7-bit scaled negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -512);
-
-/* These offsets are built into the LDP below.  */
-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 8);
-
-/* Load and compare a TLB entry, emitting the conditional jump to the
-   slow path for the failure case, which will be patched later when finalizing
-   the slow path. Generated code returns the host addend in X1,
-   clobbers X0,X2,X3,TMP. */
-static void tcg_out_tlb_read(TCGContext *s, TCGReg addr_reg, MemOp opc,
-                             tcg_insn_unit **label_ptr, int mem_index,
-                             bool is_read)
-{
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_mask = (1u << a_bits) - 1;
-    unsigned s_mask = (1u << s_bits) - 1;
-    TCGReg x3;
-    TCGType mask_type;
-    uint64_t compare_mask;
-
-    mask_type = (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32
-                 ? TCG_TYPE_I64 : TCG_TYPE_I32);
-
-    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {x0,x1}.  */
-    tcg_out_insn(s, 3314, LDP, TCG_REG_X0, TCG_REG_X1, TCG_AREG0,
-                 TLB_MASK_TABLE_OFS(mem_index), 1, 0);
-
-    /* Extract the TLB index from the address into X0.  */
-    tcg_out_insn(s, 3502S, AND_LSR, mask_type == TCG_TYPE_I64,
-                 TCG_REG_X0, TCG_REG_X0, addr_reg,
-                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-
-    /* Add the tlb_table pointer, creating the CPUTLBEntry address into X1.  */
-    tcg_out_insn(s, 3502, ADD, 1, TCG_REG_X1, TCG_REG_X1, TCG_REG_X0);
-
-    /* Load the tlb comparator into X0, and the fast path addend into X1.  */
-    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_X0, TCG_REG_X1, is_read
-               ? offsetof(CPUTLBEntry, addr_read)
-               : offsetof(CPUTLBEntry, addr_write));
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_X1, TCG_REG_X1,
-               offsetof(CPUTLBEntry, addend));
-
-    /* For aligned accesses, we check the first byte and include the alignment
-       bits within the address.  For unaligned access, we check that we don't
-       cross pages using the address of the last byte of the access.  */
-    if (a_bits >= s_bits) {
-        x3 = addr_reg;
-    } else {
-        tcg_out_insn(s, 3401, ADDI, TARGET_LONG_BITS == 64,
-                     TCG_REG_X3, addr_reg, s_mask - a_mask);
-        x3 = TCG_REG_X3;
-    }
-    compare_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
-
-    /* Store the page mask part of the address into X3.  */
-    tcg_out_logicali(s, I3404_ANDI, TARGET_LONG_BITS == 64,
-                     TCG_REG_X3, x3, compare_mask);
-
-    /* Perform the address comparison. */
-    tcg_out_cmp(s, TARGET_LONG_BITS == 64, TCG_REG_X0, TCG_REG_X3, 0);
-
-    /* If not equal, we jump to the slow path. */
-    *label_ptr = s->code_ptr;
-    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
-}
-
 #else
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
-                                   unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->addrlo_reg = addr_reg;
-
-    /* tst addr, #mask */
-    tcg_out_logicali(s, I3404_ANDSI, 0, TCG_REG_XZR, addr_reg, a_mask);
-
-    label->label_ptr[0] = s->code_ptr;
-
-    /* b.ne slow_path */
-    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
-
-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     if (!reloc_pc19(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 }
 #endif /* CONFIG_SOFTMMU */
 
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addr_reg, MemOpIdx oi,
+                                           bool is_ld)
+{
+    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+    unsigned a_mask = (1u << a_bits) - 1;
+
+#ifdef CONFIG_SOFTMMU
+    unsigned s_bits = opc & MO_SIZE;
+    unsigned s_mask = (1u << s_bits) - 1;
+    unsigned mem_index = get_mmuidx(oi);
+    TCGReg x3;
+    TCGType mask_type;
+    uint64_t compare_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addr_reg;
+
+    mask_type = (TARGET_PAGE_BITS + CPU_TLB_DYN_MAX_BITS > 32
+                 ? TCG_TYPE_I64 : TCG_TYPE_I32);
+
+    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {x0,x1}.  */
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -512);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 8);
+    tcg_out_insn(s, 3314, LDP, TCG_REG_X0, TCG_REG_X1, TCG_AREG0,
+                 TLB_MASK_TABLE_OFS(mem_index), 1, 0);
+
+    /* Extract the TLB index from the address into X0.  */
+    tcg_out_insn(s, 3502S, AND_LSR, mask_type == TCG_TYPE_I64,
+                 TCG_REG_X0, TCG_REG_X0, addr_reg,
+                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+
+    /* Add the tlb_table pointer, creating the CPUTLBEntry address into X1.  */
+    tcg_out_insn(s, 3502, ADD, 1, TCG_REG_X1, TCG_REG_X1, TCG_REG_X0);
+
+    /* Load the tlb comparator into X0, and the fast path addend into X1.  */
+    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_X0, TCG_REG_X1,
+               is_ld ? offsetof(CPUTLBEntry, addr_read)
+                     : offsetof(CPUTLBEntry, addr_write));
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_X1, TCG_REG_X1,
+               offsetof(CPUTLBEntry, addend));
+
+    /*
+     * For aligned accesses, we check the first byte and include the alignment
+     * bits within the address.  For unaligned access, we check that we don't
+     * cross pages using the address of the last byte of the access.
+     */
+    if (a_bits >= s_bits) {
+        x3 = addr_reg;
+    } else {
+        tcg_out_insn(s, 3401, ADDI, TARGET_LONG_BITS == 64,
+                     TCG_REG_X3, addr_reg, s_mask - a_mask);
+        x3 = TCG_REG_X3;
+    }
+    compare_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
+
+    /* Store the page mask part of the address into X3.  */
+    tcg_out_logicali(s, I3404_ANDI, TARGET_LONG_BITS == 64,
+                     TCG_REG_X3, x3, compare_mask);
+
+    /* Perform the address comparison. */
+    tcg_out_cmp(s, TARGET_LONG_BITS == 64, TCG_REG_X0, TCG_REG_X3, 0);
+
+    /* If not equal, we jump to the slow path. */
+    ldst->label_ptr[0] = s->code_ptr;
+    tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+
+    *h = (HostAddress){
+        .base = TCG_REG_X1,
+        .index = addr_reg,
+        .index_ext = addr_type
+    };
+#else
+    if (a_mask) {
+        ldst = new_ldst_label(s);
+
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addr_reg;
+
+        /* tst addr, #mask */
+        tcg_out_logicali(s, I3404_ANDSI, 0, TCG_REG_XZR, addr_reg, a_mask);
+
+        /* b.ne slow_path */
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out_insn(s, 3202, B_C, TCG_COND_NE, 0);
+    }
+
+    if (USE_GUEST_BASE) {
+        *h = (HostAddress){
+            .base = TCG_REG_GUEST_BASE,
+            .index = addr_reg,
+            .index_ext = addr_type
+        };
+    } else {
+        *h = (HostAddress){
+            .base = addr_reg,
+            .index = TCG_REG_XZR,
+            .index_ext = TCG_TYPE_I64
+        };
+    }
+#endif
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_direct(TCGContext *s, MemOp memop, TCGType ext,
                                    TCGReg data_r, HostAddress h)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp memop,
 static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp memop = get_memop(oi);
-    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-    /* Byte swapping is left to middle-end expansion. */
-    tcg_debug_assert((memop & MO_BSWAP) == 0);
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
+    tcg_out_qemu_ld_direct(s, get_memop(oi), data_type, data_reg, h);
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr;
-
-    tcg_out_tlb_read(s, addr_reg, memop, &label_ptr, get_mmuidx(oi), 1);
-
-    h = (HostAddress){
-        .base = TCG_REG_X1,
-        .index = addr_reg,
-        .index_ext = addr_type
-    };
-    tcg_out_qemu_ld_direct(s, memop, data_type, data_reg, h);
-
-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else /* !CONFIG_SOFTMMU */
-    unsigned a_bits = get_alignment_bits(memop);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    if (USE_GUEST_BASE) {
-        h = (HostAddress){
-            .base = TCG_REG_GUEST_BASE,
-            .index = addr_reg,
-            .index_ext = addr_type
-        };
-    } else {
-        h = (HostAddress){
-            .base = addr_reg,
-            .index = TCG_REG_XZR,
-            .index_ext = TCG_TYPE_I64
-        };
-    }
-    tcg_out_qemu_ld_direct(s, memop, data_type, data_reg, h);
-#endif /* CONFIG_SOFTMMU */
 }
 
 static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp memop = get_memop(oi);
-    TCGType addr_type = TARGET_LONG_BITS == 64 ? TCG_TYPE_I64 : TCG_TYPE_I32;
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-    /* Byte swapping is left to middle-end expansion. */
-    tcg_debug_assert((memop & MO_BSWAP) == 0);
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
+    tcg_out_qemu_st_direct(s, get_memop(oi), data_reg, h);
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr;
-
-    tcg_out_tlb_read(s, addr_reg, memop, &label_ptr, get_mmuidx(oi), 0);
-
-    h = (HostAddress){
-        .base = TCG_REG_X1,
-        .index = addr_reg,
-        .index_ext = addr_type
-    };
-    tcg_out_qemu_st_direct(s, memop, data_reg, h);
-
-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else /* !CONFIG_SOFTMMU */
-    unsigned a_bits = get_alignment_bits(memop);
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    if (USE_GUEST_BASE) {
-        h = (HostAddress){
-            .base = TCG_REG_GUEST_BASE,
-            .index = addr_reg,
-            .index_ext = addr_type
-        };
-    } else {
-        h = (HostAddress){
-            .base = addr_reg,
-            .index = TCG_REG_XZR,
-            .index_ext = TCG_TYPE_I64
-        };
-    }
-    tcg_out_qemu_st_direct(s, memop, data_reg, h);
-#endif /* CONFIG_SOFTMMU */
 }
 
 static const tcg_insn_unit *tb_ret_addr;
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, and some code that lived
in both tcg_out_qemu_ld and tcg_out_qemu_st into one function that
returns HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/arm/tcg-target.c.inc | 351 ++++++++++++++++++---------------------
 1 file changed, 159 insertions(+), 192 deletions(-)

diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/arm/tcg-target.c.inc
+++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg,
     }
 }
 
-#define TLB_SHIFT	(CPU_TLB_ENTRY_BITS + CPU_TLB_BITS)
-
-/* We expect to use an 9-bit sign-magnitude negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -256);
-
-/* These offsets are built into the LDRD below.  */
-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
-QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 4);
-
-/* Load and compare a TLB entry, leaving the flags set.  Returns the register
-   containing the addend of the tlb entry.  Clobbers R0, R1, R2, TMP.  */
-
-static TCGReg tcg_out_tlb_read(TCGContext *s, TCGReg addrlo, TCGReg addrhi,
-                               MemOp opc, int mem_index, bool is_load)
-{
-    int cmp_off = (is_load ? offsetof(CPUTLBEntry, addr_read)
-                   : offsetof(CPUTLBEntry, addr_write));
-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
-    unsigned s_mask = (1 << (opc & MO_SIZE)) - 1;
-    unsigned a_mask = (1 << get_alignment_bits(opc)) - 1;
-    TCGReg t_addr;
-
-    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {r0,r1}.  */
-    tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_AREG0, fast_off);
-
-    /* Extract the tlb index from the address into R0.  */
-    tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_R0, addrlo,
-                    SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
-
-    /*
-     * Add the tlb_table pointer, creating the CPUTLBEntry address in R1.
-     * Load the tlb comparator into R2/R3 and the fast path addend into R1.
-     */
-    if (cmp_off == 0) {
-        if (TARGET_LONG_BITS == 64) {
-            tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
-        } else {
-            tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
-        }
-    } else {
-        tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
-                        TCG_REG_R1, TCG_REG_R1, TCG_REG_R0, 0);
-        if (TARGET_LONG_BITS == 64) {
-            tcg_out_ldrd_8(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
-        } else {
-            tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
-        }
-    }
-
-    /* Load the tlb addend.  */
-    tcg_out_ld32_12(s, COND_AL, TCG_REG_R1, TCG_REG_R1,
-                    offsetof(CPUTLBEntry, addend));
-
-    /*
-     * Check alignment, check comparators.
-     * Do this in 2-4 insns.  Use MOVW for v7, if possible,
-     * to reduce the number of sequential conditional instructions.
-     * Almost all guests have at least 4k pages, which means that we need
-     * to clear at least 9 bits even for an 8-byte memory, which means it
-     * isn't worth checking for an immediate operand for BIC.
-     *
-     * For unaligned accesses, test the page of the last unit of alignment.
-     * This leaves the least significant alignment bits unchanged, and of
-     * course must be zero.
-     */
-    t_addr = addrlo;
-    if (a_mask < s_mask) {
-        t_addr = TCG_REG_R0;
-        tcg_out_dat_imm(s, COND_AL, ARITH_ADD, t_addr,
-                        addrlo, s_mask - a_mask);
-    }
-    if (use_armv7_instructions && TARGET_PAGE_BITS <= 16) {
-        tcg_out_movi32(s, COND_AL, TCG_REG_TMP, ~(TARGET_PAGE_MASK | a_mask));
-        tcg_out_dat_reg(s, COND_AL, ARITH_BIC, TCG_REG_TMP,
-                        t_addr, TCG_REG_TMP, 0);
-        tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R2, TCG_REG_TMP, 0);
-    } else {
-        if (a_mask) {
-            tcg_debug_assert(a_mask <= 0xff);
-            tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
-        }
-        tcg_out_dat_reg(s, COND_AL, ARITH_MOV, TCG_REG_TMP, 0, t_addr,
-                        SHIFT_IMM_LSR(TARGET_PAGE_BITS));
-        tcg_out_dat_reg(s, (a_mask ? COND_EQ : COND_AL), ARITH_CMP,
-                        0, TCG_REG_R2, TCG_REG_TMP,
-                        SHIFT_IMM_LSL(TARGET_PAGE_BITS));
-    }
-
-    if (TARGET_LONG_BITS == 64) {
-        tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, TCG_REG_R3, addrhi, 0);
-    }
-
-    return TCG_REG_R1;
-}
-
-/* Record the context of a call to the out of line helper code for the slow
-   path for a load or store, so that we can later generate the correct
-   helper code.  */
-static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
-                                MemOpIdx oi, TCGType type,
-                                TCGReg datalo, TCGReg datahi,
-                                TCGReg addrlo, TCGReg addrhi,
-                                tcg_insn_unit *raddr,
-                                tcg_insn_unit *label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = type;
-    label->datalo_reg = datalo;
-    label->datahi_reg = datahi;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr;
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
     TCGReg argreg;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     return true;
 }
 #else
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-                                   TCGReg addrhi, unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-
-    /* We are expecting a_bits to max out at 7, and can easily support 8. */
-    tcg_debug_assert(a_mask <= 0xff);
-    /* tst addr, #mask */
-    tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
-
-    /* blne slow_path */
-    label->label_ptr[0] = s->code_ptr;
-    tcg_out_bl_imm(s, COND_NE, 0);
-
-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     if (!reloc_pc24(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 }
 #endif /* SOFTMMU */
 
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addrlo, TCGReg addrhi,
+                                           MemOpIdx oi, bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    MemOp a_bits = get_alignment_bits(opc);
+    unsigned a_mask = (1 << a_bits) - 1;
+
+#ifdef CONFIG_SOFTMMU
+    int mem_index = get_mmuidx(oi);
+    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                        : offsetof(CPUTLBEntry, addr_write);
+    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+    unsigned s_mask = (1 << (opc & MO_SIZE)) - 1;
+    TCGReg t_addr;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addrlo;
+    ldst->addrhi_reg = addrhi;
+
+    /* Load env_tlb(env)->f[mmu_idx].{mask,table} into {r0,r1}.  */
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -256);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, mask) != 0);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBDescFast, table) != 4);
+    tcg_out_ldrd_8(s, COND_AL, TCG_REG_R0, TCG_AREG0, fast_off);
+
+    /* Extract the tlb index from the address into R0.  */
+    tcg_out_dat_reg(s, COND_AL, ARITH_AND, TCG_REG_R0, TCG_REG_R0, addrlo,
+                    SHIFT_IMM_LSR(TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS));
+
+    /*
+     * Add the tlb_table pointer, creating the CPUTLBEntry address in R1.
+     * Load the tlb comparator into R2/R3 and the fast path addend into R1.
+     */
+    if (cmp_off == 0) {
+        if (TARGET_LONG_BITS == 64) {
+            tcg_out_ldrd_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+        } else {
+            tcg_out_ld32_rwb(s, COND_AL, TCG_REG_R2, TCG_REG_R1, TCG_REG_R0);
+        }
+    } else {
+        tcg_out_dat_reg(s, COND_AL, ARITH_ADD,
+                        TCG_REG_R1, TCG_REG_R1, TCG_REG_R0, 0);
+        if (TARGET_LONG_BITS == 64) {
+            tcg_out_ldrd_8(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
+        } else {
+            tcg_out_ld32_12(s, COND_AL, TCG_REG_R2, TCG_REG_R1, cmp_off);
+        }
+    }
+
+    /* Load the tlb addend.  */
+    tcg_out_ld32_12(s, COND_AL, TCG_REG_R1, TCG_REG_R1,
+                    offsetof(CPUTLBEntry, addend));
+
+    /*
+     * Check alignment, check comparators.
+     * Do this in 2-4 insns.  Use MOVW for v7, if possible,
+     * to reduce the number of sequential conditional instructions.
+     * Almost all guests have at least 4k pages, which means that we need
+     * to clear at least 9 bits even for an 8-byte memory, which means it
+     * isn't worth checking for an immediate operand for BIC.
+     *
+     * For unaligned accesses, test the page of the last unit of alignment.
+     * This leaves the least significant alignment bits unchanged, and of
+     * course must be zero.
+     */
+    t_addr = addrlo;
+    if (a_mask < s_mask) {
+        t_addr = TCG_REG_R0;
+        tcg_out_dat_imm(s, COND_AL, ARITH_ADD, t_addr,
+                        addrlo, s_mask - a_mask);
+    }
+    if (use_armv7_instructions && TARGET_PAGE_BITS <= 16) {
+        tcg_out_movi32(s, COND_AL, TCG_REG_TMP, ~(TARGET_PAGE_MASK | a_mask));
+        tcg_out_dat_reg(s, COND_AL, ARITH_BIC, TCG_REG_TMP,
+                        t_addr, TCG_REG_TMP, 0);
+        tcg_out_dat_reg(s, COND_AL, ARITH_CMP, 0, TCG_REG_R2, TCG_REG_TMP, 0);
+    } else {
+        if (a_mask) {
+            tcg_debug_assert(a_mask <= 0xff);
+            tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
+        }
+        tcg_out_dat_reg(s, COND_AL, ARITH_MOV, TCG_REG_TMP, 0, t_addr,
+                        SHIFT_IMM_LSR(TARGET_PAGE_BITS));
+        tcg_out_dat_reg(s, (a_mask ? COND_EQ : COND_AL), ARITH_CMP,
+                        0, TCG_REG_R2, TCG_REG_TMP,
+                        SHIFT_IMM_LSL(TARGET_PAGE_BITS));
+    }
+
+    if (TARGET_LONG_BITS == 64) {
+        tcg_out_dat_reg(s, COND_EQ, ARITH_CMP, 0, TCG_REG_R3, addrhi, 0);
+    }
+
+    *h = (HostAddress){
+        .cond = COND_AL,
+        .base = addrlo,
+        .index = TCG_REG_R1,
+        .index_scratch = true,
+    };
+#else
+    if (a_mask) {
+        ldst = new_ldst_label(s);
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addrlo;
+        ldst->addrhi_reg = addrhi;
+
+        /* We are expecting a_bits to max out at 7 */
+        tcg_debug_assert(a_mask <= 0xff);
+        /* tst addr, #mask */
+        tcg_out_dat_imm(s, COND_AL, ARITH_TST, 0, addrlo, a_mask);
+    }
+
+    *h = (HostAddress){
+        .cond = COND_AL,
+        .base = addrlo,
+        .index = guest_base ? TCG_REG_GUEST_BASE : -1,
+        .index_scratch = false,
+    };
+#endif
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_direct(TCGContext *s, MemOp opc, TCGReg datalo,
                                    TCGReg datahi, HostAddress h)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    h.cond = COND_AL;
-    h.base = addrlo;
-    h.index_scratch = true;
-    h.index = tcg_out_tlb_read(s, addrlo, addrhi, opc, get_mmuidx(oi), 1);
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
 
-    /*
-     * This a conditional BL only to load a pointer within this opcode into
-     * LR for the slow path.  We will not be using the value for a tail call.
-     */
-    tcg_insn_unit *label_ptr = s->code_ptr;
-    tcg_out_bl_imm(s, COND_NE, 0);
+        /*
+         * This a conditional BL only to load a pointer within this
+         * opcode into LR for the slow path.  We will not be using
+         * the value for a tail call.
+         */
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out_bl_imm(s, COND_NE, 0);
 
-    tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
-
-    add_qemu_ldst_label(s, true, oi, data_type, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
+        tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+    } else {
+        tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
     }
-
-    h.cond = COND_AL;
-    h.base = addrlo;
-    h.index = guest_base ? TCG_REG_GUEST_BASE : -1;
-    h.index_scratch = false;
-    tcg_out_qemu_ld_direct(s, opc, datalo, datahi, h);
-#endif
 }
 
 static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg datalo,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    h.cond = COND_EQ;
-    h.base = addrlo;
-    h.index_scratch = true;
-    h.index = tcg_out_tlb_read(s, addrlo, addrhi, opc, get_mmuidx(oi), 0);
-    tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
 
-    /* The conditional call must come last, as we're going to return here.  */
-    tcg_insn_unit *label_ptr = s->code_ptr;
-    tcg_out_bl_imm(s, COND_NE, 0);
-
-    add_qemu_ldst_label(s, false, oi, data_type, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-
-    h.cond = COND_AL;
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
         h.cond = COND_EQ;
-    }
+        tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
 
-    h.base = addrlo;
-    h.index = guest_base ? TCG_REG_GUEST_BASE : -1;
-    h.index_scratch = false;
-    tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
-#endif
+        /* The conditional call is last, as we're going to return here. */
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out_bl_imm(s, COND_NE, 0);
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+    } else {
+        tcg_out_qemu_st_direct(s, opc, datalo, datahi, h);
+    }
 }
 
 static void tcg_out_epilogue(TCGContext *s);
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
tcg_out_zext_addr_if_32_bit, and some code that lived in both
tcg_out_qemu_ld and tcg_out_qemu_st into one function that returns
HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/loongarch64/tcg-target.c.inc | 255 +++++++++++++------------------
 1 file changed, 105 insertions(+), 150 deletions(-)

diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/loongarch64/tcg-target.c.inc
+++ b/tcg/loongarch64/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[4] = {
     [MO_64] = helper_le_stq_mmu,
 };
 
-/* We expect to use a 12-bit negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
-
 static bool tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
 {
     tcg_out_opc_b(s, 0);
     return reloc_br_sd10k16(s->code_ptr - 1, target);
 }
 
-/*
- * Emits common code for TLB addend lookup, that eventually loads the
- * addend in TCG_REG_TMP2.
- */
-static void tcg_out_tlb_load(TCGContext *s, TCGReg addrl, MemOpIdx oi,
-                             tcg_insn_unit **label_ptr, bool is_load)
-{
-    MemOp opc = get_memop(oi);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_bits = get_alignment_bits(opc);
-    tcg_target_long compare_mask;
-    int mem_index = get_mmuidx(oi);
-    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
-    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
-    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
-
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, TCG_AREG0, mask_ofs);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, table_ofs);
-
-    tcg_out_opc_srli_d(s, TCG_REG_TMP2, addrl,
-                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    tcg_out_opc_and(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
-    tcg_out_opc_add_d(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
-
-    /* Load the tlb comparator and the addend.  */
-    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
-               is_load ? offsetof(CPUTLBEntry, addr_read)
-               : offsetof(CPUTLBEntry, addr_write));
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
-               offsetof(CPUTLBEntry, addend));
-
-    /* We don't support unaligned accesses.  */
-    if (a_bits < s_bits) {
-        a_bits = s_bits;
-    }
-    /* Clear the non-page, non-alignment bits from the address.  */
-    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
-    tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
-    tcg_out_opc_and(s, TCG_REG_TMP1, TCG_REG_TMP1, addrl);
-
-    /* Compare masked address with the TLB entry.  */
-    label_ptr[0] = s->code_ptr;
-    tcg_out_opc_bne(s, TCG_REG_TMP0, TCG_REG_TMP1, 0);
-
-    /* TLB Hit - addend in TCG_REG_TMP2, ready for use.  */
-}
-
-static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
-                                TCGType type,
-                                TCGReg datalo, TCGReg addrlo,
-                                void *raddr, tcg_insn_unit **label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = type;
-    label->datalo_reg = datalo;
-    label->datahi_reg = 0; /* unused */
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = 0; /* unused */
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr[0];
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     MemOpIdx oi = l->oi;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     return tcg_out_goto(s, l->raddr);
 }
 #else
-
-/*
- * Alignment helpers for user-mode emulation
- */
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
-                                   unsigned a_bits)
-{
-    TCGLabelQemuLdst *l = new_ldst_label(s);
-
-    l->is_ld = is_ld;
-    l->addrlo_reg = addr_reg;
-
-    /*
-     * Without micro-architecture details, we don't know which of bstrpick or
-     * andi is faster, so use bstrpick as it's not constrained by imm field
-     * width. (Not to say alignments >= 2^12 are going to happen any time
-     * soon, though)
-     */
-    tcg_out_opc_bstrpick_d(s, TCG_REG_TMP1, addr_reg, 0, a_bits - 1);
-
-    l->label_ptr[0] = s->code_ptr;
-    tcg_out_opc_bne(s, TCG_REG_TMP1, TCG_REG_ZERO, 0);
-
-    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 
 #endif /* CONFIG_SOFTMMU */
 
-/*
- * `ext32u` the address register into the temp register given,
- * if target is 32-bit, no-op otherwise.
- *
- * Returns the address register ready for use with TLB addend.
- */
-static TCGReg tcg_out_zext_addr_if_32_bit(TCGContext *s,
-                                          TCGReg addr, TCGReg tmp)
-{
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, tmp, addr);
-        return tmp;
-    }
-    return addr;
-}
-
 typedef struct {
     TCGReg base;
     TCGReg index;
 } HostAddress;
 
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addr_reg, MemOpIdx oi,
+                                           bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+
+#ifdef CONFIG_SOFTMMU
+    unsigned s_bits = opc & MO_SIZE;
+    int mem_index = get_mmuidx(oi);
+    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
+    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
+    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
+    tcg_target_long compare_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addr_reg;
+
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, TCG_AREG0, mask_ofs);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, table_ofs);
+
+    tcg_out_opc_srli_d(s, TCG_REG_TMP2, addr_reg,
+                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+    tcg_out_opc_and(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
+    tcg_out_opc_add_d(s, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
+
+    /* Load the tlb comparator and the addend.  */
+    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
+               is_ld ? offsetof(CPUTLBEntry, addr_read)
+                     : offsetof(CPUTLBEntry, addr_write));
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
+               offsetof(CPUTLBEntry, addend));
+
+    /* We don't support unaligned accesses.  */
+    if (a_bits < s_bits) {
+        a_bits = s_bits;
+    }
+    /* Clear the non-page, non-alignment bits from the address.  */
+    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
+    tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
+    tcg_out_opc_and(s, TCG_REG_TMP1, TCG_REG_TMP1, addr_reg);
+
+    /* Compare masked address with the TLB entry.  */
+    ldst->label_ptr[0] = s->code_ptr;
+    tcg_out_opc_bne(s, TCG_REG_TMP0, TCG_REG_TMP1, 0);
+
+    h->index = TCG_REG_TMP2;
+#else
+    if (a_bits) {
+        ldst = new_ldst_label(s);
+
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addr_reg;
+
+        /*
+         * Without micro-architecture details, we don't know which of
+         * bstrpick or andi is faster, so use bstrpick as it's not
+         * constrained by imm field width. Not to say alignments >= 2^12
+         * are going to happen any time soon.
+         */
+        tcg_out_opc_bstrpick_d(s, TCG_REG_TMP1, addr_reg, 0, a_bits - 1);
+
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out_opc_bne(s, TCG_REG_TMP1, TCG_REG_ZERO, 0);
+    }
+
+    h->index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
+#endif
+
+    if (TARGET_LONG_BITS == 32) {
+        h->base = TCG_REG_TMP0;
+        tcg_out_ext32u(s, h->base, addr_reg);
+    } else {
+        h->base = addr_reg;
+    }
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_indexed(TCGContext *s, MemOp opc, TCGType type,
                                     TCGReg rd, HostAddress h)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_indexed(TCGContext *s, MemOp opc, TCGType type,
 static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr[1];
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
+    tcg_out_qemu_ld_indexed(s, get_memop(oi), data_type, data_reg, h);
 
-    tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 1);
-    h.index = TCG_REG_TMP2;
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    h.index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
-#endif
-
-    h.base = tcg_out_zext_addr_if_32_bit(s, addr_reg, TCG_REG_TMP0);
-    tcg_out_qemu_ld_indexed(s, opc, data_type, data_reg, h);
-
-#ifdef CONFIG_SOFTMMU
-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#endif
 }
 
 static void tcg_out_qemu_st_indexed(TCGContext *s, MemOp opc,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_indexed(TCGContext *s, MemOp opc,
 static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr[1];
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
+    tcg_out_qemu_st_indexed(s, get_memop(oi), data_reg, h);
 
-    tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 0);
-    h.index = TCG_REG_TMP2;
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    h.index = USE_GUEST_BASE ? TCG_GUEST_BASE_REG : TCG_REG_ZERO;
-#endif
-
-    h.base = tcg_out_zext_addr_if_32_bit(s, addr_reg, TCG_REG_TMP0);
-    tcg_out_qemu_st_indexed(s, opc, data_reg, h);
-
-#ifdef CONFIG_SOFTMMU
-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#endif
 }
 
 /*
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
into one function that returns HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/mips/tcg-target.c.inc | 404 ++++++++++++++++----------------------
 1 file changed, 172 insertions(+), 232 deletions(-)

diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.c.inc
+++ b/tcg/mips/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static int tcg_out_call_iarg_reg2(TCGContext *s, int i, TCGReg al, TCGReg ah)
     return i;
 }
 
-/* We expect to use a 16-bit negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
-
-/*
- * Perform the tlb comparison operation.
- * The complete host address is placed in BASE.
- * Clobbers TMP0, TMP1, TMP2, TMP3.
- */
-static void tcg_out_tlb_load(TCGContext *s, TCGReg base, TCGReg addrl,
-                             TCGReg addrh, MemOpIdx oi,
-                             tcg_insn_unit *label_ptr[2], bool is_load)
-{
-    MemOp opc = get_memop(oi);
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_mask = (1 << a_bits) - 1;
-    unsigned s_mask = (1 << s_bits) - 1;
-    int mem_index = get_mmuidx(oi);
-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
-    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
-    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
-    int add_off = offsetof(CPUTLBEntry, addend);
-    int cmp_off = (is_load ? offsetof(CPUTLBEntry, addr_read)
-                   : offsetof(CPUTLBEntry, addr_write));
-    target_ulong tlb_mask;
-
-    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP0, TCG_AREG0, mask_off);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP1, TCG_AREG0, table_off);
-
-    /* Extract the TLB index from the address into TMP3.  */
-    tcg_out_opc_sa(s, ALIAS_TSRL, TCG_TMP3, addrl,
-                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    tcg_out_opc_reg(s, OPC_AND, TCG_TMP3, TCG_TMP3, TCG_TMP0);
-
-    /* Add the tlb_table pointer, creating the CPUTLBEntry address in TMP3.  */
-    tcg_out_opc_reg(s, ALIAS_PADD, TCG_TMP3, TCG_TMP3, TCG_TMP1);
-
-    /* Load the (low-half) tlb comparator.  */
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
-    } else {
-        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
-                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
-                     TCG_TMP0, TCG_TMP3, cmp_off);
-    }
-
-    /* Zero extend a 32-bit guest address for a 64-bit host. */
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, base, addrl);
-        addrl = base;
-    }
-
-    /*
-     * Mask the page bits, keeping the alignment bits to compare against.
-     * For unaligned accesses, compare against the end of the access to
-     * verify that it does not cross a page boundary.
-     */
-    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
-    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
-    if (a_mask >= s_mask) {
-        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrl);
-    } else {
-        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrl, s_mask - a_mask);
-        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
-    }
-
-    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
-        /* Load the tlb addend for the fast path.  */
-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
-    }
-
-    label_ptr[0] = s->code_ptr;
-    tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
-
-    /* Load and test the high half tlb comparator.  */
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        /* delay slot */
-        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
-
-        /* Load the tlb addend for the fast path.  */
-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
-
-        label_ptr[1] = s->code_ptr;
-        tcg_out_opc_br(s, OPC_BNE, addrh, TCG_TMP0);
-    }
-
-    /* delay slot */
-    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrl);
-}
-
-static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
-                                TCGType ext,
-                                TCGReg datalo, TCGReg datahi,
-                                TCGReg addrlo, TCGReg addrhi,
-                                void *raddr, tcg_insn_unit *label_ptr[2])
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = ext;
-    label->datalo_reg = datalo;
-    label->datahi_reg = datahi;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr[0];
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        label->label_ptr[1] = label_ptr[1];
-    }
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 }
 
 #else
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-                                   TCGReg addrhi, unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *l = new_ldst_label(s);
-
-    l->is_ld = is_ld;
-    l->addrlo_reg = addrlo;
-    l->addrhi_reg = addrhi;
-
-    /* We are expecting a_bits to max out at 7, much lower than ANDI. */
-    tcg_debug_assert(a_bits < 16);
-    tcg_out_opc_imm(s, OPC_ANDI, TCG_TMP0, addrlo, a_mask);
-
-    l->label_ptr[0] = s->code_ptr;
-    if (use_mips32r6_instructions) {
-        tcg_out_opc_br(s, OPC_BNEZALC_R6, TCG_REG_ZERO, TCG_TMP0);
-    } else {
-        tcg_out_opc_br(s, OPC_BNEL, TCG_TMP0, TCG_REG_ZERO);
-        tcg_out_nop(s);
-    }
-
-    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     void *target;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 }
 #endif /* SOFTMMU */
 
+typedef struct {
+    TCGReg base;
+    MemOp align;
+} HostAddress;
+
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addrlo, TCGReg addrhi,
+                                           MemOpIdx oi, bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+    unsigned s_bits = opc & MO_SIZE;
+    unsigned a_mask = (1 << a_bits) - 1;
+    TCGReg base;
+
+#ifdef CONFIG_SOFTMMU
+    unsigned s_mask = (1 << s_bits) - 1;
+    int mem_index = get_mmuidx(oi);
+    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
+    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
+    int add_off = offsetof(CPUTLBEntry, addend);
+    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                        : offsetof(CPUTLBEntry, addr_write);
+    target_ulong tlb_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addrlo;
+    ldst->addrhi_reg = addrhi;
+    base = TCG_REG_A0;
+
+    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP0, TCG_AREG0, mask_off);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP1, TCG_AREG0, table_off);
+
+    /* Extract the TLB index from the address into TMP3.  */
+    tcg_out_opc_sa(s, ALIAS_TSRL, TCG_TMP3, addrlo,
+                   TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+    tcg_out_opc_reg(s, OPC_AND, TCG_TMP3, TCG_TMP3, TCG_TMP0);
+
+    /* Add the tlb_table pointer, creating the CPUTLBEntry address in TMP3.  */
+    tcg_out_opc_reg(s, ALIAS_PADD, TCG_TMP3, TCG_TMP3, TCG_TMP1);
+
+    /* Load the (low-half) tlb comparator.  */
+    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
+    } else {
+        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
+                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
+                     TCG_TMP0, TCG_TMP3, cmp_off);
+    }
+
+    /* Zero extend a 32-bit guest address for a 64-bit host. */
+    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+        tcg_out_ext32u(s, base, addrlo);
+        addrlo = base;
+    }
+
+    /*
+     * Mask the page bits, keeping the alignment bits to compare against.
+     * For unaligned accesses, compare against the end of the access to
+     * verify that it does not cross a page boundary.
+     */
+    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
+    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
+    if (a_mask >= s_mask) {
+        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
+    } else {
+        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrlo, s_mask - a_mask);
+        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
+    }
+
+    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
+        /* Load the tlb addend for the fast path.  */
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
+    }
+
+    ldst->label_ptr[0] = s->code_ptr;
+    tcg_out_opc_br(s, OPC_BNE, TCG_TMP1, TCG_TMP0);
+
+    /* Load and test the high half tlb comparator.  */
+    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+        /* delay slot */
+        tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
+
+        /* Load the tlb addend for the fast path.  */
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
+
+        ldst->label_ptr[1] = s->code_ptr;
+        tcg_out_opc_br(s, OPC_BNE, addrhi, TCG_TMP0);
+    }
+
+    /* delay slot */
+    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrlo);
+#else
+    if (a_mask && (use_mips32r6_instructions || a_bits != s_bits)) {
+        ldst = new_ldst_label(s);
+
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addrlo;
+        ldst->addrhi_reg = addrhi;
+
+        /* We are expecting a_bits to max out at 7, much lower than ANDI. */
+        tcg_debug_assert(a_bits < 16);
+        tcg_out_opc_imm(s, OPC_ANDI, TCG_TMP0, addrlo, a_mask);
+
+        ldst->label_ptr[0] = s->code_ptr;
+        if (use_mips32r6_instructions) {
+            tcg_out_opc_br(s, OPC_BNEZALC_R6, TCG_REG_ZERO, TCG_TMP0);
+        } else {
+            tcg_out_opc_br(s, OPC_BNEL, TCG_TMP0, TCG_REG_ZERO);
+            tcg_out_nop(s);
+        }
+    }
+
+    base = addrlo;
+    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+        tcg_out_ext32u(s, TCG_REG_A0, base);
+        base = TCG_REG_A0;
+    }
+    if (guest_base) {
+        if (guest_base == (int16_t)guest_base) {
+            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
+        } else {
+            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
+                            TCG_GUEST_BASE_REG);
+        }
+        base = TCG_REG_A0;
+    }
+#endif
+
+    h->base = base;
+    h->align = a_bits;
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
                                    TCGReg base, MemOp opc, TCGType type)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_bits = opc & MO_SIZE;
-    TCGReg base;
+    TCGLabelQemuLdst *ldst;
+    HostAddress h;
 
-    /*
-     * R6 removes the left/right instructions but requires the
-     * system to support misaligned memory accesses.
-     */
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[2];
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
 
-    base = TCG_REG_A0;
-    tcg_out_tlb_load(s, base, addrlo, addrhi, oi, label_ptr, 1);
-    if (use_mips32r6_instructions || a_bits >= s_bits) {
-        tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
+    if (use_mips32r6_instructions || h.align >= (opc & MO_SIZE)) {
+        tcg_out_qemu_ld_direct(s, datalo, datahi, h.base, opc, data_type);
     } else {
-        tcg_out_qemu_ld_unalign(s, datalo, datahi, base, opc, data_type);
+        tcg_out_qemu_ld_unalign(s, datalo, datahi, h.base, opc, data_type);
     }
-    add_qemu_ldst_label(s, true, oi, data_type, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    base = addrlo;
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, TCG_REG_A0, base);
-        base = TCG_REG_A0;
+
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    if (guest_base) {
-        if (guest_base == (int16_t)guest_base) {
-            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
-        } else {
-            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
-                            TCG_GUEST_BASE_REG);
-        }
-        base = TCG_REG_A0;
-    }
-    if (use_mips32r6_instructions) {
-        if (a_bits) {
-            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-        }
-        tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
-    } else {
-        if (a_bits && a_bits != s_bits) {
-            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-        }
-        if (a_bits >= s_bits) {
-            tcg_out_qemu_ld_direct(s, datalo, datahi, base, opc, data_type);
-        } else {
-            tcg_out_qemu_ld_unalign(s, datalo, datahi, base, opc, data_type);
-        }
-    }
-#endif
 }
 
 static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_bits = opc & MO_SIZE;
-    TCGReg base;
+    TCGLabelQemuLdst *ldst;
+    HostAddress h;
 
-    /*
-     * R6 removes the left/right instructions but requires the
-     * system to support misaligned memory accesses.
-     */
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[2];
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
 
-    base = TCG_REG_A0;
-    tcg_out_tlb_load(s, base, addrlo, addrhi, oi, label_ptr, 0);
-    if (use_mips32r6_instructions || a_bits >= s_bits) {
-        tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
+    if (use_mips32r6_instructions || h.align >= (opc & MO_SIZE)) {
+        tcg_out_qemu_st_direct(s, datalo, datahi, h.base, opc);
     } else {
-        tcg_out_qemu_st_unalign(s, datalo, datahi, base, opc);
+        tcg_out_qemu_st_unalign(s, datalo, datahi, h.base, opc);
     }
-    add_qemu_ldst_label(s, false, oi, data_type, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#else
-    base = addrlo;
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, TCG_REG_A0, base);
-        base = TCG_REG_A0;
+
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    if (guest_base) {
-        if (guest_base == (int16_t)guest_base) {
-            tcg_out_opc_imm(s, ALIAS_PADDI, TCG_REG_A0, base, guest_base);
-        } else {
-            tcg_out_opc_reg(s, ALIAS_PADD, TCG_REG_A0, base,
-                            TCG_GUEST_BASE_REG);
-        }
-        base = TCG_REG_A0;
-    }
-    if (use_mips32r6_instructions) {
-        if (a_bits) {
-            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-        }
-        tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
-    } else {
-        if (a_bits && a_bits != s_bits) {
-            tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-        }
-        if (a_bits >= s_bits) {
-            tcg_out_qemu_st_direct(s, datalo, datahi, base, opc);
-        } else {
-            tcg_out_qemu_st_unalign(s, datalo, datahi, base, opc);
-        }
-    }
-#endif
 }
 
 static void tcg_out_mb(TCGContext *s, TCGArg a0)
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
into one function that returns HostAddress and TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/ppc/tcg-target.c.inc | 381 ++++++++++++++++++---------------------
 1 file changed, 172 insertions(+), 209 deletions(-)

diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
     [MO_BEUQ] = helper_be_stq_mmu,
 };
 
-/* We expect to use a 16-bit negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
-
-/* Perform the TLB load and compare.  Places the result of the comparison
-   in CR7, loads the addend of the TLB into R3, and returns the register
-   containing the guest address (zero-extended into R4).  Clobbers R0 and R2. */
-
-static TCGReg tcg_out_tlb_read(TCGContext *s, MemOp opc,
-                               TCGReg addrlo, TCGReg addrhi,
-                               int mem_index, bool is_read)
-{
-    int cmp_off
-        = (is_read
-           ? offsetof(CPUTLBEntry, addr_read)
-           : offsetof(CPUTLBEntry, addr_write));
-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
-    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
-    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_bits = get_alignment_bits(opc);
-
-    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
-
-    /* Extract the page index, shifted into place for tlb index.  */
-    if (TCG_TARGET_REG_BITS == 32) {
-        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
-                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    } else {
-        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
-                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    }
-    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
-
-    /* Load the TLB comparator.  */
-    if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
-        uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
-                        ? LWZUX : LDUX);
-        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
-    } else {
-        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
-        if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
-            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
-        } else {
-            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
-        }
-    }
-
-    /* Load the TLB addend for use on the fast path.  Do this asap
-       to minimize any load use delay.  */
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_REG_R3,
-               offsetof(CPUTLBEntry, addend));
-
-    /* Clear the non-page, non-alignment bits from the address */
-    if (TCG_TARGET_REG_BITS == 32) {
-        /* We don't support unaligned accesses on 32-bits.
-         * Preserve the bottom bits and thus trigger a comparison
-         * failure on unaligned accesses.
-         */
-        if (a_bits < s_bits) {
-            a_bits = s_bits;
-        }
-        tcg_out_rlw(s, RLWINM, TCG_REG_R0, addrlo, 0,
-                    (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
-    } else {
-        TCGReg t = addrlo;
-
-        /* If the access is unaligned, we need to make sure we fail if we
-         * cross a page boundary.  The trick is to add the access size-1
-         * to the address before masking the low bits.  That will make the
-         * address overflow to the next page if we cross a page boundary,
-         * which will then force a mismatch of the TLB compare.
-         */
-        if (a_bits < s_bits) {
-            unsigned a_mask = (1 << a_bits) - 1;
-            unsigned s_mask = (1 << s_bits) - 1;
-            tcg_out32(s, ADDI | TAI(TCG_REG_R0, t, s_mask - a_mask));
-            t = TCG_REG_R0;
-        }
-
-        /* Mask the address for the requested alignment.  */
-        if (TARGET_LONG_BITS == 32) {
-            tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
-                        (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
-            /* Zero-extend the address for use in the final address.  */
-            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
-            addrlo = TCG_REG_R4;
-        } else if (a_bits == 0) {
-            tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
-        } else {
-            tcg_out_rld(s, RLDICL, TCG_REG_R0, t,
-                        64 - TARGET_PAGE_BITS, TARGET_PAGE_BITS - a_bits);
-            tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
-        }
-    }
-
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
-                    0, 7, TCG_TYPE_I32);
-        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
-        tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
-    } else {
-        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
-                    0, 7, TCG_TYPE_TL);
-    }
-
-    return addrlo;
-}
-
-/* Record the context of a call to the out of line helper code for the slow
-   path for a load or store, so that we can later generate the correct
-   helper code.  */
-static void add_qemu_ldst_label(TCGContext *s, bool is_ld,
-                                TCGType type, MemOpIdx oi,
-                                TCGReg datalo_reg, TCGReg datahi_reg,
-                                TCGReg addrlo_reg, TCGReg addrhi_reg,
-                                tcg_insn_unit *raddr, tcg_insn_unit *lptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->type = type;
-    label->oi = oi;
-    label->datalo_reg = datalo_reg;
-    label->datahi_reg = datahi_reg;
-    label->addrlo_reg = addrlo_reg;
-    label->addrhi_reg = addrhi_reg;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = lptr;
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
     MemOpIdx oi = lb->oi;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     return true;
 }
 #else
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addrlo,
-                                   TCGReg addrhi, unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->addrlo_reg = addrlo;
-    label->addrhi_reg = addrhi;
-
-    /* We are expecting a_bits to max out at 7, much lower than ANDI. */
-    tcg_debug_assert(a_bits < 16);
-    tcg_out32(s, ANDI | SAI(addrlo, TCG_REG_R0, a_mask));
-
-    label->label_ptr[0] = s->code_ptr;
-    tcg_out32(s, BC | BI(0, CR_EQ) | BO_COND_FALSE | LK);
-
-    label->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     if (!reloc_pc14(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
@@ -XXX,XX +XXX,XX @@ typedef struct {
     TCGReg index;
 } HostAddress;
 
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addrlo, TCGReg addrhi,
+                                           MemOpIdx oi, bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+
+#ifdef CONFIG_SOFTMMU
+    int mem_index = get_mmuidx(oi);
+    int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                        : offsetof(CPUTLBEntry, addr_write);
+    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
+    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
+    unsigned s_bits = opc & MO_SIZE;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addrlo;
+    ldst->addrhi_reg = addrhi;
+
+    /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
+
+    /* Extract the page index, shifted into place for tlb index.  */
+    if (TCG_TARGET_REG_BITS == 32) {
+        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
+                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+    } else {
+        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
+                       TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+    }
+    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
+
+    /* Load the TLB comparator.  */
+    if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
+        uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
+                        ? LWZUX : LDUX);
+        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
+    } else {
+        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
+        if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
+            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
+        } else {
+            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
+        }
+    }
+
+    /*
+     * Load the TLB addend for use on the fast path.
+     * Do this asap to minimize any load use delay.
+     */
+    h->base = TCG_REG_R3;
+    tcg_out_ld(s, TCG_TYPE_PTR, h->base, TCG_REG_R3,
+               offsetof(CPUTLBEntry, addend));
+
+    /* Clear the non-page, non-alignment bits from the address */
+    if (TCG_TARGET_REG_BITS == 32) {
+        /*
+         * We don't support unaligned accesses on 32-bits.
+         * Preserve the bottom bits and thus trigger a comparison
+         * failure on unaligned accesses.
+         */
+        if (a_bits < s_bits) {
+            a_bits = s_bits;
+        }
+        tcg_out_rlw(s, RLWINM, TCG_REG_R0, addrlo, 0,
+                    (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
+    } else {
+        TCGReg t = addrlo;
+
+        /*
+         * If the access is unaligned, we need to make sure we fail if we
+         * cross a page boundary.  The trick is to add the access size-1
+         * to the address before masking the low bits.  That will make the
+         * address overflow to the next page if we cross a page boundary,
+         * which will then force a mismatch of the TLB compare.
+         */
+        if (a_bits < s_bits) {
+            unsigned a_mask = (1 << a_bits) - 1;
+            unsigned s_mask = (1 << s_bits) - 1;
+            tcg_out32(s, ADDI | TAI(TCG_REG_R0, t, s_mask - a_mask));
+            t = TCG_REG_R0;
+        }
+
+        /* Mask the address for the requested alignment.  */
+        if (TARGET_LONG_BITS == 32) {
+            tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
+                        (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
+            /* Zero-extend the address for use in the final address.  */
+            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
+            addrlo = TCG_REG_R4;
+        } else if (a_bits == 0) {
+            tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
+        } else {
+            tcg_out_rld(s, RLDICL, TCG_REG_R0, t,
+                        64 - TARGET_PAGE_BITS, TARGET_PAGE_BITS - a_bits);
+            tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
+        }
+    }
+    h->index = addrlo;
+
+    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
+        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
+                    0, 7, TCG_TYPE_I32);
+        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
+        tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
+    } else {
+        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
+                    0, 7, TCG_TYPE_TL);
+    }
+
+    /* Load a pointer into the current opcode w/conditional branch-link. */
+    ldst->label_ptr[0] = s->code_ptr;
+    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+#else
+    if (a_bits) {
+        ldst = new_ldst_label(s);
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addrlo;
+        ldst->addrhi_reg = addrhi;
+
+        /* We are expecting a_bits to max out at 7, much lower than ANDI. */
+        tcg_debug_assert(a_bits < 16);
+        tcg_out32(s, ANDI | SAI(addrlo, TCG_REG_R0, (1 << a_bits) - 1));
+
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out32(s, BC | BI(0, CR_EQ) | BO_COND_FALSE | LK);
+    }
+
+    h->base = guest_base ? TCG_GUEST_BASE_REG : 0;
+    h->index = addrlo;
+    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
+        h->index = TCG_REG_TMP1;
+    }
+#endif
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             TCGReg addrlo, TCGReg addrhi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
-    MemOp s_bits = opc & MO_SIZE;
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr;
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, true);
 
-    h.index = tcg_out_tlb_read(s, opc, addrlo, addrhi, get_mmuidx(oi), true);
-    h.base = TCG_REG_R3;
-
-    /* Load a pointer into the current opcode w/conditional branch-link. */
-    label_ptr = s->code_ptr;
-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
-#else  /* !CONFIG_SOFTMMU */
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addrlo, addrhi, a_bits);
-    }
-    h.base = guest_base ? TCG_GUEST_BASE_REG : 0;
-    h.index = addrlo;
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
-        h.index = TCG_REG_TMP1;
-    }
-#endif
-
-    if (TCG_TARGET_REG_BITS == 32 && s_bits == MO_64) {
+    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
         if (opc & MO_BSWAP) {
             tcg_out32(s, ADDI | TAI(TCG_REG_R0, h.index, 4));
             tcg_out32(s, LWBRX | TAB(datalo, h.base, h.index));
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
         }
     }
 
-#ifdef CONFIG_SOFTMMU
-    add_qemu_ldst_label(s, true, data_type, oi, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#endif
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+    }
 }
 
 static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
                             MemOpIdx oi, TCGType data_type)
 {
     MemOp opc = get_memop(oi);
-    MemOp s_bits = opc & MO_SIZE;
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    tcg_insn_unit *label_ptr;
+    ldst = prepare_host_addr(s, &h, addrlo, addrhi, oi, false);
 
-    h.index = tcg_out_tlb_read(s, opc, addrlo, addrhi, get_mmuidx(oi), false);
-    h.base = TCG_REG_R3;
-
-    /* Load a pointer into the current opcode w/conditional branch-link. */
-    label_ptr = s->code_ptr;
-    tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
-#else  /* !CONFIG_SOFTMMU */
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addrlo, addrhi, a_bits);
-    }
-    h.base = guest_base ? TCG_GUEST_BASE_REG : 0;
-    h.index = addrlo;
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
-        h.index = TCG_REG_TMP1;
-    }
-#endif
-
-    if (TCG_TARGET_REG_BITS == 32 && s_bits == MO_64) {
+    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
         if (opc & MO_BSWAP) {
             tcg_out32(s, ADDI | TAI(TCG_REG_R0, h.index, 4));
             tcg_out32(s, STWBRX | SAB(datalo, h.base, h.index));
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st(TCGContext *s, TCGReg datalo, TCGReg datahi,
         }
     }
 
-#ifdef CONFIG_SOFTMMU
-    add_qemu_ldst_label(s, false, data_type, oi, datalo, datahi,
-                        addrlo, addrhi, s->code_ptr, label_ptr);
-#endif
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = datalo;
+        ldst->datahi_reg = datahi;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
+    }
 }
 
 static void tcg_out_nop_fill(tcg_insn_unit *p, int count)
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
and some code that lived in both tcg_out_qemu_ld and tcg_out_qemu_st
into one function that returns TCGReg and TCGLabelQemuLdst.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/riscv/tcg-target.c.inc | 253 +++++++++++++++++--------------------
 1 file changed, 114 insertions(+), 139 deletions(-)

diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target.c.inc
+++ b/tcg/riscv/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
 #endif
 };
 
-/* We expect to use a 12-bit negative offset from ENV.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
-
 static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
 {
     tcg_out_opc_jump(s, OPC_JAL, TCG_REG_ZERO, 0);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
     tcg_debug_assert(ok);
 }
 
-static TCGReg tcg_out_tlb_load(TCGContext *s, TCGReg addr, MemOpIdx oi,
-                               tcg_insn_unit **label_ptr, bool is_load)
-{
-    MemOp opc = get_memop(oi);
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_bits = get_alignment_bits(opc);
-    tcg_target_long compare_mask;
-    int mem_index = get_mmuidx(oi);
-    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
-    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
-    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
-    TCGReg mask_base = TCG_AREG0, table_base = TCG_AREG0;
-
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, mask_base, mask_ofs);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, table_base, table_ofs);
-
-    tcg_out_opc_imm(s, OPC_SRLI, TCG_REG_TMP2, addr,
-                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
-    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
-
-    /* Load the tlb comparator and the addend.  */
-    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
-               is_load ? offsetof(CPUTLBEntry, addr_read)
-               : offsetof(CPUTLBEntry, addr_write));
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
-               offsetof(CPUTLBEntry, addend));
-
-    /* We don't support unaligned accesses. */
-    if (a_bits < s_bits) {
-        a_bits = s_bits;
-    }
-    /* Clear the non-page, non-alignment bits from the address.  */
-    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | ((1 << a_bits) - 1);
-    if (compare_mask == sextreg(compare_mask, 0, 12)) {
-        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr, compare_mask);
-    } else {
-        tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
-        tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP1, TCG_REG_TMP1, addr);
-    }
-
-    /* Compare masked address with the TLB entry. */
-    label_ptr[0] = s->code_ptr;
-    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP0, TCG_REG_TMP1, 0);
-
-    /* TLB Hit - translate address using addend.  */
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, TCG_REG_TMP0, addr);
-        addr = TCG_REG_TMP0;
-    }
-    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_REG_TMP2, addr);
-    return TCG_REG_TMP0;
-}
-
-static void add_qemu_ldst_label(TCGContext *s, int is_ld, MemOpIdx oi,
-                                TCGType data_type, TCGReg data_reg,
-                                TCGReg addr_reg, void *raddr,
-                                tcg_insn_unit **label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = data_type;
-    label->datalo_reg = data_reg;
-    label->addrlo_reg = addr_reg;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr[0];
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     MemOpIdx oi = l->oi;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     return true;
 }
 #else
-
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld, TCGReg addr_reg,
-                                   unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *l = new_ldst_label(s);
-
-    l->is_ld = is_ld;
-    l->addrlo_reg = addr_reg;
-
-    /* We are expecting a_bits to max out at 7, so we can always use andi. */
-    tcg_debug_assert(a_bits < 12);
-    tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, a_mask);
-
-    l->label_ptr[0] = s->code_ptr;
-    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP1, TCG_REG_ZERO, 0);
-
-    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     /* resolve label address */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     return tcg_out_fail_alignment(s, l);
 }
-
 #endif /* CONFIG_SOFTMMU */
 
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, TCGReg *pbase,
+                                           TCGReg addr_reg, MemOpIdx oi,
+                                           bool is_ld)
+{
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+    unsigned a_mask = (1u << a_bits) - 1;
+
+#ifdef CONFIG_SOFTMMU
+    unsigned s_bits = opc & MO_SIZE;
+    int mem_index = get_mmuidx(oi);
+    int fast_ofs = TLB_MASK_TABLE_OFS(mem_index);
+    int mask_ofs = fast_ofs + offsetof(CPUTLBDescFast, mask);
+    int table_ofs = fast_ofs + offsetof(CPUTLBDescFast, table);
+    TCGReg mask_base = TCG_AREG0, table_base = TCG_AREG0;
+    tcg_target_long compare_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addr_reg;
+
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 11));
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP0, mask_base, mask_ofs);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, table_base, table_ofs);
+
+    tcg_out_opc_imm(s, OPC_SRLI, TCG_REG_TMP2, addr_reg,
+                    TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+    tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP0);
+    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP2, TCG_REG_TMP2, TCG_REG_TMP1);
+
+    /* Load the tlb comparator and the addend.  */
+    tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP0, TCG_REG_TMP2,
+               is_ld ? offsetof(CPUTLBEntry, addr_read)
+                     : offsetof(CPUTLBEntry, addr_write));
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_REG_TMP2,
+               offsetof(CPUTLBEntry, addend));
+
+    /* We don't support unaligned accesses. */
+    if (a_bits < s_bits) {
+        a_bits = s_bits;
+    }
+    /* Clear the non-page, non-alignment bits from the address.  */
+    compare_mask = (tcg_target_long)TARGET_PAGE_MASK | a_mask;
+    if (compare_mask == sextreg(compare_mask, 0, 12)) {
+        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, compare_mask);
+    } else {
+        tcg_out_movi(s, TCG_TYPE_TL, TCG_REG_TMP1, compare_mask);
+        tcg_out_opc_reg(s, OPC_AND, TCG_REG_TMP1, TCG_REG_TMP1, addr_reg);
+    }
+
+    /* Compare masked address with the TLB entry. */
+    ldst->label_ptr[0] = s->code_ptr;
+    tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP0, TCG_REG_TMP1, 0);
+
+    /* TLB Hit - translate address using addend.  */
+    if (TARGET_LONG_BITS == 32) {
+        tcg_out_ext32u(s, TCG_REG_TMP0, addr_reg);
+        addr_reg = TCG_REG_TMP0;
+    }
+    tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_REG_TMP2, addr_reg);
+    *pbase = TCG_REG_TMP0;
+#else
+    if (a_mask) {
+        ldst = new_ldst_label(s);
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addr_reg;
+
+        /* We are expecting a_bits max 7, so we can always use andi. */
+        tcg_debug_assert(a_bits < 12);
+        tcg_out_opc_imm(s, OPC_ANDI, TCG_REG_TMP1, addr_reg, a_mask);
+
+        ldst->label_ptr[0] = s->code_ptr;
+        tcg_out_opc_branch(s, OPC_BNE, TCG_REG_TMP1, TCG_REG_ZERO, 0);
+    }
+
+    TCGReg base = addr_reg;
+    if (TARGET_LONG_BITS == 32) {
+        tcg_out_ext32u(s, TCG_REG_TMP0, base);
+        base = TCG_REG_TMP0;
+    }
+    if (guest_base != 0) {
+        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
+        base = TCG_REG_TMP0;
+    }
+    *pbase = base;
+#endif
+
+    return ldst;
+}
+
 static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg val,
                                    TCGReg base, MemOp opc, TCGType type)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg val,
 static void tcg_out_qemu_ld(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     TCGReg base;
 
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[1];
+    ldst = prepare_host_addr(s, &base, addr_reg, oi, true);
+    tcg_out_qemu_ld_direct(s, data_reg, base, get_memop(oi), data_type);
 
-    base = tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 1);
-    tcg_out_qemu_ld_direct(s, data_reg, base, opc, data_type);
-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    base = addr_reg;
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, TCG_REG_TMP0, base);
-        base = TCG_REG_TMP0;
-    }
-    if (guest_base != 0) {
-        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
-        base = TCG_REG_TMP0;
-    }
-    tcg_out_qemu_ld_direct(s, data_reg, base, opc, data_type);
-#endif
 }
 
 static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg val,
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg val,
 static void tcg_out_qemu_st(TCGContext *s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     TCGReg base;
 
-#if defined(CONFIG_SOFTMMU)
-    tcg_insn_unit *label_ptr[1];
+    ldst = prepare_host_addr(s, &base, addr_reg, oi, false);
+    tcg_out_qemu_st_direct(s, data_reg, base, get_memop(oi));
 
-    base = tcg_out_tlb_load(s, addr_reg, oi, label_ptr, 0);
-    tcg_out_qemu_st_direct(s, data_reg, base, opc);
-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    base = addr_reg;
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, TCG_REG_TMP0, base);
-        base = TCG_REG_TMP0;
-    }
-    if (guest_base != 0) {
-        tcg_out_opc_reg(s, OPC_ADD, TCG_REG_TMP0, TCG_GUEST_BASE_REG, base);
-        base = TCG_REG_TMP0;
-    }
-    tcg_out_qemu_st_direct(s, data_reg, base, opc);
-#endif
 }
 
 static const tcg_insn_unit *tb_ret_addr;
-- 
2.34.1

Merge tcg_out_tlb_load, add_qemu_ldst_label, tcg_out_test_alignment,
tcg_prepare_user_ldst, and some code that lived in both tcg_out_qemu_ld
and tcg_out_qemu_st into one function that returns HostAddress and
TCGLabelQemuLdst structures.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/s390x/tcg-target.c.inc | 263 ++++++++++++++++---------------------
 1 file changed, 113 insertions(+), 150 deletions(-)

diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target.c.inc
+++ b/tcg/s390x/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, MemOp opc, TCGReg data,
 }
 
 #if defined(CONFIG_SOFTMMU)
-/* We're expecting to use a 20-bit negative offset on the tlb memory ops.  */
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
-QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
-
-/* Load and compare a TLB entry, leaving the flags set.  Loads the TLB
-   addend into R2.  Returns a register with the santitized guest address.  */
-static TCGReg tcg_out_tlb_read(TCGContext *s, TCGReg addr_reg, MemOp opc,
-                               int mem_index, bool is_ld)
-{
-    unsigned s_bits = opc & MO_SIZE;
-    unsigned a_bits = get_alignment_bits(opc);
-    unsigned s_mask = (1 << s_bits) - 1;
-    unsigned a_mask = (1 << a_bits) - 1;
-    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
-    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
-    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
-    int ofs, a_off;
-    uint64_t tlb_mask;
-
-    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
-                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
-    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
-    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
-
-    /* For aligned accesses, we check the first byte and include the alignment
-       bits within the address.  For unaligned access, we check that we don't
-       cross pages using the address of the last byte of the access.  */
-    a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
-    tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
-    if (a_off == 0) {
-        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
-    } else {
-        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
-        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
-    }
-
-    if (is_ld) {
-        ofs = offsetof(CPUTLBEntry, addr_read);
-    } else {
-        ofs = offsetof(CPUTLBEntry, addr_write);
-    }
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
-    } else {
-        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
-    }
-
-    tcg_out_insn(s, RXY, LG, TCG_REG_R2, TCG_REG_R2, TCG_REG_NONE,
-                 offsetof(CPUTLBEntry, addend));
-
-    if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
-        return TCG_REG_R3;
-    }
-    return addr_reg;
-}
-
-static void add_qemu_ldst_label(TCGContext *s, bool is_ld, MemOpIdx oi,
-                                TCGType type, TCGReg data, TCGReg addr,
-                                tcg_insn_unit *raddr, tcg_insn_unit *label_ptr)
-{
-    TCGLabelQemuLdst *label = new_ldst_label(s);
-
-    label->is_ld = is_ld;
-    label->oi = oi;
-    label->type = type;
-    label->datalo_reg = data;
-    label->addrlo_reg = addr;
-    label->raddr = tcg_splitwx_to_rx(raddr);
-    label->label_ptr[0] = label_ptr;
-}
-
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
     TCGReg addr_reg = lb->addrlo_reg;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
     return true;
 }
 #else
-static void tcg_out_test_alignment(TCGContext *s, bool is_ld,
-                                   TCGReg addrlo, unsigned a_bits)
-{
-    unsigned a_mask = (1 << a_bits) - 1;
-    TCGLabelQemuLdst *l = new_ldst_label(s);
-
-    l->is_ld = is_ld;
-    l->addrlo_reg = addrlo;
-
-    /* We are expecting a_bits to max out at 7, much lower than TMLL. */
-    tcg_debug_assert(a_bits < 16);
-    tcg_out_insn(s, RI, TMLL, addrlo, a_mask);
-
-    tcg_out16(s, RI_BRC | (7 << 4)); /* CC in {1,2,3} */
-    l->label_ptr[0] = s->code_ptr;
-    s->code_ptr += 1;
-
-    l->raddr = tcg_splitwx_to_rx(s->code_ptr);
-}
-
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     if (!patch_reloc(l->label_ptr[0], R_390_PC16DBL,
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     return tcg_out_fail_alignment(s, l);
 }
+#endif /* CONFIG_SOFTMMU */
 
-static HostAddress tcg_prepare_user_ldst(TCGContext *s, TCGReg addr_reg)
+/*
+ * For softmmu, perform the TLB load and compare.
+ * For useronly, perform any required alignment tests.
+ * In both cases, return a TCGLabelQemuLdst structure if the slow path
+ * is required and fill in @h with the host address for the fast path.
+ */
+static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
+                                           TCGReg addr_reg, MemOpIdx oi,
+                                           bool is_ld)
 {
-    TCGReg index;
-    int disp;
+    TCGLabelQemuLdst *ldst = NULL;
+    MemOp opc = get_memop(oi);
+    unsigned a_bits = get_alignment_bits(opc);
+    unsigned a_mask = (1u << a_bits) - 1;
 
+#ifdef CONFIG_SOFTMMU
+    unsigned s_bits = opc & MO_SIZE;
+    unsigned s_mask = (1 << s_bits) - 1;
+    int mem_index = get_mmuidx(oi);
+    int fast_off = TLB_MASK_TABLE_OFS(mem_index);
+    int mask_off = fast_off + offsetof(CPUTLBDescFast, mask);
+    int table_off = fast_off + offsetof(CPUTLBDescFast, table);
+    int ofs, a_off;
+    uint64_t tlb_mask;
+
+    ldst = new_ldst_label(s);
+    ldst->is_ld = is_ld;
+    ldst->oi = oi;
+    ldst->addrlo_reg = addr_reg;
+
+    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
+                 TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
+
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
+    QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
+    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
+    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
+
+    /*
+     * For aligned accesses, we check the first byte and include the alignment
+     * bits within the address.  For unaligned access, we check that we don't
+     * cross pages using the address of the last byte of the access.
+     */
+    a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
+    tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
+    if (a_off == 0) {
+        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
+    } else {
+        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
+        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
+    }
+
+    if (is_ld) {
+        ofs = offsetof(CPUTLBEntry, addr_read);
+    } else {
+        ofs = offsetof(CPUTLBEntry, addr_write);
+    }
+    if (TARGET_LONG_BITS == 32) {
+        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+    } else {
+        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+    }
+
+    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
+    ldst->label_ptr[0] = s->code_ptr++;
+
+    h->index = TCG_REG_R2;
+    tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
+                 offsetof(CPUTLBEntry, addend));
+
+    h->base = addr_reg;
+    if (TARGET_LONG_BITS == 32) {
+        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
+        h->base = TCG_REG_R3;
+    }
+    h->disp = 0;
+#else
+    if (a_mask) {
+        ldst = new_ldst_label(s);
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addr_reg;
+
+        /* We are expecting a_bits to max out at 7, much lower than TMLL. */
+        tcg_debug_assert(a_bits < 16);
+        tcg_out_insn(s, RI, TMLL, addr_reg, a_mask);
+
+        tcg_out16(s, RI_BRC | (7 << 4)); /* CC in {1,2,3} */
+        ldst->label_ptr[0] = s->code_ptr++;
+    }
+
+    h->base = addr_reg;
     if (TARGET_LONG_BITS == 32) {
         tcg_out_ext32u(s, TCG_TMP0, addr_reg);
-        addr_reg = TCG_TMP0;
+        h->base = TCG_TMP0;
     }
     if (guest_base < 0x80000) {
-        index = TCG_REG_NONE;
-        disp = guest_base;
+        h->index = TCG_REG_NONE;
+        h->disp = guest_base;
     } else {
-        index = TCG_GUEST_BASE_REG;
-        disp = 0;
+        h->index = TCG_GUEST_BASE_REG;
+        h->disp = 0;
     }
-    return (HostAddress){ .base = addr_reg, .index = index, .disp = disp };
+#endif
+
+    return ldst;
 }
-#endif /* CONFIG_SOFTMMU */
 
 static void tcg_out_qemu_ld(TCGContext* s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    unsigned mem_index = get_mmuidx(oi);
-    tcg_insn_unit *label_ptr;
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, true);
+    tcg_out_qemu_ld_direct(s, get_memop(oi), data_reg, h);
 
-    h.base = tcg_out_tlb_read(s, addr_reg, opc, mem_index, 1);
-    h.index = TCG_REG_R2;
-    h.disp = 0;
-
-    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
-    label_ptr = s->code_ptr;
-    s->code_ptr += 1;
-
-    tcg_out_qemu_ld_direct(s, opc, data_reg, h);
-
-    add_qemu_ldst_label(s, true, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-
-    if (a_bits) {
-        tcg_out_test_alignment(s, true, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    h = tcg_prepare_user_ldst(s, addr_reg);
-    tcg_out_qemu_ld_direct(s, opc, data_reg, h);
-#endif
 }
 
 static void tcg_out_qemu_st(TCGContext* s, TCGReg data_reg, TCGReg addr_reg,
                             MemOpIdx oi, TCGType data_type)
 {
-    MemOp opc = get_memop(oi);
+    TCGLabelQemuLdst *ldst;
     HostAddress h;
 
-#ifdef CONFIG_SOFTMMU
-    unsigned mem_index = get_mmuidx(oi);
-    tcg_insn_unit *label_ptr;
+    ldst = prepare_host_addr(s, &h, addr_reg, oi, false);
+    tcg_out_qemu_st_direct(s, get_memop(oi), data_reg, h);
 
-    h.base = tcg_out_tlb_read(s, addr_reg, opc, mem_index, 0);
-    h.index = TCG_REG_R2;
-    h.disp = 0;
-
-    tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
-    label_ptr = s->code_ptr;
-    s->code_ptr += 1;
-
-    tcg_out_qemu_st_direct(s, opc, data_reg, h);
-
-    add_qemu_ldst_label(s, false, oi, data_type, data_reg, addr_reg,
-                        s->code_ptr, label_ptr);
-#else
-    unsigned a_bits = get_alignment_bits(opc);
-
-    if (a_bits) {
-        tcg_out_test_alignment(s, false, addr_reg, a_bits);
+    if (ldst) {
+        ldst->type = data_type;
+        ldst->datalo_reg = data_reg;
+        ldst->raddr = tcg_splitwx_to_rx(s->code_ptr);
     }
-    h = tcg_prepare_user_ldst(s, addr_reg);
-    tcg_out_qemu_st_direct(s, opc, data_reg, h);
-#endif
 }
 
 static void tcg_out_exit_tb(TCGContext *s, uintptr_t a0)
-- 
2.34.1

Add tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.  These and their subroutines
use the existing knowledge of the host function call abi
to load the function call arguments and return results.

These will be used to simplify the backends in turn.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/tcg.c | 475 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 471 insertions(+), 4 deletions(-)

diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct);
 static int tcg_out_ldst_finalize(TCGContext *s);
 #endif
 
+typedef struct TCGLdstHelperParam {
+    TCGReg (*ra_gen)(TCGContext *s, const TCGLabelQemuLdst *l, int arg_reg);
+    unsigned ntmp;
+    int tmp[3];
+} TCGLdstHelperParam;
+
+static void tcg_out_ld_helper_args(TCGContext *s, const TCGLabelQemuLdst *l,
+                                   const TCGLdstHelperParam *p)
+    __attribute__((unused));
+static void tcg_out_ld_helper_ret(TCGContext *s, const TCGLabelQemuLdst *l,
+                                  bool load_sign, const TCGLdstHelperParam *p)
+    __attribute__((unused));
+static void tcg_out_st_helper_args(TCGContext *s, const TCGLabelQemuLdst *l,
+                                   const TCGLdstHelperParam *p)
+    __attribute__((unused));
+
 TCGContext tcg_init_ctx;
 __thread TCGContext *tcg_ctx;
 
@@ -XXX,XX +XXX,XX @@ void tcg_raise_tb_overflow(TCGContext *s)
     siglongjmp(s->jmp_trans, -2);
 }
 
+/*
+ * Used by tcg_out_movext{1,2} to hold the arguments for tcg_out_movext.
+ * By the time we arrive at tcg_out_movext1, @dst is always a TCGReg.
+ *
+ * However, tcg_out_helper_load_slots reuses this field to hold an
+ * argument slot number (which may designate a argument register or an
+ * argument stack slot), converting to TCGReg once all arguments that
+ * are destined for the stack are processed.
+ */
 typedef struct TCGMovExtend {
-    TCGReg dst;
+    unsigned dst;
     TCGReg src;
     TCGType dst_type;
     TCGType src_type;
@@ -XXX,XX +XXX,XX @@ static void tcg_out_movext1(TCGContext *s, const TCGMovExtend *i)
  * between the sources and destinations.
  */
 
-static void __attribute__((unused))
-tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
-                const TCGMovExtend *i2, int scratch)
+static void tcg_out_movext2(TCGContext *s, const TCGMovExtend *i1,
+                            const TCGMovExtend *i2, int scratch)
 {
     TCGReg src1 = i1->src;
     TCGReg src2 = i2->src;
@@ -XXX,XX +XXX,XX @@ static TCGHelperInfo all_helpers[] = {
 };
 static GHashTable *helper_table;
 
+/*
+ * Create TCGHelperInfo structures for "tcg/tcg-ldst.h" functions,
+ * akin to what "exec/helper-tcg.h" does with DEF_HELPER_FLAGS_N.
+ * We only use these for layout in tcg_out_ld_helper_ret and
+ * tcg_out_st_helper_args, and share them between several of
+ * the helpers, with the end result that it's easier to build manually.
+ */
+
+#if TCG_TARGET_REG_BITS == 32
+# define dh_typecode_ttl  dh_typecode_i32
+#else
+# define dh_typecode_ttl  dh_typecode_i64
+#endif
+
+static TCGHelperInfo info_helper_ld32_mmu = {
+    .flags = TCG_CALL_NO_WG,
+    .typemask = dh_typemask(ttl, 0)  /* return tcg_target_ulong */
+              | dh_typemask(env, 1)
+              | dh_typemask(tl, 2)   /* target_ulong addr */
+              | dh_typemask(i32, 3)  /* unsigned oi */
+              | dh_typemask(ptr, 4)  /* uintptr_t ra */
+};
+
+static TCGHelperInfo info_helper_ld64_mmu = {
+    .flags = TCG_CALL_NO_WG,
+    .typemask = dh_typemask(i64, 0)  /* return uint64_t */
+              | dh_typemask(env, 1)
+              | dh_typemask(tl, 2)   /* target_ulong addr */
+              | dh_typemask(i32, 3)  /* unsigned oi */
+              | dh_typemask(ptr, 4)  /* uintptr_t ra */
+};
+
+static TCGHelperInfo info_helper_st32_mmu = {
+    .flags = TCG_CALL_NO_WG,
+    .typemask = dh_typemask(void, 0)
+              | dh_typemask(env, 1)
+              | dh_typemask(tl, 2)   /* target_ulong addr */
+              | dh_typemask(i32, 3)  /* uint32_t data */
+              | dh_typemask(i32, 4)  /* unsigned oi */
+              | dh_typemask(ptr, 5)  /* uintptr_t ra */
+};
+
+static TCGHelperInfo info_helper_st64_mmu = {
+    .flags = TCG_CALL_NO_WG,
+    .typemask = dh_typemask(void, 0)
+              | dh_typemask(env, 1)
+              | dh_typemask(tl, 2)   /* target_ulong addr */
+              | dh_typemask(i64, 3)  /* uint64_t data */
+              | dh_typemask(i32, 4)  /* unsigned oi */
+              | dh_typemask(ptr, 5)  /* uintptr_t ra */
+};
+
 #ifdef CONFIG_TCG_INTERPRETER
 static ffi_type *typecode_to_ffi(int argmask)
 {
@@ -XXX,XX +XXX,XX @@ static void tcg_context_init(unsigned max_cpus)
                             (gpointer)&all_helpers[i]);
     }
 
+    init_call_layout(&info_helper_ld32_mmu);
+    init_call_layout(&info_helper_ld64_mmu);
+    init_call_layout(&info_helper_st32_mmu);
+    init_call_layout(&info_helper_st64_mmu);
+
 #ifdef CONFIG_TCG_INTERPRETER
     init_ffi_layouts();
 #endif
@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_call(TCGContext *s, TCGOp *op)
     }
 }
 
+/*
+ * Similarly for qemu_ld/st slow path helpers.
+ * We must re-implement tcg_gen_callN and tcg_reg_alloc_call simultaneously,
+ * using only the provided backend tcg_out_* functions.
+ */
+
+static int tcg_out_helper_stk_ofs(TCGType type, unsigned slot)
+{
+    int ofs = arg_slot_stk_ofs(slot);
+
+    /*
+     * Each stack slot is TCG_TARGET_LONG_BITS.  If the host does not
+     * require extension to uint64_t, adjust the address for uint32_t.
+     */
+    if (HOST_BIG_ENDIAN &&
+        TCG_TARGET_REG_BITS == 64 &&
+        type == TCG_TYPE_I32) {
+        ofs += 4;
+    }
+    return ofs;
+}
+
+static void tcg_out_helper_load_regs(TCGContext *s,
+                                     unsigned nmov, TCGMovExtend *mov,
+                                     unsigned ntmp, const int *tmp)
+{
+    switch (nmov) {
+    default:
+        /* The backend must have provided enough temps for the worst case. */
+        tcg_debug_assert(ntmp + 1 >= nmov);
+
+        for (unsigned i = nmov - 1; i >= 2; --i) {
+            TCGReg dst = mov[i].dst;
+
+            for (unsigned j = 0; j < i; ++j) {
+                if (dst == mov[j].src) {
+                    /*
+                     * Conflict.
+                     * Copy the source to a temporary, recurse for the
+                     * remaining moves, perform the extension from our
+                     * scratch on the way out.
+                     */
+                    TCGReg scratch = tmp[--ntmp];
+                    tcg_out_mov(s, mov[i].src_type, scratch, mov[i].src);
+                    mov[i].src = scratch;
+
+                    tcg_out_helper_load_regs(s, i, mov, ntmp, tmp);
+                    tcg_out_movext1(s, &mov[i]);
+                    return;
+                }
+            }
+
+            /* No conflicts: perform this move and continue. */
+            tcg_out_movext1(s, &mov[i]);
+        }
+        /* fall through for the final two moves */
+
+    case 2:
+        tcg_out_movext2(s, mov, mov + 1, ntmp ? tmp[0] : -1);
+        return;
+    case 1:
+        tcg_out_movext1(s, mov);
+        return;
+    case 0:
+        g_assert_not_reached();
+    }
+}
+
+static void tcg_out_helper_load_slots(TCGContext *s,
+                                      unsigned nmov, TCGMovExtend *mov,
+                                      const TCGLdstHelperParam *parm)
+{
+    unsigned i;
+
+    /*
+     * Start from the end, storing to the stack first.
+     * This frees those registers, so we need not consider overlap.
+     */
+    for (i = nmov; i-- > 0; ) {
+        unsigned slot = mov[i].dst;
+
+        if (arg_slot_reg_p(slot)) {
+            goto found_reg;
+        }
+
+        TCGReg src = mov[i].src;
+        TCGType dst_type = mov[i].dst_type;
+        MemOp dst_mo = dst_type == TCG_TYPE_I32 ? MO_32 : MO_64;
+
+        /* The argument is going onto the stack; extend into scratch. */
+        if ((mov[i].src_ext & MO_SIZE) != dst_mo) {
+            tcg_debug_assert(parm->ntmp != 0);
+            mov[i].dst = src = parm->tmp[0];
+            tcg_out_movext1(s, &mov[i]);
+        }
+
+        tcg_out_st(s, dst_type, src, TCG_REG_CALL_STACK,
+                   tcg_out_helper_stk_ofs(dst_type, slot));
+    }
+    return;
+
+ found_reg:
+    /*
+     * The remaining arguments are in registers.
+     * Convert slot numbers to argument registers.
+     */
+    nmov = i + 1;
+    for (i = 0; i < nmov; ++i) {
+        mov[i].dst = tcg_target_call_iarg_regs[mov[i].dst];
+    }
+    tcg_out_helper_load_regs(s, nmov, mov, parm->ntmp, parm->tmp);
+}
+
+static void tcg_out_helper_load_imm(TCGContext *s, unsigned slot,
+                                    TCGType type, tcg_target_long imm,
+                                    const TCGLdstHelperParam *parm)
+{
+    if (arg_slot_reg_p(slot)) {
+        tcg_out_movi(s, type, tcg_target_call_iarg_regs[slot], imm);
+    } else {
+        int ofs = tcg_out_helper_stk_ofs(type, slot);
+        if (!tcg_out_sti(s, type, imm, TCG_REG_CALL_STACK, ofs)) {
+            tcg_debug_assert(parm->ntmp != 0);
+            tcg_out_movi(s, type, parm->tmp[0], imm);
+            tcg_out_st(s, type, parm->tmp[0], TCG_REG_CALL_STACK, ofs);
+        }
+    }
+}
+
+static void tcg_out_helper_load_common_args(TCGContext *s,
+                                            const TCGLabelQemuLdst *ldst,
+                                            const TCGLdstHelperParam *parm,
+                                            const TCGHelperInfo *info,
+                                            unsigned next_arg)
+{
+    TCGMovExtend ptr_mov = {
+        .dst_type = TCG_TYPE_PTR,
+        .src_type = TCG_TYPE_PTR,
+        .src_ext = sizeof(void *) == 4 ? MO_32 : MO_64
+    };
+    const TCGCallArgumentLoc *loc = &info->in[0];
+    TCGType type;
+    unsigned slot;
+    tcg_target_ulong imm;
+
+    /*
+     * Handle env, which is always first.
+     */
+    ptr_mov.dst = loc->arg_slot;
+    ptr_mov.src = TCG_AREG0;
+    tcg_out_helper_load_slots(s, 1, &ptr_mov, parm);
+
+    /*
+     * Handle oi.
+     */
+    imm = ldst->oi;
+    loc = &info->in[next_arg];
+    type = TCG_TYPE_I32;
+    switch (loc->kind) {
+    case TCG_CALL_ARG_NORMAL:
+        break;
+    case TCG_CALL_ARG_EXTEND_U:
+    case TCG_CALL_ARG_EXTEND_S:
+        /* No extension required for MemOpIdx. */
+        tcg_debug_assert(imm <= INT32_MAX);
+        type = TCG_TYPE_REG;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+    tcg_out_helper_load_imm(s, loc->arg_slot, type, imm, parm);
+    next_arg++;
+
+    /*
+     * Handle ra.
+     */
+    loc = &info->in[next_arg];
+    slot = loc->arg_slot;
+    if (parm->ra_gen) {
+        int arg_reg = -1;
+        TCGReg ra_reg;
+
+        if (arg_slot_reg_p(slot)) {
+            arg_reg = tcg_target_call_iarg_regs[slot];
+        }
+        ra_reg = parm->ra_gen(s, ldst, arg_reg);
+
+        ptr_mov.dst = slot;
+        ptr_mov.src = ra_reg;
+        tcg_out_helper_load_slots(s, 1, &ptr_mov, parm);
+    } else {
+        imm = (uintptr_t)ldst->raddr;
+        tcg_out_helper_load_imm(s, slot, TCG_TYPE_PTR, imm, parm);
+    }
+}
+
+static unsigned tcg_out_helper_add_mov(TCGMovExtend *mov,
+                                       const TCGCallArgumentLoc *loc,
+                                       TCGType dst_type, TCGType src_type,
+                                       TCGReg lo, TCGReg hi)
+{
+    if (dst_type <= TCG_TYPE_REG) {
+        MemOp src_ext;
+
+        switch (loc->kind) {
+        case TCG_CALL_ARG_NORMAL:
+            src_ext = src_type == TCG_TYPE_I32 ? MO_32 : MO_64;
+            break;
+        case TCG_CALL_ARG_EXTEND_U:
+            dst_type = TCG_TYPE_REG;
+            src_ext = MO_UL;
+            break;
+        case TCG_CALL_ARG_EXTEND_S:
+            dst_type = TCG_TYPE_REG;
+            src_ext = MO_SL;
+            break;
+        default:
+            g_assert_not_reached();
+        }
+
+        mov[0].dst = loc->arg_slot;
+        mov[0].dst_type = dst_type;
+        mov[0].src = lo;
+        mov[0].src_type = src_type;
+        mov[0].src_ext = src_ext;
+        return 1;
+    }
+
+    assert(TCG_TARGET_REG_BITS == 32);
+
+    mov[0].dst = loc[HOST_BIG_ENDIAN].arg_slot;
+    mov[0].src = lo;
+    mov[0].dst_type = TCG_TYPE_I32;
+    mov[0].src_type = TCG_TYPE_I32;
+    mov[0].src_ext = MO_32;
+
+    mov[1].dst = loc[!HOST_BIG_ENDIAN].arg_slot;
+    mov[1].src = hi;
+    mov[1].dst_type = TCG_TYPE_I32;
+    mov[1].src_type = TCG_TYPE_I32;
+    mov[1].src_ext = MO_32;
+
+    return 2;
+}
+
+static void tcg_out_ld_helper_args(TCGContext *s, const TCGLabelQemuLdst *ldst,
+                                   const TCGLdstHelperParam *parm)
+{
+    const TCGHelperInfo *info;
+    const TCGCallArgumentLoc *loc;
+    TCGMovExtend mov[2];
+    unsigned next_arg, nmov;
+    MemOp mop = get_memop(ldst->oi);
+
+    switch (mop & MO_SIZE) {
+    case MO_8:
+    case MO_16:
+    case MO_32:
+        info = &info_helper_ld32_mmu;
+        break;
+    case MO_64:
+        info = &info_helper_ld64_mmu;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    /* Defer env argument. */
+    next_arg = 1;
+
+    loc = &info->in[next_arg];
+    nmov = tcg_out_helper_add_mov(mov, loc, TCG_TYPE_TL, TCG_TYPE_TL,
+                                  ldst->addrlo_reg, ldst->addrhi_reg);
+    next_arg += nmov;
+
+    tcg_out_helper_load_slots(s, nmov, mov, parm);
+
+    /* No special attention for 32 and 64-bit return values. */
+    tcg_debug_assert(info->out_kind == TCG_CALL_RET_NORMAL);
+
+    tcg_out_helper_load_common_args(s, ldst, parm, info, next_arg);
+}
+
+static void tcg_out_ld_helper_ret(TCGContext *s, const TCGLabelQemuLdst *ldst,
+                                  bool load_sign,
+                                  const TCGLdstHelperParam *parm)
+{
+    TCGMovExtend mov[2];
+
+    if (ldst->type <= TCG_TYPE_REG) {
+        MemOp mop = get_memop(ldst->oi);
+
+        mov[0].dst = ldst->datalo_reg;
+        mov[0].src = tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, 0);
+        mov[0].dst_type = ldst->type;
+        mov[0].src_type = TCG_TYPE_REG;
+
+        /*
+         * If load_sign, then we allowed the helper to perform the
+         * appropriate sign extension to tcg_target_ulong, and all
+         * we need now is a plain move.
+         *
+         * If they do not, then we expect the relevant extension
+         * instruction to be no more expensive than a move, and
+         * we thus save the icache etc by only using one of two
+         * helper functions.
+         */
+        if (load_sign || !(mop & MO_SIGN)) {
+            if (TCG_TARGET_REG_BITS == 32 || ldst->type == TCG_TYPE_I32) {
+                mov[0].src_ext = MO_32;
+            } else {
+                mov[0].src_ext = MO_64;
+            }
+        } else {
+            mov[0].src_ext = mop & MO_SSIZE;
+        }
+        tcg_out_movext1(s, mov);
+    } else {
+        assert(TCG_TARGET_REG_BITS == 32);
+
+        mov[0].dst = ldst->datalo_reg;
+        mov[0].src =
+            tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, HOST_BIG_ENDIAN);
+        mov[0].dst_type = TCG_TYPE_I32;
+        mov[0].src_type = TCG_TYPE_I32;
+        mov[0].src_ext = MO_32;
+
+        mov[1].dst = ldst->datahi_reg;
+        mov[1].src =
+            tcg_target_call_oarg_reg(TCG_CALL_RET_NORMAL, !HOST_BIG_ENDIAN);
+        mov[1].dst_type = TCG_TYPE_REG;
+        mov[1].src_type = TCG_TYPE_REG;
+        mov[1].src_ext = MO_32;
+
+        tcg_out_movext2(s, mov, mov + 1, parm->ntmp ? parm->tmp[0] : -1);
+    }
+}
+
+static void tcg_out_st_helper_args(TCGContext *s, const TCGLabelQemuLdst *ldst,
+                                   const TCGLdstHelperParam *parm)
+{
+    const TCGHelperInfo *info;
+    const TCGCallArgumentLoc *loc;
+    TCGMovExtend mov[4];
+    TCGType data_type;
+    unsigned next_arg, nmov, n;
+    MemOp mop = get_memop(ldst->oi);
+
+    switch (mop & MO_SIZE) {
+    case MO_8:
+    case MO_16:
+    case MO_32:
+        info = &info_helper_st32_mmu;
+        data_type = TCG_TYPE_I32;
+        break;
+    case MO_64:
+        info = &info_helper_st64_mmu;
+        data_type = TCG_TYPE_I64;
+        break;
+    default:
+        g_assert_not_reached();
+    }
+
+    /* Defer env argument. */
+    next_arg = 1;
+    nmov = 0;
+
+    /* Handle addr argument. */
+    loc = &info->in[next_arg];
+    n = tcg_out_helper_add_mov(mov, loc, TCG_TYPE_TL, TCG_TYPE_TL,
+                               ldst->addrlo_reg, ldst->addrhi_reg);
+    next_arg += n;
+    nmov += n;
+
+    /* Handle data argument. */
+    loc = &info->in[next_arg];
+    n = tcg_out_helper_add_mov(mov + nmov, loc, data_type, ldst->type,
+                               ldst->datalo_reg, ldst->datahi_reg);
+    next_arg += n;
+    nmov += n;
+    tcg_debug_assert(nmov <= ARRAY_SIZE(mov));
+
+    tcg_out_helper_load_slots(s, nmov, mov, parm);
+    tcg_out_helper_load_common_args(s, ldst, parm, info, next_arg);
+}
+
 #ifdef CONFIG_PROFILER
 
 /* avoid copy/paste errors */
-- 
2.34.1

Use tcg_out_ld_helper_args and tcg_out_ld_helper_ret.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target.c.inc | 71 +++++++++++++++------------------------
 1 file changed, 28 insertions(+), 43 deletions(-)

Use tcg_out_st_helper_args.  This eliminates the use of a tail call to
the store helper.  This may or may not be an improvement, depending on
the call/return branch prediction of the host microarchitecture.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target.c.inc | 57 +++------------------------------------
 1 file changed, 4 insertions(+), 53 deletions(-)

diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
  */
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    MemOp s_bits = opc & MO_SIZE;
+    MemOp opc = get_memop(l->oi);
     tcg_insn_unit **label_ptr = &l->label_ptr[0];
-    TCGReg retaddr;
 
     /* resolve label address */
     tcg_patch32(label_ptr[0], s->code_ptr - label_ptr[0] - 4);
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         tcg_patch32(label_ptr[1], s->code_ptr - label_ptr[1] - 4);
     }
 
-    if (TCG_TARGET_REG_BITS == 32) {
-        int ofs = 0;
+    tcg_out_st_helper_args(s, l, &ldst_helper_param);
+    tcg_out_branch(s, 1, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
 
-        tcg_out_st(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP, ofs);
-        ofs += 4;
-
-        tcg_out_st(s, TCG_TYPE_I32, l->addrlo_reg, TCG_REG_ESP, ofs);
-        ofs += 4;
-
-        if (TARGET_LONG_BITS == 64) {
-            tcg_out_st(s, TCG_TYPE_I32, l->addrhi_reg, TCG_REG_ESP, ofs);
-            ofs += 4;
-        }
-
-        tcg_out_st(s, TCG_TYPE_I32, l->datalo_reg, TCG_REG_ESP, ofs);
-        ofs += 4;
-
-        if (s_bits == MO_64) {
-            tcg_out_st(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_ESP, ofs);
-            ofs += 4;
-        }
-
-        tcg_out_sti(s, TCG_TYPE_I32, oi, TCG_REG_ESP, ofs);
-        ofs += 4;
-
-        retaddr = TCG_REG_EAX;
-        tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
-        tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP, ofs);
-    } else {
-        tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
-        tcg_out_mov(s, TCG_TYPE_TL, tcg_target_call_iarg_regs[1],
-                    l->addrlo_reg);
-        tcg_out_mov(s, (s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32),
-                    tcg_target_call_iarg_regs[2], l->datalo_reg);
-        tcg_out_movi(s, TCG_TYPE_I32, tcg_target_call_iarg_regs[3], oi);
-
-        if (ARRAY_SIZE(tcg_target_call_iarg_regs) > 4) {
-            retaddr = tcg_target_call_iarg_regs[4];
-            tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
-        } else {
-            retaddr = TCG_REG_RAX;
-            tcg_out_movi(s, TCG_TYPE_PTR, retaddr, (uintptr_t)l->raddr);
-            tcg_out_st(s, TCG_TYPE_PTR, retaddr, TCG_REG_ESP,
-                       TCG_TARGET_CALL_STACK_OFFSET);
-        }
-    }
-
-    /* "Tail call" to the helper, with the return address back inline.  */
-    tcg_out_push(s, retaddr);
-    tcg_out_jmp(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)]);
+    tcg_out_jmp(s, l->raddr);
     return true;
 }
 #else
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/aarch64/tcg-target.c.inc | 40 +++++++++++++++---------------------
 1 file changed, 16 insertions(+), 24 deletions(-)

diff --git a/tcg/aarch64/tcg-target.c.inc b/tcg/aarch64/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/aarch64/tcg-target.c.inc
+++ b/tcg/aarch64/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_cltz(TCGContext *s, TCGType ext, TCGReg d,
     }
 }
 
-static void tcg_out_adr(TCGContext *s, TCGReg rd, const void *target)
-{
-    ptrdiff_t offset = tcg_pcrel_diff(s, target);
-    tcg_debug_assert(offset == sextract64(offset, 0, 21));
-    tcg_out_insn(s, 3406, ADR, rd, offset);
-}
-
 typedef struct {
     TCGReg base;
     TCGReg index;
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
 #endif
 };
 
+static const TCGLdstHelperParam ldst_helper_param = {
+    .ntmp = 1, .tmp = { TCG_REG_TMP }
+};
+
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
-    MemOpIdx oi = lb->oi;
-    MemOp opc = get_memop(oi);
+    MemOp opc = get_memop(lb->oi);
 
     if (!reloc_pc19(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_X0, TCG_AREG0);
-    tcg_out_mov(s, TARGET_LONG_BITS == 64, TCG_REG_X1, lb->addrlo_reg);
-    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_X2, oi);
-    tcg_out_adr(s, TCG_REG_X3, lb->raddr);
+    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
     tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
-
-    tcg_out_movext(s, lb->type, lb->datalo_reg,
-                   TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_X0);
+    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
     tcg_out_goto(s, lb->raddr);
     return true;
 }
 
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
-    MemOpIdx oi = lb->oi;
-    MemOp opc = get_memop(oi);
-    MemOp size = opc & MO_SIZE;
+    MemOp opc = get_memop(lb->oi);
 
     if (!reloc_pc19(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_X0, TCG_AREG0);
-    tcg_out_mov(s, TARGET_LONG_BITS == 64, TCG_REG_X1, lb->addrlo_reg);
-    tcg_out_mov(s, size == MO_64, TCG_REG_X2, lb->datalo_reg);
-    tcg_out_movi(s, TCG_TYPE_I32, TCG_REG_X3, oi);
-    tcg_out_adr(s, TCG_REG_X4, lb->raddr);
+    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
     tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE]);
     tcg_out_goto(s, lb->raddr);
     return true;
 }
 #else
+static void tcg_out_adr(TCGContext *s, TCGReg rd, const void *target)
+{
+    ptrdiff_t offset = tcg_pcrel_diff(s, target);
+    tcg_debug_assert(offset == sextract64(offset, 0, 21));
+    tcg_out_insn(s, 3406, ADR, rd, offset);
+}
+
 static bool tcg_out_fail_alignment(TCGContext *s, TCGLabelQemuLdst *l)
 {
     if (!reloc_pc19(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.  This allows our local
tcg_out_arg_* infrastructure to be removed.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/arm/tcg-target.c.inc | 140 +++++----------------------------------
 1 file changed, 18 insertions(+), 122 deletions(-)

diff --git a/tcg/arm/tcg-target.c.inc b/tcg/arm/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/arm/tcg-target.c.inc
+++ b/tcg/arm/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ tcg_out_ldrd_rwb(TCGContext *s, ARMCond cond, TCGReg rt, TCGReg rn, TCGReg rm)
     tcg_out_memop_r(s, cond, INSN_LDRD_REG, rt, rn, rm, 1, 1, 1);
 }
 
-static void tcg_out_strd_8(TCGContext *s, ARMCond cond, TCGReg rt,
-                           TCGReg rn, int imm8)
+static void __attribute__((unused))
+tcg_out_strd_8(TCGContext *s, ARMCond cond, TCGReg rt, TCGReg rn, int imm8)
 {
     tcg_out_memop_8(s, cond, INSN_STRD_IMM, rt, rn, imm8, 1, 0);
 }
@@ -XXX,XX +XXX,XX @@ static void tcg_out_ext8u(TCGContext *s, TCGReg rd, TCGReg rn)
     tcg_out_dat_imm(s, COND_AL, ARITH_AND, rd, rn, 0xff);
 }
 
-static void __attribute__((unused))
-tcg_out_ext8u_cond(TCGContext *s, ARMCond cond, TCGReg rd, TCGReg rn)
-{
-    tcg_out_dat_imm(s, cond, ARITH_AND, rd, rn, 0xff);
-}
-
 static void tcg_out_ext16s(TCGContext *s, TCGType t, TCGReg rd, TCGReg rn)
 {
     /* sxth */
     tcg_out32(s, 0x06bf0070 | (COND_AL << 28) | (rd << 12) | rn);
 }
 
-static void tcg_out_ext16u_cond(TCGContext *s, ARMCond cond,
-                                TCGReg rd, TCGReg rn)
-{
-    /* uxth */
-    tcg_out32(s, 0x06ff0070 | (cond << 28) | (rd << 12) | rn);
-}
-
 static void tcg_out_ext16u(TCGContext *s, TCGReg rd, TCGReg rn)
 {
-    tcg_out_ext16u_cond(s, COND_AL, rd, rn);
+    /* uxth */
+    tcg_out32(s, 0x06ff0070 | (COND_AL << 28) | (rd << 12) | rn);
 }
 
 static void tcg_out_ext32s(TCGContext *s, TCGReg rd, TCGReg rn)
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[MO_SIZE + 1] = {
 #endif
 };
 
-/* Helper routines for marshalling helper function arguments into
- * the correct registers and stack.
- * argreg is where we want to put this argument, arg is the argument itself.
- * Return value is the updated argreg ready for the next call.
- * Note that argreg 0..3 is real registers, 4+ on stack.
- *
- * We provide routines for arguments which are: immediate, 32 bit
- * value in register, 16 and 8 bit values in register (which must be zero
- * extended before use) and 64 bit value in a lo:hi register pair.
- */
-#define DEFINE_TCG_OUT_ARG(NAME, ARGTYPE, MOV_ARG, EXT_ARG)                \
-static TCGReg NAME(TCGContext *s, TCGReg argreg, ARGTYPE arg)              \
-{                                                                          \
-    if (argreg < 4) {                                                      \
-        MOV_ARG(s, COND_AL, argreg, arg);                                  \
-    } else {                                                               \
-        int ofs = (argreg - 4) * 4;                                        \
-        EXT_ARG;                                                           \
-        tcg_debug_assert(ofs + 4 <= TCG_STATIC_CALL_ARGS_SIZE);            \
-        tcg_out_st32_12(s, COND_AL, arg, TCG_REG_CALL_STACK, ofs);         \
-    }                                                                      \
-    return argreg + 1;                                                     \
-}
-
-DEFINE_TCG_OUT_ARG(tcg_out_arg_imm32, uint32_t, tcg_out_movi32,
-    (tcg_out_movi32(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
-DEFINE_TCG_OUT_ARG(tcg_out_arg_reg8, TCGReg, tcg_out_ext8u_cond,
-    (tcg_out_ext8u_cond(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
-DEFINE_TCG_OUT_ARG(tcg_out_arg_reg16, TCGReg, tcg_out_ext16u_cond,
-    (tcg_out_ext16u_cond(s, COND_AL, TCG_REG_TMP, arg), arg = TCG_REG_TMP))
-DEFINE_TCG_OUT_ARG(tcg_out_arg_reg32, TCGReg, tcg_out_mov_reg, )
-
-static TCGReg tcg_out_arg_reg64(TCGContext *s, TCGReg argreg,
-                                TCGReg arglo, TCGReg arghi)
+static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
 {
-    /* 64 bit arguments must go in even/odd register pairs
-     * and in 8-aligned stack slots.
-     */
-    if (argreg & 1) {
-        argreg++;
-    }
-    if (argreg >= 4 && (arglo & 1) == 0 && arghi == arglo + 1) {
-        tcg_out_strd_8(s, COND_AL, arglo,
-                       TCG_REG_CALL_STACK, (argreg - 4) * 4);
-        return argreg + 2;
-    } else {
-        argreg = tcg_out_arg_reg32(s, argreg, arglo);
-        argreg = tcg_out_arg_reg32(s, argreg, arghi);
-        return argreg;
-    }
+    /* We arrive at the slow path via "BLNE", so R14 contains l->raddr. */
+    return TCG_REG_R14;
 }
 
+static const TCGLdstHelperParam ldst_helper_param = {
+    .ra_gen = ldst_ra_gen,
+    .ntmp = 1,
+    .tmp = { TCG_REG_TMP },
+};
+
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
-    TCGReg argreg;
-    MemOpIdx oi = lb->oi;
-    MemOp opc = get_memop(oi);
+    MemOp opc = get_memop(lb->oi);
 
     if (!reloc_pc24(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    argreg = tcg_out_arg_reg32(s, TCG_REG_R0, TCG_AREG0);
-    if (TARGET_LONG_BITS == 64) {
-        argreg = tcg_out_arg_reg64(s, argreg, lb->addrlo_reg, lb->addrhi_reg);
-    } else {
-        argreg = tcg_out_arg_reg32(s, argreg, lb->addrlo_reg);
-    }
-    argreg = tcg_out_arg_imm32(s, argreg, oi);
-    argreg = tcg_out_arg_reg32(s, argreg, TCG_REG_R14);
-
-    /* Use the canonical unsigned helpers and minimize icache usage. */
+    tcg_out_ld_helper_args(s, lb, &ldst_helper_param);
     tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE]);
-
-    if ((opc & MO_SIZE) == MO_64) {
-        TCGMovExtend ext[2] = {
-            { .dst = lb->datalo_reg, .dst_type = TCG_TYPE_I32,
-              .src = TCG_REG_R0, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
-            { .dst = lb->datahi_reg, .dst_type = TCG_TYPE_I32,
-              .src = TCG_REG_R1, .src_type = TCG_TYPE_I32, .src_ext = MO_UL },
-        };
-        tcg_out_movext2(s, &ext[0], &ext[1], TCG_REG_TMP);
-    } else {
-        tcg_out_movext(s, TCG_TYPE_I32, lb->datalo_reg,
-                       TCG_TYPE_I32, opc & MO_SSIZE, TCG_REG_R0);
-    }
+    tcg_out_ld_helper_ret(s, lb, false, &ldst_helper_param);
 
     tcg_out_goto(s, COND_AL, lb->raddr);
     return true;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
 {
-    TCGReg argreg, datalo, datahi;
-    MemOpIdx oi = lb->oi;
-    MemOp opc = get_memop(oi);
+    MemOp opc = get_memop(lb->oi);
 
     if (!reloc_pc24(lb->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    argreg = TCG_REG_R0;
-    argreg = tcg_out_arg_reg32(s, argreg, TCG_AREG0);
-    if (TARGET_LONG_BITS == 64) {
-        argreg = tcg_out_arg_reg64(s, argreg, lb->addrlo_reg, lb->addrhi_reg);
-    } else {
-        argreg = tcg_out_arg_reg32(s, argreg, lb->addrlo_reg);
-    }
-
-    datalo = lb->datalo_reg;
-    datahi = lb->datahi_reg;
-    switch (opc & MO_SIZE) {
-    case MO_8:
-        argreg = tcg_out_arg_reg8(s, argreg, datalo);
-        break;
-    case MO_16:
-        argreg = tcg_out_arg_reg16(s, argreg, datalo);
-        break;
-    case MO_32:
-    default:
-        argreg = tcg_out_arg_reg32(s, argreg, datalo);
-        break;
-    case MO_64:
-        argreg = tcg_out_arg_reg64(s, argreg, datalo, datahi);
-        break;
-    }
-
-    argreg = tcg_out_arg_imm32(s, argreg, oi);
-    argreg = tcg_out_arg_reg32(s, argreg, TCG_REG_R14);
+    tcg_out_st_helper_args(s, lb, &ldst_helper_param);
 
     /* Tail-call to the helper, which will return to the fast path.  */
     tcg_out_goto(s, COND_AL, qemu_st_helpers[opc & MO_SIZE]);
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/loongarch64/tcg-target.c.inc | 37 ++++++++++----------------------
 1 file changed, 11 insertions(+), 26 deletions(-)

diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/loongarch64/tcg-target.c.inc
+++ b/tcg/loongarch64/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
     return reloc_br_sd10k16(s->code_ptr - 1, target);
 }
 
+static const TCGLdstHelperParam ldst_helper_param = {
+    .ntmp = 1, .tmp = { TCG_REG_TMP0 }
+};
+
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    MemOp size = opc & MO_SIZE;
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_br_sk16(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    /* call load helper */
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A0, TCG_AREG0);
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A1, l->addrlo_reg);
-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A2, oi);
-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A3, (tcg_target_long)l->raddr);
-
-    tcg_out_call_int(s, qemu_ld_helpers[size], false);
-
-    tcg_out_movext(s, l->type, l->datalo_reg,
-                   TCG_TYPE_REG, opc & MO_SSIZE, TCG_REG_A0);
+    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
+    tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SIZE], false);
+    tcg_out_ld_helper_ret(s, l, false, &ldst_helper_param);
     return tcg_out_goto(s, l->raddr);
 }
 
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    MemOp size = opc & MO_SIZE;
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_br_sk16(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
         return false;
     }
 
-    /* call store helper */
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A0, TCG_AREG0);
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_REG_A1, l->addrlo_reg);
-    tcg_out_movext(s, size == MO_64 ? TCG_TYPE_I32 : TCG_TYPE_I32, TCG_REG_A2,
-                   l->type, size, l->datalo_reg);
-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A3, oi);
-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_A4, (tcg_target_long)l->raddr);
-
-    tcg_out_call_int(s, qemu_st_helpers[size], false);
-
+    tcg_out_st_helper_args(s, l, &ldst_helper_param);
+    tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
     return tcg_out_goto(s, l->raddr);
 }
 #else
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.  This allows our local
tcg_out_arg_* infrastructure to be removed.

We are no longer filling the call or return branch
delay slots, nor are we tail-calling for the store,
but this seems a small price to pay.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/mips/tcg-target.c.inc | 154 ++++++--------------------------------
 1 file changed, 22 insertions(+), 132 deletions(-)

diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.c.inc
+++ b/tcg/mips/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
     [MO_BEUQ] = helper_be_stq_mmu,
 };
 
-/* Helper routines for marshalling helper function arguments into
- * the correct registers and stack.
- * I is where we want to put this argument, and is updated and returned
- * for the next call. ARG is the argument itself.
- *
- * We provide routines for arguments which are: immediate, 32 bit
- * value in register, 16 and 8 bit values in register (which must be zero
- * extended before use) and 64 bit value in a lo:hi register pair.
- */
-
-static int tcg_out_call_iarg_reg(TCGContext *s, int i, TCGReg arg)
-{
-    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
-        tcg_out_mov(s, TCG_TYPE_REG, tcg_target_call_iarg_regs[i], arg);
-    } else {
-        /* For N32 and N64, the initial offset is different.  But there
-           we also have 8 argument register so we don't run out here.  */
-        tcg_debug_assert(TCG_TARGET_REG_BITS == 32);
-        tcg_out_st(s, TCG_TYPE_REG, arg, TCG_REG_SP, 4 * i);
-    }
-    return i + 1;
-}
-
-static int tcg_out_call_iarg_reg8(TCGContext *s, int i, TCGReg arg)
-{
-    TCGReg tmp = TCG_TMP0;
-    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
-        tmp = tcg_target_call_iarg_regs[i];
-    }
-    tcg_out_ext8u(s, tmp, arg);
-    return tcg_out_call_iarg_reg(s, i, tmp);
-}
-
-static int tcg_out_call_iarg_reg16(TCGContext *s, int i, TCGReg arg)
-{
-    TCGReg tmp = TCG_TMP0;
-    if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
-        tmp = tcg_target_call_iarg_regs[i];
-    }
-    tcg_out_opc_imm(s, OPC_ANDI, tmp, arg, 0xffff);
-    return tcg_out_call_iarg_reg(s, i, tmp);
-}
-
-static int tcg_out_call_iarg_imm(TCGContext *s, int i, TCGArg arg)
-{
-    TCGReg tmp = TCG_TMP0;
-    if (arg == 0) {
-        tmp = TCG_REG_ZERO;
-    } else {
-        if (i < ARRAY_SIZE(tcg_target_call_iarg_regs)) {
-            tmp = tcg_target_call_iarg_regs[i];
-        }
-        tcg_out_movi(s, TCG_TYPE_REG, tmp, arg);
-    }
-    return tcg_out_call_iarg_reg(s, i, tmp);
-}
-
-static int tcg_out_call_iarg_reg2(TCGContext *s, int i, TCGReg al, TCGReg ah)
-{
-    tcg_debug_assert(TCG_TARGET_REG_BITS == 32);
-    i = (i + 1) & ~1;
-    i = tcg_out_call_iarg_reg(s, i, (MIPS_BE ? ah : al));
-    i = tcg_out_call_iarg_reg(s, i, (MIPS_BE ? al : ah));
-    return i;
-}
+/* We have four temps, we might as well expose three of them. */
+static const TCGLdstHelperParam ldst_helper_param = {
+    .ntmp = 3, .tmp = { TCG_TMP0, TCG_TMP1, TCG_TMP2 }
+};
 
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    TCGReg v0;
-    int i;
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_pc16(l->label_ptr[0], tgt_rx)
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         return false;
     }
 
-    i = 1;
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        i = tcg_out_call_iarg_reg2(s, i, l->addrlo_reg, l->addrhi_reg);
-    } else {
-        i = tcg_out_call_iarg_reg(s, i, l->addrlo_reg);
-    }
-    i = tcg_out_call_iarg_imm(s, i, oi);
-    i = tcg_out_call_iarg_imm(s, i, (intptr_t)l->raddr);
+    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
+
     tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SSIZE)], false);
     /* delay slot */
-    tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+    tcg_out_nop(s);
 
-    v0 = l->datalo_reg;
-    if (TCG_TARGET_REG_BITS == 32 && (opc & MO_SIZE) == MO_64) {
-        /* We eliminated V0 from the possible output registers, so it
-           cannot be clobbered here.  So we must move V1 first.  */
-        if (MIPS_BE) {
-            tcg_out_mov(s, TCG_TYPE_I32, v0, TCG_REG_V1);
-            v0 = l->datahi_reg;
-        } else {
-            tcg_out_mov(s, TCG_TYPE_I32, l->datahi_reg, TCG_REG_V1);
-        }
-    }
+    tcg_out_ld_helper_ret(s, l, true, &ldst_helper_param);
 
     tcg_out_opc_br(s, OPC_BEQ, TCG_REG_ZERO, TCG_REG_ZERO);
     if (!reloc_pc16(s->code_ptr - 1, l->raddr)) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     }
 
     /* delay slot */
-    if (TCG_TARGET_REG_BITS == 64 && l->type == TCG_TYPE_I32) {
-        /* we always sign-extend 32-bit loads */
-        tcg_out_ext32s(s, v0, TCG_REG_V0);
-    } else {
-        tcg_out_opc_reg(s, OPC_OR, v0, TCG_REG_V0, TCG_REG_ZERO);
-    }
+    tcg_out_nop(s);
     return true;
 }
 
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
     const tcg_insn_unit *tgt_rx = tcg_splitwx_to_rx(s->code_ptr);
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    MemOp s_bits = opc & MO_SIZE;
-    int i;
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_pc16(l->label_ptr[0], tgt_rx)
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
         return false;
     }
 
-    i = 1;
-    if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        i = tcg_out_call_iarg_reg2(s, i, l->addrlo_reg, l->addrhi_reg);
-    } else {
-        i = tcg_out_call_iarg_reg(s, i, l->addrlo_reg);
-    }
-    switch (s_bits) {
-    case MO_8:
-        i = tcg_out_call_iarg_reg8(s, i, l->datalo_reg);
-        break;
-    case MO_16:
-        i = tcg_out_call_iarg_reg16(s, i, l->datalo_reg);
-        break;
-    case MO_32:
-        i = tcg_out_call_iarg_reg(s, i, l->datalo_reg);
-        break;
-    case MO_64:
-        if (TCG_TARGET_REG_BITS == 32) {
-            i = tcg_out_call_iarg_reg2(s, i, l->datalo_reg, l->datahi_reg);
-        } else {
-            i = tcg_out_call_iarg_reg(s, i, l->datalo_reg);
-        }
-        break;
-    default:
-        g_assert_not_reached();
-    }
-    i = tcg_out_call_iarg_imm(s, i, oi);
+    tcg_out_st_helper_args(s, l, &ldst_helper_param);
 
-    /* Tail call to the store helper.  Thus force the return address
-       computation to take place in the return address register.  */
-    tcg_out_movi(s, TCG_TYPE_PTR, TCG_REG_RA, (intptr_t)l->raddr);
-    i = tcg_out_call_iarg_reg(s, i, TCG_REG_RA);
-    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], true);
+    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], false);
     /* delay slot */
-    tcg_out_mov(s, TCG_TYPE_PTR, tcg_target_call_iarg_regs[0], TCG_AREG0);
+    tcg_out_nop(s);
+
+    tcg_out_opc_br(s, OPC_BEQ, TCG_REG_ZERO, TCG_REG_ZERO);
+    if (!reloc_pc16(s->code_ptr - 1, l->raddr)) {
+        return false;
+    }
+
+    /* delay slot */
+    tcg_out_nop(s);
     return true;
 }
 
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/ppc/tcg-target.c.inc | 88 ++++++++++++----------------------------
 1 file changed, 26 insertions(+), 62 deletions(-)

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/riscv/tcg-target.c.inc | 37 ++++++++++---------------------------
 1 file changed, 10 insertions(+), 27 deletions(-)

diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target.c.inc
+++ b/tcg/riscv/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto(TCGContext *s, const tcg_insn_unit *target)
     tcg_debug_assert(ok);
 }
 
+/* We have three temps, we might as well expose them. */
+static const TCGLdstHelperParam ldst_helper_param = {
+    .ntmp = 3, .tmp = { TCG_REG_TMP0, TCG_REG_TMP1, TCG_REG_TMP2 }
+};
+
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    TCGReg a0 = tcg_target_call_iarg_regs[0];
-    TCGReg a1 = tcg_target_call_iarg_regs[1];
-    TCGReg a2 = tcg_target_call_iarg_regs[2];
-    TCGReg a3 = tcg_target_call_iarg_regs[3];
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_sbimm12(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     }
 
     /* call load helper */
-    tcg_out_mov(s, TCG_TYPE_PTR, a0, TCG_AREG0);
-    tcg_out_mov(s, TCG_TYPE_PTR, a1, l->addrlo_reg);
-    tcg_out_movi(s, TCG_TYPE_PTR, a2, oi);
-    tcg_out_movi(s, TCG_TYPE_PTR, a3, (tcg_target_long)l->raddr);
-
+    tcg_out_ld_helper_args(s, l, &ldst_helper_param);
     tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SSIZE], false);
-    tcg_out_mov(s, (opc & MO_SIZE) == MO_64, l->datalo_reg, a0);
+    tcg_out_ld_helper_ret(s, l, true, &ldst_helper_param);
 
     tcg_out_goto(s, l->raddr);
     return true;
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 
 static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 {
-    MemOpIdx oi = l->oi;
-    MemOp opc = get_memop(oi);
-    MemOp s_bits = opc & MO_SIZE;
-    TCGReg a0 = tcg_target_call_iarg_regs[0];
-    TCGReg a1 = tcg_target_call_iarg_regs[1];
-    TCGReg a2 = tcg_target_call_iarg_regs[2];
-    TCGReg a3 = tcg_target_call_iarg_regs[3];
-    TCGReg a4 = tcg_target_call_iarg_regs[4];
+    MemOp opc = get_memop(l->oi);
 
     /* resolve label address */
     if (!reloc_sbimm12(l->label_ptr[0], tcg_splitwx_to_rx(s->code_ptr))) {
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     }
 
     /* call store helper */
-    tcg_out_mov(s, TCG_TYPE_PTR, a0, TCG_AREG0);
-    tcg_out_mov(s, TCG_TYPE_PTR, a1, l->addrlo_reg);
-    tcg_out_movext(s, s_bits == MO_64 ? TCG_TYPE_I64 : TCG_TYPE_I32, a2,
-                   l->type, s_bits, l->datalo_reg);
-    tcg_out_movi(s, TCG_TYPE_PTR, a3, oi);
-    tcg_out_movi(s, TCG_TYPE_PTR, a4, (tcg_target_long)l->raddr);
-
+    tcg_out_st_helper_args(s, l, &ldst_helper_param);
     tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
 
     tcg_out_goto(s, l->raddr);
-- 
2.34.1

Use tcg_out_ld_helper_args, tcg_out_ld_helper_ret,
and tcg_out_st_helper_args.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/s390x/tcg-target.c.inc | 35 ++++++++++-------------------------
 1 file changed, 10 insertions(+), 25 deletions(-)

The softmmu tlb uses TCG_REG_TMP[0-2], not any of the normally available
registers.  Now that we handle overlap betwen inputs and helper arguments,
we can allow any allocatable reg.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/loongarch64/tcg-target-con-set.h |  2 --
 tcg/loongarch64/tcg-target-con-str.h |  1 -
 tcg/loongarch64/tcg-target.c.inc     | 23 ++++-------------------
 3 files changed, 4 insertions(+), 22 deletions(-)

diff --git a/tcg/loongarch64/tcg-target-con-set.h b/tcg/loongarch64/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/loongarch64/tcg-target-con-set.h
+++ b/tcg/loongarch64/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
 C_O0_I1(r)
 C_O0_I2(rZ, r)
 C_O0_I2(rZ, rZ)
-C_O0_I2(LZ, L)
 C_O1_I1(r, r)
-C_O1_I1(r, L)
 C_O1_I2(r, r, rC)
 C_O1_I2(r, r, ri)
 C_O1_I2(r, r, rI)
diff --git a/tcg/loongarch64/tcg-target-con-str.h b/tcg/loongarch64/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/loongarch64/tcg-target-con-str.h
+++ b/tcg/loongarch64/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@
  * REGS(letter, register_mask)
  */
 REGS('r', ALL_GENERAL_REGS)
-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
 
 /*
  * Define constraint letters for constants:
diff --git a/tcg/loongarch64/tcg-target.c.inc b/tcg/loongarch64/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/loongarch64/tcg-target.c.inc
+++ b/tcg/loongarch64/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
 #define TCG_CT_CONST_C12   0x1000
 #define TCG_CT_CONST_WSZ   0x2000
 
-#define ALL_GENERAL_REGS      MAKE_64BIT_MASK(0, 32)
-/*
- * For softmmu, we need to avoid conflicts with the first 5
- * argument registers to call the helper.  Some of these are
- * also used for the tlb lookup.
- */
-#ifdef CONFIG_SOFTMMU
-#define SOFTMMU_RESERVE_REGS  MAKE_64BIT_MASK(TCG_REG_A0, 5)
-#else
-#define SOFTMMU_RESERVE_REGS  0
-#endif
-
+#define ALL_GENERAL_REGS   MAKE_64BIT_MASK(0, 32)
 
 static inline tcg_target_long sextreg(tcg_target_long val, int pos, int len)
 {
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
     case INDEX_op_st32_i64:
     case INDEX_op_st_i32:
     case INDEX_op_st_i64:
+    case INDEX_op_qemu_st_i32:
+    case INDEX_op_qemu_st_i64:
         return C_O0_I2(rZ, r);
 
     case INDEX_op_brcond_i32:
     case INDEX_op_brcond_i64:
         return C_O0_I2(rZ, rZ);
 
-    case INDEX_op_qemu_st_i32:
-    case INDEX_op_qemu_st_i64:
-        return C_O0_I2(LZ, L);
-
     case INDEX_op_ext8s_i32:
     case INDEX_op_ext8s_i64:
     case INDEX_op_ext8u_i32:
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
     case INDEX_op_ld32u_i64:
     case INDEX_op_ld_i32:
     case INDEX_op_ld_i64:
-        return C_O1_I1(r, r);
-
     case INDEX_op_qemu_ld_i32:
     case INDEX_op_qemu_ld_i64:
-        return C_O1_I1(r, L);
+        return C_O1_I1(r, r);
 
     case INDEX_op_andc_i32:
     case INDEX_op_andc_i64:
-- 
2.34.1

While performing the load in the delay slot of the call to the common
bswap helper function is cute, it is not worth the added complexity.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/mips/tcg-target.h     |   4 +-
 tcg/mips/tcg-target.c.inc | 284 ++++++--------------------------------
 2 files changed, 48 insertions(+), 240 deletions(-)

diff --git a/tcg/mips/tcg-target.h b/tcg/mips/tcg-target.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.h
+++ b/tcg/mips/tcg-target.h
@@ -XXX,XX +XXX,XX @@ extern bool use_mips32r2_instructions;
 #define TCG_TARGET_HAS_ext16u_i64       0 /* andi rt, rs, 0xffff */
 #endif
 
-#define TCG_TARGET_DEFAULT_MO (0)
-#define TCG_TARGET_HAS_MEMORY_BSWAP     1
+#define TCG_TARGET_DEFAULT_MO           0
+#define TCG_TARGET_HAS_MEMORY_BSWAP     0
 
 #define TCG_TARGET_NEED_LDST_LABELS
 
diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.c.inc
+++ b/tcg/mips/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_call(TCGContext *s, const tcg_insn_unit *arg,
 }
 
 #if defined(CONFIG_SOFTMMU)
-static void * const qemu_ld_helpers[(MO_SSIZE | MO_BSWAP) + 1] = {
+static void * const qemu_ld_helpers[MO_SSIZE + 1] = {
     [MO_UB]   = helper_ret_ldub_mmu,
     [MO_SB]   = helper_ret_ldsb_mmu,
-    [MO_LEUW] = helper_le_lduw_mmu,
-    [MO_LESW] = helper_le_ldsw_mmu,
-    [MO_LEUL] = helper_le_ldul_mmu,
-    [MO_LEUQ] = helper_le_ldq_mmu,
-    [MO_BEUW] = helper_be_lduw_mmu,
-    [MO_BESW] = helper_be_ldsw_mmu,
-    [MO_BEUL] = helper_be_ldul_mmu,
-    [MO_BEUQ] = helper_be_ldq_mmu,
-#if TCG_TARGET_REG_BITS == 64
-    [MO_LESL] = helper_le_ldsl_mmu,
-    [MO_BESL] = helper_be_ldsl_mmu,
+#if HOST_BIG_ENDIAN
+    [MO_UW] = helper_be_lduw_mmu,
+    [MO_SW] = helper_be_ldsw_mmu,
+    [MO_UL] = helper_be_ldul_mmu,
+    [MO_SL] = helper_be_ldsl_mmu,
+    [MO_UQ] = helper_be_ldq_mmu,
+#else
+    [MO_UW] = helper_le_lduw_mmu,
+    [MO_SW] = helper_le_ldsw_mmu,
+    [MO_UL] = helper_le_ldul_mmu,
+    [MO_UQ] = helper_le_ldq_mmu,
+    [MO_SL] = helper_le_ldsl_mmu,
 #endif
 };
 
-static void * const qemu_st_helpers[(MO_SIZE | MO_BSWAP) + 1] = {
+static void * const qemu_st_helpers[MO_SIZE + 1] = {
     [MO_UB]   = helper_ret_stb_mmu,
-    [MO_LEUW] = helper_le_stw_mmu,
-    [MO_LEUL] = helper_le_stl_mmu,
-    [MO_LEUQ] = helper_le_stq_mmu,
-    [MO_BEUW] = helper_be_stw_mmu,
-    [MO_BEUL] = helper_be_stl_mmu,
-    [MO_BEUQ] = helper_be_stq_mmu,
+#if HOST_BIG_ENDIAN
+    [MO_UW] = helper_be_stw_mmu,
+    [MO_UL] = helper_be_stl_mmu,
+    [MO_UQ] = helper_be_stq_mmu,
+#else
+    [MO_UW] = helper_le_stw_mmu,
+    [MO_UL] = helper_le_stl_mmu,
+    [MO_UQ] = helper_le_stq_mmu,
+#endif
 };
 
 /* We have four temps, we might as well expose three of them. */
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 
     tcg_out_ld_helper_args(s, l, &ldst_helper_param);
 
-    tcg_out_call_int(s, qemu_ld_helpers[opc & (MO_BSWAP | MO_SSIZE)], false);
+    tcg_out_call_int(s, qemu_ld_helpers[opc & MO_SSIZE], false);
     /* delay slot */
     tcg_out_nop(s);
 
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
 
     tcg_out_st_helper_args(s, l, &ldst_helper_param);
 
-    tcg_out_call_int(s, qemu_st_helpers[opc & (MO_BSWAP | MO_SIZE)], false);
+    tcg_out_call_int(s, qemu_st_helpers[opc & MO_SIZE], false);
     /* delay slot */
     tcg_out_nop(s);
 
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
 static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
                                    TCGReg base, MemOp opc, TCGType type)
 {
-    switch (opc & (MO_SSIZE | MO_BSWAP)) {
+    switch (opc & MO_SSIZE) {
     case MO_UB:
         tcg_out_opc_imm(s, OPC_LBU, lo, base, 0);
         break;
     case MO_SB:
         tcg_out_opc_imm(s, OPC_LB, lo, base, 0);
         break;
-    case MO_UW | MO_BSWAP:
-        tcg_out_opc_imm(s, OPC_LHU, TCG_TMP1, base, 0);
-        tcg_out_bswap16(s, lo, TCG_TMP1, TCG_BSWAP_IZ | TCG_BSWAP_OZ);
-        break;
     case MO_UW:
         tcg_out_opc_imm(s, OPC_LHU, lo, base, 0);
         break;
-    case MO_SW | MO_BSWAP:
-        tcg_out_opc_imm(s, OPC_LHU, TCG_TMP1, base, 0);
-        tcg_out_bswap16(s, lo, TCG_TMP1, TCG_BSWAP_IZ | TCG_BSWAP_OS);
-        break;
     case MO_SW:
         tcg_out_opc_imm(s, OPC_LH, lo, base, 0);
         break;
-    case MO_UL | MO_BSWAP:
-        if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64) {
-            if (use_mips32r2_instructions) {
-                tcg_out_opc_imm(s, OPC_LWU, lo, base, 0);
-                tcg_out_bswap32(s, lo, lo, TCG_BSWAP_IZ | TCG_BSWAP_OZ);
-            } else {
-                tcg_out_bswap_subr(s, bswap32u_addr);
-                /* delay slot */
-                tcg_out_opc_imm(s, OPC_LWU, TCG_TMP0, base, 0);
-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
-            }
-            break;
-        }
-        /* FALLTHRU */
-    case MO_SL | MO_BSWAP:
-        if (use_mips32r2_instructions) {
-            tcg_out_opc_imm(s, OPC_LW, lo, base, 0);
-            tcg_out_bswap32(s, lo, lo, 0);
-        } else {
-            tcg_out_bswap_subr(s, bswap32_addr);
-            /* delay slot */
-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
-            tcg_out_mov(s, TCG_TYPE_I32, lo, TCG_TMP3);
-        }
-        break;
     case MO_UL:
         if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64) {
             tcg_out_opc_imm(s, OPC_LWU, lo, base, 0);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_direct(TCGContext *s, TCGReg lo, TCGReg hi,
     case MO_SL:
         tcg_out_opc_imm(s, OPC_LW, lo, base, 0);
         break;
-    case MO_UQ | MO_BSWAP:
-        if (TCG_TARGET_REG_BITS == 64) {
-            if (use_mips32r2_instructions) {
-                tcg_out_opc_imm(s, OPC_LD, lo, base, 0);
-                tcg_out_bswap64(s, lo, lo);
-            } else {
-                tcg_out_bswap_subr(s, bswap64_addr);
-                /* delay slot */
-                tcg_out_opc_imm(s, OPC_LD, TCG_TMP0, base, 0);
-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
-            }
-        } else if (use_mips32r2_instructions) {
-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP1, base, 4);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, TCG_TMP0);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, TCG_TMP1);
-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? lo : hi, TCG_TMP0, 16);
-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? hi : lo, TCG_TMP1, 16);
-        } else {
-            tcg_out_bswap_subr(s, bswap32_addr);
-            /* delay slot */
-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 0);
-            tcg_out_opc_imm(s, OPC_LW, TCG_TMP0, base, 4);
-            tcg_out_bswap_subr(s, bswap32_addr);
-            /* delay slot */
-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? lo : hi, TCG_TMP3);
-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? hi : lo, TCG_TMP3);
-        }
-        break;
     case MO_UQ:
         /* Prefer to load from offset 0 first, but allow for overlap.  */
         if (TCG_TARGET_REG_BITS == 64) {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
     const MIPSInsn lw2 = MIPS_BE ? OPC_LWR : OPC_LWL;
     const MIPSInsn ld1 = MIPS_BE ? OPC_LDL : OPC_LDR;
     const MIPSInsn ld2 = MIPS_BE ? OPC_LDR : OPC_LDL;
+    bool sgn = opc & MO_SIGN;
 
-    bool sgn = (opc & MO_SIGN);
-
-    switch (opc & (MO_SSIZE | MO_BSWAP)) {
-    case MO_SW | MO_BE:
-    case MO_UW | MO_BE:
-        tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 0);
-        tcg_out_opc_imm(s, OPC_LBU, lo, base, 1);
-        if (use_mips32r2_instructions) {
-            tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
-        } else {
-            tcg_out_opc_sa(s, OPC_SLL, TCG_TMP0, TCG_TMP0, 8);
-            tcg_out_opc_reg(s, OPC_OR, lo, TCG_TMP0, TCG_TMP1);
-        }
-        break;
-
-    case MO_SW | MO_LE:
-    case MO_UW | MO_LE:
-        if (use_mips32r2_instructions && lo != base) {
+    switch (opc & MO_SIZE) {
+    case MO_16:
+        if (HOST_BIG_ENDIAN) {
+            tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 0);
+            tcg_out_opc_imm(s, OPC_LBU, lo, base, 1);
+            if (use_mips32r2_instructions) {
+                tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
+            } else {
+                tcg_out_opc_sa(s, OPC_SLL, TCG_TMP0, TCG_TMP0, 8);
+                tcg_out_opc_reg(s, OPC_OR, lo, lo, TCG_TMP0);
+            }
+        } else if (use_mips32r2_instructions && lo != base) {
             tcg_out_opc_imm(s, OPC_LBU, lo, base, 0);
             tcg_out_opc_imm(s, sgn ? OPC_LB : OPC_LBU, TCG_TMP0, base, 1);
             tcg_out_opc_bf(s, OPC_INS, lo, TCG_TMP0, 31, 8);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
         }
         break;
 
-    case MO_SL:
-    case MO_UL:
+    case MO_32:
         tcg_out_opc_imm(s, lw1, lo, base, 0);
         tcg_out_opc_imm(s, lw2, lo, base, 3);
         if (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64 && !sgn) {
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
         }
         break;
 
-    case MO_UL | MO_BSWAP:
-    case MO_SL | MO_BSWAP:
-        if (use_mips32r2_instructions) {
-            tcg_out_opc_imm(s, lw1, lo, base, 0);
-            tcg_out_opc_imm(s, lw2, lo, base, 3);
-            tcg_out_bswap32(s, lo, lo,
-                            TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64
-                            ? (sgn ? TCG_BSWAP_OS : TCG_BSWAP_OZ) : 0);
-        } else {
-            const tcg_insn_unit *subr =
-                (TCG_TARGET_REG_BITS == 64 && type == TCG_TYPE_I64 && !sgn
-                 ? bswap32u_addr : bswap32_addr);
-
-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0);
-            tcg_out_bswap_subr(s, subr);
-            /* delay slot */
-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 3);
-            tcg_out_mov(s, type, lo, TCG_TMP3);
-        }
-        break;
-
-    case MO_UQ:
+    case MO_64:
         if (TCG_TARGET_REG_BITS == 64) {
             tcg_out_opc_imm(s, ld1, lo, base, 0);
             tcg_out_opc_imm(s, ld2, lo, base, 7);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
         }
         break;
 
-    case MO_UQ | MO_BSWAP:
-        if (TCG_TARGET_REG_BITS == 64) {
-            if (use_mips32r2_instructions) {
-                tcg_out_opc_imm(s, ld1, lo, base, 0);
-                tcg_out_opc_imm(s, ld2, lo, base, 7);
-                tcg_out_bswap64(s, lo, lo);
-            } else {
-                tcg_out_opc_imm(s, ld1, TCG_TMP0, base, 0);
-                tcg_out_bswap_subr(s, bswap64_addr);
-                /* delay slot */
-                tcg_out_opc_imm(s, ld2, TCG_TMP0, base, 7);
-                tcg_out_mov(s, TCG_TYPE_I64, lo, TCG_TMP3);
-            }
-        } else if (use_mips32r2_instructions) {
-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0 + 0);
-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 0 + 3);
-            tcg_out_opc_imm(s, lw1, TCG_TMP1, base, 4 + 0);
-            tcg_out_opc_imm(s, lw2, TCG_TMP1, base, 4 + 3);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, TCG_TMP0);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, TCG_TMP1);
-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? lo : hi, TCG_TMP0, 16);
-            tcg_out_opc_sa(s, OPC_ROTR, MIPS_BE ? hi : lo, TCG_TMP1, 16);
-        } else {
-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 0 + 0);
-            tcg_out_bswap_subr(s, bswap32_addr);
-            /* delay slot */
-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 0 + 3);
-            tcg_out_opc_imm(s, lw1, TCG_TMP0, base, 4 + 0);
-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? lo : hi, TCG_TMP3);
-            tcg_out_bswap_subr(s, bswap32_addr);
-            /* delay slot */
-            tcg_out_opc_imm(s, lw2, TCG_TMP0, base, 4 + 3);
-            tcg_out_mov(s, TCG_TYPE_I32, MIPS_BE ? hi : lo, TCG_TMP3);
-        }
-        break;
-
     default:
         g_assert_not_reached();
     }
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_ld(TCGContext *s, TCGReg datalo, TCGReg datahi,
 static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
                                    TCGReg base, MemOp opc)
 {
-    /* Don't clutter the code below with checks to avoid bswapping ZERO.  */
-    if ((lo | hi) == 0) {
-        opc &= ~MO_BSWAP;
-    }
-
-    switch (opc & (MO_SIZE | MO_BSWAP)) {
+    switch (opc & MO_SIZE) {
     case MO_8:
         tcg_out_opc_imm(s, OPC_SB, lo, base, 0);
         break;
-
-    case MO_16 | MO_BSWAP:
-        tcg_out_bswap16(s, TCG_TMP1, lo, 0);
-        lo = TCG_TMP1;
-        /* FALLTHRU */
     case MO_16:
         tcg_out_opc_imm(s, OPC_SH, lo, base, 0);
         break;
-
-    case MO_32 | MO_BSWAP:
-        tcg_out_bswap32(s, TCG_TMP3, lo, 0);
-        lo = TCG_TMP3;
-        /* FALLTHRU */
     case MO_32:
         tcg_out_opc_imm(s, OPC_SW, lo, base, 0);
         break;
-
-    case MO_64 | MO_BSWAP:
-        if (TCG_TARGET_REG_BITS == 64) {
-            tcg_out_bswap64(s, TCG_TMP3, lo);
-            tcg_out_opc_imm(s, OPC_SD, TCG_TMP3, base, 0);
-        } else if (use_mips32r2_instructions) {
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, MIPS_BE ? lo : hi);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, MIPS_BE ? hi : lo);
-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP0, TCG_TMP0, 16);
-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP1, TCG_TMP1, 16);
-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP0, base, 0);
-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP1, base, 4);
-        } else {
-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? lo : hi, 0);
-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP3, base, 0);
-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? hi : lo, 0);
-            tcg_out_opc_imm(s, OPC_SW, TCG_TMP3, base, 4);
-        }
-        break;
     case MO_64:
         if (TCG_TARGET_REG_BITS == 64) {
             tcg_out_opc_imm(s, OPC_SD, lo, base, 0);
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_direct(TCGContext *s, TCGReg lo, TCGReg hi,
             tcg_out_opc_imm(s, OPC_SW, MIPS_BE ? lo : hi, base, 4);
         }
         break;
-
     default:
         g_assert_not_reached();
     }
@@ -XXX,XX +XXX,XX @@ static void tcg_out_qemu_st_unalign(TCGContext *s, TCGReg lo, TCGReg hi,
     const MIPSInsn sd1 = MIPS_BE ? OPC_SDL : OPC_SDR;
     const MIPSInsn sd2 = MIPS_BE ? OPC_SDR : OPC_SDL;
 
-    /* Don't clutter the code below with checks to avoid bswapping ZERO.  */
-    if ((lo | hi) == 0) {
-        opc &= ~MO_BSWAP;
-    }
-
-    switch (opc & (MO_SIZE | MO_BSWAP)) {
-    case MO_16 | MO_BE:
+    switch (opc & MO_SIZE) {
+    case MO_16:
         tcg_out_opc_sa(s, OPC_SRL, TCG_TMP0, lo, 8);
-        tcg_out_opc_imm(s, OPC_SB, TCG_TMP0, base, 0);
-        tcg_out_opc_imm(s, OPC_SB, lo, base, 1);
+        tcg_out_opc_imm(s, OPC_SB, HOST_BIG_ENDIAN ? TCG_TMP0 : lo, base, 0);
+        tcg_out_opc_imm(s, OPC_SB, HOST_BIG_ENDIAN ? lo : TCG_TMP0, base, 1);
         break;
 
-    case MO_16 | MO_LE:
-        tcg_out_opc_sa(s, OPC_SRL, TCG_TMP0, lo, 8);
-        tcg_out_opc_imm(s, OPC_SB, lo, base, 0);
-        tcg_out_opc_imm(s, OPC_SB, TCG_TMP0, base, 1);
-        break;
-
-    case MO_32 | MO_BSWAP:
-        tcg_out_bswap32(s, TCG_TMP3, lo, 0);
-        lo = TCG_TMP3;
-        /* fall through */
     case MO_32:
         tcg_out_opc_imm(s, sw1, lo, base, 0);
         tcg_out_opc_imm(s, sw2, lo, base, 3);
         break;
 
-    case MO_64 | MO_BSWAP:
-        if (TCG_TARGET_REG_BITS == 64) {
-            tcg_out_bswap64(s, TCG_TMP3, lo);
-            lo = TCG_TMP3;
-        } else if (use_mips32r2_instructions) {
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP0, 0, MIPS_BE ? hi : lo);
-            tcg_out_opc_reg(s, OPC_WSBH, TCG_TMP1, 0, MIPS_BE ? lo : hi);
-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP0, TCG_TMP0, 16);
-            tcg_out_opc_sa(s, OPC_ROTR, TCG_TMP1, TCG_TMP1, 16);
-            hi = MIPS_BE ? TCG_TMP0 : TCG_TMP1;
-            lo = MIPS_BE ? TCG_TMP1 : TCG_TMP0;
-        } else {
-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? lo : hi, 0);
-            tcg_out_opc_imm(s, sw1, TCG_TMP3, base, 0 + 0);
-            tcg_out_opc_imm(s, sw2, TCG_TMP3, base, 0 + 3);
-            tcg_out_bswap32(s, TCG_TMP3, MIPS_BE ? hi : lo, 0);
-            tcg_out_opc_imm(s, sw1, TCG_TMP3, base, 4 + 0);
-            tcg_out_opc_imm(s, sw2, TCG_TMP3, base, 4 + 3);
-            break;
-        }
-        /* fall through */
     case MO_64:
         if (TCG_TARGET_REG_BITS == 64) {
             tcg_out_opc_imm(s, sd1, lo, base, 0);
-- 
2.34.1

Compare the address vs the tlb entry with sign-extended values.
This simplifies the page+alignment mask constant, and the
generation of the last byte address for the misaligned test.

Move the tlb addend load up, and the zero-extension down.

This frees up a register, which allows us use TMP3 as the returned base
address register instead of A0, which we were using as a 5th temporary.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/mips/tcg-target.c.inc | 38 ++++++++++++++++++--------------------
 1 file changed, 18 insertions(+), 20 deletions(-)

diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.c.inc
+++ b/tcg/mips/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ typedef enum {
     ALIAS_PADDI    = sizeof(void *) == 4 ? OPC_ADDIU : OPC_DADDIU,
     ALIAS_TSRL     = TARGET_LONG_BITS == 32 || TCG_TARGET_REG_BITS == 32
                      ? OPC_SRL : OPC_DSRL,
+    ALIAS_TADDI    = TARGET_LONG_BITS == 32 || TCG_TARGET_REG_BITS == 32
+                     ? OPC_ADDIU : OPC_DADDIU,
 } MIPSInsn;
 
 /*
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     int add_off = offsetof(CPUTLBEntry, addend);
     int cmp_off = is_ld ? offsetof(CPUTLBEntry, addr_read)
                         : offsetof(CPUTLBEntry, addr_write);
-    target_ulong tlb_mask;
 
     ldst = new_ldst_label(s);
     ldst->is_ld = is_ld;
     ldst->oi = oi;
     ldst->addrlo_reg = addrlo;
     ldst->addrhi_reg = addrhi;
-    base = TCG_REG_A0;
 
     /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
         tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + LO_OFF);
     } else {
-        tcg_out_ldst(s, (TARGET_LONG_BITS == 64 ? OPC_LD
-                         : TCG_TARGET_REG_BITS == 64 ? OPC_LWU : OPC_LW),
-                     TCG_TMP0, TCG_TMP3, cmp_off);
+        tcg_out_ld(s, TCG_TYPE_TL, TCG_TMP0, TCG_TMP3, cmp_off);
     }
 
-    /* Zero extend a 32-bit guest address for a 64-bit host. */
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, base, addrlo);
-        addrlo = base;
+    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
+        /* Load the tlb addend for the fast path.  */
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP3, TCG_TMP3, add_off);
     }
 
     /*
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      * For unaligned accesses, compare against the end of the access to
      * verify that it does not cross a page boundary.
      */
-    tlb_mask = (target_ulong)TARGET_PAGE_MASK | a_mask;
-    tcg_out_movi(s, TCG_TYPE_I32, TCG_TMP1, tlb_mask);
-    if (a_mask >= s_mask) {
-        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
-    } else {
-        tcg_out_opc_imm(s, ALIAS_PADDI, TCG_TMP2, addrlo, s_mask - a_mask);
+    tcg_out_movi(s, TCG_TYPE_TL, TCG_TMP1, TARGET_PAGE_MASK | a_mask);
+    if (a_mask < s_mask) {
+        tcg_out_opc_imm(s, ALIAS_TADDI, TCG_TMP2, addrlo, s_mask - a_mask);
         tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, TCG_TMP2);
+    } else {
+        tcg_out_opc_reg(s, OPC_AND, TCG_TMP1, TCG_TMP1, addrlo);
     }
 
-    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
-        /* Load the tlb addend for the fast path.  */
-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
+    /* Zero extend a 32-bit guest address for a 64-bit host. */
+    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+        tcg_out_ext32u(s, TCG_TMP2, addrlo);
+        addrlo = TCG_TMP2;
     }
 
     ldst->label_ptr[0] = s->code_ptr;
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
         tcg_out_ldst(s, OPC_LW, TCG_TMP0, TCG_TMP3, cmp_off + HI_OFF);
 
         /* Load the tlb addend for the fast path.  */
-        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP2, TCG_TMP3, add_off);
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_TMP3, TCG_TMP3, add_off);
 
         ldst->label_ptr[1] = s->code_ptr;
         tcg_out_opc_br(s, OPC_BNE, addrhi, TCG_TMP0);
     }
 
     /* delay slot */
-    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP2, addrlo);
+    base = TCG_TMP3;
+    tcg_out_opc_reg(s, ALIAS_PADD, base, TCG_TMP3, addrlo);
 #else
     if (a_mask && (use_mips32r6_instructions || a_bits != s_bits)) {
         ldst = new_ldst_label(s);
-- 
2.34.1

The softmmu tlb uses TCG_REG_TMP[0-3], not any of the normally available
registers.  Now that we handle overlap betwen inputs and helper arguments,
and have eliminated use of A0, we can allow any allocatable reg.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/mips/tcg-target-con-set.h | 13 +++++--------
 tcg/mips/tcg-target-con-str.h |  2 --
 tcg/mips/tcg-target.c.inc     | 30 ++++++++----------------------
 3 files changed, 13 insertions(+), 32 deletions(-)

diff --git a/tcg/mips/tcg-target-con-set.h b/tcg/mips/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target-con-set.h
+++ b/tcg/mips/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
 C_O0_I1(r)
 C_O0_I2(rZ, r)
 C_O0_I2(rZ, rZ)
-C_O0_I2(SZ, S)
-C_O0_I3(SZ, S, S)
-C_O0_I3(SZ, SZ, S)
+C_O0_I3(rZ, r, r)
+C_O0_I3(rZ, rZ, r)
 C_O0_I4(rZ, rZ, rZ, rZ)
-C_O0_I4(SZ, SZ, S, S)
-C_O1_I1(r, L)
+C_O0_I4(rZ, rZ, r, r)
 C_O1_I1(r, r)
 C_O1_I2(r, 0, rZ)
-C_O1_I2(r, L, L)
+C_O1_I2(r, r, r)
 C_O1_I2(r, r, ri)
 C_O1_I2(r, r, rI)
 C_O1_I2(r, r, rIK)
@@ -XXX,XX +XXX,XX @@ C_O1_I2(r, rZ, rN)
 C_O1_I2(r, rZ, rZ)
 C_O1_I4(r, rZ, rZ, rZ, 0)
 C_O1_I4(r, rZ, rZ, rZ, rZ)
-C_O2_I1(r, r, L)
-C_O2_I2(r, r, L, L)
+C_O2_I1(r, r, r)
 C_O2_I2(r, r, r, r)
 C_O2_I4(r, r, rZ, rZ, rN, rN)
diff --git a/tcg/mips/tcg-target-con-str.h b/tcg/mips/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target-con-str.h
+++ b/tcg/mips/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@
  * REGS(letter, register_mask)
  */
 REGS('r', ALL_GENERAL_REGS)
-REGS('L', ALL_QLOAD_REGS)
-REGS('S', ALL_QSTORE_REGS)
 
 /*
  * Define constraint letters for constants:
diff --git a/tcg/mips/tcg-target.c.inc b/tcg/mips/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/mips/tcg-target.c.inc
+++ b/tcg/mips/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static bool patch_reloc(tcg_insn_unit *code_ptr, int type,
 #define TCG_CT_CONST_WSZ  0x2000   /* word size */
 
 #define ALL_GENERAL_REGS  0xffffffffu
-#define NOA0_REGS         (ALL_GENERAL_REGS & ~(1 << TCG_REG_A0))
-
-#ifdef CONFIG_SOFTMMU
-#define ALL_QLOAD_REGS \
-    (NOA0_REGS & ~((TCG_TARGET_REG_BITS < TARGET_LONG_BITS) << TCG_REG_A2))
-#define ALL_QSTORE_REGS \
-    (NOA0_REGS & ~(TCG_TARGET_REG_BITS < TARGET_LONG_BITS   \
-                   ? (1 << TCG_REG_A2) | (1 << TCG_REG_A3)  \
-                   : (1 << TCG_REG_A1)))
-#else
-#define ALL_QLOAD_REGS   NOA0_REGS
-#define ALL_QSTORE_REGS  NOA0_REGS
-#endif
-
 
 static bool is_p2m1(tcg_target_long val)
 {
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
 
     case INDEX_op_qemu_ld_i32:
         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
-                ? C_O1_I1(r, L) : C_O1_I2(r, L, L));
+                ? C_O1_I1(r, r) : C_O1_I2(r, r, r));
     case INDEX_op_qemu_st_i32:
         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
-                ? C_O0_I2(SZ, S) : C_O0_I3(SZ, S, S));
+                ? C_O0_I2(rZ, r) : C_O0_I3(rZ, r, r));
     case INDEX_op_qemu_ld_i64:
-        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, L)
-                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, L)
-                : C_O2_I2(r, r, L, L));
+        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, r)
+                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, r)
+                : C_O2_I2(r, r, r, r));
     case INDEX_op_qemu_st_i64:
-        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(SZ, S)
-                : TARGET_LONG_BITS == 32 ? C_O0_I3(SZ, SZ, S)
-                : C_O0_I4(SZ, SZ, S, S));
+        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(rZ, r)
+                : TARGET_LONG_BITS == 32 ? C_O0_I3(rZ, rZ, r)
+                : C_O0_I4(rZ, rZ, r, r));
 
     default:
         g_assert_not_reached();
-- 
2.34.1

Allocate TCG_REG_TMP2.  Use R0, TMP1, TMP2 instead of any of
the normally allocated registers for the tlb load.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/ppc/tcg-target.c.inc | 78 ++++++++++++++++++++++++----------------
 1 file changed, 47 insertions(+), 31 deletions(-)

diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@
 #else
 # define TCG_REG_TMP1   TCG_REG_R12
 #endif
+#define TCG_REG_TMP2    TCG_REG_R11
 
 #define TCG_VEC_TMP1    TCG_REG_V0
 #define TCG_VEC_TMP2    TCG_REG_V1
@@ -XXX,XX +XXX,XX @@ static TCGReg ldst_ra_gen(TCGContext *s, const TCGLabelQemuLdst *l, int arg)
 /*
  * For the purposes of ppc32 sorting 4 input registers into 4 argument
  * registers, there is an outside chance we would require 3 temps.
- * Because of constraints, no inputs are in r3, and env will not be
- * placed into r3 until after the sorting is done, and is thus free.
  */
 static const TCGLdstHelperParam ldst_helper_param = {
     .ra_gen = ldst_ra_gen,
     .ntmp = 3,
-    .tmp = { TCG_REG_TMP1, TCG_REG_R0, TCG_REG_R3 }
+    .tmp = { TCG_REG_TMP1, TCG_REG_TMP2, TCG_REG_R0 }
 };
 
 static bool tcg_out_qemu_ld_slow_path(TCGContext *s, TCGLabelQemuLdst *lb)
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     /* Load tlb_mask[mmu_idx] and tlb_table[mmu_idx].  */
     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -32768);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R3, TCG_AREG0, mask_off);
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_R4, TCG_AREG0, table_off);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_AREG0, mask_off);
+    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP2, TCG_AREG0, table_off);
 
     /* Extract the page index, shifted into place for tlb index.  */
     if (TCG_TARGET_REG_BITS == 32) {
-        tcg_out_shri32(s, TCG_REG_TMP1, addrlo,
+        tcg_out_shri32(s, TCG_REG_R0, addrlo,
                        TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
     } else {
-        tcg_out_shri64(s, TCG_REG_TMP1, addrlo,
+        tcg_out_shri64(s, TCG_REG_R0, addrlo,
                        TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
     }
-    tcg_out32(s, AND | SAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_TMP1));
+    tcg_out32(s, AND | SAB(TCG_REG_TMP1, TCG_REG_TMP1, TCG_REG_R0));
 
-    /* Load the TLB comparator.  */
+    /* Load the (low part) TLB comparator into TMP2.  */
     if (cmp_off == 0 && TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
         uint32_t lxu = (TCG_TARGET_REG_BITS == 32 || TARGET_LONG_BITS == 32
                         ? LWZUX : LDUX);
-        tcg_out32(s, lxu | TAB(TCG_REG_TMP1, TCG_REG_R3, TCG_REG_R4));
+        tcg_out32(s, lxu | TAB(TCG_REG_TMP2, TCG_REG_TMP1, TCG_REG_TMP2));
     } else {
-        tcg_out32(s, ADD | TAB(TCG_REG_R3, TCG_REG_R3, TCG_REG_R4));
+        tcg_out32(s, ADD | TAB(TCG_REG_TMP1, TCG_REG_TMP1, TCG_REG_TMP2));
         if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP1, TCG_REG_R3, cmp_off + 4);
-            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_R4, TCG_REG_R3, cmp_off);
+            tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP2,
+                       TCG_REG_TMP1, cmp_off + 4 * HOST_BIG_ENDIAN);
         } else {
-            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP1, TCG_REG_R3, cmp_off);
+            tcg_out_ld(s, TCG_TYPE_TL, TCG_REG_TMP2, TCG_REG_TMP1, cmp_off);
         }
     }
 
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      * Load the TLB addend for use on the fast path.
      * Do this asap to minimize any load use delay.
      */
-    h->base = TCG_REG_R3;
-    tcg_out_ld(s, TCG_TYPE_PTR, h->base, TCG_REG_R3,
-               offsetof(CPUTLBEntry, addend));
+    if (TCG_TARGET_REG_BITS >= TARGET_LONG_BITS) {
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_REG_TMP1,
+                   offsetof(CPUTLBEntry, addend));
+    }
 
-    /* Clear the non-page, non-alignment bits from the address */
+    /* Clear the non-page, non-alignment bits from the address in R0. */
     if (TCG_TARGET_REG_BITS == 32) {
         /*
          * We don't support unaligned accesses on 32-bits.
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
         if (TARGET_LONG_BITS == 32) {
             tcg_out_rlw(s, RLWINM, TCG_REG_R0, t, 0,
                         (32 - a_bits) & 31, 31 - TARGET_PAGE_BITS);
-            /* Zero-extend the address for use in the final address.  */
-            tcg_out_ext32u(s, TCG_REG_R4, addrlo);
-            addrlo = TCG_REG_R4;
         } else if (a_bits == 0) {
             tcg_out_rld(s, RLDICR, TCG_REG_R0, t, 0, 63 - TARGET_PAGE_BITS);
         } else {
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
             tcg_out_rld(s, RLDICL, TCG_REG_R0, TCG_REG_R0, TARGET_PAGE_BITS, 0);
         }
     }
-    h->index = addrlo;
 
     if (TCG_TARGET_REG_BITS < TARGET_LONG_BITS) {
-        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
+        /* Low part comparison into cr7. */
+        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP2,
                     0, 7, TCG_TYPE_I32);
-        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_R4, 0, 6, TCG_TYPE_I32);
+
+        /* Load the high part TLB comparator into TMP2.  */
+        tcg_out_ld(s, TCG_TYPE_I32, TCG_REG_TMP2, TCG_REG_TMP1,
+                   cmp_off + 4 * !HOST_BIG_ENDIAN);
+
+        /* Load addend, deferred for this case. */
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_TMP1, TCG_REG_TMP1,
+                   offsetof(CPUTLBEntry, addend));
+
+        /* High part comparison into cr6. */
+        tcg_out_cmp(s, TCG_COND_EQ, addrhi, TCG_REG_TMP2, 0, 6, TCG_TYPE_I32);
+
+        /* Combine comparisons into cr7. */
         tcg_out32(s, CRAND | BT(7, CR_EQ) | BA(6, CR_EQ) | BB(7, CR_EQ));
     } else {
-        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP1,
+        /* Full comparison into cr7. */
+        tcg_out_cmp(s, TCG_COND_EQ, TCG_REG_R0, TCG_REG_TMP2,
                     0, 7, TCG_TYPE_TL);
     }
 
     /* Load a pointer into the current opcode w/conditional branch-link. */
     ldst->label_ptr[0] = s->code_ptr;
     tcg_out32(s, BC | BI(7, CR_EQ) | BO_COND_FALSE | LK);
+
+    h->base = TCG_REG_TMP1;
 #else
     if (a_bits) {
         ldst = new_ldst_label(s);
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     }
 
     h->base = guest_base ? TCG_GUEST_BASE_REG : 0;
-    h->index = addrlo;
-    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
-        tcg_out_ext32u(s, TCG_REG_TMP1, addrlo);
-        h->index = TCG_REG_TMP1;
-    }
 #endif
 
+    if (TCG_TARGET_REG_BITS > TARGET_LONG_BITS) {
+        /* Zero-extend the guest address for use in the host address. */
+        tcg_out_ext32u(s, TCG_REG_R0, addrlo);
+        h->index = TCG_REG_R0;
+    } else {
+        h->index = addrlo;
+    }
+
     return ldst;
 }
 
@@ -XXX,XX +XXX,XX @@ static void tcg_target_init(TCGContext *s)
 #if defined(_CALL_SYSV) || TCG_TARGET_REG_BITS == 64
     tcg_regset_set_reg(s->reserved_regs, TCG_REG_R13); /* thread pointer */
 #endif
-    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP1); /* mem temp */
+    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP1);
+    tcg_regset_set_reg(s->reserved_regs, TCG_REG_TMP2);
     tcg_regset_set_reg(s->reserved_regs, TCG_VEC_TMP1);
     tcg_regset_set_reg(s->reserved_regs, TCG_VEC_TMP2);
     if (USE_REG_TB) {
-- 
2.34.1

The softmmu tlb uses TCG_REG_{TMP1,TMP2,R0}, not any of the normally
available registers.  Now that we handle overlap betwen inputs and
helper arguments, we can allow any allocatable reg.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/ppc/tcg-target-con-set.h | 11 ++++-------
 tcg/ppc/tcg-target-con-str.h |  2 --
 tcg/ppc/tcg-target.c.inc     | 32 ++++++++++----------------------
 3 files changed, 14 insertions(+), 31 deletions(-)

diff --git a/tcg/ppc/tcg-target-con-set.h b/tcg/ppc/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target-con-set.h
+++ b/tcg/ppc/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
 C_O0_I1(r)
 C_O0_I2(r, r)
 C_O0_I2(r, ri)
-C_O0_I2(S, S)
 C_O0_I2(v, r)
-C_O0_I3(S, S, S)
+C_O0_I3(r, r, r)
 C_O0_I4(r, r, ri, ri)
-C_O0_I4(S, S, S, S)
-C_O1_I1(r, L)
+C_O0_I4(r, r, r, r)
 C_O1_I1(r, r)
 C_O1_I1(v, r)
 C_O1_I1(v, v)
 C_O1_I1(v, vr)
 C_O1_I2(r, 0, rZ)
-C_O1_I2(r, L, L)
 C_O1_I2(r, rI, ri)
 C_O1_I2(r, rI, rT)
 C_O1_I2(r, r, r)
@@ -XXX,XX +XXX,XX @@ C_O1_I2(v, v, v)
 C_O1_I3(v, v, v, v)
 C_O1_I4(r, r, ri, rZ, rZ)
 C_O1_I4(r, r, r, ri, ri)
-C_O2_I1(L, L, L)
-C_O2_I2(L, L, L, L)
+C_O2_I1(r, r, r)
+C_O2_I2(r, r, r, r)
 C_O2_I4(r, r, rI, rZM, r, r)
 C_O2_I4(r, r, r, r, rI, rZM)
diff --git a/tcg/ppc/tcg-target-con-str.h b/tcg/ppc/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target-con-str.h
+++ b/tcg/ppc/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@ REGS('A', 1u << TCG_REG_R3)
 REGS('B', 1u << TCG_REG_R4)
 REGS('C', 1u << TCG_REG_R5)
 REGS('D', 1u << TCG_REG_R6)
-REGS('L', ALL_QLOAD_REGS)
-REGS('S', ALL_QSTORE_REGS)
 
 /*
  * Define constraint letters for constants:
diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@
 #define ALL_GENERAL_REGS  0xffffffffu
 #define ALL_VECTOR_REGS   0xffffffff00000000ull
 
-#ifdef CONFIG_SOFTMMU
-#define ALL_QLOAD_REGS \
-    (ALL_GENERAL_REGS & \
-     ~((1 << TCG_REG_R3) | (1 << TCG_REG_R4) | (1 << TCG_REG_R5)))
-#define ALL_QSTORE_REGS \
-    (ALL_GENERAL_REGS & ~((1 << TCG_REG_R3) | (1 << TCG_REG_R4) | \
-                          (1 << TCG_REG_R5) | (1 << TCG_REG_R6)))
-#else
-#define ALL_QLOAD_REGS  (ALL_GENERAL_REGS & ~(1 << TCG_REG_R3))
-#define ALL_QSTORE_REGS ALL_QLOAD_REGS
-#endif
-
 TCGPowerISA have_isa;
 static bool have_isel;
 bool have_altivec;
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
 
     case INDEX_op_qemu_ld_i32:
         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
-                ? C_O1_I1(r, L)
-                : C_O1_I2(r, L, L));
+                ? C_O1_I1(r, r)
+                : C_O1_I2(r, r, r));
 
     case INDEX_op_qemu_st_i32:
         return (TCG_TARGET_REG_BITS == 64 || TARGET_LONG_BITS == 32
-                ? C_O0_I2(S, S)
-                : C_O0_I3(S, S, S));
+                ? C_O0_I2(r, r)
+                : C_O0_I3(r, r, r));
 
     case INDEX_op_qemu_ld_i64:
-        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, L)
-                : TARGET_LONG_BITS == 32 ? C_O2_I1(L, L, L)
-                : C_O2_I2(L, L, L, L));
+        return (TCG_TARGET_REG_BITS == 64 ? C_O1_I1(r, r)
+                : TARGET_LONG_BITS == 32 ? C_O2_I1(r, r, r)
+                : C_O2_I2(r, r, r, r));
 
     case INDEX_op_qemu_st_i64:
-        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(S, S)
-                : TARGET_LONG_BITS == 32 ? C_O0_I3(S, S, S)
-                : C_O0_I4(S, S, S, S));
+        return (TCG_TARGET_REG_BITS == 64 ? C_O0_I2(r, r)
+                : TARGET_LONG_BITS == 32 ? C_O0_I3(r, r, r)
+                : C_O0_I4(r, r, r, r));
 
     case INDEX_op_add_vec:
     case INDEX_op_sub_vec:
-- 
2.34.1

Never used since its introduction.

Fixes: 3d582c6179c ("tcg-ppc64: Rearrange integer constant constraints")
Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/ppc/tcg-target-con-str.h | 1 -
 tcg/ppc/tcg-target.c.inc     | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/tcg/ppc/tcg-target-con-str.h b/tcg/ppc/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target-con-str.h
+++ b/tcg/ppc/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@ REGS('v', ALL_VECTOR_REGS)
  * CONST(letter, TCG_CT_CONST_* bit set)
  */
 CONST('I', TCG_CT_CONST_S16)
-CONST('J', TCG_CT_CONST_U16)
 CONST('M', TCG_CT_CONST_MONE)
 CONST('T', TCG_CT_CONST_S32)
 CONST('U', TCG_CT_CONST_U32)
diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@
 #define SZR  (TCG_TARGET_REG_BITS / 8)
 
 #define TCG_CT_CONST_S16  0x100
-#define TCG_CT_CONST_U16  0x200
 #define TCG_CT_CONST_S32  0x400
 #define TCG_CT_CONST_U32  0x800
 #define TCG_CT_CONST_ZERO 0x1000
@@ -XXX,XX +XXX,XX @@ static bool tcg_target_const_match(int64_t val, TCGType type, int ct)
 
     if ((ct & TCG_CT_CONST_S16) && val == (int16_t)val) {
         return 1;
-    } else if ((ct & TCG_CT_CONST_U16) && val == (uint16_t)val) {
-        return 1;
     } else if ((ct & TCG_CT_CONST_S32) && val == (int32_t)val) {
         return 1;
     } else if ((ct & TCG_CT_CONST_U32) && val == (uint32_t)val) {
-- 
2.34.1

The softmmu tlb uses TCG_REG_TMP[0-2], not any of the normally available
registers.  Now that we handle overlap betwen inputs and helper arguments,
we can allow any allocatable reg.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Daniel Henrique Barboza <dbarboza@ventanamicro.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/riscv/tcg-target-con-set.h |  2 --
 tcg/riscv/tcg-target-con-str.h |  1 -
 tcg/riscv/tcg-target.c.inc     | 16 +++-------------
 3 files changed, 3 insertions(+), 16 deletions(-)

diff --git a/tcg/riscv/tcg-target-con-set.h b/tcg/riscv/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target-con-set.h
+++ b/tcg/riscv/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
  * tcg-target-con-str.h; the constraint combination is inclusive or.
  */
 C_O0_I1(r)
-C_O0_I2(LZ, L)
 C_O0_I2(rZ, r)
 C_O0_I2(rZ, rZ)
-C_O1_I1(r, L)
 C_O1_I1(r, r)
 C_O1_I2(r, r, ri)
 C_O1_I2(r, r, rI)
diff --git a/tcg/riscv/tcg-target-con-str.h b/tcg/riscv/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target-con-str.h
+++ b/tcg/riscv/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@
  * REGS(letter, register_mask)
  */
 REGS('r', ALL_GENERAL_REGS)
-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
 
 /*
  * Define constraint letters for constants:
diff --git a/tcg/riscv/tcg-target.c.inc b/tcg/riscv/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/riscv/tcg-target.c.inc
+++ b/tcg/riscv/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
 #define TCG_CT_CONST_N12   0x400
 #define TCG_CT_CONST_M12   0x800
 
-#define ALL_GENERAL_REGS      MAKE_64BIT_MASK(0, 32)
-/*
- * For softmmu, we need to avoid conflicts with the first 5
- * argument registers to call the helper.  Some of these are
- * also used for the tlb lookup.
- */
-#ifdef CONFIG_SOFTMMU
-#define SOFTMMU_RESERVE_REGS  MAKE_64BIT_MASK(TCG_REG_A0, 5)
-#else
-#define SOFTMMU_RESERVE_REGS  0
-#endif
+#define ALL_GENERAL_REGS   MAKE_64BIT_MASK(0, 32)
 
 #define sextreg  sextract64
 
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
 
     case INDEX_op_qemu_ld_i32:
     case INDEX_op_qemu_ld_i64:
-        return C_O1_I1(r, L);
+        return C_O1_I1(r, r);
     case INDEX_op_qemu_st_i32:
     case INDEX_op_qemu_st_i64:
-        return C_O0_I2(LZ, L);
+        return C_O0_I2(rZ, r);
 
     default:
         g_assert_not_reached();
-- 
2.34.1

Rather than zero-extend the guest address into a register,
use an add instruction which zero-extends the second input.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/s390x/tcg-target.c.inc | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target.c.inc
+++ b/tcg/s390x/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ typedef enum S390Opcode {
     RRE_ALGR    = 0xb90a,
     RRE_ALCR    = 0xb998,
     RRE_ALCGR   = 0xb988,
+    RRE_ALGFR   = 0xb91a,
     RRE_CGR     = 0xb920,
     RRE_CLGR    = 0xb921,
     RRE_DLGR    = 0xb987,
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
                  offsetof(CPUTLBEntry, addend));
 
-    h->base = addr_reg;
     if (TARGET_LONG_BITS == 32) {
-        tcg_out_ext32u(s, TCG_REG_R3, addr_reg);
-        h->base = TCG_REG_R3;
+        tcg_out_insn(s, RRE, ALGFR, h->index, addr_reg);
+        h->base = TCG_REG_NONE;
+    } else {
+        h->base = addr_reg;
     }
     h->disp = 0;
 #else
-- 
2.34.1

Adjust the softmmu tlb to use R0+R1, not any of the normally available
registers.  Since we handle overlap betwen inputs and helper arguments,
we can allow any allocatable reg.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/s390x/tcg-target-con-set.h |  2 --
 tcg/s390x/tcg-target-con-str.h |  1 -
 tcg/s390x/tcg-target.c.inc     | 36 ++++++++++++----------------------
 3 files changed, 12 insertions(+), 27 deletions(-)

diff --git a/tcg/s390x/tcg-target-con-set.h b/tcg/s390x/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target-con-set.h
+++ b/tcg/s390x/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
  * tcg-target-con-str.h; the constraint combination is inclusive or.
  */
 C_O0_I1(r)
-C_O0_I2(L, L)
 C_O0_I2(r, r)
 C_O0_I2(r, ri)
 C_O0_I2(r, rA)
 C_O0_I2(v, r)
-C_O1_I1(r, L)
 C_O1_I1(r, r)
 C_O1_I1(v, r)
 C_O1_I1(v, v)
diff --git a/tcg/s390x/tcg-target-con-str.h b/tcg/s390x/tcg-target-con-str.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target-con-str.h
+++ b/tcg/s390x/tcg-target-con-str.h
@@ -XXX,XX +XXX,XX @@
  * REGS(letter, register_mask)
  */
 REGS('r', ALL_GENERAL_REGS)
-REGS('L', ALL_GENERAL_REGS & ~SOFTMMU_RESERVE_REGS)
 REGS('v', ALL_VECTOR_REGS)
 REGS('o', 0xaaaa) /* odd numbered general regs */
 
diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target.c.inc
+++ b/tcg/s390x/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@
 #define ALL_GENERAL_REGS     MAKE_64BIT_MASK(0, 16)
 #define ALL_VECTOR_REGS      MAKE_64BIT_MASK(32, 32)
 
-/*
- * For softmmu, we need to avoid conflicts with the first 3
- * argument registers to perform the tlb lookup, and to call
- * the helper function.
- */
-#ifdef CONFIG_SOFTMMU
-#define SOFTMMU_RESERVE_REGS MAKE_64BIT_MASK(TCG_REG_R2, 3)
-#else
-#define SOFTMMU_RESERVE_REGS 0
-#endif
-
-
 /* Several places within the instruction set 0 means "no register"
    rather than TCG_REG_R0.  */
 #define TCG_REG_NONE    0
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     ldst->oi = oi;
     ldst->addrlo_reg = addr_reg;
 
-    tcg_out_sh64(s, RSY_SRLG, TCG_REG_R2, addr_reg, TCG_REG_NONE,
+    tcg_out_sh64(s, RSY_SRLG, TCG_TMP0, addr_reg, TCG_REG_NONE,
                  TARGET_PAGE_BITS - CPU_TLB_ENTRY_BITS);
 
     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) > 0);
     QEMU_BUILD_BUG_ON(TLB_MASK_TABLE_OFS(0) < -(1 << 19));
-    tcg_out_insn(s, RXY, NG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, mask_off);
-    tcg_out_insn(s, RXY, AG, TCG_REG_R2, TCG_AREG0, TCG_REG_NONE, table_off);
+    tcg_out_insn(s, RXY, NG, TCG_TMP0, TCG_AREG0, TCG_REG_NONE, mask_off);
+    tcg_out_insn(s, RXY, AG, TCG_TMP0, TCG_AREG0, TCG_REG_NONE, table_off);
 
     /*
      * For aligned accesses, we check the first byte and include the alignment
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     a_off = (a_bits >= s_bits ? 0 : s_mask - a_mask);
     tlb_mask = (uint64_t)TARGET_PAGE_MASK | a_mask;
     if (a_off == 0) {
-        tgen_andi_risbg(s, TCG_REG_R3, addr_reg, tlb_mask);
+        tgen_andi_risbg(s, TCG_REG_R0, addr_reg, tlb_mask);
     } else {
-        tcg_out_insn(s, RX, LA, TCG_REG_R3, addr_reg, TCG_REG_NONE, a_off);
-        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R3, tlb_mask);
+        tcg_out_insn(s, RX, LA, TCG_REG_R0, addr_reg, TCG_REG_NONE, a_off);
+        tgen_andi(s, TCG_TYPE_TL, TCG_REG_R0, tlb_mask);
     }
 
     if (is_ld) {
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
         ofs = offsetof(CPUTLBEntry, addr_write);
     }
     if (TARGET_LONG_BITS == 32) {
-        tcg_out_insn(s, RX, C, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+        tcg_out_insn(s, RX, C, TCG_REG_R0, TCG_TMP0, TCG_REG_NONE, ofs);
     } else {
-        tcg_out_insn(s, RXY, CG, TCG_REG_R3, TCG_REG_R2, TCG_REG_NONE, ofs);
+        tcg_out_insn(s, RXY, CG, TCG_REG_R0, TCG_TMP0, TCG_REG_NONE, ofs);
     }
 
     tcg_out16(s, RI_BRC | (S390_CC_NE << 4));
     ldst->label_ptr[0] = s->code_ptr++;
 
-    h->index = TCG_REG_R2;
-    tcg_out_insn(s, RXY, LG, h->index, TCG_REG_R2, TCG_REG_NONE,
+    h->index = TCG_TMP0;
+    tcg_out_insn(s, RXY, LG, h->index, TCG_TMP0, TCG_REG_NONE,
                  offsetof(CPUTLBEntry, addend));
 
     if (TARGET_LONG_BITS == 32) {
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
 
     case INDEX_op_qemu_ld_i32:
     case INDEX_op_qemu_ld_i64:
-        return C_O1_I1(r, L);
+        return C_O1_I1(r, r);
     case INDEX_op_qemu_st_i64:
     case INDEX_op_qemu_st_i32:
-        return C_O0_I2(L, L);
+        return C_O0_I2(r, r);
 
     case INDEX_op_deposit_i32:
     case INDEX_op_deposit_i64:
-- 
2.34.1

These are atomic operations, so mark as requiring alignment.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/nanomips_translate.c.inc | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/target/mips/tcg/nanomips_translate.c.inc b/target/mips/tcg/nanomips_translate.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/nanomips_translate.c.inc
+++ b/target/mips/tcg/nanomips_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_llwp(DisasContext *ctx, uint32_t base, int16_t offset,
     TCGv tmp2 = tcg_temp_new();
 
     gen_base_offset_addr(ctx, taddr, base, offset);
-    tcg_gen_qemu_ld_i64(tval, taddr, ctx->mem_idx, MO_TEUQ);
+    tcg_gen_qemu_ld_i64(tval, taddr, ctx->mem_idx, MO_TEUQ | MO_ALIGN);
     if (cpu_is_bigendian(ctx)) {
         tcg_gen_extr_i64_tl(tmp2, tmp1, tval);
     } else {
@@ -XXX,XX +XXX,XX @@ static void gen_scwp(DisasContext *ctx, uint32_t base, int16_t offset,
 
     tcg_gen_ld_i64(llval, cpu_env, offsetof(CPUMIPSState, llval_wp));
     tcg_gen_atomic_cmpxchg_i64(val, taddr, llval, tval,
-                               eva ? MIPS_HFLAG_UM : ctx->mem_idx, MO_64);
+                               eva ? MIPS_HFLAG_UM : ctx->mem_idx,
+                               MO_64 | MO_ALIGN);
     if (reg1 != 0) {
         tcg_gen_movi_tl(cpu_gpr[reg1], 1);
     }
-- 
2.34.1

Memory operations that are not already aligned, or otherwise
marked up, require addition of ctx->default_tcg_memop_mask.

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/mips/tcg/mxu_translate.c           |  3 ++-
 target/mips/tcg/micromips_translate.c.inc | 24 ++++++++++++++--------
 target/mips/tcg/mips16e_translate.c.inc   | 18 ++++++++++------
 target/mips/tcg/nanomips_translate.c.inc  | 25 +++++++++++------------
 4 files changed, 42 insertions(+), 28 deletions(-)

diff --git a/target/mips/tcg/mxu_translate.c b/target/mips/tcg/mxu_translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/mxu_translate.c
+++ b/target/mips/tcg/mxu_translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_mxu_s32ldd_s32lddr(DisasContext *ctx)
         tcg_gen_ori_tl(t1, t1, 0xFFFFF000);
     }
     tcg_gen_add_tl(t1, t0, t1);
-    tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, MO_TESL ^ (sel * MO_BSWAP));
+    tcg_gen_qemu_ld_tl(t1, t1, ctx->mem_idx, (MO_TESL ^ (sel * MO_BSWAP)) |
+                       ctx->default_tcg_memop_mask);
 
     gen_store_mxu_gpr(t1, XRa);
 }
diff --git a/target/mips/tcg/micromips_translate.c.inc b/target/mips/tcg/micromips_translate.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/micromips_translate.c.inc
+++ b/target/mips/tcg/micromips_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_ldst_pair(DisasContext *ctx, uint32_t opc, int rd,
             gen_reserved_instruction(ctx);
             return;
         }
-        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL);
+        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL |
+                           ctx->default_tcg_memop_mask);
         gen_store_gpr(t1, rd);
         tcg_gen_movi_tl(t1, 4);
         gen_op_addr_add(ctx, t0, t0, t1);
-        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL);
+        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL |
+                           ctx->default_tcg_memop_mask);
         gen_store_gpr(t1, rd + 1);
         break;
     case SWP:
         gen_load_gpr(t1, rd);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
         tcg_gen_movi_tl(t1, 4);
         gen_op_addr_add(ctx, t0, t0, t1);
         gen_load_gpr(t1, rd + 1);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
         break;
 #ifdef TARGET_MIPS64
     case LDP:
@@ -XXX,XX +XXX,XX @@ static void gen_ldst_pair(DisasContext *ctx, uint32_t opc, int rd,
             gen_reserved_instruction(ctx);
             return;
         }
-        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
+        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
+                           ctx->default_tcg_memop_mask);
         gen_store_gpr(t1, rd);
         tcg_gen_movi_tl(t1, 8);
         gen_op_addr_add(ctx, t0, t0, t1);
-        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
+        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
+                           ctx->default_tcg_memop_mask);
         gen_store_gpr(t1, rd + 1);
         break;
     case SDP:
         gen_load_gpr(t1, rd);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
+                           ctx->default_tcg_memop_mask);
         tcg_gen_movi_tl(t1, 8);
         gen_op_addr_add(ctx, t0, t0, t1);
         gen_load_gpr(t1, rd + 1);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUQ |
+                           ctx->default_tcg_memop_mask);
         break;
 #endif
     }
diff --git a/target/mips/tcg/mips16e_translate.c.inc b/target/mips/tcg/mips16e_translate.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/mips16e_translate.c.inc
+++ b/target/mips/tcg/mips16e_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_save(DisasContext *ctx,
     case 4:
         gen_base_offset_addr(ctx, t0, 29, 12);
         gen_load_gpr(t1, 7);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
         /* Fall through */
     case 3:
         gen_base_offset_addr(ctx, t0, 29, 8);
         gen_load_gpr(t1, 6);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
         /* Fall through */
     case 2:
         gen_base_offset_addr(ctx, t0, 29, 4);
         gen_load_gpr(t1, 5);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
         /* Fall through */
     case 1:
         gen_base_offset_addr(ctx, t0, 29, 0);
         gen_load_gpr(t1, 4);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |
+                           ctx->default_tcg_memop_mask);
     }
 
     gen_load_gpr(t0, 29);
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_save(DisasContext *ctx,
         tcg_gen_movi_tl(t2, -4);                                 \
         gen_op_addr_add(ctx, t0, t0, t2);                        \
         gen_load_gpr(t1, reg);                                   \
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL); \
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL |       \
+                           ctx->default_tcg_memop_mask);         \
     } while (0)
 
     if (do_ra) {
@@ -XXX,XX +XXX,XX @@ static void gen_mips16_restore(DisasContext *ctx,
 #define DECR_AND_LOAD(reg) do {                            \
         tcg_gen_movi_tl(t2, -4);                           \
         gen_op_addr_add(ctx, t0, t0, t2);                  \
-        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL); \
+        tcg_gen_qemu_ld_tl(t1, t0, ctx->mem_idx, MO_TESL | \
+                           ctx->default_tcg_memop_mask);   \
         gen_store_gpr(t1, reg);                            \
     } while (0)
 
diff --git a/target/mips/tcg/nanomips_translate.c.inc b/target/mips/tcg/nanomips_translate.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/target/mips/tcg/nanomips_translate.c.inc
+++ b/target/mips/tcg/nanomips_translate.c.inc
@@ -XXX,XX +XXX,XX @@ static void gen_p_lsx(DisasContext *ctx, int rd, int rs, int rt)
 
     switch (extract32(ctx->opcode, 7, 4)) {
     case NM_LBX:
-        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
-                           MO_SB);
+        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx, MO_SB);
         gen_store_gpr(t0, rd);
         break;
     case NM_LHX:
     /*case NM_LHXS:*/
         tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
-                           MO_TESW);
+                           MO_TESW | ctx->default_tcg_memop_mask);
         gen_store_gpr(t0, rd);
         break;
     case NM_LWX:
     /*case NM_LWXS:*/
         tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
-                           MO_TESL);
+                           MO_TESL | ctx->default_tcg_memop_mask);
         gen_store_gpr(t0, rd);
         break;
     case NM_LBUX:
-        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
-                           MO_UB);
+        tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx, MO_UB);
         gen_store_gpr(t0, rd);
         break;
     case NM_LHUX:
     /*case NM_LHUXS:*/
         tcg_gen_qemu_ld_tl(t0, t0, ctx->mem_idx,
-                           MO_TEUW);
+                           MO_TEUW | ctx->default_tcg_memop_mask);
         gen_store_gpr(t0, rd);
         break;
     case NM_SBX:
         check_nms(ctx);
         gen_load_gpr(t1, rd);
-        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
-                           MO_8);
+        tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_8);
         break;
     case NM_SHX:
     /*case NM_SHXS:*/
         check_nms(ctx);
         gen_load_gpr(t1, rd);
         tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
-                           MO_TEUW);
+                           MO_TEUW | ctx->default_tcg_memop_mask);
         break;
     case NM_SWX:
     /*case NM_SWXS:*/
         check_nms(ctx);
         gen_load_gpr(t1, rd);
         tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
-                           MO_TEUL);
+                           MO_TEUL | ctx->default_tcg_memop_mask);
         break;
     case NM_LWC1X:
     /*case NM_LWC1XS:*/
@@ -XXX,XX +XXX,XX @@ static int decode_nanomips_32_48_opc(CPUMIPSState *env, DisasContext *ctx)
                                                 addr_off);
 
                     tcg_gen_movi_tl(t0, addr);
-                    tcg_gen_qemu_ld_tl(cpu_gpr[rt], t0, ctx->mem_idx, MO_TESL);
+                    tcg_gen_qemu_ld_tl(cpu_gpr[rt], t0, ctx->mem_idx,
+                                       MO_TESL | ctx->default_tcg_memop_mask);
                 }
                 break;
             case NM_SWPC48:
@@ -XXX,XX +XXX,XX @@ static int decode_nanomips_32_48_opc(CPUMIPSState *env, DisasContext *ctx)
                     tcg_gen_movi_tl(t0, addr);
                     gen_load_gpr(t1, rt);
 
-                    tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx, MO_TEUL);
+                    tcg_gen_qemu_st_tl(t1, t0, ctx->mem_idx,
+                                       MO_TEUL | ctx->default_tcg_memop_mask);
                 }
                 break;
             default:
-- 
2.34.1

Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 configs/targets/mips-linux-user.mak      | 1 -
 configs/targets/mips-softmmu.mak         | 1 -
 configs/targets/mips64-linux-user.mak    | 1 -
 configs/targets/mips64-softmmu.mak       | 1 -
 configs/targets/mips64el-linux-user.mak  | 1 -
 configs/targets/mips64el-softmmu.mak     | 1 -
 configs/targets/mipsel-linux-user.mak    | 1 -
 configs/targets/mipsel-softmmu.mak       | 1 -
 configs/targets/mipsn32-linux-user.mak   | 1 -
 configs/targets/mipsn32el-linux-user.mak | 1 -
 10 files changed, 10 deletions(-)

diff --git a/configs/targets/mips-linux-user.mak b/configs/targets/mips-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips-linux-user.mak
+++ b/configs/targets/mips-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ARCH=mips
 TARGET_ABI_MIPSO32=y
 TARGET_SYSTBL_ABI=o32
 TARGET_SYSTBL=syscall_o32.tbl
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
diff --git a/configs/targets/mips-softmmu.mak b/configs/targets/mips-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips-softmmu.mak
+++ b/configs/targets/mips-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=mips
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
 TARGET_SUPPORTS_MTTCG=y
diff --git a/configs/targets/mips64-linux-user.mak b/configs/targets/mips64-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips64-linux-user.mak
+++ b/configs/targets/mips64-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI_MIPSN64=y
 TARGET_BASE_ARCH=mips
 TARGET_SYSTBL_ABI=n64
 TARGET_SYSTBL=syscall_n64.tbl
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
diff --git a/configs/targets/mips64-softmmu.mak b/configs/targets/mips64-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips64-softmmu.mak
+++ b/configs/targets/mips64-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=mips64
 TARGET_BASE_ARCH=mips
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
diff --git a/configs/targets/mips64el-linux-user.mak b/configs/targets/mips64el-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips64el-linux-user.mak
+++ b/configs/targets/mips64el-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI_MIPSN64=y
 TARGET_BASE_ARCH=mips
 TARGET_SYSTBL_ABI=n64
 TARGET_SYSTBL=syscall_n64.tbl
-TARGET_ALIGNED_ONLY=y
diff --git a/configs/targets/mips64el-softmmu.mak b/configs/targets/mips64el-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mips64el-softmmu.mak
+++ b/configs/targets/mips64el-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=mips64
 TARGET_BASE_ARCH=mips
-TARGET_ALIGNED_ONLY=y
 TARGET_NEED_FDT=y
diff --git a/configs/targets/mipsel-linux-user.mak b/configs/targets/mipsel-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mipsel-linux-user.mak
+++ b/configs/targets/mipsel-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ARCH=mips
 TARGET_ABI_MIPSO32=y
 TARGET_SYSTBL_ABI=o32
 TARGET_SYSTBL=syscall_o32.tbl
-TARGET_ALIGNED_ONLY=y
diff --git a/configs/targets/mipsel-softmmu.mak b/configs/targets/mipsel-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mipsel-softmmu.mak
+++ b/configs/targets/mipsel-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=mips
-TARGET_ALIGNED_ONLY=y
 TARGET_SUPPORTS_MTTCG=y
diff --git a/configs/targets/mipsn32-linux-user.mak b/configs/targets/mipsn32-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mipsn32-linux-user.mak
+++ b/configs/targets/mipsn32-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI32=y
 TARGET_BASE_ARCH=mips
 TARGET_SYSTBL_ABI=n32
 TARGET_SYSTBL=syscall_n32.tbl
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
diff --git a/configs/targets/mipsn32el-linux-user.mak b/configs/targets/mipsn32el-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/mipsn32el-linux-user.mak
+++ b/configs/targets/mipsn32el-linux-user.mak
@@ -XXX,XX +XXX,XX @@ TARGET_ABI32=y
 TARGET_BASE_ARCH=mips
 TARGET_SYSTBL_ABI=n32
 TARGET_SYSTBL=syscall_n32.tbl
-TARGET_ALIGNED_ONLY=y
-- 
2.34.1

In gen_ldx/gen_stx, the only two locations for memory operations,
mark the operation as either aligned (softmmu) or unaligned
(user-only, as if emulated by the kernel).

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 configs/targets/nios2-softmmu.mak |  1 -
 target/nios2/translate.c          | 10 ++++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/configs/targets/nios2-softmmu.mak b/configs/targets/nios2-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/nios2-softmmu.mak
+++ b/configs/targets/nios2-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=nios2
-TARGET_ALIGNED_ONLY=y
 TARGET_NEED_FDT=y
diff --git a/target/nios2/translate.c b/target/nios2/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/nios2/translate.c
+++ b/target/nios2/translate.c
@@ -XXX,XX +XXX,XX @@ static void gen_ldx(DisasContext *dc, uint32_t code, uint32_t flags)
     TCGv data = dest_gpr(dc, instr.b);
 
     tcg_gen_addi_tl(addr, load_gpr(dc, instr.a), instr.imm16.s);
+#ifdef CONFIG_USER_ONLY
+    flags |= MO_UNALN;
+#else
+    flags |= MO_ALIGN;
+#endif
     tcg_gen_qemu_ld_tl(data, addr, dc->mem_idx, flags);
 }
 
@@ -XXX,XX +XXX,XX @@ static void gen_stx(DisasContext *dc, uint32_t code, uint32_t flags)
 
     TCGv addr = tcg_temp_new();
     tcg_gen_addi_tl(addr, load_gpr(dc, instr.a), instr.imm16.s);
+#ifdef CONFIG_USER_ONLY
+    flags |= MO_UNALN;
+#else
+    flags |= MO_ALIGN;
+#endif
     tcg_gen_qemu_st_tl(val, addr, dc->mem_idx, flags);
 }
 
-- 
2.34.1

Mark all memory operations that are not already marked with UNALIGN.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/sh4/translate.c | 102 ++++++++++++++++++++++++++---------------
 1 file changed, 66 insertions(+), 36 deletions(-)

diff --git a/target/sh4/translate.c b/target/sh4/translate.c
index XXXXXXX..XXXXXXX 100644
--- a/target/sh4/translate.c
+++ b/target/sh4/translate.c
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
     case 0x9000:		/* mov.w @(disp,PC),Rn */
 	{
             TCGv addr = tcg_constant_i32(ctx->base.pc_next + 4 + B7_0 * 2);
-            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESW);
+            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
+                                MO_TESW | MO_ALIGN);
 	}
 	return;
     case 0xd000:		/* mov.l @(disp,PC),Rn */
 	{
             TCGv addr = tcg_constant_i32((ctx->base.pc_next + 4 + B7_0 * 4) & ~3);
-            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(REG(B11_8), addr, ctx->memidx,
+                                MO_TESL | MO_ALIGN);
 	}
 	return;
     case 0x7000:		/* add #imm,Rn */
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv arg0, arg1;
 	    arg0 = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
 	    arg1 = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
             gen_helper_macl(cpu_env, arg0, arg1);
 	    tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 4);
 	    tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv arg0, arg1;
 	    arg0 = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(arg0, REG(B7_4), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
 	    arg1 = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(arg1, REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
             gen_helper_macw(cpu_env, arg0, arg1);
 	    tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 2);
 	    tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 2);
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
         if (ctx->tbflags & FPSCR_SZ) {
             TCGv_i64 fp = tcg_temp_new_i64();
             gen_load_fpr64(ctx, fp, XHACK(B7_4));
-            tcg_gen_qemu_st_i64(fp, REG(B11_8), ctx->memidx, MO_TEUQ);
+            tcg_gen_qemu_st_i64(fp, REG(B11_8), ctx->memidx,
+                                MO_TEUQ | MO_ALIGN);
 	} else {
-            tcg_gen_qemu_st_i32(FREG(B7_4), REG(B11_8), ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(FREG(B7_4), REG(B11_8), ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
 	}
 	return;
     case 0xf008: /* fmov @Rm,{F,D,X}Rn - FPSCR: Nothing */
 	CHECK_FPU_ENABLED
         if (ctx->tbflags & FPSCR_SZ) {
             TCGv_i64 fp = tcg_temp_new_i64();
-            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx, MO_TEUQ);
+            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx,
+                                MO_TEUQ | MO_ALIGN);
             gen_store_fpr64(ctx, fp, XHACK(B11_8));
 	} else {
-            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
 	}
 	return;
     case 0xf009: /* fmov @Rm+,{F,D,X}Rn - FPSCR: Nothing */
 	CHECK_FPU_ENABLED
         if (ctx->tbflags & FPSCR_SZ) {
             TCGv_i64 fp = tcg_temp_new_i64();
-            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx, MO_TEUQ);
+            tcg_gen_qemu_ld_i64(fp, REG(B7_4), ctx->memidx,
+                                MO_TEUQ | MO_ALIGN);
             gen_store_fpr64(ctx, fp, XHACK(B11_8));
             tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 8);
 	} else {
-            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_ld_i32(FREG(B11_8), REG(B7_4), ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
 	    tcg_gen_addi_i32(REG(B7_4), REG(B7_4), 4);
 	}
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
                 TCGv_i64 fp = tcg_temp_new_i64();
                 gen_load_fpr64(ctx, fp, XHACK(B7_4));
                 tcg_gen_subi_i32(addr, REG(B11_8), 8);
-                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx, MO_TEUQ);
+                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx,
+                                    MO_TEUQ | MO_ALIGN);
             } else {
                 tcg_gen_subi_i32(addr, REG(B11_8), 4);
-                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx, MO_TEUL);
+                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx,
+                                    MO_TEUL | MO_ALIGN);
             }
             tcg_gen_mov_i32(REG(B11_8), addr);
         }
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	    tcg_gen_add_i32(addr, REG(B7_4), REG(0));
             if (ctx->tbflags & FPSCR_SZ) {
                 TCGv_i64 fp = tcg_temp_new_i64();
-                tcg_gen_qemu_ld_i64(fp, addr, ctx->memidx, MO_TEUQ);
+                tcg_gen_qemu_ld_i64(fp, addr, ctx->memidx,
+                                    MO_TEUQ | MO_ALIGN);
                 gen_store_fpr64(ctx, fp, XHACK(B11_8));
 	    } else {
-                tcg_gen_qemu_ld_i32(FREG(B11_8), addr, ctx->memidx, MO_TEUL);
+                tcg_gen_qemu_ld_i32(FREG(B11_8), addr, ctx->memidx,
+                                    MO_TEUL | MO_ALIGN);
 	    }
 	}
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
             if (ctx->tbflags & FPSCR_SZ) {
                 TCGv_i64 fp = tcg_temp_new_i64();
                 gen_load_fpr64(ctx, fp, XHACK(B7_4));
-                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx, MO_TEUQ);
+                tcg_gen_qemu_st_i64(fp, addr, ctx->memidx,
+                                    MO_TEUQ | MO_ALIGN);
 	    } else {
-                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx, MO_TEUL);
+                tcg_gen_qemu_st_i32(FREG(B7_4), addr, ctx->memidx,
+                                    MO_TEUL | MO_ALIGN);
 	    }
 	}
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv addr = tcg_temp_new();
 	    tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 2);
-            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESW);
+            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESW | MO_ALIGN);
 	}
 	return;
     case 0xc600:		/* mov.l @(disp,GBR),R0 */
 	{
 	    TCGv addr = tcg_temp_new();
 	    tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 4);
-            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(REG(0), addr, ctx->memidx, MO_TESL | MO_ALIGN);
 	}
 	return;
     case 0xc000:		/* mov.b R0,@(disp,GBR) */
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv addr = tcg_temp_new();
 	    tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 2);
-            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUW);
+            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUW | MO_ALIGN);
 	}
 	return;
     case 0xc200:		/* mov.l R0,@(disp,GBR) */
 	{
 	    TCGv addr = tcg_temp_new();
 	    tcg_gen_addi_i32(addr, cpu_gbr, B7_0 * 4);
-            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(REG(0), addr, ctx->memidx, MO_TEUL | MO_ALIGN);
 	}
 	return;
     case 0x8000:		/* mov.b R0,@(disp,Rn) */
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	return;
     case 0x4087:		/* ldc.l @Rm+,Rn_BANK */
 	CHECK_PRIVILEGED
-        tcg_gen_qemu_ld_i32(ALTREG(B6_4), REG(B11_8), ctx->memidx, MO_TESL);
+        tcg_gen_qemu_ld_i32(ALTREG(B6_4), REG(B11_8), ctx->memidx,
+                            MO_TESL | MO_ALIGN);
 	tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
 	return;
     case 0x0082:		/* stc Rm_BANK,Rn */
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	{
 	    TCGv addr = tcg_temp_new();
 	    tcg_gen_subi_i32(addr, REG(B11_8), 4);
-            tcg_gen_qemu_st_i32(ALTREG(B6_4), addr, ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(ALTREG(B6_4), addr, ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
 	    tcg_gen_mov_i32(REG(B11_8), addr);
 	}
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	CHECK_PRIVILEGED
 	{
 	    TCGv val = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
             tcg_gen_andi_i32(val, val, 0x700083f3);
             gen_write_sr(val);
 	    tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
             TCGv val = tcg_temp_new();
 	    tcg_gen_subi_i32(addr, REG(B11_8), 4);
             gen_read_sr(val);
-            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL | MO_ALIGN);
 	    tcg_gen_mov_i32(REG(B11_8), addr);
 	}
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
     return;							\
   case ldpnum:							\
     prechk    							\
-    tcg_gen_qemu_ld_i32(cpu_##reg, REG(B11_8), ctx->memidx, MO_TESL); \
+    tcg_gen_qemu_ld_i32(cpu_##reg, REG(B11_8), ctx->memidx,     \
+                        MO_TESL | MO_ALIGN);                    \
     tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);		\
     return;
 #define ST(reg,stnum,stpnum,prechk)		\
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
     {								\
 	TCGv addr = tcg_temp_new();				\
 	tcg_gen_subi_i32(addr, REG(B11_8), 4);			\
-        tcg_gen_qemu_st_i32(cpu_##reg, addr, ctx->memidx, MO_TEUL); \
+        tcg_gen_qemu_st_i32(cpu_##reg, addr, ctx->memidx,       \
+                            MO_TEUL | MO_ALIGN);                \
 	tcg_gen_mov_i32(REG(B11_8), addr);			\
     }								\
     return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	CHECK_FPU_ENABLED
 	{
 	    TCGv addr = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(addr, REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(addr, REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
 	    tcg_gen_addi_i32(REG(B11_8), REG(B11_8), 4);
             gen_helper_ld_fpscr(cpu_env, addr);
             ctx->base.is_jmp = DISAS_STOP;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
 	    tcg_gen_andi_i32(val, cpu_fpscr, 0x003fffff);
 	    addr = tcg_temp_new();
 	    tcg_gen_subi_i32(addr, REG(B11_8), 4);
-            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(val, addr, ctx->memidx, MO_TEUL | MO_ALIGN);
 	    tcg_gen_mov_i32(REG(B11_8), addr);
 	}
 	return;
     case 0x00c3:		/* movca.l R0,@Rm */
         {
             TCGv val = tcg_temp_new();
-            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_ld_i32(val, REG(B11_8), ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
             gen_helper_movcal(cpu_env, REG(B11_8), val);
-            tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx, MO_TEUL);
+            tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx,
+                                MO_TEUL | MO_ALIGN);
         }
         ctx->has_movcal = 1;
 	return;
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
                                    cpu_lock_addr, fail);
                 tmp = tcg_temp_new();
                 tcg_gen_atomic_cmpxchg_i32(tmp, REG(B11_8), cpu_lock_value,
-                                           REG(0), ctx->memidx, MO_TEUL);
+                                           REG(0), ctx->memidx,
+                                           MO_TEUL | MO_ALIGN);
                 tcg_gen_setcond_i32(TCG_COND_EQ, cpu_sr_t, tmp, cpu_lock_value);
             } else {
                 tcg_gen_brcondi_i32(TCG_COND_EQ, cpu_lock_addr, -1, fail);
-                tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx, MO_TEUL);
+                tcg_gen_qemu_st_i32(REG(0), REG(B11_8), ctx->memidx,
+                                    MO_TEUL | MO_ALIGN);
                 tcg_gen_movi_i32(cpu_sr_t, 1);
             }
             tcg_gen_br(done);
@@ -XXX,XX +XXX,XX @@ static void _decode_opc(DisasContext * ctx)
         if ((tb_cflags(ctx->base.tb) & CF_PARALLEL)) {
             TCGv tmp = tcg_temp_new();
             tcg_gen_mov_i32(tmp, REG(B11_8));
-            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
             tcg_gen_mov_i32(cpu_lock_value, REG(0));
             tcg_gen_mov_i32(cpu_lock_addr, tmp);
         } else {
-            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx, MO_TESL);
+            tcg_gen_qemu_ld_i32(REG(0), REG(B11_8), ctx->memidx,
+                                MO_TESL | MO_ALIGN);
             tcg_gen_movi_i32(cpu_lock_addr, 0);
         }
         return;
-- 
2.34.1

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 configs/targets/sh4-linux-user.mak   | 1 -
 configs/targets/sh4-softmmu.mak      | 1 -
 configs/targets/sh4eb-linux-user.mak | 1 -
 configs/targets/sh4eb-softmmu.mak    | 1 -
 4 files changed, 4 deletions(-)

diff --git a/configs/targets/sh4-linux-user.mak b/configs/targets/sh4-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/sh4-linux-user.mak
+++ b/configs/targets/sh4-linux-user.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=sh4
 TARGET_SYSTBL_ABI=common
 TARGET_SYSTBL=syscall.tbl
-TARGET_ALIGNED_ONLY=y
 TARGET_HAS_BFLT=y
diff --git a/configs/targets/sh4-softmmu.mak b/configs/targets/sh4-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/sh4-softmmu.mak
+++ b/configs/targets/sh4-softmmu.mak
@@ -1,2 +1 @@
 TARGET_ARCH=sh4
-TARGET_ALIGNED_ONLY=y
diff --git a/configs/targets/sh4eb-linux-user.mak b/configs/targets/sh4eb-linux-user.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/sh4eb-linux-user.mak
+++ b/configs/targets/sh4eb-linux-user.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=sh4
 TARGET_SYSTBL_ABI=common
 TARGET_SYSTBL=syscall.tbl
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
 TARGET_HAS_BFLT=y
diff --git a/configs/targets/sh4eb-softmmu.mak b/configs/targets/sh4eb-softmmu.mak
index XXXXXXX..XXXXXXX 100644
--- a/configs/targets/sh4eb-softmmu.mak
+++ b/configs/targets/sh4eb-softmmu.mak
@@ -XXX,XX +XXX,XX @@
 TARGET_ARCH=sh4
-TARGET_ALIGNED_ONLY=y
 TARGET_BIG_ENDIAN=y
-- 
2.34.1

All uses have now been expunged.

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/memop.h  | 13 ++-----------
 include/exec/poison.h |  1 -
 tcg/tcg.c             |  5 -----
 3 files changed, 2 insertions(+), 17 deletions(-)

diff --git a/include/exec/memop.h b/include/exec/memop.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/memop.h
+++ b/include/exec/memop.h
@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
      * MO_UNALN accesses are never checked for alignment.
      * MO_ALIGN accesses will result in a call to the CPU's
      * do_unaligned_access hook if the guest address is not aligned.
-     * The default depends on whether the target CPU defines
-     * TARGET_ALIGNED_ONLY.
      *
      * Some architectures (e.g. ARMv8) need the address which is aligned
      * to a size more than the size of the memory access.
@@ -XXX,XX +XXX,XX @@ typedef enum MemOp {
      */
     MO_ASHIFT = 5,
     MO_AMASK = 0x7 << MO_ASHIFT,
-#ifdef NEED_CPU_H
-#ifdef TARGET_ALIGNED_ONLY
-    MO_ALIGN = 0,
-    MO_UNALN = MO_AMASK,
-#else
-    MO_ALIGN = MO_AMASK,
-    MO_UNALN = 0,
-#endif
-#endif
+    MO_UNALN    = 0,
     MO_ALIGN_2  = 1 << MO_ASHIFT,
     MO_ALIGN_4  = 2 << MO_ASHIFT,
     MO_ALIGN_8  = 3 << MO_ASHIFT,
     MO_ALIGN_16 = 4 << MO_ASHIFT,
     MO_ALIGN_32 = 5 << MO_ASHIFT,
     MO_ALIGN_64 = 6 << MO_ASHIFT,
+    MO_ALIGN    = MO_AMASK,
 
     /* Combinations of the above, for ease of use.  */
     MO_UB    = MO_8,
diff --git a/include/exec/poison.h b/include/exec/poison.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/poison.h
+++ b/include/exec/poison.h
@@ -XXX,XX +XXX,XX @@
 #pragma GCC poison TARGET_TRICORE
 #pragma GCC poison TARGET_XTENSA
 
-#pragma GCC poison TARGET_ALIGNED_ONLY
 #pragma GCC poison TARGET_HAS_BFLT
 #pragma GCC poison TARGET_NAME
 #pragma GCC poison TARGET_SUPPORTS_MTTCG
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static const char * const ldst_name[] =
 };
 
 static const char * const alignment_name[(MO_AMASK >> MO_ASHIFT) + 1] = {
-#ifdef TARGET_ALIGNED_ONLY
     [MO_UNALN >> MO_ASHIFT]    = "un+",
-    [MO_ALIGN >> MO_ASHIFT]    = "",
-#else
-    [MO_UNALN >> MO_ASHIFT]    = "",
     [MO_ALIGN >> MO_ASHIFT]    = "al+",
-#endif
     [MO_ALIGN_2 >> MO_ASHIFT]  = "al2+",
     [MO_ALIGN_4 >> MO_ASHIFT]  = "al4+",
     [MO_ALIGN_8 >> MO_ASHIFT]  = "al8+",
-- 
2.34.1

Like cpu_in_exclusive_context, but also true if
there is no other cpu against which we could race.

Use it in tb_flush as a direct replacement.
Use it in cpu_loop_exit_atomic to ensure that there
is no loop against cpu_exec_step_atomic.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/internal.h        | 9 +++++++++
 accel/tcg/cpu-exec-common.c | 3 +++
 accel/tcg/tb-maint.c        | 2 +-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/accel/tcg/internal.h b/accel/tcg/internal.h
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/internal.h
+++ b/accel/tcg/internal.h
@@ -XXX,XX +XXX,XX @@ static inline target_ulong log_pc(CPUState *cpu, const TranslationBlock *tb)
     }
 }
 
+/*
+ * Return true if CS is not running in parallel with other cpus, either
+ * because there are no other cpus or we are within an exclusive context.
+ */
+static inline bool cpu_in_serial_context(CPUState *cs)
+{
+    return !(cs->tcg_cflags & CF_PARALLEL) || cpu_in_exclusive_context(cs);
+}
+
 extern int64_t max_delay;
 extern int64_t max_advance;
 
diff --git a/accel/tcg/cpu-exec-common.c b/accel/tcg/cpu-exec-common.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cpu-exec-common.c
+++ b/accel/tcg/cpu-exec-common.c
@@ -XXX,XX +XXX,XX @@
 #include "sysemu/tcg.h"
 #include "exec/exec-all.h"
 #include "qemu/plugin.h"
+#include "internal.h"
 
 bool tcg_allowed;
 
@@ -XXX,XX +XXX,XX @@ void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
 
 void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc)
 {
+    /* Prevent looping if already executing in a serial context. */
+    g_assert(!cpu_in_serial_context(cpu));
     cpu->exception_index = EXCP_ATOMIC;
     cpu_loop_exit_restore(cpu, pc);
 }
diff --git a/accel/tcg/tb-maint.c b/accel/tcg/tb-maint.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
@@ -XXX,XX +XXX,XX @@ void tb_flush(CPUState *cpu)
     if (tcg_enabled()) {
         unsigned tb_flush_count = qatomic_read(&tb_ctx.tb_flush_count);
 
-        if (cpu_in_exclusive_context(cpu)) {
+        if (cpu_in_serial_context(cpu)) {
             do_tb_flush(cpu, RUN_ON_CPU_HOST_INT(tb_flush_count));
         } else {
             async_safe_run_on_cpu(cpu, do_tb_flush,
-- 
2.34.1

Instead of playing with offsetof in various places, use
MMUAccessType to index an array.  This is easily defined
instead of the previous dummy padding array in the union.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/cpu-defs.h |   7 ++-
 include/exec/cpu_ldst.h |  26 ++++++++--
 accel/tcg/cputlb.c      | 104 +++++++++++++---------------------------
 3 files changed, 59 insertions(+), 78 deletions(-)

diff --git a/include/exec/cpu-defs.h b/include/exec/cpu-defs.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu-defs.h
+++ b/include/exec/cpu-defs.h
@@ -XXX,XX +XXX,XX @@ typedef struct CPUTLBEntry {
                use the corresponding iotlb value.  */
             uintptr_t addend;
         };
-        /* padding to get a power of two size */
-        uint8_t dummy[1 << CPU_TLB_ENTRY_BITS];
+        /*
+         * Padding to get a power of two size, as well as index
+         * access to addr_{read,write,code}.
+         */
+        target_ulong addr_idx[(1 << CPU_TLB_ENTRY_BITS) / TARGET_LONG_SIZE];
     };
 } CPUTLBEntry;
 
diff --git a/include/exec/cpu_ldst.h b/include/exec/cpu_ldst.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/cpu_ldst.h
+++ b/include/exec/cpu_ldst.h
@@ -XXX,XX +XXX,XX @@ static inline void clear_helper_retaddr(void)
 /* Needed for TCG_OVERSIZED_GUEST */
 #include "tcg/tcg.h"
 
+static inline target_ulong tlb_read_idx(const CPUTLBEntry *entry,
+                                        MMUAccessType access_type)
+{
+    /* Do not rearrange the CPUTLBEntry structure members. */
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) !=
+                      MMU_DATA_LOAD * TARGET_LONG_SIZE);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) !=
+                      MMU_DATA_STORE * TARGET_LONG_SIZE);
+    QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) !=
+                      MMU_INST_FETCH * TARGET_LONG_SIZE);
+
+    const target_ulong *ptr = &entry->addr_idx[access_type];
+#if TCG_OVERSIZED_GUEST
+    return *ptr;
+#else
+    /* ofs might correspond to .addr_write, so use qatomic_read */
+    return qatomic_read(ptr);
+#endif
+}
+
 static inline target_ulong tlb_addr_write(const CPUTLBEntry *entry)
 {
-#if TCG_OVERSIZED_GUEST
-    return entry->addr_write;
-#else
-    return qatomic_read(&entry->addr_write);
-#endif
+    return tlb_read_idx(entry, MMU_DATA_STORE);
 }
 
 /* Find the TLB index corresponding to the mmu_idx + address pair.  */
diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void io_writex(CPUArchState *env, CPUTLBEntryFull *full,
     }
 }
 
-static inline target_ulong tlb_read_ofs(CPUTLBEntry *entry, size_t ofs)
-{
-#if TCG_OVERSIZED_GUEST
-    return *(target_ulong *)((uintptr_t)entry + ofs);
-#else
-    /* ofs might correspond to .addr_write, so use qatomic_read */
-    return qatomic_read((target_ulong *)((uintptr_t)entry + ofs));
-#endif
-}
-
 /* Return true if ADDR is present in the victim tlb, and has been copied
    back to the main tlb.  */
 static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
-                           size_t elt_ofs, target_ulong page)
+                           MMUAccessType access_type, target_ulong page)
 {
     size_t vidx;
 
     assert_cpu_is_self(env_cpu(env));
     for (vidx = 0; vidx < CPU_VTLB_SIZE; ++vidx) {
         CPUTLBEntry *vtlb = &env_tlb(env)->d[mmu_idx].vtable[vidx];
-        target_ulong cmp;
-
-        /* elt_ofs might correspond to .addr_write, so use qatomic_read */
-#if TCG_OVERSIZED_GUEST
-        cmp = *(target_ulong *)((uintptr_t)vtlb + elt_ofs);
-#else
-        cmp = qatomic_read((target_ulong *)((uintptr_t)vtlb + elt_ofs));
-#endif
+        target_ulong cmp = tlb_read_idx(vtlb, access_type);
 
         if (cmp == page) {
             /* Found entry in victim tlb, swap tlb and iotlb.  */
@@ -XXX,XX +XXX,XX @@ static bool victim_tlb_hit(CPUArchState *env, size_t mmu_idx, size_t index,
     return false;
 }
 
-/* Macro to call the above, with local variables from the use context.  */
-#define VICTIM_TLB_HIT(TY, ADDR) \
-  victim_tlb_hit(env, mmu_idx, index, offsetof(CPUTLBEntry, TY), \
-                 (ADDR) & TARGET_PAGE_MASK)
-
 static void notdirty_write(CPUState *cpu, vaddr mem_vaddr, unsigned size,
                            CPUTLBEntryFull *full, uintptr_t retaddr)
 {
@@ -XXX,XX +XXX,XX @@ static int probe_access_internal(CPUArchState *env, target_ulong addr,
 {
     uintptr_t index = tlb_index(env, mmu_idx, addr);
     CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
-    target_ulong tlb_addr, page_addr;
-    size_t elt_ofs;
-    int flags;
+    target_ulong tlb_addr = tlb_read_idx(entry, access_type);
+    target_ulong page_addr = addr & TARGET_PAGE_MASK;
+    int flags = TLB_FLAGS_MASK;
 
-    switch (access_type) {
-    case MMU_DATA_LOAD:
-        elt_ofs = offsetof(CPUTLBEntry, addr_read);
-        break;
-    case MMU_DATA_STORE:
-        elt_ofs = offsetof(CPUTLBEntry, addr_write);
-        break;
-    case MMU_INST_FETCH:
-        elt_ofs = offsetof(CPUTLBEntry, addr_code);
-        break;
-    default:
-        g_assert_not_reached();
-    }
-    tlb_addr = tlb_read_ofs(entry, elt_ofs);
-
-    flags = TLB_FLAGS_MASK;
-    page_addr = addr & TARGET_PAGE_MASK;
     if (!tlb_hit_page(tlb_addr, page_addr)) {
-        if (!victim_tlb_hit(env, mmu_idx, index, elt_ofs, page_addr)) {
+        if (!victim_tlb_hit(env, mmu_idx, index, access_type, page_addr)) {
             CPUState *cs = env_cpu(env);
 
             if (!cs->cc->tcg_ops->tlb_fill(cs, addr, fault_size, access_type,
@@ -XXX,XX +XXX,XX @@ static int probe_access_internal(CPUArchState *env, target_ulong addr,
              */
             flags &= ~TLB_INVALID_MASK;
         }
-        tlb_addr = tlb_read_ofs(entry, elt_ofs);
+        tlb_addr = tlb_read_idx(entry, access_type);
     }
     flags &= tlb_addr;
 
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
     if (prot & PAGE_WRITE) {
         tlb_addr = tlb_addr_write(tlbe);
         if (!tlb_hit(tlb_addr, addr)) {
-            if (!VICTIM_TLB_HIT(addr_write, addr)) {
+            if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
+                                addr & TARGET_PAGE_MASK)) {
                 tlb_fill(env_cpu(env), addr, size,
                          MMU_DATA_STORE, mmu_idx, retaddr);
                 index = tlb_index(env, mmu_idx, addr);
@@ -XXX,XX +XXX,XX @@ static void *atomic_mmu_lookup(CPUArchState *env, target_ulong addr,
     } else /* if (prot & PAGE_READ) */ {
         tlb_addr = tlbe->addr_read;
         if (!tlb_hit(tlb_addr, addr)) {
-            if (!VICTIM_TLB_HIT(addr_read, addr)) {
+            if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_LOAD,
+                                addr & TARGET_PAGE_MASK)) {
                 tlb_fill(env_cpu(env), addr, size,
                          MMU_DATA_LOAD, mmu_idx, retaddr);
                 index = tlb_index(env, mmu_idx, addr);
@@ -XXX,XX +XXX,XX @@ load_memop(const void *haddr, MemOp op)
 
 static inline uint64_t QEMU_ALWAYS_INLINE
 load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
-            uintptr_t retaddr, MemOp op, bool code_read,
+            uintptr_t retaddr, MemOp op, MMUAccessType access_type,
             FullLoadHelper *full_load)
 {
-    const size_t tlb_off = code_read ?
-        offsetof(CPUTLBEntry, addr_code) : offsetof(CPUTLBEntry, addr_read);
-    const MMUAccessType access_type =
-        code_read ? MMU_INST_FETCH : MMU_DATA_LOAD;
     const unsigned a_bits = get_alignment_bits(get_memop(oi));
     const size_t size = memop_size(op);
     uintptr_t mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
 
     index = tlb_index(env, mmu_idx, addr);
     entry = tlb_entry(env, mmu_idx, addr);
-    tlb_addr = code_read ? entry->addr_code : entry->addr_read;
+    tlb_addr = tlb_read_idx(entry, access_type);
 
     /* If the TLB entry is for a different page, reload and try again.  */
     if (!tlb_hit(tlb_addr, addr)) {
-        if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
+        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
                             addr & TARGET_PAGE_MASK)) {
             tlb_fill(env_cpu(env), addr, size,
                      access_type, mmu_idx, retaddr);
             index = tlb_index(env, mmu_idx, addr);
             entry = tlb_entry(env, mmu_idx, addr);
         }
-        tlb_addr = code_read ? entry->addr_code : entry->addr_read;
+        tlb_addr = tlb_read_idx(entry, access_type);
         tlb_addr &= ~TLB_INVALID_MASK;
     }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
                               MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_UB);
-    return load_helper(env, addr, oi, retaddr, MO_UB, false, full_ldub_mmu);
+    return load_helper(env, addr, oi, retaddr, MO_UB, MMU_DATA_LOAD,
+                       full_ldub_mmu);
 }
 
 tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
@@ -XXX,XX +XXX,XX @@ static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
                                  MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_LEUW);
-    return load_helper(env, addr, oi, retaddr, MO_LEUW, false,
+    return load_helper(env, addr, oi, retaddr, MO_LEUW, MMU_DATA_LOAD,
                        full_le_lduw_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
                                  MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_BEUW);
-    return load_helper(env, addr, oi, retaddr, MO_BEUW, false,
+    return load_helper(env, addr, oi, retaddr, MO_BEUW, MMU_DATA_LOAD,
                        full_be_lduw_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
                                  MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_LEUL);
-    return load_helper(env, addr, oi, retaddr, MO_LEUL, false,
+    return load_helper(env, addr, oi, retaddr, MO_LEUL, MMU_DATA_LOAD,
                        full_le_ldul_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
                                  MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_BEUL);
-    return load_helper(env, addr, oi, retaddr, MO_BEUL, false,
+    return load_helper(env, addr, oi, retaddr, MO_BEUL, MMU_DATA_LOAD,
                        full_be_ldul_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
                            MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_LEUQ);
-    return load_helper(env, addr, oi, retaddr, MO_LEUQ, false,
+    return load_helper(env, addr, oi, retaddr, MO_LEUQ, MMU_DATA_LOAD,
                        helper_le_ldq_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
                            MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_BEUQ);
-    return load_helper(env, addr, oi, retaddr, MO_BEUQ, false,
+    return load_helper(env, addr, oi, retaddr, MO_BEUQ, MMU_DATA_LOAD,
                        helper_be_ldq_mmu);
 }
 
@@ -XXX,XX +XXX,XX @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
                        uintptr_t retaddr, size_t size, uintptr_t mmu_idx,
                        bool big_endian)
 {
-    const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
     uintptr_t index, index2;
     CPUTLBEntry *entry, *entry2;
     target_ulong page1, page2, tlb_addr, tlb_addr2;
@@ -XXX,XX +XXX,XX @@ store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
 
     tlb_addr2 = tlb_addr_write(entry2);
     if (page1 != page2 && !tlb_hit_page(tlb_addr2, page2)) {
-        if (!victim_tlb_hit(env, mmu_idx, index2, tlb_off, page2)) {
+        if (!victim_tlb_hit(env, mmu_idx, index2, MMU_DATA_STORE, page2)) {
             tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
                      mmu_idx, retaddr);
             index2 = tlb_index(env, mmu_idx, page2);
@@ -XXX,XX +XXX,XX @@ static inline void QEMU_ALWAYS_INLINE
 store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
              MemOpIdx oi, uintptr_t retaddr, MemOp op)
 {
-    const size_t tlb_off = offsetof(CPUTLBEntry, addr_write);
     const unsigned a_bits = get_alignment_bits(get_memop(oi));
     const size_t size = memop_size(op);
     uintptr_t mmu_idx = get_mmuidx(oi);
@@ -XXX,XX +XXX,XX @@ store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
 
     /* If the TLB entry is for a different page, reload and try again.  */
     if (!tlb_hit(tlb_addr, addr)) {
-        if (!victim_tlb_hit(env, mmu_idx, index, tlb_off,
+        if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
             addr & TARGET_PAGE_MASK)) {
             tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
                      mmu_idx, retaddr);
@@ -XXX,XX +XXX,XX @@ void cpu_st16_le_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
 static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr,
                                MemOpIdx oi, uintptr_t retaddr)
 {
-    return load_helper(env, addr, oi, retaddr, MO_8, true, full_ldub_code);
+    return load_helper(env, addr, oi, retaddr, MO_8,
+                       MMU_INST_FETCH, full_ldub_code);
 }
 
 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
 static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr,
                                MemOpIdx oi, uintptr_t retaddr)
 {
-    return load_helper(env, addr, oi, retaddr, MO_TEUW, true, full_lduw_code);
+    return load_helper(env, addr, oi, retaddr, MO_TEUW,
+                       MMU_INST_FETCH, full_lduw_code);
 }
 
 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
 static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr,
                               MemOpIdx oi, uintptr_t retaddr)
 {
-    return load_helper(env, addr, oi, retaddr, MO_TEUL, true, full_ldl_code);
+    return load_helper(env, addr, oi, retaddr, MO_TEUL,
+                       MMU_INST_FETCH, full_ldl_code);
 }
 
 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
@@ -XXX,XX +XXX,XX @@ uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
 static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr,
                               MemOpIdx oi, uintptr_t retaddr)
 {
-    return load_helper(env, addr, oi, retaddr, MO_TEUQ, true, full_ldq_code);
+    return load_helper(env, addr, oi, retaddr, MO_TEUQ,
+                       MMU_INST_FETCH, full_ldq_code);
 }
 
 uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
-- 
2.34.1

Instead of trying to unify all operations on uint64_t, pull out
mmu_lookup() to perform the basic tlb hit and resolution.
Create individual functions to handle access by size.

Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 645 +++++++++++++++++++++++++++++----------------
 1 file changed, 424 insertions(+), 221 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ bool tlb_plugin_lookup(CPUState *cpu, target_ulong addr, int mmu_idx,
 
 #endif
 
+/*
+ * Probe for a load/store operation.
+ * Return the host address and into @flags.
+ */
+
+typedef struct MMULookupPageData {
+    CPUTLBEntryFull *full;
+    void *haddr;
+    target_ulong addr;
+    int flags;
+    int size;
+} MMULookupPageData;
+
+typedef struct MMULookupLocals {
+    MMULookupPageData page[2];
+    MemOp memop;
+    int mmu_idx;
+} MMULookupLocals;
+
+/**
+ * mmu_lookup1: translate one page
+ * @env: cpu context
+ * @data: lookup parameters
+ * @mmu_idx: virtual address context
+ * @access_type: load/store/code
+ * @ra: return address into tcg generated code, or 0
+ *
+ * Resolve the translation for the one page at @data.addr, filling in
+ * the rest of @data with the results.  If the translation fails,
+ * tlb_fill will longjmp out.  Return true if the softmmu tlb for
+ * @mmu_idx may have resized.
+ */
+static bool mmu_lookup1(CPUArchState *env, MMULookupPageData *data,
+                        int mmu_idx, MMUAccessType access_type, uintptr_t ra)
+{
+    target_ulong addr = data->addr;
+    uintptr_t index = tlb_index(env, mmu_idx, addr);
+    CPUTLBEntry *entry = tlb_entry(env, mmu_idx, addr);
+    target_ulong tlb_addr = tlb_read_idx(entry, access_type);
+    bool maybe_resized = false;
+
+    /* If the TLB entry is for a different page, reload and try again.  */
+    if (!tlb_hit(tlb_addr, addr)) {
+        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
+                            addr & TARGET_PAGE_MASK)) {
+            tlb_fill(env_cpu(env), addr, data->size, access_type, mmu_idx, ra);
+            maybe_resized = true;
+            index = tlb_index(env, mmu_idx, addr);
+            entry = tlb_entry(env, mmu_idx, addr);
+        }
+        tlb_addr = tlb_read_idx(entry, access_type) & ~TLB_INVALID_MASK;
+    }
+
+    data->flags = tlb_addr & TLB_FLAGS_MASK;
+    data->full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
+    /* Compute haddr speculatively; depending on flags it might be invalid. */
+    data->haddr = (void *)((uintptr_t)addr + entry->addend);
+
+    return maybe_resized;
+}
+
+/**
+ * mmu_watch_or_dirty
+ * @env: cpu context
+ * @data: lookup parameters
+ * @access_type: load/store/code
+ * @ra: return address into tcg generated code, or 0
+ *
+ * Trigger watchpoints for @data.addr:@data.size;
+ * record writes to protected clean pages.
+ */
+static void mmu_watch_or_dirty(CPUArchState *env, MMULookupPageData *data,
+                               MMUAccessType access_type, uintptr_t ra)
+{
+    CPUTLBEntryFull *full = data->full;
+    target_ulong addr = data->addr;
+    int flags = data->flags;
+    int size = data->size;
+
+    /* On watchpoint hit, this will longjmp out.  */
+    if (flags & TLB_WATCHPOINT) {
+        int wp = access_type == MMU_DATA_STORE ? BP_MEM_WRITE : BP_MEM_READ;
+        cpu_check_watchpoint(env_cpu(env), addr, size, full->attrs, wp, ra);
+        flags &= ~TLB_WATCHPOINT;
+    }
+
+    /* Note that notdirty is only set for writes. */
+    if (flags & TLB_NOTDIRTY) {
+        notdirty_write(env_cpu(env), addr, size, full, ra);
+        flags &= ~TLB_NOTDIRTY;
+    }
+    data->flags = flags;
+}
+
+/**
+ * mmu_lookup: translate page(s)
+ * @env: cpu context
+ * @addr: virtual address
+ * @oi: combined mmu_idx and MemOp
+ * @ra: return address into tcg generated code, or 0
+ * @access_type: load/store/code
+ * @l: output result
+ *
+ * Resolve the translation for the page(s) beginning at @addr, for MemOp.size
+ * bytes.  Return true if the lookup crosses a page boundary.
+ */
+static bool mmu_lookup(CPUArchState *env, target_ulong addr, MemOpIdx oi,
+                       uintptr_t ra, MMUAccessType type, MMULookupLocals *l)
+{
+    unsigned a_bits;
+    bool crosspage;
+    int flags;
+
+    l->memop = get_memop(oi);
+    l->mmu_idx = get_mmuidx(oi);
+
+    tcg_debug_assert(l->mmu_idx < NB_MMU_MODES);
+
+    /* Handle CPU specific unaligned behaviour */
+    a_bits = get_alignment_bits(l->memop);
+    if (addr & ((1 << a_bits) - 1)) {
+        cpu_unaligned_access(env_cpu(env), addr, type, l->mmu_idx, ra);
+    }
+
+    l->page[0].addr = addr;
+    l->page[0].size = memop_size(l->memop);
+    l->page[1].addr = (addr + l->page[0].size - 1) & TARGET_PAGE_MASK;
+    l->page[1].size = 0;
+    crosspage = (addr ^ l->page[1].addr) & TARGET_PAGE_MASK;
+
+    if (likely(!crosspage)) {
+        mmu_lookup1(env, &l->page[0], l->mmu_idx, type, ra);
+
+        flags = l->page[0].flags;
+        if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
+            mmu_watch_or_dirty(env, &l->page[0], type, ra);
+        }
+        if (unlikely(flags & TLB_BSWAP)) {
+            l->memop ^= MO_BSWAP;
+        }
+    } else {
+        /* Finish compute of page crossing. */
+        int size0 = l->page[1].addr - addr;
+        l->page[1].size = l->page[0].size - size0;
+        l->page[0].size = size0;
+
+        /*
+         * Lookup both pages, recognizing exceptions from either.  If the
+         * second lookup potentially resized, refresh first CPUTLBEntryFull.
+         */
+        mmu_lookup1(env, &l->page[0], l->mmu_idx, type, ra);
+        if (mmu_lookup1(env, &l->page[1], l->mmu_idx, type, ra)) {
+            uintptr_t index = tlb_index(env, l->mmu_idx, addr);
+            l->page[0].full = &env_tlb(env)->d[l->mmu_idx].fulltlb[index];
+        }
+
+        flags = l->page[0].flags | l->page[1].flags;
+        if (unlikely(flags & (TLB_WATCHPOINT | TLB_NOTDIRTY))) {
+            mmu_watch_or_dirty(env, &l->page[0], type, ra);
+            mmu_watch_or_dirty(env, &l->page[1], type, ra);
+        }
+
+        /*
+         * Since target/sparc is the only user of TLB_BSWAP, and all
+         * Sparc accesses are aligned, any treatment across two pages
+         * would be arbitrary.  Refuse it until there's a use.
+         */
+        tcg_debug_assert((flags & TLB_BSWAP) == 0);
+    }
+
+    return crosspage;
+}
+
 /*
  * Probe for an atomic operation.  Do not allow unaligned operations,
  * or io operations to proceed.  Return the host address.
@@ -XXX,XX +XXX,XX @@ load_memop(const void *haddr, MemOp op)
     }
 }
 
-static inline uint64_t QEMU_ALWAYS_INLINE
-load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
-            uintptr_t retaddr, MemOp op, MMUAccessType access_type,
-            FullLoadHelper *full_load)
-{
-    const unsigned a_bits = get_alignment_bits(get_memop(oi));
-    const size_t size = memop_size(op);
-    uintptr_t mmu_idx = get_mmuidx(oi);
-    uintptr_t index;
-    CPUTLBEntry *entry;
-    target_ulong tlb_addr;
-    void *haddr;
-    uint64_t res;
-
-    tcg_debug_assert(mmu_idx < NB_MMU_MODES);
-
-    /* Handle CPU specific unaligned behaviour */
-    if (addr & ((1 << a_bits) - 1)) {
-        cpu_unaligned_access(env_cpu(env), addr, access_type,
-                             mmu_idx, retaddr);
-    }
-
-    index = tlb_index(env, mmu_idx, addr);
-    entry = tlb_entry(env, mmu_idx, addr);
-    tlb_addr = tlb_read_idx(entry, access_type);
-
-    /* If the TLB entry is for a different page, reload and try again.  */
-    if (!tlb_hit(tlb_addr, addr)) {
-        if (!victim_tlb_hit(env, mmu_idx, index, access_type,
-                            addr & TARGET_PAGE_MASK)) {
-            tlb_fill(env_cpu(env), addr, size,
-                     access_type, mmu_idx, retaddr);
-            index = tlb_index(env, mmu_idx, addr);
-            entry = tlb_entry(env, mmu_idx, addr);
-        }
-        tlb_addr = tlb_read_idx(entry, access_type);
-        tlb_addr &= ~TLB_INVALID_MASK;
-    }
-
-    /* Handle anything that isn't just a straight memory access.  */
-    if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
-        CPUTLBEntryFull *full;
-        bool need_swap;
-
-        /* For anything that is unaligned, recurse through full_load.  */
-        if ((addr & (size - 1)) != 0) {
-            goto do_unaligned_access;
-        }
-
-        full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
-
-        /* Handle watchpoints.  */
-        if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
-            /* On watchpoint hit, this will longjmp out.  */
-            cpu_check_watchpoint(env_cpu(env), addr, size,
-                                 full->attrs, BP_MEM_READ, retaddr);
-        }
-
-        need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
-
-        /* Handle I/O access.  */
-        if (likely(tlb_addr & TLB_MMIO)) {
-            return io_readx(env, full, mmu_idx, addr, retaddr,
-                            access_type, op ^ (need_swap * MO_BSWAP));
-        }
-
-        haddr = (void *)((uintptr_t)addr + entry->addend);
-
-        /*
-         * Keep these two load_memop separate to ensure that the compiler
-         * is able to fold the entire function to a single instruction.
-         * There is a build-time assert inside to remind you of this.  ;-)
-         */
-        if (unlikely(need_swap)) {
-            return load_memop(haddr, op ^ MO_BSWAP);
-        }
-        return load_memop(haddr, op);
-    }
-
-    /* Handle slow unaligned access (it spans two pages or IO).  */
-    if (size > 1
-        && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
-                    >= TARGET_PAGE_SIZE)) {
-        target_ulong addr1, addr2;
-        uint64_t r1, r2;
-        unsigned shift;
-    do_unaligned_access:
-        addr1 = addr & ~((target_ulong)size - 1);
-        addr2 = addr1 + size;
-        r1 = full_load(env, addr1, oi, retaddr);
-        r2 = full_load(env, addr2, oi, retaddr);
-        shift = (addr & (size - 1)) * 8;
-
-        if (memop_big_endian(op)) {
-            /* Big-endian combine.  */
-            res = (r1 << shift) | (r2 >> ((size * 8) - shift));
-        } else {
-            /* Little-endian combine.  */
-            res = (r1 >> shift) | (r2 << ((size * 8) - shift));
-        }
-        return res & MAKE_64BIT_MASK(0, size * 8);
-    }
-
-    haddr = (void *)((uintptr_t)addr + entry->addend);
-    return load_memop(haddr, op);
-}
-
 /*
  * For the benefit of TCG generated code, we want to avoid the
  * complication of ABI-specific return type promotion and always
@@ -XXX,XX +XXX,XX @@ load_helper(CPUArchState *env, target_ulong addr, MemOpIdx oi,
  * We don't bother with this widened value for SOFTMMU_CODE_ACCESS.
  */
 
-static uint64_t full_ldub_mmu(CPUArchState *env, target_ulong addr,
-                              MemOpIdx oi, uintptr_t retaddr)
+/**
+ * do_ld_mmio_beN:
+ * @env: cpu context
+ * @p: translation parameters
+ * @ret_be: accumulated data
+ * @mmu_idx: virtual address context
+ * @ra: return address into tcg generated code, or 0
+ *
+ * Load @p->size bytes from @p->addr, which is memory-mapped i/o.
+ * The bytes are concatenated in big-endian order with @ret_be.
+ */
+static uint64_t do_ld_mmio_beN(CPUArchState *env, MMULookupPageData *p,
+                               uint64_t ret_be, int mmu_idx,
+                               MMUAccessType type, uintptr_t ra)
 {
-    validate_memop(oi, MO_UB);
-    return load_helper(env, addr, oi, retaddr, MO_UB, MMU_DATA_LOAD,
-                       full_ldub_mmu);
+    CPUTLBEntryFull *full = p->full;
+    target_ulong addr = p->addr;
+    int i, size = p->size;
+
+    QEMU_IOTHREAD_LOCK_GUARD();
+    for (i = 0; i < size; i++) {
+        uint8_t x = io_readx(env, full, mmu_idx, addr + i, ra, type, MO_UB);
+        ret_be = (ret_be << 8) | x;
+    }
+    return ret_be;
+}
+
+/**
+ * do_ld_bytes_beN
+ * @p: translation parameters
+ * @ret_be: accumulated data
+ *
+ * Load @p->size bytes from @p->haddr, which is RAM.
+ * The bytes to concatenated in big-endian order with @ret_be.
+ */
+static uint64_t do_ld_bytes_beN(MMULookupPageData *p, uint64_t ret_be)
+{
+    uint8_t *haddr = p->haddr;
+    int i, size = p->size;
+
+    for (i = 0; i < size; i++) {
+        ret_be = (ret_be << 8) | haddr[i];
+    }
+    return ret_be;
+}
+
+/*
+ * Wrapper for the above.
+ */
+static uint64_t do_ld_beN(CPUArchState *env, MMULookupPageData *p,
+                          uint64_t ret_be, int mmu_idx,
+                          MMUAccessType type, uintptr_t ra)
+{
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return do_ld_mmio_beN(env, p, ret_be, mmu_idx, type, ra);
+    } else {
+        return do_ld_bytes_beN(p, ret_be);
+    }
+}
+
+static uint8_t do_ld_1(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
+                       MMUAccessType type, uintptr_t ra)
+{
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, MO_UB);
+    } else {
+        return *(uint8_t *)p->haddr;
+    }
+}
+
+static uint16_t do_ld_2(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
+                        MMUAccessType type, MemOp memop, uintptr_t ra)
+{
+    uint64_t ret;
+
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
+    }
+
+    /* Perform the load host endian, then swap if necessary. */
+    ret = load_memop(p->haddr, MO_UW);
+    if (memop & MO_BSWAP) {
+        ret = bswap16(ret);
+    }
+    return ret;
+}
+
+static uint32_t do_ld_4(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
+                        MMUAccessType type, MemOp memop, uintptr_t ra)
+{
+    uint32_t ret;
+
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
+    }
+
+    /* Perform the load host endian. */
+    ret = load_memop(p->haddr, MO_UL);
+    if (memop & MO_BSWAP) {
+        ret = bswap32(ret);
+    }
+    return ret;
+}
+
+static uint64_t do_ld_8(CPUArchState *env, MMULookupPageData *p, int mmu_idx,
+                        MMUAccessType type, MemOp memop, uintptr_t ra)
+{
+    uint64_t ret;
+
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return io_readx(env, p->full, mmu_idx, p->addr, ra, type, memop);
+    }
+
+    /* Perform the load host endian. */
+    ret = load_memop(p->haddr, MO_UQ);
+    if (memop & MO_BSWAP) {
+        ret = bswap64(ret);
+    }
+    return ret;
+}
+
+static uint8_t do_ld1_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
+                          uintptr_t ra, MMUAccessType access_type)
+{
+    MMULookupLocals l;
+    bool crosspage;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
+    tcg_debug_assert(!crosspage);
+
+    return do_ld_1(env, &l.page[0], l.mmu_idx, access_type, ra);
 }
 
 tcg_target_ulong helper_ret_ldub_mmu(CPUArchState *env, target_ulong addr,
                                      MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_ldub_mmu(env, addr, oi, retaddr);
+    validate_memop(oi, MO_UB);
+    return do_ld1_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
-static uint64_t full_le_lduw_mmu(CPUArchState *env, target_ulong addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
+static uint16_t do_ld2_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
+                           uintptr_t ra, MMUAccessType access_type)
 {
-    validate_memop(oi, MO_LEUW);
-    return load_helper(env, addr, oi, retaddr, MO_LEUW, MMU_DATA_LOAD,
-                       full_le_lduw_mmu);
+    MMULookupLocals l;
+    bool crosspage;
+    uint16_t ret;
+    uint8_t a, b;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
+    if (likely(!crosspage)) {
+        return do_ld_2(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
+    }
+
+    a = do_ld_1(env, &l.page[0], l.mmu_idx, access_type, ra);
+    b = do_ld_1(env, &l.page[1], l.mmu_idx, access_type, ra);
+
+    if ((l.memop & MO_BSWAP) == MO_LE) {
+        ret = a | (b << 8);
+    } else {
+        ret = b | (a << 8);
+    }
+    return ret;
 }
 
 tcg_target_ulong helper_le_lduw_mmu(CPUArchState *env, target_ulong addr,
                                     MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_le_lduw_mmu(env, addr, oi, retaddr);
-}
-
-static uint64_t full_be_lduw_mmu(CPUArchState *env, target_ulong addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    validate_memop(oi, MO_BEUW);
-    return load_helper(env, addr, oi, retaddr, MO_BEUW, MMU_DATA_LOAD,
-                       full_be_lduw_mmu);
+    validate_memop(oi, MO_LEUW);
+    return do_ld2_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
 tcg_target_ulong helper_be_lduw_mmu(CPUArchState *env, target_ulong addr,
                                     MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_be_lduw_mmu(env, addr, oi, retaddr);
+    validate_memop(oi, MO_BEUW);
+    return do_ld2_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
-static uint64_t full_le_ldul_mmu(CPUArchState *env, target_ulong addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
+static uint32_t do_ld4_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
+                           uintptr_t ra, MMUAccessType access_type)
 {
-    validate_memop(oi, MO_LEUL);
-    return load_helper(env, addr, oi, retaddr, MO_LEUL, MMU_DATA_LOAD,
-                       full_le_ldul_mmu);
+    MMULookupLocals l;
+    bool crosspage;
+    uint32_t ret;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
+    if (likely(!crosspage)) {
+        return do_ld_4(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
+    }
+
+    ret = do_ld_beN(env, &l.page[0], 0, l.mmu_idx, access_type, ra);
+    ret = do_ld_beN(env, &l.page[1], ret, l.mmu_idx, access_type, ra);
+    if ((l.memop & MO_BSWAP) == MO_LE) {
+        ret = bswap32(ret);
+    }
+    return ret;
 }
 
 tcg_target_ulong helper_le_ldul_mmu(CPUArchState *env, target_ulong addr,
                                     MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_le_ldul_mmu(env, addr, oi, retaddr);
-}
-
-static uint64_t full_be_ldul_mmu(CPUArchState *env, target_ulong addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    validate_memop(oi, MO_BEUL);
-    return load_helper(env, addr, oi, retaddr, MO_BEUL, MMU_DATA_LOAD,
-                       full_be_ldul_mmu);
+    validate_memop(oi, MO_LEUL);
+    return do_ld4_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
 tcg_target_ulong helper_be_ldul_mmu(CPUArchState *env, target_ulong addr,
                                     MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_be_ldul_mmu(env, addr, oi, retaddr);
+    validate_memop(oi, MO_BEUL);
+    return do_ld4_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
+}
+
+static uint64_t do_ld8_mmu(CPUArchState *env, target_ulong addr, MemOpIdx oi,
+                           uintptr_t ra, MMUAccessType access_type)
+{
+    MMULookupLocals l;
+    bool crosspage;
+    uint64_t ret;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, access_type, &l);
+    if (likely(!crosspage)) {
+        return do_ld_8(env, &l.page[0], l.mmu_idx, access_type, l.memop, ra);
+    }
+
+    ret = do_ld_beN(env, &l.page[0], 0, l.mmu_idx, access_type, ra);
+    ret = do_ld_beN(env, &l.page[1], ret, l.mmu_idx, access_type, ra);
+    if ((l.memop & MO_BSWAP) == MO_LE) {
+        ret = bswap64(ret);
+    }
+    return ret;
 }
 
 uint64_t helper_le_ldq_mmu(CPUArchState *env, target_ulong addr,
                            MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_LEUQ);
-    return load_helper(env, addr, oi, retaddr, MO_LEUQ, MMU_DATA_LOAD,
-                       helper_le_ldq_mmu);
+    return do_ld8_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
 uint64_t helper_be_ldq_mmu(CPUArchState *env, target_ulong addr,
                            MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_BEUQ);
-    return load_helper(env, addr, oi, retaddr, MO_BEUQ, MMU_DATA_LOAD,
-                       helper_be_ldq_mmu);
+    return do_ld8_mmu(env, addr, oi, retaddr, MMU_DATA_LOAD);
 }
 
 /*
@@ -XXX,XX +XXX,XX @@ tcg_target_ulong helper_be_ldsl_mmu(CPUArchState *env, target_ulong addr,
  * Load helpers for cpu_ldst.h.
  */
 
-static inline uint64_t cpu_load_helper(CPUArchState *env, abi_ptr addr,
-                                       MemOpIdx oi, uintptr_t retaddr,
-                                       FullLoadHelper *full_load)
+static void plugin_load_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
 {
-    uint64_t ret;
-
-    ret = full_load(env, addr, oi, retaddr);
     qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_R);
-    return ret;
 }
 
 uint8_t cpu_ldb_mmu(CPUArchState *env, abi_ptr addr, MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, full_ldub_mmu);
+    uint8_t ret;
+
+    validate_memop(oi, MO_UB);
+    ret = do_ld1_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint16_t cpu_ldw_be_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, full_be_lduw_mmu);
+    uint16_t ret;
+
+    validate_memop(oi, MO_BEUW);
+    ret = do_ld2_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint32_t cpu_ldl_be_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, full_be_ldul_mmu);
+    uint32_t ret;
+
+    validate_memop(oi, MO_BEUL);
+    ret = do_ld4_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint64_t cpu_ldq_be_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, helper_be_ldq_mmu);
+    uint64_t ret;
+
+    validate_memop(oi, MO_BEUQ);
+    ret = do_ld8_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint16_t cpu_ldw_le_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, full_le_lduw_mmu);
+    uint16_t ret;
+
+    validate_memop(oi, MO_LEUW);
+    ret = do_ld2_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint32_t cpu_ldl_le_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, full_le_ldul_mmu);
+    uint32_t ret;
+
+    validate_memop(oi, MO_LEUL);
+    ret = do_ld4_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 uint64_t cpu_ldq_le_mmu(CPUArchState *env, abi_ptr addr,
                         MemOpIdx oi, uintptr_t ra)
 {
-    return cpu_load_helper(env, addr, oi, ra, helper_le_ldq_mmu);
+    uint64_t ret;
+
+    validate_memop(oi, MO_LEUQ);
+    ret = do_ld8_mmu(env, addr, oi, ra, MMU_DATA_LOAD);
+    plugin_load_cb(env, addr, oi);
+    return ret;
 }
 
 Int128 cpu_ld16_be_mmu(CPUArchState *env, abi_ptr addr,
@@ -XXX,XX +XXX,XX @@ void cpu_st16_le_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
 
 /* Code access functions.  */
 
-static uint64_t full_ldub_code(CPUArchState *env, target_ulong addr,
-                               MemOpIdx oi, uintptr_t retaddr)
-{
-    return load_helper(env, addr, oi, retaddr, MO_8,
-                       MMU_INST_FETCH, full_ldub_code);
-}
-
 uint32_t cpu_ldub_code(CPUArchState *env, abi_ptr addr)
 {
     MemOpIdx oi = make_memop_idx(MO_UB, cpu_mmu_index(env, true));
-    return full_ldub_code(env, addr, oi, 0);
-}
-
-static uint64_t full_lduw_code(CPUArchState *env, target_ulong addr,
-                               MemOpIdx oi, uintptr_t retaddr)
-{
-    return load_helper(env, addr, oi, retaddr, MO_TEUW,
-                       MMU_INST_FETCH, full_lduw_code);
+    return do_ld1_mmu(env, addr, oi, 0, MMU_INST_FETCH);
 }
 
 uint32_t cpu_lduw_code(CPUArchState *env, abi_ptr addr)
 {
     MemOpIdx oi = make_memop_idx(MO_TEUW, cpu_mmu_index(env, true));
-    return full_lduw_code(env, addr, oi, 0);
-}
-
-static uint64_t full_ldl_code(CPUArchState *env, target_ulong addr,
-                              MemOpIdx oi, uintptr_t retaddr)
-{
-    return load_helper(env, addr, oi, retaddr, MO_TEUL,
-                       MMU_INST_FETCH, full_ldl_code);
+    return do_ld2_mmu(env, addr, oi, 0, MMU_INST_FETCH);
 }
 
 uint32_t cpu_ldl_code(CPUArchState *env, abi_ptr addr)
 {
     MemOpIdx oi = make_memop_idx(MO_TEUL, cpu_mmu_index(env, true));
-    return full_ldl_code(env, addr, oi, 0);
-}
-
-static uint64_t full_ldq_code(CPUArchState *env, target_ulong addr,
-                              MemOpIdx oi, uintptr_t retaddr)
-{
-    return load_helper(env, addr, oi, retaddr, MO_TEUQ,
-                       MMU_INST_FETCH, full_ldq_code);
+    return do_ld4_mmu(env, addr, oi, 0, MMU_INST_FETCH);
 }
 
 uint64_t cpu_ldq_code(CPUArchState *env, abi_ptr addr)
 {
     MemOpIdx oi = make_memop_idx(MO_TEUQ, cpu_mmu_index(env, true));
-    return full_ldq_code(env, addr, oi, 0);
+    return do_ld8_mmu(env, addr, oi, 0, MMU_INST_FETCH);
 }
 
 uint8_t cpu_ldb_code_mmu(CPUArchState *env, abi_ptr addr,
                          MemOpIdx oi, uintptr_t retaddr)
 {
-    return full_ldub_code(env, addr, oi, retaddr);
+    return do_ld1_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
 }
 
 uint16_t cpu_ldw_code_mmu(CPUArchState *env, abi_ptr addr,
                           MemOpIdx oi, uintptr_t retaddr)
 {
-    MemOp mop = get_memop(oi);
-    int idx = get_mmuidx(oi);
-    uint16_t ret;
-
-    ret = full_lduw_code(env, addr, make_memop_idx(MO_TEUW, idx), retaddr);
-    if ((mop & MO_BSWAP) != MO_TE) {
-        ret = bswap16(ret);
-    }
-    return ret;
+    return do_ld2_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
 }
 
 uint32_t cpu_ldl_code_mmu(CPUArchState *env, abi_ptr addr,
                           MemOpIdx oi, uintptr_t retaddr)
 {
-    MemOp mop = get_memop(oi);
-    int idx = get_mmuidx(oi);
-    uint32_t ret;
-
-    ret = full_ldl_code(env, addr, make_memop_idx(MO_TEUL, idx), retaddr);
-    if ((mop & MO_BSWAP) != MO_TE) {
-        ret = bswap32(ret);
-    }
-    return ret;
+    return do_ld4_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
 }
 
 uint64_t cpu_ldq_code_mmu(CPUArchState *env, abi_ptr addr,
                           MemOpIdx oi, uintptr_t retaddr)
 {
-    MemOp mop = get_memop(oi);
-    int idx = get_mmuidx(oi);
-    uint64_t ret;
-
-    ret = full_ldq_code(env, addr, make_memop_idx(MO_TEUQ, idx), retaddr);
-    if ((mop & MO_BSWAP) != MO_TE) {
-        ret = bswap64(ret);
-    }
-    return ret;
+    return do_ld8_mmu(env, addr, oi, retaddr, MMU_INST_FETCH);
 }
-- 
2.34.1

Instead of trying to unify all operations on uint64_t, use
mmu_lookup() to perform the basic tlb hit and resolution.
Create individual functions to handle access by size.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 408 +++++++++++++++++++++------------------------
 1 file changed, 193 insertions(+), 215 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ store_memop(void *haddr, uint64_t val, MemOp op)
     }
 }
 
-static void full_stb_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-                         MemOpIdx oi, uintptr_t retaddr);
-
-static void __attribute__((noinline))
-store_helper_unaligned(CPUArchState *env, target_ulong addr, uint64_t val,
-                       uintptr_t retaddr, size_t size, uintptr_t mmu_idx,
-                       bool big_endian)
+/**
+ * do_st_mmio_leN:
+ * @env: cpu context
+ * @p: translation parameters
+ * @val_le: data to store
+ * @mmu_idx: virtual address context
+ * @ra: return address into tcg generated code, or 0
+ *
+ * Store @p->size bytes at @p->addr, which is memory-mapped i/o.
+ * The bytes to store are extracted in little-endian order from @val_le;
+ * return the bytes of @val_le beyond @p->size that have not been stored.
+ */
+static uint64_t do_st_mmio_leN(CPUArchState *env, MMULookupPageData *p,
+                               uint64_t val_le, int mmu_idx, uintptr_t ra)
 {
-    uintptr_t index, index2;
-    CPUTLBEntry *entry, *entry2;
-    target_ulong page1, page2, tlb_addr, tlb_addr2;
-    MemOpIdx oi;
-    size_t size2;
-    int i;
+    CPUTLBEntryFull *full = p->full;
+    target_ulong addr = p->addr;
+    int i, size = p->size;
 
-    /*
-     * Ensure the second page is in the TLB.  Note that the first page
-     * is already guaranteed to be filled, and that the second page
-     * cannot evict the first.  An exception to this rule is PAGE_WRITE_INV
-     * handling: the first page could have evicted itself.
-     */
-    page1 = addr & TARGET_PAGE_MASK;
-    page2 = (addr + size) & TARGET_PAGE_MASK;
-    size2 = (addr + size) & ~TARGET_PAGE_MASK;
-    index2 = tlb_index(env, mmu_idx, page2);
-    entry2 = tlb_entry(env, mmu_idx, page2);
-
-    tlb_addr2 = tlb_addr_write(entry2);
-    if (page1 != page2 && !tlb_hit_page(tlb_addr2, page2)) {
-        if (!victim_tlb_hit(env, mmu_idx, index2, MMU_DATA_STORE, page2)) {
-            tlb_fill(env_cpu(env), page2, size2, MMU_DATA_STORE,
-                     mmu_idx, retaddr);
-            index2 = tlb_index(env, mmu_idx, page2);
-            entry2 = tlb_entry(env, mmu_idx, page2);
-        }
-        tlb_addr2 = tlb_addr_write(entry2);
+    QEMU_IOTHREAD_LOCK_GUARD();
+    for (i = 0; i < size; i++, val_le >>= 8) {
+        io_writex(env, full, mmu_idx, val_le, addr + i, ra, MO_UB);
     }
+    return val_le;
+}
 
-    index = tlb_index(env, mmu_idx, addr);
-    entry = tlb_entry(env, mmu_idx, addr);
-    tlb_addr = tlb_addr_write(entry);
+/**
+ * do_st_bytes_leN:
+ * @p: translation parameters
+ * @val_le: data to store
+ *
+ * Store @p->size bytes at @p->haddr, which is RAM.
+ * The bytes to store are extracted in little-endian order from @val_le;
+ * return the bytes of @val_le beyond @p->size that have not been stored.
+ */
+static uint64_t do_st_bytes_leN(MMULookupPageData *p, uint64_t val_le)
+{
+    uint8_t *haddr = p->haddr;
+    int i, size = p->size;
 
-    /*
-     * Handle watchpoints.  Since this may trap, all checks
-     * must happen before any store.
-     */
-    if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
-        cpu_check_watchpoint(env_cpu(env), addr, size - size2,
-                             env_tlb(env)->d[mmu_idx].fulltlb[index].attrs,
-                             BP_MEM_WRITE, retaddr);
-    }
-    if (unlikely(tlb_addr2 & TLB_WATCHPOINT)) {
-        cpu_check_watchpoint(env_cpu(env), page2, size2,
-                             env_tlb(env)->d[mmu_idx].fulltlb[index2].attrs,
-                             BP_MEM_WRITE, retaddr);
+    for (i = 0; i < size; i++, val_le >>= 8) {
+        haddr[i] = val_le;
     }
+    return val_le;
+}
 
-    /*
-     * XXX: not efficient, but simple.
-     * This loop must go in the forward direction to avoid issues
-     * with self-modifying code in Windows 64-bit.
-     */
-    oi = make_memop_idx(MO_UB, mmu_idx);
-    if (big_endian) {
-        for (i = 0; i < size; ++i) {
-            /* Big-endian extract.  */
-            uint8_t val8 = val >> (((size - 1) * 8) - (i * 8));
-            full_stb_mmu(env, addr + i, val8, oi, retaddr);
-        }
+/*
+ * Wrapper for the above.
+ */
+static uint64_t do_st_leN(CPUArchState *env, MMULookupPageData *p,
+                          uint64_t val_le, int mmu_idx, uintptr_t ra)
+{
+    if (unlikely(p->flags & TLB_MMIO)) {
+        return do_st_mmio_leN(env, p, val_le, mmu_idx, ra);
+    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
+        return val_le >> (p->size * 8);
     } else {
-        for (i = 0; i < size; ++i) {
-            /* Little-endian extract.  */
-            uint8_t val8 = val >> (i * 8);
-            full_stb_mmu(env, addr + i, val8, oi, retaddr);
-        }
+        return do_st_bytes_leN(p, val_le);
     }
 }
 
-static inline void QEMU_ALWAYS_INLINE
-store_helper(CPUArchState *env, target_ulong addr, uint64_t val,
-             MemOpIdx oi, uintptr_t retaddr, MemOp op)
+static void do_st_1(CPUArchState *env, MMULookupPageData *p, uint8_t val,
+                    int mmu_idx, uintptr_t ra)
 {
-    const unsigned a_bits = get_alignment_bits(get_memop(oi));
-    const size_t size = memop_size(op);
-    uintptr_t mmu_idx = get_mmuidx(oi);
-    uintptr_t index;
-    CPUTLBEntry *entry;
-    target_ulong tlb_addr;
-    void *haddr;
-
-    tcg_debug_assert(mmu_idx < NB_MMU_MODES);
-
-    /* Handle CPU specific unaligned behaviour */
-    if (addr & ((1 << a_bits) - 1)) {
-        cpu_unaligned_access(env_cpu(env), addr, MMU_DATA_STORE,
-                             mmu_idx, retaddr);
+    if (unlikely(p->flags & TLB_MMIO)) {
+        io_writex(env, p->full, mmu_idx, val, p->addr, ra, MO_UB);
+    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
+        /* nothing */
+    } else {
+        *(uint8_t *)p->haddr = val;
     }
-
-    index = tlb_index(env, mmu_idx, addr);
-    entry = tlb_entry(env, mmu_idx, addr);
-    tlb_addr = tlb_addr_write(entry);
-
-    /* If the TLB entry is for a different page, reload and try again.  */
-    if (!tlb_hit(tlb_addr, addr)) {
-        if (!victim_tlb_hit(env, mmu_idx, index, MMU_DATA_STORE,
-            addr & TARGET_PAGE_MASK)) {
-            tlb_fill(env_cpu(env), addr, size, MMU_DATA_STORE,
-                     mmu_idx, retaddr);
-            index = tlb_index(env, mmu_idx, addr);
-            entry = tlb_entry(env, mmu_idx, addr);
-        }
-        tlb_addr = tlb_addr_write(entry) & ~TLB_INVALID_MASK;
-    }
-
-    /* Handle anything that isn't just a straight memory access.  */
-    if (unlikely(tlb_addr & ~TARGET_PAGE_MASK)) {
-        CPUTLBEntryFull *full;
-        bool need_swap;
-
-        /* For anything that is unaligned, recurse through byte stores.  */
-        if ((addr & (size - 1)) != 0) {
-            goto do_unaligned_access;
-        }
-
-        full = &env_tlb(env)->d[mmu_idx].fulltlb[index];
-
-        /* Handle watchpoints.  */
-        if (unlikely(tlb_addr & TLB_WATCHPOINT)) {
-            /* On watchpoint hit, this will longjmp out.  */
-            cpu_check_watchpoint(env_cpu(env), addr, size,
-                                 full->attrs, BP_MEM_WRITE, retaddr);
-        }
-
-        need_swap = size > 1 && (tlb_addr & TLB_BSWAP);
-
-        /* Handle I/O access.  */
-        if (tlb_addr & TLB_MMIO) {
-            io_writex(env, full, mmu_idx, val, addr, retaddr,
-                      op ^ (need_swap * MO_BSWAP));
-            return;
-        }
-
-        /* Ignore writes to ROM.  */
-        if (unlikely(tlb_addr & TLB_DISCARD_WRITE)) {
-            return;
-        }
-
-        /* Handle clean RAM pages.  */
-        if (tlb_addr & TLB_NOTDIRTY) {
-            notdirty_write(env_cpu(env), addr, size, full, retaddr);
-        }
-
-        haddr = (void *)((uintptr_t)addr + entry->addend);
-
-        /*
-         * Keep these two store_memop separate to ensure that the compiler
-         * is able to fold the entire function to a single instruction.
-         * There is a build-time assert inside to remind you of this.  ;-)
-         */
-        if (unlikely(need_swap)) {
-            store_memop(haddr, val, op ^ MO_BSWAP);
-        } else {
-            store_memop(haddr, val, op);
-        }
-        return;
-    }
-
-    /* Handle slow unaligned access (it spans two pages or IO).  */
-    if (size > 1
-        && unlikely((addr & ~TARGET_PAGE_MASK) + size - 1
-                     >= TARGET_PAGE_SIZE)) {
-    do_unaligned_access:
-        store_helper_unaligned(env, addr, val, retaddr, size,
-                               mmu_idx, memop_big_endian(op));
-        return;
-    }
-
-    haddr = (void *)((uintptr_t)addr + entry->addend);
-    store_memop(haddr, val, op);
 }
 
-static void __attribute__((noinline))
-full_stb_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-             MemOpIdx oi, uintptr_t retaddr)
+static void do_st_2(CPUArchState *env, MMULookupPageData *p, uint16_t val,
+                    int mmu_idx, MemOp memop, uintptr_t ra)
 {
-    validate_memop(oi, MO_UB);
-    store_helper(env, addr, val, oi, retaddr, MO_UB);
+    if (unlikely(p->flags & TLB_MMIO)) {
+        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
+    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
+        /* nothing */
+    } else {
+        /* Swap to host endian if necessary, then store. */
+        if (memop & MO_BSWAP) {
+            val = bswap16(val);
+        }
+        store_memop(p->haddr, val, MO_UW);
+    }
+}
+
+static void do_st_4(CPUArchState *env, MMULookupPageData *p, uint32_t val,
+                    int mmu_idx, MemOp memop, uintptr_t ra)
+{
+    if (unlikely(p->flags & TLB_MMIO)) {
+        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
+    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
+        /* nothing */
+    } else {
+        /* Swap to host endian if necessary, then store. */
+        if (memop & MO_BSWAP) {
+            val = bswap32(val);
+        }
+        store_memop(p->haddr, val, MO_UL);
+    }
+}
+
+static void do_st_8(CPUArchState *env, MMULookupPageData *p, uint64_t val,
+                    int mmu_idx, MemOp memop, uintptr_t ra)
+{
+    if (unlikely(p->flags & TLB_MMIO)) {
+        io_writex(env, p->full, mmu_idx, val, p->addr, ra, memop);
+    } else if (unlikely(p->flags & TLB_DISCARD_WRITE)) {
+        /* nothing */
+    } else {
+        /* Swap to host endian if necessary, then store. */
+        if (memop & MO_BSWAP) {
+            val = bswap64(val);
+        }
+        store_memop(p->haddr, val, MO_UQ);
+    }
 }
 
 void helper_ret_stb_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
-                        MemOpIdx oi, uintptr_t retaddr)
+                        MemOpIdx oi, uintptr_t ra)
 {
-    full_stb_mmu(env, addr, val, oi, retaddr);
+    MMULookupLocals l;
+    bool crosspage;
+
+    validate_memop(oi, MO_UB);
+    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
+    tcg_debug_assert(!crosspage);
+
+    do_st_1(env, &l.page[0], val, l.mmu_idx, ra);
 }
 
-static void full_le_stw_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-                            MemOpIdx oi, uintptr_t retaddr)
+static void do_st2_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
+                       MemOpIdx oi, uintptr_t ra)
 {
-    validate_memop(oi, MO_LEUW);
-    store_helper(env, addr, val, oi, retaddr, MO_LEUW);
+    MMULookupLocals l;
+    bool crosspage;
+    uint8_t a, b;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
+    if (likely(!crosspage)) {
+        do_st_2(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
+        return;
+    }
+
+    if ((l.memop & MO_BSWAP) == MO_LE) {
+        a = val, b = val >> 8;
+    } else {
+        b = val, a = val >> 8;
+    }
+    do_st_1(env, &l.page[0], a, l.mmu_idx, ra);
+    do_st_1(env, &l.page[1], b, l.mmu_idx, ra);
 }
 
 void helper_le_stw_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
-    full_le_stw_mmu(env, addr, val, oi, retaddr);
-}
-
-static void full_be_stw_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-                            MemOpIdx oi, uintptr_t retaddr)
-{
-    validate_memop(oi, MO_BEUW);
-    store_helper(env, addr, val, oi, retaddr, MO_BEUW);
+    validate_memop(oi, MO_LEUW);
+    do_st2_mmu(env, addr, val, oi, retaddr);
 }
 
 void helper_be_stw_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
-    full_be_stw_mmu(env, addr, val, oi, retaddr);
+    validate_memop(oi, MO_BEUW);
+    do_st2_mmu(env, addr, val, oi, retaddr);
 }
 
-static void full_le_stl_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-                            MemOpIdx oi, uintptr_t retaddr)
+static void do_st4_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
+                       MemOpIdx oi, uintptr_t ra)
 {
-    validate_memop(oi, MO_LEUL);
-    store_helper(env, addr, val, oi, retaddr, MO_LEUL);
+    MMULookupLocals l;
+    bool crosspage;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
+    if (likely(!crosspage)) {
+        do_st_4(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
+        return;
+    }
+
+    /* Swap to little endian for simplicity, then store by bytes. */
+    if ((l.memop & MO_BSWAP) != MO_LE) {
+        val = bswap32(val);
+    }
+    val = do_st_leN(env, &l.page[0], val, l.mmu_idx, ra);
+    (void) do_st_leN(env, &l.page[1], val, l.mmu_idx, ra);
 }
 
 void helper_le_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
-    full_le_stl_mmu(env, addr, val, oi, retaddr);
-}
-
-static void full_be_stl_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
-                            MemOpIdx oi, uintptr_t retaddr)
-{
-    validate_memop(oi, MO_BEUL);
-    store_helper(env, addr, val, oi, retaddr, MO_BEUL);
+    validate_memop(oi, MO_LEUL);
+    do_st4_mmu(env, addr, val, oi, retaddr);
 }
 
 void helper_be_stl_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
-    full_be_stl_mmu(env, addr, val, oi, retaddr);
+    validate_memop(oi, MO_BEUL);
+    do_st4_mmu(env, addr, val, oi, retaddr);
+}
+
+static void do_st8_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
+                       MemOpIdx oi, uintptr_t ra)
+{
+    MMULookupLocals l;
+    bool crosspage;
+
+    crosspage = mmu_lookup(env, addr, oi, ra, MMU_DATA_STORE, &l);
+    if (likely(!crosspage)) {
+        do_st_8(env, &l.page[0], val, l.mmu_idx, l.memop, ra);
+        return;
+    }
+
+    /* Swap to little endian for simplicity, then store by bytes. */
+    if ((l.memop & MO_BSWAP) != MO_LE) {
+        val = bswap64(val);
+    }
+    val = do_st_leN(env, &l.page[0], val, l.mmu_idx, ra);
+    (void) do_st_leN(env, &l.page[1], val, l.mmu_idx, ra);
 }
 
 void helper_le_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_LEUQ);
-    store_helper(env, addr, val, oi, retaddr, MO_LEUQ);
+    do_st8_mmu(env, addr, val, oi, retaddr);
 }
 
 void helper_be_stq_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
                        MemOpIdx oi, uintptr_t retaddr)
 {
     validate_memop(oi, MO_BEUQ);
-    store_helper(env, addr, val, oi, retaddr, MO_BEUQ);
+    do_st8_mmu(env, addr, val, oi, retaddr);
 }
 
 /*
  * Store Helpers for cpu_ldst.h
  */
 
-typedef void FullStoreHelper(CPUArchState *env, target_ulong addr,
-                             uint64_t val, MemOpIdx oi, uintptr_t retaddr);
-
-static inline void cpu_store_helper(CPUArchState *env, target_ulong addr,
-                                    uint64_t val, MemOpIdx oi, uintptr_t ra,
-                                    FullStoreHelper *full_store)
+static void plugin_store_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
 {
-    full_store(env, addr, val, oi, ra);
     qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_W);
 }
 
 void cpu_stb_mmu(CPUArchState *env, target_ulong addr, uint8_t val,
                  MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, full_stb_mmu);
+    helper_ret_stb_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stw_be_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, full_be_stw_mmu);
+    helper_be_stw_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stl_be_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, full_be_stl_mmu);
+    helper_be_stl_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stq_be_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, helper_be_stq_mmu);
+    helper_be_stq_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stw_le_mmu(CPUArchState *env, target_ulong addr, uint16_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, full_le_stw_mmu);
+    helper_le_stw_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stl_le_mmu(CPUArchState *env, target_ulong addr, uint32_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, full_le_stl_mmu);
+    helper_le_stl_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_stq_le_mmu(CPUArchState *env, target_ulong addr, uint64_t val,
                     MemOpIdx oi, uintptr_t retaddr)
 {
-    cpu_store_helper(env, addr, val, oi, retaddr, helper_le_stq_mmu);
+    helper_le_stq_mmu(env, addr, val, oi, retaddr);
+    plugin_store_cb(env, addr, oi);
 }
 
 void cpu_st16_be_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
-- 
2.34.1

This header is supposed to be private to tcg and in fact
does not need to be included here at all.

Reviewed-by: Song Gao <gaosong@loongson.cn>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 target/loongarch/csr_helper.c   | 1 -
 target/loongarch/iocsr_helper.c | 1 -
 2 files changed, 2 deletions(-)

diff --git a/target/loongarch/csr_helper.c b/target/loongarch/csr_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/loongarch/csr_helper.c
+++ b/target/loongarch/csr_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/cpu_ldst.h"
 #include "hw/irq.h"
 #include "cpu-csr.h"
-#include "tcg/tcg-ldst.h"
 
 target_ulong helper_csrrd_pgd(CPULoongArchState *env)
 {
diff --git a/target/loongarch/iocsr_helper.c b/target/loongarch/iocsr_helper.c
index XXXXXXX..XXXXXXX 100644
--- a/target/loongarch/iocsr_helper.c
+++ b/target/loongarch/iocsr_helper.c
@@ -XXX,XX +XXX,XX @@
 #include "exec/helper-proto.h"
 #include "exec/exec-all.h"
 #include "exec/cpu_ldst.h"
-#include "tcg/tcg-ldst.h"
 
 #define GET_MEMTXATTRS(cas) \
         ((MemTxAttrs){.requester_id = env_cpu(cas)->cpu_index})
-- 
2.34.1