Series comparison

-[PULL for-8.1-rc1 0/7] tcg patch queue
+[PULL v2 00/29] tcg patch queue
-The following changes since commit d1181d29370a4318a9f11ea92065bea6bb159f83:
+v2: Fix FreeBSD build error in patch 18.
-  Merge tag 'pull-nbd-2023-07-19' of https://repo.or.cz/qemu/ericb into staging (2023-07-20 09:54:07 +0100)
+r~
 The following changes since commit 0d239e513e0117e66fa739fb71a43b9383a108ff:
   Merge tag 'pull-lu-20231018' of https://gitlab.com/rth7680/qemu into staging (2023-10-19 10:20:57 -0700)
 are available in the Git repository at:
-  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230724
+  https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20231018-2
-for you to fetch changes up to 32b120394c578bc824f1db4835b3bffbeca88fae:
+for you to fetch changes up to a75f704d972b9408f5e2843784b3add48c724c52:
-  accel/tcg: Fix type of 'last' for pageflags_{find,next} (2023-07-24 09:48:49 +0100)
+  target/i386: Use i128 for 128 and 256-bit loads and stores (2023-10-19 21:11:44 -0700)
 ----------------------------------------------------------------
-accel/tcg: Zero-pad vaddr in tlb debug output
+tcg: Drop unused tcg_temp_free define
-accel/tcg: Fix type of 'last' for pageflags_{find,next}
+tcg: Introduce tcg_use_softmmu
-accel/tcg: Fix sense of read-only probes in ldst_atomicity
+tcg: Optimize past conditional branches
-accel/tcg: Take mmap_lock in load_atomic*_or_exit
+tcg: Use constant zero when expanding with divu2
-tcg: Add earlyclobber to op_add2 for x86 and s390x
+tcg/ppc: Enable direct branching tcg_out_goto_tb with TCG_REG_TB
-tcg/ppc: Fix race in goto_tb implementation
+tcg/ppc: Use ADDPCIS for power9
 tcg/ppc: Use prefixed instructions for power10
 tcg/ppc: Disable TCG_REG_TB for Power9/Power10
 ----------------------------------------------------------------
-Anton Johansson (1):
+Jordan Niethe (1):
-      accel/tcg: Zero-pad vaddr in tlb_debug output
+      tcg/ppc: Enable direct branching tcg_out_goto_tb with TCG_REG_TB
-Ilya Leoshkevich (1):
+Mike Frysinger (1):
-      tcg/{i386, s390x}: Add earlyclobber to the op_add2's first output
+      tcg: drop unused tcg_temp_free define
-Jordan Niethe (1):
+Richard Henderson (27):
-      tcg/ppc: Fix race in goto_tb implementation
+      tcg/ppc: Untabify tcg-target.c.inc
       tcg/ppc: Reinterpret tb-relative to TB+4
       tcg/ppc: Use ADDPCIS in tcg_out_tb_start
       tcg/ppc: Use ADDPCIS in tcg_out_movi_int
       tcg/ppc: Use ADDPCIS for the constant pool
       tcg/ppc: Use ADDPCIS in tcg_out_goto_tb
       tcg/ppc: Use PADDI in tcg_out_movi
       tcg/ppc: Use prefixed instructions in tcg_out_mem_long
       tcg/ppc: Use PLD in tcg_out_movi for constant pool
       tcg/ppc: Use prefixed instructions in tcg_out_dupi_vec
       tcg/ppc: Use PLD in tcg_out_goto_tb
       tcg/ppc: Disable TCG_REG_TB for Power9/Power10
       tcg: Introduce tcg_use_softmmu
       tcg: Provide guest_base fallback for system mode
       tcg/arm: Use tcg_use_softmmu
       tcg/aarch64: Use tcg_use_softmmu
       tcg/i386: Use tcg_use_softmmu
       tcg/loongarch64: Use tcg_use_softmmu
       tcg/mips: Use tcg_use_softmmu
       tcg/ppc: Use tcg_use_softmmu
       tcg/riscv: Do not reserve TCG_GUEST_BASE_REG for guest_base zero
       tcg/riscv: Use tcg_use_softmmu
       tcg/s390x: Use tcg_use_softmmu
       tcg: Use constant zero when expanding with divu2
       tcg: Optimize past conditional branches
       tcg: Add tcg_gen_{ld,st}_i128
       target/i386: Use i128 for 128 and 256-bit loads and stores
-Luca Bonissi (1):
+ include/tcg/tcg-op-common.h      |   3 +
-      accel/tcg: Fix type of 'last' for pageflags_{find,next}
+ include/tcg/tcg-op.h             |   2 -
+ include/tcg/tcg.h                |   8 +-
-Richard Henderson (3):
+ target/i386/tcg/translate.c      |  63 ++---
-      include/exec: Add WITH_MMAP_LOCK_GUARD
+ tcg/optimize.c                   |   8 +-
-      accel/tcg: Fix sense of read-only probes in ldst_atomicity
+ tcg/tcg-op-ldst.c                |  14 +-
-      accel/tcg: Take mmap_lock in load_atomic*_or_exit
+ tcg/tcg-op.c                     |  38 ++-
+ tcg/tcg.c                        |  13 +-
- include/exec/exec-all.h        | 10 ++++++++++
+ tcg/aarch64/tcg-target.c.inc     | 177 ++++++------
- tcg/i386/tcg-target-con-set.h  |  5 ++++-
+ tcg/arm/tcg-target.c.inc         | 203 +++++++-------
- tcg/s390x/tcg-target-con-set.h |  8 +++++---
+ tcg/i386/tcg-target.c.inc        | 198 +++++++-------
- accel/tcg/cputlb.c             | 20 ++++++++++----------
+ tcg/loongarch64/tcg-target.c.inc | 126 +++++----
- accel/tcg/user-exec.c          |  4 ++--
+ tcg/mips/tcg-target.c.inc        | 231 ++++++++--------
- bsd-user/mmap.c                |  1 +
+ tcg/ppc/tcg-target.c.inc         | 561 ++++++++++++++++++++++++++-------------
- linux-user/mmap.c              |  1 +
+ tcg/riscv/tcg-target.c.inc       | 189 ++++++-------
- tcg/tcg.c                      |  8 +++++++-
+ tcg/s390x/tcg-target.c.inc       | 161 ++++++-----
- accel/tcg/ldst_atomicity.c.inc | 32 ++++++++++++++++++--------------
+files changed, 1102 insertions(+), 893 deletions(-)
  tcg/i386/tcg-target.c.inc      |  2 +-
  tcg/ppc/tcg-target.c.inc       |  9 +++++----
  tcg/s390x/tcg-target.c.inc     |  4 ++--
 files changed, 66 insertions(+), 38 deletions(-)

-[PULL 1/7] tcg/ppc: Fix race in goto_tb implementation
+Deleted patch
-From: Jordan Niethe <jniethe5@gmail.com>
-Commit 20b6643324 ("tcg/ppc: Reorg goto_tb implementation") modified
-goto_tb to ensure only a single instruction was patched to prevent
-incorrect behavior if a thread was in the middle of multiple
-instructions when they were replaced. However this introduced a race
-between loading the jmp target into TCG_REG_TB and patching and
-executing the direct branch.
-The relevant part of the goto_tb implementation:
-    ld TCG_REG_TB, TARGET_ADDR_LOCATION(TCG_REG_TB)
-  patch_location:
-    mtctr TCG_REG_TB
-    bctr
-tb_target_set_jmp_target() will replace 'patch_location' with a direct
-branch if the target is in range. The direct branch now relies on
-TCG_REG_TB being set up correctly by the ld. Prior to this commit
-multiple instructions were patched in for the direct branch case; these
-instructions would initialize TCG_REG_TB to the same value as the branch
-target.
-Imagine the following sequence:
-) Thread A is executing the goto_tb sequence and loads the jmp
-   target into TCG_REG_TB.
-) Thread B updates the jmp target address and calls
-   tb_target_set_jmp_target(). This patches a new direct branch into the
-   goto_tb sequence.
-) Thread A executes the newly patched direct branch. The value in
-   TCG_REG_TB still contains the old jmp target.
-TCG_REG_TB MUST contain the translation block's tc.ptr. Execution will
-eventually crash after performing memory accesses generated from a
-faulty value in TCG_REG_TB.
-This presents as segfaults or illegal instruction exceptions.
-Do not revert commit 20b6643324 as it did fix a different race
-condition. Instead remove the direct branch optimization and always use
-indirect branches.
-The direct branch optimization can be re-added later with a race free
-sequence.
-Fixes: 20b6643324 ("tcg/ppc: Reorg goto_tb implementation")
-Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1726
-Reported-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
-Tested-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
-Tested-by: Michael Tokarev <mjt@tls.msk.ru>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Co-developed-by: Benjamin Gray <bgray@linux.ibm.com>
-Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
-Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
-Message-Id: <20230717093001.13167-1-jniethe5@gmail.com>
----
- tcg/ppc/tcg-target.c.inc | 9 +++++----
-file changed, 5 insertions(+), 4 deletions(-)
-diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/ppc/tcg-target.c.inc
-+++ b/tcg/ppc/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto_tb(TCGContext *s, int which)
-         ptrdiff_t offset = tcg_tbrel_diff(s, (void *)ptr);
-         tcg_out_mem_long(s, LD, LDX, TCG_REG_TB, TCG_REG_TB, offset);
--        /* Direct branch will be patched by tb_target_set_jmp_target. */
-+        /* TODO: Use direct branches when possible. */
-         set_jmp_insn_offset(s, which);
-         tcg_out32(s, MTSPR | RS(TCG_REG_TB) | CTR);
--        /* When branch is out of range, fall through to indirect. */
-         tcg_out32(s, BCCTR | BO_ALWAYS);
-         /* For the unlinked case, need to reset TCG_REG_TB.  */
-@@ -XXX,XX +XXX,XX @@ void tb_target_set_jmp_target(const TranslationBlock *tb, int n,
-     intptr_t diff = addr - jmp_rx;
-     tcg_insn_unit insn;
-+    if (USE_REG_TB) {
-+        return;
-+    }
-+
-     if (in_range_b(diff)) {
-         insn = B | (diff & 0x3fffffc);
--    } else if (USE_REG_TB) {
--        insn = MTSPR | RS(TCG_REG_TB) | CTR;
-     } else {
-         insn = NOP;
-     }
---
-.34.1

-[PULL 2/7] include/exec: Add WITH_MMAP_LOCK_GUARD
+Deleted patch
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- include/exec/exec-all.h | 10 ++++++++++
- bsd-user/mmap.c         |  1 +
- linux-user/mmap.c       |  1 +
-files changed, 12 insertions(+)
-diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
-index XXXXXXX..XXXXXXX 100644
---- a/include/exec/exec-all.h
-+++ b/include/exec/exec-all.h
-@@ -XXX,XX +XXX,XX @@ void TSA_NO_TSA mmap_lock(void);
- void TSA_NO_TSA mmap_unlock(void);
- bool have_mmap_lock(void);
-+static inline void mmap_unlock_guard(void *unused)
-+{
-+    mmap_unlock();
-+}
-+
-+#define WITH_MMAP_LOCK_GUARD()                                            \
-+    for (int _mmap_lock_iter __attribute__((cleanup(mmap_unlock_guard)))  \
-+         = (mmap_lock(), 0); _mmap_lock_iter == 0; _mmap_lock_iter = 1)
-+
- /**
-  * adjust_signal_pc:
-  * @pc: raw pc from the host signal ucontext_t.
-@@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
- #else
- static inline void mmap_lock(void) {}
- static inline void mmap_unlock(void) {}
-+#define WITH_MMAP_LOCK_GUARD()
- void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
- void tlb_set_dirty(CPUState *cpu, vaddr addr);
-diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
-index XXXXXXX..XXXXXXX 100644
---- a/bsd-user/mmap.c
-+++ b/bsd-user/mmap.c
-@@ -XXX,XX +XXX,XX @@ void mmap_lock(void)
- void mmap_unlock(void)
- {
-+    assert(mmap_lock_count > 0);
-     if (--mmap_lock_count == 0) {
-         pthread_mutex_unlock(&mmap_mutex);
-     }
-diff --git a/linux-user/mmap.c b/linux-user/mmap.c
-index XXXXXXX..XXXXXXX 100644
---- a/linux-user/mmap.c
-+++ b/linux-user/mmap.c
-@@ -XXX,XX +XXX,XX @@ void mmap_lock(void)
- void mmap_unlock(void)
- {
-+    assert(mmap_lock_count > 0);
-     if (--mmap_lock_count == 0) {
-         pthread_mutex_unlock(&mmap_mutex);
-     }
---
-.34.1

-[PULL 3/7] accel/tcg: Fix sense of read-only probes in ldst_atomicity
+Deleted patch
-In the initial commit, cdfac37be0d, the sense of the test is incorrect,
-as the -1/0 return was confusing.  In bef6f008b981, we mechanically
-invert all callers while changing to false/true return, preserving the
-incorrectness of the test.
-Now that the return sense is sane, it's easy to see that if !write,
-then the page is not modifiable (i.e. most likely read-only, with
-PROT_NONE handled via SIGSEGV).
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- accel/tcg/ldst_atomicity.c.inc | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/accel/tcg/ldst_atomicity.c.inc b/accel/tcg/ldst_atomicity.c.inc
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/ldst_atomicity.c.inc
-+++ b/accel/tcg/ldst_atomicity.c.inc
-@@ -XXX,XX +XXX,XX @@ static uint64_t load_atomic8_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
-      * another process, because the fallback start_exclusive solution
-      * provides no protection across processes.
-      */
--    if (page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
-+    if (!page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
-         uint64_t *p = __builtin_assume_aligned(pv, 8);
-         return *p;
-     }
-@@ -XXX,XX +XXX,XX @@ static Int128 load_atomic16_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
-      * another process, because the fallback start_exclusive solution
-      * provides no protection across processes.
-      */
--    if (page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
-+    if (!page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
-         return *p;
-     }
- #endif
---
-.34.1

-[PULL 4/7] accel/tcg: Take mmap_lock in load_atomic*_or_exit
+Deleted patch
-For user-only, the probe for page writability may race with another
-thread's mprotect.  Take the mmap_lock around the operation.  This
-is still faster than the start/end_exclusive fallback.
-Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- accel/tcg/ldst_atomicity.c.inc | 32 ++++++++++++++++++--------------
-file changed, 18 insertions(+), 14 deletions(-)
-diff --git a/accel/tcg/ldst_atomicity.c.inc b/accel/tcg/ldst_atomicity.c.inc
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/ldst_atomicity.c.inc
-+++ b/accel/tcg/ldst_atomicity.c.inc
-@@ -XXX,XX +XXX,XX @@ static uint64_t load_atomic8_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
-      * another process, because the fallback start_exclusive solution
-      * provides no protection across processes.
-      */
--    if (!page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
--        uint64_t *p = __builtin_assume_aligned(pv, 8);
--        return *p;
-+    WITH_MMAP_LOCK_GUARD() {
-+        if (!page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
-+            uint64_t *p = __builtin_assume_aligned(pv, 8);
-+            return *p;
-+        }
-     }
- #endif
-@@ -XXX,XX +XXX,XX @@ static Int128 load_atomic16_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
-         return atomic16_read_ro(p);
-     }
--#ifdef CONFIG_USER_ONLY
-     /*
-      * We can only use cmpxchg to emulate a load if the page is writable.
-      * If the page is not writable, then assume the value is immutable
-      * and requires no locking.  This ignores the case of MAP_SHARED with
-      * another process, because the fallback start_exclusive solution
-      * provides no protection across processes.
-+     *
-+     * In system mode all guest pages are writable.  For user mode,
-+     * we must take mmap_lock so that the query remains valid until
-+     * the write is complete -- tests/tcg/multiarch/munmap-pthread.c
-+     * is an example that can race.
-      */
--    if (!page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
--        return *p;
--    }
-+    WITH_MMAP_LOCK_GUARD() {
-+#ifdef CONFIG_USER_ONLY
-+        if (!page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
-+            return *p;
-+        }
- #endif
--
--    /*
--     * In system mode all guest pages are writable, and for user-only
--     * we have just checked writability.  Try cmpxchg.
--     */
--    if (HAVE_ATOMIC128_RW) {
--        return atomic16_read_rw(p);
-+        if (HAVE_ATOMIC128_RW) {
-+            return atomic16_read_rw(p);
-+        }
-     }
-     /* Ultimate fallback: re-execute in serial context. */
---
-.34.1

-[PULL 5/7] tcg/{i386, s390x}: Add earlyclobber to the op_add2's first output
+[PULL v2 18/29] tcg/i386: Use tcg_use_softmmu
-From: Ilya Leoshkevich <iii@linux.ibm.com>
+Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
 i386 and s390x implementations of op_add2 require an earlyclobber,
 which is currently missing. This breaks VCKSM in s390x guests. E.g., on
 x86_64 the following op:
     add2_i32 tmp2,tmp3,tmp2,tmp3,tmp3,tmp2   dead: 0 2 3 4 5  pref=none,0xffff
 is translated to:
     addl     %ebx, %r12d
     adcl     %r12d, %ebx
 Introduce a new C_N1_O1_I4 constraint, and make sure that earlyclobber
 of aliased outputs is honored.
 Cc: qemu-stable@nongnu.org
 Fixes: 82790a870992 ("tcg: Add markup for output requires new register")
 Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
 Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
 Message-Id: <20230719221310.1968845-7-iii@linux.ibm.com>
 Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
 ---
- tcg/i386/tcg-target-con-set.h  | 5 ++++-
+ tcg/i386/tcg-target.c.inc | 198 +++++++++++++++++++-------------------
- tcg/s390x/tcg-target-con-set.h | 8 +++++---
+file changed, 98 insertions(+), 100 deletions(-)
  tcg/tcg.c                      | 8 +++++++-
  tcg/i386/tcg-target.c.inc      | 2 +-
  tcg/s390x/tcg-target.c.inc     | 4 ++--
 files changed, 19 insertions(+), 8 deletions(-)
-diff --git a/tcg/i386/tcg-target-con-set.h b/tcg/i386/tcg-target-con-set.h
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/i386/tcg-target-con-set.h
-+++ b/tcg/i386/tcg-target-con-set.h
-@@ -XXX,XX +XXX,XX @@
-  *
-  * C_N1_Im(...) defines a constraint set with 1 output and <m> inputs,
-  * except that the output must use a new register.
-+ *
-+ * C_Nn_Om_Ik(...) defines a constraint set with <n + m> outputs and <k>
-+ * inputs, except that the first <n> outputs must use new registers.
-  */
- C_O0_I1(r)
- C_O0_I2(L, L)
-@@ -XXX,XX +XXX,XX @@ C_O2_I1(r, r, L)
- C_O2_I2(a, d, a, r)
- C_O2_I2(r, r, L, L)
- C_O2_I3(a, d, 0, 1, r)
--C_O2_I4(r, r, 0, 1, re, re)
-+C_N1_O1_I4(r, r, 0, 1, re, re)
-diff --git a/tcg/s390x/tcg-target-con-set.h b/tcg/s390x/tcg-target-con-set.h
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/s390x/tcg-target-con-set.h
-+++ b/tcg/s390x/tcg-target-con-set.h
-@@ -XXX,XX +XXX,XX @@
-  * C_On_Im(...) defines a constraint set with <n> outputs and <m> inputs.
-  * Each operand should be a sequence of constraint letters as defined by
-  * tcg-target-con-str.h; the constraint combination is inclusive or.
-+ *
-+ * C_Nn_Om_Ik(...) defines a constraint set with <n + m> outputs and <k>
-+ * inputs, except that the first <n> outputs must use new registers.
-  */
- C_O0_I1(r)
- C_O0_I2(r, r)
-@@ -XXX,XX +XXX,XX @@ C_O2_I1(o, m, r)
- C_O2_I2(o, m, 0, r)
- C_O2_I2(o, m, r, r)
- C_O2_I3(o, m, 0, 1, r)
--C_O2_I4(r, r, 0, 1, rA, r)
--C_O2_I4(r, r, 0, 1, ri, r)
--C_O2_I4(r, r, 0, 1, r, r)
-+C_N1_O1_I4(r, r, 0, 1, ri, r)
-+C_N1_O1_I4(r, r, 0, 1, rA, r)
-diff --git a/tcg/tcg.c b/tcg/tcg.c
-index XXXXXXX..XXXXXXX 100644
---- a/tcg/tcg.c
-+++ b/tcg/tcg.c
-@@ -XXX,XX +XXX,XX @@ static void tcg_out_movext3(TCGContext *s, const TCGMovExtend *i1,
- #define C_O2_I2(O1, O2, I1, I2)         C_PFX4(c_o2_i2_, O1, O2, I1, I2),
- #define C_O2_I3(O1, O2, I1, I2, I3)     C_PFX5(c_o2_i3_, O1, O2, I1, I2, I3),
- #define C_O2_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_o2_i4_, O1, O2, I1, I2, I3, I4),
-+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_n1_o1_i4_, O1, O2, I1, I2, I3, I4),
- typedef enum {
- #include "tcg-target-con-set.h"
-@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode);
- #undef C_O2_I2
- #undef C_O2_I3
- #undef C_O2_I4
-+#undef C_N1_O1_I4
- /* Put all of the constraint sets into an array, indexed by the enum. */
-@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode);
- #define C_O2_I2(O1, O2, I1, I2)         { .args_ct_str = { #O1, #O2, #I1, #I2 } },
- #define C_O2_I3(O1, O2, I1, I2, I3)     { .args_ct_str = { #O1, #O2, #I1, #I2, #I3 } },
- #define C_O2_I4(O1, O2, I1, I2, I3, I4) { .args_ct_str = { #O1, #O2, #I1, #I2, #I3, #I4 } },
-+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) { .args_ct_str = { "&" #O1, #O2, #I1, #I2, #I3, #I4 } },
- static const TCGTargetOpDef constraint_sets[] = {
- #include "tcg-target-con-set.h"
-@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
- #undef C_O2_I2
- #undef C_O2_I3
- #undef C_O2_I4
-+#undef C_N1_O1_I4
- /* Expand the enumerator to be returned from tcg_target_op_def(). */
-@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
- #define C_O2_I2(O1, O2, I1, I2)         C_PFX4(c_o2_i2_, O1, O2, I1, I2)
- #define C_O2_I3(O1, O2, I1, I2, I3)     C_PFX5(c_o2_i3_, O1, O2, I1, I2, I3)
- #define C_O2_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_o2_i4_, O1, O2, I1, I2, I3, I4)
-+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_n1_o1_i4_, O1, O2, I1, I2, I3, I4)
- #include "tcg-target.c.inc"
-@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_op(TCGContext *s, const TCGOp *op)
-                  * dead after the instruction, we must allocate a new
-                  * register and move it.
-                  */
--                if (temp_readonly(ts) || !IS_DEAD_ARG(i)) {
-+                if (temp_readonly(ts) || !IS_DEAD_ARG(i)
-+                    || def->args_ct[arg_ct->alias_index].newreg) {
-                     allocate_new_reg = true;
-                 } else if (ts->val_type == TEMP_VAL_REG) {
-                     /*
 diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
 index XXXXXXX..XXXXXXX 100644
 --- a/tcg/i386/tcg-target.c.inc
 +++ b/tcg/i386/tcg-target.c.inc
-@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
-     case INDEX_op_add2_i64:
+ # define ALL_VECTOR_REGS       0x00ff0000u
-     case INDEX_op_sub2_i32:
+ # define ALL_BYTEL_REGS        0x0000000fu
-     case INDEX_op_sub2_i64:
+ #endif
--        return C_O2_I4(r, r, 0, 1, re, re);
+-#ifdef CONFIG_SOFTMMU
-+        return C_N1_O1_I4(r, r, 0, 1, re, re);
+-# define SOFTMMU_RESERVE_REGS  ((1 << TCG_REG_L0) | (1 << TCG_REG_L1))
+-#else
-     case INDEX_op_ctz_i32:
+-# define SOFTMMU_RESERVE_REGS  0
-     case INDEX_op_ctz_i64:
+-#endif
-diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
++#define SOFTMMU_RESERVE_REGS \
-index XXXXXXX..XXXXXXX 100644
++    (tcg_use_softmmu ? (1 << TCG_REG_L0) | (1 << TCG_REG_L1) : 0)
---- a/tcg/s390x/tcg-target.c.inc
-+++ b/tcg/s390x/tcg-target.c.inc
+ /* For 64-bit, we always know that CMOV is available.  */
-@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
+ #if TCG_TARGET_REG_BITS == 64
+@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
-     case INDEX_op_add2_i32:
+     return true;
-     case INDEX_op_sub2_i32:
+ }
--        return C_O2_I4(r, r, 0, 1, ri, r);
-+        return C_N1_O1_I4(r, r, 0, 1, ri, r);
+-#ifndef CONFIG_SOFTMMU
++#ifdef CONFIG_USER_ONLY
-     case INDEX_op_add2_i64:
+ static HostAddress x86_guest_base = {
-     case INDEX_op_sub2_i64:
+     .index = -1
--        return C_O2_I4(r, r, 0, 1, rA, r);
+ };
-+        return C_N1_O1_I4(r, r, 0, 1, rA, r);
+@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
+     }
-     case INDEX_op_st_vec:
+     return 0;
-         return C_O0_I2(v, r);
+ }
 +#define setup_guest_base_seg  setup_guest_base_seg
  #elif defined(__x86_64__) && \
        (defined (__FreeBSD__) || defined (__FreeBSD_kernel__))
  # include <machine/sysarch.h>
@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
      }
      return 0;
  }
 +#define setup_guest_base_seg  setup_guest_base_seg
 +#endif
  #else
 -static inline int setup_guest_base_seg(void)
 -{
 -    return 0;
 -}
 -#endif /* setup_guest_base_seg */
 -#endif /* !SOFTMMU */
 +# define x86_guest_base (*(HostAddress *)({ qemu_build_not_reached(); NULL; }))
 +#endif /* CONFIG_USER_ONLY */
 +#ifndef setup_guest_base_seg
 +# define setup_guest_base_seg()  0
 +#endif
  #define MIN_TLB_MASK_TABLE_OFS  INT_MIN
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
      MemOp s_bits = opc & MO_SIZE;
      unsigned a_mask;
 -#ifdef CONFIG_SOFTMMU
 -    h->index = TCG_REG_L0;
 -    h->ofs = 0;
 -    h->seg = 0;
 -#else
 -    *h = x86_guest_base;
 -#endif
 +    if (tcg_use_softmmu) {
 +        h->index = TCG_REG_L0;
 +        h->ofs = 0;
 +        h->seg = 0;
 +    } else {
 +        *h = x86_guest_base;
 +    }
      h->base = addrlo;
      h->aa = atom_and_align_for_opc(s, opc, MO_ATOM_IFALIGN, s_bits == MO_128);
      a_mask = (1 << h->aa.align) - 1;
 -#ifdef CONFIG_SOFTMMU
 -    int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
 -                        : offsetof(CPUTLBEntry, addr_write);
 -    TCGType ttype = TCG_TYPE_I32;
 -    TCGType tlbtype = TCG_TYPE_I32;
 -    int trexw = 0, hrexw = 0, tlbrexw = 0;
 -    unsigned mem_index = get_mmuidx(oi);
 -    unsigned s_mask = (1 << s_bits) - 1;
 -    int fast_ofs = tlb_mask_table_ofs(s, mem_index);
 -    int tlb_mask;
 +    if (tcg_use_softmmu) {
 +        int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
 +                            : offsetof(CPUTLBEntry, addr_write);
 +        TCGType ttype = TCG_TYPE_I32;
 +        TCGType tlbtype = TCG_TYPE_I32;
 +        int trexw = 0, hrexw = 0, tlbrexw = 0;
 +        unsigned mem_index = get_mmuidx(oi);
 +        unsigned s_mask = (1 << s_bits) - 1;
 +        int fast_ofs = tlb_mask_table_ofs(s, mem_index);
 +        int tlb_mask;
 -    ldst = new_ldst_label(s);
 -    ldst->is_ld = is_ld;
 -    ldst->oi = oi;
 -    ldst->addrlo_reg = addrlo;
 -    ldst->addrhi_reg = addrhi;
 +        ldst = new_ldst_label(s);
 +        ldst->is_ld = is_ld;
 +        ldst->oi = oi;
 +        ldst->addrlo_reg = addrlo;
 +        ldst->addrhi_reg = addrhi;
 -    if (TCG_TARGET_REG_BITS == 64) {
 -        ttype = s->addr_type;
 -        trexw = (ttype == TCG_TYPE_I32 ? 0 : P_REXW);
 -        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
 -            hrexw = P_REXW;
 -            if (s->page_bits + s->tlb_dyn_max_bits > 32) {
 -                tlbtype = TCG_TYPE_I64;
 -                tlbrexw = P_REXW;
 +        if (TCG_TARGET_REG_BITS == 64) {
 +            ttype = s->addr_type;
 +            trexw = (ttype == TCG_TYPE_I32 ? 0 : P_REXW);
 +            if (TCG_TYPE_PTR == TCG_TYPE_I64) {
 +                hrexw = P_REXW;
 +                if (s->page_bits + s->tlb_dyn_max_bits > 32) {
 +                    tlbtype = TCG_TYPE_I64;
 +                    tlbrexw = P_REXW;
 +                }
              }
          }
 -    }
 -    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
 -    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
 -                   s->page_bits - CPU_TLB_ENTRY_BITS);
 +        tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
 +        tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
 +                       s->page_bits - CPU_TLB_ENTRY_BITS);
 -    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
 -                         fast_ofs + offsetof(CPUTLBDescFast, mask));
 +        tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
 +                             fast_ofs + offsetof(CPUTLBDescFast, mask));
 -    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
 -                         fast_ofs + offsetof(CPUTLBDescFast, table));
 +        tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
 +                             fast_ofs + offsetof(CPUTLBDescFast, table));
 -    /*
 -     * If the required alignment is at least as large as the access, simply
 -     * copy the address and mask.  For lesser alignments, check that we don't
 -     * cross pages for the complete access.
 -     */
 -    if (a_mask >= s_mask) {
 -        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
 -    } else {
 -        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
 -                             addrlo, s_mask - a_mask);
 -    }
 -    tlb_mask = s->page_mask | a_mask;
 -    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
 +        /*
 +         * If the required alignment is at least as large as the access,
 +         * simply copy the address and mask.  For lesser alignments,
 +         * check that we don't cross pages for the complete access.
 +         */
 +        if (a_mask >= s_mask) {
 +            tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
 +        } else {
 +            tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
 +                                 addrlo, s_mask - a_mask);
 +        }
 +        tlb_mask = s->page_mask | a_mask;
 +        tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
 -    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
 -    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
 -                         TCG_REG_L1, TCG_REG_L0, cmp_ofs);
 -
 -    /* jne slow_path */
 -    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 -    ldst->label_ptr[0] = s->code_ptr;
 -    s->code_ptr += 4;
 -
 -    if (TCG_TARGET_REG_BITS == 32 && s->addr_type == TCG_TYPE_I64) {
 -        /* cmp 4(TCG_REG_L0), addrhi */
 -        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, cmp_ofs + 4);
 +        /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
 +        tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
 +                             TCG_REG_L1, TCG_REG_L0, cmp_ofs);
          /* jne slow_path */
          tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 -        ldst->label_ptr[1] = s->code_ptr;
 +        ldst->label_ptr[0] = s->code_ptr;
          s->code_ptr += 4;
 -    }
 -    /* TLB Hit.  */
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
 -               offsetof(CPUTLBEntry, addend));
 -#else
 -    if (a_mask) {
 +        if (TCG_TARGET_REG_BITS == 32 && s->addr_type == TCG_TYPE_I64) {
 +            /* cmp 4(TCG_REG_L0), addrhi */
 +            tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi,
 +                                 TCG_REG_L0, cmp_ofs + 4);
 +
 +            /* jne slow_path */
 +            tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
 +            ldst->label_ptr[1] = s->code_ptr;
 +            s->code_ptr += 4;
 +        }
 +
 +        /* TLB Hit.  */
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
 +                   offsetof(CPUTLBEntry, addend));
 +    } else if (a_mask) {
          ldst = new_ldst_label(s);
          ldst->is_ld = is_ld;
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
          ldst->label_ptr[0] = s->code_ptr;
          s->code_ptr += 4;
      }
 -#endif
      return ldst;
  }
@@ -XXX,XX +XXX,XX @@ static void tcg_target_qemu_prologue(TCGContext *s)
          tcg_out_push(s, tcg_target_callee_save_regs[i]);
      }
 -#if TCG_TARGET_REG_BITS == 32
 -    tcg_out_ld(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP,
 -               (ARRAY_SIZE(tcg_target_callee_save_regs) + 1) * 4);
 -    tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
 -    /* jmp *tb.  */
 -    tcg_out_modrm_offset(s, OPC_GRP5, EXT5_JMPN_Ev, TCG_REG_ESP,
 -                         (ARRAY_SIZE(tcg_target_callee_save_regs) + 2) * 4
 -                         + stack_addend);
 -#else
 -# if !defined(CONFIG_SOFTMMU)
 -    if (guest_base) {
 +    if (!tcg_use_softmmu && guest_base) {
          int seg = setup_guest_base_seg();
          if (seg != 0) {
              x86_guest_base.seg = seg;
          } else if (guest_base == (int32_t)guest_base) {
              x86_guest_base.ofs = guest_base;
          } else {
 +            assert(TCG_TARGET_REG_BITS == 64);
              /* Choose R12 because, as a base, it requires a SIB byte. */
              x86_guest_base.index = TCG_REG_R12;
              tcg_out_movi(s, TCG_TYPE_PTR, x86_guest_base.index, guest_base);
              tcg_regset_set_reg(s->reserved_regs, x86_guest_base.index);
          }
      }
 -# endif
 -    tcg_out_mov(s, TCG_TYPE_PTR, TCG_AREG0, tcg_target_call_iarg_regs[0]);
 -    tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
 -    /* jmp *tb.  */
 -    tcg_out_modrm(s, OPC_GRP5, EXT5_JMPN_Ev, tcg_target_call_iarg_regs[1]);
 -#endif
 +
 +    if (TCG_TARGET_REG_BITS == 32) {
 +        tcg_out_ld(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP,
 +                   (ARRAY_SIZE(tcg_target_callee_save_regs) + 1) * 4);
 +        tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
 +        /* jmp *tb.  */
 +        tcg_out_modrm_offset(s, OPC_GRP5, EXT5_JMPN_Ev, TCG_REG_ESP,
 +                             (ARRAY_SIZE(tcg_target_callee_save_regs) + 2) * 4
 +                             + stack_addend);
 +    } else {
 +        tcg_out_mov(s, TCG_TYPE_PTR, TCG_AREG0, tcg_target_call_iarg_regs[0]);
 +        tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
 +        /* jmp *tb.  */
 +        tcg_out_modrm(s, OPC_GRP5, EXT5_JMPN_Ev, tcg_target_call_iarg_regs[1]);
 +    }
      /*
       * Return path for goto_ptr. Set return value to 0, a-la exit_tb,
 --
 .34.1

-[PULL 6/7] accel/tcg: Zero-pad vaddr in tlb_debug output
+Deleted patch
-From: Anton Johansson <anjo@rev.ng>
-In replacing target_ulong with vaddr and TARGET_FMT_lx with VADDR_PRIx,
-the zero-padding of TARGET_FMT_lx got lost.  Readd 16-wide zero-padding
-for logging consistency.
-Suggested-by: Peter Maydell <peter.maydell@linaro.org>
-Signed-off-by: Anton Johansson <anjo@rev.ng>
-Message-Id: <20230713120746.26897-1-anjo@rev.ng>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- accel/tcg/cputlb.c | 20 ++++++++++----------
-file changed, 10 insertions(+), 10 deletions(-)
-diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/cputlb.c
-+++ b/accel/tcg/cputlb.c
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx, vaddr page)
-     /* Check if we need to flush due to large pages.  */
-     if ((page & lp_mask) == lp_addr) {
--        tlb_debug("forcing full flush midx %d (%"
--                  VADDR_PRIx "/%" VADDR_PRIx ")\n",
-+        tlb_debug("forcing full flush midx %d (%016"
-+                  VADDR_PRIx "/%016" VADDR_PRIx ")\n",
-                   midx, lp_addr, lp_mask);
-         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
-     } else {
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
-     assert_cpu_is_self(cpu);
--    tlb_debug("page addr: %" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap);
-+    tlb_debug("page addr: %016" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap);
-     qemu_spin_lock(&env_tlb(env)->c.lock);
-     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
- void tlb_flush_page_by_mmuidx(CPUState *cpu, vaddr addr, uint16_t idxmap)
- {
--    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap);
-+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap);
-     /* This should already be page aligned */
-     addr &= TARGET_PAGE_MASK;
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, vaddr addr)
- void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, vaddr addr,
-                                        uint16_t idxmap)
- {
--    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
-+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
-     /* This should already be page aligned */
-     addr &= TARGET_PAGE_MASK;
-@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
-                                               vaddr addr,
-                                               uint16_t idxmap)
- {
--    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
-+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
-     /* This should already be page aligned */
-     addr &= TARGET_PAGE_MASK;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_locked(CPUArchState *env, int midx,
-      */
-     if (mask < f->mask || len > f->mask) {
-         tlb_debug("forcing full flush midx %d ("
--                  "%" VADDR_PRIx "/%" VADDR_PRIx "+%" VADDR_PRIx ")\n",
-+                  "%016" VADDR_PRIx "/%016" VADDR_PRIx "+%016" VADDR_PRIx ")\n",
-                   midx, addr, mask, len);
-         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
-         return;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_locked(CPUArchState *env, int midx,
-      */
-     if (((addr + len - 1) & d->large_page_mask) == d->large_page_addr) {
-         tlb_debug("forcing full flush midx %d ("
--                  "%" VADDR_PRIx "/%" VADDR_PRIx ")\n",
-+                  "%016" VADDR_PRIx "/%016" VADDR_PRIx ")\n",
-                   midx, d->large_page_addr, d->large_page_mask);
-         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
-         return;
-@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu,
-     assert_cpu_is_self(cpu);
--    tlb_debug("range: %" VADDR_PRIx "/%u+%" VADDR_PRIx " mmu_map:0x%x\n",
-+    tlb_debug("range: %016" VADDR_PRIx "/%u+%016" VADDR_PRIx " mmu_map:0x%x\n",
-               d.addr, d.bits, d.len, d.idxmap);
-     qemu_spin_lock(&env_tlb(env)->c.lock);
-@@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
-                                                 &xlat, &sz, full->attrs, &prot);
-     assert(sz >= TARGET_PAGE_SIZE);
--    tlb_debug("vaddr=%" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
-+    tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
-               " prot=%x idx=%d\n",
-               addr, full->phys_addr, prot, mmu_idx);
---
-.34.1

-[PULL 7/7] accel/tcg: Fix type of 'last' for pageflags_{find,next}
+Deleted patch
-From: Luca Bonissi <qemu@bonslack.org>
-These should match 'start' as target_ulong, not target_long.
-On 32bit targets, the parameter was sign-extended to uint64_t,
-so only the first mmap within the upper 2GB memory can succeed.
-Signed-off-by: Luca Bonissi <qemu@bonslack.org>
-Message-Id: <327460e2-0ebd-9edb-426b-1df80d16c32a@bonslack.org>
-Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
-Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
----
- accel/tcg/user-exec.c | 4 ++--
-file changed, 2 insertions(+), 2 deletions(-)
-diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
-index XXXXXXX..XXXXXXX 100644
---- a/accel/tcg/user-exec.c
-+++ b/accel/tcg/user-exec.c
-@@ -XXX,XX +XXX,XX @@ typedef struct PageFlagsNode {
- static IntervalTreeRoot pageflags_root;
--static PageFlagsNode *pageflags_find(target_ulong start, target_long last)
-+static PageFlagsNode *pageflags_find(target_ulong start, target_ulong last)
- {
-     IntervalTreeNode *n;
-@@ -XXX,XX +XXX,XX @@ static PageFlagsNode *pageflags_find(target_ulong start, target_long last)
- }
- static PageFlagsNode *pageflags_next(PageFlagsNode *p, target_ulong start,
--                                     target_long last)
-+                                     target_ulong last)
- {
-     IntervalTreeNode *n;
---
-.34.1

The following changes since commit d1181d29370a4318a9f11ea92065bea6bb159f83:

Merge tag 'pull-nbd-2023-07-19' of https://repo.or.cz/qemu/ericb into staging (2023-07-20 09:54:07 +0100)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20230724

for you to fetch changes up to 32b120394c578bc824f1db4835b3bffbeca88fae:

accel/tcg: Fix type of 'last' for pageflags_{find,next} (2023-07-24 09:48:49 +0100)

----------------------------------------------------------------
accel/tcg: Zero-pad vaddr in tlb debug output
accel/tcg: Fix type of 'last' for pageflags_{find,next}
accel/tcg: Fix sense of read-only probes in ldst_atomicity
accel/tcg: Take mmap_lock in load_atomic*_or_exit
tcg: Add earlyclobber to op_add2 for x86 and s390x
tcg/ppc: Fix race in goto_tb implementation

----------------------------------------------------------------
Anton Johansson (1):
      accel/tcg: Zero-pad vaddr in tlb_debug output

Ilya Leoshkevich (1):
      tcg/{i386, s390x}: Add earlyclobber to the op_add2's first output

Jordan Niethe (1):
      tcg/ppc: Fix race in goto_tb implementation

Luca Bonissi (1):
      accel/tcg: Fix type of 'last' for pageflags_{find,next}

Richard Henderson (3):
      include/exec: Add WITH_MMAP_LOCK_GUARD
      accel/tcg: Fix sense of read-only probes in ldst_atomicity
      accel/tcg: Take mmap_lock in load_atomic*_or_exit

From: Jordan Niethe <jniethe5@gmail.com>

Commit 20b6643324 ("tcg/ppc: Reorg goto_tb implementation") modified
goto_tb to ensure only a single instruction was patched to prevent
incorrect behavior if a thread was in the middle of multiple
instructions when they were replaced. However this introduced a race
between loading the jmp target into TCG_REG_TB and patching and
executing the direct branch.

The relevant part of the goto_tb implementation:

ld TCG_REG_TB, TARGET_ADDR_LOCATION(TCG_REG_TB)
  patch_location:
    mtctr TCG_REG_TB
    bctr

tb_target_set_jmp_target() will replace 'patch_location' with a direct
branch if the target is in range. The direct branch now relies on
TCG_REG_TB being set up correctly by the ld. Prior to this commit
multiple instructions were patched in for the direct branch case; these
instructions would initialize TCG_REG_TB to the same value as the branch
target.

Imagine the following sequence:

1) Thread A is executing the goto_tb sequence and loads the jmp
   target into TCG_REG_TB.

2) Thread B updates the jmp target address and calls
   tb_target_set_jmp_target(). This patches a new direct branch into the
   goto_tb sequence.

3) Thread A executes the newly patched direct branch. The value in
   TCG_REG_TB still contains the old jmp target.

TCG_REG_TB MUST contain the translation block's tc.ptr. Execution will
eventually crash after performing memory accesses generated from a
faulty value in TCG_REG_TB.

This presents as segfaults or illegal instruction exceptions.

Do not revert commit 20b6643324 as it did fix a different race
condition. Instead remove the direct branch optimization and always use
indirect branches.

The direct branch optimization can be re-added later with a race free
sequence.

Fixes: 20b6643324 ("tcg/ppc: Reorg goto_tb implementation")
Resolves: https://gitlab.com/qemu-project/qemu/-/issues/1726
Reported-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
Tested-by: Anushree Mathur <anushree.mathur@linux.vnet.ibm.com>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Co-developed-by: Benjamin Gray <bgray@linux.ibm.com>
Signed-off-by: Jordan Niethe <jniethe5@gmail.com>
Signed-off-by: Benjamin Gray <bgray@linux.ibm.com>
Message-Id: <20230717093001.13167-1-jniethe5@gmail.com>
---
 tcg/ppc/tcg-target.c.inc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tcg/ppc/tcg-target.c.inc b/tcg/ppc/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/ppc/tcg-target.c.inc
+++ b/tcg/ppc/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static void tcg_out_goto_tb(TCGContext *s, int which)
         ptrdiff_t offset = tcg_tbrel_diff(s, (void *)ptr);
         tcg_out_mem_long(s, LD, LDX, TCG_REG_TB, TCG_REG_TB, offset);
     
-        /* Direct branch will be patched by tb_target_set_jmp_target. */
+        /* TODO: Use direct branches when possible. */
         set_jmp_insn_offset(s, which);
         tcg_out32(s, MTSPR | RS(TCG_REG_TB) | CTR);
 
-        /* When branch is out of range, fall through to indirect. */
         tcg_out32(s, BCCTR | BO_ALWAYS);
 
         /* For the unlinked case, need to reset TCG_REG_TB.  */
@@ -XXX,XX +XXX,XX @@ void tb_target_set_jmp_target(const TranslationBlock *tb, int n,
     intptr_t diff = addr - jmp_rx;
     tcg_insn_unit insn;
 
+    if (USE_REG_TB) {
+        return;
+    }
+
     if (in_range_b(diff)) {
         insn = B | (diff & 0x3fffffc);
-    } else if (USE_REG_TB) {
-        insn = MTSPR | RS(TCG_REG_TB) | CTR;
     } else {
         insn = NOP;
     }
-- 
2.34.1

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 include/exec/exec-all.h | 10 ++++++++++
 bsd-user/mmap.c         |  1 +
 linux-user/mmap.c       |  1 +
 3 files changed, 12 insertions(+)

diff --git a/include/exec/exec-all.h b/include/exec/exec-all.h
index XXXXXXX..XXXXXXX 100644
--- a/include/exec/exec-all.h
+++ b/include/exec/exec-all.h
@@ -XXX,XX +XXX,XX @@ void TSA_NO_TSA mmap_lock(void);
 void TSA_NO_TSA mmap_unlock(void);
 bool have_mmap_lock(void);
 
+static inline void mmap_unlock_guard(void *unused)
+{
+    mmap_unlock();
+}
+
+#define WITH_MMAP_LOCK_GUARD()                                            \
+    for (int _mmap_lock_iter __attribute__((cleanup(mmap_unlock_guard)))  \
+         = (mmap_lock(), 0); _mmap_lock_iter == 0; _mmap_lock_iter = 1)
+
 /**
  * adjust_signal_pc:
  * @pc: raw pc from the host signal ucontext_t.
@@ -XXX,XX +XXX,XX @@ G_NORETURN void cpu_loop_exit_sigbus(CPUState *cpu, target_ulong addr,
 #else
 static inline void mmap_lock(void) {}
 static inline void mmap_unlock(void) {}
+#define WITH_MMAP_LOCK_GUARD()
 
 void tlb_reset_dirty(CPUState *cpu, ram_addr_t start1, ram_addr_t length);
 void tlb_set_dirty(CPUState *cpu, vaddr addr);
diff --git a/bsd-user/mmap.c b/bsd-user/mmap.c
index XXXXXXX..XXXXXXX 100644
--- a/bsd-user/mmap.c
+++ b/bsd-user/mmap.c
@@ -XXX,XX +XXX,XX @@ void mmap_lock(void)
 
 void mmap_unlock(void)
 {
+    assert(mmap_lock_count > 0);
     if (--mmap_lock_count == 0) {
         pthread_mutex_unlock(&mmap_mutex);
     }
diff --git a/linux-user/mmap.c b/linux-user/mmap.c
index XXXXXXX..XXXXXXX 100644
--- a/linux-user/mmap.c
+++ b/linux-user/mmap.c
@@ -XXX,XX +XXX,XX @@ void mmap_lock(void)
 
 void mmap_unlock(void)
 {
+    assert(mmap_lock_count > 0);
     if (--mmap_lock_count == 0) {
         pthread_mutex_unlock(&mmap_mutex);
     }
-- 
2.34.1

In the initial commit, cdfac37be0d, the sense of the test is incorrect,
as the -1/0 return was confusing.  In bef6f008b981, we mechanically
invert all callers while changing to false/true return, preserving the
incorrectness of the test.

Now that the return sense is sane, it's easy to see that if !write,
then the page is not modifiable (i.e. most likely read-only, with
PROT_NONE handled via SIGSEGV).

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/ldst_atomicity.c.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

For user-only, the probe for page writability may race with another
thread's mprotect.  Take the mmap_lock around the operation.  This
is still faster than the start/end_exclusive fallback.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/ldst_atomicity.c.inc | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/accel/tcg/ldst_atomicity.c.inc b/accel/tcg/ldst_atomicity.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/ldst_atomicity.c.inc
+++ b/accel/tcg/ldst_atomicity.c.inc
@@ -XXX,XX +XXX,XX @@ static uint64_t load_atomic8_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
      * another process, because the fallback start_exclusive solution
      * provides no protection across processes.
      */
-    if (!page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
-        uint64_t *p = __builtin_assume_aligned(pv, 8);
-        return *p;
+    WITH_MMAP_LOCK_GUARD() {
+        if (!page_check_range(h2g(pv), 8, PAGE_WRITE_ORG)) {
+            uint64_t *p = __builtin_assume_aligned(pv, 8);
+            return *p;
+        }
     }
 #endif
 
@@ -XXX,XX +XXX,XX @@ static Int128 load_atomic16_or_exit(CPUArchState *env, uintptr_t ra, void *pv)
         return atomic16_read_ro(p);
     }
 
-#ifdef CONFIG_USER_ONLY
     /*
      * We can only use cmpxchg to emulate a load if the page is writable.
      * If the page is not writable, then assume the value is immutable
      * and requires no locking.  This ignores the case of MAP_SHARED with
      * another process, because the fallback start_exclusive solution
      * provides no protection across processes.
+     *
+     * In system mode all guest pages are writable.  For user mode,
+     * we must take mmap_lock so that the query remains valid until
+     * the write is complete -- tests/tcg/multiarch/munmap-pthread.c
+     * is an example that can race.
      */
-    if (!page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
-        return *p;
-    }
+    WITH_MMAP_LOCK_GUARD() {
+#ifdef CONFIG_USER_ONLY
+        if (!page_check_range(h2g(p), 16, PAGE_WRITE_ORG)) {
+            return *p;
+        }
 #endif
-
-    /*
-     * In system mode all guest pages are writable, and for user-only
-     * we have just checked writability.  Try cmpxchg.
-     */
-    if (HAVE_ATOMIC128_RW) {
-        return atomic16_read_rw(p);
+        if (HAVE_ATOMIC128_RW) {
+            return atomic16_read_rw(p);
+        }
     }
 
     /* Ultimate fallback: re-execute in serial context. */
-- 
2.34.1

From: Ilya Leoshkevich <iii@linux.ibm.com>

i386 and s390x implementations of op_add2 require an earlyclobber,
which is currently missing. This breaks VCKSM in s390x guests. E.g., on
x86_64 the following op:

add2_i32 tmp2,tmp3,tmp2,tmp3,tmp3,tmp2   dead: 0 2 3 4 5  pref=none,0xffff

is translated to:

addl     %ebx, %r12d
    adcl     %r12d, %ebx

Introduce a new C_N1_O1_I4 constraint, and make sure that earlyclobber
of aliased outputs is honored.

Cc: qemu-stable@nongnu.org
Fixes: 82790a870992 ("tcg: Add markup for output requires new register")
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-Id: <20230719221310.1968845-7-iii@linux.ibm.com>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target-con-set.h  | 5 ++++-
 tcg/s390x/tcg-target-con-set.h | 8 +++++---
 tcg/tcg.c                      | 8 +++++++-
 tcg/i386/tcg-target.c.inc      | 2 +-
 tcg/s390x/tcg-target.c.inc     | 4 ++--
 5 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/tcg/i386/tcg-target-con-set.h b/tcg/i386/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target-con-set.h
+++ b/tcg/i386/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
  *
  * C_N1_Im(...) defines a constraint set with 1 output and <m> inputs,
  * except that the output must use a new register.
+ *
+ * C_Nn_Om_Ik(...) defines a constraint set with <n + m> outputs and <k>
+ * inputs, except that the first <n> outputs must use new registers.
  */
 C_O0_I1(r)
 C_O0_I2(L, L)
@@ -XXX,XX +XXX,XX @@ C_O2_I1(r, r, L)
 C_O2_I2(a, d, a, r)
 C_O2_I2(r, r, L, L)
 C_O2_I3(a, d, 0, 1, r)
-C_O2_I4(r, r, 0, 1, re, re)
+C_N1_O1_I4(r, r, 0, 1, re, re)
diff --git a/tcg/s390x/tcg-target-con-set.h b/tcg/s390x/tcg-target-con-set.h
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target-con-set.h
+++ b/tcg/s390x/tcg-target-con-set.h
@@ -XXX,XX +XXX,XX @@
  * C_On_Im(...) defines a constraint set with <n> outputs and <m> inputs.
  * Each operand should be a sequence of constraint letters as defined by
  * tcg-target-con-str.h; the constraint combination is inclusive or.
+ *
+ * C_Nn_Om_Ik(...) defines a constraint set with <n + m> outputs and <k>
+ * inputs, except that the first <n> outputs must use new registers.
  */
 C_O0_I1(r)
 C_O0_I2(r, r)
@@ -XXX,XX +XXX,XX @@ C_O2_I1(o, m, r)
 C_O2_I2(o, m, 0, r)
 C_O2_I2(o, m, r, r)
 C_O2_I3(o, m, 0, 1, r)
-C_O2_I4(r, r, 0, 1, rA, r)
-C_O2_I4(r, r, 0, 1, ri, r)
-C_O2_I4(r, r, 0, 1, r, r)
+C_N1_O1_I4(r, r, 0, 1, ri, r)
+C_N1_O1_I4(r, r, 0, 1, rA, r)
diff --git a/tcg/tcg.c b/tcg/tcg.c
index XXXXXXX..XXXXXXX 100644
--- a/tcg/tcg.c
+++ b/tcg/tcg.c
@@ -XXX,XX +XXX,XX @@ static void tcg_out_movext3(TCGContext *s, const TCGMovExtend *i1,
 #define C_O2_I2(O1, O2, I1, I2)         C_PFX4(c_o2_i2_, O1, O2, I1, I2),
 #define C_O2_I3(O1, O2, I1, I2, I3)     C_PFX5(c_o2_i3_, O1, O2, I1, I2, I3),
 #define C_O2_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_o2_i4_, O1, O2, I1, I2, I3, I4),
+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_n1_o1_i4_, O1, O2, I1, I2, I3, I4),
 
 typedef enum {
 #include "tcg-target-con-set.h"
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode);
 #undef C_O2_I2
 #undef C_O2_I3
 #undef C_O2_I4
+#undef C_N1_O1_I4
 
 /* Put all of the constraint sets into an array, indexed by the enum. */
 
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode);
 #define C_O2_I2(O1, O2, I1, I2)         { .args_ct_str = { #O1, #O2, #I1, #I2 } },
 #define C_O2_I3(O1, O2, I1, I2, I3)     { .args_ct_str = { #O1, #O2, #I1, #I2, #I3 } },
 #define C_O2_I4(O1, O2, I1, I2, I3, I4) { .args_ct_str = { #O1, #O2, #I1, #I2, #I3, #I4 } },
+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) { .args_ct_str = { "&" #O1, #O2, #I1, #I2, #I3, #I4 } },
 
 static const TCGTargetOpDef constraint_sets[] = {
 #include "tcg-target-con-set.h"
@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
 #undef C_O2_I2
 #undef C_O2_I3
 #undef C_O2_I4
+#undef C_N1_O1_I4
 
 /* Expand the enumerator to be returned from tcg_target_op_def(). */
 
@@ -XXX,XX +XXX,XX @@ static const TCGTargetOpDef constraint_sets[] = {
 #define C_O2_I2(O1, O2, I1, I2)         C_PFX4(c_o2_i2_, O1, O2, I1, I2)
 #define C_O2_I3(O1, O2, I1, I2, I3)     C_PFX5(c_o2_i3_, O1, O2, I1, I2, I3)
 #define C_O2_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_o2_i4_, O1, O2, I1, I2, I3, I4)
+#define C_N1_O1_I4(O1, O2, I1, I2, I3, I4) C_PFX6(c_n1_o1_i4_, O1, O2, I1, I2, I3, I4)
 
 #include "tcg-target.c.inc"
 
@@ -XXX,XX +XXX,XX @@ static void tcg_reg_alloc_op(TCGContext *s, const TCGOp *op)
                  * dead after the instruction, we must allocate a new
                  * register and move it.
                  */
-                if (temp_readonly(ts) || !IS_DEAD_ARG(i)) {
+                if (temp_readonly(ts) || !IS_DEAD_ARG(i)
+                    || def->args_ct[arg_ct->alias_index].newreg) {
                     allocate_new_reg = true;
                 } else if (ts->val_type == TEMP_VAL_REG) {
                     /*
diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
     case INDEX_op_add2_i64:
     case INDEX_op_sub2_i32:
     case INDEX_op_sub2_i64:
-        return C_O2_I4(r, r, 0, 1, re, re);
+        return C_N1_O1_I4(r, r, 0, 1, re, re);
 
     case INDEX_op_ctz_i32:
     case INDEX_op_ctz_i64:
diff --git a/tcg/s390x/tcg-target.c.inc b/tcg/s390x/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/s390x/tcg-target.c.inc
+++ b/tcg/s390x/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGConstraintSetIndex tcg_target_op_def(TCGOpcode op)
 
     case INDEX_op_add2_i32:
     case INDEX_op_sub2_i32:
-        return C_O2_I4(r, r, 0, 1, ri, r);
+        return C_N1_O1_I4(r, r, 0, 1, ri, r);
 
     case INDEX_op_add2_i64:
     case INDEX_op_sub2_i64:
-        return C_O2_I4(r, r, 0, 1, rA, r);
+        return C_N1_O1_I4(r, r, 0, 1, rA, r);
 
     case INDEX_op_st_vec:
         return C_O0_I2(v, r);
-- 
2.34.1

From: Anton Johansson <anjo@rev.ng>

In replacing target_ulong with vaddr and TARGET_FMT_lx with VADDR_PRIx,
the zero-padding of TARGET_FMT_lx got lost.  Readd 16-wide zero-padding
for logging consistency.

Suggested-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Anton Johansson <anjo@rev.ng>
Message-Id: <20230713120746.26897-1-anjo@rev.ng>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/cputlb.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_locked(CPUArchState *env, int midx, vaddr page)
 
     /* Check if we need to flush due to large pages.  */
     if ((page & lp_mask) == lp_addr) {
-        tlb_debug("forcing full flush midx %d (%"
-                  VADDR_PRIx "/%" VADDR_PRIx ")\n",
+        tlb_debug("forcing full flush midx %d (%016"
+                  VADDR_PRIx "/%016" VADDR_PRIx ")\n",
                   midx, lp_addr, lp_mask);
         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
     } else {
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_0(CPUState *cpu,
 
     assert_cpu_is_self(cpu);
 
-    tlb_debug("page addr: %" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap);
+    tlb_debug("page addr: %016" VADDR_PRIx " mmu_map:0x%x\n", addr, idxmap);
 
     qemu_spin_lock(&env_tlb(env)->c.lock);
     for (mmu_idx = 0; mmu_idx < NB_MMU_MODES; mmu_idx++) {
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_page_by_mmuidx_async_2(CPUState *cpu,
 
 void tlb_flush_page_by_mmuidx(CPUState *cpu, vaddr addr, uint16_t idxmap)
 {
-    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap);
+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%" PRIx16 "\n", addr, idxmap);
 
     /* This should already be page aligned */
     addr &= TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page(CPUState *cpu, vaddr addr)
 void tlb_flush_page_by_mmuidx_all_cpus(CPUState *src_cpu, vaddr addr,
                                        uint16_t idxmap)
 {
-    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
     addr &= TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ void tlb_flush_page_by_mmuidx_all_cpus_synced(CPUState *src_cpu,
                                               vaddr addr,
                                               uint16_t idxmap)
 {
-    tlb_debug("addr: %" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
+    tlb_debug("addr: %016" VADDR_PRIx " mmu_idx:%"PRIx16"\n", addr, idxmap);
 
     /* This should already be page aligned */
     addr &= TARGET_PAGE_MASK;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_locked(CPUArchState *env, int midx,
      */
     if (mask < f->mask || len > f->mask) {
         tlb_debug("forcing full flush midx %d ("
-                  "%" VADDR_PRIx "/%" VADDR_PRIx "+%" VADDR_PRIx ")\n",
+                  "%016" VADDR_PRIx "/%016" VADDR_PRIx "+%016" VADDR_PRIx ")\n",
                   midx, addr, mask, len);
         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
         return;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_locked(CPUArchState *env, int midx,
      */
     if (((addr + len - 1) & d->large_page_mask) == d->large_page_addr) {
         tlb_debug("forcing full flush midx %d ("
-                  "%" VADDR_PRIx "/%" VADDR_PRIx ")\n",
+                  "%016" VADDR_PRIx "/%016" VADDR_PRIx ")\n",
                   midx, d->large_page_addr, d->large_page_mask);
         tlb_flush_one_mmuidx_locked(env, midx, get_clock_realtime());
         return;
@@ -XXX,XX +XXX,XX @@ static void tlb_flush_range_by_mmuidx_async_0(CPUState *cpu,
 
     assert_cpu_is_self(cpu);
 
-    tlb_debug("range: %" VADDR_PRIx "/%u+%" VADDR_PRIx " mmu_map:0x%x\n",
+    tlb_debug("range: %016" VADDR_PRIx "/%u+%016" VADDR_PRIx " mmu_map:0x%x\n",
               d.addr, d.bits, d.len, d.idxmap);
 
     qemu_spin_lock(&env_tlb(env)->c.lock);
@@ -XXX,XX +XXX,XX @@ void tlb_set_page_full(CPUState *cpu, int mmu_idx,
                                                 &xlat, &sz, full->attrs, &prot);
     assert(sz >= TARGET_PAGE_SIZE);
 
-    tlb_debug("vaddr=%" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
+    tlb_debug("vaddr=%016" VADDR_PRIx " paddr=0x" HWADDR_FMT_plx
               " prot=%x idx=%d\n",
               addr, full->phys_addr, prot, mmu_idx);
 
-- 
2.34.1

From: Luca Bonissi <qemu@bonslack.org>

These should match 'start' as target_ulong, not target_long.

On 32bit targets, the parameter was sign-extended to uint64_t,
so only the first mmap within the upper 2GB memory can succeed.

Signed-off-by: Luca Bonissi <qemu@bonslack.org>
Message-Id: <327460e2-0ebd-9edb-426b-1df80d16c32a@bonslack.org>
Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 accel/tcg/user-exec.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accel/tcg/user-exec.c b/accel/tcg/user-exec.c
index XXXXXXX..XXXXXXX 100644
--- a/accel/tcg/user-exec.c
+++ b/accel/tcg/user-exec.c
@@ -XXX,XX +XXX,XX @@ typedef struct PageFlagsNode {
 
 static IntervalTreeRoot pageflags_root;
 
-static PageFlagsNode *pageflags_find(target_ulong start, target_long last)
+static PageFlagsNode *pageflags_find(target_ulong start, target_ulong last)
 {
     IntervalTreeNode *n;
 
@@ -XXX,XX +XXX,XX @@ static PageFlagsNode *pageflags_find(target_ulong start, target_long last)
 }
 
 static PageFlagsNode *pageflags_next(PageFlagsNode *p, target_ulong start,
-                                     target_long last)
+                                     target_ulong last)
 {
     IntervalTreeNode *n;
 
-- 
2.34.1

v2: Fix FreeBSD build error in patch 18.

The following changes since commit 0d239e513e0117e66fa739fb71a43b9383a108ff:

Merge tag 'pull-lu-20231018' of https://gitlab.com/rth7680/qemu into staging (2023-10-19 10:20:57 -0700)

are available in the Git repository at:

https://gitlab.com/rth7680/qemu.git tags/pull-tcg-20231018-2

for you to fetch changes up to a75f704d972b9408f5e2843784b3add48c724c52:

target/i386: Use i128 for 128 and 256-bit loads and stores (2023-10-19 21:11:44 -0700)

----------------------------------------------------------------
tcg: Drop unused tcg_temp_free define
tcg: Introduce tcg_use_softmmu
tcg: Optimize past conditional branches
tcg: Use constant zero when expanding with divu2
tcg/ppc: Enable direct branching tcg_out_goto_tb with TCG_REG_TB
tcg/ppc: Use ADDPCIS for power9
tcg/ppc: Use prefixed instructions for power10
tcg/ppc: Disable TCG_REG_TB for Power9/Power10

----------------------------------------------------------------
Jordan Niethe (1):
      tcg/ppc: Enable direct branching tcg_out_goto_tb with TCG_REG_TB

Mike Frysinger (1):
      tcg: drop unused tcg_temp_free define

Richard Henderson (27):
      tcg/ppc: Untabify tcg-target.c.inc
      tcg/ppc: Reinterpret tb-relative to TB+4
      tcg/ppc: Use ADDPCIS in tcg_out_tb_start
      tcg/ppc: Use ADDPCIS in tcg_out_movi_int
      tcg/ppc: Use ADDPCIS for the constant pool
      tcg/ppc: Use ADDPCIS in tcg_out_goto_tb
      tcg/ppc: Use PADDI in tcg_out_movi
      tcg/ppc: Use prefixed instructions in tcg_out_mem_long
      tcg/ppc: Use PLD in tcg_out_movi for constant pool
      tcg/ppc: Use prefixed instructions in tcg_out_dupi_vec
      tcg/ppc: Use PLD in tcg_out_goto_tb
      tcg/ppc: Disable TCG_REG_TB for Power9/Power10
      tcg: Introduce tcg_use_softmmu
      tcg: Provide guest_base fallback for system mode
      tcg/arm: Use tcg_use_softmmu
      tcg/aarch64: Use tcg_use_softmmu
      tcg/i386: Use tcg_use_softmmu
      tcg/loongarch64: Use tcg_use_softmmu
      tcg/mips: Use tcg_use_softmmu
      tcg/ppc: Use tcg_use_softmmu
      tcg/riscv: Do not reserve TCG_GUEST_BASE_REG for guest_base zero
      tcg/riscv: Use tcg_use_softmmu
      tcg/s390x: Use tcg_use_softmmu
      tcg: Use constant zero when expanding with divu2
      tcg: Optimize past conditional branches
      tcg: Add tcg_gen_{ld,st}_i128
      target/i386: Use i128 for 128 and 256-bit loads and stores

Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
---
 tcg/i386/tcg-target.c.inc | 198 +++++++++++++++++++-------------------
 1 file changed, 98 insertions(+), 100 deletions(-)

diff --git a/tcg/i386/tcg-target.c.inc b/tcg/i386/tcg-target.c.inc
index XXXXXXX..XXXXXXX 100644
--- a/tcg/i386/tcg-target.c.inc
+++ b/tcg/i386/tcg-target.c.inc
@@ -XXX,XX +XXX,XX @@ static TCGReg tcg_target_call_oarg_reg(TCGCallReturnKind kind, int slot)
 # define ALL_VECTOR_REGS       0x00ff0000u
 # define ALL_BYTEL_REGS        0x0000000fu
 #endif
-#ifdef CONFIG_SOFTMMU
-# define SOFTMMU_RESERVE_REGS  ((1 << TCG_REG_L0) | (1 << TCG_REG_L1))
-#else
-# define SOFTMMU_RESERVE_REGS  0
-#endif
+#define SOFTMMU_RESERVE_REGS \
+    (tcg_use_softmmu ? (1 << TCG_REG_L0) | (1 << TCG_REG_L1) : 0)
 
 /* For 64-bit, we always know that CMOV is available.  */
 #if TCG_TARGET_REG_BITS == 64
@@ -XXX,XX +XXX,XX @@ static bool tcg_out_qemu_st_slow_path(TCGContext *s, TCGLabelQemuLdst *l)
     return true;
 }
 
-#ifndef CONFIG_SOFTMMU
+#ifdef CONFIG_USER_ONLY
 static HostAddress x86_guest_base = {
     .index = -1
 };
@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
     }
     return 0;
 }
+#define setup_guest_base_seg  setup_guest_base_seg
 #elif defined(__x86_64__) && \
       (defined (__FreeBSD__) || defined (__FreeBSD_kernel__))
 # include <machine/sysarch.h>
@@ -XXX,XX +XXX,XX @@ static inline int setup_guest_base_seg(void)
     }
     return 0;
 }
+#define setup_guest_base_seg  setup_guest_base_seg
+#endif
 #else
-static inline int setup_guest_base_seg(void)
-{
-    return 0;
-}
-#endif /* setup_guest_base_seg */
-#endif /* !SOFTMMU */
+# define x86_guest_base (*(HostAddress *)({ qemu_build_not_reached(); NULL; }))
+#endif /* CONFIG_USER_ONLY */
+#ifndef setup_guest_base_seg
+# define setup_guest_base_seg()  0
+#endif
 
 #define MIN_TLB_MASK_TABLE_OFS  INT_MIN
 
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
     MemOp s_bits = opc & MO_SIZE;
     unsigned a_mask;
 
-#ifdef CONFIG_SOFTMMU
-    h->index = TCG_REG_L0;
-    h->ofs = 0;
-    h->seg = 0;
-#else
-    *h = x86_guest_base;
-#endif
+    if (tcg_use_softmmu) {
+        h->index = TCG_REG_L0;
+        h->ofs = 0;
+        h->seg = 0;
+    } else {
+        *h = x86_guest_base;
+    }
     h->base = addrlo;
     h->aa = atom_and_align_for_opc(s, opc, MO_ATOM_IFALIGN, s_bits == MO_128);
     a_mask = (1 << h->aa.align) - 1;
 
-#ifdef CONFIG_SOFTMMU
-    int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
-                        : offsetof(CPUTLBEntry, addr_write);
-    TCGType ttype = TCG_TYPE_I32;
-    TCGType tlbtype = TCG_TYPE_I32;
-    int trexw = 0, hrexw = 0, tlbrexw = 0;
-    unsigned mem_index = get_mmuidx(oi);
-    unsigned s_mask = (1 << s_bits) - 1;
-    int fast_ofs = tlb_mask_table_ofs(s, mem_index);
-    int tlb_mask;
+    if (tcg_use_softmmu) {
+        int cmp_ofs = is_ld ? offsetof(CPUTLBEntry, addr_read)
+                            : offsetof(CPUTLBEntry, addr_write);
+        TCGType ttype = TCG_TYPE_I32;
+        TCGType tlbtype = TCG_TYPE_I32;
+        int trexw = 0, hrexw = 0, tlbrexw = 0;
+        unsigned mem_index = get_mmuidx(oi);
+        unsigned s_mask = (1 << s_bits) - 1;
+        int fast_ofs = tlb_mask_table_ofs(s, mem_index);
+        int tlb_mask;
 
-    ldst = new_ldst_label(s);
-    ldst->is_ld = is_ld;
-    ldst->oi = oi;
-    ldst->addrlo_reg = addrlo;
-    ldst->addrhi_reg = addrhi;
+        ldst = new_ldst_label(s);
+        ldst->is_ld = is_ld;
+        ldst->oi = oi;
+        ldst->addrlo_reg = addrlo;
+        ldst->addrhi_reg = addrhi;
 
-    if (TCG_TARGET_REG_BITS == 64) {
-        ttype = s->addr_type;
-        trexw = (ttype == TCG_TYPE_I32 ? 0 : P_REXW);
-        if (TCG_TYPE_PTR == TCG_TYPE_I64) {
-            hrexw = P_REXW;
-            if (s->page_bits + s->tlb_dyn_max_bits > 32) {
-                tlbtype = TCG_TYPE_I64;
-                tlbrexw = P_REXW;
+        if (TCG_TARGET_REG_BITS == 64) {
+            ttype = s->addr_type;
+            trexw = (ttype == TCG_TYPE_I32 ? 0 : P_REXW);
+            if (TCG_TYPE_PTR == TCG_TYPE_I64) {
+                hrexw = P_REXW;
+                if (s->page_bits + s->tlb_dyn_max_bits > 32) {
+                    tlbtype = TCG_TYPE_I64;
+                    tlbrexw = P_REXW;
+                }
             }
         }
-    }
 
-    tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
-    tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
-                   s->page_bits - CPU_TLB_ENTRY_BITS);
+        tcg_out_mov(s, tlbtype, TCG_REG_L0, addrlo);
+        tcg_out_shifti(s, SHIFT_SHR + tlbrexw, TCG_REG_L0,
+                       s->page_bits - CPU_TLB_ENTRY_BITS);
 
-    tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
-                         fast_ofs + offsetof(CPUTLBDescFast, mask));
+        tcg_out_modrm_offset(s, OPC_AND_GvEv + trexw, TCG_REG_L0, TCG_AREG0,
+                             fast_ofs + offsetof(CPUTLBDescFast, mask));
 
-    tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
-                         fast_ofs + offsetof(CPUTLBDescFast, table));
+        tcg_out_modrm_offset(s, OPC_ADD_GvEv + hrexw, TCG_REG_L0, TCG_AREG0,
+                             fast_ofs + offsetof(CPUTLBDescFast, table));
 
-    /*
-     * If the required alignment is at least as large as the access, simply
-     * copy the address and mask.  For lesser alignments, check that we don't
-     * cross pages for the complete access.
-     */
-    if (a_mask >= s_mask) {
-        tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
-    } else {
-        tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
-                             addrlo, s_mask - a_mask);
-    }
-    tlb_mask = s->page_mask | a_mask;
-    tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
+        /*
+         * If the required alignment is at least as large as the access,
+         * simply copy the address and mask.  For lesser alignments,
+         * check that we don't cross pages for the complete access.
+         */
+        if (a_mask >= s_mask) {
+            tcg_out_mov(s, ttype, TCG_REG_L1, addrlo);
+        } else {
+            tcg_out_modrm_offset(s, OPC_LEA + trexw, TCG_REG_L1,
+                                 addrlo, s_mask - a_mask);
+        }
+        tlb_mask = s->page_mask | a_mask;
+        tgen_arithi(s, ARITH_AND + trexw, TCG_REG_L1, tlb_mask, 0);
 
-    /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
-    tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
-                         TCG_REG_L1, TCG_REG_L0, cmp_ofs);
-
-    /* jne slow_path */
-    tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-    ldst->label_ptr[0] = s->code_ptr;
-    s->code_ptr += 4;
-
-    if (TCG_TARGET_REG_BITS == 32 && s->addr_type == TCG_TYPE_I64) {
-        /* cmp 4(TCG_REG_L0), addrhi */
-        tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi, TCG_REG_L0, cmp_ofs + 4);
+        /* cmp 0(TCG_REG_L0), TCG_REG_L1 */
+        tcg_out_modrm_offset(s, OPC_CMP_GvEv + trexw,
+                             TCG_REG_L1, TCG_REG_L0, cmp_ofs);
 
         /* jne slow_path */
         tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
-        ldst->label_ptr[1] = s->code_ptr;
+        ldst->label_ptr[0] = s->code_ptr;
         s->code_ptr += 4;
-    }
 
-    /* TLB Hit.  */
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
-               offsetof(CPUTLBEntry, addend));
-#else
-    if (a_mask) {
+        if (TCG_TARGET_REG_BITS == 32 && s->addr_type == TCG_TYPE_I64) {
+            /* cmp 4(TCG_REG_L0), addrhi */
+            tcg_out_modrm_offset(s, OPC_CMP_GvEv, addrhi,
+                                 TCG_REG_L0, cmp_ofs + 4);
+
+            /* jne slow_path */
+            tcg_out_opc(s, OPC_JCC_long + JCC_JNE, 0, 0, 0);
+            ldst->label_ptr[1] = s->code_ptr;
+            s->code_ptr += 4;
+        }
+
+        /* TLB Hit.  */
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_REG_L0, TCG_REG_L0,
+                   offsetof(CPUTLBEntry, addend));
+    } else if (a_mask) {
         ldst = new_ldst_label(s);
 
         ldst->is_ld = is_ld;
@@ -XXX,XX +XXX,XX @@ static TCGLabelQemuLdst *prepare_host_addr(TCGContext *s, HostAddress *h,
         ldst->label_ptr[0] = s->code_ptr;
         s->code_ptr += 4;
     }
-#endif
 
     return ldst;
 }
@@ -XXX,XX +XXX,XX @@ static void tcg_target_qemu_prologue(TCGContext *s)
         tcg_out_push(s, tcg_target_callee_save_regs[i]);
     }
 
-#if TCG_TARGET_REG_BITS == 32
-    tcg_out_ld(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP,
-               (ARRAY_SIZE(tcg_target_callee_save_regs) + 1) * 4);
-    tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
-    /* jmp *tb.  */
-    tcg_out_modrm_offset(s, OPC_GRP5, EXT5_JMPN_Ev, TCG_REG_ESP,
-                         (ARRAY_SIZE(tcg_target_callee_save_regs) + 2) * 4
-                         + stack_addend);
-#else
-# if !defined(CONFIG_SOFTMMU)
-    if (guest_base) {
+    if (!tcg_use_softmmu && guest_base) {
         int seg = setup_guest_base_seg();
         if (seg != 0) {
             x86_guest_base.seg = seg;
         } else if (guest_base == (int32_t)guest_base) {
             x86_guest_base.ofs = guest_base;
         } else {
+            assert(TCG_TARGET_REG_BITS == 64);
             /* Choose R12 because, as a base, it requires a SIB byte. */
             x86_guest_base.index = TCG_REG_R12;
             tcg_out_movi(s, TCG_TYPE_PTR, x86_guest_base.index, guest_base);
             tcg_regset_set_reg(s->reserved_regs, x86_guest_base.index);
         }
     }
-# endif
-    tcg_out_mov(s, TCG_TYPE_PTR, TCG_AREG0, tcg_target_call_iarg_regs[0]);
-    tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
-    /* jmp *tb.  */
-    tcg_out_modrm(s, OPC_GRP5, EXT5_JMPN_Ev, tcg_target_call_iarg_regs[1]);
-#endif
+
+    if (TCG_TARGET_REG_BITS == 32) {
+        tcg_out_ld(s, TCG_TYPE_PTR, TCG_AREG0, TCG_REG_ESP,
+                   (ARRAY_SIZE(tcg_target_callee_save_regs) + 1) * 4);
+        tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
+        /* jmp *tb.  */
+        tcg_out_modrm_offset(s, OPC_GRP5, EXT5_JMPN_Ev, TCG_REG_ESP,
+                             (ARRAY_SIZE(tcg_target_callee_save_regs) + 2) * 4
+                             + stack_addend);
+    } else {
+        tcg_out_mov(s, TCG_TYPE_PTR, TCG_AREG0, tcg_target_call_iarg_regs[0]);
+        tcg_out_addi(s, TCG_REG_ESP, -stack_addend);
+        /* jmp *tb.  */
+        tcg_out_modrm(s, OPC_GRP5, EXT5_JMPN_Ev, tcg_target_call_iarg_regs[1]);
+    }
 
     /*
      * Return path for goto_ptr. Set return value to 0, a-la exit_tb,
-- 
2.34.1