[PATCH 0/5] Enable QEMU TCI to run 64bit guests on browsers

[PATCH 0/5] Enable QEMU TCI to run 64bit guests on browsers

[Kohei Tokunaga]

This patch series is split from the original "Enable QEMU to run on
browsers" series, focusing solely on supporting 64bit guest on QEMU TCI
compiled with Emscripten. The implementation is based on discussions from
the thread in the "tcg: Add WebAssembly backend" patch series, particulalrly
Paolo Bonzini's suggestion to introduce TCG_VADDR_BITS. Thank you for the
feedback in that thread.

# Running 64bit Guests on WebAssembly

The current implementation uses Wasm's 32bit memory model. This series
explores supporting 64bit guests while relying on SoftMMU for address
translation. To achieve this in Wasm today, it was necessary to partially
revert recent changes that removed support for 64bit guests on 32bit hosts,
specifically those related to pointer width differences between host and
guest (e.g. commits a70af12addd9060fdf8f3dbd42b42e3072c3914f and
bf455ec50b6fea15b4d2493059365bf94c706273) when compiling with
Emscripten. While this serves as a temporary workaround, a long-term
solution could involve migrating to Wasm's 64bit memory model once it gains
broader support, as it is currently not widely adopted (e.g. unsupported by
Safari and libffi).

# Overview of build process

This section provides an overview of the build process for compiling QEMU
using Emscripten. Full instructions are available in the sample
repository[1].

To compile QEMU with Emscripten, the following dependencies are required.
The emsdk-wasm32-cross.docker environment includes all necessary components
and can be used as the build environment:

- Emscripten SDK (emsdk) v3.1.50
- Libraries cross-compiled with Emscripten (refer to
  emsdk-wasm32-cross.docker for build steps)
  - GLib v2.84.0
  - zlib v1.3.1
  - libffi v3.4.7
  - Pixman v0.44.2

QEMU can be compiled using Emscripten's emconfigure and emmake, which
automatically set environment variables such as CC for targeting Emscripten.

emconfigure configure --static --disable-tools \
                      --target-list=x86_64-softmmu --enable-tcg-interpreter
emmake make -j$(nproc)

This process generates the following files:

- qemu-system-x86_64.js
- qemu-system-x86_64.wasm
- qemu-system-x86_64.worker.js

Guest images can be packaged using Emscripten's file_packager.py tool.
For example, if the images are stored in a directory named "pack", the
following command packages them, allowing QEMU to access them through
Emscripten's virtual filesystem:

/path/to/file_packager.py qemu-system-x86_64.data --preload pack > load.js

This process generates the following files:

- qemu-system-x86_64.data
- load.js

Emscripten allows passing arguments to the QEMU command via the Module
object in JavaScript:

Module['arguments'] = [
    '-nographic', '-m', '512M',
    '-L', 'pack/',
    '-drive', 'if=virtio,format=raw,file=pack/rootfs.bin',
    '-kernel', 'pack/bzImage',
    '-append', 'earlyprintk=ttyS0 console=ttyS0 root=/dev/vda loglevel=7',
];

The sample repository[1] provides a complete setup, including an HTML file
that implements a terminal UI.

[1] https://github.com/ktock/qemu-wasm-sample

# Additional references

- A talk at FOSDEM 2025:
  https://fosdem.org/2025/schedule/event/fosdem-2025-6290-running-qemu-inside-browser/

Kohei Tokunaga (5):
  meson.build: add TCG_VADDR_BITS for defining the vaddr size
  include: define vaddr based on TCG_VADDR_BITS
  tlb: specify address field size based on TCG_VADDR_BITS
  tci: define TCG_TARGET_REG_BITS based on TCG_VADDR_BITS
  tci: use tcg_target_ulong when retrieving the pool data

 accel/tcg/cputlb.c             |  8 ++++----
 include/exec/helper-head.h.inc |  9 +++++----
 include/exec/tlb-common.h      | 18 +++++++++++++-----
 include/exec/vaddr.h           | 28 +++++++++++++++++++---------
 include/qemu/atomic.h          |  4 ++++
 include/tcg/tcg.h              |  6 +++---
 meson.build                    |  5 ++++-
 tcg/tci.c                      |  6 ++++--
 tcg/tci/tcg-target-reg-bits.h  |  4 ++--
 9 files changed, 58 insertions(+), 30 deletions(-)

-- 
2.43.0

[PATCH 1/5] meson.build: add TCG_VADDR_BITS for defining the vaddr size

[Kohei Tokunaga]

This commit introduces TCG_VADDR_BITS in meson.build to explicitly define
the vaddr size. For non-wasm hosts, this is set to the value of
host_long_bits, preserving the original behaviour of the check in the target
loop. For the wasm host, it's explicitly set to 64 to enable support for
64bit guests.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
---
 meson.build | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/meson.build b/meson.build
index ad2053f968..185ec96149 100644
--- a/meson.build
+++ b/meson.build
@@ -3229,6 +3229,9 @@ endif
 
 # Detect host pointer size for the target configuration loop.
 host_long_bits = cc.sizeof('void *') * 8
+tcg_vaddr_bits = host_arch == 'wasm32' ? 64 : host_long_bits
+
+config_host_data.set('TCG_VADDR_BITS', tcg_vaddr_bits)
 
 ########################
 # Target configuration #
@@ -3327,7 +3330,7 @@ foreach target : target_dirs
   target_kconfig = []
   foreach sym: accelerators
     # Disallow 64-bit on 32-bit emulation and virtualization
-    if host_long_bits < config_target['TARGET_LONG_BITS'].to_int()
+    if tcg_vaddr_bits < config_target['TARGET_LONG_BITS'].to_int()
       continue
     endif
     if sym == 'CONFIG_TCG' or target in accelerator_targets.get(sym, [])
-- 
2.43.0

[PATCH 2/5] include: define vaddr based on TCG_VADDR_BITS

[Kohei Tokunaga]

This commit defines vaddr based on TCG_VADDR_BITS. For non-wasm hosts,
TCG_VADDR_BITS maches the pointer size, so this change preserves the
original behaviour.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
---
 include/exec/helper-head.h.inc |  9 +++++----
 include/exec/vaddr.h           | 28 +++++++++++++++++++---------
 include/tcg/tcg.h              |  6 +++---
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/include/exec/helper-head.h.inc b/include/exec/helper-head.h.inc
index 5b248fd713..cbeb7bc371 100644
--- a/include/exec/helper-head.h.inc
+++ b/include/exec/helper-head.h.inc
@@ -58,16 +58,17 @@
 # define dh_ctype_tl target_ulong
 #endif /* COMPILING_PER_TARGET */
 
-#if __SIZEOF_POINTER__ == 4
+#if TCG_VADDR_BITS == 32
 # define dh_alias_vaddr i32
 # define dh_typecode_vaddr dh_typecode_i32
-#elif __SIZEOF_POINTER__ == 8
+# define dh_ctype_vaddr uint32_t
+#elif TCG_VADDR_BITS == 64
 # define dh_alias_vaddr i64
 # define dh_typecode_vaddr dh_typecode_i64
+# define dh_ctype_vaddr uint64_t
 #else
 # error "sizeof pointer is different from {4,8}"
-#endif /* __SIZEOF_POINTER__ */
-# define dh_ctype_vaddr uintptr_t
+#endif /* TCG_VADDR_BITS */
 
 /* We can't use glue() here because it falls foul of C preprocessor
    recursive expansion rules.  */
diff --git a/include/exec/vaddr.h b/include/exec/vaddr.h
index 28bec632fb..ff6184a31e 100644
--- a/include/exec/vaddr.h
+++ b/include/exec/vaddr.h
@@ -6,15 +6,25 @@
 /**
  * vaddr:
  * Type wide enough to contain any #target_ulong virtual address.
- * We do not support 64-bit guest on 32-host and detect at configure time.
- * Therefore, a host pointer width will always fit a guest pointer.
  */
-typedef uintptr_t vaddr;
-#define VADDR_PRId PRIdPTR
-#define VADDR_PRIu PRIuPTR
-#define VADDR_PRIo PRIoPTR
-#define VADDR_PRIx PRIxPTR
-#define VADDR_PRIX PRIXPTR
-#define VADDR_MAX UINTPTR_MAX
+#if TCG_VADDR_BITS == 32
+typedef uint32_t vaddr;
+#define VADDR_PRId PRId32
+#define VADDR_PRIu PRIu32
+#define VADDR_PRIo PRIo32
+#define VADDR_PRIx PRIx32
+#define VADDR_PRIX PRIX32
+#define VADDR_MAX UINT32_MAX
+#elif TCG_VADDR_BITS == 64
+typedef uint64_t vaddr;
+#define VADDR_PRId PRId64
+#define VADDR_PRIu PRIu64
+#define VADDR_PRIo PRIo64
+#define VADDR_PRIx PRIx64
+#define VADDR_PRIX PRIX64
+#define VADDR_MAX UINT64_MAX
+#else
+#error Unknown pointer size
+#endif
 
 #endif
diff --git a/include/tcg/tcg.h b/include/tcg/tcg.h
index 3fa5a7aed2..256a7b059c 100644
--- a/include/tcg/tcg.h
+++ b/include/tcg/tcg.h
@@ -218,13 +218,13 @@ typedef struct TCGv_ptr_d *TCGv_ptr;
 typedef struct TCGv_vec_d *TCGv_vec;
 typedef TCGv_ptr TCGv_env;
 
-#if __SIZEOF_POINTER__ == 4
+#if TCG_VADDR_BITS == 32
 typedef TCGv_i32 TCGv_vaddr;
-#elif __SIZEOF_POINTER__ == 8
+#elif TCG_VADDR_BITS == 64
 typedef TCGv_i64 TCGv_vaddr;
 #else
 # error "sizeof pointer is different from {4,8}"
-#endif /* __SIZEOF_POINTER__ */
+#endif /* TCG_VADDR_BITS */
 
 /* call flags */
 /* Helper does not read globals (either directly or through an exception). It
-- 
2.43.0

[PATCH 3/5] tlb: specify address field size based on TCG_VADDR_BITS

[Kohei Tokunaga]

This commit sets the address field sizes in CPUTLBEntry based on the value
of TCG_VADDR_BITS. For non-wasm hosts, TCG_VADDR_BITS matches the pointer
size so this change preserves the original behaviour.

WebAssembly supports 64bit atomics even though sizeof(void *) is 4. This
commit also updates ATOMIC_REG_SIZE value for the wasm build to ensure
assertions pass.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
---
 accel/tcg/cputlb.c        |  8 ++++----
 include/exec/tlb-common.h | 18 +++++++++++++-----
 include/qemu/atomic.h     |  4 ++++
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/accel/tcg/cputlb.c b/accel/tcg/cputlb.c
index 5f6d7c601c..b15e9e80ee 100644
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
@@ -109,13 +109,13 @@ static inline uint64_t tlb_read_idx(const CPUTLBEntry *entry,
 {
     /* Do not rearrange the CPUTLBEntry structure members. */
     QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_read) !=
-                      MMU_DATA_LOAD * sizeof(uintptr_t));
+                      MMU_DATA_LOAD * sizeof(tlb_addr));
     QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_write) !=
-                      MMU_DATA_STORE * sizeof(uintptr_t));
+                      MMU_DATA_STORE * sizeof(tlb_addr));
     QEMU_BUILD_BUG_ON(offsetof(CPUTLBEntry, addr_code) !=
-                      MMU_INST_FETCH * sizeof(uintptr_t));
+                      MMU_INST_FETCH * sizeof(tlb_addr));
 
-    const uintptr_t *ptr = &entry->addr_idx[access_type];
+    const tlb_addr *ptr = &entry->addr_idx[access_type];
     /* ofs might correspond to .addr_write, so use qatomic_read */
     return qatomic_read(ptr);
 }
diff --git a/include/exec/tlb-common.h b/include/exec/tlb-common.h
index 03b5a8ffc7..87f8beab9a 100644
--- a/include/exec/tlb-common.h
+++ b/include/exec/tlb-common.h
@@ -19,14 +19,22 @@
 #ifndef EXEC_TLB_COMMON_H
 #define EXEC_TLB_COMMON_H 1
 
-#define CPU_TLB_ENTRY_BITS (HOST_LONG_BITS == 32 ? 4 : 5)
+#if TCG_VADDR_BITS == 32
+#define CPU_TLB_ENTRY_BITS 4
+typedef uint32_t tlb_addr;
+#elif TCG_VADDR_BITS == 64
+#define CPU_TLB_ENTRY_BITS 5
+typedef uint64_t tlb_addr;
+#else
+#error Unknown pointer size
+#endif
 
 /* Minimalized TLB entry for use by TCG fast path. */
 typedef union CPUTLBEntry {
     struct {
-        uintptr_t addr_read;
-        uintptr_t addr_write;
-        uintptr_t addr_code;
+        tlb_addr addr_read;
+        tlb_addr addr_write;
+        tlb_addr addr_code;
         /*
          * Addend to virtual address to get host address.  IO accesses
          * use the corresponding iotlb value.
@@ -37,7 +45,7 @@ typedef union CPUTLBEntry {
      * Padding to get a power of two size, as well as index
      * access to addr_{read,write,code}.
      */
-    uintptr_t addr_idx[(1 << CPU_TLB_ENTRY_BITS) / sizeof(uintptr_t)];
+    tlb_addr addr_idx[(1 << CPU_TLB_ENTRY_BITS) / sizeof(tlb_addr)];
 } CPUTLBEntry;
 
 QEMU_BUILD_BUG_ON(sizeof(CPUTLBEntry) != (1 << CPU_TLB_ENTRY_BITS));
diff --git a/include/qemu/atomic.h b/include/qemu/atomic.h
index f80cba24cf..76a8fbcd8c 100644
--- a/include/qemu/atomic.h
+++ b/include/qemu/atomic.h
@@ -56,6 +56,7 @@
  */
 #define signal_barrier()    __atomic_signal_fence(__ATOMIC_SEQ_CST)
 
+#ifndef EMSCRIPTEN
 /*
  * Sanity check that the size of an atomic operation isn't "overly large".
  * Despite the fact that e.g. i686 has 64-bit atomic operations, we do not
@@ -63,6 +64,9 @@
  * bit of sanity checking that other 32-bit hosts might build.
  */
 #define ATOMIC_REG_SIZE  sizeof(void *)
+#else
+#define ATOMIC_REG_SIZE  8 /* wasm supports 64bit atomics */
+#endif
 
 /* Weak atomic operations prevent the compiler moving other
  * loads/stores past the atomic operation load/store. However there is
-- 
2.43.0

[PATCH 4/5] tci: define TCG_TARGET_REG_BITS based on TCG_VADDR_BITS

[Kohei Tokunaga]

This commit defines TCG_TARGET_REG_BITS based on the value of
TCG_VADDR_BITS. For non-wasm hosts, TCG_VADDR_BITS matches the pointer size,
so this change preserves the original behaviour. For the wasm host, this
change enables support for 64bit guests.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
---
 tcg/tci/tcg-target-reg-bits.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tcg/tci/tcg-target-reg-bits.h b/tcg/tci/tcg-target-reg-bits.h
index dcb1a203f8..0e5db44e22 100644
--- a/tcg/tci/tcg-target-reg-bits.h
+++ b/tcg/tci/tcg-target-reg-bits.h
@@ -7,9 +7,9 @@
 #ifndef TCG_TARGET_REG_BITS_H
 #define TCG_TARGET_REG_BITS_H
 
-#if UINTPTR_MAX == UINT32_MAX
+#if TCG_VADDR_BITS == 32
 # define TCG_TARGET_REG_BITS 32
-#elif UINTPTR_MAX == UINT64_MAX
+#elif TCG_VADDR_BITS == 64
 # define TCG_TARGET_REG_BITS 64
 #else
 # error Unknown pointer size for tci target
-- 
2.43.0

[PATCH 5/5] tci: use tcg_target_ulong when retrieving the pool data

[Kohei Tokunaga]

TCI's tcg_out_call stores "func" and "cif" as tcg_target_ulong in the TB
using the pool feature. On non-wasm hosts, tcg_target_ulong matches the
pointer size so this commit preserves the original behaviour. On the wasm
host, tcg_target_ulong differs from the pointer size so this change ensures
TCI retrieves the data using the correct type consistent with how it was
stored using the pool feature.

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
---
 tcg/tci.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tcg/tci.c b/tcg/tci.c
index 700e672616..cee65bceea 100644
--- a/tcg/tci.c
+++ b/tcg/tci.c
@@ -367,10 +367,12 @@ uintptr_t QEMU_DISABLE_CFI tcg_qemu_tb_exec(CPUArchState *env,
                 ffi_cif *cif;
                 void *func;
                 unsigned i, s, n;
+                tcg_target_ulong *data;
 
                 tci_args_nl(insn, tb_ptr, &len, &ptr);
-                func = ((void **)ptr)[0];
-                cif = ((void **)ptr)[1];
+                data = ptr;
+                func = (void *)data[0];
+                cif = (void *)data[1];
 
                 n = cif->nargs;
                 for (i = s = 0; i < n; ++i) {
-- 
2.43.0

Re: [PATCH 0/5] Enable QEMU TCI to run 64bit guests on browsers

[Kohei Tokunaga]

[-- Attachment #1: Type: text/plain, Size: 181 bytes --]

Hi all,

Kinldy ping on this patch series. I would appreciate any feedback or
comments.

Patchew URL:
https://patchew.org/QEMU/cover.1747922170.git.ktokunaga.mail@gmail.com/

Kohei

[-- Attachment #2: Type: text/html, Size: 339 bytes --]