From: Max Filippov
To: 陳韋任
Cc: qemu-devel@nongnu.org
Date: Thu, 18 Aug 2011 13:31:25 +0400
Subject: Re: [Qemu-devel] The reason behind block linking constraint?
In-Reply-To: <20110818063338.GA69924@cs.nctu.edu.tw>

> Hi, all
>
> I am trying to figure out why QEMU puts some constraints on block
> linking (chaining). Take x86 as an example: there are two places that
> put constraints on block linking, gen_goto_tb and cpu_exec.
>
> ----------------- gen_goto_tb (target-i386/translate.c) ---------------
>  /* NOTE: we handle the case where the TB spans two pages here */
>  if ((pc & TARGET_PAGE_MASK) == (tb->pc & TARGET_PAGE_MASK) ||
>      (pc & TARGET_PAGE_MASK) == ((s->pc - 1) & TARGET_PAGE_MASK)) {
>      /* jump to same page: we can use a direct jump */
>      tcg_gen_goto_tb(tb_num);
>      gen_jmp_im(eip);
>      tcg_gen_exit_tb((tcg_target_long)tb + tb_num);
>  } else {
>      /* jump to another page: currently not optimized */
>      gen_jmp_im(eip);
>      gen_eob(s);
>  }
> -----------------------------------------------------------------------
>
> ----------------------- cpu_exec (cpu-exec.c) -------------------------
>  /* see if we can patch the calling TB. When the TB
>     spans two pages, we cannot safely do a direct
>     jump. */
>  if (next_tb != 0 && tb->page_addr[1] == -1) {
>      tb_add_jump((TranslationBlock *)(next_tb & ~3), next_tb & 3, tb);
>  }
> -----------------------------------------------------------------------
>
> Is it just because we cannot optimize block linking which crosses a page
> boundary, or are there some correctness/safety issues that should be
> considered?

If we link a TB with another TB from a different page, then the second TB
may disappear when the memory mapping changes, and the subsequent direct
jump from the first TB will crash qemu.

I guess that this usually does not happen in usermode, because the guest
would not modify the executable code memory mapping. However, I suppose
that this is also possible.

-- 
Thanks.
-- Max
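The following is an added illustration of the two checks quoted in the thread and of the failure mode Max describes; it is not code from this thread or from QEMU. It is a self-contained model: the `TB` struct, `make_tb`, `link_checked`, `link_unchecked`, `invalidate_page`, `link_dangles` and `demo` are assumed stand-ins, pages are 4 KiB, and page_addr holds guest-virtual pages (no physical translation). `can_direct_jump` reproduces the gen_goto_tb page test and `can_patch_caller` the cpu_exec page_addr[1] test; `demo` builds two TBs on different pages, links them with or without the checks, remaps the second page, and reports whether the first TB is left holding a direct jump to a TB that no longer exists.

```c
/* Added example, not QEMU code: a model of QEMU's two block-linking checks
 * and of why a cross-page direct link can dangle after a remap. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t target_ulong;
#define TARGET_PAGE_BITS 12                         /* assumed 4 KiB pages */
#define TARGET_PAGE_SIZE ((target_ulong)1 << TARGET_PAGE_BITS)
#define TARGET_PAGE_MASK (~(TARGET_PAGE_SIZE - 1))

/* Minimal stand-in for QEMU's TranslationBlock (assumed layout). */
typedef struct TB {
    target_ulong pc;            /* guest pc of the block's first insn */
    target_ulong last_pc;       /* pc just past the last decoded insn (QEMU's s->pc) */
    target_ulong page_addr[2];  /* pages the TB touches; [1] == -1 if it fits in one page */
    struct TB *jmp_target;      /* patched direct-jump target, or NULL */
    int valid;                  /* cleared when the TB's page is invalidated */
} TB;

TB make_tb(target_ulong pc, target_ulong last_pc)
{
    TB tb = {0};
    target_ulong end_page = (last_pc - 1) & TARGET_PAGE_MASK;
    tb.pc = pc;
    tb.last_pc = last_pc;
    tb.page_addr[0] = pc & TARGET_PAGE_MASK;
    tb.page_addr[1] = (end_page == tb.page_addr[0]) ? (target_ulong)-1 : end_page;
    tb.valid = 1;
    return tb;
}

/* gen_goto_tb rule: a direct jump is allowed only if the target pc lies on
 * the page of the TB start or on the page of the last decoded insn. */
int can_direct_jump(target_ulong target_pc, const TB *tb)
{
    return (target_pc & TARGET_PAGE_MASK) == (tb->pc & TARGET_PAGE_MASK) ||
           (target_pc & TARGET_PAGE_MASK) == ((tb->last_pc - 1) & TARGET_PAGE_MASK);
}

/* cpu_exec rule: the calling TB may be patched only if it does not span two pages. */
int can_patch_caller(const TB *caller)
{
    return caller->page_addr[1] == (target_ulong)-1;
}

/* Link with both checks applied. Returns 1 if the link was made, 0 if refused. */
int link_checked(TB *from, TB *to)
{
    if (!can_direct_jump(to->pc, from) || !can_patch_caller(from))
        return 0;
    from->jmp_target = to;
    return 1;
}

/* Link with no checks: the unconstrained linking the question asks about. */
void link_unchecked(TB *from, TB *to)
{
    from->jmp_target = to;
}

/* The guest changes the mapping of `page`: every TB on that page is invalidated. */
void invalidate_page(TB *tbs[], int n, target_ulong page)
{
    for (int i = 0; i < n; i++)
        if (tbs[i]->page_addr[0] == page || tbs[i]->page_addr[1] == page)
            tbs[i]->valid = 0;
}

/* 1 if `from` still holds a direct jump to a TB that has been invalidated. */
int link_dangles(const TB *from)
{
    return from->jmp_target != NULL && !from->jmp_target->valid;
}

/* Scenario: TB A on page 0x1000 ends with a jump to TB B at 0x2000, then the
 * guest remaps page 0x2000. Returns 1 if A is left with a dangling link. */
int demo(int use_checks)
{
    TB a = make_tb(0x1000, 0x1010);   /* wholly inside page 0x1000 */
    TB b = make_tb(0x2000, 0x2008);   /* wholly inside page 0x2000 */
    TB *all[] = { &a, &b };
    if (use_checks)
        link_checked(&a, &b);         /* refused: cross-page target */
    else
        link_unchecked(&a, &b);
    invalidate_page(all, 2, 0x2000);  /* B disappears with its page */
    return link_dangles(&a);
}

int main(void)
{
    printf("unchecked link dangles after remap: %d\n", demo(0));
    printf("checked link dangles after remap:   %d\n", demo(1));
    return 0;
}
```

The two checks are complementary: `can_direct_jump` lets a TB that itself spans two pages target either of its own pages, while `can_patch_caller` then refuses to patch such a spanning TB at all, so a link is only ever created between code that lives entirely on one page and is therefore invalidated together.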