Changeset 102663 in vbox for trunk/src/VBox/VMM/VMMAll

Timestamp:

Dec 21, 2023 1:55:07 AM (15 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

160825

Message:

VMM/IEM: Working on BODY_CHECK_PC_AFTER_BRANCH and sideeffects of it. Fixed bug in 8-bit register stores (AMD64). Fixed bug in iemNativeEmitBltInCheckOpcodes (AMD64). Added a way to inject state logging between each instruction, currently only really implemented for AMD64. Relaxed the heave flushing code, no need to set the buffer pointer to NULL. Started looking at avoiding code TLB flushing when allocating memory to replace zero pages. bugref:10371

Location:

trunk/src/VBox/VMM/VMMAll

Files:

• IEMAll.cpp (modified) (1 diff)
• IEMAllN8veHlpA.asm (added)
• IEMAllN8veRecompBltIn.cpp (modified) (13 diffs)
• IEMAllN8veRecompiler.cpp (modified) (11 diffs)
• IEMAllThrdFuncsBltIn.cpp (modified) (6 diffs)
• IEMAllThrdPython.py (modified) (2 diffs)
• IEMAllThrdRecompiler.cpp (modified) (6 diffs)
• PGMAllPhys.cpp (modified) (3 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -816 +816 @@
     pVCpu->iem.s.cbOpcode = cbInstr; /* Note! SVM and VT-x may set this to zero on exit, rather than the instruction length. */
 #elif 1
-    pVCpu->iem.s.pbInstrBuf      = NULL;
     pVCpu->iem.s.cbInstrBufTotal = 0;
     RT_NOREF(cbInstr);

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompBltIn.cpp

@@ -61 +61 @@
 *   TB Helper Functions                                                                                                          *
 *********************************************************************************************************************************/
+#ifdef RT_ARCH_AMD64
+DECLASM(void) iemNativeHlpAsmSafeWrapLogCpuState(void);
+#endif
 
 
@@ -67 +70 @@
 *   Builtin functions                                                                                                            *
 *********************************************************************************************************************************/
+
+/**
+ * Built-in function that does nothing.
+ *
+ * Whether this is called or not can be controlled by the entry in the
+ * IEMThreadedGenerator.katBltIns table.  This can be useful to determine
+ * whether why behaviour changes when enabling the LogCpuState builtins.  I.e.
+ * whether it's the reduced call count in the TBs or the threaded calls flushing
+ * register state.
+ */
+IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_Nop)
+{
+    RT_NOREF(pReNative, pCallEntry);
+    return off;
+}
+
+
+/**
+ * Emits for for LogCpuState.
+ *
+ * This shouldn't have any relevant impact on the recompiler state.
+ */
+IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_LogCpuState)
+{
+#ifdef RT_ARCH_AMD64
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 20);
+    /* push rax */
+    pbCodeBuf[off++] = 0x50 + X86_GREG_xAX;
+    /* push imm32 */
+    pbCodeBuf[off++] = 0x68;
+    pbCodeBuf[off++] = RT_BYTE1(pCallEntry->auParams[0]);
+    pbCodeBuf[off++] = RT_BYTE2(pCallEntry->auParams[0]);
+    pbCodeBuf[off++] = RT_BYTE3(pCallEntry->auParams[0]);
+    pbCodeBuf[off++] = RT_BYTE4(pCallEntry->auParams[0]);
+    /* mov rax, iemNativeHlpAsmSafeWrapLogCpuState */
+    pbCodeBuf[off++] = X86_OP_REX_W;
+    pbCodeBuf[off++] = 0xb8 + X86_GREG_xAX;
+    *(uint64_t *)&pbCodeBuf[off] = (uintptr_t)iemNativeHlpAsmSafeWrapLogCpuState;
+    off += sizeof(uint64_t);
+    /* call rax */
+    pbCodeBuf[off++] = 0xff;
+    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 2, X86_GREG_xAX);
+    /* pop rax */
+    pbCodeBuf[off++] = 0x58 + X86_GREG_xAX;
+    /* pop rax */
+    pbCodeBuf[off++] = 0x58 + X86_GREG_xAX;
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+
+#else
+    /** @todo Implement this  */
+    AssertFailed();
+    RT_NOREF(pReNative, pCallEntry);
+#endif
+    return off;
+}
+
 
 /**
@@ -211 +270 @@
     Assert(cbInstr >  0);
     Assert(cbInstr < 16);
+#ifdef VBOX_STRICT
+    off = iemNativeEmitMarker(pReNative, off, 0x80000001);
+#endif
 
     /*
@@ -304 +366 @@
  */
 #define BODY_CONSIDER_CS_LIM_CHECKING(a_pTb, a_cbInstr) \
-    RT_NOREF(cbInstr); \
+    RT_NOREF(a_cbInstr); \
     off = iemNativeEmitBltInConsiderLimChecking(pReNative, off)
 
@@ -310 +372 @@
 iemNativeEmitBltInConsiderLimChecking(PIEMRECOMPILERSTATE pReNative, uint32_t off)
 {
+#ifdef VBOX_STRICT
+    off = iemNativeEmitMarker(pReNative, off, 0x80000002);
+#endif
+
     /*
      * This check must match the ones in the iem in iemGetTbFlagsForCurrentPc
@@ -380 +446 @@
  */
 #define BODY_CHECK_OPCODES(a_pTb, a_idxRange, a_offRange, a_cbInstr) \
-    RT_NOREF(cbInstr); \
+    RT_NOREF(a_cbInstr); \
     off = iemNativeEmitBltInCheckOpcodes(pReNative, off, (a_pTb), (a_idxRange), (a_offRange))
 
@@ -388 +454 @@
     Assert(idxRange < pTb->cRanges && pTb->cRanges <= RT_ELEMENTS(pTb->aRanges));
     Assert(offRange < pTb->aRanges[idxRange].cbOpcodes);
+#ifdef VBOX_STRICT
+    off = iemNativeEmitMarker(pReNative, off, 0x80000003);
+#endif
 
     uint32_t const      idxLabelObsoleteTb = iemNativeLabelCreate(pReNative, kIemNativeLabelType_ObsoleteTb);
@@ -428 +497 @@
             { \
                 pbCodeBuf[off++] = 0x74; /* jz near +5 */ \
-                pbCodeBuf[off++] = 0x05; \
+                pbCodeBuf[off++] = 0x05 /*+ 1*/; \
                 offConsolidatedJump = off; \
+                /*pbCodeBuf[off++] = 0xcc; */ \
                 pbCodeBuf[off++] = 0xe9; /* jmp rel32 */ \
                 iemNativeAddFixup(pReNative, off, idxLabelObsoleteTb, kIemNativeFixupType_Rel32, -4); \
@@ -587 +657 @@
 
         if (cbLeft & 4)
-            CHECK_OPCODES_CMPSX(0xa7, 0, 0);                                /* cost: 3 */
+            CHECK_OPCODES_CMPSX(0xa7, 4, 0);                                /* cost: 3 */
         if (cbLeft & 2)
-            CHECK_OPCODES_CMPSX(0xa7, 0, X86_OP_PRF_SIZE_OP);               /* cost: 4 */
-        if (cbLeft & 2)
-            CHECK_OPCODES_CMPSX(0xa6, 0, 0);                                /* cost: 3 */
+            CHECK_OPCODES_CMPSX(0xa7, 2, X86_OP_PRF_SIZE_OP);               /* cost: 4 */
+        if (cbLeft & 1)
+            CHECK_OPCODES_CMPSX(0xa6, 1, 0);                                /* cost: 3 */
 
         IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
@@ -867 +937 @@
 
 
+/** Duplicated in IEMAllThrdFuncsBltIn.cpp. */
+DECL_FORCE_INLINE(RTGCPHYS) iemTbGetRangePhysPageAddr(PCIEMTB pTb, uint8_t idxRange)
+{
+    Assert(idxRange < RT_MIN(pTb->cRanges, RT_ELEMENTS(pTb->aRanges)));
+    uint8_t const idxPage = pTb->aRanges[idxRange].idxPhysPage;
+    Assert(idxPage <= RT_ELEMENTS(pTb->aGCPhysPages));
+    if (idxPage == 0)
+        return pTb->GCPhysPc & ~(RTGCPHYS)GUEST_PAGE_OFFSET_MASK;
+    Assert(!(pTb->aGCPhysPages[idxPage - 1] & GUEST_PAGE_OFFSET_MASK));
+    return pTb->aGCPhysPages[idxPage - 1];
+}
+
+
+/**
+ * Macro that implements PC check after a conditional branch.
+ */
+#define BODY_CHECK_PC_AFTER_BRANCH(a_pTb, a_idxRange, a_offRange, a_cbInstr)  \
+    RT_NOREF(a_cbInstr); \
+    off = iemNativeEmitBltInCheckPcAfterBranch(pReNative, off, a_pTb, a_idxRange, a_offRange)
+
+DECL_FORCE_INLINE(uint32_t)
+iemNativeEmitBltInCheckPcAfterBranch(PIEMRECOMPILERSTATE pReNative, uint32_t off, PCIEMTB pTb,
+                                     uint8_t idxRange, uint16_t offRange)
+{
+#ifdef VBOX_STRICT
+    off = iemNativeEmitMarker(pReNative, off, 0x80000004);
+#endif
+
+    /*
+     * The GCPhysRangePageWithOffset value in the threaded function is a fixed
+     * constant for us here.
+     *
+     * We can pretend that iem.s.cbInstrBufTotal is X86_PAGE_SIZE here, because
+     * it serves no purpose as a CS.LIM, if that's needed we've just performed
+     * it, and as long as we don't implement code TLB reload code here there is
+     * no point in checking that the TLB data we're using is still valid.
+     *
+     * What we to do is.
+     *      1. Calculate the FLAT PC (RIP + CS.BASE).
+     *      2. Subtract iem.s.uInstrBufPc from it and getting 'off'.
+     *      3. The 'off' must be less than X86_PAGE_SIZE/cbInstrBufTotal or
+     *         we're in the wrong spot and need to find a new TB.
+     *      4. Add 'off' to iem.s.GCPhysInstrBuf and compare with the
+     *         GCPhysRangePageWithOffset constant mentioned above.
+     *
+     * The adding of CS.BASE to RIP can be skipped in the first step if we're
+     * in 64-bit code or flat 32-bit.
+     */
+
+    /* Allocate registers for step 1. Get the shadowed stuff before allocating
+       the temp register, so we don't accidentally clobber something we'll be
+       needing again immediately.  This is why we get idxRegCsBase here. */
+    uint8_t const  idxRegPc     = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_Pc,
+                                                                  kIemNativeGstRegUse_ReadOnly);
+    uint8_t const  idxRegCsBase = IEM_F_MODE_X86_IS_FLAT(pReNative->fExec) ? UINT8_MAX
+                                : iemNativeRegAllocTmpForGuestReg(pReNative, &off, IEMNATIVEGSTREG_SEG_BASE(X86_SREG_CS),
+                                                                 kIemNativeGstRegUse_ReadOnly);
+
+    uint8_t const  idxRegTmp    = iemNativeRegAllocTmp(pReNative, &off);
+
+#ifdef VBOX_STRICT
+    /* Do assertions before idxRegTmp contains anything. */
+    Assert(RT_SIZEOFMEMB(VMCPUCC, iem.s.cbInstrBufTotal) == sizeof(uint16_t));
+# ifdef RT_ARCH_AMD64
+    {
+        uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 8+2+1 + 11+2+1);
+        /* Assert(pVCpu->cpum.GstCtx.cs.u64Base == 0 || !IEM_F_MODE_X86_IS_FLAT(pReNative->fExec)); */
+        if (IEM_F_MODE_X86_IS_FLAT(pReNative->fExec))
+        {
+            /* cmp r/m64, imm8 */
+            pbCodeBuf[off++] = X86_OP_REX_W;
+            pbCodeBuf[off++] = 0x83;
+            off = iemNativeEmitGprByVCpuDisp(pbCodeBuf, off, 7, RT_UOFFSETOF(VMCPUCC, cpum.GstCtx.cs.u64Base));
+            pbCodeBuf[off++] = 0;
+            /* je rel8 */
+            pbCodeBuf[off++] = 0x74;
+            pbCodeBuf[off++] = 1;
+            /* int3 */
+            pbCodeBuf[off++] = 0xcc;
+
+        }
+
+        /* Assert(!(pVCpu->iem.s.GCPhysInstrBuf & X86_PAGE_OFFSET_MASK)); - done later by the non-x86 code */
+        /* test r/m64, imm32 */
+        pbCodeBuf[off++] = X86_OP_REX_W;
+        pbCodeBuf[off++] = 0xf7;
+        off = iemNativeEmitGprByVCpuDisp(pbCodeBuf, off, 0, RT_UOFFSETOF(VMCPUCC, iem.s.GCPhysInstrBuf));
+        pbCodeBuf[off++] = RT_BYTE1(X86_PAGE_OFFSET_MASK);
+        pbCodeBuf[off++] = RT_BYTE2(X86_PAGE_OFFSET_MASK);
+        pbCodeBuf[off++] = RT_BYTE3(X86_PAGE_OFFSET_MASK);
+        pbCodeBuf[off++] = RT_BYTE4(X86_PAGE_OFFSET_MASK);
+        /* jz rel8 */
+        pbCodeBuf[off++] = 0x74;
+        pbCodeBuf[off++] = 1;
+        /* int3 */
+        pbCodeBuf[off++] = 0xcc;
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    }
+# else
+off = iemNativeEmitBrk(pReNative, off, 0x1234);
+
+    /* Assert(pVCpu->cpum.GstCtx.cs.u64Base == 0 || !IEM_F_MODE_X86_IS_FLAT(pReNative->fExec)); */
+    if (IEM_F_MODE_X86_IS_FLAT(pReNative->fExec))
+    {
+        off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxRegTmp, RT_UOFFSETOF(VMCPUCC, cpum.GstCtx.cs.u64Base));
+# ifdef RT_ARCH_ARM64
+        uint32_t * const pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 2);
+        pu32CodeBuf[off++] = Armv8A64MkInstrCbzCbnz(false /*fJmpIfNotZero*/, 1, idxRegTmp);
+        pu32CodeBuf[off++] = Armv8A64MkInstrBrk(0x2004);
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+# else
+#  error "Port me!"
+# endif
+    }
+# endif
+
+#endif /* VBOX_STRICT */
+
+    /* 1+2. Calculate 'off' first (into idxRegTmp). */
+    off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxRegTmp, RT_UOFFSETOF(VMCPUCC, iem.s.uInstrBufPc));
+    if (IEM_F_MODE_X86_IS_FLAT(pReNative->fExec))
+    {
+#ifdef RT_ARCH_ARM64
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+        pu32CodeBuf[off++] = Armv8A64MkInstrSubReg(idxRegTmp, idxRegPc, idxRegTmp);
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+#else
+        off = iemNativeEmitNegGpr(pReNative, off, idxRegTmp);
+        off = iemNativeEmitAddTwoGprs(pReNative, off, idxRegTmp, idxRegPc);
+#endif
+    }
+    else
+    {
+#ifdef RT_ARCH_ARM64
+        uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 2);
+        pu32CodeBuf[off++] = Armv8A64MkInstrSubReg(idxRegTmp, idxRegCsBase, idxRegTmp);
+        pu32CodeBuf[off++] = Armv8A64MkInstrAddReg(idxRegTmp, idxRegTmp, idxRegPc);
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+#else
+        off = iemNativeEmitNegGpr(pReNative, off, idxRegTmp);
+        off = iemNativeEmitAddTwoGprs(pReNative, off, idxRegTmp, idxRegCsBase);
+        off = iemNativeEmitAddTwoGprs(pReNative, off, idxRegTmp, idxRegPc);
+#endif
+        iemNativeRegFreeTmp(pReNative, idxRegCsBase);
+    }
+    iemNativeRegFreeTmp(pReNative, idxRegPc);
+
+    /* 3. Check that off is less than X86_PAGE_SIZE/cbInstrBufTotal. */
+    off = iemNativeEmitCmpGprWithImm(pReNative, off, idxRegTmp, X86_PAGE_SIZE - 1);
+    off = iemNativeEmitJaToNewLabel(pReNative, off, kIemNativeLabelType_CheckBranchMiss);
+
+    /* 4. Add iem.s.GCPhysInstrBuf and compare with GCPhysRangePageWithOffset. */
+#ifdef RT_ARCH_AMD64
+    uint8_t * const pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 7);
+    pbCodeBuf[off++] = idxRegTmp < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_R;
+    pbCodeBuf[off++] = 0x03; /* add r64, r/m64 */
+    off = iemNativeEmitGprByVCpuDisp(pbCodeBuf, off, idxRegTmp, RT_UOFFSETOF(VMCPUCC, iem.s.GCPhysInstrBuf));
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+
+#elif defined(RT_ARCH_ARM64)
+    uint8_t const idxRegTmp2 = iemNativeRegAllocTmp(pReNative, &off);
+
+    off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxRegTmp2, RT_UOFFSETOF(VMCPUCC, iem.s.GCPhysInstrBuf));
+    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
+    pu32CodeBuf[off++] = Armv8A64MkInstrSubReg(idxRegTmp, idxRegTmp, idxRegTmp2);
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+
+# ifdef VBOX_STRICT /* Assert(!(pVCpu->iem.s.GCPhysInstrBuf & X86_PAGE_OFFSET_MASK)); */
+    off = iemNativeEmitAndGpr32ByImm(pReNative, off, idxRegTmp, X86_PAGE_OFFSET_MASK, true /*fSetFlags*/);
+    off = iemNativeEmitJzToFixed(pReNative, off, 1);
+    off = iemNativeEmitBrk(pReNative, off, 0x2005);
+# endif
+    iemNativeRegFreeTmp(pReNative, idxRegTmp2);
+#else
+# error "Port me"
+#endif
+
+    RTGCPHYS const GCPhysRangePageWithOffset = (  iemTbGetRangePhysPageAddr(pTb, idxRange)
+                                                | pTb->aRanges[idxRange].offPhysPage)
+                                             + offRange;
+    off = iemNativeEmitTestIfGprNotEqualImmAndJmpToNewLabel(pReNative, off, idxRegTmp, GCPhysRangePageWithOffset,
+                                                            kIemNativeLabelType_CheckBranchMiss);
+
+    iemNativeRegFreeTmp(pReNative, idxRegTmp);
+    return off;
+}
+
+
 #ifdef BODY_CHECK_CS_LIM
 /**
@@ -958 +1216 @@
     BODY_SET_CUR_INSTR();
     BODY_CHECK_CS_LIM(cbInstr);
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));
@@ -981 +1239 @@
     //LogFunc(("idxRange=%u @ %#x LB %#x: offPhysPage=%#x LB %#x\n", idxRange, offRange, cbInstr, pTb->aRanges[idxRange].offPhysPage, pTb->aRanges[idxRange].cbOpcodes));
     BODY_SET_CUR_INSTR();
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));
@@ -1006 +1264 @@
     BODY_SET_CUR_INSTR();
     BODY_CONSIDER_CS_LIM_CHECKING(pTb, cbInstr);
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp

@@ -1605 +1605 @@
        the executable memory till we've returned our way back to iemTbExec as
        that return path codes via the native code generated for the TB. */
+    Log7(("TB obsolete: %p at %04x:%08RX64\n", pVCpu->iem.s.pCurTbR3, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
     iemThreadedTbObsolete(pVCpu, pVCpu->iem.s.pCurTbR3, false /*fSafeToFree*/);
     return VINF_IEM_REEXEC_BREAK;
@@ -1622 +1623 @@
     return VINF_IEM_REEXEC_BREAK;
 }
+
+
+/**
+ * Used by TB code when we missed a PC check after a branch.
+ */
+IEM_DECL_NATIVE_HLP_DEF(int, iemNativeHlpCheckBranchMiss,(PVMCPUCC pVCpu))
+{
+    Log7(("TB jmp miss: %p at %04x:%08RX64; GCPhysWithOffset=%RGp, pbInstrBuf=%p\n",
+          pVCpu->iem.s.pCurTbR3, pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip,
+          pVCpu->iem.s.GCPhysInstrBuf + pVCpu->cpum.GstCtx.rip + pVCpu->cpum.GstCtx.cs.u64Base - pVCpu->iem.s.uInstrBufPc,
+          pVCpu->iem.s.pbInstrBuf));
+    STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckBranchMisses);
+    return VINF_IEM_REEXEC_BREAK;
+}
+
 
 
@@ -2449 +2465 @@
     pReNative->Core.u64ArgVars             = UINT64_MAX;
 
-    AssertCompile(RT_ELEMENTS(pReNative->aidxUniqueLabels) == 8);
+    AssertCompile(RT_ELEMENTS(pReNative->aidxUniqueLabels) == 9);
     pReNative->aidxUniqueLabels[0]         = UINT32_MAX;
     pReNative->aidxUniqueLabels[1]         = UINT32_MAX;
@@ -2458 +2474 @@
     pReNative->aidxUniqueLabels[6]         = UINT32_MAX;
     pReNative->aidxUniqueLabels[7]         = UINT32_MAX;
+    pReNative->aidxUniqueLabels[8]         = UINT32_MAX;
 
     /* Full host register reinit: */
@@ -4850 +4867 @@
 
 /**
+ * Emits the code at the CheckBranchMiss label.
+ */
+static uint32_t iemNativeEmitCheckBranchMiss(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint32_t idxReturnLabel)
+{
+    uint32_t const idxLabel = iemNativeLabelFind(pReNative, kIemNativeLabelType_CheckBranchMiss);
+    if (idxLabel != UINT32_MAX)
+    {
+        iemNativeLabelDefine(pReNative, idxLabel, off);
+
+        /* int iemNativeHlpCheckBranchMiss(PVMCPUCC pVCpu) */
+        off = iemNativeEmitLoadGprFromGpr(pReNative, off, IEMNATIVE_CALL_ARG0_GREG, IEMNATIVE_REG_FIXED_PVMCPU);
+        off = iemNativeEmitCallImm(pReNative, off, (uintptr_t)iemNativeHlpCheckBranchMiss);
+
+        /* jump back to the return sequence. */
+        off = iemNativeEmitJmpToLabel(pReNative, off, idxReturnLabel);
+    }
+    return off;
+}
+
+
+/**
  * Emits the code at the NeedCsLimChecking label.
  */
@@ -8184 +8222 @@
         if (idxGstTmpReg >= 8 || idxVarReg >= 8)
             pbCodeBuf[off++] = (idxGstTmpReg >= 8 ? X86_OP_REX_R : 0) | (idxVarReg >= 8 ? X86_OP_REX_B : 0);
-        else if (idxGstTmpReg >= 4)
+        else if (idxGstTmpReg >= 4 || idxVarReg >= 4)
             pbCodeBuf[off++] = X86_OP_REX;
         pbCodeBuf[off++] = 0x8a;
@@ -11169 +11207 @@
 {
     AssertReturnVoid((pTb->fFlags & IEMTB_F_TYPE_MASK) == IEMTB_F_TYPE_NATIVE);
+#if defined(RT_ARCH_AMD64)
+    static const char * const a_apszMarkers[] =
+    {
+        "unknown0", "CheckCsLim", "ConsiderLimChecking", "CheckOpcodes", "PcAfterBranch",
+    };
+#endif
 
     char                    szDisBuf[512];
@@ -11374 +11418 @@
                                 case kIemNativeLabelType_NeedCsLimChecking:
                                     pszName = "NeedCsLimChecking";
+                                    break;
+                                case kIemNativeLabelType_CheckBranchMiss:
+                                    pszName = "CheckBranchMiss";
                                     break;
                                 case kIemNativeLabelType_If:
@@ -11442 +11489 @@
                                         g_acIemThreadedFunctionUsedArgs[RT_HIWORD(uInfo)],
                                         uInfo & 0x8000 ? "recompiled" : "todo");
+                    else if ((uInfo & ~RT_BIT_32(31)) < RT_ELEMENTS(a_apszMarkers))
+                        pHlp->pfnPrintf(pHlp, "    %p: nop ; marker: %s\n", pNativeCur, a_apszMarkers[uInfo & ~RT_BIT_32(31)]);
                     else
                         pHlp->pfnPrintf(pHlp, "    %p: nop ; unknown marker: %#x (%d)\n", pNativeCur, uInfo, uInfo);
@@ -11572 +11621 @@
                                         g_acIemThreadedFunctionUsedArgs[RT_HIWORD(uInfo)],
                                         uInfo & 0x8000 ? "recompiled" : "todo");
+                    else if ((uInfo & ~RT_BIT_32(31)) < RT_ELEMENTS(a_apszMarkers))
+                        pHlp->pfnPrintf(pHlp, "    %p: nop ; marker: %s\n", pNativeCur, a_apszMarkers[uInfo & ~RT_BIT_32(31)]);
                     else
                         pHlp->pfnPrintf(pHlp, "    %p: nop ; unknown marker: %#x (%d)\n", pNativeCur, uInfo, uInfo);
@@ -11777 +11828 @@
         if (pReNative->bmLabelTypes & RT_BIT_64(kIemNativeLabelType_NeedCsLimChecking))
             off = iemNativeEmitNeedCsLimChecking(pReNative, off, idxReturnLabel);
+        if (pReNative->bmLabelTypes & RT_BIT_64(kIemNativeLabelType_CheckBranchMiss))
+            off = iemNativeEmitCheckBranchMiss(pReNative, off, idxReturnLabel);
     }
     IEMNATIVE_CATCH_LONGJMP_BEGIN(pReNative, rc);

trunk/src/VBox/VMM/VMMAll/IEMAllThrdFuncsBltIn.cpp

@@ -79 +79 @@
     iemThreadedTbObsolete(pVCpu, pVCpu->iem.s.pCurTbR3, false /*fSafeToFree*/);
     return VINF_IEM_REEXEC_BREAK;
+}
+
+
+/**
+ * Built-in function that does absolutely nothing - for debugging.
+ *
+ * This can be used for artifically increasing the number of calls generated, or
+ * for triggering flushes associated with threaded calls.
+ */
+IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_Nop)
+{
+    RT_NOREF(pVCpu, uParam0, uParam1, uParam2);
+    return VINF_SUCCESS;
+}
+
+
+
+/**
+ * This is also called from iemNativeHlpAsmSafeWrapLogCpuState.
+ */
+DECLASM(void) iemThreadedFunc_BltIn_LogCpuStateWorker(PVMCPU pVCpu)
+{
+#ifdef LOG_ENABLED
+    PCIEMTB const      pTb     = pVCpu->iem.s.pCurTbR3;
+    PCX86FXSTATE const pFpuCtx = &pVCpu->cpum.GstCtx.XState.x87;
+    Log2(("**** LG%c fExec=%x pTb=%p cUsed=%u\n"
+          " eax=%08x ebx=%08x ecx=%08x edx=%08x esi=%08x edi=%08x\n"
+          " eip=%08x esp=%08x ebp=%08x iopl=%d tr=%04x\n"
+          " cs=%04x ss=%04x ds=%04x es=%04x fs=%04x gs=%04x efl=%08x\n"
+          " fsw=%04x fcw=%04x ftw=%02x mxcsr=%04x/%04x\n"
+          , pTb && (pTb->fFlags & IEMTB_F_TYPE_NATIVE) ? 'n' : 't', pVCpu->iem.s.fExec, pTb, pTb ? pTb->cUsed : 0,
+          pVCpu->cpum.GstCtx.eax, pVCpu->cpum.GstCtx.ebx, pVCpu->cpum.GstCtx.ecx, pVCpu->cpum.GstCtx.edx, pVCpu->cpum.GstCtx.esi, pVCpu->cpum.GstCtx.edi,
+          pVCpu->cpum.GstCtx.eip, pVCpu->cpum.GstCtx.esp, pVCpu->cpum.GstCtx.ebp, pVCpu->cpum.GstCtx.eflags.Bits.u2IOPL, pVCpu->cpum.GstCtx.tr.Sel,
+          pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.ss.Sel, pVCpu->cpum.GstCtx.ds.Sel, pVCpu->cpum.GstCtx.es.Sel,
+          pVCpu->cpum.GstCtx.fs.Sel, pVCpu->cpum.GstCtx.gs.Sel, pVCpu->cpum.GstCtx.eflags.u,
+          pFpuCtx->FSW, pFpuCtx->FCW, pFpuCtx->FTW, pFpuCtx->MXCSR, pFpuCtx->MXCSR_MASK ));
+#else
+    RT_NOREF(pVCpu);
+#endif
+}
+
+
+/**
+ * Built-in function that logs the current CPU state - for debugging.
+ */
+IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_LogCpuState)
+{
+    iemThreadedFunc_BltIn_LogCpuStateWorker(pVCpu);
+    RT_NOREF(uParam0, uParam1, uParam2);
+    return VINF_SUCCESS;
 }
 
@@ -348 +398 @@
  * Macro that implements PC check after a conditional branch.
  */
-#define BODY_CHECK_PC_AFTER_BRANCH(a_pTb, a_idxRange, a_cbInstr) do { \
+#define BODY_CHECK_PC_AFTER_BRANCH(a_pTb, a_idxRange, a_offRange, a_cbInstr) do { \
         /* Is RIP within the current code page? */ \
         Assert(pVCpu->cpum.GstCtx.cs.u64Base == 0 || !IEM_IS_64BIT_CODE(pVCpu)); \
@@ -354 +404 @@
         uint64_t const off = uPc - pVCpu->iem.s.uInstrBufPc; \
         Assert(!(pVCpu->iem.s.GCPhysInstrBuf & GUEST_PAGE_OFFSET_MASK)); \
-        RTGCPHYS const GCPhysRangePageWithOffset = iemTbGetRangePhysPageAddr(a_pTb, a_idxRange) \
-                                                 | pTb->aRanges[(a_idxRange)].offPhysPage; \
+        RTGCPHYS const GCPhysRangePageWithOffset = (  iemTbGetRangePhysPageAddr(a_pTb, a_idxRange) \
+                                                    | (a_pTb)->aRanges[(a_idxRange)].offPhysPage) \
+                                                 + (a_offRange); \
         if (   GCPhysRangePageWithOffset == pVCpu->iem.s.GCPhysInstrBuf + off \
-            && off < pVCpu->iem.s.cbInstrBufTotal) \
+            && off < /*pVCpu->iem.s.cbInstrBufTotal - ignore flushes and CS.LIM is check elsewhere*/ X86_PAGE_SIZE) \
         { /* we're good */ } \
         else \
@@ -450 +501 @@
     //LogFunc(("idxRange=%u @ %#x LB %#x: offPhysPage=%#x LB %#x\n", idxRange, offRange, cbInstr, pTb->aRanges[idxRange].offPhysPage, pTb->aRanges[idxRange].cbOpcodes));
     BODY_CHECK_CS_LIM(cbInstr);
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));
@@ -470 +521 @@
     uint32_t const offRange = (uint32_t)uParam2;
     //LogFunc(("idxRange=%u @ %#x LB %#x: offPhysPage=%#x LB %#x\n", idxRange, offRange, cbInstr, pTb->aRanges[idxRange].offPhysPage, pTb->aRanges[idxRange].cbOpcodes));
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));
@@ -492 +543 @@
     //LogFunc(("idxRange=%u @ %#x LB %#x: offPhysPage=%#x LB %#x\n", idxRange, offRange, cbInstr, pTb->aRanges[idxRange].offPhysPage, pTb->aRanges[idxRange].cbOpcodes));
     BODY_CONSIDER_CS_LIM_CHECKING(pTb, cbInstr);
-    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, cbInstr);
+    BODY_CHECK_PC_AFTER_BRANCH(pTb, idxRange, offRange, cbInstr);
     BODY_CHECK_OPCODES(pTb, idxRange, offRange, cbInstr);
     //LogFunc(("okay\n"));

trunk/src/VBox/VMM/VMMAll/IEMAllThrdPython.py

@@ -1960 +1960 @@
     ## whether it has a native recompiler implementation.
     katBltIns = (
+        ( 'Nop',                                                0, True  ),
+        ( 'LogCpuState',                                        0, True  ),
+
         ( 'DeferToCImpl0',                                      2, True  ),
         ( 'CheckIrq',                                           0, True  ),
@@ -1970 +1973 @@
         ( 'CheckOpcodesConsiderCsLim',                          3, True  ),
 
-        ( 'CheckCsLimAndPcAndOpcodes',                          3, False ),
-        ( 'CheckPcAndOpcodes',                                  3, False ),
-        ( 'CheckPcAndOpcodesConsiderCsLim',                     3, False ),
+        ( 'CheckCsLimAndPcAndOpcodes',                          3, True  ),
+        ( 'CheckPcAndOpcodes',                                  3, True  ),
+        ( 'CheckPcAndOpcodesConsiderCsLim',                     3, True  ),
 
         ( 'CheckCsLimAndOpcodesAcrossPageLoadingTlb',           3, False ),

trunk/src/VBox/VMM/VMMAll/IEMAllThrdRecompiler.cpp

@@ -640 +640 @@
     int            cLeft   = IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]);
 #endif
-    Log10(("TB lookup: fFlags=%#x GCPhysPc=%RGp idxHash=%#x: %p L %d\n", fFlags, GCPhysPc, idxHash, pTb, cLeft));
     while (pTb)
     {
@@ -656 +655 @@
 #ifdef VBOX_WITH_IEM_NATIVE_RECOMPILER
                     if ((pTb->fFlags & IEMTB_F_TYPE_NATIVE) || pTb->cUsed != 16)
+                    {
+                        Log10(("TB lookup: fFlags=%#x GCPhysPc=%RGp idxHash=%#x: %p (@ %d / %d)\n",
+                               fFlags, GCPhysPc, idxHash, pTb, IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) - cLeft,
+                               IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) ));
                         return pTb;
+                    }
+                    Log10(("TB lookup: fFlags=%#x GCPhysPc=%RGp idxHash=%#x: %p (@ %d / %d) - recompiling\n",
+                           fFlags, GCPhysPc, idxHash, pTb, IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) - cLeft,
+                           IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) ));
                     return iemNativeRecompile(pVCpu, pTb);
 #else
+                    Log10(("TB lookup: fFlags=%#x GCPhysPc=%RGp idxHash=%#x: %p (@ %d / %d)\n",
+                           fFlags, GCPhysPc, idxHash, pTb, IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) - cLeft,
+                           IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) ));
                     return pTb;
 #endif
@@ -677 +687 @@
     AssertMsg(cLeft == 0, ("%d\n", cLeft));
     STAM_REL_COUNTER_INC(&pTbCache->cLookupMisses);
+    Log10(("TB lookup: fFlags=%#x GCPhysPc=%RGp idxHash=%#x: NULL - (%p L %d)\n", fFlags, GCPhysPc, idxHash,
+           IEMTBCACHE_PTR_GET_TB(pTbCache->apHash[idxHash]), IEMTBCACHE_PTR_GET_COUNT(pTbCache->apHash[idxHash]) ));
     return pTb;
 }
@@ -1483 +1495 @@
               szInstr));
 
-        if (LogIs3Enabled())
-            DBGFR3InfoEx(pVCpu->pVMR3->pUVM, pVCpu->idCpu, "cpumguest", "verbose", NULL);
+        /*if (LogIs3Enabled()) - this outputs an insane amount of stuff, so disabled.
+            DBGFR3InfoEx(pVCpu->pVMR3->pUVM, pVCpu->idCpu, "cpumguest", "verbose", NULL); */
     }
     else
@@ -1660 +1672 @@
 }
 
+#ifdef LOG_ENABLED
+
+/**
+ * Inserts a NOP call.
+ *
+ * This is for debugging.
+ *
+ * @returns true on success, false if we're out of call entries.
+ * @param   pTb         The translation block being compiled.
+ */
+bool iemThreadedCompileEmitNop(PIEMTB pTb)
+{
+    /* Emit the call. */
+    uint32_t const idxCall = pTb->Thrd.cCalls;
+    AssertReturn(idxCall < pTb->Thrd.cAllocated, false);
+    PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[idxCall];
+    pTb->Thrd.cCalls = (uint16_t)(idxCall + 1);
+    pCall->enmFunction = kIemThreadedFunc_BltIn_Nop;
+    pCall->idxInstr    = pTb->cInstructions - 1;
+    pCall->uUnused0    = 0;
+    pCall->offOpcode   = 0;
+    pCall->cbOpcode    = 0;
+    pCall->idxRange    = 0;
+    pCall->auParams[0] = 0;
+    pCall->auParams[1] = 0;
+    pCall->auParams[2] = 0;
+    return true;
+}
+
+
+/**
+ * Called by iemThreadedCompile if cpu state logging is desired.
+ *
+ * @returns true on success, false if we're out of call entries.
+ * @param   pTb         The translation block being compiled.
+ */
+bool iemThreadedCompileEmitLogCpuState(PIEMTB pTb)
+{
+    /* Emit the call. */
+    uint32_t const idxCall = pTb->Thrd.cCalls;
+    AssertReturn(idxCall < pTb->Thrd.cAllocated, false);
+    PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[idxCall];
+    pTb->Thrd.cCalls = (uint16_t)(idxCall + 1);
+    pCall->enmFunction = kIemThreadedFunc_BltIn_LogCpuState;
+    pCall->idxInstr    = pTb->cInstructions - 1;
+    pCall->uUnused0    = 0;
+    pCall->offOpcode   = 0;
+    pCall->cbOpcode    = 0;
+    pCall->idxRange    = 0;
+    pCall->auParams[0] = RT_MAKE_U16(pCall->idxInstr, idxCall); /* currently not used, but whatever */
+    pCall->auParams[1] = 0;
+    pCall->auParams[2] = 0;
+    return true;
+}
+
+#endif /* LOG_ENABLED */
 
 DECLINLINE(void) iemThreadedCopyOpcodeBytesInline(PCVMCPUCC pVCpu, uint8_t *pbDst, uint8_t cbInstr)
@@ -2294 +2362 @@
             else
                 break;
+
+#if defined(LOG_ENABLED) && 0 /* for debugging */
+            iemThreadedCompileEmitNop(pTb);
+            iemThreadedCompileEmitLogCpuState(pTb);
+#endif
         }
         else

trunk/src/VBox/VMM/VMMAll/PGMAllPhys.cpp

@@ -964 +964 @@
 
     void const *pvSharedPage = NULL;
-    if (PGM_PAGE_IS_SHARED(pPage))
+    if (!PGM_PAGE_IS_SHARED(pPage))
+    {
+        Log2(("PGM: Replaced zero page %RGp with %#x / %RHp\n", GCPhys, pVM->pgm.s.aHandyPages[iHandyPage].idPage, HCPhys));
+        STAM_COUNTER_INC(&pVM->pgm.s.Stats.StatRZPageReplaceZero);
+        pVM->pgm.s.cZeroPages--;
+    }
+    else
     {
         /* Mark this shared page for freeing/dereferencing. */
@@ -978 +984 @@
         rc = pgmPhysPageMapReadOnly(pVM, pPage, GCPhys, &pvSharedPage);
         AssertRC(rc);
-    }
-    else
-    {
-        Log2(("PGM: Replaced zero page %RGp with %#x / %RHp\n", GCPhys, pVM->pgm.s.aHandyPages[iHandyPage].idPage, HCPhys));
-        STAM_COUNTER_INC(&pVM->pgm.s.Stats.StatRZPageReplaceZero);
-        pVM->pgm.s.cZeroPages--;
     }
 
@@ -995 +995 @@
     PGM_PAGE_SET_PDE_TYPE(pVM, pPage, PGM_PAGE_PDE_TYPE_PT);
     pgmPhysInvalidatePageMapTLBEntry(pVM, GCPhys);
-    IEMTlbInvalidateAllPhysicalAllCpus(pVM, NIL_VMCPUID, IEMTLBPHYSFLUSHREASON_ALLOCATED);
+    IEMTlbInvalidateAllPhysicalAllCpus(pVM, NIL_VMCPUID,
+                                       !pvSharedPage
+                                       ? IEMTLBPHYSFLUSHREASON_ALLOCATED : IEMTLBPHYSFLUSHREASON_ALLOCATED_FROM_SHARED);
 
     /* Copy the shared page contents to the replacement page. */
-    if (pvSharedPage)
+    if (!pvSharedPage)
+    { /* likely */ }
+    else
     {
         /* Get the virtual address of the new page. */