Changeset 102790 in vbox for trunk

Timestamp:

Jan 9, 2024 1:41:28 AM (13 months ago)

Author:

vboxsync

Message:

VMM/IEM: Emit TLB lookup for POP GPR instructions. bugref:10371

Location:

trunk/src/VBox/VMM

Files:

• VMMAll/IEMAllMemRWTmpl.cpp.h (modified) (1 diff)
• VMMAll/IEMAllMemRWTmplInline.cpp.h (modified) (8 diffs)
• VMMAll/IEMAllN8veRecompiler.cpp (modified) (11 diffs)
• include/IEMInternal.h (modified) (1 diff)
• include/IEMN8veRecompilerEmit.h (modified) (3 diffs)

trunk/src/VBox/VMM/VMMAll/IEMAllMemRWTmpl.cpp.h

@@ -535 +535 @@
 
 /**
+ * Safe/fallback stack fetch function that longjmps on error.
+ */
+TMPL_MEM_TYPE RT_CONCAT3(iemMemFetchStack,TMPL_MEM_FN_SUFF,SafeJmp)(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP
+{
+# if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3)
+    pVCpu->iem.s.DataTlb.cTlbSafeReadPath++;
+# endif
+
+    /* Read the data. */
+    uint8_t              bUnmapInfo;
+    TMPL_MEM_TYPE const *puSrc = (TMPL_MEM_TYPE const *)iemMemMapJmp(pVCpu, &bUnmapInfo, sizeof(TMPL_MEM_TYPE), X86_SREG_SS,
+                                                                     GCPtrMem, IEM_ACCESS_STACK_R, TMPL_MEM_TYPE_ALIGN);
+    TMPL_MEM_TYPE const  uValue = *puSrc;
+    iemMemCommitAndUnmapJmp(pVCpu, bUnmapInfo);
+
+    /* Commit the register and RSP values. */
+    Log10(("IEM RD " TMPL_MEM_FMT_DESC " SS|%RGv: " TMPL_MEM_FMT_TYPE "\n", GCPtrMem, uValue));
+    return uValue;
+}
+
+
+/**
  * Safe/fallback stack push function that longjmps on error.
  */

trunk/src/VBox/VMM/VMMAll/IEMAllMemRWTmplInline.cpp.h

@@ -731 +731 @@
 RT_CONCAT3(iemMemStoreStack,TMPL_MEM_FN_SUFF,Jmp)(PVMCPUCC pVCpu, RTGCPTR GCPtrMem, TMPL_MEM_TYPE uValue) IEM_NOEXCEPT_MAY_LONGJMP
 {
-#  if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+#   if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
     /*
      * Apply segmentation and check that the item doesn't cross a page boundrary.
      */
     RTGCPTR const GCPtrEff = iemMemApplySegmentToWriteJmp(pVCpu, X86_SREG_SS, sizeof(TMPL_MEM_TYPE), GCPtrMem);
-#  if TMPL_MEM_TYPE_SIZE > 1
+#    if TMPL_MEM_TYPE_SIZE > 1
     if (RT_LIKELY(TMPL_MEM_ALIGN_CHECK(GCPtrEff)))
-#  endif
+#    endif
     {
         /*
@@ -774 +774 @@
        outdated page pointer, or other troubles.  (This will do a TLB load.) */
     Log12Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrEff));
-#  endif
+#   endif
     RT_CONCAT3(iemMemStoreStack,TMPL_MEM_FN_SUFF,SafeJmp)(pVCpu, GCPtrMem, uValue);
 }
@@ -790 +790 @@
                                                       TMPL_MEM_TYPE uValue) IEM_NOEXCEPT_MAY_LONGJMP
 {
-#  if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
-    /*
-     * Decrement the stack pointer (prep), apply segmentation and check that
-     * the item doesn't cross a page boundrary.
+#    if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+    /*
+     * Apply segmentation to the address and check that the item doesn't cross
+     * a page boundrary.
      */
     RTGCPTR const GCPtrEff = iemMemApplySegmentToWriteJmp(pVCpu, X86_SREG_SS, sizeof(TMPL_MEM_TYPE), GCPtrMem);
-#  if TMPL_MEM_TYPE_SIZE > 1
+#     if TMPL_MEM_TYPE_SIZE > 1
     if (RT_LIKELY(   !(GCPtrEff & (sizeof(uint16_t) - 1U))
                   || TMPL_MEM_CHECK_UNALIGNED_WITHIN_PAGE_OK(pVCpu, GCPtrEff, uint16_t) ))
-#  endif
+#     endif
     {
         /*
@@ -835 +835 @@
        outdated page pointer, or other troubles.  (This will do a TLB load.) */
     Log12Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrEff));
-#  endif
+#     endif
     RT_CONCAT3(iemMemStoreStack,TMPL_MEM_FN_SUFF,SRegSafeJmp)(pVCpu, GCPtrMem, uValue);
 }
@@ -854 +854 @@
                 && pVCpu->cpum.GstCtx.ss.u64Base == 0));
 
-#  if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+#   if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
     /*
      * Check that the item doesn't cross a page boundrary.
      */
-#  if TMPL_MEM_TYPE_SIZE > 1
+#    if TMPL_MEM_TYPE_SIZE > 1
     if (RT_LIKELY(TMPL_MEM_ALIGN_CHECK(GCPtrMem)))
-#  endif
+#    endif
     {
         /*
@@ -897 +897 @@
        outdated page pointer, or other troubles.  (This will do a TLB load.) */
     Log12Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrMem));
-#  endif
+#   endif
     RT_CONCAT3(iemMemStoreStack,TMPL_MEM_FN_SUFF,SafeJmp)(pVCpu, GCPtrMem, uValue);
 }
@@ -912 +912 @@
                                                           TMPL_MEM_TYPE uValue) IEM_NOEXCEPT_MAY_LONGJMP
 {
-#  if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
-    /*
-     * Calculate the new stack pointer and check that the item doesn't cross a page boundrary.
+#    if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+    /*
+     * Check that the item doesn't cross a page boundrary.
      */
     if (RT_LIKELY(   !(GCPtrMem & (sizeof(uint16_t) - 1))
@@ -954 +954 @@
        outdated page pointer, or other troubles.  (This will do a TLB load.) */
     Log12Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrMem));
-#  endif
+#    endif
     RT_CONCAT3(iemMemStoreStack,TMPL_MEM_FN_SUFF,SRegSafeJmp)(pVCpu, GCPtrMem, uValue);
 }
 #   endif /* TMPL_WITH_PUSH_SREG */
 
+
+/**
+ * Stack fetch function that longjmps on error.
+ */
+DECL_INLINE_THROW(TMPL_MEM_TYPE)
+RT_CONCAT3(iemMemFetchStack,TMPL_MEM_FN_SUFF,Jmp)(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP
+{
+#   if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+    /*
+     * Apply segmentation to the address and check that the item doesn't cross
+     * a page boundrary.
+     */
+    RTGCPTR const GCPtrEff = iemMemApplySegmentToWriteJmp(pVCpu, X86_SREG_SS, sizeof(TMPL_MEM_TYPE), GCPtrMem);
+#    if TMPL_MEM_TYPE_SIZE > 1
+    if (RT_LIKELY(TMPL_MEM_ALIGN_CHECK(GCPtrEff)))
+#    endif
+    {
+        /*
+         * TLB lookup.
+         */
+        uint64_t const uTag  = IEMTLB_CALC_TAG(    &pVCpu->iem.s.DataTlb, GCPtrEff);
+        PIEMTLBENTRY   pTlbe = IEMTLB_TAG_TO_ENTRY(&pVCpu->iem.s.DataTlb, uTag);
+        if (RT_LIKELY(pTlbe->uTag == uTag))
+        {
+            /*
+             * Check TLB page table level access flags.
+             */
+            AssertCompile(IEMTLBE_F_PT_NO_USER == 4);
+            uint64_t const fNoUser = (IEM_GET_CPL(pVCpu) + 1) & IEMTLBE_F_PT_NO_USER;
+            if (RT_LIKELY(   (pTlbe->fFlagsAndPhysRev & (  IEMTLBE_F_PHYS_REV       | IEMTLBE_F_NO_MAPPINGR3
+                                                         | IEMTLBE_F_PG_UNASSIGNED  | IEMTLBE_F_PG_NO_READ
+                                                         | IEMTLBE_F_PT_NO_ACCESSED | fNoUser))
+                          == pVCpu->iem.s.DataTlb.uTlbPhysRev))
+            {
+                /*
+                 * Do the pop.
+                 */
+                STAM_STATS({pVCpu->iem.s.DataTlb.cTlbHits++;});
+                Assert(pTlbe->pbMappingR3); /* (Only ever cleared by the owning EMT.) */
+                Assert(!((uintptr_t)pTlbe->pbMappingR3 & GUEST_PAGE_OFFSET_MASK));
+                TMPL_MEM_TYPE const uValue = *(TMPL_MEM_TYPE const *)&pTlbe->pbMappingR3[GCPtrEff & GUEST_PAGE_OFFSET_MASK];
+                Log9Ex(LOG_GROUP_IEM_MEM,("IEM RD " TMPL_MEM_FMT_DESC " SS|%RGv: " TMPL_MEM_FMT_TYPE "\n", GCPtrEff, uValue));
+                return uValue;
+            }
+        }
+    }
+
+    /* Fall back on the slow careful approach in case of TLB miss, MMIO, exception
+       outdated page pointer, or other troubles.  (This will do a TLB load.) */
+    Log10Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrEff));
+#   endif
+    return RT_CONCAT3(iemMemFetchStack,TMPL_MEM_FN_SUFF,SafeJmp)(pVCpu, GCPtrMem);
+}
+
+
+/**
+ * Flat stack fetch function that longjmps on error.
+ */
+DECL_INLINE_THROW(TMPL_MEM_TYPE)
+RT_CONCAT3(iemMemFlatFetchStack,TMPL_MEM_FN_SUFF,Jmp)(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP
+{
+#   if defined(IEM_WITH_DATA_TLB) && defined(IN_RING3) && !defined(TMPL_MEM_NO_INLINE)
+    /*
+     * Check that the item doesn't cross a page boundrary.
+     */
+#    if TMPL_MEM_TYPE_SIZE > 1
+    if (RT_LIKELY(TMPL_MEM_ALIGN_CHECK(GCPtrMem)))
+#    endif
+    {
+        /*
+         * TLB lookup.
+         */
+        uint64_t const uTag  = IEMTLB_CALC_TAG(    &pVCpu->iem.s.DataTlb, GCPtrMem);
+        PIEMTLBENTRY   pTlbe = IEMTLB_TAG_TO_ENTRY(&pVCpu->iem.s.DataTlb, uTag);
+        if (RT_LIKELY(pTlbe->uTag == uTag))
+        {
+            /*
+             * Check TLB page table level access flags.
+             */
+            AssertCompile(IEMTLBE_F_PT_NO_USER == 4);
+            uint64_t const fNoUser = (IEM_GET_CPL(pVCpu) + 1) & IEMTLBE_F_PT_NO_USER;
+            if (RT_LIKELY(   (pTlbe->fFlagsAndPhysRev & (  IEMTLBE_F_PHYS_REV       | IEMTLBE_F_NO_MAPPINGR3
+                                                         | IEMTLBE_F_PG_UNASSIGNED  | IEMTLBE_F_PG_NO_READ
+                                                         | IEMTLBE_F_PT_NO_ACCESSED | fNoUser))
+                          == pVCpu->iem.s.DataTlb.uTlbPhysRev))
+            {
+                /*
+                 * Do the pop.
+                 */
+                STAM_STATS({pVCpu->iem.s.DataTlb.cTlbHits++;});
+                Assert(pTlbe->pbMappingR3); /* (Only ever cleared by the owning EMT.) */
+                Assert(!((uintptr_t)pTlbe->pbMappingR3 & GUEST_PAGE_OFFSET_MASK));
+                TMPL_MEM_TYPE const uValue = *(TMPL_MEM_TYPE const *)&pTlbe->pbMappingR3[GCPtrMem & GUEST_PAGE_OFFSET_MASK];
+                Log9Ex(LOG_GROUP_IEM_MEM,("IEM RD " TMPL_MEM_FMT_DESC " SS|%RGv: " TMPL_MEM_FMT_TYPE "\n", GCPtrMem, uValue));
+                return uValue;
+            }
+        }
+    }
+
+    /* Fall back on the slow careful approach in case of TLB miss, MMIO, exception
+       outdated page pointer, or other troubles.  (This will do a TLB load.) */
+    Log10Ex(LOG_GROUP_IEM_MEM,(LOG_FN_FMT ": %RGv falling back\n", LOG_FN_NAME, GCPtrMem));
+#   endif
+    return RT_CONCAT3(iemMemFetchStack,TMPL_MEM_FN_SUFF,SafeJmp)(pVCpu, GCPtrMem);
+}
 
 

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp

@@ -111 +111 @@
 #ifdef IEMNATIVE_WITH_TLB_LOOKUP
 # define IEMNATIVE_WITH_TLB_LOOKUP_PUSH
+#endif
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP
+# define IEMNATIVE_WITH_TLB_LOOKUP_POP
 #endif
 
@@ -1754 +1757 @@
  * Used by TB code to store unsigned 8-bit data w/ segmentation.
  */
-IEMNATIVE_WITH_TLB_LOOKUP_PUSH
 IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpMemStoreDataU8,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem, uint8_t iSegReg, uint8_t u8Value))
 {
@@ -1844 +1846 @@
 
 /**
- * Used by TB code to pop a 16-bit general purpose register off a generic stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackPopGRegU16,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemStackPopGRegU16Jmp(pVCpu, iGReg); /** @todo iemMemStackPopGRegU16SafeJmp */
-}
-
-
-/**
- * Used by TB code to pop a 32-bit general purpose register off a generic stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackPopGRegU32,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemStackPopGRegU32Jmp(pVCpu, iGReg); /** @todo iemMemStackPopGRegU32SafeJmp */
-}
-
-
-/**
- * Used by TB code to pop a 64-bit general purpose register off a generic stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackPopGRegU64,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemStackPopGRegU64Jmp(pVCpu, iGReg); /** @todo iemMemStackPopGRegU64SafeJmp */
+ * Used by TB code to fetch an unsigned 16-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint16_t, iemNativeHlpStackFetchU16,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU16SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFetchStackU16Jmp(pVCpu, GCPtrMem);
+#endif
+}
+
+
+/**
+ * Used by TB code to fetch an unsigned 32-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint32_t, iemNativeHlpStackFetchU32,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU32SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFetchStackU32Jmp(pVCpu, GCPtrMem);
+#endif
+}
+
+
+/**
+ * Used by TB code to fetch an unsigned 64-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint64_t, iemNativeHlpStackFetchU64,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU64SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFetchStackU64Jmp(pVCpu, GCPtrMem);
+#endif
 }
 
@@ -2071 +2085 @@
 
 /**
- * Used by TB code to pop a 16-bit general purpose register off a flat 32-bit stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackFlat32PopGRegU16,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemFlat32StackPopGRegU16Jmp(pVCpu, iGReg); /** @todo iemMemFlat32StackPopGRegU16SafeJmp */
-}
-
-
-/**
- * Used by TB code to pop a 64-bit general purpose register off a flat 32-bit stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackFlat32PopGRegU32,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemFlat32StackPopGRegU32Jmp(pVCpu, iGReg); /** @todo iemMemFlat32StackPopGRegU32SafeJmp */
-}
-
-
-/**
- * Used by TB code to pop a 16-bit general purpose register off a flat 64-bit stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackFlat64PopGRegU16,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemFlat64StackPopGRegU16Jmp(pVCpu, iGReg); /** @todo iemMemFlat64StackPopGRegU16SafeJmp */
-}
-
-
-/**
- * Used by TB code to pop a 64-bit general purpose register off a flat 64-bit stack.
- */
-IEM_DECL_NATIVE_HLP_DEF(void, iemNativeHlpStackFlat64PopGRegU64,(PVMCPUCC pVCpu, uint8_t iGReg))
-{
-    iemMemFlat64StackPopGRegU64Jmp(pVCpu, iGReg); /** @todo iemMemFlat64StackPopGRegU64SafeJmp */
+ * Used by TB code to fetch an unsigned 16-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint16_t, iemNativeHlpStackFlatFetchU16,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU16SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFlatFetchStackU16Jmp(pVCpu, GCPtrMem);
+#endif
+}
+
+
+/**
+ * Used by TB code to fetch an unsigned 32-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint32_t, iemNativeHlpStackFlatFetchU32,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU32SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFlatFetchStackU32Jmp(pVCpu, GCPtrMem);
+#endif
+}
+
+
+/**
+ * Used by TB code to fetch an unsigned 64-bit item off a generic stack.
+ */
+IEM_DECL_NATIVE_HLP_DEF(uint64_t, iemNativeHlpStackFlatFetchU64,(PVMCPUCC pVCpu, RTGCPTR GCPtrMem))
+{
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP_POP
+    return iemMemFetchStackU64SafeJmp(pVCpu, GCPtrMem);
+#else
+    return iemMemFlatFetchStackU64Jmp(pVCpu, GCPtrMem);
+#endif
 }
 
@@ -11579 +11596 @@
      * First we calculate the new RSP and the effective stack pointer value.
      * For 64-bit mode and flat 32-bit these two are the same.
+     * (Code structure is very similar to that of PUSH)
      */
     uint8_t const cbMem       = RT_BYTE1(cBitsVarAndFlat) / 8;
@@ -11745 +11763 @@
          * Emit code to do the actual storing / fetching.
          */
-        PIEMNATIVEINSTR pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 64);
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 64);
         if (idxRegValue != UINT8_MAX)
         {
@@ -11849 +11867 @@
 #define IEM_MC_POP_GREG_U16(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(16,  0, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackPopGRegU16, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFetchU16, pCallEntry->idxInstr)
 #define IEM_MC_POP_GREG_U32(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(32,  0, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackPopGRegU32, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFetchU32, pCallEntry->idxInstr)
 #define IEM_MC_POP_GREG_U64(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(64,  0, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackPopGRegU64, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFetchU64, pCallEntry->idxInstr)
 
 #define IEM_MC_FLAT32_POP_GREG_U16(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(16, 32, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackFlat32PopGRegU16, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFlatFetchU16, pCallEntry->idxInstr)
 #define IEM_MC_FLAT32_POP_GREG_U32(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(32, 32, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackFlat32PopGRegU32, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFlatFetchU32, pCallEntry->idxInstr)
 
 #define IEM_MC_FLAT64_POP_GREG_U16(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(16, 64, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackFlat64PopGRegU16, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFlatFetchU16, pCallEntry->idxInstr)
 #define IEM_MC_FLAT64_POP_GREG_U64(a_iGReg) \
     off = iemNativeEmitStackPopGReg(pReNative, off, a_iGReg, RT_MAKE_U32_FROM_U8(64, 64, 0, 0), \
-                                    (uintptr_t)iemNativeHlpStackFlat64PopGRegU64, pCallEntry->idxInstr)
+                                    (uintptr_t)iemNativeHlpStackFlatFetchU64, pCallEntry->idxInstr)
+
+
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitStackPopUse16Sp(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t idxRegRsp, uint8_t idxRegEffSp, uint8_t cbMem)
+{
+    /* Use16BitSp: */
+#ifdef RT_ARCH_AMD64
+    off = iemNativeEmitLoadGprFromGpr16Ex(pCodeBuf, off, idxRegEffSp, idxRegRsp);
+    off = iemNativeEmitAddGpr16ImmEx(pCodeBuf, off, idxRegRsp, cbMem); /* ASSUMES this does NOT modify bits [63:16]! */
+#else
+    /* bfi regrsp, regeff, #0, #16 - moves bits 15:0 from idxVarReg to idxGstTmpReg bits 15:0. */
+    pCodeBuf[off++] = Armv8A64MkInstrBfi(idxRegRsp, idxRegEffSp, 0, 16, false /*f64Bit*/);
+    /* add regeff, regrsp, #cbMem */
+    pCodeBuf[off++] = Armv8A64MkInstrAddUImm12(idxRegEffSp, idxRegRsp, cbMem, false /*f64Bit*/);
+    /* and regeff, regeff, #0xffff */
+    Assert(Armv8A64ConvertImmRImmS2Mask32(15, 0) == 0xffff);
+    pCodeBuf[off++] = Armv8A64MkInstrAndImm(idxRegEffSp, idxRegEffSp, 15, 0,  false /*f64Bit*/);
+#endif
+    return off;
+}
+
+
+DECL_FORCE_INLINE(uint32_t)
+iemNativeEmitStackPopUse32Sp(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t idxRegRsp, uint8_t idxRegEffSp, uint8_t cbMem)
+{
+    /* Use32BitSp: */
+    off = iemNativeEmitLoadGprFromGpr32Ex(pCodeBuf, off, idxRegEffSp, idxRegRsp);
+    off = iemNativeEmitAddGpr32ImmEx(pCodeBuf, off, idxRegRsp, cbMem);
+    return off;
+}
+
 
 /** IEM_MC[|_FLAT32|_FLAT64]_POP_GREG_U16/32/64 */
@@ -11887 +11936 @@
                || (pReNative->fExec & IEM_F_MODE_MASK) == IEM_F_MODE_X86_32BIT_FLAT);
         Assert(   pfnFunction
-               == (  cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 32, 0, 0) ? (uintptr_t)iemNativeHlpStackFlat32PopGRegU16
-                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(32, 32, 0, 0) ? (uintptr_t)iemNativeHlpStackFlat32PopGRegU32
-                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 64, 0, 0) ? (uintptr_t)iemNativeHlpStackFlat64PopGRegU16
-                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(64, 64, 0, 0) ? (uintptr_t)iemNativeHlpStackFlat64PopGRegU64
+               == (  cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 32, 0, 0) ? (uintptr_t)iemNativeHlpStackFlatFetchU16
+                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(32, 32, 0, 0) ? (uintptr_t)iemNativeHlpStackFlatFetchU32
+                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 64, 0, 0) ? (uintptr_t)iemNativeHlpStackFlatFetchU16
+                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(64, 64, 0, 0) ? (uintptr_t)iemNativeHlpStackFlatFetchU64
                    : UINT64_C(0xc000b000a0009000) ));
     }
     else
         Assert(   pfnFunction
-               == (  cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackPopGRegU16
-                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(32, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackPopGRegU32
-                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(64, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackPopGRegU64
+               == (  cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(16, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackFetchU16
+                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(32, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackFetchU32
+                   : cBitsVarAndFlat == RT_MAKE_U32_FROM_U8(64, 0, 0, 0) ? (uintptr_t)iemNativeHlpStackFetchU64
                    : UINT64_C(0xc000b000a0009000) ));
 #endif
@@ -11912 +11961 @@
      * may end up making calls.
      */
-    /** @todo we could postpone this till we make the call and reload the
-     * registers after returning from the call. Not sure if that's sensible or
-     * not, though. */
     off = iemNativeRegFlushPendingWrites(pReNative, off);
 
     /*
-     * Move/spill/flush stuff out of call-volatile registers.
-     * This is the easy way out. We could contain this to the tlb-miss branch
-     * by saving and restoring active stuff here.
-     */
-    /** @todo save+restore active registers and maybe guest shadows in tlb-miss.  */
-    off = iemNativeRegMoveAndFreeAndFlushAtCall(pReNative, off, 0 /* vacate all non-volatile regs */);
-
-    /* For now, flush the any shadow copy of the guest register that is about
-       to be popped and the xSP register. */
-    iemNativeRegFlushGuestShadows(pReNative,
-                                  RT_BIT_64(IEMNATIVEGSTREG_GPR(idxGReg)) | RT_BIT_64(IEMNATIVEGSTREG_GPR(X86_GREG_xSP)));
-
-    /*
-     * Define labels and allocate the result register (trying for the return
-     * register if we can).
-     */
-    uint16_t const uTlbSeqNo        = pReNative->uTlbSeqNo++;
-    uint32_t const idxLabelTlbMiss  = iemNativeLabelCreate(pReNative, kIemNativeLabelType_TlbMiss, UINT32_MAX, uTlbSeqNo);
-    uint32_t const idxLabelTlbDone  = iemNativeLabelCreate(pReNative, kIemNativeLabelType_TlbDone, UINT32_MAX, uTlbSeqNo);
-
-    /*
-     * First we try to go via the TLB.
-     */
-//pReNative->pInstrBuf[off++] = 0xcc;
-    /** @todo later. */
-    RT_NOREF(cBitsVarAndFlat);
-
-    /*
-     * Call helper to do the popping.
+     * Determine the effective stack pointer, for non-FLAT modes we also update RSP.
+     * For FLAT modes we'll do this in TlbDone as we'll be using the incoming RSP
+     * directly as the effective stack pointer.
+     * (Code structure is very similar to that of PUSH)
+     */
+    uint8_t const cbMem       = RT_BYTE1(cBitsVarAndFlat) / 8;
+    uint8_t const cBitsFlat   = RT_BYTE2(cBitsVarAndFlat);      RT_NOREF(cBitsFlat);
+    uint8_t const idxRegRsp   = iemNativeRegAllocTmpForGuestReg(pReNative, &off, IEMNATIVEGSTREG_GPR(X86_GREG_xSP),
+                                                                kIemNativeGstRegUse_ForUpdate, true /*fNoVolatileRegs*/);
+    uint8_t const idxRegEffSp = cBitsFlat != 0 ? idxRegRsp : iemNativeRegAllocTmp(pReNative, &off);
+    uint32_t      offFixupJumpToUseOtherBitSp = UINT32_MAX;
+    if (cBitsFlat != 0)
+    {
+        Assert(idxRegEffSp == idxRegRsp);
+        Assert(cBitsFlat == 32 || cBitsFlat == 64);
+        Assert(IEM_F_MODE_X86_IS_FLAT(pReNative->fExec));
+    }
+    else /** @todo We can skip the test if we're targeting pre-386 CPUs. */
+    {
+        Assert(idxRegEffSp != idxRegRsp);
+        uint8_t const idxRegSsAttr = iemNativeRegAllocTmpForGuestReg(pReNative, &off, IEMNATIVEGSTREG_SEG_ATTRIB(X86_SREG_SS),
+                                                                     kIemNativeGstRegUse_ReadOnly);
+#ifdef RT_ARCH_AMD64
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 32);
+#else
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 10);
+#endif
+        off = iemNativeEmitTestAnyBitsInGpr32Ex(pCodeBuf, off, idxRegSsAttr, X86DESCATTR_D);
+        iemNativeRegFreeTmp(pReNative, idxRegSsAttr);
+        offFixupJumpToUseOtherBitSp = off;
+        if ((pReNative->fExec & IEM_F_MODE_CPUMODE_MASK) == IEMMODE_32BIT)
+        {
+/** @todo can skip idxRegRsp updating when popping ESP.   */
+            off = iemNativeEmitJccToFixedEx(pCodeBuf, off, off /*8-bit suffices*/, kIemNativeInstrCond_e); /* jump if zero */
+            off = iemNativeEmitStackPopUse32Sp(pCodeBuf, off, idxRegRsp, idxRegEffSp, cbMem);
+        }
+        else
+        {
+            off = iemNativeEmitJccToFixedEx(pCodeBuf, off, off /*8-bit suffices*/, kIemNativeInstrCond_ne); /* jump if not zero */
+            off = iemNativeEmitStackPopUse16Sp(pCodeBuf, off, idxRegRsp, idxRegEffSp, cbMem);
+        }
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    }
+    /* SpUpdateEnd: */
+    uint32_t const offLabelSpUpdateEnd = off;
+
+    /*
+     * Okay, now prepare for TLB lookup and jump to code (or the TlbMiss if
+     * we're skipping lookup).
+     */
+    uint8_t const  iSegReg           = cBitsFlat != 0 ? UINT8_MAX : X86_SREG_SS;
+    IEMNATIVEEMITTLBSTATE const TlbState(pReNative, idxRegEffSp, &off, iSegReg, cbMem);
+    uint16_t const uTlbSeqNo         = pReNative->uTlbSeqNo++;
+    uint32_t const idxLabelTlbMiss   = iemNativeLabelCreate(pReNative, kIemNativeLabelType_TlbMiss, UINT32_MAX, uTlbSeqNo);
+    uint32_t const idxLabelTlbLookup = !TlbState.fSkip
+                                     ? iemNativeLabelCreate(pReNative, kIemNativeLabelType_TlbLookup, UINT32_MAX, uTlbSeqNo)
+                                     : UINT32_MAX;
+    /** @todo can do a better job picking the register here. For cbMem >= 4 this
+     *        will be the resulting register value. */
+    uint8_t const  idxRegMemResult   = iemNativeRegAllocTmp(pReNative, &off); /* pointer then value */
+
+    if (!TlbState.fSkip)
+        off = iemNativeEmitJmpToLabel(pReNative, off, idxLabelTlbLookup); /** @todo short jump */
+    else
+        off = iemNativeEmitJmpToLabel(pReNative, off, idxLabelTlbMiss); /** @todo short jump */
+
+    /*
+     * Use16BitSp:
+     */
+    if (cBitsFlat == 0)
+    {
+#ifdef RT_ARCH_AMD64
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 32);
+#else
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 10);
+#endif
+        iemNativeFixupFixedJump(pReNative, offFixupJumpToUseOtherBitSp, off);
+        if ((pReNative->fExec & IEM_F_MODE_CPUMODE_MASK) == IEMMODE_32BIT)
+            off = iemNativeEmitStackPopUse16Sp(pCodeBuf, off, idxRegRsp, idxRegEffSp, cbMem);
+        else
+            off = iemNativeEmitStackPopUse32Sp(pCodeBuf, off, idxRegRsp, idxRegEffSp, cbMem);
+        off = iemNativeEmitJmpToFixedEx(pCodeBuf, off, offLabelSpUpdateEnd);
+        IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    }
+
+    /*
+     * TlbMiss:
+     *
+     * Call helper to do the pushing.
      */
     iemNativeLabelDefine(pReNative, idxLabelTlbMiss, off);
@@ -11956 +12062 @@
 #endif
 
-    /* IEMNATIVE_CALL_ARG1_GREG = iGReg */
-    off = iemNativeEmitLoadGpr8Imm(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, idxGReg);
+    uint32_t const fHstRegsNotToSave = TlbState.getRegsNotToSave()
+                                     | (idxRegMemResult < RT_ELEMENTS(pReNative->Core.aHstRegs) ? RT_BIT_32(idxRegMemResult) : 0)
+                                     | (idxRegEffSp != idxRegRsp ? RT_BIT_32(idxRegEffSp) : 0);
+    off = iemNativeVarSaveVolatileRegsPreHlpCall(pReNative, off, fHstRegsNotToSave);
+
+
+    /* IEMNATIVE_CALL_ARG1_GREG = EffSp/RSP */
+    if (idxRegEffSp != IEMNATIVE_CALL_ARG1_GREG)
+        off = iemNativeEmitLoadGprFromGpr(pReNative, off, IEMNATIVE_CALL_ARG1_GREG, idxRegEffSp);
 
     /* IEMNATIVE_CALL_ARG0_GREG = pVCpu */
@@ -11965 +12078 @@
     off = iemNativeEmitCallImm(pReNative, off, pfnFunction);
 
-    iemNativeLabelDefine(pReNative, idxLabelTlbDone, off);
+    /* Move the return register content to idxRegMemResult. */
+    if (idxRegMemResult != IEMNATIVE_CALL_RET_GREG)
+        off = iemNativeEmitLoadGprFromGpr(pReNative, off, idxRegMemResult, IEMNATIVE_CALL_RET_GREG);
+
+    /* Restore variables and guest shadow registers to volatile registers. */
+    off = iemNativeVarRestoreVolatileRegsPostHlpCall(pReNative, off, fHstRegsNotToSave);
+    off = iemNativeRegRestoreGuestShadowsInVolatileRegs(pReNative, off, TlbState.getActiveRegsWithShadows());
+
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP
+    if (!TlbState.fSkip)
+    {
+        /* end of TlbMiss - Jump to the done label. */
+        uint32_t const idxLabelTlbDone = iemNativeLabelCreate(pReNative, kIemNativeLabelType_TlbDone, UINT32_MAX, uTlbSeqNo);
+        off = iemNativeEmitJmpToLabel(pReNative, off, idxLabelTlbDone);
+
+        /*
+         * TlbLookup:
+         */
+        off = iemNativeEmitTlbLookup(pReNative, off, &TlbState, iSegReg, cbMem, cbMem - 1, IEM_ACCESS_TYPE_READ,
+                                     idxLabelTlbLookup, idxLabelTlbMiss, idxRegMemResult);
+
+        /*
+         * Emit code to load the value (from idxRegMemResult into idxRegMemResult).
+         */
+        PIEMNATIVEINSTR const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 32);
+        switch (cbMem)
+        {
+            case 2:
+                off = iemNativeEmitLoadGprByGprU16Ex(pCodeBuf, off, idxRegMemResult, idxRegMemResult);
+                break;
+            case 4:
+                off = iemNativeEmitLoadGprByGprU32Ex(pCodeBuf, off, idxRegMemResult, idxRegMemResult);
+                break;
+            case 8:
+                off = iemNativeEmitLoadGprByGprU64Ex(pCodeBuf, off, idxRegMemResult, idxRegMemResult);
+                break;
+            default:
+                AssertFailed();
+        }
+
+        TlbState.freeRegsAndReleaseVars(pReNative);
+
+        /*
+         * TlbDone:
+         *
+         * Set the new RSP value (FLAT accesses needs to calculate it first) and
+         * commit the popped register value.
+         */
+        iemNativeLabelDefine(pReNative, idxLabelTlbDone, off);
+    }
+#endif /* IEMNATIVE_WITH_TLB_LOOKUP */
+
+    if (idxGReg != X86_GREG_xSP)
+    {
+        /* Set the register. */
+        if (cbMem >= sizeof(uint32_t))
+        {
+            iemNativeRegClearAndMarkAsGstRegShadow(pReNative, idxRegMemResult,  IEMNATIVEGSTREG_GPR(idxGReg), off);
+            off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxRegMemResult,
+                                                 RT_UOFFSETOF_DYN(VMCPU, cpum.GstCtx.aGRegs[idxGReg]));
+        }
+        else
+        {
+            Assert(cbMem == sizeof(uint16_t));
+            uint8_t const idxRegDst = iemNativeRegAllocTmpForGuestReg(pReNative, &off, IEMNATIVEGSTREG_GPR(idxGReg),
+                                                                      kIemNativeGstRegUse_ForUpdate);
+            off = iemNativeEmitGprMergeInGpr16(pReNative, off, idxRegDst, idxRegMemResult);
+            off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxRegDst, RT_UOFFSETOF_DYN(VMCPU, cpum.GstCtx.aGRegs[idxGReg]));
+            iemNativeRegFreeTmp(pReNative, idxRegDst);
+        }
+
+        /* Complete RSP calculation for FLAT mode. */
+        if (idxRegEffSp == idxRegRsp)
+        {
+            if (cBitsFlat == 64)
+                off = iemNativeEmitAddGprImm8(pReNative, off, idxRegRsp, sizeof(uint64_t));
+            else
+                off = iemNativeEmitAddGpr32Imm8(pReNative, off, idxRegRsp, sizeof(uint32_t));
+        }
+    }
+    else
+    {
+        /* We're popping RSP, ESP or SP. Only the is a bit extra work, of course. */
+        if (cbMem == sizeof(uint64_t))
+            off = iemNativeEmitLoadGprFromGpr(pReNative, off, idxRegRsp, idxRegMemResult);
+        else if (cbMem == sizeof(uint32_t))
+            off = iemNativeEmitLoadGprFromGpr32(pReNative, off, idxRegRsp, idxRegMemResult);
+        else
+        {
+            if (idxRegEffSp == idxRegRsp)
+            {
+                if (cBitsFlat == 64)
+                    off = iemNativeEmitAddGprImm8(pReNative, off, idxRegRsp, sizeof(uint64_t));
+                else
+                    off = iemNativeEmitAddGpr32Imm8(pReNative, off, idxRegRsp, sizeof(uint32_t));
+            }
+            off = iemNativeEmitGprMergeInGpr16(pReNative, off, idxRegRsp, idxRegMemResult);
+        }
+    }
+    off = iemNativeEmitStoreGprToVCpuU64(pReNative, off, idxRegRsp, RT_UOFFSETOF(VMCPU, cpum.GstCtx.rsp));
+
+    iemNativeRegFreeTmp(pReNative, idxRegRsp);
+    if (idxRegEffSp != idxRegRsp)
+        iemNativeRegFreeTmp(pReNative, idxRegEffSp);
+    iemNativeRegFreeTmp(pReNative, idxRegMemResult);
 
     return off;

trunk/src/VBox/VMM/include/IEMInternal.h

@@ -5262 +5262 @@
 void            iemMemStoreStackU64SafeJmp(PVMCPUCC pVCpu, RTGCPTR GCPtrMem, uint64_t uValue) IEM_NOEXCEPT_MAY_LONGJMP;
 
+uint16_t        iemMemFetchStackU16SafeJmp(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP;
+uint32_t        iemMemFetchStackU32SafeJmp(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP;
+uint64_t        iemMemFetchStackU64SafeJmp(PVMCPUCC pVCpu, RTGCPTR GCPtrMem) IEM_NOEXCEPT_MAY_LONGJMP;
 
 #endif

trunk/src/VBox/VMM/include/IEMN8veRecompilerEmit.h

@@ -1427 +1427 @@
 
 
+/**
+ * Emits a gprdst[15:0] = gprsrc[15:0], preserving all other bits in the
+ * destination.
+ */
+DECL_FORCE_INLINE(uint32_t)
+iemNativeEmitGprMergeInGpr16Ex(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t idxDst, uint8_t idxSrc)
+{
+#ifdef RT_ARCH_AMD64
+    /* mov reg16, r/m16 */
+    pCodeBuf[off++] = X86_OP_PRF_SIZE_OP;
+    if (idxDst >= 8 || idxSrc >= 8)
+        pCodeBuf[off++] = (idxDst < 8 ? 0 : X86_OP_REX_R) | (idxSrc < 8 ? 0 : X86_OP_REX_B);
+    pCodeBuf[off++] = 0x8b;
+    pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, idxDst & 7, idxSrc & 7);
+
+#elif defined(RT_ARCH_ARM64)
+    /* bfi w1, w2, 0, 16 - moves bits 15:0 from idxSrc to idxDst bits 15:0. */
+    pCodeBuf[off++] = Armv8A64MkInstrBfi(idxDst, idxSrc, 0, 16);
+
+#else
+# error "Port me!"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a gprdst[15:0] = gprsrc[15:0], preserving all other bits in the
+ * destination.
+ */
+DECL_INLINE_THROW(uint32_t)
+iemNativeEmitGprMergeInGpr16(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t idxDst, uint8_t idxSrc)
+{
+#ifdef RT_ARCH_AMD64
+    off = iemNativeEmitGprMergeInGpr16Ex(iemNativeInstrBufEnsure(pReNative, off, 4), off, idxDst, idxSrc);
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitGprMergeInGpr16Ex(iemNativeInstrBufEnsure(pReNative, off, 1), off, idxDst, idxSrc);
+#else
+# error "Port me!"
+#endif
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    return off;
+}
+
 
 #ifdef RT_ARCH_AMD64
@@ -2814 +2858 @@
  * so not suitable as a base for conditional jumps.
  *
+ * @note AMD64: Will only update the lower 16 bits of the register.
  * @note ARM64: Will update the entire register.
- * @note AMD64: May perhaps only update the lower 16 bits of the register.
  * @note ARM64: Larger constants will require a temporary register.  Failing to
  *       specify one when needed will trigger fatal assertion / throw.
@@ -3326 +3370 @@
     return off;
 }
+
+
+/**
+ * Emits a 16-bit GPR add with a signed immediate addend.
+ *
+ * This will optimize using INC/DEC/whatever and ARM64 will not set flags,
+ * so not suitable as a base for conditional jumps.
+ *
+ * @note AMD64: Will only update the lower 16 bits of the register.
+ * @note ARM64: Will update the entire register.
+ * @note ARM64: Larger constants will require a temporary register.  Failing to
+ *       specify one when needed will trigger fatal assertion / throw.
+ * @sa   iemNativeEmitSubGpr16ImmEx
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitAddGpr16ImmEx(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGprDst, int16_t iAddend,
+                           uint8_t iGprTmp = UINT8_MAX)
+{
+#ifdef RT_ARCH_AMD64
+    pCodeBuf[off++] = X86_OP_PRF_SIZE_OP;
+    if (iGprDst >= 8)
+        pCodeBuf[off++] = X86_OP_REX_B;
+    if (iAddend == 1)
+    {
+        /* inc r/m16 */
+        pCodeBuf[off++] = 0xff;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 0, iGprDst & 7);
+    }
+    else if (iAddend == -1)
+    {
+        /* dec r/m16 */
+        pCodeBuf[off++] = 0xff;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 1, iGprDst & 7);
+    }
+    else if ((int8_t)iAddend == iAddend)
+    {
+        /* add r/m16, imm8 */
+        pCodeBuf[off++] = 0x83;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 0, iGprDst & 7);
+        pCodeBuf[off++] = (uint8_t)iAddend;
+    }
+    else
+    {
+        /* add r/m16, imm16 */
+        pCodeBuf[off++] = 0x81;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 0, iGprDst & 7);
+        pCodeBuf[off++] = RT_BYTE1((uint16_t)iAddend);
+        pCodeBuf[off++] = RT_BYTE2((uint16_t)iAddend);
+    }
+    RT_NOREF(iGprTmp);
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t uAbsAddend = RT_ABS(iAddend);
+    if (uAbsAddend < 4096)
+    {
+        if (iAddend >= 0)
+            pCodeBuf[off++] = Armv8A64MkInstrAddUImm12(iGprDst, iGprDst, uAbsAddend, false /*f64Bit*/);
+        else
+            pCodeBuf[off++] = Armv8A64MkInstrSubUImm12(iGprDst, iGprDst, uAbsAddend, false /*f64Bit*/);
+    }
+    else if (uAbsAddend <= 0xfff000 && !(uAbsAddend & 0xfff))
+    {
+        if (iAddend >= 0)
+            pCodeBuf[off++] = Armv8A64MkInstrAddUImm12(iGprDst, iGprDst, uAbsAddend >> 12,
+                                                       false /*f64Bit*/, false /*fSetFlags*/, true /*fShift*/);
+        else
+            pCodeBuf[off++] = Armv8A64MkInstrSubUImm12(iGprDst, iGprDst, uAbsAddend >> 12,
+                                                       false /*f64Bit*/, false /*fSetFlags*/, true /*fShift*/);
+    }
+    else if (iGprTmp != UINT8_MAX)
+    {
+        off = iemNativeEmitLoadGpr32ImmEx(pCodeBuf, off, iGprTmp, (uint32_t)iAddend);
+        pCodeBuf[off++] = Armv8A64MkInstrAddReg(iGprDst, iGprDst, iGprTmp, false /*f64Bit*/);
+    }
+    else
+# ifdef IEM_WITH_THROW_CATCH
+        AssertFailedStmt(IEMNATIVE_DO_LONGJMP(NULL, VERR_IEM_IPE_9));
+# else
+        AssertReleaseFailedStmt(off = UINT32_MAX);
+# endif
+    pCodeBuf[off++] = Armv8A64MkInstrAndImm(iGprDst, iGprDst, 15, 0, false /*f64Bit*/);
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+