Changeset 102850 in vbox for trunk/src/VBox/VMM/include

Timestamp:

Jan 12, 2024 12:47:47 AM (15 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

161051

Message:

VMM/IEM: Implemented the first of two code TLB lookups. bugref:10371

Location:

trunk/src/VBox/VMM/include

Files:

• IEMInternal.h (modified) (1 diff)
• IEMN8veRecompilerEmit.h (modified) (4 diffs)
• IEMN8veRecompilerTlbLookup.h (modified) (13 diffs)

trunk/src/VBox/VMM/include/IEMInternal.h

@@ -1745 +1745 @@
     /** Native recompiled execution: Code TLB misses for new page. */
     STAMCOUNTER             StatNativeCodeTlbMissesNewPage;
-    uint64_t                au64Padding[6];
+    /** Native recompiled execution: Code TLB hits for new page. */
+    STAMCOUNTER             StatNativeCodeTlbHitsForNewPage;
+    /** Native recompiled execution: Code TLB misses for new page with offset. */
+    STAMCOUNTER             StatNativeCodeTlbMissesNewPageWithOffset;
+    /** Native recompiled execution: Code TLB hits for new page with offset. */
+    STAMCOUNTER             StatNativeCodeTlbHitsForNewPageWithOffset;
+    uint64_t                au64Padding[3];
     /** @} */
 

trunk/src/VBox/VMM/include/IEMN8veRecompilerEmit.h

@@ -710 +710 @@
  * Emits a store of a GPR value to a 64-bit VCpu field.
  */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitStoreGprToVCpuU64Ex(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGpr, uint32_t offVCpu,
+                                 uint8_t iGprTmp = UINT8_MAX)
+{
+#ifdef RT_ARCH_AMD64
+    /* mov mem64, reg64 */
+    if (iGpr < 8)
+        pCodeBuf[off++] = X86_OP_REX_W;
+    else
+        pCodeBuf[off++] = X86_OP_REX_W | X86_OP_REX_R;
+    pCodeBuf[off++] = 0x89;
+    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, iGpr, offVCpu);
+    RT_NOREF(iGprTmp);
+
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitGprByVCpuLdStEx(pReNative, off, iGpr, offVCpu, kArmv8A64InstrLdStType_St_Dword, sizeof(uint64_t), iGprTmp);
+
+#else
+# error "port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a store of a GPR value to a 64-bit VCpu field.
+ */
 DECL_INLINE_THROW(uint32_t)
 iemNativeEmitStoreGprToVCpuU64(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGpr, uint32_t offVCpu)
 {
 #ifdef RT_ARCH_AMD64
-    /* mov mem64, reg64 */
-    uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 7);
-    if (iGpr < 8)
-        pbCodeBuf[off++] = X86_OP_REX_W;
-    else
-        pbCodeBuf[off++] = X86_OP_REX_W | X86_OP_REX_R;
-    pbCodeBuf[off++] = 0x89;
-    off = iemNativeEmitGprByVCpuDisp(pbCodeBuf,off,iGpr, offVCpu);
-    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
-
-#elif defined(RT_ARCH_ARM64)
-    off = iemNativeEmitGprByVCpuLdSt(pReNative, off, iGpr, offVCpu, kArmv8A64InstrLdStType_St_Dword, sizeof(uint64_t));
-
-#else
-# error "port me"
-#endif
+    off = iemNativeEmitStoreGprToVCpuU64Ex(iemNativeInstrBufEnsure(pReNative, off, 7), off, iGpr, offVCpu);
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitStoreGprToVCpuU64Ex(iemNativeInstrBufEnsure(pReNative, off, 5), off, iGpr, offVCpu,
+                                           IEMNATIVE_REG_FIXED_TMP0);
+#else
+# error "port me"
+#endif
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
     return off;
 }
@@ -802 +821 @@
 #elif defined(RT_ARCH_ARM64)
     off = iemNativeEmitGprByVCpuLdSt(pReNative, off, iGpr, offVCpu, kArmv8A64InstrLdStType_St_Byte, sizeof(uint8_t));
+
+#else
+# error "port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits a store of an immediate value to a 16-bit VCpu field.
+ *
+ * @note ARM64: A idxTmp1 is always required! The idxTmp2 depends on whehter the
+ *       offset can be encoded as an immediate or not.  The @a offVCpu immediate
+ *       range is 0..8190 bytes from VMCPU and the same from CPUMCPU.
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitStoreImmToVCpuU16Ex(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint16_t uImm, uint32_t offVCpu,
+                                 uint8_t idxTmp1 = UINT8_MAX, uint8_t idxTmp2 = UINT8_MAX)
+{
+#ifdef RT_ARCH_AMD64
+    /* mov mem16, imm16 */
+    pCodeBuf[off++] = X86_OP_PRF_SIZE_OP;
+    pCodeBuf[off++] = 0xc7;
+    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, 0, offVCpu);
+    pCodeBuf[off++] = RT_BYTE1(uImm);
+    pCodeBuf[off++] = RT_BYTE2(uImm);
+    RT_NOREF(idxTmp1, idxTmp2);
+
+#elif defined(RT_ARCH_ARM64)
+    if (idxTmp1 != UINT8_MAX)
+    {
+        pCodeBuf[off++] = Armv8A64MkInstrMovZ(idxTmp1, uImm);
+        off = iemNativeEmitGprByVCpuLdStEx(pCodeBuf, off, idxTmp1, offVCpu, kArmv8A64InstrLdStType_St_Half,
+                                           sizeof(uint16_t), idxTmp2);
+    }
+    else
+# ifdef IEM_WITH_THROW_CATCH
+        AssertFailedStmt(IEMNATIVE_DO_LONGJMP(NULL, VERR_IEM_IPE_9));
+# else
+        AssertReleaseFailedStmt(off = UINT32_MAX);
+# endif
 
 #else
@@ -3857 +3917 @@
  *       and ARM64 hosts.
  */
-DECL_INLINE_THROW(uint32_t)
-iemNativeEmitAndGprByGpr(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, uint8_t iGprSrc, bool fSetFlags = false)
+DECL_FORCE_INLINE(uint32_t)
+iemNativeEmitAndGprByGprEx(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGprDst, uint8_t iGprSrc, bool fSetFlags = false)
 {
 #if defined(RT_ARCH_AMD64)
     /* and Gv, Ev */
-    uint8_t *pbCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 3);
-    pbCodeBuf[off++] = X86_OP_REX_W | (iGprDst < 8 ? 0 : X86_OP_REX_R) | (iGprSrc < 8 ? 0 : X86_OP_REX_B);
-    pbCodeBuf[off++] = 0x23;
-    pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprDst & 7, iGprSrc & 7);
+    pCodeBuf[off++] = X86_OP_REX_W | (iGprDst < 8 ? 0 : X86_OP_REX_R) | (iGprSrc < 8 ? 0 : X86_OP_REX_B);
+    pCodeBuf[off++] = 0x23;
+    pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprDst & 7, iGprSrc & 7);
     RT_NOREF(fSetFlags);
 
 #elif defined(RT_ARCH_ARM64)
-    uint32_t *pu32CodeBuf = iemNativeInstrBufEnsure(pReNative, off, 1);
     if (!fSetFlags)
-        pu32CodeBuf[off++] = Armv8A64MkInstrAnd(iGprDst, iGprDst, iGprSrc);
-    else
-        pu32CodeBuf[off++] = Armv8A64MkInstrAnds(iGprDst, iGprDst, iGprSrc);
-
+        pCodeBuf[off++] = Armv8A64MkInstrAnd(iGprDst, iGprDst, iGprSrc);
+    else
+        pCodeBuf[off++] = Armv8A64MkInstrAnds(iGprDst, iGprDst, iGprSrc);
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
+
+
+/**
+ * Emits code for AND'ing two 64-bit GPRs.
+ *
+ * @note When fSetFlags=true, JZ/JNZ jumps can be used afterwards on both AMD64
+ *       and ARM64 hosts.
+ */
+DECL_INLINE_THROW(uint32_t)
+iemNativeEmitAndGprByGpr(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprDst, uint8_t iGprSrc, bool fSetFlags = false)
+{
+#if defined(RT_ARCH_AMD64)
+    off = iemNativeEmitAndGprByGprEx(iemNativeInstrBufEnsure(pReNative, off, 3), off, iGprDst, iGprSrc, fSetFlags);
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitAndGprByGprEx(iemNativeInstrBufEnsure(pReNative, off, 1), off, iGprDst, iGprSrc, fSetFlags);
 #else
 # error "Port me"
@@ -4087 +4165 @@
 }
 
+
+/**
+ * Emits code for AND'ing an 64-bit GPRs with a constant.
+ *
+ * @note For ARM64 any complicated immediates w/o a AND/ANDS compatible
+ *       encoding will assert / throw exception if @a iGprDst and @a iGprSrc are
+ *       the same.
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitGprEqGprAndImmEx(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGprDst, uint8_t iGprSrc, uint64_t uImm,
+                              bool fSetFlags = false)
+{
+#if defined(RT_ARCH_AMD64)
+    off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, iGprDst, uImm);
+    off = iemNativeEmitAndGprByGprEx(pCodeBuf, off, iGprDst, iGprSrc);
+    RT_NOREF(fSetFlags);
+
+#elif defined(RT_ARCH_ARM64)
+    uint32_t uImmR     = 0;
+    uint32_t uImmNandS = 0;
+    if (Armv8A64ConvertMask64ToImmRImmS(uImm, &uImmNandS, &uImmR))
+    {
+        if (!fSetFlags)
+            pCodeBuf[off++] = Armv8A64MkInstrAndImm(iGprDst, iGprSrc, uImmNandS, uImmR);
+        else
+            pCodeBuf[off++] = Armv8A64MkInstrAndsImm(iGprDst, iGprSrc, uImmNandS, uImmR);
+    }
+    else if (iGprDst != iGprSrc)
+    {
+        off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, iGprDst, uImm);
+        off = iemNativeEmitAndGprByGprEx(pCodeBuf, off, iGprDst, iGprSrc, fSetFlags);
+    }
+    else
+# ifdef IEM_WITH_THROW_CATCH
+        AssertFailedStmt(IEMNATIVE_DO_LONGJMP(NULL, VERR_IEM_IPE_9));
+# else
+        AssertReleaseFailedStmt(off = UINT32_MAX);
+# endif
+
+#else
+# error "Port me"
+#endif
+    return off;
+}
 
 /**

trunk/src/VBox/VMM/include/IEMN8veRecompilerTlbLookup.h

@@ -160 +160 @@
     }
 
-    void freeRegsAndReleaseVars(PIEMRECOMPILERSTATE a_pReNative, uint8_t idxVarGCPtrMem = UINT8_MAX) const
-    {
-        if (idxRegPtr != UINT8_MAX)
-        {
-            if (idxRegPtrHlp == UINT8_MAX)
+    /* Alternative constructor for the code TLB lookups where we implictly use RIP
+       variable, only a register derived from the guest RSP. */
+    IEMNATIVEEMITTLBSTATE(PIEMRECOMPILERSTATE a_pReNative, bool a_fFlat, uint32_t *a_poff)
+#ifdef IEMNATIVE_WITH_TLB_LOOKUP
+        :           fSkip(false)
+#else
+        :           fSkip(true)
+#endif
+        ,    idxRegPtrHlp(UINT8_MAX)
+        ,       idxRegPtr(iemNativeRegAllocTmpForGuestReg(a_pReNative, a_poff, kIemNativeGstReg_Pc))
+        ,   idxRegSegBase(a_fFlat || fSkip
+                          ? UINT8_MAX
+                          : iemNativeRegAllocTmpForGuestReg(a_pReNative, a_poff, IEMNATIVEGSTREG_SEG_BASE(X86_SREG_CS)))
+        ,  idxRegSegLimit(/*a_fFlat || fSkip
+                          ? UINT8_MAX
+                          : iemNativeRegAllocTmpForGuestReg(a_pReNative, a_poff, IEMNATIVEGSTREG_SEG_LIMIT(X86_SREG_CS))*/
+                          UINT8_MAX)
+        , idxRegSegAttrib(UINT8_MAX)
+        ,         idxReg1(!fSkip ? iemNativeRegAllocTmp(a_pReNative, a_poff) : UINT8_MAX)
+        ,         idxReg2(!fSkip ? iemNativeRegAllocTmp(a_pReNative, a_poff) : UINT8_MAX)
+#if defined(RT_ARCH_ARM64)
+        ,         idxReg3(!fSkip ? iemNativeRegAllocTmp(a_pReNative, a_poff) : UINT8_MAX)
+#endif
+        ,         uAbsPtr(UINT64_MAX)
+
+    {
+    }
+
+    void freeRegsAndReleaseVars(PIEMRECOMPILERSTATE a_pReNative, uint8_t idxVarGCPtrMem = UINT8_MAX, bool fIsCode = false) const
+    {
+        if (!fIsCode)
+        {
+            if (idxRegPtr != UINT8_MAX)
             {
-                if (idxVarGCPtrMem != UINT8_MAX)
-                    iemNativeVarRegisterRelease(a_pReNative, idxVarGCPtrMem);
+                if (idxRegPtrHlp == UINT8_MAX)
+                {
+                    if (idxVarGCPtrMem != UINT8_MAX)
+                        iemNativeVarRegisterRelease(a_pReNative, idxVarGCPtrMem);
+                }
+                else
+                {
+                    Assert(idxRegPtrHlp == idxRegPtr);
+                    iemNativeRegFreeTmpImm(a_pReNative, idxRegPtrHlp);
+                }
             }
             else
-            {
-                Assert(idxRegPtrHlp == idxRegPtr);
-                iemNativeRegFreeTmpImm(a_pReNative, idxRegPtrHlp);
-            }
-        }
-        else
+                Assert(idxRegPtrHlp == UINT8_MAX);
+        }
+        else
+        {
+            Assert(idxVarGCPtrMem == UINT8_MAX);
             Assert(idxRegPtrHlp == UINT8_MAX);
+            iemNativeRegFreeTmp(a_pReNative, idxRegPtr); /* RIP */
+        }
         if (idxRegSegBase != UINT8_MAX)
             iemNativeRegFreeTmp(a_pReNative, idxRegSegBase);
         if (idxRegSegLimit != UINT8_MAX)
-        {
             iemNativeRegFreeTmp(a_pReNative, idxRegSegLimit);
+        if (idxRegSegAttrib != UINT8_MAX)
             iemNativeRegFreeTmp(a_pReNative, idxRegSegAttrib);
-        }
-        else
-            Assert(idxRegSegAttrib == UINT8_MAX);
 #if defined(RT_ARCH_ARM64)
         iemNativeRegFreeTmp(a_pReNative, idxReg3);
@@ -207 +241 @@
 
     /** This is only for avoid assertions. */
-    uint32_t getActiveRegsWithShadows() const
+    uint32_t getActiveRegsWithShadows(bool fCode = false) const
     {
 #ifdef VBOX_STRICT
         if (!fSkip)
-            return RT_BIT_32(idxRegSegBase) | RT_BIT_32(idxRegSegLimit) | RT_BIT_32(idxRegSegAttrib);
+            return (idxRegSegBase   != UINT8_MAX ? RT_BIT_32(idxRegSegBase)   : 0)
+                 | (idxRegSegLimit  != UINT8_MAX ? RT_BIT_32(idxRegSegLimit)  : 0)
+                 | (idxRegSegAttrib != UINT8_MAX ? RT_BIT_32(idxRegSegAttrib) : 0)
+                 | (fCode                        ? RT_BIT_32(idxRegPtr)       : 0);
 #endif
         return 0;
@@ -229 +266 @@
 {
     Assert(!pTlbState->fSkip);
+    uint32_t const   offVCpuTlb = a_fDataTlb ? RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb) : RT_UOFFSETOF(VMCPUCC, iem.s.CodeTlb);
 # if defined(RT_ARCH_AMD64)
-    uint8_t * const  pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 512);
+    uint8_t * const  pCodeBuf   = iemNativeInstrBufEnsure(pReNative, off, 512);
 # elif defined(RT_ARCH_ARM64)
-    uint32_t * const pCodeBuf = iemNativeInstrBufEnsure(pReNative, off, 64);
+    uint32_t * const pCodeBuf   = iemNativeInstrBufEnsure(pReNative, off, 64);
 # endif
 
@@ -296 +334 @@
      *
      * 1a. Check segment limit and attributes if non-flat 32-bit code.  This is complicated.
-     */
-    if (iSegReg != UINT8_MAX && (pReNative->fExec & IEM_F_MODE_CPUMODE_MASK) != IEMMODE_64BIT)
+     *
+     *     This can be skipped for code TLB lookups because limit is checked by jmp, call,
+     *     ret, and iret prior to making it.  It is also checked by the helpers prior to
+     *     doing TLB loading.
+     */
+    if (a_fDataTlb && iSegReg != UINT8_MAX && (pReNative->fExec & IEM_F_MODE_CPUMODE_MASK) != IEMMODE_64BIT)
     {
         /* Check that we've got a segment loaded and that it allows the access.
@@ -539 +581 @@
     pCodeBuf[off++] = pTlbState->idxReg1 < 8 ? X86_OP_REX_W : X86_OP_REX_W | X86_OP_REX_R;
     pCodeBuf[off++] = 0x0b; /* OR r64,r/m64 */
-    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, pTlbState->idxReg1, RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb.uTlbRevision));
+    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, pTlbState->idxReg1, offVCpuTlb + RT_UOFFSETOF(IEMTLB, uTlbRevision));
 # else
-    off = iemNativeEmitLoadGprFromVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg3, RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb.uTlbRevision));
+    off = iemNativeEmitLoadGprFromVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg3, offVCpuTlb + RT_UOFFSETOF(IEMTLB, uTlbRevision));
     off = iemNativeEmitOrGprByGprEx(pCodeBuf, off, pTlbState->idxReg1, pTlbState->idxReg3);
 # endif
@@ -548 +590 @@
      * 3b. Calc pTlbe.
      */
+    uint32_t const offTlbEntries = offVCpuTlb + RT_UOFFSETOF(IEMTLB, aEntries);
 # if defined(RT_ARCH_AMD64)
     /* movzx reg2, byte reg1 */
@@ -560 +603 @@
     pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_MEM4, pTlbState->idxReg2 & 7, 4 /*SIB*/);
     pCodeBuf[off++] = X86_SIB_MAKE(IEMNATIVE_REG_FIXED_PVMCPU & 7, pTlbState->idxReg2 & 7, 0);
-    pCodeBuf[off++] = RT_BYTE1(RT_UOFFSETOF(VMCPUCC,  iem.s.DataTlb.aEntries));
-    pCodeBuf[off++] = RT_BYTE2(RT_UOFFSETOF(VMCPUCC,  iem.s.DataTlb.aEntries));
-    pCodeBuf[off++] = RT_BYTE3(RT_UOFFSETOF(VMCPUCC,  iem.s.DataTlb.aEntries));
-    pCodeBuf[off++] = RT_BYTE4(RT_UOFFSETOF(VMCPUCC,  iem.s.DataTlb.aEntries));
+    pCodeBuf[off++] = RT_BYTE1(offTlbEntries);
+    pCodeBuf[off++] = RT_BYTE2(offTlbEntries);
+    pCodeBuf[off++] = RT_BYTE3(offTlbEntries);
+    pCodeBuf[off++] = RT_BYTE4(offTlbEntries);
 
 # elif defined(RT_ARCH_ARM64)
@@ -569 +612 @@
     pCodeBuf[off++] = Armv8A64MkInstrUbfiz(pTlbState->idxReg2, pTlbState->idxReg1, 5, 8);
     /* reg2 += offsetof(VMCPUCC, iem.s.DataTlb.aEntries) */
-    off = iemNativeEmitAddGprImmEx(pCodeBuf, off, pTlbState->idxReg2, RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb.aEntries),
-                                   pTlbState->idxReg3 /*iGprTmp*/);
+    off = iemNativeEmitAddGprImmEx(pCodeBuf, off, pTlbState->idxReg2, offTlbEntries, pTlbState->idxReg3 /*iGprTmp*/);
     /* reg2 += pVCpu */
     off = iemNativeEmitAddTwoGprsEx(pCodeBuf, off, pTlbState->idxReg2, IEMNATIVE_REG_FIXED_PVMCPU);
@@ -602 +644 @@
     uint64_t       fTlbe   = IEMTLBE_F_PHYS_REV | IEMTLBE_F_NO_MAPPINGR3 | IEMTLBE_F_PG_UNASSIGNED | IEMTLBE_F_PT_NO_ACCESSED
                            | fNoUser;
+    if (fAccess & IEM_ACCESS_TYPE_EXEC)
+        fTlbe |= IEMTLBE_F_PT_NO_EXEC /*| IEMTLBE_F_PG_NO_READ?*/;
     if (fAccess & IEM_ACCESS_TYPE_READ)
         fTlbe |= IEMTLBE_F_PG_NO_READ;
@@ -618 +662 @@
     pCodeBuf[off++] = 0x3b;
     off = iemNativeEmitGprByGprDisp(pCodeBuf, off, pTlbState->idxReg1, IEMNATIVE_REG_FIXED_PVMCPU,
-                                    RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb.uTlbPhysRev));
+                                    offVCpuTlb + RT_UOFFSETOF(IEMTLB, uTlbPhysRev));
 # elif defined(RT_ARCH_ARM64)
     off = iemNativeEmitLoadGprByGprU64Ex(pCodeBuf, off, pTlbState->idxReg3, pTlbState->idxReg2,
                                          RT_UOFFSETOF(IEMTLBENTRY, fFlagsAndPhysRev));
     pCodeBuf[off++] = Armv8A64MkInstrAnd(pTlbState->idxReg1, pTlbState->idxReg1, pTlbState->idxReg3);
-    off = iemNativeEmitLoadGprFromVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg3, RT_UOFFSETOF(VMCPUCC, iem.s.DataTlb.uTlbPhysRev));
+    off = iemNativeEmitLoadGprFromVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg3, offVCpuTlb + RT_UOFFSETOF(IEMTLB, uTlbPhysRev));
     off = iemNativeEmitCmpGprWithGprEx(pCodeBuf, off, pTlbState->idxReg1, pTlbState->idxReg3);
 # else
@@ -634 +678 @@
      * 5. Check that pbMappingR3 isn't NULL (paranoia) and calculate the
      *    resulting pointer.
+     *
+     *    For code TLB lookups we have some more work to do here to set various
+     *    IEMCPU members and we return a GCPhys address rather than a host pointer.
      */
     /* mov  reg1, [reg2->pbMappingR3] */
@@ -643 +690 @@
                                                       true /*f64Bit*/, idxLabelTlbMiss);
 
-    if (idxRegFlatPtr == idxRegMemResult) /* See step 1b. */
-    {
-        /* and result, 0xfff */
-        off = iemNativeEmitAndGpr32ByImmEx(pCodeBuf, off, idxRegMemResult, GUEST_PAGE_OFFSET_MASK);
+    if (a_fDataTlb)
+    {
+        if (idxRegFlatPtr == idxRegMemResult) /* See step 1b. */
+        {
+            /* and result, 0xfff */
+            off = iemNativeEmitAndGpr32ByImmEx(pCodeBuf, off, idxRegMemResult, GUEST_PAGE_OFFSET_MASK);
+        }
+        else
+        {
+            Assert(idxRegFlatPtr == pTlbState->idxRegPtr);
+            /* result = regflat & 0xfff */
+            off = iemNativeEmitGpr32EqGprAndImmEx(pCodeBuf, off, idxRegMemResult, idxRegFlatPtr, GUEST_PAGE_OFFSET_MASK);
+        }
+
+        /* add result, reg1 */
+        off = iemNativeEmitAddTwoGprsEx(pCodeBuf, off, idxRegMemResult, pTlbState->idxReg1);
     }
     else
     {
-        Assert(idxRegFlatPtr == pTlbState->idxRegPtr);
-        /* result = regflat & 0xfff */
-        off = iemNativeEmitGpr32EqGprAndImmEx(pCodeBuf, off, idxRegMemResult, idxRegFlatPtr, GUEST_PAGE_OFFSET_MASK);
-    }
-    /* add result, reg1 */
-    off = iemNativeEmitAddTwoGprsEx(pCodeBuf, off, idxRegMemResult, pTlbState->idxReg1);
+        /*
+         * Code TLB use a la iemOpcodeFetchBytesJmp - keep reg2 pointing to the TLBE.
+         *
+         * Note. We do not need to set offCurInstrStart or offInstrNextByte.
+         */
+# ifdef RT_ARCH_AMD64
+        uint8_t const idxReg3 = UINT8_MAX;
+# else
+        uint8_t const idxReg3 = pTlbState->idxReg3;
+# endif
+        /* Set pbInstrBuf first since we've got it loaded already. */
+        off = iemNativeEmitStoreGprToVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg1,
+                                               RT_UOFFSETOF(VMCPUCC, iem.s.pbInstrBuf), idxReg3);
+        /* Set uInstrBufPc to (FlatPC & ~GUEST_PAGE_OFFSET_MASK). */
+        off = iemNativeEmitGprEqGprAndImmEx(pCodeBuf, off, pTlbState->idxReg1, idxRegFlatPtr, ~(RTGCPTR)GUEST_PAGE_OFFSET_MASK);
+        off = iemNativeEmitStoreGprToVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg1,
+                                               RT_UOFFSETOF(VMCPUCC, iem.s.uInstrBufPc), idxReg3);
+        /* Set cbInstrBufTotal to GUEST_PAGE_SIZE. */ /** @todo this is a simplifications. Calc right size using CS.LIM and EIP? */
+        off = iemNativeEmitStoreImmToVCpuU16Ex(pCodeBuf, off, GUEST_PAGE_SIZE, RT_UOFFSETOF(VMCPUCC, iem.s.cbInstrBufTotal),
+                                               pTlbState->idxReg1, idxReg3);
+        /* Now set GCPhysInstrBuf last as we'll be returning it in idxRegMemResult. */
+        off = iemNativeEmitLoadGprByGprU64Ex(pCodeBuf, off, pTlbState->idxReg1,
+                                             pTlbState->idxReg2, RT_UOFFSETOF(IEMTLBENTRY, GCPhys));
+        off = iemNativeEmitStoreGprToVCpuU64Ex(pCodeBuf, off, pTlbState->idxReg1,
+                                               RT_UOFFSETOF(VMCPUCC, iem.s.GCPhysInstrBuf), idxReg3);
+        /* Set idxRegMemResult. */
+        if (idxRegFlatPtr == idxRegMemResult) /* See step 1b. */
+            off = iemNativeEmitAndGpr32ByImmEx(pCodeBuf, off, idxRegMemResult, GUEST_PAGE_OFFSET_MASK);
+        else
+            off = iemNativeEmitGpr32EqGprAndImmEx(pCodeBuf, off, idxRegMemResult, idxRegFlatPtr, GUEST_PAGE_OFFSET_MASK);
+        off = iemNativeEmitAddTwoGprsEx(pCodeBuf, off, idxRegMemResult, pTlbState->idxReg1);
+    }
 
 # if 0
@@ -665 +750 @@
      */
 #  ifdef RT_ARCH_AMD64
-    /* push     seg | (cbMem << 8) | (fAccess << 16) */
-    pCodeBuf[off++] = 0x68;
-    pCodeBuf[off++] = iSegReg;
-    pCodeBuf[off++] = cbMem;
-    pCodeBuf[off++] = RT_BYTE1(fAccess);
-    pCodeBuf[off++] = RT_BYTE2(fAccess);
-    /* push     pTlbState->idxRegPtr / immediate address. */
-    if (pTlbState->idxRegPtr != UINT8_MAX)
-    {
-        if (pTlbState->idxRegPtr >= 8)
+    if (a_fDataTlb)
+    {
+        /* push     seg | (cbMem << 8) | (fAccess << 16) */
+        pCodeBuf[off++] = 0x68;
+        pCodeBuf[off++] = iSegReg;
+        pCodeBuf[off++] = cbMem;
+        pCodeBuf[off++] = RT_BYTE1(fAccess);
+        pCodeBuf[off++] = RT_BYTE2(fAccess);
+        /* push     pTlbState->idxRegPtr / immediate address. */
+        if (pTlbState->idxRegPtr != UINT8_MAX)
+        {
+            if (pTlbState->idxRegPtr >= 8)
+                pCodeBuf[off++] = X86_OP_REX_B;
+            pCodeBuf[off++] = 0x50 + (pTlbState->idxRegPtr & 7);
+        }
+        else
+        {
+            off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, pTlbState->idxReg1, pTlbState->uAbsPtr);
+            if (pTlbState->idxReg1 >= 8)
+                pCodeBuf[off++] = X86_OP_REX_B;
+            pCodeBuf[off++] = 0x50 + (pTlbState->idxReg1 & 7);
+        }
+        /* push     idxRegMemResult */
+        if (idxRegMemResult >= 8)
             pCodeBuf[off++] = X86_OP_REX_B;
-        pCodeBuf[off++] = 0x50 + (pTlbState->idxRegPtr & 7);
-    }
-    else
-    {
-        off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, pTlbState->idxReg1, pTlbState->uAbsPtr);
-        if (pTlbState->idxReg1 >= 8)
-            pCodeBuf[off++] = X86_OP_REX_B;
-        pCodeBuf[off++] = 0x50 + (pTlbState->idxReg1 & 7);
-    }
-    /* push     idxRegMemResult */
-    if (idxRegMemResult >= 8)
-        pCodeBuf[off++] = X86_OP_REX_B;
-    pCodeBuf[off++] = 0x50 + (idxRegMemResult & 7);
-    /* push     pVCpu */
-    pCodeBuf[off++] = 0x50 + IEMNATIVE_REG_FIXED_PVMCPU;
-    /* mov      reg1, helper */
-    off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, pTlbState->idxReg1, (uintptr_t)iemNativeHlpAsmSafeWrapCheckTlbLookup);
-    /* call     [reg1] */
-    pCodeBuf[off++] = X86_OP_REX_W | (pTlbState->idxReg1 < 8 ? 0 : X86_OP_REX_B);
-    pCodeBuf[off++] = 0xff;
-    pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 2, pTlbState->idxReg1 & 7);
-    /* The stack is cleaned up by helper function. */
+        pCodeBuf[off++] = 0x50 + (idxRegMemResult & 7);
+        /* push     pVCpu */
+        pCodeBuf[off++] = 0x50 + IEMNATIVE_REG_FIXED_PVMCPU;
+        /* mov      reg1, helper */
+        off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, pTlbState->idxReg1, (uintptr_t)iemNativeHlpAsmSafeWrapCheckTlbLookup);
+        /* call     [reg1] */
+        pCodeBuf[off++] = X86_OP_REX_W | (pTlbState->idxReg1 < 8 ? 0 : X86_OP_REX_B);
+        pCodeBuf[off++] = 0xff;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 2, pTlbState->idxReg1 & 7);
+        /* The stack is cleaned up by helper function. */
+    }
 
 #  else