Changeset 105673 in vbox for trunk

Timestamp:

Aug 14, 2024 1:57:57 PM (5 months ago)

Author:

vboxsync

Message:

VMM/IEM,TM: Do full-TB looping. Redid timer polling in the recompiler. Rewrote the Blt_CheckIrq code, eliminating a conditional. Fixed some TLB related assertions. Moved some IEMCPU members around in hope of better cache-locality. bugref:10656

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• include/VBox/vmm/tm.h (modified) (1 diff)
• include/VBox/vmm/vm.h (modified) (2 diffs)
• src/VBox/VMM/VMMAll/IEMAll.cpp (modified) (5 diffs)
• src/VBox/VMM/VMMAll/IEMAllN8veRecompBltIn.cpp (modified) (4 diffs)
• src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp (modified) (10 diffs)
• src/VBox/VMM/VMMAll/IEMAllThrdFuncsBltIn.cpp (modified) (3 diffs)
• src/VBox/VMM/VMMAll/IEMAllThrdPython.py (modified) (2 diffs)
• src/VBox/VMM/VMMAll/IEMAllThrdRecompiler.cpp (modified) (18 diffs)
• src/VBox/VMM/VMMAll/IEMAllThrdTables.h (modified) (8 diffs)
• src/VBox/VMM/VMMAll/TMAll.cpp (modified) (2 diffs)
• src/VBox/VMM/VMMR3/IEMR3.cpp (modified) (5 diffs)
• src/VBox/VMM/include/IEMInternal.h (modified) (18 diffs)
• src/VBox/VMM/include/IEMN8veRecompiler.h (modified) (3 diffs)
• src/VBox/VMM/include/IEMN8veRecompilerEmit.h (modified) (9 diffs)

trunk/include/VBox/err.h

@@ -2520 +2520 @@
  *  handling. */
 #define VINF_IEM_REEXEC_FINISH_WITH_FLAGS           (5312)
+/** Recompiled execution: Jump back in the same TB. */
+#define VINF_IEM_REEXEC_JUMP                        (5313)
 
 /** Recompilation: End translation block. */

trunk/include/VBox/vmm/tm.h

@@ -272 +272 @@
 
 VMMDECL(bool)           TMTimerPollBool(PVMCC pVM, PVMCPUCC pVCpu);
-VMMDECL(bool)           TMTimerPollBoolWith32BitMilliTS(PVMCC pVM, PVMCPUCC pVCpu, uint32_t *pmsNow);
+VMM_INT_DECL(bool)      TMTimerPollBoolWith32BitMilliTS(PVMCC pVM, PVMCPUCC pVCpu, uint32_t *pmsNow);
+VMM_INT_DECL(bool)      TMTimerPollBoolWithNanoTS(PVMCC pVM, PVMCPUCC pVCpu, uint64_t *pnsNow);
 VMM_INT_DECL(void)      TMTimerPollVoid(PVMCC pVM, PVMCPUCC pVCpu);
 VMM_INT_DECL(uint64_t)  TMTimerPollGIP(PVMCC pVM, PVMCPUCC pVCpu, uint64_t *pu64Delta);

trunk/include/VBox/vmm/vm.h

@@ -417 +417 @@
  *
  * Available VM bits:
- *      0, 1, 5, 6, 7, 13, 14, 15, 16, 17, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30
+ *      5, 6, 7, 13, 14, 15, 16, 17, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30
  *
  *
@@ -427 +427 @@
  * @{
  */
+/* Bit 0, bit 1: Reserved and must not be reused.  The recompiler ASSUMES it
+   can OR the local and global FFs together and keept the two
+   VMCPU_FF_INTERRUPT_XXX flags uncorrupted.  */
 /** The virtual sync clock has been stopped, go to TM until it has been
  *  restarted... */

trunk/src/VBox/VMM/VMMAll/IEMAll.cpp

@@ -1603 +1603 @@
             {
                 pVCpu->iem.s.fTbCrossedPage     |= offPg == 0 || pVCpu->iem.s.fTbBranched != 0; /** @todo Spurious load effect on branch handling? */
+#  if 0 /* unused */
                 pVCpu->iem.s.GCPhysInstrBufPrev  = pVCpu->iem.s.GCPhysInstrBuf;
-
+#  endif
                 pVCpu->iem.s.offInstrNextByte = offPg + (uint32_t)cbDst;
                 pVCpu->iem.s.uInstrBufPc      = GCPtrFirst & ~(RTGCPTR)X86_PAGE_OFFSET_MASK;
@@ -1697 +1698 @@
             uint32_t const offPg = (GCPtrFirst & X86_PAGE_OFFSET_MASK);
             pVCpu->iem.s.fTbCrossedPage     |= offPg == 0 || pVCpu->iem.s.fTbBranched != 0;
+#  if 0 /* unused */
             pVCpu->iem.s.GCPhysInstrBufPrev  = pVCpu->iem.s.GCPhysInstrBuf;
-
+#  endif
             pVCpu->iem.s.offCurInstrStart = (int16_t)(offPg - cbInstr);
             pVCpu->iem.s.offInstrNextByte = offPg + cbInstr + cbToRead;
@@ -6291 +6293 @@
                        || (   (    IEM_GET_CPL(pVCpu) != 3
                                || (fAccess & IEM_ACCESS_WHAT_SYS))
-                           && (pVCpu->cpum.GstCtx.cr0 & X86_CR0_WP)) )
+                           && !(pVCpu->cpum.GstCtx.cr0 & X86_CR0_WP)) )
                     && (   (WalkFast.fEffective & X86_PTE_US)
                         || IEM_GET_CPL(pVCpu) != 3
@@ -7123 +7125 @@
         Assert(!(pTlbe->fFlagsAndPhysRev & IEMTLBE_F_PT_NO_ACCESSED));
         Assert(!(pTlbe->fFlagsAndPhysRev & IEMTLBE_F_PT_NO_DIRTY) || !(fAccess & IEM_ACCESS_TYPE_WRITE));
-        Assert(!(pTlbe->fFlagsAndPhysRev & IEMTLBE_F_PT_NO_WRITE) || !(fAccess & IEM_ACCESS_TYPE_WRITE));
+        Assert(   !(pTlbe->fFlagsAndPhysRev & IEMTLBE_F_PT_NO_WRITE)
+               || !(fAccess & IEM_ACCESS_TYPE_WRITE)
+               || (fQPage & (PGMQPAGE_F_CR0_WP0 | PGMQPAGE_F_USER_MODE)) == PGMQPAGE_F_CR0_WP0);
         Assert(   !(pTlbe->fFlagsAndPhysRev & IEMTLBE_F_PT_NO_USER)
                || IEM_GET_CPL(pVCpu) != 3
@@ -7537 +7541 @@
         pTlbe->pbMappingR3      = NULL;
         Assert(!(pTlbe->fFlagsAndPhysRev & ((fNoWriteNoDirty & IEMTLBE_F_PT_NO_DIRTY) | IEMTLBE_F_PT_NO_ACCESSED)));
-        Assert(!(pTlbe->fFlagsAndPhysRev & fNoWriteNoDirty & IEMTLBE_F_PT_NO_WRITE));
+        Assert(   !(pTlbe->fFlagsAndPhysRev & fNoWriteNoDirty & IEMTLBE_F_PT_NO_WRITE)
+               || (fQPage & (PGMQPAGE_F_CR0_WP0 | PGMQPAGE_F_USER_MODE)) == PGMQPAGE_F_CR0_WP0);
         Assert(!(pTlbe->fFlagsAndPhysRev & fNoUser & IEMTLBE_F_PT_NO_USER));
 

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompBltIn.cpp

@@ -203 +203 @@
 
 /**
+ * Worker for the CheckIrq, CheckTimers and CheckTimersAndIrq builtins below.
+ */
+template<bool const a_fCheckTimers, bool const a_fCheckIrqs>
+DECL_FORCE_INLINE(uint32_t) iemNativeRecompFunc_BltIn_CheckTimersAndIrqsCommon(PIEMRECOMPILERSTATE pReNative, uint32_t off)
+{
+    uint8_t const         idxEflReg  = !a_fCheckIrqs ? UINT8_MAX
+                                     : iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_EFlags,
+                                                                       kIemNativeGstRegUse_ReadOnly);
+    uint8_t const         idxTmpReg1 = iemNativeRegAllocTmp(pReNative, &off);
+    uint8_t const         idxTmpReg2 = a_fCheckIrqs ? iemNativeRegAllocTmp(pReNative, &off) : UINT8_MAX;
+    PIEMNATIVEINSTR const pCodeBuf   = iemNativeInstrBufEnsure(pReNative, off, RT_ARCH_VAL == RT_ARCH_VAL_AMD64 ? 72 : 32);
+
+    /*
+     * First we decrement the timer poll counter, if so desired.
+     */
+    if (a_fCheckTimers)
+    {
+# ifdef RT_ARCH_AMD64
+        /* dec  [rbx + cIrqChecksTillNextPoll] */
+        pCodeBuf[off++] = 0xff;
+        off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, 1, RT_UOFFSETOF(VMCPU, iem.s.cIrqChecksTillNextPoll));
+
+        /* jz   ReturnBreakFF */
+        off = iemNativeEmitJccTbExitEx(pReNative, pCodeBuf, off, kIemNativeLabelType_ReturnBreakFF, kIemNativeInstrCond_e);
+
+# elif defined(RT_ARCH_ARM64)
+        AssertCompile(RTASSERT_OFFSET_OF(VMCPU, iem.s.cIrqChecksTillNextPoll) < _4K * sizeof(uint32_t));
+        off = iemNativeEmitLoadGprFromVCpuU32Ex(pCodeBuf, off, idxTmpReg1, RT_UOFFSETOF(VMCPU, iem.s.cIrqChecksTillNextPoll));
+        pCodeBuf[off++] = Armv8A64MkInstrSubUImm12(idxTmpReg1, idxTmpReg1, 1, false /*f64Bit*/);
+        off = iemNativeEmitStoreGprToVCpuU32Ex(pCodeBuf, off, idxTmpReg1, RT_UOFFSETOF(VMCPU, iem.s.cIrqChecksTillNextPoll));
+
+        /* cbz reg1, ReturnBreakFF */
+        off = iemNativeEmitTestIfGprIsZeroAndTbExitEx(pReNative, pCodeBuf, off, idxTmpReg1, false /*f64Bit*/,
+                                                      kIemNativeLabelType_ReturnBreakFF);
+
+# else
+#  error "port me"
+# endif
+    }
+
+    /*
+     * Second, check forced flags, if so desired.
+     *
+     * We OR them together to save a conditional.  A trick here is that the
+     * two IRQ flags are unused in the global flags, so we can still use the
+     * resulting value to check for suppressed interrupts.
+     */
+    if (a_fCheckIrqs)
+    {
+        /* Load VMCPU::fLocalForcedActions first and mask it.  We can simplify the
+           masking by ASSUMING none of the unwanted flags are located above bit 30.  */
+        uint64_t const fUnwantedCpuFFs = VMCPU_FF_PGM_SYNC_CR3
+                                       | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
+                                       | VMCPU_FF_TLB_FLUSH
+                                       | VMCPU_FF_UNHALT;
+        AssertCompile(fUnwantedCpuFFs < RT_BIT_64(31));
+        off = iemNativeEmitLoadGprFromVCpuU64Ex(pCodeBuf, off, idxTmpReg1, RT_UOFFSETOF(VMCPUCC, fLocalForcedActions));
+# if defined(RT_ARCH_AMD64)
+        /* and reg1, ~fUnwantedCpuFFs */
+        pCodeBuf[off++] = idxTmpReg1 >= 8 ? X86_OP_REX_B | X86_OP_REX_W : X86_OP_REX_W;
+        pCodeBuf[off++] = 0x81;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 4, idxTmpReg1 & 7);
+        *(uint32_t *)&pCodeBuf[off] = ~(uint32_t)fUnwantedCpuFFs;
+        off += 4;
+
+# else
+        off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, idxTmpReg2, ~fUnwantedCpuFFs);
+        off = iemNativeEmitAndGprByGprEx(pCodeBuf, off, idxTmpReg1, idxTmpReg2);
+# endif
+
+        /* OR in VM::fGlobalForcedActions.  We access the member via pVCpu.
+           No need to mask anything here.  Unfortunately, it's a 32-bit
+           variable, so we can't OR it directly on x86. */
+        AssertCompile(VM_FF_ALL_MASK == UINT32_MAX);
+        intptr_t const offGlobalForcedActions = (intptr_t)&pReNative->pVCpu->CTX_SUFF(pVM)->fGlobalForcedActions
+                                              - (intptr_t)pReNative->pVCpu;
+        Assert((int32_t)offGlobalForcedActions == offGlobalForcedActions);
+
+# ifdef RT_ARCH_AMD64
+        if (idxTmpReg2 >= 8)
+            pCodeBuf[off++] = X86_OP_REX_R;
+        pCodeBuf[off++] = 0x8b; /* mov */
+        off = iemNativeEmitGprByVCpuSignedDisp(pCodeBuf, off, idxTmpReg2, (int32_t)offGlobalForcedActions);
+
+        /* or reg1, reg2 */
+        off = iemNativeEmitOrGprByGprEx(pCodeBuf, off, idxTmpReg1, idxTmpReg2);
+
+        /* jz nothing_pending */
+        uint32_t const offFixup1 = off;
+        off = iemNativeEmitJccToFixedEx(pCodeBuf, off, off + 64, kIemNativeInstrCond_e);
+
+# elif defined(RT_ARCH_ARM64)
+        off = iemNativeEmitGprBySignedVCpuLdStEx(pCodeBuf, off, idxTmpReg2, (int32_t)offGlobalForcedActions,
+                                                 kArmv8A64InstrLdStType_Ld_Word, sizeof(uint32_t));
+        off = iemNativeEmitOrGprByGprEx(pCodeBuf, off, idxTmpReg1, idxTmpReg2);
+
+        /* cbz nothing_pending */
+        uint32_t const offFixup1 = off;
+        off = iemNativeEmitTestIfGprIsZeroOrNotZeroAndJmpToFixedEx(pCodeBuf, off, idxTmpReg1, true /*f64Bit*/,
+                                                                   false /*fJmpIfNotZero*/, off + 16);
+# else
+#  error "port me"
+# endif
+
+        /* More than just IRQ FFs pending? */
+        AssertCompile((VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC) == 3);
+        /* cmp reg1, 3 */
+        off = iemNativeEmitCmpGprWithImmEx(pCodeBuf, off, idxTmpReg1, VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC);
+        /* ja ReturnBreakFF */
+        off = iemNativeEmitJccTbExitEx(pReNative, pCodeBuf, off, kIemNativeLabelType_ReturnBreakFF, kIemNativeInstrCond_nbe);
+
+        /*
+         * Okay, we've only got pending IRQ related FFs: Can we dispatch IRQs?
+         *
+         * ASSUME that the shadow flags are cleared when they ought to be cleared,
+         * so we can skip the RIP check.
+         */
+        AssertCompile(CPUMCTX_INHIBIT_SHADOW < RT_BIT_32(31));
+        /* reg1 = efl & (IF | INHIBIT_SHADOW) */
+        off = iemNativeEmitGpr32EqGprAndImmEx(pCodeBuf, off, idxTmpReg1, idxEflReg, X86_EFL_IF | CPUMCTX_INHIBIT_SHADOW);
+        /* reg1 ^= IF */
+        off = iemNativeEmitXorGpr32ByImmEx(pCodeBuf, off, idxTmpReg1, X86_EFL_IF);
+
+# ifdef RT_ARCH_AMD64
+        /* jz   ReturnBreakFF */
+        off = iemNativeEmitJccTbExitEx(pReNative, pCodeBuf, off, kIemNativeLabelType_ReturnBreakFF, kIemNativeInstrCond_e);
+
+# elif defined(RT_ARCH_ARM64)
+        /* cbz  reg1, ReturnBreakFF */
+        off = iemNativeEmitTestIfGprIsZeroAndTbExitEx(pReNative, pCodeBuf, off, idxTmpReg1, false /*f64Bit*/,
+                                                      kIemNativeLabelType_ReturnBreakFF);
+# else
+#  error "port me"
+# endif
+        /*
+         * nothing_pending:
+         */
+        iemNativeFixupFixedJump(pReNative, offFixup1, off);
+    }
+
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+
+    /*
+     * Cleanup.
+     */
+    iemNativeRegFreeTmp(pReNative, idxTmpReg1);
+    if (a_fCheckIrqs)
+    {
+        iemNativeRegFreeTmp(pReNative, idxTmpReg2);
+        iemNativeRegFreeTmp(pReNative, idxEflReg);
+    }
+    else
+    {
+        Assert(idxTmpReg2 == UINT8_MAX);
+        Assert(idxEflReg == UINT8_MAX);
+    }
+
+    return off;
+}
+
+
+/**
  * Built-in function that checks for pending interrupts that can be delivered or
  * forced action flags.
@@ -212 +374 @@
 IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_CheckIrq)
 {
-    RT_NOREF(pCallEntry);
-
     BODY_FLUSH_PENDING_WRITES();
-
-    /* It's too convenient to use iemNativeEmitTestBitInGprAndJmpToLabelIfNotSet below
-       and I'm too lazy to create a 'Fixed' version of that one. */
-    uint32_t const idxLabelVmCheck = iemNativeLabelCreate(pReNative, kIemNativeLabelType_CheckIrq,
-                                                          UINT32_MAX, pReNative->uCheckIrqSeqNo++);
-
-    /* Again, we need to load the extended EFLAGS before we actually need them
-       in case we jump.  We couldn't use iemNativeRegAllocTmpForGuestReg if we
-       loaded them inside the check, as the shadow state would not be correct
-       when the code branches before the load.  Ditto PC. */
-    uint8_t const idxEflReg = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_EFlags,
-                                                              kIemNativeGstRegUse_ReadOnly);
-
-    uint8_t const idxPcReg  = iemNativeRegAllocTmpForGuestReg(pReNative, &off, kIemNativeGstReg_Pc, kIemNativeGstRegUse_ReadOnly);
-
-    uint8_t idxTmpReg = iemNativeRegAllocTmp(pReNative, &off);
-
-    /*
-     * Start by checking the local forced actions of the EMT we're on for IRQs
-     * and other FFs that needs servicing.
-     */
-    /** @todo this isn't even close to the NMI and interrupt conditions in EM! */
-    /* Load FFs in to idxTmpReg and AND with all relevant flags. */
-    off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxTmpReg, RT_UOFFSETOF(VMCPUCC, fLocalForcedActions));
-    off = iemNativeEmitAndGprByImm(pReNative, off, idxTmpReg,
-                                   VMCPU_FF_ALL_MASK & ~(  VMCPU_FF_PGM_SYNC_CR3
-                                                         | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
-                                                         | VMCPU_FF_TLB_FLUSH
-                                                         | VMCPU_FF_UNHALT ),
-                                   true /*fSetFlags*/);
-    /* If we end up with ZERO in idxTmpReg there is nothing to do.*/
-    uint32_t const offFixupJumpToVmCheck1 = off;
-    off = iemNativeEmitJzToFixed(pReNative, off, off /* ASSUME jz rel8 suffices */);
-
-    /* Some relevant FFs are set, but if's only APIC or/and PIC being set,
-       these may be supressed by EFLAGS.IF or CPUMIsInInterruptShadow. */
-    off = iemNativeEmitAndGprByImm(pReNative, off, idxTmpReg,
-                                   ~(VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC), true /*fSetFlags*/);
-    /* Return VINF_IEM_REEXEC_BREAK if other FFs are set. */
-    off = iemNativeEmitJnzTbExit(pReNative, off, kIemNativeLabelType_ReturnBreakFF);
-
-    /* So, it's only interrupt releated FFs and we need to see if IRQs are being
-       suppressed by the CPU or not. */
-    off = iemNativeEmitTestBitInGprAndJmpToLabelIfNotSet(pReNative, off, idxEflReg, X86_EFL_IF_BIT, idxLabelVmCheck);
-    off = iemNativeEmitTestAnyBitsInGprAndTbExitIfNoneSet(pReNative, off, idxEflReg, CPUMCTX_INHIBIT_SHADOW,
-                                                          kIemNativeLabelType_ReturnBreakFF);
-
-    /* We've got shadow flags set, so we must check that the PC they are valid
-       for matches our current PC value. */
-    /** @todo AMD64 can do this more efficiently w/o loading uRipInhibitInt into
-     *        a register. */
-    off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxTmpReg, RT_UOFFSETOF(VMCPUCC, cpum.GstCtx.uRipInhibitInt));
-    off = iemNativeEmitTestIfGprNotEqualGprAndTbExit(pReNative, off, idxTmpReg, idxPcReg,
-                                                     kIemNativeLabelType_ReturnBreakFF);
-
-    /*
-     * Now check the force flags of the VM.
-     */
-    iemNativeLabelDefine(pReNative, idxLabelVmCheck, off);
-    iemNativeFixupFixedJump(pReNative, offFixupJumpToVmCheck1, off);
-    off = iemNativeEmitLoadGprFromVCpuU64(pReNative, off, idxTmpReg, RT_UOFFSETOF(VMCPUCC, CTX_SUFF(pVM))); /* idxTmpReg = pVM */
-    off = iemNativeEmitLoadGprByGprU32(pReNative, off, idxTmpReg, idxTmpReg, RT_UOFFSETOF(VMCC, fGlobalForcedActions));
-    off = iemNativeEmitAndGpr32ByImm(pReNative, off, idxTmpReg, VM_FF_ALL_MASK, true /*fSetFlags*/);
-    off = iemNativeEmitJnzTbExit(pReNative, off, kIemNativeLabelType_ReturnBreakFF);
-
-    /** @todo STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckIrqBreaks); */
-
-    /*
-     * We're good, no IRQs or FFs pending.
-     */
-    iemNativeRegFreeTmp(pReNative, idxTmpReg);
-    iemNativeRegFreeTmp(pReNative, idxEflReg);
-    iemNativeRegFreeTmp(pReNative, idxPcReg);
-
-    /*
-     * Note down that we've been here, so we can skip FFs + IRQ checks when
-     * doing direct linking.
-     */
+    off = iemNativeRecompFunc_BltIn_CheckTimersAndIrqsCommon<false, true>(pReNative, off);
+
+    /* Note down that we've been here, so we can skip FFs + IRQ checks when
+       doing direct linking. */
 #ifdef IEMNATIVE_WITH_LIVENESS_ANALYSIS
     pReNative->idxLastCheckIrqCallNo = pReNative->idxCurCall;
+    RT_NOREF(pCallEntry);
 #else
     pReNative->idxLastCheckIrqCallNo = pCallEntry - pReNative->pTbOrg->Thrd.paCalls;
@@ -303 +390 @@
 
 IEM_DECL_IEMNATIVELIVENESSFUNC_DEF(iemNativeLivenessFunc_BltIn_CheckIrq)
+{
+    IEM_LIVENESS_RAW_INIT_WITH_XCPT_OR_CALL(pOutgoing, pIncoming);
+    IEM_LIVENESS_RAW_EFLAGS_ONE_INPUT(pOutgoing, fEflOther);
+    RT_NOREF(pCallEntry);
+}
+
+
+/**
+ * Built-in function that works the cIrqChecksTillNextPoll counter on direct TB
+ * linking, like loop-jumps.
+ */
+IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_CheckTimers)
+{
+    BODY_FLUSH_PENDING_WRITES();
+    RT_NOREF(pCallEntry);
+    return iemNativeRecompFunc_BltIn_CheckTimersAndIrqsCommon<true, false>(pReNative, off);
+}
+
+IEM_DECL_IEMNATIVELIVENESSFUNC_DEF(iemNativeLivenessFunc_BltIn_CheckTimers)
+{
+    IEM_LIVENESS_RAW_INIT_WITH_XCPT_OR_CALL(pOutgoing, pIncoming);
+    RT_NOREF(pCallEntry);
+}
+
+
+/**
+ * Combined BltIn_CheckTimers + BltIn_CheckIrq for direct linking.
+ */
+IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_CheckTimersAndIrq)
+{
+    BODY_FLUSH_PENDING_WRITES();
+    RT_NOREF(pCallEntry);
+    return iemNativeRecompFunc_BltIn_CheckTimersAndIrqsCommon<true, true>(pReNative, off);
+}
+
+IEM_DECL_IEMNATIVELIVENESSFUNC_DEF(iemNativeLivenessFunc_BltIn_CheckTimersAndIrq)
 {
     IEM_LIVENESS_RAW_INIT_WITH_XCPT_OR_CALL(pOutgoing, pIncoming);
@@ -2293 +2416 @@
 #endif
 
+
+/**
+ * Built-in function for jumping in the call sequence.
+ */
+IEM_DECL_IEMNATIVERECOMPFUNC_DEF(iemNativeRecompFunc_BltIn_Jump)
+{
+    PCIEMTB const  pTb         = pReNative->pTbOrg;
+    Assert(pCallEntry->auParams[1] == 0 && pCallEntry->auParams[2] == 0);
+    Assert(pCallEntry->auParams[0] < pTb->Thrd.cCalls);
+#if 1
+    RT_NOREF(pCallEntry, pTb);
+
+# ifdef VBOX_WITH_STATISTICS
+    /* Increment StatNativeTbExitLoopFullTb. */
+    uint32_t const offStat = RT_UOFFSETOF(VMCPU, iem.s.StatNativeTbExitLoopFullTb);
+#  ifdef RT_ARCH_AMD64
+    off = iemNativeEmitIncStamCounterInVCpu(pReNative, off, UINT8_MAX, UINT8_MAX, offStat);
+#  else
+    uint8_t const idxStatsTmp1 = iemNativeRegAllocTmp(pReNative, &off);
+    uint8_t const idxStatsTmp2 = iemNativeRegAllocTmp(pReNative, &off);
+    off = iemNativeEmitIncStamCounterInVCpu(pReNative, off, idxStatsTmp1, idxStatsTmp2, offStat);
+    iemNativeRegFreeTmp(pReNative, idxStatsTmp1);
+    iemNativeRegFreeTmp(pReNative, idxStatsTmp2);
+#  endif
+# endif
+# ifdef IEMNATIVE_WITH_INSTRUCTION_COUNTING
+    /** @todo
+    off = iemNativeEmitAddU32CounterInVCpuEx(pReNative, off, pTb->cInstructions, RT_UOFFSETOF(VMCPUCC, iem.s.cInstructions));
+    */
+# endif
+
+    /* Jump to the start of the TB. */
+    uint32_t idxLabel = iemNativeLabelFind(pReNative, kIemNativeLabelType_LoopJumpTarget);
+    AssertStmt(idxLabel < pReNative->cLabels, IEMNATIVE_DO_LONGJMP(pReNative, VERR_IEM_LABEL_IPE_6)); /** @todo better status */
+    return iemNativeEmitJmpToLabel(pReNative, off, idxLabel);
+#else
+    RT_NOREF(pReNative, pCallEntry, pTb);
+    return off;
+#endif
+}
+
+IEM_DECL_IEMNATIVELIVENESSFUNC_DEF(iemNativeLivenessFunc_BltIn_Jump)
+{
+    IEM_LIVENESS_RAW_INIT_WITH_XCPT_OR_CALL(pOutgoing, pIncoming);
+    RT_NOREF(pCallEntry);
+}
+

trunk/src/VBox/VMM/VMMAll/IEMAllN8veRecompiler.cpp

@@ -2093 +2093 @@
     pReNative->Core.u64ArgVars             = UINT64_MAX;
 
-    AssertCompile(RT_ELEMENTS(pReNative->aidxUniqueLabels) == 22);
+    AssertCompile(RT_ELEMENTS(pReNative->aidxUniqueLabels) == 23);
     pReNative->aidxUniqueLabels[0]         = UINT32_MAX;
     pReNative->aidxUniqueLabels[1]         = UINT32_MAX;
@@ -2116 +2116 @@
     pReNative->aidxUniqueLabels[20]        = UINT32_MAX;
     pReNative->aidxUniqueLabels[21]        = UINT32_MAX;
+    pReNative->aidxUniqueLabels[22]        = UINT32_MAX;
 
     pReNative->idxLastCheckIrqCallNo       = UINT32_MAX;
@@ -2313 +2314 @@
     Assert(uData == 0 || enmType >= kIemNativeLabelType_FirstWithMultipleInstances);
 #if defined(IEMNATIVE_WITH_RECOMPILER_PER_CHUNK_TAIL_CODE) && defined(RT_ARCH_AMD64)
-    Assert(enmType >= kIemNativeLabelType_FirstWithMultipleInstances);
+    Assert(enmType >= kIemNativeLabelType_LoopJumpTarget);
 #endif
 
@@ -2421 +2422 @@
 
 
-#if !defined(IEMNATIVE_WITH_RECOMPILER_PER_CHUNK_TAIL_CODE) || !defined(RT_ARCH_AMD64)
 /**
  * Looks up a lable.
@@ -2427 +2427 @@
  * @returns Label ID if found, UINT32_MAX if not.
  */
-static uint32_t iemNativeLabelFind(PIEMRECOMPILERSTATE pReNative, IEMNATIVELABELTYPE enmType,
-                                   uint32_t offWhere = UINT32_MAX, uint16_t uData = 0) RT_NOEXCEPT
+DECLHIDDEN(uint32_t) iemNativeLabelFind(PIEMRECOMPILERSTATE pReNative, IEMNATIVELABELTYPE enmType,
+                                        uint32_t offWhere /*= UINT32_MAX*/, uint16_t uData /*= 0*/) RT_NOEXCEPT
 {
     Assert((unsigned)enmType < 64);
@@ -2448 +2448 @@
     return UINT32_MAX;
 }
-#endif
 
 
@@ -8948 +8947 @@
 #undef STR_CASE_CMN
 #define STR_CASE_LBL(a_Label) case kIemNativeLabelType_ ## a_Label: return #a_Label;
+        STR_CASE_LBL(LoopJumpTarget);
         STR_CASE_LBL(If);
         STR_CASE_LBL(Else);
@@ -9929 +9929 @@
         uint32_t             cRecompiledCalls = 0;
 #endif
-#if defined(IEMNATIVE_WITH_LIVENESS_ANALYSIS) || defined(VBOX_STRICT) || defined(LOG_ENABLED)
+#if defined(IEMNATIVE_WITH_LIVENESS_ANALYSIS) || defined(IEM_WITH_INTRA_TB_JUMPS) || defined(VBOX_STRICT) || defined(LOG_ENABLED)
         uint32_t             idxCurCall       = 0;
 #endif
@@ -9939 +9939 @@
 #ifdef IEMNATIVE_WITH_LIVENESS_ANALYSIS
             pReNative->idxCurCall                 = idxCurCall;
+#endif
+
+#ifdef IEM_WITH_INTRA_TB_JUMPS
+            /*
+             * Define label for jump targets (currently only the first entry).
+             */
+            if (!(pCallEntry->fFlags & IEMTHREADEDCALLENTRY_F_JUMP_TARGET))
+            { /* likely */ }
+            else
+            {
+                iemNativeLabelCreate(pReNative, kIemNativeLabelType_LoopJumpTarget, off);
+                Assert(idxCurCall == 0); /** @todo when jumping elsewhere, we have to save the register state. */
+            }
 #endif
 
@@ -10038 +10051 @@
              */
             pCallEntry++;
-#if defined(IEMNATIVE_WITH_LIVENESS_ANALYSIS) || defined(VBOX_STRICT) || defined(LOG_ENABLED)
+#if defined(IEMNATIVE_WITH_LIVENESS_ANALYSIS) || defined(IEM_WITH_INTRA_TB_JUMPS) || defined(VBOX_STRICT) || defined(LOG_ENABLED)
             idxCurCall++;
 #endif

trunk/src/VBox/VMM/VMMAll/IEMAllThrdFuncsBltIn.cpp

@@ -145 +145 @@
 
 /**
+ * Worker for iemThreadedFunc_BltIn_CheckIrq and
+ * iemThreadedFunc_BltIn_CheckTimersAndIrqs that checks for pending FFs
+ * and IRQs, and if it's only the latter whether we can dispatch them now.
+ */
+DECL_FORCE_INLINE(int) iemThreadedFunc_BltIn_CheckIrqCommon(PVMCPUCC pVCpu)
+{
+    /* Get and mask the per-CPU FFs.*/
+    uint64_t const fCpuRaw = pVCpu->fLocalForcedActions;
+    uint64_t       fFlags  = fCpuRaw & (VMCPU_FF_ALL_MASK & ~(  VMCPU_FF_PGM_SYNC_CR3
+                                                              | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
+                                                              | VMCPU_FF_TLB_FLUSH
+                                                              | VMCPU_FF_UNHALT ));
+
+    /* OR in VM-wide FFs and check them together. */
+    uint32_t const fVmRaw = pVCpu->CTX_SUFF(pVM)->fGlobalForcedActions;
+    fFlags |= fVmRaw;
+    if (RT_LIKELY(!fFlags))
+        return VINF_SUCCESS;
+
+    /* Since the VMCPU_FF_INTERUPT_XXX flags was once upon a time in fVm and
+       we haven't reused the bits yet, we can still reliably check whether
+       we're only here for reasons of pending interrupts and whether these
+       are supressed by EFLAGS.IF=0 or interrupt shadowing. */
+    Assert(!(fVmRaw & (VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC)));
+    AssertCompile((VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC) == 3);
+    if (   fFlags <= (VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC)
+        && (   !pVCpu->cpum.GstCtx.rflags.Bits.u1IF
+            || CPUMIsInInterruptShadow(&pVCpu->cpum.GstCtx)))
+        return VINF_SUCCESS;
+
+    Log(("%04x:%08RX32: Pending IRQ and/or FF: fCpu=%#RX64 fVm=%#RX32 IF=%d\n",
+         pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.eip, fCpuRaw, fVmRaw, pVCpu->cpum.GstCtx.rflags.Bits.u1IF));
+    STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckIrqBreaks);
+    return VINF_IEM_REEXEC_BREAK;
+}
+
+
+/**
  * Built-in function that checks for pending interrupts that can be delivered or
  * forced action flags.
@@ -152 +190 @@
  * a non-zero status that stops TB execution.
  */
+/** @todo add VMX / SVM variants of this. */
 IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_CheckIrq)
 {
     RT_NOREF(uParam0, uParam1, uParam2);
-
-    /*
-     * Check for IRQs and other FFs that needs servicing.
-     */
-    uint64_t fCpu = pVCpu->fLocalForcedActions;
-    fCpu &= VMCPU_FF_ALL_MASK & ~(  VMCPU_FF_PGM_SYNC_CR3
-                                  | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
-                                  | VMCPU_FF_TLB_FLUSH
-                                  | VMCPU_FF_UNHALT );
-    /** @todo this isn't even close to the NMI and interrupt conditions in EM! */
-    if (RT_LIKELY(   (   !fCpu
-                      || (   !(fCpu & ~(VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC))
-                          && (   !pVCpu->cpum.GstCtx.rflags.Bits.u1IF
-                              || CPUMIsInInterruptShadow(&pVCpu->cpum.GstCtx)) ) )
-                  && !VM_FF_IS_ANY_SET(pVCpu->CTX_SUFF(pVM), VM_FF_ALL_MASK) ))
+    return iemThreadedFunc_BltIn_CheckIrqCommon(pVCpu);
+}
+
+
+/**
+ * Built-in function that works the cIrqChecksTillNextPoll counter on direct TB
+ * linking, like loop-jumps.
+ */
+IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_CheckTimers)
+{
+    if (RT_LIKELY(--pVCpu->iem.s.cIrqChecksTillNextPoll > 0))
         return VINF_SUCCESS;
 
-    Log(("%04x:%08RX32: Pending IRQ and/or FF: fCpu=%#RX64 fVm=%#RX32 IF=%d\n",
-         pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.eip, fCpu,
-         pVCpu->CTX_SUFF(pVM)->fGlobalForcedActions & VM_FF_ALL_MASK, pVCpu->cpum.GstCtx.rflags.Bits.u1IF));
-    STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckIrqBreaks);
+    Log(("%04x:%08RX32: Check timers\n", pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.eip));
+    STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckTimersBreaks);
+    RT_NOREF(uParam0, uParam1, uParam2);
+    return VINF_IEM_REEXEC_BREAK;
+}
+
+
+/**
+ * Combined BltIn_CheckTimers + BltIn_CheckIrq for direct linking.
+ */
+IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_CheckTimersAndIrq)
+{
+    if (RT_LIKELY(--pVCpu->iem.s.cIrqChecksTillNextPoll > 0))
+        return iemThreadedFunc_BltIn_CheckIrqCommon(pVCpu);
+
+    Log(("%04x:%08RX32: Check timers\n", pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.eip));
+    STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatCheckTimersBreaks);
+    RT_NOREF(uParam0, uParam1, uParam2);
     return VINF_IEM_REEXEC_BREAK;
 }
@@ -829 +878 @@
 }
 
+
+/**
+ * Built-in function for jumping in the call sequence.
+ */
+IEM_DECL_IEMTHREADEDFUNC_DEF(iemThreadedFunc_BltIn_Jump)
+{
+    Assert(uParam1 == 0 && uParam2 == 0);
+    RT_NOREF(pVCpu, uParam0, uParam1, uParam2);
+    return VINF_IEM_REEXEC_JUMP;
+}
+

trunk/src/VBox/VMM/VMMAll/IEMAllThrdPython.py

@@ -2831 +2831 @@
         ( 'DeferToCImpl0',                                      2, True  ),
         ( 'CheckIrq',                                           0, True  ),
+        ( 'CheckTimers',                                        0, True  ),
+        ( 'CheckTimersAndIrq',                                  0, True  ),
         ( 'CheckMode',                                          1, True  ),
         ( 'CheckHwInstrBps',                                    0, False ),
@@ -2858 +2860 @@
         ( 'CheckOpcodesOnNewPageLoadingTlb',                    2, True  ),
         ( 'CheckOpcodesOnNewPageLoadingTlbConsiderCsLim',       2, True  ),
+
+        ( 'Jump',                                               1, True  ),
     );
 

trunk/src/VBox/VMM/VMMAll/IEMAllThrdRecompiler.cpp

@@ -1941 +1941 @@
         pVCpu->iem.s.fTbCrossedPage         = false;
         pVCpu->iem.s.cInstrTillIrqCheck     = !(fExtraFlags & IEMTB_F_INHIBIT_SHADOW) ? 32 : 0;
+        pVCpu->iem.s.idxLastCheckIrqCallNo  = UINT16_MAX;
         pVCpu->iem.s.fTbCurInstrIsSti       = false;
         /* Force RF clearing and TF checking on first instruction in the block
@@ -2060 +2061 @@
     pCall->offOpcode   = 0;
     pCall->uTbLookup   = 0;
-    pCall->uUnused0    = 0;
+    pCall->fFlags      = 0;
     pCall->auParams[0] = 0;
     pCall->auParams[1] = 0;
@@ -2086 +2087 @@
     pCall->offOpcode   = 0;
     pCall->uTbLookup   = 0;
-    pCall->uUnused0    = 0;
+    pCall->fFlags      = 0;
     pCall->auParams[0] = RT_MAKE_U16(pCall->idxInstr, idxCall); /* currently not used, but whatever */
     pCall->auParams[1] = 0;
@@ -2119 +2120 @@
 
 
+#ifdef IEM_WITH_INTRA_TB_JUMPS
+/**
+ * Emits the necessary tail calls for a full TB loop-jump.
+ */
+static bool iemThreadedCompileFullTbJump(PVMCPUCC pVCpu, PIEMTB pTb)
+{
+    /*
+     * We need a timer and maybe IRQ check before jumping, so make sure
+     * we've got sufficient call entries left before emitting anything.
+     */
+    uint32_t idxCall = pTb->Thrd.cCalls;
+    if (idxCall + 1U <= pTb->Thrd.cAllocated)
+    {
+        /*
+         * We're good, emit the calls.
+         */
+        PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[idxCall];
+        pTb->Thrd.cCalls = (uint16_t)(idxCall + 2);
+
+        /* Always check timers as we risk getting stuck in a loop otherwise.  We
+           combine it with an IRQ check if that's not performed in the TB already. */
+        pCall->enmFunction = pVCpu->iem.s.idxLastCheckIrqCallNo < idxCall
+                           ? kIemThreadedFunc_BltIn_CheckTimers
+                           : kIemThreadedFunc_BltIn_CheckTimersAndIrq;
+        pCall->idxInstr    = 0;
+        pCall->offOpcode   = 0;
+        pCall->cbOpcode    = 0;
+        pCall->uTbLookup   = 0;
+        pCall->fFlags      = 0;
+        pCall->auParams[0] = 0;
+        pCall->auParams[1] = 0;
+        pCall->auParams[2] = 0;
+        pCall++;
+
+        /* The jump callentry[0]. */
+        pCall->enmFunction = kIemThreadedFunc_BltIn_Jump;
+        pCall->idxInstr    = 0;
+        pCall->offOpcode   = 0;
+        pCall->cbOpcode    = 0;
+        pCall->uTbLookup   = 0;
+        pCall->fFlags      = 0;
+        pCall->auParams[0] = 0; /* jump target is call zero */
+        pCall->auParams[1] = 0;
+        pCall->auParams[2] = 0;
+
+        /* Mark callentry #0 as a jump target. */
+        pTb->Thrd.paCalls[0].fFlags |= IEMTHREADEDCALLENTRY_F_JUMP_TARGET;
+    }
+
+    return false;
+}
+#endif /* IEM_WITH_INTRA_TB_JUMPS */
+
+
 /**
  * Called by IEM_MC2_BEGIN_EMIT_CALLS() under one of these conditions:
@@ -2178 +2233 @@
     pCall->offOpcode   = offOpcode;
     pCall->uTbLookup   = 0;
-    pCall->uUnused0    = 0;
+    pCall->fFlags      = 0;
     pCall->auParams[0] = (uint32_t)cbInstr
                        | (uint32_t)(pVCpu->iem.s.fExec << 8) /* liveness: Enough of fExec for IEM_F_MODE_X86_IS_FLAT. */
@@ -2289 +2344 @@
                         {
                             Log8(("%04x:%08RX64: loop detected after branch\n", pVCpu->cpum.GstCtx.cs.Sel, pVCpu->cpum.GstCtx.rip));
-                            STAM_COUNTER_INC(&pVCpu->iem.s.StatTbLoopInTbDetected);
+#ifdef IEM_WITH_INTRA_TB_JUMPS
+                            /* If we're looping back to the start of the TB and the mode is still the same,
+                               we could emit a jump optimization.  For now we don't do page transitions
+                               as that implies TLB loading and such. */
+                            if (   idxLoopRange == 0
+                                && offPhysPc == pTb->aRanges[0].offPhysPage
+                                &&    (pVCpu->iem.s.fExec & IEMTB_F_IEM_F_MASK & IEMTB_F_KEY_MASK)
+                                   == (pTb->fFlags        & IEMTB_F_KEY_MASK   & ~IEMTB_F_CS_LIM_CHECKS)
+                                &&    (pVCpu->iem.s.fTbBranched & (  IEMBRANCHED_F_INDIRECT | IEMBRANCHED_F_FAR
+                                                                   | IEMBRANCHED_F_STACK | IEMBRANCHED_F_RELATIVE))
+                                   == IEMBRANCHED_F_RELATIVE)
+                            {
+                                STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatTbLoopFullTbDetected);
+                                return iemThreadedCompileFullTbJump(pVCpu, pTb);
+                            }
+#endif
+                            STAM_REL_COUNTER_INC(&pVCpu->iem.s.StatTbLoopInTbDetected);
                             return false;
                         }
@@ -2565 +2636 @@
     pCall->offOpcode   = 0;
     pCall->uTbLookup   = 0;
-    pCall->uUnused0    = 0;
+    pCall->fFlags      = 0;
     pCall->auParams[0] = pVCpu->iem.s.fExec;
     pCall->auParams[1] = 0;
@@ -2597 +2668 @@
         /* Emit the call. */
         AssertReturn(idxCall < pTb->Thrd.cAllocated, false);
+        pVCpu->iem.s.idxLastCheckIrqCallNo = (uint16_t)idxCall;
+        pTb->Thrd.cCalls                   = (uint16_t)(idxCall + 1);
         PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[idxCall];
-        pTb->Thrd.cCalls = (uint16_t)(idxCall + 1);
         pCall->enmFunction = kIemThreadedFunc_BltIn_CheckIrq;
         pCall->idxInstr    = pTb->cInstructions;
@@ -2604 +2676 @@
         pCall->cbOpcode    = 0;
         pCall->uTbLookup   = 0;
-        pCall->uUnused0    = 0;
+        pCall->fFlags      = 0;
         pCall->auParams[0] = 0;
         pCall->auParams[1] = 0;
@@ -2651 +2723 @@
      * Emit the call.
      */
-    AssertReturn(pTb->Thrd.cCalls < pTb->Thrd.cAllocated, false);
-    PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[pTb->Thrd.cCalls++];
+    uint32_t const idxCall = pTb->Thrd.cCalls;
+    AssertReturn(idxCall < pTb->Thrd.cAllocated, false);
+    pVCpu->iem.s.idxLastCheckIrqCallNo = (uint16_t)idxCall;
+    pTb->Thrd.cCalls                   = (uint16_t)(idxCall + 1);
+    PIEMTHRDEDCALLENTRY pCall = &pTb->Thrd.paCalls[idxCall];
     pCall->enmFunction = kIemThreadedFunc_BltIn_CheckIrq;
     pCall->idxInstr    = pTb->cInstructions;
@@ -2658 +2733 @@
     pCall->cbOpcode    = 0;
     pCall->uTbLookup   = 0;
-    pCall->uUnused0    = 0;
+    pCall->fFlags      = 0;
     pCall->auParams[0] = 0;
     pCall->auParams[1] = 0;
@@ -2844 +2919 @@
 *   Recompiled Execution Core                                                                                                    *
 *********************************************************************************************************************************/
+
+/**
+ * Helper for polling timers.
+ */
+DECLHIDDEN(int) iemPollTimers(PVMCC pVM, PVMCPUCC pVCpu) RT_NOEXCEPT
+{
+    /*
+     * Do the polling and calculate the time since the last time.
+     */
+    uint64_t       nsNow        = 0;
+    bool const     fExpired     = TMTimerPollBoolWithNanoTS(pVM, pVCpu, &nsNow);
+    uint64_t const cNsSinceLast = nsNow - pVCpu->iem.s.nsRecompilerPollNow;
+
+    /* Store the new timstamps.  */
+    pVCpu->iem.s.nsRecompilerPollNow = nsNow;
+    pVCpu->iem.s.msRecompilerPollNow = (uint32_t)(nsNow / RT_NS_1MS);
+
+    /*
+     * Set the next polling count down value.
+     *
+     * We take the previous value and adjust it according to the cNsSinceLast
+     * value, if it's not within reason.   This can't be too accurate since the
+     * CheckIrq and intra-TB-checks aren't evenly spaced, they depends highly
+     * on the guest code.
+     */
+/** @todo can we make this even more adaptive based on current timer config as well? */
+    uint32_t       cIrqChecksTillNextPoll = pVCpu->iem.s.cIrqChecksTillNextPollPrev;
+    uint32_t const cNsIdealPollInterval   = pVCpu->iem.s.cNsIdealPollInterval;
+    int64_t const  nsFromIdeal            = cNsSinceLast - cNsIdealPollInterval;
+    if (nsFromIdeal < 0)
+    {
+        if ((uint64_t)-nsFromIdeal > cNsIdealPollInterval / 8 && cIrqChecksTillNextPoll < _64K)
+        {
+            cIrqChecksTillNextPoll += cIrqChecksTillNextPoll / 8;
+            pVCpu->iem.s.cIrqChecksTillNextPollPrev = cIrqChecksTillNextPoll;
+        }
+    }
+    else
+    {
+        if ((uint64_t)nsFromIdeal > cNsIdealPollInterval / 8 && cIrqChecksTillNextPoll > 256)
+        {
+            cIrqChecksTillNextPoll -= cIrqChecksTillNextPoll / 8;
+            pVCpu->iem.s.cIrqChecksTillNextPollPrev = cIrqChecksTillNextPoll;
+        }
+    }
+    pVCpu->iem.s.cIrqChecksTillNextPoll = cIrqChecksTillNextPoll;
+
+    /*
+     * Repeat the IRQ and FF checks.
+     */
+    if (!fExpired)
+    {
+        uint32_t fCpu = pVCpu->fLocalForcedActions;
+        fCpu &= VMCPU_FF_ALL_MASK & ~(  VMCPU_FF_PGM_SYNC_CR3
+                                      | VMCPU_FF_PGM_SYNC_CR3_NON_GLOBAL
+                                      | VMCPU_FF_TLB_FLUSH
+                                      | VMCPU_FF_UNHALT );
+        if (RT_LIKELY(   (   !fCpu
+                          || (   !(fCpu & ~(VMCPU_FF_INTERRUPT_APIC | VMCPU_FF_INTERRUPT_PIC))
+                              && (   !pVCpu->cpum.GstCtx.rflags.Bits.u1IF
+                                  || CPUMIsInInterruptShadow(&pVCpu->cpum.GstCtx)) ) )
+                      && !VM_FF_IS_ANY_SET(pVCpu->CTX_SUFF(pVM), VM_FF_ALL_MASK) ))
+            return VINF_SUCCESS;
+    }
+    return VINF_IEM_REEXEC_BREAK_FF;
+}
+
 
 /** Helper for iemTbExec. */
@@ -2988 +3130 @@
                           && pVCpu->iem.s.rcPassUp == VINF_SUCCESS /** @todo this isn't great. */))
                 pCallEntry++;
+            else if (rcStrict == VINF_IEM_REEXEC_JUMP)
+            {
+                Assert(pVCpu->iem.s.rcPassUp == VINF_SUCCESS);
+                Assert(cCallsLeft == 0);
+                uint32_t const idxTarget = (uint32_t)pCallEntry->auParams[0];
+                cCallsLeft = pTb->Thrd.cCalls;
+                AssertBreak(idxTarget < cCallsLeft - 1);
+                cCallsLeft -= idxTarget;
+                pCallEntry  = &pTb->Thrd.paCalls[idxTarget];
+                AssertBreak(pCallEntry->fFlags & IEMTHREADEDCALLENTRY_F_JUMP_TARGET);
+            }
             else
             {
@@ -3045 +3198 @@
      */
     uint64_t uPc = pVCpu->cpum.GstCtx.rip;
+#if 0 /* unused */
     pVCpu->iem.s.uCurTbStartPc = uPc;
+#endif
     Assert(pVCpu->cpum.GstCtx.cs.u64Base == 0 || !IEM_IS_64BIT_CODE(pVCpu));
     uPc += pVCpu->cpum.GstCtx.cs.u64Base;
@@ -3154 +3309 @@
         IEM_TRY_SETJMP(pVCpu, rcStrict)
         {
-            uint32_t const cPollRate = 511; /* EM.cpp passes 4095 to IEMExecLots, so an eigth of that seems reasonable for now. */
-            for (uint32_t iIterations = 0; ; iIterations++)
+            for (;;)
             {
                 /* Translate PC to physical address, we'll need this for both lookup and compilation. */
@@ -3177 +3331 @@
                         return rcStrict;
 #endif
-                    rcStrict = IEMExecLots(pVCpu, 2048, cPollRate, NULL);
+                    rcStrict = IEMExecLots(pVCpu, 2048, 511, NULL);
                 }
                 if (rcStrict == VINF_SUCCESS)
@@ -3183 +3337 @@
                     Assert(pVCpu->iem.s.cActiveMappings == 0);
 
+                    /* Note! This IRQ/FF check is repeated in iemPollTimers, iemThreadedFunc_BltIn_CheckIrq
+                             and emitted by iemNativeRecompFunc_BltIn_CheckIrq. */
                     uint64_t fCpu = pVCpu->fLocalForcedActions;
                     fCpu &= VMCPU_FF_ALL_MASK & ~(  VMCPU_FF_PGM_SYNC_CR3
@@ -3195 +3351 @@
                                   && !VM_FF_IS_ANY_SET(pVM, VM_FF_ALL_MASK) ))
                     {
-                        if (RT_LIKELY(   (iIterations & cPollRate) != 0
-                                      || !TMTimerPollBoolWith32BitMilliTS(pVM, pVCpu, &pVCpu->iem.s.msRecompilerPollNow)))
+                        /* Once in a while we need to poll timers here. */
+                        if ((int32_t)--pVCpu->iem.s.cIrqChecksTillNextPoll > 0)
                         { /* likely */ }
                         else
-                            return VINF_SUCCESS;
+                        {
+                            int rc = iemPollTimers(pVM, pVCpu);
+                            if (rc != VINF_SUCCESS)
+                                return VINF_SUCCESS;
+                        }
                     }
                     else

trunk/src/VBox/VMM/VMMAll/IEMAllThrdTables.h

@@ -234 +234 @@
         pCall->offOpcode   = offOpcodeMc2; \
         pCall->uTbLookup   = 0; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = 0; \
         pCall->auParams[1] = 0; \
@@ -250 +250 @@
         pCall->offOpcode   = offOpcodeMc2; \
         pCall->uTbLookup   = 0; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = 0; \
@@ -267 +267 @@
         pCall->offOpcode   = offOpcodeMc2; \
         pCall->uTbLookup   = 0; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = a_uArg1; \
@@ -285 +285 @@
         pCall->cbOpcode    = cbInstrMc2; \
         pCall->uTbLookup   = 0; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = a_uArg1; \
@@ -302 +302 @@
         pCall->uTbLookup   = IEM_TB_LOOKUP_TAB_MAKE(pTb->cTbLookupEntries, a_fLargeTbLookup); \
         pTb->cTbLookupEntries += !(a_fLargeTbLookup) ? 1 : IEM_TB_LOOKUP_TAB_LARGE_SIZE; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = 0; \
         pCall->auParams[1] = 0; \
@@ -319 +319 @@
         pCall->uTbLookup   = IEM_TB_LOOKUP_TAB_MAKE(pTb->cTbLookupEntries, a_fLargeTbLookup); \
         pTb->cTbLookupEntries += !(a_fLargeTbLookup) ? 1 : IEM_TB_LOOKUP_TAB_LARGE_SIZE; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = 0; \
@@ -337 +337 @@
         pCall->uTbLookup   = IEM_TB_LOOKUP_TAB_MAKE(pTb->cTbLookupEntries, a_fLargeTbLookup); \
         pTb->cTbLookupEntries += !(a_fLargeTbLookup) ? 1 : IEM_TB_LOOKUP_TAB_LARGE_SIZE; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = a_uArg1; \
@@ -356 +356 @@
         pCall->uTbLookup   = IEM_TB_LOOKUP_TAB_MAKE(pTb->cTbLookupEntries, a_fLargeTbLookup); \
         pTb->cTbLookupEntries += !(a_fLargeTbLookup) ? 1 : IEM_TB_LOOKUP_TAB_LARGE_SIZE; \
-        pCall->uUnused0    = 0; \
+        pCall->fFlags      = 0; \
         pCall->auParams[0] = a_uArg0; \
         pCall->auParams[1] = a_uArg1; \

trunk/src/VBox/VMM/VMMAll/TMAll.cpp

@@ -1136 +1136 @@
  * @thread  The emulation thread.
  */
-VMMDECL(bool) TMTimerPollBoolWith32BitMilliTS(PVMCC pVM, PVMCPUCC pVCpu, uint32_t *pmsNow)
+VMM_INT_DECL(bool) TMTimerPollBoolWith32BitMilliTS(PVMCC pVM, PVMCPUCC pVCpu, uint32_t *pmsNow)
 {
     AssertCompile(TMCLOCK_FREQ_VIRTUAL == 1000000000);
@@ -1143 +1143 @@
     tmTimerPollInternal(pVM, pVCpu, &off, &u64Now);
     *pmsNow = (uint32_t)(u64Now / RT_NS_1MS);
+    return off == 0;
+}
+
+
+/**
+ * Set FF if we've passed the next virtual event and return virtual time as MS.
+ *
+ * This function is called before FFs are checked in the inner execution EM loops.
+ *
+ * This is used by the IEM recompiler for polling timers while also providing a
+ * free time source for recent use tracking and such.
+ *
+ * @returns true if timers are pending, false if not.
+ *
+ * @param   pVM         The cross context VM structure.
+ * @param   pVCpu       The cross context virtual CPU structure of the calling EMT.
+ * @param   pnsNow      Where to return the current virtual time in nanoseconds.
+ * @thread  The emulation thread.
+ */
+VMM_INT_DECL(bool) TMTimerPollBoolWithNanoTS(PVMCC pVM, PVMCPUCC pVCpu, uint64_t *pnsNow)
+{
+    AssertCompile(TMCLOCK_FREQ_VIRTUAL == 1000000000);
+    uint64_t off = 0;
+    tmTimerPollInternal(pVM, pVCpu, &off, pnsNow);
     return off == 0;
 }

trunk/src/VBox/VMM/VMMR3/IEMR3.cpp

@@ -224 +224 @@
         pVCpu->iem.s.DataTlb.NonGlobalLargePageRange.uFirstTag = UINT64_MAX;
         pVCpu->iem.s.DataTlb.GlobalLargePageRange.uFirstTag    = UINT64_MAX;
+#endif
+
+#ifndef VBOX_VMM_TARGET_ARMV8
+        /* Poll timers every 400 us / 2500 Hz. (source: thin air) */
+        pVCpu->iem.s.cNsIdealPollInterval       = 400U * RT_NS_1US;
+        pVCpu->iem.s.cIrqChecksTillNextPoll     = 128;
+        pVCpu->iem.s.cIrqChecksTillNextPollPrev = 128;
 #endif
 
@@ -595 +602 @@
                         "Times threaded TB execution was interrupted/broken off on a call without lookup entries", "/IEM/CPU%u/re/cTbExecThreadedBreaksWithoutLookup", idCpu);
 # endif
+
+        STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.cIrqChecksTillNextPollPrev, STAMTYPE_U32, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
+                        "Timer polling interval",                       "/IEM/CPU%u/re/cIrqChecksTillNextPollPrev", idCpu);
 
         PIEMTBALLOCATOR const pTbAllocator = pVCpu->iem.s.pTbAllocatorR3;
@@ -648 +658 @@
         STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatCheckIrqBreaks,  STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
                         "TB breaks by CheckIrq",                        "/IEM/CPU%u/re/CheckIrqBreaks", idCpu);
+        STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatCheckTimersBreaks, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
+                        "TB breaks by CheckIrq",                        "/IEM/CPU%u/re/CheckTimersBreaks", idCpu);
         STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatCheckModeBreaks, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
                         "TB breaks by CheckMode",                       "/IEM/CPU%u/re/CheckModeBreaks", idCpu);
@@ -654 +666 @@
         STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatCheckNeedCsLimChecking, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
                         "Needing CS.LIM checking TB after branch or on page crossing", "/IEM/CPU%u/re/CheckTbNeedCsLimChecking", idCpu);
-# ifdef VBOX_WITH_STATISTICS
+
+        STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatTbLoopFullTbDetected, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
+                        "Detected loop full TB",  "/IEM/CPU%u/re/LoopFullTbDetected", idCpu);
         STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatTbLoopInTbDetected, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
                         "Detected loop within TB", "/IEM/CPU%u/re/LoopInTbDetected", idCpu);
-#endif
 
         STAMR3RegisterF(pVM, (void *)&pVCpu->iem.s.StatNativeExecMemInstrBufAllocFailed, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
@@ -883 +896 @@
                         "Number of times the TB finished raising a #XF exception",
                         RAISE_PREFIX "RaiseXf", idCpu);
+
+#  ifdef VBOX_WITH_STATISTICS
+        STAMR3RegisterF(pVM, &pVCpu->iem.s.StatNativeTbExitLoopFullTb, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,
+                        "Number of full TB loops.",
+                        "/IEM/CPU%u/re/NativeTbExit/LoopFullTb", idCpu);
+#  endif
 
         STAMR3RegisterF(pVM, &pVCpu->iem.s.StatNativeTbExitDirectLinking1Irq, STAMTYPE_COUNTER, STAMVISIBILITY_ALWAYS, STAMUNIT_COUNT,

trunk/src/VBox/VMM/include/IEMInternal.h

@@ -92 +92 @@
 # define IEM_WITH_THROW_CATCH
 #endif /*ASM-NOINC-END*/
+
+/** @def IEM_WITH_INTRA_TB_JUMPS
+ * Enables loop-jumps within a TB (currently only to the first call).
+ */
+#if defined(DOXYGEN_RUNNING) || 1
+# define IEM_WITH_INTRA_TB_JUMPS
+#endif
 
 /** @def IEMNATIVE_WITH_DELAYED_PC_UPDATING
@@ -1245 +1252 @@
     uint8_t     uTbLookup;
 
-    /** Unused atm. */
-    uint8_t     uUnused0;
+    /** Flags - IEMTHREADEDCALLENTRY_F_XXX. */
+    uint8_t     fFlags;
 
     /** Generic parameters. */
@@ -1270 +1277 @@
 /** Make a IEMTHRDEDCALLENTRY::uTbLookup value. */
 #define IEM_TB_LOOKUP_TAB_MAKE(a_idxTable, a_fLarge)    ((a_idxTable) | ((a_fLarge) ? 0x80 : 0))
+
+
+/** The call entry is a jump target. */
+#define IEMTHREADEDCALLENTRY_F_JUMP_TARGET              UINT8_C(0x01)
+
 
 /**
@@ -2129 +2141 @@
     uint8_t                 abAlignment9[42];
 
-    /** @name Recompilation
+
+    /** @name Recompiled Exection
      * @{ */
     /** Pointer to the current translation block.
@@ -2156 +2169 @@
     uint64_t                u64Unused;
 #endif
-    /** Fixed TB used for threaded recompilation.
-     * This is allocated once with maxed-out sizes and re-used afterwards. */
-    R3PTRTYPE(PIEMTB)       pThrdCompileTbR3;
     /** Pointer to the ring-3 TB cache for this EMT. */
     R3PTRTYPE(PIEMTBCACHE)  pTbCacheR3;
@@ -2165 +2175 @@
      * entry, thus it can always safely be used w/o NULL checking. */
     R3PTRTYPE(PIEMTB *)     ppTbLookupEntryR3;
+#if 0 /* unused */
     /** The PC (RIP) at the start of pCurTbR3/pCurTbR0.
      * The TBs are based on physical addresses, so this is needed to correleated
      * RIP to opcode bytes stored in the TB (AMD-V / VT-x). */
     uint64_t                uCurTbStartPc;
+#endif
+
     /** Number of threaded TBs executed. */
     uint64_t                cTbExecThreaded;
     /** Number of native TBs executed. */
     uint64_t                cTbExecNative;
+
+    /** The number of IRQ/FF checks till the next timer poll call. */
+    uint32_t                cIrqChecksTillNextPoll;
+    /** The virtual sync time at the last timer poll call in milliseconds. */
+    uint32_t                msRecompilerPollNow;
+    /** The virtual sync time at the last timer poll call in nanoseconds. */
+    uint64_t                nsRecompilerPollNow;
+    /** The previous cIrqChecksTillNextPoll value. */
+    uint32_t                cIrqChecksTillNextPollPrev;
+    /** The ideal nanosecond interval between two timer polls.
+     * @todo make this adaptive?  */
+    uint32_t                cNsIdealPollInterval;
+
+    /** The current instruction number in a native TB.
+     * This is set by code that may trigger an unexpected TB exit (throw/longjmp)
+     * and will be picked up by the TB execution loop. Only used when
+     * IEMNATIVE_WITH_INSTRUCTION_COUNTING is defined. */
+    uint8_t                 idxTbCurInstr;
+    /** @} */
+
+    /** @name Recompilation
+     * @{ */
     /** Whether we need to check the opcode bytes for the current instruction.
      * This is set by a previous instruction if it modified memory or similar.  */
@@ -2182 +2217 @@
     /** Whether to end the current TB. */
     bool                    fEndTb;
+    /** Indicates that the current instruction is an STI.  This is set by the
+     * iemCImpl_sti code and subsequently cleared by the recompiler. */
+    bool                    fTbCurInstrIsSti;
+    /** Spaced reserved for recompiler data / alignment. */
+    bool                    afRecompilerStuff1[1];
     /** Number of instructions before we need emit an IRQ check call again.
      * This helps making sure we don't execute too long w/o checking for
@@ -2189 +2229 @@
      * fTbCurInstrIsSti. */
     uint8_t                 cInstrTillIrqCheck;
-    /** Indicates that the current instruction is an STI.  This is set by the
-     * iemCImpl_sti code and subsequently cleared by the recompiler. */
-    bool                    fTbCurInstrIsSti;
+    /** The index of the last CheckIrq call during threaded recompilation. */
+    uint16_t                idxLastCheckIrqCallNo;
     /** The size of the IEMTB::pabOpcodes allocation in pThrdCompileTbR3. */
     uint16_t                cbOpcodesAllocated;
-    /** The current instruction number in a native TB.
-     * This is set by code that may trigger an unexpected TB exit (throw/longjmp)
-     * and will be picked up by the TB execution loop. Only used when
-     * IEMNATIVE_WITH_INSTRUCTION_COUNTING is defined. */
-    uint8_t                 idxTbCurInstr;
-    /** Spaced reserved for recompiler data / alignment. */
-    bool                    afRecompilerStuff1[3];
-    /** The virtual sync time at the last timer poll call. */
-    uint32_t                msRecompilerPollNow;
     /** The IEMTB::cUsed value when to attempt native recompilation of a TB. */
     uint32_t                uTbNativeRecompileAtUsedCount;
@@ -2212 +2242 @@
      *  currently not up to date in EFLAGS. */
     uint32_t                fSkippingEFlags;
+    /** Spaced reserved for recompiler data / alignment. */
+    uint32_t                u32RecompilerStuff2;
+#if 0  /* unused */
     /** Previous GCPhysInstrBuf value - only valid if fTbCrossedPage is set.   */
     RTGCPHYS                GCPhysInstrBufPrev;
+#endif
+
+    /** Fixed TB used for threaded recompilation.
+     * This is allocated once with maxed-out sizes and re-used afterwards. */
+    R3PTRTYPE(PIEMTB)       pThrdCompileTbR3;
     /** Pointer to the ring-3 TB allocator for this EMT. */
     R3PTRTYPE(PIEMTBALLOCATOR) pTbAllocatorR3;
@@ -2222 +2260 @@
     /** Dummy entry for ppTbLookupEntryR3. */
     R3PTRTYPE(PIEMTB)       pTbLookupEntryDummyR3;
+    /** @} */
 
     /** Dummy TLB entry used for accesses to pages with databreakpoints. */
@@ -2230 +2269 @@
     /** Statistics: Times BltIn_CheckIrq breaks out of the TB. */
     STAMCOUNTER             StatCheckIrqBreaks;
+    /** Statistics: Times BltIn_CheckTimers breaks direct linking TBs. */
+    STAMCOUNTER             StatCheckTimersBreaks;
     /** Statistics: Times BltIn_CheckMode breaks out of the TB. */
     STAMCOUNTER             StatCheckModeBreaks;
@@ -2240 +2281 @@
     /** Statistics: Times a jump or page crossing required a TB with CS.LIM checking. */
     STAMCOUNTER             StatCheckNeedCsLimChecking;
-    /** Statistics: Times a loop was detected within a TB.. */
+    /** Statistics: Times a loop was detected within a TB. */
     STAMCOUNTER             StatTbLoopInTbDetected;
+    /** Statistics: Times a loop back to the start of the TB was detected. */
+    STAMCOUNTER             StatTbLoopFullTbDetected;
     /** Exec memory allocator statistics: Number of times allocaintg executable memory failed. */
     STAMCOUNTER             StatNativeExecMemInstrBufAllocFailed;
@@ -2421 +2464 @@
     STAMCOUNTER             StatNativeTbExitObsoleteTb;
 
+    /** Native recompiler: Number of full TB loops (jumps from end to start). */
+    STAMCOUNTER             StatNativeTbExitLoopFullTb;
+
     /** Native recompiler: Failure situations with direct linking scenario \#1.
      * Counter with StatNativeTbExitReturnBreak. Not in release builds.
@@ -2448 +2494 @@
 
 #ifdef IEM_WITH_TLB_TRACE
-    uint64_t                au64Padding[2];
+    uint64_t                au64Padding[6];
 #else
-    uint64_t                au64Padding[4];
-#endif
-    /** @} */
+    //uint64_t                au64Padding[1];
+#endif
 
 #ifdef IEM_WITH_TLB_TRACE
@@ -2491 +2536 @@
 AssertCompileMemberAlignment(IEMCPU, aMemMappingLocks, 16);
 AssertCompileMemberAlignment(IEMCPU, aBounceBuffers, 64);
+AssertCompileMemberAlignment(IEMCPU, pCurTbR3, 64);
 AssertCompileMemberAlignment(IEMCPU, DataTlb, 64);
 AssertCompileMemberAlignment(IEMCPU, CodeTlb, 64);
@@ -6742 +6788 @@
 extern const PFNIEMOP g_apfnIemThreadedRecompilerVecMap3[1024];
 
+DECLHIDDEN(int)     iemPollTimers(PVMCC pVM, PVMCPUCC pVCpu) RT_NOEXCEPT;
+
 DECLCALLBACK(int)   iemTbInit(PVMCC pVM, uint32_t cInitialTbs, uint32_t cMaxTbs,
                               uint64_t cbInitialExec, uint64_t cbMaxExec, uint32_t cbChunkExec);
@@ -6777 +6825 @@
 
 IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckIrq);
+IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckTimers);
+IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckTimersAndIrq);
 IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckMode);
 IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckHwInstrBps);
@@ -6806 +6856 @@
 IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckOpcodesOnNewPageLoadingTlb);
 IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_CheckOpcodesOnNewPageLoadingTlbConsiderCsLim);
+
+IEM_DECL_IEMTHREADEDFUNC_PROTO(iemThreadedFunc_BltIn_Jump);
 
 bool iemThreadedCompileEmitIrqCheckBefore(PVMCPUCC pVCpu, PIEMTB pTb);

trunk/src/VBox/VMM/include/IEMN8veRecompiler.h

@@ -491 +491 @@
     kIemNativeLabelType_LastTbExit        = kIemNativeLabelType_Return,
 
+    /** Loop-jump target. */
+    kIemNativeLabelType_LoopJumpTarget,
+
     /*
      * Labels with data, potentially multiple instances per TB:
@@ -1449 +1452 @@
     /** Condition sequence number (for generating unique labels). */
     uint16_t                    uCondSeqNo;
-    /** Check IRQ seqeunce number (for generating unique labels). */
+    /** Check IRQ sequence number (for generating unique labels). */
     uint16_t                    uCheckIrqSeqNo;
     /** TLB load sequence number (for generating unique labels). */
@@ -1632 +1635 @@
                                                  uint32_t offWhere = UINT32_MAX, uint16_t uData = 0);
 DECL_HIDDEN_THROW(void)     iemNativeLabelDefine(PIEMRECOMPILERSTATE pReNative, uint32_t idxLabel, uint32_t offWhere);
+DECLHIDDEN(uint32_t)        iemNativeLabelFind(PIEMRECOMPILERSTATE pReNative, IEMNATIVELABELTYPE enmType,
+                                               uint32_t offWhere = UINT32_MAX, uint16_t uData = 0) RT_NOEXCEPT;
 DECL_HIDDEN_THROW(void)     iemNativeAddFixup(PIEMRECOMPILERSTATE pReNative, uint32_t offWhere, uint32_t idxLabel,
                                               IEMNATIVEFIXUPTYPE enmType, int8_t offAddend = 0);

trunk/src/VBox/VMM/include/IEMN8veRecompilerEmit.h

@@ -503 +503 @@
 }
 
+/**
+ * Special variant of iemNativeEmitGprByVCpuDisp for accessing the VM structure.
+ */
+DECL_FORCE_INLINE(uint32_t)
+iemNativeEmitGprByVCpuSignedDisp(uint8_t *pbCodeBuf, uint32_t off, uint8_t iGprReg, int32_t offVCpu)
+{
+    Assert(offVCpu < 0);
+    if (offVCpu < 128 && offVCpu >= -128)
+    {
+        pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_MEM1, iGprReg & 7, IEMNATIVE_REG_FIXED_PVMCPU);
+        pbCodeBuf[off++] = (uint8_t)(int8_t)offVCpu;
+    }
+    else
+    {
+        pbCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_MEM4, iGprReg & 7, IEMNATIVE_REG_FIXED_PVMCPU);
+        pbCodeBuf[off++] = RT_BYTE1((uint32_t)offVCpu);
+        pbCodeBuf[off++] = RT_BYTE2((uint32_t)offVCpu);
+        pbCodeBuf[off++] = RT_BYTE3((uint32_t)offVCpu);
+        pbCodeBuf[off++] = RT_BYTE4((uint32_t)offVCpu);
+    }
+    return off;
+}
+
 #elif defined(RT_ARCH_ARM64)
 
@@ -585 +608 @@
 }
 
+
+/**
+ * Special variant of iemNativeEmitGprByVCpuLdStEx for accessing the VM
+ * structure.
+ *
+ * @note Loads can use @a iGprReg for large offsets, stores requires a temporary
+ *       registers (@a iGprTmp).
+ * @note DON'T try this with prefetch.
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitGprBySignedVCpuLdStEx(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGprReg, int32_t offVCpu,
+                                   ARMV8A64INSTRLDSTTYPE enmOperation, unsigned cbData, uint8_t iGprTmp = UINT8_MAX)
+{
+    Assert(offVCpu < 0);
+    Assert((uint32_t)-offVCpu < RT_BIT_32(28)); /* we should be way out of range for problematic sign extending issues. */
+    Assert(!((uint32_t)-offVCpu & (cbData - 1)));
+
+   /*
+     * For negative offsets we need to use put the displacement in a register
+     * as the two variants with signed immediates will either post or pre
+     * increment the base address register.
+     */
+    if (!ARMV8A64INSTRLDSTTYPE_IS_STORE(enmOperation) || iGprTmp != UINT8_MAX)
+    {
+        uint8_t const idxIndexReg = !ARMV8A64INSTRLDSTTYPE_IS_STORE(enmOperation) ? iGprReg : IEMNATIVE_REG_FIXED_TMP0;
+        off = iemNativeEmitLoadGpr32ImmEx(pCodeBuf, off, idxIndexReg, offVCpu / (int32_t)cbData);
+        pCodeBuf[off++] = Armv8A64MkInstrStLdRegIdx(enmOperation, iGprReg, IEMNATIVE_REG_FIXED_PVMCPU, idxIndexReg,
+                                                    kArmv8A64InstrLdStExtend_Sxtw, cbData > 1 /*fShifted*/);
+    }
+    else
+# ifdef IEM_WITH_THROW_CATCH
+        AssertFailedStmt(IEMNATIVE_DO_LONGJMP(NULL, VERR_IEM_IPE_9));
+# else
+        AssertReleaseFailedStmt(off = UINT32_MAX);
+# endif
+
+    return off;
+}
+
+/**
+ * Special variant of iemNativeEmitGprByVCpuLdSt for accessing the VM structure.
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitGprBySignedVCpuLdSt(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprReg,
+                                 int32_t offVCpu, ARMV8A64INSTRLDSTTYPE enmOperation, unsigned cbData)
+{
+    off = iemNativeEmitGprBySignedVCpuLdStEx(iemNativeInstrBufEnsure(pReNative, off, 2 + 1), off, iGprReg,
+                                             offVCpu, enmOperation, cbData, IEMNATIVE_REG_FIXED_TMP0);
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    return off;
+}
+
 #endif /* RT_ARCH_ARM64 */
 
@@ -601 +676 @@
         pCodeBuf[off++] = X86_OP_REX_W | X86_OP_REX_R;
     pCodeBuf[off++] = 0x8b;
-    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off,iGpr, offVCpu);
+    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, iGpr, offVCpu);
 
 #elif defined(RT_ARCH_ARM64)
@@ -773 +848 @@
 #endif
     IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    return off;
+}
+
+
+/**
+ * Emits a store of a GPR value to a 32-bit VCpu field.
+ *
+ * @note Limited range on ARM64.
+ */
+DECL_INLINE_THROW(uint32_t)
+iemNativeEmitStoreGprToVCpuU32Ex(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGpr, uint32_t offVCpu)
+{
+#ifdef RT_ARCH_AMD64
+    /* mov mem32, reg32 */
+    if (iGpr >= 8)
+        pCodeBuf[off++] = X86_OP_REX_R;
+    pCodeBuf[off++] = 0x89;
+    off = iemNativeEmitGprByVCpuDisp(pCodeBuf, off, iGpr, offVCpu);
+
+#elif defined(RT_ARCH_ARM64)
+    off = iemNativeEmitGprByVCpuLdStEx(pCodeBuf, off, iGpr, offVCpu, kArmv8A64InstrLdStType_St_Word, sizeof(uint32_t));
+
+#else
+# error "port me"
+#endif
     return off;
 }
@@ -5436 +5536 @@
 {
 #if defined(RT_ARCH_AMD64)
-    /* and Ev, imm */
+    /* xor Ev, imm */
     if (iGprDst >= 8)
         pCodeBuf[off++] = X86_OP_REX_B;
@@ -6130 +6230 @@
  */
 DECL_INLINE_THROW(uint32_t)
+iemNativeEmitCmpGprWithImmEx(PIEMNATIVEINSTR pCodeBuf, uint32_t off, uint8_t iGprLeft,
+                             uint64_t uImm, uint8_t idxTmpReg = UINT8_MAX)
+{
+#ifdef RT_ARCH_AMD64
+    if ((int8_t)uImm == (int64_t)uImm)
+    {
+        /* cmp Ev, Ib */
+        pCodeBuf[off++] = X86_OP_REX_W | (iGprLeft >= 8 ? X86_OP_REX_B : 0);
+        pCodeBuf[off++] = 0x83;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 7, iGprLeft & 7);
+        pCodeBuf[off++] = (uint8_t)uImm;
+        return off;
+    }
+    if ((int32_t)uImm == (int64_t)uImm)
+    {
+        /* cmp Ev, imm */
+        pCodeBuf[off++] = X86_OP_REX_W | (iGprLeft >= 8 ? X86_OP_REX_B : 0);
+        pCodeBuf[off++] = 0x81;
+        pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, 7, iGprLeft & 7);
+        pCodeBuf[off++] = RT_BYTE1(uImm);
+        pCodeBuf[off++] = RT_BYTE2(uImm);
+        pCodeBuf[off++] = RT_BYTE3(uImm);
+        pCodeBuf[off++] = RT_BYTE4(uImm);
+        return off;
+    }
+
+#elif defined(RT_ARCH_ARM64)
+    if (uImm < _4K)
+    {
+        pCodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(true /*fSub*/, ARMV8_A64_REG_XZR, iGprLeft, (uint32_t)uImm,
+                                                      true /*64Bit*/, true /*fSetFlags*/);
+        return off;
+    }
+    if ((uImm & ~(uint64_t)0xfff000) == 0)
+    {
+        pCodeBuf[off++] = Armv8A64MkInstrAddSubUImm12(true /*fSub*/, ARMV8_A64_REG_XZR, iGprLeft, (uint32_t)uImm >> 12,
+                                                      true /*64Bit*/, true /*fSetFlags*/, true /*fShift12*/);
+        return off;
+    }
+
+#else
+# error "Port me!"
+#endif
+
+    if (idxTmpReg != UINT8_MAX)
+    {
+        /* Use temporary register for the immediate. */
+        off = iemNativeEmitLoadGprImmEx(pCodeBuf, off, idxTmpReg, uImm);
+        off = iemNativeEmitCmpGprWithGprEx(pCodeBuf, off, iGprLeft, idxTmpReg);
+    }
+    else
+# ifdef IEM_WITH_THROW_CATCH
+        AssertFailedStmt(IEMNATIVE_DO_LONGJMP(NULL, VERR_IEM_IPE_9));
+# else
+        AssertReleaseFailedStmt(off = UINT32_MAX);
+# endif
+
+    return off;
+}
+
+
+/**
+ * Emits a compare of a 64-bit GPR with a constant value, settings status
+ * flags/whatever for use with conditional instruction.
+ */
+DECL_INLINE_THROW(uint32_t)
 iemNativeEmitCmpGprWithImm(PIEMRECOMPILERSTATE pReNative, uint32_t off, uint8_t iGprLeft, uint64_t uImm)
 {
 #ifdef RT_ARCH_AMD64
-    if (uImm <= UINT32_C(0xff))
+    if ((int8_t)uImm == (int64_t)uImm)
     {
         /* cmp Ev, Ib */
@@ -6142 +6308 @@
         pbCodeBuf[off++] = (uint8_t)uImm;
     }
-    else if ((int64_t)uImm == (int32_t)uImm)
+    else if ((int32_t)uImm == (int64_t)uImm)
     {
         /* cmp Ev, imm */
@@ -6974 +7140 @@
 
 #elif defined(RT_ARCH_ARM64)
+    int32_t const    offDisp     = offTarget - offFixup;
     uint32_t * const pu32CodeBuf = pReNative->pInstrBuf;
     if ((pu32CodeBuf[offFixup] & UINT32_C(0xff000000)) == UINT32_C(0x54000000))
     {
         /* B.COND + BC.COND */
-        int32_t const offDisp = offTarget - offFixup;
         Assert(offDisp >= -262144 && offDisp < 262144);
         pu32CodeBuf[offFixup] = (pu32CodeBuf[offFixup] & UINT32_C(0xff00001f))
                               | (((uint32_t)offDisp    & UINT32_C(0x0007ffff)) << 5);
     }
-    else
+    else if ((pu32CodeBuf[offFixup] & UINT32_C(0xfc000000)) == UINT32_C(0x14000000))
     {
         /* B imm26 */
-        Assert((pu32CodeBuf[offFixup] & UINT32_C(0xfc000000)) == UINT32_C(0x14000000));
-        int32_t const offDisp = offTarget - offFixup;
         Assert(offDisp >= -33554432 && offDisp < 33554432);
         pu32CodeBuf[offFixup] = (pu32CodeBuf[offFixup] & UINT32_C(0xfc000000))
                               | ((uint32_t)offDisp     & UINT32_C(0x03ffffff));
+    }
+    else
+    {
+        /* CBZ / CBNZ reg, imm19 */
+        Assert((pu32CodeBuf[offFixup] & UINT32_C(0x7e000000)) == UINT32_C(0x34000000));
+        Assert(offDisp >= -1048576 && offDisp < 1048576);
+        pu32CodeBuf[offFixup] = (pu32CodeBuf[offFixup]    & UINT32_C(0xff00001f))
+                              | (((uint32_t)offDisp << 5) & UINT32_C(0x00ffffe0));
+
     }
 
@@ -8451 +8624 @@
 
 
+/**
+ * Emits code that exits the current TB with @a enmExitReason if @a iGprSrc is zero.
+ *
+ * The operand size is given by @a f64Bit.
+ */
+DECL_FORCE_INLINE_THROW(uint32_t)
+iemNativeEmitTestIfGprIsZeroAndTbExitEx(PIEMRECOMPILERSTATE pReNative, PIEMNATIVEINSTR pCodeBuf, uint32_t off,
+                                        uint8_t iGprSrc, bool f64Bit, IEMNATIVELABELTYPE enmExitReason)
+{
+    Assert(IEMNATIVELABELTYPE_IS_EXIT_REASON(enmExitReason));
+#if defined(IEMNATIVE_WITH_RECOMPILER_PER_CHUNK_TAIL_CODE) && defined(RT_ARCH_AMD64)
+    /* test reg32,reg32  / test reg64,reg64 */
+    if (f64Bit)
+        pCodeBuf[off++] = X86_OP_REX_W | (iGprSrc < 8 ? 0 : X86_OP_REX_R | X86_OP_REX_B);
+    else if (iGprSrc >= 8)
+        pCodeBuf[off++] = X86_OP_REX_R | X86_OP_REX_B;
+    pCodeBuf[off++] = 0x85;
+    pCodeBuf[off++] = X86_MODRM_MAKE(X86_MOD_REG, iGprSrc & 7, iGprSrc & 7);
+
+    /* jnz idxLabel  */
+    return iemNativeEmitJccTbExitEx(pReNative, pCodeBuf, off, enmExitReason, kIemNativeInstrCond_e);
+
+#else
+    /* ARM64 doesn't have the necessary jump range, so we jump via local label
+       just like when we keep everything local. */
+    uint32_t const idxLabel = iemNativeLabelCreate(pReNative, enmExitReason, UINT32_MAX /*offWhere*/, 0 /*uData*/);
+    return iemNativeEmitTestIfGprIsZeroOrNotZeroAndJmpToLabelEx(pReNative, pCodeBuf, off, iGprSrc,
+                                                                f64Bit, false /*fJmpIfNotZero*/, idxLabel);
+#endif
+}
+
+
+/**
+ * Emits code to exit the current TB with the given reason @a enmExitReason if @a iGprSrc is zero.
+ *
+ * The operand size is given by @a f64Bit.
+ */
+DECL_INLINE_THROW(uint32_t)
+iemNativeEmitTestIfGprIsZeroAndTbExit(PIEMRECOMPILERSTATE pReNative, uint32_t off,
+                                      uint8_t iGprSrc, bool f64Bit, IEMNATIVELABELTYPE enmExitReason)
+{
+#if defined(IEMNATIVE_WITH_RECOMPILER_PER_CHUNK_TAIL_CODE) && defined(RT_ARCH_AMD64)
+    off = iemNativeEmitTestIfGprIsZeroAndTbExitEx(pReNative, iemNativeInstrBufEnsure(pReNative, off, 3 + 6),
+                                                  off, iGprSrc, f64Bit, enmExitReason);
+    IEMNATIVE_ASSERT_INSTR_BUF_ENSURE(pReNative, off);
+    return off;
+#else
+    uint32_t const idxLabel = iemNativeLabelCreate(pReNative, enmExitReason, UINT32_MAX /*offWhere*/, 0 /*uData*/);
+    return iemNativeEmitTestIfGprIsZeroOrNotZeroAndJmpToLabel(pReNative, off, iGprSrc, f64Bit, false /*fJmpIfNotZero*/, idxLabel);
+#endif
+}
+
+
 #ifdef IEMNATIVE_WITH_SIMD_REG_ALLOCATOR
 /*********************************************************************************************************************************