Changeset 15284 in vbox

Timestamp:

Dec 11, 2008 3:23:40 AM (16 years ago)

Author:

vboxsync

Message:

PGM, REM: Virtual address in TLB - this is what I meant...

Location:

trunk

Files:

• include/VBox/err.h (modified) (1 diff)
• include/VBox/pgm.h (modified) (4 diffs)
• src/VBox/VMM/PGMPhys.cpp (modified) (1 diff)
• src/VBox/VMM/VMMAll/PGMAllHandler.cpp (modified) (4 diffs)
• src/VBox/VMM/VMMAll/PGMAllPhys.cpp (modified) (1 diff)
• src/recompiler_new/VBoxREMWrapper.cpp (modified) (2 diffs)
• src/recompiler_new/VBoxRecompiler.c (modified) (2 diffs)
• src/recompiler_new/cpu-all.h (modified) (1 diff)
• src/recompiler_new/exec.c (modified) (23 diffs)

trunk/include/VBox/err.h

@@ -423 +423 @@
 /** The expanding of the dynamic mapping cache failed. */
 #define VERR_PGM_DYNMAP_EXPAND_ERROR            (-1632)
+/** The page is unassigned (akin to VERR_PGM_INVALID_GC_PHYSICAL_ADDRESS). */
+#define VERR_PGM_PHYS_TLB_UNASSIGNED            (-1633)
+/** Catch any access and route it thru PGM. */
+#define VERR_PGM_PHYS_TLB_CATCH_ALL             (-1634)
+/** Catch write access and route it thru PGM. */
+#define VINF_PGM_PHYS_TLB_CATCH_WRITE           1635
 
 /** @} */

trunk/include/VBox/pgm.h

@@ -352 +352 @@
                                                  R3PTRTYPE(const char *) pszDesc);
 VMMDECL(int)        PGMHandlerPhysicalModify(PVM pVM, RTGCPHYS GCPhysCurrent, RTGCPHYS GCPhys, RTGCPHYS GCPhysLast);
-VMMDECL(bool)       PGMHandlerVirtualIsRegistered(PVM pVM, RTGCPTR GCPtr);
 VMMDECL(int)        PGMHandlerPhysicalDeregister(PVM pVM, RTGCPHYS GCPhys);
 VMMDECL(int)        PGMHandlerPhysicalChangeCallbacks(PVM pVM, RTGCPHYS GCPhys,
@@ -366 +365 @@
 VMMDECL(int)        PGMHandlerPhysicalPageReset(PVM pVM, RTGCPHYS GCPhys, RTGCPHYS GCPhysPage);
 VMMDECL(bool)       PGMHandlerPhysicalIsRegistered(PVM pVM, RTGCPHYS GCPhys);
+VMMDECL(bool)       PGMHandlerVirtualIsRegistered(PVM pVM, RTGCPTR GCPtr);
 VMMDECL(bool)       PGMPhysIsA20Enabled(PVM pVM);
 VMMDECL(bool)       PGMPhysIsGCPhysValid(PVM pVM, RTGCPHYS GCPhys);
@@ -422 +422 @@
 VMMDECL(int)        PGMPhysGCPhys2R3Ptr(PVM pVM, RTGCPHYS GCPhys, RTUINT cbRange, PRTR3PTR pR3Ptr);
 VMMDECL(RTR3PTR)    PGMPhysGCPhys2R3PtrAssert(PVM pVM, RTGCPHYS GCPhys, RTUINT cbRange);
-/** @PGMPhysGCPhys2R3PtrEx flags.
- * @{ */
-/** Default value of the flag, behaves the same way as PGMPhysGCPhys2R3Ptr. */
-#define PGMPHYS_TRANSLATION_FLAG_DEFAULT           0
-/** Indicates that for monitored pages with physical handlers
- * VERR_PGM_PHYS_PAGE_RESERVED error code should be returned,
- * so address translation routines must fallback to PGM functions for
- * access memory. */
-#define PGMPHYS_TRANSLATION_FLAG_CHECK_PHYS_MONITORED   RT_BIT_32(0)
-/** Indicates that for monitored pages with virtual handlers
- * VERR_PGM_PHYS_PAGE_RESERVED error code should be returned,
- * so address translation routines must fallback to PGM functions for
- * access memory. */
-#define PGMPHYS_TRANSLATION_FLAG_CHECK_VIRT_MONITORED   RT_BIT_32(1)
-/** @} */
-VMMDECL(int)        PGMPhysGCPhys2R3PtrEx(PVM pVM, RTGCPHYS GCPhys, RTGCPTR GCPtr, uint32_t flags, PRTR3PTR pR3Ptr);
 VMMDECL(int)        PGMPhysGCPtr2R3Ptr(PVM pVM, RTGCPTR GCPtr, PRTR3PTR pR3Ptr);
 VMMDECL(int)        PGMPhysGCPtr2R3PtrByGstCR3(PVM pVM, RTGCPTR GCPtr, uint64_t cr3, unsigned fFlags, PRTR3PTR pR3Ptr);
@@ -601 +585 @@
 VMMR3DECL(int)      PGMR3DumpHierarchyGC(PVM pVM, uint64_t cr3, uint64_t cr4, RTGCPHYS PhysSearch);
 
+VMMR3DECL(int)      PGMR3PhysTlbGCPhys2Ptr(PVM pVM, RTGCPHYS GCPhys, bool fWritable, void **pvPtr);
 VMMR3DECL(uint8_t)  PGMR3PhysReadU8(PVM pVM, RTGCPHYS GCPhys);
 VMMR3DECL(uint16_t) PGMR3PhysReadU16(PVM pVM, RTGCPHYS GCPhys);

trunk/src/VBox/VMM/PGMPhys.cpp

@@ -2424 +2424 @@
 }
 
+
+/**
+ * Converts a GC physical address to a HC ring-3 pointer, with some
+ * additional checks.
+ *
+ * @returns VBox status code.
+ * @retval  VINF_SUCCESS on success.
+ * @retval  VINF_PGM_PHYS_TLB_CATCH_WRITE and *pvPtr set if the page has a write
+ *          access handler of some kind.
+ * @retval  VERR_PGM_PHYS_TLB_CATCH_ALL if the page has a handler catching all
+ *          accesses or is odd in any way.
+ * @retval  VERR_PGM_PHYS_TLB_UNASSIGNED if the page doesn't exist.
+ *
+ * @param   pVM         The VM handle.
+ * @param   GCPhys      The GC physical address to convert.
+ * @param   fWritable   Whether write access is required.
+ * @param   pR3Ptr      Where to store the R3 pointer on success.
+ */
+VMMR3DECL(int) PGMR3PhysTlbGCPhys2Ptr(PVM pVM, RTGCPHYS GCPhys, bool fWritable, void **pvPtr)
+{
+    pgmLock(pVM);
+
+    PPGMRAMRANGE pRam;
+    PPGMPAGE pPage;
+    int rc = pgmPhysGetPageAndRangeEx(&pVM->pgm.s, GCPhys, &pPage, &pRam);
+    if (RT_SUCCESS(rc))
+    {
+#if 0 /** @todo ifndef PGM_IGNORE_RAM_FLAGS_RESERVED */
+        if (RT_UNLIKELY(PGM_PAGE_IS_RESERVED(pPage)))
+            rc = VERR_PGM_PHYS_TLB_UNASSIGNED;
+#endif
+        {
+#if 0 /** @todo looks like the system ROM is registered incorrectly, 0xfe000 claims to be a zero page. */
+            if (fWritable && PGM_PAGE_GET_STATE(pPage) != PGM_PAGE_STATE_ALLOCATED)
+                rc = VERR_PGM_PHYS_TLB_UNASSIGNED; /** @todo VBOX_WITH_NEW_PHYS_CODE: remap it to a writeable page. */
+#else
+            if (0)
+                /* nothing */;
+#endif
+            else if (PGM_PAGE_HAS_ACTIVE_ALL_HANDLERS(pPage)) /* catches MMIO */
+                rc = VERR_PGM_PHYS_TLB_CATCH_ALL;
+            else if (fWritable && PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
+                rc = VINF_PGM_PHYS_TLB_CATCH_WRITE;
+            else
+                rc = VINF_SUCCESS;
+            if (RT_SUCCESS(rc))
+            {
+                if (pRam->fFlags & MM_RAM_FLAGS_DYNAMIC_ALLOC)
+                {
+                    Assert(PGM_PAGE_GET_TYPE(pPage) == PGMPAGETYPE_RAM);
+                    RTGCPHYS off = GCPhys - pRam->GCPhys;
+                    unsigned iChunk = (off >> PGM_DYNAMIC_CHUNK_SHIFT);
+                    *pvPtr = (void *)(pRam->paChunkR3Ptrs[iChunk] + (off & PGM_DYNAMIC_CHUNK_OFFSET_MASK));
+                }
+                else if (RT_LIKELY(pRam->pvR3))
+                {
+                    Assert(PGM_PAGE_GET_TYPE(pPage) == PGMPAGETYPE_RAM);
+                    RTGCPHYS off = GCPhys - pRam->GCPhys;
+                    *pvPtr = (uint8_t *)pRam->pvR3 + off;
+                }
+                else
+                    rc = VERR_PGM_PHYS_TLB_UNASSIGNED;
+            }
+        }
+    }
+    else
+        rc = VERR_PGM_PHYS_TLB_UNASSIGNED;
+
+    pgmUnlock(pVM);
+    return rc;
+}
+
+
+

trunk/src/VBox/VMM/VMMAll/PGMAllHandler.cpp

@@ -1032 +1032 @@
  * @param   pVM         VM Handle.
  * @param   GCPhys      Start physical address earlier passed to PGMR3HandlerPhysicalRegister().
+ * @remarks Caller must take the PGM lock...
+ * @threads EMT.
  */
 VMMDECL(bool) PGMHandlerPhysicalIsRegistered(PVM pVM, RTGCPHYS GCPhys)
@@ -1054 +1056 @@
 }
 
+
 /**
  * Check if particular guest's VA is being monitored.
@@ -1060 +1063 @@
  * @param   pVM             VM handle.
  * @param   GCPtr           Virtual address.
+ * @remarks Will acquire the PGM lock.
+ * @threads Any.
  */
 VMMDECL(bool) PGMHandlerVirtualIsRegistered(PVM pVM, RTGCPTR GCPtr)
@@ -1067 +1072 @@
     pgmUnlock(pVM);
 
-    return pCur != 0;
-}
+    return pCur != NULL;
+}
+
 
 /**

trunk/src/VBox/VMM/VMMAll/PGMAllPhys.cpp

@@ -913 +913 @@
 }
 
-/**
- * Converts a GC physical address to a HC ring-3 pointer, with some
- * additional checks.
- *
- * @returns VINF_SUCCESS on success.
- * @returns VERR_PGM_PHYS_PAGE_RESERVED it it's a valid GC physical
- *          page but has no physical backing, or if partuclar 
- *          memory access must always go via PGM, because of handlers.
- * @returns VERR_PGM_INVALID_GC_PHYSICAL_ADDRESS if it's not a valid
- *          GC physical address.
- *
- * @param   pVM         The VM handle.
- * @param   GCPhys      The GC physical address to convert.
- * @param   GCPtr       The guest VA, to check virtual handler on.
- * @param   flags       Flags controlling additional checks.
- * @param   pR3Ptr      Where to store the R3 pointer on success.
- */
-VMMDECL(int) PGMPhysGCPhys2R3PtrEx(PVM pVM, RTGCPHYS GCPhys, RTGCPTR GCPtr, uint32_t flags, PRTR3PTR pR3Ptr)
-{
-  int rc;
-
-  rc = PGMPhysGCPhys2R3Ptr(pVM, GCPhys, 1, pR3Ptr);
-
-  if (RT_SUCCESS(rc) && (flags & PGMPHYS_TRANSLATION_FLAG_CHECK_PHYS_MONITORED))
-  {
-    /* Check if there's a physical handler for PA */
-      if (PGMHandlerPhysicalIsRegistered(pVM, GCPhys))
-        rc = VERR_PGM_PHYS_PAGE_RESERVED;
-  }
-
-  if (RT_SUCCESS(rc) && (flags & PGMPHYS_TRANSLATION_FLAG_CHECK_VIRT_MONITORED))
-  {
-    /* Check if there's a virtual handler for VA */
-    if (PGMHandlerVirtualIsRegistered(pVM, GCPtr))
-        rc = VERR_PGM_PHYS_PAGE_RESERVED;
-  }
-
-  return rc;
-}
+
 /**
  * PGMPhysGCPhys2R3Ptr convenience for use with assertions.

trunk/src/recompiler_new/VBoxREMWrapper.cpp

@@ -718 +718 @@
     { REMPARMDESC_FLAGS_INT,        sizeof(PRTR3PTR), NULL }
 };
-static const REMPARMDESC g_aArgsPGMPhysGCPhys2R3PtrEx[] = 
+static const REMPARMDESC g_aArgsPGMR3PhysTlbGCPhys2Ptr[] =
 {
     { REMPARMDESC_FLAGS_INT,        sizeof(PVM), NULL },
     { REMPARMDESC_FLAGS_GCPHYS,     sizeof(RTGCPHYS), NULL },
-    { REMPARMDESC_FLAGS_GCPTR,      sizeof(RTGCPHYS), NULL },
-    { REMPARMDESC_FLAGS_INT,        sizeof(uint32_t), NULL },
-    { REMPARMDESC_FLAGS_INT,        sizeof(PRTR3PTR), NULL }
+    { REMPARMDESC_FLAGS_INT,        sizeof(bool), NULL },
+    { REMPARMDESC_FLAGS_INT,        sizeof(void *), NULL }
 };
 static const REMPARMDESC g_aArgsPGMPhysGCPtr2R3PtrByGstCR3[] =
@@ -1151 +1150 @@
     { "PGMR3PhysWriteU32",                      (void *)(uintptr_t)&PGMR3PhysWriteU32,              &g_aArgsPGMR3PhysWriteU32[0],               RT_ELEMENTS(g_aArgsPGMR3PhysWriteU32),                 REMFNDESC_FLAGS_RET_VOID,   0,                  NULL },
     { "PGMR3PhysWriteU64",                      (void *)(uintptr_t)&PGMR3PhysWriteU64,              &g_aArgsPGMR3PhysWriteU64[0],               RT_ELEMENTS(g_aArgsPGMR3PhysWriteU32),                 REMFNDESC_FLAGS_RET_VOID,   0,                  NULL },
-    { "PGMR3DbgR3Ptr2GCPhys",                   (void *)(uintptr_t)&PGMR3DbgR3Ptr2GCPhys,              &g_aArgsPGMR3DbgR3Ptr2GCPhys[0],               RT_ELEMENTS(g_aArgsPGMR3DbgR3Ptr2GCPhys),                 REMFNDESC_FLAGS_RET_INT,   sizeof(uint64_t),                  NULL },
-    { "PGMPhysGCPhys2R3PtrEx",          (void *)(uintptr_t)&PGMPhysGCPhys2R3PtrEx,              &g_aArgsPGMPhysGCPhys2R3PtrEx[0],               RT_ELEMENTS(g_aArgsPGMPhysGCPhys2R3PtrEx),                 REMFNDESC_FLAGS_RET_INT,   sizeof(int),                  NULL },
+    { "PGMR3DbgR3Ptr2GCPhys",                   (void *)(uintptr_t)&PGMR3DbgR3Ptr2GCPhys,           &g_aArgsPGMR3DbgR3Ptr2GCPhys[0],            RT_ELEMENTS(g_aArgsPGMR3DbgR3Ptr2GCPhys),              REMFNDESC_FLAGS_RET_INT,    sizeof(int),        NULL },
+    { "PGMR3PhysGCPhys2Ptr",                    (void *)(uintptr_t)&PGMR3PhysTlbGCPhys2Ptr,         &g_aArgsPGMR3PhysTlbGCPhys2Ptr[0],          RT_ELEMENTS(g_aArgsPGMR3PhysTlbGCPhys2Ptr),            REMFNDESC_FLAGS_RET_INT,    sizeof(int),        NULL },
     { "SSMR3GetGCPtr",                          (void *)(uintptr_t)&SSMR3GetGCPtr,                  &g_aArgsSSMR3GetGCPtr[0],                   RT_ELEMENTS(g_aArgsSSMR3GetGCPtr),                     REMFNDESC_FLAGS_RET_INT,    sizeof(int),        NULL },
     { "SSMR3GetMem",                            (void *)(uintptr_t)&SSMR3GetMem,                    &g_aArgsSSMR3GetMem[0],                     RT_ELEMENTS(g_aArgsSSMR3GetMem),                       REMFNDESC_FLAGS_RET_INT,    sizeof(int),        NULL },

trunk/src/recompiler_new/VBoxRecompiler.c

@@ -637 +637 @@
     }
     else
-    {        
+    {
         switch (rc)
         {
@@ -1283 +1283 @@
 
 #ifndef REM_PHYS_ADDR_IN_TLB
-void* remR3GCPhys2HCVirt(CPUState *env1, target_ulong physAddr, target_ulong virtAddr)
-{
-    void* rv = NULL;
-    int rc;
-    uint32_t flags = PGMPHYS_TRANSLATION_FLAG_CHECK_PHYS_MONITORED;
-    
-    if (virtAddr != (target_ulong)-1)
-      flags |= PGMPHYS_TRANSLATION_FLAG_CHECK_VIRT_MONITORED;
-
-    rc = PGMPhysGCPhys2R3PtrEx(env1->pVM, (RTGCPHYS)physAddr, (RTGCPTR)virtAddr,
-                               flags, &rv);
-
-    if (rc == VERR_PGM_PHYS_PAGE_RESERVED)
-    {
-        rv = (void*)((uintptr_t)rv | 1);
-        rc = 0;
-    }
-    Assert (RT_SUCCESS(rc));
-
-    return rv;
+void *remR3TlbGCPhys2Ptr(CPUState *env1, target_ulong physAddr, int fWritable)
+{
+    void *pv;
+    int rc = PGMR3PhysTlbGCPhys2Ptr(env1->pVM, physAddr, true /*fWritable*/, &pv);
+    Assert(   rc == VINF_SUCCESS
+           || rc == VINF_PGM_PHYS_TLB_CATCH_WRITE
+           || rc == VERR_PGM_PHYS_TLB_CATCH_ALL
+           || rc == VERR_PGM_PHYS_TLB_UNASSIGNED);
+    if (RT_FAILURE(rc))
+        return (void *)1;
+    if (rc == VINF_PGM_PHYS_TLB_CATCH_WRITE)
+        return (void *)((uintptr_t)pv | 2);
+    return pv;
 }
 

trunk/src/recompiler_new/cpu-all.h

@@ -264 +264 @@
 uint64_t    remR3PhysReadU64(RTGCPHYS SrcGCPhys);
 int64_t     remR3PhysReadS64(RTGCPHYS SrcGCPhys);
-void     remR3PhysWrite(RTGCPHYS DstGCPhys, const void *pvSrc, unsigned cb);
-void     remR3PhysWriteU8(RTGCPHYS DstGCPhys, uint8_t val);
-void     remR3PhysWriteU16(RTGCPHYS DstGCPhys, uint16_t val);
-void     remR3PhysWriteU32(RTGCPHYS DstGCPhys, uint32_t val);
-void     remR3PhysWriteU64(RTGCPHYS DstGCPhys, uint64_t val);
+void        remR3PhysWrite(RTGCPHYS DstGCPhys, const void *pvSrc, unsigned cb);
+void        remR3PhysWriteU8(RTGCPHYS DstGCPhys, uint8_t val);
+void        remR3PhysWriteU16(RTGCPHYS DstGCPhys, uint16_t val);
+void        remR3PhysWriteU32(RTGCPHYS DstGCPhys, uint32_t val);
+void        remR3PhysWriteU64(RTGCPHYS DstGCPhys, uint64_t val);
 
 #ifndef REM_PHYS_ADDR_IN_TLB
+void       *remR3TlbGCPhys2Ptr(CPUState *env1, target_ulong physAddr, int fWritable);
 target_ulong remR3HCVirt2GCPhys(CPUState *env1, void *addr);
-void* remR3GCPhys2HCVirt(CPUState *env1, target_ulong physAddr, target_ulong virtAddr);
 #endif
 

trunk/src/recompiler_new/exec.c

@@ -243 +243 @@
     VirtualProtect(addr, size,
                    PAGE_EXECUTE_READWRITE, &old_protect);
-    
+
 }
 #else
@@ -249 +249 @@
 {
     unsigned long start, end, page_size;
-    
+
     page_size = getpagesize();
     start = (unsigned long)addr;
     start &= ~(page_size - 1);
-    
+
     end = (unsigned long)addr + size;
     end += page_size - 1;
     end &= ~(page_size - 1);
-    
+
     mprotect((void *)start, end - start,
              PROT_READ | PROT_WRITE | PROT_EXEC);
@@ -308 +308 @@
 #ifdef VBOX
     /* We use other means to set reserved bit on our pages */
-#else 
+#else
 #if !defined(_WIN32) && defined(CONFIG_USER_ONLY)
     {
@@ -328 +328 @@
                     page_set_flags(startaddr & TARGET_PAGE_MASK,
                                    TARGET_PAGE_ALIGN(endaddr),
-                                   PAGE_RESERVED); 
+                                   PAGE_RESERVED);
                 }
             } while (!feof(f));
@@ -379 +379 @@
             page_set_flags(addr & TARGET_PAGE_MASK,
                            TARGET_PAGE_ALIGN(addr + len),
-                           PAGE_RESERVED); 
+                           PAGE_RESERVED);
         }
 #else
@@ -478 +478 @@
 #endif
 
-/* VBox allocates codegen buffer dynamically */ 
+/* VBox allocates codegen buffer dynamically */
 #ifndef VBOX
 #ifdef USE_STATIC_CODE_GEN_BUFFER
@@ -508 +508 @@
 #ifdef VBOX
     code_gen_buffer = RTMemExecAlloc(code_gen_buffer_size);
-    
+
     if (!code_gen_buffer) {
-        LogRel(("REM: failed allocate codegen buffer %lld\n", 
+        LogRel(("REM: failed allocate codegen buffer %lld\n",
                 code_gen_buffer_size));
         return;
     }
 #else //!VBOX
-#if defined(__linux__) 
+#if defined(__linux__)
     {
         int flags;
@@ -556 +556 @@
 #endif
         code_gen_buffer = mmap(addr, code_gen_buffer_size,
-                               PROT_WRITE | PROT_READ | PROT_EXEC, 
+                               PROT_WRITE | PROT_READ | PROT_EXEC,
                                flags, -1, 0);
         if (code_gen_buffer == MAP_FAILED) {
@@ -580 +580 @@
 #endif
 
-    code_gen_buffer_max_size = code_gen_buffer_size - 
+    code_gen_buffer_max_size = code_gen_buffer_size -
         code_gen_max_block_size();
     code_gen_max_blocks = code_gen_buffer_size / CODE_GEN_AVG_BLOCK_SIZE;
@@ -1282 +1282 @@
 #else
 DECLINLINE(void) tb_alloc_page(TranslationBlock *tb,
-                                 unsigned int n, target_ulong page_addr)                   
+                                 unsigned int n, target_ulong page_addr)
 #endif
 {
@@ -1346 +1346 @@
         (code_gen_ptr - code_gen_buffer) >= code_gen_buffer_max_size)
 #else
-        (code_gen_ptr - code_gen_buffer) >= (int)code_gen_buffer_max_size)     
+        (code_gen_ptr - code_gen_buffer) >= (int)code_gen_buffer_max_size)
 #endif
         return NULL;
@@ -1831 +1831 @@
        overlap the flushed page.  */
     i = tb_jmp_cache_hash_page(addr - TARGET_PAGE_SIZE);
-    memset (&env->tb_jmp_cache[i], 0, 
+    memset (&env->tb_jmp_cache[i], 0,
             TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
 
     i = tb_jmp_cache_hash_page(addr);
-    memset (&env->tb_jmp_cache[i], 0, 
+    memset (&env->tb_jmp_cache[i], 0,
             TB_JMP_PAGE_SIZE * sizeof(TranslationBlock *));
 
@@ -1929 +1929 @@
 #endif
 #endif
-    
+
     tlb_flush_jmp_cache(env, addr);
 
@@ -1974 +1974 @@
 
 #ifdef VBOX
-    if (start & 1)
+    if (start & 3)
         return;
 #endif
@@ -2027 +2027 @@
     start1 = start + (unsigned long)phys_ram_base;
 #else
-    start1 = (unsigned long)remR3GCPhys2HCVirt(first_cpu, start, -1);
+    start1 = (unsigned long)remR3TlbGCPhys2Ptr(first_cpu, start, 1 /*fWritable*/); /** @todo this can be harmful with VBOX_WITH_NEW_PHYS_CODE, fix interface/whatever. */
 #endif
     for(env = first_cpu; env != NULL; env = env->next_cpu) {
@@ -2176 +2176 @@
     addend = (unsigned long)phys_ram_base + (pd & TARGET_PAGE_MASK);
 #else
-    addend = (unsigned long)remR3GCPhys2HCVirt(env, 
+    /** @todo this is racing the phys_page_find call above since it may register
+     *        a new chunk of memory...  */
+    addend = (unsigned long)remR3TlbGCPhys2Ptr(env,
                                                pd & TARGET_PAGE_MASK,
-                                               vaddr & TARGET_PAGE_MASK);
+                                               !!(prot & PAGE_WRITE));
 #endif
     if ((pd & ~TARGET_PAGE_MASK) <= IO_MEM_ROM) {
@@ -2201 +2203 @@
 #ifdef VBOX
 #  if !defined(REM_PHYS_ADDR_IN_TLB)
-    if (addend & 0x1)
+    if (addend & 0x2)
     {
-        addend &= ~(target_ulong)0x1;
-        if ((pd & ~TARGET_PAGE_MASK) == IO_MEM_RAM)
+        /* catch write */
+        addend &= ~(target_ulong)0x3;
+        if ((pd & ~TARGET_PAGE_MASK) <= IO_MEM_ROM)
+        {
+/** @todo improve this, it's only avoid code reads right now! */
+            address |= TLB_MMIO;
+            iotlb = env->pVM->rem.s.iHandlerMemType + paddr;
+        }
+    }
+    else if (addend & 0x1)
+    {
+        /* catch all */
+        addend &= ~(target_ulong)0x3;
+        if ((pd & ~TARGET_PAGE_MASK) <= IO_MEM_ROM)
         {
             address |= TLB_MMIO;
-            iotlb = (pd & ~TARGET_PAGE_MASK) + paddr +env->pVM->rem.s.iHandlerMemType;
+            code_address |= TLB_MMIO;
+            iotlb = env->pVM->rem.s.iHandlerMemType + paddr;
         }
     }
@@ -2723 +2738 @@
     unsigned long ram_addr;
     int dirty_flags;
-#if defined(VBOX) 
+#if defined(VBOX)
     ram_addr = addr;
 #elif
@@ -2770 +2785 @@
     unsigned long ram_addr;
     int dirty_flags;
-#if defined(VBOX) 
+#if defined(VBOX)
     ram_addr = addr;
 #else
@@ -2818 +2833 @@
     unsigned long ram_addr;
     int dirty_flags;
-#if defined(VBOX) 
+#if defined(VBOX)
     ram_addr = addr;
 #else
@@ -3104 +3119 @@
     io_mem_nb = 5;
 #endif
-    
+
     io_mem_watch = cpu_register_io_memory(0, watch_mem_read,
                                           watch_mem_write, NULL);
-    
+
 #ifndef VBOX /* VBOX: we do this later when the RAM is allocated. */
     /* alloc dirty bits array */
@@ -3637 +3652 @@
     tb = tb_find_pc((unsigned long)retaddr);
     if (!tb) {
-        cpu_abort(env, "cpu_io_recompile: could not find TB for pc=%p", 
+        cpu_abort(env, "cpu_io_recompile: could not find TB for pc=%p",
                   retaddr);
     }
@@ -3716 +3731 @@
     cpu_fprintf(f, "gen code size       %ld/%ld\n",
                 code_gen_ptr - code_gen_buffer, code_gen_buffer_max_size);
-    cpu_fprintf(f, "TB count            %d/%d\n", 
+    cpu_fprintf(f, "TB count            %d/%d\n",
                 nb_tbs, code_gen_max_blocks);
     cpu_fprintf(f, "TB avg target size  %d max=%d bytes\n",