Changeset 23121 in vbox for trunk/src

Timestamp:

Sep 18, 2009 11:12:52 AM (15 years ago)

Author:

vboxsync

Message:

Paging updates:

• use the dirty page handling after fewer writes
• don't always invalidate PTEs in pgmHandlerPhysicalSetRamFlagsAndFlushShadowPTs; just flipping the X86_PTE_W bit is sufficient

Location:

trunk/src/VBox/VMM

Files:

• PGMInternal.h (modified) (4 diffs)
• PGMPool.cpp (modified) (3 diffs)
• VMMAll/PGMAllHandler.cpp (modified) (1 diff)
• VMMAll/PGMAllPool.cpp (modified) (23 diffs)

trunk/src/VBox/VMM/PGMInternal.h

@@ -1822 +1822 @@
     /** Number of times we've been out of user records. */
     STAMCOUNTER                 StatTrackFreeUpOneUser;
+    /** Nr of flushed entries. */
+    STAMCOUNTER                 StatTrackFlushEntry;
+    /** Nr of updated entries. */
+    STAMCOUNTER                 StatTrackFlushEntryKeep;
 # endif
 # ifdef PGMPOOL_WITH_GCPHYS_TRACKING
@@ -1854 +1858 @@
     /** Profiling the REP STOSD cases we've handled. */
     STAMPROFILE                 StatMonitorRZRepStosd;
+    /** Nr of handled PT faults. */
+    STAMCOUNTER                 StatMonitorRZFaultPT;
+    /** Nr of handled PD faults. */
+    STAMCOUNTER                 StatMonitorRZFaultPD;
+    /** Nr of handled PDPT faults. */
+    STAMCOUNTER                 StatMonitorRZFaultPDPT;
+    /** Nr of handled PML4 faults. */
+    STAMCOUNTER                 StatMonitorRZFaultPML4;
 
     /** Profiling the R3 access handler. */
@@ -1873 +1885 @@
     /** Profiling the REP STOSD cases we've handled. */
     STAMPROFILE                 StatMonitorR3RepStosd;
+    /** Nr of handled PT faults. */
+    STAMCOUNTER                 StatMonitorR3FaultPT;
+    /** Nr of handled PD faults. */
+    STAMCOUNTER                 StatMonitorR3FaultPD;
+    /** Nr of handled PDPT faults. */
+    STAMCOUNTER                 StatMonitorR3FaultPDPT;
+    /** Nr of handled PML4 faults. */
+    STAMCOUNTER                 StatMonitorR3FaultPML4;
     /** The number of times we're called in an async thread an need to flush. */
     STAMCOUNTER                 StatMonitorR3Async;
@@ -3106 +3126 @@
 int             pgmPoolSyncCR3(PVMCPU pVCpu);
 bool            pgmPoolIsDirtyPage(PVM pVM, RTGCPHYS GCPhys);
-int             pgmPoolTrackFlushGCPhys(PVM pVM, PPGMPAGE pPhysPage, bool *pfFlushTLBs);
+int             pgmPoolTrackUpdateGCPhys(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, bool *pfFlushTLBs);
+DECLINLINE(int) pgmPoolTrackFlushGCPhys(PVM pVM, PPGMPAGE pPhysPage, bool *pfFlushTLBs)
+{
+    return pgmPoolTrackUpdateGCPhys(pVM, pPhysPage, true /* flush PTEs */, pfFlushTLBs);
+}
+
 uint16_t        pgmPoolTrackPhysExtAddref(PVM pVM, uint16_t u16, uint16_t iShwPT);
 void            pgmPoolTrackPhysExtDerefGCPhys(PPGMPOOL pPool, PPGMPOOLPAGE pPoolPage, PPGMPAGE pPhysPage);

trunk/src/VBox/VMM/PGMPool.cpp

@@ -348 +348 @@
     STAM_REG(pVM, &pPool->StatTrackFlushGCPhysPTs,      STAMTYPE_PROFILE,   "/PGM/Pool/Track/FlushGCPhysPTs",       STAMUNIT_TICKS_PER_CALL, "Profiling of pgmPoolTrackFlushGCPhysPTs.");
     STAM_REG(pVM, &pPool->StatTrackFlushGCPhysPTsSlow,  STAMTYPE_PROFILE,   "/PGM/Pool/Track/FlushGCPhysPTsSlow",   STAMUNIT_TICKS_PER_CALL, "Profiling of pgmPoolTrackFlushGCPhysPTsSlow.");
+    STAM_REG(pVM, &pPool->StatTrackFlushEntry,          STAMTYPE_COUNTER,   "/PGM/Pool/Track/Entry/Flush",          STAMUNIT_COUNT,          "Nr of flushed entries.");
+    STAM_REG(pVM, &pPool->StatTrackFlushEntryKeep,      STAMTYPE_COUNTER,   "/PGM/Pool/Track/Entry/Update",         STAMUNIT_COUNT,          "Nr of updated entries.");
     STAM_REG(pVM, &pPool->StatTrackFreeUpOneUser,       STAMTYPE_COUNTER,   "/PGM/Pool/Track/FreeUpOneUser",        STAMUNIT_TICKS_PER_CALL, "The number of times we were out of user tracking records.");
 # endif
@@ -367 +369 @@
     STAM_REG(pVM, &pPool->StatMonitorRZRepPrefix,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/RZ/RepPrefix",       STAMUNIT_OCCURENCES,     "The number of times we've seen rep prefixes we can't handle.");
     STAM_REG(pVM, &pPool->StatMonitorRZRepStosd,        STAMTYPE_PROFILE,   "/PGM/Pool/Monitor/RZ/RepStosd",        STAMUNIT_TICKS_PER_CALL, "Profiling the REP STOSD cases we've handled.");
+    STAM_REG(pVM, &pPool->StatMonitorRZFaultPT,         STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/RZ/Fault/PT",        STAMUNIT_OCCURENCES,     "Nr of handled PT faults.");
+    STAM_REG(pVM, &pPool->StatMonitorRZFaultPD,         STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/RZ/Fault/PD",        STAMUNIT_OCCURENCES,     "Nr of handled PD faults.");
+    STAM_REG(pVM, &pPool->StatMonitorRZFaultPDPT,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/RZ/Fault/PDPT",      STAMUNIT_OCCURENCES,     "Nr of handled PDPT faults.");
+    STAM_REG(pVM, &pPool->StatMonitorRZFaultPML4,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/RZ/Fault/PML4",      STAMUNIT_OCCURENCES,     "Nr of handled PML4 faults.");
     STAM_REG(pVM, &pPool->StatMonitorR3,                STAMTYPE_PROFILE,   "/PGM/Pool/Monitor/R3",                 STAMUNIT_TICKS_PER_CALL, "Profiling the R3 access handler.");
     STAM_REG(pVM, &pPool->StatMonitorR3EmulateInstr,    STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/EmulateInstr",    STAMUNIT_OCCURENCES,     "Times we've failed interpreting the instruction.");
@@ -376 +382 @@
     STAM_REG(pVM, &pPool->StatMonitorR3RepPrefix,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/RepPrefix",       STAMUNIT_OCCURENCES,     "The number of times we've seen rep prefixes we can't handle.");
     STAM_REG(pVM, &pPool->StatMonitorR3RepStosd,        STAMTYPE_PROFILE,   "/PGM/Pool/Monitor/R3/RepStosd",        STAMUNIT_TICKS_PER_CALL, "Profiling the REP STOSD cases we've handled.");
+    STAM_REG(pVM, &pPool->StatMonitorR3FaultPT,         STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/Fault/PT",        STAMUNIT_OCCURENCES,     "Nr of handled PT faults.");
+    STAM_REG(pVM, &pPool->StatMonitorR3FaultPD,         STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/Fault/PD",        STAMUNIT_OCCURENCES,     "Nr of handled PD faults.");
+    STAM_REG(pVM, &pPool->StatMonitorR3FaultPDPT,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/Fault/PDPT",      STAMUNIT_OCCURENCES,     "Nr of handled PDPT faults.");
+    STAM_REG(pVM, &pPool->StatMonitorR3FaultPML4,       STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/Fault/PML4",      STAMUNIT_OCCURENCES,     "Nr of handled PML4 faults.");
     STAM_REG(pVM, &pPool->StatMonitorR3Async,           STAMTYPE_COUNTER,   "/PGM/Pool/Monitor/R3/Async",           STAMUNIT_OCCURENCES,     "Times we're called in an async thread and need to flush.");
     STAM_REG(pVM, &pPool->cModifiedPages,               STAMTYPE_U16,       "/PGM/Pool/Monitor/cModifiedPages",     STAMUNIT_PAGES,          "The current cModifiedPages value.");

trunk/src/VBox/VMM/VMMAll/PGMAllHandler.cpp

@@ -223 +223 @@
             PGM_PAGE_SET_HNDL_PHYS_STATE(pPage, uState);
 
-            int rc2 = pgmPoolTrackFlushGCPhys(pVM, pPage, &fFlushTLBs);
+            int rc2 = pgmPoolTrackUpdateGCPhys(pVM, pPage, false /* allow updates of PTEs (instead of flushing) */, &fFlushTLBs);
             if (rc2 != VINF_SUCCESS && rc == VINF_SUCCESS)
                 rc = rc2;

trunk/src/VBox/VMM/VMMAll/PGMAllPool.cpp

@@ -66 +66 @@
 #endif
 
-void            pgmPoolTrackFlushGCPhysPT(PVM pVM, PPGMPAGE pPhysPage, uint16_t iShw, uint16_t cRefs);
-void            pgmPoolTrackFlushGCPhysPTs(PVM pVM, PPGMPAGE pPhysPage, uint16_t iPhysExt);
 int             pgmPoolTrackFlushGCPhysPTsSlow(PVM pVM, PPGMPAGE pPhysPage);
 PPGMPOOLPHYSEXT pgmPoolTrackPhysExtAlloc(PVM pVM, uint16_t *piPhysExt);
@@ -272 +270 @@
             case PGMPOOLKIND_32BIT_PT_FOR_32BIT_PT:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
                 uShw.pv = PGMPOOL_PAGE_2_LOCKED_PTR(pVM, pPage);
                 const unsigned iShw = off / sizeof(X86PTE);
@@ -295 +294 @@
             case PGMPOOLKIND_PAE_PT_FOR_32BIT_PT:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
                 uShw.pv = PGMPOOL_PAGE_2_LOCKED_PTR(pVM, pPage);
                 if (!((off ^ pPage->GCPhys) & (PAGE_SIZE / 2)))
@@ -329 +329 @@
 
                 LogFlow(("pgmPoolMonitorChainChanging PAE for 32 bits: iGst=%x iShw=%x idx = %d page idx=%d\n", iGst, iShw, iShwPdpt, pPage->enmKind - PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD));
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
                 if (iShwPdpt == pPage->enmKind - (unsigned)PGMPOOLKIND_PAE_PD0_FOR_32BIT_PD)
                 {
@@ -391 +392 @@
                 uShw.pv = PGMPOOL_PAGE_2_LOCKED_PTR(pVM, pPage);
                 const unsigned iShw = off / sizeof(X86PTEPAE);
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
                 if (uShw.pPTPae->a[iShw].n.u1Present)
                 {
@@ -441 +443 @@
 
                 LogFlow(("pgmPoolMonitorChainChanging: PGMPOOLKIND_32BIT_PD %x\n", iShw));
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
 #  ifndef IN_RING0
                 if (uShw.pPD->a[iShw].u & PGM_PDFLAGS_MAPPING)
@@ -519 +522 @@
                 uShw.pv = PGMPOOL_PAGE_2_LOCKED_PTR(pVM, pPage);
                 const unsigned iShw = off / sizeof(X86PDEPAE);
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
 #ifndef IN_RING0
                 if (uShw.pPDPae->a[iShw].u & PGM_PDFLAGS_MAPPING)
@@ -585 +589 @@
             case PGMPOOLKIND_PAE_PDPT:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPDPT));
                 /*
                  * Hopefully this doesn't happen very often:
@@ -660 +665 @@
             case PGMPOOLKIND_64BIT_PD_FOR_64BIT_PD:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPD));
                 uShw.pv = PGMPOOL_PAGE_2_LOCKED_PTR(pVM, pPage);
                 const unsigned iShw = off / sizeof(X86PDEPAE);
@@ -696 +702 @@
             case PGMPOOLKIND_64BIT_PDPT_FOR_64BIT_PDPT:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPDPT));
                 /*
                  * Hopefully this doesn't happen very often:
@@ -729 +736 @@
             case PGMPOOLKIND_64BIT_PML4:
             {
+                STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPML4));
                 /*
                  * Hopefully this doesn't happen very often:
@@ -1177 +1185 @@
 #endif
 
-    /* Maximum nr of modifications depends on the guest mode. */
-    if (pDis->mode == CPUMODE_32BIT)
-        cMaxModifications = 48;
+#ifdef IN_RING0
+    /* Maximum nr of modifications depends on the page type. */
+    if (pPage->enmKind == PGMPOOLKIND_PAE_PT_FOR_PAE_PT)
+        cMaxModifications = 4;
     else
         cMaxModifications = 24;
+#else
+    cMaxModifications = 48;
+#endif
 
     /*
@@ -1308 +1320 @@
     }
 
-#ifdef PGMPOOL_WITH_OPTIMIZED_DIRTY_PT
+#if defined(PGMPOOL_WITH_OPTIMIZED_DIRTY_PT) && defined(IN_RING0)
     /* E.g. Windows 7 x64 initializes page tables and touches some pages in the table during the process. This
      * leads to pgm pool trashing and an excessive amount of write faults due to page monitoring.
@@ -3100 +3112 @@
  * Scans one shadow page table for mappings of a physical page.
  *
+ * @returns true/false indicating removal of all relevant PTEs
  * @param   pVM         The VM handle.
  * @param   pPhysPage   The guest page in question.
+ * @param   fFlushPTEs  Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
  * @param   iShw        The shadow page table.
  * @param   cRefs       The number of references made in that PT.
- */
-static void pgmPoolTrackFlushGCPhysPTInt(PVM pVM, PCPGMPAGE pPhysPage, uint16_t iShw, uint16_t cRefs)
-{
-    LogFlow(("pgmPoolTrackFlushGCPhysPT: pPhysPage=%R[pgmpage] iShw=%d cRefs=%d\n", pPhysPage, iShw, cRefs));
+ * @param   pfKeptPTEs  Flag indicating removal of all relevant PTEs (out)
+ */
+static bool pgmPoolTrackFlushGCPhysPTInt(PVM pVM, PCPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iShw, uint16_t cRefs)
+{
+    LogFlow(("pgmPoolTrackFlushGCPhysPT: pPhysPage=%RHp iShw=%d cRefs=%d\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iShw, cRefs));
     PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
+    bool bRet = false;
 
     /*
@@ -3128 +3144 @@
             const uint32_t  u32 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PTE_P;
             PX86PT          pPT = (PX86PT)PGMPOOL_PAGE_2_PTR(pVM, pPage);
+            uint32_t        u32AndMask, u32OrMask;
+
+            u32AndMask = 0;
+            u32OrMask  = 0;
+
+            if (!fFlushPTEs)
+            {
+                switch (PGM_PAGE_GET_HNDL_PHYS_STATE(pPhysPage))
+                {
+                case PGM_PAGE_HNDL_PHYS_STATE_NONE:         /** No handler installed. */
+                case PGM_PAGE_HNDL_PHYS_STATE_DISABLED:     /** Monitoring is temporarily disabled. */
+                    u32OrMask = X86_PTE_RW;
+                    u32AndMask = UINT32_MAX;
+                    bRet = true;
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
+                    break;
+
+                case PGM_PAGE_HNDL_PHYS_STATE_WRITE:        /** Write access is monitored. */
+                    u32OrMask = 0;
+                    u32AndMask = ~X86_PTE_RW;
+                    bRet = true;
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
+                    break;
+                default:
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
+                    break;
+                }
+            }
+            else
+                STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
+
             for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
                 if ((pPT->a[i].u & (X86_PTE_PG_MASK | X86_PTE_P)) == u32)
                 {
                     Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pte=%RX32 cRefs=%#x\n", i, pPT->a[i], cRefs));
-                    pPT->a[i].u = 0;
+                    pPT->a[i].u = (pPT->a[i].u & u32AndMask) | u32OrMask;
                     cRefs--;
                     if (!cRefs)
-                        return;
+                        return bRet;
                 }
 #ifdef LOG_ENABLED
@@ -3157 +3204 @@
             const uint64_t  u64 = PGM_PAGE_GET_HCPHYS(pPhysPage) | X86_PTE_P;
             PX86PTPAE       pPT = (PX86PTPAE)PGMPOOL_PAGE_2_PTR(pVM, pPage);
+            uint64_t        u64AndMask, u64OrMask;
+
+            u64OrMask = 0;
+            u64AndMask = 0;
+            if (!fFlushPTEs)
+            {
+                switch (PGM_PAGE_GET_HNDL_PHYS_STATE(pPhysPage))
+                {
+                case PGM_PAGE_HNDL_PHYS_STATE_NONE:         /** No handler installed. */
+                case PGM_PAGE_HNDL_PHYS_STATE_DISABLED:     /** Monitoring is temporarily disabled. */
+                    u64OrMask = X86_PTE_RW;
+                    u64AndMask = UINT64_MAX;
+                    bRet = true;
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
+                    break;
+
+                case PGM_PAGE_HNDL_PHYS_STATE_WRITE:        /** Write access is monitored. */
+                    u64OrMask = 0;
+                    u64AndMask = ~((uint64_t)X86_PTE_RW);
+                    bRet = true;
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntryKeep);
+                    break;
+
+                default:
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
+                    break;
+                }
+            }
+            else
+                STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
+
             for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
                 if ((pPT->a[i].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P)) == u64)
                 {
                     Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pte=%RX64 cRefs=%#x\n", i, pPT->a[i], cRefs));
-                    pPT->a[i].u = 0;
+                    pPT->a[i].u = (pPT->a[i].u & u64AndMask) | u64OrMask;
                     cRefs--;
                     if (!cRefs)
-                        return;
+                        return bRet;
                 }
 #ifdef LOG_ENABLED
@@ -3186 +3264 @@
                 {
                     Log4(("pgmPoolTrackFlushGCPhysPTs: i=%d pte=%RX64 cRefs=%#x\n", i, pPT->a[i], cRefs));
+                    STAM_COUNTER_INC(&pPool->StatTrackFlushEntry);
                     pPT->a[i].u = 0;
                     cRefs--;
                     if (!cRefs)
-                        return;
+                        return bRet;
                 }
 #ifdef LOG_ENABLED
@@ -3206 +3285 @@
             AssertFatalMsgFailed(("enmKind=%d iShw=%d\n", pPage->enmKind, iShw));
     }
+    return bRet;
 }
 
@@ -3214 +3294 @@
  * @param   pVM         The VM handle.
  * @param   pPhysPage   The guest page in question.
+ * @param   fFlushPTEs  Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
  * @param   iShw        The shadow page table.
  * @param   cRefs       The number of references made in that PT.
  */
-void pgmPoolTrackFlushGCPhysPT(PVM pVM, PPGMPAGE pPhysPage, uint16_t iShw, uint16_t cRefs)
+static void pgmPoolTrackFlushGCPhysPT(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iShw, uint16_t cRefs)
 {
     PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool); NOREF(pPool);
-    LogFlow(("pgmPoolTrackFlushGCPhysPT: pPhysPage=%R[pgmpage] iShw=%d cRefs=%d\n", pPhysPage, iShw, cRefs));
+
+    LogFlow(("pgmPoolTrackFlushGCPhysPT: pPhysPage=%RHp iShw=%d cRefs=%d\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iShw, cRefs));
     STAM_PROFILE_START(&pPool->StatTrackFlushGCPhysPT, f);
-    pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, iShw, cRefs);
-    PGM_PAGE_SET_TRACKING(pPhysPage, 0);
+    bool fKeptPTEs = pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, fFlushPTEs, iShw, cRefs);
+    if (!fKeptPTEs)
+        PGM_PAGE_SET_TRACKING(pPhysPage, 0);
     STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPT, f);
 }
@@ -3233 +3316 @@
  * @param   pVM         The VM handle.
  * @param   pPhysPage   The guest page in question.
+ * @param   fFlushPTEs  Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
  * @param   iPhysExt    The physical cross reference extent list to flush.
  */
-void pgmPoolTrackFlushGCPhysPTs(PVM pVM, PPGMPAGE pPhysPage, uint16_t iPhysExt)
+static void pgmPoolTrackFlushGCPhysPTs(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, uint16_t iPhysExt)
 {
     Assert(PGMIsLockOwner(pVM));
     PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
+    bool     fKeepList = false;
+
     STAM_PROFILE_START(&pPool->StatTrackFlushGCPhysPTs, f);
-    LogFlow(("pgmPoolTrackFlushGCPhysPTs: pPhysPage=%R[pgmpage] iPhysExt\n", pPhysPage, iPhysExt));
-
-    const uint16_t  iPhysExtStart = iPhysExt;
+    LogFlow(("pgmPoolTrackFlushGCPhysPTs: pPhysPage=%RHp iPhysExt\n", PGM_PAGE_GET_HCPHYS(pPhysPage), iPhysExt));
+
+    const uint16_t iPhysExtStart = iPhysExt;
     PPGMPOOLPHYSEXT pPhysExt;
     do
@@ -3249 +3335 @@
         pPhysExt = &pPool->CTX_SUFF(paPhysExts)[iPhysExt];
         for (unsigned i = 0; i < RT_ELEMENTS(pPhysExt->aidx); i++)
+        {
             if (pPhysExt->aidx[i] != NIL_PGMPOOL_IDX)
             {
-                pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, pPhysExt->aidx[i], 1);
-                pPhysExt->aidx[i] = NIL_PGMPOOL_IDX;
+                bool fKeptPTEs = pgmPoolTrackFlushGCPhysPTInt(pVM, pPhysPage, fFlushPTEs, pPhysExt->aidx[i], 1);
+                if (!fKeptPTEs)
+                    pPhysExt->aidx[i] = NIL_PGMPOOL_IDX;
+                else
+                    fKeepList = true;
             }
-
+        }
         /* next */
         iPhysExt = pPhysExt->iNext;
     } while (iPhysExt != NIL_PGMPOOL_PHYSEXT_INDEX);
 
-    /* insert the list into the free list and clear the ram range entry. */
-    pPhysExt->iNext = pPool->iPhysExtFreeHead;
-    pPool->iPhysExtFreeHead = iPhysExtStart;
-    PGM_PAGE_SET_TRACKING(pPhysPage, 0);
+    if (!fKeepList)
+    {
+        /* insert the list into the free list and clear the ram range entry. */
+        pPhysExt->iNext = pPool->iPhysExtFreeHead;
+        pPool->iPhysExtFreeHead = iPhysExtStart;
+        PGM_PAGE_SET_TRACKING(pPhysPage, 0);
+    }
 
     STAM_PROFILE_STOP(&pPool->StatTrackFlushGCPhysPTs, f);
@@ -3282 +3375 @@
  * @param   pVM         The VM handle.
  * @param   pPhysPage   The guest page in question.
+ * @param   fFlushPTEs  Flush PTEs or allow them to be updated (e.g. in case of an RW bit change)
  * @param   pfFlushTLBs This is set to @a true if the shadow TLBs should be
  *                      flushed, it is NOT touched if this isn't necessary.
  *                      The caller MUST initialized this to @a false.
  */
-int pgmPoolTrackFlushGCPhys(PVM pVM, PPGMPAGE pPhysPage, bool *pfFlushTLBs)
+int pgmPoolTrackUpdateGCPhys(PVM pVM, PPGMPAGE pPhysPage, bool fFlushPTEs, bool *pfFlushTLBs)
 {
     PVMCPU pVCpu = VMMGetCpu(pVM);
@@ -3314 +3408 @@
                 pgmPoolTrackFlushGCPhysPT(pVM,
                                           pPhysPage,
+                                          fFlushPTEs,
                                           PGMPOOL_TD_GET_IDX(u16),
                                           PGMPOOL_TD_GET_CREFS(u16));
             else if (u16 != PGMPOOL_TD_MAKE(PGMPOOL_TD_CREFS_PHYSEXT, PGMPOOL_TD_IDX_OVERFLOWED))
-                pgmPoolTrackFlushGCPhysPTs(pVM, pPhysPage, PGMPOOL_TD_GET_IDX(u16));
+                pgmPoolTrackFlushGCPhysPTs(pVM, pPhysPage, fFlushPTEs, PGMPOOL_TD_GET_IDX(u16));
             else
                 rc = pgmPoolTrackFlushGCPhysPTsSlow(pVM, pPhysPage);