Changeset 31593 in vbox for trunk/src/VBox/VMM/VMMAll

Timestamp:

Aug 12, 2010 12:52:52 AM (15 years ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

64700

Message:

PGM,IOM: MMIO optimization - hacking in progress. (still disabled)

Location:

trunk/src/VBox/VMM/VMMAll

Files:

• IOMAllMMIO.cpp (modified) (15 diffs)
• PGMAllBth.h (modified) (10 diffs)
• PGMAllPool.cpp (modified) (18 diffs)

trunk/src/VBox/VMM/VMMAll/IOMAllMMIO.cpp

@@ -5 +5 @@
 
 /*
- * Copyright (C) 2006-2007 Oracle Corporation
+ * Copyright (C) 2006-2010 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -318 +318 @@
  * @param   ppStat      Which sub-sample to attribute this call to.
  */
-static int iomInterpretMOVS(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, PDISCPUSTATE pCpu, PIOMMMIORANGE pRange, PSTAMPROFILE *ppStat)
+static int iomInterpretMOVS(PVM pVM, bool fWriteAccess, PCPUMCTXCORE pRegFrame, RTGCPHYS GCPhysFault, PDISCPUSTATE pCpu, PIOMMMIORANGE pRange, PSTAMPROFILE *ppStat)
 {
     /*
@@ -367 +367 @@
     RTGCPHYS Phys = GCPhysFault;
     int rc;
-    if (uErrorCode & X86_TRAP_PF_RW)
+    if (fWriteAccess)
     {
         /*
@@ -1030 +1030 @@
  * @returns VBox status code (appropriate for GC return).
  * @param   pVM         VM Handle.
- * @param   uErrorCode  CPU Error code.
+ * @param   uErrorCode  CPU Error code.  This is UINT32_MAX when we don't have
+ *                      any error code (the EPT misconfig hack).
  * @param   pCtxCore    Trap register frame.
  * @param   GCPhysFault The GC physical address corresponding to pvFault.
  * @param   pvUser      Pointer to the MMIO ring-3 range entry.
  */
-static int iomMMIOHandler(PVM pVM, RTGCUINT uErrorCode, PCPUMCTXCORE pCtxCore, RTGCPHYS GCPhysFault, void *pvUser)
+static int iomMMIOHandler(PVM pVM, uint32_t uErrorCode, PCPUMCTXCORE pCtxCore, RTGCPHYS GCPhysFault, void *pvUser)
 {
     /* Take the IOM lock before performing any MMIO. */
@@ -1047 +1048 @@
     STAM_PROFILE_START(&pVM->iom.s.StatRZMMIOHandler, a);
     Log(("iomMMIOHandler: GCPhys=%RGp uErr=%#x rip=%RGv\n",
-         GCPhysFault, (uint32_t)uErrorCode, (RTGCPTR)pCtxCore->rip));
+         GCPhysFault, uErrorCode, (RTGCPTR)pCtxCore->rip));
 
     PIOMMMIORANGE pRange = (PIOMMMIORANGE)pvUser;
@@ -1079 +1080 @@
 #ifndef IN_RING3
     /*
-     * Should we defer the request right away?
-     */
-    if (uErrorCode & X86_TRAP_PF_RW
-        ? !pRange->CTX_SUFF(pfnWriteCallback) && pRange->pfnWriteCallbackR3
-        : !pRange->CTX_SUFF(pfnReadCallback)  && pRange->pfnReadCallbackR3)
+     * Should we defer the request right away?  This isn't usually the case, so
+     * do the simple test first and the try deal with uErrorCode being N/A.
+     */
+    if (RT_UNLIKELY(   (   !pRange->CTX_SUFF(pfnWriteCallback)
+                        || !pRange->CTX_SUFF(pfnReadCallback))
+                    && (  uErrorCode == UINT32_MAX
+                        ? pRange->pfnWriteCallbackR3 || pRange->pfnReadCallbackR3
+                        : uErrorCode & X86_TRAP_PF_RW
+                          ? !pRange->CTX_SUFF(pfnWriteCallback) && pRange->pfnWriteCallbackR3
+                          : !pRange->CTX_SUFF(pfnReadCallback)  && pRange->pfnReadCallbackR3
+                        )
+                   )
+       )
     {
         if (uErrorCode & X86_TRAP_PF_RW)
@@ -1093 +1102 @@
         STAM_COUNTER_INC(&pVM->iom.s.StatRZMMIOFailures);
         iomUnlock(pVM);
-        return (uErrorCode & X86_TRAP_PF_RW ? VINF_IOM_HC_MMIO_WRITE : VINF_IOM_HC_MMIO_READ);
+        return VINF_IOM_HC_MMIO_READ_WRITE;
     }
 #endif /* !IN_RING3 */
@@ -1117 +1126 @@
         {
             STAM_PROFILE_START(&pVM->iom.s.StatRZInstMov, b);
-            if (uErrorCode & X86_TRAP_PF_RW)
+            AssertMsg(uErrorCode == UINT32_MAX || DIS_IS_EFFECTIVE_ADDR(pDis->param1.flags) == !!(uErrorCode & X86_TRAP_PF_RW), ("flags1=%#llx/%RTbool flags2=%#llx/%RTbool ErrCd=%#x\n", pDis->param1.flags, DIS_IS_EFFECTIVE_ADDR(pDis->param1.flags), pDis->param2.flags, DIS_IS_EFFECTIVE_ADDR(pDis->param2.flags), uErrorCode));
+            if (uErrorCode != UINT32_MAX    /* EPT+MMIO optimization */
+                ? uErrorCode & X86_TRAP_PF_RW
+                : DIS_IS_EFFECTIVE_ADDR(pDis->param1.flags))
                 rc = iomInterpretMOVxXWrite(pVM, pCtxCore, pDis, pRange, GCPhysFault);
             else
@@ -1130 +1142 @@
         case OP_MOVSWD:
         {
+            if (uErrorCode == UINT32_MAX)
+                return VINF_IOM_HC_MMIO_READ_WRITE;
             STAM_PROFILE_ADV_START(&pVM->iom.s.StatRZInstMovs, c);
             PSTAMPROFILE pStat = NULL;
-            rc = iomInterpretMOVS(pVM, uErrorCode, pCtxCore, GCPhysFault, pDis, pRange, &pStat);
+            rc = iomInterpretMOVS(pVM, !!(uErrorCode & X86_TRAP_PF_RW), pCtxCore, GCPhysFault, pDis, pRange, &pStat);
             STAM_PROFILE_ADV_STOP_EX(&pVM->iom.s.StatRZInstMovs, pStat, c);
             break;
@@ -1148 +1162 @@
         case OP_LODSB:
         case OP_LODSWD:
-            Assert(!(uErrorCode & X86_TRAP_PF_RW));
+            Assert(!(uErrorCode & X86_TRAP_PF_RW) || uErrorCode == UINT32_MAX);
             STAM_PROFILE_START(&pVM->iom.s.StatRZInstLods, e);
             rc = iomInterpretLODS(pVM, pCtxCore, GCPhysFault, pDis, pRange);
@@ -1155 +1169 @@
 
         case OP_CMP:
-            Assert(!(uErrorCode & X86_TRAP_PF_RW));
+            Assert(!(uErrorCode & X86_TRAP_PF_RW) || uErrorCode == UINT32_MAX);
             STAM_PROFILE_START(&pVM->iom.s.StatRZInstCmp, f);
             rc = iomInterpretCMP(pVM, pCtxCore, GCPhysFault, pDis, pRange);
@@ -1180 +1194 @@
 
         case OP_TEST:
-            Assert(!(uErrorCode & X86_TRAP_PF_RW));
+            Assert(!(uErrorCode & X86_TRAP_PF_RW) || uErrorCode == UINT32_MAX);
             STAM_PROFILE_START(&pVM->iom.s.StatRZInstTest, h);
             rc = iomInterpretTEST(pVM, pCtxCore, GCPhysFault, pDis, pRange);
@@ -1187 +1201 @@
 
         case OP_BT:
-            Assert(!(uErrorCode & X86_TRAP_PF_RW));
+            Assert(!(uErrorCode & X86_TRAP_PF_RW) || uErrorCode == UINT32_MAX);
             STAM_PROFILE_START(&pVM->iom.s.StatRZInstBt, l);
             rc = iomInterpretBT(pVM, pCtxCore, GCPhysFault, pDis, pRange);
@@ -1251 +1265 @@
     LogFlow(("IOMMMIOHandler: GCPhys=%RGp uErr=%#x pvFault=%RGv rip=%RGv\n",
              GCPhysFault, (uint32_t)uErrorCode, pvFault, (RTGCPTR)pCtxCore->rip));
-if (!pvUser)
-{
-    int rc = iomLock(pVM);
-    pvUser = iomMMIOGetRange(&pVM->iom.s, GCPhysFault);
-    iomUnlock(pVM);
-}
-    VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, pvUser);
+    VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, pvUser);
     return VBOXSTRICTRC_VAL(rcStrict);
 }
@@ -1277 +1285 @@
         return VINF_IOM_HC_MMIO_READ_WRITE;
 #endif
-    VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(&pVM->iom.s, GCPhysFault));
+    VBOXSTRICTRC rcStrict = iomMMIOHandler(pVM, (uint32_t)uErrorCode, pCtxCore, GCPhysFault, iomMMIOGetRange(&pVM->iom.s, GCPhysFault));
     iomUnlock(pVM);
     return VBOXSTRICTRC_VAL(rcStrict);

trunk/src/VBox/VMM/VMMAll/PGMAllBth.h

@@ -129 +129 @@
  * Deal with a guest page fault.
  *
+ * The caller has taken the PGM lock.
+ *
  * @returns Strict VBox status code.
  *
@@ -137 +139 @@
  * @param   pPage           The guest page at @a pvFault.
  * @param   pGstWalk        The guest page table walk result.
+ * @param   pfLockTaken     PGM lock taken here or not (out).  This is true
+ *                          when we're called.
  */
 static VBOXSTRICTRC PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(PVMCPU pVCpu, RTGCUINT uErr, PCPUMCTXCORE pRegFrame,
+                                                                RTGCPTR pvFault, PPGMPAGE pPage, bool *pfLockTaken
 # if PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
-                                                                RTGCPTR pvFault, PPGMPAGE pPage, PGSTPTWALK pGstWalk)
-# else
-                                                                RTGCPTR pvFault, PPGMPAGE pPage)
-# endif
+                                                                , PGSTPTWALK pGstWalk
+# endif
+                                                                )
 {
 # if !PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
@@ -197 +201 @@
                        pvFault, GCPhysFault, pPage, uErr, pCur->enmType));
 
-# if defined(IN_RC) || defined(IN_RING0) /** @todo remove this */
             if (pCur->CTX_SUFF(pfnHandler))
             {
-                PPGMPOOL pPool = pVM->pgm.s.CTX_SUFF(pPool);
+                PPGMPOOL            pPool      = pVM->pgm.s.CTX_SUFF(pPool);
+                void               *pvUser     = pCur->CTX_SUFF(pvUser);
 #  ifdef IN_RING0
                 PFNPGMR0PHYSHANDLER pfnHandler = pCur->CTX_SUFF(pfnHandler);
@@ -206 +210 @@
                 PFNPGMRCPHYSHANDLER pfnHandler = pCur->CTX_SUFF(pfnHandler);
 #  endif
-                bool  fLeaveLock = (pfnHandler != pPool->CTX_SUFF(pfnAccessHandler));
-                void *pvUser = pCur->CTX_SUFF(pvUser);
 
                 STAM_PROFILE_START(&pCur->Stat, h);
-                if (fLeaveLock)
-                    pgmUnlock(pVM); /** @todo: Not entirely safe. */
+                if (pfnHandler != pPool->CTX_SUFF(pfnAccessHandler))
+                {
+                    pgmUnlock(pVM);
+                    *pfLockTaken = false;
+                }
 
                 rc = pfnHandler(pVM, uErr, pRegFrame, pvFault, GCPhysFault, pvUser);
-                if (fLeaveLock)
-                    pgmLock(pVM);
+
 #  ifdef VBOX_WITH_STATISTICS
+                pgmLock(pVM);
                 pCur = pgmHandlerPhysicalLookup(pVM, GCPhysFault);
                 if (pCur)
                     STAM_PROFILE_STOP(&pCur->Stat, h);
-#  else
-                pCur = NULL;    /* might be invalid by now. */
+                pgmUnlock(pVM);
 #  endif
-
             }
             else
-# endif /* IN_RC || IN_RING0 */
                 rc = VINF_EM_RAW_EMULATE_INSTR;
 
             STAM_COUNTER_INC(&pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZTrap0eHandlersPhysical);
+            if (uErr & X86_TRAP_PF_RSVD) STAM_COUNTER_INC(&pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZTrap0eHandlersPhysical);
             STAM_STATS({ pVCpu->pgm.s.CTX_SUFF(pStatTrap0eAttribution) = &pVCpu->pgm.s.CTX_SUFF(pStats)->StatRZTrap0eTime2HndPhys; });
             return rc;
@@ -285 +288 @@
 #   ifdef IN_RC
                 STAM_PROFILE_START(&pCur->Stat, h);
+                RTGCPTR                     GCPtrStart = pCur->Core.Key;
+                CTX_MID(PFNPGM,VIRTHANDLER) pfnHandler = pCur->CTX_SUFF(pfnHandler);
                 pgmUnlock(pVM);
-                rc = pCur->CTX_SUFF(pfnHandler)(pVM, uErr, pRegFrame, pvFault, pCur->Core.Key, pvFault - pCur->Core.Key);
+                *pfLockTaken = false;
+
+                rc = pfnHandler(pVM, uErr, pRegFrame, pvFault, GCPtrStart, pvFault - GCPtrStart);
+
+#    ifdef VBOX_WITH_STATISTICS
                 pgmLock(pVM);
-                STAM_PROFILE_STOP(&pCur->Stat, h);
+                pCur = (PPGMVIRTHANDLER)RTAvlroGCPtrRangeGet(&pVM->pgm.s.CTX_SUFF(pTrees)->VirtHandlers, pvFault);
+                if (pCur)
+                    STAM_PROFILE_STOP(&pCur->Stat, h);
+                pgmUnlock(pVM);
+#    endif
 #   else
                 rc = VINF_EM_RAW_EMULATE_INSTR; /** @todo for VMX */
@@ -310 +323 @@
                 Assert((pCur->aPhysToVirt[iPage].Core.Key & X86_PTE_PAE_PG_MASK) == (pGstWalk->Core.GCPhys & X86_PTE_PAE_PG_MASK));
 #   ifdef IN_RC
-                RTGCPTR off = (iPage << PAGE_SHIFT) + (pvFault & PAGE_OFFSET_MASK) - (pCur->Core.Key & PAGE_OFFSET_MASK);
+                STAM_PROFILE_START(&pCur->Stat, h);
+                RTGCPTR                     GCPtrStart = pCur->Core.Key;
+                CTX_MID(PFNPGM,VIRTHANDLER) pfnHandler = pCur->CTX_SUFF(pfnHandler);
+                pgmUnlock(pVM);
+                *pfLockTaken = false;
+
+                RTGCPTR off = (iPage << PAGE_SHIFT)
+                            + (pvFault    & PAGE_OFFSET_MASK)
+                            - (GCPtrStart & PAGE_OFFSET_MASK);
                 Assert(off < pCur->cb);
-                STAM_PROFILE_START(&pCur->Stat, h);
+                rc = pfnHandler(pVM, uErr, pRegFrame, pvFault, GCPtrStart, off);
+
+#    ifdef VBOX_WITH_STATISTICS
+                pgmLock(pVM);
+                pCur = (PPGMVIRTHANDLER)RTAvlroGCPtrRangeGet(&pVM->pgm.s.CTX_SUFF(pTrees)->VirtHandlers, GCPtrStart);
+                if (pCur)
+                    STAM_PROFILE_STOP(&pCur->Stat, h);
                 pgmUnlock(pVM);
-                rc = pCur->CTX_SUFF(pfnHandler)(pVM, uErr, pRegFrame, pvFault, pCur->Core.Key, off);
-                pgmLock(pVM);
-                STAM_PROFILE_STOP(&pCur->Stat, h);
+#    endif
 #   else
                 rc = VINF_EM_RAW_EMULATE_INSTR; /** @todo for VMX */
@@ -421 +446 @@
             return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerGuestFault)(pVCpu, &GstWalk, uErr));
     }
-#  endif /* PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE) */
-
-#  ifdef PGM_WITH_MMIO_OPTIMIZATIONS
-    /*
-     * If it is a reserved bit fault we know that it is an MMIO or access
-     * handler related fault and can skip the dirty page stuff below.
-     */
-    if (uErr & X86_TRAP_PF_RSVD)
-    {
-/** @todo This is not complete code. take locks */
-        Assert(uErr & X86_TRAP_PF_P);
-        PPGMPAGE pPage;
-/** @todo Only all physical access handlers here, so optimize further. */
-#   if PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
-        rc = pgmPhysGetPageEx(&pVM->pgm.s, GstWalk.Core.GCPhys, &pPage);
-        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
-            return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage,
-                                                                                 &GstWalk));
-#   else
-        rc = pgmPhysGetPageEx(&pVM->pgm.s, (RTGCPHYS)pvFault, &pPage);
-        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
-            return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage));
-#   endif
-    }
-#  endif /* PGM_WITH_MMIO_OPTIMIZATIONS */
-
-#  if PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
+
     /*
      * Set the accessed and dirty flags.
@@ -503 +502 @@
     *pfLockTaken = true;
     pgmLock(pVM);
+
+#  ifdef PGM_WITH_MMIO_OPTIMIZATIONS
+    /*
+     * If it is a reserved bit fault we know that it is an MMIO (access
+     * handler) related fault and can skip some 200 lines of code.
+     */
+    if (uErr & X86_TRAP_PF_RSVD)
+    {
+        Assert(uErr & X86_TRAP_PF_P);
+        PPGMPAGE pPage;
+#   if PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
+        rc = pgmPhysGetPageEx(&pVM->pgm.s, GstWalk.Core.GCPhys, &pPage);
+        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
+            return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage,
+                                                                                 pfLockTaken, &GstWalk));
+        rc = PGM_BTH_NAME(SyncPage)(pVCpu, GstWalk.Pde, pvFault, 1, uErr);
+#   else
+        rc = pgmPhysGetPageEx(&pVM->pgm.s, (RTGCPHYS)pvFault, &pPage);
+        if (RT_SUCCESS(rc) && PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
+            return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage,
+                                                                                 pfLockTaken));
+        rc = PGM_BTH_NAME(SyncPage)(pVCpu, PdeSrcDummy, pvFault, 1, uErr);
+#   endif
+        AssertRC(rc);
+    }
+#  endif /* PGM_WITH_MMIO_OPTIMIZATIONS */
 
     /*
@@ -706 +731 @@
     if (PGM_PAGE_HAS_ACTIVE_HANDLERS(pPage))
 # if PGM_WITH_PAGING(PGM_GST_TYPE, PGM_SHW_TYPE)
-        return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage, &GstWalk));
+        return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage, pfLockTaken,
+                                                                             &GstWalk));
 # else
-        return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage));
+        return VBOXSTRICTRC_TODO(PGM_BTH_NAME(Trap0eHandlerDoAccessHandlers)(pVCpu, uErr, pRegFrame, pvFault, pPage, pfLockTaken));
 # endif
 
@@ -1440 +1466 @@
 #ifdef PGM_WITH_MMIO_OPTIMIZATIONS
 # if PGM_SHW_TYPE == PGM_TYPE_EPT || PGM_SHW_TYPE == PGM_TYPE_PAE || PGM_SHW_TYPE == PGM_TYPE_AMD64
-    else if (   PGM_PAGE_IS_MMIO(pPage)
-#  if PGM_SHW_TYPE != PGM_TYPE_EPT
-             && (       (fPteSrc & (X86_PTE_RW /*| X86_PTE_D | X86_PTE_A*/ | X86_PTE_US )) /* #PF handles D & A first. */
-                    ==             (X86_PTE_RW /*| X86_PTE_D | X86_PTE_A*/)
-                 || BTH_IS_NP_ACTIVE(pVM) )
-#  endif
+    else if (   PGM_PAGE_HAS_ACTIVE_ALL_HANDLERS(pPage)
+             && (   BTH_IS_NP_ACTIVE(pVM)
+                 || (fPteSrc & (X86_PTE_RW | X86_PTE_US)) == X86_PTE_RW) /** @todo remove X86_PTE_US */
 #  if PGM_SHW_TYPE == PGM_TYPE_AMD64
              && pVM->pgm.s.fLessThan52PhysicalAddressBits

trunk/src/VBox/VMM/VMMAll/PGMAllPool.cpp

@@ -5 +5 @@
 
 /*
- * Copyright (C) 2006-2007 Oracle Corporation
+ * Copyright (C) 2006-2010 Oracle Corporation
  *
  * This file is part of VirtualBox Open Source Edition (OSE), as
@@ -39 +39 @@
 #include <iprt/asm-amd64-x86.h>
 #include <iprt/string.h>
+
+
+/*******************************************************************************
+*   Defined Constants And Macros                                               *
+*******************************************************************************/
+/**
+ * Checks if a PAE PTE entry is actually present and not just invalid because
+ * of the MMIO optimization.
+ * @todo Move this to PGMInternal.h if necessary.
+ */
+#ifdef PGM_WITH_MMIO_OPTIMIZATIONS
+# define PGM_POOL_IS_PAE_PTE_PRESENT(Pte) \
+    ( ((Pte).u & (X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == X86_PTE_P)
+#else
+# define PGM_POOL_IS_PAE_PTE_PRESENT(Pte) \
+    ( (Pte).n.u1Present )
+#endif
+
+/**
+ * Checks if a EPT PTE entry is actually present and not just invalid
+ * because of the MMIO optimization.
+ * @todo Move this to PGMInternal.h if necessary.
+ */
+#define PGM_POOL_IS_EPT_PTE_PRESENT(Pte) \
+    ( (Pte).n.u1Present )
 
 
@@ -228 +253 @@
                     const unsigned iShw = (off / sizeof(X86PTE)) & (X86_PG_PAE_ENTRIES - 1);
                     LogFlow(("PGMPOOLKIND_PAE_PT_FOR_32BIT_PT iShw=%x\n", iShw));
-                    if (uShw.pPTPae->a[iShw].n.u1Present)
+                    if (PGM_POOL_IS_PAE_PTE_PRESENT(uShw.pPTPae->a[iShw]))
                     {
                         X86PTE GstPte;
@@ -319 +344 @@
                 const unsigned iShw = off / sizeof(X86PTEPAE);
                 STAM_COUNTER_INC(&pPool->CTX_MID_Z(StatMonitor,FaultPT));
-                if (uShw.pPTPae->a[iShw].n.u1Present)
+                if (PGM_POOL_IS_PAE_PTE_PRESENT(uShw.pPTPae->a[iShw]))
                 {
                     X86PTEPAE GstPte;
@@ -340 +365 @@
                     AssertBreak(iShw2 < RT_ELEMENTS(uShw.pPTPae->a));
 
-                    if (uShw.pPTPae->a[iShw2].n.u1Present)
+                    if (PGM_POOL_IS_PAE_PTE_PRESENT(uShw.pPTPae->a[iShw2]))
                     {
                         X86PTEPAE GstPte;
@@ -1002 +1027 @@
              * it's fairly safe to assume the guest is reusing the PT.
              */
-            if (GstPte.n.u1Present)
+            if (PGM_POOL_IS_PAE_PTE_PRESENT(GstPte))
             {
                 RTHCPHYS HCPhys = -1;
@@ -1350 +1375 @@
 #ifdef VBOX_STRICT
     for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
-        AssertMsg(!pShwPT->a[i].n.u1Present, ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, pShwPT->a[i].u,  pPage->iFirstPresent));
+        AssertMsg(!PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, pShwPT->a[i].u,  pPage->iFirstPresent));
 #endif
     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
     {
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]))
         {
             RTHCPHYS HCPhys = NIL_RTHCPHYS;
@@ -1381 +1406 @@
                         for (unsigned j = 0; j < RT_ELEMENTS(pShwPT->a); j++)
                         {
-                            if (    pShwPT2->a[j].n.u1Present
-                                &&  pShwPT2->a[j].n.u1Write
-                                &&  ((pShwPT2->a[j].u & X86_PTE_PAE_PG_MASK) == HCPhysPT))
+                            if (   PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT2->a[j])
+                                && pShwPT2->a[j].n.u1Write
+                                && (pShwPT2->a[j].u & X86_PTE_PAE_PG_MASK) == HCPhysPT)
                             {
                                 Log(("GCPhys=%RGp idx=%d %RX64 vs %RX64\n", pTempPage->GCPhys, j, pShwPT->a[j].u, pShwPT2->a[j].u));
@@ -1418 +1443 @@
 #ifdef VBOX_STRICT
     for (unsigned i = 0; i < RT_MIN(RT_ELEMENTS(pShwPT->a), pPage->iFirstPresent); i++)
-        AssertMsg(!pShwPT->a[i].n.u1Present, ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, pShwPT->a[i].u,  pPage->iFirstPresent));
+        AssertMsg(!PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]), ("Unexpected PTE: idx=%d %RX64 (first=%d)\n", i, pShwPT->a[i].u,  pPage->iFirstPresent));
 #endif
     *pfFlush = false;
@@ -1436 +1461 @@
             }
         }
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]))
         {
             /* If the old cached PTE is identical, then there's no need to flush the shadow copy. */
@@ -3061 +3086 @@
             }
 
-            if ((pPT->a[iPte].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P)) == u64)
+            if ((pPT->a[iPte].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == u64)
             {
                 X86PTEPAE Pte;
@@ -3078 +3103 @@
             Log(("Found %RX64 expected %RX64\n", pPT->a[iPte].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P), u64));
             for (unsigned i = 0; i < RT_ELEMENTS(pPT->a); i++)
-                if ((pPT->a[i].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P)) == u64)
+                if ((pPT->a[i].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == u64)
                 {
                     Log(("i=%d cRefs=%d\n", i, cRefs--));
@@ -3446 +3471 @@
                     PX86PTPAE pPT = (PX86PTPAE)PGMPOOL_PAGE_2_PTR(pVM, pPage);
                     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
-                        if (pPT->a[i].n.u1Present)
+                        if (PGM_POOL_IS_PAE_PTE_PRESENT(pPT->a[i]))
                         {
-                            if ((pPT->a[i].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P)) == u64)
+                            if ((pPT->a[i].u & (X86_PTE_PAE_PG_MASK | X86_PTE_P | X86_PTE_PAE_MBZ_MASK_NX)) == u64)
                             {
                                 //Log4(("pgmPoolTrackFlushGCPhysPTsSlow: idx=%d i=%d pte=%RX64\n", iPage, i, pPT->a[i]));
@@ -3471 +3496 @@
                     PEPTPT    pPT = (PEPTPT)PGMPOOL_PAGE_2_PTR(pVM, pPage);
                     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pPT->a); i++)
-                        if (pPT->a[i].n.u1Present)
+                        if (PGM_POOL_IS_EPT_PTE_PRESENT(pPT->a[i]))
                         {
                             if ((pPT->a[i].u & (EPT_PTE_PG_MASK | X86_PTE_P)) == u64)
@@ -4107 +4132 @@
 {
     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]))
         {
             Log4(("pgmPoolTrackDerefPTPae32Bit: i=%d pte=%RX64 hint=%RX32\n",
@@ -4129 +4154 @@
 {
     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++)
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]))
         {
             Log4(("pgmPoolTrackDerefPTPaePae: i=%d pte=%RX32 hint=%RX32\n",
@@ -4173 +4198 @@
     RTGCPHYS GCPhys = pPage->GCPhys + PAGE_SIZE * pPage->iFirstPresent;
     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++, GCPhys += PAGE_SIZE)
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_PAE_PTE_PRESENT(pShwPT->a[i]))
         {
             Log4(("pgmPoolTrackDerefPTPaeBig: i=%d pte=%RX64 hint=%RGp\n",
@@ -4195 +4220 @@
     RTGCPHYS GCPhys = pPage->GCPhys + PAGE_SIZE * pPage->iFirstPresent;
     for (unsigned i = pPage->iFirstPresent; i < RT_ELEMENTS(pShwPT->a); i++, GCPhys += PAGE_SIZE)
-        if (pShwPT->a[i].n.u1Present)
+        if (PGM_POOL_IS_EPT_PTE_PRESENT(pShwPT->a[i]))
         {
             Log4(("pgmPoolTrackDerefPTEPT: i=%d pte=%RX64 GCPhys=%RX64\n",