[Qemu-devel] ARM PC-relative Loads, and TBs in soft MMU

[Tom Spink]

Hello,

I have a question about ARM PC-relative load instructions in softmmu 
execution, and how the PC is constant-folded at JIT compilation time 
into a TB.

I have observed in translate.c the following code:

/* Set a variable to the value of a CPU register.  */
static void load_reg_var(DisasContext *s, TCGv_i32 var, int reg)
{
    if (reg == 15) {
        uint32_t addr;
        if (s->thumb)
            addr = (long)s->pc + 2;
        else
            addr = (long)s->pc + 4;
        tcg_gen_movi_i32(var, addr);
    } else {
        tcg_gen_mov_i32(var, cpu_R[reg]);
    }
}

This constant folds the value of the PC into the TCG mov for (potential) 
use by a memory operation, but it is my understanding that this will be 
the *virtual* PC.

It is also my understanding that since TBs are physically indexed in the 
TB cache, they aren't invalidated when the guest page tables change.

So, my question is, how can a TB for a particular block containing a 
constant folded *virtual* PC work, if the MMU mappings change and a 
different virtual address is used to access the same physical address?

E.g. assume we have an instruction such as: ldr r0, [pc, #8]

If this is compiled in a block that begins at virtual address 0x10000, 
then the load will be emitted as a constant load from address 0x10008 
(and will be subject to the usual TLB lookup code).  But, if the MMU 
mappings change, and the block is entered from virtual address 0x20000 
(because 0x20000 now points to the same physical page), then the load 
will be incorrect, as it would still be accessing address 0x10000, but 
should actually be accessing address 0x20008.

Have I made any incorrect assumptions, or is there something else going 
on that I'm not aware of?

Thanks in advance for any information you can give me,
Tom

--
Kindest Regards,
Tom Spink

University of Edinburgh

The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.