qemu with hax to log dma reads & writes jcs.org/2018/11/12/vfio

tcg: Limit the number of ops in a TB

In 6001f7729e12 we partially attempt to address the branch
displacement overflow caused by 15fa08f845.

However, gcc/testsuite/gcc.target/aarch64/advsimd-intrinsics/vqtbX.c
is a testcase that contains a TB so large as to overflow anyway.
The limit here of 8000 ops produces a maximum output TB size of
24112 bytes on a ppc64le host with that test case. This is still
much less than the maximum forward branch distance of 32764 bytes.

Cc: qemu-stable@nongnu.org
Fixes: 15fa08f845 ("tcg: Dynamically allocate TCGOps")
Reviewed-by: Laurent Vivier <laurent@vivier.eu>
Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
(cherry picked from commit abebf92597186be2bc48d487235da28b1127860f)
Signed-off-by: Michael Roth <mdroth@linux.vnet.ibm.com>

Authored by Richard Henderson, committed by Michael Roth
9363c348 51d5decb

tcg/tcg.c
··· 866 866 /* No temps have been previously allocated for size or locality. */ 867 867 memset(s->free_temps, 0, sizeof(s->free_temps)); 868 868 869 + s->nb_ops = 0; 869 870 s->nb_labels = 0; 870 871 s->current_frame_offset = s->frame_start; 871 872 ··· 1983 1984 { 1984 1985 QTAILQ_REMOVE(&s->ops, op, link); 1985 1986 QTAILQ_INSERT_TAIL(&s->free_ops, op, link); 1987 + s->nb_ops--; 1986 1988 1987 1989 #ifdef CONFIG_PROFILER 1988 1990 atomic_set(&s->prof.del_op_count, s->prof.del_op_count + 1); ··· 2002 2004 } 2003 2005 memset(op, 0, offsetof(TCGOp, link)); 2004 2006 op->opc = opc; 2007 + s->nb_ops++; 2005 2008 2006 2009 return op; 2007 2010 }
tcg/tcg.h
··· 655 655 int nb_globals; 656 656 int nb_temps; 657 657 int nb_indirects; 658 + int nb_ops; 658 659 659 660 /* goto_tb support */ 660 661 tcg_insn_unit *code_buf; ··· 844 845 /* Test for whether to terminate the TB for using too many opcodes. */ 845 846 static inline bool tcg_op_buf_full(void) 846 847 { 847 - return false; 848 + /* This is not a hard limit, it merely stops translation when 849 + * we have produced "enough" opcodes. We want to limit TB size 850 + * such that a RISC host can reasonably use a 16-bit signed 851 + * branch within the TB. 852 + */ 853 + return tcg_ctx->nb_ops >= 8000; 848 854 } 849 855 850 856 /* pool based memory allocation */
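Review bot: in the tcg/tcg.c hunk that removes an op, `s->nb_ops--;` is unguarded, and this counter is now the only input to tcg_op_buf_full, so a removal that bypasses the matching `s->nb_ops++;` in the allocation hunk would silently skew the limit; a `tcg_debug_assert(s->nb_ops > 0);` before the decrement would catch that, and it is worth confirming during review that every path that links an op into s->ops goes through the allocation function that does the increment.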
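Review bot: in the tcg/tcg.h hunk, `return tcg_ctx->nb_ops >= 8000;` hard-codes the threshold as a bare literal; naming it (a `#define` alongside the new `int nb_ops;` field, name to be chosen) and citing the figures from the commit message (24112-byte output for 8000 ops on ppc64le against a 32764-byte forward branch range) in the block comment would make the margin explicit and let the value be tuned without rediscovering the rationale. The comment's "not a hard limit" wording should also say that the count is checked rather than enforced, so a TB can still exceed 8000 ops by whatever the last translated instruction adds.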