net: Update MemReentrancyGuard for NIC (bsc#1213269, CVE-2023-3019)

Recently MemReentrancyGuard was added to DeviceState to record that the device is engaging in I/O. The network device backend needs to update it when delivering a packet to a device. This implementation follows what bottom half does, but it does not add a tracepoint for the case that the network device backend started delivering a packet to a device which is already engaging in I/O. This is because such reentrancy frequently happens for qemu_flush_queued_packets() and is insignificant. Fixes: CVE-2023-3019 Reported-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Akihiko Odaki <akihiko.odaki@daynix.com> Acked-by: Alexander Bulekov <alxndr@bu.edu> Signed-off-by: Jason Wang <jasowang@redhat.com> (cherry picked from commit 9050f976e4) References: bsc#1213269 Signed-off-by: Dario Faggioli <dfaggioli@suse.com>
net: Provide MemReentrancyGuard * to qemu_new_nic() (bsc#1213269, CVE-2023-3019)
2024-04-17 19:04:37 +02:00 · 2024-04-17 19:04:35 +02:00 · 2024-04-17 18:23:23 +02:00 · 2024-04-16 18:33:31 +02:00 · 2024-04-16 18:33:03 +02:00 · 2024-04-16 18:32:33 +02:00
6065 changed files with 290619 additions and 600071 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -0,0 +1,110 @@
+env:
+  CIRRUS_CLONE_DEPTH: 1
+
+windows_msys2_task:
+  timeout_in: 90m
+  windows_container:
+    image: cirrusci/windowsservercore:2019
+    os_version: 2019
+    cpu: 8
+    memory: 8G
+  env:
+    CIRRUS_SHELL: powershell
+    MSYS: winsymlinks:nativestrict
+    MSYSTEM: MINGW64
+    MSYS2_URL: https://github.com/msys2/msys2-installer/releases/download/2021-04-19/msys2-base-x86_64-20210419.sfx.exe
+    MSYS2_FINGERPRINT: 0
+    MSYS2_PACKAGES: "
+      diffutils git grep make pkg-config sed
+      mingw-w64-x86_64-python
+      mingw-w64-x86_64-python-sphinx
+      mingw-w64-x86_64-toolchain
+      mingw-w64-x86_64-SDL2
+      mingw-w64-x86_64-SDL2_image
+      mingw-w64-x86_64-gtk3
+      mingw-w64-x86_64-glib2
+      mingw-w64-x86_64-ninja
+      mingw-w64-x86_64-jemalloc
+      mingw-w64-x86_64-lzo2
+      mingw-w64-x86_64-zstd
+      mingw-w64-x86_64-libjpeg-turbo
+      mingw-w64-x86_64-pixman
+      mingw-w64-x86_64-libgcrypt
+      mingw-w64-x86_64-libpng
+      mingw-w64-x86_64-libssh
+      mingw-w64-x86_64-libxml2
+      mingw-w64-x86_64-snappy
+      mingw-w64-x86_64-libusb
+      mingw-w64-x86_64-usbredir
+      mingw-w64-x86_64-libtasn1
+      mingw-w64-x86_64-nettle
+      mingw-w64-x86_64-cyrus-sasl
+      mingw-w64-x86_64-curl
+      mingw-w64-x86_64-gnutls
+      mingw-w64-x86_64-libnfs
+    "
+    CHERE_INVOKING: 1
+  msys2_cache:
+    folder: C:\tools\archive
+    reupload_on_changes: false
+    # These env variables are used to generate fingerprint to trigger the cache procedure
+    # If wanna to force re-populate msys2, increase MSYS2_FINGERPRINT
+    fingerprint_script:
+      - |
+        echo $env:CIRRUS_TASK_NAME
+        echo $env:MSYS2_URL
+        echo $env:MSYS2_FINGERPRINT
+        echo $env:MSYS2_PACKAGES
+    populate_script:
+      - |
+        md -Force C:\tools\archive\pkg
+        $start_time = Get-Date
+        bitsadmin /transfer msys_download /dynamic /download /priority FOREGROUND $env:MSYS2_URL C:\tools\archive\base.exe
+        Write-Output "Download time taken: $((Get-Date).Subtract($start_time))"
+        cd C:\tools
+        C:\tools\archive\base.exe -y
+        del -Force C:\tools\archive\base.exe
+        Write-Output "Base install time taken: $((Get-Date).Subtract($start_time))"
+        $start_time = Get-Date
+
+        ((Get-Content -path C:\tools\msys64\etc\\post-install\\07-pacman-key.post -Raw) -replace '--refresh-keys', '--version') | Set-Content -Path C:\tools\msys64\etc\\post-install\\07-pacman-key.post
+        C:\tools\msys64\usr\bin\bash.exe -lc "sed -i 's/^CheckSpace/#CheckSpace/g' /etc/pacman.conf"
+        C:\tools\msys64\usr\bin\bash.exe -lc "export"
+        C:\tools\msys64\usr\bin\pacman.exe --noconfirm -Sy
+        echo Y | C:\tools\msys64\usr\bin\pacman.exe --noconfirm -Suu --overwrite=*
+        taskkill /F /FI "MODULES eq msys-2.0.dll"
+        tasklist
+        C:\tools\msys64\usr\bin\bash.exe -lc "mv -f /etc/pacman.conf.pacnew /etc/pacman.conf || true"
+        C:\tools\msys64\usr\bin\bash.exe -lc "pacman --noconfirm -Syuu --overwrite=*"
+        Write-Output "Core install time taken: $((Get-Date).Subtract($start_time))"
+        $start_time = Get-Date
+
+        C:\tools\msys64\usr\bin\bash.exe -lc "pacman --noconfirm -S --needed $env:MSYS2_PACKAGES"
+        Write-Output "Package install time taken: $((Get-Date).Subtract($start_time))"
+        $start_time = Get-Date
+
+        del -Force -ErrorAction SilentlyContinue C:\tools\msys64\etc\mtab
+        del -Force -ErrorAction SilentlyContinue C:\tools\msys64\dev\fd
+        del -Force -ErrorAction SilentlyContinue C:\tools\msys64\dev\stderr
+        del -Force -ErrorAction SilentlyContinue C:\tools\msys64\dev\stdin
+        del -Force -ErrorAction SilentlyContinue C:\tools\msys64\dev\stdout
+        del -Force -Recurse -ErrorAction SilentlyContinue C:\tools\msys64\var\cache\pacman\pkg
+        tar cf C:\tools\archive\msys64.tar -C C:\tools\ msys64
+
+        Write-Output "Package archive time taken: $((Get-Date).Subtract($start_time))"
+        del -Force -Recurse -ErrorAction SilentlyContinue c:\tools\msys64 
+  install_script:
+    - |
+      $start_time = Get-Date
+      cd C:\tools
+      ls C:\tools\archive\msys64.tar
+      tar xf C:\tools\archive\msys64.tar
+      Write-Output "Extract msys2 time taken: $((Get-Date).Subtract($start_time))"
+  script:
+    - C:\tools\msys64\usr\bin\bash.exe -lc "mkdir build"
+    - C:\tools\msys64\usr\bin\bash.exe -lc "cd build && ../configure --python=python3"
+    - C:\tools\msys64\usr\bin\bash.exe -lc "cd build && make -j8"
+    - exit $LastExitCode
+  test_script:
+    - C:\tools\msys64\usr\bin\bash.exe -lc "cd build && make V=1 check"
+    - exit $LastExitCode
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,21 +0,0 @@
-#
-# List of code-formatting clean ups the git blame can ignore
-#
-#   git blame --ignore-revs-file .git-blame-ignore-revs
-#
-# or
-#
-#   git config blame.ignoreRevsFile .git-blame-ignore-revs
-#
-
-# gdbstub: clean-up indents
-ad9e4585b3c7425759d3eea697afbca71d2c2082
-
-# e1000e: fix code style
-0eadd56bf53ab196a16d492d7dd31c62e1c24c32
-
-# target/riscv: coding style fixes
-8c7feddddd9218b407792120bcfda0347ed16205
-
-# replace TABs with spaces
-48805df9c22a0700fba4b3b548fafaa21726ca68
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,3 @@
 *.c.inc         diff=c
 *.h.inc         diff=c
-*.m             diff=objc
 *.py            diff=python
--- a/.github/workflows/lockdown.yml
+++ b/.github/workflows/lockdown.yml
@@ -15,7 +15,7 @@ jobs:
    steps:
      - uses: dessant/repo-lockdown@v2
        with:
-          pr-comment: |
+          pull-comment: |
            Thank you for your interest in the QEMU project.

            This repository is a read-only mirror of the project's repostories hosted
@@ -26,5 +26,5 @@ jobs:
            functionality). However, we get a lot of patches, and so we have some
            guidelines about contributing on the project website:
            https://www.qemu.org/contribute/
-          lock-pr: true
-          close-pr: true
+          lock-pull: true
+          close-pull: true
--- a/.gitignore
+++ b/.gitignore
@@ -1,13 +1,9 @@
 /GNUmakefile
 /build/
-/.cache/
-/.vscode/
 *.pyc
 .sdk
 .stgit-*
 .git-submodule-status
-.clang-format
-.gdb_history
 cscope.*
 tags
 TAGS
@@ -19,4 +15,3 @@ GTAGS
 *.depend_raw
 *.swp
 *.patch
-*.gcov
--- a/.gitlab-ci.d/base.yml
+++ b/.gitlab-ci.d/base.yml
@@ -1,128 +0,0 @@
-
-variables:
-  # On stable branches this is changed by later rules. Should also
-  # be overridden per pipeline if running pipelines concurrently
-  # for different branches in contributor forks.
-  QEMU_CI_CONTAINER_TAG: latest
-
-  # For purposes of CI rules, upstream is the gitlab.com/qemu-project
-  # namespace. When testing CI, it might be usefult to override this
-  # to point to a fork repo
-  QEMU_CI_UPSTREAM: qemu-project
-
-# The order of rules defined here is critically important.
-# They are evaluated in order and first match wins.
-#
-# Thus we group them into a number of stages, ordered from
-# most restrictive to least restrictive
-#
-# For pipelines running for stable "staging-X.Y" branches
-# we must override QEMU_CI_CONTAINER_TAG
-#
-.base_job_template:
-  variables:
-    # Each script line from will be in a collapsible section in the job output
-    # and show the duration of each line.
-    FF_SCRIPT_SECTIONS: 1
-
-  interruptible: true
-
-  rules:
-    #############################################################
-    # Stage 1: exclude scenarios where we definitely don't
-    # want jobs to run
-    #############################################################
-
-    # Never run jobs upstream on stable branch, staging branch jobs already ran
-    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH =~ /^stable-/'
-      when: never
-
-    # Never run jobs upstream on tags, staging branch jobs already ran
-    - if: '$CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_TAG'
-      when: never
-
-    # Cirrus jobs can't run unless the creds / target repo are set
-    - if: '$QEMU_JOB_CIRRUS && ($CIRRUS_GITHUB_REPO == null || $CIRRUS_API_TOKEN == null)'
-      when: never
-
-    # Publishing jobs should only run on the default branch in upstream
-    - if: '$QEMU_JOB_PUBLISH == "1" && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH != $CI_DEFAULT_BRANCH'
-      when: never
-
-    # Non-publishing jobs should only run on staging branches in upstream
-    - if: '$QEMU_JOB_PUBLISH != "1" && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH !~ /staging/'
-      when: never
-
-    # Jobs only intended for forks should always be skipped on upstream
-    - if: '$QEMU_JOB_ONLY_FORKS == "1" && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM'
-      when: never
-
-    # Forks don't get pipelines unless QEMU_CI=1 or QEMU_CI=2 is set
-    - if: '$QEMU_CI != "1" && $QEMU_CI != "2" && $CI_PROJECT_NAMESPACE != $QEMU_CI_UPSTREAM'
-      when: never
-
-    # Avocado jobs don't run in forks unless $QEMU_CI_AVOCADO_TESTING is set
-    - if: '$QEMU_JOB_AVOCADO && $QEMU_CI_AVOCADO_TESTING != "1" && $CI_PROJECT_NAMESPACE != $QEMU_CI_UPSTREAM'
-      when: never
-
-
-    #############################################################
-    # Stage 2: fine tune execution of jobs in specific scenarios
-    # where the catch all logic is inappropriate
-    #############################################################
-
-    # Optional jobs should not be run unless manually triggered
-    - if: '$QEMU_JOB_OPTIONAL && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH =~ /staging-[[:digit:]]+\.[[:digit:]]/'
-      when: manual
-      allow_failure: true
-      variables:
-        QEMU_CI_CONTAINER_TAG: $CI_COMMIT_REF_SLUG
-
-    - if: '$QEMU_JOB_OPTIONAL'
-      when: manual
-      allow_failure: true
-
-    # Skipped jobs should not be run unless manually triggered
-    - if: '$QEMU_JOB_SKIPPED && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH =~ /staging-[[:digit:]]+\.[[:digit:]]/'
-      when: manual
-      allow_failure: true
-      variables:
-        QEMU_CI_CONTAINER_TAG: $CI_COMMIT_REF_SLUG
-
-    - if: '$QEMU_JOB_SKIPPED'
-      when: manual
-      allow_failure: true
-
-    # Avocado jobs can be manually start in forks if $QEMU_CI_AVOCADO_TESTING is unset
-    - if: '$QEMU_JOB_AVOCADO && $CI_PROJECT_NAMESPACE != $QEMU_CI_UPSTREAM'
-      when: manual
-      allow_failure: true
-
-
-    #############################################################
-    # Stage 3: catch all logic applying to any job not matching
-    # an earlier criteria
-    #############################################################
-
-    # Forks pipeline jobs don't start automatically unless
-    # QEMU_CI=2 is set
-    - if: '$QEMU_CI != "2" && $CI_PROJECT_NAMESPACE != $QEMU_CI_UPSTREAM'
-      when: manual
-
-    # Upstream pipeline jobs start automatically unless told not to
-    # by setting QEMU_CI=1
-    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH =~ /staging-[[:digit:]]+\.[[:digit:]]/'
-      when: manual
-      variables:
-        QEMU_CI_CONTAINER_TAG: $CI_COMMIT_REF_SLUG
-
-    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM'
-      when: manual
-
-    # Jobs can run if any jobs they depend on were successful
-    - if: '$QEMU_JOB_SKIPPED && $CI_PROJECT_NAMESPACE == $QEMU_CI_UPSTREAM && $CI_COMMIT_BRANCH =~ /staging-[[:digit:]]+\.[[:digit:]]/'
-      when: on_success
-      variables:
-        QEMU_CI_CONTAINER_TAG: $CI_COMMIT_REF_SLUG
-
-    - when: on_success
--- a/.gitlab-ci.d/buildtest-template.yml
+++ b/.gitlab-ci.d/buildtest-template.yml
@@ -1,79 +1,44 @@
 .native_build_job_template:
-  extends: .base_job_template
  stage: build
-  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:$QEMU_CI_CONTAINER_TAG
-  cache:
-    paths:
-      - ccache
-    key: "$CI_JOB_NAME"
-    when: always
+  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest
  before_script:
    - JOBS=$(expr $(nproc) + 1)
  script:
-    - export CCACHE_BASEDIR="$(pwd)"
-    - export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    - export CCACHE_MAXSIZE="500M"
-    - export PATH="$CCACHE_WRAPPERSDIR:$PATH"
-    - mkdir build
-    - cd build
-    - ccache --zero-stats
-    - ../configure --enable-werror --disable-docs --enable-fdt=system
-          ${TARGETS:+--target-list="$TARGETS"}
-          $CONFIGURE_ARGS ||
-      { cat config.log meson-logs/meson-log.txt && exit 1; }
    - if test -n "$LD_JOBS";
      then
-        pyvenv/bin/meson configure . -Dbackend_max_links="$LD_JOBS" ;
+        scripts/git-submodule.sh update meson ;
+      fi
+    - mkdir build
+    - cd build
+    - if test -n "$TARGETS";
+      then
+        ../configure --enable-werror --disable-docs ${LD_JOBS:+--meson=git} $CONFIGURE_ARGS --target-list="$TARGETS" ;
+      else
+        ../configure --enable-werror --disable-docs ${LD_JOBS:+--meson=git} $CONFIGURE_ARGS ;
+      fi || { cat config.log meson-logs/meson-log.txt && exit 1; }
+    - if test -n "$LD_JOBS";
+      then
+        ../meson/meson.py configure . -Dbackend_max_links="$LD_JOBS" ;
      fi || exit 1;
    - make -j"$JOBS"
    - if test -n "$MAKE_CHECK_ARGS";
      then
        make -j"$JOBS" $MAKE_CHECK_ARGS ;
      fi
-    - ccache --show-stats

-# We jump some hoops in common_test_job_template to avoid
-# rebuilding all the object files we skip in the artifacts
-.native_build_artifact_template:
-  artifacts:
-    when: on_success
-    expire_in: 2 days
-    paths:
-      - build
-      - .git-submodule-status
-    exclude:
-      - build/**/*.p
-      - build/**/*.a.p
-      - build/**/*.fa.p
-      - build/**/*.c.o
-      - build/**/*.c.o.d
-      - build/**/*.fa
-
-.common_test_job_template:
-  extends: .base_job_template
+.native_test_job_template:
  stage: test
-  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest
  script:
-    - scripts/git-submodule.sh update roms/SLOF
-    - meson subprojects download $(cd build/subprojects && echo *)
+    - scripts/git-submodule.sh update
+        $(sed -n '/GIT_SUBMODULES=/ s/.*=// p' build/config-host.mak)
    - cd build
    - find . -type f -exec touch {} +
    # Avoid recompiling by hiding ninja with NINJA=":"
    - make NINJA=":" $MAKE_CHECK_ARGS

-.native_test_job_template:
-  extends: .common_test_job_template
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
-    when: always
-    expire_in: 7 days
-    paths:
-      - build/meson-logs/testlog.txt
-    reports:
-      junit: build/meson-logs/testlog.junit.xml
-
 .avocado_test_job_template:
-  extends: .common_test_job_template
+  extends: .native_test_job_template
  cache:
    key: "${CI_JOB_NAME}-cache"
    paths:
@@ -81,7 +46,7 @@
    policy: pull-push
  artifacts:
    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
-    when: always
+    when: on_failure
    expire_in: 7 days
    paths:
      - build/tests/results/latest/results.xml
@@ -102,5 +67,15 @@
  after_script:
    - cd build
    - du -chs ${CI_PROJECT_DIR}/avocado-cache
-  variables:
-    QEMU_JOB_AVOCADO: 1
+  rules:
+    # Only run these jobs if running on the mainstream namespace,
+    # or if the user set the QEMU_CI_AVOCADO_TESTING variable (either
+    # in its namespace setting or via git-push option, see documentation
+    # in /.gitlab-ci.yml of this repository).
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project"'
+      when: on_success
+    - if: '$QEMU_CI_AVOCADO_TESTING'
+      when: on_success
+    # Otherwise, set to manual (the jobs are created but not run).
+    - when: manual
+      allow_failure: true
--- a/.gitlab-ci.d/buildtest.yml
+++ b/.gitlab-ci.d/buildtest.yml
@@ -2,16 +2,20 @@ include:
  - local: '/.gitlab-ci.d/buildtest-template.yml'

 build-system-alpine:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    - job: amd64-alpine-container
  variables:
    IMAGE: alpine
-    TARGETS: avr-softmmu loongarch64-softmmu mips64-softmmu mipsel-softmmu
+    TARGETS: aarch64-softmmu alpha-softmmu cris-softmmu hppa-softmmu
+      microblazeel-softmmu mips64el-softmmu
    MAKE_CHECK_ARGS: check-build
    CONFIGURE_ARGS: --enable-docs --enable-trace-backends=log,simple,syslog
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - .git-submodule-status
+      - build

 check-system-alpine:
  extends: .native_test_job_template
@@ -20,7 +24,7 @@ check-system-alpine:
      artifacts: true
  variables:
    IMAGE: alpine
-    MAKE_CHECK_ARGS: check-unit check-qtest
+    MAKE_CHECK_ARGS: check

 avocado-system-alpine:
  extends: .avocado_test_job_template
@@ -30,19 +34,21 @@ avocado-system-alpine:
  variables:
    IMAGE: alpine
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:avr arch:loongarch64 arch:mips64 arch:mipsel

 build-system-ubuntu:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
-    job: amd64-ubuntu2204-container
+    job: amd64-ubuntu2004-container
  variables:
-    IMAGE: ubuntu2204
-    CONFIGURE_ARGS: --enable-docs
-    TARGETS: alpha-softmmu microblazeel-softmmu mips64el-softmmu
+    IMAGE: ubuntu2004
+    CONFIGURE_ARGS: --enable-docs --enable-fdt=system --enable-slirp=system
+    TARGETS: aarch64-softmmu alpha-softmmu cris-softmmu hppa-softmmu
+      microblazeel-softmmu mips64el-softmmu
    MAKE_CHECK_ARGS: check-build
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-system-ubuntu:
  extends: .native_test_job_template
@@ -50,7 +56,7 @@ check-system-ubuntu:
    - job: build-system-ubuntu
      artifacts: true
  variables:
-    IMAGE: ubuntu2204
+    IMAGE: ubuntu2004
    MAKE_CHECK_ARGS: check

 avocado-system-ubuntu:
@@ -59,22 +65,22 @@ avocado-system-ubuntu:
    - job: build-system-ubuntu
      artifacts: true
  variables:
-    IMAGE: ubuntu2204
+    IMAGE: ubuntu2004
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:alpha arch:microblaze arch:mips64el

 build-system-debian:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    job: amd64-debian-container
  variables:
    IMAGE: debian-amd64
-    CONFIGURE_ARGS: --with-coroutine=sigaltstack
-    TARGETS: arm-softmmu i386-softmmu riscv64-softmmu sh4eb-softmmu
-      sparc-softmmu xtensa-softmmu
+    TARGETS: arm-softmmu avr-softmmu i386-softmmu mipsel-softmmu
+      riscv64-softmmu sh4eb-softmmu sparc-softmmu xtensaeb-softmmu
    MAKE_CHECK_ARGS: check-build
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-system-debian:
  extends: .native_test_job_template
@@ -93,32 +99,22 @@ avocado-system-debian:
  variables:
    IMAGE: debian-amd64
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:arm arch:i386 arch:riscv64 arch:sh4 arch:sparc arch:xtensa
-
-crash-test-debian:
-  extends: .native_test_job_template
-  needs:
-    - job: build-system-debian
-      artifacts: true
-  variables:
-    IMAGE: debian-amd64
-  script:
-    - cd build
-    - make NINJA=":" check-venv
-    - pyvenv/bin/python3 scripts/device-crash-test -q --tcg-only ./qemu-system-i386

 build-system-fedora:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    job: amd64-fedora-container
  variables:
    IMAGE: fedora
    CONFIGURE_ARGS: --disable-gcrypt --enable-nettle --enable-docs
-    TARGETS: microblaze-softmmu mips-softmmu
+             --enable-fdt=system --enable-slirp=system --enable-capstone=system
+    TARGETS: tricore-softmmu microblaze-softmmu mips-softmmu
      xtensa-softmmu m68k-softmmu riscv32-softmmu ppc-softmmu sparc64-softmmu
    MAKE_CHECK_ARGS: check-build
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-system-fedora:
  extends: .native_test_job_template
@@ -137,35 +133,22 @@ avocado-system-fedora:
  variables:
    IMAGE: fedora
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:microblaze arch:mips arch:xtensa arch:m68k
-      arch:riscv32 arch:ppc arch:sparc64
-
-crash-test-fedora:
-  extends: .native_test_job_template
-  needs:
-    - job: build-system-fedora
-      artifacts: true
-  variables:
-    IMAGE: fedora
-  script:
-    - cd build
-    - make NINJA=":" check-venv
-    - pyvenv/bin/python3 scripts/device-crash-test -q ./qemu-system-ppc
-    - pyvenv/bin/python3 scripts/device-crash-test -q ./qemu-system-riscv32

 build-system-centos:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    job: amd64-centos8-container
  variables:
    IMAGE: centos8
-    CONFIGURE_ARGS: --disable-nettle --enable-gcrypt --enable-vfio-user-server
-      --enable-modules --enable-trace-backends=dtrace --enable-docs
+    CONFIGURE_ARGS: --disable-nettle --enable-gcrypt --enable-fdt=system
+                    --enable-modules --enable-trace-backends=dtrace
    TARGETS: ppc64-softmmu or1k-softmmu s390x-softmmu
      x86_64-softmmu rx-softmmu sh4-softmmu nios2-softmmu
    MAKE_CHECK_ARGS: check-build
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-system-centos:
  extends: .native_test_job_template
@@ -184,19 +167,20 @@ avocado-system-centos:
  variables:
    IMAGE: centos8
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:ppc64 arch:or1k arch:390x arch:x86_64 arch:rx
-      arch:sh4 arch:nios2

 build-system-opensuse:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    job: amd64-opensuse-leap-container
  variables:
    IMAGE: opensuse-leap
+    CONFIGURE_ARGS: --enable-fdt=system
    TARGETS: s390x-softmmu x86_64-softmmu aarch64-softmmu
    MAKE_CHECK_ARGS: check-build
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-system-opensuse:
  extends: .native_test_job_template
@@ -215,7 +199,6 @@ avocado-system-opensuse:
  variables:
    IMAGE: opensuse-leap
    MAKE_CHECK_ARGS: check-avocado
-    AVOCADO_TAGS: arch:s390x arch:x86_64 arch:aarch64


 # This jobs explicitly disable TCG (--disable-tcg), KVM is detected by
@@ -235,7 +218,6 @@ build-tcg-disabled:
    - mkdir build
    - cd build
    - ../configure --disable-tcg --audio-drv-list="" --with-coroutine=ucontext
-                   --disable-docs --disable-sdl --disable-gtk --disable-vnc
      || { cat config.log meson-logs/meson-log.txt && exit 1; }
    - make -j"$JOBS"
    - make check-unit
@@ -256,7 +238,6 @@ build-user:
  variables:
    IMAGE: debian-all-test-cross
    CONFIGURE_ARGS: --disable-tools --disable-system
-      --target-list-exclude=alpha-linux-user,sh4-linux-user
    MAKE_CHECK_ARGS: check-tcg

 build-user-static:
@@ -266,33 +247,23 @@ build-user-static:
  variables:
    IMAGE: debian-all-test-cross
    CONFIGURE_ARGS: --disable-tools --disable-system --static
-      --target-list-exclude=alpha-linux-user,sh4-linux-user
-    MAKE_CHECK_ARGS: check-tcg
-
-# targets stuck on older compilers
-build-legacy:
-  extends: .native_build_job_template
-  needs:
-    job: amd64-debian-legacy-cross-container
-  variables:
-    IMAGE: debian-legacy-test-cross
-    TARGETS: alpha-linux-user alpha-softmmu sh4-linux-user
-    CONFIGURE_ARGS: --disable-tools
    MAKE_CHECK_ARGS: check-tcg

+# Because the hexagon cross-compiler takes so long to build we don't rely
+# on the CI system to build it and hence this job has an optional dependency
+# declared. The image is manually uploaded.
 build-user-hexagon:
  extends: .native_build_job_template
  needs:
    job: hexagon-cross-container
+    optional: true
  variables:
    IMAGE: debian-hexagon-cross
    TARGETS: hexagon-linux-user
    CONFIGURE_ARGS: --disable-tools --disable-docs --enable-debug-tcg
    MAKE_CHECK_ARGS: check-tcg

-# Build the softmmu targets we have check-tcg tests and compilers in
-# our omnibus all-test-cross container. Those targets that haven't got
-# Debian cross compiler support need to use special containers.
+# Only build the softmmu targets we have check-tcg tests for
 build-some-softmmu:
  extends: .native_build_job_template
  needs:
@@ -300,18 +271,7 @@ build-some-softmmu:
  variables:
    IMAGE: debian-all-test-cross
    CONFIGURE_ARGS: --disable-tools --enable-debug
-    TARGETS: arm-softmmu aarch64-softmmu i386-softmmu riscv64-softmmu
-      s390x-softmmu x86_64-softmmu
-    MAKE_CHECK_ARGS: check-tcg
-
-build-loongarch64:
-  extends: .native_build_job_template
-  needs:
-    job: loongarch-debian-cross-container
-  variables:
-    IMAGE: debian-loongarch-cross
-    CONFIGURE_ARGS: --disable-tools --enable-debug
-    TARGETS: loongarch64-linux-user loongarch64-softmmu
+    TARGETS: xtensa-softmmu arm-softmmu aarch64-softmmu alpha-softmmu
    MAKE_CHECK_ARGS: check-tcg

 # We build tricore in a very minimal tricore only container
@@ -333,18 +293,18 @@ clang-system:
    IMAGE: fedora
    CONFIGURE_ARGS: --cc=clang --cxx=clang++
      --extra-cflags=-fsanitize=undefined --extra-cflags=-fno-sanitize-recover=undefined
-    TARGETS: alpha-softmmu arm-softmmu m68k-softmmu mips64-softmmu s390x-softmmu
+    TARGETS: alpha-softmmu arm-softmmu m68k-softmmu mips64-softmmu
+      ppc-softmmu s390x-softmmu
    MAKE_CHECK_ARGS: check-qtest check-tcg

 clang-user:
  extends: .native_build_job_template
  needs:
    job: amd64-debian-user-cross-container
-  timeout: 70m
  variables:
    IMAGE: debian-all-test-cross
    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --disable-system
-      --target-list-exclude=alpha-linux-user,microblazeel-linux-user,aarch64_be-linux-user,i386-linux-user,m68k-linux-user,mipsn32el-linux-user,xtensaeb-linux-user
+      --target-list-exclude=microblazeel-linux-user,aarch64_be-linux-user,i386-linux-user,m68k-linux-user,mipsn32el-linux-user,xtensaeb-linux-user
      --extra-cflags=-fsanitize=undefined --extra-cflags=-fno-sanitize-recover=undefined
    MAKE_CHECK_ARGS: check-unit check-tcg

@@ -352,15 +312,15 @@ clang-user:
 # On gitlab runners, default value sometimes end up calling 2 lds concurrently and
 # triggers an Out-Of-Memory error
 #
-# Since slirp callbacks are used in QEMU Timers, we cannot use libslirp with
-# CFI builds, and thus have to disable it here.
+# Since slirp callbacks are used in QEMU Timers, slirp needs to be compiled together
+# with QEMU and linked as a static library to avoid false positives in CFI checks.
+# This can be accomplished by using -enable-slirp=git, which avoids the use of
+# a system-wide version of the library
 #
 # Split in three sets of build/check/avocado to limit the execution time of each
 # job
 build-cfi-aarch64:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
  - job: amd64-fedora-container
  variables:
@@ -368,14 +328,20 @@ build-cfi-aarch64:
    AR: llvm-ar
    IMAGE: fedora
    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
-      --enable-safe-stack --disable-slirp
+      --enable-safe-stack --enable-slirp=git
    TARGETS: aarch64-softmmu
    MAKE_CHECK_ARGS: check-build
+  timeout: 70m
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build
+  rules:
    # FIXME: This job is often failing, likely due to out-of-memory problems in
    # the constrained containers of the shared runners. Thus this is marked as
-    # skipped until the situation has been solved.
-    QEMU_JOB_SKIPPED: 1
-  timeout: 90m
+    # manual until the situation has been solved.
+    - when: manual
+      allow_failure: true

 check-cfi-aarch64:
  extends: .native_test_job_template
@@ -396,9 +362,7 @@ avocado-cfi-aarch64:
    MAKE_CHECK_ARGS: check-avocado

 build-cfi-ppc64-s390x:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
  - job: amd64-fedora-container
  variables:
@@ -406,14 +370,20 @@ build-cfi-ppc64-s390x:
    AR: llvm-ar
    IMAGE: fedora
    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
-      --enable-safe-stack --disable-slirp
+      --enable-safe-stack --enable-slirp=git
    TARGETS: ppc64-softmmu s390x-softmmu
    MAKE_CHECK_ARGS: check-build
+  timeout: 70m
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build
+  rules:
    # FIXME: This job is often failing, likely due to out-of-memory problems in
    # the constrained containers of the shared runners. Thus this is marked as
-    # skipped until the situation has been solved.
-    QEMU_JOB_SKIPPED: 1
-  timeout: 80m
+    # manual until the situation has been solved.
+    - when: manual
+      allow_failure: true

 check-cfi-ppc64-s390x:
  extends: .native_test_job_template
@@ -434,9 +404,7 @@ avocado-cfi-ppc64-s390x:
    MAKE_CHECK_ARGS: check-avocado

 build-cfi-x86_64:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
  - job: amd64-fedora-container
  variables:
@@ -444,10 +412,14 @@ build-cfi-x86_64:
    AR: llvm-ar
    IMAGE: fedora
    CONFIGURE_ARGS: --cc=clang --cxx=clang++ --enable-cfi --enable-cfi-debug
-      --enable-safe-stack --disable-slirp
+      --enable-safe-stack --enable-slirp=git
    TARGETS: x86_64-softmmu
    MAKE_CHECK_ARGS: check-build
  timeout: 70m
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 check-cfi-x86_64:
  extends: .native_test_job_template
@@ -470,40 +442,65 @@ avocado-cfi-x86_64:
 tsan-build:
  extends: .native_build_job_template
  needs:
-    job: amd64-ubuntu2204-container
+    job: amd64-ubuntu2004-container
  variables:
-    IMAGE: ubuntu2204
-    CONFIGURE_ARGS: --enable-tsan --cc=clang --cxx=clang++
-          --enable-trace-backends=ust --disable-slirp
+    IMAGE: ubuntu2004
+    CONFIGURE_ARGS: --enable-tsan --cc=clang-10 --cxx=clang++-10
+          --enable-trace-backends=ust --enable-fdt=system --enable-slirp=system
    TARGETS: x86_64-softmmu ppc64-softmmu riscv64-softmmu x86_64-linux-user
+    MAKE_CHECK_ARGS: bench V=1

-# gcov is a GCC features
-gcov:
+# These targets are on the way out
+build-deprecated:
  extends: .native_build_job_template
  needs:
-    job: amd64-ubuntu2204-container
-  timeout: 80m
+    job: amd64-debian-user-cross-container
  variables:
-    IMAGE: ubuntu2204
-    CONFIGURE_ARGS: --enable-gcov
-    TARGETS: aarch64-softmmu ppc64-softmmu s390x-softmmu x86_64-softmmu
-    MAKE_CHECK_ARGS: check-unit check-softfloat
-  after_script:
-    - cd build
-    - gcovr --xml-pretty --exclude-unreachable-branches --print-summary
-        -o coverage.xml --root ${CI_PROJECT_DIR} . *.p
-  coverage: /^\s*lines:\s*\d+.\d+\%/
+    IMAGE: debian-all-test-cross
+    CONFIGURE_ARGS: --disable-tools
+    MAKE_CHECK_ARGS: build-tcg
+    TARGETS: ppc64abi32-linux-user
  artifacts:
-    name: ${CI_JOB_NAME}-${CI_COMMIT_REF_NAME}-${CI_COMMIT_SHA}
-    when: always
    expire_in: 2 days
    paths:
-      - build/meson-logs/testlog.txt
-    reports:
-      junit: build/meson-logs/testlog.junit.xml
-      coverage_report:
-        coverage_format: cobertura
-        path: build/coverage.xml
+      - build
+
+# We split the check-tcg step as test failures are expected but we still
+# want to catch the build breaking.
+check-deprecated:
+  extends: .native_test_job_template
+  needs:
+    - job: build-deprecated
+      artifacts: true
+  variables:
+    IMAGE: debian-all-test-cross
+    MAKE_CHECK_ARGS: check-tcg
+  allow_failure: true
+
+# gprof/gcov are GCC features
+build-gprof-gcov:
+  extends: .native_build_job_template
+  needs:
+    job: amd64-ubuntu2004-container
+  variables:
+    IMAGE: ubuntu2004
+    CONFIGURE_ARGS: --enable-gprof --enable-gcov
+    TARGETS: aarch64-softmmu ppc64-softmmu s390x-softmmu x86_64-softmmu
+  artifacts:
+    expire_in: 1 days
+    paths:
+      - build
+
+check-gprof-gcov:
+  extends: .native_test_job_template
+  needs:
+    - job: build-gprof-gcov
+      artifacts: true
+  variables:
+    IMAGE: ubuntu2004
+    MAKE_CHECK_ARGS: check
+  after_script:
+    - ${CI_PROJECT_DIR}/scripts/ci/coverage-summary.sh

 build-oss-fuzz:
  extends: .native_build_job_template
@@ -513,7 +510,6 @@ build-oss-fuzz:
    IMAGE: fedora
  script:
    - mkdir build-oss-fuzz
-    - export LSAN_OPTIONS=suppressions=scripts/oss-fuzz/lsan_suppressions.txt
    - CC="clang" CXX="clang++" CFLAGS="-fsanitize=address"
      ./scripts/oss-fuzz/build.sh
    - export ASAN_OPTIONS="fast_unwind_on_malloc=0"
@@ -523,6 +519,8 @@ build-oss-fuzz:
        echo Testing ${fuzzer} ... ;
        "${fuzzer}" -runs=1 -seed=1 || exit 1 ;
      done
+    # Unrelated to fuzzer: run some tests with -fsanitize=address
+    - cd build-oss-fuzz && make check-qtest-i386 check-unit

 build-tci:
  extends: .native_build_job_template
@@ -531,12 +529,11 @@ build-tci:
  variables:
    IMAGE: debian-all-test-cross
  script:
-    - TARGETS="aarch64 arm hppa m68k microblaze ppc64 s390x x86_64"
+    - TARGETS="aarch64 alpha arm hppa m68k microblaze ppc64 s390x x86_64"
    - mkdir build
    - cd build
-    - ../configure --enable-tcg-interpreter --disable-docs --disable-gtk --disable-vnc
-        --target-list="$(for tg in $TARGETS; do echo -n ${tg}'-softmmu '; done)"
-        || { cat config.log meson-logs/meson-log.txt && exit 1; }
+    - ../configure --enable-tcg-interpreter
+        --target-list="$(for tg in $TARGETS; do echo -n ${tg}'-softmmu '; done)" || { cat config.log meson-logs/meson-log.txt && exit 1; }
    - make -j"$JOBS"
    - make tests/qtest/boot-serial-test tests/qtest/cdrom-test tests/qtest/pxe-test
    - for tg in $TARGETS ; do
@@ -548,28 +545,47 @@ build-tci:
    - QTEST_QEMU_BINARY="./qemu-system-s390x" ./tests/qtest/pxe-test -m slow
    - make check-tcg

+# Alternate coroutines implementations are only really of interest to KVM users
+# However we can't test against KVM on Gitlab-CI so we can only run unit tests
+build-coroutine-sigaltstack:
+  extends: .native_build_job_template
+  needs:
+    job: amd64-ubuntu2004-container
+  variables:
+    IMAGE: ubuntu2004
+    CONFIGURE_ARGS: --with-coroutine=sigaltstack --disable-tcg
+                    --enable-trace-backends=ftrace
+    MAKE_CHECK_ARGS: check-unit
+
 # Check our reduced build configurations
-build-without-defaults:
+build-without-default-devices:
  extends: .native_build_job_template
  needs:
    job: amd64-centos8-container
  variables:
    IMAGE: centos8
+    CONFIGURE_ARGS: --without-default-devices --disable-user
+
+build-without-default-features:
+  extends: .native_build_job_template
+  needs:
+    job: amd64-fedora-container
+  variables:
+    IMAGE: fedora
    CONFIGURE_ARGS:
-      --without-default-devices
      --without-default-features
-      --disable-fdt
+      --disable-capstone
      --disable-pie
      --disable-qom-cast-debug
+      --disable-slirp
      --disable-strip
-    TARGETS: avr-softmmu mips64-softmmu s390x-softmmu sh4-softmmu
+    TARGETS: avr-softmmu i386-softmmu mips64-softmmu s390x-softmmu sh4-softmmu
      sparc64-softmmu hexagon-linux-user i386-linux-user s390x-linux-user
-    MAKE_CHECK_ARGS: check
+    MAKE_CHECK_ARGS: check-unit check-qtest SPEED=slow

 build-libvhost-user:
-  extends: .base_job_template
  stage: build
-  image: $CI_REGISTRY_IMAGE/qemu/fedora:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/fedora:latest
  needs:
    job: amd64-fedora-container
  script:
@@ -581,18 +597,17 @@ build-libvhost-user:
 # No targets are built here, just tools, docs, and unit tests. This
 # also feeds into the eventual documentation deployment steps later
 build-tools-and-docs-debian:
-  extends:
-    - .native_build_job_template
-    - .native_build_artifact_template
+  extends: .native_build_job_template
  needs:
    job: amd64-debian-container
-    # when running on 'master' we use pre-existing container
-    optional: true
  variables:
    IMAGE: debian-amd64
-    MAKE_CHECK_ARGS: check-unit ctags TAGS cscope
+    MAKE_CHECK_ARGS: check-unit check-softfloat ctags TAGS cscope
    CONFIGURE_ARGS: --disable-system --disable-user --enable-docs --enable-tools
-    QEMU_JOB_PUBLISH: 1
+  artifacts:
+    expire_in: 2 days
+    paths:
+      - build

 # Prepare for GitLab pages deployment. Anything copied into the
 # "public" directory will be deployed to $USER.gitlab.io/$PROJECT
@@ -608,8 +623,7 @@ build-tools-and-docs-debian:
 # that users can see the results of their commits, regardless
 # of what topic branch they're currently using
 pages:
-  extends: .base_job_template
-  image: $CI_REGISTRY_IMAGE/qemu/debian-amd64:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/debian-amd64:latest
  stage: test
  needs:
    - job: build-tools-and-docs-debian
@@ -624,8 +638,12 @@ pages:
    - make -C build install DESTDIR=$(pwd)/temp-install
    - mv temp-install/usr/local/share/doc/qemu/* public/
  artifacts:
-    when: on_success
    paths:
      - public
-  variables:
-    QEMU_JOB_PUBLISH: 1
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+      when: on_success
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project"'
+      when: never
+    - if: '$CI_PROJECT_NAMESPACE != "qemu-project"'
+      when: on_success
--- a/.gitlab-ci.d/cirrus.yml
+++ b/.gitlab-ci.d/cirrus.yml
@@ -11,14 +11,11 @@
 # special care, because we can't just override it at the GitLab CI job
 # definition level or we risk breaking it completely.
 .cirrus_build_job:
-  extends: .base_job_template
  stage: build
  image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:master
  needs: []
-  # 20 mins larger than "timeout_in" in cirrus/build.yml
-  # as there's often a 5-10 minute delay before Cirrus CI
-  # actually starts the task
  timeout: 80m
+  allow_failure: true
  script:
    - source .gitlab-ci.d/cirrus/$NAME.vars
    - sed -e "s|[@]CI_REPOSITORY_URL@|$CI_REPOSITORY_URL|g"
@@ -43,8 +40,27 @@
      <.gitlab-ci.d/cirrus/build.yml >.gitlab-ci.d/cirrus/$NAME.yml
    - cat .gitlab-ci.d/cirrus/$NAME.yml
    - cirrus-run -v --show-build-log always .gitlab-ci.d/cirrus/$NAME.yml
+  rules:
+    # Allow on 'staging' branch and 'stable-X.Y-staging' branches only
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH !~ /staging/'
+      when: never
+    - if: "$CIRRUS_GITHUB_REPO && $CIRRUS_API_TOKEN"
+
+x64-freebsd-12-build:
+  extends: .cirrus_build_job
  variables:
-    QEMU_JOB_CIRRUS: 1
+    NAME: freebsd-12
+    CIRRUS_VM_INSTANCE_TYPE: freebsd_instance
+    CIRRUS_VM_IMAGE_SELECTOR: image_family
+    CIRRUS_VM_IMAGE_NAME: freebsd-12-2
+    CIRRUS_VM_CPUS: 8
+    CIRRUS_VM_RAM: 8G
+    UPDATE_COMMAND: pkg update
+    INSTALL_COMMAND: pkg install -y
+    # TODO: Enable gnutls again once FreeBSD's libtasn1 got fixed
+    # See: https://gitlab.com/gnutls/libtasn1/-/merge_requests/71
+    CONFIGURE_ARGS: --disable-gnutls
+    TEST_TARGETS: check

 x64-freebsd-13-build:
  extends: .cirrus_build_job
@@ -52,61 +68,24 @@ x64-freebsd-13-build:
    NAME: freebsd-13
    CIRRUS_VM_INSTANCE_TYPE: freebsd_instance
    CIRRUS_VM_IMAGE_SELECTOR: image_family
-    CIRRUS_VM_IMAGE_NAME: freebsd-13-2
+    CIRRUS_VM_IMAGE_NAME: freebsd-13-0
    CIRRUS_VM_CPUS: 8
    CIRRUS_VM_RAM: 8G
-    UPDATE_COMMAND: pkg update; pkg upgrade -y
+    UPDATE_COMMAND: pkg update
    INSTALL_COMMAND: pkg install -y
    TEST_TARGETS: check

-aarch64-macos-12-base-build:
+x64-macos-11-base-build:
  extends: .cirrus_build_job
  variables:
-    NAME: macos-12
-    CIRRUS_VM_INSTANCE_TYPE: macos_instance
+    NAME: macos-11
+    CIRRUS_VM_INSTANCE_TYPE: osx_instance
    CIRRUS_VM_IMAGE_SELECTOR: image
-    CIRRUS_VM_IMAGE_NAME: ghcr.io/cirruslabs/macos-monterey-base:latest
+    CIRRUS_VM_IMAGE_NAME: big-sur-base
    CIRRUS_VM_CPUS: 12
    CIRRUS_VM_RAM: 24G
    UPDATE_COMMAND: brew update
    INSTALL_COMMAND: brew install
-    PATH_EXTRA: /opt/homebrew/ccache/libexec:/opt/homebrew/gettext/bin
-    PKG_CONFIG_PATH: /opt/homebrew/curl/lib/pkgconfig:/opt/homebrew/ncurses/lib/pkgconfig:/opt/homebrew/readline/lib/pkgconfig
+    PATH_EXTRA: /usr/local/opt/ccache/libexec:/usr/local/opt/gettext/bin
+    PKG_CONFIG_PATH: /usr/local/opt/curl/lib/pkgconfig:/usr/local/opt/ncurses/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig
    TEST_TARGETS: check-unit check-block check-qapi-schema check-softfloat check-qtest-x86_64
-
-
-# The following jobs run VM-based tests via KVM on a Linux-based Cirrus-CI job
-.cirrus_kvm_job:
-  extends: .base_job_template
-  stage: build
-  image: registry.gitlab.com/libvirt/libvirt-ci/cirrus-run:master
-  needs: []
-  timeout: 80m
-  script:
-    - sed -e "s|[@]CI_REPOSITORY_URL@|$CI_REPOSITORY_URL|g"
-          -e "s|[@]CI_COMMIT_REF_NAME@|$CI_COMMIT_REF_NAME|g"
-          -e "s|[@]CI_COMMIT_SHA@|$CI_COMMIT_SHA|g"
-          -e "s|[@]NAME@|$NAME|g"
-          -e "s|[@]CONFIGURE_ARGS@|$CONFIGURE_ARGS|g"
-          -e "s|[@]TEST_TARGETS@|$TEST_TARGETS|g"
-      <.gitlab-ci.d/cirrus/kvm-build.yml >.gitlab-ci.d/cirrus/$NAME.yml
-    - cat .gitlab-ci.d/cirrus/$NAME.yml
-    - cirrus-run -v --show-build-log always .gitlab-ci.d/cirrus/$NAME.yml
-  variables:
-    QEMU_JOB_CIRRUS: 1
-    QEMU_JOB_OPTIONAL: 1
-
-
-x86-netbsd:
-  extends: .cirrus_kvm_job
-  variables:
-    NAME: netbsd
-    CONFIGURE_ARGS: --target-list=x86_64-softmmu,ppc64-softmmu,aarch64-softmmu
-    TEST_TARGETS: check
-
-x86-openbsd:
-  extends: .cirrus_kvm_job
-  variables:
-    NAME: openbsd
-    CONFIGURE_ARGS: --target-list=i386-softmmu,riscv64-softmmu,mips64-softmmu
-    TEST_TARGETS: check
--- a/.gitlab-ci.d/cirrus/build.yml
+++ b/.gitlab-ci.d/cirrus/build.yml
@@ -16,8 +16,6 @@ env:
  TEST_TARGETS: "@TEST_TARGETS@"

 build_task:
-  # A little shorter than GitLab timeout in ../cirrus.yml
-  timeout_in: 60m
  install_script:
    - @UPDATE_COMMAND@
    - @INSTALL_COMMAND@ @PKGS@
@@ -36,7 +34,3 @@ build_task:
      do
        $MAKE -j$(sysctl -n hw.ncpu) $TARGET V=1 ;
      done
-  always:
-    build_result_artifacts:
-      path: build/meson-logs/*log.txt
-      type: text/plain
--- a/.gitlab-ci.d/cirrus/freebsd-12.vars
+++ b/.gitlab-ci.d/cirrus/freebsd-12.vars
@@ -0,0 +1,13 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool variables freebsd-12 qemu
+#
+# https://gitlab.com/libvirt/libvirt-ci/-/commit/c7e275ab27ac0dcd09da290817b9adeea1fd1eb1
+
+PACKAGING_COMMAND='pkg'
+CCACHE='/usr/local/bin/ccache'
+MAKE='/usr/local/bin/gmake'
+NINJA='/usr/local/bin/ninja'
+PYTHON='/usr/local/bin/python3'
+PIP3='/usr/local/bin/pip-3.8'
+PKGS='alsa-lib bash bzip2 ca_root_nss capstone4 ccache cdrkit-genisoimage ctags curl cyrus-sasl dbus diffutils gettext git glib gmake gnutls gsed gtk3 libepoxy libffi libgcrypt libjpeg-turbo libnfs libspice-server libssh libtasn1 libxml2 llvm lttng-ust lzo2 meson ncurses nettle ninja opencv p5-Test-Harness perl5 pixman pkgconf png py38-numpy py38-pillow py38-pip py38-sphinx py38-sphinx_rtd_theme py38-virtualenv py38-yaml python3 rpm2cpio sdl2 sdl2_image snappy spice-protocol tesseract texinfo usbredir virglrenderer vte3 zstd'
--- a/.gitlab-ci.d/cirrus/freebsd-13.vars
+++ b/.gitlab-ci.d/cirrus/freebsd-13.vars
@@ -2,15 +2,12 @@
 #
 #  $ lcitool variables freebsd-13 qemu
 #
-# https://gitlab.com/libvirt/libvirt-ci
+# https://gitlab.com/libvirt/libvirt-ci/-/commit/c7e275ab27ac0dcd09da290817b9adeea1fd1eb1

+PACKAGING_COMMAND='pkg'
 CCACHE='/usr/local/bin/ccache'
-CPAN_PKGS=''
-CROSS_PKGS=''
 MAKE='/usr/local/bin/gmake'
 NINJA='/usr/local/bin/ninja'
-PACKAGING_COMMAND='pkg'
-PIP3='/usr/local/bin/pip-3.8'
-PKGS='alsa-lib bash bison bzip2 ca_root_nss capstone4 ccache cmocka ctags curl cyrus-sasl dbus diffutils dtc flex fusefs-libs3 gettext git glib gmake gnutls gsed gtk3 json-c libepoxy libffi libgcrypt libjpeg-turbo libnfs libslirp libspice-server libssh libtasn1 llvm lzo2 meson mtools ncurses nettle ninja opencv pixman pkgconf png py39-numpy py39-pillow py39-pip py39-sphinx py39-sphinx_rtd_theme py39-tomli py39-yaml python3 rpm2cpio sdl2 sdl2_image snappy sndio socat spice-protocol tesseract usbredir virglrenderer vte3 xorriso zstd'
-PYPI_PKGS=''
 PYTHON='/usr/local/bin/python3'
+PIP3='/usr/local/bin/pip-3.8'
+PKGS='alsa-lib bash bzip2 ca_root_nss capstone4 ccache cdrkit-genisoimage ctags curl cyrus-sasl dbus diffutils gettext git glib gmake gnutls gsed gtk3 libepoxy libffi libgcrypt libjpeg-turbo libnfs libspice-server libssh libtasn1 libxml2 llvm lttng-ust lzo2 meson ncurses nettle ninja opencv p5-Test-Harness perl5 pixman pkgconf png py38-numpy py38-pillow py38-pip py38-sphinx py38-sphinx_rtd_theme py38-virtualenv py38-yaml python3 rpm2cpio sdl2 sdl2_image snappy spice-protocol tesseract texinfo usbredir virglrenderer vte3 zstd'
--- a/.gitlab-ci.d/cirrus/kvm-build.yml
+++ b/.gitlab-ci.d/cirrus/kvm-build.yml
@@ -1,31 +0,0 @@
-container:
-  image: fedora:35
-  cpu: 4
-  memory: 8Gb
-  kvm: true
-
-env:
-  CIRRUS_CLONE_DEPTH: 1
-  CI_REPOSITORY_URL: "@CI_REPOSITORY_URL@"
-  CI_COMMIT_REF_NAME: "@CI_COMMIT_REF_NAME@"
-  CI_COMMIT_SHA: "@CI_COMMIT_SHA@"
-
-@NAME@_task:
-  @NAME@_vm_cache:
-    folder: $HOME/.cache/qemu-vm
-  install_script:
-    - dnf update -y
-    - dnf install -y git make openssh-clients qemu-img qemu-system-x86 wget meson
-  clone_script:
-    - git clone --depth 100 "$CI_REPOSITORY_URL" .
-    - git fetch origin "$CI_COMMIT_REF_NAME"
-    - git reset --hard "$CI_COMMIT_SHA"
-  build_script:
-    - if [ -f $HOME/.cache/qemu-vm/images/@NAME@.img ]; then
-        make vm-build-@NAME@ J=$(getconf _NPROCESSORS_ONLN)
-          EXTRA_CONFIGURE_OPTS="@CONFIGURE_ARGS@"
-          BUILD_TARGET="@TEST_TARGETS@" ;
-      else
-        make vm-build-@NAME@ J=$(getconf _NPROCESSORS_ONLN) BUILD_TARGET=help
-          EXTRA_CONFIGURE_OPTS="--disable-system --disable-user --disable-tools" ;
-      fi
--- a/.gitlab-ci.d/cirrus/macos-11.vars
+++ b/.gitlab-ci.d/cirrus/macos-11.vars
@@ -0,0 +1,15 @@
+# THIS FILE WAS AUTO-GENERATED
+#
+#  $ lcitool variables macos-11 qemu
+#
+# https://gitlab.com/libvirt/libvirt-ci/-/commit/c7e275ab27ac0dcd09da290817b9adeea1fd1eb1
+
+PACKAGING_COMMAND='brew'
+CCACHE='/usr/local/bin/ccache'
+MAKE='/usr/local/bin/gmake'
+NINJA='/usr/local/bin/ninja'
+PYTHON='/usr/local/bin/python3'
+PIP3='/usr/local/bin/pip3'
+PKGS='bash bc bzip2 capstone ccache cpanminus ctags curl dbus diffutils gcovr gettext git glib gnu-sed gnutls gtk+3 jemalloc jpeg-turbo libepoxy libffi libgcrypt libiscsi libnfs libpng libslirp libssh libtasn1 libusb libxml2 llvm lzo make meson ncurses nettle ninja perl pixman pkg-config python3 rpm2cpio sdl2 sdl2_image snappy sparse spice-protocol tesseract texinfo usbredir vde vte3 zlib zstd'
+PYPI_PKGS='PyYAML numpy pillow sphinx sphinx-rtd-theme virtualenv'
+CPAN_PKGS='Test::Harness'
--- a/.gitlab-ci.d/cirrus/macos-12.vars
+++ b/.gitlab-ci.d/cirrus/macos-12.vars
@@ -1,16 +0,0 @@
-# THIS FILE WAS AUTO-GENERATED
-#
-#  $ lcitool variables macos-12 qemu
-#
-# https://gitlab.com/libvirt/libvirt-ci
-
-CCACHE='/opt/homebrew/bin/ccache'
-CPAN_PKGS=''
-CROSS_PKGS=''
-MAKE='/opt/homebrew/bin/gmake'
-NINJA='/opt/homebrew/bin/ninja'
-PACKAGING_COMMAND='brew'
-PIP3='/opt/homebrew/bin/pip3'
-PKGS='bash bc bison bzip2 capstone ccache cmocka ctags curl dbus diffutils dtc flex gcovr gettext git glib gnu-sed gnutls gtk+3 jemalloc jpeg-turbo json-c libepoxy libffi libgcrypt libiscsi libnfs libpng libslirp libssh libtasn1 libusb llvm lzo make meson mtools ncurses nettle ninja pixman pkg-config python3 rpm2cpio sdl2 sdl2_image snappy socat sparse spice-protocol swtpm tesseract usbredir vde vte3 xorriso zlib zstd'
-PYPI_PKGS='PyYAML numpy pillow sphinx sphinx-rtd-theme tomli'
-PYTHON='/opt/homebrew/bin/python3'
--- a/.gitlab-ci.d/container-core.yml
+++ b/.gitlab-ci.d/container-core.yml
@@ -10,3 +10,8 @@ amd64-fedora-container:
  extends: .container_job_template
  variables:
    NAME: fedora
+
+amd64-debian10-container:
+  extends: .container_job_template
+  variables:
+    NAME: debian10
--- a/.gitlab-ci.d/container-cross.yml
+++ b/.gitlab-ci.d/container-cross.yml
@@ -1,87 +1,169 @@
+alpha-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-alpha-cross
+
 amd64-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-amd64-cross

 amd64-debian-user-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-all-test-cross

-amd64-debian-legacy-cross-container:
-  extends: .container_job_template
-  stage: containers
-  variables:
-    NAME: debian-legacy-test-cross
-
 arm64-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-arm64-cross

+arm64-test-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian11-container']
+  variables:
+    NAME: debian-arm64-test-cross
+
 armel-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-armel-cross

 armhf-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-armhf-cross

+# We never want to build hexagon in the CI system and by default we
+# always want to refer to the master registry where it lives.
 hexagon-cross-container:
-  extends: .container_job_template
+  image: docker:stable
  stage: containers
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project"'
+      when: never
+    - when: always
  variables:
    NAME: debian-hexagon-cross
+    GIT_DEPTH: 1
+  services:
+    - docker:dind
+  before_script:
+    - export TAG="$CI_REGISTRY_IMAGE/qemu/$NAME:latest"
+    - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/qemu/$NAME:latest"
+    - docker info
+    - docker login $CI_REGISTRY -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
+  script:
+    - echo "TAG:$TAG"
+    - echo "COMMON_TAG:$COMMON_TAG"
+    - docker pull $COMMON_TAG
+    - docker tag $COMMON_TAG $TAG
+    - docker push "$TAG"
+  after_script:
+    - docker logout

-loongarch-debian-cross-container:
+hppa-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
-    NAME: debian-loongarch-cross
+    NAME: debian-hppa-cross
+
+m68k-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-m68k-cross
+
+mips64-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-mips64-cross

 mips64el-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-mips64el-cross

+mips-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-mips-cross
+
 mipsel-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-mipsel-cross

+powerpc-test-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian11-container']
+  variables:
+    NAME: debian-powerpc-test-cross
+
 ppc64el-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-ppc64el-cross

 riscv64-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
  # as we are currently based on 'sid/unstable' we may break so...
  allow_failure: true
  variables:
    NAME: debian-riscv64-cross
-    QEMU_JOB_OPTIONAL: 1

 s390x-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-s390x-cross

+sh4-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-sh4-cross
+
+sparc64-debian-cross-container:
+  extends: .container_job_template
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
+  variables:
+    NAME: debian-sparc64-cross
+
 tricore-debian-cross-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-tricore-cross

--- a/.gitlab-ci.d/container-template.yml
+++ b/.gitlab-ci.d/container-template.yml
@@ -1,21 +1,21 @@
 .container_job_template:
-  extends: .base_job_template
-  image: docker:latest
+  image: docker:stable
  stage: containers
  services:
    - docker:dind
  before_script:
-    - export TAG="$CI_REGISTRY_IMAGE/qemu/$NAME:$QEMU_CI_CONTAINER_TAG"
-    # Always ':latest' because we always use upstream as a common cache source
-    - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/qemu/$NAME:latest"
+    - export TAG="$CI_REGISTRY_IMAGE/qemu/$NAME:latest"
+    - export COMMON_TAG="$CI_REGISTRY/qemu-project/qemu/$NAME:latest"
+    - apk add python3
+    - docker info
    - docker login $CI_REGISTRY -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
-    - until docker info; do sleep 1; done
  script:
    - echo "TAG:$TAG"
    - echo "COMMON_TAG:$COMMON_TAG"
-    - docker build --tag "$TAG" --cache-from "$TAG" --cache-from "$COMMON_TAG"
-      --build-arg BUILDKIT_INLINE_CACHE=1
-      -f "tests/docker/dockerfiles/$NAME.docker" "."
+    - ./tests/docker/docker.py --engine docker build
+          -t "qemu/$NAME" -f "tests/docker/dockerfiles/$NAME.docker"
+          -r $CI_REGISTRY/qemu-project/qemu
+    - docker tag "qemu/$NAME" "$TAG"
    - docker push "$TAG"
  after_script:
    - docker logout
--- a/.gitlab-ci.d/containers.yml
+++ b/.gitlab-ci.d/containers.yml
@@ -7,16 +7,32 @@ amd64-alpine-container:
  variables:
    NAME: alpine

+amd64-debian11-container:
+  extends: .container_job_template
+  variables:
+    NAME: debian11
+
 amd64-debian-container:
  extends: .container_job_template
-  stage: containers
+  stage: containers-layer2
+  needs: ['amd64-debian10-container']
  variables:
    NAME: debian-amd64

-amd64-ubuntu2204-container:
+amd64-ubuntu1804-container:
  extends: .container_job_template
  variables:
-    NAME: ubuntu2204
+    NAME: ubuntu1804
+
+amd64-ubuntu2004-container:
+  extends: .container_job_template
+  variables:
+    NAME: ubuntu2004
+
+amd64-ubuntu-container:
+  extends: .container_job_template
+  variables:
+    NAME: ubuntu

 amd64-opensuse-leap-container:
  extends: .container_job_template
--- a/.gitlab-ci.d/crossbuild-template.yml
+++ b/.gitlab-ci.d/crossbuild-template.yml
@@ -1,34 +1,22 @@
 .cross_system_build_job:
-  extends: .base_job_template
  stage: build
-  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:$QEMU_CI_CONTAINER_TAG
-  cache:
-    paths:
-      - ccache
-    key: "$CI_JOB_NAME"
-    when: always
+  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest
  timeout: 80m
  script:
-    - export CCACHE_BASEDIR="$(pwd)"
-    - export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    - export CCACHE_MAXSIZE="500M"
-    - export PATH="$CCACHE_WRAPPERSDIR:$PATH"
    - mkdir build
    - cd build
-    - ccache --zero-stats
-    - ../configure --enable-werror --disable-docs --enable-fdt=system
-        --disable-user $QEMU_CONFIGURE_OPTS $EXTRA_CONFIGURE_OPTS
-        --target-list-exclude="arm-softmmu cris-softmmu
+    - PKG_CONFIG_PATH=$PKG_CONFIG_PATH
+      ../configure --enable-werror --disable-docs $QEMU_CONFIGURE_OPTS
+        --disable-user --target-list-exclude="arm-softmmu cris-softmmu
          i386-softmmu microblaze-softmmu mips-softmmu mipsel-softmmu
          mips64-softmmu ppc-softmmu riscv32-softmmu sh4-softmmu
          sparc-softmmu xtensa-softmmu $CROSS_SKIP_TARGETS"
    - make -j$(expr $(nproc) + 1) all check-build $MAKE_CHECK_ARGS
    - if grep -q "EXESUF=.exe" config-host.mak;
      then make installer;
-      version="$(git describe --match v[0-9]* 2>/dev/null || git rev-parse --short HEAD)";
+      version="$(git describe --match v[0-9]*)";
      mv -v qemu-setup*.exe qemu-setup-${version}.exe;
      fi
-    - ccache --show-stats

 # Job to cross-build specific accelerators.
 #
@@ -36,54 +24,24 @@
 # KVM), and set extra options (such disabling other accelerators) via the
 # $EXTRA_CONFIGURE_OPTS variable.
 .cross_accel_build_job:
-  extends: .base_job_template
  stage: build
-  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest
  timeout: 30m
-  cache:
-    paths:
-      - ccache/
-    key: "$CI_JOB_NAME"
  script:
-    - export CCACHE_BASEDIR="$(pwd)"
-    - export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    - export CCACHE_MAXSIZE="500M"
-    - export PATH="$CCACHE_WRAPPERSDIR:$PATH"
    - mkdir build
    - cd build
-    - ../configure --enable-werror --disable-docs $QEMU_CONFIGURE_OPTS
+    - PKG_CONFIG_PATH=$PKG_CONFIG_PATH
+      ../configure --enable-werror --disable-docs $QEMU_CONFIGURE_OPTS
        --disable-tools --enable-${ACCEL:-kvm} $EXTRA_CONFIGURE_OPTS
    - make -j$(expr $(nproc) + 1) all check-build $MAKE_CHECK_ARGS

 .cross_user_build_job:
-  extends: .base_job_template
  stage: build
-  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:$QEMU_CI_CONTAINER_TAG
-  cache:
-    paths:
-      - ccache/
-    key: "$CI_JOB_NAME"
+  image: $CI_REGISTRY_IMAGE/qemu/$IMAGE:latest
  script:
-    - export CCACHE_BASEDIR="$(pwd)"
-    - export CCACHE_DIR="$CCACHE_BASEDIR/ccache"
-    - export CCACHE_MAXSIZE="500M"
    - mkdir build
    - cd build
-    - ../configure --enable-werror --disable-docs $QEMU_CONFIGURE_OPTS
-        --disable-system --target-list-exclude="aarch64_be-linux-user
-          alpha-linux-user cris-linux-user m68k-linux-user microblazeel-linux-user
-          nios2-linux-user or1k-linux-user ppc-linux-user sparc-linux-user
-          xtensa-linux-user $CROSS_SKIP_TARGETS"
+    - PKG_CONFIG_PATH=$PKG_CONFIG_PATH
+      ../configure --enable-werror --disable-docs $QEMU_CONFIGURE_OPTS
+        --disable-system
    - make -j$(expr $(nproc) + 1) all check-build $MAKE_CHECK_ARGS
-
-# We can still run some tests on some of our cross build jobs. They can add this
-# template to their extends to save the build logs and test results
-.cross_test_artifacts:
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
-    when: always
-    expire_in: 7 days
-    paths:
-      - build/meson-logs/testlog.txt
-    reports:
-      junit: build/meson-logs/testlog.junit.xml
--- a/.gitlab-ci.d/crossbuilds.yml
+++ b/.gitlab-ci.d/crossbuilds.yml
@@ -1,6 +1,13 @@
 include:
  - local: '/.gitlab-ci.d/crossbuild-template.yml'

+cross-armel-system:
+  extends: .cross_system_build_job
+  needs:
+    job: armel-debian-cross-container
+  variables:
+    IMAGE: debian-armel-cross
+
 cross-armel-user:
  extends: .cross_user_build_job
  needs:
@@ -8,6 +15,13 @@ cross-armel-user:
  variables:
    IMAGE: debian-armel-cross

+cross-armhf-system:
+  extends: .cross_system_build_job
+  needs:
+    job: armhf-debian-cross-container
+  variables:
+    IMAGE: debian-armhf-cross
+
 cross-armhf-user:
  extends: .cross_user_build_job
  needs:
@@ -29,18 +43,16 @@ cross-arm64-user:
  variables:
    IMAGE: debian-arm64-cross

-cross-arm64-kvm-only:
-  extends: .cross_accel_build_job
+cross-i386-system:
+  extends: .cross_system_build_job
  needs:
-    job: arm64-debian-cross-container
+    job: i386-fedora-cross-container
  variables:
-    IMAGE: debian-arm64-cross
-    EXTRA_CONFIGURE_OPTS: --disable-tcg --without-default-features
+    IMAGE: fedora-i386-cross
+    MAKE_CHECK_ARGS: check-qtest

 cross-i386-user:
-  extends:
-    - .cross_user_build_job
-    - .cross_test_artifacts
+  extends: .cross_user_build_job
  needs:
    job: i386-fedora-cross-container
  variables:
@@ -48,18 +60,28 @@ cross-i386-user:
    MAKE_CHECK_ARGS: check

 cross-i386-tci:
-  extends:
-    - .cross_accel_build_job
-    - .cross_test_artifacts
+  extends: .cross_accel_build_job
  timeout: 60m
-  needs:
-    job: i386-fedora-cross-container
  variables:
    IMAGE: fedora-i386-cross
    ACCEL: tcg-interpreter
-    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user --disable-plugins
+    EXTRA_CONFIGURE_OPTS: --target-list=i386-softmmu,i386-linux-user,aarch64-softmmu,aarch64-linux-user,ppc-softmmu,ppc-linux-user
    MAKE_CHECK_ARGS: check check-tcg

+cross-mips-system:
+  extends: .cross_system_build_job
+  needs:
+    job: mips-debian-cross-container
+  variables:
+    IMAGE: debian-mips-cross
+
+cross-mips-user:
+  extends: .cross_user_build_job
+  needs:
+    job: mips-debian-cross-container
+  variables:
+    IMAGE: debian-mips-cross
+
 cross-mipsel-system:
  extends: .cross_system_build_job
  needs:
@@ -102,14 +124,6 @@ cross-ppc64el-user:
  variables:
    IMAGE: debian-ppc64el-cross

-cross-ppc64el-kvm-only:
-  extends: .cross_accel_build_job
-  needs:
-    job: ppc64el-debian-cross-container
-  variables:
-    IMAGE: debian-ppc64el-cross
-    EXTRA_CONFIGURE_OPTS: --disable-tcg --without-default-devices
-
 # The riscv64 cross-builds currently use a 'sid' container to get
 # compilers and libraries. Until something more stable is found we
 # allow_failure so as not to block CI.
@@ -149,7 +163,7 @@ cross-s390x-kvm-only:
    job: s390x-debian-cross-container
  variables:
    IMAGE: debian-s390x-cross
-    EXTRA_CONFIGURE_OPTS: --disable-tcg --enable-trace-backends=ftrace
+    EXTRA_CONFIGURE_OPTS: --disable-tcg

 cross-mips64el-kvm-only:
  extends: .cross_accel_build_job
@@ -165,11 +179,9 @@ cross-win32-system:
    job: win32-fedora-cross-container
  variables:
    IMAGE: fedora-win32-cross
-    EXTRA_CONFIGURE_OPTS: --enable-fdt=internal --disable-plugins
    CROSS_SKIP_TARGETS: alpha-softmmu avr-softmmu hppa-softmmu m68k-softmmu
                        microblazeel-softmmu mips64el-softmmu nios2-softmmu
  artifacts:
-    when: on_success
    paths:
      - build/qemu-setup*.exe

@@ -179,13 +191,9 @@ cross-win64-system:
    job: win64-fedora-cross-container
  variables:
    IMAGE: fedora-win64-cross
-    EXTRA_CONFIGURE_OPTS: --enable-fdt=internal --disable-plugins
-    CROSS_SKIP_TARGETS: alpha-softmmu avr-softmmu hppa-softmmu
-                        m68k-softmmu microblazeel-softmmu nios2-softmmu
-                        or1k-softmmu rx-softmmu sh4eb-softmmu sparc64-softmmu
+    CROSS_SKIP_TARGETS: or1k-softmmu rx-softmmu sh4eb-softmmu sparc64-softmmu
                        tricore-softmmu xtensaeb-softmmu
  artifacts:
-    when: on_success
    paths:
      - build/qemu-setup*.exe

--- a/.gitlab-ci.d/custom-runners.yml
+++ b/.gitlab-ci.d/custom-runners.yml
@@ -13,22 +13,7 @@
 variables:
  GIT_STRATEGY: clone

-# All custom runners can extend this template to upload the testlog
-# data as an artifact and also feed the junit report
-.custom_runner_template:
-  extends: .base_job_template
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
-    expire_in: 7 days
-    when: always
-    paths:
-      - build/build.ninja
-      - build/meson-logs
-    reports:
-      junit: build/meson-logs/testlog.junit.xml
-
 include:
-  - local: '/.gitlab-ci.d/custom-runners/ubuntu-20.04-s390x.yml'
-  - local: '/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch64.yml'
-  - local: '/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch32.yml'
+  - local: '/.gitlab-ci.d/custom-runners/ubuntu-18.04-s390x.yml'
+  - local: '/.gitlab-ci.d/custom-runners/ubuntu-20.04-aarch64.yml'
  - local: '/.gitlab-ci.d/custom-runners/centos-stream-8-x86_64.yml'
--- a/.gitlab-ci.d/custom-runners/centos-stream-8-x86_64.yml
+++ b/.gitlab-ci.d/custom-runners/centos-stream-8-x86_64.yml
@@ -1,9 +1,4 @@
-# All centos-stream-8 jobs should run successfully in an environment
-# setup by the scripts/ci/setup/stream/8/build-environment.yml task
-# "Installation of extra packages to build QEMU"
-
 centos-stream-8-x86_64:
- extends: .custom_runner_template
 allow_failure: true
 needs: []
 stage: build
@@ -13,12 +8,21 @@ centos-stream-8-x86_64:
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
 - if: "$CENTOS_STREAM_8_x86_64_RUNNER_AVAILABLE"
+ artifacts:
+   name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
+   when: on_failure
+   expire_in: 7 days
+   paths:
+     - build/tests/results/latest/results.xml
+     - build/tests/results/latest/test-results
+   reports:
+     junit: build/tests/results/latest/results.xml
 before_script:
 - JOBS=$(expr $(nproc) + 1)
 script:
 - mkdir build
 - cd build
 - ../scripts/ci/org.centos/stream/8/x86_64/configure
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make -j"$JOBS"
- - make NINJA=":" check check-avocado
+ - make NINJA=":" check
+ - ../scripts/ci/org.centos/stream/8/x86_64/test-avocado
--- a/.gitlab-ci.d/custom-runners/ubuntu-18.04-s390x.yml
+++ b/.gitlab-ci.d/custom-runners/ubuntu-18.04-s390x.yml
@@ -1,13 +1,12 @@
-# All ubuntu-20.04 jobs should run successfully in an environment
+# All ubuntu-18.04 jobs should run successfully in an environment
 # setup by the scripts/ci/setup/build-environment.yml task
-# "Install basic packages to build QEMU on Ubuntu 20.04/20.04"
+# "Install basic packages to build QEMU on Ubuntu 18.04/20.04"

-ubuntu-20.04-s390x-all-linux-static:
- extends: .custom_runner_template
+ubuntu-18.04-s390x-all-linux-static:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
@@ -18,19 +17,16 @@ ubuntu-20.04-s390x-all-linux-static:
 - mkdir build
 - cd build
 - ../configure --enable-debug --static --disable-system --disable-glusterfs --disable-libssh
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make --output-sync -j`nproc`
- - make --output-sync check-tcg
- - make --output-sync -j`nproc` check
+ - make --output-sync -j`nproc` check V=1
+ - make --output-sync -j`nproc` check-tcg V=1

-ubuntu-20.04-s390x-all:
- extends: .custom_runner_template
+ubuntu-18.04-s390x-all:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
- timeout: 75m
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
 - if: "$S390X_RUNNER_AVAILABLE"
@@ -38,16 +34,14 @@ ubuntu-20.04-s390x-all:
 - mkdir build
 - cd build
 - ../configure --disable-libssh
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make --output-sync -j`nproc`
- - make --output-sync -j`nproc` check
+ - make --output-sync -j`nproc` check V=1

-ubuntu-20.04-s390x-alldbg:
- extends: .custom_runner_template
+ubuntu-18.04-s390x-alldbg:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
@@ -60,17 +54,15 @@ ubuntu-20.04-s390x-alldbg:
 - mkdir build
 - cd build
 - ../configure --enable-debug --disable-libssh
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make clean
 - make --output-sync -j`nproc`
- - make --output-sync -j`nproc` check
+ - make --output-sync -j`nproc` check V=1

-ubuntu-20.04-s390x-clang:
- extends: .custom_runner_template
+ubuntu-18.04-s390x-clang:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
@@ -83,15 +75,14 @@ ubuntu-20.04-s390x-clang:
 - mkdir build
 - cd build
 - ../configure --disable-libssh --cc=clang --cxx=clang++ --enable-sanitizers
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make --output-sync -j`nproc`
- - make --output-sync -j`nproc` check
+ - make --output-sync -j`nproc` check V=1

-ubuntu-20.04-s390x-tci:
+ubuntu-18.04-s390x-tci:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
@@ -104,15 +95,13 @@ ubuntu-20.04-s390x-tci:
 - mkdir build
 - cd build
 - ../configure --disable-libssh --enable-tcg-interpreter
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make --output-sync -j`nproc`

-ubuntu-20.04-s390x-notcg:
- extends: .custom_runner_template
+ubuntu-18.04-s390x-notcg:
 needs: []
 stage: build
 tags:
- - ubuntu_20.04
+ - ubuntu_18.04
 - s390x
 rules:
 - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
@@ -125,6 +114,5 @@ ubuntu-20.04-s390x-notcg:
 - mkdir build
 - cd build
 - ../configure --disable-libssh --disable-tcg
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
 - make --output-sync -j`nproc`
- - make --output-sync -j`nproc` check
+ - make --output-sync -j`nproc` check V=1
--- a/.gitlab-ci.d/custom-runners/ubuntu-20.04-aarch64.yml
+++ b/.gitlab-ci.d/custom-runners/ubuntu-20.04-aarch64.yml
@@ -0,0 +1,118 @@
+# All ubuntu-20.04 jobs should run successfully in an environment
+# setup by the scripts/ci/setup/qemu/build-environment.yml task
+# "Install basic packages to build QEMU on Ubuntu 18.04/20.04"
+
+ubuntu-20.04-aarch64-all-linux-static:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+ script:
+ # --disable-libssh is needed because of https://bugs.launchpad.net/qemu/+bug/1838763
+ # --disable-glusterfs is needed because there's no static version of those libs in distro supplied packages
+ - mkdir build
+ - cd build
+ - ../configure --enable-debug --static --disable-system --disable-glusterfs --disable-libssh
+ - make --output-sync -j`nproc`
+ - make --output-sync -j`nproc` check V=1
+ - make --output-sync -j`nproc` check-tcg V=1
+
+ubuntu-20.04-aarch64-all:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+   when: manual
+   allow_failure: true
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+   when: manual
+   allow_failure: true
+ script:
+ - mkdir build
+ - cd build
+ - ../configure --disable-libssh
+ - make --output-sync -j`nproc`
+ - make --output-sync -j`nproc` check V=1
+
+ubuntu-20.04-aarch64-alldbg:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+ script:
+ - mkdir build
+ - cd build
+ - ../configure --enable-debug --disable-libssh
+ - make clean
+ - make --output-sync -j`nproc`
+ - make --output-sync -j`nproc` check V=1
+
+ubuntu-20.04-aarch64-clang:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+   when: manual
+   allow_failure: true
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+   when: manual
+   allow_failure: true
+ script:
+ - mkdir build
+ - cd build
+ - ../configure --disable-libssh --cc=clang-10 --cxx=clang++-10 --enable-sanitizers
+ - make --output-sync -j`nproc`
+ - make --output-sync -j`nproc` check V=1
+
+ubuntu-20.04-aarch64-tci:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+   when: manual
+   allow_failure: true
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+   when: manual
+   allow_failure: true
+ script:
+ - mkdir build
+ - cd build
+ - ../configure --disable-libssh --enable-tcg-interpreter
+ - make --output-sync -j`nproc`
+
+ubuntu-20.04-aarch64-notcg:
+ needs: []
+ stage: build
+ tags:
+ - ubuntu_20.04
+ - aarch64
+ rules:
+ - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
+   when: manual
+   allow_failure: true
+ - if: "$AARCH64_RUNNER_AVAILABLE"
+   when: manual
+   allow_failure: true
+ script:
+ - mkdir build
+ - cd build
+ - ../configure --disable-libssh --disable-tcg
+ - make --output-sync -j`nproc`
+ - make --output-sync -j`nproc` check V=1
--- a/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch32.yml
+++ b/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch32.yml
@@ -1,25 +0,0 @@
-# All ubuntu-22.04 jobs should run successfully in an environment
-# setup by the scripts/ci/setup/qemu/build-environment.yml task
-# "Install basic packages to build QEMU on Ubuntu 22.04"
-
-ubuntu-22.04-aarch32-all:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch32
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH32_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure --cross-prefix=arm-linux-gnueabihf-
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
--- a/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch64.yml
+++ b/.gitlab-ci.d/custom-runners/ubuntu-22.04-aarch64.yml
@@ -1,151 +0,0 @@
-# All ubuntu-22.04 jobs should run successfully in an environment
-# setup by the scripts/ci/setup/qemu/build-environment.yml task
-# "Install basic packages to build QEMU on Ubuntu 22.04"
-
-ubuntu-22.04-aarch64-all-linux-static:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
- - if: "$AARCH64_RUNNER_AVAILABLE"
- script:
- - mkdir build
- - cd build
- # Disable -static-pie due to build error with system libc:
- # https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1987438
- - ../configure --enable-debug --static --disable-system --disable-pie
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make check-tcg
- - make --output-sync -j`nproc --ignore=40` check
-
-ubuntu-22.04-aarch64-all:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH64_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
-
-ubuntu-22.04-aarch64-without-defaults:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH64_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure --disable-user --without-default-devices --without-default-features
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
-
-ubuntu-22.04-aarch64-alldbg:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
- - if: "$AARCH64_RUNNER_AVAILABLE"
- script:
- - mkdir build
- - cd build
- - ../configure --enable-debug
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make clean
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
-
-ubuntu-22.04-aarch64-clang:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH64_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure --disable-libssh --cc=clang --cxx=clang++ --enable-sanitizers
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
-
-ubuntu-22.04-aarch64-tci:
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH64_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure --enable-tcg-interpreter
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
-
-ubuntu-22.04-aarch64-notcg:
- extends: .custom_runner_template
- needs: []
- stage: build
- tags:
- - ubuntu_22.04
- - aarch64
- rules:
- - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH =~ /^staging/'
-   when: manual
-   allow_failure: true
- - if: "$AARCH64_RUNNER_AVAILABLE"
-   when: manual
-   allow_failure: true
- script:
- - mkdir build
- - cd build
- - ../configure --disable-tcg --with-devices-aarch64=minimal
-   || { cat config.log meson-logs/meson-log.txt; exit 1; }
- - make --output-sync -j`nproc --ignore=40`
- - make --output-sync -j`nproc --ignore=40` check
--- a/.gitlab-ci.d/edk2.yml
+++ b/.gitlab-ci.d/edk2.yml
@@ -0,0 +1,60 @@
+# All jobs needing docker-edk2 must use the same rules it uses.
+.edk2_job_rules:
+ rules: # Only run this job when ...
+ - changes:
+   # this file is modified
+   - .gitlab-ci.d/edk2.yml
+   # or the Dockerfile is modified
+   - .gitlab-ci.d/edk2/Dockerfile
+   # or roms/edk2/ is modified (submodule updated)
+   - roms/edk2/*
+   when: on_success
+ - if: '$CI_COMMIT_REF_NAME =~ /^edk2/' # or the branch/tag starts with 'edk2'
+   when: on_success
+ - if: '$CI_COMMIT_MESSAGE =~ /edk2/i' # or last commit description contains 'EDK2'
+   when: on_success
+
+docker-edk2:
+ extends: .edk2_job_rules
+ stage: containers
+ image: docker:19.03.1
+ services:
+ - docker:19.03.1-dind
+ variables:
+  GIT_DEPTH: 3
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:edk2-cross-build
+  # We don't use TLS
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_TLS_CERTDIR: ""
+ before_script:
+ - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+ script:
+ - docker pull $IMAGE_TAG || true
+ - docker build --cache-from $IMAGE_TAG --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+                                        --tag $IMAGE_TAG .gitlab-ci.d/edk2
+ - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+ - docker push $IMAGE_TAG
+
+build-edk2:
+ extends: .edk2_job_rules
+ stage: build
+ needs: ['docker-edk2']
+ artifacts:
+   paths: # 'artifacts.zip' will contains the following files:
+   - pc-bios/edk2*bz2
+   - pc-bios/edk2-licenses.txt
+   - edk2-stdout.log
+   - edk2-stderr.log
+ image: $CI_REGISTRY_IMAGE:edk2-cross-build
+ variables:
+   GIT_DEPTH: 3
+ script: # Clone the required submodules and build EDK2
+ - git submodule update --init roms/edk2
+ - git -C roms/edk2 submodule update --init --
+     ArmPkg/Library/ArmSoftFloatLib/berkeley-softfloat-3
+     BaseTools/Source/C/BrotliCompress/brotli
+     CryptoPkg/Library/OpensslLib/openssl
+     MdeModulePkg/Library/BrotliCustomDecompressLib/brotli
+ - export JOBS=$(($(getconf _NPROCESSORS_ONLN) + 1))
+ - echo "=== Using ${JOBS} simultaneous jobs ==="
+ - make -j${JOBS} -C roms efi 2>&1 1>edk2-stdout.log | tee -a edk2-stderr.log >&2
--- a/.gitlab-ci.d/edk2/Dockerfile
+++ b/.gitlab-ci.d/edk2/Dockerfile
@@ -0,0 +1,27 @@
+#
+# Docker image to cross-compile EDK2 firmware binaries
+#
+FROM ubuntu:16.04
+
+MAINTAINER Philippe Mathieu-Daudé <philmd@redhat.com>
+
+# Install packages required to build EDK2
+RUN apt update \
+    && \
+    \
+    DEBIAN_FRONTEND=noninteractive \
+    apt install --assume-yes --no-install-recommends \
+        build-essential \
+        ca-certificates \
+        dos2unix \
+        gcc-aarch64-linux-gnu \
+        gcc-arm-linux-gnueabi \
+        git \
+        iasl \
+        make \
+        nasm \
+        python \
+        uuid-dev \
+    && \
+    \
+    rm -rf /var/lib/apt/lists/*
--- a/.gitlab-ci.d/opensbi.yml
+++ b/.gitlab-ci.d/opensbi.yml
@@ -1,84 +1,63 @@
 # All jobs needing docker-opensbi must use the same rules it uses.
 .opensbi_job_rules:
-  rules:
-    # Forks don't get pipelines unless QEMU_CI=1 or QEMU_CI=2 is set
-    - if: '$QEMU_CI != "1" && $QEMU_CI != "2" && $CI_PROJECT_NAMESPACE != "qemu-project"'
-      when: never
-
-    # In forks, if QEMU_CI=1 is set, then create manual job
-    # if any files affecting the build output are touched
-    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE != "qemu-project"'
-      changes:
-        - .gitlab-ci.d/opensbi.yml
-        - .gitlab-ci.d/opensbi/Dockerfile
-        - roms/opensbi/*
-      when: manual
-
-    # In forks, if QEMU_CI=1 is set, then create manual job
-    # if the branch/tag starts with 'opensbi'
-    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE != "qemu-project" && $CI_COMMIT_REF_NAME =~ /^opensbi/'
-      when: manual
-
-    # In forks, if QEMU_CI=1 is set, then create manual job
-    # if the last commit msg contains 'OpenSBI' (case insensitive)
-    - if: '$QEMU_CI == "1" && $CI_PROJECT_NAMESPACE != "qemu-project" && $CI_COMMIT_MESSAGE =~ /opensbi/i'
-      when: manual
-
-    # Run if any files affecting the build output are touched
-    - changes:
-        - .gitlab-ci.d/opensbi.yml
-        - .gitlab-ci.d/opensbi/Dockerfile
-        - roms/opensbi/*
-      when: on_success
-
-    # Run if the branch/tag starts with 'opensbi'
-    - if: '$CI_COMMIT_REF_NAME =~ /^opensbi/'
-      when: on_success
-
-    # Run if the last commit msg contains 'OpenSBI' (case insensitive)
-    - if: '$CI_COMMIT_MESSAGE =~ /opensbi/i'
-      when: on_success
+ rules: # Only run this job when ...
+ - changes:
+   # this file is modified
+   - .gitlab-ci.d/opensbi.yml
+   # or the Dockerfile is modified
+   - .gitlab-ci.d/opensbi/Dockerfile
+   when: on_success
+ - changes: # or roms/opensbi/ is modified (submodule updated)
+   - roms/opensbi/*
+   when: on_success
+ - if: '$CI_COMMIT_REF_NAME =~ /^opensbi/' # or the branch/tag starts with 'opensbi'
+   when: on_success
+ - if: '$CI_COMMIT_MESSAGE =~ /opensbi/i' # or last commit description contains 'OpenSBI'
+   when: on_success

 docker-opensbi:
-  extends: .opensbi_job_rules
-  stage: containers
-  image: docker:latest
-  services:
-    - docker:dind
-  variables:
-    GIT_DEPTH: 3
-    IMAGE_TAG: $CI_REGISTRY_IMAGE:opensbi-cross-build
-  before_script:
-    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-    - until docker info; do sleep 1; done
-  script:
-    - docker pull $IMAGE_TAG || true
-    - docker build --cache-from $IMAGE_TAG --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
-                                           --tag $IMAGE_TAG .gitlab-ci.d/opensbi
-    - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
-    - docker push $IMAGE_TAG
+ extends: .opensbi_job_rules
+ stage: containers
+ image: docker:19.03.1
+ services:
+ - docker:19.03.1-dind
+ variables:
+  GIT_DEPTH: 3
+  IMAGE_TAG: $CI_REGISTRY_IMAGE:opensbi-cross-build
+  # We don't use TLS
+  DOCKER_HOST: tcp://docker:2375
+  DOCKER_TLS_CERTDIR: ""
+ before_script:
+ - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+ script:
+ - docker pull $IMAGE_TAG || true
+ - docker build --cache-from $IMAGE_TAG --tag $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+                                        --tag $IMAGE_TAG .gitlab-ci.d/opensbi
+ - docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
+ - docker push $IMAGE_TAG

 build-opensbi:
-  extends: .opensbi_job_rules
-  stage: build
-  needs: ['docker-opensbi']
-  artifacts:
-    when: on_success
-    paths: # 'artifacts.zip' will contains the following files:
-      - pc-bios/opensbi-riscv32-generic-fw_dynamic.bin
-      - pc-bios/opensbi-riscv64-generic-fw_dynamic.bin
-      - opensbi32-generic-stdout.log
-      - opensbi32-generic-stderr.log
-      - opensbi64-generic-stdout.log
-      - opensbi64-generic-stderr.log
-  image: $CI_REGISTRY_IMAGE:opensbi-cross-build
-  variables:
-    GIT_DEPTH: 3
-  script: # Clone the required submodules and build OpenSBI
-    - git submodule update --init roms/opensbi
-    - export JOBS=$(($(getconf _NPROCESSORS_ONLN) + 1))
-    - echo "=== Using ${JOBS} simultaneous jobs ==="
-    - make -j${JOBS} -C roms/opensbi clean
-    - make -j${JOBS} -C roms opensbi32-generic 2>&1 1>opensbi32-generic-stdout.log | tee -a opensbi32-generic-stderr.log >&2
-    - make -j${JOBS} -C roms/opensbi clean
-    - make -j${JOBS} -C roms opensbi64-generic 2>&1 1>opensbi64-generic-stdout.log | tee -a opensbi64-generic-stderr.log >&2
+ extends: .opensbi_job_rules
+ stage: build
+ needs: ['docker-opensbi']
+ artifacts:
+   paths: # 'artifacts.zip' will contains the following files:
+   - pc-bios/opensbi-riscv32-generic-fw_dynamic.bin
+   - pc-bios/opensbi-riscv32-generic-fw_dynamic.elf
+   - pc-bios/opensbi-riscv64-generic-fw_dynamic.bin
+   - pc-bios/opensbi-riscv64-generic-fw_dynamic.elf
+   - opensbi32-generic-stdout.log
+   - opensbi32-generic-stderr.log
+   - opensbi64-generic-stdout.log
+   - opensbi64-generic-stderr.log
+ image: $CI_REGISTRY_IMAGE:opensbi-cross-build
+ variables:
+   GIT_DEPTH: 3
+ script: # Clone the required submodules and build OpenSBI
+ - git submodule update --init roms/opensbi
+ - export JOBS=$(($(getconf _NPROCESSORS_ONLN) + 1))
+ - echo "=== Using ${JOBS} simultaneous jobs ==="
+ - make -j${JOBS} -C roms/opensbi clean
+ - make -j${JOBS} -C roms opensbi32-generic 2>&1 1>opensbi32-generic-stdout.log | tee -a opensbi32-generic-stderr.log >&2
+ - make -j${JOBS} -C roms/opensbi clean
+ - make -j${JOBS} -C roms opensbi64-generic 2>&1 1>opensbi64-generic-stdout.log | tee -a opensbi64-generic-stderr.log >&2
--- a/.gitlab-ci.d/opensbi/Dockerfile
+++ b/.gitlab-ci.d/opensbi/Dockerfile
@@ -15,7 +15,6 @@ RUN apt update \
        ca-certificates \
        git \
        make \
-	python3 \
        wget \
    && \
    \
--- a/.gitlab-ci.d/qemu-project.yml
+++ b/.gitlab-ci.d/qemu-project.yml
@@ -1,16 +1,9 @@
 # This file contains the set of jobs run by the QEMU project:
 # https://gitlab.com/qemu-project/qemu/-/pipelines

-variables:
-  RUNNER_TAG: ""
-
-default:
-  tags:
-    - $RUNNER_TAG
-
 include:
-  - local: '/.gitlab-ci.d/base.yml'
  - local: '/.gitlab-ci.d/stages.yml'
+  - local: '/.gitlab-ci.d/edk2.yml'
  - local: '/.gitlab-ci.d/opensbi.yml'
  - local: '/.gitlab-ci.d/containers.yml'
  - local: '/.gitlab-ci.d/crossbuilds.yml'
@@ -18,4 +11,3 @@ include:
  - local: '/.gitlab-ci.d/static_checks.yml'
  - local: '/.gitlab-ci.d/custom-runners.yml'
  - local: '/.gitlab-ci.d/cirrus.yml'
-  - local: '/.gitlab-ci.d/windows.yml'
--- a/.gitlab-ci.d/stages.yml
+++ b/.gitlab-ci.d/stages.yml
@@ -3,5 +3,6 @@
 #  - test (for test stages, using build artefacts from a build stage)
 stages:
  - containers
+  - containers-layer2
  - build
  - test
--- a/.gitlab-ci.d/static_checks.yml
+++ b/.gitlab-ci.d/static_checks.yml
@@ -1,48 +1,49 @@
 check-patch:
-  extends: .base_job_template
  stage: build
-  image: python:3.10-alpine
-  needs: []
+  image: $CI_REGISTRY_IMAGE/qemu/centos8:latest
+  needs:
+    job: amd64-centos8-container
  script:
    - .gitlab-ci.d/check-patch.py
  variables:
    GIT_DEPTH: 1000
-    QEMU_JOB_ONLY_FORKS: 1
-  before_script:
-    - apk -U add git perl
-  allow_failure: true
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project"'
+      when: never
+    - when: on_success
+      allow_failure: true

 check-dco:
-  extends: .base_job_template
  stage: build
-  image: python:3.10-alpine
-  needs: []
+  image: $CI_REGISTRY_IMAGE/qemu/centos8:latest
+  needs:
+    job: amd64-centos8-container
  script: .gitlab-ci.d/check-dco.py
  variables:
    GIT_DEPTH: 1000
-  before_script:
-    - apk -U add git
+  rules:
+    - if: '$CI_PROJECT_NAMESPACE == "qemu-project" && $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+      when: never
+    - when: on_success

-check-python-minreqs:
-  extends: .base_job_template
+check-python-pipenv:
  stage: test
-  image: $CI_REGISTRY_IMAGE/qemu/python:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/python:latest
  script:
-    - make -C python check-minreqs
+    - make -C python check-pipenv
  variables:
    GIT_DEPTH: 1
  needs:
    job: python-container

 check-python-tox:
-  extends: .base_job_template
  stage: test
-  image: $CI_REGISTRY_IMAGE/qemu/python:$QEMU_CI_CONTAINER_TAG
+  image: $CI_REGISTRY_IMAGE/qemu/python:latest
  script:
    - make -C python check-tox
  variables:
    GIT_DEPTH: 1
    QEMU_TOX_EXTRA_ARGS: --skip-missing-interpreters=false
-    QEMU_JOB_OPTIONAL: 1
  needs:
    job: python-container
+  allow_failure: true
--- a/.gitlab-ci.d/windows.yml
+++ b/.gitlab-ci.d/windows.yml
@@ -1,141 +0,0 @@
-.shared_msys2_builder:
-  extends: .base_job_template
-  tags:
-  - shared-windows
-  - windows
-  - windows-1809
-  cache:
-    key: "$CI_JOB_NAME"
-    paths:
-      - msys64/var/cache
-      - ccache
-    when: always
-  needs: []
-  stage: build
-  timeout: 100m
-  variables:
-    # This feature doesn't (currently) work with PowerShell, it stops
-    # the echo'ing of commands being run and doesn't show any timing
-    FF_SCRIPT_SECTIONS: 0
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_REF_SLUG"
-    expire_in: 7 days
-    paths:
-      - build/meson-logs/testlog.txt
-    reports:
-      junit: "build/meson-logs/testlog.junit.xml"
-  before_script:
-  - Write-Output "Acquiring msys2.exe installer at $(Get-Date -Format u)"
-  - If ( !(Test-Path -Path msys64\var\cache ) ) {
-      mkdir msys64\var\cache
-    }
-  - Invoke-WebRequest
-    "https://repo.msys2.org/distrib/msys2-x86_64-latest.sfx.exe.sig"
-    -outfile "msys2.exe.sig"
-  - if ( Test-Path -Path msys64\var\cache\msys2.exe.sig ) {
-      Write-Output "Cached installer sig" ;
-      if ( ((Get-FileHash msys2.exe.sig).Hash -ne (Get-FileHash msys64\var\cache\msys2.exe.sig).Hash) ) {
-        Write-Output "Mis-matched installer sig, new installer download required" ;
-        Remove-Item -Path msys64\var\cache\msys2.exe.sig ;
-        if ( Test-Path -Path msys64\var\cache\msys2.exe ) {
-          Remove-Item -Path msys64\var\cache\msys2.exe
-        }
-      } else {
-        Write-Output "Matched installer sig, cached installer still valid"
-      }
-    } else {
-      Write-Output "No cached installer sig, new installer download required" ;
-      if ( Test-Path -Path msys64\var\cache\msys2.exe ) {
-        Remove-Item -Path msys64\var\cache\msys2.exe
-      }
-    }
-  - if ( !(Test-Path -Path msys64\var\cache\msys2.exe ) ) {
-      Write-Output "Fetching latest installer" ;
-      Invoke-WebRequest
-      "https://repo.msys2.org/distrib/msys2-x86_64-latest.sfx.exe"
-      -outfile "msys64\var\cache\msys2.exe" ;
-      Copy-Item -Path msys2.exe.sig -Destination msys64\var\cache\msys2.exe.sig
-    } else {
-      Write-Output "Using cached installer"
-    }
-  - Write-Output "Invoking msys2.exe installer at $(Get-Date -Format u)"
-  - msys64\var\cache\msys2.exe -y
-  - ((Get-Content -path .\msys64\etc\\post-install\\07-pacman-key.post -Raw)
-      -replace '--refresh-keys', '--version') |
-     Set-Content -Path ${CI_PROJECT_DIR}\msys64\etc\\post-install\\07-pacman-key.post
-  - .\msys64\usr\bin\bash -lc "sed -i 's/^CheckSpace/#CheckSpace/g' /etc/pacman.conf"
-  - .\msys64\usr\bin\bash -lc 'pacman --noconfirm -Syuu'  # Core update
-  - .\msys64\usr\bin\bash -lc 'pacman --noconfirm -Syuu'  # Normal update
-  - taskkill /F /FI "MODULES eq msys-2.0.dll"
-  script:
-  - Write-Output "Installing mingw packages at $(Get-Date -Format u)"
-  - .\msys64\usr\bin\bash -lc "pacman -Sy --noconfirm --needed
-      bison diffutils flex
-      git grep make sed
-      $MINGW_TARGET-binutils
-      $MINGW_TARGET-capstone
-      $MINGW_TARGET-ccache
-      $MINGW_TARGET-curl
-      $MINGW_TARGET-cyrus-sasl
-      $MINGW_TARGET-dtc
-      $MINGW_TARGET-gcc
-      $MINGW_TARGET-glib2
-      $MINGW_TARGET-gnutls
-      $MINGW_TARGET-gtk3
-      $MINGW_TARGET-libgcrypt
-      $MINGW_TARGET-libjpeg-turbo
-      $MINGW_TARGET-libnfs
-      $MINGW_TARGET-libpng
-      $MINGW_TARGET-libssh
-      $MINGW_TARGET-libtasn1
-      $MINGW_TARGET-libusb
-      $MINGW_TARGET-lzo2
-      $MINGW_TARGET-nettle
-      $MINGW_TARGET-ninja
-      $MINGW_TARGET-pixman
-      $MINGW_TARGET-pkgconf
-      $MINGW_TARGET-python
-      $MINGW_TARGET-SDL2
-      $MINGW_TARGET-SDL2_image
-      $MINGW_TARGET-snappy
-      $MINGW_TARGET-spice
-      $MINGW_TARGET-usbredir
-      $MINGW_TARGET-zstd "
-  - Write-Output "Running build at $(Get-Date -Format u)"
-  - $env:CHERE_INVOKING = 'yes'  # Preserve the current working directory
-  - $env:MSYS = 'winsymlinks:native' # Enable native Windows symlink
-  - $env:CCACHE_BASEDIR = "$env:CI_PROJECT_DIR"
-  - $env:CCACHE_DIR = "$env:CCACHE_BASEDIR/ccache"
-  - $env:CCACHE_MAXSIZE = "500M"
-  - $env:CCACHE_DEPEND = 1 # cache misses are too expensive with preprocessor mode
-  - $env:CC = "ccache gcc"
-  - mkdir build
-  - cd build
-  - ..\msys64\usr\bin\bash -lc "ccache --zero-stats"
-  - ..\msys64\usr\bin\bash -lc "../configure --enable-fdt=system $CONFIGURE_ARGS"
-  - ..\msys64\usr\bin\bash -lc "make"
-  - ..\msys64\usr\bin\bash -lc "make check MTESTARGS='$TEST_ARGS' || { cat meson-logs/testlog.txt; exit 1; } ;"
-  - ..\msys64\usr\bin\bash -lc "ccache --show-stats"
-  - Write-Output "Finished build at $(Get-Date -Format u)"
-
-msys2-64bit:
-  extends: .shared_msys2_builder
-  variables:
-    MINGW_TARGET: mingw-w64-x86_64
-    MSYSTEM: MINGW64
-    # do not remove "--without-default-devices"!
-    # commit 9f8e6cad65a6 ("gitlab-ci: Speed up the msys2-64bit job by using --without-default-devices"
-    # changed to compile QEMU with the --without-default-devices switch
-    # for the msys2 64-bit job, due to the build could not complete within
-    CONFIGURE_ARGS:  --target-list=x86_64-softmmu --without-default-devices -Ddebug=false -Doptimization=0
-    # qTests don't run successfully with "--without-default-devices",
-    # so let's exclude the qtests from CI for now.
-    TEST_ARGS: --no-suite qtest
-
-msys2-32bit:
-  extends: .shared_msys2_builder
-  variables:
-    MINGW_TARGET: mingw-w64-i686
-    MSYSTEM: MINGW32
-    CONFIGURE_ARGS:  --target-list=ppc64-softmmu -Ddebug=false -Doptimization=0
-    TEST_ARGS: --no-suite qtest
--- a/.gitlab/issue_templates/bug.md
+++ b/.gitlab/issue_templates/bug.md
@@ -18,11 +18,11 @@ https://www.qemu.org/contribute/security-process/
 -->

 ## Host environment
- - Operating system:            <!-- Windows 10 21H1, Fedora 37, etc. -->
- - OS/kernel version:           <!-- For POSIX hosts, use `uname -a` -->
- - Architecture:                <!-- x86, ARM, s390x, etc. -->
- - QEMU flavor:                 <!-- qemu-system-x86_64, qemu-aarch64, qemu-img, etc. -->
- - QEMU version:                <!-- e.g. `qemu-system-x86_64 --version` -->
+ - Operating system: (Windows 10 21H1, Fedora 34, etc.)
+ - OS/kernel version: (For POSIX hosts, use `uname -a`)
+ - Architecture: (x86, ARM, s390x, etc.)
+ - QEMU flavor: (qemu-system-x86_64, qemu-aarch64, qemu-img, etc.)
+ - QEMU version: (e.g. `qemu-system-x86_64 --version`)
 - QEMU command line:
   <!--
   Give the smallest, complete command line that exhibits the problem.
@@ -35,9 +35,9 @@ https://www.qemu.org/contribute/security-process/
   ```

 ## Emulated/Virtualized environment
- - Operating system:            <!-- Windows 10 21H1, Fedora 37, etc. -->
- - OS/kernel version:           <!-- For POSIX guests, use `uname -a`. -->
- - Architecture:                <!-- x86, ARM, s390x, etc. -->
+ - Operating system: (Windows 10 21H1, Fedora 34, etc.)
+ - OS/kernel version: (For POSIX guests, use `uname -a`.)
+ - Architecture: (x86, ARM, s390x, etc.)


 ## Description of problem
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,45 +1,66 @@
 [submodule "roms/seabios"]
 	path = roms/seabios
-	url = https://gitlab.com/qemu-project/seabios.git/
+	url = https://gitlab.suse.de/virtualization/qemu-seabios.git
 [submodule "roms/SLOF"]
 	path = roms/SLOF
 	url = https://gitlab.com/qemu-project/SLOF.git
 [submodule "roms/ipxe"]
 	path = roms/ipxe
-	url = https://gitlab.com/qemu-project/ipxe.git
+	url = https://gitlab.suse.de/virtualization/qemu-ipxe.git
 [submodule "roms/openbios"]
 	path = roms/openbios
 	url = https://gitlab.com/qemu-project/openbios.git
 [submodule "roms/qemu-palcode"]
 	path = roms/qemu-palcode
 	url = https://gitlab.com/qemu-project/qemu-palcode.git
+[submodule "roms/sgabios"]
+	path = roms/sgabios
+	url = https://gitlab.suse.de/virtualization/qemu-sgabios.git
+[submodule "dtc"]
+	path = dtc
+	url = https://gitlab.com/qemu-project/dtc.git
 [submodule "roms/u-boot"]
 	path = roms/u-boot
 	url = https://gitlab.com/qemu-project/u-boot.git
 [submodule "roms/skiboot"]
 	path = roms/skiboot
-	url = https://gitlab.com/qemu-project/skiboot.git
+	url = https://gitlab.suse.de/virtualization/qemu-skiboot.git
 [submodule "roms/QemuMacDrivers"]
 	path = roms/QemuMacDrivers
 	url = https://gitlab.com/qemu-project/QemuMacDrivers.git
+[submodule "ui/keycodemapdb"]
+	path = ui/keycodemapdb
+	url = https://gitlab.com/qemu-project/keycodemapdb.git
+[submodule "capstone"]
+	path = capstone
+	url = https://gitlab.com/qemu-project/capstone.git
 [submodule "roms/seabios-hppa"]
 	path = roms/seabios-hppa
 	url = https://gitlab.com/qemu-project/seabios-hppa.git
 [submodule "roms/u-boot-sam460ex"]
 	path = roms/u-boot-sam460ex
 	url = https://gitlab.com/qemu-project/u-boot-sam460ex.git
+[submodule "tests/fp/berkeley-testfloat-3"]
+	path = tests/fp/berkeley-testfloat-3
+	url = https://gitlab.com/qemu-project/berkeley-testfloat-3.git
+[submodule "tests/fp/berkeley-softfloat-3"]
+	path = tests/fp/berkeley-softfloat-3
+	url = https://gitlab.com/qemu-project/berkeley-softfloat-3.git
 [submodule "roms/edk2"]
 	path = roms/edk2
-	url = https://gitlab.com/qemu-project/edk2.git
+	url = https://gitlab.suse.de/virtualization/qemu-edk2.git
+[submodule "slirp"]
+	path = slirp
+	url = https://gitlab.com/qemu-project/libslirp.git
 [submodule "roms/opensbi"]
 	path = roms/opensbi
-	url = 	https://gitlab.com/qemu-project/opensbi.git
+	url = https://gitlab.suse.de/virtualization/qemu-opensbi.git
 [submodule "roms/qboot"]
 	path = roms/qboot
-	url = https://gitlab.com/qemu-project/qboot.git
+	url = https://gitlab.suse.de/virtualization/qemu-qboot.git
+[submodule "meson"]
+	path = meson
+	url = https://gitlab.com/qemu-project/meson.git
 [submodule "roms/vbootrom"]
 	path = roms/vbootrom
 	url = https://gitlab.com/qemu-project/vbootrom.git
-[submodule "tests/lcitool/libvirt-ci"]
-	path = tests/lcitool/libvirt-ci
-	url = https://gitlab.com/libvirt/libvirt-ci.git
--- a/.mailmap
+++ b/.mailmap
@@ -28,40 +28,19 @@ Thiemo Seufer <ths@networkno.de> ths <ths@c046a42c-6fe2-441c-8c8c-71466251a162>
 malc <av1474@comtv.ru> malc <malc@c046a42c-6fe2-441c-8c8c-71466251a162>

 # Corrupted Author fields
-Aaron Larson <alarson@ddci.com> alarson@ddci.com
-Andreas Färber <andreas.faerber@web.de> Andreas Färber <andreas.faerber>
-fanwenjie <fanwj@mail.ustc.edu.cn> fanwj@mail.ustc.edu.cn <fanwj@mail.ustc.edu.cn>
-Jason Wang <jasowang@redhat.com> Jason Wang <jasowang>
 Marek Dolata <mkdolata@us.ibm.com> mkdolata@us.ibm.com <mkdolata@us.ibm.com>
-Michael Ellerman <mpe@ellerman.id.au> michael@ozlabs.org <michael@ozlabs.org>
 Nick Hudson <hnick@vmware.com> hnick@vmware.com <hnick@vmware.com>
-Timothée Cocault <timothee.cocault@gmail.com> timothee.cocault@gmail.com <timothee.cocault@gmail.com>

 # There is also a:
 #    (no author) <(no author)@c046a42c-6fe2-441c-8c8c-71466251a162>
 # for the cvs2svn initialization commit e63c3dc74bf.

 # Next, translate a few commits where mailman rewrote the From: line due
-# to strict SPF and DMARC.  Usually, our build process should be flagging
-# commits like these before maintainer merges; if you find the need to add
-# a line here, please also report a bug against the part of the build
-# process that let the mis-attribution slip through in the first place.
-#
-# If the mailing list munges your emails, use:
-#   git config sendemail.from '"Your Name" <your.email@example.com>'
-# the use of "" in that line will differ from the typically unquoted
-# 'git config user.name', which in turn is sufficient for 'git send-email'
-# to add an extra From: line in the body of your email that takes
-# precedence over any munged From: in the mail's headers.
-# See https://lists.openembedded.org/g/openembedded-core/message/166515
-# and https://lists.gnu.org/archive/html/qemu-devel/2023-09/msg06784.html
+# to strict SPF, although we prefer to avoid adding more entries like that.
 Ed Swierk <eswierk@skyportsystems.com> Ed Swierk via Qemu-devel <qemu-devel@nongnu.org>
 Ian McKellar <ianloic@google.com> Ian McKellar via Qemu-devel <qemu-devel@nongnu.org>
 Julia Suvorova <jusual@mail.ru> Julia Suvorova via Qemu-devel <qemu-devel@nongnu.org>
 Justin Terry (VM) <juterry@microsoft.com> Justin Terry (VM) via Qemu-devel <qemu-devel@nongnu.org>
-Stefan Weil <sw@weilnetz.de> Stefan Weil via <qemu-devel@nongnu.org>
-Andrey Drobyshev <andrey.drobyshev@virtuozzo.com> Andrey Drobyshev via <qemu-block@nongnu.org>
-BALATON Zoltan <balaton@eik.bme.hu> BALATON Zoltan via <qemu-ppc@nongnu.org>

 # Next, replace old addresses by a more recent one.
 Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> <aleksandar.markovic@mips.com>
@@ -70,40 +49,25 @@ Aleksandar Markovic <aleksandar.qemu.devel@gmail.com> <amarkovic@wavecomp.com>
 Aleksandar Rikalo <aleksandar.rikalo@syrmia.com> <arikalo@wavecomp.com>
 Aleksandar Rikalo <aleksandar.rikalo@syrmia.com> <aleksandar.rikalo@rt-rk.com>
 Alexander Graf <agraf@csgraf.de> <agraf@suse.de>
-Ani Sinha <anisinha@redhat.com> <ani@anisinha.ca>
 Anthony Liguori <anthony@codemonkey.ws> Anthony Liguori <aliguori@us.ibm.com>
-Christian Borntraeger <borntraeger@linux.ibm.com> <borntraeger@de.ibm.com>
-Damien Hedde <damien.hedde@dahe.fr> <damien.hedde@greensocs.com>
 Filip Bozuta <filip.bozuta@syrmia.com> <filip.bozuta@rt-rk.com.com>
-Frederic Konrad <konrad.frederic@yahoo.fr> <fred.konrad@greensocs.com>
-Frederic Konrad <konrad.frederic@yahoo.fr> <konrad@adacore.com>
+Frederic Konrad <konrad@adacore.com> <fred.konrad@greensocs.com>
 Greg Kurz <groug@kaod.org> <gkurz@linux.vnet.ibm.com>
 Huacai Chen <chenhuacai@kernel.org> <chenhc@lemote.com>
 Huacai Chen <chenhuacai@kernel.org> <chenhuacai@loongson.cn>
 James Hogan <jhogan@kernel.org> <james.hogan@imgtec.com>
-Leif Lindholm <quic_llindhol@quicinc.com> <leif.lindholm@linaro.org>
-Leif Lindholm <quic_llindhol@quicinc.com> <leif@nuviainc.com>
-Luc Michel <luc@lmichel.fr> <luc.michel@git.antfield.fr>
-Luc Michel <luc@lmichel.fr> <luc.michel@greensocs.com>
-Luc Michel <luc@lmichel.fr> <lmichel@kalray.eu>
+Leif Lindholm <leif@nuviainc.com> <leif.lindholm@linaro.org>
 Radoslaw Biernacki <rad@semihalf.com> <radoslaw.biernacki@linaro.org>
-Paul Brook <paul@nowt.org> <paul@codesourcery.com>
 Paul Burton <paulburton@kernel.org> <paul.burton@mips.com>
 Paul Burton <paulburton@kernel.org> <paul.burton@imgtec.com>
 Paul Burton <paulburton@kernel.org> <paul@archlinuxmips.org>
 Paul Burton <paulburton@kernel.org> <pburton@wavecomp.com>
-Philippe Mathieu-Daudé <philmd@linaro.org> <f4bug@amsat.org>
-Philippe Mathieu-Daudé <philmd@linaro.org> <philmd@redhat.com>
-Philippe Mathieu-Daudé <philmd@linaro.org> <philmd@fungible.com>
-Roman Bolshakov <rbolshakov@ddn.com> <r.bolshakov@yadro.com>
 Stefan Brankovic <stefan.brankovic@syrmia.com> <stefan.brankovic@rt-rk.com.com>
-Taylor Simpson <ltaylorsimpson@gmail.com> <tsimpson@quicinc.com>
 Yongbok Kim <yongbok.kim@mips.com> <yongbok.kim@imgtec.com>

 # Also list preferred name forms where people have changed their
 # git author config, or had utf8/latin1 encoding issues.
 Aaron Lindsay <aaron@os.amperecomputing.com>
-Aaron Larson <alarson@ddci.com>
 Alexey Gerasimenko <x1917x@gmail.com>
 Alex Chen <alex.chen@huawei.com>
 Alex Ivanov <void@aleksoft.net>
@@ -178,7 +142,6 @@ Pan Nengyuan <pannengyuan@huawei.com>
 Pavel Dovgaluk <dovgaluk@ispras.ru>
 Pavel Dovgaluk <pavel.dovgaluk@gmail.com>
 Pavel Dovgaluk <Pavel.Dovgaluk@ispras.ru>
-Peter Chubb <peter.chubb@nicta.com.au>
 Peter Crosthwaite <crosthwaite.peter@gmail.com>
 Peter Crosthwaite <peter.crosthwaite@petalogix.com>
 Peter Crosthwaite <peter.crosthwaite@xilinx.com>
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,6 @@
+# The current Travis default is a VM based 16.04 Xenial on GCE
+# Additional builds with specific requirements for a full VM need to
+# be added as additional matrix: entries later on
 os: linux
 dist: focal
 language: c
@@ -16,6 +19,43 @@ cache:
  - $HOME/avocado/data/cache


+addons:
+  apt:
+    packages:
+      # Build dependencies
+      - libaio-dev
+      - libattr1-dev
+      - libbrlapi-dev
+      - libcap-ng-dev
+      - libcacard-dev
+      - libgcc-7-dev
+      - libgnutls28-dev
+      - libgtk-3-dev
+      - libiscsi-dev
+      - liblttng-ust-dev
+      - libncurses5-dev
+      - libnfs-dev
+      - libpixman-1-dev
+      - libpng-dev
+      - librados-dev
+      - libsdl2-dev
+      - libsdl2-image-dev
+      - libseccomp-dev
+      - libspice-protocol-dev
+      - libspice-server-dev
+      - libssh-dev
+      - liburcu-dev
+      - libusb-1.0-0-dev
+      - libvdeplug-dev
+      - libvte-2.91-dev
+      - libzstd-dev
+      - ninja-build
+      - sparse
+      - uuid-dev
+      # Tests dependencies
+      - genisoimage
+
+
 # The channel name "irc.oftc.net#qemu" is encrypted against qemu/qemu
 # to prevent IRC notifications from forks. This was created using:
 # $ travis encrypt -r "qemu/qemu" "irc.oftc.net#qemu"
@@ -34,7 +74,7 @@ env:
    - BASE_CONFIG="--disable-docs --disable-tools"
    - TEST_BUILD_CMD=""
    - TEST_CMD="make check V=1"
-    # This is broadly a list of "mainline" system targets which have support across the major distros
+    # This is broadly a list of "mainline" softmmu targets which have support across the major distros
    - MAIN_SOFTMMU_TARGETS="aarch64-softmmu,mips64-softmmu,ppc64-softmmu,riscv64-softmmu,s390x-softmmu,x86_64-softmmu"
    - CCACHE_SLOPPINESS="include_file_ctime,include_file_mtime"
    - CCACHE_MAXSIZE=1G
@@ -91,7 +131,6 @@ jobs:
          - libbrlapi-dev
          - libcacard-dev
          - libcap-ng-dev
-          - libfdt-dev
          - libgcrypt20-dev
          - libgnutls28-dev
          - libgtk-3-dev
@@ -113,8 +152,7 @@ jobs:
          - genisoimage
      env:
        - TEST_CMD="make check check-tcg V=1"
-        - CONFIG="--disable-containers --enable-fdt=system
-                  --target-list=${MAIN_SOFTMMU_TARGETS} --cxx=/bin/false"
+        - CONFIG="--disable-containers --target-list=${MAIN_SOFTMMU_TARGETS} --cxx=/bin/false"
        - UNRELIABLE=true

    - name: "[ppc64] GCC check-tcg"
@@ -127,7 +165,6 @@ jobs:
          - libbrlapi-dev
          - libcacard-dev
          - libcap-ng-dev
-          - libfdt-dev
          - libgcrypt20-dev
          - libgnutls28-dev
          - libgtk-3-dev
@@ -149,12 +186,11 @@ jobs:
          - genisoimage
      env:
        - TEST_CMD="make check check-tcg V=1"
-        - CONFIG="--disable-containers --enable-fdt=system
-                  --target-list=ppc64-softmmu,ppc64le-linux-user"
+        - CONFIG="--disable-containers --target-list=ppc64-softmmu,ppc64le-linux-user"

    - name: "[s390x] GCC check-tcg"
      arch: s390x
-      dist: focal
+      dist: bionic
      addons:
        apt_packages:
          - libaio-dev
@@ -162,7 +198,6 @@ jobs:
          - libbrlapi-dev
          - libcacard-dev
          - libcap-ng-dev
-          - libfdt-dev
          - libgcrypt20-dev
          - libgnutls28-dev
          - libgtk-3-dev
@@ -184,29 +219,27 @@ jobs:
          - genisoimage
      env:
        - TEST_CMD="make check check-tcg V=1"
-        - CONFIG="--disable-containers --enable-fdt=system
-                  --target-list=${MAIN_SOFTMMU_TARGETS},s390x-linux-user"
+        - CONFIG="--disable-containers --target-list=${MAIN_SOFTMMU_TARGETS},s390x-linux-user"
        - UNRELIABLE=true
      script:
        - BUILD_RC=0 && make -j${JOBS} || BUILD_RC=$?
        - |
          if [ "$BUILD_RC" -eq 0 ] ; then
-              mv pc-bios/s390-ccw/*.img qemu-bundle/usr/local/share/qemu ;
+              mv pc-bios/s390-ccw/*.img pc-bios/ ;
              ${TEST_CMD} ;
          else
              $(exit $BUILD_RC);
          fi

-    - name: "[s390x] GCC (other-system)"
+    - name: "[s390x] GCC (other-softmmu)"
      arch: s390x
-      dist: focal
+      dist: bionic
      addons:
        apt_packages:
          - libaio-dev
          - libattr1-dev
          - libcacard-dev
          - libcap-ng-dev
-          - libfdt-dev
          - libgnutls28-dev
          - libiscsi-dev
          - liblttng-ust-dev
@@ -225,27 +258,24 @@ jobs:
          # Tests dependencies
          - genisoimage
      env:
-        - CONFIG="--disable-containers --enable-fdt=system --audio-drv-list=sdl
-                  --disable-user --target-list-exclude=${MAIN_SOFTMMU_TARGETS}"
+        - CONFIG="--disable-containers --audio-drv-list=sdl --disable-user
+                  --target-list-exclude=${MAIN_SOFTMMU_TARGETS}"

    - name: "[s390x] GCC (user)"
      arch: s390x
-      dist: focal
+      dist: bionic
      addons:
        apt_packages:
          - libgcrypt20-dev
-          - libglib2.0-dev
          - libgnutls28-dev
          - ninja-build
-          - flex
-          - bison
      env:
        - CONFIG="--disable-containers --disable-system"

    - name: "[s390x] Clang (disable-tcg)"
      arch: s390x
-      dist: focal
-      compiler: clang-10
+      dist: bionic
+      compiler: clang
      addons:
        apt_packages:
          - libaio-dev
@@ -253,7 +283,6 @@ jobs:
          - libbrlapi-dev
          - libcacard-dev
          - libcap-ng-dev
-          - libfdt-dev
          - libgcrypt20-dev
          - libgnutls28-dev
          - libgtk-3-dev
@@ -271,9 +300,8 @@ jobs:
          - libvdeplug-dev
          - libvte-2.91-dev
          - ninja-build
-          - clang-10
      env:
        - TEST_CMD="make check-unit"
-        - CONFIG="--disable-containers --disable-tcg --enable-kvm --disable-tools
-                  --enable-fdt=system --host-cc=clang --cxx=clang++"
+        - CONFIG="--disable-containers --disable-tcg --enable-kvm
+                  --disable-tools --host-cc=clang --cxx=clang++"
        - UNRELIABLE=true
--- a/Kconfig.host
+++ b/Kconfig.host
@@ -11,9 +11,6 @@ config OPENGL
 config X11
    bool

-config PIXMAN
-    bool
-
 config SPICE
    bool

@@ -25,12 +22,15 @@ config TPM

 config VHOST_USER
    bool
+    select VHOST

 config VHOST_VDPA
    bool
+    select VHOST

 config VHOST_KERNEL
    bool
+    select VHOST

 config VIRTFS
    bool
@@ -45,10 +45,3 @@ config MULTIPROCESS_ALLOWED
 config FUZZ
    bool
    select SPARSE_MEM
-
-config VFIO_USER_SERVER_ALLOWED
-    bool
-    imply VFIO_USER_SERVER
-
-config HV_BALLOON_POSSIBLE
-    bool
--- a/1081
+++ b/1081
--- a/119
+++ b/119
@@ -26,9 +26,9 @@ quiet-command-run = $(if $(V),,$(if $2,printf "  %-7s %s\n" $2 $3 && ))$1
 quiet-@ = $(if $(V),,@)
 quiet-command = $(quiet-@)$(call quiet-command-run,$1,$2,$3)

-UNCHECKED_GOALS := TAGS gtags cscope ctags dist \
+UNCHECKED_GOALS := %clean TAGS cscope ctags dist \
    help check-help print-% \
-    docker docker-% lcitool-refresh vm-help vm-test vm-build-%
+    docker docker-% vm-help vm-test vm-build-%

 all:
 .PHONY: all clean distclean recurse-all dist msi FORCE
@@ -42,8 +42,17 @@ configure: ;
 ifneq ($(wildcard config-host.mak),)
 include config-host.mak

-include Makefile.prereqs
-Makefile.prereqs: config-host.mak
+git-submodule-update:
+.git-submodule-status: git-submodule-update config-host.mak
+Makefile: .git-submodule-status
+
+.PHONY: git-submodule-update
+git-submodule-update:
+ifneq ($(GIT_SUBMODULES_ACTION),ignore)
+	$(call quiet-command, \
+		(GIT="$(GIT)" "$(SRC_PATH)/scripts/git-submodule.sh" $(GIT_SUBMODULES_ACTION) $(GIT_SUBMODULES)), \
+		"GIT","$(GIT_SUBMODULES)")
+endif

 # 0. ensure the build tree is okay

@@ -83,17 +92,16 @@ config-host.mak: $(SRC_PATH)/configure $(SRC_PATH)/scripts/meson-buildoptions.sh
 	@if test -f meson-private/coredata.dat; then \
 	  ./config.status --skip-meson; \
 	else \
-	  ./config.status; \
+	  ./config.status && touch build.ninja.stamp; \
 	fi

 # 2. meson.stamp exists if meson has run at least once (so ninja reconfigure
 # works), but otherwise never needs to be updated
-
 meson-private/coredata.dat: meson.stamp
 meson.stamp: config-host.mak
 	@touch meson.stamp

-# 3. ensure meson-generated build files are up-to-date
+# 3. ensure generated build files are up-to-date

 ifneq ($(NINJA),)
 Makefile.ninja: build.ninja
@@ -104,23 +112,15 @@ Makefile.ninja: build.ninja
 	  $(NINJA) -t query build.ninja | sed -n '1,/^  input:/d; /^  outputs:/q; s/$$/ \\/p'; \
 	} > $@.tmp && mv $@.tmp $@
 -include Makefile.ninja
-endif

-ifneq ($(MESON),)
-# The path to meson always points to pyvenv/bin/meson, but the absolute
-# paths could change.  In that case, force a regeneration of build.ninja.
-# Note that this invocation of $(NINJA), just like when Make rebuilds
-# Makefiles, does not include -n.
+# A separate rule is needed for Makefile dependencies to avoid -n
 build.ninja: build.ninja.stamp
 $(build-files):
 build.ninja.stamp: meson.stamp $(build-files)
-	@if test "$$(cat build.ninja.stamp)" = "$(MESON)" && test -n "$(NINJA)"; then \
-	  $(NINJA) build.ninja; \
-	else \
-	  echo "$(MESON) setup --reconfigure $(SRC_PATH)"; \
-	  $(MESON) setup --reconfigure $(SRC_PATH); \
-	fi && echo "$(MESON)" > $@
+	$(NINJA) $(if $V,-v,) build.ninja && touch $@
+endif

+ifneq ($(MESON),)
 Makefile.mtest: build.ninja scripts/mtest2make.py
 	$(MESON) introspect --targets --tests --benchmarks | $(PYTHON) scripts/mtest2make.py > $@
 -include Makefile.mtest
@@ -143,11 +143,11 @@ MAKE.q = $(findstring q,$(firstword $(filter-out --%,$(MAKEFLAGS))))
 MAKE.nq = $(if $(word 2, $(MAKE.n) $(MAKE.q)),nq)
 NINJAFLAGS = $(if $V,-v) $(if $(MAKE.n), -n) $(if $(MAKE.k), -k0) \
        $(filter-out -j, $(lastword -j1 $(filter -l% -j%, $(MAKEFLAGS)))) \
-        -d keepdepfile
-ninja-cmd-goals = $(or $(MAKECMDGOALS), all)
-ninja-cmd-goals += $(foreach g, $(MAKECMDGOALS), $(.ninja-goals.$g))

-makefile-targets := build.ninja ctags TAGS cscope dist clean
+ninja-cmd-goals = $(or $(MAKECMDGOALS), all)
+ninja-cmd-goals += $(foreach t, $(.tests), $(.test.deps.$t))
+
+makefile-targets := build.ninja ctags TAGS cscope dist clean uninstall
 # "ninja -t targets" also lists all prerequisites.  If build system
 # files are marked as PHONY, however, Make will always try to execute
 # "ninja build.ninja".
@@ -159,14 +159,27 @@ $(ninja-targets): run-ninja
 # --output-sync line.
 run-ninja: config-host.mak
 ifneq ($(filter $(ninja-targets), $(ninja-cmd-goals)),)
-	+$(if $(MAKE.nq),@:,$(quiet-@)$(NINJA) $(NINJAFLAGS) \
-	   $(sort $(filter $(ninja-targets), $(ninja-cmd-goals))) | cat)
+	+$(quiet-@)$(if $(MAKE.nq),@:, $(NINJA) -d keepdepfile \
+	   $(NINJAFLAGS) $(sort $(filter $(ninja-targets), $(ninja-cmd-goals))) | cat)
 endif
 endif

+# Force configure to re-run if the API symbols are updated
+ifeq ($(CONFIG_PLUGIN),y)
+config-host.mak: $(SRC_PATH)/plugins/qemu-plugins.symbols
+
+.PHONY: plugins
+plugins:
+	$(call quiet-command,\
+		$(MAKE) $(SUBDIR_MAKEFLAGS) -C contrib/plugins V="$(V)", \
+		"BUILD", "example plugins")
+endif # $(CONFIG_PLUGIN)
+
 else # config-host.mak does not exist
+config-host.mak:
 ifneq ($(filter-out $(UNCHECKED_GOALS),$(MAKECMDGOALS)),$(if $(MAKECMDGOALS),,fail))
-$(error Please call configure before running make)
+	@echo "Please call configure before running make!"
+	@exit 1
 endif
 endif # config-host.mak does not exist

@@ -176,32 +189,30 @@ include $(SRC_PATH)/tests/Makefile.include

 all: recurse-all

-SUBDIR_RULES=$(foreach t, all clean distclean, $(addsuffix /$(t), $(SUBDIRS)))
-.PHONY: $(SUBDIR_RULES)
-$(SUBDIR_RULES):
+ROM_DIRS = $(addprefix pc-bios/, $(ROMS))
+ROM_DIRS_RULES=$(foreach t, all clean, $(addsuffix /$(t), $(ROM_DIRS)))
+# Only keep -O and -g cflags
+.PHONY: $(ROM_DIRS_RULES)
+$(ROM_DIRS_RULES):
 	$(call quiet-command,$(MAKE) $(SUBDIR_MAKEFLAGS) -C $(dir $@) V="$(V)" TARGET_DIR="$(dir $@)" $(notdir $@),)

-ifneq ($(filter contrib/plugins, $(SUBDIRS)),)
-.PHONY: plugins
-plugins: contrib/plugins/all
-endif
-
 .PHONY: recurse-all recurse-clean
-recurse-all: $(addsuffix /all, $(SUBDIRS))
-recurse-clean: $(addsuffix /clean, $(SUBDIRS))
-recurse-distclean: $(addsuffix /distclean, $(SUBDIRS))
+recurse-all: $(addsuffix /all, $(ROM_DIRS))
+recurse-clean: $(addsuffix /clean, $(ROM_DIRS))

 ######################################################################

 clean: recurse-clean
 	-$(quiet-@)test -f build.ninja && $(NINJA) $(NINJAFLAGS) -t clean || :
 	-$(quiet-@)test -f build.ninja && $(NINJA) $(NINJAFLAGS) clean-ctlist || :
-	find . \( -name '*.so' -o -name '*.dll' -o \
-		  -name '*.[oda]' -o -name '*.gcno' \) -type f \
+# avoid old build problems by removing potentially incorrect old files
+	rm -f config.mak op-i386.h opc-i386.h gen-op-i386.h op-arm.h opc-arm.h gen-op-arm.h
+	find . \( -name '*.so' -o -name '*.dll' -o -name '*.[oda]' \) -type f \
 		! -path ./roms/edk2/ArmPkg/Library/GccLto/liblto-aarch64.a \
 		! -path ./roms/edk2/ArmPkg/Library/GccLto/liblto-arm.a \
 		-exec rm {} +
-	rm -f TAGS cscope.* *~ */*~
+	rm -f TAGS cscope.* *.pod *~ */*~
+	rm -f fsdev/*.pod scsi/*.pod

 VERSION = $(shell cat $(SRC_PATH)/VERSION)

@@ -210,19 +221,19 @@ dist: qemu-$(VERSION).tar.bz2
 qemu-%.tar.bz2:
 	$(SRC_PATH)/scripts/make-release "$(SRC_PATH)" "$(patsubst qemu-%.tar.bz2,%,$@)"

-distclean: clean recurse-distclean
+distclean: clean
 	-$(quiet-@)test -f build.ninja && $(NINJA) $(NINJAFLAGS) -t clean -g || :
-	rm -f config-host.mak Makefile.prereqs
-	rm -f tests/tcg/*/config-target.mak tests/tcg/config-host.mak
-	rm -f config.status
-	rm -f roms/seabios/config.mak
+	rm -f config-host.mak config-host.h* config-poison.h
+	rm -f tests/tcg/config-*.mak
+	rm -f config-all-disas.mak config.status
+	rm -f roms/seabios/config.mak roms/vgabios/config.mak
 	rm -f qemu-plugins-ld.symbols qemu-plugins-ld64.symbols
 	rm -f *-config-target.h *-config-devices.mak *-config-devices.h
 	rm -rf meson-private meson-logs meson-info compile_commands.json
 	rm -f Makefile.ninja Makefile.mtest build.ninja.stamp meson.stamp
 	rm -f config.log
 	rm -f linux-headers/asm
-	rm -Rf .sdk qemu-bundle
+	rm -Rf .sdk

 find-src-path = find "$(SRC_PATH)" -path "$(SRC_PATH)/meson" -prune -o \
 	-type l -prune -o \( -name "*.[chsS]" -o -name "*.[ch].inc" \)
@@ -276,20 +287,12 @@ cscope:
 # Needed by "meson install"
 export DESTDIR

-include $(SRC_PATH)/tests/lcitool/Makefile.include
 include $(SRC_PATH)/tests/docker/Makefile.include
 include $(SRC_PATH)/tests/vm/Makefile.include

 print-help-run = printf "  %-30s - %s\\n" "$1" "$2"
 print-help = @$(call print-help-run,$1,$2)

-.PHONY: update-linux-vdso
-update-linux-vdso:
-	@for m in $(SRC_PATH)/linux-user/*/Makefile.vdso; do \
-	  $(MAKE) $(SUBDIR_MAKEFLAGS) -C $$(dirname $$m) -f Makefile.vdso \
-		SRC_PATH=$(SRC_PATH) BUILD_DIR=$(BUILD_DIR); \
-	done
-
 .PHONY: help
 help:
 	@echo  'Generic targets:'
@@ -300,7 +303,7 @@ help:
 	$(call print-help,cscope,Generate cscope index)
 	$(call print-help,sparse,Run sparse on the QEMU source)
 	@echo  ''
-ifneq ($(filter contrib/plugins, $(SUBDIRS)),)
+ifeq ($(CONFIG_PLUGIN),y)
 	@echo  'Plugin targets:'
 	$(call print-help,plugins,Build the example TCG plugins)
 	@echo  ''
@@ -310,20 +313,16 @@ endif
 	$(call print-help,distclean,Remove all generated files)
 	$(call print-help,dist,Build a distributable tarball)
 	@echo  ''
-	@echo  'Linux-user targets:'
-	$(call print-help,update-linux-vdso,Build linux-user vdso images)
-	@echo  ''
 	@echo  'Test targets:'
 	$(call print-help,check,Run all tests (check-help for details))
 	$(call print-help,bench,Run all benchmarks)
-	$(call print-help,lcitool-help,Help about targets for managing build environment manifests)
 	$(call print-help,docker-help,Help about targets running tests inside containers)
 	$(call print-help,vm-help,Help about targets running tests inside VM)
 	@echo  ''
 	@echo  'Documentation targets:'
 	$(call print-help,html man,Build documentation in specified format)
 	@echo  ''
-ifneq ($(filter msi, $(ninja-targets)),)
+ifdef CONFIG_WIN32
 	@echo  'Windows targets:'
 	$(call print-help,installer,Build NSIS-based installer for QEMU)
 	$(call print-help,msi,Build MSI-based installer for qemu-ga)
--- a/README.rst
+++ b/README.rst
@@ -39,7 +39,7 @@ Documentation can be found hosted online at
 current development version that is available at
 `<https://www.qemu.org/docs/master/>`_ is generated from the ``docs/``
 folder in the source tree, and is built by `Sphinx
-<https://www.sphinx-doc.org/en/master/>`_.
+<https://www.sphinx-doc.org/en/master/>_`.


 Building
@@ -78,7 +78,7 @@ format-patch' and/or 'git send-email' to format & send the mail to the
 qemu-devel@nongnu.org mailing list. All patches submitted must contain
 a 'Signed-off-by' line from the author. Patches should follow the
 guidelines set out in the `style section
-<https://www.qemu.org/docs/master/devel/style.html>`_ of
+<https://www.qemu.org/docs/master/devel/style.html>` of
 the Developers Guide.

 Additional information on submitting patches can be found online via
--- a/2
+++ b/2
@@ -1 +1 @@
-8.1.50
+6.2.0
--- a/accel/Kconfig
+++ b/accel/Kconfig
@@ -4,6 +4,9 @@ config WHPX
 config NVMM
    bool

+config HAX
+    bool
+
 config HVF
    bool

--- a/accel/accel-blocker.c
+++ b/accel/accel-blocker.c
@@ -1,154 +0,0 @@
-/*
- * Lock to inhibit accelerator ioctls
- *
- * Copyright (c) 2022 Red Hat Inc.
- *
- * Author: Emanuele Giuseppe Esposito       <eesposit@redhat.com>
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
- * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
- * THE SOFTWARE.
- */
-
-#include "qemu/osdep.h"
-#include "qemu/thread.h"
-#include "qemu/main-loop.h"
-#include "hw/core/cpu.h"
-#include "sysemu/accel-blocker.h"
-
-static QemuLockCnt accel_in_ioctl_lock;
-static QemuEvent accel_in_ioctl_event;
-
-void accel_blocker_init(void)
-{
-    qemu_lockcnt_init(&accel_in_ioctl_lock);
-    qemu_event_init(&accel_in_ioctl_event, false);
-}
-
-void accel_ioctl_begin(void)
-{
-    if (likely(qemu_mutex_iothread_locked())) {
-        return;
-    }
-
-    /* block if lock is taken in kvm_ioctl_inhibit_begin() */
-    qemu_lockcnt_inc(&accel_in_ioctl_lock);
-}
-
-void accel_ioctl_end(void)
-{
-    if (likely(qemu_mutex_iothread_locked())) {
-        return;
-    }
-
-    qemu_lockcnt_dec(&accel_in_ioctl_lock);
-    /* change event to SET. If event was BUSY, wake up all waiters */
-    qemu_event_set(&accel_in_ioctl_event);
-}
-
-void accel_cpu_ioctl_begin(CPUState *cpu)
-{
-    if (unlikely(qemu_mutex_iothread_locked())) {
-        return;
-    }
-
-    /* block if lock is taken in kvm_ioctl_inhibit_begin() */
-    qemu_lockcnt_inc(&cpu->in_ioctl_lock);
-}
-
-void accel_cpu_ioctl_end(CPUState *cpu)
-{
-    if (unlikely(qemu_mutex_iothread_locked())) {
-        return;
-    }
-
-    qemu_lockcnt_dec(&cpu->in_ioctl_lock);
-    /* change event to SET. If event was BUSY, wake up all waiters */
-    qemu_event_set(&accel_in_ioctl_event);
-}
-
-static bool accel_has_to_wait(void)
-{
-    CPUState *cpu;
-    bool needs_to_wait = false;
-
-    CPU_FOREACH(cpu) {
-        if (qemu_lockcnt_count(&cpu->in_ioctl_lock)) {
-            /* exit the ioctl, if vcpu is running it */
-            qemu_cpu_kick(cpu);
-            needs_to_wait = true;
-        }
-    }
-
-    return needs_to_wait || qemu_lockcnt_count(&accel_in_ioctl_lock);
-}
-
-void accel_ioctl_inhibit_begin(void)
-{
-    CPUState *cpu;
-
-    /*
-     * We allow to inhibit only when holding the BQL, so we can identify
-     * when an inhibitor wants to issue an ioctl easily.
-     */
-    g_assert(qemu_mutex_iothread_locked());
-
-    /* Block further invocations of the ioctls outside the BQL.  */
-    CPU_FOREACH(cpu) {
-        qemu_lockcnt_lock(&cpu->in_ioctl_lock);
-    }
-    qemu_lockcnt_lock(&accel_in_ioctl_lock);
-
-    /* Keep waiting until there are running ioctls */
-    while (true) {
-
-        /* Reset event to FREE. */
-        qemu_event_reset(&accel_in_ioctl_event);
-
-        if (accel_has_to_wait()) {
-            /*
-             * If event is still FREE, and there are ioctls still in progress,
-             * wait.
-             *
-             *  If an ioctl finishes before qemu_event_wait(), it will change
-             * the event state to SET. This will prevent qemu_event_wait() from
-             * blocking, but it's not a problem because if other ioctls are
-             * still running the loop will iterate once more and reset the event
-             * status to FREE so that it can wait properly.
-             *
-             * If an ioctls finishes while qemu_event_wait() is blocking, then
-             * it will be waken up, but also here the while loop makes sure
-             * to re-enter the wait if there are other running ioctls.
-             */
-            qemu_event_wait(&accel_in_ioctl_event);
-        } else {
-            /* No ioctl is running */
-            return;
-        }
-    }
-}
-
-void accel_ioctl_inhibit_end(void)
-{
-    CPUState *cpu;
-
-    qemu_lockcnt_unlock(&accel_in_ioctl_lock);
-    CPU_FOREACH(cpu) {
-        qemu_lockcnt_unlock(&cpu->in_ioctl_lock);
-    }
-}
-
--- a/accel/accel-common.c
+++ b/accel/accel-common.c
@@ -30,7 +30,7 @@
 #include "hw/core/accel-cpu.h"

 #ifndef CONFIG_USER_ONLY
-#include "accel-system.h"
+#include "accel-softmmu.h"
 #endif /* !CONFIG_USER_ONLY */

 static const TypeInfo accel_type = {
@@ -49,14 +49,6 @@ AccelClass *accel_find(const char *opt_name)
    return ac;
 }

-/* Return the name of the current accelerator */
-const char *current_accel_name(void)
-{
-    AccelClass *ac = ACCEL_GET_CLASS(current_accel());
-
-    return ac->name;
-}
-
 static void accel_init_cpu_int_aux(ObjectClass *klass, void *opaque)
 {
    CPUClass *cc = CPU_CLASS(klass);
@@ -119,47 +111,16 @@ void accel_cpu_instance_init(CPUState *cpu)
    }
 }

-bool accel_cpu_common_realize(CPUState *cpu, Error **errp)
+bool accel_cpu_realizefn(CPUState *cpu, Error **errp)
 {
    CPUClass *cc = CPU_GET_CLASS(cpu);
-    AccelState *accel = current_accel();
-    AccelClass *acc = ACCEL_GET_CLASS(accel);

-    /* target specific realization */
-    if (cc->accel_cpu && cc->accel_cpu->cpu_target_realize
-        && !cc->accel_cpu->cpu_target_realize(cpu, errp)) {
-        return false;
+    if (cc->accel_cpu && cc->accel_cpu->cpu_realizefn) {
+        return cc->accel_cpu->cpu_realizefn(cpu, errp);
    }
-
-    /* generic realization */
-    if (acc->cpu_common_realize && !acc->cpu_common_realize(cpu, errp)) {
-        return false;
-    }
-
    return true;
 }

-void accel_cpu_common_unrealize(CPUState *cpu)
-{
-    AccelState *accel = current_accel();
-    AccelClass *acc = ACCEL_GET_CLASS(accel);
-
-    /* generic unrealization */
-    if (acc->cpu_common_unrealize) {
-        acc->cpu_common_unrealize(cpu);
-    }
-}
-
-int accel_supported_gdbstub_sstep_flags(void)
-{
-    AccelState *accel = current_accel();
-    AccelClass *acc = ACCEL_GET_CLASS(accel);
-    if (acc->gdbstub_supported_sstep_flags) {
-        return acc->gdbstub_supported_sstep_flags();
-    }
-    return 0;
-}
-
 static const TypeInfo accel_cpu_type = {
    .name = TYPE_ACCEL_CPU,
    .parent = TYPE_OBJECT,
--- a/accel/accel-softmmu.c
+++ b/accel/accel-softmmu.c
@@ -27,8 +27,8 @@
 #include "qemu/accel.h"
 #include "hw/boards.h"
 #include "sysemu/cpus.h"
-#include "qemu/error-report.h"
-#include "accel-system.h"
+
+#include "accel-softmmu.h"

 int accel_init_machine(AccelState *accel, MachineState *ms)
 {
@@ -66,7 +66,6 @@ void accel_init_ops_interfaces(AccelClass *ac)
 {
    const char *ac_name;
    char *ops_name;
-    ObjectClass *oc;
    AccelOpsClass *ops;

    ac_name = object_class_get_name(OBJECT_CLASS(ac));
@@ -74,13 +73,8 @@ void accel_init_ops_interfaces(AccelClass *ac)

    ops_name = g_strdup_printf("%s" ACCEL_OPS_SUFFIX, ac_name);
    ops = ACCEL_OPS_CLASS(module_object_class_by_name(ops_name));
-    oc = module_object_class_by_name(ops_name);
-    if (!oc) {
-        error_report("fatal: could not load module for type '%s'", ops_name);
-        exit(1);
-    }
    g_free(ops_name);
-    ops = ACCEL_OPS_CLASS(oc);
+
    /*
     * all accelerators need to define ops, providing at least a mandatory
     * non-NULL create_vcpu_thread operation.
@@ -99,8 +93,8 @@ static const TypeInfo accel_ops_type_info = {
    .class_size = sizeof(AccelOpsClass),
 };

-static void accel_system_register_types(void)
+static void accel_softmmu_register_types(void)
 {
    type_register_static(&accel_ops_type_info);
 }
-type_init(accel_system_register_types);
+type_init(accel_softmmu_register_types);
--- a/accel/accel-softmmu.h
+++ b/accel/accel-softmmu.h
@@ -7,9 +7,9 @@
 * See the COPYING file in the top-level directory.
 */

-#ifndef ACCEL_SYSTEM_H
-#define ACCEL_SYSTEM_H
+#ifndef ACCEL_SOFTMMU_H
+#define ACCEL_SOFTMMU_H

 void accel_init_ops_interfaces(AccelClass *ac);

-#endif /* ACCEL_SYSTEM_H */
+#endif /* ACCEL_SOFTMMU_H */
--- a/accel/dummy-cpus.c
+++ b/accel/dummy-cpus.c
@@ -21,22 +21,19 @@
 static void *dummy_cpu_thread_fn(void *arg)
 {
    CPUState *cpu = arg;
+    sigset_t waitset;
+    int r;

    rcu_register_thread();

    qemu_mutex_lock_iothread();
    qemu_thread_get_self(cpu->thread);
    cpu->thread_id = qemu_get_thread_id();
-    cpu->neg.can_do_io = true;
+    cpu->can_do_io = 1;
    current_cpu = cpu;

-#ifndef _WIN32
-    sigset_t waitset;
-    int r;
-
    sigemptyset(&waitset);
    sigaddset(&waitset, SIG_IPI);
-#endif

    /* signal CPU creation */
    cpu_thread_signal_created(cpu);
@@ -44,7 +41,6 @@ static void *dummy_cpu_thread_fn(void *arg)

    do {
        qemu_mutex_unlock_iothread();
-#ifndef _WIN32
        do {
            int sig;
            r = sigwait(&waitset, &sig);
@@ -53,9 +49,6 @@ static void *dummy_cpu_thread_fn(void *arg)
            perror("sigwait");
            exit(1);
        }
-#else
-        qemu_sem_wait(&cpu->sem);
-#endif
        qemu_mutex_lock_iothread();
        qemu_wait_io_event(cpu);
    } while (!cpu->unplug);
@@ -76,7 +69,4 @@ void dummy_start_vcpu_thread(CPUState *cpu)
             cpu->cpu_index);
    qemu_thread_create(cpu->thread, thread_name, dummy_cpu_thread_fn, cpu,
                       QEMU_THREAD_JOINABLE);
-#ifdef _WIN32
-    qemu_sem_init(&cpu->sem, 0);
-#endif
 }
--- a/accel/hvf/hvf-accel-ops.c
+++ b/accel/hvf/hvf-accel-ops.c
@@ -52,7 +52,6 @@
 #include "qemu/main-loop.h"
 #include "exec/address-spaces.h"
 #include "exec/exec-all.h"
-#include "exec/gdbstub.h"
 #include "sysemu/cpus.h"
 #include "sysemu/hvf.h"
 #include "sysemu/hvf_int.h"
@@ -121,12 +120,12 @@ static void hvf_set_phys_mem(MemoryRegionSection *section, bool add)
 {
    hvf_slot *mem;
    MemoryRegion *area = section->mr;
-    bool writable = !area->readonly && !area->rom_device;
+    bool writeable = !area->readonly && !area->rom_device;
    hv_memory_flags_t flags;
-    uint64_t page_size = qemu_real_host_page_size();
+    uint64_t page_size = qemu_real_host_page_size;

    if (!memory_region_is_ram(area)) {
-        if (writable) {
+        if (writeable) {
            return;
        } else if (!memory_region_is_romd(area)) {
            /*
@@ -304,7 +303,7 @@ static void hvf_region_del(MemoryListener *listener,

 static MemoryListener hvf_memory_listener = {
    .name = "hvf",
-    .priority = MEMORY_LISTENER_PRIORITY_ACCEL,
+    .priority = 10,
    .region_add = hvf_region_add,
    .region_del = hvf_region_del,
    .log_start = hvf_log_start,
@@ -335,26 +334,18 @@ static int hvf_accel_init(MachineState *ms)
        s->slots[x].slot_id = x;
    }

-    QTAILQ_INIT(&s->hvf_sw_breakpoints);
-
    hvf_state = s;
    memory_listener_register(&hvf_memory_listener, &address_space_memory);

    return hvf_arch_init();
 }

-static inline int hvf_gdbstub_sstep_flags(void)
-{
-    return SSTEP_ENABLE | SSTEP_NOIRQ;
-}
-
 static void hvf_accel_class_init(ObjectClass *oc, void *data)
 {
    AccelClass *ac = ACCEL_CLASS(oc);
    ac->name = "HVF";
    ac->init_machine = hvf_accel_init;
    ac->allowed = &hvf_allowed;
-    ac->gdbstub_supported_sstep_flags = hvf_gdbstub_sstep_flags;
 }

 static const TypeInfo hvf_accel_type = {
@@ -372,19 +363,19 @@ type_init(hvf_type_init);

 static void hvf_vcpu_destroy(CPUState *cpu)
 {
-    hv_return_t ret = hv_vcpu_destroy(cpu->accel->fd);
+    hv_return_t ret = hv_vcpu_destroy(cpu->hvf->fd);
    assert_hvf_ok(ret);

    hvf_arch_vcpu_destroy(cpu);
-    g_free(cpu->accel);
-    cpu->accel = NULL;
+    g_free(cpu->hvf);
+    cpu->hvf = NULL;
 }

 static int hvf_init_vcpu(CPUState *cpu)
 {
    int r;

-    cpu->accel = g_new0(AccelCPUState, 1);
+    cpu->hvf = g_malloc0(sizeof(*cpu->hvf));

    /* init cpu signals */
    struct sigaction sigact;
@@ -393,20 +384,17 @@ static int hvf_init_vcpu(CPUState *cpu)
    sigact.sa_handler = dummy_signal;
    sigaction(SIG_IPI, &sigact, NULL);

-    pthread_sigmask(SIG_BLOCK, NULL, &cpu->accel->unblock_ipi_mask);
-    sigdelset(&cpu->accel->unblock_ipi_mask, SIG_IPI);
+    pthread_sigmask(SIG_BLOCK, NULL, &cpu->hvf->unblock_ipi_mask);
+    sigdelset(&cpu->hvf->unblock_ipi_mask, SIG_IPI);

 #ifdef __aarch64__
-    r = hv_vcpu_create(&cpu->accel->fd,
-                       (hv_vcpu_exit_t **)&cpu->accel->exit, NULL);
+    r = hv_vcpu_create(&cpu->hvf->fd, (hv_vcpu_exit_t **)&cpu->hvf->exit, NULL);
 #else
-    r = hv_vcpu_create((hv_vcpuid_t *)&cpu->accel->fd, HV_VCPU_DEFAULT);
+    r = hv_vcpu_create((hv_vcpuid_t *)&cpu->hvf->fd, HV_VCPU_DEFAULT);
 #endif
    cpu->vcpu_dirty = 1;
    assert_hvf_ok(r);

-    cpu->accel->guest_debug_enabled = false;
-
    return hvf_arch_init_vcpu(cpu);
 }

@@ -428,7 +416,7 @@ static void *hvf_cpu_thread_fn(void *arg)
    qemu_thread_get_self(cpu->thread);

    cpu->thread_id = qemu_get_thread_id();
-    cpu->neg.can_do_io = true;
+    cpu->can_do_io = 1;
    current_cpu = cpu;

    hvf_init_vcpu(cpu);
@@ -474,108 +462,6 @@ static void hvf_start_vcpu_thread(CPUState *cpu)
                       cpu, QEMU_THREAD_JOINABLE);
 }

-static int hvf_insert_breakpoint(CPUState *cpu, int type, vaddr addr, vaddr len)
-{
-    struct hvf_sw_breakpoint *bp;
-    int err;
-
-    if (type == GDB_BREAKPOINT_SW) {
-        bp = hvf_find_sw_breakpoint(cpu, addr);
-        if (bp) {
-            bp->use_count++;
-            return 0;
-        }
-
-        bp = g_new(struct hvf_sw_breakpoint, 1);
-        bp->pc = addr;
-        bp->use_count = 1;
-        err = hvf_arch_insert_sw_breakpoint(cpu, bp);
-        if (err) {
-            g_free(bp);
-            return err;
-        }
-
-        QTAILQ_INSERT_HEAD(&hvf_state->hvf_sw_breakpoints, bp, entry);
-    } else {
-        err = hvf_arch_insert_hw_breakpoint(addr, len, type);
-        if (err) {
-            return err;
-        }
-    }
-
-    CPU_FOREACH(cpu) {
-        err = hvf_update_guest_debug(cpu);
-        if (err) {
-            return err;
-        }
-    }
-    return 0;
-}
-
-static int hvf_remove_breakpoint(CPUState *cpu, int type, vaddr addr, vaddr len)
-{
-    struct hvf_sw_breakpoint *bp;
-    int err;
-
-    if (type == GDB_BREAKPOINT_SW) {
-        bp = hvf_find_sw_breakpoint(cpu, addr);
-        if (!bp) {
-            return -ENOENT;
-        }
-
-        if (bp->use_count > 1) {
-            bp->use_count--;
-            return 0;
-        }
-
-        err = hvf_arch_remove_sw_breakpoint(cpu, bp);
-        if (err) {
-            return err;
-        }
-
-        QTAILQ_REMOVE(&hvf_state->hvf_sw_breakpoints, bp, entry);
-        g_free(bp);
-    } else {
-        err = hvf_arch_remove_hw_breakpoint(addr, len, type);
-        if (err) {
-            return err;
-        }
-    }
-
-    CPU_FOREACH(cpu) {
-        err = hvf_update_guest_debug(cpu);
-        if (err) {
-            return err;
-        }
-    }
-    return 0;
-}
-
-static void hvf_remove_all_breakpoints(CPUState *cpu)
-{
-    struct hvf_sw_breakpoint *bp, *next;
-    CPUState *tmpcpu;
-
-    QTAILQ_FOREACH_SAFE(bp, &hvf_state->hvf_sw_breakpoints, entry, next) {
-        if (hvf_arch_remove_sw_breakpoint(cpu, bp) != 0) {
-            /* Try harder to find a CPU that currently sees the breakpoint. */
-            CPU_FOREACH(tmpcpu)
-            {
-                if (hvf_arch_remove_sw_breakpoint(tmpcpu, bp) == 0) {
-                    break;
-                }
-            }
-        }
-        QTAILQ_REMOVE(&hvf_state->hvf_sw_breakpoints, bp, entry);
-        g_free(bp);
-    }
-    hvf_arch_remove_all_hw_breakpoints();
-
-    CPU_FOREACH(cpu) {
-        hvf_update_guest_debug(cpu);
-    }
-}
-
 static void hvf_accel_ops_class_init(ObjectClass *oc, void *data)
 {
    AccelOpsClass *ops = ACCEL_OPS_CLASS(oc);
@@ -587,12 +473,6 @@ static void hvf_accel_ops_class_init(ObjectClass *oc, void *data)
    ops->synchronize_post_init = hvf_cpu_synchronize_post_init;
    ops->synchronize_state = hvf_cpu_synchronize_state;
    ops->synchronize_pre_loadvm = hvf_cpu_synchronize_pre_loadvm;
-
-    ops->insert_breakpoint = hvf_insert_breakpoint;
-    ops->remove_breakpoint = hvf_remove_breakpoint;
-    ops->remove_all_breakpoints = hvf_remove_all_breakpoints;
-    ops->update_guest_debug = hvf_update_guest_debug;
-    ops->supports_guest_debug = hvf_arch_supports_guest_debug;
 };
 static const TypeInfo hvf_accel_ops_type = {
    .name = ACCEL_OPS_NAME("hvf"),
--- a/accel/hvf/hvf-all.c
+++ b/accel/hvf/hvf-all.c
@@ -9,6 +9,7 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "qemu/error-report.h"
 #include "sysemu/hvf.h"
 #include "sysemu/hvf_int.h"
@@ -38,38 +39,9 @@ void assert_hvf_ok(hv_return_t ret)
    case HV_UNSUPPORTED:
        error_report("Error: HV_UNSUPPORTED");
        break;
-#if defined(MAC_OS_VERSION_11_0) && \
-    MAC_OS_X_VERSION_MIN_REQUIRED >= MAC_OS_VERSION_11_0
-    case HV_DENIED:
-        error_report("Error: HV_DENIED");
-        break;
-#endif
    default:
        error_report("Unknown Error");
    }

    abort();
 }
-
-struct hvf_sw_breakpoint *hvf_find_sw_breakpoint(CPUState *cpu, vaddr pc)
-{
-    struct hvf_sw_breakpoint *bp;
-
-    QTAILQ_FOREACH(bp, &hvf_state->hvf_sw_breakpoints, entry) {
-        if (bp->pc == pc) {
-            return bp;
-        }
-    }
-    return NULL;
-}
-
-int hvf_sw_breakpoints_active(CPUState *cpu)
-{
-    return !QTAILQ_EMPTY(&hvf_state->hvf_sw_breakpoints);
-}
-
-int hvf_update_guest_debug(CPUState *cpu)
-{
-    hvf_arch_update_guest_debug(cpu);
-    return 0;
-}
--- a/accel/kvm/kvm-accel-ops.c
+++ b/accel/kvm/kvm-accel-ops.c
@@ -16,14 +16,12 @@
 #include "qemu/osdep.h"
 #include "qemu/error-report.h"
 #include "qemu/main-loop.h"
-#include "sysemu/kvm.h"
 #include "sysemu/kvm_int.h"
 #include "sysemu/runstate.h"
 #include "sysemu/cpus.h"
 #include "qemu/guest-random.h"
 #include "qapi/error.h"

-#include <linux/kvm.h>
 #include "kvm-cpus.h"

 static void *kvm_vcpu_thread_fn(void *arg)
@@ -36,7 +34,7 @@ static void *kvm_vcpu_thread_fn(void *arg)
    qemu_mutex_lock_iothread();
    qemu_thread_get_self(cpu->thread);
    cpu->thread_id = qemu_get_thread_id();
-    cpu->neg.can_do_io = true;
+    cpu->can_do_io = 1;
    current_cpu = cpu;

    r = kvm_init_vcpu(cpu, &error_fatal);
@@ -76,42 +74,15 @@ static void kvm_start_vcpu_thread(CPUState *cpu)
                       cpu, QEMU_THREAD_JOINABLE);
 }

-static bool kvm_vcpu_thread_is_idle(CPUState *cpu)
-{
-    return !kvm_halt_in_kernel();
-}
-
-static bool kvm_cpus_are_resettable(void)
-{
-    return !kvm_enabled() || kvm_cpu_check_are_resettable();
-}
-
-#ifdef KVM_CAP_SET_GUEST_DEBUG
-static int kvm_update_guest_debug_ops(CPUState *cpu)
-{
-    return kvm_update_guest_debug(cpu, 0);
-}
-#endif
-
 static void kvm_accel_ops_class_init(ObjectClass *oc, void *data)
 {
    AccelOpsClass *ops = ACCEL_OPS_CLASS(oc);

    ops->create_vcpu_thread = kvm_start_vcpu_thread;
-    ops->cpu_thread_is_idle = kvm_vcpu_thread_is_idle;
-    ops->cpus_are_resettable = kvm_cpus_are_resettable;
    ops->synchronize_post_reset = kvm_cpu_synchronize_post_reset;
    ops->synchronize_post_init = kvm_cpu_synchronize_post_init;
    ops->synchronize_state = kvm_cpu_synchronize_state;
    ops->synchronize_pre_loadvm = kvm_cpu_synchronize_pre_loadvm;
-
-#ifdef KVM_CAP_SET_GUEST_DEBUG
-    ops->update_guest_debug = kvm_update_guest_debug_ops;
-    ops->supports_guest_debug = kvm_supports_guest_debug;
-    ops->insert_breakpoint = kvm_insert_breakpoint;
-    ops->remove_breakpoint = kvm_remove_breakpoint;
-    ops->remove_all_breakpoints = kvm_remove_all_breakpoints;
-#endif
 }

 static const TypeInfo kvm_accel_ops_type = {
--- a/accel/kvm/kvm-all.c
+++ b/accel/kvm/kvm-all.c
--- a/accel/kvm/kvm-cpus.h
+++ b/accel/kvm/kvm-cpus.h
@@ -18,9 +18,5 @@ void kvm_destroy_vcpu(CPUState *cpu);
 void kvm_cpu_synchronize_post_reset(CPUState *cpu);
 void kvm_cpu_synchronize_post_init(CPUState *cpu);
 void kvm_cpu_synchronize_pre_loadvm(CPUState *cpu);
-bool kvm_supports_guest_debug(void);
-int kvm_insert_breakpoint(CPUState *cpu, int type, vaddr addr, vaddr len);
-int kvm_remove_breakpoint(CPUState *cpu, int type, vaddr addr, vaddr len);
-void kvm_remove_all_breakpoints(CPUState *cpu);

 #endif /* KVM_CPUS_H */
--- a/accel/meson.build
+++ b/accel/meson.build
@@ -1,15 +1,18 @@
-specific_ss.add(files('accel-target.c'))
-system_ss.add(files('accel-system.c', 'accel-blocker.c'))
+specific_ss.add(files('accel-common.c'))
+softmmu_ss.add(files('accel-softmmu.c'))
 user_ss.add(files('accel-user.c'))

+subdir('hvf')
+subdir('qtest')
+subdir('kvm')
 subdir('tcg')
-if have_system
-  subdir('hvf')
-  subdir('qtest')
-  subdir('kvm')
-  subdir('xen')
-  subdir('stubs')
-endif
+subdir('xen')
+subdir('stubs')

-# qtest
-system_ss.add(files('dummy-cpus.c'))
+dummy_ss = ss.source_set()
+dummy_ss.add(files(
+  'dummy-cpus.c',
+))
+
+specific_ss.add_all(when: ['CONFIG_SOFTMMU', 'CONFIG_POSIX'], if_true: dummy_ss)
+specific_ss.add_all(when: ['CONFIG_XEN'], if_true: dummy_ss)
--- a/accel/qtest/meson.build
+++ b/accel/qtest/meson.build
@@ -1 +1,2 @@
-qtest_module_ss.add(when: ['CONFIG_SYSTEM_ONLY'], if_true: files('qtest.c'))
+qtest_module_ss.add(when: ['CONFIG_SOFTMMU', 'CONFIG_POSIX'],
+                    if_true: files('qtest.c'))
--- a/accel/qtest/qtest.c
+++ b/accel/qtest/qtest.c
@@ -20,6 +20,7 @@
 #include "qemu/accel.h"
 #include "sysemu/qtest.h"
 #include "sysemu/cpus.h"
+#include "sysemu/cpu-timers.h"
 #include "qemu/guest-random.h"
 #include "qemu/main-loop.h"
 #include "hw/core/cpu.h"
--- a/accel/stubs/hax-stub.c
+++ b/accel/stubs/hax-stub.c
@@ -0,0 +1,22 @@
+/*
+ * QEMU HAXM support
+ *
+ * Copyright (c) 2015, Intel Corporation
+ *
+ * Copyright 2016 Google, Inc.
+ *
+ * This software is licensed under the terms of the GNU General Public
+ * License version 2, as published by the Free Software Foundation, and
+ * may be copied, distributed, and modified under those terms.
+ *
+ * See the COPYING file in the top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include "sysemu/hax.h"
+
+int hax_sync_vcpus(void)
+{
+    return 0;
+}
--- a/accel/stubs/kvm-stub.c
+++ b/accel/stubs/kvm-stub.c
@@ -12,17 +12,23 @@

 #include "qemu/osdep.h"
 #include "sysemu/kvm.h"
+
+#ifndef CONFIG_USER_ONLY
 #include "hw/pci/msi.h"
+#endif

 KVMState *kvm_state;
 bool kvm_kernel_irqchip;
 bool kvm_async_interrupts_allowed;
+bool kvm_eventfds_allowed;
+bool kvm_irqfds_allowed;
 bool kvm_resamplefds_allowed;
 bool kvm_msi_via_irqfd_allowed;
 bool kvm_gsi_routing_allowed;
 bool kvm_gsi_direct_mapping;
 bool kvm_allowed;
 bool kvm_readonly_mem_allowed;
+bool kvm_ioeventfd_any_length_allowed;
 bool kvm_msi_use_devid;

 void kvm_flush_coalesced_mmio_buffer(void)
@@ -38,6 +44,32 @@ bool kvm_has_sync_mmu(void)
    return false;
 }

+int kvm_has_many_ioeventfds(void)
+{
+    return 0;
+}
+
+int kvm_update_guest_debug(CPUState *cpu, unsigned long reinject_trap)
+{
+    return -ENOSYS;
+}
+
+int kvm_insert_breakpoint(CPUState *cpu, target_ulong addr,
+                          target_ulong len, int type)
+{
+    return -EINVAL;
+}
+
+int kvm_remove_breakpoint(CPUState *cpu, target_ulong addr,
+                          target_ulong len, int type)
+{
+    return -EINVAL;
+}
+
+void kvm_remove_all_breakpoints(CPUState *cpu)
+{
+}
+
 int kvm_on_sigbus_vcpu(CPUState *cpu, int code, void *addr)
 {
    return 1;
@@ -48,7 +80,8 @@ int kvm_on_sigbus(int code, void *addr)
    return 1;
 }

-int kvm_irqchip_add_msi_route(KVMRouteChange *c, int vector, PCIDevice *dev)
+#ifndef CONFIG_USER_ONLY
+int kvm_irqchip_add_msi_route(KVMState *s, int vector, PCIDevice *dev)
 {
    return -ENOSYS;
 }
@@ -83,6 +116,11 @@ void kvm_irqchip_change_notify(void)
 {
 }

+int kvm_irqchip_add_adapter_route(KVMState *s, AdapterInfo *adapter)
+{
+    return -ENOSYS;
+}
+
 int kvm_irqchip_add_irqfd_notifier_gsi(KVMState *s, EventNotifier *n,
                                       EventNotifier *rn, int virq)
 {
@@ -95,14 +133,9 @@ int kvm_irqchip_remove_irqfd_notifier_gsi(KVMState *s, EventNotifier *n,
    return -ENOSYS;
 }

-unsigned int kvm_get_max_memslots(void)
+bool kvm_has_free_slot(MachineState *ms)
 {
-    return 0;
-}
-
-unsigned int kvm_get_free_memslots(void)
-{
-    return 0;
+    return false;
 }

 void kvm_init_cpu_signals(CPUState *cpu)
@@ -119,8 +152,4 @@ bool kvm_dirty_ring_enabled(void)
 {
    return false;
 }
-
-uint32_t kvm_dirty_ring_size(void)
-{
-    return 0;
-}
+#endif
--- a/accel/stubs/meson.build
+++ b/accel/stubs/meson.build
@@ -1,6 +1,4 @@
-system_stubs_ss = ss.source_set()
-system_stubs_ss.add(when: 'CONFIG_XEN', if_false: files('xen-stub.c'))
-system_stubs_ss.add(when: 'CONFIG_KVM', if_false: files('kvm-stub.c'))
-system_stubs_ss.add(when: 'CONFIG_TCG', if_false: files('tcg-stub.c'))
-
-specific_ss.add_all(when: ['CONFIG_SYSTEM_ONLY'], if_true: system_stubs_ss)
+specific_ss.add(when: 'CONFIG_HAX', if_false: files('hax-stub.c'))
+specific_ss.add(when: 'CONFIG_XEN', if_false: files('xen-stub.c'))
+specific_ss.add(when: 'CONFIG_KVM', if_false: files('kvm-stub.c'))
+specific_ss.add(when: 'CONFIG_TCG', if_false: files('tcg-stub.c'))
--- a/accel/stubs/tcg-stub.c
+++ b/accel/stubs/tcg-stub.c
@@ -11,37 +11,29 @@
 */

 #include "qemu/osdep.h"
-#include "exec/tb-flush.h"
 #include "exec/exec-all.h"

 void tb_flush(CPUState *cpu)
 {
 }

-void tlb_set_dirty(CPUState *cpu, vaddr vaddr)
+void tlb_set_dirty(CPUState *cpu, target_ulong vaddr)
 {
 }

-int probe_access_flags(CPUArchState *env, vaddr addr, int size,
-                       MMUAccessType access_type, int mmu_idx,
-                       bool nonfault, void **phost, uintptr_t retaddr)
-{
-     g_assert_not_reached();
-}
-
-void *probe_access(CPUArchState *env, vaddr addr, int size,
+void *probe_access(CPUArchState *env, target_ulong addr, int size,
                   MMUAccessType access_type, int mmu_idx, uintptr_t retaddr)
 {
     /* Handled by hardware accelerator. */
     g_assert_not_reached();
 }

-G_NORETURN void cpu_loop_exit(CPUState *cpu)
+void QEMU_NORETURN cpu_loop_exit(CPUState *cpu)
 {
    g_assert_not_reached();
 }

-G_NORETURN void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
+void QEMU_NORETURN cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
 {
    g_assert_not_reached();
 }
--- a/accel/tcg/atomic_common.c.inc
+++ b/accel/tcg/atomic_common.c.inc
@@ -13,12 +13,46 @@
 * See the COPYING file in the top-level directory.
 */

-static void atomic_trace_rmw_post(CPUArchState *env, uint64_t addr,
+static void atomic_trace_rmw_pre(CPUArchState *env, target_ulong addr,
+                                 MemOpIdx oi)
+{
+    CPUState *cpu = env_cpu(env);
+
+    trace_guest_rmw_before_exec(cpu, addr, oi);
+}
+
+static void atomic_trace_rmw_post(CPUArchState *env, target_ulong addr,
                                  MemOpIdx oi)
 {
    qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_RW);
 }

+#if HAVE_ATOMIC128
+static void atomic_trace_ld_pre(CPUArchState *env, target_ulong addr,
+                                MemOpIdx oi)
+{
+    trace_guest_ld_before_exec(env_cpu(env), addr, oi);
+}
+
+static void atomic_trace_ld_post(CPUArchState *env, target_ulong addr,
+                                 MemOpIdx oi)
+{
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_R);
+}
+
+static void atomic_trace_st_pre(CPUArchState *env, target_ulong addr,
+                                MemOpIdx oi)
+{
+    trace_guest_st_before_exec(env_cpu(env), addr, oi);
+}
+
+static void atomic_trace_st_post(CPUArchState *env, target_ulong addr,
+                                 MemOpIdx oi)
+{
+    qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_W);
+}
+#endif
+
 /*
 * Atomic helpers callable from TCG.
 * These have a common interface and all defer to cpu_atomic_*
@@ -26,7 +60,7 @@ static void atomic_trace_rmw_post(CPUArchState *env, uint64_t addr,
 */

 #define CMPXCHG_HELPER(OP, TYPE) \
-    TYPE HELPER(atomic_##OP)(CPUArchState *env, uint64_t addr,      \
+    TYPE HELPER(atomic_##OP)(CPUArchState *env, target_ulong addr,  \
                             TYPE oldv, TYPE newv, uint32_t oi)     \
    { return cpu_atomic_##OP##_mmu(env, addr, oldv, newv, oi, GETPC()); }

@@ -41,35 +75,10 @@ CMPXCHG_HELPER(cmpxchgq_be, uint64_t)
 CMPXCHG_HELPER(cmpxchgq_le, uint64_t)
 #endif

-#if HAVE_CMPXCHG128
-CMPXCHG_HELPER(cmpxchgo_be, Int128)
-CMPXCHG_HELPER(cmpxchgo_le, Int128)
-#endif
-
 #undef CMPXCHG_HELPER

-Int128 HELPER(nonatomic_cmpxchgo)(CPUArchState *env, uint64_t addr,
-                                  Int128 cmpv, Int128 newv, uint32_t oi)
-{
-#if TCG_TARGET_REG_BITS == 32
-    uintptr_t ra = GETPC();
-    Int128 oldv;
-
-    oldv = cpu_ld16_mmu(env, addr, oi, ra);
-    if (int128_eq(oldv, cmpv)) {
-        cpu_st16_mmu(env, addr, newv, oi, ra);
-    } else {
-        /* Even with comparison failure, still need a write cycle. */
-        probe_write(env, addr, 16, get_mmuidx(oi), ra);
-    }
-    return oldv;
-#else
-    g_assert_not_reached();
-#endif
-}
-
 #define ATOMIC_HELPER(OP, TYPE) \
-    TYPE HELPER(glue(atomic_,OP))(CPUArchState *env, uint64_t addr,  \
+    TYPE HELPER(glue(atomic_,OP))(CPUArchState *env, target_ulong addr,  \
                                  TYPE val, uint32_t oi)                 \
    { return glue(glue(cpu_atomic_,OP),_mmu)(env, addr, val, oi, GETPC()); }

--- a/accel/tcg/atomic_template.h
+++ b/accel/tcg/atomic_template.h
@@ -63,20 +63,21 @@
   the ATOMIC_NAME macro, and redefined below.  */
 #if DATA_SIZE == 1
 # define END
-#elif HOST_BIG_ENDIAN
+#elif defined(HOST_WORDS_BIGENDIAN)
 # define END  _be
 #else
 # define END  _le
 #endif

-ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, abi_ptr addr,
+ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, target_ulong addr,
                              ABI_TYPE cmpv, ABI_TYPE newv,
                              MemOpIdx oi, uintptr_t retaddr)
 {
-    DATA_TYPE *haddr = atomic_mmu_lookup(env_cpu(env), addr, oi,
-                                         DATA_SIZE, retaddr);
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ | PAGE_WRITE, retaddr);
    DATA_TYPE ret;

+    atomic_trace_rmw_pre(env, addr, oi);
 #if DATA_SIZE == 16
    ret = atomic16_cmpxchg(haddr, cmpv, newv);
 #else
@@ -87,14 +88,43 @@ ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, abi_ptr addr,
    return ret;
 }

-#if DATA_SIZE < 16
-ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, abi_ptr addr, ABI_TYPE val,
+#if DATA_SIZE >= 16
+#if HAVE_ATOMIC128
+ABI_TYPE ATOMIC_NAME(ld)(CPUArchState *env, target_ulong addr,
+                         MemOpIdx oi, uintptr_t retaddr)
+{
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ, retaddr);
+    DATA_TYPE val;
+
+    atomic_trace_ld_pre(env, addr, oi);
+    val = atomic16_read(haddr);
+    ATOMIC_MMU_CLEANUP;
+    atomic_trace_ld_post(env, addr, oi);
+    return val;
+}
+
+void ATOMIC_NAME(st)(CPUArchState *env, target_ulong addr, ABI_TYPE val,
+                     MemOpIdx oi, uintptr_t retaddr)
+{
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_WRITE, retaddr);
+
+    atomic_trace_st_pre(env, addr, oi);
+    atomic16_set(haddr, val);
+    ATOMIC_MMU_CLEANUP;
+    atomic_trace_st_post(env, addr, oi);
+}
+#endif
+#else
+ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, target_ulong addr, ABI_TYPE val,
                           MemOpIdx oi, uintptr_t retaddr)
 {
-    DATA_TYPE *haddr = atomic_mmu_lookup(env_cpu(env), addr, oi,
-                                         DATA_SIZE, retaddr);
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ | PAGE_WRITE, retaddr);
    DATA_TYPE ret;

+    atomic_trace_rmw_pre(env, addr, oi);
    ret = qatomic_xchg__nocheck(haddr, val);
    ATOMIC_MMU_CLEANUP;
    atomic_trace_rmw_post(env, addr, oi);
@@ -102,11 +132,13 @@ ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, abi_ptr addr, ABI_TYPE val,
 }

 #define GEN_ATOMIC_HELPER(X)                                        \
-ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, abi_ptr addr,            \
+ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
                        ABI_TYPE val, MemOpIdx oi, uintptr_t retaddr) \
 {                                                                   \
-    DATA_TYPE *haddr, ret;                                          \
-    haddr = atomic_mmu_lookup(env_cpu(env), addr, oi, DATA_SIZE, retaddr);   \
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,  \
+                                         PAGE_READ | PAGE_WRITE, retaddr); \
+    DATA_TYPE ret;                                                  \
+    atomic_trace_rmw_pre(env, addr, oi);                            \
    ret = qatomic_##X(haddr, val);                                  \
    ATOMIC_MMU_CLEANUP;                                             \
    atomic_trace_rmw_post(env, addr, oi);                           \
@@ -133,11 +165,13 @@ GEN_ATOMIC_HELPER(xor_fetch)
 * of CF_PARALLEL's value, we'll trace just a read and a write.
 */
 #define GEN_ATOMIC_HELPER_FN(X, FN, XDATA_TYPE, RET)                \
-ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, abi_ptr addr,            \
+ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
                        ABI_TYPE xval, MemOpIdx oi, uintptr_t retaddr) \
 {                                                                   \
-    XDATA_TYPE *haddr, cmp, old, new, val = xval;                   \
-    haddr = atomic_mmu_lookup(env_cpu(env), addr, oi, DATA_SIZE, retaddr);   \
+    XDATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE, \
+                                          PAGE_READ | PAGE_WRITE, retaddr); \
+    XDATA_TYPE cmp, old, new, val = xval;                           \
+    atomic_trace_rmw_pre(env, addr, oi);                            \
    smp_mb();                                                       \
    cmp = qatomic_read__nocheck(haddr);                             \
    do {                                                            \
@@ -160,7 +194,7 @@ GEN_ATOMIC_HELPER_FN(smax_fetch, MAX, SDATA_TYPE, new)
 GEN_ATOMIC_HELPER_FN(umax_fetch, MAX,  DATA_TYPE, new)

 #undef GEN_ATOMIC_HELPER_FN
-#endif /* DATA SIZE < 16 */
+#endif /* DATA SIZE >= 16 */

 #undef END

@@ -168,20 +202,21 @@ GEN_ATOMIC_HELPER_FN(umax_fetch, MAX,  DATA_TYPE, new)

 /* Define reverse-host-endian atomic operations.  Note that END is used
   within the ATOMIC_NAME macro.  */
-#if HOST_BIG_ENDIAN
+#ifdef HOST_WORDS_BIGENDIAN
 # define END  _le
 #else
 # define END  _be
 #endif

-ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, abi_ptr addr,
+ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, target_ulong addr,
                              ABI_TYPE cmpv, ABI_TYPE newv,
                              MemOpIdx oi, uintptr_t retaddr)
 {
-    DATA_TYPE *haddr = atomic_mmu_lookup(env_cpu(env), addr, oi,
-                                         DATA_SIZE, retaddr);
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ | PAGE_WRITE, retaddr);
    DATA_TYPE ret;

+    atomic_trace_rmw_pre(env, addr, oi);
 #if DATA_SIZE == 16
    ret = atomic16_cmpxchg(haddr, BSWAP(cmpv), BSWAP(newv));
 #else
@@ -192,14 +227,44 @@ ABI_TYPE ATOMIC_NAME(cmpxchg)(CPUArchState *env, abi_ptr addr,
    return BSWAP(ret);
 }

-#if DATA_SIZE < 16
-ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, abi_ptr addr, ABI_TYPE val,
+#if DATA_SIZE >= 16
+#if HAVE_ATOMIC128
+ABI_TYPE ATOMIC_NAME(ld)(CPUArchState *env, target_ulong addr,
+                         MemOpIdx oi, uintptr_t retaddr)
+{
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ, retaddr);
+    DATA_TYPE val;
+
+    atomic_trace_ld_pre(env, addr, oi);
+    val = atomic16_read(haddr);
+    ATOMIC_MMU_CLEANUP;
+    atomic_trace_ld_post(env, addr, oi);
+    return BSWAP(val);
+}
+
+void ATOMIC_NAME(st)(CPUArchState *env, target_ulong addr, ABI_TYPE val,
+                     MemOpIdx oi, uintptr_t retaddr)
+{
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_WRITE, retaddr);
+
+    atomic_trace_st_pre(env, addr, oi);
+    val = BSWAP(val);
+    atomic16_set(haddr, val);
+    ATOMIC_MMU_CLEANUP;
+    atomic_trace_st_post(env, addr, oi);
+}
+#endif
+#else
+ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, target_ulong addr, ABI_TYPE val,
                           MemOpIdx oi, uintptr_t retaddr)
 {
-    DATA_TYPE *haddr = atomic_mmu_lookup(env_cpu(env), addr, oi,
-                                         DATA_SIZE, retaddr);
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,
+                                         PAGE_READ | PAGE_WRITE, retaddr);
    ABI_TYPE ret;

+    atomic_trace_rmw_pre(env, addr, oi);
    ret = qatomic_xchg__nocheck(haddr, BSWAP(val));
    ATOMIC_MMU_CLEANUP;
    atomic_trace_rmw_post(env, addr, oi);
@@ -207,11 +272,13 @@ ABI_TYPE ATOMIC_NAME(xchg)(CPUArchState *env, abi_ptr addr, ABI_TYPE val,
 }

 #define GEN_ATOMIC_HELPER(X)                                        \
-ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, abi_ptr addr,            \
+ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
                        ABI_TYPE val, MemOpIdx oi, uintptr_t retaddr) \
 {                                                                   \
-    DATA_TYPE *haddr, ret;                                          \
-    haddr = atomic_mmu_lookup(env_cpu(env), addr, oi, DATA_SIZE, retaddr);   \
+    DATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE,  \
+                                         PAGE_READ | PAGE_WRITE, retaddr); \
+    DATA_TYPE ret;                                                  \
+    atomic_trace_rmw_pre(env, addr, oi);                            \
    ret = qatomic_##X(haddr, BSWAP(val));                           \
    ATOMIC_MMU_CLEANUP;                                             \
    atomic_trace_rmw_post(env, addr, oi);                           \
@@ -235,11 +302,13 @@ GEN_ATOMIC_HELPER(xor_fetch)
 * of CF_PARALLEL's value, we'll trace just a read and a write.
 */
 #define GEN_ATOMIC_HELPER_FN(X, FN, XDATA_TYPE, RET)                \
-ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, abi_ptr addr,            \
+ABI_TYPE ATOMIC_NAME(X)(CPUArchState *env, target_ulong addr,       \
                        ABI_TYPE xval, MemOpIdx oi, uintptr_t retaddr) \
 {                                                                   \
-    XDATA_TYPE *haddr, ldo, ldn, old, new, val = xval;              \
-    haddr = atomic_mmu_lookup(env_cpu(env), addr, oi, DATA_SIZE, retaddr);   \
+    XDATA_TYPE *haddr = atomic_mmu_lookup(env, addr, oi, DATA_SIZE, \
+                                          PAGE_READ | PAGE_WRITE, retaddr); \
+    XDATA_TYPE ldo, ldn, old, new, val = xval;                      \
+    atomic_trace_rmw_pre(env, addr, oi);                            \
    smp_mb();                                                       \
    ldn = qatomic_read__nocheck(haddr);                             \
    do {                                                            \
@@ -269,7 +338,7 @@ GEN_ATOMIC_HELPER_FN(add_fetch, ADD, DATA_TYPE, new)
 #undef ADD

 #undef GEN_ATOMIC_HELPER_FN
-#endif /* DATA_SIZE < 16 */
+#endif /* DATA_SIZE >= 16 */

 #undef END
 #endif /* DATA_SIZE > 1 */
--- a/accel/tcg/cpu-exec-common.c
+++ b/accel/tcg/cpu-exec-common.c
@@ -20,8 +20,7 @@
 #include "qemu/osdep.h"
 #include "sysemu/cpus.h"
 #include "sysemu/tcg.h"
-#include "qemu/plugin.h"
-#include "internal-common.h"
+#include "exec/exec-all.h"

 bool tcg_allowed;

@@ -32,27 +31,53 @@ void cpu_loop_exit_noexc(CPUState *cpu)
    cpu_loop_exit(cpu);
 }

+#if defined(CONFIG_SOFTMMU)
+void cpu_reloading_memory_map(void)
+{
+    if (qemu_in_vcpu_thread() && current_cpu->running) {
+        /* The guest can in theory prolong the RCU critical section as long
+         * as it feels like. The major problem with this is that because it
+         * can do multiple reconfigurations of the memory map within the
+         * critical section, we could potentially accumulate an unbounded
+         * collection of memory data structures awaiting reclamation.
+         *
+         * Because the only thing we're currently protecting with RCU is the
+         * memory data structures, it's sufficient to break the critical section
+         * in this callback, which we know will get called every time the
+         * memory map is rearranged.
+         *
+         * (If we add anything else in the system that uses RCU to protect
+         * its data structures, we will need to implement some other mechanism
+         * to force TCG CPUs to exit the critical section, at which point this
+         * part of this callback might become unnecessary.)
+         *
+         * This pair matches cpu_exec's rcu_read_lock()/rcu_read_unlock(), which
+         * only protects cpu->as->dispatch. Since we know our caller is about
+         * to reload it, it's safe to split the critical section.
+         */
+        rcu_read_unlock();
+        rcu_read_lock();
+    }
+}
+#endif
+
 void cpu_loop_exit(CPUState *cpu)
 {
    /* Undo the setting in cpu_tb_exec.  */
-    cpu->neg.can_do_io = true;
-    /* Undo any setting in generated code.  */
-    qemu_plugin_disable_mem_helpers(cpu);
+    cpu->can_do_io = 1;
    siglongjmp(cpu->jmp_env, 1);
 }

 void cpu_loop_exit_restore(CPUState *cpu, uintptr_t pc)
 {
    if (pc) {
-        cpu_restore_state(cpu, pc);
+        cpu_restore_state(cpu, pc, true);
    }
    cpu_loop_exit(cpu);
 }

 void cpu_loop_exit_atomic(CPUState *cpu, uintptr_t pc)
 {
-    /* Prevent looping if already executing in a serial context. */
-    g_assert(!cpu_in_serial_context(cpu));
    cpu->exception_index = EXCP_ATOMIC;
    cpu_loop_exit_restore(cpu, pc);
 }
--- a/accel/tcg/cpu-exec.c
+++ b/accel/tcg/cpu-exec.c
@@ -18,8 +18,10 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "qemu/qemu-print.h"
 #include "qapi/error.h"
+#include "qapi/qapi-commands-machine.h"
 #include "qapi/type-helpers.h"
 #include "hw/core/tcg-cpu-ops.h"
 #include "trace.h"
@@ -27,6 +29,8 @@
 #include "exec/exec-all.h"
 #include "tcg/tcg.h"
 #include "qemu/atomic.h"
+#include "qemu/compiler.h"
+#include "qemu/timer.h"
 #include "qemu/rcu.h"
 #include "exec/log.h"
 #include "qemu/main-loop.h"
@@ -36,14 +40,12 @@
 #include "sysemu/cpus.h"
 #include "exec/cpu-all.h"
 #include "sysemu/cpu-timers.h"
-#include "exec/replay-core.h"
+#include "sysemu/replay.h"
 #include "sysemu/tcg.h"
-#include "exec/helper-proto-common.h"
-#include "tb-jmp-cache.h"
+#include "exec/helper-proto.h"
 #include "tb-hash.h"
 #include "tb-context.h"
-#include "internal-common.h"
-#include "internal-target.h"
+#include "internal.h"

 /* -icount align implementation. */

@@ -63,8 +65,8 @@ typedef struct SyncClocks {
 #define MAX_DELAY_PRINT_RATE 2000000000LL
 #define MAX_NB_PRINTS 100

-int64_t max_delay;
-int64_t max_advance;
+static int64_t max_delay;
+static int64_t max_advance;

 static void align_clocks(SyncClocks *sc, CPUState *cpu)
 {
@@ -74,7 +76,7 @@ static void align_clocks(SyncClocks *sc, CPUState *cpu)
        return;
    }

-    cpu_icount = cpu->icount_extra + cpu->neg.icount_decr.u16.low;
+    cpu_icount = cpu->icount_extra + cpu_neg(cpu)->icount_decr.u16.low;
    sc->diff_clk += icount_to_ns(sc->last_cpu_icount - cpu_icount);
    sc->last_cpu_icount = cpu_icount;

@@ -125,7 +127,7 @@ static void init_delay_params(SyncClocks *sc, CPUState *cpu)
    sc->realtime_clock = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL_RT);
    sc->diff_clk = qemu_clock_get_ns(QEMU_CLOCK_VIRTUAL) - sc->realtime_clock;
    sc->last_cpu_icount
-        = cpu->icount_extra + cpu->neg.icount_decr.u16.low;
+        = cpu->icount_extra + cpu_neg(cpu)->icount_decr.u16.low;
    if (sc->diff_clk < max_delay) {
        max_delay = sc->diff_clk;
    }
@@ -160,7 +162,7 @@ uint32_t curr_cflags(CPUState *cpu)
     */
    if (unlikely(cpu->singlestep_enabled)) {
        cflags |= CF_NO_GOTO_TB | CF_NO_GOTO_PTR | CF_SINGLE_STEP | 1;
-    } else if (qatomic_read(&one_insn_per_tb)) {
+    } else if (singlestep) {
        cflags |= CF_NO_GOTO_TB | 1;
    } else if (qemu_loglevel_mask(CPU_LOG_TB_NOCHAIN)) {
        cflags |= CF_NO_GOTO_TB;
@@ -169,167 +171,76 @@ uint32_t curr_cflags(CPUState *cpu)
    return cflags;
 }

-struct tb_desc {
-    vaddr pc;
-    uint64_t cs_base;
-    CPUArchState *env;
-    tb_page_addr_t page_addr0;
-    uint32_t flags;
-    uint32_t cflags;
-};
-
-static bool tb_lookup_cmp(const void *p, const void *d)
-{
-    const TranslationBlock *tb = p;
-    const struct tb_desc *desc = d;
-
-    if ((tb_cflags(tb) & CF_PCREL || tb->pc == desc->pc) &&
-        tb_page_addr0(tb) == desc->page_addr0 &&
-        tb->cs_base == desc->cs_base &&
-        tb->flags == desc->flags &&
-        tb_cflags(tb) == desc->cflags) {
-        /* check next page if needed */
-        tb_page_addr_t tb_phys_page1 = tb_page_addr1(tb);
-        if (tb_phys_page1 == -1) {
-            return true;
-        } else {
-            tb_page_addr_t phys_page1;
-            vaddr virt_page1;
-
-            /*
-             * We know that the first page matched, and an otherwise valid TB
-             * encountered an incomplete instruction at the end of that page,
-             * therefore we know that generating a new TB from the current PC
-             * must also require reading from the next page -- even if the
-             * second pages do not match, and therefore the resulting insn
-             * is different for the new TB.  Therefore any exception raised
-             * here by the faulting lookup is not premature.
-             */
-            virt_page1 = TARGET_PAGE_ALIGN(desc->pc);
-            phys_page1 = get_page_addr_code(desc->env, virt_page1);
-            if (tb_phys_page1 == phys_page1) {
-                return true;
-            }
-        }
-    }
-    return false;
-}
-
-static TranslationBlock *tb_htable_lookup(CPUState *cpu, vaddr pc,
-                                          uint64_t cs_base, uint32_t flags,
-                                          uint32_t cflags)
-{
-    tb_page_addr_t phys_pc;
-    struct tb_desc desc;
-    uint32_t h;
-
-    desc.env = cpu_env(cpu);
-    desc.cs_base = cs_base;
-    desc.flags = flags;
-    desc.cflags = cflags;
-    desc.pc = pc;
-    phys_pc = get_page_addr_code(desc.env, pc);
-    if (phys_pc == -1) {
-        return NULL;
-    }
-    desc.page_addr0 = phys_pc;
-    h = tb_hash_func(phys_pc, (cflags & CF_PCREL ? 0 : pc),
-                     flags, cs_base, cflags);
-    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
-}
-
 /* Might cause an exception, so have a longjmp destination ready */
-static inline TranslationBlock *tb_lookup(CPUState *cpu, vaddr pc,
-                                          uint64_t cs_base, uint32_t flags,
-                                          uint32_t cflags)
+static inline TranslationBlock *tb_lookup(CPUState *cpu, target_ulong pc,
+                                          target_ulong cs_base,
+                                          uint32_t flags, uint32_t cflags)
 {
    TranslationBlock *tb;
-    CPUJumpCache *jc;
    uint32_t hash;

    /* we should never be trying to look up an INVALID tb */
    tcg_debug_assert(!(cflags & CF_INVALID));

    hash = tb_jmp_cache_hash_func(pc);
-    jc = cpu->tb_jmp_cache;
+    tb = qatomic_rcu_read(&cpu->tb_jmp_cache[hash]);

-    if (cflags & CF_PCREL) {
-        /* Use acquire to ensure current load of pc from jc. */
-        tb = qatomic_load_acquire(&jc->array[hash].tb);
-
-        if (likely(tb &&
-                   jc->array[hash].pc == pc &&
-                   tb->cs_base == cs_base &&
-                   tb->flags == flags &&
-                   tb_cflags(tb) == cflags)) {
-            return tb;
-        }
-        tb = tb_htable_lookup(cpu, pc, cs_base, flags, cflags);
-        if (tb == NULL) {
-            return NULL;
-        }
-        jc->array[hash].pc = pc;
-        /* Ensure pc is written first. */
-        qatomic_store_release(&jc->array[hash].tb, tb);
-    } else {
-        /* Use rcu_read to ensure current load of pc from *tb. */
-        tb = qatomic_rcu_read(&jc->array[hash].tb);
-
-        if (likely(tb &&
-                   tb->pc == pc &&
-                   tb->cs_base == cs_base &&
-                   tb->flags == flags &&
-                   tb_cflags(tb) == cflags)) {
-            return tb;
-        }
-        tb = tb_htable_lookup(cpu, pc, cs_base, flags, cflags);
-        if (tb == NULL) {
-            return NULL;
-        }
-        /* Use the pc value already stored in tb->pc. */
-        qatomic_set(&jc->array[hash].tb, tb);
+    if (likely(tb &&
+               tb->pc == pc &&
+               tb->cs_base == cs_base &&
+               tb->flags == flags &&
+               tb->trace_vcpu_dstate == *cpu->trace_dstate &&
+               tb_cflags(tb) == cflags)) {
+        return tb;
    }
-
+    tb = tb_htable_lookup(cpu, pc, cs_base, flags, cflags);
+    if (tb == NULL) {
+        return NULL;
+    }
+    qatomic_set(&cpu->tb_jmp_cache[hash], tb);
    return tb;
 }

-static void log_cpu_exec(vaddr pc, CPUState *cpu,
-                         const TranslationBlock *tb)
+static inline void log_cpu_exec(target_ulong pc, CPUState *cpu,
+                                const TranslationBlock *tb)
 {
-    if (qemu_log_in_addr_range(pc)) {
+    if (unlikely(qemu_loglevel_mask(CPU_LOG_TB_CPU | CPU_LOG_EXEC))
+        && qemu_log_in_addr_range(pc)) {
+
        qemu_log_mask(CPU_LOG_EXEC,
-                      "Trace %d: %p [%08" PRIx64
-                      "/%016" VADDR_PRIx "/%08x/%08x] %s\n",
+                      "Trace %d: %p [" TARGET_FMT_lx
+                      "/" TARGET_FMT_lx "/%08x/%08x] %s\n",
                      cpu->cpu_index, tb->tc.ptr, tb->cs_base, pc,
                      tb->flags, tb->cflags, lookup_symbol(pc));

+#if defined(DEBUG_DISAS)
        if (qemu_loglevel_mask(CPU_LOG_TB_CPU)) {
-            FILE *logfile = qemu_log_trylock();
-            if (logfile) {
-                int flags = 0;
+            FILE *logfile = qemu_log_lock();
+            int flags = 0;

-                if (qemu_loglevel_mask(CPU_LOG_TB_FPU)) {
-                    flags |= CPU_DUMP_FPU;
-                }
-#if defined(TARGET_I386)
-                flags |= CPU_DUMP_CCOP;
-#endif
-                if (qemu_loglevel_mask(CPU_LOG_TB_VPU)) {
-                    flags |= CPU_DUMP_VPU;
-                }
-                cpu_dump_state(cpu, logfile, flags);
-                qemu_log_unlock(logfile);
+            if (qemu_loglevel_mask(CPU_LOG_TB_FPU)) {
+                flags |= CPU_DUMP_FPU;
            }
+#if defined(TARGET_I386)
+            flags |= CPU_DUMP_CCOP;
+#endif
+            log_cpu_state(cpu, flags);
+            qemu_log_unlock(logfile);
        }
+#endif /* DEBUG_DISAS */
    }
 }

-static bool check_for_breakpoints_slow(CPUState *cpu, vaddr pc,
-                                       uint32_t *cflags)
+static bool check_for_breakpoints(CPUState *cpu, target_ulong pc,
+                                  uint32_t *cflags)
 {
    CPUBreakpoint *bp;
    bool match_page = false;

+    if (likely(QTAILQ_EMPTY(&cpu->breakpoints))) {
+        return false;
+    }
+
    /*
     * Singlestep overrides breakpoints.
     * This requirement is visible in the record-replay tests, where
@@ -390,13 +301,6 @@ static bool check_for_breakpoints_slow(CPUState *cpu, vaddr pc,
    return false;
 }

-static inline bool check_for_breakpoints(CPUState *cpu, vaddr pc,
-                                         uint32_t *cflags)
-{
-    return unlikely(!QTAILQ_EMPTY(&cpu->breakpoints)) &&
-        check_for_breakpoints_slow(cpu, pc, cflags);
-}
-
 /**
 * helper_lookup_tb_ptr: quick check for next tb
 * @env: current cpu state
@@ -409,8 +313,7 @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
 {
    CPUState *cpu = env_cpu(env);
    TranslationBlock *tb;
-    vaddr pc;
-    uint64_t cs_base;
+    target_ulong cs_base, pc;
    uint32_t flags, cflags;

    cpu_get_tb_cpu_state(env, &pc, &cs_base, &flags);
@@ -425,9 +328,7 @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
        return tcg_code_gen_epilogue;
    }

-    if (qemu_loglevel_mask(CPU_LOG_TB_CPU | CPU_LOG_EXEC)) {
-        log_cpu_exec(pc, cpu, tb);
-    }
+    log_cpu_exec(pc, cpu, tb);

    return tb->tc.ptr;
 }
@@ -445,19 +346,16 @@ const void *HELPER(lookup_tb_ptr)(CPUArchState *env)
 static inline TranslationBlock * QEMU_DISABLE_CFI
 cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
 {
-    CPUArchState *env = cpu_env(cpu);
+    CPUArchState *env = cpu->env_ptr;
    uintptr_t ret;
    TranslationBlock *last_tb;
    const void *tb_ptr = itb->tc.ptr;

-    if (qemu_loglevel_mask(CPU_LOG_TB_CPU | CPU_LOG_EXEC)) {
-        log_cpu_exec(log_pc(cpu, itb), cpu, itb);
-    }
+    log_cpu_exec(itb->pc, cpu, itb);

    qemu_thread_jit_execute();
    ret = tcg_qemu_tb_exec(env, tb_ptr);
-    cpu->neg.can_do_io = true;
-    qemu_plugin_disable_mem_helpers(cpu);
+    cpu->can_do_io = 1;
    /*
     * TODO: Delay swapping back to the read-write region of the TB
     * until we actually need to modify the TB.  The read-only copy,
@@ -477,22 +375,17 @@ cpu_tb_exec(CPUState *cpu, TranslationBlock *itb, int *tb_exit)
         * of the start of the TB.
         */
        CPUClass *cc = CPU_GET_CLASS(cpu);
-
+        qemu_log_mask_and_addr(CPU_LOG_EXEC, last_tb->pc,
+                               "Stopped execution of TB chain before %p ["
+                               TARGET_FMT_lx "] %s\n",
+                               last_tb->tc.ptr, last_tb->pc,
+                               lookup_symbol(last_tb->pc));
        if (cc->tcg_ops->synchronize_from_tb) {
            cc->tcg_ops->synchronize_from_tb(cpu, last_tb);
        } else {
-            tcg_debug_assert(!(tb_cflags(last_tb) & CF_PCREL));
            assert(cc->set_pc);
            cc->set_pc(cpu, last_tb->pc);
        }
-        if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
-            vaddr pc = log_pc(cpu, last_tb);
-            if (qemu_log_in_addr_range(pc)) {
-                qemu_log("Stopped execution of TB chain before %p [%016"
-                         VADDR_PRIx "] %s\n",
-                         last_tb->tc.ptr, pc, lookup_symbol(pc));
-            }
-        }
    }

    /*
@@ -527,49 +420,11 @@ static void cpu_exec_exit(CPUState *cpu)
    }
 }

-static void cpu_exec_longjmp_cleanup(CPUState *cpu)
-{
-    /* Non-buggy compilers preserve this; assert the correct value. */
-    g_assert(cpu == current_cpu);
-
-#ifdef CONFIG_USER_ONLY
-    clear_helper_retaddr();
-    if (have_mmap_lock()) {
-        mmap_unlock();
-    }
-#else
-    /*
-     * For softmmu, a tlb_fill fault during translation will land here,
-     * and we need to release any page locks held.  In system mode we
-     * have one tcg_ctx per thread, so we know it was this cpu doing
-     * the translation.
-     *
-     * Alternative 1: Install a cleanup to be called via an exception
-     * handling safe longjmp.  It seems plausible that all our hosts
-     * support such a thing.  We'd have to properly register unwind info
-     * for the JIT for EH, rather that just for GDB.
-     *
-     * Alternative 2: Set and restore cpu->jmp_env in tb_gen_code to
-     * capture the cpu_loop_exit longjmp, perform the cleanup, and
-     * jump again to arrive here.
-     */
-    if (tcg_ctx->gen_tb) {
-        tb_unlock_pages(tcg_ctx->gen_tb);
-        tcg_ctx->gen_tb = NULL;
-    }
-#endif
-    if (qemu_mutex_iothread_locked()) {
-        qemu_mutex_unlock_iothread();
-    }
-    assert_no_pages_locked();
-}
-
 void cpu_exec_step_atomic(CPUState *cpu)
 {
-    CPUArchState *env = cpu_env(cpu);
+    CPUArchState *env = (CPUArchState *)cpu->env_ptr;
    TranslationBlock *tb;
-    vaddr pc;
-    uint64_t cs_base;
+    target_ulong cs_base, pc;
    uint32_t flags, cflags;
    int tb_exit;

@@ -606,7 +461,19 @@ void cpu_exec_step_atomic(CPUState *cpu)
        cpu_tb_exec(cpu, tb, &tb_exit);
        cpu_exec_exit(cpu);
    } else {
-        cpu_exec_longjmp_cleanup(cpu);
+        /*
+         * The mmap_lock is dropped by tb_gen_code if it runs out of
+         * memory.
+         */
+#ifndef CONFIG_SOFTMMU
+        clear_helper_retaddr();
+        tcg_debug_assert(!have_mmap_lock());
+#endif
+        if (qemu_mutex_iothread_locked()) {
+            qemu_mutex_unlock_iothread();
+        }
+        assert_no_pages_locked();
+        qemu_plugin_disable_mem_helpers(cpu);
    }

    /*
@@ -619,20 +486,78 @@ void cpu_exec_step_atomic(CPUState *cpu)
    end_exclusive();
 }

+struct tb_desc {
+    target_ulong pc;
+    target_ulong cs_base;
+    CPUArchState *env;
+    tb_page_addr_t phys_page1;
+    uint32_t flags;
+    uint32_t cflags;
+    uint32_t trace_vcpu_dstate;
+};
+
+static bool tb_lookup_cmp(const void *p, const void *d)
+{
+    const TranslationBlock *tb = p;
+    const struct tb_desc *desc = d;
+
+    if (tb->pc == desc->pc &&
+        tb->page_addr[0] == desc->phys_page1 &&
+        tb->cs_base == desc->cs_base &&
+        tb->flags == desc->flags &&
+        tb->trace_vcpu_dstate == desc->trace_vcpu_dstate &&
+        tb_cflags(tb) == desc->cflags) {
+        /* check next page if needed */
+        if (tb->page_addr[1] == -1) {
+            return true;
+        } else {
+            tb_page_addr_t phys_page2;
+            target_ulong virt_page2;
+
+            virt_page2 = (desc->pc & TARGET_PAGE_MASK) + TARGET_PAGE_SIZE;
+            phys_page2 = get_page_addr_code(desc->env, virt_page2);
+            if (tb->page_addr[1] == phys_page2) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+
+TranslationBlock *tb_htable_lookup(CPUState *cpu, target_ulong pc,
+                                   target_ulong cs_base, uint32_t flags,
+                                   uint32_t cflags)
+{
+    tb_page_addr_t phys_pc;
+    struct tb_desc desc;
+    uint32_t h;
+
+    desc.env = (CPUArchState *)cpu->env_ptr;
+    desc.cs_base = cs_base;
+    desc.flags = flags;
+    desc.cflags = cflags;
+    desc.trace_vcpu_dstate = *cpu->trace_dstate;
+    desc.pc = pc;
+    phys_pc = get_page_addr_code(desc.env, pc);
+    if (phys_pc == -1) {
+        return NULL;
+    }
+    desc.phys_page1 = phys_pc & TARGET_PAGE_MASK;
+    h = tb_hash_func(phys_pc, pc, flags, cflags, *cpu->trace_dstate);
+    return qht_lookup_custom(&tb_ctx.htable, &desc, h, tb_lookup_cmp);
+}
+
 void tb_set_jmp_target(TranslationBlock *tb, int n, uintptr_t addr)
 {
-    /*
-     * Get the rx view of the structure, from which we find the
-     * executable code address, and tb_target_set_jmp_target can
-     * produce a pc-relative displacement to jmp_target_addr[n].
-     */
-    const TranslationBlock *c_tb = tcg_splitwx_to_rx(tb);
-    uintptr_t offset = tb->jmp_insn_offset[n];
-    uintptr_t jmp_rx = (uintptr_t)tb->tc.ptr + offset;
-    uintptr_t jmp_rw = jmp_rx - tcg_splitwx_diff;
-
-    tb->jmp_target_addr[n] = addr;
-    tb_target_set_jmp_target(c_tb, n, jmp_rx, jmp_rw);
+    if (TCG_TARGET_HAS_direct_jump) {
+        uintptr_t offset = tb->jmp_target_arg[n];
+        uintptr_t tc_ptr = (uintptr_t)tb->tc.ptr;
+        uintptr_t jmp_rx = tc_ptr + offset;
+        uintptr_t jmp_rw = jmp_rx - tcg_splitwx_diff;
+        tb_target_set_jmp_target(tc_ptr, jmp_rx, jmp_rw, addr);
+    } else {
+        tb->jmp_target_arg[n] = addr;
+    }
 }

 static inline void tb_add_jump(TranslationBlock *tb, int n,
@@ -664,8 +589,11 @@ static inline void tb_add_jump(TranslationBlock *tb, int n,

    qemu_spin_unlock(&tb_next->jmp_lock);

-    qemu_log_mask(CPU_LOG_EXEC, "Linking TBs %p index %d -> %p\n",
-                  tb->tc.ptr, n, tb_next->tc.ptr);
+    qemu_log_mask_and_addr(CPU_LOG_EXEC, tb->pc,
+                           "Linking TBs %p [" TARGET_FMT_lx
+                           "] index %d -> %p [" TARGET_FMT_lx "]\n",
+                           tb->tc.ptr, tb->pc, n,
+                           tb_next->tc.ptr, tb_next->pc);
    return;

 out_unlock_next:
@@ -718,10 +646,9 @@ static inline bool cpu_handle_exception(CPUState *cpu, int *ret)
    if (cpu->exception_index < 0) {
 #ifndef CONFIG_USER_ONLY
        if (replay_has_exception()
-            && cpu->neg.icount_decr.u16.low + cpu->icount_extra == 0) {
+            && cpu_neg(cpu)->icount_decr.u16.low + cpu->icount_extra == 0) {
            /* Execute just one insn to trigger exception pending in the log */
-            cpu->cflags_next_tb = (curr_cflags(cpu) & ~CF_USE_ICOUNT)
-                | CF_LAST_IO | CF_NOIRQ | 1;
+            cpu->cflags_next_tb = (curr_cflags(cpu) & ~CF_USE_ICOUNT) | 1;
        }
 #endif
        return false;
@@ -808,7 +735,7 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
     * Ensure zeroing happens before reading cpu->exit_request or
     * cpu->interrupt_request (see also smp_wmb in cpu_exit())
     */
-    qatomic_set_mb(&cpu->neg.icount_decr.u16.high, 0);
+    qatomic_mb_set(&cpu_neg(cpu)->icount_decr.u16.high, 0);

    if (unlikely(qatomic_read(&cpu->interrupt_request))) {
        int interrupt_request;
@@ -871,12 +798,8 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
                 * raised when single-stepping so that GDB doesn't miss the
                 * next instruction.
                 */
-                if (unlikely(cpu->singlestep_enabled)) {
-                    cpu->exception_index = EXCP_DEBUG;
-                    qemu_mutex_unlock_iothread();
-                    return true;
-                }
-                cpu->exception_index = -1;
+                cpu->exception_index =
+                    (cpu->singlestep_enabled ? EXCP_DEBUG : -1);
                *last_tb = NULL;
            }
            /* The target hook may have updated the 'cpu->interrupt_request';
@@ -899,7 +822,7 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
    if (unlikely(qatomic_read(&cpu->exit_request))
        || (icount_enabled()
            && (cpu->cflags_next_tb == -1 || cpu->cflags_next_tb & CF_USE_ICOUNT)
-            && cpu->neg.icount_decr.u16.low + cpu->icount_extra == 0)) {
+            && cpu_neg(cpu)->icount_decr.u16.low + cpu->icount_extra == 0)) {
        qatomic_set(&cpu->exit_request, 0);
        if (cpu->exception_index == -1) {
            cpu->exception_index = EXCP_INTERRUPT;
@@ -911,12 +834,11 @@ static inline bool cpu_handle_interrupt(CPUState *cpu,
 }

 static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
-                                    vaddr pc, TranslationBlock **last_tb,
-                                    int *tb_exit)
+                                    TranslationBlock **last_tb, int *tb_exit)
 {
    int32_t insns_left;

-    trace_exec_tb(tb, pc);
+    trace_exec_tb(tb, tb->pc);
    tb = cpu_tb_exec(cpu, tb, tb_exit);
    if (*tb_exit != TB_EXIT_REQUESTED) {
        *last_tb = tb;
@@ -924,7 +846,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
    }

    *last_tb = NULL;
-    insns_left = qatomic_read(&cpu->neg.icount_decr.u32);
+    insns_left = qatomic_read(&cpu_neg(cpu)->icount_decr.u32);
    if (insns_left < 0) {
        /* Something asked us to stop executing chained TBs; just
         * continue round the main loop. Whatever requested the exit
@@ -943,7 +865,7 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,
    icount_update(cpu);
    /* Refill decrementer and continue execution.  */
    insns_left = MIN(0xffff, cpu->icount_budget);
-    cpu->neg.icount_decr.u16.low = insns_left;
+    cpu_neg(cpu)->icount_decr.u16.low = insns_left;
    cpu->icount_extra = cpu->icount_budget - insns_left;

    /*
@@ -961,10 +883,62 @@ static inline void cpu_loop_exec_tb(CPUState *cpu, TranslationBlock *tb,

 /* main execution loop */

-static int __attribute__((noinline))
-cpu_exec_loop(CPUState *cpu, SyncClocks *sc)
+int cpu_exec(CPUState *cpu)
 {
    int ret;
+    SyncClocks sc = { 0 };
+
+    /* replay_interrupt may need current_cpu */
+    current_cpu = cpu;
+
+    if (cpu_handle_halt(cpu)) {
+        return EXCP_HALTED;
+    }
+
+    rcu_read_lock();
+
+    cpu_exec_enter(cpu);
+
+    /* Calculate difference between guest clock and host clock.
+     * This delay includes the delay of the last cycle, so
+     * what we have to do is sleep until it is 0. As for the
+     * advance/delay we gain here, we try to fix it next time.
+     */
+    init_delay_params(&sc, cpu);
+
+    /* prepare setjmp context for exception handling */
+    if (sigsetjmp(cpu->jmp_env, 0) != 0) {
+#if defined(__clang__)
+        /*
+         * Some compilers wrongly smash all local variables after
+         * siglongjmp (the spec requires that only non-volatile locals
+         * which are changed between the sigsetjmp and siglongjmp are
+         * permitted to be trashed). There were bug reports for gcc
+         * 4.5.0 and clang.  The bug is fixed in all versions of gcc
+         * that we support, but is still unfixed in clang:
+         *   https://bugs.llvm.org/show_bug.cgi?id=21183
+         *
+         * Reload an essential local variable here for those compilers.
+         * Newer versions of gcc would complain about this code (-Wclobbered),
+         * so we only perform the workaround for clang.
+         */
+        cpu = current_cpu;
+#else
+        /* Non-buggy compilers preserve this; assert the correct value. */
+        g_assert(cpu == current_cpu);
+#endif
+
+#ifndef CONFIG_SOFTMMU
+        clear_helper_retaddr();
+        tcg_debug_assert(!have_mmap_lock());
+#endif
+        if (qemu_mutex_iothread_locked()) {
+            qemu_mutex_unlock_iothread();
+        }
+        qemu_plugin_disable_mem_helpers(cpu);
+
+        assert_no_pages_locked();
+    }

    /* if an exception is pending, we execute it here */
    while (!cpu_handle_exception(cpu, &ret)) {
@@ -973,11 +947,10 @@ cpu_exec_loop(CPUState *cpu, SyncClocks *sc)

        while (!cpu_handle_interrupt(cpu, &last_tb)) {
            TranslationBlock *tb;
-            vaddr pc;
-            uint64_t cs_base;
+            target_ulong cs_base, pc;
            uint32_t flags, cflags;

-            cpu_get_tb_cpu_state(cpu_env(cpu), &pc, &cs_base, &flags);
+            cpu_get_tb_cpu_state(cpu->env_ptr, &pc, &cs_base, &flags);

            /*
             * When requested, use an exact setting for cflags for the next
@@ -999,27 +972,14 @@ cpu_exec_loop(CPUState *cpu, SyncClocks *sc)

            tb = tb_lookup(cpu, pc, cs_base, flags, cflags);
            if (tb == NULL) {
-                CPUJumpCache *jc;
-                uint32_t h;
-
                mmap_lock();
                tb = tb_gen_code(cpu, pc, cs_base, flags, cflags);
                mmap_unlock();
-
                /*
                 * We add the TB in the virtual pc hash table
                 * for the fast lookup
                 */
-                h = tb_jmp_cache_hash_func(pc);
-                jc = cpu->tb_jmp_cache;
-                if (cflags & CF_PCREL) {
-                    jc->array[h].pc = pc;
-                    /* Ensure pc is written first. */
-                    qatomic_store_release(&jc->array[h].tb, tb);
-                } else {
-                    /* Use the pc value already stored in tb->pc. */
-                    qatomic_set(&jc->array[h].tb, tb);
-                }
+                qatomic_set(&cpu->tb_jmp_cache[tb_jmp_cache_hash_func(pc)], tb);
            }

 #ifndef CONFIG_USER_ONLY
@@ -1029,7 +989,7 @@ cpu_exec_loop(CPUState *cpu, SyncClocks *sc)
             * direct jump to a TB spanning two pages because the mapping
             * for the second page can change.
             */
-            if (tb_page_addr1(tb) != -1) {
+            if (tb->page_addr[1] != -1) {
                last_tb = NULL;
            }
 #endif
@@ -1038,50 +998,13 @@ cpu_exec_loop(CPUState *cpu, SyncClocks *sc)
                tb_add_jump(last_tb, tb_exit, tb);
            }

-            cpu_loop_exec_tb(cpu, tb, pc, &last_tb, &tb_exit);
+            cpu_loop_exec_tb(cpu, tb, &last_tb, &tb_exit);

            /* Try to align the host and virtual clocks
               if the guest is in advance */
-            align_clocks(sc, cpu);
+            align_clocks(&sc, cpu);
        }
    }
-    return ret;
-}
-
-static int cpu_exec_setjmp(CPUState *cpu, SyncClocks *sc)
-{
-    /* Prepare setjmp context for exception handling. */
-    if (unlikely(sigsetjmp(cpu->jmp_env, 0) != 0)) {
-        cpu_exec_longjmp_cleanup(cpu);
-    }
-
-    return cpu_exec_loop(cpu, sc);
-}
-
-int cpu_exec(CPUState *cpu)
-{
-    int ret;
-    SyncClocks sc = { 0 };
-
-    /* replay_interrupt may need current_cpu */
-    current_cpu = cpu;
-
-    if (cpu_handle_halt(cpu)) {
-        return EXCP_HALTED;
-    }
-
-    rcu_read_lock();
-    cpu_exec_enter(cpu);
-
-    /*
-     * Calculate difference between guest clock and host clock.
-     * This delay includes the delay of the last cycle, so
-     * what we have to do is sleep until it is 0. As for the
-     * advance/delay we gain here, we try to fix it next time.
-     */
-    init_delay_params(&sc, cpu);
-
-    ret = cpu_exec_setjmp(cpu, &sc);

    cpu_exec_exit(cpu);
    rcu_read_unlock();
@@ -1089,7 +1012,7 @@ int cpu_exec(CPUState *cpu)
    return ret;
 }

-bool tcg_exec_realizefn(CPUState *cpu, Error **errp)
+void tcg_exec_realizefn(CPUState *cpu, Error **errp)
 {
    static bool tcg_target_initialized;
    CPUClass *cc = CPU_GET_CLASS(cpu);
@@ -1098,15 +1021,12 @@ bool tcg_exec_realizefn(CPUState *cpu, Error **errp)
        cc->tcg_ops->initialize();
        tcg_target_initialized = true;
    }
-
-    cpu->tb_jmp_cache = g_new0(CPUJumpCache, 1);
    tlb_init(cpu);
+    qemu_plugin_vcpu_init_hook(cpu);
+
 #ifndef CONFIG_USER_ONLY
    tcg_iommu_init_notifier_list(cpu);
 #endif /* !CONFIG_USER_ONLY */
-    /* qemu_plugin_vcpu_init_hook delayed until cpu_index assigned. */
-
-    return true;
 }

 /* undo the initializations in reverse order */
@@ -1116,6 +1036,58 @@ void tcg_exec_unrealizefn(CPUState *cpu)
    tcg_iommu_free_notifier_list(cpu);
 #endif /* !CONFIG_USER_ONLY */

+    qemu_plugin_vcpu_exit_hook(cpu);
    tlb_destroy(cpu);
-    g_free_rcu(cpu->tb_jmp_cache, rcu);
 }
+
+#ifndef CONFIG_USER_ONLY
+
+void dump_drift_info(GString *buf)
+{
+    if (!icount_enabled()) {
+        return;
+    }
+
+    g_string_append_printf(buf, "Host - Guest clock  %"PRIi64" ms\n",
+                           (cpu_get_clock() - icount_get()) / SCALE_MS);
+    if (icount_align_option) {
+        g_string_append_printf(buf, "Max guest delay     %"PRIi64" ms\n",
+                               -max_delay / SCALE_MS);
+        g_string_append_printf(buf, "Max guest advance   %"PRIi64" ms\n",
+                               max_advance / SCALE_MS);
+    } else {
+        g_string_append_printf(buf, "Max guest delay     NA\n");
+        g_string_append_printf(buf, "Max guest advance   NA\n");
+    }
+}
+
+HumanReadableText *qmp_x_query_jit(Error **errp)
+{
+    g_autoptr(GString) buf = g_string_new("");
+
+    if (!tcg_enabled()) {
+        error_setg(errp, "JIT information is only available with accel=tcg");
+        return NULL;
+    }
+
+    dump_exec_info(buf);
+    dump_drift_info(buf);
+
+    return human_readable_text_from_str(buf);
+}
+
+HumanReadableText *qmp_x_query_opcount(Error **errp)
+{
+    g_autoptr(GString) buf = g_string_new("");
+
+    if (!tcg_enabled()) {
+        error_setg(errp, "Opcode count information is only available with accel=tcg");
+        return NULL;
+    }
+
+    dump_opcount_info(buf);
+
+    return human_readable_text_from_str(buf);
+}
+
+#endif /* !CONFIG_USER_ONLY */
--- a/accel/tcg/cputlb.c
+++ b/accel/tcg/cputlb.c
--- a/accel/tcg/debuginfo.c
+++ b/accel/tcg/debuginfo.c
@@ -1,96 +0,0 @@
-/*
- * Debug information support.
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#include "qemu/osdep.h"
-#include "qemu/lockable.h"
-
-#include <elfutils/libdwfl.h>
-
-#include "debuginfo.h"
-
-static QemuMutex lock;
-static Dwfl *dwfl;
-static const Dwfl_Callbacks dwfl_callbacks = {
-    .find_elf = NULL,
-    .find_debuginfo = dwfl_standard_find_debuginfo,
-    .section_address = NULL,
-    .debuginfo_path = NULL,
-};
-
-__attribute__((constructor))
-static void debuginfo_init(void)
-{
-    qemu_mutex_init(&lock);
-}
-
-void debuginfo_report_elf(const char *name, int fd, uint64_t bias)
-{
-    QEMU_LOCK_GUARD(&lock);
-
-    if (dwfl) {
-        dwfl_report_begin_add(dwfl);
-    } else {
-        dwfl = dwfl_begin(&dwfl_callbacks);
-    }
-
-    if (dwfl) {
-        dwfl_report_elf(dwfl, name, name, fd, bias, true);
-        dwfl_report_end(dwfl, NULL, NULL);
-    }
-}
-
-void debuginfo_lock(void)
-{
-    qemu_mutex_lock(&lock);
-}
-
-void debuginfo_query(struct debuginfo_query *q, size_t n)
-{
-    const char *symbol, *file;
-    Dwfl_Module *dwfl_module;
-    Dwfl_Line *dwfl_line;
-    GElf_Off dwfl_offset;
-    GElf_Sym dwfl_sym;
-    size_t i;
-    int line;
-
-    if (!dwfl) {
-        return;
-    }
-
-    for (i = 0; i < n; i++) {
-        dwfl_module = dwfl_addrmodule(dwfl, q[i].address);
-        if (!dwfl_module) {
-            continue;
-        }
-
-        if (q[i].flags & DEBUGINFO_SYMBOL) {
-            symbol = dwfl_module_addrinfo(dwfl_module, q[i].address,
-                                          &dwfl_offset, &dwfl_sym,
-                                          NULL, NULL, NULL);
-            if (symbol) {
-                q[i].symbol = symbol;
-                q[i].offset = dwfl_offset;
-            }
-        }
-
-        if (q[i].flags & DEBUGINFO_LINE) {
-            dwfl_line = dwfl_module_getsrc(dwfl_module, q[i].address);
-            if (dwfl_line) {
-                file = dwfl_lineinfo(dwfl_line, NULL, &line, 0, NULL, NULL);
-                if (file) {
-                    q[i].file = file;
-                    q[i].line = line;
-                }
-            }
-        }
-    }
-}
-
-void debuginfo_unlock(void)
-{
-    qemu_mutex_unlock(&lock);
-}
--- a/accel/tcg/debuginfo.h
+++ b/accel/tcg/debuginfo.h
@@ -1,79 +0,0 @@
-/*
- * Debug information support.
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#ifndef ACCEL_TCG_DEBUGINFO_H
-#define ACCEL_TCG_DEBUGINFO_H
-
-#include "qemu/bitops.h"
-
-/*
- * Debuginfo describing a certain address.
- */
-struct debuginfo_query {
-    uint64_t address;    /* Input: address. */
-    int flags;           /* Input: debuginfo subset. */
-    const char *symbol;  /* Symbol that the address is part of. */
-    uint64_t offset;     /* Offset from the symbol. */
-    const char *file;    /* Source file associated with the address. */
-    int line;            /* Line number in the source file. */
-};
-
-/*
- * Debuginfo subsets.
- */
-#define DEBUGINFO_SYMBOL BIT(1)
-#define DEBUGINFO_LINE   BIT(2)
-
-#if defined(CONFIG_TCG) && defined(CONFIG_LIBDW)
-/*
- * Load debuginfo for the specified guest ELF image.
- * Return true on success, false on failure.
- */
-void debuginfo_report_elf(const char *name, int fd, uint64_t bias);
-
-/*
- * Take the debuginfo lock.
- */
-void debuginfo_lock(void);
-
-/*
- * Fill each on N Qs with the debuginfo about Q->ADDRESS as specified by
- * Q->FLAGS:
- *
- * - DEBUGINFO_SYMBOL: update Q->SYMBOL and Q->OFFSET. If symbol debuginfo is
- *                     missing, then leave them as is.
- * - DEBUINFO_LINE: update Q->FILE and Q->LINE. If line debuginfo is missing,
- *                  then leave them as is.
- *
- * This function must be called under the debuginfo lock. The results can be
- * accessed only until the debuginfo lock is released.
- */
-void debuginfo_query(struct debuginfo_query *q, size_t n);
-
-/*
- * Release the debuginfo lock.
- */
-void debuginfo_unlock(void);
-#else
-static inline void debuginfo_report_elf(const char *image_name, int image_fd,
-                                        uint64_t load_bias)
-{
-}
-
-static inline void debuginfo_lock(void)
-{
-}
-
-static inline void debuginfo_query(struct debuginfo_query *q, size_t n)
-{
-}
-
-static inline void debuginfo_unlock(void)
-{
-}
-#endif
-
-#endif
--- a/accel/tcg/hmp.c
+++ b/accel/tcg/hmp.c
@@ -0,0 +1,15 @@
+#include "qemu/osdep.h"
+#include "qemu/error-report.h"
+#include "qapi/error.h"
+#include "qapi/qapi-commands-machine.h"
+#include "exec/exec-all.h"
+#include "monitor/monitor.h"
+#include "sysemu/tcg.h"
+
+static void hmp_tcg_register(void)
+{
+    monitor_register_hmp_info_hrt("jit", qmp_x_query_jit);
+    monitor_register_hmp_info_hrt("opcount", qmp_x_query_opcount);
+}
+
+type_init(hmp_tcg_register);
--- a/accel/tcg/internal-common.h
+++ b/accel/tcg/internal-common.h
@@ -1,26 +0,0 @@
-/*
- * Internal execution defines for qemu (target agnostic)
- *
- *  Copyright (c) 2003 Fabrice Bellard
- *
- * SPDX-License-Identifier: LGPL-2.1-or-later
- */
-
-#ifndef ACCEL_TCG_INTERNAL_COMMON_H
-#define ACCEL_TCG_INTERNAL_COMMON_H
-
-#include "exec/translation-block.h"
-
-extern int64_t max_delay;
-extern int64_t max_advance;
-
-/*
- * Return true if CS is not running in parallel with other cpus, either
- * because there are no other cpus or we are within an exclusive context.
- */
-static inline bool cpu_in_serial_context(CPUState *cs)
-{
-    return !(cs->tcg_cflags & CF_PARALLEL) || cpu_in_exclusive_context(cs);
-}
-
-#endif
--- a/accel/tcg/internal-target.h
+++ b/accel/tcg/internal-target.h
@@ -1,132 +0,0 @@
-/*
- * Internal execution defines for qemu (target specific)
- *
- *  Copyright (c) 2003 Fabrice Bellard
- *
- * SPDX-License-Identifier: LGPL-2.1-or-later
- */
-
-#ifndef ACCEL_TCG_INTERNAL_TARGET_H
-#define ACCEL_TCG_INTERNAL_TARGET_H
-
-#include "exec/exec-all.h"
-#include "exec/translate-all.h"
-
-/*
- * Access to the various translations structures need to be serialised
- * via locks for consistency.  In user-mode emulation access to the
- * memory related structures are protected with mmap_lock.
- * In !user-mode we use per-page locks.
- */
-#ifdef CONFIG_USER_ONLY
-#define assert_memory_lock() tcg_debug_assert(have_mmap_lock())
-#else
-#define assert_memory_lock()
-#endif
-
-#if defined(CONFIG_SOFTMMU) && defined(CONFIG_DEBUG_TCG)
-void assert_no_pages_locked(void);
-#else
-static inline void assert_no_pages_locked(void) { }
-#endif
-
-#ifdef CONFIG_USER_ONLY
-static inline void page_table_config_init(void) { }
-#else
-void page_table_config_init(void);
-#endif
-
-#ifdef CONFIG_USER_ONLY
-/*
- * For user-only, page_protect sets the page read-only.
- * Since most execution is already on read-only pages, and we'd need to
- * account for other TBs on the same page, defer undoing any page protection
- * until we receive the write fault.
- */
-static inline void tb_lock_page0(tb_page_addr_t p0)
-{
-    page_protect(p0);
-}
-
-static inline void tb_lock_page1(tb_page_addr_t p0, tb_page_addr_t p1)
-{
-    page_protect(p1);
-}
-
-static inline void tb_unlock_page1(tb_page_addr_t p0, tb_page_addr_t p1) { }
-static inline void tb_unlock_pages(TranslationBlock *tb) { }
-#else
-void tb_lock_page0(tb_page_addr_t);
-void tb_lock_page1(tb_page_addr_t, tb_page_addr_t);
-void tb_unlock_page1(tb_page_addr_t, tb_page_addr_t);
-void tb_unlock_pages(TranslationBlock *);
-#endif
-
-#ifdef CONFIG_SOFTMMU
-void tb_invalidate_phys_range_fast(ram_addr_t ram_addr,
-                                   unsigned size,
-                                   uintptr_t retaddr);
-G_NORETURN void cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
-#endif /* CONFIG_SOFTMMU */
-
-TranslationBlock *tb_gen_code(CPUState *cpu, vaddr pc,
-                              uint64_t cs_base, uint32_t flags,
-                              int cflags);
-void page_init(void);
-void tb_htable_init(void);
-void tb_reset_jump(TranslationBlock *tb, int n);
-TranslationBlock *tb_link_page(TranslationBlock *tb);
-bool tb_invalidate_phys_page_unwind(tb_page_addr_t addr, uintptr_t pc);
-void cpu_restore_state_from_tb(CPUState *cpu, TranslationBlock *tb,
-                               uintptr_t host_pc);
-
-bool tcg_exec_realizefn(CPUState *cpu, Error **errp);
-void tcg_exec_unrealizefn(CPUState *cpu);
-
-/* Return the current PC from CPU, which may be cached in TB. */
-static inline vaddr log_pc(CPUState *cpu, const TranslationBlock *tb)
-{
-    if (tb_cflags(tb) & CF_PCREL) {
-        return cpu->cc->get_pc(cpu);
-    } else {
-        return tb->pc;
-    }
-}
-
-extern bool one_insn_per_tb;
-
-/**
- * tcg_req_mo:
- * @type: TCGBar
- *
- * Filter @type to the barrier that is required for the guest
- * memory ordering vs the host memory ordering.  A non-zero
- * result indicates that some barrier is required.
- *
- * If TCG_GUEST_DEFAULT_MO is not defined, assume that the
- * guest requires strict ordering.
- *
- * This is a macro so that it's constant even without optimization.
- */
-#ifdef TCG_GUEST_DEFAULT_MO
-# define tcg_req_mo(type) \
-    ((type) & TCG_GUEST_DEFAULT_MO & ~TCG_TARGET_DEFAULT_MO)
-#else
-# define tcg_req_mo(type) ((type) & ~TCG_TARGET_DEFAULT_MO)
-#endif
-
-/**
- * cpu_req_mo:
- * @type: TCGBar
- *
- * If tcg_req_mo indicates a barrier for @type is required
- * for the guest memory model, issue a host memory barrier.
- */
-#define cpu_req_mo(type)          \
-    do {                          \
-        if (tcg_req_mo(type)) {   \
-            smp_mb();             \
-        }                         \
-    } while (0)
-
-#endif /* ACCEL_TCG_INTERNAL_H */
--- a/accel/tcg/internal.h
+++ b/accel/tcg/internal.h
@@ -0,0 +1,22 @@
+/*
+ * Internal execution defines for qemu
+ *
+ *  Copyright (c) 2003 Fabrice Bellard
+ *
+ * SPDX-License-Identifier: LGPL-2.1-or-later
+ */
+
+#ifndef ACCEL_TCG_INTERNAL_H
+#define ACCEL_TCG_INTERNAL_H
+
+#include "exec/exec-all.h"
+
+TranslationBlock *tb_gen_code(CPUState *cpu, target_ulong pc,
+                              target_ulong cs_base, uint32_t flags,
+                              int cflags);
+
+void QEMU_NORETURN cpu_io_recompile(CPUState *cpu, uintptr_t retaddr);
+void page_init(void);
+void tb_htable_init(void);
+
+#endif /* ACCEL_TCG_INTERNAL_H */
--- a/accel/tcg/ldst_atomicity.c.inc
+++ b/accel/tcg/ldst_atomicity.c.inc
--- a/accel/tcg/ldst_common.c.inc
+++ b/accel/tcg/ldst_common.c.inc
@@ -8,231 +8,6 @@
 * This work is licensed under the terms of the GNU GPL, version 2 or later.
 * See the COPYING file in the top-level directory.
 */
-/*
- * Load helpers for tcg-ldst.h
- */
-
-tcg_target_ulong helper_ldub_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_8);
-    return do_ld1_mmu(env_cpu(env), addr, oi, retaddr, MMU_DATA_LOAD);
-}
-
-tcg_target_ulong helper_lduw_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_16);
-    return do_ld2_mmu(env_cpu(env), addr, oi, retaddr, MMU_DATA_LOAD);
-}
-
-tcg_target_ulong helper_ldul_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_32);
-    return do_ld4_mmu(env_cpu(env), addr, oi, retaddr, MMU_DATA_LOAD);
-}
-
-uint64_t helper_ldq_mmu(CPUArchState *env, uint64_t addr,
-                        MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_64);
-    return do_ld8_mmu(env_cpu(env), addr, oi, retaddr, MMU_DATA_LOAD);
-}
-
-/*
- * Provide signed versions of the load routines as well.  We can of course
- * avoid this for 64-bit data, or for 32-bit data on 32-bit host.
- */
-
-tcg_target_ulong helper_ldsb_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    return (int8_t)helper_ldub_mmu(env, addr, oi, retaddr);
-}
-
-tcg_target_ulong helper_ldsw_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    return (int16_t)helper_lduw_mmu(env, addr, oi, retaddr);
-}
-
-tcg_target_ulong helper_ldsl_mmu(CPUArchState *env, uint64_t addr,
-                                 MemOpIdx oi, uintptr_t retaddr)
-{
-    return (int32_t)helper_ldul_mmu(env, addr, oi, retaddr);
-}
-
-Int128 helper_ld16_mmu(CPUArchState *env, uint64_t addr,
-                       MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_128);
-    return do_ld16_mmu(env_cpu(env), addr, oi, retaddr);
-}
-
-Int128 helper_ld_i128(CPUArchState *env, uint64_t addr, uint32_t oi)
-{
-    return helper_ld16_mmu(env, addr, oi, GETPC());
-}
-
-/*
- * Store helpers for tcg-ldst.h
- */
-
-void helper_stb_mmu(CPUArchState *env, uint64_t addr, uint32_t val,
-                    MemOpIdx oi, uintptr_t ra)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_8);
-    do_st1_mmu(env_cpu(env), addr, val, oi, ra);
-}
-
-void helper_stw_mmu(CPUArchState *env, uint64_t addr, uint32_t val,
-                    MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_16);
-    do_st2_mmu(env_cpu(env), addr, val, oi, retaddr);
-}
-
-void helper_stl_mmu(CPUArchState *env, uint64_t addr, uint32_t val,
-                    MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_32);
-    do_st4_mmu(env_cpu(env), addr, val, oi, retaddr);
-}
-
-void helper_stq_mmu(CPUArchState *env, uint64_t addr, uint64_t val,
-                    MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_64);
-    do_st8_mmu(env_cpu(env), addr, val, oi, retaddr);
-}
-
-void helper_st16_mmu(CPUArchState *env, uint64_t addr, Int128 val,
-                     MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_128);
-    do_st16_mmu(env_cpu(env), addr, val, oi, retaddr);
-}
-
-void helper_st_i128(CPUArchState *env, uint64_t addr, Int128 val, MemOpIdx oi)
-{
-    helper_st16_mmu(env, addr, val, oi, GETPC());
-}
-
-/*
- * Load helpers for cpu_ldst.h
- */
-
-static void plugin_load_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
-{
-    qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_R);
-}
-
-uint8_t cpu_ldb_mmu(CPUArchState *env, abi_ptr addr, MemOpIdx oi, uintptr_t ra)
-{
-    uint8_t ret;
-
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_UB);
-    ret = do_ld1_mmu(env_cpu(env), addr, oi, ra, MMU_DATA_LOAD);
-    plugin_load_cb(env, addr, oi);
-    return ret;
-}
-
-uint16_t cpu_ldw_mmu(CPUArchState *env, abi_ptr addr,
-                     MemOpIdx oi, uintptr_t ra)
-{
-    uint16_t ret;
-
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_16);
-    ret = do_ld2_mmu(env_cpu(env), addr, oi, ra, MMU_DATA_LOAD);
-    plugin_load_cb(env, addr, oi);
-    return ret;
-}
-
-uint32_t cpu_ldl_mmu(CPUArchState *env, abi_ptr addr,
-                     MemOpIdx oi, uintptr_t ra)
-{
-    uint32_t ret;
-
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_32);
-    ret = do_ld4_mmu(env_cpu(env), addr, oi, ra, MMU_DATA_LOAD);
-    plugin_load_cb(env, addr, oi);
-    return ret;
-}
-
-uint64_t cpu_ldq_mmu(CPUArchState *env, abi_ptr addr,
-                     MemOpIdx oi, uintptr_t ra)
-{
-    uint64_t ret;
-
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_64);
-    ret = do_ld8_mmu(env_cpu(env), addr, oi, ra, MMU_DATA_LOAD);
-    plugin_load_cb(env, addr, oi);
-    return ret;
-}
-
-Int128 cpu_ld16_mmu(CPUArchState *env, abi_ptr addr,
-                    MemOpIdx oi, uintptr_t ra)
-{
-    Int128 ret;
-
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_128);
-    ret = do_ld16_mmu(env_cpu(env), addr, oi, ra);
-    plugin_load_cb(env, addr, oi);
-    return ret;
-}
-
-/*
- * Store helpers for cpu_ldst.h
- */
-
-static void plugin_store_cb(CPUArchState *env, abi_ptr addr, MemOpIdx oi)
-{
-    qemu_plugin_vcpu_mem_cb(env_cpu(env), addr, oi, QEMU_PLUGIN_MEM_W);
-}
-
-void cpu_stb_mmu(CPUArchState *env, abi_ptr addr, uint8_t val,
-                 MemOpIdx oi, uintptr_t retaddr)
-{
-    helper_stb_mmu(env, addr, val, oi, retaddr);
-    plugin_store_cb(env, addr, oi);
-}
-
-void cpu_stw_mmu(CPUArchState *env, abi_ptr addr, uint16_t val,
-                 MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_16);
-    do_st2_mmu(env_cpu(env), addr, val, oi, retaddr);
-    plugin_store_cb(env, addr, oi);
-}
-
-void cpu_stl_mmu(CPUArchState *env, abi_ptr addr, uint32_t val,
-                    MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_32);
-    do_st4_mmu(env_cpu(env), addr, val, oi, retaddr);
-    plugin_store_cb(env, addr, oi);
-}
-
-void cpu_stq_mmu(CPUArchState *env, abi_ptr addr, uint64_t val,
-                 MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_64);
-    do_st8_mmu(env_cpu(env), addr, val, oi, retaddr);
-    plugin_store_cb(env, addr, oi);
-}
-
-void cpu_st16_mmu(CPUArchState *env, abi_ptr addr, Int128 val,
-                  MemOpIdx oi, uintptr_t retaddr)
-{
-    tcg_debug_assert((get_memop(oi) & MO_SIZE) == MO_128);
-    do_st16_mmu(env_cpu(env), addr, val, oi, retaddr);
-    plugin_store_cb(env, addr, oi);
-}
-
-/*
- * Wrappers of the above
- */

 uint32_t cpu_ldub_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                            int mmu_idx, uintptr_t ra)
@@ -251,7 +26,7 @@ uint32_t cpu_lduw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                               int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_BEUW | MO_UNALN, mmu_idx);
-    return cpu_ldw_mmu(env, addr, oi, ra);
+    return cpu_ldw_be_mmu(env, addr, oi, ra);
 }

 int cpu_ldsw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
@@ -264,21 +39,21 @@ uint32_t cpu_ldl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                              int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_BEUL | MO_UNALN, mmu_idx);
-    return cpu_ldl_mmu(env, addr, oi, ra);
+    return cpu_ldl_be_mmu(env, addr, oi, ra);
 }

 uint64_t cpu_ldq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                              int mmu_idx, uintptr_t ra)
 {
-    MemOpIdx oi = make_memop_idx(MO_BEUQ | MO_UNALN, mmu_idx);
-    return cpu_ldq_mmu(env, addr, oi, ra);
+    MemOpIdx oi = make_memop_idx(MO_BEQ | MO_UNALN, mmu_idx);
+    return cpu_ldq_be_mmu(env, addr, oi, ra);
 }

 uint32_t cpu_lduw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                               int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_LEUW | MO_UNALN, mmu_idx);
-    return cpu_ldw_mmu(env, addr, oi, ra);
+    return cpu_ldw_le_mmu(env, addr, oi, ra);
 }

 int cpu_ldsw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
@@ -291,14 +66,14 @@ uint32_t cpu_ldl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                              int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_LEUL | MO_UNALN, mmu_idx);
-    return cpu_ldl_mmu(env, addr, oi, ra);
+    return cpu_ldl_le_mmu(env, addr, oi, ra);
 }

 uint64_t cpu_ldq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr,
                              int mmu_idx, uintptr_t ra)
 {
-    MemOpIdx oi = make_memop_idx(MO_LEUQ | MO_UNALN, mmu_idx);
-    return cpu_ldq_mmu(env, addr, oi, ra);
+    MemOpIdx oi = make_memop_idx(MO_LEQ | MO_UNALN, mmu_idx);
+    return cpu_ldq_le_mmu(env, addr, oi, ra);
 }

 void cpu_stb_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
@@ -312,42 +87,42 @@ void cpu_stw_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                          int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_BEUW | MO_UNALN, mmu_idx);
-    cpu_stw_mmu(env, addr, val, oi, ra);
+    cpu_stw_be_mmu(env, addr, val, oi, ra);
 }

 void cpu_stl_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                          int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_BEUL | MO_UNALN, mmu_idx);
-    cpu_stl_mmu(env, addr, val, oi, ra);
+    cpu_stl_be_mmu(env, addr, val, oi, ra);
 }

 void cpu_stq_be_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
                          int mmu_idx, uintptr_t ra)
 {
-    MemOpIdx oi = make_memop_idx(MO_BEUQ | MO_UNALN, mmu_idx);
-    cpu_stq_mmu(env, addr, val, oi, ra);
+    MemOpIdx oi = make_memop_idx(MO_BEQ | MO_UNALN, mmu_idx);
+    cpu_stq_be_mmu(env, addr, val, oi, ra);
 }

 void cpu_stw_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                          int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_LEUW | MO_UNALN, mmu_idx);
-    cpu_stw_mmu(env, addr, val, oi, ra);
+    cpu_stw_le_mmu(env, addr, val, oi, ra);
 }

 void cpu_stl_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint32_t val,
                          int mmu_idx, uintptr_t ra)
 {
    MemOpIdx oi = make_memop_idx(MO_LEUL | MO_UNALN, mmu_idx);
-    cpu_stl_mmu(env, addr, val, oi, ra);
+    cpu_stl_le_mmu(env, addr, val, oi, ra);
 }

 void cpu_stq_le_mmuidx_ra(CPUArchState *env, abi_ptr addr, uint64_t val,
                          int mmu_idx, uintptr_t ra)
 {
-    MemOpIdx oi = make_memop_idx(MO_LEUQ | MO_UNALN, mmu_idx);
-    cpu_stq_mmu(env, addr, val, oi, ra);
+    MemOpIdx oi = make_memop_idx(MO_LEQ | MO_UNALN, mmu_idx);
+    cpu_stq_le_mmu(env, addr, val, oi, ra);
 }

 /*--------------------------*/
--- a/accel/tcg/meson.build
+++ b/accel/tcg/meson.build
@@ -1,35 +1,24 @@
 tcg_ss = ss.source_set()
-common_ss.add(when: 'CONFIG_TCG', if_true: files(
-  'cpu-exec-common.c',
-))
 tcg_ss.add(files(
  'tcg-all.c',
+  'cpu-exec-common.c',
  'cpu-exec.c',
-  'tb-maint.c',
  'tcg-runtime-gvec.c',
  'tcg-runtime.c',
  'translate-all.c',
  'translator.c',
 ))
 tcg_ss.add(when: 'CONFIG_USER_ONLY', if_true: files('user-exec.c'))
-tcg_ss.add(when: 'CONFIG_SYSTEM_ONLY', if_false: files('user-exec-stub.c'))
-if get_option('plugins')
-  tcg_ss.add(files('plugin-gen.c'))
-endif
-tcg_ss.add(when: libdw, if_true: files('debuginfo.c'))
-tcg_ss.add(when: 'CONFIG_LINUX', if_true: files('perf.c'))
+tcg_ss.add(when: 'CONFIG_SOFTMMU', if_false: files('user-exec-stub.c'))
+tcg_ss.add(when: 'CONFIG_PLUGIN', if_true: [files('plugin-gen.c')])
 specific_ss.add_all(when: 'CONFIG_TCG', if_true: tcg_ss)

-specific_ss.add(when: ['CONFIG_SYSTEM_ONLY', 'CONFIG_TCG'], if_true: files(
+specific_ss.add(when: ['CONFIG_SOFTMMU', 'CONFIG_TCG'], if_true: files(
  'cputlb.c',
+  'hmp.c',
 ))

-system_ss.add(when: ['CONFIG_TCG'], if_true: files(
-  'icount-common.c',
-  'monitor.c',
-))
-
-tcg_module_ss.add(when: ['CONFIG_SYSTEM_ONLY', 'CONFIG_TCG'], if_true: files(
+tcg_module_ss.add(when: ['CONFIG_SOFTMMU', 'CONFIG_TCG'], if_true: files(
  'tcg-accel-ops.c',
  'tcg-accel-ops-mttcg.c',
  'tcg-accel-ops-icount.c',
--- a/accel/tcg/monitor.c
+++ b/accel/tcg/monitor.c
@@ -1,244 +0,0 @@
-/*
- * SPDX-License-Identifier: LGPL-2.1-or-later
- *
- *  QEMU TCG monitor
- *
- *  Copyright (c) 2003-2005 Fabrice Bellard
- */
-
-#include "qemu/osdep.h"
-#include "qemu/accel.h"
-#include "qemu/qht.h"
-#include "qapi/error.h"
-#include "qapi/type-helpers.h"
-#include "qapi/qapi-commands-machine.h"
-#include "monitor/monitor.h"
-#include "sysemu/cpus.h"
-#include "sysemu/cpu-timers.h"
-#include "sysemu/tcg.h"
-#include "tcg/tcg.h"
-#include "internal-common.h"
-#include "tb-context.h"
-
-
-static void dump_drift_info(GString *buf)
-{
-    if (!icount_enabled()) {
-        return;
-    }
-
-    g_string_append_printf(buf, "Host - Guest clock  %"PRIi64" ms\n",
-                           (cpu_get_clock() - icount_get()) / SCALE_MS);
-    if (icount_align_option) {
-        g_string_append_printf(buf, "Max guest delay     %"PRIi64" ms\n",
-                               -max_delay / SCALE_MS);
-        g_string_append_printf(buf, "Max guest advance   %"PRIi64" ms\n",
-                               max_advance / SCALE_MS);
-    } else {
-        g_string_append_printf(buf, "Max guest delay     NA\n");
-        g_string_append_printf(buf, "Max guest advance   NA\n");
-    }
-}
-
-static void dump_accel_info(GString *buf)
-{
-    AccelState *accel = current_accel();
-    bool one_insn_per_tb = object_property_get_bool(OBJECT(accel),
-                                                    "one-insn-per-tb",
-                                                    &error_fatal);
-
-    g_string_append_printf(buf, "Accelerator settings:\n");
-    g_string_append_printf(buf, "one-insn-per-tb: %s\n\n",
-                           one_insn_per_tb ? "on" : "off");
-}
-
-static void print_qht_statistics(struct qht_stats hst, GString *buf)
-{
-    uint32_t hgram_opts;
-    size_t hgram_bins;
-    char *hgram;
-
-    if (!hst.head_buckets) {
-        return;
-    }
-    g_string_append_printf(buf, "TB hash buckets     %zu/%zu "
-                           "(%0.2f%% head buckets used)\n",
-                           hst.used_head_buckets, hst.head_buckets,
-                           (double)hst.used_head_buckets /
-                           hst.head_buckets * 100);
-
-    hgram_opts =  QDIST_PR_BORDER | QDIST_PR_LABELS;
-    hgram_opts |= QDIST_PR_100X   | QDIST_PR_PERCENT;
-    if (qdist_xmax(&hst.occupancy) - qdist_xmin(&hst.occupancy) == 1) {
-        hgram_opts |= QDIST_PR_NODECIMAL;
-    }
-    hgram = qdist_pr(&hst.occupancy, 10, hgram_opts);
-    g_string_append_printf(buf, "TB hash occupancy   %0.2f%% avg chain occ. "
-                           "Histogram: %s\n",
-                           qdist_avg(&hst.occupancy) * 100, hgram);
-    g_free(hgram);
-
-    hgram_opts = QDIST_PR_BORDER | QDIST_PR_LABELS;
-    hgram_bins = qdist_xmax(&hst.chain) - qdist_xmin(&hst.chain);
-    if (hgram_bins > 10) {
-        hgram_bins = 10;
-    } else {
-        hgram_bins = 0;
-        hgram_opts |= QDIST_PR_NODECIMAL | QDIST_PR_NOBINRANGE;
-    }
-    hgram = qdist_pr(&hst.chain, hgram_bins, hgram_opts);
-    g_string_append_printf(buf, "TB hash avg chain   %0.3f buckets. "
-                           "Histogram: %s\n",
-                           qdist_avg(&hst.chain), hgram);
-    g_free(hgram);
-}
-
-struct tb_tree_stats {
-    size_t nb_tbs;
-    size_t host_size;
-    size_t target_size;
-    size_t max_target_size;
-    size_t direct_jmp_count;
-    size_t direct_jmp2_count;
-    size_t cross_page;
-};
-
-static gboolean tb_tree_stats_iter(gpointer key, gpointer value, gpointer data)
-{
-    const TranslationBlock *tb = value;
-    struct tb_tree_stats *tst = data;
-
-    tst->nb_tbs++;
-    tst->host_size += tb->tc.size;
-    tst->target_size += tb->size;
-    if (tb->size > tst->max_target_size) {
-        tst->max_target_size = tb->size;
-    }
-    if (tb->page_addr[1] != -1) {
-        tst->cross_page++;
-    }
-    if (tb->jmp_reset_offset[0] != TB_JMP_OFFSET_INVALID) {
-        tst->direct_jmp_count++;
-        if (tb->jmp_reset_offset[1] != TB_JMP_OFFSET_INVALID) {
-            tst->direct_jmp2_count++;
-        }
-    }
-    return false;
-}
-
-static void tlb_flush_counts(size_t *pfull, size_t *ppart, size_t *pelide)
-{
-    CPUState *cpu;
-    size_t full = 0, part = 0, elide = 0;
-
-    CPU_FOREACH(cpu) {
-        full += qatomic_read(&cpu->neg.tlb.c.full_flush_count);
-        part += qatomic_read(&cpu->neg.tlb.c.part_flush_count);
-        elide += qatomic_read(&cpu->neg.tlb.c.elide_flush_count);
-    }
-    *pfull = full;
-    *ppart = part;
-    *pelide = elide;
-}
-
-static void tcg_dump_info(GString *buf)
-{
-    g_string_append_printf(buf, "[TCG profiler not compiled]\n");
-}
-
-static void dump_exec_info(GString *buf)
-{
-    struct tb_tree_stats tst = {};
-    struct qht_stats hst;
-    size_t nb_tbs, flush_full, flush_part, flush_elide;
-
-    tcg_tb_foreach(tb_tree_stats_iter, &tst);
-    nb_tbs = tst.nb_tbs;
-    /* XXX: avoid using doubles ? */
-    g_string_append_printf(buf, "Translation buffer state:\n");
-    /*
-     * Report total code size including the padding and TB structs;
-     * otherwise users might think "-accel tcg,tb-size" is not honoured.
-     * For avg host size we use the precise numbers from tb_tree_stats though.
-     */
-    g_string_append_printf(buf, "gen code size       %zu/%zu\n",
-                           tcg_code_size(), tcg_code_capacity());
-    g_string_append_printf(buf, "TB count            %zu\n", nb_tbs);
-    g_string_append_printf(buf, "TB avg target size  %zu max=%zu bytes\n",
-                           nb_tbs ? tst.target_size / nb_tbs : 0,
-                           tst.max_target_size);
-    g_string_append_printf(buf, "TB avg host size    %zu bytes "
-                           "(expansion ratio: %0.1f)\n",
-                           nb_tbs ? tst.host_size / nb_tbs : 0,
-                           tst.target_size ?
-                           (double)tst.host_size / tst.target_size : 0);
-    g_string_append_printf(buf, "cross page TB count %zu (%zu%%)\n",
-                           tst.cross_page,
-                           nb_tbs ? (tst.cross_page * 100) / nb_tbs : 0);
-    g_string_append_printf(buf, "direct jump count   %zu (%zu%%) "
-                           "(2 jumps=%zu %zu%%)\n",
-                           tst.direct_jmp_count,
-                           nb_tbs ? (tst.direct_jmp_count * 100) / nb_tbs : 0,
-                           tst.direct_jmp2_count,
-                           nb_tbs ? (tst.direct_jmp2_count * 100) / nb_tbs : 0);
-
-    qht_statistics_init(&tb_ctx.htable, &hst);
-    print_qht_statistics(hst, buf);
-    qht_statistics_destroy(&hst);
-
-    g_string_append_printf(buf, "\nStatistics:\n");
-    g_string_append_printf(buf, "TB flush count      %u\n",
-                           qatomic_read(&tb_ctx.tb_flush_count));
-    g_string_append_printf(buf, "TB invalidate count %u\n",
-                           qatomic_read(&tb_ctx.tb_phys_invalidate_count));
-
-    tlb_flush_counts(&flush_full, &flush_part, &flush_elide);
-    g_string_append_printf(buf, "TLB full flushes    %zu\n", flush_full);
-    g_string_append_printf(buf, "TLB partial flushes %zu\n", flush_part);
-    g_string_append_printf(buf, "TLB elided flushes  %zu\n", flush_elide);
-    tcg_dump_info(buf);
-}
-
-HumanReadableText *qmp_x_query_jit(Error **errp)
-{
-    g_autoptr(GString) buf = g_string_new("");
-
-    if (!tcg_enabled()) {
-        error_setg(errp, "JIT information is only available with accel=tcg");
-        return NULL;
-    }
-
-    dump_accel_info(buf);
-    dump_exec_info(buf);
-    dump_drift_info(buf);
-
-    return human_readable_text_from_str(buf);
-}
-
-static void tcg_dump_op_count(GString *buf)
-{
-    g_string_append_printf(buf, "[TCG profiler not compiled]\n");
-}
-
-HumanReadableText *qmp_x_query_opcount(Error **errp)
-{
-    g_autoptr(GString) buf = g_string_new("");
-
-    if (!tcg_enabled()) {
-        error_setg(errp,
-                   "Opcode count information is only available with accel=tcg");
-        return NULL;
-    }
-
-    tcg_dump_op_count(buf);
-
-    return human_readable_text_from_str(buf);
-}
-
-static void hmp_tcg_register(void)
-{
-    monitor_register_hmp_info_hrt("jit", qmp_x_query_jit);
-    monitor_register_hmp_info_hrt("opcount", qmp_x_query_opcount);
-}
-
-type_init(hmp_tcg_register);
--- a/accel/tcg/perf.c
+++ b/accel/tcg/perf.c
@@ -1,386 +0,0 @@
-/*
- * Linux perf perf-<pid>.map and jit-<pid>.dump integration.
- *
- * The jitdump spec can be found at [1].
- *
- * [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/plain/tools/perf/Documentation/jitdump-specification.txt
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#include "qemu/osdep.h"
-#include "elf.h"
-#include "exec/exec-all.h"
-#include "qemu/timer.h"
-#include "tcg/tcg.h"
-
-#include "debuginfo.h"
-#include "perf.h"
-
-static FILE *safe_fopen_w(const char *path)
-{
-    int saved_errno;
-    FILE *f;
-    int fd;
-
-    /* Delete the old file, if any. */
-    unlink(path);
-
-    /* Avoid symlink attacks by using O_CREAT | O_EXCL. */
-    fd = open(path, O_RDWR | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
-    if (fd == -1) {
-        return NULL;
-    }
-
-    /* Convert fd to FILE*. */
-    f = fdopen(fd, "w");
-    if (f == NULL) {
-        saved_errno = errno;
-        close(fd);
-        errno = saved_errno;
-        return NULL;
-    }
-
-    return f;
-}
-
-static FILE *perfmap;
-
-void perf_enable_perfmap(void)
-{
-    char map_file[32];
-
-    snprintf(map_file, sizeof(map_file), "/tmp/perf-%d.map", getpid());
-    perfmap = safe_fopen_w(map_file);
-    if (perfmap == NULL) {
-        warn_report("Could not open %s: %s, proceeding without perfmap",
-                    map_file, strerror(errno));
-    }
-}
-
-/* Get PC and size of code JITed for guest instruction #INSN. */
-static void get_host_pc_size(uintptr_t *host_pc, uint16_t *host_size,
-                             const void *start, size_t insn)
-{
-    uint16_t start_off = insn ? tcg_ctx->gen_insn_end_off[insn - 1] : 0;
-
-    if (host_pc) {
-        *host_pc = (uintptr_t)start + start_off;
-    }
-    if (host_size) {
-        *host_size = tcg_ctx->gen_insn_end_off[insn] - start_off;
-    }
-}
-
-static const char *pretty_symbol(const struct debuginfo_query *q, size_t *len)
-{
-    static __thread char buf[64];
-    int tmp;
-
-    if (!q->symbol) {
-        tmp = snprintf(buf, sizeof(buf), "guest-0x%"PRIx64, q->address);
-        if (len) {
-            *len = MIN(tmp + 1, sizeof(buf));
-        }
-        return buf;
-    }
-
-    if (!q->offset) {
-        if (len) {
-            *len = strlen(q->symbol) + 1;
-        }
-        return q->symbol;
-    }
-
-    tmp = snprintf(buf, sizeof(buf), "%s+0x%"PRIx64, q->symbol, q->offset);
-    if (len) {
-        *len = MIN(tmp + 1, sizeof(buf));
-    }
-    return buf;
-}
-
-static void write_perfmap_entry(const void *start, size_t insn,
-                                const struct debuginfo_query *q)
-{
-    uint16_t host_size;
-    uintptr_t host_pc;
-
-    get_host_pc_size(&host_pc, &host_size, start, insn);
-    fprintf(perfmap, "%"PRIxPTR" %"PRIx16" %s\n",
-            host_pc, host_size, pretty_symbol(q, NULL));
-}
-
-static FILE *jitdump;
-static size_t perf_marker_size;
-static void *perf_marker = MAP_FAILED;
-
-#define JITHEADER_MAGIC 0x4A695444
-#define JITHEADER_VERSION 1
-
-struct jitheader {
-    uint32_t magic;
-    uint32_t version;
-    uint32_t total_size;
-    uint32_t elf_mach;
-    uint32_t pad1;
-    uint32_t pid;
-    uint64_t timestamp;
-    uint64_t flags;
-};
-
-enum jit_record_type {
-    JIT_CODE_LOAD = 0,
-    JIT_CODE_DEBUG_INFO = 2,
-};
-
-struct jr_prefix {
-    uint32_t id;
-    uint32_t total_size;
-    uint64_t timestamp;
-};
-
-struct jr_code_load {
-    struct jr_prefix p;
-
-    uint32_t pid;
-    uint32_t tid;
-    uint64_t vma;
-    uint64_t code_addr;
-    uint64_t code_size;
-    uint64_t code_index;
-};
-
-struct debug_entry {
-    uint64_t addr;
-    int lineno;
-    int discrim;
-    const char name[];
-};
-
-struct jr_code_debug_info {
-    struct jr_prefix p;
-
-    uint64_t code_addr;
-    uint64_t nr_entry;
-    struct debug_entry entries[];
-};
-
-static uint32_t get_e_machine(void)
-{
-    Elf64_Ehdr elf_header;
-    FILE *exe;
-    size_t n;
-
-    QEMU_BUILD_BUG_ON(offsetof(Elf32_Ehdr, e_machine) !=
-                      offsetof(Elf64_Ehdr, e_machine));
-
-    exe = fopen("/proc/self/exe", "r");
-    if (exe == NULL) {
-        return EM_NONE;
-    }
-
-    n = fread(&elf_header, sizeof(elf_header), 1, exe);
-    fclose(exe);
-    if (n != 1) {
-        return EM_NONE;
-    }
-
-    return elf_header.e_machine;
-}
-
-void perf_enable_jitdump(void)
-{
-    struct jitheader header;
-    char jitdump_file[32];
-
-    if (!use_rt_clock) {
-        warn_report("CLOCK_MONOTONIC is not available, proceeding without jitdump");
-        return;
-    }
-
-    snprintf(jitdump_file, sizeof(jitdump_file), "jit-%d.dump", getpid());
-    jitdump = safe_fopen_w(jitdump_file);
-    if (jitdump == NULL) {
-        warn_report("Could not open %s: %s, proceeding without jitdump",
-                    jitdump_file, strerror(errno));
-        return;
-    }
-
-    /*
-     * `perf inject` will see that the mapped file name in the corresponding
-     * PERF_RECORD_MMAP or PERF_RECORD_MMAP2 event is of the form jit-%d.dump
-     * and will process it as a jitdump file.
-     */
-    perf_marker_size = qemu_real_host_page_size();
-    perf_marker = mmap(NULL, perf_marker_size, PROT_READ | PROT_EXEC,
-                       MAP_PRIVATE, fileno(jitdump), 0);
-    if (perf_marker == MAP_FAILED) {
-        warn_report("Could not map %s: %s, proceeding without jitdump",
-                    jitdump_file, strerror(errno));
-        fclose(jitdump);
-        jitdump = NULL;
-        return;
-    }
-
-    header.magic = JITHEADER_MAGIC;
-    header.version = JITHEADER_VERSION;
-    header.total_size = sizeof(header);
-    header.elf_mach = get_e_machine();
-    header.pad1 = 0;
-    header.pid = getpid();
-    header.timestamp = get_clock();
-    header.flags = 0;
-    fwrite(&header, sizeof(header), 1, jitdump);
-}
-
-void perf_report_prologue(const void *start, size_t size)
-{
-    if (perfmap) {
-        fprintf(perfmap, "%"PRIxPTR" %zx tcg-prologue-buffer\n",
-                (uintptr_t)start, size);
-    }
-}
-
-/* Write a JIT_CODE_DEBUG_INFO jitdump entry. */
-static void write_jr_code_debug_info(const void *start,
-                                     const struct debuginfo_query *q,
-                                     size_t icount)
-{
-    struct jr_code_debug_info rec;
-    struct debug_entry ent;
-    uintptr_t host_pc;
-    int insn;
-
-    /* Write the header. */
-    rec.p.id = JIT_CODE_DEBUG_INFO;
-    rec.p.total_size = sizeof(rec) + sizeof(ent) + 1;
-    rec.p.timestamp = get_clock();
-    rec.code_addr = (uintptr_t)start;
-    rec.nr_entry = 1;
-    for (insn = 0; insn < icount; insn++) {
-        if (q[insn].file) {
-            rec.p.total_size += sizeof(ent) + strlen(q[insn].file) + 1;
-            rec.nr_entry++;
-        }
-    }
-    fwrite(&rec, sizeof(rec), 1, jitdump);
-
-    /* Write the main debug entries. */
-    for (insn = 0; insn < icount; insn++) {
-        if (q[insn].file) {
-            get_host_pc_size(&host_pc, NULL, start, insn);
-            ent.addr = host_pc;
-            ent.lineno = q[insn].line;
-            ent.discrim = 0;
-            fwrite(&ent, sizeof(ent), 1, jitdump);
-            fwrite(q[insn].file, strlen(q[insn].file) + 1, 1, jitdump);
-        }
-    }
-
-    /* Write the trailing debug_entry. */
-    ent.addr = (uintptr_t)start + tcg_ctx->gen_insn_end_off[icount - 1];
-    ent.lineno = 0;
-    ent.discrim = 0;
-    fwrite(&ent, sizeof(ent), 1, jitdump);
-    fwrite("", 1, 1, jitdump);
-}
-
-/* Write a JIT_CODE_LOAD jitdump entry. */
-static void write_jr_code_load(const void *start, uint16_t host_size,
-                               const struct debuginfo_query *q)
-{
-    static uint64_t code_index;
-    struct jr_code_load rec;
-    const char *symbol;
-    size_t symbol_size;
-
-    symbol = pretty_symbol(q, &symbol_size);
-    rec.p.id = JIT_CODE_LOAD;
-    rec.p.total_size = sizeof(rec) + symbol_size + host_size;
-    rec.p.timestamp = get_clock();
-    rec.pid = getpid();
-    rec.tid = qemu_get_thread_id();
-    rec.vma = (uintptr_t)start;
-    rec.code_addr = (uintptr_t)start;
-    rec.code_size = host_size;
-    rec.code_index = code_index++;
-    fwrite(&rec, sizeof(rec), 1, jitdump);
-    fwrite(symbol, symbol_size, 1, jitdump);
-    fwrite(start, host_size, 1, jitdump);
-}
-
-void perf_report_code(uint64_t guest_pc, TranslationBlock *tb,
-                      const void *start)
-{
-    struct debuginfo_query *q;
-    size_t insn, start_words;
-    uint64_t *gen_insn_data;
-
-    if (!perfmap && !jitdump) {
-        return;
-    }
-
-    q = g_try_malloc0_n(tb->icount, sizeof(*q));
-    if (!q) {
-        return;
-    }
-
-    debuginfo_lock();
-
-    /* Query debuginfo for each guest instruction. */
-    gen_insn_data = tcg_ctx->gen_insn_data;
-    start_words = tcg_ctx->insn_start_words;
-
-    for (insn = 0; insn < tb->icount; insn++) {
-        /* FIXME: This replicates the restore_state_to_opc() logic. */
-        q[insn].address = gen_insn_data[insn * start_words + 0];
-        if (tb_cflags(tb) & CF_PCREL) {
-            q[insn].address |= (guest_pc & TARGET_PAGE_MASK);
-        } else {
-#if defined(TARGET_I386)
-            q[insn].address -= tb->cs_base;
-#endif
-        }
-        q[insn].flags = DEBUGINFO_SYMBOL | (jitdump ? DEBUGINFO_LINE : 0);
-    }
-    debuginfo_query(q, tb->icount);
-
-    /* Emit perfmap entries if needed. */
-    if (perfmap) {
-        flockfile(perfmap);
-        for (insn = 0; insn < tb->icount; insn++) {
-            write_perfmap_entry(start, insn, &q[insn]);
-        }
-        funlockfile(perfmap);
-    }
-
-    /* Emit jitdump entries if needed. */
-    if (jitdump) {
-        flockfile(jitdump);
-        write_jr_code_debug_info(start, q, tb->icount);
-        write_jr_code_load(start, tcg_ctx->gen_insn_end_off[tb->icount - 1],
-                           q);
-        funlockfile(jitdump);
-    }
-
-    debuginfo_unlock();
-    g_free(q);
-}
-
-void perf_exit(void)
-{
-    if (perfmap) {
-        fclose(perfmap);
-        perfmap = NULL;
-    }
-
-    if (perf_marker != MAP_FAILED) {
-        munmap(perf_marker, perf_marker_size);
-        perf_marker = MAP_FAILED;
-    }
-
-    if (jitdump) {
-        fclose(jitdump);
-        jitdump = NULL;
-    }
-}
--- a/accel/tcg/perf.h
+++ b/accel/tcg/perf.h
@@ -1,49 +0,0 @@
-/*
- * Linux perf perf-<pid>.map and jit-<pid>.dump integration.
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#ifndef ACCEL_TCG_PERF_H
-#define ACCEL_TCG_PERF_H
-
-#if defined(CONFIG_TCG) && defined(CONFIG_LINUX)
-/* Start writing perf-<pid>.map. */
-void perf_enable_perfmap(void);
-
-/* Start writing jit-<pid>.dump. */
-void perf_enable_jitdump(void);
-
-/* Add information about TCG prologue to profiler maps. */
-void perf_report_prologue(const void *start, size_t size);
-
-/* Add information about JITted guest code to profiler maps. */
-void perf_report_code(uint64_t guest_pc, TranslationBlock *tb,
-                      const void *start);
-
-/* Stop writing perf-<pid>.map and/or jit-<pid>.dump. */
-void perf_exit(void);
-#else
-static inline void perf_enable_perfmap(void)
-{
-}
-
-static inline void perf_enable_jitdump(void)
-{
-}
-
-static inline void perf_report_prologue(const void *start, size_t size)
-{
-}
-
-static inline void perf_report_code(uint64_t guest_pc, TranslationBlock *tb,
-                                    const void *start)
-{
-}
-
-static inline void perf_exit(void)
-{
-}
-#endif
-
-#endif
--- a/accel/tcg/plugin-gen.c
+++ b/accel/tcg/plugin-gen.c
@@ -43,18 +43,11 @@
 * CPU's index into a TCG temp, since the first callback did it already.
 */
 #include "qemu/osdep.h"
-#include "cpu.h"
 #include "tcg/tcg.h"
-#include "tcg/tcg-temp-internal.h"
 #include "tcg/tcg-op.h"
 #include "exec/exec-all.h"
 #include "exec/plugin-gen.h"
 #include "exec/translator.h"
-#include "exec/helper-proto-common.h"
-
-#define HELPER_H  "accel/tcg/plugin-helpers.h"
-#include "exec/helper-info.c.inc"
-#undef  HELPER_H

 #ifdef CONFIG_SOFTMMU
 # define CONFIG_SOFTMMU_GATE 1
@@ -98,13 +91,31 @@ void HELPER(plugin_vcpu_mem_cb)(unsigned int vcpu_index,
                                void *userdata)
 { }

+static void do_gen_mem_cb(TCGv vaddr, uint32_t info)
+{
+    TCGv_i32 cpu_index = tcg_temp_new_i32();
+    TCGv_i32 meminfo = tcg_const_i32(info);
+    TCGv_i64 vaddr64 = tcg_temp_new_i64();
+    TCGv_ptr udata = tcg_const_ptr(NULL);
+
+    tcg_gen_ld_i32(cpu_index, cpu_env,
+                   -offsetof(ArchCPU, env) + offsetof(CPUState, cpu_index));
+    tcg_gen_extu_tl_i64(vaddr64, vaddr);
+
+    gen_helper_plugin_vcpu_mem_cb(cpu_index, meminfo, vaddr64, udata);
+
+    tcg_temp_free_ptr(udata);
+    tcg_temp_free_i64(vaddr64);
+    tcg_temp_free_i32(meminfo);
+    tcg_temp_free_i32(cpu_index);
+}
+
 static void gen_empty_udata_cb(void)
 {
-    TCGv_i32 cpu_index = tcg_temp_ebb_new_i32();
-    TCGv_ptr udata = tcg_temp_ebb_new_ptr();
+    TCGv_i32 cpu_index = tcg_temp_new_i32();
+    TCGv_ptr udata = tcg_const_ptr(NULL); /* will be overwritten later */

-    tcg_gen_movi_ptr(udata, 0);
-    tcg_gen_ld_i32(cpu_index, tcg_env,
+    tcg_gen_ld_i32(cpu_index, cpu_env,
                   -offsetof(ArchCPU, env) + offsetof(CPUState, cpu_index));
    gen_helper_plugin_vcpu_udata_cb(cpu_index, udata);

@@ -118,10 +129,9 @@ static void gen_empty_udata_cb(void)
 */
 static void gen_empty_inline_cb(void)
 {
-    TCGv_i64 val = tcg_temp_ebb_new_i64();
-    TCGv_ptr ptr = tcg_temp_ebb_new_ptr();
+    TCGv_i64 val = tcg_temp_new_i64();
+    TCGv_ptr ptr = tcg_const_ptr(NULL); /* overwritten later */

-    tcg_gen_movi_ptr(ptr, 0);
    tcg_gen_ld_i64(val, ptr, 0);
    /* pass an immediate != 0 so that it doesn't get optimized away */
    tcg_gen_addi_i64(val, val, 0xdeadface);
@@ -130,22 +140,9 @@ static void gen_empty_inline_cb(void)
    tcg_temp_free_i64(val);
 }

-static void gen_empty_mem_cb(TCGv_i64 addr, uint32_t info)
+static void gen_empty_mem_cb(TCGv addr, uint32_t info)
 {
-    TCGv_i32 cpu_index = tcg_temp_ebb_new_i32();
-    TCGv_i32 meminfo = tcg_temp_ebb_new_i32();
-    TCGv_ptr udata = tcg_temp_ebb_new_ptr();
-
-    tcg_gen_movi_i32(meminfo, info);
-    tcg_gen_movi_ptr(udata, 0);
-    tcg_gen_ld_i32(cpu_index, tcg_env,
-                   -offsetof(ArchCPU, env) + offsetof(CPUState, cpu_index));
-
-    gen_helper_plugin_vcpu_mem_cb(cpu_index, meminfo, addr, udata);
-
-    tcg_temp_free_ptr(udata);
-    tcg_temp_free_i32(meminfo);
-    tcg_temp_free_i32(cpu_index);
+    do_gen_mem_cb(addr, info);
 }

 /*
@@ -154,10 +151,10 @@ static void gen_empty_mem_cb(TCGv_i64 addr, uint32_t info)
 */
 static void gen_empty_mem_helper(void)
 {
-    TCGv_ptr ptr = tcg_temp_ebb_new_ptr();
+    TCGv_ptr ptr;

-    tcg_gen_movi_ptr(ptr, 0);
-    tcg_gen_st_ptr(ptr, tcg_env, offsetof(CPUState, plugin_mem_cbs) -
+    ptr = tcg_const_ptr(NULL);
+    tcg_gen_st_ptr(ptr, cpu_env, offsetof(CPUState, plugin_mem_cbs) -
                                 offsetof(ArchCPU, env));
    tcg_temp_free_ptr(ptr);
 }
@@ -200,17 +197,35 @@ static void plugin_gen_empty_callback(enum plugin_gen_from from)
    }
 }

-void plugin_gen_empty_mem_callback(TCGv_i64 addr, uint32_t info)
+union mem_gen_fn {
+    void (*mem_fn)(TCGv, uint32_t);
+    void (*inline_fn)(void);
+};
+
+static void gen_mem_wrapped(enum plugin_gen_cb type,
+                            const union mem_gen_fn *f, TCGv addr,
+                            uint32_t info, bool is_mem)
 {
    enum qemu_plugin_mem_rw rw = get_plugin_meminfo_rw(info);

-    gen_plugin_cb_start(PLUGIN_GEN_FROM_MEM, PLUGIN_GEN_CB_MEM, rw);
-    gen_empty_mem_cb(addr, info);
+    gen_plugin_cb_start(PLUGIN_GEN_FROM_MEM, type, rw);
+    if (is_mem) {
+        f->mem_fn(addr, info);
+    } else {
+        f->inline_fn();
+    }
    tcg_gen_plugin_cb_end();
+}

-    gen_plugin_cb_start(PLUGIN_GEN_FROM_MEM, PLUGIN_GEN_CB_INLINE, rw);
-    gen_empty_inline_cb();
-    tcg_gen_plugin_cb_end();
+void plugin_gen_empty_mem_callback(TCGv addr, uint32_t info)
+{
+    union mem_gen_fn fn;
+
+    fn.mem_fn = gen_empty_mem_cb;
+    gen_mem_wrapped(PLUGIN_GEN_CB_MEM, &fn, addr, info, true);
+
+    fn.inline_fn = gen_empty_inline_cb;
+    gen_mem_wrapped(PLUGIN_GEN_CB_INLINE, &fn, 0, info, false);
 }

 static TCGOp *find_op(TCGOp *op, TCGOpcode opc)
@@ -243,13 +258,10 @@ static TCGOp *rm_ops(TCGOp *op)

 static TCGOp *copy_op_nocheck(TCGOp **begin_op, TCGOp *op)
 {
-    TCGOp *old_op = QTAILQ_NEXT(*begin_op, link);
-    unsigned nargs = old_op->nargs;
-
-    *begin_op = old_op;
-    op = tcg_op_insert_after(tcg_ctx, op, old_op->opc, nargs);
-    memcpy(op->args, old_op->args, sizeof(op->args[0]) * nargs);
-
+    *begin_op = QTAILQ_NEXT(*begin_op, link);
+    tcg_debug_assert(*begin_op);
+    op = tcg_op_insert_after(tcg_ctx, op, (*begin_op)->opc);
+    memcpy(op->args, (*begin_op)->args, sizeof(op->args));
    return op;
 }

@@ -260,6 +272,33 @@ static TCGOp *copy_op(TCGOp **begin_op, TCGOp *op, TCGOpcode opc)
    return op;
 }

+static TCGOp *copy_extu_i32_i64(TCGOp **begin_op, TCGOp *op)
+{
+    if (TCG_TARGET_REG_BITS == 32) {
+        /* mov_i32 */
+        op = copy_op(begin_op, op, INDEX_op_mov_i32);
+        /* mov_i32 w/ $0 */
+        op = copy_op(begin_op, op, INDEX_op_mov_i32);
+    } else {
+        /* extu_i32_i64 */
+        op = copy_op(begin_op, op, INDEX_op_extu_i32_i64);
+    }
+    return op;
+}
+
+static TCGOp *copy_mov_i64(TCGOp **begin_op, TCGOp *op)
+{
+    if (TCG_TARGET_REG_BITS == 32) {
+        /* 2x mov_i32 */
+        op = copy_op(begin_op, op, INDEX_op_mov_i32);
+        op = copy_op(begin_op, op, INDEX_op_mov_i32);
+    } else {
+        /* mov_i64 */
+        op = copy_op(begin_op, op, INDEX_op_mov_i64);
+    }
+    return op;
+}
+
 static TCGOp *copy_const_ptr(TCGOp **begin_op, TCGOp *op, void *ptr)
 {
    if (UINTPTR_MAX == UINT32_MAX) {
@@ -274,6 +313,18 @@ static TCGOp *copy_const_ptr(TCGOp **begin_op, TCGOp *op, void *ptr)
    return op;
 }

+static TCGOp *copy_extu_tl_i64(TCGOp **begin_op, TCGOp *op)
+{
+    if (TARGET_LONG_BITS == 32) {
+        /* extu_i32_i64 */
+        op = copy_extu_i32_i64(begin_op, op);
+    } else {
+        /* mov_i64 */
+        op = copy_mov_i64(begin_op, op);
+    }
+    return op;
+}
+
 static TCGOp *copy_ld_i64(TCGOp **begin_op, TCGOp *op)
 {
    if (TCG_TARGET_REG_BITS == 32) {
@@ -327,25 +378,35 @@ static TCGOp *copy_st_ptr(TCGOp **begin_op, TCGOp *op)
    return op;
 }

-static TCGOp *copy_call(TCGOp **begin_op, TCGOp *op, void *func, int *cb_idx)
+static TCGOp *copy_call(TCGOp **begin_op, TCGOp *op, void *empty_func,
+                        void *func, int *cb_idx)
 {
-    TCGOp *old_op;
-    int func_idx;
-
    /* copy all ops until the call */
    do {
        op = copy_op_nocheck(begin_op, op);
    } while (op->opc != INDEX_op_call);

    /* fill in the op call */
-    old_op = *begin_op;
-    TCGOP_CALLI(op) = TCGOP_CALLI(old_op);
-    TCGOP_CALLO(op) = TCGOP_CALLO(old_op);
+    op->param1 = (*begin_op)->param1;
+    op->param2 = (*begin_op)->param2;
    tcg_debug_assert(op->life == 0);
+    if (*cb_idx == -1) {
+        int i;

-    func_idx = TCGOP_CALLO(op) + TCGOP_CALLI(op);
-    *cb_idx = func_idx;
-    op->args[func_idx] = (uintptr_t)func;
+        /*
+         * Instead of working out the position of the callback in args[], just
+         * look for @empty_func, since it should be a unique pointer.
+         */
+        for (i = 0; i < MAX_OPC_PARAM_ARGS; i++) {
+            if ((uintptr_t)(*begin_op)->args[i] == (uintptr_t)empty_func) {
+                *cb_idx = i;
+                break;
+            }
+        }
+        tcg_debug_assert(i < MAX_OPC_PARAM_ARGS);
+    }
+    op->args[*cb_idx] = (uintptr_t)func;
+    op->args[*cb_idx + 1] = (*begin_op)->args[*cb_idx + 1];

    return op;
 }
@@ -363,15 +424,16 @@ static TCGOp *append_udata_cb(const struct qemu_plugin_dyn_cb *cb,
    op = copy_const_ptr(&begin_op, op, cb->userp);

    /* copy the ld_i32, but note that we only have to copy it once */
+    begin_op = QTAILQ_NEXT(begin_op, link);
+    tcg_debug_assert(begin_op && begin_op->opc == INDEX_op_ld_i32);
    if (*cb_idx == -1) {
-        op = copy_op(&begin_op, op, INDEX_op_ld_i32);
-    } else {
-        begin_op = QTAILQ_NEXT(begin_op, link);
-        tcg_debug_assert(begin_op && begin_op->opc == INDEX_op_ld_i32);
+        op = tcg_op_insert_after(tcg_ctx, op, INDEX_op_ld_i32);
+        memcpy(op->args, begin_op->args, sizeof(op->args));
    }

    /* call */
-    op = copy_call(&begin_op, op, cb->f.vcpu_udata, cb_idx);
+    op = copy_call(&begin_op, op, HELPER(plugin_vcpu_udata_cb),
+                   cb->f.vcpu_udata, cb_idx);

    return op;
 }
@@ -409,16 +471,20 @@ static TCGOp *append_mem_cb(const struct qemu_plugin_dyn_cb *cb,
    op = copy_const_ptr(&begin_op, op, cb->userp);

    /* copy the ld_i32, but note that we only have to copy it once */
+    begin_op = QTAILQ_NEXT(begin_op, link);
+    tcg_debug_assert(begin_op && begin_op->opc == INDEX_op_ld_i32);
    if (*cb_idx == -1) {
-        op = copy_op(&begin_op, op, INDEX_op_ld_i32);
-    } else {
-        begin_op = QTAILQ_NEXT(begin_op, link);
-        tcg_debug_assert(begin_op && begin_op->opc == INDEX_op_ld_i32);
+        op = tcg_op_insert_after(tcg_ctx, op, INDEX_op_ld_i32);
+        memcpy(op->args, begin_op->args, sizeof(op->args));
    }

+    /* extu_tl_i64 */
+    op = copy_extu_tl_i64(&begin_op, op);
+
    if (type == PLUGIN_GEN_CB_MEM) {
        /* call */
-        op = copy_call(&begin_op, op, cb->f.vcpu_udata, cb_idx);
+        op = copy_call(&begin_op, op, HELPER(plugin_vcpu_mem_cb),
+                       cb->f.vcpu_udata, cb_idx);
    }

    return op;
@@ -519,8 +585,7 @@ static void inject_mem_helper(TCGOp *begin_op, GArray *arr)
 * is possible that the code we generate after the instruction is
 * dead, we also add checks before generating tb_exit etc.
 */
-static void inject_mem_enable_helper(struct qemu_plugin_tb *ptb,
-                                     struct qemu_plugin_insn *plugin_insn,
+static void inject_mem_enable_helper(struct qemu_plugin_insn *plugin_insn,
                                     TCGOp *begin_op)
 {
    GArray *cbs[2];
@@ -540,7 +605,6 @@ static void inject_mem_enable_helper(struct qemu_plugin_tb *ptb,
        rm_ops(begin_op);
        return;
    }
-    ptb->mem_helper = true;

    arr = g_array_sized_new(false, false,
                            sizeof(struct qemu_plugin_dyn_cb), n_cbs);
@@ -566,20 +630,17 @@ static void inject_mem_disable_helper(struct qemu_plugin_insn *plugin_insn,
 /* called before finishing a TB with exit_tb, goto_tb or goto_ptr */
 void plugin_gen_disable_mem_helpers(void)
 {
-    /*
-     * We could emit the clearing unconditionally and be done. However, this can
-     * be wasteful if for instance plugins don't track memory accesses, or if
-     * most TBs don't use helpers. Instead, emit the clearing iff the TB calls
-     * helpers that might access guest memory.
-     *
-     * Note: we do not reset plugin_tb->mem_helper here; a TB might have several
-     * exit points, and we want to emit the clearing from all of them.
-     */
-    if (!tcg_ctx->plugin_tb->mem_helper) {
+    TCGv_ptr ptr;
+
+    if (likely(tcg_ctx->plugin_insn == NULL ||
+               !tcg_ctx->plugin_insn->mem_helper)) {
        return;
    }
-    tcg_gen_st_ptr(tcg_constant_ptr(NULL), tcg_env,
-                   offsetof(CPUState, plugin_mem_cbs) - offsetof(ArchCPU, env));
+    ptr = tcg_const_ptr(NULL);
+    tcg_gen_st_ptr(ptr, cpu_env, offsetof(CPUState, plugin_mem_cbs) -
+                                 offsetof(ArchCPU, env));
+    tcg_temp_free_ptr(ptr);
+    tcg_ctx->plugin_insn->mem_helper = false;
 }

 static void plugin_gen_tb_udata(const struct qemu_plugin_tb *ptb,
@@ -627,14 +688,14 @@ static void plugin_gen_mem_inline(const struct qemu_plugin_tb *ptb,
    inject_inline_cb(cbs, begin_op, op_rw);
 }

-static void plugin_gen_enable_mem_helper(struct qemu_plugin_tb *ptb,
+static void plugin_gen_enable_mem_helper(const struct qemu_plugin_tb *ptb,
                                         TCGOp *begin_op, int insn_idx)
 {
    struct qemu_plugin_insn *insn = g_ptr_array_index(ptb->insns, insn_idx);
-    inject_mem_enable_helper(ptb, insn, begin_op);
+    inject_mem_enable_helper(insn, begin_op);
 }

-static void plugin_gen_disable_mem_helper(struct qemu_plugin_tb *ptb,
+static void plugin_gen_disable_mem_helper(const struct qemu_plugin_tb *ptb,
                                          TCGOp *begin_op, int insn_idx)
 {
    struct qemu_plugin_insn *insn = g_ptr_array_index(ptb->insns, insn_idx);
@@ -695,7 +756,7 @@ static void pr_ops(void)
 #endif
 }

-static void plugin_gen_inject(struct qemu_plugin_tb *plugin_tb)
+static void plugin_gen_inject(const struct qemu_plugin_tb *plugin_tb)
 {
    TCGOp *op;
    int insn_idx = -1;
@@ -791,37 +852,22 @@ static void plugin_gen_inject(struct qemu_plugin_tb *plugin_tb)
    pr_ops();
 }

-bool plugin_gen_tb_start(CPUState *cpu, const DisasContextBase *db,
-                         bool mem_only)
+bool plugin_gen_tb_start(CPUState *cpu, const TranslationBlock *tb, bool mem_only)
 {
+    struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
    bool ret = false;

    if (test_bit(QEMU_PLUGIN_EV_VCPU_TB_TRANS, cpu->plugin_mask)) {
-        struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
-        int i;
-
-        /* reset callbacks */
-        for (i = 0; i < PLUGIN_N_CB_SUBTYPES; i++) {
-            if (ptb->cbs[i]) {
-                g_array_set_size(ptb->cbs[i], 0);
-            }
-        }
-        ptb->n = 0;
-
        ret = true;

-        ptb->vaddr = db->pc_first;
+        ptb->vaddr = tb->pc;
        ptb->vaddr2 = -1;
-        ptb->haddr1 = db->host_addr[0];
+        get_page_addr_code_hostp(cpu->env_ptr, tb->pc, &ptb->haddr1);
        ptb->haddr2 = NULL;
        ptb->mem_only = mem_only;
-        ptb->mem_helper = false;

        plugin_gen_empty_callback(PLUGIN_GEN_FROM_TB);
    }
-
-    tcg_ctx->plugin_insn = NULL;
-
    return ret;
 }

@@ -839,15 +885,16 @@ void plugin_gen_insn_start(CPUState *cpu, const DisasContextBase *db)
     * Note that we skip this when haddr1 == NULL, e.g. when we're
     * fetching instructions from a region not backed by RAM.
     */
-    if (ptb->haddr1 == NULL) {
-        pinsn->haddr = NULL;
-    } else if (is_same_page(db, db->pc_next)) {
+    if (likely(ptb->haddr1 != NULL && ptb->vaddr2 == -1) &&
+        unlikely((db->pc_next & TARGET_PAGE_MASK) !=
+                 (db->pc_first & TARGET_PAGE_MASK))) {
+        get_page_addr_code_hostp(cpu->env_ptr, db->pc_next,
+                                 &ptb->haddr2);
+        ptb->vaddr2 = db->pc_next;
+    }
+    if (likely(ptb->vaddr2 == -1)) {
        pinsn->haddr = ptb->haddr1 + pinsn->vaddr - ptb->vaddr;
    } else {
-        if (ptb->vaddr2 == -1) {
-            ptb->vaddr2 = TARGET_PAGE_ALIGN(db->pc_first);
-            get_page_addr_code_hostp(cpu_env(cpu), ptb->vaddr2, &ptb->haddr2);
-        }
        pinsn->haddr = ptb->haddr2 + pinsn->vaddr - ptb->vaddr2;
    }
 }
@@ -857,23 +904,23 @@ void plugin_gen_insn_end(void)
    plugin_gen_empty_callback(PLUGIN_GEN_AFTER_INSN);
 }

-/*
- * There are cases where we never get to finalise a translation - for
- * example a page fault during translation. As a result we shouldn't
- * do any clean-up here and make sure things are reset in
- * plugin_gen_tb_start.
- */
-void plugin_gen_tb_end(CPUState *cpu, size_t num_insns)
+void plugin_gen_tb_end(CPUState *cpu)
 {
    struct qemu_plugin_tb *ptb = tcg_ctx->plugin_tb;
-
-    /* translator may have removed instructions, update final count */
-    g_assert(num_insns <= ptb->n);
-    ptb->n = num_insns;
+    int i;

    /* collect instrumentation requests */
    qemu_plugin_tb_trans_cb(cpu, ptb);

    /* inject the instrumentation at the appropriate places */
    plugin_gen_inject(ptb);
+
+    /* clean up */
+    for (i = 0; i < PLUGIN_N_CB_SUBTYPES; i++) {
+        if (ptb->cbs[i]) {
+            g_array_set_size(ptb->cbs[i], 0);
+        }
+    }
+    ptb->n = 0;
+    tcg_ctx->plugin_insn = NULL;
 }
--- a/accel/tcg/plugin-helpers.h
+++ b/accel/tcg/plugin-helpers.h
@@ -1,4 +1,4 @@
 #ifdef CONFIG_PLUGIN
-DEF_HELPER_FLAGS_2(plugin_vcpu_udata_cb, TCG_CALL_NO_RWG | TCG_CALL_PLUGIN, void, i32, ptr)
-DEF_HELPER_FLAGS_4(plugin_vcpu_mem_cb, TCG_CALL_NO_RWG | TCG_CALL_PLUGIN, void, i32, i32, i64, ptr)
+DEF_HELPER_FLAGS_2(plugin_vcpu_udata_cb, TCG_CALL_NO_RWG, void, i32, ptr)
+DEF_HELPER_FLAGS_4(plugin_vcpu_mem_cb, TCG_CALL_NO_RWG, void, i32, i32, i64, ptr)
 #endif
--- a/accel/tcg/tb-hash.h
+++ b/accel/tcg/tb-hash.h
@@ -23,7 +23,6 @@
 #include "exec/cpu-defs.h"
 #include "exec/exec-all.h"
 #include "qemu/xxhash.h"
-#include "tb-jmp-cache.h"

 #ifdef CONFIG_SOFTMMU

@@ -35,16 +34,16 @@
 #define TB_JMP_ADDR_MASK (TB_JMP_PAGE_SIZE - 1)
 #define TB_JMP_PAGE_MASK (TB_JMP_CACHE_SIZE - TB_JMP_PAGE_SIZE)

-static inline unsigned int tb_jmp_cache_hash_page(vaddr pc)
+static inline unsigned int tb_jmp_cache_hash_page(target_ulong pc)
 {
-    vaddr tmp;
+    target_ulong tmp;
    tmp = pc ^ (pc >> (TARGET_PAGE_BITS - TB_JMP_PAGE_BITS));
    return (tmp >> (TARGET_PAGE_BITS - TB_JMP_PAGE_BITS)) & TB_JMP_PAGE_MASK;
 }

-static inline unsigned int tb_jmp_cache_hash_func(vaddr pc)
+static inline unsigned int tb_jmp_cache_hash_func(target_ulong pc)
 {
-    vaddr tmp;
+    target_ulong tmp;
    tmp = pc ^ (pc >> (TARGET_PAGE_BITS - TB_JMP_PAGE_BITS));
    return (((tmp >> (TARGET_PAGE_BITS - TB_JMP_PAGE_BITS)) & TB_JMP_PAGE_MASK)
           | (tmp & TB_JMP_ADDR_MASK));
@@ -53,7 +52,7 @@ static inline unsigned int tb_jmp_cache_hash_func(vaddr pc)
 #else

 /* In user-mode we can get better hashing because we do not have a TLB */
-static inline unsigned int tb_jmp_cache_hash_func(vaddr pc)
+static inline unsigned int tb_jmp_cache_hash_func(target_ulong pc)
 {
    return (pc ^ (pc >> TB_JMP_CACHE_BITS)) & (TB_JMP_CACHE_SIZE - 1);
 }
@@ -61,10 +60,10 @@ static inline unsigned int tb_jmp_cache_hash_func(vaddr pc)
 #endif /* CONFIG_SOFTMMU */

 static inline
-uint32_t tb_hash_func(tb_page_addr_t phys_pc, vaddr pc,
-                      uint32_t flags, uint64_t flags2, uint32_t cf_mask)
+uint32_t tb_hash_func(tb_page_addr_t phys_pc, target_ulong pc, uint32_t flags,
+                      uint32_t cf_mask, uint32_t trace_vcpu_dstate)
 {
-    return qemu_xxhash8(phys_pc, pc, flags2, flags, cf_mask);
+    return qemu_xxhash7(phys_pc, pc, flags, cf_mask, trace_vcpu_dstate);
 }

 #endif
--- a/accel/tcg/tb-jmp-cache.h
+++ b/accel/tcg/tb-jmp-cache.h
@@ -1,28 +0,0 @@
-/*
- * The per-CPU TranslationBlock jump cache.
- *
- *  Copyright (c) 2003 Fabrice Bellard
- *
- * SPDX-License-Identifier: GPL-2.0-or-later
- */
-
-#ifndef ACCEL_TCG_TB_JMP_CACHE_H
-#define ACCEL_TCG_TB_JMP_CACHE_H
-
-#define TB_JMP_CACHE_BITS 12
-#define TB_JMP_CACHE_SIZE (1 << TB_JMP_CACHE_BITS)
-
-/*
- * Accessed in parallel; all accesses to 'tb' must be atomic.
- * For CF_PCREL, accesses to 'pc' must be protected by a
- * load_acquire/store_release to 'tb'.
- */
-struct CPUJumpCache {
-    struct rcu_head rcu;
-    struct {
-        TranslationBlock *tb;
-        vaddr pc;
-    } array[TB_JMP_CACHE_SIZE];
-};
-
-#endif /* ACCEL_TCG_TB_JMP_CACHE_H */
--- a/accel/tcg/tb-maint.c
+++ b/accel/tcg/tb-maint.c
--- a/accel/tcg/tcg-accel-ops-icount.c
+++ b/accel/tcg/tcg-accel-ops-icount.c
@@ -24,8 +24,9 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
+#include "sysemu/tcg.h"
 #include "sysemu/replay.h"
-#include "sysemu/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/guest-random.h"
 #include "exec/exec-all.h"
@@ -84,25 +85,13 @@ void icount_handle_deadline(void)
     * Don't interrupt cpu thread, when these events are waiting
     * (i.e., there is no checkpoint)
     */
-    if (deadline == 0) {
+    if (deadline == 0
+        && (replay_mode != REPLAY_MODE_PLAY || replay_has_checkpoint())) {
        icount_notify_aio_contexts();
    }
 }

-/* Distribute the budget evenly across all CPUs */
-int64_t icount_percpu_budget(int cpu_count)
-{
-    int64_t limit = icount_get_limit();
-    int64_t timeslice = limit / cpu_count;
-
-    if (timeslice == 0) {
-        timeslice = limit;
-    }
-
-    return timeslice;
-}
-
-void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget)
+void icount_prepare_for_run(CPUState *cpu)
 {
    int insns_left;

@@ -111,24 +100,18 @@ void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget)
     * each vCPU execution. However u16.high can be raised
     * asynchronously by cpu_exit/cpu_interrupt/tcg_handle_interrupt
     */
-    g_assert(cpu->neg.icount_decr.u16.low == 0);
+    g_assert(cpu_neg(cpu)->icount_decr.u16.low == 0);
    g_assert(cpu->icount_extra == 0);

+    cpu->icount_budget = icount_get_limit();
+    insns_left = MIN(0xffff, cpu->icount_budget);
+    cpu_neg(cpu)->icount_decr.u16.low = insns_left;
+    cpu->icount_extra = cpu->icount_budget - insns_left;
+
    replay_mutex_lock();

-    cpu->icount_budget = MIN(icount_get_limit(), cpu_budget);
-    insns_left = MIN(0xffff, cpu->icount_budget);
-    cpu->neg.icount_decr.u16.low = insns_left;
-    cpu->icount_extra = cpu->icount_budget - insns_left;
-
-    if (cpu->icount_budget == 0) {
-        /*
-         * We're called without the iothread lock, so must take it while
-         * we're calling timer handlers.
-         */
-        qemu_mutex_lock_iothread();
+    if (cpu->icount_budget == 0 && replay_has_checkpoint()) {
        icount_notify_aio_contexts();
-        qemu_mutex_unlock_iothread();
    }
 }

@@ -138,7 +121,7 @@ void icount_process_data(CPUState *cpu)
    icount_update(cpu);

    /* Reset the counters */
-    cpu->neg.icount_decr.u16.low = 0;
+    cpu_neg(cpu)->icount_decr.u16.low = 0;
    cpu->icount_extra = 0;
    cpu->icount_budget = 0;

@@ -153,7 +136,7 @@ void icount_handle_interrupt(CPUState *cpu, int mask)

    tcg_handle_interrupt(cpu, mask);
    if (qemu_cpu_is_self(cpu) &&
-        !cpu->neg.can_do_io
+        !cpu->can_do_io
        && (mask & ~old_mask) != 0) {
        cpu_abort(cpu, "Raised interrupt while not in I/O function");
    }
--- a/accel/tcg/tcg-accel-ops-icount.h
+++ b/accel/tcg/tcg-accel-ops-icount.h
@@ -7,14 +7,13 @@
 * See the COPYING file in the top-level directory.
 */

-#ifndef TCG_ACCEL_OPS_ICOUNT_H
-#define TCG_ACCEL_OPS_ICOUNT_H
+#ifndef TCG_CPUS_ICOUNT_H
+#define TCG_CPUS_ICOUNT_H

 void icount_handle_deadline(void);
-void icount_prepare_for_run(CPUState *cpu, int64_t cpu_budget);
-int64_t icount_percpu_budget(int cpu_count);
+void icount_prepare_for_run(CPUState *cpu);
 void icount_process_data(CPUState *cpu);

 void icount_handle_interrupt(CPUState *cpu, int mask);

-#endif /* TCG_ACCEL_OPS_ICOUNT_H */
+#endif /* TCG_CPUS_ICOUNT_H */
--- a/accel/tcg/tcg-accel-ops-mttcg.c
+++ b/accel/tcg/tcg-accel-ops-mttcg.c
@@ -24,15 +24,15 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "sysemu/tcg.h"
 #include "sysemu/replay.h"
-#include "sysemu/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/notify.h"
 #include "qemu/guest-random.h"
 #include "exec/exec-all.h"
 #include "hw/boards.h"
-#include "tcg/startup.h"
+
 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-mttcg.h"

@@ -80,7 +80,7 @@ static void *mttcg_cpu_thread_fn(void *arg)
    qemu_thread_get_self(cpu->thread);

    cpu->thread_id = qemu_get_thread_id();
-    cpu->neg.can_do_io = true;
+    cpu->can_do_io = 1;
    current_cpu = cpu;
    cpu_thread_signal_created(cpu);
    qemu_guest_random_seed_thread_part2(cpu->random_seed);
@@ -100,9 +100,14 @@ static void *mttcg_cpu_thread_fn(void *arg)
                break;
            case EXCP_HALTED:
                /*
-                 * Usually cpu->halted is set, but may have already been
-                 * reset by another thread by the time we arrive here.
+                 * during start-up the vCPU is reset and the thread is
+                 * kicked several times. If we don't ensure we go back
+                 * to sleep in the halted state we won't cleanly
+                 * start-up when the vCPU is enabled.
+                 *
+                 * cpu->halted should ensure we sleep in wait_io_event
                 */
+                g_assert(cpu->halted);
                break;
            case EXCP_ATOMIC:
                qemu_mutex_unlock_iothread();
@@ -114,7 +119,7 @@ static void *mttcg_cpu_thread_fn(void *arg)
            }
        }

-        qatomic_set_mb(&cpu->exit_request, 0);
+        qatomic_mb_set(&cpu->exit_request, 0);
        qemu_wait_io_event(cpu);
    } while (!cpu->unplug || cpu_can_run(cpu));

@@ -137,7 +142,7 @@ void mttcg_start_vcpu_thread(CPUState *cpu)
    g_assert(tcg_enabled());
    tcg_cpu_init_cflags(cpu, current_machine->smp.max_cpus > 1);

-    cpu->thread = g_new0(QemuThread, 1);
+    cpu->thread = g_malloc0(sizeof(QemuThread));
    cpu->halt_cond = g_malloc0(sizeof(QemuCond));
    qemu_cond_init(cpu->halt_cond);

@@ -147,4 +152,8 @@ void mttcg_start_vcpu_thread(CPUState *cpu)

    qemu_thread_create(cpu->thread, thread_name, mttcg_cpu_thread_fn,
                       cpu, QEMU_THREAD_JOINABLE);
+
+#ifdef _WIN32
+    cpu->hThread = qemu_thread_get_handle(cpu->thread);
+#endif
 }
--- a/accel/tcg/tcg-accel-ops-mttcg.h
+++ b/accel/tcg/tcg-accel-ops-mttcg.h
@@ -7,8 +7,8 @@
 * See the COPYING file in the top-level directory.
 */

-#ifndef TCG_ACCEL_OPS_MTTCG_H
-#define TCG_ACCEL_OPS_MTTCG_H
+#ifndef TCG_CPUS_MTTCG_H
+#define TCG_CPUS_MTTCG_H

 /* kick MTTCG vCPU thread */
 void mttcg_kick_vcpu_thread(CPUState *cpu);
@@ -16,4 +16,4 @@ void mttcg_kick_vcpu_thread(CPUState *cpu);
 /* start an mttcg vCPU thread */
 void mttcg_start_vcpu_thread(CPUState *cpu);

-#endif /* TCG_ACCEL_OPS_MTTCG_H */
+#endif /* TCG_CPUS_MTTCG_H */
--- a/accel/tcg/tcg-accel-ops-rr.c
+++ b/accel/tcg/tcg-accel-ops-rr.c
@@ -24,15 +24,14 @@
 */

 #include "qemu/osdep.h"
-#include "qemu/lockable.h"
+#include "qemu-common.h"
 #include "sysemu/tcg.h"
 #include "sysemu/replay.h"
-#include "sysemu/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/notify.h"
 #include "qemu/guest-random.h"
 #include "exec/exec-all.h"
-#include "tcg/startup.h"
+
 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-rr.h"
 #include "tcg-accel-ops-icount.h"
@@ -52,7 +51,7 @@ void rr_kick_vcpu_thread(CPUState *unused)
 *
 * The kick timer is responsible for moving single threaded vCPU
 * emulation on to the next vCPU. If more than one vCPU is running a
- * timer event we force a cpu->exit so the next vCPU can get
+ * timer event with force a cpu->exit so the next vCPU can get
 * scheduled.
 *
 * The timer is removed if all vCPUs are idle and restarted again once
@@ -72,13 +71,11 @@ static void rr_kick_next_cpu(void)
 {
    CPUState *cpu;
    do {
-        cpu = qatomic_read(&rr_current_cpu);
+        cpu = qatomic_mb_read(&rr_current_cpu);
        if (cpu) {
            cpu_exit(cpu);
        }
-        /* Finish kicking this cpu before reading again.  */
-        smp_mb();
-    } while (cpu != qatomic_read(&rr_current_cpu));
+    } while (cpu != qatomic_mb_read(&rr_current_cpu));
 }

 static void rr_kick_thread(void *opaque)
@@ -142,33 +139,6 @@ static void rr_force_rcu(Notifier *notify, void *data)
    rr_kick_next_cpu();
 }

-/*
- * Calculate the number of CPUs that we will process in a single iteration of
- * the main CPU thread loop so that we can fairly distribute the instruction
- * count across CPUs.
- *
- * The CPU count is cached based on the CPU list generation ID to avoid
- * iterating the list every time.
- */
-static int rr_cpu_count(void)
-{
-    static unsigned int last_gen_id = ~0;
-    static int cpu_count;
-    CPUState *cpu;
-
-    QEMU_LOCK_GUARD(&qemu_cpu_list_lock);
-
-    if (cpu_list_generation_id_get() != last_gen_id) {
-        cpu_count = 0;
-        CPU_FOREACH(cpu) {
-            ++cpu_count;
-        }
-        last_gen_id = cpu_list_generation_id_get();
-    }
-
-    return cpu_count;
-}
-
 /*
 * In the single-threaded case each vCPU is simulated in turn. If
 * there is more than a single vCPU we create a simple timer to kick
@@ -192,7 +162,7 @@ static void *rr_cpu_thread_fn(void *arg)
    qemu_thread_get_self(cpu->thread);

    cpu->thread_id = qemu_get_thread_id();
-    cpu->neg.can_do_io = true;
+    cpu->can_do_io = 1;
    cpu_thread_signal_created(cpu);
    qemu_guest_random_seed_thread_part2(cpu->random_seed);

@@ -215,16 +185,11 @@ static void *rr_cpu_thread_fn(void *arg)
    cpu->exit_request = 1;

    while (1) {
-        /* Only used for icount_enabled() */
-        int64_t cpu_budget = 0;
-
        qemu_mutex_unlock_iothread();
        replay_mutex_lock();
        qemu_mutex_lock_iothread();

        if (icount_enabled()) {
-            int cpu_count = rr_cpu_count();
-
            /* Account partial waits to QEMU_CLOCK_VIRTUAL.  */
            icount_account_warp_timer();
            /*
@@ -232,8 +197,6 @@ static void *rr_cpu_thread_fn(void *arg)
             * waking up the I/O thread and waiting for completion.
             */
            icount_handle_deadline();
-
-            cpu_budget = icount_percpu_budget(cpu_count);
        }

        replay_mutex_unlock();
@@ -243,9 +206,8 @@ static void *rr_cpu_thread_fn(void *arg)
        }

        while (cpu && cpu_work_list_empty(cpu) && !cpu->exit_request) {
-            /* Store rr_current_cpu before evaluating cpu_can_run().  */
-            qatomic_set_mb(&rr_current_cpu, cpu);

+            qatomic_mb_set(&rr_current_cpu, cpu);
            current_cpu = cpu;

            qemu_clock_enable(QEMU_CLOCK_VIRTUAL,
@@ -256,7 +218,7 @@ static void *rr_cpu_thread_fn(void *arg)

                qemu_mutex_unlock_iothread();
                if (icount_enabled()) {
-                    icount_prepare_for_run(cpu, cpu_budget);
+                    icount_prepare_for_run(cpu);
                }
                r = tcg_cpus_exec(cpu);
                if (icount_enabled()) {
@@ -283,11 +245,11 @@ static void *rr_cpu_thread_fn(void *arg)
            cpu = CPU_NEXT(cpu);
        } /* while (cpu && !cpu->exit_request).. */

-        /* Does not need a memory barrier because a spurious wakeup is okay.  */
+        /* Does not need qatomic_mb_set because a spurious wakeup is okay.  */
        qatomic_set(&rr_current_cpu, NULL);

        if (cpu && cpu->exit_request) {
-            qatomic_set_mb(&cpu->exit_request, 0);
+            qatomic_mb_set(&cpu->exit_request, 0);
        }

        if (icount_enabled() && all_cpu_threads_idle()) {
@@ -317,8 +279,8 @@ void rr_start_vcpu_thread(CPUState *cpu)
    tcg_cpu_init_cflags(cpu, false);

    if (!single_tcg_cpu_thread) {
-        cpu->thread = g_new0(QemuThread, 1);
-        cpu->halt_cond = g_new0(QemuCond, 1);
+        cpu->thread = g_malloc0(sizeof(QemuThread));
+        cpu->halt_cond = g_malloc0(sizeof(QemuCond));
        qemu_cond_init(cpu->halt_cond);

        /* share a single thread for all cpus with TCG */
@@ -329,12 +291,15 @@ void rr_start_vcpu_thread(CPUState *cpu)

        single_tcg_halt_cond = cpu->halt_cond;
        single_tcg_cpu_thread = cpu->thread;
+#ifdef _WIN32
+        cpu->hThread = qemu_thread_get_handle(cpu->thread);
+#endif
    } else {
        /* we share the thread */
        cpu->thread = single_tcg_cpu_thread;
        cpu->halt_cond = single_tcg_halt_cond;
        cpu->thread_id = first_cpu->thread_id;
-        cpu->neg.can_do_io = 1;
+        cpu->can_do_io = 1;
        cpu->created = true;
    }
 }
--- a/accel/tcg/tcg-accel-ops-rr.h
+++ b/accel/tcg/tcg-accel-ops-rr.h
@@ -7,8 +7,8 @@
 * See the COPYING file in the top-level directory.
 */

-#ifndef TCG_ACCEL_OPS_RR_H
-#define TCG_ACCEL_OPS_RR_H
+#ifndef TCG_CPUS_RR_H
+#define TCG_CPUS_RR_H

 #define TCG_KICK_PERIOD (NANOSECONDS_PER_SECOND / 10)

@@ -18,4 +18,4 @@ void rr_kick_vcpu_thread(CPUState *unused);
 /* start the round robin vcpu thread */
 void rr_start_vcpu_thread(CPUState *cpu);

-#endif /* TCG_ACCEL_OPS_RR_H */
+#endif /* TCG_CPUS_RR_H */
--- a/accel/tcg/tcg-accel-ops.c
+++ b/accel/tcg/tcg-accel-ops.c
@@ -26,16 +26,12 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "sysemu/tcg.h"
 #include "sysemu/replay.h"
-#include "sysemu/cpu-timers.h"
 #include "qemu/main-loop.h"
 #include "qemu/guest-random.h"
-#include "qemu/timer.h"
 #include "exec/exec-all.h"
-#include "exec/hwaddr.h"
-#include "exec/tb-flush.h"
-#include "exec/gdbstub.h"

 #include "tcg-accel-ops.h"
 #include "tcg-accel-ops-mttcg.h"
@@ -46,21 +42,10 @@

 void tcg_cpu_init_cflags(CPUState *cpu, bool parallel)
 {
-    uint32_t cflags;
-
-    /*
-     * Include the cluster number in the hash we use to look up TBs.
-     * This is important because a TB that is valid for one cluster at
-     * a given physical address and set of CPU flags is not necessarily
-     * valid for another:
-     * the two clusters may have different views of physical memory, or
-     * may have different CPU features (eg FPU present or absent).
-     */
-    cflags = cpu->cluster_index << CF_CLUSTER_SHIFT;
-
+    uint32_t cflags = cpu->cluster_index << CF_CLUSTER_SHIFT;
    cflags |= parallel ? CF_PARALLEL : 0;
    cflags |= icount_enabled() ? CF_USE_ICOUNT : 0;
-    cpu->tcg_cflags |= cflags;
+    cpu->tcg_cflags = cflags;
 }

 void tcg_cpus_destroy(CPUState *cpu)
@@ -71,20 +56,23 @@ void tcg_cpus_destroy(CPUState *cpu)
 int tcg_cpus_exec(CPUState *cpu)
 {
    int ret;
+#ifdef CONFIG_PROFILER
+    int64_t ti;
+#endif
    assert(tcg_enabled());
+#ifdef CONFIG_PROFILER
+    ti = profile_getclock();
+#endif
    cpu_exec_start(cpu);
    ret = cpu_exec(cpu);
    cpu_exec_end(cpu);
+#ifdef CONFIG_PROFILER
+    qatomic_set(&tcg_ctx->prof.cpu_exec_time,
+                tcg_ctx->prof.cpu_exec_time + profile_getclock() - ti);
+#endif
    return ret;
 }

-static void tcg_cpu_reset_hold(CPUState *cpu)
-{
-    tcg_flush_jmp_cache(cpu);
-
-    tlb_flush(cpu);
-}
-
 /* mask must never be zero, except for A20 change call */
 void tcg_handle_interrupt(CPUState *cpu, int mask)
 {
@@ -99,125 +87,27 @@ void tcg_handle_interrupt(CPUState *cpu, int mask)
    if (!qemu_cpu_is_self(cpu)) {
        qemu_cpu_kick(cpu);
    } else {
-        qatomic_set(&cpu->neg.icount_decr.u16.high, -1);
+        qatomic_set(&cpu_neg(cpu)->icount_decr.u16.high, -1);
    }
 }

-static bool tcg_supports_guest_debug(void)
-{
-    return true;
-}
-
-/* Translate GDB watchpoint type to a flags value for cpu_watchpoint_* */
-static inline int xlat_gdb_type(CPUState *cpu, int gdbtype)
-{
-    static const int xlat[] = {
-        [GDB_WATCHPOINT_WRITE]  = BP_GDB | BP_MEM_WRITE,
-        [GDB_WATCHPOINT_READ]   = BP_GDB | BP_MEM_READ,
-        [GDB_WATCHPOINT_ACCESS] = BP_GDB | BP_MEM_ACCESS,
-    };
-
-    CPUClass *cc = CPU_GET_CLASS(cpu);
-    int cputype = xlat[gdbtype];
-
-    if (cc->gdb_stop_before_watchpoint) {
-        cputype |= BP_STOP_BEFORE_ACCESS;
-    }
-    return cputype;
-}
-
-static int tcg_insert_breakpoint(CPUState *cs, int type, vaddr addr, vaddr len)
-{
-    CPUState *cpu;
-    int err = 0;
-
-    switch (type) {
-    case GDB_BREAKPOINT_SW:
-    case GDB_BREAKPOINT_HW:
-        CPU_FOREACH(cpu) {
-            err = cpu_breakpoint_insert(cpu, addr, BP_GDB, NULL);
-            if (err) {
-                break;
-            }
-        }
-        return err;
-    case GDB_WATCHPOINT_WRITE:
-    case GDB_WATCHPOINT_READ:
-    case GDB_WATCHPOINT_ACCESS:
-        CPU_FOREACH(cpu) {
-            err = cpu_watchpoint_insert(cpu, addr, len,
-                                        xlat_gdb_type(cpu, type), NULL);
-            if (err) {
-                break;
-            }
-        }
-        return err;
-    default:
-        return -ENOSYS;
-    }
-}
-
-static int tcg_remove_breakpoint(CPUState *cs, int type, vaddr addr, vaddr len)
-{
-    CPUState *cpu;
-    int err = 0;
-
-    switch (type) {
-    case GDB_BREAKPOINT_SW:
-    case GDB_BREAKPOINT_HW:
-        CPU_FOREACH(cpu) {
-            err = cpu_breakpoint_remove(cpu, addr, BP_GDB);
-            if (err) {
-                break;
-            }
-        }
-        return err;
-    case GDB_WATCHPOINT_WRITE:
-    case GDB_WATCHPOINT_READ:
-    case GDB_WATCHPOINT_ACCESS:
-        CPU_FOREACH(cpu) {
-            err = cpu_watchpoint_remove(cpu, addr, len,
-                                        xlat_gdb_type(cpu, type));
-            if (err) {
-                break;
-            }
-        }
-        return err;
-    default:
-        return -ENOSYS;
-    }
-}
-
-static inline void tcg_remove_all_breakpoints(CPUState *cpu)
-{
-    cpu_breakpoint_remove_all(cpu, BP_GDB);
-    cpu_watchpoint_remove_all(cpu, BP_GDB);
-}
-
 static void tcg_accel_ops_init(AccelOpsClass *ops)
 {
    if (qemu_tcg_mttcg_enabled()) {
        ops->create_vcpu_thread = mttcg_start_vcpu_thread;
        ops->kick_vcpu_thread = mttcg_kick_vcpu_thread;
        ops->handle_interrupt = tcg_handle_interrupt;
+    } else if (icount_enabled()) {
+        ops->create_vcpu_thread = rr_start_vcpu_thread;
+        ops->kick_vcpu_thread = rr_kick_vcpu_thread;
+        ops->handle_interrupt = icount_handle_interrupt;
+        ops->get_virtual_clock = icount_get;
+        ops->get_elapsed_ticks = icount_get;
    } else {
        ops->create_vcpu_thread = rr_start_vcpu_thread;
        ops->kick_vcpu_thread = rr_kick_vcpu_thread;
-
-        if (icount_enabled()) {
-            ops->handle_interrupt = icount_handle_interrupt;
-            ops->get_virtual_clock = icount_get;
-            ops->get_elapsed_ticks = icount_get;
-        } else {
-            ops->handle_interrupt = tcg_handle_interrupt;
-        }
+        ops->handle_interrupt = tcg_handle_interrupt;
    }
-
-    ops->cpu_reset_hold = tcg_cpu_reset_hold;
-    ops->supports_guest_debug = tcg_supports_guest_debug;
-    ops->insert_breakpoint = tcg_insert_breakpoint;
-    ops->remove_breakpoint = tcg_remove_breakpoint;
-    ops->remove_all_breakpoints = tcg_remove_all_breakpoints;
 }

 static void tcg_accel_ops_class_init(ObjectClass *oc, void *data)
--- a/accel/tcg/tcg-accel-ops.h
+++ b/accel/tcg/tcg-accel-ops.h
@@ -9,8 +9,8 @@
 * See the COPYING file in the top-level directory.
 */

-#ifndef TCG_ACCEL_OPS_H
-#define TCG_ACCEL_OPS_H
+#ifndef TCG_CPUS_H
+#define TCG_CPUS_H

 #include "sysemu/cpus.h"

@@ -19,4 +19,4 @@ int tcg_cpus_exec(CPUState *cpu);
 void tcg_handle_interrupt(CPUState *cpu, int mask);
 void tcg_cpu_init_cflags(CPUState *cpu, bool parallel);

-#endif /* TCG_ACCEL_OPS_H */
+#endif /* TCG_CPUS_H */
--- a/accel/tcg/tcg-all.c
+++ b/accel/tcg/tcg-all.c
@@ -24,27 +24,24 @@
 */

 #include "qemu/osdep.h"
+#include "qemu-common.h"
 #include "sysemu/tcg.h"
-#include "exec/replay-core.h"
 #include "sysemu/cpu-timers.h"
-#include "tcg/startup.h"
-#include "tcg/oversized-guest.h"
+#include "tcg/tcg.h"
 #include "qapi/error.h"
 #include "qemu/error-report.h"
 #include "qemu/accel.h"
-#include "qemu/atomic.h"
 #include "qapi/qapi-builtin-visit.h"
 #include "qemu/units.h"
 #if !defined(CONFIG_USER_ONLY)
 #include "hw/boards.h"
 #endif
-#include "internal-target.h"
+#include "internal.h"

 struct TCGState {
    AccelState parent_obj;

    bool mttcg_enabled;
-    bool one_insn_per_tb;
    int splitwx_enabled;
    unsigned long tb_size;
 };
@@ -64,23 +61,37 @@ DECLARE_INSTANCE_CHECKER(TCGState, TCG_STATE,
 * they can set the appropriate CONFIG flags in ${target}-softmmu.mak
 *
 * Once a guest architecture has been converted to the new primitives
- * there is one remaining limitation to check:
- *   - The guest can't be oversized (e.g. 64 bit guest on 32 bit host)
+ * there are two remaining limitations to check.
+ *
+ * - The guest can't be oversized (e.g. 64 bit guest on 32 bit host)
+ * - The host must have a stronger memory order than the guest
+ *
+ * It may be possible in future to support strong guests on weak hosts
+ * but that will require tagging all load/stores in a guest with their
+ * implicit memory order requirements which would likely slow things
+ * down a lot.
 */

+static bool check_tcg_memory_orders_compatible(void)
+{
+#if defined(TCG_GUEST_DEFAULT_MO) && defined(TCG_TARGET_DEFAULT_MO)
+    return (TCG_GUEST_DEFAULT_MO & ~TCG_TARGET_DEFAULT_MO) == 0;
+#else
+    return false;
+#endif
+}
+
 static bool default_mttcg_enabled(void)
 {
    if (icount_enabled() || TCG_OVERSIZED_GUEST) {
        return false;
-    }
+    } else {
 #ifdef TARGET_SUPPORTS_MTTCG
-# ifndef TCG_GUEST_DEFAULT_MO
-#  error "TARGET_SUPPORTS_MTTCG without TCG_GUEST_DEFAULT_MO"
-# endif
-    return true;
+        return check_tcg_memory_orders_compatible();
 #else
-    return false;
+        return false;
 #endif
+    }
 }

 static void tcg_accel_instance_init(Object *obj)
@@ -98,7 +109,6 @@ static void tcg_accel_instance_init(Object *obj)
 }

 bool mttcg_enabled;
-bool one_insn_per_tb;

 static int tcg_init_machine(MachineState *ms)
 {
@@ -121,7 +131,7 @@ static int tcg_init_machine(MachineState *ms)
     * There's no guest base to take into account, so go ahead and
     * initialize the prologue now.
     */
-    tcg_prologue_init();
+    tcg_prologue_init(tcg_ctx);
 #endif

    return 0;
@@ -148,6 +158,11 @@ static void tcg_set_thread(Object *obj, const char *value, Error **errp)
            warn_report("Guest not yet converted to MTTCG - "
                        "you may get unexpected results");
 #endif
+            if (!check_tcg_memory_orders_compatible()) {
+                warn_report("Guest expects a stronger memory ordering "
+                            "than the host provides");
+                error_printf("This may cause strange/hard to debug errors\n");
+            }
            s->mttcg_enabled = true;
        }
    } else if (strcmp(value, "single") == 0) {
@@ -193,44 +208,12 @@ static void tcg_set_splitwx(Object *obj, bool value, Error **errp)
    s->splitwx_enabled = value;
 }

-static bool tcg_get_one_insn_per_tb(Object *obj, Error **errp)
-{
-    TCGState *s = TCG_STATE(obj);
-    return s->one_insn_per_tb;
-}
-
-static void tcg_set_one_insn_per_tb(Object *obj, bool value, Error **errp)
-{
-    TCGState *s = TCG_STATE(obj);
-    s->one_insn_per_tb = value;
-    /* Set the global also: this changes the behaviour */
-    qatomic_set(&one_insn_per_tb, value);
-}
-
-static int tcg_gdbstub_supported_sstep_flags(void)
-{
-    /*
-     * In replay mode all events will come from the log and can't be
-     * suppressed otherwise we would break determinism. However as those
-     * events are tied to the number of executed instructions we won't see
-     * them occurring every time we single step.
-     */
-    if (replay_mode != REPLAY_MODE_NONE) {
-        return SSTEP_ENABLE;
-    } else {
-        return SSTEP_ENABLE | SSTEP_NOIRQ | SSTEP_NOTIMER;
-    }
-}
-
 static void tcg_accel_class_init(ObjectClass *oc, void *data)
 {
    AccelClass *ac = ACCEL_CLASS(oc);
    ac->name = "tcg";
    ac->init_machine = tcg_init_machine;
-    ac->cpu_common_realize = tcg_exec_realizefn;
-    ac->cpu_common_unrealize = tcg_exec_unrealizefn;
    ac->allowed = &tcg_allowed;
-    ac->gdbstub_supported_sstep_flags = tcg_gdbstub_supported_sstep_flags;

    object_class_property_add_str(oc, "thread",
                                  tcg_get_thread,
@@ -246,12 +229,6 @@ static void tcg_accel_class_init(ObjectClass *oc, void *data)
        tcg_get_splitwx, tcg_set_splitwx);
    object_class_property_set_description(oc, "split-wx",
        "Map jit pages into separate RW and RX regions");
-
-    object_class_property_add_bool(oc, "one-insn-per-tb",
-                                   tcg_get_one_insn_per_tb,
-                                   tcg_set_one_insn_per_tb);
-    object_class_property_set_description(oc, "one-insn-per-tb",
-        "Only put one guest insn in each translation block");
 }

 static const TypeInfo tcg_accel_type = {
--- a/accel/tcg/tcg-runtime-gvec.c
+++ b/accel/tcg/tcg-runtime-gvec.c
@@ -20,7 +20,7 @@
 #include "qemu/osdep.h"
 #include "qemu/host-utils.h"
 #include "cpu.h"
-#include "exec/helper-proto-common.h"
+#include "exec/helper-proto.h"
 #include "tcg/tcg-gvec-desc.h"


@@ -550,17 +550,6 @@ void HELPER(gvec_ands)(void *d, void *a, uint64_t b, uint32_t desc)
    clear_high(d, oprsz, desc);
 }

-void HELPER(gvec_andcs)(void *d, void *a, uint64_t b, uint32_t desc)
-{
-    intptr_t oprsz = simd_oprsz(desc);
-    intptr_t i;
-
-    for (i = 0; i < oprsz; i += sizeof(uint64_t)) {
-        *(uint64_t *)(d + i) = *(uint64_t *)(a + i) & ~b;
-    }
-    clear_high(d, oprsz, desc);
-}
-
 void HELPER(gvec_xors)(void *d, void *a, uint64_t b, uint32_t desc)
 {
    intptr_t oprsz = simd_oprsz(desc);
@@ -1042,32 +1031,6 @@ DO_CMP2(64)
 #undef DO_CMP1
 #undef DO_CMP2

-#define DO_CMP1(NAME, TYPE, OP)                                            \
-void HELPER(NAME)(void *d, void *a, uint64_t b64, uint32_t desc)           \
-{                                                                          \
-    intptr_t oprsz = simd_oprsz(desc);                                     \
-    TYPE inv = simd_data(desc), b = b64;                                   \
-    for (intptr_t i = 0; i < oprsz; i += sizeof(TYPE)) {                   \
-        *(TYPE *)(d + i) = -((*(TYPE *)(a + i) OP b) ^ inv);               \
-    }                                                                      \
-    clear_high(d, oprsz, desc);                                            \
-}
-
-#define DO_CMP2(SZ) \
-    DO_CMP1(gvec_eqs##SZ, uint##SZ##_t, ==)    \
-    DO_CMP1(gvec_lts##SZ, int##SZ##_t, <)      \
-    DO_CMP1(gvec_les##SZ, int##SZ##_t, <=)     \
-    DO_CMP1(gvec_ltus##SZ, uint##SZ##_t, <)    \
-    DO_CMP1(gvec_leus##SZ, uint##SZ##_t, <=)
-
-DO_CMP2(8)
-DO_CMP2(16)
-DO_CMP2(32)
-DO_CMP2(64)
-
-#undef DO_CMP1
-#undef DO_CMP2
-
 void HELPER(gvec_ssadd8)(void *d, void *a, void *b, uint32_t desc)
 {
    intptr_t oprsz = simd_oprsz(desc);
--- a/accel/tcg/tcg-runtime.c
+++ b/accel/tcg/tcg-runtime.c
@@ -24,17 +24,13 @@
 #include "qemu/osdep.h"
 #include "qemu/host-utils.h"
 #include "cpu.h"
-#include "exec/helper-proto-common.h"
+#include "exec/helper-proto.h"
 #include "exec/cpu_ldst.h"
 #include "exec/exec-all.h"
 #include "disas/disas.h"
 #include "exec/log.h"
 #include "tcg/tcg.h"

-#define HELPER_H  "accel/tcg/tcg-runtime.h"
-#include "exec/helper-info.c.inc"
-#undef  HELPER_H
-
 /* 32-bit helpers */

 int32_t HELPER(div_i32)(int32_t arg1, int32_t arg2)
--- a/accel/tcg/tcg-runtime.h
+++ b/accel/tcg/tcg-runtime.h
@@ -39,63 +39,51 @@ DEF_HELPER_FLAGS_1(exit_atomic, TCG_CALL_NO_WG, noreturn, env)
 DEF_HELPER_FLAGS_3(memset, TCG_CALL_NO_RWG, ptr, ptr, int, ptr)
 #endif /* IN_HELPER_PROTO */

-DEF_HELPER_FLAGS_3(ld_i128, TCG_CALL_NO_WG, i128, env, i64, i32)
-DEF_HELPER_FLAGS_4(st_i128, TCG_CALL_NO_WG, void, env, i64, i128, i32)
-
 DEF_HELPER_FLAGS_5(atomic_cmpxchgb, TCG_CALL_NO_WG,
-                   i32, env, i64, i32, i32, i32)
+                   i32, env, tl, i32, i32, i32)
 DEF_HELPER_FLAGS_5(atomic_cmpxchgw_be, TCG_CALL_NO_WG,
-                   i32, env, i64, i32, i32, i32)
+                   i32, env, tl, i32, i32, i32)
 DEF_HELPER_FLAGS_5(atomic_cmpxchgw_le, TCG_CALL_NO_WG,
-                   i32, env, i64, i32, i32, i32)
+                   i32, env, tl, i32, i32, i32)
 DEF_HELPER_FLAGS_5(atomic_cmpxchgl_be, TCG_CALL_NO_WG,
-                   i32, env, i64, i32, i32, i32)
+                   i32, env, tl, i32, i32, i32)
 DEF_HELPER_FLAGS_5(atomic_cmpxchgl_le, TCG_CALL_NO_WG,
-                   i32, env, i64, i32, i32, i32)
+                   i32, env, tl, i32, i32, i32)
 #ifdef CONFIG_ATOMIC64
 DEF_HELPER_FLAGS_5(atomic_cmpxchgq_be, TCG_CALL_NO_WG,
-                   i64, env, i64, i64, i64, i32)
+                   i64, env, tl, i64, i64, i32)
 DEF_HELPER_FLAGS_5(atomic_cmpxchgq_le, TCG_CALL_NO_WG,
-                   i64, env, i64, i64, i64, i32)
+                   i64, env, tl, i64, i64, i32)
 #endif
-#if HAVE_CMPXCHG128
-DEF_HELPER_FLAGS_5(atomic_cmpxchgo_be, TCG_CALL_NO_WG,
-                   i128, env, i64, i128, i128, i32)
-DEF_HELPER_FLAGS_5(atomic_cmpxchgo_le, TCG_CALL_NO_WG,
-                   i128, env, i64, i128, i128, i32)
-#endif
-
-DEF_HELPER_FLAGS_5(nonatomic_cmpxchgo, TCG_CALL_NO_WG,
-                   i128, env, i64, i128, i128, i32)

 #ifdef CONFIG_ATOMIC64
 #define GEN_ATOMIC_HELPERS(NAME)                                  \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), b),              \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), w_le),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), w_be),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), l_le),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), l_be),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), q_le),           \
-                       TCG_CALL_NO_WG, i64, env, i64, i64, i32)   \
+                       TCG_CALL_NO_WG, i64, env, tl, i64, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), q_be),           \
-                       TCG_CALL_NO_WG, i64, env, i64, i64, i32)
+                       TCG_CALL_NO_WG, i64, env, tl, i64, i32)
 #else
 #define GEN_ATOMIC_HELPERS(NAME)                                  \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), b),              \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), w_le),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), w_be),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), l_le),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)   \
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)    \
    DEF_HELPER_FLAGS_4(glue(glue(atomic_, NAME), l_be),           \
-                       TCG_CALL_NO_WG, i32, env, i64, i32, i32)
+                       TCG_CALL_NO_WG, i32, env, tl, i32, i32)
 #endif /* CONFIG_ATOMIC64 */

 GEN_ATOMIC_HELPERS(fetch_add)
@@ -218,7 +206,6 @@ DEF_HELPER_FLAGS_4(gvec_nor, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_eqv, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)

 DEF_HELPER_FLAGS_4(gvec_ands, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_andcs, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_4(gvec_xors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
 DEF_HELPER_FLAGS_4(gvec_ors, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)

@@ -297,29 +284,4 @@ DEF_HELPER_FLAGS_4(gvec_leu16, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu32, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)
 DEF_HELPER_FLAGS_4(gvec_leu64, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32)

-DEF_HELPER_FLAGS_4(gvec_eqs8, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_eqs16, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_eqs32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_eqs64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-
-DEF_HELPER_FLAGS_4(gvec_lts8, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_lts16, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_lts32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_lts64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-
-DEF_HELPER_FLAGS_4(gvec_les8, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_les16, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_les32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_les64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-
-DEF_HELPER_FLAGS_4(gvec_ltus8, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_ltus16, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_ltus32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_ltus64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-
-DEF_HELPER_FLAGS_4(gvec_leus8, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_leus16, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_leus32, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-DEF_HELPER_FLAGS_4(gvec_leus64, TCG_CALL_NO_RWG, void, ptr, ptr, i64, i32)
-
 DEF_HELPER_FLAGS_5(gvec_bitsel, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr, i32)
--- a/accel/tcg/trace-events
+++ b/accel/tcg/trace-events
@@ -6,9 +6,5 @@ exec_tb(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
 exec_tb_nocache(void *tb, uintptr_t pc) "tb:%p pc=0x%"PRIxPTR
 exec_tb_exit(void *last_tb, unsigned int flags) "tb:%p flags=0x%x"

-# cputlb.c
-memory_notdirty_write_access(uint64_t vaddr, uint64_t ram_addr, unsigned size) "0x%" PRIx64 " ram_addr 0x%" PRIx64 " size %u"
-memory_notdirty_set_dirty(uint64_t vaddr) "0x%" PRIx64
-
 # translate-all.c
 translate_block(void *tb, uintptr_t pc, const void *tb_code) "tb:%p, pc:0x%"PRIxPTR", tb_code:%p"
--- a/accel/tcg/translate-all.c
+++ b/accel/tcg/translate-all.c
--- a/accel/tcg/translator.c
+++ b/accel/tcg/translator.c
@@ -8,111 +8,30 @@
 */

 #include "qemu/osdep.h"
-#include "qemu/log.h"
 #include "qemu/error-report.h"
+#include "tcg/tcg.h"
+#include "tcg/tcg-op.h"
 #include "exec/exec-all.h"
+#include "exec/gen-icount.h"
+#include "exec/log.h"
 #include "exec/translator.h"
 #include "exec/plugin-gen.h"
-#include "tcg/tcg-op-common.h"
-#include "internal-target.h"
+#include "sysemu/replay.h"

-static void set_can_do_io(DisasContextBase *db, bool val)
+/* Pairs with tcg_clear_temp_count.
+   To be called by #TranslatorOps.{translate_insn,tb_stop} if
+   (1) the target is sufficiently clean to support reporting,
+   (2) as and when all temporaries are known to be consumed.
+   For most targets, (2) is at the end of translate_insn.  */
+void translator_loop_temp_check(DisasContextBase *db)
 {
-    if (db->saved_can_do_io != val) {
-        db->saved_can_do_io = val;
-
-        QEMU_BUILD_BUG_ON(sizeof_field(CPUState, neg.can_do_io) != 1);
-        tcg_gen_st8_i32(tcg_constant_i32(val), tcg_env,
-                        offsetof(ArchCPU, parent_obj.neg.can_do_io) -
-                        offsetof(ArchCPU, env));
+    if (tcg_check_temp_count()) {
+        qemu_log("warning: TCG temporary leaks before "
+                 TARGET_FMT_lx "\n", db->pc_next);
    }
 }

-bool translator_io_start(DisasContextBase *db)
-{
-    set_can_do_io(db, true);
-
-    /*
-     * Ensure that this instruction will be the last in the TB.
-     * The target may override this to something more forceful.
-     */
-    if (db->is_jmp == DISAS_NEXT) {
-        db->is_jmp = DISAS_TOO_MANY;
-    }
-    return true;
-}
-
-static TCGOp *gen_tb_start(DisasContextBase *db, uint32_t cflags)
-{
-    TCGv_i32 count = NULL;
-    TCGOp *icount_start_insn = NULL;
-
-    if ((cflags & CF_USE_ICOUNT) || !(cflags & CF_NOIRQ)) {
-        count = tcg_temp_new_i32();
-        tcg_gen_ld_i32(count, tcg_env,
-                       offsetof(ArchCPU, parent_obj.neg.icount_decr.u32)
-                       - offsetof(ArchCPU, env));
-    }
-
-    if (cflags & CF_USE_ICOUNT) {
-        /*
-         * We emit a sub with a dummy immediate argument. Keep the insn index
-         * of the sub so that we later (when we know the actual insn count)
-         * can update the argument with the actual insn count.
-         */
-        tcg_gen_sub_i32(count, count, tcg_constant_i32(0));
-        icount_start_insn = tcg_last_op();
-    }
-
-    /*
-     * Emit the check against icount_decr.u32 to see if we should exit
-     * unless we suppress the check with CF_NOIRQ. If we are using
-     * icount and have suppressed interruption the higher level code
-     * should have ensured we don't run more instructions than the
-     * budget.
-     */
-    if (cflags & CF_NOIRQ) {
-        tcg_ctx->exitreq_label = NULL;
-    } else {
-        tcg_ctx->exitreq_label = gen_new_label();
-        tcg_gen_brcondi_i32(TCG_COND_LT, count, 0, tcg_ctx->exitreq_label);
-    }
-
-    if (cflags & CF_USE_ICOUNT) {
-        tcg_gen_st16_i32(count, tcg_env,
-                         offsetof(ArchCPU, parent_obj.neg.icount_decr.u16.low)
-                         - offsetof(ArchCPU, env));
-    }
-
-    /*
-     * cpu->neg.can_do_io is set automatically here at the beginning of
-     * each translation block.  The cost is minimal, plus it would be
-     * very easy to forget doing it in the translator.
-     */
-    set_can_do_io(db, db->max_insns == 1 && (cflags & CF_LAST_IO));
-
-    return icount_start_insn;
-}
-
-static void gen_tb_end(const TranslationBlock *tb, uint32_t cflags,
-                       TCGOp *icount_start_insn, int num_insns)
-{
-    if (cflags & CF_USE_ICOUNT) {
-        /*
-         * Update the num_insn immediate parameter now that we know
-         * the actual insn count.
-         */
-        tcg_set_insn_param(icount_start_insn, 2,
-                           tcgv_i32_arg(tcg_constant_i32(num_insns)));
-    }
-
-    if (tcg_ctx->exitreq_label) {
-        gen_set_label(tcg_ctx->exitreq_label);
-        tcg_gen_exit_tb(tb, TB_EXIT_REQUESTED);
-    }
-}
-
-bool translator_use_goto_tb(DisasContextBase *db, vaddr dest)
+bool translator_use_goto_tb(DisasContextBase *db, target_ulong dest)
 {
    /* Suppress goto_tb if requested. */
    if (tb_cflags(db->tb) & CF_NO_GOTO_TB) {
@@ -123,45 +42,46 @@ bool translator_use_goto_tb(DisasContextBase *db, vaddr dest)
    return ((db->pc_first ^ dest) & TARGET_PAGE_MASK) == 0;
 }

-void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
-                     vaddr pc, void *host_pc, const TranslatorOps *ops,
-                     DisasContextBase *db)
+static inline void translator_page_protect(DisasContextBase *dcbase,
+                                           target_ulong pc)
+{
+#ifdef CONFIG_USER_ONLY
+    dcbase->page_protect_end = pc | ~TARGET_PAGE_MASK;
+    page_protect(pc);
+#endif
+}
+
+void translator_loop(const TranslatorOps *ops, DisasContextBase *db,
+                     CPUState *cpu, TranslationBlock *tb, int max_insns)
 {
    uint32_t cflags = tb_cflags(tb);
-    TCGOp *icount_start_insn;
    bool plugin_enabled;

    /* Initialize DisasContext */
    db->tb = tb;
-    db->pc_first = pc;
-    db->pc_next = pc;
+    db->pc_first = tb->pc;
+    db->pc_next = db->pc_first;
    db->is_jmp = DISAS_NEXT;
    db->num_insns = 0;
-    db->max_insns = *max_insns;
+    db->max_insns = max_insns;
    db->singlestep_enabled = cflags & CF_SINGLE_STEP;
-    db->saved_can_do_io = -1;
-    db->host_addr[0] = host_pc;
-    db->host_addr[1] = NULL;
+    translator_page_protect(db, db->pc_next);

    ops->init_disas_context(db, cpu);
    tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */

+    /* Reset the temp count so that we can identify leaks */
+    tcg_clear_temp_count();
+
    /* Start translating.  */
-    icount_start_insn = gen_tb_start(db, cflags);
+    gen_tb_start(db->tb);
    ops->tb_start(db, cpu);
    tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */

-    if (cflags & CF_MEMI_ONLY) {
-        /* We should only see CF_MEMI_ONLY for io_recompile. */
-        assert(cflags & CF_LAST_IO);
-        plugin_enabled = plugin_gen_tb_start(cpu, db, true);
-    } else {
-        plugin_enabled = plugin_gen_tb_start(cpu, db, false);
-    }
-    db->plugin_enabled = plugin_enabled;
+    plugin_enabled = plugin_gen_tb_start(cpu, tb, cflags & CF_MEMI_ONLY);

    while (true) {
-        *max_insns = ++db->num_insns;
+        db->num_insns++;
        ops->insn_start(db, cpu);
        tcg_debug_assert(db->is_jmp == DISAS_NEXT);  /* no early exit */

@@ -175,21 +95,12 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
           the next instruction.  */
        if (db->num_insns == db->max_insns && (cflags & CF_LAST_IO)) {
            /* Accept I/O on the last instruction.  */
-            set_can_do_io(db, true);
-        }
-        ops->translate_insn(db, cpu);
-
-        /*
-         * We can't instrument after instructions that change control
-         * flow although this only really affects post-load operations.
-         *
-         * Calling plugin_gen_insn_end() before we possibly stop translation
-         * is important. Even if this ends up as dead code, plugin generation
-         * needs to see a matching plugin_gen_insn_{start,end}() pair in order
-         * to accurately track instrumented helpers that might access memory.
-         */
-        if (plugin_enabled) {
-            plugin_gen_insn_end();
+            gen_io_start();
+            ops->translate_insn(db, cpu);
+        } else {
+            /* we should only see CF_MEMI_ONLY for io_recompile */
+            tcg_debug_assert(!(cflags & CF_MEMI_ONLY));
+            ops->translate_insn(db, cpu);
        }

        /* Stop translation if translate_insn so indicated.  */
@@ -197,6 +108,14 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,
            break;
        }

+        /*
+         * We can't instrument after instructions that change control
+         * flow although this only really affects post-load operations.
+         */
+        if (plugin_enabled) {
+            plugin_gen_insn_end();
+        }
+
        /* Stop translation if the output buffer is full,
           or we have executed all of the allowed instructions.  */
        if (tcg_op_buf_full() || db->num_insns >= db->max_insns) {
@@ -207,174 +126,53 @@ void translator_loop(CPUState *cpu, TranslationBlock *tb, int *max_insns,

    /* Emit code to exit the TB, as indicated by db->is_jmp.  */
    ops->tb_stop(db, cpu);
-    gen_tb_end(tb, cflags, icount_start_insn, db->num_insns);
+    gen_tb_end(db->tb, db->num_insns);

    if (plugin_enabled) {
-        plugin_gen_tb_end(cpu, db->num_insns);
+        plugin_gen_tb_end(cpu);
    }

    /* The disas_log hook may use these values rather than recompute.  */
    tb->size = db->pc_next - db->pc_first;
    tb->icount = db->num_insns;

+#ifdef DEBUG_DISAS
    if (qemu_loglevel_mask(CPU_LOG_TB_IN_ASM)
        && qemu_log_in_addr_range(db->pc_first)) {
-        FILE *logfile = qemu_log_trylock();
-        if (logfile) {
-            fprintf(logfile, "----------------\n");
-            ops->disas_log(db, cpu, logfile);
-            fprintf(logfile, "\n");
-            qemu_log_unlock(logfile);
-        }
+        FILE *logfile = qemu_log_lock();
+        qemu_log("----------------\n");
+        ops->disas_log(db, cpu);
+        qemu_log("\n");
+        qemu_log_unlock(logfile);
    }
-}
-
-static void *translator_access(CPUArchState *env, DisasContextBase *db,
-                               vaddr pc, size_t len)
-{
-    void *host;
-    vaddr base, end;
-    TranslationBlock *tb;
-
-    tb = db->tb;
-
-    /* Use slow path if first page is MMIO. */
-    if (unlikely(tb_page_addr0(tb) == -1)) {
-        return NULL;
-    }
-
-    end = pc + len - 1;
-    if (likely(is_same_page(db, end))) {
-        host = db->host_addr[0];
-        base = db->pc_first;
-    } else {
-        host = db->host_addr[1];
-        base = TARGET_PAGE_ALIGN(db->pc_first);
-        if (host == NULL) {
-            tb_page_addr_t page0, old_page1, new_page1;
-
-            new_page1 = get_page_addr_code_hostp(env, base, &db->host_addr[1]);
-
-            /*
-             * If the second page is MMIO, treat as if the first page
-             * was MMIO as well, so that we do not cache the TB.
-             */
-            if (unlikely(new_page1 == -1)) {
-                tb_unlock_pages(tb);
-                tb_set_page_addr0(tb, -1);
-                return NULL;
-            }
-
-            /*
-             * If this is not the first time around, and page1 matches,
-             * then we already have the page locked.  Alternately, we're
-             * not doing anything to prevent the PTE from changing, so
-             * we might wind up with a different page, requiring us to
-             * re-do the locking.
-             */
-            old_page1 = tb_page_addr1(tb);
-            if (likely(new_page1 != old_page1)) {
-                page0 = tb_page_addr0(tb);
-                if (unlikely(old_page1 != -1)) {
-                    tb_unlock_page1(page0, old_page1);
-                }
-                tb_set_page_addr1(tb, new_page1);
-                tb_lock_page1(page0, new_page1);
-            }
-            host = db->host_addr[1];
-        }
-
-        /* Use slow path when crossing pages. */
-        if (is_same_page(db, pc)) {
-            return NULL;
-        }
-    }
-
-    tcg_debug_assert(pc >= base);
-    return host + (pc - base);
-}
-
-static void plugin_insn_append(abi_ptr pc, const void *from, size_t size)
-{
-#ifdef CONFIG_PLUGIN
-    struct qemu_plugin_insn *insn = tcg_ctx->plugin_insn;
-    abi_ptr off;
-
-    if (insn == NULL) {
-        return;
-    }
-    off = pc - insn->vaddr;
-    if (off < insn->data->len) {
-        g_byte_array_set_size(insn->data, off);
-    } else if (off > insn->data->len) {
-        /* we have an unexpected gap */
-        g_assert_not_reached();
-    }
-
-    insn->data = g_byte_array_append(insn->data, from, size);
 #endif
 }

-uint8_t translator_ldub(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
+static inline void translator_maybe_page_protect(DisasContextBase *dcbase,
+                                                 target_ulong pc, size_t len)
 {
-    uint8_t ret;
-    void *p = translator_access(env, db, pc, sizeof(ret));
+#ifdef CONFIG_USER_ONLY
+    target_ulong end = pc + len - 1;

-    if (p) {
-        plugin_insn_append(pc, p, sizeof(ret));
-        return ldub_p(p);
+    if (end > dcbase->page_protect_end) {
+        translator_page_protect(dcbase, end);
    }
-    ret = cpu_ldub_code(env, pc);
-    plugin_insn_append(pc, &ret, sizeof(ret));
-    return ret;
+#endif
 }

-uint16_t translator_lduw(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
-{
-    uint16_t ret, plug;
-    void *p = translator_access(env, db, pc, sizeof(ret));
-
-    if (p) {
-        plugin_insn_append(pc, p, sizeof(ret));
-        return lduw_p(p);
+#define GEN_TRANSLATOR_LD(fullname, type, load_fn, swap_fn)             \
+    type fullname ## _swap(CPUArchState *env, DisasContextBase *dcbase, \
+                           abi_ptr pc, bool do_swap)                    \
+    {                                                                   \
+        translator_maybe_page_protect(dcbase, pc, sizeof(type));        \
+        type ret = load_fn(env, pc);                                    \
+        if (do_swap) {                                                  \
+            ret = swap_fn(ret);                                         \
+        }                                                               \
+        plugin_insn_append(pc, &ret, sizeof(ret));                      \
+        return ret;                                                     \
    }
-    ret = cpu_lduw_code(env, pc);
-    plug = tswap16(ret);
-    plugin_insn_append(pc, &plug, sizeof(ret));
-    return ret;
-}

-uint32_t translator_ldl(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
-{
-    uint32_t ret, plug;
-    void *p = translator_access(env, db, pc, sizeof(ret));
+FOR_EACH_TRANSLATOR_LD(GEN_TRANSLATOR_LD)

-    if (p) {
-        plugin_insn_append(pc, p, sizeof(ret));
-        return ldl_p(p);
-    }
-    ret = cpu_ldl_code(env, pc);
-    plug = tswap32(ret);
-    plugin_insn_append(pc, &plug, sizeof(ret));
-    return ret;
-}
-
-uint64_t translator_ldq(CPUArchState *env, DisasContextBase *db, abi_ptr pc)
-{
-    uint64_t ret, plug;
-    void *p = translator_access(env, db, pc, sizeof(ret));
-
-    if (p) {
-        plugin_insn_append(pc, p, sizeof(ret));
-        return ldq_p(p);
-    }
-    ret = cpu_ldq_code(env, pc);
-    plug = tswap64(ret);
-    plugin_insn_append(pc, &plug, sizeof(ret));
-    return ret;
-}
-
-void translator_fake_ldb(uint8_t insn8, abi_ptr pc)
-{
-    plugin_insn_append(pc, &insn8, sizeof(insn8));
-}
+#undef GEN_TRANSLATOR_LD
--- a/accel/tcg/user-exec-stub.c
+++ b/accel/tcg/user-exec-stub.c
@@ -1,6 +1,8 @@
 #include "qemu/osdep.h"
 #include "hw/core/cpu.h"
-#include "exec/replay-core.h"
+#include "sysemu/replay.h"
+
+bool enable_cpu_pm = false;

 void cpu_resume(CPUState *cpu)
 {
@@ -14,10 +16,6 @@ void qemu_init_vcpu(CPUState *cpu)
 {
 }

-void cpu_exec_reset_hold(CPUState *cpu)
-{
-}
-
 /* User mode emulation does not support record/replay yet.  */

 bool replay_exception(void)
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .1.50
 .2.0