As said in the comment, instructions doing device I/O must be at the end
of the TB in deterministic execution mode, in other words icount mode or
replay mode.

But cpu_io_recompile still gets called when I disable the icount option.
The corresponding MemoryRegion is apic-msi, with the access address fee000b0.
Why is cpu_io_recompile called in non-icount mode?

I checked a lot of historical commit messages about cpu_io_recompile. It
was brought into QEMU because of the use of icount.
/*
commit 2e70f6efa8b960d3b5401373ad6fa98747bb9578
Add instruction counter.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4799 c046a42c-6fe2-441c-8c8c-71466251a162
2e70f6ef pbrook <pbrook@c046a42c-6fe2-441c-8c8c-71466251a162> on 2008/6/29 at 09:03
*/

The commit below explains that the TB is recompiled if the instruction
touching an MMIO address is located in the middle of the TB.
/*
commit afd46fcad2dceffda35c0586f5723c127b6e09d8
icount: fix cpu_restore_state_from_tb for non-tb-exit cases

In icount mode, instructions that access io memory spaces in the middle of
the translation block invoke TB recompilation.
*/

Anyway, there is no evidence that cpu_io_recompile would be used in
non-icount mode, is there?

Is this correct? Or did I just encounter some EXTREME BUG?

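Added example, not QEMU's code and not part of the mail above: a simplified C model of the icount rule the quoted commit describes, that an instruction accessing device I/O must be the last one in its translation block. All names (model_translate, model_io_needs_recompile, MODEL_MAX_TB_INSNS) and the instruction stream are illustrative assumptions. With icount on, the model ends a TB right after an I/O instruction; with icount off it does not, so the I/O instruction lands in the middle of a TB and the recompile check reports that the TB would have to be cut down so the I/O instruction becomes its last one.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model (added example, NOT QEMU code) of the icount rule that an
 * instruction doing device I/O (MMIO) must be the last one in its TB.
 * All names below are illustrative, not QEMU's own. */

typedef struct {
    const char *mnemonic;  /* for readability only */
    int does_io;           /* 1 if the instruction touches MMIO */
} model_insn;

#define MODEL_MAX_TB_INSNS 4  /* assumed per-TB instruction cap */

/* Translate n instructions into TBs. Writes the length of each TB into
 * tb_lens (capacity >= n) and returns the number of TBs produced.
 * With icount_mode set, a TB is also terminated right after an I/O
 * instruction; otherwise only the size cap (or end of stream) ends a TB. */
size_t model_translate(const model_insn *insns, size_t n, int icount_mode,
                       size_t *tb_lens)
{
    size_t ntb = 0, len = 0;
    for (size_t i = 0; i < n; i++) {
        len++;
        int end_tb = (len == MODEL_MAX_TB_INSNS) || (i + 1 == n)
                     || (icount_mode && insns[i].does_io);
        if (end_tb) {
            tb_lens[ntb++] = len;
            len = 0;
        }
    }
    return ntb;
}

/* Returns 1 if an I/O access by instruction idx (0-based) of a TB of
 * length tb_len violates the rule, i.e. the TB would have to be recompiled
 * so that the I/O instruction is its last one; 0 if it already is;
 * -1 on a bad index. *new_len receives the length of the shortened TB. */
int model_io_needs_recompile(size_t tb_len, size_t idx, size_t *new_len)
{
    if (idx >= tb_len)
        return -1;
    if (new_len)
        *new_len = idx + 1;
    return idx + 1 != tb_len;
}

/* Constructed sample: one MMIO store in the middle of a run of ALU ops. */
static const model_insn sample_stream[] = {
    {"add", 0}, {"mov", 0}, {"str [mmio]", 1}, {"sub", 0}, {"cmp", 0}, {"b", 0},
};
#define SAMPLE_N (sizeof sample_stream / sizeof sample_stream[0])

/* Length of TB number tb_index for the sample stream, or 0 if absent. */
size_t model_sample_tb_len(int icount_mode, size_t tb_index)
{
    size_t lens[SAMPLE_N];
    size_t ntb = model_translate(sample_stream, SAMPLE_N, icount_mode, lens);
    return tb_index < ntb ? lens[tb_index] : 0;
}

int main(void)
{
    for (int icount = 0; icount <= 1; icount++) {
        size_t lens[SAMPLE_N];
        size_t ntb = model_translate(sample_stream, SAMPLE_N, icount, lens);
        printf("icount=%d: %zu TBs:", icount, ntb);
        for (size_t t = 0; t < ntb; t++)
            printf(" %zu", lens[t]);
        printf("\n");
    }
    /* The MMIO store is instruction 2 of the first TB in both modes. */
    size_t cut = 0;
    printf("non-icount TB of 4: recompile=%d, would become %zu insns\n",
           model_io_needs_recompile(model_sample_tb_len(0, 0), 2, &cut), cut);
    printf("icount TB of 3: recompile=%d\n",
           model_io_needs_recompile(model_sample_tb_len(1, 0), 2, NULL));
    return 0;
}
```

In the non-icount run the first TB holds four instructions with the MMIO store third, so the check says the TB would need to be recompiled down to three instructions; in the icount run the translator already stopped the TB at the store and the check is satisfied.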