As said in the comment, instructions doing device I/Os must be at the end of the TB in deterministic execution mode, in other words icount mode or replay mode.
But cpu_io_recompile still gets called when I disable the icount option. The corresponding MemoryRegion is apic-msi with the access address fee000b0. Why is cpu_io_recompile called in non-icount mode?
I checked a lot of historical commit messages about cpu_io_recompile. It was brought into QEMU because of the use of icount.
/*
commit 2e70f6efa8b960d3b5401373ad6fa98747bb9578
Add instruction counter.
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@4799 c046a42c-6fe2-441c-8c8c-71466251a162
2e70f6ef pbrook <pbrook@c046a42c-6fe2-441c-8c8c-71466251a162> on 2008/6/29 at 09:03
*/
The commit below explains that the TB would be recompiled if an instruction touching an MMIO address is located in the middle of the TB.
/*
commit afd46fcad2dceffda35c0586f5723c127b6e09d8
icount: fix cpu_restore_state_from_tb for non-tb-exit cases
In icount mode, instructions that access io memory spaces in the middle of the translation block invoke TB recompilation.
*/
Anyway, there is no evidence to prove that cpu_io_recompile would be used in non-icount mode, is there?
Is this correct? Or did I just encounter some EXTREME BUG?