It seems to me that when QEMU emits a TB to TB transition, it does not look for whether the code has already been generated or not ( at least x86 on x86 emulation) . it just lay down a 4 byte address, waiting to be patched later. Am I right ?
case INDEX_op_goto_tb: if (s->tb_jmp_offset) { /* direct jump method */ /* need to make sure that the jmp offset does not cross 32 byte boundary on Intel chip * and 8 byte boundary on AMD chip. As qemu is not checking for processor type. Assume
* 8 byte boundary to be safe */ tcg_out8(s, OPC_JMP_long); /* jmp im */ s->tb_jmp_offset[args[0]] = s->code_ptr - s->code_buf; tcg_out32(s, 0);
} else { /* indirect jump method */ tcg_out_modrm_offset(s, OPC_GRP5, EXT5_JMPN_Ev, -1, (tcg_target_long)(s->tb_next + args[0])); }
s->tb_next_offset[args[0]] = s->code_ptr - s->code_buf; break;